diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv index 3717f73f1..e29877a27 100644 --- a/.github/workflows/known-FPs.csv +++ b/.github/workflows/known-FPs.csv @@ -35,3 +35,4 @@ a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;target\.exe 349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;target\.exe a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;unzip\.exe 349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;TeamViewer_\.exe +7a02e22e-b885-4404-b38b-1ddc7e65258a;Suspicious Schtasks Schedule Type;TeamViewer_\.exe diff --git a/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml b/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml index 83a17e8da..8512640c3 100644 --- a/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml +++ b/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml @@ -12,7 +12,7 @@ logsource: detection: selection: eventSource: lambda.amazonaws.com - eventName|startswith: UpdateFunctionConfiguration + eventName|startswith: 'UpdateFunctionConfiguration' condition: selection level: medium tags: diff --git a/rules/cloud/azure/azure_dns_zone_modified_or_deleted.yml b/rules/cloud/azure/azure_dns_zone_modified_or_deleted.yml index ba6de103b..c44fe5d39 100644 --- a/rules/cloud/azure/azure_dns_zone_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_dns_zone_modified_or_deleted.yml @@ -12,10 +12,10 @@ logsource: service: activitylogs detection: selection: - operationName|startswith: MICROSOFT.NETWORK/DNSZONES + operationName|startswith: 'MICROSOFT.NETWORK/DNSZONES' operationName|endswith: - - /WRITE - - /DELETE + - '/WRITE' + - '/DELETE' condition: selection falsepositives: - DNS zone modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
diff --git a/rules/cloud/azure/azure_kubernetes_admission_controller.yml b/rules/cloud/azure/azure_kubernetes_admission_controller.yml index 9ea9e0829..c182b52a3 100644 --- a/rules/cloud/azure/azure_kubernetes_admission_controller.yml +++ b/rules/cloud/azure/azure_kubernetes_admission_controller.yml @@ -12,15 +12,15 @@ logsource: service: activitylogs detection: selection1: - operationName|startswith: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO + operationName|startswith: 'MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO' operationName|endswith: - - /MUTATINGWEBHOOKCONFIGURATIONS/WRITE - - /VALIDATINGWEBHOOKCONFIGURATIONS/WRITE + - '/MUTATINGWEBHOOKCONFIGURATIONS/WRITE' + - '/VALIDATINGWEBHOOKCONFIGURATIONS/WRITE' selection2: - operationName|startswith: MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO + operationName|startswith: 'MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO' operationName|endswith: - - /MUTATINGWEBHOOKCONFIGURATIONS/WRITE - - /VALIDATINGWEBHOOKCONFIGURATIONS/WRITE + - '/MUTATINGWEBHOOKCONFIGURATIONS/WRITE' + - '/VALIDATINGWEBHOOKCONFIGURATIONS/WRITE' condition: selection1 or selection2 falsepositives: - Azure Kubernetes Admissions Controller may be done by a system administrator. diff --git a/rules/cloud/azure/azure_kubernetes_cronjob.yml b/rules/cloud/azure/azure_kubernetes_cronjob.yml index 9ad66faa6..9fe793bb7 100644 --- a/rules/cloud/azure/azure_kubernetes_cronjob.yml +++ b/rules/cloud/azure/azure_kubernetes_cronjob.yml 
@@ -15,15 +15,15 @@ logsource: service: activitylogs detection: selection1: - operationName|startswith: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/BATCH + operationName|startswith: 'MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/BATCH' operationName|endswith: - - /CRONJOBS/WRITE - - /JOBS/WRITE + - '/CRONJOBS/WRITE' + - '/JOBS/WRITE' selection2: - operationName|startswith: MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/BATCH + operationName|startswith: 'MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/BATCH' operationName|endswith: - - /CRONJOBS/WRITE - - /JOBS/WRITE + - '/CRONJOBS/WRITE' + - '/JOBS/WRITE' condition: selection1 or selection2 falsepositives: - Azure Kubernetes CronJob/Job may be done by a system administrator. diff --git a/rules/cloud/gcp/gcp_kubernetes_admission_controller.yml b/rules/cloud/gcp/gcp_kubernetes_admission_controller.yml index 9bdabb295..c90eb6aee 100644 --- a/rules/cloud/gcp/gcp_kubernetes_admission_controller.yml +++ b/rules/cloud/gcp/gcp_kubernetes_admission_controller.yml @@ -12,17 +12,17 @@ logsource: service: gcp.audit detection: selection1: - gcp.audit.method_name|startswith: admissionregistration.k8s.io.v*.mutatingwebhookconfigurations. + gcp.audit.method_name|startswith: 'admissionregistration.k8s.io.v*.mutatingwebhookconfigurations.' gcp.audit.method_name|endswith: - - create - - patch - - replace + - 'create' + - 'patch' + - 'replace' selection2: - gcp.audit.method_name|startswith: admissionregistration.k8s.io.v*.validatingwebhookconfigurations. + gcp.audit.method_name|startswith: 'admissionregistration.k8s.io.v*.validatingwebhookconfigurations.' gcp.audit.method_name|endswith: - - create - - patch - - replace + - 'create' + - 'patch' + - 'replace' condition: selection1 or selection2 level: medium tags: diff --git a/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml b/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml index 59b8daad8..b9f7565d5 100644 --- a/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml 
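Review bot: The single quotes added around `'admissionregistration.k8s.io.v*.mutatingwebhookconfigurations.'` (and the validating counterpart) do not make the embedded `v*` literal — in Sigma a `*` inside a quoted value is still a wildcard, so the quoting is cosmetic here and the `startswith` still spans every API version. If that is intended, a short inline comment such as `# '*' is a Sigma wildcard: matches v1, v1beta1, ...` would stop the next reader from assuming the quotes pinned the string. A literal asterisk would have to be escaped as `\*`.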
+++ b/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml @@ -17,7 +17,7 @@ logsource: service: smb_files detection: selection: - path|endswith: IPC$ + path|endswith: 'IPC$' name: spoolss condition: selection falsepositives: diff --git a/rules/windows/builtin/application/win_msi_install_from_susp_locations.yml b/rules/windows/builtin/application/win_msi_install_from_susp_locations.yml new file mode 100644 index 000000000..f6c9b9282 --- /dev/null +++ b/rules/windows/builtin/application/win_msi_install_from_susp_locations.yml @@ -0,0 +1,33 @@ +title: MSI Installation From Suspicious Locations +id: c7c8aa1c-5aff-408e-828b-998e3620b341 +status: experimental +description: Detects MSI package installation from suspicious locations +author: Nasreddine Bencherchali +references: + - https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html +date: 2022/08/31 +logsource: + product: windows + service: application + # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly +detection: + selection: + Provider_Name: 'MsiInstaller' + EventID: + - 1040 + - 1042 + Data|contains: + # Add more suspicious paths + - '\Users\Public\' + - '\PerfLogs\' + - '\Desktop\' + - '\Downloads\' + - '\AppData\Local\Temp\' + - 'C:\Windows\TEMP\' + - '\\\\' + condition: selection +falsepositives: + - Some false positives may occure depending on the environnement +level: high +tags: + - attack.execution diff --git a/rules/windows/builtin/ntlm/win_susp_ntlm_rdp.yml b/rules/windows/builtin/ntlm/win_susp_ntlm_rdp.yml index 658223ac7..54797e52e 100644 --- a/rules/windows/builtin/ntlm/win_susp_ntlm_rdp.yml +++ b/rules/windows/builtin/ntlm/win_susp_ntlm_rdp.yml 
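Review bot: `'\Desktop\'` and `'\Downloads\'` in the new `Data|contains` list are the most common places users legitimately launch vendor MSIs from, so at `level: high` this rule will fire on routine software installs; either lower the level to medium or park those two entries behind a comment until the false-positive picture is known. The `falsepositives` entry also carries two typos — `- Some false positives may occur depending on the environment`. The `'\\\\'` entry is correct Sigma escaping for a UNC prefix but is easy to misread; a comment such as `# UNC path (\\server\share) — installs from network shares` would make the intent explicit.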
@@ -14,7 +14,7 @@ logsource: detection: selection: EventID: 8001 - TargetName|startswith: TERMSRV + TargetName|startswith: 'TERMSRV' condition: selection fields: - Computer diff --git a/rules/windows/builtin/security/win_lolbas_execution_of_nltest.yml b/rules/windows/builtin/security/win_lolbas_execution_of_nltest.yml index c96408c76..3fe554d24 100644 --- a/rules/windows/builtin/security/win_lolbas_execution_of_nltest.yml +++ b/rules/windows/builtin/security/win_lolbas_execution_of_nltest.yml @@ -18,7 +18,7 @@ logsource: detection: selection: EventID: 4689 - ProcessName|endswith: nltest.exe + ProcessName|endswith: 'nltest.exe' Status: '0x0' condition: selection fields: diff --git a/rules/windows/builtin/security/win_rdp_reverse_tunnel.yml b/rules/windows/builtin/security/win_rdp_reverse_tunnel.yml index 4362daa68..5fa8dbec8 100644 --- a/rules/windows/builtin/security/win_rdp_reverse_tunnel.yml +++ b/rules/windows/builtin/security/win_rdp_reverse_tunnel.yml @@ -7,7 +7,7 @@ references: - https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/44fbe85f72ee91582876b49678f9a26292a155fb/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx author: Samir Bousseaden date: 2019/02/16 -modified: 2022/06/29 +modified: 2022/09/02 tags: - attack.defense_evasion - attack.command_and_control @@ -32,6 +32,8 @@ detection: SourceAddress: - '127.*' - '::1' + filter_app_container: + FilterOrigin: 'AppContainer Loopback' filter_thor: # checking BlueKeep vulnerability Application|endswith: - '\thor.exe' diff --git a/rules/windows/builtin/system/win_susp_rtcore64_service_install.yml b/rules/windows/builtin/system/win_susp_rtcore64_service_install.yml new file mode 100644 index 000000000..24c49ef67 --- /dev/null +++ b/rules/windows/builtin/system/win_susp_rtcore64_service_install.yml 
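Review bot: The new `filter_app_container` only takes effect if the rule's `condition` references it, and that line lies outside this hunk — if it still reads `selection and not filter_thor` rather than `selection and not 1 of filter*`, the addition is dead; please confirm. Since this filter drops loopback 5156 events by WFP filter name rather than by the connecting application, a one-line comment above it would help, e.g. `# WFP built-in 'AppContainer Loopback' filter: UWP/AppContainer loopback traffic, not a user-launched tunnel`.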
@@ -0,0 +1,22 @@ +title: RTCore Suspicious Service Installation +id: 91c49341-e2ef-40c0-ac45-49ec5c3fe26c +status: experimental +description: Detects the installation of RTCore service. Which could be an indication of Micro-Star MSI Afterburner vulnerable driver abuse +author: Nasreddine Bencherchali +references: + - https://github.com/br-sn/CheekyBlinder/blob/e1764a8a0e7cda8a3716aefa35799f560686e01c/CheekyBlinder/CheekyBlinder.cpp +date: 2022/08/30 +logsource: + product: windows + service: system +detection: + selection: + Provider_Name: 'Service Control Manager' + EventID: 7045 + ServiceName: 'RTCore64' + condition: selection +falsepositives: + - Unknown +level: high +tags: + - attack.persistence diff --git a/rules/windows/dns_query/dns_query_win_lobas_appinstaller.yml b/rules/windows/dns_query/dns_query_win_lobas_appinstaller.yml index a39bb70fe..bf34c6179 100644 --- a/rules/windows/dns_query/dns_query_win_lobas_appinstaller.yml +++ b/rules/windows/dns_query/dns_query_win_lobas_appinstaller.yml @@ -15,8 +15,8 @@ logsource: category: dns_query detection: selection: - Image|startswith: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_ - Image|endswith: \AppInstaller.exe + Image|startswith: 'C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_' + Image|endswith: '\AppInstaller.exe' condition: selection falsepositives: - Unknown diff --git a/rules/windows/driver_load/driver_load_vuln_drivers.yml b/rules/windows/driver_load/driver_load_vuln_drivers.yml index 01f1a2951..55f55661b 100644 --- a/rules/windows/driver_load/driver_load_vuln_drivers.yml +++ b/rules/windows/driver_load/driver_load_vuln_drivers.yml 
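Review bot: `ServiceName: 'RTCore64'` with `falsepositives: - Unknown` and `level: high` sits uneasily with the description's own framing — RTCore64 is the driver that ships with MSI Afterburner, so a legitimate install of that product will presumably register the same service name and trip this rule on every gaming or overclocking workstation. Either list `MSI Afterburner / RivaTuner Statistics Server installations` under falsepositives and lower the level, or tighten the selection with an `ImagePath` filter for the product's normal install directory (verify the exact path from a clean install before adding it). The only tag is `attack.persistence`; the conventional technique companion for a service installation would be `attack.t1543.003`.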
@@ -7,7 +7,7 @@ references: - https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules date: 2022/08/18 -modified: 2022/08/26 +modified: 2022/09/01 logsource: product: windows category: driver_load @@ -192,6 +192,9 @@ detection: - 'SHA1=aee092fd31772d33932a7a02dd2d73ede67f7db0' - 'SHA1=118f688c30a2f6c2d1feb955f53ce4acf3086b3b' - 'SHA1=4ede7f018c317ddc6a5f8f935f917621668cb1ec' + - 'SHA1=f6f11ad2cd2b0cf95ed42324876bee1d83e01775' + - 'SHA1=10b30bdee43b3a2ec4aa63375577ade650269d25' + - 'SHA1=c948ae14761095e4d76b55d9de86412258be7afd' - 'SHA256=80599708CE61EC5D6DCFC5977208A2A0BE2252820A88D9BA260D8CDF5DC7FBE4' - 'SHA256=9091E044273FF624585235AC885EB2B05DFB12F3022DCF535B178FF1B2E012D1' - 'SHA256=92EDD48DFAC025D4069EB6491B9730D9D131B77CCEAA480AF9B3C32BC8C5E3A9' @@ -367,6 +370,9 @@ detection: - 'SHA256=d64f906376f21677d0585e93dae8b36248f94be7091b01fd1d4381916a326afe' - 'SHA256=e0afb8b937a5907fbe55a1d1cc7574e9304007ef33fa80ff3896e997a1beaf37' - 'SHA256=f83c357106a7d1d055b5cb75c8414aa3219354deb16ae9ee7efe8ee4c8c670ca' + - 'SHA256=01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd' + - 'SHA256=ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1' + - 'SHA256=0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5' selection_other: - SHA1: - '80fa962bdfb76dfcb9e5d13efc38bb3d392f2e77' @@ -547,6 +553,9 @@ detection: - 'aee092fd31772d33932a7a02dd2d73ede67f7db0' - '118f688c30a2f6c2d1feb955f53ce4acf3086b3b' - '4ede7f018c317ddc6a5f8f935f917621668cb1ec' + - 'f6f11ad2cd2b0cf95ed42324876bee1d83e01775' + - '10b30bdee43b3a2ec4aa63375577ade650269d25' + - 'c948ae14761095e4d76b55d9de86412258be7afd' - SHA256: - '80599708ce61ec5d6dcfc5977208a2a0be2252820a88d9ba260d8cdf5dc7fbe4' - '9091e044273ff624585235ac885eb2b05dfb12f3022dcf535b178ff1b2e012d1' 
@@ -761,6 +770,9 @@ detection: - 'd64f906376f21677d0585e93dae8b36248f94be7091b01fd1d4381916a326afe' - 'e0afb8b937a5907fbe55a1d1cc7574e9304007ef33fa80ff3896e997a1beaf37' - 'f83c357106a7d1d055b5cb75c8414aa3219354deb16ae9ee7efe8ee4c8c670ca' + - '01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd' + - 'ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1' + - '0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5' driver_img: ImageLoaded|endswith: - '\ASIO32.sys' @@ -870,6 +882,8 @@ detection: - '\piddrv64.sys' - '\mhyprot2.sys' - '\netfilter.sys' + - '\RTCore64.sys' + - '\DBUtils_2_3.sys' driver_status: - Signed: 'false' - SignatureStatus: Expired diff --git a/rules/windows/file_change/file_change_win_2022_timestomping.yml b/rules/windows/file_change/file_change_win_2022_timestomping.yml index 11b21c196..9becf4856 100644 --- a/rules/windows/file_change/file_change_win_2022_timestomping.yml +++ b/rules/windows/file_change/file_change_win_2022_timestomping.yml 
@@ -8,22 +8,32 @@ references: - https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html author: frack113, Florian Roth date: 2022/08/12 +modified: 2022/09/05 +tags: + - attack.t1070.006 + - attack.defense_evasion logsource: category: file_change product: windows detection: selection1: - PreviousCreationUtcTime|startswith: 2022 + PreviousCreationUtcTime|startswith: '2022' filter1: - CreationUtcTime|startswith: 2022 + CreationUtcTime|startswith: '2022' selection2: - PreviousCreationUtcTime|startswith: 202 + PreviousCreationUtcTime|startswith: '202' filter2: CreationUtcTime|startswith: 202 - condition: ( selection1 and not filter1 ) or ( selection2 and not filter2 ) + gen_filter_updates: + - Image: + - 'C:\Windows\system32\ProvTool.exe' + - 'C:\Windows\System32\usocoreworker.exe' + - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe' + - TargetFilename|startswith: 'C:\ProgramData\USOPrivate\UpdateStore\' + - TargetFilename|endswith: + - '.tmp' + - '.temp' + condition: ( selection1 and not filter1 ) or ( selection2 and not filter2 ) and not 1 of gen_filter* falsepositives: - Changes made to or by the local NTP service level: high -tags: - - attack.t1070.006 - - attack.defense_evasion diff --git a/rules/windows/file_event/file_event_win_install_teamviewer_desktop.yml b/rules/windows/file_event/file_event_win_install_teamviewer_desktop.yml index 6a2e0a3c4..1a8fcf21a 100644 --- a/rules/windows/file_event/file_event_win_install_teamviewer_desktop.yml +++ b/rules/windows/file_event/file_event_win_install_teamviewer_desktop.yml @@ -11,7 +11,7 @@ logsource: category: file_event detection: selection: - TargetFilename|endswith: \TeamViewer_Desktop.exe + TargetFilename|endswith: '\TeamViewer_Desktop.exe' condition: selection falsepositives: - Unknown diff --git a/rules/windows/file_event/file_event_win_office_persistence.yml b/rules/windows/file_event/file_event_win_office_persistence.yml index 16a87e66c..af5c704af 100644 
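Review bot: The new `condition` does not apply `gen_filter_updates` to both branches: Sigma gives `and` precedence over `or`, so `( selection1 and not filter1 ) or ( selection2 and not filter2 ) and not 1 of gen_filter*` parses as `A or (B and not gen_filter)`, and the ProvTool/usocoreworker/UpdateStore exclusions never suppress the 2022-dated matches of `selection1` they were added for. Wrap the alternation: `condition: ( ( selection1 and not filter1 ) or ( selection2 and not filter2 ) ) and not 1 of gen_filter*`. Two smaller points in the same hunk: `filter2: CreationUtcTime|startswith: 202` was left unquoted while its siblings were quoted (a bare `202` is an integer to YAML), and the `TargetFilename|endswith: .tmp/.temp` alternative excludes a timestomped temp file anywhere on disk, which is much wider than the update-service intent the selection name suggests — consider scoping it or documenting why it is that broad.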
--- a/rules/windows/file_event/file_event_win_office_persistence.yml +++ b/rules/windows/file_event/file_event_win_office_persistence.yml @@ -12,16 +12,16 @@ logsource: product: windows detection: selection_wlldropped: - TargetFilename|contains: \Microsoft\Word\Startup\ - TargetFilename|endswith: .wll + TargetFilename|contains: '\Microsoft\Word\Startup\' + TargetFilename|endswith: '.wll' selection_xlldropped: - TargetFilename|contains: \Microsoft\Excel\Startup\ - TargetFilename|endswith: .xll + TargetFilename|contains: '\Microsoft\Excel\Startup\' + TargetFilename|endswith: '.xll' selection_generic: - TargetFilename|contains: \Microsoft\Addins\ + TargetFilename|contains: '\Microsoft\Addins\' TargetFilename|endswith: - - .xlam - - .xla + - '.xlam' + - '.xla' condition: 1 of selection* falsepositives: - Legitimate add-ins diff --git a/rules/windows/file_event/file_event_win_pingback_backdoor.yml b/rules/windows/file_event/file_event_win_pingback_backdoor.yml index 5b9417ab3..605c24787 100644 --- a/rules/windows/file_event/file_event_win_pingback_backdoor.yml +++ b/rules/windows/file_event/file_event_win_pingback_backdoor.yml @@ -16,7 +16,7 @@ logsource: category: file_event detection: selection: - Image|endswith: updata.exe + Image|endswith: 'updata.exe' TargetFilename: 'C:\Windows\oci.dll' condition: selection falsepositives: diff --git a/rules/windows/file_event/file_event_win_susp_colorcpl.yml b/rules/windows/file_event/file_event_win_susp_colorcpl.yml index 3b6822fe3..1eaa671db 100644 --- a/rules/windows/file_event/file_event_win_susp_colorcpl.yml +++ b/rules/windows/file_event/file_event_win_susp_colorcpl.yml @@ -11,13 +11,13 @@ logsource: category: file_event detection: selection: - Image|endswith: \colorcpl.exe + Image|endswith: '\colorcpl.exe' valid_ext: TargetFilename|endswith: - - .icm - - .gmmp - - .cdmp - - .camp + - '.icm' + - '.gmmp' + - '.cdmp' + - '.camp' condition: selection and not valid_ext falsepositives: - Unknown 
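Review bot: `Image|endswith: 'updata.exe'` has no leading path separator, so it also matches any executable whose name merely ends in those characters (e.g. `someupdata.exe`); the sibling rules touched in this commit anchor on the separator (`'\colorcpl.exe'`, `'\cmd.exe'`), so `Image|endswith: '\updata.exe'` would be consistent and slightly tighter. The exact `TargetFilename: 'C:\Windows\oci.dll'` keeps the rule precise either way, so this is a style point rather than a false-positive risk.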
diff --git a/rules/windows/file_event/file_event_win_susp_desktop_txt.yml b/rules/windows/file_event/file_event_win_susp_desktop_txt.yml index 8c47cc0c0..ad488b343 100644 --- a/rules/windows/file_event/file_event_win_susp_desktop_txt.yml +++ b/rules/windows/file_event/file_event_win_susp_desktop_txt.yml @@ -11,11 +11,11 @@ logsource: category: file_event detection: selection: - Image|endswith: \cmd.exe + Image|endswith: '\cmd.exe' TargetFilename|contains|all: - - \Users\ - - \Desktop\ - TargetFilename|endswith: .txt + - '\Users\' + - '\Desktop\' + TargetFilename|endswith: '.txt' condition: selection falsepositives: - Unknown diff --git a/rules/windows/image_load/image_load_abusing_azure_browser_sso.yml b/rules/windows/image_load/image_load_abusing_azure_browser_sso.yml index b1e9c1eea..94b145850 100644 --- a/rules/windows/image_load/image_load_abusing_azure_browser_sso.yml +++ b/rules/windows/image_load/image_load_abusing_azure_browser_sso.yml @@ -16,7 +16,7 @@ tags: - attack.t1574.002 detection: selection_dll: - ImageLoaded|endswith: MicrosoftAccountTokenProvider.dll + ImageLoaded|endswith: 'MicrosoftAccountTokenProvider.dll' filter_legit: - Image|endswith: - '\BackgroundTaskHost.exe' diff --git a/rules/windows/image_load/image_load_susp_cmstp.yml b/rules/windows/image_load/image_load_susp_cmstp.yml new file mode 100644 index 000000000..6c5dea61b --- /dev/null +++ b/rules/windows/image_load/image_load_susp_cmstp.yml 
@@ -0,0 +1,30 @@ +title: Cmstp Suspicious DLL Load +id: 75e508f7-932d-4ebc-af77-269237a84ce1 +status: experimental +description: Detects cmstp loading "dll" or "ocx" files from suspicious locations +author: Nasreddine Bencherchali +references: + - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/TTPs/Defense%20Evasion/T1218%20-%20Signed%20Binary%20Proxy%20Execution/T1218.003%20-%20CMSTP/Procedures.yaml +date: 2022/08/30 +logsource: + category: image_load + product: windows +detection: + selection: + ImageLoaded|contains: + # Add more suspicious paths as you see fit in your env + - '\Users\' + - '\AppData\Local\Temp\' + - '\PerfLogs\' + - '\Windows\Temp\' + ImageLoaded|endswith: + - '.dll' + - '.ocx' + Image|endswith: '\cmstp.exe' + condition: selection +falsepositives: + - Unikely +level: high +tags: + - attack.defense_evasion + - attack.t1218.003 diff --git a/rules/windows/image_load/image_load_susp_dll_load_system_process.yml b/rules/windows/image_load/image_load_susp_dll_load_system_process.yml index f683c2f77..836cbd315 100644 --- a/rules/windows/image_load/image_load_susp_dll_load_system_process.yml +++ b/rules/windows/image_load/image_load_susp_dll_load_system_process.yml @@ -6,7 +6,10 @@ author: Nasreddine Bencherchali references: - https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC (Idea) date: 2022/07/17 -modified: 2022/08/10 +modified: 2022/09/03 +tags: + - attack.defense_evasion + - attack.t1070 logsource: product: windows category: image_load @@ -21,11 +24,11 @@ detection: - '\AppData\Local\Temp\' - 'C:\PerfLogs\' filter: - ImageLoaded|contains: '\Program Files' + - Image|endswith: '\msiexec.exe' + - ImageLoaded|startswith: + - 'C:\Program Files\' + - 'C:\Program Files (x86)\' condition: selection and not filter falsepositives: - Unknown level: high -tags: - - attack.defense_evasion - - attack.t1070 
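Review bot: `falsepositives: - Unikely` is a typo for `Unlikely`. In `selection`, the `ImageLoaded|contains: '\Users\'` entry already subsumes `'\AppData\Local\Temp\'` for every per-user profile; that is fine for coverage, but a comment such as `# '\Users\' already covers per-user AppData; Temp is listed separately for readability` would stop a later editor from "deduplicating" it in the wrong direction. Since `Image|endswith: '\cmstp.exe'` is the real anchor of the rule, placing it first in the selection would read more naturally.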
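Review bot: The rewritten `filter` now excludes `Image|endswith: '\msiexec.exe'` unconditionally, so any DLL msiexec loads from the suspicious directories in `selection` (`\AppData\Local\Temp\`, `C:\PerfLogs\`, …) is dropped — installers do legitimately stage custom-action DLLs under the user's Temp, but that is also exactly the path an attacker proxying through msiexec would use, so this trades coverage for noise without recording why. A comment above the entry, e.g. `# msiexec stages MSI custom-action DLLs in %TEMP%; excluded to reduce noise — TODO narrow to the MSI temp sub-path`, would document the decision (the `selection` block itself starts outside this hunk). The second alternative's `ImageLoaded|startswith` on `'C:\Program Files\'` / `'C:\Program Files (x86)\'` is tighter than the old `|contains: '\Program Files'` and is a good change. Separately, the relocated tag `attack.t1070` (indicator removal) does not describe DLL loading from user-writable paths — `attack.t1574.002` seems closer, though that mapping predates this commit.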
diff --git a/rules/windows/image_load/image_load_susp_fax_dll.yml b/rules/windows/image_load/image_load_susp_fax_dll.yml index 568dc22b7..02d9c099c 100644 --- a/rules/windows/image_load/image_load_susp_fax_dll.yml +++ b/rules/windows/image_load/image_load_susp_fax_dll.yml @@ -13,9 +13,9 @@ logsource: detection: selection: Image|endswith: '\fxssvc.exe' - ImageLoaded|endswith: ualapi.dll + ImageLoaded|endswith: 'ualapi.dll' filter: - ImageLoaded|startswith: C:\Windows\WinSxS\ + ImageLoaded|startswith: 'C:\Windows\WinSxS\' condition: selection and not filter falsepositives: - Unlikely diff --git a/rules/windows/image_load/image_load_wsman_provider_image_load.yml b/rules/windows/image_load/image_load_wsman_provider_image_load.yml index d2cbb8742..1ce9ae1f7 100644 --- a/rules/windows/image_load/image_load_wsman_provider_image_load.yml +++ b/rules/windows/image_load/image_load_wsman_provider_image_load.yml @@ -25,9 +25,9 @@ detection: - '\WsmAuto.dll' - '\Microsoft.WSMan.Management.ni.dll' - OriginalFileName: - - WsmSvc.dll - - WSMANAUTOMATION.DLL - - Microsoft.WSMan.Management.dll + - 'WsmSvc.dll' + - 'WSMANAUTOMATION.DLL' + - 'Microsoft.WSMan.Management.dll' respond_server: Image|endswith: '\svchost.exe' OriginalFileName: 'WsmWmiPl.dll' @@ -44,9 +44,9 @@ detection: - 'svchost.exe -k netsvcs' filter_mscorsvw: #Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe Image|startswith: - - C:\Windows\Microsoft.NET\Framework64\v - - C:\Windows\Microsoft.NET\Framework\v - Image|endswith: \mscorsvw.exe + - 'C:\Windows\Microsoft.NET\Framework64\v' + - 'C:\Windows\Microsoft.NET\Framework\v' + Image|endswith: '\mscorsvw.exe' filter_svr_2019: Image: - 'C:\Windows\System32\Configure-SMRemoting.exe' diff --git a/rules/windows/network_connection/net_connection_win_certutil.yml b/rules/windows/network_connection/net_connection_win_certutil.yml new file mode 100644 index 000000000..12d8c9b0f --- /dev/null 
+++ b/rules/windows/network_connection/net_connection_win_certutil.yml @@ -0,0 +1,29 @@ +title: Certutil Initiated Connection +id: 0dba975d-a193-4ed1-a067-424df57570d1 +status: experimental +description: Detects a network connection intitiated by the certutil.exe tool. Attackers can abuse `certutil.exe` to download malware or offensive security tools. +author: frack113, Florian Roth +references: + - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil +date: 2022/09/02 +tags: + - attack.command_and_control + - attack.t1105 +logsource: + category: network_connection + product: windows +detection: + selection_certutil: + - Image|endswith: '\certutil.exe' + - OriginalFilename: 'CertUtil.exe' + selection_network: + Initiated: 'true' + DestinationPort: + - 80 + - 443 + - 135 + - 445 + condition: all of selection* +falsepositives: + - Legitimate certutil network connection +level: high diff --git a/rules/windows/network_connection/net_connection_win_susp_cmstp.yml b/rules/windows/network_connection/net_connection_win_susp_cmstp.yml new file mode 100644 index 000000000..2b0927bb0 --- /dev/null +++ b/rules/windows/network_connection/net_connection_win_susp_cmstp.yml @@ -0,0 +1,22 @@ +title: Cmstp Making Network Connection +id: efafe0bf-4238-479e-af8f-797bd3490d2d +status: experimental +description: Detects suspicious network connection by Cmstp +author: Nasreddine Bencherchali +references: + - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/ +date: 2022/08/30 +logsource: + category: network_connection + product: windows +detection: + selection: + Image|endswith: '\cmstp.exe' + Initiated: 'true' + condition: selection +falsepositives: + - Unknown +level: high +tags: + - attack.defense_evasion + - attack.t1218.003 
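Review bot: The alternative `OriginalFilename: 'CertUtil.exe'` in `selection_certutil` is spelled differently from the `OriginalFileName` field used elsewhere in this commit (the mshta rule), so it will not map to the field backends expect; and, as far as I know, Sysmon network-connection events do not carry the PE original filename at all, so the renamed-binary branch only works for log sources that enrich it — worth a comment or dropping. The `DestinationPort` list (80/443/135/445) misses downloads over non-standard ports while 80/443 are exactly where certutil legitimately fetches CRL and OCSP data, so `level: high` paired with `falsepositives: - Legitimate certutil network connection` will be noisy; consider `medium` or a filter for known certificate-authority destinations. Also `intitiated` in the description should be `initiated`.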
diff --git a/rules/windows/network_connection/net_connection_win_susp_rdp.yml b/rules/windows/network_connection/net_connection_win_susp_rdp.yml index a8f288079..fd89cf440 100755 --- a/rules/windows/network_connection/net_connection_win_susp_rdp.yml +++ b/rules/windows/network_connection/net_connection_win_susp_rdp.yml @@ -2,11 +2,15 @@ title: Suspicious Outbound RDP Connections id: ed74fe75-7594-4b4b-ae38-e38e3fd2eb23 status: test description: Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible lateral movement -author: Markus Neis - Swisscom +author: Markus Neis references: - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708 date: 2019/05/15 -modified: 2022/06/20 +modified: 2022/09/02 +tags: + - attack.lateral_movement + - attack.t1021.001 + - car.2013-07-002 logsource: category: network_connection product: windows @@ -40,13 +44,11 @@ detection: - '\Avast Software\Avast\AvastSvc.exe' - '\Ranger\SentinelRanger.exe' # sentinel one - '\Avast\AvastSvc.exe' - - Image|startswith: 'C:\Program Files\SplunkUniversalForwarder\bin\' + - Image|startswith: + - 'C:\Program Files\SplunkUniversalForwarder\bin\' + - 'C:\Program Files\Mozilla Firefox\firefox.exe' condition: selection and not filter falsepositives: - Other Remote Desktop RDP tools - Domain controller using dns.exe level: high -tags: - - attack.lateral_movement - - attack.t1021.001 - - car.2013-07-002 diff --git a/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml b/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml index 17542f99a..ab575a468 100755 --- a/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml +++ b/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml 
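Review bot: `'C:\Program Files\Mozilla Firefox\firefox.exe'` is a full executable path placed under `Image|startswith` next to a genuine directory prefix; it reads as if a directory were intended, and it silently excludes only the 64-bit install (a 32-bit Firefox under `C:\Program Files (x86)\` is still flagged). Either give it its own alternative, `- Image: 'C:\Program Files\Mozilla Firefox\firefox.exe'`, or use `- Image|endswith: '\Mozilla Firefox\firefox.exe'` if both install locations should be excluded. Whitelisting an entire browser on a rule for outbound 3389 also deserves a one-line comment explaining why Firefox reaches RDP ports in the author's environment.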
@@ -114,8 +114,8 @@ detection: - '0x1410' - '0x410' filter_edge: # version in path 96.0.1054.43 - SourceImage|startswith: C:\Program Files (x86)\Microsoft\Edge\Application\ - SourceImage|endswith: \Installer\setup.exe + SourceImage|startswith: 'C:\Program Files (x86)\Microsoft\Edge\Application\' + SourceImage|endswith: '\Installer\setup.exe' filter_webex: SourceImage|endswith: '\AppData\Local\WebEx\WebexHost.exe' GrantedAccess: '0x401' diff --git a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml index e84103481..e984d6e97 100644 --- a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml +++ b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml @@ -83,6 +83,10 @@ detection: - '\AppData\Local\Temp\' - '\vs_bootstrapper_' GrantedAccess: '0x1410' + filter_chrome: + SourceImage|startswith: 'C:\Program Files (x86)\Google\Temp\' + SourceImage|endswith: '.tmp\GoogleUpdate.exe' + GrantedAccess: '0x410' condition: selection and not 1 of filter* fields: - User diff --git a/rules/windows/process_creation/proc_creation_win_apt_ta505_dropper.yml b/rules/windows/process_creation/proc_creation_win_apt_ta505_dropper.yml index 57fabd44f..dd2e5bddc 100644 --- a/rules/windows/process_creation/proc_creation_win_apt_ta505_dropper.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_ta505_dropper.yml 
@@ -4,23 +4,23 @@ status: test description: Detects mshta loaded by wmiprvse as parent as used by TA505 malicious documents author: Florian Roth references: - - https://twitter.com/ForensicITGuy/status/1334734244120309760 + - https://twitter.com/ForensicITGuy/status/1334734244120309760 date: 2020/12/08 modified: 2022/03/31 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection_parent: - ParentImage|endswith: '\wmiprvse.exe' - selection_mshta: - - Image|endswith: '\mshta.exe' - - OriginalFileName: 'mshta.exe' - condition: selection_parent and selection_mshta + selection_parent: + ParentImage|endswith: '\wmiprvse.exe' + selection_mshta: + - Image|endswith: '\mshta.exe' + - OriginalFileName: 'mshta.exe' + condition: all of selection_* falsepositives: - - Unknown + - Unknown level: critical tags: - - attack.execution - - attack.g0092 - - attack.t1106 + - attack.execution + - attack.g0092 + - attack.t1106 diff --git a/rules/windows/process_creation/proc_creation_win_attrib_system.yml b/rules/windows/process_creation/proc_creation_win_attrib_system.yml index 849ac3882..ae2142b61 100644 --- a/rules/windows/process_creation/proc_creation_win_attrib_system.yml +++ b/rules/windows/process_creation/proc_creation_win_attrib_system.yml @@ -12,7 +12,7 @@ logsource: product: windows detection: selection: - Image|endswith: \attrib.exe + Image|endswith: '\attrib.exe' CommandLine|contains: ' +s ' condition: selection falsepositives: diff --git a/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml b/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml index 364747f58..683ab0932 100644 --- a/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml +++ b/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml 
@@ -15,7 +15,7 @@ logsource: product: windows detection: selection_basic: - Image|endswith: \attrib.exe + Image|endswith: '\attrib.exe' CommandLine|contains: ' +s' selection_paths: CommandLine|contains: diff --git a/rules/windows/process_creation/proc_creation_win_bootconf_mod.yml b/rules/windows/process_creation/proc_creation_win_bootconf_mod.yml index 820816abf..c042386d7 100644 --- a/rules/windows/process_creation/proc_creation_win_bootconf_mod.yml +++ b/rules/windows/process_creation/proc_creation_win_bootconf_mod.yml @@ -13,14 +13,14 @@ logsource: product: windows detection: selection1: - Image|endswith: \bcdedit.exe - CommandLine|contains: set + Image|endswith: '\bcdedit.exe' + CommandLine|contains: 'set' selection2: - CommandLine|contains|all: - - bootstatuspolicy - - ignoreallfailures + - 'bootstatuspolicy' + - 'ignoreallfailures' - CommandLine|contains|all: - - recoveryenabled + - 'recoveryenabled' - 'no' condition: all of selection* fields: diff --git a/rules/windows/process_creation/proc_creation_win_bypass_squiblytwo.yml b/rules/windows/process_creation/proc_creation_win_bypass_squiblytwo.yml index b36661bce..8a20323d1 100644 --- a/rules/windows/process_creation/proc_creation_win_bypass_squiblytwo.yml +++ b/rules/windows/process_creation/proc_creation_win_bypass_squiblytwo.yml 
@@ -1,44 +1,44 @@ -title: SquiblyTwo +title: SquiblyTwo Execution id: 8d63dadf-b91b-4187-87b6-34a1114577ea status: test description: Detects WMI SquiblyTwo Attack with possible renamed WMI by looking for imphash -author: Markus Neis / Florian Roth +author: Markus Neis, Florian Roth references: - - https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html - - https://twitter.com/mattifestation/status/986280382042595328 + - https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html + - https://twitter.com/mattifestation/status/986280382042595328 date: 2019/01/16 modified: 2022/03/21 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection_one: - Image|endswith: '\wmic.exe' - CommandLine|contains|all: - - wmic - - format - - http - selection_wmic_imphash: - - Imphash: - - 1B1A3F43BF37B5BFE60751F2EE2F326E - - 37777A96245A3C74EB217308F3546F4C - - 9D87C9D67CE724033C0B40CC4CA1B206 - - Hashes|contains: # Sysmon field hashes contains all types - - IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E - - IMPHASH=37777A96245A3C74EB217308F3546F4C - - IMPHASH=9D87C9D67CE724033C0B40CC4CA1B206 - selection_flags: - CommandLine|contains|all: - - 'format:' - - 'http' - condition: selection_one or (selection_wmic_imphash and selection_flags) + selection_org: + Image|endswith: '\wmic.exe' + CommandLine|contains|all: + - wmic + - format + - http + selection_renamed_wmic_imphash: + - Imphash: + - 1B1A3F43BF37B5BFE60751F2EE2F326E + - 37777A96245A3C74EB217308F3546F4C + - 9D87C9D67CE724033C0B40CC4CA1B206 + - Hashes|contains: # Sysmon field hashes contains all types + - IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E + - IMPHASH=37777A96245A3C74EB217308F3546F4C + - IMPHASH=9D87C9D67CE724033C0B40CC4CA1B206 + selection_renamed_flags: + CommandLine|contains|all: + - 'format:' + - 'http' + condition: selection_org or all of selection_renamed_* falsepositives: - - Unknown + - Unknown level: medium tags: 
- - attack.defense_evasion - - attack.t1047 - - attack.t1220 - - attack.execution - - attack.t1059.005 - - attack.t1059.007 + - attack.defense_evasion + - attack.t1047 + - attack.t1220 + - attack.execution + - attack.t1059.005 + - attack.t1059.007 diff --git a/rules/windows/process_creation/proc_creation_win_certoc_execution.yml b/rules/windows/process_creation/proc_creation_win_certoc_execution.yml index 8a9dfa8a0..d7d897909 100644 --- a/rules/windows/process_creation/proc_creation_win_certoc_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_certoc_execution.yml @@ -6,7 +6,7 @@ author: Austin Songer @austinsonger date: 2021/10/23 modified: 2022/05/16 references: -- https://twitter.com/sblmsrsn/status/1445758411803480072?s=20 + - https://twitter.com/sblmsrsn/status/1445758411803480072?s=20 logsource: category: process_creation product: windows @@ -23,8 +23,8 @@ fields: - CommandLine - ParentCommandLine tags: -- attack.defense_evasion -- attack.t1218 + - attack.defense_evasion + - attack.t1218 falsepositives: - Unknown level: medium diff --git a/rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion.yml b/rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion.yml new file mode 100644 index 000000000..cd5fb9f3b --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion.yml 
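Review bot: `selection_org` still carries `wmic`, `format` and `http` as plain scalars while every other hunk in this commit wraps such values in single quotes (`'\attrib.exe'`, `'set'`, `'config'`); for consistency write `- 'wmic'`, `- 'format'`, `- 'http'`. The three plain `Imphash` values in `selection_renamed_wmic_imphash` are the same case. The renamed selections and `condition: selection_org or all of selection_renamed_*` are otherwise equivalent to the old condition, so nothing else in the hunk changes what fires.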
@@ -0,0 +1,26 @@
+title: NTLM Coercion Via Certutil.exe
+id: 6c6d9280-e6d0-4b9d-80ac-254701b64916
+description: Detects possible NTLM coercion via certutil using the 'syncwithWU' flag
+status: experimental
+author: Nasreddine Bencherchali
+date: 2022/09/01
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/issues/243
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - Image|endswith: '\certutil.exe'
+ - OriginalFileName: 'CertUtil.exe'
+ selection_cli:
+ CommandLine|contains|all:
+ - ' -syncwithWU '
+ - ' \\\\'
+ condition: all of selection*
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_chrome_load_extension.yml b/rules/windows/process_creation/proc_creation_win_chrome_load_extension.yml
index 0104f9083..c0aac1205 100644
--- a/rules/windows/process_creation/proc_creation_win_chrome_load_extension.yml
+++ b/rules/windows/process_creation/proc_creation_win_chrome_load_extension.yml
@@ -1,7 +1,7 @@
 title: Powershell ChromeLoader Browser Hijacker
 id: 27ba3207-dd30-4812-abbf-5d20c57d474e
 status: experimental
-description: Detects PowerShell spawning chrome.exe containing load-extension and AppData\Local in the process command line
+description: Detects PowerShell process spawning a 'chrome.exe' process with the 'load-extension' flag to start a new chrome instance with custom extensions, as seen being used in 'ChromeLoader'
 author: Aedan Russell, frack113 (sigma)
 references:
 - https://redcanary.com/blog/chromeloader/
diff --git a/rules/windows/process_creation/proc_creation_win_chrome_remote_debugging.yml b/rules/windows/process_creation/proc_creation_win_chrome_remote_debugging.yml
index 7dedcad4e..1a16aa8eb 100644
--- a/rules/windows/process_creation/proc_creation_win_chrome_remote_debugging.yml
+++ b/rules/windows/process_creation/proc_creation_win_chrome_remote_debugging.yml
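Review bot: `selection_cli` matches only the dash spelling `' -syncwithWU '`; certutil, as far as I recall, accepts its verbs with either a `-` or a `/` prefix, so the slash spelling of the same switch is not covered. Because `contains|all` requires every listed entry, the alternative needs its own selection rather than another list item: `selection_flag: CommandLine|contains: [' -syncwithWU ', ' /syncwithWU ']` plus `selection_unc: CommandLine|contains: ' \\\\'`, with `condition: all of selection*` left as it is. The `' \\\\'` value itself looks right: inside a single-quoted YAML scalar the four backslashes reach the Sigma backend untouched, which under Sigma's escaping rules should denote two literal backslashes, i.e. the start of a UNC path.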
@@ -1,7 +1,7 @@ title: Browser Started with Remote Debugging id: b3d34dc5-2efd-4ae3-845f-8ec14921f449 status: experimental -description: Detects starting browser with remote debugging flag, may be used for browser injection attacks +description: Detects browsers starting with the '--remote-debugging' flag. Which is a technique often used to perform browser injection attacks author: pH-T references: - https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf diff --git a/rules/windows/process_creation/proc_creation_win_cleanwipe.yml b/rules/windows/process_creation/proc_creation_win_cleanwipe.yml index b9dd23129..8d7579ea8 100644 --- a/rules/windows/process_creation/proc_creation_win_cleanwipe.yml +++ b/rules/windows/process_creation/proc_creation_win_cleanwipe.yml @@ -6,6 +6,7 @@ references: - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/CleanWipe author: Nasreddine Bencherchali @nas_bench date: 2021/12/18 +modified: 2022/09/02 tags: - attack.defense_evasion - attack.t1562.001 @@ -28,5 +29,5 @@ detection: - '/enterprise' condition: 1 of selection* falsepositives: - - Legitimate administrative use -level: medium + - Legitimate administrative use (Should be investigated either way) +level: high diff --git a/rules/windows/process_creation/proc_creation_win_cmd_delete.yml b/rules/windows/process_creation/proc_creation_win_cmd_delete.yml index 584649299..48aca389f 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_delete.yml +++ b/rules/windows/process_creation/proc_creation_win_cmd_delete.yml @@ -24,7 +24,7 @@ detection: - /q condition: selection falsepositives: - - Legitimate script + - Legitimate scripts level: low tags: - attack.defense_evasion diff --git a/rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml b/rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml index a4b11d9c2..62e9c6e27 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml 
+++ b/rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml @@ -1,11 +1,12 @@ title: Suspicious Dosfuscation Character in Commandline id: a77c1610-fc73-4019-8e29-0f51efc04a51 status: experimental -description: Possible Payload Obfuscation +description: Detects possible payload obfuscation via the commandline references: - https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf author: frack113 date: 2022/02/15 +modified: 2022/09/02 logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/proc_creation_win_cmd_read_contents.yml b/rules/windows/process_creation/proc_creation_win_cmd_read_contents.yml index 54949d4c5..5cb6f6ffc 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_read_contents.yml +++ b/rules/windows/process_creation/proc_creation_win_cmd_read_contents.yml @@ -11,8 +11,8 @@ logsource: product: windows detection: selection_cmd: - - OriginalFileName: Cmd.Exe - - Image|endswith: \cmd.exe + - OriginalFileName: 'Cmd.Exe' + - Image|endswith: '\cmd.exe' selection_read: - ParentCommandLine|contains|all: - 'cmd ' diff --git a/rules/windows/process_creation/proc_creation_win_crypto_mining_monero.yml b/rules/windows/process_creation/proc_creation_win_crypto_mining_monero.yml index 4db11b093..9c8713444 100644 --- a/rules/windows/process_creation/proc_creation_win_crypto_mining_monero.yml +++ b/rules/windows/process_creation/proc_creation_win_crypto_mining_monero.yml @@ -6,6 +6,10 @@ references: - https://www.poolwatch.io/coin/monero author: Florian Roth date: 2021/10/26 +modified: 2022/09/05 +tags: + - attack.impact + - attack.t1496 logsource: category: process_creation product: windows 
@@ -30,10 +34,13 @@ detection: - 'c3RyYXR1bSt1ZHA6Ly' - 'N0cmF0dW0rdWRwOi8v' - 'zdHJhdHVtK3VkcDovL' - condition: selection + filter: + CommandLine|contains: + - ' pool.c ' + - ' pool.o ' + - 'gcc -' + condition: selection and not filter falsepositives: - Legitimate use of crypto miners + - Some build frameworks level: high -tags: - - attack.impact - - attack.t1496 \ No newline at end of file diff --git a/rules/windows/process_creation/proc_creation_win_delete_systemstatebackup.yml b/rules/windows/process_creation/proc_creation_win_delete_systemstatebackup.yml index 6c41c701b..ee0e58bb6 100644 --- a/rules/windows/process_creation/proc_creation_win_delete_systemstatebackup.yml +++ b/rules/windows/process_creation/proc_creation_win_delete_systemstatebackup.yml @@ -15,8 +15,8 @@ logsource: product: windows detection: wbadmin_exe: - - Image|endswith: \wbadmin.exe - - CommandLine|contains: wbadmin + - Image|endswith: '\wbadmin.exe' + - CommandLine|contains: 'wbadmin' wbadmin_cmd: CommandLine|contains|all: - 'delete ' diff --git a/rules/windows/process_creation/proc_creation_win_dirlister.yml b/rules/windows/process_creation/proc_creation_win_dirlister.yml index f51ca641d..6ec5dbe0c 100644 --- a/rules/windows/process_creation/proc_creation_win_dirlister.yml +++ b/rules/windows/process_creation/proc_creation_win_dirlister.yml @@ -11,8 +11,8 @@ logsource: product: windows detection: selection: - - OriginalFileName: DirLister.exe - - Image|endswith: \dirlister.exe + - OriginalFileName: 'DirLister.exe' + - Image|endswith: '\dirlister.exe' condition: selection falsepositives: - Legitimate use diff --git a/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_in_registry.yml b/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_in_registry.yml index 7fa8f4973..f68b1fb99 100644 --- a/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_in_registry.yml 
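Review bot: The new `filter` suppresses any event whose command line contains `' pool.c '`, `' pool.o '` or `'gcc -'`, so it is keyed on the same caller-controlled field the selection matches, and an otherwise-matching launch is dropped whenever one of those tokens happens to appear. A narrower exclusion would anchor on the process rather than on the arguments, e.g. `Image|endswith: '\gcc.exe'` (or the corresponding `ParentImage`) combined with the `CommandLine` terms in the same mapping, which still covers the build-framework false positive without excluding unrelated command lines. The three `CommandLine|contains` entries are ORed, which seems intended; a short comment above `filter:` such as `# build tooling compiling a stratum client, see falsepositives` would record why these three tokens were chosen.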
+++ b/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_in_registry.yml @@ -14,7 +14,7 @@ logsource: product: windows detection: reg: - Image|endswith: \reg.exe + Image|endswith: '\reg.exe' CommandLine|contains|all: - ' query ' - '/t ' diff --git a/rules/windows/process_creation/proc_creation_win_evil_winrm.yml b/rules/windows/process_creation/proc_creation_win_evil_winrm.yml index 843ad0759..862a2e4eb 100644 --- a/rules/windows/process_creation/proc_creation_win_evil_winrm.yml +++ b/rules/windows/process_creation/proc_creation_win_evil_winrm.yml @@ -12,7 +12,7 @@ logsource: product: windows detection: selection_mstsc: - Image|endswith: \ruby.exe + Image|endswith: '\ruby.exe' CommandLine|contains|all: - '-i ' - '-u ' diff --git a/rules/windows/process_creation/proc_creation_win_file_permission_modifications.yml b/rules/windows/process_creation/proc_creation_win_file_permission_modifications.yml index d88652a6d..32e4c6c75 100644 --- a/rules/windows/process_creation/proc_creation_win_file_permission_modifications.yml +++ b/rules/windows/process_creation/proc_creation_win_file_permission_modifications.yml @@ -7,7 +7,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh750728(v=ws.11) date: 2019/10/23 -modified: 2022/08/01 +modified: 2022/09/03 logsource: category: process_creation product: windows @@ -30,7 +30,8 @@ detection: - 'ICACLS C:\ProgramData\dynatrace\gateway\config\config.properties /grant :r ' - 'S-1-5-19:F' filter_programs: - CommandLine|contains: '\AppData\Local\Programs\Microsoft VS Code' + - Image|contains: '\AppData\Local\Programs\Microsoft VS Code' + - Image|endswith: '\Microsoft VS Code\Code.exe' condition: 1 of selection* and not 1 of filter* fields: - ComputerName 
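Review bot: In `filter_programs` the second entry, `Image|endswith: '\Microsoft VS Code\Code.exe'`, accepts that suffix under any parent directory, whereas the removed `CommandLine` filter and the first new entry are anchored to `\AppData\Local\Programs\`. If the second entry is meant for the machine-wide install, anchoring it as well — e.g. `Image|contains: '\Program Files\Microsoft VS Code\'` (and its `(x86)` counterpart if needed) — keeps the exclusion tied to known install roots, since `Image` is only a path and not a signer check. A one-line comment on why the filter moved from `CommandLine` to `Image` would also help the next reader of this rule; the `fields:` list that the hunk ends in continues outside the hunk.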
diff --git a/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml b/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml index 46335f35f..74e7dffb0 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml @@ -11,11 +11,11 @@ logsource: product: windows detection: selection: - Image|endswith: \findstr.exe + Image|endswith: '\findstr.exe' CommandLine|contains|all: - - cpassword - - \sysvol\ - - .xml + - 'cpassword' + - '\sysvol\' + - '.xml' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml b/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml index b8633188b..45734b3a4 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml @@ -11,7 +11,7 @@ logsource: product: windows detection: selection1: - Image|endswith: \findstr.exe + Image|endswith: '\findstr.exe' CommandLine|contains: 'lsass' selection2: CommandLine|contains: diff --git a/rules/windows/process_creation/proc_creation_win_frp.yml b/rules/windows/process_creation/proc_creation_win_frp.yml new file mode 100644 index 000000000..566ff53d9 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_frp.yml 
@@ -0,0 +1,25 @@
+title: Fast Reverse Proxy (FRP)
+id: 32410e29-5f94-4568-b6a3-d91a8adad863
+status: experimental
+description: Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.
+references:
+ - https://asec.ahnlab.com/en/38156/
+ - https://github.com/fatedier/frp
+author: frack113
+date: 2022/09/02
+tags:
+ - attack.command_and_control
+ - attack.t1090
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - '\frpc.exe'
+ - '\frps.exe'
+ CommandLine|contains: '\frpc.ini'
+ condition: selection
+falsepositives:
+ - Legitimate use
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_hack_rubeus.yml b/rules/windows/process_creation/proc_creation_win_hack_rubeus.yml
index dbf26444a..0d5a5f0c3 100644
--- a/rules/windows/process_creation/proc_creation_win_hack_rubeus.yml
+++ b/rules/windows/process_creation/proc_creation_win_hack_rubeus.yml
@@ -13,7 +13,7 @@ logsource:
 product: windows
 detection:
 selection:
- - Image|endswith: ˚\Rubeus.exe'
+ - Image|endswith: '\Rubeus.exe'
 - OriginalFileName: 'Rubeus.exe'
 - CommandLine|contains:
 - ' asreproast '
diff --git a/rules/windows/process_creation/proc_creation_win_iis_http_logging.yml b/rules/windows/process_creation/proc_creation_win_iis_http_logging.yml
index b9df78894..cbcbd0a27 100644
--- a/rules/windows/process_creation/proc_creation_win_iis_http_logging.yml
+++ b/rules/windows/process_creation/proc_creation_win_iis_http_logging.yml
@@ -11,10 +11,10 @@ logsource:
 product: windows
 detection:
 selection:
- Image|endswith: \appcmd.exe
+ Image|endswith: '\appcmd.exe'
 CommandLine|contains|all:
- - set
- - config
+ - 'set'
+ - 'config'
 - '/section:httplogging'
 - '/dontLog:true'
 condition: selection
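Review bot: The `'\frps.exe'` entry in `selection` cannot match as written: `Image|endswith` and `CommandLine|contains` sit in the same mapping and are ANDed, and the command line is required to contain `'\frpc.ini'`, which is the client's configuration file — the server binary reads its own `frps.ini`. Either extend the command-line check to a list, `- '\frpc.ini'` / `- '\frps.ini'`, or drop the server image from the list and say so in the description. As far as I recall frpc also falls back to a config file in its working directory when no path is given, so a launch with no `.ini` argument would slip past this rule; if that matters, the image match alone could become a second, lower-level selection.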
diff --git a/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_use_mhsta.yml index c8fa2a698..fef63f164 100644 --- a/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_use_mhsta.yml +++ b/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_use_mhsta.yml @@ -4,27 +4,27 @@ status: test description: Detects Obfuscated Powershell via use MSHTA in Scripts author: Nikita Nazarov, oscd.community references: - - https://github.com/Neo23x0/sigma/issues/1009 #(Task31) + - https://github.com/Neo23x0/sigma/issues/1009 #(Task31) date: 2020/10/08 modified: 2022/03/08 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine|contains|all: - - 'set' - - '&&' - - 'mshta' - - 'vbscript:createobject' - - '.run' - - '(window.close)' - condition: selection + selection: + CommandLine|contains|all: + - 'set' + - '&&' + - 'mshta' + - 'vbscript:createobject' + - '.run' + - '(window.close)' + condition: selection falsepositives: - - Unknown + - Unknown level: high tags: - - attack.defense_evasion - - attack.t1027 - - attack.execution - - attack.t1059.001 + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 diff --git a/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml b/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml new file mode 100644 index 000000000..03c0e5335 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml 
@@ -0,0 +1,32 @@
+title: Suspicious Ldifde Command Usage
+id: 6f535e01-ca1f-40be-ab8d-45b19c0c8b7f
+description: |
+ Detects the use of Ldifde.exe with specific command line arguments to potentially load an LDIF file containing HTTP-based arguments.
+ Ldifde.exe is present, by default, on domain controllers and only requires user-level authentication to execute.
+references:
+ - https://twitter.com/0gtweet/status/1564968845726580736
+ - https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html
+ - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)
+status: experimental
+author: '@gott_cyber'
+date: 2022/09/02
+tags:
+ - attack.command_and_control
+ - attack.t1105
+ - attack.defense_evasion
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_ldif:
+ - Image|endswith: '\ldifde.exe'
+ - OriginalFileName: ldifde.exe.mui
+ selection_cmd:
+ CommandLine|contains|all:
+ - '-i'
+ - '-f'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_forfiles.yml b/rules/windows/process_creation/proc_creation_win_lolbin_forfiles.yml
index faa1e637e..5f4809fe7 100644
--- a/rules/windows/process_creation/proc_creation_win_lolbin_forfiles.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_forfiles.yml
@@ -12,8 +12,8 @@ logsource:
 product: windows
 detection:
 selection_img:
- - Image|endswith: \forfiles.exe
- - OriginalFileName: forfiles.exe
+ - Image|endswith: '\forfiles.exe'
+ - OriginalFileName: 'forfiles.exe'
 selection_cli_p:
 CommandLine|contains:
 - ' /p '
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml b/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml
index e70af9399..04b8c37f4 100644
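Review bot: `OriginalFileName: ldifde.exe.mui` is the one plain scalar left in `selection_ldif` while the rest of this commit quotes such values (`'forfiles.exe'` in the very next hunk); write it as `'ldifde.exe.mui'`. The value is also worth checking against the referenced strontic entry, because this entry is ORed with the `Image` check and a wrong OriginalFilename would silently become dead weight rather than an error. In `selection_cmd`, `'-i'` and `'-f'` carry no surrounding whitespace, so a command line whose file path merely contains `-i` or `-f` satisfies the check as well; `' -i'` and `' -f'` with a leading space keep the match on the switches themselves.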
--- a/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml @@ -14,10 +14,10 @@ logsource: product: windows detection: selection: - - Image|endswith: \fsianycpu.exe - - OriginalFileName: fsianycpu.exe - - Image|endswith: \fsi.exe - - OriginalFileName: fsi.exe + - Image|endswith: '\fsianycpu.exe' + - OriginalFileName: 'fsianycpu.exe' + - Image|endswith: '\fsi.exe' + - OriginalFileName: 'fsi.exe' condition: selection falsepositives: - Legitimate use by a software developer. diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml b/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml index 7362fda51..54f1fade6 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml @@ -12,7 +12,7 @@ logsource: product: windows detection: selection: - Image|endswith: \pcalua.exe + Image|endswith: '\pcalua.exe' CommandLine|contains: ' -a' # No space after the flag because it accepts anything as long as there a "-a" condition: selection falsepositives: diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_pktmon.yml b/rules/windows/process_creation/proc_creation_win_lolbin_pktmon.yml index 03ff6c151..3f049184e 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_pktmon.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_pktmon.yml @@ -11,8 +11,8 @@ logsource: product: windows detection: selection: - - Image|endswith: PktMon.exe - - OriginalFileName: PktMon.exe + - Image|endswith: 'PktMon.exe' + - OriginalFileName: 'PktMon.exe' condition: selection falsepositives: - Legitimate use diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml b/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml index b67d12378..2c7e3e456 100644 
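Review bot: In the pktmon hunk `Image|endswith: 'PktMon.exe'` has no leading backslash, so it also matches any image whose name merely ends in those characters, unlike the `'\forfiles.exe'`-style entries used elsewhere in this commit; the quoting pass is a good moment to write `'\PktMon.exe'`. The same applies to `'ttdinject.exe'` in the ttdinject hunk on the next line and to `Image|endswith: 'reg.exe'` in the new `proc_creation_win_reg_add_safeboot.yml` rule further down, where the reg_defender_exclusion hunk immediately after it already uses `'\reg.exe'`.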
--- a/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml @@ -12,8 +12,8 @@ logsource: product: windows detection: selection: - - Image|endswith: \remote.exe - - OriginalFileName: remote.exe + - Image|endswith: '\remote.exe' + - OriginalFileName: 'remote.exe' condition: selection falsepositives: - Approved installs of Windows SDK with Debugging Tools for Windows (WinDbg). diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml b/rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml index 0883160aa..55cd28dcc 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml @@ -11,8 +11,8 @@ logsource: category: process_creation detection: selection: - - Image|endswith: ttdinject.exe - - OriginalFileName: TTDInject.EXE + - Image|endswith: 'ttdinject.exe' + - OriginalFileName: 'TTDInject.EXE' condition: selection falsepositives: - Legitimate use diff --git a/rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml b/rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml index 665232bd3..658c9c1ad 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml @@ -26,7 +26,7 @@ detection: - '\msiexec.exe' - '\mshta.exe' - '\verclsid.exe' - ParentImage|endswith: \wbem\WmiPrvSE.exe + ParentImage|endswith: '\wbem\WmiPrvSE.exe' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_modify_group_policy_settings.yml b/rules/windows/process_creation/proc_creation_win_modify_group_policy_settings.yml index e755f5f89..788134856 100644 
--- a/rules/windows/process_creation/proc_creation_win_modify_group_policy_settings.yml +++ b/rules/windows/process_creation/proc_creation_win_modify_group_policy_settings.yml @@ -14,10 +14,10 @@ logsource: product: windows detection: selection_reg: - - Image|endswith: \reg.exe - - OriginalFileName: reg.exe + - Image|endswith: '\reg.exe' + - OriginalFileName: 'reg.exe' selection_path: - CommandLine|contains: \SOFTWARE\Policies\Microsoft\Windows\System + CommandLine|contains: '\SOFTWARE\Policies\Microsoft\Windows\System' selection_key: CommandLine|contains: - GroupPolicyRefreshTimeDC diff --git a/rules/windows/process_creation/proc_creation_win_mstsc.yml b/rules/windows/process_creation/proc_creation_win_mstsc.yml index f1ebcd170..e7200ba8f 100644 --- a/rules/windows/process_creation/proc_creation_win_mstsc.yml +++ b/rules/windows/process_creation/proc_creation_win_mstsc.yml @@ -13,12 +13,12 @@ logsource: product: windows detection: selection_mstsc_img: - - Image|endswith: \mstsc.exe + - Image|endswith: '\mstsc.exe' - OriginalFileName: 'mstsc.exe' selection_mstsc_cli: CommandLine|contains: ' /v:' selection_cmdkey_img: - - Image|endswith: \cmdkey.exe + - Image|endswith: '\cmdkey.exe' - OriginalFileName: 'cmdkey.exe' selection_cmdkey_cli: CommandLine|contains|all: diff --git a/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml b/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml new file mode 100644 index 000000000..8dedecc69 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml 
@@ -0,0 +1,60 @@
+title: Suspicious Manipulation Of Default Accounts
+id: 5b768e71-86f2-4879-b448-81061cbae951
+status: experimental
+description: Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc
+author: Nasreddine Bencherchali
+references:
+ - https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html
+ - https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/
+date: 2022/09/01
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ Image|endswith:
+ - '\net.exe'
+ - '\net1.exe'
+ selection_user_option:
+ CommandLine|contains: ' user '
+ selection_username:
+ CommandLine|contains:
+ # Note: We need to write the full account name for cases starting with 'admin' to avoid lookups only with the user flag
+ - ' Järjestelmänvalvoja ' # Finish
+ - ' Rendszergazda ' # Hungarian
+ - ' Администратор ' # Russian
+ - ' Administrateur ' # French
+ - ' Administrador ' # Portuguese (Brazil + Portugal) + Spanish
+ - ' Administratör ' # Swedish
+ - ' Administrator ' # English
+ - ' guest '
+ # The cases below are for when an attacker requests the net command via 'cmd /c....'
+ # First in double quotes
+ - ' "Järjestelmänvalvoja" ' # Finish
+ - ' "Rendszergazda" ' # Hungarian
+ - ' "Администратор" ' # Russian
+ - ' "Administrateur" ' # French
+ - ' "Administrador" ' # Portuguese (Brazil + Portugal) + Spanish
+ - ' "Administratör" ' # Swedish
+ - ' "Administrator" ' # English
+ - ' "guest" '
+ # Second in single quotes
+ - " 'Järjestelmänvalvoja' " # Finish
+ - " 'Rendszergazda' " # Hungarian
+ - " 'Администратор' " # Russian
+ - " 'Administrateur' " # French
+ - " 'Administrador' " # Portuguese (Brazil + Portugal) + Spanish
+ - " 'Administratör' " # Swedish
+ - " 'Administrator' " # English
+ - " 'guest' "
+ filter:
+ CommandLine|contains|all:
+ - 'guest'
+ - '/active no'
+ condition: all of selection_* and not filter
+falsepositives:
+ - Some fasle positives could occure with the admin or guest account. It depends on the scripts being used by the admins in your env. If you experience a lot of FP you could reduce the level to medium
+level: high
+tags:
+ - attack.collection
+ - attack.t1560.001
diff --git a/rules/windows/process_creation/proc_creation_win_net_recon.yml b/rules/windows/process_creation/proc_creation_win_net_recon.yml
index 6524390d2..7a57ffdbf 100644
--- a/rules/windows/process_creation/proc_creation_win_net_recon.yml
+++ b/rules/windows/process_creation/proc_creation_win_net_recon.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE
 author: Florian Roth, omkar72, @svch0st, Nasreddine Bencherchali
 date: 2019/01/16
-modified: 2022/08/22
+modified: 2022/09/02
 references:
 - https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
 - https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
@@ -37,6 +37,7 @@ detection:
 - ' administrateurs'
 - 'enterprise admins'
 - 'Exchange Trusted Subsystem'
+ - 'Remote Desktop Users'
 - ' /do' # short for domain
 # Covers 'accounts' flag
 selection_accounts_root:
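Review bot: The `filter` looks for `'/active no'`, but the `net user` switch is written `/active:no`, so as written the filter will rarely match and a routine guest-disable command keeps firing at `level: high`; `'/active:no'` is presumably what was meant, and a comment such as `# disabling the guest account is routine hardening, not a manipulation of interest` would record why it is excluded. The `tags` block maps the rule to `attack.collection` / `attack.t1560.001` (Archive Collected Data: Archive via Utility), which does not describe enabling, disabling or re-passwording built-in accounts; `attack.persistence` with `attack.t1098` (Account Manipulation) is the matching technique, with `attack.t1531` if account-disable cases are meant to be covered. The `falsepositives` entry has two typos, `fasle` → `false` and `occure` → `occur`, and the recurring comment `# Finish` should read `# Finnish`.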
diff --git a/rules/windows/process_creation/proc_creation_win_netsh_allow_port_rdp.yml b/rules/windows/process_creation/proc_creation_win_netsh_allow_port_rdp.yml index c875ca215..f2179507f 100644 --- a/rules/windows/process_creation/proc_creation_win_netsh_allow_port_rdp.yml +++ b/rules/windows/process_creation/proc_creation_win_netsh_allow_port_rdp.yml @@ -4,29 +4,29 @@ status: test description: Detects netsh commands that opens the port 3389 used for RDP, used in Sarwent Malware author: Sander Wiebing references: - - https://labs.sentinelone.com/sarwent-malware-updates-command-detonation/ + - https://labs.sentinelone.com/sarwent-malware-updates-command-detonation/ date: 2020/05/23 modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection1: - CommandLine|contains|all: - - netsh - - firewall add portopening - - tcp 3389 - selection2: - CommandLine|contains|all: - - netsh - - advfirewall firewall add rule - - action=allow - - protocol=TCP - - localport=3389 - condition: 1 of selection* + selection1: + CommandLine|contains|all: + - netsh + - firewall add portopening + - tcp 3389 + selection2: + CommandLine|contains|all: + - netsh + - advfirewall firewall add rule + - action=allow + - protocol=TCP + - localport=3389 + condition: 1 of selection* falsepositives: - - Legitimate administration + - Legitimate administration level: high tags: - - attack.defense_evasion - - attack.t1562.004 + - attack.defense_evasion + - attack.t1562.004 diff --git a/rules/windows/process_creation/proc_creation_win_powershell_amsi_bypass.yml b/rules/windows/process_creation/proc_creation_win_powershell_amsi_bypass.yml index 5a12f4b7d..3b7affa43 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_amsi_bypass.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_amsi_bypass.yml 
@@ -7,18 +7,18 @@ references: - https://twitter.com/mattifestation/status/735261176745988096 - https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120 date: 2018/08/17 -modified: 2021/11/27 +modified: 2022/09/02 logsource: category: process_creation product: windows detection: - selection1: - CommandLine|contains: 'System.Management.Automation.AmsiUtils' - selection2: - CommandLine|contains: 'amsiInitFailed' - condition: all of selection* + selection: + CommandLine|contains: + - 'System.Management.Automation.AmsiUtils' + - 'amsiInitFailed' + condition: selection falsepositives: - - Potential Admin Activity + - Unlikely level: high tags: - attack.defense_evasion diff --git a/rules/windows/process_creation/proc_creation_win_redirect_to_stream.yml b/rules/windows/process_creation/proc_creation_win_redirect_to_stream.yml index 82a9dddce..2d3201046 100644 --- a/rules/windows/process_creation/proc_creation_win_redirect_to_stream.yml +++ b/rules/windows/process_creation/proc_creation_win_redirect_to_stream.yml @@ -12,7 +12,7 @@ logsource: product: windows detection: selection: - Image|endswith: \cmd.exe + Image|endswith: '\cmd.exe' CommandLine|contains|all: - '> ' - ':' diff --git a/rules/windows/process_creation/proc_creation_win_reg_add_safeboot.yml b/rules/windows/process_creation/proc_creation_win_reg_add_safeboot.yml new file mode 100644 index 000000000..e891fb92f --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_reg_add_safeboot.yml 
@@ -0,0 +1,31 @@ +title: Add SafeBoot Keys Via Reg Utility +id: d7662ff6-9e97-4596-a61d-9839e32dee8d +related: + - id: fc0e89b5-adb0-43c1-b749-c12a10ec37de + type: similar +status: experimental +description: Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not +references: + - https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/ +author: Nasreddine Bencherchali +date: 2022/09/02 +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Image|endswith: 'reg.exe' + - OriginalFileName: 'reg.exe' + selection_safeboot: + CommandLine|contains: '\SYSTEM\CurrentControlSet\Control\SafeBoot' + selection_flag: + CommandLine|contains: + - ' copy ' + - ' add ' + condition: all of selection* +falsepositives: + - Unlikely +level: high +tags: + - attack.defense_evasion + - attack.t1562.001 diff --git a/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml b/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml index 7885f41d7..49cffb491 100644 --- a/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml +++ b/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml @@ -13,7 +13,7 @@ logsource: product: windows detection: selection: - Image|endswith: \reg.exe + Image|endswith: '\reg.exe' CommandLine|contains: - 'SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' - 'SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths' diff --git a/rules/windows/process_creation/proc_creation_win_reg_defender_tampering.yml b/rules/windows/process_creation/proc_creation_win_reg_defender_tampering.yml index ec4972e4c..95158c6d0 100644 --- a/rules/windows/process_creation/proc_creation_win_reg_defender_tampering.yml +++ b/rules/windows/process_creation/proc_creation_win_reg_defender_tampering.yml 
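Review bot: `selection_img` matches `Image|endswith: 'reg.exe'` without the leading backslash, so any image whose name merely ends in reg.exe (a renamed `something_reg.exe`) also satisfies it; the sibling hunks in this commit (`proc_creation_win_reg_defender_exclusion.yml` on this line, `proc_creation_win_susp_reg_add.yml` further down) anchor on `Image|endswith: '\reg.exe'`, and `proc_creation_win_susp_rasdial_activity.yml` below has the same gap with `'rasdial.exe'`. Change the line to `- Image|endswith: '\reg.exe'` (the `OriginalFileName: 'reg.exe'` exact match is fine as is). The description is also cut off mid-sentence ("...as some security products do not") and should be completed by the author rather than guessed at.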
@@ -12,7 +12,7 @@ logsource: product: windows detection: selection_reg: - Image|endswith: \reg.exe + Image|endswith: '\reg.exe' CommandLine|contains: - 'SOFTWARE\Microsoft\Windows Defender\' - 'SOFTWARE\Policies\Microsoft\Windows Defender\' diff --git a/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml b/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml index 9ef55c3e1..8ef99bb3c 100644 --- a/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml +++ b/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml @@ -1,5 +1,8 @@ title: Delete SafeBoot Keys Via Reg Utility id: fc0e89b5-adb0-43c1-b749-c12a10ec37de +related: + - id: d7662ff6-9e97-4596-a61d-9839e32dee8d + type: similar status: experimental description: Detects execution of "reg.exe" commands with the "delete" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products references: diff --git a/rules/windows/process_creation/proc_creation_win_reg_lsass_ppl.yml b/rules/windows/process_creation/proc_creation_win_reg_lsass_ppl.yml index 5a2eaee7f..2a0e9d6c8 100644 --- a/rules/windows/process_creation/proc_creation_win_reg_lsass_ppl.yml +++ b/rules/windows/process_creation/proc_creation_win_reg_lsass_ppl.yml @@ -12,7 +12,7 @@ logsource: product: windows detection: selection: - Image|endswith: \reg.exe + Image|endswith: '\reg.exe' CommandLine|contains: 'SYSTEM\CurrentControlSet\Control\Lsa' CommandLine|contains|all: - ' add ' diff --git a/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml b/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml index 4ef863756..fca482d00 100644 --- a/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml +++ b/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml 
@@ -15,7 +15,7 @@ logsource: product: windows detection: selection: - Image|endswith: \reg.exe + Image|endswith: '\reg.exe' CommandLine|contains|all: - 'add ' - 'SYSTEM\CurrentControlSet\Services\' diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml b/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml index 22ca470aa..9d73005a8 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml @@ -14,7 +14,7 @@ detection: Image|endswith: '\rundll32.exe' ParentImage|endswith: '\explorer.exe' filter: - CommandLine|contains: '\shell32.dll,OpenAs_RunDLL' + CommandLine|contains: '\shell32.dll,OpenAs_RunDLL' condition: selection and not filter fields: - Image @@ -23,4 +23,4 @@ falsepositives: - Unknown level: medium tags: - - attack.defense_evasion \ No newline at end of file + - attack.defense_evasion diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml b/rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml index b082d9ad1..d7aab415a 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml @@ -12,7 +12,7 @@ logsource: product: windows detection: selection: - Image|endswith: \rundll32.exe + Image|endswith: '\rundll32.exe' CommandLine|contains: - '-sta ' - '-localserver ' diff --git a/rules/windows/process_creation/proc_creation_win_service_stop.yml b/rules/windows/process_creation/proc_creation_win_service_stop.yml index 93145acf9..c99cdc0b1 100644 --- a/rules/windows/process_creation/proc_creation_win_service_stop.yml +++ b/rules/windows/process_creation/proc_creation_win_service_stop.yml 
@@ -4,7 +4,7 @@ description: Detects a windows service to be stopped status: experimental author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali date: 2019/10/23 -modified: 2022/08/22 +modified: 2022/09/01 tags: - attack.impact - attack.t1489 @@ -22,7 +22,7 @@ detection: - '\net.exe' - '\net1.exe' selection_sc_net_cli: - CommandLine|contains: 'stop' + CommandLine|contains: ' stop ' selection_pwsh: Image|endswith: - '\powershell.exe' diff --git a/rules/windows/process_creation/proc_creation_win_susp_adidnsdump.yml b/rules/windows/process_creation/proc_creation_win_susp_adidnsdump.yml index e685e5f27..920abf901 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_adidnsdump.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_adidnsdump.yml @@ -13,8 +13,8 @@ logsource: product: windows detection: selection: - Image|endswith: \python.exe - CommandLine|contains: adidnsdump + Image|endswith: '\python.exe' + CommandLine|contains: 'adidnsdump' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_susp_cipher.yml b/rules/windows/process_creation/proc_creation_win_susp_cipher.yml index a42c69d63..d957d0a23 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_cipher.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_cipher.yml @@ -13,7 +13,7 @@ logsource: product: windows detection: selection: - Image|endswith: \cipher.exe + Image|endswith: '\cipher.exe' CommandLine|contains: ' /w:' condition: selection falsepositives: diff --git a/rules/windows/process_creation/proc_creation_win_susp_clsid_foldername.yml b/rules/windows/process_creation/proc_creation_win_susp_clsid_foldername.yml new file mode 100644 index 000000000..55e39ac5e --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_susp_clsid_foldername.yml 
@@ -0,0 +1,36 @@ +title: Suspicious CLSID Folder Name In Suspicious Locations +id: 90b63c33-2b97-4631-a011-ceb0f47b77c3 +status: experimental +description: Detects usage of a CLSID folder name located in a suspicious location from the commandline as seen being used in IcedID +author: Nasreddine Bencherchali +references: + - https://twitter.com/Kostastsale/status/1565257924204986369 +date: 2022/09/01 +logsource: + category: process_creation + product: windows +detection: + # Uncomment this section and remove the filter if you want the rule to be more specific to processes + #selection_img: + # Image|endswith: + # - '\rundll32.exe' + selection_folder: + CommandLine|contains: + # Add more suspicious or unexpected paths + - '\AppData\Roaming\' + - '\AppData\Local\Temp\' # This could generate some FP with some installers creating folders with CLSID + selection_clsid: + CommandLine|contains|all: + - '\{' + - '}\' + filter: + Image|contains|all: + - '\{' + - '}\' + condition: all of selection_* and not filter +falsepositives: + - Some FP is expected with some installers +level: medium +tags: + - attack.defense_evasion + - attack.t1027 diff --git a/rules/windows/process_creation/proc_creation_win_susp_cscript_vbs.yml b/rules/windows/process_creation/proc_creation_win_susp_cscript_vbs.yml index 068486647..7b120d39e 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_cscript_vbs.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_cscript_vbs.yml @@ -11,7 +11,7 @@ logsource: product: windows detection: selection: - Image|endswith: \cscript.exe + Image|endswith: '\cscript.exe' CommandLine|contains: '.vbs' condition: selection falsepositives: diff --git a/rules/windows/process_creation/proc_creation_win_susp_explorer.yml b/rules/windows/process_creation/proc_creation_win_susp_explorer.yml index 08a99c7ea..e2bf2c3b8 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_explorer.yml 
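Review bot: `filter` excludes every event whose own `Image` path contains a `\{...}\` segment, which also drops the case where the process itself runs from a CLSID-named folder under the listed AppData paths; that is presumably acceptable because the rule targets the CLSID path passed as an argument, but the trade-off deserves a comment: `# Filter excludes processes whose own path contains a CLSID folder, so the rule only fires on CLSID paths given as arguments`. Separately, `selection_folder` and `selection_clsid` only require that both substrings appear somewhere in the command line, not that the CLSID folder sits under the suspicious path, so a command line naming a Temp path and an unrelated `{GUID}\` elsewhere also matches. `attack.t1027` (obfuscation) is a judgement call for folder-name masquerading; `attack.t1036` may fit better.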
+++ b/rules/windows/process_creation/proc_creation_win_susp_explorer.yml @@ -12,9 +12,9 @@ logsource: product: windows detection: selection: - Image|endswith: \explorer.exe - ParentImage|endswith: \cmd.exe - CommandLine|contains: explorer.exe + Image|endswith: '\explorer.exe' + ParentImage|endswith: '\cmd.exe' + CommandLine|contains: 'explorer.exe' condition: selection falsepositives: - Legitimate explorer.exe run from cmd.exe diff --git a/rules/windows/process_creation/proc_creation_win_susp_findstr_385201.yml b/rules/windows/process_creation/proc_creation_win_susp_findstr_385201.yml index 0a8b8b564..3115ae5c8 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_findstr_385201.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_findstr_385201.yml @@ -11,7 +11,7 @@ logsource: product: windows detection: selection: - Image|endswith: \findstr.exe + Image|endswith: '\findstr.exe' CommandLine|contains: ' 385201' condition: selection falsepositives: diff --git a/rules/windows/process_creation/proc_creation_win_susp_hostname.yml b/rules/windows/process_creation/proc_creation_win_susp_hostname.yml index 1f784ad01..cb9ce8cd4 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_hostname.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_hostname.yml @@ -12,7 +12,7 @@ logsource: product: windows detection: selection: - Image|endswith: \HOSTNAME.EXE + Image|endswith: '\HOSTNAME.EXE' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_susp_instalutil.yml b/rules/windows/process_creation/proc_creation_win_susp_instalutil.yml index 4a01fbe5f..538d0bb28 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_instalutil.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_instalutil.yml 
@@ -13,8 +13,8 @@ logsource: product: windows detection: selection: - Image|endswith: \InstallUtil.exe - Image|contains: Microsoft.NET\Framework + Image|endswith: '\InstallUtil.exe' + Image|contains: 'Microsoft.NET\Framework' CommandLine|contains|all: - '/logfile= ' - '/LogToConsole=false' diff --git a/rules/windows/process_creation/proc_creation_win_susp_machineguid.yml b/rules/windows/process_creation/proc_creation_win_susp_machineguid.yml index 294d70f06..58e39bcea 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_machineguid.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_machineguid.yml @@ -11,7 +11,7 @@ logsource: product: windows detection: selection: - Image|endswith: \reg.exe + Image|endswith: '\reg.exe' CommandLine|contains|all: - 'SOFTWARE\Microsoft\Cryptography' - '/v ' diff --git a/rules/windows/process_creation/proc_creation_win_susp_missing_spaces.yml b/rules/windows/process_creation/proc_creation_win_susp_missing_spaces.yml index 55e05ebf2..40dd12e69 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_missing_spaces.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_missing_spaces.yml @@ -7,7 +7,7 @@ references: - https://twitter.com/cyb3rops/status/1562072617552678912 - https://ss64.com/nt/cmd.html date: 2022/08/23 -modified: 2022/08/28 +modified: 2022/08/31 tags: - attack.execution - attack.t1059.001 @@ -50,6 +50,7 @@ detection: filter_falsepositives: - CommandLine|contains: 'AppData\Local\Programs\Microsoft VS Code\resources\app\node_modules' - CommandLine|endswith: 'cmd.exe/c .' + - CommandLine: 'cmd.exe /c' condition: 1 of selection* and not 1 of filter* falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_susp_net_use.yml b/rules/windows/process_creation/proc_creation_win_susp_net_use.yml new file mode 100644 index 000000000..405c01968 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_susp_net_use.yml 
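Review bot: The new filter entry `- CommandLine: 'cmd.exe /c'` is an exact-value match (no modifier), unlike the `contains`/`endswith` entries beside it, so it suppresses only a command line that is literally `cmd.exe /c` with nothing else; variants with extra or trailing whitespace still fire. If the narrow match is intended (it reads like a specific observed benign invocation), record that inline: `- CommandLine: 'cmd.exe /c'  # exact match on purpose: bare invocation with no payload`; otherwise `CommandLine|endswith: 'cmd.exe /c'` would be the consistent form. The selections and the earlier filters start before this hunk.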
@@ -0,0 +1,34 @@ +title: Suspicious Net Use Command Combo +id: f0507c0f-a3a2-40f5-acc6-7f543c334993 +status: experimental +description: Detects net use command combo which executes files from WebDAV server; seen in malicious LNK files +author: pH-T +references: + - https://twitter.com/ShadowChasing1/status/1552595370961944576 + - https://www.virustotal.com/gui/file/a63376ee1dba76361df73338928e528ca5b20171ea74c24581605366dcaa0104/behavior +date: 2022/09/01 +logsource: + category: process_creation + product: windows +detection: + image: + Image|contains: '\cmd.exe' + selection_base: + CommandLine|contains|all: + - ' net use http' + - '& start /b ' + - '\DavWWWRoot\' + selection_ext: + CommandLine|contains: + - '.exe ' + - '.dll ' + - '.bat ' + - '.vbs ' + - '.ps1 ' + condition: image and all of selection* +falsepositives: + - Unknown +level: high +tags: + - attack.execution + - attack.t1059.001 diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_download_iex.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_download_iex.yml index 419b5624a..4d8a6f5ba 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_powershell_download_iex.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_download_iex.yml @@ -1,11 +1,13 @@ title: PowerShell Web Download and Execution id: 85b0b087-eddf-4a2b-b033-d771fa2b9775 status: experimental -description: Detects suspicious ways to download files or content using PowerShell +description: Detects suspicious ways to download files or content and execute them using PowerShell author: Florian Roth date: 2022/03/24 +modified: 2022/09/02 tags: - - attack.t1546.013 + - attack.execution + - attack.t1059 references: - https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd logsource: 
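Review bot: Every entry in `selection_ext` requires a trailing space (`'.exe '`, `'.dll '`, ...), so a command line where the file path is the final token — nothing after the extension — fails this selection even though `selection_base` matches. Either drop the trailing spaces or add a second `CommandLine|endswith:` list with the bare extensions. Also, `image:` uses `Image|contains: '\cmd.exe'` where the rest of this commit standardises on `Image|endswith: '\cmd.exe'`, and its name breaks the `selection_*` convention used for the other two selections (the condition names it explicitly so it works, but `selection_img` would read consistently).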
@@ -16,6 +18,7 @@ detection: CommandLine|contains: - '.DownloadString(' - '.DownloadFile(' + - 'Invoke-WebRequest ' execution: CommandLine|contains: - 'IEX(' @@ -23,7 +26,7 @@ detection: - 'I`EX' - 'IE`X' - 'I`E`X' - - ' | IEX' + - '| IEX' - '|IEX ' - 'Invoke-Execution' - ';iex $' diff --git a/rules/windows/process_creation/proc_creation_win_susp_print.yml b/rules/windows/process_creation/proc_creation_win_susp_print.yml index cdce6db20..d7f8dfc8e 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_print.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_print.yml @@ -13,13 +13,13 @@ logsource: product: windows detection: selection: - Image|endswith: \print.exe - CommandLine|startswith: print + Image|endswith: '\print.exe' + CommandLine|startswith: 'print' CommandLine|contains|all: - - /D - - .exe + - '/D' + - '.exe' filter_print: - CommandLine|contains: print.exe + CommandLine|contains: 'print.exe' condition: selection and not filter_print falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_susp_rasdial_activity.yml b/rules/windows/process_creation/proc_creation_win_susp_rasdial_activity.yml index 0be3e83c4..f8284b9e4 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_rasdial_activity.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_rasdial_activity.yml @@ -12,7 +12,7 @@ logsource: product: windows detection: selection: - Image|endswith: rasdial.exe + Image|endswith: 'rasdial.exe' condition: selection falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment diff --git a/rules/windows/process_creation/proc_creation_win_susp_reg_add.yml b/rules/windows/process_creation/proc_creation_win_susp_reg_add.yml index 27f52bcaa..e0764e923 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_reg_add.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_reg_add.yml 
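Review bot: `'Invoke-WebRequest '` (trailing space) in the download selection does not cover the cmdlet's built-in aliases (`iwr`, and `curl`/`wget` inside PowerShell) nor the cmdlet followed by a backtick line continuation instead of a space, so the added coverage is narrower than the retitled rule suggests; `'Invoke-WebRequest'` without the space is at least no worse, and the aliases deserve either entries or a comment stating they are intentionally left to another rule. In the second hunk, `'| IEX'` now catches a pipe with a space after it, but a pipe with no space on either side and nothing after (`|iex` at end of line) is still outside both `'| IEX'` and `'|IEX '` — hedged, since the execution list continues past the hunk.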
@@ -13,8 +13,8 @@ logsource: product: windows detection: selection_reg: - - Image|endswith: \reg.exe - - OriginalFileName: reg.exe + - Image|endswith: '\reg.exe' + - OriginalFileName: 'reg.exe' selection_path: CommandLine|contains: - '\Software\AppDataLow\Software\Microsoft\' diff --git a/rules/windows/process_creation/proc_creation_win_susp_rundll32_activity.yml b/rules/windows/process_creation/proc_creation_win_susp_rundll32_activity.yml index da194c306..0f6cb9324 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_rundll32_activity.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_rundll32_activity.yml @@ -11,7 +11,7 @@ references: - https://twitter.com/eral4m/status/1479106975967240209 # scrobj.dll,GenerateTypeLib - https://twitter.com/eral4m/status/1479080793003671557 # shimgvw.dll,ImageView_Fullscreen date: 2019/01/16 -modified: 2022/08/19 +modified: 2022/08/30 logsource: category: process_creation product: windows @@ -84,7 +84,10 @@ detection: - 'http' filter: CommandLine|contains: 'shell32.dll,Control_RunDLL desk.cpl,screensaver,@screensaver' - condition: selection and not filter + filter_parent: # Settings + ParentImage: 'C:\Windows\System32\control.exe' + ParentCommandLine|contains: '.cpl' + condition: selection and not 1 of filter* falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment level: medium diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml b/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml index 58b736101..2abc0aaa4 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml 
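Review bot: `filter_parent` matches `ParentImage: 'C:\Windows\System32\control.exe'` as an exact path, so a non-default system root or the `SysWOW64` copy of control.exe is not filtered and keeps firing, while the rest of this commit anchors images with `|endswith`; `ParentImage|endswith: '\control.exe'` is the consistent form. Note also that the exemption covers any rundll32 whose parent is control.exe with `.cpl` anywhere in its command line, regardless of where that .cpl lives, so the `# Settings` comment should state what is excluded and why: `filter_parent: # Control Panel applets: control.exe spawns rundll32 with a .cpl argument`. The selection this filter applies to starts before the hunk.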
@@ -2,28 +2,31 @@ title: Disable Important Scheduled Task id: 9ac94dc8-9042-493c-ba45-3b5e7c86b980 status: experimental description: Adversaries may stop services or processes in order to conduct Data Destruction or Data Encrypted for Impact on the data stores of services like Exchange, SQL Server...etc. -author: frack113 +author: frack113, Nasreddine Bencherchali references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task - https://twitter.com/MichalKoczwara/status/1553634816016498688 - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ date: 2021/12/26 -modified: 2022/08/01 +modified: 2022/09/02 logsource: category: process_creation product: windows detection: schtasks_exe: - Image|endswith: \schtasks.exe + Image|endswith: '\schtasks.exe' CommandLine|contains|all: - - /Change - - /TN - - /disable + - '/Change' + - '/TN' + - '/disable' #split to add other CommandLine|contains: - 'Microsoft\Windows\SystemRestore\SR' - 'Microsoft\Windows\Windows Defender\' - 'Microsoft\Windows\BitLocker' + - 'Microsoft\Windows\WindowsBackup\' + - 'Microsoft\Windows\WindowsUpdate\' + - 'Microsoft\Windows\UpdateOrchestrator\' - 'Windows\ExploitGuard' condition: all of schtasks_* falsepositives: diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type.yml b/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type.yml new file mode 100644 index 000000000..e34973df4 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type.yml 
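Review bot: The `#split to add other` comment on the second `CommandLine|contains:` block does not say what the split is for; since the same selection already carries `CommandLine|contains|all:` for the flags, the separate key exists so the task paths are OR-ed independently of the AND-ed flags, and the comment should say so: `# Separate contains list: any one of these task paths, combined with all of the flags above`. Style: the list now mixes trailing-backslash entries (`'Microsoft\Windows\WindowsBackup\'`) with bare prefixes (`'Microsoft\Windows\BitLocker'`, `'Windows\ExploitGuard'`); the bare forms also match longer task names that merely start with that prefix, which may be intended but is worth stating. `falsepositives` and `level` follow outside the hunk.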
@@ -0,0 +1,34 @@ +title: Suspicious Schtasks Schedule Type +id: 7a02e22e-b885-4404-b38b-1ddc7e65258a +description: Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type +status: experimental +references: + - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change + - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create +tags: + - attack.execution + - attack.t1053.005 +author: Nasreddine Bencherchali +date: 2022/08/31 +logsource: + product: windows + category: process_creation +detection: + selection_img: + - Image|endswith: '\schtasks.exe' + - OriginalFileName: 'schtasks.exe' + selection_time: + CommandLine|contains: + - ' ONLOGON ' + - ' ONSTART ' + - ' ONCE ' + - ' ONIDLE ' + selection_privs: + CommandLine|contains: + - 'NT AUT' # This covers the usual NT AUTHORITY\SYSTEM + - ' SYSTEM' # SYSTEM is a valid value for schtasks hence it gets it's own value with space + - 'HIGHEST' + condition: all of selection_* +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/proc_creation_win_susp_service_stop.yml b/rules/windows/process_creation/proc_creation_win_susp_service_stop.yml new file mode 100644 index 000000000..120b97e89 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_susp_service_stop.yml 
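Review bot: `' SYSTEM'` in `selection_privs` is anchored only by a leading space, so any argument token beginning with "system" (a task or script name such as ` SystemUpdate`; Sigma matching is case-insensitive) satisfies the privilege selection, making the rule broader than the `/RU SYSTEM` it is after; `'/RU SYSTEM'`-style entries would be tighter if the command forms seen in telemetry permit it (hedged — I cannot see what this was tuned on). Conversely each `selection_time` entry needs a trailing space (`' ONLOGON '`), so a schedule type given as the final argument is missed. The comment on the SYSTEM line also has a typo; suggest `# SYSTEM is a valid value for schtasks hence it gets its own entry with a leading space`.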
@@ -0,0 +1,319 @@ +title: Suspicious Stop Windows Service +id: ce72ef99-22f1-43d4-8695-419dcb5d9330 +related: + - id: eb87818d-db5d-49cc-a987-d5da331fbd90 + type: derived +description: Detects the usage of one of the the commands to stop services such as 'net', 'sc'...etc in order to stop critical or important windows services such as AV, Backup...etc. As seen being used in some ransomware scripts +status: experimental +author: Nasreddine Bencherchali +references: + - https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg + - https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html +date: 2022/09/01 +tags: + - attack.defense_evasion + - attack.t1489 +logsource: + category: process_creation + product: windows +detection: + selection_sc_net_img: + - OriginalFileName: + - 'sc.exe' + - 'net.exe' + - 'net1.exe' + - Image|endswith: + - '\sc.exe' + - '\net.exe' + - '\net1.exe' + selection_sc_net_cli: + CommandLine|contains: ' stop ' + selection_pwsh: + Image|endswith: + - '\powershell.exe' + - '\pwsh.exe' + CommandLine|contains: 'Stop-Service ' + services: + CommandLine|contains: + - 'VSS' + - 'HealthTLService' + - 'ThreatLockerService' + - '"Veritas System Recovery"' + - 'EPlntegrationService' + - 'EPRedline' + - '"Client Agent 7.60"' + - 'SQLAgent$SVSTEM_BGC' + - '"Sophos Device Control Service"' + - '"Zoolz 2 Service"' + - '"Sophos AutoUpdate Service"' + - '"Sophos System Protection Service"' + - 'POVFSService' + - 'MSSQLFDLauncherSTPSAMA' + - '"Symantec System Recovery"' + - 'Antivirus' + - '"Sophos Health Service"' + - 'MSSQLFDLauncherSTPS' + - 'AcrSch2Svc' + - 'MSSQLSSVSTEM_BGC' + - 'MSSQLFDLauncherSPROFXENGAGEMENT' + - 'SQLAgentSTPS' + - '"Sophos Message Router"' + - 'MSSQLFDLauncher$S8SMONITORING' + - 'MySQL80' + - 'MSSQLSECWDB2' + - 'MSSQLWEEAMSQL2008R2' + - '"Sophos 
Clean Service"' + - '"Sophos Web Control Service"' + - 'EhttpSry' + - 'MSOLAPSTPSAMA' + - '"Veeam Backup Catalog Data Service"' + - 'MSSQLSSBSMONITORIMG' + - 'AcronisAgent' + - 'MySQLS7' + - 'UTODetect' + - 'MSSQLFOLauncherSSVSTEM_BGC' + - 'MSSQLSBKUPEXEC' + - 'SQLAgentSPRACTTICEBGC' + - '"Sophos MCS Client"' + - 'BackupExeclobEngine' + - 'SQLAgentSVEEAMSQL2008R2' + - '143Svc' + - '"SQLsafe Backup Service"' + - 'SQLAgentSCXDB' + - '"Sophos Safestore Service"' + - 'svcienericHost' + - 'MSSQLSTPSAMA' + - 'SQLAgentSCITRIX_METAFRAME' + - 'WeanClOudSve' + - '"Sophos File Scanner Service"' + - '"Sophos Agent"' + - 'M8EndpointAgent' + - 'mSSQLSFRACTICEMGT' + - 'SQLAgentSTPSAMA' + - 'McAfeeframework' + - '"Enterprise Client Service"' + - 'SQLAgentSSBSMONITORING' + - 'MSSQLSVEEAMSQL2012' + - 'SQ1SafeOLRService' + - 'VeeamEnterpriseHanagerSvc' + - 'SQLAgentSSQL EXPRESS' + - 'MSSQ!I.SPROFXENGAGEMEHT' + - 'IMANSVC' + - 'ARSM' + - 'MSSQLFOLavocher' + - 'MSExchangeMIA' + - 'TruekeyScheduler' + - 'MSSQ0SOPHOS' + - '"SQL Backups"' + - 'MSSQLSTPS' + - 'Weems JY' + - 'MSSQ0SHAREPOINT' + - 'mfevto' + - 'msftesq1SPROO' + - 'wozyprobackup' + - 'MSSQLSSQL_2008' + - 'MSSQLSSQLEXPRESS' + - 'MSSQLSPRACTTICEBGE' + - 'VeeamRISTSvc' + - 'HMS' + - '"Sophos MCS Agent"' + - '"Acronis VSS Provider"' + - 'MSSQLSVIEAMSQL2008112' + - 'HISSQLFDLauncherSSHAREPOINIT' + - '"SQLsafe Filter Service"' + - 'MSSQLSPROO' + - 'SQLAgentSPROO' + - 'MSOLAPSTPS' + - 'VeemaDep/oySvc' + - '"SQL Server (MSSQLSERVER)"' + - '"SQL Server (SQLEXPRESS)' + - 'BackupExecAgentAccelerator' + - 'McAfeeEngineService' + - 'BackupExecAgentBrowser' + - 'McAfeeFramework' + - 'BackupExecDeviceMediaService' + - 'McAfeeFrameworkMcAfeeFramework' + - 'BackupExecJobEngine' + - 'McTaskManager' + - 'BackupExecManagementService' + - 'mfemms' + - 'BackupExecRPCService' + - 'mfevtp' + - 'BackupExecVSSProvider' + - 'MMS' + - 'bedbg' + - 'mozyprobackup' + - 'DCAgent' + - 'MsDtsServer' + - 'MsDtsServer100' + - 'MsDtsServer110' + - 
'EraserSvc11710' + - 'MSExchangeES' + - 'EsgShKernel' + - 'MSExchangeIS' + - 'FA_Scheduler' + - 'MSExchangeMGMT' + - 'IISAdmin' + - 'MSExchangeMTA' + - 'IMAP4Svc' + - 'MSExchangeSA' + - 'macmnsvc' + - 'MSExchangeSRS' + - 'masvc' + - 'MSOLAP$SQL_2008' + - 'MBAMService' + - 'MSOLAP$SYSTEM_BGC' + - 'MBEndpointAgent' + - 'MSOLAP$TPS' + - 'McShield' + - 'MSSQLSERVER' + - 'MSSQL$ECWDB2' + - 'MSSQLServerADHelper100' + - 'MSSQL$PRACTICEMGT' + - 'MSSQLServerOLAPService' + - 'MSSQL$PRACTTICEBGC' + - 'MySQL57' + - 'MSSQL$PROFXENGAGEMENT' + - 'ntrtscan' + - 'MSSQL$SBSMONITORING' + - 'OracleClientCache80' + - 'MSSQL$SHAREPOINT' + - 'PDVFSService' + - 'MSSQL$SQL_2008' + - 'POP3Svc' + - 'MSSQL$SYSTEM_BGC' + - 'ReportServer' + - 'MSSQL$TPS' + - 'ReportServer$SQL_2008' + - 'MSSQL$TPSAMA' + - 'ReportServer$SYSTEM_BGC' + - 'ReportServer$TPS' + - 'MSSQL$VEEAMSQL2012' + - 'ReportServer$TPSAMA' + - 'MSSQLFDLauncher' + - 'RESvc' + - 'MSSQLFDLauncher$PROFXENGAGEMENT' + - 'sacsvr' + - 'MSSQLFDLauncher$SBSMONITORING' + - 'MSSQLFDLauncher$SHAREPOINT' + - 'SamSs' + - 'MSSQLFDLauncher$SQL_2008' + - 'SAVAdminService' + - 'MSSQLFDLauncher$SYSTEM_BGC' + - 'SAVService' + - 'MSOLAP$TPSAMA' + - 'MSSQLFDLauncher$TPS' + - 'MSSQL$BKUPEXEC' + - 'MSSQLFDLauncher$TPSAMA' + - 'Smcinst' + - 'SQLTELEMETRY$ECWDB2' + - 'SmcService' + - 'SQLWriter' + - 'SMTPSvc' + - 'SstpSvc' + - 'SNAC' + - 'svcGenericHost' + - 'SntpService' + - 'swi_filter' + - 'sophossps' + - 'swi_service' + - 'SQLAgent$BKUPEXEC' + - 'swi_update_64' + - 'SQLAgent$ECWDB2' + - 'TmCCSF' + - 'SQLAgent$PRACTTICEBGC' + - 'tmlisten' + - 'SQLAgent$PRACTTICEMGT' + - 'TrueKey' + - 'SQLAgent$PROFXENGAGEMENT' + - 'TrueKeyScheduler' + - 'SQLAgent$SBSMONITORING' + - 'TrueKeyServiceHelper' + - 'SQLAgent$SHAREPOINT' + - 'SQLAgent$SQL_2008' + - 'UI0Detect' + - 'SQLAgent$SYSTEM_BGC' + - 'SQLAgent$TPS' + - 'VeeamBackupSvc' + - 'SQLAgent$TPSAMA' + - 'VeeamBrokerSvc' + - 'SQLAgent$VEEAMSQL2012' + - 'VeeamCatalogSvc' + - 'SQLBrowser' + - 'VeeamCloudSvc' + - 
'SDRSVC' + - 'SQLSafeOLRService' + - 'SepMasterService' + - 'SQLSERVERAGENT' + - 'ShMonitor' + - 'SQLTELEMETRY' + - 'VeeamDeploymentService' + - 'NetMsmqActivator' + - 'VeeamDeploySvc' + - 'EhttpSrv' + - 'VeeamEnterpriseManagerSvc' + - 'ekrn' + - 'VeeamMountSvc' + - 'ESHASRV' + - 'VeeamNFSSvc' + - 'MSSQL$SOPHOS' + - 'VeeamRESTSvc' + - 'SQLAgent$SOPHOS' + - 'VeeamTransportSvc' + - 'AVP' + - 'W3Svc' + - 'klnagent' + - 'MSSQL$SQLEXPRESS' + - 'WRSVC' + - 'SQLAgent$SQLEXPRESS' + - 'wbengine' + - 'MSSQL$VEEAMSQL2008R2' + - 'kavfsslp' + - 'SQLAgent$VEEAMSQL2008R2' + - 'VeeamHvIntegrationSvc' + - 'KAVFSGT' + - 'swi_update' + - 'KAVFS' + - 'SQLAgent$CXDB' + - 'mfefire' + - 'SQLAgent$CITRIX_METAFRAME' + - '“SQL Backups”' + - '“avast! Antivirus”' + - 'MSSQL$PROD' + - 'aswBcc' + - '“Zoolz 2 Service”' + - '“Avast Business Console Client Antivirus Service”' + - 'MSSQLServerADHelper' + - 'mfewc' + - 'SQLAgent$PROD' + - 'Telemetryserver' + - 'msftesql$PROD' + - 'WdNisSvc' + - 'WinDefend' + - 'MCAFEETOMCATSRV530' + - 'MCAFEEEVENTPARSERSRV' + - 'MSSQLFDLauncher$ITRIS' + - 'MSSQL$EPOSERVER' + - 'MSSQL$ITRIS' + - 'SQLAgent$EPOSERVER' + - 'SQLAgent$ITRIS' + - 'SQLTELEMETRY$ITRIS' + - 'SentinelHelperService' + - 'MsDtsServer130' + - 'LogProcessorService' + - 'SSISTELEMETRY130' + - 'EPUpdateService' + - 'MSSQLLaunchpad$ITRIS' + - 'TmPfw' + - 'BITS' + - 'SentinelAgent' + - 'BrokerInfrastructure' + - 'EPProtectedService' + - 'epag' + - 'epredline' + - 'EPIntegrationService' + - 'EPSecurityService' + condition: services and (all of selection_sc_net* or selection_pwsh) +falsepositives: + - Administrator or tools shutting down the services due to upgrade or removal purposes. If you experience some FP please consider adding filters to the parent process launching this command and not removing the entry +level: high 
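Review bot: A large part of the `services` list looks transcribed from an image rather than from service names (the first reference is a .jpg): entries such as `'SQLAgent$SVSTEM_BGC'`, `'EPlntegrationService'`, `'svcienericHost'`, `'WeanClOudSve'`, `'VeemaDep/oySvc'`, `'MSSQ!I.SPROFXENGAGEMEHT'`, `'Weems JY'`, `'msftesq1SPROO'`, `'143Svc'`, `'UTODetect'` and `'M8EndpointAgent'` are garbled copies of correct entries that appear later in the same list (`'svcGenericHost'`, `'VeeamCloudSvc'`, `'VeeamDeploySvc'`, `'EPIntegrationService'`, `'UI0Detect'`, `'MBEndpointAgent'`), `'"SQL Server (SQLEXPRESS)'` is missing its closing quote, and `'“SQL Backups”'` / `'“Zoolz 2 Service”'` duplicate straight-quoted entries with curly quotes that never occur on a command line. Dead entries cost nothing at runtime but hide the real gaps, so the list should be deduplicated against the actual service names. Very short or generic entries — `'VSS'`, `'HMS'`, `'MMS'`, `'AVP'`, `'BITS'`, `'W3Svc'`, `'IISAdmin'`, `'Antivirus'` — are substrings of routine administrative `net stop` invocations, which sits uneasily with `level: high`. The tag `attack.defense_evasion` is inconsistent with `attack.t1489` (Service Stop is an Impact technique) and with the related `proc_creation_win_service_stop.yml` touched earlier in this commit, which uses `attack.impact`; the description also reads "one of the the".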
diff --git a/rules/windows/process_creation/proc_creation_win_susp_shellexec_rundll_usage.yml b/rules/windows/process_creation/proc_creation_win_susp_shellexec_rundll_usage.yml new file mode 100644 index 000000000..e1c22b98d --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_susp_shellexec_rundll_usage.yml @@ -0,0 +1,27 @@ +title: Suspicious Usage Of ShellExec_rundll +id: d87bd452-6da1-456e-8155-7dc988157b7d +description: Detects suspicious usage of the ShellExec_rundll function to launch other commands as seen in the the raspberry-robin attack +status: experimental +references: + - https://redcanary.com/blog/raspberry-robin/ +author: Nasreddine Bencherchali +date: 2022/09/01 +logsource: + category: process_creation + product: windows +detection: + selection_openasrundll: + CommandLine|contains: ',ShellExec_rundll' + selection_suspcli: + CommandLine|contains: + # Add more LOLBINs and Susp Paths + - 'regsvr32' + - 'C:\Users\Public\' + - 'odbcconf' + - '\Desktop\' + condition: all of selection_* +falsepositives: + - Unknown +level: medium +tags: + - attack.defense_evasion diff --git a/rules/windows/process_creation/proc_creation_win_susp_shutdown.yml b/rules/windows/process_creation/proc_creation_win_susp_shutdown.yml index 952810c5b..49d37234c 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_shutdown.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_shutdown.yml @@ -12,7 +12,7 @@ logsource: product: windows detection: selection: - Image|endswith: \shutdown.exe + Image|endswith: '\shutdown.exe' CommandLine|contains: - '/r ' - '/s ' diff --git a/rules/windows/process_creation/proc_creation_win_susp_spoolsv_child_processes.yml b/rules/windows/process_creation/proc_creation_win_susp_spoolsv_child_processes.yml index 9a9b615ed..3b98d4dd0 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_spoolsv_child_processes.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_spoolsv_child_processes.yml 
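Review bot: The selection named `selection_openasrundll` actually matches `,ShellExec_rundll`, so the name refers to a different shell32 export (OpenAs_RunDLL) and will mislead the next reader; rename it to `selection_shellexec` — nothing else changes, since the condition uses `all of selection_*`. `'\Desktop\'` in `selection_suspcli` is a very broad "suspicious path" next to `'C:\Users\Public\'`, and the `# Add more LOLBINs and Susp Paths` comment should state the intent: `# Any one of these in the same command line as ShellExec_rundll: LOLBIN names and user-writable paths`. The tags carry only `attack.defense_evasion` with no technique-level tag, unlike the other new rules in this commit, and the description repeats "the the".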
@@ -17,56 +17,56 @@ logsource:
product: windows
detection:
spoolsv:
- ParentImage|endswith: \spoolsv.exe
+ ParentImage|endswith: '\spoolsv.exe'
IntegrityLevel: System
suspicious_unrestricted:
Image|endswith:
- - \gpupdate.exe
- - \whoami.exe
- - \nltest.exe
- - \taskkill.exe
- - \wmic.exe
- - \taskmgr.exe
- - \sc.exe
- - \findstr.exe
- - \curl.exe
- - \wget.exe
- - \certutil.exe
- - \bitsadmin.exe
- - \accesschk.exe
- - \wevtutil.exe
- - \bcdedit.exe
- - \fsutil.exe
- - \cipher.exe
- - \schtasks.exe
- - \write.exe
- - \wuauclt.exe
+ - '\gpupdate.exe'
+ - '\whoami.exe'
+ - '\nltest.exe'
+ - '\taskkill.exe'
+ - '\wmic.exe'
+ - '\taskmgr.exe'
+ - '\sc.exe'
+ - '\findstr.exe'
+ - '\curl.exe'
+ - '\wget.exe'
+ - '\certutil.exe'
+ - '\bitsadmin.exe'
+ - '\accesschk.exe'
+ - '\wevtutil.exe'
+ - '\bcdedit.exe'
+ - '\fsutil.exe'
+ - '\cipher.exe'
+ - '\schtasks.exe'
+ - '\write.exe'
+ - '\wuauclt.exe'
suspicious_net:
- Image|endswith: \net.exe
+ Image|endswith: '\net.exe'
suspicious_net_filter:
- CommandLine|contains: start
+ CommandLine|contains: 'start'
suspicious_cmd:
- Image|endswith: \cmd.exe
+ Image|endswith: '\cmd.exe'
suspicious_cmd_filter:
CommandLine|contains:
- - .spl
- - route add
- - program files
+ - '.spl'
+ - 'route add'
+ - 'program files'
suspicious_netsh:
- Image|endswith: \netsh.exe
+ Image|endswith: '\netsh.exe'
suspicious_netsh_filter:
CommandLine|contains:
- 'add portopening'
- 'rule name'
suspicious_powershell:
Image|endswith:
- - \powershell.exe
- - \pwsh.exe
+ - '\powershell.exe'
+ - '\pwsh.exe'
suspicious_powershell_filter:
- CommandLine|contains: .spl
+ CommandLine|contains: '.spl'
suspicious_rundll32:
- Image|endswith: \rundll32.exe
- CommandLine|endswith: rundll32.exe
+ Image|endswith: '\rundll32.exe'
+ CommandLine|endswith: 'rundll32.exe'
condition:
spoolsv and (
suspicious_unrestricted or (suspicious_net and not suspicious_net_filter)
diff --git a/rules/windows/process_creation/proc_creation_win_susp_systeminfo.yml b/rules/windows/process_creation/proc_creation_win_susp_systeminfo.yml
index 714c41b07..c3b5569b2 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_systeminfo.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_systeminfo.yml
@@ -13,8 +13,8 @@ logsource:
product: windows
detection:
selection:
- - Image|endswith: \systeminfo.exe
- - OriginalFileName: sysinfo.exe
+ - Image|endswith: '\systeminfo.exe'
+ - OriginalFileName: 'sysinfo.exe'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_susp_tasklist_command.yml b/rules/windows/process_creation/proc_creation_win_susp_tasklist_command.yml
index 524acbcc1..24ee1274f 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_tasklist_command.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_tasklist_command.yml
@@ -11,8 +11,8 @@ logsource:
product: windows
detection:
selection:
- - CommandLine|contains: tasklist
- - Image|endswith: \tasklist.exe
+ - CommandLine|contains: 'tasklist'
+ - Image|endswith: '\tasklist.exe'
- OriginalFileName: 'tasklist.exe'
condition: selection
falsepositives:
diff --git a/rules/windows/process_creation/proc_creation_win_trufflesnout.yml b/rules/windows/process_creation/proc_creation_win_trufflesnout.yml
index 2d9b9503e..30f854856 100644
--- a/rules/windows/process_creation/proc_creation_win_trufflesnout.yml
+++ b/rules/windows/process_creation/proc_creation_win_trufflesnout.yml
@@ -12,8 +12,8 @@ logsource:
product: windows
detection:
selection:
- - OriginalFileName: TruffleSnout.exe
- - Image|endswith: \TruffleSnout.exe
+ - OriginalFileName: 'TruffleSnout.exe'
+ - Image|endswith: '\TruffleSnout.exe'
condition: selection
falsepositives:
- Legitimate use
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml
index 157547676..74c0dfa64 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml
@@ -8,7 +8,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.003/T1218.003.md
- https://lolbas-project.github.io/lolbas/Binaries/Cmstp/
date: 2019/10/24
-modified: 2022/05/16
+modified: 2022/08/30
logsource:
category: process_creation
product: windows
@@ -19,8 +19,11 @@ detection:
selection_cli:
CommandLine|contains:
- '/s'
+ - '-s'
- '/au'
+ - '-au'
- '/ni'
+ - '-ni'
condition: all of selection*
fields:
- ComputerName
diff --git a/rules/windows/process_creation/proc_creation_win_webbrowserpassview.yml b/rules/windows/process_creation/proc_creation_win_webbrowserpassview.yml
index 9a1557497..dd964b0e8 100644
--- a/rules/windows/process_creation/proc_creation_win_webbrowserpassview.yml
+++ b/rules/windows/process_creation/proc_creation_win_webbrowserpassview.yml
@@ -12,7 +12,7 @@ logsource:
detection:
selection:
- Description: 'Web Browser Password Viewer'
- - Image|endswith: \WebBrowserPassView.exe
+ - Image|endswith: '\WebBrowserPassView.exe'
condition: selection
falsepositives:
- Legitimate use
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_reconnaissance.yml b/rules/windows/process_creation/proc_creation_win_wmic_reconnaissance.yml
index 7cf95a1a5..6ac08e03b 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_reconnaissance.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_reconnaissance.yml
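Review bot: The added `-s`, `-au` and `-ni` values are two- and three-character unanchored `contains` matches, so `'-s'` in particular now trips the rule on any cmstp command line whose INF path merely contains that sequence (e.g. `vpn-setup.inf`), whereas the original `/s` rarely occurs inside a path. Since a switch is always separated from the preceding token by a space, leading with that space — `' -s'`, `' -au'`, `' -ni'` (and the same for the `/` forms) — keeps the dash variants while removing the path overlap. `selection_img` and the top of the `detection` block are outside this hunk.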
@@ -13,17 +13,17 @@ logsource:
product: windows
detection:
selection_img:
- - Image|endswith: \WMIC.exe
+ - Image|endswith: '\WMIC.exe'
- OriginalFileName: 'wmic.exe'
selection_cli:
CommandLine|contains:
- - process
- - qfe
+ - 'process'
+ - 'qfe'
filter:
CommandLine|contains|all:
#rule id 526be59f-a573-4eea-b5f7-f0973207634d for `wmic process call create #{process_to_execute}`
- - call
- - create
+ - 'call'
+ - 'create'
condition: all of selection* and not filter
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_remote_command.yml b/rules/windows/process_creation/proc_creation_win_wmic_remote_command.yml
index 395005d21..1f5ab1965 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_remote_command.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_remote_command.yml
@@ -13,14 +13,14 @@ logsource:
product: windows
detection:
selection_img:
- - Image|endswith: \WMIC.exe
+ - Image|endswith: '\WMIC.exe'
- OriginalFileName: 'wmic.exe'
selection_cli:
CommandLine|contains|all:
- '/node:'
- - process
- - call
- - create
+ - 'process'
+ - 'call'
+ - 'create'
condition: all of selection*
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_remote_service.yml b/rules/windows/process_creation/proc_creation_win_wmic_remote_service.yml
index f9811671d..77249816d 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_remote_service.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_remote_service.yml
@@ -17,12 +17,12 @@ logsource:
product: windows
detection:
selection_img:
- - Image|endswith: \WMIC.exe
+ - Image|endswith: '\WMIC.exe'
- OriginalFileName: 'wmic.exe'
selection_cli:
CommandLine|contains|all:
- '/node:'
- - service
+ - 'service'
condition: all of selection*
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_remove_application.yml b/rules/windows/process_creation/proc_creation_win_wmic_remove_application.yml
index 93b1d543d..24f115923 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_remove_application.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_remove_application.yml
@@ -12,10 +12,10 @@ logsource:
product: windows
detection:
selection_img:
- - Image|endswith: \WMIC.exe
+ - Image|endswith: '\WMIC.exe'
- OriginalFileName: 'wmic.exe'
selection_cli:
- CommandLine|contains: call uninstall
+ CommandLine|contains: 'call uninstall'
condition: all of selection*
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_wscript_shell_cli.yml b/rules/windows/process_creation/proc_creation_win_wscript_shell_cli.yml
new file mode 100644
index 000000000..746b689ec
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_wscript_shell_cli.yml
@@ -0,0 +1,24 @@
+title: Wscript Shell Run In CommandLine
+id: 2c28c248-7f50-417a-9186-a85b223010ee
+status: experimental
+description: Detects the presence of the keywords "Wscript", "Shell" and "Run" in the command, which could indicate a suspicious activity
+author: Nasreddine Bencherchali
+date: 2022/08/31
+references:
+ - http://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html
+tags:
+ - attack.execution
+ - attack.t1059
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - 'Wscript.'
+ - '.Shell'
+ - '.Run'
+ condition: selection
+falsepositives:
+ - Rare legitimate inline scripting by some administrators
+level: high
diff --git a/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml b/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml
index d6d79a612..d6fe350c8 100644
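Review bot: `'Wscript.'` in the new rule's `CommandLine|contains|all` is satisfied by the host binary name `wscript.exe` whenever it appears in a command line, not only by the `WScript.Shell` ProgID the rule is after; with `.Shell` and `.Run` matched anywhere and in any order, `level: high` is generous for three short unordered tokens. Matching the ProgID as a single token — `- 'WScript.Shell'` followed by `- '.Run'` — keeps the behaviour the Talos reference describes while removing the `wscript.exe` path. If the split tokens are deliberate (for instance to survive a dotted concatenation in the script text), a comment above the list should say so, because the description currently reads as a plain keyword match.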
--- a/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml
+++ b/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml
@@ -16,8 +16,8 @@ detection:
Details: DWORD (0x00000001)
condition: selection
falsepositives:
- - Unknown
+ - Legitmate use of the feature (alerts should be investigated either way)
level: medium
tags:
- - attack.defense_evasion
- - attack.t1112
+ - attack.defense_evasion
+ - attack.t1112
diff --git a/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml b/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml
index 2aca01788..e4a73cafd 100644
--- a/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml
+++ b/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml
@@ -15,7 +15,7 @@ logsource:
detection:
selection:
EventType: SetValue
- TargetObject|endswith: \open\command\DelegateExecute
+ TargetObject|endswith: '\open\command\DelegateExecute'
Details: (Empty)
condition: selection
falsepositives:
diff --git a/rules/windows/registry/registry_set/registry_set_disable_administrative_share.yml b/rules/windows/registry/registry_set/registry_set_disable_administrative_share.yml
index 09ee0df1f..3c26e4b6f 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_administrative_share.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_administrative_share.yml
@@ -13,11 +13,11 @@ logsource:
detection:
selection:
EventType: SetValue
- TargetObject|startswith: HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\
+ TargetObject|startswith: 'HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\'
TargetObject|endswith:
- - AutoShareWks
- - AutoShareServer
- Details: DWORD (0x00000000)
+ - 'AutoShareWks'
+ - 'AutoShareServer'
+ Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Unknown
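Review bot: The new falsepositives entry misspells `Legitmate`; it should read `- Legitimate use of the feature (alerts should be investigated either way)`. The context line `Details: DWORD (0x00000001)` is also left unquoted here while every other `DWORD (...)` value touched by this commit is normalised to `'DWORD (0x00000001)'`, so this file ends up inconsistent with its siblings. The `detection`/`selection` block that `Details` belongs to starts above the hunk.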
diff --git a/rules/windows/registry/registry_set/registry_set_disable_defender_firewall.yml b/rules/windows/registry/registry_set/registry_set_disable_defender_firewall.yml
index 532756d32..30c87d624 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_defender_firewall.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_defender_firewall.yml
@@ -16,9 +16,9 @@ detection:
#HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall
#HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall
#HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall
- TargetObject|startswith: HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\
- TargetObject|endswith: \EnableFirewall
- Details: DWORD (0x00000000)
+ TargetObject|startswith: 'HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\'
+ TargetObject|endswith: '\EnableFirewall'
+ Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/registry/registry_set/registry_set_disable_function_user.yml b/rules/windows/registry/registry_set/registry_set_disable_function_user.yml
index 37760557d..3563aa1a2 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_function_user.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_function_user.yml
@@ -15,9 +15,9 @@ detection:
selection_set_1:
EventType: SetValue
TargetObject|endswith:
- - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools'
+ - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools'
- 'SOFTWARE\Policies\Microsoft\Windows\System\DisableCMD'
- - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableTaskmgr'
+ - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskmgr'
- 'SOFTWARE\Policies\Microsoft\Windows\Explorer\DisableNotificationCenter'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableChangePassword'
- 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation'
diff --git a/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml b/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml
index 5de3afd02..e6c0e3d8e 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml
@@ -12,8 +12,8 @@ logsource:
detection:
selection:
EventType: SetValue
- TargetObject|endswith: Windows\CurrentVersion\ImmersiveShell\UseActionCenterExperience
- Details: DWORD (0x00000000)
+ TargetObject|endswith: 'Windows\CurrentVersion\ImmersiveShell\UseActionCenterExperience'
+ Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml b/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml
index 75a52bd13..a0d67a125 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml
@@ -14,9 +14,9 @@ logsource:
detection:
selection:
EventType: SetValue
- TargetObject|startswith: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\
- TargetObject|endswith: \Enabled
- Details: DWORD (0x00000000)
+ TargetObject|startswith: 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\'
+ TargetObject|endswith: '\Enabled'
+ Details: 'DWORD (0x00000000)'
filter_wevutil:
Image|endswith: '\Windows\system32\wevtutil.exe' #FP generated during installation of manifests via wevtutil
filter_iis:
diff --git a/rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml b/rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml
index e755507fe..322cf5715 100644
--- a/rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml
+++ b/rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml
@@ -12,8 +12,8 @@ logsource:
detection:
selection:
EventType: SetValue
- TargetObject|endswith: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun
- Details: DWORD (0x00000001)
+ TargetObject|endswith: 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun'
+ Details: 'DWORD (0x00000001)'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/registry/registry_set/registry_set_hidden_extention.yml b/rules/windows/registry/registry_set/registry_set_hidden_extention.yml
index 116d4acdc..4690ef61e 100644
--- a/rules/windows/registry/registry_set/registry_set_hidden_extention.yml
+++ b/rules/windows/registry/registry_set/registry_set_hidden_extention.yml
@@ -15,12 +15,12 @@ logsource:
detection:
selection_HideFileExt:
EventType: SetValue
- TargetObject|endswith: \SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt
- Details: DWORD (0x00000001)
+ TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt'
+ Details: 'DWORD (0x00000001)'
selection_Hidden:
EventType: SetValue
- TargetObject|endswith: \SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
- Details: DWORD (0x00000002)
+ TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden'
+ Details: 'DWORD (0x00000002)'
condition: 1 of selection_*
falsepositives:
- Administrative scripts
diff --git a/rules/windows/registry/registry_set/registry_set_ie_persistence.yml b/rules/windows/registry/registry_set/registry_set_ie_persistence.yml
index 5a4b3de35..6e9968124 100644
--- a/rules/windows/registry/registry_set/registry_set_ie_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_ie_persistence.yml
@@ -13,9 +13,9 @@ logsource:
detection:
selection_domains:
EventType: SetValue
- TargetObject|contains: \Software\Microsoft\Windows\CurrentVersion\Internet Settings
+ TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
filter_dword:
- Details|startswith: DWORD
+ Details|startswith: 'DWORD'
filter_office:
Details:
- 'Cookie:'
diff --git a/rules/windows/registry/registry_set/registry_set_mal_adwind.yml b/rules/windows/registry/registry_set/registry_set_mal_adwind.yml
index 1b29771e1..27e863f79 100644
--- a/rules/windows/registry/registry_set/registry_set_mal_adwind.yml
+++ b/rules/windows/registry/registry_set/registry_set_mal_adwind.yml
@@ -17,7 +17,7 @@ logsource:
detection:
selection:
EventType: SetValue
- TargetObject|startswith: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ TargetObject|startswith: 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
Details|startswith: '%AppData%\Roaming\Oracle\bin\'
condition: selection
level: high
diff --git a/rules/windows/registry/registry_set/registry_set_office_enable_dde.yml b/rules/windows/registry/registry_set/registry_set_office_enable_dde.yml
index 6413434c0..ddc1c6bf9 100644
--- a/rules/windows/registry/registry_set/registry_set_office_enable_dde.yml
+++ b/rules/windows/registry/registry_set/registry_set_office_enable_dde.yml
@@ -13,16 +13,16 @@ logsource:
detection:
selection_word:
EventType: SetValue
- TargetObject|endswith: \Word\Security\AllowDDE
+ TargetObject|endswith: '\Word\Security\AllowDDE'
Details:
- - DWORD (0x00000001)
- - DWORD (0x00000002)
+ - 'DWORD (0x00000001)'
+ - 'DWORD (0x00000002)'
selection_excel:
EventType: SetValue
TargetObject|endswith:
- - \Excel\Security\DisableDDEServerLaunch
- - \Excel\Security\DisableDDEServerLookup
- Details: DWORD (0x00000000)
+ - '\Excel\Security\DisableDDEServerLaunch'
+ - '\Excel\Security\DisableDDEServerLookup'
+ Details: 'DWORD (0x00000000)'
condition: 1 of selection_*
falsepositives:
- Unknown
diff --git a/rules/windows/registry/registry_set/registry_set_outlook_registry_todaypage.yml b/rules/windows/registry/registry_set/registry_set_outlook_registry_todaypage.yml
index 4570449f0..0d9630a45 100644
--- a/rules/windows/registry/registry_set/registry_set_outlook_registry_todaypage.yml
+++ b/rules/windows/registry/registry_set/registry_set_outlook_registry_todaypage.yml
@@ -17,10 +17,10 @@ detection:
- 'Software\Microsoft\Office\'
- '\Outlook\Today\'
selectionStamp:
- TargetObject|endswith: Stamp
- Details: DWORD (0x00000001)
+ TargetObject|endswith: 'Stamp'
+ Details: 'DWORD (0x00000001)'
selectionUserDefined:
- TargetObject|endswith: UserDefinedUrl
+ TargetObject|endswith: 'UserDefinedUrl'
filter_office:
Image|startswith:
- 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml b/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml
index 7cc7ca808..753f0d395 100644
--- a/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml
+++ b/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml
@@ -7,7 +7,7 @@ references:
- https://attack.mitre.org/techniques/T1546/015/
author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien
date: 2020/04/14
-modified: 2022/08/10
+modified: 2022/09/02
logsource:
category: registry_set
product: windows
@@ -28,6 +28,8 @@ detection:
- '\FileCoAuthLib64.dll'
- '\FileSyncShell64.dll'
- '\FileSyncApi64.dll'
+ filter_health_service:
+ Image: 'C:\WINDOWS\system32\SecurityHealthService.exe'
filter2:
Details|contains|all:
- '\AppData\Local\Microsoft\TeamsMeetingAddin\'
@@ -37,11 +39,11 @@ detection:
- '\AppData\Roaming\Dropbox\'
- '\DropboxExt64.*.dll'
filter4:
- Details|endswith: TmopIEPlg.dll #TrendMicro osce
+ Details|endswith: 'TmopIEPlg.dll' #TrendMicro osce
filter5:
Image:
- - C:\WINDOWS\system32\wuauclt.exe
- - C:\WINDOWS\system32\svchost.exe
+ - 'C:\WINDOWS\system32\wuauclt.exe'
+ - 'C:\WINDOWS\system32\svchost.exe'
filter_defender:
Image|startswith:
- 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
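Review bot: `filter_health_service` excludes every event whose `Image` is `SecurityHealthService.exe` with no constraint on `Details`, so any COM search-order write attributed to that process is dropped regardless of which DLL path it registers, whereas `filter4` pins the DLL name and `filter_poqexec` pins both the image and the DLL. Adding the same kind of constraint here — `Image: 'C:\WINDOWS\system32\SecurityHealthService.exe'` together with `Details|contains: 'C:\Windows\System32\SecurityHealth'` — keeps the suppression for the legitimate self-registration without also hiding a foreign DLL written under that image name. The `selection` this filter negates and the `condition` are outside the hunk.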
@@ -74,6 +76,9 @@ detection:
filter_poqexec:
Image: 'C:\Windows\System32\poqexec.exe'
Details|contains: 'C:\Windows\System32\Autopilot.dll'
+ filter_sec_health_svc:
+ Image: 'C:\Windows\system32\SecurityHealthService.exe'
+ Details|contains: 'C:\Windows\System32\SecurityHealth'
condition: selection and not 1 of filter*
falsepositives:
- Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level
diff --git a/rules/windows/registry/registry_set/registry_set_sophos_av_tamaper.yml b/rules/windows/registry/registry_set/registry_set_sophos_av_tamaper.yml
new file mode 100644
index 000000000..cc87fa1ba
--- /dev/null
+++ b/rules/windows/registry/registry_set/registry_set_sophos_av_tamaper.yml
@@ -0,0 +1,26 @@
+title: Tamper With Sophos AV Registry Keys
+id: 9f4662ac-17ca-43aa-8f12-5d7b989d0101
+description: Detects tamper attempts to sophos av functionality via registry key modification
+author: Nasreddine Bencherchali
+date: 2022/09/02
+status: experimental
+references:
+ - https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ selection:
+ EventType: SetValue
+ TargetObject|contains:
+ - '\Sophos Endpoint Defense\TamperProtection\Config\SAVEnabled'
+ - '\Sophos Endpoint Defense\TamperProtection\Config\SEDEnabled'
+ - '\Sophos\SAVService\TamperProtection\Enabled'
+ Details: DWORD (0x00000000)
+ condition: selection
+falsepositives:
+ - Some FP may occure when the feature is disabled by the AV itself, you should always investigate if the action was legitimate
+level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
diff --git a/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml b/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml
index bb3268bd4..8c09aacb7 100755
--- a/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml
+++ b/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml
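Review bot: `filter_sec_health_svc` is a strict subset of the `filter_health_service` filter this same commit adds higher in the file (Sigma string matching is case-insensitive, so `C:\Windows\system32\...` and `C:\WINDOWS\system32\...` name the same image), so under `not 1 of filter*` it can never change the outcome. Keep this Details-constrained version and drop the Image-only one rather than carrying both; as written, the broader filter silently wins.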
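Review bot: `Details: DWORD (0x00000000)` is the one `DWORD (...)` value in the new Sophos rule left unquoted while the rest of this commit normalises such values to `'DWORD (0x00000000)'`; quote it for consistency. The rule only sees a `SetValue` to zero, so an operator who deletes the `SAVEnabled`/`SEDEnabled`/`Enabled` values instead of zeroing them produces no `registry_set` event; either the description should state that scope or a `registry_delete` sibling is needed. Minor: `occure` in falsepositives and `tamaper` in the file name are typos, and since the three `TargetObject` values are full trailing key paths, `endswith` would express the intent more tightly than `contains`.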
@@ -14,10 +14,10 @@ logsource:
detection:
selection1:
EventType: SetValue
- TargetObject|endswith: Software\Classes\exefile\shell\runas\command\isolatedCommand
+ TargetObject|endswith: 'Software\Classes\exefile\shell\runas\command\isolatedCommand'
selection2:
EventType: SetValue
- TargetObject|endswith: Software\Classes\Folder\shell\open\command\SymbolicLinkValue
+ TargetObject|endswith: 'Software\Classes\Folder\shell\open\command\SymbolicLinkValue'
Details|contains: '-1???\Software\Classes\'
condition: 1 of selection*
falsepositives: