diff --git a/rules/windows/file/file_event/file_event_win_crackmapexec_patterns.yml b/deprecated/windows/file_event_win_crackmapexec_patterns.yml
similarity index 97%
rename from rules/windows/file/file_event/file_event_win_crackmapexec_patterns.yml
rename to deprecated/windows/file_event_win_crackmapexec_patterns.yml
index db2b09ece..d0d4349e2 100644
--- a/rules/windows/file/file_event/file_event_win_crackmapexec_patterns.yml
+++ b/deprecated/windows/file_event_win_crackmapexec_patterns.yml
@@ -1,12 +1,12 @@
 title: CrackMapExec File Creation Patterns
 id: 9433ff9c-5d3f-4269-99f8-95fc826ea489
-status: test
+status: deprecated
 description: Detects suspicious file creation patterns found in logs when CrackMapExec is used
 references:
     - https://mpgn.gitbook.io/crackmapexec/smb-protocol/obtaining-credentials/dump-lsass
 author: Florian Roth (Nextron Systems)
 date: 2022/03/12
-modified: 2022/05/27
+modified: 2024/03/01
 tags:
     - attack.credential_access
     - attack.t1003.001
diff --git a/rules/windows/network_connection/net_connection_win_susp_epmap.yml b/deprecated/windows/net_connection_win_susp_epmap.yml
similarity index 95%
rename from rules/windows/network_connection/net_connection_win_susp_epmap.yml
rename to deprecated/windows/net_connection_win_susp_epmap.yml
index 6cff1bdea..ff96373fb 100644
--- a/rules/windows/network_connection/net_connection_win_susp_epmap.yml
+++ b/deprecated/windows/net_connection_win_susp_epmap.yml
@@ -1,12 +1,12 @@
 title: Suspicious Epmap Connection
 id: 628d7a0b-7b84-4466-8552-e6138bc03b43
-status: experimental
+status: deprecated
 description: Detects suspicious "epmap" connection to a remote computer via remote procedure call (RPC)
 references:
     - https://github.com/RiccardoAncarani/TaskShell/
 author: frack113, Tim Shelton (fps)
 date: 2022/07/14
-modified: 2023/09/28
+modified: 2024/03/01
 tags:
     - attack.lateral_movement
 logsource:
diff --git a/rules-threat-hunting/windows/image_load/image_load_dll_dbghelp_dbgcore_susp_load.yml b/rules-threat-hunting/windows/image_load/image_load_dll_dbghelp_dbgcore_susp_load.yml
new file mode 100644
index 000000000..aaa0a8947
--- /dev/null
+++ b/rules-threat-hunting/windows/image_load/image_load_dll_dbghelp_dbgcore_susp_load.yml
@@ -0,0 +1,74 @@
+title: Dbghelp/Dbgcore DLL Loaded By Uncommon/Suspicious Process
+id: 0e277796-5f23-4e49-a490-483131d4f6e1
+related:
+    - id: bdc64095-d59a-42a2-8588-71fd9c9d9abc # Unsigned Loading
+      type: similar
+status: test
+description: |
+    Detects the load of dbghelp/dbgcore DLL by a potentially uncommon or potentially suspicious process.
+    The Dbghelp and Dbgcore DLLs export functions that allow for the dump of process memory. Tools like ProcessHacker, Task Manager and some attacker tradecraft use the MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.
+    As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.
+    Keep in mind that many legitimate Windows processes and services might load the aforementioned DLLs for debugging or other related purposes. Investigate the CommandLine and the Image location of the process loading the DLL.
+references:
+    - https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump
+    - https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html
+    - https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
+author: Perez Diego (@darkquassar), oscd.community, Ecco
+date: 2019/10/27
+modified: 2024/03/01
+tags:
+    - attack.credential_access
+    - attack.t1003.001
+    - detection.threat_hunting
+logsource:
+    category: image_load
+    product: windows
+detection:
+    selection:
+        ImageLoaded|endswith:
+            - '\dbghelp.dll'
+            - '\dbgcore.dll'
+        Image|endswith:
+            - '\bash.exe'
+            - '\cmd.exe'
+            - '\cscript.exe'
+            - '\dnx.exe'
+            - '\excel.exe'
+            - '\monitoringhost.exe'
+            - '\msbuild.exe'
+            - '\mshta.exe'
+            - '\outlook.exe'
+            - '\powerpnt.exe'
+            - '\regsvcs.exe'
+            - '\rundll32.exe'
+            - '\sc.exe'
+            - '\scriptrunner.exe'
+            - '\winword.exe'
+            - '\wmic.exe'
+            - '\wscript.exe'
+            # - '\powershell.exe' # Note: Triggered by installing common software
+            # - '\regsvr32.exe' # Note: triggered by installing common software
+            # - '\schtasks.exe' # Note: triggered by installing software
+            # - '\svchost.exe' # Note: triggered by some services
+    filter_main_tiworker:
+        # Note: This filter requires "CommandLine" field enrichment
+        CommandLine|startswith: 'C:\WINDOWS\WinSxS\'
+        CommandLine|endswith: '\TiWorker.exe -Embedding'
+    filter_main_generic:
+        # Note: This filter requires "CommandLine" field enrichment
+        Image|endswith: '\svchost.exe'
+        CommandLine|endswith:
+            - '-k LocalServiceNetworkRestricted'
+            - '-k WerSvcGroup'
+    filter_main_rundll32:
+        # Note: This filter requires "CommandLine" field enrichment
+        Image|endswith: '\rundll32.exe'
+        CommandLine|contains:
+            - '/d srrstr.dll,ExecuteScheduledSPPCreation'
+            - 'aepdu.dll,AePduRunUpdate'
+            - 'shell32.dll,OpenAs_RunDL'
+            - 'Windows.Storage.ApplicationData.dll,CleanupTemporaryState'
+    condition: selection and not 1 of filter_main_*
+falsepositives:
+    - Debugging scripts might leverage this DLL in order to dump process memory for further analysis.
+level: medium
diff --git a/rules/windows/file/file_event/file_event_win_hktl_crackmapexec_indicators.yml b/rules/windows/file/file_event/file_event_win_hktl_crackmapexec_indicators.yml
new file mode 100644
index 000000000..d8af348f9
--- /dev/null
+++ b/rules/windows/file/file_event/file_event_win_hktl_crackmapexec_indicators.yml
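Review bot: `filter_main_tiworker` and `filter_main_generic` can never exclude anything, because `selection` requires `Image|endswith` to match one of the listed binaries and neither `\svchost.exe` nor `\TiWorker.exe` is in that list (`- '\svchost.exe'` is commented out directly above the filters). Either drop the two filters, or — if the svchost.exe case is meant to be covered now that the rule lives under threat hunting — move `- '\svchost.exe'` back into the selection so the svchost filter has something to act on. `filter_main_generic` is in fact a svchost-only filter, so a name like `filter_main_svchost` would describe what it matches and keep the `filter_main_*` group self-explanatory. A short comment above `filter_main_tiworker` stating which selection entry it is expected to pair with would make a future tuner notice when that pairing is broken again.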
@@ -0,0 +1,31 @@
+title: CrackMapExec File Indicators
+id: 736ffa74-5f6f-44ca-94ef-1c0df4f51d2a
+related:
+    - id: 9433ff9c-5d3f-4269-99f8-95fc826ea489
+      type: obsoletes
+status: experimental
+description: Detects file creation events with filename patterns used by CrackMapExec.
+references:
+    - https://github.com/byt3bl33d3r/CrackMapExec/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2024/03/11
+tags:
+    - attack.credential_access
+    - attack.t1003.001
+logsource:
+    product: windows
+    category: file_event
+detection:
+    selection_path:
+        TargetFilename|startswith: 'C:\Windows\Temp\' # The disk extension is hardcoded in the tool.
+    selection_names_str:
+        TargetFilename|endswith:
+            - '\temp.ps1' # https://github.com/byt3bl33d3r/CrackMapExec/blob/3c3e412193cb6d3237abe90c543e5d995bfa4447/cme/modules/keepass_trigger.py#L42C41-L42C68
+            - '\msol.ps1' # https://github.com/byt3bl33d3r/CrackMapExec/blob/3c3e412193cb6d3237abe90c543e5d995bfa4447/cme/modules/msol.py#L48C98-L48C106
+    selection_names_re:
+        - TargetFilename|re: '\\[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\.txt$' # https://github.com/byt3bl33d3r/CrackMapExec/blob/3c3e412193cb6d3237abe90c543e5d995bfa4447/cme/protocols/wmi/wmiexec.py#L86
+        - TargetFilename|re: '\\[a-zA-Z]{8}\.tmp$' # https://github.com/byt3bl33d3r/CrackMapExec/blob/3c3e412193cb6d3237abe90c543e5d995bfa4447/cme/protocols/smb/atexec.py#L145C19-L146
+    condition: selection_path and 1 of selection_names_*
+falsepositives:
+    - Unknown
+level: high
diff --git a/rules/windows/image_load/image_load_dll_dbghelp_dbgcore_susp_load.yml b/rules/windows/image_load/image_load_dll_dbghelp_dbgcore_susp_load.yml
deleted file mode 100644
index 5f1586906..000000000
--- a/rules/windows/image_load/image_load_dll_dbghelp_dbgcore_susp_load.yml
+++ /dev/null
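Review bot: The `'\\[a-zA-Z]{8}\.tmp$'` entry in `selection_names_re` is the loosest of the four indicators — an eight-letter `.tmp` name directly under `C:\Windows\Temp\` is a generic temporary-file shape rather than something tool-specific — yet on its own it satisfies `1 of selection_names_*` at `level: high` with `falsepositives: - Unknown`. Consider documenting the expected noise source for that pattern, e.g. `- Installers and servicing tasks writing randomly named .tmp files to C:\Windows\Temp`, or moving it into its own lower-level selection so an analyst knows which of the matches to trust. Note also that Sigma's `re` modifier is case-sensitive while `startswith`/`endswith` are not, so `\.txt$` and `\.tmp$` only match lowercase extensions; that is consistent with the linked tool code, but a one-line comment saying so would stop a later edit from assuming the extensions are matched case-insensitively like the `.ps1` entries.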
@@ -1,59 +0,0 @@
-title: Load Of Dbghelp/Dbgcore DLL From Suspicious Process
-id: 0e277796-5f23-4e49-a490-483131d4f6e1
-related:
-    - id: bdc64095-d59a-42a2-8588-71fd9c9d9abc # Unsigned Loading
-      type: similar
-status: test
-description: |
-    Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes.
-    Tools like ProcessHacker and some attacker tradecraft use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll.
-    As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.
-references:
-    - https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump
-    - https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html
-    - https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
-author: Perez Diego (@darkquassar), oscd.community, Ecco
-date: 2019/10/27
-modified: 2023/03/09
-tags:
-    - attack.credential_access
-    - attack.t1003.001
-logsource:
-    category: image_load
-    product: windows
-detection:
-    selection:
-        ImageLoaded|endswith:
-            - '\dbghelp.dll'
-            - '\dbgcore.dll'
-        Image|endswith:
-            - '\msbuild.exe'
-            - '\cmd.exe'
-            # - '\svchost.exe' triggered by installing common software
-            - '\rundll32.exe'
-            # - '\powershell.exe' triggered by installing common software
-            - '\winword.exe'
-            - '\excel.exe'
-            - '\powerpnt.exe'
-            - '\outlook.exe'
-            - '\monitoringhost.exe'
-            - '\wmic.exe'
-            # - '\msiexec.exe' an installer installing a program using one of those DLL will raise an alert
-            - '\bash.exe'
-            - '\wscript.exe'
-            - '\cscript.exe'
-            - '\mshta.exe'
-            # - '\regsvr32.exe' triggered by installing common software
-            # - '\schtasks.exe' triggered by installing software
-            - '\dnx.exe'
-            - '\regsvcs.exe'
-            - '\sc.exe'
-            - '\scriptrunner.exe'
-    filter_tiworker:
-        # CommandLine field added by aurora
-        CommandLine|startswith: 'C:\WINDOWS\winsxs\'
-        CommandLine|endswith: '\TiWorker.exe -Embedding'
-    condition: selection and not 1 of filter*
-falsepositives:
-    - Unknown
-level: high
diff --git a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
index a855e2278..2a60622eb 100644
--- a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
+++ b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
@@ -10,7 +10,7 @@ references:
     - https://www.hexacorn.com/blog/2023/12/26/1-little-known-secret-of-runonce-exe-32-bit/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/14
-modified: 2024/01/10
+modified: 2024/03/11
 tags:
     - attack.defense_evasion
     - attack.persistence
@@ -445,36 +445,48 @@ detection:
     filter_main_generic:
         # Note: this filter is generic on purpose to avoid insane amount of FP from legitimate third party applications. A better approach would be to baseline everything and add specific filters to avoid blind spots
         ImageLoaded|contains:
-            - ':\Windows\System32\'
-            - ':\Windows\SysWOW64\'
-            - ':\Windows\WinSxS\'
-            - ':\Windows\SoftwareDistribution\'
-            - ':\Windows\SystemTemp\'
-            - ':\$WINDOWS.~BT\'
+            - 'C:\$WINDOWS.~BT\'
+            - 'C:\$WinREAgent\'
+            - 'C:\Windows\SoftwareDistribution\'
+            - 'C:\Windows\System32\'
+            - 'C:\Windows\SystemTemp\'
+            - 'C:\Windows\SysWOW64\'
+            - 'C:\Windows\WinSxS\'
+    filter_main_dot_net:
+        ImageLoaded|startswith: 'C:\Windows\Microsoft.NET\'
+        ImageLoaded|endswith: '\cscui.dll'
     filter_main_defender:
-        Image|contains: ':\ProgramData\Microsoft\Windows Defender\Platform\'
-        Image|endswith: '\version.dll'
+        ImageLoaded|contains: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
+        ImageLoaded|endswith: '\version.dll'
+    filter_optional_exchange:
+        ImageLoaded|contains: 'C:\Program Files\Microsoft\Exchange Server\'
+        ImageLoaded|endswith: '\mswb7.dll'
+    filter_optional_arsenal_image_mounter:
+        ImageLoaded|contains: 'C:\Program Files\Arsenal-Image-Mounter-'
+        ImageLoaded|endswith:
+            - '\mi.dll'
+            - '\miutils.dl'
     filter_optional_office_appvpolicy:
-        Image|endswith: ':\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe'
-        ImageLoaded|endswith: ':\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll'
+        Image|endswith: 'C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe'
+        ImageLoaded|endswith: 'C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll'
     filter_optional_azure:
-        ImageLoaded|contains: ':\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
+        ImageLoaded|contains: 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
     filter_optional_dell:
         Image|contains:
-            - ':\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
-            - ':\Windows\System32\backgroundTaskHost.exe'
+            - 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
+            - 'C:\Windows\System32\backgroundTaskHost.exe'
         ImageLoaded|contains: ':\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
     filter_optional_dell_wldp:
-        Image|contains: ':\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
+        Image|contains: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
         Image|endswith: '\wldp.dll'
     filter_optional_checkpoint:
         Image|contains:
-            - ':\Program Files\CheckPoint\'
-            - ':\Program Files (x86)\CheckPoint\'
+            - 'C:\Program Files\CheckPoint\'
+            - 'C:\Program Files (x86)\CheckPoint\'
         Image|endswith: '\SmartConsole.exe'
         ImageLoaded|contains:
-            - ':\Program Files\CheckPoint\'
-            - ':\Program Files (x86)\CheckPoint\'
+            - 'C:\Program Files\CheckPoint\'
+            - 'C:\Program Files (x86)\CheckPoint\'
         ImageLoaded|endswith: '\PolicyManager.dll'
     condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
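Review bot: `'\miutils.dl'` in the new `filter_optional_arsenal_image_mounter` looks like a truncated `'\miutils.dll'`; under `ImageLoaded|endswith` the current value can never match a `.dll` path, so that exclusion is dead and loads of the library will keep alerting. The one-character fix is `- '\miutils.dll'`. In the same hunk, `filter_optional_dell_wldp` keeps `Image|endswith: '\wldp.dll'` — a DLL name tested against the process image, which never ends in `.dll` — so that filter is inert too; `ImageLoaded|endswith: '\wldp.dll'` is presumably what was meant, and since the commit already rewrites the sibling `Image|contains` line this is the moment to correct it. Finally, every path in the hunk is now anchored on `C:` except the context line `ImageLoaded|contains: ':\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'` in `filter_optional_dell`; if the drive anchoring is deliberate, that line should follow for consistency.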