From 0214a0632a0d1cb1381432f0451d988858cb3b5f Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 12 Aug 2022 11:47:15 +0100
Subject: [PATCH 01/12] Fix FP
---
 .../proc_creation_win_ntfs_short_name_path_use_cli.yml | 6 ++++--
 .../proc_creation_win_ntfs_short_name_path_use_image.yml | 6 ++++--
 .../proc_creation_win_ntfs_short_name_use_cli.yml | 6 ++++--
 .../proc_creation_win_ntfs_short_name_use_image.yml | 6 ++++--
 4 files changed, 16 insertions(+), 8 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml
index aa34470fc..76b3888e5 100644
--- a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml
+++ b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml
@@ -11,7 +11,7 @@ references:
 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN
 - https://twitter.com/frack113/status/1555830623633375232
 date: 2022/08/07
-modified: 2022/08/10
+modified: 2022/08/12
 logsource:
 category: process_creation
 product: windows
@@ -24,7 +24,9 @@ detection:
 - ParentImage:
 - C:\Windows\System32\Dism.exe
 - C:\Windows\System32\cleanmgr.exe
- - ParentImage|endswith: '\WebEx\WebexHost.exe'
+ - ParentImage|endswith:
+ - '\WebEx\WebexHost.exe'
+ - '\thor\thor64.exe'
 condition: selection and not filter
 falsepositives:
 - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process.
diff --git a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml
index 0ac7224b3..2263db78e 100644
--- a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml
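Review bot: The new `'\thor\thor64.exe'` exclusion, like the existing WebexHost entry, is a bare path-suffix match on ParentImage, so the filter is keyed on how the parent's path ends rather than on the specific product binary. If the scanner's install path is known, a fuller path value (or an OriginalFileName condition where the log source carries it) would keep the exclusion as narrow as the FP it is meant to suppress. The same filter change is made in the other three rules of this patch (path_use_image, use_cli, use_image), so whatever is chosen here should be mirrored there.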
+++ b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml
@@ -11,7 +11,7 @@ references:
 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN
 - https://twitter.com/frack113/status/1555830623633375232
 date: 2022/08/07
-modified: 2022/08/10
+modified: 2022/08/12
 logsource:
 category: process_creation
 product: windows
@@ -24,7 +24,9 @@ detection:
 - ParentImage:
 - C:\Windows\System32\Dism.exe
 - C:\Windows\System32\cleanmgr.exe # Spawns DismHost.exe with a shortened username (if too long)
- - ParentImage|endswith: '\WebEx\WebexHost.exe' # Spawns a shortened version of the CLI and Image processes
+ - ParentImage|endswith:
+ - '\WebEx\WebexHost.exe' # Spawns a shortened version of the CLI and Image processes
+ - '\thor\thor64.exe'
 condition: selection and not filter
 falsepositives:
 - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process.
diff --git a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_cli.yml b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_cli.yml
index eea7d834c..4158116e8 100644
--- a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_cli.yml
+++ b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_cli.yml
@@ -11,7 +11,7 @@ references:
 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN
 - https://twitter.com/jonasLyk/status/1555914501802921984
 date: 2022/08/05
-modified: 2022/08/10
+modified: 2022/08/12
 logsource:
 category: process_creation
 product: windows
@@ -37,7 +37,9 @@ detection:
 - '~2.js'
 - '~2.hta'
 filter:
- ParentImage|endswith: '\WebEx\WebexHost.exe'
+ ParentImage|endswith:
+ - '\WebEx\WebexHost.exe'
+ - '\thor\thor64.exe'
 condition: selection and not filter
 falsepositives:
 - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process.
diff --git a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml
index a78bfa522..fceefa59e 100644
--- a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml
+++ b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml
@@ -11,7 +11,7 @@ references:
 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN
 - https://twitter.com/jonasLyk/status/1555914501802921984
 date: 2022/08/06
-modified: 2022/08/10
+modified: 2022/08/12
 logsource:
 category: process_creation
 product: windows
@@ -37,7 +37,9 @@ detection:
 - '~2.js'
 - '~2.hta'
 filter:
- ParentImage|endswith: '\WebEx\WebexHost.exe'
+ ParentImage|endswith:
+ - '\WebEx\WebexHost.exe'
+ - '\thor\thor64.exe'
 condition: selection and not filter
 falsepositives:
 - Unknown
From d7bc975c71bad874bc7041713285d230176ab2e5 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 12 Aug 2022 13:42:52 +0100
Subject: [PATCH 02/12] Update meta
---
 .../create_remote_thread_win_susp_targets.yml | 33 ++++++++++---------
 .../sysmon_powershell_code_injection.yml | 4 +--
 .../sysmon_susp_remote_thread.yml | 6 ++--
 ...ent_win_win_shell_write_susp_directory.yml | 2 +-
 4 files changed, 22 insertions(+), 23 deletions(-)
diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_susp_targets.yml b/rules/windows/create_remote_thread/create_remote_thread_win_susp_targets.yml
index 6f8bb5e82..038d93f23 100644
--- a/rules/windows/create_remote_thread/create_remote_thread_win_susp_targets.yml
+++ b/rules/windows/create_remote_thread/create_remote_thread_win_susp_targets.yml
@@ -6,24 +6,25 @@ references:
 - https://blog.redbluepurple.io/offensive-research/bypassing-injection-detection
 author: Florian Roth
 date: 2022/03/16
-modified: 2022/07/07
+modified: 2022/08/12
 logsource:
- product: windows
- category: create_remote_thread
+ product: windows
+ category: create_remote_thread
 detection:
- selection:
- TargetImage|endswith:
- - '\mspaint.exe'
- - '\calc.exe'
- - '\notepad.exe'
- - '\sethc.exe'
- - '\write.exe'
- - '\wordpad.exe'
- condition: selection
+ selection:
+ TargetImage|endswith:
+ - '\mspaint.exe'
+ - '\calc.exe'
+ - '\notepad.exe'
+ - '\sethc.exe'
+ - '\write.exe'
+ - '\wordpad.exe'
+ - '\explorer.exe'
+ condition: selection
 falsepositives:
- - Unknown
+ - Unknown
 level: high
 tags:
- - attack.defense_evasion
- - attack.privilege_escalation
- - attack.t1055.003
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1055.003
diff --git a/rules/windows/create_remote_thread/sysmon_powershell_code_injection.yml b/rules/windows/create_remote_thread/sysmon_powershell_code_injection.yml
index bde512e95..50c53ef0a 100644
--- a/rules/windows/create_remote_thread/sysmon_powershell_code_injection.yml
+++ b/rules/windows/create_remote_thread/sysmon_powershell_code_injection.yml
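Review bot: Adding `'\explorer.exe'` to TargetImage|endswith widens a level-high rule to a target that is likely to appear far more often in benign CreateRemoteThread telemetry than the small utilities already listed, and the hunk keeps `falsepositives: Unknown`, so the addition does not appear to have been baselined. Before shipping at high, either record the expected benign SourceImage values in falsepositives or add a filter for them; alternatively keep explorer.exe in a separate lower-level rule. The re-indentation of the rest of the rule is fine and matches the other rules in the series.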
@@ -1,12 +1,12 @@
 title: Accessing WinAPI in PowerShell. Code Injection
 id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50
 status: test
-description: Detecting Code injection with PowerShell in another process
+description: Detects the creation of a remote thread from a Powershell process to another process
 author: Nikita Nazarov, oscd.community
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
 date: 2020/10/06
-modified: 2022/07/28
+modified: 2022/08/12
 logsource:
 product: windows
 category: create_remote_thread
diff --git a/rules/windows/create_remote_thread/sysmon_susp_remote_thread.yml b/rules/windows/create_remote_thread/sysmon_susp_remote_thread.yml
index f094daf60..c1019a171 100644
--- a/rules/windows/create_remote_thread/sysmon_susp_remote_thread.yml
+++ b/rules/windows/create_remote_thread/sysmon_susp_remote_thread.yml
@@ -7,7 +7,7 @@ notes:
 - MonitoringHost.exe is a process that loads .NET CLR by default and thus a favorite for process injection for .NET in-memory offensive tools.
 status: experimental
 date: 2019/10/27
-modified: 2022/07/31
+modified: 2022/08/12
 author: Perez Diego (@darkquassar), oscd.community
 references:
 - Personal research, statistical analysis
@@ -49,8 +49,6 @@ detection:
 - '\outlook.exe'
 - '\ping.exe'
 - '\powerpnt.exe'
- - '\powershell.exe'
- - '\pwsh.exe'
 - '\provtool.exe'
 - '\python.exe'
 - '\regsvr32.exe'
@@ -99,6 +97,6 @@ fields:
 - User
 - SourceImage
 - TargetImage
-level: high
 falsepositives:
 - Unknown
+level: high
diff --git a/rules/windows/file_event/file_event_win_win_shell_write_susp_directory.yml b/rules/windows/file_event/file_event_win_win_shell_write_susp_directory.yml
index 135fff322..b1232f7a9 100644
--- a/rules/windows/file_event/file_event_win_win_shell_write_susp_directory.yml
+++ b/rules/windows/file_event/file_event_win_win_shell_write_susp_directory.yml
@@ -3,7 +3,7 @@ id: 1277f594-a7d1-4f28-a2d3-73af5cbeab43
 status: experimental
 description: Detects a Windows executable that writes files to suspicious folders
 references:
- - No references
+ - Internal Research
 author: Florian Roth
 date: 2021/11/20
 modified: 2022/07/14
From b1e0668ae30ace687f2391b62650d9bd0ae3f978 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 12 Aug 2022 13:43:36 +0100
Subject: [PATCH 03/12] Update adfind rules
---
 .../proc_creation_win_susp_adfind.yml | 33 -------------------
 ..._creation_win_susp_adfind_enumeration.yml} | 17 +++++-----
 ...> proc_creation_win_susp_adfind_usage.yml} | 18 +++++++---
 3 files changed, 21 insertions(+), 47 deletions(-)
 delete mode 100644 rules/windows/process_creation/proc_creation_win_susp_adfind.yml
 rename rules/windows/process_creation/{proc_creation_win_susp_adfind_enumerate.yml => proc_creation_win_susp_adfind_enumeration.yml} (69%)
 rename rules/windows/process_creation/{proc_creation_win_ad_find_discovery.yml => proc_creation_win_susp_adfind_usage.yml} (67%)
diff --git a/rules/windows/process_creation/proc_creation_win_susp_adfind.yml b/rules/windows/process_creation/proc_creation_win_susp_adfind.yml
deleted file mode 100644
index 2e7aa684c..000000000
--- a/rules/windows/process_creation/proc_creation_win_susp_adfind.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-title: Suspicious AdFind Execution
-id: 75df3b17-8bcc-4565-b89b-c9898acef911
-status: experimental
-description: Detects the execution of a AdFind for Active Directory enumeration
-references:
- - https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
- - https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md
- - https://thedfirreport.com/2020/05/08/adfind-recon/
-author: FPT.EagleEye Team, omkar72, oscd.community
-date: 2020/09/26
-modified: 2021/05/12
-tags:
- - attack.discovery
- - attack.t1018
- - attack.t1087.002
- - attack.t1482
- - attack.t1069.002
-logsource:
- product: windows
- category: process_creation
-detection:
- selection:
- CommandLine|contains:
- - 'objectcategory'
- - 'trustdmp'
- - 'dcmodes'
- - 'dclist'
- - 'computers_pwdnotreqd'
- Image|endswith: '\adfind.exe'
- condition: selection
-falsepositives:
- - Administrative activity
-level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_susp_adfind_enumerate.yml b/rules/windows/process_creation/proc_creation_win_susp_adfind_enumeration.yml
similarity index 69%
rename from rules/windows/process_creation/proc_creation_win_susp_adfind_enumerate.yml
rename to rules/windows/process_creation/proc_creation_win_susp_adfind_enumeration.yml
index 41ff9f25c..b5c219af6
--- a/rules/windows/process_creation/proc_creation_win_susp_adfind_enumerate.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_adfind_enumeration.yml
@@ -1,19 +1,18 @@
-title: Suspicious AdFind Enumerate
+title: Suspicious AdFind Enumeration
 id: 455b9d50-15a1-4b99-853f-8d37655a4c1b
 status: experimental
-description: Detects the execution of a AdFind for enumeration
+description: Detects the execution of a AdFind for enumeration based on it's commadline flags
 references:
 - https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md
 author: frack113
 date: 2021/12/13
+modified: 2022/08/12
 logsource:
 product: windows
 category: process_creation
 detection:
- selection:
- Image|endswith: '\adfind.exe'
- test_5: #Listing password policy
+ selection_password: #Listing password policy
 CommandLine|contains:
 - lockoutduration
 - lockoutthreshold
@@ -23,14 +22,14 @@ detection:
 - minpwdlength
 - pwdhistorylength
 - pwdproperties
- test_6: #Enumerate Active Directory Admins
+ selection_enum_ad: #Enumerate Active Directory Admins
 CommandLine|contains: '-sc admincountdmp'
- test_8: #Enumerate Active Directory Exchange AD Objects
+ selection_enum_exchange: #Enumerate Active Directory Exchange AD Objects
 CommandLine|contains: '-sc exchaddresses'
- condition: selection and 1 of test_*
+ condition: 1 of selection_*
 falsepositives:
 - Administrative activity
-level: medium
+level: high
 tags:
 - attack.discovery
 - attack.t1087.002
diff --git a/rules/windows/process_creation/proc_creation_win_ad_find_discovery.yml b/rules/windows/process_creation/proc_creation_win_susp_adfind_usage.yml
similarity index 67%
rename from rules/windows/process_creation/proc_creation_win_ad_find_discovery.yml
rename to rules/windows/process_creation/proc_creation_win_susp_adfind_usage.yml
index 93d568e96..b75743797
--- a/rules/windows/process_creation/proc_creation_win_ad_find_discovery.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_adfind_usage.yml
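Review bot: Removing `selection` (the `Image|endswith: '\adfind.exe'` anchor, first hunk) and switching the condition to `1 of selection_*` (second hunk) means `selection_password` now fires on bare keywords in any process command line; `lockoutduration` and `lockoutthreshold` are also switch names of `net accounts`, so routine password-policy administration will match, and the same change raises the level to high. The keyword list between the two hunks is outside the view, so other entries may have the same overlap. If the goal is to catch renamed copies, keep an anchor such as an `OriginalFileName` check (confirm the value the AdFind binary carries) for the keyword-only selection rather than dropping the image check entirely; the `-sc …` selections are specific enough to stand alone. The new description also has typos: `description: Detects the execution of AdFind for enumeration based on its command line flags`.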
@@ -1,24 +1,31 @@
 title: AdFind Usage Detection
 id: 9a132afa-654e-11eb-ae93-0242ac130002
+related:
+ - id: 75df3b17-8bcc-4565-b89b-c9898acef911
+ type: obsoletes
 status: test
 description: AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain.
-author: Janantha Marasinghe (https://github.com/blueteam0ps)
+author: Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community
 references:
 - https://thedfirreport.com/2020/05/08/adfind-recon/
 - https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/
 - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
+ - https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
+ - https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md
 date: 2021/02/02
-modified: 2021/02/02
+modified: 2022/08/12
 tags:
 - attack.discovery
- - attack.t1482
 - attack.t1018
+ - attack.t1087.002
+ - attack.t1482
+ - attack.t1069.002
 logsource:
 category: process_creation
 product: windows
 detection:
 selection:
- CommandLine|contains:
+ CommandLine|contains:
 - 'domainlist'
 - 'trustdmp'
 - 'dcmodes'
@@ -37,7 +44,8 @@ detection:
 - 'fspdmp'
 - 'users_noexpire'
 - 'computers_active'
+ - 'computers_pwdnotreqd'
 condition: selection
 falsepositives:
- - Admin activity
+ - Legitimate admin activity
 level: high
From e4e24a00a708276c6453264ace91bff6a1dbbc91 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 12 Aug 2022 13:44:03 +0100
Subject: [PATCH 04/12] Update procdump rules
---
 .../proc_creation_win_procdump.yml | 11 +++----
 .../proc_creation_win_renamed_procdump.yml | 23 +++++++++-------
 .../proc_creation_win_susp_procdump.yml | 26 -------------------
 .../proc_creation_win_susp_procdump_lsass.yml | 14 +++++-----
 4 files changed, 23 insertions(+), 51 deletions(-)
 delete mode 100644 rules/windows/process_creation/proc_creation_win_susp_procdump.yml
diff --git a/rules/windows/process_creation/proc_creation_win_procdump.yml b/rules/windows/process_creation/proc_creation_win_procdump.yml
index 697a761b2..6d34d0b8b 100644
--- a/rules/windows/process_creation/proc_creation_win_procdump.yml
+++ b/rules/windows/process_creation/proc_creation_win_procdump.yml
@@ -1,11 +1,12 @@
 title: Procdump Usage
 id: 2e65275c-8288-4ab4-aeb7-6274f58b6b20
-description: Detects uses of the SysInternals Procdump utility
+description: Detects usage of the SysInternals Procdump utility
 status: experimental
 references:
 - Internal Research
 author: Florian Roth
 date: 2021/08/16
+modified: 2022/08/11
 tags:
 - attack.defense_evasion
 - attack.t1036
@@ -14,15 +15,11 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection1:
+ selection:
 Image|endswith:
 - '\procdump.exe'
 - '\procdump64.exe'
- selection2:
- CommandLine|contains|all:
- - ' -ma '
- - '.exe'
- condition: selection1 or selection2
+ condition: selection
 falsepositives:
 - Legitimate use of procdump by a developer or administrator
 level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml b/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml
index 87107e01e..9469558c6 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml
@@ -1,12 +1,15 @@
 title: Renamed ProcDump
 id: 4a0b2c7e-7cb2-495d-8b63-5f268e7bfd67
+related:
+ - id: 03795938-1387-481b-9f4c-3f6241e604fe
+ type: obsoletes
 status: test
 description: Detects the execution of a renamed ProcDump executable often used by attackers or malware
 references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/procdump
 author: Florian Roth
 date: 2019/11/18
-modified: 2021/08/16
+modified: 2022/08/12
 tags:
 - attack.defense_evasion
 - attack.t1036.003
@@ -14,22 +17,22 @@ logsource:
 product: windows
 category: process_creation
 detection:
- selection1:
+ original_file_name:
 OriginalFileName: 'procdump'
- selection2:
- CommandLine|contains|all:
+ selection_ma:
+ CommandLine|contains:
 - ' -ma '
+ - ' /ma '
+ selection_other:
+ CommandLine|contains:
 - ' -accepteula '
- selection3:
- CommandLine|contains|all:
- - ' -ma '
- - '.dmp'
+ - ' /accepteula '
 filter:
 Image|endswith:
 - '\procdump.exe'
 - '\procdump64.exe'
- condition: ( selection1 or selection2 or selection3 ) and not filter
+ condition: (original_file_name or all of selection_*) and not filter
 falsepositives:
 - Procdump illegaly bundled with legitimate software
- - Weird admins who renamed binaries
+ - Weird admins who renamed binaries (and should be investigated)
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_procdump.yml b/rules/windows/process_creation/proc_creation_win_susp_procdump.yml
deleted file mode 100644
index 7c3256d94..000000000
--- a/rules/windows/process_creation/proc_creation_win_susp_procdump.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-title: Suspicious Use of Procdump
-id: 03795938-1387-481b-9f4c-3f6241e604fe
-description: Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter ' -ma ' and ' -accepteula' in a single step. This way we're also able to catch cases in which the attacker has renamed the procdump executable.
-status: experimental
-references:
- - Internal Research
-author: Florian Roth
-date: 2021/02/02
-modified: 2021/08/16
-tags:
- - attack.defense_evasion
- - attack.t1036
- - attack.t1003.001
-logsource:
- category: process_creation
- product: windows
-detection:
- selection:
- CommandLine|contains|all:
- - ' -ma '
- - ' -accepteula '
- condition: selection
-falsepositives:
- - Another tool that uses the command line switches of Procdump
- - Legitimate use of procdump by a developer or administrator
-level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_procdump_lsass.yml b/rules/windows/process_creation/proc_creation_win_susp_procdump_lsass.yml
index fbefa0c1f..c19213fc3 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_procdump_lsass.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_procdump_lsass.yml
@@ -6,7 +6,7 @@ references:
 - Internal Research
 author: Florian Roth
 date: 2018/10/30
-modified: 2021/02/02
+modified: 2022/08/12
 tags:
 - attack.defense_evasion
 - attack.t1036
@@ -18,14 +18,12 @@ logsource:
 product: windows
 detection:
 selection1:
- CommandLine|contains: ' -ma '
- selection2:
- CommandLine|contains: ' lsass'
- selection3:
- CommandLine|contains|all:
+ CommandLine|contains:
 - ' -ma '
- - ' ls'
- condition: ( selection1 and selection2 ) or selection3
+ - ' /ma '
+ selection2:
+ CommandLine|contains: ' ls' # Short for lsass
+ condition: all of selection*
 falsepositives:
 - Unlikely, because no one should dump an lsass process memory
 - Another tool that uses the command line switches of Procdump
From cf2a817801c3348a61a4b456d83e64d2ad3040d6 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 12 Aug 2022 13:44:16 +0100
Subject: [PATCH 05/12] New Rules
---
 .../win_anydesk_service_installation.yml | 22 +++++++++
 ..._win_shell_write_susp_files_extensions.yml | 40 ++++++++++++++++
 ...tion_win_cobaltstrike_bloopers_modules.yml | 46 +++++++++----------
 3 files changed, 85 insertions(+), 23 deletions(-)
 create mode 100644 rules/windows/builtin/system/win_anydesk_service_installation.yml
 create mode 100644 rules/windows/file_event/file_event_win_win_shell_write_susp_files_extensions.yml
diff --git a/rules/windows/builtin/system/win_anydesk_service_installation.yml b/rules/windows/builtin/system/win_anydesk_service_installation.yml
new file mode 100644
index 000000000..0726fc8e3
--- /dev/null
+++ b/rules/windows/builtin/system/win_anydesk_service_installation.yml
@@ -0,0 +1,22 @@
+title: Anydesk Remote Access Software Service Installation
+id: 530a6faa-ff3d-4022-b315-50828e77eef5
+status: experimental
+description: Detects the installation of the anydesk software service. Which could be an indication of anydesk abuse if you the software isn't already used.
+author: Nasreddine Bencherchali
+references:
+ - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
+date: 2022/08/11
+logsource:
+ product: windows
+ service: system
+detection:
+ selection:
+ Provider_Name: 'Service Control Manager'
+ EventID: 7045
+ ServiceName: 'AnyDesk Service'
+ condition: selection
+falsepositives:
+ - Legitimate usage of the anydesk tool
+level: medium
+tags:
+ - attack.persistence
diff --git a/rules/windows/file_event/file_event_win_win_shell_write_susp_files_extensions.yml b/rules/windows/file_event/file_event_win_win_shell_write_susp_files_extensions.yml
new file mode 100644
index 000000000..eef0bcab0
--- /dev/null
+++ b/rules/windows/file_event/file_event_win_win_shell_write_susp_files_extensions.yml
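Review bot: The new rule's description is ungrammatical ("if you the software isn't already used"); suggested wording: `description: Detects the installation of the AnyDesk software service, which could indicate AnyDesk abuse if the software is not already in use in the environment.` The selection also keys solely on the display string `ServiceName: 'AnyDesk Service'`; System event 7045 carries `ImagePath` as well, and a second selection on the service binary path (confirm the value the installer writes) would catch installs where the display name differs and make the rule less brittle. Since this is service-based persistence, `attack.t1543.003` would fit alongside `attack.persistence` in tags.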
@@ -0,0 +1,40 @@
+title: Windows Binaries Write Suspicious Extensions
+id: b8fd0e93-ff58-4cbd-8f48-1c114e342e62
+related:
+ - id: 1277f594-a7d1-4f28-a2d3-73af5cbeab43
+ type: derived
+status: experimental
+description: Detects windows executables that writes files with suspicious extensions
+references:
+ - Internal Research
+author: Nasreddine Bencherchali
+date: 2022/08/12
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - '\rundll32.exe'
+ - '\svchost.exe'
+ - '\dllhost.exe'
+ - '\smss.exe'
+ - '\RuntimeBroker.exe'
+ - '\sihost.exe'
+ - '\lsass.exe'
+ - '\csrss.exe'
+ - '\winlogon.exe'
+ - '\wininit.exe'
+ TargetFilename|endswith:
+ - '.bat'
+ - '.vbe'
+ - '.txt'
+ - '.vbs'
+ - '.exe'
+ - '.ps1'
+ - '.hta'
+ - '.iso'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_modules.yml b/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_modules.yml
index 871b46ca3..7539879eb 100644
--- a/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_modules.yml
+++ b/rules/windows/process_creation/proc_creation_win_cobaltstrike_bloopers_modules.yml
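Review bot: `'.txt'` in TargetFilename|endswith, combined with always-running hosts such as `\svchost.exe`, `\lsass.exe` and `\winlogon.exe`, is likely to be very noisy for a level-high rule, and `falsepositives: Unknown` suggests the image/extension combinations have not been baselined in any environment; consider dropping `.txt` (or moving it to a lower-level sibling) and recording the benign writers that were observed in falsepositives. The description should read `description: Detects Windows executables that write files with suspicious extensions`. The `related` entry marking this as derived from 1277f594-a7d1-4f28-a2d3-73af5cbeab43 is a useful cross-reference.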
@@ -4,34 +4,34 @@ id: 4f154fb6-27d1-4813-a759-78b93e0b9c48
 description: Detects use of Cobalt Strike module commands accidentally entered in the CMD shell
 author: _pete_0, TheDFIRReport
 references:
- - https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf
- - https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/
- - https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/
+ - https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/cobalt-4-5-user-guide.pdf
+ - https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/
+ - https://thedfirreport.com/2022/06/16/sans-ransomware-summit-2022-can-you-detect-this/
 date: 2022/05/06
 modified: 2022/05/06
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- CommandLine|startswith:
- - 'cmd.exe'
- - 'c:\windows\system32\cmd.exe'
- CommandLine|contains:
- - Invoke-UserHunter
- - Invoke-ShareFinder
- - Invoke-Kerberoast
- - Invoke-SMBAutoBrute
- - Invoke-Nightmare
- - zerologon
- - av_query
- Image|endswith: '\cmd.exe'
- condition: selection
+ selection:
+ Image|endswith: '\cmd.exe'
+ CommandLine|startswith:
+ - 'cmd.exe'
+ - 'c:\windows\system32\cmd.exe'
+ CommandLine|contains:
+ - Invoke-UserHunter
+ - Invoke-ShareFinder
+ - Invoke-Kerberoast
+ - Invoke-SMBAutoBrute
+ - Invoke-Nightmare
+ - zerologon
+ - av_query
+ condition: selection
 fields:
- - CommandLine
+ - CommandLine
 falsepositives:
- - Unknown
+ - Unknown
 level: high
 tags:
- - attack.execution
- - attack.t1059.003
\ No newline at end of file
+ - attack.execution
+ - attack.t1059.003
From 8477c4976be74ebdfad72090b75f404e9970f511 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 12 Aug 2022 16:02:54 +0100
Subject: [PATCH 06/12] Update proc_creation_win_renamed_procdump.yml
---
 .../process_creation/proc_creation_win_renamed_procdump.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml b/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml
index 9469558c6..5e1b13880 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml
@@ -31,7 +31,7 @@ detection:
 Image|endswith:
 - '\procdump.exe'
 - '\procdump64.exe'
- condition: (original_file_name or all of selection_*) and not filter
+ condition: original_file_name or all of selection_* and not filter
 falsepositives:
 - Procdump illegaly bundled with legitimate software
 - Weird admins who renamed binaries (and should be investigated)
From 4a0c1b41f2828e9dfe9a3ff8984b45a4e19520d7 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 12 Aug 2022 16:04:38 +0100
Subject: [PATCH 07/12] Update proc_creation_win_renamed_procdump.yml
---
 .../proc_creation_win_renamed_procdump.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml b/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml
index 5e1b13880..9a09c3246 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_procdump.yml
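Review bot: Dropping the parentheses changes the condition's meaning rather than just its formatting: `and` binds tighter than `or` in Sigma conditions, so `original_file_name or all of selection_* and not filter` reads as `original_file_name or (all of selection_* and not filter)`, and the genuine `procdump.exe`/`procdump64.exe` (whose OriginalFileName the rule itself keys on) now match regardless of the filter, defeating the "renamed" intent. PATCH 07/12 later in this series restores the grouping as `(selection_org or all of selection_args_*) and not filter`; squashing the two commits would avoid landing a revision where the rule is broken. The `filter` block starts above this hunk.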
@@ -17,13 +17,13 @@ logsource:
 product: windows
 category: process_creation
 detection:
- original_file_name:
+ selection_org:
 OriginalFileName: 'procdump'
- selection_ma:
+ selection_args_ma:
 CommandLine|contains:
 - ' -ma '
 - ' /ma '
- selection_other:
+ selection_args_other:
 CommandLine|contains:
 - ' -accepteula '
 - ' /accepteula '
@@ -31,7 +31,7 @@ detection:
 Image|endswith:
 - '\procdump.exe'
 - '\procdump64.exe'
- condition: original_file_name or all of selection_* and not filter
+ condition: (selection_org or all of selection_args_*) and not filter
 falsepositives:
 - Procdump illegaly bundled with legitimate software
 - Weird admins who renamed binaries (and should be investigated)
From b6fda3e7588f47593cca91fd4bce6c208d5f41f8 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 12 Aug 2022 16:09:20 +0100
Subject: [PATCH 08/12] Fix FP
---
 .../file_event_win_win_shell_write_susp_files_extensions.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/file_event/file_event_win_win_shell_write_susp_files_extensions.yml b/rules/windows/file_event/file_event_win_win_shell_write_susp_files_extensions.yml
index eef0bcab0..5eb617acc 100644
--- a/rules/windows/file_event/file_event_win_win_shell_write_susp_files_extensions.yml
+++ b/rules/windows/file_event/file_event_win_win_shell_write_susp_files_extensions.yml
@@ -16,7 +16,7 @@ detection:
 selection:
 Image|endswith:
 - '\rundll32.exe'
- - '\svchost.exe'
+ #- '\svchost.exe' # Might generate some FP
 - '\dllhost.exe'
 - '\smss.exe'
 - '\RuntimeBroker.exe'
From 4f7738b8674efdfd1908b40c851a739176ac2c2b Mon Sep 17 00:00:00 2001
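Review bot: In the PATCH 08/12 hunk, commenting out `#- '\svchost.exe' # Might generate some FP` leaves dead configuration in the selection with no record of which write produced the false positive; either delete the line, or keep svchost and add a `filter` for the specific benign TargetFilename that was observed so the exclusion is documented and testable. If the comment stays, name the FP source in it (e.g. `# svchost.exe writes <observed path> — excluded until a filter is added`). The selection's extension list continues below the hunk, outside the view.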
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 12 Aug 2022 16:29:52 +0100
Subject: [PATCH 09/12] Add rule CVE-2022-31656
---
 rules/web/web_cve_2021_43798_grafana.yml | 2 +-
 rules/web/web_cve_2022_31656_auth_bypass.yml | 22 ++++++++++++++++++++
 2 files changed, 23 insertions(+), 1 deletion(-)
 create mode 100644 rules/web/web_cve_2022_31656_auth_bypass.yml
diff --git a/rules/web/web_cve_2021_43798_grafana.yml b/rules/web/web_cve_2021_43798_grafana.yml
index fc4fc7478..e4622ae43 100644
--- a/rules/web/web_cve_2021_43798_grafana.yml
+++ b/rules/web/web_cve_2021_43798_grafana.yml
@@ -1,7 +1,7 @@
 title: Grafana Path Traversal Exploitation CVE-2021-43798
 id: 7b72b328-5708-414f-9a2a-6a6867c26e16
 status: experimental
-description: Detects a successful Grafana path traversal exploitation
+description: Detects a successful Grafana path traversal exploitation
 author: Florian Roth
 references:
 - https://grafana.com/blog/2021/12/07/grafana-8.3.1-8.2.7-8.1.8-and-8.0.7-released-with-high-severity-security-fix/
diff --git a/rules/web/web_cve_2022_31656_auth_bypass.yml b/rules/web/web_cve_2022_31656_auth_bypass.yml
new file mode 100644
index 000000000..1d5de9178
--- /dev/null
+++ b/rules/web/web_cve_2022_31656_auth_bypass.yml
@@ -0,0 +1,22 @@
+title: CVE-2022-31656 VMware Workspace ONE Access Auth Bypass
+id: fcf1101d-07c9-49b2-ad81-7e421ff96d80
+status: experimental
+description: |
+ Detects the exploitation of VMware Workspace ONE Access Authentication Bypass vulnerability as described in CVE-2022-31656
+ VMware Workspace ONE Access, Identity Manager and vRealize Automation contain an authentication bypass vulnerability affecting local domain users. A malicious actor with network access to the UI may be able to obtain administrative access without the need to authenticate.
+author: Nasreddine Bencherchali
+date: 2022/08/12
+references:
+ - https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd
+logsource:
+ category: webserver
+detection:
+ selection:
+ c-uri|contains: '/SAAS/t/_/;/'
+ condition: selection
+falsepositives:
+ - Vulnerability scanners
+level: high
+tags:
+ - attack.initial_access
+ - attack.t1190
From 3fffd6a8f39357607daaa22da11390abcd698e57 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 12 Aug 2022 17:12:35 +0100
Subject: [PATCH 10/12] Create proc_creation_win_wab_execution_from_non_default_location.yml
---
 ...ab_execution_from_non_default_location.yml | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml
diff --git a/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml b/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml
new file mode 100644
index 000000000..601a65f63
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_wab_execution_from_non_default_location.yml
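Review bot: `c-uri|contains: '/SAAS/t/_/;/'` matches only the literal semicolon; some webservers record the request URI percent-encoded in their access logs, in which case the same path appears as `/SAAS/t/_/%3b/` and is not matched — confirm how the target deployment's log source renders it and add that as a second value if needed. The rule has a single third-party write-up as reference; adding the vendor advisory for CVE-2022-31656 would make the rule easier to verify and maintain. The first line of the block description should also end with a period so the two sentences do not run together when rendered.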
@@ -0,0 +1,27 @@
+title: Wab Execution From Non Default Location
+id: 395907ee-96e5-4666-af2e-2ca91688e151
+status: experimental
+description: Detects execution of wab.exe (Windows Contacts) from non default locations as seen with bumblebee activity
+references:
+ - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
+ - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime
+author: Nasreddine Bencherchali
+date: 2022/08/12
+tags:
+ - attack.defense_evasion
+ - attack.execution
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\wab.exe'
+ filter:
+ Image|startswith:
+ - 'C:\Windows\WinSxS\'
+ - 'C:\Program Files\Windows Mail\'
+ - 'C:\Program Files (x86)\Windows Mail\'
+ condition: selection and not filter
+falsepositives:
+ - Unlikely
+level: high
From 0cca5208e9940a3e3e5da4871ea95b3538be8440 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 12 Aug 2022 17:18:44 +0100
Subject: [PATCH 11/12] Create proc_creation_win_wab_unusual_parents.yml
---
 .../proc_creation_win_wab_unusual_parents.yml | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml
diff --git a/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml b/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml
new file mode 100644
index 000000000..ad84a9698
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_wab_unusual_parents.yml
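Review bot: The three `filter` values are anchored on a literal `C:` drive letter, so on a host where Windows or Program Files sit on another volume the legitimate wab.exe falls outside the filter and the rule fires on every run, which contradicts `falsepositives: - Unlikely`. Changing the key to `Image|contains:` and dropping the drive letter from the values (`':\Windows\WinSxS\'`, `':\Program Files\Windows Mail\'`, `':\Program Files (x86)\Windows Mail\'`) keeps the intent while tolerating non-default system drives. The `description` would also benefit from naming the expected locations, e.g. `Detects execution of wab.exe (Windows Contacts) from a location other than the Windows Mail or WinSxS directories, as observed in Bumblebee activity`, so a reader knows what "non default" means without parsing the filter.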
@@ -0,0 +1,29 @@
+title: Wab.Exe Unusual Parent Or Child Processes
+id: 63d1ccc0-2a43-4f4b-9289-361b308991ff
+status: experimental
+description: Detects unusual parent or children of the wab.exe (Windows Contacts) process as seen being used with bumblebee activity
+references:
+ - https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain-admin/
+ - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime
+author: Nasreddine Bencherchali
+date: 2022/08/12
+tags:
+ - attack.defense_evasion
+ - attack.execution
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_parent:
+ ParentImage|endswith:
+ # Add more if known
+ - \WmiPrvSE.exe
+ - \svchost.exe
+ - \dllhost.exe
+ Image|endswith: '\wab.exe'
+ selection_child:
+ ParentImage|endswith: '\wab.exe'
+ condition: 1 of selection_*
+falsepositives:
+ - Unlikely
+level: high
From ce43b1da5c070a1d81005c926cdfc8a1db0ba67b Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 12 Aug 2022 18:50:08 +0100
Subject: [PATCH 12/12] Create web_cve_2022_31659_vmware_rce.yml
---
 rules/web/web_cve_2022_31659_vmware_rce.yml | 22 +++++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 rules/web/web_cve_2022_31659_vmware_rce.yml
diff --git a/rules/web/web_cve_2022_31659_vmware_rce.yml b/rules/web/web_cve_2022_31659_vmware_rce.yml
new file mode 100644
index 000000000..5d9fd9897
--- /dev/null
+++ b/rules/web/web_cve_2022_31659_vmware_rce.yml
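Review bot: `selection_child` matches every process whose parent is wab.exe, not only unusual ones, so with `condition: 1 of selection_*` the rule is broader than the title ("Unusual ... Child Processes") and the `falsepositives: - Unlikely` entry suggest; either narrow it with an `Image|endswith` list of the children of interest or state in `description` that any child of wab.exe is treated as suspicious. Stylistically, the three `ParentImage|endswith` values (`- \WmiPrvSE.exe` and the two below it) are unquoted while `'\wab.exe'` is quoted a few lines later; quoting all backslash paths the same way (`- '\WmiPrvSE.exe'`) avoids the inconsistency. The `# Add more if known` comment would read better as a sentence naming its source, e.g. `# Parents observed in the referenced Bumblebee reports; extend as new telemetry appears`.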
@@ -0,0 +1,22 @@
+title: CVE-2022-31659 VMware Workspace ONE Access RCE
+id: efdb2003-a922-48aa-8f37-8b80021a9706
+status: experimental
+description: Detects possible exploitation of VMware Workspace ONE Access Admin Remote Code Execution vulnerability as described in CVE-2022-31659
+author: Nasreddine Bencherchali
+date: 2022/08/12
+references:
+ - https://petrusviet.medium.com/dancing-on-the-architecture-of-vmware-workspace-one-access-eng-ad592ae1b6dd
+logsource:
+ category: webserver
+detection:
+ selection:
+ cs-method: 'POST'
+ c-uri|contains: '/SAAS/jersey/manager/api/migrate/tenant' # Investigate the host header to look spot the difference between benign and malicious requests to this URL
+ condition: selection
+falsepositives:
+ - Vulnerability scanners
+ - Legitimate access to the URI
+level: medium
+tags:
+ - attack.initial_access
+ - attack.t1190
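Review bot: The inline comment on the `c-uri|contains` line has a typo ("to look spot") and is analyst guidance rather than a note on the value, so it belongs where an analyst will read it; suggest `# Compare the Host header of matching requests to separate benign tenant migrations from exploitation` and, better, folding that sentence into the `Legitimate access to the URI` falsepositives entry. Since `cs-method: 'POST'` plus this URI are the whole detection, `level: medium` and the two falsepositives entries are consistent with the rule's breadth, but the `description` could say that it keys on the method and URI only, so that a reader does not expect payload inspection.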