From 0a77980bb8e392b09b1840c07abf48497c593aa4 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 22 Dec 2022 19:14:13 +0100 Subject: [PATCH 01/12] fix: move firewall rule to firewall folder --- .../firewall}/firewall_cleartext_protocols.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/{compliance => network/firewall}/firewall_cleartext_protocols.yml (100%) diff --git a/rules/compliance/firewall_cleartext_protocols.yml b/rules/network/firewall/firewall_cleartext_protocols.yml similarity index 100% rename from rules/compliance/firewall_cleartext_protocols.yml rename to rules/network/firewall/firewall_cleartext_protocols.yml From 4c90e86736e8f8a0666cb37a897c5afc47890417 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 22 Dec 2022 19:15:47 +0100 Subject: [PATCH 02/12] fix: move security rule to security folder --- .../builtin/security}/group_modification_logging.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/{compliance => windows/builtin/security}/group_modification_logging.yml (100%) diff --git a/rules/compliance/group_modification_logging.yml b/rules/windows/builtin/security/group_modification_logging.yml similarity index 100% rename from rules/compliance/group_modification_logging.yml rename to rules/windows/builtin/security/group_modification_logging.yml From b1628c1a4c5f84163fbffb10bdaf0d74f2926873 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 22 Dec 2022 19:17:11 +0100 Subject: [PATCH 03/12] fix: move security rule to security folder 2 --- .../builtin/security}/workstation_was_locked.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/{compliance => windows/builtin/security}/workstation_was_locked.yml (100%) 
diff --git a/rules/compliance/workstation_was_locked.yml b/rules/windows/builtin/security/workstation_was_locked.yml similarity index 100% rename from rules/compliance/workstation_was_locked.yml rename to rules/windows/builtin/security/workstation_was_locked.yml From 43912f2be7dbfbdf8edf812f502c47db15e10438 Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 22 Dec 2022 20:15:07 +0100 Subject: [PATCH 04/12] fix: rename files part 1 --- ...ext_protocols.yml => net_firewall_cleartext_protocols.yml} | 0 ...ver_load.yml => win_codeintegrity_blocked_driver_load.yml} | 0 ...ogging.yml => win_security_group_modification_logging.yml} | 0 ...was_locked.yml => win_security_workstation_was_locked.yml} | 0 ...preter_or_cobaltstrike_getsystem_service_installation.yml} | 0 rules/windows/builtin/system/win_system_pcap_drivers.yml | 4 ++-- ...eation.yml => win_taskscheduler_rare_schtask_creation.yml} | 0 ...ocations.yml => win_taskscheduler_susp_task_locations.yml} | 0 ...e_thread_win_winapi_in_powershell_credentials_dumping.yml} | 0 ...s.yml => dns_query_win_remote_access_software_domains.yml} | 0 ..._mal_creddumper.yml => driver_load_win_mal_creddumper.yml} | 0 ...rtry_driver.yml => driver_load_win_mal_poortry_driver.yml} | 0 ...te_driver.yml => driver_load_win_vuln_gigabyte_driver.yml} | 0 ...n_hevd_driver.yml => driver_load_win_vuln_hevd_driver.yml} | 0 ..._vuln_hw_driver.yml => driver_load_win_vuln_hw_driver.yml} | 0 ...novo_driver.yml => driver_load_win_vuln_lenovo_driver.yml} | 0 ...g0_driver.yml => driver_load_win_vuln_winring0_driver.yml} | 0 ...river_load_windivert.yml => driver_load_win_windivert.yml} | 0 18 files changed, 2 insertions(+), 2 deletions(-) rename rules/network/firewall/{firewall_cleartext_protocols.yml => net_firewall_cleartext_protocols.yml} (100%) rename rules/windows/builtin/code_integrity/{win_codeintergiry_blocked_driver_load.yml => win_codeintegrity_blocked_driver_load.yml} (100%) rename rules/windows/builtin/security/{group_modification_logging.yml => win_security_group_modification_logging.yml} (100%) rename rules/windows/builtin/security/{workstation_was_locked.yml => win_security_workstation_was_locked.yml} (100%) rename 
rules/windows/{driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml => builtin/system/driver_load_win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml} (100%) rename rules/windows/builtin/taskscheduler/{win_rare_schtask_creation.yml => win_taskscheduler_rare_schtask_creation.yml} (100%) rename rules/windows/builtin/taskscheduler/{win_task_scheduler_susp_task_locations.yml => win_taskscheduler_susp_task_locations.yml} (100%) rename rules/windows/create_remote_thread/{create_remote_thread_winapi_in_powershell_credentials_dumping.yml => create_remote_thread_win_winapi_in_powershell_credentials_dumping.yml} (100%) rename rules/windows/dns_query/{dns_query_remote_access_software_domains.yml => dns_query_win_remote_access_software_domains.yml} (100%) rename rules/windows/driver_load/{driver_load_mal_creddumper.yml => driver_load_win_mal_creddumper.yml} (100%) rename rules/windows/driver_load/{driver_load_mal_poortry_driver.yml => driver_load_win_mal_poortry_driver.yml} (100%) rename rules/windows/driver_load/{driver_load_vuln_gigabyte_driver.yml => driver_load_win_vuln_gigabyte_driver.yml} (100%) rename rules/windows/driver_load/{driver_load_vuln_hevd_driver.yml => driver_load_win_vuln_hevd_driver.yml} (100%) rename rules/windows/driver_load/{driver_load_vuln_hw_driver.yml => driver_load_win_vuln_hw_driver.yml} (100%) rename rules/windows/driver_load/{driver_load_vuln_lenovo_driver.yml => driver_load_win_vuln_lenovo_driver.yml} (100%) rename rules/windows/driver_load/{driver_load_vuln_winring0_driver.yml => driver_load_win_vuln_winring0_driver.yml} (100%) rename rules/windows/driver_load/{driver_load_windivert.yml => driver_load_win_windivert.yml} (100%) 
diff --git a/rules/network/firewall/firewall_cleartext_protocols.yml b/rules/network/firewall/net_firewall_cleartext_protocols.yml similarity index 100% rename from rules/network/firewall/firewall_cleartext_protocols.yml rename to rules/network/firewall/net_firewall_cleartext_protocols.yml diff --git a/rules/windows/builtin/code_integrity/win_codeintergiry_blocked_driver_load.yml b/rules/windows/builtin/code_integrity/win_codeintegrity_blocked_driver_load.yml similarity index 100% rename from rules/windows/builtin/code_integrity/win_codeintergiry_blocked_driver_load.yml rename to rules/windows/builtin/code_integrity/win_codeintegrity_blocked_driver_load.yml diff --git a/rules/windows/builtin/security/group_modification_logging.yml b/rules/windows/builtin/security/win_security_group_modification_logging.yml similarity index 100% rename from rules/windows/builtin/security/group_modification_logging.yml rename to rules/windows/builtin/security/win_security_group_modification_logging.yml diff --git a/rules/windows/builtin/security/workstation_was_locked.yml b/rules/windows/builtin/security/win_security_workstation_was_locked.yml similarity index 100% rename from rules/windows/builtin/security/workstation_was_locked.yml rename to rules/windows/builtin/security/win_security_workstation_was_locked.yml diff --git a/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/windows/builtin/system/driver_load_win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml similarity index 100% rename from rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml rename to rules/windows/builtin/system/driver_load_win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml diff --git a/rules/windows/builtin/system/win_system_pcap_drivers.yml b/rules/windows/builtin/system/win_system_pcap_drivers.yml index 5a2361e62..d0ae0f782 100644 
--- a/rules/windows/builtin/system/win_system_pcap_drivers.yml
+++ b/rules/windows/builtin/system/win_system_pcap_drivers.yml
@@ -6,14 +6,14 @@ references:
 - https://ragged-lab.blogspot.com/2020/06/capturing-pcap-driver-installations.html#more
 author: Cian Heasley
 date: 2020/06/10
-modified: 2021/11/27
+modified: 2022/12/22
 tags:
 - attack.discovery
 - attack.credential_access
 - attack.t1040
 logsource:
 product: windows
- service: security
+ service: system
 definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
 detection:
 selection:
diff --git a/rules/windows/builtin/taskscheduler/win_rare_schtask_creation.yml b/rules/windows/builtin/taskscheduler/win_taskscheduler_rare_schtask_creation.yml
similarity index 100%
rename from rules/windows/builtin/taskscheduler/win_rare_schtask_creation.yml
rename to rules/windows/builtin/taskscheduler/win_taskscheduler_rare_schtask_creation.yml
diff --git a/rules/windows/builtin/taskscheduler/win_task_scheduler_susp_task_locations.yml b/rules/windows/builtin/taskscheduler/win_taskscheduler_susp_task_locations.yml
similarity index 100%
rename from rules/windows/builtin/taskscheduler/win_task_scheduler_susp_task_locations.yml
rename to rules/windows/builtin/taskscheduler/win_taskscheduler_susp_task_locations.yml
diff --git a/rules/windows/create_remote_thread/create_remote_thread_winapi_in_powershell_credentials_dumping.yml b/rules/windows/create_remote_thread/create_remote_thread_win_winapi_in_powershell_credentials_dumping.yml
similarity index 100%
rename from rules/windows/create_remote_thread/create_remote_thread_winapi_in_powershell_credentials_dumping.yml
rename to rules/windows/create_remote_thread/create_remote_thread_win_winapi_in_powershell_credentials_dumping.yml
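Review bot: Switching `service: security` to `service: system` leaves the retained `definition:` line describing the Security-log prerequisite for EID 4697 (the 'System Security Extension' audit subcategory), which does not apply to the System channel, so the rule now documents a log source it no longer reads. If the detection block (outside this hunk) still selects `EventID: 4697`, the rule will stop matching entirely, since 4697 is only written to the Security log; if it was moved to the System-log service-installation event 7045, the definition should say so instead, e.g. `definition: Service installation events (EID 7045) are written to the System log by default`. This is also a behavioural change hidden inside a commit titled "rename files part 1" whose other 17 files are pure renames; a separate commit would make the logsource switch reviewable on its own.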
diff --git a/rules/windows/dns_query/dns_query_remote_access_software_domains.yml b/rules/windows/dns_query/dns_query_win_remote_access_software_domains.yml similarity index 100% rename from rules/windows/dns_query/dns_query_remote_access_software_domains.yml rename to rules/windows/dns_query/dns_query_win_remote_access_software_domains.yml diff --git a/rules/windows/driver_load/driver_load_mal_creddumper.yml b/rules/windows/driver_load/driver_load_win_mal_creddumper.yml similarity index 100% rename from rules/windows/driver_load/driver_load_mal_creddumper.yml rename to rules/windows/driver_load/driver_load_win_mal_creddumper.yml diff --git a/rules/windows/driver_load/driver_load_mal_poortry_driver.yml b/rules/windows/driver_load/driver_load_win_mal_poortry_driver.yml similarity index 100% rename from rules/windows/driver_load/driver_load_mal_poortry_driver.yml rename to rules/windows/driver_load/driver_load_win_mal_poortry_driver.yml diff --git a/rules/windows/driver_load/driver_load_vuln_gigabyte_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_gigabyte_driver.yml similarity index 100% rename from rules/windows/driver_load/driver_load_vuln_gigabyte_driver.yml rename to rules/windows/driver_load/driver_load_win_vuln_gigabyte_driver.yml diff --git a/rules/windows/driver_load/driver_load_vuln_hevd_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_hevd_driver.yml similarity index 100% rename from rules/windows/driver_load/driver_load_vuln_hevd_driver.yml rename to rules/windows/driver_load/driver_load_win_vuln_hevd_driver.yml diff --git a/rules/windows/driver_load/driver_load_vuln_hw_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_hw_driver.yml similarity index 100% rename from rules/windows/driver_load/driver_load_vuln_hw_driver.yml rename to rules/windows/driver_load/driver_load_win_vuln_hw_driver.yml 
diff --git a/rules/windows/driver_load/driver_load_vuln_lenovo_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_lenovo_driver.yml similarity index 100% rename from rules/windows/driver_load/driver_load_vuln_lenovo_driver.yml rename to rules/windows/driver_load/driver_load_win_vuln_lenovo_driver.yml diff --git a/rules/windows/driver_load/driver_load_vuln_winring0_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml similarity index 100% rename from rules/windows/driver_load/driver_load_vuln_winring0_driver.yml rename to rules/windows/driver_load/driver_load_win_vuln_winring0_driver.yml diff --git a/rules/windows/driver_load/driver_load_windivert.yml b/rules/windows/driver_load/driver_load_win_windivert.yml similarity index 100% rename from rules/windows/driver_load/driver_load_windivert.yml rename to rules/windows/driver_load/driver_load_win_windivert.yml From 4577ea702a747e705c75b7257d4299f86739d432 Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 22 Dec 2022 20:19:38 +0100 Subject: [PATCH 05/12] fix: rename more files --- ...tstrike_getsystem_service_installation.yml | 54 ------------------- ...owershell_script_installed_as_service.yml} | 0 ...yml => driver_load_win_process_hacker.yml} | 0 ....yml => driver_load_win_susp_temp_use.yml} | 0 ...ad_win_vuln_avast_anti_rootkit_driver.yml} | 0 ...l => driver_load_win_vuln_dell_driver.yml} | 0 ...s.yml => driver_load_win_vuln_drivers.yml} | 0 ...=> driver_load_win_vuln_drivers_names.yml} | 0 ...ccess_win_shellcode_inject_msf_empire.yml} | 0 ....yml => proc_access_win_susp_seclogon.yml} | 0 ...api_in_powershell_credentials_dumping.yml} | 0 ...roc_creation_win_wmic_tamper_defender.yml} | 0 ...cleanup_handler_new_entry_persistence.yml} | 0 ...stry_set_natural_language_persistence.yml} | 0 14 files changed, 54 deletions(-) delete mode 100644 rules/windows/builtin/system/driver_load_win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml rename rules/windows/driver_load/{driver_load_powershell_script_installed_as_service.yml => driver_load_win_powershell_script_installed_as_service.yml} (100%) rename rules/windows/driver_load/{driver_load_process_hacker.yml => driver_load_win_process_hacker.yml} (100%) rename rules/windows/driver_load/{driver_load_susp_temp_use.yml => driver_load_win_susp_temp_use.yml} (100%) mode change 100755 => 100644 rename rules/windows/driver_load/{driver_load_vuln_avast_anti_rootkit_driver.yml => driver_load_win_vuln_avast_anti_rootkit_driver.yml} (100%) rename rules/windows/driver_load/{driver_load_vuln_dell_driver.yml => driver_load_win_vuln_dell_driver.yml} (100%) rename rules/windows/driver_load/{driver_load_vuln_drivers.yml => driver_load_win_vuln_drivers.yml} (100%) rename rules/windows/driver_load/{driver_load_vuln_drivers_names.yml => driver_load_win_vuln_drivers_names.yml} (100%) rename 
rules/windows/process_access/{process_access_win_shellcode_inject_msf_empire.yml => proc_access_win_shellcode_inject_msf_empire.yml} (100%) rename rules/windows/process_access/{process_access_win_susp_seclogon.yml => proc_access_win_susp_seclogon.yml} (100%) rename rules/windows/process_access/{process_access_winapi_in_powershell_credentials_dumping.yml => proc_access_winapi_in_powershell_credentials_dumping.yml} (100%) rename rules/windows/process_creation/{proc_creation_wmic_tamper_defender.yml => proc_creation_win_wmic_tamper_defender.yml} (100%) rename rules/windows/registry/registry_add/{registry_set_disk_cleanup_handler_new_entry_persistence.yml => registry_add_disk_cleanup_handler_new_entry_persistence.yml} (100%) rename rules/windows/registry/registry_set/{regsitry_set_natural_language_persistence.yml => registry_set_natural_language_persistence.yml} (100%) diff --git a/rules/windows/builtin/system/driver_load_win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/windows/builtin/system/driver_load_win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml deleted file mode 100644 index b3afed27b..000000000 --- a/rules/windows/builtin/system/driver_load_win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml +++ /dev/null 
@@ -1,54 +0,0 @@ -title: Meterpreter or Cobalt Strike Getsystem Service Installation -id: d585ab5a-6a69-49a8-96e8-4a726a54de46 -related: - - id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6 - type: derived -status: test -description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation -references: - - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment - - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/ -author: Teymur Kheirkhabarov, Ecco, Florian Roth -date: 2019/10/26 -modified: 2022/10/09 -tags: - - attack.privilege_escalation - - attack.t1134.001 - - attack.t1134.002 -logsource: - product: windows - category: driver_load -detection: - selection: - # meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a - - ImagePath|contains|all: - - 'cmd' - - '/c' - - 'echo' - - '\pipe\' - # cobaltstrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a - - ImagePath|contains|all: - - '%COMSPEC%' - - '/c' - - 'echo' - - '\pipe\' - # cobaltstrike getsystem technique 1b (expanded %COMSPEC%): %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a - - ImagePath|contains|all: - - 'cmd.exe' - - '/c' - - 'echo' - - '\pipe\' - # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn - - ImagePath|contains|all: - - 'rundll32' - - '.dll,a' - - '/p:' - condition: selection -fields: - - ComputerName - - SubjectDomainName - - SubjectUserName - - ImagePath -falsepositives: - - Highly unlikely -level: critical 
diff --git a/rules/windows/driver_load/driver_load_powershell_script_installed_as_service.yml b/rules/windows/driver_load/driver_load_win_powershell_script_installed_as_service.yml similarity index 100% rename from rules/windows/driver_load/driver_load_powershell_script_installed_as_service.yml rename to rules/windows/driver_load/driver_load_win_powershell_script_installed_as_service.yml diff --git a/rules/windows/driver_load/driver_load_process_hacker.yml b/rules/windows/driver_load/driver_load_win_process_hacker.yml similarity index 100% rename from rules/windows/driver_load/driver_load_process_hacker.yml rename to rules/windows/driver_load/driver_load_win_process_hacker.yml diff --git a/rules/windows/driver_load/driver_load_susp_temp_use.yml b/rules/windows/driver_load/driver_load_win_susp_temp_use.yml old mode 100755 new mode 100644 similarity index 100% rename from rules/windows/driver_load/driver_load_susp_temp_use.yml rename to rules/windows/driver_load/driver_load_win_susp_temp_use.yml diff --git a/rules/windows/driver_load/driver_load_vuln_avast_anti_rootkit_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_avast_anti_rootkit_driver.yml similarity index 100% rename from rules/windows/driver_load/driver_load_vuln_avast_anti_rootkit_driver.yml rename to rules/windows/driver_load/driver_load_win_vuln_avast_anti_rootkit_driver.yml diff --git a/rules/windows/driver_load/driver_load_vuln_dell_driver.yml b/rules/windows/driver_load/driver_load_win_vuln_dell_driver.yml similarity index 100% rename from rules/windows/driver_load/driver_load_vuln_dell_driver.yml rename to rules/windows/driver_load/driver_load_win_vuln_dell_driver.yml diff --git a/rules/windows/driver_load/driver_load_vuln_drivers.yml b/rules/windows/driver_load/driver_load_win_vuln_drivers.yml similarity index 100% rename from rules/windows/driver_load/driver_load_vuln_drivers.yml rename to rules/windows/driver_load/driver_load_win_vuln_drivers.yml 
diff --git a/rules/windows/driver_load/driver_load_vuln_drivers_names.yml b/rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml similarity index 100% rename from rules/windows/driver_load/driver_load_vuln_drivers_names.yml rename to rules/windows/driver_load/driver_load_win_vuln_drivers_names.yml diff --git a/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml b/rules/windows/process_access/proc_access_win_shellcode_inject_msf_empire.yml similarity index 100% rename from rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml rename to rules/windows/process_access/proc_access_win_shellcode_inject_msf_empire.yml diff --git a/rules/windows/process_access/process_access_win_susp_seclogon.yml b/rules/windows/process_access/proc_access_win_susp_seclogon.yml similarity index 100% rename from rules/windows/process_access/process_access_win_susp_seclogon.yml rename to rules/windows/process_access/proc_access_win_susp_seclogon.yml diff --git a/rules/windows/process_access/process_access_winapi_in_powershell_credentials_dumping.yml b/rules/windows/process_access/proc_access_winapi_in_powershell_credentials_dumping.yml similarity index 100% rename from rules/windows/process_access/process_access_winapi_in_powershell_credentials_dumping.yml rename to rules/windows/process_access/proc_access_winapi_in_powershell_credentials_dumping.yml diff --git a/rules/windows/process_creation/proc_creation_wmic_tamper_defender.yml b/rules/windows/process_creation/proc_creation_win_wmic_tamper_defender.yml similarity index 100% rename from rules/windows/process_creation/proc_creation_wmic_tamper_defender.yml rename to rules/windows/process_creation/proc_creation_win_wmic_tamper_defender.yml 
diff --git a/rules/windows/registry/registry_add/registry_set_disk_cleanup_handler_new_entry_persistence.yml b/rules/windows/registry/registry_add/registry_add_disk_cleanup_handler_new_entry_persistence.yml similarity index 100% rename from rules/windows/registry/registry_add/registry_set_disk_cleanup_handler_new_entry_persistence.yml rename to rules/windows/registry/registry_add/registry_add_disk_cleanup_handler_new_entry_persistence.yml diff --git a/rules/windows/registry/registry_set/regsitry_set_natural_language_persistence.yml b/rules/windows/registry/registry_set/registry_set_natural_language_persistence.yml similarity index 100% rename from rules/windows/registry/registry_set/regsitry_set_natural_language_persistence.yml rename to rules/windows/registry/registry_set/registry_set_natural_language_persistence.yml From b40a67c3a6c3ab42f328d6abb12d62bd9819d8a1 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 22 Dec 2022 20:23:54 +0100 Subject: [PATCH 06/12] fix: rename proc access rule --- ... proc_access_win_winapi_in_powershell_credentials_dumping.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/windows/process_access/{proc_access_winapi_in_powershell_credentials_dumping.yml => proc_access_win_winapi_in_powershell_credentials_dumping.yml} (100%) diff --git a/rules/windows/process_access/proc_access_winapi_in_powershell_credentials_dumping.yml b/rules/windows/process_access/proc_access_win_winapi_in_powershell_credentials_dumping.yml similarity index 100% rename from rules/windows/process_access/proc_access_winapi_in_powershell_credentials_dumping.yml rename to rules/windows/process_access/proc_access_win_winapi_in_powershell_credentials_dumping.yml From 72bdf4c6c21520b9fd119aff986127d1bd2bb8fd Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 22 Dec 2022 20:31:21 +0100 Subject: [PATCH 07/12] feat: enhance test and resolve #3724 --- tests/test_rules.py | 137 +++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 136 insertions(+), 1 deletion(-) diff --git a/tests/test_rules.py b/tests/test_rules.py index b7d9e8f0e..0e7d70d6c 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py 
@@ -729,10 +729,145 @@ class TestRules(unittest.TestCase): print( Fore.YELLOW + "Rule {} has a file name that doesn't match our standard.".format(file)) faulty_rules.append(file) + else: + # This test make sure that every rules has a filename that corresponds to + # It's specific logsource. + # Fix Issue #1381 (https://github.com/SigmaHQ/sigma/issues/1381) + logsource = self.get_rule_part(file_path=file, part_name="logsource") + if logsource: + pattern_prefix = "" + os_infix = "" + os_bool = False + for key,value in logsource.items(): + if key == "definition": + pass + else: + if key == "product": + # This is to get the OS for certain categories + if value == "windows": + os_infix = "win_" + elif value == "macos": + os_infix = "macos_" + elif value == "linux": + os_infix = "lnx_" + # For other stuff + elif value == "aws": + pattern_prefix = "aws_" + elif value == "azure": + pattern_prefix = "azure_" + elif value == "gcp": + pattern_prefix = "gcp_" + elif value == "gworkspace": + pattern_prefix = "gworkspace_" + elif value == "m365": + pattern_prefix = "microsoft365_" + elif value == "okta": + pattern_prefix = "okta_" + elif value == "onelogin": + pattern_prefix = "onelogin_" + elif key == "category": + if value == "process_creation": + pattern_prefix = "proc_creation_" + os_bool = True + elif value == "image_load": + pattern_prefix = "image_load_" + elif value == "file_event": + pattern_prefix = "file_event_" + os_bool = True + elif value == "registry_set": + pattern_prefix = "registry_set_" + elif value == "registry_add": + pattern_prefix = "registry_add_" + elif value == "registry_event": + pattern_prefix = "registry_event_" + elif value == "registry_delete": + pattern_prefix = "registry_delete_" + elif value == "registry_rename": + pattern_prefix = "registry_rename_" + elif value == "process_access": + pattern_prefix = "proc_access_" + os_bool = True + elif value == "driver_load": + pattern_prefix = "driver_load_" + os_bool = True + elif value == "dns_query": + 
pattern_prefix = "dns_query_" + os_bool = True + elif value == "ps_script": + pattern_prefix = "posh_ps_" + elif value == "ps_module": + pattern_prefix = "posh_pm_" + elif value == "ps_classic_start": + pattern_prefix = "posh_pc_" + elif value == "pipe_created": + pattern_prefix = "pipe_created_" + elif value == "network_connection": + pattern_prefix = "net_connection_" + os_bool = True + elif value == "file_rename": + pattern_prefix = "file_rename_" + os_bool = True + elif value == "file_delete": + pattern_prefix = "file_delete_" + os_bool = True + elif value == "file_change": + pattern_prefix = "file_change_" + os_bool = True + elif value == "file_access": + pattern_prefix = "file_access_" + os_bool = True + elif value == "create_stream_hash": + pattern_prefix = "create_stream_hash_" + elif value == "create_remote_thread": + pattern_prefix = "create_remote_thread_win_" + elif value == "dns": + pattern_prefix = "net_dns_" + elif value == "firewall": + pattern_prefix = "net_firewall_" + elif value == "webserver": + pattern_prefix = "web_" + elif key == "service": + if value == "auditd": + pattern_prefix = "lnx_auditd_" + elif value == "modsecurity": + pattern_prefix = "modsec_" + elif value == "diagnosis-scripted": + pattern_prefix = "win_diagnosis_scripted_" + elif value == "firewall-as": + pattern_prefix = "win_firewall_as_" + elif value == "msexchange-management": + pattern_prefix = "win_exchange_" + elif value == "security": + pattern_prefix = "win_security_" + elif value == "system": + pattern_prefix = "win_system_" + elif value == "taskscheduler": + pattern_prefix = "win_taskscheduler_" + elif value == "terminalservices-localsessionmanager": + pattern_prefix = "win_terminalservices_" + elif value == "windefend": + pattern_prefix = "win_defender_" + elif value == "wmi": + pattern_prefix = "win_wmi_" + elif value == "codeintegrity-operational": + pattern_prefix = "win_codeintegrity_" + elif value == "bits-client": + pattern_prefix = "win_bits_client_" + elif 
value == "applocker": + pattern_prefix = "win_applocker_" + + # This value is used to test if we should add the OS infix for certain categories + if os_bool: + pattern_prefix += os_infix + if pattern_prefix != "": + if not filename.startswith(pattern_prefix): + print( + Fore.YELLOW + "Rule {} has a file name that doesn't match our standard naming convention.".format(file)) + faulty_rules.append(file) name_lst.append(filename) self.assertEqual(faulty_rules, [], Fore.RED + - r'There are rules with malformed file names (too short, too long, uppercase letters, a minus sign etc.). Please see the file names used in our repository and adjust your file names accordingly. The pattern for a valid file name is \'[a-z0-9_]{10,70}\.yml\' and it has to contain at least an underline character.') + r'There are rules with malformed file names (too short, too long, uppercase letters, a minus sign etc.). Please see the file names used in our repository and adjust your file names accordingly. The pattern for a valid file name is \'[a-z0-9_]{10,70}\.yml\' and it has to contain at least an underline character. It also has to follow the following naming convention https://github.com/SigmaHQ/sigma-specification/blob/main/sigmahq/Sigmahq_filename_rule.md') def test_title(self): faulty_rules = [] From b02f8b5936f74843b8643396d321a099ecbed0cb Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 22 Dec 2022 20:48:05 +0100 Subject: [PATCH 08/12] fix: rollback deletion and transfer to unsupported --- ...tstrike_getsystem_service_installation.yml | 54 +++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 rules-unsupported/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml 
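Review bot: Every branch of the new `for key,value in logsource.items()` ladder overwrites `pattern_prefix`, so a rule whose logsource carries more than one mapped key (a cloud `product` such as `aws` together with a listed `category`, or both `category` and `service`) gets whichever prefix its YAML happens to list last, making the check depend on key order rather than on a documented precedence. The roughly one hundred lines of `if value == ... / elif value == ...` also make adding a category error-prone; the same mapping fits in three dicts with the precedence written once, as sketched below (entries abbreviated). The `create_remote_thread` branch hard-codes `create_remote_thread_win_` instead of using `os_bool` like the other Windows-only categories, which the table form would also make visible. The enclosing test method starts before this hunk.

```python
# Tables replace the if/elif ladder; precedence is service > category > product, applied once.
OS_INFIX = {"windows": "win_", "macos": "macos_", "linux": "lnx_"}
PRODUCT_PREFIX = {"aws": "aws_", "azure": "azure_", "gcp": "gcp_", "gworkspace": "gworkspace_",
                  "m365": "microsoft365_", "okta": "okta_", "onelogin": "onelogin_"}
# category -> (prefix, append OS infix?)
CATEGORY_PREFIX = {"process_creation": ("proc_creation_", True), "image_load": ("image_load_", False),
                   # … remaining category entries from the original chain …
                   "create_remote_thread": ("create_remote_thread_win_", False), "webserver": ("web_", False)}
SERVICE_PREFIX = {"auditd": "lnx_auditd_", "modsecurity": "modsec_",
                  # … remaining service entries from the original chain …
                  "applocker": "win_applocker_"}

os_infix = OS_INFIX.get(logsource.get("product"), "")
if "service" in logsource:
    pattern_prefix = SERVICE_PREFIX.get(logsource["service"], "")
elif "category" in logsource:
    pattern_prefix, needs_os = CATEGORY_PREFIX.get(logsource["category"], ("", False))
    if needs_os:
        pattern_prefix += os_infix
else:
    pattern_prefix = PRODUCT_PREFIX.get(logsource.get("product"), "")
# … unchanged: startswith(pattern_prefix) check and faulty_rules.append …
```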
diff --git a/rules-unsupported/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules-unsupported/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml new file mode 100644 index 000000000..5c3f04abd --- /dev/null +++ b/rules-unsupported/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml 
@@ -0,0 +1,54 @@ +title: Meterpreter or Cobalt Strike Getsystem Service Installation +id: d585ab5a-6a69-49a8-96e8-4a726a54de46 +related: + - id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6 + type: derived +status: unsupported +description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation +references: + - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment + - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/ +author: Teymur Kheirkhabarov, Ecco, Florian Roth +date: 2019/10/26 +modified: 2022/10/09 +tags: + - attack.privilege_escalation + - attack.t1134.001 + - attack.t1134.002 +logsource: + product: windows + category: driver_load +detection: + selection: + # meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a + - ImagePath|contains|all: + - 'cmd' + - '/c' + - 'echo' + - '\pipe\' + # cobaltstrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a + - ImagePath|contains|all: + - '%COMSPEC%' + - '/c' + - 'echo' + - '\pipe\' + # cobaltstrike getsystem technique 1b (expanded %COMSPEC%): %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a + - ImagePath|contains|all: + - 'cmd.exe' + - '/c' + - 'echo' + - '\pipe\' + # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn + - ImagePath|contains|all: + - 'rundll32' + - '.dll,a' + - '/p:' + condition: selection +fields: + - ComputerName + - SubjectDomainName + - SubjectUserName + - ImagePath +falsepositives: + - Highly unlikely +level: critical \ No newline at end of file From fce8b1e80926a58f7b8e4492682d341a45338a37 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 22 Dec 2022 20:48:35 +0100 Subject: [PATCH 09/12] fix: update modified --- ...terpreter_or_cobaltstrike_getsystem_service_installation.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
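Review bot: The rule is re-added with `status: unsupported` but nothing in the file records why, so the next reader has to rediscover it. The detection keys `ImagePath`, `SubjectDomainName` and `SubjectUserName` are service-installation event fields, which the `driver_load` category (presumably Sysmon EID 6 here) does not expose, and that mismatch is what makes the derived copy unusable while the related rule 843544a7 keeps working; stating this in the description, e.g. `description: Unsupported - the driver_load logsource does not provide the ImagePath/SubjectUserName fields this service-installation logic needs; use the related system-log rule 843544a7-56e0-4dcc-a44f-5cc266dd97d6 instead`, would make the status self-explanatory. The file also ends without a trailing newline (`\ No newline at end of file`), which is worth fixing while it is being touched.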
diff --git a/rules-unsupported/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules-unsupported/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml index 5c3f04abd..4f23f2659 100644 --- a/rules-unsupported/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml +++ b/rules-unsupported/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml @@ -10,7 +10,7 @@ references: - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/ author: Teymur Kheirkhabarov, Ecco, Florian Roth date: 2019/10/26 -modified: 2022/10/09 +modified: 2022/12/22 tags: - attack.privilege_escalation - attack.t1134.001 From 0aa6f26a6fcf240dd65704f74a5b151c7814220e Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 23 Dec 2022 18:37:59 +0100 Subject: [PATCH 10/12] feat: updates and enhancements --- .../posh_ps_access_to_browser_login_data.yml | 2 + ..._creation_win_browser_remote_debugging.yml | 6 ++- ...eation_win_chromium_headless_debugging.yml | 28 +++++++++++ .../proc_creation_win_copy_browser_data.yml | 48 +++++++++++++++++++ ...reation_win_susp_copy_lateral_movement.yml | 7 ++- 5 files changed, 87 insertions(+), 4 deletions(-) create mode 100644 rules/windows/process_creation/proc_creation_win_chromium_headless_debugging.yml create mode 100644 rules/windows/process_creation/proc_creation_win_copy_browser_data.yml diff --git a/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml b/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml index ccdb8e75d..a745ebdc1 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml 
@@ -3,6 +3,8 @@ id: fc028194-969d-4122-8abe-0470d5b8f12f
 related:
 - id: 98f4c75c-3089-44f3-b733-b327b9cd9c9d
 type: obsoletes
+ - id: 47147b5b-9e17-4d76-b8d2-7bac24c5ce1b
+ type: similar
 status: experimental
 description: |
 Adversaries may acquire credentials from web browsers by reading files specific to the target browser.
diff --git a/rules/windows/process_creation/proc_creation_win_browser_remote_debugging.yml b/rules/windows/process_creation/proc_creation_win_browser_remote_debugging.yml
index b9641f1d0..67cb203bb 100644
--- a/rules/windows/process_creation/proc_creation_win_browser_remote_debugging.yml
+++ b/rules/windows/process_creation/proc_creation_win_browser_remote_debugging.yml
@@ -5,9 +5,11 @@ description: Detects browsers starting with the remote debugging flags. Which is
 references:
 - https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf
 - https://www.mdsec.co.uk/2022/10/analysing-lastpass-part-1/
+ - https://github.com/defaultnamehere/cookie_crimes/
+ - https://github.com/wunderwuzzi23/firefox-cookiemonster
 author: pH-T, Nasreddine Bencherchali (update)
 date: 2022/07/27
-modified: 2022/10/12
+modified: 2022/12/23
 tags:
 - attack.credential_access
 - attack.t1185
@@ -20,7 +22,7 @@ detection:
 CommandLine|contains: ' --remote-debugging-'
 selection_firefox:
 Image|endswith: '\firefox.exe'
- CommandLine|contains: ' -start-debugger-server '
+ CommandLine|contains: ' -start-debugger-server'
 condition: 1 of selection_*
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_chromium_headless_debugging.yml b/rules/windows/process_creation/proc_creation_win_chromium_headless_debugging.yml
new file mode 100644
index 000000000..2e9cc1673
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_chromium_headless_debugging.yml
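Review bot: Dropping the trailing space in `' -start-debugger-server'` still leaves the leading space plus a single dash, so the double-dash spelling `--start-debugger-server`, which Firefox's command-line parser also accepts, is not matched by this selection. With `Image|endswith: '\firefox.exe'` already narrowing it, `CommandLine|contains: 'start-debugger-server'` would cover both spellings without widening the match in practice. The enclosing detection block starts before this hunk.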
@@ -0,0 +1,28 @@
+title: Potential Data Stealing Via Chromium Headless Debugging
+id: 3e8207c5-fcd2-4ea6-9418-15d45b4890e4
+status: experimental
+description: Detects chromium based browsers starting in headless and debugging mode and pointing to a user profile. This could be a sign of data stealing or remote control
+references:
+ - https://github.com/defaultnamehere/cookie_crimes/
+ - https://mango.pdf.zone/stealing-chrome-cookies-without-a-password
+ - https://embracethered.com/blog/posts/2020/cookie-crimes-on-mirosoft-edge/
+ - https://embracethered.com/blog/posts/2020/chrome-spy-remote-control/
+author: Nasreddine Bencherchali
+date: 2022/12/23
+tags:
+ - attack.credential_access
+ - attack.t1185
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ # Covers: --remote-debugging-address, --remote-debugging-port, --remote-debugging-socket-name, --remote-debugging-pipe....etc
+ - '--remote-debugging-'
+ - '--user-data-dir'
+ - '--headless'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_copy_browser_data.yml b/rules/windows/process_creation/proc_creation_win_copy_browser_data.yml
new file mode 100644
index 000000000..2d5cc5949
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_copy_browser_data.yml
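Review bot: `falsepositives: - Unknown` undersells a known source of noise for this selection: browser automation and UI-testing frameworks (Puppeteer, Playwright, Selenium-driven Chromium) launch the browser with `--headless`, a `--remote-debugging-` flag and a throwaway `--user-data-dir`, which is exactly the `all` combination required here. Suggest `falsepositives: - Browser automation and UI testing frameworks launching headless Chromium with a temporary profile` and reconsidering `level: high` for environments where such tooling runs. The description also says the process is "pointing to a user profile", but the selection only checks that `--user-data-dir` is present; if the real profile is the concern, an additional `contains` on a profile location such as `\User Data\` would tie the rule to its description, at the cost of missing a profile that was first copied elsewhere.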
@@ -0,0 +1,48 @@
+title: Access to Browser Login Data
+id: 47147b5b-9e17-4d76-b8d2-7bac24c5ce1b
+related:
+ - id: fc028194-969d-4122-8abe-0470d5b8f12f
+ type: derived
+status: experimental
+description: |
+ Adversaries may acquire credentials from web browsers by reading files specific to the target browser.
+ Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.
+ Web browsers typically store the credentials in an encrypted format within a credential store.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md
+author: Nasreddine Bencherchali
+date: 2022/12/23
+tags:
+ - attack.credential_access
+ - attack.t1555.003
+logsource:
+ product: windows
+ category: ps_script
+ definition: Script block logging must be enabled
+detection:
+ selection_cmd:
+ - CommandLine|contains:
+ - 'copy-item'
+ - 'copy'
+ - 'cpi '
+ - ' cp '
+ - 'move'
+ - 'move-item'
+ - ' mi '
+ - ' mv '
+ - Image|endswith:
+ - '\xcopy.exe'
+ - '\robocopy.exe'
+ - OriginalFileName:
+ - 'XCOPY.EXE'
+ - 'robocopy.exe'
+ selection_path:
+ CommandLine|contains:
+ - '\Opera Software\Opera Stable\'
+ - '\Mozilla\Firefox\Profiles'
+ - '\Microsoft\Edge\User Data\'
+ - '\Google\Chrome\User Data\'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml b/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml
index 52255b0e0..6c971e5f2 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml
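Review bot: The `CommandLine|contains` list in `selection_cmd` is partly redundant and inconsistently anchored: `'copy'` already matches `copy-item` and also any `xcopy`/`robocopy` command line, so the `'copy-item'` entry and, in practice, the `Image|endswith`/`OriginalFileName` alternatives add nothing, and likewise `'move'` covers `'move-item'`. `'cpi '` has no leading space while `' cp '`, `' mi '` and `' mv '` do, so it also matches any token that merely ends in `cpi`. Either keep only the short substrings or anchor all of them the same way. For consistency with the other three profile paths, `'\Mozilla\Firefox\Profiles'` could carry the trailing backslash as `'\Mozilla\Firefox\Profiles\'`.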
@@ -9,7 +9,7 @@ references:
 - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
 author: 'Florian Roth, oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, Nasreddine Bencherchali'
 date: 2019/12/30
-modified: 2022/11/09
+modified: 2022/12/23
 tags:
 - attack.lateral_movement
 - attack.collection
@@ -22,9 +22,12 @@ logsource:
 product: windows
 detection:
 selection_other_tools:
- Image|endswith:
+ - Image|endswith:
 - '\robocopy.exe'
 - '\xcopy.exe'
+ - OriginalFileName:
+ - 'robocopy.exe'
+ - 'XCOPY.EXE'
 selection_cmd_img:
 - Image|endswith: '\cmd.exe'
 - OriginalFileName: 'Cmd.Exe'
From 92e4081de387223837bbc261d690b8c06c659edd Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 23 Dec 2022 19:20:43 +0100
Subject: [PATCH 11/12] fix: duplicate title
---
 .../process_creation/proc_creation_win_copy_browser_data.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_copy_browser_data.yml b/rules/windows/process_creation/proc_creation_win_copy_browser_data.yml
index 2d5cc5949..ee7a1a436 100644
--- a/rules/windows/process_creation/proc_creation_win_copy_browser_data.yml
+++ b/rules/windows/process_creation/proc_creation_win_copy_browser_data.yml
@@ -1,4 +1,4 @@
-title: Access to Browser Login Data
+title: Potential Browser Data Stealing
 id: 47147b5b-9e17-4d76-b8d2-7bac24c5ce1b
 related:
 - id: fc028194-969d-4122-8abe-0470d5b8f12f
From 5a8808e0acf493b8dd9f01010126245189d8675a Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 23 Dec 2022 19:27:34 +0100
Subject: [PATCH 12/12] fix: wrong category
---
 .../process_creation/proc_creation_win_copy_browser_data.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_copy_browser_data.yml b/rules/windows/process_creation/proc_creation_win_copy_browser_data.yml
index ee7a1a436..61e631384 100644
--- a/rules/windows/process_creation/proc_creation_win_copy_browser_data.yml
+++ b/rules/windows/process_creation/proc_creation_win_copy_browser_data.yml
@@ -16,9 +16,8 @@ tags:
 - attack.credential_access
 - attack.t1555.003
 logsource:
+ category: process_creation
 product: windows
- category: ps_script
- definition: Script block logging must be enabled
 detection:
 selection_cmd:
 - CommandLine|contains: