diff --git a/rules/linux/auditd/lnx_auditd_change_file_time_attr.yml b/rules/linux/auditd/lnx_auditd_change_file_time_attr.yml index f21385f1d..b86345eac 100644 --- a/rules/linux/auditd/lnx_auditd_change_file_time_attr.yml +++ b/rules/linux/auditd/lnx_auditd_change_file_time_attr.yml @@ -1,4 +1,4 @@ -title: File Time Attribute Change +title: File Time Attribute Change - Linux id: b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b status: test description: Detect file time attribute change to hide new or changes to existing files. @@ -6,7 +6,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md author: 'Igor Fits, oscd.community' date: 2020/10/15 -modified: 2021/11/27 +modified: 2022/11/28 tags: - attack.defense_evasion - attack.t1070.006 diff --git a/rules/linux/auditd/lnx_auditd_find_cred_in_files.yml b/rules/linux/auditd/lnx_auditd_find_cred_in_files.yml index 0a0357b6f..fc4b87556 100644 --- a/rules/linux/auditd/lnx_auditd_find_cred_in_files.yml +++ b/rules/linux/auditd/lnx_auditd_find_cred_in_files.yml @@ -1,4 +1,4 @@ -title: 'Credentials In Files' +title: Credentials In Files - Linux id: df3fcaea-2715-4214-99c5-0056ea59eb35 status: test description: 'Detecting attempts to extract passwords with grep' @@ -6,7 +6,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md author: 'Igor Fits, oscd.community' date: 2020/10/15 -modified: 2021/11/27 +modified: 2022/11/28 tags: - attack.credential_access - attack.t1552.001 diff --git a/rules/linux/auditd/lnx_auditd_split_file_into_pieces.yml b/rules/linux/auditd/lnx_auditd_split_file_into_pieces.yml index 6452f8254..0878a35b3 100644 --- a/rules/linux/auditd/lnx_auditd_split_file_into_pieces.yml +++ b/rules/linux/auditd/lnx_auditd_split_file_into_pieces.yml 
@@ -1,4 +1,4 @@ -title: 'Split A File Into Pieces' +title: Split A File Into Pieces - Linux id: 2dad0cba-c62a-4a4f-949f-5f6ecd619769 status: test description: 'Detection use of the command "split" to split files into parts and possible transfer.' @@ -6,7 +6,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1030/T1030.md author: 'Igor Fits, oscd.community' date: 2020/10/15 -modified: 2021/11/27 +modified: 2022/11/28 tags: - attack.exfiltration - attack.t1030 diff --git a/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml b/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml index 91048c97d..63c13cebc 100644 --- a/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml +++ b/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml @@ -1,4 +1,4 @@ -title: 'Suspicious History File Operations' +title: Suspicious History File Operations - Linux id: eae8ce9f-bde9-47a6-8e79-f20d18419910 status: test description: 'Detects commandline operations on shell history files' @@ -6,7 +6,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md author: 'Mikhail Larin, oscd.community' date: 2020/10/17 -modified: 2021/11/27 +modified: 2022/11/28 tags: - attack.credential_access - attack.t1552.003 diff --git a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml index df6565c0f..3ff369979 100644 --- a/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml +++ b/rules/network/zeek/zeek_dce_rpc_potential_petit_potam_efs_rpc_call.yml @@ -13,7 +13,7 @@ references: - https://threatpost.com/microsoft-petitpotam-poc/168163/ author: '@neu5ron, @Antonlovesdnb, Mike Remen' date: 2021/08/17 -modified: 2022/10/09 +modified: 2022/11/28 tags: - attack.t1557.001 - attack.t1187 
@@ -22,9 +22,7 @@ logsource: service: dce_rpc detection: selection: - operation|startswith: - - 'Efs' - - 'efs' + operation|startswith: 'efs' condition: selection fields: - id.orig_h diff --git a/rules/network/zeek/zeek_dns_susp_zbit_flag.yml b/rules/network/zeek/zeek_dns_susp_zbit_flag.yml index 453bcc009..6ac028468 100644 --- a/rules/network/zeek/zeek_dns_susp_zbit_flag.yml +++ b/rules/network/zeek/zeek_dns_susp_zbit_flag.yml @@ -14,7 +14,7 @@ references: - 'https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS' author: '@neu5ron, SOC Prime Team, Corelight' date: 2021/05/04 -modified: 2022/10/05 +modified: 2022/11/29 tags: - attack.t1095 - attack.t1571 @@ -40,9 +40,7 @@ detection: - '.azuregov-dns.org' exclude_query_types: qtype_name: - - 'NS' - 'ns' - - 'MX' - 'mx' exclude_responses: answers|endswith: '\\x00' diff --git a/rules/windows/dns_query/dns_query_win_regsvr32_network_activity.yml b/rules/windows/dns_query/dns_query_win_regsvr32_network_activity.yml index b57f6a221..966c1a6ef 100644 --- a/rules/windows/dns_query/dns_query_win_regsvr32_network_activity.yml +++ b/rules/windows/dns_query/dns_query_win_regsvr32_network_activity.yml @@ -1,4 +1,4 @@ -title: Regsvr32 Network Activity +title: Regsvr32 Network Activity - DNS id: 36e037c4-c228-4866-b6a3-48eb292b9955 related: - id: c7e91a02-d771-4a6d-a700-42587e0b1095 @@ -10,7 +10,7 @@ references: - https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ author: Dmitriy Lifanov, oscd.community date: 2019/10/25 -modified: 2022/10/09 +modified: 2022/11/28 tags: - attack.execution - attack.t1559.001 diff --git a/rules/windows/driver_load/driver_load_vuln_drivers.yml b/rules/windows/driver_load/driver_load_vuln_drivers.yml index 018868c3b..d544236f3 100644 --- a/rules/windows/driver_load/driver_load_vuln_drivers.yml +++ b/rules/windows/driver_load/driver_load_vuln_drivers.yml 
@@ -21,7 +21,7 @@ references: - https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part author: Nasreddine Bencherchali date: 2022/08/18 -modified: 2022/10/19 +modified: 2022/11/28 tags: - attack.privilege_escalation - attack.t1543.003 @@ -864,8 +864,6 @@ detection: - 'DB90E554AD249C2BD888282ECF7D8DA4D1538DD364129A3327B54F8242DD5653' - 'E61A54F6D3869B43C4ECEAC3016DF73DF67CCE03878C5A6167166601C5D3F028' - '3871E16758A1778907667F78589359734F7F62F9DC953EC558946DCDBE6951E3' - - 'DED2927F9A4E64EEFD09D0CABA78E94F309E3A6292841AE81D5528CAB109F95D' - - '0296E2CE999E67C76352613A718E11516FE1B0EFC3FFDB8918FC999DD76A73A5' - '80CBBA9F404DF3E642F22C476664D63D7C229D45D34F5CD0E19C65EB41BECEC3' - 'BB50818A07B0EB1BD317467139B7EB4BAD6CD89053FECDABFEAE111689825955' - 'FF6729518A380BF57F1BC6F1EC0AA7F3012E1618B8D9B0F31A61D299EE2B4339' diff --git a/rules/windows/file/file_event/file_event_win_new_src_file.yml b/rules/windows/file/file_event/file_event_win_new_src_file.yml index 6ad24e0ed..65bf8e139 100644 --- a/rules/windows/file/file_event/file_event_win_new_src_file.yml +++ b/rules/windows/file/file_event/file_event_win_new_src_file.yml @@ -6,7 +6,7 @@ references: - https://lolbas-project.github.io/lolbas/Libraries/Desk/ author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io' date: 2022/04/27 -modified: 2022/10/07 +modified: 2022/11/28 tags: - attack.t1218.011 - attack.defense_evasion @@ -19,10 +19,7 @@ detection: filter: TargetFilename|startswith: - 'C:\Windows\System32\' - - 'C:\Windows\system32\' - 'C:\Windows\SysWOW64\' - - 'C:\Windows\SysWow64\' - - 'C:\Windows\winsxs\' - 'C:\Windows\WinSxS\' - 'C:\$WINDOWS.~BT\NewOS\' condition: selection and not filter diff --git a/rules/windows/file/file_event/file_event_win_remote_cred_dump.yml b/rules/windows/file/file_event/file_event_win_remote_cred_dump.yml index be047ae0a..f0c6bd2f4 100644 --- a/rules/windows/file/file_event/file_event_win_remote_cred_dump.yml 
+++ b/rules/windows/file/file_event/file_event_win_remote_cred_dump.yml @@ -7,6 +7,7 @@ references: - https://github.com/SecureAuthCorp/impacket/blob/master/examples/secretsdump.py author: SecurityAura date: 2022/11/16 +modified: 2022/11/29 tags: - attack.credential_access - attack.t1003 @@ -17,7 +18,7 @@ detection: selection: Image|endswith: '\svchost.exe' # CommandLine|contains: 'RemoteRegistry' # Uncomment this line if you collect CommandLine data for files events from more accuracy - TargetFilename|endswith: '\Windows\System32\????????.tmp' + TargetFilename|re: '\\Windows\\System32\\[a-zA-Z0-9]{8}\.tmp$' condition: selection falsepositives: - Unknown diff --git a/rules/windows/file/file_event/file_event_win_winrm_awl_bypass.yml b/rules/windows/file/file_event/file_event_win_winrm_awl_bypass.yml index 5b1e72682..c6180f208 100644 --- a/rules/windows/file/file_event/file_event_win_winrm_awl_bypass.yml +++ b/rules/windows/file/file_event/file_event_win_winrm_awl_bypass.yml @@ -1,4 +1,4 @@ -title: AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl +title: AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl - File id: d353dac0-1b41-46c2-820c-d7d2561fc6ed related: - id: 074e0ded-6ced-4ebd-8b4d-53f55908119 @@ -9,7 +9,7 @@ references: - https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404 author: Julia Fomina, oscd.community date: 2020/10/06 -modified: 2022/10/09 +modified: 2022/11/28 tags: - attack.defense_evasion - attack.t1216 diff --git a/rules/windows/image_load/image_load_silenttrinity_stage_use.yml b/rules/windows/image_load/image_load_silenttrinity_stage_use.yml index e2ecb5be8..93643c97d 100644 --- a/rules/windows/image_load/image_load_silenttrinity_stage_use.yml +++ b/rules/windows/image_load/image_load_silenttrinity_stage_use.yml 
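Review bot: The `re` modifier on the new `TargetFilename|re:` line is passed to backends as a regular expression and is therefore matched case-sensitively, whereas the `|endswith` wildcard it replaces inherited Sigma's case-insensitive default, so a path logged as `\windows\system32\XXXXXXXX.tmp` would no longer fire. The old `????????` also accepted any eight characters while `[a-zA-Z0-9]{8}` accepts only alphanumerics; that is presumably what the temporary names produced by the referenced secretsdump technique look like, but the narrowing is worth confirming against a sample event. If both tightenings are intended, a one-line comment above the field such as `# regex is case-sensitive; temp name is 8 alphanumerics` would keep a later maintainer from loosening it again. If the case tightening is not intended, the fixed path segments can be written to accept either case, e.g. `'\\[Ww]indows\\[Ss]ystem32\\[a-zA-Z0-9]{8}\.tmp$'`.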
@@ -1,4 +1,4 @@ -title: SILENTTRINITY Stager Execution +title: SILENTTRINITY Stager Execution - DLL id: 75c505b1-711d-4f68-a357-8c3fe37dbf2d related: - id: 03552375-cc2c-4883-bbe4-7958d5a980be @@ -9,7 +9,7 @@ references: - https://github.com/byt3bl33d3r/SILENTTRINITY author: Aleksey Potapov, oscd.community date: 2019/10/22 -modified: 2022/10/09 +modified: 2022/11/28 tags: - attack.command_and_control - attack.t1071 diff --git a/rules/windows/process_creation/proc_creation_win_mal_ryuk.yml b/rules/windows/process_creation/proc_creation_win_mal_ryuk.yml index 8b1c90929..acecd619c 100644 --- a/rules/windows/process_creation/proc_creation_win_mal_ryuk.yml +++ b/rules/windows/process_creation/proc_creation_win_mal_ryuk.yml @@ -6,7 +6,7 @@ references: - https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/ author: Vasiliy Burov date: 2019/08/06 -modified: 2021/11/27 +modified: 2022/11/29 tags: - attack.execution - attack.t1204 @@ -23,7 +23,7 @@ detection: CommandLine|contains: - 'samss' - 'audioendpointbuilder' - - 'unistoresvc_?????' + - 'unistoresvc_' condition: all of selection* falsepositives: - Unlikely diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_iex_patterns.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_iex_patterns.yml index 244c5f234..291c1ec16 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_powershell_iex_patterns.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_iex_patterns.yml @@ -6,7 +6,7 @@ references: - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.2 author: Florian Roth date: 2022/03/24 -modified: 2022/10/28 +modified: 2022/11/28 logsource: product: windows category: process_creation 
@@ -16,25 +16,22 @@ detection: - '\powershell.exe' - '\pwsh.exe' CommandLine|contains: - - ' | iex;' - - ' | iex ' - - ' | iex}' - - ' | IEX;' - - ' | IEX ;' - - ' | IEX -Error' - - ' | IEX (new' - - ' | IEX (New' + - ' | iex;' + - ' | iex ' + - ' | iex}' + - ' | IEX ;' + - ' | IEX -Error' + - ' | IEX (new' - ');IEX ' selection_combined_2: CommandLine|contains: - '::FromBase64String' - '.GetString([System.Convert]::' selection_standalone: - CommandLine|contains: - - ')|iex;$' - - ')|IEX;$' - - ');iex($' - - ');iex $' + CommandLine|contains: + - ')|iex;$' + - ');iex($' + - ');iex $' - ' | IEX | ' condition: all of selection_combined* or selection_standalone falsepositives: diff --git a/rules/windows/process_creation/proc_creation_win_susp_renamed_debugview.yml b/rules/windows/process_creation/proc_creation_win_susp_renamed_debugview.yml index 2fc43458a..9e0f2b328 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_renamed_debugview.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_renamed_debugview.yml @@ -6,7 +6,7 @@ references: - https://www.epicturla.com/blog/sysinturla author: Florian Roth date: 2020/05/28 -modified: 2021/11/27 +modified: 2022/11/29 tags: - attack.resource_development - attack.t1588.002 @@ -15,9 +15,7 @@ logsource: product: windows detection: selection: - Product: - - 'Sysinternals DebugView' - - 'Sysinternals Debugview' + Product: 'Sysinternals DebugView' filter: OriginalFileName: 'Dbgview.exe' Image|endswith: '\Dbgview.exe' diff --git a/rules/windows/process_creation/proc_creation_win_susp_service_stop.yml b/rules/windows/process_creation/proc_creation_win_susp_service_stop.yml index b71ae7f1a..7df638f02 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_service_stop.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_service_stop.yml 
@@ -10,6 +10,7 @@ references: - https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html author: Nasreddine Bencherchali date: 2022/09/01 +modified: 2022/11/29 tags: - attack.defense_evasion - attack.t1489 
@@ -35,284 +36,281 @@ detection: CommandLine|contains: 'Stop-Service ' services: CommandLine|contains: - - 'VSS' - - 'HealthTLService' - - 'ThreatLockerService' - - '"Veritas System Recovery"' - - 'EPlntegrationService' - - 'EPRedline' - - '"Client Agent 7.60"' - - 'SQLAgent$SVSTEM_BGC' - - '"Sophos Device Control Service"' - - '"Zoolz 2 Service"' - - '"Sophos AutoUpdate Service"' - - '"Sophos System Protection Service"' - - 'POVFSService' - - 'MSSQLFDLauncherSTPSAMA' - - '"Symantec System Recovery"' - - 'Antivirus' - - '"Sophos Health Service"' - - 'MSSQLFDLauncherSTPS' - - 'AcrSch2Svc' - - 'MSSQLSSVSTEM_BGC' - - 'MSSQLFDLauncherSPROFXENGAGEMENT' - - 'SQLAgentSTPS' - - '"Sophos Message Router"' - - 'MSSQLFDLauncher$S8SMONITORING' - - 'MySQL80' - - 'MSSQLSECWDB2' - - 'MSSQLWEEAMSQL2008R2' - - '"Sophos Clean Service"' - - '"Sophos Web Control Service"' - - 'EhttpSry' - - 'MSOLAPSTPSAMA' - - '"Veeam Backup Catalog Data Service"' - - 'MSSQLSSBSMONITORIMG' - - 'AcronisAgent' - - 'MySQLS7' - - 'UTODetect' - - 'MSSQLFOLauncherSSVSTEM_BGC' - - 'MSSQLSBKUPEXEC' - - 'SQLAgentSPRACTTICEBGC' - - '"Sophos MCS Client"' - - 'BackupExeclobEngine' - - 'SQLAgentSVEEAMSQL2008R2' - - '143Svc' - - '"SQLsafe Backup Service"' - - 'SQLAgentSCXDB' - - '"Sophos Safestore Service"' - - 'svcienericHost' - - 'MSSQLSTPSAMA' - - 'SQLAgentSCITRIX_METAFRAME' - - 'WeanClOudSve' - - '"Sophos File Scanner Service"' - - '"Sophos Agent"' - - 'M8EndpointAgent' - - 'mSSQLSFRACTICEMGT' - - 'SQLAgentSTPSAMA' - - 'McAfeeframework' - - '"Enterprise Client Service"' - - 'SQLAgentSSBSMONITORING' - - 'MSSQLSVEEAMSQL2012' - - 'SQ1SafeOLRService' - - 'VeeamEnterpriseHanagerSvc' - - 'SQLAgentSSQL EXPRESS' - - 'MSSQ!I.SPROFXENGAGEMEHT' - - 'IMANSVC' - - 'ARSM' - - 'MSSQLFOLavocher' - - 'MSExchangeMIA' - - 'TruekeyScheduler' - - 'MSSQ0SOPHOS' - - '"SQL Backups"' - - 'MSSQLSTPS' - - 'Weems JY' - - 'MSSQ0SHAREPOINT' - - 'mfevto' - - 'msftesq1SPROO' - - 'wozyprobackup' - - 'MSSQLSSQL_2008' - - 'MSSQLSSQLEXPRESS' - - 
'MSSQLSPRACTTICEBGE' - - 'VeeamRISTSvc' - - 'HMS' - - '"Sophos MCS Agent"' - '"Acronis VSS Provider"' - - 'MSSQLSVIEAMSQL2008112' - - 'HISSQLFDLauncherSSHAREPOINIT' - - '"SQLsafe Filter Service"' - - 'MSSQLSPROO' - - 'SQLAgentSPROO' - - 'MSOLAPSTPS' - - 'VeemaDep/oySvc' + - '"Client Agent 7.60"' + - '"Enterprise Client Service"' + - '"Sophos Agent"' + - '"Sophos AutoUpdate Service"' + - '"Sophos Clean Service"' + - '"Sophos Device Control Service"' + - '"Sophos File Scanner Service"' + - '"Sophos Health Service"' + - '"Sophos MCS Agent"' + - '"Sophos MCS Client"' + - '"Sophos Message Router"' + - '"Sophos Safestore Service"' + - '"Sophos System Protection Service"' + - '"Sophos Web Control Service"' + - '"SQL Backups"' - '"SQL Server (MSSQLSERVER)"' - '"SQL Server (SQLEXPRESS)' + - '"SQLsafe Backup Service"' + - '"SQLsafe Filter Service"' + - '"Symantec System Recovery"' + - '"Veeam Backup Catalog Data Service"' + - '"Veritas System Recovery"' + - '"Zoolz 2 Service"' + - '“Avast Business Console Client Antivirus Service”' + - '“avast! 
Antivirus”' + - '“SQL Backups”' + - '“Zoolz 2 Service”' + - '143Svc' + - 'AcronisAgent' + - 'AcrSch2Svc' + - 'Antivirus' + - 'ARSM' + - 'aswBcc' + - 'AVP' - 'BackupExecAgentAccelerator' - - 'McAfeeEngineService' - 'BackupExecAgentBrowser' - - 'McAfeeFramework' - 'BackupExecDeviceMediaService' - - 'McAfeeFrameworkMcAfeeFramework' - 'BackupExecJobEngine' - - 'McTaskManager' + - 'BackupExeclobEngine' - 'BackupExecManagementService' - - 'mfemms' - 'BackupExecRPCService' - - 'mfevtp' - 'BackupExecVSSProvider' - - 'MMS' - 'bedbg' - - 'mozyprobackup' + - 'BITS' + - 'BrokerInfrastructure' - 'DCAgent' + - 'EhttpSrv' + - 'EhttpSry' + - 'ekrn' + - 'epag' + - 'EPIntegrationService' + - 'EPlntegrationService' + - 'EPProtectedService' + - 'EPRedline' + - 'EPSecurityService' + - 'EPUpdateService' + - 'EraserSvc11710' + - 'EsgShKernel' + - 'ESHASRV' + - 'FA_Scheduler' + - 'HealthTLService' + - 'HISSQLFDLauncherSSHAREPOINIT' + - 'HMS' + - 'IISAdmin' + - 'IMANSVC' + - 'IMAP4Svc' + - 'KAVFS' + - 'KAVFSGT' + - 'kavfsslp' + - 'klnagent' + - 'LogProcessorService' + - 'M8EndpointAgent' + - 'macmnsvc' + - 'masvc' + - 'MBAMService' + - 'MBEndpointAgent' + - 'McAfeeEngineService' + - 'MCAFEEEVENTPARSERSRV' + - 'McAfeeFramework' + - 'McAfeeFrameworkMcAfeeFramework' + - 'MCAFEETOMCATSRV530' + - 'McShield' + - 'McTaskManager' + - 'mfefire' + - 'mfemms' + - 'mfevto' + - 'mfevtp' + - 'mfewc' + - 'MMS' + - 'mozyprobackup' - 'MsDtsServer' - 'MsDtsServer100' - 'MsDtsServer110' - - 'EraserSvc11710' + - 'MsDtsServer130' - 'MSExchangeES' - - 'EsgShKernel' - 'MSExchangeIS' - - 'FA_Scheduler' - 'MSExchangeMGMT' - - 'IISAdmin' + - 'MSExchangeMIA' - 'MSExchangeMTA' - - 'IMAP4Svc' - 'MSExchangeSA' - - 'macmnsvc' - 'MSExchangeSRS' - - 'masvc' - - 'MSOLAP$SQL_2008' - - 'MBAMService' - - 'MSOLAP$SYSTEM_BGC' - - 'MBEndpointAgent' - - 'MSOLAP$TPS' - - 'McShield' - - 'MSSQLSERVER' - - 'MSSQL$ECWDB2' - - 'MSSQLServerADHelper100' - - 'MSSQL$PRACTICEMGT' - - 'MSSQLServerOLAPService' - - 'MSSQL$PRACTTICEBGC' - - 
'MySQL57' - - 'MSSQL$PROFXENGAGEMENT' - - 'ntrtscan' - - 'MSSQL$SBSMONITORING' - - 'OracleClientCache80' - - 'MSSQL$SHAREPOINT' - - 'PDVFSService' - - 'MSSQL$SQL_2008' - - 'POP3Svc' - - 'MSSQL$SYSTEM_BGC' - - 'ReportServer' - - 'MSSQL$TPS' - - 'ReportServer$SQL_2008' - - 'MSSQL$TPSAMA' - - 'ReportServer$SYSTEM_BGC' - - 'ReportServer$TPS' - - 'MSSQL$VEEAMSQL2012' - - 'ReportServer$TPSAMA' - - 'MSSQLFDLauncher' - - 'RESvc' - - 'MSSQLFDLauncher$PROFXENGAGEMENT' - - 'sacsvr' - - 'MSSQLFDLauncher$SBSMONITORING' - - 'MSSQLFDLauncher$SHAREPOINT' - - 'SamSs' - - 'MSSQLFDLauncher$SQL_2008' - - 'SAVAdminService' - - 'MSSQLFDLauncher$SYSTEM_BGC' - - 'SAVService' - - 'MSOLAP$TPSAMA' - - 'MSSQLFDLauncher$TPS' - - 'MSSQL$BKUPEXEC' - - 'MSSQLFDLauncher$TPSAMA' - - 'Smcinst' - - 'SQLTELEMETRY$ECWDB2' - - 'SmcService' - - 'SQLWriter' - - 'SMTPSvc' - - 'SstpSvc' - - 'SNAC' - - 'svcGenericHost' - - 'SntpService' - - 'swi_filter' - - 'sophossps' - - 'swi_service' - - 'SQLAgent$BKUPEXEC' - - 'swi_update_64' - - 'SQLAgent$ECWDB2' - - 'TmCCSF' - - 'SQLAgent$PRACTTICEBGC' - - 'tmlisten' - - 'SQLAgent$PRACTTICEMGT' - - 'TrueKey' - - 'SQLAgent$PROFXENGAGEMENT' - - 'TrueKeyScheduler' - - 'SQLAgent$SBSMONITORING' - - 'TrueKeyServiceHelper' - - 'SQLAgent$SHAREPOINT' - - 'SQLAgent$SQL_2008' - - 'UI0Detect' - - 'SQLAgent$SYSTEM_BGC' - - 'SQLAgent$TPS' - - 'VeeamBackupSvc' - - 'SQLAgent$TPSAMA' - - 'VeeamBrokerSvc' - - 'SQLAgent$VEEAMSQL2012' - - 'VeeamCatalogSvc' - - 'SQLBrowser' - - 'VeeamCloudSvc' - - 'SDRSVC' - - 'SQLSafeOLRService' - - 'SepMasterService' - - 'SQLSERVERAGENT' - - 'ShMonitor' - - 'SQLTELEMETRY' - - 'VeeamDeploymentService' - - 'NetMsmqActivator' - - 'VeeamDeploySvc' - - 'EhttpSrv' - - 'VeeamEnterpriseManagerSvc' - - 'ekrn' - - 'VeeamMountSvc' - - 'ESHASRV' - - 'VeeamNFSSvc' - - 'MSSQL$SOPHOS' - - 'VeeamRESTSvc' - - 'SQLAgent$SOPHOS' - - 'VeeamTransportSvc' - - 'AVP' - - 'W3Svc' - - 'klnagent' - - 'MSSQL$SQLEXPRESS' - - 'WRSVC' - - 'SQLAgent$SQLEXPRESS' - - 'wbengine' - - 
'MSSQL$VEEAMSQL2008R2' - - 'kavfsslp' - - 'SQLAgent$VEEAMSQL2008R2' - - 'VeeamHvIntegrationSvc' - - 'KAVFSGT' - - 'swi_update' - - 'KAVFS' - - 'SQLAgent$CXDB' - - 'mfefire' - - 'SQLAgent$CITRIX_METAFRAME' - - '“SQL Backups”' - - '“avast! Antivirus”' - - 'MSSQL$PROD' - - 'aswBcc' - - '“Zoolz 2 Service”' - - '“Avast Business Console Client Antivirus Service”' - - 'MSSQLServerADHelper' - - 'mfewc' - - 'SQLAgent$PROD' - - 'Telemetryserver' + - 'msftesq1SPROO' - 'msftesql$PROD' - - 'WdNisSvc' - - 'WinDefend' - - 'MCAFEETOMCATSRV530' - - 'MCAFEEEVENTPARSERSRV' - - 'MSSQLFDLauncher$ITRIS' + - 'MSOLAP$SQL_2008' + - 'MSOLAP$SYSTEM_BGC' + - 'MSOLAP$TPS' + - 'MSOLAP$TPSAMA' + - 'MSOLAPSTPS' + - 'MSOLAPSTPSAMA' + - 'MSSQ!I.SPROFXENGAGEMEHT' + - 'MSSQ0SHAREPOINT' + - 'MSSQ0SOPHOS' + - 'MSSQL$BKUPEXEC' + - 'MSSQL$ECWDB2' - 'MSSQL$EPOSERVER' - 'MSSQL$ITRIS' + - 'MSSQL$PRACTICEMGT' + - 'MSSQL$PRACTTICEBGC' + - 'MSSQL$PROD' + - 'MSSQL$PROFXENGAGEMENT' + - 'MSSQL$SBSMONITORING' + - 'MSSQL$SHAREPOINT' + - 'MSSQL$SOPHOS' + - 'MSSQL$SQL_2008' + - 'MSSQL$SQLEXPRESS' + - 'MSSQL$SYSTEM_BGC' + - 'MSSQL$TPS' + - 'MSSQL$TPSAMA' + - 'MSSQL$VEEAMSQL2008R2' + - 'MSSQL$VEEAMSQL2012' + - 'MSSQLFDLauncher' + - 'MSSQLFDLauncher$ITRIS' + - 'MSSQLFDLauncher$PROFXENGAGEMENT' + - 'MSSQLFDLauncher$S8SMONITORING' + - 'MSSQLFDLauncher$SBSMONITORING' + - 'MSSQLFDLauncher$SHAREPOINT' + - 'MSSQLFDLauncher$SQL_2008' + - 'MSSQLFDLauncher$SYSTEM_BGC' + - 'MSSQLFDLauncher$TPS' + - 'MSSQLFDLauncher$TPSAMA' + - 'MSSQLFDLauncherSPROFXENGAGEMENT' + - 'MSSQLFDLauncherSTPS' + - 'MSSQLFDLauncherSTPSAMA' + - 'MSSQLFOLauncherSSVSTEM_BGC' + - 'MSSQLFOLavocher' + - 'MSSQLLaunchpad$ITRIS' + - 'MSSQLSBKUPEXEC' + - 'MSSQLSECWDB2' + - 'MSSQLSERVER' + - 'MSSQLServerADHelper' + - 'MSSQLServerADHelper100' + - 'MSSQLServerOLAPService' + - 'mSSQLSFRACTICEMGT' + - 'MSSQLSPRACTTICEBGE' + - 'MSSQLSPROO' + - 'MSSQLSSBSMONITORIMG' + - 'MSSQLSSQL_2008' + - 'MSSQLSSQLEXPRESS' + - 'MSSQLSSVSTEM_BGC' + - 'MSSQLSTPS' + - 'MSSQLSTPSAMA' + - 
'MSSQLSVEEAMSQL2012' + - 'MSSQLSVIEAMSQL2008112' + - 'MSSQLWEEAMSQL2008R2' + - 'MySQL57' + - 'MySQL80' + - 'MySQLS7' + - 'NetMsmqActivator' + - 'ntrtscan' + - 'OracleClientCache80' + - 'PDVFSService' + - 'POP3Svc' + - 'POVFSService' + - 'ReportServer' + - 'ReportServer$SQL_2008' + - 'ReportServer$SYSTEM_BGC' + - 'ReportServer$TPS' + - 'ReportServer$TPSAMA' + - 'RESvc' + - 'sacsvr' + - 'SamSs' + - 'SAVAdminService' + - 'SAVService' + - 'SDRSVC' + - 'SentinelAgent' + - 'SentinelHelperService' + - 'SepMasterService' + - 'ShMonitor' + - 'Smcinst' + - 'SmcService' + - 'SMTPSvc' + - 'SNAC' + - 'SntpService' + - 'sophossps' + - 'SQ1SafeOLRService' + - 'SQLAgent$BKUPEXEC' + - 'SQLAgent$CITRIX_METAFRAME' + - 'SQLAgent$CXDB' + - 'SQLAgent$ECWDB2' - 'SQLAgent$EPOSERVER' - 'SQLAgent$ITRIS' + - 'SQLAgent$PRACTTICEBGC' + - 'SQLAgent$PRACTTICEMGT' + - 'SQLAgent$PROD' + - 'SQLAgent$PROFXENGAGEMENT' + - 'SQLAgent$SBSMONITORING' + - 'SQLAgent$SHAREPOINT' + - 'SQLAgent$SOPHOS' + - 'SQLAgent$SQL_2008' + - 'SQLAgent$SQLEXPRESS' + - 'SQLAgent$SVSTEM_BGC' + - 'SQLAgent$SYSTEM_BGC' + - 'SQLAgent$TPS' + - 'SQLAgent$TPSAMA' + - 'SQLAgent$VEEAMSQL2008R2' + - 'SQLAgent$VEEAMSQL2012' + - 'SQLAgentSCITRIX_METAFRAME' + - 'SQLAgentSCXDB' + - 'SQLAgentSPRACTTICEBGC' + - 'SQLAgentSPROO' + - 'SQLAgentSSBSMONITORING' + - 'SQLAgentSSQL EXPRESS' + - 'SQLAgentSTPS' + - 'SQLAgentSTPSAMA' + - 'SQLAgentSVEEAMSQL2008R2' + - 'SQLBrowser' + - 'SQLSafeOLRService' + - 'SQLSERVERAGENT' + - 'SQLTELEMETRY' + - 'SQLTELEMETRY$ECWDB2' - 'SQLTELEMETRY$ITRIS' - - 'SentinelHelperService' - - 'MsDtsServer130' - - 'LogProcessorService' + - 'SQLWriter' - 'SSISTELEMETRY130' - - 'EPUpdateService' - - 'MSSQLLaunchpad$ITRIS' + - 'SstpSvc' + - 'svcGenericHost' + - 'svcienericHost' + - 'swi_filter' + - 'swi_service' + - 'swi_update' + - 'swi_update_64' + - 'Telemetryserver' + - 'ThreatLockerService' + - 'TmCCSF' + - 'tmlisten' - 'TmPfw' - - 'BITS' - - 'SentinelAgent' - - 'BrokerInfrastructure' - - 'EPProtectedService' - - 'epag' 
- - 'epredline' - - 'EPIntegrationService' - - 'EPSecurityService' + - 'TrueKey' + - 'TruekeyScheduler' + - 'TrueKeyServiceHelper' + - 'UI0Detect' + - 'UTODetect' + - 'VeeamBackupSvc' + - 'VeeamBrokerSvc' + - 'VeeamCatalogSvc' + - 'VeeamCloudSvc' + - 'VeeamDeploymentService' + - 'VeeamDeploySvc' + - 'VeeamEnterpriseHanagerSvc' + - 'VeeamEnterpriseManagerSvc' + - 'VeeamHvIntegrationSvc' + - 'VeeamMountSvc' + - 'VeeamNFSSvc' + - 'VeeamRESTSvc' + - 'VeeamRISTSvc' + - 'VeeamTransportSvc' + - 'VeemaDep/oySvc' + - 'VSS' + - 'W3Svc' + - 'wbengine' + - 'WdNisSvc' + - 'WeanClOudSve' + - 'Weems JY' + - 'WinDefend' + - 'wozyprobackup' + - 'WRSVC' condition: services and (all of selection_sc_net* or selection_pwsh) falsepositives: - Administrator or tools shutting down the services due to upgrade or removal purposes. If you experience some FP please consider adding filters to the parent process launching this command and not removing the entry diff --git a/rules/windows/raw_access_thread/raw_access_thread_disk_access_using_illegitimate_tools.yml b/rules/windows/raw_access_thread/raw_access_thread_disk_access_using_illegitimate_tools.yml index 81ad32a3d..d7a701df1 100644 --- a/rules/windows/raw_access_thread/raw_access_thread_disk_access_using_illegitimate_tools.yml +++ b/rules/windows/raw_access_thread/raw_access_thread_disk_access_using_illegitimate_tools.yml @@ -6,7 +6,7 @@ references: - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment author: Teymur Kheirkhabarov, oscd.community date: 2019/10/22 -modified: 2022/11/08 +modified: 2022/11/29 tags: - attack.defense_evasion - attack.t1006 @@ -24,7 +24,6 @@ detection: - 'C:\Windows\servicing\' - 'C:\Windows\CCM\' - 'C:\Windows\uus\' - - 'C:\Windows\WinSxs\' filter_3: ProcessId: 4 filter_specific: diff --git a/tests/test_rules.py b/tests/test_rules.py index a76aa41bb..ca972a980 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py 
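Review bot: The re-sorted `services` list keeps a number of entries that look like OCR or transcription errors of neighbouring names — `'EPlntegrationService'` (lowercase l), `'SQLAgent$SVSTEM_BGC'`, `'MSSQ!I.SPROFXENGAGEMEHT'`, `'VeemaDep/oySvc'`, `'WeanClOudSve'`, `'Weems JY'`, `'MSSQLSVIEAMSQL2008112'` — in most cases right next to the correctly spelled form. They are unlikely to ever match a real service name, so they add noise and make the list harder to audit, and dropping them where the correct spelling is present would not reduce coverage. The four entries wrapped in typographic quotes (`'“SQL Backups”'`, `'“Zoolz 2 Service”'`, `'“avast! Antivirus”'`, `'“Avast Business Console Client Antivirus Service”'`) have the same problem, since a command line carries straight quotes and the straight-quoted versions of the first two already exist. The context entry `'"SQL Server (SQLEXPRESS)'` is also missing its closing quote, which is presumably unintended even though `contains` still lets it match.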
@@ -13,6 +13,7 @@ import re
 from attackcti import attack_client
 from colorama import init
 from colorama import Fore
+import collections
 class TestRules(unittest.TestCase):
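Review bot: `import collections` is added after the third-party imports (`attackcti`, `colorama`), while the convention is to keep standard-library imports in their own group first; move it up beside `import re`. The rest of the import block is outside this hunk, so the exact position within the stdlib group is for the author to pick.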
@@ -126,23 +127,35 @@ class TestRules(unittest.TestCase):
 "There are rules with duplicate tags")
 def test_look_for_duplicate_filters(self):
- def check_list_or_recurse_on_dict(item, depth: int) -> None:
+ def check_list_or_recurse_on_dict(item, depth: int, special: bool) -> None:
 if type(item) == list:
- check_if_list_contain_duplicates(item, depth)
+ check_if_list_contain_duplicates(item, depth, special)
 elif type(item) == dict and depth <= MAX_DEPTH:
- for sub_item in item.values():
- check_list_or_recurse_on_dict(sub_item, depth + 1)
+ for keys, sub_item in item.items():
+ if "|base64" in keys: # Covers both "base64" and "base64offset" modifiers
+ check_list_or_recurse_on_dict(sub_item, depth + 1, True)
+ else:
+ check_list_or_recurse_on_dict(sub_item, depth + 1, special)
- def check_if_list_contain_duplicates(item: list, depth: int) -> None:
+ def check_if_list_contain_duplicates(item: list, depth: int, special: bool) -> None:
 try:
- if len(item) != len(set(item)):
- print(Fore.RED + "Rule {} has duplicate filters".format(file))
+ # We use a list comprehension to convert all the element to lowercase. Since we don't care about casing in SIGMA except for the following modifiers
+ # - "base64offset"
+ # - "base64"
+ if special:
+ item_ = item
+ else:
+ item_= [i.lower() for i in item]
+ if len(item_) != len(set(item_)):
+ # We find the duplicates and then print them to the user
+ duplicates = [i for i, count in collections.Counter(item_).items() if count > 1]
+ print(Fore.RED + "Rule {} has duplicate filters {}".format(file, duplicates))
 files_with_duplicate_filters.append(file)
 except: # unhashable types like dictionaries
 for sub_item in item:
 if type(sub_item) == dict and depth <= MAX_DEPTH:
- check_list_or_recurse_on_dict(sub_item, depth + 1)
+ check_list_or_recurse_on_dict(sub_item, depth + 1, special)
 MAX_DEPTH = 3
 files_with_duplicate_filters = []
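Review bot: The new lowercase pass `item_= [i.lower() for i in item]` raises AttributeError for any list element that is not a string, for example an `EventID` list of integers, and the bare `except:` below it then swallows the error and only recurses into dict elements, so duplicate checking on such lists is silently lost where the old `set(item)` handled them. Guard the call: `item_ = [i.lower() if isinstance(i, str) else i for i in item]`. With that guard the unhashable case is reached only through `set(item_)`, so the `except:` could be narrowed to `except TypeError:` and keep its intended fallback for lists of dicts without masking other errors. The special-casing of `|base64` modifiers presumably also applies to `|re` values, which backends match case-sensitively, so two regexes differing only in case would be reported as duplicates here. The `item_=` assignment also wants a space before `=`.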
@@ -150,7 +163,7 @@ class TestRules(unittest.TestCase):
 for file in self.yield_next_rule_file_path(self.path_to_rules):
 detection = self.get_rule_part( file_path=file, part_name="detection")
- check_list_or_recurse_on_dict(detection, 1)
+ check_list_or_recurse_on_dict(detection, 1, False)
 self.assertEqual(files_with_duplicate_filters, [], Fore.RED + "There are rules with duplicate filters")