From 8dfe06a33b03c4b2575a93b39dd3431f2e6a10d9 Mon Sep 17 00:00:00 2001 From: Borna Talebi <49802660+bornatalebi@users.noreply.github.com> Date: Wed, 31 Aug 2022 11:35:12 +0430 Subject: [PATCH 01/59] Adding Google Chrome FP
--- .../proc_access_win_susp_proc_access_lsass_susp_source.yml | 4 ++++ 1 file changed, 4 insertions(+)
diff --git a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml
index e84103481..e984d6e97 100644
--- a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml
+++ b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml
@@ -83,6 +83,10 @@ detection:
 - '\AppData\Local\Temp\'
 - '\vs_bootstrapper_'
 GrantedAccess: '0x1410'
+ filter_chrome:
+ SourceImage|startswith: 'C:\Program Files (x86)\Google\Temp\'
+ SourceImage|endswith: '.tmp\GoogleUpdate.exe'
+ GrantedAccess: '0x410'
 condition: selection and not 1 of filter*
 fields:
 - User
From ea183cae1334a985308e4fcb942d853684a2645d Mon Sep 17 00:00:00 2001
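Review bot: `filter_chrome` excludes on the `SourceImage` path and `GrantedAccess` alone, so it rests on the assumption that `C:\Program Files (x86)\Google\Temp\` is writable only by administrators; that assumption is the whole basis of the exclusion and should be recorded on the filter, e.g. `filter_chrome: # GoogleUpdate.exe running from its own temp extraction dir; relies on the path being admin-writable only`. The rule header, including `modified`, is outside the hunk; if the date was not bumped with this change it should be.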
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 31 Aug 2022 09:39:16 +0200 Subject: [PATCH 02/59] Updates+New Rules --- .../win_susp_rtcore64_service_install.yml | 22 ++++++++++++ .../driver_load/driver_load_vuln_drivers.yml | 3 +- .../image_load/image_load_susp_cmstp.yml | 31 +++++++++++++++++ .../net_connection_win_susp_cmstp.yml | 21 ++++++++++++ .../proc_creation_win_apt_ta505_dropper.yml | 26 +++++++------- ...n_win_invoke_obfuscation_via_use_mhsta.yml | 34 +++++++++---------- .../proc_creation_win_uac_bypass_cmstp.yml | 5 ++- .../proc_creation_win_wscript_shell_cli.yml | 24 +++++++++++++ 8 files changed, 134 insertions(+), 32 deletions(-) create mode 100644 rules/windows/builtin/system/win_susp_rtcore64_service_install.yml create mode 100644 rules/windows/image_load/image_load_susp_cmstp.yml create mode 100644 rules/windows/network_connection/net_connection_win_susp_cmstp.yml create mode 100644 rules/windows/process_creation/proc_creation_win_wscript_shell_cli.yml diff --git a/rules/windows/builtin/system/win_susp_rtcore64_service_install.yml b/rules/windows/builtin/system/win_susp_rtcore64_service_install.yml new file mode 100644 index 000000000..24c49ef67 --- /dev/null +++ b/rules/windows/builtin/system/win_susp_rtcore64_service_install.yml 
@@ -0,0 +1,22 @@
+title: RTCore Suspicious Service Installation
+id: 91c49341-e2ef-40c0-ac45-49ec5c3fe26c
+status: experimental
+description: Detects the installation of RTCore service. Which could be an indication of Micro-Star MSI Afterburner vulnerable driver abuse
+author: Nasreddine Bencherchali
+references:
+ - https://github.com/br-sn/CheekyBlinder/blob/e1764a8a0e7cda8a3716aefa35799f560686e01c/CheekyBlinder/CheekyBlinder.cpp
+date: 2022/08/30
+logsource:
+ product: windows
+ service: system
+detection:
+ selection:
+ Provider_Name: 'Service Control Manager'
+ EventID: 7045
+ ServiceName: 'RTCore64'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
+tags:
+ - attack.persistence
diff --git a/rules/windows/driver_load/driver_load_vuln_drivers.yml b/rules/windows/driver_load/driver_load_vuln_drivers.yml
index 01f1a2951..c6c110f56 100644
--- a/rules/windows/driver_load/driver_load_vuln_drivers.yml
+++ b/rules/windows/driver_load/driver_load_vuln_drivers.yml
@@ -7,7 +7,7 @@ references:
 - https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md
 - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules
 date: 2022/08/18
-modified: 2022/08/26
+modified: 2022/08/30
 logsource:
 product: windows
 category: driver_load
@@ -870,6 +870,7 @@ detection:
 - '\piddrv64.sys'
 - '\mhyprot2.sys'
 - '\netfilter.sys'
+ - '\RTCore64.sys'
 driver_status:
 - Signed: 'false'
 - SignatureStatus: Expired
diff --git a/rules/windows/image_load/image_load_susp_cmstp.yml b/rules/windows/image_load/image_load_susp_cmstp.yml
new file mode 100644
index 000000000..472bed24a
--- /dev/null
+++ b/rules/windows/image_load/image_load_susp_cmstp.yml
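Review bot: `selection` matches only the default `ServiceName: 'RTCore64'`, so the rule depends on the service keeping the name the referenced tool gives it; Event 7045 also carries `ImagePath`, and turning the selection into a two-entry list (`- ServiceName: 'RTCore64'` / `- ImagePath|endswith: '\RTCore64.sys'`) ties detection to the driver file as well. `tags` carries only `attack.persistence` while the other new rules in this series include a technique id; `attack.t1543.003` (Windows Service) fits here. The description's second sentence is a fragment: `Detects the installation of the RTCore service, which could indicate abuse of the vulnerable Micro-Star MSI Afterburner driver`.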
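Review bot: `'\RTCore64.sys'` is appended to a driver-name list that is immediately followed by `driver_status` (`Signed: 'false'` / `SignatureStatus: Expired`); the rule's `condition` is outside the hunk, and if it requires `driver_status` alongside the name list, a load of a validly signed copy of this driver would not alert. Worth confirming the condition and, if that is the case, noting on the list entry which variant of the driver this covers, e.g. `- '\RTCore64.sys'  # MSI Afterburner; only the unsigned/expired-signature variant alerts here`.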
@@ -0,0 +1,31 @@
+title: Cmstp Suspicious DLL Load
+id: 75e508f7-932d-4ebc-af77-269237a84ce1
+status: experimental
+description: Detects cmstp loading "dll" or "ocx" files from suspicious locations
+author: Nasreddine Bencherchali
+references:
+ - https://github.com/vadim-hunter/Detection-Ideas-Rules/blob/02bcbfc2bfb8b4da601bb30de0344ae453aa1afe/TTPs/Defense%20Evasion/T1218%20-%20Signed%20Binary%20Proxy%20Execution/T1218.003%20-%20CMSTP/Procedures.yaml
+date: 2022/08/30
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ ImageLoaded|contains:
+ # Add more suspicious paths as you see fit in your env
+ - '\Users\'
+ - '\AppData\Local\Temp\'
+ - '\PerfLogs\'
+ - '\Windows\Temp\'
+ ImageLoaded|endswith:
+ - '.dll'
+ - '.ocx'
+ Image|endswith:
+ - '\cmstp.exe'
+ condition: selection
+falsepositives:
+ - Unikely
+level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1218.003
diff --git a/rules/windows/network_connection/net_connection_win_susp_cmstp.yml b/rules/windows/network_connection/net_connection_win_susp_cmstp.yml
new file mode 100644
index 000000000..a9212b313
--- /dev/null
+++ b/rules/windows/network_connection/net_connection_win_susp_cmstp.yml
@@ -0,0 +1,21 @@
+title: Cmstp Making Network Connection
+id: efafe0bf-4238-479e-af8f-797bd3490d2d
+status: experimental
+description: Detects suspicious network connection by Cmstp
+author: Nasreddine Bencherchali
+references:
+ - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
+date: 2022/08/30
+logsource:
+ category: network_connection
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\cmstp.exe'
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1218.003
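Review bot: `falsepositives` reads `- Unikely`; it should be `- Unlikely`, and the typo survives the later edit to this file in patch 06. `ImageLoaded|contains: '\Users\'` already covers the whole profile tree, so the `'\AppData\Local\Temp\'` entry below it adds nothing for per-user paths; either drop it or mark the broad entry as deliberate, e.g. `- '\Users\'  # intentionally broad: any DLL/OCX loaded from a user profile`.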
diff --git a/rules/windows/process_creation/proc_creation_win_apt_ta505_dropper.yml b/rules/windows/process_creation/proc_creation_win_apt_ta505_dropper.yml index 57fabd44f..dd2e5bddc 100644 --- a/rules/windows/process_creation/proc_creation_win_apt_ta505_dropper.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_ta505_dropper.yml @@ -4,23 +4,23 @@ status: test description: Detects mshta loaded by wmiprvse as parent as used by TA505 malicious documents author: Florian Roth references: - - https://twitter.com/ForensicITGuy/status/1334734244120309760 + - https://twitter.com/ForensicITGuy/status/1334734244120309760 date: 2020/12/08 modified: 2022/03/31 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection_parent: - ParentImage|endswith: '\wmiprvse.exe' - selection_mshta: - - Image|endswith: '\mshta.exe' - - OriginalFileName: 'mshta.exe' - condition: selection_parent and selection_mshta + selection_parent: + ParentImage|endswith: '\wmiprvse.exe' + selection_mshta: + - Image|endswith: '\mshta.exe' + - OriginalFileName: 'mshta.exe' + condition: all of selection_* falsepositives: - - Unknown + - Unknown level: critical tags: - - attack.execution - - attack.g0092 - - attack.t1106 + - attack.execution + - attack.g0092 + - attack.t1106 diff --git a/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_use_mhsta.yml index c8fa2a698..fef63f164 100644 --- a/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_use_mhsta.yml +++ b/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_use_mhsta.yml 
@@ -4,27 +4,27 @@ status: test description: Detects Obfuscated Powershell via use MSHTA in Scripts author: Nikita Nazarov, oscd.community references: - - https://github.com/Neo23x0/sigma/issues/1009 #(Task31) + - https://github.com/Neo23x0/sigma/issues/1009 #(Task31) date: 2020/10/08 modified: 2022/03/08 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine|contains|all: - - 'set' - - '&&' - - 'mshta' - - 'vbscript:createobject' - - '.run' - - '(window.close)' - condition: selection + selection: + CommandLine|contains|all: + - 'set' + - '&&' + - 'mshta' + - 'vbscript:createobject' + - '.run' + - '(window.close)' + condition: selection falsepositives: - - Unknown + - Unknown level: high tags: - - attack.defense_evasion - - attack.t1027 - - attack.execution - - attack.t1059.001 + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml index 157547676..74c0dfa64 100644 --- a/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml +++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml @@ -8,7 +8,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.003/T1218.003.md - https://lolbas-project.github.io/lolbas/Binaries/Cmstp/ date: 2019/10/24 -modified: 2022/05/16 +modified: 2022/08/30 logsource: category: process_creation product: windows @@ -19,8 +19,11 @@ detection: selection_cli: CommandLine|contains: - '/s' + - '-s' - '/au' + - '-au' - '/ni' + - '-ni' condition: all of selection* fields: - ComputerName 
diff --git a/rules/windows/process_creation/proc_creation_win_wscript_shell_cli.yml b/rules/windows/process_creation/proc_creation_win_wscript_shell_cli.yml
new file mode 100644
index 000000000..746b689ec
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_wscript_shell_cli.yml
@@ -0,0 +1,24 @@
+title: Wscript Shell Run In CommandLine
+id: 2c28c248-7f50-417a-9186-a85b223010ee
+status: experimental
+description: Detects the presence of the keywords "Wscript", "Shell" and "Run" in the command, which could indicate a suspicious activity
+author: Nasreddine Bencherchali
+date: 2022/08/31
+references:
+ - http://blog.talosintelligence.com/2022/08/modernloader-delivers-multiple-stealers.html
+tags:
+ - attack.execution
+ - attack.t1059
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - 'Wscript.'
+ - '.Shell'
+ - '.Run'
+ condition: selection
+falsepositives:
+ - Rare legitimate inline scripting by some administrators
+level: high
From 399a18b76205c735e317148718d165b78f4afdf5 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 31 Aug 2022 09:41:25 +0200 Subject: [PATCH 03/59] Update net_connection_win_susp_cmstp.yml
--- .../network_connection/net_connection_win_susp_cmstp.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/windows/network_connection/net_connection_win_susp_cmstp.yml b/rules/windows/network_connection/net_connection_win_susp_cmstp.yml
index a9212b313..bbd3aeae4 100644
--- a/rules/windows/network_connection/net_connection_win_susp_cmstp.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_cmstp.yml
@@ -12,7 +12,8 @@ logsource:
 detection:
 selection:
 Image|endswith: '\cmstp.exe'
- condition: selection and not filter
+ Initiated: 'true'
+ condition: selectionss
 falsepositives:
 - Unknown
 level: high
From 77c564083901fcfa880070b80a09c5d9f6964eba Mon Sep 17 00:00:00 2001
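Review bot: The three `contains` tokens `'Wscript.'`, `'.Shell'` and `'.Run'` match anywhere in the command line and are ordinary in legitimate inline VBScript/JScript, which the `falsepositives` entry itself concedes, yet the rule ships at `level: high`; `level: medium` would be consistent with the stated FP expectation unless the selection is narrowed further. Field order here (`date` before `references`, `tags` before `logsource`) differs from the other new rules in this series, which place `references` after `author`, then `date`, and `tags` last; aligning it keeps the series uniform.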
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 31 Aug 2022 09:42:25 +0200 Subject: [PATCH 04/59] Update net_connection_win_susp_cmstp.yml --- .../network_connection/net_connection_win_susp_cmstp.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/network_connection/net_connection_win_susp_cmstp.yml b/rules/windows/network_connection/net_connection_win_susp_cmstp.yml index bbd3aeae4..886ec0413 100644 --- a/rules/windows/network_connection/net_connection_win_susp_cmstp.yml +++ b/rules/windows/network_connection/net_connection_win_susp_cmstp.yml @@ -13,7 +13,7 @@ detection: selection: Image|endswith: '\cmstp.exe' Initiated: 'true' - condition: selectionss + condition: selections falsepositives: - Unknown level: high From 343b0ef1999925213e82cbb00f8e4501ba9c4c20 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 31 Aug 2022 09:46:18 +0200 Subject: [PATCH 05/59] Update net_connection_win_susp_cmstp.yml --- .../network_connection/net_connection_win_susp_cmstp.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/network_connection/net_connection_win_susp_cmstp.yml b/rules/windows/network_connection/net_connection_win_susp_cmstp.yml index 886ec0413..2b0927bb0 100644 --- a/rules/windows/network_connection/net_connection_win_susp_cmstp.yml +++ b/rules/windows/network_connection/net_connection_win_susp_cmstp.yml @@ -13,7 +13,7 @@ detection: selection: Image|endswith: '\cmstp.exe' Initiated: 'true' - condition: selections + condition: selection falsepositives: - Unknown level: high From 80098113d06750ddb9ab275d7df1049f88d4ea7c Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 31 Aug 2022 09:53:07 +0200 Subject: [PATCH 06/59] Update image_load_susp_cmstp.yml --- rules/windows/image_load/image_load_susp_cmstp.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rules/windows/image_load/image_load_susp_cmstp.yml b/rules/windows/image_load/image_load_susp_cmstp.yml index 472bed24a..6c5dea61b 100644 --- a/rules/windows/image_load/image_load_susp_cmstp.yml +++ b/rules/windows/image_load/image_load_susp_cmstp.yml @@ -20,8 +20,7 @@ detection: ImageLoaded|endswith: - '.dll' - '.ocx' - Image|endswith: - - '\cmstp.exe' + Image|endswith: '\cmstp.exe' condition: selection falsepositives: - Unikely From 783fd8b160b8e5ba0813652049fd331cfe071cdb Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 31 Aug 2022 10:08:31 +0200 Subject: [PATCH 07/59] Create proc_creation_win_susp_schtasks_schedule_type.yml --- ...eation_win_susp_schtasks_schedule_type.yml | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type.yml diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type.yml b/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type.yml new file mode 100644 index 000000000..e34973df4 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type.yml 
@@ -0,0 +1,34 @@
+title: Suspicious Schtasks Schedule Type
+id: 7a02e22e-b885-4404-b38b-1ddc7e65258a
+description: Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type
+status: experimental
+references:
+ - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change
+ - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create
+tags:
+ - attack.execution
+ - attack.t1053.005
+author: Nasreddine Bencherchali
+date: 2022/08/31
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection_img:
+ - Image|endswith: '\schtasks.exe'
+ - OriginalFileName: 'schtasks.exe'
+ selection_time:
+ CommandLine|contains:
+ - ' ONLOGON '
+ - ' ONSTART '
+ - ' ONCE '
+ - ' ONIDLE '
+ selection_privs:
+ CommandLine|contains:
+ - 'NT AUT' # This covers the usual NT AUTHORITY\SYSTEM
+ - ' SYSTEM' # SYSTEM is a valid value for schtasks hence it gets it's own value with space
+ - 'HIGHEST'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: high
From b7fe798a8d7652b60dfc333886acdae4fd051913 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 31 Aug 2022 10:24:04 +0200 Subject: [PATCH 08/59] Update known-FPs.csv
--- .github/workflows/known-FPs.csv | 1 + 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv
index 3717f73f1..1b0fe040a 100644
--- a/.github/workflows/known-FPs.csv
+++ b/.github/workflows/known-FPs.csv
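Review bot: The inline comment on `' SYSTEM'` has a grammar slip (`it's` for `its`) and does not explain the leading space; `# ' SYSTEM' (leading space) is also a valid /RU value on its own, distinct from 'NT AUTHORITY\SYSTEM'` says what the entry is for. `'HIGHEST'` is matched anywhere in the command line rather than as the `/RL HIGHEST` argument, so any task name or path containing that word satisfies `selection_privs`; either `' /RL HIGHEST'` or a comment stating that the broad match is intended would make the choice explicit. The known-FPs entry added for this rule in the following patches suggests the breadth has already produced a false positive in CI.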
@@ -35,3 +35,4 @@ a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;target\.exe 349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;target\.exe a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;unzip\.exe 349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;TeamViewer_\.exe +7a02e22e-b885-4404-b38b-1ddc7e65258a;Suspicious Schtasks Schedule Type;TeamViewer_\.exe \ No newline at end of file From b0768ed5cdafc29ee6a0a15c1c75b8b6e0c338e3 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 31 Aug 2022 11:05:41 +0200 Subject: [PATCH 09/59] Update known-FPs.csv --- .github/workflows/known-FPs.csv | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv index 1b0fe040a..03d75e46a 100644 --- a/.github/workflows/known-FPs.csv +++ b/.github/workflows/known-FPs.csv @@ -35,4 +35,4 @@ a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;target\.exe 349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;target\.exe a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;unzip\.exe 349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;TeamViewer_\.exe -7a02e22e-b885-4404-b38b-1ddc7e65258a;Suspicious Schtasks Schedule Type;TeamViewer_\.exe \ No newline at end of file +7a02e22e-b885-4404-b38b-1ddc7e65258a;Suspicious Schtasks Schedule Type;schtasks\.exe \ No newline at end of file From 475bb1a90bb2450ddc25339511e99ec16191dda8 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 31 Aug 2022 11:12:18 +0200 Subject: [PATCH 10/59] Update known-FPs.csv --- .github/workflows/known-FPs.csv | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv index 03d75e46a..d018a9404 100644 
--- a/.github/workflows/known-FPs.csv +++ b/.github/workflows/known-FPs.csv @@ -35,4 +35,4 @@ a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;target\.exe 349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;target\.exe a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;unzip\.exe 349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;TeamViewer_\.exe -7a02e22e-b885-4404-b38b-1ddc7e65258a;Suspicious Schtasks Schedule Type;schtasks\.exe \ No newline at end of file +7a02e22e-b885-4404-b38b-1ddc7e65258a;Suspicious Schtasks Schedule Type;.* \ No newline at end of file From 35f102f8a0755c52580ba75e85ca51aec84fcc1c Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 31 Aug 2022 11:40:39 +0200 Subject: [PATCH 11/59] Update known-FPs.csv --- .github/workflows/known-FPs.csv | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv index d018a9404..e29877a27 100644 --- a/.github/workflows/known-FPs.csv +++ b/.github/workflows/known-FPs.csv @@ -35,4 +35,4 @@ a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;target\.exe 349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;target\.exe a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;unzip\.exe 349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;TeamViewer_\.exe -7a02e22e-b885-4404-b38b-1ddc7e65258a;Suspicious Schtasks Schedule Type;.* \ No newline at end of file +7a02e22e-b885-4404-b38b-1ddc7e65258a;Suspicious Schtasks Schedule Type;TeamViewer_\.exe From 7b92cbb6d0f1100a56365b409e82f2f0a46722b3 Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 31 Aug 2022 13:54:50 +0200 Subject: [PATCH 12/59] Create win_msi_install_from_susp_locations.yml
--- .../win_msi_install_from_susp_locations.yml | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 rules/windows/builtin/application/win_msi_install_from_susp_locations.yml
diff --git a/rules/windows/builtin/application/win_msi_install_from_susp_locations.yml b/rules/windows/builtin/application/win_msi_install_from_susp_locations.yml
new file mode 100644
index 000000000..9a4ac1ae7
--- /dev/null
+++ b/rules/windows/builtin/application/win_msi_install_from_susp_locations.yml
@@ -0,0 +1,33 @@
+title: MSI Installation From Suspicious Locations
+id: c7c8aa1c-5aff-408e-828b-998e3620b341
+status: experimental
+description: Detects MSI package installation from suspicious locations
+author: Nasreddine Bencherchali
+references:
+ - https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html
+date: 2022/08/14
+logsource:
+ product: windows
+ service: application
+ # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
+detection:
+ selection:
+ Provider_Name: 'MsiInstaller'
+ EventID:
+ - 1040
+ - 1042
+ Data|contains:
+ # Add more suspicious paths
+ - '\Users\Public\'
+ - '\PerfLogs\'
+ - '\Desktop\'
+ - '\Downloads\'
+ - '\AppData\Local\Temp\'
+ - 'C:\Windows\TEMP\'
+ - '\\\\'
+ condition: selection
+falsepositives:
+ - Some false positives may occure depending on the environnement
+level: high
+tags:
+ - attack.execution
From b0bd1a2184edf953d12d598860c756ea56c5839f Mon Sep 17 00:00:00 2001
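Review bot: `'\Desktop\'` and `'\Downloads\'` are the normal locations of user-initiated installers, so at `level: high` this rule will alert on routine software installation in most environments; either `level: medium` or a comment on those two entries explaining why they are treated as suspicious would set expectations for users of the rule. `falsepositives` has two typos: `- Some false positives may occur depending on the environment`. The `# warning:` comment about the `Data` field is indented under `logsource` but describes `detection`; placing it directly above `detection:` keeps it next to the field it explains.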
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 31 Aug 2022 13:55:30 +0200 Subject: [PATCH 13/59] Update win_msi_install_from_susp_locations.yml --- .../builtin/application/win_msi_install_from_susp_locations.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/builtin/application/win_msi_install_from_susp_locations.yml b/rules/windows/builtin/application/win_msi_install_from_susp_locations.yml index 9a4ac1ae7..f6c9b9282 100644 --- a/rules/windows/builtin/application/win_msi_install_from_susp_locations.yml +++ b/rules/windows/builtin/application/win_msi_install_from_susp_locations.yml @@ -5,7 +5,7 @@ description: Detects MSI package installation from suspicious locations author: Nasreddine Bencherchali references: - https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html -date: 2022/08/14 +date: 2022/08/31 logsource: product: windows service: application From 893fc6c15d6bf0db4578a9016c23f0b18fe75d9d Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Wed, 31 Aug 2022 13:55:43 +0200 Subject: [PATCH 14/59] fix: FP with controller config --- .../proc_creation_win_susp_rundll32_activity.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_susp_rundll32_activity.yml b/rules/windows/process_creation/proc_creation_win_susp_rundll32_activity.yml index da194c306..0f6cb9324 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_rundll32_activity.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_rundll32_activity.yml @@ -11,7 +11,7 @@ references: - https://twitter.com/eral4m/status/1479106975967240209 # scrobj.dll,GenerateTypeLib - https://twitter.com/eral4m/status/1479080793003671557 # shimgvw.dll,ImageView_Fullscreen date: 2019/01/16 -modified: 2022/08/19 +modified: 2022/08/30 logsource: category: process_creation product: windows 
@@ -84,7 +84,10 @@ detection:
 - 'http'
 filter:
 CommandLine|contains: 'shell32.dll,Control_RunDLL desk.cpl,screensaver,@screensaver'
- condition: selection and not filter
+ filter_parent: # Settings
+ ParentImage: 'C:\Windows\System32\control.exe'
+ ParentCommandLine|contains: '.cpl'
+ condition: selection and not 1 of filter*
 falsepositives:
 - False positives depend on scripts and administrative tools used in the monitored environment
 level: medium
From 1bb172e4ae6cce3e867a228f35c45c6524f8d572 Mon Sep 17 00:00:00 2001 From: Tim Shelton Date: Wed, 31 Aug 2022 19:38:25 +0000 Subject: [PATCH 15/59] False positive when commandline is only cmd.exe /c
--- .../process_creation/proc_creation_win_susp_missing_spaces.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_susp_missing_spaces.yml b/rules/windows/process_creation/proc_creation_win_susp_missing_spaces.yml
index 55e05ebf2..40dd12e69 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_missing_spaces.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_missing_spaces.yml
@@ -7,7 +7,7 @@ references:
 - https://twitter.com/cyb3rops/status/1562072617552678912
 - https://ss64.com/nt/cmd.html
 date: 2022/08/23
-modified: 2022/08/28
+modified: 2022/08/31
 tags:
 - attack.execution
 - attack.t1059.001
@@ -50,6 +50,7 @@ detection:
 filter_falsepositives:
 - CommandLine|contains: 'AppData\Local\Programs\Microsoft VS Code\resources\app\node_modules'
 - CommandLine|endswith: 'cmd.exe/c .'
+ - CommandLine: 'cmd.exe /c'
 condition: 1 of selection* and not 1 of filter*
 falsepositives:
 - Unknown
From a0a30bad8c9caf0bd28d849cc29524abd9541fa8 Mon Sep 17 00:00:00 2001 From: David ANDRE Date: Thu, 1 Sep 2022 13:03:19 +0200 Subject: [PATCH 16/59] Correcting values for startswith
--- .../file_change/file_change_win_2022_timestomping.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
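Review bot: `filter_parent` uses an exact `ParentImage: 'C:\Windows\System32\control.exe'` where the `Image|endswith` style used across this series is drive-letter agnostic; on a host with a different system drive the filter silently stops applying (more alerts rather than missed ones), so `ParentImage|endswith: '\System32\control.exe'` is the consistent form. The trailing comment `# Settings` does not say what is being excluded; `# Control Panel applets (.cpl) launched through control.exe` would.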
diff --git a/rules/windows/file_change/file_change_win_2022_timestomping.yml b/rules/windows/file_change/file_change_win_2022_timestomping.yml index 11b21c196..0c8f13a13 100644 --- a/rules/windows/file_change/file_change_win_2022_timestomping.yml +++ b/rules/windows/file_change/file_change_win_2022_timestomping.yml @@ -13,13 +13,13 @@ logsource: product: windows detection: selection1: - PreviousCreationUtcTime|startswith: 2022 + PreviousCreationUtcTime|startswith: '2022' filter1: - CreationUtcTime|startswith: 2022 + CreationUtcTime|startswith: '2022' selection2: - PreviousCreationUtcTime|startswith: 202 + PreviousCreationUtcTime|startswith: '202' filter2: - CreationUtcTime|startswith: 202 + CreationUtcTime|startswith: '202' condition: ( selection1 and not filter1 ) or ( selection2 and not filter2 ) falsepositives: - Changes made to or by the local NTP service From a428756340f319e55ab598c1b99c1699b1164983 Mon Sep 17 00:00:00 2001 From: Paul Hager <28906717+pH-T@users.noreply.github.com> Date: Thu, 1 Sep 2022 14:38:06 +0200 Subject: [PATCH 17/59] new rule: susp net use combo --- .../proc_creation_win_susp_net_use.yml | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 rules/windows/process_creation/proc_creation_win_susp_net_use.yml diff --git a/rules/windows/process_creation/proc_creation_win_susp_net_use.yml b/rules/windows/process_creation/proc_creation_win_susp_net_use.yml new file mode 100644 index 000000000..cbc047d07 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_susp_net_use.yml 
@@ -0,0 +1,33 @@
+title: Suspicious Net Use Command Combo
+id: f0507c0f-a3a2-40f5-acc6-7f543c334993
+status: test
+description: Detects net use command combo which executes files from WebDAV server; seen in malicious LNK files
+author: pH-T
+references:
+ - https://twitter.com/ShadowChasing1/status/1552595370961944576
+date: 2022/09/01
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ image:
+ Image|contains: '\cmd.exe'
+ selection_base:
+ CommandLine|contains|all:
+ - ' net use http'
+ - '& start /b '
+ - '\DavWWWRoot\'
+ selection_ext:
+ CommandLine|contains:
+ - '.exe '
+ - '.dll '
+ - '.bat '
+ - '.vbs '
+ - '.ps1 '
+ condition: image and all of selection*
+falsepositives:
+ - Unknown
+level: high
+tags:
+ - attack.execution
+ - attack.t1059.001
From 6b2f12cbe6cb98d6c85c47b1f6856f2f1d29cd28 Mon Sep 17 00:00:00 2001 From: Paul Hager <28906717+pH-T@users.noreply.github.com> Date: Thu, 1 Sep 2022 15:01:38 +0200 Subject: [PATCH 18/59] fix: proc_creation_win_susp_net_use status
--- .../windows/process_creation/proc_creation_win_susp_net_use.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_susp_net_use.yml b/rules/windows/process_creation/proc_creation_win_susp_net_use.yml
index cbc047d07..7df7b88a3 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_net_use.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_net_use.yml
@@ -1,6 +1,6 @@
 title: Suspicious Net Use Command Combo
 id: f0507c0f-a3a2-40f5-acc6-7f543c334993
-status: test
+status: experimental
 description: Detects net use command combo which executes files from WebDAV server; seen in malicious LNK files
 author: pH-T
 references:
From 0b0190ccb1cb88245c86ec7a64c635c265c408f9 Mon Sep 17 00:00:00 2001
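Review bot: The rule keys on `cmd.exe` running `net use` and `start`, but `tags` carries `attack.t1059.001` (PowerShell); `attack.t1059.003` (Windows Command Shell) is the matching sub-technique. `Image|contains: '\cmd.exe'` also matches any path that merely contains that substring and differs from the `Image|endswith` form every other rule in this series uses; `Image|endswith: '\cmd.exe'` is the intended check. The identifier `image` falls outside the `selection_*` naming the condition relies on; renaming it `selection_img` lets the condition collapse to `all of selection_*`.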
From: David ANDRE Date: Thu, 1 Sep 2022 15:22:26 +0200 Subject: [PATCH 19/59] Added quotes to strings --- .../aws_attached_malicious_lambda_layer.yml | 2 +- .../azure_dns_zone_modified_or_deleted.yml | 6 +- .../azure_kubernetes_admission_controller.yml | 12 ++-- .../cloud/azure/azure_kubernetes_cronjob.yml | 12 ++-- .../gcp_kubernetes_admission_controller.yml | 16 ++--- .../zeek_dce_rpc_smb_spoolss_named_pipe.yml | 2 +- .../builtin/ntlm/win_susp_ntlm_rdp.yml | 2 +- .../win_lolbas_execution_of_nltest.yml | 2 +- .../dns_query_win_lobas_appinstaller.yml | 4 +- ...e_event_win_install_teamviewer_desktop.yml | 2 +- .../file_event_win_office_persistence.yml | 14 ++-- .../file_event_win_pingback_backdoor.yml | 2 +- .../file_event_win_susp_colorcpl.yml | 10 +-- .../file_event_win_susp_desktop_txt.yml | 8 +-- .../image_load_abusing_azure_browser_sso.yml | 2 +- .../image_load/image_load_susp_fax_dll.yml | 4 +- .../image_load_wsman_provider_image_load.yml | 12 ++-- ...proc_access_win_cred_dump_lsass_access.yml | 4 +- .../proc_creation_win_attrib_system.yml | 2 +- ..._creation_win_attrib_system_susp_paths.yml | 2 +- .../proc_creation_win_bootconf_mod.yml | 10 +-- .../proc_creation_win_cmd_read_contents.yml | 4 +- ..._creation_win_delete_systemstatebackup.yml | 4 +- .../proc_creation_win_dirlister.yml | 4 +- ...numeration_for_credentials_in_registry.yml | 2 +- .../proc_creation_win_evil_winrm.yml | 2 +- ...roc_creation_win_findstr_gpp_passwords.yml | 8 +-- .../proc_creation_win_findstr_lsass.yml | 2 +- .../proc_creation_win_hack_rubeus.yml | 2 +- .../proc_creation_win_iis_http_logging.yml | 6 +- .../proc_creation_win_lolbin_forfiles.yml | 4 +- ...reation_win_lolbin_fsharp_interpreters.yml | 8 +-- .../proc_creation_win_lolbin_pcalua.yml | 2 +- .../proc_creation_win_lolbin_pktmon.yml | 4 +- .../proc_creation_win_lolbin_remote.yml | 4 +- .../proc_creation_win_lolbin_ttdinject.yml | 4 +- ...n_lolbins_with_wmiprvse_parent_process.yml | 2 +- 
...ation_win_modify_group_policy_settings.yml | 6 +- .../proc_creation_win_mstsc.yml | 4 +- .../proc_creation_win_redirect_to_stream.yml | 2 +- ...oc_creation_win_reg_defender_exclusion.yml | 2 +- ...oc_creation_win_reg_defender_tampering.yml | 2 +- .../proc_creation_win_reg_lsass_ppl.yml | 2 +- ...ation_win_reg_service_imagepath_change.yml | 2 +- ...on_win_rundll32_registered_com_objects.yml | 2 +- .../proc_creation_win_susp_adidnsdump.yml | 4 +- .../proc_creation_win_susp_cipher.yml | 2 +- .../proc_creation_win_susp_cscript_vbs.yml | 2 +- .../proc_creation_win_susp_explorer.yml | 6 +- .../proc_creation_win_susp_findstr_385201.yml | 2 +- .../proc_creation_win_susp_hostname.yml | 2 +- .../proc_creation_win_susp_instalutil.yml | 4 +- .../proc_creation_win_susp_machineguid.yml | 2 +- .../proc_creation_win_susp_print.yml | 10 +-- ...roc_creation_win_susp_rasdial_activity.yml | 2 +- .../proc_creation_win_susp_reg_add.yml | 4 +- ...roc_creation_win_susp_schtasks_disable.yml | 8 +-- ...c_creation_win_susp_schtasks_run_level.yml | 34 ++++++++++ .../proc_creation_win_susp_shutdown.yml | 2 +- ...ation_win_susp_spoolsv_child_processes.yml | 66 +++++++++---------- .../proc_creation_win_susp_systeminfo.yml | 4 +- ...roc_creation_win_susp_tasklist_command.yml | 4 +- .../proc_creation_win_trufflesnout.yml | 4 +- .../proc_creation_win_webbrowserpassview.yml | 2 +- .../proc_creation_win_wmic_reconnaissance.yml | 10 +-- .../proc_creation_win_wmic_remote_command.yml | 8 +-- .../proc_creation_win_wmic_remote_service.yml | 4 +- ...c_creation_win_wmic_remove_application.yml | 4 +- ...y_set_bypass_uac_using_delegateexecute.yml | 2 +- ...istry_set_disable_administrative_share.yml | 8 +-- ...registry_set_disable_defender_firewall.yml | 6 +- ..._disable_security_center_notifications.yml | 4 +- .../registry_set_disable_winevt_logging.yml | 6 +- .../registry_set_disallowrun_execution.yml | 4 +- .../registry_set_hidden_extention.yml | 8 +-- .../registry_set_ie_persistence.yml | 4 +- 
.../registry_set/registry_set_mal_adwind.yml | 2 +- .../registry_set_office_enable_dde.yml | 12 ++-- ...egistry_set_outlook_registry_todaypage.yml | 6 +- .../registry_set_persistence_search_order.yml | 6 +- .../registry_set_uac_bypass_sdclt.yml | 4 +- script.sh | 6 ++ 82 files changed, 261 insertions(+), 221 deletions(-) create mode 100644 rules/windows/process_creation/proc_creation_win_susp_schtasks_run_level.yml create mode 100755 script.sh diff --git a/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml b/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml index 83a17e8da..8512640c3 100644 --- a/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml +++ b/rules/cloud/aws/aws_attached_malicious_lambda_layer.yml @@ -12,7 +12,7 @@ logsource: detection: selection: eventSource: lambda.amazonaws.com - eventName|startswith: UpdateFunctionConfiguration + eventName|startswith: 'UpdateFunctionConfiguration' condition: selection level: medium tags: diff --git a/rules/cloud/azure/azure_dns_zone_modified_or_deleted.yml b/rules/cloud/azure/azure_dns_zone_modified_or_deleted.yml index ba6de103b..c44fe5d39 100644 --- a/rules/cloud/azure/azure_dns_zone_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_dns_zone_modified_or_deleted.yml @@ -12,10 +12,10 @@ logsource: service: activitylogs detection: selection: - operationName|startswith: MICROSOFT.NETWORK/DNSZONES + operationName|startswith: 'MICROSOFT.NETWORK/DNSZONES' operationName|endswith: - - /WRITE - - /DELETE + - '/WRITE' + - '/DELETE' condition: selection falsepositives: - DNS zone modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. diff --git a/rules/cloud/azure/azure_kubernetes_admission_controller.yml b/rules/cloud/azure/azure_kubernetes_admission_controller.yml index 9ea9e0829..c182b52a3 100644 --- a/rules/cloud/azure/azure_kubernetes_admission_controller.yml 
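Review bot: The quoting pass is incomplete inside the hunks it touches: in this aws_attached_malicious_lambda_layer hunk `eventSource: lambda.amazonaws.com` stays a plain scalar while `eventName|startswith` on the next line is quoted, and the same mix remains in zeek_dce_rpc_smb_spoolss_named_pipe (`name: spoolss`) and proc_creation_win_modify_group_policy_settings (`- GroupPolicyRefreshTimeDC`). If the intent is that every Sigma matcher value is an explicit string, quote those too (`eventSource: 'lambda.amazonaws.com'`); otherwise the rule files now carry two conventions side by side. The diffstat also lists a new executable `script.sh` at the repository root, presumably the tooling used for this pass; its hunk is outside this view, but a helper script should not land together with rule content unless it is meant to stay and be documented.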
+++ b/rules/cloud/azure/azure_kubernetes_admission_controller.yml @@ -12,15 +12,15 @@ logsource: service: activitylogs detection: selection1: - operationName|startswith: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO + operationName|startswith: 'MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO' operationName|endswith: - - /MUTATINGWEBHOOKCONFIGURATIONS/WRITE - - /VALIDATINGWEBHOOKCONFIGURATIONS/WRITE + - '/MUTATINGWEBHOOKCONFIGURATIONS/WRITE' + - '/VALIDATINGWEBHOOKCONFIGURATIONS/WRITE' selection2: - operationName|startswith: MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO + operationName|startswith: 'MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO' operationName|endswith: - - /MUTATINGWEBHOOKCONFIGURATIONS/WRITE - - /VALIDATINGWEBHOOKCONFIGURATIONS/WRITE + - '/MUTATINGWEBHOOKCONFIGURATIONS/WRITE' + - '/VALIDATINGWEBHOOKCONFIGURATIONS/WRITE' condition: selection1 or selection2 falsepositives: - Azure Kubernetes Admissions Controller may be done by a system administrator. diff --git a/rules/cloud/azure/azure_kubernetes_cronjob.yml b/rules/cloud/azure/azure_kubernetes_cronjob.yml index 9ad66faa6..9fe793bb7 100644 --- a/rules/cloud/azure/azure_kubernetes_cronjob.yml +++ b/rules/cloud/azure/azure_kubernetes_cronjob.yml 
@@ -15,15 +15,15 @@ logsource: service: activitylogs detection: selection1: - operationName|startswith: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/BATCH + operationName|startswith: 'MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/BATCH' operationName|endswith: - - /CRONJOBS/WRITE - - /JOBS/WRITE + - '/CRONJOBS/WRITE' + - '/JOBS/WRITE' selection2: - operationName|startswith: MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/BATCH + operationName|startswith: 'MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/BATCH' operationName|endswith: - - /CRONJOBS/WRITE - - /JOBS/WRITE + - '/CRONJOBS/WRITE' + - '/JOBS/WRITE' condition: selection1 or selection2 falsepositives: - Azure Kubernetes CronJob/Job may be done by a system administrator. diff --git a/rules/cloud/gcp/gcp_kubernetes_admission_controller.yml b/rules/cloud/gcp/gcp_kubernetes_admission_controller.yml index 9bdabb295..c90eb6aee 100644 --- a/rules/cloud/gcp/gcp_kubernetes_admission_controller.yml +++ b/rules/cloud/gcp/gcp_kubernetes_admission_controller.yml @@ -12,17 +12,17 @@ logsource: service: gcp.audit detection: selection1: - gcp.audit.method_name|startswith: admissionregistration.k8s.io.v*.mutatingwebhookconfigurations. + gcp.audit.method_name|startswith: 'admissionregistration.k8s.io.v*.mutatingwebhookconfigurations.' gcp.audit.method_name|endswith: - - create - - patch - - replace + - 'create' + - 'patch' + - 'replace' selection2: - gcp.audit.method_name|startswith: admissionregistration.k8s.io.v*.validatingwebhookconfigurations. + gcp.audit.method_name|startswith: 'admissionregistration.k8s.io.v*.validatingwebhookconfigurations.' gcp.audit.method_name|endswith: - - create - - patch - - replace + - 'create' + - 'patch' + - 'replace' condition: selection1 or selection2 level: medium tags: diff --git a/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml b/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml index 59b8daad8..b9f7565d5 100644 --- a/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml 
+++ b/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml @@ -17,7 +17,7 @@ logsource: service: smb_files detection: selection: - path|endswith: IPC$ + path|endswith: 'IPC$' name: spoolss condition: selection falsepositives: diff --git a/rules/windows/builtin/ntlm/win_susp_ntlm_rdp.yml b/rules/windows/builtin/ntlm/win_susp_ntlm_rdp.yml index 658223ac7..54797e52e 100644 --- a/rules/windows/builtin/ntlm/win_susp_ntlm_rdp.yml +++ b/rules/windows/builtin/ntlm/win_susp_ntlm_rdp.yml @@ -14,7 +14,7 @@ logsource: detection: selection: EventID: 8001 - TargetName|startswith: TERMSRV + TargetName|startswith: 'TERMSRV' condition: selection fields: - Computer diff --git a/rules/windows/builtin/security/win_lolbas_execution_of_nltest.yml b/rules/windows/builtin/security/win_lolbas_execution_of_nltest.yml index c96408c76..3fe554d24 100644 --- a/rules/windows/builtin/security/win_lolbas_execution_of_nltest.yml +++ b/rules/windows/builtin/security/win_lolbas_execution_of_nltest.yml @@ -18,7 +18,7 @@ logsource: detection: selection: EventID: 4689 - ProcessName|endswith: nltest.exe + ProcessName|endswith: 'nltest.exe' Status: '0x0' condition: selection fields: diff --git a/rules/windows/dns_query/dns_query_win_lobas_appinstaller.yml b/rules/windows/dns_query/dns_query_win_lobas_appinstaller.yml index a39bb70fe..bf34c6179 100644 --- a/rules/windows/dns_query/dns_query_win_lobas_appinstaller.yml +++ b/rules/windows/dns_query/dns_query_win_lobas_appinstaller.yml @@ -15,8 +15,8 @@ logsource: category: dns_query detection: selection: - Image|startswith: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_ - Image|endswith: \AppInstaller.exe + Image|startswith: 'C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_' + Image|endswith: '\AppInstaller.exe' condition: selection falsepositives: - Unknown 
diff --git a/rules/windows/file_event/file_event_win_install_teamviewer_desktop.yml b/rules/windows/file_event/file_event_win_install_teamviewer_desktop.yml index 6a2e0a3c4..1a8fcf21a 100644 --- a/rules/windows/file_event/file_event_win_install_teamviewer_desktop.yml +++ b/rules/windows/file_event/file_event_win_install_teamviewer_desktop.yml @@ -11,7 +11,7 @@ logsource: category: file_event detection: selection: - TargetFilename|endswith: \TeamViewer_Desktop.exe + TargetFilename|endswith: '\TeamViewer_Desktop.exe' condition: selection falsepositives: - Unknown diff --git a/rules/windows/file_event/file_event_win_office_persistence.yml b/rules/windows/file_event/file_event_win_office_persistence.yml index 16a87e66c..af5c704af 100644 --- a/rules/windows/file_event/file_event_win_office_persistence.yml +++ b/rules/windows/file_event/file_event_win_office_persistence.yml @@ -12,16 +12,16 @@ logsource: product: windows detection: selection_wlldropped: - TargetFilename|contains: \Microsoft\Word\Startup\ - TargetFilename|endswith: .wll + TargetFilename|contains: '\Microsoft\Word\Startup\' + TargetFilename|endswith: '.wll' selection_xlldropped: - TargetFilename|contains: \Microsoft\Excel\Startup\ - TargetFilename|endswith: .xll + TargetFilename|contains: '\Microsoft\Excel\Startup\' + TargetFilename|endswith: '.xll' selection_generic: - TargetFilename|contains: \Microsoft\Addins\ + TargetFilename|contains: '\Microsoft\Addins\' TargetFilename|endswith: - - .xlam - - .xla + - '.xlam' + - '.xla' condition: 1 of selection* falsepositives: - Legitimate add-ins diff --git a/rules/windows/file_event/file_event_win_pingback_backdoor.yml b/rules/windows/file_event/file_event_win_pingback_backdoor.yml index 5b9417ab3..605c24787 100644 --- a/rules/windows/file_event/file_event_win_pingback_backdoor.yml +++ b/rules/windows/file_event/file_event_win_pingback_backdoor.yml 
@@ -16,7 +16,7 @@ logsource: category: file_event detection: selection: - Image|endswith: updata.exe + Image|endswith: 'updata.exe' TargetFilename: 'C:\Windows\oci.dll' condition: selection falsepositives: diff --git a/rules/windows/file_event/file_event_win_susp_colorcpl.yml b/rules/windows/file_event/file_event_win_susp_colorcpl.yml index 3b6822fe3..1eaa671db 100644 --- a/rules/windows/file_event/file_event_win_susp_colorcpl.yml +++ b/rules/windows/file_event/file_event_win_susp_colorcpl.yml @@ -11,13 +11,13 @@ logsource: category: file_event detection: selection: - Image|endswith: \colorcpl.exe + Image|endswith: '\colorcpl.exe' valid_ext: TargetFilename|endswith: - - .icm - - .gmmp - - .cdmp - - .camp + - '.icm' + - '.gmmp' + - '.cdmp' + - '.camp' condition: selection and not valid_ext falsepositives: - Unknown diff --git a/rules/windows/file_event/file_event_win_susp_desktop_txt.yml b/rules/windows/file_event/file_event_win_susp_desktop_txt.yml index 8c47cc0c0..ad488b343 100644 --- a/rules/windows/file_event/file_event_win_susp_desktop_txt.yml +++ b/rules/windows/file_event/file_event_win_susp_desktop_txt.yml @@ -11,11 +11,11 @@ logsource: category: file_event detection: selection: - Image|endswith: \cmd.exe + Image|endswith: '\cmd.exe' TargetFilename|contains|all: - - \Users\ - - \Desktop\ - TargetFilename|endswith: .txt + - '\Users\' + - '\Desktop\' + TargetFilename|endswith: '.txt' condition: selection falsepositives: - Unknown diff --git a/rules/windows/image_load/image_load_abusing_azure_browser_sso.yml b/rules/windows/image_load/image_load_abusing_azure_browser_sso.yml index b1e9c1eea..94b145850 100644 --- a/rules/windows/image_load/image_load_abusing_azure_browser_sso.yml +++ b/rules/windows/image_load/image_load_abusing_azure_browser_sso.yml 
@@ -16,7 +16,7 @@ tags: - attack.t1574.002 detection: selection_dll: - ImageLoaded|endswith: MicrosoftAccountTokenProvider.dll + ImageLoaded|endswith: 'MicrosoftAccountTokenProvider.dll' filter_legit: - Image|endswith: - '\BackgroundTaskHost.exe' diff --git a/rules/windows/image_load/image_load_susp_fax_dll.yml b/rules/windows/image_load/image_load_susp_fax_dll.yml index 568dc22b7..02d9c099c 100644 --- a/rules/windows/image_load/image_load_susp_fax_dll.yml +++ b/rules/windows/image_load/image_load_susp_fax_dll.yml @@ -13,9 +13,9 @@ logsource: detection: selection: Image|endswith: '\fxssvc.exe' - ImageLoaded|endswith: ualapi.dll + ImageLoaded|endswith: 'ualapi.dll' filter: - ImageLoaded|startswith: C:\Windows\WinSxS\ + ImageLoaded|startswith: 'C:\Windows\WinSxS\' condition: selection and not filter falsepositives: - Unlikely diff --git a/rules/windows/image_load/image_load_wsman_provider_image_load.yml b/rules/windows/image_load/image_load_wsman_provider_image_load.yml index d2cbb8742..1ce9ae1f7 100644 --- a/rules/windows/image_load/image_load_wsman_provider_image_load.yml +++ b/rules/windows/image_load/image_load_wsman_provider_image_load.yml @@ -25,9 +25,9 @@ detection: - '\WsmAuto.dll' - '\Microsoft.WSMan.Management.ni.dll' - OriginalFileName: - - WsmSvc.dll - - WSMANAUTOMATION.DLL - - Microsoft.WSMan.Management.dll + - 'WsmSvc.dll' + - 'WSMANAUTOMATION.DLL' + - 'Microsoft.WSMan.Management.dll' respond_server: Image|endswith: '\svchost.exe' OriginalFileName: 'WsmWmiPl.dll' @@ -44,9 +44,9 @@ detection: - 'svchost.exe -k netsvcs' filter_mscorsvw: #Image: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe Image|startswith: - - C:\Windows\Microsoft.NET\Framework64\v - - C:\Windows\Microsoft.NET\Framework\v - Image|endswith: \mscorsvw.exe + - 'C:\Windows\Microsoft.NET\Framework64\v' + - 'C:\Windows\Microsoft.NET\Framework\v' + Image|endswith: '\mscorsvw.exe' filter_svr_2019: Image: - 'C:\Windows\System32\Configure-SMRemoting.exe' 
diff --git a/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml b/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml index 17542f99a..ab575a468 100755 --- a/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml +++ b/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml @@ -114,8 +114,8 @@ detection: - '0x1410' - '0x410' filter_edge: # version in path 96.0.1054.43 - SourceImage|startswith: C:\Program Files (x86)\Microsoft\Edge\Application\ - SourceImage|endswith: \Installer\setup.exe + SourceImage|startswith: 'C:\Program Files (x86)\Microsoft\Edge\Application\' + SourceImage|endswith: '\Installer\setup.exe' filter_webex: SourceImage|endswith: '\AppData\Local\WebEx\WebexHost.exe' GrantedAccess: '0x401' diff --git a/rules/windows/process_creation/proc_creation_win_attrib_system.yml b/rules/windows/process_creation/proc_creation_win_attrib_system.yml index 849ac3882..ae2142b61 100644 --- a/rules/windows/process_creation/proc_creation_win_attrib_system.yml +++ b/rules/windows/process_creation/proc_creation_win_attrib_system.yml @@ -12,7 +12,7 @@ logsource: product: windows detection: selection: - Image|endswith: \attrib.exe + Image|endswith: '\attrib.exe' CommandLine|contains: ' +s ' condition: selection falsepositives: diff --git a/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml b/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml index 364747f58..683ab0932 100644 --- a/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml +++ b/rules/windows/process_creation/proc_creation_win_attrib_system_susp_paths.yml @@ -15,7 +15,7 @@ logsource: product: windows detection: selection_basic: - Image|endswith: \attrib.exe + Image|endswith: '\attrib.exe' CommandLine|contains: ' +s' selection_paths: CommandLine|contains: 
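Review bot: `filter_edge` in proc_access_win_cred_dump_lsass_access excludes every LSASS access from any image matching the `C:\Program Files (x86)\Microsoft\Edge\Application\` prefix and `\Installer\setup.exe` suffix regardless of access mask, whereas the neighbouring `filter_webex` pins `GrantedAccess: '0x401'`. A path-only exclusion with no access constraint is a broad hole in a credential-dumping rule; consider adding `GrantedAccess: '<access mask observed for the Edge installer>'` as a third key of `filter_edge`, with the value taken from your own telemetry rather than guessed. The `'0x1410'`/`'0x410'` list at the top of the hunk belongs to a selection whose start is above the hunk, so the full detection logic is not visible here.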
diff --git a/rules/windows/process_creation/proc_creation_win_bootconf_mod.yml b/rules/windows/process_creation/proc_creation_win_bootconf_mod.yml index 820816abf..c042386d7 100644 --- a/rules/windows/process_creation/proc_creation_win_bootconf_mod.yml +++ b/rules/windows/process_creation/proc_creation_win_bootconf_mod.yml @@ -13,14 +13,14 @@ logsource: product: windows detection: selection1: - Image|endswith: \bcdedit.exe - CommandLine|contains: set + Image|endswith: '\bcdedit.exe' + CommandLine|contains: 'set' selection2: - CommandLine|contains|all: - - bootstatuspolicy - - ignoreallfailures + - 'bootstatuspolicy' + - 'ignoreallfailures' - CommandLine|contains|all: - - recoveryenabled + - 'recoveryenabled' - 'no' condition: all of selection* fields: diff --git a/rules/windows/process_creation/proc_creation_win_cmd_read_contents.yml b/rules/windows/process_creation/proc_creation_win_cmd_read_contents.yml index 54949d4c5..5cb6f6ffc 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_read_contents.yml +++ b/rules/windows/process_creation/proc_creation_win_cmd_read_contents.yml @@ -11,8 +11,8 @@ logsource: product: windows detection: selection_cmd: - - OriginalFileName: Cmd.Exe - - Image|endswith: \cmd.exe + - OriginalFileName: 'Cmd.Exe' + - Image|endswith: '\cmd.exe' selection_read: - ParentCommandLine|contains|all: - 'cmd ' diff --git a/rules/windows/process_creation/proc_creation_win_delete_systemstatebackup.yml b/rules/windows/process_creation/proc_creation_win_delete_systemstatebackup.yml index 6c41c701b..ee0e58bb6 100644 --- a/rules/windows/process_creation/proc_creation_win_delete_systemstatebackup.yml +++ b/rules/windows/process_creation/proc_creation_win_delete_systemstatebackup.yml @@ -15,8 +15,8 @@ logsource: product: windows detection: wbadmin_exe: - - Image|endswith: \wbadmin.exe - - CommandLine|contains: wbadmin + - Image|endswith: '\wbadmin.exe' + - CommandLine|contains: 'wbadmin' wbadmin_cmd: CommandLine|contains|all: - 'delete ' 
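Review bot: In proc_creation_win_bootconf_mod the second `selection2` alternative only requires `recoveryenabled` and `'no'` to appear somewhere in the command line, and a two-character `contains` term like `'no'` is satisfied by almost any path or argument, so `bcdedit ... recoveryenabled yes` launched from a directory containing those letters still fires. Tighten it to the actual token sequence, `- CommandLine|contains: 'recoveryenabled no'`, which also keeps the quoting needed to stop YAML reading `no` as a boolean. `selection1`'s `CommandLine|contains: 'set'` has the same shape and would benefit from a delimited form as well.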
diff --git a/rules/windows/process_creation/proc_creation_win_dirlister.yml b/rules/windows/process_creation/proc_creation_win_dirlister.yml index f51ca641d..6ec5dbe0c 100644 --- a/rules/windows/process_creation/proc_creation_win_dirlister.yml +++ b/rules/windows/process_creation/proc_creation_win_dirlister.yml @@ -11,8 +11,8 @@ logsource: product: windows detection: selection: - - OriginalFileName: DirLister.exe - - Image|endswith: \dirlister.exe + - OriginalFileName: 'DirLister.exe' + - Image|endswith: '\dirlister.exe' condition: selection falsepositives: - Legitimate use diff --git a/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_in_registry.yml b/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_in_registry.yml index 7fa8f4973..f68b1fb99 100644 --- a/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_in_registry.yml +++ b/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_in_registry.yml @@ -14,7 +14,7 @@ logsource: product: windows detection: reg: - Image|endswith: \reg.exe + Image|endswith: '\reg.exe' CommandLine|contains|all: - ' query ' - '/t ' diff --git a/rules/windows/process_creation/proc_creation_win_evil_winrm.yml b/rules/windows/process_creation/proc_creation_win_evil_winrm.yml index 843ad0759..862a2e4eb 100644 --- a/rules/windows/process_creation/proc_creation_win_evil_winrm.yml +++ b/rules/windows/process_creation/proc_creation_win_evil_winrm.yml @@ -12,7 +12,7 @@ logsource: product: windows detection: selection_mstsc: - Image|endswith: \ruby.exe + Image|endswith: '\ruby.exe' CommandLine|contains|all: - '-i ' - '-u ' diff --git a/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml b/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml index 46335f35f..74e7dffb0 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml 
+++ b/rules/windows/process_creation/proc_creation_win_findstr_gpp_passwords.yml @@ -11,11 +11,11 @@ logsource: product: windows detection: selection: - Image|endswith: \findstr.exe + Image|endswith: '\findstr.exe' CommandLine|contains|all: - - cpassword - - \sysvol\ - - .xml + - 'cpassword' + - '\sysvol\' + - '.xml' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml b/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml index b8633188b..45734b3a4 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_lsass.yml @@ -11,7 +11,7 @@ logsource: product: windows detection: selection1: - Image|endswith: \findstr.exe + Image|endswith: '\findstr.exe' CommandLine|contains: 'lsass' selection2: CommandLine|contains: diff --git a/rules/windows/process_creation/proc_creation_win_hack_rubeus.yml b/rules/windows/process_creation/proc_creation_win_hack_rubeus.yml index dbf26444a..0d5a5f0c3 100644 --- a/rules/windows/process_creation/proc_creation_win_hack_rubeus.yml +++ b/rules/windows/process_creation/proc_creation_win_hack_rubeus.yml @@ -13,7 +13,7 @@ logsource: product: windows detection: selection: - - Image|endswith: ˚\Rubeus.exe' + - Image|endswith: '\Rubeus.exe' - OriginalFileName: 'Rubeus.exe' - CommandLine|contains: - ' asreproast ' diff --git a/rules/windows/process_creation/proc_creation_win_iis_http_logging.yml b/rules/windows/process_creation/proc_creation_win_iis_http_logging.yml index b9df78894..cbcbd0a27 100644 --- a/rules/windows/process_creation/proc_creation_win_iis_http_logging.yml +++ b/rules/windows/process_creation/proc_creation_win_iis_http_logging.yml 
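Review bot: The proc_creation_win_hack_rubeus hunk is a functional fix rather than a quoting change: the old value `˚\Rubeus.exe'` parses as a plain scalar with a stray `˚` and a literal trailing quote, so the `Image|endswith` alternative could never match and detection rested on `OriginalFileName` and the command-line terms alone. That deserves a mention in the commit message and, if the rule carries a `modified` date (not visible in this hunk), an update to it, so downstream consumers can see that the rule's matching changed.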
@@ -11,10 +11,10 @@ logsource: product: windows detection: selection: - Image|endswith: \appcmd.exe + Image|endswith: '\appcmd.exe' CommandLine|contains|all: - - set - - config + - 'set' + - 'config' - '/section:httplogging' - '/dontLog:true' condition: selection diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_forfiles.yml b/rules/windows/process_creation/proc_creation_win_lolbin_forfiles.yml index faa1e637e..5f4809fe7 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_forfiles.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_forfiles.yml @@ -12,8 +12,8 @@ logsource: product: windows detection: selection_img: - - Image|endswith: \forfiles.exe - - OriginalFileName: forfiles.exe + - Image|endswith: '\forfiles.exe' + - OriginalFileName: 'forfiles.exe' selection_cli_p: CommandLine|contains: - ' /p ' diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml b/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml index e70af9399..04b8c37f4 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_fsharp_interpreters.yml @@ -14,10 +14,10 @@ logsource: product: windows detection: selection: - - Image|endswith: \fsianycpu.exe - - OriginalFileName: fsianycpu.exe - - Image|endswith: \fsi.exe - - OriginalFileName: fsi.exe + - Image|endswith: '\fsianycpu.exe' + - OriginalFileName: 'fsianycpu.exe' + - Image|endswith: '\fsi.exe' + - OriginalFileName: 'fsi.exe' condition: selection falsepositives: - Legitimate use by a software developer. diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml b/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml index 7362fda51..54f1fade6 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_pcalua.yml 
@@ -12,7 +12,7 @@ logsource: product: windows detection: selection: - Image|endswith: \pcalua.exe + Image|endswith: '\pcalua.exe' CommandLine|contains: ' -a' # No space after the flag because it accepts anything as long as there a "-a" condition: selection falsepositives: diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_pktmon.yml b/rules/windows/process_creation/proc_creation_win_lolbin_pktmon.yml index 03ff6c151..3f049184e 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_pktmon.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_pktmon.yml @@ -11,8 +11,8 @@ logsource: product: windows detection: selection: - - Image|endswith: PktMon.exe - - OriginalFileName: PktMon.exe + - Image|endswith: 'PktMon.exe' + - OriginalFileName: 'PktMon.exe' condition: selection falsepositives: - Legitimate use diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml b/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml index b67d12378..2c7e3e456 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_remote.yml @@ -12,8 +12,8 @@ logsource: product: windows detection: selection: - - Image|endswith: \remote.exe - - OriginalFileName: remote.exe + - Image|endswith: '\remote.exe' + - OriginalFileName: 'remote.exe' condition: selection falsepositives: - Approved installs of Windows SDK with Debugging Tools for Windows (WinDbg). diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml b/rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml index 0883160aa..55cd28dcc 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_ttdinject.yml 
@@ -11,8 +11,8 @@ logsource: category: process_creation detection: selection: - - Image|endswith: ttdinject.exe - - OriginalFileName: TTDInject.EXE + - Image|endswith: 'ttdinject.exe' + - OriginalFileName: 'TTDInject.EXE' condition: selection falsepositives: - Legitimate use diff --git a/rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml b/rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml index 665232bd3..658c9c1ad 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml @@ -26,7 +26,7 @@ detection: - '\msiexec.exe' - '\mshta.exe' - '\verclsid.exe' - ParentImage|endswith: \wbem\WmiPrvSE.exe + ParentImage|endswith: '\wbem\WmiPrvSE.exe' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_modify_group_policy_settings.yml b/rules/windows/process_creation/proc_creation_win_modify_group_policy_settings.yml index e755f5f89..788134856 100644 --- a/rules/windows/process_creation/proc_creation_win_modify_group_policy_settings.yml +++ b/rules/windows/process_creation/proc_creation_win_modify_group_policy_settings.yml @@ -14,10 +14,10 @@ logsource: product: windows detection: selection_reg: - - Image|endswith: \reg.exe - - OriginalFileName: reg.exe + - Image|endswith: '\reg.exe' + - OriginalFileName: 'reg.exe' selection_path: - CommandLine|contains: \SOFTWARE\Policies\Microsoft\Windows\System + CommandLine|contains: '\SOFTWARE\Policies\Microsoft\Windows\System' selection_key: CommandLine|contains: - GroupPolicyRefreshTimeDC diff --git a/rules/windows/process_creation/proc_creation_win_mstsc.yml b/rules/windows/process_creation/proc_creation_win_mstsc.yml index f1ebcd170..e7200ba8f 100644 --- a/rules/windows/process_creation/proc_creation_win_mstsc.yml 
+++ b/rules/windows/process_creation/proc_creation_win_mstsc.yml @@ -13,12 +13,12 @@ logsource: product: windows detection: selection_mstsc_img: - - Image|endswith: \mstsc.exe + - Image|endswith: '\mstsc.exe' - OriginalFileName: 'mstsc.exe' selection_mstsc_cli: CommandLine|contains: ' /v:' selection_cmdkey_img: - - Image|endswith: \cmdkey.exe + - Image|endswith: '\cmdkey.exe' - OriginalFileName: 'cmdkey.exe' selection_cmdkey_cli: CommandLine|contains|all: diff --git a/rules/windows/process_creation/proc_creation_win_redirect_to_stream.yml b/rules/windows/process_creation/proc_creation_win_redirect_to_stream.yml index 82a9dddce..2d3201046 100644 --- a/rules/windows/process_creation/proc_creation_win_redirect_to_stream.yml +++ b/rules/windows/process_creation/proc_creation_win_redirect_to_stream.yml @@ -12,7 +12,7 @@ logsource: product: windows detection: selection: - Image|endswith: \cmd.exe + Image|endswith: '\cmd.exe' CommandLine|contains|all: - '> ' - ':' diff --git a/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml b/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml index 7885f41d7..49cffb491 100644 --- a/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml +++ b/rules/windows/process_creation/proc_creation_win_reg_defender_exclusion.yml @@ -13,7 +13,7 @@ logsource: product: windows detection: selection: - Image|endswith: \reg.exe + Image|endswith: '\reg.exe' CommandLine|contains: - 'SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths' - 'SOFTWARE\Microsoft\Microsoft Antimalware\Exclusions\Paths' diff --git a/rules/windows/process_creation/proc_creation_win_reg_defender_tampering.yml b/rules/windows/process_creation/proc_creation_win_reg_defender_tampering.yml index ec4972e4c..95158c6d0 100644 --- a/rules/windows/process_creation/proc_creation_win_reg_defender_tampering.yml +++ b/rules/windows/process_creation/proc_creation_win_reg_defender_tampering.yml 
@@ -12,7 +12,7 @@ logsource: product: windows detection: selection_reg: - Image|endswith: \reg.exe + Image|endswith: '\reg.exe' CommandLine|contains: - 'SOFTWARE\Microsoft\Windows Defender\' - 'SOFTWARE\Policies\Microsoft\Windows Defender\' diff --git a/rules/windows/process_creation/proc_creation_win_reg_lsass_ppl.yml b/rules/windows/process_creation/proc_creation_win_reg_lsass_ppl.yml index 5a2eaee7f..2a0e9d6c8 100644 --- a/rules/windows/process_creation/proc_creation_win_reg_lsass_ppl.yml +++ b/rules/windows/process_creation/proc_creation_win_reg_lsass_ppl.yml @@ -12,7 +12,7 @@ logsource: product: windows detection: selection: - Image|endswith: \reg.exe + Image|endswith: '\reg.exe' CommandLine|contains: 'SYSTEM\CurrentControlSet\Control\Lsa' CommandLine|contains|all: - ' add ' diff --git a/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml b/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml index 4ef863756..fca482d00 100644 --- a/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml +++ b/rules/windows/process_creation/proc_creation_win_reg_service_imagepath_change.yml @@ -15,7 +15,7 @@ logsource: product: windows detection: selection: - Image|endswith: \reg.exe + Image|endswith: '\reg.exe' CommandLine|contains|all: - 'add ' - 'SYSTEM\CurrentControlSet\Services\' diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml b/rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml index b082d9ad1..d7aab415a 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_registered_com_objects.yml @@ -12,7 +12,7 @@ logsource: product: windows detection: selection: - Image|endswith: \rundll32.exe + Image|endswith: '\rundll32.exe' CommandLine|contains: - '-sta ' - '-localserver ' 
diff --git a/rules/windows/process_creation/proc_creation_win_susp_adidnsdump.yml b/rules/windows/process_creation/proc_creation_win_susp_adidnsdump.yml index e685e5f27..920abf901 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_adidnsdump.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_adidnsdump.yml @@ -13,8 +13,8 @@ logsource: product: windows detection: selection: - Image|endswith: \python.exe - CommandLine|contains: adidnsdump + Image|endswith: '\python.exe' + CommandLine|contains: 'adidnsdump' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_susp_cipher.yml b/rules/windows/process_creation/proc_creation_win_susp_cipher.yml index a42c69d63..d957d0a23 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_cipher.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_cipher.yml @@ -13,7 +13,7 @@ logsource: product: windows detection: selection: - Image|endswith: \cipher.exe + Image|endswith: '\cipher.exe' CommandLine|contains: ' /w:' condition: selection falsepositives: diff --git a/rules/windows/process_creation/proc_creation_win_susp_cscript_vbs.yml b/rules/windows/process_creation/proc_creation_win_susp_cscript_vbs.yml index 068486647..7b120d39e 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_cscript_vbs.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_cscript_vbs.yml @@ -11,7 +11,7 @@ logsource: product: windows detection: selection: - Image|endswith: \cscript.exe + Image|endswith: '\cscript.exe' CommandLine|contains: '.vbs' condition: selection falsepositives: diff --git a/rules/windows/process_creation/proc_creation_win_susp_explorer.yml b/rules/windows/process_creation/proc_creation_win_susp_explorer.yml index 08a99c7ea..e2bf2c3b8 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_explorer.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_explorer.yml 
@@ -12,9 +12,9 @@ logsource: product: windows detection: selection: - Image|endswith: \explorer.exe - ParentImage|endswith: \cmd.exe - CommandLine|contains: explorer.exe + Image|endswith: '\explorer.exe' + ParentImage|endswith: '\cmd.exe' + CommandLine|contains: 'explorer.exe' condition: selection falsepositives: - Legitimate explorer.exe run from cmd.exe diff --git a/rules/windows/process_creation/proc_creation_win_susp_findstr_385201.yml b/rules/windows/process_creation/proc_creation_win_susp_findstr_385201.yml index 0a8b8b564..3115ae5c8 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_findstr_385201.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_findstr_385201.yml @@ -11,7 +11,7 @@ logsource: product: windows detection: selection: - Image|endswith: \findstr.exe + Image|endswith: '\findstr.exe' CommandLine|contains: ' 385201' condition: selection falsepositives: diff --git a/rules/windows/process_creation/proc_creation_win_susp_hostname.yml b/rules/windows/process_creation/proc_creation_win_susp_hostname.yml index 1f784ad01..cb9ce8cd4 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_hostname.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_hostname.yml @@ -12,7 +12,7 @@ logsource: product: windows detection: selection: - Image|endswith: \HOSTNAME.EXE + Image|endswith: '\HOSTNAME.EXE' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_susp_instalutil.yml b/rules/windows/process_creation/proc_creation_win_susp_instalutil.yml index 4a01fbe5f..538d0bb28 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_instalutil.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_instalutil.yml 
@@ -13,8 +13,8 @@ logsource: product: windows detection: selection: - Image|endswith: \InstallUtil.exe - Image|contains: Microsoft.NET\Framework + Image|endswith: '\InstallUtil.exe' + Image|contains: 'Microsoft.NET\Framework' CommandLine|contains|all: - '/logfile= ' - '/LogToConsole=false' diff --git a/rules/windows/process_creation/proc_creation_win_susp_machineguid.yml b/rules/windows/process_creation/proc_creation_win_susp_machineguid.yml index 294d70f06..58e39bcea 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_machineguid.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_machineguid.yml @@ -11,7 +11,7 @@ logsource: product: windows detection: selection: - Image|endswith: \reg.exe + Image|endswith: '\reg.exe' CommandLine|contains|all: - 'SOFTWARE\Microsoft\Cryptography' - '/v ' diff --git a/rules/windows/process_creation/proc_creation_win_susp_print.yml b/rules/windows/process_creation/proc_creation_win_susp_print.yml index cdce6db20..d7f8dfc8e 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_print.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_print.yml @@ -13,13 +13,13 @@ logsource: product: windows detection: selection: - Image|endswith: \print.exe - CommandLine|startswith: print + Image|endswith: '\print.exe' + CommandLine|startswith: 'print' CommandLine|contains|all: - - /D - - .exe + - '/D' + - '.exe' filter_print: - CommandLine|contains: print.exe + CommandLine|contains: 'print.exe' condition: selection and not filter_print falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_susp_rasdial_activity.yml b/rules/windows/process_creation/proc_creation_win_susp_rasdial_activity.yml index 0be3e83c4..f8284b9e4 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_rasdial_activity.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_rasdial_activity.yml 
@@ -12,7 +12,7 @@ logsource: product: windows detection: selection: - Image|endswith: rasdial.exe + Image|endswith: 'rasdial.exe' condition: selection falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment diff --git a/rules/windows/process_creation/proc_creation_win_susp_reg_add.yml b/rules/windows/process_creation/proc_creation_win_susp_reg_add.yml index 27f52bcaa..e0764e923 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_reg_add.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_reg_add.yml @@ -13,8 +13,8 @@ logsource: product: windows detection: selection_reg: - - Image|endswith: \reg.exe - - OriginalFileName: reg.exe + - Image|endswith: '\reg.exe' + - OriginalFileName: 'reg.exe' selection_path: CommandLine|contains: - '\Software\AppDataLow\Software\Microsoft\' diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml b/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml index 58b736101..c55a53407 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml @@ -14,11 +14,11 @@ logsource: product: windows detection: schtasks_exe: - Image|endswith: \schtasks.exe + Image|endswith: '\schtasks.exe' CommandLine|contains|all: - - /Change - - /TN - - /disable + - '/Change' + - '/TN' + - '/disable' #split to add other CommandLine|contains: - 'Microsoft\Windows\SystemRestore\SR' diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_run_level.yml b/rules/windows/process_creation/proc_creation_win_susp_schtasks_run_level.yml new file mode 100644 index 000000000..232fb689b --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_susp_schtasks_run_level.yml 
@@ -0,0 +1,34 @@ +title: Scheduled Task Creation With Highest Run Level +id: 4035f650-fe4c-48b7-ac2f-c1b83f1dae2f +status: experimental +description: Detects the creation of suspicious tasks with Highest Run Level +author: elhoim +date: 2022/04/27 +references: + - https://docs.microsoft.com/en-us/windows/win32/taskschd/schtasks +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: '\schtasks.exe' + CommandLine|contains: + - ' /create ' + - ' /RL ' + - 'Highest' + condition: + selection +fields: + - CommandLine + - ParentCommandLine +tags: + - attack.execution + - attack.persistence + - attack.privilege_escalation + - attack.t1053.005 + - attack.s0111 + - car.2013-08-001 +falsepositives: + - Administrative activity + - Software installation +level: low \ No newline at end of file diff --git a/rules/windows/process_creation/proc_creation_win_susp_shutdown.yml b/rules/windows/process_creation/proc_creation_win_susp_shutdown.yml index 952810c5b..49d37234c 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_shutdown.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_shutdown.yml @@ -12,7 +12,7 @@ logsource: product: windows detection: selection: - Image|endswith: \shutdown.exe + Image|endswith: '\shutdown.exe' CommandLine|contains: - '/r ' - '/s ' diff --git a/rules/windows/process_creation/proc_creation_win_susp_spoolsv_child_processes.yml b/rules/windows/process_creation/proc_creation_win_susp_spoolsv_child_processes.yml index 9a9b615ed..3b98d4dd0 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_spoolsv_child_processes.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_spoolsv_child_processes.yml 
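Review bot: `CommandLine|contains:` with a list in the new proc_creation_win_susp_schtasks_run_level.yml is an OR over ' /create ', ' /RL ' and 'Highest', so any schtasks invocation carrying /create, or any command line that merely contains 'Highest', fires on its own; the title ("With Highest Run Level") reads as if all three must be present, which would be `CommandLine|contains|all:`. The file is also committed without a trailing newline. This rule is deleted again in PATCH 21/59 as added by mistake, so the point only matters if it is reinstated.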
@@ -17,56 +17,56 @@ logsource: product: windows detection: spoolsv: - ParentImage|endswith: \spoolsv.exe + ParentImage|endswith: '\spoolsv.exe' IntegrityLevel: System suspicious_unrestricted: Image|endswith: - - \gpupdate.exe - - \whoami.exe - - \nltest.exe - - \taskkill.exe - - \wmic.exe - - \taskmgr.exe - - \sc.exe - - \findstr.exe - - \curl.exe - - \wget.exe - - \certutil.exe - - \bitsadmin.exe - - \accesschk.exe - - \wevtutil.exe - - \bcdedit.exe - - \fsutil.exe - - \cipher.exe - - \schtasks.exe - - \write.exe - - \wuauclt.exe + - '\gpupdate.exe' + - '\whoami.exe' + - '\nltest.exe' + - '\taskkill.exe' + - '\wmic.exe' + - '\taskmgr.exe' + - '\sc.exe' + - '\findstr.exe' + - '\curl.exe' + - '\wget.exe' + - '\certutil.exe' + - '\bitsadmin.exe' + - '\accesschk.exe' + - '\wevtutil.exe' + - '\bcdedit.exe' + - '\fsutil.exe' + - '\cipher.exe' + - '\schtasks.exe' + - '\write.exe' + - '\wuauclt.exe' suspicious_net: - Image|endswith: \net.exe + Image|endswith: '\net.exe' suspicious_net_filter: - CommandLine|contains: start + CommandLine|contains: 'start' suspicious_cmd: - Image|endswith: \cmd.exe + Image|endswith: '\cmd.exe' suspicious_cmd_filter: CommandLine|contains: - - .spl - - route add - - program files + - '.spl' + - 'route add' + - 'program files' suspicious_netsh: - Image|endswith: \netsh.exe + Image|endswith: '\netsh.exe' suspicious_netsh_filter: CommandLine|contains: - 'add portopening' - 'rule name' suspicious_powershell: Image|endswith: - - \powershell.exe - - \pwsh.exe + - '\powershell.exe' + - '\pwsh.exe' suspicious_powershell_filter: - CommandLine|contains: .spl + CommandLine|contains: '.spl' suspicious_rundll32: - Image|endswith: \rundll32.exe - CommandLine|endswith: rundll32.exe + Image|endswith: '\rundll32.exe' + CommandLine|endswith: 'rundll32.exe' condition: spoolsv and ( suspicious_unrestricted or (suspicious_net and not suspicious_net_filter) 
diff --git a/rules/windows/process_creation/proc_creation_win_susp_systeminfo.yml b/rules/windows/process_creation/proc_creation_win_susp_systeminfo.yml
index 714c41b07..c3b5569b2 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_systeminfo.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_systeminfo.yml
@@ -13,8 +13,8 @@ logsource:
 product: windows
 detection:
 selection:
- - Image|endswith: \systeminfo.exe
- - OriginalFileName: sysinfo.exe
+ - Image|endswith: '\systeminfo.exe'
+ - OriginalFileName: 'sysinfo.exe'
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_susp_tasklist_command.yml b/rules/windows/process_creation/proc_creation_win_susp_tasklist_command.yml
index 524acbcc1..24ee1274f 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_tasklist_command.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_tasklist_command.yml
@@ -11,8 +11,8 @@ logsource:
 product: windows
 detection:
 selection:
- - CommandLine|contains: tasklist
- - Image|endswith: \tasklist.exe
+ - CommandLine|contains: 'tasklist'
+ - Image|endswith: '\tasklist.exe'
 - OriginalFileName: 'tasklist.exe'
 condition: selection
 falsepositives:
diff --git a/rules/windows/process_creation/proc_creation_win_trufflesnout.yml b/rules/windows/process_creation/proc_creation_win_trufflesnout.yml
index 2d9b9503e..30f854856 100644
--- a/rules/windows/process_creation/proc_creation_win_trufflesnout.yml
+++ b/rules/windows/process_creation/proc_creation_win_trufflesnout.yml
@@ -12,8 +12,8 @@ logsource:
 product: windows
 detection:
 selection:
- - OriginalFileName: TruffleSnout.exe
- - Image|endswith: \TruffleSnout.exe
+ - OriginalFileName: 'TruffleSnout.exe'
+ - Image|endswith: '\TruffleSnout.exe'
 condition: selection
 falsepositives:
 - Legitimate use
diff --git a/rules/windows/process_creation/proc_creation_win_webbrowserpassview.yml b/rules/windows/process_creation/proc_creation_win_webbrowserpassview.yml index 9a1557497..dd964b0e8 100644 --- a/rules/windows/process_creation/proc_creation_win_webbrowserpassview.yml +++ b/rules/windows/process_creation/proc_creation_win_webbrowserpassview.yml @@ -12,7 +12,7 @@ logsource: detection: selection: - Description: 'Web Browser Password Viewer' - - Image|endswith: \WebBrowserPassView.exe + - Image|endswith: '\WebBrowserPassView.exe' condition: selection falsepositives: - Legitimate use diff --git a/rules/windows/process_creation/proc_creation_win_wmic_reconnaissance.yml b/rules/windows/process_creation/proc_creation_win_wmic_reconnaissance.yml index 7cf95a1a5..6ac08e03b 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_reconnaissance.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_reconnaissance.yml @@ -13,17 +13,17 @@ logsource: product: windows detection: selection_img: - - Image|endswith: \WMIC.exe + - Image|endswith: '\WMIC.exe' - OriginalFileName: 'wmic.exe' selection_cli: CommandLine|contains: - - process - - qfe + - 'process' + - 'qfe' filter: CommandLine|contains|all: #rule id 526be59f-a573-4eea-b5f7-f0973207634d for `wmic process call create #{process_to_execute}` - - call - - create + - 'call' + - 'create' condition: all of selection* and not filter falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_wmic_remote_command.yml b/rules/windows/process_creation/proc_creation_win_wmic_remote_command.yml index 395005d21..1f5ab1965 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_remote_command.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_remote_command.yml 
@@ -13,14 +13,14 @@ logsource: product: windows detection: selection_img: - - Image|endswith: \WMIC.exe + - Image|endswith: '\WMIC.exe' - OriginalFileName: 'wmic.exe' selection_cli: CommandLine|contains|all: - '/node:' - - process - - call - - create + - 'process' + - 'call' + - 'create' condition: all of selection* falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_wmic_remote_service.yml b/rules/windows/process_creation/proc_creation_win_wmic_remote_service.yml index f9811671d..77249816d 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_remote_service.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_remote_service.yml @@ -17,12 +17,12 @@ logsource: product: windows detection: selection_img: - - Image|endswith: \WMIC.exe + - Image|endswith: '\WMIC.exe' - OriginalFileName: 'wmic.exe' selection_cli: CommandLine|contains|all: - '/node:' - - service + - 'service' condition: all of selection* falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_wmic_remove_application.yml b/rules/windows/process_creation/proc_creation_win_wmic_remove_application.yml index 93b1d543d..24f115923 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_remove_application.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_remove_application.yml @@ -12,10 +12,10 @@ logsource: product: windows detection: selection_img: - - Image|endswith: \WMIC.exe + - Image|endswith: '\WMIC.exe' - OriginalFileName: 'wmic.exe' selection_cli: - CommandLine|contains: call uninstall + CommandLine|contains: 'call uninstall' condition: all of selection* falsepositives: - Unknown diff --git a/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml b/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml index 2aca01788..e4a73cafd 100644 --- a/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml 
+++ b/rules/windows/registry/registry_set/registry_set_bypass_uac_using_delegateexecute.yml @@ -15,7 +15,7 @@ logsource: detection: selection: EventType: SetValue - TargetObject|endswith: \open\command\DelegateExecute + TargetObject|endswith: '\open\command\DelegateExecute' Details: (Empty) condition: selection falsepositives: diff --git a/rules/windows/registry/registry_set/registry_set_disable_administrative_share.yml b/rules/windows/registry/registry_set/registry_set_disable_administrative_share.yml index 09ee0df1f..3c26e4b6f 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_administrative_share.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_administrative_share.yml @@ -13,11 +13,11 @@ logsource: detection: selection: EventType: SetValue - TargetObject|startswith: HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\ + TargetObject|startswith: 'HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\' TargetObject|endswith: - - AutoShareWks - - AutoShareServer - Details: DWORD (0x00000000) + - 'AutoShareWks' + - 'AutoShareServer' + Details: 'DWORD (0x00000000)' condition: selection falsepositives: - Unknown diff --git a/rules/windows/registry/registry_set/registry_set_disable_defender_firewall.yml b/rules/windows/registry/registry_set/registry_set_disable_defender_firewall.yml index 532756d32..30c87d624 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_defender_firewall.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_defender_firewall.yml 
@@ -16,9 +16,9 @@ detection: #HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall #HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall #HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall - TargetObject|startswith: HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\ - TargetObject|endswith: \EnableFirewall - Details: DWORD (0x00000000) + TargetObject|startswith: 'HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\' + TargetObject|endswith: '\EnableFirewall' + Details: 'DWORD (0x00000000)' condition: selection falsepositives: - Unknown diff --git a/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml b/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml index 5de3afd02..e6c0e3d8e 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml @@ -12,8 +12,8 @@ logsource: detection: selection: EventType: SetValue - TargetObject|endswith: Windows\CurrentVersion\ImmersiveShell\UseActionCenterExperience - Details: DWORD (0x00000000) + TargetObject|endswith: 'Windows\CurrentVersion\ImmersiveShell\UseActionCenterExperience' + Details: 'DWORD (0x00000000)' condition: selection falsepositives: - Unknown diff --git a/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml b/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml index 75a52bd13..a0d67a125 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml 
@@ -14,9 +14,9 @@ logsource: detection: selection: EventType: SetValue - TargetObject|startswith: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\ - TargetObject|endswith: \Enabled - Details: DWORD (0x00000000) + TargetObject|startswith: 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\' + TargetObject|endswith: '\Enabled' + Details: 'DWORD (0x00000000)' filter_wevutil: Image|endswith: '\Windows\system32\wevtutil.exe' #FP generated during installation of manifests via wevtutil filter_iis: diff --git a/rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml b/rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml index e755507fe..322cf5715 100644 --- a/rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml +++ b/rules/windows/registry/registry_set/registry_set_disallowrun_execution.yml @@ -12,8 +12,8 @@ logsource: detection: selection: EventType: SetValue - TargetObject|endswith: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun - Details: DWORD (0x00000001) + TargetObject|endswith: 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun' + Details: 'DWORD (0x00000001)' condition: selection falsepositives: - Unknown diff --git a/rules/windows/registry/registry_set/registry_set_hidden_extention.yml b/rules/windows/registry/registry_set/registry_set_hidden_extention.yml index 116d4acdc..4690ef61e 100644 --- a/rules/windows/registry/registry_set/registry_set_hidden_extention.yml +++ b/rules/windows/registry/registry_set/registry_set_hidden_extention.yml 
@@ -15,12 +15,12 @@ logsource: detection: selection_HideFileExt: EventType: SetValue - TargetObject|endswith: \SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt - Details: DWORD (0x00000001) + TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt' + Details: 'DWORD (0x00000001)' selection_Hidden: EventType: SetValue - TargetObject|endswith: \SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden - Details: DWORD (0x00000002) + TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden' + Details: 'DWORD (0x00000002)' condition: 1 of selection_* falsepositives: - Administrative scripts diff --git a/rules/windows/registry/registry_set/registry_set_ie_persistence.yml b/rules/windows/registry/registry_set/registry_set_ie_persistence.yml index 5a4b3de35..6e9968124 100644 --- a/rules/windows/registry/registry_set/registry_set_ie_persistence.yml +++ b/rules/windows/registry/registry_set/registry_set_ie_persistence.yml @@ -13,9 +13,9 @@ logsource: detection: selection_domains: EventType: SetValue - TargetObject|contains: \Software\Microsoft\Windows\CurrentVersion\Internet Settings + TargetObject|contains: '\Software\Microsoft\Windows\CurrentVersion\Internet Settings' filter_dword: - Details|startswith: DWORD + Details|startswith: 'DWORD' filter_office: Details: - 'Cookie:' diff --git a/rules/windows/registry/registry_set/registry_set_mal_adwind.yml b/rules/windows/registry/registry_set/registry_set_mal_adwind.yml index 1b29771e1..27e863f79 100644 --- a/rules/windows/registry/registry_set/registry_set_mal_adwind.yml +++ b/rules/windows/registry/registry_set/registry_set_mal_adwind.yml 
@@ -17,7 +17,7 @@ logsource: detection: selection: EventType: SetValue - TargetObject|startswith: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run + TargetObject|startswith: 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' Details|startswith: '%AppData%\Roaming\Oracle\bin\' condition: selection level: high diff --git a/rules/windows/registry/registry_set/registry_set_office_enable_dde.yml b/rules/windows/registry/registry_set/registry_set_office_enable_dde.yml index 6413434c0..ddc1c6bf9 100644 --- a/rules/windows/registry/registry_set/registry_set_office_enable_dde.yml +++ b/rules/windows/registry/registry_set/registry_set_office_enable_dde.yml @@ -13,16 +13,16 @@ logsource: detection: selection_word: EventType: SetValue - TargetObject|endswith: \Word\Security\AllowDDE + TargetObject|endswith: '\Word\Security\AllowDDE' Details: - - DWORD (0x00000001) - - DWORD (0x00000002) + - 'DWORD (0x00000001)' + - 'DWORD (0x00000002)' selection_excel: EventType: SetValue TargetObject|endswith: - - \Excel\Security\DisableDDEServerLaunch - - \Excel\Security\DisableDDEServerLookup - Details: DWORD (0x00000000) + - '\Excel\Security\DisableDDEServerLaunch' + - '\Excel\Security\DisableDDEServerLookup' + Details: 'DWORD (0x00000000)' condition: 1 of selection_* falsepositives: - Unknown diff --git a/rules/windows/registry/registry_set/registry_set_outlook_registry_todaypage.yml b/rules/windows/registry/registry_set/registry_set_outlook_registry_todaypage.yml index 4570449f0..0d9630a45 100644 --- a/rules/windows/registry/registry_set/registry_set_outlook_registry_todaypage.yml +++ b/rules/windows/registry/registry_set/registry_set_outlook_registry_todaypage.yml 
@@ -17,10 +17,10 @@ detection: - 'Software\Microsoft\Office\' - '\Outlook\Today\' selectionStamp: - TargetObject|endswith: Stamp - Details: DWORD (0x00000001) + TargetObject|endswith: 'Stamp' + Details: 'DWORD (0x00000001)' selectionUserDefined: - TargetObject|endswith: UserDefinedUrl + TargetObject|endswith: 'UserDefinedUrl' filter_office: Image|startswith: - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\' diff --git a/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml b/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml index 7cc7ca808..31ec2a029 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml @@ -37,11 +37,11 @@ detection: - '\AppData\Roaming\Dropbox\' - '\DropboxExt64.*.dll' filter4: - Details|endswith: TmopIEPlg.dll #TrendMicro osce + Details|endswith: 'TmopIEPlg.dll' #TrendMicro osce filter5: Image: - - C:\WINDOWS\system32\wuauclt.exe - - C:\WINDOWS\system32\svchost.exe + - 'C:\WINDOWS\system32\wuauclt.exe' + - 'C:\WINDOWS\system32\svchost.exe' filter_defender: Image|startswith: - 'C:\ProgramData\Microsoft\Windows Defender\Platform\' diff --git a/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml b/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml index bb3268bd4..8c09aacb7 100755 --- a/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml +++ b/rules/windows/registry/registry_set/registry_set_uac_bypass_sdclt.yml 
@@ -14,10 +14,10 @@ logsource: detection: selection1: EventType: SetValue - TargetObject|endswith: Software\Classes\exefile\shell\runas\command\isolatedCommand + TargetObject|endswith: 'Software\Classes\exefile\shell\runas\command\isolatedCommand' selection2: EventType: SetValue - TargetObject|endswith: Software\Classes\Folder\shell\open\command\SymbolicLinkValue + TargetObject|endswith: 'Software\Classes\Folder\shell\open\command\SymbolicLinkValue' Details|contains: '-1???\Software\Classes\' condition: 1 of selection* falsepositives: diff --git a/script.sh b/script.sh new file mode 100755 index 000000000..ba2bfbee2 --- /dev/null +++ b/script.sh @@ -0,0 +1,6 @@ +for i in $(find . -type f -iname *.yml | grep -i suspicious); +do + DIR=$(dirname $i) + NEW_NAME=$(basename $i | sed 's/suspicious/susp/') + git mv $i $DIR/$NEW_NAME +done \ No newline at end of file From 33ff230ae152eba84e03137ef30310143403430c Mon Sep 17 00:00:00 2001 From: David ANDRE Date: Thu, 1 Sep 2022 15:27:20 +0200 Subject: [PATCH 20/59] Added modified date --- rules/windows/file_change/file_change_win_2022_timestomping.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/file_change/file_change_win_2022_timestomping.yml b/rules/windows/file_change/file_change_win_2022_timestomping.yml index 0c8f13a13..7f2d5165d 100644 --- a/rules/windows/file_change/file_change_win_2022_timestomping.yml +++ b/rules/windows/file_change/file_change_win_2022_timestomping.yml @@ -8,6 +8,7 @@ references: - https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html author: frack113, Florian Roth date: 2022/08/12 +modified: 2022/09/01 logsource: category: file_change product: windows From 1e791b85c01d835a8298dbc2563307d06870f5ce Mon Sep 17 00:00:00 2001 
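Review bot: script.sh at the repository root looks like a one-off rename helper that was committed together with the rule edits rather than a project file, and as written it is fragile: `-iname *.yml` is an unquoted glob that the shell expands before find sees it whenever a .yml file sits in the working directory, and `$i`, `dirname $i`, `basename $i` and `git mv $i $DIR/$NEW_NAME` are all unquoted, so any path containing whitespace is word-split. `grep -i suspicious` is case-insensitive while `sed 's/suspicious/susp/'` is not, so a path matching only in a different case (or only in a directory name) yields NEW_NAME equal to the original basename and `git mv` onto itself. If the script is meant to stay, quote the pattern and every expansion and feed find's output through -print0; otherwise drop it from the commit. The file also lacks a trailing newline.
```shell
#!/usr/bin/env bash
find . -type f -name '*suspicious*.yml' -print0 | while IFS= read -r -d '' i; do
  DIR=$(dirname "$i")
  NEW_NAME=$(basename "$i" | sed 's/suspicious/susp/')
  git mv "$i" "$DIR/$NEW_NAME"
done
```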
From: David ANDRE Date: Thu, 1 Sep 2022 15:44:16 +0200 Subject: [PATCH 21/59] Removing dev rule added by mistake --- ...c_creation_win_susp_schtasks_run_level.yml | 34 ------------------- 1 file changed, 34 deletions(-) delete mode 100644 rules/windows/process_creation/proc_creation_win_susp_schtasks_run_level.yml diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_run_level.yml b/rules/windows/process_creation/proc_creation_win_susp_schtasks_run_level.yml deleted file mode 100644 index 232fb689b..000000000 --- a/rules/windows/process_creation/proc_creation_win_susp_schtasks_run_level.yml +++ /dev/null @@ -1,34 +0,0 @@ -title: Scheduled Task Creation With Highest Run Level -id: 4035f650-fe4c-48b7-ac2f-c1b83f1dae2f -status: experimental -description: Detects the creation of suspicious tasks with Highest Run Level -author: elhoim -date: 2022/04/27 -references: - - https://docs.microsoft.com/en-us/windows/win32/taskschd/schtasks -logsource: - category: process_creation - product: windows -detection: - selection: - Image|endswith: '\schtasks.exe' - CommandLine|contains: - - ' /create ' - - ' /RL ' - - 'Highest' - condition: - selection -fields: - - CommandLine - - ParentCommandLine -tags: - - attack.execution - - attack.persistence - - attack.privilege_escalation - - attack.t1053.005 - - attack.s0111 - - car.2013-08-001 -falsepositives: - - Administrative activity - - Software installation -level: low \ No newline at end of file From dee365f56216aa15afd7724d1eb501982f87c512 Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Thu, 1 Sep 2022 17:52:57 +0200 Subject: [PATCH 22/59] fix: FP in testing environment --- .../registry_set/registry_set_persistence_search_order.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
diff --git a/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml b/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml index 7cc7ca808..9652087b7 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml @@ -7,7 +7,7 @@ references: - https://attack.mitre.org/techniques/T1546/015/ author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien date: 2020/04/14 -modified: 2022/08/10 +modified: 2022/09/01 logsource: category: registry_set product: windows @@ -74,6 +74,9 @@ detection: filter_poqexec: Image: 'C:\Windows\System32\poqexec.exe' Details|contains: 'C:\Windows\System32\Autopilot.dll' + filter_sec_health_svc: + Image: 'C:\Windows\system32\SecurityHealthService.exe' + Details|contains: '\C:\Windows\System32\SecurityHealth' condition: selection and not 1 of filter* falsepositives: - Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level From 9a1a87de186c15a36e001bd4fdeb2c5a84559060 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Fri, 2 Sep 2022 06:42:47 +0200 Subject: [PATCH 23/59] Update proc_creation_win_susp_net_use.yml --- .../windows/process_creation/proc_creation_win_susp_net_use.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/process_creation/proc_creation_win_susp_net_use.yml b/rules/windows/process_creation/proc_creation_win_susp_net_use.yml index 7df7b88a3..405c01968 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_net_use.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_net_use.yml 
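Review bot: The value in `Details|contains: '\C:\Windows\System32\SecurityHealth'` in the new filter_sec_health_svc starts with a backslash before the drive letter, which looks like a typo; unless the SecurityHealthService event really stores the path with that leading `\`, the filter never matches and the false positive it is meant to suppress keeps firing — confirm against the event that motivated the change. If it is a typo the fix is `Details|contains: 'C:\Windows\System32\SecurityHealth'`. The filter also writes `system32` in Image but `System32` in Details; harmless on case-insensitive backends, but aligning it with the neighbouring filter_poqexec keeps the file consistent.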
@@ -5,6 +5,7 @@ description: Detects net use command combo which executes files from WebDAV serv author: pH-T references: - https://twitter.com/ShadowChasing1/status/1552595370961944576 + - https://www.virustotal.com/gui/file/a63376ee1dba76361df73338928e528ca5b20171ea74c24581605366dcaa0104/behavior date: 2022/09/01 logsource: category: process_creation From 48c1104b1a58521c40b6ba7d476fc00118dcf08d Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 2 Sep 2022 09:15:21 +0200 Subject: [PATCH 24/59] New+Update --- .../driver_load/driver_load_vuln_drivers.yml | 15 +- .../proc_creation_win_bypass_squiblytwo.yml | 66 ++-- .../proc_creation_win_certoc_execution.yml | 6 +- ...oc_creation_win_certutil_ntlm_coercion.yml | 26 ++ ...roc_creation_win_chrome_load_extension.yml | 2 +- ...c_creation_win_chrome_remote_debugging.yml | 2 +- .../proc_creation_win_cleanwipe.yml | 4 +- .../proc_creation_win_cmd_delete.yml | 2 +- .../proc_creation_win_cmd_dosfuscation.yml | 4 +- ..._win_net_default_accounts_manipulation.yml | 35 ++ ..._creation_win_rundll32_parent_explorer.yml | 4 +- .../proc_creation_win_service_stop.yml | 4 +- ...roc_creation_win_susp_clsid_foldername.yml | 32 ++ ..._creation_win_susp_openas_rundll_usage.yml | 27 ++ .../proc_creation_win_susp_service_stop.yml | 319 ++++++++++++++++++ 15 files changed, 501 insertions(+), 47 deletions(-) create mode 100644 rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion.yml create mode 100644 rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml create mode 100644 rules/windows/process_creation/proc_creation_win_susp_clsid_foldername.yml create mode 100644 rules/windows/process_creation/proc_creation_win_susp_openas_rundll_usage.yml create mode 100644 rules/windows/process_creation/proc_creation_win_susp_service_stop.yml 
diff --git a/rules/windows/driver_load/driver_load_vuln_drivers.yml b/rules/windows/driver_load/driver_load_vuln_drivers.yml index c6c110f56..55f55661b 100644 --- a/rules/windows/driver_load/driver_load_vuln_drivers.yml +++ b/rules/windows/driver_load/driver_load_vuln_drivers.yml @@ -7,7 +7,7 @@ references: - https://github.com/eclypsium/Screwed-Drivers/blob/master/DRIVERS.md - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules date: 2022/08/18 -modified: 2022/08/30 +modified: 2022/09/01 logsource: product: windows category: driver_load @@ -192,6 +192,9 @@ detection: - 'SHA1=aee092fd31772d33932a7a02dd2d73ede67f7db0' - 'SHA1=118f688c30a2f6c2d1feb955f53ce4acf3086b3b' - 'SHA1=4ede7f018c317ddc6a5f8f935f917621668cb1ec' + - 'SHA1=f6f11ad2cd2b0cf95ed42324876bee1d83e01775' + - 'SHA1=10b30bdee43b3a2ec4aa63375577ade650269d25' + - 'SHA1=c948ae14761095e4d76b55d9de86412258be7afd' - 'SHA256=80599708CE61EC5D6DCFC5977208A2A0BE2252820A88D9BA260D8CDF5DC7FBE4' - 'SHA256=9091E044273FF624585235AC885EB2B05DFB12F3022DCF535B178FF1B2E012D1' - 'SHA256=92EDD48DFAC025D4069EB6491B9730D9D131B77CCEAA480AF9B3C32BC8C5E3A9' @@ -367,6 +370,9 @@ detection: - 'SHA256=d64f906376f21677d0585e93dae8b36248f94be7091b01fd1d4381916a326afe' - 'SHA256=e0afb8b937a5907fbe55a1d1cc7574e9304007ef33fa80ff3896e997a1beaf37' - 'SHA256=f83c357106a7d1d055b5cb75c8414aa3219354deb16ae9ee7efe8ee4c8c670ca' + - 'SHA256=01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd' + - 'SHA256=ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1' + - 'SHA256=0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5' selection_other: - SHA1: - '80fa962bdfb76dfcb9e5d13efc38bb3d392f2e77' 
@@ -547,6 +553,9 @@ detection: - 'aee092fd31772d33932a7a02dd2d73ede67f7db0' - '118f688c30a2f6c2d1feb955f53ce4acf3086b3b' - '4ede7f018c317ddc6a5f8f935f917621668cb1ec' + - 'f6f11ad2cd2b0cf95ed42324876bee1d83e01775' + - '10b30bdee43b3a2ec4aa63375577ade650269d25' + - 'c948ae14761095e4d76b55d9de86412258be7afd' - SHA256: - '80599708ce61ec5d6dcfc5977208a2a0be2252820a88d9ba260d8cdf5dc7fbe4' - '9091e044273ff624585235ac885eb2b05dfb12f3022dcf535b178ff1b2e012d1' @@ -761,6 +770,9 @@ detection: - 'd64f906376f21677d0585e93dae8b36248f94be7091b01fd1d4381916a326afe' - 'e0afb8b937a5907fbe55a1d1cc7574e9304007ef33fa80ff3896e997a1beaf37' - 'f83c357106a7d1d055b5cb75c8414aa3219354deb16ae9ee7efe8ee4c8c670ca' + - '01aa278b07b58dc46c84bd0b1b5c8e9ee4e62ea0bf7a695862444af32e87f1fd' + - 'ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1' + - '0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5' driver_img: ImageLoaded|endswith: - '\ASIO32.sys' @@ -871,6 +883,7 @@ detection: - '\mhyprot2.sys' - '\netfilter.sys' - '\RTCore64.sys' + - '\DBUtils_2_3.sys' driver_status: - Signed: 'false' - SignatureStatus: Expired diff --git a/rules/windows/process_creation/proc_creation_win_bypass_squiblytwo.yml b/rules/windows/process_creation/proc_creation_win_bypass_squiblytwo.yml index b36661bce..8a20323d1 100644 --- a/rules/windows/process_creation/proc_creation_win_bypass_squiblytwo.yml +++ b/rules/windows/process_creation/proc_creation_win_bypass_squiblytwo.yml 
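Review bot: The `'\DBUtils_2_3.sys'` entry added under `driver_img` in the last hunk is a file-name match, unlike the other additions in this commit, which are pinned by SHA1/SHA256 in both `selection_sysmon` and `selection_other`; whether it fires on its own or only together with the adjacent `driver_status` block depends on the rule's `condition`, which lies outside the hunk. If it is AND-ed with `driver_status`, a driver loaded under that name with a valid signature is not covered by the name entry, and if it is not, every legitimate load of a driver with that name fires, so an inline comment stating the intent would help the next maintainer, e.g. `- '\DBUtils_2_3.sys' # name-only entry; hash-pinned builds are listed in selection_sysmon / selection_other`. The hash values are now duplicated across `selection_sysmon` (with `SHA1=`/`SHA256=` prefixes) and `selection_other`, so every addition has to be made twice; a comment above the first list noting that the two must be kept in sync would reduce drift between them.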
@@ -1,44 +1,44 @@ -title: SquiblyTwo +title: SquiblyTwo Execution id: 8d63dadf-b91b-4187-87b6-34a1114577ea status: test description: Detects WMI SquiblyTwo Attack with possible renamed WMI by looking for imphash -author: Markus Neis / Florian Roth +author: Markus Neis, Florian Roth references: - - https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html - - https://twitter.com/mattifestation/status/986280382042595328 + - https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html + - https://twitter.com/mattifestation/status/986280382042595328 date: 2019/01/16 modified: 2022/03/21 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection_one: - Image|endswith: '\wmic.exe' - CommandLine|contains|all: - - wmic - - format - - http - selection_wmic_imphash: - - Imphash: - - 1B1A3F43BF37B5BFE60751F2EE2F326E - - 37777A96245A3C74EB217308F3546F4C - - 9D87C9D67CE724033C0B40CC4CA1B206 - - Hashes|contains: # Sysmon field hashes contains all types - - IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E - - IMPHASH=37777A96245A3C74EB217308F3546F4C - - IMPHASH=9D87C9D67CE724033C0B40CC4CA1B206 - selection_flags: - CommandLine|contains|all: - - 'format:' - - 'http' - condition: selection_one or (selection_wmic_imphash and selection_flags) + selection_org: + Image|endswith: '\wmic.exe' + CommandLine|contains|all: + - wmic + - format + - http + selection_renamed_wmic_imphash: + - Imphash: + - 1B1A3F43BF37B5BFE60751F2EE2F326E + - 37777A96245A3C74EB217308F3546F4C + - 9D87C9D67CE724033C0B40CC4CA1B206 + - Hashes|contains: # Sysmon field hashes contains all types + - IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E + - IMPHASH=37777A96245A3C74EB217308F3546F4C + - IMPHASH=9D87C9D67CE724033C0B40CC4CA1B206 + selection_renamed_flags: + CommandLine|contains|all: + - 'format:' + - 'http' + condition: selection_org or all of selection_renamed_* falsepositives: - - Unknown + - Unknown level: medium tags: 
- - attack.defense_evasion - - attack.t1047 - - attack.t1220 - - attack.execution - - attack.t1059.005 - - attack.t1059.007 + - attack.defense_evasion + - attack.t1047 + - attack.t1220 + - attack.execution + - attack.t1059.005 + - attack.t1059.007 diff --git a/rules/windows/process_creation/proc_creation_win_certoc_execution.yml b/rules/windows/process_creation/proc_creation_win_certoc_execution.yml index 8a9dfa8a0..d7d897909 100644 --- a/rules/windows/process_creation/proc_creation_win_certoc_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_certoc_execution.yml @@ -6,7 +6,7 @@ author: Austin Songer @austinsonger date: 2021/10/23 modified: 2022/05/16 references: -- https://twitter.com/sblmsrsn/status/1445758411803480072?s=20 + - https://twitter.com/sblmsrsn/status/1445758411803480072?s=20 logsource: category: process_creation product: windows @@ -23,8 +23,8 @@ fields: - CommandLine - ParentCommandLine tags: -- attack.defense_evasion -- attack.t1218 + - attack.defense_evasion + - attack.t1218 falsepositives: - Unknown level: medium diff --git a/rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion.yml b/rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion.yml new file mode 100644 index 000000000..553268041 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion.yml 
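Review bot: The `modified` date in the squiblytwo hunk still reads `2022/03/21` although this commit changes the title, the author field and the selection names and rewrites the condition; consumers rely on that field to notice a changed rule, so it should be bumped to the commit date, `modified: 2022/09/01`. The rewritten `condition: selection_org or all of selection_renamed_*` is equivalent to the previous `selection_one or (selection_wmic_imphash and selection_flags)` only as long as no further `selection_renamed_*` key is added, which deserves a short comment next to the condition. The bare Imphash values such as `1B1A3F43BF37B5BFE60751F2EE2F326E` are safe unquoted because they contain letters, but quoting them like the `'format:'` strings below would keep the value style uniform.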
@@ -0,0 +1,26 @@ +title: NTLM Coercion Via Certutil.exe +id: 6c6d9280-e6d0-4b9d-80ac-254701b64916 +description: Detects possible NTLM coercion via certutil using the 'syncwithWU' flag +status: experimental +author: Nasreddine Bencherchali +date: 2022/09/01 +references: + - https://github.com/LOLBAS-Project/LOLBAS/issues/243 +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Image|endswith: '\certutil.exe' + - OriginalFileName: 'CertUtil.exe' + selection_cli: + CommandLine|contains|all: + - ' -syncwithWU ' + - ' \\\\' + condition: all of selection* +tags: + - attack.defense_evasion + - attack.t1218 +falsepositives: + - Unknown +level: medium diff --git a/rules/windows/process_creation/proc_creation_win_chrome_load_extension.yml b/rules/windows/process_creation/proc_creation_win_chrome_load_extension.yml index 0104f9083..c0aac1205 100644 --- a/rules/windows/process_creation/proc_creation_win_chrome_load_extension.yml +++ b/rules/windows/process_creation/proc_creation_win_chrome_load_extension.yml @@ -1,7 +1,7 @@ title: Powershell ChromeLoader Browser Hijacker id: 27ba3207-dd30-4812-abbf-5d20c57d474e status: experimental -description: Detects PowerShell spawning chrome.exe containing load-extension and AppData\Local in the process command line +description: Detects PowerShell process spawning a 'chrome.exe' process with the 'load-extension' flag to start a new chrome instance with custom extensions, as seen being used in 'ChromeLoader' author: Aedan Russell, frack113 (sigma) references: - https://redcanary.com/blog/chromeloader/ diff --git a/rules/windows/process_creation/proc_creation_win_chrome_remote_debugging.yml b/rules/windows/process_creation/proc_creation_win_chrome_remote_debugging.yml index 7dedcad4e..1a16aa8eb 100644 --- a/rules/windows/process_creation/proc_creation_win_chrome_remote_debugging.yml +++ b/rules/windows/process_creation/proc_creation_win_chrome_remote_debugging.yml 
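Review bot: `selection_cli` in the certutil hunk matches only the `-syncwithWU` spelling, while certutil accepts its verbs with either a `-` or a `/` prefix, so `/syncwithWU` combined with a UNC target is not detected; splitting the flag and the UNC prefix into two selections lets both spellings be listed without losing the `all of` coupling. The rule is tagged `attack.t1218` (signed binary proxy execution), but forcing an outbound authentication to a UNC path is ATT&CK T1187 (Forced Authentication), so `attack.credential_access` and `attack.t1187` would place it correctly. Sigma string matching is case-insensitive, so `' -syncwithWU '` as written already covers case variants.
```yaml
detection:
  # … unchanged: selection_img …
  selection_cli_flag:
    CommandLine|contains:
      - ' -syncwithWU '
      - ' /syncwithWU '
  selection_cli_unc:
    CommandLine|contains: ' \\\\'
  condition: all of selection*
```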
@@ -1,7 +1,7 @@ title: Browser Started with Remote Debugging id: b3d34dc5-2efd-4ae3-845f-8ec14921f449 status: experimental -description: Detects starting browser with remote debugging flag, may be used for browser injection attacks +description: Detects browsers starting with the '--remote-debugging' flag. Which is a technique often used to perform browser injection attacks author: pH-T references: - https://yoroi.company/wp-content/uploads/2022/05/EternityGroup_report_compressed.pdf diff --git a/rules/windows/process_creation/proc_creation_win_cleanwipe.yml b/rules/windows/process_creation/proc_creation_win_cleanwipe.yml index b9dd23129..83ee8cb3c 100644 --- a/rules/windows/process_creation/proc_creation_win_cleanwipe.yml +++ b/rules/windows/process_creation/proc_creation_win_cleanwipe.yml @@ -28,5 +28,5 @@ detection: - '/enterprise' condition: 1 of selection* falsepositives: - - Legitimate administrative use -level: medium + - Legitimate administrative use (Should be investigated either way) +level: high diff --git a/rules/windows/process_creation/proc_creation_win_cmd_delete.yml b/rules/windows/process_creation/proc_creation_win_cmd_delete.yml index 584649299..48aca389f 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_delete.yml +++ b/rules/windows/process_creation/proc_creation_win_cmd_delete.yml @@ -24,7 +24,7 @@ detection: - /q condition: selection falsepositives: - - Legitimate script + - Legitimate scripts level: low tags: - attack.defense_evasion diff --git a/rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml b/rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml index a4b11d9c2..72449143a 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml +++ b/rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml 
@@ -1,11 +1,12 @@ title: Suspicious Dosfuscation Character in Commandline id: a77c1610-fc73-4019-8e29-0f51efc04a51 status: experimental -description: Possible Payload Obfuscation +description: Detects possible payload obfuscation via the commandline references: - https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/dosfuscation-report.pdf author: frack113 date: 2022/02/15 +modified: 2022/09/02 logsource: category: process_creation product: windows @@ -21,6 +22,7 @@ detection: - ' s^et ' - ' s^e^t ' - ' se^t ' + - ':~' condition: selection falsepositives: - Legitimate use diff --git a/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml b/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml new file mode 100644 index 000000000..ff04ad0f7 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml 
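Review bot: The `':~'` token added to the `CommandLine|contains` list in the second dosfuscation hunk is two characters of cmd's variable substring/replace expansion syntax (`%VAR:~n,m%`), which ordinary batch files and installer wrappers use as well, so this entry widens the rule far more than the `s^et`-style entries above it; the rule's level is outside the hunk, so the false-positive impact cannot be judged from here. A comment stating what it matches and why it was added would help tuning, e.g. `- ':~' # cmd substring expansion (%VAR:~n,m%), used to assemble strings from environment variables`. If it proves noisy, keeping it in a separate selection that requires a second obfuscation indicator would preserve the original precision.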
@@ -0,0 +1,35 @@ +title: Suspicious Manipulation Of Default Accounts +id: 5b768e71-86f2-4879-b448-81061cbae951 +status: experimental +description: Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc +author: Nasreddine Bencherchali +references: + - https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html +date: 2022/09/01 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: + - '\net.exe' + - '\net1.exe' + selection_user_option: + CommandLine|contains: ' user ' + selection_username: + CommandLine|contains: + # Need to write the full account name for cases starting with 'admin' to avoid lookups only with the user flag + - ' Järjestelmänvalvoja ' # Finish + - ' Rendszergazda ' # Hungarian + - ' Администратор ' # Russian + - ' Administrateur ' # French + - ' Administrador ' # Portuguese (Brazil + Portugal) + Spanish + - ' Administratör ' # Swedish + - ' guest ' + condition: selection +falsepositives: + - Some fasle positives could occure with the admin or guest account. It depends on the scripts being used by the admins in your env. If you experience a lot of FP you could reduce the level to medium +level: high +tags: + - attack.collection + - attack.t1560.001 diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml b/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml index 22ca470aa..9d73005a8 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_parent_explorer.yml 
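Review bot: `selection_username` lists only localized administrator names and `' guest '`, so the English `administrator` account named in the description is never matched, even though the inline comment explains that full account names are needed for it; add `- ' administrator '` next to the localized entries. The tags `attack.collection`/`attack.t1560.001` (archive collected data) do not describe enabling, disabling or re-passwording a built-in account; `attack.persistence` with `attack.t1098` (account manipulation) fits what the rule detects. Two typos in the same hunk: `# Finish` should read `# Finnish`, and the falsepositives entry has `fasle positives could occure`. The two PATCH 29 hunks on this file later in the series only rename `selection` and fix the condition and leave all of this unchanged.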
@@ -14,7 +14,7 @@ detection: Image|endswith: '\rundll32.exe' ParentImage|endswith: '\explorer.exe' filter: - CommandLine|contains: '\shell32.dll,OpenAs_RunDLL' + CommandLine|contains: '\shell32.dll,OpenAs_RunDLL' condition: selection and not filter fields: - Image @@ -23,4 +23,4 @@ falsepositives: - Unknown level: medium tags: - - attack.defense_evasion \ No newline at end of file + - attack.defense_evasion diff --git a/rules/windows/process_creation/proc_creation_win_service_stop.yml b/rules/windows/process_creation/proc_creation_win_service_stop.yml index 93145acf9..c99cdc0b1 100644 --- a/rules/windows/process_creation/proc_creation_win_service_stop.yml +++ b/rules/windows/process_creation/proc_creation_win_service_stop.yml @@ -4,7 +4,7 @@ description: Detects a windows service to be stopped status: experimental author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali date: 2019/10/23 -modified: 2022/08/22 +modified: 2022/09/01 tags: - attack.impact - attack.t1489 @@ -22,7 +22,7 @@ detection: - '\net.exe' - '\net1.exe' selection_sc_net_cli: - CommandLine|contains: 'stop' + CommandLine|contains: ' stop ' selection_pwsh: Image|endswith: - '\powershell.exe' diff --git a/rules/windows/process_creation/proc_creation_win_susp_clsid_foldername.yml b/rules/windows/process_creation/proc_creation_win_susp_clsid_foldername.yml new file mode 100644 index 000000000..403b2219e --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_susp_clsid_foldername.yml 
@@ -0,0 +1,32 @@ +title: Suspicious CLSID Folder Name In Suspicious Locations +id: 90b63c33-2b97-4631-a011-ceb0f47b77c3 +status: experimental +description: Detects usage of a CLSID folder name located in a suspicious location from the commandline as seen being used in IcedID +author: Nasreddine Bencherchali +references: + - https://twitter.com/Kostastsale/status/1565257924204986369 +date: 2022/09/01 +logsource: + category: process_creation + product: windows +detection: + # Uncomment this section if you want the rule to be more specific to processes + #selection_img: + # Image|endswith: + # - '\rundll32.exe' + selection_folder: + CommandLine|contains: + # Add more suspicious or unexpected paths + - '\AppData\Roaming\' + - '\AppData\Local\Temp\' # This could generate some FP with some installers creating folders with CLSID + selection_clsid: + CommandLine|contains|all: + - '\{' + - '}\' + condition: all of selection_* +falsepositives: + - Some FP is expected with some installers +level: high +tags: + - attack.defense_evasion + - attack.t1027 diff --git a/rules/windows/process_creation/proc_creation_win_susp_openas_rundll_usage.yml b/rules/windows/process_creation/proc_creation_win_susp_openas_rundll_usage.yml new file mode 100644 index 000000000..ec4732d84 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_susp_openas_rundll_usage.yml 
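Review bot: `selection_folder` and `selection_clsid` are independent `contains` tests on the whole command line, so a command line carrying an `\AppData\Roaming\` path in one argument and a `\{...}\` folder in an unrelated argument satisfies `all of selection_*` although no CLSID-named folder sits under AppData; tying the two together needs a regular expression, for example (constructed) `CommandLine|re: '\\AppData\\(Roaming|Local\\Temp)\\\{[0-9A-Fa-f-]{36}\}\\'`, which is worth considering if the plain-contains form proves noisy. The rule is `level: high` while `falsepositives` states "Some FP is expected with some installers"; one of the two should change once the filter added later in this series settles. The commented-out `selection_img` block is a useful tuning hint, but its comment should mention that `all of selection_*` picks it up automatically once uncommented.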
@@ -0,0 +1,27 @@ +title: Suspicious Usage Of OpenAs_RunDLL +id: d87bd452-6da1-456e-8155-7dc988157b7d +description: Detects suspicious usage of the OpenAs_RunDLL function to launch other commands as seen in the the raspberry-robin attack +status: experimental +references: + - https://redcanary.com/blog/raspberry-robin/ +author: Nasreddine Bencherchali +date: 2022/09/01 +logsource: + category: process_creation + product: windows +detection: + selection_openasrundll: + CommandLine|contains: ',OpenAs_RunDLL' + selection_suspcli: + CommandLine|contains: + # Add more LOLBINs and Susp Paths + - 'regsvr32' + - 'C:\Users\Public\' + - 'odbcconf' + - '\Desktop\' + condition: selection +falsepositives: + - Unknown +level: medium +tags: + - attack.defense_evasion diff --git a/rules/windows/process_creation/proc_creation_win_susp_service_stop.yml b/rules/windows/process_creation/proc_creation_win_susp_service_stop.yml new file mode 100644 index 000000000..120b97e89 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_susp_service_stop.yml 
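Review bot: `condition: selection` in the openas_rundll hunk names a selection that does not exist (the keys are `selection_openasrundll` and `selection_suspcli`), so the condition cannot resolve as committed; the next patch in this series replaces it with `all of selection_*`, so nothing further is needed there. What remains is the tag list, which carries only the tactic: `attack.t1218.011` (rundll32) is the technique this rule detects and belongs below `attack.defense_evasion`. The description also has a duplicated word in `as seen in the the raspberry-robin attack`.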
@@ -0,0 +1,319 @@ +title: Suspicious Stop Windows Service +id: ce72ef99-22f1-43d4-8695-419dcb5d9330 +related: + - id: eb87818d-db5d-49cc-a987-d5da331fbd90 + type: derived +description: Detects the usage of one of the the commands to stop services such as 'net', 'sc'...etc in order to stop critical or important windows services such as AV, Backup...etc. As seen being used in some ransomware scripts +status: experimental +author: Nasreddine Bencherchali +references: + - https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus/Genshin%20Impact%20Figure%2010.jpg + - https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html +date: 2022/09/01 +tags: + - attack.defense_evasion + - attack.t1489 +logsource: + category: process_creation + product: windows +detection: + selection_sc_net_img: + - OriginalFileName: + - 'sc.exe' + - 'net.exe' + - 'net1.exe' + - Image|endswith: + - '\sc.exe' + - '\net.exe' + - '\net1.exe' + selection_sc_net_cli: + CommandLine|contains: ' stop ' + selection_pwsh: + Image|endswith: + - '\powershell.exe' + - '\pwsh.exe' + CommandLine|contains: 'Stop-Service ' + services: + CommandLine|contains: + - 'VSS' + - 'HealthTLService' + - 'ThreatLockerService' + - '"Veritas System Recovery"' + - 'EPlntegrationService' + - 'EPRedline' + - '"Client Agent 7.60"' + - 'SQLAgent$SVSTEM_BGC' + - '"Sophos Device Control Service"' + - '"Zoolz 2 Service"' + - '"Sophos AutoUpdate Service"' + - '"Sophos System Protection Service"' + - 'POVFSService' + - 'MSSQLFDLauncherSTPSAMA' + - '"Symantec System Recovery"' + - 'Antivirus' + - '"Sophos Health Service"' + - 'MSSQLFDLauncherSTPS' + - 'AcrSch2Svc' + - 'MSSQLSSVSTEM_BGC' + - 'MSSQLFDLauncherSPROFXENGAGEMENT' + - 'SQLAgentSTPS' + - '"Sophos Message Router"' + - 'MSSQLFDLauncher$S8SMONITORING' + - 'MySQL80' + - 'MSSQLSECWDB2' + - 'MSSQLWEEAMSQL2008R2' + - '"Sophos 
Clean Service"' + - '"Sophos Web Control Service"' + - 'EhttpSry' + - 'MSOLAPSTPSAMA' + - '"Veeam Backup Catalog Data Service"' + - 'MSSQLSSBSMONITORIMG' + - 'AcronisAgent' + - 'MySQLS7' + - 'UTODetect' + - 'MSSQLFOLauncherSSVSTEM_BGC' + - 'MSSQLSBKUPEXEC' + - 'SQLAgentSPRACTTICEBGC' + - '"Sophos MCS Client"' + - 'BackupExeclobEngine' + - 'SQLAgentSVEEAMSQL2008R2' + - '143Svc' + - '"SQLsafe Backup Service"' + - 'SQLAgentSCXDB' + - '"Sophos Safestore Service"' + - 'svcienericHost' + - 'MSSQLSTPSAMA' + - 'SQLAgentSCITRIX_METAFRAME' + - 'WeanClOudSve' + - '"Sophos File Scanner Service"' + - '"Sophos Agent"' + - 'M8EndpointAgent' + - 'mSSQLSFRACTICEMGT' + - 'SQLAgentSTPSAMA' + - 'McAfeeframework' + - '"Enterprise Client Service"' + - 'SQLAgentSSBSMONITORING' + - 'MSSQLSVEEAMSQL2012' + - 'SQ1SafeOLRService' + - 'VeeamEnterpriseHanagerSvc' + - 'SQLAgentSSQL EXPRESS' + - 'MSSQ!I.SPROFXENGAGEMEHT' + - 'IMANSVC' + - 'ARSM' + - 'MSSQLFOLavocher' + - 'MSExchangeMIA' + - 'TruekeyScheduler' + - 'MSSQ0SOPHOS' + - '"SQL Backups"' + - 'MSSQLSTPS' + - 'Weems JY' + - 'MSSQ0SHAREPOINT' + - 'mfevto' + - 'msftesq1SPROO' + - 'wozyprobackup' + - 'MSSQLSSQL_2008' + - 'MSSQLSSQLEXPRESS' + - 'MSSQLSPRACTTICEBGE' + - 'VeeamRISTSvc' + - 'HMS' + - '"Sophos MCS Agent"' + - '"Acronis VSS Provider"' + - 'MSSQLSVIEAMSQL2008112' + - 'HISSQLFDLauncherSSHAREPOINIT' + - '"SQLsafe Filter Service"' + - 'MSSQLSPROO' + - 'SQLAgentSPROO' + - 'MSOLAPSTPS' + - 'VeemaDep/oySvc' + - '"SQL Server (MSSQLSERVER)"' + - '"SQL Server (SQLEXPRESS)' + - 'BackupExecAgentAccelerator' + - 'McAfeeEngineService' + - 'BackupExecAgentBrowser' + - 'McAfeeFramework' + - 'BackupExecDeviceMediaService' + - 'McAfeeFrameworkMcAfeeFramework' + - 'BackupExecJobEngine' + - 'McTaskManager' + - 'BackupExecManagementService' + - 'mfemms' + - 'BackupExecRPCService' + - 'mfevtp' + - 'BackupExecVSSProvider' + - 'MMS' + - 'bedbg' + - 'mozyprobackup' + - 'DCAgent' + - 'MsDtsServer' + - 'MsDtsServer100' + - 'MsDtsServer110' + - 
'EraserSvc11710' + - 'MSExchangeES' + - 'EsgShKernel' + - 'MSExchangeIS' + - 'FA_Scheduler' + - 'MSExchangeMGMT' + - 'IISAdmin' + - 'MSExchangeMTA' + - 'IMAP4Svc' + - 'MSExchangeSA' + - 'macmnsvc' + - 'MSExchangeSRS' + - 'masvc' + - 'MSOLAP$SQL_2008' + - 'MBAMService' + - 'MSOLAP$SYSTEM_BGC' + - 'MBEndpointAgent' + - 'MSOLAP$TPS' + - 'McShield' + - 'MSSQLSERVER' + - 'MSSQL$ECWDB2' + - 'MSSQLServerADHelper100' + - 'MSSQL$PRACTICEMGT' + - 'MSSQLServerOLAPService' + - 'MSSQL$PRACTTICEBGC' + - 'MySQL57' + - 'MSSQL$PROFXENGAGEMENT' + - 'ntrtscan' + - 'MSSQL$SBSMONITORING' + - 'OracleClientCache80' + - 'MSSQL$SHAREPOINT' + - 'PDVFSService' + - 'MSSQL$SQL_2008' + - 'POP3Svc' + - 'MSSQL$SYSTEM_BGC' + - 'ReportServer' + - 'MSSQL$TPS' + - 'ReportServer$SQL_2008' + - 'MSSQL$TPSAMA' + - 'ReportServer$SYSTEM_BGC' + - 'ReportServer$TPS' + - 'MSSQL$VEEAMSQL2012' + - 'ReportServer$TPSAMA' + - 'MSSQLFDLauncher' + - 'RESvc' + - 'MSSQLFDLauncher$PROFXENGAGEMENT' + - 'sacsvr' + - 'MSSQLFDLauncher$SBSMONITORING' + - 'MSSQLFDLauncher$SHAREPOINT' + - 'SamSs' + - 'MSSQLFDLauncher$SQL_2008' + - 'SAVAdminService' + - 'MSSQLFDLauncher$SYSTEM_BGC' + - 'SAVService' + - 'MSOLAP$TPSAMA' + - 'MSSQLFDLauncher$TPS' + - 'MSSQL$BKUPEXEC' + - 'MSSQLFDLauncher$TPSAMA' + - 'Smcinst' + - 'SQLTELEMETRY$ECWDB2' + - 'SmcService' + - 'SQLWriter' + - 'SMTPSvc' + - 'SstpSvc' + - 'SNAC' + - 'svcGenericHost' + - 'SntpService' + - 'swi_filter' + - 'sophossps' + - 'swi_service' + - 'SQLAgent$BKUPEXEC' + - 'swi_update_64' + - 'SQLAgent$ECWDB2' + - 'TmCCSF' + - 'SQLAgent$PRACTTICEBGC' + - 'tmlisten' + - 'SQLAgent$PRACTTICEMGT' + - 'TrueKey' + - 'SQLAgent$PROFXENGAGEMENT' + - 'TrueKeyScheduler' + - 'SQLAgent$SBSMONITORING' + - 'TrueKeyServiceHelper' + - 'SQLAgent$SHAREPOINT' + - 'SQLAgent$SQL_2008' + - 'UI0Detect' + - 'SQLAgent$SYSTEM_BGC' + - 'SQLAgent$TPS' + - 'VeeamBackupSvc' + - 'SQLAgent$TPSAMA' + - 'VeeamBrokerSvc' + - 'SQLAgent$VEEAMSQL2012' + - 'VeeamCatalogSvc' + - 'SQLBrowser' + - 'VeeamCloudSvc' + - 
'SDRSVC' + - 'SQLSafeOLRService' + - 'SepMasterService' + - 'SQLSERVERAGENT' + - 'ShMonitor' + - 'SQLTELEMETRY' + - 'VeeamDeploymentService' + - 'NetMsmqActivator' + - 'VeeamDeploySvc' + - 'EhttpSrv' + - 'VeeamEnterpriseManagerSvc' + - 'ekrn' + - 'VeeamMountSvc' + - 'ESHASRV' + - 'VeeamNFSSvc' + - 'MSSQL$SOPHOS' + - 'VeeamRESTSvc' + - 'SQLAgent$SOPHOS' + - 'VeeamTransportSvc' + - 'AVP' + - 'W3Svc' + - 'klnagent' + - 'MSSQL$SQLEXPRESS' + - 'WRSVC' + - 'SQLAgent$SQLEXPRESS' + - 'wbengine' + - 'MSSQL$VEEAMSQL2008R2' + - 'kavfsslp' + - 'SQLAgent$VEEAMSQL2008R2' + - 'VeeamHvIntegrationSvc' + - 'KAVFSGT' + - 'swi_update' + - 'KAVFS' + - 'SQLAgent$CXDB' + - 'mfefire' + - 'SQLAgent$CITRIX_METAFRAME' + - '“SQL Backups”' + - '“avast! Antivirus”' + - 'MSSQL$PROD' + - 'aswBcc' + - '“Zoolz 2 Service”' + - '“Avast Business Console Client Antivirus Service”' + - 'MSSQLServerADHelper' + - 'mfewc' + - 'SQLAgent$PROD' + - 'Telemetryserver' + - 'msftesql$PROD' + - 'WdNisSvc' + - 'WinDefend' + - 'MCAFEETOMCATSRV530' + - 'MCAFEEEVENTPARSERSRV' + - 'MSSQLFDLauncher$ITRIS' + - 'MSSQL$EPOSERVER' + - 'MSSQL$ITRIS' + - 'SQLAgent$EPOSERVER' + - 'SQLAgent$ITRIS' + - 'SQLTELEMETRY$ITRIS' + - 'SentinelHelperService' + - 'MsDtsServer130' + - 'LogProcessorService' + - 'SSISTELEMETRY130' + - 'EPUpdateService' + - 'MSSQLLaunchpad$ITRIS' + - 'TmPfw' + - 'BITS' + - 'SentinelAgent' + - 'BrokerInfrastructure' + - 'EPProtectedService' + - 'epag' + - 'epredline' + - 'EPIntegrationService' + - 'EPSecurityService' + condition: services and (all of selection_sc_net* or selection_pwsh) +falsepositives: + - Administrator or tools shutting down the services due to upgrade or removal purposes. If you experience some FP please consider adding filters to the parent process launching this command and not removing the entry +level: high From d0e7732dddc94222e5aa842d8e35266553eb56a1 Mon Sep 17 00:00:00 2001 
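Review bot: The `services` list in this hunk contains many entries that are OCR artefacts of the referenced screenshot rather than service names, e.g. `EPlntegrationService` (capital I read as lowercase l; the correct `EPIntegrationService` appears further down), `SQLAgent$SVSTEM_BGC`, `MSSQ!I.SPROFXENGAGEMEHT`, `VeemaDep/oySvc`, `Weems JY`, `svcienericHost`, `HISSQLFDLauncherSSHAREPOINIT`, plus `“SQL Backups”` and `“Zoolz 2 Service”` with typographic quotes that duplicate the straight-quoted entries; these never match a real service and should be dropped, and `'"SQL Server (SQLEXPRESS)'` is missing its closing quote. Short tokens matched with `contains`, such as `VSS`, `BITS`, `HMS`, `MMS`, `ARSM` and `Antivirus`, also match routine `net stop bits`/`vss` maintenance and any service name that merely contains those letters, which at `level: high` is a lot of noise the falsepositives entry already anticipates. T1489 (Service Stop) belongs to the Impact tactic, and the sibling rule `proc_creation_win_service_stop.yml` in this same commit tags it `attack.impact`; this rule should use the same tactic instead of `attack.defense_evasion`.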
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 2 Sep 2022 09:19:25 +0200 Subject: [PATCH 25/59] Update proc_creation_win_susp_openas_rundll_usage.yml --- .../proc_creation_win_susp_openas_rundll_usage.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_susp_openas_rundll_usage.yml b/rules/windows/process_creation/proc_creation_win_susp_openas_rundll_usage.yml index ec4732d84..548480483 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_openas_rundll_usage.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_openas_rundll_usage.yml @@ -19,7 +19,7 @@ detection: - 'C:\Users\Public\' - 'odbcconf' - '\Desktop\' - condition: selection + condition: all of selection_* falsepositives: - Unknown level: medium From 48ac804c9e665152eff7e5254c1faa28047b53fa Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Fri, 2 Sep 2022 09:21:48 +0200 Subject: [PATCH 26/59] fix: remove part of UNC path --- .../registry_set/registry_set_persistence_search_order.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml b/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml index 9652087b7..4954a8d86 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml @@ -76,7 +76,7 @@ detection: Details|contains: 'C:\Windows\System32\Autopilot.dll' filter_sec_health_svc: Image: 'C:\Windows\system32\SecurityHealthService.exe' - Details|contains: '\C:\Windows\System32\SecurityHealth' + Details|contains: 'C:\Windows\System32\SecurityHealth' condition: selection and not 1 of filter* falsepositives: - Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level 
From ed88295732d89e9b59efa7f3dd96e1b63e0bc53d Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 2 Sep 2022 09:28:28 +0200 Subject: [PATCH 27/59] Update proc_creation_win_susp_clsid_foldername.yml --- .../proc_creation_win_susp_clsid_foldername.yml | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_susp_clsid_foldername.yml b/rules/windows/process_creation/proc_creation_win_susp_clsid_foldername.yml index 403b2219e..9df28b052 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_clsid_foldername.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_clsid_foldername.yml @@ -10,20 +10,19 @@ logsource: category: process_creation product: windows detection: - # Uncomment this section if you want the rule to be more specific to processes + # Uncomment this section and remove the filter if you want the rule to be more specific to processes #selection_img: # Image|endswith: # - '\rundll32.exe' - selection_folder: - CommandLine|contains: - # Add more suspicious or unexpected paths - - '\AppData\Roaming\' - - '\AppData\Local\Temp\' # This could generate some FP with some installers creating folders with CLSID selection_clsid: CommandLine|contains|all: - '\{' - '}\' - condition: all of selection_* + filter: + Image|contains|all: + - '\{' + - '}\' + condition: all of selection_* and not filter falsepositives: - Some FP is expected with some installers level: high From 5f03a73dd261e0e378bf7ca2bad566870540a702 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 2 Sep 2022 09:33:13 +0200 Subject: [PATCH 28/59] Update proc_creation_win_susp_clsid_foldername.yml --- .../proc_creation_win_susp_clsid_foldername.yml | 5 +++++ 1 file changed, 5 insertions(+) 
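Review bot: The new `filter` in the PATCH 27 hunk excludes every event whose `Image` path itself contains a `\{...}\` segment, which is broader than the installer case the comment describes: a binary executing directly out of an `\AppData\...\{CLSID}\` folder is suppressed as well, so the rule then only covers cases where some other process references such a path on its command line. If the intent is to skip installers that unpack into CLSID-named temp folders, narrow the filter to that location, e.g. add `Image|contains: '\AppData\Local\Temp\'` alongside the existing `Image|contains|all` lines so both must hold, and say so in a comment above the filter. The updated comment "Uncomment this section and remove the filter if you want the rule to be more specific" ties the filter to the commented-out `selection_img`, but the two are independent, so that sentence is misleading as written.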
diff --git a/rules/windows/process_creation/proc_creation_win_susp_clsid_foldername.yml b/rules/windows/process_creation/proc_creation_win_susp_clsid_foldername.yml index 9df28b052..4d3178252 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_clsid_foldername.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_clsid_foldername.yml @@ -14,6 +14,11 @@ detection: #selection_img: # Image|endswith: # - '\rundll32.exe' + selection_folder: + CommandLine|contains: + # Add more suspicious or unexpected paths + - '\AppData\Roaming\' + - '\AppData\Local\Temp\' # This could generate some FP with some installers creating folders with CLSID selection_clsid: CommandLine|contains|all: - '\{' From b02a2ff2dc7aeba219301a19e4e8b64a54f71694 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 2 Sep 2022 09:49:14 +0200 Subject: [PATCH 29/59] Update proc_creation_win_net_default_accounts_manipulation.yml --- .../proc_creation_win_net_default_accounts_manipulation.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml b/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml index ff04ad0f7..d8c5ba7bb 100644 --- a/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml +++ b/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml @@ -10,7 +10,7 @@ logsource: category: process_creation product: windows detection: - selection: + selection_img: Image|endswith: - '\net.exe' - '\net1.exe' 
@@ -26,7 +26,7 @@ detection: - ' Administrador ' # Portuguese (Brazil + Portugal) + Spanish - ' Administratör ' # Swedish - ' guest ' - condition: selection + condition: all of selection_* falsepositives: - Some fasle positives could occure with the admin or guest account. It depends on the scripts being used by the admins in your env. If you experience a lot of FP you could reduce the level to medium level: high
From 8bb29b0e66f65d65aa5c64cb3d93c88cb3ac397b Mon Sep 17 00:00:00 2001 From: frack113 Date: Fri, 2 Sep 2022 10:29:40 +0200 Subject: [PATCH 30/59] Add proc_creation_win_frp
---
 .../proc_creation_win_frp.yml | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 rules/windows/process_creation/proc_creation_win_frp.yml
diff --git a/rules/windows/process_creation/proc_creation_win_frp.yml b/rules/windows/process_creation/proc_creation_win_frp.yml
new file mode 100644
index 000000000..4b30d77b4
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_frp.yml
@@ -0,0 +1,25 @@
+title: Fast Reverse Proxy
+id: 32410e29-5f94-4568-b6a3-d91a8adad863
+status: experimental
+description: Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet.
+references:
+ - https://asec.ahnlab.com/en/38156/
+ - https://github.com/fatedier/frp
+author: frack113
+date: 2022/09/02
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - '\frpc.exe'
+ - '\frps.exe'
+ condition: selection
+falsepositives:
+ - Legitimate administrative use
+level: medium
+tags:
+ - attack.command_and_control
+ - attack.t1090
+
From 37f08c4cbbf5541452f8d8c911ba24f70392a730 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 2 Sep 2022 11:52:13 +0200 Subject: [PATCH 31/59] More updates --- .../proc_creation_win_net_recon.yml | 1 + ...proc_creation_win_netsh_allow_port_rdp.yml | 38 +++++++++---------- ...oc_creation_win_powershell_amsi_bypass.yml | 12 +++--- .../proc_creation_win_reg_add_safeboot.yml | 31 +++++++++++++++ .../proc_creation_win_reg_delete_safeboot.yml | 3 ++ ...et_allow_rdp_remote_assistance_feature.yml | 6 +-- .../registry_set_disable_function_user.yml | 4 +- .../registry_set_sophos_av_tamaper.yml | 26 +++++++++++++ 8 files changed, 91 insertions(+), 30 deletions(-) create mode 100644 rules/windows/process_creation/proc_creation_win_reg_add_safeboot.yml create mode 100644 rules/windows/registry/registry_set/registry_set_sophos_av_tamaper.yml diff --git a/rules/windows/process_creation/proc_creation_win_net_recon.yml b/rules/windows/process_creation/proc_creation_win_net_recon.yml index 6524390d2..e0164ce8e 100644 --- a/rules/windows/process_creation/proc_creation_win_net_recon.yml +++ b/rules/windows/process_creation/proc_creation_win_net_recon.yml @@ -37,6 +37,7 @@ detection: - ' administrateurs' - 'enterprise admins' - 'Exchange Trusted Subsystem' + - 'Remote Desktop Users' - ' /do' # short for domain # Covers 'accounts' flag selection_accounts_root: diff --git a/rules/windows/process_creation/proc_creation_win_netsh_allow_port_rdp.yml b/rules/windows/process_creation/proc_creation_win_netsh_allow_port_rdp.yml index c875ca215..f2179507f 100644 --- a/rules/windows/process_creation/proc_creation_win_netsh_allow_port_rdp.yml +++ b/rules/windows/process_creation/proc_creation_win_netsh_allow_port_rdp.yml 
@@ -4,29 +4,29 @@ status: test description: Detects netsh commands that opens the port 3389 used for RDP, used in Sarwent Malware author: Sander Wiebing references: - - https://labs.sentinelone.com/sarwent-malware-updates-command-detonation/ + - https://labs.sentinelone.com/sarwent-malware-updates-command-detonation/ date: 2020/05/23 modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection1: - CommandLine|contains|all: - - netsh - - firewall add portopening - - tcp 3389 - selection2: - CommandLine|contains|all: - - netsh - - advfirewall firewall add rule - - action=allow - - protocol=TCP - - localport=3389 - condition: 1 of selection* + selection1: + CommandLine|contains|all: + - netsh + - firewall add portopening + - tcp 3389 + selection2: + CommandLine|contains|all: + - netsh + - advfirewall firewall add rule + - action=allow + - protocol=TCP + - localport=3389 + condition: 1 of selection* falsepositives: - - Legitimate administration + - Legitimate administration level: high tags: - - attack.defense_evasion - - attack.t1562.004 + - attack.defense_evasion + - attack.t1562.004 diff --git a/rules/windows/process_creation/proc_creation_win_powershell_amsi_bypass.yml b/rules/windows/process_creation/proc_creation_win_powershell_amsi_bypass.yml index 5a12f4b7d..110404f91 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_amsi_bypass.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_amsi_bypass.yml 
@@ -7,18 +7,18 @@ references: - https://twitter.com/mattifestation/status/735261176745988096 - https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120 date: 2018/08/17 -modified: 2021/11/27 +modified: 2022/09/02 logsource: category: process_creation product: windows detection: selection1: - CommandLine|contains: 'System.Management.Automation.AmsiUtils' - selection2: - CommandLine|contains: 'amsiInitFailed' - condition: all of selection* + CommandLine|contains: + - 'System.Management.Automation.AmsiUtils' + - 'amsiInitFailed' + condition: selection falsepositives: - - Potential Admin Activity + - Unlikely level: high tags: - attack.defense_evasion diff --git a/rules/windows/process_creation/proc_creation_win_reg_add_safeboot.yml b/rules/windows/process_creation/proc_creation_win_reg_add_safeboot.yml new file mode 100644 index 000000000..55a4b0960 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_reg_add_safeboot.yml @@ -0,0 +1,31 @@ +title: Add SafeBoot Keys Via Reg Utility +id: d7662ff6-9e97-4596-a61d-9839e32dee8d +related: + - id: fc0e89b5-adb0-43c1-b749-c12a10ec37de + type: similar +status: experimental +description: Detects execution of "reg.exe" commands with the "delete" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products +references: + - https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/ +author: Nasreddine Bencherchali +date: 2022/09/02 +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Image|endswith: 'reg.exe' + - OriginalFileName: 'reg.exe' + selection_safeboot: + CommandLine|contains: '\SYSTEM\CurrentControlSet\Control\SafeBoot' + selection_flag: + CommandLine|contains: + - ' copy ' + - ' add ' + condition: all of selection* +falsepositives: + - Unlikely +level: high +tags: + - attack.defense_evasion + - attack.t1562.001 
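Review bot: In the new `proc_creation_win_reg_add_safeboot.yml`, `Image|endswith: 'reg.exe'` lacks the leading backslash that every other image match in this series carries (`'\net.exe'`, `'\frpc.exe'`), so any image whose file name merely ends in `reg.exe` also matches; write `- Image|endswith: '\reg.exe'`. The `description` was carried over from the delete rule and still says `with the "delete" flag`, while `selection_flag` matches `' copy '` and `' add '`; it should read `description: Detects execution of "reg.exe" commands with the "add" or "copy" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products`. PATCH 50's diffstat touches this file with a one-line change that is not in view, which may already cover one of these.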
diff --git a/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml b/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml index 9ef55c3e1..8ef99bb3c 100644 --- a/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml +++ b/rules/windows/process_creation/proc_creation_win_reg_delete_safeboot.yml @@ -1,5 +1,8 @@ title: Delete SafeBoot Keys Via Reg Utility id: fc0e89b5-adb0-43c1-b749-c12a10ec37de +related: + - id: d7662ff6-9e97-4596-a61d-9839e32dee8d + type: similar status: experimental description: Detects execution of "reg.exe" commands with the "delete" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products references: diff --git a/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml b/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml index d6d79a612..d6fe350c8 100644 --- a/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml +++ b/rules/windows/registry/registry_set/registry_set_allow_rdp_remote_assistance_feature.yml @@ -16,8 +16,8 @@ detection: Details: DWORD (0x00000001) condition: selection falsepositives: - - Unknown + - Legitmate use of the feature (alerts should be investigated either way) level: medium tags: - - attack.defense_evasion - - attack.t1112 + - attack.defense_evasion + - attack.t1112 diff --git a/rules/windows/registry/registry_set/registry_set_disable_function_user.yml b/rules/windows/registry/registry_set/registry_set_disable_function_user.yml index 37760557d..3563aa1a2 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_function_user.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_function_user.yml 
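Review bot: `Legitmate` in the new `falsepositives` entry of `registry_set_allow_rdp_remote_assistance_feature.yml` is misspelled; `- Legitimate use of the feature (alerts should be investigated either way)`. The rule's `modified` field is outside the hunk, so it is not visible whether it was bumped for this wording change.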
@@ -15,9 +15,9 @@ detection: selection_set_1: EventType: SetValue TargetObject|endswith: - - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools' + - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools' - 'SOFTWARE\Policies\Microsoft\Windows\System\DisableCMD' - - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableTaskmgr' + - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskmgr' - 'SOFTWARE\Policies\Microsoft\Windows\Explorer\DisableNotificationCenter' - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableChangePassword' - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation'
diff --git a/rules/windows/registry/registry_set/registry_set_sophos_av_tamaper.yml b/rules/windows/registry/registry_set/registry_set_sophos_av_tamaper.yml
new file mode 100644
index 000000000..4cff4fa0e
--- /dev/null
+++ b/rules/windows/registry/registry_set/registry_set_sophos_av_tamaper.yml
@@ -0,0 +1,26 @@
+title: Tamper With Sophos AV Registry Keys
+id: 9f4662ac-17ca-43aa-8f12-5d7b989d0101
+description: Detects tamper attempts to sophos av functionality via registry key modification
+author: Nasreddine Bencherchali
+date: 2022/09/02
+status: experimental
+references:
+ - https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ selection:
+ EventType: SetValue
+ TargetObject|contains:
+ - '\Sophos Endpoint Defense\TamperProtection\Config\SAVEnabled'
+ - '\Sophos\SAVService\TamperProtection\Enabled'
+ Details:
+ Details: DWORD (0x00000000)
+ condition: selection
+falsepositives:
+ - Some FP may occure when the feature is disabled by the AV itself, you should always investigate if the action was legitimate
+level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
From 884891746b5df23e07aaa6ca87af870fe4d2afbf Mon Sep 17 00:00:00 2001
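Review bot: The new file is named `registry_set_sophos_av_tamaper.yml` while its title says `Tamper`; the typo will live in the rule path and in every reference to it, so rename it to `registry_set_sophos_av_tamper.yml` before that happens (PATCH 33 and PATCH 35 below still address the misspelled name). The description reads awkwardly and should be `description: Detects attempts to tamper with Sophos AV functionality via registry key modification`, and `occure` in the `falsepositives` entry should be `occur`. The `status` key also sits between `date` and `references`, unlike the other new rules in this series, which place it after `id`.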
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 2 Sep 2022 12:02:18 +0200 Subject: [PATCH 32/59] Update proc_creation_win_powershell_amsi_bypass.yml --- .../proc_creation_win_powershell_amsi_bypass.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_powershell_amsi_bypass.yml b/rules/windows/process_creation/proc_creation_win_powershell_amsi_bypass.yml index 110404f91..3b7affa43 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_amsi_bypass.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_amsi_bypass.yml @@ -12,7 +12,7 @@ logsource: category: process_creation product: windows detection: - selection1: + selection: CommandLine|contains: - 'System.Management.Automation.AmsiUtils' - 'amsiInitFailed' From 3c83e6c51bb3e7c45ecf177958aba942c65b6077 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 2 Sep 2022 12:03:57 +0200 Subject: [PATCH 33/59] Update registry_set_sophos_av_tamaper.yml --- .../registry/registry_set/registry_set_sophos_av_tamaper.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rules/windows/registry/registry_set/registry_set_sophos_av_tamaper.yml b/rules/windows/registry/registry_set/registry_set_sophos_av_tamaper.yml index 4cff4fa0e..f6871c2c8 100644 --- a/rules/windows/registry/registry_set/registry_set_sophos_av_tamaper.yml +++ b/rules/windows/registry/registry_set/registry_set_sophos_av_tamaper.yml @@ -15,8 +15,7 @@ detection: TargetObject|contains: - '\Sophos Endpoint Defense\TamperProtection\Config\SAVEnabled' - '\Sophos\SAVService\TamperProtection\Enabled' - Details: - Details: DWORD (0x00000000) + Details: DWORD (0x00000000) condition: selection falsepositives: - Some FP may occure when the feature is disabled by the AV itself, you should always investigate if the action was legitimate 
From 116a72c206b725414e0ad52a413ff14033d454e9 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 2 Sep 2022 13:31:49 +0200 Subject: [PATCH 34/59] Fix FP --- .../image_load/image_load_susp_dll_load_system_process.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/rules/windows/image_load/image_load_susp_dll_load_system_process.yml b/rules/windows/image_load/image_load_susp_dll_load_system_process.yml index f683c2f77..f5468e8d4 100644 --- a/rules/windows/image_load/image_load_susp_dll_load_system_process.yml +++ b/rules/windows/image_load/image_load_susp_dll_load_system_process.yml @@ -6,7 +6,7 @@ author: Nasreddine Bencherchali references: - https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC (Idea) date: 2022/07/17 -modified: 2022/08/10 +modified: 2022/09/02 logsource: product: windows category: image_load @@ -21,7 +21,10 @@ detection: - '\AppData\Local\Temp\' - 'C:\PerfLogs\' filter: - ImageLoaded|contains: '\Program Files' + ImageLoaded|startswith: + - 'C:\Program Files\' + - 'C:\Program Files (x86)\' + - 'C:\ProgramData\' condition: selection and not filter falsepositives: - Unknown From 0bdd7ea35cfe447be818c9009d7460dd87206f42 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 2 Sep 2022 13:53:59 +0200 Subject: [PATCH 35/59] Update registry_set_sophos_av_tamaper.yml --- .../registry/registry_set/registry_set_sophos_av_tamaper.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/registry/registry_set/registry_set_sophos_av_tamaper.yml b/rules/windows/registry/registry_set/registry_set_sophos_av_tamaper.yml index f6871c2c8..cc87fa1ba 100644 --- a/rules/windows/registry/registry_set/registry_set_sophos_av_tamaper.yml +++ b/rules/windows/registry/registry_set/registry_set_sophos_av_tamaper.yml 
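Review bot: Switching the filter from `ImageLoaded|contains: '\Program Files'` to `ImageLoaded|startswith` with `C:\` pins the exclusion to the system drive, so a `Program Files` tree on any other volume is no longer filtered and every DLL loaded from it by the selected system processes will alert. If the drive letter is deliberate (to exclude user-created `Program Files` folders elsewhere), a comment saying so would help, e.g. `# Note: anchored to the system drive on purpose — only the install roots there are trusted`; otherwise `ImageLoaded|contains: ':\Program Files\'` keeps the root anchoring without the drive letter. The `selection` this filter pairs with starts above the hunk.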
@@ -14,6 +14,7 @@ detection: EventType: SetValue TargetObject|contains: - '\Sophos Endpoint Defense\TamperProtection\Config\SAVEnabled' + - '\Sophos Endpoint Defense\TamperProtection\Config\SEDEnabled' - '\Sophos\SAVService\TamperProtection\Enabled' Details: DWORD (0x00000000) condition: selection From e0a74d62387ddb23a923bc37dfa85bdd6667f15d Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 2 Sep 2022 14:17:17 +0200 Subject: [PATCH 36/59] Update proc_creation_win_net_default_accounts_manipulation.yml --- ..._win_net_default_accounts_manipulation.yml | 23 ++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml b/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml index d8c5ba7bb..76e660db1 100644 --- a/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml +++ b/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml @@ -5,6 +5,7 @@ description: Detects suspicious manipulations of default accounts such as 'admin author: Nasreddine Bencherchali references: - https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html + - https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/ date: 2022/09/01 logsource: category: process_creation 
@@ -18,14 +19,34 @@ detection: CommandLine|contains: ' user ' selection_username: CommandLine|contains: - # Need to write the full account name for cases starting with 'admin' to avoid lookups only with the user flag + # Note: We need to write the full account name for cases starting with 'admin' to avoid lookups only with the user flag - ' Järjestelmänvalvoja ' # Finish - ' Rendszergazda ' # Hungarian - ' Администратор ' # Russian - ' Administrateur ' # French - ' Administrador ' # Portuguese (Brazil + Portugal) + Spanish - ' Administratör ' # Swedish + - ' Administrator ' # English - ' guest ' + # The cases below are for when an attacker requests the net command via 'cmd /c....' + # First in double quotes + - ' "Järjestelmänvalvoja" ' # Finish + - ' "Rendszergazda" ' # Hungarian + - ' "Администратор" ' # Russian + - ' "Administrateur" ' # French + - ' "Administrador" ' # Portuguese (Brazil + Portugal) + Spanish + - ' "Administratör" ' # Swedish + - ' "Administrator" ' # English + - ' "guest" ' + # Second in single quotes + - " 'Järjestelmänvalvoja' " # Finish + - " 'Rendszergazda' " # Hungarian + - " 'Администратор' " # Russian + - " 'Administrateur' " # French + - " 'Administrador' " # Portuguese (Brazil + Portugal) + Spanish + - " 'Administratör' " # Swedish + - " 'Administrator' " # English + - " 'guest' " condition: all of selection_* falsepositives: - Some fasle positives could occure with the admin or guest account. It depends on the scripts being used by the admins in your env. If you experience a lot of FP you could reduce the level to medium From 927b29e85ae4936ed7937ac0f483d607b4af3538 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 2 Sep 2022 14:28:47 +0200 Subject: [PATCH 37/59] Update proc_creation_win_susp_powershell_download_iex.yml --- .../proc_creation_win_susp_powershell_download_iex.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) 
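Review bot: The language comment `# Finish` on the three `Järjestelmänvalvoja` entries in this hunk should read `# Finnish`. The pre-existing `fasle positives could occure` typos on the context line below the condition could be fixed while the file is open (`false positives could occur`). The `selection_img` and `selection_user` blocks that `all of selection_*` also relies on sit above the hunk.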
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_download_iex.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_download_iex.yml index 419b5624a..ef24899b6 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_powershell_download_iex.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_download_iex.yml @@ -1,11 +1,13 @@ title: PowerShell Web Download and Execution id: 85b0b087-eddf-4a2b-b033-d771fa2b9775 status: experimental -description: Detects suspicious ways to download files or content using PowerShell +description: Detects suspicious ways to download files or content and execute them using PowerShell author: Florian Roth date: 2022/03/24 +modified: 2022/09/02 tags: - - attack.t1546.013 + - attack.execution + - attack.t1059 references: - https://github.com/VirtualAlllocEx/Payload-Download-Cradles/blob/88e8eca34464a547c90d9140d70e9866dcbc6a12/Download-Cradles.cmd logsource: @@ -16,6 +18,7 @@ detection: CommandLine|contains: - '.DownloadString(' - '.DownloadFile(' + - 'Invoke-WebRequest ' execution: CommandLine|contains: - 'IEX(' @@ -24,6 +27,7 @@ detection: - 'IE`X' - 'I`E`X' - ' | IEX' + - '| IEX' - '|IEX ' - 'Invoke-Execution' - ';iex $' From f6026b697272bafe75b37caa5d2e08678838287c Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 2 Sep 2022 14:39:52 +0200 Subject: [PATCH 38/59] Update proc_creation_win_susp_schtasks_disable.yml --- .../proc_creation_win_susp_schtasks_disable.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml b/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml index 58b736101..bd735578c 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml 
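Review bot: The tag swap replaces `attack.t1546.013` with the generic `attack.t1059`; since the rule only matches PowerShell download cradles, the sub-technique `attack.t1059.001` is the more precise tag. The new `'Invoke-WebRequest '` entry covers the cmdlet's full name only; its `iwr` alias and `Invoke-RestMethod`/`irm` perform the same download and would slip past this selection, so either add them or state the scope in a comment such as `# Note: only the full cmdlet name is matched; aliases are left out to limit FPs`. The selection that `CommandLine|contains` belongs to starts above the second hunk.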
@@ -2,13 +2,13 @@ title: Disable Important Scheduled Task id: 9ac94dc8-9042-493c-ba45-3b5e7c86b980 status: experimental description: Adversaries may stop services or processes in order to conduct Data Destruction or Data Encrypted for Impact on the data stores of services like Exchange, SQL Server...etc. -author: frack113 +author: frack113, Nasreddine Bencherchali references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task - https://twitter.com/MichalKoczwara/status/1553634816016498688 - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ date: 2021/12/26 -modified: 2022/08/01 +modified: 2022/09/02 logsource: category: process_creation product: windows @@ -24,6 +24,9 @@ detection: - 'Microsoft\Windows\SystemRestore\SR' - 'Microsoft\Windows\Windows Defender\' - 'Microsoft\Windows\BitLocker' + - 'Microsoft\Windows\WindowsBackup\' + - 'Microsoft\Windows\WindowsUpdate\' + - 'Microsoft\Windows\UpdateOrchestrator\' - 'Windows\ExploitGuard' condition: all of schtasks_* falsepositives: From 3ee77e1446d2a6f1e7d0583431a655c2bd26c700 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 2 Sep 2022 16:57:23 +0200 Subject: [PATCH 39/59] fix: FPs noticed with Aurora --- .../builtin/security/win_rdp_reverse_tunnel.yml | 4 +++- .../net_connection_win_susp_rdp.yml | 16 +++++++++------- 2 files changed, 12 insertions(+), 8 deletions(-) diff --git a/rules/windows/builtin/security/win_rdp_reverse_tunnel.yml b/rules/windows/builtin/security/win_rdp_reverse_tunnel.yml index 4362daa68..5fa8dbec8 100644 --- a/rules/windows/builtin/security/win_rdp_reverse_tunnel.yml +++ b/rules/windows/builtin/security/win_rdp_reverse_tunnel.yml 
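Review bot: The added task paths include `Microsoft\Windows\WindowsUpdate\` and `Microsoft\Windows\UpdateOrchestrator\`; disabling those tasks is something update-management tooling and hardening scripts do in some environments, so these entries are likely to raise the rule's noise compared with the SR, Defender and BitLocker ones. The `falsepositives` section starts right below the hunk and should mention it, e.g. `- Administrators or update-management tooling disabling Windows Update tasks`. The enclosing `schtasks_*` selection begins above the hunk.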
@@ -7,7 +7,7 @@ references: - https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/44fbe85f72ee91582876b49678f9a26292a155fb/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx author: Samir Bousseaden date: 2019/02/16 -modified: 2022/06/29 +modified: 2022/09/02 tags: - attack.defense_evasion - attack.command_and_control @@ -32,6 +32,8 @@ detection: SourceAddress: - '127.*' - '::1' + filter_app_container: + FilterOrigin: 'AppContainer Loopback' filter_thor: # checking BlueKeep vulnerability Application|endswith: - '\thor.exe' diff --git a/rules/windows/network_connection/net_connection_win_susp_rdp.yml b/rules/windows/network_connection/net_connection_win_susp_rdp.yml index a8f288079..fd89cf440 100755 --- a/rules/windows/network_connection/net_connection_win_susp_rdp.yml +++ b/rules/windows/network_connection/net_connection_win_susp_rdp.yml @@ -2,11 +2,15 @@ title: Suspicious Outbound RDP Connections id: ed74fe75-7594-4b4b-ae38-e38e3fd2eb23 status: test description: Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible lateral movement -author: Markus Neis - Swisscom +author: Markus Neis references: - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708 date: 2019/05/15 -modified: 2022/06/20 +modified: 2022/09/02 +tags: + - attack.lateral_movement + - attack.t1021.001 + - car.2013-07-002 logsource: category: network_connection product: windows @@ -40,13 +44,11 @@ detection: - '\Avast Software\Avast\AvastSvc.exe' - '\Ranger\SentinelRanger.exe' # sentinel one - '\Avast\AvastSvc.exe' - - Image|startswith: 'C:\Program Files\SplunkUniversalForwarder\bin\' + - Image|startswith: + - 'C:\Program Files\SplunkUniversalForwarder\bin\' + - 'C:\Program Files\Mozilla Firefox\firefox.exe' condition: selection and not filter falsepositives: - Other Remote Desktop RDP tools - Domain controller using dns.exe level: high -tags: - - attack.lateral_movement - - attack.t1021.001 - - car.2013-07-002 
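Review bot: The new `filter_app_container` only takes effect if the rule's `condition` references filters by wildcard (`not 1 of filter*`); the condition is outside the hunk, so confirm it does not name `filter_thor` and the others individually. `FilterOrigin: 'AppContainer Loopback'` is an exact-value match on a free-text field of the 5156 event the reference points at; a short comment saying where the value was observed would help the next maintainer, e.g. `# Loopback traffic from AppContainer apps, seen as FP in 5156 events`.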
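Review bot: `'C:\Program Files\Mozilla Firefox\firefox.exe'` is a complete image path placed in a `startswith` list next to a directory prefix; it works, but `Image|endswith: '\Mozilla Firefox\firefox.exe'` states the intent more clearly and does not depend on the drive letter. Excluding a whole browser from an outbound-3389 rule is also a broad exception for a lateral-movement detection; if the Aurora FPs were a specific case, a comment naming it would let a reader judge the exclusion, e.g. `# firefox.exe seen connecting to services on 3389 (FP observed with Aurora)`. The `filter` this list belongs to starts above the hunk.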
From 6a6454cda9007c88654a27cf6565c1247b4ad160 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 2 Sep 2022 16:59:54 +0200 Subject: [PATCH 40/59] fix: Health Service filter --- .../registry_set/registry_set_persistence_search_order.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml b/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml index 7cc7ca808..f78379f6b 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml @@ -7,7 +7,7 @@ references: - https://attack.mitre.org/techniques/T1546/015/ author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien date: 2020/04/14 -modified: 2022/08/10 +modified: 2022/09/02 logsource: category: registry_set product: windows @@ -28,6 +28,8 @@ detection: - '\FileCoAuthLib64.dll' - '\FileSyncShell64.dll' - '\FileSyncApi64.dll' + filter_health_service: + Image: 'C:\WINDOWS\system32\SecurityHealthService.exe' filter2: Details|contains|all: - '\AppData\Local\Microsoft\TeamsMeetingAddin\' From 3e1116bbfb9e414fc5864ee9501047ab3d591c0d Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 2 Sep 2022 17:19:27 +0200 Subject: [PATCH 41/59] Update proc_creation_win_frp.yml --- .../process_creation/proc_creation_win_frp.yml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_frp.yml b/rules/windows/process_creation/proc_creation_win_frp.yml index 4b30d77b4..df052004f 100644 --- a/rules/windows/process_creation/proc_creation_win_frp.yml +++ b/rules/windows/process_creation/proc_creation_win_frp.yml @@ -7,6 +7,9 @@ references: - https://github.com/fatedier/frp author: frack113 date: 2022/09/02 +tags: + - attack.command_and_control + - attack.t1090 logsource: category: process_creation product: windows 
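Review bot: `filter_health_service` uses an exact `Image:` match against `C:\WINDOWS\system32\SecurityHealthService.exe`, so a system installed to another drive falls outside it; `Image|endswith: '\SecurityHealthService.exe'` would match the style of the sibling rules in this series. The rule's `condition` is outside the hunk and the other filter visible here is named `filter2`, so confirm the condition uses `1 of filter*` rather than naming `filter1`/`filter2`, or the new filter is never consulted.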
@@ -15,11 +18,9 @@ detection: Image|endswith: - '\frpc.exe' - '\frps.exe' + CommandLine|contains: + - '\frpc.ini' condition: selection falsepositives: - - Legitimate administrative use -level: medium -tags: - - attack.command_and_control - - attack.t1090 - + - Legitimate use +level: high From b33b2317c877fd235c67cbd7790532d5728891c6 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 2 Sep 2022 17:22:23 +0200 Subject: [PATCH 42/59] Update proc_creation_win_frp.yml --- rules/windows/process_creation/proc_creation_win_frp.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_frp.yml b/rules/windows/process_creation/proc_creation_win_frp.yml index df052004f..99f8ef416 100644 --- a/rules/windows/process_creation/proc_creation_win_frp.yml +++ b/rules/windows/process_creation/proc_creation_win_frp.yml @@ -1,4 +1,4 @@ -title: Fast Reverse Proxy +title: Fast Reverse Proxy (FRP) id: 32410e29-5f94-4568-b6a3-d91a8adad863 status: experimental description: Detects the use of Fast Reverse Proxy. frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the Internet. From 693b7761c1a6f4928b9e11f91c572c9e2947cdb8 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Fri, 2 Sep 2022 17:23:23 +0200 Subject: [PATCH 43/59] Add net_connection_win_certutil --- .../net_connection_win_certutil.yml | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 rules/windows/network_connection/net_connection_win_certutil.yml diff --git a/rules/windows/network_connection/net_connection_win_certutil.yml b/rules/windows/network_connection/net_connection_win_certutil.yml new file mode 100644 index 000000000..018985142 --- /dev/null +++ b/rules/windows/network_connection/net_connection_win_certutil.yml 
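Review bot: Adding `CommandLine|contains: '\frpc.ini'` to the same `selection` makes the rule require both the image and the command-line clause, so the `'\frps.exe'` entry now only matches when the server binary is handed a client ini — it is effectively dead after this change. Either list the server's config name alongside it (presumably `- '\frps.ini'`) or drop the server image from the rule and say so in a comment. Raising `level` to `high` on the strength of the ini match is fine once that is settled; the `logsource` and start of `selection` sit above the hunk.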
@@ -0,0 +1,27 @@
+title: Certuil Initiated Connection
+id: 0dba975d-a193-4ed1-a067-424df57570d1
+status: experimental
+description: Attackers can abuse `certutil.exe` to download malware, offensive security tools
+author: frack113
+references:
+ - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
+date: 2022/09/02
+logsource:
+ category: network_connection
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\certuil.exe'
+ Initiated: 'true'
+ DestinationPort:
+ - 80
+ - 443
+ - 135
+ - 445
+ condition: selection
+falsepositives:
+ - Legitimate certuil network connection
+level: medium
+tags:
+ - attack.command_and_Control
+ - attack.t1105
\ No newline at end of file
From da6ca9ece7bd3571b6e8c2681b1bff4131312f79 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 2 Sep 2022 17:27:15 +0200 Subject: [PATCH 44/59] Update proc_creation_win_certutil_ntlm_coercion.yml
---
 .../proc_creation_win_certutil_ntlm_coercion.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion.yml b/rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion.yml
index 553268041..cd5fb9f3b 100644
--- a/rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion.yml
+++ b/rules/windows/process_creation/proc_creation_win_certutil_ntlm_coercion.yml
@@ -23,4 +23,4 @@ tags: - attack.t1218 falsepositives: - Unknown -level: medium +level: high
From 8f0ade9ad9308f3d5928400b88cebfc39ba9e660 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Fri, 2 Sep 2022 17:28:36 +0200 Subject: [PATCH 45/59] Fix name
---
 .../network_connection/net_connection_win_certutil.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/rules/windows/network_connection/net_connection_win_certutil.yml b/rules/windows/network_connection/net_connection_win_certutil.yml
index 018985142..b5cae73a2 100644
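Review bot: The `DestinationPort` list restricts the new certutil rule to 80/443/135/445, so a download from a server listening on any other port is not seen; if the ports were chosen to curb noise, say so in a comment, e.g. `# Note: limited to common web/SMB/RPC ports to reduce noise; widen if your telemetry allows`, otherwise consider dropping the list since `Initiated: 'true'` already scopes the rule to outbound connections. The description is not a sentence about what the rule detects; `description: Detects network connections initiated by certutil.exe, which attackers can abuse to download malware or offensive security tools` would match the other rules in this series. The misspelled image name and the `command_and_Control` tag are corrected in PATCH 45 and PATCH 46.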
--- a/rules/windows/network_connection/net_connection_win_certutil.yml +++ b/rules/windows/network_connection/net_connection_win_certutil.yml @@ -1,4 +1,4 @@ -title: Certuil Initiated Connection +title: Certutil Initiated Connection id: 0dba975d-a193-4ed1-a067-424df57570d1 status: experimental description: Attackers can abuse `certutil.exe` to download malware, offensive security tools @@ -11,7 +11,7 @@ logsource: product: windows detection: selection: - Image|endswith: '\certuil.exe' + Image|endswith: '\certutil.exe' Initiated: 'true' DestinationPort: - 80 @@ -20,8 +20,8 @@ detection: - 445 condition: selection falsepositives: - - Legitimate certuil network connection + - Legitimate certutil network connection level: medium tags: - attack.command_and_Control - - attack.t1105 \ No newline at end of file + - attack.t1105 From 5e5f3c803e261e2af07009559433b1aa9a639d77 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Fri, 2 Sep 2022 17:32:50 +0200 Subject: [PATCH 46/59] Fix tag --- .../windows/network_connection/net_connection_win_certutil.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/network_connection/net_connection_win_certutil.yml b/rules/windows/network_connection/net_connection_win_certutil.yml index b5cae73a2..6d376759e 100644 --- a/rules/windows/network_connection/net_connection_win_certutil.yml +++ b/rules/windows/network_connection/net_connection_win_certutil.yml @@ -23,5 +23,5 @@ falsepositives: - Legitimate certutil network connection level: medium tags: - - attack.command_and_Control + - attack.command_and_control - attack.t1105 From 168df94b73b080ef5918d401bc9c37618fd3caa7 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 2 Sep 2022 17:36:10 +0200 Subject: [PATCH 47/59] Update proc_creation_win_susp_clsid_foldername.yml --- .../proc_creation_win_susp_clsid_foldername.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/rules/windows/process_creation/proc_creation_win_susp_clsid_foldername.yml b/rules/windows/process_creation/proc_creation_win_susp_clsid_foldername.yml index 4d3178252..55e39ac5e 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_clsid_foldername.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_clsid_foldername.yml @@ -30,7 +30,7 @@ detection: condition: all of selection_* and not filter falsepositives: - Some FP is expected with some installers -level: high +level: medium tags: - attack.defense_evasion - attack.t1027 From 19d8cdbaed0bf23de2e27885f79d2be664947a8c Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 2 Sep 2022 17:36:54 +0200 Subject: [PATCH 48/59] Update proc_creation_win_susp_powershell_download_iex.yml --- .../proc_creation_win_susp_powershell_download_iex.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_download_iex.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_download_iex.yml index ef24899b6..4d8a6f5ba 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_powershell_download_iex.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_download_iex.yml @@ -26,7 +26,6 @@ detection: - 'I`EX' - 'IE`X' - 'I`E`X' - - ' | IEX' - '| IEX' - '|IEX ' - 'Invoke-Execution' From 99e3b5d4409f47fcf6d0f8d3c53e70dedc7254eb Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Fri, 2 Sep 2022 17:43:19 +0200 Subject: [PATCH 49/59] Update proc_creation_win_frp.yml --- rules/windows/process_creation/proc_creation_win_frp.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_frp.yml b/rules/windows/process_creation/proc_creation_win_frp.yml index 99f8ef416..566ff53d9 100644 --- a/rules/windows/process_creation/proc_creation_win_frp.yml +++ b/rules/windows/process_creation/proc_creation_win_frp.yml 
@@ -18,8 +18,7 @@ detection:
 Image|endswith:
 - '\frpc.exe'
 - '\frps.exe'
- CommandLine|contains:
- - '\frpc.ini'
+ CommandLine|contains: '\frpc.ini'
 condition: selection
 falsepositives:
 - Legitimate use
From 1adbd8f0b3708b98714f8ca254e17a8ea4ab8c9e Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 2 Sep 2022 17:44:53 +0200
Subject: [PATCH 50/59] Fix after review
---
 .../image_load/image_load_susp_dll_load_system_process.yml | 1 -
 .../process_creation/proc_creation_win_cleanwipe.yml | 1 +
 .../process_creation/proc_creation_win_cmd_dosfuscation.yml | 1 -
 .../proc_creation_win_net_default_accounts_manipulation.yml | 6 +++++-
 .../process_creation/proc_creation_win_net_recon.yml | 2 +-
 .../process_creation/proc_creation_win_reg_add_safeboot.yml | 2 +-
 ...ml => proc_creation_win_susp_shellexec_rundll_usage.yml} | 6 +++---
 7 files changed, 11 insertions(+), 8 deletions(-)
 rename rules/windows/process_creation/{proc_creation_win_susp_openas_rundll_usage.yml => proc_creation_win_susp_shellexec_rundll_usage.yml} (71%)
diff --git a/rules/windows/image_load/image_load_susp_dll_load_system_process.yml b/rules/windows/image_load/image_load_susp_dll_load_system_process.yml
index f5468e8d4..ae92f3456 100644
--- a/rules/windows/image_load/image_load_susp_dll_load_system_process.yml
+++ b/rules/windows/image_load/image_load_susp_dll_load_system_process.yml
@@ -24,7 +24,6 @@ detection:
 ImageLoaded|startswith:
 - 'C:\Program Files\'
 - 'C:\Program Files (x86)\'
- - 'C:\ProgramData\'
 condition: selection and not filter
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_cleanwipe.yml b/rules/windows/process_creation/proc_creation_win_cleanwipe.yml
index 83ee8cb3c..8d7579ea8 100644
--- a/rules/windows/process_creation/proc_creation_win_cleanwipe.yml
+++ b/rules/windows/process_creation/proc_creation_win_cleanwipe.yml
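Review bot: With `CommandLine|contains: '\frpc.ini'` ANDed with the `Image|endswith` list, the `'\frps.exe'` entry is effectively dead — the server binary is normally started with its own config (presumably `frps.ini`), so that branch can only fire when someone points frps at a client config. If both binaries are meant to stay in scope, keep the list form and add the server config, `CommandLine|contains:` / `- '\frpc.ini'` / `- '\frps.ini'`; if only the client is wanted, drop `'\frps.exe'` so the selection says what it actually matches. A short comment naming which config file belongs to which binary would keep the next editor from re-introducing the mismatch.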
@@ -6,6 +6,7 @@ references:
 - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/CleanWipe
 author: Nasreddine Bencherchali @nas_bench
 date: 2021/12/18
+modified: 2022/09/02
 tags:
 - attack.defense_evasion
 - attack.t1562.001
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml b/rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml
index 72449143a..62e9c6e27 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_dosfuscation.yml
@@ -22,7 +22,6 @@ detection:
 - ' s^et '
 - ' s^e^t '
 - ' se^t '
- - ':~'
 condition: selection
 falsepositives:
 - Legitimate use
diff --git a/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml b/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml
index 76e660db1..8dedecc69 100644
--- a/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml
+++ b/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml
@@ -47,7 +47,11 @@ detection:
 - " 'Administratör' " # Swedish
 - " 'Administrator' " # English
 - " 'guest' "
- condition: all of selection_*
+ filter:
+ CommandLine|contains|all:
+ - 'guest'
+ - '/active no'
+ condition: all of selection_* and not filter
 falsepositives:
 - Some fasle positives could occure with the admin or guest account. It depends on the scripts being used by the admins in your env. If you experience a lot of FP you could reduce the level to medium
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_net_recon.yml b/rules/windows/process_creation/proc_creation_win_net_recon.yml
index e0164ce8e..7a57ffdbf 100644
--- a/rules/windows/process_creation/proc_creation_win_net_recon.yml
+++ b/rules/windows/process_creation/proc_creation_win_net_recon.yml
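Review bot: The new `filter` keys on `'/active no'`, but the documented `net user` switch is `/active:no` (with a colon), so the most common way of disabling the guest account is not excluded and still alerts at level high; I am not aware of net.exe accepting the space-separated form, so this looks like a typo rather than a deliberate second syntax. Rather than loosening the term to a bare `'/active'`, add a second filter for the colon form and switch the condition to `not 1 of filter_*`. Note also that `contains 'guest'` is satisfied by any command line that mentions guest anywhere, not only as the target account; if that breadth is acceptable, a one-line comment saying so would save the next reviewer the same question.
```yaml
    filter_guest_disable_colon:
        CommandLine|contains|all:
            - 'guest'
            - '/active:no'
    filter_guest_disable_space:
        CommandLine|contains|all:
            - 'guest'
            - '/active no'
    condition: all of selection_* and not 1 of filter_*
```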
@@ -4,7 +4,7 @@ status: experimental
 description: Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE
 author: Florian Roth, omkar72, @svch0st, Nasreddine Bencherchali
 date: 2019/01/16
-modified: 2022/08/22
+modified: 2022/09/02
 references:
 - https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
 - https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
diff --git a/rules/windows/process_creation/proc_creation_win_reg_add_safeboot.yml b/rules/windows/process_creation/proc_creation_win_reg_add_safeboot.yml
index 55a4b0960..e891fb92f 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_add_safeboot.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_add_safeboot.yml
@@ -4,7 +4,7 @@ related:
 - id: fc0e89b5-adb0-43c1-b749-c12a10ec37de
 type: similar
 status: experimental
-description: Detects execution of "reg.exe" commands with the "delete" flag on safe boot registry keys. Often used by attacker to prevent safeboot execution of security products
+description: Detects execution of "reg.exe" commands with the "add" or "copy" flags on safe boot registry keys. Often used by attacker to allow the ransomware to work in safe mode as some security products do not
 references:
 - https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/
 author: Nasreddine Bencherchali
diff --git a/rules/windows/process_creation/proc_creation_win_susp_openas_rundll_usage.yml b/rules/windows/process_creation/proc_creation_win_susp_shellexec_rundll_usage.yml
similarity index 71%
rename from rules/windows/process_creation/proc_creation_win_susp_openas_rundll_usage.yml
rename to rules/windows/process_creation/proc_creation_win_susp_shellexec_rundll_usage.yml
index 548480483..e1c22b98d 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_openas_rundll_usage.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_shellexec_rundll_usage.yml
@@ -1,6 +1,6 @@
-title: Suspicious Usage Of OpenAs_RunDLL
+title: Suspicious Usage Of ShellExec_rundll
 id: d87bd452-6da1-456e-8155-7dc988157b7d
-description: Detects suspicious usage of the OpenAs_RunDLL function to launch other commands as seen in the the raspberry-robin attack
+description: Detects suspicious usage of the ShellExec_rundll function to launch other commands as seen in the the raspberry-robin attack
 status: experimental
 references:
 - https://redcanary.com/blog/raspberry-robin/
@@ -11,7 +11,7 @@ logsource:
 product: windows
 detection:
 selection_openasrundll:
- CommandLine|contains: ',OpenAs_RunDLL'
+ CommandLine|contains: ',ShellExec_rundll'
 selection_suspcli:
 CommandLine|contains:
 # Add more LOLBINs and Susp Paths
From 7530008f2615d07362880a681521dfe9499f497b Mon Sep 17 00:00:00 2001
From: Gott <47673777+danielgottt@users.noreply.github.com>
Date: Fri, 2 Sep 2022 19:18:52 -0400
Subject: [PATCH 51/59] Create proc_creation_win_ldifde_file_load.yml
---
 .../proc_creation_win_ldifde_file_load.yml | 30 +++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml
diff --git a/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml b/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml
new file mode 100644
index 000000000..247fa7181
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml
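Review bot: The rewritten description still carries the duplicated article in `as seen in the the raspberry-robin attack`; suggest `as seen in the Raspberry Robin attack`. Since the function name changes here, the description could also say what the indicator is rather than only its name, e.g. `Detects rundll32.exe being invoked with the shell32.dll ShellExec_RunDLL export to launch other commands, as seen in the Raspberry Robin attack` — the export is the one the referenced Red Canary post describes, so worth stating for readers who do not follow the link.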
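Review bot: The selection is renamed in content but not in name: `selection_openasrundll` now holds the `',ShellExec_rundll'` match, which will mislead the next person editing the rule; rename it to `selection_shellexec` (the condition sits outside this hunk and presumably uses `all of selection_*`, so no other change should be needed — verify). The `contains ',ShellExec_rundll'` term also covers the `ShellExec_RunDLLA`/`W` exports by prefix, which deserves a `# also matches the A/W variants` comment, but it will miss invocations written with whitespace after the comma (`shell32.dll, ShellExec_RunDLL`) if rundll32 tolerates that form — worth testing before relying on this as the only match.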
@@ -0,0 +1,30 @@
+title: Suspicious Ldifde Command Usage
+id: 6f535e01-ca1f-40be-ab8d-45b19c0c8b7f
+description: |
+ Detects the use of Ldifde.exe with specific command line arguments to potentially load an LDIF file containing HTTP-based arguments.
+ Ldifde.exe is present, by default, on domain controllers and only requires user-level authentication to execute.
+references:
+ - https://twitter.com/0gtweet/status/1564968845726580736
+ - https://strontic.github.io/xcyclopedia/library/ldifde.exe-979DE101F5059CEC1D2C56967CA2BAC0.html
+ - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731033(v=ws.11)
+status: experimental
+author: '@gott_cyber'
+date: 2022/09/02
+tags:
+ - attack.command_and_control
+ - attack.t1105
+ - attack.defense_evasion
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\ldifde.exe'
+ CommandLine|contains|all:
+ - '-i'
+ - '-f'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
From c7eddebe40ddfd0de33afd2adc01eb93420d748a Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 3 Sep 2022 09:30:24 +0200
Subject: [PATCH 52/59] fix: Msiexec FPs noticed with Aurora
---
 .../image_load/image_load_susp_dll_load_system_process.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/rules/windows/image_load/image_load_susp_dll_load_system_process.yml b/rules/windows/image_load/image_load_susp_dll_load_system_process.yml
index f683c2f77..90a8dc127 100644
--- a/rules/windows/image_load/image_load_susp_dll_load_system_process.yml
+++ b/rules/windows/image_load/image_load_susp_dll_load_system_process.yml
@@ -6,7 +6,7 @@ author: Nasreddine Bencherchali
 references:
 - https://github.com/hackerhouse-opensource/iscsicpl_bypassUAC (Idea)
 date: 2022/07/17
-modified: 2022/08/10
+modified: 2022/09/03
 logsource:
 product: windows
 category: image_load
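Review bot: `CommandLine|contains|all` with the bare substrings `'-i'` and `'-f'` matches far more than the import switches: an export such as `ldifde -f C:\ad-import\out.ldf` contains both substrings yet is not the import case the description talks about. Anchoring on the switch form, `' -i'` and `' -f '`, keeps the documented `ldifde -i -f <file>` syntax while dropping those matches; if ldifde also accepts `/i` and `/f` (not verified here), add them as alternatives. The claim that the tool `only requires user-level authentication to execute` comes from the referenced tweet rather than anything in the rule, so a `# per the 0gtweet reference` note next to it would record its provenance. Finally, ldifde imports are routine administrative work on domain controllers, so `falsepositives: Unknown` understates it — `Legitimate bulk LDAP imports by administrators` is the honest entry.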
@@ -21,7 +21,8 @@ detection:
 - '\AppData\Local\Temp\'
 - 'C:\PerfLogs\'
 filter:
- ImageLoaded|contains: '\Program Files'
+ - ImageLoaded|contains: '\Program Files'
+ - Image|endswith: '\msiexec.exe'
 condition: selection and not filter
 falsepositives:
 - Unknown
From 1af75b397d08e7eccb283d9865c4bb6f32da87e1 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 3 Sep 2022 09:48:36 +0200
Subject: [PATCH 53/59] fix: VSCode file permissions changes
---
 .../proc_creation_win_file_permission_modifications.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_file_permission_modifications.yml b/rules/windows/process_creation/proc_creation_win_file_permission_modifications.yml
index d88652a6d..32e4c6c75 100644
--- a/rules/windows/process_creation/proc_creation_win_file_permission_modifications.yml
+++ b/rules/windows/process_creation/proc_creation_win_file_permission_modifications.yml
@@ -7,7 +7,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md
 - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh750728(v=ws.11)
 date: 2019/10/23
-modified: 2022/08/01
+modified: 2022/09/03
 logsource:
 category: process_creation
 product: windows
@@ -30,7 +30,8 @@ detection:
 - 'ICACLS C:\ProgramData\dynatrace\gateway\config\config.properties /grant :r '
 - 'S-1-5-19:F'
 filter_programs:
- CommandLine|contains: '\AppData\Local\Programs\Microsoft VS Code'
+ - Image|contains: '\AppData\Local\Programs\Microsoft VS Code'
+ - Image|endswith: '\Microsoft VS Code\Code.exe'
 condition: 1 of selection* and not 1 of filter*
 fields:
 - ComputerName
From 38d6a52e4d05f383c573e4240f6e7f5b893994f4 Mon Sep 17 00:00:00 2001
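Review bot: The new `- Image|endswith: '\msiexec.exe'` entry is a stand-alone OR term in `filter`, so it excludes every DLL load by any process named msiexec.exe regardless of where the DLL sits — including one under `\AppData\Local\Temp\`, which this hunk shows is one of the selection's paths and is exactly how a malicious MSI custom-action DLL gets loaded; unless the selection above pins `Image` to a system directory, a dropped binary named msiexec.exe also inherits the exclusion. If the FP is the genuine installer, pin it to its path, `- Image:` / `- 'C:\Windows\System32\msiexec.exe'` / `- 'C:\Windows\SysWOW64\msiexec.exe'`, and add a comment stating that MSI custom-action loads are deliberately accepted so the trade-off is visible. The surviving `ImageLoaded|contains: '\Program Files'` term also lacks a trailing backslash, so `C:\Users\x\Program Files\evil.dll` or a `\Program Filesx\` directory satisfies the filter; `'\Program Files\'` is tighter. The selection list starts above this hunk.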
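Review bot: `filter_programs` switches from a CommandLine match to an Image match, which changes what is excluded in both directions: an `icacls.exe` run whose arguments contain the VS Code path (what the old filter excluded) no longer matches because its Image is icacls.exe, while any executable located under the user-writable `\AppData\Local\Programs\Microsoft VS Code\` directory is now excluded whatever ACL command it carries — an attacker only has to launch from that path. If the FP seen was Code.exe itself as the process image, the second entry `Image|endswith: '\Microsoft VS Code\Code.exe'` already covers it and the broader `Image|contains` entry should go; if it was icacls spawned by VS Code, `ParentImage|endswith: '\Microsoft VS Code\Code.exe'` is the precise key. A one-line comment recording which process produced the FP would prevent the next round of guessing.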
From: Gott <47673777+danielgottt@users.noreply.github.com>
Date: Sat, 3 Sep 2022 10:02:51 -0400
Subject: [PATCH 54/59] Update proc_creation_win_ldifde_file_load.yml
Implemented suggestions
---
 .../proc_creation_win_ldifde_file_load.yml | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml b/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml
index 247fa7181..03c0e5335 100644
--- a/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml
+++ b/rules/windows/process_creation/proc_creation_win_ldifde_file_load.yml
@@ -19,12 +19,14 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection:
- Image|endswith: '\ldifde.exe'
- CommandLine|contains|all:
- - '-i'
- - '-f'
- condition: selection
+ selection_ldif:
+ - Image|endswith: '\ldifde.exe'
+ - OriginalFileName: ldifde.exe.mui
+ selection_cmd:
+ CommandLine|contains|all:
+ - '-i'
+ - '-f'
+ condition: all of selection_*
 falsepositives:
 - Unknown
 level: medium
From 7529857747e460194999baa3ae7b50f2977e4b6a Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sun, 4 Sep 2022 10:42:39 +0200
Subject: [PATCH 55/59] Delete script.sh
---
 script.sh | 6 ------
 1 file changed, 6 deletions(-)
 delete mode 100755 script.sh
diff --git a/script.sh b/script.sh
deleted file mode 100755
index ba2bfbee2..000000000
--- a/script.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-for i in $(find . -type f -iname *.yml | grep -i suspicious);
-do
- DIR=$(dirname $i)
- NEW_NAME=$(basename $i | sed 's/suspicious/susp/')
- git mv $i $DIR/$NEW_NAME
-done
\ No newline at end of file
From 468b303660ec49603a9bd9ce4e80e2ba6d9d9e3f Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 5 Sep 2022 11:59:15 +0200
Subject: [PATCH 56/59] Update net_connection_win_certutil.yml
---
 .../net_connection_win_certutil.yml | 20 ++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)
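Review bot: The split into `selection_ldif`/`selection_cmd` keeps the loose `-i`/`-f` substring match from the first version, so an export like `ldifde -f C:\ad-import\out.ldf` still satisfies `CommandLine|contains|all` without being an import; `' -i'` and `' -f '` (plus `/i`/`/f` if ldifde accepts slash switches, not verified here) would fix that in the same spot. The `OriginalFileName: ldifde.exe.mui` alternative is presumably taken from the referenced xcyclopedia entry; readers will otherwise assume the `.mui` suffix is a typo, so either confirm it against a current build's version resource and add `# as reported in the binary's version info` beside it, or correct it to `ldifde.exe` if that is what the binary reports. `falsepositives: Unknown` still undersells routine administrative bulk imports on domain controllers.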
diff --git a/rules/windows/network_connection/net_connection_win_certutil.yml b/rules/windows/network_connection/net_connection_win_certutil.yml
index 6d376759e..12d8c9b0f 100644
--- a/rules/windows/network_connection/net_connection_win_certutil.yml
+++ b/rules/windows/network_connection/net_connection_win_certutil.yml
@@ -1,27 +1,29 @@
 title: Certutil Initiated Connection
 id: 0dba975d-a193-4ed1-a067-424df57570d1
 status: experimental
-description: Attackers can abuse `certutil.exe` to download malware, offensive security tools
-author: frack113
+description: Detects a network connection intitiated by the certutil.exe tool. Attackers can abuse `certutil.exe` to download malware or offensive security tools.
+author: frack113, Florian Roth
 references:
 - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
 date: 2022/09/02
+tags:
+ - attack.command_and_control
+ - attack.t1105
 logsource:
 category: network_connection
 product: windows
 detection:
- selection:
- Image|endswith: '\certutil.exe'
+ selection_certutil:
+ - Image|endswith: '\certutil.exe'
+ - OriginalFilename: 'CertUtil.exe'
+ selection_network:
 Initiated: 'true'
 DestinationPort:
 - 80
 - 443
 - 135
 - 445
- condition: selection
+ condition: all of selection*
 falsepositives:
 - Legitimate certutil network connection
-level: medium
-tags:
- - attack.command_and_control
- - attack.t1105
+level: high
From 7b5c8875967a3e32dacdd4171013f2a894242f78 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 5 Sep 2022 16:50:49 +0200
Subject: [PATCH 57/59] fix: FPs with File Creation Date Changed to Another Year
---
 .../file_change/file_change_win_2022_timestomping.yml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/rules/windows/file_change/file_change_win_2022_timestomping.yml b/rules/windows/file_change/file_change_win_2022_timestomping.yml
index 11b21c196..d7dc7372f 100644
--- a/rules/windows/file_change/file_change_win_2022_timestomping.yml
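Review bot: The new `OriginalFilename: 'CertUtil.exe'` key is spelled differently from the `OriginalFileName` used elsewhere in this series (the ldifde rule), and backend field mappings match field names literally, so this alternative will most likely map to nothing — write `OriginalFileName`. More fundamentally, the `network_connection` category (Sysmon Event ID 3) does not carry an OriginalFileName field at all, so on Sysmon-backed pipelines only the `Image|endswith` branch does any work; a comment such as `# OriginalFileName is only present in some EDR network telemetry, not Sysmon EID 3` would keep that from being mistaken for coverage. Raising the level to `high` while keeping ports 80/443 means the CRL/OCSP fetches certutil itself performs during normal certificate verification (e.g. `certutil -verify`, `-urlcache` against intranet hosts) now alert at high; the `falsepositives` entry should name those cases rather than the generic `Legitimate certutil network connection`. The description's `intitiated` is also a typo for `initiated`.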
+++ b/rules/windows/file_change/file_change_win_2022_timestomping.yml
@@ -8,6 +8,7 @@ references:
 - https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html
 author: frack113, Florian Roth
 date: 2022/08/12
+modified: 2022/09/05
 logsource:
 category: file_change
 product: windows
@@ -20,7 +21,13 @@ detection:
 PreviousCreationUtcTime|startswith: 202
 filter2:
 CreationUtcTime|startswith: 202
- condition: ( selection1 and not filter1 ) or ( selection2 and not filter2 )
+ gen_filter_updates:
+ - Image: 'C:\Windows\system32\ProvTool.exe'
+ - TargetFilename|startswith: 'C:\ProgramData\USOPrivate\UpdateStore\'
+ - TargetFilename|endswith:
+ - '.tmp'
+ - '.temp'
+ condition: ( selection1 and not filter1 ) or ( selection2 and not filter2 ) and not 1 of gen_filter*
 falsepositives:
 - Changes made to or by the local NTP service
 level: high
From 96a55cc3cb5ca9c9ce7d5180644d317f35ffe097 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 5 Sep 2022 16:52:01 +0200
Subject: [PATCH 58/59] refactor: extend values
---
 .../file_change/file_change_win_2022_timestomping.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/rules/windows/file_change/file_change_win_2022_timestomping.yml b/rules/windows/file_change/file_change_win_2022_timestomping.yml
index d7dc7372f..d2461c302 100644
--- a/rules/windows/file_change/file_change_win_2022_timestomping.yml
+++ b/rules/windows/file_change/file_change_win_2022_timestomping.yml
@@ -22,7 +22,10 @@ detection:
 filter2:
 CreationUtcTime|startswith: 202
 gen_filter_updates:
- - Image: 'C:\Windows\system32\ProvTool.exe'
+ - Image:
+ - 'C:\Windows\system32\ProvTool.exe'
+ - 'C:\Windows\System32\usocoreworker.exe'
+ - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
 - TargetFilename|startswith: 'C:\ProgramData\USOPrivate\UpdateStore\'
 - TargetFilename|endswith:
 - '.tmp'
From f188b9abfd02792c5f4ca8b7ad07836d24c9c294 Mon Sep 17 00:00:00 2001
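Review bot: The new condition `( selection1 and not filter1 ) or ( selection2 and not filter2 ) and not 1 of gen_filter*` does not apply the update exclusion to both branches: Sigma gives `and` higher precedence than `or`, so this parses as `(selection1 and not filter1) or ((selection2 and not filter2) and not 1 of gen_filter*)`, and the ProvTool/USOPrivate false positives this commit targets keep firing through the first branch whenever they hit it. Wrap the disjunction: `condition: ( ( selection1 and not filter1 ) or ( selection2 and not filter2 ) ) and not 1 of gen_filter*`. Separately, `TargetFilename|endswith: '.tmp'/'.temp'` is a stand-alone OR entry in `gen_filter_updates`, so any timestomped file with a temp extension is excluded regardless of process or directory — an attacker can stomp a `.tmp` and rename afterwards; if the observed FPs were all under `USOPrivate\UpdateStore\`, fold the extension check into that entry instead of leaving it unconditional. The selections this condition refers to start above the hunk.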
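Review bot: The three `Image` values mix `system32` and `System32` (`C:\Windows\system32\ProvTool.exe` vs `C:\Windows\System32\usocoreworker.exe`); Sigma string matching is case-insensitive so it works, but normalising to one spelling stops readers wondering whether the difference is deliberate. Each `Image` value is also a stand-alone OR term in `gen_filter_updates`, so every creation-time change made by SystemSettings.exe or usocoreworker.exe anywhere on disk is now excluded, not only the `USOPrivate\UpdateStore\` writes the previous commit's title describes; if that breadth is intended, a comment such as `# servicing/update processes rewrite file creation times as part of normal operation` would record why.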
From: Florian Roth
Date: Mon, 5 Sep 2022 23:01:42 +0200
Subject: [PATCH 59/59] fix: FPs with crypto miner cmdlines
---
 .../proc_creation_win_crypto_mining_monero.yml | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_crypto_mining_monero.yml b/rules/windows/process_creation/proc_creation_win_crypto_mining_monero.yml
index 4db11b093..9c8713444 100644
--- a/rules/windows/process_creation/proc_creation_win_crypto_mining_monero.yml
+++ b/rules/windows/process_creation/proc_creation_win_crypto_mining_monero.yml
@@ -6,6 +6,10 @@ references:
 - https://www.poolwatch.io/coin/monero
 author: Florian Roth
 date: 2021/10/26
+modified: 2022/09/05
+tags:
+ - attack.impact
+ - attack.t1496
 logsource:
 category: process_creation
 product: windows
@@ -30,10 +34,13 @@ detection:
 - 'c3RyYXR1bSt1ZHA6Ly'
 - 'N0cmF0dW0rdWRwOi8v'
 - 'zdHJhdHVtK3VkcDovL'
- condition: selection
+ filter:
+ CommandLine|contains:
+ - ' pool.c '
+ - ' pool.o '
+ - 'gcc -'
+ condition: selection and not filter
 falsepositives:
 - Legitimate use of crypto miners
+ - Some build frameworks
 level: high
-tags:
- - attack.impact
- - attack.t1496
\ No newline at end of file
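Review bot: The new `filter` excludes on bare command-line substrings, and `'gcc -'` in particular is a free bypass for a level-high rule: a miner launched as `xmrig.exe -o stratum+tcp://... & rem gcc -` (or with any argument containing `gcc -`) is silenced, and the same holds for appending ` pool.c `. If the FP is a compiler invocation, anchor the exclusion on the process rather than its arguments, e.g. a separate entry `Image|endswith: '\gcc.exe'` (and whichever front-end the build framework actually runs), and keep the `pool.c`/`pool.o` terms only if they were needed on their own. Please also name the framework in a comment on the filter and in the `Some build frameworks` entry so the exclusion can be re-evaluated later; the selection this filter cuts into starts above the hunk.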