Split global rules

2021-09-07 13:30:32 +02:00
parent 4f6b87fed5
commit 0e5e4fa19d
10 changed files with 219 additions and 111 deletions
@@ -0,0 +1,31 @@
+title: Netcat The Powershell Version
+id: c5b20776-639a-49bf-94c7-84f912b91c15
+related:
+   - id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2
+     type: derived
+status: experimental
+author: frack113
+date: 2021/07/21
+modified: 2021/09/07
+description: Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network
+references:
+    - https://nmap.org/ncat/
+    - https://github.com/besimorhino/powercat
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md
+tags:
+    - attack.command_and_control
+    - attack.t1095
+logsource:
+    product: windows
+    service: powershell-classic
+    definition: fields have to be extract from event
+detection:
+    selection:
+        EventID: 400
+        HostApplication|contains:
+            - 'powercat '
+            - 'powercat.ps1'
+    condition: selection 
+falsepositives:
+    - Unknown
+level: medium
@@ -1,8 +1,12 @@
-action: global
 title: Abusable Invoke-ATHRemoteFXvGPUDisablementCommand
+id: f65e22f9-819e-4f96-9c7b-498364ae7a25
+related:
+    - id: 38a7625e-b2cb-485d-b83d-aff137d859f4
+      type: derived
 status: experimental
 author: frack113
 date: 2021/07/13
+modified: 2021/09/07
 description: RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md
@@ -10,31 +14,6 @@ references:
 tags:
    - attack.defense_evasion
    - attack.t1218
-fields:
-    - ComputerName
-    - User
-    - CommandLine
-    - ParentCommandLine
-falsepositives:
-    - Unknown
-level: medium
---
-id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5
-logsource:
-    product: windows
-    category: process_creation
-detection:
-    selection_cmd:
-        CommandLine|contains: 'Invoke-ATHRemoteFXvGPUDisablementCommand '
-    selection_opt:
-        CommandLine|contains:
-            - '-ModuleName '
-            - '-ModulePath '
-            - '-ScriptBlock '
-            - '-RemoteFXvGPUDisablementFilePath'
-    condition: selection_cmd and selection_opt
---
-id: f65e22f9-819e-4f96-9c7b-498364ae7a25
 logsource:
    product: windows
    service: powershell-classic
@@ -49,18 +28,11 @@ detection:
            - '-ScriptBlock '
            - '-RemoteFXvGPUDisablementFilePath'
    condition: selection_cmd and selection_opt
---
-id: 38a7625e-b2cb-485d-b83d-aff137d859f4
-logsource:
-    product: windows
-    service: powershell
-detection:
-    selection_cmd:
-        ContextInfo|contains: 'Invoke-ATHRemoteFXvGPUDisablementCommand '
-    selection_opt:
-        ContextInfo|contains:
-            - '-ModuleName '
-            - '-ModulePath '
-            - '-ScriptBlock '
-            - '-RemoteFXvGPUDisablementFilePath'
-    condition: selection_cmd and selection_opt
+fields:
+    - ComputerName
+    - User
+    - CommandLine
+    - ParentCommandLine
+falsepositives:
+    - Unknown
+level: medium
@@ -1,32 +1,18 @@
-action: global
 title: Zip A Folder With PowerShell For Staging In Temp
+id: 71ff406e-b633-4989-96ec-bc49d825a412
+related:
+    - id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
+      type: derived
 status: experimental
 author: frack113
 date: 2021/07/20
+modified: 2021/09/07
 description: Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md
 tags:
    - attack.collection
    - attack.t1074.001
-falsepositives:
-    - Unknown
-level: medium
---
-id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98
-logsource:
-    product: windows
-    category: process_creation
-detection:
-    selection:
-        CommandLine|contains|all:
-            - 'Compress-Archive '
-            - ' -Path '
-            - ' -DestinationPath '
-            - '$env:TEMP\'
-    condition: selection 
---
-id: 71ff406e-b633-4989-96ec-bc49d825a412
 logsource:
    product: windows
    service: powershell-classic
@@ -39,16 +25,6 @@ detection:
            - ' -DestinationPath '
            - '$env:TEMP\'
    condition: selection 
---
-id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
-logsource:
-    product: windows
-    service: powershell
-detection:
-    selection:
-        ContextInfo|contains|all:
-            - 'Compress-Archive '
-            - ' -Path '
-            - ' -DestinationPath '
-            - '$env:TEMP\'
-    condition: selection 
+falsepositives:
+    - Unknown
+level: medium
@@ -1,8 +1,9 @@
-action: global
 title: Netcat The Powershell Version
+id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2
 status: experimental
 author: frack113
 date: 2021/07/21
+modified: 2021/09/07
 description: Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network
 references:
    - https://nmap.org/ncat/
@@ -11,24 +12,6 @@ references:
 tags:
    - attack.command_and_control
    - attack.t1095
-falsepositives:
-    - Unknown
-level: medium
---
-id: c5b20776-639a-49bf-94c7-84f912b91c15
-logsource:
-    product: windows
-    service: powershell-classic
-    definition: fields have to be extract from event
-detection:
-    selection:
-        EventID: 400
-        HostApplication|contains:
-            - 'powercat '
-            - 'powercat.ps1'
-    condition: selection 
---
-id: bf7286e7-c0be-460b-a7e8-5b2e07ecc2f2
 logsource:
    product: windows
    service: powershell
@@ -40,3 +23,6 @@ detection:
            - 'powercat '
            - 'powercat.ps1'
    condition: selection 
+falsepositives:
+    - Unknown
+level: medium
@@ -0,0 +1,37 @@
+title: Abusable Invoke-ATHRemoteFXvGPUDisablementCommand
+id: 38a7625e-b2cb-485d-b83d-aff137d859f4
+status: experimental
+author: frack113
+date: 2021/07/13
+modified: 2021/09/07
+description: RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md
+    - https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
+tags:
+    - attack.defense_evasion
+    - attack.t1218
+logsource:
+    product: windows
+    service: powershell
+    definition: Module Logging must be enabled
+detection:
+    selection_id:
+        EventID: 4103
+    selection_cmd:
+        ContextInfo|contains: 'Invoke-ATHRemoteFXvGPUDisablementCommand '
+    selection_opt:
+        ContextInfo|contains:
+            - '-ModuleName '
+            - '-ModulePath '
+            - '-ScriptBlock '
+            - '-RemoteFXvGPUDisablementFilePath'
+    condition: selection_id and selection_cmd and selection_opt
+fields:
+    - ComputerName
+    - User
+    - CommandLine
+    - ParentCommandLine
+falsepositives:
+    - Unknown
+level: medium
@@ -0,0 +1,28 @@
+title: Zip A Folder With PowerShell For Staging In Temp
+id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
+status: experimental
+author: frack113
+date: 2021/07/20
+modified: 2021/09/07
+description: Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md
+tags:
+    - attack.collection
+    - attack.t1074.001
+logsource:
+    product: windows
+    service: powershell
+    definition: Module Logging must be enabled
+detection:
+    selection:
+        EventID: 4103
+        ContextInfo|contains|all:
+            - 'Compress-Archive '
+            - ' -Path '
+            - ' -DestinationPath '
+            - '$env:TEMP\'
+    condition: selection 
+falsepositives:
+    - Unknown
+level: medium
@@ -0,0 +1,37 @@
+title: Abusable Invoke-ATHRemoteFXvGPUDisablementCommand
+id: a6fc3c46-23b8-4996-9ea2-573f4c4d88c5
+related:
+    - id: 38a7625e-b2cb-485d-b83d-aff137d859f4
+      type: derived
+status: experimental
+author: frack113
+date: 2021/07/13
+modified: 2021/09/07
+description: RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339).
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md
+    - https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1
+tags:
+    - attack.defense_evasion
+    - attack.t1218
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection_cmd:
+        CommandLine|contains: 'Invoke-ATHRemoteFXvGPUDisablementCommand '
+    selection_opt:
+        CommandLine|contains:
+            - '-ModuleName '
+            - '-ModulePath '
+            - '-ScriptBlock '
+            - '-RemoteFXvGPUDisablementFilePath'
+    condition: selection_cmd and selection_opt
+fields:
+    - ComputerName
+    - User
+    - CommandLine
+    - ParentCommandLine
+falsepositives:
+    - Unknown
+level: medium
@@ -0,0 +1,29 @@
+title: Zip A Folder With PowerShell For Staging In Temp
+id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98
+related:
+    - id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
+      type: derived
+status: experimental
+author: frack113
+date: 2021/07/20
+modified: 2021/09/07
+description: Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md
+tags:
+    - attack.collection
+    - attack.t1074.001
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection:
+        CommandLine|contains|all:
+            - 'Compress-Archive '
+            - ' -Path '
+            - ' -DestinationPath '
+            - '$env:TEMP\'
+    condition: selection 
+falsepositives:
+    - Unknown
+level: medium
@@ -1,32 +1,16 @@
-action: global
-title: Sysmon Configuration Modification
+title: Sysmon Configuration Error
+id: 815cd91b-7dbc-4247-841a-d7dd1392b0a8
 description: Someone try to hide from Sysmon
 status: experimental
 author: frack113
 date: 2021/06/04
-modified: 2021/06/16
+modified: 2021/09/07
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
    - https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html
 tags:
    - attack.defense_evasion
    - attack.t1564
-falsepositives:
-    - legitimate administrative action
-level: high    
---
-id: 1f2b5353-573f-4880-8e33-7d04dcf97744
-logsource:
-    product: windows
-    category: sysmon_status
-detection:
-    selection_stop:
-        State: Stopped
-    selection_conf:
-        - 'Sysmon config state changed'
-    condition: selection_stop or selection_conf
---
-id: 815cd91b-7dbc-4247-841a-d7dd1392b0a8
 logsource:
    product: windows
    category: sysmon_error
@@ -36,3 +20,6 @@ detection:
            - 'Failed to open service configuration with error'
            - 'Failed to connect to the driver to update configuration'
    condition: selection_error
+falsepositives:
+    - legitimate administrative action
+level: high 
@@ -0,0 +1,25 @@
+title: Sysmon Configuration Modification
+id: 1f2b5353-573f-4880-8e33-7d04dcf97744
+description: Someone try to hide from Sysmon
+status: experimental
+author: frack113
+date: 2021/06/04
+modified: 2021/09/07
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
+    - https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html
+tags:
+    - attack.defense_evasion
+    - attack.t1564
+logsource:
+    product: windows
+    category: sysmon_status
+detection:
+    selection_stop:
+        State: Stopped
+    selection_conf:
+        - 'Sysmon config state changed'
+    condition: selection_stop or selection_conf
+falsepositives:
+    - legitimate administrative action
+level: high