From 0d794357e8c8061882b270158979e420228f512e Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 14 Jul 2021 15:52:35 +0200
Subject: [PATCH 1/3] rule: reg disable security services
---
 .../win_susp_reg_disable_sec_services.yml | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 rules/windows/process_creation/win_susp_reg_disable_sec_services.yml
diff --git a/rules/windows/process_creation/win_susp_reg_disable_sec_services.yml b/rules/windows/process_creation/win_susp_reg_disable_sec_services.yml
new file mode 100644
index 000000000..33d8699bf
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_reg_disable_sec_services.yml
@@ -0,0 +1,39 @@
+title: Reg Disable Security Service
+id: 5e95028c-5229-4214-afae-d653d573d0ec
+description: Detects a suspicious reg.exe invocation that looks as if it would disable an important security service
+status: experimental
+references:
+ - https://twitter.com/JohnLaTwC/status/1415295021041979392
+author: Florian Roth, John Lambert (idea)
+date: 2021/07/14
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_reg:
+ CommandLine|contains|all:
+ - 'reg'
+ - 'add'
+ - ' /d 4'
+ - ' /v Start'
+ selection_services:
+ CommandLine|contains:
+ - '\Sense '
+ - '\WinDefend'
+ - '\MsMpSvc'
+ - '\NisSrv'
+ - '\WdBoot '
+ - '\WdNisDrv'
+ - '\WdNisSvc'
+ - '\wscsvc '
+ - '\SecurityHealthService'
+ - '\wuauserv'
+ - '\UsoSvc '
+ condition: selection_reg and selection_services
+falsepositives:
+ - Unknown
+ - Other security solution installers
+level: high
From 530e04faec7182838c6be9cbd762317ca6635bc9 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 14 Jul 2021 15:52:52 +0200
Subject: [PATCH 2/3] rule: Script Execution from Temp Folder
---
 .../win_susp_script_exec_from_temp.yml | 34 +++++++++++++++++++
 1 file changed, 34 insertions(+)
 create mode 100644 rules/windows/process_creation/win_susp_script_exec_from_temp.yml
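Review bot: The four entries with a trailing space in selection_services (`'\Sense '`, `'\WdBoot '`, `'\wscsvc '`, `'\UsoSvc '`) only match when the key path is followed by a space, so the common quoted form `reg add "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /v Start /t REG_DWORD /d 4 /f` is missed because its command line contains `\Sense"` instead. Adding the quoted variants `'\Sense"'`, `'\WdBoot"'`, `'\wscsvc"'`, `'\UsoSvc"'` to the list closes that gap; if the trailing space was chosen to avoid prefix collisions with other service names, a comment above the list saying so would help the next maintainer. The `' /d 4'` value is also only matched in decimal form; if reg.exe accepts a hex spelling here (`/d 0x4`), that should be covered as well — worth confirming before adding it. Since `'reg'` and `'add'` are loose substrings, the service-name list is what carries this rule's precision, so it deserves the extra care.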
diff --git a/rules/windows/process_creation/win_susp_script_exec_from_temp.yml b/rules/windows/process_creation/win_susp_script_exec_from_temp.yml
new file mode 100644
index 000000000..128c635b3
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_script_exec_from_temp.yml
@@ -0,0 +1,34 @@
+title: Suspicious Script Execution From Temp Folder
+id: a6a39bdb-935c-4f0a-ab77-35f4bbf44d33
+description: Detects a suspicious script executions from temporary folder
+status: experimental
+references:
+ - https://www.microsoft.com/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/
+author: Florian Roth, Max Altgelt
+date: 2021/07/14
+tags:
+ - attack.execution
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_image1:
+ Image|endswith:
+ - '\powershell.exe'
+ - '\mshta.exe'
+ - '\wscript.exe'
+ - '\cscript.exe'
+ CommandLine|contains:
+ - '\Windows\Temp'
+ - '\Temporary Internet'
+ - '\AppData\Local\Temp'
+ - '\AppData\Roaming\Temp'
+ - '%TEMP%'
+ - '%TMP%'
+ - '%LocalAppData%\Temp'
+ filter:
+ CommandLine|contains: ' >'
+ condition: selection and not filter
+falsepositives:
+ - Administrative scripts
+level: high
From e516aecc743894fe214ad78bea32ea98dddc0aac Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 14 Jul 2021 15:58:55 +0200
Subject: [PATCH 3/3] fix: error in selector
---
 .../windows/process_creation/win_susp_script_exec_from_temp.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_susp_script_exec_from_temp.yml b/rules/windows/process_creation/win_susp_script_exec_from_temp.yml
index 128c635b3..58a7ebdcc 100644
--- a/rules/windows/process_creation/win_susp_script_exec_from_temp.yml
+++ b/rules/windows/process_creation/win_susp_script_exec_from_temp.yml
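Review bot: The `filter` block excludes every event whose command line contains ` >`, so the rule is bypassed by simply appending a redirect (`powershell -f C:\Windows\Temp\x.ps1 > nul`), which is a cheap evasion for exactly the interpreters this rule targets. If the filter is meant to suppress command lines where the Temp path appears only as a redirect target, it is tighter to require the path before the first `>` in the selection itself, e.g. `CommandLine|re: '^[^>]*\\(Windows|AppData\\Local|AppData\\Roaming)\\Temp'`, and drop the blanket filter. Separately, the `%TEMP%` and `%TMP%` entries will presumably only fire when the variable is passed literally, since cmd.exe normally expands it before the child process is created, and the PowerShell form `$env:TEMP` is not covered at all — both are worth a comment or an extra entry. The description also reads `a suspicious script executions`; `Detects suspicious script execution from a temporary folder` would be cleaner.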
@@ -12,7 +12,7 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection_image1:
+ selection:
 Image|endswith:
 - '\powershell.exe'
 - '\mshta.exe'