diff --git a/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml b/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml index ccdb8e75d..a745ebdc1 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml @@ -3,6 +3,8 @@ id: fc028194-969d-4122-8abe-0470d5b8f12f related: - id: 98f4c75c-3089-44f3-b733-b327b9cd9c9d type: obsoletes + - id: 47147b5b-9e17-4d76-b8d2-7bac24c5ce1b + type: similar status: experimental description: | Adversaries may acquire credentials from web browsers by reading files specific to the target browser. diff --git a/rules/windows/process_creation/proc_creation_win_browser_remote_debugging.yml b/rules/windows/process_creation/proc_creation_win_browser_remote_debugging.yml index b9641f1d0..67cb203bb 100644 --- a/rules/windows/process_creation/proc_creation_win_browser_remote_debugging.yml +++ b/rules/windows/process_creation/proc_creation_win_browser_remote_debugging.yml @@ -5,9 +5,11 @@ description: Detects browsers starting with the remote debugging flags. Which is references: - https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf - https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/ + - https://github.com/defaultnamehere/cookie_crimes/ + - https://github.com/wunderwuzzi23/firefox-cookiemonster author: pH-T, Nasreddine Bencherchali (update) date: 2022/07/27 -modified: 2022/10/12 +modified: 2022/12/23 tags: - attack.credential_access - attack.t1185 @@ -20,7 +22,7 @@ detection: CommandLine|contains: ' --remote-debugging-' selection_firefox: Image|endswith: '\firefox.exe' - CommandLine|contains: ' -start-debugger-server ' + CommandLine|contains: ' -start-debugger-server' condition: 1 of selection_* falsepositives: - Unknown 
diff --git a/rules/windows/process_creation/proc_creation_win_chromium_headless_debugging.yml b/rules/windows/process_creation/proc_creation_win_chromium_headless_debugging.yml new file mode 100644 index 000000000..2e9cc1673 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_chromium_headless_debugging.yml @@ -0,0 +1,28 @@ +title: Potential Data Stealing Via Chromium Headless Debugging +id: 3e8207c5-fcd2-4ea6-9418-15d45b4890e4 +status: experimental +description: Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control +references: + - https://github.com/defaultnamehere/cookie_crimes/ + - https://mango.pdf.zone/stealing-chrome-cookies-without-a-password + - https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/ + - https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/ +author: Nasreddine Bencherchali +date: 2022/12/23 +tags: + - attack.credential_access + - attack.t1185 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains|all: + # Covers: --remote-debugging-address, --remote-debugging-port, --remote-debugging-socket-name, --remote-debugging-pipe....etc + - '--remote-debugging-' + - '--user-data-dir' + - '--headless' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/proc_creation_win_copy_browser_data.yml b/rules/windows/process_creation/proc_creation_win_copy_browser_data.yml new file mode 100644 index 000000000..61e631384 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_copy_browser_data.yml 
@@ -0,0 +1,47 @@ +title: Potential Browser Data Stealing +id: 47147b5b-9e17-4d76-b8d2-7bac24c5ce1b +related: + - id: fc028194-969d-4122-8abe-0470d5b8f12f + type: derived +status: experimental +description: | + Adversaries may acquire credentials from web browsers by reading files specific to the target browser. + Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. + Web browsers typically store the credentials in an encrypted format within a credential store. +references: + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md +author: Nasreddine Bencherchali +date: 2022/12/23 +tags: + - attack.credential_access + - attack.t1555.003 +logsource: + category: process_creation + product: windows +detection: + selection_cmd: + - CommandLine|contains: + - 'copy-item' + - 'copy' + - 'cpi ' + - ' cp ' + - 'move' + - 'move-item' + - ' mi ' + - ' mv ' + - Image|endswith: + - '\xcopy.exe' + - '\robocopy.exe' + - OriginalFileName: + - 'XCOPY.EXE' + - 'robocopy.exe' + selection_path: + CommandLine|contains: + - '\Opera Software\Opera Stable\' + - '\Mozilla\Firefox\Profiles' + - '\Microsoft\Edge\User Data\' + - '\Google\Chrome\User Data\' + condition: all of selection_* +falsepositives: + - Unknown +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml b/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml index 52255b0e0..6c971e5f2 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml 
@@ -9,7 +9,7 @@ references: - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/ author: 'Florian Roth, oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali' date: 2019/12/30 -modified: 2022/11/09 +modified: 2022/12/23 tags: - attack.lateral_movement - attack.collection @@ -22,9 +22,12 @@ logsource: product: windows detection: selection_other_tools: - Image|endswith: + - Image|endswith: - '\robocopy.exe' - '\xcopy.exe' + - OriginalFileName: + - 'robocopy.exe' + - 'XCOPY.EXE' selection_cmd_img: - Image|endswith: '\cmd.exe' - OriginalFileName: 'Cmd.Exe'
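Review bot: the two sides of the new cross-reference disagree on the relation type. The `related` entry added in posh_ps_access_to_browser_login_data.yml says `type: similar` towards 47147b5b-9e17-4d76-b8d2-7bac24c5ce1b, while the new proc_creation_win_copy_browser_data.yml links back to fc028194-969d-4122-8abe-0470d5b8f12f with `type: derived`; pick one (`derived` fits a rule that reuses the description verbatim) and use it on both ends. The hunk for the PowerShell rule also leaves its `modified:` date untouched, whereas the other edited rules in this patch are bumped to `2022/12/23`.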
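Review bot: in proc_creation_win_browser_remote_debugging.yml the Firefox pattern still misses the double-dash spelling. `' -start-debugger-server'` keeps a leading space followed by a single dash, so a command line using `--start-debugger-server` (which Firefox accepts on Windows alongside the single-dash and slash forms) is not matched because the character before `-start` is another dash, not a space. Dropping the leading space (`'-start-debugger-server'`) covers both spellings; the Chromium selection just above already does this with `' --remote-debugging-'` being anchored on the double dash. Removing the trailing space is a genuine fix (the flag was previously missed when it was the last token or written as `-start-debugger-server=<port>`), so a short YAML comment next to the value would help the next reader understand why it has no surrounding spaces.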
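Review bot: the new proc_creation_win_chromium_headless_debugging.yml claims in its description to detect a browser "pointing to a user profile", but the selection only checks for the presence of the `--user-data-dir` switch, not for a real profile path such as the `\Google\Chrome\User Data\` and `\Microsoft\Edge\User Data\` values used in the companion copy rule; either add a `--user-data-dir=` plus profile-path condition or soften the description. Related to that, `level: high` with `falsepositives: Unknown` is hard to defend, because `--headless` together with `--user-data-dir` and `--remote-debugging-port`/`--remote-debugging-pipe` is exactly how browser automation frameworks (Puppeteer, Playwright, Selenium/ChromeDriver) and headless PDF or screenshot renderers launch Chromium, usually with a throwaway temp profile; list those under `falsepositives` and consider `medium`. Minor: the description lacks a terminating period and the comment reads `--remote-debugging-pipe....etc`.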
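Review bot: in `selection_cmd` of the new proc_creation_win_copy_browser_data.yml the bare substrings `'copy'` and `'move'` are far wider than the other entries: `'move'` and `'move-item'` both match inside `Remove-Item`, `'copy'` matches `copyright` and any path containing the word, and `'cpi '` has a trailing space while `' cp '`, `' mi '` and `' mv '` are padded on both sides. The `condition: all of selection_*` already requires a browser profile path, so the practical impact is limited, but the list would be cleaner if the bare words got the same space padding as the short aliases and the `Remove-Item` overlap were either accepted knowingly (deleting a profile directory is arguably also of interest) or excluded with a leading space on `' move-item'`. Two consistency nits in `selection_path`: `'\Mozilla\Firefox\Profiles'` is the only entry without a trailing backslash, and the `related` link says `derived` while the PowerShell rule's side of it says `similar`.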