diff --git a/rules/windows/process_creation/proc_creation_win_susp_cmd_exectution_via_wmi.yml b/rules-deprecated/windows/proc_creation_win_susp_cmd_exectution_via_wmi.yml
similarity index 97%
rename from rules/windows/process_creation/proc_creation_win_susp_cmd_exectution_via_wmi.yml
rename to rules-deprecated/windows/proc_creation_win_susp_cmd_exectution_via_wmi.yml
index 1cf16816f..f11744720 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_cmd_exectution_via_wmi.yml
+++ b/rules-deprecated/windows/proc_creation_win_susp_cmd_exectution_via_wmi.yml
@@ -1,6 +1,6 @@
 title: Suspicious Cmd Execution via WMI
 id: e31f89f7-36fb-4697-8ab6-48823708353b
-status: experimental
+status: deprecated
 description: Detects suspicious command execution (cmd) via Windows Management Instrumentation (WMI) on a remote host. This could be indicative of adversary lateral movement.
 references:
 - https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html
diff --git a/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml b/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml
index ba53f5896..31a0b0df6 100644
--- a/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml
+++ b/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml
@@ -1,5 +1,8 @@
-title: Impacket Lateralization Detection
+title: Potential Impacket Lateral Movement Activity
 id: 10c14723-61c7-4c75-92ca-9af245723ad2
+related:
+ - id: e31f89f7-36fb-4697-8ab6-48823708353b
+ type: obsoletes
 status: stable
 description: Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework
 references:
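Review bot: The added `related` entry with `type: obsoletes` asserts that this rule now covers e31f89f7-36fb-4697-8ab6-48823708353b, yet both hunks of this file change only metadata (title, related, references, author, modified), so the detection block is untouched by the commit. The deprecated rule's description targets suspicious cmd execution via WMI on a remote host in general, while this rule's `description: Detects wmiexec/dcomexec/atexec/smbexec from Impacket framework` stays tool-specific; if the existing selection does not already match a generic WmiPrvSE→cmd.exe chain, that coverage now rests only on `selection_children_2` of the new proc_creation_win_wmiprvse_susp_child_processes.yml rule, which additionally requires specific keywords in the command line. Either extend the description to say which of the deprecated rule's cases are absorbed here, or place the `obsoletes` relation on the rule that actually absorbs them.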
@@ -7,9 +10,10 @@ references:
 - https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/atexec.py
 - https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/smbexec.py
 - https://github.com/SecureAuthCorp/impacket/blob/8b1a99f7c715702eafe3f24851817bb64721b156/examples/dcomexec.py
-author: Ecco, oscd.community, Jonhnathan Ribeiro
+ - https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html
+author: Ecco, oscd.community, Jonhnathan Ribeiro, Tim Rauch
 date: 2019/09/03
-modified: 2022/12/08
+modified: 2023/01/19
 tags:
 - attack.execution
 - attack.t1047
diff --git a/rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml b/rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml
deleted file mode 100644
index c01c586da..000000000
--- a/rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml
+++ /dev/null
@@ -1,33 +0,0 @@
-title: Lolbins Process Creation with WmiPrvse
-id: 8a582fe2-0882-4b89-a82a-da6b2dc32937
-status: experimental
-description: This rule will monitor LOLBin process creations by wmiprvse. Add more LOLBins to rule logic if needed.
-references:
- - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
-author: 'Vadim Khrykov (ThreatIntel), Cyb3rEng (Rule)'
-date: 2021/08/23
-modified: 2022/07/11
-tags:
- - attack.t1204.002
- - attack.t1047
- - attack.t1218.010
- - attack.execution
- - attack.defense_evasion
-logsource:
- product: windows
- category: process_creation
-detection:
- #useful_information: add more LOLBins to the rules logic of your choice.
- selection:
- Image|endswith:
- - '\regsvr32.exe'
- - '\rundll32.exe'
- - '\msiexec.exe'
- - '\mshta.exe'
- - '\verclsid.exe'
- ParentImage|endswith: '\wbem\WmiPrvSE.exe'
- condition: selection
-falsepositives:
- - Unknown
-level: high
diff --git a/rules/windows/process_creation/proc_creation_win_shell_spawn_susp_program.yml b/rules/windows/process_creation/proc_creation_win_shell_spawn_susp_program.yml
index f74bb8729..41f079839 100644
--- a/rules/windows/process_creation/proc_creation_win_shell_spawn_susp_program.yml
+++ b/rules/windows/process_creation/proc_creation_win_shell_spawn_susp_program.yml
@@ -1,12 +1,12 @@
-title: Windows Shell Spawning Suspicious Program
+title: Windows Shell/Scripting Processes Spawning Suspicious Programs
 id: 3a6586ad-127a-4d3b-a677-1e6eacdf8fde
 status: test
-description: Detects a suspicious child process of a Windows shell
+description: Detects suspicious child processes of a Windows shell and scripting processes such as wscript, rundll32, powershell, mshta...etc.
 references:
 - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
 author: Florian Roth, Tim Shelton
 date: 2018/04/06
-modified: 2022/07/27
+modified: 2023/01/19
 tags:
 - attack.execution
 - attack.defense_evasion
@@ -22,7 +22,7 @@ detection:
 - '\mshta.exe'
 - '\powershell.exe'
 - '\pwsh.exe'
- #- '*\cmd.exe' # too many false positives
+ #- '\cmd.exe' # too many false positives
 - '\rundll32.exe'
 - '\cscript.exe'
 - '\wscript.exe'
@@ -34,18 +34,18 @@ detection:
 - '\certutil.exe'
 - '\bitsadmin.exe'
 - '\mshta.exe'
- falsepositives_1:
+ filter_ccmcache:
 CurrentDirectory|contains: '\ccmcache\'
- falsepositives_2:
+ filter_amazon:
 ParentCommandLine|contains: # FP - Amazon Workspaces
 - '\Program Files\Amazon\WorkSpacesConfig\Scripts\setup-scheduledtask.ps1'
 - '\Program Files\Amazon\WorkSpacesConfig\Scripts\set-selfhealing.ps1'
 - '\Program Files\Amazon\WorkSpacesConfig\Scripts\check-workspacehealth.ps1'
 - '\nessus_' # Tenable/Nessus VA Scanner
- falsepositives_3:
+ filter_nessus:
 CommandLine|contains: '\nessus_' # Tenable/Nessus VA Scanner
- condition: selection and not 1 of falsepositives*
+ condition: selection and not 1 of filter_*
 fields:
 - CommandLine
 - ParentCommandLine
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_parent_process.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_parent_process.yml
index ff94f4f4a..bec927a81 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_powershell_parent_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_parent_process.yml
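Review bot: The renamed `filter_nessus` and `filter_ccmcache` exclusions still suppress any event whose `CommandLine` contains `\nessus_` or whose `CurrentDirectory` contains `\ccmcache\`, with no constraint on parent or image, so the rename to the `filter_*` convention does not narrow what the rule silently drops. Since the selection already restricts the child to a small set of LOLBINs, consider anchoring the exclusions on the parent as well (e.g. `ParentCommandLine|contains: '\nessus_'`, which `filter_amazon` already carries) or recording the accepted gap under `falsepositives` so analysts know these paths are exempt. The first hunk's new description ends in `mshta...etc.`; `such as wscript, rundll32, powershell or mshta` would read cleanly.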
@@ -1,12 +1,12 @@
 title: Suspicious PowerShell Parent Process
 id: 754ed792-634f-40ae-b3bc-e0448d33f695
 status: test
-description: Detects a suspicious parents of powershell.exe process
+description: Detects a suspicious or uncommon parent processes of PowerShell
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=26
 author: Teymur Kheirkhabarov, Harish Segar (rule)
 date: 2020/03/20
-modified: 2023/01/05
+modified: 2023/01/19
 tags:
 - attack.execution
 - attack.t1059.001
@@ -14,18 +14,6 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection_powershell:
- - Image|endswith:
- - '\powershell.exe'
- - '\pwsh.exe'
- - CommandLine|contains:
- - '/c powershell' # FPs with sub processes that contained "powershell" soemwhere in the command line
- - '/c pwsh'
- - Description: 'Windows PowerShell'
- - Product: 'PowerShell Core 6'
- - OriginalFileName:
- - 'PowerShell.EXE'
- - 'pwsh.dll'
 selection_parent:
 - ParentImage|endswith:
 - '\mshta.exe'
@@ -33,7 +21,7 @@ detection:
 - '\regsvr32.exe'
 - '\services.exe'
 - '\winword.exe'
- - '\wmiprvse.exe'
+ #- '\wmiprvse.exe' # This process is covered in the rule 692f0bec-83ba-4d04-af7e-e884a96059b6
 - '\powerpnt.exe'
 - '\excel.exe'
 - '\msaccess.exe'
@@ -59,7 +47,19 @@ detection:
 - '\jbosssvc.exe'
 - '\MicrosoftEdgeSH.exe'
 - ParentImage|contains: 'tomcat'
- condition: all of selection*
+ selection_powershell:
+ - Image|endswith:
+ - '\powershell.exe'
+ - '\pwsh.exe'
+ - CommandLine|contains:
+ - '/c powershell' # FPs with sub processes that contained "powershell" soemwhere in the command line
+ - '/c pwsh'
+ - Description: 'Windows PowerShell'
+ - Product: 'PowerShell Core 6'
+ - OriginalFileName:
+ - 'PowerShell.EXE'
+ - 'pwsh.dll'
+ condition: all of selection_*
 falsepositives:
 - Other scripts
 level: high
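Review bot: Commenting out `'\wmiprvse.exe'` records the hand-off to rule 692f0bec-83ba-4d04-af7e-e884a96059b6 only in a comment, whereas the other rules in this commit express the same relationship as a machine-readable `related` entry; adding `related:` / `  - id: 692f0bec-83ba-4d04-af7e-e884a96059b6` / `    type: similar` after `id:` keeps the cross-reference consistent and visible to tooling. Note that 692f0bec excludes events with an empty `CommandLine` via its `filter_null_*` selections, while this rule's `selection_powershell` matches on `Image|endswith` alone, so a WmiPrvSE→PowerShell event without a command line was caught here before this change and, as far as the visible parts of 692f0bec show, is caught by neither rule after it. Since the last hunk moves `selection_powershell` wholesale, it is also the moment to fix `soemwhere` in the moved comment and the number agreement in the new description (`Detects suspicious or uncommon parent processes of PowerShell`).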
diff --git a/rules/windows/process_creation/proc_creation_win_wmiprvse_spawning_process.yml b/rules/windows/process_creation/proc_creation_win_wmiprvse_spawning_process.yml
index dabe899f7..0e1f09446 100644
--- a/rules/windows/process_creation/proc_creation_win_wmiprvse_spawning_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmiprvse_spawning_process.yml
@@ -1,12 +1,17 @@
-title: Wmiprvse Spawning Process
+title: WmiPrvSE Spawned A Process
 id: d21374ff-f574-44a7-9998-4a8c8bf33d7d
-status: experimental
+related:
+ - id: 8a582fe2-0882-4b89-a82a-da6b2dc32937
+ type: similar
+ - id: 692f0bec-83ba-4d04-af7e-e884a96059b6
+ type: similar
+status: stable
 description: Detects wmiprvse spawning processes
 references:
 - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190810201010.html
 author: Roberto Rodriguez @Cyb3rWard0g
 date: 2019/08/15
-modified: 2022/05/27
+modified: 2023/01/19
 tags:
 - attack.execution
 - attack.t1047
@@ -16,7 +21,7 @@ logsource:
 detection:
 selection:
 ParentImage|endswith: '\WmiPrvSe.exe'
- filter:
+ filter_generic:
 - LogonId:
 - '0x3e7' # LUID 999 for SYSTEM
 - 'null' # too many false positives
@@ -28,7 +33,7 @@ detection:
 - '\WerFault.exe'
 filter_null: # some backends need the null value in a separate expression
 LogonId: null
- condition: selection and not filter and not filter_null
+ condition: selection and not 1 of filter_*
 falsepositives:
 - Unknown
-level: high
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_wmi_spwns_powershell.yml b/rules/windows/process_creation/proc_creation_win_wmiprvse_spawns_powershell.yml
similarity index 57%
rename from rules/windows/process_creation/proc_creation_win_wmi_spwns_powershell.yml
rename to rules/windows/process_creation/proc_creation_win_wmiprvse_spawns_powershell.yml
index 0e18b4bc3..961d06990 100644
--- a/rules/windows/process_creation/proc_creation_win_wmi_spwns_powershell.yml
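Review bot: `status` jumps from `experimental` straight to `stable` in the same commit that lowers `level` from `high` to `medium` (last hunk of this file), while the description stays as the generic `Detects wmiprvse spawning processes`. Under the Sigma status definitions `stable` is meant for rules that have run across organisations without obvious false positives, and the level drop reads as an admission that this broad match is still noisy; `status: test`, as given to the new sibling rule in this commit, would be the more defensible value, and the same applies to the first hunk of proc_creation_win_wmiprvse_spawns_powershell.yml, whose `falsepositives` list already names known benign producers. The `filter_generic` rename and `condition: selection and not 1 of filter_*` are equivalent to the previous `not filter and not filter_null`, provided no other `filter_`-prefixed selection exists in the lines not shown.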
+++ b/rules/windows/process_creation/proc_creation_win_wmiprvse_spawns_powershell.yml
@@ -1,12 +1,17 @@
-title: WMI Spawning Windows PowerShell
+title: WmiPrvSE Spawned PowerShell
 id: 692f0bec-83ba-4d04-af7e-e884a96059b6
-status: experimental
-description: Detects WMI spawning a PowerShell process
+related:
+ - id: 8a582fe2-0882-4b89-a82a-da6b2dc32937
+ type: similar
+ - id: d21374ff-f574-44a7-9998-4a8c8bf33d7d
+ type: similar
+status: stable
+description: Detects Powershell as a child of the WmiPrvSE process. Which could be a signe of remote access via WMI
 references:
 - https://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e
-author: Markus Neis / @Karneades
+author: Markus Neis @Karneades
 date: 2019/04/03
-modified: 2022/07/14
+modified: 2023/01/19
 tags:
 - attack.execution
 - attack.t1047
@@ -24,11 +29,11 @@ detection:
 - OriginalFileName:
 - 'PowerShell.EXE'
 - 'pwsh.dll'
- filter_null1:
+ filter_null_1:
 CommandLine: 'null'
- filter_null2: # some backends need the null value in a separate expression
+ filter_null_2: # some backends need the null value in a separate expression
 CommandLine: null
- condition: all of selection* and not filter_null1 and not filter_null2
+ condition: all of selection* and not 1 of filter_*
 falsepositives:
 - AppvClient
 - CCM
diff --git a/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml b/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml
new file mode 100644
index 000000000..80bcbbe62
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_wmiprvse_susp_child_processes.yml
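Review bot: The new description `Detects Powershell as a child of the WmiPrvSE process. Which could be a signe of remote access via WMI` is a sentence fragment with a typo; `description: Detects PowerShell as a child of the WmiPrvSE process, which could be a sign of remote access via WMI` reads correctly. The `related` block is placed between `id` and `status`, matching the other rules touched in this commit, which is good. The `filter_null_*` rename and `condition: all of selection* and not 1 of filter_*` in the second hunk preserve the previous logic as long as no other `filter_`-prefixed selection exists in the unseen lines of the detection block.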
@@ -0,0 +1,51 @@
+title: Suspicious WmiPrvse Child Process Spawned
+id: 8a582fe2-0882-4b89-a82a-da6b2dc32937
+related:
+ - id: 692f0bec-83ba-4d04-af7e-e884a96059b6
+ type: similar
+ - id: d21374ff-f574-44a7-9998-4a8c8bf33d7d
+ type: similar
+status: test
+description: Detects suspicious and uncommon child processes of WmiPrvSE
+references:
+ - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
+ - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/Threat%20Intelligence/The%20DFIR%20Report/20210329_Sodinokibi_(aka_REvil)_Ransomware.yaml
+ - https://blog.osarmor.com/319/onenote-attachment-delivers-asyncrat-malware/
+author: Vadim Khrykov (ThreatIntel), Cyb3rEng
+date: 2021/08/23
+modified: 2023/01/19
+tags:
+ - attack.execution
+ - attack.defense_evasion
+ - attack.t1047
+ - attack.t1204.002
+ - attack.t1218.010
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection_parent:
+ ParentImage|endswith: '\wbem\WmiPrvSE.exe'
+ selection_children_1:
+ # TODO: Think to add more LOLBINs or suspicious processes that make sens in your environment
+ Image|endswith:
+ - '\regsvr32.exe'
+ - '\rundll32.exe'
+ - '\msiexec.exe'
+ - '\mshta.exe'
+ - '\verclsid.exe'
+ selection_children_2:
+ # This is in a seperate selection due to the nature of FP generated with CMD
+ Image|endswith: '\cmd.exe'
+ CommandLine|contains:
+ - 'powershell'
+ - 'pwsh'
+ - 'mshta'
+ - 'rundll32'
+ - 'regsvr32'
+ - 'wscript'
+ - 'cscript'
+ condition: selection_parent and 1 of selection_children_*
+falsepositives:
+ - Unknown
+level: high
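Review bot: The two inline comments in the new detection block carry typos and unclear wording (`Think to add`, `make sens`, `seperate`); suggest `# TODO: Consider adding further LOLBINs or suspicious processes that make sense in your environment` and `# Kept in a separate selection because cmd.exe on its own generates too many false positives`. The `CommandLine|contains` keywords in `selection_children_2` are bare substrings, so a cmd.exe child of WmiPrvSE whose arguments merely include a path or script name containing `powershell` or `wscript` will match as well; that is a reasonable trade-off for a `level: high` rule, but it should be stated under `falsepositives`, which currently only says `Unknown`. Reusing id 8a582fe2-0882-4b89-a82a-da6b2dc32937 together with the original `date: 2021/08/23` correctly marks this file as the successor of the deleted proc_creation_win_lolbins_with_wmiprvse_parent_process.yml, so no `related` entry is needed for that relationship.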