From 890e7ea6bb2b125c533d6f90f202c105542dab50 Mon Sep 17 00:00:00 2001
From: BlueTeamOps <1480956+blueteam0ps@users.noreply.github.com>
Date: Tue, 2 Feb 2021 17:20:48 +1100
Subject: [PATCH 001/303] Added Suspicious Auditpol Usage Auditpol can be used by threat actors to change audit policy configuration on hosts.
---
.../win_sus_auditpol_usage.yaml | 27 +++++++++++++++++++
1 file changed, 27 insertions(+)
create mode 100644 rules/windows/process_creation/win_sus_auditpol_usage.yaml
diff --git a/rules/windows/process_creation/win_sus_auditpol_usage.yaml b/rules/windows/process_creation/win_sus_auditpol_usage.yaml
new file mode 100644
index 000000000..40fd0c5c9
--- /dev/null
+++ b/rules/windows/process_creation/win_sus_auditpol_usage.yaml
@@ -0,0 +1,27 @@
+title: Suspicious Auditpol Usage
+id: 0a13e132-651d-11eb-ae93-0242ac130002
+description: Threat actors can use auditpol binary to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
+author: Janantha Marasinghe (https://github.com/blueteam0ps)
+references:
+ - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
+date: 2021/02/02
+modified: 2021/02/02
+tags:
+ - attack.defense_evasion
+ - attack.t1562.002
+level: high
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_auditpol_binary:
+ Image|endswith: '\auditpol.exe'
+ selection_auditpol_command:
+ CommandLine|contains:
+ - 'disable' # disables a specific audit policy
+ - 'clear' # delete or clears audit policy
+ - 'remove' # removes an audit policy
+ - 'restore' # restores an audit policy
+ condition: selection_auditpol_binary and selection_auditpol_command
+falsepositives:
+ - Admin activity
From 30bfdd1dc0b595581d9286ab546e386700a08dd7 Mon Sep 17 00:00:00 2001
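Review bot: The new rule has no `status` field, which every other rule in this series carries and which Sigma tooling validates; add `status: experimental` after the `id` line. The binary is matched only by `Image|endswith: '\auditpol.exe'`, so a renamed copy evades the rule; if the process-creation source populates it, an OR alternative such as `- OriginalFileName: 'AUDITPOL.EXE'` under `selection_auditpol_binary` (the list-of-maps form the appcmd rule later in this series uses) closes that gap — confirm the value against the binary's version resource. The `modified: 2021/02/02` line duplicates `date` on a brand-new rule and can be dropped.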
From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com>
Date: Wed, 1 Sep 2021 14:55:55 +0700
Subject: [PATCH 002/303] Create CVE-2021-26084 detection Detects CVE-2021-260841 Confluence Server Webwork OGNL injection
---
..._cve_2021_26084_confluence_rce_exploit.yml | 30 +++++++++++++++++++
1 file changed, 30 insertions(+)
create mode 100644 rules/web/web_cve_2021_26084_confluence_rce_exploit.yml
diff --git a/rules/web/web_cve_2021_26084_confluence_rce_exploit.yml b/rules/web/web_cve_2021_26084_confluence_rce_exploit.yml
new file mode 100644
index 000000000..a82d39496
--- /dev/null
+++ b/rules/web/web_cve_2021_26084_confluence_rce_exploit.yml
@@ -0,0 +1,30 @@
+title: Atlassian Confluence RCE Exploit CVE-2021-26084
+id: 38825179-3c78-4fed-b222-2e2166b926b1
+description: Detects CVE-2021-260841 Confluence Server Webwork OGNL injection
+status: experimental
+reference:
+ - https://twitter.com/wvuuuuuuuuuuuuu/status/1432918959389614083
+ - https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md
+ - https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html
+author: Sittikorn S
+date: 2021/09/01
+tags:
+- attack.initial_access
+- attack.t1190
+logsource:
+ category: webserver
+detection:
+ selection_exploit:
+ cs-method: 'POST'
+ sc-status: '200'
+ c-uri|contains|all:
+ - '/doenterpagevariables.action'
+ - 'queryString='
+ - 'u0027'
+ condition: selection_exploit and keywords
+fields:
+ - c-ip
+ - c-uri
+falsepositives:
+ - Unknown
+level: critical
From 0213b31d9b87e7a8891a66674a45c6cf7af7c834 Mon Sep 17 00:00:00 2001
From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com>
Date: Wed, 1 Sep 2021 14:58:58 +0700
Subject: [PATCH 003/303] Update web_cve_2021_26084_confluence_rce_exploit.yml
---
rules/web/web_cve_2021_26084_confluence_rce_exploit.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
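Review bot: `condition: selection_exploit and keywords` references a `keywords` search identifier that the `detection` block never defines, so the rule fails to compile as committed; either drop `and keywords` or add a `keywords:` list (PATCH 012 later in this series adds one). The list key is `reference:` where Sigma expects `references:` (also fixed later), and `CVE-2021-260841` in the description carries a stray digit. The `tags` items sit flush with their key while every other list in the file is indented; both forms parse, but the file should use one style.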
diff --git a/rules/web/web_cve_2021_26084_confluence_rce_exploit.yml b/rules/web/web_cve_2021_26084_confluence_rce_exploit.yml
index a82d39496..fc645ed29 100644
--- a/rules/web/web_cve_2021_26084_confluence_rce_exploit.yml
+++ b/rules/web/web_cve_2021_26084_confluence_rce_exploit.yml
@@ -6,7 +6,7 @@ reference:
 - https://twitter.com/wvuuuuuuuuuuuuu/status/1432918959389614083
 - https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md
 - https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html
-author: Sittikorn S
+author: Sittikorn S, Nuttakorn T
 date: 2021/09/01
 tags:
 - attack.initial_access
@@ -19,8 +19,8 @@ detection:
 sc-status: '200'
 c-uri|contains|all:
 - '/doenterpagevariables.action'
- - 'queryString='
- - 'u0027'
+ - 'queryString='
+ - 'u0027'
 condition: selection_exploit and keywords
 fields:
 - c-ip
From 930c599de810c883f88759b951acbff87f4f4c7e Mon Sep 17 00:00:00 2001
From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com>
Date: Wed, 1 Sep 2021 15:14:22 +0700
Subject: [PATCH 009/303] Update web_cve_2021_26084_confluence_rce_exploit.yml
---
rules/web/web_cve_2021_26084_confluence_rce_exploit.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules/web/web_cve_2021_26084_confluence_rce_exploit.yml b/rules/web/web_cve_2021_26084_confluence_rce_exploit.yml
index fc645ed29..710a6881d 100644
--- a/rules/web/web_cve_2021_26084_confluence_rce_exploit.yml
+++ b/rules/web/web_cve_2021_26084_confluence_rce_exploit.yml
@@ -18,9 +18,9 @@ detection:
 cs-method: 'POST'
 sc-status: '200'
 c-uri|contains|all:
- - '/doenterpagevariables.action'
- - 'queryString='
- - 'u0027'
+ - '/doenterpagevariables.action'
+ - '- 'queryString='
+ - 'u0027'
 condition: selection_exploit and keywords
 fields:
 - c-ip
From edbaee0affa9d73dc63d59c729d58c073212e270 Mon Sep 17 00:00:00 2001
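Review bot: In the PATCH 009 hunk the added list entry `- '- 'queryString='` is malformed YAML: the single-quoted scalar closes after `'- '` and the trailing `queryString='` leaves the document unparseable, so the rule will not load at all. The intended line is the one this hunk removed, `- 'queryString='`; PATCH 010 and 011 in this series delete and re-add the two entries, which is the effective fix.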
From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com>
Date: Wed, 1 Sep 2021 15:39:45 +0700
Subject: [PATCH 010/303] Update web_cve_2021_26084_confluence_rce_exploit.yml
---
rules/web/web_cve_2021_26084_confluence_rce_exploit.yml | 2 --
1 file changed, 2 deletions(-)
diff --git a/rules/web/web_cve_2021_26084_confluence_rce_exploit.yml b/rules/web/web_cve_2021_26084_confluence_rce_exploit.yml
index 710a6881d..86199e490 100644
--- a/rules/web/web_cve_2021_26084_confluence_rce_exploit.yml
+++ b/rules/web/web_cve_2021_26084_confluence_rce_exploit.yml
@@ -19,8 +19,6 @@ detection:
 sc-status: '200'
 c-uri|contains|all:
 - '/doenterpagevariables.action'
- - '- 'queryString='
- - 'u0027'
 condition: selection_exploit and keywords
 fields:
 - c-ip
From 6bb6c8037f089677b914309a29e088992587aa8f Mon Sep 17 00:00:00 2001
From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com>
Date: Wed, 1 Sep 2021 15:40:32 +0700
Subject: [PATCH 011/303] Update web_cve_2021_26084_confluence_rce_exploit.yml
---
rules/web/web_cve_2021_26084_confluence_rce_exploit.yml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/rules/web/web_cve_2021_26084_confluence_rce_exploit.yml b/rules/web/web_cve_2021_26084_confluence_rce_exploit.yml
index 86199e490..25cb014c3 100644
--- a/rules/web/web_cve_2021_26084_confluence_rce_exploit.yml
+++ b/rules/web/web_cve_2021_26084_confluence_rce_exploit.yml
@@ -19,6 +19,8 @@ detection:
 sc-status: '200'
 c-uri|contains|all:
 - '/doenterpagevariables.action'
+ - 'queryString='
+ - 'u0027'
 condition: selection_exploit and keywords
 fields:
 - c-ip
From c30a4585353f2de0d1bd4df1e855c85dabbea1d4 Mon Sep 17 00:00:00 2001
From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com>
Date: Wed, 1 Sep 2021 15:51:35 +0700
Subject: [PATCH 012/303] Update web_cve_2021_26084_confluence_rce_exploit.yml
---
.../web/web_cve_2021_26084_confluence_rce_exploit.yml | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/rules/web/web_cve_2021_26084_confluence_rce_exploit.yml b/rules/web/web_cve_2021_26084_confluence_rce_exploit.yml
index 25cb014c3..17baa3e77 100644
--- a/rules/web/web_cve_2021_26084_confluence_rce_exploit.yml
+++ b/rules/web/web_cve_2021_26084_confluence_rce_exploit.yml
@@ -2,7 +2,7 @@ title: Atlassian Confluence RCE Exploit CVE-2021-26084
 id: 38825179-3c78-4fed-b222-2e2166b926b1
 description: Detects CVE-2021-260841 Confluence Server Webwork OGNL injection
 status: experimental
-reference:
+references:
 - https://twitter.com/wvuuuuuuuuuuuuu/status/1432918959389614083
 - https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md
 - https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html
@@ -21,7 +21,14 @@ detection:
 - '/doenterpagevariables.action'
 - 'queryString='
 - 'u0027'
- condition: selection_exploit and keywords
+ selection_req:
+ cs-method: 'POST'
+ sc-status: '200'
+ c-uri|contains|all:
+ - '/doenterpagevariables.action'
+ keywords:
+ - 'u0027'
+ condition: selection_exploit or (selection_req and keywords)
 fields:
 - c-ip
 - c-uri
From 82b81d2e87d9c96b20a3b43c9fbaed4bb2d02263 Mon Sep 17 00:00:00 2001
From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com>
Date: Thu, 2 Sep 2021 21:55:22 +0700
Subject: [PATCH 013/303] Update web_cve_2021_26084_confluence_rce_exploit.yml refer: https://www.exploit-db.com/exploits/50243
---
.../web/web_cve_2021_26084_confluence_rce_exploit.yml | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/rules/web/web_cve_2021_26084_confluence_rce_exploit.yml b/rules/web/web_cve_2021_26084_confluence_rce_exploit.yml
index 17baa3e77..f3579c5eb 100644
--- a/rules/web/web_cve_2021_26084_confluence_rce_exploit.yml
+++ b/rules/web/web_cve_2021_26084_confluence_rce_exploit.yml
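Review bot: In the second hunk the new `condition: selection_exploit or (selection_req and keywords)` leaves `selection_exploit` redundant: every event it matches (POST, 200, URI containing all three strings) also satisfies `selection_req` plus the `u0027` keyword, so the rule reduces to `selection_req and keywords`. Note also that a bare list under a named identifier is a Sigma keyword search over the whole event, not a `c-uri` match, so `u0027` anywhere in the log line (referer, user agent, logged body) satisfies it; if the URI is what should carry the indicator, put `c-uri|contains: 'u0027'` inside `selection_req` instead. One selection with a short comment per string would read more clearly than two overlapping ones.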
@@ -3,7 +3,7 @@ id: 38825179-3c78-4fed-b222-2e2166b926b1
 description: Detects CVE-2021-260841 Confluence Server Webwork OGNL injection
 status: experimental
 references:
- - https://twitter.com/wvuuuuuuuuuuuuu/status/1432918959389614083
+ - https://github.com/TesterCC/exp_poc_library/blob/master/exp_poc/CVE-2021-26084_Confluence_OGNL_injection/CVE-2021-26084.md
 - https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md
 - https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html
 author: Sittikorn S, Nuttakorn T
@@ -17,14 +17,12 @@ detection:
 selection_exploit:
 cs-method: 'POST'
 sc-status: '200'
- c-uri|contains|all:
- - '/doenterpagevariables.action'
- - 'queryString='
- - 'u0027'
+ c-uri|contains:
+ - '/pages/createpage-entervariables.action?SpaceKey=x'
 selection_req:
 cs-method: 'POST'
 sc-status: '200'
- c-uri|contains|all:
+ c-uri|contains:
 - '/doenterpagevariables.action'
 keywords:
 - 'u0027'
From 90a1a750be6773a6c0503f5829e11b7d55bea5ea Mon Sep 17 00:00:00 2001
From: tuan
Date: Mon, 14 Mar 2022 17:51:24 +0700
Subject: [PATCH 014/303] update sed rules
---
.../proc_creation_lnx_sed_command.yml | 23 +++++++++++++++++++
1 file changed, 23 insertions(+)
create mode 100644 rules/linux/process_creation/proc_creation_lnx_sed_command.yml
diff --git a/rules/linux/process_creation/proc_creation_lnx_sed_command.yml b/rules/linux/process_creation/proc_creation_lnx_sed_command.yml
new file mode 100644
index 000000000..ebebaea5e
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_sed_command.yml
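Review bot: The new `selection_exploit` value `'/pages/createpage-entervariables.action?SpaceKey=x'` in the second hunk is tied to one public PoC's exact query string: a request with any other space key, a different parameter order, or extra parameters before `SpaceKey` no longer matches, even though the injection itself is carried in `queryString`. Matching the action path alone, `- '/pages/createpage-entervariables.action'`, and leaving the `u0027` indicator to `keywords` keeps the rule tied to the vulnerability rather than to one exploit script. Switching `contains|all` to `contains` on a single-item list changes nothing, and the `description` context line still reads `CVE-2021-260841` (extra digit).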
@@ -0,0 +1,23 @@
+title: Edit Linux Text
+status: stable
+description: Detects suspicious commands for edit text using sed
+author: TuanLe (GTSC)
+date: 2022/03/14
+references:
+ - https://www.geeksforgeeks.org/sed-command-in-linux-unix-with-examples/
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection:
+ Image|endswith:
+ - 'sed'
+ CommandLine|contains:
+ - '-i'
+ condition: selection
+falsepositives:
+ - Legitimate administration activities
+level: medium
+tags:
+ - attack.privilege_escalation
+
From a9a61cc67af387ba198eb517c3eda031562f2f12 Mon Sep 17 00:00:00 2001
From: tuan
Date: Mon, 14 Mar 2022 20:07:39 +0700
Subject: [PATCH 015/303] Update rule use sed
---
rules/linux/process_creation/proc_creation_lnx_sed_command.yml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/linux/process_creation/proc_creation_lnx_sed_command.yml b/rules/linux/process_creation/proc_creation_lnx_sed_command.yml
index ebebaea5e..b95a8df67 100644
--- a/rules/linux/process_creation/proc_creation_lnx_sed_command.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_sed_command.yml
@@ -1,4 +1,5 @@
 title: Edit Linux Text
+id: ea3fgcdf3-db86-9f48-hgb3-659a29d4db89
 status: stable
 description: Detects suspicious commands for edit text using sed
 author: TuanLe (GTSC)
@@ -10,7 +11,7 @@ logsource:
 category: process_creation
 detection:
 selection:
- Image|endswith:
+ Image|contains:
 - 'sed'
 CommandLine|contains:
 - '-i'
From 846016815269b47bd20c571fb4da0dcf4e10b8fd Mon Sep 17 00:00:00 2001
From: tuan
Date: Mon, 14 Mar 2022 22:13:14 +0700
Subject: [PATCH 016/303] Update rule use sed
---
.../process_creation/proc_creation_lnx_sed_command.yml | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/rules/linux/process_creation/proc_creation_lnx_sed_command.yml b/rules/linux/process_creation/proc_creation_lnx_sed_command.yml
index b95a8df67..6d2fbb43d 100644
--- a/rules/linux/process_creation/proc_creation_lnx_sed_command.yml
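Review bot: In the PATCH 014 hunk, `Image|endswith: 'sed'` combined with `CommandLine|contains: '-i'` fires on every in-place sed invocation — package post-install scripts, configuration management, shell profiles — and the `-i` substring also matches inside unrelated arguments and paths (`--in-place`, `/opt/x-install`), so at `level: medium` this will be noise rather than signal. The rule needs a discriminator, such as limiting the command line to sensitive targets (files under `/etc`, shell history files) and anchoring the flag as `' -i'`. Three metadata defects as well: `status: stable` on a first-commit rule (the rest of this series uses `experimental`/`test`), no `id`, and `attack.privilege_escalation` with no technique tag.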
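Review bot: In the PATCH 015 hunk the added `id: ea3fgcdf3-db86-9f48-hgb3-659a29d4db89` is not a UUID — the first group has nine characters and the value contains `g` and `h` — so Sigma's id validation rejects it; generate a random UUIDv4 in the form the later rules here use (`7efd2c8d-8b18-45b7-947d-adfe9ed04f61`). Changing `Image|endswith` to `Image|contains: 'sed'` widens the match to any executable path containing those three letters (`/usr/bin/sedutil-cli`, `/opt/based/app`); `Image|endswith: '/sed'` is the anchored form.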
+++ b/rules/linux/process_creation/proc_creation_lnx_sed_command.yml
@@ -1,6 +1,6 @@
-title: Edit Linux Text
+title: Edit Linux Texts
 id: ea3fgcdf3-db86-9f48-hgb3-659a29d4db89
-status: stable
+status: test
 description: Detects suspicious commands for edit text using sed
 author: TuanLe (GTSC)
 date: 2022/03/14
@@ -12,7 +12,7 @@ logsource:
 detection:
 selection:
 Image|contains:
- - 'sed'
+ - '/sed'
 CommandLine|contains:
 - '-i'
 condition: selection
@@ -20,5 +20,4 @@ falsepositives:
 - Legitimate administration activities
 level: medium
 tags:
- - attack.privilege_escalation
-
+ - attack.privilege_escalation
\ No newline at end of file
From f83b8b00f2e3d0ab3dec75d63d9003086fdc390f Mon Sep 17 00:00:00 2001
From: tuan
Date: Tue, 15 Mar 2022 17:36:10 +0700
Subject: [PATCH 017/303] rule detect add user to root group
---
.../proc_creation_lnx_usermod_command.yml | 24 +++++++++++++++++++
1 file changed, 24 insertions(+)
create mode 100644 rules/linux/process_creation/proc_creation_lnx_usermod_command.yml
diff --git a/rules/linux/process_creation/proc_creation_lnx_usermod_command.yml b/rules/linux/process_creation/proc_creation_lnx_usermod_command.yml
new file mode 100644
index 000000000..f5c77ad97
--- /dev/null
+++ b/rules/linux/process_creation/proc_creation_lnx_usermod_command.yml
@@ -0,0 +1,24 @@
+title: Add User To Root Group
+id: qg3fcgdf3-rd54-9f48-4gh3-659a29b3db89
+status: test
+description: Detects add user to root group in linux using usermod
+author: TuanLe (GTSC)
+date: 2022/03/14
+references:
+ - https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection:
+ Image|contains:
+ - 'usermod'
+ CommandLine|contains:
+ - '-aG root'
+ - '-aG sudoers'
+ condition: selection
+falsepositives:
+ - Legitimate administration activities
+level: medium
+tags:
+ - attack.privilege_escalation
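Review bot: In the PATCH 016 `@@ -12,7` hunk, `Image|contains: '/sed'` is still unanchored: `/sed` also matches `/sedutil-cli` or any directory whose name starts with `sed` earlier in the path. Use `Image|endswith: '/sed'` in place of the `contains` modifier. The `id` context line still carries the non-UUID value from the previous commit, and the last hunk drops the file's trailing newline (`\ No newline at end of file`), which linters flag.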
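Review bot: In the PATCH 017 hunk, `'-aG sudoers'` never matches a real privilege grant: `sudoers` is the `/etc/sudoers` file, not a group — the administrative groups are typically `sudo` (Debian-derived) or `wheel` (RHEL-derived) — so the rule misses the case it was written for. `'-aG root'` also misses equivalent spellings (`-G root`, `-a -G root`, `--append --groups root`, `-g root`); listing the group names and matching the flag variants separately, or a regex, covers them. Three further defects: `id: qg3fcgdf3-rd54-9f48-4gh3-659a29b3db89` is not a UUID and fails validation, `Image|contains: 'usermod'` should be `Image|endswith: '/usermod'`, and the tags should carry a technique (`attack.t1098`) alongside the tactic.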
From 562d29c432d8cf2e6edb0b8216af7f14c50da75b Mon Sep 17 00:00:00 2001
From: memory-shards <52757871+memory-shards@users.noreply.github.com>
Date: Sun, 31 Jul 2022 12:46:52 -0400
Subject: [PATCH 018/303] Create proc_creation_win_lolbin_agentexecutor.yml Proposed rule for lolbin AgentExecutor that doesn't have much coverage. Rule created as final project for Detection Engineering with Sigma course final project.
---
...proc_creation_win_lolbin_agentexecutor.yml | 30 +++++++++++++++++++
1 file changed, 30 insertions(+)
create mode 100644 rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml b/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml
new file mode 100644
index 000000000..cc49ce397
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml
@@ -0,0 +1,30 @@
+
+title: Suspicious AgentExecutor PowerShell Execution
+id: 7efd2c8d-8b18-45b7-947d-adfe9ed04f61
+status: experimental
+description: Detects AgentExecutor.exe execution of binary named powershell when the default ps path is absent from the command line. AgentExecutor will execute any binary named powershell.exe located in the $PSFolder path argument. AgentExecutor is included as part of Intune Managed Devices for Windows 10.
+references:
+ - https://twitter.com/lefterispan/status/1286259016436514816
+ - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/
+ - https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+date: 2022/07/31
+author: memory-shards
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ Image: 'AgentExecutor.exe'
+ selection2:
+ CommandLine|contains: '-powershell'
+ filter:
+ CommandLine|contains:
+ - ' C:\Windows\SysWOW64\WindowsPowerShell\'
+ - ' C:\Windows\System32\WindowsPowerShell\'
+ condition: selection1 and selection2 and not filter
+falsepositives:
+ - unknown
+level: medium
From 56467565870b1c74f84b4a1d8235acc02ddebd89 Mon Sep 17 00:00:00 2001
From: memory-shards <52757871+memory-shards@users.noreply.github.com>
Date: Sun, 31 Jul 2022 13:32:31 -0400
Subject: [PATCH 019/303] Update proc_creation_win_lolbin_agentexecutor.yml
---
...proc_creation_win_lolbin_agentexecutor.yml | 35 +++++++++----------
1 file changed, 17 insertions(+), 18 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml b/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml
index cc49ce397..791b5f3ac 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml
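Review bot: `Image: 'AgentExecutor.exe'` under `selection1` is an exact match, but the process-creation `Image` field carries the full path, so this selection never matches and the rule is dead as written; the other process_creation rules in this series use the anchored form, `Image|endswith: '\AgentExecutor.exe'`. The `filter` only excludes the two `C:\Windows\...\WindowsPowerShell\` prefixes, so a legitimate `$PSFolder` elsewhere on disk will alert — acceptable at `level: medium`, but worth a one-line comment on the filter stating that choice. The same unanchored `Image` value is carried through the re-indent in PATCH 019 and the `falsepositives` fix in PATCH 020.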
@@ -1,30 +1,29 @@
-
 title: Suspicious AgentExecutor PowerShell Execution
 id: 7efd2c8d-8b18-45b7-947d-adfe9ed04f61
 status: experimental
 description: Detects AgentExecutor.exe execution of binary named powershell when the default ps path is absent from the command line. AgentExecutor will execute any binary named powershell.exe located in the $PSFolder path argument. AgentExecutor is included as part of Intune Managed Devices for Windows 10.
 references:
- - https://twitter.com/lefterispan/status/1286259016436514816
- - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/
- - https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension
+ - https://twitter.com/lefterispan/status/1286259016436514816
+ - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/
+ - https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension
 tags:
- - attack.defense_evasion
- - attack.t1218
+ - attack.defense_evasion
+ - attack.t1218
 date: 2022/07/31
 author: memory-shards
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection1:
- Image: 'AgentExecutor.exe'
- selection2:
- CommandLine|contains: '-powershell'
- filter:
- CommandLine|contains:
- - ' C:\Windows\SysWOW64\WindowsPowerShell\'
- - ' C:\Windows\System32\WindowsPowerShell\'
- condition: selection1 and selection2 and not filter
+ selection1:
+ Image: 'AgentExecutor.exe'
+ selection2:
+ CommandLine|contains: '-powershell'
+ filter:
+ CommandLine|contains:
+ - ' C:\Windows\SysWOW64\WindowsPowerShell\'
+ - ' C:\Windows\System32\WindowsPowerShell\'
+ condition: selection1 and selection2 and not filter
 falsepositives:
- - unknown
+ - unknown
 level: medium
From 16fe47a8fa8d52c5e4f5e0abd315b5f6e4515740 Mon Sep 17 00:00:00 2001
From: memory-shards <52757871+memory-shards@users.noreply.github.com>
Date: Sun, 31 Jul 2022 15:00:07 -0400
Subject: [PATCH 020/303] Update proc_creation_win_lolbin_agentexecutor.yml
---
.../process_creation/proc_creation_win_lolbin_agentexecutor.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml b/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml
index 791b5f3ac..8851dfc95 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml
@@ -25,5 +25,5 @@ detection:
 - ' C:\Windows\System32\WindowsPowerShell\'
 condition: selection1 and selection2 and not filter
 falsepositives:
- - unknown
+ - Unknown
 level: medium
From 23220c3b03b998d744620daea8e482b4bf9a6cee Mon Sep 17 00:00:00 2001
From: BlueTeamOps <1480956+blueteam0ps@users.noreply.github.com>
Date: Tue, 8 Nov 2022 22:30:04 +1100
Subject: [PATCH 021/303] Updated to include list apppool and /config https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA indicates two additional ways to retrieve the IIS service account credentials. Existing detection was updated to include them.
---
...on_win_iis_service_account_password_dumped.yml | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml b/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml
index 564767cb2..a73579389 100644
--- a/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml
+++ b/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml
@@ -4,8 +4,9 @@ status: experimental
 description: Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords
 references:
 - https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html
-author: Tim Rauch
-date: 2022/09/28
+ - https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA
+author: Tim Rauch, Janantha Marasinghe
+date: 2022/11/08
 tags:
 - attack.credential_access
 - attack.t1003
@@ -20,11 +21,17 @@ detection:
 CommandLine|contains:
 - ' /list '
 - ' list '
- selection_all:
+ selection_cmd1:
 CommandLine|contains|all:
 - ' /text'
 - ' password'
- condition: all of selection*
+ selection_cmd2:
+ CommandLine|contains:
+ - ' /@t '
+ - ' /text '
+ - ' /config '
+ - ' /@c'
+ condition: 1 of selection_cmd* and selection_list
 falsepositives:
 - Unknown
 level: high
From 9e26ad75da8677c59f0931fdcbe046592ce962b1 Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Tue, 15 Nov 2022 17:38:29 +0000
Subject: [PATCH 022/303] HAWK backend configuration update and bug fix.
---
tools/config/hawk.yml | 21 +++++++++++++++------
tools/sigma/backends/hawk.py | 2 +-
2 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/tools/config/hawk.yml b/tools/config/hawk.yml
index 4d81e1a27..7ed603035 100644
--- a/tools/config/hawk.yml
+++ b/tools/config/hawk.yml
@@ -166,6 +166,12 @@ logsources:
 conditions:
 product_name: "Sysmon"
 vendor_id: "11"
+ windows-file-change:
+ product: windows
+ category: file_change
+ conditions:
+ product_name: "Sysmon"
+ vendor_id: "11"
 windows-pipe-created:
 product: windows
 category: pipe_created
@@ -240,14 +246,13 @@ logsources:
 conditions:
 vendor_name: "Zeek"
 vendor_type: "IDS"
- zeek-category-firewall:
+ firewall:
 category: firewall
 conditions:
- vendor_name: "Zeek"
- vendor_type: "IDS"
- rewrite:
- product: zeek
- service: conn
+ vendor_type:
+ - "Firewall"
+ - "Router"
+ - "WAP"
 zeek-category-dns:
 category: dns
 rewrite:
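Review bot: In the PATCH 021 `@@ -20,11` hunk, `condition: 1 of selection_cmd* and selection_list` no longer names the selection holding the `Image|endswith: '\appcmd.exe'` / `OriginalFilename` alternatives (it starts above the hunk; the old `all of selection*` glob covered it), so unless that selection happens to match one of the two globs the rule now fires on any process whose command line contains `list ` plus `/text`, `/config` or `/@c`. Reference it explicitly, e.g. `condition: selection_img and selection_list and 1 of selection_cmd*`, renaming the image selection to `selection_img` if needed. The first hunk also overwrites `date: 2022/09/28` with `2022/11/08`; Sigma keeps `date` as the creation date and records updates in `modified:`, as other rules in this series do.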
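Review bot: The new `windows-file-change` logsource in `tools/config/hawk.yml` maps Sigma's `file_change` category to `vendor_id: "11"`, the same value as the entry immediately above it (whose name sits outside the hunk). If `vendor_id` is the Sysmon event ID, 11 is FileCreate — the event Sigma's `file_event` category describes — whereas `file_change` rules describe file creation-time changes, which Sysmon reports as event 2; this entry should then read `vendor_id: "2"`, or carry a comment explaining why both categories share one event. In the second hunk the `firewall` entry replaces the Zeek-specific mapping and drops its `rewrite` to `product: zeek`/`service: conn`, so any rule that depended on that rewrite now resolves differently; a line in the commit message would help downstream users.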
@@ -857,6 +862,10 @@ fieldmappings:
 DestinationIp: ip_dst
 DestinationHostname: ip_dst_host
 DestinationPort: ip_dport
+ DestAddress: ip_dst
+ DestPort: ip_dport
+ SourceAddress: ip_src
+ SourcePort: ip_sport
 GrantedAccess: access_mask
 StartModule: target_process_name
 TargetProcessAddress: process_address
diff --git a/tools/sigma/backends/hawk.py b/tools/sigma/backends/hawk.py
index dd8556970..bd1e40acf 100644
--- a/tools/sigma/backends/hawk.py
+++ b/tools/sigma/backends/hawk.py
@@ -750,7 +750,7 @@ class HAWKBackend(SingleTextQueryBackend):
 "tags" : [ "sigma" ],
 "hawk_id" : sigmaparser.parsedyaml['id']
 }
- if 'tags' in sigmaparser.parsedyaml:
+ if 'tags' in sigmaparser.parsedyaml and isinstance(sigmaparser.parsedyaml, list):
 mitre_tactics = [ item.replace("attack.", "") for item in sigmaparser.parsedyaml['tags'] ]
 if len(mitre_tactics) > 0:
 record["tags"] = record['tags'] + mitre_tactics
From e0c53c1948bdcc54a260d6222b55539fb9ca57ad Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Fri, 18 Nov 2022 16:35:48 +0000
Subject: [PATCH 023/303] FP: ignore calling function Convert-GuidToCompressedGuid, part of amazon ssm worker
---
.../proc_creation_win_powershell_xor_commandline.yml | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml b/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml
index c68ff242a..2ecee013f 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands.
 author: Sami Ruohonen, Harish Segar (improvement), Tim Shelton
 date: 2018/09/05
-modified: 2022/01/10
+modified: 2022/11/18
 tags:
 - attack.defense_evasion
 - attack.t1059.001
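Review bot: In the `tools/sigma/backends/hawk.py` hunk the added guard `isinstance(sigmaparser.parsedyaml, list)` tests the wrong object: `parsedyaml` is the parsed rule mapping (the line above indexes `sigmaparser.parsedyaml['id']`), so it is never a list and the tags branch becomes unreachable — MITRE tags silently stop being appended to `record["tags"]`. The intended check is on the value: `if 'tags' in sigmaparser.parsedyaml and isinstance(sigmaparser.parsedyaml['tags'], list):`. The enclosing method starts and ends outside the hunk.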
@@ -26,7 +26,8 @@ detection:
 - '-join`'
 - 'char'
 false_positives:
- ParentImage: C:\Program Files\Amazon\SSM\ssm-document-worker.exe
+ ParentImage: 'C:\Program Files\Amazon\SSM\ssm-document-worker.exe'
+ CommandLine|contains: 'function Convert-GuidToCompressedGuid'
 condition: selection and filter and not false_positives
 falsepositives:
 - Unknown
From 0de44fcf5baffa6481ddf455596c6ae35bfc6909 Mon Sep 17 00:00:00 2001
From: BlueTeamOps <1480956+blueteam0ps@users.noreply.github.com>
Date: Sat, 19 Nov 2022 15:06:01 +1100
Subject: [PATCH 024/303] Update rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
---
.../proc_creation_win_iis_service_account_password_dumped.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml b/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml
index a73579389..e4ec75500 100644
--- a/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml
+++ b/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml
@@ -5,6 +5,7 @@ description: Detects the Internet Information Services (IIS) command-line tool,
 references:
 - https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html
 - https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA
+ - https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/
 author: Tim Rauch, Janantha Marasinghe
 date: 2022/11/08
 tags:
From 09d6d3e4075908fb64b6dbfd2140bbbb93ad1779 Mon Sep 17 00:00:00 2001
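Review bot: Adding `CommandLine|contains: 'function Convert-GuidToCompressedGuid'` to the `false_positives` map ANDs it with the `ParentImage` match, so children of ssm-document-worker.exe whose command line lacks that string are no longer excluded — consistent with the commit message, but worth a comment on the selection, e.g. `# only the SSM worker's GUID helper is excluded; other SSM children still alert`. The identifier `false_positives` is easy to confuse with the top-level `falsepositives` key and with the `filter` selection it is combined with in `condition: selection and filter and not false_positives`; a name like `filter_ssm_worker` states what it excludes.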
From: BlueTeamOps <1480956+blueteam0ps@users.noreply.github.com>
Date: Sat, 19 Nov 2022 15:06:10 +1100
Subject: [PATCH 025/303] Update rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
---
.../proc_creation_win_iis_service_account_password_dumped.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml b/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml
index e4ec75500..9b49fdc66 100644
--- a/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml
+++ b/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml
@@ -32,7 +32,7 @@ detection:
 - ' /text '
 - ' /config '
 - ' /@c'
- condition: 1 of selection_cmd* and selection_list
+ condition: all of selection_*
 falsepositives:
 - Unknown
 level: high
From fcd41ed3e36343845e98e900d4ecaa49035653e3 Mon Sep 17 00:00:00 2001
From: BlueTeamOps <1480956+blueteam0ps@users.noreply.github.com>
Date: Sat, 19 Nov 2022 15:06:36 +1100
Subject: [PATCH 026/303] Update rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
---
.../proc_creation_win_iis_service_account_password_dumped.yml | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml b/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml
index 9b49fdc66..d0bf05e0d 100644
--- a/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml
+++ b/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml
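Review bot: `condition: all of selection_*` now requires `selection_cmd1` (`/text` together with `password`) and `selection_cmd2` (`/@t`, `/text`, `/config` or `/@c`) to match at the same time, so the `list apppool /config` case that PATCH 021 set out to add no longer triggers unless the command line also contains `/text` and `password`. The two cmd selections are alternatives and belong under a `1 of`, with the image and list selections ANDed in: `condition: selection_img and selection_list and 1 of selection_cmd*` (the image selection starts above the hunk; name it to match). If the stricter AND is intentional, `selection_cmd2` should be folded into `selection_cmd1` and the commit message should say the `/config` variant is out of scope.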
@@ -19,9 +19,7 @@ detection:
 - Image|endswith: '\appcmd.exe'
 - OriginalFilename: 'appcmd.exe'
 selection_list:
- CommandLine|contains:
- - ' /list '
- - ' list '
+ CommandLine|contains: 'list '
 selection_cmd1:
 CommandLine|contains|all:
 - ' /text'
From 4b9075e5570758ecf4654a56e9a5c4b7f9b7a2ee Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 28 Nov 2022 12:09:00 +0100
Subject: [PATCH 027/303] feat: new rules related to service creation New service creation rules related to remote software tools
---
...=> win_system_service_install_anydesk.yml} | 0
.../win_system_service_install_mesh_agent.yml | 25 +++++++++++++++++++
...win_system_service_install_tacticalrmm.yml | 25 +++++++++++++++++++
3 files changed, 50 insertions(+)
rename rules/windows/builtin/system/{win_system_anydesk_service_installation.yml => win_system_service_install_anydesk.yml} (100%)
create mode 100644 rules/windows/builtin/system/win_system_service_install_mesh_agent.yml
create mode 100644 rules/windows/builtin/system/win_system_service_install_tacticalrmm.yml
diff --git a/rules/windows/builtin/system/win_system_anydesk_service_installation.yml b/rules/windows/builtin/system/win_system_service_install_anydesk.yml
similarity index 100%
rename from rules/windows/builtin/system/win_system_anydesk_service_installation.yml
rename to rules/windows/builtin/system/win_system_service_install_anydesk.yml
diff --git a/rules/windows/builtin/system/win_system_service_install_mesh_agent.yml b/rules/windows/builtin/system/win_system_service_install_mesh_agent.yml
new file mode 100644
index 000000000..2d51a1dad
--- /dev/null
+++ b/rules/windows/builtin/system/win_system_service_install_mesh_agent.yml
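Review bot: Replacing `' /list '` / `' list '` with `CommandLine|contains: 'list '` drops the leading-space anchor, so the value also matches inside other words (`/blacklist `, `playlist `) and any argument ending in `list `; with `Image` pinned to appcmd.exe the noise is bounded, but the change gains nothing the two-entry form did not already cover, since `appcmd list apppool …` contains `' list '`. If the goal was to catch `list` as the first token of a command line with no preceding space, say so in a comment on the selection; otherwise keep the anchored entries.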
@@ -0,0 +1,25 @@ +title: Mesh Agent Service Installation +id: e0d1ad53-c7eb-48ec-a87a-72393cc6cedc +status: experimental +description: Detects a Mesh Agent service installation. Mesh Agent is used to remotely manage computers +references: + - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ +author: Nasreddine Bencherchali +date: 2022/11/28 +tags: + - attack.command_and_control + - attack.t1219 +logsource: + product: windows + service: system +detection: + selection_root: + Provider_Name: 'Service Control Manager' + EventID: 7045 + selection_service: + - ImagePath|contains: 'MeshAgent.exe' + - ServiceName|contains: 'Mesh Agent' + condition: all of selection_* +falsepositives: + - Legitimate use of the tool +level: medium diff --git a/rules/windows/builtin/system/win_system_service_install_tacticalrmm.yml b/rules/windows/builtin/system/win_system_service_install_tacticalrmm.yml new file mode 100644 index 000000000..ea4a33722 --- /dev/null +++ b/rules/windows/builtin/system/win_system_service_install_tacticalrmm.yml @@ -0,0 +1,25 @@ +title: TacticalRMM Service Installation +id: 4bb79b62-ef12-4861-981d-2aab43fab642 +status: experimental +description: Detects a TacticalRMM service installation. Tactical RMM is a remote monitoring & management tool. +references: + - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ +author: Nasreddine Bencherchali +date: 2022/11/28 +tags: + - attack.command_and_control + - attack.t1219 +logsource: + product: windows + service: system +detection: + selection_root: + Provider_Name: 'Service Control Manager' + EventID: 7045 + selection_service: + - ImagePath|contains: 'tacticalrmm.exe' + - ServiceName|contains: 'TacticalRMM Agent Service' + condition: all of selection_* +falsepositives: + - Legitimate use of the tool +level: medium From 81e8acf535753deb776fdc8330b145c0afb2324e Mon Sep 17 00:00:00 2001 
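Review bot: The Mesh Agent and TacticalRMM rules (both hunks on this line) describe the two tools as unrelated, but to my knowledge Tactical RMM ships a Mesh Agent for its remote-control feature, so a TacticalRMM deployment is likely to trigger the Mesh Agent rule as well; a sentence in the description or `falsepositives` of both, e.g. `- Tactical RMM installs also deploy a Mesh Agent service`, would save analysts triaging the pair as two findings. Both rules otherwise follow the same shape, with `selection_service` as an OR list over `ImagePath` and `ServiceName`, which is reasonable given that the binary name is easy to change but the display name is usually left alone.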
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Mon, 28 Nov 2022 13:19:37 +0100 Subject: [PATCH 028/303] fix: fix fp in testing --- ...c_creation_win_raspberry_robin_single_dot_ending_file.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_raspberry_robin_single_dot_ending_file.yml b/rules/windows/process_creation/proc_creation_win_raspberry_robin_single_dot_ending_file.yml index e909bcbd2..dabffeceb 100644 --- a/rules/windows/process_creation/proc_creation_win_raspberry_robin_single_dot_ending_file.yml +++ b/rules/windows/process_creation/proc_creation_win_raspberry_robin_single_dot_ending_file.yml @@ -1,11 +1,12 @@ title: Raspberry Robin Dot Ending File id: a35c97c8-d9c4-4c89-a3e7-533dc0bcb73a status: experimental -description: Detects commandline containing reference to files ending with a ".". This scheme has been seen used by raspberry-robin +description: Detects commandline containing reference to files ending with a "." This scheme has been seen used by raspberry-robin author: Nasreddine Bencherchali references: - https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/ date: 2022/10/28 +modified: 2022/11/28 tags: - attack.execution logsource: @@ -16,7 +17,7 @@ detection: # Example 1: https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/10/fig-3f-raspberryrobin-runonce.png # Example 2: https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/10/fig-5f-odbcconf.png # Example 3: https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/10/fig-6f-fauppod-command-line.png - CommandLine|re: "\\.[a-zA-Z0-9]{1,6}\\.[ |\"|']{0,1}" + CommandLine|re: "\\.[a-zA-Z0-9]{1,6}\\.[ |\"|']{1}" filter: # This filter is used to exclude double extension files CommandLine|re: "\\.[a-zA-Z0-9]{1,6}\\.[a-zA-Z0-9]{1}" 
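Review bot: In the new `CommandLine|re: "\\.[a-zA-Z0-9]{1,6}\\.[ |\"|']{1}"` the `|` characters inside the bracket expression are literal characters, not alternation, so the class also matches a pipe, and `{1}` is redundant; `CommandLine|re: "\\.[a-zA-Z0-9]{1,6}\\.[ \"']"` expresses the same intent without the stray pipe. Moving from `{0,1}` to `{1}` also means a file reference whose trailing dot ends the command line no longer matches; if that trade-off is the intended FP fix, a short comment above the line stating it, e.g. `# A delimiter after the trailing dot is required to avoid FPs on abbreviations`, would keep the next editor from loosening it again.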
From 1d7ee1cd197d3b35508e2a5bf34d9d3b6ca4f504 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 29 Nov 2022 13:47:09 +0100 Subject: [PATCH 029/303] feat: enhance duplicate test (#3736) Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com> --- ...rpc_potential_petit_potam_efs_rpc_call.yml | 6 +- .../network/zeek/zeek_dns_susp_zbit_flag.yml | 4 +- .../driver_load/driver_load_vuln_drivers.yml | 4 +- .../file_event_win_new_src_file.yml | 5 +- ...ation_win_susp_powershell_iex_patterns.yml | 25 +- ...oc_creation_win_susp_renamed_debugview.yml | 6 +- .../proc_creation_win_susp_service_stop.yml | 496 +++++++++--------- ...d_disk_access_using_illegitimate_tools.yml | 3 +- tests/test_rules.py | 31 +- 9 files changed, 288 insertions(+), 292 deletions(-) diff --git a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml index df6565c0f..3ff369979 100644 --- a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml +++ b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml @@ -13,7 +13,7 @@ references: - https://threatpost.com/microsoft-petitpotam-poc/168163/ author: '@neu5ron, @Antonlovesdnb, Mike Remen' date: 2021/08/17 -modified: 2022/10/09 +modified: 2022/11/28 tags: - attack.t1557.001 - attack.t1187 @@ -22,9 +22,7 @@ logsource: service: dce_rpc detection: selection: - operation|startswith: - - 'Efs' - - 'efs' + operation|startswith: 'efs' condition: selection fields: - id.orig_h diff --git a/rules/network/zeek/zeek_dns_susp_zbit_flag.yml b/rules/network/zeek/zeek_dns_susp_zbit_flag.yml index 453bcc009..6ac028468 100644 --- a/rules/network/zeek/zeek_dns_susp_zbit_flag.yml +++ b/rules/network/zeek/zeek_dns_susp_zbit_flag.yml 
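Review bot: Collapsing `operation|startswith` from `'Efs'`/`'efs'` to `'efs'` relies on the backend matching strings case-insensitively; Zeek's dce_rpc `operation` values are mixed-case names starting with "Efs", so on a backend that compiles Sigma strings to case-sensitive comparisons this hunk removes the only variant that would have matched. The same assumption underlies the zeek_dns `qtype_name` change in this patch's next file, the file_event `TargetFilename|startswith` and powershell `iex` list changes, and the DebugView `Product` change further on. If case-insensitivity is now a contract of the rule format, a comment such as `# Sigma string matching is case-insensitive; only one case variant is kept` in the rule, or a sentence in the duplicate test's docstring, would make that explicit.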
@@ -14,7 +14,7 @@ references: - 'https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS' author: '@neu5ron, SOC Prime Team, Corelight' date: 2021/05/04 -modified: 2022/10/05 +modified: 2022/11/29 tags: - attack.t1095 - attack.t1571 @@ -40,9 +40,7 @@ detection: - '.azuregov-dns.org' exclude_query_types: qtype_name: - - 'NS' - 'ns' - - 'MX' - 'mx' exclude_responses: answers|endswith: '\\x00' diff --git a/rules/windows/driver_load/driver_load_vuln_drivers.yml b/rules/windows/driver_load/driver_load_vuln_drivers.yml index 018868c3b..d544236f3 100644 --- a/rules/windows/driver_load/driver_load_vuln_drivers.yml +++ b/rules/windows/driver_load/driver_load_vuln_drivers.yml @@ -21,7 +21,7 @@ references: - https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part author: Nasreddine Bencherchali date: 2022/08/18 -modified: 2022/10/19 +modified: 2022/11/28 tags: - attack.privilege_escalation - attack.t1543.003 @@ -864,8 +864,6 @@ detection: - 'DB90E554AD249C2BD888282ECF7D8DA4D1538DD364129A3327B54F8242DD5653' - 'E61A54F6D3869B43C4ECEAC3016DF73DF67CCE03878C5A6167166601C5D3F028' - '3871E16758A1778907667F78589359734F7F62F9DC953EC558946DCDBE6951E3' - - 'DED2927F9A4E64EEFD09D0CABA78E94F309E3A6292841AE81D5528CAB109F95D' - - '0296E2CE999E67C76352613A718E11516FE1B0EFC3FFDB8918FC999DD76A73A5' - '80CBBA9F404DF3E642F22C476664D63D7C229D45D34F5CD0E19C65EB41BECEC3' - 'BB50818A07B0EB1BD317467139B7EB4BAD6CD89053FECDABFEAE111689825955' - 'FF6729518A380BF57F1BC6F1EC0AA7F3012E1618B8D9B0F31A61D299EE2B4339' diff --git a/rules/windows/file/file_event/file_event_win_new_src_file.yml b/rules/windows/file/file_event/file_event_win_new_src_file.yml index 6ad24e0ed..65bf8e139 100644 --- a/rules/windows/file/file_event/file_event_win_new_src_file.yml +++ b/rules/windows/file/file_event/file_event_win_new_src_file.yml 
@@ -6,7 +6,7 @@ references: - https://lolbas-project.github.io/lolbas/Libraries/Desk/ author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io' date: 2022/04/27 -modified: 2022/10/07 +modified: 2022/11/28 tags: - attack.t1218.011 - attack.defense_evasion @@ -19,10 +19,7 @@ detection: filter: TargetFilename|startswith: - 'C:\Windows\System32\' - - 'C:\Windows\system32\' - 'C:\Windows\SysWOW64\' - - 'C:\Windows\SysWow64\' - - 'C:\Windows\winsxs\' - 'C:\Windows\WinSxS\' - 'C:\$WINDOWS.~BT\NewOS\' condition: selection and not filter diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_iex_patterns.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_iex_patterns.yml index 244c5f234..291c1ec16 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_powershell_iex_patterns.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_iex_patterns.yml @@ -6,7 +6,7 @@ references: - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2 author: Florian Roth date: 2022/03/24 -modified: 2022/10/28 +modified: 2022/11/28 logsource: product: windows category: process_creation @@ -16,25 +16,22 @@ detection: - '\powershell.exe' - '\pwsh.exe' CommandLine|contains: - - ' | iex;' - - ' | iex ' - - ' | iex}' - - ' | IEX;' - - ' | IEX ;' - - ' | IEX -Error' - - ' | IEX (new' - - ' | IEX (New' + - ' | iex;' + - ' | iex ' + - ' | iex}' + - ' | IEX ;' + - ' | IEX -Error' + - ' | IEX (new' - ');IEX ' selection_combined_2: CommandLine|contains: - '::FromBase64String' - '.GetString([System.Convert]::' selection_standalone: - CommandLine|contains: - - ')|iex;$' - - ')|IEX;$' - - ');iex($' - - ');iex $' + CommandLine|contains: + - ')|iex;$' + - ');iex($' + - ');iex $' - ' | IEX | ' condition: all of selection_combined* or selection_standalone falsepositives: 
diff --git a/rules/windows/process_creation/proc_creation_win_susp_renamed_debugview.yml b/rules/windows/process_creation/proc_creation_win_susp_renamed_debugview.yml index 2fc43458a..9e0f2b328 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_renamed_debugview.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_renamed_debugview.yml @@ -6,7 +6,7 @@ references: - https://www.epicturla.com/blog/sysinturla author: Florian Roth date: 2020/05/28 -modified: 2021/11/27 +modified: 2022/11/29 tags: - attack.resource_development - attack.t1588.002 @@ -15,9 +15,7 @@ logsource: product: windows detection: selection: - Product: - - 'Sysinternals DebugView' - - 'Sysinternals Debugview' + Product: 'Sysinternals DebugView' filter: OriginalFileName: 'Dbgview.exe' Image|endswith: '\Dbgview.exe' diff --git a/rules/windows/process_creation/proc_creation_win_susp_service_stop.yml b/rules/windows/process_creation/proc_creation_win_susp_service_stop.yml index b71ae7f1a..7df638f02 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_service_stop.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_service_stop.yml @@ -10,6 +10,7 @@ references: - https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html author: Nasreddine Bencherchali date: 2022/09/01 +modified: 2022/11/29 tags: - attack.defense_evasion - attack.t1489 
@@ -35,284 +36,281 @@ detection: CommandLine|contains: 'Stop-Service ' services: CommandLine|contains: - - 'VSS' - - 'HealthTLService' - - 'ThreatLockerService' - - '"Veritas System Recovery"' - - 'EPlntegrationService' - - 'EPRedline' - - '"Client Agent 7.60"' - - 'SQLAgent$SVSTEM_BGC' - - '"Sophos Device Control Service"' - - '"Zoolz 2 Service"' - - '"Sophos AutoUpdate Service"' - - '"Sophos System Protection Service"' - - 'POVFSService' - - 'MSSQLFDLauncherSTPSAMA' - - '"Symantec System Recovery"' - - 'Antivirus' - - '"Sophos Health Service"' - - 'MSSQLFDLauncherSTPS' - - 'AcrSch2Svc' - - 'MSSQLSSVSTEM_BGC' - - 'MSSQLFDLauncherSPROFXENGAGEMENT' - - 'SQLAgentSTPS' - - '"Sophos Message Router"' - - 'MSSQLFDLauncher$S8SMONITORING' - - 'MySQL80' - - 'MSSQLSECWDB2' - - 'MSSQLWEEAMSQL2008R2' - - '"Sophos Clean Service"' - - '"Sophos Web Control Service"' - - 'EhttpSry' - - 'MSOLAPSTPSAMA' - - '"Veeam Backup Catalog Data Service"' - - 'MSSQLSSBSMONITORIMG' - - 'AcronisAgent' - - 'MySQLS7' - - 'UTODetect' - - 'MSSQLFOLauncherSSVSTEM_BGC' - - 'MSSQLSBKUPEXEC' - - 'SQLAgentSPRACTTICEBGC' - - '"Sophos MCS Client"' - - 'BackupExeclobEngine' - - 'SQLAgentSVEEAMSQL2008R2' - - '143Svc' - - '"SQLsafe Backup Service"' - - 'SQLAgentSCXDB' - - '"Sophos Safestore Service"' - - 'svcienericHost' - - 'MSSQLSTPSAMA' - - 'SQLAgentSCITRIX_METAFRAME' - - 'WeanClOudSve' - - '"Sophos File Scanner Service"' - - '"Sophos Agent"' - - 'M8EndpointAgent' - - 'mSSQLSFRACTICEMGT' - - 'SQLAgentSTPSAMA' - - 'McAfeeframework' - - '"Enterprise Client Service"' - - 'SQLAgentSSBSMONITORING' - - 'MSSQLSVEEAMSQL2012' - - 'SQ1SafeOLRService' - - 'VeeamEnterpriseHanagerSvc' - - 'SQLAgentSSQL EXPRESS' - - 'MSSQ!I.SPROFXENGAGEMEHT' - - 'IMANSVC' - - 'ARSM' - - 'MSSQLFOLavocher' - - 'MSExchangeMIA' - - 'TruekeyScheduler' - - 'MSSQ0SOPHOS' - - '"SQL Backups"' - - 'MSSQLSTPS' - - 'Weems JY' - - 'MSSQ0SHAREPOINT' - - 'mfevto' - - 'msftesq1SPROO' - - 'wozyprobackup' - - 'MSSQLSSQL_2008' - - 'MSSQLSSQLEXPRESS' - - 
'MSSQLSPRACTTICEBGE' - - 'VeeamRISTSvc' - - 'HMS' - - '"Sophos MCS Agent"' - '"Acronis VSS Provider"' - - 'MSSQLSVIEAMSQL2008112' - - 'HISSQLFDLauncherSSHAREPOINIT' - - '"SQLsafe Filter Service"' - - 'MSSQLSPROO' - - 'SQLAgentSPROO' - - 'MSOLAPSTPS' - - 'VeemaDep/oySvc' + - '"Client Agent 7.60"' + - '"Enterprise Client Service"' + - '"Sophos Agent"' + - '"Sophos AutoUpdate Service"' + - '"Sophos Clean Service"' + - '"Sophos Device Control Service"' + - '"Sophos File Scanner Service"' + - '"Sophos Health Service"' + - '"Sophos MCS Agent"' + - '"Sophos MCS Client"' + - '"Sophos Message Router"' + - '"Sophos Safestore Service"' + - '"Sophos System Protection Service"' + - '"Sophos Web Control Service"' + - '"SQL Backups"' - '"SQL Server (MSSQLSERVER)"' - '"SQL Server (SQLEXPRESS)' + - '"SQLsafe Backup Service"' + - '"SQLsafe Filter Service"' + - '"Symantec System Recovery"' + - '"Veeam Backup Catalog Data Service"' + - '"Veritas System Recovery"' + - '"Zoolz 2 Service"' + - '“Avast Business Console Client Antivirus Service”' + - '“avast! 
Antivirus”' + - '“SQL Backups”' + - '“Zoolz 2 Service”' + - '143Svc' + - 'AcronisAgent' + - 'AcrSch2Svc' + - 'Antivirus' + - 'ARSM' + - 'aswBcc' + - 'AVP' - 'BackupExecAgentAccelerator' - - 'McAfeeEngineService' - 'BackupExecAgentBrowser' - - 'McAfeeFramework' - 'BackupExecDeviceMediaService' - - 'McAfeeFrameworkMcAfeeFramework' - 'BackupExecJobEngine' - - 'McTaskManager' + - 'BackupExeclobEngine' - 'BackupExecManagementService' - - 'mfemms' - 'BackupExecRPCService' - - 'mfevtp' - 'BackupExecVSSProvider' - - 'MMS' - 'bedbg' - - 'mozyprobackup' + - 'BITS' + - 'BrokerInfrastructure' - 'DCAgent' + - 'EhttpSrv' + - 'EhttpSry' + - 'ekrn' + - 'epag' + - 'EPIntegrationService' + - 'EPlntegrationService' + - 'EPProtectedService' + - 'EPRedline' + - 'EPSecurityService' + - 'EPUpdateService' + - 'EraserSvc11710' + - 'EsgShKernel' + - 'ESHASRV' + - 'FA_Scheduler' + - 'HealthTLService' + - 'HISSQLFDLauncherSSHAREPOINIT' + - 'HMS' + - 'IISAdmin' + - 'IMANSVC' + - 'IMAP4Svc' + - 'KAVFS' + - 'KAVFSGT' + - 'kavfsslp' + - 'klnagent' + - 'LogProcessorService' + - 'M8EndpointAgent' + - 'macmnsvc' + - 'masvc' + - 'MBAMService' + - 'MBEndpointAgent' + - 'McAfeeEngineService' + - 'MCAFEEEVENTPARSERSRV' + - 'McAfeeFramework' + - 'McAfeeFrameworkMcAfeeFramework' + - 'MCAFEETOMCATSRV530' + - 'McShield' + - 'McTaskManager' + - 'mfefire' + - 'mfemms' + - 'mfevto' + - 'mfevtp' + - 'mfewc' + - 'MMS' + - 'mozyprobackup' - 'MsDtsServer' - 'MsDtsServer100' - 'MsDtsServer110' - - 'EraserSvc11710' + - 'MsDtsServer130' - 'MSExchangeES' - - 'EsgShKernel' - 'MSExchangeIS' - - 'FA_Scheduler' - 'MSExchangeMGMT' - - 'IISAdmin' + - 'MSExchangeMIA' - 'MSExchangeMTA' - - 'IMAP4Svc' - 'MSExchangeSA' - - 'macmnsvc' - 'MSExchangeSRS' - - 'masvc' - - 'MSOLAP$SQL_2008' - - 'MBAMService' - - 'MSOLAP$SYSTEM_BGC' - - 'MBEndpointAgent' - - 'MSOLAP$TPS' - - 'McShield' - - 'MSSQLSERVER' - - 'MSSQL$ECWDB2' - - 'MSSQLServerADHelper100' - - 'MSSQL$PRACTICEMGT' - - 'MSSQLServerOLAPService' - - 'MSSQL$PRACTTICEBGC' - - 
'MySQL57' - - 'MSSQL$PROFXENGAGEMENT' - - 'ntrtscan' - - 'MSSQL$SBSMONITORING' - - 'OracleClientCache80' - - 'MSSQL$SHAREPOINT' - - 'PDVFSService' - - 'MSSQL$SQL_2008' - - 'POP3Svc' - - 'MSSQL$SYSTEM_BGC' - - 'ReportServer' - - 'MSSQL$TPS' - - 'ReportServer$SQL_2008' - - 'MSSQL$TPSAMA' - - 'ReportServer$SYSTEM_BGC' - - 'ReportServer$TPS' - - 'MSSQL$VEEAMSQL2012' - - 'ReportServer$TPSAMA' - - 'MSSQLFDLauncher' - - 'RESvc' - - 'MSSQLFDLauncher$PROFXENGAGEMENT' - - 'sacsvr' - - 'MSSQLFDLauncher$SBSMONITORING' - - 'MSSQLFDLauncher$SHAREPOINT' - - 'SamSs' - - 'MSSQLFDLauncher$SQL_2008' - - 'SAVAdminService' - - 'MSSQLFDLauncher$SYSTEM_BGC' - - 'SAVService' - - 'MSOLAP$TPSAMA' - - 'MSSQLFDLauncher$TPS' - - 'MSSQL$BKUPEXEC' - - 'MSSQLFDLauncher$TPSAMA' - - 'Smcinst' - - 'SQLTELEMETRY$ECWDB2' - - 'SmcService' - - 'SQLWriter' - - 'SMTPSvc' - - 'SstpSvc' - - 'SNAC' - - 'svcGenericHost' - - 'SntpService' - - 'swi_filter' - - 'sophossps' - - 'swi_service' - - 'SQLAgent$BKUPEXEC' - - 'swi_update_64' - - 'SQLAgent$ECWDB2' - - 'TmCCSF' - - 'SQLAgent$PRACTTICEBGC' - - 'tmlisten' - - 'SQLAgent$PRACTTICEMGT' - - 'TrueKey' - - 'SQLAgent$PROFXENGAGEMENT' - - 'TrueKeyScheduler' - - 'SQLAgent$SBSMONITORING' - - 'TrueKeyServiceHelper' - - 'SQLAgent$SHAREPOINT' - - 'SQLAgent$SQL_2008' - - 'UI0Detect' - - 'SQLAgent$SYSTEM_BGC' - - 'SQLAgent$TPS' - - 'VeeamBackupSvc' - - 'SQLAgent$TPSAMA' - - 'VeeamBrokerSvc' - - 'SQLAgent$VEEAMSQL2012' - - 'VeeamCatalogSvc' - - 'SQLBrowser' - - 'VeeamCloudSvc' - - 'SDRSVC' - - 'SQLSafeOLRService' - - 'SepMasterService' - - 'SQLSERVERAGENT' - - 'ShMonitor' - - 'SQLTELEMETRY' - - 'VeeamDeploymentService' - - 'NetMsmqActivator' - - 'VeeamDeploySvc' - - 'EhttpSrv' - - 'VeeamEnterpriseManagerSvc' - - 'ekrn' - - 'VeeamMountSvc' - - 'ESHASRV' - - 'VeeamNFSSvc' - - 'MSSQL$SOPHOS' - - 'VeeamRESTSvc' - - 'SQLAgent$SOPHOS' - - 'VeeamTransportSvc' - - 'AVP' - - 'W3Svc' - - 'klnagent' - - 'MSSQL$SQLEXPRESS' - - 'WRSVC' - - 'SQLAgent$SQLEXPRESS' - - 'wbengine' - - 
'MSSQL$VEEAMSQL2008R2' - - 'kavfsslp' - - 'SQLAgent$VEEAMSQL2008R2' - - 'VeeamHvIntegrationSvc' - - 'KAVFSGT' - - 'swi_update' - - 'KAVFS' - - 'SQLAgent$CXDB' - - 'mfefire' - - 'SQLAgent$CITRIX_METAFRAME' - - '“SQL Backups”' - - '“avast! Antivirus”' - - 'MSSQL$PROD' - - 'aswBcc' - - '“Zoolz 2 Service”' - - '“Avast Business Console Client Antivirus Service”' - - 'MSSQLServerADHelper' - - 'mfewc' - - 'SQLAgent$PROD' - - 'Telemetryserver' + - 'msftesq1SPROO' - 'msftesql$PROD' - - 'WdNisSvc' - - 'WinDefend' - - 'MCAFEETOMCATSRV530' - - 'MCAFEEEVENTPARSERSRV' - - 'MSSQLFDLauncher$ITRIS' + - 'MSOLAP$SQL_2008' + - 'MSOLAP$SYSTEM_BGC' + - 'MSOLAP$TPS' + - 'MSOLAP$TPSAMA' + - 'MSOLAPSTPS' + - 'MSOLAPSTPSAMA' + - 'MSSQ!I.SPROFXENGAGEMEHT' + - 'MSSQ0SHAREPOINT' + - 'MSSQ0SOPHOS' + - 'MSSQL$BKUPEXEC' + - 'MSSQL$ECWDB2' - 'MSSQL$EPOSERVER' - 'MSSQL$ITRIS' + - 'MSSQL$PRACTICEMGT' + - 'MSSQL$PRACTTICEBGC' + - 'MSSQL$PROD' + - 'MSSQL$PROFXENGAGEMENT' + - 'MSSQL$SBSMONITORING' + - 'MSSQL$SHAREPOINT' + - 'MSSQL$SOPHOS' + - 'MSSQL$SQL_2008' + - 'MSSQL$SQLEXPRESS' + - 'MSSQL$SYSTEM_BGC' + - 'MSSQL$TPS' + - 'MSSQL$TPSAMA' + - 'MSSQL$VEEAMSQL2008R2' + - 'MSSQL$VEEAMSQL2012' + - 'MSSQLFDLauncher' + - 'MSSQLFDLauncher$ITRIS' + - 'MSSQLFDLauncher$PROFXENGAGEMENT' + - 'MSSQLFDLauncher$S8SMONITORING' + - 'MSSQLFDLauncher$SBSMONITORING' + - 'MSSQLFDLauncher$SHAREPOINT' + - 'MSSQLFDLauncher$SQL_2008' + - 'MSSQLFDLauncher$SYSTEM_BGC' + - 'MSSQLFDLauncher$TPS' + - 'MSSQLFDLauncher$TPSAMA' + - 'MSSQLFDLauncherSPROFXENGAGEMENT' + - 'MSSQLFDLauncherSTPS' + - 'MSSQLFDLauncherSTPSAMA' + - 'MSSQLFOLauncherSSVSTEM_BGC' + - 'MSSQLFOLavocher' + - 'MSSQLLaunchpad$ITRIS' + - 'MSSQLSBKUPEXEC' + - 'MSSQLSECWDB2' + - 'MSSQLSERVER' + - 'MSSQLServerADHelper' + - 'MSSQLServerADHelper100' + - 'MSSQLServerOLAPService' + - 'mSSQLSFRACTICEMGT' + - 'MSSQLSPRACTTICEBGE' + - 'MSSQLSPROO' + - 'MSSQLSSBSMONITORIMG' + - 'MSSQLSSQL_2008' + - 'MSSQLSSQLEXPRESS' + - 'MSSQLSSVSTEM_BGC' + - 'MSSQLSTPS' + - 'MSSQLSTPSAMA' + - 
'MSSQLSVEEAMSQL2012' + - 'MSSQLSVIEAMSQL2008112' + - 'MSSQLWEEAMSQL2008R2' + - 'MySQL57' + - 'MySQL80' + - 'MySQLS7' + - 'NetMsmqActivator' + - 'ntrtscan' + - 'OracleClientCache80' + - 'PDVFSService' + - 'POP3Svc' + - 'POVFSService' + - 'ReportServer' + - 'ReportServer$SQL_2008' + - 'ReportServer$SYSTEM_BGC' + - 'ReportServer$TPS' + - 'ReportServer$TPSAMA' + - 'RESvc' + - 'sacsvr' + - 'SamSs' + - 'SAVAdminService' + - 'SAVService' + - 'SDRSVC' + - 'SentinelAgent' + - 'SentinelHelperService' + - 'SepMasterService' + - 'ShMonitor' + - 'Smcinst' + - 'SmcService' + - 'SMTPSvc' + - 'SNAC' + - 'SntpService' + - 'sophossps' + - 'SQ1SafeOLRService' + - 'SQLAgent$BKUPEXEC' + - 'SQLAgent$CITRIX_METAFRAME' + - 'SQLAgent$CXDB' + - 'SQLAgent$ECWDB2' - 'SQLAgent$EPOSERVER' - 'SQLAgent$ITRIS' + - 'SQLAgent$PRACTTICEBGC' + - 'SQLAgent$PRACTTICEMGT' + - 'SQLAgent$PROD' + - 'SQLAgent$PROFXENGAGEMENT' + - 'SQLAgent$SBSMONITORING' + - 'SQLAgent$SHAREPOINT' + - 'SQLAgent$SOPHOS' + - 'SQLAgent$SQL_2008' + - 'SQLAgent$SQLEXPRESS' + - 'SQLAgent$SVSTEM_BGC' + - 'SQLAgent$SYSTEM_BGC' + - 'SQLAgent$TPS' + - 'SQLAgent$TPSAMA' + - 'SQLAgent$VEEAMSQL2008R2' + - 'SQLAgent$VEEAMSQL2012' + - 'SQLAgentSCITRIX_METAFRAME' + - 'SQLAgentSCXDB' + - 'SQLAgentSPRACTTICEBGC' + - 'SQLAgentSPROO' + - 'SQLAgentSSBSMONITORING' + - 'SQLAgentSSQL EXPRESS' + - 'SQLAgentSTPS' + - 'SQLAgentSTPSAMA' + - 'SQLAgentSVEEAMSQL2008R2' + - 'SQLBrowser' + - 'SQLSafeOLRService' + - 'SQLSERVERAGENT' + - 'SQLTELEMETRY' + - 'SQLTELEMETRY$ECWDB2' - 'SQLTELEMETRY$ITRIS' - - 'SentinelHelperService' - - 'MsDtsServer130' - - 'LogProcessorService' + - 'SQLWriter' - 'SSISTELEMETRY130' - - 'EPUpdateService' - - 'MSSQLLaunchpad$ITRIS' + - 'SstpSvc' + - 'svcGenericHost' + - 'svcienericHost' + - 'swi_filter' + - 'swi_service' + - 'swi_update' + - 'swi_update_64' + - 'Telemetryserver' + - 'ThreatLockerService' + - 'TmCCSF' + - 'tmlisten' - 'TmPfw' - - 'BITS' - - 'SentinelAgent' - - 'BrokerInfrastructure' - - 'EPProtectedService' - - 'epag' 
- - 'epredline' - - 'EPIntegrationService' - - 'EPSecurityService' + - 'TrueKey' + - 'TruekeyScheduler' + - 'TrueKeyServiceHelper' + - 'UI0Detect' + - 'UTODetect' + - 'VeeamBackupSvc' + - 'VeeamBrokerSvc' + - 'VeeamCatalogSvc' + - 'VeeamCloudSvc' + - 'VeeamDeploymentService' + - 'VeeamDeploySvc' + - 'VeeamEnterpriseHanagerSvc' + - 'VeeamEnterpriseManagerSvc' + - 'VeeamHvIntegrationSvc' + - 'VeeamMountSvc' + - 'VeeamNFSSvc' + - 'VeeamRESTSvc' + - 'VeeamRISTSvc' + - 'VeeamTransportSvc' + - 'VeemaDep/oySvc' + - 'VSS' + - 'W3Svc' + - 'wbengine' + - 'WdNisSvc' + - 'WeanClOudSve' + - 'Weems JY' + - 'WinDefend' + - 'wozyprobackup' + - 'WRSVC' condition: services and (all of selection_sc_net* or selection_pwsh) falsepositives: - Administrator or tools shutting down the services due to upgrade or removal purposes. If you experience some FP please consider adding filters to the parent process launching this command and not removing the entry diff --git a/rules/windows/raw_access_thread/raw_access_thread_disk_access_using_illegitimate_tools.yml b/rules/windows/raw_access_thread/raw_access_thread_disk_access_using_illegitimate_tools.yml index 81ad32a3d..d7a701df1 100644 --- a/rules/windows/raw_access_thread/raw_access_thread_disk_access_using_illegitimate_tools.yml +++ b/rules/windows/raw_access_thread/raw_access_thread_disk_access_using_illegitimate_tools.yml @@ -6,7 +6,7 @@ references: - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment author: Teymur Kheirkhabarov, oscd.community date: 2019/10/22 -modified: 2022/11/08 +modified: 2022/11/29 tags: - attack.defense_evasion - attack.t1006 @@ -24,7 +24,6 @@ detection: - 'C:\Windows\servicing\' - 'C:\Windows\CCM\' - 'C:\Windows\uus\' - - 'C:\Windows\WinSxs\' filter_3: ProcessId: 4 filter_specific: diff --git a/tests/test_rules.py b/tests/test_rules.py index a76aa41bb..ca972a980 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py 
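Review bot: The re-sorted `services` list keeps several entries that look like transcription errors next to their correct forms — `'MSSQLSTPS'` beside `'MSSQL$TPS'`, `'VeemaDep/oySvc'` beside `'VeeamDeploySvc'`, `'Weems JY'`, `'WeanClOudSve'`, `'MSSQ!I.SPROFXENGAGEMEHT'` — plus both straight- and curly-quoted copies of `"SQL Backups"` and `"Zoolz 2 Service"`. If these are deliberately kept because they reproduce the literal strings found in a malware sample, a comment at the top of the list saying so (and naming the source) would stop the next reviewer from "fixing" them; otherwise they are dead entries. Separately, very short values such as `'VSS'`, `'BITS'`, `'MMS'`, `'HMS'`, `'AVP'` and `'Antivirus'` match a wide range of service names under `CommandLine|contains`, which is worth a sentence in `falsepositives` since the condition only needs one of them next to a stop command. The hunk begins at the `services:` key and the condition line is visible at its end.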
@@ -13,6 +13,7 @@ import re from attackcti import attack_client from colorama import init from colorama import Fore +import collections class TestRules(unittest.TestCase): 
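Review bot: `import collections` is added after the third-party `attackcti` and `colorama` imports, while the file's standard-library imports (the hunk's context line is `import re`) sit above them; for PEP 8 grouping the new line belongs next to `import re`. `from collections import Counter` would also keep the later call site shorter.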
@@ -126,23 +127,35 @@ class TestRules(unittest.TestCase): "There are rules with duplicate tags") def test_look_for_duplicate_filters(self): - def check_list_or_recurse_on_dict(item, depth: int) -> None: + def check_list_or_recurse_on_dict(item, depth: int, special: bool) -> None: if type(item) == list: - check_if_list_contain_duplicates(item, depth) + check_if_list_contain_duplicates(item, depth, special) elif type(item) == dict and depth <= MAX_DEPTH: - for sub_item in item.values(): - check_list_or_recurse_on_dict(sub_item, depth + 1) + for keys, sub_item in item.items(): + if "|base64" in keys: # Covers both "base64" and "base64offset" modifiers + check_list_or_recurse_on_dict(sub_item, depth + 1, True) + else: + check_list_or_recurse_on_dict(sub_item, depth + 1, special) - def check_if_list_contain_duplicates(item: list, depth: int) -> None: + def check_if_list_contain_duplicates(item: list, depth: int, special: bool) -> None: try: - if len(item) != len(set(item)): - print(Fore.RED + "Rule {} has duplicate filters".format(file)) + # We use a list comprehension to convert all the element to lowercase. Since we don't care about casing in SIGMA except for the following modifiers + # - "base64offset" + # - "base64" + if special: + item_ = item + else: + item_= [i.lower() for i in item] + if len(item_) != len(set(item_)): + # We find the duplicates and then print them to the user + duplicates = [i for i, count in collections.Counter(item_).items() if count > 1] + print(Fore.RED + "Rule {} has duplicate filters {}".format(file, duplicates)) files_with_duplicate_filters.append(file) except: # unhashable types like dictionaries for sub_item in item: if type(sub_item) == dict and depth <= MAX_DEPTH: - check_list_or_recurse_on_dict(sub_item, depth + 1) + check_list_or_recurse_on_dict(sub_item, depth + 1, special) MAX_DEPTH = 3 files_with_duplicate_filters = [] 
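Review bot: `item_= [i.lower() for i in item]` raises AttributeError for a list of non-strings (for example an integer `EventID` list), which the pre-existing bare `except:` swallows before treating the list as a list of dicts, so duplicate integer values are no longer reported even though the old `len(item) != len(set(item))` caught them. `item_ = [i.lower() if isinstance(i, str) else i for i in item]` restores that and fixes the missing space before `=`. Lower-casing is also applied to lists under `|re` keys, whose patterns are, as far as I know, case-sensitive in Sigma, so two regexes differing only in case would be reported as duplicates; the `special` flag could be set for `"|re"` keys the same way it is for `"|base64"`. Narrowing the bare `except:` to `except TypeError:` would keep real bugs from being hidden. The enclosing test method continues past the hunk.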
@@ -150,7 +163,7 @@ class TestRules(unittest.TestCase): for file in self.yield_next_rule_file_path(self.path_to_rules): detection = self.get_rule_part( file_path=file, part_name="detection") - check_list_or_recurse_on_dict(detection, 1) + check_list_or_recurse_on_dict(detection, 1, False) self.assertEqual(files_with_duplicate_filters, [], Fore.RED + "There are rules with duplicate filters") From 9c8e00fe6624d28c7a688dc2ad8e3e4c928962fd Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Tue, 29 Nov 2022 12:39:12 +0100 Subject: [PATCH 030/303] fix: FP found in testing --- .../proc_creation_win_susp_parent_of_conhost.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_susp_parent_of_conhost.yml b/rules/windows/process_creation/proc_creation_win_susp_parent_of_conhost.yml index 138df7b91..ee024ae05 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_parent_of_conhost.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_parent_of_conhost.yml @@ -6,7 +6,7 @@ references: - https://www.elastic.co/guide/en/security/current/conhost-spawned-by-suspicious-parent-process.html author: Tim Rauch date: 2022/09/28 -modified: 2022/11/23 +modified: 2022/11/29 tags: - attack.execution - attack.t1059 @@ -31,7 +31,7 @@ detection: - '\spoolsv.exe' # - '\wermgr.exe' # Legitimate parent as seen in EchoTrail https://www.echotrail.io/insights/search/wermgr.exe # - '\csrss.exe' # Legitimate parent as seen in EchoTrail https://www.echotrail.io/insights/search/csrss.exe - - '\ctfmon.exe' + # - '\ctfmon.exe' # Seen several times in a testing environment filter: ParentCommandLine|contains: - '-k apphost -s AppHostSvc' 
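Review bot: The comment `# Seen several times in a testing environment` on the commented-out `'\ctfmon.exe'` entry does not say whether the conhost-under-ctfmon activity was confirmed benign or merely frequent, which is what a later reviewer needs in order to decide whether to re-enable the entry. The neighbouring wermgr/csrss entries cite an EchoTrail page, which is the pattern to follow, e.g. `# - '\ctfmon.exe' # Legitimate parent: conhost spawned by ctfmon observed on <OS build / workload> during testing`. The parent list and the filter block continue outside the hunk.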
@@ -39,6 +39,7 @@ detection: - '-k LocalSystemNetworkRestricted -p -s NgcSvc' - '-k netsvcs -p -s NetSetupSvc' - '-k netsvcs -p -s wlidsvc' + - '-k NetworkService -p -s DoSvc' - '-k wsappx -p -s AppXSvc' - '-k wsappx -p -s ClipSVC' - 'C:\Program Files (x86)\Dropbox\Client\' From 04a1d29eacf9645050656d05da4109f3f494cedd Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 29 Nov 2022 23:24:34 +0100 Subject: [PATCH 031/303] feat: update driver rules --- .../driver_load/driver_load_vuln_drivers.yml | 30 ++++++++++++++++++- .../driver_load_vuln_drivers_names.yml | 8 ++++- 2 files changed, 36 insertions(+), 2 deletions(-) diff --git a/rules/windows/driver_load/driver_load_vuln_drivers.yml b/rules/windows/driver_load/driver_load_vuln_drivers.yml index d544236f3..5d9bf7866 100644 --- a/rules/windows/driver_load/driver_load_vuln_drivers.yml +++ b/rules/windows/driver_load/driver_load_vuln_drivers.yml @@ -21,7 +21,7 @@ references: - https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part author: Nasreddine Bencherchali date: 2022/08/18 -modified: 2022/11/28 +modified: 2022/11/29 tags: - attack.privilege_escalation - attack.t1543.003 
@@ -287,6 +287,13 @@ detection: # Vuln driver version obtained from: https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part # Version hash obtained from: https://winbindex.m417z.com/?arch=&file=clfs.sys - 'SHA1=06232f7ea7ea24102d452427aedbbc8b8e188a0c' + # Powertool Drivers obtained from VT by pivoting on the Imphash: f5030145594c486434040aa2636a5dde + - 'SHA1=a380aeb3ffaecc53ca48bb1d4d622c46f1de7962' + - 'SHA1=4927d843577bada119a17b249ff4e7f5e9983a92' + - 'SHA1=e5114fd50904c7fb75d8c86367b9a2dd4f79dfb1' + - 'SHA1=3ccf1f3ac636a5e21b39ede48ff49fa23e05413f' + - 'SHA1=755349d56cdd668ca22eebc4fc89f0cccef47327' + - 'SHA1=56af49e030eb85528e82849d7d1b6147f3c4973e' # The list below is from https://github.com/namazso/physmem_drivers - 'SHA256=05F052C64D192CF69A462A5EC16DDA0D43CA5D0245900C9FCB9201685A2E7748' - 'SHA256=4045AE77859B1DBF13972451972EAAF6F3C97BEA423E9E78F1C2F14330CD47CA' @@ -540,6 +547,13 @@ detection: # Vuln driver version obtained from: https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part # Version hash obtained from: https://winbindex.m417z.com/?arch=&file=clfs.sys - 'SHA256=5d712d3fad791bdc67502ed7c6586ca39d12ae26c7b245c36effec92e3cda08e' + # Powertool Drivers obtained from VT by pivoting on the Imphash: f5030145594c486434040aa2636a5dde + - 'SHA256=e61004335dfe7349f2b2252baa1e111fb47c0f2d6c78a060502b6fcc92f801e4' + - 'SHA256=7c0f77d103015fc29379ba75d133dc3450d557b0ba1f7495c6b43447abdae230' + - 'SHA256=97363f377aaf3c01641ac04a15714acbec978afb1219ac8f22c7e5df7f2b2d56' + - 'SHA256=8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f' + - 'SHA256=09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184' + - 'SHA256=2a4f4400402cdc475d39389645ca825bb0e775c3ecb7c527e30c5be44e24af7d' selection_other: - SHA1: # The list below is from https://github.com/namazso/physmem_drivers and the SHA1 are from VT 
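Review bot: The six PowerTool `SHA1=`/`SHA256=` values added here are repeated as bare hashes in the `SHA1:`/`SHA256:` selections of the following two hunks, so each hash now lives in four places with no single source of truth and a typo in one copy would go unnoticed. The comment attributes them to an Imphash pivot, and an Imphash groups binaries by import table rather than identity, so a benign driver built with the same imports can share it; a note that each hash was individually confirmed as the kEvP64 driver, or a `# TODO(review): confirm each hash individually` placeholder, would show the FP risk was considered. The hunks are purely additive list entries, so nothing else needs to change.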
@@ -798,6 +812,13 @@ detection: # Vuln driver version obtained from: https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part # Version hash obtained from: https://winbindex.m417z.com/?arch=&file=clfs.sys - '06232f7ea7ea24102d452427aedbbc8b8e188a0c' + # Powertool Drivers obtained from VT by pivoting on the Imphash: f5030145594c486434040aa2636a5dde + - 'a380aeb3ffaecc53ca48bb1d4d622c46f1de7962' + - '4927d843577bada119a17b249ff4e7f5e9983a92' + - 'e5114fd50904c7fb75d8c86367b9a2dd4f79dfb1' + - '3ccf1f3ac636a5e21b39ede48ff49fa23e05413f' + - '755349d56cdd668ca22eebc4fc89f0cccef47327' + - '56af49e030eb85528e82849d7d1b6147f3c4973e' - SHA256: # The list below is from https://github.com/namazso/physmem_drivers - '04A85E359525D662338CAE86C1E59B1D7AA9BD12B920E8067503723DC1E03162' @@ -1059,6 +1080,13 @@ detection: # Vuln driver version obtained from: https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part # Version hash obtained from: https://winbindex.m417z.com/?arch=&file=clfs.sys - '5d712d3fad791bdc67502ed7c6586ca39d12ae26c7b245c36effec92e3cda08e' + # Powertool Drivers obtained from VT by pivoting on the Imphash: f5030145594c486434040aa2636a5dde + - 'e61004335dfe7349f2b2252baa1e111fb47c0f2d6c78a060502b6fcc92f801e4' + - '7c0f77d103015fc29379ba75d133dc3450d557b0ba1f7495c6b43447abdae230' + - '97363f377aaf3c01641ac04a15714acbec978afb1219ac8f22c7e5df7f2b2d56' + - '8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f' + - '09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184' + - '2a4f4400402cdc475d39389645ca825bb0e775c3ecb7c527e30c5be44e24af7d' condition: 1 of selection* falsepositives: - Unknown diff --git a/rules/windows/driver_load/driver_load_vuln_drivers_names.yml b/rules/windows/driver_load/driver_load_vuln_drivers_names.yml index 36e520478..4cc6e8b17 100644 
--- a/rules/windows/driver_load/driver_load_vuln_drivers_names.yml +++ b/rules/windows/driver_load/driver_load_vuln_drivers_names.yml @@ -20,7 +20,7 @@ references: - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37969 author: Nasreddine Bencherchali date: 2022/10/03 -modified: 2022/10/17 +modified: 2022/11/29 tags: - attack.privilege_escalation - attack.t1543.003 @@ -187,6 +187,7 @@ detection: - '\gmer.sys' - '\PCADRVX64.sys' - '\clfs.sys' + - '' # WinRing0 other names from VT (https://eclypsium.com/2019/11/12/mother-of-all-drivers/) - '\ActiveHealth.sys' - '\CAM_V3.sys' @@ -203,6 +204,11 @@ detection: - '\ohm.sys' - '\sensorsview32_64.sys' - '\touchpointanalyticsclient.sys' + # PowerTool driver (kEvP64) renames from VT + - '\CQg5Jf.sys' + - '\HCdRDh.sys' + - '\NcDgDn.sys' + - '\vLTZ19.sys' condition: selection falsepositives: - Some false positives may occure if one of the vulnerable driver names mentioned above didn't change it's name between versions. So always make sure that the driver being loaded is the legitimate one and the non vulnerable version. From 02e68a3d2658d8807d1afdcfbe7aea02b8cc2ee5 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 29 Nov 2022 23:24:49 +0100 Subject: [PATCH 032/303] feat: new powertool rule --- .../proc_creation_win_powertool_execution.yml | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 rules/windows/process_creation/proc_creation_win_powertool_execution.yml diff --git a/rules/windows/process_creation/proc_creation_win_powertool_execution.yml b/rules/windows/process_creation/proc_creation_win_powertool_execution.yml new file mode 100644 index 000000000..89f26df5e --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_powertool_execution.yml 
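Review bot: The `- ''` added in the `@@ -187,6 +187,7 @@` hunk is an empty string in a list of driver-name suffixes (`'\clfs.sys'` and friends); the field line with its modifier is outside the hunk, presumably an `|endswith` list, and an empty pattern is contained in every value, so `selection` would fire on every driver load. It should be dropped, as commit 02e68a3d later in this series does, and a repository test that rejects empty strings inside selection lists would catch the next one before merge. The four renamed-driver entries in the `@@ -203` hunk are fine.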
@@ -0,0 +1,27 @@ +title: PowerTool Execution +id: a34f79a3-8e5f-4cc3-b765-de00695452c2 +status: experimental +description: Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files +references: + - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/ + - https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html + - https://twitter.com/gbti_sa/status/1249653895900602375?lang=en + - https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml +author: Nasreddine Bencherchali +date: 2022/11/29 +tags: + - attack.defense_evasion + - attack.t1562.001 +logsource: + product: windows + category: process_creation +detection: + selection: + - Image|endswith: + - '\PowerTool.exe' + - '\PowerTool64.exe' + - OriginalFileName: 'PowerTool.exe' + condition: selection +falsepositives: + - Unlikely +level: high From 18d974c7510c4bb677074e6f2b7e8c977d309960 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 29 Nov 2022 23:29:38 +0100 Subject: [PATCH 033/303] feat: new test for references case --- tests/test_rules.py | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/tests/test_rules.py b/tests/test_rules.py index ca972a980..d4e6f1e60 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py 
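Review bot: The rule carries no `related:` block tying it to `driver_load_vuln_drivers.yml` and `driver_load_vuln_drivers_names.yml`, which the previous commit in this series extends with the PowerTool driver hashes and names; this ruleset uses `related:` with `- id:` / `type:` entries elsewhere (see the Invoke-Obfuscation rules), so adding `related:` with those two rule ids and `type: similar` would let an analyst pivot from the process event to the driver-load event. The detection also keys only on `Image|endswith` and `OriginalFileName`, so a copy with a different file name and a stripped version resource is not covered; a sentence in `description` saying the rule relies on the original file name would set expectations. `status: experimental` and the `Unlikely` false-positive entry are consistent with a new rule.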
@@ -672,6 +672,25 @@ class TestRules(unittest.TestCase): self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with malformed 'references' fields. (has to be a list of values even if it contains only a single value)") + def test_references_in_description(self): + # This test checks for the presence of a links and special keywords in the "description" field while there is no "references" field. + faulty_rules = [] + for file in self.yield_next_rule_file_path(self.path_to_rules): + references = self.get_rule_part( + file_path=file, part_name="references") + # Reference field doesn't exist + if not references: + descriptionfield = self.get_rule_part( + file_path=file, part_name="description") + if descriptionfield: + for i in ["http://", "https://", "Internal Research"]: # Extends the list with other common references starters + if i in descriptionfield: + print(Fore.RED + "Rule {} has malformed description field that contain references to external links.".format(file)) + faulty_rules.append(file) + + self.assertEqual(faulty_rules, [], Fore.RED + + "There are rules with malformed 'description' fields. (links and external references have to be in a seperate field named 'references'. see specification https://github.com/SigmaHQ/sigma-specification)") + def test_references_plural(self): faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): From 92965e6f7eca419179e1c7cff168ebeb28d82599 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 29 Nov 2022 23:43:03 +0100 Subject: [PATCH 034/303] fix: fix broken description --- rules/proxy/proxy_ua_bitsadmin_susp_tld.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml b/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml index 06376a5b0..35990eb17 100644 --- a/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml +++ b/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml 
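Review bot: `faulty_rules.append(file)` runs inside the `for i in [...]` loop, so a description containing two markers (for instance both `http://` and `https://`) is printed and appended once per marker, which inflates the failure list; add `break` after the append, or test once with `if any(i in descriptionfield for i in markers):`. The assertion message also misspells "separate" as `seperate`, and "has malformed description field that contain" should read "has a malformed description field that contains".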
@@ -1,7 +1,10 @@ title: Bitsadmin to Uncommon TLD id: 9eb68894-7476-4cd6-8752-23b51f5883a7 status: experimental -description: Detects Bitsadmin connections to domains with uncommon TLDs - https://twitter.com/jhencinski/status/1102695118455349248 - https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/ +description: Detects Bitsadmin connections to domains with uncommon TLDs +references: + - https://twitter.com/jhencinski/status/1102695118455349248 + - https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/ author: Florian Roth, Tim Shelton date: 2019/03/07 modified: 2022/08/16 From d82e3de11ce582b03077936950ebfee377f479e7 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 30 Nov 2022 00:57:38 +0100 Subject: [PATCH 035/303] fix: fix empty field in selection --- rules/windows/driver_load/driver_load_vuln_drivers_names.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/rules/windows/driver_load/driver_load_vuln_drivers_names.yml b/rules/windows/driver_load/driver_load_vuln_drivers_names.yml index 4cc6e8b17..07d18c8ef 100644 --- a/rules/windows/driver_load/driver_load_vuln_drivers_names.yml +++ b/rules/windows/driver_load/driver_load_vuln_drivers_names.yml @@ -187,7 +187,6 @@ detection: - '\gmer.sys' - '\PCADRVX64.sys' - '\clfs.sys' - - '' # WinRing0 other names from VT (https://eclypsium.com/2019/11/12/mother-of-all-drivers/) - '\ActiveHealth.sys' - '\CAM_V3.sys' From c2e85f4080482096c7b2a82a5bef9e6babd2a8ef Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 30 Nov 2022 10:06:10 +0100 Subject: [PATCH 036/303] feat: update the test to test for lowercase Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com> --- tests/test_rules.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/test_rules.py b/tests/test_rules.py index d4e6f1e60..8c2890d27 100755 
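Review bot: `modified: 2022/08/16` is left unchanged although the rule's `description` was rewritten and a `references` block added; the other commits in this series bump `modified` whenever a rule body changes, so this one should read `modified: 2022/11/29` to match the commit date. The split itself is correct and is what the test added in the previous commit was written to catch.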
--- a/tests/test_rules.py +++ b/tests/test_rules.py @@ -683,8 +683,8 @@ class TestRules(unittest.TestCase): descriptionfield = self.get_rule_part( file_path=file, part_name="description") if descriptionfield: - for i in ["http://", "https://", "Internal Research"]: # Extends the list with other common references starters - if i in descriptionfield: + for i in ["http://", "https://", "internal research"]: # Extends the list with other common references starters + if i in descriptionfield.lower(): print(Fore.RED + "Rule {} has malformed description field that contain references to external links.".format(file)) faulty_rules.append(file) From 25c41ea73c949d443789524f951d9a02ab7b7c44 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 30 Nov 2022 10:21:24 +0100 Subject: [PATCH 037/303] fix: update error message Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com> --- tests/test_rules.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/test_rules.py b/tests/test_rules.py index 8c2890d27..407a30624 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py @@ -685,7 +685,7 @@ class TestRules(unittest.TestCase): if descriptionfield: for i in ["http://", "https://", "internal research"]: # Extends the list with other common references starters if i in descriptionfield.lower(): - print(Fore.RED + "Rule {} has malformed description field that contain references to external links.".format(file)) + print(Fore.RED + "Rule {} has a field that contains references to external links but no references set. Add a 'references' key and add URLs as list items.".format(file)) faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + From 76fece654a136b608ad5d628bdef3d3a656fe5be Mon Sep 17 00:00:00 2001 
From: Fukusuke Takahashi <41001169+fukusuket@users.noreply.github.com> Date: Wed, 30 Nov 2022 19:43:49 +0900 Subject: [PATCH 038/303] fix: explicitly escape `{` to make it clear that it is a literal (#3737) --- .../powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml | 2 +- .../powershell_script/posh_ps_invoke_obfuscation_stdin.yml | 2 +- .../powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml | 2 +- .../proc_creation_win_lolbin_class_exec_xwizard.yml | 2 +- .../proc_creation_win_powershell_cmdline_special_characters.yml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml index 264ebea41..ec2017ce7 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml @@ -21,7 +21,7 @@ logsource: definition: PowerShell Module Logging must be enabled detection: selection_4103: - Payload|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"' + Payload|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\$?\{?input).*&&.*"' condition: selection_4103 falsepositives: - Unknown diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml index 1b6852542..206d3174b 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml 
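Review bot: In the new `Payload|re` value the `?` that used to make `{` optional (`\${?input`) has moved onto the dollar sign (`\$?\{?input`), so `$` is now optional and the alternation matches any payload that merely contains `input`, which widens the rule well beyond the escaping the subject line describes. The same slip is in the `posh_ps_invoke_obfuscation_stdin.yml` hunk (`\$?\{?input\}?`), while the `posh_ps_invoke_obfuscation_via_stdin.yml` hunk in this commit has the intended form. The lines should be `Payload|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\$\{?input).*&&.*"'` and `ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'`.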
@@ -18,7 +18,7 @@ logsource: definition: Script block logging must be enabled detection: selection_4104: - ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"' + ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$?\{?input\}?|noexit).+\"' condition: selection_4104 falsepositives: - Unknown diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml index 43e172219..fadd177b3 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml @@ -18,7 +18,7 @@ logsource: definition: Script block logging must be enabled detection: selection_4104: - ScriptBlockText|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"' + ScriptBlockText|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\$\{?input).*&&.*"' condition: selection_4104 falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_class_exec_xwizard.yml b/rules/windows/process_creation/proc_creation_win_lolbin_class_exec_xwizard.yml index 4142110c3..4d6688ff0 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_class_exec_xwizard.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_class_exec_xwizard.yml @@ -16,7 +16,7 @@ logsource: detection: selection: Image|endswith: '\xwizard.exe' - CommandLine|re: '{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}}' + CommandLine|re: '\{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}\}' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml b/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml index 64daeed83..50d2c0e20 100644 
--- a/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml @@ -30,7 +30,7 @@ detection: Image|endswith: - '\powershell.exe' - '\pwsh.exe' - CommandLine|re: '.*{.*{.*{.*{.*{.*' + CommandLine|re: '.*\{.*\{.*\{.*\{.*\{.*' selection4: Image|endswith: - '\powershell.exe' From a674ee246bd02271f5e46d00010320112c9df17c Mon Sep 17 00:00:00 2001 
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Wed, 30 Nov 2022 11:44:15 +0100 Subject: [PATCH 039/303] Update Title (#3739) --- ...in_security_invoke_obfuscation_stdin_services_security.yml | 4 ++-- .../win_security_invoke_obfuscation_var_services_security.yml | 4 ++-- ...rity_invoke_obfuscation_via_compress_services_security.yml | 4 ++-- ...curity_invoke_obfuscation_via_rundll_services_security.yml | 4 ++-- ...ecurity_invoke_obfuscation_via_stdin_services_security.yml | 4 ++-- ...rity_invoke_obfuscation_via_use_clip_services_security.yml | 4 ++-- ...ity_invoke_obfuscation_via_use_mshta_services_security.yml | 4 ++-- ..._invoke_obfuscation_via_use_rundll32_services_security.yml | 4 ++-- ..._security_invoke_obfuscation_via_var_services_security.yml | 4 ++-- .../windows/builtin/security/win_security_mal_creddumper.yml | 4 ++-- ..._meterpreter_or_cobaltstrike_getsystem_service_install.yml | 4 ++-- .../win_security_powershell_script_installed_as_service.yml | 4 ++-- .../win_security_susp_outbound_kerberos_connection.yml | 4 ++-- .../builtin/security/win_security_tap_driver_installation.yml | 4 ++-- .../windows/builtin/security/win_security_wmi_persistence.yml | 4 ++-- .../system/win_system_invoke_obfuscation_stdin_services.yml | 4 ++-- .../system/win_system_invoke_obfuscation_var_services.yml | 4 ++-- .../win_system_invoke_obfuscation_via_compress_services.yml | 4 ++-- .../win_system_invoke_obfuscation_via_rundll_services.yml | 4 ++-- .../win_system_invoke_obfuscation_via_stdin_services.yml | 4 ++-- .../win_system_invoke_obfuscation_via_use_clip_services.yml | 4 ++-- .../win_system_invoke_obfuscation_via_use_mshta_services.yml | 4 ++-- ...in_system_invoke_obfuscation_via_use_rundll32_services.yml | 4 ++-- .../system/win_system_invoke_obfuscation_via_var_services.yml | 4 ++-- rules/windows/builtin/system/win_system_mal_creddumper.yml | 4 ++-- ...rpreter_or_cobaltstrike_getsystem_service_installation.yml | 4 ++-- 
rules/windows/builtin/system/win_system_moriya_rootkit.yml | 4 ++-- .../file/file_event/file_event_win_advanced_ip_scanner.yml | 4 ++-- .../image_load/image_load_sysmon_disable_sharpevtmute.yml | 3 ++- .../powershell_module/posh_pm_invoke_obfuscation_stdin.yml | 4 ++-- .../powershell_module/posh_pm_invoke_obfuscation_var.yml | 4 ++-- .../posh_pm_invoke_obfuscation_via_compress.yml | 4 ++-- .../posh_pm_invoke_obfuscation_via_rundll.yml | 4 ++-- .../posh_pm_invoke_obfuscation_via_stdin.yml | 4 ++-- .../posh_pm_invoke_obfuscation_via_use_clip.yml | 4 ++-- .../posh_pm_invoke_obfuscation_via_use_mhsta.yml | 4 ++-- .../posh_pm_invoke_obfuscation_via_use_rundll32.yml | 4 ++-- .../powershell_module/posh_pm_invoke_obfuscation_via_var.yml | 4 ++-- .../powershell_script/posh_ps_invoke_obfuscation_stdin.yml | 4 ++-- .../powershell_script/posh_ps_invoke_obfuscation_var.yml | 4 ++-- .../posh_ps_invoke_obfuscation_via_compress.yml | 4 ++-- .../posh_ps_invoke_obfuscation_via_rundll.yml | 4 ++-- .../posh_ps_invoke_obfuscation_via_stdin.yml | 4 ++-- .../posh_ps_invoke_obfuscation_via_use_clip.yml | 4 ++-- .../posh_ps_invoke_obfuscation_via_use_mhsta.yml | 4 ++-- .../posh_ps_invoke_obfuscation_via_use_rundll32.yml | 4 ++-- .../powershell_script/posh_ps_invoke_obfuscation_via_var.yml | 4 ++-- .../proc_creation_win_wmic_computersystem_recon.yml | 3 ++- .../registry_add/registry_add_sysinternals_eula_accepted.yml | 4 ++-- .../registry_event/registry_event_net_ntlm_downgrade.yml | 4 ++-- 50 files changed, 100 insertions(+), 98 deletions(-) diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_stdin_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_stdin_services_security.yml index e92ba8390..e5410b21d 100644 --- a/rules/windows/builtin/security/win_security_invoke_obfuscation_stdin_services_security.yml +++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_stdin_services_security.yml 
@@ -1,4 +1,4 @@ -title: Invoke-Obfuscation STDIN+ Launcher +title: Invoke-Obfuscation STDIN+ Launcher - Security id: 0c718a5e-4284-4fb9-b4d9-b9a50b3a1974 related: - id: 72862bf2-0eb1-11eb-adc1-0242ac120002 @@ -9,7 +9,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25) author: Jonathan Cheong, oscd.community date: 2020/10/15 -modified: 2022/02/03 +modified: 2022/11/29 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_var_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_var_services_security.yml index 3e9ad2a3d..ccdbd306d 100644 --- a/rules/windows/builtin/security/win_security_invoke_obfuscation_var_services_security.yml +++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_var_services_security.yml @@ -1,4 +1,4 @@ -title: Invoke-Obfuscation VAR+ Launcher +title: Invoke-Obfuscation VAR+ Launcher - Security id: dcf2db1f-f091-425b-a821-c05875b8925a related: - id: 8ca7004b-e620-4ecb-870e-86129b5b8e75 @@ -9,7 +9,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24) author: Jonathan Cheong, oscd.community date: 2020/10/15 -modified: 2022/11/17 +modified: 2022/11/29 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_compress_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_compress_services_security.yml index 0d343062d..4fd05aae6 100644 --- a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_compress_services_security.yml +++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_compress_services_security.yml @@ -1,4 +1,4 @@ -title: Invoke-Obfuscation COMPRESS OBFUSCATION +title: Invoke-Obfuscation COMPRESS OBFUSCATION - Security id: 7a922f1b-2635-4d6c-91ef-af228b198ad3 related: - id: 175997c5-803c-4b08-8bb0-70b099f47595 
@@ -9,7 +9,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19) author: Timur Zinniatullin, oscd.community date: 2020/10/18 -modified: 2022/10/10 +modified: 2022/11/29 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_rundll_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_rundll_services_security.yml index 296db2432..e5aca8c5f 100644 --- a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_rundll_services_security.yml +++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_rundll_services_security.yml @@ -1,4 +1,4 @@ -title: Invoke-Obfuscation RUNDLL LAUNCHER +title: Invoke-Obfuscation RUNDLL LAUNCHER - Security id: f241cf1b-3a6b-4e1a-b4f9-133c00dd95ca related: - id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9 @@ -9,7 +9,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23) author: Timur Zinniatullin, oscd.community date: 2020/10/18 -modified: 2022/03/06 +modified: 2022/11/29 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_stdin_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_stdin_services_security.yml index 5cf5c548e..8fbfc81c5 100644 --- a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_stdin_services_security.yml +++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_stdin_services_security.yml @@ -1,4 +1,4 @@ -title: Invoke-Obfuscation Via Stdin +title: Invoke-Obfuscation Via Stdin - Security id: 80b708f3-d034-40e4-a6c8-d23b7a7db3d1 related: - id: 487c7524-f892-4054-b263-8a0ace63fc25 @@ -9,7 +9,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task28) author: Nikita Nazarov, oscd.community date: 2020/10/12 -modified: 2022/02/03 +modified: 2022/11/29 tags: - attack.defense_evasion - attack.t1027 
diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_clip_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_clip_services_security.yml index c074a1adc..993ea36df 100644 --- a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_clip_services_security.yml +++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_clip_services_security.yml @@ -1,4 +1,4 @@ -title: Invoke-Obfuscation Via Use Clip +title: Invoke-Obfuscation Via Use Clip - Security id: 1a0a2ff1-611b-4dac-8216-8a7b47c618a6 related: - id: 63e3365d-4824-42d8-8b82-e56810fefa0c @@ -9,7 +9,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task29) author: Nikita Nazarov, oscd.community date: 2020/10/09 -modified: 2022/04/26 +modified: 2022/11/29 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_mshta_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_mshta_services_security.yml index 9bbd74ce0..6d35db162 100644 --- a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_mshta_services_security.yml +++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_mshta_services_security.yml @@ -1,4 +1,4 @@ -title: Invoke-Obfuscation Via Use MSHTA +title: Invoke-Obfuscation Via Use MSHTA - Security id: 9b8d9203-4e0f-4cd9-bb06-4cc4ea6d0e9a related: - id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4 @@ -9,7 +9,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task31) author: Nikita Nazarov, oscd.community date: 2020/10/09 -modified: 2022/02/03 +modified: 2022/11/29 tags: - attack.defense_evasion - attack.t1027 
diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_rundll32_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_rundll32_services_security.yml index 950410203..9162070c8 100644 --- a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_rundll32_services_security.yml +++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_use_rundll32_services_security.yml @@ -1,4 +1,4 @@ -title: Invoke-Obfuscation Via Use Rundll32 +title: Invoke-Obfuscation Via Use Rundll32 - Security id: cd0f7229-d16f-42de-8fe3-fba365fbcb3a related: - id: 641a4bfb-c017-44f7-800c-2aee0184ce9b @@ -9,7 +9,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task30) author: Nikita Nazarov, oscd.community date: 2020/10/09 -modified: 2022/03/06 +modified: 2022/11/29 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_var_services_security.yml b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_var_services_security.yml index c14da7c1d..0d871fb2f 100644 --- a/rules/windows/builtin/security/win_security_invoke_obfuscation_via_var_services_security.yml +++ b/rules/windows/builtin/security/win_security_invoke_obfuscation_via_var_services_security.yml @@ -1,4 +1,4 @@ -title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION +title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - Security id: 4c54ba8f-73d2-4d40-8890-d9cf1dca3d30 related: - id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6 @@ -9,7 +9,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task27) author: Timur Zinniatullin, oscd.community date: 2020/10/13 -modified: 2022/11/17 +modified: 2022/11/29 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/builtin/security/win_security_mal_creddumper.yml b/rules/windows/builtin/security/win_security_mal_creddumper.yml index 43921309e..f8146e092 100644 
--- a/rules/windows/builtin/security/win_security_mal_creddumper.yml +++ b/rules/windows/builtin/security/win_security_mal_creddumper.yml @@ -1,4 +1,4 @@ -title: Credential Dumping Tools Service Execution +title: Credential Dumping Tools Service Execution - Security id: f0d1feba-4344-4ca9-8121-a6c97bd6df52 related: - id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed @@ -9,7 +9,7 @@ references: - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community date: 2017/03/05 -modified: 2022/10/09 +modified: 2022/11/29 tags: - attack.credential_access - attack.execution diff --git a/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml b/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml index 67aff470d..72343baff 100644 --- a/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml +++ b/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml @@ -1,4 +1,4 @@ -title: Meterpreter or Cobalt Strike Getsystem Service Installation +title: Meterpreter or Cobalt Strike Getsystem Service Installation - Security id: ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34 related: - id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6 @@ -10,7 +10,7 @@ references: - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/ author: Teymur Kheirkhabarov, Ecco, Florian Roth date: 2019/10/26 -modified: 2022/10/09 +modified: 2022/11/29 tags: - attack.privilege_escalation - attack.t1134.001 diff --git a/rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml b/rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml index 3b956de46..fd4ec339f 100644 --- a/rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml 
+++ b/rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml @@ -1,4 +1,4 @@ -title: PowerShell Scripts Installed as Services +title: PowerShell Scripts Installed as Services - Security id: 2a926e6a-4b81-4011-8a96-e36cc8c04302 related: - id: a2e5019d-a658-4c6a-92bf-7197b54e2cae @@ -9,7 +9,7 @@ references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse author: oscd.community, Natalia Shornikova date: 2020/10/06 -modified: 2022/10/09 +modified: 2022/11/29 tags: - attack.execution - attack.t1569.002 diff --git a/rules/windows/builtin/security/win_security_susp_outbound_kerberos_connection.yml b/rules/windows/builtin/security/win_security_susp_outbound_kerberos_connection.yml index b1cc85a8b..ee4e6a7a7 100644 --- a/rules/windows/builtin/security/win_security_susp_outbound_kerberos_connection.yml +++ b/rules/windows/builtin/security/win_security_susp_outbound_kerberos_connection.yml @@ -1,4 +1,4 @@ -title: Suspicious Outbound Kerberos Connection +title: Suspicious Outbound Kerberos Connection - Security id: eca91c7c-9214-47b9-b4c5-cb1d7e4f2350 status: test description: Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation. @@ -6,7 +6,7 @@ references: - https://github.com/GhostPack/Rubeus author: Ilyas Ochkov, oscd.community date: 2019/10/24 -modified: 2022/08/15 +modified: 2022/11/29 tags: - attack.lateral_movement - attack.t1558.003 diff --git a/rules/windows/builtin/security/win_security_tap_driver_installation.yml b/rules/windows/builtin/security/win_security_tap_driver_installation.yml index 6e27ffa1b..8be8889b3 100644 --- a/rules/windows/builtin/security/win_security_tap_driver_installation.yml +++ b/rules/windows/builtin/security/win_security_tap_driver_installation.yml 
@@ -1,4 +1,4 @@ -title: Tap Driver Installation +title: Tap Driver Installation - Security id: 9c8afa4d-0022-48f0-9456-3712466f9701 related: - id: 8e4cf0e5-aa5d-4dc3-beff-dc26917744a9 @@ -7,7 +7,7 @@ status: test description: Well-known TAP software installation. Possible preparation for data exfiltration using tunnelling techniques author: Daniil Yugoslavskiy, Ian Davis, oscd.community date: 2019/10/24 -modified: 2022/10/09 +modified: 2022/11/29 tags: - attack.exfiltration - attack.t1048 diff --git a/rules/windows/builtin/security/win_security_wmi_persistence.yml b/rules/windows/builtin/security/win_security_wmi_persistence.yml index 557572482..2851c8613 100644 --- a/rules/windows/builtin/security/win_security_wmi_persistence.yml +++ b/rules/windows/builtin/security/win_security_wmi_persistence.yml @@ -1,4 +1,4 @@ -title: WMI Persistence +title: WMI Persistence - Security id: f033f3f3-fd24-4995-97d8-a3bb17550a88 related: - id: 0b7889b4-5577-4521-a60a-3376ee7f9f7b @@ -10,7 +10,7 @@ references: - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/ author: Florian Roth, Gleb Sukhodolskiy, Timur Zinniatullin oscd.community date: 2017/08/22 -modified: 2022/10/09 +modified: 2022/11/29 tags: - attack.persistence - attack.privilege_escalation diff --git a/rules/windows/builtin/system/win_system_invoke_obfuscation_stdin_services.yml b/rules/windows/builtin/system/win_system_invoke_obfuscation_stdin_services.yml index 4cc044bd0..8d5f2f31c 100644 --- a/rules/windows/builtin/system/win_system_invoke_obfuscation_stdin_services.yml +++ b/rules/windows/builtin/system/win_system_invoke_obfuscation_stdin_services.yml @@ -1,4 +1,4 @@ -title: Invoke-Obfuscation STDIN+ Launcher +title: Invoke-Obfuscation STDIN+ Launcher - System id: 72862bf2-0eb1-11eb-adc1-0242ac120002 status: experimental description: Detects Obfuscated use of stdin to execute PowerShell 
@@ -6,7 +6,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25) author: Jonathan Cheong, oscd.community date: 2020/10/15 -modified: 2022/11/17 +modified: 2022/11/29 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/builtin/system/win_system_invoke_obfuscation_var_services.yml b/rules/windows/builtin/system/win_system_invoke_obfuscation_var_services.yml index b2403a616..60962b066 100644 --- a/rules/windows/builtin/system/win_system_invoke_obfuscation_var_services.yml +++ b/rules/windows/builtin/system/win_system_invoke_obfuscation_var_services.yml @@ -1,4 +1,4 @@ -title: Invoke-Obfuscation VAR+ Launcher +title: Invoke-Obfuscation VAR+ Launcher - System id: 8ca7004b-e620-4ecb-870e-86129b5b8e75 status: experimental description: Detects Obfuscated use of Environment Variables to execute PowerShell @@ -6,7 +6,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24) author: Jonathan Cheong, oscd.community date: 2020/10/15 -modified: 2022/11/17 +modified: 2022/11/29 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/builtin/system/win_system_invoke_obfuscation_via_compress_services.yml b/rules/windows/builtin/system/win_system_invoke_obfuscation_via_compress_services.yml index 595aefc44..a21bc34ef 100644 --- a/rules/windows/builtin/system/win_system_invoke_obfuscation_via_compress_services.yml +++ b/rules/windows/builtin/system/win_system_invoke_obfuscation_via_compress_services.yml @@ -1,4 +1,4 @@ -title: Invoke-Obfuscation COMPRESS OBFUSCATION +title: Invoke-Obfuscation COMPRESS OBFUSCATION - System id: 175997c5-803c-4b08-8bb0-70b099f47595 status: experimental description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION @@ -6,7 +6,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19) author: Timur Zinniatullin, oscd.community date: 2020/10/18 -modified: 2022/03/06 +modified: 2022/11/29 tags: - attack.defense_evasion - attack.t1027 
diff --git a/rules/windows/builtin/system/win_system_invoke_obfuscation_via_rundll_services.yml b/rules/windows/builtin/system/win_system_invoke_obfuscation_via_rundll_services.yml index 54bb0373f..843bd983c 100644 --- a/rules/windows/builtin/system/win_system_invoke_obfuscation_via_rundll_services.yml +++ b/rules/windows/builtin/system/win_system_invoke_obfuscation_via_rundll_services.yml @@ -1,4 +1,4 @@ -title: Invoke-Obfuscation RUNDLL LAUNCHER +title: Invoke-Obfuscation RUNDLL LAUNCHER - System id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9 status: experimental description: Detects Obfuscated Powershell via RUNDLL LAUNCHER @@ -6,7 +6,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23) author: Timur Zinniatullin, oscd.community date: 2020/10/18 -modified: 2022/03/07 +modified: 2022/11/29 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/builtin/system/win_system_invoke_obfuscation_via_stdin_services.yml b/rules/windows/builtin/system/win_system_invoke_obfuscation_via_stdin_services.yml index 8a4091b6a..d7f5b3c5f 100644 --- a/rules/windows/builtin/system/win_system_invoke_obfuscation_via_stdin_services.yml +++ b/rules/windows/builtin/system/win_system_invoke_obfuscation_via_stdin_services.yml @@ -1,4 +1,4 @@ -title: Invoke-Obfuscation Via Stdin +title: Invoke-Obfuscation Via Stdin - System id: 487c7524-f892-4054-b263-8a0ace63fc25 status: experimental description: Detects Obfuscated Powershell via Stdin in Scripts @@ -6,7 +6,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task28) author: Nikita Nazarov, oscd.community date: 2020/10/12 -modified: 2022/11/17 +modified: 2022/11/29 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/builtin/system/win_system_invoke_obfuscation_via_use_clip_services.yml b/rules/windows/builtin/system/win_system_invoke_obfuscation_via_use_clip_services.yml index e9cd49642..b31c2f9c1 100644 
--- a/rules/windows/builtin/system/win_system_invoke_obfuscation_via_use_clip_services.yml +++ b/rules/windows/builtin/system/win_system_invoke_obfuscation_via_use_clip_services.yml @@ -1,4 +1,4 @@ -title: Invoke-Obfuscation Via Use Clip +title: Invoke-Obfuscation Via Use Clip - System id: 63e3365d-4824-42d8-8b82-e56810fefa0c status: experimental description: Detects Obfuscated Powershell via use Clip.exe in Scripts @@ -6,7 +6,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task29) author: Nikita Nazarov, oscd.community date: 2020/10/09 -modified: 2022/04/26 +modified: 2022/11/29 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/builtin/system/win_system_invoke_obfuscation_via_use_mshta_services.yml b/rules/windows/builtin/system/win_system_invoke_obfuscation_via_use_mshta_services.yml index c109d7143..3445a5c0d 100644 --- a/rules/windows/builtin/system/win_system_invoke_obfuscation_via_use_mshta_services.yml +++ b/rules/windows/builtin/system/win_system_invoke_obfuscation_via_use_mshta_services.yml @@ -1,4 +1,4 @@ -title: Invoke-Obfuscation Via Use MSHTA +title: Invoke-Obfuscation Via Use MSHTA - System id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4 status: experimental description: Detects Obfuscated Powershell via use MSHTA in Scripts @@ -6,7 +6,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task31) author: Nikita Nazarov, oscd.community date: 2020/10/09 -modified: 2022/07/05 +modified: 2022/11/29 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/builtin/system/win_system_invoke_obfuscation_via_use_rundll32_services.yml b/rules/windows/builtin/system/win_system_invoke_obfuscation_via_use_rundll32_services.yml index 07b2781f8..6437adc9d 100644 --- a/rules/windows/builtin/system/win_system_invoke_obfuscation_via_use_rundll32_services.yml +++ b/rules/windows/builtin/system/win_system_invoke_obfuscation_via_use_rundll32_services.yml 
@@ -1,4 +1,4 @@ -title: Invoke-Obfuscation Via Use Rundll32 +title: Invoke-Obfuscation Via Use Rundll32 - System id: 641a4bfb-c017-44f7-800c-2aee0184ce9b status: experimental description: Detects Obfuscated Powershell via use Rundll32 in Scripts @@ -6,7 +6,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task30) author: Nikita Nazarov, oscd.community date: 2020/10/09 -modified: 2022/03/07 +modified: 2022/11/29 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/builtin/system/win_system_invoke_obfuscation_via_var_services.yml b/rules/windows/builtin/system/win_system_invoke_obfuscation_via_var_services.yml index 76e3dac8c..17620261e 100644 --- a/rules/windows/builtin/system/win_system_invoke_obfuscation_via_var_services.yml +++ b/rules/windows/builtin/system/win_system_invoke_obfuscation_via_var_services.yml @@ -1,4 +1,4 @@ -title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION +title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - System id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6 status: experimental description: Detects Obfuscated Powershell via VAR++ LAUNCHER @@ -6,7 +6,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task27) author: Timur Zinniatullin, oscd.community date: 2020/10/13 -modified: 2022/11/17 +modified: 2022/11/29 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/builtin/system/win_system_mal_creddumper.yml b/rules/windows/builtin/system/win_system_mal_creddumper.yml index c43c90f65..6c946fc93 100644 --- a/rules/windows/builtin/system/win_system_mal_creddumper.yml +++ b/rules/windows/builtin/system/win_system_mal_creddumper.yml @@ -1,4 +1,4 @@ -title: Credential Dumping Tools Service Execution +title: Credential Dumping Tools Service Execution - System id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed status: experimental description: Detects well-known credential dumping tools execution via service execution events 
@@ -6,7 +6,7 @@ references: - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community date: 2017/03/05 -modified: 2021/11/30 +modified: 2022/11/29 tags: - attack.credential_access - attack.execution diff --git a/rules/windows/builtin/system/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/windows/builtin/system/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml index 8f845be01..13ffaa6a1 100644 --- a/rules/windows/builtin/system/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml +++ b/rules/windows/builtin/system/win_system_meterpreter_or_cobaltstrike_getsystem_service_installation.yml @@ -1,4 +1,4 @@ -title: Meterpreter or Cobalt Strike Getsystem Service Installation +title: Meterpreter or Cobalt Strike Getsystem Service Installation - System id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6 status: experimental description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation @@ -7,7 +7,7 @@ references: - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/ author: Teymur Kheirkhabarov, Ecco, Florian Roth date: 2019/10/26 -modified: 2022/02/01 +modified: 2022/11/29 tags: - attack.privilege_escalation - attack.t1134.001 diff --git a/rules/windows/builtin/system/win_system_moriya_rootkit.yml b/rules/windows/builtin/system/win_system_moriya_rootkit.yml index 29fa39cf3..e31568a2b 100644 --- a/rules/windows/builtin/system/win_system_moriya_rootkit.yml +++ b/rules/windows/builtin/system/win_system_moriya_rootkit.yml @@ -1,4 +1,4 @@ -title: Moriya Rootkit +title: Moriya Rootkit - System id: 25b9c01c-350d-4b95-bed1-836d04a4f324 status: experimental description: Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report 
@@ -6,7 +6,7 @@ references: - https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831 author: Bhabesh Raj date: 2021/05/06 -modified: 2021/11/30 +modified: 2022/11/29 tags: - attack.persistence - attack.privilege_escalation diff --git a/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml b/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml index 3779cc8a0..3b5545d29 100644 --- a/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml +++ b/rules/windows/file/file_event/file_event_win_advanced_ip_scanner.yml @@ -1,4 +1,4 @@ -title: Advanced IP Scanner +title: Advanced IP Scanner - File Event id: fed85bf9-e075-4280-9159-fbe8a023d6fa related: - id: bef37fa2-f205-4a7b-b484-0759bfd5f86f @@ -13,7 +13,7 @@ references: - https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer author: '@ROxPinTeddy' date: 2020/05/12 -modified: 2022/10/09 +modified: 2022/11/29 tags: - attack.discovery - attack.t1046 diff --git a/rules/windows/image_load/image_load_sysmon_disable_sharpevtmute.yml b/rules/windows/image_load/image_load_sysmon_disable_sharpevtmute.yml index 86f8dca1f..ee6c3c45f 100644 --- a/rules/windows/image_load/image_load_sysmon_disable_sharpevtmute.yml +++ b/rules/windows/image_load/image_load_sysmon_disable_sharpevtmute.yml @@ -1,4 +1,4 @@ -title: SharpEvtMute EvtMuteHook Load +title: SharpEvtMute Imphash EvtMuteHook Load id: 49329257-089d-46e6-af37-4afce4290685 status: experimental description: Detects the load of EvtMuteHook.dll, a key component of SharpEvtHook, a tool to tamper with Windows event logs @@ -6,6 +6,7 @@ references: - https://github.com/bats3c/EvtMute author: Florian Roth date: 2022/09/07 +modified: 2022/11/29 tags: - attack.defense_evasion - attack.t1562.002 diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml index 7c6480e6a..c2fcb76a1 100644 
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml @@ -1,4 +1,4 @@ -title: Invoke-Obfuscation STDIN+ Launcher +title: Invoke-Obfuscation STDIN+ Launcher - PowerShell Module id: 9ac8b09b-45de-4a07-9da1-0de8c09304a3 related: - id: 779c8c12-0eb1-11eb-adc1-0242ac120002 @@ -9,7 +9,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25) author: Jonathan Cheong, oscd.community date: 2020/10/15 -modified: 2021/10/16 +modified: 2022/11/29 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml index 1c4f947d8..cd0de1227 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml @@ -1,4 +1,4 @@ -title: Invoke-Obfuscation VAR+ Launcher +title: Invoke-Obfuscation VAR+ Launcher - PowerShell Module id: 6bfb8fa7-b2e7-4f6c-8d9d-824e5d06ea9e related: - id: 0adfbc14-0ed1-11eb-adc1-0242ac120002 @@ -9,7 +9,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24) author: Jonathan Cheong, oscd.community date: 2020/10/15 -modified: 2021/10/16 +modified: 2022/11/29 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml index efece32de..c7c18db6b 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_compress.yml 
@@ -1,4 +1,4 @@ -title: Invoke-Obfuscation COMPRESS OBFUSCATION +title: Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell Module id: 7034cbbb-cc55-4dc2-8dad-36c0b942e8f1 related: - id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07 @@ -9,7 +9,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19) author: Timur Zinniatullin, oscd.community date: 2020/10/18 -modified: 2021/10/16 +modified: 2022/11/29 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml index 1b3a08617..e09c50f8b 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_rundll.yml @@ -1,4 +1,4 @@ -title: Invoke-Obfuscation RUNDLL LAUNCHER +title: Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell Module id: a23791fe-8846-485a-b16b-ca691e1b03d4 related: - id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0 @@ -9,7 +9,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23) author: Timur Zinniatullin, oscd.community date: 2020/10/18 -modified: 2022/03/08 +modified: 2022/11/29 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml index ec2017ce7..b1a887eba 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_stdin.yml @@ -1,4 +1,4 @@ -title: Invoke-Obfuscation Via Stdin +title: Invoke-Obfuscation Via Stdin - PowerShell Module id: c72aca44-8d52-45ad-8f81-f96c4d3c755e related: - id: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7 
@@ -9,7 +9,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task28) author: Nikita Nazarov, oscd.community date: 2020/10/12 -modified: 2021/10/16 +modified: 2022/11/29 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml index 2f9dc757e..755309d8f 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_clip.yml @@ -1,4 +1,4 @@ -title: Invoke-Obfuscation Via Use Clip +title: Invoke-Obfuscation Via Use Clip - PowerShell Module id: ebdf49d8-b89c-46c9-8fdf-2c308406f6bd related: - id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0 @@ -9,7 +9,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task29) author: Nikita Nazarov, oscd.community date: 2020/10/09 -modified: 2021/10/16 +modified: 2022/11/29 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml index 26d7188af..8b68e2411 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_mhsta.yml @@ -1,4 +1,4 @@ -title: Invoke-Obfuscation Via Use MSHTA +title: Invoke-Obfuscation Via Use MSHTA - PowerShell Module id: 07ad2ea8-6a55-4ac6-bf3e-91b8e59676eb related: - id: e55a5195-4724-480e-a77e-3ebe64bd3759 @@ -9,7 +9,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task31) author: Nikita Nazarov, oscd.community date: 2020/10/08 -modified: 2022/03/07 +modified: 2022/11/29 tags: - attack.defense_evasion - attack.t1027 
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml index a9fa7122f..6689266a0 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_use_rundll32.yml @@ -1,4 +1,4 @@ -title: Invoke-Obfuscation Via Use Rundll32 +title: Invoke-Obfuscation Via Use Rundll32 - PowerShell Module id: 88a22f69-62f9-4b8a-aa00-6b0212f2f05a related: - id: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b @@ -9,7 +9,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 author: Nikita Nazarov, oscd.community date: 2019/10/08 -modified: 2022/03/08 +modified: 2022/11/29 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml index e76e8230b..834abcae1 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml @@ -1,4 +1,4 @@ -title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION +title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell Module id: f3c89218-8c3d-4ba9-9974-f1d8e6a1b4a6 related: - id: e54f5149-6ba3-49cf-b153-070d24679126 @@ -9,7 +9,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task27) author: Timur Zinniatullin, oscd.community date: 2020/10/13 -modified: 2021/10/16 +modified: 2022/11/29 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml index 206d3174b..a38955b7f 100644 
--- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml @@ -1,4 +1,4 @@ -title: Invoke-Obfuscation STDIN+ Launcher +title: Invoke-Obfuscation STDIN+ Launcher - Powershell id: 779c8c12-0eb1-11eb-adc1-0242ac120002 status: experimental description: Detects Obfuscated use of stdin to execute PowerShell @@ -6,7 +6,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25) author: Jonathan Cheong, oscd.community date: 2020/10/15 -modified: 2021/10/16 +modified: 2022/11/29 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml index 14acfefd5..ac368db0c 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml @@ -1,4 +1,4 @@ -title: Invoke-Obfuscation VAR+ Launcher +title: Invoke-Obfuscation VAR+ Launcher - PowerShell id: 0adfbc14-0ed1-11eb-adc1-0242ac120002 status: experimental description: Detects Obfuscated use of Environment Variables to execute PowerShell @@ -6,7 +6,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24) author: Jonathan Cheong, oscd.community date: 2020/10/15 -modified: 2021/10/16 +modified: 2022/11/29 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml index 5fcc15619..02dd3b05a 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_compress.yml 
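Review bot: The suffix added to the title here is `- Powershell`, while the sibling rules renamed in the same commit (posh_ps_invoke_obfuscation_var.yml, posh_ps_invoke_obfuscation_via_compress.yml, posh_ps_invoke_obfuscation_via_rundll.yml and the others) get `- PowerShell`; the lowercase form recurs in posh_ps_invoke_obfuscation_via_stdin.yml and posh_ps_invoke_obfuscation_via_use_clip.yml. The suffix exists to tell these rules apart from their Module/System variants, so one spelling should be used throughout, e.g. `title: Invoke-Obfuscation STDIN+ Launcher - PowerShell`. The inconsistency would otherwise surface in any tooling that groups rules by the title suffix.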
@@ -1,4 +1,4 @@ -title: Invoke-Obfuscation COMPRESS OBFUSCATION +title: Invoke-Obfuscation COMPRESS OBFUSCATION - PowerShell id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07 status: experimental description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION @@ -6,7 +6,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19) author: Timur Zinniatullin, oscd.community date: 2020/10/18 -modified: 2022/03/08 +modified: 2022/11/29 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml index c6b949baf..919c8b687 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_rundll.yml @@ -1,4 +1,4 @@ -title: Invoke-Obfuscation RUNDLL LAUNCHER +title: Invoke-Obfuscation RUNDLL LAUNCHER - PowerShell id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0 status: experimental description: Detects Obfuscated Powershell via RUNDLL LAUNCHER @@ -6,7 +6,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23) author: Timur Zinniatullin, oscd.community date: 2020/10/18 -modified: 2022/03/08 +modified: 2022/11/29 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml index fadd177b3..241fcc730 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_stdin.yml @@ -1,4 +1,4 @@ -title: Invoke-Obfuscation Via Stdin +title: Invoke-Obfuscation Via Stdin - Powershell id: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7 status: experimental description: Detects Obfuscated Powershell via Stdin in Scripts 
@@ -6,7 +6,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task28) author: Nikita Nazarov, oscd.community date: 2020/10/12 -modified: 2021/10/16 +modified: 2022/11/29 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml index f5d1c7c90..bf7d82f0e 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_clip.yml @@ -1,4 +1,4 @@ -title: Invoke-Obfuscation Via Use Clip +title: Invoke-Obfuscation Via Use Clip - Powershell id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0 status: experimental description: Detects Obfuscated Powershell via use Clip.exe in Scripts @@ -6,7 +6,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task29) author: Nikita Nazarov, oscd.community date: 2020/10/09 -modified: 2021/10/16 +modified: 2022/11/29 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml index a92f74421..f65a26588 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_mhsta.yml @@ -1,4 +1,4 @@ -title: Invoke-Obfuscation Via Use MSHTA +title: Invoke-Obfuscation Via Use MSHTA - PowerShell id: e55a5195-4724-480e-a77e-3ebe64bd3759 status: experimental description: Detects Obfuscated Powershell via use MSHTA in Scripts @@ -6,7 +6,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task31) author: Nikita Nazarov, oscd.community date: 2020/10/08 -modified: 2022/03/07 +modified: 2022/11/29 tags: - attack.defense_evasion - attack.t1027 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml index 5cde95d40..feb23733c 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_use_rundll32.yml @@ -1,4 +1,4 @@ -title: Invoke-Obfuscation Via Use Rundll32 +title: Invoke-Obfuscation Via Use Rundll32 - PowerShell id: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b status: experimental description: Detects Obfuscated Powershell via use Rundll32 in Scripts @@ -6,7 +6,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 author: Nikita Nazarov, oscd.community date: 2019/10/08 -modified: 2022/03/08 +modified: 2022/11/29 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml index 08d14edf4..8b94e1e34 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml @@ -1,4 +1,4 @@ -title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION +title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION - PowerShell id: e54f5149-6ba3-49cf-b153-070d24679126 status: experimental description: Detects Obfuscated Powershell via VAR++ LAUNCHER @@ -6,7 +6,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task27) author: Timur Zinniatullin, oscd.community date: 2020/10/13 -modified: 2021/10/16 +modified: 2022/11/29 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/process_creation/proc_creation_win_wmic_computersystem_recon.yml b/rules/windows/process_creation/proc_creation_win_wmic_computersystem_recon.yml index cdecf03d6..dee3a59b6 100644 
--- a/rules/windows/process_creation/proc_creation_win_wmic_computersystem_recon.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_computersystem_recon.yml @@ -1,4 +1,4 @@ -title: Suspicious Get Local Groups Information with WMIC +title: Suspicious Get ComputerSystem Information with WMIC id: 9d7ca793-f6bd-471c-8d0f-11e68b2f0d2f status: experimental description: Detects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model...etc. @@ -6,6 +6,7 @@ references: - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/ author: Nasreddine Bencherchali date: 2022/09/08 +modified: 2022/11/29 tags: - attack.discovery - attack.execution diff --git a/rules/windows/registry/registry_add/registry_add_sysinternals_eula_accepted.yml b/rules/windows/registry/registry_add/registry_add_sysinternals_eula_accepted.yml index 06cd58376..df087b4c1 100755 --- a/rules/windows/registry/registry_add/registry_add_sysinternals_eula_accepted.yml +++ b/rules/windows/registry/registry_add/registry_add_sysinternals_eula_accepted.yml @@ -1,4 +1,4 @@ -title: Usage of Sysinternals Tools +title: Usage of Sysinternals Tools - Registry id: 25ffa65d-76d8-4da5-a832-3f2b0136e133 status: experimental description: Detects the usage of Sysinternals Tools due to accepteula key being added to Registry @@ -6,7 +6,7 @@ references: - https://twitter.com/Moti_B/status/1008587936735035392 author: Markus Neis date: 2017/08/28 -modified: 2022/06/26 +modified: 2022/11/29 tags: - attack.resource_development - attack.t1588.002 diff --git a/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml b/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml index 83117c156..279985d14 100644 --- a/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml 
+++ b/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml @@ -1,4 +1,4 @@ -title: NetNTLM Downgrade Attack +title: NetNTLM Downgrade Attack - Registry id: d67572a0-e2ec-45d6-b8db-c100d14b8ef2 status: test description: Detects NetNTLM downgrade attack @@ -6,7 +6,7 @@ references: - https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks author: Florian Roth, wagga date: 2018/03/20 -modified: 2022/10/09 +modified: 2022/11/29 tags: - attack.defense_evasion - attack.t1562.001 From e936ae4e2771e6125cbb1f932f6fc429150235f9 Mon Sep 17 00:00:00 2001 From: BlueTeamOps <1480956+blueteam0ps@users.noreply.github.com> Date: Wed, 30 Nov 2022 22:10:26 +1100 Subject: [PATCH 040/303] deleted win_sus_auditpol_usage.yaml --- .../win_sus_auditpol_usage.yaml | 27 ------------------- 1 file changed, 27 deletions(-) delete mode 100644 rules/windows/process_creation/win_sus_auditpol_usage.yaml diff --git a/rules/windows/process_creation/win_sus_auditpol_usage.yaml b/rules/windows/process_creation/win_sus_auditpol_usage.yaml deleted file mode 100644 index 40fd0c5c9..000000000 --- a/rules/windows/process_creation/win_sus_auditpol_usage.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -title: Suspicious Auditpol Usage -id: 0a13e132-651d-11eb-ae93-0242ac130002 -description: Threat actors can use auditpol binary to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor. -author: Janantha Marasinghe (https://github.com/blueteam0ps) -references: - - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/ -date: 2021/02/02 -modified: 2021/02/02 -tags: - - attack.defense_evasion - - attack.t1562.002 -level: high -logsource: - category: process_creation - product: windows -detection: - selection_auditpol_binary: - Image|endswith: '\auditpol.exe' - selection_auditpol_command: - CommandLine|contains: - - 'disable' # disables a specific audit policy - - 'clear' # delete or clears audit policy - - 'remove' # removes an audit policy - - 'restore' # restores an audit policy - condition: selection_auditpol_binary and selection_auditpol_command -falsepositives: - - Admin activity From 7b1d23621c6adc16d615693f473c7babbc114388 Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Fri, 2 Dec 2022 20:17:39 +0900 Subject: [PATCH 041/303] refactor: remove unnesessary escape. --- .../powershell_module/posh_pm_invoke_obfuscation_clip.yml | 2 +- .../powershell_module/posh_pm_invoke_obfuscation_stdin.yml | 2 +- .../powershell_module/posh_pm_invoke_obfuscation_via_var.yml | 2 +- .../powershell_script/posh_ps_invoke_obfuscation_clip.yml | 2 +- .../powershell_script/posh_ps_invoke_obfuscation_var.yml | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml index 53ca1e6a4..934b65cf7 100644 
--- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml @@ -21,7 +21,7 @@ logsource: definition: PowerShell Module Logging must be enabled detection: selection_4103: - Payload|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"' + Payload|re: '.*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+\-f.+"' condition: selection_4103 falsepositives: - Unknown diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml index c2fcb76a1..d66aac660 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml @@ -21,7 +21,7 @@ logsource: definition: PowerShell Module Logging must be enabled detection: selection_4103: - Payload|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"' + Payload|re: '.*cmd.{0,5}(?:/c|/r).+powershell.+(?:\$\{?input\}?|noexit).+"' condition: selection_4103 falsepositives: - Unknown diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml index 834abcae1..84cd69bd0 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml @@ -21,7 +21,7 @@ logsource: definition: PowerShell Module Logging must be enabled detection: selection_4103: - Payload|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r + Payload|re: '(?i).*&&set.*(\{\d\}){2,}\\"\s+?\-f.*&&.*cmd.*/c' # FPs with |\/r condition: selection_4103 falsepositives: - Unknown 
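Review bot: The rewritten `Payload|re` pattern in posh_pm_invoke_obfuscation_clip.yml (and the stdin rule in this same commit) still carries no `(?i)` flag, while the via_var rule touched a few lines below starts with `(?i)`; on backends where the `re` modifier is case-sensitive — which is the usual Sigma default — a payload using `CMD /C` or `Clip.exe` slips past the clip and stdin rules even though the equivalent variation is caught by via_var. Since the commit is already editing these regexes, prefixing the flag, e.g. `Payload|re: '(?i).*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+\-f.+"'`, would make the three sibling rules behave consistently. The escape removal itself looks behavior-preserving (`\/`→`/` and `\\\"`→`\\"` inside a single-quoted YAML scalar), so nothing else in the hunk needs to change.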
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml index fdc6069f9..8370a7eb7 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml @@ -18,7 +18,7 @@ logsource: definition: Script block logging must be enabled detection: selection_4104: - ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"' + ScriptBlockText|re: '.*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+\-f.+"' condition: selection_4104 falsepositives: - Unknown diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml index ac368db0c..2a0cef3d2 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml @@ -18,7 +18,7 @@ logsource: definition: Script block logging must be enabled detection: selection_4104: - ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' + ScriptBlockText|re: '.*cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?\-f(?:.*\)){1,}.*"' condition: selection_4104 falsepositives: - Unknown From 9b5560844fe50a50ebf582e2986e381dac6384d3 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 2 Dec 2022 12:18:11 +0100 Subject: [PATCH 042/303] fix: FP with Avast software --- .../registry_set_creation_service_susp_folder.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) 
diff --git a/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml b/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml index 0777c27a4..3ac79f4b9 100644 --- a/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml +++ b/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml @@ -9,6 +9,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md author: Florian Roth, frack113 date: 2022/05/02 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.t1112 @@ -39,7 +40,11 @@ detection: - '\Perflogs\' - '\ADMIN$\' - '\Temp\' - condition: 1 of selection_* + filter_1: + Image|contains|all: + - '\Common Files\' + - '\Temp\' + condition: 1 of selection_* and not 1 of filter_* falsepositives: - Unknown level: high From b09842f60615dd0b6164dc7acb4cc127a41f0245 Mon Sep 17 00:00:00 2001 From: BlueTeamOps <1480956+blueteam0ps@users.noreply.github.com> Date: Fri, 2 Dec 2022 23:21:36 +1100 Subject: [PATCH 043/303] Create proc_creation_win_susp_secedit.yml (#3725) Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> --- .../proc_creation_win_susp_secedit.yml | 50 +++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 rules/windows/process_creation/proc_creation_win_susp_secedit.yml diff --git a/rules/windows/process_creation/proc_creation_win_susp_secedit.yml b/rules/windows/process_creation/proc_creation_win_susp_secedit.yml new file mode 100644 index 000000000..337be8505 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_susp_secedit.yml 
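Review bot: The new `filter_1` exempts any registry write made by an `Image` whose path merely contains both `\Common Files\` and `\Temp\`, which is far wider than the single Avast component the commit message names; any binary an attacker manages to stage under a `...\Common Files\...\Temp\...` path would then be excluded from this `level: high` rule. If the Avast image path is known, anchoring the filter to it (a vendor-specific path segment plus `Image|endswith` on the executable name) keeps the exclusion narrow. Also, `falsepositives` still reads `- Unknown` after a product-specific filter was added; listing the Avast component there documents why `filter_1` exists for the next maintainer.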
@@ -0,0 +1,50 @@
+title: Potential Suspicious Activity Using SeCEdit
+id: c2c76b77-32be-4d1f-82c9-7e544bdfe0eb
+status: experimental
+description: Detects potential suspicious behaviour using secedit.exe. Such as exporting or modifying the security policy
+references:
+ - https://blueteamops.medium.com/secedit-and-i-know-it-595056dee53d
+ - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/secedit
+author: Janantha Marasinghe
+date: 2022/11/18
+tags:
+ - attack.discovery
+ - attack.persistence
+ - attack.defense_evasion
+ - attack.credential_access
+ - attack.privilege_escalation
+ - attack.t1562.002
+ - attack.t1547.001
+ - attack.t1505.005
+ - attack.t1556.002
+ - attack.t1562
+ - attack.t1574.007
+ - attack.t1564.002
+ - attack.t1546.008
+ - attack.t1546.007
+ - attack.t1547.014
+ - attack.t1547.010
+ - attack.t1547.002
+ - attack.t1557
+ - attack.t1082
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - Image|endswith: '\secedit.exe'
+ - OriginalFileName: 'SeCEdit'
+ selection_flags_discovery:
+ CommandLine|contains|all:
+ - '/export'
+ - '/cfg'
+ selection_flags_configure:
+ CommandLine|contains|all:
+ - '/configure'
+ - '/db'
+ filter:
+ SubjectUserName|endswith: '$'
+ condition: selection_img and (1 of selection_flags_*) and not filter
+falsepositives:
+ - Legitimate administrative use
+level: medium
From a05742b4207f69277682cfdaa570d38fe44775a7 Mon Sep 17 00:00:00 2001
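Review bot: The `filter` on `SubjectUserName|endswith: '$'` drops every execution attributed to a machine account, which in Security 4688 events typically also covers processes running as SYSTEM (PsExec -s, services, scheduled tasks), so a `secedit /export /cfg` run from a SYSTEM shell is silently excluded; presumably the intended false-positive source is Group Policy processing, and that trade-off deserves a comment next to the filter, e.g. `# NOTE: excludes machine accounts (GPO processing) - this also hides SYSTEM-context abuse`, or a tighter filter that additionally pins the legitimate ParentImage. `SubjectUserName` is also a raw 4688 field name while `Image`, `CommandLine` and `OriginalFileName` are the normalized process_creation fields, so on a Sysmon-only pipeline the filter field may not exist and `not filter` may behave differently per backend — worth stating in the rule or switching to the field the pipeline actually maps. Finally, the 19 ATT&CK tags span nearly every tactic; trimming them to the techniques the two selections actually evidence (discovery for `/export`, the defense-evasion / credential-access ones for `/configure`) keeps the tag list meaningful for triage.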
From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Fri, 2 Dec 2022 21:26:45 +0900 Subject: [PATCH 044/303] refactor: remove unnesessary escape. --- .../powershell_module/posh_pm_invoke_obfuscation_clip.yml | 2 +- .../powershell_module/posh_pm_invoke_obfuscation_var.yml | 2 +- .../powershell_module/posh_pm_invoke_obfuscation_via_var.yml | 2 +- .../powershell_script/posh_ps_invoke_obfuscation_clip.yml | 2 +- .../powershell_script/posh_ps_invoke_obfuscation_var.yml | 2 +- .../powershell_script/posh_ps_invoke_obfuscation_via_var.yml | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml index 934b65cf7..fc66daaec 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml @@ -21,7 +21,7 @@ logsource: definition: PowerShell Module Logging must be enabled detection: selection_4103: - Payload|re: '.*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+\-f.+"' + Payload|re: '.*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+-f.+"' condition: selection_4103 falsepositives: - Unknown diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml index cd0de1227..93f2d66d1 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml 
@@ -21,7 +21,7 @@ logsource: definition: PowerShell Module Logging must be enabled detection: selection_4103: - Payload|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' + Payload|re: '.*cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?-f(?:.*\)){1,}.*"' condition: selection_4103 falsepositives: - Unknown diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml index 84cd69bd0..feb1b5446 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml @@ -21,7 +21,7 @@ logsource: definition: PowerShell Module Logging must be enabled detection: selection_4103: - Payload|re: '(?i).*&&set.*(\{\d\}){2,}\\"\s+?\-f.*&&.*cmd.*/c' # FPs with |\/r + Payload|re: '(?i).*&&set.*(\{\d\}){2,}\\"\s+?-f.*&&.*cmd.*/c' # FPs with |\/r condition: selection_4103 falsepositives: - Unknown diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml index 8370a7eb7..8bca2eca5 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml @@ -18,7 +18,7 @@ logsource: definition: Script block logging must be enabled detection: selection_4104: - ScriptBlockText|re: '.*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+\-f.+"' + ScriptBlockText|re: '.*cmd.{0,5}(?:/c|/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\"\{\d\}.+-f.+"' condition: selection_4104 falsepositives: - Unknown 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml index 2a0cef3d2..8b7dbcfc3 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml @@ -18,7 +18,7 @@ logsource: definition: Script block logging must be enabled detection: selection_4104: - ScriptBlockText|re: '.*cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?\-f(?:.*\)){1,}.*"' + ScriptBlockText|re: '.*cmd.{0,5}(?:/c|/r)(?:\s|)"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\"\s+?-f(?:.*\)){1,}.*"' condition: selection_4104 falsepositives: - Unknown diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml index 8b94e1e34..00d3ebee5 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml @@ -18,7 +18,7 @@ logsource: definition: Script block logging must be enabled detection: selection_4104: - ScriptBlockText|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r + ScriptBlockText|re: '(?i).*&&set.*(\{\d\}){2,}\\"\s+?-f.*&&.*cmd.*/c' # FPs with |\/r condition: selection_4104 falsepositives: - Unknown From ead6831b2582641af693aacc3e027508471b3c53 Mon Sep 17 00:00:00 2001 
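Review bot: The trailing comment `# FPs with |\/r` on the posh_ps_invoke_obfuscation_via_var.yml pattern still shows the escaped form this commit removes from the regex itself, so the syntax a reader would copy from the note no longer matches the pattern; update it to `# FPs with |/r` (the posh_pm_ variant edited above carries the same stale comment). It would also help to spell out what the note means, presumably that extending the alternation to `(?:/c|/r)` produced false positives, e.g. `# NOTE: matching /r as well as /c caused false positives, so only /c is matched here` — confirm that reading against the original author.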
From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Fri, 2 Dec 2022 21:57:37 +0900 Subject: [PATCH 045/303] update modified date. --- .../powershell_module/posh_pm_invoke_obfuscation_clip.yml | 2 +- .../powershell_module/posh_pm_invoke_obfuscation_stdin.yml | 2 +- .../powershell_module/posh_pm_invoke_obfuscation_var.yml | 2 +- .../powershell_module/posh_pm_invoke_obfuscation_via_var.yml | 2 +- .../powershell_script/posh_ps_invoke_obfuscation_clip.yml | 2 +- .../powershell_script/posh_ps_invoke_obfuscation_var.yml | 2 +- .../powershell_script/posh_ps_invoke_obfuscation_via_var.yml | 2 +- 7 files changed, 7 insertions(+), 7 deletions(-) diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml index fc66daaec..94e7993f4 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_clip.yml @@ -9,7 +9,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26) author: Jonathan Cheong, oscd.community date: 2020/10/13 -modified: 2022/11/27 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml index d66aac660..a121dcb1a 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_stdin.yml @@ -9,7 +9,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25) author: Jonathan Cheong, oscd.community date: 2020/10/15 -modified: 2022/11/29 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.t1027 
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml index 93f2d66d1..15597a1fd 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_var.yml @@ -9,7 +9,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24) author: Jonathan Cheong, oscd.community date: 2020/10/15 -modified: 2022/11/29 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml index feb1b5446..fe9edfa52 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_via_var.yml @@ -9,7 +9,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task27) author: Timur Zinniatullin, oscd.community date: 2020/10/13 -modified: 2022/11/29 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml index 8bca2eca5..91814308c 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_clip.yml @@ -6,7 +6,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26) author: Jonathan Cheong, oscd.community date: 2020/10/13 -modified: 2022/11/27 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.t1027 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml index 8b7dbcfc3..95f709d0b 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_var.yml @@ -6,7 +6,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24) author: Jonathan Cheong, oscd.community date: 2020/10/15 -modified: 2022/11/29 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml index 00d3ebee5..0a2966fbf 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_via_var.yml @@ -6,7 +6,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task27) author: Timur Zinniatullin, oscd.community date: 2020/10/13 -modified: 2022/11/29 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.t1027 From 0f3eefdc9cb13995c4bdb0f4c9e42b21dfb356d5 Mon Sep 17 00:00:00 2001 
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Fri, 2 Dec 2022 18:10:43 +0100 Subject: [PATCH 046/303] Update title (#3746) Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> --- .../file_event_win_apt_unidentified_nov_18.yml | 4 ++-- .../file_event_win_cscript_wscript_dropper.yml | 4 ++-- .../file/file_event/file_event_win_hack_dumpert.yml | 4 ++-- .../file/file_event/file_event_win_mal_adwind.yml | 4 ++-- .../file_event/file_event_win_pingback_backdoor.yml | 4 ++-- .../file_event_win_wmiprvse_wbemcomn_dll_hijack.yml | 4 ++-- ...mage_load_alternate_powershell_hosts_moduleload.yml | 4 ++-- .../image_load/image_load_pingback_backdoor.yml | 4 ++-- .../image_load/image_load_tttracer_mod_load.yml | 4 ++-- .../powershell_classic/posh_pc_downgrade_attack.yml | 4 ++-- .../posh_pc_susp_athremotefxvgpudisablementcommand.yml | 4 ++-- .../powershell_classic/posh_pc_susp_zip_compress.yml | 4 ++-- .../powershell_classic/posh_pc_xor_commandline.yml | 4 ++-- .../posh_pm_alternate_powershell_hosts.yml | 4 ++-- .../posh_pm_clear_powershell_history.yml | 4 ++-- .../powershell/powershell_module/posh_pm_powercat.yml | 4 ++-- .../posh_pm_susp_athremotefxvgpudisablementcommand.yml | 4 ++-- .../powershell_module/posh_pm_susp_download.yml | 4 ++-- .../posh_pm_susp_get_nettcpconnection.yml | 3 ++- .../posh_pm_susp_invocation_generic.yml | 4 ++-- .../posh_pm_susp_invocation_specific.yml | 4 ++-- .../powershell_module/posh_pm_susp_smb_share_reco.yml | 3 ++- .../powershell_module/posh_pm_susp_zip_compress.yml | 4 ++-- .../posh_pm_syncappvpublishingserver_exe.yml | 4 ++-- .../posh_ps_clear_powershell_history.yml | 4 ++-- .../posh_ps_root_certificate_installed.yml | 4 ++-- .../posh_ps_set_policies_to_unsecure_level.yml | 4 ++-- .../powershell_script/posh_ps_software_discovery.yml | 4 ++-- .../powershell_script/posh_ps_susp_download.yml | 4 ++-- .../posh_ps_susp_win32_shadowcopy.yml | 3 ++- .../posh_ps_susp_win32_shadowcopy_deletion.yml | 3 ++- 
.../powershell_script/posh_ps_susp_zip_compress.yml | 4 ++-- .../proc_creation_win_apt_lazarus_activity_apr21.yml | 4 ++-- .../proc_creation_win_apt_lazarus_activity_dec20.yml | 4 ++-- .../proc_creation_win_apt_turla_commands_critical.yml | 2 +- .../proc_creation_win_apt_turla_commands_medium.yml | 4 ++-- .../process_creation/proc_creation_win_mal_ryuk.yml | 4 ++-- ...in_office_from_proxy_executing_regsvr32_payload.yml | 6 +++++- ...n_office_from_proxy_executing_regsvr32_payload2.yml | 10 +++++++--- ...oc_creation_win_office_spawning_wmi_commandline.yml | 4 ++-- ...eation_win_powershell_cmdline_susp_comb_methods.yml | 4 ++-- .../proc_creation_win_susp_ntlmrelay.yml | 3 ++- 42 files changed, 91 insertions(+), 78 deletions(-) diff --git a/rules/windows/file/file_event/file_event_win_apt_unidentified_nov_18.yml b/rules/windows/file/file_event/file_event_win_apt_unidentified_nov_18.yml index ba06ae6e2..22a3c70fb 100644 --- a/rules/windows/file/file_event/file_event_win_apt_unidentified_nov_18.yml +++ b/rules/windows/file/file_event/file_event_win_apt_unidentified_nov_18.yml @@ -1,4 +1,4 @@ -title: Unidentified Attacker November 2018 +title: Unidentified Attacker November 2018 - File id: 3a3f81ca-652c-482b-adeb-b1c804727f74 related: - id: 7453575c-a747-40b9-839b-125a0aae324b @@ -9,7 +9,7 @@ references: - https://twitter.com/DrunkBinary/status/1063075530180886529 author: '@41thexplorer, Microsoft Defender ATP' date: 2018/11/20 -modified: 2021/09/19 +modified: 2022/12/02 tags: - attack.execution - attack.t1218.011 diff --git a/rules/windows/file/file_event/file_event_win_cscript_wscript_dropper.yml b/rules/windows/file/file_event/file_event_win_cscript_wscript_dropper.yml index 3f2a81958..771b72aec 100644 --- a/rules/windows/file/file_event/file_event_win_cscript_wscript_dropper.yml +++ b/rules/windows/file/file_event/file_event_win_cscript_wscript_dropper.yml 
@@ -1,4 +1,4 @@ -title: WScript or CScript Dropper +title: WScript or CScript Dropper - File id: 002bdb95-0cf1-46a6-9e08-d38c128a6127 related: - id: cea72823-df4d-4567-950c-0b579eaf0846 @@ -9,7 +9,7 @@ references: - WScript or CScript Dropper (cea72823-df4d-4567-950c-0b579eaf0846) author: Tim Shelton date: 2022/01/10 -modified: 2022/01/11 +modified: 2022/12/02 logsource: category: file_event product: windows diff --git a/rules/windows/file/file_event/file_event_win_hack_dumpert.yml b/rules/windows/file/file_event/file_event_win_hack_dumpert.yml index a80f7ffeb..3a4290d13 100755 --- a/rules/windows/file/file_event/file_event_win_hack_dumpert.yml +++ b/rules/windows/file/file_event/file_event_win_hack_dumpert.yml @@ -1,4 +1,4 @@ -title: Dumpert Process Dumper +title: Dumpert Process Dumper Default File id: 93d94efc-d7ad-4161-ad7d-1638c4f908d8 related: - id: 2704ab9e-afe2-4854-a3b1-0c0706d03578 @@ -10,7 +10,7 @@ references: - https://unit42.paloaltonetworks.com/actors-still-exploiting-sharepoint-vulnerability/ author: Florian Roth date: 2020/02/04 -modified: 2022/10/09 +modified: 2022/12/02 tags: - attack.credential_access - attack.t1003.001 diff --git a/rules/windows/file/file_event/file_event_win_mal_adwind.yml b/rules/windows/file/file_event/file_event_win_mal_adwind.yml index c4ce26312..1b454703c 100644 --- a/rules/windows/file/file_event/file_event_win_mal_adwind.yml +++ b/rules/windows/file/file_event/file_event_win_mal_adwind.yml @@ -1,4 +1,4 @@ -title: Adwind RAT / JRAT +title: Adwind RAT / JRAT File Artifact id: 0bcfabcb-7929-47f4-93d6-b33fb67d34d1 related: - id: 1fac1481-2dbc-48b2-9096-753c49b4ec71 @@ -10,7 +10,7 @@ references: - https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf author: Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community date: 2017/11/10 -modified: 2022/10/09 +modified: 2022/12/02 tags: - attack.execution - attack.t1059.005 
diff --git a/rules/windows/file/file_event/file_event_win_pingback_backdoor.yml b/rules/windows/file/file_event/file_event_win_pingback_backdoor.yml index 01e27932c..e34e274bd 100644 --- a/rules/windows/file/file_event/file_event_win_pingback_backdoor.yml +++ b/rules/windows/file/file_event/file_event_win_pingback_backdoor.yml @@ -1,4 +1,4 @@ -title: Pingback Backdoor +title: Pingback Backdoor - File id: 2bd63d53-84d4-4210-80ff-bf0658f1bf78 status: test description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report @@ -7,7 +7,7 @@ references: - https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406 author: Bhabesh Raj date: 2021/05/05 -modified: 2022/10/09 +modified: 2022/12/02 tags: - attack.persistence - attack.t1574.001 diff --git a/rules/windows/file/file_event/file_event_win_wmiprvse_wbemcomn_dll_hijack.yml b/rules/windows/file/file_event/file_event_win_wmiprvse_wbemcomn_dll_hijack.yml index dd0c53af5..eff3e341d 100644 --- a/rules/windows/file/file_event/file_event_win_wmiprvse_wbemcomn_dll_hijack.yml +++ b/rules/windows/file/file_event/file_event_win_wmiprvse_wbemcomn_dll_hijack.yml @@ -1,4 +1,4 @@ -title: Wmiprvse Wbemcomn DLL Hijack +title: Wmiprvse Wbemcomn DLL Hijack - File id: 614a7e17-5643-4d89-b6fe-f9df1a79641c status: test description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario. @@ -6,7 +6,7 @@ references: - https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020/10/12 -modified: 2022/10/09 +modified: 2022/12/02 tags: - attack.execution - attack.t1047 diff --git a/rules/windows/image_load/image_load_alternate_powershell_hosts_moduleload.yml b/rules/windows/image_load/image_load_alternate_powershell_hosts_moduleload.yml index 198a753af..6b1b71242 100644 
--- a/rules/windows/image_load/image_load_alternate_powershell_hosts_moduleload.yml +++ b/rules/windows/image_load/image_load_alternate_powershell_hosts_moduleload.yml @@ -1,4 +1,4 @@ -title: Alternate PowerShell Hosts +title: Alternate PowerShell Hosts - Image id: fe6e002f-f244-4278-9263-20e4b593827f status: experimental description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe @@ -6,7 +6,7 @@ references: - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190610201010.html author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2019/09/12 -modified: 2022/11/22 +modified: 2022/12/02 tags: - attack.execution - attack.t1059.001 diff --git a/rules/windows/image_load/image_load_pingback_backdoor.yml b/rules/windows/image_load/image_load_pingback_backdoor.yml index 7b8c90b68..f26a922ae 100644 --- a/rules/windows/image_load/image_load_pingback_backdoor.yml +++ b/rules/windows/image_load/image_load_pingback_backdoor.yml @@ -1,4 +1,4 @@ -title: Pingback Backdoor +title: Pingback Backdoor - Image id: 35a7dc42-bc6f-46e0-9f83-81f8e56c8d4b status: experimental description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report @@ -7,7 +7,7 @@ references: - https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406 author: Bhabesh Raj date: 2021/05/05 -modified: 2022/08/14 +modified: 2022/12/02 tags: - attack.persistence - attack.t1574.001 diff --git a/rules/windows/image_load/image_load_tttracer_mod_load.yml b/rules/windows/image_load/image_load_tttracer_mod_load.yml index 43e405e1f..a6f3981b7 100644 --- a/rules/windows/image_load/image_load_tttracer_mod_load.yml +++ b/rules/windows/image_load/image_load_tttracer_mod_load.yml 
@@ -1,4 +1,4 @@ -title: Time Travel Debugging Utility Usage +title: Time Travel Debugging Utility Usage - Image id: e76c8240-d68f-4773-8880-5c6f63595aaf status: test description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe. @@ -8,7 +8,7 @@ references: - https://twitter.com/oulusoyum/status/1191329746069655553 author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative' date: 2020/10/06 -modified: 2022/10/09 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.credential_access diff --git a/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml b/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml index 9ce7332e3..8c46b03d4 100644 --- a/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml +++ b/rules/windows/powershell/powershell_classic/posh_pc_downgrade_attack.yml @@ -1,4 +1,4 @@ -title: PowerShell Downgrade Attack +title: PowerShell Downgrade Attack - PowerShell id: 6331d09b-4785-4c13-980f-f96661356249 status: experimental description: Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0 @@ -6,7 +6,7 @@ references: - http://www.leeholmes.com/blog/2017/03/17/detecting-and-preventing-powershell-downgrade-attacks/ author: Florian Roth (rule), Lee Holmes (idea), Harish Segar (improvements) date: 2017/03/22 -modified: 2021/10/16 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.execution diff --git a/rules/windows/powershell/powershell_classic/posh_pc_susp_athremotefxvgpudisablementcommand.yml b/rules/windows/powershell/powershell_classic/posh_pc_susp_athremotefxvgpudisablementcommand.yml index d81b9e4e6..6a079219a 100644 --- a/rules/windows/powershell/powershell_classic/posh_pc_susp_athremotefxvgpudisablementcommand.yml +++ b/rules/windows/powershell/powershell_classic/posh_pc_susp_athremotefxvgpudisablementcommand.yml 
@@ -1,4 +1,4 @@ -title: Abusable Invoke-ATHRemoteFXvGPUDisablementCommand +title: Abusable Invoke-ATHRemoteFXvGPUDisablementCommand - PowerShell id: f65e22f9-819e-4f96-9c7b-498364ae7a25 related: - id: 38a7625e-b2cb-485d-b83d-aff137d859f4 @@ -10,7 +10,7 @@ references: - https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1 author: frack113 date: 2021/07/13 -modified: 2022/10/09 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.t1218 diff --git a/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml b/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml index 78d439ab8..394ae9e8a 100644 --- a/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml +++ b/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml @@ -1,4 +1,4 @@ -title: Zip A Folder With PowerShell For Staging In Temp +title: Zip A Folder With PowerShell For Staging In Temp - PowerShell id: 71ff406e-b633-4989-96ec-bc49d825a412 related: - id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9 @@ -9,7 +9,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md author: frack113 date: 2021/07/20 -modified: 2022/10/09 +modified: 2022/12/02 tags: - attack.collection - attack.t1074.001 diff --git a/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml b/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml index ccb752a5d..77839f775 100644 --- a/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml +++ b/rules/windows/powershell/powershell_classic/posh_pc_xor_commandline.yml 
@@ -1,4 +1,4 @@ -title: Suspicious XOR Encoded PowerShell Command Line +title: Suspicious XOR Encoded PowerShell Command Line - PowerShell id: 812837bb-b17f-45e9-8bd0-0ec35d2e3bd6 status: experimental description: Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands. @@ -6,7 +6,7 @@ references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=46 author: Teymur Kheirkhabarov, Harish Segar (rule) date: 2020/06/29 -modified: 2022/07/07 +modified: 2022/12/02 tags: - attack.execution - attack.t1059.001 diff --git a/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml index 7f7928774..69e2ce0b7 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml @@ -1,4 +1,4 @@ -title: Alternate PowerShell Hosts +title: Alternate PowerShell Hosts - PowerShell Module id: 64e8e417-c19a-475a-8d19-98ea705394cc status: test description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe @@ -6,7 +6,7 @@ references: - https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html author: Roberto Rodriguez @Cyb3rWard0g date: 2019/08/11 -modified: 2022/10/10 +modified: 2022/12/02 tags: - attack.execution - attack.t1059.001 diff --git a/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml b/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml index 08affa1ba..95535ca0b 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml 
@@ -1,4 +1,4 @@ -title: Clear PowerShell History +title: Clear PowerShell History - PowerShell Module id: f99276ad-d122-4989-a09a-d00904a5f9d2 related: - id: dfba4ce1-e0ea-495f-986e-97140f31af2d @@ -9,7 +9,7 @@ references: - https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community date: 2019/10/25 -modified: 2022/05/10 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.t1070.003 diff --git a/rules/windows/powershell/powershell_module/posh_pm_powercat.yml b/rules/windows/powershell/powershell_module/posh_pm_powercat.yml index d0e211da3..c2c8b233a 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_powercat.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_powercat.yml @@ -1,4 +1,4 @@ -title: Netcat The Powershell Version +title: Netcat The Powershell Version - PowerShell Module id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2 status: experimental description: Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network @@ -8,7 +8,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md author: frack113 date: 2021/07/21 -modified: 2021/10/16 +modified: 2022/12/02 tags: - attack.command_and_control - attack.t1095 diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml index d7bd34858..6e59a9f24 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml 
@@ -1,4 +1,4 @@ -title: Abusable Invoke-ATHRemoteFXvGPUDisablementCommand +title: Abusable Invoke-ATHRemoteFXvGPUDisablementCommand - PowerShell Module id: 38a7625e-b2cb-485d-b83d-aff137d859f4 status: experimental description: RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339). @@ -7,7 +7,7 @@ references: - https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1 author: frack113 date: 2021/07/13 -modified: 2021/10/16 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.t1218 diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml index 5f36c7b73..0f8d9c8af 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_susp_download.yml @@ -1,4 +1,4 @@ -title: Suspicious PowerShell Download +title: Suspicious PowerShell Download - PowerShell Module id: de41232e-12e8-49fa-86bc-c05c7e722df9 related: - id: 65531a81-a694-4e31-ae04-f8ba5bc33759 @@ -7,7 +7,7 @@ status: experimental description: Detects suspicious PowerShell download command author: Florian Roth date: 2017/03/05 -modified: 2021/10/18 +modified: 2022/12/02 tags: - attack.execution - attack.t1059.001 diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml index 0be65ca51..c5ffd17ef 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml 
@@ -1,4 +1,4 @@ -title: Use Get-NetTCPConnection +title: Use Get-NetTCPConnection - PowerShell Module id: aff815cc-e400-4bf0-a47a-5d8a2407d4e1 status: experimental description: Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. @@ -6,6 +6,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-2---system-network-connections-discovery-with-powershell author: frack113 date: 2021/12/10 +modified: 2022/12/02 tags: - attack.discovery - attack.t1049 diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml index 58ab9a87c..e37c54b48 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_generic.yml @@ -1,4 +1,4 @@ -title: Suspicious PowerShell Invocations - Generic +title: Suspicious PowerShell Invocations - Generic - PowerShell Module id: bbb80e91-5746-4fbe-8898-122e2cafdbf4 related: - id: 3d304fda-78aa-43ed-975c-d740798a49c1 @@ -7,7 +7,7 @@ status: experimental description: Detects suspicious PowerShell invocation command parameters author: Florian Roth (rule) date: 2017/03/12 -modified: 2021/12/02 +modified: 2022/12/02 tags: - attack.execution - attack.t1059.001 diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml index 0a8f13c05..8c224599e 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_susp_invocation_specific.yml 
@@ -1,4 +1,4 @@ -title: Suspicious PowerShell Invocations - Specific +title: Suspicious PowerShell Invocations - Specific - PowerShell Module id: 8ff28fdd-e2fa-4dfa-aeda-ef3d61c62090 related: - id: fce5f582-cc00-41e1-941a-c6fabf0fdb8c @@ -7,7 +7,7 @@ status: experimental description: Detects suspicious PowerShell invocation command parameters author: Florian Roth (rule), Jonhnathan Ribeiro date: 2017/03/05 -modified: 2022/02/21 +modified: 2022/12/02 tags: - attack.execution - attack.t1059.001 diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml index fed54bbf6..76ec86dc2 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml @@ -1,4 +1,4 @@ -title: Suspicious Get Information for SMB Share +title: Suspicious Get Information for SMB Share - PowerShell Module id: 6942bd25-5970-40ab-af49-944247103358 status: experimental description: | @@ -9,6 +9,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md author: frack113 date: 2021/12/15 +modified: 2022/12/02 tags: - attack.discovery - attack.t1069.001 diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml index 1cd4292c4..0579a4f7a 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml @@ -1,4 +1,4 @@ -title: Zip A Folder With PowerShell For Staging In Temp +title: Zip A Folder With PowerShell For Staging In Temp - PowerShell Module id: daf7eb81-35fd-410d-9d7a-657837e602bb related: - id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9 
@@ -9,7 +9,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md author: frack113 date: 2021/07/20 -modified: 2021/10/16 +modified: 2022/12/02 tags: - attack.collection - attack.t1074.001 diff --git a/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml b/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml index ec7d8c72a..ed0d1c132 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_syncappvpublishingserver_exe.yml @@ -1,4 +1,4 @@ -title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction +title: SyncAppvPublishingServer Bypass Powershell Restriction - PS Module id: fe5ce7eb-dad8-467c-84a9-31ec23bd644a related: - id: fde7929d-8beb-4a4c-b922-be9974671667 @@ -11,7 +11,7 @@ references: - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/ author: 'Ensar Şamil, @sblmsrsn, OSCD Community' date: 2020/10/05 -modified: 2021/10/18 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.t1218 diff --git a/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml b/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml index 6793baf4e..12f875418 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml @@ -1,4 +1,4 @@ -title: Clear PowerShell History +title: Clear PowerShell History - PowerShell id: 26b692dc-1722-49b2-b496-a8258aa6371d related: - id: dfba4ce1-e0ea-495f-986e-97140f31af2d 
@@ -9,7 +9,7 @@ references: - https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community date: 2022/01/25 -modified: 2022/05/10 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.t1070.003 diff --git a/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml b/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml index 7340abc67..269775a91 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml @@ -1,4 +1,4 @@ -title: Root Certificate Installed +title: Root Certificate Installed - PowerShell id: 42821614-9264-4761-acfc-5772c3286f76 status: experimental description: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. @@ -6,7 +6,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md author: 'oscd.community, @redcanary, Zach Stanford @svch0st' date: 2020/10/10 -modified: 2021/12/04 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.t1553.004 diff --git a/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml b/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml index 48c6e97fe..862c5127a 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml @@ -1,4 +1,4 @@ -title: Change PowerShell Policies to an Insecure Level +title: Change PowerShell Policies to an Insecure Level - PowerShell id: 61d0475c-173f-4844-86f7-f3eebae1c66b status: experimental description: Detects use of Set-ExecutionPolicy to set insecure policies 
@@ -8,7 +8,7 @@ references: - https://adsecurity.org/?p=2604 author: frack113 date: 2021/10/20 -modified: 2022/09/10 +modified: 2022/12/02 tags: - attack.execution - attack.t1059.001 diff --git a/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml b/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml index 5e3bb6aec..1e7e08871 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml @@ -1,4 +1,4 @@ -title: Detected Windows Software Discovery +title: Detected Windows Software Discovery - PowerShell id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282 status: experimental description: Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable. @@ -7,7 +7,7 @@ references: - https://github.com/harleyQu1nn/AggressorScripts #AVQuery.cna author: Nikita Nazarov, oscd.community date: 2020/10/16 -modified: 2021/11/12 +modified: 2022/12/02 tags: - attack.discovery - attack.t1518 diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml index a216f6416..b8a2e0a53 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_download.yml @@ -1,4 +1,4 @@ -title: Suspicious PowerShell Download +title: Suspicious PowerShell Download - Powershell Script id: 403c2cc0-7f6b-4925-9423-bfa573bed7eb related: - id: 65531a81-a694-4e31-ae04-f8ba5bc33759 @@ -7,7 +7,7 @@ status: experimental description: Detects suspicious PowerShell download command author: Florian Roth date: 2017/03/05 -modified: 2021/10/18 +modified: 2022/12/02 tags: - attack.execution - attack.t1059.001 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml index c3c9de7a3..863835803 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml @@ -1,4 +1,4 @@ -title: Delete Volume Shadow Copies via WMI with PowerShell +title: Delete Volume Shadow Copies via WMI with PowerShell - PS Script id: e17121b4-ef2a-4418-8a59-12fb1631fa9e status: test description: Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil @@ -6,6 +6,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell author: frack113 date: 2021/12/26 +modified: 2022/12/02 tags: - attack.impact - attack.t1490 diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml index 97e19d2b6..5e1e90771 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy_deletion.yml @@ -1,4 +1,4 @@ -title: Deletion of Volume Shadow Copies via WMI with PowerShell +title: Deletion of Volume Shadow Copies via WMI with PowerShell - PS Script id: c1337eb8-921a-4b59-855b-4ba188ddcc42 related: - id: e17121b4-ef2a-4418-8a59-12fb1631fa9e @@ -12,6 +12,7 @@ references: - https://www.elastic.co/guide/en/security/current/volume-shadow-copy-deletion-via-powershell.html author: Tim Rauch date: 2022/09/20 +modified: 2022/12/02 tags: - attack.impact - attack.t1490 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml index e8f63ef62..5c4423415 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml @@ -1,4 +1,4 @@ -title: Zip A Folder With PowerShell For Staging In Temp +title: Zip A Folder With PowerShell For Staging In Temp - PowerShell Script id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9 status: experimental description: Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration @@ -6,7 +6,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md author: frack113 date: 2021/07/20 -modified: 2021/10/16 +modified: 2022/12/02 tags: - attack.collection - attack.t1074.001 diff --git a/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_apr21.yml b/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_apr21.yml index fa062bb0d..fea8a4164 100644 --- a/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_apr21.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_apr21.yml @@ -1,4 +1,4 @@ -title: Lazarus Activity +title: Lazarus Activity Apr21 id: 4a12fa47-c735-4032-a214-6fab5b120670 status: test description: Detects different process creation events as described in Malwarebytes's threat report on Lazarus group activity @@ -6,7 +6,7 @@ references: - https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/ author: Bhabesh Raj date: 2021/04/20 -modified: 2022/10/09 +modified: 2022/12/02 tags: - attack.g0032 - attack.execution 
diff --git a/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_dec20.yml b/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_dec20.yml index bf721ab56..cb8a67a3f 100644 --- a/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_dec20.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_dec20.yml @@ -1,4 +1,4 @@ -title: Lazarus Activity +title: Lazarus Activity Dec20 id: 24c4d154-05a4-4b99-b57d-9b977472443a status: test description: Detects different process creation events as described in various threat reports on Lazarus group activity @@ -7,7 +7,7 @@ references: - https://www.hvs-consulting.de/lazarus-report/ author: Florian Roth date: 2020/12/23 -modified: 2022/10/09 +modified: 2022/12/02 tags: - attack.g0032 - attack.execution diff --git a/rules/windows/process_creation/proc_creation_win_apt_turla_commands_critical.yml b/rules/windows/process_creation/proc_creation_win_apt_turla_commands_critical.yml index 5a05aff7b..b06bba960 100755 --- a/rules/windows/process_creation/proc_creation_win_apt_turla_commands_critical.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_turla_commands_critical.yml @@ -1,4 +1,4 @@ -title: Turla Group Lateral Movement +title: Turla Group Lateral Movement id: c601f20d-570a-4cde-a7d6-e17f99cb8e7f status: test description: Detects automated lateral movement by Turla group diff --git a/rules/windows/process_creation/proc_creation_win_apt_turla_commands_medium.yml b/rules/windows/process_creation/proc_creation_win_apt_turla_commands_medium.yml index 86c0f3bf0..817a4cc14 100644 --- a/rules/windows/process_creation/proc_creation_win_apt_turla_commands_medium.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_turla_commands_medium.yml 
@@ -1,4 +1,4 @@ -title: Turla Group Lateral Movement +title: Automated Turla Group Lateral Movement id: 75925535-ca97-4e0a-a850-00b5c00779dc status: test description: Detects automated lateral movement by Turla group @@ -6,7 +6,7 @@ references: - https://securelist.com/the-epic-turla-operation/65545/ author: Markus Neis date: 2017/11/07 -modified: 2022/10/09 +modified: 2022/12/02 tags: - attack.g0010 - attack.execution diff --git a/rules/windows/process_creation/proc_creation_win_mal_ryuk.yml b/rules/windows/process_creation/proc_creation_win_mal_ryuk.yml index acecd619c..da6d670b4 100644 --- a/rules/windows/process_creation/proc_creation_win_mal_ryuk.yml +++ b/rules/windows/process_creation/proc_creation_win_mal_ryuk.yml @@ -1,4 +1,4 @@ -title: Ryuk Ransomware +title: Ryuk Ransomware Command Line Activity id: 0acaad27-9f02-4136-a243-c357202edd74 status: stable description: Detects Ryuk Ransomware command lines @@ -6,7 +6,7 @@ references: - https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/ author: Vasiliy Burov date: 2019/08/06 -modified: 2022/11/29 +modified: 2022/12/02 tags: - attack.execution - attack.t1204 diff --git a/rules/windows/process_creation/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml b/rules/windows/process_creation/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml index 900099c2e..a400d0df0 100644 --- a/rules/windows/process_creation/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml +++ b/rules/windows/process_creation/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml 
@@ -1,7 +1,11 @@ title: Excel Proxy Executing Regsvr32 With Payload id: 9d1c72f5-43f0-4da5-9320-648cf2099dd0 status: experimental -description: Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).But we have command-line in the event which allow us to "restore" this suspicious parent-child chain and detect it. Monitor process creation with "wmic process call create" and LOLBins in command-line with parent Office application processes. +description: | + Excel called wmic to finally proxy execute regsvr32 with the payload. + An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin). + But we have command-line in the event which allow us to "restore" this suspicious parent-child chain and detect it. + Monitor process creation with "wmic process call create" and LOLBins in command-line with parent Office application processes. references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml diff --git a/rules/windows/process_creation/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml b/rules/windows/process_creation/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml index 623ebbfac..24c808893 100644 --- a/rules/windows/process_creation/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml +++ b/rules/windows/process_creation/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml 
@@ -1,13 +1,17 @@ -title: Excel Proxy Executing Regsvr32 With Payload +title: Excel Proxy Executing Regsvr32 With Payload Alternate id: c0e1c3d5-4381-4f18-8145-2583f06a1fe5 status: experimental -description: Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin).But we have command-line in the event which allow us to "restore" this suspicious parent-child chain and detect it. Monitor process creation with "wmic process call create" and LOLBins in command-line with parent Office application processes. +description: | + Excel called wmic to finally proxy execute regsvr32 with the payload. + An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin). + But we have command-line in the event which allow us to "restore" this suspicious parent-child chain and detect it. + Monitor process creation with "wmic process call create" and LOLBins in command-line with parent Office application processes. references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml author: 'Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)' date: 2021/08/23 -modified: 2022/07/07 +modified: 2022/12/02 tags: - attack.t1204.002 - attack.t1047 diff --git a/rules/windows/process_creation/proc_creation_win_office_spawning_wmi_commandline.yml b/rules/windows/process_creation/proc_creation_win_office_spawning_wmi_commandline.yml index aeabf14ca..4ca453a34 100644 --- a/rules/windows/process_creation/proc_creation_win_office_spawning_wmi_commandline.yml +++ b/rules/windows/process_creation/proc_creation_win_office_spawning_wmi_commandline.yml 
@@ -1,4 +1,4 @@ -title: Office Applications Spawning Wmi Cli +title: Office Applications Spawning Wmi Cli Alternate id: 04f5363a-6bca-42ff-be70-0d28bf629ead status: experimental description: Initial execution of malicious document calls wmic to execute the file with regsvr32 @@ -7,7 +7,7 @@ references: - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml author: 'Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)' date: 2021/08/23 -modified: 2022/06/16 +modified: 2022/12/02 tags: - attack.t1204.002 - attack.t1047 diff --git a/rules/windows/process_creation/proc_creation_win_powershell_cmdline_susp_comb_methods.yml b/rules/windows/process_creation/proc_creation_win_powershell_cmdline_susp_comb_methods.yml index 7cc2ab57f..3085e60f1 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_cmdline_susp_comb_methods.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_cmdline_susp_comb_methods.yml @@ -1,4 +1,4 @@ -title: Suspicious Encoded PowerShell Command Line +title: Suspicious Xor PowerShell Command Line id: 5b572dcf-254b-425c-a8c5-d9af6bea35a6 related: - id: cdf05894-89e7-4ead-b2b0-0a5f97a90f2f @@ -9,7 +9,7 @@ references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65 author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton date: 2022/07/06 -modified: 2022/07/14 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.t1027 diff --git a/rules/windows/process_creation/proc_creation_win_susp_ntlmrelay.yml b/rules/windows/process_creation/proc_creation_win_susp_ntlmrelay.yml index f24eb0b05..4713f9807 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_ntlmrelay.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_ntlmrelay.yml 
@@ -1,4 +1,4 @@ -title: Suspicious WebDav Client Execution +title: Suspicious NTLM Authentication on the Printer Spooler Service id: bb76d96b-821c-47cf-944b-7ce377864492 status: experimental description: Detects a privilege elevation attempt by coercing NTLM authentication on the Printer Spooler service @@ -7,6 +7,7 @@ references: - https://github.com/elastic/detection-rules/blob/dd224fb3f81d0b4bf8593c5f02a029d647ba2b2d/rules/windows/credential_access_relay_ntlm_auth_via_http_spoolss.toml author: Elastic (idea), Tobias Michalski date: 2022/05/04 +modified: 2022/12/02 tags: - attack.privilege_escalation - attack.credential_access From b5e783a6d5f2ea0a77f68fb646bfb1b2304e3996 Mon Sep 17 00:00:00 2001 From: securepeacock <92804416+securepeacock@users.noreply.github.com> Date: Fri, 2 Dec 2022 13:44:44 -0500 Subject: [PATCH 047/303] =?UTF-8?q?Update=20and=20rename=20proc=5Fcreation?= =?UTF-8?q?=5Fwin=5Frundll32=5Fnot=5Ffrom=5Fc=5Fdrive.yml=20to=20=E2=80=A6?= =?UTF-8?q?=20(#3609)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com> Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> --- ..._creation_win_lolbin_not_from_c_drive.yml} | 20 +++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) rename rules/windows/process_creation/{proc_creation_win_rundll32_not_from_c_drive.yml => proc_creation_win_lolbin_not_from_c_drive.yml} (57%) diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_not_from_c_drive.yml b/rules/windows/process_creation/proc_creation_win_lolbin_not_from_c_drive.yml similarity index 57% rename from rules/windows/process_creation/proc_creation_win_rundll32_not_from_c_drive.yml rename to rules/windows/process_creation/proc_creation_win_lolbin_not_from_c_drive.yml index fdb843257..906b0a985 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_not_from_c_drive.yml 
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_not_from_c_drive.yml @@ -1,12 +1,13 @@ -title: Rundll32 From Abnormal Drive +title: LOLBIN From Abnormal Drive id: d4ca7c59-e9e4-42d8-bf57-91a776efcb87 status: experimental -description: Detects rundll32.exe executing from an abnormal drive such as a mounted ISO. -references: - - https://thedfirreport.com/2021/12/13/diavol-ransomware/ +description: Detects LOLBINs executing from an abnormal drive such as a mounted ISO. author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io' date: 2022/01/25 modified: 2022/02/14 +references: + - https://thedfirreport.com/2021/12/13/diavol-ransomware/ + - https://www.scythe.io/library/threat-emulation-qakbot tags: - attack.t1218.001 logsource: @@ -14,8 +15,15 @@ logsource: product: windows detection: selection: - Image|endswith: '\rundll32.exe' - filter: + - '\rundll32.exe' + - '\calc.exe' + - '\mshta.exe' + - '\cscript.exe' + - '\wscript.exe' + - '\regsvr32.exe' + - '\installutil.exe' + - '\cmstp.exe' + filter_currentdirectory: - CurrentDirectory|contains: 'C:\' - CurrentDirectory: '' filter_null: From b6492e731bbe81541b75454f5c0acd55b8c6b674 Mon Sep 17 00:00:00 2001 
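Review bot: The rewritten `selection:` drops the `Image|endswith:` key — the removed `Image|endswith: '\rundll32.exe'` is replaced by a bare list (`- '\rundll32.exe'`, `- '\calc.exe'`, …) sitting directly under `selection:`, which Sigma interprets as a keyword (free-text) list rather than a suffix match on the image path, so the rule no longer constrains the field and may fail to convert for process_creation backends. Restore the modifier and nest the entries under it: `Image|endswith:` on its own line, followed by the eight `- '\…exe'` items indented one level deeper. The rename of `filter` to `filter_currentdirectory` also requires the `condition:` line, which is outside this hunk, to be updated if it still names `filter` rather than using a `1 of filter*` pattern. `modified: 2022/02/14` survives as context even though the detection logic changed in this commit; it should be bumped to the commit date.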
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 2 Dec 2022 23:16:03 +0100 Subject: [PATCH 048/303] feat: general updates and fixes --- ..._from_proxy_executing_regsvr32_payload.yml | 2 +- ...from_proxy_executing_regsvr32_payload2.yml | 2 +- .../win_bits_client_susp_domain.yml | 5 +- ...eate_stream_hash_susp_domain_ext_combo.yml | 5 ++ ..._stream_hash_susp_domain_ext_combo_med.yml | 5 ++ ...ile_event_win_create_non_existent_dlls.yml | 30 ++++++++++++ .../image_load/image_load_side_load_scm.yml | 29 +++++++++++ .../image_load_side_load_vmguestlib.yml | 29 +++++++++++ ...mage_load_susp_dll_load_system_process.yml | 8 +++- .../net_connection_win_binary_susp_com.yml | 6 ++- ...ion_win_bitsadmin_download_susp_domain.yml | 6 ++- .../proc_creation_win_gpg4win_susp_usage.yml | 33 +++++++++++++ ...oc_creation_win_office_proxy_exec_wmic.yml | 48 +++++++++++++++++++ .../proc_creation_win_tool_nircmd.yml | 5 +- ...proc_creation_win_wsudo_susp_execution.yml | 32 +++++++++++++ 15 files changed, 237 insertions(+), 8 deletions(-) rename {rules/windows/process_creation => rules-deprecated/windows}/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml (98%) rename {rules/windows/process_creation => rules-deprecated/windows}/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml (98%) create mode 100644 rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml create mode 100644 rules/windows/image_load/image_load_side_load_scm.yml create mode 100644 rules/windows/image_load/image_load_side_load_vmguestlib.yml create mode 100644 rules/windows/process_creation/proc_creation_win_gpg4win_susp_usage.yml create mode 100644 rules/windows/process_creation/proc_creation_win_office_proxy_exec_wmic.yml create mode 100644 rules/windows/process_creation/proc_creation_win_wsudo_susp_execution.yml 
diff --git a/rules/windows/process_creation/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml b/rules-deprecated/windows/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml similarity index 98% rename from rules/windows/process_creation/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml rename to rules-deprecated/windows/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml index a400d0df0..990b256e8 100644 --- a/rules/windows/process_creation/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml +++ b/rules-deprecated/windows/proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml @@ -1,6 +1,6 @@ title: Excel Proxy Executing Regsvr32 With Payload id: 9d1c72f5-43f0-4da5-9320-648cf2099dd0 -status: experimental +status: deprecated description: | Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin). diff --git a/rules/windows/process_creation/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml b/rules-deprecated/windows/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml similarity index 98% rename from rules/windows/process_creation/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml rename to rules-deprecated/windows/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml index 24c808893..9d70c250c 100644 --- a/rules/windows/process_creation/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml +++ b/rules-deprecated/windows/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml 
@@ -1,6 +1,6 @@ title: Excel Proxy Executing Regsvr32 With Payload Alternate id: c0e1c3d5-4381-4f18-8145-2583f06a1fe5 -status: experimental +status: deprecated description: | Excel called wmic to finally proxy execute regsvr32 with the payload. An attacker wanted to break suspicious parent-child chain (Office app spawns LOLBin). diff --git a/rules/windows/builtin/bits_client/win_bits_client_susp_domain.yml b/rules/windows/builtin/bits_client/win_bits_client_susp_domain.yml index 2f3880ab4..c3a6c072c 100644 --- a/rules/windows/builtin/bits_client/win_bits_client_susp_domain.yml +++ b/rules/windows/builtin/bits_client/win_bits_client_susp_domain.yml @@ -8,7 +8,7 @@ references: - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker author: Florian Roth date: 2022/06/28 -modified: 2022/08/09 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.persistence @@ -35,6 +35,9 @@ detection: - 'anonfiles.com' - 'send.exploit.in' - 'transfer.sh' + - 'privatlab.net' + - 'privatlab.com' + - 'sendspace.com' condition: selection falsepositives: - Unknown diff --git a/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo.yml b/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo.yml index 1e94c3ad2..5babf5085 100644 --- a/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo.yml +++ b/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo.yml @@ -4,8 +4,10 @@ status: experimental description: Detects the download of suspicious file type from a well-known file and paste sharing domain references: - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015 + - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a author: Florian Roth date: 2022/08/24 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.s0139 
@@ -32,6 +34,9 @@ detection: - 'storage.googleapis.com' - 'anonfiles.com' - 'send.exploit.in' + - 'privatlab.net' + - 'privatlab.com' + - 'sendspace.com' selection_extension: TargetFilename|contains: - '.exe:Zone' diff --git a/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo_med.yml b/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo_med.yml index a32c292cc..b47dc0e17 100644 --- a/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo_med.yml +++ b/rules/windows/create_stream_hash/create_stream_hash_susp_domain_ext_combo_med.yml @@ -4,8 +4,10 @@ status: experimental description: Detects the download of suspicious file type from a well-known file and paste sharing domain references: - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015 + - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a author: Florian Roth date: 2022/08/24 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.s0139 @@ -32,6 +34,9 @@ detection: - 'storage.googleapis.com' - 'anonfiles.com' - 'send.exploit.in' + - 'privatlab.net' + - 'privatlab.com' + - 'sendspace.com' selection_extension: TargetFilename|contains: - '.ps1:Zone' diff --git a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml new file mode 100644 index 000000000..9c9c65693 --- /dev/null +++ b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml 
@@ -0,0 +1,30 @@ +title: Creation Of Non-Existent DLLs In System Folders +id: df6ecb8b-7822-4f4b-b412-08f524b4576c +status: experimental +description: Detects the creation of system dlls that are not present on the system. Usualy to achieve dll hijacking +references: + - https://decoded.avast.io/martinchlumecky/png-steganography/ + - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992 +author: Nasreddine Bencherchali +date: 2022/12/01 +tags: + - attack.defense_evasion + - attack.persistence + - attack.privilege_escalation + - attack.t1574.001 + - attack.t1574.002 +logsource: + product: windows + category: file_event +detection: + selection: + TargetFilename: + - 'C:\Windows\System32\WLBSCTRL.dll' + - 'C:\Windows\System32\TSMSISrv.dll' + - 'C:\Windows\System32\TSVIPSrv.dll' + filter: + Image|startswith: 'C:\Windows\System32\' + condition: selection and not filter +falsepositives: + - Unknown +level: medium diff --git a/rules/windows/image_load/image_load_side_load_scm.yml b/rules/windows/image_load/image_load_side_load_scm.yml new file mode 100644 index 000000000..fd244a0c5 --- /dev/null +++ b/rules/windows/image_load/image_load_side_load_scm.yml 
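Review bot: The `filter` in the new rule, `Image|startswith: 'C:\Windows\System32\'`, exempts every writer resident under System32, which includes the built-in command interpreters and scripting hosts, so the rule only sees creations of these DLLs by binaries from third-party paths and misses the most common way a file gets copied there. If the filter is meant to suppress Windows servicing components, scope it to the specific legitimate images observed (for example an `Image|endswith` list) rather than the whole directory. The description also misspells `Usualy`; suggest `Detects the creation of system DLLs that are not present on the system, usually to achieve DLL hijacking`.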
@@ -0,0 +1,29 @@ +title: SCM DLL Sideload +id: bc3cc333-48b9-467a-9d1f-d44ee594ef48 +status: experimental +description: Detects DLL sideloading of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) which do not exists on a typical modern system +references: + - https://decoded.avast.io/martinchlumecky/png-steganography/ + - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992 +author: Nasreddine Bencherchali +date: 2022/12/01 +tags: + - attack.defense_evasion + - attack.persistence + - attack.privilege_escalation + - attack.t1574.001 + - attack.t1574.002 +logsource: + category: image_load + product: windows +detection: + selection: + ImageLoaded: + - 'C:\Windows\System32\WLBSCTRL.dll' + - 'C:\Windows\System32\TSMSISrv.dll' + - 'C:\Windows\System32\TSVIPSrv.dll' + Image: 'C:\Windows\System32\svchost.exe' + condition: selection +falsepositives: + - Unknown +level: medium diff --git a/rules/windows/image_load/image_load_side_load_vmguestlib.yml b/rules/windows/image_load/image_load_side_load_vmguestlib.yml new file mode 100644 index 000000000..28b560800 --- /dev/null +++ b/rules/windows/image_load/image_load_side_load_vmguestlib.yml 
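Review bot: Both `ImageLoaded` and `Image` in `selection` are exact matches on hard-coded `C:\Windows\System32\...` paths, so installations on a non-default system drive never match; other rules in this same patch use `|endswith` for the same purpose, e.g. `Image|endswith: '\Windows\System32\svchost.exe'` and `ImageLoaded|endswith: '\Windows\System32\WLBSCTRL.dll'`. The description also reads `which do not exists`; suggest `which do not exist`.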
@@ -0,0 +1,29 @@ +title: SCM DLL Sideload +id: 70e8e9b4-6a93-4cb7-8cde-da69502e7aff +status: experimental +description: Detects DLL sideloading of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) which do not exists on a typical modern system +references: + - https://decoded.avast.io/martinchlumecky/png-steganography/ +author: Nasreddine Bencherchali +date: 2022/12/01 +tags: + - attack.defense_evasion + - attack.persistence + - attack.privilege_escalation + - attack.t1574.001 + - attack.t1574.002 +logsource: + category: image_load + product: windows +detection: + selection: + ImageLoaded|contains: + - '\VMware\VMware Tools\vmStatsProvider\win32' + - '\vmGuestLib.dll' + Image|endswith: '\Windows\System32\wbem\WmiApSrv.exe' + filter: + Signed: 'true' + condition: selection and not filter +falsepositives: + - Unknown +level: medium diff --git a/rules/windows/image_load/image_load_susp_dll_load_system_process.yml b/rules/windows/image_load/image_load_susp_dll_load_system_process.yml index 38f4572c2..fc2acbb2e 100644 --- a/rules/windows/image_load/image_load_susp_dll_load_system_process.yml +++ b/rules/windows/image_load/image_load_susp_dll_load_system_process.yml @@ -6,7 +6,7 @@ references: - https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC (Idea) author: Nasreddine Bencherchali date: 2022/07/17 -modified: 2022/10/12 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.t1070 @@ -28,6 +28,12 @@ detection: - ImageLoaded|startswith: - 'C:\Program Files\' - 'C:\Program Files (x86)\' + - Image: + - 'C:\Windows\SysWOW64\rundll32.exe' # Typical for installers and updaters + - 'C:\Windows\System32\rundll32.exe' # Typical for installers and updaters + - CommandLine|contains|all: + - '\AppData\Local\Temp\' # Typical for installers and updaters + - '\setup.exe' filter_cleanmgr: # Example CLI that generates this event: C:\WINDOWS\system32\cleanmgr.exe /autocleanstoragesense /d C: # Sometimes the DLL gets loaded from %temp% 
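Review bot: The added `- Image:` entry in the filter list exempts every `rundll32.exe` load from System32 and SysWOW64 on its own, because the items of this list are OR'ed with the `ImageLoaded|startswith` and `CommandLine|contains|all` entries; rundll32 is one of the most common hosts for side-loaded DLLs, so this removes coverage for it entirely rather than for installers and updaters only, as the inline comments intend. Consider binding the exemption to the installer indicator, for example a single map `- Image|endswith: '\rundll32.exe'` with `CommandLine|contains: '\AppData\Local\Temp\'`, so that it stays bounded. The enclosing filter block starts outside the hunk.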
diff --git a/rules/windows/network_connection/net_connection_win_binary_susp_com.yml b/rules/windows/network_connection/net_connection_win_binary_susp_com.yml index 0a98c4d82..25641aa89 100755 --- a/rules/windows/network_connection/net_connection_win_binary_susp_com.yml +++ b/rules/windows/network_connection/net_connection_win_binary_susp_com.yml @@ -6,9 +6,10 @@ references: - https://twitter.com/M_haggis/status/900741347035889665 - https://twitter.com/M_haggis/status/1032799638213066752 - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker + - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a author: Florian Roth date: 2018/08/30 -modified: 2022/08/09 +modified: 2022/12/02 tags: - attack.lateral_movement - attack.t1105 @@ -33,6 +34,9 @@ detection: - 'anonfiles.com' - 'send.exploit.in' - 'transfer.sh' + - 'privatlab.net' + - 'privatlab.com' + - 'sendspace.com' Image|startswith: - 'C:\Windows\' - 'C:\Users\Public\' diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_domain.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_domain.yml index 78a3f092b..4b40ae44b 100644 --- a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_domain.yml +++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_domain.yml @@ -7,9 +7,10 @@ references: - https://isc.sans.edu/diary/22264 - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/ - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker + - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a author: Florian Roth date: 2022/06/28 -modified: 2022/11/11 +modified: 2022/12/02 tags: - attack.defense_evasion - attack.persistence @@ -45,6 +46,9 @@ detection: - 'anonfiles.com' - 'send.exploit.in' - 'transfer.sh' + - 'privatlab.net' + - 'privatlab.com' + - 'sendspace.com' condition: all of selection_* fields: - CommandLine 
diff --git a/rules/windows/process_creation/proc_creation_win_gpg4win_susp_usage.yml b/rules/windows/process_creation/proc_creation_win_gpg4win_susp_usage.yml new file mode 100644 index 000000000..7f6b929e6 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_gpg4win_susp_usage.yml @@ -0,0 +1,33 @@ +title: Gpg4Win Decrypt Files From Suspicious Locations +id: e1e0b7d7-e10b-4ee4-ac49-a4bda05d320d +status: experimental +description: Detects usage of the Gpg4win to decrypt files located in suspicious locations from CLI +references: + - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html +author: Nasreddine Bencherchali, X__Junior +date: 2022/11/30 +tags: + - attack.command_and_control + - attack.t1219 +logsource: + category: process_creation + product: windows +detection: + selection_metadata: + - Image|endswith: + - '\gpg2.exe' + - Product: 'GNU Privacy Guard (GnuPG)' + - Company: 'g10 Code GmbH' + selection_cli: + CommandLine|contains: '-passphrase' + selection_paths: + CommandLine|contains: + - '\AppData\Roaming\' + - 'C:\Perflogs\' + - 'C:\Windows\Temp\' + - 'C:\temp' + - '' + condition: all of selection_* +falsepositives: + - Legitimate use +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_office_proxy_exec_wmic.yml b/rules/windows/process_creation/proc_creation_win_office_proxy_exec_wmic.yml new file mode 100644 index 000000000..071b258dc --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_office_proxy_exec_wmic.yml 
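Review bot: The new rule is tagged `attack.command_and_control` / `attack.t1219` (Remote Access Software), which does not describe what it detects; decrypting a file at a suspicious location with a passphrase passed on the command line is closer to `attack.defense_evasion` / `attack.t1140` (Deobfuscate/Decode Files or Information). Separately, `'C:\temp'` in `selection_paths` lacks the trailing backslash the other entries carry, so it also matches any path starting with `C:\temp` such as `C:\template\`; `'C:\temp\'` keeps it aligned with the rest.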
@@ -0,0 +1,48 @@ +title: Office Processes Proxy Execution Through WMIC +id: e1693bc8-7168-4eab-8718-cdcaa68a1738 +related: + - id: 9d1c72f5-43f0-4da5-9320-648cf2099dd0 + type: obsoletes + - id: c0e1c3d5-4381-4f18-8145-2583f06a1fe5 + type: obsoletes +status: experimental +description: Office application called wmic to proxye execution through a LOLBIN process. This is often used to break suspicious parent-child chain (Office app spawns LOLBin). +references: + - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ + - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml +author: 'Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)' +date: 2021/08/23 +modified: 2022/12/02 +tags: + - attack.t1204.002 + - attack.t1047 + - attack.t1218.010 + - attack.execution + - attack.defense_evasion +logsource: + product: windows + category: process_creation +detection: + selection_wmic: + - Image|endswith: '\wbem\WMIC.exe' + - OriginalFileName: 'wmic.exe' + selection_parent: + ParentImage|endswith: + - '\winword.exe' + - '\excel.exe' + - '\powerpnt.exe' + CommandLine|contains|all: + - 'process' + - 'create' + - 'call' + CommandLine|contains: + # Add more suspicious LOLBINs as you see fit + - 'regsvr32' + - 'rundll32' + - 'msiexec' + - 'mshta' + - 'verclsid' + condition: all of selection_* +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/proc_creation_win_tool_nircmd.yml b/rules/windows/process_creation/proc_creation_win_tool_nircmd.yml index 07538331c..b9162caf8 100644 --- a/rules/windows/process_creation/proc_creation_win_tool_nircmd.yml +++ b/rules/windows/process_creation/proc_creation_win_tool_nircmd.yml 
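Review bot: The description has a typo, `proxye execution`; suggest `Office application called wmic to proxy execution through a LOLBIN process. This is often used to break the suspicious parent-child chain (Office app spawns LOLBin).` The `date: 2021/08/23` presumably carries over from the two obsoleted rules, which is reasonable given the `related` entries, but a short comment noting that would save the next reader a lookup.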
@@ -8,7 +8,7 @@ references: - https://www.nirsoft.net/utils/nircmd2.html#using author: Florian Roth, Nasreddine Bencherchali date: 2022/01/24 -modified: 2022/08/08 +modified: 2022/11/30 tags: - attack.execution - attack.t1569.002 @@ -18,7 +18,8 @@ logsource: product: windows detection: selection_org: - OriginalFileName: 'NirCmd.exe' + - Image|endswith: '\NirCmd.exe' + - OriginalFileName: 'NirCmd.exe' selection_cmd: CommandLine|contains: - ' execmd ' diff --git a/rules/windows/process_creation/proc_creation_win_wsudo_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_wsudo_susp_execution.yml new file mode 100644 index 000000000..015d42d08 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_wsudo_susp_execution.yml @@ -0,0 +1,32 @@ +title: Wsudo Suspicious Execution +id: bdeeabc9-ff2a-4a51-be59-bb253aac7891 +status: experimental +description: Detects usage of wsudo (Windows Sudo Utility). Which is a tool that let the user execute programs with different permissions (System, Trusted Installer, Administrator...etc) +references: + - https://github.com/M2Team/Privexec/ +author: Nasreddine Bencherchali +date: 2022/12/02 +tags: + - attack.execution + - attack.privilege_escalation + - attack.t1059 +logsource: + category: process_creation + product: windows +detection: + selection_metadata: + - Image|endswith: '\wsudo.exe' + - OriginalFileName: 'wsudo.exe' + - Description: 'Windows sudo utility' + - ParentImage|endswith: '\wsudo-bridge.exe' + selection_cli: + CommandLine|contains: + - '-u System' + - '-uSystem' + - '-u TrustedInstaller' + - '-uTrustedInstaller' + - ' --ti ' + condition: 1 of selection_* +falsepositives: + - Unknown +level: high From 3c90fb1c33f1f7274e3dcdbdac98fe2349536988 Mon Sep 17 00:00:00 2001 
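Review bot: `condition: 1 of selection_*` in the new wsudo rule fires on `selection_cli` alone, so any process whose command line contains `-u System`, `-uSystem` or ` --ti ` raises a high-severity alert regardless of the image, and conversely any wsudo execution alerts even without a privilege switch. If the intent is the suspicious privilege-elevating usage the title describes, the two selections should be combined: `condition: all of selection_*`. If plain wsudo presence is also meant to alert, that belongs in a separate, lower-level rule so the false-positive profiles stay distinct.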
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 2 Dec 2022 23:22:23 +0100 Subject: [PATCH 049/303] fix: fix metadata information --- .../windows/image_load/image_load_side_load_vmguestlib.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/image_load/image_load_side_load_vmguestlib.yml b/rules/windows/image_load/image_load_side_load_vmguestlib.yml index 28b560800..9f07a60cb 100644 --- a/rules/windows/image_load/image_load_side_load_vmguestlib.yml +++ b/rules/windows/image_load/image_load_side_load_vmguestlib.yml @@ -1,7 +1,7 @@ -title: SCM DLL Sideload +title: VMGuestLib DLL Sideload id: 70e8e9b4-6a93-4cb7-8cde-da69502e7aff status: experimental -description: Detects DLL sideloading of DLLs that are loaded by the SCM for some services (IKE, IKEEXT, SessionEnv) which do not exists on a typical modern system +description: Detects DLL sideloading of VMGuestLib.dll by the WmiApSrv service. references: - https://decoded.avast.io/martinchlumecky/png-steganography/ author: Nasreddine Bencherchali @@ -25,5 +25,5 @@ detection: Signed: 'true' condition: selection and not filter falsepositives: - - Unknown + - FP could occure if the legitimate version of vmGuestLib already exists level: medium From 0c3a0d4c39f1b6b19794fc0b60535e59aab5a56a Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 2 Dec 2022 23:38:18 +0100 Subject: [PATCH 050/303] fix: fp metadata --- rules/windows/image_load/image_load_side_load_vmguestlib.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/image_load/image_load_side_load_vmguestlib.yml b/rules/windows/image_load/image_load_side_load_vmguestlib.yml index 9f07a60cb..2951701a7 100644 --- a/rules/windows/image_load/image_load_side_load_vmguestlib.yml +++ b/rules/windows/image_load/image_load_side_load_vmguestlib.yml 
@@ -25,5 +25,5 @@ detection: Signed: 'true' condition: selection and not filter falsepositives: - - FP could occure if the legitimate version of vmGuestLib already exists + - FP could occure if the legitimate version of vmGuestLib already exists on the system level: medium From de0561edba220fdcc1983f819aff4818b894b93a Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 3 Dec 2022 09:09:51 +0100 Subject: [PATCH 051/303] Update rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> --- .../registry_set/registry_set_creation_service_susp_folder.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml b/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml index 3ac79f4b9..83d8ea3cd 100644 --- a/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml +++ b/rules/windows/registry/registry_set/registry_set_creation_service_susp_folder.yml @@ -41,7 +41,7 @@ detection: - '\ADMIN$\' - '\Temp\' filter_1: - Image|contains|all: + Image|contains|all: # Filter FP with Avast software - '\Common Files\' - '\Temp\' condition: 1 of selection_* and not 1 of filter_* From cb5c19d696f047bede4cfbe1ec59427b49092bbc Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Sat, 3 Dec 2022 09:35:34 +0100 Subject: [PATCH 052/303] fix: FPs found in testing env (#3743) --- .../proc_creation_win_run_executable_invalid_extension.yml | 5 ++++- .../proc_creation_win_susp_parent_of_conhost.yml | 4 +++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml b/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml index 7009302df..b5243e4bc 100644 
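Review bot: The reworded false-positive entry still misspells `occure`; suggest `- FP could occur if the legitimate version of vmGuestLib already exists on the system`. Since this follow-up commit only touches that line, it is the natural place to fix the spelling.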
--- a/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml +++ b/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml @@ -6,7 +6,7 @@ references: - https://twitter.com/mrd0x/status/1481630810495139841?s=12 author: Tim Shelton, Florian Roth, Yassine Oukessou (fix + fp) date: 2022/01/13 -modified: 2022/07/27 +modified: 2022/12/02 logsource: category: process_creation product: windows @@ -32,6 +32,9 @@ detection: ParentCommandLine|contains: ' C:\Program Files\SplunkUniversalForwarder\' filter_localserver_fp: CommandLine|contains: ' -localserver ' + filter_mcafee: + - ParentCommandLine|startswith: 'C:\Windows\system32\rundll32.exe" "C:\Program Files\McAfee\MSC\mcmscins.dll",DllUninstallFunction ' + - CommandLine|startswith: 'C:\Windows\system32\rundll32.exe" /uninstall /longpath "C:\Program Files\McAfee\MSC\mscrem.inf' condition: selection and not 1 of filter* fields: - Image diff --git a/rules/windows/process_creation/proc_creation_win_susp_parent_of_conhost.yml b/rules/windows/process_creation/proc_creation_win_susp_parent_of_conhost.yml index ee024ae05..03e60f2b4 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_parent_of_conhost.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_parent_of_conhost.yml @@ -6,7 +6,7 @@ references: - https://www.elastic.co/guide/en/security/current/conhost-spawned-by-suspicious-parent-process.html author: Tim Rauch date: 2022/09/28 -modified: 2022/11/29 +modified: 2022/12/02 tags: - attack.execution - attack.t1059 @@ -36,7 +36,9 @@ detection: ParentCommandLine|contains: - '-k apphost -s AppHostSvc' - '-k imgsvc' + - '-k localService -p -s RemoteRegistry' - '-k LocalSystemNetworkRestricted -p -s NgcSvc' + - '-k NetSvcs -p -s NcaSvc' - '-k netsvcs -p -s NetSetupSvc' - '-k netsvcs -p -s wlidsvc' - '-k NetworkService -p -s DoSvc' From 77b12345726278078a4197d51b38af4d9bd069c0 Mon Sep 17 00:00:00 2001 
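Review bot: Both `filter_mcafee` patterns use `startswith` with a value that begins `C:\Windows\system32\rundll32.exe"`; the closing quote after the executable suggests the logged command line starts with an opening `"`, in which case a `startswith` on the unquoted path never matches and the filter is dead. If the event source really records it without the leading quote this is fine, otherwise prefixing the values with `"` or switching to `ParentCommandLine|contains` / `CommandLine|contains` would be the safer form; worth confirming against the event that produced the FP. The two entries are written as a list and therefore OR'ed, which looks intended.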
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Sat, 3 Dec 2022 11:55:54 +0100 Subject: [PATCH 053/303] fix: apply code review changes --- rules/windows/image_load/image_load_side_load_vmguestlib.yml | 2 +- .../process_creation/proc_creation_win_gpg4win_susp_usage.yml | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/rules/windows/image_load/image_load_side_load_vmguestlib.yml b/rules/windows/image_load/image_load_side_load_vmguestlib.yml index 2951701a7..952edea99 100644 --- a/rules/windows/image_load/image_load_side_load_vmguestlib.yml +++ b/rules/windows/image_load/image_load_side_load_vmguestlib.yml @@ -17,7 +17,7 @@ logsource: product: windows detection: selection: - ImageLoaded|contains: + ImageLoaded|contains|all: - '\VMware\VMware Tools\vmStatsProvider\win32' - '\vmGuestLib.dll' Image|endswith: '\Windows\System32\wbem\WmiApSrv.exe' diff --git a/rules/windows/process_creation/proc_creation_win_gpg4win_susp_usage.yml b/rules/windows/process_creation/proc_creation_win_gpg4win_susp_usage.yml index 7f6b929e6..5f1dbf8fc 100644 --- a/rules/windows/process_creation/proc_creation_win_gpg4win_susp_usage.yml +++ b/rules/windows/process_creation/proc_creation_win_gpg4win_susp_usage.yml @@ -14,8 +14,7 @@ logsource: product: windows detection: selection_metadata: - - Image|endswith: - - '\gpg2.exe' + - Image|endswith: '\gpg2.exe' - Product: 'GNU Privacy Guard (GnuPG)' - Company: 'g10 Code GmbH' selection_cli: From 3ab7ed6436054afab55b543d07876d9b65de8e93 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sat, 3 Dec 2022 13:09:50 +0100 Subject: [PATCH 054/303] Update proc_creation_win_gpg4win_susp_usage.yml --- .../process_creation/proc_creation_win_gpg4win_susp_usage.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/rules/windows/process_creation/proc_creation_win_gpg4win_susp_usage.yml b/rules/windows/process_creation/proc_creation_win_gpg4win_susp_usage.yml index 5f1dbf8fc..23a623135 100644 --- a/rules/windows/process_creation/proc_creation_win_gpg4win_susp_usage.yml +++ b/rules/windows/process_creation/proc_creation_win_gpg4win_susp_usage.yml @@ -25,7 +25,7 @@ detection: - 'C:\Perflogs\' - 'C:\Windows\Temp\' - 'C:\temp' - - '' + #- '' condition: all of selection_* falsepositives: - Legitimate use From 9c76aac1fc070a7d78f81e7aeb275dd7ef2f2c1c Mon Sep 17 00:00:00 2001 From: fukusuket <41001169+fukusuket@users.noreply.github.com> Date: Sat, 3 Dec 2022 21:56:00 +0900 Subject: [PATCH 055/303] refactor: remove unnesessary escape. --- .../windows/pipe_created/pipe_created_mal_cobaltstrike_re.yml | 4 ++-- .../powershell_script/posh_ps_invoke_obfuscation_stdin.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/windows/pipe_created/pipe_created_mal_cobaltstrike_re.yml b/rules/windows/pipe_created/pipe_created_mal_cobaltstrike_re.yml index 3dcd47c86..079e16feb 100644 --- a/rules/windows/pipe_created/pipe_created_mal_cobaltstrike_re.yml +++ b/rules/windows/pipe_created/pipe_created_mal_cobaltstrike_re.yml @@ -7,7 +7,7 @@ references: - https://gist.github.com/MHaggis/6c600e524045a6d49c35291a21e10752 author: Florian Roth date: 2021/07/30 -modified: 2022/10/09 +modified: 2022/12/03 tags: - attack.defense_evasion - attack.privilege_escalation @@ -23,7 +23,7 @@ detection: - PipeName|re: '\\\\ntsvcs[0-9a-f]{2}' - PipeName|re: '\\\\DserNamePipe[0-9a-f]{2}' - PipeName|re: '\\\\SearchTextHarvester[0-9a-f]{2}' - - PipeName|re: '\\\\mypipe\-(?:f|h)[0-9a-f]{2}' + - PipeName|re: '\\\\mypipe-(?:f|h)[0-9a-f]{2}' - PipeName|re: '\\\\windows\.update\.manager[0-9a-f]{2,3}' - PipeName|re: '\\\\ntsvcs_[0-9a-f]{2}' - PipeName|re: '\\\\scerpc_?[0-9a-f]{2}' 
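Review bot: Commenting out the empty pattern leaves `#- ''` as dead text inside `selection_paths`; delete the line instead, since a commented list entry invites someone to re-enable a `contains` pattern that matches every command line and would make `selection_paths` always true. If the empty string was a placeholder for a future path, a `# TODO` comment stating that intent is clearer than a disabled entry.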
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml index a38955b7f..3d3d7da09 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_stdin.yml @@ -6,7 +6,7 @@ references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25) author: Jonathan Cheong, oscd.community date: 2020/10/15 -modified: 2022/11/29 +modified: 2022/12/03 tags: - attack.defense_evasion - attack.t1027 @@ -18,7 +18,7 @@ logsource: definition: Script block logging must be enabled detection: selection_4104: - ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$?\{?input\}?|noexit).+\"' + ScriptBlockText|re: '.*cmd.{0,5}(?:/c|/r).+powershell.+(?:\$?\{?input\}?|noexit).+"' condition: selection_4104 falsepositives: - Unknown From 75c6f44f124d90cf1670aebb4d67ed80ec32c359 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 4 Dec 2022 11:18:11 +0100 Subject: [PATCH 056/303] Update Workflow (#3752) --- .github/workflows/sigma-test.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml index 5cf624347..98de59882 100644 --- a/.github/workflows/sigma-test.yml +++ b/.github/workflows/sigma-test.yml @@ -22,13 +22,13 @@ jobs: - uses: actions/checkout@v2 with: submodules: true - - name: Set up Python 3.8 + - name: Set up Python 3.11 uses: actions/setup-python@v1 with: - python-version: 3.8 + python-version: 3.11 - name: Install dependencies run: | - pip install sigma-cli~=0.3.2 + pip install sigma-cli~=0.5.3 - name: Test Sigma Rule Syntax run: | sigma check rules From 6390915eb0c6280a709f84fc886bf58966e0c409 Mon Sep 17 00:00:00 2001 
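Review bot: `python-version: 3.11` is an unquoted float; it happens to round-trip here, but the same form with `3.10` parses as `3.1`, so version matrices should be strings: `python-version: "3.11"`. The job also keeps `actions/setup-python@v1` (and `actions/checkout@v2` in context) referenced by mutable tag; for a workflow that installs and executes third-party packages, pinning actions to a full commit SHA and moving to current major versions reduces supply-chain exposure. `sigma-cli~=0.5.3` is a floating range as well, so an exact pin would make the syntax check reproducible.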
From: Florian Roth Date: Sun, 4 Dec 2022 14:36:22 +0100 Subject: [PATCH 057/303] fix: FPs --- .../proc_creation_win_susp_rundll32_by_ordinal.yml | 3 ++- .../process_creation/proc_creation_win_sysmon_exploitation.yml | 3 +++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_susp_rundll32_by_ordinal.yml b/rules/windows/process_creation/proc_creation_win_susp_rundll32_by_ordinal.yml index 8c3cf5bd9..d0285fd93 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_rundll32_by_ordinal.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_rundll32_by_ordinal.yml @@ -9,7 +9,7 @@ references: - https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine/ author: Florian Roth date: 2019/10/22 -modified: 2022/11/13 +modified: 2022/12/04 tags: - attack.defense_evasion - attack.t1218.011 @@ -31,6 +31,7 @@ detection: filter_vsbuild_dll: ParentImage|contains: - '\Msbuild\Current\Bin\' + - '\VC\Tools\MSVC\' - '\Tracker.exe' CommandLine|contains: - '\FileTracker32.dll,#1' diff --git a/rules/windows/process_creation/proc_creation_win_sysmon_exploitation.yml b/rules/windows/process_creation/proc_creation_win_sysmon_exploitation.yml index 5fef7c637..431b8345c 100644 --- a/rules/windows/process_creation/proc_creation_win_sysmon_exploitation.yml +++ b/rules/windows/process_creation/proc_creation_win_sysmon_exploitation.yml @@ -8,6 +8,7 @@ references: - https://twitter.com/filip_dragovic/status/1590104354727436290 author: Florian Roth date: 2022/11/10 +modified: 2022/12/04 tag: - attack.privilege_escalation - attack.t1068 @@ -24,6 +25,8 @@ detection: Image: - 'C:\Windows\Sysmon64.exe' - 'C:\Windows\System32\conhost.exe' + - 'wevtutil.exe' + - 'C:\WINDOWS\system32\wevtutil.exe' condition: selection and not filter falsepositives: - Unknown From 54739006a9ec0f35cf47d92755d6c783f630912b Mon Sep 17 00:00:00 2001 
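Review bot: The `Image:` filter in the sysmon_exploitation rule now mixes a bare `'wevtutil.exe'` with full paths; because `Image:` is an exact match, the bare entry only matches sources that log the basename alone and is a silent no-op elsewhere, so either drop it or express both as `Image|endswith: '\wevtutil.exe'`. Separately, the context line `tag:` directly under the added `modified:` line looks like a misspelling of `tags:`, which presumably leaves the `attack.*` entries beneath it unrecognised by tooling that reads `tags`; worth correcting while this file is being touched.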
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 4 Dec 2022 15:29:08 +0100 Subject: [PATCH 058/303] Fix workflow warning --- .../win_security_service_installation_by_unusal_client.yml | 5 +++-- .../builtin/system/win_system_lpe_indicators_tabtip.yml | 3 ++- ...n_system_system_service_installation_by_unusal_client.yml | 3 ++- .../process_creation/proc_creation_win_susp_wermgr.yml | 3 ++- 4 files changed, 9 insertions(+), 5 deletions(-) diff --git a/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml b/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml index e49c724d3..f9f4dc85c 100644 --- a/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml +++ b/rules/windows/builtin/security/win_security_service_installation_by_unusal_client.yml @@ -10,6 +10,7 @@ references: - https://twitter.com/SBousseaden/status/1490608838701166596 author: Tim Rauch date: 2022/09/15 +modified: 2022/12/04 tags: - attack.privilege_escalation - attack.t1543 @@ -21,8 +22,8 @@ detection: selection: EventID: 4697 selection_pid: - - ClientProcessId: '0' - - ParentProcessId: '0' + - ClientProcessId: 0 + - ParentProcessId: 0 condition: all of selection* falsepositives: - Unknown diff --git a/rules/windows/builtin/system/win_system_lpe_indicators_tabtip.yml b/rules/windows/builtin/system/win_system_lpe_indicators_tabtip.yml index 2672ae2db..3ad2ff0ad 100644 --- a/rules/windows/builtin/system/win_system_lpe_indicators_tabtip.yml +++ b/rules/windows/builtin/system/win_system_lpe_indicators_tabtip.yml @@ -6,6 +6,7 @@ references: - https://github.com/antonioCoco/JuicyPotatoNG author: Florian Roth date: 2022/10/07 +modified: 2022/12/04 tags: - attack.execution - attack.t1557.001 
@@ -16,7 +17,7 @@ detection: selection: EventID: 10001 param1: 'C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe' # is the Binary starting/started - param2: '2147943140' # is ERROR id + param2: 2147943140 # is ERROR id param3: '{054AAE20-4BEA-4347-8A35-64A533254A9D}' # is DCOM Server condition: selection falsepositives: diff --git a/rules/windows/builtin/system/win_system_system_service_installation_by_unusal_client.yml b/rules/windows/builtin/system/win_system_system_service_installation_by_unusal_client.yml index cfd318f9a..d5d3b1ff0 100644 --- a/rules/windows/builtin/system/win_system_system_service_installation_by_unusal_client.yml +++ b/rules/windows/builtin/system/win_system_system_service_installation_by_unusal_client.yml @@ -9,6 +9,7 @@ references: - https://www.elastic.co/guide/en/security/current/windows-service-installed-via-an-unusual-client.html author: Tim Rauch date: 2022/09/15 +modified: 2022/12/04 tags: - attack.privilege_escalation - attack.t1543 @@ -19,7 +20,7 @@ detection: selection: Provider_Name: 'Service Control Manager' EventID: 7045 - ProcessId: '0' + ProcessId: 0 condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_susp_wermgr.yml b/rules/windows/process_creation/proc_creation_win_susp_wermgr.yml index c82b820ef..0b0bee2dd 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_wermgr.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_wermgr.yml @@ -1,5 +1,5 @@ title: Suspicious WERMGR Process Patterns -id: CBEC226F-63D9-4ECA-9F52-DFB6652F24DF +id: 396f6630-f3ac-44e3-bfc8-1b161bc00c4e status: experimental description: Detects suspicious Windows Error Reporting manager (wermgr.exe) process patterns - suspicious parents / children, execution folders, command lines etc. references: 
@@ -7,6 +7,7 @@ references: - https://www.echotrail.io/insights/search/wermgr.exe author: Florian Roth date: 2022/10/14 +modified: 2022/12/04 logsource: category: process_creation product: windows From e343d016e9d6a62cd56ee08d04de8efe3e78f62f Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Mon, 5 Dec 2022 00:31:51 +0100 Subject: [PATCH 059/303] feat: change check to lower --- tests/test_rules.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/test_rules.py b/tests/test_rules.py index 407a30624..5d88c97e9 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py @@ -336,12 +336,12 @@ class TestRules(unittest.TestCase): print( Fore.YELLOW + "Rule {} has a malformed 'id' (not 36 chars).".format(file)) faulty_rules.append(file) - elif id in dict_id.keys(): + elif id.lower() in dict_id.keys(): print( Fore.YELLOW + "Rule {} has the same 'id' than {} must be unique.".format(file, dict_id[id])) faulty_rules.append(file) else: - dict_id[id] = file + dict_id[id.lower()] = file self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with missing or malformed 'id' fields. Create an id (e.g. here: https://www.uuidgenerator.net/version4) and add it to the reported rule(s).") From 122cb47d71f0a5e7ab31c56a5336960ae3537b61 Mon Sep 17 00:00:00 2001 From: gs3cl <89155053+gs3cl@users.noreply.github.com> Date: Mon, 5 Dec 2022 10:39:58 +0100 Subject: [PATCH 060/303] Gs3cl patch 1 (#3753) --- ...e_event_win_powershell_exploit_scripts.yml | 12 ++++++++++-- .../posh_ps_malicious_commandlets.yml | 19 ++++++++++++------- 2 files changed, 22 insertions(+), 9 deletions(-) diff --git a/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml b/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml index acbf6fb28..ea8c16054 100644 --- a/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml 
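Review bot: The duplicate-id branch still indexes `dict_id[id]` while the dictionary is now keyed by `id.lower()`, so the first mixed-case duplicate raises KeyError inside the message formatting instead of reporting the conflicting file; change it to `dict_id[id.lower()]`, or bind `id_lower = id.lower()` once and use it in all three places. The `.keys()` on the membership test is redundant, `id.lower() in dict_id` reads better. The enclosing test method starts and ends outside the hunk.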
+++ b/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml @@ -15,9 +15,11 @@ references: - https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1 - https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1 - https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1 -author: Markus Neis, Nasreddine Bencherchali, Mustafa Kaan Demir + - https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec + - https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec +author: Markus Neis, Nasreddine Bencherchali, Mustafa Kaan Demir, Georg Lauenstein date: 2018/04/07 -modified: 2022/10/28 +modified: 2022/12/04 tags: - attack.execution - attack.t1059.001 @@ -145,12 +147,15 @@ detection: - '\Invoke-Get-RBCD-Threaded.ps1' - '\Invoke-Gopher.ps1' - '\Invoke-Grouper2.ps1' + - '\Invoke-Grouper3.ps1' - '\Invoke-HandleKatz.ps1' - '\Invoke-Internalmonologue.ps1' + - '\Invoke-KrbRelay.ps1' - '\Invoke-KrbRelayUp.ps1' - '\Invoke-LdapSignCheck.ps1' - '\Invoke-Lockless.ps1' - '\Invoke-MITM6.ps1' + - '\Invoke-MalSCCM.ps1' - '\Invoke-NanoDump.ps1' - '\Invoke-OxidResolver.ps1' - '\Invoke-P0wnedshell.ps1' @@ -184,6 +189,7 @@ detection: - '\Invoke-SharpPrintNightmare.ps1' - '\Invoke-SharpPrinter.ps1' - '\Invoke-SharpRDP.ps1' + - '\Invoke-SharpSCCM.ps1' - '\Invoke-SharpSSDP.ps1' - '\Invoke-SharpSecDump.ps1' - '\Invoke-SharpSniper.ps1' @@ -191,6 +197,7 @@ detection: - '\Invoke-SharpSpray.ps1' - '\Invoke-SharpStay.ps1' - '\Invoke-SharpUp.ps1' + - '\Invoke-SharpWSUS.ps1' - '\Invoke-SharpWatson.ps1' - '\Invoke-Sharphound2.ps1' - '\Invoke-Sharphound3.ps1' 
@@ -205,6 +212,7 @@ detection: - '\Invoke-StickyNotesExtract.ps1' - '\Invoke-Thunderfox.ps1' - '\Invoke-Tokenvator.ps1' + - '\Invoke-TotalExec.ps1' - '\Invoke-UrbanBishop.ps1' - '\Invoke-Whisker.ps1' - '\Invoke-WireTap.ps1' diff --git a/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml index acb76e795..91ccf529d 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml @@ -9,9 +9,11 @@ references: - https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1 - https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/6f23bb41f9675d7e2d32bacccff75e931ae00554/OfficeMemScraper.ps1 - https://github.com/dafthack/DomainPasswordSpray/blob/b13d64a5834694aa73fd2aea9911a83027c465a7/DomainPasswordSpray.ps1 -author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update), Nasreddine Bencherchali (update), Tim Shelton (fp), Mustafa Kaan Demir (update) + - https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec + - https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec +author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update), Nasreddine Bencherchali (update), Tim Shelton (fp), Mustafa Kaan Demir (update), Georg Lauenstein (update) date: 2017/03/05 -modified: 2022/10/28 +modified: 2022/12/04 tags: - attack.execution - attack.t1059.001 
@@ -128,13 +130,14 @@ detection: - 'Invoke-Farmer' - 'Invoke-Get-RBCD-Threaded' - 'Invoke-Gopher' - - 'Invoke-Grouper2' + - 'Invoke-Grouper' # cover Invoke-GrouperX - 'Invoke-HandleKatz' - 'Invoke-Internalmonologue' - - 'Invoke-KrbRelayUp' + - 'Invoke-KrbRelay' - 'Invoke-LdapSignCheck' - 'Invoke-Lockless' - 'Invoke-MITM6' + - 'Invoke-MalSCCM' - 'Invoke-NanoDump' - 'Invoke-OxidResolver' - 'Invoke-P0wnedshell' @@ -144,6 +147,7 @@ detection: - 'Invoke-SafetyKatz' - 'Invoke-SauronEye' - 'Invoke-Seatbelt' + - 'Invoke-ShadowSpray' - 'Invoke-SharPersist' - 'Invoke-SharpAllowedToAct' - 'Invoke-SharpBlock' @@ -157,7 +161,6 @@ detection: - 'Invoke-SharpGPOAbuse' - 'Invoke-SharpHandler' - 'Invoke-SharpHide' - - 'Invoke-SharpHound4' - 'Invoke-SharpImpersonation' - 'Invoke-SharpImpersonationNoSpace' - 'Invoke-SharpKatz' @@ -167,6 +170,7 @@ detection: - 'Invoke-SharpPrintNightmare' - 'Invoke-SharpPrinter' - 'Invoke-SharpRDP' + - 'Invoke-SharpSCCM' - 'Invoke-SharpSSDP' - 'Invoke-SharpSecDump' - 'Invoke-SharpSniper' @@ -174,9 +178,9 @@ detection: - 'Invoke-SharpSpray' - 'Invoke-SharpStay' - 'Invoke-SharpUp' + - 'Invoke-SharpWSUS' - 'Invoke-SharpWatson' - - 'Invoke-Sharphound2' - - 'Invoke-Sharphound3' + - 'Invoke-Sharphound' # cover Invoke-SharpHound2, Invoke-SharpHound3,. - 'Invoke-Sharplocker' - 'Invoke-Sharpshares' - 'Invoke-Sharpview' @@ -185,6 +189,7 @@ detection: - 'Invoke-Spoolsample' - 'Invoke-StandIn' - 'Invoke-StickyNotesExtract' + - 'Invoke-TotalExec' - 'Invoke-Thunderfox' - 'Invoke-Tokenvator' - 'Invoke-UrbanBishop' From 3bcce887866bddf7c053a2f130906a4586bb4108 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Mon, 5 Dec 2022 12:18:14 +0100 Subject: [PATCH 061/303] fix: fix issue #3742 --- ..._creation_win_creation_mavinject_process_injection.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) 
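Review bot: The comment on the `Invoke-Sharphound` entry ends with a stray `,.`, and collapsing `Invoke-SharpHound2/3/4` into one prefix only works because this list is a substring match whose modifier line is outside the hunk — state it: `- 'Invoke-Sharphound' # substring match: covers Invoke-SharpHound2, 3 and 4`. `Invoke-TotalExec` is inserted between `Invoke-StickyNotesExtract` and `Invoke-Thunderfox`, which breaks the alphabetical order the rest of the list keeps (the file_event rule in the earlier hunks places it after `Invoke-Tokenvator`). In that file_event rule both `\Invoke-KrbRelay.ps1` and `\Invoke-KrbRelayUp.ps1` are listed; if its modifier is also `contains`, the shorter entry already covers the longer one.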
diff --git a/rules/windows/process_creation/proc_creation_win_creation_mavinject_process_injection.yml b/rules/windows/process_creation/proc_creation_win_creation_mavinject_process_injection.yml
index 1754f8f63..b42c2bcfa 100644
--- a/rules/windows/process_creation/proc_creation_win_creation_mavinject_process_injection.yml
+++ b/rules/windows/process_creation/proc_creation_win_creation_mavinject_process_injection.yml
@@ -12,9 +12,11 @@ references:
 - https://twitter.com/gN3mes1s/status/941315826107510784
 - https://reaqta.com/2017/12/mavinject-microsoft-injector/
 - https://twitter.com/Hexacorn/status/776122138063409152 # Deleted tweet
+ - https://github.com/SigmaHQ/sigma/issues/3742
+ - https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection
 author: frack113, Florian Roth
 date: 2021/07/12
-modified: 2022/09/07
+modified: 2022/12/05
 tags:
 - attack.defense_evasion
 - attack.privilege_escalation
@@ -26,6 +28,8 @@ logsource:
 detection:
 selection_flag:
 CommandLine|contains: ' /INJECTRUNNING '
+ filter_parent:
+ ParentImage: 'C:\Windows\System32\AppVClient.exe' # This parent is the expected process to launch "mavinject"
 selection_renamed:
 OriginalFileName:
 - 'mavinject32.exe'
@@ -34,7 +38,7 @@ detection:
 Image|endswith:
 - '\mavinject32.exe'
 - '\mavinject64.exe'
- condition: selection_flag or (selection_renamed and not filter_renamed)
+ condition: (selection_flag and not filter_parent) or (selection_renamed and not filter_renamed)
 fields:
 - ComputerName
 - User
From d50739ed3e8d3d6f917c0e201ead299b0abc19b1 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Mon, 5 Dec 2022 12:18:51 +0100 Subject: [PATCH 062/303] fix: rename rule for lolbin convention --- ...l => proc_creation_win_lolbin_mavinject_process_injection.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/windows/process_creation/{proc_creation_win_creation_mavinject_process_injection.yml => proc_creation_win_lolbin_mavinject_process_injection.yml} (100%) diff --git a/rules/windows/process_creation/proc_creation_win_creation_mavinject_process_injection.yml b/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml similarity index 100% rename from rules/windows/process_creation/proc_creation_win_creation_mavinject_process_injection.yml rename to rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml From f81a960044060d7e533a5fdd541895a5b69ddbaa Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Mon, 5 Dec 2022 12:23:48 +0100 Subject: [PATCH 063/303] fix: split mavinject rule --- ...win_lolbin_mavinject_process_injection.yml | 23 +++--------- .../proc_creation_win_renamed_mavinject.yml | 36 +++++++++++++++++++ 2 files changed, 41 insertions(+), 18 deletions(-) create mode 100644 rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml b/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml index b42c2bcfa..2229928fb 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml 
@@ -4,7 +4,7 @@ related:
 - id: 17eb8e57-9983-420d-ad8a-2c4976c22eb8
 type: obsoletes
 status: experimental
-description: Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag or a renamed execution of the tool
+description: Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md
@@ -26,24 +26,11 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection_flag:
+ selection:
 CommandLine|contains: ' /INJECTRUNNING '
- filter_parent:
+ filter:
 ParentImage: 'C:\Windows\System32\AppVClient.exe' # This parent is the expected process to launch "mavinject"
- selection_renamed:
- OriginalFileName:
- - 'mavinject32.exe'
- - 'mavinject64.exe'
- filter_renamed:
- Image|endswith:
- - '\mavinject32.exe'
- - '\mavinject64.exe'
- condition: (selection_flag and not filter_parent) or (selection_renamed and not filter_renamed)
-fields:
- - ComputerName
- - User
- - CommandLine
- - ParentCommandLine
+ condition: selection and not filter
 falsepositives:
- - Unlikely
+ - Unknown
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml b/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml
new file mode 100644
index 000000000..cc6c21e46
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml
@@ -0,0 +1,36 @@ +title: Rename Mavinject Execution +id: e6474a1b-5390-49cd-ab41-8d88655f7394 +status: experimental +description: Detects execution of a renamed version of the "Mavinject" process. Which can be abused to perform process injection using the "/INJECTRUNNING" flag +references: + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md + - https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e + - https://twitter.com/gN3mes1s/status/941315826107510784 + - https://reaqta.com/2017/12/mavinject-microsoft-injector/ + - https://twitter.com/Hexacorn/status/776122138063409152 # Deleted tweet + - https://github.com/SigmaHQ/sigma/issues/3742 + - https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection +author: frack113, Florian Roth +date: 2022/12/05 +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1055.001 + - attack.t1218.013 +logsource: + category: process_creation + product: windows +detection: + selection: + OriginalFileName: + - 'mavinject32.exe' + - 'mavinject64.exe' + filter: + Image|endswith: + - '\mavinject32.exe' + - '\mavinject64.exe' + condition: selection and not filter +falsepositives: + - Unlikely +level: high From 1796502b900add5b1acf124d9c20deb23d173637 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 5 Dec 2022 17:39:42 +0100 Subject: [PATCH 064/303] fix: FPs noticed in Nextron testing CI --- .../win_codeintegrity_attempted_dll_load.yml | 8 ++------ .../create_stream_hash_susp_ip_domains.yml | 19 +++++-------------- ...proc_access_win_cred_dump_lsass_access.yml | 4 +++- .../registry_set_windows_defender_tamper.yml | 7 ++++++- 4 files changed, 16 insertions(+), 22 deletions(-) 
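Review bot: The new rule inherits the references and authors of the rule it was split from but carries no `related:` link back to it, while the sibling `proc_creation_win_lolbin_mavinject_process_injection.yml` keeps its `obsoletes` entry; add `related: - id: <id of proc_creation_win_lolbin_mavinject_process_injection.yml>` / `type: derived` so the split stays traceable. The title `Rename Mavinject Execution` should read `Renamed Mavinject Execution`, and the description's second sentence is a fragment: `Detects execution of a renamed version of the "Mavinject" process, which can be abused to perform process injection using the "/INJECTRUNNING" flag`. A one-line comment on `filter:` saying that the two original file names are excluded wherever they sit would make the `OriginalFileName` vs `Image|endswith` pairing self-explanatory.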
diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml index 0ce0c383d..430b3738a 100644 --- a/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml +++ b/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml @@ -7,7 +7,7 @@ references: - https://twitter.com/SBousseaden/status/1483810148602814466 - https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log date: 2022/01/20 -modified: 2022/11/07 +modified: 2022/12/05 tags: - attack.execution logsource: @@ -71,10 +71,6 @@ detection: FileNameBuffer|endswith: - '\Program Files\Avast Software\Avast\aswAMSI.dll' - '\Program Files (x86)\Avast Software\Avast\aswAMSI.dll' - ProcessNameBuffer|endswith: - - '\Windows\System32\SIHClient.exe' - - '\Windows\System32\svchost.exe' - - '\Windows Defender\MpCmdRun.exe' RequestedPolicy: - 8 - 12 @@ -90,5 +86,5 @@ detection: ValidatedPolicy: 2 condition: selection and not 1 of filter_* falsepositives: - - Unknown + - Antivirus products level: high diff --git a/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml b/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml index e173ec41c..c8d2af60c 100644 --- a/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml +++ b/rules/windows/create_stream_hash/create_stream_hash_susp_ip_domains.yml 
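Review bot: Dropping the `ProcessNameBuffer` list turns this filter into a path-only exclusion, so the Avast AMSI provider is now ignored for any loading process rather than the three that were listed, with `RequestedPolicy` and `ValidatedPolicy` as the only remaining constraints. Because `FileNameBuffer|endswith` is pinned to absolute paths under Program Files that is probably acceptable, but the reasoning belongs in the rule: `# Avast's AMSI provider is loaded by many processes; the DLL path alone is sufficient here`. The filter block's name is outside the hunk.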
@@ -4,8 +4,9 @@ status: experimental description: Detects the download of suspicious file type from URLs with IP references: - https://github.com/trustedsec/SysmonCommunityGuide/blob/adcdfee20999f422b974c8d4149bf4c361237db7/chapters/file-stream-creation-hash.md -author: Nasreddine Bencherchali +author: Nasreddine Bencherchali, Florian Roth date: 2022/09/07 +modified: 2022/12/05 tags: - attack.defense_evasion - attack.t1564.004 @@ -13,18 +14,8 @@ logsource: product: windows category: create_stream_hash detection: - selection_domain: - Contents|contains: - - '://1' - - '://2' - - '://3' - - '://4' - - '://5' - - '://6' - - '://7' - - '://8' - - '://9' - selection_extension: + selection: + Contents|re: 'http[s]?://[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' TargetFilename|contains: - '.ps1:Zone' - '.bat:Zone' @@ -32,7 +23,7 @@ detection: - '.vbe:Zone' - '.vbs:Zone' - '.dll:Zone' - condition: all of selection* + condition: selection falsepositives: - Unknown level: high diff --git a/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml b/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml index 68cdb7742..610234168 100755 --- a/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml +++ b/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml @@ -69,7 +69,9 @@ detection: SourceImage|endswith: '\vmtoolsd.exe' filter6: SourceImage: 'C:\WINDOWS\system32\svchost.exe' - GrantedAccess: '0x100000' + GrantedAccess: + - '0x100000' + - '0x1410' filter7: SourceImage: - 'C:\WINDOWS\system32\wbem\wmiprvse.exe' diff --git a/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml b/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml index 887e5ad1a..f84e93c9b 100644 --- a/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml +++ b/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml 
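Review bot: The new `Contents|re` pattern is unanchored and accepts any four dot-separated digit groups, so besides dotted-quad hosts it also matches values such as `http://1.2.3.4.example.com` (constructed), and `http[s]?` is more idiomatically `https?`; record the trade-off against the removed `://1`..`://9` prefix list in a comment on the line. The `re` modifier is not supported by every Sigma backend, so consumers who converted the old `contains` form may lose the rule on conversion — worth a mention in the description. With both criteria now inside one `selection` the AND semantics of the old `all of selection*` condition are preserved, so the `condition: selection` change is correct.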
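Review bot: `0x1410` (PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_QUERY_INFORMATION | PROCESS_VM_READ) is exactly the access mask used to read LSASS memory, and `filter6` now whitelists it for anything whose `SourceImage` is `C:\WINDOWS\system32\svchost.exe` with no further constraint, so a service host on that path that is hijacked or masquerading becomes invisible to this rule. If a specific service produced the false positives seen in CI, name it in a comment, `- '0x1410' # <service that required it — fill in>`, and consider narrowing the filter with the `CallTrace` field if the log source provides it. The rest of `filter6` and the neighbouring filters are outside the hunk.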
@@ -14,6 +14,7 @@ references: - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker author: AlertIQ, Ján Trenčanský, frack113, Nasreddine Bencherchali date: 2022/08/01 +modified: 2022/12/05 tags: - attack.defense_evasion - attack.t1562.001 @@ -42,7 +43,11 @@ detection: - '\SpyNet\SubmitSamplesConsent' - '\MpEngine\MpEnablePus' Details: 'DWORD (0x00000000)' - condition: root and 1 of selection_* + filter_msmpeng: + Image|contains|all: + - 'C:\ProgramData\Microsoft\Windows Defender\platform\' + - '\MsMpEng.exe' + condition: ( root and 1 of selection_* ) and not 1 of filter* falsepositives: - Administrator actions level: high From 2b769fcfc861ddf1c1c97828c26836e9b5285843 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 5 Dec 2022 19:58:10 +0100 Subject: [PATCH 065/303] fix: missing modified date update --- .../process_access/proc_access_win_cred_dump_lsass_access.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml b/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml index 610234168..819c68f88 100755 --- a/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml +++ b/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml @@ -9,7 +9,7 @@ references: - http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community (update) date: 2017/02/16 -modified: 2022/11/13 +modified: 2022/12/05 tags: - attack.credential_access - attack.t1003.001 From dbf114e7cb395b2b506fb0e7404efebc1819aa26 Mon Sep 17 00:00:00 2001 
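Review bot: `Image|contains|all` only requires the two fragments to appear somewhere in the path, so `C:\ProgramData\Microsoft\Windows Defender\platform\<any subfolder>\MsMpEng.exe` and any path that merely embeds both substrings passes the filter; `Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\platform\'` together with `Image|endswith: '\MsMpEng.exe'` expresses the intent more tightly in the same two lines. The new condition excludes `1 of filter*`, which silently picks up any future `filter_` block; `not filter_msmpeng` would be the explicit form. The `root` and `selection_` blocks are outside the hunk.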
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Mon, 5 Dec 2022 23:52:11 +0100 Subject: [PATCH 066/303] feat: add rules related to scheduled tasks --- .../win_security_disable_event_logging.yml | 4 +- ..._security_susp_scheduled_task_creation.yml | 60 +++++++++++++++++++ ...in_security_susp_scheduled_task_delete.yml | 41 +++++++++++++ ...in_security_susp_scheduled_task_update.yml | 60 +++++++++++++++++++ .../win_rare_schtask_creation.yml | 1 + ...win_task_scheduler_susp_task_locations.yml | 35 +++++++++++ ...proc_creation_win_susp_schtasks_delete.yml | 2 +- 7 files changed, 200 insertions(+), 3 deletions(-) create mode 100644 rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml create mode 100644 rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml create mode 100644 rules/windows/builtin/security/win_security_susp_scheduled_task_update.yml create mode 100644 rules/windows/builtin/taskscheduler/win_task_scheduler_susp_task_locations.yml diff --git a/rules/windows/builtin/security/win_security_disable_event_logging.yml b/rules/windows/builtin/security/win_security_disable_event_logging.yml index f088c7d46..6b3e4985b 100644 --- a/rules/windows/builtin/security/win_security_disable_event_logging.yml +++ b/rules/windows/builtin/security/win_security_disable_event_logging.yml 
@@ -7,7 +7,7 @@ description: | Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc". Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways. references: - - https://bit.ly/WinLogsZero2Hero + - https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit author: '@neu5ron' date: 2017/11/19 modified: 2021/11/27 @@ -23,7 +23,7 @@ detection: EventID: 4719 AuditPolicyChanges|contains: - '%%8448' # This is "Success removed" - - '%%8450' # This is "Failure removed" + - '%%8450' # This is "Failure removed" condition: selection falsepositives: - Unknown diff --git a/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml b/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml new file mode 100644 index 000000000..9678fc815 --- /dev/null +++ b/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml 
@@ -0,0 +1,60 @@ +title: Suspicious Scheduled Task Creation +id: 3a734d25-df5c-4b99-8034-af1ddb5883a4 +status: experimental +description: Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags...etc +references: + - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698 +author: Nasreddine Bencherchali +date: 2022/12/05 +tags: + - attack.execution + - attack.privilege_escalation + - attack.persistence + - attack.t1053.005 +logsource: + product: windows + service: security + definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.' +detection: + selection: + EventID: 4698 + selection_paths: + TaskContent|contains: + - '\AppData\Local\Temp\' + - '\AppData\Roaming\' + - '\Users\Public\' + - '\WINDOWS\Temp\' + - 'C:\Temp\' + - '\Desktop\' + - '\Downloads\' + - '\Temporary Internet' + - 'C:\ProgramData\' + - 'C:\Perflogs\' + selection_commands: + TaskContent|contains: + - 'regsvr32' + - 'rundll32' + - 'cmd.exe' + - 'cmd' + - '/c ' + - '/k ' + - '/r ' + - 'powershell' + - 'pwsh' + - 'mshta' + - 'wscript' + - 'cscript' + - 'certutil' + - 'bitsadmin' + - 'bash.exe' + - 'bash ' + - 'scrcons' + - 'wmic ' + - 'wmic.exe' + - 'forfiles' + - 'scriptrunner' + - 'hh.exe' + condition: all of selection_* +falsepositives: + - Unknown +level: high diff --git a/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml b/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml new file mode 100644 index 000000000..b19494759 --- /dev/null +++ b/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml 
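Review bot: In `selection_commands` the bare `'cmd'` subsumes `'cmd.exe'` (any content containing the latter also contains the former) and, together with `'/c '`, `'/k '`, `'/r '` and `'bash '`, matches far more than the intended binaries; combined with `'C:\ProgramData\'` in `selection_paths`, where many vendors' updaters install their task actions, the rule will fire at `level: high` on ordinary software. Drop the redundant `'cmd'` or document the intent, e.g. `- 'cmd' # also catches bare "cmd" invocations; expect FPs under ProgramData`, and say in `falsepositives` that software updaters scheduled under ProgramData are expected. The identical list is repeated verbatim in `win_security_susp_scheduled_task_update.yml` further down, where the same applies. The `definition` text also promises a `Command` field extracted from the XML while the rule matches on raw `TaskContent`; align the two.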
@@ -0,0 +1,41 @@ +title: Important Scheduled Task Deleted/Disabled +id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad +related: + - id: dbc1f800-0fe0-4bc0-9c66-292c2abe3f78 + type: similar + - id: 9ac94dc8-9042-493c-ba45-3b5e7c86b980 + type: similar +status: experimental +description: Detects when adversaries stop services or processes by deleting or disabling their respective schdueled tasks in order to conduct data destructive activities +references: + - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699 + - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701 +author: Nasreddine Bencherchali +date: 2022/12/05 +tags: + - attack.execution + - attack.privilege_escalation + - attack.persistence + - attack.t1053.005 +logsource: + product: windows + service: security + definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.' +detection: + selection: + EventID: + - 4699 # Task Deleted Event + - 4701 # Task Disabled Event + TaskName|contains: + # Add more important tasks> + - '\Windows\SystemRestore\SR' + - '\Windows\Windows Defender\' + - '\Windows\BitLocker' + - '\Windows\WindowsBackup\' + - '\Windows\WindowsUpdate\' + - '\Windows\UpdateOrchestrator\' + - '\Windows\ExploitGuard' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/builtin/security/win_security_susp_scheduled_task_update.yml b/rules/windows/builtin/security/win_security_susp_scheduled_task_update.yml new file mode 100644 index 000000000..6c487bf1b --- /dev/null +++ b/rules/windows/builtin/security/win_security_susp_scheduled_task_update.yml 
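Review bot: The description has a typo, `schdueled` → `scheduled`, and the comment `# Add more important tasks>` carries a stray `>`. `'\Windows\BitLocker'` and `'\Windows\ExploitGuard'` lack the trailing backslash the other `TaskName|contains` entries have, presumably to cover both task folders and bare task names under those prefixes — a short comment would save the next reader the question.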
@@ -0,0 +1,60 @@ +title: Suspicious Scheduled Task Update +id: 614cf376-6651-47c4-9dcc-6b9527f749f4 +status: experimental +description: Detects update to a scheduled task event that contain suspicious keywords. +references: + - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698 +author: Nasreddine Bencherchali +date: 2022/12/05 +tags: + - attack.execution + - attack.privilege_escalation + - attack.persistence + - attack.t1053.005 +logsource: + product: windows + service: security + definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.' +detection: + selection_eid: + EventID: 4702 + selection_paths: + TaskContentNew|contains: + - '\AppData\Local\Temp\' + - '\AppData\Roaming\' + - '\Users\Public\' + - '\WINDOWS\Temp\' + - 'C:\Temp\' + - '\Desktop\' + - '\Downloads\' + - '\Temporary Internet' + - 'C:\ProgramData\' + - 'C:\Perflogs\' + selection_commands: + TaskContentNew|contains: + - 'regsvr32' + - 'rundll32' + - 'cmd.exe' + - 'cmd' + - '/c ' + - '/k ' + - '/r ' + - 'powershell' + - 'pwsh' + - 'mshta' + - 'wscript' + - 'cscript' + - 'certutil' + - 'bitsadmin' + - 'bash.exe' + - 'bash ' + - 'scrcons' + - 'wmic ' + - 'wmic.exe' + - 'forfiles' + - 'scriptrunner' + - 'hh.exe' + condition: all of selection_* +falsepositives: + - Unknown +level: high diff --git a/rules/windows/builtin/taskscheduler/win_rare_schtask_creation.yml b/rules/windows/builtin/taskscheduler/win_rare_schtask_creation.yml index a3e475175..c614618fc 100644 --- a/rules/windows/builtin/taskscheduler/win_rare_schtask_creation.yml +++ b/rules/windows/builtin/taskscheduler/win_rare_schtask_creation.yml 
@@ -12,6 +12,7 @@ tags:
 logsource:
 product: windows
 service: taskscheduler
+ definition: the "Microsoft-Windows-TaskScheduler/Operational" is disabled by default and should be enabled in order for this detection to work
 detection:
 selection:
 EventID: 106
diff --git a/rules/windows/builtin/taskscheduler/win_task_scheduler_susp_task_locations.yml b/rules/windows/builtin/taskscheduler/win_task_scheduler_susp_task_locations.yml
new file mode 100644
index 000000000..57ef589c5
--- /dev/null
+++ b/rules/windows/builtin/taskscheduler/win_task_scheduler_susp_task_locations.yml
@@ -0,0 +1,35 @@
+title: Suspicious Scheduled Tasks Locations
+id: 424273ea-7cf8-43a6-b712-375f925e481f
+status: test
+description: Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task
+author: Nasreddine Bencherchali
+date: 2022/12/05
+tags:
+ - attack.persistence
+ - attack.t1053.005
+logsource:
+ product: windows
+ service: taskscheduler
+ definition: 'Requirements: The "Microsoft-Windows-TaskScheduler/Operational" is disabled by default and needs to be enabled in order for this detection to trigger'
+detection:
+ selection:
+ EventID: 129 # Created Task Process
+ Path|contains:
+ - 'C:\Windows\Temp\'
+ - '\AppData\Local\Temp\'
+ - '\Desktop\'
+ - '\Downloads\'
+ - '\Users\Public\'
+ - 'C:\Temp\'
+ # Add more suspicious LOLBINs below
+ - 'C:\Windows\System32\calc.exe'
+ - 'C:\Windows\System32\regsvr32.exe'
+ - 'C:\Windows\System32\rundll32.exe'
+ # If you experience FP. Uncomment the filter below and add the specific TaskName with the Program to it
+ #filter:
+ # TaskName: '\Exact\Task\Name'
+ # Path: 'Exact\Path'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml b/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml
index 84bb696c4..18bf23836 100644
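Review bot: The added `definition` is an unquoted plain scalar starting with lower-case "the", while the sibling rule added in this same series quotes its definition and phrases it as a requirement; for consistency write `definition: 'Requirements: The "Microsoft-Windows-TaskScheduler/Operational" log is disabled by default and must be enabled in order for this detection to work'`. The plain scalar parses today because `"` and `/` are harmless mid-value, but quoting keeps it safe if a `: ` or ` #` is ever added to the sentence. The rule's header (and whether `modified:` was bumped) is outside the hunk.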
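Review bot: `Path|contains` is fed absolute `C:\Windows\System32\...` values for the three binaries, so the same programs started from another system directory or a non-`C:` system drive are not matched even though the `# Add more suspicious LOLBINs` comment describes the intent as "unusual program"; an `endswith` list (`'\regsvr32.exe'`, `'\rundll32.exe'`, `'\calc.exe'`) in its own selection would express that without depending on the drive letter. `description` has the typo `unusale` → `unusual`. The filter hint should be one sentence: `# If you experience false positives, uncomment the filter below and add the specific TaskName and Path to it`. The same file is re-added in the PATCH 074 squash below with only `status` changed.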
--- a/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml
@@ -4,7 +4,7 @@ related:
 - id: 9ac94dc8-9042-493c-ba45-3b5e7c86b980
 type: derived
 status: experimental
-description: Detects when adversaries stop services or processes by disabling their respective schdueled tasks in order to conduct data destructive activities
+description: Detects when adversaries stop services or processes by deleting their respective schdueled tasks in order to conduct data destructive activities
 references:
 - Internal Research
 author: Nasreddine Bencherchali
From 4184d05e8074361fa06a73c0e2080772cb771bc1 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 6 Dec 2022 00:16:09 +0100
Subject: [PATCH 067/303] fix: escape special "?" character
---
 .../process_creation/proc_creation_win_susp_conhost.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_susp_conhost.yml b/rules/windows/process_creation/proc_creation_win_susp_conhost.yml
index 74aca0737..11935cf0d 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_conhost.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_conhost.yml
@@ -46,8 +46,9 @@ detection:
 Image: 'C:\Windows\System32\conhost.exe'
 filter_image_conhost2:
 ParentCommandLine:
- - '\??\C:\WINDOWS\system32\conhost.exe 0x4'
- - '\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1'
+ # The "?" needs to be escaped as they considered special characters in SIGMA (https://github.com/SigmaHQ/sigma-specification)
+ - '\\?\?\C:\WINDOWS\system32\conhost.exe 0x4'
+ - '\\?\?\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1'
 Image: 'C:\Windows\System32\conhost.exe'
 filter_image_git:
 ParentCommandLine: '\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1'
From 72bba4c8224280677105a77fd1c72a370e0119f0 Mon Sep 17 00:00:00 2001
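Review bot: The rewritten `description` line still carries the typo `schdueled`; since the line is being changed anyway, fix it in the same edit: `description: Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities`. The identical hunk recurs in the PATCH 074 squash below.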
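Review bot: The escaping is applied only to `filter_image_conhost2`; the `filter_image_git` context line directly below still holds the unescaped `'\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1'`, where each `?` is a single-character wildcard under the Sigma spec, so that filter is looser than intended and now inconsistent with the lines above it — apply the same escaping there. The comment also has a grammar slip: `# The "?" characters need to be escaped as they are considered special characters in Sigma (https://github.com/SigmaHQ/sigma-specification)`. PATCH 071 and the PATCH 074 squash re-touch these two values but leave `filter_image_git` unchanged as well.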
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 6 Dec 2022 00:37:07 +0100
Subject: [PATCH 068/303] fix: update rule to be more generic
---
 .../registry_event_persistence_recycle_bin.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml b/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml
index c60319ecb..337c3cd4e 100644
--- a/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml
+++ b/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml
@@ -4,8 +4,11 @@ status: experimental
 description: Detects persistence registry keys for Recycle Bin
 references:
 - https://github.com/vxunderground/VXUG-Papers/blob/751edb8d50f95bd7baa730adf2c6c3bb1b034276/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf
+ - https://persistence-info.github.io/Data/recyclebin.html
+ - https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/
 author: frack113
 date: 2021/11/18
+modified: 2022/12/06
 tags:
 - attack.persistence
 - attack.t1547
@@ -15,10 +18,10 @@ logsource:
 detection:
 selection_create:
 EventType: RenameKey
- NewName: HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open
+ NewName|contains: '\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open'
 selection_set:
 EventType: SetValue
- TargetObject: HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command\(Default)
+ TargetObject|contains: '\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command\(Default)'
 condition: 1 of selection_*
 falsepositives:
 - Unknown
From c541d52d44c77595d423fe92dca4fc9a41f4e68c Mon Sep 17 00:00:00 2001
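Review bot: The two `|contains` values embed the CLSID with no explanation; a one-line comment above `selection_create` saves the next reader a lookup: `# {645FF040-5081-101B-9F08-00AA002F954E} is the Recycle Bin shell folder CLSID`. Dropping the `HKCR\` prefix is what makes the rule "more generic" (it now fires on the same key path under any hive or user class root), and the `description` should say so rather than staying at one line: `description: Detects persistence registry keys for the Recycle Bin CLSID, regardless of the hive they are written to`. These two hunks are repeated verbatim in the PATCH 074 squash below.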
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 6 Dec 2022 01:32:46 +0100
Subject: [PATCH 069/303] fix: update mitre tags and `OriginalFileName`
---
 .../proc_creation_win_lolbin_wlrmdr.yml | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml b/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml
index 3fbfaedfd..f8610ea4c 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml
@@ -6,15 +6,18 @@ references:
 - https://twitter.com/0gtweet/status/1493963591745220608?s=20&t=xUg9DsZhJy1q9bPTUWgeIQ
 author: frack113
 date: 2022/02/16
-modified: 2022/11/09
+modified: 2022/12/06
 tags:
 - attack.defense_evasion
+ - attack.t1218
 logsource:
 category: process_creation
 product: windows
 detection:
- selection:
- Image|endswith: '\wlrmdr.exe'
+ selection_img:
+ - Image|endswith: '\wlrmdr.exe'
+ - OriginalFileName: 'WLRMNDR.EXE'
+ selection_cli:
 CommandLine|contains|all:
 - '-s '
 - '-f '
@@ -26,7 +29,7 @@ detection:
 ParentImage: 'C:\Windows\System32\winlogon.exe'
 filter_null:
 ParentImage: '-'
- condition: selection and not 1 of filter*
+ condition: all of selection_* and not 1 of filter*
 falsepositives:
 - Unknown
 level: medium
From f673ac923575e20c2c358baa0cabf12b860806eb Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 6 Dec 2022 01:41:18 +0100
Subject: [PATCH 070/303] feat: add parent selection
---
 .../proc_creation_win_lolbin_wlrmdr.yml | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml b/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml
index f8610ea4c..9849fbac3 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml
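Review bot: `OriginalFileName: 'WLRMNDR.EXE'` differs from the on-disk name `wlrmdr.exe` on the line above (an extra `N`); if that is the PE's real OriginalFilename, say so on the line so a future maintainer does not "correct" it: `- OriginalFileName: 'WLRMNDR.EXE' # PE OriginalFilename intentionally differs from the image name`. The list-of-maps form under `selection_img` makes the two entries alternatives rather than both required, which is worth a short comment on `selection_img:` as well. The selection is renamed and extended again in PATCH 070 just below, so the comment belongs in the final form there too.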
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects use of Wlrmdr.exe in which the -u parameter is passed to ShellExecute
 references:
 - https://twitter.com/0gtweet/status/1493963591745220608?s=20&t=xUg9DsZhJy1q9bPTUWgeIQ
-author: frack113
+author: frack113, manasmbellani
 date: 2022/02/16
 modified: 2022/12/06
 tags:
@@ -14,22 +14,25 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection_img:
+ selection_child_img:
 - Image|endswith: '\wlrmdr.exe'
 - OriginalFileName: 'WLRMNDR.EXE'
- selection_cli:
+ selection_child_cli:
 CommandLine|contains|all:
+ # Note that the dash "-" can be replaced with a slash "/" (TODO: Use the "windash" modifier when it's introduced)
 - '-s '
 - '-f '
 - '-t '
 - '-m '
 - '-a '
 - '-u '
+ selection_parent: # This selection is looking for processes spawned from wlrmdr using the "-u" flag
+ ParentImage|endswith: '\wlrmdr.exe'
 filter:
 ParentImage: 'C:\Windows\System32\winlogon.exe'
 filter_null:
 ParentImage: '-'
- condition: all of selection_* and not 1 of filter*
+ condition: selection_parent or (all of selection_child_* and not 1 of filter*)
 falsepositives:
 - Unknown
 level: medium
From 96574466473d3c62eeb1dc459004658440033ad2 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 6 Dec 2022 10:53:57 +0100
Subject: [PATCH 071/303] fix: apply suggestions from code review
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
---
 .../security/win_security_susp_scheduled_task_creation.yml | 2 +-
 .../taskscheduler/win_task_scheduler_susp_task_locations.yml | 2 +-
 .../process_creation/proc_creation_win_susp_conhost.yml | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)
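Review bot: `selection_parent` matches every child process of `wlrmdr.exe` regardless of command line, while its comment claims it looks for processes spawned "using the -u flag"; because the new condition is `selection_parent or (...)`, that branch also bypasses `filter` and `filter_null`. Either narrow the parent branch — e.g. add `ParentCommandLine|contains: '-u '` beside `ParentImage|endswith` — or reword the comment to state that any child of wlrmdr.exe is treated as suspicious. The `description` ("in which the -u parameter is passed to ShellExecute") no longer covers the parent branch and should mention child processes of wlrmdr.exe. The same hunk appears squashed in PATCH 074 below.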
diff --git a/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml b/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml
index 9678fc815..0351da356 100644
--- a/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml
+++ b/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml
@@ -1,7 +1,7 @@
 title: Suspicious Scheduled Task Creation
 id: 3a734d25-df5c-4b99-8034-af1ddb5883a4
 status: experimental
-description: Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags...etc
+description: Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc.
 references:
 - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698
 author: Nasreddine Bencherchali
diff --git a/rules/windows/builtin/taskscheduler/win_task_scheduler_susp_task_locations.yml b/rules/windows/builtin/taskscheduler/win_task_scheduler_susp_task_locations.yml
index 57ef589c5..3a4008f9c 100644
--- a/rules/windows/builtin/taskscheduler/win_task_scheduler_susp_task_locations.yml
+++ b/rules/windows/builtin/taskscheduler/win_task_scheduler_susp_task_locations.yml
@@ -1,6 +1,6 @@
 title: Suspicious Scheduled Tasks Locations
 id: 424273ea-7cf8-43a6-b712-375f925e481f
-status: test
+status: experimental
 description: Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task
 author: Nasreddine Bencherchali
 date: 2022/12/05
diff --git a/rules/windows/process_creation/proc_creation_win_susp_conhost.yml b/rules/windows/process_creation/proc_creation_win_susp_conhost.yml
index 11935cf0d..9fc6350aa 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_conhost.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_conhost.yml
@@ -47,8 +47,8 @@ detection:
 filter_image_conhost2:
 ParentCommandLine:
 # The "?" needs to be escaped as they considered special characters in SIGMA (https://github.com/SigmaHQ/sigma-specification)
- - '\\?\?\C:\WINDOWS\system32\conhost.exe 0x4'
- - '\\?\?\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1'
+ - '\\\?\?\\C:\\WINDOWS\\system32\\conhost.exe 0x4'
+ - '\\\?\?\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1'
 Image: 'C:\Windows\System32\conhost.exe'
 filter_image_git:
 ParentCommandLine: '\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1'
From 1c5e4371e7f98eaa7abd690292d9f688b9f29e5e Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 6 Dec 2022 10:56:06 +0100
Subject: [PATCH 072/303] fix: add missing modified date
---
 .../windows/process_creation/proc_creation_win_susp_conhost.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_susp_conhost.yml b/rules/windows/process_creation/proc_creation_win_susp_conhost.yml
index 9fc6350aa..fe79e160d 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_conhost.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_conhost.yml
@@ -6,7 +6,7 @@ references:
 - http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/
 author: omkar72
 date: 2020/10/25
-modified: 2022/11/08
+modified: 2022/12/06
 tags:
 - attack.defense_evasion
 - attack.t1202
From 4b82b00ae95af48a4eec39efa3946fa1eaf39264 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Tue, 6 Dec 2022 12:12:43 +0100
Subject: [PATCH 073/303] Sysmoneop CMd shell (#3760)
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
---
 .../proc_creation_win_susp_cmd.yml | 35 +++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_susp_cmd.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_cmd.yml b/rules/windows/process_creation/proc_creation_win_susp_cmd.yml
new file mode 100644
index 000000000..0878576b8
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_cmd.yml
@@ -0,0 +1,35 @@
+title: Suspicious Elevated System Shell
+id: 178e615d-e666-498b-9630-9ed363038101
+status: experimental
+description: Detects when a shell program such as the windows Command Prompt or PowerShell is launched with system privileges.
+references:
+ - https://github.com/Wh04m1001/SysmonEoP
+author: frack113
+date: 2022/12/05
+tags:
+ - attack.privilege_escalation
+ - attack.defense_evasion
+ - attack.execution
+ - attack.t1059
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection_shell:
+ - Image|endswith:
+ - '\powershell.exe'
+ - '\pwsh.exe'
+ - '\cmd.exe'
+ - OriginalFileName:
+ - 'PowerShell.EXE'
+ - 'pwsh.dll'
+ - 'Cmd.Exe'
+ selection_user:
+ User|contains: # covers many language settings
+ - 'AUTHORI'
+ - 'AUTORI'
+ LogonId: '0x3e7'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: high
From 42b99b165dd8ba35ed4305d2729c24b27c4c8462 Mon Sep 17 00:00:00 2001
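Review bot: `falsepositives: Unknown` paired with `level: high` is risky for this rule: services, scheduled tasks and endpoint-management agents routinely start `cmd.exe` and `powershell.exe` as `NT AUTHORITY\SYSTEM` in the `0x3e7` logon session, so it will fire on benign activity in most estates. List those sources under `falsepositives` (and consider `medium` until the rule has been tuned against real data). `User|contains: 'AUTHORI'` on its own also matches the `LOCAL SERVICE`/`NETWORK SERVICE` accounts, which the `LogonId` clause narrows back down; a comment makes that dependency explicit: `LogonId: '0x3e7' # SYSTEM logon session; restricts the broad User match above`. The reference is a proof-of-concept repository, so the `description` could note that the rule targets the post-exploitation shell rather than the exploit itself.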
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 6 Dec 2022 12:13:20 +0100
Subject: [PATCH 074/303] feat: new rules and fixes (#3759)
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
---
 .../win_security_disable_event_logging.yml | 4 +-
 ..._security_susp_scheduled_task_creation.yml | 60 +++++++++++++++++++
 ...in_security_susp_scheduled_task_delete.yml | 41 +++++++++++++
 ...in_security_susp_scheduled_task_update.yml | 60 +++++++++++++++++++
 .../win_rare_schtask_creation.yml | 1 +
 ...win_task_scheduler_susp_task_locations.yml | 35 +++++++++++
 ...in_lolbin_mavinject_process_injection.yml} | 27 +++------
 .../proc_creation_win_lolbin_wlrmdr.yml | 16 +++-
 .../proc_creation_win_renamed_mavinject.yml | 36 +++++++++++
 .../proc_creation_win_susp_conhost.yml | 7 ++-
 ...proc_creation_win_susp_schtasks_delete.yml | 2 +-
 ...registry_event_persistence_recycle_bin.yml | 7 ++-
 12 files changed, 265 insertions(+), 31 deletions(-)
 create mode 100644 rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml
 create mode 100644 rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml
 create mode 100644 rules/windows/builtin/security/win_security_susp_scheduled_task_update.yml
 create mode 100644 rules/windows/builtin/taskscheduler/win_task_scheduler_susp_task_locations.yml
 rename rules/windows/process_creation/{proc_creation_win_creation_mavinject_process_injection.yml => proc_creation_win_lolbin_mavinject_process_injection.yml} (68%)
 create mode 100644 rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml
diff --git a/rules/windows/builtin/security/win_security_disable_event_logging.yml b/rules/windows/builtin/security/win_security_disable_event_logging.yml
index f088c7d46..6b3e4985b 100644
--- a/rules/windows/builtin/security/win_security_disable_event_logging.yml
+++ b/rules/windows/builtin/security/win_security_disable_event_logging.yml
@@ -7,7 +7,7 @@ description: |
 Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc".
 Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.
 references:
- - https://bit.ly/WinLogsZero2Hero
+ - https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit
 author: '@neu5ron'
 date: 2017/11/19
 modified: 2021/11/27
@@ -23,7 +23,7 @@ detection:
 EventID: 4719
 AuditPolicyChanges|contains:
 - '%%8448' # This is "Success removed"
- - '%%8450' # This is "Failure removed"
+ - '%%8450' # This is "Failure removed"
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml b/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml
new file mode 100644
index 000000000..0351da356
--- /dev/null
+++ b/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml
@@ -0,0 +1,60 @@
+title: Suspicious Scheduled Task Creation
+id: 3a734d25-df5c-4b99-8034-af1ddb5883a4
+status: experimental
+description: Detects suspicious scheduled task creation events. Based on attributes such as paths, commands line flags, etc.
+references:
+ - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698
+author: Nasreddine Bencherchali
+date: 2022/12/05
+tags:
+ - attack.execution
+ - attack.privilege_escalation
+ - attack.persistence
+ - attack.t1053.005
+logsource:
+ product: windows
+ service: security
+ definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.'
+detection:
+ selection:
+ EventID: 4698
+ selection_paths:
+ TaskContent|contains:
+ - '\AppData\Local\Temp\'
+ - '\AppData\Roaming\'
+ - '\Users\Public\'
+ - '\WINDOWS\Temp\'
+ - 'C:\Temp\'
+ - '\Desktop\'
+ - '\Downloads\'
+ - '\Temporary Internet'
+ - 'C:\ProgramData\'
+ - 'C:\Perflogs\'
+ selection_commands:
+ TaskContent|contains:
+ - 'regsvr32'
+ - 'rundll32'
+ - 'cmd.exe'
+ - 'cmd'
+ - '/c '
+ - '/k '
+ - '/r '
+ - 'powershell'
+ - 'pwsh'
+ - 'mshta'
+ - 'wscript'
+ - 'cscript'
+ - 'certutil'
+ - 'bitsadmin'
+ - 'bash.exe'
+ - 'bash '
+ - 'scrcons'
+ - 'wmic '
+ - 'wmic.exe'
+ - 'forfiles'
+ - 'scriptrunner'
+ - 'hh.exe'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml b/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml
new file mode 100644
index 000000000..b19494759
--- /dev/null
+++ b/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml
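Review bot: `condition: all of selection_*` never includes the `selection` block that holds `EventID: 4698`, because the `selection_*` pattern only matches names with the underscore (`selection_paths`, `selection_commands`); the EventID constraint is silently dropped and the rule is evaluated on path and command keywords alone. Rename the block `selection_eid:` as the update rule in this same series does, or use `condition: selection and all of selection_*`. The earlier PATCH 071 hunk reworded this file's description without catching it, so the squashed version here still ships the bug.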
@@ -0,0 +1,41 @@
+title: Important Scheduled Task Deleted/Disabled
+id: 7595ba94-cf3b-4471-aa03-4f6baa9e5fad
+related:
+ - id: dbc1f800-0fe0-4bc0-9c66-292c2abe3f78
+ type: similar
+ - id: 9ac94dc8-9042-493c-ba45-3b5e7c86b980
+ type: similar
+status: experimental
+description: Detects when adversaries stop services or processes by deleting or disabling their respective schdueled tasks in order to conduct data destructive activities
+references:
+ - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699
+ - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701
+author: Nasreddine Bencherchali
+date: 2022/12/05
+tags:
+ - attack.execution
+ - attack.privilege_escalation
+ - attack.persistence
+ - attack.t1053.005
+logsource:
+ product: windows
+ service: security
+ definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.'
+detection:
+ selection:
+ EventID:
+ - 4699 # Task Deleted Event
+ - 4701 # Task Disabled Event
+ TaskName|contains:
+ # Add more important tasks>
+ - '\Windows\SystemRestore\SR'
+ - '\Windows\Windows Defender\'
+ - '\Windows\BitLocker'
+ - '\Windows\WindowsBackup\'
+ - '\Windows\WindowsUpdate\'
+ - '\Windows\UpdateOrchestrator\'
+ - '\Windows\ExploitGuard'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/builtin/security/win_security_susp_scheduled_task_update.yml b/rules/windows/builtin/security/win_security_susp_scheduled_task_update.yml
new file mode 100644
index 000000000..6c487bf1b
--- /dev/null
+++ b/rules/windows/builtin/security/win_security_susp_scheduled_task_update.yml
@@ -0,0 +1,60 @@
+title: Suspicious Scheduled Task Update
+id: 614cf376-6651-47c4-9dcc-6b9527f749f4
+status: experimental
+description: Detects update to a scheduled task event that contain suspicious keywords.
+references:
+ - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698
+author: Nasreddine Bencherchali
+date: 2022/12/05
+tags:
+ - attack.execution
+ - attack.privilege_escalation
+ - attack.persistence
+ - attack.t1053.005
+logsource:
+ product: windows
+ service: security
+ definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.'
+detection:
+ selection_eid:
+ EventID: 4702
+ selection_paths:
+ TaskContentNew|contains:
+ - '\AppData\Local\Temp\'
+ - '\AppData\Roaming\'
+ - '\Users\Public\'
+ - '\WINDOWS\Temp\'
+ - 'C:\Temp\'
+ - '\Desktop\'
+ - '\Downloads\'
+ - '\Temporary Internet'
+ - 'C:\ProgramData\'
+ - 'C:\Perflogs\'
+ selection_commands:
+ TaskContentNew|contains:
+ - 'regsvr32'
+ - 'rundll32'
+ - 'cmd.exe'
+ - 'cmd'
+ - '/c '
+ - '/k '
+ - '/r '
+ - 'powershell'
+ - 'pwsh'
+ - 'mshta'
+ - 'wscript'
+ - 'cscript'
+ - 'certutil'
+ - 'bitsadmin'
+ - 'bash.exe'
+ - 'bash '
+ - 'scrcons'
+ - 'wmic '
+ - 'wmic.exe'
+ - 'forfiles'
+ - 'scriptrunner'
+ - 'hh.exe'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/builtin/taskscheduler/win_rare_schtask_creation.yml b/rules/windows/builtin/taskscheduler/win_rare_schtask_creation.yml
index a3e475175..c614618fc 100644
--- a/rules/windows/builtin/taskscheduler/win_rare_schtask_creation.yml
+++ b/rules/windows/builtin/taskscheduler/win_rare_schtask_creation.yml
@@ -12,6 +12,7 @@ tags:
 logsource:
 product: windows
 service: taskscheduler
+ definition: the "Microsoft-Windows-TaskScheduler/Operational" is disabled by default and should be enabled in order for this detection to work
 detection:
 selection:
 EventID: 106
diff --git a/rules/windows/builtin/taskscheduler/win_task_scheduler_susp_task_locations.yml b/rules/windows/builtin/taskscheduler/win_task_scheduler_susp_task_locations.yml
new file mode 100644
index 000000000..3a4008f9c
--- /dev/null
+++ b/rules/windows/builtin/taskscheduler/win_task_scheduler_susp_task_locations.yml
@@ -0,0 +1,35 @@
+title: Suspicious Scheduled Tasks Locations
+id: 424273ea-7cf8-43a6-b712-375f925e481f
+status: experimental
+description: Detects the execution of Scheduled Tasks where the Program being run is located in a suspicious location or it's an unusale program to be run from a Scheduled Task
+author: Nasreddine Bencherchali
+date: 2022/12/05
+tags:
+ - attack.persistence
+ - attack.t1053.005
+logsource:
+ product: windows
+ service: taskscheduler
+ definition: 'Requirements: The "Microsoft-Windows-TaskScheduler/Operational" is disabled by default and needs to be enabled in order for this detection to trigger'
+detection:
+ selection:
+ EventID: 129 # Created Task Process
+ Path|contains:
+ - 'C:\Windows\Temp\'
+ - '\AppData\Local\Temp\'
+ - '\Desktop\'
+ - '\Downloads\'
+ - '\Users\Public\'
+ - 'C:\Temp\'
+ # Add more suspicious LOLBINs below
+ - 'C:\Windows\System32\calc.exe'
+ - 'C:\Windows\System32\regsvr32.exe'
+ - 'C:\Windows\System32\rundll32.exe'
+ # If you experience FP. Uncomment the filter below and add the specific TaskName with the Program to it
+ #filter:
+ # TaskName: '\Exact\Task\Name'
+ # Path: 'Exact\Path'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_creation_mavinject_process_injection.yml b/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml
similarity index 68%
rename from rules/windows/process_creation/proc_creation_win_creation_mavinject_process_injection.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml
index 1754f8f63..2229928fb 100644
--- a/rules/windows/process_creation/proc_creation_win_creation_mavinject_process_injection.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_mavinject_process_injection.yml
@@ -4,7 +4,7 @@ related:
 - id: 17eb8e57-9983-420d-ad8a-2c4976c22eb8
 type: obsoletes
 status: experimental
-description: Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag or a renamed execution of the tool
+description: Detects process injection using the signed Windows tool "Mavinject" via the "INJECTRUNNING" flag
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md
@@ -12,9 +12,11 @@ references:
 - https://twitter.com/gN3mes1s/status/941315826107510784
 - https://reaqta.com/2017/12/mavinject-microsoft-injector/
 - https://twitter.com/Hexacorn/status/776122138063409152 # Deleted tweet
+ - https://github.com/SigmaHQ/sigma/issues/3742
+ - https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection
 author: frack113, Florian Roth
 date: 2021/07/12
-modified: 2022/09/07
+modified: 2022/12/05
 tags:
 - attack.defense_evasion
 - attack.privilege_escalation
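Review bot: The renamed-execution half of this rule is carved out into `proc_creation_win_renamed_mavinject.yml` (id `e6474a1b-5390-49cd-ab41-8d88655f7394`) in this same commit, yet the `related` block visible at the top of the first hunk still lists only the `type: obsoletes` entry for `17eb8e57-...`; add a `- id: e6474a1b-5390-49cd-ab41-8d88655f7394` / `type: similar` pair so the two rules stay linked. The `description` trim is right, but now that the text no longer mentions renamed execution, the `# Deleted tweet` reference kept in the second hunk is the only context left for one of the sources and is worth replacing with an archived link or dropping.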
@@ -24,22 +26,11 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection_flag:
+ selection:
 CommandLine|contains: ' /INJECTRUNNING '
- selection_renamed:
- OriginalFileName:
- - 'mavinject32.exe'
- - 'mavinject64.exe'
- filter_renamed:
- Image|endswith:
- - '\mavinject32.exe'
- - '\mavinject64.exe'
- condition: selection_flag or (selection_renamed and not filter_renamed)
-fields:
- - ComputerName
- - User
- - CommandLine
- - ParentCommandLine
+ filter:
+ ParentImage: 'C:\Windows\System32\AppVClient.exe' # This parent is the expected process to launch "mavinject"
+ condition: selection and not filter
 falsepositives:
- - Unlikely
+ - Unknown
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml b/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml
index 3fbfaedfd..9849fbac3 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_wlrmdr.yml
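Review bot: The new `filter` excludes every `/INJECTRUNNING` invocation whose parent is `AppVClient.exe`, but `falsepositives` is changed from `Unlikely` to `Unknown` instead of recording the very case the filter was written for; document it: `falsepositives:` / `  - Legitimate App-V client activity (AppVClient.exe as parent is already filtered)`. The inline comment on the filter line could likewise state the consequence for analysts, e.g. `# Expected parent on App-V enabled hosts; injections launched under it are not alerted on`. Removing the `fields` list is a behaviour change for consumers that rely on it for alert enrichment and deserves a mention in the commit message.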
@@ -4,29 +4,35 @@ status: experimental
 description: Detects use of Wlrmdr.exe in which the -u parameter is passed to ShellExecute
 references:
 - https://twitter.com/0gtweet/status/1493963591745220608?s=20&t=xUg9DsZhJy1q9bPTUWgeIQ
-author: frack113
+author: frack113, manasmbellani
 date: 2022/02/16
-modified: 2022/11/09
+modified: 2022/12/06
 tags:
 - attack.defense_evasion
+ - attack.t1218
 logsource:
 category: process_creation
 product: windows
 detection:
- selection:
- Image|endswith: '\wlrmdr.exe'
+ selection_child_img:
+ - Image|endswith: '\wlrmdr.exe'
+ - OriginalFileName: 'WLRMNDR.EXE'
+ selection_child_cli:
 CommandLine|contains|all:
+ # Note that the dash "-" can be replaced with a slash "/" (TODO: Use the "windash" modifier when it's introduced)
 - '-s '
 - '-f '
 - '-t '
 - '-m '
 - '-a '
 - '-u '
+ selection_parent: # This selection is looking for processes spawned from wlrmdr using the "-u" flag
+ ParentImage|endswith: '\wlrmdr.exe'
 filter:
 ParentImage: 'C:\Windows\System32\winlogon.exe'
 filter_null:
 ParentImage: '-'
- condition: selection and not 1 of filter*
+ condition: selection_parent or (all of selection_child_* and not 1 of filter*)
 falsepositives:
 - Unknown
 level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml b/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml
new file mode 100644
index 000000000..cc6c21e46
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_renamed_mavinject.yml
@@ -0,0 +1,36 @@
+title: Rename Mavinject Execution
+id: e6474a1b-5390-49cd-ab41-8d88655f7394
+status: experimental
+description: Detects execution of a renamed version of the "Mavinject" process. Which can be abused to perform process injection using the "/INJECTRUNNING" flag
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.004/T1056.004.md
+ - https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e
+ - https://twitter.com/gN3mes1s/status/941315826107510784
+ - https://reaqta.com/2017/12/mavinject-microsoft-injector/
+ - https://twitter.com/Hexacorn/status/776122138063409152 # Deleted tweet
+ - https://github.com/Sigma HQ/sigma/issues/3742
+ - https://github.com/keyboardcrunch/SentinelOne-ATTACK-Queries/blob/6a228d23eefe963ca81f2d52f94b815f61ef5ee0/Tactics/DefenseEvasion.md#t1055-process-injection
+author: frack113, Florian Roth
+date: 2022/12/05
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1055.001
+ - attack.t1218.013
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ OriginalFileName:
+ - 'mavinject32.exe'
+ - 'mavinject64.exe'
+ filter:
+ Image|endswith:
+ - '\mavinject32.exe'
+ - '\mavinject64.exe'
+ condition: selection and not filter
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_conhost.yml b/rules/windows/process_creation/proc_creation_win_susp_conhost.yml
index 74aca0737..fe79e160d 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_conhost.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_conhost.yml
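Review bot: The `title` says "Rename Mavinject Execution" while the rule detects execution of an already-renamed binary; `title: Renamed Mavinject Execution` matches the `description` and the file name. The rule has no `related:` block even though it was split out of `proc_creation_win_lolbin_mavinject_process_injection.yml` in this same commit; add a `type: similar` entry carrying that rule's id (not visible in this diff) so the pair is discoverable. The `description` also breaks a sentence at "process. Which" — `description: Detects execution of a renamed version of the "Mavinject" binary, which can be abused to perform process injection using the "/INJECTRUNNING" flag`.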
@@ -6,7 +6,7 @@ references: - http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/ author: omkar72 date: 2020/10/25 -modified: 2022/11/08 +modified: 2022/12/06 tags: - attack.defense_evasion - attack.t1202 @@ -46,8 +46,9 @@ detection: Image: 'C:\Windows\System32\conhost.exe' filter_image_conhost2: ParentCommandLine: - - '\??\C:\WINDOWS\system32\conhost.exe 0x4' - - '\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1' + # The "?" needs to be escaped as they considered special characters in SIGMA (https://github.com/SigmaHQ/sigma-specification) + - '\\\?\?\\C:\\WINDOWS\\system32\\conhost.exe 0x4' + - '\\\?\?\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1' Image: 'C:\Windows\System32\conhost.exe' filter_image_git: ParentCommandLine: '\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1' diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml b/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml index 84bb696c4..18bf23836 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml @@ -4,7 +4,7 @@ related: - id: 9ac94dc8-9042-493c-ba45-3b5e7c86b980 type: derived status: experimental -description: Detects when adversaries stop services or processes by disabling their respective schdueled tasks in order to conduct data destructive activities +description: Detects when adversaries stop services or processes by deleting their respective schdueled tasks in order to conduct data destructive activities references: - Internal Research author: Nasreddine Bencherchali diff --git a/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml b/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml index c60319ecb..337c3cd4e 100644 --- a/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml 
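Review bot: The second hunk escapes `\??\` and the backslashes only in `filter_image_conhost2`; the `filter_image_git` value two lines below (`ParentCommandLine: '\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1'`) still contains raw `?` wildcards and single backslashes, so the same path is now encoded two different ways in one rule and the comment added here ("The '?' needs to be escaped") is contradicted immediately after. Apply the same escaping to that line: `ParentCommandLine: '\\\?\?\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1'`. The rest of `filter_image_git` lies outside the hunk.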
+++ b/rules/windows/registry/registry_event/registry_event_persistence_recycle_bin.yml @@ -4,8 +4,11 @@ status: experimental description: Detects persistence registry keys for Recycle Bin references: - https://github.com/vxunderground/VXUG-Papers/blob/751edb8d50f95bd7baa730adf2c6c3bb1b034276/The%20Persistence%20Series/Persistence%20via%20Recycle%20Bin/Persistence_via_Recycle_Bin.pdf + - https://persistence-info.github.io/Data/recyclebin.html + - https://www.hexacorn.com/blog/2018/05/28/beyond-good-ol-run-key-part-78-2/ author: frack113 date: 2021/11/18 +modified: 2022/12/06 tags: - attack.persistence - attack.t1547 @@ -15,10 +18,10 @@ logsource: detection: selection_create: EventType: RenameKey - NewName: HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open + NewName|contains: '\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open' selection_set: EventType: SetValue - TargetObject: HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command\(Default) + TargetObject|contains: '\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell\open\command\(Default)' condition: 1 of selection_* falsepositives: - Unknown From 1ad66a3c0f97a018b20c55e5ed7dd02e103a70e5 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 6 Dec 2022 12:28:28 +0100 Subject: [PATCH 075/303] fix: broken selection --- ...on_win_iis_service_account_password_dumped.yml | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml b/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml index d0bf05e0d..2616aca73 100644 --- a/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml +++ b/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml 
@@ -8,6 +8,7 @@ references: - https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/ author: Tim Rauch, Janantha Marasinghe date: 2022/11/08 +modified: 2022/12/06 tags: - attack.credential_access - attack.t1003 @@ -20,16 +21,12 @@ detection: - OriginalFilename: 'appcmd.exe' selection_list: CommandLine|contains: 'list ' - selection_cmd1: - CommandLine|contains|all: - - ' /text' - - ' password' - selection_cmd2: + selection_cmd: CommandLine|contains: - - ' /@t ' - - ' /text ' - - ' /config ' - - ' /@c' + - ' /@t' # Covers both "/@text:*" and "/@t:*" + - ' /text' + - ' /show' + - ' /config' condition: all of selection_* falsepositives: - Unknown From 8fa8a7355141b525f5764ad5ff86caf6afc641c7 Mon Sep 17 00:00:00 2001 From: BlueTeamOps <1480956+blueteam0ps@users.noreply.github.com> Date: Tue, 6 Dec 2022 23:10:58 +1100 Subject: [PATCH 076/303] Updated proc_creation_win_iis_service_account_password_dumped.yml (#3682) Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> --- ...in_iis_service_account_password_dumped.yml | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml b/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml index 564767cb2..2616aca73 100644 --- a/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml +++ b/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml 
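Review bot: The context line `- OriginalFilename: 'appcmd.exe'` in the image selection uses a different casing from the `OriginalFileName` field that the other process_creation rules in this series use (mavinject, susp_cmd), and the typo test in `tests/test_rules.py` only checks for `SourceFileName`/`OriginalName`, so this slips through; on backends that map field names exactly this alternative likely never matches and the rule falls back to `Image|endswith` alone. Since the hunk is already touching this selection, change it to `- OriginalFileName: 'appcmd.exe'`. The `selection_img` header itself is outside the hunk.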
@@ -4,8 +4,11 @@ status: experimental description: Detects the Internet Information Services (IIS) command-line tool, AppCmd, being used to list passwords references: - https://www.elastic.co/guide/en/security/current/microsoft-iis-service-account-password-dumped.html -author: Tim Rauch -date: 2022/09/28 + - https://twitter.com/0gtweet/status/1588815661085917186?cxt=HHwWhIDUyaDbzYwsAAAA + - https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/ +author: Tim Rauch, Janantha Marasinghe +date: 2022/11/08 +modified: 2022/12/06 tags: - attack.credential_access - attack.t1003 @@ -17,14 +20,14 @@ detection: - Image|endswith: '\appcmd.exe' - OriginalFilename: 'appcmd.exe' selection_list: + CommandLine|contains: 'list ' + selection_cmd: CommandLine|contains: - - ' /list ' - - ' list ' - selection_all: - CommandLine|contains|all: + - ' /@t' # Covers both "/@text:*" and "/@t:*" - ' /text' - - ' password' - condition: all of selection* + - ' /show' + - ' /config' + condition: all of selection_* falsepositives: - Unknown level: high From 850d4fcd50d051fbcd21733be500ce2d9c460482 Mon Sep 17 00:00:00 2001 
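Review bot: Dropping the `' password'` term from the command-line selection means routine IIS administration such as `appcmd list apppool /config` or `appcmd list site /text:*` now satisfies `all of selection_*` at level high, because every remaining switch (`/text`, `/config`, `/@t`) is a generic output-format flag rather than a credential-specific one. Consider keeping a password-bearing variant (for example `' /text:password'` or `'/text:*'`) as the high-level branch, or lower this rule to medium and add `- Administrators enumerating site or application pool configuration with /config or /text` under `falsepositives` so the broadened match is documented.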
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 7 Dec 2022 00:20:56 +0100 Subject: [PATCH 077/303] feat: update windefend rules --- .../windefend/win_defender_amsi_trigger.yml | 2 +- .../windefend/win_defender_disabled.yml | 14 +++---- .../windefend/win_defender_exclusions.yml | 10 ++--- .../win_defender_exploit_guard_tamper.yml | 15 ++++---- .../windefend/win_defender_history_delete.yml | 7 ++-- .../win_defender_restored_quarantine_file.yml | 21 ++++++++++ ...defender_suspicious_features_tampering.yml | 38 +++++++++++++++++++ ...win_defender_tamper_protection_trigger.yml | 20 +++++++--- .../builtin/windefend/win_defender_threat.yml | 8 ++-- 9 files changed, 101 insertions(+), 34 deletions(-) create mode 100644 rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml create mode 100644 rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml diff --git a/rules/windows/builtin/windefend/win_defender_amsi_trigger.yml b/rules/windows/builtin/windefend/win_defender_amsi_trigger.yml index 9f80f5e71..1f80579fe 100644 --- a/rules/windows/builtin/windefend/win_defender_amsi_trigger.yml +++ b/rules/windows/builtin/windefend/win_defender_amsi_trigger.yml @@ -15,7 +15,7 @@ logsource: service: windefend detection: selection: - EventID: 1116 + EventID: 1116 # The antimalware platform detected malware or other potentially unwanted software. Source_Name: 'AMSI' condition: selection falsepositives: diff --git a/rules/windows/builtin/windefend/win_defender_disabled.yml b/rules/windows/builtin/windefend/win_defender_disabled.yml index 7791cd210..432ddf5d0 100644 --- a/rules/windows/builtin/windefend/win_defender_disabled.yml +++ b/rules/windows/builtin/windefend/win_defender_disabled.yml 
@@ -7,7 +7,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md author: Ján Trenčanský, frack113 date: 2020/07/28 -modified: 2022/05/06 +modified: 2022/12/06 tags: - attack.defense_evasion - attack.t1562.001 @@ -17,11 +17,11 @@ logsource: detection: selection: EventID: - - 5001 - - 5010 - - 5012 - - 5101 + - 5001 # Real-time protection is disabled. + - 5010 # Scanning for malware and other potentially unwanted software is disabled. + - 5012 # Scanning for viruses is disabled. + - 5101 # The antimalware platform is expired. condition: selection falsepositives: - - Administrator actions -level: low + - Administrator actions (should be investigated) +level: high diff --git a/rules/windows/builtin/windefend/win_defender_exclusions.yml b/rules/windows/builtin/windefend/win_defender_exclusions.yml index 37b8c1c4d..580404ce4 100644 --- a/rules/windows/builtin/windefend/win_defender_exclusions.yml +++ b/rules/windows/builtin/windefend/win_defender_exclusions.yml @@ -6,7 +6,7 @@ references: - https://twitter.com/_nullbind/status/1204923340810543109 author: Christian Burkard date: 2021/07/06 -modified: 2022/02/02 +modified: 2022/12/06 tags: - attack.defense_evasion - attack.t1562.001 @@ -14,10 +14,10 @@ logsource: product: windows service: windefend detection: - selection1: - EventID: 5007 - NewValue|contains: '\Microsoft\Windows Defender\Exclusions' - condition: selection1 + selection: + EventID: 5007 # The antimalware platform configuration changed. + New_Value|contains: '\Microsoft\Windows Defender\Exclusions' + condition: selection falsepositives: - Administrator actions level: medium diff --git a/rules/windows/builtin/windefend/win_defender_exploit_guard_tamper.yml b/rules/windows/builtin/windefend/win_defender_exploit_guard_tamper.yml index 4840c3746..c2924356e 100644 --- a/rules/windows/builtin/windefend/win_defender_exploit_guard_tamper.yml 
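Review bot: Raising this rule from low to high while keeping 5001 and 5101 in the list will, as far as the inline descriptions show, alert on every host where real-time protection is switched off because a third-party AV/EDR registers and Defender goes passive, and on platform-expiry (5101), which is a licensing/servicing condition rather than tampering; `falsepositives` still only says `Administrator actions (should be investigated)`. Either move 5101 into its own lower-level rule or add `- Installation of a third-party antivirus, which disables Defender real-time protection` to `falsepositives` so analysts can triage at this level.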
+++ b/rules/windows/builtin/windefend/win_defender_exploit_guard_tamper.yml @@ -6,18 +6,19 @@ references: - https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088 author: Nasreddine Bencherchali date: 2022/08/05 +modified: 2022/12/06 tags: - - attack.execution - - attack.t1059 + - attack.defense_evasion + - attack.t1562.001 logsource: product: windows service: windefend detection: allowed_apps_key: - EventID: 5007 - NewValue|contains: '\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\AllowedApplications\' + EventID: 5007 # The antimalware platform configuration changed. + New_Value|contains: '\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\AllowedApplications\' allowed_apps_path: - NewValue|contains: + New_Value|contains: # Add more paths you don't allow in your org - '\Users\Public\' - '\AppData\Local\Temp\' @@ -25,9 +26,9 @@ detection: - '\PerfLogs\' - '\Windows\Temp\' protected_folders: - EventID: 5007 + EventID: 5007 # The antimalware platform configuration changed. # This will trigger on any folder removal. If you experience FP's then add another selection with specific paths - OldValue|contains: '\SOFTWARE\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders\' + Old_Value|contains: '\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders\' condition: all of allowed_apps* or protected_folders falsepositives: - Unlikely diff --git a/rules/windows/builtin/windefend/win_defender_history_delete.yml b/rules/windows/builtin/windefend/win_defender_history_delete.yml index 0cfba55f8..8a0b8629b 100644 --- a/rules/windows/builtin/windefend/win_defender_history_delete.yml +++ b/rules/windows/builtin/windefend/win_defender_history_delete.yml 
@@ -4,23 +4,22 @@ status: test description: Windows Defender logs when the history of detected infections is deleted. Log file will contain the message "Windows Defender Antivirus has removed history of malware and other potentially unwanted software". references: - https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus + - https://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/microsoft-antimalware-has-removed-history-of/f15af6c9-01a9-4065-8c6c-3f2bdc7de45e author: Cian Heasley date: 2020/08/13 modified: 2022/10/09 tags: - attack.defense_evasion - - attack.t1070.001 logsource: product: windows service: windefend detection: selection: - EventID: 1013 - EventType: 4 + EventID: 1013 # The antimalware platform deleted history of malware and other potentially unwanted software. condition: selection fields: - EventID - EventType falsepositives: - Deletion of Defender malware detections history for legitimate reasons -level: high +level: low diff --git a/rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml b/rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml new file mode 100644 index 000000000..d997b9ae7 --- /dev/null +++ b/rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml 
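Review bot: The `fields:` section still lists `EventType` even though the `EventType: 4` selector is removed in this hunk, so the rule advertises an output field it no longer constrains; drop `- EventType` from `fields` or keep the selector. Removing `attack.t1070.001` (Clear Windows Event Logs) is correct, but it leaves a tactic tag with no technique — deleting Defender's detection history reads as indicator removal in general, so `- attack.t1070` looks like a better replacement than none; please confirm against the current ATT&CK mapping.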
@@ -0,0 +1,21 @@
+title: Win Defender Restored Quarantine File
+id: 57b649ef-ff42-4fb0-8bf6-62da243a1708
+status: experimental
+description: Detects the restoration of files from the defender quarantine
+references:
+ - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
+author: Nasreddine Bencherchali
+date: 2022/12/06
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
+logsource:
+ product: windows
+ service: windefend
+detection:
+ selection:
+ EventID: 1009 # The antimalware platform restored an item from quarantine.
+ condition: selection
+falsepositives:
+ - Legitimate administrator activity restoring a file
+level: high
diff --git a/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml b/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml
new file mode 100644
index 000000000..49431e1f1
--- /dev/null
+++ b/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml
@@ -0,0 +1,38 @@
+title: Windows Defender Suspicious Configuration Changes
+id: 57b649ef-ff42-4fb0-8bf6-62da243a1708
+related:
+ - id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
+ type: similar
+ - id: a3ab73f1-bd46-4319-8f06-4b20d0617886
+ type: similar
+status: stable
+description: Detects suspicious changes to the windows defender configuration
+references:
+ - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide
+ - https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware
+author: Nasreddine Bencherchali
+date: 2022/12/06
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
+logsource:
+ product: windows
+ service: windefend
+detection:
+ selection:
+ EventID: 5007 # The antimalware platform configuration changed.
+ New_Value|contains:
+ # TODO: Add more suspicious values
+ - '\Windows Defender\DisableAntiSpyware'
+ - '\Windows Defender\Features\TamperProtection'
+ - '\Windows Defender\Scan\DisableRemovableDriveScanning'
+ - '\Windows Defender\Scan\DisableScanningMappedNetworkDrivesForFullScan'
+ - '\Windows Defender\SpyNet\DisableBlockAtFirstSeen'
+ - '\Real-Time Protection\SpyNetReporting'
+ - '\Real-Time Protection\SubmitSamplesConsent'
+ # Exclusions changes are covered in 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
+ # Exploit guard changes are covered in a3ab73f1-bd46-4319-8f06-4b20d0617886
+ condition: selection
+falsepositives:
+ - Administrator activity (must be investigated)
+level: high
diff --git a/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml b/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml
index 5c7202a37..887b9ac52 100644
--- a/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml
+++ b/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml
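Review bot: A brand-new rule carrying `status: stable` while its selection still holds `# TODO: Add more suspicious values` is contradictory; the sibling rule created in this same commit uses `status: experimental`, which is the convention for rules that have not yet been validated in production. Change it to `status: experimental`. Also, `New_Value|contains` on these key paths fires on any write, including one that sets a feature back to its protective value (e.g. re-enabling `SpyNetReporting`), so the description should say that the rule flags any change to these settings rather than only a disabling one, otherwise the high level reads as a false promise.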
@@ -1,11 +1,13 @@ title: Microsoft Defender Tamper Protection Trigger id: 49e5bc24-8b86-49f1-b743-535f332c2856 status: stable -description: Detects block of attempt to disable real time protection of Microsoft Defender by tamper protection +description: Detects blocked attempts to change any of Defender's settings such as "Real Time Monitoring" and "Behavior Monitoring" references: - https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection -author: Bhabesh Raj + - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide +author: Bhabesh Raj, Nasreddine Bencherchali date: 2021/07/05 +modified: 2022/12/06 tags: - attack.defense_evasion - attack.t1562.001 @@ -14,11 +16,17 @@ logsource: service: windefend detection: selection: - EventID: 5013 + EventID: 5013 # Tamper protection blocked a change to Microsoft Defender Antivirus. If Tamper protection is enabled then, any attempt to change any of Defender's settings is blocked. Event ID 5013 is generated and states which setting change was blocked. Value|endswith: - - '\Windows Defender\DisableAntiSpyware = 0x1()' - - '\Real-Time Protection\DisableRealtimeMonitoring = (Current)' + - '\Windows Defender\DisableAntiSpyware' + - '\Windows Defender\DisableAntiVirus' + - '\Windows Defender\Scan\DisableArchiveScanning' + - '\Windows Defender\Scan\DisableScanningNetworkFiles' + - '\Real-Time Protection\DisableRealtimeMonitoring' + - '\Real-Time Protection\DisableBehaviorMonitoring' + - '\Real-Time Protection\DisableIOAVProtection' + - '\Real-Time Protection\DisableScriptScanning' condition: selection falsepositives: - - Administrator actions + - Administrator might try to disable defender features during testing (must be investigated) level: high diff --git a/rules/windows/builtin/windefend/win_defender_threat.yml b/rules/windows/builtin/windefend/win_defender_threat.yml index e2bdd262e..4e917229c 100644 
--- a/rules/windows/builtin/windefend/win_defender_threat.yml +++ b/rules/windows/builtin/windefend/win_defender_threat.yml @@ -15,10 +15,10 @@ logsource: detection: selection: EventID: - - 1006 - - 1116 - - 1015 - - 1117 + - 1006 # The antimalware engine found malware or other potentially unwanted software. + - 1116 # The antimalware platform detected malware or other potentially unwanted software. + - 1015 # The antimalware platform detected suspicious behavior. + - 1117 # he antimalware platform performed an action to protect your system from malware or other potentially unwanted software. condition: selection falsepositives: - Unlikely From 0d3cb5226691ec196f0f1fd67898000535edffa8 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 7 Dec 2022 01:04:25 +0100 Subject: [PATCH 078/303] feat: enhance typos test --- tests/test_rules.py | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/tests/test_rules.py b/tests/test_rules.py index 5d88c97e9..452028809 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py 
@@ -907,12 +907,21 @@ class TestRules(unittest.TestCase):
 typos = [("ServiceFilename", "ServiceFileName"), ("TargetFileName", "TargetFilename"), ("SourceFileName", "OriginalFileName"), ("Commandline", "CommandLine"), ("Targetobject", "TargetObject"), ("OriginalName", "OriginalFileName")]
 faulty_rules = []
 for file in self.yield_next_rule_file_path(self.path_to_rules):
+ # Some fields exists in certain log sources in different forms than other log sources. We need to handle these as special cases
+ # We check first the logsource to handle special cases
+ logsource = self.get_rule_part(file_path=file, part_name="logsource")
+ # The current special cases are:
+ # - 'windefend'
+ if "windefend" in logsource.values():
+ typos_ = typos + [("NewValue", "New_Value"), ("OldValue", "Old_Value")]
+ else:
+ typos_ = typos
 detection = self.get_rule_part(file_path=file, part_name="detection")
 if detection:
 for search_identifier in detection:
 if isinstance(detection[search_identifier], dict):
 for field in detection[search_identifier]:
- for typo in typos:
+ for typo in typos_:
 if typo[0] in field:
 print(Fore.RED + "Rule {} has a common typo ({}) which should be ({}) in selection ({}/{})".format(file, typo[0], typo[1], search_identifier, field))
 faulty_rules.append(file)
From a7bfb349eee1daf6565033376dc4cdb11513ade0 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 7 Dec 2022 02:25:52 +0100
Subject: [PATCH 079/303] fix: fix fp found in testing
---
 .../win_security_user_driver_loaded.yml | 20 ++++++++++---------
 .../registry_set_susp_service_installed.yml | 7 +++++--
 2 files changed, 16 insertions(+), 11 deletions(-)
diff --git a/rules/windows/builtin/security/win_security_user_driver_loaded.yml b/rules/windows/builtin/security/win_security_user_driver_loaded.yml
index 510820c61..32dd4b9af 100644
--- a/rules/windows/builtin/security/win_security_user_driver_loaded.yml
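Review bot: `"windefend" in logsource.values()` dereferences the result of `get_rule_part` without the `if detection:` style guard the existing code applies to the detection part a few lines below, so a rule file with a missing or malformed `logsource` section would make this test raise `AttributeError` instead of reporting the file — assuming `get_rule_part` returns `None` in that case, as its use for `detection` suggests. Guard it the same way: `if logsource and "windefend" in logsource.values():`. The enclosing test method starts before the hunk.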
+++ b/rules/windows/builtin/security/win_security_user_driver_loaded.yml @@ -13,7 +13,7 @@ references: - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673 author: xknow (@xknow_infosec), xorxes (@xor_xes) date: 2019/04/08 -modified: 2021/11/30 +modified: 2022/12/07 tags: - attack.defense_evasion - attack.t1562.001 @@ -27,14 +27,16 @@ detection: PrivilegeList: 'SeLoadDriverPrivilege' Service: '-' filter: - ProcessName|endswith: - - '\Windows\System32\Dism.exe' - - '\Windows\System32\rundll32.exe' - - '\Windows\System32\fltMC.exe' - - '\Windows\HelpPane.exe' - - '\Windows\System32\mmc.exe' - - '\Windows\System32\svchost.exe' - - '\Windows\System32\wimserv.exe' + - ProcessName: + - 'C:\Windows\System32\Dism.exe' + - 'C:\Windows\System32\rundll32.exe' + - 'C:\Windows\System32\fltMC.exe' + - 'C:\Windows\HelpPane.exe' + - 'C:\Windows\System32\mmc.exe' + - 'C:\Windows\System32\svchost.exe' + - 'C:\Windows\System32\wimserv.exe' + - 'C:\Windows\System32\RuntimeBroker.exe' + - ProcessName|endswith: - '\procexp64.exe' - '\procexp.exe' - '\procmon64.exe' diff --git a/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml b/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml index ef1c0a2b7..3952c6ac1 100755 --- a/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml +++ b/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml 
@@ -5,10 +5,10 @@ description: | Detects installation of NalDrv or PROCEXP152 services via registry-keys to non-system32 folders. Both services are used in the tool Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs), which uses KDU (https://github.com/hfiref0x/KDU) references: - - https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ + - https://web.archive.org/web/20200419024230/https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/ author: xknow (@xknow_infosec), xorxes (@xor_xes) date: 2019/04/08 -modified: 2022/11/22 +modified: 2022/12/07 tags: - attack.t1562.001 - attack.defense_evasion @@ -23,10 +23,13 @@ detection: - 'HKLM\System\CurrentControlSet\Services\PROCEXP152\ImagePath' filter: Image|endswith: + # Please add the full paths that you use in your environment to tighten the rule - '\procexp64.exe' - '\procexp.exe' - '\procmon64.exe' - '\procmon.exe' + - '\handle.exe' + - '\handle64.exe' Details|contains: '\WINDOWS\system32\Drivers\PROCEXP152.SYS' condition: selection and not filter falsepositives: From a425ef65e5bd7e2602ee6fd6762dd8fb1065104f Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 7 Dec 2022 02:26:21 +0100 Subject: [PATCH 080/303] feat: update metadata and add more cases for rules --- ...urity_susp_codeintegrity_check_failure.yml | 2 +- .../file_event_win_susp_dropper.yml | 1 + .../proc_creation_win_chisel_usage.yml | 8 +++-- .../proc_creation_win_sharp_chisel_usage.yml | 23 ++++--------- ...add_renamed_sysinternals_eula_accepted.yml | 32 +++++++++++++------ 5 files changed, 35 insertions(+), 31 deletions(-) diff --git a/rules/windows/builtin/security/win_security_susp_codeintegrity_check_failure.yml b/rules/windows/builtin/security/win_security_susp_codeintegrity_check_failure.yml index 78d011da9..19f0bf9c4 100644 --- a/rules/windows/builtin/security/win_security_susp_codeintegrity_check_failure.yml 
+++ b/rules/windows/builtin/security/win_security_susp_codeintegrity_check_failure.yml @@ -1,7 +1,7 @@ title: Failed Code Integrity Checks id: 470ec5fa-7b4e-4071-b200-4c753100f49b status: stable -description: Code integrity failures may indicate tampered executables. +description: Detects Code integrity failures such as missing page hashes or corrupted drivers due unauthorized modification. This could be a signe of tampered binaries. author: Thomas Patzke date: 2019/12/03 modified: 2020/08/23 diff --git a/rules/windows/file/file_event/file_event_win_susp_dropper.yml b/rules/windows/file/file_event/file_event_win_susp_dropper.yml index 3f768d093..ae5f00683 100644 --- a/rules/windows/file/file_event/file_event_win_susp_dropper.yml +++ b/rules/windows/file/file_event/file_event_win_susp_dropper.yml @@ -80,5 +80,6 @@ detection: falsepositives: - Software installers - Update utilities + - 32bit applications launching their 64bit versions #Please contribute to FP to increase the level level: low diff --git a/rules/windows/process_creation/proc_creation_win_chisel_usage.yml b/rules/windows/process_creation/proc_creation_win_chisel_usage.yml index 694b2775a..002083247 100644 --- a/rules/windows/process_creation/proc_creation_win_chisel_usage.yml +++ b/rules/windows/process_creation/proc_creation_win_chisel_usage.yml @@ -8,8 +8,10 @@ description: Detects usage of the Chisel tunneling tool via the commandline argu references: - https://github.com/jpillora/chisel/ - https://arcticwolf.com/resources/blog/lorenz-ransomware-chiseling-in/ + - https://blog.sekoia.io/lucky-mouse-incident-response-to-detection-engineering/ author: Florian Roth date: 2022/09/13 +modified: 2022/12/07 tags: - attack.command_and_control - attack.t1090.001 
@@ -25,11 +27,11 @@ detection:
 - 'exe server '
 selection_param2:
 CommandLine|contains:
- - ' --socks5'
- - ' --reverse'
+ - '-socks5'
+ - '-reverse'
 - ' r:'
 - ':127.0.0.1:'
- - ' --tls-skip-verify '
+ - '-tls-skip-verify '
 - ':socks'
 condition: selection_img or all of selection_param*
 falsepositives:
diff --git a/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml b/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml
index 012766883..ed5fe8397 100644
--- a/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml
+++ b/rules/windows/process_creation/proc_creation_win_sharp_chisel_usage.yml
@@ -18,22 +18,11 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection_1_img:
- Image|endswith: '\SharpChisel.exe'
- selection_1_pe:
- Product: 'SharpChisel'
- # Covered by Chisel Rule
- # selection_2_client_server:
- # CommandLine|contains:
- # - 'exe client '
- # - 'exe server '
- # selection_2_flags:
- # CommandLine|contains:
- # - ' --socks5'
- # - ' --reverse'
- # - ' r:'
- # - ':127.0.0.1:'
- condition: 1 of selection*
+ selection:
+ - Image|endswith: '\SharpChisel.exe'
+ - Product: 'SharpChisel'
+ # See rule 8b0e12da-d3c3-49db-bb4f-256703f380e5 for Chisel.exe coverage
+ condition: selection
 falsepositives:
- - Some false positives may occure with other tools with similar commandlines
+ - Unlikely
 level: high
diff --git a/rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml b/rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml
index 0bf48f7de..c0e5aab00 100644
--- a/rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml
+++ b/rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml
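Review bot: `'-tls-skip-verify '` keeps a trailing space while the two entries rewritten alongside it (`'-socks5'`, `'-reverse'`) drop it, so a command line that ends with `--tls-skip-verify` is missed by this entry; for consistency with the same change use `- '-tls-skip-verify'`. Dropping the leading space also lets `-reverse` match inside longer tokens, which is only safe because `all of selection_param*` still requires the `exe client `/`exe server ` prefix from `selection_param1` — worth a one-line comment above the list, e.g. `# Short forms without leading space: bounded by selection_param1, do not loosen the condition`, so the next editor does not relax it.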
@@ -6,11 +6,12 @@ related: - id: 8023f872-3f1d-4301-a384-801889917ab4 type: similar status: experimental -description: Detects the of the "accepteula" key related to sysinternals tools being created from non sysinternals tools +description: Detects the "accepteula" key related to sysinternals tools being created from non sysinternals tools references: - Internal Research author: Nasreddine Bencherchali date: 2022/08/24 +modified: 2022/12/07 tags: - attack.resource_development - attack.t1588.002 @@ -21,33 +22,44 @@ detection: selection: EventType: CreateKey TargetObject|contains: - - '\PsExec' - - '\ProcDump' + # Please add new values while respecting the alphabetical order + - '\Active Directory Explorer' - '\Handle' - '\LiveKd' + - '\ProcDump' - '\Process Explorer' + - '\PsExec' + - '\PsLoggedon' - '\PsLoglist' - '\PsPasswd' - - '\Active Directory Explorer' + - '\PsPing' + - '\PsService' TargetObject|endswith: '\EulaAccepted' filter: Image|endswith: - - '\PsExec.exe' - - '\PsExec64.exe' - - '\procdump.exe' - - '\procdump64.exe' + # Please add new values while respecting the alphabetical order + - '\ADExplorer.exe' + - '\ADExplorer64.exe' - '\handle.exe' - '\handle64.exe' - '\livekd.exe' - '\livekd64.exe' + - '\procdump.exe' + - '\procdump64.exe' - '\procexp.exe' - '\procexp64.exe' + - '\PsExec.exe' + - '\PsExec64.exe' + - '\PsLoggedon.exe' + - '\PsLoggedon64.exe' - '\psloglist.exe' - '\psloglist64.exe' - '\pspasswd.exe' - '\pspasswd64.exe' - - '\ADExplorer.exe' - - '\ADExplorer64.exe' + - '\PsPing.exe' + - '\PsPing64.exe' + - '\PsService.exe' + - '\PsService64.exe' condition: selection and not filter falsepositives: - Unlikely From 899b1606f8165f4e303d45179fd8296f81167426 Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 7 Dec 2022 02:38:19 +0100 Subject: [PATCH 081/303] fix: duplicate id --- .../builtin/windefend/win_defender_restored_quarantine_file.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml b/rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml index d997b9ae7..81aea09c4 100644 --- a/rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml +++ b/rules/windows/builtin/windefend/win_defender_restored_quarantine_file.yml @@ -1,5 +1,5 @@ title: Win Defender Restored Quarantine File -id: 57b649ef-ff42-4fb0-8bf6-62da243a1708 +id: bc92ca75-cd42-4d61-9a37-9d5aa259c88b status: experimental description: Detects the restoration of files from the defender quarantine references: From 1d749cee54c6985ce8bf65731aacd3d1c9dc6652 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 7 Dec 2022 02:44:31 +0100 Subject: [PATCH 082/303] fix: duplicate id --- .../windefend/win_defender_suspicious_features_tampering.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml b/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml index 49431e1f1..3f38a6d85 100644 --- a/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml +++ b/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml @@ -1,5 +1,5 @@ title: Windows Defender Suspicious Configuration Changes -id: 57b649ef-ff42-4fb0-8bf6-62da243a1708 +id: 801bd44f-ceed-4eb6-887c-11544633c0aa related: - id: 1321dc4e-a1fe-481d-a016-52c45f0c8b4f type: similar From b59566ad0f39ed76c36fcc26086c98dd49299106 Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 7 Dec 2022 11:52:38 +0100 Subject: [PATCH 083/303] fix: fix FP found in testing --- .../file/file_event/file_event_win_susp_dropper.yml | 7 ++++++- .../process_creation/proc_creation_win_susp_cmd.yml | 12 +++++++++--- .../proc_creation_win_susp_conhost.yml | 11 +++++++---- 3 files changed, 22 insertions(+), 8 deletions(-) diff --git a/rules/windows/file/file_event/file_event_win_susp_dropper.yml b/rules/windows/file/file_event/file_event_win_susp_dropper.yml index ae5f00683..c52e47eb5 100644 --- a/rules/windows/file/file_event/file_event_win_susp_dropper.yml +++ b/rules/windows/file/file_event/file_event_win_susp_dropper.yml @@ -6,7 +6,7 @@ references: - Malware Sandbox author: frack113 date: 2022/03/09 -modified: 2022/11/08 +modified: 2022/12/07 tags: - attack.resource_development - attack.t1587.001 @@ -76,6 +76,11 @@ detection: Image|startswith: 'C:\Windows\Microsoft.NET\Framework\' Image|endswith: '\mscorsvw.exe' TargetFilename|startswith: 'C:\Windows\assembly\NativeImages_' + filter_vscode: + Image|startswith: 'C:\Users\' + Image|contains: '\AppData\Local\' + Image|endswith: '\Microsoft VS Code\Code.exe' + TargetFilename|contains: '\.vscode\extensions\' condition: selection and not 1 of filter_* falsepositives: - Software installers diff --git a/rules/windows/process_creation/proc_creation_win_susp_cmd.yml b/rules/windows/process_creation/proc_creation_win_susp_cmd.yml index 0878576b8..5af183017 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_cmd.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_cmd.yml @@ -6,6 +6,7 @@ references: - https://github.com/Wh04m1001/SysmonEoP author: frack113 date: 2022/12/05 +modified: 2022/12/07 tags: - attack.privilege_escalation - attack.defense_evasion 
@@ -16,11 +17,11 @@ logsource: category: process_creation detection: selection_shell: - - Image|endswith: + - Image|endswith: - '\powershell.exe' - '\pwsh.exe' - '\cmd.exe' - - OriginalFileName: + - OriginalFileName: - 'PowerShell.EXE' - 'pwsh.dll' - 'Cmd.Exe' @@ -29,7 +30,12 @@ detection: - 'AUTHORI' - 'AUTORI' LogonId: '0x3e7' - condition: all of selection_* + filter_compattelrunner: + ParentImage: 'C:\Windows\System32\CompatTelRunner.exe' + ParentCommandLine|contains: '-m:appraiser.dll -f:DoScheduledTelemetryRun' + OriginalFileName: 'PowerShell.EXE' + CommandLine|contains: '-ExecutionPolicy Restricted -Command Write-Host' + condition: all of selection_* and not 1 of filter_* falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_susp_conhost.yml b/rules/windows/process_creation/proc_creation_win_susp_conhost.yml index fe79e160d..ea149ab69 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_conhost.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_conhost.yml @@ -6,7 +6,7 @@ references: - http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/ author: omkar72 date: 2020/10/25 -modified: 2022/12/06 +modified: 2022/12/07 tags: - attack.defense_evasion - attack.t1202 @@ -42,7 +42,9 @@ detection: # Example FP: # ParentCommandLine: "C:\Program Files\Git\cmd\git.exe" cat-file -s 4ca60c8a054f7eaa05f0438a8292762f2015d228 Provider_Name: 'Microsoft-Windows-Kernel-Process' - ParentCommandLine|contains: ' cat-file -s ' + ParentCommandLine|contains: + - ' cat-file -s ' + - 'show --textconv' Image: 'C:\Windows\System32\conhost.exe' filter_image_conhost2: ParentCommandLine: 
@@ -51,9 +53,10 @@ detection: - '\\\?\?\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1' Image: 'C:\Windows\System32\conhost.exe' filter_image_git: - ParentCommandLine: '\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1' + ParentCommandLine: + - \\\?\?\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1' + - \\\?\?\\C:\\WINDOWS\\system32\\conhost.exe 0x4' Image: 'C:\Program Files\Git\mingw64\bin\git.exe' - CommandLine|contains: 'show --textconv :' condition: selection and not 1 of filter_* fields: - Image From 9a5a0fed207f4a5e3b2c03ed3a55ebdba7ed7211 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 7 Dec 2022 22:21:05 +0100 Subject: [PATCH 084/303] feat: update test to include more cases --- .../builtin/windefend/win_defender_amsi_trigger.yml | 4 ++-- .../builtin/windefend/win_defender_exclusions.yml | 2 +- .../windefend/win_defender_exploit_guard_tamper.yml | 6 +++--- .../win_defender_suspicious_features_tampering.yml | 2 +- tests/test_rules.py | 13 ++++++++----- 5 files changed, 15 insertions(+), 12 deletions(-) diff --git a/rules/windows/builtin/windefend/win_defender_amsi_trigger.yml b/rules/windows/builtin/windefend/win_defender_amsi_trigger.yml index 1f80579fe..1c18c99c1 100644 --- a/rules/windows/builtin/windefend/win_defender_amsi_trigger.yml +++ b/rules/windows/builtin/windefend/win_defender_amsi_trigger.yml @@ -6,7 +6,7 @@ references: - https://docs.microsoft.com/en-us/windows/win32/amsi/how-amsi-helps author: Bhabesh Raj date: 2020/09/14 -modified: 2021/10/13 +modified: 2022/12/07 tags: - attack.execution - attack.t1059 @@ -16,7 +16,7 @@ logsource: detection: selection: EventID: 1116 # The antimalware platform detected malware or other potentially unwanted software. - Source_Name: 'AMSI' + SourceName: 'AMSI' condition: selection falsepositives: - Unlikely 
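Review bot: The two new `ParentCommandLine` values in `filter_image_git` (proc_creation_win_susp_conhost.yml) close a single quote they never open, so YAML reads each as a plain scalar whose last character is a literal `'`; with no modifier on `ParentCommandLine:` this is an exact match against a command line that ends in a quote, which never occurs, so the filter is dead and the FP it was meant to suppress returns. The sibling entry in `filter_image_conhost2` directly above shows the intended form; the lines should read `- '\\\?\?\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1'` and `- '\\\?\?\\C:\\WINDOWS\\system32\\conhost.exe 0x4'`. The filter also no longer constrains `CommandLine`, so once fixed it excludes every git.exe child of conhost; a short comment stating that this broadening is deliberate would help whoever reviews FPs next.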
diff --git a/rules/windows/builtin/windefend/win_defender_exclusions.yml b/rules/windows/builtin/windefend/win_defender_exclusions.yml index 580404ce4..9ecb61821 100644 --- a/rules/windows/builtin/windefend/win_defender_exclusions.yml +++ b/rules/windows/builtin/windefend/win_defender_exclusions.yml @@ -16,7 +16,7 @@ logsource: detection: selection: EventID: 5007 # The antimalware platform configuration changed. - New_Value|contains: '\Microsoft\Windows Defender\Exclusions' + NewValue|contains: '\Microsoft\Windows Defender\Exclusions' condition: selection falsepositives: - Administrator actions diff --git a/rules/windows/builtin/windefend/win_defender_exploit_guard_tamper.yml b/rules/windows/builtin/windefend/win_defender_exploit_guard_tamper.yml index c2924356e..692e62478 100644 --- a/rules/windows/builtin/windefend/win_defender_exploit_guard_tamper.yml +++ b/rules/windows/builtin/windefend/win_defender_exploit_guard_tamper.yml @@ -16,9 +16,9 @@ logsource: detection: allowed_apps_key: EventID: 5007 # The antimalware platform configuration changed. - New_Value|contains: '\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\AllowedApplications\' + NewValue|contains: '\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\AllowedApplications\' allowed_apps_path: - New_Value|contains: + NewValue|contains: # Add more paths you don't allow in your org - '\Users\Public\' - '\AppData\Local\Temp\' @@ -28,7 +28,7 @@ detection: protected_folders: EventID: 5007 # The antimalware platform configuration changed. # This will trigger on any folder removal. If you experience FP's then add another selection with specific paths - Old_Value|contains: '\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders\' + OldValue|contains: '\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access\ProtectedFolders\' condition: all of allowed_apps* or protected_folders falsepositives: - Unlikely 
diff --git a/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml b/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml index 3f38a6d85..3fac677bf 100644 --- a/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml +++ b/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml @@ -21,7 +21,7 @@ logsource: detection: selection: EventID: 5007 # The antimalware platform configuration changed. - New_Value|contains: + NewValue|contains: # TODO: Add more suspicious values - '\Windows Defender\DisableAntiSpyware' - '\Windows Defender\Features\TamperProtection' diff --git a/tests/test_rules.py b/tests/test_rules.py index 452028809..e2cd3cf18 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py 
@@ -909,11 +909,14 @@ class TestRules(unittest.TestCase): for file in self.yield_next_rule_file_path(self.path_to_rules): # Some fields exists in certain log sources in different forms than other log sources. We need to handle these as special cases # We check first the logsource to handle special cases - logsource = self.get_rule_part(file_path=file, part_name="logsource") - # The current special cases are: - # - 'windefend' - if "windefend" in logsource.values(): - typos_ = typos + [("NewValue", "New_Value"), ("OldValue", "Old_Value")] + logsource = self.get_rule_part(file_path=file, part_name="logsource").values() + # add more typos in specific logsources below + if "windefend" in logsource: + typos_ = typos + [("New_Value", "NewValue"), ("Old_Value", "OldValue"), ('Source_Name', 'SourceName'), ("Newvalue", "NewValue"), ("Oldvalue", "OldValue"), ('Sourcename', 'SourceName')] + elif "registry_set" in logsource or "registry_add" in logsource or "registry_event" in logsource: + typos_ = typos + [("Targetobject", "TargetObject"), ("Eventtype", "EventType"), ("Newname", "NewName")] + elif "process_creation" in logsource: + typos_ = typos + [("Parentimage", "ParentImage"), ("Integritylevel", "IntegrityLevel"), ("IntegritiLevel", "IntegrityLevel")] else: typos_ = typos detection = self.get_rule_part(file_path=file, part_name="detection") From 8482d33708ad31025dc02ab1a588ca356185d322 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 7 Dec 2022 22:27:14 +0100 Subject: [PATCH 085/303] fix: add rule to fp filter --- .github/workflows/known-FPs.csv | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv index bbb1f00d1..696bedc49 100644 --- a/.github/workflows/known-FPs.csv +++ b/.github/workflows/known-FPs.csv 
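Review bot: The `if`/`elif` chain of per-logsource typo lists in tests/test_rules.py is a table that will keep growing; a module-level mapping from logsource value to extra pairs, consulted with one loop over `logsource`, would make the next addition a single line and keep the `typos_ = typos + ...` logic in one place. Note also that the pair order is swapped relative to the removed line (`("New_Value", "NewValue")` now, `("NewValue", "New_Value")` before), and all the new pairs follow the new order; whether the consumer further down expects (typo, correct) or (correct, typo) is not visible in this hunk and should be confirmed. The enclosing test method begins and ends outside the hunk.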
@@ -44,3 +44,4 @@ fdbf0b9d-0182-4c43-893b-a1eaab92d085;Newly Registered Protocol Handler;.* 52a85084-6989-40c3-8f32-091e12e17692;Suspicious Usage of CVE_2021_34484 or CVE 2022_21919;Computer: Agamemnon 573df571-a223-43bc-846e-3f98da481eca;Copy a File Downloaded From Internet;7z\.exe 37774c23-25a1-4adb-bb6d-8bb9fd59c0f8;Image Load of VSS Dll by Uncommon Executable;SetupFrontEnd\.exe +801bd44f-ceed-4eb6-887c-11544633c0aa;Windows Defender Suspicious Configuration Changes;.* From b1a657b7de08fd2162dacbd0ebd4172d6ff0b1d9 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 7 Dec 2022 22:27:27 +0100 Subject: [PATCH 086/303] fix: add spaces to avoid fp with other keys --- .../win_defender_suspicious_features_tampering.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml b/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml index 3fac677bf..65117fb6b 100644 --- a/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml +++ b/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml 
@@ -23,13 +23,13 @@ detection: EventID: 5007 # The antimalware platform configuration changed. NewValue|contains: # TODO: Add more suspicious values - - '\Windows Defender\DisableAntiSpyware' - - '\Windows Defender\Features\TamperProtection' - - '\Windows Defender\Scan\DisableRemovableDriveScanning' - - '\Windows Defender\Scan\DisableScanningMappedNetworkDrivesForFullScan' - - '\Windows Defender\SpyNet\DisableBlockAtFirstSeen' - - '\Real-Time Protection\SpyNetReporting' - - '\Real-Time Protection\SubmitSamplesConsent' + - '\Windows Defender\DisableAntiSpyware ' + - '\Windows Defender\Features\TamperProtection ' + - '\Windows Defender\Scan\DisableRemovableDriveScanning ' + - '\Windows Defender\Scan\DisableScanningMappedNetworkDrivesForFullScan ' + - '\Windows Defender\SpyNet\DisableBlockAtFirstSeen ' + - '\Real-Time Protection\SpyNetReporting ' + - '\Real-Time Protection\SubmitSamplesConsent ' # Exclusions changes are covered in 1321dc4e-a1fe-481d-a016-52c45f0c8b4f # Exploit guard changes are covered in a3ab73f1-bd46-4319-8f06-4b20d0617886 condition: selection From f12975bc6b6af39c2f35493f2cfb6f1bb26bd0e2 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 7 Dec 2022 22:34:56 +0100 Subject: [PATCH 087/303] fix: update description Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com> --- .../security/win_security_susp_codeintegrity_check_failure.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/builtin/security/win_security_susp_codeintegrity_check_failure.yml b/rules/windows/builtin/security/win_security_susp_codeintegrity_check_failure.yml index 19f0bf9c4..9ea2d5750 100644 --- a/rules/windows/builtin/security/win_security_susp_codeintegrity_check_failure.yml +++ b/rules/windows/builtin/security/win_security_susp_codeintegrity_check_failure.yml 
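Review bot: The trailing space inside each quoted `NewValue|contains` pattern in win_defender_suspicious_features_tampering.yml is load-bearing — it is what keeps `'\Windows Defender\DisableAntiSpyware '` from also matching longer value names that share the prefix — yet nothing in the file says so, and whitespace inside quotes is exactly what a formatter or a hurried edit will strip. A comment above the list, `# trailing space is intentional: NewValue continues after the value name, so the space prevents prefix matches on longer value names`, records the reason next to the data. The exact `NewValue` layout is inferred from the commit message rather than shown here, so the comment wording should be checked against a real 5007 event. The `selection` block starts above the hunk.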
@@ -1,7 +1,7 @@ title: Failed Code Integrity Checks id: 470ec5fa-7b4e-4071-b200-4c753100f49b status: stable -description: Detects Code integrity failures such as missing page hashes or corrupted drivers due unauthorized modification. This could be a signe of tampered binaries. +description: Detects code integrity failures such as missing page hashes or corrupted drivers due unauthorized modification. This could be a sign of tampered binaries. author: Thomas Patzke date: 2019/12/03 modified: 2020/08/23 From d393b57c361f1f25c0558e7a1cc9397c34d05a2d Mon Sep 17 00:00:00 2001 From: pbssubhash Date: Thu, 8 Dec 2022 11:49:53 +0530 Subject: [PATCH 088/303] Detection for LSASS Shtinkering --- .../file_event_lsass_shtinkering.yml | 23 +++++++++++++ .../proc_creation_lsass_shtinkering.yml | 32 +++++++++++++++++++ .../registry_add_usermode_dumping_enabled.yml | 23 +++++++++++++ ...ass_usermode_dumping_lsass_shtinkering.yml | 24 ++++++++++++++ 4 files changed, 102 insertions(+) create mode 100644 rules/windows/file/file_event/file_event_lsass_shtinkering.yml create mode 100644 rules/windows/process_creation/proc_creation_lsass_shtinkering.yml create mode 100644 rules/windows/registry/registry_add/registry_add_usermode_dumping_enabled.yml create mode 100644 rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping_lsass_shtinkering.yml diff --git a/rules/windows/file/file_event/file_event_lsass_shtinkering.yml b/rules/windows/file/file_event/file_event_lsass_shtinkering.yml new file mode 100644 index 000000000..ccd828eff --- /dev/null +++ b/rules/windows/file/file_event/file_event_lsass_shtinkering.yml 
@@ -0,0 +1,23 @@ +title: Suspicious LSASS Dump using LSASS Shtinkering +id: 6902955a-01b7-432c-b32a-6f5f81d8f625 +status: experimental +description: LSASS Shtinkering is a technique where using Windows Error Reporting, LSASS can be dumped. +references: + - https://github.com/deepinstinct/Lsass-Shtinkering +author: '@pbssubhash' +modified: 2022/12/08 +tags: + - attack.credential_access +logsource: + product: windows + category: file_event +detection: + selection: + TargetFilename|contains|all: + - 'lsass.exe' + - 'C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps' + TargetFilename|endswith: '.dmp' + condition: selection +falsepositives: + - Unknown +level: high \ No newline at end of file diff --git a/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml b/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml new file mode 100644 index 000000000..0bb7a5920 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml 
@@ -0,0 +1,32 @@ +title: Suspicious LSASS Dumping using Windows Error Reporting +id: 9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3 +status: experimental +description: LSASS Shtinkering is a technique where using Windows Error Reporting, LSASS can be dumped. +references: + - https://github.com/deepinstinct/Lsass-Shtinkering +author: '@pbssubhash' +date: 2022/12/08 +modified: 2022/12/08 +tags: + - attack.credential_access +logsource: + product: windows + category: process_creation +detection: + selection: + - Image|endswith: '\Werfault.exe' + - OriginalFileName: 'WerFault.Exe' + - CommandLine|contains: + - '-u ' + - '-p' + - '-ip ' + - '-s ' + # C:\Windows\system32\Werfault.exe -u -p 744 -ip 1112 -s 244 + selection_parent: + ParentImage|endswith: '\7zFM.exe' + filter_lsass: + ParentImage|endswith: 'C:\Windows\System32\lsass.exe' + condition: selection and not filter_lsass +falsepositives: + - Windows Error Reporting might have similar behavior and in that case, check the process associated with "-ip" parameter in CommandLine. +level: high diff --git a/rules/windows/registry/registry_add/registry_add_usermode_dumping_enabled.yml b/rules/windows/registry/registry_add/registry_add_usermode_dumping_enabled.yml new file mode 100644 index 000000000..16cc7d143 --- /dev/null +++ b/rules/windows/registry/registry_add/registry_add_usermode_dumping_enabled.yml 
@@ -0,0 +1,23 @@ +title: Adding of a registry key for LSASS Shtinkering +id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f718 +status: experimental +description: Detects when an attacker adds a registry key that's required to perform LSASS Shtinkering attack. +references: + - https://github.com/deepinstinct/Lsass-Shtinkering +author: '@pbssubhash' +date: 2022/12/08 +modified: 2022/12/08 +tags: + - attack.credential_access +logsource: + category: registry_add + product: windows +detection: + selection: + EventType: CreateKey + TargetObject|contains: + - '\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps' + condition: selection +falsepositives: + - Legitimate usage of enabling user mode dumping (Not seen in the wild) +level: high diff --git a/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping_lsass_shtinkering.yml b/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping_lsass_shtinkering.yml new file mode 100644 index 000000000..b282b2d17 --- /dev/null +++ b/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping_lsass_shtinkering.yml @@ -0,0 +1,24 @@ +title: Setting of a registry key's value for LSASS Shtinkering +id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f718 +status: experimental +description: Detects when an attacker adds a registry key that's required to perform LSASS Shtinkering attack. +references: + - https://github.com/deepinstinct/Lsass-Shtinkering +author: '@pbssubhash' +date: 2022/12/08 +modified: 2022/12/08 +tags: + - attack.credential_access +logsource: + category: registry_set + product: windows +detection: + selection: + EventType: SetValue + TargetObject: + - HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps + Details: 2 + condition: selection +falsepositives: + - Unknown +level: high From 9ea5fac51c876ed758aa00385f593062b9108aed Mon Sep 17 00:00:00 2001 
From: pbssubhash Date: Thu, 8 Dec 2022 11:56:40 +0530 Subject: [PATCH 089/303] Update proc_creation_lsass_shtinkering.yml --- .../process_creation/proc_creation_lsass_shtinkering.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml b/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml index 0bb7a5920..e4887f13c 100644 --- a/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml +++ b/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml @@ -16,7 +16,7 @@ detection: selection: - Image|endswith: '\Werfault.exe' - OriginalFileName: 'WerFault.Exe' - - CommandLine|contains: + - CommandLine|contains|all: - '-u ' - '-p' - '-ip ' From 4bb1df9f6e0631585b219cacbe5d0623a9ef680c Mon Sep 17 00:00:00 2001 From: pbssubhash Date: Thu, 8 Dec 2022 12:03:02 +0530 Subject: [PATCH 090/303] Update to remove FP --- .../process_creation/proc_creation_lsass_shtinkering.yml | 2 -- .../registry_add/registry_add_usermode_dumping_enabled.yml | 4 +++- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml b/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml index e4887f13c..1aa5c4f40 100644 --- a/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml +++ b/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml @@ -22,8 +22,6 @@ detection: - '-ip ' - '-s ' # C:\Windows\system32\Werfault.exe -u -p 744 -ip 1112 -s 244 - selection_parent: - ParentImage|endswith: '\7zFM.exe' filter_lsass: ParentImage|endswith: 'C:\Windows\System32\lsass.exe' condition: selection and not filter_lsass diff --git a/rules/windows/registry/registry_add/registry_add_usermode_dumping_enabled.yml b/rules/windows/registry/registry_add/registry_add_usermode_dumping_enabled.yml index 16cc7d143..c610cd2d6 100644 --- a/rules/windows/registry/registry_add/registry_add_usermode_dumping_enabled.yml 
+++ b/rules/windows/registry/registry_add/registry_add_usermode_dumping_enabled.yml @@ -17,7 +17,9 @@ detection: EventType: CreateKey TargetObject|contains: - '\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps' - condition: selection + filter: + TargetObject|endswith: '.exe' + condition: selection and not filter falsepositives: - Legitimate usage of enabling user mode dumping (Not seen in the wild) level: high From bea46b2b9ef171d8a989a059085e85196fe7a227 Mon Sep 17 00:00:00 2001 From: pbssubhash Date: Thu, 8 Dec 2022 12:13:25 +0530 Subject: [PATCH 091/303] Update to modify FP and UUID --- .github/workflows/known-FPs.csv | 1 + ..._shtinkering.yml => registry_set_lsass_usermode_dumping.yml} | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) rename rules/windows/registry/registry_set/{registry_set_lsass_usermode_dumping_lsass_shtinkering.yml => registry_set_lsass_usermode_dumping.yml} (94%) diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv index bbb1f00d1..9b7911bb3 100644 --- a/.github/workflows/known-FPs.csv +++ b/.github/workflows/known-FPs.csv @@ -44,3 +44,4 @@ fdbf0b9d-0182-4c43-893b-a1eaab92d085;Newly Registered Protocol Handler;.* 52a85084-6989-40c3-8f32-091e12e17692;Suspicious Usage of CVE_2021_34484 or CVE 2022_21919;Computer: Agamemnon 573df571-a223-43bc-846e-3f98da481eca;Copy a File Downloaded From Internet;7z\.exe 37774c23-25a1-4adb-bb6d-8bb9fd59c0f8;Image Load of VSS Dll by Uncommon Executable;SetupFrontEnd\.exe +33efc23c-6ea2-4503-8cfe-bdf82ce8f718;Adding of a registry key for LSASS Shtinkering;\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps 
diff --git a/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping_lsass_shtinkering.yml b/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml similarity index 94% rename from rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping_lsass_shtinkering.yml rename to rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml index b282b2d17..dab1b1a9c 100644 --- a/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping_lsass_shtinkering.yml +++ b/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml @@ -1,5 +1,5 @@ title: Setting of a registry key's value for LSASS Shtinkering -id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f718 +id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f719 status: experimental description: Detects when an attacker adds a registry key that's required to perform LSASS Shtinkering attack. references: From edc99c92a2e2a7eda7516df6f7aef5a562095ef2 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 8 Dec 2022 11:02:56 +0100 Subject: [PATCH 092/303] fix: enhance rules related to Lsass-Shtinkering --- .github/workflows/known-FPs.csv | 1 - .../file_event_lsass_shtinkering.yml | 17 +++++---- .../proc_creation_lsass_shtinkering.yml | 37 +++++++++++-------- .../registry_add_usermode_dumping_enabled.yml | 25 ------------- .../registry_set_lsass_usermode_dumping.yml | 17 +++++---- 5 files changed, 41 insertions(+), 56 deletions(-) delete mode 100644 rules/windows/registry/registry_add/registry_add_usermode_dumping_enabled.yml diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv index 9b7911bb3..bbb1f00d1 100644 --- a/.github/workflows/known-FPs.csv +++ b/.github/workflows/known-FPs.csv 
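Review bot: The replacement `id` in registry_set_lsass_usermode_dumping.yml is the old one with its last hex digit bumped from `8` to `9` rather than a freshly generated UUID; rule ids are meant to be random UUIDv4 values, and a hand-edited neighbour of an existing id invites future collisions and hides which rule was the original. Generate the value with a UUID tool and use `id: <newly generated UUIDv4>` (placeholder). If the link to the registry_add rule matters, the `related:` field is the place to express it, not the id itself.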
@@ -44,4 +44,3 @@ fdbf0b9d-0182-4c43-893b-a1eaab92d085;Newly Registered Protocol Handler;.* 52a85084-6989-40c3-8f32-091e12e17692;Suspicious Usage of CVE_2021_34484 or CVE 2022_21919;Computer: Agamemnon 573df571-a223-43bc-846e-3f98da481eca;Copy a File Downloaded From Internet;7z\.exe 37774c23-25a1-4adb-bb6d-8bb9fd59c0f8;Image Load of VSS Dll by Uncommon Executable;SetupFrontEnd\.exe -33efc23c-6ea2-4503-8cfe-bdf82ce8f718;Adding of a registry key for LSASS Shtinkering;\\SOFTWARE\\Microsoft\\Windows\\Windows Error Reporting\\LocalDumps diff --git a/rules/windows/file/file_event/file_event_lsass_shtinkering.yml b/rules/windows/file/file_event/file_event_lsass_shtinkering.yml index ccd828eff..522ab6eb3 100644 --- a/rules/windows/file/file_event/file_event_lsass_shtinkering.yml +++ b/rules/windows/file/file_event/file_event_lsass_shtinkering.yml 
@@ -1,23 +1,24 @@ -title: Suspicious LSASS Dump using LSASS Shtinkering +title: LSASS Process Dump Artefact In CrashDumps Folder id: 6902955a-01b7-432c-b32a-6f5f81d8f625 status: experimental -description: LSASS Shtinkering is a technique where using Windows Error Reporting, LSASS can be dumped. +description: Detects the presence of an LSASS dump file in the "CrashDumps" folder. This could be a sign of LSASS credential dumping. Techniques such as the LSASS Shtinkering have been seen abusing the Windows Error Reporting to dump said process. references: - https://github.com/deepinstinct/Lsass-Shtinkering + - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf author: '@pbssubhash' -modified: 2022/12/08 +date: 2022/12/08 tags: - attack.credential_access + - attack.t1003.001 logsource: product: windows category: file_event detection: selection: - TargetFilename|contains|all: - - 'lsass.exe' - - 'C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps' + TargetFilename|startswith: 'C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps\' + TargetFilename|contains: 'lsass.exe.' TargetFilename|endswith: '.dmp' condition: selection falsepositives: - - Unknown -level: high \ No newline at end of file + - Rare legitimate dump of the process by the operating system due to a crash of lsass +level: high diff --git a/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml b/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml index 1aa5c4f40..a88adb413 100644 --- a/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml +++ b/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml 
@@ -1,30 +1,37 @@ -title: Suspicious LSASS Dumping using Windows Error Reporting +title: Potential Credential Dumping Via Windows Error Reporting id: 9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3 status: experimental -description: LSASS Shtinkering is a technique where using Windows Error Reporting, LSASS can be dumped. +description: Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass references: - https://github.com/deepinstinct/Lsass-Shtinkering -author: '@pbssubhash' + - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf +author: '@pbssubhash , Nasreddine Bencherchali' date: 2022/12/08 -modified: 2022/12/08 tags: - attack.credential_access + - attack.t1003.001 logsource: product: windows category: process_creation detection: - selection: + selection_img: - Image|endswith: '\Werfault.exe' - - OriginalFileName: 'WerFault.Exe' - - CommandLine|contains|all: - - '-u ' - - '-p' - - '-ip ' - - '-s ' - # C:\Windows\system32\Werfault.exe -u -p 744 -ip 1112 -s 244 + - OriginalFileName: 'WerFault.exe' + selection_cli: + ParentUser|contains: # covers many language settings + - 'AUTHORI' + - 'AUTORI' + User|contains: + - 'AUTHORI' + - 'AUTORI' + CommandLine|contains|all: + # Example: C:\Windows\system32\Werfault.exe -u -p 744 -ip 1112 -s 244 + - ' -u -p ' + - ' -ip ' + - ' -s ' filter_lsass: - ParentImage|endswith: 'C:\Windows\System32\lsass.exe' - condition: selection and not filter_lsass + ParentImage: 'C:\Windows\System32\lsass.exe' + condition: all of selection_* and not 1 of filter_* falsepositives: - - Windows Error Reporting might have similar behavior and in that case, check the process associated with "-ip" parameter in CommandLine. + - Windows Error Reporting might produce similar behavior. 
In that case, check the PID associated with the "-p" parameter in the CommandLine. level: high diff --git a/rules/windows/registry/registry_add/registry_add_usermode_dumping_enabled.yml b/rules/windows/registry/registry_add/registry_add_usermode_dumping_enabled.yml deleted file mode 100644 index c610cd2d6..000000000 --- a/rules/windows/registry/registry_add/registry_add_usermode_dumping_enabled.yml +++ /dev/null @@ -1,25 +0,0 @@ -title: Adding of a registry key for LSASS Shtinkering -id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f718 -status: experimental -description: Detects when an attacker adds a registry key that's required to perform LSASS Shtinkering attack. -references: - - https://github.com/deepinstinct/Lsass-Shtinkering -author: '@pbssubhash' -date: 2022/12/08 -modified: 2022/12/08 -tags: - - attack.credential_access -logsource: - category: registry_add - product: windows -detection: - selection: - EventType: CreateKey - TargetObject|contains: - - '\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps' - filter: - TargetObject|endswith: '.exe' - condition: selection and not filter -falsepositives: - - Legitimate usage of enabling user mode dumping (Not seen in the wild) -level: high diff --git a/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml b/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml index dab1b1a9c..c362fe0e6 100644 --- a/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml +++ b/rules/windows/registry/registry_set/registry_set_lsass_usermode_dumping.yml 
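Review bot: `selection_cli` in proc_creation_lsass_shtinkering.yml requires `ParentUser`, a field that only newer Sysmon releases emit in process-creation events; on sensors or other process-creation sources without it, `all of selection_*` can never be satisfied and the rule silently goes dark instead of degrading to the `User` and `CommandLine` checks. Either document the dependency on the field, `ParentUser|contains: # requires a Sysmon version that populates ParentUser`, or move the parent-user check into its own selection so the rest still fires without it. The `description` also repeats "Windows Error Reporting" and lacks a closing period; `Detects potential credential dumping via the LSASS Shtinkering technique, which abuses Windows Error Reporting to dump lsass.` reads cleaner. This hunk starts on the previous physical line.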
@@ -1,24 +1,27 @@ -title: Setting of a registry key's value for LSASS Shtinkering +title: Lsass Full Dump Request Via DumpType Registry Settings id: 33efc23c-6ea2-4503-8cfe-bdf82ce8f719 status: experimental -description: Detects when an attacker adds a registry key that's required to perform LSASS Shtinkering attack. +description: Detects the setting of the "DumpType" registry value to "2" which stands for a "Full Dump". Technique such as LSASS Shtinkering requires this value to be "2" in order to dump LSASS. references: - https://github.com/deepinstinct/Lsass-Shtinkering + - https://learn.microsoft.com/en-us/windows/win32/wer/collecting-user-mode-dumps + - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf author: '@pbssubhash' date: 2022/12/08 -modified: 2022/12/08 tags: - attack.credential_access + - attack.t1003.001 logsource: category: registry_set product: windows detection: selection: EventType: SetValue - TargetObject: - - HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps - Details: 2 + TargetObject|contains: + - '\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\DumpType' + - '\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps\lsass.exe\DumpType' + Details: 'DWORD (0x00000002)' # Full Dump condition: selection falsepositives: - - Unknown + - Legitimate application that needs to do a full dump of their process level: high From bfcdcf2b9c21191905f293ae54aaf5599c4c9eb9 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 8 Dec 2022 11:44:59 +0100 Subject: [PATCH 093/303] fix: remove fp filter --- .github/workflows/known-FPs.csv | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv index 696bedc49..bbb1f00d1 100644 --- a/.github/workflows/known-FPs.csv 
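Review bot: The first `TargetObject|contains` entry in registry_set_lsass_usermode_dumping.yml, `\LocalDumps\DumpType`, is the machine-wide WER dump setting and is not specific to lsass, so the rule fires whenever full dumps are enabled globally while the title reads as LSASS-only; the `falsepositives` entry acknowledges this but the selection does not explain it. A comment on that line, `# the machine-wide DumpType also governs lsass.exe, so it must be covered`, ties the two together, and `title: Full Dump Request Via DumpType Registry Settings` would stop overstating the scope if the global match is intended. The `# Full Dump` comment on `Details` is good; stating there that `'DWORD (0x00000002)'` is the Sysmon registry-event rendering would explain why the value is a quoted string rather than the integer the earlier revision used.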
+++ b/.github/workflows/known-FPs.csv @@ -44,4 +44,3 @@ fdbf0b9d-0182-4c43-893b-a1eaab92d085;Newly Registered Protocol Handler;.* 52a85084-6989-40c3-8f32-091e12e17692;Suspicious Usage of CVE_2021_34484 or CVE 2022_21919;Computer: Agamemnon 573df571-a223-43bc-846e-3f98da481eca;Copy a File Downloaded From Internet;7z\.exe 37774c23-25a1-4adb-bb6d-8bb9fd59c0f8;Image Load of VSS Dll by Uncommon Executable;SetupFrontEnd\.exe -801bd44f-ceed-4eb6-887c-11544633c0aa;Windows Defender Suspicious Configuration Changes;.* From 2506d29bc9b0043c6be21a6ccb5c54763139319a Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 8 Dec 2022 11:57:26 +0100 Subject: [PATCH 094/303] feat: add more checks for the test --- tests/test_rules.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/tests/test_rules.py b/tests/test_rules.py index 5d88c97e9..22d3bd755 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py @@ -882,8 +882,12 @@ class TestRules(unittest.TestCase): continue if selection == "timeframe": continue - if selection in condition: + + # remove special keywords + condition_list = condition.replace("not ", '').replace("1 of ", '').replace("all of ", '').replace(' or ', ' ').replace(' and ', ' ').replace('(', '').replace(')', '').split(" ") + if selection in condition_list: continue + # find all wildcards in condition found = False for wildcard_selection in wildcard_selections.findall(condition): From 0567ca8ca3b055efca601f4f8686d9cdab118b90 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 8 Dec 2022 11:57:40 +0100 Subject: [PATCH 095/303] fix: fix unused selection --- .../security/win_security_susp_scheduled_task_creation.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
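Review bot: The `condition_list` tokenizer in tests/test_rules.py strips keywords one at a time with chained `replace` calls, but for a membership test none of that stripping is needed — splitting on anything that is not part of a selection name gives the same answer with fewer ways to go wrong (a doubled space, a `|` aggregation suffix, or a keyword written with different spacing all leave stray tokens today). Assuming `re` is already imported, as `wildcard_selections.findall` suggests, `condition_list = re.findall(r"[\w*]+", condition)` replaces the whole chain and copes with parentheses as well; widen the character class if any selection name uses other characters. The enclosing test method begins and ends outside the hunk.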
diff --git a/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml b/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml index 0351da356..4da7fb242 100644 --- a/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml +++ b/rules/windows/builtin/security/win_security_susp_scheduled_task_creation.yml @@ -6,6 +6,7 @@ references: - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4698 author: Nasreddine Bencherchali date: 2022/12/05 +modified: 2022/12/07 tags: - attack.execution - attack.privilege_escalation @@ -16,7 +17,7 @@ logsource: service: security definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.' detection: - selection: + selection_eid: EventID: 4698 selection_paths: TaskContent|contains: From 18c3c8528d3d2df49701c862d20423220581a29a Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 8 Dec 2022 12:13:14 +0100 Subject: [PATCH 096/303] fix: remove tamper protection value --- .../windefend/win_defender_suspicious_features_tampering.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml b/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml index 65117fb6b..1aa0edf42 100644 --- a/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml +++ b/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml 
@@ -24,7 +24,7 @@ detection:
NewValue|contains:
# TODO: Add more suspicious values
- '\Windows Defender\DisableAntiSpyware '
- - '\Windows Defender\Features\TamperProtection '
+ #- '\Windows Defender\Features\TamperProtection ' # Might produce FP
- '\Windows Defender\Scan\DisableRemovableDriveScanning '
- '\Windows Defender\Scan\DisableScanningMappedNetworkDrivesForFullScan '
- '\Windows Defender\SpyNet\DisableBlockAtFirstSeen '
From c560baf67337410da12f863dd434c39138acd11b Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 8 Dec 2022 16:23:48 +0100 Subject: [PATCH 097/303] feat: enhance test --- tests/test_rules.py | 55 +++++++++++++++++++++++++++++++++------------ 1 file changed, 41 insertions(+), 14 deletions(-)
diff --git a/tests/test_rules.py b/tests/test_rules.py
index 22d3bd755..64c355adc 100755
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
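Review bot: Commenting out `'\Windows Defender\Features\TamperProtection '` removes the only value in this list that covers tamper-protection changes, and `# Might produce FP` gives the next maintainer nothing to act on — neither the source of the noise nor what would make it safe to re-enable. If a specific legitimate writer was observed, name it and keep the value in its own selection behind a `filter_` on that source rather than dropping it; if the source is not known, say that instead: `# Disabled 2022/12: noisy in production, FP source not yet identified; re-enable behind a filter once known`. As committed, a tamper-protection change that lands in this event source produces no alert from the rule, which is the opposite of what a rule named "suspicious features tampering" suggests it covers. The `NewValue|contains` list begins inside the hunk but the surrounding selection and condition are outside it.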
@@ -838,32 +838,59 @@ class TestRules(unittest.TestCase): "There are rules with non-conform 'logsource' fields. Please check: https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide#log-source") def test_selection_list_one_value(self): + + def treat_list(file, values, valid_, selection_name): + # rule with only list of Keywords term + if len(values) == 1 and not isinstance(values[0], str): + print( + Fore.RED + "Rule {} has the selection ({}) with a list of only 1 element in detection".format(file, key) + ) + valid_ = False + elif isinstance(values[0], dict): + valid_ = treat_dict(file, values, valid_, selection_name) + return valid_ + + def treat_dict(file, values, valid_, selection_name): + if isinstance(values, list): + for dict_ in values: + for key_ in dict_.keys(): + if isinstance(dict_[key_], list): + if len(dict_[key_]) == 1: + print( + Fore.RED + "Rule {} has the selection ({}/{}) with a list of only 1 value in detection".format(file, selection_name, key_) + ) + valid_ = False + else: + dict_ = values + for key_ in dict_.keys(): + if isinstance(dict_[key_], list): + if len(dict_[key_]) == 1: + print( + Fore.RED + "Rule {} has the selection ({}/{}) with a list of only 1 value in detection".format(file, selection_name, key_) + ) + valid_ = False + return valid_ + faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): detection = self.get_rule_part( file_path=file, part_name="detection") if detection: + valid = True for key in detection: + values = detection[key] if isinstance(detection[key], list): - # rule with only list of Keywords term - if len(detection[key]) == 1 and not isinstance(detection[key][0], str): - print( - Fore.RED + "Rule {} has the selection ({}) with a list of only 1 element in detection".format(file, key)) - valid = False + valid = treat_list(file, values, valid, key) + if isinstance(detection[key], dict): - for sub_key in detection[key]: - # split in 2 if as get a error "int has not len()" - if 
isinstance(detection[key][sub_key], list): - if len(detection[key][sub_key]) == 1: - print( - Fore.RED + "Rule {} has the selection ({}/{}) with a list of only 1 value in detection".format(file, key, sub_key)) - valid = False + valid = treat_dict(file, values, valid, key) + if not valid: faulty_rules.append(file) - + self.assertEqual(faulty_rules, [], Fore.RED + - "There are rules using list with only 1 element") + "There are rules using list with only 1 element") def test_unused_selection(self): faulty_rules = [] From 80ef3b70dc5eee9b1c0a3ccf20429a0c0ceaf82b Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 8 Dec 2022 16:23:58 +0100 Subject: [PATCH 098/303] fix: broken single item lists --- rules/application/antivirus/av_hacktool.yml | 3 +-- .../builtin/system/win_system_service_install_hacktools.yml | 3 +-- .../file_event_win_hivenightmare_file_exports.yml | 3 +-- .../image_load/image_load_abusing_azure_browser_sso.yml | 3 +-- .../image_load/image_load_susp_python_image_load.yml | 3 +-- .../net_connection_win_rdp_reverse_tunnel.yml | 6 ++---- .../net_connection_win_rundll32_net_connections.yml | 3 +-- ...connection_win_susp_prog_location_network_connection.yml | 6 ++---- .../posh_ps_set_policies_to_unsecure_level.yml | 3 +-- .../proc_creation_win_apt_hurricane_panda.yml | 3 +-- .../process_creation/proc_creation_win_mmc_spawn_shell.yml | 3 +-- .../proc_creation_win_mshta_spawn_shell.yml | 3 +-- .../registry_event/registry_event_mal_flowcloud.yml | 3 +-- .../registry_set_susp_reg_persist_explorer_run.yml | 3 +-- 14 files changed, 16 insertions(+), 32 deletions(-) diff --git a/rules/application/antivirus/av_hacktool.yml b/rules/application/antivirus/av_hacktool.yml index 8c29fdb92..a00032666 100644 --- a/rules/application/antivirus/av_hacktool.yml +++ b/rules/application/antivirus/av_hacktool.yml 
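Review bot: `treat_list` formats its message with `.format(file, key)`, but `key` is not a parameter of the nested function; it resolves only because `key` happens to be the loop variable of the enclosing `test_selection_list_one_value` at call time, while the `selection_name` argument passed for exactly this purpose goes unused on that path — change it to `.format(file, selection_name)` so the helper does not depend on the caller's local names. The two branches of `treat_dict` are the same loop duplicated; normalizing the input first, `for dict_ in (values if isinstance(values, list) else [values]):`, removes the copy. `treat_list` also decides whether to descend by inspecting `values[0]` alone, so a list whose first entry is a string and a later entry a mapping holding a single-item list is not checked; iterating the list and dispatching per element would close that.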
@@ -19,8 +19,7 @@ detection:
- 'HKTL'
- 'SecurityTool'
- 'ATK/' # Sophos
- - Signature|contains:
- - 'Hacktool'
+ - Signature|contains: 'Hacktool'
condition: selection
fields:
- FileName
diff --git a/rules/windows/builtin/system/win_system_service_install_hacktools.yml b/rules/windows/builtin/system/win_system_service_install_hacktools.yml
index 69d804443..7441654f1 100644
--- a/rules/windows/builtin/system/win_system_service_install_hacktools.yml
+++ b/rules/windows/builtin/system/win_system_service_install_hacktools.yml
@@ -28,8 +28,7 @@ detection:
- 'pwdump'
- 'gsecdump'
- 'cachedump'
- - ImagePath|contains:
- - 'bypass' # https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82#file-scmuacbypass-cpp-L159
+ - ImagePath|contains: 'bypass' # https://gist.github.com/tyranid/c24cfd1bd141d14d4925043ee7e03c82#file-scmuacbypass-cpp-L159
condition: service and selection
falsepositives:
- Unknown
diff --git a/rules/windows/file/file_event/file_event_win_hivenightmare_file_exports.yml b/rules/windows/file/file_event/file_event_win_hivenightmare_file_exports.yml
index 889b3c559..e5532258a 100644
--- a/rules/windows/file/file_event/file_event_win_hivenightmare_file_exports.yml
+++ b/rules/windows/file/file_event/file_event_win_hivenightmare_file_exports.yml
@@ -26,8 +26,7 @@ detection:
- '\SAM-2023-' # C++ version
- '\SAM-haxx' # Early C++ versions
- '\Sam.save' # PowerShell version
- - TargetFilename:
- - 'C:\windows\temp\sam' # C# version of HiveNightmare
+ - TargetFilename: 'C:\windows\temp\sam' # C# version of HiveNightmare
condition: selection
fields:
- CommandLine
diff --git a/rules/windows/image_load/image_load_abusing_azure_browser_sso.yml b/rules/windows/image_load/image_load_abusing_azure_browser_sso.yml
index d7c7b4b0c..5f9316e43 100644
--- a/rules/windows/image_load/image_load_abusing_azure_browser_sso.yml
+++ b/rules/windows/image_load/image_load_abusing_azure_browser_sso.yml
@@ -30,8 +30,7 @@ detection:
- '\AppData\Local\Microsoft\OneDrive\OneDrive.exe'
- '\msedgewebview2.exe'
- '\OneDrive.exe'
- - Image|startswith:
- - 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
+ - Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeWebView\Application\'
- Image: null
condition: selection_dll and not filter_legit
falsepositives:
diff --git a/rules/windows/image_load/image_load_susp_python_image_load.yml b/rules/windows/image_load/image_load_susp_python_image_load.yml
index d707c3081..4a169cff3 100644
--- a/rules/windows/image_load/image_load_susp_python_image_load.yml
+++ b/rules/windows/image_load/image_load_susp_python_image_load.yml
@@ -18,8 +18,7 @@ detection:
selection:
Description: 'Python Core'
filter_generic:
- - Image|contains:
- - 'Python' # FPs with python38.dll, python.exe etc.
+ - Image|contains: 'Python' # FPs with python38.dll, python.exe etc.
- Image|startswith:
- 'C:\Program Files\'
- 'C:\Program Files (x86)\'
diff --git a/rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml b/rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml
index a031d7218..d2e43c75c 100755
--- a/rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml
+++ b/rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml
@@ -22,10 +22,8 @@ detection:
Initiated: 'true'
SourcePort: 3389
selection2:
- - DestinationIp|startswith:
- - '127.'
- - DestinationIp:
- - '::1'
+ - DestinationIp|startswith: '127.'
+ - DestinationIp: '::1'
condition: selection and selection2
falsepositives:
- Unknown
diff --git a/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml b/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml
index 72440a3e0..bfeb4b580 100755
--- a/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml
+++ b/rules/windows/network_connection/net_connection_win_rundll32_net_connections.yml
@@ -43,8 +43,7 @@ detection:
- '51.103.' # Microsoft range, caused some FPs
- '51.104.' # Microsoft range, caused some FPs
- '51.105.' # Microsoft range, caused some FPs
- - CommandLine|contains:
- - 'PcaSvc.dll,PcaPatchSdbTask'
+ - CommandLine|contains: 'PcaSvc.dll,PcaPatchSdbTask'
filter_update_processes:
ParentImage: 'C:\Windows\System32\svchost.exe'
RemoteAddress|endswith: ':443'
diff --git a/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml b/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml
index 0c1c0c605..06c238c9f 100755
--- a/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml
@@ -27,10 +27,8 @@ detection:
- '\Windows\Fonts\'
- '\Windows\IME\'
- '\Windows\addins\'
- - Image|endswith:
- - '\$Recycle.bin'
- - Image|startswith:
- - 'C:\Perflogs\'
+ - Image|endswith: '\$Recycle.bin'
+ - Image|startswith: 'C:\Perflogs\'
false_positive1:
Image|startswith: 'C:\Users\Public\IBM\ClientSolutions\Start_Programs\' # IBM Client Solutions Default Location
condition: selection and not 1 of false_positive*
diff --git a/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml b/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml
index 862c5127a..3bbce1ac4 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_set_policies_to_unsecure_level.yml
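Review bot: `Image|endswith: '\$Recycle.bin'` in the susp_prog_location hunk can only match a process image whose path ends in the directory name itself, so it never fires for a binary executed from inside the recycle bin, which is what a "suspicious program location" rule is after; the commit collapses the single-item list and carries that over. The intent is almost certainly a directory-prefix match, `- Image|contains: '\$Recycle.bin\'`, consistent with the `'\Windows\Fonts\'`-style fragments just above it (their modifier sits before the hunk, so it is inferred from the trailing backslashes). Worth a fix while the line is being touched, and a comment noting that the `$` is literal, not a variable, in this backend-neutral Sigma string.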
@@ -25,8 +25,7 @@ detection:
- 'bypass'
- 'RemoteSigned'
filter:
- - ParentImage:
- - 'C:\ProgramData\chocolatey\choco.exe'
+ - ParentImage: 'C:\ProgramData\chocolatey\choco.exe'
- ScriptBlockText|contains:
- "(New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1')"
- "(New-Object System.Net.WebClient).DownloadString('https://chocolatey.org/install.ps1')"
diff --git a/rules/windows/process_creation/proc_creation_win_apt_hurricane_panda.yml b/rules/windows/process_creation/proc_creation_win_apt_hurricane_panda.yml
index b7c40f826..bb2986d64 100755
--- a/rules/windows/process_creation/proc_creation_win_apt_hurricane_panda.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_hurricane_panda.yml
@@ -20,8 +20,7 @@ detection:
- 'localgroup'
- 'admin'
- '/add'
- - CommandLine|contains:
- - '\Win64.exe'
+ - CommandLine|contains: '\Win64.exe'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_mmc_spawn_shell.yml b/rules/windows/process_creation/proc_creation_win_mmc_spawn_shell.yml
index 3e83ac024..7fb2f061e 100644
--- a/rules/windows/process_creation/proc_creation_win_mmc_spawn_shell.yml
+++ b/rules/windows/process_creation/proc_creation_win_mmc_spawn_shell.yml
@@ -27,8 +27,7 @@ detection:
- '\bash.exe'
- '\reg.exe'
- '\regsvr32.exe'
- - Image|contains:
- - '\BITSADMIN'
+ - Image|contains: '\BITSADMIN'
condition: all of selection*
fields:
- CommandLine
diff --git a/rules/windows/process_creation/proc_creation_win_mshta_spawn_shell.yml b/rules/windows/process_creation/proc_creation_win_mshta_spawn_shell.yml
index ff534cdd5..ba499f84d 100644
--- a/rules/windows/process_creation/proc_creation_win_mshta_spawn_shell.yml
+++ b/rules/windows/process_creation/proc_creation_win_mshta_spawn_shell.yml
@@ -30,8 +30,7 @@ detection:
- '\bash.exe'
- '\reg.exe'
- '\regsvr32.exe'
- - Image|contains:
- - '\BITSADMIN'
+ - Image|contains: '\BITSADMIN'
condition: all of selection*
fields:
- CommandLine
diff --git a/rules/windows/registry/registry_event/registry_event_mal_flowcloud.yml b/rules/windows/registry/registry_event/registry_event_mal_flowcloud.yml
index d9f20e6c5..dc8b279ac 100644
--- a/rules/windows/registry/registry_event/registry_event_mal_flowcloud.yml
+++ b/rules/windows/registry/registry_event/registry_event_mal_flowcloud.yml
@@ -19,8 +19,7 @@ detection:
- 'HKLM\HARDWARE\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}'
- 'HKLM\HARDWARE\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}'
- 'HKLM\HARDWARE\{2DB80286-1784-48b5-A751-B6ED1F490303}'
- - TargetObject|startswith:
- - 'HKLM\SYSTEM\Setup\PrintResponsor\'
+ - TargetObject|startswith: 'HKLM\SYSTEM\Setup\PrintResponsor\'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml b/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml
index a288c972d..1c86770c1 100755
--- a/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml
+++ b/rules/windows/registry/registry_set/registry_set_susp_reg_persist_explorer_run.yml
@@ -25,8 +25,7 @@ detection:
- 'C:\Temp\'
- 'C:\Users\Public\'
- 'C:\Users\Default\'
- - Details|contains:
- - '\AppData\'
+ - Details|contains: '\AppData\'
condition: selection and selection2
fields:
- Image
From c18f634c021c0ba75c28323fa3640e7ea6071c03 Mon Sep 17 00:00:00 2001 From: Qasim Qlf Date: Thu, 8 Dec 2022 21:08:01 +0500 Subject: [PATCH 099/303] Added more FPs --- .../proc_creation_win_msiexec_execute_dll.yml | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml b/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml
index 3a6122f98..67f0c66df 100644
--- a/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml
+++ b/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml
@@ -10,7 +10,7 @@ references:
- https://twitter.com/_st0pp3r_/status/1583914515996897281
author: frack113
date: 2022/01/16
-modified: 2022/10/23
+modified: 2022/12/08
tags:
- attack.defense_evasion
- attack.t1218.007
@@ -30,7 +30,13 @@ detection:
- '\MsiExec.exe" /Y "C:\Program Files (x86)\Apple Software Update\ScriptingObjectModel.dll'
- '\MsiExec.exe" /Y "C:\Program Files (x86)\Apple Software Update\SoftwareUpdateAdmin.dll'
- '\MsiExec.exe" /Y "C:\Windows\CCM\'
- - '\MsiExec.exe" /Y C:\Windows\CCM\' #also need non-quoted execution
+ - '\MsiExec.exe" /Y C:\Windows\CCM\', #also need non-quoted execution
+ - '\MsiExec.exe" -Y "C:\Program Files\Bonjour\mdnsNSP.dll'
+ - '\MsiExec.exe" -Y "C:\Program Files (x86)\Bonjour\mdnsNSP.dll'
+ - '\MsiExec.exe" -Y "C:\Program Files (x86)\Apple Software Update\ScriptingObjectModel.dll'
+ - '\MsiExec.exe" -Y "C:\Program Files (x86)\Apple Software Update\SoftwareUpdateAdmin.dll'
+ - '\MsiExec.exe" -Y "C:\Windows\CCM\'
+ - '\MsiExec.exe" -Y C:\Windows\CCM\' #also need non-quoted execution
condition: selection and not 1 of filter_*
falsepositives:
- Legitimate script
From ece1d01038e260e0d4867c17ec28890bef3dd490 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 8 Dec 2022 17:34:56 +0100 Subject: [PATCH 100/303] fix: syntax error, additional comma --- .../process_creation/proc_creation_win_msiexec_execute_dll.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml b/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml
index 67f0c66df..cf29b211d 100644
--- a/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml
+++ b/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml
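Review bot: The six added `-Y` lines are a one-for-one mirror of the existing `/Y` entries, so the filter list now has to be maintained in two copies for every product that registers a DLL this way, and the next vendor added will likely get only one spelling. If the `selection` that is outside this hunk already restricts the rule to msiexec with a `/y` or `-y` switch, the switch prefix adds nothing to the filter and each pair can collapse to the path fragment alone, e.g. `'Y "C:\Windows\CCM\'` and `'Y C:\Windows\CCM\'`; confirm that first, since the visible filter relies on the leading `\MsiExec.exe" ` to anchor the match. The `#also need non-quoted execution` comments would then read better as one line above the pair explaining why both the quoted and unquoted forms exist.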
@@ -30,7 +30,7 @@ detection:
- '\MsiExec.exe" /Y "C:\Program Files (x86)\Apple Software Update\ScriptingObjectModel.dll'
- '\MsiExec.exe" /Y "C:\Program Files (x86)\Apple Software Update\SoftwareUpdateAdmin.dll'
- '\MsiExec.exe" /Y "C:\Windows\CCM\'
- - '\MsiExec.exe" /Y C:\Windows\CCM\', #also need non-quoted execution
+ - '\MsiExec.exe" /Y C:\Windows\CCM\' # also need non-quoted execution
- '\MsiExec.exe" -Y "C:\Program Files\Bonjour\mdnsNSP.dll'
- '\MsiExec.exe" -Y "C:\Program Files (x86)\Bonjour\mdnsNSP.dll'
- '\MsiExec.exe" -Y "C:\Program Files (x86)\Apple Software Update\ScriptingObjectModel.dll'
From 47b5272fcdb5bd068934bee367b630d7fb932df3 Mon Sep 17 00:00:00 2001 From: BlueTeamOps <1480956+blueteam0ps@users.noreply.github.com> Date: Fri, 9 Dec 2022 06:21:02 +1100 Subject: [PATCH 101/303] Create azure_ad_azurehound_discovery.yml (#3762) Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> --- .../azure/azure_ad_azurehound_discovery.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/cloud/azure/azure_ad_azurehound_discovery.yml
diff --git a/rules/cloud/azure/azure_ad_azurehound_discovery.yml b/rules/cloud/azure/azure_ad_azurehound_discovery.yml
new file mode 100644
index 000000000..41bada855
--- /dev/null
+++ b/rules/cloud/azure/azure_ad_azurehound_discovery.yml
@@ -0,0 +1,23 @@
+title: Discovery Using AzureHound
+id: 35b781cc-1a08-4a5a-80af-42fd7c315c6b
+status: experimental
+description: Detects AzureHound (A BloodHound data collector for Microsoft Azure) activity via the default User-Agent that is used during its operation after successful authentication.
+references:
+ - https://github.com/BloodHoundAD/AzureHound
+author: Janantha Marasinghe
+date: 2022/11/27
+tags:
+ - attack.discovery
+ - attack.t1087.004
+ - attack.t1526
+logsource:
+ product: azure
+ service: signinlogs
+detection:
+ selection:
+ userAgent|contains: 'azurehound'
+ ResultType: 0
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
From ab18539fcecec8bb5110ace04a91712ed02431d1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Fri, 9 Dec 2022 05:18:26 +0000 Subject: [PATCH 102/303] chore(deps): bump certifi from 2021.5.30 to 2022.12.7 Bumps [certifi](https://github.com/certifi/python-certifi) from 2021.5.30 to 2022.12.7. - [Release notes](https://github.com/certifi/python-certifi/releases) - [Commits](https://github.com/certifi/python-certifi/compare/2021.05.30...2022.12.07) --- updated-dependencies: - dependency-name: certifi dependency-type: indirect ... Signed-off-by: dependabot[bot] --- Pipfile.lock | 898 ++++++++++++++++++++++++++++++++++----------------- 1 file changed, 608 insertions(+), 290 deletions(-)
diff --git a/Pipfile.lock b/Pipfile.lock
index 2416e3258..f56216248 100644
--- a/Pipfile.lock
+++ b/Pipfile.lock
@@ -1,7 +1,7 @@ { "_meta": { "hash": { - "sha256": "08bbbed72c177a3a7a43aff79af8fdde3a0ac42e15d7e112d64cac2c5d5b6e68" + "sha256": "7353b17b3a357cace77fb11fbbc501c2b619c7644c676d360f67f70a7feeb9c8" }, "pipfile-spec": 6, "requires": {
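Review bot: `ResultType: 0` restricts the rule to successful sign-ins, but a sign-in attempt carrying the AzureHound user agent that fails is the same tooling without valid credentials yet and is at least as worth surfacing, and nothing in the rule says why it was excluded; either drop the field or record the reason next to it: `ResultType: 0  # success only; failed attempts deliberately excluded to keep the rule high-confidence`. The user agent is entirely under the operator's control, so the description's "default User-Agent" wording deserves an explicit caveat that the rule is defeated by a changed UA string and should be paired with behavioural Graph/ARM enumeration detections. `falsepositives: - Unknown` can name the obvious one, authorized AzureHound collection by internal red teams or auditors, which is exactly the case an analyst will hit first.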
@@ -18,42 +18,43 @@ "default": { "attrs": { "hashes": [ - "sha256:149e90d6d8ac20db7a955ad60cf0e6881a3f20d37096140088356da6c716b0b1", - "sha256:ef6aaac3ca6cd92904cdd0d83f629a15f18053ec84e6432106f7a4d04ae4f5fb" + "sha256:29adc2665447e5191d0e7c568fde78b21f9672d344281d0c6e1ab085429b22b6", + "sha256:86efa402f67bf2df34f51a335487cf46b1ec130d02b8d39fd248abfd30da551c" ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", - "version": "==21.2.0" + "markers": "python_version >= '3.5'", + "version": "==22.1.0" }, "certifi": { "hashes": [ - "sha256:2bbf76fd432960138b3ef6dda3dde0544f27cbf8546c458e60baf371917ba9ee", - "sha256:50b1e4f8446b06f41be7dd6338db18e0990601dce795c2b1686458aa7e8fa7d8" + "sha256:35824b4c3a97115964b408844d64aa14db1cc518f6562e8d7261699d1350a9e3", + "sha256:4ad3232f5e926d6718ec31cfc1fcadfde020920e278684144551c91769c7bc18" ], - "version": "==2021.5.30" + "index": "pypi", + "version": "==2022.12.7" }, "charset-normalizer": { "hashes": [ - "sha256:0c8911edd15d19223366a194a513099a302055a962bca2cec0f54b8b63175d8b", - "sha256:f23667ebe1084be45f6ae0538e4a5a865206544097e4e8bbcacf42cd02a348f3" + "sha256:2857e29ff0d34db842cd7ca3230549d1a697f96ee6d3fb071cfa6c7393832597", + "sha256:6881edbebdb17b39b4eaaa821b438bf6eddffb4468cf344f09f89def34a8b1df" ], "markers": "python_version >= '3'", - "version": "==2.0.4" + "version": "==2.0.12" }, "deprecated": { "hashes": [ - "sha256:08452d69b6b5bc66e8330adde0a4f8642e969b9e1702904d137eeb29c8ffc771", - "sha256:6d2de2de7931a968874481ef30208fd4e08da39177d61d3d4ebdf4366e7dbca1" + "sha256:43ac5335da90c31c24ba028af536a91d41d53f9e6901ddb021bcc572ce44e38d", + "sha256:64756e3e14c8c5eea9795d93c524551432a0be75629f8f29e67ab8caf076c76d" ], "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==1.2.12" + "version": "==1.2.13" }, "idna": { "hashes": [ - "sha256:14475042e284991034cb48e06f6851428fb14c4dc953acd9be9a5e95c7b6dd7a", - 
"sha256:467fbad99067910785144ce333826c71fb0e63a425657295239737f7ecd125f3" + "sha256:814f528e8dead7d329833b91c5faa87d60bf71824cd12a7530b5526063d02cb4", + "sha256:90b77e79eaa3eba6de819a0c442c0b4ceefc341a7a2ab77d7562bf49f425c5c2" ], "markers": "python_version >= '3'", - "version": "==3.2" + "version": "==3.4" }, "jsonschema": { "hashes": [ 
@@ -80,30 +81,31 @@ }, "pyrsistent": { "hashes": [ - "sha256:097b96f129dd36a8c9e33594e7ebb151b1515eb52cceb08474c10a5479e799f2", - "sha256:2aaf19dc8ce517a8653746d98e962ef480ff34b6bc563fc067be6401ffb457c7", - "sha256:404e1f1d254d314d55adb8d87f4f465c8693d6f902f67eb6ef5b4526dc58e6ea", - "sha256:48578680353f41dca1ca3dc48629fb77dfc745128b56fc01096b2530c13fd426", - "sha256:4916c10896721e472ee12c95cdc2891ce5890898d2f9907b1b4ae0f53588b710", - "sha256:527be2bfa8dc80f6f8ddd65242ba476a6c4fb4e3aedbf281dfbac1b1ed4165b1", - "sha256:58a70d93fb79dc585b21f9d72487b929a6fe58da0754fa4cb9f279bb92369396", - "sha256:5e4395bbf841693eaebaa5bb5c8f5cdbb1d139e07c975c682ec4e4f8126e03d2", - "sha256:6b5eed00e597b5b5773b4ca30bd48a5774ef1e96f2a45d105db5b4ebb4bca680", - "sha256:73ff61b1411e3fb0ba144b8f08d6749749775fe89688093e1efef9839d2dcc35", - "sha256:772e94c2c6864f2cd2ffbe58bb3bdefbe2a32afa0acb1a77e472aac831f83427", - "sha256:773c781216f8c2900b42a7b638d5b517bb134ae1acbebe4d1e8f1f41ea60eb4b", - "sha256:a0c772d791c38bbc77be659af29bb14c38ced151433592e326361610250c605b", - "sha256:b29b869cf58412ca5738d23691e96d8aff535e17390128a1a52717c9a109da4f", - "sha256:c1a9ff320fa699337e05edcaae79ef8c2880b52720bc031b219e5b5008ebbdef", - "sha256:cd3caef37a415fd0dae6148a1b6957a8c5f275a62cca02e18474608cb263640c", - "sha256:d5ec194c9c573aafaceebf05fc400656722793dac57f254cd4741f3c27ae57b4", - "sha256:da6e5e818d18459fa46fac0a4a4e543507fe1110e808101277c5a2b5bab0cd2d", - "sha256:e79d94ca58fcafef6395f6352383fa1a76922268fa02caa2272fff501c2fdc78", - "sha256:f3ef98d7b76da5eb19c37fda834d50262ff9167c65658d1d8f974d2e4d90676b", - "sha256:f4c8cabb46ff8e5d61f56a037974228e978f26bfefce4f61a4b1ac0ba7a2ab72" + "sha256:055ab45d5911d7cae397dc418808d8802fb95262751872c841c170b0dbf51eed", + "sha256:111156137b2e71f3a9936baf27cb322e8024dac3dc54ec7fb9f0bcf3249e68bb", + "sha256:187d5730b0507d9285a96fca9716310d572e5464cadd19f22b63a6976254d77a", + "sha256:21455e2b16000440e896ab99e8304617151981ed40c29e9507ef1c2e4314ee95", + 
"sha256:2aede922a488861de0ad00c7630a6e2d57e8023e4be72d9d7147a9fcd2d30712", + "sha256:3ba4134a3ff0fc7ad225b6b457d1309f4698108fb6b35532d015dca8f5abed73", + "sha256:456cb30ca8bff00596519f2c53e42c245c09e1a4543945703acd4312949bfd41", + "sha256:71d332b0320642b3261e9fee47ab9e65872c2bd90260e5d225dabeed93cbd42b", + "sha256:879b4c2f4d41585c42df4d7654ddffff1239dc4065bc88b745f0341828b83e78", + "sha256:9cd3e9978d12b5d99cbdc727a3022da0430ad007dacf33d0bf554b96427f33ab", + "sha256:a178209e2df710e3f142cbd05313ba0c5ebed0a55d78d9945ac7a4e09d923308", + "sha256:b39725209e06759217d1ac5fcdb510e98670af9e37223985f330b611f62e7425", + "sha256:bfa0351be89c9fcbcb8c9879b826f4353be10f58f8a677efab0c017bf7137ec2", + "sha256:bfd880614c6237243ff53a0539f1cb26987a6dc8ac6e66e0c5a40617296a045e", + "sha256:c43bec251bbd10e3cb58ced80609c5c1eb238da9ca78b964aea410fb820d00d6", + "sha256:d690b18ac4b3e3cab73b0b7aa7dbe65978a172ff94970ff98d82f2031f8971c2", + "sha256:d6982b5a0237e1b7d876b60265564648a69b14017f3b5f908c5be2de3f9abb7a", + "sha256:dec3eac7549869365fe263831f576c8457f6c833937c68542d08fde73457d291", + "sha256:e371b844cec09d8dc424d940e54bba8f67a03ebea20ff7b7b0d56f526c71d584", + "sha256:e5d8f84d81e3729c3b506657dddfe46e8ba9c330bf1858ee33108f8bb2adb38a", + "sha256:ea6b79a02a28550c98b6ca9c35b9f492beaa54d7c5c9e9949555893c8a9234d0", + "sha256:f1258f4e6c42ad0b20f9cfcc3ada5bd6b83374516cd01c0960e3cb75fdca6770" ], - "markers": "python_version >= '3.6'", - "version": "==0.18.0" + "markers": "python_version >= '3.7'", + "version": "==0.19.2" }, "python-dateutil": { "hashes": [ 
@@ -115,10 +117,11 @@ }, "python-utils": { "hashes": [ - "sha256:18fbc1a1df9a9061e3059a48ebe5c8a66b654d688b0e3ecca8b339a7f168f208", - "sha256:352d5b1febeebf9b3cdb9f3c87a3b26ef22d3c9e274a8ec1e7048ecd2fac4349" + "sha256:22990259324eae88faa3389d302861a825dbdd217ab40e3ec701851b3337d592", + "sha256:7e329c427a6d23036cfcc4501638afb31b2ddc8896f25393562833874b8c6e0a" ], - "version": "==2.5.6" + "markers": "python_version >= '3.7'", + "version": "==3.4.5" }, "pyyaml": { "hashes": [ 
@@ -165,38 +168,59 @@ }, "ruamel.yaml": { "hashes": [ - "sha256:106bc8d6dc6a0ff7c9196a47570432036f41d556b779c6b4e618085f57e39e67", - "sha256:ffb9b703853e9e8b7861606dfdab1026cf02505bade0653d1880f4b2db47f815" + "sha256:742b35d3d665023981bd6d16b3d24248ce5df75fdb4e2924e93a05c1f8b61ca7", + "sha256:8b7ce697a2f212752a35c1ac414471dc16c424c9573be4926b56ff3f5d23b7af" ], "index": "pypi", - "version": "==0.17.10" + "version": "==0.17.21" }, "ruamel.yaml.clib": { "hashes": [ - "sha256:0847201b767447fc33b9c235780d3aa90357d20dd6108b92be544427bea197dd", - "sha256:1866cf2c284a03b9524a5cc00daca56d80057c5ce3cdc86a52020f4c720856f0", - "sha256:31ea73e564a7b5fbbe8188ab8b334393e06d997914a4e184975348f204790277", - "sha256:3fb9575a5acd13031c57a62cc7823e5d2ff8bc3835ba4d94b921b4e6ee664104", - "sha256:4ff604ce439abb20794f05613c374759ce10e3595d1867764dd1ae675b85acbd", - "sha256:72a2b8b2ff0a627496aad76f37a652bcef400fd861721744201ef1b45199ab78", - "sha256:78988ed190206672da0f5d50c61afef8f67daa718d614377dcd5e3ed85ab4a99", - "sha256:7b2927e92feb51d830f531de4ccb11b320255ee95e791022555971c466af4527", - "sha256:7f7ecb53ae6848f959db6ae93bdff1740e651809780822270eab111500842a84", - "sha256:825d5fccef6da42f3c8eccd4281af399f21c02b32d98e113dbc631ea6a6ecbc7", - "sha256:846fc8336443106fe23f9b6d6b8c14a53d38cef9a375149d61f99d78782ea468", - "sha256:89221ec6d6026f8ae859c09b9718799fea22c0e8da8b766b0b2c9a9ba2db326b", - "sha256:9efef4aab5353387b07f6b22ace0867032b900d8e91674b5d8ea9150db5cae94", - "sha256:a32f8d81ea0c6173ab1b3da956869114cae53ba1e9f72374032e33ba3118c233", - "sha256:a49e0161897901d1ac9c4a79984b8410f450565bbad64dbfcbf76152743a0cdb", - "sha256:ada3f400d9923a190ea8b59c8f60680c4ef8a4b0dfae134d2f2ff68429adfab5", - "sha256:bf75d28fa071645c529b5474a550a44686821decebdd00e21127ef1fd566eabe", - "sha256:cfdb9389d888c5b74af297e51ce357b800dd844898af9d4a547ffc143fa56751", - "sha256:d67f273097c368265a7b81e152e07fb90ed395df6e552b9fa858c6d2c9f42502", - 
"sha256:dc6a613d6c74eef5a14a214d433d06291526145431c3b964f5e16529b1842bed", - "sha256:de9c6b8a1ba52919ae919f3ae96abb72b994dd0350226e28f3686cb4f142165c" + "sha256:045e0626baf1c52e5527bd5db361bc83180faaba2ff586e763d3d5982a876a9e", + "sha256:15910ef4f3e537eea7fe45f8a5d19997479940d9196f357152a09031c5be59f3", + "sha256:184faeaec61dbaa3cace407cffc5819f7b977e75360e8d5ca19461cd851a5fc5", + "sha256:1f08fd5a2bea9c4180db71678e850b995d2a5f4537be0e94557668cf0f5f9497", + "sha256:2aa261c29a5545adfef9296b7e33941f46aa5bbd21164228e833412af4c9c75f", + "sha256:3110a99e0f94a4a3470ff67fc20d3f96c25b13d24c6980ff841e82bafe827cac", + "sha256:3243f48ecd450eddadc2d11b5feb08aca941b5cd98c9b1db14b2fd128be8c697", + "sha256:370445fd795706fd291ab00c9df38a0caed0f17a6fb46b0f607668ecb16ce763", + "sha256:40d030e2329ce5286d6b231b8726959ebbe0404c92f0a578c0e2482182e38282", + "sha256:41d0f1fa4c6830176eef5b276af04c89320ea616655d01327d5ce65e50575c94", + "sha256:4a4d8d417868d68b979076a9be6a38c676eca060785abaa6709c7b31593c35d1", + "sha256:4b3a93bb9bc662fc1f99c5c3ea8e623d8b23ad22f861eb6fce9377ac07ad6072", + "sha256:5bc0667c1eb8f83a3752b71b9c4ba55ef7c7058ae57022dd9b29065186a113d9", + "sha256:721bc4ba4525f53f6a611ec0967bdcee61b31df5a56801281027a3a6d1c2daf5", + "sha256:763d65baa3b952479c4e972669f679fe490eee058d5aa85da483ebae2009d231", + "sha256:7bdb4c06b063f6fd55e472e201317a3bb6cdeeee5d5a38512ea5c01e1acbdd93", + "sha256:8831a2cedcd0f0927f788c5bdf6567d9dc9cc235646a434986a852af1cb54b4b", + "sha256:91a789b4aa0097b78c93e3dc4b40040ba55bef518f84a40d4442f713b4094acb", + "sha256:92460ce908546ab69770b2e576e4f99fbb4ce6ab4b245345a3869a0a0410488f", + "sha256:99e77daab5d13a48a4054803d052ff40780278240a902b880dd37a51ba01a307", + "sha256:a234a20ae07e8469da311e182e70ef6b199d0fbeb6c6cc2901204dd87fb867e8", + "sha256:a7b301ff08055d73223058b5c46c55638917f04d21577c95e00e0c4d79201a6b", + "sha256:be2a7ad8fd8f7442b24323d24ba0b56c51219513cfa45b9ada3b87b76c374d4b", + "sha256:bf9a6bc4a0221538b1a7de3ed7bca4c93c02346853f44e1cd764be0023cd3640", 
+ "sha256:c3ca1fbba4ae962521e5eb66d72998b51f0f4d0f608d3c0347a48e1af262efa7", + "sha256:d000f258cf42fec2b1bbf2863c61d7b8918d31ffee905da62dede869254d3b8a", + "sha256:d5859983f26d8cd7bb5c287ef452e8aacc86501487634573d260968f753e1d71", + "sha256:d5e51e2901ec2366b79f16c2299a03e74ba4531ddcfacc1416639c557aef0ad8", + "sha256:debc87a9516b237d0466a711b18b6ebeb17ba9f391eb7f91c649c5c4ec5006c7", + "sha256:df5828871e6648db72d1c19b4bd24819b80a755c4541d3409f0f7acd0f335c80", + "sha256:ecdf1a604009bd35c674b9225a8fa609e0282d9b896c03dd441a91e5f53b534e", + "sha256:efa08d63ef03d079dcae1dfe334f6c8847ba8b645d08df286358b1f5293d24ab", + "sha256:f01da5790e95815eb5a8a138508c01c758e5f5bc0ce4286c4f7028b8dd7ac3d0", + "sha256:f34019dced51047d6f70cb9383b2ae2853b7fc4dce65129a5acd49f4f9256646" ], - "markers": "python_version < '3.10' and platform_python_implementation == 'CPython'", - "version": "==0.2.6" + "markers": "python_version < '3.11' and platform_python_implementation == 'CPython'", + "version": "==0.2.7" + }, + "setuptools": { + "hashes": [ + "sha256:57f6f22bde4e042978bcd50176fdb381d7c21a9efa4041202288d3737a0c6a54", + "sha256:a7620757bf984b58deaf32fc8a4577a9bbc0850cf92c20e1ce41c38c19e5fb75" + ], + "markers": "python_version >= '3.7'", + "version": "==65.6.3" }, "six": { "hashes": [ @@ -206,6 +230,14 @@ "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", "version": "==1.16.0" }, + "termcolor": { + "hashes": [ + "sha256:67cee2009adc6449c650f6bcf3bdeed00c8ba53a8cda5362733c53e0a39fb70b", + "sha256:fa852e957f97252205e105dd55bbc23b419a70fec0085708fc0515e399f304fd" + ], + "index": "pypi", + "version": "==2.1.1" + }, "urllib3": { "hashes": [ "sha256:39fb8672126159acb139a7718dd10806104dec1e2f0f6c88aab05d17df10c8d4", 
@@ -216,69 +248,191 @@ }, "wrapt": { "hashes": [ - "sha256:b62ffa81fb85f4332a4f609cab4ac40709470da05643a082ec1eb88e6d9b97d7" + "sha256:00b6d4ea20a906c0ca56d84f93065b398ab74b927a7a3dbd470f6fc503f95dc3", + "sha256:01c205616a89d09827986bc4e859bcabd64f5a0662a7fe95e0d359424e0e071b", + "sha256:02b41b633c6261feff8ddd8d11c711df6842aba629fdd3da10249a53211a72c4", + "sha256:07f7a7d0f388028b2df1d916e94bbb40624c59b48ecc6cbc232546706fac74c2", + "sha256:11871514607b15cfeb87c547a49bca19fde402f32e2b1c24a632506c0a756656", + "sha256:1b376b3f4896e7930f1f772ac4b064ac12598d1c38d04907e696cc4d794b43d3", + "sha256:21ac0156c4b089b330b7666db40feee30a5d52634cc4560e1905d6529a3897ff", + "sha256:257fd78c513e0fb5cdbe058c27a0624c9884e735bbd131935fd49e9fe719d310", + "sha256:2b39d38039a1fdad98c87279b48bc5dce2c0ca0d73483b12cb72aa9609278e8a", + "sha256:2cf71233a0ed05ccdabe209c606fe0bac7379fdcf687f39b944420d2a09fdb57", + "sha256:2fe803deacd09a233e4762a1adcea5db5d31e6be577a43352936179d14d90069", + "sha256:3232822c7d98d23895ccc443bbdf57c7412c5a65996c30442ebe6ed3df335383", + "sha256:34aa51c45f28ba7f12accd624225e2b1e5a3a45206aa191f6f9aac931d9d56fe", + "sha256:36f582d0c6bc99d5f39cd3ac2a9062e57f3cf606ade29a0a0d6b323462f4dd87", + "sha256:380a85cf89e0e69b7cfbe2ea9f765f004ff419f34194018a6827ac0e3edfed4d", + "sha256:40e7bc81c9e2b2734ea4bc1aceb8a8f0ceaac7c5299bc5d69e37c44d9081d43b", + "sha256:43ca3bbbe97af00f49efb06e352eae40434ca9d915906f77def219b88e85d907", + "sha256:4fcc4649dc762cddacd193e6b55bc02edca674067f5f98166d7713b193932b7f", + "sha256:5a0f54ce2c092aaf439813735584b9537cad479575a09892b8352fea5e988dc0", + "sha256:5a9a0d155deafd9448baff28c08e150d9b24ff010e899311ddd63c45c2445e28", + "sha256:5b02d65b9ccf0ef6c34cba6cf5bf2aab1bb2f49c6090bafeecc9cd81ad4ea1c1", + "sha256:60db23fa423575eeb65ea430cee741acb7c26a1365d103f7b0f6ec412b893853", + "sha256:642c2e7a804fcf18c222e1060df25fc210b9c58db7c91416fb055897fc27e8cc", + "sha256:6a9a25751acb379b466ff6be78a315e2b439d4c94c1e99cb7266d40a537995d3", + 
"sha256:6b1a564e6cb69922c7fe3a678b9f9a3c54e72b469875aa8018f18b4d1dd1adf3", + "sha256:6d323e1554b3d22cfc03cd3243b5bb815a51f5249fdcbb86fda4bf62bab9e164", + "sha256:6e743de5e9c3d1b7185870f480587b75b1cb604832e380d64f9504a0535912d1", + "sha256:709fe01086a55cf79d20f741f39325018f4df051ef39fe921b1ebe780a66184c", + "sha256:7b7c050ae976e286906dd3f26009e117eb000fb2cf3533398c5ad9ccc86867b1", + "sha256:7d2872609603cb35ca513d7404a94d6d608fc13211563571117046c9d2bcc3d7", + "sha256:7ef58fb89674095bfc57c4069e95d7a31cfdc0939e2a579882ac7d55aadfd2a1", + "sha256:80bb5c256f1415f747011dc3604b59bc1f91c6e7150bd7db03b19170ee06b320", + "sha256:81b19725065dcb43df02b37e03278c011a09e49757287dca60c5aecdd5a0b8ed", + "sha256:833b58d5d0b7e5b9832869f039203389ac7cbf01765639c7309fd50ef619e0b1", + "sha256:88bd7b6bd70a5b6803c1abf6bca012f7ed963e58c68d76ee20b9d751c74a3248", + "sha256:8ad85f7f4e20964db4daadcab70b47ab05c7c1cf2a7c1e51087bfaa83831854c", + "sha256:8c0ce1e99116d5ab21355d8ebe53d9460366704ea38ae4d9f6933188f327b456", + "sha256:8d649d616e5c6a678b26d15ece345354f7c2286acd6db868e65fcc5ff7c24a77", + "sha256:903500616422a40a98a5a3c4ff4ed9d0066f3b4c951fa286018ecdf0750194ef", + "sha256:9736af4641846491aedb3c3f56b9bc5568d92b0692303b5a305301a95dfd38b1", + "sha256:988635d122aaf2bdcef9e795435662bcd65b02f4f4c1ae37fbee7401c440b3a7", + "sha256:9cca3c2cdadb362116235fdbd411735de4328c61425b0aa9f872fd76d02c4e86", + "sha256:9e0fd32e0148dd5dea6af5fee42beb949098564cc23211a88d799e434255a1f4", + "sha256:9f3e6f9e05148ff90002b884fbc2a86bd303ae847e472f44ecc06c2cd2fcdb2d", + "sha256:a85d2b46be66a71bedde836d9e41859879cc54a2a04fad1191eb50c2066f6e9d", + "sha256:a9a52172be0b5aae932bef82a79ec0a0ce87288c7d132946d645eba03f0ad8a8", + "sha256:aa31fdcc33fef9eb2552cbcbfee7773d5a6792c137b359e82879c101e98584c5", + "sha256:b014c23646a467558be7da3d6b9fa409b2c567d2110599b7cf9a0c5992b3b471", + "sha256:b21bb4c09ffabfa0e85e3a6b623e19b80e7acd709b9f91452b8297ace2a8ab00", + "sha256:b5901a312f4d14c59918c221323068fad0540e34324925c8475263841dbdfe68", 
+ "sha256:b9b7a708dd92306328117d8c4b62e2194d00c365f18eff11a9b53c6f923b01e3", + "sha256:d1967f46ea8f2db647c786e78d8cc7e4313dbd1b0aca360592d8027b8508e24d", + "sha256:d52a25136894c63de15a35bc0bdc5adb4b0e173b9c0d07a2be9d3ca64a332735", + "sha256:d77c85fedff92cf788face9bfa3ebaa364448ebb1d765302e9af11bf449ca36d", + "sha256:d79d7d5dc8a32b7093e81e97dad755127ff77bcc899e845f41bf71747af0c569", + "sha256:dbcda74c67263139358f4d188ae5faae95c30929281bc6866d00573783c422b7", + "sha256:ddaea91abf8b0d13443f6dac52e89051a5063c7d014710dcb4d4abb2ff811a59", + "sha256:dee0ce50c6a2dd9056c20db781e9c1cfd33e77d2d569f5d1d9321c641bb903d5", + "sha256:dee60e1de1898bde3b238f18340eec6148986da0455d8ba7848d50470a7a32fb", + "sha256:e2f83e18fe2f4c9e7db597e988f72712c0c3676d337d8b101f6758107c42425b", + "sha256:e3fb1677c720409d5f671e39bac6c9e0e422584e5f518bfd50aa4cbbea02433f", + "sha256:ee2b1b1769f6707a8a445162ea16dddf74285c3964f605877a20e38545c3c462", + "sha256:ee6acae74a2b91865910eef5e7de37dc6895ad96fa23603d1d27ea69df545015", + "sha256:ef3f72c9666bba2bab70d2a8b79f2c6d2c1a42a7f7e2b0ec83bb2f9e383950af" ], - "version": "==1.12.1" + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", + "version": "==1.14.1" } }, "develop": { "aiohttp": { "hashes": [ - "sha256:02f46fc0e3c5ac58b80d4d56eb0a7c7d97fcef69ace9326289fb9f1955e65cfe", - "sha256:0563c1b3826945eecd62186f3f5c7d31abb7391fedc893b7e2b26303b5a9f3fe", - "sha256:114b281e4d68302a324dd33abb04778e8557d88947875cbf4e842c2c01a030c5", - "sha256:14762875b22d0055f05d12abc7f7d61d5fd4fe4642ce1a249abdf8c700bf1fd8", - "sha256:15492a6368d985b76a2a5fdd2166cddfea5d24e69eefed4630cbaae5c81d89bd", - "sha256:17c073de315745a1510393a96e680d20af8e67e324f70b42accbd4cb3315c9fb", - "sha256:209b4a8ee987eccc91e2bd3ac36adee0e53a5970b8ac52c273f7f8fd4872c94c", - "sha256:230a8f7e24298dea47659251abc0fd8b3c4e38a664c59d4b89cca7f6c09c9e87", - "sha256:2e19413bf84934d651344783c9f5e22dee452e251cfd220ebadbed2d9931dbf0", - 
"sha256:393f389841e8f2dfc86f774ad22f00923fdee66d238af89b70ea314c4aefd290", - "sha256:3cf75f7cdc2397ed4442594b935a11ed5569961333d49b7539ea741be2cc79d5", - "sha256:3d78619672183be860b96ed96f533046ec97ca067fd46ac1f6a09cd9b7484287", - "sha256:40eced07f07a9e60e825554a31f923e8d3997cfc7fb31dbc1328c70826e04cde", - "sha256:493d3299ebe5f5a7c66b9819eacdcfbbaaf1a8e84911ddffcdc48888497afecf", - "sha256:4b302b45040890cea949ad092479e01ba25911a15e648429c7c5aae9650c67a8", - "sha256:515dfef7f869a0feb2afee66b957cc7bbe9ad0cdee45aec7fdc623f4ecd4fb16", - "sha256:547da6cacac20666422d4882cfcd51298d45f7ccb60a04ec27424d2f36ba3eaf", - "sha256:5df68496d19f849921f05f14f31bd6ef53ad4b00245da3195048c69934521809", - "sha256:64322071e046020e8797117b3658b9c2f80e3267daec409b350b6a7a05041213", - "sha256:7615dab56bb07bff74bc865307aeb89a8bfd9941d2ef9d817b9436da3a0ea54f", - "sha256:79ebfc238612123a713a457d92afb4096e2148be17df6c50fb9bf7a81c2f8013", - "sha256:7b18b97cf8ee5452fa5f4e3af95d01d84d86d32c5e2bfa260cf041749d66360b", - "sha256:932bb1ea39a54e9ea27fc9232163059a0b8855256f4052e776357ad9add6f1c9", - "sha256:a00bb73540af068ca7390e636c01cbc4f644961896fa9363154ff43fd37af2f5", - "sha256:a5ca29ee66f8343ed336816c553e82d6cade48a3ad702b9ffa6125d187e2dedb", - "sha256:af9aa9ef5ba1fd5b8c948bb11f44891968ab30356d65fd0cc6707d989cd521df", - "sha256:bb437315738aa441251214dad17428cafda9cdc9729499f1d6001748e1d432f4", - "sha256:bdb230b4943891321e06fc7def63c7aace16095be7d9cf3b1e01be2f10fba439", - "sha256:c6e9dcb4cb338d91a73f178d866d051efe7c62a7166653a91e7d9fb18274058f", - "sha256:cffe3ab27871bc3ea47df5d8f7013945712c46a3cc5a95b6bee15887f1675c22", - "sha256:d012ad7911653a906425d8473a1465caa9f8dea7fcf07b6d870397b774ea7c0f", - "sha256:d9e13b33afd39ddeb377eff2c1c4f00544e191e1d1dee5b6c51ddee8ea6f0cf5", - "sha256:e4b2b334e68b18ac9817d828ba44d8fcb391f6acb398bcc5062b14b2cbeac970", - "sha256:e54962802d4b8b18b6207d4a927032826af39395a3bd9196a5af43fc4e60b009", - "sha256:f705e12750171c0ab4ef2a3c76b9a4024a62c4103e3a55dd6f99265b9bc6fcfc", 
- "sha256:f881853d2643a29e643609da57b96d5f9c9b93f62429dcc1cbb413c7d07f0e1a", - "sha256:fe60131d21b31fd1a14bd43e6bb88256f69dfc3188b3a89d736d6c71ed43ec95" + "sha256:02f9a2c72fc95d59b881cf38a4b2be9381b9527f9d328771e90f72ac76f31ad8", + "sha256:059a91e88f2c00fe40aed9031b3606c3f311414f86a90d696dd982e7aec48142", + "sha256:05a3c31c6d7cd08c149e50dc7aa2568317f5844acd745621983380597f027a18", + "sha256:08c78317e950e0762c2983f4dd58dc5e6c9ff75c8a0efeae299d363d439c8e34", + "sha256:09e28f572b21642128ef31f4e8372adb6888846f32fecb288c8b0457597ba61a", + "sha256:0d2c6d8c6872df4a6ec37d2ede71eff62395b9e337b4e18efd2177de883a5033", + "sha256:16c121ba0b1ec2b44b73e3a8a171c4f999b33929cd2397124a8c7fcfc8cd9e06", + "sha256:1d90043c1882067f1bd26196d5d2db9aa6d268def3293ed5fb317e13c9413ea4", + "sha256:1e56b9cafcd6531bab5d9b2e890bb4937f4165109fe98e2b98ef0dcfcb06ee9d", + "sha256:20acae4f268317bb975671e375493dbdbc67cddb5f6c71eebdb85b34444ac46b", + "sha256:21b30885a63c3f4ff5b77a5d6caf008b037cb521a5f33eab445dc566f6d092cc", + "sha256:21d69797eb951f155026651f7e9362877334508d39c2fc37bd04ff55b2007091", + "sha256:256deb4b29fe5e47893fa32e1de2d73c3afe7407738bd3c63829874661d4822d", + "sha256:25892c92bee6d9449ffac82c2fe257f3a6f297792cdb18ad784737d61e7a9a85", + "sha256:2ca9af5f8f5812d475c5259393f52d712f6d5f0d7fdad9acdb1107dd9e3cb7eb", + "sha256:2d252771fc85e0cf8da0b823157962d70639e63cb9b578b1dec9868dd1f4f937", + "sha256:2dea10edfa1a54098703cb7acaa665c07b4e7568472a47f4e64e6319d3821ccf", + "sha256:2df5f139233060578d8c2c975128fb231a89ca0a462b35d4b5fcf7c501ebdbe1", + "sha256:2feebbb6074cdbd1ac276dbd737b40e890a1361b3cc30b74ac2f5e24aab41f7b", + "sha256:309aa21c1d54b8ef0723181d430347d7452daaff93e8e2363db8e75c72c2fb2d", + "sha256:3828fb41b7203176b82fe5d699e0d845435f2374750a44b480ea6b930f6be269", + "sha256:398701865e7a9565d49189f6c90868efaca21be65c725fc87fc305906be915da", + "sha256:43046a319664a04b146f81b40e1545d4c8ac7b7dd04c47e40bf09f65f2437346", + 
"sha256:437399385f2abcd634865705bdc180c8314124b98299d54fe1d4c8990f2f9494", + "sha256:45d88b016c849d74ebc6f2b6e8bc17cabf26e7e40c0661ddd8fae4c00f015697", + "sha256:47841407cc89a4b80b0c52276f3cc8138bbbfba4b179ee3acbd7d77ae33f7ac4", + "sha256:4a4fbc769ea9b6bd97f4ad0b430a6807f92f0e5eb020f1e42ece59f3ecfc4585", + "sha256:4ab94426ddb1ecc6a0b601d832d5d9d421820989b8caa929114811369673235c", + "sha256:4b0f30372cef3fdc262f33d06e7b411cd59058ce9174ef159ad938c4a34a89da", + "sha256:4e3a23ec214e95c9fe85a58470b660efe6534b83e6cbe38b3ed52b053d7cb6ad", + "sha256:512bd5ab136b8dc0ffe3fdf2dfb0c4b4f49c8577f6cae55dca862cd37a4564e2", + "sha256:527b3b87b24844ea7865284aabfab08eb0faf599b385b03c2aa91fc6edd6e4b6", + "sha256:54d107c89a3ebcd13228278d68f1436d3f33f2dd2af5415e3feaeb1156e1a62c", + "sha256:5835f258ca9f7c455493a57ee707b76d2d9634d84d5d7f62e77be984ea80b849", + "sha256:598adde339d2cf7d67beaccda3f2ce7c57b3b412702f29c946708f69cf8222aa", + "sha256:599418aaaf88a6d02a8c515e656f6faf3d10618d3dd95866eb4436520096c84b", + "sha256:5bf651afd22d5f0c4be16cf39d0482ea494f5c88f03e75e5fef3a85177fecdeb", + "sha256:5c59fcd80b9049b49acd29bd3598cada4afc8d8d69bd4160cd613246912535d7", + "sha256:653acc3880459f82a65e27bd6526e47ddf19e643457d36a2250b85b41a564715", + "sha256:66bd5f950344fb2b3dbdd421aaa4e84f4411a1a13fca3aeb2bcbe667f80c9f76", + "sha256:6f3553510abdbec67c043ca85727396ceed1272eef029b050677046d3387be8d", + "sha256:7018ecc5fe97027214556afbc7c502fbd718d0740e87eb1217b17efd05b3d276", + "sha256:713d22cd9643ba9025d33c4af43943c7a1eb8547729228de18d3e02e278472b6", + "sha256:73a4131962e6d91109bca6536416aa067cf6c4efb871975df734f8d2fd821b37", + "sha256:75880ed07be39beff1881d81e4a907cafb802f306efd6d2d15f2b3c69935f6fb", + "sha256:75e14eac916f024305db517e00a9252714fce0abcb10ad327fb6dcdc0d060f1d", + "sha256:8135fa153a20d82ffb64f70a1b5c2738684afa197839b34cc3e3c72fa88d302c", + "sha256:84b14f36e85295fe69c6b9789b51a0903b774046d5f7df538176516c3e422446", + "sha256:86fc24e58ecb32aee09f864cb11bb91bc4c1086615001647dbfc4dc8c32f4008", 
+ "sha256:87f44875f2804bc0511a69ce44a9595d5944837a62caecc8490bbdb0e18b1342", + "sha256:88c70ed9da9963d5496d38320160e8eb7e5f1886f9290475a881db12f351ab5d", + "sha256:88e5be56c231981428f4f506c68b6a46fa25c4123a2e86d156c58a8369d31ab7", + "sha256:89d2e02167fa95172c017732ed7725bc8523c598757f08d13c5acca308e1a061", + "sha256:8d6aaa4e7155afaf994d7924eb290abbe81a6905b303d8cb61310a2aba1c68ba", + "sha256:92a2964319d359f494f16011e23434f6f8ef0434acd3cf154a6b7bec511e2fb7", + "sha256:96372fc29471646b9b106ee918c8eeb4cca423fcbf9a34daa1b93767a88a2290", + "sha256:978b046ca728073070e9abc074b6299ebf3501e8dee5e26efacb13cec2b2dea0", + "sha256:9c7149272fb5834fc186328e2c1fa01dda3e1fa940ce18fded6d412e8f2cf76d", + "sha256:a0239da9fbafd9ff82fd67c16704a7d1bccf0d107a300e790587ad05547681c8", + "sha256:ad5383a67514e8e76906a06741febd9126fc7c7ff0f599d6fcce3e82b80d026f", + "sha256:ad61a9639792fd790523ba072c0555cd6be5a0baf03a49a5dd8cfcf20d56df48", + "sha256:b29bfd650ed8e148f9c515474a6ef0ba1090b7a8faeee26b74a8ff3b33617502", + "sha256:b97decbb3372d4b69e4d4c8117f44632551c692bb1361b356a02b97b69e18a62", + "sha256:ba71c9b4dcbb16212f334126cc3d8beb6af377f6703d9dc2d9fb3874fd667ee9", + "sha256:c37c5cce780349d4d51739ae682dec63573847a2a8dcb44381b174c3d9c8d403", + "sha256:c971bf3786b5fad82ce5ad570dc6ee420f5b12527157929e830f51c55dc8af77", + "sha256:d1fde0f44029e02d02d3993ad55ce93ead9bb9b15c6b7ccd580f90bd7e3de476", + "sha256:d24b8bb40d5c61ef2d9b6a8f4528c2f17f1c5d2d31fed62ec860f6006142e83e", + "sha256:d5ba88df9aa5e2f806650fcbeedbe4f6e8736e92fc0e73b0400538fd25a4dd96", + "sha256:d6f76310355e9fae637c3162936e9504b4767d5c52ca268331e2756e54fd4ca5", + "sha256:d737fc67b9a970f3234754974531dc9afeea11c70791dcb7db53b0cf81b79784", + "sha256:da22885266bbfb3f78218dc40205fed2671909fbd0720aedba39b4515c038091", + "sha256:da37dcfbf4b7f45d80ee386a5f81122501ec75672f475da34784196690762f4b", + "sha256:db19d60d846283ee275d0416e2a23493f4e6b6028825b51290ac05afc87a6f97", + 
"sha256:db4c979b0b3e0fa7e9e69ecd11b2b3174c6963cebadeecfb7ad24532ffcdd11a", + "sha256:e164e0a98e92d06da343d17d4e9c4da4654f4a4588a20d6c73548a29f176abe2", + "sha256:e168a7560b7c61342ae0412997b069753f27ac4862ec7867eff74f0fe4ea2ad9", + "sha256:e381581b37db1db7597b62a2e6b8b57c3deec95d93b6d6407c5b61ddc98aca6d", + "sha256:e65bc19919c910127c06759a63747ebe14f386cda573d95bcc62b427ca1afc73", + "sha256:e7b8813be97cab8cb52b1375f41f8e6804f6507fe4660152e8ca5c48f0436017", + "sha256:e8a78079d9a39ca9ca99a8b0ac2fdc0c4d25fc80c8a8a82e5c8211509c523363", + "sha256:ebf909ea0a3fc9596e40d55d8000702a85e27fd578ff41a5500f68f20fd32e6c", + "sha256:ec40170327d4a404b0d91855d41bfe1fe4b699222b2b93e3d833a27330a87a6d", + "sha256:f178d2aadf0166be4df834c4953da2d7eef24719e8aec9a65289483eeea9d618", + "sha256:f88df3a83cf9df566f171adba39d5bd52814ac0b94778d2448652fc77f9eb491", + "sha256:f973157ffeab5459eefe7b97a804987876dd0a55570b8fa56b4e1954bf11329b", + "sha256:ff25f48fc8e623d95eca0670b8cc1469a83783c924a602e0fbd47363bb54aaca" ], "markers": "python_version >= '3.6'", - "version": "==3.7.4.post0" + "version": "==3.8.3" + }, + "aiosignal": { + "hashes": [ + "sha256:54cd96e15e1649b75d6c87526a6ff0b6c1b0dd3459f43d9ca11d48c339b68cfc", + "sha256:f8376fb07dd1e86a584e4fcdec80b36b7f81aac666ebc724e2c090300dd83b17" + ], + "markers": "python_version >= '3.7'", + "version": "==1.3.1" }, "antlr4-python3-runtime": { "hashes": [ - "sha256:15793f5d0512a372b4e7d2284058ad32ce7dd27126b105fb0b2245130445db33" + "sha256:f224469b4168294902bb1efa80a8bf7855f24c99aef99cbefc1bcd3cce77881b" ], "markers": "python_version >= '3'", - "version": "==4.8" + "version": "==4.9.3" }, "async-timeout": { "hashes": [ - "sha256:0c3c816a028d47f659d6ff5c745cb2acf1f966da1fe5c19c77a70282b25f4c5f", - "sha256:4291ca197d287d274d0b6cb5d6f8f8f82d434ed288f962539ff18cc9012f9ea3" + "sha256:2163e1640ddb52b7a8c80d0a67a08587e5d245cc9c553a74a847056bc2976b15", + "sha256:8ca1e4fcf50d07413d66d1a5e416e42cfdf5851c981d679a09851a6853383b3c" ], - "markers": 
"python_full_version >= '3.5.3'", - "version": "==3.0.1" + "markers": "python_version >= '3.6'", + "version": "==4.0.2" }, "attackcti": { "hashes": [ @@ -290,34 +444,27 @@ }, "attrs": { "hashes": [ - "sha256:149e90d6d8ac20db7a955ad60cf0e6881a3f20d37096140088356da6c716b0b1", - "sha256:ef6aaac3ca6cd92904cdd0d83f629a15f18053ec84e6432106f7a4d04ae4f5fb" + "sha256:29adc2665447e5191d0e7c568fde78b21f9672d344281d0c6e1ab085429b22b6", + "sha256:86efa402f67bf2df34f51a335487cf46b1ec130d02b8d39fd248abfd30da551c" ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", - "version": "==21.2.0" + "markers": "python_version >= '3.5'", + "version": "==22.1.0" }, "certifi": { "hashes": [ - "sha256:2bbf76fd432960138b3ef6dda3dde0544f27cbf8546c458e60baf371917ba9ee", - "sha256:50b1e4f8446b06f41be7dd6338db18e0990601dce795c2b1686458aa7e8fa7d8" + "sha256:35824b4c3a97115964b408844d64aa14db1cc518f6562e8d7261699d1350a9e3", + "sha256:4ad3232f5e926d6718ec31cfc1fcadfde020920e278684144551c91769c7bc18" ], - "version": "==2021.5.30" - }, - "chardet": { - "hashes": [ - "sha256:0d6f53a15db4120f2b08c94f11e7d93d2c911ee118b6b30a04ec3ee8310179fa", - "sha256:f864054d66fd9118f2e67044ac8981a54775ec5b67aed0441892edb553d21da5" - ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", - "version": "==4.0.0" + "index": "pypi", + "version": "==2022.12.7" }, "charset-normalizer": { "hashes": [ - "sha256:0c8911edd15d19223366a194a513099a302055a962bca2cec0f54b8b63175d8b", - "sha256:f23667ebe1084be45f6ae0538e4a5a865206544097e4e8bbcacf42cd02a348f3" + "sha256:2857e29ff0d34db842cd7ca3230549d1a697f96ee6d3fb071cfa6c7393832597", + "sha256:6881edbebdb17b39b4eaaa821b438bf6eddffb4468cf344f09f89def34a8b1df" ], "markers": "python_version >= '3'", - "version": "==2.0.4" + "version": "==2.0.12" }, "colorama": { "hashes": [ 
@@ -401,79 +548,197 @@ "index": "pypi", "version": "==6.2.0" }, + "frozenlist": { + "hashes": [ + "sha256:008a054b75d77c995ea26629ab3a0c0d7281341f2fa7e1e85fa6153ae29ae99c", + "sha256:02c9ac843e3390826a265e331105efeab489ffaf4dd86384595ee8ce6d35ae7f", + "sha256:034a5c08d36649591be1cbb10e09da9f531034acfe29275fc5454a3b101ce41a", + "sha256:05cdb16d09a0832eedf770cb7bd1fe57d8cf4eaf5aced29c4e41e3f20b30a784", + "sha256:0693c609e9742c66ba4870bcee1ad5ff35462d5ffec18710b4ac89337ff16e27", + "sha256:0771aed7f596c7d73444c847a1c16288937ef988dc04fb9f7be4b2aa91db609d", + "sha256:0af2e7c87d35b38732e810befb9d797a99279cbb85374d42ea61c1e9d23094b3", + "sha256:14143ae966a6229350021384870458e4777d1eae4c28d1a7aa47f24d030e6678", + "sha256:180c00c66bde6146a860cbb81b54ee0df350d2daf13ca85b275123bbf85de18a", + "sha256:1841e200fdafc3d51f974d9d377c079a0694a8f06de2e67b48150328d66d5483", + "sha256:23d16d9f477bb55b6154654e0e74557040575d9d19fe78a161bd33d7d76808e8", + "sha256:2b07ae0c1edaa0a36339ec6cce700f51b14a3fc6545fdd32930d2c83917332cf", + "sha256:2c926450857408e42f0bbc295e84395722ce74bae69a3b2aa2a65fe22cb14b99", + "sha256:2e24900aa13212e75e5b366cb9065e78bbf3893d4baab6052d1aca10d46d944c", + "sha256:303e04d422e9b911a09ad499b0368dc551e8c3cd15293c99160c7f1f07b59a48", + "sha256:352bd4c8c72d508778cf05ab491f6ef36149f4d0cb3c56b1b4302852255d05d5", + "sha256:3843f84a6c465a36559161e6c59dce2f2ac10943040c2fd021cfb70d58c4ad56", + "sha256:394c9c242113bfb4b9aa36e2b80a05ffa163a30691c7b5a29eba82e937895d5e", + "sha256:3bbdf44855ed8f0fbcd102ef05ec3012d6a4fd7c7562403f76ce6a52aeffb2b1", + "sha256:40de71985e9042ca00b7953c4f41eabc3dc514a2d1ff534027f091bc74416401", + "sha256:41fe21dc74ad3a779c3d73a2786bdf622ea81234bdd4faf90b8b03cad0c2c0b4", + "sha256:47df36a9fe24054b950bbc2db630d508cca3aa27ed0566c0baf661225e52c18e", + "sha256:4ea42116ceb6bb16dbb7d526e242cb6747b08b7710d9782aa3d6732bd8d27649", + "sha256:58bcc55721e8a90b88332d6cd441261ebb22342e238296bb330968952fbb3a6a", + 
"sha256:5c11e43016b9024240212d2a65043b70ed8dfd3b52678a1271972702d990ac6d", + "sha256:5cf820485f1b4c91e0417ea0afd41ce5cf5965011b3c22c400f6d144296ccbc0", + "sha256:5d8860749e813a6f65bad8285a0520607c9500caa23fea6ee407e63debcdbef6", + "sha256:6327eb8e419f7d9c38f333cde41b9ae348bec26d840927332f17e887a8dcb70d", + "sha256:65a5e4d3aa679610ac6e3569e865425b23b372277f89b5ef06cf2cdaf1ebf22b", + "sha256:66080ec69883597e4d026f2f71a231a1ee9887835902dbe6b6467d5a89216cf6", + "sha256:783263a4eaad7c49983fe4b2e7b53fa9770c136c270d2d4bbb6d2192bf4d9caf", + "sha256:7f44e24fa70f6fbc74aeec3e971f60a14dde85da364aa87f15d1be94ae75aeef", + "sha256:7fdfc24dcfce5b48109867c13b4cb15e4660e7bd7661741a391f821f23dfdca7", + "sha256:810860bb4bdce7557bc0febb84bbd88198b9dbc2022d8eebe5b3590b2ad6c842", + "sha256:841ea19b43d438a80b4de62ac6ab21cfe6827bb8a9dc62b896acc88eaf9cecba", + "sha256:84610c1502b2461255b4c9b7d5e9c48052601a8957cd0aea6ec7a7a1e1fb9420", + "sha256:899c5e1928eec13fd6f6d8dc51be23f0d09c5281e40d9cf4273d188d9feeaf9b", + "sha256:8bae29d60768bfa8fb92244b74502b18fae55a80eac13c88eb0b496d4268fd2d", + "sha256:8df3de3a9ab8325f94f646609a66cbeeede263910c5c0de0101079ad541af332", + "sha256:8fa3c6e3305aa1146b59a09b32b2e04074945ffcfb2f0931836d103a2c38f936", + "sha256:924620eef691990dfb56dc4709f280f40baee568c794b5c1885800c3ecc69816", + "sha256:9309869032abb23d196cb4e4db574232abe8b8be1339026f489eeb34a4acfd91", + "sha256:9545a33965d0d377b0bc823dcabf26980e77f1b6a7caa368a365a9497fb09420", + "sha256:9ac5995f2b408017b0be26d4a1d7c61bce106ff3d9e3324374d66b5964325448", + "sha256:9bbbcedd75acdfecf2159663b87f1bb5cfc80e7cd99f7ddd9d66eb98b14a8411", + "sha256:a4ae8135b11652b08a8baf07631d3ebfe65a4c87909dbef5fa0cdde440444ee4", + "sha256:a6394d7dadd3cfe3f4b3b186e54d5d8504d44f2d58dcc89d693698e8b7132b32", + "sha256:a97b4fe50b5890d36300820abd305694cb865ddb7885049587a5678215782a6b", + "sha256:ae4dc05c465a08a866b7a1baf360747078b362e6a6dbeb0c57f234db0ef88ae0", + "sha256:b1c63e8d377d039ac769cd0926558bb7068a1f7abb0f003e3717ee003ad85530", 
+ "sha256:b1e2c1185858d7e10ff045c496bbf90ae752c28b365fef2c09cf0fa309291669", + "sha256:b4395e2f8d83fbe0c627b2b696acce67868793d7d9750e90e39592b3626691b7", + "sha256:b756072364347cb6aa5b60f9bc18e94b2f79632de3b0190253ad770c5df17db1", + "sha256:ba64dc2b3b7b158c6660d49cdb1d872d1d0bf4e42043ad8d5006099479a194e5", + "sha256:bed331fe18f58d844d39ceb398b77d6ac0b010d571cba8267c2e7165806b00ce", + "sha256:c188512b43542b1e91cadc3c6c915a82a5eb95929134faf7fd109f14f9892ce4", + "sha256:c21b9aa40e08e4f63a2f92ff3748e6b6c84d717d033c7b3438dd3123ee18f70e", + "sha256:ca713d4af15bae6e5d79b15c10c8522859a9a89d3b361a50b817c98c2fb402a2", + "sha256:cd4210baef299717db0a600d7a3cac81d46ef0e007f88c9335db79f8979c0d3d", + "sha256:cfe33efc9cb900a4c46f91a5ceba26d6df370ffddd9ca386eb1d4f0ad97b9ea9", + "sha256:d5cd3ab21acbdb414bb6c31958d7b06b85eeb40f66463c264a9b343a4e238642", + "sha256:dfbac4c2dfcc082fcf8d942d1e49b6aa0766c19d3358bd86e2000bf0fa4a9cf0", + "sha256:e235688f42b36be2b6b06fc37ac2126a73b75fb8d6bc66dd632aa35286238703", + "sha256:eb82dbba47a8318e75f679690190c10a5e1f447fbf9df41cbc4c3afd726d88cb", + "sha256:ebb86518203e12e96af765ee89034a1dbb0c3c65052d1b0c19bbbd6af8a145e1", + "sha256:ee78feb9d293c323b59a6f2dd441b63339a30edf35abcb51187d2fc26e696d13", + "sha256:eedab4c310c0299961ac285591acd53dc6723a1ebd90a57207c71f6e0c2153ab", + "sha256:efa568b885bca461f7c7b9e032655c0c143d305bf01c30caf6db2854a4532b38", + "sha256:efce6ae830831ab6a22b9b4091d411698145cb9b8fc869e1397ccf4b4b6455cb", + "sha256:f163d2fd041c630fed01bc48d28c3ed4a3b003c00acd396900e11ee5316b56bb", + "sha256:f20380df709d91525e4bee04746ba612a4df0972c1b8f8e1e8af997e678c7b81", + "sha256:f30f1928162e189091cf4d9da2eac617bfe78ef907a761614ff577ef4edfb3c8", + "sha256:f470c92737afa7d4c3aacc001e335062d582053d4dbe73cda126f2d7031068dd", + "sha256:ff8bf625fe85e119553b5383ba0fb6aa3d0ec2ae980295aaefa552374926b3f4" + ], + "markers": "python_version >= '3.7'", + "version": "==1.3.3" + }, "idna": { "hashes": [ - 
"sha256:14475042e284991034cb48e06f6851428fb14c4dc953acd9be9a5e95c7b6dd7a", - "sha256:467fbad99067910785144ce333826c71fb0e63a425657295239737f7ecd125f3" + "sha256:814f528e8dead7d329833b91c5faa87d60bf71824cd12a7530b5526063d02cb4", + "sha256:90b77e79eaa3eba6de819a0c442c0b4ceefc341a7a2ab77d7562bf49f425c5c2" ], "markers": "python_version >= '3'", - "version": "==3.2" + "version": "==3.4" }, "more-itertools": { "hashes": [ - "sha256:2cf89ec599962f2ddc4d568a05defc40e0a587fbc10d5989713638864c36be4d", - "sha256:83f0308e05477c68f56ea3a888172c78ed5d5b3c282addb67508e7ba6c8f813a" + "sha256:250e83d7e81d0c87ca6bd942e6aeab8cc9daa6096d12c5308f3f92fa5e5c1f41", + "sha256:5a6257e40878ef0520b1803990e3e22303a41b5714006c32a3fd8304b26ea1ab" ], - "markers": "python_version >= '3.5'", - "version": "==8.8.0" + "markers": "python_version >= '3.7'", + "version": "==9.0.0" }, "multidict": { "hashes": [ - "sha256:018132dbd8688c7a69ad89c4a3f39ea2f9f33302ebe567a879da8f4ca73f0d0a", - "sha256:051012ccee979b2b06be928a6150d237aec75dd6bf2d1eeeb190baf2b05abc93", - "sha256:05c20b68e512166fddba59a918773ba002fdd77800cad9f55b59790030bab632", - "sha256:07b42215124aedecc6083f1ce6b7e5ec5b50047afa701f3442054373a6deb656", - "sha256:0e3c84e6c67eba89c2dbcee08504ba8644ab4284863452450520dad8f1e89b79", - "sha256:0e929169f9c090dae0646a011c8b058e5e5fb391466016b39d21745b48817fd7", - "sha256:1ab820665e67373de5802acae069a6a05567ae234ddb129f31d290fc3d1aa56d", - "sha256:25b4e5f22d3a37ddf3effc0710ba692cfc792c2b9edfb9c05aefe823256e84d5", - "sha256:2e68965192c4ea61fff1b81c14ff712fc7dc15d2bd120602e4a3494ea6584224", - "sha256:2f1a132f1c88724674271d636e6b7351477c27722f2ed789f719f9e3545a3d26", - "sha256:37e5438e1c78931df5d3c0c78ae049092877e5e9c02dd1ff5abb9cf27a5914ea", - "sha256:3a041b76d13706b7fff23b9fc83117c7b8fe8d5fe9e6be45eee72b9baa75f348", - "sha256:3a4f32116f8f72ecf2a29dabfb27b23ab7cdc0ba807e8459e59a93a9be9506f6", - "sha256:46c73e09ad374a6d876c599f2328161bcd95e280f84d2060cf57991dec5cfe76", - 
"sha256:46dd362c2f045095c920162e9307de5ffd0a1bfbba0a6e990b344366f55a30c1", - "sha256:4b186eb7d6ae7c06eb4392411189469e6a820da81447f46c0072a41c748ab73f", - "sha256:54fd1e83a184e19c598d5e70ba508196fd0bbdd676ce159feb412a4a6664f952", - "sha256:585fd452dd7782130d112f7ddf3473ffdd521414674c33876187e101b588738a", - "sha256:5cf3443199b83ed9e955f511b5b241fd3ae004e3cb81c58ec10f4fe47c7dce37", - "sha256:6a4d5ce640e37b0efcc8441caeea8f43a06addace2335bd11151bc02d2ee31f9", - "sha256:7df80d07818b385f3129180369079bd6934cf70469f99daaebfac89dca288359", - "sha256:806068d4f86cb06af37cd65821554f98240a19ce646d3cd24e1c33587f313eb8", - "sha256:830f57206cc96ed0ccf68304141fec9481a096c4d2e2831f311bde1c404401da", - "sha256:929006d3c2d923788ba153ad0de8ed2e5ed39fdbe8e7be21e2f22ed06c6783d3", - "sha256:9436dc58c123f07b230383083855593550c4d301d2532045a17ccf6eca505f6d", - "sha256:9dd6e9b1a913d096ac95d0399bd737e00f2af1e1594a787e00f7975778c8b2bf", - "sha256:ace010325c787c378afd7f7c1ac66b26313b3344628652eacd149bdd23c68841", - "sha256:b47a43177a5e65b771b80db71e7be76c0ba23cc8aa73eeeb089ed5219cdbe27d", - "sha256:b797515be8743b771aa868f83563f789bbd4b236659ba52243b735d80b29ed93", - "sha256:b7993704f1a4b204e71debe6095150d43b2ee6150fa4f44d6d966ec356a8d61f", - "sha256:d5c65bdf4484872c4af3150aeebe101ba560dcfb34488d9a8ff8dbcd21079647", - "sha256:d81eddcb12d608cc08081fa88d046c78afb1bf8107e6feab5d43503fea74a635", - "sha256:dc862056f76443a0db4509116c5cd480fe1b6a2d45512a653f9a855cc0517456", - "sha256:ecc771ab628ea281517e24fd2c52e8f31c41e66652d07599ad8818abaad38cda", - "sha256:f200755768dc19c6f4e2b672421e0ebb3dd54c38d5a4f262b872d8cfcc9e93b5", - "sha256:f21756997ad8ef815d8ef3d34edd98804ab5ea337feedcd62fb52d22bf531281", - "sha256:fc13a9524bc18b6fb6e0dbec3533ba0496bbed167c56d0aabefd965584557d80" + "sha256:018c8e3be7f161a12b3e41741b6721f9baeb2210f4ab25a6359b7d76c1017dce", + "sha256:01b456046a05ff7cceefb0e1d2a9d32f05efcb1c7e0d152446304e11557639ce", + "sha256:114a4ab3e5cfbc56c4b6697686ecb92376c7e8c56893ef20547921552f8bdf57", 
+ "sha256:12e0d396faa6dc55ff5379eee54d1df3b508243ff15bfc8295a6ec7a4483a335", + "sha256:190626ced82d4cc567a09e7346340d380154a493bac6905e0095d8158cdf1e38", + "sha256:1f5d5129a937af4e3c4a1d6c139f4051b7d17d43276cefdd8d442a7031f7eef2", + "sha256:21e1ce0b187c4e93112304dcde2aa18922fdbe8fb4f13d8aa72a5657bce0563a", + "sha256:24e8d513bfcaadc1f8b0ebece3ff50961951c54b07d5a775008a882966102418", + "sha256:2523a29006c034687eccd3ee70093a697129a3ffe8732535d3b2df6a4ecc279d", + "sha256:26fbbe17f8a7211b623502d2bf41022a51da3025142401417c765bf9a56fed4c", + "sha256:2b66d61966b12e6bba500e5cbb2c721a35e119c30ee02495c5629bd0e91eea30", + "sha256:2cf5d19e12eff855aa198259c0b02fd3f5d07e1291fbd20279c37b3b0e6c9852", + "sha256:2cfda34b7cb99eacada2072e0f69c0ad3285cb6f8e480b11f2b6d6c1c6f92718", + "sha256:3541882266247c7cd3dba78d6ef28dbe704774df60c9e4231edaa4493522e614", + "sha256:36df958b15639e40472adaa4f0c2c7828fe680f894a6b48c4ce229f59a6a798b", + "sha256:38d394814b39be1c36ac709006d39d50d72a884f9551acd9c8cc1ffae3fc8c4e", + "sha256:4159fc1ec9ede8ab93382e0d6ba9b1b3d23c72da39a834db7a116986605c7ab4", + "sha256:445c0851a1cbc1f2ec3b40bc22f9c4a235edb3c9a0906122a9df6ea8d51f886c", + "sha256:47defc0218682281a52fb1f6346ebb8b68b17538163a89ea24dfe4da37a8a9a3", + "sha256:4cc5c8cd205a9810d16a5cd428cd81bac554ad1477cb87f4ad722b10992e794d", + "sha256:4ccf55f28066b4f08666764a957c2b7c241c7547b0921d69c7ceab5f74fe1a45", + "sha256:4fb3fe591956d8841882c463f934c9f7485cfd5f763a08c0d467b513dc18ef89", + "sha256:526f8397fc124674b8f39748680a0ff673bd6a715fecb4866716d36e380f015f", + "sha256:578bfcb16f4b8675ef71b960c00f174b0426e0eeb796bab6737389d8288eb827", + "sha256:5b51969503709415a35754954c2763f536a70b8bf7360322b2edb0c0a44391f6", + "sha256:5e58ec0375803526d395f6f7e730ecc45d06e15f68f7b9cdbf644a2918324e51", + "sha256:62db44727d0befea68e8ad2881bb87a9cfb6b87d45dd78609009627167f37b69", + "sha256:67090b17a0a5be5704fd109f231ee73cefb1b3802d41288d6378b5df46ae89ba", + 
"sha256:6cd14e61f0da2a2cfb9fe05bfced2a1ed7063ce46a7a8cd473be4973de9a7f91", + "sha256:70740c2bc9ab1c99f7cdcb104f27d16c63860c56d51c5bf0ef82fc1d892a2131", + "sha256:73009ea04205966d47e16d98686ac5c438af23a1bb30b48a2c5da3423ec9ce37", + "sha256:791458a1f7d1b4ab3bd9e93e0dcd1d59ef7ee9aa051dcd1ea030e62e49b923fd", + "sha256:7f9511e48bde6b995825e8d35e434fc96296cf07a25f4aae24ff9162be7eaa46", + "sha256:81c3d597591b0940e04949e4e4f79359b2d2e542a686ba0da5e25de33fec13e0", + "sha256:8230a39bae6c2e8a09e4da6bace5064693b00590a4a213e38f9a9366da10e7dd", + "sha256:8b92a9f3ab904397a33b193000dc4de7318ea175c4c460a1e154c415f9008e3d", + "sha256:94cbe5535ef150546b8321aebea22862a3284da51e7b55f6f95b7d73e96d90ee", + "sha256:960ce1b790952916e682093788696ef7e33ac6a97482f9b983abdc293091b531", + "sha256:99341ca1f1db9e7f47914cb2461305665a662383765ced6f843712564766956d", + "sha256:9aac6881454a750554ed4b280a839dcf9e2133a9d12ab4d417d673fb102289b7", + "sha256:9d359b0a962e052b713647ac1f13eabf2263167b149ed1e27d5c579f5c8c7d2c", + "sha256:9dbab2a7e9c073bc9538824a01f5ed689194db7f55f2b8102766873e906a6c1a", + "sha256:a27b029caa3b555a4f3da54bc1e718eb55fcf1a11fda8bf0132147b476cf4c08", + "sha256:a8b817d4ed68fd568ec5e45dd75ddf30cc72a47a6b41b74d5bb211374c296f5e", + "sha256:ad7d66422b9cc51125509229693d27e18c08f2dea3ac9de408d821932b1b3759", + "sha256:b46e79a9f4db53897d17bc64a39d1c7c2be3e3d4f8dba6d6730a2b13ddf0f986", + "sha256:baa96a3418e27d723064854143b2f414a422c84cc87285a71558722049bebc5a", + "sha256:beeca903e4270b4afcd114f371a9602240dc143f9e944edfea00f8d4ad56c40d", + "sha256:c2a1168e5aa7c72499fb03c850e0f03f624fa4a5c8d2e215c518d0a73872eb64", + "sha256:c5790cc603456b6dcf8a9a4765f666895a6afddc88b3d3ba7b53dea2b6e23116", + "sha256:cb4a08f0aaaa869f189ffea0e17b86ad0237b51116d494da15ef7991ee6ad2d7", + "sha256:cd5771e8ea325f85cbb361ddbdeb9ae424a68e5dfb6eea786afdcd22e68a7d5d", + "sha256:ce8e51774eb03844588d3c279adb94efcd0edeccd2f97516623292445bcc01f9", + "sha256:d09daf5c6ce7fc6ed444c9339bbde5ea84e2534d1ca1cd37b60f365c77f00dea", 
+ "sha256:d0e798b072cf2aab9daceb43d97c9c527a0c7593e67a7846ad4cc6051de1e303", + "sha256:d325d61cac602976a5d47b19eaa7d04e3daf4efce2164c630219885087234102", + "sha256:d408172519049e36fb6d29672f060dc8461fc7174eba9883c7026041ef9bfb38", + "sha256:d52442e7c951e4c9ee591d6047706e66923d248d83958bbf99b8b19515fffaef", + "sha256:dc4cfef5d899f5f1a15f3d2ac49f71107a01a5a2745b4dd53fa0cede1419385a", + "sha256:df7b4cee3ff31b3335aba602f8d70dbc641e5b7164b1e9565570c9d3c536a438", + "sha256:e068dfeadbce63072b2d8096486713d04db4946aad0a0f849bd4fc300799d0d3", + "sha256:e07c24018986fb00d6e7eafca8fcd6e05095649e17fcf0e33a592caaa62a78b9", + "sha256:e0bce9f7c30e7e3a9e683f670314c0144e8d34be6b7019e40604763bd278d84f", + "sha256:e1925f78a543b94c3d46274c66a366fee8a263747060220ed0188e5f3eeea1c0", + "sha256:e322c94596054352f5a02771eec71563c018b15699b961aba14d6dd943367022", + "sha256:e4a095e18847c12ec20e55326ab8782d9c2d599400a3a2f174fab4796875d0e2", + "sha256:e5a811aab1b4aea0b4be669363c19847a8c547510f0e18fb632956369fdbdf67", + "sha256:eddf604a3de2ace3d9a4e4d491be7562a1ac095a0a1c95a9ec5781ef0273ef11", + "sha256:ee9b1cae9a6c5d023e5a150f6f6b9dbb3c3bbc7887d6ee07d4c0ecb49a473734", + "sha256:f1650ea41c408755da5eed52ac6ccbc8938ccc3e698d81e6f6a1be02ff2a0945", + "sha256:f2c0957b3e8c66c10d27272709a5299ab3670a0f187c9428f3b90d267119aedb", + "sha256:f76109387e1ec8d8e2137c94c437b89fe002f29e0881aae8ae45529bdff92000", + "sha256:f8a728511c977df6f3d8af388fcb157e49f11db4a6637dd60131b8b6e40b0253", + "sha256:fb6c3dc3d65014d2c782f5acf0b3ba14e639c6c33d3ed8932ead76b9080b3544" ], - "markers": "python_version >= '3.6'", - "version": "==5.1.0" + "markers": "python_version >= '3.7'", + "version": "==6.0.3" }, "packaging": { "hashes": [ - "sha256:7dc96269f53a4ccec5c0670940a4281106dd0bb343f47b7471f779df49c2fbe7", - "sha256:c86254f9220d55e31cc94d69bade760f0847da8000def4dfe1c6b872fd14ff14" + "sha256:2198ec20bd4c017b8f9717e00f0c8714076fc2fd93816750ab48e2c41de2cfd3", + 
"sha256:957e2148ba0e1a3b282772e791ef1d8083648bc131c8ab0c1feba110ce1146c3" ], - "markers": "python_version >= '3.6'", - "version": "==21.0" + "markers": "python_version >= '3.7'", + "version": "==22.0" }, "pathspec": { "hashes": [ - "sha256:7d15c4ddb0b5c802d161efc417ec1a2558ea2653c2e8ad9c19098201dc1c993a", - "sha256:e564499435a2673d586f6b2130bb5b95f04a3ba06f81b8f895b651a3c76aabb1" + "sha256:88c2606f2c1e818b978540f73ecc908e13999c6c3a383daf3705652ae79807a5", + "sha256:8f6bf73e5758fd365ef5d58ce09ac7c27d2833a8d7da51712eac6e27e35141b0" ], - "version": "==0.9.0" + "markers": "python_version >= '3.7'", + "version": "==0.10.2" }, "pluggy": { "hashes": [ @@ -485,19 +750,11 @@ }, "py": { "hashes": [ - "sha256:21b81bda15b66ef5e1a777a21c4dcd9c20ad3efd0b3f817e7a809035269e1bd3", - "sha256:3b80836aa6d1feeaa108e046da6423ab8f6ceda6468545ae8d02d9d58d18818a" + "sha256:51c75c4126074b472f746a24399ad32f6053d1b34b68d2fa41e558e6f4a98719", + "sha256:607c53218732647dff4acdfcd50cb62615cedf612e72d1724fb1a0cc6405b378" ], - "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==1.10.0" - }, - "pyparsing": { - "hashes": [ - "sha256:c203ec8783bf771a155b207279b9bccb8dea02d8f0c9e5f8ead507bc3246ecc1", - "sha256:ef9d7589ef3c200abe66653d3f1ab1033c3c419ae9b9bdb1240a85b024efc88b" - ], - "markers": "python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==2.4.7" + "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'", + "version": "==1.11.0" }, "pytest": { "hashes": [ @@ -509,10 +766,10 @@ }, "pytz": { "hashes": [ - "sha256:83a4a90894bf38e243cf052c8b58f381bfe9a7a483f6a9cab140bc7f702ac4da", - "sha256:eb10ce3e7736052ed3623d49975ce333bcd712c7bb19a58b9e2089d4057d0798" + "sha256:222439474e9c98fced559f1709d89e6c9cbf8d79c794ff3eb9f8800064291427", + "sha256:e89512406b793ca39f5971bc999cc538ce125c0e51c27941bef4568b460095e2" ], - "version": "==2021.1" + "version": "==2022.6" }, "pyyaml": { "hashes": [ 
@@ -557,49 +814,80 @@ "index": "pypi", "version": "==2.26.0" }, + "setuptools": { + "hashes": [ + "sha256:57f6f22bde4e042978bcd50176fdb381d7c21a9efa4041202288d3737a0c6a54", + "sha256:a7620757bf984b58deaf32fc8a4577a9bbc0850cf92c20e1ce41c38c19e5fb75" + ], + "markers": "python_version >= '3.7'", + "version": "==65.6.3" + }, "simplejson": { "hashes": [ - "sha256:02bc0b7b643fa255048862f580bb4b7121b88b456bc64dabf9bf11df116b05d7", - "sha256:02c04b89b0a456a97d5313357dd9f2259c163a82c5307e39e7d35bb38d7fd085", - "sha256:05cd392c1c9b284bda91cf9d7b6f3f46631da459e8546fe823622e42cf4794bb", - "sha256:1331a54fda3c957b9136402943cf8ebcd29c0c92101ba70fa8c2fc9cdf1b8476", - "sha256:18302970ce341c3626433d4ffbdac19c7cca3d6e2d54b12778bcb8095f695473", - "sha256:1ebbaa48447b60a68043f58e612021e8893ebcf1662a1b18a2595ca262776d7e", - "sha256:2104475a0263ff2a3dffca214c9676eb261e90d06d604ac7063347bd289ac84c", - "sha256:23169d78f74fd25f891e89c779a63fcb857e66ab210096f4069a5b1c9e2dc732", - "sha256:32edf4e491fe174c54bf6682d794daf398736158d1082dbcae526e4a5af6890b", - "sha256:3904b528e3dc0facab73a4406ebf17f007f32f0a8d7f4c6aa9ed5cbad3ea0f34", - "sha256:391a8206e698557a4155354cf6996c002aa447a21c5c50fb94a0d26fd6cca586", - "sha256:3c80b343503da8b13fa7d48d1a2395be67e97b67a849eb79d88ad3b12783e7da", - "sha256:3dddd31857d8230aee88c24f485ebca36d1d875404b2ef11ac15fa3c8a01dc34", - "sha256:56f57c231cdd01b6a1c0532ea9088dff2afe7f4f4bda61c060bcb1a853e6b564", - "sha256:5b080be7de4c647fa84252cf565298a13842658123bd1a322a8c32b6359c8f1e", - "sha256:6285b91cfa37e024f372b9b77d14f279380eebc4f709db70c593c069602e1926", - "sha256:6510e886d9e9006213de2090c55f504b12f915178a2056b94840ed1d89abe68e", - "sha256:6ff6710b824947ef5a360a5a5ae9809c32cedc6110df3b64f01080c1bc1a1f08", - "sha256:79545a6d93bb38f86a00fbc6129cb091a86bb858e7d53b1aaa10d927d3b6732e", - "sha256:88a69c7e8059a4fd7aa2a31d2b3d89077eaae72eb741f18a32cb57d04018ff4c", - "sha256:8f174567c53413383b8b7ec2fbe88d41e924577bc854051f265d4c210cd72999", - 
"sha256:a52b80b9d1085db6e216980d1d28a8f090b8f2203a8c71b4ea13441bd7a2e86e", - "sha256:b25748e71c5df3c67b5bda2cdece373762d319cb5f773f14ae2f90dfb4320314", - "sha256:b45b5f6c9962953250534217b18002261c5b9383349b95fb0140899cdac2bf95", - "sha256:b4ed7b233e812ef1244a29fb0dfd3e149dbc34a2bd13b174a84c92d0cb580277", - "sha256:b60f48f780130f27f8d9751599925c3b78cf045f5d62dd918003effb65b45bda", - "sha256:c69a213ae72b75e8948f06a87d3675855bccb3037671222ffd235095e62f5a61", - "sha256:c91d0f2fc2ee1bd376f5a991c24923f12416d8c31a9b74a82c4b38b942fc2640", - "sha256:d61fb151be068127a0ce7758341cbe778495819622bc1e15eadf59fdb3a0481e", - "sha256:da72a452bcf4349fc467a12b54ab0e63e654a571cacc44084826d52bde12b6ee", - "sha256:dbcd6cd1a9abb5a13c5df93cdc5687f6877efcfefdc9350c22d4094dc4a7dd86", - "sha256:e056056718246c9cdd82d1e3d4ad854a7ceb057498bf994b529750a190a6bd98", - "sha256:e3aa10cce4053f3c1487aaf847a0faa4ae208e11f85a8e6f98de2291713a6616", - "sha256:e7433c604077a17dd71e8b29c96a15e486a70a97f4ed9c7f5e0df6e428af2f0b", - "sha256:f02db159e0afa9cb350f15f4f7b86755eae95267b9012ee90bde329aa643f76c", - "sha256:f32a703fe10cfc2d1020e296eeeeb650faa039678f6b79d9b820413a4c015ddc", - "sha256:fed5e862d9b501c5673c163c8593ebdb2c5422386089c529dfac28d70cd55858", - "sha256:ff7fe042169dd6fce8213c173a4c337f2e807ed5178093143c778eb0484c12ec" + "sha256:002f069c7bb9a86826616a78f1214fea5b993435720990eecb0bf10955b9cd0e", + "sha256:00b673f0b3caf37a3d993bccf30a97290da6313b6ecc7d66937e9cd906d8f840", + "sha256:07e408222931b1a2aab71e60e5f169fa7c0d74cacd4e0a6a0199716cb18dad76", + "sha256:0de746c8f76355c79fd15eccd7ecde0b137cd911bdcdc463fc5c36ec3d8b98ea", + "sha256:0f33d16fa7b5e2ed6ea85d7b31bc84cf8c73c40cc2c9f87071e0fffcd52f5342", + "sha256:0f49858b5fc802081b71269f4a3aa5c5500ec6553637c9a0630f30a2a6541ea7", + "sha256:17dbc7f71fa5b7e4a2acef38cf0be30461ae6659456a978ce7eeebeb5bdf9e1a", + "sha256:17ec5e408fb6615250c1f18fb4eac3b2b99a85e8613bfc2dfa54827d0bf7f3e1", + "sha256:1b4085151e00ab7ca66f269aff7153f0ec18589cb22e7ceb8b365709c723fdd0", 
+ "sha256:1f169402069f8cf93e359f607725b1d920c4dbe5bda4c520025d5fad8d20c1b7", + "sha256:1fbacdbba3cf5a471c67a9ca6cd270bba9578d5bc22aef6028faebbdb98bbb15", + "sha256:252f7cc5524bb5507a08377a4a75aa7ff4645f3dfca814d38bdbcf0f3c34d1ce", + "sha256:2aeed35db00cdf5d49ff1e7d878afd38c86a5fead0f1d364d539ad4d7a869e0e", + "sha256:2cc76435569e6c19574a8e913cfccbed832249b2b3b360caee9a4caf8ff866bf", + "sha256:448ab14fa67b3ac235a8445d14ec6d56268c3dabbce78720f9efa6d698466710", + "sha256:4609feb2ae66c132c6dcbe01dbfd4f6431afb4ff17303e37ca128fb6297cebd2", + "sha256:46bafa7e794f0e91fde850d906b0dc29a624c726b27e75d23bc8c3e35a48f28b", + "sha256:4a6199d302ec7d889e1aa6b493aa8e40b4dfa4bd85708f8c8f0c64ce5b8e0986", + "sha256:4d8d016f70d241f82189bc9f6d1eb8558b3599861f2c501b3f32da7fdf4e92ac", + "sha256:503da91993cc671fe7ebbf120c3ce868278de8226f158336afde874f7b7aa871", + "sha256:54c63cc7857f16a20aa170ffda9ebce45a3b7ba764b67a5a95bfe7ae613a2710", + "sha256:58a429d2c2fa80834115b923ff689622de8f214cf0dc4afa9f59e824b444ab31", + "sha256:599e9c53d3203bc36ef68efec138ca76d201da7ac06a114fae78536a8c10e35b", + "sha256:5f3dd31309ae5cc9f2df51d2d5cac89722dac3c853042ebefcaf7ad06ca19387", + "sha256:6187cbea7fdede732fe0347ad08cd920ebd9faa30b6c48782cee494051ca97c6", + "sha256:622cf0e1f870f189a0757fdcad7998a0c1dd46b0e53aeac9960556c141319c83", + "sha256:638bdd2deaccd3b8e02b1783280bd82341df5e1faa59c4f0276f03f16eec13ea", + "sha256:6804ad50aaf581df5c982fc101b0d932638066fe191074ded783602eb1c8982a", + "sha256:7a4d9b266ae6db578719f1255c742e76ee4676593087f4f6b79a2bbae2b1dcc5", + "sha256:7a9476dcd72aeba7d55c4800b9cd2204201af3539894b8512d74597e35a3033a", + "sha256:7b95c5cf71c16e4fdaa724719aaf8ccbed533e2df57a20bcff825ceeead27688", + "sha256:8493d2c1a940471b07d7c9c356a3f4eee780df073da2917418d0fe8669b54f99", + "sha256:875cfb43b622672218045dc927a86fc7c4c8111264c1d303aca5de33d5df479e", + "sha256:8d762267c4af617e1798bd0151f626105d06a88f214e3874b77eb89106f899fe", + 
"sha256:94c17d01e4c65e63deec46c984bb810de5e3a1259eb6bacdca63f3efc9c4c673", + "sha256:96979ff7f0daf47422d5f95d2d006da3210e0490a166bce2529f59f55047fc67", + "sha256:97139bf5134d713710665a6edb9500d69b93642c4b6b44b20800232dbd0f5b39", + "sha256:989b31d586954e65170ad3ec597218a6790c401b82da6193e8a897a06aa7946e", + "sha256:98b4c824f15436f1b22fe6d73c42ffacb246f7efc4d9dbbee542dd72355ecc43", + "sha256:9aff3c24017a7819c76b2f177d4fe8334b3d4cb6f702a2d7c666b3d57c36ffb4", + "sha256:9db78e18624f94d7b5642bf487244f803dab844e771d92e83f85f22da21ffe2d", + "sha256:a0e6dd5a0b8c76fb7522470789f1af793d39d6edbd4e40853e7be550ad49c430", + "sha256:a2f70d8170c7e02166a4c91462581e6ae5f35e3351a6b6c5142adcb04c7153ac", + "sha256:a814227fa08cae435ac7a42dcd2a04a7ec4a3cee23b7f83f9544cd26f452dcc4", + "sha256:aa9ecdd1d7ecbc7d1066c37cfbe52f65adf64b11b22d481a98fe1d3675dfff4b", + "sha256:b2b19d7aa4e9a1e7bf8caaf5f478a790190c60136314f45bb7702cb5a9337266", + "sha256:b4997bd8332cef3923402a07351571788f552f55ea1394ffbfccd4d203a8a05f", + "sha256:b71fef8ee41d59509c7f4afac7f627ed143c9e6db9eb08cfbba85e4c4dc5e67b", + "sha256:bd67d6fad7f4cd7c9cb7fad32d78ce32862fdb574b898447987a5de22fd37d73", + "sha256:ca22993a1a00440392c6c76f39addab8d97c706d2a8bcc2c9b2b6cb2cd7f41df", + "sha256:ce1c0580372d3c9bfa151bd0721a9bd5647b9b2245d0588d813fdbd2eb5d6f22", + "sha256:d522f28f7b252454df86ac3db5a0e1fe5ae03c8fc0cd1592c912b07c9fad6c29", + "sha256:d5d25cc5dad31a10d7a8196125515cc3aa68187c8953459fcaf127c2c8410f51", + "sha256:d9f7a692c11de20cb8ec680584815315e03d1404a6e299d36489b0fb6447d98d", + "sha256:d9fa2ad4cabb5054faa8d4a44b84134b0ec9d1421f5e9264d057d6be4d13c7fa", + "sha256:db53a85f4db0dbd9e5f6277d9153bcaa2ccb87b0d672c6a35f19432b3f2301a3", + "sha256:db9d36c4c7997c2a2513a5d218fd90b53bfeaf7e727f94aaf3576973378b3bce", + "sha256:e80f02e68d25c222471fcc5d1933275b8eb396e5e40b7863e4e0a43b3c810059", + "sha256:e84bd1c29e83ec74a95de070473742eb52d08502f2428eff5751671081e0a0a6", + "sha256:f0e12bdafdf7e32c5ad4a073e325ea0d659d4277af8b3d8eccf3101c56879619", 
+ "sha256:fd56a9e0c63a1f9c37621fe298c77795aefd2a26dca80dcae27688586c40b4bb" ], "markers": "python_version >= '2.5' and python_version not in '3.0, 3.1, 3.2, 3.3'", - "version": "==3.17.3" + "version": "==3.18.0" }, "six": { "hashes": [ @@ -618,10 +906,11 @@ }, "stix2-patterns": { "hashes": [ - "sha256:174fe5302d2c3223205033af987754132a9ea45a9f8e08aefafbe0549c889ea4", - "sha256:bc46cc4eba44b76a17eab7a3ff67f35203543cdb918ab24c1ebd58403fa27992" + "sha256:07750c5a5af2c758e9d2aa4dde9d8e04bcd162ac2a9b0b4c4de4481d443efa08", + "sha256:ca4d68b2db42ed99794a418388769d2676ca828e9cac0b8629e73cd3f68f6458" ], - "version": "==1.3.2" + "markers": "python_version >= '3.6'", + "version": "==2.0.0" }, "taxii2-client": { "hashes": [ @@ -630,14 +919,6 @@ ], "version": "==2.3.0" }, - "typing-extensions": { - "hashes": [ - "sha256:0ac0f89795dd19de6b97debb0c6af1c70987fd80a2d62d1958f7e56fcc31b497", - "sha256:50b6f157849174217d0656f99dc82fe932884fb250826c18350e159ec6cdf342", - "sha256:779383f6086d90c99ae41cf0ff39aac8a7937a9283ce0a414e5dd782f4c94a84" - ], - "version": "==3.10.0.0" - }, "urllib3": { "hashes": [ "sha256:39fb8672126159acb139a7718dd10806104dec1e2f0f6c88aab05d17df10c8d4", 
@@ -662,46 +943,83 @@ }, "yarl": { "hashes": [ - "sha256:00d7ad91b6583602eb9c1d085a2cf281ada267e9a197e8b7cae487dadbfa293e", - "sha256:0355a701b3998dcd832d0dc47cc5dedf3874f966ac7f870e0f3a6788d802d434", - "sha256:15263c3b0b47968c1d90daa89f21fcc889bb4b1aac5555580d74565de6836366", - "sha256:2ce4c621d21326a4a5500c25031e102af589edb50c09b321049e388b3934eec3", - "sha256:31ede6e8c4329fb81c86706ba8f6bf661a924b53ba191b27aa5fcee5714d18ec", - "sha256:324ba3d3c6fee56e2e0b0d09bf5c73824b9f08234339d2b788af65e60040c959", - "sha256:329412812ecfc94a57cd37c9d547579510a9e83c516bc069470db5f75684629e", - "sha256:4736eaee5626db8d9cda9eb5282028cc834e2aeb194e0d8b50217d707e98bb5c", - "sha256:4953fb0b4fdb7e08b2f3b3be80a00d28c5c8a2056bb066169de00e6501b986b6", - "sha256:4c5bcfc3ed226bf6419f7a33982fb4b8ec2e45785a0561eb99274ebbf09fdd6a", - "sha256:547f7665ad50fa8563150ed079f8e805e63dd85def6674c97efd78eed6c224a6", - "sha256:5b883e458058f8d6099e4420f0cc2567989032b5f34b271c0827de9f1079a424", - "sha256:63f90b20ca654b3ecc7a8d62c03ffa46999595f0167d6450fa8383bab252987e", - "sha256:68dc568889b1c13f1e4745c96b931cc94fdd0defe92a72c2b8ce01091b22e35f", - "sha256:69ee97c71fee1f63d04c945f56d5d726483c4762845400a6795a3b75d56b6c50", - "sha256:6d6283d8e0631b617edf0fd726353cb76630b83a089a40933043894e7f6721e2", - "sha256:72a660bdd24497e3e84f5519e57a9ee9220b6f3ac4d45056961bf22838ce20cc", - "sha256:73494d5b71099ae8cb8754f1df131c11d433b387efab7b51849e7e1e851f07a4", - "sha256:7356644cbed76119d0b6bd32ffba704d30d747e0c217109d7979a7bc36c4d970", - "sha256:8a9066529240171b68893d60dca86a763eae2139dd42f42106b03cf4b426bf10", - "sha256:8aa3decd5e0e852dc68335abf5478a518b41bf2ab2f330fe44916399efedfae0", - "sha256:97b5bdc450d63c3ba30a127d018b866ea94e65655efaf889ebeabc20f7d12406", - "sha256:9ede61b0854e267fd565e7527e2f2eb3ef8858b301319be0604177690e1a3896", - "sha256:b2e9a456c121e26d13c29251f8267541bd75e6a1ccf9e859179701c36a078643", - "sha256:b5dfc9a40c198334f4f3f55880ecf910adebdcb2a0b9a9c23c9345faa9185721", - 
"sha256:bafb450deef6861815ed579c7a6113a879a6ef58aed4c3a4be54400ae8871478", - "sha256:c49ff66d479d38ab863c50f7bb27dee97c6627c5fe60697de15529da9c3de724", - "sha256:ce3beb46a72d9f2190f9e1027886bfc513702d748047b548b05dab7dfb584d2e", - "sha256:d26608cf178efb8faa5ff0f2d2e77c208f471c5a3709e577a7b3fd0445703ac8", - "sha256:d597767fcd2c3dc49d6eea360c458b65643d1e4dbed91361cf5e36e53c1f8c96", - "sha256:d5c32c82990e4ac4d8150fd7652b972216b204de4e83a122546dce571c1bdf25", - "sha256:d8d07d102f17b68966e2de0e07bfd6e139c7c02ef06d3a0f8d2f0f055e13bb76", - "sha256:e46fba844f4895b36f4c398c5af062a9808d1f26b2999c58909517384d5deda2", - "sha256:e6b5460dc5ad42ad2b36cca524491dfcaffbfd9c8df50508bddc354e787b8dc2", - "sha256:f040bcc6725c821a4c0665f3aa96a4d0805a7aaf2caf266d256b8ed71b9f041c", - "sha256:f0b059678fd549c66b89bed03efcabb009075bd131c248ecdf087bdb6faba24a", - "sha256:fcbb48a93e8699eae920f8d92f7160c03567b421bc17362a9ffbbd706a816f71" + "sha256:009a028127e0a1755c38b03244c0bea9d5565630db9c4cf9572496e947137a87", + "sha256:0414fd91ce0b763d4eadb4456795b307a71524dbacd015c657bb2a39db2eab89", + "sha256:0978f29222e649c351b173da2b9b4665ad1feb8d1daa9d971eb90df08702668a", + "sha256:0ef8fb25e52663a1c85d608f6dd72e19bd390e2ecaf29c17fb08f730226e3a08", + "sha256:10b08293cda921157f1e7c2790999d903b3fd28cd5c208cf8826b3b508026996", + "sha256:1684a9bd9077e922300ecd48003ddae7a7474e0412bea38d4631443a91d61077", + "sha256:1b372aad2b5f81db66ee7ec085cbad72c4da660d994e8e590c997e9b01e44901", + "sha256:1e21fb44e1eff06dd6ef971d4bdc611807d6bd3691223d9c01a18cec3677939e", + "sha256:2305517e332a862ef75be8fad3606ea10108662bc6fe08509d5ca99503ac2aee", + "sha256:24ad1d10c9db1953291f56b5fe76203977f1ed05f82d09ec97acb623a7976574", + "sha256:272b4f1599f1b621bf2aabe4e5b54f39a933971f4e7c9aa311d6d7dc06965165", + "sha256:2a1fca9588f360036242f379bfea2b8b44cae2721859b1c56d033adfd5893634", + "sha256:2b4fa2606adf392051d990c3b3877d768771adc3faf2e117b9de7eb977741229", + "sha256:3150078118f62371375e1e69b13b48288e44f6691c1069340081c3fd12c94d5b", 
+ "sha256:326dd1d3caf910cd26a26ccbfb84c03b608ba32499b5d6eeb09252c920bcbe4f", + "sha256:34c09b43bd538bf6c4b891ecce94b6fa4f1f10663a8d4ca589a079a5018f6ed7", + "sha256:388a45dc77198b2460eac0aca1efd6a7c09e976ee768b0d5109173e521a19daf", + "sha256:3adeef150d528ded2a8e734ebf9ae2e658f4c49bf413f5f157a470e17a4a2e89", + "sha256:3edac5d74bb3209c418805bda77f973117836e1de7c000e9755e572c1f7850d0", + "sha256:3f6b4aca43b602ba0f1459de647af954769919c4714706be36af670a5f44c9c1", + "sha256:3fc056e35fa6fba63248d93ff6e672c096f95f7836938241ebc8260e062832fe", + "sha256:418857f837347e8aaef682679f41e36c24250097f9e2f315d39bae3a99a34cbf", + "sha256:42430ff511571940d51e75cf42f1e4dbdded477e71c1b7a17f4da76c1da8ea76", + "sha256:44ceac0450e648de86da8e42674f9b7077d763ea80c8ceb9d1c3e41f0f0a9951", + "sha256:47d49ac96156f0928f002e2424299b2c91d9db73e08c4cd6742923a086f1c863", + "sha256:48dd18adcf98ea9cd721a25313aef49d70d413a999d7d89df44f469edfb38a06", + "sha256:49d43402c6e3013ad0978602bf6bf5328535c48d192304b91b97a3c6790b1562", + "sha256:4d04acba75c72e6eb90745447d69f84e6c9056390f7a9724605ca9c56b4afcc6", + "sha256:57a7c87927a468e5a1dc60c17caf9597161d66457a34273ab1760219953f7f4c", + "sha256:58a3c13d1c3005dbbac5c9f0d3210b60220a65a999b1833aa46bd6677c69b08e", + "sha256:5df5e3d04101c1e5c3b1d69710b0574171cc02fddc4b23d1b2813e75f35a30b1", + "sha256:63243b21c6e28ec2375f932a10ce7eda65139b5b854c0f6b82ed945ba526bff3", + "sha256:64dd68a92cab699a233641f5929a40f02a4ede8c009068ca8aa1fe87b8c20ae3", + "sha256:6604711362f2dbf7160df21c416f81fac0de6dbcf0b5445a2ef25478ecc4c778", + "sha256:6c4fcfa71e2c6a3cb568cf81aadc12768b9995323186a10827beccf5fa23d4f8", + "sha256:6d88056a04860a98341a0cf53e950e3ac9f4e51d1b6f61a53b0609df342cc8b2", + "sha256:705227dccbe96ab02c7cb2c43e1228e2826e7ead880bb19ec94ef279e9555b5b", + "sha256:728be34f70a190566d20aa13dc1f01dc44b6aa74580e10a3fb159691bc76909d", + "sha256:74dece2bfc60f0f70907c34b857ee98f2c6dd0f75185db133770cd67300d505f", + 
"sha256:75c16b2a900b3536dfc7014905a128a2bea8fb01f9ee26d2d7d8db0a08e7cb2c", + "sha256:77e913b846a6b9c5f767b14dc1e759e5aff05502fe73079f6f4176359d832581", + "sha256:7a66c506ec67eb3159eea5096acd05f5e788ceec7b96087d30c7d2865a243918", + "sha256:8c46d3d89902c393a1d1e243ac847e0442d0196bbd81aecc94fcebbc2fd5857c", + "sha256:93202666046d9edadfe9f2e7bf5e0782ea0d497b6d63da322e541665d65a044e", + "sha256:97209cc91189b48e7cfe777237c04af8e7cc51eb369004e061809bcdf4e55220", + "sha256:a48f4f7fea9a51098b02209d90297ac324241bf37ff6be6d2b0149ab2bd51b37", + "sha256:a783cd344113cb88c5ff7ca32f1f16532a6f2142185147822187913eb989f739", + "sha256:ae0eec05ab49e91a78700761777f284c2df119376e391db42c38ab46fd662b77", + "sha256:ae4d7ff1049f36accde9e1ef7301912a751e5bae0a9d142459646114c70ecba6", + "sha256:b05df9ea7496df11b710081bd90ecc3a3db6adb4fee36f6a411e7bc91a18aa42", + "sha256:baf211dcad448a87a0d9047dc8282d7de59473ade7d7fdf22150b1d23859f946", + "sha256:bb81f753c815f6b8e2ddd2eef3c855cf7da193b82396ac013c661aaa6cc6b0a5", + "sha256:bcd7bb1e5c45274af9a1dd7494d3c52b2be5e6bd8d7e49c612705fd45420b12d", + "sha256:bf071f797aec5b96abfc735ab97da9fd8f8768b43ce2abd85356a3127909d146", + "sha256:c15163b6125db87c8f53c98baa5e785782078fbd2dbeaa04c6141935eb6dab7a", + "sha256:cb6d48d80a41f68de41212f3dfd1a9d9898d7841c8f7ce6696cf2fd9cb57ef83", + "sha256:ceff9722e0df2e0a9e8a79c610842004fa54e5b309fe6d218e47cd52f791d7ef", + "sha256:cfa2bbca929aa742b5084fd4663dd4b87c191c844326fcb21c3afd2d11497f80", + "sha256:d617c241c8c3ad5c4e78a08429fa49e4b04bedfc507b34b4d8dceb83b4af3588", + "sha256:d881d152ae0007809c2c02e22aa534e702f12071e6b285e90945aa3c376463c5", + "sha256:da65c3f263729e47351261351b8679c6429151ef9649bba08ef2528ff2c423b2", + "sha256:de986979bbd87272fe557e0a8fcb66fd40ae2ddfe28a8b1ce4eae22681728fef", + "sha256:df60a94d332158b444301c7f569659c926168e4d4aad2cfbf4bce0e8fb8be826", + "sha256:dfef7350ee369197106805e193d420b75467b6cceac646ea5ed3049fcc950a05", + "sha256:e59399dda559688461762800d7fb34d9e8a6a7444fd76ec33220a926c8be1516", 
+ "sha256:e6f3515aafe0209dd17fb9bdd3b4e892963370b3de781f53e1746a521fb39fc0", + "sha256:e7fd20d6576c10306dea2d6a5765f46f0ac5d6f53436217913e952d19237efc4", + "sha256:ebb78745273e51b9832ef90c0898501006670d6e059f2cdb0e999494eb1450c2", + "sha256:efff27bd8cbe1f9bd127e7894942ccc20c857aa8b5a0327874f30201e5ce83d0", + "sha256:f37db05c6051eff17bc832914fe46869f8849de5b92dc4a3466cd63095d23dfd", + "sha256:f8ca8ad414c85bbc50f49c0a106f951613dfa5f948ab69c10ce9b128d368baf8", + "sha256:fb742dcdd5eec9f26b61224c23baea46c9055cf16f62475e11b9b15dfd5c117b", + "sha256:fc77086ce244453e074e445104f0ecb27530d6fd3a46698e33f6c38951d5a0f1", + "sha256:ff205b58dc2929191f68162633d5e10e8044398d7a45265f90a0f1d51f85f72c" ], - "markers": "python_version >= '3.6'", - "version": "==1.6.3" + "markers": "python_version >= '3.7'", + "version": "==1.8.2" } } } From 868be248ddb7ac7cc36180d5cffc16c99151af0a Mon Sep 17 00:00:00 2001 From: Qasim Qlf Date: Fri, 9 Dec 2022 11:27:28 +0500 Subject: [PATCH 103/303] Fix the filter --- .../proc_creation_win_susp_userinit_child.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml b/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml index a84f52be0..18301a4a1 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_userinit_child.yml @@ -6,7 +6,7 @@ references: - https://twitter.com/SBousseaden/status/1139811587760562176 author: Florian Roth (rule), Samir Bousseaden (idea) date: 2019/06/17 -modified: 2022/10/09 +modified: 2022/12/09 tags: - attack.defense_evasion - attack.t1055 @@ -20,7 +20,7 @@ detection: CommandLine|contains: '\netlogon\' filter2: - Image|endswith: '\explorer.exe' - - ImageFileName: 'explorer.exe' + - OriginalFileName: 'explorer.exe' condition: selection and not 1 of filter* fields: - CommandLine 
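Review bot: The new `filter2` entries are a YAML list and therefore OR-ed: a process is exempted when either its path ends in `\explorer.exe` or its `OriginalFileName` is `explorer.exe`, and since `OriginalFileName` is read from the binary's own version resource the second key exempts a binary at any path that carries that name, which the old `ImageFileName` entry (now treated as a typo for `OriginalFileName` by patch 105 in this series) could never do. If the wider exclusion is intended, for telemetry that lacks `Image`, a comment on the list would record that, e.g. `# either key alone exempts the process; OriginalFileName comes from the PE version resource`; otherwise placing both keys in one map requires path and version name together. The selection this filter applies to starts above the hunk.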
From fb8e0894b0d4e68114c0edb042ae072b11e2dcf0 Mon Sep 17 00:00:00 2001
From: Qasim Qlf
Date: Fri, 9 Dec 2022 13:42:49 +0500
Subject: [PATCH 104/303] fix: condition
---
.../proc_creation_win_susp_use_of_sqlps_bin.yml | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml b/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml
index 91cb6862a..f1f4d118b 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml
@@ -10,7 +10,7 @@ references:
 - https://twitter.com/bryon_/status/975835709587075072
 author: 'Agro (@agro_sev) oscd.community'
 date: 2020/10/10
-modified: 2022/02/25
+modified: 2022/12/09
 tags:
 - attack.execution
 - attack.t1059.001
@@ -21,14 +21,13 @@ logsource:
 product: windows
 detection:
 selection_1:
- Image|endswith: '\sqlps.exe'
+ - Image|endswith: '\sqlps.exe'
+ - OriginalFileName: 'sqlps.exe'
 selection_2:
 ParentImage|endswith: '\sqlps.exe'
- selection_3:
- OriginalFileName: '\sqlps.exe'
 filter:
 ParentImage|endswith: '\sqlagent.exe'
- condition: 1 of selection_* and not filter
+ condition: (selection_1 and not filter) or selection_2
 falsepositives:
 - Direct PS command execution through SQLPS.exe is uncommon, childprocess sqlps.exe spawned by sqlagent.exe is a legitimate action.
 level: medium
From a0e80197805563393e82bbb07d0c676c70430199 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 9 Dec 2022 10:33:33 +0100
Subject: [PATCH 105/303] fix: issue raised by PR #3769
---
tests/test_rules.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/test_rules.py b/tests/test_rules.py
index 6f797afe6..b58d0884a 100755
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
@@ -935,7 +935,7 @@ class TestRules(unittest.TestCase):
 # add "OriginalFilename" after Aurora switched to SourceFilename
 # add "ProviderName" after special case powershell classic is resolved
 # typos is a list of tuples where each tuple contains ("The typo", "The correct version")
- typos = [("ServiceFilename", "ServiceFileName"), ("TargetFileName", "TargetFilename"), ("SourceFileName", "OriginalFileName"), ("Commandline", "CommandLine"), ("Targetobject", "TargetObject"), ("OriginalName", "OriginalFileName")]
+ typos = [("ServiceFilename", "ServiceFileName"), ("TargetFileName", "TargetFilename"), ("SourceFileName", "OriginalFileName"), ("Commandline", "CommandLine"), ("Targetobject", "TargetObject"), ("OriginalName", "OriginalFileName"), ("ImageFileName", "OriginalFileName")]
 faulty_rules = []
 for file in self.yield_next_rule_file_path(self.path_to_rules):
 # Some fields exists in certain log sources in different forms than other log sources. We need to handle these as special cases
From 6f6cb9648dec2e0429c10fb9b8a9b2723bf9e441 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 9 Dec 2022 10:33:52 +0100
Subject: [PATCH 106/303] fix: fp found in testing
---
.../security/win_security_susp_scheduled_task_delete.yml | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml b/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml
index b19494759..3b3d77ad5 100644
--- a/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml
+++ b/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml
@@ -12,6 +12,7 @@ references:
 - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701
 author: Nasreddine Bencherchali
 date: 2022/12/05
+modified: 2022/12/08
 tags:
 - attack.execution
 - attack.privilege_escalation
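Review bot: The rewritten `typos` assignment now holds seven tuples on one line of roughly 300 characters, and every further alias will produce the same whole-line diff; laying the list out one tuple per line (`typos = [` / `    ("ServiceFilename", "ServiceFileName"),` / `]`) makes later additions one-line changes and the mapping easier to scan. The added pair itself is consistent with the `ImageFileName` to `OriginalFileName` change made to the userinit rule earlier in this series. The test method containing this list starts and ends outside the hunk.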
@@ -27,7 +28,7 @@ detection:
 - 4699 # Task Deleted Event
 - 4701 # Task Disabled Event
 TaskName|contains:
- # Add more important tasks>
+ # Add more important tasks
 - '\Windows\SystemRestore\SR'
 - '\Windows\Windows Defender\'
 - '\Windows\BitLocker'
@@ -35,7 +36,9 @@ detection:
 - '\Windows\WindowsUpdate\'
 - '\Windows\UpdateOrchestrator\'
 - '\Windows\ExploitGuard'
- condition: selection
+ filter_ac_power_download:
+ Task|contains: '\Windows\UpdateOrchestrator\AC Power Download'
+ condition: selection and not 1 of filter_*
 falsepositives:
 - Unknown
 level: high
From 7cd15d0bc1e7c49a193b9c4cdf67769f85c7dc1b Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 9 Dec 2022 10:34:06 +0100
Subject: [PATCH 107/303] fix: update metadata
---
.../proc_creation_win_false_sysinternalsuite.yml | 5 +++--
.../proc_creation_win_impacket_lateralization.yml | 4 ++--
.../process_creation/proc_creation_win_renamed_procdump.yml | 6 +++---
3 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_false_sysinternalsuite.yml b/rules/windows/process_creation/proc_creation_win_false_sysinternalsuite.yml
index ba28010ce..c1feb1bd7 100644
--- a/rules/windows/process_creation/proc_creation_win_false_sysinternalsuite.yml
+++ b/rules/windows/process_creation/proc_creation_win_false_sysinternalsuite.yml
@@ -1,11 +1,12 @@
-title: False Sysinternals Suite Tools
+title: Potential Binary Impersonating Sysinternals Tools
 id: 7cce6fc8-a07f-4d84-a53e-96e1879843c9
 status: experimental
-description: Rename as a legitimate Sysinternals Suite tool to evade detection
+description: Detects binaries that use the same name as legitimate sysinternals tools to evade detection
 references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite
 author: frack113
 date: 2021/12/20
+modified: 2022/12/08
 tags:
 - attack.execution
 - attack.defense_evasion
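Review bot: The new `filter_ac_power_download` matches on a field named `Task`, but the selection it is meant to carve out of (visible in the preceding hunk) keys on `TaskName|contains`, and events 4699/4701 carry the task path in `TaskName`; as written the filter never matches and the false positive the commit targets still alerts. The line should read `TaskName|contains: '\Windows\UpdateOrchestrator\AC Power Download'`. Note also that patch 109 later in this series starts from the same base (`index b19494759`) and replaces the same `condition: selection` line with a differently named `filter`, so the two need reconciling; the `1 of filter_*` form used here would cover both if that filter were named `filter_*` as well.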
diff --git a/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml b/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml
index fb8f65ecb..ba53f5896 100644
--- a/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml
+++ b/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml
@@ -9,7 +9,7 @@ references:
 - https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py
 author: Ecco, oscd.community, Jonhnathan Ribeiro
 date: 2019/09/03
-modified: 2021/11/27
+modified: 2022/12/08
 tags:
 - attack.execution
 - attack.t1047
@@ -46,7 +46,7 @@ detection:
 - 'cmd.exe'
 - '/Q'
 - '/c'
- - '\\\\127.0.0.1\'
+ - '\\\\127.0.0.1\\'
 - '&1'
 selection_atexec:
 ParentCommandLine|contains:
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml b/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml
index 9a09c3246..0e7a7715a 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml
@@ -1,4 +1,4 @@
-title: Renamed ProcDump
+title: Renamed ProcDump Execution
 id: 4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67
 related:
 - id: 03795938-1387-481b-9f4c-3f6241e604fe
@@ -9,7 +9,7 @@ references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/procdump
 author: Florian Roth
 date: 2019/11/18
-modified: 2022/08/12
+modified: 2022/12/08
 tags:
 - attack.defense_evasion
 - attack.t1036.003
@@ -34,5 +34,5 @@ detection:
 condition: (selection_org or all of selection_args_*) and not filter
 falsepositives:
 - Procdump illegaly bundled with legitimate software
- - Weird admins who renamed binaries (and should be investigated)
+ - Administrators who rename binaries (should be investigated)
 level: high
From 0783d6df2265657a407127c3fd62d7ce3d752c13 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 9 Dec 2022 12:22:50 +0100
Subject: [PATCH 108/303] feat: update Lsass-Shtinkering rules
---
...in_werfault_susp_lsass_credential_dump.yml | 26 +++++++++++++++++++
.../proc_creation_lsass_shtinkering.yml | 6 ++++-
2 files changed, 31 insertions(+), 1 deletion(-)
create mode 100644 rules/windows/builtin/application/win_werfault_susp_lsass_credential_dump.yml
diff --git a/rules/windows/builtin/application/win_werfault_susp_lsass_credential_dump.yml b/rules/windows/builtin/application/win_werfault_susp_lsass_credential_dump.yml
new file mode 100644
index 000000000..d4ac076dd
--- /dev/null
+++ b/rules/windows/builtin/application/win_werfault_susp_lsass_credential_dump.yml
@@ -0,0 +1,26 @@
+title: Potential Credential Dumping Via WER - Application
+id: a18e0862-127b-43ca-be12-1a542c75c7c5
+status: experimental
+description: Detects windows error reporting event where the process that crashed is lsass. This could be the cause of an intentional crash by techniques such as Lsass-Shtinkering to dump credential
+references:
+ - https://github.com/deepinstinct/Lsass-Shtinkering
+ - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
+ - https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-erref/596a1078-e883-4972-9bbc-49e60bebca55
+author: Nasreddine Bencherchali
+date: 2022/12/07
+tags:
+ - attack.credential_access
+ - attack.t1003.001
+logsource:
+ product: windows
+ service: application
+detection:
+ selection:
+ Provider_Name: 'Application Error'
+ EventID: 1000
+ AppName: 'lsass.exe'
+ ExceptionCode: 'c0000001' # STATUS_UNSUCCESSFUL
+ condition: selection
+falsepositives:
+ - Rare legitimate crashing of the lsass process
+level: high
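Review bot: The new rule has no `related` entry, although it is the Application-log counterpart of the process_creation rule `9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3` edited in the same commit; adding `related:` / `    - id: 9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3` / `      type: similar` after `id:` lets an analyst pivot from a hit on one rule to the other. The selection keys on exactly one `ExceptionCode` (`c0000001`, STATUS_UNSUCCESSFUL); the description should say whether this is the code observed in the referenced research or the only code such an lsass crash produces, since a reader cannot tell which from the rule. The description also ends `to dump credential`, which reads as `to dump credentials`.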
diff --git a/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml b/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml
index a88adb413..cc021edaa 100644
--- a/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml
+++ b/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml
@@ -1,4 +1,4 @@
-title: Potential Credential Dumping Via Windows Error Reporting
+title: Potential Credential Dumping Via WER
 id: 9a4ccd1a-3526-4d99-b980-9f9c5d3a6ff3
 status: experimental
 description: Detects potential credential dumping via Windows Error Reporting LSASS Shtinkering technique which uses the Windows Error Reporting to dump lsass
@@ -7,6 +7,7 @@ references:
 - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf
 author: '@pbssubhash , Nasreddine Bencherchali'
 date: 2022/12/08
+modified: 2022/12/09
 tags:
 - attack.credential_access
 - attack.t1003.001
@@ -25,7 +26,10 @@ detection:
 - 'AUTHORI'
 - 'AUTORI'
 CommandLine|contains|all:
+ # Doc: WerFault.exe -u -p -ip -s
 # Example: C:\Windows\system32\Werfault.exe -u -p 744 -ip 1112 -s 244
+ # If the source process is not equal to the target process and the target process is LSASS then this is an indication of this technique
+ # Example: If the "-p" points the PID of "lsass.exe" and "-ip" points to a different process than "lsass.exe" then this is a sign of malicious activity
 - ' -u -p '
 - ' -ip '
 - ' -s '
From 356ab98ada7cf220183c42519da6090155634c29 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 9 Dec 2022 12:55:41 +0100
Subject: [PATCH 109/303] fix: FPs with Important Scheduled Task Deleted
---
.../security/win_security_susp_scheduled_task_delete.yml | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
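Review bot: The two comment lines added under `CommandLine|contains|all:` describe a PID comparison (`-p` names lsass while `-ip` names a different process) that the selection cannot make, since it only checks that ` -u -p `, ` -ip ` and ` -s ` occur in the command line, so the comment reads as the rule's logic rather than as a triage hint. Reword it to say so, e.g. `# NOTE: the rule only requires the switches below; comparing the "-p" and "-ip" PIDs against lsass.exe is an analyst step, not a condition this process_creation match can express`. The `# Doc:` line currently just repeats the switch names and could be dropped or expanded to say what each one carries. The selection this hunk belongs to starts above the hunk.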
diff --git a/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml b/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml
index b19494759..78b60d3fe 100644
--- a/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml
+++ b/rules/windows/builtin/security/win_security_susp_scheduled_task_delete.yml
@@ -12,6 +12,7 @@ references:
 - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4701
 author: Nasreddine Bencherchali
 date: 2022/12/05
+modified: 2022/12/09
 tags:
 - attack.execution
 - attack.privilege_escalation
@@ -35,7 +36,9 @@ detection:
 - '\Windows\WindowsUpdate\'
 - '\Windows\UpdateOrchestrator\'
 - '\Windows\ExploitGuard'
- condition: selection
+ filter:
+ SubjectUserName|endswith: '$' # False positives during upgrades of Defender, where its tasks get removed and added
+ condition: selection and not filter
 falsepositives:
 - Unknown
 level: high
From 1143ec85b4808d3215dc481ae948fff2e552bffc Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 9 Dec 2022 16:38:32 +0100
Subject: [PATCH 110/303] feat: enhance pssnapin rule
---
...reation_win_powershell_snapins_hafnium.yml | 25 +++++++++++++------
1 file changed, 17 insertions(+), 8 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml b/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml
index f1143d516..bc5a795f5 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_snapins_hafnium.yml
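Review bot: `SubjectUserName|endswith: '$'` exempts every task deletion or disablement performed under a machine account, which is typically how SYSTEM-context activity appears in the Security log, not only the Defender upgrade the inline comment names; with this filter a `high` rule no longer fires when the SystemRestore, BitLocker or ExploitGuard tasks are removed in that context. If the known false positive is confined to Defender's own tasks, scoping the filter to that path keeps the rest of the coverage: `filter:` / `    SubjectUserName|endswith: '$'` / `    TaskName|contains: '\Windows\Windows Defender\'`. This hunk and patch 106 earlier in the series both start from `index b19494759` and replace the same `condition: selection` line, so the second to land must be merged; naming this filter `filter_*` would let patch 106's `condition: selection and not 1 of filter_*` pick it up unchanged.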
@@ -1,13 +1,14 @@ -title: Exchange PowerShell Snap-Ins Used by HAFNIUM +title: Exchange PowerShell Snap-Ins Usage id: 25676e10-2121-446e-80a4-71ff8506af47 status: experimental -description: Detects adding and using Exchange PowerShell snap-ins to export mailbox data by HAFNIUM +description: Detects adding and using Exchange PowerShell snap-ins to export mailbox data. As seen used by HAFNIUM and APT27 references: - https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/ - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ -author: FPT.EagleEye + - https://www.intrinsec.com/apt27-analysis/ +author: FPT.EagleEye, Nasreddine Bencherchali date: 2021/03/03 -modified: 2022/07/14 +modified: 2022/12/09 tags: - attack.execution - attack.t1059.001 @@ -17,12 +18,20 @@ logsource: category: process_creation product: windows detection: - selection: - Image|endswith: + selection_img: + - Image|endswith: - '\powershell.exe' - '\pwsh.exe' - CommandLine|contains: 'add-pssnapin microsoft.exchange.powershell.snapin' - condition: selection + - OriginalFileName: + - 'PowerShell.EXE' + - 'pwsh.dll' + selection_cli: + CommandLine|contains: 'Add-PSSnapin' + selection_module: + CommandLine|contains: + - 'Microsoft.Exchange.Powershell.Snapin' + - 'Microsoft.Exchange.Management.PowerShell.SnapIn' + condition: all of selection_* fields: - CommandLine - ParentCommandLine From 9f346ce7d1b03aba4945caf5d281cc2ec7ea3d49 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 9 Dec 2022 16:41:36 +0100 Subject: [PATCH 111/303] fix: typo in rule filename --- ...p_log_file.yml => file_event_win_mimikatz_memssp_log_file.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/windows/file/file_event/{file_event_win_mimimaktz_memssp_log_file.yml => file_event_win_mimikatz_memssp_log_file.yml} (100%) 
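Review bot: Splitting the match into `selection_cli: CommandLine|contains: 'Add-PSSnapin'` and a separate `selection_module` drops the old requirement that the snap-in name follow `add-pssnapin`, so any command line that mentions `Add-PSSnapin` anywhere and one of the Exchange snap-in names anywhere now matches, including an administrative script that adds a different snap-in while referencing the Exchange one. That widening is reasonable for a process_creation rule, but it should be stated in `description` and reflected in `falsepositives` (outside the hunk) with administrative Exchange scripting. A one-line comment above `selection_cli` noting that encoded or script-file invocations are not visible on the command line and need the PowerShell script-block log source would document the coverage boundary.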
diff --git a/rules/windows/file/file_event/file_event_win_mimimaktz_memssp_log_file.yml b/rules/windows/file/file_event/file_event_win_mimikatz_memssp_log_file.yml similarity index 100% rename from rules/windows/file/file_event/file_event_win_mimimaktz_memssp_log_file.yml rename to rules/windows/file/file_event/file_event_win_mimikatz_memssp_log_file.yml From cde2bdfc22c08925d6f58282bdd265e9265a5856 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 9 Dec 2022 17:11:03 +0100 Subject: [PATCH 112/303] fix: fix typo in fieldname and close #2101 --- rules/windows/image_load/image_load_foggyweb_nobelium.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/image_load/image_load_foggyweb_nobelium.yml b/rules/windows/image_load/image_load_foggyweb_nobelium.yml index eaf808b22..8c0ca56f2 100644 --- a/rules/windows/image_load/image_load_foggyweb_nobelium.yml +++ b/rules/windows/image_load/image_load_foggyweb_nobelium.yml @@ -1,12 +1,12 @@ title: FoggyWeb Backdoor DLL Loading id: 640dc51c-7713-4faa-8a0e-e7c0d9d4654c status: test -description: Detects DLL image load activity as used by FoggyWeb backdoor loader +description: Detects DLL hijacking technique used by NOBELIUM in their FoggyWeb backdoor. Which loads a malicious version of the expected "version.dll" dll references: - https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/ author: Florian Roth date: 2021/09/27 -modified: 2022/10/09 +modified: 2022/12/09 tags: - attack.resource_development - attack.t1587 @@ -15,7 +15,7 @@ logsource: product: windows detection: selection: - Image: C:\Windows\ADFS\version.dll + ImageLoaded: 'C:\Windows\ADFS\version.dll' condition: selection falsepositives: - Unlikely From 14d174e218b837d1d27b96a6f1f3f2e12161866b Mon Sep 17 00:00:00 2001 
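Review bot: `ImageLoaded: 'C:\Windows\ADFS\version.dll'` pins the drive letter, so an AD FS installation on another volume never matches; `ImageLoaded|endswith: '\ADFS\version.dll'` keeps the intent and is the form the other image_load rules in this series use. Pairing it with the loading process (`Image|endswith` on the AD FS service executable, name to be confirmed from the referenced write-up) would also cut noise from unrelated processes that load from that folder.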
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 9 Dec 2022 17:36:24 +0100 Subject: [PATCH 113/303] feat: update rules related to dll sideloading --- ...ile_event_win_create_non_existent_dlls.yml | 7 +++ ...oad_side_load_from_non_system_location.yml | 9 +++- ...image_load_side_load_non_existent_dlls.yml | 43 +++++++++++++++++++ .../image_load_susp_dbghelp_dbgcore_load.yml | 4 +- 4 files changed, 60 insertions(+), 3 deletions(-) create mode 100644 rules/windows/image_load/image_load_side_load_non_existent_dlls.yml diff --git a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml index 9c9c65693..522c8f4fd 100644 --- a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml +++ b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml @@ -1,10 +1,16 @@ title: Creation Of Non-Existent DLLs In System Folders id: df6ecb8b-7822-4f4b-b412-08f524b4576c +related: + - id: 6b98b92b-4f00-4f62-b4fe-4d1920215771 + type: similar status: experimental description: Detects the creation of system dlls that are not present on the system. Usualy to achieve dll hijacking references: - https://decoded.avast.io/martinchlumecky/png-steganography/ - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992 + - https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/ + - https://github.com/Wh04m1001/SysmonEoP + - https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/ author: Nasreddine Bencherchali date: 2022/12/01 tags: @@ -22,6 +28,7 @@ detection: - 'C:\Windows\System32\WLBSCTRL.dll' - 'C:\Windows\System32\TSMSISrv.dll' - 'C:\Windows\System32\TSVIPSrv.dll' + - 'C:\Windows\System32\wow64log.dll' filter: Image|startswith: 'C:\Windows\System32\' condition: selection and not filter 
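Review bot: The new `C:\Windows\System32\wow64log.dll` entry, like the existing ones, is subject to the unchanged `filter: Image|startswith: 'C:\Windows\System32\'`, which suppresses the event whenever the writing process itself lives in System32, so a copy performed by a built-in System32 tool passes while the same file arriving from another path alerts; consider narrowing the filter to the servicing processes it was meant for, or documenting the gap in `falsepositives`. The same names were added to the sideload rule and the new image_load rule in this patch, so a comment such as `# Keep in sync with 6b98b92b-4f00-4f62-b4fe-4d1920215771` above the list would help keep them aligned.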
diff --git a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml index 7df5528b4..342b35fc7 100644 --- a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml +++ b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml @@ -9,7 +9,7 @@ references: - https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md author: Nasreddine Bencherchali, Wietze Beukema (project and research), Chris Spehn (research WFH Dridex), XForceIR (SideLoadHunter Project) date: 2022/08/14 -modified: 2022/10/25 +modified: 2022/12/09 tags: - attack.defense_evasion - attack.persistence @@ -433,6 +433,13 @@ detection: - '\igd10iumd64.dll' - '\igd12umd64.dll' - '\igdusc64.dll' + # Other + - '\WLBSCTRL.dll' + - '\TSMSISrv.dll' + - '\TSVIPSrv.dll' + - '\wow64log.dll' + - '\WptsExtensions.dll' + - '\wbemcomn.dll' filter_generic: ImageLoaded|startswith: - 'C:\Windows\System32\' diff --git a/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml b/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml new file mode 100644 index 000000000..619f4fdf7 --- /dev/null +++ b/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml 
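Review bot: The `# Other` heading gives no reason for the six new names, which the companion rule in this patch characterises as DLLs absent from a default system (with `wbemcomn.dll` expected under `C:\Windows\System32\wbem\`); replacing it with `# Non-existent by default on a clean system, see 6b98b92b-4f00-4f62-b4fe-4d1920215771` would explain why they sit apart from the vendor groups above. The enclosing selection and the remainder of `filter_generic` lie outside the hunk.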
@@ -0,0 +1,43 @@
+title: Sideloading Of Non-Existent DLLs From System Folders
+id: 6b98b92b-4f00-4f62-b4fe-4d1920215771
+related:
+ - id: df6ecb8b-7822-4f4b-b412-08f524b4576c
+ type: similar
+status: experimental
+description: Detects DLL sideloading of system dlls that are not present on the system by default. Usualy to achieve techniques such as UAC bypass and privilege escalation
+references:
+ - https://decoded.avast.io/martinchlumecky/png-steganography/
+ - https://posts.specterops.io/lateral-movement-scm-and-dll-hijacking-primer-d2f61e8ab992
+ - https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/
+ - https://github.com/Wh04m1001/SysmonEoP
+ - https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
+ - http://remoteawesomethoughts.blogspot.com/2019/05/windows-10-task-schedulerservice.html
+author: Nasreddine Bencherchali
+date: 2022/12/09
+tags:
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1574.001
+ - attack.t1574.002
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ ImageLoaded|endswith:
+ # Add other DLLs
+ - 'C:\Windows\System32\WLBSCTRL.dll'
+ - 'C:\Windows\System32\TSMSISrv.dll'
+ - 'C:\Windows\System32\TSVIPSrv.dll'
+ - 'C:\Windows\System32\wow64log.dll'
+ - 'C:\Windows\System32\WptsExtensions.dll'
+ - 'C:\Windows\System32\wbem\wbemcomn.dll'
+ filter_ms_signed:
+ Signed: 'true'
+ # There could be other signatures (please add when found)
+ Signature: 'Microsoft Windows'
+ condition: selection and not 1 of filter_*
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml b/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml
index bc7467c9c..5d2a23294 100755
--- a/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml
+++ b/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml
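Review bot: `filter_ms_signed` suppresses any load at these paths that carries a valid `Microsoft Windows` signature, so the rule fires only when the sideloaded file is unsigned or signed by another publisher; that boundary belongs in `description` or `falsepositives`, not only in the `# There could be other signatures` comment. `Signed` and `Signature` are populated only when the image-load source records signature data, so on a source without it the filter never matches and every listed load alerts, which is also worth a comment above the filter. `Usualy` in the description is a typo (`Usually`), and `ImageLoaded|endswith` with a full `C:\...` path fixes the drive letter where `'\Windows\System32\WLBSCTRL.dll'` and friends would match any volume.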
@@ -11,7 +11,7 @@ references: - https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6 author: Perez Diego (@darkquassar), oscd.community, Ecco date: 2019/10/27 -modified: 2022/09/15 +modified: 2022/12/09 tags: - attack.credential_access - attack.t1003.001 @@ -50,7 +50,7 @@ detection: ImageLoaded|endswith: - '\dbghelp.dll' - '\dbgcore.dll' - Signed: 'FALSE' + Signed: 'false' filter1: - Image|contains: 'Visual Studio' - CommandLine|contains: From 89e44d46cb66871a2bd4b9f532960c8ba6c34754 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 9 Dec 2022 18:06:20 +0100 Subject: [PATCH 114/303] feat: update .net etw tamper rules --- .../win_security_etw_modification.yml | 20 +++++++++++++++---- ..._creation_win_etw_modification_cmdline.yml | 11 ++++++---- .../registry_set_etw_disabled.yml | 18 ++++++++++++++--- 3 files changed, 38 insertions(+), 11 deletions(-) diff --git a/rules/windows/builtin/security/win_security_etw_modification.yml b/rules/windows/builtin/security/win_security_etw_modification.yml index e05e6598e..e7225550f 100644 --- a/rules/windows/builtin/security/win_security_etw_modification.yml +++ b/rules/windows/builtin/security/win_security_etw_modification.yml @@ -1,5 +1,8 @@ -title: COMPlus_ETWEnabled Registry Modification +title: ETW Logging Disabled In .NET Processes - Registry id: a4c90ea1-2634-4ca0-adbb-35eae169b6fc +related: + - id: bf4fc428-dcc3-4bbd-99fe-2422aeee2544 + type: similar status: test description: Potential adversaries stopping ETW providers recording loaded .NET assemblies. references: 
@@ -12,22 +15,31 @@ references: - https://bunnyinside.com/?term=f71e8cb9c76a - http://managed670.rssing.com/chan-5590147/all_p1.html - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code + - https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020/06/05 -modified: 2022/10/05 +modified: 2022/12/09 tags: - attack.defense_evasion - attack.t1112 + - attack.t1562 logsource: product: windows service: security detection: - selection: + selection_etw_enabled: EventID: 4657 ObjectName|endswith: '\SOFTWARE\Microsoft\.NETFramework' ObjectValueName: 'ETWEnabled' NewValue: 0 - condition: selection + selection_complus: + EventID: 4657 + ObjectName|endswith: '\Environment\' + ObjectValueName: + - 'COMPlus_ETWEnabled' + - 'COMPlus_ETWFlags' + NewValue: 0 + condition: 1 of selection_* falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml b/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml index 1d03d645c..cc7917676 100644 --- a/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml +++ b/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml 
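Review bot: `selection_complus` uses `ObjectName|endswith: '\Environment\'` with a trailing backslash while `selection_etw_enabled` just above it uses `'\SOFTWARE\Microsoft\.NETFramework'` without one; whether the 4657 ObjectName field carries a trailing separator has to be confirmed against a real event, and the two selections should agree. `NewValue: 0` is a YAML integer, but for the `Environment` key the data is a string, so quote it (`NewValue: '0'`) unless the backend is known to match numerics against string fields. A comment stating that 4657 only fires when a SACL for the key is in place would also help, since the rule is silent otherwise.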
@@ -1,7 +1,7 @@ -title: COMPlus_ETWEnabled Command Line Arguments +title: ETW Logging Disabled In .NET Processes - CommandLine id: 41421f44-58f9-455d-838a-c398859841d4 status: test -description: Potential adversaries stopping ETW providers recording loaded .NET assemblies. +description: Detects changes to environment variables related to ETW logging. This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies. references: - https://twitter.com/_xpn_/status/1268712093928378368 - https://social.msdn.microsoft.com/Forums/vstudio/en-US/0878832e-39d7-4eaf-8e16-a729c4c40975/what-can-i-use-e13c0d23ccbc4e12931bd9cc2eee27e4-for?forum=clr @@ -12,9 +12,10 @@ references: - https://bunnyinside.com/?term=f71e8cb9c76a - http://managed670.rssing.com/chan-5590147/all_p1.html - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code + - https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020/05/02 -modified: 2021/11/27 +modified: 2022/12/09 tags: - attack.defense_evasion - attack.t1562 @@ -23,7 +24,9 @@ logsource: product: windows detection: selection: - CommandLine|contains: 'COMPlus_ETWEnabled=0' + CommandLine|contains: + - 'COMPlus_ETWEnabled' + - 'COMPlus_ETWFlags' condition: selection falsepositives: - Unlikely diff --git a/rules/windows/registry/registry_set/registry_set_etw_disabled.yml b/rules/windows/registry/registry_set/registry_set_etw_disabled.yml index 93b500a35..4e888c2de 100644 --- a/rules/windows/registry/registry_set/registry_set_etw_disabled.yml +++ b/rules/windows/registry/registry_set/registry_set_etw_disabled.yml 
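Review bot: Dropping `=0` means `CommandLine|contains: 'COMPlus_ETWEnabled'` / `'COMPlus_ETWFlags'` now fires on any mention of the variables, including queries or setting them to a non-zero value, yet `falsepositives` still says `Unlikely`. Either keep a value-bearing form (`'COMPlus_ETWEnabled=0'` plus the flags variant) or update `falsepositives` to name developer and diagnostic use of these variables, and say in `description` that any reference is matched.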
@@ -1,5 +1,8 @@ -title: COMPlus_ETWEnabled Registry Modification - Registry +title: ETW Logging Disabled In .NET Processes - Sysmon Registry id: bf4fc428-dcc3-4bbd-99fe-2422aeee2544 +related: + - id: a4c90ea1-2634-4ca0-adbb-35eae169b6fc + type: similar status: test description: Potential adversaries stopping ETW providers recording loaded .NET assemblies. references: @@ -12,20 +15,29 @@ references: - https://bunnyinside.com/?term=f71e8cb9c76a - http://managed670.rssing.com/chan-5590147/all_p1.html - https://github.com/dotnet/runtime/blob/4f9ae42d861fcb4be2fcd5d3d55d5f227d30e723/docs/coding-guidelines/clr-jit-coding-conventions.md#1412-disabling-code + - https://blog.xpnsec.com/hiding-your-dotnet-complus-etwenabled/ + - https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020/06/05 -modified: 2022/11/26 +modified: 2022/12/09 tags: - attack.defense_evasion - attack.t1112 + - attack.t1562 logsource: product: windows category: registry_set detection: - selection: + selection_etw_enabled: EventType: SetValue TargetObject|endswith: 'SOFTWARE\Microsoft\.NETFramework\ETWEnabled' Details: 'DWORD (0x00000000)' + selection_complus: + EventType: SetValue + TargetObject|endswith: + - '\COMPlus_ETWEnabled' + - '\COMPlus_ETWFlags' + Details: 0 condition: selection falsepositives: - Unknown From 7c7057d9d39c95987b69fb32230da87a5f5c0797 Mon Sep 17 00:00:00 2001 
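Review bot: The new `related` entry links this rule only to a4c90ea1-2634-4ca0-adbb-35eae169b6fc, while the process_creation rule 41421f44-58f9-455d-838a-c398859841d4 touched in the same commit covers the same COMPlus variables and is linked from neither; add `- id: 41421f44-58f9-455d-838a-c398859841d4` with `type: similar` here and in the security-log rule so the three stay discoverable together.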
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 9 Dec 2022 18:06:58 +0100 Subject: [PATCH 115/303] fix: rename .net etw tamper rules --- ...y_etw_modification.yml => win_security_dot_net_etw_tamper.yml} | 0 ...y_set_etw_disabled.yml => registry_set_dot_net_etw_tamper.yml} | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename rules/windows/builtin/security/{win_security_etw_modification.yml => win_security_dot_net_etw_tamper.yml} (100%) rename rules/windows/registry/registry_set/{registry_set_etw_disabled.yml => registry_set_dot_net_etw_tamper.yml} (100%) diff --git a/rules/windows/builtin/security/win_security_etw_modification.yml b/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml similarity index 100% rename from rules/windows/builtin/security/win_security_etw_modification.yml rename to rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml diff --git a/rules/windows/registry/registry_set/registry_set_etw_disabled.yml b/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml similarity index 100% rename from rules/windows/registry/registry_set/registry_set_etw_disabled.yml rename to rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml From fa1cbb314ab972561be714c98139420bdf4f39e9 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 9 Dec 2022 19:09:24 +0100 Subject: [PATCH 116/303] feat: more updates to etw tamper rules --- ...gistry_set_disable_autologger_sessions.yml | 5 ++-- .../registry_set_rpcrt4_etw_tamper.yml | 27 +++++++++++++++++++ .../registry_set_services_etw_tamper.yml | 24 +++++++++++++++++ 3 files changed, 54 insertions(+), 2 deletions(-) create mode 100644 rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml create mode 100644 rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml 
diff --git a/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml b/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml index 38c4c79fa..0254cdb81 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml @@ -5,9 +5,10 @@ description: Detects tampering of autologger trace sessions which is a technique references: - https://twitter.com/MichalKoczwara/status/1553634816016498688 - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ + - https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf author: Nasreddine Bencherchali date: 2022/08/01 -modified: 2022/09/18 +modified: 2022/12/09 tags: - attack.defense_evasion logsource: @@ -22,7 +23,7 @@ detection: - '\EventLog-' - '\Defender' TargetObject|endswith: - - '\Enabled' + - '\Enable' - '\Start' Details: DWORD (0x00000000) filter_legitimate: diff --git a/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml b/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml new file mode 100644 index 000000000..c157026fb --- /dev/null +++ b/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml 
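Review bot: Changing `'\Enabled'` to `'\Enable'` means the `endswith` no longer matches a value named `Enabled`, and as far as I recall the provider-level AutoLogger value is spelled `Enabled`; unless a real `Enable` value exists under the `EventLog-*`/`Defender` sessions, this turns off the provider half of the detection. Verify against a live `Autologger` key before merging, and if both spellings occur keep both entries. The selection's `TargetObject|contains` lines start above the hunk.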
@@ -0,0 +1,27 @@
+title: ETW Logging Disabled For rpcrt4.dll
+id: 4f281b83-0200-4b34-bf35-d24687ea57c2
+status: experimental
+description: Detects changes to the "ExtErrorInformation" key in order to disable ETW logging for rpcrt4.dll
+references:
+ - http://redplait.blogspot.com/2020/07/whats-wrong-with-etw.html
+author: Nasreddine Bencherchali
+date: 2022/12/09
+tags:
+ - attack.defense_evasion
+ - attack.t1112
+ - attack.t1562
+logsource:
+ product: windows
+ category: registry_set
+detection:
+ selection_etw_enabled:
+ EventType: SetValue
+ TargetObject|endswith: '\Microsoft\Windows NT\Rpc\ExtErrorInformation'
+ Details:
+ # This is disabled by default for some reason
+ - 'DWORD (0x00000000)' # Off
+ - 'DWORD (0x00000002)' # Off with exceptions
+ condition: selection
+falsepositives:
+ - Unknown
+level: low
diff --git a/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml b/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml
new file mode 100644
index 000000000..e45aa08c3
--- /dev/null
+++ b/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml
@@ -0,0 +1,24 @@
+title: ETW Logging Disabled For SCM
+id: 4f281b83-0200-4b34-bf35-d24687ea57c2
+status: experimental
+description: Detects changes to the "TracingDisabled" key in order to disable ETW logging for services.exe (SCM)
+references:
+ - http://redplait.blogspot.com/2020/07/whats-wrong-with-etw.html
+author: Nasreddine Bencherchali
+date: 2022/12/09
+tags:
+ - attack.defense_evasion
+ - attack.t1112
+ - attack.t1562
+logsource:
+ product: windows
+ category: registry_set
+detection:
+ selection_etw_enabled:
+ EventType: SetValue
+ TargetObject|endswith: 'Software\Microsoft\Windows NT\CurrentVersion\Tracing\SCM\Regular\TracingDisabled'
+ Details: 'DWORD (0x00000001)' # Funny (sad) enough, this value is by default 1.
+ condition: selection
+falsepositives:
+ - Unknown
+level: low
From a8472bf4df92c7b55fde896636d7fa230eeb7d00 Mon Sep 17 00:00:00 2001
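Review bot: Both new rules alert on a write of the value that their own comments describe as the default (`DWORD (0x00000000)`/`DWORD (0x00000002)` for `ExtErrorInformation`, `DWORD (0x00000001)` for `TracingDisabled`), so any setup or servicing routine that rewrites the default triggers them, yet `falsepositives` is `Unknown` in both. Record that in the rule, e.g. `- Legitimate software or servicing routines writing the default value`, or drop the default-valued entries if the intent is to catch an actual change of state. The same applies to both files in this hunk pair.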
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 9 Dec 2022 19:13:59 +0100 Subject: [PATCH 117/303] fix: add missing selection --- .../registry/registry_set/registry_set_dot_net_etw_tamper.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml b/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml index 4e888c2de..3a670b85e 100644 --- a/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml +++ b/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml @@ -38,7 +38,7 @@ detection: - '\COMPlus_ETWEnabled' - '\COMPlus_ETWFlags' Details: 0 - condition: selection + condition: 1 of selection_* falsepositives: - Unknown level: high From fb988ab25e6436ed15656819086fecadb9379043 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 9 Dec 2022 19:15:35 +0100 Subject: [PATCH 118/303] fix: typos and errors --- .../registry/registry_set/registry_set_rpcrt4_etw_tamper.yml | 4 ++-- .../registry_set/registry_set_services_etw_tamper.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml b/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml index c157026fb..3377d03c1 100644 --- a/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml +++ b/rules/windows/registry/registry_set/registry_set_rpcrt4_etw_tamper.yml @@ -1,5 +1,5 @@ title: ETW Logging Disabled For rpcrt4.dll -id: 4f281b83-0200-4b34-bf35-d24687ea57c2 +id: 90f342e1-1aaa-4e43-b092-39fda57ed11e status: experimental description: Detects changes to the "ExtErrorInformation" key in order to disable ETW logging for rpcrt4.dll references: 
@@ -14,7 +14,7 @@ logsource: product: windows category: registry_set detection: - selection_etw_enabled: + selection: EventType: SetValue TargetObject|endswith: '\Microsoft\Windows NT\Rpc\ExtErrorInformation' Details: diff --git a/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml b/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml index e45aa08c3..073cddb27 100644 --- a/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml +++ b/rules/windows/registry/registry_set/registry_set_services_etw_tamper.yml @@ -14,7 +14,7 @@ logsource: product: windows category: registry_set detection: - selection_etw_enabled: + selection: EventType: SetValue TargetObject|endswith: 'Software\Microsoft\Windows NT\CurrentVersion\Tracing\SCM\Regular\TracingDisabled' Details: 'DWORD (0x00000001)' # Funny (sad) enough, this value is by default 1. From bacd8078c557929d350739f6547b6fca6d94bd6c Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 9 Dec 2022 19:18:09 +0100 Subject: [PATCH 119/303] feat: update detection section --- .../proc_creation_win_susp_use_of_sqlps_bin.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml b/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml index f1f4d118b..6c8c49a0e 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml 
@@ -20,14 +20,14 @@ logsource: category: process_creation product: windows detection: - selection_1: + selection_parent: + ParentImage|endswith: '\sqlps.exe' + selection_image: - Image|endswith: '\sqlps.exe' - OriginalFileName: 'sqlps.exe' - selection_2: - ParentImage|endswith: '\sqlps.exe' - filter: + filter_image: ParentImage|endswith: '\sqlagent.exe' - condition: (selection_1 and not filter) or selection_2 + condition: selection_parent or (selection_image and not filter_image) falsepositives: - Direct PS command execution through SQLPS.exe is uncommon, childprocess sqlps.exe spawned by sqlagent.exe is a legitimate action. level: medium From 26cd02cff4edf3247a6756fb1d30f8825bc8a427 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 9 Dec 2022 19:24:44 +0100 Subject: [PATCH 120/303] fix: add modified date --- .../file/file_event/file_event_win_create_non_existent_dlls.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml index 522c8f4fd..23c65c682 100644 --- a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml +++ b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml @@ -13,6 +13,7 @@ references: - https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/ author: Nasreddine Bencherchali date: 2022/12/01 +modified: 2022/12/09 tags: - attack.defense_evasion - attack.persistence From 76fca5aa4b76e9b6cfa1a8eee1535c9b354d643a Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 9 Dec 2022 19:37:53 +0100 Subject: [PATCH 121/303] fix: update title to reflect logic --- .../proc_creation_win_etw_modification_cmdline.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
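Review bot: `filter_image: ParentImage|endswith: '\sqlagent.exe'` suppresses by process name alone, so any parent with that file name in any directory passes the filter; anchoring it to the SQL Server installation path (`ParentImage|contains: '\Microsoft SQL Server\'`, to be confirmed against the deployment) keeps the documented agent exception without trusting the name. The new `condition: selection_parent or (selection_image and not filter_image)` is equivalent to the old `(selection_1 and not filter) or selection_2`, so the restructure is otherwise behaviour-preserving.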
diff --git a/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml b/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml index cc7917676..906bffd2f 100644 --- a/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml +++ b/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml @@ -1,4 +1,4 @@ -title: ETW Logging Disabled In .NET Processes - CommandLine +title: ETW Logging Tamper In .NET Processes id: 41421f44-58f9-455d-838a-c398859841d4 status: test description: Detects changes to environment variables related to ETW logging. This could indicate potential adversaries stopping ETW providers recording loaded .NET assemblies. From 1a9d7960e7141badae731238eb67651a13bc5318 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 9 Dec 2022 19:44:44 +0100 Subject: [PATCH 122/303] fix: add dword version --- .../registry/registry_set/registry_set_dot_net_etw_tamper.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml b/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml index 3a670b85e..f32870645 100644 --- a/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml +++ b/rules/windows/registry/registry_set/registry_set_dot_net_etw_tamper.yml @@ -37,7 +37,9 @@ detection: TargetObject|endswith: - '\COMPlus_ETWEnabled' - '\COMPlus_ETWFlags' - Details: 0 + Details: + - 0 # For REG_SZ type + - 'DWORD (0x00000000)' condition: 1 of selection_* falsepositives: - Unknown From 96628974425b567c57c219ada11882f264c15409 Mon Sep 17 00:00:00 2001 From: Veramine Date: Fri, 9 Dec 2022 12:13:58 -0800 Subject: [PATCH 123/303] Update proc_creation_win_susp_conhost_option.yml (#3763) --- .../proc_creation_win_susp_conhost_option.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) 
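Review bot: `- 0 # For REG_SZ type` is a YAML integer, but a REG_SZ `Details` field carries the string `0`; whether an integer literal is matched against a string field depends on the backend, so quote it (`- '0' # For REG_SZ type`) as the other `Details` values in this file are quoted. The enclosing `selection_complus` starts above the hunk.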
diff --git a/rules/windows/process_creation/proc_creation_win_susp_conhost_option.yml b/rules/windows/process_creation/proc_creation_win_susp_conhost_option.yml index 31816d30e..970f2a353 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_conhost_option.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_conhost_option.yml @@ -1,12 +1,13 @@ -title: Suspicious Conhost Legacy Option +title: Suspicious High IntegrityLevel Conhost Legacy Option id: 3037d961-21e9-4732-b27a-637bcc7bf539 status: experimental -description: ForceV1 asks for information directly from the kernel space. Conhost connects to the console application +description: ForceV1 asks for information directly from the kernel space. Conhost connects to the console application. High IntegrityLevel means the process is running with elevated privileges, such as an Administrator context. references: - https://cybercryptosec.medium.com/covid-19-cyber-infection-c615ead7c29 - https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/ + - https://learn.microsoft.com/en-us/windows/win32/secauthz/mandatory-integrity-control author: frack113 -date: 2022/04/04 +date: 2022/12/09 tags: - attack.defense_evasion - attack.t1202 @@ -15,11 +16,12 @@ logsource: category: process_creation detection: selection: + IntegrityLevel: 'High' CommandLine|contains|all: - 'conhost.exe' - '0xffffffff' - '-ForceV1' condition: selection falsepositives: - - Unknown + - Very Likely, including launching cmd.exe via Run As Administrator level: informational From 646d8614718cbeadfca7a300a527c6aa7a705203 Mon Sep 17 00:00:00 2001 
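Review bot: `date:` was changed from `2022/04/04` to `2022/12/09`, which rewrites the rule's creation date instead of recording the revision; every other rule edit in this series adds a `modified:` line, so this should stay `date: 2022/04/04` with `modified: 2022/12/09` added below it. The new `IntegrityLevel: 'High'` field should also be mentioned in `description`, since not every process_creation source populates it and the rule then silently never matches.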
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 11 Dec 2022 10:57:28 +0100 Subject: [PATCH 124/303] Redcannary --- .../proc_creation_create_link_osk_cmd.yml | 27 +++++++++++++++++++ .../proc_creation_wmic_tamper_defender.yml | 25 +++++++++++++++++ 2 files changed, 52 insertions(+) create mode 100644 rules/windows/process_creation/proc_creation_create_link_osk_cmd.yml create mode 100644 rules/windows/process_creation/proc_creation_wmic_tamper_defender.yml diff --git a/rules/windows/process_creation/proc_creation_create_link_osk_cmd.yml b/rules/windows/process_creation/proc_creation_create_link_osk_cmd.yml new file mode 100644 index 000000000..fe8f3e2d9 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_create_link_osk_cmd.yml @@ -0,0 +1,27 @@ +title: Create Symbolic Link From osk.exe to cmd.exe +id: e9b61244-893f-427c-b287-3e708f321c6b +status: experimental +description: Detects creation of a link from accessiblity executable with cmd.exe to provide elevated command prompt from login screen without logging in. +references: + - https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md +author: frack113 +date: 2022/12/11 +tags: + - attack.credential_access + - attack.t1546.008 +logsource: + product: windows + category: process_creation +detection: + selection_img: + - Image|endswith: '\cmd.exe' + - OriginalFileName: 'Cmd.exe' + selection_cli: + CommandLine|contains|all: + - 'mklink' + - '\System32\osk.exe' + - '\System32\cmd.exe' + condition: all of selection_* +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/proc_creation_wmic_tamper_defender.yml b/rules/windows/process_creation/proc_creation_wmic_tamper_defender.yml new file mode 100644 index 000000000..2b2e08744 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_wmic_tamper_defender.yml 
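Review bot: `tags` lists `attack.credential_access` for `attack.t1546.008`, but T1546 (Event Triggered Execution, here the accessibility-features sub-technique) belongs to persistence and privilege escalation; use `- attack.persistence` and `- attack.privilege_escalation`. `accessiblity` in the description is a typo (`accessibility`).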
@@ -0,0 +1,25 @@
+title: WMIC Tamper Windows Defender
+id: 51cbac1e-eee3-4a90-b1b7-358efb81fa0a
+status: experimental
+description: Detects tampering Windows Defender with wmic
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md
+ - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/
+author: frack113
+date: 2022/12/11
+tags:
+ - attack.credential_access
+ - attack.t1546.008
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection_img:
+ - OriginalFileName: 'wmic.exe'
+ - Image|endswith: '\WMIC.exe'
+ selection_cli:
+ CommandLine|contains: '/Namespace:\\\\root\\Microsoft\\Windows\\Defender'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: high
From fec7756b8b7ee8d4a18ad2660bd217fb7c42936f Mon Sep 17 00:00:00 2001
From: Gott <47673777+danielgottt@users.noreply.github.com>
Date: Sun, 11 Dec 2022 10:00:05 -0500
Subject: [PATCH 125/303] Create proc_creation_win_lolbin_setres.yml
---
 .../proc_creation_win_lolbin_setres.yml | 31 +++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_lolbin_setres.yml
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml b/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml
new file mode 100644
index 000000000..c76c85b81
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml
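Review bot: `tags` carries `attack.credential_access` and `attack.t1546.008`, copied from the osk rule in the same patch, while the reference is `atomics/T1562.001/T1562.001.md` (Impair Defenses); they should be `- attack.defense_evasion` and `- attack.t1562.001`. The backslashes in `'/Namespace:\\\\root\\Microsoft\\Windows\\Defender'` are doubled, unlike every other Sigma string in this series; if the intended literal is `\\root\Microsoft\Windows\Defender`, write `'/Namespace:\\root\Microsoft\Windows\Defender'` and rely on Sigma's plain-backslash rule, or add a comment explaining why the extra escaping is required.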
@@ -0,0 +1,31 @@ +title: Use of Setres.exe +id: 835e75bf-4bfd-47a4-b8a6-b766cac8bcb7 +status: experimental +description: Detects the use of Setres.exe to set the screen resolution and then to potentially launch a file named "choice" from the local path +references: + - https://lolbas-project.github.io/lolbas/Binaries/Setres/ + - https://twitter.com/0gtweet/status/1583356502340870144 + - https://strontic.github.io/xcyclopedia/library/setres.exe-0E30E4C09637D7A128A37B59A3BC4D09.html + - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11) +author: '@gott_cyber' +date: 2022/12/11 +tags: + - attack.defense_evasion + - attack.t1218 + - attack.defense_evasion + - attack.t1202 +logsource: + category: process_creation + product: windows +detection: + selection_ldif: + - Image|endswith: '\setres.exe' + - OriginalFileName: 'setres.exe' + selection_cmd: + CommandLine|contains|all: + - '-w' + - '-h' + condition: all of selection_* +falsepositives: + - Legitimate usage of Setres +level: medium From ff14120ee52a08f018c0ae1370e596e56f978fbb Mon Sep 17 00:00:00 2001 From: Gott <47673777+danielgottt@users.noreply.github.com> Date: Sun, 11 Dec 2022 10:17:53 -0500 Subject: [PATCH 126/303] Update proc_creation_win_lolbin_setres.yml corrected duplicate tags --- .../windows/process_creation/proc_creation_win_lolbin_setres.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml b/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml index c76c85b81..69b09f3c9 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml @@ -12,7 +12,6 @@ date: 2022/12/11 tags: - attack.defense_evasion - attack.t1218 - - attack.defense_evasion - attack.t1202 logsource: category: process_creation From 89d2d00a5b2ca20a217c1b29dd6bae625cdb6cfb Mon Sep 17 00:00:00 2001 
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 11 Dec 2022 16:46:32 +0100 Subject: [PATCH 127/303] Redcannary --- .../registry_set_legalnotice_susp_message.yml | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 rules/windows/registry/registry_event/registry_set_legalnotice_susp_message.yml diff --git a/rules/windows/registry/registry_event/registry_set_legalnotice_susp_message.yml b/rules/windows/registry/registry_event/registry_set_legalnotice_susp_message.yml new file mode 100644 index 000000000..e1c330d6f --- /dev/null +++ b/rules/windows/registry/registry_event/registry_set_legalnotice_susp_message.yml @@ -0,0 +1,28 @@ +title: Set Display Ransom Message +id: 8b9606c9-28be-4a38-b146-0e313cc232c1 +status: experimental +description: Detect modification of LegalNoticeCaption or LegalNoticeText to set a ransom message +references: + - https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1491.001/T1491.001.md +author: frack113 +date: 2022/12/11 +tags: + - attack.impact + - attack.t1491.001 +logsource: + product: windows + category: registry_set +detection: + selection: + EventType: SetValue + TargetObject|contains: + - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeCaption' + - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LegalNoticeText' + Details|contains: + - 'encrypted' + - 'Unlock-Password' + - 'paying' + condition: selection +falsepositives: + - Unknown +level: high From af0b1e61b4e76630e65f6edcebaeda06a4b80968 Mon Sep 17 00:00:00 2001 From: Gott <47673777+danielgottt@users.noreply.github.com> Date: Sun, 11 Dec 2022 10:53:38 -0500 Subject: [PATCH 128/303] Create web_apache_solr_lfi_exploit.yml --- rules/web/web_apache_solr_lfi_exploit.yml | 30 +++++++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 rules/web/web_apache_solr_lfi_exploit.yml 
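Review bot: The file is created under `rules/windows/registry/registry_event/` yet declares `category: registry_set`; if the repository groups rules by logsource category (the `registry_set_` filename prefix suggests it does), the rule belongs in a `registry_set` directory — confirm against the repository layout. Separately, `Details|contains: 'encrypted'` and `'paying'` are ordinary words that appear in legitimate logon banners (acceptable-use notices routinely mention encrypted communications), so either tighten the keyword list or document that case under `falsepositives` instead of `Unknown`. The later commit in this series changes only the title and description of this file.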
diff --git a/rules/web/web_apache_solr_lfi_exploit.yml b/rules/web/web_apache_solr_lfi_exploit.yml new file mode 100644 index 000000000..2827ac4a8 --- /dev/null +++ b/rules/web/web_apache_solr_lfi_exploit.yml @@ -0,0 +1,30 @@ +title: Potential Apache Solr Local File Read Exploit +id: 0bbcd74b-0596-41a4-94a0-4e88a76ffdb3 +status: experimental +description: | + All Apache Solr versions <= 8.8.1 are impacted by an arbitrary file read and server-side request forgery (SSRF) vulnerability. + Unauthenticated attackers could turn on requestDis patcher.requestParsers.enableRemoteStreaming via the Config API. + After configured, remote attackers can can thereby read local files on the vulnerable devices through ContentStream. +references: + - https://twitter.com/Al1ex4/status/1382981479727128580 + - https://twitter.com/sec715/status/1373472323538362371 + - https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/ + - https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247484117&idx=1&sn=2fdab8cbe4b873f8dd8abb35d935d186 +author: '@gott_cyber' +date: 2022/12/11 +tags: + - attack.initial_access + - attack.t1190 +logsource: + category: webserver +detection: + selection_request: + c-uri|contains|all: + - '/solr/' + - '/debug/dump?' + - 'param=ContentStream' + sc-status: '200' + condition: selection_request +falsepositives: + - Unknown +level: medium From 3a1fe165703526cfd6abc5259a7e993c0ba149ff Mon Sep 17 00:00:00 2001 From: Gott <47673777+danielgottt@users.noreply.github.com> Date: Sun, 11 Dec 2022 11:25:12 -0500 Subject: [PATCH 129/303] Update proc_creation_win_lolbin_setres.yml selection correction and detection logic correction --- .../proc_creation_win_lolbin_setres.yml | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml b/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml index 69b09f3c9..c004f58a8 100644 
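Review bot: The block-scalar `description` contains the split token `requestDis patcher.requestParsers.enableRemoteStreaming` (should be `requestDispatcher.requestParsers.enableRemoteStreaming`) and the doubled word `can can`; this text is what an analyst reads at triage, so fix it before the rule ships. The `sc-status: '200'` constraint also means only successful reads are alerted on, not attempts against patched hosts; if that is intentional, say so in the description, otherwise drop the status field. The commits that follow in this series add a CVE tag, references and a second selection but do not touch this description.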
--- a/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml
@@ -17,14 +17,11 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection_ldif:
- - Image|endswith: '\setres.exe'
- - OriginalFileName: 'setres.exe'
- selection_cmd:
- CommandLine|contains|all:
- - '-w'
- - '-h'
- condition: all of selection_*
+ selection:
+ ParentImage|endswith: '\setres.exe'
+ Image|endswith:
+ - '\choice'
+ condition: all of selection*
 falsepositives:
 - Legitimate usage of Setres
 level: medium
From 063aac1b4d6f075b85ca6a4a71c3d08f83868003 Mon Sep 17 00:00:00 2001
From: Gott <47673777+danielgottt@users.noreply.github.com>
Date: Sun, 11 Dec 2022 11:57:22 -0500
Subject: [PATCH 130/303] Update proc_creation_win_lolbin_setres.yml
---
 .../process_creation/proc_creation_win_lolbin_setres.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml b/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml
index c004f58a8..32ff6c23c 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml
@@ -19,8 +19,7 @@ logsource:
 detection:
 selection:
 ParentImage|endswith: '\setres.exe'
- Image|endswith:
- - '\choice'
+ Image|endswith: '\choice'
 condition: all of selection*
 falsepositives:
 - Legitimate usage of Setres
From 04b3d8885f135480e6536d010fa4c50c094c56ff Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 12 Dec 2022 10:41:52 +0100
Subject: [PATCH 131/303] fix: deprecate `72671447-4352-4413-bb91-b85569687135`
---
 .../proc_creation_win_nslookup_pwsh_download_cradle.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename {rules/windows/process_creation => rules-deprecated/windows}/proc_creation_win_nslookup_pwsh_download_cradle.yml (96%)
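Review bot: `Image|endswith: '\choice'` can only match an image path with no file extension, yet the process-creation `Image` field normally carries the resolved executable path; a `choice.cmd` started from the working directory would surface as cmd.exe with the script on the command line, and a `choice.exe` ends in `\choice.exe`, so as written the selection is unlikely to ever fire. A closer fit is `Image|contains: '\choice.'`, or an explicit `Image|endswith: '\choice.exe'` paired with a `CommandLine|contains: 'choice.cmd'` alternative. The later hunks in this series that touch this file (patches 130, 143 and 144) keep the same bare `\choice` suffix, and patch 143's description even states the file may carry ".cmd" or ".exe".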
diff --git a/rules/windows/process_creation/proc_creation_win_nslookup_pwsh_download_cradle.yml b/rules-deprecated/windows/proc_creation_win_nslookup_pwsh_download_cradle.yml similarity index 96% rename from rules/windows/process_creation/proc_creation_win_nslookup_pwsh_download_cradle.yml rename to rules-deprecated/windows/proc_creation_win_nslookup_pwsh_download_cradle.yml index 44dd578da..59ae7f8c2 100644 --- a/rules/windows/process_creation/proc_creation_win_nslookup_pwsh_download_cradle.yml +++ b/rules-deprecated/windows/proc_creation_win_nslookup_pwsh_download_cradle.yml @@ -1,6 +1,6 @@ title: Nslookup PwSh Download Cradle id: 72671447-4352-4413-bb91-b85569687135 -status: experimental +status: deprecated description: This rule tries to detect powershell download cradles, e.g. powershell . (nslookup -q=txt http://some.owned.domain.com)[-1] references: - https://twitter.com/alh4zr3d/status/1566489367232651264 From f4cebfe7acbfda5f3c84cf4837bdba96a8470acc Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Mon, 12 Dec 2022 10:42:34 +0100 Subject: [PATCH 132/303] fix: update title and description to reflect logic --- .../proc_creation_win_nslookup_poweshell_download.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml b/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml index a25ed13bc..3d3b48e65 100644 --- a/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml +++ b/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml 
@@ -1,11 +1,15 @@ -title: Nslookup PowerShell Download +title: Nslookup PowerShell Download Cradle - ProcessCreation id: 1b3b01c7-84e9-4072-86e5-fc285a41ff23 +related: + - id: 72671447-4352-4413-bb91-b85569687135 + type: obsoletes status: experimental -description: Detects usage of powershell in conjunction with nslookup as a mean of download. +description: Detects suspicious powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records references: - https://twitter.com/Alh4zr3d/status/1566489367232651264 author: Nasreddine Bencherchali date: 2022/09/05 +modified: 2022/12/12 tags: - attack.defense_evasion logsource: From d1e47d836af39af708bb6713debb32f12a415381 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Mon, 12 Dec 2022 10:44:11 +0100 Subject: [PATCH 133/303] feat: add related id --- .../proc_creation_win_nslookup_poweshell_download.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml b/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml index 3d3b48e65..9f94a97e3 100644 --- a/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml +++ b/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml @@ -3,6 +3,8 @@ id: 1b3b01c7-84e9-4072-86e5-fc285a41ff23 related: - id: 72671447-4352-4413-bb91-b85569687135 type: obsoletes + - id: 999bff6d-dc15-44c9-9f5c-e1051bfc86e1 + type: similar status: experimental description: Detects suspicious powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records references: From d797bf0eb112b6895fe8c13c89dd5a88907d96c2 Mon Sep 17 00:00:00 2001 
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 12 Dec 2022 13:23:59 +0100 Subject: [PATCH 134/303] Apply suggestions from code review Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> --- .../proc_creation_create_link_osk_cmd.yml | 9 +++++---- .../proc_creation_wmic_tamper_defender.yml | 2 +- .../registry_set_legalnotice_susp_message.yml | 4 ++-- 3 files changed, 8 insertions(+), 7 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_create_link_osk_cmd.yml b/rules/windows/process_creation/proc_creation_create_link_osk_cmd.yml index fe8f3e2d9..cef5457d6 100644 --- a/rules/windows/process_creation/proc_creation_create_link_osk_cmd.yml +++ b/rules/windows/process_creation/proc_creation_create_link_osk_cmd.yml @@ -1,9 +1,10 @@ -title: Create Symbolic Link From osk.exe to cmd.exe +title: Potential Privilege Escalation Using Symlink Between Osk and Cmd id: e9b61244-893f-427c-b287-3e708f321c6b status: experimental -description: Detects creation of a link from accessiblity executable with cmd.exe to provide elevated command prompt from login screen without logging in. +description: Detects the creation of a symbolic link between "cmd.exe" and the accessibility on-screen keyboard binary (osk.exe) using "mklink". This technique provides an elevated command prompt to the user from the login screen without the need to log in. references: - https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1546.008/T1546.008.md + - https://ss64.com/nt/mklink.html author: frack113 date: 2022/12/11 tags: @@ -19,8 +20,8 @@ detection: selection_cli: CommandLine|contains|all: - 'mklink' - - '\System32\osk.exe' - - '\System32\cmd.exe' + - '\osk.exe' + - '\cmd.exe' condition: all of selection_* falsepositives: - Unknown 
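Review bot: After widening the `mklink` selection to `'\osk.exe'` and `'\cmd.exe'`, the `'\cmd.exe'` term is effectively always true: `selection_img` already requires the process to be cmd.exe and its own path typically appears at the start of its `CommandLine`, so the term no longer distinguishes a link whose target is cmd.exe from any other `mklink ... osk.exe` invocation. If the intent is to require cmd.exe as the link target, the term needs to be something the parent's command line does not always contain; otherwise drop it and document the broader scope in `description`. `selection_img` and the rest of the detection block lie outside this hunk, and the `attack.credential_access` tag from the original file is also unchanged here.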
diff --git a/rules/windows/process_creation/proc_creation_wmic_tamper_defender.yml b/rules/windows/process_creation/proc_creation_wmic_tamper_defender.yml index 2b2e08744..84ed9bd12 100644 --- a/rules/windows/process_creation/proc_creation_wmic_tamper_defender.yml +++ b/rules/windows/process_creation/proc_creation_wmic_tamper_defender.yml @@ -1,7 +1,7 @@ title: WMIC Tamper Windows Defender id: 51cbac1e-eee3-4a90-b1b7-358efb81fa0a status: experimental -description: Detects tampering Windows Defender with wmic +description: Detects potential tampering with Windows Defender settings such as adding exclusion using wmic references: - https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1562.001/T1562.001.md - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/ diff --git a/rules/windows/registry/registry_event/registry_set_legalnotice_susp_message.yml b/rules/windows/registry/registry_event/registry_set_legalnotice_susp_message.yml index e1c330d6f..4780d88a6 100644 --- a/rules/windows/registry/registry_event/registry_set_legalnotice_susp_message.yml +++ b/rules/windows/registry/registry_event/registry_set_legalnotice_susp_message.yml @@ -1,7 +1,7 @@ -title: Set Display Ransom Message +title: Potential Ransomware Activity Using LegalNotice Message id: 8b9606c9-28be-4a38-b146-0e313cc232c1 status: experimental -description: Detect modification of LegalNoticeCaption or LegalNoticeText to set a ransom message +description: Detect changes to the "LegalNoticeCaption" or "LegalNoticeText" registry values where the message set contains keywords often used in ransomware ransom messages references: - https://github.com/redcanaryco/atomic-red-team/blob/5c1e6f1b4fafd01c8d1ece85f510160fc1275fbf/atomics/T1491.001/T1491.001.md author: frack113 From 5a46cd3efd4fedadb1f6d7517199847a98859c97 Mon Sep 17 00:00:00 2001 
From: sai prashanth pulisetti <40313110+prashanthpulisetti@users.noreply.github.com> Date: Mon, 12 Dec 2022 17:54:46 +0530 Subject: [PATCH 135/303] Create Abuse Nslookup with DNS Records (#3773) Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com> Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> --- ...osh_pc_abuse_nslookup_with_dns_records.yml | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 rules/windows/powershell/powershell_classic/posh_pc_abuse_nslookup_with_dns_records.yml diff --git a/rules/windows/powershell/powershell_classic/posh_pc_abuse_nslookup_with_dns_records.yml b/rules/windows/powershell/powershell_classic/posh_pc_abuse_nslookup_with_dns_records.yml new file mode 100644 index 000000000..e1e309369 --- /dev/null +++ b/rules/windows/powershell/powershell_classic/posh_pc_abuse_nslookup_with_dns_records.yml @@ -0,0 +1,30 @@ +title: Nslookup PowerShell Download Cradle +id: 999bff6d-dc15-44c9-9f5c-e1051bfc86e1 +related: + - id: 1b3b01c7-84e9-4072-86e5-fc285a41ff23 + type: similar +status: experimental +description: Detects suspicious powershell download cradle using nslookup. This cradle uses nslookup to extract payloads from DNS records +references: + - https://twitter.com/Alh4zr3d/status/1566489367232651264 +author: Sai Prashanth Pulisetti @pulisettis +date: 2022/12/10 +tags: + - attack.execution + - attack.t1059.001 +logsource: + product: windows + category: ps_classic_start + definition: fields have to be extract from event +detection: + selection: + HostApplication|contains|all: + - 'powershell' + - 'nslookup' + HostApplication|contains: + - '-q=txt' + - '-querytype=txt' + condition: selection +falsepositives: + - Unknown +level: high From 1cfd7794d2dc8754a3584b8798eaa0b8f7d20743 Mon Sep 17 00:00:00 2001 
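Review bot: The new rule's `title` is the bare `Nslookup PowerShell Download Cradle`, while its `related: similar` counterpart (id 1b3b01c7-84e9-4072-86e5-fc285a41ff23, patch 132 in this series) was just given the `- ProcessCreation` suffix to tell the two apart; a matching suffix here, e.g. `Nslookup PowerShell Download Cradle - PowerShell Classic`, keeps the pair distinguishable in alert lists. The `logsource.definition` text `fields have to be extract from event` should read `fields have to be extracted from the event`. The `description` is copied word for word from the sibling rule, which is fine, but it lacks a terminating period.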
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Mon, 12 Dec 2022 13:40:55 +0100 Subject: [PATCH 136/303] fix: fix FP found in testing --- .../win_codeintegrity_attempted_dll_load.yml | 9 ++++++++- .../proc_creation_win_ntfs_short_name_use_image.yml | 3 ++- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml index 430b3738a..f777c4dc8 100644 --- a/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml +++ b/rules/windows/builtin/code_integrity/win_codeintegrity_attempted_dll_load.yml @@ -7,7 +7,7 @@ references: - https://twitter.com/SBousseaden/status/1483810148602814466 - https://github.com/MicrosoftDocs/windows-itpro-docs/blob/40fe118976734578f83e5e839b9c63ae7a4af82d/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md#windows-codeintegrity-operational-log date: 2022/01/20 -modified: 2022/12/05 +modified: 2022/12/12 tags: - attack.execution logsource: @@ -84,6 +84,13 @@ detection: ProcessNameBuffer|contains: '\Windows\Microsoft.NET\' RequestedPolicy: 8 ValidatedPolicy: 2 + filter_google_drive: + # Example: \Program Files\Google\Drive File Stream\67.0.2.0\crashpad_handler.exe + FileNameBuffer|contains: '\Program Files\Google\Drive File Stream\' + FileNameBuffer|endswith: '\crashpad_handler.exe' + ProcessNameBuffer|endswith: '\Windows\ImmersiveControlPanel\SystemSettings.exe' + RequestedPolicy: 8 + ValidatedPolicy: 1 condition: selection and not 1 of filter_* falsepositives: - Antivirus products diff --git a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml index 989cb7972..572d79db8 100644 --- a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml 
+++ b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml
@@ -11,7 +11,7 @@ references:
 - https://twitter.com/jonasLyk/status/1555914501802921984
 author: frack113, Nasreddine Bencherchali
 date: 2022/08/06
-modified: 2022/09/18
+modified: 2022/12/12
 tags:
 - attack.defense_evasion
 - attack.t1564.004
@@ -45,6 +45,7 @@ detection:
 - '\thor\thor64.exe'
 - '-installer.exe' # e.g. C:\Users\neo\Downloads\xampp-windows-x64-8.1.6-0-VS16-installer.exe
 - Image|contains: '\vcredi'
+ - ParentImage: 'C:\Windows\explorer.exe'
 condition: selection and not filter
 falsepositives:
 - Unknown
From da2d06fa37d2a8f00a26950efce7e80f21953d3b Mon Sep 17 00:00:00 2001
From: Micah Babinski
Date: Mon, 12 Dec 2022 07:28:57 -0800
Subject: [PATCH 137/303] Added suspicious rcedit rule.
---
 .../proc_creation_susp_rcedit_execution.yml | 37 +++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml
diff --git a/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml b/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml
new file mode 100644
index 000000000..772917603
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml
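Review bot: The added filter entry `- ParentImage: 'C:\Windows\explorer.exe'` is an OR branch of the `filter` list, so it suppresses every process whose parent is Explorer — that is most interactively launched programs on a workstation, which is also exactly how a user-delivered file with an 8.3 short-name path gets started. If the false positive found in testing was a specific child, pair `ParentImage` with that `Image` in a dedicated `filter_*` mapping (keys in one mapping combine with AND), and record what it was in a `# e.g. …` comment like the one on `-installer.exe`. The `filter` list begins outside this hunk.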
@@ -0,0 +1,37 @@ +title: Suspicious Use of rcedit utility +id: 0c92f2e6-f08f-4b73-9216-ecb0ca634689 +status: experimental +description: Detects the suspicious child use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion. +references: + - https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe + - https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915 + - https://github.com/electron/rcedit +author: Micah Babinski +date: 2022/12/11 +tags: + - attack.defense_evasion + - attack.t1036.003 + - attack.t1036 + - attack.t1027.005 + - attack.t1027 +logsource: + category: process_creation + product: windows +detection: + selection1: + Image|endswith: + - '\rcedit-x64.exe' + - '\rcedit-x86.exe' + CommandLine|contains: '--set-resource-string' + selection2: + CommandLine|contains: + - 'OriginalFileName' + - 'CompanyName' + - 'FileDescription' + - 'ProductName' + - 'ProductVersion' + - 'LegalCopyright' + condition: selection1 and selection2 +falsepositives: + - Unknown +level: high From e8a980161c7ff4cdb52f29b1853370914a5c565b Mon Sep 17 00:00:00 2001 From: Micah Babinski Date: Mon, 12 Dec 2022 07:32:26 -0800 Subject: [PATCH 138/303] Fixed rule description and title. --- .../process_creation/proc_creation_susp_rcedit_execution.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml b/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml index 772917603..d4da0bf3d 100644 --- a/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml +++ b/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml 
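Review bot: `tags` lists each sub-technique next to its parent (`attack.t1036.003` with `attack.t1036`, `attack.t1027.005` with `attack.t1027`); if the repository follows the usual SigmaHQ practice of tagging only the most specific technique, the parent entries are redundant and make the rule appear twice in technique-based navigators. The follow-up commits in this series that rework this file (patches 138 through 141 and 150) change the title, description, selections and level but leave the tag list as is.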
@@ -1,7 +1,7 @@ -title: Suspicious Use of rcedit utility +title: Suspicious Use of Rcedit Utility to Alter Executable Metadata id: 0c92f2e6-f08f-4b73-9216-ecb0ca634689 status: experimental -description: Detects the suspicious child use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion. +description: Detects the suspicious use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion. references: - https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe - https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915 From 52997da9b25d4ad1221d7625327fc509ab30555c Mon Sep 17 00:00:00 2001 From: Micah Babinski Date: Mon, 12 Dec 2022 07:33:47 -0800 Subject: [PATCH 139/303] Modified level (reduce severity) --- .../process_creation/proc_creation_susp_rcedit_execution.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml b/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml index d4da0bf3d..4b320ebac 100644 --- a/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml +++ b/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml @@ -34,4 +34,4 @@ detection: condition: selection1 and selection2 falsepositives: - Unknown -level: high +level: medium From 622fb687b7c062b00810a4ca31fe0b97faca96fe Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Mon, 12 Dec 2022 21:58:17 +0100 Subject: [PATCH 140/303] fix: update logic and other information --- .../proc_creation_susp_rcedit_execution.yml | 20 +++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) 
diff --git a/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml b/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml index 4b320ebac..1ad1b4900 100644 --- a/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml +++ b/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml @@ -1,7 +1,7 @@ -title: Suspicious Use of Rcedit Utility to Alter Executable Metadata +title: Potential Metadata Tamper Using Rcedit id: 0c92f2e6-f08f-4b73-9216-ecb0ca634689 status: experimental -description: Detects the suspicious use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion. +description: Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion. references: - https://security.stackexchange.com/questions/210843/is-it-possible-to-change-original-filename-of-an-exe - https://www.virustotal.com/gui/file/02e8e8c5d430d8b768980f517b62d7792d690982b9ba0f7e04163cbc1a6e7915 @@ -18,12 +18,16 @@ logsource: category: process_creation product: windows detection: - selection1: - Image|endswith: + selection_img: + - Image|endswith: - '\rcedit-x64.exe' - '\rcedit-x86.exe' - CommandLine|contains: '--set-resource-string' - selection2: + - Description: 'Edit resources of exe' + - Product: 'rcedit' + selection_flags: + CommandLine|contains: + - '--set-' # Covers multiple edit commands such as "--set-resource-string" or "--set-version-string" + selection_attributes: CommandLine|contains: - 'OriginalFileName' - 'CompanyName' @@ -31,7 +35,7 @@ detection: - 'ProductName' - 'ProductVersion' - 'LegalCopyright' - condition: selection1 and selection2 + condition: all of selection_* falsepositives: - - Unknown + - Legitimate use of the tool by administrators or users to update metadata of a binary level: medium 
From 14a2bf3b596bbf0980346b31eb3fd10aeb23ed5c Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Mon, 12 Dec 2022 22:16:38 +0100 Subject: [PATCH 141/303] fix: error in selection --- .../process_creation/proc_creation_susp_rcedit_execution.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml b/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml index 1ad1b4900..c9ca2c50d 100644 --- a/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml +++ b/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml @@ -25,8 +25,7 @@ detection: - Description: 'Edit resources of exe' - Product: 'rcedit' selection_flags: - CommandLine|contains: - - '--set-' # Covers multiple edit commands such as "--set-resource-string" or "--set-version-string" + CommandLine|contains: '--set-' # Covers multiple edit commands such as "--set-resource-string" or "--set-version-string" selection_attributes: CommandLine|contains: - 'OriginalFileName' From 681c720509254979c765ab4524bb28f34f422992 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Mon, 12 Dec 2022 22:30:08 +0100 Subject: [PATCH 142/303] fix: fp in user_driver_loaded rule --- .../builtin/security/win_security_user_driver_loaded.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/builtin/security/win_security_user_driver_loaded.yml b/rules/windows/builtin/security/win_security_user_driver_loaded.yml index 32dd4b9af..b7f5c465b 100644 --- a/rules/windows/builtin/security/win_security_user_driver_loaded.yml +++ b/rules/windows/builtin/security/win_security_user_driver_loaded.yml 
@@ -13,7 +13,7 @@ references:
 - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673
 author: xknow (@xknow_infosec), xorxes (@xor_xes)
 date: 2019/04/08
-modified: 2022/12/07
+modified: 2022/12/12
 tags:
 - attack.defense_evasion
 - attack.t1562.001
@@ -36,6 +36,7 @@ detection:
 - 'C:\Windows\System32\svchost.exe'
 - 'C:\Windows\System32\wimserv.exe'
 - 'C:\Windows\System32\RuntimeBroker.exe'
+ - 'C:\Windows\System32\SystemSettingsBroker.exe'
 - ProcessName|endswith:
 - '\procexp64.exe'
 - '\procexp.exe'
From a7662a7350cbe6db9f574858442d5e852ddeb74e Mon Sep 17 00:00:00 2001
From: Gott <47673777+danielgottt@users.noreply.github.com>
Date: Mon, 12 Dec 2022 17:07:05 -0500
Subject: [PATCH 143/303] Update rules/windows/process_creation/proc_creation_win_lolbin_setres.yml
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
---
 .../process_creation/proc_creation_win_lolbin_setres.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml b/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml
index 32ff6c23c..da47af9ae 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml
@@ -1,7 +1,7 @@
 title: Use of Setres.exe
 id: 835e75bf-4bfd-47a4-b8a6-b766cac8bcb7
 status: experimental
-description: Detects the use of Setres.exe to set the screen resolution and then to potentially launch a file named "choice" from the local path
+description: Detects the use of Setres.exe to set the screen resolution and then potentially launch a file named "choice" (with any executable extension such as ".cmd" or ".exe") from the current execution path
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Setres/
 - https://twitter.com/0gtweet/status/1583356502340870144
From 120bff21f878f634e64c855f13a55ea1e125432b Mon Sep 17 00:00:00 2001
From: Gott <47673777+danielgottt@users.noreply.github.com> Date: Mon, 12 Dec 2022 17:09:26 -0500 Subject: [PATCH 144/303] Update proc_creation_win_lolbin_setres.yml --- .../process_creation/proc_creation_win_lolbin_setres.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml b/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml index da47af9ae..924eea112 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_setres.yml @@ -18,8 +18,8 @@ logsource: product: windows detection: selection: - ParentImage|endswith: '\setres.exe' - Image|endswith: '\choice' + ParentImage|endswith: '\setres.exe' + Image|endswith: '\choice' condition: all of selection* falsepositives: - Legitimate usage of Setres From b9b88b13822293922989b3c1be2d7b598c63a212 Mon Sep 17 00:00:00 2001 From: Gott <47673777+danielgottt@users.noreply.github.com> Date: Mon, 12 Dec 2022 17:16:03 -0500 Subject: [PATCH 145/303] Update web_apache_solr_lfi_exploit.yml --- rules/web/web_apache_solr_lfi_exploit.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/web/web_apache_solr_lfi_exploit.yml b/rules/web/web_apache_solr_lfi_exploit.yml index 2827ac4a8..31240079f 100644 --- a/rules/web/web_apache_solr_lfi_exploit.yml +++ b/rules/web/web_apache_solr_lfi_exploit.yml @@ -15,6 +15,7 @@ date: 2022/12/11 tags: - attack.initial_access - attack.t1190 + - cve.2021-27905 logsource: category: webserver detection: From c91c775f587bc7c7edb90d104e95d7032fe60e08 Mon Sep 17 00:00:00 2001 
From: Gott <47673777+danielgottt@users.noreply.github.com> Date: Mon, 12 Dec 2022 17:16:52 -0500 Subject: [PATCH 146/303] Rename web_apache_solr_lfi_exploit.yml to web_cve_2021-27905_apache_solr_lfi_exploit.yml --- ...exploit.yml => web_cve_2021-27905_apache_solr_lfi_exploit.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/web/{web_apache_solr_lfi_exploit.yml => web_cve_2021-27905_apache_solr_lfi_exploit.yml} (100%) diff --git a/rules/web/web_apache_solr_lfi_exploit.yml b/rules/web/web_cve_2021-27905_apache_solr_lfi_exploit.yml similarity index 100% rename from rules/web/web_apache_solr_lfi_exploit.yml rename to rules/web/web_cve_2021-27905_apache_solr_lfi_exploit.yml From 11351b78dd5b277556ac741078829306e6fc9f40 Mon Sep 17 00:00:00 2001 From: Gott <47673777+danielgottt@users.noreply.github.com> Date: Mon, 12 Dec 2022 17:17:11 -0500 Subject: [PATCH 147/303] Rename web_cve_2021-27905_apache_solr_lfi_exploit.yml to web_cve_2021_27905_apache_solr_lfi_exploit.yml --- ...exploit.yml => web_cve_2021_27905_apache_solr_lfi_exploit.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/web/{web_cve_2021-27905_apache_solr_lfi_exploit.yml => web_cve_2021_27905_apache_solr_lfi_exploit.yml} (100%) diff --git a/rules/web/web_cve_2021-27905_apache_solr_lfi_exploit.yml b/rules/web/web_cve_2021_27905_apache_solr_lfi_exploit.yml similarity index 100% rename from rules/web/web_cve_2021-27905_apache_solr_lfi_exploit.yml rename to rules/web/web_cve_2021_27905_apache_solr_lfi_exploit.yml From 14ccb7b00ecf481d3877addc64d683f1752698df Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Mon, 12 Dec 2022 23:26:19 +0100 Subject: [PATCH 148/303] fix: broken tag --- rules/web/web_cve_2021_27905_apache_solr_lfi_exploit.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/rules/web/web_cve_2021_27905_apache_solr_lfi_exploit.yml b/rules/web/web_cve_2021_27905_apache_solr_lfi_exploit.yml index 31240079f..006c8f823 100644 --- a/rules/web/web_cve_2021_27905_apache_solr_lfi_exploit.yml +++ b/rules/web/web_cve_2021_27905_apache_solr_lfi_exploit.yml @@ -15,7 +15,7 @@ date: 2022/12/11 tags: - attack.initial_access - attack.t1190 - - cve.2021-27905 + - cve.2021.27905 logsource: category: webserver detection: From 796db1479fb73ddf66228935da3035ef55e39c21 Mon Sep 17 00:00:00 2001 From: Gott <47673777+danielgottt@users.noreply.github.com> Date: Mon, 12 Dec 2022 17:31:32 -0500 Subject: [PATCH 149/303] Update web_cve_2021_27905_apache_solr_lfi_exploit.yml --- .../web_cve_2021_27905_apache_solr_lfi_exploit.yml | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/rules/web/web_cve_2021_27905_apache_solr_lfi_exploit.yml b/rules/web/web_cve_2021_27905_apache_solr_lfi_exploit.yml index 006c8f823..c7fb08329 100644 --- a/rules/web/web_cve_2021_27905_apache_solr_lfi_exploit.yml +++ b/rules/web/web_cve_2021_27905_apache_solr_lfi_exploit.yml @@ -10,6 +10,7 @@ references: - https://twitter.com/sec715/status/1373472323538362371 - https://nsfocusglobal.com/apache-solr-arbitrary-file-read-and-ssrf-vulnerability-threat-alert/ - https://mp.weixin.qq.com/s?__biz=Mzg3NDU2MTg0Ng==&mid=2247484117&idx=1&sn=2fdab8cbe4b873f8dd8abb35d935d186 + - https://github.com/murataydemir/CVE-2021-27905 author: '@gott_cyber' date: 2022/12/11 tags: @@ -19,13 +20,19 @@ tags: logsource: category: webserver detection: - selection_request: + selection_request1: c-uri|contains|all: - '/solr/' - '/debug/dump?' - 'param=ContentStream' sc-status: '200' - condition: selection_request + selection_request2: + cs-method: 'GET' + c-uri|contains|all: + - '/solr/' + - '?command=fetchindex&masterUrl=' + sc-status: '200' + condition: selection_request1 or selection_request2 falsepositives: - Unknown level: medium 
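Review bot: The new `selection_request2` (like `selection_request1`) requires `sc-status: '200'`, so an attempt that is rejected or errors out (4xx/5xx) never matches; for a rule meant to flag exploitation attempts, consider dropping the status constraint or documenting that only apparently successful requests are alerted on. The same constraint is kept in the reworked `selection_request2` of PATCH 151 (L293), whose new title explicitly says "Exploitation Attempt". With `sc-status` removed, the `'/solr/'` plus `command=fetchindex`/`masterUrl=` substrings are still specific enough that `level: medium` looks reasonable, but that is a judgement call to confirm on real traffic.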
From aca5dccd7fdda232309cb4698cebecb8280f71b3 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 13 Dec 2022 00:01:46 +0100 Subject: [PATCH 150/303] fix: change title --- .../process_creation/proc_creation_susp_rcedit_execution.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml b/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml index c9ca2c50d..776cd622a 100644 --- a/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml +++ b/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml @@ -1,4 +1,4 @@ -title: Potential Metadata Tamper Using Rcedit +title: Potential PE Metadata Tamper Using Rcedit id: 0c92f2e6-f08f-4b73-9216-ecb0ca634689 status: experimental description: Detects the use of rcedit to potentially alter executable PE metadata properties, which could conceal efforts to rename system utilities for defense evasion. From 8011ef23a314d9f0650a1e44aa08a2498c9206bb Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 13 Dec 2022 00:15:49 +0100 Subject: [PATCH 151/303] fix: enhance logic, description and title --- ...l => web_cve_2021_27905_apache_solr_exploit.yml} | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) rename rules/web/{web_cve_2021_27905_apache_solr_lfi_exploit.yml => web_cve_2021_27905_apache_solr_exploit.yml} (78%) diff --git a/rules/web/web_cve_2021_27905_apache_solr_lfi_exploit.yml b/rules/web/web_cve_2021_27905_apache_solr_exploit.yml similarity index 78% rename from rules/web/web_cve_2021_27905_apache_solr_lfi_exploit.yml rename to rules/web/web_cve_2021_27905_apache_solr_exploit.yml index c7fb08329..8652e3408 100644 --- a/rules/web/web_cve_2021_27905_apache_solr_lfi_exploit.yml +++ b/rules/web/web_cve_2021_27905_apache_solr_exploit.yml 
@@ -1,8 +1,8 @@ -title: Potential Apache Solr Local File Read Exploit +title: Potential CVE-2021-27905 Exploitation Attempt id: 0bbcd74b-0596-41a4-94a0-4e88a76ffdb3 status: experimental description: | - All Apache Solr versions <= 8.8.1 are impacted by an arbitrary file read and server-side request forgery (SSRF) vulnerability. + Detects exploitation attempt of the CVE-2021-27905 which affects all Apache Solr versions prior to and including 8.8.1. Unauthenticated attackers could turn on requestDis patcher.requestParsers.enableRemoteStreaming via the Config API. After configured, remote attackers can can thereby read local files on the vulnerable devices through ContentStream. references: @@ -29,10 +29,11 @@ detection: selection_request2: cs-method: 'GET' c-uri|contains|all: - - '/solr/' - - '?command=fetchindex&masterUrl=' + - '/solr/' + - 'command=fetchindex' + - 'masterUrl=' sc-status: '200' - condition: selection_request1 or selection_request2 + condition: 1 of selection_* falsepositives: - - Unknown + - Vulnerability Scanners level: medium From 078fcaab28380eeb36b46599c82c94b7a2bf5ce8 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 13 Dec 2022 00:17:04 +0100 Subject: [PATCH 152/303] fix: update description --- rules/web/web_cve_2021_27905_apache_solr_exploit.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/rules/web/web_cve_2021_27905_apache_solr_exploit.yml b/rules/web/web_cve_2021_27905_apache_solr_exploit.yml index 8652e3408..697558820 100644 --- a/rules/web/web_cve_2021_27905_apache_solr_exploit.yml +++ b/rules/web/web_cve_2021_27905_apache_solr_exploit.yml 
@@ -1,10 +1,7 @@ title: Potential CVE-2021-27905 Exploitation Attempt id: 0bbcd74b-0596-41a4-94a0-4e88a76ffdb3 status: experimental -description: | - Detects exploitation attempt of the CVE-2021-27905 which affects all Apache Solr versions prior to and including 8.8.1. - Unauthenticated attackers could turn on requestDis patcher.requestParsers.enableRemoteStreaming via the Config API. - After configured, remote attackers can can thereby read local files on the vulnerable devices through ContentStream. +description: Detects exploitation attempt of the CVE-2021-27905 which affects all Apache Solr versions prior to and including 8.8.1. references: - https://twitter.com/Al1ex4/status/1382981479727128580 - https://twitter.com/sec715/status/1373472323538362371 From 3b88cab510f91c0032c98f7086cc104d583b7253 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 13 Dec 2022 10:26:21 +0100 Subject: [PATCH 153/303] Add image_load_side_load_classicexplorer32 --- ...image_load_side_load_classicexplorer32.yml | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 rules/windows/image_load/image_load_side_load_classicexplorer32.yml diff --git a/rules/windows/image_load/image_load_side_load_classicexplorer32.yml b/rules/windows/image_load/image_load_side_load_classicexplorer32.yml new file mode 100644 index 000000000..ee43824ed --- /dev/null +++ b/rules/windows/image_load/image_load_side_load_classicexplorer32.yml 
@@ -0,0 +1,27 @@
+title: ClassicExplorer32 DLL Sideloading
+id: caa02837-f659-466f-bca6-48bde2826ab4
+status: experimental
+description: Detects DLL sideloading of DLLs classic Windows Explorer features
+references:
+ - https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets
+ - https://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/
+author: frack113
+date: 2022/12/13
+tags:
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1574.001
+ - attack.t1574.002
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection_classicexplorer:
+ ImageLoaded|endswith: '\ClassicExplorer32.dll'
+ filter_classicexplorer:
+ ImageLoaded|startswith: ' C:\Program Files\Classic Shell\'
+ condition: selection_classicexplorer and not filter_classicexplorer
+falsepositives:
+ - Unknown
+level: medium
From 5232094c71799336cbdccf95220235682c736602 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 13 Dec 2022 11:25:23 +0100 Subject: [PATCH 154/303] fix: more fp found in testing and enhance fp metadata --- .../azure/azure_privileged_account_no_saw_paw.yml | 2 +- ...zure_privileged_account_sigin_expected_controls.yml | 2 +- .../win_msi_install_from_susp_locations.yml | 2 +- .../posh_pc_alternate_powershell_hosts.yml | 1 + .../posh_pm_alternate_powershell_hosts.yml | 10 +++++----- .../proc_creation_win_cmd_redirect.yml | 2 +- .../proc_creation_win_susp_taskkill.yml | 2 +- 7 files changed, 11 insertions(+), 10 deletions(-)
diff --git a/rules-placeholder/cloud/azure/azure_privileged_account_no_saw_paw.yml b/rules-placeholder/cloud/azure/azure_privileged_account_no_saw_paw.yml
index 3acc5d8f0..3f5cc3ce6 100644
--- a/rules-placeholder/cloud/azure/azure_privileged_account_no_saw_paw.yml
+++ b/rules-placeholder/cloud/azure/azure_privileged_account_no_saw_paw.yml
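Review bot: The filter value `' C:\Program Files\Classic Shell\'` in `filter_classicexplorer` carries a space after the opening quote, so a `startswith` comparison on `ImageLoaded` can never match a real path and the filter is effectively dead — every load of ClassicExplorer32.dll, including one from the install directory the filter is meant to exclude, would fire. If the space is not an artifact of the diff rendering, change the line to `ImageLoaded|startswith: 'C:\Program Files\Classic Shell\'`; if the product can also be installed under `C:\Program Files (x86)\`, that location needs a second filter entry. The description `Detects DLL sideloading of DLLs classic Windows Explorer features` reads as a fragment; `Detects potential DLL sideloading of ClassicExplorer32.dll, a library normally loaded from the Classic Shell installation directory` states what is matched and why the filter exists.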
@@ -10,7 +10,7 @@ logsource: product: azure service: signinlogs detection: - # You have to tune the rule for your environnement before use it + # You have to tune the rule for your environment before use it selection: properties.message|contains: Add memmber to role completed (PIM aciviation) # Countries you DO operate out of e,g GB, use list for mulitple diff --git a/rules-placeholder/cloud/azure/azure_privileged_account_sigin_expected_controls.yml b/rules-placeholder/cloud/azure/azure_privileged_account_sigin_expected_controls.yml index 7949f61dd..aa690ee70 100644 --- a/rules-placeholder/cloud/azure/azure_privileged_account_sigin_expected_controls.yml +++ b/rules-placeholder/cloud/azure/azure_privileged_account_sigin_expected_controls.yml @@ -10,7 +10,7 @@ logsource: product: azure service: signinlogs detection: - # You have to tune the rule for your environnement before use it + # You have to tune the rule for your environment before use it selection: Status: failure # Countries you do NOT operate out of e,g GB, use list for mulitple diff --git a/rules/windows/builtin/application/win_msi_install_from_susp_locations.yml b/rules/windows/builtin/application/win_msi_install_from_susp_locations.yml index e60913cb0..fc5d77a72 100644 --- a/rules/windows/builtin/application/win_msi_install_from_susp_locations.yml +++ b/rules/windows/builtin/application/win_msi_install_from_susp_locations.yml @@ -34,5 +34,5 @@ detection: Data|contains: 'C:\Windows\TEMP\UpdHealthTools.msi' condition: selection and not 1 of filter_* falsepositives: - - Some false positives may occur depending on the environnement + - False positives may occur if you allow installation from folders such as the desktop, the public folder or remote shares level: medium diff --git a/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml index 79c370e09..d93797ba2 100644 
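Review bot: The selection value `properties.message|contains: Add memmber to role completed (PIM aciviation)` on the context line right below the corrected comment still carries two misspellings (`memmber`, `aciviation`); unless the sign-in log message really uses those spellings, the selection never matches and this placeholder rule is silent. Since the commit only fixes the comment, verify the string against a real event and, if it is a typo, change it to `properties.message|contains: Add member to role completed (PIM activation)`. The comments `# Countries you DO operate out of e,g GB, use list for mulitple` here and `# Countries you do NOT operate out of e,g GB, use list for mulitple` in the next hunk also need `e.g.` and `multiple`. The rest of each `detection` block lies outside the hunk.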
--- a/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml +++ b/rules/windows/powershell/powershell_classic/posh_pc_alternate_powershell_hosts.yml @@ -21,6 +21,7 @@ detection: selection: HostApplication|contains: '*' filter: + # If you extracted the fields from this event. Use the filter list described in 64e8e417-c19a-475a-8d19-98ea705394cc to filter FPs - HostApplication|startswith: 'C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe' - ContextInfo|contains: 'Citrix\ConfigSync\ConfigSync.ps1' condition: selection and not filter diff --git a/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml index 69e2ce0b7..f5681b205 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml @@ -6,7 +6,7 @@ references: - https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html author: Roberto Rodriguez @Cyb3rWard0g date: 2019/08/11 -modified: 2022/12/02 +modified: 2022/12/13 tags: - attack.execution - attack.t1059.001 @@ -17,7 +17,7 @@ logsource: detection: selection: ContextInfo|contains: '*' - filter: + filter_powershell: # This filter covers the following use cases # - When powershell is called directly from commandline via keyword powershell or powershell.exe # - Or called via path but not with full "".exe". Example: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell 
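Review bot: The comment added inside `filter` is split into two fragments: `# If you extracted the fields from this event. Use the filter list described in 64e8e417-c19a-475a-8d19-98ea705394cc to filter FPs`. Make it one sentence that says what it points at, e.g. `# If you extract the fields from this event, reuse the filter list of rule 64e8e417-c19a-475a-8d19-98ea705394cc to suppress the same false positives`. Because `selection` is `HostApplication|contains: '*'`, this filter list is the only thing limiting the rule's volume, so a precise pointer is worth the extra words. The enclosing `detection` block starts before the hunk.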
@@ -28,8 +28,8 @@ detection: # In some cases powershell was invoked with inverted slashes - '= C:/Windows/System32/WindowsPowerShell/v1.0/powershell' - '= C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell' - # When MSDT is launched - - '= C:\WINDOWS\System32\sdiagnhost.exe -Embedding ' + filter_sdiagnhost: + ContextInfo|contains: '= C:\WINDOWS\System32\sdiagnhost.exe -Embedding' # When MSDT is launched for example filter_citrix: ContextInfo|contains: 'ConfigSyncRun.exe' filter_adace: # Active Directory Administrative Center Enhancements @@ -40,7 +40,7 @@ detection: Payload|contains: - 'Update-Help' - 'Failed to update Help for the module' - condition: selection and not 1 of filter* + condition: selection and not 1 of filter_* falsepositives: - Programs using PowerShell directly without invocation of a dedicated interpreter - MSP Detection Searcher diff --git a/rules/windows/process_creation/proc_creation_win_cmd_redirect.yml b/rules/windows/process_creation/proc_creation_win_cmd_redirect.yml index f48f2fde9..b21d331a4 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_redirect.yml +++ b/rules/windows/process_creation/proc_creation_win_cmd_redirect.yml @@ -21,5 +21,5 @@ detection: CommandLine|contains: '>' condition: all of selection_* falsepositives: - - Unknown + - Internet Download Manager extensions use named pipes and redirection via CLI. Filter it out if you use it in your environment level: low diff --git a/rules/windows/process_creation/proc_creation_win_susp_taskkill.yml b/rules/windows/process_creation/proc_creation_win_susp_taskkill.yml index 522a0bb09..c1eb9f34e 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_taskkill.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_taskkill.yml 
@@ -23,5 +23,5 @@ detection: - ' /im ' condition: all of selection* falsepositives: - - Unknown + - Expected FP with some processes using this techniques to terminate one of their processes during installations and updates level: low From 5dd4df421d07085e9b81801d236ba727eb02ab68 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 13 Dec 2022 11:31:12 +0100 Subject: [PATCH 155/303] fix: order placeholder rules and enhance descriptions --- ...ad_account_created_deleted_nonapproved_user.yml | 14 +++++++------- .../azure_ad_account_signin_outside_hours.yml | 12 ++++++------ .../azure/azure_privileged_account_no_saw_paw.yml | 14 +++++++------- ..._privileged_account_sigin_expected_controls.yml | 12 ++++++------ ...ure_privileged_account_signin_outside_hours.yml | 14 +++++++------- 5 files changed, 33 insertions(+), 33 deletions(-) diff --git a/rules-placeholder/cloud/azure/azure_ad_account_created_deleted_nonapproved_user.yml b/rules-placeholder/cloud/azure/azure_ad_account_created_deleted_nonapproved_user.yml index eba50e063..aa9d8b3e6 100644 --- a/rules-placeholder/cloud/azure/azure_ad_account_created_deleted_nonapproved_user.yml +++ b/rules-placeholder/cloud/azure/azure_ad_account_created_deleted_nonapproved_user.yml 
@@ -1,17 +1,20 @@ title: Account Created And Deleted By Non Approved Users id: c98184ba-4a27-4e10-b7b7-da48e71f4d25 status: experimental -description: Detects when accounts are created and deleted by non-approved users. -author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1' -date: 2022/08/11 +description: Detects accounts that are created or deleted by non-approved users. references: - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-accounts +author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1' +date: 2022/08/11 +tags: + - attack.defense_evasion + - attack.t1078 logsource: product: azure service: auditlogs detection: selection: - properties.message: + properties.message: - Add user - Delete user Status: Sucess @@ -20,7 +23,4 @@ detection: condition: selection and not valid_admin falsepositives: - Legit administrative action -tags: - - attack.defense_evasion - - attack.t1078 level: medium diff --git a/rules-placeholder/cloud/azure/azure_ad_account_signin_outside_hours.yml b/rules-placeholder/cloud/azure/azure_ad_account_signin_outside_hours.yml index e573ef7a3..df931f828 100644 --- a/rules-placeholder/cloud/azure/azure_ad_account_signin_outside_hours.yml +++ b/rules-placeholder/cloud/azure/azure_ad_account_signin_outside_hours.yml 
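Review bot: The context line `Status: Sucess` in `selection` looks like a misspelling of `Success`; if the audit log emits `Success`, the selection never matches and the rule silently does nothing. The commit reorders metadata and fixes the trailing space on `properties.message:` but leaves this value; verify it against a real `auditlogs` event and correct it to `Status: Success` if it is a typo. The `valid_admin` definition referenced by `condition: selection and not valid_admin` sits outside the hunk.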
@@ -1,11 +1,14 @@ title: Authentication Occuring Outside Normal Business Hours id: 160f24f3-e6cc-496d-8a3d-f5d06e4ad526 status: experimental -description: Detects when an a user signs in outside of normal business hours. -author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1' -date: 2022/08/11 +description: Detects user signs ins outside of normal business hours. references: - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins +author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1' +date: 2022/08/11 +tags: + - attack.persistence + - attack.t1078 logsource: product: azure service: signinlogs @@ -19,7 +22,4 @@ detection: condition: selection falsepositives: - User doing actual work outside of normal business hours. -tags: - - attack.persistence - - attack.t1078 level: low diff --git a/rules-placeholder/cloud/azure/azure_privileged_account_no_saw_paw.yml b/rules-placeholder/cloud/azure/azure_privileged_account_no_saw_paw.yml index 3f5cc3ce6..6e2438b90 100644 --- a/rules-placeholder/cloud/azure/azure_privileged_account_no_saw_paw.yml +++ b/rules-placeholder/cloud/azure/azure_privileged_account_no_saw_paw.yml @@ -1,11 +1,15 @@ title: Privilege Role Elevation Not Occuring on SAW or PAW id: 38a5e67b-436a-4e77-9f73-f48a82626890 status: experimental -description: Detects when an account fails a sign-in when in from a PAW or SAW device -author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' -date: 2022/08/11 +description: Detects failed sign-in from a PAW or SAW device references: - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor +author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' +date: 2022/08/11 +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1078 logsource: product: azure service: signinlogs 
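Review bot: The new description `Detects user signs ins outside of normal business hours.` is ungrammatical; `Detects user sign-ins outside of normal business hours.` is the intended wording. In the third hunk (azure_privileged_account_no_saw_paw.yml) the new description `Detects failed sign-in from a PAW or SAW device` says the opposite of the title `Privilege Role Elevation Not Occuring on SAW or PAW`: the title describes elevation that does not come from a PAW/SAW, while the description describes a sign-in that does, so one of them should be corrected to match the detection logic, which is outside the hunk. The title's `Occuring` should also be `Occurring`, and the same misspelling is in this file's title `Authentication Occuring Outside Normal Business Hours`.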
@@ -25,8 +29,4 @@ detection: condition: selection falsepositives: - Not using a PAW/SAW in the environment -tags: - - attack.defense_evasion - - attack.privilege_escalation - - attack.t1078 level: high diff --git a/rules-placeholder/cloud/azure/azure_privileged_account_sigin_expected_controls.yml b/rules-placeholder/cloud/azure/azure_privileged_account_sigin_expected_controls.yml index aa690ee70..95d3033d7 100644 --- a/rules-placeholder/cloud/azure/azure_privileged_account_sigin_expected_controls.yml +++ b/rules-placeholder/cloud/azure/azure_privileged_account_sigin_expected_controls.yml @@ -1,11 +1,14 @@ title: Privilege Role Sign-In Outside Expected Controls id: cf1e5687-84e1-41af-97a9-158094efef53 status: experimental -description: Detects when an account fails a sign-in when it doesn't meet expected controls for admins -author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' -date: 2022/08/11 +description: Detects failed sign-in due to user not meeting expected controls for adminitrators references: - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor +author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' +date: 2022/08/11 +tags: + - attack.defense_evasion + - attack.t1078 logsource: product: azure service: signinlogs @@ -21,7 +24,4 @@ detection: condition: selection falsepositives: - A legit admin not following proper processes -tags: - - attack.defense_evasion - - attack.t1078 level: high diff --git a/rules-placeholder/cloud/azure/azure_privileged_account_signin_outside_hours.yml b/rules-placeholder/cloud/azure/azure_privileged_account_signin_outside_hours.yml index 403ce5eb2..fd702d956 100644 --- a/rules-placeholder/cloud/azure/azure_privileged_account_signin_outside_hours.yml +++ b/rules-placeholder/cloud/azure/azure_privileged_account_signin_outside_hours.yml 
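Review bot: The new description `Detects failed sign-in due to user not meeting expected controls for adminitrators` misspells `administrators`; `Detects failed sign-ins by users that do not meet the expected controls for administrators` also reads better. In the following section (L303) `Detects account sign ins outside of normal hours or uncommon locations.` should likewise use `sign-ins`.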
@@ -1,11 +1,14 @@ title: Privilege Role Sign-In Outside Of Normal Hours id: e927a2f5-e7af-424f-ace7-70ebb49e8976 status: experimental -description: Detects when an account signs in from outside normal hours or locations. Admin accounts should be investigated -author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' -date: 2022/08/11 +description: Detects account sign ins outside of normal hours or uncommon locations. Administrator accounts should be investigated references: - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor +author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' +date: 2022/08/11 +tags: + - attack.persistence + - attack.t1078 logsource: product: azure service: signinlogs @@ -20,8 +23,5 @@ detection: Initiatied.By: '%ApprovedUserUpn%' condition: selection falsepositives: - - An admin doing actual work outside of normal business hours. -tags: - - attack.persistence - - attack.t1078 + - An admin doing actual work outside of normal business hours level: high From 53cfd3b7a1a46c94e1f32af6f66a763b2e198290 Mon Sep 17 00:00:00 2001 
From: BlueTeamOps <1480956+blueteam0ps@users.noreply.github.com> Date: Tue, 13 Dec 2022 22:23:50 +1100 Subject: [PATCH 156/303] Multiple AWS use cases Multiple AWS use cases based on https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/ --- rules/cloud/aws/aws_delete_identity.yml | 23 ++++++++++++++ rules/cloud/aws/aws_enum_logging.yml | 31 +++++++++++++++++++ rules/cloud/aws/aws_enum_network.yml | 28 +++++++++++++++++ rules/cloud/aws/aws_enum_storage.yml | 29 +++++++++++++++++ rules/cloud/aws/aws_ses_messaging_enabled.yml | 28 +++++++++++++++++ 5 files changed, 139 insertions(+) create mode 100644 rules/cloud/aws/aws_delete_identity.yml create mode 100644 rules/cloud/aws/aws_enum_logging.yml create mode 100644 rules/cloud/aws/aws_enum_network.yml create mode 100644 rules/cloud/aws/aws_enum_storage.yml create mode 100644 rules/cloud/aws/aws_ses_messaging_enabled.yml diff --git a/rules/cloud/aws/aws_delete_identity.yml b/rules/cloud/aws/aws_delete_identity.yml new file mode 100644 index 000000000..16adddd41 --- /dev/null +++ b/rules/cloud/aws/aws_delete_identity.yml @@ -0,0 +1,23 @@ +title: Delete SES Identity +id: 20f754db-d025-4a8f-9d74-e0037e999a9a +status: experimental +description: Identifies a SES identity is deleted. This may be an indicator of an adversary removing the account that carried out suspicious or malicious activities +references: + - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/ +author: Janantha Marasinghe +date: 2022/12/13 +tags: + - attack.defense_evasion + - attack.t1070 +logsource: + product: aws + service: cloudtrail +detection: + selection: + eventSource: cloudtrail + eventName: ses.amazonaws.com + - delete-identity + condition: selection +falsepositives: + - Unknown +level: medium \ No newline at end of file diff --git a/rules/cloud/aws/aws_enum_logging.yml b/rules/cloud/aws/aws_enum_logging.yml new file mode 100644 index 000000000..5f37586ce --- /dev/null 
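Review bot: The `selection` block of aws_delete_identity.yml is not valid YAML and has its CloudTrail fields confused: `eventSource: cloudtrail`, `eventName: ses.amazonaws.com` and then a bare `- delete-identity` list item at the same level as the keys will not parse, and the service name belongs in `eventSource` while `eventName` holds the API operation, which CloudTrail records in operation form (as the sibling rules' `GetPasswordData`, `DescribeVolumes` do) rather than the CLI spelling `delete-identity`. The intended shape is `eventSource: ses.amazonaws.com` followed by `eventName: DeleteIdentity`. The same broken layout (`eventSource: cloudtrail`, the service under `eventName`, a dangling operation list) repeats in aws_enum_logging.yml and aws_enum_network.yml (L305) and aws_enum_storage.yml (L306). In aws_enum_logging.yml, `GetBucketReplication` is an S3 operation that will not appear under an `ec2.amazonaws.com` source, and `GetPasswordData` returns an instance's administrator password data, which is credential access rather than the backup enumeration the title announces, so that list needs a second look; all five files also lack a trailing newline.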
+++ b/rules/cloud/aws/aws_enum_logging.yml @@ -0,0 +1,31 @@ +title: Enumerate Backup Configuration on AWS +id: 76255e09-755e-4675-8b6b-dbce9842cd2a +status: experimental +description: Identifies enumeration activity targeting the AWS backups +references: + - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/ +author: Janantha Marasinghe +date: 2022/12/13 +tags: + - attack.discovery + - attack.t1580 +logsource: + product: aws + service: cloudtrail +detection: + selection: + eventSource: cloudtrail + eventName: ec2.amazonaws.com + - GetPasswordData + - GetEbsEncryptionByDefault + - GetEbsDefaultKmsKeyId + - GetBucketReplication + - DescribeVolumes + - DescribeVolumesModifications + - DescribeSnapshotAttribute + - DescribeSnapshotTierStatus + - DescribeImages + condition: selection +falsepositives: + - Unknown +level: medium \ No newline at end of file diff --git a/rules/cloud/aws/aws_enum_network.yml b/rules/cloud/aws/aws_enum_network.yml new file mode 100644 index 000000000..1b3e0a8b4 --- /dev/null +++ b/rules/cloud/aws/aws_enum_network.yml @@ -0,0 +1,28 @@ +title: Network Enumeration on AWS +id: c3d53999-4b14-4ddd-9d9b-e618c366b54d +status: experimental +description: Identifies when network enumeration is performed on AWS. +references: + - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/ +author: Janantha Marasinghe +date: 2022/12/13 +tags: + - attack.discovery + - attack.t1016 +logsource: + product: aws + service: cloudtrail +detection: + selection: + eventSource: cloudtrail + eventName: ec2.amazonaws.com + - DescribeCarrierGateways + - DescribeVpcEndpointConnectionNotifications + - DescribeTransitGatewayMulticastDomains + - DescribeClientVpnRoutes + - DescribeDhcpOptions + - GetTransitGatewayRouteTableAssociations + condition: selection +falsepositives: + - Unknown +level: low \ No newline at end of file 
diff --git a/rules/cloud/aws/aws_enum_storage.yml b/rules/cloud/aws/aws_enum_storage.yml new file mode 100644 index 000000000..f2fa2fac4 --- /dev/null +++ b/rules/cloud/aws/aws_enum_storage.yml @@ -0,0 +1,29 @@ +title: Storage Enumeration on AWS +id: 4723218f-2048-41f6-bcb0-417f2d784f61 +status: experimental +description: Identifies enumeration activity targeting AWS storage +references: + - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/ +author: Janantha Marasinghe +date: 2022/12/13 +tags: + - attack.discovery + - attack.t1619 +logsource: + product: aws + service: cloudtrail +detection: + selection: + eventSource: cloudtrail + eventName: s3.amazonaws.com + - ListBuckets + - GetBucketCors + - GetBucketInventoryConfiguration + - GetBucketPublicAccessBlock + - GetBucketMetricsConfiguration + - GetBucketPolicy + - GetBucketTagging + condition: selection +falsepositives: + - Unknown +level: medium \ No newline at end of file diff --git a/rules/cloud/aws/aws_ses_messaging_enabled.yml b/rules/cloud/aws/aws_ses_messaging_enabled.yml new file mode 100644 index 000000000..52e57cf6d --- /dev/null +++ b/rules/cloud/aws/aws_ses_messaging_enabled.yml 
@@ -0,0 +1,28 @@ +title: Configure AWS SES To Send Messages +id: 33d50d03-20ec-4b74-a74e-1e65a38af1c0 +status: experimental +description: Identifies email sending feature is enabled for an account and the email address verification request is dispatched +references: + - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/ +author: Janantha Marasinghe +date: 2022/12/12 +tags: + - attack.t1583.006 + - attack.resource_development +logsource: + product: aws + service: cloudtrail +detection: + selection1: + eventSource: ses.amazonaws.com + eventName: + - UpdateAccountSendingEnabled + selection2: + eventSource: ses.amazonaws.com + eventName: + - VerifyEmailIdentity + timeframe: 5m + condition: selection1 and selection2 +falsepositives: + - Legitimate SES configuration activity +level: medium \ No newline at end of file From 4debb454a7894349e46c7c31a5a9b2a0b24f7b86 Mon Sep 17 00:00:00 2001 From: BlueTeamOps <1480956+blueteam0ps@users.noreply.github.com> Date: Tue, 13 Dec 2022 22:28:27 +1100 Subject: [PATCH 157/303] Delete aws_enum_logging.yml --- rules/cloud/aws/aws_enum_logging.yml | 31 ---------------------------- 1 file changed, 31 deletions(-) delete mode 100644 rules/cloud/aws/aws_enum_logging.yml diff --git a/rules/cloud/aws/aws_enum_logging.yml b/rules/cloud/aws/aws_enum_logging.yml deleted file mode 100644 index 5f37586ce..000000000 --- a/rules/cloud/aws/aws_enum_logging.yml +++ /dev/null 
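Review bot: `condition: selection1 and selection2` with `timeframe: 5m` cannot match in the classic Sigma form used here: each selection pins `eventName` to a different value and a condition without an aggregation is evaluated against a single event, so no CloudTrail record satisfies both, and `timeframe` by itself does not turn the expression into a cross-event correlation. Either split this into two single-event rules (`eventName: UpdateAccountSendingEnabled` and `eventName: VerifyEmailIdentity`) and correlate them in the SIEM, or use the aggregation syntax that `timeframe` is defined for. Note that this file, unlike its siblings in the commit, does put the service in `eventSource: ses.amazonaws.com`, and its `date: 2022/12/12` differs from the `2022/12/13` of the other four.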
@@ -1,31 +0,0 @@ -title: Enumerate Backup Configuration on AWS -id: 76255e09-755e-4675-8b6b-dbce9842cd2a -status: experimental -description: Identifies enumeration activity targeting the AWS backups -references: - - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/ -author: Janantha Marasinghe -date: 2022/12/13 -tags: - - attack.discovery - - attack.t1580 -logsource: - product: aws - service: cloudtrail -detection: - selection: - eventSource: cloudtrail - eventName: ec2.amazonaws.com - - GetPasswordData - - GetEbsEncryptionByDefault - - GetEbsDefaultKmsKeyId - - GetBucketReplication - - DescribeVolumes - - DescribeVolumesModifications - - DescribeSnapshotAttribute - - DescribeSnapshotTierStatus - - DescribeImages - condition: selection -falsepositives: - - Unknown -level: medium \ No newline at end of file From 155aa8412e05767ebbb928d762de02dc579a77bc Mon Sep 17 00:00:00 2001 From: BlueTeamOps <1480956+blueteam0ps@users.noreply.github.com> Date: Tue, 13 Dec 2022 22:28:36 +1100 Subject: [PATCH 158/303] Delete aws_enum_network.yml --- rules/cloud/aws/aws_enum_network.yml | 28 ---------------------------- 1 file changed, 28 deletions(-) delete mode 100644 rules/cloud/aws/aws_enum_network.yml diff --git a/rules/cloud/aws/aws_enum_network.yml b/rules/cloud/aws/aws_enum_network.yml deleted file mode 100644 index 1b3e0a8b4..000000000 --- a/rules/cloud/aws/aws_enum_network.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -title: Network Enumeration on AWS -id: c3d53999-4b14-4ddd-9d9b-e618c366b54d -status: experimental -description: Identifies when network enumeration is performed on AWS. -references: - - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/ -author: Janantha Marasinghe -date: 2022/12/13 -tags: - - attack.discovery - - attack.t1016 -logsource: - product: aws - service: cloudtrail -detection: - selection: - eventSource: cloudtrail - eventName: ec2.amazonaws.com - - DescribeCarrierGateways - - DescribeVpcEndpointConnectionNotifications - - DescribeTransitGatewayMulticastDomains - - DescribeClientVpnRoutes - - DescribeDhcpOptions - - GetTransitGatewayRouteTableAssociations - condition: selection -falsepositives: - - Unknown -level: low \ No newline at end of file From d2f0f6ddec4233783510d4fd297e0898c39b8aff Mon Sep 17 00:00:00 2001 From: BlueTeamOps <1480956+blueteam0ps@users.noreply.github.com> Date: Tue, 13 Dec 2022 22:28:48 +1100 Subject: [PATCH 159/303] Delete aws_enum_storage.yml --- rules/cloud/aws/aws_enum_storage.yml | 29 ---------------------------- 1 file changed, 29 deletions(-) delete mode 100644 rules/cloud/aws/aws_enum_storage.yml diff --git a/rules/cloud/aws/aws_enum_storage.yml b/rules/cloud/aws/aws_enum_storage.yml deleted file mode 100644 index f2fa2fac4..000000000 --- a/rules/cloud/aws/aws_enum_storage.yml +++ /dev/null 
@@ -1,29 +0,0 @@ -title: Storage Enumeration on AWS -id: 4723218f-2048-41f6-bcb0-417f2d784f61 -status: experimental -description: Identifies enumeration activity targeting AWS storage -references: - - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/ -author: Janantha Marasinghe -date: 2022/12/13 -tags: - - attack.discovery - - attack.t1619 -logsource: - product: aws - service: cloudtrail -detection: - selection: - eventSource: cloudtrail - eventName: s3.amazonaws.com - - ListBuckets - - GetBucketCors - - GetBucketInventoryConfiguration - - GetBucketPublicAccessBlock - - GetBucketMetricsConfiguration - - GetBucketPolicy - - GetBucketTagging - condition: selection -falsepositives: - - Unknown -level: medium \ No newline at end of file From 77accc82d780a50b190814e2cfc0b486bd7e24b7 Mon Sep 17 00:00:00 2001 From: BlueTeamOps <1480956+blueteam0ps@users.noreply.github.com> Date: Tue, 13 Dec 2022 22:29:00 +1100 Subject: [PATCH 160/303] Delete aws_ses_messaging_enabled.yml --- rules/cloud/aws/aws_ses_messaging_enabled.yml | 28 ------------------- 1 file changed, 28 deletions(-) delete mode 100644 rules/cloud/aws/aws_ses_messaging_enabled.yml diff --git a/rules/cloud/aws/aws_ses_messaging_enabled.yml b/rules/cloud/aws/aws_ses_messaging_enabled.yml deleted file mode 100644 index 52e57cf6d..000000000 --- a/rules/cloud/aws/aws_ses_messaging_enabled.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -title: Configure AWS SES To Send Messages -id: 33d50d03-20ec-4b74-a74e-1e65a38af1c0 -status: experimental -description: Identifies email sending feature is enabled for an account and the email address verification request is dispatched -references: - - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/ -author: Janantha Marasinghe -date: 2022/12/12 -tags: - - attack.t1583.006 - - attack.resource_development -logsource: - product: aws - service: cloudtrail -detection: - selection1: - eventSource: ses.amazonaws.com - eventName: - - UpdateAccountSendingEnabled - selection2: - eventSource: ses.amazonaws.com - eventName: - - VerifyEmailIdentity - timeframe: 5m - condition: selection1 and selection2 -falsepositives: - - Legitimate SES configuration activity -level: medium \ No newline at end of file From 2958fc35e586938f779b1c249a3d75884ba1954f Mon Sep 17 00:00:00 2001 From: BlueTeamOps <1480956+blueteam0ps@users.noreply.github.com> Date: Tue, 13 Dec 2022 22:29:16 +1100 Subject: [PATCH 161/303] Delete aws_delete_identity.yml --- rules/cloud/aws/aws_delete_identity.yml | 23 ----------------------- 1 file changed, 23 deletions(-) delete mode 100644 rules/cloud/aws/aws_delete_identity.yml diff --git a/rules/cloud/aws/aws_delete_identity.yml b/rules/cloud/aws/aws_delete_identity.yml deleted file mode 100644 index 16adddd41..000000000 --- a/rules/cloud/aws/aws_delete_identity.yml +++ /dev/null 
@@ -1,23 +0,0 @@ -title: Delete SES Identity -id: 20f754db-d025-4a8f-9d74-e0037e999a9a -status: experimental -description: Identifies a SES identity is deleted. This may be an indicator of an adversary removing the account that carried out suspicious or malicious activities -references: - - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/ -author: Janantha Marasinghe -date: 2022/12/13 -tags: - - attack.defense_evasion - - attack.t1070 -logsource: - product: aws - service: cloudtrail -detection: - selection: - eventSource: cloudtrail - eventName: ses.amazonaws.com - - delete-identity - condition: selection -falsepositives: - - Unknown -level: medium \ No newline at end of file From f1c53264b292553b0bbe9a5fe5fd57cbffc9a5aa Mon Sep 17 00:00:00 2001 From: BlueTeamOps <1480956+blueteam0ps@users.noreply.github.com> Date: Tue, 13 Dec 2022 22:30:28 +1100 Subject: [PATCH 162/303] Multiple AWS rules Multiple AWS rules based on https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/ --- rules/cloud/aws/aws_delete_identity.yml | 23 ++++++++++++++ rules/cloud/aws/aws_enum_logging.yml | 31 +++++++++++++++++++ rules/cloud/aws/aws_enum_network.yml | 28 +++++++++++++++++ rules/cloud/aws/aws_enum_storage.yml | 29 +++++++++++++++++ rules/cloud/aws/aws_ses_messaging_enabled.yml | 28 +++++++++++++++++ 5 files changed, 139 insertions(+) create mode 100644 rules/cloud/aws/aws_delete_identity.yml create mode 100644 rules/cloud/aws/aws_enum_logging.yml create mode 100644 rules/cloud/aws/aws_enum_network.yml create mode 100644 rules/cloud/aws/aws_enum_storage.yml create mode 100644 rules/cloud/aws/aws_ses_messaging_enabled.yml diff --git a/rules/cloud/aws/aws_delete_identity.yml b/rules/cloud/aws/aws_delete_identity.yml new file mode 100644 index 000000000..16adddd41 --- /dev/null +++ b/rules/cloud/aws/aws_delete_identity.yml 
@@ -0,0 +1,23 @@ +title: Delete SES Identity +id: 20f754db-d025-4a8f-9d74-e0037e999a9a +status: experimental +description: Identifies a SES identity is deleted. This may be an indicator of an adversary removing the account that carried out suspicious or malicious activities +references: + - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/ +author: Janantha Marasinghe +date: 2022/12/13 +tags: + - attack.defense_evasion + - attack.t1070 +logsource: + product: aws + service: cloudtrail +detection: + selection: + eventSource: cloudtrail + eventName: ses.amazonaws.com + - delete-identity + condition: selection +falsepositives: + - Unknown +level: medium \ No newline at end of file diff --git a/rules/cloud/aws/aws_enum_logging.yml b/rules/cloud/aws/aws_enum_logging.yml new file mode 100644 index 000000000..5f37586ce --- /dev/null +++ b/rules/cloud/aws/aws_enum_logging.yml @@ -0,0 +1,31 @@ +title: Enumerate Backup Configuration on AWS +id: 76255e09-755e-4675-8b6b-dbce9842cd2a +status: experimental +description: Identifies enumeration activity targeting the AWS backups +references: + - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/ +author: Janantha Marasinghe +date: 2022/12/13 +tags: + - attack.discovery + - attack.t1580 +logsource: + product: aws + service: cloudtrail +detection: + selection: + eventSource: cloudtrail + eventName: ec2.amazonaws.com + - GetPasswordData + - GetEbsEncryptionByDefault + - GetEbsDefaultKmsKeyId + - GetBucketReplication + - DescribeVolumes + - DescribeVolumesModifications + - DescribeSnapshotAttribute + - DescribeSnapshotTierStatus + - DescribeImages + condition: selection +falsepositives: + - Unknown +level: medium \ No newline at end of file diff --git a/rules/cloud/aws/aws_enum_network.yml b/rules/cloud/aws/aws_enum_network.yml new file mode 100644 index 000000000..1b3e0a8b4 --- /dev/null +++ b/rules/cloud/aws/aws_enum_network.yml 
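Review bot: The `detection.selection` block in aws_delete_identity.yml has the CloudTrail fields swapped: `eventSource: cloudtrail` is not an eventSource value (CloudTrail records the service endpoint there, e.g. `ses.amazonaws.com`), and the `- delete-identity` item nested under the scalar `eventName: ses.amazonaws.com` is not a YAML sequence — depending on the exact indentation it is either folded into that string or a parse error — so the selection can never match a real event. `delete-identity` is also the CLI spelling; CloudTrail logs the API operation name, so the block should read `eventSource: ses.amazonaws.com` and `eventName: DeleteIdentity` (confirm against a captured record). The same swapped structure is in aws_enum_logging.yml in this hunk and in aws_enum_network.yml and aws_enum_storage.yml in the next one, where the API lists belong under `eventName` and the `*.amazonaws.com` value under `eventSource`. In aws_enum_logging.yml, `GetBucketReplication` is an S3 operation that will not appear with an EC2 eventSource, and the file name (`enum_logging`) matches neither the title (`Enumerate Backup Configuration on AWS`) nor the tag `attack.t1580`; reconcile the list and the naming before merging.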
@@ -0,0 +1,28 @@ +title: Network Enumeration on AWS +id: c3d53999-4b14-4ddd-9d9b-e618c366b54d +status: experimental +description: Identifies when network enumeration is performed on AWS. +references: + - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/ +author: Janantha Marasinghe +date: 2022/12/13 +tags: + - attack.discovery + - attack.t1016 +logsource: + product: aws + service: cloudtrail +detection: + selection: + eventSource: cloudtrail + eventName: ec2.amazonaws.com + - DescribeCarrierGateways + - DescribeVpcEndpointConnectionNotifications + - DescribeTransitGatewayMulticastDomains + - DescribeClientVpnRoutes + - DescribeDhcpOptions + - GetTransitGatewayRouteTableAssociations + condition: selection +falsepositives: + - Unknown +level: low \ No newline at end of file diff --git a/rules/cloud/aws/aws_enum_storage.yml b/rules/cloud/aws/aws_enum_storage.yml new file mode 100644 index 000000000..f2fa2fac4 --- /dev/null +++ b/rules/cloud/aws/aws_enum_storage.yml @@ -0,0 +1,29 @@ +title: Storage Enumeration on AWS +id: 4723218f-2048-41f6-bcb0-417f2d784f61 +status: experimental +description: Identifies enumeration activity targeting AWS storage +references: + - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/ +author: Janantha Marasinghe +date: 2022/12/13 +tags: + - attack.discovery + - attack.t1619 +logsource: + product: aws + service: cloudtrail +detection: + selection: + eventSource: cloudtrail + eventName: s3.amazonaws.com + - ListBuckets + - GetBucketCors + - GetBucketInventoryConfiguration + - GetBucketPublicAccessBlock + - GetBucketMetricsConfiguration + - GetBucketPolicy + - GetBucketTagging + condition: selection +falsepositives: + - Unknown +level: medium \ No newline at end of file diff --git a/rules/cloud/aws/aws_ses_messaging_enabled.yml b/rules/cloud/aws/aws_ses_messaging_enabled.yml new file mode 100644 index 000000000..52e57cf6d --- /dev/null +++ b/rules/cloud/aws/aws_ses_messaging_enabled.yml 
@@ -0,0 +1,28 @@ +title: Configure AWS SES To Send Messages +id: 33d50d03-20ec-4b74-a74e-1e65a38af1c0 +status: experimental +description: Identifies email sending feature is enabled for an account and the email address verification request is dispatched +references: + - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/ +author: Janantha Marasinghe +date: 2022/12/12 +tags: + - attack.t1583.006 + - attack.resource_development +logsource: + product: aws + service: cloudtrail +detection: + selection1: + eventSource: ses.amazonaws.com + eventName: + - UpdateAccountSendingEnabled + selection2: + eventSource: ses.amazonaws.com + eventName: + - VerifyEmailIdentity + timeframe: 5m + condition: selection1 and selection2 +falsepositives: + - Legitimate SES configuration activity +level: medium \ No newline at end of file From ad55efd25f4612b3c884f7dc86a289d61dcca38c Mon Sep 17 00:00:00 2001 From: securepeacock <92804416+securepeacock@users.noreply.github.com> Date: Tue, 13 Dec 2022 09:50:43 -0500 Subject: [PATCH 163/303] Update proc_creation_win_susp_runonce_execution.yml Added coverage for a new procedure identified here: https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA --- .../proc_creation_win_susp_runonce_execution.yml | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_susp_runonce_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_runonce_execution.yml index adfda748c..da7c289fe 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_runonce_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_runonce_execution.yml 
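Review bot: `condition: selection1 and selection2` together with `timeframe: 5m` does not correlate two events: a plain `and` is evaluated on a single record, and no CloudTrail record carries both `UpdateAccountSendingEnabled` and `VerifyEmailIdentity` as its eventName, so this rule can never fire. `timeframe` only takes effect with an aggregation expression; the pairing can be expressed as, e.g., `condition: (selection1 or selection2) | count(eventName) by userIdentity.arn > 1`, or the two selections can be split into two single-event rules. Both `eventName` lists also hold a single value and can be plain scalars, which is the form the rest of this series uses.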
@@ -5,9 +5,10 @@ description: This rule detects the execution of Run Once task as configured in t references: - https://twitter.com/pabraeken/status/990717080805789697 - https://lolbas-project.github.io/lolbas/Binaries/Runonce/ -author: 'Avneet Singh @v3t0_, oscd.community' + - https://twitter.com/0gtweet/status/1602644163824156672?s=20&t=kuxbUnZPltpvFPZdCrqPXA +author: 'Avneet Singh @v3t0_, oscd.community, Christopher Peacock @SecurePeacock (updated)' date: 2020/10/18 -modified: 2022/07/11 +modified: 2022/12/13 tags: - attack.defense_evasion - attack.t1112 @@ -19,8 +20,13 @@ detection: - Image|endswith: '\runonce.exe' - Description: 'Run Once Wrapper' selection_cli: - CommandLine|contains: ' /AlternateShellStartup' - condition: all of selection* + CommandLine|contains: + - '/AlternateShellStartup' + - '/r' + filter: + CommandLine|contains: + - '/Run6432' + condition: all of selection* and not filter falsepositives: - Unknown level: low From af3857b42f319ca4820100a2f7f681436b791df7 Mon Sep 17 00:00:00 2001 From: securepeacock <92804416+securepeacock@users.noreply.github.com> Date: Tue, 13 Dec 2022 10:27:21 -0500 Subject: [PATCH 164/303] Update proc_creation_win_susp_runonce_execution.yml --- .../proc_creation_win_susp_runonce_execution.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_susp_runonce_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_runonce_execution.yml index da7c289fe..8db6cb610 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_runonce_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_runonce_execution.yml @@ -24,8 +24,7 @@ detection: - '/AlternateShellStartup' - '/r' filter: - CommandLine|contains: - - '/Run6432' + CommandLine|contains: '/Run6432' condition: all of selection* and not filter falsepositives: - Unknown From fea413849b185ed23a880f72f8744c4c727f9cb8 Mon Sep 17 00:00:00 2001 
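Review bot: `- '/r'` under `CommandLine|contains` matches any runonce.exe command line containing those two characters anywhere, including the legitimate `/Run6432` re-launch the new `filter` then has to exclude (Sigma string matching is case-insensitive) and any other `/r…` switch, so the filter is compensating for an over-broad selection rather than excluding a true FP. Anchoring the switch instead, `CommandLine|endswith: '/r'` or a `|re` pattern with a boundary after the `r`, would not need the filter at all; PATCH 172 later in this series does move to `endswith`. The enclosing `detection` block starts outside the hunk.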
From: securepeacock <92804416+securepeacock@users.noreply.github.com> Date: Tue, 13 Dec 2022 11:12:55 -0500 Subject: [PATCH 165/303] Update proc_creation_win_susp_runonce_execution.yml --- .../proc_creation_win_susp_runonce_execution.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_susp_runonce_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_runonce_execution.yml index 8db6cb610..be345e8d1 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_runonce_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_runonce_execution.yml @@ -24,7 +24,9 @@ detection: - '/AlternateShellStartup' - '/r' filter: - CommandLine|contains: '/Run6432' + CommandLine|contains: + - '/Run6432' + - '/RunOnce6432' condition: all of selection* and not filter falsepositives: - Unknown From fd76082c142b8671f13d1dafdf694c41ee1439dc Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Tue, 13 Dec 2022 18:26:42 +0100 Subject: [PATCH 166/303] Apply suggestions from code review Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> --- .../image_load/image_load_side_load_classicexplorer32.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/image_load/image_load_side_load_classicexplorer32.yml b/rules/windows/image_load/image_load_side_load_classicexplorer32.yml index ee43824ed..04b3c3755 100644 --- a/rules/windows/image_load/image_load_side_load_classicexplorer32.yml +++ b/rules/windows/image_load/image_load_side_load_classicexplorer32.yml 
@@ -1,7 +1,7 @@ -title: ClassicExplorer32 DLL Sideloading +title: Potential DLL Sideloading Via ClassicExplorer32.dll id: caa02837-f659-466f-bca6-48bde2826ab4 status: experimental -description: Detects DLL sideloading of DLLs classic Windows Explorer features +description: Detects potential DLL sideloading using ClassicExplorer32.dll from the Classic Shell software references: - https://blogs.blackberry.com/en/2022/12/mustang-panda-uses-the-russian-ukrainian-war-to-attack-europe-and-asia-pacific-targets - https://app.any.run/tasks/6d8cabb0-dcda-44b6-8050-28d6ce281687/ @@ -20,7 +20,7 @@ detection: selection_classicexplorer: ImageLoaded|endswith: '\ClassicExplorer32.dll' filter_classicexplorer: - ImageLoaded|startswith: ' C:\Program Files\Classic Shell\' + ImageLoaded|startswith: 'C:\Program Files\Classic Shell\' condition: selection_classicexplorer and not filter_classicexplorer falsepositives: - Unknown From ca74357016e9f5de6fe31f27cfa124de5c458c78 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 13 Dec 2022 18:42:21 +0100 Subject: [PATCH 167/303] fix: enhance logic and metadata --- ..._cve_2021_26084_confluence_rce_exploit.yml | 38 +++++++++---------- 1 file changed, 18 insertions(+), 20 deletions(-) diff --git a/rules/web/web_cve_2021_26084_confluence_rce_exploit.yml b/rules/web/web_cve_2021_26084_confluence_rce_exploit.yml index f3579c5eb..a22076843 100644 --- a/rules/web/web_cve_2021_26084_confluence_rce_exploit.yml +++ b/rules/web/web_cve_2021_26084_confluence_rce_exploit.yml 
@@ -1,35 +1,33 @@ -title: Atlassian Confluence RCE Exploit CVE-2021-26084 +title: Potential CVE-2021-26084 Exploitation Attempt id: 38825179-3c78-4fed-b222-2e2166b926b1 -description: Detects CVE-2021-260841 Confluence Server Webwork OGNL injection +description: Detects potential exploitation of CVE-2021-260841 a Confluence RCE using OGNL injection status: experimental references: - https://github.com/TesterCC/exp_poc_library/blob/master/exp_poc/CVE-2021-26084_Confluence_OGNL_injection/CVE-2021-26084.md - https://github.com/httpvoid/writeups/blob/main/Confluence-RCE.md - https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html + - https://mraddon.blog/2017/03/20/confluence-trick-to-create-pages-from-blueprint-templates/ author: Sittikorn S, Nuttakorn T -date: 2021/09/01 +date: 2022/12/13 tags: -- attack.initial_access -- attack.t1190 + - attack.initial_access + - attack.t1190 logsource: category: webserver detection: - selection_exploit: + selection_main: cs-method: 'POST' sc-status: '200' - c-uri|contains: - - '/pages/createpage-entervariables.action?SpaceKey=x' - selection_req: - cs-method: 'POST' - sc-status: '200' - c-uri|contains: - - '/doenterpagevariables.action' - keywords: - - 'u0027' - condition: selection_exploit or (selection_req and keywords) -fields: - - c-ip - - c-uri + username: 'anonymous' # This string is used to reduce possible FP you could remove it to get authenticated attempts + selection_exploit_1: + c-uri|contains|all: + - '/pages/createpage-entervariables.action' + - 'SpaceKey=x' # This URI assume that you can't have a space ID of "X" + selection_exploit_2_uri: + c-uri|contains: '/doenterpagevariables.action' + selection_exploit_2_keyword: + - 'u0027' # This string should appear in the post body as a value of the parameter "queryString" + condition: selection_main and (selection_exploit_1 or all of selection_exploit_2_*) falsepositives: - Unknown -level: critical +level: high 
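Review bot: The new `description` line still carries the mistyped identifier `CVE-2021-260841` (an extra digit) while the `title` says `CVE-2021-26084`; change it to `description: Detects potential exploitation of CVE-2021-26084, a Confluence RCE using OGNL injection`. The hunk also overwrites `date: 2021/09/01` with `date: 2022/12/13` instead of keeping the creation date and adding `modified: 2022/12/13`, which loses rule provenance if the rule was already published. Lastly, `selection_main` requires `sc-status: '200'`, so a rule titled "Exploitation Attempt" only sees attempts that succeeded; dropping the status constraint, or keeping it only for a higher-severity variant, would also capture failed attempts.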
From 287916fa8b010824b91111623a20c610cafaed46 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 13 Dec 2022 23:49:58 +0100 Subject: [PATCH 168/303] fix: update logic --- .../proc_creation_win_bitsadmin_download_susp_ip.yml | 9 +++++++-- ...creation_win_bitsadmin_download_susp_targetfolder.yml | 5 ++++- ...tion_win_bitsadmin_download_uncommon_targetfolder.yml | 1 + 3 files changed, 12 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ip.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ip.yml index c22ab4171..ed27eae69 100644 --- a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ip.yml +++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_ip.yml @@ -6,9 +6,10 @@ references: - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin - https://isc.sans.edu/diary/22264 - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/ + - https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/ author: Florian Roth date: 2022/06/28 -modified: 2022/11/11 +modified: 2022/12/13 tags: - attack.defense_evasion - attack.persistence @@ -47,7 +48,11 @@ detection: - 'https://7' - 'https://8' - 'https://9' - condition: all of selection_* + filter: + CommandLine|contains: + - 'https://7-' # For https://7-zip.org/ + - 'http://7-' + condition: all of selection_* and not filter fields: - CommandLine - ParentCommandLine diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml index c465cbada..5d8e61ee1 100644 --- a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml +++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_susp_targetfolder.yml 
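Review bot: The new `filter` in proc_creation_win_bitsadmin_download_susp_ip.yml exempts every URL whose host starts with `7-`, not just 7-zip.org; since a dotted-decimal IP literal can never contain a hyphen, a tighter and self-documenting exclusion is `- 'https://7-zip.org/'` and `- 'http://7-zip.org/'`. The root cause is that `'https://7'` and its siblings in the selection match host names as well as IP literals; a `CommandLine|re` pattern such as `https?://[0-9]{1,3}\.` would match only a numeric first octet and make the filter unnecessary. The `selection_*` list being filtered starts outside the hunk.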
@@ -6,9 +6,10 @@ references: - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin - https://isc.sans.edu/diary/22264 - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/ + - https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/ author: Florian Roth date: 2022/06/28 -modified: 2022/11/11 +modified: 2022/12/13 tags: - attack.defense_evasion - attack.persistence @@ -32,6 +33,8 @@ detection: - 'C:\Users\Public\' - '%public%' - '\Desktop\' + - 'C:\Temp' + - 'C:\Perflogs' condition: all of selection_* fields: - CommandLine diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml index c2952164f..48f738718 100644 --- a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml +++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml @@ -6,6 +6,7 @@ references: - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin - https://isc.sans.edu/diary/22264 - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/ + - https://blog.talosintelligence.com/breaking-the-silence-recent-truebot-activity/ author: Florian Roth date: 2022/06/28 modified: 2022/11/11 From 5dc48bd3e029861eebbc5fa99ab6887762967934 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 14 Dec 2022 10:32:11 +0100 Subject: [PATCH 169/303] fix: add missing modified field --- .../windows/proc_creation_win_nslookup_pwsh_download_cradle.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules-deprecated/windows/proc_creation_win_nslookup_pwsh_download_cradle.yml b/rules-deprecated/windows/proc_creation_win_nslookup_pwsh_download_cradle.yml index 59ae7f8c2..edd810bf5 100644 --- a/rules-deprecated/windows/proc_creation_win_nslookup_pwsh_download_cradle.yml 
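Review bot: The added entries `'C:\Temp'` and `'C:\Perflogs'` have no trailing backslash, unlike the neighbouring `'C:\Users\Public\'` and `'\Desktop\'`, so they also match any folder whose name merely starts with those strings (`C:\TempData\`, `C:\PerfLogsArchive\`); write them as `- 'C:\Temp\'` and `- 'C:\Perflogs\'`. The enclosing selection list starts outside the hunk.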
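Review bot: proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml gains the same Talos reference as its two siblings in this commit but keeps `modified: 2022/11/11`, whereas the siblings bump it to `2022/12/13`. Add `modified: 2022/12/13` here as well so the three rules stay consistent.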
+++ b/rules-deprecated/windows/proc_creation_win_nslookup_pwsh_download_cradle.yml @@ -6,6 +6,7 @@ references: - https://twitter.com/alh4zr3d/status/1566489367232651264 author: Zach Mathis (@yamatosecurity) date: 2022/09/06 +modified: 2022/12/14 # Deprecation date tags: - attack.command_and_control - attack.t1105 From 41fcd73fad014bc8e8f29638aff0235969e0c5c8 Mon Sep 17 00:00:00 2001 From: Veramine Date: Wed, 14 Dec 2022 02:06:40 -0800 Subject: [PATCH 170/303] Add System to list of built-in Windows processes --- .../process_creation/proc_creation_win_susp_non_exe_image.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml b/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml index 5d35e391a..54ad4d29a 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml @@ -6,7 +6,7 @@ references: - https://pentestlaboratories.com/2021/12/08/process-ghosting/ author: Max Altgelt date: 2021/12/09 -modified: 2022/11/10 +modified: 2022/12/14 tags: - attack.defense_evasion logsource: @@ -21,6 +21,7 @@ detection: Image: null filter_image: # Windows utilities without extension Image: + - 'System' - 'Registry' - 'MemCompression' - 'vmmem' From 8a529a14c09eb2f12bfeddcb7ba4a27d046f0883 Mon Sep 17 00:00:00 2001 From: Veramine Date: Wed, 14 Dec 2022 02:08:30 -0800 Subject: [PATCH 171/303] Add System to list of built-in Windows processes with no extension --- .../process_creation/proc_creation_win_susp_image_missing.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml b/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml index 035bc209d..749b17f76 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml 
+++ b/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml @@ -23,10 +23,12 @@ detection: - '' filter_4688: - Image: + - 'System' - 'Registry' - 'MemCompression' - 'vmmem' - CommandLine: + - 'System' - 'Registry' - 'MemCompression' - 'vmmem' From a848537bac542f503168a705207d64d73ea6c09a Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 14 Dec 2022 11:09:35 +0100 Subject: [PATCH 172/303] fix: update commandline selection --- .../proc_creation_win_susp_runonce_execution.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_susp_runonce_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_runonce_execution.yml index be345e8d1..750b7a738 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_runonce_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_runonce_execution.yml @@ -20,9 +20,8 @@ detection: - Image|endswith: '\runonce.exe' - Description: 'Run Once Wrapper' selection_cli: - CommandLine|contains: - - '/AlternateShellStartup' - - '/r' + - CommandLine|contains: '/AlternateShellStartup' + - CommandLine|endswith: '/r' filter: CommandLine|contains: - '/Run6432' From d8e29c80fae1c23e13d11898f5f9bb9f251598b1 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 14 Dec 2022 11:09:46 +0100 Subject: [PATCH 173/303] fix: remove filter --- .../proc_creation_win_susp_runonce_execution.yml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_susp_runonce_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_runonce_execution.yml index 750b7a738..61195b186 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_runonce_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_runonce_execution.yml 
@@ -22,11 +22,7 @@ detection: selection_cli: - CommandLine|contains: '/AlternateShellStartup' - CommandLine|endswith: '/r' - filter: - CommandLine|contains: - - '/Run6432' - - '/RunOnce6432' - condition: all of selection* and not filter + condition: all of selection_* falsepositives: - Unknown level: low From 6540ca0ed97665e5e396ef839756aba6d7fb865b Mon Sep 17 00:00:00 2001 From: Veramine Date: Wed, 14 Dec 2022 02:13:53 -0800 Subject: [PATCH 174/303] Update modified date --- .../process_creation/proc_creation_win_susp_image_missing.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml b/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml index 749b17f76..56b118c9d 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml @@ -6,7 +6,7 @@ references: - https://pentestlaboratories.com/2021/12/08/process-ghosting/ author: Max Altgelt date: 2021/12/09 -modified: 2022/09/20 +modified: 2022/12/14 tags: - attack.defense_evasion logsource: From a6a41eae8f3d63c2d38961426540be9adb36fb56 Mon Sep 17 00:00:00 2001 From: Veramine Date: Wed, 14 Dec 2022 02:25:21 -0800 Subject: [PATCH 175/303] Removed System from CommandLine --- .../process_creation/proc_creation_win_susp_image_missing.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml b/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml index 56b118c9d..fa68132c9 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml @@ -28,7 +28,6 @@ detection: - 'MemCompression' - 'vmmem' - CommandLine: - - 'System' - 'Registry' - 'MemCompression' - 'vmmem' From 232d7f840ac2d58a0806785e72694f914e756fda Mon Sep 17 00:00:00 2001 
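Review bot: `condition: all of selection_*` replaces `all of selection*`; the image/description selection that must pair with `selection_cli` starts outside this hunk, so it needs the `selection_` prefix too — otherwise the glob silently matches only `selection_cli` and the rule fires on every process whose command line ends in `/r`. Removing the `/Run6432` filter is consistent with the `CommandLine|endswith: '/r'` change from PATCH 172, since that anchored match no longer hits the `/Run6432` wrapper launch.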
From: Florian Roth Date: Wed, 14 Dec 2022 13:05:58 +0100 Subject: [PATCH 176/303] fix: FPs noticed with Aurora --- .../image_load/image_load_susp_vss_dll_load.yml | 2 ++ ..._set_asep_reg_keys_modification_wow6432node.yml | 14 ++++++++------ 2 files changed, 10 insertions(+), 6 deletions(-) diff --git a/rules/windows/image_load/image_load_susp_vss_dll_load.yml b/rules/windows/image_load/image_load_susp_vss_dll_load.yml index 94cbfed76..6f05a265b 100644 --- a/rules/windows/image_load/image_load_susp_vss_dll_load.yml +++ b/rules/windows/image_load/image_load_susp_vss_dll_load.yml @@ -6,6 +6,7 @@ references: - https://github.com/ORCx41/DeleteShadowCopies author: frack113 date: 2022/10/31 +modified: 2022/12/14 tags: - attack.defense_evasion - attack.impact @@ -23,6 +24,7 @@ detection: - 'C:\Windows\' - 'C:\Program Files\' - 'C:\Program Files (x86)\' + - 'C:\ProgramData\Package Cache\' condition: selection and not 1 of filter_* falsepositives: - Unknown diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml index 4a79e6514..72e95dc08 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml @@ -12,7 +12,7 @@ references: - https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/ author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) date: 2019/10/25 -modified: 2022/11/01 +modified: 2022/12/14 tags: - attack.persistence - attack.t1547.001 
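Review bot: `'C:\ProgramData\Package Cache\'` is a broad exclusion for a rule about suspicious VSS DLL loads: the `ProgramData` tree is typically writable by unprivileged users, so any binary dropped under a `Package Cache\{GUID}\` folder would be filtered out together with the .NET installers the commit is targeting. Pairing the path with the installer file-name prefixes the commit already knows about (for instance `Image|contains` entries such as `'\windowsdesktop-runtime-'` or `'\dotnet-sdk-'`) would keep the FP fix without trusting the whole directory. The same trust-by-path concern applies to `filter_upgrades` in registry_set_asep_reg_keys_modification_wow6432node.yml in the next hunk. The enclosing `filter_*` block starts outside the hunk.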
@@ -65,8 +65,7 @@ detection: - '\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{e2d1ae32-dd1d-4ad7-a298-10e42e7840fc}' - '\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{7037b699-7382-448c-89a7-4765961d2537}' Details|startswith: - - '"C:\ProgramData\Package Cache\{7037b699-7382-448c-89a7-4765961d2537}\windowsdesktop-runtime-' - - '"C:\ProgramData\Package Cache\{e2d1ae32-dd1d-4ad7-a298-10e42e7840fc}\windowsdesktop-runtime-' + - '"C:\ProgramData\Package Cache\' Details|endswith: '.exe" /burn.runonce' filter_office: Image|startswith: @@ -78,12 +77,15 @@ detection: filter_vcredist: Image|endswith: '\VC_redist.x64.exe' Details|endswith: '}\VC_redist.x64.exe" /burn.runonce' - filter_winsdk: + filter_upgrades: Image|startswith: - 'C:\ProgramData\Package Cache' - 'C:\Windows\Temp\' - Image|endswith: '\winsdksetup.exe' - Details|endswith: '\winsdksetup.exe" /burn.runonce' + Image|contains: + - '\winsdksetup.exe' + - '\windowsdesktop-runtime-' # C:\WINDOWS\Temp\{751E2E78-46DC-4376-9205-99219CDC34AE}\.be\windowsdesktop-runtime-6.0.12-win-x86.exe + - '\AspNetCoreSharedFrameworkBundle-' # "C:\ProgramData\Package Cache\{b52191c1-a9c0-4b34-9a4e-930c2dd8a540}\AspNetCoreSharedFrameworkBundle-x86.exe" /burn.runonce + Details|endswith: ' /burn.runonce' condition: all of wow_current_version_* and not 1 of filter_* fields: - SecurityID From 7365e12478da009186a232468e5784e9d6632cf2 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 14 Dec 2022 13:08:10 +0100 Subject: [PATCH 177/303] docs: explanation for filter --- rules/windows/image_load/image_load_susp_vss_dll_load.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/rules/windows/image_load/image_load_susp_vss_dll_load.yml b/rules/windows/image_load/image_load_susp_vss_dll_load.yml index 6f05a265b..c3914694b 100644 --- a/rules/windows/image_load/image_load_susp_vss_dll_load.yml +++ b/rules/windows/image_load/image_load_susp_vss_dll_load.yml 
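Review bot: In `filter_upgrades`, the `Image|startswith` entry `'C:\ProgramData\Package Cache'` lacks the trailing backslash that the sibling `'C:\Windows\Temp\'` and the `Details|startswith: '"C:\ProgramData\Package Cache\'` value carry, so it also matches e.g. `C:\ProgramData\Package CacheX\…`; write it as `- 'C:\ProgramData\Package Cache\'`. The inline comments with full example paths are useful, but the `Details|endswith` loosened from the specific `'\winsdksetup.exe" /burn.runonce'` to `' /burn.runonce'` now relies entirely on the `Image|contains` fragments to stay specific, which is worth stating in a comment above the filter. The single-element `Details|startswith` list in the first hunk is fixed by PATCH 179 later in the series.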
@@ -24,6 +24,12 @@ detection: - 'C:\Windows\' - 'C:\Program Files\' - 'C:\Program Files (x86)\' + # The following filter is required because of many FPs cause by : + # C:\ProgramData\Package Cache\{10c6cfdc-27af-43fe-bbd3-bd20aae88451}\dotnet-sdk-3.1.425-win-x64.exe + # C:\ProgramData\Package Cache\{b9cfa33e-ace4-49f4-8bb4-82ded940990a}\windowsdesktop-runtime-6.0.11-win-x86.exe + # C:\ProgramData\Package Cache\{50264ff2-ad47-4569-abc4-1c350f285fb9}\aspnetcore-runtime-6.0.11-win-x86.exe + # C:\ProgramData\Package Cache\{2dcef8c3-1563-4149-a6ec-5b6c98500d7d}\dotnet-sdk-6.0.306-win-x64.exe + # etc. - 'C:\ProgramData\Package Cache\' condition: selection and not 1 of filter_* falsepositives: From 643a06766e74ef3e7c0313520285e36dbd869c26 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 14 Dec 2022 13:21:54 +0100 Subject: [PATCH 178/303] fix: FP with NVIDIA driver installation --- .../create_remote_thread_win_susp_remote_thread_source.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_source.yml b/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_source.yml index be58155f7..fd56e9755 100644 --- a/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_source.yml +++ b/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_source.yml @@ -10,7 +10,7 @@ references: - https://lolbas-project.github.io author: Perez Diego (@darkquassar), oscd.community date: 2019/10/27 -modified: 2022/08/26 +modified: 2022/12/14 tags: - attack.privilege_escalation - attack.defense_evasion 
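Review bot: The added comment has a grammar slip, `FPs cause by` should be `FPs caused by`, and it would help a later maintainer to state that this is a path-only exclusion, e.g. `# Path-only exclusion: everything under this tree is ignored; tighten with the installer name prefixes below if FPs allow`. Since the comment already enumerates the legitimate installer names (dotnet-sdk-, windowsdesktop-runtime-, aspnetcore-runtime-), those prefixes are the natural candidates for an additional `Image|contains` constraint if the exclusion ever needs narrowing. The filter field these values belong to is outside the hunk.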
@@ -95,6 +95,9 @@ detection:
 - 'C:\Windows\System32\schtasks.exe'
 - 'C:\Windows\SysWOW64\schtasks.exe'
 TargetImage: 'C:\Windows\System32\conhost.exe'
+ filter_nvidia:
+ SourceImage: 'C:\Windows\explorer.exe'
+ TargetImage: 'C:\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA GeForce Experience.exe'
 condition: selection and not filter*
 fields:
 - ComputerName
From c98e9ec3cc9c62c35609d935719825786d4c708e Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 14 Dec 2022 13:23:28 +0100
Subject: [PATCH 179/303] fix: list with one element issue
---
 .../registry_set_asep_reg_keys_modification_wow6432node.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml
index 72e95dc08..b575c0acf 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml
@@ -64,8 +64,7 @@ detection:
 TargetObject|endswith:
 - '\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{e2d1ae32-dd1d-4ad7-a298-10e42e7840fc}'
 - '\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{7037b699-7382-448c-89a7-4765961d2537}'
- Details|startswith:
- - '"C:\ProgramData\Package Cache\'
+ Details|startswith: '"C:\ProgramData\Package Cache\'
 Details|endswith: '.exe" /burn.runonce'
 filter_office:
 Image|startswith:
From b41ba894e5b4c07691b20c7c0252350e6c308d85 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 14 Dec 2022 15:37:28 +0100 Subject: [PATCH 180/303] fix: rename rule to follow convention --- ...ss_shtinkering.yml => proc_creation_win_lsass_shtinkering.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/windows/process_creation/{proc_creation_lsass_shtinkering.yml => proc_creation_win_lsass_shtinkering.yml} (100%) diff --git a/rules/windows/process_creation/proc_creation_lsass_shtinkering.yml b/rules/windows/process_creation/proc_creation_win_lsass_shtinkering.yml similarity index 100% rename from rules/windows/process_creation/proc_creation_lsass_shtinkering.yml rename to rules/windows/process_creation/proc_creation_win_lsass_shtinkering.yml From d6d41c12d184d4727d95f30b570f53b7fc934956 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 14 Dec 2022 15:37:46 +0100 Subject: [PATCH 181/303] feat: new rule related to using type as lolbin --- .../proc_creation_win_lolbin_type.yml | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 rules/windows/process_creation/proc_creation_win_lolbin_type.yml diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_type.yml b/rules/windows/process_creation/proc_creation_win_lolbin_type.yml new file mode 100644 index 000000000..f52f1e88b --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_lolbin_type.yml 
@@ -0,0 +1,28 @@
+title: Potential Download/Upload Activity Using Type Command
+id: aa0b3a82-eacc-4ec3-9150-b5a9a3e3f82f
+status: experimental
+description: Detects usage of the "type" command to download/upload data from WebDAV server
+references:
+ - https://mr0range.com/a-new-lolbin-using-the-windows-type-command-to-upload-download-files-81d7b6179e22
+author: Nasreddine Bencherchali
+date: 2022/12/14
+tags:
+ - attack.command_and_control
+ - attack.t1105
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ # Note that since built in CMD commands do not trigger a process creation. This would be detected only if used in a "/c" command
+ selection_upload:
+ CommandLine|contains|all:
+ - 'type '
+ - ' > \\\\'
+ selection_download:
+ CommandLine|contains|all:
+ - 'type \\\\'
+ - ' > ' # Space are added to increase atom length and speed up matching. If your backend can handle this remove the space
+ condition: 1 of selection_*
+falsepositives:
+ - Unknown
+level: medium
From 79e83766eb77d92213e8d34a31e87aa52c5c6165 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 14 Dec 2022 16:52:04 +0100
Subject: [PATCH 182/303] feat: update ldap rule with additional strings
---
 rules/windows/builtin/ldap/win_ldap_recon.yml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/rules/windows/builtin/ldap/win_ldap_recon.yml b/rules/windows/builtin/ldap/win_ldap_recon.yml
index b7ff1f8b5..b9ffd061d 100644
--- a/rules/windows/builtin/ldap/win_ldap_recon.yml
+++ b/rules/windows/builtin/ldap/win_ldap_recon.yml
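Review bot: The comment above `selection_upload` is a sentence fragment (`Note that since built in CMD commands do not trigger a process creation. This would be detected only if used in a "/c" command`), and it is the one place that explains the rule's coverage gap; suggest `# Built-in CMD commands do not create a process, so "type" is only visible here when it is passed to cmd.exe (e.g. via "/c"); an interactive "type" is not detected.`. Both selections also check their two substrings independently anywhere in the command line — each requires a UNC-style `\\` token, but the `type ` and ` > ` halves need not be adjacent to it — so `falsepositives: Unknown` is optimistic; naming the expected benign pattern (scripts and batch files that redirect `type` output to a share) there would help tuning.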
@@ -1,14 +1,15 @@
-title: LDAP Reconnaissance / Active Directory Enumeration
+title: Potential Active Directory Reconnaissance/Enumeration
 id: 31d68132-4038-47c7-8f8e-635a39a7c174
 status: test
-description: Detects possible Active Directory enumeration via LDAP
+description: Detects potential Active Directory enumeration via LDAP
 references:
 - https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726
 - https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1
 - https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs
+ - https://medium.com/falconforce/falconfriday-detecting-active-directory-data-collection-0xff21-c22d1a57494c
 author: Adeem Mawani
 date: 2021/06/22
-modified: 2022/10/09
+modified: 2022/12/14
 tags:
 - attack.discovery
 - attack.t1069.002
@@ -51,6 +52,8 @@ detection:
 - '(primaryGroupID=515)'
 - '(primaryGroupID=512)'
 - 'Domain Admins'
+ - 'objectGUID=\*'
+ - '(schemaIDGUID=\*)'
 suspicious_flag:
 EventID: 30
 SearchFilter|contains:
From c7e772eff9d858a4e526f2c02c35eefe6ab2dd70 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Wed, 14 Dec 2022 19:24:32 +0100
Subject: [PATCH 183/303] Add image_load_side_load_jsschhlp
---
 .../image_load_side_load_jsschhlp.yml | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 rules/windows/image_load/image_load_side_load_jsschhlp.yml
diff --git a/rules/windows/image_load/image_load_side_load_jsschhlp.yml b/rules/windows/image_load/image_load_side_load_jsschhlp.yml
new file mode 100644
index 000000000..2be0ab53d
--- /dev/null
+++ b/rules/windows/image_load/image_load_side_load_jsschhlp.yml
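Review bot: The two new search strings in the second hunk are written inconsistently: `objectGUID=\*` has no surrounding parentheses while `(schemaIDGUID=\*)` does, so the first also matches any attribute name that merely ends in `objectGUID`, whereas the second only matches that exact filter term. If the asymmetry is deliberate, an inline comment on `- 'objectGUID=\*'` saying so would keep someone from "fixing" it; otherwise `- '(objectGUID=\*)'` keeps the list uniform. The `SearchFilter|contains` list these are appended to starts before the hunk.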
@@ -0,0 +1,26 @@
+title: Potential DLL Sideloading Via JsSchHlp
+id: 68654bf0-4412-43d5-bfe8-5eaa393cd939
+status: experimental
+description: Detects potential DLL sideloading using JUSTSYSTEMS Japanese word processor
+references:
+ - https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/
+author: frack113
+date: 2022/12/14
+tags:
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1574.001
+ - attack.t1574.002
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ ImageLoaded|endswith: '\JSESPR.dll'
+ filter:
+ ImageLoaded|startswith: 'C:\Program Files\Common Files\Justsystem\JsSchHlp\'
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: medium
From ec63adb32f06fde2e9fceab7f7af438425711080 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 14 Dec 2022 23:12:23 +0100
Subject: [PATCH 184/303] fix: update title
---
 rules/windows/builtin/ldap/win_ldap_recon.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/builtin/ldap/win_ldap_recon.yml b/rules/windows/builtin/ldap/win_ldap_recon.yml
index b9ffd061d..d9d3365e3 100644
--- a/rules/windows/builtin/ldap/win_ldap_recon.yml
+++ b/rules/windows/builtin/ldap/win_ldap_recon.yml
@@ -1,4 +1,4 @@
-title: Potential Active Directory Reconnaissance/Enumeration
+title: Potential Active Directory Reconnaissance/Enumeration Via LDAP
 id: 31d68132-4038-47c7-8f8e-635a39a7c174
 status: test
 description: Detects potential Active Directory enumeration via LDAP
From cc658743e640fe18f4da89b2ab9e00642da58190 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 14 Dec 2022 23:25:13 +0100
Subject: [PATCH 185/303] fix: add additional reference
---
 rules/windows/image_load/image_load_side_load_jsschhlp.yml | 1 +
 1 file changed, 1 insertion(+)
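Review bot: `selection` keys only on `ImageLoaded|endswith: '\JSESPR.dll'` with no `Image` constraint, so the rule fires for any process that loads a DLL of that name from outside `C:\Program Files\Common Files\Justsystem\JsSchHlp\`, which is broader than the title "Via JsSchHlp" states. If the sideloading host is the intent, add `Image|endswith: '\JsSchHlp.exe'` to `selection` (the reference added in the following commit names that executable); if the broad form is intended to also catch a renamed or relocated host, say so in `description`, since that is the more useful reading for a sideloading rule. The filter prefix also covers only the 64-bit `Program Files` location; whether a `Program Files (x86)` install path exists for this product is not visible here and should be confirmed before relying on the filter.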
diff --git a/rules/windows/image_load/image_load_side_load_jsschhlp.yml b/rules/windows/image_load/image_load_side_load_jsschhlp.yml index 2be0ab53d..43ef42e0b 100644 --- a/rules/windows/image_load/image_load_side_load_jsschhlp.yml +++ b/rules/windows/image_load/image_load_side_load_jsschhlp.yml @@ -4,6 +4,7 @@ status: experimental description: Detects potential DLL sideloading using JUSTSYSTEMS Japanese word processor references: - https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/ + - http://www.windowexe.com/bbs/board.php?q=jsschhlp-exe-c-program-files-common-files-justsystem-jsschhlp-jsschhlp author: frack113 date: 2022/12/14 tags: From 544081f3c7974ce4b5a947a4ca0d024961bde4dd Mon Sep 17 00:00:00 2001 From: frack113 Date: Thu, 15 Dec 2022 12:55:18 +0100 Subject: [PATCH 186/303] Space remove --- tools/config/winlogbeat-modules-enabled.yml | 70 ++++++++++----------- 1 file changed, 35 insertions(+), 35 deletions(-) diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml index b3b0a6b9f..2b1bb553a 100644 --- a/tools/config/winlogbeat-modules-enabled.yml +++ b/tools/config/winlogbeat-modules-enabled.yml 
@@ -563,43 +563,43 @@ fieldmappings: # # Microsoft-Windows-Windows Defender/Operational # - Action_ID: winlog.event_data.Action\ ID - Action_Name: winlog.event_data.Action\ Name - Additional_Actions_ID: winlog.event_data.Additional\ Actions\ ID - Additional_Actions_String: winlog.event_data.Additional\ Actions\ String - Category_ID: winlog.event_data.Category\ ID - Category_Name: winlog.event_data.Category\ Name - Detection_ID: winlog.event_data.Detection\ ID - Detection_Time: winlog.event_data.Detection\ Time - Detection_User: winlog.event_data.Detection\ User - Engine_Version: winlog.event_data.Engine\ Version - Error_Code: winlog.event_data.Error\ Code - Error_Description: winlog.event_data.Error\ Description - Execution_ID: winlog.event_data.Execution\ ID - Execution_Name: winlog.event_data.Execution\ Name + ActionID: winlog.event_data.Action\ ID + ActionName: winlog.event_data.Action\ Name + AdditionalActionsID: winlog.event_data.Additional\ Actions\ ID + AdditionalActionsString: winlog.event_data.Additional\ Actions\ String + CategoryID: winlog.event_data.Category\ ID + CategoryName: winlog.event_data.Category\ Name + DetectionID: winlog.event_data.Detection\ ID + DetectionTime: winlog.event_data.Detection\ Time + DetectionUser: winlog.event_data.Detection\ User + EngineVersion: winlog.event_data.Engine\ Version + ErrorCode: winlog.event_data.Error\ Code + ErrorDescription: winlog.event_data.Error\ Description + ExecutionID: winlog.event_data.Execution\ ID + ExecutionName: winlog.event_data.Execution\ Name FWLink: winlog.event_data.FWLink - New_Value: winlog.event_data.New\ Value - Old_Value: winlog.event_data.Old\ Value - Origin_ID: winlog.event_data.Origin\ ID - Origin_Name: winlog.event_data.Origin\ Name + NewValue: winlog.event_data.New\ Value + OldValue: winlog.event_data.Old\ Value + OriginID: winlog.event_data.Origin\ ID + OriginName: winlog.event_data.Origin\ Name Path: winlog.event_data.Path - Post_Clean_Status: winlog.event_data.Post\ Clean\ Status 
- Pre_Execution_Status: winlog.event_data.Pre\ Execution\ Status - Process_Name: winlog.event_data.Process\ Name - Product_Name: winlog.event_data.Product\ Name - Product_Version: winlog.event_data.Product\ Version - Remediation_User: winlog.event_data.Remediation\ User - Security_intelligence_Version: winlog.event_data.Security\ intelligence\ Version - Severity_ID: winlog.event_data.Severity\ ID - Severity_Name: winlog.event_data.Severity\ Name - Source_ID: winlog.event_data.Source\ ID - Source_Name: winlog.event_data.Source\ Name - Status_Code: winlog.event_data.Status\ Code - Status_Description: winlog.event_data.Status\ Description - Threat_ID: winlog.event_data.Threat\ ID - Threat_Name: winlog.event_data.Threat\ Name - Type_ID: winlog.event_data.Type\ ID - Type_Name: winlog.event_data.Type\ Name + PostCleanStatus: winlog.event_data.Post\ Clean\ Status + PreExecutionStatus: winlog.event_data.Pre\ Execution\ Status + ProcessName: winlog.event_data.Process\ Name + ProductName: winlog.event_data.Product\ Name + ProductVersion: winlog.event_data.Product\ Version + RemediationUser: winlog.event_data.Remediation\ User + SecurityintelligenceVersion: winlog.event_data.Security\ intelligence\ Version + SeverityID: winlog.event_data.Severity\ ID + SeverityName: winlog.event_data.Severity\ Name + SourceID: winlog.event_data.Source\ ID + SourceName: winlog.event_data.Source\ Name + StatusCode: winlog.event_data.Status\ Code + StatusDescription: winlog.event_data.Status\ Description + ThreatID: winlog.event_data.Threat\ ID + ThreatName: winlog.event_data.Threat\ Name + TypeID: winlog.event_data.Type\ ID + TypeName: winlog.event_data.Type\ Name # # Microsoft-Windows-Windows Firewall With Advanced Security/Firewall # From 0f9b2fff71a273871cc8e78b2a1163724b3e031a Mon Sep 17 00:00:00 2001 
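Review bot: `SecurityintelligenceVersion` keeps the lower-case `intelligence` from the source field name, so it is the one key in this hunk that does not follow the CamelCase form every other renamed key adopts (`PostCleanStatus`, `RemediationUser`, `StatusDescription`, …). Unless a rule already references that exact spelling, `SecurityIntelligenceVersion: winlog.event_data.Security\ intelligence\ Version` is the consistent mapping. The `fieldmappings` block this belongs to continues outside the hunk.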
From: Florian Roth Date: Thu, 15 Dec 2022 13:57:56 +0100 Subject: [PATCH 187/303] refactor: NotPetya rule --- .../proc_creation_win_malware_notpetya.yml | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_malware_notpetya.yml b/rules/windows/process_creation/proc_creation_win_malware_notpetya.yml index 3f04250f4..e1724f884 100644 --- a/rules/windows/process_creation/proc_creation_win_malware_notpetya.yml +++ b/rules/windows/process_creation/proc_creation_win_malware_notpetya.yml @@ -7,7 +7,7 @@ references: - https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100 author: Florian Roth, Tom Ueltschi date: 2019/01/16 -modified: 2022/03/05 +modified: 2022/12/15 tags: - attack.defense_evasion - attack.t1218.011 @@ -19,21 +19,22 @@ logsource: category: process_creation product: windows detection: - select_pipe_com: - CommandLine|contains|all: - - '\AppData\Local\Temp\' - - '\\\\.\\pipe\\' - select_rundll32_dash1: + selection_pattern: + CommandLine|contains: + - 'wevtutil cl Application & fsutil usn deletejournal /D C:' + - 'dllhost.dat %WINDIR%\ransoms' + selection_rundll32_dash1: Image|endswith: '\rundll32.exe' CommandLine|endswith: - '.dat,#1' - '.dat #1' # Sysmon removes comma - select_perfc_keyword: + - '.zip.dll",#1' + selection_perfc_keyword: - '\perfc.dat' - condition: 1 of select* + condition: 1 of selection* fields: - CommandLine - ParentCommandLine falsepositives: - - Admin activity + - Unknown level: critical From 84041dde1fd24acc225132bdb1db2120a91188f5 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 15 Dec 2022 17:31:36 +0100 Subject: [PATCH 188/303] fix: FPs with wuauclt rule --- .../net_connection_win_wuauclt_network_connection.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) 
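Review bot: `selection_perfc_keyword` is a bare list under the selection name, i.e. a field-less keyword search, so `\perfc.dat` is matched in any field of the event rather than in `CommandLine` like the two sibling selections; a one-line comment `# keyword search: matches '\perfc.dat' in any field, not only CommandLine` would make that deliberate rather than accidental. The first `selection_pattern` string also hard-codes ` /D C:`, so a host whose system volume is not `C:` would not match that indicator; if that is an accepted limitation it is worth noting next to the string. The `logsource`/`detection` block starts before the hunk.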
diff --git a/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml b/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml
index 772359d25..2ac32898b 100644
--- a/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml
+++ b/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml
@@ -8,7 +8,7 @@ references:
 - https://dtm.uk/wuauclt/
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 date: 2020/10/12
-modified: 2021/11/27
+modified: 2022/12/15
 tags:
 - attack.defense_evasion
 - attack.t1218
@@ -18,6 +18,11 @@ logsource:
 detection:
 selection:
 Image|contains: wuauclt
+ # "C:\WINDOWS\uus\AMD64\wuauclt.exe" /DeploymentHandlerFullPath \\?\C:\Windows\UUS\AMD64\UpdateDeploy.dll /ClassId aaa256e1-5b21-4993-9188-18f07ccb3b98 /RunHandlerComServer
+ filter_ms_range: # Sysmon
+ DestinationIp|startswith: '51.10' # Microsoft Range
+ filter_cmdline:
+ CommandLine|contains: '\UpdateDeploy.dll /ClassId '
 condition: selection
 falsepositives:
 - Legitimate use of wuauclt.exe over the network.
From 2f945478dc7e83c7b2e150e5deb8ad9b49d2c6c5 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Thu, 15 Dec 2022 17:54:34 +0100
Subject: [PATCH 189/303] Fix duplicate
---
 tools/config/winlogbeat-modules-enabled.yml | 22 ++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)
diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml
index 2b1bb553a..cbc432525 100644
--- a/tools/config/winlogbeat-modules-enabled.yml
+++ b/tools/config/winlogbeat-modules-enabled.yml
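Review bot: `DestinationIp|startswith: '51.10'` is a string prefix test, not a network match: it also accepts `51.100.x.x` through `51.109.x.x`, and the `# Microsoft Range` comment does not say which published range is meant. Prefer the `cidr` modifier where the backend supports it, e.g. `DestinationIp|cidr: '<MICROSOFT-RANGE-CIDR>'` (placeholder — fill in the documented range and cite it under `references`), or at minimum a full-octet prefix such as `'51.10.'`. `filter_cmdline` additionally depends on `CommandLine` being present on network_connection events, which Sysmon event ID 3 (the source the `# Sysmon` comment names) does not carry, so that filter can only apply on sources that enrich the event.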
@@ -190,7 +190,9 @@ fieldmappings: ClassId: winlog.event_data.ClassId DeviceDescription: winlog.event_data.DeviceDescription # ErrorCode => printservice-admin EventID: 4909 or 808 - ErrorCode: winlog.event_data.ErrorCode + ErrorCode: + service=windefend: winlog.event_data.Error\ Code + default: winlog.event_data.ErrorCode FilePath: winlog.event_data.FilePath # Filename => category: antivirus Filename: winlog.event_data.Filename @@ -337,6 +339,7 @@ fieldmappings: CommandType: powershell.command.type EngineVersion: service=powershell-classic: powershell.engine.version + service=windefend: winlog.event_data.Engine\ Version default: winlog.event_data.EngineVersion HostApplication: process.command_line HostId: process.entity_id @@ -446,7 +449,9 @@ fieldmappings: NewTargetUserName: winlog.event_data.NewTargetUserName NewTime: winlog.event_data.NewTime NewUacValue: winlog.event_data.NewUacValue - NewValue: winlog.event_data.NewValue + NewValue: + service=windefend: winlog.event_data.New\ Value + default: winlog.event_data.NewValue NewValueType: winlog.event_data.NewValueType ObjectClass: winlog.event_data.ObjectClass ObjectDN: winlog.event_data.ObjectDN @@ -459,7 +464,9 @@ fieldmappings: OldSd: winlog.event_data.OldSd OldTargetUserName: winlog.event_data.OldTargetUserName OldUacValue: winlog.event_data.OldUacValue - OldValue: winlog.event_data.OldValue + OldValue: + service=windefend: winlog.event_data.Old\ Value + default: winlog.event_data.OldValue OldValueType: winlog.event_data.OldValueType OpCorrelationID: winlog.event_data.OpCorrelationID OperationType: winlog.event_data.OperationType 
@@ -472,7 +479,9 @@ fieldmappings: PreviousTime: winlog.event_data.PreviousTime PrimaryGroupId: winlog.event_data.PrimaryGroupId PrivilegeList: winlog.event_data.PrivilegeList - ProcessName: process.executable + ProcessName: + service=windefend: winlog.event_data.Process\ Name + default: process.executable ProfilePath: winlog.event_data.ProfilePath Properties: winlog.event_data.Properties PuaCount: winlog.event_data.PuaCount @@ -572,20 +581,15 @@ fieldmappings: DetectionID: winlog.event_data.Detection\ ID DetectionTime: winlog.event_data.Detection\ Time DetectionUser: winlog.event_data.Detection\ User - EngineVersion: winlog.event_data.Engine\ Version - ErrorCode: winlog.event_data.Error\ Code ErrorDescription: winlog.event_data.Error\ Description ExecutionID: winlog.event_data.Execution\ ID ExecutionName: winlog.event_data.Execution\ Name FWLink: winlog.event_data.FWLink - NewValue: winlog.event_data.New\ Value - OldValue: winlog.event_data.Old\ Value OriginID: winlog.event_data.Origin\ ID OriginName: winlog.event_data.Origin\ Name Path: winlog.event_data.Path PostCleanStatus: winlog.event_data.Post\ Clean\ Status PreExecutionStatus: winlog.event_data.Pre\ Execution\ Status - ProcessName: winlog.event_data.Process\ Name ProductName: winlog.event_data.Product\ Name ProductVersion: winlog.event_data.Product\ Version RemediationUser: winlog.event_data.Remediation\ User From 0b3a0683278a3cb2ea84c6f27381e98d27d34b7b Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 15 Dec 2022 18:00:07 +0100 Subject: [PATCH 190/303] fix: FP with NVIDIA driver installation --- .../proc_creation_win_susp_clsid_foldername.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_susp_clsid_foldername.yml b/rules/windows/process_creation/proc_creation_win_susp_clsid_foldername.yml index 1f73adb0d..6c8e07fec 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_clsid_foldername.yml 
+++ b/rules/windows/process_creation/proc_creation_win_susp_clsid_foldername.yml @@ -6,7 +6,7 @@ references: - https://twitter.com/Kostastsale/status/1565257924204986369 author: Nasreddine Bencherchali date: 2022/09/01 -modified: 2022/10/26 +modified: 2022/12/15 tags: - attack.defense_evasion - attack.t1027 @@ -33,6 +33,8 @@ detection: - '}\' filter_null: Image: null + filter_driver_inst: # DrvInst.exe "4" "0" "C:\Users\venom\AppData\Local\Temp\{a0753cc2-fcea-4d49-a787-2290b564b06f}\nvvhci.inf" "9" "43a2fa8e7" "00000000000001C0" "WinSta0\Default" "00000000000001C4" "208" "c:\program files\nvidia corporation\installer2\nvvhci.{eb7b4460-7ec9-42d6-b73f-d487d4550526}" + Image: 'C:\Windows\System32\drvinst.exe' condition: all of selection_* and not 1 of filter* falsepositives: - Some FP is expected with some installers From b1504c7632d6c0a43f61ba45b26b847c5a17d5b1 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 15 Dec 2022 19:02:56 +0100 Subject: [PATCH 191/303] fix: wrong condition --- .../net_connection_win_wuauclt_network_connection.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml b/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml index 2ac32898b..d0694ab32 100644 --- a/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml +++ b/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml @@ -23,7 +23,7 @@ detection: DestinationIp|startswith: '51.10' # Microsoft Range filter_cmdline: CommandLine|contains: '\UpdateDeploy.dll /ClassId ' - condition: selection + condition: selection and not 1 of filter* falsepositives: - Legitimate use of wuauclt.exe over the network. level: medium From 3b6403fc8ad765b74c53ea9176750fef3c6a7e81 Mon Sep 17 00:00:00 2001 
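Review bot: The sample command line is attached as a trailing comment on the `filter_driver_inst:` key, producing a very long line and committing a user-specific path (`C:\Users\venom\...`) into the rule; style-wise the example belongs on its own comment line above the key with the account name elided, e.g. `# Example: DrvInst.exe "4" "0" "C:\Users\<user>\AppData\Local\Temp\{<GUID>}\nvvhci.inf" ... "c:\program files\nvidia corporation\installer2\nvvhci.{<GUID>}"`. The `detection` block with the other `filter*` entries starts before the hunk.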
From: Veramine Date: Thu, 15 Dec 2022 14:54:46 -0800 Subject: [PATCH 192/303] Update proc_creation_win_rundll32_parent_explorer.yml Remove the false positive of explorer.exe launching rundll32.exe to load a DLL already present on the system. The specific false positive case we encountered was "CommandLine": "\"C:\\Windows\\System32\\rundll32.exe\" C:\\Windows\\System32\\LogiLDA.dll,LogiFetch". The BumbleBee case loaded a DLL from the ISO so that should still be detected. --- .../proc_creation_win_rundll32_parent_explorer.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml b/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml index e9d945a77..3730ef49d 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml @@ -1,12 +1,12 @@ title: Rundll32 With Suspicious Parent Process id: 1723e720-616d-4ddc-ab02-f7e3685a4713 status: experimental -description: Detects suspicious start of rundll32.exe with a parent process of Explorer.exe. Variant of Raspberry Robin, as first reported by Red Canary. +description: Detects suspicious start of rundll32.exe with a parent process of Explorer.exe. Variant of Raspberry Robin, as first reported by Red Canary. Does not detect explorer executing rundll32.exe with a DLL already present in the system folder. references: - https://redcanary.com/blog/raspberry-robin/ - https://thedfirreport.com/2022/09/26/bumblebee-round-two/ author: CD_ROM_ -date: 2022/05/21 +date: 2022/12/15 tags: - attack.defense_evasion logsource: 
@@ -17,7 +17,9 @@ detection:
 Image|endswith: '\rundll32.exe'
 ParentImage|endswith: '\explorer.exe'
 filter:
- CommandLine|contains: '\shell32.dll,OpenAs_RunDLL'
+ - CommandLine|contains: '\shell32.dll,OpenAs_RunDLL'
+ - CommandLine|contains: 'rundll32.exe" C:\Windows\System32\'
+ - CommandLine|contains: 'rundll32.exe C:\Windows\System32\'
 condition: selection and not filter
 fields:
 - Image
From bfa5e4ecf5fbb176affea3d7bf1cc405d3e37276 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Fri, 16 Dec 2022 08:28:45 +0100
Subject: [PATCH 193/303] Update rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
---
 .../proc_creation_win_rundll32_parent_explorer.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml b/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml
index 3730ef49d..b9c8c39ab 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml
@@ -6,7 +6,8 @@ references:
 - https://redcanary.com/blog/raspberry-robin/
 - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
 author: CD_ROM_
-date: 2022/12/15
+date: 2022/05/21
+modified: 2022/12/15
 tags:
 - attack.defense_evasion
 logsource:
From 5563195c770b094097834af93377d14655000684 Mon Sep 17 00:00:00 2001
From: BlueTeamOps <1480956+blueteam0ps@users.noreply.github.com>
Date: Fri, 16 Dec 2022 18:55:09 +1100
Subject: [PATCH 194/303] fixed up eventName
---
 rules/cloud/aws/aws_enum_storage.yml | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/rules/cloud/aws/aws_enum_storage.yml b/rules/cloud/aws/aws_enum_storage.yml
index f2fa2fac4..45046240e 100644
--- a/rules/cloud/aws/aws_enum_storage.yml
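Review bot: The two new exclusions are mid-string `contains` matches, so any command line that contains `rundll32.exe C:\Windows\System32\` anywhere is dropped regardless of what follows that prefix or where in the line it appears; the description's wording "a DLL already present in the system folder" is narrower than what the filter actually excludes, which is every path under the System32 tree, subfolders included, plus any later argument that happens to contain the text. If the goal is the case described in the commit message, anchoring the filter to the start of the command line, e.g. `- CommandLine|startswith: '"C:\Windows\System32\rundll32.exe" C:\Windows\System32\'`, keeps the exclusion tied to the actual image and DLL position; otherwise a comment on the `filter` block should state that the whole System32 tree is excluded so the gap is known. The `selection` this filter pairs with starts before the hunk.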
+++ b/rules/cloud/aws/aws_enum_storage.yml
@@ -14,16 +14,16 @@ logsource:
 service: cloudtrail
 detection:
 selection:
- eventSource: cloudtrail
- eventName: s3.amazonaws.com
- - ListBuckets
- - GetBucketCors
- - GetBucketInventoryConfiguration
- - GetBucketPublicAccessBlock
- - GetBucketMetricsConfiguration
- - GetBucketPolicy
- - GetBucketTagging
+ eventSource: s3.amazonaws.com
+ eventName:
+ - 'ListBuckets'
+ - 'GetBucketCors'
+ - 'GetBucketInventoryConfiguration'
+ - 'GetBucketPublicAccessBlock'
+ - 'GetBucketMetricsConfiguration'
+ - 'GetBucketPolicy'
+ - 'GetBucketTagging'
 condition: selection
 falsepositives:
 - Unknown
-level: medium
\ No newline at end of file
+level: medium
From 02fdcf037e918694b891a5cd37f52071414acba9 Mon Sep 17 00:00:00 2001
From: BlueTeamOps <1480956+blueteam0ps@users.noreply.github.com>
Date: Fri, 16 Dec 2022 18:56:15 +1100
Subject: [PATCH 195/303] fixed the eventNames to be inline
---
 rules/cloud/aws/aws_ses_messaging_enabled.yml | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/rules/cloud/aws/aws_ses_messaging_enabled.yml b/rules/cloud/aws/aws_ses_messaging_enabled.yml
index 52e57cf6d..a0a56844f 100644
--- a/rules/cloud/aws/aws_ses_messaging_enabled.yml
+++ b/rules/cloud/aws/aws_ses_messaging_enabled.yml
@@ -15,14 +15,12 @@ logsource:
 detection:
 selection1:
 eventSource: ses.amazonaws.com
- eventName:
- - UpdateAccountSendingEnabled
+ eventName: 'UpdateAccountSendingEnabled'
 selection2:
 eventSource: ses.amazonaws.com
- eventName:
- - VerifyEmailIdentity
+ eventName: 'VerifyEmailIdentity'
 timeframe: 5m
 condition: selection1 and selection2
 falsepositives:
 - Legitimate SES configuration activity
-level: medium
\ No newline at end of file
+level: medium
From 066ab2680db573f543fff174a2730b94c06b1df8 Mon Sep 17 00:00:00 2001
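Review bot: With `condition: selection` any single one of the seven S3 calls raises a medium alert, and `ListBuckets` in particular is presumably issued routinely by the console and SDK tooling, so `falsepositives: Unknown` understates the expected volume. Either record that routine activity under `falsepositives`, or keep `ListBuckets` out of the single-event list and pair it with a count-based aggregation so that only bursts of enumeration fire. The rule's `logsource` block starts before the hunk.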
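Review bot: `condition: selection1 and selection2` cannot be satisfied by a single CloudTrail event, because `eventName` holds one value per event and the two selections now require different values (`UpdateAccountSendingEnabled` versus `VerifyEmailIdentity`); `timeframe: 5m` on its own does not turn the condition into a multi-event correlation, so as written the rule never fires. If the intent is "both calls within five minutes", express it as a correlation (the Sigma correlation rule format, or the legacy `near` aggregation where a backend still supports it); if either call alone is enough, use `condition: 1 of selection*` and drop `timeframe`. The `logsource` block starts before the hunk.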
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Fri, 16 Dec 2022 09:24:19 +0100 Subject: [PATCH 196/303] Change to LF --- rules/cloud/aws/aws_delete_identity.yml | 45 +++++++------- rules/cloud/aws/aws_enum_logging.yml | 62 +++++++++---------- rules/cloud/aws/aws_enum_network.yml | 56 ++++++++--------- rules/cloud/aws/aws_enum_storage.yml | 58 ++++++++--------- rules/cloud/aws/aws_ses_messaging_enabled.yml | 52 ++++++++-------- 5 files changed, 136 insertions(+), 137 deletions(-) diff --git a/rules/cloud/aws/aws_delete_identity.yml b/rules/cloud/aws/aws_delete_identity.yml index 16adddd41..e54a4b349 100644 --- a/rules/cloud/aws/aws_delete_identity.yml +++ b/rules/cloud/aws/aws_delete_identity.yml 
@@ -1,23 +1,22 @@
-title: Delete SES Identity
-id: 20f754db-d025-4a8f-9d74-e0037e999a9a
-status: experimental
-description: Identifies a SES identity is deleted. This may be an indicator of an adversary removing the account that carried out suspicious or malicious activities
-references:
- - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
-author: Janantha Marasinghe
-date: 2022/12/13
-tags:
- - attack.defense_evasion
- - attack.t1070
-logsource:
- product: aws
- service: cloudtrail
-detection:
- selection:
- eventSource: cloudtrail
- eventName: ses.amazonaws.com
- - delete-identity
- condition: selection
-falsepositives:
- - Unknown
-level: medium
\ No newline at end of file
+title: Delete SES Identity
+id: 20f754db-d025-4a8f-9d74-e0037e999a9a
+status: experimental
+description: Identifies a SES identity is deleted. This may be an indicator of an adversary removing the account that carried out suspicious or malicious activities
+references:
+ - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
+author: Janantha Marasinghe
+date: 2022/12/13
+tags:
+ - attack.defense_evasion
+ - attack.t1070
+logsource:
+ product: aws
+ service: cloudtrail
+detection:
+ selection:
+ eventSource: ses.amazonaws.com
+ eventName: delete-identity
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/cloud/aws/aws_enum_logging.yml b/rules/cloud/aws/aws_enum_logging.yml
index 5f37586ce..0670b0e34 100644
--- a/rules/cloud/aws/aws_enum_logging.yml
+++ b/rules/cloud/aws/aws_enum_logging.yml
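Review bot: `eventName: delete-identity` uses the CLI sub-command spelling, but CloudTrail records the API operation name, which for this SES action is `DeleteIdentity`, so the new selection is unlikely ever to match; suggest `eventName: DeleteIdentity`. Separately, this commit is titled "Change to LF" yet the hunk rewrites the selection logic (`eventSource` moved from `cloudtrail` to `ses.amazonaws.com`, `eventName` reshaped), which is a behavioural change that deserves its own line in the commit message so it is not lost in a whitespace-only diff.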
@@ -1,31 +1,31 @@ -title: Enumerate Backup Configuration on AWS -id: 76255e09-755e-4675-8b6b-dbce9842cd2a -status: experimental -description: Identifies enumeration activity targeting the AWS backups -references: - - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/ -author: Janantha Marasinghe -date: 2022/12/13 -tags: - - attack.discovery - - attack.t1580 -logsource: - product: aws - service: cloudtrail -detection: - selection: - eventSource: cloudtrail - eventName: ec2.amazonaws.com - - GetPasswordData - - GetEbsEncryptionByDefault - - GetEbsDefaultKmsKeyId - - GetBucketReplication - - DescribeVolumes - - DescribeVolumesModifications - - DescribeSnapshotAttribute - - DescribeSnapshotTierStatus - - DescribeImages - condition: selection -falsepositives: - - Unknown -level: medium \ No newline at end of file +title: Enumerate Backup Configuration on AWS +id: 76255e09-755e-4675-8b6b-dbce9842cd2a +status: experimental +description: Identifies enumeration activity targeting the AWS backups +references: + - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/ +author: Janantha Marasinghe +date: 2022/12/13 +tags: + - attack.discovery + - attack.t1580 +logsource: + product: aws + service: cloudtrail +detection: + selection: + eventSource: ec2.amazonaws.com + eventName: + - GetPasswordData + - GetEbsEncryptionByDefault + - GetEbsDefaultKmsKeyId + - GetBucketReplication + - DescribeVolumes + - DescribeVolumesModifications + - DescribeSnapshotAttribute + - DescribeSnapshotTierStatus + - DescribeImages + condition: selection +falsepositives: + - Unknown +level: medium diff --git a/rules/cloud/aws/aws_enum_network.yml b/rules/cloud/aws/aws_enum_network.yml index 1b3e0a8b4..2aa6abe2b 100644 --- a/rules/cloud/aws/aws_enum_network.yml +++ b/rules/cloud/aws/aws_enum_network.yml 
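Review bot: `GetBucketReplication` is an S3 API, not an EC2 one, so under the new `eventSource: ec2.amazonaws.com` that list entry can never match and should either be removed or moved to the S3 storage-enumeration rule. The remaining entries (`GetPasswordData`, the `GetEbs*` calls and the `Describe*` calls) are EC2 operations and are consistent with the new `eventSource`. As with the previous file in this commit, the logic change is hidden under a "Change to LF" message and is worth calling out explicitly.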
@@ -1,28 +1,28 @@
-title: Network Enumeration on AWS
-id: c3d53999-4b14-4ddd-9d9b-e618c366b54d
-status: experimental
-description: Identifies when network enumeration is performed on AWS.
-references:
- - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
-author: Janantha Marasinghe
-date: 2022/12/13
-tags:
- - attack.discovery
- - attack.t1016
-logsource:
- product: aws
- service: cloudtrail
-detection:
- selection:
- eventSource: cloudtrail
- eventName: ec2.amazonaws.com
- - DescribeCarrierGateways
- - DescribeVpcEndpointConnectionNotifications
- - DescribeTransitGatewayMulticastDomains
- - DescribeClientVpnRoutes
- - DescribeDhcpOptions
- - GetTransitGatewayRouteTableAssociations
- condition: selection
-falsepositives:
- - Unknown
-level: low
\ No newline at end of file
+title: Network Enumeration on AWS
+id: c3d53999-4b14-4ddd-9d9b-e618c366b54d
+status: experimental
+description: Identifies when network enumeration is performed on AWS.
+references:
+ - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
+author: Janantha Marasinghe
+date: 2022/12/13
+tags:
+ - attack.discovery
+ - attack.t1016
+logsource:
+ product: aws
+ service: cloudtrail
+detection:
+ selection:
+ eventSource: ec2.amazonaws.com
+ eventName:
+ - DescribeCarrierGateways
+ - DescribeVpcEndpointConnectionNotifications
+ - DescribeTransitGatewayMulticastDomains
+ - DescribeClientVpnRoutes
+ - DescribeDhcpOptions
+ - GetTransitGatewayRouteTableAssociations
+ condition: selection
+falsepositives:
+ - Unknown
+level: low
diff --git a/rules/cloud/aws/aws_enum_storage.yml b/rules/cloud/aws/aws_enum_storage.yml
index 45046240e..5e560c4c0 100644
--- a/rules/cloud/aws/aws_enum_storage.yml
+++ b/rules/cloud/aws/aws_enum_storage.yml
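Review bot: `falsepositives: - Unknown` undersells what this rule will produce: any single `Describe*`/`Get*` call matches, and these read-only calls are also issued by the AWS console and infrastructure-as-code tooling during normal operation. Name the expected benign source so analysts know what to baseline, e.g. `- Legitimate administrative, console or IaC tooling activity`. The same wording would fit the other enumeration rules in this commit.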
@@ -1,29 +1,29 @@
-title: Storage Enumeration on AWS
-id: 4723218f-2048-41f6-bcb0-417f2d784f61
-status: experimental
-description: Identifies enumeration activity targeting AWS storage
-references:
- - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
-author: Janantha Marasinghe
-date: 2022/12/13
-tags:
- - attack.discovery
- - attack.t1619
-logsource:
- product: aws
- service: cloudtrail
-detection:
- selection:
- eventSource: s3.amazonaws.com
- eventName:
- - 'ListBuckets'
- - 'GetBucketCors'
- - 'GetBucketInventoryConfiguration'
- - 'GetBucketPublicAccessBlock'
- - 'GetBucketMetricsConfiguration'
- - 'GetBucketPolicy'
- - 'GetBucketTagging'
- condition: selection
-falsepositives:
- - Unknown
-level: medium
+title: Storage Enumeration on AWS
+id: 4723218f-2048-41f6-bcb0-417f2d784f61
+status: experimental
+description: Identifies enumeration activity targeting AWS storage
+references:
+ - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
+author: Janantha Marasinghe
+date: 2022/12/13
+tags:
+ - attack.discovery
+ - attack.t1619
+logsource:
+ product: aws
+ service: cloudtrail
+detection:
+ selection:
+ eventSource: s3.amazonaws.com
+ eventName:
+ - 'ListBuckets'
+ - 'GetBucketCors'
+ - 'GetBucketInventoryConfiguration'
+ - 'GetBucketPublicAccessBlock'
+ - 'GetBucketMetricsConfiguration'
+ - 'GetBucketPolicy'
+ - 'GetBucketTagging'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/cloud/aws/aws_ses_messaging_enabled.yml b/rules/cloud/aws/aws_ses_messaging_enabled.yml
index a0a56844f..a9eb342c8 100644
--- a/rules/cloud/aws/aws_ses_messaging_enabled.yml
+++ b/rules/cloud/aws/aws_ses_messaging_enabled.yml
@@ -1,26 +1,26 @@
-title: Configure AWS SES To Send Messages
-id: 33d50d03-20ec-4b74-a74e-1e65a38af1c0
-status: experimental
-description: Identifies email sending feature is enabled for an account and the email address verification request is dispatched
-references:
- - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
-author: Janantha Marasinghe
-date: 2022/12/12
-tags:
- - attack.t1583.006
- - attack.resource_development
-logsource:
- product: aws
- service: cloudtrail
-detection:
- selection1:
- eventSource: ses.amazonaws.com
- eventName: 'UpdateAccountSendingEnabled'
- selection2:
- eventSource: ses.amazonaws.com
- eventName: 'VerifyEmailIdentity'
- timeframe: 5m
- condition: selection1 and selection2
-falsepositives:
- - Legitimate SES configuration activity
-level: medium
+title: Configure AWS SES To Send Messages
+id: 33d50d03-20ec-4b74-a74e-1e65a38af1c0
+status: experimental
+description: Identifies email sending feature is enabled for an account and the email address verification request is dispatched
+references:
+ - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/
+author: Janantha Marasinghe
+date: 2022/12/12
+tags:
+ - attack.t1583.006
+ - attack.resource_development
+logsource:
+ product: aws
+ service: cloudtrail
+detection:
+ selection1:
+ eventSource: ses.amazonaws.com
+ eventName: 'UpdateAccountSendingEnabled'
+ selection2:
+ eventSource: ses.amazonaws.com
+ eventName: 'VerifyEmailIdentity'
+ timeframe: 5m
+ condition: selection1 and selection2
+falsepositives:
+ - Legitimate SES configuration activity
+level: medium
From 97c43eaa7349e8f208e65b5f233986df030d26a4 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 16 Dec 2022 10:32:18 +0100
Subject: [PATCH 197/303] fix: duplicate id
---
 rules/cloud/aws/aws_ses_messaging_enabled.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
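Review bot: `condition: selection1 and selection2` cannot be satisfied by a single CloudTrail record, because `eventName` cannot equal both `UpdateAccountSendingEnabled` and `VerifyEmailIdentity` at once, and `timeframe: 5m` does not turn an `and` into an event correlation on its own. This hunk only re-emits the file, so the logic is unchanged, but the new side is what will be deployed. If the two-call sequence is the intent, use the correlation construct the target backend supports (Sigma's `near` aggregation, where available); otherwise fall back to `condition: 1 of selection*` and document that either call is reported.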
diff --git a/rules/cloud/aws/aws_ses_messaging_enabled.yml b/rules/cloud/aws/aws_ses_messaging_enabled.yml
index a9eb342c8..4d49be28f 100644
--- a/rules/cloud/aws/aws_ses_messaging_enabled.yml
+++ b/rules/cloud/aws/aws_ses_messaging_enabled.yml
@@ -1,5 +1,5 @@
 title: Configure AWS SES To Send Messages
-id: 33d50d03-20ec-4b74-a74e-1e65a38af1c0
+id: 60b84424-a724-4502-bd0d-cc676e1bc90e
 status: experimental
 description: Identifies email sending feature is enabled for an account and the email address verification request is dispatched
 references:
From 3868dd91c6dc93b2e2a53e3fd60a6254d6250ad8 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 16 Dec 2022 16:52:12 +0100
Subject: [PATCH 198/303] feat: updates and enhancements
---
 .../driver_load_mal_poortry_driver.yml | 69 +++++++++++++++++++
 .../driver_load_vuln_dell_driver.yml | 1 +
 .../driver_load/driver_load_vuln_drivers.yml | 1 +
 .../driver_load_vuln_drivers_names.yml | 3 +-
 ...l => file_event_win_lsass_shtinkering.yml} | 0
 ..._win_wermgr_local_privilege_escalation.yml | 22 ++++++
 .../image_load_side_load_wermgr_comctl32.yml | 25 +++++++
 ...access_win_shellcode_inject_msf_empire.yml | 8 +--
 ...tion_win_susp_child_process_as_system_.yml | 14 ++--
 .../proc_creation_win_susp_wermgr.yml | 15 ++--
 .../proc_creation_win_sysmon_exploitation.yml | 5 +-
 11 files changed, 142 insertions(+), 21 deletions(-)
 create mode 100644 rules/windows/driver_load/driver_load_mal_poortry_driver.yml
 rename rules/windows/file/file_event/{file_event_lsass_shtinkering.yml => file_event_win_lsass_shtinkering.yml} (100%)
 create mode 100644 rules/windows/file/file_event/file_event_win_wermgr_local_privilege_escalation.yml
 create mode 100644 rules/windows/image_load/image_load_side_load_wermgr_comctl32.yml
diff --git a/rules/windows/driver_load/driver_load_mal_poortry_driver.yml b/rules/windows/driver_load/driver_load_mal_poortry_driver.yml
new file mode 100644
index 000000000..1be44592b
--- /dev/null
+++ b/rules/windows/driver_load/driver_load_mal_poortry_driver.yml
@@ -0,0 +1,69 @@
+title: Usage Of Malicious POORTRY Signed Driver
+id: 91bc09e7-674d-4cf5-8d86-ed5d8bdb95a6
+status: experimental
+description: Detects the load of the signed poortry driver used by UNC3944 as reported by Mandiant and Sentinel One.
+references:
+ - https://www.mandiant.com/resources/blog/hunting-attestation-signed-malware
+author: Nasreddine Bencherchali
+date: 2022/12/16
+tags:
+ - attack.privilege_escalation
+ - attack.t1543
+ - attack.t1068
+logsource:
+ category: driver_load
+ product: windows
+detection:
+ selection_image:
+ ImageLoaded|contains:
+ - '\prokiller64.sys'
+ - '\gftkyj64.sys'
+ - '\KApcHelper_x64.sys'
+ - '\NodeDriver.sys'
+ - '\LcTkA.sys'
+ selection_sysmon:
+ Hashes|contains:
+ - 'SHA256=0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc'
+ - 'SHA256=9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c'
+ - 'SHA256=8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104'
+ - 'SHA256=d7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c'
+ - 'SHA256=05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4'
+ - 'SHA256=c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497'
+ - 'SHA1=31cc8718894d6e6ce8c132f68b8caaba39b5ba7a'
+ - 'SHA1=a804ebec7e341b4d98d9e94f6e4860a55ea1638d'
+ - 'SHA1=6debce728bcff73d9d1d334df0c6b1c3735e295c'
+ - 'SHA1=cc65bf60600b64feece5575f21ab89e03a728332'
+ - 'SHA1=3ef30c95e40a854cc4ded94fc503d0c3dc3e620e'
+ - 'SHA1=b2f955b3e6107f831ebe67997f8586d4fe9f3e98'
+ - 'MD5=10f3679384a03cb487bda9621ceb5f90'
+ - 'MD5=04a88f5974caa621cee18f34300fc08a'
+ - 'MD5=6fcf56f6ca3210ec397e55f727353c4a'
+ - 'MD5=0f16a43f7989034641fd2de3eb268bf1'
+ - 'MD5=ee6b1a79cb6641aa44c762ee90786fe0'
+ - 'MD5=909f3fc221acbe999483c87d9ead024a'
+ selection_hash:
+ - SHA256:
+ - '0440ef40c46fdd2b5d86e7feef8577a8591de862cfd7928cdbcc8f47b8fa3ffc'
+ - '9b1b15a3aacb0e786a608726c3abfc94968915cedcbd239ddf903c4a54bfcf0c'
+ - 
'8e035beb02a411f8a9e92d4cf184ad34f52bbd0a81a50c222cdd4706e4e45104'
+ - 'd7c81b0f3c14844f6424e8bdd31a128e773cb96cccef6d05cbff473f0ccb9f9c'
+ - '05b146a48a69dd62a02759487e769bd30d39f16374bc76c86453b4ae59e7ffa4'
+ - 'c8f9e1ad7b8cce62fba349a00bc168c849d42cfb2ca5b2c6cc4b51d054e0c497'
+ - SHA1:
+ - '31cc8718894d6e6ce8c132f68b8caaba39b5ba7a'
+ - 'a804ebec7e341b4d98d9e94f6e4860a55ea1638d'
+ - '6debce728bcff73d9d1d334df0c6b1c3735e295c'
+ - 'cc65bf60600b64feece5575f21ab89e03a728332'
+ - '3ef30c95e40a854cc4ded94fc503d0c3dc3e620e'
+ - 'b2f955b3e6107f831ebe67997f8586d4fe9f3e98'
+ - MD5:
+ - '10f3679384a03cb487bda9621ceb5f90'
+ - '04a88f5974caa621cee18f34300fc08a'
+ - '6fcf56f6ca3210ec397e55f727353c4a'
+ - '0f16a43f7989034641fd2de3eb268bf1'
+ - 'ee6b1a79cb6641aa44c762ee90786fe0'
+ - '909f3fc221acbe999483c87d9ead024a'
+ condition: 1 of selection*
+falsepositives:
+ - Legitimate BIOS driver updates (should be rare)
+level: high
diff --git a/rules/windows/driver_load/driver_load_vuln_dell_driver.yml b/rules/windows/driver_load/driver_load_vuln_dell_driver.yml
index dce4c8e04..bc5b26d8d 100644
--- a/rules/windows/driver_load/driver_load_vuln_dell_driver.yml
+++ b/rules/windows/driver_load/driver_load_vuln_dell_driver.yml
@@ -11,6 +11,7 @@ tags:
 - attack.privilege_escalation
 - cve.2021.21551
 - attack.t1543
+ - attack.t1068
 logsource:
 category: driver_load
 product: windows
diff --git a/rules/windows/driver_load/driver_load_vuln_drivers.yml b/rules/windows/driver_load/driver_load_vuln_drivers.yml
index 5d9bf7866..8e2449b70 100644
--- a/rules/windows/driver_load/driver_load_vuln_drivers.yml
+++ b/rules/windows/driver_load/driver_load_vuln_drivers.yml
@@ -25,6 +25,7 @@ modified: 2022/11/29
 tags:
 - attack.privilege_escalation
 - attack.t1543.003
+ - attack.t1068
 logsource:
 product: windows
 category: driver_load
diff --git a/rules/windows/driver_load/driver_load_vuln_drivers_names.yml b/rules/windows/driver_load/driver_load_vuln_drivers_names.yml
index 07d18c8ef..85da6ba0c 100644
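Review bot: The description credits `Mandiant and Sentinel One`, but `references` carries only the Mandiant post; add the SentinelOne write-up (not on this page) or drop the mention so the attribution is checkable. The tags use the parent technique `attack.t1543`, while the neighbouring driver-load rules touched in this same commit carry `attack.t1543.003`; align them. `ImageLoaded|contains` with a leading backslash works, but `ImageLoaded|endswith` states the intent (a file name) more precisely. This hunk starts on the previous line.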
--- a/rules/windows/driver_load/driver_load_vuln_drivers_names.yml
+++ b/rules/windows/driver_load/driver_load_vuln_drivers_names.yml
@@ -24,6 +24,7 @@ modified: 2022/11/29
 tags:
 - attack.privilege_escalation
 - attack.t1543.003
+ - attack.t1068
 logsource:
 product: windows
 category: driver_load
@@ -210,6 +211,6 @@ detection:
 - '\vLTZ19.sys'
 condition: selection
 falsepositives:
- - Some false positives may occure if one of the vulnerable driver names mentioned above didn't change it's name between versions. So always make sure that the driver being loaded is the legitimate one and the non vulnerable version.
+ - False positives may occure if one of the vulnerable driver names mentioned above didn't change it's name between versions. So always make sure that the driver being loaded is the legitimate one and the non vulnerable version.
 - If you experience a lot of FP you could comment the driver name or it's exact known legitimate location (when possible)
 level: medium
diff --git a/rules/windows/file/file_event/file_event_lsass_shtinkering.yml b/rules/windows/file/file_event/file_event_win_lsass_shtinkering.yml
similarity index 100%
rename from rules/windows/file/file_event/file_event_lsass_shtinkering.yml
rename to rules/windows/file/file_event/file_event_win_lsass_shtinkering.yml
diff --git a/rules/windows/file/file_event/file_event_win_wermgr_local_privilege_escalation.yml b/rules/windows/file/file_event/file_event_win_wermgr_local_privilege_escalation.yml
new file mode 100644
index 000000000..f455614ba
--- /dev/null
+++ b/rules/windows/file/file_event/file_event_win_wermgr_local_privilege_escalation.yml
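Review bot: The rewritten falsepositives line keeps two typos from the old text, `occure` and `it's name`. Proposed: `- False positives may occur if one of the vulnerable driver names mentioned above didn't change its name between versions. So always make sure that the driver being loaded is the legitimate one and the non vulnerable version.` The unchanged line below it has the same `it's exact known legitimate location`, which should read `its`.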
@@ -0,0 +1,22 @@
+title: Potential Privilege Escalation Attempt Via Wermgr.Exe.Local
+id: 07a99744-56ac-40d2-97b7-2095967b0e03
+status: experimental
+description: Detects potential privilege escalation attempt via the creation of the "Wermgr.Exe.Local" folder inside the "System32" directory in order to sideload "comctl32.dll"
+references:
+ - https://github.com/binderlabs/DirCreate2System
+author: Nasreddine Bencherchali
+date: 2022/12/16
+tags:
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.privilege_escalation
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ TargetFilename|startswith: 'C:\windows\system32\wermgr.exe.local\'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/image_load/image_load_side_load_wermgr_comctl32.yml b/rules/windows/image_load/image_load_side_load_wermgr_comctl32.yml
new file mode 100644
index 000000000..c1dba7aec
--- /dev/null
+++ b/rules/windows/image_load/image_load_side_load_wermgr_comctl32.yml
@@ -0,0 +1,25 @@
+title: Potential DLL Sideloading Via comctl32.dll
+id: 6360757a-d460-456c-8b13-74cf0e60cceb
+status: experimental
+description: Detects potential DLL sideloading using comctl32.dll via "wermgr.exe" to obtain system privileges
+references:
+ - https://github.com/binderlabs/DirCreate2System
+author: Nasreddine Bencherchali
+date: 2022/12/16
+tags:
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1574.001
+ - attack.t1574.002
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ ImageLoaded|startswith: 'C:\windows\system32\wermgr.exe.local\'
+ ImageLoaded|endswith: '\comctl32.dll'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml b/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml
index 5c5bb41df..f590e937f 100644
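Review bot: Both new rules anchor the path with `|startswith: 'C:\windows\system32\wermgr.exe.local\'`, so a system root on another drive letter, or a log source that records the path differently, is missed; `|contains: '\system32\wermgr.exe.local\'` keeps the intent without the drive prefix (the image_load rule can keep its `|endswith: '\comctl32.dll'`). The file_event rule also carries only tactic tags, while the image_load rule in the same hunk line lists `attack.t1574.001` and `attack.t1574.002`; add the same technique tags so both rules are classified consistently.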
--- a/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml
+++ b/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml
@@ -1,10 +1,10 @@
-title: Shellcode Injection
+title: Potential Shellcode Injection
 id: 250ae82f-736e-4844-a68b-0b5e8cc887da
 status: experimental
-description: Detects shellcode injection by Metasploit's migrate and Empire's psinject
+description: Detects potential shellcode injection used by tools such as Metasploit's migrate and Empire's psinject
 author: Bhabesh Raj
 date: 2022/03/11
-modified: 2022/11/01
+modified: 2022/12/15
 tags:
 - attack.defense_evasion
 - attack.privilege_escalation
@@ -59,5 +59,5 @@ detection:
 TargetImage: C:\Program Files\Dell\DellDataVault\DDVDataCollector.exe
 condition: selection and not 1 of filter_*
 falsepositives:
- - Empire's csharp_exe payload uses 0x1f3fff for process enumeration as well
+ - Unknown
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml b/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml
index 279bd99a2..093c1ff8a 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml
@@ -9,7 +9,7 @@ references:
 - https://twitter.com/Cyb3rWard0g/status/1453123054243024897
 author: Teymur Kheirkhabarov, Roberto Rodriguez (@Cyb3rWard0g), Open Threat Research (OTR)
 date: 2019/10/26
-modified: 2021/11/27
+modified: 2022/12/15
 tags:
 - attack.privilege_escalation
 - attack.t1134.002
@@ -19,21 +19,21 @@ logsource:
 definition: ParentUser field needs sysmon >= 13.30
 detection:
 selection:
- ParentUser:
- - 'NT AUTHORITY\NETWORK SERVICE'
- - 'NT AUTHORITY\LOCAL SERVICE'
- - 'AUTORITE NT\' # French language settings
+ ParentUser|contains:
+ - 'AUTHORI'
+ - 'AUTORI'
 User|contains: # covers many language settings
 - 'AUTHORI'
 - 'AUTORI'
 User|endswith: # System
 - '\SYSTEM'
+ - '\Système'
 - '\СИСТЕМА'
 IntegrityLevel: 'System'
- rundllexception:
+ filter_rundll32:
 Image|endswith: '\rundll32.exe'
 CommandLine|contains: 'DavSetCookie'
- condition: selection and not rundllexception
+ condition: selection and not 1 of filter_*
 falsepositives:
 - Unknown
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_wermgr.yml b/rules/windows/process_creation/proc_creation_win_susp_wermgr.yml
index 0b0bee2dd..cbff1f31f 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_wermgr.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_wermgr.yml
@@ -5,6 +5,7 @@ description: Detects suspicious Windows Error Reporting manager (wermgr.exe) pro
 references:
 - https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html
 - https://www.echotrail.io/insights/search/wermgr.exe
+ - https://github.com/binderlabs/DirCreate2System
 author: Florian Roth
 date: 2022/10/14
 modified: 2022/12/04
@@ -12,12 +13,6 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection_img:
- Image|endswith: '\wermgr.exe'
- filter_img_location:
- Image|contains:
- - 'C:\Windows\System32\'
- - 'C:\Windows\SysWOW64\'
 selection_susp_parent:
 ParentImage|endswith: '\wermgr.exe'
 Image|endswith:
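Review bot: Replacing the explicit `NT AUTHORITY\NETWORK SERVICE` / `NT AUTHORITY\LOCAL SERVICE` parent list with `ParentUser|contains: 'AUTHORI'` also matches parents running as `NT AUTHORITY\SYSTEM`, so every SYSTEM-spawns-SYSTEM service child now satisfies the selection and the rule loses the signal the title describes (a low-privilege service account parent, a SYSTEM child). Keep the language-agnostic `contains` for the authority part but constrain the account part, e.g. `ParentUser|endswith: - '\NETWORK SERVICE' - '\LOCAL SERVICE'`, together with the localized names the dropped `AUTORITE NT\` entry was meant to cover; PATCH 203 later in this series adds the English pair. The `filter_rundll32` rename and `not 1 of filter_*` are fine.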
@@ -30,7 +25,13 @@ detection:
 - '\systeminfo.exe'
 - '\cmd.exe'
 - '\powershell.exe'
- condition: selection_img and not filter_img_location or 1 of selection_susp*
+ selection_img:
+ Image|endswith: '\wermgr.exe'
+ filter_img_location:
+ Image|contains:
+ - 'C:\Windows\System32\'
+ - 'C:\Windows\SysWOW64\'
+ condition: 1 of selection_susp* or (selection_img and not filter_img_location)
 falsepositives:
 - Unknown
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_sysmon_exploitation.yml b/rules/windows/process_creation/proc_creation_win_sysmon_exploitation.yml
index 431b8345c..93c142377 100644
--- a/rules/windows/process_creation/proc_creation_win_sysmon_exploitation.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysmon_exploitation.yml
@@ -8,7 +8,7 @@ references:
 - https://twitter.com/filip_dragovic/status/1590104354727436290
 author: Florian Roth
 date: 2022/11/10
-modified: 2022/12/04
+modified: 2022/12/15
 tag:
 - attack.privilege_escalation
 - attack.t1068
@@ -22,11 +22,12 @@ detection:
 - '\Sysmon.exe'
 - '\Sysmon64.exe'
 filter:
- Image:
+ - Image:
 - 'C:\Windows\Sysmon64.exe'
 - 'C:\Windows\System32\conhost.exe'
 - 'wevtutil.exe'
 - 'C:\WINDOWS\system32\wevtutil.exe'
+ - Image|endswith: '\AppData\Local\Temp\Sysmon.exe' # When launching Sysmon 32bit version.
 condition: selection and not filter
 falsepositives:
 - Unknown
From f0ff97be9b28c1c05678bfd0b7b280f30fc03bb5 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 16 Dec 2022 17:07:52 +0100
Subject: [PATCH 199/303] fix: update description
---
 .../proc_creation_win_rundll32_parent_explorer.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml b/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml
index b9c8c39ab..94a6a90ff 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml
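Review bot: `filter_img_location` matches with `Image|contains: 'C:\Windows\System32\'`, so a `wermgr.exe` placed in any subfolder of System32 or SysWOW64 is excluded from the `selection_img and not filter_img_location` branch, not just the real binary. The legitimate file has exactly two locations, so match them exactly: `Image: - 'C:\Windows\System32\wermgr.exe' - 'C:\Windows\SysWOW64\wermgr.exe'`. The parenthesised condition makes the precedence the old one-liner relied on explicit, which is welcome.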
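Review bot: The context line `tag:` (shown in the first hunk of `proc_creation_win_sysmon_exploitation.yml`) is not the Sigma `tags:` key, so the ATT&CK tags of this rule are silently ignored by tooling; rename it to `tags:`. In the filter, the bare `- 'wevtutil.exe'` entry under `Image:` is an exact match against a field that holds a full path and can never match; only the `C:\WINDOWS\system32\wevtutil.exe` entry does any work. The new `Image|endswith: '\AppData\Local\Temp\Sysmon.exe'` exclusion is keyed purely on a name under a user-writable folder; tying it to another attribute of the documented installer case (for example the parent's expected path) would keep the exclusion from covering any child that merely reuses that name.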
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml
@@ -1,7 +1,7 @@
 title: Rundll32 With Suspicious Parent Process
 id: 1723e720-616d-4ddc-ab02-f7e3685a4713
 status: experimental
-description: Detects suspicious start of rundll32.exe with a parent process of Explorer.exe. Variant of Raspberry Robin, as first reported by Red Canary. Does not detect explorer executing rundll32.exe with a DLL already present in the system folder.
+description: Detects suspicious start of rundll32.exe with a parent process of Explorer.exe. Variant of Raspberry Robin, as first reported by Red Canary.
 references:
 - https://redcanary.com/blog/raspberry-robin/
 - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
From 2b9048b6c832a9f2a9dec90330db8d65da4e643e Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 16 Dec 2022 17:09:34 +0100
Subject: [PATCH 200/303] fix: update detection logic
---
 .../proc_creation_win_rundll32_parent_explorer.yml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml b/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml
index 94a6a90ff..f1b485722 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml
@@ -18,9 +18,7 @@ detection:
 Image|endswith: '\rundll32.exe'
 ParentImage|endswith: '\explorer.exe'
 filter:
- - CommandLine|contains: '\shell32.dll,OpenAs_RunDLL'
- - CommandLine|contains: 'rundll32.exe" C:\Windows\System32\'
- - CommandLine|contains: 'rundll32.exe C:\Windows\System32\'
+ CommandLine|contains: ' C:\Windows\System32\' # The space at the start is required
 condition: selection and not filter
 fields:
 - Image
From c67960d1629117bdcfa428a996ed8133b7680975 Mon Sep 17 00:00:00 2001
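Review bot: The single replacement filter `CommandLine|contains: ' C:\Windows\System32\'` matches the substring in any argument position, whereas the two dropped entries `rundll32.exe" C:\Windows\System32\` and `rundll32.exe C:\Windows\System32\` anchored the path to the DLL operand; the simplification therefore also excludes invocations whose DLL lives elsewhere but whose later arguments reference a System32 path. If that trade-off is intended, say so in the comment, e.g. `# The leading space is required; intentionally matches a System32 path anywhere on the command line`. PATCH 199 on this same line removed the description sentence about not detecting DLLs already present in the system folder, yet this filter still implies exactly that limitation, so the sentence could be restored.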
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 16 Dec 2022 17:46:35 +0100
Subject: [PATCH 201/303] fix: update logic
---
 ..._creation_win_powershell_xor_commandline.yml | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml b/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml
index 2ecee013f..6d37c0cf8 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands.
 author: Sami Ruohonen, Harish Segar (improvement), Tim Shelton
 date: 2018/09/05
-modified: 2022/11/18
+modified: 2022/12/16
 tags:
 - attack.defense_evasion
 - attack.t1059.001
@@ -14,10 +14,11 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection:
+ selection_metadata:
+ - Image|endswith: '\powershell.exe'
 - Description: 'Windows PowerShell'
 - Product: 'PowerShell Core 6'
- filter:
+ selection_cli:
 CommandLine|contains:
 - 'bxor'
 - '-join '
@@ -25,10 +26,14 @@ detection:
 - '-join"'
 - '-join`'
 - 'char'
- false_positives:
+ filter_amazon:
 ParentImage: 'C:\Program Files\Amazon\SSM\ssm-document-worker.exe'
- CommandLine|contains: 'function Convert-GuidToCompressedGuid'
- condition: selection and filter and not false_positives
+ filter_powershell_script:
+ CommandLine|contains|all:
+ # Example: https://github.com/SigmaHQ/sigma/pull/3717#issue-1455440560
+ - 'function Convert-GuidToCompressedGuid'
+ - 'ValueFromPipelineByPropertyName'
+ condition: all of selection_* and not 1 of filter_*
 falsepositives:
 - Unknown
 level: medium
From 1e2cd1655e6e03287cde82e7132dbfb53529f361 Mon Sep 17 00:00:00 2001
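Review bot: `selection_cli` is an OR list, so under `condition: all of selection_* and not 1 of filter_*` a PowerShell command line containing only `-join ` or `char` fires the rule even though the title and description are about `bxor` obfuscation; `char` in particular is a substring of ordinary words. If bxor is the anchor, split the list into `selection_cli_bxor: CommandLine|contains: 'bxor'` and `selection_cli_join:` holding the `-join`/`char` variants, leaving the condition as is so that `all of selection_*` requires both. Renaming the old `filter` selection (which was really part of the match) to `selection_cli` and `false_positives` to `filter_*` makes the logic readable.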
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 16 Dec 2022 17:59:24 +0100
Subject: [PATCH 202/303] fix: add more filters and update image field
---
 .../proc_creation_win_powershell_xor_commandline.yml | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml b/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml
index 6d37c0cf8..70e2f2766 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml
@@ -15,7 +15,12 @@ logsource:
 product: windows
 detection:
 selection_metadata:
- - Image|endswith: '\powershell.exe'
+ - Image|endswith:
+ - '\powershell.exe'
+ - '\pwsh.exe'
+ - OriginalFileName:
+ - 'PowerShell.EXE'
+ - 'pwsh.dll'
 - Description: 'Windows PowerShell'
 - Product: 'PowerShell Core 6'
 selection_cli:
@@ -30,9 +35,12 @@ detection:
 ParentImage: 'C:\Program Files\Amazon\SSM\ssm-document-worker.exe'
 filter_powershell_script:
 CommandLine|contains|all:
+ # Script part of Amazon SSM worker (But the parent is empty - see example linked below)
 # Example: https://github.com/SigmaHQ/sigma/pull/3717#issue-1455440560
 - 'function Convert-GuidToCompressedGuid'
 - 'ValueFromPipelineByPropertyName'
+ - '::ParseExact('
+ - 'KB[000000-999999]'
 condition: all of selection_* and not 1 of filter_*
 falsepositives:
 - Unknown
From dbe3c80dd3a830aa2ca547a70437f0c065051867 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 16 Dec 2022 18:50:38 +0100
Subject: [PATCH 203/303] fix: fp found with baseline
---
 .../proc_creation_win_susp_child_process_as_system_.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml b/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml
index 093c1ff8a..7ed781e45 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_child_process_as_system_.yml
@@ -22,6 +22,9 @@ detection:
 ParentUser|contains:
 - 'AUTHORI'
 - 'AUTORI'
+ ParentUser|endswith:
+ - '\NETWORK SERVICE'
+ - '\LOCAL SERVICE'
 User|contains: # covers many language settings
 - 'AUTHORI'
 - 'AUTORI'
From a6062235683253ceae76de31088df17195dd2cd9 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 16 Dec 2022 19:47:13 +0100
Subject: [PATCH 204/303] fix: add missing filename to the logic
---
 .../file_event_win_wermgr_local_privilege_escalation.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rules/windows/file/file_event/file_event_win_wermgr_local_privilege_escalation.yml b/rules/windows/file/file_event/file_event_win_wermgr_local_privilege_escalation.yml
index f455614ba..e7c83ae61 100644
--- a/rules/windows/file/file_event/file_event_win_wermgr_local_privilege_escalation.yml
+++ b/rules/windows/file/file_event/file_event_win_wermgr_local_privilege_escalation.yml
@@ -16,6 +16,7 @@ logsource:
 detection:
 selection:
 TargetFilename|startswith: 'C:\windows\system32\wermgr.exe.local\'
+ TargetFilename|endswith: '\comctl32.dll'
 condition: selection
 falsepositives:
 - Unknown
From 021499e6ef55b3cb370755089e0e657b9c7b6e1b Mon Sep 17 00:00:00 2001
From: orenebahar <109508385+orenebahar@users.noreply.github.com>
Date: Sun, 18 Dec 2022 12:13:29 +0000
Subject: [PATCH 205/303] Update net_connection_win_malware_backconnect_ports.yml
Add description about the right event ID in sysmon configuration
---
 .../net_connection_win_malware_backconnect_ports.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
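Review bot: The added `ParentUser|endswith` pair restores the low-privilege-parent requirement, but only for the English account names, while the `User|endswith` block right below already carries localized SYSTEM names (`\Système`, `\СИСТЕМА`) and the pre-PATCH-198 version of this rule had a French `AUTORITE NT\` entry. On hosts with non-English language settings the parent will not end with `\NETWORK SERVICE` or `\LOCAL SERVICE`, so the rule goes quiet there. Add the localized service account names for the languages the `User` fields cover, or at least mark the gap with `# English account names only; localized variants still to be added`.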
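Review bot: With `TargetFilename|endswith: '\comctl32.dll'` added, the rule now fires only when that specific DLL is written under the `.local` folder, but the title and description still speak of detecting creation of the `Wermgr.Exe.Local` folder itself; update the description to say that it is the drop of `comctl32.dll` into `System32\wermgr.exe.local\` that is detected. The narrowing also means any other file dropped into that folder is no longer reported; if that is deliberate it deserves a comment, since the image_load rule from PATCH 198 is then the only remaining coverage. The rest of the rule body is outside this hunk.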
diff --git a/rules/windows/network_connection/net_connection_win_malware_backconnect_ports.yml b/rules/windows/network_connection/net_connection_win_malware_backconnect_ports.yml
index b52f0ede2..b643d1ae5 100755
--- a/rules/windows/network_connection/net_connection_win_malware_backconnect_ports.yml
+++ b/rules/windows/network_connection/net_connection_win_malware_backconnect_ports.yml
@@ -13,7 +13,8 @@ tags:
 logsource:
 category: network_connection
 product: windows
- definition: 'Use the following config to generate the necessary Event ID 10 Process Access events: VBE7.DLLUNKNOWN'
+ # definition: 'Use the following config to generate the necessary Event ID 10 Process Access events: VBE7.DLLUNKNOWN'
+ definition: 'Event ID 3 - Network Connection'
 detection:
 selection:
 Initiated: 'true'
From 3f6bcb6ceecd0466b306a870ad34ccc06102917d Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Sun, 18 Dec 2022 15:07:47 +0100
Subject: [PATCH 206/303] fix: fp found in testing
---
 ...in_iis_service_account_password_dumped.yml | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml b/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml
index 2616aca73..78a67801a 100644
--- a/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml
+++ b/rules/windows/process_creation/proc_creation_win_iis_service_account_password_dumped.yml
@@ -8,7 +8,7 @@ references:
 - https://www.netspi.com/blog/technical/network-penetration-testing/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/
 author: Tim Rauch, Janantha Marasinghe
 date: 2022/11/08
-modified: 2022/12/06
+modified: 2022/12/17
 tags:
 - attack.credential_access
 - attack.t1003
@@ -16,18 +16,25 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection_name:
+ selection_base_name:
 - Image|endswith: '\appcmd.exe'
 - OriginalFilename: 'appcmd.exe'
- selection_list:
+ selection_base_list:
 CommandLine|contains: 'list '
- selection_cmd:
+ selection_standalone:
+ CommandLine|contains:
+ - ' /config' # https://pbs.twimg.com/media/FgydDAJWIAEio34?format=png&name=900x900
+ - ' /xml'
+ selection_cmd_flags:
 CommandLine|contains:
 - ' /@t' # Covers both "/@text:*" and "/@t:*"
 - ' /text'
 - ' /show'
- - ' /config'
- condition: all of selection_*
+ selection_cmd_grep:
+ CommandLine|contains:
+ - ':\*'
+ - 'password'
+ condition: all of selection_base_* and (selection_standalone or all of selection_cmd_*)
 falsepositives:
 - Unknown
 level: high
From 1882a4a0c2360521d068b7d01b5f1a814b3a67fc Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Sun, 18 Dec 2022 15:24:58 +0100
Subject: [PATCH 207/303] fix: remove unnecessary definition
---
 .../net_connection_win_malware_backconnect_ports.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/rules/windows/network_connection/net_connection_win_malware_backconnect_ports.yml b/rules/windows/network_connection/net_connection_win_malware_backconnect_ports.yml
index b643d1ae5..a0af40626 100755
--- a/rules/windows/network_connection/net_connection_win_malware_backconnect_ports.yml
+++ b/rules/windows/network_connection/net_connection_win_malware_backconnect_ports.yml
@@ -13,8 +13,6 @@ tags:
 logsource:
 category: network_connection
 product: windows
- # definition: 'Use the following config to generate the necessary Event ID 10 Process Access events: VBE7.DLLUNKNOWN'
- definition: 'Event ID 3 - Network Connection'
 detection:
 selection:
 Initiated: 'true'
From 1ccee514e2d74c60f5472c8942dfc0d9d449bee0 Mon Sep 17 00:00:00 2001
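Review bot: The inline comment on `' /config'` points at a `pbs.twimg.com` image, which is neither durable nor reviewable; move the source into `references` and state in the comment what it evidences, e.g. `# "list <object> /config" prints the full configuration, where the rule expects credentials to appear`. The new condition `all of selection_base_* and (selection_standalone or all of selection_cmd_*)` is correct but dense; a one-line comment above it naming which branch covers which invocation style (`/config` or `/xml` alone versus `/text`/`/show` combined with `:*` or `password`) would help the next maintainer.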
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Sun, 18 Dec 2022 20:55:32 +0100
Subject: [PATCH 208/303] feat: add duplicate titles test
---
 ...invoke_obfuscation_via_rundll_services.yml | 2 +-
 tests/test_rules.py | 25 ++++++++++++++++---
 2 files changed, 22 insertions(+), 5 deletions(-)
diff --git a/rules-unsupported/driver_load_invoke_obfuscation_via_rundll_services.yml b/rules-unsupported/driver_load_invoke_obfuscation_via_rundll_services.yml
index 04fbe6eb0..266ac8c68 100644
--- a/rules-unsupported/driver_load_invoke_obfuscation_via_rundll_services.yml
+++ b/rules-unsupported/driver_load_invoke_obfuscation_via_rundll_services.yml
@@ -20,7 +20,7 @@ detection:
 - 'shell32.dll'
 - 'shellexec_rundll'
 - 'powershell'
- condition: selection
+ condition: selection
 falsepositives:
 - Unknown
 level: medium
diff --git a/tests/test_rules.py b/tests/test_rules.py
index b58d0884a..86db54ecd 100755
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
@@ -764,12 +764,10 @@ class TestRules(unittest.TestCase):
 faulty_rules.append(file)
 continue
 elif len(title) > 70:
- print(
- Fore.YELLOW + "Rule {} has a title field with too many characters (>70)".format(file))
+ print(Fore.YELLOW + "Rule {} has a title field with too many characters (>70)".format(file))
 faulty_rules.append(file)
 if title.startswith("Detects "):
- print(
- Fore.RED + "Rule {} has a title that starts with 'Detects'".format(file))
+ print(Fore.RED + "Rule {} has a title that starts with 'Detects'".format(file))
 faulty_rules.append(file)
 if title.endswith("."):
 print(Fore.RED + "Rule {} has a title that ends with '.'".format(file))
@@ -806,6 +804,25 @@ class TestRules(unittest.TestCase): self.assertEqual(faulty_rules, [], Fore.RED + "There are rules without the 'title' attribute in their first line.") + def test_duplicate_titles(self): + # This test ensure that every rule has a unique title + faulty_rules = [] + titles_dict = {} + for file in self.yield_next_rule_file_path(self.path_to_rules): + title = self.get_rule_part(file_path=file, part_name="title").lower().rstrip() + duplicate = False + for rule, title_ in titles_dict.items(): + if title == title_: + print(Fore.RED + "Rule {} has an already used title in {}.".format(file, rule)) + duplicate = True + faulty_rules.append(file) + continue + if not duplicate: + titles_dict[file] = title + + self.assertEqual(faulty_rules, [], Fore.RED + + "There are rules with already used 'title'. Please check: https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide#title") + def test_invalid_logsource_attributes(self): faulty_rules = [] valid_logsource = [ From 646351808ec3e59166d465535946aee2b196b50c Mon Sep 17 00:00:00 2001 
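Review bot: The inner `for rule, title_ in titles_dict.items()` loop in `test_duplicate_titles` rescans every recorded title for each rule file, and the `continue` after `faulty_rules.append(file)` only advances that inner loop, so it neither stops the scan nor serves any purpose; keying the dict by the normalized title gives a single O(1) lookup and makes the one-entry-per-title invariant explicit. The `.lower().rstrip()` chain also assumes `get_rule_part` never returns `None` for a rule without a title; if it can, this test dies with `AttributeError` instead of a readable failure, presumably masked by `test_missing_title` running first, which is worth confirming. The enclosing `TestRules` class starts before the hunk.
```python
    def test_duplicate_titles(self):
        # This test ensures that every rule has a unique title
        faulty_rules = []
        titles_dict = {}  # normalized title -> first rule file that used it
        for file in self.yield_next_rule_file_path(self.path_to_rules):
            title = self.get_rule_part(file_path=file, part_name="title").lower().rstrip()
            if title in titles_dict:
                print(Fore.RED + "Rule {} has an already used title in {}.".format(file, titles_dict[title]))
                faulty_rules.append(file)
            else:
                titles_dict[title] = file

        # … unchanged: assertEqual on faulty_rules …
```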
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 18 Dec 2022 21:00:14 +0100 Subject: [PATCH 209/303] Refractor (#3794) Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> --- ...napi_in_powershell_credentials_dumping.yml | 4 +-- .../sysmon_dcom_iertutil_dll_hijack.yml | 6 ++-- .../antivirus/av_relevant_files.yml | 8 ++--- ...ssed_role_to_glue_development_endpoint.yml | 19 +++++------ rules/cloud/aws/aws_susp_saml_activity.yml | 16 +++++----- .../azure_kubernetes_admission_controller.yml | 15 ++++----- .../cloud/azure/azure_kubernetes_cronjob.yml | 15 ++++----- rules/cloud/azure/azure_mfa_interrupted.yml | 7 ++-- ...re_unusual_authentication_interruption.yml | 9 +++--- .../gcp_kubernetes_admission_controller.yml | 17 ++++------ ...itd_cve_2021_3156_sudo_buffer_overflow.yml | 32 ++++++++----------- .../lnx_auditd_keylogging_with_pam_d.yml | 8 ++--- .../auditd/lnx_auditd_network_sniffing.yml | 8 ++--- .../lnx_auditd_password_policy_discovery.yml | 10 +++--- .../auditd/lnx_auditd_screencaputre_xwd.yml | 6 ++-- .../lnx_auditd_system_info_discovery.yml | 8 ++--- ...napi_in_powershell_credentials_dumping.yml | 30 +++++++++++++++++ ...ile_event_win_dcom_iertutil_dll_hijack.yml | 29 +++++++++++++++++ .../image_load_dcom_iertutil_dll_hijack.yml | 29 +++++++++++++++++ ...napi_in_powershell_credentials_dumping.yml | 30 +++++++++++++++++ .../proc_creation_win_apt_unc2452_cmds.yml | 12 +++---- ..._powershell_cmdline_special_characters.yml | 14 ++++---- .../proc_creation_win_renamed_jusched.yml | 12 +++---- ...susp_servu_exploitation_cve_2021_35211.yml | 10 +++--- 24 files changed, 228 insertions(+), 126 deletions(-) rename {rules/windows/sysmon => rules-deprecated/windows}/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml (94%) rename {rules/windows/sysmon => rules-deprecated/windows}/sysmon_dcom_iertutil_dll_hijack.yml (92%) create mode 100644 
rules/windows/create_remote_thread/create_remote_thread_winapi_in_powershell_credentials_dumping.yml create mode 100644 rules/windows/file/file_event/file_event_win_dcom_iertutil_dll_hijack.yml create mode 100644 rules/windows/image_load/image_load_dcom_iertutil_dll_hijack.yml create mode 100644 rules/windows/process_access/process_access_winapi_in_powershell_credentials_dumping.yml diff --git a/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml b/rules-deprecated/windows/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml similarity index 94% rename from rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml rename to rules-deprecated/windows/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml index 4e9cb06cb..b031cd481 100644 --- a/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml +++ b/rules-deprecated/windows/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml @@ -1,12 +1,12 @@ title: Accessing WinAPI in PowerShell for Credentials Dumping id: 3f07b9d1-2082-4c56-9277-613a621983cc -status: experimental +status: deprecated description: Detects Accessing to lsass.exe by Powershell references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse author: oscd.community, Natalia Shornikova date: 2020/10/06 -modified: 2022/07/14 +modified: 2022/12/18 tags: - attack.credential_access - attack.t1003.001 diff --git a/rules/windows/sysmon/sysmon_dcom_iertutil_dll_hijack.yml b/rules-deprecated/windows/sysmon_dcom_iertutil_dll_hijack.yml similarity index 92% rename from rules/windows/sysmon/sysmon_dcom_iertutil_dll_hijack.yml rename to rules-deprecated/windows/sysmon_dcom_iertutil_dll_hijack.yml index dc777781b..d53e7b71e 100644 --- a/rules/windows/sysmon/sysmon_dcom_iertutil_dll_hijack.yml +++ b/rules-deprecated/windows/sysmon_dcom_iertutil_dll_hijack.yml 
@@ -1,12 +1,12 @@ title: DCOM InternetExplorer.Application Iertutil DLL Hijack - Sysmon id: e554f142-5cf3-4e55-ace9-a1b59e0def65 -status: test +status: deprecated description: Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program Files\Internet Explorer\` directory over the network and loading it for a DCOM InternetExplorer DLL Hijack scenario. references: - https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009183000.html author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga date: 2020/10/12 -modified: 2022/11/26 +modified: 2022/12/18 tags: - attack.lateral_movement - attack.t1021.002 @@ -23,7 +23,7 @@ detection: EventID: 7 Image|endswith: '\Internet Explorer\iexplore.exe' ImageLoaded|endswith: '\Internet Explorer\iertutil.dll' - condition: selection_one or selection_two + condition: 1 of selection_* falsepositives: - Unknown level: critical diff --git a/rules/application/antivirus/av_relevant_files.yml b/rules/application/antivirus/av_relevant_files.yml index 7caa873ba..eb6a4ef3a 100644 --- a/rules/application/antivirus/av_relevant_files.yml +++ b/rules/application/antivirus/av_relevant_files.yml @@ -6,14 +6,14 @@ references: - https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/ author: Florian Roth, Arnim Rupp date: 2018/09/09 -modified: 2021/11/23 +modified: 2022/12/18 tags: - attack.resource_development - attack.t1588 logsource: category: antivirus detection: - selection: + selection_path: - Filename|startswith: - 'C:\Windows\' - 'C:\Temp\' @@ -29,7 +29,7 @@ detection: - 'tomcat' - 'nginx' - 'weblogic' - selection2: + selection_ext: Filename|endswith: - '.asax' - '.ashx' @@ -69,7 +69,7 @@ detection: - '.wsf' - '.wsh' - '.xml' - condition: selection or selection2 + condition: 1 of selection_* fields: - Signature - User 
diff --git a/rules/cloud/aws/aws_passed_role_to_glue_development_endpoint.yml b/rules/cloud/aws/aws_passed_role_to_glue_development_endpoint.yml index 04e2d099a..95ef3b65e 100644 --- a/rules/cloud/aws/aws_passed_role_to_glue_development_endpoint.yml +++ b/rules/cloud/aws/aws_passed_role_to_glue_development_endpoint.yml @@ -7,23 +7,20 @@ references: - https://docs.aws.amazon.com/glue/latest/webapi/API_CreateDevEndpoint.html author: Austin Songer @austinsonger date: 2021/10/03 -modified: 2021/10/13 +modified: 2022/12/18 tags: - attack.privilege_escalation logsource: product: aws service: cloudtrail detection: - selection1: - eventSource: glue.amazonaws.com - eventName: CreateDevEndpoint - selection2: - eventSource: glue.amazonaws.com - eventName: DeleteDevEndpoint - selection3: - eventSource: glue.amazonaws.com - eventName: UpdateDevEndpoint - condition: selection1 or selection2 or selection3 + selection: + eventSource: 'glue.amazonaws.com' + eventName: + - 'CreateDevEndpoint' + - 'DeleteDevEndpoint' + - 'UpdateDevEndpoint' + condition: selection falsepositives: - Glue Development Endpoint Activity may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - If known behavior is causing false positives, it can be exempted from the rule. diff --git a/rules/cloud/aws/aws_susp_saml_activity.yml b/rules/cloud/aws/aws_susp_saml_activity.yml index e97a2be62..531596e17 100644 --- a/rules/cloud/aws/aws_susp_saml_activity.yml +++ b/rules/cloud/aws/aws_susp_saml_activity.yml @@ -7,7 +7,7 @@ references: - https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html author: Austin Songer date: 2021/09/22 -modified: 2022/10/09 +modified: 2022/12/18 tags: - attack.initial_access - attack.t1078 
@@ -20,13 +20,13 @@ logsource: product: aws service: cloudtrail detection: - selection1: - eventSource: sts.amazonaws.com - eventName: AssumeRoleWithSAML - selection2: - eventSource: iam.amazonaws.com - eventName: UpdateSAMLProvider - condition: selection1 or selection2 + selection_sts: + eventSource: 'sts.amazonaws.com' + eventName: 'AssumeRoleWithSAML' + selection_iam: + eventSource: 'iam.amazonaws.com' + eventName: 'UpdateSAMLProvider' + condition: 1 of selection_* falsepositives: - Automated processes that uses Terraform may lead to false positives. - SAML Provider could be updated by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. diff --git a/rules/cloud/azure/azure_kubernetes_admission_controller.yml b/rules/cloud/azure/azure_kubernetes_admission_controller.yml index b9eeb44b6..10bbbe188 100644 --- a/rules/cloud/azure/azure_kubernetes_admission_controller.yml +++ b/rules/cloud/azure/azure_kubernetes_admission_controller.yml @@ -13,7 +13,7 @@ references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes author: Austin Songer @austinsonger date: 2021/11/25 -modified: 2022/08/23 +modified: 2022/12/18 tags: - attack.persistence - attack.t1078 
@@ -24,17 +24,14 @@ logsource: product: azure service: activitylogs detection: - selection1: - operationName|startswith: 'MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO' + selection: + operationName|startswith: + - 'MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO' + - 'MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO' operationName|endswith: - '/MUTATINGWEBHOOKCONFIGURATIONS/WRITE' - '/VALIDATINGWEBHOOKCONFIGURATIONS/WRITE' - selection2: - operationName|startswith: 'MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO' - operationName|endswith: - - '/MUTATINGWEBHOOKCONFIGURATIONS/WRITE' - - '/VALIDATINGWEBHOOKCONFIGURATIONS/WRITE' - condition: selection1 or selection2 + condition: selection falsepositives: - Azure Kubernetes Admissions Controller may be done by a system administrator. - If known behavior is causing false positives, it can be exempted from the rule. diff --git a/rules/cloud/azure/azure_kubernetes_cronjob.yml b/rules/cloud/azure/azure_kubernetes_cronjob.yml index 2cec75874..dfd53d5b8 100644 --- a/rules/cloud/azure/azure_kubernetes_cronjob.yml +++ b/rules/cloud/azure/azure_kubernetes_cronjob.yml @@ -12,7 +12,7 @@ references: - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ author: Austin Songer @austinsonger date: 2021/11/22 -modified: 2022/08/23 +modified: 2022/12/18 tags: - attack.persistence - attack.privilege_escalation 
@@ -21,17 +21,14 @@ logsource: product: azure service: activitylogs detection: - selection1: - operationName|startswith: 'MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/BATCH' + selection: + operationName|startswith: + - 'MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/BATCH' + - 'MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/BATCH' operationName|endswith: - '/CRONJOBS/WRITE' - '/JOBS/WRITE' - selection2: - operationName|startswith: 'MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/BATCH' - operationName|endswith: - - '/CRONJOBS/WRITE' - - '/JOBS/WRITE' - condition: selection1 or selection2 + condition: selection falsepositives: - Azure Kubernetes CronJob/Job may be done by a system administrator. - If known behavior is causing false positives, it can be exempted from the rule. diff --git a/rules/cloud/azure/azure_mfa_interrupted.yml b/rules/cloud/azure/azure_mfa_interrupted.yml index 09b969dc3..4685828d0 100644 --- a/rules/cloud/azure/azure_mfa_interrupted.yml +++ b/rules/cloud/azure/azure_mfa_interrupted.yml @@ -6,6 +6,7 @@ references: - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts author: AlertIQ date: 2021/10/10 +modified: 2022/12/18 tags: - attack.initial_access - attack.t1078.004 @@ -13,13 +14,13 @@ logsource: product: azure service: signinlogs detection: - selection: + selection_50074: ResultType: 50074 ResultDescription|contains: 'Strong Auth required' - selection1: + selection_500121: ResultType: 500121 ResultDescription|contains: 'Authentication failed during strong authentication request' - condition: selection or selection1 + condition: 1 of selection_* falsepositives: - Unknown level: medium diff --git a/rules/cloud/azure/azure_unusual_authentication_interruption.yml b/rules/cloud/azure/azure_unusual_authentication_interruption.yml index 2d867f7be..f500f32a5 100644 --- a/rules/cloud/azure/azure_unusual_authentication_interruption.yml +++ b/rules/cloud/azure/azure_unusual_authentication_interruption.yml 
@@ -6,6 +6,7 @@ references: - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts author: Austin Songer @austinsonger date: 2021/11/26 +modified: 2022/12/18 tags: - attack.initial_access - attack.t1078 @@ -13,16 +14,16 @@ logsource: product: azure service: signinlogs detection: - selection1: + selection_50097: ResultType: 50097 ResultDescription: 'Device authentication is required' - selection2: + selection_50155: ResultType: 50155 ResultDescription: 'DeviceAuthenticationFailed' - selection3: + selection_50158: ResultType: 50158 ResultDescription: 'ExternalSecurityChallenge - External security challenge was not satisfied' - condition: selection1 or selection2 or selection3 + condition: 1 of selection_* falsepositives: - Unknown level: medium diff --git a/rules/cloud/gcp/gcp_kubernetes_admission_controller.yml b/rules/cloud/gcp/gcp_kubernetes_admission_controller.yml index e78d76b2d..2f3f2c6e3 100644 --- a/rules/cloud/gcp/gcp_kubernetes_admission_controller.yml +++ b/rules/cloud/gcp/gcp_kubernetes_admission_controller.yml @@ -12,7 +12,7 @@ references: - https://cloud.google.com/kubernetes-engine/docs author: Austin Songer @austinsonger date: 2021/11/25 -modified: 2021/11/26 +modified: 2022/12/18 tags: - attack.persistence - attack.t1078 
@@ -23,19 +23,16 @@ logsource: product: gcp service: gcp.audit detection: - selection1: - gcp.audit.method_name|startswith: 'admissionregistration.k8s.io.v*.mutatingwebhookconfigurations.' + selection: + gcp.audit.method_name|startswith: 'admissionregistration.k8s.io.v' + gcp.audit.method_name|contains: + - '.mutatingwebhookconfigurations.' + - '.validatingwebhookconfigurations.' gcp.audit.method_name|endswith: - 'create' - 'patch' - 'replace' - selection2: - gcp.audit.method_name|startswith: 'admissionregistration.k8s.io.v*.validatingwebhookconfigurations.' - gcp.audit.method_name|endswith: - - 'create' - - 'patch' - - 'replace' - condition: selection1 or selection2 + condition: selection falsepositives: - Google Cloud Kubernetes Admission Controller may be done by a system administrator. - If known behavior is causing false positives, it can be exempted from the rule. diff --git a/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml b/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml index 42678145f..45bb7de35 100644 --- a/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml +++ b/rules/linux/auditd/lnx_auditd_cve_2021_3156_sudo_buffer_overflow.yml @@ -9,7 +9,7 @@ references: - https://blog.qualys.com/vulnerabilities-research/2021/01/26/cve-2021-3156-heap-based-buffer-overflow-in-sudo-baron-samedit author: Bhabesh Raj date: 2021/02/01 -modified: 2022/10/09 +modified: 2022/12/18 tags: - attack.privilege_escalation - attack.t1068 
@@ -18,26 +18,20 @@ logsource: product: linux service: auditd detection: - selection: + cmd_base: type: 'EXECVE' a0: '/usr/bin/sudoedit' - cmd1: - a1: '-s' - cmd2: - a2: '-s' - cmd3: - a3: '-s' - cmd4: - a4: '-s' - cmd5: - a1: '\' - cmd6: - a2: '\' - cmd7: - a3: '\' - cmd8: - a4: '\' - condition: selection and (cmd1 or cmd2 or cmd3 or cmd4) and (cmd5 or cmd6 or cmd7 or cmd8) | count() by host > 50 + cmd_s: + - a1: '-s' + - a2: '-s' + - a3: '-s' + - a4: '-s' + cmd_backslash: + - a1: '\' + - a2: '\' + - a3: '\' + - a4: '\' + condition: all of cmd_* | count() by host > 50 falsepositives: - Unknown level: high diff --git a/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml b/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml index c946fd66c..39db6d496 100644 --- a/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml +++ b/rules/linux/auditd/lnx_auditd_keylogging_with_pam_d.yml @@ -10,7 +10,7 @@ references: - https://access.redhat.com/articles/4409591#audit-record-types-2 author: 'Pawel Mazur' date: 2021/05/24 -modified: 2022/10/09 +modified: 2022/12/18 tags: - attack.credential_access - attack.t1003 @@ -19,16 +19,16 @@ logsource: product: linux service: auditd detection: - path_events: + selection_path_events: type: PATH name: - '/etc/pam.d/system-auth' - '/etc/pam.d/password-auth' - tty_events: + selection_tty_events: type: - 'TTY' - 'USER_TTY' - condition: path_events or tty_events + condition: 1 of selection_* falsepositives: - Administrative work level: high diff --git a/rules/linux/auditd/lnx_auditd_network_sniffing.yml b/rules/linux/auditd/lnx_auditd_network_sniffing.yml index ea8cdd3e6..f0b51e629 100644 --- a/rules/linux/auditd/lnx_auditd_network_sniffing.yml +++ b/rules/linux/auditd/lnx_auditd_network_sniffing.yml 
@@ -8,7 +8,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md author: Timur Zinniatullin, oscd.community date: 2019/10/21 -modified: 2022/11/26 +modified: 2022/12/18 tags: - attack.credential_access - attack.discovery @@ -17,17 +17,17 @@ logsource: product: linux service: auditd detection: - selection1: + selection_1: type: 'execve' a0: 'tcpdump' a1: '-c' a3|contains: '-i' - selection2: + selection_2: type: 'execve' a0: 'tshark' a1: '-c' a3: '-i' - condition: selection1 or selection2 + condition: 1 of selection_* falsepositives: - Legitimate administrator or user uses network sniffing tool for legitimate reasons. level: low diff --git a/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml b/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml index d2fc4eefb..e3c0abbad 100644 --- a/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml +++ b/rules/linux/auditd/lnx_auditd_password_policy_discovery.yml @@ -10,7 +10,7 @@ references: - https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu author: Ömer Günal, oscd.community, Pawel Mazur date: 2020/10/08 -modified: 2021/11/12 +modified: 2022/12/18 tags: - attack.discovery - attack.t1201 @@ -18,26 +18,26 @@ logsource: product: linux service: auditd detection: - files: + selection_files: type: 'PATH' name: - '/etc/pam.d/common-password' - '/etc/security/pwquality.conf' - '/etc/pam.d/system-auth' - '/etc/login.defs' - chage: + selection_chage: type: 'EXECVE' a0: 'chage' a1: - '--list' - '-l' - passwd: + selection_passwd: type: 'EXECVE' a0: 'passwd' a1: - '-S' - '--status' - condition: files or chage or passwd + condition: 1 of selection_* falsepositives: - Legitimate administration activities level: low diff --git a/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml b/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml index 924c3cd21..b25f8a5ae 100644 
--- a/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml +++ b/rules/linux/auditd/lnx_auditd_screencaputre_xwd.yml @@ -8,7 +8,7 @@ references: - https://linux.die.net/man/1/xwd author: 'Pawel Mazur' date: 2021/09/13 -modified: 2022/10/09 +modified: 2022/12/18 tags: - attack.collection - attack.t1113 @@ -16,7 +16,7 @@ logsource: product: linux service: auditd detection: - xwd: + selection: type: EXECVE a0: xwd xwd_root_window: @@ -26,7 +26,7 @@ detection: xwd_no_root_window: a1: '-out' a2|endswith: '.xwd' - condition: xwd and (xwd_root_window or xwd_no_root_window) + condition: selection and 1 of xwd_* falsepositives: - Legitimate use of screenshot utility level: low diff --git a/rules/linux/auditd/lnx_auditd_system_info_discovery.yml b/rules/linux/auditd/lnx_auditd_system_info_discovery.yml index bece5830b..7c8906701 100644 --- a/rules/linux/auditd/lnx_auditd_system_info_discovery.yml +++ b/rules/linux/auditd/lnx_auditd_system_info_discovery.yml @@ -7,7 +7,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md author: 'Pawel Mazur' date: 2021/09/03 -modified: 2022/11/27 +modified: 2022/12/18 tags: - attack.discovery - attack.t1082 @@ -15,18 +15,18 @@ logsource: product: linux service: auditd detection: - selection: + selection_1: type: PATH name: - /etc/lsb-release - /etc/redhat-release - /etc/issue - selection2: + selection_2: type: EXECVE a0: - uname - uptime - condition: selection or selection2 + condition: 1 of selection_* falsepositives: - Legitimate administrative activity level: low diff --git a/rules/windows/create_remote_thread/create_remote_thread_winapi_in_powershell_credentials_dumping.yml b/rules/windows/create_remote_thread/create_remote_thread_winapi_in_powershell_credentials_dumping.yml new file mode 100644 index 000000000..b6ab658fb --- /dev/null +++ b/rules/windows/create_remote_thread/create_remote_thread_winapi_in_powershell_credentials_dumping.yml 
@@ -0,0 +1,30 @@ +title: Potential Credential Dumping Attempt Via PowerShell Remote Thread +id: fb656378-f909-47c1-8747-278bf09f4f4f +related: + - id: 3f07b9d1-2082-4c56-9277-613a621983cc + type: obsoletes + - id: 0f920ebe-7aea-4c54-b202-9aa0c609cfe5 + type: similar +status: experimental +description: Detects remote thread creation by PowerShell processes into "lsass.exe" +references: + - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse +author: oscd.community, Natalia Shornikova +date: 2020/10/06 +modified: 2022/12/18 +tags: + - attack.credential_access + - attack.t1003.001 +logsource: + product: windows + category: create_remote_thread +detection: + selection: + SourceImage|endswith: + - '\powershell.exe' + - '\pwsh.exe' + TargetImage|endswith: '\lsass.exe' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/file/file_event/file_event_win_dcom_iertutil_dll_hijack.yml b/rules/windows/file/file_event/file_event_win_dcom_iertutil_dll_hijack.yml new file mode 100644 index 000000000..3704cad95 --- /dev/null +++ b/rules/windows/file/file_event/file_event_win_dcom_iertutil_dll_hijack.yml 
@@ -0,0 +1,29 @@ +title: Potential DCOM InternetExplorer.Application DLL Hijack +id: 2f7979ae-f82b-45af-ac1d-2b10e93b0baa +related: + - id: e554f142-5cf3-4e55-ace9-a1b59e0def65 + type: obsoletes + - id: f354eba5-623b-450f-b073-0b5b2773b6aa + type: similar +status: test +description: Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class over the network +references: + - https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html +author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga +date: 2020/10/12 +modified: 2022/12/18 +tags: + - attack.lateral_movement + - attack.t1021.002 + - attack.t1021.003 +logsource: + product: windows + category: file_event +detection: + selection: + Image: System + TargetFilename|endswith: '\Internet Explorer\iertutil.dll' + condition: selection +falsepositives: + - Unknown +level: critical diff --git a/rules/windows/image_load/image_load_dcom_iertutil_dll_hijack.yml b/rules/windows/image_load/image_load_dcom_iertutil_dll_hijack.yml new file mode 100644 index 000000000..40dc3a5b3 --- /dev/null +++ b/rules/windows/image_load/image_load_dcom_iertutil_dll_hijack.yml 
@@ -0,0 +1,29 @@ +title: Potential DCOM InternetExplorer.Application DLL Hijack - Image Load +id: f354eba5-623b-450f-b073-0b5b2773b6aa +related: + - id: e554f142-5cf3-4e55-ace9-a1b59e0def65 + type: obsoletes + - id: 2f7979ae-f82b-45af-ac1d-2b10e93b0baa + type: similar +status: test +description: Detects potential DLL hijack of "iertutil.dll" found in the DCOM InternetExplorer.Application Class +references: + - https://threathunterplaybook.com/hunts/windows/201009-RemoteDCOMIErtUtilDLLHijack/notebook.html +author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga +date: 2020/10/12 +modified: 2022/12/18 +tags: + - attack.lateral_movement + - attack.t1021.002 + - attack.t1021.003 +logsource: + product: windows + category: image_load +detection: + selection: + Image|endswith: '\Internet Explorer\iexplore.exe' + ImageLoaded|endswith: '\Internet Explorer\iertutil.dll' + condition: selection +falsepositives: + - Unknown +level: critical diff --git a/rules/windows/process_access/process_access_winapi_in_powershell_credentials_dumping.yml b/rules/windows/process_access/process_access_winapi_in_powershell_credentials_dumping.yml new file mode 100644 index 000000000..67702b53f --- /dev/null +++ b/rules/windows/process_access/process_access_winapi_in_powershell_credentials_dumping.yml 
@@ -0,0 +1,30 @@ +title: Potential Credential Dumping Attempt Via PowerShell +id: 0f920ebe-7aea-4c54-b202-9aa0c609cfe5 +related: + - id: 3f07b9d1-2082-4c56-9277-613a621983cc + type: obsoletes + - id: fb656378-f909-47c1-8747-278bf09f4f4f + type: similar +status: experimental +description: Detects PowerShell processes requesting access to "lsass.exe" +references: + - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse +author: oscd.community, Natalia Shornikova +date: 2020/10/06 +modified: 2022/12/18 +tags: + - attack.credential_access + - attack.t1003.001 +logsource: + product: windows + category: process_access +detection: + selection: + SourceImage|endswith: + - '\powershell.exe' + - '\pwsh.exe' + TargetImage|endswith: '\lsass.exe' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/proc_creation_win_apt_unc2452_cmds.yml b/rules/windows/process_creation/proc_creation_win_apt_unc2452_cmds.yml index 69fc53568..3f2490a9c 100644 --- a/rules/windows/process_creation/proc_creation_win_apt_unc2452_cmds.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_unc2452_cmds.yml @@ -6,7 +6,7 @@ references: - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/ author: Florian Roth date: 2021/01/22 -modified: 2022/10/09 +modified: 2022/12/18 tags: - attack.execution - attack.t1059.001 @@ -16,9 +16,9 @@ logsource: category: process_creation product: windows detection: - selection1: + selection_1: CommandLine|contains: '7z.exe a -v500m -mx9 -r0 -p' - selection2: + selection_2: ParentCommandLine|contains|all: - 'wscript.exe' - '.vbs' 
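Review bot: The `selection` in the new process_access rule matches every handle a `powershell.exe`/`pwsh.exe` process opens to `lsass.exe`, with no constraint on the access rights requested, so routine process enumeration from PowerShell (for example `Get-Process`, which typically opens each process with query-only rights) will fire at level `high` while `falsepositives` says only `Unknown`. Narrowing the selection with a `GrantedAccess` clause limited to rights that include reading process memory, or at minimum listing the known benign sources under `falsepositives`, would keep the alert actionable. The sibling `create_remote_thread` rule added in this commit is less exposed, since remote thread creation into lsass has a far smaller benign baseline.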
@@ -26,11 +26,11 @@ detection: - 'rundll32.exe' - 'C:\Windows' - '.dll,Tk_' - selection3: + selection_3: ParentImage|endswith: '\rundll32.exe' ParentCommandLine|contains: 'C:\Windows' CommandLine|contains: 'cmd.exe /C ' - selection4: + selection_4: CommandLine|contains|all: - 'rundll32 c:\windows\' - '.dll ' @@ -41,7 +41,7 @@ detection: CommandLine: - ' ' - '' - condition: selection1 or selection2 or selection3 or selection4 or ( specific1 and not filter1 ) + condition: 1 of selection_* or ( specific1 and not filter1 ) falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml b/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml index 50d2c0e20..7161651e6 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml @@ -6,7 +6,7 @@ references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=64 author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp) date: 2020/10/15 -modified: 2022/07/14 +modified: 2022/12/18 tags: - attack.defense_evasion - attack.t1027 @@ -16,27 +16,27 @@ logsource: category: process_creation product: windows detection: - selection1: + selection_1: Image|endswith: - '\powershell.exe' - '\pwsh.exe' CommandLine|re: '.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*' - selection2: + selection_2: Image|endswith: - '\powershell.exe' - '\pwsh.exe' CommandLine|re: '.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*' - selection3: + selection_3: Image|endswith: - '\powershell.exe' - '\pwsh.exe' CommandLine|re: '.*\{.*\{.*\{.*\{.*\{.*' - selection4: + selection_4: Image|endswith: - '\powershell.exe' - '\pwsh.exe' CommandLine|re: '.*\^.*\^.*\^.*\^.*\^.*' - selection5: + selection_5: Image|endswith: - '\powershell.exe' - '\pwsh.exe' 
@@ -47,7 +47,7 @@ detection: CommandLine|contains: - 'new EventSource("Microsoft.Windows.Sense.Client.Management"' - 'public static extern bool InstallELAMCertificateInfo(SafeFileHandle handle);' - condition: (selection1 or selection2 or selection3 or selection4 or selection5) and not filter_amazonSSM and not (selection3 and filter_windef_atp) + condition: (1 of selection_*) and not filter_amazonSSM and not (selection_3 and filter_windef_atp) falsepositives: - Unlikely - Amazon SSM Document Worker # fp example: powershell " [Console]::OutputEncoding = [System.Text.Encoding]::UTF8 $keyExists = Test-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents" $jsonObj = @() if ($keyExists) { $key = Get-Item "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents" $valueNames = $key.GetValueNames(); foreach ($valueName in $valueNames) { $value = $key.GetValue($valueName); if ($value -gt 0) { $installed = "True" } else { $installed = "False" } $jsonObj += @" {"Name": "$valueName", "Installed": "$installed"} "@ } } $result = $jsonObj -join "," $result = "[" + $result + "]" [Console]::WriteLine($result) diff --git a/rules/windows/process_creation/proc_creation_win_renamed_jusched.yml b/rules/windows/process_creation/proc_creation_win_renamed_jusched.yml index 3dd0c383e..be59309af 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_jusched.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_jusched.yml @@ -6,7 +6,7 @@ references: - https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf author: Markus Neis, Swisscom date: 2019/06/04 -modified: 2021/11/27 +modified: 2022/12/18 tags: - attack.execution - attack.defense_evasion 
@@ -15,13 +15,13 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection1:
- Description: Java Update Scheduler
- selection2:
- Description: Java(TM) Update Scheduler
+ selection:
+ Description:
+ - Java Update Scheduler
+ - Java(TM) Update Scheduler
 filter:
 Image|endswith: '\jusched.exe'
- condition: (selection1 or selection2) and not filter
+ condition: selection and not filter
 falsepositives:
 - Unknown
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_servu_exploitation_cve_2021_35211.yml b/rules/windows/process_creation/proc_creation_win_susp_servu_exploitation_cve_2021_35211.yml
index 688ad4185..538c99dea 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_servu_exploitation_cve_2021_35211.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_servu_exploitation_cve_2021_35211.yml
@@ -6,7 +6,7 @@ references:
 - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
 author: Florian Roth
 date: 2021/07/14
-modified: 2022/10/09
+modified: 2022/12/18
 tags:
 - attack.persistence
 - attack.t1136.001
@@ -16,15 +16,15 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection1:
+ selection_whoami:
 CommandLine|contains: 'whoami'
- selection2:
+ selection_cmd_1:
 CommandLine|contains:
 - './Client/Common/'
 - '.\Client\Common\'
- selection3:
+ selection_cmd_2:
 CommandLine|contains: 'C:\Windows\Temp\Serv-U.bat'
- condition: selection1 and selection2 or selection3
+ condition: selection_whoami and 1 of selection_cmd*
 falsepositives:
 - Unlikely
 level: critical
From 238c18e4b78dd8cb66713a3dd19dbf0c2ae3c95b Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 19 Dec 2022 01:28:31 +0100
Subject: [PATCH 210/303] feat: update license
---
 LICENSE | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
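Review bot: The new condition `selection_whoami and 1 of selection_cmd*` in the `@@ -16,15 +16,15 @@` hunk of proc_creation_win_susp_servu_exploitation_cve_2021_35211.yml is not equivalent to the old `selection1 and selection2 or selection3`: with `and` binding tighter than `or`, the old expression read `(selection1 and selection2) or selection3`, so a command line containing `C:\Windows\Temp\Serv-U.bat` matched on its own, whereas the new one additionally requires `whoami` on that same command line. If the narrowing is intended, the rule should say so (a comment on the condition or a description update), since the only other change in this file is the `modified` date; if not, the equivalent rewrite is `condition: (selection_whoami and selection_cmd_1) or selection_cmd_2`. Either way, the `critical` level is kept while the rule's coverage has quietly shrunk, which is worth a second look.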
diff --git a/LICENSE b/LICENSE
index 0b9e352e3..7a04a9c9a 100644
--- a/LICENSE
+++ b/LICENSE
@@ -3,5 +3,5 @@ The content of this repository is released under the following licenses:
 - The toolchain (everything under tools/) is licensed under the GNU Lesser General Public License
-- The Sigma specification and the Sigma logo are public domain
-- The rules contained in the rules/ directory are released under the Detection Rule License (DRL) 1.1
+- The Sigma specification (https://github.com/SigmaHQ/sigma-specification) and the Sigma logo are public domain
+- The rules contained in the rules/ and rules-*/ directories are released under the Detection Rule License (DRL) 1.1
From 972720d42c56c2e788ef8e1b5e47d0f84fdacb7a Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 19 Dec 2022 10:17:49 +0100
Subject: [PATCH 211/303] fix: apply code review suggestion
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
---
 tests/test_rules.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/test_rules.py b/tests/test_rules.py
index 86db54ecd..d3a584334 100755
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
@@ -821,7 +821,7 @@ class TestRules(unittest.TestCase):
 titles_dict[file] = title
 self.assertEqual(faulty_rules, [], Fore.RED +
- "There are rules with already used 'title'. Please check: https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide#title")
+ "There are rules that share the same 'title'. Please check: https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide#title")
 def test_invalid_logsource_attributes(self):
 faulty_rules = []
From 4bb01e4cc163b065b0159136a6aa10784615103c Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 19 Dec 2022 10:19:43 +0100
Subject: [PATCH 212/303] fix: update license wording
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
---
 LICENSE | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/LICENSE b/LICENSE
index 7a04a9c9a..2c06c4bed 100644
--- a/LICENSE
+++ b/LICENSE
@@ -4,4 +4,4 @@ The content of this repository is released under the following licenses:
 - The toolchain (everything under tools/) is licensed under the GNU Lesser General Public License
 - The Sigma specification (https://github.com/SigmaHQ/sigma-specification) and the Sigma logo are public domain
-- The rules contained in the rules/ and rules-*/ directories are released under the Detection Rule License (DRL) 1.1
+- The rules contained in the SigmaHQ repository (https://github.com/SigmaHQ) are released under the Detection Rule License (DRL) 1.1
From 9318c05751b9251ea326124e9b3c79fa8bd343c9 Mon Sep 17 00:00:00 2001
From: Qasim Qlf
Date: Mon, 19 Dec 2022 15:00:00 +0500
Subject: [PATCH 213/303] fix: modify the detection and condtion
---
 .../proc_creation_win_nslookup_poweshell_download.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml b/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml
index 9f94a97e3..216149aad 100644
--- a/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml
@@ -11,7 +11,7 @@ references:
 - https://twitter.com/Alh4zr3d/status/1566489367232651264
 author: Nasreddine Bencherchali
 date: 2022/09/05
-modified: 2022/12/12
+modified: 2022/12/19
 tags:
 - attack.defense_evasion
 logsource:
@@ -22,14 +22,14 @@ detection:
 CommandLine|contains|all:
 - 'powershell .'
 - 'nslookup'
- - ' -q=txt '
 selection_img:
 ParentImage|endswith: '\powershell.exe'
 Image|contains: '\nslookup.exe'
+ selection_cmd:
 CommandLine|contains:
 - ' -q=txt '
 - ' -querytype=txt '
- condition: 1 of selection_*
+ condition: (selection_cli or selection_img) and selection_cmd
 falsepositives:
 - Unlikely
 level: high
From 025c1a4aae14bba9f82762f12594c3802ceef2fb Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 19 Dec 2022 11:21:24 +0100
Subject: [PATCH 214/303] fix: enhance logic and severity
---
 .../posh_pc_abuse_nslookup_with_dns_records.yml | 3 ++-
 ...creation_win_nslookup_poweshell_download.yml | 17 ++++++++---------
 2 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_abuse_nslookup_with_dns_records.yml b/rules/windows/powershell/powershell_classic/posh_pc_abuse_nslookup_with_dns_records.yml
index e1e309369..c19e56e38 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_abuse_nslookup_with_dns_records.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_abuse_nslookup_with_dns_records.yml
@@ -9,6 +9,7 @@ references:
 - https://twitter.com/Alh4zr3d/status/1566489367232651264
 author: Sai Prashanth Pulisetti @pulisettis
 date: 2022/12/10
+modified: 2022/12/19
 tags:
 - attack.execution
 - attack.t1059.001
@@ -27,4 +28,4 @@ detection:
 condition: selection
 falsepositives:
 - Unknown
-level: high
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml b/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml
index 216149aad..4a10ff9e0 100644
--- a/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_nslookup_poweshell_download.yml
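Review bot: `Image|contains: '\nslookup.exe'` in the `@@ -22,14 +22,14 @@` hunk of proc_creation_win_nslookup_poweshell_download.yml is kept as context while the surrounding selection is restructured; `contains` also matches any path that merely has `\nslookup.exe` somewhere in its middle, while the neighbouring `ParentImage|endswith` already uses the precise form. `Image|endswith: '\nslookup.exe'` is the usual process-creation idiom and is what the other rules in this series use. The following patch (the `@@ -18,18 +18,17 @@` hunk of patch 214) carries the same `Image|contains` entry over into the new `selection_img` list, so the fix applies there too.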
@@ -18,18 +18,17 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection_cli:
- CommandLine|contains|all:
- - 'powershell .'
- - 'nslookup'
 selection_img:
- ParentImage|endswith: '\powershell.exe'
- Image|contains: '\nslookup.exe'
+ - Image|contains: '\nslookup.exe'
+ - OriginalFileName: '\nslookup.exe'
 selection_cmd:
+ ParentImage|endswith:
+ - '\powershell.exe'
+ - '\pwsh.exe'
 CommandLine|contains:
 - ' -q=txt '
 - ' -querytype=txt '
- condition: (selection_cli or selection_img) and selection_cmd
+ condition: all of selection_*
 falsepositives:
- - Unlikely
-level: high
+ - Unknown
+level: medium
From 9238d20d65ee014dcf5eb4b2406806380f004632 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 19 Dec 2022 17:28:09 +0100
Subject: [PATCH 215/303] feat: update readme for license and markdown warnings
---
 README.md | 27 ++++++++++++++++-----------
 1 file changed, 16 insertions(+), 11 deletions(-)
diff --git a/README.md b/README.md
index 38d1e6b26..1fd9f412f 100644
--- a/README.md
+++ b/README.md
@@ -256,18 +256,21 @@ and included with `@filename` as parameter on the command line. Example:
 *misp.conf*:
-```
+
+```apacheconf
 url https://host
 key foobarfoobarfoobarfoobarfoobarfoobarfoo
 ```
 Load Sigma rule into MISP event 1234:
-```
+
+```bash
 sigma2misp @misp.conf --event 1234 sigma_rule.py
 ```
 Load Sigma rules in directory sigma_rules/ into one newly created MISP event with info set to *Test Event*:
-```
+
+```bash
 sigma2misp @misp.conf --same-event --info "Test Event" -r sigma_rules/
 ```
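Review bot: `OriginalFileName: '\nslookup.exe'` added in the `@@ -18,18 +18,17 @@` hunk of proc_creation_win_nslookup_poweshell_download.yml cannot match: OriginalFileName is the bare file name from the PE version resource, not a path, so the leading backslash has to go — `OriginalFileName: 'nslookup.exe'`, the form patch 216 in this series uses for `'Cmd.Exe'` and `'schtasks.exe'`. Because `selection_img` is a list of two mappings (OR), the dead alternative fails silently and the rule in practice depends on the `Image|contains` entry alone, which should itself be `Image|endswith: '\nslookup.exe'`. With those two lines fixed, `condition: all of selection_*` (`selection_img and selection_cmd`) reads correctly.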
@@ -280,11 +283,12 @@ sigma2misp @misp.conf --same-event --info "Test Event" -r sigma_rules/
 Generates a [MITRE ATT&CK® Navigator](https://github.com/mitre/attack-navigator/) heatmap from a directory containing sigma rules.
 Requirements:
-- Sigma rules tagged with a `attack.tXXXX` tag (e.g.: `attack.t1086`)
+
+* Sigma rules tagged with a `attack.tXXXX` tag (e.g.: `attack.t1086`)
 Usage samples:
-```
+```bash
 # Use the default "rules" folder
 ./tools/sigma2attack
@@ -345,8 +349,9 @@ If you want to contribute, you are more then welcome. There are numerous ways to
 If you use it, let us know what works and what does not work.
 E.g.
-- Tell us about false positives (issues section)
-- Try to provide an improved rule (new filter) via [pull request](https://docs.github.com/en/repositories/working-with-files/managing-files/editing-files#editing-files-in-another-users-repository) on that rule
+
+* Tell us about false positives (issues section)
+* Try to provide an improved rule (new filter) via [pull request](https://docs.github.com/en/repositories/working-with-files/managing-files/editing-files#editing-files-in-another-users-repository) on that rule
 ## Work on open issues
@@ -358,15 +363,15 @@ Please don't provide backends for the old code base (sigmac) anymore. Please use
 ## Spread the word
-Last but not least, the more people use Sigma, the better, so help promote it by sharing it via social media. If you are using it, consider giving a talk about your journey and tell us about it.
+Last but not least, the more people use Sigma, the better, so help promote it by sharing it via social media. If you are using it, consider giving a talk about your journey and tell us about it.
 # Licenses
 The content of this repository is released under the following licenses:
-* The toolchain (everything under `tools/`) is licensed under the [GNU Lesser General Public License](https://www.gnu.org/licenses/lgpl-3.0.en.html)
-* The [Sigma specification](https://github.com/Neo23x0/sigma/wiki) is public domain
-* The rules contained in the `rules/` directory are released under the [Detection Rule License (DRL) 1.1](https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md)
+* The toolchain (everything under tools/) is licensed under the[GNU Lesser General Public License](https://www.gnu.org/licenses/lgpl-3.0.en.html)
+* The [Sigma Specification](https://github.com/SigmaHQ/sigma-specification) and the Sigma logo are public domain
+* The rules contained in the [SigmaHQ repository](https://github.com/SigmaHQ) are released under the [Detection Rule License (DRL) 1.1](https://github.com/SigmaHQ/sigma/blob/master/LICENSE.Detection.Rules.md)
 # Credits
From ba3e985bed5fa66f809173d704974b298d564f5f Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 19 Dec 2022 17:41:40 +0100
Subject: [PATCH 216/303] feat: multiple update and enhancements
---
 .../proc_creation_win_mavinject_proc_inj.yml | 24 ++++++++++++
 ...sing_windows_telemetry_for_persistence.yml | 28 ++++++-------
 .../registry_set_silentprocessexit.yml | 2 +-
 ...vent_win_error_handler_cmd_persistence.yml | 3 +-
 ...file_event_win_susp_powershell_profile.yml | 2 +-
 .../proc_creation_create_link_osk_cmd.yml | 4 +-
 ...sing_windows_telemetry_for_persistence.yml | 29 +++++++-------
 ...egistry_add_amsi_providers_persistence.yml | 6 ++-
 ...registry_event_silentprocessexit_lsass.yml | 8 ++--
 ...set_asep_reg_keys_modification_classes.yml | 2 +-
 ..._set_asep_reg_keys_modification_common.yml | 2 +-
 ...eg_keys_modification_currentcontrolset.yml | 2 +-
 ...p_reg_keys_modification_currentversion.yml | 2 +-
 ...eg_keys_modification_currentversion_nt.yml | 4 +-
 ...eg_keys_modification_internet_explorer.yml | 2 +-
 ..._set_asep_reg_keys_modification_office.yml | 2 +-
 ..._reg_keys_modification_session_manager.yml | 2 +-
 ...p_reg_keys_modification_system_scripts.yml | 2 +-
 ...asep_reg_keys_modification_wow6432node.yml | 2 +-
 ..._keys_modification_wow6432node_classes.yml | 2 +-
 ...odification_wow6432node_currentversion.yml | 2 +-
 ...try_set_dbgmanageddebugger_persistence.yml | 5 ++-
 .../registry_set_globalflags_persistence.yml | 28 +++++++------
 .../registry_set_telemetry_persistence.yml | 39 ++++++++++++++-----
 tests/test_rules.py | 1 +
 25 files changed, 129 insertions(+), 76 deletions(-)
 create mode 100644 rules-deprecated/windows/proc_creation_win_mavinject_proc_inj.yml
 rename {rules/windows/registry/registry_set => rules-deprecated/windows}/registry_set_abusing_windows_telemetry_for_persistence.yml (79%)
 rename {rules/windows/registry/registry_set => rules-deprecated/windows}/registry_set_silentprocessexit.yml (97%)
diff --git a/rules-deprecated/windows/proc_creation_win_mavinject_proc_inj.yml b/rules-deprecated/windows/proc_creation_win_mavinject_proc_inj.yml
new file mode 100644
index 000000000..819be68db
--- /dev/null
+++ b/rules-deprecated/windows/proc_creation_win_mavinject_proc_inj.yml
@@ -0,0 +1,24 @@
+title: MavInject Process Injection
+id: 17eb8e57-9983-420d-ad8a-2c4976c22eb8
+status: deprecated
+description: Detects process injection using the signed Windows tool Mavinject32.exe
+author: Florian Roth
+references:
+ - https://twitter.com/gN3mes1s/status/941315826107510784
+ - https://reaqta.com/2017/12/mavinject-microsoft-injector/
+ - https://twitter.com/Hexacorn/status/776122138063409152
+date: 2018/12/12
+modified: 2021/11/27
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains: ' /INJECTRUNNING '
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
+tags:
+ - attack.t1055.001
+ - attack.t1218
diff --git a/rules/windows/registry/registry_set/registry_set_abusing_windows_telemetry_for_persistence.yml b/rules-deprecated/windows/registry_set_abusing_windows_telemetry_for_persistence.yml
similarity index 79%
rename from rules/windows/registry/registry_set/registry_set_abusing_windows_telemetry_for_persistence.yml
rename to rules-deprecated/windows/registry_set_abusing_windows_telemetry_for_persistence.yml
index d31bcb063..cdaa52a4e 100644
--- a/rules/windows/registry/registry_set/registry_set_abusing_windows_telemetry_for_persistence.yml
+++ b/rules-deprecated/windows/registry_set_abusing_windows_telemetry_for_persistence.yml
@@ -1,6 +1,6 @@
 title: Abusing Windows Telemetry For Persistence - Registry
 id: 4e8d5fd3-c959-441f-a941-f73d0cdcdca5
-status: experimental
+status: deprecated
 description: |
 Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections.
 This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run.
@@ -23,19 +23,19 @@ detection:
 EventType: SetValue
 TargetObject|contains: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\'
 Details|endswith:
- - .sh
- - .exe
- - .dll
- - .bin
- - .bat
- - .cmd
- - .js
- - .ps
- - .vb
- - .jar
- - .hta
- - .msi
- - .vbs
+ - '.sh'
+ - '.exe'
+ - '.dll'
+ - '.bin'
+ - '.bat'
+ - '.cmd'
+ - '.js'
+ - '.ps'
+ - '.vb'
+ - '.jar'
+ - '.hta'
+ - '.msi'
+ - '.vbs'
 condition: selection
 fields:
 - EventID
diff --git a/rules/windows/registry/registry_set/registry_set_silentprocessexit.yml b/rules-deprecated/windows/registry_set_silentprocessexit.yml
similarity index 97%
rename from rules/windows/registry/registry_set/registry_set_silentprocessexit.yml
rename to rules-deprecated/windows/registry_set_silentprocessexit.yml
index 19f3c96d0..e9ae3be90 100644
--- a/rules/windows/registry/registry_set/registry_set_silentprocessexit.yml
+++ b/rules-deprecated/windows/registry_set_silentprocessexit.yml
@@ -1,6 +1,6 @@
 title: SilentProcessExit Monitor Registration
 id: c81fe886-cac0-4913-a511-2822d72ff505
-status: experimental
+status: deprecated
 description: Detects changes to the Registry in which a monitor program gets registered to monitor the exit of another process
 references:
 - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
diff --git a/rules/windows/file/file_event/file_event_win_error_handler_cmd_persistence.yml b/rules/windows/file/file_event/file_event_win_error_handler_cmd_persistence.yml
index cfdfb81b9..e420bb832 100644
--- a/rules/windows/file/file_event/file_event_win_error_handler_cmd_persistence.yml
+++ b/rules/windows/file/file_event/file_event_win_error_handler_cmd_persistence.yml
@@ -1,4 +1,4 @@
-title: Persistence Via ErrorHandler.Cmd
+title: Potential Persistence Attempt Via ErrorHandler.Cmd
 id: 15904280-565c-4b73-9303-3291f964e7f9
 status: experimental
 description: |
@@ -9,6 +9,7 @@ references:
 - https://github.com/last-byte/PersistenceSniper
 author: Nasreddine Bencherchali
 date: 2022/08/09
+modified: 2022/12/19
 tags:
 - attack.persistence
 logsource:
diff --git a/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml b/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml
index 2a904a121..6a68b5207 100644
--- a/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml
+++ b/rules/windows/file/file_event/file_event_win_susp_powershell_profile.yml
@@ -25,5 +25,5 @@ detection:
 - '\Program Files\PowerShell\7\profile.ps1'
 condition: selection
 falsepositives:
- - System administrator create Powershell profile manually
+ - System administrator creating Powershell profile manually
 level: high
diff --git a/rules/windows/process_creation/proc_creation_create_link_osk_cmd.yml b/rules/windows/process_creation/proc_creation_create_link_osk_cmd.yml
index cef5457d6..dcfdc0073 100644
--- a/rules/windows/process_creation/proc_creation_create_link_osk_cmd.yml
+++ b/rules/windows/process_creation/proc_creation_create_link_osk_cmd.yml
@@ -16,13 +16,13 @@ logsource:
 detection:
 selection_img:
 - Image|endswith: '\cmd.exe'
- - OriginalFileName: 'Cmd.exe'
+ - OriginalFileName: 'Cmd.Exe'
 selection_cli:
 CommandLine|contains|all:
 - 'mklink'
 - '\osk.exe'
 - '\cmd.exe'
- condition: all of selection_*
+ condition: all of selection_*
 falsepositives:
 - Unknown
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_abusing_windows_telemetry_for_persistence.yml b/rules/windows/process_creation/proc_creation_win_abusing_windows_telemetry_for_persistence.yml
index 0d9d237f6..35c8f10d2 100644
--- a/rules/windows/process_creation/proc_creation_win_abusing_windows_telemetry_for_persistence.yml
+++ b/rules/windows/process_creation/proc_creation_win_abusing_windows_telemetry_for_persistence.yml
@@ -1,31 +1,30 @@
-title: Abusing Windows Telemetry For Persistence
+title: Potential Persistence Execution Via Microsoft Compatibility Appraiser
 id: f548a603-c9f2-4c89-b511-b089f7e94549
+related:
+ - id: 73a883d0-0348-4be4-a8d8-51031c2564f8
+ type: derived
 status: experimental
-description: Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type.
+description: Detects manual execution of the "Microsoft Compatibility Appraiser" task via schtasks. In order to trigger persistence stored in the "\AppCompatFlags\TelemetryController" registry key.
 references:
 - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
 author: Sreeman
 date: 2020/09/29
-modified: 2022/02/21
+modified: 2022/12/19
 tags:
- - attack.defense_evasion
 - attack.persistence
- - attack.t1112
- - attack.t1053
+ - attack.t1053.005
 logsource:
 product: windows
 category: process_creation
 detection:
- selection:
+ selection_img:
+ Image|endswith: '\schtasks.exe'
+ OriginalFileName: 'schtasks.exe'
+ selection_cli:
 CommandLine|contains|all:
- - 'schtasks'
+ - 'run '
 - '\Application Experience\Microsoft Compatibility Appraiser'
- condition: selection
-fields:
- - EventID
- - CommandLine
- - TargetObject
- - Details
+ condition: all of selection_*
 falsepositives:
 - Unknown
-level: high
+level: medium
diff --git a/rules/windows/registry/registry_add/registry_add_amsi_providers_persistence.yml b/rules/windows/registry/registry_add/registry_add_amsi_providers_persistence.yml
index 20c31d6f8..b369a0815 100644
--- a/rules/windows/registry/registry_add/registry_add_amsi_providers_persistence.yml
+++ b/rules/windows/registry/registry_add/registry_add_amsi_providers_persistence.yml
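Review bot: In the `@@ -1,31 +1,30 @@` hunk of proc_creation_win_abusing_windows_telemetry_for_persistence.yml, `selection_img` is written as a mapping, so `Image|endswith: '\schtasks.exe'` and `OriginalFileName: 'schtasks.exe'` are both required: a renamed copy of schtasks fails the `Image` test, the `OriginalFileName` field then adds nothing, and an event source that does not populate OriginalFileName can no longer match at all. The osk_cmd rule in the same commit uses the list form, which is OR, and that is presumably what was meant here: `selection_img:` / `- Image|endswith: '\schtasks.exe'` / `- OriginalFileName: 'schtasks.exe'`. The new description also splits into a sentence and a fragment; 'Detects manual execution of the "Microsoft Compatibility Appraiser" task via schtasks in order to trigger persistence stored in the "\AppCompatFlags\TelemetryController" registry key.' reads as one sentence.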
@@ -7,6 +7,7 @@ references:
 - https://github.com/gtworek/PSBits/blob/8d767892f3b17eefa4d0668f5d2df78e844f01d8/FakeAMSI/FakeAMSI.c
 author: Nasreddine Bencherchali
 date: 2022/07/21
+modified: 2022/12/19
 tags:
 - attack.persistence
 logsource:
@@ -19,7 +20,10 @@ detection:
 - '\SOFTWARE\Microsoft\AMSI\Providers\'
 - '\SOFTWARE\WOW6432Node\Microsoft\AMSI\Providers\'
 filter:
- Image|startswith: 'C:\Program Files'
+ Image|startswith:
+ - 'C:\Windows\System32\'
+ - 'C:\Program Files\'
+ - 'C:\Program Files (x86)\'
 condition: selection and not filter
 falsepositives:
 - Legitimate security products adding their own AMSI providers
diff --git a/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml b/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml
index 6b5f69270..f0069ff5d 100644
--- a/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml
+++ b/rules/windows/registry/registry_event/registry_event_silentprocessexit_lsass.yml
@@ -1,7 +1,7 @@
-title: SilentProcessExit Monitor Registration for LSASS
+title: Potential Credential Dumping Via LSASS SilentProcessExit Technique
 id: 55e29995-75e7-451a-bef0-6225e2f13597
 related:
- - id: 1f24c7c1-0b71-4e4e-8a6d-f863c9d8aa4a
+ - id: 36803969-5421-41ec-b92f-8500f79c23b0
 type: similar
 status: experimental
 description: Detects changes to the Registry in which a monitor program gets registered to dump the memory of the lsass.exe process
@@ -10,10 +10,10 @@ references:
 - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
 author: Florian Roth
 date: 2021/02/26
-modified: 2022/09/07
+modified: 2022/12/19
 tags:
 - attack.credential_access
- - attack.t1003.007
+ - attack.t1003.001
 logsource:
 category: registry_event
 product: windows
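Review bot: Adding `'C:\Windows\System32\'` to the `Image|startswith` filter in the `@@ -19,7 +20,10 @@` hunk of registry_add_amsi_providers_persistence.yml exempts every process launched from System32, and that directory is where the built-in tools most likely to write a key under `\AMSI\Providers\` on behalf of a script live (reg.exe, regsvr32.exe, powershell.exe), so the rule is left covering essentially only third-party installers outside Program Files. If a specific Windows component is the false positive being addressed, the filter should name that image (`Image: 'C:\Windows\System32\<component>.exe'`, placeholder to be filled in) and the `falsepositives` entry should record it, rather than excluding the whole directory. The trailing backslashes on the two Program Files entries are a sound tightening over the old bare `'C:\Program Files'` prefix.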
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml
index cb01e74e1..815458a31 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_classes.yml
@@ -2,7 +2,7 @@ title: Classes Autorun Keys Modification
 id: 9df5f547-c86a-433e-b533-f2794357e242
 related:
 - id: 17f878b8-9968-4578-b814-c4217fc5768c
- type: derived
+ type: obsoletes
 status: experimental
 description: Detects modification of autostart extensibility point (ASEP) in registry.
 references:
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml
index 73c9c3ce6..86272d01d 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml
@@ -2,7 +2,7 @@ title: Common Autorun Keys Modification
 id: f59c3faf-50f3-464b-9f4c-1b67ab512d99
 related:
 - id: 17f878b8-9968-4578-b814-c4217fc5768c
- type: derived
+ type: obsoletes
 status: experimental
 description: Detects modification of autostart extensibility point (ASEP) in registry.
 references:
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml
index 4a251912d..7358de40c 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml
@@ -2,7 +2,7 @@ title: CurrentControlSet Autorun Keys Modification
 id: f674e36a-4b91-431e-8aef-f8a96c2aca35
 related:
 - id: 17f878b8-9968-4578-b814-c4217fc5768c
- type: derived
+ type: obsoletes
 status: experimental
 description: Detects modification of autostart extensibility point (ASEP) in registry.
 references:
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml
index 2a306b9af..00e256f48 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml
@@ -2,7 +2,7 @@ title: CurrentVersion Autorun Keys Modification
 id: 20f0ee37-5942-4e45-b7d5-c5b5db9df5cd
 related:
 - id: 17f878b8-9968-4578-b814-c4217fc5768c
- type: derived
+ type: obsoletes
 status: experimental
 description: Detects modification of autostart extensibility point (ASEP) in registry.
 references:
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml
index 57591152e..cf9b29bea 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion_nt.yml
@@ -2,7 +2,7 @@ title: CurrentVersion NT Autorun Keys Modification
 id: cbf93e5d-ca6c-4722-8bea-e9119007c248
 related:
 - id: 17f878b8-9968-4578-b814-c4217fc5768c
- type: derived
+ type: obsoletes
 status: experimental
 description: Detects modification of autostart extensibility point (ASEP) in registry.
 references:
@@ -33,7 +33,7 @@ detection:
 - '\Winlogon\AlternateShells\AvailableShells'
 - '\Windows\IconServiceLib'
 - '\Windows\Appinit_Dlls'
- - '\Image File Execution Options'
+ - '\Image File Execution Options' # Covered in better details in 36803969-5421-41ec-b92f-8500f79c23b0
 - '\Font Drivers'
 - '\Drivers32'
 - '\Windows\Run'
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml
index a2a4508c4..08dd1e190 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_internet_explorer.yml
@@ -2,7 +2,7 @@ title: Internet Explorer Autorun Keys Modification
 id: a80f662f-022f-4429-9b8c-b1a41aaa6688
 related:
 - id: 17f878b8-9968-4578-b814-c4217fc5768c
- type: derived
+ type: obsoletes
 status: experimental
 description: Detects modification of autostart extensibility point (ASEP) in registry.
 references:
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml
index d627b0384..9385cd16e 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml
@@ -2,7 +2,7 @@ title: Office Autorun Keys Modification
 id: baecf8fb-edbf-429f-9ade-31fc3f22b970
 related:
 - id: 17f878b8-9968-4578-b814-c4217fc5768c
- type: derived
+ type: obsoletes
 status: experimental
 description: Detects modification of autostart extensibility point (ASEP) in registry.
 references:
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml
index 6f6cc6e2a..77d941b03 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_session_manager.yml
@@ -2,7 +2,7 @@ title: Session Manager Autorun Keys Modification
 id: 046218bd-e0d8-4113-a3c3-895a12b2b298
 related:
 - id: 17f878b8-9968-4578-b814-c4217fc5768c
- type: derived
+ type: obsoletes
 status: experimental
 description: Detects modification of autostart extensibility point (ASEP) in registry.
 references:
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml
index 1d1b33595..f30a1ebe6 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_system_scripts.yml
@@ -2,7 +2,7 @@ title: System Scripts Autorun Keys Modification
 id: e7a2fd40-3ae1-4a85-bf80-15cf624fb1b1
 related:
 - id: 17f878b8-9968-4578-b814-c4217fc5768c
- type: derived
+ type: obsoletes
 status: experimental
 description: Detects modification of autostart extensibility point (ASEP) in registry.
 references:
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml
index b575c0acf..122227129 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml
@@ -2,7 +2,7 @@ title: Wow6432Node CurrentVersion Autorun Keys Modification
 id: b29aed60-ebd1-442b-9cb5-16a1d0324adb
 related:
 - id: 17f878b8-9968-4578-b814-c4217fc5768c
- type: derived
+ type: obsoletes
 status: experimental
 description: Detects modification of autostart extensibility point (ASEP) in registry.
 references:
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml
index d0221d76f..84e00ba88 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_classes.yml
@@ -2,7 +2,7 @@ title: Wow6432Node Classes Autorun Keys Modification
 id: 18f2065c-d36c-464a-a748-bcf909acb2e3
 related:
 - id: 17f878b8-9968-4578-b814-c4217fc5768c
- type: derived
+ type: obsoletes
 status: experimental
 description: Detects modification of autostart extensibility point (ASEP) in registry.
 references:
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml
index 3de85319d..cafd8e5b1 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node_currentversion.yml
@@ -2,7 +2,7 @@ title: Wow6432Node Windows NT CurrentVersion Autorun Keys Modification
 id: 480421f9-417f-4d3b-9552-fd2728443ec8
 related:
 - id: 17f878b8-9968-4578-b814-c4217fc5768c
- type: derived
+ type: obsoletes
 status: experimental
 description: Detects modification of autostart extensibility point (ASEP) in registry.
 references:
diff --git a/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml b/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml
index f214e54f8..2a5b69714 100644
--- a/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_dbgmanageddebugger_persistence.yml
@@ -1,12 +1,13 @@
-title: Add Debugger Entry To DbgManagedDebugger For Persistence
+title: Potential Registry Persistence Attempt Via DbgManagedDebugger
 id: 9827ae57-3802-418f-994b-d5ecf5cd974b
 status: experimental
-description: Detects when an attacker adds a new "Debugger" value to the "DbgManagedDebugger" key in order to achieve persistence which will get invoked when an application crashes
+description: Detects the addition of the "Debugger" value to the "DbgManagedDebugger" key in order to achieve persistence. Which will get invoked when an application crashes
 references:
 - https://www.hexacorn.com/blog/2013/09/19/beyond-good-ol-run-key-part-4/
 - https://github.com/last-byte/PersistenceSniper
 author: frack113
 date: 2022/08/07
+modified: 2022/12/19
 tags:
 - attack.persistence
 - attack.t1574
diff --git a/rules/windows/registry/registry_set/registry_set_globalflags_persistence.yml b/rules/windows/registry/registry_set/registry_set_globalflags_persistence.yml
index 831bbfecd..ef3e0c318 100755
--- a/rules/windows/registry/registry_set/registry_set_globalflags_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_globalflags_persistence.yml
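Review bot: The rewritten `description` ends in a sentence fragment (`... in order to achieve persistence. Which will get invoked when an application crashes`), which reads as if a clause was dropped during the edit. Suggested wording: `description: Detects the addition of the "Debugger" value to the "DbgManagedDebugger" key in order to achieve persistence. The configured debugger gets invoked when an application crashes`.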
@@ -1,12 +1,16 @@
-title: GlobalFlags Registry Persistence Mechanisms
+title: Potential GlobalFlags Registry Persistence Attempt
 id: 36803969-5421-41ec-b92f-8500f79c23b0
+related:
+ - id: c81fe886-cac0-4913-a511-2822d72ff505
+ type: obsoletes
 status: test
-description: Detects persistence using GlobalFlags in image file execution options
+description: Detects regisrry persistence technique using the GlobalFlags and SilentProcessExit keys
 references:
 - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
-author: Karneades, Jonhnathan Ribeiro
+ - https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/
+author: Karneades, Jonhnathan Ribeiro, Florian Roth
 date: 2018/04/11
-modified: 2022/09/07
+modified: 2022/12/19
 tags:
 - attack.privilege_escalation
 - attack.persistence
@@ -17,17 +21,17 @@ logsource:
 category: registry_set
 product: windows
 detection:
- selection_reg1:
- TargetObject|contains: '\Microsoft\Windows NT\CurrentVersion\'
- selection_reg2:
- - TargetObject|contains|all:
+ selection_global_flag:
+ TargetObject|contains|all:
+ - '\Microsoft\Windows NT\CurrentVersion\'
 - '\Image File Execution Options\'
 - '\GlobalFlag'
- - TargetObject|contains|all:
- - 'SilentProcessExit\'
+ selection_silent_process:
+ TargetObject|contains|all:
+ - '\Microsoft\Windows NT\CurrentVersion\'
+ - '\SilentProcessExit\'
+ TargetObject|contains:
 - '\ReportingMode'
- - TargetObject|contains|all:
- - 'SilentProcessExit\'
 - '\MonitorProcess'
 condition: all of selection_*
 falsepositives:
diff --git a/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml b/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml
index dfc509f1a..307aecb82 100644
--- a/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_telemetry_persistence.yml
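Review bot: Typo in the rewritten description of the first hunk: `regisrry`. Change it to `description: Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys`.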
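Review bot: After this rewrite the rule can no longer match any event: `selection_global_flag` requires `TargetObject` to contain `\Image File Execution Options\` and `\GlobalFlag`, `selection_silent_process` requires it to contain `\SilentProcessExit\` plus `\ReportingMode` or `\MonitorProcess`, and the unchanged context line `condition: all of selection_*` ANDs the two, while a single registry_set event carries one TargetObject that lives under one of those keys. The old layout worked with `all of` only because `selection_reg2` was a list of OR'd alternatives under one selection; now that the alternatives are separate named selections the condition has to become `condition: 1 of selection_*`. Worth adding a `# GlobalFlag and SilentProcessExit are written in separate events` comment next to it so the next refactor does not reintroduce the AND.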
@@ -1,26 +1,45 @@
-title: Registry Persistence Mechanism via Windows Telemetry
+title: Potential Registry Persistence Attempt Via Windows Telemetry
 id: 73a883d0-0348-4be4-a8d8-51031c2564f8
+related:
+ - id: 4e8d5fd3-c959-441f-a941-f73d0cdcdca5
+ type: obsoletes
 status: test
-description: Detects persistence method using windows telemetry
+description: |
+ Detects potential persistence behaviour using the windows telemetry registry key.
+ Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections.
+ This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run.
+ The problem is, it will run any arbitrary command without restriction of location or type.
 references:
 - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/
-author: Lednyov Alexey, oscd.community
+author: Lednyov Alexey, oscd.community, Sreeman
 date: 2020/10/16
-modified: 2022/03/26
+modified: 2022/12/19
 tags:
 - attack.persistence
 - attack.t1053.005
 logsource:
 category: registry_set
 product: windows
- definition: 'Requirements: Sysmon config that monitors \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController subkey of the HKLU hives'
+ definition: 'Requirements: Sysmon config that monitors \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController subkey of the HKLM hives'
 detection:
 selection:
 EventType: SetValue
- TargetObject|contains|all:
- - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\'
- - '\Command'
- Details|contains: '.exe'
+ TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\'
+ TargetObject|endswith: '\Command'
+ Details|contains:
+ - '.sh'
+ - '.exe'
+ - '.dll'
+ - '.bin'
+ - '.bat'
+ - '.cmd'
+ - '.js'
+ - '.ps'
+ - '.vb'
+ - '.jar'
+ - '.hta'
+ - '.msi'
+ - '.vbs'
 filter:
 Details|contains:
 - '\system32\CompatTelRunner.exe'
@@ -28,4 +47,4 @@ detection:
 condition: selection and not filter
 falsepositives:
 - Unknown
-level: critical
+level: high
diff --git a/tests/test_rules.py b/tests/test_rules.py
index d3a584334..d0756b635 100755
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
@@ -65,6 +65,7 @@ class TestRules(unittest.TestCase):
 # "There are rule files with extensions other than .yml")
 def test_legal_trademark_violations(self):
+ # See Issue # https://github.com/SigmaHQ/sigma/issues/1014
 files_with_legal_issues = []
 for file in self.yield_next_rule_file_path(self.path_to_rules):
From 8d617d2587e9cdfca9ced5575f5d5207ebd55f31 Mon Sep 17 00:00:00 2001
From: pbssubhash
Date: Mon, 19 Dec 2022 22:14:25 +0530
Subject: [PATCH 217/303] Create file_event_win_dircreate2system_privesc.yml
---
 ...ile_event_win_dircreate2system_privesc.yml | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 rules/windows/file/file_event/file_event_win_dircreate2system_privesc.yml
diff --git a/rules/windows/file/file_event/file_event_win_dircreate2system_privesc.yml b/rules/windows/file/file_event/file_event_win_dircreate2system_privesc.yml
new file mode 100644
index 000000000..f0259fe8c
--- /dev/null
+++ b/rules/windows/file/file_event/file_event_win_dircreate2system_privesc.yml
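Review bot: The new `Details|contains` list on `selection` only matches values that carry one of the listed extension substrings, so a `\Command` value naming a program without any of them is not detected, while the very short tokens `.sh`, `.ps` and `.vb` also match unrelated strings such as `.shtml`, `.psd` or `.vbp`. The rule's own new description states that CompatTelRunner runs any command placed in this key, and the `filter` already carves out the legitimate `\system32\CompatTelRunner.exe` value, so either drop the extension list and alert on every unfiltered `SetValue` to `\Command`, or keep it and document the trade-off with a comment like `# Extension list keeps the level at high; commands without a listed extension are not covered`. If the list stays, `.ps` is better written as `.ps1`, since `.vbs` is already listed separately and `.ps` on its own buys nothing but noise.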
@@ -0,0 +1,27 @@
+title: Suspicious Privilege Escalation Attempts using DirCreate2System
+id: 2d367498-5112-4ae5-a06a-96e7bc33a212
+status: experimental
+description: |
+ Detects privilege escalation from a privileged user (eg. Administrator) to NT AUTHORITY\SYSTEM using variety of DLL Hijacking techniques.
+references:
+ - https://github.com/sailay1996/awesome_windows_logical_bugs/blob/master/dir_create2system.txt
+author: Subhash Popuri (@pbssubhash)
+date: 2022/12/19
+tags:
+ - attack.defense_evasion
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ TargetFilename|startswith:
+ - 'C:\Windows\System32\LogonUI.exe.Local'
+ - 'C:\Windows\System32\WerFault.exe.Local'
+ - 'C:\Windows\System32\consent.exe.Local'
+ - 'C:\Windows\System32\Narrator.exe.Local'
+ - 'C:\Windows\System32\Wermgr.exe.Local'
+ TargetFilename|endswith: 'comctl32.dll'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
From b763ddd7c74b4f2dd38b51b86ad93fa7656920e5 Mon Sep 17 00:00:00 2001
From: pbssubhash
Date: Mon, 19 Dec 2022 22:21:37 +0530
Subject: [PATCH 218/303] Update file_event_win_dircreate2system_privesc.yml
---
 .../file/file_event/file_event_win_dircreate2system_privesc.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/file/file_event/file_event_win_dircreate2system_privesc.yml b/rules/windows/file/file_event/file_event_win_dircreate2system_privesc.yml
index f0259fe8c..8594d1981 100644
--- a/rules/windows/file/file_event/file_event_win_dircreate2system_privesc.yml
+++ b/rules/windows/file/file_event/file_event_win_dircreate2system_privesc.yml
@@ -1,4 +1,4 @@
-title: Suspicious Privilege Escalation Attempts using DirCreate2System
+title: Suspicious Privilege Escalation Attempts Using DirCreate2System
 id: 2d367498-5112-4ae5-a06a-96e7bc33a212
 status: experimental
 description: |
From ae974d8f154cfb60d19140b9771725e0363ffb49 Mon Sep 17 00:00:00 2001
From: pbssubhash
Date: Mon, 19 Dec 2022 22:35:36 +0530
Subject: [PATCH 219/303] Modifying existing rule instead of a new one
---
 ...ile_event_win_dircreate2system_privesc.yml | 27 -------------------
 ..._win_wermgr_local_privilege_escalation.yml | 7 ++++-
 2 files changed, 6 insertions(+), 28 deletions(-)
 delete mode 100644 rules/windows/file/file_event/file_event_win_dircreate2system_privesc.yml
diff --git a/rules/windows/file/file_event/file_event_win_dircreate2system_privesc.yml b/rules/windows/file/file_event/file_event_win_dircreate2system_privesc.yml
deleted file mode 100644
index 8594d1981..000000000
--- a/rules/windows/file/file_event/file_event_win_dircreate2system_privesc.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-title: Suspicious Privilege Escalation Attempts Using DirCreate2System
-id: 2d367498-5112-4ae5-a06a-96e7bc33a212
-status: experimental
-description: |
- Detects privilege escalation from a privileged user (eg. Administrator) to NT AUTHORITY\SYSTEM using variety of DLL Hijacking techniques.
-references:
- - https://github.com/sailay1996/awesome_windows_logical_bugs/blob/master/dir_create2system.txt
-author: Subhash Popuri (@pbssubhash)
-date: 2022/12/19
-tags:
- - attack.defense_evasion
-logsource:
- product: windows
- category: file_event
-detection:
- selection:
- TargetFilename|startswith:
- - 'C:\Windows\System32\LogonUI.exe.Local'
- - 'C:\Windows\System32\WerFault.exe.Local'
- - 'C:\Windows\System32\consent.exe.Local'
- - 'C:\Windows\System32\Narrator.exe.Local'
- - 'C:\Windows\System32\Wermgr.exe.Local'
- TargetFilename|endswith: 'comctl32.dll'
- condition: selection
-falsepositives:
- - Unknown
-level: high
\ No newline at end of file
diff --git a/rules/windows/file/file_event/file_event_win_wermgr_local_privilege_escalation.yml b/rules/windows/file/file_event/file_event_win_wermgr_local_privilege_escalation.yml
index e7c83ae61..1c4b55c36 100644
--- a/rules/windows/file/file_event/file_event_win_wermgr_local_privilege_escalation.yml
+++ b/rules/windows/file/file_event/file_event_win_wermgr_local_privilege_escalation.yml
@@ -15,7 +15,12 @@ logsource:
 product: windows
 detection:
 selection:
- TargetFilename|startswith: 'C:\windows\system32\wermgr.exe.local\'
+ TargetFilename|startswith:
+ - 'C:\Windows\System32\logonUI.exe.local'
+ - 'C:\Windows\System32\werFault.exe.local'
+ - 'C:\Windows\System32\consent.exe.local'
+ - 'C:\Windows\System32\narrator.exe.local'
+ - 'C:\Windows\System32\wermgr.exe.local'
 TargetFilename|endswith: '\comctl32.dll'
 condition: selection
 falsepositives:
From 8a9f1ee2730c6ce246733406b9f83abb80157cdd Mon Sep 17 00:00:00 2001
From: pbssubhash
Date: Mon, 19 Dec 2022 22:39:05 +0530
Subject: [PATCH 220/303] Update file_event_win_wermgr_local_privilege_escalation.yml
---
 .../file_event_win_wermgr_local_privilege_escalation.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/windows/file/file_event/file_event_win_wermgr_local_privilege_escalation.yml b/rules/windows/file/file_event/file_event_win_wermgr_local_privilege_escalation.yml
index 1c4b55c36..36d4b3f76 100644
--- a/rules/windows/file/file_event/file_event_win_wermgr_local_privilege_escalation.yml
+++ b/rules/windows/file/file_event/file_event_win_wermgr_local_privilege_escalation.yml
@@ -4,7 +4,8 @@ status: experimental
 description: Detects potential privilege escalation attempt via the creation of the "Wermgr.Exe.Local" folder inside the "System32" directory in order to sideload "comctl32.dll"
 references:
 - https://github.com/binderlabs/DirCreate2System
-author: Nasreddine Bencherchali
+ - https://github.com/sailay1996/awesome_windows_logical_bugs/blob/master/dir_create2system.txt
+author: Nasreddine Bencherchali, Subhash P (@pbssubhash)
 date: 2022/12/16
 tags:
 - attack.defense_evasion
From 060174e2dd31b15cc2738cdbd6bcbc4071e2b81d Mon Sep 17 00:00:00 2001
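Review bot: The five new `TargetFilename|startswith` values drop the trailing backslash that the replaced single value `'C:\windows\system32\wermgr.exe.local\'` had, so the prefix now also accepts any folder whose name merely starts with one of those strings, and the image_load sibling in this series keeps the trailing `\` on its `ImageLoaded|startswith` list, so the two rules no longer describe the same directories. Restore it on all five entries, e.g. `- 'C:\Windows\System32\logonUI.exe.local\'`, so both rules anchor on the exact `<binary>.exe.local` folder.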
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 19 Dec 2022 18:14:01 +0100
Subject: [PATCH 221/303] fix: small fixes
- Added modified date
- Updated DLL sideload version
---
 ...le_event_win_wermgr_local_privilege_escalation.yml | 3 ++-
 .../image_load_side_load_wermgr_comctl32.yml | 11 +++++++++--
 2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/rules/windows/file/file_event/file_event_win_wermgr_local_privilege_escalation.yml b/rules/windows/file/file_event/file_event_win_wermgr_local_privilege_escalation.yml
index 36d4b3f76..cff90f796 100644
--- a/rules/windows/file/file_event/file_event_win_wermgr_local_privilege_escalation.yml
+++ b/rules/windows/file/file_event/file_event_win_wermgr_local_privilege_escalation.yml
@@ -7,6 +7,7 @@ references:
 - https://github.com/sailay1996/awesome_windows_logical_bugs/blob/master/dir_create2system.txt
 author: Nasreddine Bencherchali, Subhash P (@pbssubhash)
 date: 2022/12/16
+modified: 2022/12/19
 tags:
 - attack.defense_evasion
 - attack.persistence
@@ -16,7 +17,7 @@ logsource:
 product: windows
 detection:
 selection:
- TargetFilename|startswith:
+ TargetFilename|startswith:
 - 'C:\Windows\System32\logonUI.exe.local'
 - 'C:\Windows\System32\werFault.exe.local'
 - 'C:\Windows\System32\consent.exe.local'
diff --git a/rules/windows/image_load/image_load_side_load_wermgr_comctl32.yml b/rules/windows/image_load/image_load_side_load_wermgr_comctl32.yml
index c1dba7aec..1ed8ae86f 100644
--- a/rules/windows/image_load/image_load_side_load_wermgr_comctl32.yml
+++ b/rules/windows/image_load/image_load_side_load_wermgr_comctl32.yml
@@ -4,8 +4,10 @@ status: experimental
 description: Detects potential DLL sideloading using comctl32.dll via "wermgr.exe" to obtain system privileges
 references:
 - https://github.com/binderlabs/DirCreate2System
-author: Nasreddine Bencherchali
+ - https://github.com/sailay1996/awesome_windows_logical_bugs/blob/master/dir_create2system.txt
+author: Nasreddine Bencherchali, Subhash Popuri (@pbssubhash)
 date: 2022/12/16
+modified: 2022/12/19
 tags:
 - attack.defense_evasion
 - attack.persistence
@@ -17,7 +19,12 @@ logsource:
 product: windows
 detection:
 selection:
- ImageLoaded|startswith: 'C:\windows\system32\wermgr.exe.local\'
+ ImageLoaded|startswith:
+ - 'C:\Windows\System32\logonUI.exe.local\'
+ - 'C:\Windows\System32\werFault.exe.local\'
+ - 'C:\Windows\System32\consent.exe.local\'
+ - 'C:\Windows\System32\narrator.exe.local\'
+ - 'C:\windows\system32\wermgr.exe.local\'
 ImageLoaded|endswith: '\comctl32.dll'
 condition: selection
 falsepositives:
From c37441366476f9469d32832338183117eeb8bce8 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 19 Dec 2022 18:15:57 +0100
Subject: [PATCH 222/303] fix: change to permalink
---
 .../file_event_win_wermgr_local_privilege_escalation.yml | 2 +-
 .../windows/image_load/image_load_side_load_wermgr_comctl32.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/file/file_event/file_event_win_wermgr_local_privilege_escalation.yml b/rules/windows/file/file_event/file_event_win_wermgr_local_privilege_escalation.yml
index cff90f796..4489234e2 100644
--- a/rules/windows/file/file_event/file_event_win_wermgr_local_privilege_escalation.yml
+++ b/rules/windows/file/file_event/file_event_win_wermgr_local_privilege_escalation.yml
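Review bot: Style: the kept last entry `'C:\windows\system32\wermgr.exe.local\'` uses the old lower-case spelling while the four entries added above it use `C:\Windows\System32\`; Sigma string matching is case-insensitive so behaviour is the same, but normalising it to `- 'C:\Windows\System32\wermgr.exe.local\'` keeps the list readable and consistent with the file_event twin rule that carries the same five names.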
@@ -4,7 +4,7 @@ status: experimental
 description: Detects potential privilege escalation attempt via the creation of the "Wermgr.Exe.Local" folder inside the "System32" directory in order to sideload "comctl32.dll"
 references:
 - https://github.com/binderlabs/DirCreate2System
- - https://github.com/sailay1996/awesome_windows_logical_bugs/blob/master/dir_create2system.txt
+ - hhttps://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt
 author: Nasreddine Bencherchali, Subhash P (@pbssubhash)
 date: 2022/12/16
 modified: 2022/12/19
diff --git a/rules/windows/image_load/image_load_side_load_wermgr_comctl32.yml b/rules/windows/image_load/image_load_side_load_wermgr_comctl32.yml
index 1ed8ae86f..d7692fc59 100644
--- a/rules/windows/image_load/image_load_side_load_wermgr_comctl32.yml
+++ b/rules/windows/image_load/image_load_side_load_wermgr_comctl32.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects potential DLL sideloading using comctl32.dll via "wermgr.exe" to obtain system privileges
 references:
 - https://github.com/binderlabs/DirCreate2System
- - https://github.com/sailay1996/awesome_windows_logical_bugs/blob/master/dir_create2system.txt
+ - https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt
 author: Nasreddine Bencherchali, Subhash Popuri (@pbssubhash)
 date: 2022/12/16
 modified: 2022/12/19
From 9c308642c77a82c39ece61fa811e3254b0357a90 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 19 Dec 2022 19:21:55 +0100
Subject: [PATCH 223/303] fix: apply suggestions from code review
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
---
 .../file_event_win_wermgr_local_privilege_escalation.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/file/file_event/file_event_win_wermgr_local_privilege_escalation.yml b/rules/windows/file/file_event/file_event_win_wermgr_local_privilege_escalation.yml
index 4489234e2..5772f1e59 100644
--- a/rules/windows/file/file_event/file_event_win_wermgr_local_privilege_escalation.yml
+++ b/rules/windows/file/file_event/file_event_win_wermgr_local_privilege_escalation.yml
@@ -1,10 +1,10 @@
 title: Potential Privilege Escalation Attempt Via Wermgr.Exe.Local
 id: 07a99744-56ac-40d2-97b7-2095967b0e03
 status: experimental
-description: Detects potential privilege escalation attempt via the creation of the "Wermgr.Exe.Local" folder inside the "System32" directory in order to sideload "comctl32.dll"
+description: Detects potential privilege escalation attempt via the creation of the "*.Exe.Local" folder inside the "System32" directory in order to sideload "comctl32.dll"
 references:
 - https://github.com/binderlabs/DirCreate2System
- - hhttps://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt
+ - https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt
 author: Nasreddine Bencherchali, Subhash P (@pbssubhash)
 date: 2022/12/16
 modified: 2022/12/19
From ff94bfee2bfb276be8e23a69a8f551ec1da92dae Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 19 Dec 2022 19:23:11 +0100
Subject: [PATCH 224/303] fix: update description to fit logic
---
 .../windows/image_load/image_load_side_load_wermgr_comctl32.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/image_load/image_load_side_load_wermgr_comctl32.yml b/rules/windows/image_load/image_load_side_load_wermgr_comctl32.yml
index d7692fc59..39a6d77ca 100644
--- a/rules/windows/image_load/image_load_side_load_wermgr_comctl32.yml
+++ b/rules/windows/image_load/image_load_side_load_wermgr_comctl32.yml
@@ -1,7 +1,7 @@
 title: Potential DLL Sideloading Via comctl32.dll
 id: 6360757a-d460-456c-8b13-74cf0e60cceb
 status: experimental
-description: Detects potential DLL sideloading using comctl32.dll via "wermgr.exe" to obtain system privileges
+description: Detects potential DLL sideloading using comctl32.dll to obtain system privileges
 references:
 - https://github.com/binderlabs/DirCreate2System
 - https://github.com/sailay1996/awesome_windows_logical_bugs/blob/60cbb23a801f4c3195deac1cc46df27c225c3d07/dir_create2system.txt
From 05bdb9af749426d392d5d3ac0454f373df33d816 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 19 Dec 2022 19:28:23 +0100
Subject: [PATCH 225/303] fix: rename files to fit logic
---
 ...le_event_win_system32_local_folder_privilege_escalation.yml} | 2 +-
 ...ad_wermgr_comctl32.yml => image_load_side_load_comctl32.yml} | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
 rename rules/windows/file/file_event/{file_event_win_wermgr_local_privilege_escalation.yml => file_event_win_system32_local_folder_privilege_escalation.yml} (94%)
 rename rules/windows/image_load/{image_load_side_load_wermgr_comctl32.yml => image_load_side_load_comctl32.yml} (100%)
diff --git a/rules/windows/file/file_event/file_event_win_wermgr_local_privilege_escalation.yml b/rules/windows/file/file_event/file_event_win_system32_local_folder_privilege_escalation.yml
similarity index 94%
rename from rules/windows/file/file_event/file_event_win_wermgr_local_privilege_escalation.yml
rename to rules/windows/file/file_event/file_event_win_system32_local_folder_privilege_escalation.yml
index 5772f1e59..28746ba13 100644
--- a/rules/windows/file/file_event/file_event_win_wermgr_local_privilege_escalation.yml
+++ b/rules/windows/file/file_event/file_event_win_system32_local_folder_privilege_escalation.yml
@@ -1,4 +1,4 @@
-title: Potential Privilege Escalation Attempt Via Wermgr.Exe.Local
+title: Potential Privilege Escalation Attempt Via .Exe.Local Technique
 id: 07a99744-56ac-40d2-97b7-2095967b0e03
 status: experimental
 description: Detects potential privilege escalation attempt via the creation of the "*.Exe.Local" folder inside the "System32" directory in order to sideload "comctl32.dll"
diff --git a/rules/windows/image_load/image_load_side_load_wermgr_comctl32.yml b/rules/windows/image_load/image_load_side_load_comctl32.yml
similarity index 100%
rename from rules/windows/image_load/image_load_side_load_wermgr_comctl32.yml
rename to rules/windows/image_load/image_load_side_load_comctl32.yml
From ba52dc2aa81b2cbb80f574cab503e5e6a39af4c0 Mon Sep 17 00:00:00 2001
From: MetaOSINT <99858125+tropChaud@users.noreply.github.com>
Date: Mon, 19 Dec 2022 23:20:13 -0500
Subject: [PATCH 226/303] T1539 Steal Web Session Cookie rules
Update existing rule and add one new rule related to Steal Web Session Cookie technique (T1539)
---
 ...roc_creation_win_sqlite_chrome_cookies.yml | 25 +++++++++++++++++++
 ...oc_creation_win_sqlite_firefox_cookies.yml | 5 +++-
 2 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100644 rules/windows/process_creation/proc_creation_win_sqlite_chrome_cookies.yml
diff --git a/rules/windows/process_creation/proc_creation_win_sqlite_chrome_cookies.yml b/rules/windows/process_creation/proc_creation_win_sqlite_chrome_cookies.yml
new file mode 100644
index 000000000..654f56f12
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_sqlite_chrome_cookies.yml
@@ -0,0 +1,25 @@
+title: SQLite Chrome Cookie DB Access
+status: experimental
+description: Detect use of sqlite binary to query the Chrome Cookies database and steal the cookie data contained within it
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1539/T1539.md#atomic-test-2---steal-chrome-cookies-windows
+author: TropChaud
+date: 2022/12/19
+tags:
+ - attack.credential_access
+ - attack.t1539
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_sql:
+ - Product: SQLite
+ - Image|endswith:
+ - '\sqlite.exe'
+ - '\sqlite3.exe'
+ selection_firefox:
+ CommandLine|contains: '\Google\Chrome\User Data\Default\Network\Cookies'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_sqlite_firefox_cookies.yml b/rules/windows/process_creation/proc_creation_win_sqlite_firefox_cookies.yml
index d013d6b35..ab488a002 100644
--- a/rules/windows/process_creation/proc_creation_win_sqlite_firefox_cookies.yml
+++ b/rules/windows/process_creation/proc_creation_win_sqlite_firefox_cookies.yml
@@ -6,6 +6,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1539/T1539.md#atomic-test-1---steal-firefox-cookies-windows
 author: frack113
 date: 2022/04/08
+modified: 2022/12/19
 tags:
 - attack.credential_access
 - attack.t1539
@@ -15,7 +16,9 @@ logsource:
 detection:
 selection_sql:
 - Product: SQLite
- - Image|endswith: '\sqlite.exe'
+ - Image|endswith:
+ - '\sqlite.exe'
+ - '\sqlite3.exe'
 selection_firefox:
 CommandLine|contains: 'cookies.sqlite'
 condition: all of selection_*
From 22761ec2c377e1f677d86db1d01a65ef5478aa0a Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 20 Dec 2022 10:25:03 +0100
Subject: [PATCH 227/303] fix: add missing id
---
 .../process_creation/proc_creation_win_sqlite_chrome_cookies.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rules/windows/process_creation/proc_creation_win_sqlite_chrome_cookies.yml b/rules/windows/process_creation/proc_creation_win_sqlite_chrome_cookies.yml
index 654f56f12..1176db012 100644
--- a/rules/windows/process_creation/proc_creation_win_sqlite_chrome_cookies.yml
+++ b/rules/windows/process_creation/proc_creation_win_sqlite_chrome_cookies.yml
@@ -1,4 +1,5 @@
 title: SQLite Chrome Cookie DB Access
+id: 24c77512-782b-448a-8950-eddb0785fc71
 status: experimental
 description: Detect use of sqlite binary to query the Chrome Cookies database and steal the cookie data contained within it
 references:
From de5345cfd20428b3cb42b355996f934299b96ef2 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 20 Dec 2022 10:25:52 +0100
Subject: [PATCH 228/303] fix: add permalink instead of master
---
 .../proc_creation_win_sqlite_chrome_cookies.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_sqlite_chrome_cookies.yml b/rules/windows/process_creation/proc_creation_win_sqlite_chrome_cookies.yml
index 1176db012..75d842f59 100644
--- a/rules/windows/process_creation/proc_creation_win_sqlite_chrome_cookies.yml
+++ b/rules/windows/process_creation/proc_creation_win_sqlite_chrome_cookies.yml
@@ -3,7 +3,7 @@ id: 24c77512-782b-448a-8950-eddb0785fc71 status: experimental description: Detect use of sqlite binary to query the Chrome Cookies database and steal the cookie data contained within it references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1539/T1539.md#atomic-test-2---steal-chrome-cookies-windows + - https://github.com/redcanaryco/atomic-red-team/blob/84d9edaaaa2c5511144521b0e4af726d1c7276ce/atomics/T1539/T1539.md#atomic-test-2---steal-chrome-cookies-windows author: TropChaud date: 2022/12/19 tags: From 3f48eb4963657da1b7c7efbf6416b77f87659055 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 20 Dec 2022 10:42:21 +0100 Subject: [PATCH 229/303] fix: selection name and add old path --- .../proc_creation_win_sqlite_chrome_cookies.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_sqlite_chrome_cookies.yml b/rules/windows/process_creation/proc_creation_win_sqlite_chrome_cookies.yml index 75d842f59..f1d7d7055 100644 --- a/rules/windows/process_creation/proc_creation_win_sqlite_chrome_cookies.yml +++ b/rules/windows/process_creation/proc_creation_win_sqlite_chrome_cookies.yml @@ -18,8 +18,10 @@ detection: - Image|endswith: - '\sqlite.exe' - '\sqlite3.exe' - selection_firefox: - CommandLine|contains: '\Google\Chrome\User Data\Default\Network\Cookies' + selection_chrome: + CommandLine|contains: + - '\Google\Chrome\User Data\Default\Network\Cookies' # Latest chrome versions + - '\Google\Chrome\User Data\Default\Cookies' # Older chrome versions condition: all of selection_* falsepositives: - Unknown From 7679d057061ba0cb40a0a7a91c4aaf8c46d797fb Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 20 Dec 2022 13:23:32 +0100 Subject: [PATCH 230/303] fix: fp found in testing exchange server --- .../process_access_win_shellcode_inject_msf_empire.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml b/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml index f590e937f..d0d078105 100644 --- a/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml +++ b/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml @@ -4,7 +4,7 @@ status: experimental description: Detects potential shellcode injection used by tools such as Metasploit's migrate and Empire's psinject author: Bhabesh Raj date: 2022/03/11 -modified: 2022/12/15 +modified: 2022/12/20 tags: - attack.defense_evasion - attack.privilege_escalation @@ -57,6 +57,11 @@ detection: SourceImage|startswith: 'C:\Program Files\Microsoft Visual Studio\' SourceImage|endswith: '\MSBuild\Current\Bin\MSBuild.exe' TargetImage: C:\Program Files\Dell\DellDataVault\DDVDataCollector.exe + filter_wmiprvese: + SourceImage: 'C:\Windows\System32\Wbem\Wmiprvse.exe' + TargetImage: 'C:\Windows\system32\lsass.exe' + CallTrace|startswith: 'C:\Windows\SYSTEM32\ntdll.dll' + CallTrace|contains: '\System.ni.dll+' condition: selection and not 1 of filter_* falsepositives: - Unknown From 59e4dc3e1ce1eb52e418e069f617ead9cd94f624 Mon Sep 17 00:00:00 2001 From: zakibro <48967550+zakibro@users.noreply.github.com> Date: Tue, 20 Dec 2022 15:51:40 +0100 Subject: [PATCH 231/303] Modifying Creation Of An User Account Added additional test for record type of ADD_USER which should be generated whether you have created auditd rule or not. --- rules/linux/auditd/lnx_auditd_create_account.yml | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) 
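Review bot: `filter_wmiprvese` excludes every access from `C:\Windows\System32\Wbem\Wmiprvse.exe` to `lsass.exe` whose call trace starts in ntdll and passes through `\System.ni.dll+`; the only thing tying it to the Exchange false positive named in the commit message is that managed frame, so any .NET code hosted in WmiPrvSE would presumably fall into the same exclusion. Narrowing it to what was actually observed in the sample (a longer `CallTrace` prefix, or the `GrantedAccess` value if it was recorded) would keep the filter specific, and the name should read `filter_wmiprvse`. A comment recording the origin, `# FP observed on Exchange servers, see commit message`, would let the next reviewer judge the exclusion without digging through history. The `selection` and `condition` this filter applies to lie outside the hunk.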
diff --git a/rules/linux/auditd/lnx_auditd_create_account.yml b/rules/linux/auditd/lnx_auditd_create_account.yml index ae841cf4d..aa2dd74be 100644 --- a/rules/linux/auditd/lnx_auditd_create_account.yml +++ b/rules/linux/auditd/lnx_auditd_create_account.yml @@ -2,11 +2,13 @@ title: Creation Of An User Account id: 759d0d51-bc99-4b5e-9add-8f5b2c8e7512 status: test description: Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system. + 'add_user_record_type' detection is based on ADD_USER record type which is going to generate whether you have created an auditd rule or not. references: - - 'MITRE Attack technique T1136; Create Account ' -author: Marie Euler + - https://attack.mitre.org/techniques/T1136/ + - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files +author: Marie Euler, Pawel Mazur date: 2020/05/18 -modified: 2021/11/27 +modified: 2022/12/20 tags: - attack.t1136.001 - attack.persistence @@ -14,10 +16,12 @@ logsource: product: linux service: auditd detection: - selection: + syscall_record_type: type: 'SYSCALL' exe|endswith: '/useradd' - condition: selection + add_user_record_type: + type: 'ADD_USER' # it appears that it doesn't require an auditd rule + condition: syscall_record_type or add_user_record_type falsepositives: - Admin activity level: medium From 1a117d38e7230f31074969328869b9e912a24d1a Mon Sep 17 00:00:00 2001 From: zakibro <48967550+zakibro@users.noreply.github.com> Date: Tue, 20 Dec 2022 19:30:26 +0100 Subject: [PATCH 232/303] Update rules/linux/auditd/lnx_auditd_create_account.yml Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> --- rules/linux/auditd/lnx_auditd_create_account.yml | 1 - 1 file changed, 1 deletion(-) 
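Review bot: `add_user_record_type` matches every `type: 'ADD_USER'` record with no further constraint, so a failed account creation fires as well, and on a host that also has an auditd rule for useradd the SYSCALL record and the ADD_USER record for the same event each trigger the rule, giving two alerts per `useradd`. If the parsed record exposes the audit result (the raw line carries `res=success` or `res=failed`), adding it to this selection keeps the rule on successful creations, and the double hit deserves a sentence under `falsepositives:` or a comment. The comment `# it appears that it doesn't require an auditd rule` records a guess; the later hunk from patch 236 replaces it with what was tested on Ubuntu and CentOS, which is the right level of confidence for a rule comment. The unconstrained ADD_USER match is carried unchanged into the renamed `selection_add_user_record_type` in the hunk from patch 233 below.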
diff --git a/rules/linux/auditd/lnx_auditd_create_account.yml b/rules/linux/auditd/lnx_auditd_create_account.yml index aa2dd74be..2050b9d6c 100644 --- a/rules/linux/auditd/lnx_auditd_create_account.yml +++ b/rules/linux/auditd/lnx_auditd_create_account.yml @@ -4,7 +4,6 @@ status: test description: Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system. 'add_user_record_type' detection is based on ADD_USER record type which is going to generate whether you have created an auditd rule or not. references: - - https://attack.mitre.org/techniques/T1136/ - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files author: Marie Euler, Pawel Mazur date: 2020/05/18 From 592e0062a1bbf72b2b42d2e35d3826868d4219bf Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 20 Dec 2022 22:14:14 +0100 Subject: [PATCH 233/303] fix: update condition and add new ref --- rules/linux/auditd/lnx_auditd_create_account.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/rules/linux/auditd/lnx_auditd_create_account.yml b/rules/linux/auditd/lnx_auditd_create_account.yml index 2050b9d6c..da6ac51c2 100644 --- a/rules/linux/auditd/lnx_auditd_create_account.yml +++ b/rules/linux/auditd/lnx_auditd_create_account.yml 
@@ -2,9 +2,9 @@ title: Creation Of An User Account id: 759d0d51-bc99-4b5e-9add-8f5b2c8e7512 status: test description: Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system. - 'add_user_record_type' detection is based on ADD_USER record type which is going to generate whether you have created an auditd rule or not. references: - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files + - https://access.redhat.com/articles/4409591#audit-record-types-2 author: Marie Euler, Pawel Mazur date: 2020/05/18 modified: 2022/12/20 @@ -15,12 +15,12 @@ logsource: product: linux service: auditd detection: - syscall_record_type: + selection_syscall_record_type: type: 'SYSCALL' exe|endswith: '/useradd' - add_user_record_type: - type: 'ADD_USER' # it appears that it doesn't require an auditd rule - condition: syscall_record_type or add_user_record_type + selection_add_user_record_type: + type: 'ADD_USER' # This is logged with having to configure audit rules on both Ubuntu and Centos + condition: 1 of selection_* falsepositives: - Admin activity level: medium From e72bc1dcaf7fe07d70488676d6879e45b3639034 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 20 Dec 2022 22:14:46 +0100 Subject: [PATCH 234/303] fix: add reference --- rules/linux/auditd/lnx_auditd_create_account.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/linux/auditd/lnx_auditd_create_account.yml b/rules/linux/auditd/lnx_auditd_create_account.yml index da6ac51c2..de03d334f 100644 --- a/rules/linux/auditd/lnx_auditd_create_account.yml +++ b/rules/linux/auditd/lnx_auditd_create_account.yml 
@@ -5,6 +5,7 @@ description: Detects the creation of a new user account. Such accounts may be us references: - https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files - https://access.redhat.com/articles/4409591#audit-record-types-2 + - https://www.youtube.com/watch?v=VmvY5SQm5-Y&ab_channel=M45C07 author: Marie Euler, Pawel Mazur date: 2020/05/18 modified: 2022/12/20 From 6679347fe3c9b14228b5c3a0347b2d5af3ed6c95 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 20 Dec 2022 22:25:49 +0100 Subject: [PATCH 235/303] fix: rename files to follow convention --- ...link_osk_cmd.yml => proc_creation_win_create_link_osk_cmd.yml} | 0 ..._execution.yml => proc_creation_win_susp_rcedit_execution.yml} | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename rules/windows/process_creation/{proc_creation_create_link_osk_cmd.yml => proc_creation_win_create_link_osk_cmd.yml} (100%) rename rules/windows/process_creation/{proc_creation_susp_rcedit_execution.yml => proc_creation_win_susp_rcedit_execution.yml} (100%) diff --git a/rules/windows/process_creation/proc_creation_create_link_osk_cmd.yml b/rules/windows/process_creation/proc_creation_win_create_link_osk_cmd.yml similarity index 100% rename from rules/windows/process_creation/proc_creation_create_link_osk_cmd.yml rename to rules/windows/process_creation/proc_creation_win_create_link_osk_cmd.yml diff --git a/rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_rcedit_execution.yml similarity index 100% rename from rules/windows/process_creation/proc_creation_susp_rcedit_execution.yml rename to rules/windows/process_creation/proc_creation_win_susp_rcedit_execution.yml From c36acb333f136f091880e73260d2f5233f86e045 Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 20 Dec 2022 22:28:49 +0100 Subject: [PATCH 236/303] fix: typo in comment --- rules/linux/auditd/lnx_auditd_create_account.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/linux/auditd/lnx_auditd_create_account.yml b/rules/linux/auditd/lnx_auditd_create_account.yml index de03d334f..71a21f5b2 100644 --- a/rules/linux/auditd/lnx_auditd_create_account.yml +++ b/rules/linux/auditd/lnx_auditd_create_account.yml @@ -20,7 +20,7 @@ detection: type: 'SYSCALL' exe|endswith: '/useradd' selection_add_user_record_type: - type: 'ADD_USER' # This is logged with having to configure audit rules on both Ubuntu and Centos + type: 'ADD_USER' # This is logged without having to configure audit rules on both Ubuntu and Centos condition: 1 of selection_* falsepositives: - Admin activity From beccf416dabaad2118a05efc25f8dbab6dfb9dc8 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 20 Dec 2022 23:44:44 +0100 Subject: [PATCH 237/303] feat: add two new rules --- .../win_security_dot_net_etw_tamper.yml | 4 +- ..._creation_win_renamed_office_processes.yml | 39 ++++++++++++++++ .../registry_set_suspicious_env_variables.yml | 44 +++++++++++++++++++ 3 files changed, 85 insertions(+), 2 deletions(-) create mode 100644 rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml create mode 100644 rules/windows/registry/registry_set/registry_set_suspicious_env_variables.yml diff --git a/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml b/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml index e7225550f..8787ac6c4 100644 --- a/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml +++ b/rules/windows/builtin/security/win_security_dot_net_etw_tamper.yml 
@@ -18,7 +18,7 @@ references: - https://i.blackhat.com/EU-21/Wednesday/EU-21-Teodorescu-Veni-No-Vidi-No-Vici-Attacks-On-ETW-Blind-EDRs.pdf author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020/06/05 -modified: 2022/12/09 +modified: 2022/12/20 tags: - attack.defense_evasion - attack.t1112 @@ -34,7 +34,7 @@ detection: NewValue: 0 selection_complus: EventID: 4657 - ObjectName|endswith: '\Environment\' + ObjectName|contains: '\Environment' ObjectValueName: - 'COMPlus_ETWEnabled' - 'COMPlus_ETWFlags' diff --git a/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml b/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml new file mode 100644 index 000000000..808084ae0 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml @@ -0,0 +1,39 @@ +title: Renamed Office Binary Execution +id: 0b0cd537-fc77-4e6e-a973-e53495c1083d +status: experimental +description: Detects the execution of a renamed office binaries +references: + - https://infosec.exchange/@sbousseaden/109542254124022664 +author: Nasreddine Bencherchali +date: 2022/12/20 +tags: + - attack.defense_evasion +logsource: + category: process_creation + product: windows +detection: + selection: + - OriginalFileName: + - 'Excel.exe' + - 'MSACCESS.EXE' + - 'OneNote.exe' + - 'POWERPNT.EXE' + - 'WinWord.exe' + - Description: + - 'Microsoft Access' + - 'Microsoft Excel' + - 'Microsoft OneNote' + - 'Microsoft PowerPoint' + - 'Microsoft Word' + - Product|contains: Microsoft Office' + filter: + Image|endswith: + - '\EXCEL.exe' + - '\MSACCESS.exe' + - '\ONENOTE.EXE' + - '\POWERPNT.EXE' + - '\WINWORD.exe' + condition: selection and not filter +falsepositives: + - Unknown +level: high diff --git a/rules/windows/registry/registry_set/registry_set_suspicious_env_variables.yml b/rules/windows/registry/registry_set/registry_set_suspicious_env_variables.yml new file mode 100644 index 000000000..fee89d500 --- /dev/null 
+++ b/rules/windows/registry/registry_set/registry_set_suspicious_env_variables.yml @@ -0,0 +1,44 @@ +title: Suspicious Environment Variable Has Been Registered +id: 966315ef-c5e1-4767-ba25-fce9c8de3660 +status: test +description: Detects the creation of user-specific or system-wide environement variables via the registry. Which contains suspicious commands and strings +references: + - https://infosec.exchange/@sbousseaden/109542254124022664 +author: Nasreddine Bencherchali +date: 2022/12/20 +tags: + - attack.defense_evasion + - attack.persistence +logsource: + product: windows + category: registry_set +detection: + selection_main: + EventType: SetValue + TargetObject|contains: '\Environment\' + selection_details: + Details: + - 'powershell' + - 'pwsh' + Details|contains: + # Add more suspicious strings in env variables below + - '\AppData\Local\Temp\' + - 'C:\Users\Public\' + # Base64 MZ Header + - 'TVqQAAMAAAAEAAAA' # MZ.......... + - 'TVpQAAIAAAAEAA8A' + - 'TVqAAAEAAAAEABAA' + - 'TVoAAAAAAAAAAAAA' + - 'TVpTAQEAAAAEAAAA' + # Base64 Invoke- (UTF-8) + - 'SW52b2tlL' + - 'ludm9rZS' + - 'JbnZva2Ut' + # Base64 Invoke- (UTF-16LE) + - 'SQBuAHYAbwBrAGUALQ' + - 'kAbgB2AG8AawBlAC0A' + - 'JAG4AdgBvAGsAZQAtA' + condition: all of selection_* +falsepositives: + - Unknown +level: high From 2580b84de33dff05a012732c2fbc5ad137fcbb10 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 21 Dec 2022 00:07:51 +0100 Subject: [PATCH 238/303] fix: typo --- .../registry_set/registry_set_globalflags_persistence.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/registry/registry_set/registry_set_globalflags_persistence.yml b/rules/windows/registry/registry_set/registry_set_globalflags_persistence.yml index ef3e0c318..ac9afd353 100755 --- a/rules/windows/registry/registry_set/registry_set_globalflags_persistence.yml +++ b/rules/windows/registry/registry_set/registry_set_globalflags_persistence.yml 
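Review bot: the `# Base64 MZ Header` block lists only encodings in which the MZ header sits at a base64 boundary (every entry starts with `TV`), whereas the `Invoke-` entries just below it correctly carry all three alignment offsets (`SW52b2tlL`, `ludm9rZS`, `JbnZva2Ut`); an executable embedded after one or two leading bytes is missed, and the two shifted forms of each MZ prefix should be added for consistency with the `Invoke-` entries. Separately, `selection_details` is a mapping with two keys, so `Details` must equal `powershell`/`pwsh` exactly and at the same time contain one of the `Details|contains` strings; as written the selection cannot match and the rule is inert until the two entries are joined by OR, which the hunk from patch 240 further down does. A one-line comment on the alignment point, `# three base64 alignments per marker, as for Invoke- below`, would keep future additions consistent.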
@@ -4,7 +4,7 @@ related: - id: c81fe886-cac0-4913-a511-2822d72ff505 type: obsoletes status: test -description: Detects regisrry persistence technique using the GlobalFlags and SilentProcessExit keys +description: Detects registry persistence technique using the GlobalFlags and SilentProcessExit keys references: - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/ - https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/ From 7c46e4c3c058e44f654ae5e82fb4f1bea066430d Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 21 Dec 2022 00:11:04 +0100 Subject: [PATCH 239/303] fix: fix #2479 --- .../create_remote_thread_win_susp_remote_thread_source.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_source.yml b/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_source.yml index fd56e9755..d94154070 100644 --- a/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_source.yml +++ b/rules/windows/create_remote_thread/create_remote_thread_win_susp_remote_thread_source.yml @@ -98,6 +98,11 @@ detection: filter_nvidia: SourceImage: 'C:\Windows\explorer.exe' TargetImage: 'C:\Program Files\NVIDIA Corporation\NVIDIA GeForce Experience\NVIDIA GeForce Experience.exe' + #filter_powerpnt: + # # Raised by the following issue: https://github.com/SigmaHQ/sigma/issues/2479 + # SourceImage|contains: '\Microsoft Office\' + # SourceImage|endswith: '\POWERPNT.EXE' + # TargetImage: 'C:\Windows\System32\csrss.exe' condition: selection and not 1 of filter* fields: - ComputerName From 4b6f5f143da7dca94469f8cb2f918222ead33ba0 Mon Sep 17 00:00:00 2001 
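Review bot: the five lines added for `filter_powerpnt` are all commented out, so the commit changes no behaviour even though its message says it fixes #2479; the rule still fires on whatever PowerPoint-to-`csrss.exe` thread creation the issue presumably describes. If the exclusion is not wanted, the case belongs under `falsepositives:` (outside the hunk) rather than as dead configuration inside `detection:`; if it is wanted, the filter should be enabled as written. Either way a one-line reason for leaving it disabled, e.g. `# kept disabled: csrss.exe as a target is too sensitive to exclude on image name alone`, would let the next reader decide without reopening the issue.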
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 21 Dec 2022 00:18:44 +0100 Subject: [PATCH 240/303] feat: add more suspicious cases Co-authored-by: Florian Roth --- .../registry_set_suspicious_env_variables.yml | 20 +++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/rules/windows/registry/registry_set/registry_set_suspicious_env_variables.yml b/rules/windows/registry/registry_set/registry_set_suspicious_env_variables.yml index fee89d500..186a0e114 100644 --- a/rules/windows/registry/registry_set/registry_set_suspicious_env_variables.yml +++ b/rules/windows/registry/registry_set/registry_set_suspicious_env_variables.yml @@ -17,10 +17,10 @@ detection: EventType: SetValue TargetObject|contains: '\Environment\' selection_details: - Details: + - Details: - 'powershell' - 'pwsh' - Details|contains: + - Details|contains: # Add more suspicious strings in env variables below - '\AppData\Local\Temp\' - 'C:\Users\Public\' @@ -38,6 +38,22 @@ detection: - 'SQBuAHYAbwBrAGUALQ' - 'kAbgB2AG8AawBlAC0A' - 'JAG4AdgBvAGsAZQAtA' + - Details|startswith: # https://gist.github.com/Neo23x0/6af876ee72b51676c82a2db8d2cd3639 + - 'SUVY' + - 'SQBFAF' + - 'SQBuAH' + - 'cwBhA' + - 'aWV4' + - 'aQBlA' + - 'R2V0' + - 'dmFy' + - 'dgBhA' + - 'dXNpbm' + - 'H4sIA' + - 'Y21k' + - 'cABhAH' + - 'Qzpc' + - 'Yzpc' condition: all of selection_* falsepositives: - Unknown From 7f4a84963ccd8cded247a4e871102315be20ebde Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 21 Dec 2022 08:56:26 +0100 Subject: [PATCH 241/303] style: reordered fields --- .../windows/proc_creation_win_mavinject_proc_inj.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules-deprecated/windows/proc_creation_win_mavinject_proc_inj.yml b/rules-deprecated/windows/proc_creation_win_mavinject_proc_inj.yml index 819be68db..d168fe6c9 100644 --- a/rules-deprecated/windows/proc_creation_win_mavinject_proc_inj.yml 
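Review bot: the exact-match entry `- Details:` with `'powershell'`/`'pwsh'` fires only when the whole registry value equals that word, a much narrower condition than its `contains`/`startswith` siblings, and it reads like an oversight; if it is deliberate — a `contains` on `powershell` would presumably match every `PSModulePath`-style value that embeds `\WindowsPowerShell\` under `Session Manager\Environment` — say so with a comment such as `# exact match on purpose: 'contains' would hit PSModulePath-style values`. The new `Details|startswith` list is documented only by the gist link; a word per entry, as the MZ block above has, would make it reviewable without decoding (for instance `'Qzpc'` and `'Yzpc'` are the base64 forms of `C:\` and `c:\`). `selection_main` and the `condition:` line are outside the hunk.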
+++ b/rules-deprecated/windows/proc_creation_win_mavinject_proc_inj.yml @@ -9,6 +9,9 @@ references: - https://twitter.com/Hexacorn/status/776122138063409152 date: 2018/12/12 modified: 2021/11/27 +tags: + - attack.t1055.001 + - attack.t1218 logsource: category: process_creation product: windows @@ -19,6 +22,3 @@ detection: falsepositives: - Unknown level: high -tags: - - attack.t1055.001 - - attack.t1218 From 7e7cbe41c3bb653e4789d37d4c412201e468fab1 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 21 Dec 2022 08:57:05 +0100 Subject: [PATCH 242/303] docs: change modified date --- .../process_creation/proc_creation_win_create_link_osk_cmd.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/process_creation/proc_creation_win_create_link_osk_cmd.yml b/rules/windows/process_creation/proc_creation_win_create_link_osk_cmd.yml index dcfdc0073..fe58e5519 100644 --- a/rules/windows/process_creation/proc_creation_win_create_link_osk_cmd.yml +++ b/rules/windows/process_creation/proc_creation_win_create_link_osk_cmd.yml @@ -7,6 +7,7 @@ references: - https://ss64.com/nt/mklink.html author: frack113 date: 2022/12/11 +modified: 2022/12/20 tags: - attack.credential_access - attack.t1546.008 From 93729878014d719d502430668786c5e7475ba3ff Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 21 Dec 2022 08:57:37 +0100 Subject: [PATCH 243/303] fix: missing upper tick Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com> --- .../proc_creation_win_renamed_office_processes.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml b/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml index 808084ae0..fb0dd044d 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml 
@@ -25,7 +25,7 @@ detection: - 'Microsoft OneNote' - 'Microsoft PowerPoint' - 'Microsoft Word' - - Product|contains: Microsoft Office' + - Product|contains: 'Microsoft Office' filter: Image|endswith: - '\EXCEL.exe' From b157bef3de27d23e219201d2b644f47f2e87f813 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 21 Dec 2022 08:59:24 +0100 Subject: [PATCH 244/303] fix: link to correct issue --- tests/test_rules.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/test_rules.py b/tests/test_rules.py index d0756b635..678c6b264 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py @@ -65,7 +65,7 @@ class TestRules(unittest.TestCase): # "There are rule files with extensions other than .yml") def test_legal_trademark_violations(self): - # See Issue # https://github.com/SigmaHQ/sigma/issues/1014 + # See Issue # https://github.com/SigmaHQ/sigma/issues/1028 files_with_legal_issues = [] for file in self.yield_next_rule_file_path(self.path_to_rules): From f9d1eb1f2d9789ccb58811244bb9c5e1ac0a3ae3 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 21 Dec 2022 09:18:06 +0100 Subject: [PATCH 245/303] Update proc_creation_win_renamed_office_processes.yml --- .../proc_creation_win_renamed_office_processes.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml b/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml index fb0dd044d..ec89ae388 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_office_processes.yml @@ -25,7 +25,7 @@ detection: - 'Microsoft OneNote' - 'Microsoft PowerPoint' - 'Microsoft Word' - - Product|contains: 'Microsoft Office' + # - Product|contains: 'Microsoft Office' # prone to many FPs filter: Image|endswith: - '\EXCEL.exe' From 120196b2fc09513ddcd4c9534be0ca403079c88d Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 21 Dec 2022 10:33:31 +0100 Subject: [PATCH 246/303] fix: resolve #2613 --- rules/linux/auditd/lnx_auditd_cve_2021_4034.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml b/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml index 9db5ef2f8..3bf97f06c 100644 --- a/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml +++ b/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml @@ -1,13 +1,14 @@ -title: CVE-2021-4034 Exploitation Attempt +title: Potential CVE-2021-4034 Exploitation Attempt id: 40a016ab-4f48-4eee-adde-bbf612695c53 status: experimental -description: Detects exploitation attempt of vulnerability described in CVE-2021-4034. +description: Detects exploitation attempt of the vulnerability described in CVE-2021-4034. references: - https://github.com/berdav/CVE-2021-4034 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4034 - https://access.redhat.com/security/cve/CVE-2021-4034 -author: 'Pawel Mazur' +author: Pawel Mazur date: 2022/01/27 +modified: 2022/12/21 tags: - attack.privilege_escalation - attack.t1068 @@ -22,7 +23,7 @@ detection: type: SYSCALL comm: pkexec exe: '/usr/bin/pkexec' - condition: proctitle and syscall + condition: proctitle near syscall falsepositives: - Unknown level: high From 3b6100ccd9ec98cab3906852090cc304ec155d3c Mon Sep 17 00:00:00 2001 From: sai prashanth pulisetti <40313110+prashanthpulisetti@users.noreply.github.com> Date: Wed, 21 Dec 2022 17:57:22 +0530 Subject: [PATCH 247/303] Create Possible Manipulation Of Tokens on a Windows computers remotely Detected via impersonate (#3803) Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> --- .../proc_creation_win_impersonate_tool.yml | 38 +++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 rules/windows/process_creation/proc_creation_win_impersonate_tool.yml 
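Review bot: the new `condition: proctitle near syscall` only works where the conversion backend implements `near`, which few do; pipelines that previously produced a (never-matching) query for `proctitle and syscall` may now fail to convert at all. The intent is right — a PROCTITLE record and a SYSCALL record are separate audit events, so `and` could never be satisfied by a single record — but that reasoning and the backend caveat belong in the rule, e.g. a comment above the condition: `# PROCTITLE and SYSCALL are separate records of one audit event; 'near' needs a backend with event correlation`. The `proctitle` selection is outside the hunk.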
diff --git a/rules/windows/process_creation/proc_creation_win_impersonate_tool.yml b/rules/windows/process_creation/proc_creation_win_impersonate_tool.yml new file mode 100644 index 000000000..417f3166e --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_impersonate_tool.yml @@ -0,0 +1,38 @@ +title: Impersonate Execution +id: cf0c254b-22f1-4b2b-8221-e137b3c0af94 +status: experimental +description: Detects execution of the Impersonate tool. Which can be used to manipulate tokens on a Windows computers remotely (PsExec/WmiExec) or interactively +references: + - https://sensepost.com/blog/2022/abusing-windows-tokens-to-compromise-active-directory-without-touching-lsass/ + - https://github.com/sensepost/impersonate +author: Sai Prashanth Pulisetti @pulisettis +date: 2022/12/21 +tags: + - attack.privilege_escalation + - attack.defense_evasion + - attack.t1134.001 + - attack.t1134.003 +logsource: + product: windows + category: process_creation +detection: + selection_commandline_exe: + CommandLine|contains: 'impersonate.exe' + selection_commandline_opt: + CommandLine|contains: + - ' list ' + - ' exec ' + - ' adduser ' + selection_hash_plain: + Hashes|contains: + - 'MD5=9520714AB576B0ED01D1513691377D01' + - 'SHA256=E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A' + - 'IMPHASH=0A358FFC1697B7A07D0E817AC740DF62' + selection_hash_ext: + - MD5: '9520714AB576B0ED01D1513691377D01' + - SHA256: 'E81CC96E2118DC4FBFE5BAD1604E0AC7681960143E2101E1A024D52264BB0A8A' + - IMPHASH: '0A358FFC1697B7A07D0E817AC740DF62' + condition: all of selection_commandline_* or 1 of selection_hash_* +falsepositives: + - Unknown +level: medium From c97463e77475f16a814e075f637d066c3807312a Mon Sep 17 00:00:00 2001 
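Review bot: `selection_commandline_opt` wraps each sub-command in spaces, so `' list '` requires a trailing space and the plain invocation `impersonate.exe list`, where the argument is the last token, is not matched; the same applies to `' exec '` and `' adduser '` at the end of a command line. Because `selection_commandline_exe` already anchors on `impersonate.exe`, dropping the trailing space — `' list'`, `' exec'`, `' adduser'` — loses little precision. The two hash selections pin a single build, so the command-line branch is the one that will do the work in practice; a comment naming the release the hashes were taken from would make them maintainable.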
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 21 Dec 2022 17:59:46 +0100 Subject: [PATCH 248/303] fix: update linux rules --- .../proc_creation_lnx_sed_command.yml | 23 --------- ... proc_creation_lnx_usermod_susp_group.yml} | 49 ++++++++++--------- 2 files changed, 25 insertions(+), 47 deletions(-) delete mode 100644 rules/linux/process_creation/proc_creation_lnx_sed_command.yml rename rules/linux/process_creation/{proc_creation_lnx_usermod_command.yml => proc_creation_lnx_usermod_susp_group.yml} (51%) diff --git a/rules/linux/process_creation/proc_creation_lnx_sed_command.yml b/rules/linux/process_creation/proc_creation_lnx_sed_command.yml deleted file mode 100644 index 6d2fbb43d..000000000 --- a/rules/linux/process_creation/proc_creation_lnx_sed_command.yml +++ /dev/null @@ -1,23 +0,0 @@ -title: Edit Linux Texts -id: ea3fgcdf3-db86-9f48-hgb3-659a29d4db89 -status: test -description: Detects suspicious commands for edit text using sed -author: TuanLe (GTSC) -date: 2022/03/14 -references: - - https://www.geeksforgeeks.org/sed-command-in-linux-unix-with-examples/ -logsource: - product: linux - category: process_creation -detection: - selection: - Image|contains: - - '/sed' - CommandLine|contains: - - '-i' - condition: selection -falsepositives: - - Legitimate administration activities -level: medium -tags: - - attack.privilege_escalation \ No newline at end of file diff --git a/rules/linux/process_creation/proc_creation_lnx_usermod_command.yml b/rules/linux/process_creation/proc_creation_lnx_usermod_susp_group.yml similarity index 51% rename from rules/linux/process_creation/proc_creation_lnx_usermod_command.yml rename to rules/linux/process_creation/proc_creation_lnx_usermod_susp_group.yml index f5c77ad97..15e18c816 100644 --- a/rules/linux/process_creation/proc_creation_lnx_usermod_command.yml +++ b/rules/linux/process_creation/proc_creation_lnx_usermod_susp_group.yml 
@@ -1,24 +1,25 @@ -title: Add User To Root Group -id: qg3fcgdf3-rd54-9f48-4gh3-659a29b3db89 -status: test -description: Detects add user to root group in linux using usermod -author: TuanLe (GTSC) -date: 2022/03/14 -references: - - https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/ -logsource: - product: linux - category: process_creation -detection: - selection: - Image|contains: - - 'usermod' - CommandLine|contains: - - '-aG root' - - '-aG sudoers' - condition: selection -falsepositives: - - Legitimate administration activities -level: medium -tags: - - attack.privilege_escalation +title: User Added To Root/Sudoers Group Using Usermod +id: 6a50f16c-3b7b-42d1-b081-0fdd3ba70a73 +status: test +description: Detects usage of the "usermod" binary to add users add users to the root or suoders groups +references: + - https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/ + - https://www.configserverfirewall.com/ubuntu-linux/ubuntu-add-user-to-root-group/ +author: TuanLe (GTSC) +date: 2022/12/21 +tags: + - attack.privilege_escalation + - attack.persistence +logsource: + product: linux + category: process_creation +detection: + selection: + Image|endswith: '/usermod' + CommandLine|contains: + - '-aG root' + - '-aG sudoers' + condition: selection +falsepositives: + - Legitimate administrator activities +level: medium From 0fa4f8a4545bd6af996283518ef862428ada38fe Mon Sep 17 00:00:00 2001 From: zakibro <48967550+zakibro@users.noreply.github.com> Date: Wed, 21 Dec 2022 18:16:20 +0100 Subject: [PATCH 249/303] Create lnx_privileged_user_creation.yml Adding new use case for tracking of Creation of privileged user in linux --- .../builtin/lnx_privileged_user_creation.yml | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 rules/linux/builtin/lnx_privileged_user_creation.yml 
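Review bot: `-aG root` and `-aG sudoers` are the only two spellings the selection accepts, so `usermod -a -G root`, `usermod -G root` (without `-a` the supplementary groups are replaced, but the user still lands in root), `--append --groups root` and, above all, the conventional admin groups `sudo` (Debian family) and `wheel` (RHEL family) all pass unnoticed; `sudoers` is the name of the policy file, not of a standard group, so that pattern is unlikely to ever fire. Splitting the option from the group name, as below, covers those spellings without widening the rule to unrelated groups. The description also carries a doubled phrase and a typo: `add users add users to the root or suoders groups` should read `add users to the root, sudo or wheel groups`.
```yaml
detection:
    selection_img:
        Image|endswith: '/usermod'
    selection_opt:
        CommandLine|contains:
            - '-aG '
            - '-a -G '
            - '-G '        # no '-a': replaces the supplementary groups, the user still ends up in the named group
            - '--groups '
    selection_group:
        CommandLine|contains:
            - ' root'
            - ',root'
            - ' sudo'
            - ',sudo'
            - ' wheel'
            - ',wheel'
    condition: all of selection_*
```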
diff --git a/rules/linux/builtin/lnx_privileged_user_creation.yml b/rules/linux/builtin/lnx_privileged_user_creation.yml new file mode 100644 index 000000000..c2ac6436c --- /dev/null +++ b/rules/linux/builtin/lnx_privileged_user_creation.yml @@ -0,0 +1,33 @@ +title: Creation of Privileged User +id: 0ac15ec3-d24f-4246-aa2a-3077bb1cf90e +status: experimental +description: Detects when privileged user is added to the environment. +#The example of the events that could be observed when matching these would be as follow +#Dec 21 16:42:19 testserver useradd[1337]: new user: name=butter1, UID=1000, GID=0, home=/root, shell=/bin/bash +#Dec 21 17:13:54 testserver useradd[1337]: new user: name=john, UID=0, GID=0, home=/home/john, shell=/bin/bash +#Dec 21 17:24:40 testserver useradd[1337]: new user: name=butter3, UID=1000, GID=10, home=/home/butter3, shell=/bin/bash +#Dec 21 17:30:22 testserver useradd[1337]: new user: name=butter4, UID=1000, GID=27, home=/home/butter4, shell=/bin/bash +references: + - https://digital.nhs.uk/cyber-alerts/2018/cc-2825 + - https://linux.die.net/man/8/useradd + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid +author: Pawel Mazur +date: 2022/12/21 +tags: + - attack.t1136.001 + - attack.t1098 + - attack.persistence +logsource: + product: linux +detection: + selection_new_user|contains: + - 'new user' + selection_uids_gids|contains: + - 'GID=0' # root group + - 'UID=0' # root UID + - 'GID=10' # wheel group + - 'GID=27' # sudo group + condition: all of selection* +falsepositives: + - Administrative work +level: high From d51ff694a4b37a409bf4127a8187c25940cf0ae1 Mon Sep 17 00:00:00 2001 
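Review bot: `'GID=10'` in `selection_uids_gids` is a substring keyword, so it also matches `GID=100`, `GID=1000` and `GID=1001`; `GID=1000` is exactly what the rule's own example lines show for an ordinary user's primary group, which makes every routine `useradd` on such a host trip this high-severity rule. The logged format puts a comma straight after each value (`UID=1000, GID=0, home=`), so anchoring on it removes the collision at no cost: `- 'GID=0,'`, `- 'UID=0,'`, `- 'GID=10,'`, `- 'GID=27,'`. `GID=27` has the same problem with `GID=270` and friends, just less often.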
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 21 Dec 2022 19:23:23 +0100 Subject: [PATCH 250/303] fix: rule status --- .../process_creation/proc_creation_lnx_usermod_susp_group.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/linux/process_creation/proc_creation_lnx_usermod_susp_group.yml b/rules/linux/process_creation/proc_creation_lnx_usermod_susp_group.yml
index 15e18c816..fe2386dde 100644
--- a/rules/linux/process_creation/proc_creation_lnx_usermod_susp_group.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_usermod_susp_group.yml
@@ -1,6 +1,6 @@
 title: User Added To Root/Sudoers Group Using Usermod
 id: 6a50f16c-3b7b-42d1-b081-0fdd3ba70a73
-status: test
+status: experimental
 description: Detects usage of the "usermod" binary to add users add users to the root or suoders groups
 references:
 - https://pberba.github.io/security/2021/11/23/linux-threat-hunting-for-persistence-account-creation-manipulation/
From 14f006382abd8ce17e5dd79caa75376a323a2839 Mon Sep 17 00:00:00 2001 From: zakibro <48967550+zakibro@users.noreply.github.com> Date: Wed, 21 Dec 2022 19:31:24 +0100 Subject: [PATCH 251/303] Update rules/linux/builtin/lnx_privileged_user_creation.yml Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com> --- rules/linux/builtin/lnx_privileged_user_creation.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/linux/builtin/lnx_privileged_user_creation.yml b/rules/linux/builtin/lnx_privileged_user_creation.yml
index c2ac6436c..aba3b27ed 100644
--- a/rules/linux/builtin/lnx_privileged_user_creation.yml
+++ b/rules/linux/builtin/lnx_privileged_user_creation.yml
@@ -20,7 +20,7 @@ tags:
 logsource:
 product: linux
 detection:
- selection_new_user|contains:
+ selection_new_user:
 - 'new user'
 selection_uids_gids|contains:
 - 'GID=0' # root group
From a0c07b2fba8c5f8d4b8584b66e6956c81f6bc75c Mon Sep 17 00:00:00 2001 
From: zakibro <48967550+zakibro@users.noreply.github.com> Date: Wed, 21 Dec 2022 19:31:34 +0100 Subject: [PATCH 252/303] Update rules/linux/builtin/lnx_privileged_user_creation.yml Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com> --- rules/linux/builtin/lnx_privileged_user_creation.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/linux/builtin/lnx_privileged_user_creation.yml b/rules/linux/builtin/lnx_privileged_user_creation.yml index aba3b27ed..4dd97c73b 100644 --- a/rules/linux/builtin/lnx_privileged_user_creation.yml +++ b/rules/linux/builtin/lnx_privileged_user_creation.yml @@ -22,7 +22,7 @@ logsource: detection: selection_new_user: - 'new user' - selection_uids_gids|contains: + selection_uids_gids: - 'GID=0' # root group - 'UID=0' # root UID - 'GID=10' # wheel group From 4c7db898470eeb838b640d8acfdb16cbcff8d647 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 21 Dec 2022 20:40:29 +0100 Subject: [PATCH 253/303] fix: improve overall structure --- .../builtin/lnx_privileged_user_creation.yml | 23 ++++++++++--------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/rules/linux/builtin/lnx_privileged_user_creation.yml b/rules/linux/builtin/lnx_privileged_user_creation.yml index 4dd97c73b..ceb66f538 100644 --- a/rules/linux/builtin/lnx_privileged_user_creation.yml +++ b/rules/linux/builtin/lnx_privileged_user_creation.yml 
@@ -1,25 +1,26 @@ -title: Creation of Privileged User +title: Privileged User Has Been Created id: 0ac15ec3-d24f-4246-aa2a-3077bb1cf90e status: experimental -description: Detects when privileged user is added to the environment. -#The example of the events that could be observed when matching these would be as follow -#Dec 21 16:42:19 testserver useradd[1337]: new user: name=butter1, UID=1000, GID=0, home=/root, shell=/bin/bash -#Dec 21 17:13:54 testserver useradd[1337]: new user: name=john, UID=0, GID=0, home=/home/john, shell=/bin/bash -#Dec 21 17:24:40 testserver useradd[1337]: new user: name=butter3, UID=1000, GID=10, home=/home/butter3, shell=/bin/bash -#Dec 21 17:30:22 testserver useradd[1337]: new user: name=butter4, UID=1000, GID=27, home=/home/butter4, shell=/bin/bash +description: Detects the addition of a new user to a privileged group such as "root" or "sudo" references: - https://digital.nhs.uk/cyber-alerts/2018/cc-2825 - https://linux.die.net/man/8/useradd - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid + - https://github.com/redcanaryco/atomic-red-team/blob/25acadc0b43a07125a8a5b599b28bbc1a91ffb06/atomics/T1136.001/T1136.001.md#atomic-test-5---create-a-new-user-in-linux-with-root-uid-and-gid author: Pawel Mazur date: 2022/12/21 tags: + - attack.persistence - attack.t1136.001 - attack.t1098 - - attack.persistence logsource: product: linux + definition: '/var/log/secure on REHL systems or /var/log/auth.log on debian like Systems needs to be collected in order for this detection to work' detection: + # Example of the events that could be observed when matching these would be as follow + # Dec 21 16:42:19 testserver useradd[1337]: new user: name=butter1, UID=1000, GID=0, home=/root, shell=/bin/bash + # Dec 21 17:13:54 testserver useradd[1337]: new user: name=john, UID=0, GID=0, home=/home/john, shell=/bin/bash + # Dec 21 17:24:40 testserver 
useradd[1337]: new user: name=butter3, UID=1000, GID=10, home=/home/butter3, shell=/bin/bash
+ # Dec 21 17:30:22 testserver useradd[1337]: new user: name=butter4, UID=1000, GID=27, home=/home/butter4, shell=/bin/bash
 selection_new_user:
 - 'new user'
 selection_uids_gids:
@@ -27,7 +28,7 @@ detection:
 - 'UID=0' # root UID
 - 'GID=10' # wheel group
 - 'GID=27' # sudo group
- condition: all of selection*
+ condition: all of selection_*
 falsepositives:
- - Administrative work
+ - Administrative activity
 level: high
From 3b4bf47d59a8bf491943f8d573fe5b440fa93443 Mon Sep 17 00:00:00 2001 From: BlueTeamOps <1480956+blueteam0ps@users.noreply.github.com> Date: Thu, 22 Dec 2022 07:40:48 +1100 Subject: [PATCH 254/303] Added timeframe --- rules/cloud/aws/aws_enum_logging.yml | 1 + 1 file changed, 1 insertion(+)
diff --git a/rules/cloud/aws/aws_enum_logging.yml b/rules/cloud/aws/aws_enum_logging.yml
index 0670b0e34..51d227522 100644
--- a/rules/cloud/aws/aws_enum_logging.yml
+++ b/rules/cloud/aws/aws_enum_logging.yml
@@ -25,6 +25,7 @@ detection:
 - DescribeSnapshotAttribute
 - DescribeSnapshotTierStatus
 - DescribeImages
+ timeframe: 10m
 condition: selection
 falsepositives:
 - Unknown
From 855ca77253020139a484cef5aeac08a506404af9 Mon Sep 17 00:00:00 2001 From: BlueTeamOps <1480956+blueteam0ps@users.noreply.github.com> Date: Thu, 22 Dec 2022 07:49:26 +1100 Subject: [PATCH 255/303] Added a timeframe --- rules/cloud/aws/aws_enum_storage.yml | 1 + 1 file changed, 1 insertion(+)
diff --git a/rules/cloud/aws/aws_enum_storage.yml b/rules/cloud/aws/aws_enum_storage.yml
index 5e560c4c0..f91ea1dd1 100644
--- a/rules/cloud/aws/aws_enum_storage.yml
+++ b/rules/cloud/aws/aws_enum_storage.yml
@@ -23,6 +23,7 @@ detection:
 - 'GetBucketMetricsConfiguration'
 - 'GetBucketPolicy'
 - 'GetBucketTagging'
+ timeframe: 10m
 condition: selection
 falsepositives:
 - Unknown
From 426dc04fd1d3d4985e30053927ff3bc70dcf1b08 Mon Sep 17 00:00:00 2001 
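Review bot: The comments `# wheel group` and `# sudo group` on `GID=10` and `GID=27` state one distribution's numbering as fact, while the new `definition` line says the rule is meant for both RHEL-like and Debian-like hosts; these GIDs are not standardized across families (to my knowledge `wheel` is 10 on RHEL-family systems and `sudo` is 27 on Debian-family ones, and the same numbers may belong to unrelated system groups on the other side), so on one family the rule can fire on an ordinary group and miss the real admin group. At minimum mark the assumption on those lines: `# GID=10 is 'wheel' on RHEL-family, GID=27 is 'sudo' on Debian-family - check /etc/group on the monitored fleet before enabling`. Also `REHL` in the `definition` line should read `RHEL`.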
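Review bot: The added `timeframe: 10m` does nothing with `condition: selection`: in Sigma a timeframe only scopes an aggregation (`| count() ... > N`), so the rule still fires on every single `Describe*` call and the burst of enumeration the change is after is never expressed. Pair it with an aggregation grouped by the calling identity, e.g. `condition: selection | count() by sourceIPAddress > 10` if that field is available in the mapped CloudTrail schema, and tune the threshold against normal inventory tooling. The sibling `aws_enum_storage` and `aws_enum_network` edits in this series have the same gap.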
From: BlueTeamOps <1480956+blueteam0ps@users.noreply.github.com> Date: Thu, 22 Dec 2022 07:56:14 +1100 Subject: [PATCH 256/303] Added timeframe --- rules/cloud/aws/aws_enum_network.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/cloud/aws/aws_enum_network.yml b/rules/cloud/aws/aws_enum_network.yml index 2aa6abe2b..e6441bb65 100644 --- a/rules/cloud/aws/aws_enum_network.yml +++ b/rules/cloud/aws/aws_enum_network.yml @@ -22,6 +22,7 @@ detection: - DescribeClientVpnRoutes - DescribeDhcpOptions - GetTransitGatewayRouteTableAssociations + timeframe: 10m condition: selection falsepositives: - Unknown From 44a25df15f7fd336d40832f99c2c7d612a67d171 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Thu, 22 Dec 2022 08:41:37 +0100 Subject: [PATCH 257/303] Check for issue 3724 --- tests/test_rules.py | 51 ++++++++++++++++++++++++++------------------- 1 file changed, 29 insertions(+), 22 deletions(-) diff --git a/tests/test_rules.py b/tests/test_rules.py index 678c6b264..225d56133 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py @@ -65,7 +65,6 @@ class TestRules(unittest.TestCase): # "There are rule files with extensions other than .yml") def test_legal_trademark_violations(self): - # See Issue # https://github.com/SigmaHQ/sigma/issues/1028 files_with_legal_issues = [] for file in self.yield_next_rule_file_path(self.path_to_rules): 
@@ -765,10 +764,12 @@ class TestRules(unittest.TestCase): faulty_rules.append(file) continue elif len(title) > 70: - print(Fore.YELLOW + "Rule {} has a title field with too many characters (>70)".format(file)) + print( + Fore.YELLOW + "Rule {} has a title field with too many characters (>70)".format(file)) faulty_rules.append(file) if title.startswith("Detects "): - print(Fore.RED + "Rule {} has a title that starts with 'Detects'".format(file)) + print( + Fore.RED + "Rule {} has a title that starts with 'Detects'".format(file)) faulty_rules.append(file) if title.endswith("."): print(Fore.RED + "Rule {} has a title that ends with '.'".format(file)) @@ -805,25 +806,6 @@ class TestRules(unittest.TestCase): self.assertEqual(faulty_rules, [], Fore.RED + "There are rules without the 'title' attribute in their first line.") - def test_duplicate_titles(self): - # This test ensure that every rule has a unique title - faulty_rules = [] - titles_dict = {} - for file in self.yield_next_rule_file_path(self.path_to_rules): - title = self.get_rule_part(file_path=file, part_name="title").lower().rstrip() - duplicate = False - for rule, title_ in titles_dict.items(): - if title == title_: - print(Fore.RED + "Rule {} has an already used title in {}.".format(file, rule)) - duplicate = True - faulty_rules.append(file) - continue - if not duplicate: - titles_dict[file] = title - - self.assertEqual(faulty_rules, [], Fore.RED + - "There are rules that share the same 'title'. Please check: https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide#title") - def test_invalid_logsource_attributes(self): faulty_rules = [] valid_logsource = [ 
@@ -910,6 +892,31 @@ class TestRules(unittest.TestCase): self.assertEqual(faulty_rules, [], Fore.RED + "There are rules using list with only 1 element") + def test_selection_start_or_and(self): + faulty_rules = [] + for file in self.yield_next_rule_file_path(self.path_to_rules): + detection = self.get_rule_part( + file_path=file, part_name="detection") + if detection: + + # This test is a best effort to avoid breaking SIGMAC parser. You could do more testing and try to fix this once and for all by modifiying the token regular expressions https://github.com/SigmaHQ/sigma/blob/b9ae5303f12cda8eb6b5b90a32fd7f11ad65645d/tools/sigma/parser/condition.py#L107-L127 + for key in detection: + if key[:3].lower() == "sel": + continue + elif key[:2].lower() == "or": + print( Fore.RED + "Rule {} has a selection '{}' that starts with the string 'or'".format(file, key)) + faulty_rules.append(file) + elif key[:3].lower() == "and": + print( Fore.RED + "Rule {} has a selection '{}' that starts with the string 'and'".format(file, key)) + faulty_rules.append(file) + elif key[:3].lower() == "not": + print( Fore.RED + "Rule {} has a selection '{}' that starts with the string 'not'".format(file, key)) + faulty_rules.append(file) + + self.assertEqual(faulty_rules, [], Fore.RED + + "There are rules with bad selection names. Can't start a selection name with an 'or*' or an 'and*' or a 'not*' ") + + def test_unused_selection(self): faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): From 3bb741af669186f0e78f21fb72f69322bcdba694 Mon Sep 17 00:00:00 2001 From: Veramine Date: Wed, 21 Dec 2022 23:41:39 -0800 Subject: [PATCH 258/303] Remove Windows 10 volume control false positive https://superuser.com/questions/1175267/what-is-this-rundll32-instance-running --- .../proc_creation_win_rundll32_parent_explorer.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
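Review bot: The three `elif` arms in `test_selection_start_or_and` are copies differing only in the prefix, and the `key[:3].lower() == "sel"` shortcut is dead code since a name starting with `sel` cannot start with `or`, `and` or `not`; a single prefix loop reads better and can report which prefix tripped. The check is by design broader than the tokenizer problem it guards (a selection called `order_by` or `notepad_exec` is rejected too); if that is intended, say so in the best-effort comment so the next contributor does not try to narrow it. The enclosing class starts outside the hunk.
```python
            for key in detection:
                # Deliberately broad: any name starting with an operator word is rejected,
                # not only the exact words, because the condition tokenizer is prefix-based.
                prefix = next((p for p in ("or", "and", "not") if key.lower().startswith(p)), None)
                if prefix is not None:
                    print(Fore.RED + "Rule {} has a selection '{}' that starts with the string '{}'".format(file, key, prefix))
                    faulty_rules.append(file)
```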
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml b/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml index f1b485722..67faacd00 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml @@ -7,7 +7,7 @@ references: - https://thedfirreport.com/2022/09/26/bumblebee-round-two/ author: CD_ROM_ date: 2022/05/21 -modified: 2022/12/15 +modified: 2022/12/21 tags: - attack.defense_evasion logsource: @@ -18,7 +18,8 @@ detection: Image|endswith: '\rundll32.exe' ParentImage|endswith: '\explorer.exe' filter: - CommandLine|contains: ' C:\Windows\System32\' # The space at the start is required + - CommandLine|contains: ' C:\Windows\System32\' # The space at the start is required + - CommandLine|endswith: ' -localserver 22d8c27b-47a1-48d1-ad08-7da7abd79617' # Windows 10 volume control condition: selection and not filter fields: - Image From a27dc6c43a2379050e7f4532fcf62c997c4acbac Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Thu, 22 Dec 2022 08:46:25 +0100 Subject: [PATCH 259/303] Check for issue 3724 --- tests/test_rules.py | 27 ++++++++++++++++++++++----- 1 file changed, 22 insertions(+), 5 deletions(-) diff --git a/tests/test_rules.py b/tests/test_rules.py index 225d56133..b7d9e8f0e 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py @@ -65,6 +65,7 @@ class TestRules(unittest.TestCase): # "There are rule files with extensions other than .yml") def test_legal_trademark_violations(self): + # See Issue # https://github.com/SigmaHQ/sigma/issues/1028 files_with_legal_issues = [] for file in self.yield_next_rule_file_path(self.path_to_rules): 
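Review bot: The new exclusion is keyed on a command-line suffix only, `CommandLine|endswith: ' -localserver 22d8c27b-…'`, so any rundll32 spawned by explorer whose command line ends with that literal is dropped — and the suffix is attacker-controllable, since rundll32 hands whatever follows `dll,Entry` to the export as its argument string and a malicious DLL can simply ignore it. Match the whole legitimate invocation rather than its tail; if, as the commit's reference suggests, the volume-control launch carries no DLL argument, something like `CommandLine|re: '^"?[A-Za-z]:\\Windows\\System32\\rundll32\.exe"? -localserver 22d8c27b-47a1-48d1-ad08-7da7abd79617$'` closes the gap. The first filter item (`contains ' C:\Windows\System32\'`) has the same shape of weakness, but that is pre-existing.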
@@ -764,12 +765,10 @@ class TestRules(unittest.TestCase): faulty_rules.append(file) continue elif len(title) > 70: - print( - Fore.YELLOW + "Rule {} has a title field with too many characters (>70)".format(file)) + print(Fore.YELLOW + "Rule {} has a title field with too many characters (>70)".format(file)) faulty_rules.append(file) if title.startswith("Detects "): - print( - Fore.RED + "Rule {} has a title that starts with 'Detects'".format(file)) + print(Fore.RED + "Rule {} has a title that starts with 'Detects'".format(file)) faulty_rules.append(file) if title.endswith("."): print(Fore.RED + "Rule {} has a title that ends with '.'".format(file)) @@ -806,6 +805,25 @@ class TestRules(unittest.TestCase): self.assertEqual(faulty_rules, [], Fore.RED + "There are rules without the 'title' attribute in their first line.") + def test_duplicate_titles(self): + # This test ensure that every rule has a unique title + faulty_rules = [] + titles_dict = {} + for file in self.yield_next_rule_file_path(self.path_to_rules): + title = self.get_rule_part(file_path=file, part_name="title").lower().rstrip() + duplicate = False + for rule, title_ in titles_dict.items(): + if title == title_: + print(Fore.RED + "Rule {} has an already used title in {}.".format(file, rule)) + duplicate = True + faulty_rules.append(file) + continue + if not duplicate: + titles_dict[file] = title + + self.assertEqual(faulty_rules, [], Fore.RED + + "There are rules that share the same 'title'. Please check: https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide#title") + def test_invalid_logsource_attributes(self): faulty_rules = [] valid_logsource = [ @@ -916,7 +934,6 @@ class TestRules(unittest.TestCase): self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with bad selection names. Can't start a selection name with an 'or*' or an 'and*' or a 'not*' ") - def test_unused_selection(self): faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): 
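Review bot: The re-added `test_duplicate_titles` compares each title with every earlier one in a nested loop, which is quadratic in the rule count, and the `continue` after a hit sits inside the inner loop so the scan does not even stop at the first duplicate (it would have to be a `break`); keying a dict by the normalized title does the same job in one pass and still reports the first file that used the title. `get_rule_part(...)` returning `None` for a rule without a title makes `.lower()` raise here instead of being reported — acceptable only because the title test earlier in the file covers that case, so a one-line comment saying so would help. The enclosing class starts outside the hunk.
```python
    def test_duplicate_titles(self):
        # This test ensure that every rule has a unique title
        # (a rule without a title raises here; the title test above reports that case)
        faulty_rules = []
        seen_titles = {}  # normalized title -> first rule file that used it
        for file in self.yield_next_rule_file_path(self.path_to_rules):
            title = self.get_rule_part(file_path=file, part_name="title").lower().rstrip()
            if title in seen_titles:
                print(Fore.RED + "Rule {} has an already used title in {}.".format(file, seen_titles[title]))
                faulty_rules.append(file)
            else:
                seen_titles[title] = file
        # … unchanged: assertEqual on faulty_rules …
```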
From 5bdf52beae59b31f51abe70147895ec1867b593f Mon Sep 17 00:00:00 2001 From: Veramine Date: Wed, 21 Dec 2022 23:49:14 -0800 Subject: [PATCH 260/303] Remove Logitech auto-updater false positive --- .../process_creation/proc_creation_win_service_stop.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_service_stop.yml b/rules/windows/process_creation/proc_creation_win_service_stop.yml
index b70527f74..4d38e2d2e 100644
--- a/rules/windows/process_creation/proc_creation_win_service_stop.yml
+++ b/rules/windows/process_creation/proc_creation_win_service_stop.yml
@@ -29,7 +29,9 @@ detection:
 - '\pwsh.exe'
 CommandLine|contains: 'Stop-Service '
 filter:
- CommandLine: 'sc stop KSCWebConsoleMessageQueue' # kaspersky Security Center Web Console double space between sc and stop
+ CommandLine:
+ - 'sc stop KSCWebConsoleMessageQueue' # kaspersky Security Center Web Console double space between sc and stop
+ - 'sc stop LGHUBUpdaterService' # Logitech LGHUB Updater Service
 User|contains: # covers many language settings
 - 'AUTHORI'
 - 'AUTORI'
From 29377ddfff9d775910ff3379490fbae708d70f93 Mon Sep 17 00:00:00 2001 From: Qasim Qlf Date: Thu, 22 Dec 2022 14:16:25 +0500 Subject: [PATCH 261/303] fix: updated targetUserName and ipAddress --- .../builtin/security/win_security_susp_rottenpotato.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/rules/windows/builtin/security/win_security_susp_rottenpotato.yml b/rules/windows/builtin/security/win_security_susp_rottenpotato.yml
index 8087c1167..ee7bf0bcf 100644
--- a/rules/windows/builtin/security/win_security_susp_rottenpotato.yml
+++ b/rules/windows/builtin/security/win_security_susp_rottenpotato.yml
@@ -6,7 +6,7 @@ references:
 - https://twitter.com/SBousseaden/status/1195284233729777665
 author: '@SBousseaden, Florian Roth'
 date: 2019/11/15
-modified: 2022/10/09
+modified: 2022/12/22
 tags:
 - attack.privilege_escalation
 - attack.credential_access
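Review bot: The new exclusion `'sc stop LGHUBUpdaterService'` is an exact `CommandLine` match, so it only suppresses the Logitech updater when it executes literally that string; an invocation as `sc.exe stop LGHUBUpdaterService` or with the full `C:\Windows\System32\sc.exe` path still alerts. Since both entries sit under the same `User|contains` constraint, a suffix match keeps the scope and survives the path variants: `CommandLine|endswith:` / `- ' stop KSCWebConsoleMessageQueue'` / `- ' stop LGHUBUpdaterService'`. The Kaspersky comment says the stored string has a double space between `sc` and `stop`, which this rendering has collapsed to one; if that is the real content, the exact match is all the more brittle and the suffix form sidesteps it.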
@@ -18,9 +18,11 @@ detection:
 selection:
 EventID: 4624
 LogonType: 3
- TargetUserName: 'ANONYMOUS_LOGON'
+ TargetUserName: 'ANONYMOUS LOGON'
 WorkstationName: '-'
- IpAddress: '127.0.0.1'
+ IpAddress:
+ - '127.0.0.1'
+ - '::1'
 condition: selection
 falsepositives:
 - Unknown
From 653b49831535a84cfc25304a00f6140a1c531b6b Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 22 Dec 2022 10:31:25 +0100 Subject: [PATCH 262/303] fix: update modified field --- .../windows/process_creation/proc_creation_win_service_stop.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_service_stop.yml b/rules/windows/process_creation/proc_creation_win_service_stop.yml
index 4d38e2d2e..0490537b1 100644
--- a/rules/windows/process_creation/proc_creation_win_service_stop.yml
+++ b/rules/windows/process_creation/proc_creation_win_service_stop.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects a windows service to be stopped
 author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali
 date: 2019/10/23
-modified: 2022/09/01
+modified: 2022/12/22
 tags:
 - attack.impact
 - attack.t1489
From e61795a1eaf1d85335159c5f3e41a9e8816fd6fa Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 22 Dec 2022 12:10:29 +0100 Subject: [PATCH 263/303] feat: proxynotshell owa variant rules --- ...e_2022_41040_proxynotshell_owa_variant.yml | 26 +++++++++++++++++++ ...e_2022_41040_proxynotshell_owa_variant.yml | 26 +++++++++++++++++++ .../win_usb_device_plugged.yml | 4 +-- 3 files changed, 54 insertions(+), 2 deletions(-) create mode 100644 rules/proxy/proxy_cve_2022_41040_proxynotshell_owa_variant.yml create mode 100644 rules/web/web_cve_2022_41040_proxynotshell_owa_variant.yml
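Review bot: `TargetUserName: 'ANONYMOUS LOGON'` is the correct built-in account name (it contains a space, not an underscore), but nothing in the rule records that the old `ANONYMOUS_LOGON` value could never match, so the next contributor may well "normalize" it back; a comment on that line such as `# account name contains a space: 'ANONYMOUS LOGON', never 'ANONYMOUS_LOGON'` would pin it. The `'::1'` addition likewise deserves a word on why (IPv6 loopback, presumably seen when the local listener binds on IPv6 — confirm against the telemetry that motivated this change), since a reader cannot tell from the diff whether the IPv4 entry proved insufficient in practice.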
diff --git a/rules/proxy/proxy_cve_2022_41040_proxynotshell_owa_variant.yml b/rules/proxy/proxy_cve_2022_41040_proxynotshell_owa_variant.yml new file mode 100644 index 000000000..ea87855d6 --- /dev/null +++ b/rules/proxy/proxy_cve_2022_41040_proxynotshell_owa_variant.yml @@ -0,0 +1,26 @@ +title: Potential CVE-2022-41040 OWA Variant Exploitation Attempt - Proxy +id: 181f49fa-0b21-4665-a98c-a57025ebb8c7 +status: experimental +description: Detects exploitation attempt of CVE-2022-41040 using the OWA endpoint variant to access the powershell backend endpoint +references: + - https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/ + - https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/ +author: Nasreddine Bencherchali +date: 2022/12/22 +tags: + - attack.initial_access + - attack.t1190 + - cve.2022.41040 +logsource: + category: proxy +detection: + selection: + # Look for the header: X-OWA-ExplicitLogonUser: owa/mastermailbox@outlook.com + cs-method: 'POST' + c-uri|contains|all: + - '/owa/mastermailbox' + - '/powershell' + condition: selection +falsepositives: + - Web vulnerability scanners +level: high diff --git a/rules/web/web_cve_2022_41040_proxynotshell_owa_variant.yml b/rules/web/web_cve_2022_41040_proxynotshell_owa_variant.yml new file mode 100644 index 000000000..5f6b62266 --- /dev/null +++ b/rules/web/web_cve_2022_41040_proxynotshell_owa_variant.yml 
@@ -0,0 +1,26 @@ +title: Potential CVE-2022-41040 OWA Variant Exploitation Attempt - Webserver +id: 181f49fa-0b21-4665-a98c-a57025ebb8c7 +status: experimental +description: Detects exploitation attempt of CVE-2022-41040 using the OWA endpoint variant to access the powershell backend endpoint +references: + - https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/ + - https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/ +author: Nasreddine Bencherchali +date: 2022/12/22 +tags: + - attack.initial_access + - attack.t1190 + - cve.2022.41040 +logsource: + category: webserver +detection: + selection: + # Look for the header: X-OWA-ExplicitLogonUser: owa/mastermailbox@outlook.com + cs-method: 'POST' + c-uri|contains|all: + - '/owa/mastermailbox' + - '/powershell' + condition: selection +falsepositives: + - Web vulnerability scanners +level: high diff --git a/rules/windows/builtin/driverframeworks/win_usb_device_plugged.yml b/rules/windows/builtin/driverframeworks/win_usb_device_plugged.yml index a99d2da29..fb40783bf 100644 --- a/rules/windows/builtin/driverframeworks/win_usb_device_plugged.yml +++ b/rules/windows/builtin/driverframeworks/win_usb_device_plugged.yml @@ -1,7 +1,7 @@ title: USB Device Plugged id: 1a4bd6e3-4c6e-405d-a9a3-53a116e341d4 status: test -description: Detects plugged USB devices +description: Detects plugged/unplugged USB devices references: - https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/ - https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/ @@ -14,7 +14,7 @@ tags: logsource: product: windows service: driver-framework - definition: mapping Provider_Name 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' + definition: 'Requires enabling and collection of the Microsoft-Windows-DriverFrameworks-UserMode/Operational eventlog' detection: selection: EventID: 
From f79c09c1ff02c6bbd1468322dba8e4601ad97d65 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 22 Dec 2022 12:14:55 +0100 Subject: [PATCH 264/303] fix: duplicate id --- rules/proxy/proxy_cve_2022_41040_proxynotshell_owa_variant.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/proxy/proxy_cve_2022_41040_proxynotshell_owa_variant.yml b/rules/proxy/proxy_cve_2022_41040_proxynotshell_owa_variant.yml
index ea87855d6..0a145fbda 100644
--- a/rules/proxy/proxy_cve_2022_41040_proxynotshell_owa_variant.yml
+++ b/rules/proxy/proxy_cve_2022_41040_proxynotshell_owa_variant.yml
@@ -1,5 +1,5 @@
 title: Potential CVE-2022-41040 OWA Variant Exploitation Attempt - Proxy
-id: 181f49fa-0b21-4665-a98c-a57025ebb8c7
+id: 1ddf4596-1908-43c9-add2-1d2c2fcc4797
 status: experimental
 description: Detects exploitation attempt of CVE-2022-41040 using the OWA endpoint variant to access the powershell backend endpoint
 references:
From 3b54d8de79a055a6a624ddfaba1f2e1d44aa381d Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 22 Dec 2022 12:20:18 +0100 Subject: [PATCH 265/303] fix: metadata --- ...a_variant.yml => proxy_exchange_owassrf_exploitation.yml} | 5 ++--- ...owa_variant.yml => web_exchange_owassrf_exploitation.yml} | 5 ++--- 2 files changed, 4 insertions(+), 6 deletions(-) rename rules/proxy/{proxy_cve_2022_41040_proxynotshell_owa_variant.yml => proxy_exchange_owassrf_exploitation.yml} (76%) rename rules/web/{web_cve_2022_41040_proxynotshell_owa_variant.yml => web_exchange_owassrf_exploitation.yml} (76%)
diff --git a/rules/proxy/proxy_cve_2022_41040_proxynotshell_owa_variant.yml b/rules/proxy/proxy_exchange_owassrf_exploitation.yml
similarity index 76%
rename from rules/proxy/proxy_cve_2022_41040_proxynotshell_owa_variant.yml
rename to rules/proxy/proxy_exchange_owassrf_exploitation.yml
index 0a145fbda..d421eee17 100644
--- a/rules/proxy/proxy_cve_2022_41040_proxynotshell_owa_variant.yml +++ b/rules/proxy/proxy_exchange_owassrf_exploitation.yml @@ -1,7 +1,7 @@ -title: Potential CVE-2022-41040 OWA Variant Exploitation Attempt - Proxy +title: Potential OWASSRF Exploitation Attempt - Proxy id: 1ddf4596-1908-43c9-add2-1d2c2fcc4797 status: experimental -description: Detects exploitation attempt of CVE-2022-41040 using the OWA endpoint variant to access the powershell backend endpoint +description: Detects exploitation attempt of the OWASSRF variant targeting exchange servers It uses the OWA endpoint to access the powershell backend endpoint references: - https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/ - https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/ @@ -10,7 +10,6 @@ date: 2022/12/22 tags: - attack.initial_access - attack.t1190 - - cve.2022.41040 logsource: category: proxy detection: diff --git a/rules/web/web_cve_2022_41040_proxynotshell_owa_variant.yml b/rules/web/web_exchange_owassrf_exploitation.yml similarity index 76% rename from rules/web/web_cve_2022_41040_proxynotshell_owa_variant.yml rename to rules/web/web_exchange_owassrf_exploitation.yml index 5f6b62266..b72bb9181 100644 --- a/rules/web/web_cve_2022_41040_proxynotshell_owa_variant.yml +++ b/rules/web/web_exchange_owassrf_exploitation.yml 
@@ -1,7 +1,7 @@ -title: Potential CVE-2022-41040 OWA Variant Exploitation Attempt - Webserver +title: Potential OWASSRF Exploitation Attempt - Webserver id: 181f49fa-0b21-4665-a98c-a57025ebb8c7 status: experimental -description: Detects exploitation attempt of CVE-2022-41040 using the OWA endpoint variant to access the powershell backend endpoint +description: Detects exploitation attempt of the OWASSRF variant targeting exchange servers It uses the OWA endpoint to access the powershell backend endpoint references: - https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/ - https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/ @@ -10,7 +10,6 @@ date: 2022/12/22 tags: - attack.initial_access - attack.t1190 - - cve.2022.41040 logsource: category: webserver detection: From cc3dce61d76d8536799ba881a94e8a02a4ab48d9 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 22 Dec 2022 14:25:50 +0100 Subject: [PATCH 266/303] fix: apply suggestions from code review Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com> --- rules/proxy/proxy_exchange_owassrf_exploitation.yml | 2 +- rules/web/web_exchange_owassrf_exploitation.yml | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/proxy/proxy_exchange_owassrf_exploitation.yml b/rules/proxy/proxy_exchange_owassrf_exploitation.yml index d421eee17..30760d4ad 100644 --- a/rules/proxy/proxy_exchange_owassrf_exploitation.yml +++ b/rules/proxy/proxy_exchange_owassrf_exploitation.yml @@ -17,7 +17,7 @@ detection: # Look for the header: X-OWA-ExplicitLogonUser: owa/mastermailbox@outlook.com cs-method: 'POST' c-uri|contains|all: - - '/owa/mastermailbox' + - '/owa/' - '/powershell' condition: selection falsepositives: 
diff --git a/rules/web/web_exchange_owassrf_exploitation.yml b/rules/web/web_exchange_owassrf_exploitation.yml index b72bb9181..0d71e438c 100644 --- a/rules/web/web_exchange_owassrf_exploitation.yml +++ b/rules/web/web_exchange_owassrf_exploitation.yml @@ -17,7 +17,8 @@ detection: # Look for the header: X-OWA-ExplicitLogonUser: owa/mastermailbox@outlook.com cs-method: 'POST' c-uri|contains|all: - - '/owa/mastermailbox' + - '/owa/' + - `@` - '/powershell' condition: selection falsepositives: From 8fd9181392f57b5ead094d4170fd55883583cee9 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 22 Dec 2022 14:35:22 +0100 Subject: [PATCH 267/303] fix: typo in selection --- rules/proxy/proxy_exchange_owassrf_exploitation.yml | 1 + rules/web/web_exchange_owassrf_exploitation.yml | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/proxy/proxy_exchange_owassrf_exploitation.yml b/rules/proxy/proxy_exchange_owassrf_exploitation.yml index 30760d4ad..0cd193396 100644 --- a/rules/proxy/proxy_exchange_owassrf_exploitation.yml +++ b/rules/proxy/proxy_exchange_owassrf_exploitation.yml @@ -18,6 +18,7 @@ detection: cs-method: 'POST' c-uri|contains|all: - '/owa/' + - '@' - '/powershell' condition: selection falsepositives: diff --git a/rules/web/web_exchange_owassrf_exploitation.yml b/rules/web/web_exchange_owassrf_exploitation.yml index 0d71e438c..ea4d9880e 100644 --- a/rules/web/web_exchange_owassrf_exploitation.yml +++ b/rules/web/web_exchange_owassrf_exploitation.yml @@ -18,7 +18,7 @@ detection: cs-method: 'POST' c-uri|contains|all: - '/owa/' - - `@` + - '@' - '/powershell' condition: selection falsepositives: From 7ed105bccb810f64e517fbb59e917366b0e8642d Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Thu, 22 Dec 2022 14:36:32 +0100
Subject: [PATCH 268/303] fix: add response code
---
rules/proxy/proxy_exchange_owassrf_exploitation.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/rules/proxy/proxy_exchange_owassrf_exploitation.yml b/rules/proxy/proxy_exchange_owassrf_exploitation.yml
index 0cd193396..777827c05 100644
--- a/rules/proxy/proxy_exchange_owassrf_exploitation.yml
+++ b/rules/proxy/proxy_exchange_owassrf_exploitation.yml
@@ -16,6 +16,7 @@ detection:
selection:
# Look for the header: X-OWA-ExplicitLogonUser: owa/mastermailbox@outlook.com
cs-method: 'POST'
+ sc-status: 200
c-uri|contains|all:
- '/owa/'
- '@'
From 62a828e1843a1852f799daf749e5f76baede69d7 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Thu, 22 Dec 2022 14:45:53 +0100
Subject: [PATCH 269/303] feat: more updates
---
.../proxy_exchange_owassrf_exploitation.yml | 1 -
...roxy_exchange_owassrf_poc_exploitation.yml | 28 +++++++++++++++++++
.../web/web_exchange_owassrf_exploitation.yml | 2 +-
.../web_exchange_owassrf_poc_exploitation.yml | 28 +++++++++++++++++++
4 files changed, 57 insertions(+), 2 deletions(-)
create mode 100644 rules/proxy/proxy_exchange_owassrf_poc_exploitation.yml
create mode 100644 rules/web/web_exchange_owassrf_poc_exploitation.yml
diff --git a/rules/proxy/proxy_exchange_owassrf_exploitation.yml b/rules/proxy/proxy_exchange_owassrf_exploitation.yml
index 777827c05..4a3ea0367 100644
--- a/rules/proxy/proxy_exchange_owassrf_exploitation.yml
+++ b/rules/proxy/proxy_exchange_owassrf_exploitation.yml
@@ -14,7 +14,6 @@ logsource:
category: proxy
detection:
selection:
- # Look for the header: X-OWA-ExplicitLogonUser: owa/mastermailbox@outlook.com
cs-method: 'POST'
sc-status: 200
c-uri|contains|all:
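Review bot: The added `sc-status: 200` narrows the proxy rule to requests the server accepted, so an exploitation attempt against a patched or hardened Exchange server (which would answer 4xx/5xx on the same `/owa/...@.../powershell` path) no longer matches, even though the title still reads "Exploitation Attempt". If the intent is to alert only on a working SSRF, say so in the description (e.g. `Detects successful ... responses with HTTP 200`) and consider renaming; otherwise drop the status line, or keep it in a second selection used only to raise the level. The `selection:` mapping continues below the hunk, so I cannot see whether a status-independent variant already exists.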
diff --git a/rules/proxy/proxy_exchange_owassrf_poc_exploitation.yml b/rules/proxy/proxy_exchange_owassrf_poc_exploitation.yml new file mode 100644 index 000000000..22a19f10b --- /dev/null +++ b/rules/proxy/proxy_exchange_owassrf_poc_exploitation.yml @@ -0,0 +1,28 @@ +title: OWASSRF Exploitation Attempt Using Public POC - Proxy +id: fdd7e904-7304-4616-a46a-e32f917c4be4 +status: experimental +description: Detects exploitation attempt of the OWASSRF variant targeting exchange servers using publicly available POC. It uses the OWA endpoint to access the powershell backend endpoint +references: + - https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/ + - https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/ + - https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw +author: Nasreddine Bencherchali +date: 2022/12/22 +tags: + - attack.initial_access + - attack.t1190 +logsource: + category: proxy +detection: + selection: + # Look for the header: X-OWA-ExplicitLogonUser: owa/mastermailbox@outlook.com + c-useragent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.54 Safari/537.36' + cs-method: 'POST' + sc-status: 200 + c-uri|contains|all: + - '/owa/mastermailbox' + - '/powershell' + condition: selection +falsepositives: + - Unlikely +level: critical diff --git a/rules/web/web_exchange_owassrf_exploitation.yml b/rules/web/web_exchange_owassrf_exploitation.yml index ea4d9880e..beaa35ef8 100644 --- a/rules/web/web_exchange_owassrf_exploitation.yml +++ b/rules/web/web_exchange_owassrf_exploitation.yml @@ -14,8 +14,8 @@ logsource: category: webserver detection: selection: - # Look for the header: X-OWA-ExplicitLogonUser: owa/mastermailbox@outlook.com cs-method: 'POST' + sc-status: 200 c-uri|contains|all: - '/owa/' - '@' 
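Review bot: The comment `# Look for the header: X-OWA-ExplicitLogonUser: owa/mastermailbox@outlook.com` in the new proxy PoC rule describes a request header, but nothing in `selection` matches a header — the rule keys only on `c-useragent`, `cs-method`, `sc-status` and `c-uri` — so a reader may assume header inspection is happening where it is not. Rewrite it to describe what is actually matched, e.g. `# Public PoC requests /owa/mastermailbox@outlook.com/powershell; match the mastermailbox segment plus the backend path`. The same misleading comment is being removed from the generic proxy and webserver rules in this very commit, so the PoC rules would be the only place it survives.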
diff --git a/rules/web/web_exchange_owassrf_poc_exploitation.yml b/rules/web/web_exchange_owassrf_poc_exploitation.yml new file mode 100644 index 000000000..8ace4c265 --- /dev/null +++ b/rules/web/web_exchange_owassrf_poc_exploitation.yml @@ -0,0 +1,28 @@ +title: OWASSRF Exploitation Attempt Using Public POC - Webserver +id: 92d78c63-5a5c-4c40-9b60-463810ffb082 +status: experimental +description: Detects exploitation attempt of the OWASSRF variant targeting exchange servers using publicly available POC. It uses the OWA endpoint to access the powershell backend endpoint +references: + - https://www.crowdstrike.com/blog/owassrf-exploit-analysis-and-recommendations/ + - https://www.rapid7.com/blog/post/2022/12/21/cve-2022-41080-cve-2022-41082-rapid7-observed-exploitation-of-owassrf-in-exchange-for-rce/ + - https://twitter.com/purp1ew0lf/status/1602989967776808961?s=12&t=OkZJl_ViICeiftVEsohRyw +author: Nasreddine Bencherchali +date: 2022/12/22 +tags: + - attack.initial_access + - attack.t1190 +logsource: + category: webserver +detection: + selection: + # Look for the header: X-OWA-ExplicitLogonUser: owa/mastermailbox@outlook.com + c-useragent: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.54 Safari/537.36' + cs-method: 'POST' + sc-status: 200 + c-uri|contains|all: + - '/owa/mastermailbox' + - '/powershell' + condition: selection +falsepositives: + - Unlikely +level: critical From 74f198460e33cd9bf1a8c0745603c1e1ecb6f7f5 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 22 Dec 2022 14:50:30 +0100 Subject: [PATCH 270/303] fix: add good ua as filter --- rules/proxy/proxy_exchange_owassrf_exploitation.yml | 7 ++++++- rules/web/web_exchange_owassrf_exploitation.yml | 7 ++++++- 2 files changed, 12 insertions(+), 2 deletions(-) 
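Review bot: Matching `c-useragent` against the full literal Chrome 105 build string pins the webserver PoC rule to one byte-exact user agent; any edit to the PoC's UA, or a different PoC, silently drops coverage to zero with no signal to the defender that the signature has gone stale. That is acceptable for an explicitly PoC-specific rule at `level: critical`, but it should be stated and linked: add `Matches the hard-coded user agent of the public PoC; other tooling is covered by the generic OWASSRF webserver rule` to the description, and a `related:` entry `- id: 181f49fa-0b21-4665-a98c-a57025ebb8c7` with `type: similar` pointing at that generic rule so the two are maintained together. `falsepositives: Unlikely` is fair given the `/owa/mastermailbox` + `/powershell` URI constraint, but presumably a browser with this exact build could still trigger it on a misconfigured front end; worth a word there too.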
diff --git a/rules/proxy/proxy_exchange_owassrf_exploitation.yml b/rules/proxy/proxy_exchange_owassrf_exploitation.yml
index 4a3ea0367..c7132ec2e 100644
--- a/rules/proxy/proxy_exchange_owassrf_exploitation.yml
+++ b/rules/proxy/proxy_exchange_owassrf_exploitation.yml
@@ -20,7 +20,12 @@ detection:
- '/owa/'
- '@'
- '/powershell'
- condition: selection
+ filter:
+ c-useragent:
+ - 'ClientInfo'
+ - 'Microsoft WinRM Client'
+ - 'Exchange BackEnd Probes'
+ condition: selection and not filter
falsepositives:
- Web vulnerability scanners
level: high
diff --git a/rules/web/web_exchange_owassrf_exploitation.yml b/rules/web/web_exchange_owassrf_exploitation.yml
index beaa35ef8..6738f3d4c 100644
--- a/rules/web/web_exchange_owassrf_exploitation.yml
+++ b/rules/web/web_exchange_owassrf_exploitation.yml
@@ -20,7 +20,12 @@ detection:
- '/owa/'
- '@'
- '/powershell'
- condition: selection
+ filter:
+ c-useragent:
+ - 'ClientInfo'
+ - 'Microsoft WinRM Client'
+ - 'Exchange BackEnd Probes'
+ condition: selection and not filter
falsepositives:
- Web vulnerability scanners
level: high
From d6b6984567f84155ad7c9219838daf6ae922f48f Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Thu, 22 Dec 2022 14:53:34 +0100
Subject: [PATCH 271/303] fix: add encoded @ symbol
Co-authored-by: Florian Roth
---
rules/proxy/proxy_exchange_owassrf_exploitation.yml | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/rules/proxy/proxy_exchange_owassrf_exploitation.yml b/rules/proxy/proxy_exchange_owassrf_exploitation.yml
index c7132ec2e..9a9b9c44e 100644
--- a/rules/proxy/proxy_exchange_owassrf_exploitation.yml
+++ b/rules/proxy/proxy_exchange_owassrf_exploitation.yml
@@ -18,8 +18,10 @@ detection:
sc-status: 200
c-uri|contains|all:
- '/owa/'
- - '@'
- '/powershell'
+ c-uri|contains:
+ - '@'
+ - '%40'
filter:
c-useragent:
- 'ClientInfo'
From 17aae0161d8dc2a26014f9bc467e947144f43e93 Mon Sep 17 00:00:00 2001
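Review bot: The new `filter` excludes events purely by `c-useragent`, a value the requester sets freely, so an attacker who sends `User-Agent: Microsoft WinRM Client` (presumably whitelisted here because legitimate remote PowerShell sessions reach the same `/powershell` backend with it) bypasses `selection and not filter` entirely. User-agent exclusions are fine for noise reduction, but they should not be the only gate: pair the filter with something the client does not control, for instance `c-ip` restricted to the Exchange servers and management hosts that legitimately probe the backend, and note the evasion in `falsepositives`/description so analysts treat the rule as tunable rather than authoritative. The identical filter is added to the webserver rule in the second hunk, so both files need the same change; the full `detection` block starts above the hunk.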
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Thu, 22 Dec 2022 14:55:20 +0100
Subject: [PATCH 272/303] fix: add other missing encoded @ symbol
---
rules/web/web_exchange_owassrf_exploitation.yml | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/rules/web/web_exchange_owassrf_exploitation.yml b/rules/web/web_exchange_owassrf_exploitation.yml
index 6738f3d4c..5327931cb 100644
--- a/rules/web/web_exchange_owassrf_exploitation.yml
+++ b/rules/web/web_exchange_owassrf_exploitation.yml
@@ -18,8 +18,10 @@ detection:
sc-status: 200
c-uri|contains|all:
- '/owa/'
- - '@'
- '/powershell'
+ c-uri|contains:
+ - '@'
+ - '%40'
filter:
c-useragent:
- 'ClientInfo'
From 57e51cca2a0f4057aca57f7617eb828de24e8e9a Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Thu, 22 Dec 2022 16:08:21 +0100
Subject: [PATCH 273/303] fix: typo in near operator
---
rules/linux/auditd/lnx_auditd_cve_2021_4034.yml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml b/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml
index 3bf97f06c..d4584852a 100644
--- a/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml
+++ b/rules/linux/auditd/lnx_auditd_cve_2021_4034.yml
@@ -8,7 +8,7 @@ references:
- https://access.redhat.com/security/cve/CVE-2021-4034
author: Pawel Mazur
date: 2022/01/27
-modified: 2022/12/21
+modified: 2022/12/22
tags:
- attack.privilege_escalation
- attack.t1068
@@ -16,14 +16,14 @@ logsource:
product: linux
service: auditd
detection:
- proctitle:
+ selection_proctitle:
type: PROCTITLE
proctitle: '(null)'
- syscall:
+ selection_syscall:
type: SYSCALL
comm: pkexec
exe: '/usr/bin/pkexec'
- condition: proctitle near syscall
+ condition: selection_proctitle |near selection_syscall
falsepositives:
- Unknown
level: high
From 0a77980bb8e392b09b1840c07abf48497c593aa4 Mon Sep 17 00:00:00 2001
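Review bot: `selection_proctitle |near selection_syscall` still depends on the `near` aggregation operator, whose support is backend-specific and which several converters reject outright, so fixing the spelling may not make the rule convert on the same toolchain that tripped on the old form; worth confirming against the backends the repository's CI exercises. Since the two selections match different record types (`type: PROCTITLE` and `type: SYSCALL`) of what is presumably the same audit event, a one-line comment above `condition:` such as `# Requires correlating the PROCTITLE and SYSCALL records of one audit event; backends without near support need a SIEM-side join` would tell consumers what they are signing up for. I cannot see the rest of the file or the validation that enforces condition syntax, so treat this as a caveat rather than a confirmed break.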
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 22 Dec 2022 19:14:13 +0100 Subject: [PATCH 274/303] fix: move firewall rule to firewall folder --- .../firewall}/firewall_cleartext_protocols.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/{compliance => network/firewall}/firewall_cleartext_protocols.yml (100%) diff --git a/rules/compliance/firewall_cleartext_protocols.yml b/rules/network/firewall/firewall_cleartext_protocols.yml similarity index 100% rename from rules/compliance/firewall_cleartext_protocols.yml rename to rules/network/firewall/firewall_cleartext_protocols.yml From 4c90e86736e8f8a0666cb37a897c5afc47890417 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 22 Dec 2022 19:15:47 +0100 Subject: [PATCH 275/303] fix: move security rule to security folder --- .../builtin/security}/group_modification_logging.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/{compliance => windows/builtin/security}/group_modification_logging.yml (100%) diff --git a/rules/compliance/group_modification_logging.yml b/rules/windows/builtin/security/group_modification_logging.yml similarity index 100% rename from rules/compliance/group_modification_logging.yml rename to rules/windows/builtin/security/group_modification_logging.yml From b1628c1a4c5f84163fbffb10bdaf0d74f2926873 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 22 Dec 2022 19:17:11 +0100 Subject: [PATCH 276/303] fix: move security rule to security folder 2 --- .../builtin/security}/workstation_was_locked.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/{compliance => windows/builtin/security}/workstation_was_locked.yml (100%) 
diff --git a/rules/compliance/workstation_was_locked.yml b/rules/windows/builtin/security/workstation_was_locked.yml similarity index 100% rename from rules/compliance/workstation_was_locked.yml rename to rules/windows/builtin/security/workstation_was_locked.yml From 43912f2be7dbfbdf8edf812f502c47db15e10438 Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 22 Dec 2022 20:15:07 +0100 Subject: [PATCH 277/303] fix: rename files part 1 --- ...ext_protocols.yml => net_firewall_cleartext_protocols.yml} | 0 ...ver_load.yml => win_codeintegrity_blocked_driver_load.yml} | 0 ...ogging.yml => win_security_group_modification_logging.yml} | 0 ...was_locked.yml => win_security_workstation_was_locked.yml} | 0 ...preter_or_cobaltstrike_getsystem_service_installation.yml} | 0 rules/windows/builtin/system/win_system_pcap_drivers.yml | 4 ++-- ...eation.yml => win_taskscheduler_rare_schtask_creation.yml} | 0 ...ocations.yml => win_taskscheduler_susp_task_locations.yml} | 0 ...e_thread_win_winapi_in_powershell_credentials_dumping.yml} | 0 ...s.yml => dns_query_win_remote_access_software_domains.yml} | 0 ..._mal_creddumper.yml => driver_load_win_mal_creddumper.yml} | 0 ...rtry_driver.yml => driver_load_win_mal_poortry_driver.yml} | 0 ...te_driver.yml => driver_load_win_vuln_gigabyte_driver.yml} | 0 ...n_hevd_driver.yml => driver_load_win_vuln_hevd_driver.yml} | 0 ..._vuln_hw_driver.yml => driver_load_win_vuln_hw_driver.yml} | 0 ...novo_driver.yml => driver_load_win_vuln_lenovo_driver.yml} | 0 ...g0_driver.yml => driver_load_win_vuln_winring0_driver.yml} | 0 ...river_load_windivert.yml => driver_load_win_windivert.yml} | 0 18 files changed, 2 insertions(+), 2 deletions(-) rename rules/network/firewall/{firewall_cleartext_protocols.yml => net_firewall_cleartext_protocols.yml} (100%) rename rules/windows/builtin/code_integrity/{win_codeintergiry_blocked_driver_load.yml => win_codeintegrity_blocked_driver_load.yml} (100%) rename rules/windows/builtin/security/{group_modification_logging.yml => win_security_group_modification_logging.yml} (100%) rename rules/windows/builtin/security/{workstation_was_locked.yml => win_security_workstation_was_locked.yml} (100%) rename 
rules/windows/{driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml => builtin/system/driver_load_win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml} (100%) rename rules/windows/builtin/taskscheduler/{win_rare_schtask_creation.yml => win_taskscheduler_rare_schtask_creation.yml} (100%) rename rules/windows/builtin/taskscheduler/{win_task_scheduler_susp_task_locations.yml => win_taskscheduler_susp_task_locations.yml} (100%) rename rules/windows/create_remote_thread/{create_remote_thread_winapi_in_powershell_credentials_dumping.yml => create_remote_thread_win_winapi_in_powershell_credentials_dumping.yml} (100%) rename rules/windows/dns_query/{dns_query_remote_access_software_domains.yml => dns_query_win_remote_access_software_domains.yml} (100%) rename rules/windows/driver_load/{driver_load_mal_creddumper.yml => driver_load_win_mal_creddumper.yml} (100%) rename rules/windows/driver_load/{driver_load_mal_poortry_driver.yml => driver_load_win_mal_poortry_driver.yml} (100%) rename rules/windows/driver_load/{driver_load_vuln_gigabyte_driver.yml => driver_load_win_vuln_gigabyte_driver.yml} (100%) rename rules/windows/driver_load/{driver_load_vuln_hevd_driver.yml => driver_load_win_vuln_hevd_driver.yml} (100%) rename rules/windows/driver_load/{driver_load_vuln_hw_driver.yml => driver_load_win_vuln_hw_driver.yml} (100%) rename rules/windows/driver_load/{driver_load_vuln_lenovo_driver.yml => driver_load_win_vuln_lenovo_driver.yml} (100%) rename rules/windows/driver_load/{driver_load_vuln_winring0_driver.yml => driver_load_win_vuln_winring0_driver.yml} (100%) rename rules/windows/driver_load/{driver_load_windivert.yml => driver_load_win_windivert.yml} (100%) 
diff --git a/rules/network/firewall/firewall_cleartext_protocols.yml b/rules/network/firewall/net_firewall_cleartext_protocols.yml similarity index 100% rename from rules/network/firewall/firewall_cleartext_protocols.yml rename to rules/network/firewall/net_firewall_cleartext_protocols.yml diff --git a/rules/windows/builtin/code_integrity/win_codeintergiry_blocked_driver_load.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_blocked_driver_load.yml similarity index 100% rename from rules/windows/builtin/code_integrity/win_codeintergiry_blocked_driver_load.yml rename to rules/windows/builtin/code_integrity/win_codeintegrity_blocked_driver_load.yml diff --git a/rules/windows/builtin/security/group_modification_logging.yml b/rules/windows/builtin/security/win_security_group_modification_logging.yml similarity index 100% rename from rules/windows/builtin/security/group_modification_logging.yml rename to rules/windows/builtin/security/win_security_group_modification_logging.yml diff --git a/rules/windows/builtin/security/workstation_was_locked.yml b/rules/windows/builtin/security/win_security_workstation_was_locked.yml similarity index 100% rename from rules/windows/builtin/security/workstation_was_locked.yml rename to rules/windows/builtin/security/win_security_workstation_was_locked.yml diff --git a/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/windows/builtin/system/driver_load_win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml similarity index 100% rename from rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml rename to rules/windows/builtin/system/driver_load_win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml diff --git a/rules/windows/builtin/system/win_system_pcap_drivers.yml b/rules/windows/builtin/system/win_system_pcap_drivers.yml index 5a2361e62..d0ae0f782 100644 
--- a/rules/windows/builtin/system/win_system_pcap_drivers.yml
+++ b/rules/windows/builtin/system/win_system_pcap_drivers.yml
@@ -6,14 +6,14 @@ references:
- https://ragged-lab.blogspot.com/2020/06/capturing-pcap-driver-installations.html#more
author: Cian Heasley
date: 2020/06/10
-modified: 2021/11/27
+modified: 2022/12/22
tags:
- attack.discovery
- attack.credential_access
- attack.t1040
logsource:
product: windows
- service: security
+ service: system
definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
selection:
diff --git a/rules/windows/builtin/taskscheduler/win_rare_schtask_creation.yml b/rules/windows/builtin/taskscheduler/win_taskscheduler_rare_schtask_creation.yml
similarity index 100%
rename from rules/windows/builtin/taskscheduler/win_rare_schtask_creation.yml
rename to rules/windows/builtin/taskscheduler/win_taskscheduler_rare_schtask_creation.yml
diff --git a/rules/windows/builtin/taskscheduler/win_task_scheduler_susp_task_locations.yml b/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_task_locations.yml
similarity index 100%
rename from rules/windows/builtin/taskscheduler/win_task_scheduler_susp_task_locations.yml
rename to rules/windows/builtin/taskscheduler/win_taskscheduler_susp_task_locations.yml
diff --git a/rules/windows/create_remote_thread/create_remote_thread_winapi_in_powershell_credentials_dumping.yml b/rules/windows/create_remote_thread/create_remote_thread_win_winapi_in_powershell_credentials_dumping.yml
similarity index 100%
rename from rules/windows/create_remote_thread/create_remote_thread_winapi_in_powershell_credentials_dumping.yml
rename to rules/windows/create_remote_thread/create_remote_thread_win_winapi_in_powershell_credentials_dumping.yml
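Review bot: Changing `service: security` to `service: system` contradicts the `definition` line kept as context, which says the rule needs the 'System Security Extension' audit subcategory to log EID 4697 — that subcategory and that event ID are Security-log artefacts, whereas the System log carries the Service Control Manager's own service-installation event. If the `selection` below the hunk matches EventID 4697, the logsource should stay `service: security` and the `win_system_` prefix and `builtin/system` folder chosen for the file are the wrong fit; if the rule actually matches the System-log event, the `definition` line should be rewritten to name that event and its prerequisites instead. The `detection` block is cut off by the hunk, so I cannot tell which of the two applies, but as committed the metadata and the logsource disagree and one of them will mislead whoever deploys it.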
diff --git a/rules/windows/dns_query/dns_query_remote_access_software_domains.yml b/rules/windows/dns_query/dns_query_win_remote_access_software_domains.yml similarity index 100% rename from rules/windows/dns_query/dns_query_remote_access_software_domains.yml rename to rules/windows/dns_query/dns_query_win_remote_access_software_domains.yml diff --git a/rules/windows/driver_load/driver_load_mal_creddumper.yml b/rules/windows/driver_load/driver_load_win_mal_creddumper.yml similarity index 100% rename from rules/windows/driver_load/driver_load_mal_creddumper.yml rename to rules/windows/driver_load/driver_load_win_mal_creddumper.yml diff --git a/rules/windows/driver_load/driver_load_mal_poortry_driver.yml b/rules/windows/driver_load/driver_load_win_mal_poortry_driver.yml similarity index 100% rename from rules/windows/driver_load/driver_load_mal_poortry_driver.yml rename to rules/windows/driver_load/driver_load_win_mal_poortry_driver.yml diff --git a/rules/windows/driver_load/driver_load_vuln_gigabyte_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_gigabyte_driver.yml similarity index 100% rename from rules/windows/driver_load/driver_load_vuln_gigabyte_driver.yml rename to rules/windows/driver_load/driver_load_win_vuln_gigabyte_driver.yml diff --git a/rules/windows/driver_load/driver_load_vuln_hevd_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_hevd_driver.yml similarity index 100% rename from rules/windows/driver_load/driver_load_vuln_hevd_driver.yml rename to rules/windows/driver_load/driver_load_win_vuln_hevd_driver.yml diff --git a/rules/windows/driver_load/driver_load_vuln_hw_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_hw_driver.yml similarity index 100% rename from rules/windows/driver_load/driver_load_vuln_hw_driver.yml rename to rules/windows/driver_load/driver_load_win_vuln_hw_driver.yml 
diff --git a/rules/windows/driver_load/driver_load_vuln_lenovo_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_lenovo_driver.yml similarity index 100% rename from rules/windows/driver_load/driver_load_vuln_lenovo_driver.yml rename to rules/windows/driver_load/driver_load_win_vuln_lenovo_driver.yml diff --git a/rules/windows/driver_load/driver_load_vuln_winring0_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml similarity index 100% rename from rules/windows/driver_load/driver_load_vuln_winring0_driver.yml rename to rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml diff --git a/rules/windows/driver_load/driver_load_windivert.yml b/rules/windows/driver_load/driver_load_win_windivert.yml similarity index 100% rename from rules/windows/driver_load/driver_load_windivert.yml rename to rules/windows/driver_load/driver_load_win_windivert.yml From 4577ea702a747e705c75b7257d4299f86739d432 Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 22 Dec 2022 20:19:38 +0100 Subject: [PATCH 278/303] fix: rename more files --- ...tstrike_getsystem_service_installation.yml | 54 ------------------- ...owershell_script_installed_as_service.yml} | 0 ...yml => driver_load_win_process_hacker.yml} | 0 ....yml => driver_load_win_susp_temp_use.yml} | 0 ...ad_win_vuln_avast_anti_rootkit_driver.yml} | 0 ...l => driver_load_win_vuln_dell_driver.yml} | 0 ...s.yml => driver_load_win_vuln_drivers.yml} | 0 ...=> driver_load_win_vuln_drivers_names.yml} | 0 ...ccess_win_shellcode_inject_msf_empire.yml} | 0 ....yml => proc_access_win_susp_seclogon.yml} | 0 ...api_in_powershell_credentials_dumping.yml} | 0 ...roc_creation_win_wmic_tamper_defender.yml} | 0 ...cleanup_handler_new_entry_persistence.yml} | 0 ...stry_set_natural_language_persistence.yml} | 0 14 files changed, 54 deletions(-) delete mode 100644 rules/windows/builtin/system/driver_load_win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml rename rules/windows/driver_load/{driver_load_powershell_script_installed_as_service.yml => driver_load_win_powershell_script_installed_as_service.yml} (100%) rename rules/windows/driver_load/{driver_load_process_hacker.yml => driver_load_win_process_hacker.yml} (100%) rename rules/windows/driver_load/{driver_load_susp_temp_use.yml => driver_load_win_susp_temp_use.yml} (100%) mode change 100755 => 100644 rename rules/windows/driver_load/{driver_load_vuln_avast_anti_rootkit_driver.yml => driver_load_win_vuln_avast_anti_rootkit_driver.yml} (100%) rename rules/windows/driver_load/{driver_load_vuln_dell_driver.yml => driver_load_win_vuln_dell_driver.yml} (100%) rename rules/windows/driver_load/{driver_load_vuln_drivers.yml => driver_load_win_vuln_drivers.yml} (100%) rename rules/windows/driver_load/{driver_load_vuln_drivers_names.yml => driver_load_win_vuln_drivers_names.yml} (100%) rename 
rules/windows/process_access/{process_access_win_shellcode_inject_msf_empire.yml => proc_access_win_shellcode_inject_msf_empire.yml} (100%) rename rules/windows/process_access/{process_access_win_susp_seclogon.yml => proc_access_win_susp_seclogon.yml} (100%) rename rules/windows/process_access/{process_access_winapi_in_powershell_credentials_dumping.yml => proc_access_winapi_in_powershell_credentials_dumping.yml} (100%) rename rules/windows/process_creation/{proc_creation_wmic_tamper_defender.yml => proc_creation_win_wmic_tamper_defender.yml} (100%) rename rules/windows/registry/registry_add/{registry_set_disk_cleanup_handler_new_entry_persistence.yml => registry_add_disk_cleanup_handler_new_entry_persistence.yml} (100%) rename rules/windows/registry/registry_set/{regsitry_set_natural_language_persistence.yml => registry_set_natural_language_persistence.yml} (100%) diff --git a/rules/windows/builtin/system/driver_load_win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/windows/builtin/system/driver_load_win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml deleted file mode 100644 index b3afed27b..000000000 --- a/rules/windows/builtin/system/driver_load_win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml +++ /dev/null 
@@ -1,54 +0,0 @@ -title: Meterpreter or Cobalt Strike Getsystem Service Installation -id: d585ab5a-6a69-49a8-96e8-4a726a54de46 -related: - - id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6 - type: derived -status: test -description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation -references: - - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment - - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/ -author: Teymur Kheirkhabarov, Ecco, Florian Roth -date: 2019/10/26 -modified: 2022/10/09 -tags: - - attack.privilege_escalation - - attack.t1134.001 - - attack.t1134.002 -logsource: - product: windows - category: driver_load -detection: - selection: - # meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a - - ImagePath|contains|all: - - 'cmd' - - '/c' - - 'echo' - - '\pipe\' - # cobaltstrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a - - ImagePath|contains|all: - - '%COMSPEC%' - - '/c' - - 'echo' - - '\pipe\' - # cobaltstrike getsystem technique 1b (expanded %COMSPEC%): %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a - - ImagePath|contains|all: - - 'cmd.exe' - - '/c' - - 'echo' - - '\pipe\' - # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn - - ImagePath|contains|all: - - 'rundll32' - - '.dll,a' - - '/p:' - condition: selection -fields: - - ComputerName - - SubjectDomainName - - SubjectUserName - - ImagePath -falsepositives: - - Highly unlikely -level: critical 
diff --git a/rules/windows/driver_load/driver_load_powershell_script_installed_as_service.yml b/rules/windows/driver_load/driver_load_win_powershell_script_installed_as_service.yml similarity index 100% rename from rules/windows/driver_load/driver_load_powershell_script_installed_as_service.yml rename to rules/windows/driver_load/driver_load_win_powershell_script_installed_as_service.yml diff --git a/rules/windows/driver_load/driver_load_process_hacker.yml b/rules/windows/driver_load/driver_load_win_process_hacker.yml similarity index 100% rename from rules/windows/driver_load/driver_load_process_hacker.yml rename to rules/windows/driver_load/driver_load_win_process_hacker.yml diff --git a/rules/windows/driver_load/driver_load_susp_temp_use.yml b/rules/windows/driver_load/driver_load_win_susp_temp_use.yml old mode 100755 new mode 100644 similarity index 100% rename from rules/windows/driver_load/driver_load_susp_temp_use.yml rename to rules/windows/driver_load/driver_load_win_susp_temp_use.yml diff --git a/rules/windows/driver_load/driver_load_vuln_avast_anti_rootkit_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_avast_anti_rootkit_driver.yml similarity index 100% rename from rules/windows/driver_load/driver_load_vuln_avast_anti_rootkit_driver.yml rename to rules/windows/driver_load/driver_load_win_vuln_avast_anti_rootkit_driver.yml diff --git a/rules/windows/driver_load/driver_load_vuln_dell_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_dell_driver.yml similarity index 100% rename from rules/windows/driver_load/driver_load_vuln_dell_driver.yml rename to rules/windows/driver_load/driver_load_win_vuln_dell_driver.yml diff --git a/rules/windows/driver_load/driver_load_vuln_drivers.yml b/rules/windows/driver_load/driver_load_win_vuln_drivers.yml similarity index 100% rename from rules/windows/driver_load/driver_load_vuln_drivers.yml rename to rules/windows/driver_load/driver_load_win_vuln_drivers.yml 
diff --git a/rules/windows/driver_load/driver_load_vuln_drivers_names.yml b/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml similarity index 100% rename from rules/windows/driver_load/driver_load_vuln_drivers_names.yml rename to rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml diff --git a/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml b/rules/windows/process_access/proc_access_win_shellcode_inject_msf_empire.yml similarity index 100% rename from rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml rename to rules/windows/process_access/proc_access_win_shellcode_inject_msf_empire.yml diff --git a/rules/windows/process_access/process_access_win_susp_seclogon.yml b/rules/windows/process_access/proc_access_win_susp_seclogon.yml similarity index 100% rename from rules/windows/process_access/process_access_win_susp_seclogon.yml rename to rules/windows/process_access/proc_access_win_susp_seclogon.yml diff --git a/rules/windows/process_access/process_access_winapi_in_powershell_credentials_dumping.yml b/rules/windows/process_access/proc_access_winapi_in_powershell_credentials_dumping.yml similarity index 100% rename from rules/windows/process_access/process_access_winapi_in_powershell_credentials_dumping.yml rename to rules/windows/process_access/proc_access_winapi_in_powershell_credentials_dumping.yml diff --git a/rules/windows/process_creation/proc_creation_wmic_tamper_defender.yml b/rules/windows/process_creation/proc_creation_win_wmic_tamper_defender.yml similarity index 100% rename from rules/windows/process_creation/proc_creation_wmic_tamper_defender.yml rename to rules/windows/process_creation/proc_creation_win_wmic_tamper_defender.yml 
diff --git a/rules/windows/registry/registry_add/registry_set_disk_cleanup_handler_new_entry_persistence.yml b/rules/windows/registry/registry_add/registry_add_disk_cleanup_handler_new_entry_persistence.yml similarity index 100% rename from rules/windows/registry/registry_add/registry_set_disk_cleanup_handler_new_entry_persistence.yml rename to rules/windows/registry/registry_add/registry_add_disk_cleanup_handler_new_entry_persistence.yml diff --git a/rules/windows/registry/registry_set/regsitry_set_natural_language_persistence.yml b/rules/windows/registry/registry_set/registry_set_natural_language_persistence.yml similarity index 100% rename from rules/windows/registry/registry_set/regsitry_set_natural_language_persistence.yml rename to rules/windows/registry/registry_set/registry_set_natural_language_persistence.yml From b40a67c3a6c3ab42f328d6abb12d62bd9819d8a1 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 22 Dec 2022 20:23:54 +0100 Subject: [PATCH 279/303] fix: rename proc access rule --- ... proc_access_win_winapi_in_powershell_credentials_dumping.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/windows/process_access/{proc_access_winapi_in_powershell_credentials_dumping.yml => proc_access_win_winapi_in_powershell_credentials_dumping.yml} (100%) diff --git a/rules/windows/process_access/proc_access_winapi_in_powershell_credentials_dumping.yml b/rules/windows/process_access/proc_access_win_winapi_in_powershell_credentials_dumping.yml similarity index 100% rename from rules/windows/process_access/proc_access_winapi_in_powershell_credentials_dumping.yml rename to rules/windows/process_access/proc_access_win_winapi_in_powershell_credentials_dumping.yml From 72bdf4c6c21520b9fd119aff986127d1bd2bb8fd Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 22 Dec 2022 20:31:21 +0100 Subject: [PATCH 280/303] feat: enhance test and resolve #3724 --- tests/test_rules.py | 137 +++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 136 insertions(+), 1 deletion(-) diff --git a/tests/test_rules.py b/tests/test_rules.py index b7d9e8f0e..0e7d70d6c 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py 
@@ -729,10 +729,145 @@ class TestRules(unittest.TestCase): print( Fore.YELLOW + "Rule {} has a file name that doesn't match our standard.".format(file)) faulty_rules.append(file) + else: + # This test make sure that every rules has a filename that corresponds to + # It's specific logsource. + # Fix Issue #1381 (https://github.com/SigmaHQ/sigma/issues/1381) + logsource = self.get_rule_part(file_path=file, part_name="logsource") + if logsource: + pattern_prefix = "" + os_infix = "" + os_bool = False + for key,value in logsource.items(): + if key == "definition": + pass + else: + if key == "product": + # This is to get the OS for certain categories + if value == "windows": + os_infix = "win_" + elif value == "macos": + os_infix = "macos_" + elif value == "linux": + os_infix = "lnx_" + # For other stuff + elif value == "aws": + pattern_prefix = "aws_" + elif value == "azure": + pattern_prefix = "azure_" + elif value == "gcp": + pattern_prefix = "gcp_" + elif value == "gworkspace": + pattern_prefix = "gworkspace_" + elif value == "m365": + pattern_prefix = "microsoft365_" + elif value == "okta": + pattern_prefix = "okta_" + elif value == "onelogin": + pattern_prefix = "onelogin_" + elif key == "category": + if value == "process_creation": + pattern_prefix = "proc_creation_" + os_bool = True + elif value == "image_load": + pattern_prefix = "image_load_" + elif value == "file_event": + pattern_prefix = "file_event_" + os_bool = True + elif value == "registry_set": + pattern_prefix = "registry_set_" + elif value == "registry_add": + pattern_prefix = "registry_add_" + elif value == "registry_event": + pattern_prefix = "registry_event_" + elif value == "registry_delete": + pattern_prefix = "registry_delete_" + elif value == "registry_rename": + pattern_prefix = "registry_rename_" + elif value == "process_access": + pattern_prefix = "proc_access_" + os_bool = True + elif value == "driver_load": + pattern_prefix = "driver_load_" + os_bool = True + elif value == "dns_query": + 
pattern_prefix = "dns_query_" + os_bool = True + elif value == "ps_script": + pattern_prefix = "posh_ps_" + elif value == "ps_module": + pattern_prefix = "posh_pm_" + elif value == "ps_classic_start": + pattern_prefix = "posh_pc_" + elif value == "pipe_created": + pattern_prefix = "pipe_created_" + elif value == "network_connection": + pattern_prefix = "net_connection_" + os_bool = True + elif value == "file_rename": + pattern_prefix = "file_rename_" + os_bool = True + elif value == "file_delete": + pattern_prefix = "file_delete_" + os_bool = True + elif value == "file_change": + pattern_prefix = "file_change_" + os_bool = True + elif value == "file_access": + pattern_prefix = "file_access_" + os_bool = True + elif value == "create_stream_hash": + pattern_prefix = "create_stream_hash_" + elif value == "create_remote_thread": + pattern_prefix = "create_remote_thread_win_" + elif value == "dns": + pattern_prefix = "net_dns_" + elif value == "firewall": + pattern_prefix = "net_firewall_" + elif value == "webserver": + pattern_prefix = "web_" + elif key == "service": + if value == "auditd": + pattern_prefix = "lnx_auditd_" + elif value == "modsecurity": + pattern_prefix = "modsec_" + elif value == "diagnosis-scripted": + pattern_prefix = "win_diagnosis_scripted_" + elif value == "firewall-as": + pattern_prefix = "win_firewall_as_" + elif value == "msexchange-management": + pattern_prefix = "win_exchange_" + elif value == "security": + pattern_prefix = "win_security_" + elif value == "system": + pattern_prefix = "win_system_" + elif value == "taskscheduler": + pattern_prefix = "win_taskscheduler_" + elif value == "terminalservices-localsessionmanager": + pattern_prefix = "win_terminalservices_" + elif value == "windefend": + pattern_prefix = "win_defender_" + elif value == "wmi": + pattern_prefix = "win_wmi_" + elif value == "codeintegrity-operational": + pattern_prefix = "win_codeintegrity_" + elif value == "bits-client": + pattern_prefix = "win_bits_client_" + elif 
value == "applocker": + pattern_prefix = "win_applocker_" + + # This value is used to test if we should add the OS infix for certain categories + if os_bool: + pattern_prefix += os_infix + if pattern_prefix != "": + if not filename.startswith(pattern_prefix): + print( + Fore.YELLOW + "Rule {} has a file name that doesn't match our standard naming convention.".format(file)) + faulty_rules.append(file) name_lst.append(filename) self.assertEqual(faulty_rules, [], Fore.RED + - r'There are rules with malformed file names (too short, too long, uppercase letters, a minus sign etc.). Please see the file names used in our repository and adjust your file names accordingly. The pattern for a valid file name is \'[a-z0-9_]{10,70}\.yml\' and it has to contain at least an underline character.') + r'There are rules with malformed file names (too short, too long, uppercase letters, a minus sign etc.). Please see the file names used in our repository and adjust your file names accordingly. The pattern for a valid file name is \'[a-z0-9_]{10,70}\.yml\' and it has to contain at least an underline character. It also has to follow the following naming convention https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/Sigmahq_filename_rule.md') def test_title(self): faulty_rules = [] From b02f8b5936f74843b8643396d321a099ecbed0cb Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 22 Dec 2022 20:48:05 +0100 Subject: [PATCH 281/303] fix: rollback deletion and transfer to unsupported --- ...tstrike_getsystem_service_installation.yml | 54 +++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 rules-unsupported/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml 
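Review bot: The new naming-convention check is a roughly 120-line `if`/`elif` ladder over `product`/`category`/`service` values, which has to grow with every new logsource and is already inconsistent with itself — `create_remote_thread` hard-codes `pattern_prefix = "create_remote_thread_win_"` instead of setting `os_bool = True` like its `proc_access_`/`driver_load_` siblings, and `if key == "definition": pass` / `else:` nests the whole body one level deeper for no gain. Because `pattern_prefix` is simply overwritten as `logsource.items()` is walked, the result also depends on the key order in the rule's YAML whenever more than one of those keys has a mapped value; looking the keys up in a fixed order makes it deterministic. I would move the mappings into module-level dicts and reduce the loop to lookups, as sketched below (one table entry per former `elif` branch, same prefixes and same `os_bool` flags). The enclosing test method starts before this hunk.

```python
OS_INFIX = {"windows": "win_", "macos": "macos_", "linux": "lnx_"}
# (prefix, needs_os_infix) per logsource key/value; one entry per former elif branch
FILENAME_PREFIX = {
    "product": {"aws": ("aws_", False), "azure": ("azure_", False), "m365": ("microsoft365_", False)},
    "category": {"process_creation": ("proc_creation_", True), "image_load": ("image_load_", False),
                 "create_remote_thread": ("create_remote_thread_", True)},
    "service": {"auditd": ("lnx_auditd_", False), "security": ("win_security_", False)},
    # … remaining product/category/service entries carried over from the elif chain …
}

# … unchanged: regex / length check on the filename above …
else:
    # Fix Issue #1381 (https://github.com/SigmaHQ/sigma/issues/1381)
    logsource = self.get_rule_part(file_path=file, part_name="logsource")
    if logsource:
        os_infix = OS_INFIX.get(logsource.get("product"), "")
        pattern_prefix, os_bool = "", False
        for key in ("product", "category", "service"):
            hit = FILENAME_PREFIX[key].get(logsource.get(key))
            if hit:
                pattern_prefix, os_bool = hit
        if os_bool:
            pattern_prefix += os_infix
        if pattern_prefix and not filename.startswith(pattern_prefix):
            print(Fore.YELLOW + "Rule {} has a file name that doesn't match our standard naming convention.".format(file))
            faulty_rules.append(file)
```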
diff --git a/rules-unsupported/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules-unsupported/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml new file mode 100644 index 000000000..5c3f04abd --- /dev/null +++ b/rules-unsupported/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml 
@@ -0,0 +1,54 @@ +title: Meterpreter or Cobalt Strike Getsystem Service Installation +id: d585ab5a-6a69-49a8-96e8-4a726a54de46 +related: + - id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6 + type: derived +status: unsupported +description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation +references: + - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment + - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/ +author: Teymur Kheirkhabarov, Ecco, Florian Roth +date: 2019/10/26 +modified: 2022/10/09 +tags: + - attack.privilege_escalation + - attack.t1134.001 + - attack.t1134.002 +logsource: + product: windows + category: driver_load +detection: + selection: + # meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a + - ImagePath|contains|all: + - 'cmd' + - '/c' + - 'echo' + - '\pipe\' + # cobaltstrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a + - ImagePath|contains|all: + - '%COMSPEC%' + - '/c' + - 'echo' + - '\pipe\' + # cobaltstrike getsystem technique 1b (expanded %COMSPEC%): %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a + - ImagePath|contains|all: + - 'cmd.exe' + - '/c' + - 'echo' + - '\pipe\' + # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn + - ImagePath|contains|all: + - 'rundll32' + - '.dll,a' + - '/p:' + condition: selection +fields: + - ComputerName + - SubjectDomainName + - SubjectUserName + - ImagePath +falsepositives: + - Highly unlikely +level: critical \ No newline at end of file From fce8b1e80926a58f7b8e4492682d341a45338a37 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 22 Dec 2022 20:48:35 +0100 Subject: [PATCH 282/303] fix: update modified --- ...terpreter_or_cobaltstrike_getsystem_service_installation.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
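Review bot: The rule is re-added under `rules-unsupported/` with `status: unsupported`, but nothing in the file says why, so the next maintainer cannot tell whether a critical-level getsystem detection was retired for good or is merely misfiled. The visible cause looks like a logsource/field mismatch: the description says it detects "a specific service installation" and the `fields` list `ImagePath`, `SubjectUserName` and `SubjectDomainName`, which are service-installation event fields, while `category: driver_load` (driver-load telemetry) does not, as far as I can tell, carry them — so the selection can never fire on the declared source. I would record that in the file, e.g. a comment under `status:` such as `# unsupported: logsource is driver_load but the selection expects service-installation fields (ImagePath, SubjectUserName); re-home on service: system (EID 7045) or service: security (EID 4697) before re-enabling`. The file is also written without a trailing newline (`\ No newline at end of file`), which yamllint flags and which will show up in every future diff.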
diff --git a/rules-unsupported/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules-unsupported/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml index 5c3f04abd..4f23f2659 100644 --- a/rules-unsupported/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml +++ b/rules-unsupported/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml @@ -10,7 +10,7 @@ references: - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/ author: Teymur Kheirkhabarov, Ecco, Florian Roth date: 2019/10/26 -modified: 2022/10/09 +modified: 2022/12/22 tags: - attack.privilege_escalation - attack.t1134.001 From 03cc78e91633ea8260bec5e365d015ffbf5ee6fc Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 23 Dec 2022 09:25:16 +0100 Subject: [PATCH 283/303] feat: filename test enhancements (#3812) --- ...tstrike_getsystem_service_installation.yml | 6 +- .../net_firewall_cleartext_protocols.yml} | 0 ...win_codeintegrity_blocked_driver_load.yml} | 0 ...n_security_group_modification_logging.yml} | 0 .../win_security_workstation_was_locked.yml} | 0 .../system/win_system_pcap_drivers.yml | 4 +- ...n_taskscheduler_rare_schtask_creation.yml} | 0 ...win_taskscheduler_susp_task_locations.yml} | 0 ...api_in_powershell_credentials_dumping.yml} | 0 ...ry_win_remote_access_software_domains.yml} | 0 ...yml => driver_load_win_mal_creddumper.yml} | 0 ...=> driver_load_win_mal_poortry_driver.yml} | 0 ...owershell_script_installed_as_service.yml} | 0 ...yml => driver_load_win_process_hacker.yml} | 0 ....yml => driver_load_win_susp_temp_use.yml} | 0 ...ad_win_vuln_avast_anti_rootkit_driver.yml} | 0 ...l => driver_load_win_vuln_dell_driver.yml} | 0 ...s.yml => driver_load_win_vuln_drivers.yml} | 0 ...=> driver_load_win_vuln_drivers_names.yml} | 0 ... driver_load_win_vuln_gigabyte_driver.yml} | 0 ...l => driver_load_win_vuln_hevd_driver.yml} | 0 ...yml => driver_load_win_vuln_hw_driver.yml} | 0 ...=> driver_load_win_vuln_lenovo_driver.yml} | 0 ... 
driver_load_win_vuln_winring0_driver.yml} | 0 ...vert.yml => driver_load_win_windivert.yml} | 0 ...ccess_win_shellcode_inject_msf_empire.yml} | 0 ....yml => proc_access_win_susp_seclogon.yml} | 0 ...api_in_powershell_credentials_dumping.yml} | 0 ...roc_creation_win_wmic_tamper_defender.yml} | 0 ...cleanup_handler_new_entry_persistence.yml} | 0 ...stry_set_natural_language_persistence.yml} | 0 tests/test_rules.py | 137 +++++++++++++++++- 32 files changed, 141 insertions(+), 6 deletions(-) rename {rules/windows/driver_load => rules-unsupported}/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml (96%) rename rules/{compliance/firewall_cleartext_protocols.yml => network/firewall/net_firewall_cleartext_protocols.yml} (100%) rename rules/windows/builtin/code_integrity/{win_codeintergiry_blocked_driver_load.yml => win_codeintegrity_blocked_driver_load.yml} (100%) rename rules/{compliance/group_modification_logging.yml => windows/builtin/security/win_security_group_modification_logging.yml} (100%) rename rules/{compliance/workstation_was_locked.yml => windows/builtin/security/win_security_workstation_was_locked.yml} (100%) rename rules/windows/builtin/taskscheduler/{win_rare_schtask_creation.yml => win_taskscheduler_rare_schtask_creation.yml} (100%) rename rules/windows/builtin/taskscheduler/{win_task_scheduler_susp_task_locations.yml => win_taskscheduler_susp_task_locations.yml} (100%) rename rules/windows/create_remote_thread/{create_remote_thread_winapi_in_powershell_credentials_dumping.yml => create_remote_thread_win_winapi_in_powershell_credentials_dumping.yml} (100%) rename rules/windows/dns_query/{dns_query_remote_access_software_domains.yml => dns_query_win_remote_access_software_domains.yml} (100%) rename rules/windows/driver_load/{driver_load_mal_creddumper.yml => driver_load_win_mal_creddumper.yml} (100%) rename rules/windows/driver_load/{driver_load_mal_poortry_driver.yml => driver_load_win_mal_poortry_driver.yml} (100%) rename 
rules/windows/driver_load/{driver_load_powershell_script_installed_as_service.yml => driver_load_win_powershell_script_installed_as_service.yml} (100%) rename rules/windows/driver_load/{driver_load_process_hacker.yml => driver_load_win_process_hacker.yml} (100%) rename rules/windows/driver_load/{driver_load_susp_temp_use.yml => driver_load_win_susp_temp_use.yml} (100%) mode change 100755 => 100644 rename rules/windows/driver_load/{driver_load_vuln_avast_anti_rootkit_driver.yml => driver_load_win_vuln_avast_anti_rootkit_driver.yml} (100%) rename rules/windows/driver_load/{driver_load_vuln_dell_driver.yml => driver_load_win_vuln_dell_driver.yml} (100%) rename rules/windows/driver_load/{driver_load_vuln_drivers.yml => driver_load_win_vuln_drivers.yml} (100%) rename rules/windows/driver_load/{driver_load_vuln_drivers_names.yml => driver_load_win_vuln_drivers_names.yml} (100%) rename rules/windows/driver_load/{driver_load_vuln_gigabyte_driver.yml => driver_load_win_vuln_gigabyte_driver.yml} (100%) rename rules/windows/driver_load/{driver_load_vuln_hevd_driver.yml => driver_load_win_vuln_hevd_driver.yml} (100%) rename rules/windows/driver_load/{driver_load_vuln_hw_driver.yml => driver_load_win_vuln_hw_driver.yml} (100%) rename rules/windows/driver_load/{driver_load_vuln_lenovo_driver.yml => driver_load_win_vuln_lenovo_driver.yml} (100%) rename rules/windows/driver_load/{driver_load_vuln_winring0_driver.yml => driver_load_win_vuln_winring0_driver.yml} (100%) rename rules/windows/driver_load/{driver_load_windivert.yml => driver_load_win_windivert.yml} (100%) rename rules/windows/process_access/{process_access_win_shellcode_inject_msf_empire.yml => proc_access_win_shellcode_inject_msf_empire.yml} (100%) rename rules/windows/process_access/{process_access_win_susp_seclogon.yml => proc_access_win_susp_seclogon.yml} (100%) rename rules/windows/process_access/{process_access_winapi_in_powershell_credentials_dumping.yml => 
proc_access_win_winapi_in_powershell_credentials_dumping.yml} (100%) rename rules/windows/process_creation/{proc_creation_wmic_tamper_defender.yml => proc_creation_win_wmic_tamper_defender.yml} (100%) rename rules/windows/registry/registry_add/{registry_set_disk_cleanup_handler_new_entry_persistence.yml => registry_add_disk_cleanup_handler_new_entry_persistence.yml} (100%) rename rules/windows/registry/registry_set/{regsitry_set_natural_language_persistence.yml => registry_set_natural_language_persistence.yml} (100%) diff --git a/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules-unsupported/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml similarity index 96% rename from rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml rename to rules-unsupported/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml index b3afed27b..4f23f2659 100644 --- a/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml +++ b/rules-unsupported/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml @@ -3,14 +3,14 @@ id: d585ab5a-6a69-49a8-96e8-4a726a54de46 related: - id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6 type: derived -status: test +status: unsupported description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation references: - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/ author: Teymur Kheirkhabarov, Ecco, Florian Roth date: 2019/10/26 -modified: 2022/10/09 +modified: 2022/12/22 tags: - attack.privilege_escalation - attack.t1134.001 @@ -51,4 +51,4 @@ fields: - ImagePath falsepositives: - Highly unlikely -level: critical +level: critical \ No newline at end of file 
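Review bot: The last hunk of this file section removes the trailing newline at end of file — `-level: critical` / `+level: critical` with `\ No newline at end of file` — which is the only reason that line appears in the diff; yamllint's `new-line-at-end-of-file` rule flags it and it will produce a spurious change on every later edit. Restore the newline after `level: critical`. The `status: test` to `status: unsupported` change also carries no rationale in the file; a one-line comment stating why (the selection relies on service-installation fields while the logsource is `driver_load`) would save the next reader from re-deriving it.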
diff --git a/rules/compliance/firewall_cleartext_protocols.yml b/rules/network/firewall/net_firewall_cleartext_protocols.yml similarity index 100% rename from rules/compliance/firewall_cleartext_protocols.yml rename to rules/network/firewall/net_firewall_cleartext_protocols.yml diff --git a/rules/windows/builtin/code_integrity/win_codeintergiry_blocked_driver_load.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_blocked_driver_load.yml similarity index 100% rename from rules/windows/builtin/code_integrity/win_codeintergiry_blocked_driver_load.yml rename to rules/windows/builtin/code_integrity/win_codeintegrity_blocked_driver_load.yml diff --git a/rules/compliance/group_modification_logging.yml b/rules/windows/builtin/security/win_security_group_modification_logging.yml similarity index 100% rename from rules/compliance/group_modification_logging.yml rename to rules/windows/builtin/security/win_security_group_modification_logging.yml diff --git a/rules/compliance/workstation_was_locked.yml b/rules/windows/builtin/security/win_security_workstation_was_locked.yml similarity index 100% rename from rules/compliance/workstation_was_locked.yml rename to rules/windows/builtin/security/win_security_workstation_was_locked.yml diff --git a/rules/windows/builtin/system/win_system_pcap_drivers.yml b/rules/windows/builtin/system/win_system_pcap_drivers.yml index 5a2361e62..d0ae0f782 100644 --- a/rules/windows/builtin/system/win_system_pcap_drivers.yml +++ b/rules/windows/builtin/system/win_system_pcap_drivers.yml @@ -6,14 +6,14 @@ references: - https://ragged-lab.blogspot.com/2020/06/capturing-pcap-driver-installations.html#more author: Cian Heasley date: 2020/06/10 -modified: 2021/11/27 +modified: 2022/12/22 tags: - attack.discovery - attack.credential_access - attack.t1040 logsource: product: windows - service: security + service: system definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: selection: 
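Review bot: Switching `service: security` to `service: system` in `win_system_pcap_drivers.yml` leaves the `definition` line inconsistent: it still says the "System Security Extension" audit subcategory must be enabled to log EID 4697, and 4697 ("A service was installed in the system") is a Security-channel event — its System-channel counterpart is 7045, which is logged by default without any audit-policy change. If the selection below the hunk matches `EventID: 4697`, the rule is now pointed at a channel where that event does not appear; if it matches 7045, the `definition` is simply wrong. Either revert the logsource or update the text, e.g. `definition: Service installations are logged to the System channel as EID 7045 by default; no audit policy change is required`. The `detection:` block starts at the end of this hunk and continues outside it, so I cannot confirm which event ID the selection uses.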
diff --git a/rules/windows/builtin/taskscheduler/win_rare_schtask_creation.yml b/rules/windows/builtin/taskscheduler/win_taskscheduler_rare_schtask_creation.yml similarity index 100% rename from rules/windows/builtin/taskscheduler/win_rare_schtask_creation.yml rename to rules/windows/builtin/taskscheduler/win_taskscheduler_rare_schtask_creation.yml diff --git a/rules/windows/builtin/taskscheduler/win_task_scheduler_susp_task_locations.yml b/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_task_locations.yml similarity index 100% rename from rules/windows/builtin/taskscheduler/win_task_scheduler_susp_task_locations.yml rename to rules/windows/builtin/taskscheduler/win_taskscheduler_susp_task_locations.yml diff --git a/rules/windows/create_remote_thread/create_remote_thread_winapi_in_powershell_credentials_dumping.yml b/rules/windows/create_remote_thread/create_remote_thread_win_winapi_in_powershell_credentials_dumping.yml similarity index 100% rename from rules/windows/create_remote_thread/create_remote_thread_winapi_in_powershell_credentials_dumping.yml rename to rules/windows/create_remote_thread/create_remote_thread_win_winapi_in_powershell_credentials_dumping.yml diff --git a/rules/windows/dns_query/dns_query_remote_access_software_domains.yml b/rules/windows/dns_query/dns_query_win_remote_access_software_domains.yml similarity index 100% rename from rules/windows/dns_query/dns_query_remote_access_software_domains.yml rename to rules/windows/dns_query/dns_query_win_remote_access_software_domains.yml diff --git a/rules/windows/driver_load/driver_load_mal_creddumper.yml b/rules/windows/driver_load/driver_load_win_mal_creddumper.yml similarity index 100% rename from rules/windows/driver_load/driver_load_mal_creddumper.yml rename to rules/windows/driver_load/driver_load_win_mal_creddumper.yml 
diff --git a/rules/windows/driver_load/driver_load_mal_poortry_driver.yml b/rules/windows/driver_load/driver_load_win_mal_poortry_driver.yml similarity index 100% rename from rules/windows/driver_load/driver_load_mal_poortry_driver.yml rename to rules/windows/driver_load/driver_load_win_mal_poortry_driver.yml diff --git a/rules/windows/driver_load/driver_load_powershell_script_installed_as_service.yml b/rules/windows/driver_load/driver_load_win_powershell_script_installed_as_service.yml similarity index 100% rename from rules/windows/driver_load/driver_load_powershell_script_installed_as_service.yml rename to rules/windows/driver_load/driver_load_win_powershell_script_installed_as_service.yml diff --git a/rules/windows/driver_load/driver_load_process_hacker.yml b/rules/windows/driver_load/driver_load_win_process_hacker.yml similarity index 100% rename from rules/windows/driver_load/driver_load_process_hacker.yml rename to rules/windows/driver_load/driver_load_win_process_hacker.yml diff --git a/rules/windows/driver_load/driver_load_susp_temp_use.yml b/rules/windows/driver_load/driver_load_win_susp_temp_use.yml old mode 100755 new mode 100644 similarity index 100% rename from rules/windows/driver_load/driver_load_susp_temp_use.yml rename to rules/windows/driver_load/driver_load_win_susp_temp_use.yml diff --git a/rules/windows/driver_load/driver_load_vuln_avast_anti_rootkit_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_avast_anti_rootkit_driver.yml similarity index 100% rename from rules/windows/driver_load/driver_load_vuln_avast_anti_rootkit_driver.yml rename to rules/windows/driver_load/driver_load_win_vuln_avast_anti_rootkit_driver.yml diff --git a/rules/windows/driver_load/driver_load_vuln_dell_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_dell_driver.yml similarity index 100% rename from rules/windows/driver_load/driver_load_vuln_dell_driver.yml rename to rules/windows/driver_load/driver_load_win_vuln_dell_driver.yml 
diff --git a/rules/windows/driver_load/driver_load_vuln_drivers.yml b/rules/windows/driver_load/driver_load_win_vuln_drivers.yml similarity index 100% rename from rules/windows/driver_load/driver_load_vuln_drivers.yml rename to rules/windows/driver_load/driver_load_win_vuln_drivers.yml diff --git a/rules/windows/driver_load/driver_load_vuln_drivers_names.yml b/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml similarity index 100% rename from rules/windows/driver_load/driver_load_vuln_drivers_names.yml rename to rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml diff --git a/rules/windows/driver_load/driver_load_vuln_gigabyte_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_gigabyte_driver.yml similarity index 100% rename from rules/windows/driver_load/driver_load_vuln_gigabyte_driver.yml rename to rules/windows/driver_load/driver_load_win_vuln_gigabyte_driver.yml diff --git a/rules/windows/driver_load/driver_load_vuln_hevd_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_hevd_driver.yml similarity index 100% rename from rules/windows/driver_load/driver_load_vuln_hevd_driver.yml rename to rules/windows/driver_load/driver_load_win_vuln_hevd_driver.yml diff --git a/rules/windows/driver_load/driver_load_vuln_hw_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_hw_driver.yml similarity index 100% rename from rules/windows/driver_load/driver_load_vuln_hw_driver.yml rename to rules/windows/driver_load/driver_load_win_vuln_hw_driver.yml diff --git a/rules/windows/driver_load/driver_load_vuln_lenovo_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_lenovo_driver.yml similarity index 100% rename from rules/windows/driver_load/driver_load_vuln_lenovo_driver.yml rename to rules/windows/driver_load/driver_load_win_vuln_lenovo_driver.yml 
diff --git a/rules/windows/driver_load/driver_load_vuln_winring0_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml similarity index 100% rename from rules/windows/driver_load/driver_load_vuln_winring0_driver.yml rename to rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml diff --git a/rules/windows/driver_load/driver_load_windivert.yml b/rules/windows/driver_load/driver_load_win_windivert.yml similarity index 100% rename from rules/windows/driver_load/driver_load_windivert.yml rename to rules/windows/driver_load/driver_load_win_windivert.yml diff --git a/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml b/rules/windows/process_access/proc_access_win_shellcode_inject_msf_empire.yml similarity index 100% rename from rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml rename to rules/windows/process_access/proc_access_win_shellcode_inject_msf_empire.yml diff --git a/rules/windows/process_access/process_access_win_susp_seclogon.yml b/rules/windows/process_access/proc_access_win_susp_seclogon.yml similarity index 100% rename from rules/windows/process_access/process_access_win_susp_seclogon.yml rename to rules/windows/process_access/proc_access_win_susp_seclogon.yml diff --git a/rules/windows/process_access/process_access_winapi_in_powershell_credentials_dumping.yml b/rules/windows/process_access/proc_access_win_winapi_in_powershell_credentials_dumping.yml similarity index 100% rename from rules/windows/process_access/process_access_winapi_in_powershell_credentials_dumping.yml rename to rules/windows/process_access/proc_access_win_winapi_in_powershell_credentials_dumping.yml 
diff --git a/rules/windows/process_creation/proc_creation_wmic_tamper_defender.yml b/rules/windows/process_creation/proc_creation_win_wmic_tamper_defender.yml similarity index 100% rename from rules/windows/process_creation/proc_creation_wmic_tamper_defender.yml rename to rules/windows/process_creation/proc_creation_win_wmic_tamper_defender.yml diff --git a/rules/windows/registry/registry_add/registry_set_disk_cleanup_handler_new_entry_persistence.yml b/rules/windows/registry/registry_add/registry_add_disk_cleanup_handler_new_entry_persistence.yml similarity index 100% rename from rules/windows/registry/registry_add/registry_set_disk_cleanup_handler_new_entry_persistence.yml rename to rules/windows/registry/registry_add/registry_add_disk_cleanup_handler_new_entry_persistence.yml diff --git a/rules/windows/registry/registry_set/regsitry_set_natural_language_persistence.yml b/rules/windows/registry/registry_set/registry_set_natural_language_persistence.yml similarity index 100% rename from rules/windows/registry/registry_set/regsitry_set_natural_language_persistence.yml rename to rules/windows/registry/registry_set/registry_set_natural_language_persistence.yml diff --git a/tests/test_rules.py b/tests/test_rules.py index b7d9e8f0e..0e7d70d6c 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py 
@@ -729,10 +729,145 @@ class TestRules(unittest.TestCase): print( Fore.YELLOW + "Rule {} has a file name that doesn't match our standard.".format(file)) faulty_rules.append(file) + else: + # This test make sure that every rules has a filename that corresponds to + # It's specific logsource. + # Fix Issue #1381 (https://github.com/SigmaHQ/sigma/issues/1381) + logsource = self.get_rule_part(file_path=file, part_name="logsource") + if logsource: + pattern_prefix = "" + os_infix = "" + os_bool = False + for key,value in logsource.items(): + if key == "definition": + pass + else: + if key == "product": + # This is to get the OS for certain categories + if value == "windows": + os_infix = "win_" + elif value == "macos": + os_infix = "macos_" + elif value == "linux": + os_infix = "lnx_" + # For other stuff + elif value == "aws": + pattern_prefix = "aws_" + elif value == "azure": + pattern_prefix = "azure_" + elif value == "gcp": + pattern_prefix = "gcp_" + elif value == "gworkspace": + pattern_prefix = "gworkspace_" + elif value == "m365": + pattern_prefix = "microsoft365_" + elif value == "okta": + pattern_prefix = "okta_" + elif value == "onelogin": + pattern_prefix = "onelogin_" + elif key == "category": + if value == "process_creation": + pattern_prefix = "proc_creation_" + os_bool = True + elif value == "image_load": + pattern_prefix = "image_load_" + elif value == "file_event": + pattern_prefix = "file_event_" + os_bool = True + elif value == "registry_set": + pattern_prefix = "registry_set_" + elif value == "registry_add": + pattern_prefix = "registry_add_" + elif value == "registry_event": + pattern_prefix = "registry_event_" + elif value == "registry_delete": + pattern_prefix = "registry_delete_" + elif value == "registry_rename": + pattern_prefix = "registry_rename_" + elif value == "process_access": + pattern_prefix = "proc_access_" + os_bool = True + elif value == "driver_load": + pattern_prefix = "driver_load_" + os_bool = True + elif value == "dns_query": + 
pattern_prefix = "dns_query_" + os_bool = True + elif value == "ps_script": + pattern_prefix = "posh_ps_" + elif value == "ps_module": + pattern_prefix = "posh_pm_" + elif value == "ps_classic_start": + pattern_prefix = "posh_pc_" + elif value == "pipe_created": + pattern_prefix = "pipe_created_" + elif value == "network_connection": + pattern_prefix = "net_connection_" + os_bool = True + elif value == "file_rename": + pattern_prefix = "file_rename_" + os_bool = True + elif value == "file_delete": + pattern_prefix = "file_delete_" + os_bool = True + elif value == "file_change": + pattern_prefix = "file_change_" + os_bool = True + elif value == "file_access": + pattern_prefix = "file_access_" + os_bool = True + elif value == "create_stream_hash": + pattern_prefix = "create_stream_hash_" + elif value == "create_remote_thread": + pattern_prefix = "create_remote_thread_win_" + elif value == "dns": + pattern_prefix = "net_dns_" + elif value == "firewall": + pattern_prefix = "net_firewall_" + elif value == "webserver": + pattern_prefix = "web_" + elif key == "service": + if value == "auditd": + pattern_prefix = "lnx_auditd_" + elif value == "modsecurity": + pattern_prefix = "modsec_" + elif value == "diagnosis-scripted": + pattern_prefix = "win_diagnosis_scripted_" + elif value == "firewall-as": + pattern_prefix = "win_firewall_as_" + elif value == "msexchange-management": + pattern_prefix = "win_exchange_" + elif value == "security": + pattern_prefix = "win_security_" + elif value == "system": + pattern_prefix = "win_system_" + elif value == "taskscheduler": + pattern_prefix = "win_taskscheduler_" + elif value == "terminalservices-localsessionmanager": + pattern_prefix = "win_terminalservices_" + elif value == "windefend": + pattern_prefix = "win_defender_" + elif value == "wmi": + pattern_prefix = "win_wmi_" + elif value == "codeintegrity-operational": + pattern_prefix = "win_codeintegrity_" + elif value == "bits-client": + pattern_prefix = "win_bits_client_" + elif 
value == "applocker": + pattern_prefix = "win_applocker_" + + # This value is used to test if we should add the OS infix for certain categories + if os_bool: + pattern_prefix += os_infix + if pattern_prefix != "": + if not filename.startswith(pattern_prefix): + print( + Fore.YELLOW + "Rule {} has a file name that doesn't match our standard naming convention.".format(file)) + faulty_rules.append(file) name_lst.append(filename) self.assertEqual(faulty_rules, [], Fore.RED + - r'There are rules with malformed file names (too short, too long, uppercase letters, a minus sign etc.). Please see the file names used in our repository and adjust your file names accordingly. The pattern for a valid file name is \'[a-z0-9_]{10,70}\.yml\' and it has to contain at least an underline character.') + r'There are rules with malformed file names (too short, too long, uppercase letters, a minus sign etc.). Please see the file names used in our repository and adjust your file names accordingly. The pattern for a valid file name is \'[a-z0-9_]{10,70}\.yml\' and it has to contain at least an underline character. It also has to follow the following naming convention https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/Sigmahq_filename_rule.md') def test_title(self): faulty_rules = [] From 9617cdd4eac616b9aaf0786e72254a8b17005ab1 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Fri, 23 Dec 2022 10:50:34 +0100 Subject: [PATCH 284/303] Issue 575 page 42 --- .../posh_ps_x509enrollment.yml | 25 +++++++++++++++++++ .../proc_creation_win_x509enrollment.yml | 24 ++++++++++++++++++ 2 files changed, 49 insertions(+) create mode 100644 rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml create mode 100644 rules/windows/process_creation/proc_creation_win_x509enrollment.yml 
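Review bot: The new naming-convention check is a ~120-line if/elif ladder over the `product`/`category`/`service` values, so every new logsource becomes a code change in three places, and the ladder hides its one real edge: `pattern_prefix` is written by the cloud `product` branch, the `category` branch and the `service` branch alike, so when a rule's `logsource` has more than one of them with a known value the result depends on the key order of that mapping. Two module-level lookup tables (one `value -> prefix` per key, plus the set of categories that take the OS infix) express the same convention declaratively and make that precedence visible; the mapping values below are exactly the ones the ladder encodes. The enclosing test method starts before this hunk, and `filename` and `faulty_rules` come from there.
```python
# module level, next to the test class: the same mapping the if/elif ladder encoded
_OS_INFIX = {"windows": "win_", "macos": "macos_", "linux": "lnx_"}
_PRODUCT_PREFIX = {"aws": "aws_", "azure": "azure_", "gcp": "gcp_", "gworkspace": "gworkspace_",
                   "m365": "microsoft365_", "okta": "okta_", "onelogin": "onelogin_"}
_CATEGORY_PREFIX = {"process_creation": "proc_creation_", "image_load": "image_load_",
                    # … remaining category -> prefix pairs, unchanged from the ladder …
                    "webserver": "web_"}
# categories whose prefix is followed by the product's OS infix
_CATEGORY_WITH_OS = {"process_creation", "file_event", "process_access", "driver_load", "dns_query",
                     "network_connection", "file_rename", "file_delete", "file_change", "file_access"}
_SERVICE_PREFIX = {"auditd": "lnx_auditd_", "modsecurity": "modsec_",
                   # … remaining service -> prefix pairs, unchanged from the ladder …
                   "applocker": "win_applocker_"}

# inside the else: branch, replacing the ladder
logsource = self.get_rule_part(file_path=file, part_name="logsource")
if logsource:
    pattern_prefix = ""
    os_infix = ""
    os_bool = False
    # NOTE: precedence is still "last logsource key wins", as in the ladder; tighten if that is not intended
    for key, value in logsource.items():
        if key == "product":
            os_infix = _OS_INFIX.get(value, os_infix)
            pattern_prefix = _PRODUCT_PREFIX.get(value, pattern_prefix)
        elif key == "category":
            pattern_prefix = _CATEGORY_PREFIX.get(value, pattern_prefix)
            os_bool = value in _CATEGORY_WITH_OS
        elif key == "service":
            pattern_prefix = _SERVICE_PREFIX.get(value, pattern_prefix)
    # … unchanged: os infix append and the startswith check …
```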
diff --git a/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml b/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml new file mode 100644 index 000000000..ef7f40d75 --- /dev/null +++ b/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml @@ -0,0 +1,25 @@ +title: Suspicious X509Enrollment +id: 504d63cb-0dba-4d02-8531-e72981aace2c +related: + - id: 114de787-4eb2-48cc-abdb-c0b449f93ea4 + type: similar +status: experimental +description: Detect use of X509Enrollment +references: + - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42 + - https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115 +author: frack113 +date: 2022/12/23 +logsource: + product: windows + category: ps_script + definition: Script block logging must be enabled +detection: + selection: + ScriptBlockText|contains: + - 'X509Enrollment.CBinaryConverter' + - '884e2002-217d-11da-b2a4-000e7bbb2b09' + condition: selection +falsepositives: + - Legitimate administrative script +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_x509enrollment.yml b/rules/windows/process_creation/proc_creation_win_x509enrollment.yml new file mode 100644 index 000000000..8d6d2d5ae --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_x509enrollment.yml 
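Review bot: The new rule has no `tags:` section, so unlike the other rules in this series it ships without an ATT&CK mapping, and the description `Detect use of X509Enrollment` does not say what makes the use suspicious. From the referenced slide the indicator appears to be the `X509Enrollment.CBinaryConverter` COM object (its CLSID is the second string) being used as a base64/binary conversion primitive in place of `[Convert]::FromBase64String` — confirm against the slide before wording it that way. I would add `tags:` with `attack.defense_evasion` and `attack.t1140`, and reword the description to `Detects use of the X509Enrollment.CBinaryConverter COM object (by ProgID or CLSID) in a PowerShell script, which can stand in for FromBase64String to evade string-based detections`.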
@@ -0,0 +1,24 @@ +title: Suspicious X509Enrollment +id: 114de787-4eb2-48cc-abdb-c0b449f93ea4 +related: + - id: 504d63cb-0dba-4d02-8531-e72981aace2c + type: similar +status: experimental +description: Detect use of X509Enrollment +references: + - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42 + - https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115 +author: frack113 +date: 2022/12/23 +logsource: + product: windows + category: process_creation +detection: + selection: + CommandLine|contains: + - 'X509Enrollment.CBinaryConverter' + - '884e2002-217d-11da-b2a4-000e7bbb2b09' + condition: selection +falsepositives: + - Legitimate administrative script +level: medium From b200b5dedbadec1450ef93a03ddd572bbe29c8e2 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Fri, 23 Dec 2022 10:58:11 +0100 Subject: [PATCH 285/303] Fix title --- .../powershell/powershell_script/posh_ps_x509enrollment.yml | 2 +- .../process_creation/proc_creation_win_x509enrollment.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml b/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml index ef7f40d75..46b705b72 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml @@ -1,4 +1,4 @@ -title: Suspicious X509Enrollment +title: Suspicious X509Enrollment - Ps Script id: 504d63cb-0dba-4d02-8531-e72981aace2c related: - id: 114de787-4eb2-48cc-abdb-c0b449f93ea4 diff --git a/rules/windows/process_creation/proc_creation_win_x509enrollment.yml b/rules/windows/process_creation/proc_creation_win_x509enrollment.yml index 8d6d2d5ae..cff0a1082 100644 --- a/rules/windows/process_creation/proc_creation_win_x509enrollment.yml 
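Review bot: `CommandLine|contains` on the ProgID/CLSID only fires when the script text is passed in clear on the command line; a `powershell -EncodedCommand <base64>` invocation, the usual way such one-liners are launched, carries neither `X509Enrollment.CBinaryConverter` nor the CLSID in the logged command line, which makes the `ps_script` sibling (`504d63cb-…`) the stronger of the pair. Worth stating that so operators do not treat this rule as coverage on its own, e.g. `# Only catches plaintext command lines; encoded commands are covered by the related ps_script rule`. Like its sibling, the rule also lacks a `tags:` section and therefore has no ATT&CK mapping.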
+++ b/rules/windows/process_creation/proc_creation_win_x509enrollment.yml @@ -1,4 +1,4 @@ -title: Suspicious X509Enrollment +title: Suspicious X509Enrollment - Process Creation id: 114de787-4eb2-48cc-abdb-c0b449f93ea4 related: - id: 504d63cb-0dba-4d02-8531-e72981aace2c From a3f897606f946500904e9946c796818ff8c32a48 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 23 Dec 2022 11:01:57 +0100 Subject: [PATCH 286/303] fix: enhance metadata information --- rules/cloud/aws/aws_delete_identity.yml | 8 +++--- rules/cloud/aws/aws_enum_logging.yml | 26 +++++++++---------- rules/cloud/aws/aws_enum_network.yml | 20 +++++++------- rules/cloud/aws/aws_enum_storage.yml | 8 +++--- rules/cloud/aws/aws_ses_messaging_enabled.yml | 10 +++---- 5 files changed, 36 insertions(+), 36 deletions(-) diff --git a/rules/cloud/aws/aws_delete_identity.yml b/rules/cloud/aws/aws_delete_identity.yml index e54a4b349..9ba8f1a88 100644 --- a/rules/cloud/aws/aws_delete_identity.yml +++ b/rules/cloud/aws/aws_delete_identity.yml @@ -1,7 +1,7 @@ -title: Delete SES Identity +title: SES Identity Has Been Deleted id: 20f754db-d025-4a8f-9d74-e0037e999a9a status: experimental -description: Identifies a SES identity is deleted. This may be an indicator of an adversary removing the account that carried out suspicious or malicious activities +description: Detects an instance of an SES identity being deleted via the "delete-identity" event. This may be an indicator of an adversary removing the account that carried out suspicious or malicious activities references: - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/ author: Janantha Marasinghe @@ -14,8 +14,8 @@ logsource: service: cloudtrail detection: selection: - eventSource: ses.amazonaws.com - eventName: delete-identity + eventSource: 'ses.amazonaws.com' + eventName: 'delete-identity' condition: selection falsepositives: - Unknown 
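Review bot: `eventName: 'delete-identity'` is the AWS CLI subcommand spelling, while every other CloudTrail rule touched in this commit matches the API action name in PascalCase (`VerifyEmailIdentity`, `UpdateAccountSendingEnabled`, `ListBuckets`); CloudTrail records the API action, so as written this selection will most likely never match. Change it to `eventName: 'DeleteIdentity'` after confirming against a CloudTrail sample of the event. The quoting and wording changes in this hunk are otherwise fine.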
diff --git a/rules/cloud/aws/aws_enum_logging.yml b/rules/cloud/aws/aws_enum_logging.yml index 51d227522..63c680008 100644 --- a/rules/cloud/aws/aws_enum_logging.yml +++ b/rules/cloud/aws/aws_enum_logging.yml @@ -1,7 +1,7 @@ -title: Enumerate Backup Configuration on AWS +title: Potential Backup Enumeration on An AWS Instance id: 76255e09-755e-4675-8b6b-dbce9842cd2a status: experimental -description: Identifies enumeration activity targeting the AWS backups +description: Detects potential enumeration activity targeting an AWS instance backups references: - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/ author: Janantha Marasinghe @@ -14,17 +14,17 @@ logsource: service: cloudtrail detection: selection: - eventSource: ec2.amazonaws.com - eventName: - - GetPasswordData - - GetEbsEncryptionByDefault - - GetEbsDefaultKmsKeyId - - GetBucketReplication - - DescribeVolumes - - DescribeVolumesModifications - - DescribeSnapshotAttribute - - DescribeSnapshotTierStatus - - DescribeImages + eventSource: 'ec2.amazonaws.com' + eventName: + - 'GetPasswordData' + - 'GetEbsEncryptionByDefault' + - 'GetEbsDefaultKmsKeyId' + - 'GetBucketReplication' + - 'DescribeVolumes' + - 'DescribeVolumesModifications' + - 'DescribeSnapshotAttribute' + - 'DescribeSnapshotTierStatus' + - 'DescribeImages' timeframe: 10m condition: selection falsepositives: diff --git a/rules/cloud/aws/aws_enum_network.yml b/rules/cloud/aws/aws_enum_network.yml index e6441bb65..7b5a6ca6c 100644 --- a/rules/cloud/aws/aws_enum_network.yml +++ b/rules/cloud/aws/aws_enum_network.yml 
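Review bot: `GetBucketReplication` is an S3 API action, not an EC2 one, so under `eventSource: 'ec2.amazonaws.com'` that list entry can never match; it belongs in the S3 storage rule from this same commit (`aws_enum_storage.yml`) or under a separate `s3.amazonaws.com` selection. `GetPasswordData` is likewise an instance-credential retrieval call rather than a backup/EBS query, so either the title and description should say "EC2/EBS enumeration" or that entry should move to a credential-access rule — confirm against the Unit 42 write-up the rule references. The plain `condition: selection` next to `timeframe: 10m` is addressed by a later commit in this series.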
@@ -1,7 +1,7 @@ -title: Network Enumeration on AWS +title: Potential Network Enumeration on An AWS Instance id: c3d53999-4b14-4ddd-9d9b-e618c366b54d status: experimental -description: Identifies when network enumeration is performed on AWS. +description: Detects network enumeration performed on an AWS instance. references: - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/ author: Janantha Marasinghe @@ -14,14 +14,14 @@ logsource: service: cloudtrail detection: selection: - eventSource: ec2.amazonaws.com - eventName: - - DescribeCarrierGateways - - DescribeVpcEndpointConnectionNotifications - - DescribeTransitGatewayMulticastDomains - - DescribeClientVpnRoutes - - DescribeDhcpOptions - - GetTransitGatewayRouteTableAssociations + eventSource: 'ec2.amazonaws.com' + eventName: + - 'DescribeCarrierGateways' + - 'DescribeVpcEndpointConnectionNotifications' + - 'DescribeTransitGatewayMulticastDomains' + - 'DescribeClientVpnRoutes' + - 'DescribeDhcpOptions' + - 'GetTransitGatewayRouteTableAssociations' timeframe: 10m condition: selection falsepositives: diff --git a/rules/cloud/aws/aws_enum_storage.yml b/rules/cloud/aws/aws_enum_storage.yml index f91ea1dd1..c06f63780 100644 --- a/rules/cloud/aws/aws_enum_storage.yml +++ b/rules/cloud/aws/aws_enum_storage.yml @@ -1,7 +1,7 @@ -title: Storage Enumeration on AWS +title: Potential Storage Enumeration on An AWS Instance id: 4723218f-2048-41f6-bcb0-417f2d784f61 status: experimental -description: Identifies enumeration activity targeting AWS storage +description: Detects potential enumeration activity targeting AWS storage references: - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/ author: Janantha Marasinghe @@ -14,8 +14,8 @@ logsource: service: cloudtrail detection: selection: - eventSource: s3.amazonaws.com - eventName: + eventSource: 's3.amazonaws.com' + eventName: - 'ListBuckets' - 'GetBucketCors' - 'GetBucketInventoryConfiguration' 
diff --git a/rules/cloud/aws/aws_ses_messaging_enabled.yml b/rules/cloud/aws/aws_ses_messaging_enabled.yml index 4d49be28f..55a5038d6 100644 --- a/rules/cloud/aws/aws_ses_messaging_enabled.yml +++ b/rules/cloud/aws/aws_ses_messaging_enabled.yml @@ -1,7 +1,7 @@ -title: Configure AWS SES To Send Messages +title: Potential Phshing Activity Via AWS Cloud Email Service Abuse id: 60b84424-a724-4502-bd0d-cc676e1bc90e status: experimental -description: Identifies email sending feature is enabled for an account and the email address verification request is dispatched +description: Detects potential phshing activity when the email sending feature is enabled for an account and the email address verification request is dispatched in quick succession references: - https://unit42.paloaltonetworks.com/compromised-cloud-compute-credentials/ author: Janantha Marasinghe @@ -14,13 +14,13 @@ logsource: service: cloudtrail detection: selection1: - eventSource: ses.amazonaws.com + eventSource: 'ses.amazonaws.com' eventName: 'UpdateAccountSendingEnabled' selection2: - eventSource: ses.amazonaws.com + eventSource: 'ses.amazonaws.com' eventName: 'VerifyEmailIdentity' timeframe: 5m - condition: selection1 and selection2 + condition: selection1 and selection2 # We don't combine them in one selection because we want to correlate both events falsepositives: - Legitimate SES configuration activity level: medium From bee5b2f2529cb7febed738767aef5e68c12a5871 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Fri, 23 Dec 2022 11:10:17 +0100 Subject: [PATCH 287/303] Issue 575 page 43 --- .../posh_ps_frombase64string_archive.yml | 24 +++++++++++++++++++ ..._creation_win_frombase64string_archive.yml | 23 ++++++++++++++++++ 2 files changed, 47 insertions(+) create mode 100644 rules/windows/powershell/powershell_script/posh_ps_frombase64string_archive.yml create mode 100644 rules/windows/process_creation/proc_creation_win_frombase64string_archive.yml 
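Review bot: `condition: selection1 and selection2` cannot be satisfied by a single CloudTrail event, because the two selections require different `eventName` values on the same record; the new inline comment confirms the intent is to correlate two events within `timeframe: 5m`, which in the Sigma versions that support `timeframe` is written as an aggregation such as `condition: selection1 | near selection2` (or as a separate correlation rule under the newer specification) — confirm which form this repository's backends accept. Separately, `Phshing` is misspelled in both the new title and the description: `Potential Phishing Activity Via AWS Cloud Email Service Abuse`.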
diff --git a/rules/windows/powershell/powershell_script/posh_ps_frombase64string_archive.yml b/rules/windows/powershell/powershell_script/posh_ps_frombase64string_archive.yml new file mode 100644 index 000000000..f5d440162 --- /dev/null +++ b/rules/windows/powershell/powershell_script/posh_ps_frombase64string_archive.yml @@ -0,0 +1,24 @@ +title: Suspicious FromBase64String Gzip Archive - Ps Script +id: df69cb1d-b891-4cd9-90c7-d617d90100ce +related: + - id: d75d6b6b-adb9-48f7-824b-ac2e786efe1f + type: similar +status: experimental +description: Detect use of a Gzip archive in a base64 string +references: + - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=43 +author: frack113 +date: 2022/12/23 +logsource: + product: windows + category: ps_script + definition: Script block logging must be enabled +detection: + selection: + ScriptBlockText|contains|all: + - 'FromBase64String' + - 'H4sI' + condition: selection +falsepositives: + - Legitimate administrative script +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_frombase64string_archive.yml b/rules/windows/process_creation/proc_creation_win_frombase64string_archive.yml new file mode 100644 index 000000000..0830c8dee --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_frombase64string_archive.yml @@ -0,0 +1,23 @@ +title: Suspicious FromBase64String Gzip Archive - Process Creation +id: d75d6b6b-adb9-48f7-824b-ac2e786efe1f +related: + - id: df69cb1d-b891-4cd9-90c7-d617d90100ce + type: similar +status: experimental +description: Detect use of a Gzip archive in a base64 string +references: + - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=43 +author: frack113 +date: 2022/12/23 +logsource: + product: windows + category: process_creation +detection: + selection: + CommandLine|contains|all: + - 'FromBase64String' + - 'H4sI' + condition: selection +falsepositives: + - Legitimate administrative script +level: medium 
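Review bot: Neither new rule carries a `tags:` section, so the detection ships without an ATT&CK mapping although the same series tags every other rule; `attack.defense_evasion` with `attack.t1140` (Deobfuscate/Decode Files or Information) is the closest fit for a base64-plus-gzip decode. It is also worth saying in a comment why `H4sI` is the indicator, e.g. `# 'H4sI' is the base64 encoding of the gzip magic bytes 1f 8b 08, i.e. a gzip blob embedded in a base64 string`, so the next maintainer does not treat it as an opaque token. The description and the added `MemoryStream` term are refined by a later commit in this series.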
From 32b7ef47df2aa44a985d5118c43bf22f675fa394 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Fri, 23 Dec 2022 12:32:05 +0100 Subject: [PATCH 288/303] Add count condition --- rules/cloud/aws/aws_enum_logging.yml | 2 +- rules/cloud/aws/aws_enum_network.yml | 2 +- rules/cloud/aws/aws_enum_storage.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/cloud/aws/aws_enum_logging.yml b/rules/cloud/aws/aws_enum_logging.yml index 63c680008..50fa152c6 100644 --- a/rules/cloud/aws/aws_enum_logging.yml +++ b/rules/cloud/aws/aws_enum_logging.yml @@ -26,7 +26,7 @@ detection: - 'DescribeSnapshotTierStatus' - 'DescribeImages' timeframe: 10m - condition: selection + condition: selection | count() > 5 falsepositives: - Unknown level: medium diff --git a/rules/cloud/aws/aws_enum_network.yml b/rules/cloud/aws/aws_enum_network.yml index 7b5a6ca6c..41297071c 100644 --- a/rules/cloud/aws/aws_enum_network.yml +++ b/rules/cloud/aws/aws_enum_network.yml @@ -23,7 +23,7 @@ detection: - 'DescribeDhcpOptions' - 'GetTransitGatewayRouteTableAssociations' timeframe: 10m - condition: selection + condition: selection | count() > 5 falsepositives: - Unknown level: low diff --git a/rules/cloud/aws/aws_enum_storage.yml b/rules/cloud/aws/aws_enum_storage.yml index c06f63780..6a9ad5b41 100644 --- a/rules/cloud/aws/aws_enum_storage.yml +++ b/rules/cloud/aws/aws_enum_storage.yml @@ -24,7 +24,7 @@ detection: - 'GetBucketPolicy' - 'GetBucketTagging' timeframe: 10m - condition: selection + condition: selection | count() > 5 falsepositives: - Unknown level: medium From 546e53fb35475294300f1b9abe38a560302fedb0 Mon Sep 17 00:00:00 2001 
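Review bot: `count() > 5` with no `by` field aggregates every matching event in the account over the 10-minute window, so six unrelated principals each issuing one `Describe*` call trip the rule while a single identity doing the enumeration is not singled out. Scoping the aggregation to the caller, e.g. `condition: selection | count() by userIdentity.arn > 5` (or `sourceIPAddress` for access-key-only actors), makes the threshold meaningful; confirm the exact field name against the repository's CloudTrail field mapping. The same change applies to all three files in this commit.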
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Fri, 23 Dec 2022 12:34:56 +0100 Subject: [PATCH 289/303] Apply suggestions from code review Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> --- .../powershell_script/posh_ps_frombase64string_archive.yml | 5 +++-- .../proc_creation_win_frombase64string_archive.yml | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/rules/windows/powershell/powershell_script/posh_ps_frombase64string_archive.yml b/rules/windows/powershell/powershell_script/posh_ps_frombase64string_archive.yml index f5d440162..6199b3064 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_frombase64string_archive.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_frombase64string_archive.yml @@ -1,10 +1,10 @@ -title: Suspicious FromBase64String Gzip Archive - Ps Script +title: Suspicious FromBase64String Usage On Gzip Archive - Ps Script id: df69cb1d-b891-4cd9-90c7-d617d90100ce related: - id: d75d6b6b-adb9-48f7-824b-ac2e786efe1f type: similar status: experimental -description: Detect use of a Gzip archive in a base64 string +description: Detects attempts of decoding a base64 Gzip archive in a PowerShell script. This technique is often used as a method to load malicious content into memory afterward. references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=43 author: frack113 @@ -17,6 +17,7 @@ detection: selection: ScriptBlockText|contains|all: - 'FromBase64String' + - 'MemoryStream' - 'H4sI' condition: selection falsepositives: diff --git a/rules/windows/process_creation/proc_creation_win_frombase64string_archive.yml b/rules/windows/process_creation/proc_creation_win_frombase64string_archive.yml index 0830c8dee..24390ceea 100644 --- a/rules/windows/process_creation/proc_creation_win_frombase64string_archive.yml +++ b/rules/windows/process_creation/proc_creation_win_frombase64string_archive.yml 
@@ -1,10 +1,10 @@ -title: Suspicious FromBase64String Gzip Archive - Process Creation +title: Suspicious FromBase64String Usage On Gzip Archive - Process Creation id: d75d6b6b-adb9-48f7-824b-ac2e786efe1f related: - id: df69cb1d-b891-4cd9-90c7-d617d90100ce type: similar status: experimental -description: Detect use of a Gzip archive in a base64 string +description: Detects attempts of decoding a base64 Gzip archive via PowerShell. This technique is often used as a method to load malicious content into memory afterward. references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=43 author: frack113 @@ -16,6 +16,7 @@ detection: selection: CommandLine|contains|all: - 'FromBase64String' + - 'MemoryStream' - 'H4sI' condition: selection falsepositives: From df015e555ccc3fe07d8131b51bc46f964d5dac5e Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Fri, 23 Dec 2022 13:22:50 +0100 Subject: [PATCH 290/303] Add more ref --- .../powershell/powershell_script/posh_ps_x509enrollment.yml | 1 + .../process_creation/proc_creation_win_x509enrollment.yml | 1 + 2 files changed, 2 insertions(+) diff --git a/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml b/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml index 46b705b72..223b3637b 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_x509enrollment.yml @@ -7,6 +7,7 @@ status: experimental description: Detect use of X509Enrollment references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42 + - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41 - https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115 author: frack113 date: 2022/12/23 
diff --git a/rules/windows/process_creation/proc_creation_win_x509enrollment.yml b/rules/windows/process_creation/proc_creation_win_x509enrollment.yml index cff0a1082..d941ae9fe 100644 --- a/rules/windows/process_creation/proc_creation_win_x509enrollment.yml +++ b/rules/windows/process_creation/proc_creation_win_x509enrollment.yml @@ -7,6 +7,7 @@ status: experimental description: Detect use of X509Enrollment references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=42 + - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=41 - https://learn.microsoft.com/en-us/dotnet/api/microsoft.hpc.scheduler.store.cx509enrollmentwebclassfactoryclass?view=hpc-sdk-5.1.6115 author: frack113 date: 2022/12/23 From 0aa6f26a6fcf240dd65704f74a5b151c7814220e Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 23 Dec 2022 18:37:59 +0100 Subject: [PATCH 291/303] feat: updates and enhancements --- .../posh_ps_access_to_browser_login_data.yml | 2 + ..._creation_win_browser_remote_debugging.yml | 6 ++- ...eation_win_chromium_headless_debugging.yml | 28 +++++++++++ .../proc_creation_win_copy_browser_data.yml | 48 +++++++++++++++++++ ...reation_win_susp_copy_lateral_movement.yml | 7 ++- 5 files changed, 87 insertions(+), 4 deletions(-) create mode 100644 rules/windows/process_creation/proc_creation_win_chromium_headless_debugging.yml create mode 100644 rules/windows/process_creation/proc_creation_win_copy_browser_data.yml diff --git a/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml b/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml index ccdb8e75d..a745ebdc1 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml 
@@ -3,6 +3,8 @@ id: fc028194-969d-4122-8abe-0470d5b8f12f related: - id: 98f4c75c-3089-44f3-b733-b327b9cd9c9d type: obsoletes + - id: 47147b5b-9e17-4d76-b8d2-7bac24c5ce1b + type: similar status: experimental description: | Adversaries may acquire credentials from web browsers by reading files specific to the target browser. diff --git a/rules/windows/process_creation/proc_creation_win_browser_remote_debugging.yml b/rules/windows/process_creation/proc_creation_win_browser_remote_debugging.yml index b9641f1d0..67cb203bb 100644 --- a/rules/windows/process_creation/proc_creation_win_browser_remote_debugging.yml +++ b/rules/windows/process_creation/proc_creation_win_browser_remote_debugging.yml @@ -5,9 +5,11 @@ description: Detects browsers starting with the remote debugging flags. Which is references: - https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf - https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/ + - https://github.com/defaultnamehere/cookie_crimes/ + - https://github.com/wunderwuzzi23/firefox-cookiemonster author: pH-T, Nasreddine Bencherchali (update) date: 2022/07/27 -modified: 2022/10/12 +modified: 2022/12/23 tags: - attack.credential_access - attack.t1185 @@ -20,7 +22,7 @@ detection: CommandLine|contains: ' --remote-debugging-' selection_firefox: Image|endswith: '\firefox.exe' - CommandLine|contains: ' -start-debugger-server ' + CommandLine|contains: ' -start-debugger-server' condition: 1 of selection_* falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_chromium_headless_debugging.yml b/rules/windows/process_creation/proc_creation_win_chromium_headless_debugging.yml new file mode 100644 index 000000000..2e9cc1673 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_chromium_headless_debugging.yml 
@@ -0,0 +1,28 @@ +title: Potential Data Stealing Via Chromium Headless Debugging +id: 3e8207c5-fcd2-4ea6-9418-15d45b4890e4 +status: experimental +description: Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control +references: + - https://github.com/defaultnamehere/cookie_crimes/ + - https://mango.pdf.zone/stealing-chrome-cookies-without-a-password + - https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/ + - https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/ +author: Nasreddine Bencherchali +date: 2022/12/23 +tags: + - attack.credential_access + - attack.t1185 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains|all: + # Covers: --remote-debugging-address, --remote-debugging-port, --remote-debugging-socket-name, --remote-debugging-pipe....etc + - '--remote-debugging-' + - '--user-data-dir' + - '--headless' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/proc_creation_win_copy_browser_data.yml b/rules/windows/process_creation/proc_creation_win_copy_browser_data.yml new file mode 100644 index 000000000..2d5cc5949 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_copy_browser_data.yml 
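Review bot: `--headless` together with `--remote-debugging-` and `--user-data-dir` is typically the exact flag set used by browser automation frameworks (Puppeteer, Playwright, Selenium/ChromeDriver) and CI screenshot or test jobs, so `falsepositives: Unknown` at `level: high` is likely to be noisy on developer and build hosts. List those as known false positives and suggest scoping by parent process or by a `--user-data-dir` under a temp/automation profile, e.g. `falsepositives:` `- Browser automation frameworks (Puppeteer, Playwright, Selenium) and CI screenshot/test jobs`. The inline comment enumerating the `--remote-debugging-*` variants is useful and should stay.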
@@ -0,0 +1,48 @@ +title: Access to Browser Login Data +id: 47147b5b-9e17-4d76-b8d2-7bac24c5ce1b +related: + - id: fc028194-969d-4122-8abe-0470d5b8f12f + type: derived +status: experimental +description: | + Adversaries may acquire credentials from web browsers by reading files specific to the target browser. + Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. + Web browsers typically store the credentials in an encrypted format within a credential store. +references: + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md +author: Nasreddine Bencherchali +date: 2022/12/23 +tags: + - attack.credential_access + - attack.t1555.003 +logsource: + product: windows + category: ps_script + definition: Script block logging must be enabled +detection: + selection_cmd: + - CommandLine|contains: + - 'copy-item' + - 'copy' + - 'cpi ' + - ' cp ' + - 'move' + - 'move-item' + - ' mi ' + - ' mv ' + - Image|endswith: + - '\xcopy.exe' + - '\robocopy.exe' + - OriginalFileName: + - 'XCOPY.EXE' + - 'robocopy.exe' + selection_path: + CommandLine|contains: + - '\Opera Software\Opera Stable\' + - '\Mozilla\Firefox\Profiles' + - '\Microsoft\Edge\User Data\' + - '\Google\Chrome\User Data\' + condition: all of selection_* +falsepositives: + - Unknown +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml b/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml index 52255b0e0..6c971e5f2 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml 
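Review bot: The logsource is wrong for the fields this rule matches: `category: ps_script` (with the script-block-logging `definition`) selects PowerShell script-block events, but `selection_cmd` and `selection_path` use `CommandLine`, `Image` and `OriginalFileName`, which are process-creation fields, and the file lives under `rules/windows/process_creation/` with a `proc_creation_win_` name. It should read `logsource:` `product: windows` `category: process_creation` with the `definition` line removed, which also keeps it consistent with the filename check added to `tests/test_rules.py` earlier in this series. The `related` entry suggests this was cloned from the `ps_script` rule and the logsource block was left unchanged.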
@@ -9,7 +9,7 @@ references: - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/ author: 'Florian Roth, oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali' date: 2019/12/30 -modified: 2022/11/09 +modified: 2022/12/23 tags: - attack.lateral_movement - attack.collection @@ -22,9 +22,12 @@ logsource: product: windows detection: selection_other_tools: - Image|endswith: + - Image|endswith: - '\robocopy.exe' - '\xcopy.exe' + - OriginalFileName: + - 'robocopy.exe' + - 'XCOPY.EXE' selection_cmd_img: - Image|endswith: '\cmd.exe' - OriginalFileName: 'Cmd.Exe' From 28664d5bb3ac7b18c4d9a860677182e3cc809bc0 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 23 Dec 2022 19:16:17 +0100 Subject: [PATCH 292/303] feat: new aadinternals related rules --- ...posh_ps_aadinternals_cmdlets_execution.yml | 51 +++++++++++++++++ .../posh_ps_access_to_browser_login_data.yml | 2 +- ...ion_win_aadinternals_cmdlets_execution.yml | 57 +++++++++++++++++++ 3 files changed, 109 insertions(+), 1 deletion(-) create mode 100644 rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml create mode 100644 rules/windows/process_creation/proc_creation_win_aadinternals_cmdlets_execution.yml diff --git a/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml b/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml new file mode 100644 index 000000000..7385a6f3b --- /dev/null +++ b/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml 
@@ -0,0 +1,51 @@ +title: AADInternals PowerShell Cmdlets Execution - PsScript +id: 91e69562-2426-42ce-a647-711b8152ced6 +related: + - id: c86500e9-a645-4680-98d7-f882c70c1ea3 + type: similar +status: experimental +description: Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365. +references: + - https://o365blog.com/aadinternals/ + - https://github.com/Gerenios/AADInternals +author: Austin Songer (@austinsonger), Nasreddine Bencherchali (update) +date: 2022/12/23 +tags: + - attack.execution + - attack.reconnaissance + - attack.discovery + - attack.credential_access + - attack.impact +logsource: + product: windows + category: ps_script + definition: Script Block Logging must be enable +detection: + selection: + ScriptBlockText|contains: + # Since most of the cmdlets use a unique enough string which is "-AADInt" we only used that portion. For a complet list please check the references linked above + - 'Add-AADInt' + - 'ConvertTo-AADInt' + - 'Disable-AADInt' + - 'Enable-AADInt' + - 'Export-AADInt' + - 'Get-AADInt' + - 'Grant-AADInt' + - 'Install-AADInt' + - 'Invoke-AADInt' + - 'Join-AADInt' + - 'New-AADInt' + - 'Open-AADInt' + - 'Read-AADInt' + - 'Register-AADInt' + - 'Remove-AADInt' + - 'Restore-AADInt' + - 'Search-AADInt' + - 'Send-AADInt' + - 'Set-AADInt' + - 'Start-AADInt' + - 'Update-AADInt' + condition: selection +falsepositives: + - Legitimate use of the library of pentesting or smiliar activity +level: high diff --git a/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml b/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml index ccdb8e75d..946acf17f 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml 
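Review bot: The description reads `ADDInternals` and the logsource definition `Script Block Logging must be enable`; both are typos (`AADInternals`, `must be enabled`) and the description is the text an analyst sees in the alert. The `tags` list only tactics (`attack.execution`, `attack.reconnaissance`, `attack.discovery`, `attack.credential_access`, `attack.impact`) with no technique IDs, unlike the other rules in this series; if the technique mapping is undecided, a `# TODO: map to techniques` comment is more honest than bare tactics. It may also be worth a selection on the module load itself (`Import-Module AADInternals` / `AADInternals.psd1`), since script-block logging captures it before any cmdlet runs — hedged, as that depends on how the module is typically loaded in your environment.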
@@ -11,10 +11,10 @@ description: | references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md author: frack113 -date: 2022/01/30 tags: - attack.credential_access - attack.t1555.003 +date: 2022/01/30 logsource: product: windows category: ps_script diff --git a/rules/windows/process_creation/proc_creation_win_aadinternals_cmdlets_execution.yml b/rules/windows/process_creation/proc_creation_win_aadinternals_cmdlets_execution.yml new file mode 100644 index 000000000..6e57b0b72 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_aadinternals_cmdlets_execution.yml 
@@ -0,0 +1,57 @@ +title: AADInternals PowerShell Cmdlets Execution - ProccessCreation +id: c86500e9-a645-4680-98d7-f882c70c1ea3 +related: + - id: 91e69562-2426-42ce-a647-711b8152ced6 + type: similar +status: experimental +description: Detects ADDInternals Cmdlet execution. A tool for administering Azure AD and Office 365. Which can be abused by threat actors to attack Azure AD or Office 365. +references: + - https://o365blog.com/aadinternals/ + - https://github.com/Gerenios/AADInternals +author: Austin Songer (@austinsonger), Nasreddine Bencherchali (update) +date: 2022/12/23 +tags: + - attack.execution + - attack.reconnaissance + - attack.discovery + - attack.credential_access + - attack.impact +logsource: + product: windows + category: process_creation +detection: + selection_img: + - Image|endswith: + - '\powershell.exe' + - '\pwsh.exe' + - OriginalFileName: + - 'PowerShell.Exe' + - 'pwsh.dll' + selection_cli: + CommandLine|contains: + # Since most of the cmdlets use a unique enough string which is "-AADInt" we only used that portion. For a complet list please check the references linked above + - 'Add-AADInt' + - 'ConvertTo-AADInt' + - 'Disable-AADInt' + - 'Enable-AADInt' + - 'Export-AADInt' + - 'Get-AADInt' + - 'Grant-AADInt' + - 'Install-AADInt' + - 'Invoke-AADInt' + - 'Join-AADInt' + - 'New-AADInt' + - 'Open-AADInt' + - 'Read-AADInt' + - 'Register-AADInt' + - 'Remove-AADInt' + - 'Restore-AADInt' + - 'Search-AADInt' + - 'Send-AADInt' + - 'Set-AADInt' + - 'Start-AADInt' + - 'Update-AADInt' + condition: all of selection_* +falsepositives: + - Legitimate use of the library of pentesting or smiliar activity +level: high From 92e4081de387223837bbc261d690b8c06c659edd Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 23 Dec 2022 19:20:43 +0100 Subject: [PATCH 293/303] fix: duplicate title --- .../process_creation/proc_creation_win_copy_browser_data.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
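Review bot: The title `AADInternals PowerShell Cmdlets Execution - ProccessCreation` misspells ProcessCreation, and the description carries the same `ADDInternals` typo as the PsScript sibling; titles become alert names, so `- ProcessCreation` should be fixed before merge. Matching on `CommandLine` only sees cmdlets passed inline (`-Command`/`-c`); a script launched via `-File` never shows the cmdlet names on the command line, so the description should state that this rule complements the script-block rule `91e69562-2426-42ce-a647-711b8152ced6` rather than covering AADInternals use on its own. `OriginalFileName: 'pwsh.dll'` for pwsh.exe follows the convention seen elsewhere in this repository; confirm it matches your telemetry.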
diff --git a/rules/windows/process_creation/proc_creation_win_copy_browser_data.yml b/rules/windows/process_creation/proc_creation_win_copy_browser_data.yml index 2d5cc5949..ee7a1a436 100644 --- a/rules/windows/process_creation/proc_creation_win_copy_browser_data.yml +++ b/rules/windows/process_creation/proc_creation_win_copy_browser_data.yml @@ -1,4 +1,4 @@ -title: Access to Browser Login Data +title: Potential Browser Data Stealing id: 47147b5b-9e17-4d76-b8d2-7bac24c5ce1b related: - id: fc028194-969d-4122-8abe-0470d5b8f12f From 1f38e15bb42a405ff742cd52cd305bf10578a98a Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 23 Dec 2022 19:24:08 +0100 Subject: [PATCH 294/303] fix: fp section --- .../posh_ps_aadinternals_cmdlets_execution.yml | 2 +- .../proc_creation_win_aadinternals_cmdlets_execution.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml b/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml index 7385a6f3b..c922fce07 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_aadinternals_cmdlets_execution.yml @@ -47,5 +47,5 @@ detection: - 'Update-AADInt' condition: selection falsepositives: - - Legitimate use of the library of pentesting or smiliar activity + - Legitimate use of the library for administrative activity level: high diff --git a/rules/windows/process_creation/proc_creation_win_aadinternals_cmdlets_execution.yml b/rules/windows/process_creation/proc_creation_win_aadinternals_cmdlets_execution.yml index 6e57b0b72..69cd97c42 100644 --- a/rules/windows/process_creation/proc_creation_win_aadinternals_cmdlets_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_aadinternals_cmdlets_execution.yml 
@@ -53,5 +53,5 @@ detection: - 'Update-AADInt' condition: all of selection_* falsepositives: - - Legitimate use of the library of pentesting or smiliar activity + - Legitimate use of the library for administrative activity level: high From 5a8808e0acf493b8dd9f01010126245189d8675a Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 23 Dec 2022 19:27:34 +0100 Subject: [PATCH 295/303] fix: wrong category --- .../process_creation/proc_creation_win_copy_browser_data.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_copy_browser_data.yml b/rules/windows/process_creation/proc_creation_win_copy_browser_data.yml index ee7a1a436..61e631384 100644 --- a/rules/windows/process_creation/proc_creation_win_copy_browser_data.yml +++ b/rules/windows/process_creation/proc_creation_win_copy_browser_data.yml @@ -16,9 +16,8 @@ tags: - attack.credential_access - attack.t1555.003 logsource: + category: process_creation product: windows - category: ps_script - definition: Script block logging must be enabled detection: selection_cmd: - CommandLine|contains: From b19abdaeda7669c379bca72fa7ca8eada4677c5b Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 23 Dec 2022 20:02:54 +0100 Subject: [PATCH 296/303] fix: date position --- .../powershell_script/posh_ps_access_to_browser_login_data.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml b/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml index 946acf17f..ccdb8e75d 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml 
@@ -11,10 +11,10 @@ description: | references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md author: frack113 +date: 2022/01/30 tags: - attack.credential_access - attack.t1555.003 -date: 2022/01/30 logsource: product: windows category: ps_script From 5fdad241ea0b2c741b86fa4838b5ee9f15e560f1 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Fri, 23 Dec 2022 20:11:55 +0100 Subject: [PATCH 297/303] Update proc_creation_win_lolbin_agentexecutor.yml --- .../proc_creation_win_lolbin_agentexecutor.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml b/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml index 8851dfc95..0cf6c58aa 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml @@ -15,15 +15,14 @@ logsource: category: process_creation product: windows detection: - selection1: + selection: Image: 'AgentExecutor.exe' - selection2: CommandLine|contains: '-powershell' filter: CommandLine|contains: - ' C:\Windows\SysWOW64\WindowsPowerShell\' - ' C:\Windows\System32\WindowsPowerShell\' - condition: selection1 and selection2 and not filter + condition: selection and not filter falsepositives: - Unknown level: medium From 21f5bf85363cdfb6172a7781d65a40b27f929174 Mon Sep 17 00:00:00 2001 
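Review bot: `Image: 'AgentExecutor.exe'` in the merged `selection` is an exact match on the `Image` field, which in process-creation telemetry holds the full path, so the rule cannot fire on any real event; it should be `Image|endswith: '\AgentExecutor.exe'`. The merge of `selection1`/`selection2` into one map is otherwise correct and the condition change follows. The `filter` strings `' C:\Windows\SysWOW64\WindowsPowerShell\'` and `' C:\Windows\System32\WindowsPowerShell\'` stop before `v1.0\`, so any sub-path under those directories is also excluded — probably intended, but worth a one-line comment.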
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 23 Dec 2022 20:42:51 +0100 Subject: [PATCH 298/303] feat: new rules related to rat software based on #2841 --- ...service_install_remote_access_software.yml | 48 ++++++++++++++++++ ...service_install_remote_access_software.yml | 50 +++++++++++++++++++ ...ery_win_remote_access_software_domains.yml | 46 +++++++++++++++-- 3 files changed, 140 insertions(+), 4 deletions(-) create mode 100644 rules/windows/builtin/security/win_security_service_install_remote_access_software.yml create mode 100644 rules/windows/builtin/system/win_system_service_install_remote_access_software.yml diff --git a/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml b/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml new file mode 100644 index 000000000..fcc788eef --- /dev/null +++ b/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml 
@@ -0,0 +1,48 @@ +title: Remote Access Tool Services Have Been Installed - Security +id: c8b00925-926c-47e3-beea-298fd563728e +related: + - id: 1a31b18a-f00c-4061-9900-f735b96c99fc + type: similar +status: experimental +description: Detects service installation of different remote access tools software. These software are often abused by threat actors to perform +references: + - https://redcanary.com/blog/misbehaving-rats/ +author: Connor Martin, Nasreddine Bencherchali +date: 2022/12/23 +tags: + - attack.persistence + - attack.t1543.003 + - attack.t1569.002 +logsource: + product: windows + service: security + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 +detection: + selection: + EventID: 4697 + ServiceFileName|contains: + # Based on https://github.com/SigmaHQ/sigma/pull/2841 + - 'SSUService' + - 'SplashtopRemoteService' # https://www.splashtop.com/ + - 'Atera' + - 'LogMeIn' # https://www.logmein.com/ + - 'LMIGuardianSvc' # https://www.logmein.com/ + - 'TeamViewer' + - 'RPCService' # https://www.remotepc.com/ + - 'RPCPerformanceService' # https://www.remotepc.com/ + - 'BASupportExpressStandaloneService' # https://www.systemlookup.com/O23/6839-BASupSrvc_exe.html + - 'BASupportExpressSrvcUpdater' # https://www.systemlookup.com/O23/6837-BASupSrvcUpdater_exe.html + - 'GoToMyPC' # https://get.gotomypc.com/ + - 'monblanking' + - 'RManService' # https://www.systemlookup.com/O23/7855-rutserv_exe.html + - 'GoToAssist' # https://www.goto.com/it-management/resolve + - 'AmmyyAdmin' # https://www.ammyy.com/en/ + - 'vncserver' + - 'Parsec' + - 'chromoting' + - 'Zoho' + - 'jumpcloud' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/builtin/system/win_system_service_install_remote_access_software.yml b/rules/windows/builtin/system/win_system_service_install_remote_access_software.yml new file mode 100644 index 000000000..43673856d --- /dev/null 
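Review bot: The `description` ends mid-sentence (`These software are often abused by threat actors to perform`), so the alert text is incomplete; finish it in line with the `attack.persistence` tag, e.g. `… abused by threat actors to establish persistent remote access to compromised hosts`. Several `ServiceFileName|contains` entries are short generic substrings (`'Atera'`, `'Zoho'`, `'Parsec'`, `'RPCService'`) that also match unrelated service binaries whose path happens to contain them; a comment per entry citing the observed service file name, as already done for Splashtop and LogMeIn, would make tuning much easier. With `falsepositives: Unknown` and `level: high`, every sanctioned RMM deployment will alert; `- Legitimate installation of remote administration tools by IT staff` is the honest entry.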
+++ b/rules/windows/builtin/system/win_system_service_install_remote_access_software.yml @@ -0,0 +1,50 @@ +title: Remote Access Tool Services Have Been Installed - System +id: 1a31b18a-f00c-4061-9900-f735b96c99fc +related: + - id: c8b00925-926c-47e3-beea-298fd563728e + type: similar +status: experimental +description: Detects service installation of different remote access tools software. These software are often abused by threat actors to perform +references: + - https://redcanary.com/blog/misbehaving-rats/ +author: Connor Martin, Nasreddine Bencherchali +date: 2022/12/23 +tags: + - attack.persistence + - attack.t1543.003 + - attack.t1569.002 +logsource: + product: windows + service: system +detection: + selection: + Provider_Name: 'Service Control Manager' + EventID: + - 7045 + - 7036 + ServiceName|contains: + # Based on https://github.com/SigmaHQ/sigma/pull/2841 + - 'SSUService' + - 'SplashtopRemoteService' # https://www.splashtop.com/ + - 'Atera' + - 'LogMeIn' # https://www.logmein.com/ + - 'LMIGuardianSvc' # https://www.logmein.com/ + - 'TeamViewer' + - 'RPCService' # https://www.remotepc.com/ + - 'RPCPerformanceService' # https://www.remotepc.com/ + - 'BASupportExpressStandaloneService' # https://www.systemlookup.com/O23/6839-BASupSrvc_exe.html + - 'BASupportExpressSrvcUpdater' # https://www.systemlookup.com/O23/6837-BASupSrvcUpdater_exe.html + - 'GoToMyPC' # https://get.gotomypc.com/ + - 'monblanking' + - 'RManService' # https://www.systemlookup.com/O23/7855-rutserv_exe.html + - 'GoToAssist' # https://www.goto.com/it-management/resolve + - 'AmmyyAdmin' # https://www.ammyy.com/en/ + - 'vncserver' + - 'Parsec' + - 'chromoting' + - 'Zoho' + - 'jumpcloud' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/dns_query/dns_query_win_remote_access_software_domains.yml b/rules/windows/dns_query/dns_query_win_remote_access_software_domains.yml index 33a709c18..405c67f68 100644 
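Review bot: `EventID` lists `7036` next to `7045`, but 7036 is written on every service start/stop, so a rule titled `… Have Been Installed` would fire each time an already-installed TeamViewer or Splashtop service restarts rather than on installation; either drop 7036 or retitle the rule around execution (`attack.t1569.002`). If your pipeline exposes the 7036 service name as `param1` rather than `ServiceName` (7036 does not carry a `ServiceName` field in the raw event, as far as I recall — confirm), the 7036 branch is also dead as written. The `description` is truncated at `to perform` exactly as in the Security sibling and needs completing.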
--- a/rules/windows/dns_query/dns_query_win_remote_access_software_domains.yml +++ b/rules/windows/dns_query/dns_query_win_remote_access_software_domains.yml @@ -1,4 +1,4 @@ -title: Query To Remote Access Software Domain +title: DNS Query To Remote Access Software Domain id: 4d07b1f4-cb00-4470-b9f8-b0191d48ff52 related: - id: 71ba22cb-8a01-42e2-a6dd-5bf9b547498f @@ -17,9 +17,9 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution - https://redcanary.com/blog/misbehaving-rats/ -author: frack113 +author: frack113, Connor Martin date: 2022/07/11 -modified: 2022/10/31 +modified: 2022/12/23 tags: - attack.command_and_control - attack.t1219 
@@ -34,6 +34,44 @@ detection: - '.ammyy.com' - '.netsupportsoftware.com' # For NetSupport Manager RAT - 'remoteutilities.com' # Usage of Remote Utilities RAT + - '.net.anydesk.com' + - 'api.playanext.com' + - '.relay.splashtop.com' + - '.api.splashtop.com' + - 'app.atera.com' + - '.agentreporting.atera.com' + - '.pubsub.atera.com' + - 'logmeincdn.http.internapcdn.net' + - 'logmein-gateway.com' + - 'client.teamviewer.com' + - 'integratedchat.teamviewer.com' + - 'static.remotepc.com' + - '.n-able.com' + - 'comserver.corporate.beanywhere.com' + - '.swi-rc.com' + - '.swi-tc.com' + - 'telemetry.servers.qetqo.com' + - 'relay.screenconnect.com' + - 'control.connectwise.com' + - 'express.gotoassist.com' + - 'authentication.logmeininc.com' + - '.services.vnc.com' + - '.tmate.io' + - 'api.parsec.app' + - 'parsecusercontent.com' + - 'remotedesktop-pa.googleapis.com' + - '.logmein-gateway.com' + - 'secure.logmeinrescue.com' + - 'join.zoho.com' + - 'assist.zoho.com' + - '.zohoassist.com' + - 'downloads.zohocdn.com' + - 'agent.jumpcloud.com' + - 'kickstart.jumpcloud.com' + - 'cdn.kaseya.net' + - 'relay.kaseya.net' + - 'license.bomgar.com' + - '.beyondtrustcloud.com' filter: # Exclude browsers for legitimate visits of the domains mentioned above # Add missing browsers you use and exclude the ones you don't @@ -50,5 +88,5 @@ detection: - '\CCleaner Browser\Application\CCleanerBrowser.exe' condition: selection and not filter falsepositives: - - FP may be caused in legitimate usage of the softwares mentioned above + - Legitimate usage of the softwares mentioned above level: medium From e6baac1bf22c82b1ad74ce830c51b9cb2bf66ec3 Mon Sep 17 00:00:00 2001 
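Review bot: `'.logmein-gateway.com'` is redundant with `'logmein-gateway.com'` listed a few entries earlier — a `contains` on the shorter string already matches the dotted form — and `'.n-able.com'`, `'.swi-rc.com'`/`'.swi-tc.com'` appear to be vendor-wide domains rather than remote-control endpoints, so they will fire on any agent or update traffic from those products, not only on remote sessions. A one-line comment naming the product per entry, as done for `'.netsupportsoftware.com'` and `'remoteutilities.com'`, would let analysts triage without looking each domain up, and grouping the list per product would keep future additions reviewable. The `filter` block's body lies outside the hunk.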
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 23 Dec 2022 20:50:38 +0100 Subject: [PATCH 299/303] fix: exclude teamviewer fp & reduce severity --- .github/workflows/known-FPs.csv | 2 ++ .../win_security_service_install_remote_access_software.yml | 2 +- .../win_system_service_install_remote_access_software.yml | 2 +- 3 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv index bbb1f00d1..bafb98285 100644 --- a/.github/workflows/known-FPs.csv +++ b/.github/workflows/known-FPs.csv @@ -44,3 +44,5 @@ fdbf0b9d-0182-4c43-893b-a1eaab92d085;Newly Registered Protocol Handler;.* 52a85084-6989-40c3-8f32-091e12e17692;Suspicious Usage of CVE_2021_34484 or CVE 2022_21919;Computer: Agamemnon 573df571-a223-43bc-846e-3f98da481eca;Copy a File Downloaded From Internet;7z\.exe 37774c23-25a1-4adb-bb6d-8bb9fd59c0f8;Image Load of VSS Dll by Uncommon Executable;SetupFrontEnd\.exe +1a31b18a-f00c-4061-9900-f735b96c99fc;Remote Access Tool Services Have Been Installed - System;ServiceName: TeamViewer +c8b00925-926c-47e3-beea-298fd563728e;Remote Access Tool Services Have Been Installed - Security;ServiceName: TeamViewer diff --git a/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml b/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml index fcc788eef..c0601b803 100644 --- a/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml +++ b/rules/windows/builtin/security/win_security_service_install_remote_access_software.yml @@ -45,4 +45,4 @@ detection: condition: selection falsepositives: - Unknown -level: high +level: medium diff --git a/rules/windows/builtin/system/win_system_service_install_remote_access_software.yml b/rules/windows/builtin/system/win_system_service_install_remote_access_software.yml index 43673856d..e6bee6ff7 100644 
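Review bot: The severity drops to `medium` and the known-FPs list registers `ServiceName: TeamViewer`, yet the rule's `falsepositives` still says `Unknown`; record the reason for the downgrade in the rule itself, e.g. `- Legitimate installation of TeamViewer or other remote administration tools`. Note also that this Security rule matches on `ServiceFileName`, whereas the CSV entry for it is keyed `ServiceName: TeamViewer`; if the FP checker compares field names, that entry will never apply to this rule — worth confirming how `known-FPs.csv` is consumed.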
--- a/rules/windows/builtin/system/win_system_service_install_remote_access_software.yml +++ b/rules/windows/builtin/system/win_system_service_install_remote_access_software.yml @@ -47,4 +47,4 @@ detection: condition: selection falsepositives: - Unknown -level: high +level: medium From 316aa03efdedb1e103f489f8358f7febc4fd2e3f Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Fri, 23 Dec 2022 20:59:40 +0100 Subject: [PATCH 300/303] Update hawk.yml --- tools/config/hawk.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/config/hawk.yml b/tools/config/hawk.yml index a843a4fda..27ebcc03c 100644 --- a/tools/config/hawk.yml +++ b/tools/config/hawk.yml @@ -171,7 +171,7 @@ logsources: category: file_change conditions: product_name: "Sysmon" - vendor_id: "11" + vendor_id: "2" windows-pipe-created: product: windows category: pipe_created From e7d6bf7cab11c2de9233a4364c38d9b62ddff431 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Sat, 24 Dec 2022 14:10:21 +0100 Subject: [PATCH 301/303] fix: enhance logic of `AgentExecutor` rules --- ...proc_creation_win_lolbin_agentexecutor.yml | 38 ++++++++++------ ...on_win_lolbin_agentexecutor_susp_usage.yml | 44 +++++++++++++++++++ 2 files changed, 69 insertions(+), 13 deletions(-) create mode 100644 rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor_susp_usage.yml diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml b/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml index 0cf6c58aa..e75be25e3 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor.yml 
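Review bot: Same as the Security sibling: `level` becomes `medium` because of a known TeamViewer false positive, but `falsepositives` still reads `Unknown`; add `- Legitimate installation of TeamViewer or other remote administration tools` so the rationale travels with the rule rather than only living in the CI exclusion list.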
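Review bot: The `vendor_id` change for `file_change` from `"11"` to `"2"` deserves an inline comment, since these numbers are opaque in the config: `vendor_id: "2"  # Sysmon EID 2 (file creation time changed); EID 11 is file_event`. This assumes hawk's `vendor_id` is the Sysmon event ID for the `product_name: "Sysmon"` entries — the surrounding mapping suggests so, but confirm against the `windows-pipe-created` entry that follows.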
@@ -1,28 +1,40 @@ -title: Suspicious AgentExecutor PowerShell Execution +title: AgentExecutor PowerShell Execution id: 7efd2c8d-8b18-45b7-947d-adfe9ed04f61 +related: + - id: c0b40568-b1e9-4b03-8d6c-b096da6da9ab + type: similar status: experimental -description: Detects AgentExecutor.exe execution of binary named powershell when the default ps path is absent from the command line. AgentExecutor will execute any binary named powershell.exe located in the $PSFolder path argument. AgentExecutor is included as part of Intune Managed Devices for Windows 10. +description: Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th postiional argument +author: Nasreddine Bencherchali, memory-shards references: - https://twitter.com/lefterispan/status/1286259016436514816 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/ - https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension + - https://twitter.com/jseerden/status/1247985304667066373/photo/1 +date: 2022/12/24 tags: - attack.defense_evasion - attack.t1218 -date: 2022/07/31 -author: memory-shards -logsource: +logsource: category: process_creation product: windows detection: - selection: - Image: 'AgentExecutor.exe' - CommandLine|contains: '-powershell' - filter: + selection_img: + - Image: '\AgentExecutor.exe' + - OriginalFileName: 'AgentExecutor.exe' + selection_cli: + # Example: + # AgentExecutor.exe -powershell [scriptPath] [outputFilePath] [errorFilePath] [timeoutFilePath] [timeoutSeconds] [powershellPath] [enforceSignatureCheck] [runAs32BitOn64] + # Note: + # - If [timeoutSeconds] is NULL then it defaults to 60000 + # - If [enforceSignatureCheck] is: + # - "NULL" or "1" then a PowerShell instance is spawned with the args: "-NoProfile -executionPolicy allsigned -file " + # - Else a PowerShell instance is spawned with 
the args: "-NoProfile -executionPolicy bypass -file " + # - [powershellPath] is always concatendated to "powershell.exe" CommandLine|contains: - - ' C:\Windows\SysWOW64\WindowsPowerShell\' - - ' C:\Windows\System32\WindowsPowerShell\' - condition: selection and not filter + - ' -powershell' # Also covers the "-powershellDetection" flag + - ' -remediationScript' + condition: all of selection_* falsepositives: - - Unknown + - Legitimate use via Intune management. You exclude script paths and names to reduce FP rate level: medium diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor_susp_usage.yml b/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor_susp_usage.yml new file mode 100644 index 000000000..84099d274 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor_susp_usage.yml 
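Review bot: `selection_img` uses `Image: '\AgentExecutor.exe'`, an exact comparison against the full image path, so that branch can never match and only the `OriginalFileName` alternative does any work; the sibling rule added in the same commit uses `Image|endswith: '\AgentExecutor.exe'`, which is what this one needs too. The rewritten `logsource: ` line carries a trailing space (yamllint `trailing-spaces`). Minor wording: `postiional` → `positional`, `concatendated` → `concatenated`, and the FP entry `You exclude script paths and names` → `Exclude known script paths and names`.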
@@ -0,0 +1,44 @@ +title: Suspicious AgentExecutor PowerShell Execution +id: c0b40568-b1e9-4b03-8d6c-b096da6da9ab +related: + - id: 7efd2c8d-8b18-45b7-947d-adfe9ed04f61 + type: similar +status: experimental +description: Detects execution of the AgentExecutor.exe binary. Which can be abused as a LOLBIN to execute powershell scripts with the ExecutionPolicy "Bypass" or any binary named "powershell.exe" located in the path provided by 6th postiional argument +author: Nasreddine Bencherchali, memory-shards +references: + - https://twitter.com/lefterispan/status/1286259016436514816 + - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Agentexecutor/ + - https://docs.microsoft.com/en-us/mem/intune/apps/intune-management-extension + - https://twitter.com/jseerden/status/1247985304667066373/photo/1 +date: 2022/12/24 +tags: + - attack.defense_evasion + - attack.t1218 +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Image|endswith: '\AgentExecutor.exe' + - OriginalFileName: 'AgentExecutor.exe' + selection_cli: + # Example: + # AgentExecutor.exe -powershell [scriptPath] [outputFilePath] [errorFilePath] [timeoutFilePath] [timeoutSeconds] [powershellPath] [enforceSignatureCheck] [runAs32BitOn64] + # Note: + # - If [timeoutSeconds] is NULL then it defaults to 60000 + # - If [enforceSignatureCheck] is: + # - "NULL" or "1" then a PowerShell instance is spawned with the args: "-NoProfile -executionPolicy allsigned -file " + # - Else a PowerShell instance is spawned with the args: "-NoProfile -executionPolicy bypass -file " + # - [powershellPath] is always concatendated to "powershell.exe" + CommandLine|contains: + - ' -powershell' # Also covers the "-powershellDetection" flag + - ' -remediationScript' + filter: + CommandLine|contains: + - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\' + - 'C:\Windows\System32\WindowsPowerShell\v1.0\' + condition: selection and not filter +falsepositives: + - Unknown +level: high 
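Review bot: The `filter` is a `contains` over the whole command line, so an invocation whose `[scriptPath]` or output paths merely contain `C:\Windows\System32\WindowsPowerShell\v1.0\` is excluded even when `[powershellPath]` points somewhere else; a custom PowerShell directory can thus ride along with a legitimate-looking argument and slip past the filter — hedged, since it depends on whether the legitimate paths ever appear in those other positions. The description promises detection of `ExecutionPolicy "Bypass"` execution, but nothing in `selection_cli` inspects `[enforceSignatureCheck]`, so only the custom-`[powershellPath]` abuse is actually covered; the description should say so. `falsepositives: Unknown` with `level: high` on a component Intune runs routinely should at least list `- Legitimate Intune deployments that pass a non-default PowerShell path`.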
From 794d93c29806ae9bc062695cbe49b8bb6c318a68 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Sat, 24 Dec 2022 14:11:32 +0100 Subject: [PATCH 302/303] fix: broken selection --- .../proc_creation_win_lolbin_agentexecutor_susp_usage.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor_susp_usage.yml b/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor_susp_usage.yml index 84099d274..ecf092fb9 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor_susp_usage.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_agentexecutor_susp_usage.yml @@ -38,7 +38,7 @@ detection: CommandLine|contains: - 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\' - 'C:\Windows\System32\WindowsPowerShell\v1.0\' - condition: selection and not filter + condition: all of selection_* and not filter falsepositives: - Unknown level: high From 2d759cad94a726b23cff0ced75b32ab6287d42c8 Mon Sep 17 00:00:00 2001 From: tuan Date: Tue, 27 Dec 2022 17:21:14 +0700 Subject: [PATCH 303/303] Add rule delete group or user (#3822) Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com> Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> --- .../proc_creation_lnx_groupdel.yml | 24 +++++++++++++++++++ .../proc_creation_lnx_userdel.yml | 24 +++++++++++++++++++ 2 files changed, 48 insertions(+) create mode 100644 rules/linux/process_creation/proc_creation_lnx_groupdel.yml create mode 100644 rules/linux/process_creation/proc_creation_lnx_userdel.yml diff --git a/rules/linux/process_creation/proc_creation_lnx_groupdel.yml b/rules/linux/process_creation/proc_creation_lnx_groupdel.yml new file mode 100644 index 000000000..fb8f9b8ca --- /dev/null +++ b/rules/linux/process_creation/proc_creation_lnx_groupdel.yml 
@@ -0,0 +1,24 @@ +title: Group Has Been Deleted Via Groupdel +id: 8a46f16c-8c4c-82d1-b121-0fdd3ba70a84 +status: experimental +description: Detects execution of the "groupdel" binary. Which is used to delete a group. This is sometimes abused by threat actors in order to cover their tracks +references: + - https://linuxize.com/post/how-to-delete-group-in-linux/ + - https://www.cyberciti.biz/faq/linux-remove-user-command/ + - https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/ + - https://linux.die.net/man/8/groupdel +author: Tuan Le (NCSGroup) +date: 2022/12/26 +tags: + - attack.impact + - attack.t1531 +logsource: + product: linux + category: process_creation +detection: + selection: + Image|endswith: '/groupdel' + condition: selection +falsepositives: + - Legitimate administrator activities +level: medium diff --git a/rules/linux/process_creation/proc_creation_lnx_userdel.yml b/rules/linux/process_creation/proc_creation_lnx_userdel.yml new file mode 100644 index 000000000..f226f649b --- /dev/null +++ b/rules/linux/process_creation/proc_creation_lnx_userdel.yml @@ -0,0 +1,24 @@ +title: User Has Been Deleted Via Userdel +id: 08f26069-6f80-474b-8d1f-d971c6fedea0 +status: experimental +description: Detects execution of the "userdel" binary. Which is used to delete a user account and related files. This is sometimes abused by threat actors in order to cover their tracks +references: + - https://linuxize.com/post/how-to-delete-group-in-linux/ + - https://www.cyberciti.biz/faq/linux-remove-user-command/ + - https://www.cybrary.it/blog/0p3n/linux-commands-used-attackers/ + - https://linux.die.net/man/8/userdel +author: Tuan Le (NCSGroup) +date: 2022/12/26 +tags: + - attack.impact + - attack.t1531 +logsource: + product: linux + category: process_creation +detection: + selection: + Image|endswith: '/userdel' + condition: selection +falsepositives: + - Legitimate administrator activities +level: medium
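Review bot: The groupdel rule matches only `Image|endswith: '/groupdel'`, so removals done through the Debian/Ubuntu `delgroup` wrapper are caught only if the inner `groupdel` child process is logged (the wrapper calls groupdel internally, as far as I recall — confirm on your distributions); consider adding `'/delgroup'` or stating the gap in the description. A `level: medium` alert on every `groupdel` with `falsepositives: Legitimate administrator activities` will be noisy on hosts under configuration management; a comment recommending exclusion of known provisioning users, plus `fields: [CommandLine, User]` for triage, would make the alert actionable.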
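Review bot: The userdel rule's `references` repeat the groupdel links (`how-to-delete-group-in-linux`) although this rule is about user accounts; keep the user-related links plus `man/8/userdel`. As with groupdel, a `deluser` wrapper is not matched by `Image|endswith: '/userdel'` unless the inner call is logged — consider `'/deluser'` as well, hedged on the distribution. Surfacing `CommandLine` via `fields:` (target user, `-r`/`--remove`) would let analysts see whether the home directory was also removed without pivoting to raw logs.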