feat: more updates and fixes

2023-02-28 15:22:25 +01:00
parent 2234b7d180
commit 137dcbcc50
42 changed files with 419 additions and 170 deletions
@@ -3,14 +3,14 @@ id: fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba
 related:
    - id: 42c575ea-e41e-41f1-b248-8093c3e82a28
      type: derived
-status: experimental
+status: deprecated
 description: Detects PsExec service execution via default service image name
 references:
    - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
    - https://jpcertcc.github.io/ToolAnalysisResultSheet
 author: Thomas Patzke
 date: 2017/06/12
-modified: 2022/05/27
+modified: 2023/02/28
 tags:
    - attack.execution
    - attack.t1569.002
@@ -1,10 +1,10 @@
 title: PsExec Service Start
 id: 3ede524d-21cc-472d-a3ce-d21b568d8db7
-status: test
+status: deprecated
 description: Detects a PsExec service start
 author: Florian Roth (Nextron Systems)
 date: 2018/03/13
-modified: 2021/11/27
+modified: 2023/02/28
 tags:
    - attack.execution
    - attack.s0029
@@ -6,7 +6,7 @@ references:
    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
 author: Teymur Kheirkhabarov, Florian Roth
 date: 2019/10/23
-modified: 2022/05/13
+modified: 2023/02/28
 tags:
    - attack.privilege_escalation
    - attack.discovery
@@ -9,7 +9,7 @@ author: Sohan G (D4rkCiph3r)
 date: 2023/02/18
 tags:
    - attack.persistence
-    - attack.t1543.001 
+    - attack.t1543.001
    - attack.t1543.004
 logsource:
    category: process_creation
@@ -8,8 +8,10 @@ references:
    - https://twitter.com/MaD_c4t/status/1623414582382567424
    - https://labs.withsecure.com/publications/detecting-onenote-abuse
    - https://www.trustedsec.com/blog/new-attacks-old-tricks-how-onenote-malware-is-evolving/
+    - https://app.any.run/tasks/17f2d378-6d11-4d6f-8340-954b04f35e83/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/02/09
+modified: 2023/02/27
 tags:
    - attack.defense_evasion
 logsource:
@@ -21,22 +23,25 @@ detection:
            - '\onenote.exe'
            - '\onenotem.exe'
            - '\onenoteim.exe'
-        TargetFilename|contains|all:
-            - '\AppData\Local\Temp\OneNote\'
-            - '\Exported\'
+        TargetFilename|contains: '\AppData\Local\Temp\OneNote\'
        TargetFilename|endswith:
            # TODO: Add more suspicious extensions
            - '.bat'
+            - '.chm'
            - '.cmd'
+            - '.dll'
            - '.exe'
            - '.hta'
            - '.htm'
            - '.html'
+            - '.js'
            - '.lnk'
            - '.ps1'
            - '.vbe'
            - '.vbs'
+            - '.wsf'
    condition: selection
 falsepositives:
-    - Unknown
+    - False positives should be very low with the extensions list cited. Especially if you don't heavily utilize onenote.
+    - Occasional FP might occur if OneNote is used internally to share different embedded documents
 level: high
@@ -9,7 +9,7 @@ references:
    - https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md # XForceIR (SideLoadHunter Project), Chris Spehn (research WFH Dridex)
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/14
-modified: 2023/01/09
+modified: 2023/02/28
 tags:
    - attack.defense_evasion
    - attack.persistence
@@ -462,6 +462,9 @@ detection:
        ImageLoaded|endswith: '\ssshim.dll'
    filter_upgrade:
        Image|startswith: 'C:\$WINDOWS.~BT\'
+    filter_dell_wldp:
+        Image|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
+        Image|endswith: '\wldp.dll'
    condition: selection and not 1 of filter_*
 falsepositives:
    - Legitimate applications loading their own versions of the DLLs mentioned in this rule
@@ -34,4 +34,5 @@ fields:
 falsepositives:
    - Scripts created by developers and admins
    - Administrative activity
+    - The "\Git\usr\bin\sh.exe" process uses the "--output" flag to download specific file in the temp directory with the pattern "gfw-httpget-xxxxxxxx.txt "
 level: medium
@@ -52,7 +52,7 @@ detection:
            - '.vbs'
    filter_git_windows:
        # Example FP
-        # CommandLine: "C:\Program Files\Git\mingw64\bin\curl.exe" --silent --show-error --output C:/Users/test/AppData/Local/Temp/gfw-httpget-jVOEoxbS.txt --write-out %{http_code} https://gitforwindows.org/latest-tag.txt
+        #   CommandLine: "C:\Program Files\Git\mingw64\bin\curl.exe" --silent --show-error --output C:/Users/test/AppData/Local/Temp/gfw-httpget-jVOEoxbS.txt --write-out %{http_code} https://gitforwindows.org/latest-tag.txt
        ParentImage: 'C:\Program Files\Git\usr\bin\sh.exe'
        Image: 'C:\Program Files\Git\mingw64\bin\curl.exe'
        CommandLine|contains|all:
@@ -1,7 +1,7 @@
 title: ImagingDevices Unusual Parent/Child Processes
 id: f11f2808-adb4-46c0-802a-8660db50fa99
 status: experimental
-description: Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity
+description: Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) processes as seen being used with bumblebee activity
 references:
    - https://thedfirreport.com/2022/09/26/bumblebee-round-two/
 author: Nasreddine Bencherchali (Nextron Systems)
@@ -26,5 +26,5 @@ detection:
        CurrentDirectory: null
    condition: lolbin and not 1 of filter_*
 falsepositives:
-    - Unknown
+    - ViberPC updater calls this binary with the following commandline "ie4uinit.exe -ClearIconCache"
 level: medium
@@ -9,7 +9,7 @@ references:
    - https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/
    - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN
    - https://twitter.com/jonasLyk/status/1555914501802921984
-author: frack113, Nasreddine Bencherchali
+author: frack113, Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/05
 modified: 2022/09/21
 tags:
@@ -9,7 +9,7 @@ references:
    - https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/
    - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN
    - https://twitter.com/jonasLyk/status/1555914501802921984
-author: frack113, Nasreddine Bencherchali
+author: frack113, Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/06
 modified: 2022/12/12
 tags:
@@ -1,4 +1,4 @@
-title: Rundll32 Without Parameters
+title: Rundll32 Execution Without Parameters
 id: 5bb68627-3198-40ca-b458-49f973db8752
 status: test
 description: Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module
@@ -6,7 +6,7 @@ references:
    - https://bczyz1.github.io/2021/01/30/psexec.html
 author: Bartlomiej Czyz, Relativity
 date: 2021/01/31
-modified: 2022/10/09
+modified: 2023/02/28
 tags:
    - attack.lateral_movement
    - attack.t1021.002
@@ -18,7 +18,9 @@ logsource:
    product: windows
 detection:
    selection:
-        CommandLine: 'rundll32.exe'
+        CommandLine:
+            - 'rundll32.exe'
+            - 'rundll32'
    condition: selection
 fields:
    - ComputerName
@@ -22,4 +22,5 @@ detection:
    condition: all of selection_*
 falsepositives:
    - Legitimate query of a service by an administrator to get more information such as the state or PID
+    - Keybase process "kbfsdokan.exe" query the dokan1 service with the following commandline "sc query dokan1"
 level: low
@@ -0,0 +1,38 @@
+title: Allow Service Access Using Security Descriptor Tampering Via Sc.EXE
+id: 6c8fbee5-dee8-49bc-851d-c3142d02aa47
+related:
+    - id: a537cfc3-4297-4789-92b5-345bfd845ad0 # Generic SD tampering
+      type: similar
+status: test
+description: Detects suspicious DACL modifications to allow access to a service from suspicious trustee. This can be used to override access restrictions set by previous ACLs
+references:
+    - https://twitter.com/0gtweet/status/1628720819537936386?s=12&t=ryKBN2ElFC1KoYmYy4xj-w
+    - https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/
+    - https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/02/28
+tags:
+    - attack.persistence
+    - attack.t1543.003
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_sc:
+        - Image|endswith: '\sc.exe'
+        - OriginalFileName: 'sc.exe'
+    selection_sdset:
+        CommandLine|contains|all:
+            - 'sdset'
+            - 'A;' # Allow Access
+    selection_trustee:
+        CommandLine|contains:
+            - ';IU' # Interactively logged-on user
+            - ';SU' # Service logon user
+            - ';BA' # Built-in administrators
+            - ';SY' # Local system
+            - ';WD' # Everyone
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,41 @@
+title: Deny Service Access Using Security Descriptor Tampering Via Sc.EXE
+id: 99cf1e02-00fb-4c0d-8375-563f978dfd37
+related:
+    - id: a537cfc3-4297-4789-92b5-345bfd845ad0 # Generic SD tampering
+      type: similar
+    - id: a537cfc3-4297-4789-92b5-345bfd845ad0 # Specific Technique
+      type: similar
+status: test
+description: Detects suspicious DACL modifications to deny access to a service that affects critical trustee. This can  be used to hide services or make them unstopable.
+references:
+    - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/
+    - https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/
+    - https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings
+author: Jonhnathan Ribeiro, oscd.community
+date: 2020/10/16
+modified: 2023/02/28
+tags:
+    - attack.persistence
+    - attack.t1543.003
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_sc:
+        - Image|endswith: '\sc.exe'
+        - OriginalFileName: 'sc.exe'
+    selection_sdset:
+        CommandLine|contains|all:
+            - 'sdset'
+            - 'D;' # Deny Access
+    selection_trustee:
+        CommandLine|contains:
+            - ';IU' # Interactively logged-on user
+            - ';SU' # Service logon user
+            - ';BA' # Built-in administrators
+            - ';SY' # Local system
+            - ';WD' # Everyone
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: high
@@ -0,0 +1,43 @@
+title: Service DACL Abuse To Hide Services Via Sc.EXE
+id: a537cfc3-4297-4789-92b5-345bfd845ad0
+related:
+    - id: 99cf1e02-00fb-4c0d-8375-563f978dfd37 # Deny Service Access
+      type: similar
+    - id: a537cfc3-4297-4789-92b5-345bfd845ad0 # Generic SD tampering
+      type: similar
+status: experimental
+description: Detects usage of the "sc.exe" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable.
+references:
+    - https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html
+    - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/
+    - https://twitter.com/Alh4zr3d/status/1580925761996828672
+    - https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/
+author: Andreas Hunkeler (@Karneades)
+date: 2021/12/20
+modified: 2022/08/08
+tags:
+    - attack.persistence
+    - attack.defense_evasion
+    - attack.privilege_escalation
+    - attack.t1574.011
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\sc.exe'
+        - OriginalFileName: 'sc.exe'
+    selection_cli:
+        CommandLine|contains|all:
+            - 'sdset'
+            # Summary of permissions
+            #   DC: Delete All Child Objects
+            #   LC: List Contents
+            #   WP: Write All Properties
+            #   DT: Delete Subtree
+            #   SD: Delete
+            - 'DCLCWPDTSD'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: high
@@ -1,14 +1,20 @@
-title: Abuse of Service Permissions to Hide Services in Tools
+title: Service Security Descriptor Tampering Via Sc.EXE
 id: a537cfc3-4297-4789-92b5-345bfd845ad0
+related:
+    - id: 99cf1e02-00fb-4c0d-8375-563f978dfd37 # Deny Service Access
+      type: similar
+    - id: a537cfc3-4297-4789-92b5-345bfd845ad0 # Specific Technique
+      type: similar
 status: experimental
 description: Detection of sc.exe utility adding a new service with special permission which hides that service.
 references:
    - https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html
    - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/
    - https://twitter.com/Alh4zr3d/status/1580925761996828672
-author: Andreas Hunkeler (@Karneades)
-date: 2021/12/20
-modified: 2022/08/08
+    - https://twitter.com/0gtweet/status/1628720819537936386?s=12&t=ryKBN2ElFC1KoYmYy4xj-w
+    - https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/02/28
 tags:
    - attack.persistence
    - attack.defense_evasion
@@ -22,10 +28,8 @@ detection:
        - Image|endswith: '\sc.exe'
        - OriginalFileName: 'sc.exe'
    selection_cli:
-        CommandLine|contains|all:
-            - 'sdset'
-            - 'DCLCWPDTSD'
+        CommandLine|contains: 'sdset'
    condition: all of selection_*
 falsepositives:
-    - Rare intended use of hidden services
-level: high
+    - Unknown
+level: medium
@@ -1,34 +0,0 @@
-title: Suspicious Service DACL Modification
-id: 99cf1e02-00fb-4c0d-8375-563f978dfd37
-status: test
-description: Detects suspicious DACL modifications that can  be used to hide services or make them unstopable
-references:
-    - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/
-    - https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings
-author: Jonhnathan Ribeiro, oscd.community
-date: 2020/10/16
-modified: 2022/10/18
-tags:
-    - attack.persistence
-    - attack.t1543.003
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection_sc:
-        - Image|endswith: '\sc.exe'
-        - OriginalFileName: 'sc.exe'
-    selection_sdset:
-        CommandLine|contains|all:
-            - 'sdset'
-            - 'D;;'
-        CommandLine|contains:
-            - ';;;IU'
-            - ';;;SU'
-            - ';;;BA'
-            - ';;;SY'
-            - ';;;WD'
-    condition: all of selection_*
-falsepositives:
-    - Unknown
-level: high
@@ -6,6 +6,8 @@ references:
    - https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html
 author: Florian Roth (Nextron Systems)
 date: 2022/11/11
+tags:
+    - attack.privilege_escalation
 logsource:
    category: process_creation
    product: windows
@@ -6,6 +6,8 @@ references:
    - https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation
 author: Florian Roth (Nextron Systems)
 date: 2022/04/27
+tags:
+    - attack.defense_evasion
 logsource:
    product: windows
    category: process_creation
@@ -1,35 +0,0 @@
-title: Suspicious Double File Extension in ParentCommandLine
-id: 5e6a80c8-2d45-4633-9ef4-fa2671a39c5c
-related:
-    - id: 1cdd9a09-06c9-4769-99ff-626e2b3991b8
-      type: derived
-status: experimental
-description: Detect execution of suspicious double extension files in ParentCommandLine
-references:
-    - https://www.virustotal.com/gui/file/7872d8845a332dce517adae9c3389fde5313ff2fed38c2577f3b498da786db68/behavior
-    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa
-author: frack113
-date: 2023/01/06
-modified: 2023/02/05
-tags:
-    - attack.defense_evasion
-    - attack.t1036.007
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        ParentCommandLine|contains:
-            - '.doc.lnk'
-            - '.docx.lnk'
-            - '.xls.lnk'
-            - '.xlsx.lnk'
-            - '.ppt.lnk'
-            - '.pptx.lnk'
-            - '.rtf.lnk'
-            - '.pdf.lnk'
-            - '.txt.lnk'
-    condition: selection
-falsepositives:
-    - Unknown
-level: high
@@ -1,13 +1,15 @@
-title: Suspicious Double Extension
+title: Suspicious Double Extension File Execution
 id: 1cdd9a09-06c9-4769-99ff-626e2b3991b8
+related:
+    - id: 5e6a80c8-2d45-4633-9ef4-fa2671a39c5c # ParentImage/ParentCommandLine
 status: stable
 description: Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns
 references:
    - https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html
    - https://twitter.com/blackorbird/status/1140519090961825792
-author: Florian Roth (Nextron Systems), @blu3_team (idea)
+author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems)
 date: 2019/06/26
-modified: 2021/11/27
+modified: 2023/02/28
 tags:
    - attack.initial_access
    - attack.t1566.001
@@ -28,6 +30,36 @@ detection:
            - '.txt.exe'
            - '      .exe'
            - '______.exe'
+            - '.doc.js'
+            - '.docx.js'
+            - '.xls.js'
+            - '.xlsx.js'
+            - '.ppt.js'
+            - '.pptx.js'
+            - '.rtf.js'
+            - '.pdf.js'
+            - '.txt.js'
+        CommandLine|endswith:
+            - '.doc.exe'
+            - '.docx.exe'
+            - '.xls.exe'
+            - '.xlsx.exe'
+            - '.ppt.exe'
+            - '.pptx.exe'
+            - '.rtf.exe'
+            - '.pdf.exe'
+            - '.txt.exe'
+            - '      .exe'
+            - '______.exe'
+            - '.doc.js'
+            - '.docx.js'
+            - '.xls.js'
+            - '.xlsx.js'
+            - '.ppt.js'
+            - '.pptx.js'
+            - '.rtf.js'
+            - '.pdf.js'
+            - '.txt.js'
    condition: selection
 falsepositives:
    - Unknown
@@ -0,0 +1,63 @@
+title: Suspicious Parent Double Extension File Execution
+id: 5e6a80c8-2d45-4633-9ef4-fa2671a39c5c
+related:
+    - id: 1cdd9a09-06c9-4769-99ff-626e2b3991b8 # Image/CommandLine
+      type: derived
+status: experimental
+description: Detect execution of suspicious double extension files in ParentCommandLine
+references:
+    - https://www.virustotal.com/gui/file/7872d8845a332dce517adae9c3389fde5313ff2fed38c2577f3b498da786db68/behavior
+    - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa
+author: frack113, Nasreddine Bencherchali (Nextron Systems)
+date: 2023/01/06
+modified: 2023/02/28
+tags:
+    - attack.defense_evasion
+    - attack.t1036.007
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        - ParentImage|contains:
+            - '.doc.lnk'
+            - '.docx.lnk'
+            - '.xls.lnk'
+            - '.xlsx.lnk'
+            - '.ppt.lnk'
+            - '.pptx.lnk'
+            - '.rtf.lnk'
+            - '.pdf.lnk'
+            - '.txt.lnk'
+            - '.doc.js'
+            - '.docx.js'
+            - '.xls.js'
+            - '.xlsx.js'
+            - '.ppt.js'
+            - '.pptx.js'
+            - '.rtf.js'
+            - '.pdf.js'
+            - '.txt.js'
+        - ParentCommandLine|contains:
+            - '.doc.lnk'
+            - '.docx.lnk'
+            - '.xls.lnk'
+            - '.xlsx.lnk'
+            - '.ppt.lnk'
+            - '.pptx.lnk'
+            - '.rtf.lnk'
+            - '.pdf.lnk'
+            - '.txt.lnk'
+            - '.doc.js'
+            - '.docx.js'
+            - '.xls.js'
+            - '.xlsx.js'
+            - '.ppt.js'
+            - '.pptx.js'
+            - '.rtf.js'
+            - '.pdf.js'
+            - '.txt.js'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
@@ -5,7 +5,7 @@ description: Detects suspicious ways to download files from Microsoft domains th
 references:
    - https://twitter.com/an0n_r0/status/1474698356635193346?s=12
    - https://twitter.com/mrd0x/status/1475085452784844803?s=12
-author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
+author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2021/12/27
 modified: 2022/08/02
 logsource:
@@ -1,12 +1,12 @@
-title: Procdump Usage
+title: Procdump Execution
 id: 2e65275c-8288-4ab4-aeb7-6274f58b6b20
 status: experimental
 description: Detects usage of the SysInternals Procdump utility
 references:
-    - Internal Research
+    - https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
 author: Florian Roth (Nextron Systems)
 date: 2021/08/16
-modified: 2022/08/11
+modified: 2023/02/28
 tags:
    - attack.defense_evasion
    - attack.t1036
@@ -1,4 +1,4 @@
-title: Procdump Evasion
+title: Potential Procdump Evasion
 id: 79b06761-465f-4f88-9ef2-150e24d3d737
 status: test
 description: Detects uses of the SysInternals Procdump utility in which procdump or its output get renamed or a dump file is moved ot copied to a different name
@@ -6,6 +6,7 @@ references:
    - https://twitter.com/mrd0x/status/1480785527901204481
 author: Florian Roth (Nextron Systems)
 date: 2022/01/11
+modified: 2023/02/28
 tags:
    - attack.defense_evasion
    - attack.t1036
@@ -1,9 +1,9 @@
-title: Suspicious Use of Procdump on LSASS
+title: Potential LSASS Process Dump Via Procdump
 id: 5afee48e-67dd-4e03-a783-f74259dcf998
 status: stable
 description: Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable.
 references:
-    - Internal Research
+    - https://learn.microsoft.com/en-us/sysinternals/downloads/procdump
 author: Florian Roth (Nextron Systems)
 date: 2018/10/30
 modified: 2022/08/12
@@ -17,11 +17,11 @@ logsource:
    category: process_creation
    product: windows
 detection:
-    selection1:
+    selection_flags:
        CommandLine|contains:
            - ' -ma '
            - ' /ma '
-    selection2:
+    selection_process:
        CommandLine|contains: ' ls' # Short for lsass
    condition: all of selection*
 falsepositives:
@@ -1,4 +1,4 @@
-title: Psexec Accepteula Condition
+title: Psexec Execution
 id: 730fc21b-eaff-474b-ad23-90fd265d4988
 status: test
 description: Detects user accept agreement execution in psexec commandline
@@ -6,7 +6,7 @@ references:
    - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
 author: omkar72
 date: 2020/10/30
-modified: 2022/06/23
+modified: 2023/02/28
 tags:
    - attack.execution
    - attack.t1569
@@ -16,12 +16,9 @@ logsource:
    product: windows
 detection:
    selection:
-        Image|endswith: '\psexec.exe'
-        CommandLine|contains: 'accepteula'
+        - Image|endswith: '\psexec.exe'
+        - OriginalFileName: 'psexec.c'
    condition: selection
-fields:
-    - Image
-    - CommandLine
 falsepositives:
    - Administrative scripts.
 level: medium
@@ -1,10 +1,10 @@
 title: PsExec/PAExec Escalation to LOCAL SYSTEM
 id: 8834e2f7-6b4b-4f09-8906-d2276470ee23
 related:
-    - id: 207b0396-3689-42d9-8399-4222658efc99
+    - id: 207b0396-3689-42d9-8399-4222658efc99 # Generic rule based on similar cli flags
      type: similar
 status: experimental
-description: Detects suspicious flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights
+description: Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights
 references:
    - https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
    - https://www.poweradmin.com/paexec/
@@ -62,9 +62,6 @@ detection:
            - 'psexec'
            - 'paexec'
            - 'accepteula'
-            - 'cmd /c '
-            - 'cmd /k '
-            - 'cmd /r '
    condition: all of selection_*
 falsepositives:
    - Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare)
@@ -0,0 +1,28 @@
+title: Potential PsExec Remote Execution
+id: ea011323-7045-460b-b2d7-0f7442ea6b38
+status: experimental
+description: Detects potential psexec command that initiate execution on a remote systems via common commandline flags used by the utility
+references:
+    - https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
+    - https://www.poweradmin.com/paexec/
+    - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
+author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+date: 2023/02/28
+tags:
+    - attack.resource_development
+    - attack.t1587.001
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        # Accepting EULA in commandline - often used in automated attacks
+        CommandLine|contains|all:
+            - 'accepteula'
+            - ' -u '
+            - ' -p '
+            - ' \\\\'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
@@ -2,14 +2,15 @@ title: PsExec Service Execution
 id: fdfcbd78-48f1-4a4b-90ac-d82241e368c5
 related:
    - id: fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba
-      type: similar
+      type: obsoletes
 status: experimental
 description: Detects launch of the PSEXESVC service, which means that this system was the target of a psexec remote execution
 references:
    - https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
    - https://www.youtube.com/watch?v=ro2QuZTIMBM
-author: Romaissa Adjailia, FLorian Roth
-date: 2022/07/21
+author: Thomas Patzke, Romaissa Adjailia, Florian Roth (Nextron Systems)
+date: 2017/06/12
+modified: 2023/02/28
 tags:
    - attack.execution
 logsource:
@@ -1,4 +1,4 @@
-title: PsExec Service Execution as LOCAL SYSTEM
+title: PsExec Service Child Process Execution as LOCAL SYSTEM
 id: 7c0dcd3d-acf8-4f71-9570-f448b0034f94
 related:
    - id: fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba
@@ -22,5 +22,5 @@ detection:
            - 'AUTORI'
    condition: selection
 falsepositives:
-    - Legitimate administrative tasks
+    - Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension
 level: high
@@ -1,4 +1,4 @@
-title: Sysinternals SDelete Delete File
+title: Potential File Overwrite Via Sysinternals SDelete
 id: a4824fca-976f-4964-b334-0621379e84c4
 status: experimental
 description: Detects the use of SDelete to erase a file not the free space
@@ -6,7 +6,7 @@ references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md
 author: frack113
 date: 2021/06/03
-modified: 2022/09/06
+modified: 2023/02/28
 tags:
    - attack.impact
    - attack.t1485
@@ -29,5 +29,5 @@ fields:
    - CommandLine
    - ParentCommandLine
 falsepositives:
-    - System administrator usage
+    - Unknown
 level: high
@@ -1,10 +1,10 @@
 title: Potential Pirvilege Escalation To LOCAL SYSTEM
 id: 207b0396-3689-42d9-8399-4222658efc99
 related:
-    - id: 8834e2f7-6b4b-4f09-8906-d2276470ee23
+    - id: 8834e2f7-6b4b-4f09-8906-d2276470ee23 # PsExec specific rule
      type: similar
 status: experimental
-description: Detects unknown programs using suspicious flags usually used by tools such as PsExec and PAExec to open shell program with SYSTEM Privileges
+description: Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges
 references:
    - https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
    - https://www.poweradmin.com/paexec/
@@ -58,17 +58,12 @@ detection:
            - ' /i /s powershell'
            - ' -i /s powershell'
            - ' /i -s powershell'
-    selection_flags_2:
-        # Accepting EULA in commandline - often used in automated attacks
-        CommandLine|contains|all:
-            - 'accepteula'
-            - ' -u '
-            - ' -p '
-            - ' \\'
    filter:
+        # This filter exclude strings covered by 8834e2f7-6b4b-4f09-8906-d2276470ee23
        CommandLine|contains:
            - 'paexec'
            - 'PsExec'
+            - 'accepteula'
    condition: 1 of selection_flags_* and not filter
 falsepositives:
    - Weird admins that rename their tools
@@ -1,13 +1,13 @@
-title: Whoami Execution
+title: Whoami.EXE Execution
 id: e28a5a99-da44-436d-b7a0-2afc20a5f413
 status: test
-description: Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation but rarely used by administrators
+description: Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation
 references:
    - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/
    - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/
 author: Florian Roth (Nextron Systems)
 date: 2018/08/13
-modified: 2022/05/13
+modified: 2023/02/28
 tags:
    - attack.discovery
    - attack.t1033
@@ -1,13 +1,16 @@
-title: Run Whoami as Privileged User
+title: Suspicious Whoami.EXE Execution From Privileged Process
 id: 79ce34ca-af29-4d0e-b832-fc1b377020db
+related:
+    - id: 80167ada-7a12-41ed-b8e9-aa47195c66a1
+      type: obsoletes
 status: experimental
-description: Detects a whoami.exe executed by privileged accounts that are often misused by threat actors
+description: Detects the execution of "whoami.exe" by privileged accounts that are often misused by threat actors
 references:
    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
    - https://nsudo.m2team.org/en-us/
-author: Florian Roth (Nextron Systems)
+author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov
 date: 2022/01/28
-modified: 2022/05/13
+modified: 2023/02/28
 tags:
    - attack.privilege_escalation
    - attack.discovery
@@ -16,12 +19,15 @@ logsource:
    category: process_creation
    product: windows
 detection:
-    selection_user:
-        User|contains: 'TrustedInstaller'
    selection_img:
        - OriginalFileName: 'whoami.exe'
        - Image|endswith: '\whoami.exe'
-    condition: all of selection*
+    selection_user:
+        User|contains:
+            - 'AUTHORI'
+            - 'AUTORI'
+            - 'TrustedInstaller'
+    condition: all of selection_*
 falsepositives:
    - Unknown
 level: high
@@ -0,0 +1,26 @@
+title: Group Membership Reconnaissance Via Whoami.EXE
+id: 97a80ec7-0e2f-4d05-9ef4-65760e634f6b
+status: experimental
+description: Detects a whoami.exe executed with the /group command line flag instructing the tool to show group membership for current user, type of account, security identifiers (SID) and attributes.
+references:
+    - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/whoami
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/02/28
+tags:
+    - attack.discovery
+    - attack.t1033
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\whoami.exe'
+        - OriginalFileName: 'whoami.exe'
+    selection_cli:
+        CommandLine|contains:
+            - ' /groups'
+            - ' -groups'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: medium
@@ -1,14 +1,14 @@
-title: Whoami Execution Anomaly
+title: Whoami.EXE Execution Anomaly
 id: 8de1cbe8-d6f5-496d-8237-5f44a721c7a0
 status: experimental
-description: Detects the execution of whoami with suspicious parents or parameters
+description: Detects the execution of whoami with suspicious parents
 references:
    - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/
    - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/
    - https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s
 author: Florian Roth (Nextron Systems)
 date: 2021/08/12
-modified: 2022/10/04
+modified: 2023/02/28
 tags:
    - attack.discovery
    - attack.t1033
@@ -20,27 +20,20 @@ detection:
    selection:
        - Image|endswith: '\whoami.exe'
        - OriginalFileName: 'whoami.exe'
-    filter1:
+    filter_generic:
+        # This list can be any legitimate shell or application that you expect whoami to run from
        ParentImage|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\powershell_ise.exe'
-    filter2:
-        ParentImage:
-            - 'C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe'
-            - ''
-    filter3:
+    filter_ms_monitoring_agent:
+        ParentImage: 'C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe'
+    filter_parent_null:
        ParentImage: null
-    selection_special:
-        CommandLine|contains:
-            - 'whoami -all'
-            - 'whoami /all'
-            - 'whoami.exe -all'
-            - 'whoami.exe /all'
-            - 'whoami.exe >'
-            - 'whoami >'
-    condition: ( selection and not 1 of filter* ) or selection_special
+    filter_parent_empty:
+        ParentImage: ''
+    condition: selection and not 1 of filter_*
 falsepositives:
    - Admin activity
    - Scripts and administrative tools used in the monitored environment
@@ -1,4 +1,4 @@
-title: Run Whoami Showing Privileges
+title: Security Privileges Reconnaissance Via Whoami.EXE
 id: 97a80ec7-0e2f-4d05-9ef4-65760e634f6b
 status: experimental
 description: Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privieleges. This is often used after a privilege escalation attempt.
@@ -6,7 +6,7 @@ references:
    - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/whoami
 author: Florian Roth (Nextron Systems)
 date: 2021/05/05
-modified: 2022/05/13
+modified: 2023/02/28
 tags:
    - attack.privilege_escalation
    - attack.discovery
@@ -19,8 +19,10 @@ detection:
        - Image|endswith: '\whoami.exe'
        - OriginalFileName: 'whoami.exe'
    selection_cli:
-        CommandLine|contains: '/priv'
+        CommandLine|contains:
+            - ' /priv'
+            - ' -priv'
    condition: all of selection_*
 falsepositives:
-    - Administrative activity (rare lookups on current privileges)
+    - Unknown
 level: high
@@ -0,0 +1,35 @@
+title: Suspicious Whoami.EXE Execution
+id: c30fb093-1109-4dc8-88a8-b30d11c95a5d
+status: experimental
+description: Detects the execution of "whoami.exe" with the "/all" flag or with redirection options to export the results to a file for later use.
+references:
+    - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/
+    - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/
+    - https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s
+author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+date: 2023/02/28
+tags:
+    - attack.discovery
+    - attack.t1033
+    - car.2016-03-001
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_main_img:
+        - Image|endswith: '\whoami.exe'
+        - OriginalFileName: 'whoami.exe'
+    selection_main_cli:
+        CommandLine|contains:
+            - ' -all'
+            - ' /all'
+            - ' /FO CSV'
+            - ' -FO CSV'
+    selection_special:
+        CommandLine|contains|all:
+            - 'whoami'
+            - '>'
+    condition: all of selection_main_* or selection_special
+falsepositives:
+    - Unknown
+level: high