diff --git a/rules-unsupported/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml b/rules-unsupported/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml
index 0fe996cd3..2a8e7c073 100644
--- a/rules-unsupported/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml
+++ b/rules-unsupported/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml
@@ -1,6 +1,6 @@
 title: MSI Spawned Cmd and Powershell Spawned Processes
 id: 38cf8340-461b-4857-bf99-23a41f772b18
-description: This rule will looks for Windows Installer service (msiexec.exe) spawned command line and/or powershell that spawned other processes
+description: This rule looks for Windows Installer service (msiexec.exe) spawning command line and/or powershell that spawns other processes
 status: unsupported
 author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
 date: 2020/10/13
diff --git a/rules/windows/image_load/sysmon_abusing_azure_browser_sso.yml b/rules/windows/image_load/sysmon_abusing_azure_browser_sso.yml
index 9ce2b7884..5bfbdd62e 100644
--- a/rules/windows/image_load/sysmon_abusing_azure_browser_sso.yml
+++ b/rules/windows/image_load/sysmon_abusing_azure_browser_sso.yml
@@ -5,7 +5,7 @@ author: Den Iuzvyk
 references:
 - https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30
 date: 2020/07/15
-modified: 2020/12/23
+modified: 2021/11/27
 logsource:
 category: image_load
 product: windows
@@ -16,15 +16,16 @@ tags:
 - attack.t1073 # an old one
 - attack.t1574.002
 detection:
- condition: selection_dll and not filter_legit
 selection_dll:
 ImageLoaded|endswith: MicrosoftAccountTokenProvider.dll
 filter_legit:
 Image|endswith:
- - BackgroundTaskHost.exe
- - devenv.exe
- - iexplore.exe
- - MicrosoftEdge.exe
+ - '\BackgroundTaskHost.exe'
+ - '\devenv.exe'
+ - '\iexplore.exe'
+ - '\MicrosoftEdge.exe'
+ - '\Microsoft\Edge\Application\msedge.exe'
+ condition: selection_dll and not filter_legit
 falsepositives:
 - unknown
 level: high
diff --git a/rules/windows/image_load/sysmon_in_memory_powershell.yml b/rules/windows/image_load/sysmon_in_memory_powershell.yml
index 4ce1cfee4..edd59fc66 100755
--- a/rules/windows/image_load/sysmon_in_memory_powershell.yml
+++ b/rules/windows/image_load/sysmon_in_memory_powershell.yml
@@ -7,7 +7,7 @@ status: experimental
 description: Detects loading of essential DLL used by PowerShell, but not by the process powershell.exe. Detects meterpreter's "load powershell" extension.
 author: Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton
 date: 2019/11/14
-modified: 2021/11/11
+modified: 2021/11/27
 references:
 - https://adsecurity.org/?p=2921
 - https://github.com/p3nt4/PowerShdll
@@ -24,7 +24,7 @@ detection:
 - '\System.Management.Automation.Dll'
 - '\System.Management.Automation.ni.Dll'
 filter:
- Image|endswith:
+ - Image|endswith:
 - '\powershell.exe'
 - '\powershell_ise.exe'
 - '\WINDOWS\System32\sdiagnhost.exe'
@@ -40,6 +40,10 @@ detection:
 - '\IDE\devenv.exe'
 - '\ServiceHub.VSDetouredHost.exe'
 - '\ServiceHub.SettingsHost.exe'
+ - '\ServiceHub.Host.CLR.x86.exe'
+ - Image|startswith:
+ - 'C:\Program Files (x86)\Microsoft Visual Studio\'
+ - 'C:\Program Files\Microsoft Visual Studio\'
 # User: 'NT AUTHORITY\SYSTEM' # if set, matches all powershell processes not launched by SYSTEM
 condition: selection and not filter
 falsepositives:
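Review bot: The rewritten `filter_legit` still allowlists four of the five images by file name only (`Image|endswith: '\devenv.exe'` etc.), so a token-stealing loader simply named `iexplore.exe` or `devenv.exe` in any writable directory is excluded from a rule that is rated `level: high` with `falsepositives: unknown`. Only the new `msedge.exe` entry is anchored to its install path; the same treatment should be applied to the others where the location is fixed, e.g. `- '\Windows\System32\BackgroundTaskHost.exe'`, `- '\Internet Explorer\iexplore.exe'`, `- '\Common7\IDE\devenv.exe'` (exact directories to be confirmed against an endpoint). Edge side-channels (Beta/Dev) presumably install under a different `\Microsoft\Edge <channel>\Application\` directory and would now alert; that is acceptable but worth a `# Edge Beta/Dev/Canary not excluded on purpose` comment if intended.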
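Review bot: The added `- '\ServiceHub.Host.CLR.x86.exe'` entry is a name-only exclusion under `Image|endswith`, so a PowerShdll-style loader renamed to that file name would bypass this rule from any directory; the same hunk adds a path-anchored `Image|startswith` on the two Visual Studio install roots, which should already cover the legitimate ServiceHub host if it runs from there (likely, not shown here). Prefer dropping the name-only entry, or anchoring it to the directory it actually runs from, and note the trade-off of the broad prefix exclusion with a comment such as `# any binary under the VS install root is excluded - requires admin to plant, accepted`. The `filter` block this hunk extends starts before the hunk (it was turned into a list of maps in the previous hunk, so the two entries are OR-ed).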
diff --git a/rules/windows/image_load/sysmon_susp_system_drawing_load.yml b/rules/windows/image_load/sysmon_susp_system_drawing_load.yml
index a6bed3f6a..242e72a0b 100644
--- a/rules/windows/image_load/sysmon_susp_system_drawing_load.yml
+++ b/rules/windows/image_load/sysmon_susp_system_drawing_load.yml
@@ -29,6 +29,7 @@ detection:
 - 'C:\Program Files\'
 - 'C:\Program Files (x86)\'
 - 'C:\Windows\System32\'
+ - 'C:\Windows\Microsoft.NET\'
 - 'C:\Windows\ImmersiveControlPanel\'
 - 'C:\Windows\System32\NhNotifSys.exe'
 - 'C:\Users\*\AppData\Local\NhNotifSys\nahimic\nahimicNotifSys.exe'
diff --git a/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml b/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml
index 73a21e295..45132f02c 100644
--- a/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml
+++ b/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml
@@ -1,6 +1,6 @@
 title: Always Install Elevated MSI Spawned Cmd And Powershell
 id: 1e53dd56-8d83-4eb4-a43e-b790a05510aa
-description: This rule will looks for Windows Installer service (msiexec.exe) spawned command line and/or powershell
+description: This rule looks for Windows Installer service (msiexec.exe) spawned command line and/or powershell
 status: experimental
 author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
 date: 2020/10/13
diff --git a/rules/windows/process_creation/sysmon_always_install_elevated_windows_installer.yml b/rules/windows/process_creation/sysmon_always_install_elevated_windows_installer.yml
index 4aa3afd03..fd04cd0ea 100644
--- a/rules/windows/process_creation/sysmon_always_install_elevated_windows_installer.yml
+++ b/rules/windows/process_creation/sysmon_always_install_elevated_windows_installer.yml
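Review bot: Excluding the whole `C:\Windows\Microsoft.NET\` tree silences this rule for the .NET Framework LOLBins that live under it (`MSBuild.exe`, `InstallUtil.exe`, `RegAsm.exe`, `RegSvcs.exe`, `csc.exe`), which are exactly the signed proxies an attacker would use to run a System.Drawing-based screen-capture payload, so the new entry trades away the most interesting true positives of a rule about System.Drawing loads. If the noise comes from the native-image service, exclude those images by name rather than by directory, e.g. `- '\mscorsvw.exe'` and `- '\ngen.exe'` under an `Image|endswith` filter, and record the reason with a comment like `# .NET native image generation loads System.Drawing legitimately`. The filter block this line is added to starts before the hunk, so the key it sits under (presumably `Image|startswith`) and the selection it negates are not visible here.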
@@ -1,6 +1,6 @@
 title: Always Install Elevated Windows Installer
 id: cd951fdc-4b2f-47f5-ba99-a33bf61e3770
-description: This rule will looks for Windows Installer service (msiexec.exe) when it tries to install MSI packages with SYSTEM privilege
+description: This rule looks for Windows Installer service (msiexec.exe) trying to install MSI packages with SYSTEM privilege
 status: experimental
 author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
 date: 2020/10/13