@@ -0,0 +1,26 @@
title: Psexec Accepteula Condition
id: 730fc21b-eaff-474b-ad23-90fd265d4988
description: Detect ed user accept agreement execution in psexec commandline
status: experimental
author: omkar72
- https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
date: 2020/10/30
tags:
- attack.execution
- attack.t1569
- attack.t1021
logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith: '\psexec.exe'
CommandLine|contains: 'accepteula'
condition: selection
fields:
- ComputerName
- User
- CommandLine
falsepositives:
- Administrative scripts.
level: medium
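Review bot: The `Image|endswith: '\psexec.exe'` selection only covers the 32-bit binary name; the same Sysinternals package ships `PsExec64.exe`, so the value should become a list, `- '\psexec.exe'` and `- '\psexec64.exe'`, or the rule should additionally match on the PE's OriginalFileName (for PsExec this is `psexec.c`), which survives a rename of the executable. The description `Detect ed user accept agreement execution in psexec commandline` contains a broken word; `Detects execution of PsExec with the accepteula switch on the command line` states the same thing cleanly. The FireEye URL directly below `author:` has no `references:` key above it in the rendered hunk — if that is not a display artifact, the rule will fail Sigma schema validation and the key should be added.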
@@ -2,9 +2,12 @@ title: Suspicious Reconnaissance Activity
id: d95de845-b83c-4a9a-8a6a-4fc802ebf6c0
status: experimental
description: Detects suspicious command line activity on Windows systems
author: Florian Roth
author: Florian Roth, omkar72
date: 2019/01/16
modified: 2020/08/28
modified: 2020/10/30
references:
- https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
- https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
tags:
- attack.discovery
- attack.t1087.001
@@ -18,6 +21,7 @@ detection:
CommandLine:
- net group "domain admins" /domain
- net localgroup administrators
- net group "enterprise admins" /domain
condition: selection
fields:
- CommandLine
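Review bot: The `CommandLine:` list in the detection hunk has no modifier and no wildcards, so each entry is a whole-command-line exact match; a process_creation event usually reports the full command line including the image path or other arguments, in which case the newly added `net group "enterprise admins" /domain` entry (which of the three is new cannot be read from the rendered hunk, only that the 6→7 count implies one addition) and the two existing ones would never fire. Unless the enclosing `selection:`, which starts above this hunk, already applies a modifier to these values, the field should read `CommandLine|contains:` with values like `'group "enterprise admins" /domain'`, which also keeps the match independent of whether `net` or `net1` was invoked. The `modified:` date was bumped in the first hunk, so this is the right commit to fix the matching semantics.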
@@ -2,12 +2,14 @@ title: Domain Trust Discovery
id: 3bad990e-4848-4a78-9530-b427d854aac0
description: Identifies execution of nltest.exe and dsquery.exe for domain trust discovery. This technique is used by attackers to enumerate Active Directory trusts.
status: experimental
author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community
author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community, omkar72
date: 2019/10/24
modified: 2019/11/11
modified: 2020/10/30
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md
- https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html
- https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
- https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
tags:
- attack.discovery
- attack.t1482
@@ -17,7 +19,10 @@ logsource:
detection:
selection:
- Image|endswith: '\nltest.exe'
CommandLine|contains: 'domain_trusts'
CommandLine|contains:
- 'domain_trusts'
- 'all_trusts'
- '/dclist'
- Image|endswith: '\dsquery.exe'
CommandLine|contains: 'trustedDomain'
condition: selection
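Review bot: The added `'/dclist'` value under the nltest `CommandLine|contains:` list widens the rule beyond trust enumeration — that switch lists domain controllers, which MITRE generally maps to Remote System Discovery (T1018) rather than the rule's only technique tag `attack.t1482`, and it is also a routine administrative command. The tag list and the description (`Identifies execution of nltest.exe and dsquery.exe for domain trust discovery.`) should be updated to match the new scope, e.g. add `- attack.t1018` and extend the description with `Also covers domain controller listing via nltest /dclist.`; a `falsepositives` entry for administrative use of `/dclist` would help tuning, unless one already exists outside the hunk. The `falsepositives`/`level` keys of this rule are not visible in the hunk, so their current values could not be checked.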
@@ -0,0 +1,26 @@
title: WINEKEY Registry Modification
id: b98968aa-dbc0-4a9c-ac35-108363cbf8d5
description: Detects potential malicious modification of run keys by winekey or team9 backdoor
date: 2020/10/30
author: omkar72
references:
- https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
tags:
- attack.persistence
- attack.t1547
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|endswith:
- 'Software\Microsoft\Windows\CurrentVersion\Run\Backup Mgr'
condition: selection
fields:
- ComputerName
- Image
- EventType
- TargetObject
falsepositives:
- Unknown
level: high
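Review bot: This new rule has no `status:` key, while the other new rule in the same commit (`Psexec Accepteula Condition`) and both modified rules carry `status: experimental`; add `status: experimental` after `id:` so the file follows the convention used by the rest of the change. The only selection value is the literal Run value name `Backup Mgr`, presumably taken from the referenced FireEye write-up, which is a narrow string indicator for a `level: high` rule — a sentence in `description` such as `Matches the Run value name reported for this backdoor; update if new value names are published.` tells a future maintainer why the rule is so specific and what to revisit when it goes stale. `falsepositives: - Unknown` alongside `level: high` also deserves a note on whether the value name was checked against legitimate backup software before merging.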