Merge branch 'master' into rule-devel
@@ -35,3 +35,4 @@ a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;target\.exe
|
||||
349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;target\.exe
|
||||
a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;unzip\.exe
|
||||
349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;TeamViewer_\.exe
|
||||
7a02e22e-b885-4404-b38b-1ddc7e65258a;Suspicious Schtasks Schedule Type;TeamViewer_\.exe
|
||||
|
||||
|
@@ -12,7 +12,7 @@ logsource:
|
||||
detection:
|
||||
selection:
|
||||
eventSource: lambda.amazonaws.com
|
||||
eventName|startswith: UpdateFunctionConfiguration
|
||||
eventName|startswith: 'UpdateFunctionConfiguration'
|
||||
condition: selection
|
||||
level: medium
|
||||
tags:
|
||||
|
||||
@@ -12,10 +12,10 @@ logsource:
|
||||
service: activitylogs
|
||||
detection:
|
||||
selection:
|
||||
operationName|startswith: MICROSOFT.NETWORK/DNSZONES
|
||||
operationName|startswith: 'MICROSOFT.NETWORK/DNSZONES'
|
||||
operationName|endswith:
|
||||
- /WRITE
|
||||
- /DELETE
|
||||
- '/WRITE'
|
||||
- '/DELETE'
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- DNS zone modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
|
||||
|
||||
@@ -12,15 +12,15 @@ logsource:
|
||||
service: activitylogs
|
||||
detection:
|
||||
selection1:
|
||||
operationName|startswith: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO
|
||||
operationName|startswith: 'MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO'
|
||||
operationName|endswith:
|
||||
- /MUTATINGWEBHOOKCONFIGURATIONS/WRITE
|
||||
- /VALIDATINGWEBHOOKCONFIGURATIONS/WRITE
|
||||
- '/MUTATINGWEBHOOKCONFIGURATIONS/WRITE'
|
||||
- '/VALIDATINGWEBHOOKCONFIGURATIONS/WRITE'
|
||||
selection2:
|
||||
operationName|startswith: MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO
|
||||
operationName|startswith: 'MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO'
|
||||
operationName|endswith:
|
||||
- /MUTATINGWEBHOOKCONFIGURATIONS/WRITE
|
||||
- /VALIDATINGWEBHOOKCONFIGURATIONS/WRITE
|
||||
- '/MUTATINGWEBHOOKCONFIGURATIONS/WRITE'
|
||||
- '/VALIDATINGWEBHOOKCONFIGURATIONS/WRITE'
|
||||
condition: selection1 or selection2
|
||||
falsepositives:
|
||||
- Azure Kubernetes Admissions Controller may be done by a system administrator.
|
||||
|
||||
@@ -15,15 +15,15 @@ logsource:
|
||||
service: activitylogs
|
||||
detection:
|
||||
selection1:
|
||||
operationName|startswith: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/BATCH
|
||||
operationName|startswith: 'MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/BATCH'
|
||||
operationName|endswith:
|
||||
- /CRONJOBS/WRITE
|
||||
- /JOBS/WRITE
|
||||
- '/CRONJOBS/WRITE'
|
||||
- '/JOBS/WRITE'
|
||||
selection2:
|
||||
operationName|startswith: MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/BATCH
|
||||
operationName|startswith: 'MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/BATCH'
|
||||
operationName|endswith:
|
||||
- /CRONJOBS/WRITE
|
||||
- /JOBS/WRITE
|
||||
- '/CRONJOBS/WRITE'
|
||||
- '/JOBS/WRITE'
|
||||
condition: selection1 or selection2
|
||||
falsepositives:
|
||||
- Azure Kubernetes CronJob/Job may be done by a system administrator.
|
||||
|
||||
@@ -12,17 +12,17 @@ logsource:
|
||||
service: gcp.audit
|
||||
detection:
|
||||
selection1:
|
||||
gcp.audit.method_name|startswith: admissionregistration.k8s.io.v*.mutatingwebhookconfigurations.
|
||||
gcp.audit.method_name|startswith: 'admissionregistration.k8s.io.v*.mutatingwebhookconfigurations.'
|
||||
gcp.audit.method_name|endswith:
|
||||
- create
|
||||
- patch
|
||||
- replace
|
||||
- 'create'
|
||||
- 'patch'
|
||||
- 'replace'
|
||||
selection2:
|
||||
gcp.audit.method_name|startswith: admissionregistration.k8s.io.v*.validatingwebhookconfigurations.
|
||||
gcp.audit.method_name|startswith: 'admissionregistration.k8s.io.v*.validatingwebhookconfigurations.'
|
||||
gcp.audit.method_name|endswith:
|
||||
- create
|
||||
- patch
|
||||
- replace
|
||||
- 'create'
|
||||
- 'patch'
|
||||
- 'replace'
|
||||
condition: selection1 or selection2
|
||||
level: medium
|
||||
tags:
|
||||
|
||||
@@ -17,7 +17,7 @@ logsource:
|
||||
service: smb_files
|
||||
detection:
|
||||
selection:
|
||||
path|endswith: IPC$
|
||||
path|endswith: 'IPC$'
|
||||
name: spoolss
|
||||
condition: selection
|
||||
falsepositives:
|
||||
|
||||
@@ -0,0 +1,33 @@
|
||||
title: MSI Installation From Suspicious Locations
|
||||
id: c7c8aa1c-5aff-408e-828b-998e3620b341
|
||||
status: experimental
|
||||
description: Detects MSI package installation from suspicious locations
|
||||
author: Nasreddine Bencherchali
|
||||
references:
|
||||
- https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html
|
||||
date: 2022/08/31
|
||||
logsource:
|
||||
product: windows
|
||||
service: application
|
||||
# warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
|
||||
detection:
|
||||
selection:
|
||||
Provider_Name: 'MsiInstaller'
|
||||
EventID:
|
||||
- 1040
|
||||
- 1042
|
||||
Data|contains:
|
||||
# Add more suspicious paths
|
||||
- '\Users\Public\'
|
||||
- '\PerfLogs\'
|
||||
- '\Desktop\'
|
||||
- '\Downloads\'
|
||||
- '\AppData\Local\Temp\'
|
||||
- 'C:\Windows\TEMP\'
|
||||
- '\\\\'
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- Some false positives may occure depending on the environnement
|
||||
level: high
|
||||
tags:
|
||||
- attack.execution
|
||||
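Review bot: The `falsepositives` entry in the new rule has two spelling errors and should read `- Some false positives may occur depending on the environment`. The last `Data|contains` value `'\\\\'` is not self-explanatory next to the directory-name entries; a comment above it such as `# UNC path - installation from a network share` would tell the reader why it is treated as suspicious, assuming that is the intent. The `tags` list carries only `attack.execution` without a technique-level tag, which the other new rules in this commit provide.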
@@ -14,7 +14,7 @@ logsource:
|
||||
detection:
|
||||
selection:
|
||||
EventID: 8001
|
||||
TargetName|startswith: TERMSRV
|
||||
TargetName|startswith: 'TERMSRV'
|
||||
condition: selection
|
||||
fields:
|
||||
- Computer
|
||||
|
||||
@@ -18,7 +18,7 @@ logsource:
|
||||
detection:
|
||||
selection:
|
||||
EventID: 4689
|
||||
ProcessName|endswith: nltest.exe
|
||||
ProcessName|endswith: 'nltest.exe'
|
||||
Status: '0x0'
|
||||
condition: selection
|
||||
fields:
|
||||
|
||||
@@ -7,7 +7,7 @@ references:
|
||||
- https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/44fbe85f72ee91582876b49678f9a26292a155fb/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx
|
||||
author: Samir Bousseaden
|
||||
date: 2019/02/16
|
||||
modified: 2022/06/29
|
||||
modified: 2022/09/02
|
||||
tags:
|
||||
- attack.defense_evasion
|
||||
- attack.command_and_control
|
||||
@@ -32,6 +32,8 @@ detection:
|
||||
SourceAddress:
|
||||
- '127.*'
|
||||
- '::1'
|
||||
filter_app_container:
|
||||
FilterOrigin: 'AppContainer Loopback'
|
||||
filter_thor: # checking BlueKeep vulnerability
|
||||
Application|endswith:
|
||||
- '\thor.exe'
|
||||
|
||||
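Review bot: The new `filter_app_container` selection is only effective if the rule's `condition` excludes it, and the condition is outside this hunk; please confirm it reads `condition: selection and not 1 of filter_*` (or names both filters explicitly), since a selection that is defined but never referenced is silently ignored. The `# checking BlueKeep vulnerability` comment on `filter_thor` explains that exclusion well; a similar one-liner on `filter_app_container`, e.g. `# loopback connections generated by AppContainer apps - confirm against FilterOrigin semantics`, would help the next reader.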
@@ -0,0 +1,22 @@
|
||||
title: RTCore Suspicious Service Installation
|
||||
id: 91c49341-e2ef-40c0-ac45-49ec5c3fe26c
|
||||
status: experimental
|
||||
description: Detects the installation of RTCore service. Which could be an indication of Micro-Star MSI Afterburner vulnerable driver abuse
|
||||
author: Nasreddine Bencherchali
|
||||
references:
|
||||
- https://github.com/br-sn/CheekyBlinder/blob/e1764a8a0e7cda8a3716aefa35799f560686e01c/CheekyBlinder/CheekyBlinder.cpp
|
||||
date: 2022/08/30
|
||||
logsource:
|
||||
product: windows
|
||||
service: system
|
||||
detection:
|
||||
selection:
|
||||
Provider_Name: 'Service Control Manager'
|
||||
EventID: 7045
|
||||
ServiceName: 'RTCore64'
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- Unknown
|
||||
level: high
|
||||
tags:
|
||||
- attack.persistence
|
||||
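Review bot: The description is split into a sentence fragment; it should read `description: Detects the installation of the RTCore service, which could be an indication of Micro-Star MSI Afterburner vulnerable driver abuse`. Since the description itself attributes the driver to MSI Afterburner, a legitimate install of that software presumably registers the same service, so `falsepositives: - Unknown` undersells the one known case; `- Legitimate installation of MSI Afterburner` would be more useful when triaging a high-level alert. The exact `ServiceName: 'RTCore64'` match is fine, but a short comment stating whether a 32-bit variant of the service was deliberately left out would document the choice.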
@@ -15,8 +15,8 @@ logsource:
|
||||
category: dns_query
|
||||
detection:
|
||||
selection:
|
||||
Image|startswith: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_
|
||||
Image|endswith: \AppInstaller.exe
|
||||
Image|startswith: 'C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_'
|
||||
Image|endswith: '\AppInstaller.exe'
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- Unknown
|
||||
|
||||
@@ -7,7 +7,7 @@ references:
|
||||
- https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md
|
||||
- https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules
|
||||
date: 2022/08/18
|
||||
modified: 2022/08/26
|
||||
modified: 2022/09/01
|
||||
logsource:
|
||||
product: windows
|
||||
category: driver_load
|
||||
@@ -192,6 +192,9 @@ detection:
|
||||
- 'SHA1=aee092fd31772d33932a7a02dd2d73ede67f7db0'
|
||||
- 'SHA1=118f688c30a2f6c2d1feb955f53ce4acf3086b3b'
|
||||
- 'SHA1=4ede7f018c317ddc6a5f8f935f917621668cb1ec'
|
||||
- 'SHA1=f6f11ad2cd2b0cf95ed42324876bee1d83e01775'
|
||||
- 'SHA1=10b30bdee43b3a2ec4aa63375577ade650269d25'
|
||||
- 'SHA1=c948ae14761095e4d76b55d9de86412258be7afd'
|
||||
- 'SHA256=80599708CE61EC5D6DCFC5977208A2A0BE2252820A88D9BA260D8CDF5DC7FBE4'
|
||||
- 'SHA256=9091E044273FF624585235AC885EB2B05DFB12F3022DCF535B178FF1B2E012D1'
|
||||
- 'SHA256=92EDD48DFAC025D4069EB6491B9730D9D131B77CCEAA480AF9B3C32BC8C5E3A9'
|
||||
@@ -367,6 +370,9 @@ detection:
|
||||
- 'SHA256=d64f906376f21677d0585e93dae8b36248f94be7091b01fd1d4381916a326afe'
|
||||
- 'SHA256=e0afb8b937a5907fbe55a1d1cc7574e9304007ef33fa80ff3896e997a1beaf37'
|
||||
- 'SHA256=f83c357106a7d1d055b5cb75c8414aa3219354deb16ae9ee7efe8ee4c8c670ca'
|
||||
- 'SHA256=01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd'
|
||||
- 'SHA256=ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1'
|
||||
- 'SHA256=0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5'
|
||||
selection_other:
|
||||
- SHA1:
|
||||
- '80fa962bdfb76dfcb9e5d13efc38bb3d392f2e77'
|
||||
@@ -547,6 +553,9 @@ detection:
|
||||
- 'aee092fd31772d33932a7a02dd2d73ede67f7db0'
|
||||
- '118f688c30a2f6c2d1feb955f53ce4acf3086b3b'
|
||||
- '4ede7f018c317ddc6a5f8f935f917621668cb1ec'
|
||||
- 'f6f11ad2cd2b0cf95ed42324876bee1d83e01775'
|
||||
- '10b30bdee43b3a2ec4aa63375577ade650269d25'
|
||||
- 'c948ae14761095e4d76b55d9de86412258be7afd'
|
||||
- SHA256:
|
||||
- '80599708ce61ec5d6dcfc5977208a2a0be2252820a88d9ba260d8cdf5dc7fbe4'
|
||||
- '9091e044273ff624585235ac885eb2b05dfb12f3022dcf535b178ff1b2e012d1'
|
||||
@@ -761,6 +770,9 @@ detection:
|
||||
- 'd64f906376f21677d0585e93dae8b36248f94be7091b01fd1d4381916a326afe'
|
||||
- 'e0afb8b937a5907fbe55a1d1cc7574e9304007ef33fa80ff3896e997a1beaf37'
|
||||
- 'f83c357106a7d1d055b5cb75c8414aa3219354deb16ae9ee7efe8ee4c8c670ca'
|
||||
- '01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd'
|
||||
- 'ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1'
|
||||
- '0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5'
|
||||
driver_img:
|
||||
ImageLoaded|endswith:
|
||||
- '\ASIO32.sys'
|
||||
@@ -870,6 +882,8 @@ detection:
|
||||
- '\piddrv64.sys'
|
||||
- '\mhyprot2.sys'
|
||||
- '\netfilter.sys'
|
||||
- '\RTCore64.sys'
|
||||
- '\DBUtils_2_3.sys'
|
||||
driver_status:
|
||||
- Signed: 'false'
|
||||
- SignatureStatus: Expired
|
||||
|
||||
@@ -8,22 +8,32 @@ references:
|
||||
- https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html
|
||||
author: frack113, Florian Roth
|
||||
date: 2022/08/12
|
||||
modified: 2022/09/05
|
||||
tags:
|
||||
- attack.t1070.006
|
||||
- attack.defense_evasion
|
||||
logsource:
|
||||
category: file_change
|
||||
product: windows
|
||||
detection:
|
||||
selection1:
|
||||
PreviousCreationUtcTime|startswith: 2022
|
||||
PreviousCreationUtcTime|startswith: '2022'
|
||||
filter1:
|
||||
CreationUtcTime|startswith: 2022
|
||||
CreationUtcTime|startswith: '2022'
|
||||
selection2:
|
||||
PreviousCreationUtcTime|startswith: 202
|
||||
PreviousCreationUtcTime|startswith: '202'
|
||||
filter2:
|
||||
CreationUtcTime|startswith: 202
|
||||
condition: ( selection1 and not filter1 ) or ( selection2 and not filter2 )
|
||||
gen_filter_updates:
|
||||
- Image:
|
||||
- 'C:\Windows\system32\ProvTool.exe'
|
||||
- 'C:\Windows\System32\usocoreworker.exe'
|
||||
- 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
|
||||
- TargetFilename|startswith: 'C:\ProgramData\USOPrivate\UpdateStore\'
|
||||
- TargetFilename|endswith:
|
||||
- '.tmp'
|
||||
- '.temp'
|
||||
condition: ( selection1 and not filter1 ) or ( selection2 and not filter2 ) and not 1 of gen_filter*
|
||||
falsepositives:
|
||||
- Changes made to or by the local NTP service
|
||||
level: high
|
||||
tags:
|
||||
- attack.t1070.006
|
||||
- attack.defense_evasion
|
||||
|
||||
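Review bot: The new condition `( selection1 and not filter1 ) or ( selection2 and not filter2 ) and not 1 of gen_filter*` does not apply the `gen_filter*` exclusions to the first branch, because Sigma evaluates `and` before `or`, so it reads as `A or (B and not gen_filter)`. Wrapping the two branches makes the intent explicit: `condition: ( ( selection1 and not filter1 ) or ( selection2 and not filter2 ) ) and not 1 of gen_filter*`. In the same hunk `filter2` still has `CreationUtcTime|startswith: 202` unquoted while its sibling values were quoted by this change; it should read `CreationUtcTime|startswith: '202'` so the prefix is matched as a string rather than an integer.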
@@ -11,7 +11,7 @@ logsource:
|
||||
category: file_event
|
||||
detection:
|
||||
selection:
|
||||
TargetFilename|endswith: \TeamViewer_Desktop.exe
|
||||
TargetFilename|endswith: '\TeamViewer_Desktop.exe'
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- Unknown
|
||||
|
||||
@@ -12,16 +12,16 @@ logsource:
|
||||
product: windows
|
||||
detection:
|
||||
selection_wlldropped:
|
||||
TargetFilename|contains: \Microsoft\Word\Startup\
|
||||
TargetFilename|endswith: .wll
|
||||
TargetFilename|contains: '\Microsoft\Word\Startup\'
|
||||
TargetFilename|endswith: '.wll'
|
||||
selection_xlldropped:
|
||||
TargetFilename|contains: \Microsoft\Excel\Startup\
|
||||
TargetFilename|endswith: .xll
|
||||
TargetFilename|contains: '\Microsoft\Excel\Startup\'
|
||||
TargetFilename|endswith: '.xll'
|
||||
selection_generic:
|
||||
TargetFilename|contains: \Microsoft\Addins\
|
||||
TargetFilename|contains: '\Microsoft\Addins\'
|
||||
TargetFilename|endswith:
|
||||
- .xlam
|
||||
- .xla
|
||||
- '.xlam'
|
||||
- '.xla'
|
||||
condition: 1 of selection*
|
||||
falsepositives:
|
||||
- Legitimate add-ins
|
||||
|
||||
@@ -16,7 +16,7 @@ logsource:
|
||||
category: file_event
|
||||
detection:
|
||||
selection:
|
||||
Image|endswith: updata.exe
|
||||
Image|endswith: 'updata.exe'
|
||||
TargetFilename: 'C:\Windows\oci.dll'
|
||||
condition: selection
|
||||
falsepositives:
|
||||
|
||||
@@ -11,13 +11,13 @@ logsource:
|
||||
category: file_event
|
||||
detection:
|
||||
selection:
|
||||
Image|endswith: \colorcpl.exe
|
||||
Image|endswith: '\colorcpl.exe'
|
||||
valid_ext:
|
||||
TargetFilename|endswith:
|
||||
- .icm
|
||||
- .gmmp
|
||||
- .cdmp
|
||||
- .camp
|
||||
- '.icm'
|
||||
- '.gmmp'
|
||||
- '.cdmp'
|
||||
- '.camp'
|
||||
condition: selection and not valid_ext
|
||||
falsepositives:
|
||||
- Unknown
|
||||
|
||||
@@ -11,11 +11,11 @@ logsource:
|
||||
category: file_event
|
||||
detection:
|
||||
selection:
|
||||
Image|endswith: \cmd.exe
|
||||
Image|endswith: '\cmd.exe'
|
||||
TargetFilename|contains|all:
|
||||
- \Users\
|
||||
- \Desktop\
|
||||
TargetFilename|endswith: .txt
|
||||
- '\Users\'
|
||||
- '\Desktop\'
|
||||
TargetFilename|endswith: '.txt'
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- Unknown
|
||||
|
||||
@@ -16,7 +16,7 @@ tags:
|
||||
- attack.t1574.002
|
||||
detection:
|
||||
selection_dll:
|
||||
ImageLoaded|endswith: MicrosoftAccountTokenProvider.dll
|
||||
ImageLoaded|endswith: 'MicrosoftAccountTokenProvider.dll'
|
||||
filter_legit:
|
||||
- Image|endswith:
|
||||
- '\BackgroundTaskHost.exe'
|
||||
|
||||
@@ -0,0 +1,30 @@
|
||||
title: Cmstp Suspicious DLL Load
|
||||
id: 75e508f7-932d-4ebc-af77-269237a84ce1
|
||||
status: experimental
|
||||
description: Detects cmstp loading "dll" or "ocx" files from suspicious locations
|
||||
author: Nasreddine Bencherchali
|
||||
references:
|
||||
- https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/TTPs/Defense%20Evasion/T1218%20-%20Signed%20Binary%20Proxy%20Execution/T1218.003%20-%20CMSTP/Procedures.yaml
|
||||
date: 2022/08/30
|
||||
logsource:
|
||||
category: image_load
|
||||
product: windows
|
||||
detection:
|
||||
selection:
|
||||
ImageLoaded|contains:
|
||||
# Add more suspicious paths as you see fit in your env
|
||||
- '\Users\'
|
||||
- '\AppData\Local\Temp\'
|
||||
- '\PerfLogs\'
|
||||
- '\Windows\Temp\'
|
||||
ImageLoaded|endswith:
|
||||
- '.dll'
|
||||
- '.ocx'
|
||||
Image|endswith: '\cmstp.exe'
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- Unikely
|
||||
level: high
|
||||
tags:
|
||||
- attack.defense_evasion
|
||||
- attack.t1218.003
|
||||
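Review bot: `falsepositives: - Unikely` is misspelled and should be `- Unlikely`, matching the wording used by the ualapi rule in this same commit. The `ImageLoaded|contains` value `'\Users\'` covers every profile directory including `\Users\Public\`, so the rule fires on any DLL or OCX that cmstp loads from anywhere under a profile; that looks intended given the description, but a comment such as `# any user profile, not only Temp` would stop a later edit from narrowing it by accident.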
@@ -6,7 +6,10 @@ author: Nasreddine Bencherchali
|
||||
references:
|
||||
- https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC (Idea)
|
||||
date: 2022/07/17
|
||||
modified: 2022/08/10
|
||||
modified: 2022/09/03
|
||||
tags:
|
||||
- attack.defense_evasion
|
||||
- attack.t1070
|
||||
logsource:
|
||||
product: windows
|
||||
category: image_load
|
||||
@@ -21,11 +24,11 @@ detection:
|
||||
- '\AppData\Local\Temp\'
|
||||
- 'C:\PerfLogs\'
|
||||
filter:
|
||||
ImageLoaded|contains: '\Program Files'
|
||||
- Image|endswith: '\msiexec.exe'
|
||||
- ImageLoaded|startswith:
|
||||
- 'C:\Program Files\'
|
||||
- 'C:\Program Files (x86)\'
|
||||
condition: selection and not filter
|
||||
falsepositives:
|
||||
- Unknown
|
||||
level: high
|
||||
tags:
|
||||
- attack.defense_evasion
|
||||
- attack.t1070
|
||||
|
||||
@@ -13,9 +13,9 @@ logsource:
|
||||
detection:
|
||||
selection:
|
||||
Image|endswith: '\fxssvc.exe'
|
||||
ImageLoaded|endswith: ualapi.dll
|
||||
ImageLoaded|endswith: 'ualapi.dll'
|
||||
filter:
|
||||
ImageLoaded|startswith: C:\Windows\WinSxS\
|
||||
ImageLoaded|startswith: 'C:\Windows\WinSxS\'
|
||||
condition: selection and not filter
|
||||
falsepositives:
|
||||
- Unlikely
|
||||
|
||||
@@ -25,9 +25,9 @@ detection:
|
||||
- '\WsmAuto.dll'
|
||||
- '\Microsoft.WSMan.Management.ni.dll'
|
||||
- OriginalFileName:
|
||||
- WsmSvc.dll
|
||||
- WSMANAUTOMATION.DLL
|
||||
- Microsoft.WSMan.Management.dll
|
||||
- 'WsmSvc.dll'
|
||||
- 'WSMANAUTOMATION.DLL'
|
||||
- 'Microsoft.WSMan.Management.dll'
|
||||
respond_server:
|
||||
Image|endswith: '\svchost.exe'
|
||||
OriginalFileName: 'WsmWmiPl.dll'
|
||||
@@ -44,9 +44,9 @@ detection:
|
||||
- 'svchost.exe -k netsvcs'
|
||||
filter_mscorsvw: #Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
|
||||
Image|startswith:
|
||||
- C:\Windows\Microsoft.NET\Framework64\v
|
||||
- C:\Windows\Microsoft.NET\Framework\v
|
||||
Image|endswith: \mscorsvw.exe
|
||||
- 'C:\Windows\Microsoft.NET\Framework64\v'
|
||||
- 'C:\Windows\Microsoft.NET\Framework\v'
|
||||
Image|endswith: '\mscorsvw.exe'
|
||||
filter_svr_2019:
|
||||
Image:
|
||||
- 'C:\Windows\System32\Configure-SMRemoting.exe'
|
||||
|
||||
@@ -0,0 +1,29 @@
|
||||
title: Certutil Initiated Connection
|
||||
id: 0dba975d-a193-4ed1-a067-424df57570d1
|
||||
status: experimental
|
||||
description: Detects a network connection intitiated by the certutil.exe tool. Attackers can abuse `certutil.exe` to download malware or offensive security tools.
|
||||
author: frack113, Florian Roth
|
||||
references:
|
||||
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
|
||||
date: 2022/09/02
|
||||
tags:
|
||||
- attack.command_and_control
|
||||
- attack.t1105
|
||||
logsource:
|
||||
category: network_connection
|
||||
product: windows
|
||||
detection:
|
||||
selection_certutil:
|
||||
- Image|endswith: '\certutil.exe'
|
||||
- OriginalFilename: 'CertUtil.exe'
|
||||
selection_network:
|
||||
Initiated: 'true'
|
||||
DestinationPort:
|
||||
- 80
|
||||
- 443
|
||||
- 135
|
||||
- 445
|
||||
condition: all of selection*
|
||||
falsepositives:
|
||||
- Legitimate certutil network connection
|
||||
level: high
|
||||
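Review bot: The field name `OriginalFilename` in `selection_certutil` is cased differently from `OriginalFileName` used by the other new certutil rule in this commit and by the existing rules on this page; if the backend field mapping is case-sensitive this alternative never matches and only the `Image|endswith` branch is effective, so it should read `- OriginalFileName: 'CertUtil.exe'`. Whether the `network_connection` source exposes that field at all is not visible here and is worth confirming. The description also has a typo: `intitiated` should be `initiated`.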
@@ -0,0 +1,22 @@
|
||||
title: Cmstp Making Network Connection
|
||||
id: efafe0bf-4238-479e-af8f-797bd3490d2d
|
||||
status: experimental
|
||||
description: Detects suspicious network connection by Cmstp
|
||||
author: Nasreddine Bencherchali
|
||||
references:
|
||||
- https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
|
||||
date: 2022/08/30
|
||||
logsource:
|
||||
category: network_connection
|
||||
product: windows
|
||||
detection:
|
||||
selection:
|
||||
Image|endswith: '\cmstp.exe'
|
||||
Initiated: 'true'
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- Unknown
|
||||
level: high
|
||||
tags:
|
||||
- attack.defense_evasion
|
||||
- attack.t1218.003
|
||||
@@ -2,11 +2,15 @@ title: Suspicious Outbound RDP Connections
|
||||
id: ed74fe75-7594-4b4b-ae38-e38e3fd2eb23
|
||||
status: test
|
||||
description: Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible lateral movement
|
||||
author: Markus Neis - Swisscom
|
||||
author: Markus Neis
|
||||
references:
|
||||
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
|
||||
date: 2019/05/15
|
||||
modified: 2022/06/20
|
||||
modified: 2022/09/02
|
||||
tags:
|
||||
- attack.lateral_movement
|
||||
- attack.t1021.001
|
||||
- car.2013-07-002
|
||||
logsource:
|
||||
category: network_connection
|
||||
product: windows
|
||||
@@ -40,13 +44,11 @@ detection:
|
||||
- '\Avast Software\Avast\AvastSvc.exe'
|
||||
- '\Ranger\SentinelRanger.exe' # sentinel one
|
||||
- '\Avast\AvastSvc.exe'
|
||||
- Image|startswith: 'C:\Program Files\SplunkUniversalForwarder\bin\'
|
||||
- Image|startswith:
|
||||
- 'C:\Program Files\SplunkUniversalForwarder\bin\'
|
||||
- 'C:\Program Files\Mozilla Firefox\firefox.exe'
|
||||
condition: selection and not filter
|
||||
falsepositives:
|
||||
- Other Remote Desktop RDP tools
|
||||
- Domain controller using dns.exe
|
||||
level: high
|
||||
tags:
|
||||
- attack.lateral_movement
|
||||
- attack.t1021.001
|
||||
- car.2013-07-002
|
||||
|
||||
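Review bot: The new filter entry `'C:\Program Files\Mozilla Firefox\firefox.exe'` is a complete executable path placed under `Image|startswith`, which also accepts any longer path beginning with that string; the Splunk entry beside it is a directory prefix, where `startswith` is the natural choice. An exact match as its own list item, `- Image: 'C:\Program Files\Mozilla Firefox\firefox.exe'`, states the intent more precisely. A one-line comment on why a browser is excluded from a rule about connections to the RDP port would also help, as the neighbouring entries name their product.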
@@ -114,8 +114,8 @@ detection:
|
||||
- '0x1410'
|
||||
- '0x410'
|
||||
filter_edge: # version in path 96.0.1054.43
|
||||
SourceImage|startswith: C:\Program Files (x86)\Microsoft\Edge\Application\
|
||||
SourceImage|endswith: \Installer\setup.exe
|
||||
SourceImage|startswith: 'C:\Program Files (x86)\Microsoft\Edge\Application\'
|
||||
SourceImage|endswith: '\Installer\setup.exe'
|
||||
filter_webex:
|
||||
SourceImage|endswith: '\AppData\Local\WebEx\WebexHost.exe'
|
||||
GrantedAccess: '0x401'
|
||||
|
||||
@@ -83,6 +83,10 @@ detection:
|
||||
- '\AppData\Local\Temp\'
|
||||
- '\vs_bootstrapper_'
|
||||
GrantedAccess: '0x1410'
|
||||
filter_chrome:
|
||||
SourceImage|startswith: 'C:\Program Files (x86)\Google\Temp\'
|
||||
SourceImage|endswith: '.tmp\GoogleUpdate.exe'
|
||||
GrantedAccess: '0x410'
|
||||
condition: selection and not 1 of filter*
|
||||
fields:
|
||||
- User
|
||||
|
||||
@@ -4,23 +4,23 @@ status: test
|
||||
description: Detects mshta loaded by wmiprvse as parent as used by TA505 malicious documents
|
||||
author: Florian Roth
|
||||
references:
|
||||
- https://twitter.com/ForensicITGuy/status/1334734244120309760
|
||||
- https://twitter.com/ForensicITGuy/status/1334734244120309760
|
||||
date: 2020/12/08
|
||||
modified: 2022/03/31
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
category: process_creation
|
||||
product: windows
|
||||
detection:
|
||||
selection_parent:
|
||||
ParentImage|endswith: '\wmiprvse.exe'
|
||||
selection_mshta:
|
||||
- Image|endswith: '\mshta.exe'
|
||||
- OriginalFileName: 'mshta.exe'
|
||||
condition: selection_parent and selection_mshta
|
||||
selection_parent:
|
||||
ParentImage|endswith: '\wmiprvse.exe'
|
||||
selection_mshta:
|
||||
- Image|endswith: '\mshta.exe'
|
||||
- OriginalFileName: 'mshta.exe'
|
||||
condition: all of selection_*
|
||||
falsepositives:
|
||||
- Unknown
|
||||
- Unknown
|
||||
level: critical
|
||||
tags:
|
||||
- attack.execution
|
||||
- attack.g0092
|
||||
- attack.t1106
|
||||
- attack.execution
|
||||
- attack.g0092
|
||||
- attack.t1106
|
||||
|
||||
@@ -12,7 +12,7 @@ logsource:
|
||||
product: windows
|
||||
detection:
|
||||
selection:
|
||||
Image|endswith: \attrib.exe
|
||||
Image|endswith: '\attrib.exe'
|
||||
CommandLine|contains: ' +s '
|
||||
condition: selection
|
||||
falsepositives:
|
||||
|
||||
@@ -15,7 +15,7 @@ logsource:
|
||||
product: windows
|
||||
detection:
|
||||
selection_basic:
|
||||
Image|endswith: \attrib.exe
|
||||
Image|endswith: '\attrib.exe'
|
||||
CommandLine|contains: ' +s'
|
||||
selection_paths:
|
||||
CommandLine|contains:
|
||||
|
||||
@@ -13,14 +13,14 @@ logsource:
|
||||
product: windows
|
||||
detection:
|
||||
selection1:
|
||||
Image|endswith: \bcdedit.exe
|
||||
CommandLine|contains: set
|
||||
Image|endswith: '\bcdedit.exe'
|
||||
CommandLine|contains: 'set'
|
||||
selection2:
|
||||
- CommandLine|contains|all:
|
||||
- bootstatuspolicy
|
||||
- ignoreallfailures
|
||||
- 'bootstatuspolicy'
|
||||
- 'ignoreallfailures'
|
||||
- CommandLine|contains|all:
|
||||
- recoveryenabled
|
||||
- 'recoveryenabled'
|
||||
- 'no'
|
||||
condition: all of selection*
|
||||
fields:
|
||||
|
||||
@@ -1,44 +1,44 @@
|
||||
title: SquiblyTwo
|
||||
title: SquiblyTwo Execution
|
||||
id: 8d63dadf-b91b-4187-87b6-34a1114577ea
|
||||
status: test
|
||||
description: Detects WMI SquiblyTwo Attack with possible renamed WMI by looking for imphash
|
||||
author: Markus Neis / Florian Roth
|
||||
author: Markus Neis, Florian Roth
|
||||
references:
|
||||
- https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html
|
||||
- https://twitter.com/mattifestation/status/986280382042595328
|
||||
- https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html
|
||||
- https://twitter.com/mattifestation/status/986280382042595328
|
||||
date: 2019/01/16
|
||||
modified: 2022/03/21
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
category: process_creation
|
||||
product: windows
|
||||
detection:
|
||||
selection_one:
|
||||
Image|endswith: '\wmic.exe'
|
||||
CommandLine|contains|all:
|
||||
- wmic
|
||||
- format
|
||||
- http
|
||||
selection_wmic_imphash:
|
||||
- Imphash:
|
||||
- 1B1A3F43BF37B5BFE60751F2EE2F326E
|
||||
- 37777A96245A3C74EB217308F3546F4C
|
||||
- 9D87C9D67CE724033C0B40CC4CA1B206
|
||||
- Hashes|contains: # Sysmon field hashes contains all types
|
||||
- IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E
|
||||
- IMPHASH=37777A96245A3C74EB217308F3546F4C
|
||||
- IMPHASH=9D87C9D67CE724033C0B40CC4CA1B206
|
||||
selection_flags:
|
||||
CommandLine|contains|all:
|
||||
- 'format:'
|
||||
- 'http'
|
||||
condition: selection_one or (selection_wmic_imphash and selection_flags)
|
||||
selection_org:
|
||||
Image|endswith: '\wmic.exe'
|
||||
CommandLine|contains|all:
|
||||
- wmic
|
||||
- format
|
||||
- http
|
||||
selection_renamed_wmic_imphash:
|
||||
- Imphash:
|
||||
- 1B1A3F43BF37B5BFE60751F2EE2F326E
|
||||
- 37777A96245A3C74EB217308F3546F4C
|
||||
- 9D87C9D67CE724033C0B40CC4CA1B206
|
||||
- Hashes|contains: # Sysmon field hashes contains all types
|
||||
- IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E
|
||||
- IMPHASH=37777A96245A3C74EB217308F3546F4C
|
||||
- IMPHASH=9D87C9D67CE724033C0B40CC4CA1B206
|
||||
selection_renamed_flags:
|
||||
CommandLine|contains|all:
|
||||
- 'format:'
|
||||
- 'http'
|
||||
condition: selection_org or all of selection_renamed_*
|
||||
falsepositives:
|
||||
- Unknown
|
||||
- Unknown
|
||||
level: medium
|
||||
tags:
|
||||
- attack.defense_evasion
|
||||
- attack.t1047
|
||||
- attack.t1220
|
||||
- attack.execution
|
||||
- attack.t1059.005
|
||||
- attack.t1059.007
|
||||
- attack.defense_evasion
|
||||
- attack.t1047
|
||||
- attack.t1220
|
||||
- attack.execution
|
||||
- attack.t1059.005
|
||||
- attack.t1059.007
|
||||
|
||||
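Review bot: The restructured `selection_org` values `wmic`, `format` and `http` and the `Imphash`/`IMPHASH=` values remain unquoted, while every other rule touched by this commit quotes its string values; quoting them (`- 'wmic'`, `- 'IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E'`, and so on) keeps the file consistent with the rest of the change. `selection_org` is also an opaque name next to `selection_renamed_*`; something like `selection_wmic_cli` would tell the reader what it matches, with the `condition` updated accordingly.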
@@ -6,7 +6,7 @@ author: Austin Songer @austinsonger
|
||||
date: 2021/10/23
|
||||
modified: 2022/05/16
|
||||
references:
|
||||
- https://twitter.com/sblmsrsn/status/1445758411803480072?s=20
|
||||
- https://twitter.com/sblmsrsn/status/1445758411803480072?s=20
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
@@ -23,8 +23,8 @@ fields:
|
||||
- CommandLine
|
||||
- ParentCommandLine
|
||||
tags:
|
||||
- attack.defense_evasion
|
||||
- attack.t1218
|
||||
- attack.defense_evasion
|
||||
- attack.t1218
|
||||
falsepositives:
|
||||
- Unknown
|
||||
level: medium
|
||||
|
||||
@@ -0,0 +1,26 @@
|
||||
title: NTLM Coercion Via Certutil.exe
|
||||
id: 6c6d9280-e6d0-4b9d-80ac-254701b64916
|
||||
description: Detects possible NTLM coercion via certutil using the 'syncwithWU' flag
|
||||
status: experimental
|
||||
author: Nasreddine Bencherchali
|
||||
date: 2022/09/01
|
||||
references:
|
||||
- https://github.com/LOLBAS-Project/LOLBAS/issues/243
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
detection:
|
||||
selection_img:
|
||||
- Image|endswith: '\certutil.exe'
|
||||
- OriginalFileName: 'CertUtil.exe'
|
||||
selection_cli:
|
||||
CommandLine|contains|all:
|
||||
- ' -syncwithWU '
|
||||
- ' \\\\'
|
||||
condition: all of selection*
|
||||
tags:
|
||||
- attack.defense_evasion
|
||||
- attack.t1218
|
||||
falsepositives:
|
||||
- Unknown
|
||||
level: high
|
||||
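Review bot: The `CommandLine|contains|all` value `' -syncwithWU '` covers only the dash form of the switch, while certutil accepts switches prefixed with `/` as well, so the same invocation written with `/syncwithWU` is not matched. Because `contains|all` is a conjunction, the two switch spellings cannot be listed there as alternatives; splitting `selection_cli` into a switch selection and a UNC selection keeps the `all of selection*` condition unchanged while accepting either form. The `' \\\\'` entry would also benefit from a comment naming it as the UNC path argument.

```yaml
    # … unchanged: selection_img …
    selection_cli_switch:
        CommandLine|contains:
            - ' -syncwithWU '
            - ' /syncwithWU '
    selection_cli_unc:
        # UNC path argument (two backslashes after Sigma escaping)
        CommandLine|contains: ' \\\\'
    condition: all of selection*
```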
@@ -1,7 +1,7 @@
|
||||
title: Powershell ChromeLoader Browser Hijacker
|
||||
id: 27ba3207-dd30-4812-abbf-5d20c57d474e
|
||||
status: experimental
|
||||
description: Detects PowerShell spawning chrome.exe containing load-extension and AppData\Local in the process command line
|
||||
description: Detects PowerShell process spawning a 'chrome.exe' process with the 'load-extension' flag to start a new chrome instance with custom extensions, as seen being used in 'ChromeLoader'
|
||||
author: Aedan Russell, frack113 (sigma)
|
||||
references:
|
||||
- https://redcanary.com/blog/chromeloader/
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
title: Browser Started with Remote Debugging
|
||||
id: b3d34dc5-2efd-4ae3-845f-8ec14921f449
|
||||
status: experimental
|
||||
description: Detects starting browser with remote debugging flag, may be used for browser injection attacks
|
||||
description: Detects browsers starting with the '--remote-debugging' flag. Which is a technique often used to perform browser injection attacks
|
||||
author: pH-T
|
||||
references:
|
||||
- https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf
|
||||
|
||||
@@ -6,6 +6,7 @@ references:
|
||||
- https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/CleanWipe
|
||||
author: Nasreddine Bencherchali @nas_bench
|
||||
date: 2021/12/18
|
||||
modified: 2022/09/02
|
||||
tags:
|
||||
- attack.defense_evasion
|
||||
- attack.t1562.001
|
||||
@@ -28,5 +29,5 @@ detection:
|
||||
- '/enterprise'
|
||||
condition: 1 of selection*
|
||||
falsepositives:
|
||||
- Legitimate administrative use
|
||||
level: medium
|
||||
- Legitimate administrative use (Should be investigated either way)
|
||||
level: high
|
||||
|
||||
@@ -24,7 +24,7 @@ detection:
|
||||
- /q
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- Legitimate script
|
||||
- Legitimate scripts
|
||||
level: low
|
||||
tags:
|
||||
- attack.defense_evasion
|
||||
|
||||
@@ -1,11 +1,12 @@
|
||||
title: Suspicious Dosfuscation Character in Commandline
|
||||
id: a77c1610-fc73-4019-8e29-0f51efc04a51
|
||||
status: experimental
|
||||
description: Possible Payload Obfuscation
|
||||
description: Detects possible payload obfuscation via the commandline
|
||||
references:
|
||||
- https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf
|
||||
author: frack113
|
||||
date: 2022/02/15
|
||||
modified: 2022/09/02
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
|
||||
@@ -11,8 +11,8 @@ logsource:
|
||||
product: windows
|
||||
detection:
|
||||
selection_cmd:
|
||||
- OriginalFileName: Cmd.Exe
|
||||
- Image|endswith: \cmd.exe
|
||||
- OriginalFileName: 'Cmd.Exe'
|
||||
- Image|endswith: '\cmd.exe'
|
||||
selection_read:
|
||||
- ParentCommandLine|contains|all:
|
||||
- 'cmd '
|
||||
|
||||
@@ -6,6 +6,10 @@ references:
|
||||
- https://www.poolwatch.io/coin/monero
|
||||
author: Florian Roth
|
||||
date: 2021/10/26
|
||||
modified: 2022/09/05
|
||||
tags:
|
||||
- attack.impact
|
||||
- attack.t1496
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
@@ -30,10 +34,13 @@ detection:
|
||||
- 'c3RyYXR1bSt1ZHA6Ly'
|
||||
- 'N0cmF0dW0rdWRwOi8v'
|
||||
- 'zdHJhdHVtK3VkcDovL'
|
||||
condition: selection
|
||||
filter:
|
||||
CommandLine|contains:
|
||||
- ' pool.c '
|
||||
- ' pool.o '
|
||||
- 'gcc -'
|
||||
condition: selection and not filter
|
||||
falsepositives:
|
||||
- Legitimate use of crypto miners
|
||||
- Some build frameworks
|
||||
level: high
|
||||
tags:
|
||||
- attack.impact
|
||||
- attack.t1496
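Review bot: The `'gcc -'` term in the new `filter` suppresses the whole rule for any process whose command line contains that substring, regardless of which image is running, so a two-character flag prefix is carrying an exclusion on a `level: high` detection. `' pool.c '` and `' pool.o '` are specific enough, but `'gcc -'` would be safer scoped to the build tooling the "Some build frameworks" false positive actually comes from, e.g. by adding an `Image|endswith` (or `ParentImage|endswith`) key to the filter map so both have to hold. If the broad term is deliberate, a one-line comment next to it, `# broad on purpose: build frameworks invoke gcc with pool sources`, would stop the next reviewer from narrowing it again.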
|
||||
@@ -15,8 +15,8 @@ logsource:
|
||||
product: windows
|
||||
detection:
|
||||
wbadmin_exe:
|
||||
- Image|endswith: \wbadmin.exe
|
||||
- CommandLine|contains: wbadmin
|
||||
- Image|endswith: '\wbadmin.exe'
|
||||
- CommandLine|contains: 'wbadmin'
|
||||
wbadmin_cmd:
|
||||
CommandLine|contains|all:
|
||||
- 'delete '
|
||||
|
||||
@@ -11,8 +11,8 @@ logsource:
|
||||
product: windows
|
||||
detection:
|
||||
selection:
|
||||
- OriginalFileName: DirLister.exe
|
||||
- Image|endswith: \dirlister.exe
|
||||
- OriginalFileName: 'DirLister.exe'
|
||||
- Image|endswith: '\dirlister.exe'
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- Legitimate use
|
||||
|
||||
+1
-1
@@ -14,7 +14,7 @@ logsource:
|
||||
product: windows
|
||||
detection:
|
||||
reg:
|
||||
Image|endswith: \reg.exe
|
||||
Image|endswith: '\reg.exe'
|
||||
CommandLine|contains|all:
|
||||
- ' query '
|
||||
- '/t '
|
||||
|
||||
@@ -12,7 +12,7 @@ logsource:
|
||||
product: windows
|
||||
detection:
|
||||
selection_mstsc:
|
||||
Image|endswith: \ruby.exe
|
||||
Image|endswith: '\ruby.exe'
|
||||
CommandLine|contains|all:
|
||||
- '-i '
|
||||
- '-u '
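Review bot: The selection is still named `selection_mstsc` although it matches `Image|endswith: '\ruby.exe'`, which reads like a copy-paste leftover from another rule. Renaming it to `selection_ruby` would make the rule self-describing; the `condition` that references the name sits outside this hunk and would need the same rename.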
|
||||
|
||||
@@ -7,7 +7,7 @@ references:
|
||||
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md
|
||||
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh750728(v=ws.11)
|
||||
date: 2019/10/23
|
||||
modified: 2022/08/01
|
||||
modified: 2022/09/03
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
@@ -30,7 +30,8 @@ detection:
|
||||
- 'ICACLS C:\ProgramData\dynatrace\gateway\config\config.properties /grant :r '
|
||||
- 'S-1-5-19:F'
|
||||
filter_programs:
|
||||
CommandLine|contains: '\AppData\Local\Programs\Microsoft VS Code'
|
||||
- Image|contains: '\AppData\Local\Programs\Microsoft VS Code'
|
||||
- Image|endswith: '\Microsoft VS Code\Code.exe'
|
||||
condition: 1 of selection* and not 1 of filter*
|
||||
fields:
|
||||
- ComputerName
|
||||
|
||||
@@ -11,11 +11,11 @@ logsource:
|
||||
product: windows
|
||||
detection:
|
||||
selection:
|
||||
Image|endswith: \findstr.exe
|
||||
Image|endswith: '\findstr.exe'
|
||||
CommandLine|contains|all:
|
||||
- cpassword
|
||||
- \sysvol\
|
||||
- .xml
|
||||
- 'cpassword'
|
||||
- '\sysvol\'
|
||||
- '.xml'
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- Unknown
|
||||
|
||||
@@ -11,7 +11,7 @@ logsource:
|
||||
product: windows
|
||||
detection:
|
||||
selection1:
|
||||
Image|endswith: \findstr.exe
|
||||
Image|endswith: '\findstr.exe'
|
||||
CommandLine|contains: 'lsass'
|
||||
selection2:
|
||||
CommandLine|contains:
|
||||
|
||||
@@ -0,0 +1,25 @@
|
||||
title: Fast Reverse Proxy (FRP)
|
||||
id: 32410e29-5f94-4568-b6a3-d91a8adad863
|
||||
status: experimental
|
||||
description: Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.
|
||||
references:
|
||||
- https://asec.ahnlab.com/en/38156/
|
||||
- https://github.com/fatedier/frp
|
||||
author: frack113
|
||||
date: 2022/09/02
|
||||
tags:
|
||||
- attack.command_and_control
|
||||
- attack.t1090
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
detection:
|
||||
selection:
|
||||
Image|endswith:
|
||||
- '\frpc.exe'
|
||||
- '\frps.exe'
|
||||
CommandLine|contains: '\frpc.ini'
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- Legitimate use
|
||||
level: high
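Review bot: `Image|endswith` and `CommandLine|contains` sit in the same selection map, so they are ANDed: the rule only fires when the image is frpc.exe or frps.exe and the command line also mentions `\frpc.ini`. That presumably makes the `'\frps.exe'` entry dead weight (the server side is not expected to be started with a client config), and a renamed client binary is missed even when it is pointed at frpc.ini. If the intent is "either the known binary names or the config file", splitting the selection and using `1 of selection_*` gives that; if the AND is deliberate to keep false positives down, a short comment saying so would help, since the falsepositives entry is just `Legitimate use`.
```yaml
    selection_img:
        Image|endswith:
            - '\frpc.exe'
            - '\frps.exe'
    selection_cli:
        CommandLine|contains: '\frpc.ini'
    condition: 1 of selection_*
```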
|
||||
@@ -13,7 +13,7 @@ logsource:
|
||||
product: windows
|
||||
detection:
|
||||
selection:
|
||||
- Image|endswith: ˚\Rubeus.exe'
|
||||
- Image|endswith: '\Rubeus.exe'
|
||||
- OriginalFileName: 'Rubeus.exe'
|
||||
- CommandLine|contains:
|
||||
- ' asreproast '
|
||||
|
||||
@@ -11,10 +11,10 @@ logsource:
|
||||
product: windows
|
||||
detection:
|
||||
selection:
|
||||
Image|endswith: \appcmd.exe
|
||||
Image|endswith: '\appcmd.exe'
|
||||
CommandLine|contains|all:
|
||||
- set
|
||||
- config
|
||||
- 'set'
|
||||
- 'config'
|
||||
- '/section:httplogging'
|
||||
- '/dontLog:true'
|
||||
condition: selection
|
||||
|
||||
+17
-17
@@ -4,27 +4,27 @@ status: test
|
||||
description: Detects Obfuscated Powershell via use MSHTA in Scripts
|
||||
author: Nikita Nazarov, oscd.community
|
||||
references:
|
||||
- https://github.com/Neo23x0/sigma/issues/1009 #(Task31)
|
||||
- https://github.com/Neo23x0/sigma/issues/1009 #(Task31)
|
||||
date: 2020/10/08
|
||||
modified: 2022/03/08
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
category: process_creation
|
||||
product: windows
|
||||
detection:
|
||||
selection:
|
||||
CommandLine|contains|all:
|
||||
- 'set'
|
||||
- '&&'
|
||||
- 'mshta'
|
||||
- 'vbscript:createobject'
|
||||
- '.run'
|
||||
- '(window.close)'
|
||||
condition: selection
|
||||
selection:
|
||||
CommandLine|contains|all:
|
||||
- 'set'
|
||||
- '&&'
|
||||
- 'mshta'
|
||||
- 'vbscript:createobject'
|
||||
- '.run'
|
||||
- '(window.close)'
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- Unknown
|
||||
- Unknown
|
||||
level: high
|
||||
tags:
|
||||
- attack.defense_evasion
|
||||
- attack.t1027
|
||||
- attack.execution
|
||||
- attack.t1059.001
|
||||
- attack.defense_evasion
|
||||
- attack.t1027
|
||||
- attack.execution
|
||||
- attack.t1059.001
|
||||
|
||||
@@ -0,0 +1,32 @@
|
||||
title: Suspicious Ldifde Command Usage
|
||||
id: 6f535e01-ca1f-40be-ab8d-45b19c0c8b7f
|
||||
description: |
|
||||
Detects the use of Ldifde.exe with specific command line arguments to potentially load an LDIF file containing HTTP-based arguments.
|
||||
Ldifde.exe is present, by default, on domain controllers and only requires user-level authentication to execute.
|
||||
references:
|
||||
- https://twitter.com/0gtweet/status/1564968845726580736
|
||||
- https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html
|
||||
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)
|
||||
status: experimental
|
||||
author: '@gott_cyber'
|
||||
date: 2022/09/02
|
||||
tags:
|
||||
- attack.command_and_control
|
||||
- attack.t1105
|
||||
- attack.defense_evasion
|
||||
- attack.t1218
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
detection:
|
||||
selection_ldif:
|
||||
- Image|endswith: '\ldifde.exe'
|
||||
- OriginalFileName: ldifde.exe.mui
|
||||
selection_cmd:
|
||||
CommandLine|contains|all:
|
||||
- '-i'
|
||||
- '-f'
|
||||
condition: all of selection_*
|
||||
falsepositives:
|
||||
- Unknown
|
||||
level: medium
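Review bot: The `selection_cmd` terms `'-i'` and `'-f'` are unanchored substrings, so any ldifde command line containing those two letter pairs anywhere (inside a path, a filename or a longer switch) satisfies `contains|all`, which makes the `-i`/`-f` requirement much weaker than the description suggests. The space-delimited form used elsewhere in this commit, `- ' -i '` and `- ' -f '`, would bind them to actual switches. Separately, `OriginalFileName: ldifde.exe.mui` is the one unquoted value in the rule while the sibling `Image|endswith` is quoted; quoting it keeps the file consistent with the rest of the commit. The description mentions "HTTP-based arguments" but nothing in the detection checks for that, so either the description or the selection looks incomplete; worth confirming which.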
|
||||
@@ -12,8 +12,8 @@ logsource:
|
||||
product: windows
|
||||
detection:
|
||||
selection_img:
|
||||
- Image|endswith: \forfiles.exe
|
||||
- OriginalFileName: forfiles.exe
|
||||
- Image|endswith: '\forfiles.exe'
|
||||
- OriginalFileName: 'forfiles.exe'
|
||||
selection_cli_p:
|
||||
CommandLine|contains:
|
||||
- ' /p '
|
||||
|
||||
@@ -14,10 +14,10 @@ logsource:
|
||||
product: windows
|
||||
detection:
|
||||
selection:
|
||||
- Image|endswith: \fsianycpu.exe
|
||||
- OriginalFileName: fsianycpu.exe
|
||||
- Image|endswith: \fsi.exe
|
||||
- OriginalFileName: fsi.exe
|
||||
- Image|endswith: '\fsianycpu.exe'
|
||||
- OriginalFileName: 'fsianycpu.exe'
|
||||
- Image|endswith: '\fsi.exe'
|
||||
- OriginalFileName: 'fsi.exe'
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- Legitimate use by a software developer.
|
||||
|
||||
@@ -12,7 +12,7 @@ logsource:
|
||||
product: windows
|
||||
detection:
|
||||
selection:
|
||||
Image|endswith: \pcalua.exe
|
||||
Image|endswith: '\pcalua.exe'
|
||||
CommandLine|contains: ' -a' # No space after the flag because it accepts anything as long as there a "-a"
|
||||
condition: selection
|
||||
falsepositives:
|
||||
|
||||
@@ -11,8 +11,8 @@ logsource:
|
||||
product: windows
|
||||
detection:
|
||||
selection:
|
||||
- Image|endswith: PktMon.exe
|
||||
- OriginalFileName: PktMon.exe
|
||||
- Image|endswith: 'PktMon.exe'
|
||||
- OriginalFileName: 'PktMon.exe'
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- Legitimate use
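Review bot: `Image|endswith: 'PktMon.exe'` has no leading backslash, so it also matches any image whose name merely ends in those characters (for example `somethingPktMon.exe`); the rest of the commit uses the `'\name.exe'` form for exactly this reason. The quoting change is fine, but `- Image|endswith: '\PktMon.exe'` is the safer anchor. The same missing backslash appears in the ttdinject hunk (`Image|endswith: 'ttdinject.exe'`), in the new "Add SafeBoot Keys Via Reg Utility" rule (`Image|endswith: 'reg.exe'`) and in the rasdial hunk (`Image|endswith: 'rasdial.exe'`).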
|
||||
|
||||
@@ -12,8 +12,8 @@ logsource:
|
||||
product: windows
|
||||
detection:
|
||||
selection:
|
||||
- Image|endswith: \remote.exe
|
||||
- OriginalFileName: remote.exe
|
||||
- Image|endswith: '\remote.exe'
|
||||
- OriginalFileName: 'remote.exe'
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- Approved installs of Windows SDK with Debugging Tools for Windows (WinDbg).
|
||||
|
||||
@@ -11,8 +11,8 @@ logsource:
|
||||
category: process_creation
|
||||
detection:
|
||||
selection:
|
||||
- Image|endswith: ttdinject.exe
|
||||
- OriginalFileName: TTDInject.EXE
|
||||
- Image|endswith: 'ttdinject.exe'
|
||||
- OriginalFileName: 'TTDInject.EXE'
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- Legitimate use
|
||||
|
||||
+1
-1
@@ -26,7 +26,7 @@ detection:
|
||||
- '\msiexec.exe'
|
||||
- '\mshta.exe'
|
||||
- '\verclsid.exe'
|
||||
ParentImage|endswith: \wbem\WmiPrvSE.exe
|
||||
ParentImage|endswith: '\wbem\WmiPrvSE.exe'
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- Unknown
|
||||
|
||||
@@ -14,10 +14,10 @@ logsource:
|
||||
product: windows
|
||||
detection:
|
||||
selection_reg:
|
||||
- Image|endswith: \reg.exe
|
||||
- OriginalFileName: reg.exe
|
||||
- Image|endswith: '\reg.exe'
|
||||
- OriginalFileName: 'reg.exe'
|
||||
selection_path:
|
||||
CommandLine|contains: \SOFTWARE\Policies\Microsoft\Windows\System
|
||||
CommandLine|contains: '\SOFTWARE\Policies\Microsoft\Windows\System'
|
||||
selection_key:
|
||||
CommandLine|contains:
|
||||
- GroupPolicyRefreshTimeDC
|
||||
|
||||
@@ -13,12 +13,12 @@ logsource:
|
||||
product: windows
|
||||
detection:
|
||||
selection_mstsc_img:
|
||||
- Image|endswith: \mstsc.exe
|
||||
- Image|endswith: '\mstsc.exe'
|
||||
- OriginalFileName: 'mstsc.exe'
|
||||
selection_mstsc_cli:
|
||||
CommandLine|contains: ' /v:'
|
||||
selection_cmdkey_img:
|
||||
- Image|endswith: \cmdkey.exe
|
||||
- Image|endswith: '\cmdkey.exe'
|
||||
- OriginalFileName: 'cmdkey.exe'
|
||||
selection_cmdkey_cli:
|
||||
CommandLine|contains|all:
|
||||
|
||||
+60
@@ -0,0 +1,60 @@
|
||||
title: Suspicious Manipulation Of Default Accounts
|
||||
id: 5b768e71-86f2-4879-b448-81061cbae951
|
||||
status: experimental
|
||||
description: Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc
|
||||
author: Nasreddine Bencherchali
|
||||
references:
|
||||
- https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html
|
||||
- https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/
|
||||
date: 2022/09/01
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
detection:
|
||||
selection_img:
|
||||
Image|endswith:
|
||||
- '\net.exe'
|
||||
- '\net1.exe'
|
||||
selection_user_option:
|
||||
CommandLine|contains: ' user '
|
||||
selection_username:
|
||||
CommandLine|contains:
|
||||
# Note: We need to write the full account name for cases starting with 'admin' to avoid lookups only with the user flag
|
||||
- ' Järjestelmänvalvoja ' # Finish
|
||||
- ' Rendszergazda ' # Hungarian
|
||||
- ' Администратор ' # Russian
|
||||
- ' Administrateur ' # French
|
||||
- ' Administrador ' # Portuguese (Brazil + Portugal) + Spanish
|
||||
- ' Administratör ' # Swedish
|
||||
- ' Administrator ' # English
|
||||
- ' guest '
|
||||
# The cases below are for when an attacker requests the net command via 'cmd /c....'
|
||||
# First in double quotes
|
||||
- ' "Järjestelmänvalvoja" ' # Finish
|
||||
- ' "Rendszergazda" ' # Hungarian
|
||||
- ' "Администратор" ' # Russian
|
||||
- ' "Administrateur" ' # French
|
||||
- ' "Administrador" ' # Portuguese (Brazil + Portugal) + Spanish
|
||||
- ' "Administratör" ' # Swedish
|
||||
- ' "Administrator" ' # English
|
||||
- ' "guest" '
|
||||
# Second in single quotes
|
||||
- " 'Järjestelmänvalvoja' " # Finish
|
||||
- " 'Rendszergazda' " # Hungarian
|
||||
- " 'Администратор' " # Russian
|
||||
- " 'Administrateur' " # French
|
||||
- " 'Administrador' " # Portuguese (Brazil + Portugal) + Spanish
|
||||
- " 'Administratör' " # Swedish
|
||||
- " 'Administrator' " # English
|
||||
- " 'guest' "
|
||||
filter:
|
||||
CommandLine|contains|all:
|
||||
- 'guest'
|
||||
- '/active no'
|
||||
condition: all of selection_* and not filter
|
||||
falsepositives:
|
||||
- Some fasle positives could occure with the admin or guest account. It depends on the scripts being used by the admins in your env. If you experience a lot of FP you could reduce the level to medium
|
||||
level: high
|
||||
tags:
|
||||
- attack.collection
|
||||
- attack.t1560.001
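Review bot: The tags `attack.collection` / `attack.t1560.001` (Archive Collected Data: Archive via Utility) do not describe what this rule detects; enabling, disabling or changing the password of built-in accounts is Account Manipulation, so `attack.persistence` / `attack.t1098` is the matching pair. Two wording fixes in the same file: the seven `# Finish` comments should read `# Finnish`, and the falsepositives entry has "fasle positives could occure" for "false positives could occur". The note at the top of `selection_username` explaining why full account names are listed is useful; keeping it is a good call.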
|
||||
@@ -4,7 +4,7 @@ status: experimental
|
||||
description: Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE
|
||||
author: Florian Roth, omkar72, @svch0st, Nasreddine Bencherchali
|
||||
date: 2019/01/16
|
||||
modified: 2022/08/22
|
||||
modified: 2022/09/02
|
||||
references:
|
||||
- https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
|
||||
- https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
|
||||
@@ -37,6 +37,7 @@ detection:
|
||||
- ' administrateurs'
|
||||
- 'enterprise admins'
|
||||
- 'Exchange Trusted Subsystem'
|
||||
- 'Remote Desktop Users'
|
||||
- ' /do' # short for domain
|
||||
# Covers 'accounts' flag
|
||||
selection_accounts_root:
|
||||
|
||||
@@ -4,29 +4,29 @@ status: test
|
||||
description: Detects netsh commands that opens the port 3389 used for RDP, used in Sarwent Malware
|
||||
author: Sander Wiebing
|
||||
references:
|
||||
- https://labs.sentinelone.com/sarwent-malware-updates-command-detonation/
|
||||
- https://labs.sentinelone.com/sarwent-malware-updates-command-detonation/
|
||||
date: 2020/05/23
|
||||
modified: 2021/11/27
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
category: process_creation
|
||||
product: windows
|
||||
detection:
|
||||
selection1:
|
||||
CommandLine|contains|all:
|
||||
- netsh
|
||||
- firewall add portopening
|
||||
- tcp 3389
|
||||
selection2:
|
||||
CommandLine|contains|all:
|
||||
- netsh
|
||||
- advfirewall firewall add rule
|
||||
- action=allow
|
||||
- protocol=TCP
|
||||
- localport=3389
|
||||
condition: 1 of selection*
|
||||
selection1:
|
||||
CommandLine|contains|all:
|
||||
- netsh
|
||||
- firewall add portopening
|
||||
- tcp 3389
|
||||
selection2:
|
||||
CommandLine|contains|all:
|
||||
- netsh
|
||||
- advfirewall firewall add rule
|
||||
- action=allow
|
||||
- protocol=TCP
|
||||
- localport=3389
|
||||
condition: 1 of selection*
|
||||
falsepositives:
|
||||
- Legitimate administration
|
||||
- Legitimate administration
|
||||
level: high
|
||||
tags:
|
||||
- attack.defense_evasion
|
||||
- attack.t1562.004
|
||||
- attack.defense_evasion
|
||||
- attack.t1562.004
|
||||
|
||||
@@ -7,18 +7,18 @@ references:
|
||||
- https://twitter.com/mattifestation/status/735261176745988096
|
||||
- https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120
|
||||
date: 2018/08/17
|
||||
modified: 2021/11/27
|
||||
modified: 2022/09/02
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
detection:
|
||||
selection1:
|
||||
CommandLine|contains: 'System.Management.Automation.AmsiUtils'
|
||||
selection2:
|
||||
CommandLine|contains: 'amsiInitFailed'
|
||||
condition: all of selection*
|
||||
selection:
|
||||
CommandLine|contains:
|
||||
- 'System.Management.Automation.AmsiUtils'
|
||||
- 'amsiInitFailed'
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- Potential Admin Activity
|
||||
- Unlikely
|
||||
level: high
|
||||
tags:
|
||||
- attack.defense_evasion
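Review bot: Merging `selection1` and `selection2` into one `CommandLine|contains` list changes the logic from AND (`all of selection*`) to OR: a command line that only references `System.Management.Automation.AmsiUtils`, with no `amsiInitFailed`, now fires at `level: high`, whereas before both strings were required. That is a real broadening, and the falsepositives entry was changed from "Potential Admin Activity" to "Unlikely" at the same time, which points in the opposite direction. If the OR is intended, a comment on the selection explaining that either string alone is considered sufficient would document the decision; if not, keeping the two selections and `condition: all of selection*` preserves the original precision.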
|
||||
|
||||
@@ -12,7 +12,7 @@ logsource:
|
||||
product: windows
|
||||
detection:
|
||||
selection:
|
||||
Image|endswith: \cmd.exe
|
||||
Image|endswith: '\cmd.exe'
|
||||
CommandLine|contains|all:
|
||||
- '> '
|
||||
- ':'
|
||||
|
||||
@@ -0,0 +1,31 @@
|
||||
title: Add SafeBoot Keys Via Reg Utility
|
||||
id: d7662ff6-9e97-4596-a61d-9839e32dee8d
|
||||
related:
|
||||
- id: fc0e89b5-adb0-43c1-b749-c12a10ec37de
|
||||
type: similar
|
||||
status: experimental
|
||||
description: Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not
|
||||
references:
|
||||
- https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/
|
||||
author: Nasreddine Bencherchali
|
||||
date: 2022/09/02
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
detection:
|
||||
selection_img:
|
||||
- Image|endswith: 'reg.exe'
|
||||
- OriginalFileName: 'reg.exe'
|
||||
selection_safeboot:
|
||||
CommandLine|contains: '\SYSTEM\CurrentControlSet\Control\SafeBoot'
|
||||
selection_flag:
|
||||
CommandLine|contains:
|
||||
- ' copy '
|
||||
- ' add '
|
||||
condition: all of selection*
|
||||
falsepositives:
|
||||
- Unlikely
|
||||
level: high
|
||||
tags:
|
||||
- attack.defense_evasion
|
||||
- attack.t1562.001
|
||||
@@ -13,7 +13,7 @@ logsource:
|
||||
product: windows
|
||||
detection:
|
||||
selection:
|
||||
Image|endswith: \reg.exe
|
||||
Image|endswith: '\reg.exe'
|
||||
CommandLine|contains:
|
||||
- 'SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'
|
||||
- 'SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths'
|
||||
|
||||
@@ -12,7 +12,7 @@ logsource:
|
||||
product: windows
|
||||
detection:
|
||||
selection_reg:
|
||||
Image|endswith: \reg.exe
|
||||
Image|endswith: '\reg.exe'
|
||||
CommandLine|contains:
|
||||
- 'SOFTWARE\Microsoft\Windows Defender\'
|
||||
- 'SOFTWARE\Policies\Microsoft\Windows Defender\'
|
||||
|
||||
@@ -1,5 +1,8 @@
|
||||
title: Delete SafeBoot Keys Via Reg Utility
|
||||
id: fc0e89b5-adb0-43c1-b749-c12a10ec37de
|
||||
related:
|
||||
- id: d7662ff6-9e97-4596-a61d-9839e32dee8d
|
||||
type: similar
|
||||
status: experimental
|
||||
description: Detects execution of "reg.exe" commands with the "delete" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products
|
||||
references:
|
||||
|
||||
@@ -12,7 +12,7 @@ logsource:
|
||||
product: windows
|
||||
detection:
|
||||
selection:
|
||||
Image|endswith: \reg.exe
|
||||
Image|endswith: '\reg.exe'
|
||||
CommandLine|contains: 'SYSTEM\CurrentControlSet\Control\Lsa'
|
||||
CommandLine|contains|all:
|
||||
- ' add '
|
||||
|
||||
@@ -15,7 +15,7 @@ logsource:
|
||||
product: windows
|
||||
detection:
|
||||
selection:
|
||||
Image|endswith: \reg.exe
|
||||
Image|endswith: '\reg.exe'
|
||||
CommandLine|contains|all:
|
||||
- 'add '
|
||||
- 'SYSTEM\CurrentControlSet\Services\'
|
||||
|
||||
@@ -14,7 +14,7 @@ detection:
|
||||
Image|endswith: '\rundll32.exe'
|
||||
ParentImage|endswith: '\explorer.exe'
|
||||
filter:
|
||||
CommandLine|contains: '\shell32.dll,OpenAs_RunDLL'
|
||||
CommandLine|contains: '\shell32.dll,OpenAs_RunDLL'
|
||||
condition: selection and not filter
|
||||
fields:
|
||||
- Image
|
||||
@@ -23,4 +23,4 @@ falsepositives:
|
||||
- Unknown
|
||||
level: medium
|
||||
tags:
|
||||
- attack.defense_evasion
|
||||
- attack.defense_evasion
|
||||
|
||||
+1
-1
@@ -12,7 +12,7 @@ logsource:
|
||||
product: windows
|
||||
detection:
|
||||
selection:
|
||||
Image|endswith: \rundll32.exe
|
||||
Image|endswith: '\rundll32.exe'
|
||||
CommandLine|contains:
|
||||
- '-sta '
|
||||
- '-localserver '
|
||||
|
||||
@@ -4,7 +4,7 @@ description: Detects a windows service to be stopped
|
||||
status: experimental
|
||||
author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali
|
||||
date: 2019/10/23
|
||||
modified: 2022/08/22
|
||||
modified: 2022/09/01
|
||||
tags:
|
||||
- attack.impact
|
||||
- attack.t1489
|
||||
@@ -22,7 +22,7 @@ detection:
|
||||
- '\net.exe'
|
||||
- '\net1.exe'
|
||||
selection_sc_net_cli:
|
||||
CommandLine|contains: 'stop'
|
||||
CommandLine|contains: ' stop '
|
||||
selection_pwsh:
|
||||
Image|endswith:
|
||||
- '\powershell.exe'
|
||||
|
||||
@@ -13,8 +13,8 @@ logsource:
|
||||
product: windows
|
||||
detection:
|
||||
selection:
|
||||
Image|endswith: \python.exe
|
||||
CommandLine|contains: adidnsdump
|
||||
Image|endswith: '\python.exe'
|
||||
CommandLine|contains: 'adidnsdump'
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- Unknown
|
||||
|
||||
@@ -13,7 +13,7 @@ logsource:
|
||||
product: windows
|
||||
detection:
|
||||
selection:
|
||||
Image|endswith: \cipher.exe
|
||||
Image|endswith: '\cipher.exe'
|
||||
CommandLine|contains: ' /w:'
|
||||
condition: selection
|
||||
falsepositives:
|
||||
|
||||
@@ -0,0 +1,36 @@
|
||||
title: Suspicious CLSID Folder Name In Suspicious Locations
|
||||
id: 90b63c33-2b97-4631-a011-ceb0f47b77c3
|
||||
status: experimental
|
||||
description: Detects usage of a CLSID folder name located in a suspicious location from the commandline as seen being used in IcedID
|
||||
author: Nasreddine Bencherchali
|
||||
references:
|
||||
- https://twitter.com/Kostastsale/status/1565257924204986369
|
||||
date: 2022/09/01
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
detection:
|
||||
# Uncomment this section and remove the filter if you want the rule to be more specific to processes
|
||||
#selection_img:
|
||||
# Image|endswith:
|
||||
# - '\rundll32.exe'
|
||||
selection_folder:
|
||||
CommandLine|contains:
|
||||
# Add more suspicious or unexpected paths
|
||||
- '\AppData\Roaming\'
|
||||
- '\AppData\Local\Temp\' # This could generate some FP with some installers creating folders with CLSID
|
||||
selection_clsid:
|
||||
CommandLine|contains|all:
|
||||
- '\{'
|
||||
- '}\'
|
||||
filter:
|
||||
Image|contains|all:
|
||||
- '\{'
|
||||
- '}\'
|
||||
condition: all of selection_* and not filter
|
||||
falsepositives:
|
||||
- Some FP is expected with some installers
|
||||
level: medium
|
||||
tags:
|
||||
- attack.defense_evasion
|
||||
- attack.t1027
|
||||
@@ -11,7 +11,7 @@ logsource:
|
||||
product: windows
|
||||
detection:
|
||||
selection:
|
||||
Image|endswith: \cscript.exe
|
||||
Image|endswith: '\cscript.exe'
|
||||
CommandLine|contains: '.vbs'
|
||||
condition: selection
|
||||
falsepositives:
|
||||
|
||||
@@ -12,9 +12,9 @@ logsource:
|
||||
product: windows
|
||||
detection:
|
||||
selection:
|
||||
Image|endswith: \explorer.exe
|
||||
ParentImage|endswith: \cmd.exe
|
||||
CommandLine|contains: explorer.exe
|
||||
Image|endswith: '\explorer.exe'
|
||||
ParentImage|endswith: '\cmd.exe'
|
||||
CommandLine|contains: 'explorer.exe'
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- Legitimate explorer.exe run from cmd.exe
|
||||
|
||||
@@ -11,7 +11,7 @@ logsource:
|
||||
product: windows
|
||||
detection:
|
||||
selection:
|
||||
Image|endswith: \findstr.exe
|
||||
Image|endswith: '\findstr.exe'
|
||||
CommandLine|contains: ' 385201'
|
||||
condition: selection
|
||||
falsepositives:
|
||||
|
||||
@@ -12,7 +12,7 @@ logsource:
|
||||
product: windows
|
||||
detection:
|
||||
selection:
|
||||
Image|endswith: \HOSTNAME.EXE
|
||||
Image|endswith: '\HOSTNAME.EXE'
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- Unknown
|
||||
|
||||
@@ -13,8 +13,8 @@ logsource:
|
||||
product: windows
|
||||
detection:
|
||||
selection:
|
||||
Image|endswith: \InstallUtil.exe
|
||||
Image|contains: Microsoft.NET\Framework
|
||||
Image|endswith: '\InstallUtil.exe'
|
||||
Image|contains: 'Microsoft.NET\Framework'
|
||||
CommandLine|contains|all:
|
||||
- '/logfile= '
|
||||
- '/LogToConsole=false'
|
||||
|
||||
@@ -11,7 +11,7 @@ logsource:
|
||||
product: windows
|
||||
detection:
|
||||
selection:
|
||||
Image|endswith: \reg.exe
|
||||
Image|endswith: '\reg.exe'
|
||||
CommandLine|contains|all:
|
||||
- 'SOFTWARE\Microsoft\Cryptography'
|
||||
- '/v '
|
||||
|
||||
@@ -7,7 +7,7 @@ references:
|
||||
- https://twitter.com/cyb3rops/status/1562072617552678912
|
||||
- https://ss64.com/nt/cmd.html
|
||||
date: 2022/08/23
|
||||
modified: 2022/08/28
|
||||
modified: 2022/08/31
|
||||
tags:
|
||||
- attack.execution
|
||||
- attack.t1059.001
|
||||
@@ -50,6 +50,7 @@ detection:
|
||||
filter_falsepositives:
|
||||
- CommandLine|contains: 'AppData\Local\Programs\Microsoft VS Code\resources\app\node_modules'
|
||||
- CommandLine|endswith: 'cmd.exe/c .'
|
||||
- CommandLine: 'cmd.exe /c'
|
||||
condition: 1 of selection* and not 1 of filter*
|
||||
falsepositives:
|
||||
- Unknown
|
||||
|
||||
@@ -0,0 +1,34 @@
|
||||
title: Suspicious Net Use Command Combo
|
||||
id: f0507c0f-a3a2-40f5-acc6-7f543c334993
|
||||
status: experimental
|
||||
description: Detects net use command combo which executes files from WebDAV server; seen in malicious LNK files
|
||||
author: pH-T
|
||||
references:
|
||||
- https://twitter.com/ShadowChasing1/status/1552595370961944576
|
||||
- https://www.virustotal.com/gui/file/a63376ee1dba76361df73338928e528ca5b20171ea74c24581605366dcaa0104/behavior
|
||||
date: 2022/09/01
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
detection:
|
||||
image:
|
||||
Image|contains: '\cmd.exe'
|
||||
selection_base:
|
||||
CommandLine|contains|all:
|
||||
- ' net use http'
|
||||
- '& start /b '
|
||||
- '\DavWWWRoot\'
|
||||
selection_ext:
|
||||
CommandLine|contains:
|
||||
- '.exe '
|
||||
- '.dll '
|
||||
- '.bat '
|
||||
- '.vbs '
|
||||
- '.ps1 '
|
||||
condition: image and all of selection*
|
||||
falsepositives:
|
||||
- Unknown
|
||||
level: high
|
||||
tags:
|
||||
- attack.execution
|
||||
- attack.t1059.001
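Review bot: Every `selection_ext` term carries a trailing space (`'.exe '`, `'.dll '`, ...), so the rule does not fire when the executed file path is the last token of the command line or is followed by a closing quote rather than a space, which is plausible for a `start /b ...\DavWWWRoot\file.exe` tail; I cannot tell from the hunk whether that case was considered. A comment on `selection_ext` stating the assumption, or additional variants without the trailing space, would close or at least document the gap. Two smaller points: the first selection is named `image` while the rest of this commit uses `selection_img`, and `Image|contains: '\cmd.exe'` is looser than the `Image|endswith: '\cmd.exe'` form used elsewhere.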
|
||||
@@ -1,11 +1,13 @@
|
||||
title: PowerShell Web Download and Execution
|
||||
id: 85b0b087-eddf-4a2b-b033-d771fa2b9775
|
||||
status: experimental
|
||||
description: Detects suspicious ways to download files or content using PowerShell
|
||||
description: Detects suspicious ways to download files or content and execute them using PowerShell
|
||||
author: Florian Roth
|
||||
date: 2022/03/24
|
||||
modified: 2022/09/02
|
||||
tags:
|
||||
- attack.t1546.013
|
||||
- attack.execution
|
||||
- attack.t1059
|
||||
references:
|
||||
- https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd
|
||||
logsource:
|
||||
@@ -16,6 +18,7 @@ detection:
|
||||
CommandLine|contains:
|
||||
- '.DownloadString('
|
||||
- '.DownloadFile('
|
||||
- 'Invoke-WebRequest '
|
||||
execution:
|
||||
CommandLine|contains:
|
||||
- 'IEX('
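Review bot: The new `execution:` key splits the IEX strings into their own selection, but the `condition` that should now reference it is outside both hunks of this file, so it is worth confirming it was updated to AND the download and execution selections; a defined-but-unreferenced selection would silently do nothing. The layout of the old side suggests the previous file had two `CommandLine|contains:` entries in a row; if those were under the same selection that was a duplicate YAML key with last-wins semantics, which this change fixes, and the `modified` date bump reflects that. The `'| IEX'` / `'|IEX '` pair in the next hunk looks fine.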
|
||||
@@ -23,7 +26,7 @@ detection:
|
||||
- 'I`EX'
|
||||
- 'IE`X'
|
||||
- 'I`E`X'
|
||||
- ' | IEX'
|
||||
- '| IEX'
|
||||
- '|IEX '
|
||||
- 'Invoke-Execution'
|
||||
- ';iex $'
|
||||
|
||||
@@ -13,13 +13,13 @@ logsource:
|
||||
product: windows
|
||||
detection:
|
||||
selection:
|
||||
Image|endswith: \print.exe
|
||||
CommandLine|startswith: print
|
||||
Image|endswith: '\print.exe'
|
||||
CommandLine|startswith: 'print'
|
||||
CommandLine|contains|all:
|
||||
- /D
|
||||
- .exe
|
||||
- '/D'
|
||||
- '.exe'
|
||||
filter_print:
|
||||
CommandLine|contains: print.exe
|
||||
CommandLine|contains: 'print.exe'
|
||||
condition: selection and not filter_print
|
||||
falsepositives:
|
||||
- Unknown
|
||||
|
||||
@@ -12,7 +12,7 @@ logsource:
|
||||
product: windows
|
||||
detection:
|
||||
selection:
|
||||
Image|endswith: rasdial.exe
|
||||
Image|endswith: 'rasdial.exe'
|
||||
condition: selection
|
||||
falsepositives:
|
||||
- False positives depend on scripts and administrative tools used in the monitored environment
|
||||
|
||||
@@ -13,8 +13,8 @@ logsource:
|
||||
product: windows
|
||||
detection:
|
||||
selection_reg:
|
||||
- Image|endswith: \reg.exe
|
||||
- OriginalFileName: reg.exe
|
||||
- Image|endswith: '\reg.exe'
|
||||
- OriginalFileName: 'reg.exe'
|
||||
selection_path:
|
||||
CommandLine|contains:
|
||||
- '\Software\AppDataLow\Software\Microsoft\'
|
||||
|
||||
@@ -11,7 +11,7 @@ references:
|
||||
- https://twitter.com/eral4m/status/1479106975967240209 # scrobj.dll,GenerateTypeLib
|
||||
- https://twitter.com/eral4m/status/1479080793003671557 # shimgvw.dll,ImageView_Fullscreen
|
||||
date: 2019/01/16
|
||||
modified: 2022/08/19
|
||||
modified: 2022/08/30
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
@@ -84,7 +84,10 @@ detection:
|
||||
- 'http'
|
||||
filter:
|
||||
CommandLine|contains: 'shell32.dll,Control_RunDLL desk.cpl,screensaver,@screensaver'
|
||||
condition: selection and not filter
|
||||
filter_parent: # Settings
|
||||
ParentImage: 'C:\Windows\System32\control.exe'
|
||||
ParentCommandLine|contains: '.cpl'
|
||||
condition: selection and not 1 of filter*
|
||||
falsepositives:
|
||||
- False positives depend on scripts and administrative tools used in the monitored environment
|
||||
level: medium
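Review bot: `ParentImage: 'C:\Windows\System32\control.exe'` in the new `filter_parent` is an exact full-path match, so a Windows install on another drive or with a non-default `%SystemRoot%` will not be filtered, while every other image check in this file and in the commit uses `|endswith`. `ParentImage|endswith: '\control.exe'` keeps the exclusion working across installs. The `# Settings` comment on the filter name is terse; something like `# Control Panel applets launched from Settings` would tell the reader what false positive it covers.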
|
||||
|
||||
@@ -2,28 +2,31 @@ title: Disable Important Scheduled Task
|
||||
id: 9ac94dc8-9042-493c-ba45-3b5e7c86b980
|
||||
status: experimental
|
||||
description: Adversaries may stop services or processes in order to conduct Data Destruction or Data Encrypted for Impact on the data stores of services like Exchange, SQL Server...etc.
|
||||
author: frack113
|
||||
author: frack113, Nasreddine Bencherchali
|
||||
references:
|
||||
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task
|
||||
- https://twitter.com/MichalKoczwara/status/1553634816016498688
|
||||
- https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/
|
||||
date: 2021/12/26
|
||||
modified: 2022/08/01
|
||||
modified: 2022/09/02
|
||||
logsource:
|
||||
category: process_creation
|
||||
product: windows
|
||||
detection:
|
||||
schtasks_exe:
|
||||
Image|endswith: \schtasks.exe
|
||||
Image|endswith: '\schtasks.exe'
|
||||
CommandLine|contains|all:
|
||||
- /Change
|
||||
- /TN
|
||||
- /disable
|
||||
- '/Change'
|
||||
- '/TN'
|
||||
- '/disable'
|
||||
#split to add other
|
||||
CommandLine|contains:
|
||||
- 'Microsoft\Windows\SystemRestore\SR'
|
||||
- 'Microsoft\Windows\Windows Defender\'
|
||||
- 'Microsoft\Windows\BitLocker'
|
||||
- 'Microsoft\Windows\WindowsBackup\'
|
||||
- 'Microsoft\Windows\WindowsUpdate\'
|
||||
- 'Microsoft\Windows\UpdateOrchestrator\'
|
||||
- 'Windows\ExploitGuard'
|
||||
condition: all of schtasks_*
|
||||
falsepositives:
|
||||
|
||||
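--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,34 @@
+title: Suspicious Schtasks Schedule Type
+id: 7a02e22e-b885-4404-b38b-1ddc7e65258a
+description: Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type
+status: experimental
+references:
+- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change
+- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create
+tags:
+- attack.execution
+- attack.t1053.005
+author: Nasreddine Bencherchali
+date: 2022/08/31
+logsource:
+product: windows
+category: process_creation
+detection:
+selection_img:
+- Image|endswith: '\schtasks.exe'
+- OriginalFileName: 'schtasks.exe'
+selection_time:
+CommandLine|contains:
+- ' ONLOGON '
+- ' ONSTART '
+- ' ONCE '
+- ' ONIDLE '
+selection_privs:
+CommandLine|contains:
+- 'NT AUT' # This covers the usual NT AUTHORITY\SYSTEM
+- ' SYSTEM' # SYSTEM is a valid value for schtasks hence it gets it's own value with space
+- 'HIGHEST'
+condition: all of selection_*
+falsepositives:
+- Unknown
+level: high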
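Review bot: The inline comment on `' SYSTEM'` in `selection_privs` reads "gets it's own value" and does not say what the leading space is for; suggest `# 'SYSTEM' alone is a valid /RU value; the leading space is presumably there to keep it from matching 'SYSTEM' inside longer tokens` so the next maintainer does not drop the space. `level: high` combined with `falsepositives: - Unknown` is a strong claim for a rule that fires on any high-privilege task scheduled ONLOGON/ONSTART/ONCE/ONIDLE; if installers or management agents in the monitored fleet are known to create such tasks, naming them under `falsepositives` would help triage.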
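--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,319 @@
+title: Suspicious Stop Windows Service
+id: ce72ef99-22f1-43d4-8695-419dcb5d9330
+related:
+- id: eb87818d-db5d-49cc-a987-d5da331fbd90
+type: derived
+description: Detects the usage of one of the the commands to stop services such as 'net', 'sc'...etc in order to stop critical or important windows services such as AV, Backup...etc. As seen being used in some ransomware scripts
+status: experimental
+author: Nasreddine Bencherchali
+references:
+- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg
+- https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html
+date: 2022/09/01
+tags:
+- attack.defense_evasion
+- attack.t1489
+logsource:
+category: process_creation
+product: windows
+detection:
+selection_sc_net_img:
+- OriginalFileName:
+- 'sc.exe'
+- 'net.exe'
+- 'net1.exe'
+- Image|endswith:
+- '\sc.exe'
+- '\net.exe'
+- '\net1.exe'
+selection_sc_net_cli:
+CommandLine|contains: ' stop '
+selection_pwsh:
+Image|endswith:
+- '\powershell.exe'
+- '\pwsh.exe'
+CommandLine|contains: 'Stop-Service '
+services:
+CommandLine|contains:
+- 'VSS'
+- 'HealthTLService'
+- 'ThreatLockerService'
+- '"Veritas System Recovery"'
+- 'EPlntegrationService'
+- 'EPRedline'
+- '"Client Agent 7.60"'
+- 'SQLAgent$SVSTEM_BGC'
+- '"Sophos Device Control Service"'
+- '"Zoolz 2 Service"'
+- '"Sophos AutoUpdate Service"'
+- '"Sophos System Protection Service"'
+- 'POVFSService'
+- 'MSSQLFDLauncherSTPSAMA'
+- '"Symantec System Recovery"'
+- 'Antivirus'
+- '"Sophos Health Service"'
+- 'MSSQLFDLauncherSTPS'
+- 'AcrSch2Svc'
+- 'MSSQLSSVSTEM_BGC'
+- 'MSSQLFDLauncherSPROFXENGAGEMENT'
+- 'SQLAgentSTPS'
+- '"Sophos Message Router"'
+- 'MSSQLFDLauncher$S8SMONITORING'
+- 'MySQL80'
+- 'MSSQLSECWDB2'
+- 'MSSQLWEEAMSQL2008R2'
+- '"Sophos Clean Service"'
+- '"Sophos Web Control Service"'
+- 'EhttpSry'
+- 'MSOLAPSTPSAMA'
+- '"Veeam Backup Catalog Data Service"'
+- 'MSSQLSSBSMONITORIMG'
+- 'AcronisAgent'
+- 'MySQLS7'
+- 'UTODetect'
+- 'MSSQLFOLauncherSSVSTEM_BGC'
+- 'MSSQLSBKUPEXEC'
+- 'SQLAgentSPRACTTICEBGC'
+- '"Sophos MCS Client"'
+- 'BackupExeclobEngine'
+- 'SQLAgentSVEEAMSQL2008R2'
+- '143Svc'
+- '"SQLsafe Backup Service"'
+- 'SQLAgentSCXDB'
+- '"Sophos Safestore Service"'
+- 'svcienericHost'
+- 'MSSQLSTPSAMA'
+- 'SQLAgentSCITRIX_METAFRAME'
+- 'WeanClOudSve'
+- '"Sophos File Scanner Service"'
+- '"Sophos Agent"'
+- 'M8EndpointAgent'
+- 'mSSQLSFRACTICEMGT'
+- 'SQLAgentSTPSAMA'
+- 'McAfeeframework'
+- '"Enterprise Client Service"'
+- 'SQLAgentSSBSMONITORING'
+- 'MSSQLSVEEAMSQL2012'
+- 'SQ1SafeOLRService'
+- 'VeeamEnterpriseHanagerSvc'
+- 'SQLAgentSSQL EXPRESS'
+- 'MSSQ!I.SPROFXENGAGEMEHT'
+- 'IMANSVC'
+- 'ARSM'
+- 'MSSQLFOLavocher'
+- 'MSExchangeMIA'
+- 'TruekeyScheduler'
+- 'MSSQ0SOPHOS'
+- '"SQL Backups"'
+- 'MSSQLSTPS'
+- 'Weems JY'
+- 'MSSQ0SHAREPOINT'
+- 'mfevto'
+- 'msftesq1SPROO'
+- 'wozyprobackup'
+- 'MSSQLSSQL_2008'
+- 'MSSQLSSQLEXPRESS'
+- 'MSSQLSPRACTTICEBGE'
+- 'VeeamRISTSvc'
+- 'HMS'
+- '"Sophos MCS Agent"'
+- '"Acronis VSS Provider"'
+- 'MSSQLSVIEAMSQL2008112'
+- 'HISSQLFDLauncherSSHAREPOINIT'
+- '"SQLsafe Filter Service"'
+- 'MSSQLSPROO'
+- 'SQLAgentSPROO'
+- 'MSOLAPSTPS'
+- 'VeemaDep/oySvc'
+- '"SQL Server (MSSQLSERVER)"'
+- '"SQL Server (SQLEXPRESS)'
+- 'BackupExecAgentAccelerator'
+- 'McAfeeEngineService'
+- 'BackupExecAgentBrowser'
+- 'McAfeeFramework'
+- 'BackupExecDeviceMediaService'
+- 'McAfeeFrameworkMcAfeeFramework'
+- 'BackupExecJobEngine'
+- 'McTaskManager'
+- 'BackupExecManagementService'
+- 'mfemms'
+- 'BackupExecRPCService'
+- 'mfevtp'
+- 'BackupExecVSSProvider'
+- 'MMS'
+- 'bedbg'
+- 'mozyprobackup'
+- 'DCAgent'
+- 'MsDtsServer'
+- 'MsDtsServer100'
+- 'MsDtsServer110'
+- 'EraserSvc11710'
+- 'MSExchangeES'
+- 'EsgShKernel'
+- 'MSExchangeIS'
+- 'FA_Scheduler'
+- 'MSExchangeMGMT'
+- 'IISAdmin'
+- 'MSExchangeMTA'
+- 'IMAP4Svc'
+- 'MSExchangeSA'
+- 'macmnsvc'
+- 'MSExchangeSRS'
+- 'masvc'
+- 'MSOLAP$SQL_2008'
+- 'MBAMService'
+- 'MSOLAP$SYSTEM_BGC'
+- 'MBEndpointAgent'
+- 'MSOLAP$TPS'
+- 'McShield'
+- 'MSSQLSERVER'
+- 'MSSQL$ECWDB2'
+- 'MSSQLServerADHelper100'
+- 'MSSQL$PRACTICEMGT'
+- 'MSSQLServerOLAPService'
+- 'MSSQL$PRACTTICEBGC'
+- 'MySQL57'
+- 'MSSQL$PROFXENGAGEMENT'
+- 'ntrtscan'
+- 'MSSQL$SBSMONITORING'
+- 'OracleClientCache80'
+- 'MSSQL$SHAREPOINT'
+- 'PDVFSService'
+- 'MSSQL$SQL_2008'
+- 'POP3Svc'
+- 'MSSQL$SYSTEM_BGC'
+- 'ReportServer'
+- 'MSSQL$TPS'
+- 'ReportServer$SQL_2008'
+- 'MSSQL$TPSAMA'
+- 'ReportServer$SYSTEM_BGC'
+- 'ReportServer$TPS'
+- 'MSSQL$VEEAMSQL2012'
+- 'ReportServer$TPSAMA'
+- 'MSSQLFDLauncher'
+- 'RESvc'
+- 'MSSQLFDLauncher$PROFXENGAGEMENT'
+- 'sacsvr'
+- 'MSSQLFDLauncher$SBSMONITORING'
+- 'MSSQLFDLauncher$SHAREPOINT'
+- 'SamSs'
+- 'MSSQLFDLauncher$SQL_2008'
+- 'SAVAdminService'
+- 'MSSQLFDLauncher$SYSTEM_BGC'
+- 'SAVService'
+- 'MSOLAP$TPSAMA'
+- 'MSSQLFDLauncher$TPS'
+- 'MSSQL$BKUPEXEC'
+- 'MSSQLFDLauncher$TPSAMA'
+- 'Smcinst'
+- 'SQLTELEMETRY$ECWDB2'
+- 'SmcService'
+- 'SQLWriter'
+- 'SMTPSvc'
+- 'SstpSvc'
+- 'SNAC'
+- 'svcGenericHost'
+- 'SntpService'
+- 'swi_filter'
+- 'sophossps'
+- 'swi_service'
+- 'SQLAgent$BKUPEXEC'
+- 'swi_update_64'
+- 'SQLAgent$ECWDB2'
+- 'TmCCSF'
+- 'SQLAgent$PRACTTICEBGC'
+- 'tmlisten'
+- 'SQLAgent$PRACTTICEMGT'
+- 'TrueKey'
+- 'SQLAgent$PROFXENGAGEMENT'
+- 'TrueKeyScheduler'
+- 'SQLAgent$SBSMONITORING'
+- 'TrueKeyServiceHelper'
+- 'SQLAgent$SHAREPOINT'
+- 'SQLAgent$SQL_2008'
+- 'UI0Detect'
+- 'SQLAgent$SYSTEM_BGC'
+- 'SQLAgent$TPS'
+- 'VeeamBackupSvc'
+- 'SQLAgent$TPSAMA'
+- 'VeeamBrokerSvc'
+- 'SQLAgent$VEEAMSQL2012'
+- 'VeeamCatalogSvc'
+- 'SQLBrowser'
+- 'VeeamCloudSvc'
+- 'SDRSVC'
+- 'SQLSafeOLRService'
+- 'SepMasterService'
+- 'SQLSERVERAGENT'
+- 'ShMonitor'
+- 'SQLTELEMETRY'
+- 'VeeamDeploymentService'
+- 'NetMsmqActivator'
+- 'VeeamDeploySvc'
+- 'EhttpSrv'
+- 'VeeamEnterpriseManagerSvc'
+- 'ekrn'
+- 'VeeamMountSvc'
+- 'ESHASRV'
+- 'VeeamNFSSvc'
+- 'MSSQL$SOPHOS'
+- 'VeeamRESTSvc'
+- 'SQLAgent$SOPHOS'
+- 'VeeamTransportSvc'
+- 'AVP'
+- 'W3Svc'
+- 'klnagent'
+- 'MSSQL$SQLEXPRESS'
+- 'WRSVC'
+- 'SQLAgent$SQLEXPRESS'
+- 'wbengine'
+- 'MSSQL$VEEAMSQL2008R2'
+- 'kavfsslp'
+- 'SQLAgent$VEEAMSQL2008R2'
+- 'VeeamHvIntegrationSvc'
+- 'KAVFSGT'
+- 'swi_update'
+- 'KAVFS'
+- 'SQLAgent$CXDB'
+- 'mfefire'
+- 'SQLAgent$CITRIX_METAFRAME'
+- '“SQL Backups”'
+- '“avast! Antivirus”'
+- 'MSSQL$PROD'
+- 'aswBcc'
+- '“Zoolz 2 Service”'
+- '“Avast Business Console Client Antivirus Service”'
+- 'MSSQLServerADHelper'
+- 'mfewc'
+- 'SQLAgent$PROD'
+- 'Telemetryserver'
+- 'msftesql$PROD'
+- 'WdNisSvc'
+- 'WinDefend'
+- 'MCAFEETOMCATSRV530'
+- 'MCAFEEEVENTPARSERSRV'
+- 'MSSQLFDLauncher$ITRIS'
+- 'MSSQL$EPOSERVER'
+- 'MSSQL$ITRIS'
+- 'SQLAgent$EPOSERVER'
+- 'SQLAgent$ITRIS'
+- 'SQLTELEMETRY$ITRIS'
+- 'SentinelHelperService'
+- 'MsDtsServer130'
+- 'LogProcessorService'
+- 'SSISTELEMETRY130'
+- 'EPUpdateService'
+- 'MSSQLLaunchpad$ITRIS'
+- 'TmPfw'
+- 'BITS'
+- 'SentinelAgent'
+- 'BrokerInfrastructure'
+- 'EPProtectedService'
+- 'epag'
+- 'epredline'
+- 'EPIntegrationService'
+- 'EPSecurityService'
+condition: services and (all of selection_sc_net* or selection_pwsh)
+falsepositives:
+- Administrator or tools shutting down the services due to upgrade or removal purposes. If you experience some FP please consider adding filters to the parent process launching this command and not removing the entry
+level: high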
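Review bot: A run of entries near the top of the `services` list looks like it was transcribed from the screenshot in the first reference and carries transcription errors that cannot match a real service name, e.g. `'EPlntegrationService'`, `'SQLAgent$SVSTEM_BGC'`, `'EhttpSry'`, `'UTODetect'`, `'svcienericHost'`, `'VeemaDep/oySvc'`, `'MSSQ!I.SPROFXENGAGEMEHT'`, `'Weems JY'`; their correctly spelled counterparts (`'EPIntegrationService'`, `'EhttpSrv'`, `'UI0Detect'`, `'svcGenericHost'`, `'VeeamDeploySvc'`, `'VeeamEnterpriseManagerSvc'`, `'SQLSafeOLRService'`) already appear further down, so the garbled ones only add noise and should be dropped. `'"SQL Server (SQLEXPRESS)'` is missing its closing double quote and should read `- '"SQL Server (SQLEXPRESS)"'`; the curly-quote entries `'“SQL Backups”'` and `'“Zoolz 2 Service”'` duplicate straight-quote entries above them and would only match a command line that itself contains typographic quotes. Separately, `contains` with very short tokens such as `'VSS'`, `'BITS'`, `'MMS'`, `'HMS'` and `'AVP'` will presumably match far more than the intended services on any ` stop ` command line, which is worth weighing against `level: high` or calling out in `falsepositives`.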
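--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,27 @@
+title: Suspicious Usage Of ShellExec_rundll
+id: d87bd452-6da1-456e-8155-7dc988157b7d
+description: Detects suspicious usage of the ShellExec_rundll function to launch other commands as seen in the the raspberry-robin attack
+status: experimental
+references:
+- https://redcanary.com/blog/raspberry-robin/
+author: Nasreddine Bencherchali
+date: 2022/09/01
+logsource:
+category: process_creation
+product: windows
+detection:
+selection_openasrundll:
+CommandLine|contains: ',ShellExec_rundll'
+selection_suspcli:
+CommandLine|contains:
+# Add more LOLBINs and Susp Paths
+- 'regsvr32'
+- 'C:\Users\Public\'
+- 'odbcconf'
+- '\Desktop\'
+condition: all of selection_*
+falsepositives:
+- Unknown
+level: medium
+tags:
+- attack.defense_evasion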
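Review bot: `selection_openasrundll` is named after a different export than the one it matches (`,ShellExec_rundll`); renaming it `selection_shellexec` keeps the selection name and `condition: all of selection_*` readable. The description has a doubled word ("the the") and writes the campaign as "raspberry-robin" where the referenced Red Canary post uses "Raspberry Robin". The `# Add more LOLBINs and Susp Paths` comment is an open task; making it `# TODO: extend with further LOLBINs and suspicious paths` keeps it greppable, or drop it if the list is considered complete.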
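--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -12,7 +12,7 @@ logsource:
 product: windows
 detection:
 selection:
-Image|endswith: \shutdown.exe
+Image|endswith: '\shutdown.exe'
 CommandLine|contains:
 - '/r '
 - '/s '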