diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv
index 2a38f98d9..8da643d5e 100644
--- a/.github/workflows/known-FPs.csv
+++ b/.github/workflows/known-FPs.csv
@@ -70,3 +70,4 @@ ef9dcfed-690c-4c5d-a9d1-482cd422225c;Browser Execution In Headless Mode;.*
 65236ec7-ace0-4f0c-82fd-737b04fd4dcb;EVTX Created In Uncommon Location;Computer: (DESKTOP-6D0DBMB|WinDev2310Eval)
 de587dce-915e-4218-aac4-835ca6af6f70;Potential Persistence Attempt Via Run Keys Using Reg.EXE;\\Discord\\
 24357373-078f-44ed-9ac4-6d334a668a11;Direct Autorun Keys Modification;Discord\.exe
+dcff7e85-d01f-4eb5-badd-84e2e6be8294;Windows Default Domain GPO Modification via GPME;Computer: WIN-FPV0DSIC9O6.sigma.fr
diff --git a/rules/windows/builtin/security/win_security_default_domain_gpo_modification.yml b/rules/windows/builtin/security/win_security_default_domain_gpo_modification.yml
new file mode 100644
index 000000000..f28088834
--- /dev/null
+++ b/rules/windows/builtin/security/win_security_default_domain_gpo_modification.yml
@@ -0,0 +1,38 @@
+title: Windows Default Domain GPO Modification
+id: e5ac86dd-2da1-454b-be74-05d26c769d7d
+related:
+ - id: dcff7e85-d01f-4eb5-badd-84e2e6be8294
+ type: similar
+status: experimental
+description: |
+ Detects modifications to Default Domain or Default Domain Controllers Group Policy Objects (GPOs).
+ Adversaries may modify these default GPOs to deploy malicious configurations across the domain.
+references:
+ - https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-ransomware.html
+ - https://adsecurity.org/?p=3377
+ - https://www.pentestpartners.com/security-blog/living-off-the-land-gpo-style/
+ - https://jgspiers.com/audit-group-policy-changes/
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-11-22
+tags:
+ - attack.defense-evasion
+ - attack.privilege-escalation
+ - attack.t1484.001
+logsource:
+ product: windows
+ service: security
+ definition: |
+ Enable 'Audit Directory Service Changes' in the Default Domain Controllers Policy under:
+ Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies -> DS Access -> Audit Directory Service Changes (Success).
+ Additionally, proper SACL needs to be configured on the 'CN=Policies,CN=System,DC=,DC=' container in Active Directory to capture changes to Group Policy Objects.
+detection:
+ selection:
+ EventID: 5136
+ ObjectClass: 'groupPolicyContainer'
+ ObjectDN|startswith:
+ - 'CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=POLICIES,CN=SYSTEM' # Default Domain Policy
+ - 'CN={6AC1786C-016F-11D2-945F-00C04FB984F9},CN=POLICIES,CN=SYSTEM' # Default Domain Controllers Policy
+ condition: selection
+falsepositives:
+ - Legitimate modifications to Default Domain or Default Domain Controllers GPOs
+level: medium
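Review bot: The `logsource.definition` names the SACL target as `'CN=Policies,CN=System,DC=,DC='`, which reads as an incomplete DN rather than a template; writing it as `'CN=Policies,CN=System,DC=<domain>,DC=<tld>'` tells operators to substitute their own domain components. The selection matches every 5136 raised against the two default GPO containers, and a single GPO edit typically yields several such events (the GPO `versionNumber` and extension-name attributes are rewritten alongside the intended change, and a replaced value is logged as a value-deleted/value-added pair), so the description or the `falsepositives` entry should state the expected event volume per edit. The `ObjectDN|startswith` values are written in uppercase (`CN=POLICIES,CN=SYSTEM`) while the event carries the DN as stored in the directory; this relies on Sigma's default case-insensitive matching, and a short comment such as `# matching is case-insensitive; the stored DN is CN=Policies,CN=System` would keep a later backend-specific tightening from breaking the rule.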
diff --git a/rules/windows/process_creation/proc_creation_win_mmc_default_domain_gpo_modification_via_gpme.yml b/rules/windows/process_creation/proc_creation_win_mmc_default_domain_gpo_modification_via_gpme.yml
new file mode 100644
index 000000000..64f9a45b3
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_mmc_default_domain_gpo_modification_via_gpme.yml
@@ -0,0 +1,40 @@
+title: Windows Default Domain GPO Modification via GPME
+id: dcff7e85-d01f-4eb5-badd-84e2e6be8294
+related:
+ - id: e5ac86dd-2da1-454b-be74-05d26c769d7d
+ type: similar
+status: experimental
+description: |
+ Detects the use of the Group Policy Management Editor (GPME) to modify Default Domain or Default Domain Controllers Group Policy Objects (GPOs).
+ Adversaries may leverage GPME to make stealthy changes in these default GPOs to deploy malicious GPOs configurations across the domain without raising suspicion.
+references:
+ - https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-ransomware.html
+ - https://adsecurity.org/?p=3377
+ - https://sdmsoftware.com/general-stuff/launching-the-new-gp-management-editor-from-the-command-line/
+ - https://www.pentestpartners.com/security-blog/living-off-the-land-gpo-style/
+author: TropChaud
+date: 2025-11-22
+tags:
+ - attack.defense-evasion
+ - attack.privilege-escalation
+ - attack.t1484.001
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ # "C:\Windows\System32\gpme.msc" /s /gpobject:"LDAP:///cn,cnpolicies,cnsystem,DC,DClocal"
+ selection_mmc:
+ - Image|endswith: '\mmc.exe'
+ - OriginalFileName: 'MMC.exe'
+ selection_gpme:
+ CommandLine|contains|all:
+ - 'gpme.msc'
+ - 'gpobject:'
+ selection_default_gpos:
+ CommandLine|contains:
+ - '31B2F340-016D-11D2-945F-00C04FB984F9' # Default Domain Policy GUID
+ - '6AC1786C-016F-11D2-945F-00C04FB984F9' # Default Domain Controllers Policy GUID
+ condition: all of selection_*
+falsepositives:
+ - Legitimate use of GPME to modify GPOs
+level: medium
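Review bot: The example command line in the comment above `selection_mmc` is mangled as rendered here (`LDAP:///cn,cnpolicies,cnsystem,DC,DClocal` has lost its `=` signs and the GPO GUID), so it no longer documents the shape that `selection_gpme` and `selection_default_gpos` are matching; either restore it with placeholders, e.g. `# mmc.exe "C:\Windows\System32\gpme.msc" /s /gpobject:"LDAP://cn={<GPO GUID>},cn=policies,cn=system,DC=<domain>,DC=<tld>"`, or drop it. The description's 'make stealthy changes ... without raising suspicion' overstates what is detected: GPME is the standard editor launched from GPMC, and as the `falsepositives` entry concedes, every routine administrative edit of the two default GPOs will match, so this is in practice an audit-trail rule at `level: medium`; wording such as `Adversaries use the same editor an administrator would, so any modification of these default GPOs should be reviewed regardless of the tooling used.` fits the detection better. Edits made through other tooling do not produce this command line and are only visible to the related directory-service rule e5ac86dd-2da1-454b-be74-05d26c769d7d; a sentence in the description pointing at that coverage split would help triage.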
diff --git a/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml b/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml
index 9c8ec9b37..cfcd04a91 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_rdp_keys_tamper.yml
@@ -4,9 +4,23 @@ status: test
 description: Detects the execution of "reg.exe" for enabling/disabling the RDP service on the host by tampering with the 'CurrentControlSet\Control\Terminal Server' values
 references:
 - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
+ - http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/ # Contain description for most of the keys mentioned here (check it out if you want more information
+ - http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/ # Related to the Shadow RPD technique
+ - https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services # Contain description for most of the keys mentioned here (check it out if you want more information)
+ - https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/
+ - https://blog.sekoia.io/darkgate-internals/
+ - https://blog.talosintelligence.com/understanding-the-phobos-affiliate-structure/
+ - https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-63---disable-remote-desktop-anti-alias-setting-through-registry
+ - https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-64---disable-remote-desktop-security-settings-through-registry
+ - https://github.com/redcanaryco/atomic-red-team/blob/dd526047b8c399c312fee47d1e6fb531164da54d/atomics/T1112/T1112.yaml#L790
+ - https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-terminalservices-rdp-winstationextensions-securitylayer
+ - https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html
+ - https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03 # Related to the Shadow RPD technique
+ - https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html # Related to RDP hijacking via the "ServiceDll" key
+ - https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-ransomware.html
 author: pH-T (Nextron Systems), @Kostastsale, TheDFIRReport
 date: 2022-02-12
-modified: 2023-02-05
+modified: 2025-11-22
 tags:
 - attack.persistence
 - attack.defense-evasion
@@ -32,18 +46,23 @@ detection:
 - 'EnableConcurrentSessions'
 selection_values_2:
 CommandLine|contains:
- - 'WinStations\RDP-Tcp'
- - 'MaxInstanceCount'
- - 'fEnableWinStation'
- - 'TSUserEnabled'
- - 'TSEnabled'
- - 'TSAppCompat'
- - 'IdleWinStationPoolCount'
- - 'TSAdvertise'
 - 'AllowTSConnections'
- - 'fSingleSessionPerUser'
 - 'fDenyTSConnections'
- condition: all of selection_main_* and 1 of selection_values_*
+ - 'fEnableWinStation'
+ - 'fSingleSessionPerUser'
+ - 'IdleWinStationPoolCount'
+ - 'MaxInstanceCount'
+ - 'SecurityLayer'
+ - 'TSAdvertise'
+ - 'TSAppCompat'
+ - 'TSEnabled'
+ - 'TSUserEnabled'
+ - 'WinStations\RDP-Tcp'
+ filter_main_values_tls:
+ CommandLine|contains|all:
+ - 'SecurityLayer'
+ - '02' # TLS Enabled
+ condition: all of selection_main_* and 1 of selection_values_* and not 1 of filter_main_*
 falsepositives:
 - Unknown
 level: high
diff --git a/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml b/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml
index 59d36524f..774dc5d7c 100644
--- a/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml
+++ b/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml
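Review bot: The comment on the added etutorials.org reference is missing its closing parenthesis and, together with the added admx.help line, still reads `# Contain description ...`, whereas the same two lines added to registry_set_terminal_server_tampering.yml in this commit read `# Contains description for most of the keys mentioned here (check it out if you want more information)`; copy that corrected form here so the two rules carry identical reference comments. The added twitter reference keeps `# Related to the Shadow RPD technique`, which should read `Shadow RDP`; the same typo is on the woshub line here and on both the woshub and twitter lines in the registry_set_terminal_server_tampering.yml hunk. The `description` still says the rule detects reg.exe 'enabling/disabling the RDP service', while the second hunk of this file now also covers the `SecurityLayer` transport-security value, so the description should mention that the rule also flags weakening of RDP connection security settings.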
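Review bot: `filter_main_values_tls` exempts any command line containing both `SecurityLayer` and the two-character substring `'02'`, which neither identifies the TLS value nor exempts only it: `reg add ... /v SecurityLayer /t REG_DWORD /d 2` (the usual decimal form) contains no `02` and is still flagged, while a downgrade to `/d 0` issued from a path or argument that happens to contain `02` is silently filtered out. Anchor the exclusion on the data argument instead, e.g. `CommandLine|contains: ' /d 2', ' /d 0x2', ' /d 0x00000002'` (reg.exe accepts decimal or 0x-prefixed hex for REG_DWORD data, so both spellings are needed), or mirror the exact `Details: 'DWORD (0x00000002)'` match the companion registry_set rule uses in this same commit. The `# TLS Enabled` comment should also name the value it stands for, e.g. `# SecurityLayer 2 = SSL/TLS; 0 (RDP Security Layer) and 1 (Negotiate) are weaker`, since `'02'` alone does not convey it.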
@@ -10,21 +10,36 @@ related:
 status: test
 description: |
 Detects tampering of RDP Terminal Service/Server sensitive settings.
- Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc
+ Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc.
+
+ Below is a list of registry keys/values that are monitored by this rule:
+
+ - Shadow: Used to enable Remote Desktop shadowing, which allows an administrator to view or control a user's session.
+ - DisableRemoteDesktopAntiAlias: Disables anti-aliasing for remote desktop sessions.
+ - DisableSecuritySettings: Disables certain security settings for Remote Desktop connections.
+ - fAllowUnsolicited: Allows unsolicited remote assistance offers.
+ - fAllowUnsolicitedFullControl: Allows unsolicited remote assistance offers with full control.
+ - InitialProgram: Specifies a program to run automatically when a user logs on to a remote computer.
+ - ServiceDll: Used in RDP hijacking techniques to specify a custom DLL to be loaded by the Terminal Services service.
+ - SecurityLayer: Specifies the security layer used for RDP connections.
 references:
- - https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html # Related to RDP hijacking via the "ServiceDll" key
+ - http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/ # Contains description for most of the keys mentioned here (check it out if you want more information)
 - http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/ # Related to the Shadow RPD technique
- - https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03 # Related to the Shadow RPD technique
- - https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html
+ - https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services # Contains description for most of the keys mentioned here (check it out if you want more information)
 - https://bazaar.abuse.ch/sample/6f3aa9362d72e806490a8abce245331030d1ab5ac77e400dd475748236a6cc81/
- - http://etutorials.org/Microsoft+Products/microsoft+windows+server+2003+terminal+services/Chapter+6+Registry/Registry+Keys+for+Terminal+Services/ # Contain description for most of the keys mentioned here (check it out if you want more information
- - https://admx.help/HKLM/SOFTWARE/Policies/Microsoft/Windows%20NT/Terminal%20Services # Contain description for most of the keys mentioned here (check it out if you want more information)
 - https://blog.sekoia.io/darkgate-internals/
+ - https://blog.talosintelligence.com/understanding-the-phobos-affiliate-structure/
 - https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-63---disable-remote-desktop-anti-alias-setting-through-registry
 - https://github.com/redcanaryco/atomic-red-team/blob/02c7d02fe1f1feb0fc7944550408ea8224273994/atomics/T1112/T1112.md#atomic-test-64---disable-remote-desktop-security-settings-through-registry
+ - https://github.com/redcanaryco/atomic-red-team/blob/dd526047b8c399c312fee47d1e6fb531164da54d/atomics/T1112/T1112.yaml#L790
+ - https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-terminalservices-rdp-winstationextensions-securitylayer
+ - https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html
+ - https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03 # Related to the Shadow RPD technique
+ - https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html # Related to RDP hijacking via the "ServiceDll" key
+ - https://www.trendmicro.com/en_us/research/25/i/unmasking-the-gentlemen-ransomware.html
 author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali
 date: 2022-08-06
-modified: 2024-02-08
+modified: 2025-11-22
 tags:
 - attack.defense-evasion
 - attack.persistence
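Review bot: The new `SecurityLayer` bullet in the description only says that it 'specifies the security layer used for RDP connections' and, unlike the other bullets, gives no hint of why a change to it is suspicious; `- SecurityLayer: Selects the RDP transport security layer (0 = RDP Security Layer, 1 = Negotiate, 2 = SSL/TLS); lowering it from 2 weakens protection of the RDP session.` would also explain the filter added further down in this file, which exempts only value 2. The bullet list presents itself as the complete set of monitored keys/values, but the `detection` section is outside this hunk, so the list should be checked against the actual `TargetObject` entries before it is described as exhaustive (the first sentence names `fDenyTSConnections`, which does not appear in the list). The `description` is a `|` block scalar, so the blank lines and the leading `- ` of the bullets are plain text here, which is fine, but the bullets should keep the same one-line shape as the existing `InitialProgram`/`ServiceDll` inline comments in the detection so the two stay easy to cross-check.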
@@ -59,8 +74,12 @@ detection:
 - '\Control\Terminal Server\InitialProgram' # This value can be set to specify a program to run automatically when a user logs on to a remote computer.
 - '\Control\Terminal Server\WinStations\RDP-Tcp\InitialProgram' # This value can be set to specify a program to run automatically when a user logs on to a remote computer.
 - '\services\TermService\Parameters\ServiceDll' # RDP hijacking
+ - '\Terminal Server\WinStations\RDP-Tcp\SecurityLayer'
 - '\Windows NT\Terminal Services\InitialProgram' # This value can be set to specify a program to run automatically when a user logs on to a remote computer.
- condition: selection_shadow or selection_terminal_services_key or selection_tamper_only
+ filter_main_securitylayer_tls:
+ TargetObject|endswith: '\SecurityLayer'
+ Details: 'DWORD (0x00000002)' # TLS Enabled
+ condition: (selection_shadow or selection_terminal_services_key or selection_tamper_only) and not 1 of filter_main_*
 falsepositives:
 - Some of the keys mentioned here could be modified by an administrator while setting group policy (it should be investigated either way)
 level: high
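Review bot: The added `'\Terminal Server\WinStations\RDP-Tcp\SecurityLayer'` entry is the only item in this list without a trailing comment saying why it is monitored; add `# 0 = RDP Security Layer, 1 = Negotiate, 2 = SSL/TLS; lowering from 2 weakens RDP transport security` in the style of the `InitialProgram` and `ServiceDll` lines. `filter_main_securitylayer_tls` exempts only `Details: 'DWORD (0x00000002)'`, so setting the value to 1 (Negotiate, presumably the default on many builds) is reported at `level: high` alongside a genuine downgrade to 0; if that is intended, say so in the `# TLS Enabled` comment, otherwise consider also exempting `'DWORD (0x00000001)'`. `'DWORD (0x00000002)'` is Sysmon's rendering of REG_DWORD data, so the filter only takes effect for Sysmon-sourced registry_set events; a one-line comment noting that would spare users of other sources a silent gap in the exclusion.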