diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_service_execution.yml b/rules-deprecated/windows/proc_creation_win_sysinternals_psexec_service_execution.yml similarity index 95% rename from rules/windows/process_creation/proc_creation_win_sysinternals_psexec_service_execution.yml rename to rules-deprecated/windows/proc_creation_win_sysinternals_psexec_service_execution.yml index e02eef085..22dd060ce 100644 --- a/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_service_execution.yml +++ b/rules-deprecated/windows/proc_creation_win_sysinternals_psexec_service_execution.yml @@ -3,14 +3,14 @@ id: fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba related: - id: 42c575ea-e41e-41f1-b248-8093c3e82a28 type: derived -status: experimental +status: deprecated description: Detects PsExec service execution via default service image name references: - https://www.jpcert.or.jp/english/pub/sr/ir_research.html - https://jpcertcc.github.io/ToolAnalysisResultSheet author: Thomas Patzke date: 2017/06/12 -modified: 2022/05/27 +modified: 2023/02/28 tags: - attack.execution - attack.t1569.002 diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc_start.yml b/rules-deprecated/windows/proc_creation_win_sysinternals_psexesvc_start.yml similarity index 91% rename from rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc_start.yml rename to rules-deprecated/windows/proc_creation_win_sysinternals_psexesvc_start.yml index 6f1548074..4b41216e9 100644 --- a/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc_start.yml +++ b/rules-deprecated/windows/proc_creation_win_sysinternals_psexesvc_start.yml 
@@ -1,10 +1,10 @@ title: PsExec Service Start id: 3ede524d-21cc-472d-a3ce-d21b568d8db7 -status: test +status: deprecated description: Detects a PsExec service start author: Florian Roth (Nextron Systems) date: 2018/03/13 -modified: 2021/11/27 +modified: 2023/02/28 tags: - attack.execution - attack.s0029 diff --git a/rules/windows/process_creation/proc_creation_win_whoami_as_system.yml b/rules-deprecated/windows/proc_creation_win_whoami_as_system.yml similarity index 97% rename from rules/windows/process_creation/proc_creation_win_whoami_as_system.yml rename to rules-deprecated/windows/proc_creation_win_whoami_as_system.yml index 03fff8773..fd59ab467 100644 --- a/rules/windows/process_creation/proc_creation_win_whoami_as_system.yml +++ b/rules-deprecated/windows/proc_creation_win_whoami_as_system.yml @@ -6,7 +6,7 @@ references: - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment author: Teymur Kheirkhabarov, Florian Roth date: 2019/10/23 -modified: 2022/05/13 +modified: 2023/02/28 tags: - attack.privilege_escalation - attack.discovery diff --git a/rules/macos/process_creation/proc_creation_macos_persistence_via_plistbuddy.yml b/rules/macos/process_creation/proc_creation_macos_persistence_via_plistbuddy.yml index f3e19288d..ed6a1f53d 100644 --- a/rules/macos/process_creation/proc_creation_macos_persistence_via_plistbuddy.yml +++ b/rules/macos/process_creation/proc_creation_macos_persistence_via_plistbuddy.yml @@ -9,7 +9,7 @@ author: Sohan G (D4rkCiph3r) date: 2023/02/18 tags: - attack.persistence - - attack.t1543.001 + - attack.t1543.001 - attack.t1543.004 logsource: category: process_creation diff --git a/rules/windows/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml b/rules/windows/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml index d3e5b4cc2..a4f0187ff 100644 --- a/rules/windows/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml 
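Review bot: The whoami_as_system rule is moved into rules-deprecated, but the only change shown for that file is the `modified` date; unlike the two PsExec rules renamed just above it, no `-status: ...`/`+status: deprecated` line appears anywhere in the diff for this file. Unless the status was already deprecated before the move (not visible here), the rule will sit in the deprecated tree while still advertising its previous status, which the sibling hunks avoid with `status: deprecated`. Consider adding that line (plus `modified: 2023/02/28` is already there) so tooling that filters on status treats the three renamed rules consistently.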
+++ b/rules/windows/file/file_event/file_event_win_office_onenote_susp_dropped_files.yml @@ -8,8 +8,10 @@ references: - https://twitter.com/MaD_c4t/status/1623414582382567424 - https://labs.withsecure.com/publications/detecting-onenote-abuse - https://www.trustedsec.com/blog/new-attacks-old-tricks-how-onenote-malware-is-evolving/ + - https://app.any.run/tasks/17f2d378-6d11-4d6f-8340-954b04f35e83/ author: Nasreddine Bencherchali (Nextron Systems) date: 2023/02/09 +modified: 2023/02/27 tags: - attack.defense_evasion logsource: @@ -21,22 +23,25 @@ detection: - '\onenote.exe' - '\onenotem.exe' - '\onenoteim.exe' - TargetFilename|contains|all: - - '\AppData\Local\Temp\OneNote\' - - '\Exported\' + TargetFilename|contains: '\AppData\Local\Temp\OneNote\' TargetFilename|endswith: # TODO: Add more suspicious extensions - '.bat' + - '.chm' - '.cmd' + - '.dll' - '.exe' - '.hta' - '.htm' - '.html' + - '.js' - '.lnk' - '.ps1' - '.vbe' - '.vbs' + - '.wsf' condition: selection falsepositives: - - Unknown + - False positives should be very low with the extensions list cited. Especially if you don't heavily utilize onenote. + - Occasional FP might occur if OneNote is used internally to share different embedded documents level: high diff --git a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml index 704c535d8..d6e1d57db 100644 --- a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml +++ b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml @@ -9,7 +9,7 @@ references: - https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md # XForceIR (SideLoadHunter Project), Chris Spehn (research WFH Dridex) author: Nasreddine Bencherchali (Nextron Systems) date: 2022/08/14 -modified: 2023/01/09 +modified: 2023/02/28 tags: - attack.defense_evasion - attack.persistence 
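Review bot: The `# TODO: Add more suspicious extensions` comment is kept verbatim above the extended list, so after this change it no longer tells a maintainer what is still considered missing; either drop it or name the gap. One gap visible from the list itself: `.vbe` sits next to `.vbs`, but the encoded JScript counterpart `.jse` is not listed next to the newly added `.js`. Separately, removing the `\Exported\` element from the `TargetFilename|contains|all` block widens the match to anything under `\AppData\Local\Temp\OneNote\`, so the new false-positives statement that noise "should be very low" is a prediction worth validating on real telemetry before keeping `level: high`.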
@@ -462,6 +462,9 @@ detection: ImageLoaded|endswith: '\ssshim.dll' filter_upgrade: Image|startswith: 'C:\$WINDOWS.~BT\' + filter_dell_wldp: + Image|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs' + Image|endswith: '\wldp.dll' condition: selection and not 1 of filter_* falsepositives: - Legitimate applications loading their own versions of the DLLs mentioned in this rule diff --git a/rules/windows/process_creation/proc_creation_win_curl_download.yml b/rules/windows/process_creation/proc_creation_win_curl_download.yml index 5a95de695..9626c9ada 100644 --- a/rules/windows/process_creation/proc_creation_win_curl_download.yml +++ b/rules/windows/process_creation/proc_creation_win_curl_download.yml @@ -34,4 +34,5 @@ fields: falsepositives: - Scripts created by developers and admins - Administrative activity + - The "\Git\usr\bin\sh.exe" process uses the "--output" flag to download specific file in the temp directory with the pattern "gfw-httpget-xxxxxxxx.txt " level: medium diff --git a/rules/windows/process_creation/proc_creation_win_curl_susp_download.yml b/rules/windows/process_creation/proc_creation_win_curl_susp_download.yml index 5767ef5a2..c00b62e6d 100644 --- a/rules/windows/process_creation/proc_creation_win_curl_susp_download.yml +++ b/rules/windows/process_creation/proc_creation_win_curl_susp_download.yml @@ -52,7 +52,7 @@ detection: - '.vbs' filter_git_windows: # Example FP - # CommandLine: "C:\Program Files\Git\mingw64\bin\curl.exe" --silent --show-error --output C:/Users/test/AppData/Local/Temp/gfw-httpget-jVOEoxbS.txt --write-out %{http_code} https://gitforwindows.org/latest-tag.txt + # CommandLine: "C:\Program Files\Git\mingw64\bin\curl.exe" --silent --show-error --output C:/Users/test/AppData/Local/Temp/gfw-httpget-jVOEoxbS.txt --write-out %{http_code} https://gitforwindows.org/latest-tag.txt ParentImage: 'C:\Program Files\Git\usr\bin\sh.exe' Image: 'C:\Program Files\Git\mingw64\bin\curl.exe' CommandLine|contains|all: 
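Review bot: The new `filter_dell_wldp` block keys the DLL name on `Image|endswith: '\wldp.dll'`, but `Image` is the loading process, and the surrounding selections (e.g. the `ImageLoaded|endswith: '\ssshim.dll'` context line) use `ImageLoaded` for the library; a process image never ends in `\wldp.dll`, so this filter can never match and the Dell SupportAssist false positive it is meant to suppress will keep firing. The line should read `ImageLoaded|endswith: '\wldp.dll'` with `Image|startswith` left as the process constraint. The enclosing detection block and its `selection` start well outside this hunk.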
diff --git a/rules/windows/process_creation/proc_creation_win_imaging_devices_unusual_parents.yml b/rules/windows/process_creation/proc_creation_win_imaging_devices_unusual_parents.yml index d99330805..7960da227 100644 --- a/rules/windows/process_creation/proc_creation_win_imaging_devices_unusual_parents.yml +++ b/rules/windows/process_creation/proc_creation_win_imaging_devices_unusual_parents.yml @@ -1,7 +1,7 @@ title: ImagingDevices Unusual Parent/Child Processes id: f11f2808-adb4-46c0-802a-8660db50fa99 status: experimental -description: Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) and Wabmig.exe (Microsoft Address Book Import Tool) processes as seen being used with bumblebee activity +description: Detects unusual parent or children of the ImagingDevices.exe (Windows Contacts) processes as seen being used with bumblebee activity references: - https://thedfirreport.com/2022/09/26/bumblebee-round-two/ author: Nasreddine Bencherchali (Nextron Systems) diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml b/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml index 2be0e4528..a550e4307 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_ie4uinit.yml @@ -26,5 +26,5 @@ detection: CurrentDirectory: null condition: lolbin and not 1 of filter_* falsepositives: - - Unknown + - ViberPC updater calls this binary with the following commandline "ie4uinit.exe -ClearIconCache" level: medium diff --git a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_cli.yml b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_cli.yml index 2e7acd41a..8f8f417d4 100644 --- a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_cli.yml +++ b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_cli.yml 
@@ -9,7 +9,7 @@ references: - https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/ - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN - https://twitter.com/jonasLyk/status/1555914501802921984 -author: frack113, Nasreddine Bencherchali +author: frack113, Nasreddine Bencherchali (Nextron Systems) date: 2022/08/05 modified: 2022/09/21 tags: diff --git a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml index 572d79db8..5ec83de3c 100644 --- a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml +++ b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml @@ -9,7 +9,7 @@ references: - https://www.acunetix.com/blog/articles/windows-short-8-3-filenames-web-security-problem/ - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN - https://twitter.com/jonasLyk/status/1555914501802921984 -author: frack113, Nasreddine Bencherchali +author: frack113, Nasreddine Bencherchali (Nextron Systems) date: 2022/08/06 modified: 2022/12/12 tags: diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_without_parameters.yml b/rules/windows/process_creation/proc_creation_win_rundll32_without_parameters.yml index 59fcaaf7d..26c703423 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_without_parameters.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_without_parameters.yml @@ -1,4 +1,4 @@ -title: Rundll32 Without Parameters +title: Rundll32 Execution Without Parameters id: 5bb68627-3198-40ca-b458-49f973db8752 status: test description: Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module 
@@ -6,7 +6,7 @@ references: - https://bczyz1.github.io/2021/01/30/psexec.html author: Bartlomiej Czyz, Relativity date: 2021/01/31 -modified: 2022/10/09 +modified: 2023/02/28 tags: - attack.lateral_movement - attack.t1021.002 @@ -18,7 +18,9 @@ logsource: product: windows detection: selection: - CommandLine: 'rundll32.exe' + CommandLine: + - 'rundll32.exe' + - 'rundll32' condition: selection fields: - ComputerName diff --git a/rules/windows/process_creation/proc_creation_win_sc_query.yml b/rules/windows/process_creation/proc_creation_win_sc_query.yml index f811d5913..8e2dc80fd 100644 --- a/rules/windows/process_creation/proc_creation_win_sc_query.yml +++ b/rules/windows/process_creation/proc_creation_win_sc_query.yml @@ -22,4 +22,5 @@ detection: condition: all of selection_* falsepositives: - Legitimate query of a service by an administrator to get more information such as the state or PID + - Keybase process "kbfsdokan.exe" query the dokan1 service with the following commandline "sc query dokan1" level: low diff --git a/rules/windows/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml b/rules/windows/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml new file mode 100644 index 000000000..a8c6c4fdc --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_sc_sdset_allow_service_changes.yml 
@@ -0,0 +1,38 @@ +title: Allow Service Access Using Security Descriptor Tampering Via Sc.EXE +id: 6c8fbee5-dee8-49bc-851d-c3142d02aa47 +related: + - id: a537cfc3-4297-4789-92b5-345bfd845ad0 # Generic SD tampering + type: similar +status: test +description: Detects suspicious DACL modifications to allow access to a service from suspicious trustee. This can be used to override access restrictions set by previous ACLs +references: + - https://twitter.com/0gtweet/status/1628720819537936386?s=12&t=ryKBN2ElFC1KoYmYy4xj-w + - https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/ + - https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/02/28 +tags: + - attack.persistence + - attack.t1543.003 +logsource: + category: process_creation + product: windows +detection: + selection_sc: + - Image|endswith: '\sc.exe' + - OriginalFileName: 'sc.exe' + selection_sdset: + CommandLine|contains|all: + - 'sdset' + - 'A;' # Allow Access + selection_trustee: + CommandLine|contains: + - ';IU' # Interactively logged-on user + - ';SU' # Service logon user + - ';BA' # Built-in administrators + - ';SY' # Local system + - ';WD' # Everyone + condition: all of selection_* +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml b/rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml new file mode 100644 index 000000000..d1aa89102 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_sc_sdset_deny_service_access.yml 
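Review bot: The trustee list (`;IU`, `;SU`, `;BA`, `;SY`, `;WD`) combined with `'A;'` is effectively the default service DACL, so any well-formed `sc sdset` string that grants the usual allow ACEs to SYSTEM, Administrators or logged-on users satisfies `all of selection_*` and fires at `level: high` with `falsepositives: Unknown`. That makes this rule a near duplicate of the generic `sdset` rule introduced later in this commit (a537cfc3-4297-4789-92b5-345bfd845ad0, level medium) rather than the "suspicious trustee" case the description promises. Either key the allow ACE on unusual granted rights, in the spirit of the `DCLCWPDTSD` pattern the hide-services rule uses, or document in `falsepositives` that routine service hardening scripts will trip it and lower the level accordingly.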
@@ -0,0 +1,41 @@ +title: Deny Service Access Using Security Descriptor Tampering Via Sc.EXE +id: 99cf1e02-00fb-4c0d-8375-563f978dfd37 +related: + - id: a537cfc3-4297-4789-92b5-345bfd845ad0 # Generic SD tampering + type: similar + - id: a537cfc3-4297-4789-92b5-345bfd845ad0 # Specific Technique + type: similar +status: test +description: Detects suspicious DACL modifications to deny access to a service that affects critical trustee. This can be used to hide services or make them unstopable. +references: + - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/ + - https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/ + - https://learn.microsoft.com/en-us/windows/win32/secauthz/sid-strings +author: Jonhnathan Ribeiro, oscd.community +date: 2020/10/16 +modified: 2023/02/28 +tags: + - attack.persistence + - attack.t1543.003 +logsource: + category: process_creation + product: windows +detection: + selection_sc: + - Image|endswith: '\sc.exe' + - OriginalFileName: 'sc.exe' + selection_sdset: + CommandLine|contains|all: + - 'sdset' + - 'D;' # Deny Access + selection_trustee: + CommandLine|contains: + - ';IU' # Interactively logged-on user + - ';SU' # Service logon user + - ';BA' # Built-in administrators + - ';SY' # Local system + - ';WD' # Everyone + condition: all of selection_* +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/proc_creation_win_sc_sdset_hide_sevices.yml b/rules/windows/process_creation/proc_creation_win_sc_sdset_hide_sevices.yml new file mode 100644 index 000000000..e081772fd --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_sc_sdset_hide_sevices.yml 
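Review bot: The `related` list names a537cfc3-4297-4789-92b5-345bfd845ad0 twice, once as "Generic SD tampering" and once as "Specific Technique", so the second entry does not point at the hide-services rule it is evidently meant for. The cause is visible in the next two hunks: the new proc_creation_win_sc_sdset_hide_sevices.yml declares `id: a537cfc3-4297-4789-92b5-345bfd845ad0`, the same id that proc_creation_win_sc_sdset_modification.yml keeps, and each of those files also lists a537cfc3 as a related entry, i.e. itself. Sigma rule ids must be unique, so the hide-services rule needs its own UUID (`id: <NEW-UUID-PLACEHOLDER>`), and the "Specific Technique" entries here and in the modification rule should then reference that new id while "Generic SD tampering" keeps a537cfc3.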
@@ -0,0 +1,43 @@ +title: Service DACL Abuse To Hide Services Via Sc.EXE +id: a537cfc3-4297-4789-92b5-345bfd845ad0 +related: + - id: 99cf1e02-00fb-4c0d-8375-563f978dfd37 # Deny Service Access + type: similar + - id: a537cfc3-4297-4789-92b5-345bfd845ad0 # Generic SD tampering + type: similar +status: experimental +description: Detects usage of the "sc.exe" utility adding a new service with special permission seen used by threat actors which makes the service hidden and unremovable. +references: + - https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html + - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/ + - https://twitter.com/Alh4zr3d/status/1580925761996828672 + - https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/ +author: Andreas Hunkeler (@Karneades) +date: 2021/12/20 +modified: 2022/08/08 +tags: + - attack.persistence + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1574.011 +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Image|endswith: '\sc.exe' + - OriginalFileName: 'sc.exe' + selection_cli: + CommandLine|contains|all: + - 'sdset' + # Summary of permissions + # DC: Delete All Child Objects + # LC: List Contents + # WP: Write All Properties + # DT: Delete Subtree + # SD: Delete + - 'DCLCWPDTSD' + condition: all of selection_* +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/proc_creation_win_sc_hide_sevices.yml b/rules/windows/process_creation/proc_creation_win_sc_sdset_modification.yml similarity index 56% rename from rules/windows/process_creation/proc_creation_win_sc_hide_sevices.yml rename to rules/windows/process_creation/proc_creation_win_sc_sdset_modification.yml index 1093c7490..65e7d5932 100644 --- a/rules/windows/process_creation/proc_creation_win_sc_hide_sevices.yml 
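Review bot: The previous hide-services rule carried `falsepositives: - Rare intended use of hidden services` (see the removed line in the renamed proc_creation_win_sc_hide_sevices.yml hunk below), and that text applied to exactly this `DCLCWPDTSD` pattern, yet the new file resets it to `Unknown`; carrying the original line over would preserve tuning context that operators rely on. The new file name also perpetuates the `sevices` misspelling from the file being renamed away, which is the natural moment to fix it to `proc_creation_win_sc_sdset_hide_services.yml`.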
+++ b/rules/windows/process_creation/proc_creation_win_sc_sdset_modification.yml @@ -1,14 +1,20 @@ -title: Abuse of Service Permissions to Hide Services in Tools +title: Service Security Descriptor Tampering Via Sc.EXE id: a537cfc3-4297-4789-92b5-345bfd845ad0 +related: + - id: 99cf1e02-00fb-4c0d-8375-563f978dfd37 # Deny Service Access + type: similar + - id: a537cfc3-4297-4789-92b5-345bfd845ad0 # Specific Technique + type: similar status: experimental description: Detection of sc.exe utility adding a new service with special permission which hides that service. references: - https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/ - https://twitter.com/Alh4zr3d/status/1580925761996828672 -author: Andreas Hunkeler (@Karneades) -date: 2021/12/20 -modified: 2022/08/08 + - https://twitter.com/0gtweet/status/1628720819537936386?s=12&t=ryKBN2ElFC1KoYmYy4xj-w + - https://itconnect.uw.edu/tools-services-support/it-systems-infrastructure/msinf/other-help/understanding-sddl-syntax/ +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/02/28 tags: - attack.persistence - attack.defense_evasion @@ -22,10 +28,8 @@ detection: - Image|endswith: '\sc.exe' - OriginalFileName: 'sc.exe' selection_cli: - CommandLine|contains|all: - - 'sdset' - - 'DCLCWPDTSD' + CommandLine|contains: 'sdset' condition: all of selection_* falsepositives: - - Rare intended use of hidden services -level: high + - Unknown +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_sc_service_dacl_modification.yml b/rules/windows/process_creation/proc_creation_win_sc_service_dacl_modification.yml deleted file mode 100644 index d71fb51b4..000000000 --- a/rules/windows/process_creation/proc_creation_win_sc_service_dacl_modification.yml +++ /dev/null 
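Review bot: The detection is generalised to `CommandLine|contains: 'sdset'`, but the `description` line is left as "Detection of sc.exe utility adding a new service with special permission which hides that service", which now describes the narrower hide-services rule rather than this one; something like `description: Detects usage of the "sc.exe" utility to modify the security descriptor of a service via the "sdset" command` would match the new title and `level: medium`. The `related` entry `- id: a537cfc3-4297-4789-92b5-345bfd845ad0 # Specific Technique` is this rule's own `id`, so it is a self-reference and should point at the hide-services rule once that file receives a distinct id.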
@@ -1,34 +0,0 @@ -title: Suspicious Service DACL Modification -id: 99cf1e02-00fb-4c0d-8375-563f978dfd37 -status: test -description: Detects suspicious DACL modifications that can be used to hide services or make them unstopable -references: - - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/ - - https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings -author: Jonhnathan Ribeiro, oscd.community -date: 2020/10/16 -modified: 2022/10/18 -tags: - - attack.persistence - - attack.t1543.003 -logsource: - category: process_creation - product: windows -detection: - selection_sc: - - Image|endswith: '\sc.exe' - - OriginalFileName: 'sc.exe' - selection_sdset: - CommandLine|contains|all: - - 'sdset' - - 'D;;' - CommandLine|contains: - - ';;;IU' - - ';;;SU' - - ';;;BA' - - ';;;SY' - - ';;;WD' - condition: all of selection_* -falsepositives: - - Unknown -level: high diff --git a/rules/windows/process_creation/proc_creation_win_susp_command_flag_pattern.yml b/rules/windows/process_creation/proc_creation_win_susp_command_flag_pattern.yml index 7520c28b6..5fb260fb5 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_command_flag_pattern.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_command_flag_pattern.yml @@ -6,6 +6,8 @@ references: - https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html author: Florian Roth (Nextron Systems) date: 2022/11/11 +tags: + - attack.privilege_escalation logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/proc_creation_win_susp_commandline_chars.yml b/rules/windows/process_creation/proc_creation_win_susp_commandline_chars.yml index 0c4de8255..8250b5553 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_commandline_chars.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_commandline_chars.yml 
@@ -6,6 +6,8 @@ references: - https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation author: Florian Roth (Nextron Systems) date: 2022/04/27 +tags: + - attack.defense_evasion logsource: product: windows category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_susp_double_ext_parent.yml b/rules/windows/process_creation/proc_creation_win_susp_double_ext_parent.yml deleted file mode 100644 index 7207edb06..000000000 --- a/rules/windows/process_creation/proc_creation_win_susp_double_ext_parent.yml +++ /dev/null @@ -1,35 +0,0 @@ -title: Suspicious Double File Extension in ParentCommandLine -id: 5e6a80c8-2d45-4633-9ef4-fa2671a39c5c -related: - - id: 1cdd9a09-06c9-4769-99ff-626e2b3991b8 - type: derived -status: experimental -description: Detect execution of suspicious double extension files in ParentCommandLine -references: - - https://www.virustotal.com/gui/file/7872d8845a332dce517adae9c3389fde5313ff2fed38c2577f3b498da786db68/behavior - - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa -author: frack113 -date: 2023/01/06 -modified: 2023/02/05 -tags: - - attack.defense_evasion - - attack.t1036.007 -logsource: - category: process_creation - product: windows -detection: - selection: - ParentCommandLine|contains: - - '.doc.lnk' - - '.docx.lnk' - - '.xls.lnk' - - '.xlsx.lnk' - - '.ppt.lnk' - - '.pptx.lnk' - - '.rtf.lnk' - - '.pdf.lnk' - - '.txt.lnk' - condition: selection -falsepositives: - - Unknown -level: high diff --git a/rules/windows/process_creation/proc_creation_win_susp_double_extension.yml b/rules/windows/process_creation/proc_creation_win_susp_double_extension.yml index a6f9a96ae..19ba6900c 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_double_extension.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_double_extension.yml 
@@ -1,13 +1,15 @@ -title: Suspicious Double Extension +title: Suspicious Double Extension File Execution id: 1cdd9a09-06c9-4769-99ff-626e2b3991b8 +related: + - id: 5e6a80c8-2d45-4633-9ef4-fa2671a39c5c # ParentImage/ParentCommandLine status: stable description: Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spear phishing campaigns references: - https://blu3-team.blogspot.com/2019/06/misleading-extensions-xlsexe-docexe.html - https://twitter.com/blackorbird/status/1140519090961825792 -author: Florian Roth (Nextron Systems), @blu3_team (idea) +author: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems) date: 2019/06/26 -modified: 2021/11/27 +modified: 2023/02/28 tags: - attack.initial_access - attack.t1566.001 @@ -28,6 +30,36 @@ detection: - '.txt.exe' - ' .exe' - '______.exe' + - '.doc.js' + - '.docx.js' + - '.xls.js' + - '.xlsx.js' + - '.ppt.js' + - '.pptx.js' + - '.rtf.js' + - '.pdf.js' + - '.txt.js' + CommandLine|endswith: + - '.doc.exe' + - '.docx.exe' + - '.xls.exe' + - '.xlsx.exe' + - '.ppt.exe' + - '.pptx.exe' + - '.rtf.exe' + - '.pdf.exe' + - '.txt.exe' + - ' .exe' + - '______.exe' + - '.doc.js' + - '.docx.js' + - '.xls.js' + - '.xlsx.js' + - '.ppt.js' + - '.pptx.js' + - '.rtf.js' + - '.pdf.js' + - '.txt.js' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_susp_double_extension_parent.yml b/rules/windows/process_creation/proc_creation_win_susp_double_extension_parent.yml new file mode 100644 index 000000000..bdf7ed004 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_susp_double_extension_parent.yml 
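Review bot: In the second hunk `CommandLine|endswith:` is added as a sibling key, without a list dash, inside the same `selection` map whose preceding list belongs to a field key that starts above the hunk (presumably `Image|endswith`); a Sigma selection map ANDs its keys, so the rule would now require both the image path and the command line to end with a double extension, and a `.doc.js` launched via a script host (Image is the host, not the script) would no longer match. The sibling parent rule added in this commit uses the OR form, `- ParentImage|contains:` / `- ParentCommandLine|contains:`; the same shape here, `- Image|endswith:` and `- CommandLine|endswith:`, restores the intended either/or (if the existing key already is a list item, the dash-less new key is instead a YAML structure error). Separately, the `.js` values appended under the image list cannot match a process image path and only make sense in the command-line list. The first hunk's new `related` entry `- id: 5e6a80c8-2d45-4633-9ef4-fa2671a39c5c # ParentImage/ParentCommandLine` lacks the `type:` field every other related entry in this commit carries.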
@@ -0,0 +1,63 @@ +title: Suspicious Parent Double Extension File Execution +id: 5e6a80c8-2d45-4633-9ef4-fa2671a39c5c +related: + - id: 1cdd9a09-06c9-4769-99ff-626e2b3991b8 # Image/CommandLine + type: derived +status: experimental +description: Detect execution of suspicious double extension files in ParentCommandLine +references: + - https://www.virustotal.com/gui/file/7872d8845a332dce517adae9c3389fde5313ff2fed38c2577f3b498da786db68/behavior + - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa +author: frack113, Nasreddine Bencherchali (Nextron Systems) +date: 2023/01/06 +modified: 2023/02/28 +tags: + - attack.defense_evasion + - attack.t1036.007 +logsource: + category: process_creation + product: windows +detection: + selection: + - ParentImage|contains: + - '.doc.lnk' + - '.docx.lnk' + - '.xls.lnk' + - '.xlsx.lnk' + - '.ppt.lnk' + - '.pptx.lnk' + - '.rtf.lnk' + - '.pdf.lnk' + - '.txt.lnk' + - '.doc.js' + - '.docx.js' + - '.xls.js' + - '.xlsx.js' + - '.ppt.js' + - '.pptx.js' + - '.rtf.js' + - '.pdf.js' + - '.txt.js' + - ParentCommandLine|contains: + - '.doc.lnk' + - '.docx.lnk' + - '.xls.lnk' + - '.xlsx.lnk' + - '.ppt.lnk' + - '.pptx.lnk' + - '.rtf.lnk' + - '.pdf.lnk' + - '.txt.lnk' + - '.doc.js' + - '.docx.js' + - '.xls.js' + - '.xlsx.js' + - '.ppt.js' + - '.pptx.js' + - '.rtf.js' + - '.pdf.js' + - '.txt.js' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml b/rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml index e4b41831f..e0579d345 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_download_office_domain.yml 
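Review bot: The `ParentImage|contains` alternative can essentially never match: a parent process image is the executable that launched the child (explorer.exe, wscript.exe, etc.), so a path containing `.doc.lnk` or `.pdf.js` would require the host binary itself to live under such a name, and all real detections will come from the `ParentCommandLine|contains` branch. Either drop the `ParentImage` list or add a short comment explaining why it is kept, so a reader does not assume it widens coverage; as written it doubles the maintenance surface of an 18-item list for no gain.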
@@ -5,7 +5,7 @@ description: Detects suspicious ways to download files from Microsoft domains th references: - https://twitter.com/an0n_r0/status/1474698356635193346?s=12 - https://twitter.com/mrd0x/status/1475085452784844803?s=12 -author: Florian Roth (Nextron Systems), Nasreddine Bencherchali +author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) date: 2021/12/27 modified: 2022/08/02 logsource: diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_procdump.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_procdump.yml index 0e5b2d472..b62bd7e12 100644 --- a/rules/windows/process_creation/proc_creation_win_sysinternals_procdump.yml +++ b/rules/windows/process_creation/proc_creation_win_sysinternals_procdump.yml @@ -1,12 +1,12 @@ -title: Procdump Usage +title: Procdump Execution id: 2e65275c-8288-4ab4-aeb7-6274f58b6b20 status: experimental description: Detects usage of the SysInternals Procdump utility references: - - Internal Research + - https://learn.microsoft.com/en-us/sysinternals/downloads/procdump author: Florian Roth (Nextron Systems) date: 2021/08/16 -modified: 2022/08/11 +modified: 2023/02/28 tags: - attack.defense_evasion - attack.t1036 diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_procdump_evasion.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_procdump_evasion.yml index acab7f0ee..aa4f6f738 100644 --- a/rules/windows/process_creation/proc_creation_win_sysinternals_procdump_evasion.yml +++ b/rules/windows/process_creation/proc_creation_win_sysinternals_procdump_evasion.yml @@ -1,4 +1,4 @@ -title: Procdump Evasion +title: Potential Procdump Evasion id: 79b06761-465f-4f88-9ef2-150e24d3d737 status: test description: Detects uses of the SysInternals Procdump utility in which procdump or its output get renamed or a dump file is moved ot copied to a different name 
@@ -6,6 +6,7 @@ references: - https://twitter.com/mrd0x/status/1480785527901204481 author: Florian Roth (Nextron Systems) date: 2022/01/11 +modified: 2023/02/28 tags: - attack.defense_evasion - attack.t1036 diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_procdump_lsass.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_procdump_lsass.yml index f2fcac60c..01560bcc3 100644 --- a/rules/windows/process_creation/proc_creation_win_sysinternals_procdump_lsass.yml +++ b/rules/windows/process_creation/proc_creation_win_sysinternals_procdump_lsass.yml @@ -1,9 +1,9 @@ -title: Suspicious Use of Procdump on LSASS +title: Potential LSASS Process Dump Via Procdump id: 5afee48e-67dd-4e03-a783-f74259dcf998 status: stable description: Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable. references: - - Internal Research + - https://learn.microsoft.com/en-us/sysinternals/downloads/procdump author: Florian Roth (Nextron Systems) date: 2018/10/30 modified: 2022/08/12 @@ -17,11 +17,11 @@ logsource: category: process_creation product: windows detection: - selection1: + selection_flags: CommandLine|contains: - ' -ma ' - ' /ma ' - selection2: + selection_process: CommandLine|contains: ' ls' # Short for lsass condition: all of selection* falsepositives: diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_eula.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_execution.yml similarity index 75% rename from rules/windows/process_creation/proc_creation_win_sysinternals_psexec_eula.yml rename to rules/windows/process_creation/proc_creation_win_sysinternals_psexec_execution.yml index 97d674639..a7c0c80ba 100644 --- a/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_eula.yml 
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_execution.yml @@ -1,4 +1,4 @@ -title: Psexec Accepteula Condition +title: Psexec Execution id: 730fc21b-eaff-474b-ad23-90fd265d4988 status: test description: Detects user accept agreement execution in psexec commandline @@ -6,7 +6,7 @@ references: - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html author: omkar72 date: 2020/10/30 -modified: 2022/06/23 +modified: 2023/02/28 tags: - attack.execution - attack.t1569 @@ -16,12 +16,9 @@ logsource: product: windows detection: selection: - Image|endswith: '\psexec.exe' - CommandLine|contains: 'accepteula' + - Image|endswith: '\psexec.exe' + - OriginalFileName: 'psexec.c' condition: selection -fields: - - Image - - CommandLine falsepositives: - Administrative scripts. level: medium diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml index 32c740b70..313335c13 100644 --- a/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml +++ b/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml @@ -1,10 +1,10 @@ title: PsExec/PAExec Escalation to LOCAL SYSTEM id: 8834e2f7-6b4b-4f09-8906-d2276470ee23 related: - - id: 207b0396-3689-42d9-8399-4222658efc99 + - id: 207b0396-3689-42d9-8399-4222658efc99 # Generic rule based on similar cli flags type: similar status: experimental -description: Detects suspicious flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights +description: Detects suspicious commandline flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights references: - https://docs.microsoft.com/en-us/sysinternals/downloads/psexec - https://www.poweradmin.com/paexec/ 
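Review bot: The `accepteula` term is removed from the selection and the rule is retitled "Psexec Execution", but `description: Detects user accept agreement execution in psexec commandline` is left unchanged, so the description now claims a condition the detection no longer checks; `description: Detects execution of the Sysinternals PsExec utility via its image name or original file name` would reflect the new selection. The new `OriginalFileName: 'psexec.c'` / `Image|endswith` pair is an OR list, which is correct for catching renamed binaries, so the `falsepositives: Administrative scripts.` entry becomes the main caveat and may deserve a sentence that any legitimate PsExec use now fires at `level: medium`.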
@@ -62,9 +62,6 @@ detection:
- 'psexec'
- 'paexec'
- 'accepteula'
- - 'cmd /c '
- - 'cmd /k '
- - 'cmd /r '
condition: all of selection_*
falsepositives:
- Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare)
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_remote_execution.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_remote_execution.yml
new file mode 100644
index 000000000..7b67c416c
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_remote_execution.yml
@@ -0,0 +1,28 @@
+title: Potential PsExec Remote Execution
+id: ea011323-7045-460b-b2d7-0f7442ea6b38
+status: experimental
+description: Detects potential psexec command that initiate execution on a remote systems via common commandline flags used by the utility
+references:
+ - https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
+ - https://www.poweradmin.com/paexec/
+ - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
+author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+date: 2023/02/28
+tags:
+ - attack.resource_development
+ - attack.t1587.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ # Accepting EULA in commandline - often used in automated attacks
+ CommandLine|contains|all:
+ - 'accepteula'
+ - ' -u '
+ - ' -p '
+ - ' \\\\'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc.yml
index 3ca4a1414..ffd5a28ad 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc.yml
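Review bot: The tags `attack.resource_development` / `attack.t1587.001` do not describe a rule that fires on PsExec launching a command on a remote host; the sibling PsExec rule in this commit is tagged `attack.execution` / `attack.t1569`, and PsExec-style remote service execution is normally mapped to T1569.002 with lateral movement over admin shares (T1021.002), so the tags should be aligned, e.g. `- attack.execution`, `- attack.t1569.002`, `- attack.lateral_movement`, `- attack.t1021.002`. Requiring all of `accepteula`, ` -u `, ` -p ` and the UNC prefix also means a PsExec run under the current token (no `-u`/`-p`), which is how an operator with an already-compromised session or a pass-the-hash shell typically uses it, is missed; either relax the credential flags or state in the description that only explicit-credential invocations are covered. `falsepositives: Unknown` at `level: high` is optimistic for a pattern that matches scripted administrative deployments using PsExec with stored credentials.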
@@ -2,14 +2,15 @@ title: PsExec Service Execution
id: fdfcbd78-48f1-4a4b-90ac-d82241e368c5
related:
- id: fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba
- type: similar
+ type: obsoletes
status: experimental
description: Detects launch of the PSEXESVC service, which means that this system was the target of a psexec remote execution
references:
- https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
- https://www.youtube.com/watch?v=ro2QuZTIMBM
-author: Romaissa Adjailia, FLorian Roth
-date: 2022/07/21
+author: Thomas Patzke, Romaissa Adjailia, Florian Roth (Nextron Systems)
+date: 2017/06/12
+modified: 2023/02/28
tags:
- attack.execution
logsource:
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc_as_system.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc_as_system.yml
index 4421be335..e347347ba 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc_as_system.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_psexesvc_as_system.yml
@@ -1,4 +1,4 @@
-title: PsExec Service Execution as LOCAL SYSTEM
+title: PsExec Service Child Process Execution as LOCAL SYSTEM
id: 7c0dcd3d-acf8-4f71-9570-f448b0034f94
related:
- id: fa91cc36-24c9-41ce-b3c8-3bbc3f2f67ba
@@ -22,5 +22,5 @@ detection:
- 'AUTORI'
condition: selection
falsepositives:
- - Legitimate administrative tasks
+ - Users that debug Microsoft Intune issues using the commands mentioned in the official documentation; see https://learn.microsoft.com/en-us/mem/intune/apps/intune-management-extension
level: high
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_sdelete.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_sdelete.yml
index eaa903756..ee21021cc 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_sdelete.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_sdelete.yml
@@ -1,4 +1,4 @@
-title: Sysinternals SDelete Delete File
+title: Potential File Overwrite Via Sysinternals SDelete
id: a4824fca-976f-4964-b334-0621379e84c4
status: experimental
description: Detects the use of SDelete to erase a file not the free space
@@ -6,7 +6,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md
author: frack113
date: 2021/06/03
-modified: 2022/09/06
+modified: 2023/02/28
tags:
- attack.impact
- attack.t1485
@@ -29,5 +29,5 @@ fields:
- CommandLine
- ParentCommandLine
falsepositives:
- - System administrator usage
+ - Unknown
level: high
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags_.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags_.yml
index d57bd14aa..01ab059cb 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags_.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags_.yml
@@ -1,10 +1,10 @@
title: Potential Pirvilege Escalation To LOCAL SYSTEM
id: 207b0396-3689-42d9-8399-4222658efc99
related:
- - id: 8834e2f7-6b4b-4f09-8906-d2276470ee23
+ - id: 8834e2f7-6b4b-4f09-8906-d2276470ee23 # PsExec specific rule
type: similar
status: experimental
-description: Detects unknown programs using suspicious flags usually used by tools such as PsExec and PAExec to open shell program with SYSTEM Privileges
+description: Detects unknown program using commandline flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM Privileges
references:
- https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
- https://www.poweradmin.com/paexec/
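Review bot: The title on the new side of the flags rule still reads `Potential Pirvilege Escalation To LOCAL SYSTEM`; since this hunk already rewrites the rule's header, the typo should go with it: `title: Potential Privilege Escalation To LOCAL SYSTEM`. The new description also loses the plural and reads awkwardly — `description: Detects unknown programs using command line flags usually used by tools such as PsExec and PAExec to start programs with SYSTEM privileges` is cleaner. In the SDelete hunk above, replacing the documented `System administrator usage` false positive with `Unknown` at `level: high` drops real tuning guidance; keeping the admin case (file wiping by SDelete is a documented administrative use) is more honest than claiming none are known.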
@@ -58,17 +58,12 @@ detection:
- ' /i /s powershell'
- ' -i /s powershell'
- ' /i -s powershell'
- selection_flags_2:
- # Accepting EULA in commandline - often used in automated attacks
- CommandLine|contains|all:
- - 'accepteula'
- - ' -u '
- - ' -p '
- - ' \\'
filter:
+ # This filter exclude strings covered by 8834e2f7-6b4b-4f09-8906-d2276470ee23
CommandLine|contains:
- 'paexec'
- 'PsExec'
+ - 'accepteula'
condition: 1 of selection_flags_* and not filter
falsepositives:
- Weird admins that rename their tools
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternal_suite_tools_masquerading.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_tools_masquerading.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_sysinternal_suite_tools_masquerading.yml
rename to rules/windows/process_creation/proc_creation_win_sysinternals_tools_masquerading.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_whoami.yml b/rules/windows/process_creation/proc_creation_win_whoami_execution.yml
similarity index 85%
rename from rules/windows/process_creation/proc_creation_win_susp_whoami.yml
rename to rules/windows/process_creation/proc_creation_win_whoami_execution.yml
index 309df4429..597bd2613 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_whoami.yml
+++ b/rules/windows/process_creation/proc_creation_win_whoami_execution.yml
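Review bot: Adding `'accepteula'` to `filter` means a renamed PsExec/PAExec launched with `-accepteula -i -s cmd` is now suppressed by this rule and is only covered as long as rule 8834e2f7 keeps `accepteula` in its command-line selection (it does in this commit), so the new comment should state that dependency and fix its grammar: `# Excludes strings already matched by 8834e2f7-6b4b-4f09-8906-d2276470ee23 (PsExec/PAExec rule); if that rule drops 'accepteula', re-add the term here`. The removed `selection_flags_2` has been moved into the new rule ea011323-7045-460b-b2d7-0f7442ea6b38 with a stricter UNC pattern; a `related:` entry of `type: similar` pointing at it would keep that history visible. The selection whose last three entries open this hunk starts above it, so the `1 of selection_flags_*` condition still has at least one member, but that cannot be verified from the hunk alone.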
@@ -1,13 +1,13 @@
-title: Whoami Execution
+title: Whoami.EXE Execution
id: e28a5a99-da44-436d-b7a0-2afc20a5f413
status: test
-description: Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation but rarely used by administrators
+description: Detects the execution of whoami, which is often used by attackers after exploitation / privilege escalation
references:
- https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/
- https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/
author: Florian Roth (Nextron Systems)
date: 2018/08/13
-modified: 2022/05/13
+modified: 2023/02/28
tags:
- attack.discovery
- attack.t1033
diff --git a/rules/windows/process_creation/proc_creation_win_whoami_as_priv_user.yml b/rules/windows/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml
similarity index 53%
rename from rules/windows/process_creation/proc_creation_win_whoami_as_priv_user.yml
rename to rules/windows/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml
index 75ece93e3..e9b9b86d5 100644
--- a/rules/windows/process_creation/proc_creation_win_whoami_as_priv_user.yml
+++ b/rules/windows/process_creation/proc_creation_win_whoami_execution_from_high_priv_process.yml
@@ -1,13 +1,16 @@
-title: Run Whoami as Privileged User
+title: Suspicious Whoami.EXE Execution From Privileged Process
id: 79ce34ca-af29-4d0e-b832-fc1b377020db
+related:
+ - id: 80167ada-7a12-41ed-b8e9-aa47195c66a1
+ type: obsoletes
status: experimental
-description: Detects a whoami.exe executed by privileged accounts that are often misused by threat actors
+description: Detects the execution of "whoami.exe" by privileged accounts that are often misused by threat actors
references:
- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
- https://nsudo.m2team.org/en-us/
-author: Florian Roth (Nextron Systems)
+author: Florian Roth (Nextron Systems), Teymur Kheirkhabarov
date: 2022/01/28
-modified: 2022/05/13
+modified: 2023/02/28
tags:
- attack.privilege_escalation
- attack.discovery
@@ -16,12 +19,15 @@ logsource:
category: process_creation
product: windows
detection:
- selection_user:
- User|contains: 'TrustedInstaller'
selection_img:
- OriginalFileName: 'whoami.exe'
- Image|endswith: '\whoami.exe'
- condition: all of selection*
+ selection_user:
+ User|contains:
+ - 'AUTHORI'
+ - 'AUTORI'
+ - 'TrustedInstaller'
+ condition: all of selection_*
falsepositives:
- Unknown
level: high
diff --git a/rules/windows/process_creation/proc_creation_win_whoami_groups_discovery.yml b/rules/windows/process_creation/proc_creation_win_whoami_groups_discovery.yml
new file mode 100644
index 000000000..91967e213
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_whoami_groups_discovery.yml
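Review bot: `User|contains: 'AUTHORI'` matches every `NT AUTHORITY\...` principal, so besides SYSTEM it also fires for LOCAL SERVICE and NETWORK SERVICE, which are not the high-privilege accounts the new title and description promise; if that is intended the description should say so, otherwise values such as `'AUTHORITY\SYSTEM'` would cut noise at `level: high`. The list also deserves a one-line comment, e.g. `# 'AUTORI' presumably covers localized spellings of NT AUTHORITY - confirm against the environment's user strings`. The same two substrings appear in the PsExec service child-process rule touched earlier in this commit, so whichever form is chosen should be applied to both for consistency.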
@@ -0,0 +1,26 @@
+title: Group Membership Reconnaissance Via Whoami.EXE
+id: 97a80ec7-0e2f-4d05-9ef4-65760e634f6b
+status: experimental
+description: Detects a whoami.exe executed with the /group command line flag instructing the tool to show group membership for current user, type of account, security identifiers (SID) and attributes.
+references:
+ - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/whoami
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/02/28
+tags:
+ - attack.discovery
+ - attack.t1033
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - Image|endswith: '\whoami.exe'
+ - OriginalFileName: 'whoami.exe'
+ selection_cli:
+ CommandLine|contains:
+ - ' /groups'
+ - ' -groups'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_susp_whoami_anomaly.yml b/rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml
similarity index 65%
rename from rules/windows/process_creation/proc_creation_win_susp_whoami_anomaly.yml
rename to rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml
index 413acb898..72380a587 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_whoami_anomaly.yml
+++ b/rules/windows/process_creation/proc_creation_win_whoami_parent_anomaly.yml
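Review bot: The new rule reuses `id: 97a80ec7-0e2f-4d05-9ef4-65760e634f6b`, which is the id of the existing `/priv` whoami rule modified later in this commit; Sigma rule ids must be unique, and the duplicate will make the two rules collide in any id-keyed pipeline or rule collection. Generate a fresh UUID for this file, and link the pair with `related:` / `- id: 97a80ec7-0e2f-4d05-9ef4-65760e634f6b` / `type: similar` if the relationship is wanted. The description says `/group` while the selection matches ` /groups` / ` -groups`; spell the flag `/groups` in the description so it matches what the rule actually looks for.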
@@ -1,14 +1,14 @@
-title: Whoami Execution Anomaly
+title: Whoami.EXE Execution Anomaly
id: 8de1cbe8-d6f5-496d-8237-5f44a721c7a0
status: experimental
-description: Detects the execution of whoami with suspicious parents or parameters
+description: Detects the execution of whoami with suspicious parents
references:
- https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/
- https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/
- https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s
author: Florian Roth (Nextron Systems)
date: 2021/08/12
-modified: 2022/10/04
+modified: 2023/02/28
tags:
- attack.discovery
- attack.t1033
@@ -20,27 +20,20 @@ detection:
selection:
- Image|endswith: '\whoami.exe'
- OriginalFileName: 'whoami.exe'
- filter1:
+ filter_generic:
+ # This list can be any legitimate shell or application that you expect whoami to run from
ParentImage|endswith:
- '\cmd.exe'
- '\powershell.exe'
- '\pwsh.exe'
- '\powershell_ise.exe'
- filter2:
- ParentImage:
- - 'C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe'
- - ''
- filter3:
+ filter_ms_monitoring_agent:
+ ParentImage: 'C:\Program Files\Microsoft Monitoring Agent\Agent\MonitoringHost.exe'
+ filter_parent_null:
ParentImage: null
- selection_special:
- CommandLine|contains:
- - 'whoami -all'
- - 'whoami /all'
- - 'whoami.exe -all'
- - 'whoami.exe /all'
- - 'whoami.exe >'
- - 'whoami >'
- condition: ( selection and not 1 of filter* ) or selection_special
+ filter_parent_empty:
+ ParentImage: ''
+ condition: selection and not 1 of filter_*
falsepositives:
- Admin activity
- Scripts and administrative tools used in the monitored environment
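Review bot: The removed `selection_special` (`/all` and `>` redirection) now lives in the new rule c30fb093-1109-4dc8-88a8-b30d11c95a5d added by this commit, but this file does not record the split; add `related:` with `- id: c30fb093-1109-4dc8-88a8-b30d11c95a5d` and `type: similar` so the moved coverage stays traceable. With `filter_generic` excluding cmd.exe and the PowerShell hosts as parents, every shell-launched `whoami` is suppressed here by design, and the comment on `filter_generic` should make that division of labour explicit, e.g. `# whoami launched from an interactive shell is covered by c30fb093-1109-4dc8-88a8-b30d11c95a5d; this rule only targets unexpected parents`. Splitting the old `filter2` into `filter_parent_null` and `filter_parent_empty` is a readability win, but note that `ParentImage: null` and `ParentImage: ''` behave differently per backend, so a short comment on which log sources produce each form would help tuning.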
diff --git a/rules/windows/process_creation/proc_creation_win_whoami_priv.yml b/rules/windows/process_creation/proc_creation_win_whoami_priv_discovery.yml
similarity index 81%
rename from rules/windows/process_creation/proc_creation_win_whoami_priv.yml
rename to rules/windows/process_creation/proc_creation_win_whoami_priv_discovery.yml
index 305bf860c..8a8872c19 100644
--- a/rules/windows/process_creation/proc_creation_win_whoami_priv.yml
+++ b/rules/windows/process_creation/proc_creation_win_whoami_priv_discovery.yml
@@ -1,4 +1,4 @@
-title: Run Whoami Showing Privileges
+title: Security Privileges Reconnaissance Via Whoami.EXE
id: 97a80ec7-0e2f-4d05-9ef4-65760e634f6b
status: experimental
description: Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privieleges. This is often used after a privilege escalation attempt.
@@ -6,7 +6,7 @@ references:
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/whoami
author: Florian Roth (Nextron Systems)
date: 2021/05/05
-modified: 2022/05/13
+modified: 2023/02/28
tags:
- attack.privilege_escalation
- attack.discovery
@@ -19,8 +19,10 @@ detection:
- Image|endswith: '\whoami.exe'
- OriginalFileName: 'whoami.exe'
selection_cli:
- CommandLine|contains: '/priv'
+ CommandLine|contains:
+ - ' /priv'
+ - ' -priv'
condition: all of selection_*
falsepositives:
- - Administrative activity (rare lookups on current privileges)
+ - Unknown
level: high
diff --git a/rules/windows/process_creation/proc_creation_win_whoami_susp_flags.yml b/rules/windows/process_creation/proc_creation_win_whoami_susp_flags.yml
new file mode 100644
index 000000000..d6b55155c
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_whoami_susp_flags.yml
@@ -0,0 +1,35 @@
+title: Suspicious Whoami.EXE Execution
+id: c30fb093-1109-4dc8-88a8-b30d11c95a5d
+status: experimental
+description: Detects the execution of "whoami.exe" with the "/all" flag or with redirection options to export the results to a file for later use.
+references:
+ - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/
+ - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/
+ - https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s
+author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+date: 2023/02/28
+tags:
+ - attack.discovery
+ - attack.t1033
+ - car.2016-03-001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_main_img:
+ - Image|endswith: '\whoami.exe'
+ - OriginalFileName: 'whoami.exe'
+ selection_main_cli:
+ CommandLine|contains:
+ - ' -all'
+ - ' /all'
+ - ' /FO CSV'
+ - ' -FO CSV'
+ selection_special:
+ CommandLine|contains|all:
+ - 'whoami'
+ - '>'
+ condition: all of selection_main_* or selection_special
+falsepositives:
+ - Unknown
+level: high
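Review bot: `selection_special` is evaluated independently of `selection_main_img`, so it fires on whatever process carries both `whoami` and `>` in its command line — in practice the launching shell (e.g. `cmd.exe /c whoami > out.txt`), since the redirect is consumed by the shell and does not appear on whoami.exe's own command line; a comment should make that explicit, e.g. `# Matches the shell that redirects whoami output; whoami.exe itself never carries the '>'`. The same two-term match also triggers on any script or one-liner that merely contains the word "whoami" somewhere near a `>`, `>>` or `2>`, so `falsepositives: Unknown` at `level: high` is optimistic and scripted inventory or troubleshooting tooling is worth listing. This logic was moved out of rule 8de1cbe8-d6f5-496d-8237-5f44a721c7a0 in the same commit; add a `related:` entry with `- id: 8de1cbe8-d6f5-496d-8237-5f44a721c7a0` / `type: similar` so the move is traceable.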