From 206adbb2b60015422678c956b9d05ae5bb1d39af Mon Sep 17 00:00:00 2001 
From: Bhabesh Rai Date: Thu, 1 Jul 2021 12:18:30 +0545 Subject: [PATCH] Merging upstream updates --- .github/workflows/pypi-publish.yml | 27 - .github/workflows/sigma-test.yml | 10 +- CHANGELOG.md | 30 + Makefile | 3 +- Pipfile | 9 +- Pipfile.lock | 651 ++++++++++++------ README.md | 52 +- contrib/sigma2sumologic.py | 2 +- ...stall_elevated_parent_child_correlated.yml | 42 ++ ...ess_fake_files_with_stored_credentials.yml | 29 + rules-unsupported/win_remote_schtask.yml | 44 ++ rules-unsupported/win_remote_service.yml | 50 ++ rules/cloud/aws_ec2_startup_script_change.yml | 2 +- rules/cloud/aws_ec2_vm_export_failure.yml | 2 +- .../aws_snapshot_backup_exfiltration.yml | 24 + rules/cloud/aws_update_login_profile.yml | 2 +- rules/compliance/cleartext_protocols.yml | 2 +- rules/compliance/host_without_firewall.yml | 3 +- rules/linux/at_command.yml | 23 + .../auditd/lnx_auditd_create_account.yml | 4 +- .../auditd/lnx_auditd_ld_so_preload_mod.yml | 2 +- .../auditd/lnx_auditd_masquerading_crond.yml | 4 +- .../auditd/lnx_auditd_susp_exe_folders.yml | 34 +- rules/linux/auditd/lnx_auditd_web_rce.yml | 2 +- rules/linux/lnx_base64_decode.yml | 22 + rules/linux/lnx_binary_padding.yml | 35 + rules/linux/lnx_buffer_overflows.yml | 2 +- rules/linux/lnx_change_file_time_attr.yml | 33 + rules/linux/lnx_clear_logs.yml | 26 + .../lnx_file_and_directory_discovery.yml | 29 + rules/linux/lnx_file_copy.yml | 16 +- rules/linux/lnx_file_deletion.yml | 23 + .../linux/lnx_file_or_folder_permissions.yml | 2 +- rules/linux/lnx_find_cred_in_files.yml | 29 + rules/linux/lnx_install_root_certificate.yml | 22 + rules/linux/lnx_ldso_preload_injection.yml | 17 + rules/linux/lnx_local_account.yml | 39 ++ rules/linux/lnx_local_groups.yml | 27 + rules/linux/lnx_network_service_scanning.yml | 47 ++ rules/linux/lnx_password_policy_discovery.yml | 25 + rules/linux/lnx_process_discovery.yml | 23 + rules/linux/lnx_remote_system_discovery.yml | 45 ++ rules/linux/lnx_schedule_task_job_cron.yml | 26 + 
.../linux/lnx_security_software_discovery.yml | 31 + rules/linux/lnx_security_tools_disabling.yml | 111 ++- rules/linux/lnx_shell_susp_rev_shells.yml | 2 +- rules/linux/lnx_shellshock.yml | 12 +- rules/linux/lnx_split_file_into_pieces.yml | 26 + rules/linux/lnx_sudo_cve_2019_14287.yml | 2 +- rules/linux/lnx_susp_histfile_operations.yml | 42 ++ rules/linux/lnx_susp_named.yml | 2 +- rules/linux/lnx_susp_ssh.yml | 2 +- rules/linux/lnx_symlink_etc_passwd.yml | 18 + rules/linux/lnx_system_info_discovery.yml | 49 ++ ...x_system_network_connections_discovery.yml | 26 + rules/linux/lnx_system_network_discovery.yml | 32 + rules/linux/lnx_system_shutdown_reboot.yml | 40 ++ rules/linux/macos_applescript.yml | 24 + rules/linux/macos_base64_decode.yml | 22 + rules/linux/macos_binary_padding.yml | 33 + rules/linux/macos_change_file_time_attr.yml | 29 + rules/linux/macos_clear_system_logs.yml | 27 + rules/linux/macos_create_account.yml | 25 + rules/linux/macos_create_hidden_account.yml | 33 + rules/linux/macos_creds_from_keychain.yml | 29 + rules/linux/macos_disable_security_tools.yml | 42 ++ rules/linux/macos_emond_launch_daemon.yml | 26 + .../macos_file_and_directory_discovery.yml | 31 + rules/linux/macos_find_cred_in_files.yml | 28 + rules/linux/macos_gui_input_capture.yml | 39 ++ rules/linux/macos_local_account.yml | 48 ++ rules/linux/macos_local_groups.yml | 36 + .../linux/macos_network_service_scanning.yml | 29 + rules/linux/macos_network_sniffing.yml | 24 + rules/linux/macos_remote_system_discovery.yml | 48 ++ rules/linux/macos_schedule_task_job_cron.yml | 26 + rules/linux/macos_screencapture.yml | 22 + .../macos_security_software_discovery.yml | 39 ++ rules/linux/macos_split_file_into_pieces.yml | 23 + rules/linux/macos_startup_items.yml | 24 + .../linux/macos_susp_histfile_operations.yml | 33 + ...s_system_network_connections_discovery.yml | 26 + .../linux/macos_system_network_discovery.yml | 32 + rules/linux/macos_system_shutdown_reboot.yml | 26 + 
rules/linux/macos_xattr_gatekeeper_bypass.yml | 24 + rules/network/net_mal_dns_cobaltstrike.yml | 11 +- rules/network/net_susp_dns_b64_queries.yml | 6 +- .../network/net_susp_dns_txt_exec_strings.yml | 10 +- .../zeek_dce_rpc_smb_spoolss_named_pipe.yml | 23 + .../zeek/zeek_dns_suspicious_zbit_flag.yml | 68 ++ ...k_http_executable_download_from_webdav.yml | 8 +- ...eek_http_exfiltration_compressed_files.yml | 30 + .../zeek/zeek_http_webdav_put_request.yml | 27 + ..._smb_converted_win_impacket_secretdump.yml | 7 +- .../zeek_smb_converted_win_susp_psexec.yml | 18 +- ...verted_win_susp_raccess_sensitive_fext.yml | 26 +- rules/network/zeek/zeek_susp_kerberos_rc4.yml | 2 +- rules/proxy/proxy_apt_domestic_kitten.yml | 26 + rules/proxy/proxy_baby_shark.yml | 20 + rules/proxy/proxy_chafer_malware.yml | 4 +- rules/proxy/proxy_cobalt_amazon.yml | 4 +- rules/proxy/proxy_cobalt_malformed_uas.yml | 25 + rules/proxy/proxy_cobalt_ocsp.yml | 2 +- rules/proxy/proxy_cobalt_onedrive.yml | 9 +- rules/proxy/proxy_download_susp_dyndns.yml | 144 ++-- .../proxy_download_susp_tlds_blacklist.yml | 126 ++-- .../proxy_download_susp_tlds_whitelist.yml | 38 +- rules/proxy/proxy_downloadcradle_webdav.yml | 4 +- rules/proxy/proxy_ios_implant.yml | 4 +- rules/proxy/proxy_powershell_ua.yml | 4 +- rules/proxy/proxy_susp_flash_download_loc.yml | 10 +- rules/proxy/proxy_telegram_api.yml | 6 +- rules/proxy/proxy_ua_apt.yml | 3 +- rules/proxy/proxy_ua_bitsadmin_susp_tld.yml | 14 +- rules/proxy/proxy_ua_cryptominer.yml | 8 +- rules/proxy/proxy_ua_frameworks.yml | 2 +- rules/proxy/proxy_ua_hacktool.yml | 102 +-- rules/proxy/proxy_ursnif_malware.yml | 21 +- rules/web/web_cve_2021_26814_wzuh_rce.yml | 25 + .../web/web_exchange_exploitation_hafnium.yml | 62 ++ .../web/web_expl_exchange_cve_2021_28480.yml | 23 + rules/web/web_nginx_core_dump.yml | 20 + .../web/web_sonicwall_jarrewrite_exploit.yml | 27 + .../web/web_unc2546_dewmode_php_webshell.yml | 31 + rules/web/win_powershell_snapins_hafnium.yml | 30 + 
rules/web/win_webshell_regeorg.yml | 10 +- .../builtin/win_GPO_scheduledtasks.yml | 6 +- .../win_account_backdoor_dcsync_rights.yml | 2 +- .../windows/builtin/win_account_discovery.yml | 26 +- .../builtin/win_ad_object_writedac_access.yml | 2 +- ...win_ad_replication_non_machine_account.yml | 2 +- rules/windows/builtin/win_admin_rdp_login.yml | 2 +- .../builtin/win_admin_share_access.yml | 2 +- ...in_alert_active_directory_user_control.yml | 4 +- .../win_alert_enable_weak_encryption.yml | 12 +- .../builtin/win_alert_lsass_access.yml | 2 +- .../builtin/win_alert_mimikatz_keywords.yml | 22 +- rules/windows/builtin/win_apt_stonedrill.yml | 2 +- ...ary_shell_execution_via_settingcontent.yml | 30 + .../builtin/win_asr_bypass_via_appvlp_re.yml | 25 + rules/windows/builtin/win_atsvc_task.yml | 2 +- .../windows/builtin/win_av_relevant_match.yml | 54 +- .../builtin/win_camera_microphone_access.yml | 29 + .../win_cobaltstrike_service_installs.yml | 34 + .../win_dce_rpc_smb_spoolss_named_pipe.yml | 25 + .../builtin/win_dcom_iertutil_dll_hijack.yml | 25 + rules/windows/builtin/win_dcsync.yml | 19 +- .../builtin/win_disable_event_logging.yml | 4 +- .../win_dpapi_domain_backupkey_extraction.yml | 2 +- ..._dpapi_domain_masterkey_backup_attempt.yml | 2 +- ...win_exploit_cve_2021_1675_printspooler.yml | 38 + .../win_global_catalog_enumeration.yml | 8 +- rules/windows/builtin/win_hack_smbexec.yml | 2 +- .../builtin/win_hidden_user_creation.yml | 25 + ...n_hybridconnectionmgr_svc_installation.yml | 23 + .../win_hybridconnectionmgr_svc_running.yml | 28 + .../builtin/win_impacket_secretdump.yml | 7 +- .../win_invoke_obfuscation_clip+_services.yml | 43 ++ ...ke_obfuscation_obfuscated_iex_services.yml | 14 +- ...win_invoke_obfuscation_stdin+_services.yml | 43 ++ .../win_invoke_obfuscation_var+_services.yml | 40 ++ ...voke_obfuscation_via_compress_services.yml | 43 ++ ...invoke_obfuscation_via_rundll_services.yml | 43 ++ ..._invoke_obfuscation_via_stdin_services.yml | 43 ++ 
...voke_obfuscation_via_use_clip_services.yml | 43 ++ ...oke_obfuscation_via_use_mshta_services.yml | 43 ++ ..._obfuscation_via_use_rundll32_services.yml | 43 ++ ..._invoke_obfuscation_via_var++_services.yml | 42 ++ rules/windows/builtin/win_iso_mount.yml | 27 + .../win_lsass_access_non_system_account.yml | 37 +- rules/windows/builtin/win_mal_creddumper.yml | 12 +- .../builtin/win_mal_service_installs.yml | 4 +- rules/windows/builtin/win_mal_wceaux_dll.yml | 2 +- ...or_impacket_smb_psexec_service_install.yml | 45 ++ ...tstrike_getsystem_service_installation.yml | 29 +- .../builtin/win_mmc20_lateral_movement.yml | 6 +- rules/windows/builtin/win_moriya_rootkit.yml | 3 +- .../builtin/win_net_ntlm_downgrade.yml | 31 +- .../builtin/win_net_use_admin_share.yml | 27 + ..._renamed_user_account_with_dollar_sign.yml | 2 +- .../windows/builtin/win_ntfs_vuln_exploit.yml | 22 + .../builtin/win_possible_dc_shadow.yml | 4 +- ...powershell_script_installed_as_service.yml | 43 ++ .../builtin/win_privesc_cve_2020_1472.yml | 28 + .../win_protected_storage_service_access.yml | 4 +- ...n_register_new_logon_process_by_rubeus.yml | 2 +- .../builtin/win_remote_powershell_session.yml | 7 +- .../win_root_certificate_installed.yml | 47 ++ .../win_sam_registry_hive_handle_request.yml | 2 +- .../builtin/win_scheduled_task_deletion.yml | 26 + .../win_scm_database_handle_failure.yml | 5 +- .../win_scm_database_privileged_operation.yml | 5 +- ...scrcons_remote_wmi_scripteventconsumer.yml | 27 + ...in_set_oabvirtualdirectory_externalurl.yml | 25 + .../win_smb_file_creation_admin_shares.yml | 26 + .../builtin/win_software_discovery.yml | 41 ++ .../builtin/win_susp_eventlog_cleared.yml | 16 +- .../builtin/win_susp_failed_guest_logon.yml | 26 + ...usp_failed_logons_explicit_credentials.yml | 26 + .../win_susp_failed_logons_single_process.yml | 29 + .../win_susp_failed_logons_single_source.yml | 2 +- ...p_failed_logons_single_source_kerberos.yml | 30 + ..._failed_logons_single_source_kerberos2.yml | 
30 + ..._failed_logons_single_source_kerberos3.yml | 30 + ..._susp_failed_logons_single_source_ntlm.yml | 30 + ...susp_failed_logons_single_source_ntlm2.yml | 30 + ...usp_failed_remote_logons_single_source.yml | 29 + .../win_susp_local_anon_logon_created.yml | 6 +- .../win_susp_logon_explicit_credentials.yml | 33 + rules/windows/builtin/win_susp_lsass_dump.yml | 5 +- .../builtin/win_susp_lsass_dump_generic.yml | 18 +- .../builtin/win_susp_mshta_execution.yml | 20 +- .../builtin/win_susp_msmpeng_crash.yml | 8 +- .../builtin/win_susp_net_recon_activity.yml | 20 +- rules/windows/builtin/win_susp_ntlm_auth.yml | 2 +- rules/windows/builtin/win_susp_ntlm_rdp.yml | 2 +- .../windows/builtin/win_susp_proceshacker.yml | 24 + rules/windows/builtin/win_susp_psexec.yml | 10 +- .../win_susp_raccess_sensitive_fext.yml | 26 +- .../windows/builtin/win_susp_rc4_kerberos.yml | 2 +- rules/windows/builtin/win_susp_sam_dump.yml | 5 +- rules/windows/builtin/win_susp_sdelete.yml | 6 +- .../builtin/win_susp_time_modification.yml | 3 +- rules/windows/builtin/win_susp_wmi_login.yml | 2 +- ...uspicious_outbound_kerberos_connection.yml | 2 +- ...uspicious_werfault_connection_outbound.yml | 44 ++ .../builtin/win_svcctl_remote_service.yml | 2 +- .../builtin/win_syskey_registry_access.yml | 4 +- .../win_sysmon_channel_reference_deletion.yml | 35 + .../builtin/win_tap_driver_installation.yml | 19 +- ...ith_credential_data_via_network_shares.yml | 6 +- ...win_user_added_to_local_administrators.yml | 2 +- ...ileged_service_lsaregisterlogonprocess.yml | 2 +- .../builtin/win_user_driver_loaded.yml | 26 +- .../builtin/win_volume_shadow_copy_mount.yml | 23 + ..._vssaudit_secevent_source_registration.yml | 25 + .../windows/builtin/win_vul_cve_2020_0688.yml | 7 +- .../win_wmiprvse_wbemcomn_dll_hijack.yml | 26 + .../sysmon_cactustorch.yml | 16 +- .../sysmon_cobaltstrike_process_injection.yml | 3 +- .../sysmon_createremotethread_loadlibrary.yml | 5 +- .../sysmon_password_dumper_lsass.yml | 8 +- 
.../sysmon_susp_powershell_rundll32.yml | 8 +- .../sysmon_suspicious_remote_thread.yml | 7 +- .../sysmon_ads_executable.yml | 6 +- .../sysmon_regedit_export_to_ads.yml | 24 + .../sysmon_mimikatz_detection_lsass.yml | 6 +- rules/windows/dns_query/dns_mega_nz.yml | 22 + .../sysmon_possible_dns_rebinding.yml | 3 +- .../driver_load/sysmon_susp_driver_load.yml | 6 +- .../sysmon_vuln_dell_driver_load.yml | 30 + ...mon_sysinternals_sdelete_file_deletion.yml | 24 + .../sysmon_creation_system_file.yml | 70 +- .../sysmon_ghostpack_safetykatz.yml | 2 +- .../sysmon_non_priv_program_files_move.yml | 31 + .../file_event/sysmon_outlook_newform.yml | 24 + .../file_event/sysmon_pcre_net_temp_file.yml | 23 + .../sysmon_powershell_exploit_scripts.yml | 192 +++--- .../file_event/sysmon_quarkspw_filedump.yml | 4 +- .../sysmon_startup_folder_file_write.yml | 22 + .../sysmon_susp_adsi_cache_usage.yml | 3 +- .../file_event/sysmon_susp_clr_logs.yml | 29 + .../sysmon_susp_pfx_file_creation.yml | 22 + ...cexplorer_driver_created_in_tmp_folder.yml | 11 +- .../sysmon_tsclient_filewrite_startup.yml | 4 +- .../sysmon_webshell_creation_detect.yml | 2 +- .../win_cve_2021_1675_printspooler.yml | 25 + .../win_outlook_c2_macro_creation.yml | 24 + .../file_event/win_rclone_exec_file.yml | 25 + ...susp_multiple_files_renamed_or_deleted.yml | 27 + ..._alternate_powershell_hosts_moduleload.yml | 25 + .../sysmon_cve_2021_1675_print_nightmare.yml | 6 +- .../sysmon_in_memory_powershell.yml | 10 +- .../sysmon_mimikatz_inmemory_detection.yml | 4 +- .../image_load/sysmon_pcre_net_load.yml | 23 + ...sysmon_powershell_execution_moduleload.yml | 6 +- ...cons_imageload_wmi_scripteventconsumer.yml | 30 + .../image_load/sysmon_susp_image_load.yml | 10 +- ...n_susp_office_dotnet_assembly_dll_load.yml | 14 +- ...sysmon_susp_office_dotnet_clr_dll_load.yml | 14 +- ...sysmon_susp_office_dotnet_gac_dll_load.yml | 14 +- .../sysmon_susp_office_dsparse_dll_load.yml | 14 +- .../sysmon_susp_office_kerberos_dll_load.yml | 14 +- 
.../sysmon_susp_python_image_load.yml | 25 + ...sysmon_susp_script_dotnet_clr_dll_load.yml | 31 + .../sysmon_susp_system_drawing_load.yml | 24 + .../sysmon_susp_winword_vbadll_load.yml | 18 +- .../sysmon_susp_winword_wmidll_load.yml | 24 +- ...sysmon_svchost_dll_search_order_hijack.yml | 16 +- .../image_load/sysmon_tttracer_mod_load.yml | 38 + .../image_load/sysmon_uac_bypass_via_dism.yml | 31 + .../sysmon_uipromptforcreds_dlls.yml | 29 + .../image_load/sysmon_wmi_module_load.yml | 2 +- .../sysmon_wmic_remote_xsl_scripting_dlls.yml | 26 + .../sysmon_wsman_provider_image_load.yml | 38 + rules/windows/malware/av_exploiting.yml | 24 +- rules/windows/malware/av_password_dumper.yml | 22 +- rules/windows/malware/av_relevant_files.yml | 89 ++- rules/windows/malware/av_webshell.yml | 74 +- rules/windows/malware/mal_azorult_reg.yml | 8 +- .../malware/win_mal_blue_mockingbird.yml | 3 +- rules/windows/malware/win_mal_darkside.yml | 28 + rules/windows/malware/win_mal_flowcloud.yml | 10 +- rules/windows/malware/win_mal_lockergoga.yml | 23 + .../malware/win_mal_octopus_scanner.yml | 8 +- rules/windows/malware/win_mal_ryuk.yml | 13 +- rules/windows/malware/win_mal_ursnif.yml | 5 +- .../silenttrinity_stager_msbuild_activity.yml | 26 + .../sysmon_dllhost_net_connections.yml | 42 +- .../sysmon_malware_backconnect_ports.yml | 42 +- .../sysmon_notepad_network_connection.yml | 2 +- .../sysmon_powershell_network_connection.yml | 40 +- .../sysmon_rdp_reverse_tunnel.yml | 12 +- ...smon_remote_powershell_session_network.yml | 2 +- .../sysmon_rundll32_net_connections.yml | 42 +- ..._susp_prog_location_network_connection.yml | 28 +- .../network_connection/sysmon_susp_rdp.yml | 40 +- .../sysmon_win_binary_github_com.yml | 8 +- .../sysmon_win_binary_susp_com.yml | 10 +- .../sysmon_wuauclt_network_connection.yml | 21 + rules/windows/other/win_defender_disabled.yml | 22 +- .../other/win_defender_history_delete.yml | 5 +- .../win_exchange_TransportAgent_failed.yml | 24 + 
.../other/win_lateral_movement_condrv.yml | 28 + rules/windows/other/win_ldap_recon.yml | 76 ++ rules/windows/other/win_pcap_drivers.yml | 22 +- ...gon_exploitation_using_wellknown_tools.yml | 28 + rules/windows/other/win_tool_psexec.yml | 22 +- rules/windows/other/win_wmi_persistence.yml | 48 +- ...sysmon_alternate_powershell_hosts_pipe.yml | 5 +- .../sysmon_apt_turla_namedpipes.yml | 7 +- .../sysmon_cred_dump_tools_named_pipes.yml | 3 +- .../pipe_created/sysmon_mal_cobaltstrike.yml | 36 + .../sysmon_mal_namedpipes.yml | 18 +- .../sysmon_powershell_execution_pipe.yml | 21 + .../sysmon_psexec_pipes_artifacts.yml | 26 + .../powershell_CL_Invocation_LOLScript.yml | 26 + .../powershell_CL_Invocation_LOLScript_v2.yml | 28 + ...powershell_CL_Mutexverifiers_LOLScript.yml | 26 + ...ershell_CL_Mutexverifiers_LOLScript_v2.yml | 28 + .../powershell_accessing_win_api.yml | 71 ++ .../powershell_alternate_powershell_hosts.yml | 39 +- .../powershell_bad_opsec_artifacts.yml | 42 ++ .../powershell_clear_powershell_history.yml | 41 +- .../powershell_cmdline_reversed_strings.yml | 51 ++ .../powershell_cmdline_special_characters.yml | 36 + ...wershell_cmdline_specific_comb_methods.yml | 55 ++ .../powershell/powershell_code_injection.yml | 22 + .../powershell_decompress_commands.yml | 26 + ...powershell_delete_volume_shadow_copies.yml | 37 + .../powershell/powershell_exe_calling_ps.yml | 10 +- .../powershell/powershell_get_clipboard.yml | 26 + .../powershell_icmp_exfiltration.yml | 25 + .../powershell_invoke_obfuscation_clip+.yml | 27 + .../powershell_invoke_obfuscation_stdin+.yml | 27 + .../powershell_invoke_obfuscation_var+.yml | 27 + ...rshell_invoke_obfuscation_via_compress.yml | 27 + ...wershell_invoke_obfuscation_via_rundll.yml | 27 + ...owershell_invoke_obfuscation_via_stdin.yml | 27 + ...rshell_invoke_obfuscation_via_use_clip.yml | 27 + ...shell_invoke_obfuscation_via_use_mhsta.yml | 27 + ...ll_invoke_obfuscation_via_use_rundll32.yml | 27 + 
...owershell_invoke_obfuscation_via_var++.yml | 27 + .../powershell_malicious_commandlets.yml | 200 +++--- .../powershell_malicious_keywords.yml | 42 +- ...wershell_nishang_malicious_commandlets.yml | 6 +- ...rshell_powerview_malicious_commandlets.yml | 2 +- .../powershell_prompt_credentials.yml | 4 +- .../powershell_remote_powershell_session.yml | 2 +- .../powershell/powershell_shellcode_b64.yml | 14 +- ...shell_suspicious_export_pfxcertificate.yml | 25 + ...powershell_suspicious_getprocess_lsass.yml | 24 + ...ershell_suspicious_invocation_specific.yml | 56 +- .../powershell_suspicious_keywords.yml | 8 +- ...hell_suspicious_mounted_share_deletion.yml | 24 + .../powershell_suspicious_profile_create.yml | 6 +- ...owershell_tamper_with_windows_defender.yml | 29 + .../powershell_winlogon_helper_dll.yml | 13 +- ...shell_wsman_com_provider_no_powershell.yml | 28 + .../process_access/sysmon_cmstp_execution.yml | 4 +- .../sysmon_cred_dump_lsass_access.yml | 3 +- .../sysmon_in_memory_assembly_execution.yml | 28 +- .../process_access/sysmon_invoke_phantom.yml | 6 +- .../sysmon_lazagne_cred_dump_lsass_access.yml | 10 +- ...ndocumented_autoelevated_com_interface.yml | 29 + .../sysmon_lsass_dump_comsvcs_dll.yml | 25 + .../process_access/sysmon_lsass_memdump.yml | 10 +- .../sysmon_malware_verclsid_shellcode.yml | 10 +- .../sysmon_mimikatz_trough_winrm.yml | 4 +- .../sysmon_svchost_cred_dump.yml | 23 + .../win_susp_shell_spawn_from_winrm.yml | 31 + .../process_creation_SDelete.yml | 32 + .../process_creation_c3_load_by_rundll32.yml | 24 + ...creation_cobaltstrike_load_by_rundll32.yml | 26 + .../process_creation_dotnet.yml | 33 + .../process_creation_msdeploy.yml | 34 + .../sysmon_abusing_debug_privilege.yml | 44 ++ ..._accesschk_usage_after_priv_escalation.yml | 30 + ...levated_msi_spawned_cmd_and_powershell.yml | 32 + ...d_cmd_and_powershell_spawned_processes.yml | 35 + ...ays_install_elevated_windows_installer.yml | 37 + ...ecution.yml => sysmon_cmstp_execution.yml} | 2 +- 
.../sysmon_high_integrity_sdclt.yml | 24 + ...on_scripts_userinitmprlogonscript_proc.yml | 8 +- .../sysmon_long_powershell_commandline.yml | 28 + .../sysmon_proxy_execution_wuauclt.yml | 32 + .../sysmon_rclone_execution.yml | 16 +- .../sysmon_sdclt_child_process.yml | 22 + .../sysmon_susp_plink_remote_forward.yml | 25 + .../sysmon_susp_webdav_client_execution.yml | 23 + .../win_CL_Invocation_LOLScript.yml | 26 + .../win_CL_Mutexverifiers_LOLScript.yml | 26 + .../win_ad_find_discovery.yml | 43 ++ .../win_apt_apt29_thinktanks.yml | 6 +- .../win_apt_bear_activity_gtr19.yml | 17 +- .../process_creation/win_apt_bluemashroom.yml | 9 +- .../process_creation/win_apt_chafer_mar18.yml | 38 +- .../process_creation/win_apt_cloudhopper.yml | 6 +- .../process_creation/win_apt_dragonfly.yml | 4 +- .../process_creation/win_apt_elise.yml | 4 +- .../win_apt_emissarypanda_sep19.yml | 4 +- .../process_creation/win_apt_empiremonkey.yml | 14 +- .../win_apt_equationgroup_dll_u_load.yml | 6 +- .../win_apt_evilnum_jul20.yml | 3 +- .../win_apt_greenbug_may20.yml | 3 +- .../process_creation/win_apt_hafnium.yml | 72 ++ .../win_apt_hurricane_panda.yml | 9 +- .../win_apt_judgement_panda_gtr19.yml | 18 +- .../win_apt_ke3chang_regadd.yml | 2 +- .../win_apt_lazarus_activity_apr21.yml | 5 +- .../win_apt_lazarus_activity_dec20.yml | 3 +- .../win_apt_lazarus_loader.yml | 9 +- .../win_apt_lazarus_session_highjack.yml | 12 +- .../process_creation/win_apt_mustangpanda.yml | 21 +- .../process_creation/win_apt_slingshot.yml | 1 - .../process_creation/win_apt_sofacy.yml | 17 +- .../win_apt_tropictrooper.yml | 2 +- .../process_creation/win_apt_unc2452_cmds.yml | 48 ++ .../process_creation/win_apt_unc2452_ps.yml | 31 + .../win_apt_unidentified_nov_18.yml | 10 +- .../win_apt_winnti_pipemon.yml | 12 +- .../process_creation/win_apt_wocao.yml | 4 +- .../process_creation/win_apt_zxshell.yml | 8 +- .../win_attrib_hiding_files.yml | 8 +- .../win_bad_opsec_sacrificial_processes.yml | 25 + 
.../process_creation/win_bootconf_mod.yml | 2 +- .../win_bypass_squiblytwo.yml | 19 +- .../win_class_exec_xwizard.yml | 22 + .../process_creation/win_cmdkey_recon.yml | 4 +- .../win_commandline_path_traversal.yml | 6 +- .../win_control_panel_item.yml | 18 +- ..._credential_access_via_password_filter.yml | 26 + .../process_creation/win_crime_fireball.yml | 4 +- .../win_crime_maze_ransomware.yml | 4 +- .../win_crime_snatch_ransomware.yml | 2 +- .../win_detecting_fake_instances_of_hxtsr.yml | 22 + .../win_dns_exfiltration_tools_execution.yml | 2 +- .../win_dnscat2_powershell_implementation.yml | 6 +- .../win_etw_trace_evasion.yml | 6 +- .../win_exchange_transportagent.yml | 33 + .../win_exploit_cve_2015_1641.yml | 4 +- .../win_exploit_cve_2017_0261.yml | 4 +- .../win_exploit_cve_2017_11882.yml | 2 +- .../win_exploit_cve_2017_8759.yml | 4 +- .../win_exploit_cve_2019_1378.yml | 24 +- .../win_exploit_cve_2019_1388.yml | 8 +- .../win_exploit_cve_2020_10189.yml | 6 +- .../win_grabbing_sensitive_hives_via_reg.yml | 2 +- .../process_creation/win_hack_koadic.yml | 15 +- .../process_creation/win_hack_rubeus.yml | 23 +- .../win_hack_secutyxploded.yml | 4 +- rules/windows/process_creation/win_hh_chm.yml | 2 +- .../win_hiding_malware_in_fonts_folder.yml | 28 + .../win_hktl_createminidump.yml | 6 +- .../process_creation/win_hwp_exploits.yml | 4 +- .../win_impacket_lateralization.yml | 33 +- .../process_creation/win_indirect_cmd.yml | 2 +- ...n_indirect_cmd_compatibility_assistant.yml | 29 + .../win_install_reg_debugger_backdoor.yml | 20 +- .../process_creation/win_interactive_at.yml | 2 +- .../win_invoke_obfuscation_clip+.yml | 23 + .../win_invoke_obfuscation_stdin+.yml | 23 + .../win_invoke_obfuscation_var+.yml | 23 + .../win_invoke_obfuscation_via_compress.yml | 23 + .../win_invoke_obfuscation_via_rundll.yml | 23 + .../win_invoke_obfuscation_via_stdin.yml | 23 + .../win_invoke_obfuscation_via_use_clip.yml | 23 + .../win_invoke_obfuscation_via_use_mhsta.yml | 23 + 
...in_invoke_obfuscation_via_use_rundll32.yml | 23 + .../win_invoke_obfuscation_via_var++.yml | 23 + .../process_creation/win_lethalhta.yml | 4 +- .../win_lolbas_execution_of_wuauclt.yml | 29 + .../win_lolbin_execution_via_winget.yml | 26 + .../process_creation/win_lsass_dump.yml | 2 +- .../process_creation/win_mal_adwind.yml | 34 +- .../process_creation/win_malware_dridex.yml | 22 +- .../process_creation/win_malware_dtrack.yml | 2 +- .../process_creation/win_malware_emotet.yml | 18 +- .../process_creation/win_malware_formbook.yml | 34 +- .../process_creation/win_malware_notpetya.yml | 13 +- .../process_creation/win_malware_qbot.yml | 15 +- .../win_malware_script_dropper.yml | 35 +- .../win_malware_trickbot_recon_activity.yml | 2 +- .../process_creation/win_malware_wannacry.yml | 51 +- .../win_manage-bde_lolbas.yml | 27 + .../win_mavinject_proc_inj.yml | 2 +- ...r_cobaltstrike_getsystem_service_start.yml | 10 +- .../process_creation/win_mmc_spawn_shell.yml | 26 +- ..._modif_of_services_for_via_commandline.yml | 27 + ...in_monitoring_for_persistence_via_bits.yml | 27 + .../process_creation/win_mshta_javascript.yml | 2 +- .../win_mshta_spawn_shell.yml | 26 +- .../process_creation/win_netsh_fw_add.yml | 8 +- .../win_netsh_fw_add_susp_image.yml | 66 +- .../process_creation/win_netsh_port_fwd.yml | 27 +- .../win_netsh_port_fwd_3389.yml | 11 +- .../win_netsh_wifi_credential_harvesting.yml | 13 +- .../process_creation/win_nltest_query.yml | 24 + .../win_non_interactive_powershell.yml | 10 +- .../win_non_priv_reg_or_ps.yml | 45 ++ .../process_creation/win_office_shell.yml | 60 +- ..._office_spawn_exe_from_users_directory.yml | 26 +- .../win_plugx_susp_exe_locations.yml | 106 +-- .../win_possible_applocker_bypass.yml | 2 +- .../win_powershell_amsi_bypass.yml | 8 +- .../win_powershell_audio_capture.yml | 2 +- .../win_powershell_b64_shellcode.yml | 8 +- .../win_powershell_defender_exclusion.yml | 32 + .../win_powershell_disable_windef_av.yml | 39 ++ 
.../win_powershell_dll_execution.yml | 14 +- .../win_powershell_download.yml | 16 +- ...in_powershell_reverse_shell_connection.yml | 29 + .../win_powersploit_empire_schtasks.yml | 27 +- .../win_proc_wrong_parent.yml | 40 +- ...in_process_creation_bitsadmin_download.yml | 12 +- .../win_process_dump_rundll32_comsvcs.yml | 4 +- .../win_purplesharp_indicators.yml | 23 + .../win_rasautou_dll_execution.yml | 30 + .../process_creation/win_reg_add_run_key.yml | 22 + .../win_regedit_export_critical_keys.yml | 35 + .../win_regedit_export_keys.yml | 35 + .../win_regedit_import_keys.yml | 35 + .../win_regedit_import_keys_ads.yml | 35 + rules/windows/process_creation/win_regini.yml | 29 + .../process_creation/win_regini_ads.yml | 28 + .../win_remote_powershell_session_process.yml | 8 +- .../win_remote_time_discovery.yml | 2 +- .../win_renamed_binary_highly_relevant.yml | 28 +- .../process_creation/win_renamed_megasync.yml | 27 + .../process_creation/win_renamed_paexec.yml | 6 +- .../win_renamed_powershell.yml | 6 +- .../process_creation/win_renamed_procdump.yml | 22 +- .../process_creation/win_renamed_psexec.yml | 6 +- ...un_powershell_script_from_input_stream.yml | 25 + .../process_creation/win_run_virtualbox.yml | 37 + .../win_rundll32_without_parameters.yml | 30 + .../win_script_event_consumer_spawn.yml | 38 + .../win_sdbinst_shim_persistence.yml | 15 +- .../win_shadow_copies_deletion.yml | 19 +- .../win_shell_spawn_mshta.yml | 33 + .../win_shell_spawn_susp_program.yml | 28 +- .../win_silenttrinity_stage_use.yml | 5 +- .../win_soundrec_audio_capture.yml | 2 +- .../windows/process_creation/win_spn_enum.yml | 8 +- ...uthenticated_privileged_console_access.yml | 27 + .../win_sus_auditpol_usage.yml | 27 + .../process_creation/win_susp_adfind.yml | 21 +- .../process_creation/win_susp_atbroker.yml | 53 ++ .../process_creation/win_susp_bcdedit.yml | 14 +- .../process_creation/win_susp_calc.yml | 6 +- .../win_susp_certutil_command.yml | 41 +- .../win_susp_certutil_encode.yml | 13 +- 
.../process_creation/win_susp_cli_escape.yml | 6 +- .../win_susp_cmd_http_appdata.yml | 12 +- .../win_susp_codepage_switch.yml | 18 +- .../win_susp_commands_recon_activity.yml | 21 +- .../win_susp_compression_params.yml | 16 +- .../win_susp_comsvcs_procdump.yml | 9 +- .../process_creation/win_susp_conhost.yml | 5 +- .../win_susp_control_dll_load.yml | 6 +- .../win_susp_copy_lateral_movement.yml | 38 +- .../win_susp_copy_system32.yml | 6 +- .../process_creation/win_susp_covenant.yml | 15 +- .../win_susp_crackmapexec_execution.yml | 17 +- .../windows/process_creation/win_susp_csc.yml | 14 +- .../process_creation/win_susp_csc_folder.yml | 20 +- .../windows/process_creation/win_susp_csi.yml | 38 + .../win_susp_curl_start_combo.yml | 4 +- ...susp_direct_asep_reg_keys_modification.yml | 2 +- .../win_susp_disable_eventlog.yml | 33 + .../win_susp_disable_raccine.yml | 33 + .../process_creation/win_susp_diskshadow.yml | 27 + .../win_susp_double_extension.yml | 24 +- .../process_creation/win_susp_exec_folder.yml | 42 -- .../win_susp_execution_path.yml | 41 +- .../win_susp_execution_path_webserver.yml | 20 +- .../process_creation/win_susp_explorer.yml | 26 + .../win_susp_file_characteristics.yml | 4 +- ...p_file_download_via_gfxdownloadwrapper.yml | 27 + .../process_creation/win_susp_findstr.yml | 32 + .../process_creation/win_susp_findstr_lnk.yml | 4 +- .../win_susp_finger_usage.yml | 22 + .../windows/process_creation/win_susp_ftp.yml | 32 + .../windows/process_creation/win_susp_gup.yml | 10 +- .../win_susp_iss_module_install.yml | 8 +- .../win_susp_mounted_share_deletion.yml | 25 + .../process_creation/win_susp_msiexec_cwd.yml | 10 +- .../win_susp_msiexec_web_install.yml | 9 +- .../win_susp_net_execution.yml | 25 +- .../process_creation/win_susp_ngrok_pua.yml | 45 ++ .../process_creation/win_susp_ntdsutil.yml | 7 +- .../process_creation/win_susp_outlook.yml | 10 +- .../win_susp_outlook_temp.yml | 3 +- .../process_creation/win_susp_pcwutl.yml | 27 + 
.../process_creation/win_susp_pester.yml | 35 + .../process_creation/win_susp_ping_hex_ip.yml | 11 +- .../win_susp_powershell_empire_uac_bypass.yml | 6 +- .../win_susp_powershell_enc_cmd.yml | 56 +- .../win_susp_powershell_getprocess_lsass.yml | 22 + .../win_susp_powershell_hidden_b64_cmd.yml | 102 +-- .../win_susp_powershell_parent_combo.yml | 12 +- .../process_creation/win_susp_print.yml | 34 + .../process_creation/win_susp_procdump.yml | 28 +- .../win_susp_procdump_lsass.yml | 33 + .../win_susp_procs_req_dlls.yml | 33 + .../win_susp_prog_location_process_starts.yml | 28 - .../process_creation/win_susp_ps_appdata.yml | 15 +- .../win_susp_psexex_paexec_flags.yml | 34 + .../process_creation/win_susp_rar_flags.yml | 3 +- .../process_creation/win_susp_rclone_exec.yml | 37 + .../win_susp_regedit_trustedinstaller.yml | 20 + .../win_susp_register_cimprovider.yml | 28 + .../win_susp_regsvr32_anomalies.yml | 36 +- .../win_susp_renamed_debugview.yml | 2 +- .../win_susp_renamed_paexec.yml | 25 + .../process_creation/win_susp_rpcping.yml | 41 ++ .../win_susp_run_locations.yml | 27 +- .../win_susp_rundll32_activity.yml | 70 +- .../win_susp_rundll32_by_ordinal.yml | 15 +- .../win_susp_rundll32_inline_vbs.yml | 22 + .../win_susp_rundll32_no_params.yml | 27 + ...p_rundll32_setupapi_installhinfsection.yml | 35 + .../win_susp_rundll32_sys.yml | 25 + .../win_susp_runonce_execution.yml | 29 + .../win_susp_runscripthelper.yml | 27 + .../win_susp_schtask_creation.yml | 4 +- .../win_susp_schtask_creation_temp_folder.yml | 30 + .../win_susp_screenconnect_access.yml | 23 + .../win_susp_service_dacl_modification.yml | 33 + .../process_creation/win_susp_service_dir.yml | 32 + .../win_susp_shell_spawn_from_mssql.yml | 17 +- .../win_susp_shimcache_flush.yml | 39 ++ .../win_susp_sqldumper_activity.yml | 28 + .../win_susp_squirrel_lolbin.yml | 17 +- .../process_creation/win_susp_svchost.yml | 14 +- .../win_susp_svchost_no_cli.yml | 5 +- .../win_susp_sysprep_appdata.yml | 7 +- 
.../win_susp_sysvol_access.yml | 8 +- .../win_susp_taskmgr_localsystem.yml | 4 +- .../win_susp_taskmgr_parent.yml | 10 +- .../win_susp_tracker_execution.yml | 31 + .../win_susp_tscon_localsystem.yml | 2 +- .../win_susp_tscon_rdp_redirect.yml | 2 +- .../win_susp_use_of_sqlps_bin.yml | 31 + .../win_susp_use_of_sqltoolsps_bin.yml | 31 + .../win_susp_use_of_te_bin.yml | 27 + .../win_susp_use_of_vsjitdebugger_bin.yml | 28 + .../win_susp_userinit_child.yml | 7 +- .../process_creation/win_susp_vboxdrvInst.yml | 31 + .../win_susp_vbscript_unc2452.yml | 26 + .../win_susp_volsnap_disable.yml | 25 + .../process_creation/win_susp_whoami.yml | 5 +- .../win_susp_winrm_AWL_bypass.yml | 47 ++ .../win_susp_winrm_execution.yml | 27 + .../win_susp_wmi_execution.yml | 28 +- .../win_susp_wmic_eventconsumer_create.yml | 27 + ...n_susp_wmic_security_product_uninstall.yml | 35 + .../process_creation/win_susp_wsl_lolbin.yml | 27 + .../process_creation/win_susp_wuauclt.yml | 7 +- .../win_syncappvpublishingserver_exe.yml | 30 + .../win_system_exe_anomaly.yml | 68 +- .../win_task_folder_evasion.yml | 4 +- .../win_termserv_proc_spawn.yml | 8 +- .../process_creation/win_trust_discovery.yml | 2 +- .../process_creation/win_uac_cmstp.yml | 2 +- .../process_creation/win_uac_fodhelper.yml | 2 +- .../process_creation/win_uac_wsreset.yml | 2 +- .../win_using_settingsynchost_as_lolbin.yml | 33 + .../win_verclsid_runs_com.yml | 29 + .../win_visual_basic_compiler.yml | 22 + .../win_vul_java_remote_debugging.yml | 6 +- .../win_webshell_detection.yml | 77 ++- .../win_webshell_recon_detection.yml | 28 +- .../process_creation/win_webshell_spawn.yml | 25 +- .../process_creation/win_whoami_priv.yml | 23 + .../win_win10_sched_task_0day.yml | 6 +- .../process_creation/win_winword_dll_load.yml | 25 + ..._wmi_backdoor_exchange_transport_agent.yml | 4 +- .../win_wmi_spwns_powershell.yml | 16 +- .../win_wmiprvse_spawning_process.yml | 17 +- .../win_workflow_compiler.yml | 2 +- 
...win_write_protect_for_storage_disabled.yml | 20 + ...w_disk_access_using_illegitimate_tools.yml | 6 +- .../sysmon_apt_oceanlotus_registry.yml | 29 +- .../sysmon_asep_reg_keys_modification.yml | 221 +++++- .../sysmon_bypass_via_wsreset.yml | 29 + .../registry_event/sysmon_cmstp_execution.yml | 11 +- .../sysmon_cobaltstrike_service_installs.yml | 37 + .../registry_event/sysmon_comhijack_sdclt.yml | 2 - .../registry_event/sysmon_cve-2020-1048.yml | 4 - .../registry_event/sysmon_dhcp_calloutdll.yml | 7 +- ...ble_microsoft_office_security_features.yml | 37 + ...y_events_logging_adding_reg_key_minint.yml | 2 +- ...ysmon_disable_wdigest_credential_guard.yml | 21 + .../sysmon_dns_serverlevelplugindll.yml | 9 +- ...on_enabling_cor_profiler_env_variables.yml | 25 + .../registry_event/sysmon_hack_wce_reg.yml | 6 +- ...n_hybridconnectionmgr_svc_installation.yml | 22 + ...gon_scripts_userinitmprlogonscript_reg.yml | 4 +- .../sysmon_modify_screensaver_binary_path.yml | 27 + .../sysmon_new_application_appcompat.yml | 24 + ..._dll_added_to_appcertdlls_registry_key.yml | 2 +- ...dll_added_to_appinit_dlls_registry_key.yml | 14 +- .../sysmon_office_vsto_persistence.yml | 5 +- .../sysmon_powershell_as_service.yml | 26 + .../sysmon_rdp_registry_modification.yml | 2 +- .../sysmon_rdp_settings_hijack.yml | 8 +- .../sysmon_reg_office_security.yml | 12 +- .../sysmon_reg_silentprocessexit.yml | 22 + .../sysmon_reg_silentprocessexit_lsass.yml | 21 + .../sysmon_reg_vbs_payload_stored.yml | 31 + .../sysmon_registry_add_local_hidden_user.yml | 24 + ...ysmon_registry_persistence_key_linking.yml | 7 +- ...smon_registry_persistence_search_order.yml | 37 +- .../sysmon_removal_amsi_registry_key.yml | 26 + ...mon_removal_com_hijacking_registry_key.yml | 26 + .../sysmon_runonce_persistence.yml | 23 + .../sysmon_stickykey_like_backdoor.yml | 39 +- .../sysmon_susp_atbroker_change.yml | 26 + .../sysmon_susp_download_run_key.yml | 12 +- .../sysmon_susp_lsass_dll_load.yml | 6 +- 
.../sysmon_susp_mic_cam_access.yml | 5 +- .../sysmon_susp_reg_persist_explorer_run.yml | 24 +- .../sysmon_susp_run_key_img_folder.yml | 30 +- .../sysmon_susp_service_installed.yml | 12 +- ...sysmon_suspicious_keyboard_layout_load.yml | 6 +- .../sysmon_sysinternals_eula_accepted.yml | 6 +- ...mon_sysinternals_sdelete_registry_keys.yml | 23 + .../registry_event/sysmon_taskcache_entry.yml | 21 + .../sysmon_uac_bypass_eventvwr.yml | 7 +- .../sysmon_uac_bypass_sdclt.yml | 3 +- ...sysmon_volume_shadow_copy_service_keys.yml | 24 + .../sysmon_wab_dllpath_reg_change.yml | 26 + ...smon_wdigest_enable_uselogoncredential.yml | 22 + .../sysmon_win_reg_persistence.yml | 21 +- .../sysmon_win_reg_telemetry_persistence.yml | 29 + .../win_outlook_c2_registry_key.yml | 25 + .../win_outlook_registry_todaypage.yml | 32 + .../win_outlook_registry_webview.yml | 31 + .../win_portproxy_registry_key.yml | 26 + ...sing_windows_telemetry_for_persistence.yml | 41 ++ ...napi_in_powershell_credentials_dumping.yml | 26 + .../sysmon/sysmon_config_modification.yml | 38 + .../sysmon_dcom_iertutil_dll_hijack.yml | 29 + ...mon_dns_hybridconnectionmgr_servicebus.yml | 22 + .../sysmon_wmiprvse_wbemcomn_dll_hijack.yml | 36 + .../sysmon_wmi_event_subscription.yml | 2 +- .../sysmon_wmi_susp_scripting.yml | 33 +- tests/test-backend-es-qs.py | 2 +- tests/test-backend-netwitness.py | 2 +- tests/test_rules.py | 18 +- LICENSE.LGPL.txt => tools/LICENSE.LGPL.txt | 0 tools/MANIFEST.in | 2 + tools/README.md | 18 +- tools/config/carbon-black-eedr.yml | 141 ++++ tools/config/carbon-black.yml | 5 - tools/config/chronicle.yml | 180 +++++ tools/config/crowdstrike.yml | 2 +- tools/config/devo-network.yml | 22 + tools/config/devo-web.yml | 29 + tools/config/devo-windows.yml | 144 ++++ tools/config/ecs-dns.yml | 1 - tools/config/ecs-proxy.yml | 1 - .../ecs-zeek-elastic-beats-implementation.yml | 3 +- tools/config/elk-windows.yml | 15 + tools/config/elk-winlogbeat-sp.yml | 17 +- tools/config/elk-winlogbeat.yml | 17 +- 
tools/config/fireeye-helix.yml | 18 + tools/config/generic/sysmon.yml | 129 +++- tools/config/generic/windows-audit.yml | 14 +- tools/config/logpoint-windows.yml | 16 +- tools/config/logstash-windows.yml | 15 + tools/config/powershell-windows-all.yml | 15 + tools/config/powershell.yml | 15 + tools/config/splunk-windows.yml | 15 + tools/config/stix-custom.yml | 128 ++++ tools/config/stix-linux.yml | 36 - tools/config/stix-qradar.yml | 51 -- tools/config/stix-shifter.yml | 115 ++++ tools/config/stix-windows.yml | 269 -------- tools/config/stix.yml | 175 ----- tools/config/stix2.0.yml | 284 ++++++++ tools/config/sumologic.yml | 15 + tools/config/thor.yml | 180 ++++- tools/config/winlogbeat-modules-enabled.yml | 50 +- tools/config/winlogbeat-old.yml | 19 +- tools/config/winlogbeat.yml | 31 +- tools/requirements-devel.txt | 10 - tools/requirements.txt | 5 - tools/setup.py | 2 +- tools/sigma/backends/base.py | 2 + tools/sigma/backends/carbonblack.py | 4 +- tools/sigma/backends/chronicle.py | 192 ++++++ tools/sigma/backends/devo.py | 254 +++++++ tools/sigma/backends/elasticsearch.py | 264 ++++++- tools/sigma/backends/fireeye-helix.py | 6 +- tools/sigma/backends/limacharlie.py | 347 ++++++---- tools/sigma/backends/mdatp.py | 92 ++- tools/sigma/backends/netwitness-epl.py | 4 +- tools/sigma/backends/netwitness.py | 2 +- tools/sigma/backends/powershell.py | 15 +- tools/sigma/backends/qradar.py | 17 +- tools/sigma/backends/sql.py | 18 +- tools/sigma/backends/stix.py | 5 +- tools/sigma/backends/sumologic.py | 2 +- tools/sigma/backends/sysmon.py | 10 +- tools/sigma/backends/tools.py | 4 +- tools/sigma/backends/uberagent.py | 149 +++- tools/sigma/config/collection.py | 2 +- tools/sigma/configuration.py | 17 + tools/sigma/filter.py | 97 ++- tools/sigma/parser/collection.py | 12 +- tools/sigma/parser/condition.py | 3 +- tools/sigma/parser/rule.py | 31 +- tools/sigma/sigma-similarity.py | 2 +- tools/sigma/sigma2misp.py | 2 +- tools/sigma/sigma_similarity.py | 2 +- 
tools/sigma/sigmac.py | 16 +- tools/tests/test_backend_devo.py | 237 +++++++ tools/tests/test_backend_sql.py | 18 +- tools/tests/test_backend_sqlite.py | 8 +- 841 files changed, 17716 insertions(+), 3950 deletions(-) delete mode 100644 .github/workflows/pypi-publish.yml create mode 100644 rules-unsupported/sysmon_always_install_elevated_parent_child_correlated.yml create mode 100644 rules-unsupported/win_access_fake_files_with_stored_credentials.yml create mode 100644 rules-unsupported/win_remote_schtask.yml create mode 100644 rules-unsupported/win_remote_service.yml create mode 100644 rules/cloud/aws_snapshot_backup_exfiltration.yml create mode 100644 rules/linux/at_command.yml create mode 100644 rules/linux/lnx_base64_decode.yml create mode 100644 rules/linux/lnx_binary_padding.yml create mode 100644 rules/linux/lnx_change_file_time_attr.yml create mode 100644 rules/linux/lnx_clear_logs.yml create mode 100644 rules/linux/lnx_file_and_directory_discovery.yml create mode 100644 rules/linux/lnx_file_deletion.yml create mode 100644 rules/linux/lnx_find_cred_in_files.yml create mode 100644 rules/linux/lnx_install_root_certificate.yml create mode 100644 rules/linux/lnx_ldso_preload_injection.yml create mode 100644 rules/linux/lnx_local_account.yml create mode 100644 rules/linux/lnx_local_groups.yml create mode 100644 rules/linux/lnx_network_service_scanning.yml create mode 100644 rules/linux/lnx_password_policy_discovery.yml create mode 100644 rules/linux/lnx_process_discovery.yml create mode 100644 rules/linux/lnx_remote_system_discovery.yml create mode 100644 rules/linux/lnx_schedule_task_job_cron.yml create mode 100644 rules/linux/lnx_security_software_discovery.yml create mode 100644 rules/linux/lnx_split_file_into_pieces.yml create mode 100644 rules/linux/lnx_susp_histfile_operations.yml create mode 100644 rules/linux/lnx_symlink_etc_passwd.yml create mode 100644 rules/linux/lnx_system_info_discovery.yml create mode 100644 
rules/linux/lnx_system_network_connections_discovery.yml create mode 100644 rules/linux/lnx_system_network_discovery.yml create mode 100644 rules/linux/lnx_system_shutdown_reboot.yml create mode 100644 rules/linux/macos_applescript.yml create mode 100644 rules/linux/macos_base64_decode.yml create mode 100644 rules/linux/macos_binary_padding.yml create mode 100644 rules/linux/macos_change_file_time_attr.yml create mode 100644 rules/linux/macos_clear_system_logs.yml create mode 100644 rules/linux/macos_create_account.yml create mode 100644 rules/linux/macos_create_hidden_account.yml create mode 100644 rules/linux/macos_creds_from_keychain.yml create mode 100644 rules/linux/macos_disable_security_tools.yml create mode 100644 rules/linux/macos_emond_launch_daemon.yml create mode 100644 rules/linux/macos_file_and_directory_discovery.yml create mode 100644 rules/linux/macos_find_cred_in_files.yml create mode 100644 rules/linux/macos_gui_input_capture.yml create mode 100644 rules/linux/macos_local_account.yml create mode 100644 rules/linux/macos_local_groups.yml create mode 100644 rules/linux/macos_network_service_scanning.yml create mode 100644 rules/linux/macos_network_sniffing.yml create mode 100644 rules/linux/macos_remote_system_discovery.yml create mode 100644 rules/linux/macos_schedule_task_job_cron.yml create mode 100644 rules/linux/macos_screencapture.yml create mode 100644 rules/linux/macos_security_software_discovery.yml create mode 100644 rules/linux/macos_split_file_into_pieces.yml create mode 100644 rules/linux/macos_startup_items.yml create mode 100644 rules/linux/macos_susp_histfile_operations.yml create mode 100644 rules/linux/macos_system_network_connections_discovery.yml create mode 100644 rules/linux/macos_system_network_discovery.yml create mode 100644 rules/linux/macos_system_shutdown_reboot.yml create mode 100644 rules/linux/macos_xattr_gatekeeper_bypass.yml create mode 100644 rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml create mode 
100644 rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml create mode 100644 rules/network/zeek/zeek_http_exfiltration_compressed_files.yml create mode 100644 rules/network/zeek/zeek_http_webdav_put_request.yml create mode 100644 rules/proxy/proxy_apt_domestic_kitten.yml create mode 100644 rules/proxy/proxy_baby_shark.yml create mode 100644 rules/proxy/proxy_cobalt_malformed_uas.yml create mode 100644 rules/web/web_cve_2021_26814_wzuh_rce.yml create mode 100644 rules/web/web_exchange_exploitation_hafnium.yml create mode 100644 rules/web/web_expl_exchange_cve_2021_28480.yml create mode 100644 rules/web/web_nginx_core_dump.yml create mode 100644 rules/web/web_sonicwall_jarrewrite_exploit.yml create mode 100644 rules/web/web_unc2546_dewmode_php_webshell.yml create mode 100644 rules/web/win_powershell_snapins_hafnium.yml create mode 100644 rules/windows/builtin/win_arbitrary_shell_execution_via_settingcontent.yml create mode 100644 rules/windows/builtin/win_asr_bypass_via_appvlp_re.yml create mode 100644 rules/windows/builtin/win_camera_microphone_access.yml create mode 100644 rules/windows/builtin/win_cobaltstrike_service_installs.yml create mode 100644 rules/windows/builtin/win_dce_rpc_smb_spoolss_named_pipe.yml create mode 100644 rules/windows/builtin/win_dcom_iertutil_dll_hijack.yml create mode 100644 rules/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml create mode 100644 rules/windows/builtin/win_hidden_user_creation.yml create mode 100644 rules/windows/builtin/win_hybridconnectionmgr_svc_installation.yml create mode 100644 rules/windows/builtin/win_hybridconnectionmgr_svc_running.yml create mode 100644 rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml create mode 100644 rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml create mode 100644 rules/windows/builtin/win_invoke_obfuscation_var+_services.yml create mode 100644 rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml create mode 100644 
rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml create mode 100644 rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml create mode 100644 rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml create mode 100644 rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services.yml create mode 100644 rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml create mode 100644 rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml create mode 100644 rules/windows/builtin/win_iso_mount.yml create mode 100644 rules/windows/builtin/win_metasploit_or_impacket_smb_psexec_service_install.yml create mode 100644 rules/windows/builtin/win_net_use_admin_share.yml create mode 100644 rules/windows/builtin/win_ntfs_vuln_exploit.yml create mode 100644 rules/windows/builtin/win_powershell_script_installed_as_service.yml create mode 100644 rules/windows/builtin/win_privesc_cve_2020_1472.yml create mode 100644 rules/windows/builtin/win_root_certificate_installed.yml create mode 100644 rules/windows/builtin/win_scheduled_task_deletion.yml create mode 100644 rules/windows/builtin/win_scrcons_remote_wmi_scripteventconsumer.yml create mode 100644 rules/windows/builtin/win_set_oabvirtualdirectory_externalurl.yml create mode 100644 rules/windows/builtin/win_smb_file_creation_admin_shares.yml create mode 100644 rules/windows/builtin/win_software_discovery.yml create mode 100644 rules/windows/builtin/win_susp_failed_guest_logon.yml create mode 100644 rules/windows/builtin/win_susp_failed_logons_explicit_credentials.yml create mode 100644 rules/windows/builtin/win_susp_failed_logons_single_process.yml create mode 100644 rules/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml create mode 100644 rules/windows/builtin/win_susp_failed_logons_single_source_kerberos2.yml create mode 100644 rules/windows/builtin/win_susp_failed_logons_single_source_kerberos3.yml create mode 100644 
rules/windows/builtin/win_susp_failed_logons_single_source_ntlm.yml create mode 100644 rules/windows/builtin/win_susp_failed_logons_single_source_ntlm2.yml create mode 100644 rules/windows/builtin/win_susp_failed_remote_logons_single_source.yml create mode 100644 rules/windows/builtin/win_susp_logon_explicit_credentials.yml create mode 100644 rules/windows/builtin/win_susp_proceshacker.yml create mode 100644 rules/windows/builtin/win_suspicious_werfault_connection_outbound.yml create mode 100644 rules/windows/builtin/win_sysmon_channel_reference_deletion.yml create mode 100644 rules/windows/builtin/win_volume_shadow_copy_mount.yml create mode 100644 rules/windows/builtin/win_vssaudit_secevent_source_registration.yml create mode 100644 rules/windows/builtin/win_wmiprvse_wbemcomn_dll_hijack.yml rename rules/windows/{sysmon => create_remote_thread}/sysmon_cactustorch.yml (74%) rename rules/windows/{sysmon => create_remote_thread}/sysmon_cobaltstrike_process_injection.yml (95%) rename rules/windows/{sysmon => create_remote_thread}/sysmon_createremotethread_loadlibrary.yml (74%) rename rules/windows/{sysmon => create_remote_thread}/sysmon_password_dumper_lsass.yml (85%) rename rules/windows/{sysmon => create_remote_thread}/sysmon_susp_powershell_rundll32.yml (82%) rename rules/windows/{sysmon => create_remote_thread}/sysmon_suspicious_remote_thread.yml (96%) rename rules/windows/{sysmon => create_stream_hash}/sysmon_ads_executable.yml (88%) create mode 100644 rules/windows/create_stream_hash/sysmon_regedit_export_to_ads.yml create mode 100644 rules/windows/dns_query/dns_mega_nz.yml rename rules/windows/{sysmon => dns_query}/sysmon_possible_dns_rebinding.yml (97%) create mode 100644 rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml create mode 100644 rules/windows/file_delete/sysmon_sysinternals_sdelete_file_deletion.yml create mode 100644 rules/windows/file_event/sysmon_non_priv_program_files_move.yml create mode 100644 
rules/windows/file_event/sysmon_outlook_newform.yml create mode 100644 rules/windows/file_event/sysmon_pcre_net_temp_file.yml create mode 100644 rules/windows/file_event/sysmon_startup_folder_file_write.yml create mode 100644 rules/windows/file_event/sysmon_susp_clr_logs.yml create mode 100644 rules/windows/file_event/sysmon_susp_pfx_file_creation.yml create mode 100644 rules/windows/file_event/win_cve_2021_1675_printspooler.yml create mode 100644 rules/windows/file_event/win_outlook_c2_macro_creation.yml create mode 100644 rules/windows/file_event/win_rclone_exec_file.yml create mode 100644 rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml create mode 100644 rules/windows/image_load/sysmon_alternate_powershell_hosts_moduleload.yml create mode 100644 rules/windows/image_load/sysmon_pcre_net_load.yml create mode 100644 rules/windows/image_load/sysmon_scrcons_imageload_wmi_scripteventconsumer.yml create mode 100644 rules/windows/image_load/sysmon_susp_python_image_load.yml create mode 100644 rules/windows/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml create mode 100644 rules/windows/image_load/sysmon_susp_system_drawing_load.yml create mode 100644 rules/windows/image_load/sysmon_tttracer_mod_load.yml create mode 100644 rules/windows/image_load/sysmon_uac_bypass_via_dism.yml create mode 100644 rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml create mode 100644 rules/windows/image_load/sysmon_wmic_remote_xsl_scripting_dlls.yml create mode 100644 rules/windows/image_load/sysmon_wsman_provider_image_load.yml create mode 100644 rules/windows/malware/win_mal_darkside.yml create mode 100644 rules/windows/malware/win_mal_lockergoga.yml create mode 100644 rules/windows/network_connection/silenttrinity_stager_msbuild_activity.yml create mode 100644 rules/windows/network_connection/sysmon_wuauclt_network_connection.yml create mode 100644 rules/windows/other/win_exchange_TransportAgent_failed.yml create mode 100644 
rules/windows/other/win_lateral_movement_condrv.yml create mode 100644 rules/windows/other/win_ldap_recon.yml create mode 100644 rules/windows/other/win_possible_zerologon_exploitation_using_wellknown_tools.yml rename rules/windows/{sysmon => pipe_created}/sysmon_alternate_powershell_hosts_pipe.yml (80%) rename rules/windows/{sysmon => pipe_created}/sysmon_apt_turla_namedpipes.yml (92%) rename rules/windows/{sysmon => pipe_created}/sysmon_cred_dump_tools_named_pipes.yml (95%) create mode 100644 rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml rename rules/windows/{sysmon => pipe_created}/sysmon_mal_namedpipes.yml (74%) create mode 100644 rules/windows/pipe_created/sysmon_powershell_execution_pipe.yml create mode 100644 rules/windows/pipe_created/sysmon_psexec_pipes_artifacts.yml create mode 100644 rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml create mode 100644 rules/windows/powershell/powershell_CL_Invocation_LOLScript_v2.yml create mode 100644 rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript.yml create mode 100644 rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript_v2.yml create mode 100644 rules/windows/powershell/powershell_accessing_win_api.yml create mode 100644 rules/windows/powershell/powershell_bad_opsec_artifacts.yml create mode 100644 rules/windows/powershell/powershell_cmdline_reversed_strings.yml create mode 100644 rules/windows/powershell/powershell_cmdline_special_characters.yml create mode 100644 rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml create mode 100644 rules/windows/powershell/powershell_code_injection.yml create mode 100644 rules/windows/powershell/powershell_decompress_commands.yml create mode 100644 rules/windows/powershell/powershell_delete_volume_shadow_copies.yml create mode 100644 rules/windows/powershell/powershell_get_clipboard.yml create mode 100644 rules/windows/powershell/powershell_icmp_exfiltration.yml create mode 100644 
rules/windows/powershell/powershell_invoke_obfuscation_clip+.yml create mode 100644 rules/windows/powershell/powershell_invoke_obfuscation_stdin+.yml create mode 100644 rules/windows/powershell/powershell_invoke_obfuscation_var+.yml create mode 100644 rules/windows/powershell/powershell_invoke_obfuscation_via_compress.yml create mode 100644 rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml create mode 100644 rules/windows/powershell/powershell_invoke_obfuscation_via_stdin.yml create mode 100644 rules/windows/powershell/powershell_invoke_obfuscation_via_use_clip.yml create mode 100644 rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml create mode 100644 rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml create mode 100644 rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml create mode 100644 rules/windows/powershell/powershell_suspicious_export_pfxcertificate.yml create mode 100644 rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml create mode 100644 rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml create mode 100644 rules/windows/powershell/powershell_tamper_with_windows_defender.yml create mode 100644 rules/windows/powershell/powershell_wsman_com_provider_no_powershell.yml create mode 100644 rules/windows/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml create mode 100755 rules/windows/process_access/sysmon_lsass_dump_comsvcs_dll.yml create mode 100644 rules/windows/process_access/sysmon_svchost_cred_dump.yml create mode 100644 rules/windows/process_access/win_susp_shell_spawn_from_winrm.yml create mode 100644 rules/windows/process_creation/process_creation_SDelete.yml create mode 100644 rules/windows/process_creation/process_creation_c3_load_by_rundll32.yml create mode 100644 rules/windows/process_creation/process_creation_cobaltstrike_load_by_rundll32.yml create mode 100644 
rules/windows/process_creation/process_creation_dotnet.yml create mode 100644 rules/windows/process_creation/process_creation_msdeploy.yml create mode 100644 rules/windows/process_creation/sysmon_abusing_debug_privilege.yml create mode 100644 rules/windows/process_creation/sysmon_accesschk_usage_after_priv_escalation.yml create mode 100644 rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml create mode 100644 rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml create mode 100644 rules/windows/process_creation/sysmon_always_install_elevated_windows_installer.yml rename rules/windows/process_creation/{cmstp_execution.yml => sysmon_cmstp_execution.yml} (95%) create mode 100644 rules/windows/process_creation/sysmon_high_integrity_sdclt.yml create mode 100644 rules/windows/process_creation/sysmon_long_powershell_commandline.yml create mode 100644 rules/windows/process_creation/sysmon_proxy_execution_wuauclt.yml create mode 100644 rules/windows/process_creation/sysmon_sdclt_child_process.yml create mode 100644 rules/windows/process_creation/sysmon_susp_plink_remote_forward.yml create mode 100644 rules/windows/process_creation/sysmon_susp_webdav_client_execution.yml create mode 100644 rules/windows/process_creation/win_CL_Invocation_LOLScript.yml create mode 100644 rules/windows/process_creation/win_CL_Mutexverifiers_LOLScript.yml create mode 100644 rules/windows/process_creation/win_ad_find_discovery.yml create mode 100644 rules/windows/process_creation/win_apt_hafnium.yml create mode 100644 rules/windows/process_creation/win_apt_unc2452_cmds.yml create mode 100644 rules/windows/process_creation/win_apt_unc2452_ps.yml create mode 100644 rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml create mode 100644 rules/windows/process_creation/win_class_exec_xwizard.yml create mode 100644 
rules/windows/process_creation/win_credential_access_via_password_filter.yml create mode 100644 rules/windows/process_creation/win_detecting_fake_instances_of_hxtsr.yml create mode 100644 rules/windows/process_creation/win_exchange_transportagent.yml create mode 100644 rules/windows/process_creation/win_hiding_malware_in_fonts_folder.yml create mode 100644 rules/windows/process_creation/win_indirect_cmd_compatibility_assistant.yml create mode 100644 rules/windows/process_creation/win_invoke_obfuscation_clip+.yml create mode 100644 rules/windows/process_creation/win_invoke_obfuscation_stdin+.yml create mode 100644 rules/windows/process_creation/win_invoke_obfuscation_var+.yml create mode 100644 rules/windows/process_creation/win_invoke_obfuscation_via_compress.yml create mode 100644 rules/windows/process_creation/win_invoke_obfuscation_via_rundll.yml create mode 100644 rules/windows/process_creation/win_invoke_obfuscation_via_stdin.yml create mode 100644 rules/windows/process_creation/win_invoke_obfuscation_via_use_clip.yml create mode 100644 rules/windows/process_creation/win_invoke_obfuscation_via_use_mhsta.yml create mode 100644 rules/windows/process_creation/win_invoke_obfuscation_via_use_rundll32.yml create mode 100644 rules/windows/process_creation/win_invoke_obfuscation_via_var++.yml create mode 100644 rules/windows/process_creation/win_lolbas_execution_of_wuauclt.yml create mode 100644 rules/windows/process_creation/win_lolbin_execution_via_winget.yml create mode 100644 rules/windows/process_creation/win_manage-bde_lolbas.yml create mode 100644 rules/windows/process_creation/win_modif_of_services_for_via_commandline.yml create mode 100644 rules/windows/process_creation/win_monitoring_for_persistence_via_bits.yml create mode 100644 rules/windows/process_creation/win_nltest_query.yml create mode 100644 rules/windows/process_creation/win_non_priv_reg_or_ps.yml create mode 100644 rules/windows/process_creation/win_powershell_defender_exclusion.yml create mode 
100644 rules/windows/process_creation/win_powershell_disable_windef_av.yml create mode 100644 rules/windows/process_creation/win_powershell_reverse_shell_connection.yml create mode 100644 rules/windows/process_creation/win_purplesharp_indicators.yml create mode 100644 rules/windows/process_creation/win_rasautou_dll_execution.yml create mode 100644 rules/windows/process_creation/win_reg_add_run_key.yml create mode 100644 rules/windows/process_creation/win_regedit_export_critical_keys.yml create mode 100644 rules/windows/process_creation/win_regedit_export_keys.yml create mode 100644 rules/windows/process_creation/win_regedit_import_keys.yml create mode 100644 rules/windows/process_creation/win_regedit_import_keys_ads.yml create mode 100644 rules/windows/process_creation/win_regini.yml create mode 100644 rules/windows/process_creation/win_regini_ads.yml create mode 100644 rules/windows/process_creation/win_renamed_megasync.yml create mode 100644 rules/windows/process_creation/win_run_powershell_script_from_input_stream.yml create mode 100644 rules/windows/process_creation/win_run_virtualbox.yml create mode 100644 rules/windows/process_creation/win_rundll32_without_parameters.yml create mode 100644 rules/windows/process_creation/win_script_event_consumer_spawn.yml create mode 100644 rules/windows/process_creation/win_shell_spawn_mshta.yml create mode 100644 rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml create mode 100644 rules/windows/process_creation/win_sus_auditpol_usage.yml create mode 100644 rules/windows/process_creation/win_susp_atbroker.yml create mode 100644 rules/windows/process_creation/win_susp_csi.yml create mode 100644 rules/windows/process_creation/win_susp_disable_eventlog.yml create mode 100644 rules/windows/process_creation/win_susp_disable_raccine.yml create mode 100644 rules/windows/process_creation/win_susp_diskshadow.yml delete mode 100644 rules/windows/process_creation/win_susp_exec_folder.yml 
create mode 100644 rules/windows/process_creation/win_susp_explorer.yml create mode 100644 rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml create mode 100644 rules/windows/process_creation/win_susp_findstr.yml create mode 100644 rules/windows/process_creation/win_susp_finger_usage.yml create mode 100644 rules/windows/process_creation/win_susp_ftp.yml create mode 100644 rules/windows/process_creation/win_susp_mounted_share_deletion.yml create mode 100644 rules/windows/process_creation/win_susp_ngrok_pua.yml create mode 100644 rules/windows/process_creation/win_susp_pcwutl.yml create mode 100644 rules/windows/process_creation/win_susp_pester.yml create mode 100644 rules/windows/process_creation/win_susp_powershell_getprocess_lsass.yml create mode 100644 rules/windows/process_creation/win_susp_print.yml create mode 100644 rules/windows/process_creation/win_susp_procdump_lsass.yml create mode 100644 rules/windows/process_creation/win_susp_procs_req_dlls.yml delete mode 100644 rules/windows/process_creation/win_susp_prog_location_process_starts.yml create mode 100644 rules/windows/process_creation/win_susp_psexex_paexec_flags.yml create mode 100644 rules/windows/process_creation/win_susp_rclone_exec.yml create mode 100644 rules/windows/process_creation/win_susp_regedit_trustedinstaller.yml create mode 100644 rules/windows/process_creation/win_susp_register_cimprovider.yml create mode 100644 rules/windows/process_creation/win_susp_renamed_paexec.yml create mode 100644 rules/windows/process_creation/win_susp_rpcping.yml create mode 100644 rules/windows/process_creation/win_susp_rundll32_inline_vbs.yml create mode 100644 rules/windows/process_creation/win_susp_rundll32_no_params.yml create mode 100644 rules/windows/process_creation/win_susp_rundll32_setupapi_installhinfsection.yml create mode 100644 rules/windows/process_creation/win_susp_rundll32_sys.yml create mode 100644 rules/windows/process_creation/win_susp_runonce_execution.yml 
create mode 100644 rules/windows/process_creation/win_susp_runscripthelper.yml create mode 100644 rules/windows/process_creation/win_susp_schtask_creation_temp_folder.yml create mode 100644 rules/windows/process_creation/win_susp_screenconnect_access.yml create mode 100644 rules/windows/process_creation/win_susp_service_dacl_modification.yml create mode 100644 rules/windows/process_creation/win_susp_service_dir.yml create mode 100644 rules/windows/process_creation/win_susp_shimcache_flush.yml create mode 100644 rules/windows/process_creation/win_susp_sqldumper_activity.yml create mode 100644 rules/windows/process_creation/win_susp_tracker_execution.yml create mode 100644 rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml create mode 100644 rules/windows/process_creation/win_susp_use_of_sqltoolsps_bin.yml create mode 100644 rules/windows/process_creation/win_susp_use_of_te_bin.yml create mode 100644 rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml create mode 100644 rules/windows/process_creation/win_susp_vboxdrvInst.yml create mode 100644 rules/windows/process_creation/win_susp_vbscript_unc2452.yml create mode 100644 rules/windows/process_creation/win_susp_volsnap_disable.yml create mode 100644 rules/windows/process_creation/win_susp_winrm_AWL_bypass.yml create mode 100644 rules/windows/process_creation/win_susp_winrm_execution.yml create mode 100644 rules/windows/process_creation/win_susp_wmic_eventconsumer_create.yml create mode 100644 rules/windows/process_creation/win_susp_wmic_security_product_uninstall.yml create mode 100644 rules/windows/process_creation/win_susp_wsl_lolbin.yml create mode 100644 rules/windows/process_creation/win_syncappvpublishingserver_exe.yml create mode 100644 rules/windows/process_creation/win_using_settingsynchost_as_lolbin.yml create mode 100644 rules/windows/process_creation/win_verclsid_runs_com.yml create mode 100644 rules/windows/process_creation/win_visual_basic_compiler.yml create mode 100644 
rules/windows/process_creation/win_whoami_priv.yml create mode 100644 rules/windows/process_creation/win_winword_dll_load.yml create mode 100644 rules/windows/process_creation/win_write_protect_for_storage_disabled.yml rename rules/windows/{sysmon => raw_access_thread}/sysmon_raw_disk_access_using_illegitimate_tools.yml (91%) create mode 100644 rules/windows/registry_event/sysmon_bypass_via_wsreset.yml create mode 100644 rules/windows/registry_event/sysmon_cobaltstrike_service_installs.yml create mode 100644 rules/windows/registry_event/sysmon_disable_microsoft_office_security_features.yml create mode 100644 rules/windows/registry_event/sysmon_disable_wdigest_credential_guard.yml create mode 100644 rules/windows/registry_event/sysmon_enabling_cor_profiler_env_variables.yml create mode 100644 rules/windows/registry_event/sysmon_hybridconnectionmgr_svc_installation.yml create mode 100644 rules/windows/registry_event/sysmon_modify_screensaver_binary_path.yml create mode 100644 rules/windows/registry_event/sysmon_new_application_appcompat.yml create mode 100644 rules/windows/registry_event/sysmon_powershell_as_service.yml create mode 100644 rules/windows/registry_event/sysmon_reg_silentprocessexit.yml create mode 100644 rules/windows/registry_event/sysmon_reg_silentprocessexit_lsass.yml create mode 100644 rules/windows/registry_event/sysmon_reg_vbs_payload_stored.yml create mode 100644 rules/windows/registry_event/sysmon_registry_add_local_hidden_user.yml create mode 100644 rules/windows/registry_event/sysmon_removal_amsi_registry_key.yml create mode 100644 rules/windows/registry_event/sysmon_removal_com_hijacking_registry_key.yml create mode 100644 rules/windows/registry_event/sysmon_runonce_persistence.yml create mode 100644 rules/windows/registry_event/sysmon_susp_atbroker_change.yml create mode 100644 rules/windows/registry_event/sysmon_sysinternals_sdelete_registry_keys.yml create mode 100644 rules/windows/registry_event/sysmon_taskcache_entry.yml create mode 
100644 rules/windows/registry_event/sysmon_volume_shadow_copy_service_keys.yml create mode 100644 rules/windows/registry_event/sysmon_wab_dllpath_reg_change.yml create mode 100644 rules/windows/registry_event/sysmon_wdigest_enable_uselogoncredential.yml create mode 100644 rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml create mode 100644 rules/windows/registry_event/win_outlook_c2_registry_key.yml create mode 100644 rules/windows/registry_event/win_outlook_registry_todaypage.yml create mode 100644 rules/windows/registry_event/win_outlook_registry_webview.yml create mode 100644 rules/windows/registry_event/win_portproxy_registry_key.yml create mode 100644 rules/windows/sysmon/sysmon_abusing_windows_telemetry_for_persistence.yml create mode 100644 rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml create mode 100644 rules/windows/sysmon/sysmon_config_modification.yml create mode 100644 rules/windows/sysmon/sysmon_dcom_iertutil_dll_hijack.yml create mode 100644 rules/windows/sysmon/sysmon_dns_hybridconnectionmgr_servicebus.yml create mode 100644 rules/windows/sysmon/sysmon_wmiprvse_wbemcomn_dll_hijack.yml rename rules/windows/{sysmon => wmi_event}/sysmon_wmi_event_subscription.yml (95%) rename rules/windows/{sysmon => wmi_event}/sysmon_wmi_susp_scripting.yml (53%) rename LICENSE.LGPL.txt => tools/LICENSE.LGPL.txt (100%) create mode 100644 tools/MANIFEST.in create mode 100644 tools/config/carbon-black-eedr.yml create mode 100644 tools/config/chronicle.yml create mode 100644 tools/config/devo-network.yml create mode 100644 tools/config/devo-web.yml create mode 100644 tools/config/devo-windows.yml create mode 100644 tools/config/stix-custom.yml delete mode 100644 tools/config/stix-linux.yml delete mode 100644 tools/config/stix-qradar.yml create mode 100644 tools/config/stix-shifter.yml delete mode 100644 tools/config/stix-windows.yml delete mode 100644 tools/config/stix.yml create mode 100644 tools/config/stix2.0.yml 
delete mode 100644 tools/requirements-devel.txt delete mode 100644 tools/requirements.txt create mode 100644 tools/sigma/backends/chronicle.py create mode 100644 tools/sigma/backends/devo.py create mode 100644 tools/tests/test_backend_devo.py diff --git a/.github/workflows/pypi-publish.yml b/.github/workflows/pypi-publish.yml deleted file mode 100644 index efeff2dc6..000000000 --- a/.github/workflows/pypi-publish.yml +++ /dev/null @@ -1,27 +0,0 @@ -# This workflows will upload a Python Package using Twine when a release is created -# For more information see: https://help.github.com/en/actions/language-and-framework-guides/using-python-with-github-actions#publishing-to-package-registries - -name: Upload Sigmatools Package to PyPI -on: - release: - types: [created] - -jobs: - deploy: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v2 - - name: Set up Python - uses: actions/setup-python@v1 - with: - python-version: '3.x' - - name: Install dependencies - run: | - python -m pip install --upgrade pip - pip install setuptools wheel twine - - name: Build and publish - env: - TWINE_USERNAME: ${{ secrets.PYPI_USERNAME }} - TWINE_PASSWORD: ${{ secrets.PYPI_PASSWORD }} - run: | - make upload diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml index 28931b92e..d94d319dd 100644 --- a/.github/workflows/sigma-test.yml +++ b/.github/workflows/sigma-test.yml @@ -8,7 +8,7 @@ on: branches: - "*" pull_request: - branches: [ master ] + branches: [ master, oscd ] jobs: test-sigma: @@ -22,10 +22,12 @@ jobs: - name: Install dependencies run: | python -m pip install --upgrade pip - pip install -r tools/requirements.txt -r tools/requirements-devel.txt + pip install pipenv + pipenv lock + pipenv install --dev --deploy - name: Test Sigma Tools and Rules run: | - make test + pipenv run make test - name: Test SQL(ite) Backend run: | - make test-backend-sql + pipenv run make test-backend-sql 
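Review bot: The `pipenv lock` step added before `pipenv install --dev --deploy` in the second sigma-test.yml hunk defeats the `--deploy` check: `--deploy` is meant to abort when Pipfile.lock is stale, but re-locking first rewrites Pipfile.lock from the index at CI time, so the hash-pinned versions committed in this change (the Pipfile.lock hunks further down) are never what the tests actually run against, and a fresh resolve on every run is not reproducible. With the Pipfile hunk adding `setuptools = "*"`, `stix2 = "*"` and `attackcti = "*"`, each re-lock also floats those to whatever is newest on PyPI. Drop the lock step so the committed lock is honoured, `pip install pipenv` followed by `pipenv install --dev --deploy`; if the lock is out of date the job then fails loudly and the fix is to commit a regenerated Pipfile.lock. The workflow's Python matrix is outside this hunk, so I cannot tell whether it matches the `python_version = "3.8"` bump in the Pipfile, which `--deploy` checks as well.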
diff --git a/CHANGELOG.md b/CHANGELOG.md
index a7c913f51..22c20035f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,36 @@
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html) from version 0.14.0.
 
+## 0.19.1 - 2021-02-28
+
+### Changed
+
+* Added LGPL license to distribution
+
+## 0.19 - 2021-02-23
+
+### Added
+
+* New parameters for Elastic backends
+* Various field mappings
+* FireEye Helix backend
+* Generic log source image_load
+* Kibana NDJSON backend
+* uberAgent ESA backend
+* SumoLogic CSE backend
+
+### Changed
+
+* Updated mdatp backend fields
+* QRadar query generation optimized
+* MDATP: case insensitive search
+
+### Fixed
+
+* Fixing Qradar implementation for create valid AQL queries
+* Nested conditions
+* Various minor bug fixes
+
 ## 0.18.1 - 2020-08-25
 
 Release created for technical reasons (issues with extended README and PyPI), no real changes done.
diff --git a/Makefile b/Makefile
index deeb2c735..9fe44fecf 100644
--- a/Makefile
+++ b/Makefile
@@ -57,8 +57,9 @@ test-sigmac:
 $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t arcsight -c tools/config/arcsight.yml rules/ > /dev/null
 $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t arcsight-esm -c tools/config/arcsight.yml rules/ > /dev/null
 $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t qradar -c tools/config/qradar.yml rules/ > /dev/null
- $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t stix -c tools/config/stix.yml -c tools/config/stix-qradar.yml -c tools/config/stix-windows.yml rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t stix -c tools/config/stix-custom.yml -c tools/config/stix-shifter.yml -c tools/config/stix2.0.yml rules/ > /dev/null
 $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t limacharlie -c tools/config/limacharlie.yml rules/ > /dev/null
+ $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t chronicle -c tools/config/chronicle.yml rules/ > /dev/null
 $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t carbonblack -c tools/config/carbon-black.yml rules/ > /dev/null
 $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t qualys -c tools/config/qualys.yml rules/ > /dev/null
 $(COVERAGE) run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t netwitness -c tools/config/netwitness.yml rules/ > /dev/null
diff --git a/Pipfile b/Pipfile
index 6b51f7499..060d74e88 100644
--- a/Pipfile
+++ b/Pipfile
@@ -10,13 +10,16 @@ elasticsearch = "~=7.6"
 elasticsearch-async = "~=6.2"
 pytest = "~=5.4"
 colorama = "*"
+setuptools = "*"
+stix2 = "*"
+attackcti = "*"
 
 [packages]
-requests = "~=2.23"
-urllib3 = "~=1.25"
+requests = "~=2.25"
+urllib3 = "~=1.26"
 progressbar2 = "~=3.47"
 pymisp = "~=2.4.123"
 PyYAML = "~=5.1"
 
 [requires]
-python_version = "3.6"
+python_version = "3.8"
diff --git a/Pipfile.lock b/Pipfile.lock
index 3436ea040..f83fca957 100644
--- a/Pipfile.lock
+++ b/Pipfile.lock
@@ -1,11 +1,11 @@ { "_meta": { "hash": { - "sha256": "588c969e3c9cf945190a258f9607bbcc53ee9715d34e538b130a852459e4848a" + "sha256": "9d6e50bfd41bb3de5ebbae350555fe4b67c24e2c186aac053905a7740a69e8b2" }, "pipfile-spec": 6, "requires": { - "python_version": "3.6" + "python_version": "3.8" }, "sources": [ { 
@@ -18,46 +18,38 @@ "default": { "attrs": { "hashes": [ - "sha256:08a96c641c3a74e44eb59afb61a24f2cb9f4d7188748e76ba4bb5edfa3cb7d1c", - "sha256:f7b7ce16570fe9965acd6d30101a28f62fb4a7f9e926b3bbc9b61f8b04247e72" + "sha256:149e90d6d8ac20db7a955ad60cf0e6881a3f20d37096140088356da6c716b0b1", + "sha256:ef6aaac3ca6cd92904cdd0d83f629a15f18053ec84e6432106f7a4d04ae4f5fb" ], - "version": "==19.3.0" + "version": "==21.2.0" }, "certifi": { "hashes": [ - "sha256:017c25db2a153ce562900032d5bc68e9f191e44e9a0f762f373977de9df1fbb3", - "sha256:25b64c7da4cd7479594d035c08c2d809eb4aab3a26e5a990ea98cc450c320f1f" + "sha256:2bbf76fd432960138b3ef6dda3dde0544f27cbf8546c458e60baf371917ba9ee", + "sha256:50b1e4f8446b06f41be7dd6338db18e0990601dce795c2b1686458aa7e8fa7d8" ], - "version": "==2019.11.28" + "version": "==2021.5.30" }, "chardet": { "hashes": [ - "sha256:84ab92ed1c4d4f16916e05906b6b75a6c0fb5db821cc65e70cbd64a3e2a5eaae", - "sha256:fc323ffcaeaed0e0a02bf4d117757b98aed530d9ed4531e3e15460124c106691" + "sha256:0d6f53a15db4120f2b08c94f11e7d93d2c911ee118b6b30a04ec3ee8310179fa", + "sha256:f864054d66fd9118f2e67044ac8981a54775ec5b67aed0441892edb553d21da5" ], - "version": "==3.0.4" + "version": "==4.0.0" }, "deprecated": { "hashes": [ - "sha256:408038ab5fdeca67554e8f6742d1521cd3cd0ee0ff9d47f29318a4f4da31c308", - "sha256:8b6a5aa50e482d8244a62e5582b96c372e87e3a28e8b49c316e46b95c76a611d" + "sha256:08452d69b6b5bc66e8330adde0a4f8642e969b9e1702904d137eeb29c8ffc771", + "sha256:6d2de2de7931a968874481ef30208fd4e08da39177d61d3d4ebdf4366e7dbca1" ], - "version": "==1.2.7" + "version": "==1.2.12" }, "idna": { "hashes": [ - "sha256:7588d1c14ae4c77d74036e8c22ff447b26d0fde8f007354fd48a7814db15b7cb", - "sha256:a068a21ceac8a4d63dbfd964670474107f541babbd2250d61922f029858365fa" + "sha256:b307872f855b18632ce0c21c5e45be78c0ea7ae4c15c828c20788b26921eb3f6", + "sha256:b97d804b1e9b523befed77c48dacec60e6dcb0b5391d57af6a65a312a90648c0" ], - "version": "==2.9" - }, - "importlib-metadata": { - "hashes": [ - 
"sha256:2a688cbaa90e0cc587f1df48bdc97a6eadccdcd9c35fb3f976a09e3b5016d90f", - "sha256:34513a8a0c4962bc66d35b359558fd8a5e10cd472d37aec5f66858addef32c1e" - ], - "markers": "python_version < '3.8'", - "version": "==1.6.0" + "version": "==2.10" }, "jsonschema": { "hashes": [ @@ -68,25 +60,25 @@ }, "progressbar2": { "hashes": [ - "sha256:2c21c14482016162852c8265da03886c2b4dea6f84e5a817ad9b39f6bd82a772", - "sha256:7849b84c01a39e4eddd2b369a129fed5e24dfb78d484ae63f9e08e58277a2928" + "sha256:ef72be284e7f2b61ac0894b44165926f13f5d995b2bf3cd8a8dedc6224b255a7", + "sha256:fe2738e7ecb7df52ad76307fe610c460c52b50f5335fd26c3ab80ff7655ba1e0" ], "index": "pypi", - "version": "==3.50.1" + "version": "==3.53.1" }, "pymisp": { "hashes": [ - "sha256:1d27bc81ed492b5e6e216d099dcadf943d5c0c09457d6464ed33db8da39d0fdd", - "sha256:318cb9cee371ce3918b3216e2c1a61938747203f89f9d42d4e4a51b40066f9b3" + "sha256:7ab159ba589f54d105c59cb990722369c57d8f587b5df215a79ed4059cb57b8a", + "sha256:c6496a6884fe3a671e9dd3c314564b4e94b8827845f5ea0004ab3649373e9db2" ], "index": "pypi", - "version": "==2.4.123" + "version": "==2.4.141.1" }, "pyrsistent": { "hashes": [ - "sha256:28669905fe725965daa16184933676547c5bb40a5153055a8dee2a4bd7933ad3" + "sha256:2e636185d9eb976a18a8a8e96efce62f2905fea90041958d8cc2a189756ebf3e" ], - "version": "==0.16.0" + "version": "==0.17.3" }, "python-dateutil": { "hashes": [ 
@@ -97,82 +89,125 @@ }, "python-utils": { "hashes": [ - "sha256:ebaadab29d0cb9dca0a82eab9c405f5be5125dbbff35b8f32cc433fa498dbaa7", - "sha256:f21fc09ff58ea5ebd1fd2e8ef7f63e39d456336900f26bdc9334a03a3f7d8089" + "sha256:18fbc1a1df9a9061e3059a48ebe5c8a66b654d688b0e3ecca8b339a7f168f208", + "sha256:352d5b1febeebf9b3cdb9f3c87a3b26ef22d3c9e274a8ec1e7048ecd2fac4349" ], - "version": "==2.4.0" + "version": "==2.5.6" }, "pyyaml": { "hashes": [ - "sha256:1adecc22f88d38052fb787d959f003811ca858b799590a5eaa70e63dca50308c", - "sha256:436bc774ecf7c103814098159fbb84c2715d25980175292c648f2da143909f95", - "sha256:460a5a4248763f6f37ea225d19d5c205677d8d525f6a83357ca622ed541830c2", - "sha256:5a22a9c84653debfbf198d02fe592c176ea548cccce47553f35f466e15cf2fd4", - "sha256:7a5d3f26b89d688db27822343dfa25c599627bc92093e788956372285c6298ad", - "sha256:9372b04a02080752d9e6f990179a4ab840227c6e2ce15b95e1278456664cf2ba", - "sha256:a5dcbebee834eaddf3fa7366316b880ff4062e4bcc9787b78c7fbb4a26ff2dd1", - "sha256:aee5bab92a176e7cd034e57f46e9df9a9862a71f8f37cad167c6fc74c65f5b4e", - "sha256:c51f642898c0bacd335fc119da60baae0824f2cde95b0330b56c0553439f0673", - "sha256:c68ea4d3ba1705da1e0d85da6684ac657912679a649e8868bd850d2c299cce13", - "sha256:e23d0cc5299223dcc37885dae624f382297717e459ea24053709675a976a3e19" + "sha256:08682f6b72c722394747bddaf0aa62277e02557c0fd1c42cb853016a38f8dedf", + "sha256:0f5f5786c0e09baddcd8b4b45f20a7b5d61a7e7e99846e3c799b05c7c53fa696", + "sha256:129def1b7c1bf22faffd67b8f3724645203b79d8f4cc81f674654d9902cb4393", + "sha256:294db365efa064d00b8d1ef65d8ea2c3426ac366c0c4368d930bf1c5fb497f77", + "sha256:3b2b1824fe7112845700f815ff6a489360226a5609b96ec2190a45e62a9fc922", + "sha256:3bd0e463264cf257d1ffd2e40223b197271046d09dadf73a0fe82b9c1fc385a5", + "sha256:4465124ef1b18d9ace298060f4eccc64b0850899ac4ac53294547536533800c8", + "sha256:49d4cdd9065b9b6e206d0595fee27a96b5dd22618e7520c33204a4a3239d5b10", + "sha256:4e0583d24c881e14342eaf4ec5fbc97f934b999a6828693a99157fde912540cc", + 
"sha256:5accb17103e43963b80e6f837831f38d314a0495500067cb25afab2e8d7a4018", + "sha256:607774cbba28732bfa802b54baa7484215f530991055bb562efbed5b2f20a45e", + "sha256:6c78645d400265a062508ae399b60b8c167bf003db364ecb26dcab2bda048253", + "sha256:72a01f726a9c7851ca9bfad6fd09ca4e090a023c00945ea05ba1638c09dc3347", + "sha256:74c1485f7707cf707a7aef42ef6322b8f97921bd89be2ab6317fd782c2d53183", + "sha256:895f61ef02e8fed38159bb70f7e100e00f471eae2bc838cd0f4ebb21e28f8541", + "sha256:8c1be557ee92a20f184922c7b6424e8ab6691788e6d86137c5d93c1a6ec1b8fb", + "sha256:bb4191dfc9306777bc594117aee052446b3fa88737cd13b7188d0e7aa8162185", + "sha256:bfb51918d4ff3d77c1c856a9699f8492c612cde32fd3bcd344af9be34999bfdc", + "sha256:c20cfa2d49991c8b4147af39859b167664f2ad4561704ee74c1de03318e898db", + "sha256:cb333c16912324fd5f769fff6bc5de372e9e7a202247b48870bc251ed40239aa", + "sha256:d2d9808ea7b4af864f35ea216be506ecec180628aced0704e34aca0b040ffe46", + "sha256:d483ad4e639292c90170eb6f7783ad19490e7a8defb3e46f97dfe4bacae89122", + "sha256:dd5de0646207f053eb0d6c74ae45ba98c3395a571a2891858e87df7c9b9bd51b", + "sha256:e1d4970ea66be07ae37a3c2e48b5ec63f7ba6804bdddfdbd3cfd954d25a82e63", + "sha256:e4fac90784481d221a8e4b1162afa7c47ed953be40d31ab4629ae917510051df", + "sha256:fa5ae20527d8e831e8230cbffd9f8fe952815b2b7dae6ffec25318803a7528fc", + "sha256:fd7f6999a8070df521b6384004ef42833b9bd62cfee11a09bda1079b4b704247", + "sha256:fdc842473cd33f45ff6bce46aea678a54e3d21f1b61a7750ce3c498eedfe25d6", + "sha256:fe69978f3f768926cfa37b867e3843918e012cf83f680806599ddce33c2c68b0" ], "index": "pypi", - "version": "==5.1" + "version": "==5.4.1" }, "requests": { "hashes": [ - "sha256:43999036bfa82904b6af1d99e4882b560e5e2c68e5c4b0aa03b655f3d7d73fee", - "sha256:b3f43d496c6daba4493e7c431722aeb7dbc6288f52a6e04e7b6023b0247817e6" + "sha256:27973dd4a904a4f13b263a19c866c13b92a39ed1c964655f025f3f8d3d75b804", + "sha256:c210084e36a42ae6b9219e00e48287def368a26d03a048ddad7bfee44f75871e" ], "index": "pypi", - "version": "==2.23.0" + "version": 
"==2.25.1" }, "six": { "hashes": [ - "sha256:236bdbdce46e6e6a3d61a337c0f8b763ca1e8717c03b369e87a7ec7ce1319c0a", - "sha256:8f3cd2e254d8f793e7f3d6d9df77b92252b52637291d0f0da013c76ea2724b6c" + "sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926", + "sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254" ], - "version": "==1.14.0" + "version": "==1.16.0" }, "urllib3": { "hashes": [ - "sha256:2f3db8b19923a873b3e5256dc9c2dedfa883e33d87c690d9c7913e1f40673cdc", - "sha256:87716c2d2a7121198ebcb7ce7cccf6ce5e9ba539041cfbaeecfb641dc0bf6acc" + "sha256:753a0374df26658f99d826cfe40394a686d05985786d946fbe4165b5148f5a7c", + "sha256:a7acd0977125325f516bda9735fa7142b909a8d01e8b2e4c8108d0984e6e0098" ], "index": "pypi", - "version": "==1.25.8" + "version": "==1.26.5" }, "wrapt": { "hashes": [ "sha256:b62ffa81fb85f4332a4f609cab4ac40709470da05643a082ec1eb88e6d9b97d7" ], "version": "==1.12.1" - }, - "zipp": { - "hashes": [ - "sha256:aa36550ff0c0b7ef7fa639055d797116ee891440eac1a56f378e2d3179e0320b", - "sha256:c599e4d75c98f6798c509911d08a22e6c021d074469042177c8c86fb92eefd96" - ], - "version": "==3.1.0" } }, "develop": { "aiohttp": { "hashes": [ - "sha256:1e984191d1ec186881ffaed4581092ba04f7c61582a177b187d3a2f07ed9719e", - "sha256:259ab809ff0727d0e834ac5e8a283dc5e3e0ecc30c4d80b3cd17a4139ce1f326", - "sha256:2f4d1a4fdce595c947162333353d4a44952a724fba9ca3205a3df99a33d1307a", - "sha256:32e5f3b7e511aa850829fbe5aa32eb455e5534eaa4b1ce93231d00e2f76e5654", - "sha256:344c780466b73095a72c616fac5ea9c4665add7fc129f285fbdbca3cccf4612a", - "sha256:460bd4237d2dbecc3b5ed57e122992f60188afe46e7319116da5eb8a9dfedba4", - "sha256:4c6efd824d44ae697814a2a85604d8e992b875462c6655da161ff18fd4f29f17", - "sha256:50aaad128e6ac62e7bf7bd1f0c0a24bc968a0c0590a726d5a955af193544bcec", - "sha256:6206a135d072f88da3e71cc501c59d5abffa9d0bb43269a6dcd28d66bfafdbdd", - "sha256:65f31b622af739a802ca6fd1a3076fd0ae523f8485c52924a89561ba10c49b48", - 
"sha256:ae55bac364c405caa23a4f2d6cfecc6a0daada500274ffca4a9230e7129eac59", - "sha256:b778ce0c909a2653741cb4b1ac7015b5c130ab9c897611df43ae6a58523cb965" + "sha256:02f46fc0e3c5ac58b80d4d56eb0a7c7d97fcef69ace9326289fb9f1955e65cfe", + "sha256:0563c1b3826945eecd62186f3f5c7d31abb7391fedc893b7e2b26303b5a9f3fe", + "sha256:114b281e4d68302a324dd33abb04778e8557d88947875cbf4e842c2c01a030c5", + "sha256:14762875b22d0055f05d12abc7f7d61d5fd4fe4642ce1a249abdf8c700bf1fd8", + "sha256:15492a6368d985b76a2a5fdd2166cddfea5d24e69eefed4630cbaae5c81d89bd", + "sha256:17c073de315745a1510393a96e680d20af8e67e324f70b42accbd4cb3315c9fb", + "sha256:209b4a8ee987eccc91e2bd3ac36adee0e53a5970b8ac52c273f7f8fd4872c94c", + "sha256:230a8f7e24298dea47659251abc0fd8b3c4e38a664c59d4b89cca7f6c09c9e87", + "sha256:2e19413bf84934d651344783c9f5e22dee452e251cfd220ebadbed2d9931dbf0", + "sha256:393f389841e8f2dfc86f774ad22f00923fdee66d238af89b70ea314c4aefd290", + "sha256:3cf75f7cdc2397ed4442594b935a11ed5569961333d49b7539ea741be2cc79d5", + "sha256:3d78619672183be860b96ed96f533046ec97ca067fd46ac1f6a09cd9b7484287", + "sha256:40eced07f07a9e60e825554a31f923e8d3997cfc7fb31dbc1328c70826e04cde", + "sha256:493d3299ebe5f5a7c66b9819eacdcfbbaaf1a8e84911ddffcdc48888497afecf", + "sha256:4b302b45040890cea949ad092479e01ba25911a15e648429c7c5aae9650c67a8", + "sha256:515dfef7f869a0feb2afee66b957cc7bbe9ad0cdee45aec7fdc623f4ecd4fb16", + "sha256:547da6cacac20666422d4882cfcd51298d45f7ccb60a04ec27424d2f36ba3eaf", + "sha256:5df68496d19f849921f05f14f31bd6ef53ad4b00245da3195048c69934521809", + "sha256:64322071e046020e8797117b3658b9c2f80e3267daec409b350b6a7a05041213", + "sha256:7615dab56bb07bff74bc865307aeb89a8bfd9941d2ef9d817b9436da3a0ea54f", + "sha256:79ebfc238612123a713a457d92afb4096e2148be17df6c50fb9bf7a81c2f8013", + "sha256:7b18b97cf8ee5452fa5f4e3af95d01d84d86d32c5e2bfa260cf041749d66360b", + "sha256:932bb1ea39a54e9ea27fc9232163059a0b8855256f4052e776357ad9add6f1c9", + "sha256:a00bb73540af068ca7390e636c01cbc4f644961896fa9363154ff43fd37af2f5", 
+ "sha256:a5ca29ee66f8343ed336816c553e82d6cade48a3ad702b9ffa6125d187e2dedb", + "sha256:af9aa9ef5ba1fd5b8c948bb11f44891968ab30356d65fd0cc6707d989cd521df", + "sha256:bb437315738aa441251214dad17428cafda9cdc9729499f1d6001748e1d432f4", + "sha256:bdb230b4943891321e06fc7def63c7aace16095be7d9cf3b1e01be2f10fba439", + "sha256:c6e9dcb4cb338d91a73f178d866d051efe7c62a7166653a91e7d9fb18274058f", + "sha256:cffe3ab27871bc3ea47df5d8f7013945712c46a3cc5a95b6bee15887f1675c22", + "sha256:d012ad7911653a906425d8473a1465caa9f8dea7fcf07b6d870397b774ea7c0f", + "sha256:d9e13b33afd39ddeb377eff2c1c4f00544e191e1d1dee5b6c51ddee8ea6f0cf5", + "sha256:e4b2b334e68b18ac9817d828ba44d8fcb391f6acb398bcc5062b14b2cbeac970", + "sha256:e54962802d4b8b18b6207d4a927032826af39395a3bd9196a5af43fc4e60b009", + "sha256:f705e12750171c0ab4ef2a3c76b9a4024a62c4103e3a55dd6f99265b9bc6fcfc", + "sha256:f881853d2643a29e643609da57b96d5f9c9b93f62429dcc1cbb413c7d07f0e1a", + "sha256:fe60131d21b31fd1a14bd43e6bb88256f69dfc3188b3a89d736d6c71ed43ec95" ], - "version": "==3.6.2" + "version": "==3.7.4.post0" + }, + "antlr4-python3-runtime": { + "hashes": [ + "sha256:15793f5d0512a372b4e7d2284058ad32ce7dd27126b105fb0b2245130445db33" + ], + "markers": "python_version >= '3'", + "version": "==4.8" }, "async-timeout": { "hashes": [ 
@@ -181,72 +216,108 @@ ], "version": "==3.0.1" }, + "attackcti": { + "hashes": [ + "sha256:60059c597f39074db979482931c8771c31581c76e0ae6451c04214a1330a5d2f", + "sha256:a0c44c7065d2568b728e62a8325b0c5fde9d6901e4e0199bde7a9bab974bdcb9" + ], + "index": "pypi", + "version": "==0.3.4.3" + }, "attrs": { "hashes": [ - "sha256:08a96c641c3a74e44eb59afb61a24f2cb9f4d7188748e76ba4bb5edfa3cb7d1c", - "sha256:f7b7ce16570fe9965acd6d30101a28f62fb4a7f9e926b3bbc9b61f8b04247e72" + "sha256:149e90d6d8ac20db7a955ad60cf0e6881a3f20d37096140088356da6c716b0b1", + "sha256:ef6aaac3ca6cd92904cdd0d83f629a15f18053ec84e6432106f7a4d04ae4f5fb" ], - "version": "==19.3.0" + "version": "==21.2.0" + }, + "certifi": { + "hashes": [ + "sha256:2bbf76fd432960138b3ef6dda3dde0544f27cbf8546c458e60baf371917ba9ee", + "sha256:50b1e4f8446b06f41be7dd6338db18e0990601dce795c2b1686458aa7e8fa7d8" + ], + "version": "==2021.5.30" }, "chardet": { "hashes": [ - "sha256:84ab92ed1c4d4f16916e05906b6b75a6c0fb5db821cc65e70cbd64a3e2a5eaae", - "sha256:fc323ffcaeaed0e0a02bf4d117757b98aed530d9ed4531e3e15460124c106691" + "sha256:0d6f53a15db4120f2b08c94f11e7d93d2c911ee118b6b30a04ec3ee8310179fa", + "sha256:f864054d66fd9118f2e67044ac8981a54775ec5b67aed0441892edb553d21da5" ], - "version": "==3.0.4" + "version": "==4.0.0" }, "colorama": { "hashes": [ - "sha256:7d73d2a99753107a36ac6b455ee49046802e59d9d076ef8e47b61499fa29afff", - "sha256:e96da0d330793e2cb9485e9ddfd918d456036c7149416295932478192f4436a1" + "sha256:5941b2b48a20143d2267e95b1c2a7603ce057ee39fd88e7329b0c292aa16869b", + "sha256:9f47eda37229f68eee03b24b9748937c7dc3868f906e8ba69fbcbdd3bc5dc3e2" ], "index": "pypi", - "version": "==0.4.3" + "version": "==0.4.4" }, "coverage": { "hashes": [ - "sha256:03f630aba2b9b0d69871c2e8d23a69b7fe94a1e2f5f10df5049c0df99db639a0", - "sha256:046a1a742e66d065d16fb564a26c2a15867f17695e7f3d358d7b1ad8a61bca30", - "sha256:0a907199566269e1cfa304325cc3b45c72ae341fbb3253ddde19fa820ded7a8b", - 
"sha256:165a48268bfb5a77e2d9dbb80de7ea917332a79c7adb747bd005b3a07ff8caf0", - "sha256:1b60a95fc995649464e0cd48cecc8288bac5f4198f21d04b8229dc4097d76823", - "sha256:1f66cf263ec77af5b8fe14ef14c5e46e2eb4a795ac495ad7c03adc72ae43fafe", - "sha256:2e08c32cbede4a29e2a701822291ae2bc9b5220a971bba9d1e7615312efd3037", - "sha256:3844c3dab800ca8536f75ae89f3cf566848a3eb2af4d9f7b1103b4f4f7a5dad6", - "sha256:408ce64078398b2ee2ec08199ea3fcf382828d2f8a19c5a5ba2946fe5ddc6c31", - "sha256:443be7602c790960b9514567917af538cac7807a7c0c0727c4d2bbd4014920fd", - "sha256:4482f69e0701139d0f2c44f3c395d1d1d37abd81bfafbf9b6efbe2542679d892", - "sha256:4a8a259bf990044351baf69d3b23e575699dd60b18460c71e81dc565f5819ac1", - "sha256:513e6526e0082c59a984448f4104c9bf346c2da9961779ede1fc458e8e8a1f78", - "sha256:5f587dfd83cb669933186661a351ad6fc7166273bc3e3a1531ec5c783d997aac", - "sha256:62061e87071497951155cbccee487980524d7abea647a1b2a6eb6b9647df9006", - "sha256:641e329e7f2c01531c45c687efcec8aeca2a78a4ff26d49184dce3d53fc35014", - "sha256:65a7e00c00472cd0f59ae09d2fb8a8aaae7f4a0cf54b2b74f3138d9f9ceb9cb2", - "sha256:6ad6ca45e9e92c05295f638e78cd42bfaaf8ee07878c9ed73e93190b26c125f7", - "sha256:73aa6e86034dad9f00f4bbf5a666a889d17d79db73bc5af04abd6c20a014d9c8", - "sha256:7c9762f80a25d8d0e4ab3cb1af5d9dffbddb3ee5d21c43e3474c84bf5ff941f7", - "sha256:85596aa5d9aac1bf39fe39d9fa1051b0f00823982a1de5766e35d495b4a36ca9", - "sha256:86a0ea78fd851b313b2e712266f663e13b6bc78c2fb260b079e8b67d970474b1", - "sha256:8a620767b8209f3446197c0e29ba895d75a1e272a36af0786ec70fe7834e4307", - "sha256:922fb9ef2c67c3ab20e22948dcfd783397e4c043a5c5fa5ff5e9df5529074b0a", - "sha256:9fad78c13e71546a76c2f8789623eec8e499f8d2d799f4b4547162ce0a4df435", - "sha256:a37c6233b28e5bc340054cf6170e7090a4e85069513320275a4dc929144dccf0", - "sha256:c3fc325ce4cbf902d05a80daa47b645d07e796a80682c1c5800d6ac5045193e5", - "sha256:cda33311cb9fb9323958a69499a667bd728a39a7aa4718d7622597a44c4f1441", - "sha256:db1d4e38c9b15be1521722e946ee24f6db95b189d1447fa9ff18dd16ba89f732", 
- "sha256:eda55e6e9ea258f5e4add23bcf33dc53b2c319e70806e180aecbff8d90ea24de", - "sha256:f372cdbb240e09ee855735b9d85e7f50730dcfb6296b74b95a3e5dea0615c4c1" + "sha256:004d1880bed2d97151facef49f08e255a20ceb6f9432df75f4eef018fdd5a78c", + "sha256:01d84219b5cdbfc8122223b39a954820929497a1cb1422824bb86b07b74594b6", + "sha256:040af6c32813fa3eae5305d53f18875bedd079960822ef8ec067a66dd8afcd45", + "sha256:06191eb60f8d8a5bc046f3799f8a07a2d7aefb9504b0209aff0b47298333302a", + "sha256:13034c4409db851670bc9acd836243aeee299949bd5673e11844befcb0149f03", + "sha256:13c4ee887eca0f4c5a247b75398d4114c37882658300e153113dafb1d76de529", + "sha256:184a47bbe0aa6400ed2d41d8e9ed868b8205046518c52464fde713ea06e3a74a", + "sha256:18ba8bbede96a2c3dde7b868de9dcbd55670690af0988713f0603f037848418a", + "sha256:1aa846f56c3d49205c952d8318e76ccc2ae23303351d9270ab220004c580cfe2", + "sha256:217658ec7187497e3f3ebd901afdca1af062b42cfe3e0dafea4cced3983739f6", + "sha256:24d4a7de75446be83244eabbff746d66b9240ae020ced65d060815fac3423759", + "sha256:2910f4d36a6a9b4214bb7038d537f015346f413a975d57ca6b43bf23d6563b53", + "sha256:2949cad1c5208b8298d5686d5a85b66aae46d73eec2c3e08c817dd3513e5848a", + "sha256:2a3859cb82dcbda1cfd3e6f71c27081d18aa251d20a17d87d26d4cd216fb0af4", + "sha256:2cafbbb3af0733db200c9b5f798d18953b1a304d3f86a938367de1567f4b5bff", + "sha256:2e0d881ad471768bf6e6c2bf905d183543f10098e3b3640fc029509530091502", + "sha256:30c77c1dc9f253283e34c27935fded5015f7d1abe83bc7821680ac444eaf7793", + "sha256:3487286bc29a5aa4b93a072e9592f22254291ce96a9fbc5251f566b6b7343cdb", + "sha256:372da284cfd642d8e08ef606917846fa2ee350f64994bebfbd3afb0040436905", + "sha256:41179b8a845742d1eb60449bdb2992196e211341818565abded11cfa90efb821", + "sha256:44d654437b8ddd9eee7d1eaee28b7219bec228520ff809af170488fd2fed3e2b", + "sha256:4a7697d8cb0f27399b0e393c0b90f0f1e40c82023ea4d45d22bce7032a5d7b81", + "sha256:51cb9476a3987c8967ebab3f0fe144819781fca264f57f89760037a2ea191cb0", + 
"sha256:52596d3d0e8bdf3af43db3e9ba8dcdaac724ba7b5ca3f6358529d56f7a166f8b", + "sha256:53194af30d5bad77fcba80e23a1441c71abfb3e01192034f8246e0d8f99528f3", + "sha256:5fec2d43a2cc6965edc0bb9e83e1e4b557f76f843a77a2496cbe719583ce8184", + "sha256:6c90e11318f0d3c436a42409f2749ee1a115cd8b067d7f14c148f1ce5574d701", + "sha256:74d881fc777ebb11c63736622b60cb9e4aee5cace591ce274fb69e582a12a61a", + "sha256:7501140f755b725495941b43347ba8a2777407fc7f250d4f5a7d2a1050ba8e82", + "sha256:796c9c3c79747146ebd278dbe1e5c5c05dd6b10cc3bcb8389dfdf844f3ead638", + "sha256:869a64f53488f40fa5b5b9dcb9e9b2962a66a87dab37790f3fcfb5144b996ef5", + "sha256:8963a499849a1fc54b35b1c9f162f4108017b2e6db2c46c1bed93a72262ed083", + "sha256:8d0a0725ad7c1a0bcd8d1b437e191107d457e2ec1084b9f190630a4fb1af78e6", + "sha256:900fbf7759501bc7807fd6638c947d7a831fc9fdf742dc10f02956ff7220fa90", + "sha256:92b017ce34b68a7d67bd6d117e6d443a9bf63a2ecf8567bb3d8c6c7bc5014465", + "sha256:970284a88b99673ccb2e4e334cfb38a10aab7cd44f7457564d11898a74b62d0a", + "sha256:972c85d205b51e30e59525694670de6a8a89691186012535f9d7dbaa230e42c3", + "sha256:9a1ef3b66e38ef8618ce5fdc7bea3d9f45f3624e2a66295eea5e57966c85909e", + "sha256:af0e781009aaf59e25c5a678122391cb0f345ac0ec272c7961dc5455e1c40066", + "sha256:b6d534e4b2ab35c9f93f46229363e17f63c53ad01330df9f2d6bd1187e5eaacf", + "sha256:b7895207b4c843c76a25ab8c1e866261bcfe27bfaa20c192de5190121770672b", + "sha256:c0891a6a97b09c1f3e073a890514d5012eb256845c451bd48f7968ef939bf4ae", + "sha256:c2723d347ab06e7ddad1a58b2a821218239249a9e4365eaff6649d31180c1669", + "sha256:d1f8bf7b90ba55699b3a5e44930e93ff0189aa27186e96071fac7dd0d06a1873", + "sha256:d1f9ce122f83b2305592c11d64f181b87153fc2c2bbd3bb4a3dde8303cfb1a6b", + "sha256:d314ed732c25d29775e84a960c3c60808b682c08d86602ec2c3008e1202e3bb6", + "sha256:d636598c8305e1f90b439dbf4f66437de4a5e3c31fdf47ad29542478c8508bbb", + "sha256:deee1077aae10d8fa88cb02c845cfba9b62c55e1183f52f6ae6a2df6a2187160", + "sha256:ebe78fe9a0e874362175b02371bdfbee64d8edc42a044253ddf4ee7d3c15212c", 
+ "sha256:f030f8873312a16414c0d8e1a1ddff2d3235655a2174e3648b4fa66b3f2f1079", + "sha256:f0b278ce10936db1a37e6954e15a3730bea96a0997c26d7fee88e6c396c2086d", + "sha256:f11642dddbb0253cc8853254301b51390ba0081750a8ac03f20ea8103f0c56b6" ], "index": "pypi", - "version": "==5.0.4" + "version": "==5.5" }, "elasticsearch": { "hashes": [ - "sha256:d228b2d37ac0865f7631335268172dbdaa426adec1da3ed006dddf05134f89c8", - "sha256:f4bb05cfe55cf369bdcb4d86d0129d39d66a91fd9517b13cd4e4231fbfcf5c81" + "sha256:9a77172be02bc4855210d83f0f1346a1e7d421e3cb2ca47ba81ac0c5a717b3a0", + "sha256:c67b0f6541eda6de9f92eaea319c070aa2710c5d4d4ee5e3dfa3c21bd95aa378" ], "index": "pypi", - "version": "==7.6.0" + "version": "==7.12.0" }, "elasticsearch-async": { "hashes": [ 
@@ -258,68 +329,73 @@ }, "idna": { "hashes": [ - "sha256:7588d1c14ae4c77d74036e8c22ff447b26d0fde8f007354fd48a7814db15b7cb", - "sha256:a068a21ceac8a4d63dbfd964670474107f541babbd2250d61922f029858365fa" + "sha256:b307872f855b18632ce0c21c5e45be78c0ea7ae4c15c828c20788b26921eb3f6", + "sha256:b97d804b1e9b523befed77c48dacec60e6dcb0b5391d57af6a65a312a90648c0" ], - "version": "==2.9" - }, - "idna-ssl": { - "hashes": [ - "sha256:a933e3bb13da54383f9e8f35dc4f9cb9eb9b3b78c6b36f311254d6d0d92c6c7c" - ], - "markers": "python_version < '3.7'", - "version": "==1.1.0" - }, - "importlib-metadata": { - "hashes": [ - "sha256:2a688cbaa90e0cc587f1df48bdc97a6eadccdcd9c35fb3f976a09e3b5016d90f", - "sha256:34513a8a0c4962bc66d35b359558fd8a5e10cd472d37aec5f66858addef32c1e" - ], - "markers": "python_version < '3.8'", - "version": "==1.6.0" + "version": "==2.10" }, "more-itertools": { "hashes": [ - "sha256:5dd8bcf33e5f9513ffa06d5ad33d78f31e1931ac9a18f33d37e77a180d393a7c", - "sha256:b1ddb932186d8a6ac451e1d95844b382f55e12686d51ca0c68b6f61f2ab7a507" + "sha256:2cf89ec599962f2ddc4d568a05defc40e0a587fbc10d5989713638864c36be4d", + "sha256:83f0308e05477c68f56ea3a888172c78ed5d5b3c282addb67508e7ba6c8f813a" ], - "version": "==8.2.0" + "version": "==8.8.0" }, "multidict": { "hashes": [ - "sha256:317f96bc0950d249e96d8d29ab556d01dd38888fbe68324f46fd834b430169f1", - "sha256:42f56542166040b4474c0c608ed051732033cd821126493cf25b6c276df7dd35", - "sha256:4b7df040fb5fe826d689204f9b544af469593fb3ff3a069a6ad3409f742f5928", - "sha256:544fae9261232a97102e27a926019100a9db75bec7b37feedd74b3aa82f29969", - "sha256:620b37c3fea181dab09267cd5a84b0f23fa043beb8bc50d8474dd9694de1fa6e", - "sha256:6e6fef114741c4d7ca46da8449038ec8b1e880bbe68674c01ceeb1ac8a648e78", - "sha256:7774e9f6c9af3f12f296131453f7b81dabb7ebdb948483362f5afcaac8a826f1", - "sha256:85cb26c38c96f76b7ff38b86c9d560dea10cf3459bb5f4caf72fc1bb932c7136", - "sha256:a326f4240123a2ac66bb163eeba99578e9d63a8654a59f4688a79198f9aa10f8", - 
"sha256:ae402f43604e3b2bc41e8ea8b8526c7fa7139ed76b0d64fc48e28125925275b2", - "sha256:aee283c49601fa4c13adc64c09c978838a7e812f85377ae130a24d7198c0331e", - "sha256:b51249fdd2923739cd3efc95a3d6c363b67bbf779208e9f37fd5e68540d1a4d4", - "sha256:bb519becc46275c594410c6c28a8a0adc66fe24fef154a9addea54c1adb006f5", - "sha256:c2c37185fb0af79d5c117b8d2764f4321eeb12ba8c141a95d0aa8c2c1d0a11dd", - "sha256:dc561313279f9d05a3d0ffa89cd15ae477528ea37aa9795c4654588a3287a9ab", - "sha256:e439c9a10a95cb32abd708bb8be83b2134fa93790a4fb0535ca36db3dda94d20", - "sha256:fc3b4adc2ee8474cb3cd2a155305d5f8eda0a9c91320f83e55748e1fcb68f8e3" + "sha256:018132dbd8688c7a69ad89c4a3f39ea2f9f33302ebe567a879da8f4ca73f0d0a", + "sha256:051012ccee979b2b06be928a6150d237aec75dd6bf2d1eeeb190baf2b05abc93", + "sha256:05c20b68e512166fddba59a918773ba002fdd77800cad9f55b59790030bab632", + "sha256:07b42215124aedecc6083f1ce6b7e5ec5b50047afa701f3442054373a6deb656", + "sha256:0e3c84e6c67eba89c2dbcee08504ba8644ab4284863452450520dad8f1e89b79", + "sha256:0e929169f9c090dae0646a011c8b058e5e5fb391466016b39d21745b48817fd7", + "sha256:1ab820665e67373de5802acae069a6a05567ae234ddb129f31d290fc3d1aa56d", + "sha256:25b4e5f22d3a37ddf3effc0710ba692cfc792c2b9edfb9c05aefe823256e84d5", + "sha256:2e68965192c4ea61fff1b81c14ff712fc7dc15d2bd120602e4a3494ea6584224", + "sha256:2f1a132f1c88724674271d636e6b7351477c27722f2ed789f719f9e3545a3d26", + "sha256:37e5438e1c78931df5d3c0c78ae049092877e5e9c02dd1ff5abb9cf27a5914ea", + "sha256:3a041b76d13706b7fff23b9fc83117c7b8fe8d5fe9e6be45eee72b9baa75f348", + "sha256:3a4f32116f8f72ecf2a29dabfb27b23ab7cdc0ba807e8459e59a93a9be9506f6", + "sha256:46c73e09ad374a6d876c599f2328161bcd95e280f84d2060cf57991dec5cfe76", + "sha256:46dd362c2f045095c920162e9307de5ffd0a1bfbba0a6e990b344366f55a30c1", + "sha256:4b186eb7d6ae7c06eb4392411189469e6a820da81447f46c0072a41c748ab73f", + "sha256:54fd1e83a184e19c598d5e70ba508196fd0bbdd676ce159feb412a4a6664f952", + "sha256:585fd452dd7782130d112f7ddf3473ffdd521414674c33876187e101b588738a", 
+ "sha256:5cf3443199b83ed9e955f511b5b241fd3ae004e3cb81c58ec10f4fe47c7dce37", + "sha256:6a4d5ce640e37b0efcc8441caeea8f43a06addace2335bd11151bc02d2ee31f9", + "sha256:7df80d07818b385f3129180369079bd6934cf70469f99daaebfac89dca288359", + "sha256:806068d4f86cb06af37cd65821554f98240a19ce646d3cd24e1c33587f313eb8", + "sha256:830f57206cc96ed0ccf68304141fec9481a096c4d2e2831f311bde1c404401da", + "sha256:929006d3c2d923788ba153ad0de8ed2e5ed39fdbe8e7be21e2f22ed06c6783d3", + "sha256:9436dc58c123f07b230383083855593550c4d301d2532045a17ccf6eca505f6d", + "sha256:9dd6e9b1a913d096ac95d0399bd737e00f2af1e1594a787e00f7975778c8b2bf", + "sha256:ace010325c787c378afd7f7c1ac66b26313b3344628652eacd149bdd23c68841", + "sha256:b47a43177a5e65b771b80db71e7be76c0ba23cc8aa73eeeb089ed5219cdbe27d", + "sha256:b797515be8743b771aa868f83563f789bbd4b236659ba52243b735d80b29ed93", + "sha256:b7993704f1a4b204e71debe6095150d43b2ee6150fa4f44d6d966ec356a8d61f", + "sha256:d5c65bdf4484872c4af3150aeebe101ba560dcfb34488d9a8ff8dbcd21079647", + "sha256:d81eddcb12d608cc08081fa88d046c78afb1bf8107e6feab5d43503fea74a635", + "sha256:dc862056f76443a0db4509116c5cd480fe1b6a2d45512a653f9a855cc0517456", + "sha256:ecc771ab628ea281517e24fd2c52e8f31c41e66652d07599ad8818abaad38cda", + "sha256:f200755768dc19c6f4e2b672421e0ebb3dd54c38d5a4f262b872d8cfcc9e93b5", + "sha256:f21756997ad8ef815d8ef3d34edd98804ab5ea337feedcd62fb52d22bf531281", + "sha256:fc13a9524bc18b6fb6e0dbec3533ba0496bbed167c56d0aabefd965584557d80" ], - "version": "==4.7.5" + "version": "==5.1.0" }, "packaging": { "hashes": [ - "sha256:3c292b474fda1671ec57d46d739d072bfd495a4f51ad01a055121d81e952b7a3", - "sha256:82f77b9bee21c1bafbf35a84905d604d5d1223801d639cf3ed140bd651c08752" + "sha256:5b327ac1320dc863dca72f4514ecc086f31186744b84a230374cc1fd776feae5", + "sha256:67714da7f7bc052e064859c05c595155bd1ee9f69f76557e21f051443c20947a" ], - "version": "==20.3" + "version": "==20.9" }, "pathspec": { "hashes": [ - "sha256:163b0632d4e31cef212976cf57b43d9fd6b0bac6e67c26015d611a647d5e7424", 
- "sha256:562aa70af2e0d434367d9790ad37aed893de47f1693e4201fd1d3dca15d19b96" + "sha256:86379d6b86d75816baba717e64b1a3a3469deb93bb76d613c9ce79edc5cb68fd", + "sha256:aa0cb481c4041bf52ffa7b0d8fa6cd3e88a2ca4879c533c9153882ee2556790d" ], - "version": "==0.7.0" + "version": "==0.8.1" }, "pluggy": { "hashes": [ 
@@ -330,110 +406,227 @@ }, "py": { "hashes": [ - "sha256:5e27081401262157467ad6e7f851b7aa402c5852dbcb3dae06768434de5752aa", - "sha256:c20fdd83a5dbc0af9efd622bee9a5564e278f6380fffcacc43ba6f43db2813b0" + "sha256:21b81bda15b66ef5e1a777a21c4dcd9c20ad3efd0b3f817e7a809035269e1bd3", + "sha256:3b80836aa6d1feeaa108e046da6423ab8f6ceda6468545ae8d02d9d58d18818a" ], - "version": "==1.8.1" + "version": "==1.10.0" }, "pyparsing": { "hashes": [ - "sha256:4c830582a84fb022400b85429791bc551f1f4871c33f23e44f353119e92f969f", - "sha256:c342dccb5250c08d45fd6f8b4a559613ca603b57498511740e65cd11a2e7dcec" + "sha256:c203ec8783bf771a155b207279b9bccb8dea02d8f0c9e5f8ead507bc3246ecc1", + "sha256:ef9d7589ef3c200abe66653d3f1ab1033c3c419ae9b9bdb1240a85b024efc88b" ], - "version": "==2.4.6" + "version": "==2.4.7" }, "pytest": { "hashes": [ - "sha256:0e5b30f5cb04e887b91b1ee519fa3d89049595f428c1db76e73bd7f17b09b172", - "sha256:84dde37075b8805f3d1f392cc47e38a0e59518fb46a431cfdaf7cf1ce805f970" + "sha256:5c0db86b698e8f170ba4582a492248919255fcd4c79b1ee64ace34301fb589a1", + "sha256:7979331bfcba207414f5e1263b5a0f8f521d0f457318836a7355531ed1a4c7d8" + ], + "index": "pypi", + "version": "==5.4.3" + }, + "pytz": { + "hashes": [ + "sha256:83a4a90894bf38e243cf052c8b58f381bfe9a7a483f6a9cab140bc7f702ac4da", + "sha256:eb10ce3e7736052ed3623d49975ce333bcd712c7bb19a58b9e2089d4057d0798" + ], + "version": "==2021.1" + }, + "pyyaml": { + "hashes": [ + "sha256:08682f6b72c722394747bddaf0aa62277e02557c0fd1c42cb853016a38f8dedf", + "sha256:0f5f5786c0e09baddcd8b4b45f20a7b5d61a7e7e99846e3c799b05c7c53fa696", + "sha256:129def1b7c1bf22faffd67b8f3724645203b79d8f4cc81f674654d9902cb4393", + "sha256:294db365efa064d00b8d1ef65d8ea2c3426ac366c0c4368d930bf1c5fb497f77", + "sha256:3b2b1824fe7112845700f815ff6a489360226a5609b96ec2190a45e62a9fc922", + "sha256:3bd0e463264cf257d1ffd2e40223b197271046d09dadf73a0fe82b9c1fc385a5", + "sha256:4465124ef1b18d9ace298060f4eccc64b0850899ac4ac53294547536533800c8", + 
"sha256:49d4cdd9065b9b6e206d0595fee27a96b5dd22618e7520c33204a4a3239d5b10", + "sha256:4e0583d24c881e14342eaf4ec5fbc97f934b999a6828693a99157fde912540cc", + "sha256:5accb17103e43963b80e6f837831f38d314a0495500067cb25afab2e8d7a4018", + "sha256:607774cbba28732bfa802b54baa7484215f530991055bb562efbed5b2f20a45e", + "sha256:6c78645d400265a062508ae399b60b8c167bf003db364ecb26dcab2bda048253", + "sha256:72a01f726a9c7851ca9bfad6fd09ca4e090a023c00945ea05ba1638c09dc3347", + "sha256:74c1485f7707cf707a7aef42ef6322b8f97921bd89be2ab6317fd782c2d53183", + "sha256:895f61ef02e8fed38159bb70f7e100e00f471eae2bc838cd0f4ebb21e28f8541", + "sha256:8c1be557ee92a20f184922c7b6424e8ab6691788e6d86137c5d93c1a6ec1b8fb", + "sha256:bb4191dfc9306777bc594117aee052446b3fa88737cd13b7188d0e7aa8162185", + "sha256:bfb51918d4ff3d77c1c856a9699f8492c612cde32fd3bcd344af9be34999bfdc", + "sha256:c20cfa2d49991c8b4147af39859b167664f2ad4561704ee74c1de03318e898db", + "sha256:cb333c16912324fd5f769fff6bc5de372e9e7a202247b48870bc251ed40239aa", + "sha256:d2d9808ea7b4af864f35ea216be506ecec180628aced0704e34aca0b040ffe46", + "sha256:d483ad4e639292c90170eb6f7783ad19490e7a8defb3e46f97dfe4bacae89122", + "sha256:dd5de0646207f053eb0d6c74ae45ba98c3395a571a2891858e87df7c9b9bd51b", + "sha256:e1d4970ea66be07ae37a3c2e48b5ec63f7ba6804bdddfdbd3cfd954d25a82e63", + "sha256:e4fac90784481d221a8e4b1162afa7c47ed953be40d31ab4629ae917510051df", + "sha256:fa5ae20527d8e831e8230cbffd9f8fe952815b2b7dae6ffec25318803a7528fc", + "sha256:fd7f6999a8070df521b6384004ef42833b9bd62cfee11a09bda1079b4b704247", + "sha256:fdc842473cd33f45ff6bce46aea678a54e3d21f1b61a7750ce3c498eedfe25d6", + "sha256:fe69978f3f768926cfa37b867e3843918e012cf83f680806599ddce33c2c68b0" ], "index": "pypi", "version": "==5.4.1" }, - "pyyaml": { + "requests": { "hashes": [ - "sha256:1adecc22f88d38052fb787d959f003811ca858b799590a5eaa70e63dca50308c", - "sha256:436bc774ecf7c103814098159fbb84c2715d25980175292c648f2da143909f95", - 
"sha256:460a5a4248763f6f37ea225d19d5c205677d8d525f6a83357ca622ed541830c2", - "sha256:5a22a9c84653debfbf198d02fe592c176ea548cccce47553f35f466e15cf2fd4", - "sha256:7a5d3f26b89d688db27822343dfa25c599627bc92093e788956372285c6298ad", - "sha256:9372b04a02080752d9e6f990179a4ab840227c6e2ce15b95e1278456664cf2ba", - "sha256:a5dcbebee834eaddf3fa7366316b880ff4062e4bcc9787b78c7fbb4a26ff2dd1", - "sha256:aee5bab92a176e7cd034e57f46e9df9a9862a71f8f37cad167c6fc74c65f5b4e", - "sha256:c51f642898c0bacd335fc119da60baae0824f2cde95b0330b56c0553439f0673", - "sha256:c68ea4d3ba1705da1e0d85da6684ac657912679a649e8868bd850d2c299cce13", - "sha256:e23d0cc5299223dcc37885dae624f382297717e459ea24053709675a976a3e19" + "sha256:27973dd4a904a4f13b263a19c866c13b92a39ed1c964655f025f3f8d3d75b804", + "sha256:c210084e36a42ae6b9219e00e48287def368a26d03a048ddad7bfee44f75871e" ], "index": "pypi", - "version": "==5.1" + "version": "==2.25.1" + }, + "simplejson": { + "hashes": [ + "sha256:034550078a11664d77bc1a8364c90bb7eef0e44c2dbb1fd0a4d92e3997088667", + "sha256:05b43d568300c1cd43f95ff4bfcff984bc658aa001be91efb3bb21df9d6288d3", + "sha256:0dd9d9c738cb008bfc0862c9b8fa6743495c03a0ed543884bf92fb7d30f8d043", + "sha256:10fc250c3edea4abc15d930d77274ddb8df4803453dde7ad50c2f5565a18a4bb", + "sha256:2862beabfb9097a745a961426fe7daf66e1714151da8bb9a0c430dde3d59c7c0", + "sha256:292c2e3f53be314cc59853bd20a35bf1f965f3bc121e007ab6fd526ed412a85d", + "sha256:2d3eab2c3fe52007d703a26f71cf649a8c771fcdd949a3ae73041ba6797cfcf8", + "sha256:2e7b57c2c146f8e4dadf84977a83f7ee50da17c8861fd7faf694d55e3274784f", + "sha256:311f5dc2af07361725033b13cc3d0351de3da8bede3397d45650784c3f21fbcf", + "sha256:344e2d920a7f27b4023c087ab539877a1e39ce8e3e90b867e0bfa97829824748", + "sha256:3fabde09af43e0cbdee407555383063f8b45bfb52c361bc5da83fcffdb4fd278", + "sha256:42b8b8dd0799f78e067e2aaae97e60d58a8f63582939af60abce4c48631a0aa4", + "sha256:4b3442249d5e3893b90cb9f72c7d6ce4d2ea144d2c0d9f75b9ae1e5460f3121a", + 
"sha256:55d65f9cc1b733d85ef95ab11f559cce55c7649a2160da2ac7a078534da676c8", + "sha256:5c659a0efc80aaaba57fcd878855c8534ecb655a28ac8508885c50648e6e659d", + "sha256:72d8a3ffca19a901002d6b068cf746be85747571c6a7ba12cbcf427bfb4ed971", + "sha256:75ecc79f26d99222a084fbdd1ce5aad3ac3a8bd535cd9059528452da38b68841", + "sha256:76ac9605bf2f6d9b56abf6f9da9047a8782574ad3531c82eae774947ae99cc3f", + "sha256:7d276f69bfc8c7ba6c717ba8deaf28f9d3c8450ff0aa8713f5a3280e232be16b", + "sha256:7f10f8ba9c1b1430addc7dd385fc322e221559d3ae49b812aebf57470ce8de45", + "sha256:8042040af86a494a23c189b5aa0ea9433769cc029707833f261a79c98e3375f9", + "sha256:813846738277729d7db71b82176204abc7fdae2f566e2d9fcf874f9b6472e3e6", + "sha256:845a14f6deb124a3bcb98a62def067a67462a000e0508f256f9c18eff5847efc", + "sha256:869a183c8e44bc03be1b2bbcc9ec4338e37fa8557fc506bf6115887c1d3bb956", + "sha256:8acf76443cfb5c949b6e781c154278c059b09ac717d2757a830c869ba000cf8d", + "sha256:8f713ea65958ef40049b6c45c40c206ab363db9591ff5a49d89b448933fa5746", + "sha256:934115642c8ba9659b402c8bdbdedb48651fb94b576e3b3efd1ccb079609b04a", + "sha256:9551f23e09300a9a528f7af20e35c9f79686d46d646152a0c8fc41d2d074d9b0", + "sha256:9a2b7543559f8a1c9ed72724b549d8cc3515da7daf3e79813a15bdc4a769de25", + "sha256:a55c76254d7cf8d4494bc508e7abb993a82a192d0db4552421e5139235604625", + "sha256:ad8f41c2357b73bc9e8606d2fa226233bf4d55d85a8982ecdfd55823a6959995", + "sha256:af4868da7dd53296cd7630687161d53a7ebe2e63814234631445697bd7c29f46", + "sha256:afebfc3dd3520d37056f641969ce320b071bc7a0800639c71877b90d053e087f", + "sha256:b59aa298137ca74a744c1e6e22cfc0bf9dca3a2f41f51bc92eb05695155d905a", + "sha256:bc00d1210567a4cdd215ac6e17dc00cb9893ee521cee701adfd0fa43f7c73139", + "sha256:c1cb29b1fced01f97e6d5631c3edc2dadb424d1f4421dad079cb13fc97acb42f", + "sha256:c94dc64b1a389a416fc4218cd4799aa3756f25940cae33530a4f7f2f54f166da", + "sha256:ceaa28a5bce8a46a130cd223e895080e258a88d51bf6e8de2fc54a6ef7e38c34", + "sha256:cff6453e25204d3369c47b97dd34783ca820611bd334779d22192da23784194b", 
+ "sha256:d0b64409df09edb4c365d95004775c988259efe9be39697d7315c42b7a5e7e94", + "sha256:d4813b30cb62d3b63ccc60dd12f2121780c7a3068db692daeb90f989877aaf04", + "sha256:da3c55cdc66cfc3fffb607db49a42448785ea2732f055ac1549b69dcb392663b", + "sha256:e058c7656c44fb494a11443191e381355388443d543f6fc1a245d5d238544396", + "sha256:fed0f22bf1313ff79c7fc318f7199d6c2f96d4de3234b2f12a1eab350e597c06", + "sha256:ffd4e4877a78c84d693e491b223385e0271278f5f4e1476a4962dca6824ecfeb" + ], + "version": "==3.17.2" }, "six": { "hashes": [ - "sha256:236bdbdce46e6e6a3d61a337c0f8b763ca1e8717c03b369e87a7ec7ce1319c0a", - "sha256:8f3cd2e254d8f793e7f3d6d9df77b92252b52637291d0f0da013c76ea2724b6c" + "sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926", + "sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254" ], - "version": "==1.14.0" + "version": "==1.16.0" + }, + "stix2": { + "hashes": [ + "sha256:15c9cf599f5c43124e76fe71b883e4918f6f4cf65b084c58ec64b6180f45c938", + "sha256:3ab60082e4bffb39f75ea9ddc338b64126ff1cd086e6173d39b860191ac26ff4" + ], + "index": "pypi", + "version": "==2.1.0" + }, + "stix2-patterns": { + "hashes": [ + "sha256:174fe5302d2c3223205033af987754132a9ea45a9f8e08aefafbe0549c889ea4", + "sha256:bc46cc4eba44b76a17eab7a3ff67f35203543cdb918ab24c1ebd58403fa27992" + ], + "version": "==1.3.2" + }, + "taxii2-client": { + "hashes": [ + "sha256:b4212b8a8bab170cd5dc386ca3ea36bc44b53932f1da30db150abeef00bce7b9", + "sha256:fb3bf895e2eaff3cd08bb7aad75c9d30682ffc00b9f3add77de3a67dc6b895a3" + ], + "version": "==2.3.0" }, "typing-extensions": { "hashes": [ - "sha256:091ecc894d5e908ac75209f10d5b4f118fbdb2eb1ede6a63544054bb1edb41f2", - "sha256:910f4656f54de5993ad9304959ce9bb903f90aadc7c67a0bef07e678014e892d", - "sha256:cf8b63fedea4d89bab840ecbb93e75578af28f76f66c35889bd7065f5af88575" + "sha256:0ac0f89795dd19de6b97debb0c6af1c70987fd80a2d62d1958f7e56fcc31b497", + "sha256:50b6f157849174217d0656f99dc82fe932884fb250826c18350e159ec6cdf342", + 
"sha256:779383f6086d90c99ae41cf0ff39aac8a7937a9283ce0a414e5dd782f4c94a84" ], - "markers": "python_version < '3.7'", - "version": "==3.7.4.1" + "version": "==3.10.0.0" }, "urllib3": { "hashes": [ - "sha256:2f3db8b19923a873b3e5256dc9c2dedfa883e33d87c690d9c7913e1f40673cdc", - "sha256:87716c2d2a7121198ebcb7ce7cccf6ce5e9ba539041cfbaeecfb641dc0bf6acc" + "sha256:753a0374df26658f99d826cfe40394a686d05985786d946fbe4165b5148f5a7c", + "sha256:a7acd0977125325f516bda9735fa7142b909a8d01e8b2e4c8108d0984e6e0098" ], "index": "pypi", - "version": "==1.25.8" + "version": "==1.26.5" }, "wcwidth": { "hashes": [ - "sha256:cafe2186b3c009a04067022ce1dcd79cb38d8d65ee4f4791b8888d6599d1bbe1", - "sha256:ee73862862a156bf77ff92b09034fc4825dd3af9cf81bc5b360668d425f3c5f1" + "sha256:beb4802a9cebb9144e99086eff703a642a13d6a0052920003a230f3294bbe784", + "sha256:c4d647b99872929fdb7bdcaa4fbe7f01413ed3d98077df798530e5b04f116c83" ], - "version": "==0.1.9" + "version": "==0.2.5" }, "yamllint": { "hashes": [ - "sha256:09d554bafc57beb22b01619c94e1ba0e8fbb016fa9c1b35ddc68d7bfc16d177f", - "sha256:7e1e698b3d344b64bc46cbe8c4df7dfdfe7c00ed1a8d1c851ecd5b552d93d193" + "sha256:8a5f8e442f49309eaf3e9d7232ce76f2fc8026f5c0c0b164b83f33fed1399637", + "sha256:b0e4c89985c7f5f8451c2eb8c67d804d10ac13a4abe031cbf49bdf3465d01087" ], "index": "pypi", - "version": "==1.21.0" + "version": "==1.26.0" }, "yarl": { "hashes": [ - "sha256:0c2ab325d33f1b824734b3ef51d4d54a54e0e7a23d13b86974507602334c2cce", - "sha256:0ca2f395591bbd85ddd50a82eb1fde9c1066fafe888c5c7cc1d810cf03fd3cc6", - "sha256:2098a4b4b9d75ee352807a95cdf5f10180db903bc5b7270715c6bbe2551f64ce", - "sha256:25e66e5e2007c7a39541ca13b559cd8ebc2ad8fe00ea94a2aad28a9b1e44e5ae", - "sha256:26d7c90cb04dee1665282a5d1a998defc1a9e012fdca0f33396f81508f49696d", - "sha256:308b98b0c8cd1dfef1a0311dc5e38ae8f9b58349226aa0533f15a16717ad702f", - "sha256:3ce3d4f7c6b69c4e4f0704b32eca8123b9c58ae91af740481aa57d7857b5e41b", - "sha256:58cd9c469eced558cd81aa3f484b2924e8897049e06889e8ff2510435b7ef74b", - 
"sha256:5b10eb0e7f044cf0b035112446b26a3a2946bca9d7d7edb5e54a2ad2f6652abb", - "sha256:6faa19d3824c21bcbfdfce5171e193c8b4ddafdf0ac3f129ccf0cdfcb083e462", - "sha256:944494be42fa630134bf907714d40207e646fd5a94423c90d5b514f7b0713fea", - "sha256:a161de7e50224e8e3de6e184707476b5a989037dcb24292b391a3d66ff158e70", - "sha256:a4844ebb2be14768f7994f2017f70aca39d658a96c786211be5ddbe1c68794c1", - "sha256:c2b509ac3d4b988ae8769901c66345425e361d518aecbe4acbfc2567e416626a", - "sha256:c9959d49a77b0e07559e579f38b2f3711c2b8716b8410b320bf9713013215a1b", - "sha256:d8cdee92bc930d8b09d8bd2043cedd544d9c8bd7436a77678dd602467a993080", - "sha256:e15199cdb423316e15f108f51249e44eb156ae5dba232cb73be555324a1d49c2" + "sha256:00d7ad91b6583602eb9c1d085a2cf281ada267e9a197e8b7cae487dadbfa293e", + "sha256:0355a701b3998dcd832d0dc47cc5dedf3874f966ac7f870e0f3a6788d802d434", + "sha256:15263c3b0b47968c1d90daa89f21fcc889bb4b1aac5555580d74565de6836366", + "sha256:2ce4c621d21326a4a5500c25031e102af589edb50c09b321049e388b3934eec3", + "sha256:31ede6e8c4329fb81c86706ba8f6bf661a924b53ba191b27aa5fcee5714d18ec", + "sha256:324ba3d3c6fee56e2e0b0d09bf5c73824b9f08234339d2b788af65e60040c959", + "sha256:329412812ecfc94a57cd37c9d547579510a9e83c516bc069470db5f75684629e", + "sha256:4736eaee5626db8d9cda9eb5282028cc834e2aeb194e0d8b50217d707e98bb5c", + "sha256:4953fb0b4fdb7e08b2f3b3be80a00d28c5c8a2056bb066169de00e6501b986b6", + "sha256:4c5bcfc3ed226bf6419f7a33982fb4b8ec2e45785a0561eb99274ebbf09fdd6a", + "sha256:547f7665ad50fa8563150ed079f8e805e63dd85def6674c97efd78eed6c224a6", + "sha256:5b883e458058f8d6099e4420f0cc2567989032b5f34b271c0827de9f1079a424", + "sha256:63f90b20ca654b3ecc7a8d62c03ffa46999595f0167d6450fa8383bab252987e", + "sha256:68dc568889b1c13f1e4745c96b931cc94fdd0defe92a72c2b8ce01091b22e35f", + "sha256:69ee97c71fee1f63d04c945f56d5d726483c4762845400a6795a3b75d56b6c50", + "sha256:6d6283d8e0631b617edf0fd726353cb76630b83a089a40933043894e7f6721e2", + "sha256:72a660bdd24497e3e84f5519e57a9ee9220b6f3ac4d45056961bf22838ce20cc", 
+ "sha256:73494d5b71099ae8cb8754f1df131c11d433b387efab7b51849e7e1e851f07a4", + "sha256:7356644cbed76119d0b6bd32ffba704d30d747e0c217109d7979a7bc36c4d970", + "sha256:8a9066529240171b68893d60dca86a763eae2139dd42f42106b03cf4b426bf10", + "sha256:8aa3decd5e0e852dc68335abf5478a518b41bf2ab2f330fe44916399efedfae0", + "sha256:97b5bdc450d63c3ba30a127d018b866ea94e65655efaf889ebeabc20f7d12406", + "sha256:9ede61b0854e267fd565e7527e2f2eb3ef8858b301319be0604177690e1a3896", + "sha256:b2e9a456c121e26d13c29251f8267541bd75e6a1ccf9e859179701c36a078643", + "sha256:b5dfc9a40c198334f4f3f55880ecf910adebdcb2a0b9a9c23c9345faa9185721", + "sha256:bafb450deef6861815ed579c7a6113a879a6ef58aed4c3a4be54400ae8871478", + "sha256:c49ff66d479d38ab863c50f7bb27dee97c6627c5fe60697de15529da9c3de724", + "sha256:ce3beb46a72d9f2190f9e1027886bfc513702d748047b548b05dab7dfb584d2e", + "sha256:d26608cf178efb8faa5ff0f2d2e77c208f471c5a3709e577a7b3fd0445703ac8", + "sha256:d597767fcd2c3dc49d6eea360c458b65643d1e4dbed91361cf5e36e53c1f8c96", + "sha256:d5c32c82990e4ac4d8150fd7652b972216b204de4e83a122546dce571c1bdf25", + "sha256:d8d07d102f17b68966e2de0e07bfd6e139c7c02ef06d3a0f8d2f0f055e13bb76", + "sha256:e46fba844f4895b36f4c398c5af062a9808d1f26b2999c58909517384d5deda2", + "sha256:e6b5460dc5ad42ad2b36cca524491dfcaffbfd9c8df50508bddc354e787b8dc2", + "sha256:f040bcc6725c821a4c0665f3aa96a4d0805a7aaf2caf266d256b8ed71b9f041c", + "sha256:f0b059678fd549c66b89bed03efcabb009075bd131c248ecdf087bdb6faba24a", + "sha256:fcbb48a93e8699eae920f8d92f7160c03567b421bc17362a9ffbbd706a816f71" ], - "version": "==1.4.2" - }, - "zipp": { - "hashes": [ - "sha256:aa36550ff0c0b7ef7fa639055d797116ee891440eac1a56f378e2d3179e0320b", - "sha256:c599e4d75c98f6798c509911d08a22e6c021d074469042177c8c86fb92eefd96" - ], - "version": "==3.1.0" + "version": "==1.6.3" } } } diff --git a/README.md b/README.md index 3677591e9..bcf458e06 100644 --- a/README.md +++ b/README.md 
@@ -32,7 +32,7 @@ The SANS webcast on Sigma contains a very good 20 min introduction to the projec # Use Cases -* Describe your detection method in Sigma to make it sharable +* Describe your detection method in Sigma to make it shareable * Write your SIEM searches in Sigma to avoid a vendor lock-in * Share the signature in the appendix of your analysis along with IOCs and YARA rules * Share the signature in threat intel communities - e.g. via MISP 
@@ -40,9 +40,9 @@ The SANS webcast on Sigma contains a very good 20 min introduction to the projec # Why Sigma -Today, everyone collects log data for analysis. People start working on their own, processing numerous white papers, blog posts and log analysis guidelines, extracting the necessary information and build their own searches and dashboard. Some of their searches and correlations are great and very useful but they lack a standardized format in which they can share their work with others. +Today, everyone collects log data for analysis. People start working on their own, processing numerous white papers, blog posts and log analysis guidelines, extracting the necessary information and build their own searches and dashboard. Some of their searches and correlations are great and very useful but they lack a standardized format in which they can share their work with others. -Others provide excellent analyses, include IOCs and YARA rules to detect the malicious files and network connections, but have no way to describe a specific or generic detection method in log events. Sigma is meant to be an open standard in which such detection mechanisms can be defined, shared and collected in order to improve the detection capabilities for everyone. +Others provide excellent analyses, include IOCs and YARA rules to detect the malicious files and network connections, but have no way to describe a specific or generic detection method in log events. Sigma is meant to be an open standard in which such detection mechanisms can be defined, shared and collected in order to improve the detection capabilities for everyone. ## Slides 
@@ -52,7 +52,7 @@ See the first slide deck that I prepared for a private conference in mid January # Specification -The specifications can be found in the [Wiki](https://github.com/Neo23x0/sigma/wiki/Specification). +The specifications can be found in the [Wiki](https://github.com/Neo23x0/sigma/wiki/Specification). The current specification is a proposal. Feedback is requested. @@ -62,9 +62,9 @@ The current specification is a proposal. Feedback is requested. Florian wrote a short [rule creation tutorial](https://www.nextron-systems.com/2018/02/10/write-sigma-rules/) that can help you getting started. -## Rule Usage +## Rule Usage -1. Download or clone the respository +1. Download or clone the repository 2. Check the `./rules` sub directory for an overview on the rule base 3. Run `python sigmac --help` in folder `./tools` to get a help on the rule converter 4. Convert a rule of your choice with `sigmac` like `./sigmac -t splunk -c tools/config/generic/sysmon.yml ./rules/windows/process_creation/win_susp_whoami.yml` @@ -106,7 +106,7 @@ merges multiple YAML documents of a Sigma rule collection into simple Sigma rule ```bash usage: sigmac [-h] [--recurse] [--filter FILTER] - [--target {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,limacharlie,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,mdatp,ee-outliers}] + [--target {sqlite,netwitness-epl,logpoint,graylog,netwitness,arcsight,carbonblack,es-rule,ala,elastalert-dsl,splunkxml,fieldlist,sysmon,arcsight-esm,kibana,csharp,qualys,powershell,es-qs,mdatp,humio,grep,qradar,logiq,sql,sumologic,ala-rule,limacharlie,elastalert,splunk,stix,xpack-watcher,crowdstrike,es-dsl,ee-outliers}] [--target-list] [--config CONFIG] [--output OUTPUT] [--backend-option BACKEND_OPTION] [--defer-abort] [--ignore-backend-errors] [--verbose] [--debug] 
@@ -131,13 +131,13 @@ optional arguments: tag that must appear in the rules tag list, case- insensitive matching. Multiple log source specifications are AND linked. - --target {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,limacharlie,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,mdatp}, -t {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,limacharlie,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,mdatp} + --target {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,limacharlie,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,mdatp,devo}, -t {arcsight,es-qs,es-dsl,kibana,xpack-watcher,elastalert,graylog,limacharlie,logpoint,grep,netwitness,powershell,qradar,qualys,splunk,splunkxml,sumologic,fieldlist,mdatp,devo} Output target format --target-list, -l List available output target formats --config CONFIG, -c CONFIG Configurations with field name and index mapping for target environment. Multiple configurations are merged - into one. Last config is authorative in case of + into one. Last config is authoritative in case of conflicts. --output OUTPUT, -o OUTPUT Output file or filename prefix if multiple files are 
@@ -172,13 +172,13 @@ Translate a whole rule directory and ignore backend errors (`-I`) in rule conver ``` tools/sigmac -I -t splunk -c splunk-windows -f 'level>=high' -r rules/windows/sysmon/ ``` -#### Rule Set Translation with Custom Config +#### Rule Set Translation with Custom Config Apply your own config file (`-c ~/my-elk-winlogbeat.yml`) during conversion, which can contain you custom field and source mappings ``` tools/sigmac -t es-qs -c ~/my-elk-winlogbeat.yml -r rules/windows/sysmon ``` #### Generic Rule Set Translation -Use a config file for `process_creation` rules (`-r rules/windows/process_creation`) that instructs sigmac to create queries for a Sysmon log source (`-c tools/config/generic/sysmon.yml`) and the ElasticSearch target backend (`-t es-qs`) +Use a config file for `process_creation` rules (`-r rules/windows/process_creation`) that instructs sigmac to create queries for a Sysmon log source (`-c tools/config/generic/sysmon.yml`) and the ElasticSearch target backend (`-t es-qs`) ``` tools/sigmac -t es-qs -c tools/config/generic/sysmon.yml -r rules/windows/process_creation ``` @@ -209,7 +209,9 @@ tools/sigmac -t splunk -c ~/my-splunk-mapping.yml -c tools/config/generic/window * [LimaCharlie](https://limacharlie.io) * [ee-outliers](https://github.com/NVISO-BE/ee-outliers) * [Structured Threat Information Expression (STIX)](https://oasis-open.github.io/cti-documentation/stix/intro.html) +* [LOGIQ](https://www.logiq.ai) * [uberAgent ESA](https://uberagent.com/) +* [Devo](https://devo.com) Current work-in-progress * [Splunk Data Models](https://docs.splunk.com/Documentation/Splunk/7.1.0/Knowledge/Aboutdatamodels) 
@@ -228,16 +230,18 @@ It's available on PyPI. Install with: pip3 install sigmatools ``` -Alternatively, if used from the Sigma Github repository, the Python dependencies can be installed with: +Alternatively, if used from the Sigma Github repository, the Python dependencies can be installed with [Pipenv](https://pypi.org/project/pipenv/). +Run the following command to get a shell with the installed requirements: ```bash -pip3 install -r tools/requirements.txt +pipenv shell ``` For development (e.g. execution of integration tests with `make` and packaging), further dependencies are required and can be installed with: ```bash -pip3 install -r tools/requirements-devel.txt +pipenv install --dev +pipenv shell ``` ## Sigma2MISP @@ -251,7 +255,7 @@ Example: *misp.conf*: ``` url https://host -key foobarfoobarfoobarfoobarfoobarfoobarfoo +key foobarfoobarfoobarfoobarfoobarfoobarfoo ``` Load Sigma rule into MISP event 1234: @@ -266,7 +270,7 @@ sigma2misp @misp.conf --same-event --info "Test Event" -r sigma_rules/ ## Evt2Sigma -[Evt2Sigma](https://github.com/Neo23x0/evt2sigma) helps you with the rule creation. It generates a Sigma rule from a log entry. +[Evt2Sigma](https://github.com/Neo23x0/evt2sigma) helps you with the rule creation. It generates a Sigma rule from a log entry. ## Sigma2attack 
@@ -291,7 +295,7 @@ Result once imported in the MITRE ATT&CK® Navigator ([online version](https://m ## S2AN -Similar to **Sigma2attack**, [S2AN](https://github.com/3CORESec/S2AN) is a pre-compiled binary for both Windows and GNU/Linux that generates [MITRE ATT&CK® Navigator](https://github.com/mitre/attack-navigator/) layers from a directory of Sigma rules. +Similar to **Sigma2attack**, [S2AN](https://github.com/3CORESec/S2AN) is a pre-compiled binary for both Windows and GNU/Linux that generates [MITRE ATT&CK® Navigator](https://github.com/mitre/attack-navigator/) layers from a directory of Sigma rules. S2AN was developed to be used as a standalone tool or as part of a CI/CD pipeline where it can be quickly downloaded and executed without external dependencies. 
@@ -317,11 +321,15 @@ These tools are not part of the main toolchain and maintained separately by thei * [uncoder.io](https://uncoder.io/) - Online Translator for SIEM Searches * [THOR](https://www.nextron-systems.com/2018/06/28/spark-applies-sigma-rules-in-eventlog-scan/) - Scan with Sigma rules on endpoints * [Joe Sandbox](https://www.joesecurity.org/) -* [ypsilon](https://github.com/P4T12ICK/ypsilon) - Automated Use Case Testing +* [ypsilon](https://github.com/P4T12ICK/ypsilon) - Automated Use Case Testing * [RANK VASA](https://globenewswire.com/news-release/2019/03/04/1745907/0/en/RANK-Software-to-Help-MSSPs-Scale-Cybersecurity-Offerings.html) * [TA-Sigma-Searches](https://github.com/dstaulcu/TA-Sigma-Searches) (Splunk App) * [TimeSketch](https://github.com/google/timesketch/commit/0c6c4b65a6c0f2051d074e87bbb2da2424fa6c35) -* [SIΣGMA](https://github.com/3CORESec/SIEGMA) - SIEM consumable generator that utilizes Sigma for query conversion +* [SIΣGMA](https://github.com/3CORESec/SIEGMA) - SIEM consumable generator that utilizes Sigma for query conversion + +Sigma is available in some Linux distribution repositories: + +[![Packaging status](https://repology.org/badge/vertical-allrepos/sigma.svg)](https://repology.org/project/sigma/versions) # Contribution @@ -329,10 +337,10 @@ If you want to contribute, you are more then welcome. There are numerous ways to ## Use it and provide feedback -If you use it, let us know what works and what does not work. +If you use it, let us know what works and what does not work. E.g. -- Tell us about false positives (issues section) +- Tell us about false positives (issues section) - Try to provide an improved rule (new filter) via [pull request](https://help.github.com/en/articles/editing-files-in-another-users-repository) on that rule ## Work on open issues 
@@ -341,7 +349,7 @@ The github issue tracker is a good place to start tackling some issues others ra ## Provide Backends / Backend Features / Bugfixes
-Various requests for sigmac (sigma converter) backends exist. Some backends are very limited and need features. We are working on a documentation on how to write new backends but our time for this project is currently mostly spent for issue resolutions.
+Various requests for sigmac (sigma converter) backends exist. Some backends are very limited and need features. We are working on a documentation on how to write new backends but our time for this project is currently mostly spent for issue resolutions.
 ## Spread the word
diff --git a/contrib/sigma2sumologic.py b/contrib/sigma2sumologic.py
index 2180b5eb2..76453a230 100644
--- a/contrib/sigma2sumologic.py
+++ b/contrib/sigma2sumologic.py
@@ -218,7 +218,7 @@ for file in glob.iglob(globpath, recursive=True): except Exception as e: if args.debug: traceback.print_exc()
- logger.exception("error seaching sumo " + str(file) + "----" + str(e))
+ logger.exception("error searching sumo " + str(file) + "----" + str(e))
 with open(os.path.join(args.outdir, "sigma-" + file_basename + '-error.txt'), "w") as f: # f.write(json.dumps(r, indent=4, sort_keys=True) + " ERROR: %s\n\nQUERY: %s" % (e, sumo_query)) f.write(" ERROR: %s\n\nQUERY: %s" % (e, sumo_query))
diff --git a/rules-unsupported/sysmon_always_install_elevated_parent_child_correlated.yml b/rules-unsupported/sysmon_always_install_elevated_parent_child_correlated.yml
new file mode 100644
index 000000000..bcd2772a3
--- /dev/null
+++ b/rules-unsupported/sysmon_always_install_elevated_parent_child_correlated.yml
@@ -0,0 +1,42 @@
+title: Always Install Elevated Parent Child Correlated
+id: 078235c5-6ec5-48e7-94b2-f8b5474379ea
+description: This rule will looks any process with low privilege launching Windows Installer service (msiexec.exe) that tries to install MSI packages with SYSTEM privilege
+#look for MSI start by low privilege user, write the process guid to the suspicious_guid variable
+#look for child process from the suspicious_guid, alert if it's Windows Installer trying to install package with SYSTEM privilege
+status: experimental
+author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
+date: 2020/10/13
+references:
+ - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg
+tags:
+ - attack.privilege_escalation
+ - attack.t1548.002
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ system_integrity:
+ IntegrityLevel: 'System'
+ system_user:
+ User: 'NT AUTHORITY\SYSTEM'
+ image_1:
+ Image|contains|all:
+ - '\Windows\Installer\'
+ - 'msi'
+ Image|endswith:
+ - 'tmp'
+ image_2:
+ Image|endswith: '\msiexec.exe'
+ child_of_suspicious_guid:
+ ParentProcessGuid: '%suspicious_guid%'
+ condition: write ProcessGuid from (event_id and image_2 and not system_user) to %suspicious_guid%; then if (child_of_suspicious_guid and event_id and image_1 and system_user) or (suspicious_guid and event_id and image_2 and system_user and integrity_level) -> alert
+fields:
+ - EventID
+ - IntegrityLevel
+ - User
+ - Image
+ ParentProcessGuid
+falsepositives:
+ - System administrator usage
+ - Penetration test
+level: high
\ No newline at end of file
diff --git a/rules-unsupported/win_access_fake_files_with_stored_credentials.yml b/rules-unsupported/win_access_fake_files_with_stored_credentials.yml
new file mode 100644
index 000000000..c8f95ed78
--- /dev/null
+++ b/rules-unsupported/win_access_fake_files_with_stored_credentials.yml
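Review bot: The `condition` names `event_id`, `integrity_level` and `suspicious_guid` as selections, but `detection` only defines `system_integrity`, `system_user`, `image_1`, `image_2` and `child_of_suspicious_guid`, so the pseudo-condition cannot be resolved even by a backend that supported the write/then-if correlation; `integrity_level` presumably means `system_integrity`, and `event_id` has no counterpart at all. In `fields`, `ParentProcessGuid` is missing its `- ` list marker, so YAML either folds it into the preceding `Image` item or rejects the file — it should read `- ParentProcessGuid`. Because the file lives under rules-unsupported it will not go through sigmac, so a manual parse check is the only safeguard before someone uses it as a template.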
@@ -0,0 +1,29 @@
+title: Stored Credentials in Fake Files
+id: 692b979c-f747-41dc-ad72-1f11c01b110e
+description: Search for accessing of fake files with stored credentials
+status: experimental
+author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community
+date: 2020/10/05
+references:
+ - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-13-638.jpg
+tags:
+ - attack.credential_access
+ - attack.t1555
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: 4663
+ AccessList|contains: '%%4416'
+ ObjectName|endswith:
+ - '\%POLICY_ID%\Machine\Preferences\Groups\Groups.xml'
+ - '\%FOLDER_NAME%\Unattend.xml'
+ condition: selection
+fields:
+ - EventID
+ - AccessList
+ - ObjectName
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
diff --git a/rules-unsupported/win_remote_schtask.yml b/rules-unsupported/win_remote_schtask.yml
new file mode 100644
index 000000000..5730b930e
--- /dev/null
+++ b/rules-unsupported/win_remote_schtask.yml
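Review bot: The `ObjectName` values embed `%POLICY_ID%` and `%FOLDER_NAME%`, which are defined nowhere in the rule, so nothing will match until the deploying environment substitutes the paths of its own decoy files, and the rule gives no hint that this is expected. Event 4663 is also only produced when object access auditing is enabled and a read SACL is set on the decoy objects — a prerequisite the sibling win_remote_schtask.yml in this commit spells out in `logsource.definition` but this rule omits. Suggest adding `definition: 'Requires object access (file system) auditing and a SACL on the decoy files; replace %POLICY_ID% and %FOLDER_NAME% with the local decoy paths before use.'` under `logsource`.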
@@ -0,0 +1,44 @@
+title: Remote Schtasks Creation
+id: cf349c4b-99af-40fa-a051-823aa2307a84
+status: experimental
+description: Detects remote execution via scheduled task creation or update on the destination host
+author: Jai Minton, oscd.community
+date: 2020/10/05
+references:
+ - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
+tags:
+ - attack.lateral_movement
+ - attack.persistence
+ - attack.execution
+ - attack.t1053.005
+logsource:
+ product: windows
+ service: security
+ definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection (not in the baseline recommendations by Microsoft).'
+detection:
+ selection1:
+ EventID: 4624
+ Logon_Type: 3
+ selection2:
+ EventID:
+ - 4698
+ - 4702
+ filter1:
+ Source_Network_Address:
+ - '::1'
+ - '127.0.0.1'
+ filter2:
+ Source_Network_Address: '-'
+ timeframe: 30d
+ condition: (selection1 and not filter1) or selection2 and not filter2
+ # where:
+ # selection1: TargetLogonID = selection2: SubjectLogonID, grouped by host over 30seconds | eventcount > 1
+ # Rule should trigger where the SubjectLogonID from event 4698 or 4702 is the same as the TargetLogonID from event 4624 with a Logon_Type of 3, in a 30second period, provided its from the same host.
+ # This logic would be similar to the Splunk 'Transaction' operator which groups related events over a timeframe.
+ # This takes both field values (e.g. Logon_ID), and an expression provided (e.g. startswith=(EventCode=4624) maxspan=30s) which occurs over the raw event log to find events, at which point a Union based on the criteria provided occurs to merge these events into a single transaction.
+ # This is similar to stats as an aggregation function, but allows you to see the raw text of events rather than to calculate stats on then, and it retains the raw event to allow an eval expression to occur for grouping. This is beneficial as fields such as LogonIDs are reused over time.
+ # By having this you can group logon events to their remote schtask creation event (as it is searching for a logon followed by a schtask creation) even by using a search timeframe over a long period of time e.g. 30days without running the risk of incorrectly grouping a logonID at one time, to a task creation at another.
+ # Rule logic is currently not supported by SIGMA.
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules-unsupported/win_remote_service.yml b/rules-unsupported/win_remote_service.yml
new file mode 100644
index 000000000..75654260c
--- /dev/null
+++ b/rules-unsupported/win_remote_service.yml
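Review bot: `timeframe: 30d` contradicts the correlation comments a few lines below it, which describe joining the 4624 logon to the 4698/4702 task event by LogonID within a 30-second window, and a 30-day window would reintroduce exactly the LogonID-reuse problem those comments warn about; the sibling win_remote_service.yml in this commit uses `timeframe: 30s` for the same join, so `timeframe: 30s` is presumably what was meant. Separately, by operator precedence `filter2` (`Source_Network_Address: '-'`) is attached to `selection2`, but 4698/4702 do not appear to carry a source-address field, so the filter is a no-op there and looks like it belongs with `selection1` next to `filter1`: `condition: (selection1 and not filter1 and not filter2) or selection2`. Worth settling both before the rule is used as a template for the correlation logic.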
@@ -0,0 +1,50 @@
+action: global
+title: Remote Service Creation
+id: 4a3a2b96-d7fc-4cb9-80e4-4a545fe95f46
+status: experimental
+description: Detects remote execution via service creation on the destination host
+author: Jai Minton, oscd.community
+date: 2020/10/05
+references:
+ - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
+tags:
+ - attack.lateral_movement
+ - attack.persistence
+ - attack.execution
+ - attack.t1543.003
+detection:
+ selection1:
+ EventID: 4624
+ Logon_Type: 3
+ filter1:
+ Source_Network_Address:
+ - '::1'
+ - '127.0.0.1'
+ timeframe: 30s
+ condition: (selection1 and not filter1) or selection2
+ # where:
+ # selection1: TargetLogonID = selection2: SubjectLogonID, grouped by host over 30seconds | eventcount > 1
+ # Rule should trigger where the SubjectLogonID from event 7045 is the same as the TargetLogonID from event 4624 with a Logon_Type of 3, in a 30second period, provided its from the same host.
+ # This logic would be similar to the Splunk 'Transaction' operator which groups related events over a timeframe.
+ # This takes both field values (e.g. host), and an expression provided (e.g. startswith=(EventCode=4624) maxspan=30s) which occurs over the raw event log to find events, at which point a Union based on the criteria provided occurs to merge these events into a single transaction.
+ # This is similar to stats as an aggregation function, but allows you to see the raw text of events rather than to calculate stats on then, and it retains the raw event to allow an eval expression to occur for grouping. This is beneficial as fields such as LogonIDs are reused over time.
+ # By having this you can group logon events to their remote service creation event (as it is searching for a logon followed by a service creation) even by using a search timeframe over a long period of time e.g. 30days without running the risk of incorrectly grouping a logonID at one time, to a task creation at another.
+ # Rule logic is currently not supported by SIGMA.
+
+falsepositives:
+ - Unknown
+level: medium
+---
+ logsource:
+ product: windows
+ service: security
+ detection:
+ selection2:
+ EventID: 4697
+---
+logsource:
+ product: windows
+ service: system
+detection:
+ selection2:
+ EventID: 7045
\ No newline at end of file
diff --git a/rules/cloud/aws_ec2_startup_script_change.yml b/rules/cloud/aws_ec2_startup_script_change.yml
index 15f39ba44..75e3eb5aa 100644
--- a/rules/cloud/aws_ec2_startup_script_change.yml
+++ b/rules/cloud/aws_ec2_startup_script_change.yml
@@ -1,7 +1,7 @@ title: AWS EC2 Startup Shell Script Change id: 1ab3c5ed-5baf-417b-bb6b-78ca33f6c3df status: experimental
-description: Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM everytime the specific instances are booted up.
+description: Detects changes to the EC2 instance startup script. The shell script will be executed as root/SYSTEM every time the specific instances are booted up.
 author: faloker date: 2020/02/12 modified: 2020/09/01
diff --git a/rules/cloud/aws_ec2_vm_export_failure.yml b/rules/cloud/aws_ec2_vm_export_failure.yml
index 2d5a32657..dff7a078e 100644
--- a/rules/cloud/aws_ec2_vm_export_failure.yml
+++ b/rules/cloud/aws_ec2_vm_export_failure.yml
@@ -18,7 +18,7 @@ detection: errorCode: '*' filter3: eventName: 'ConsoleLogin'
- responseElements: '*Failure*'
+ responseElements|contains: 'Failure'
 condition: selection and (filter1 or filter2 or filter3) level: low tags:
diff --git a/rules/cloud/aws_snapshot_backup_exfiltration.yml b/rules/cloud/aws_snapshot_backup_exfiltration.yml
new file mode 100644
index 000000000..e2f5b9e81
--- /dev/null
+++ b/rules/cloud/aws_snapshot_backup_exfiltration.yml
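Review bot: The `service: security` document relies on EventID 4697 but carries no `logsource.definition`, while win_remote_schtask.yml in this same commit documents its audit-policy prerequisite; 4697 is only logged when the System > Audit Security System Extension subcategory is enabled, which is typically not on by default, so someone deploying this rule would get silence rather than detections. Suggest `definition: 'Audit Security System Extension (System) must be enabled for event 4697 to be logged.'` under that document's `logsource`. The same document's `logsource:` and `detection:` keys also appear to be indented by one space, unlike the third document and the rest of the file, which is worth normalising while the rule is new.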
@@ -0,0 +1,24 @@
+title: AWS Snapshot Backup Exfiltration
+id: abae8fec-57bd-4f87-aff6-6e3db989843d
+status: test
+description: Detects the modification of an EC2 snapshot's permissions to enable access from another account
+author: Darin Smith
+date: 2021/05/17
+references:
+ - https://www.justice.gov/file/1080281/download
+ - https://attack.mitre.org/techniques/T1537/
+logsource:
+ service: cloudtrail
+detection:
+ selection_source:
+ - eventSource: cloudtrail.amazonaws.com
+ events:
+ - eventName:
+ - ModifySnapshotAttribute
+ condition: selection_source AND events
+falsepositives:
+ - Valid change to a snapshot's permissions
+level: medium
+tags:
+ - attack.exfiltration
+ - attack.t1537
diff --git a/rules/cloud/aws_update_login_profile.yml b/rules/cloud/aws_update_login_profile.yml
index ae796a534..f9654450a 100644
--- a/rules/cloud/aws_update_login_profile.yml
+++ b/rules/cloud/aws_update_login_profile.yml
@@ -23,7 +23,7 @@ fields: - errorMessage falsepositives: - Legit User Account Administration
-level: High
+level: high
 tags: - attack.persistence - attack.t1098
diff --git a/rules/compliance/cleartext_protocols.yml b/rules/compliance/cleartext_protocols.yml
index cda779381..eb1acd9c9 100644
--- a/rules/compliance/cleartext_protocols.yml
+++ b/rules/compliance/cleartext_protocols.yml
@@ -81,7 +81,7 @@ detection: condition: selection --- logsource:
- product: firewall
+ category: firewall
 detection: selection1: destination.port:
diff --git a/rules/compliance/host_without_firewall.yml b/rules/compliance/host_without_firewall.yml
index 264327142..cab122e0b 100644
--- a/rules/compliance/host_without_firewall.yml
+++ b/rules/compliance/host_without_firewall.yml
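Review bot: `eventSource: cloudtrail.amazonaws.com` will never match `ModifySnapshotAttribute`, which is an EC2 API action that CloudTrail records with `eventSource: ec2.amazonaws.com`, so as written the rule is dead. The condition also uses upper-case `AND`; Sigma condition keywords are lower-case, so it should read `condition: selection_source and events`. Since the description targets sharing with another account, consider additionally requiring the request to carry a `createVolumePermission` add entry (check the exact `requestParameters` layout against a sample event); otherwise every attribute modification, including permission removals, fires at the same level.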
@@ -4,12 +4,13 @@ status: stable description: Host Without Firewall. Alert means not complied. Sigma for Qualys vulnerability scanner. Scan type - Vulnerability Management. author: Alexandr Yampolskyi, SOC Prime date: 2019/03/19
+modified: 2021/05/30
 references: - https://www.cisecurity.org/controls/cis-controls-list/ - https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2-1.pdf - https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf logsource:
- product: Qualys
+ product: qualys
 detection: selection: event.category: Security Policy
diff --git a/rules/linux/at_command.yml b/rules/linux/at_command.yml
new file mode 100644
index 000000000..81e3802ea
--- /dev/null
+++ b/rules/linux/at_command.yml
@@ -0,0 +1,23 @@
+title: Scheduled Task/Job At
+id: d2d642d7-b393-43fe-bae4-e81ed5915c4b
+status: stable
+description: Detects the use of at/atd
+author: Ömer Günal, oscd.community
+date: 2020/10/06
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.001/T1053.001.md
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection:
+ ProcessName|endswith:
+ - '/at'
+ - '/atd'
+ condition: selection
+falsepositives:
+ - Legitimate administration activities
+level: low
+tags:
+ - attack.persistence
+ - attack.t1053.001
diff --git a/rules/linux/auditd/lnx_auditd_create_account.yml b/rules/linux/auditd/lnx_auditd_create_account.yml
index 872398f62..4c1d6f6ba 100644
--- a/rules/linux/auditd/lnx_auditd_create_account.yml
+++ b/rules/linux/auditd/lnx_auditd_create_account.yml
@@ -12,7 +12,7 @@ logsource: detection: selection: type: 'SYSCALL'
- exe: '*/useradd'
+ exe|endswith: '/useradd'
 condition: selection falsepositives: - Admin activity
@@ -20,4 +20,4 @@ level: medium tags: - attack.t1136 # an old one - attack.t1136.001
- - attack.persistence
\ No newline at end of file
+ - attack.persistence
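Review bot: `ProcessName|endswith` in at_command.yml uses a different field than every other Linux `process_creation` rule added in this commit (lnx_clear_logs.yml, lnx_file_deletion.yml, lnx_process_discovery.yml all match on `Image|endswith`), so a field mapping written for `Image` will not apply here and the rule may silently never match. Unless the linux process_creation taxonomy deliberately exposes `ProcessName`, this should be `Image|endswith:`. `status: stable` on a brand-new rule also reads as optimistic next to the `experimental` siblings.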
diff --git a/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml b/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml
index b0ca98ab8..2e9e33da2 100644
--- a/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml
+++ b/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml
@@ -2,7 +2,7 @@ title: Modification of ld.so.preload id: 4b3cb710-5e83-4715-8c45-8b2b5b3e5751 status: experimental description: Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.
-author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community
+author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community
 date: 2019/10/24 modified: 2019/11/11 references:
diff --git a/rules/linux/auditd/lnx_auditd_masquerading_crond.yml b/rules/linux/auditd/lnx_auditd_masquerading_crond.yml
index 0dfbfe404..c76769bc9 100644
--- a/rules/linux/auditd/lnx_auditd_masquerading_crond.yml
+++ b/rules/linux/auditd/lnx_auditd_masquerading_crond.yml
@@ -16,9 +16,9 @@ detection: a0: 'cp' a1: '-i' a2: '/bin/sh'
- a3: '*/crond'
+ a3|endswith: '/crond'
 condition: selection level: medium tags: - attack.defense_evasion
- - attack.t1036.003
\ No newline at end of file
+ - attack.t1036.003
diff --git a/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml b/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml
index 64175ef8a..4cbc91f86 100644
--- a/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml
+++ b/rules/linux/auditd/lnx_auditd_susp_exe_folders.yml
@@ -12,26 +12,26 @@ logsource: detection: selection: type: 'SYSCALL'
- exe:
+ exe|startswith:
 # Temporary folder
- - '/tmp/*'
+ - '/tmp/'
 # Web server
- - '/var/www/*' # Standard
- - '/home/*/public_html/*' # Per-user
- - '/usr/local/apache2/*' # Classical Apache
- - '/usr/local/httpd/*' # Old SuSE Linux 6.* Apache
- - '/var/apache/*' # Solaris Apache
- - '/srv/www/*' # SuSE Linux 9.*
- - '/home/httpd/html/*' # Redhat 6 or older Apache
- - '/srv/http/*' # ArchLinux standard
- - '/usr/share/nginx/html/*' # ArchLinux nginx
+ - '/var/www/' # Standard
+ - '/home/*/public_html/' # Per-user
+ - '/usr/local/apache2/' # Classical Apache
+ - '/usr/local/httpd/' # Old SuSE Linux 6.* Apache
+ - '/var/apache/' # Solaris Apache
+ - '/srv/www/' # SuSE Linux 9.*
+ - '/home/httpd/html/' # Redhat 6 or older Apache
+ - '/srv/http/' # ArchLinux standard
+ - '/usr/share/nginx/html/' # ArchLinux nginx
 # Data dirs of typically exploited services (incomplete list)
- - '/var/lib/pgsql/data/*'
- - '/usr/local/mysql/data/*'
- - '/var/lib/mysql/*'
- - '/var/vsftpd/*'
- - '/etc/bind/*'
- - '/var/named/*'
+ - '/var/lib/pgsql/data/'
+ - '/usr/local/mysql/data/'
+ - '/var/lib/mysql/'
+ - '/var/vsftpd/'
+ - '/etc/bind/'
+ - '/var/named/'
 condition: selection falsepositives: - Admin activity (especially in /tmp folders)
diff --git a/rules/linux/auditd/lnx_auditd_web_rce.yml b/rules/linux/auditd/lnx_auditd_web_rce.yml
index 59ae6cd87..32b3c16f5 100644
--- a/rules/linux/auditd/lnx_auditd_web_rce.yml
+++ b/rules/linux/auditd/lnx_auditd_web_rce.yml
@@ -1,7 +1,7 @@ title: Webshell Remote Command Execution id: c0d3734d-330f-4a03-aae2-65dacc6a8222 status: experimental
-description: Detects posible command execution by web application/web shell
+description: Detects possible command execution by web application/web shell
 author: Ilyas Ochkov, Beyu Denis, oscd.community date: 2019/10/12 modified: 2019/11/04
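Review bot: With the move to `exe|startswith`, `/tmp/` remains the only scratch location in the list, while `/var/tmp/` and `/dev/shm/` are world-writable directories that serve the same purpose and deserve the same coverage; adding `- '/var/tmp/'` and `- '/dev/shm/'` under the temporary-folder group would close that gap at no cost in noise beyond what `/tmp/` already brings. Also, `'/home/*/public_html/'` still carries a wildcard in the middle of a `startswith` value, so its behaviour now depends on the backend honouring `*` inside a prefix match; since every other entry became a literal prefix, a one-line comment on that entry (`# mid-value wildcard, backend must expand *`) would stop a future cleanup from quietly dropping it.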
diff --git a/rules/linux/lnx_base64_decode.yml b/rules/linux/lnx_base64_decode.yml
new file mode 100644
index 000000000..62620cf4b
--- /dev/null
+++ b/rules/linux/lnx_base64_decode.yml
@@ -0,0 +1,22 @@
+title: Decode Base64 Encoded Text
+id: e2072cab-8c9a-459b-b63c-40ae79e27031
+status: experimental
+description: Detects usage of base64 utility to decode arbitrary base64-encoded text
+author: Daniil Yugoslavskiy, oscd.community
+date: 2020/10/19
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ base64_execution:
+ Image|endswith: '/base64'
+ CommandLine|contains: '-d'
+ condition: base64_execution
+falsepositives:
+ - Legitimate activities
+level: low
+tags:
+ - attack.defense_evasion
+ - attack.t1027
\ No newline at end of file
diff --git a/rules/linux/lnx_binary_padding.yml b/rules/linux/lnx_binary_padding.yml
new file mode 100644
index 000000000..cba357572
--- /dev/null
+++ b/rules/linux/lnx_binary_padding.yml
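Review bot: `CommandLine|contains: '-d'` matches any argument containing the two characters `-d`, for example an input file such as `foo-data.txt` handed to an encoding run, so the rule fires on base64 encoding as well as decoding, contrary to the description. A leading space narrows it to the flag: make `CommandLine|contains:` a list of `' -d'` and `' --decode'` (the long form needs its own entry because `' -d'` no longer matches `--decode`). The level is low, so the noise is bounded, but the stated contract is decode-only.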
@@ -0,0 +1,35 @@
+title: 'Binary Padding'
+id: c52a914f-3d8b-4b2a-bb75-b3991e75f8ba
+status: experimental
+description: 'Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.'
+ # For this rule to work execve auditing / file system auditing with "execute access" to specific binaries must be configured
+ # Example config (place it at the bottom of audit.rules)
+ # -a always,exit -F arch=b32 -S execve -k execve
+ # -a always,exit -F arch=b64 -S execve -k execve
+author: 'Igor Fits, oscd.community'
+date: 2020/10/13
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md
+logsource:
+ product: linux
+ service: auditd
+detection:
+ selection1:
+ type: 'EXECVE'
+ keywords|contains|all:
+ - 'truncate'
+ - '-s'
+ selection2:
+ type: 'EXECVE'
+ keywords|contains|all:
+ - 'dd'
+ - 'if='
+ filter:
+ keywords|contains: 'of='
+ condition: selection1 or (selection2 and not filter)
+falsepositives:
+ - 'Legitimate script work'
+level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1027.001
diff --git a/rules/linux/lnx_buffer_overflows.yml b/rules/linux/lnx_buffer_overflows.yml
index f92de840e..7a446e147 100644
--- a/rules/linux/lnx_buffer_overflows.yml
+++ b/rules/linux/lnx_buffer_overflows.yml
@@ -16,5 +16,5 @@ detection: - 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' condition: keywords falsepositives:
- - Unkown
+ - Unknown
 level: high
diff --git a/rules/linux/lnx_change_file_time_attr.yml b/rules/linux/lnx_change_file_time_attr.yml
new file mode 100644
index 000000000..22763a8cf
--- /dev/null
+++ b/rules/linux/lnx_change_file_time_attr.yml
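Review bot: `keywords|contains|all` with `'dd'` is a free-text substring over the whole EXECVE record, so any argument containing `dd` (`add`, `hidden`, `address`) together with an `if=` elsewhere satisfies `selection2`, and `'-s'` in `selection1` likewise matches inside longer flags. Raw auditd EXECVE records carry the argument vector as `a0="dd" a1="if=..."`, so matching `'a0="dd"'` and `'a0="truncate"'` would anchor on the binary rather than on a substring; verify against a sample record from this environment before relying on the quoted form. The `filter` on `of=` is a sensible way to separate padding via shell redirection from ordinary copies, and a short comment saying so (`# dd with of= is a copy, not padding via >> redirection`) would spare the next maintainer the reasoning.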
@@ -0,0 +1,33 @@
+title: 'File Time Attribute Change'
+id: b3cec4e7-6901-4b0d-a02d-8ab2d8eb818b
+status: experimental
+description: 'Detect file time attribute change to hide new or changes to existing files.'
+ # For this rule to work execve auditing must be configured
+ # Example config (place it at the bottom of audit.rules)
+ # -a always,exit -F arch=b32 -S execve -k execve
+ # -a always,exit -F arch=b64 -S execve -k execve
+author: 'Igor Fits, oscd.community'
+date: 2020/10/15
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md
+logsource:
+ product: linux
+ service: auditd
+detection:
+ selection1:
+ type: 'EXECVE'
+ keywords|contains: 'touch'
+ selection2:
+ type: 'EXECVE'
+ keywords|contains:
+ - '-t'
+ - '-acmr'
+ - '-d'
+ - '-r'
+ condition: selection1 and selection2
+falsepositives:
+ - 'Unknown'
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1070.006
diff --git a/rules/linux/lnx_clear_logs.yml b/rules/linux/lnx_clear_logs.yml
new file mode 100644
index 000000000..39899711a
--- /dev/null
+++ b/rules/linux/lnx_clear_logs.yml
@@ -0,0 +1,26 @@
+title: Clear Linux Logs
+id: 80915f59-9b56-4616-9de0-fd0dea6c12fe
+status: stable
+description: Detects clear logs
+author: Ömer Günal, oscd.community
+date: 2020/10/07
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection:
+ Image|endswith:
+ - '/rm' # covers /rmdir as well
+ - '/shred'
+ CommandLine|contains:
+ - '/var/log'
+ - '/var/spool/mail'
+ condition: selection
+falsepositives:
+ - Legitimate administration activities
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1070.002
diff --git a/rules/linux/lnx_file_and_directory_discovery.yml b/rules/linux/lnx_file_and_directory_discovery.yml
new file mode 100644
index 000000000..af52c7765
--- /dev/null
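Review bot: `selection2` is a free-text `keywords|contains` list of `-t`, `-acmr`, `-d` and `-r`, and those two-character substrings occur in ordinary paths and file names (`-d` in `foo-data`, `-r` in `build-release`), so combined with `touch` in `selection1` the rule fires on most touch invocations rather than on timestamp manipulation. In raw auditd EXECVE records each argument appears quoted as `aN="-t"`, so the quoted forms `'"-t"'`, `'"-d"'`, `'"-r"'` (keeping `-acmr`) would anchor the flags to an argument boundary without losing the T1070.006 cases in the referenced atomic test; confirm against a sample record from this log source first. Matching `a0="touch"` instead of bare `touch` in `selection1` would likewise avoid hits on words such as `touchpad`.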
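Review bot: The comment `# covers /rmdir as well` on `- '/rm'` is wrong: `endswith` is an anchored suffix match and `/usr/bin/rmdir` ends in `/rmdir`, not `/rm`, so rmdir is not covered; lnx_file_deletion.yml in this commit carries the same comment and the same gap. Either drop the comment or add `- '/rmdir'` as its own entry in both rules. Pairing `rm`/`shred` with `/var/log` and `/var/spool/mail` in the command line is otherwise a sound, low-noise selection for this level.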
+++ b/rules/linux/lnx_file_and_directory_discovery.yml
@@ -0,0 +1,29 @@
+title: File and Directory Discovery
+id: d3feb4ee-ff1d-4d3d-bd10-5b28a238cc72
+status: experimental
+description: Detects usage of system utilities to discover files and directories
+author: Daniil Yugoslavskiy, oscd.community
+date: 2020/10/19
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ file_with_asterisk:
+ Image|endswith: '/file'
+ CommandLine|re: '(.){200,}' # execution of the 'file */* *>> /tmp/output.txt' will produce huge commandline
+ recursive_ls:
+ Image|endswith: '/ls'
+ CommandLine|contains: '-R'
+ find_execution:
+ Image|endswith: '/find'
+ tree_execution:
+ Image|endswith: '/tree'
+ condition: 1 of them
+falsepositives:
+ - Legitimate activities
+level: informational
+tags:
+ - attack.discovery
+ - attack.t1083
\ No newline at end of file
diff --git a/rules/linux/lnx_file_copy.yml b/rules/linux/lnx_file_copy.yml
index 028476447..2a0509c6f 100644
--- a/rules/linux/lnx_file_copy.yml
+++ b/rules/linux/lnx_file_copy.yml
@@ -11,18 +11,20 @@ logsource: detection: keywords: - Scp|contains:
- - 'scp * *@*:*'
- - 'scp *@*:* *'
+ - 'scp'
 - Rsync|contains:
- - 'rsync -r *@*:* *'
- - 'rsync -r * *@*:*'
+ - 'rsync -r'
 - Sftp|contains:
- - 'sftp *@*:* *'
- condition: keywords
+ - 'sftp'
+ filter:
+ message|contains|all:
+ - '@'
+ - ':'
+ condition: keywords and filter
 falsepositives: - Legitimate administration activities level: low tags: - attack.command_and_control - attack.lateral_movement
- - attack.t1105
\ No newline at end of file
+ - attack.t1105
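Review bot: `CommandLine|re: '(.){200,}'` depends on the `re` modifier, which only some backends support, and the capturing group is unnecessary — `.{200,}` is equivalent and cheaper; the inline comment explaining the 200-character heuristic is useful and should stay. `find_execution` and `tree_execution` match every invocation of those binaries with no argument constraint, which is tolerable only because the level is `informational`; a short comment (`# hunting context, not an alert: any find/tree execution matches`) would make that intent explicit for whoever next tunes the rule.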
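Review bot: The new `filter` requires `'@'` and `':'` somewhere in `message`, but `':'` is present in virtually every log line (timestamps, `key: value` pairs), so in practice the filter reduces to "contains @" and no longer enforces the `user@host:path` shape that the removed wildcard patterns expressed. Where the backend supports it, `message|re: '[^ ]+@[^ ]+:'` keeps that intent; otherwise a comment on `filter` noting the loosening would help. The hunk does not show the `logsource`, so it is worth confirming that the field mapping for this source actually defines `Scp`, `Rsync`, `Sftp` and `message`.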
@@ -0,0 +1,23 @@
+title: File Deletion
+id: 30aed7b6-d2c1-4eaf-9382-b6bc43e50c57
+status: stable
+description: Detects file deletion commands
+author: Ömer Günal, oscd.community
+date: 2020/10/07
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection:
+ Image|endswith:
+ - '/rm' # covers /rmdir as well
+ - '/shred'
+ condition: selection
+falsepositives:
+ - Legitimate administration activities
+level: informational
+tags:
+ - attack.defense_evasion
+ - attack.t1070.004
diff --git a/rules/linux/lnx_file_or_folder_permissions.yml b/rules/linux/lnx_file_or_folder_permissions.yml
index 474ea08f6..0e806a84c 100644
--- a/rules/linux/lnx_file_or_folder_permissions.yml
+++ b/rules/linux/lnx_file_or_folder_permissions.yml
@@ -17,7 +17,7 @@ detection: - 'chown' condition: selection falsepositives:
- - User interracting with files permissions (normal/daily behaviour)
+ - User interacting with files permissions (normal/daily behaviour)
 level: low tags: - attack.defense_evasion
diff --git a/rules/linux/lnx_find_cred_in_files.yml b/rules/linux/lnx_find_cred_in_files.yml
new file mode 100644
index 000000000..71b908273
--- /dev/null
+++ b/rules/linux/lnx_find_cred_in_files.yml
@@ -0,0 +1,29 @@
+title: 'Credentials In Files'
+id: df3fcaea-2715-4214-99c5-0056ea59eb35
+status: experimental
+description: 'Detecting attempts to extract passwords with grep'
+ # For this rule to work execve auditing must be configured
+ # Example config (place it at the bottom of audit.rules)
+ # -a always,exit -F arch=b32 -S execve -k execve
+ # -a always,exit -F arch=b64 -S execve -k execve
+author: 'Igor Fits, oscd.community'
+date: 2020/10/15
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md
+logsource:
+ product: linux
+ service: auditd
+detection:
+ selection1:
+ type: 'EXECVE'
+ keywords|contains: 'grep'
+ selection2:
+ type: 'EXECVE'
+ keywords|contains: 'password'
+ condition: selection1 and selection2
+falsepositives:
+ - 'Unknown'
+level: high
+tags:
+ - attack.credential_access
+ - attack.t1552.001
diff --git a/rules/linux/lnx_install_root_certificate.yml b/rules/linux/lnx_install_root_certificate.yml
new file mode 100644
index 000000000..b1a9f61ee
--- /dev/null
+++ b/rules/linux/lnx_install_root_certificate.yml
@@ -0,0 +1,22 @@
+title: Install Root Certificate
+id: 78a80655-a51e-4669-bc6b-e9d206a462ee
+description: Detects installed new certificate
+author: Ömer Günal, oscd.community
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md
+date: 2020/10/05
+tags:
+ - attack.defense_evasion
+ - attack.t1553.004
+level: low
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection:
+ Image|endswith:
+ - '/update-ca-certificates'
+ - '/update-ca-trust'
+ condition: selection
+falsepositives:
+ - Legitimate administration activities
diff --git a/rules/linux/lnx_ldso_preload_injection.yml b/rules/linux/lnx_ldso_preload_injection.yml
new file mode 100644
index 000000000..be1b937b7
--- /dev/null
+++ b/rules/linux/lnx_ldso_preload_injection.yml
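Review bot: `level: high` is hard to justify for `grep` plus the substring `password` anywhere in an EXECVE record: administrators and configuration-management tooling grep for that word routinely, and `falsepositives: 'Unknown'` gives a triager nothing to work with. Either lower the level to `medium` or list the expected benign sources (configuration management, compliance and audit scripts) under `falsepositives`. Since `selection1` and `selection2` constrain the same `keywords` field, they could also be merged into one `keywords|contains|all` list of `'grep'` and `'password'`, matching the style of lnx_binary_padding.yml in this commit.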
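Review bot: lnx_install_root_certificate.yml has no `status` key, while every other rule added in this commit declares one (`experimental` or `stable`), so tooling that filters on status will treat it inconsistently; add `status: experimental` after `id`. Its key order (`references` before `date`, `tags` and `level` before `logsource`) also departs from the layout of the sibling rules and is worth normalising while the file is new. `description: Detects installed new certificate` overstates what the selection sees — it catches execution of the trust-store update utilities — so `description: Detects execution of the CA trust store update utilities (update-ca-certificates, update-ca-trust)` describes the actual match.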
@@ -0,0 +1,17 @@
+title: Code Injection by ld.so Preload
+id: 7e3c4651-c347-40c4-b1d4-d48590fdf684
+status: experimental
+description: Detects the ld.so preload persistence file. See `man ld.so` for more information.
+author: Christian Burkard
+date: 2021/05/05
+references:
+ - https://man7.org/linux/man-pages/man8/ld.so.8.html
+logsource:
+ product: linux
+detection:
+ keyword:
+ - '/etc/ld.so.preload'
+ condition: keyword
+falsepositives:
+ - rare temporary workaround for library misconfiguration
+level: high
diff --git a/rules/linux/lnx_local_account.yml b/rules/linux/lnx_local_account.yml
new file mode 100644
index 000000000..2e31f466d
--- /dev/null
+++ b/rules/linux/lnx_local_account.yml
@@ -0,0 +1,39 @@
+title: Local System Accounts Discovery
+id: b45e3d6f-42c6-47d8-a478-df6bd6cf534c
+status: experimental
+description: Detects enumeration of local systeam accounts
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/08
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection_1:
+ Image|endswith:
+ - '/lastlog'
+ selection_2:
+ CommandLine|contains:
+ - "'x:0:'"
+ selection_3:
+ Image|endswith:
+ - '/cat'
+ CommandLine|contains:
+ - '/etc/passwd'
+ - '/etc/sudoers'
+ selection_4:
+ Image|endswith:
+ - '/id'
+ selection_5:
+ Image|endswith:
+ - '/lsof'
+ CommandLine|contains:
+ - '-u'
+ condition: 1 of them
+falsepositives:
+ - Legitimate administration activities
+level: low
+tags:
+ - attack.discovery
+ - attack.t1087.001
diff --git a/rules/linux/lnx_local_groups.yml b/rules/linux/lnx_local_groups.yml
new file mode 100644
index 000000000..8df8a8157
--- /dev/null
+++ b/rules/linux/lnx_local_groups.yml
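Review bot: This keyword rule overlaps with rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml (touched earlier in this same diff), which already covers modification of `/etc/ld.so.preload` on auditd, and with `logsource` set to just `product: linux` and a bare keyword of `/etc/ld.so.preload` it will fire on any Linux log line that mentions the path — reads, package-manager output, or the very auditd events the other rule consumes. The title and description speak of injection and persistence, but nothing in the detection distinguishes a write from a mention. Either scope the logsource and extend `falsepositives` with `- audit or package-manager logs that merely reference the file`, or state in the description why a catch-all keyword rule is wanted alongside the auditd one.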
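Review bot: In lnx_local_account.yml, `selection_2`'s value `"'x:0:'"` includes the single quotes as part of the match, but a shell strips them before `execve`, so a `process_creation` source that rebuilds `CommandLine` from the argument vector will log `x:0:` without quotes and this selection will never match; `- 'x:0:'` is presumably the intent (verify against a sample event from the source in use). `selection_2` also has no `Image` constraint, so once fixed it matches any command line containing `x:0:`, which is worth a comment given `condition: 1 of them`. Minor: the description has `systeam` for `system`.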
@@ -0,0 +1,27 @@
+title: Local Groups Discovery
+id: 676381a6-15ca-4d73-a9c8-6a22e970b90d
+status: experimental
+description: Detects enumeration of local system groups
+author: Ömer Günal, Alejandro Ortuno, oscd.community
+date: 2020/10/11
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection_1:
+ Image|endswith:
+ - '/groups'
+ selection_2:
+ Image|endswith:
+ - '/cat'
+ CommandLine|contains:
+ - '/etc/group'
+ condition: 1 of them
+falsepositives:
+ - Legitimate administration activities
+level: low
+tags:
+ - attack.discovery
+ - attack.t1069.001
diff --git a/rules/linux/lnx_network_service_scanning.yml b/rules/linux/lnx_network_service_scanning.yml
new file mode 100644
index 000000000..831c1dac9
--- /dev/null
+++ b/rules/linux/lnx_network_service_scanning.yml
@@ -0,0 +1,47 @@
+action: global
+title: Linux Network Service Scanning
+id: 3e102cd9-a70d-4a7a-9508-403963092f31
+status: experimental
+description: Detects enumeration of local or remote network services.
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/21
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md
+falsepositives:
+ - Legitimate administration activities
+level: low
+tags:
+ - attack.discovery
+ - attack.t1046
+---
+logsource:
+ category: process_creation
+ product: linux
+ definition: 'Detect netcat and filter our listening mode'
+detection:
+ netcat:
+ Image|endswith:
+ - '/nc'
+ - '/netcat'
+ network_scanning_tools:
+ Image|endswith:
+ - '/telnet' # could be wget, curl, ssh, many things. basically everything that is able to do network connection. consider fine tuning
+ - '/nmap'
+ netcat_listen_flag:
+ CommandLine|contains: 'l'
+ condition: (netcat and not netcat_listen_flag) or network_scanning_tools
+---
+logsource:
+ product: linux
+ service: auditd
+ definition: 'Configure these rules https://github.com/Neo23x0/auditd/blob/master/audit.rules#L182-L183'
+detection:
+ selection:
+ type: 'SYSCALL'
+ exe|endswith:
+ - '/telnet'
+ - '/nmap'
+ - '/netcat'
+ - '/nc'
+ key: 'network_connect_4'
+ condition: selection
diff --git a/rules/linux/lnx_password_policy_discovery.yml b/rules/linux/lnx_password_policy_discovery.yml
new file mode 100644
index 000000000..eccbff04f
--- /dev/null
+++ b/rules/linux/lnx_password_policy_discovery.yml
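Review bot: `netcat_listen_flag` is `CommandLine|contains: 'l'`, a single letter that matches almost every command line (`localhost`, `/usr/local/...`, any file name containing an `l`), so `netcat and not netcat_listen_flag` suppresses nearly all netcat executions and the first document effectively detects only nmap and telnet. The flag needs an argument boundary, e.g. `CommandLine|contains: ' -l'`; combined short flags such as `-vl` would still escape that, so where the backend supports the `re` modifier a pattern like `' -[a-zA-Z]*l'` is the better form. Also, `definition: 'Detect netcat and filter our listening mode'` should read `filter out`.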
@@ -0,0 +1,25 @@
+title: Password Policy Discovery
+id: ca94a6db-8106-4737-9ed2-3e3bb826af0a
+status: stable
+description: Detects password policy discovery commands
+author: Ömer Günal, oscd.community
+date: 2020/10/08
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md
+logsource:
+ service: auditd
+detection:
+ selection:
+ type: 'PATH'
+ name:
+ - '/etc/pam.d/common-password'
+ - '/etc/security/pwquality.conf'
+ - '/etc/pam.d/system-auth'
+ - '/etc/login.defs'
+ condition: selection
+falsepositives:
+ - Legitimate administration activities
+level: low
+tags:
+ - attack.discovery
+ - attack.t1201
diff --git a/rules/linux/lnx_process_discovery.yml b/rules/linux/lnx_process_discovery.yml
new file mode 100644
index 000000000..1785e7ef8
--- /dev/null
+++ b/rules/linux/lnx_process_discovery.yml
@@ -0,0 +1,23 @@
+title: Process Discovery
+id: 4e2f5868-08d4-413d-899f-dc2f1508627b
+status: stable
+description: Detects process discovery commands
+author: Ömer Günal, oscd.community
+date: 2020/10/06
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection:
+ - Image|endswith:
+ - '/ps'
+ - '/top'
+ condition: selection
+falsepositives:
+ - Legitimate administration activities
+level: informational
+tags:
+ - attack.discovery
+ - attack.t1057
diff --git a/rules/linux/lnx_remote_system_discovery.yml b/rules/linux/lnx_remote_system_discovery.yml
new file mode 100644
index 000000000..218053e15
--- /dev/null
+++ b/rules/linux/lnx_remote_system_discovery.yml
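Review bot: The `logsource` of the password-policy rule has only `service: auditd` and no `product: linux`, unlike the other auditd rules in this change (the network-scanning rule's second document, the split-file rule), so the generic `linux/auditd` backend mapping may not be applied to it. Add `product: linux`. The rule also depends on `type: 'PATH'` records for four files, which only exist when file watches such as `-w /etc/login.defs -p r -k password_policy` are loaded; a `definition:` line saying so, as the sibling auditd rules do, would save users from a silently empty rule. `status: stable` is optimistic for a rule that has that undocumented prerequisite.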
@@ -0,0 +1,45 @@
+title: Linux Remote System Discovery
+id: 11063ec2-de63-4153-935e-b1a8b9e616f1
+status: experimental
+description: Detects the enumeration of other remote systems.
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/22
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection_1:
+ Image|endswith: '/arp'
+ CommandLine|contains: '-a'
+ selection_2:
+ Image|endswith: '/ping'
+ CommandLine|contains:
+ - ' 10.' #10.0.0.0/8
+ - ' 192.168.' #192.168.0.0/16
+ - ' 172.16.' #172.16.0.0/12
+ - ' 172.17.'
+ - ' 172.18.'
+ - ' 172.19.'
+ - ' 172.20.'
+ - ' 172.21.'
+ - ' 172.22.'
+ - ' 172.23.'
+ - ' 172.24.'
+ - ' 172.25.'
+ - ' 172.26.'
+ - ' 172.27.'
+ - ' 172.28.'
+ - ' 172.29.'
+ - ' 172.30.'
+ - ' 172.31.'
+ - ' 127.' #127.0.0.0/8
+ - ' 169.254.' #169.254.0.0/16
+ condition: 1 of them
+falsepositives:
+ - Legitimate administration activities
+level: low
+tags:
+ - attack.discovery
+ - attack.t1018
diff --git a/rules/linux/lnx_schedule_task_job_cron.yml b/rules/linux/lnx_schedule_task_job_cron.yml
new file mode 100644
index 000000000..cd2540f96
--- /dev/null
+++ b/rules/linux/lnx_schedule_task_job_cron.yml
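Review bot: `selection_2` fires on every `ping` whose arguments contain a space-prefixed private-range prefix, which on most fleets is monitoring and connectivity-check scripts pinging gateways and peers, so the rule will mostly report the noise floor rather than host enumeration. If sweeps are the target, consider aggregating on distinct destinations per source host in the backend, or pairing `ping` with `-c 1`/`-W` style one-shot flags typical of scripted sweeps, and say so under `falsepositives`. `arp -a` is covered but the modern equivalents `ip neigh` and `arp -n` are not; a selection `Image|endswith: '/ip'` with `CommandLine|contains: 'neigh'` would close that gap.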
@@ -0,0 +1,26 @@
+title: Scheduled Cron Task/Job
+id: 6b14bac8-3e3a-4324-8109-42f0546a347f
+status: experimental
+description: Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/06
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection:
+ Image|endswith:
+ - 'crontab'
+ CommandLine|contains:
+ - '/tmp/'
+ condition: selection
+falsepositives:
+ - Legitimate administration activities
+level: medium
+tags:
+ - attack.execution
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1053.003
diff --git a/rules/linux/lnx_security_software_discovery.yml b/rules/linux/lnx_security_software_discovery.yml
new file mode 100644
index 000000000..37a7f7871
--- /dev/null
+++ b/rules/linux/lnx_security_software_discovery.yml
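Review bot: `Image|endswith: 'crontab'` has no leading slash, so it also matches any binary whose name merely ends in `crontab`; every other rule in this change anchors on `'/<name>'` and this one should read `- '/crontab'`. The `/tmp/` check misses the other world-writable staging directories crontabs are loaded from — `/var/tmp/` and `/dev/shm/` — so `CommandLine|contains` should list all three. `crontab -e` with `EDITOR`/`VISUAL` pointing into `/tmp` will also match; that is acceptable at `level: medium` but belongs under `falsepositives`.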
@@ -0,0 +1,31 @@
+title: Security Software Discovery
+id: c9d8b7fd-78e4-44fe-88f6-599135d46d60
+status: experimental
+description: Detects usage of system utilities (only grep for now) to discover security software discovery
+author: Daniil Yugoslavskiy, oscd.community
+date: 2020/10/19
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ grep_execution:
+ Image|endswith: '/grep'
+ security_services_and_processes:
+ CommandLine|contains:
+ - 'nessusd' # nessus vulnerability scanner
+ - 'td-agent' # fluentd log shipper
+ - 'packetbeat' # elastic network logger/shipper
+ - 'filebeat' # elastic log file shipper
+ - 'auditbeat' # elastic auditing agent/log shipper
+ - 'osqueryd' # facebook osquery
+ - 'cbagentd' # carbon black
+ - 'falcond' # crowdstrike falcon
+ condition: grep_execution and security_services_and_processes
+falsepositives:
+ - Legitimate activities
+level: low
+tags:
+ - attack.discovery
+ - attack.t1518.001
\ No newline at end of file
diff --git a/rules/linux/lnx_security_tools_disabling.yml b/rules/linux/lnx_security_tools_disabling.yml
index 206c9a490..8d1f16177 100644
--- a/rules/linux/lnx_security_tools_disabling.yml
+++ b/rules/linux/lnx_security_tools_disabling.yml
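Review bot: Only `grep` is matched in `grep_execution`, so `pgrep falcond`, `ps -ef | grep -i Falcon` (different casing) and `systemctl status falcon-sensor` — the more common discovery forms — do not trigger. Adding `pgrep` is a one-line widening, `Image|endswith: ['/grep', '/pgrep']`; a `systemctl status`/`list-units` selection with the same process names would need a second selection and its own false-positive note. The description, `to discover security software discovery`, repeats itself and should read `to discover installed security software`.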
@@ -1,34 +1,97 @@
+action: global
 title: Disabling Security Tools
 id: e3a8a052-111f-4606-9aee-f28ebeb76776
 status: experimental
 description: Detects disabling security tools
-author: Ömer Günal
+author: Ömer Günal, Alejandro Ortuno, oscd.community
 date: 2020/06/17
 references:
- - https://attack.mitre.org/techniques/T1089/
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1089/T1089.md
-logsource:
- product: linux
-detection:
- keywords:
- - Command|contains:
- - 'service iptables stop'
- - 'chkconfig off iptables'
- - 'service ip6tables stop'
- - 'chkconfig off ip6tables'
- - CarbonBlack|contains:
- - 'service cbdaemon stop'
- - 'chkconfig off cbdaemon'
- - 'systemctl stop cbdaemon'
- - 'systemctl disable cbdaemon'
- - SELinux:
- - 'setenforce 0'
- - Crowdstrike|contains:
- - 'systemctl stop falcon-sensor.service'
- - 'systemctl disable falcon-sensor.service'
- condition: keywords
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md
 falsepositives:
 - Legitimate administration activities
 level: medium
 tags:
- - attack.defense_evasion
\ No newline at end of file
+ - attack.defense_evasion
+ - attack.t1562.004
+ - attack.t1089
+---
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ iptables_1:
+ Image|endswith: '/service'
+ CommandLine|contains|all:
+ - 'iptables'
+ - 'stop'
+ iptables_2:
+ Image|endswith: '/service'
+ CommandLine|contains|all:
+ - 'ip6tables'
+ - 'stop'
+ iptables_3:
+ Image|endswith: '/chkconfig'
+ CommandLine|contains|all:
+ - 'iptables'
+ - 'stop'
+ iptables_4:
+ Image|endswith: '/chkconfig'
+ CommandLine|contains|all:
+ - 'ip6tables'
+ - 'stop'
+ firewall_1:
+ Image|endswith: '/systemctl'
+ CommandLine|contains|all:
+ - 'firewalld'
+ - 'stop'
+ firewall_2:
+ Image|endswith: '/systemctl'
+ CommandLine|contains|all:
+ - 'firewalld'
+ - 'disable'
+ carbonblack_1:
+ Image|endswith: '/service'
+ CommandLine|contains|all:
+ - 'cbdaemon'
+ - 'stop'
+ carbonblack_2:
+ Image|endswith: '/chkconfig'
+ CommandLine|contains|all:
+ - 'cbdaemon'
+ - 'off'
+ carbonblack_3:
+ Image|endswith: '/systemctl'
+ CommandLine|contains|all:
+ - 'cbdaemon'
+ - 'stop'
+ carbonblack_4:
+ Image|endswith: '/systemctl'
+ CommandLine|contains|all:
+ - 'cbdaemon'
+ - 'disable'
+ selinux:
+ Image|endswith: '/setenforce'
+ CommandLine|contains: '0'
+ crowdstrike_1:
+ Image|endswith: '/systemctl'
+ CommandLine|contains|all:
+ - 'stop'
+ - 'falcon-sensor'
+ crowdstrike_2:
+ Image|endswith: '/systemctl'
+ CommandLine|contains|all:
+ - 'disable'
+ - 'falcon-sensor'
+ condition: 1 of them
+---
+logsource:
+ product: linux
+ service: syslog
+detection:
+ keywords:
+ - '*stopping iptables*'
+ - '*stopping ip6tables*'
+ - '*stopping firewalld*'
+ - '*stopping cbdaemon*'
+ - '*stopping falcon-sensor*'
+ condition: keywords
diff --git a/rules/linux/lnx_shell_susp_rev_shells.yml b/rules/linux/lnx_shell_susp_rev_shells.yml
index 129707573..c643ac58b 100644
--- a/rules/linux/lnx_shell_susp_rev_shells.yml
+++ b/rules/linux/lnx_shell_susp_rev_shells.yml
@@ -1,7 +1,7 @@
 title: Suspicious Reverse Shell Command Line
 id: 738d9bcf-6999-4fdb-b4ac-3033037db8ab
 status: experimental
-description: Detects suspicious shell commands or program code that may be exected or used in command line to establish a reverse shell
+description: Detects suspicious shell commands or program code that may be executed or used in command line to establish a reverse shell
 author: Florian Roth
 date: 2019/04/02
 references:
diff --git a/rules/linux/lnx_shellshock.yml b/rules/linux/lnx_shellshock.yml
index 59a534cd3..ba7fc1bb7 100644
--- a/rules/linux/lnx_shellshock.yml
+++ b/rules/linux/lnx_shellshock.yml
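Review bot: `iptables_3` and `iptables_4` look for `chkconfig … stop`, but chkconfig has no `stop` verb — the disabling form is `chkconfig iptables off`, which is what the removed keyword rule matched and what `carbonblack_2` in this same hunk uses correctly — so those two selections can never fire. Change both second values to `- 'off'`. `selinux` matches only `setenforce 0`; `setenforce Permissive` has the same effect and should be a second value, `CommandLine|contains: ['0', 'Permissive']`. `systemctl stop iptables` and `ufw disable` are also uncovered, and the syslog `*stopping …*` keywords will not see systemd journal wording such as `Stopped firewalld`, so the second document is narrower than it looks.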
@@ -4,14 +4,18 @@ status: experimental
 description: Detects shellshock expressions in log files
 author: Florian Roth
 date: 2017/03/14
+modified: 2021/04/28
 references:
- - http://rubular.com/r/zxBfjWfFYs
+ - https://owasp.org/www-pdf-archive/Shellshock_-_Tudor_Enache.pdf
 logsource:
 product: linux
 detection:
- expression:
- - /\(\)\s*\t*\{.*;\s*\}\s*;/
- condition: expression
+ keyword:
+ - '(){:;};'
+ - '() {:;};'
+ - '() { :;};'
+ - '() { :; };'
+ condition: keyword
 falsepositives:
 - Unknown
 level: high
diff --git a/rules/linux/lnx_split_file_into_pieces.yml b/rules/linux/lnx_split_file_into_pieces.yml
new file mode 100644
index 000000000..36b1a82db
--- /dev/null
+++ b/rules/linux/lnx_split_file_into_pieces.yml
@@ -0,0 +1,26 @@
+title: 'Split A File Into Pieces'
+id: 2dad0cba-c62a-4a4f-949f-5f6ecd619769
+status: experimental
+description: 'Detection use of the command "split" to split files into parts and possible transfer.'
+ # For this rule to work execve auditing / file system auditing with "execute access" to specific binaries must be configured
+ # Example config (place it at the bottom of audit.rules)
+ # -a always,exit -F arch=b32 -S execve -k execve
+ # -a always,exit -F arch=b64 -S execve -k execve
+author: 'Igor Fits, oscd.community'
+date: 2020/10/15
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md
+logsource:
+ product: linux
+ service: auditd
+detection:
+ selection:
+ type: 'SYSCALL'
+ comm: 'split'
+ condition: selection
+falsepositives:
+ - 'Legitimate administrative activity'
+level: low
+tags:
+ - attack.exfiltration
+ - attack.t1030
diff --git a/rules/linux/lnx_sudo_cve_2019_14287.yml b/rules/linux/lnx_sudo_cve_2019_14287.yml
index ff20897bb..bbd9d785d 100644
--- a/rules/linux/lnx_sudo_cve_2019_14287.yml
+++ b/rules/linux/lnx_sudo_cve_2019_14287.yml
@@ -30,4 +30,4 @@ detection:
 USER:
 - '#-*'
 - '#*4294967295'
- condition: selection_user
\ No newline at end of file
+ condition: selection_user
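Review bot: The four literal `keyword` values replace a regex that tolerated arbitrary whitespace and any function body, so common payload spellings such as `() { ignored; };`, `(){ :;};` or tab-separated forms no longer match — a real narrowing for a `level: high` rule. If the target backends cannot take a regex in a keyword rule, at least add the `() { ignored;};` / `() { ignored; };` spellings and the no-space `(){ :;};` form; where a backend does support it, keep the pattern as a field-bound `|re` instead. Dropping the rubular link also drops the only documentation of the original pattern; the OWASP reference is fine, but a one-line note on what the old regex covered would help the next editor.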
diff --git a/rules/linux/lnx_susp_histfile_operations.yml b/rules/linux/lnx_susp_histfile_operations.yml
new file mode 100644
index 000000000..453bad916
--- /dev/null
+++ b/rules/linux/lnx_susp_histfile_operations.yml
@@ -0,0 +1,42 @@
+title: 'Suspicious History File Operations'
+id: eae8ce9f-bde9-47a6-8e79-f20d18419910
+status: experimental
+description: 'Detects commandline operations on shell history files'
+ # Rule detects presence of various shell history files in process commandline
+ # Normally user expected to view own history with dedicated 'history' command and not some other tools
+ # There is a possibility for rule to trigger, when T1070.003 techinuque is used (history file cleared)
+ # For this rule to work execve auditing must be configured
+ # Example config (place it at the bottom of audit.rules)
+ # -a always,exit -F arch=b32 -S execve -k execve
+ # -a always,exit -F arch=b64 -S execve -k execve
+author: 'Mikhail Larin, oscd.community'
+date: 2020/10/17
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md
+logsource:
+ product: linux
+ service: auditd
+detection:
+ selection:
+ type: EXECVE
+ keywords|contains:
+ - '.bash_history'
+ - '.zsh_history'
+ - '.zhistory'
+ - '.history'
+ - '.sh_history'
+ - 'fish_history'
+ condition: selection
+fields:
+ - a0
+ - a1
+ - a2
+ - a3
+ - key
+falsepositives:
+ - 'Legitimate administrative activity'
+ - 'Ligitimate software, cleaning hist file'
+level: medium
+tags:
+ - attack.credential_access
+ - attack.t1552.003
diff --git a/rules/linux/lnx_susp_named.yml b/rules/linux/lnx_susp_named.yml
index 2fc43980a..128300cc2 100644
--- a/rules/linux/lnx_susp_named.yml
+++ b/rules/linux/lnx_susp_named.yml
@@ -20,4 +20,4 @@ falsepositives:
 level: high
 tags:
 - attack.initial_access
- - attack.t1190
\ No newline at end of file
+ - attack.t1190
diff --git a/rules/linux/lnx_susp_ssh.yml b/rules/linux/lnx_susp_ssh.yml
index b84992387..c5ea7448e 100644
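Review bot: `'.history'` is a substring of `.bash_history`, `.zsh_history` and `.sh_history`, so those three values are redundant, and the bare `.history` also matches unrelated paths such as `.history.json` or per-application `.history/` caches — either drop the bare value and keep the specific names, or keep it and record the extra noise under `falsepositives`. `keywords|contains` on `EXECVE` records is backend-dependent; most Sigma auditd mappings expose the arguments as `a0`…`a3`, which this rule already lists under `fields`, so matching on those fields would be more portable. Typo in `falsepositives`: `Ligitimate`, and `techinuque` in the comment block.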
--- a/rules/linux/lnx_susp_ssh.yml
+++ b/rules/linux/lnx_susp_ssh.yml
@@ -30,4 +30,4 @@ falsepositives:
 level: medium
 tags:
 - attack.initial_access
- - attack.t1190
\ No newline at end of file
+ - attack.t1190
diff --git a/rules/linux/lnx_symlink_etc_passwd.yml b/rules/linux/lnx_symlink_etc_passwd.yml
new file mode 100644
index 000000000..9d20a1896
--- /dev/null
+++ b/rules/linux/lnx_symlink_etc_passwd.yml
@@ -0,0 +1,18 @@
+title: Symlink Etc Passwd
+id: c67fc22a-0be5-4b4f-aad5-2b32c4b69523
+status: experimental
+description: Detects suspicious command lines that look as if they would create symbolic links to /etc/passwd
+author: Florian Roth
+date: 2019/04/05
+references:
+ - https://www.qualys.com/2021/05/04/21nails/21nails.txt
+logsource:
+ product: linux
+detection:
+ keywords:
+ - 'ln -s -f /etc/passwd'
+ - 'ln -s /etc/passwd'
+ condition: keywords
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/linux/lnx_system_info_discovery.yml b/rules/linux/lnx_system_info_discovery.yml
new file mode 100644
index 000000000..892f10d76
--- /dev/null
+++ b/rules/linux/lnx_system_info_discovery.yml
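Review bot: Only `ln -s -f /etc/passwd` and `ln -s /etc/passwd` are listed, so the equally common combined and long-option forms — `ln -sf /etc/passwd`, `ln -fs /etc/passwd`, `ln --symbolic /etc/passwd`, or a `--` separator before the target — bypass a `level: high` rule. Add at least `- 'ln -sf /etc/passwd'` and `- 'ln -fs /etc/passwd'`; if the backend allows it, a `|re` such as `ln\s+(-[sf]+\s+)+/etc/passwd` would cover the flag permutations in one line. The rule has no `tags`, unlike every other rule in this change; `attack.privilege_escalation` and the relevant technique should be added.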
@@ -0,0 +1,49 @@
+action: global
+title: System Information Discovery
+id: 42df45e7-e6e9-43b5-8f26-bec5b39cc239
+status: stable
+description: Detects system information discovery commands
+author: Ömer Günal, oscd.community
+date: 2020/10/08
+modified: 2020/05/30
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md
+falsepositives:
+ - Legitimate administration activities
+level: informational
+tags:
+ - attack.discovery
+ - attack.t1082
+---
+logsource:
+ product: linux
+ category: process_creation
+detection:
+ selection:
+ Image|endswith:
+ - '/uname'
+ - '/hostname'
+ - '/uptime'
+ - '/lspci'
+ - '/dmidecode'
+ - '/lscpu'
+ - '/lsmod'
+ condition: selection
+---
+logsource:
+ product: linux
+ service: auditd
+detection:
+ selection:
+ type: 'PATH'
+ name:
+ - '/sys/class/dmi/id/bios_version'
+ - '/sys/class/dmi/id/product_name'
+ - '/sys/class/dmi/id/chassis_vendor'
+ - '/proc/scsi/scsi'
+ - '/proc/ide/hd0/model'
+ - '/proc/version'
+ - '/etc/*version'
+ - '/etc/*release'
+ - '/etc/issue'
+ condition: selection
diff --git a/rules/linux/lnx_system_network_connections_discovery.yml b/rules/linux/lnx_system_network_connections_discovery.yml
new file mode 100644
index 000000000..5f9642370
--- /dev/null
+++ b/rules/linux/lnx_system_network_connections_discovery.yml
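Review bot: `modified: 2020/05/30` predates `date: 2020/10/08`, which cannot be right and is the kind of inconsistency the repository's rule tests flag; either drop `modified` or set it to the actual edit date. In the auditd document, `'/etc/*version'` and `'/etc/*release'` rely on `*` being treated as a wildcard inside an auditd `PATH` `name` value, and all nine entries need `-w … -p r` watches before any `PATH` record exists; unlike the other auditd rules in this change there is no `definition:` saying so, and `status: stable` on top of that prerequisite is optimistic.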
@@ -0,0 +1,26 @@
+title: System Network Connections Discovery
+id: 4c519226-f0cd-4471-bd2f-6fbb2bb68a79
+status: experimental
+description: Detects usage of system utilities to discover system network connections
+author: Daniil Yugoslavskiy, oscd.community
+date: 2020/10/19
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection:
+ Image|endswith:
+ - '/who'
+ - '/w'
+ - '/last'
+ - '/lsof'
+ - '/netstat'
+ condition: selection
+falsepositives:
+ - Legitimate activities
+level: low
+tags:
+ - attack.discovery
+ - attack.t1049
\ No newline at end of file
diff --git a/rules/linux/lnx_system_network_discovery.yml b/rules/linux/lnx_system_network_discovery.yml
new file mode 100644
index 000000000..fa5c6f748
--- /dev/null
+++ b/rules/linux/lnx_system_network_discovery.yml
@@ -0,0 +1,32 @@
+title: System Network Discovery - Linux
+id: e7bd1cfa-b446-4c88-8afb-403bcd79e3fa
+status: experimental
+description: Detects enumeration of local network configuration
+author: Ömer Günal and remotephone, oscd.community
+date: 2020/10/06
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md
+logsource:
+ category: process_creation
+ product: linux
+detection:
+ selection1:
+ Image|endswith:
+ - '/firewall-cmd'
+ - '/ufw'
+ - '/iptables'
+ - '/netstat'
+ - '/ss'
+ - '/ip'
+ - '/ifconfig'
+ - '/systemd-resolve'
+ - '/route'
+ selection2:
+ CommandLine|contains: '/etc/resolv.conf'
+ condition: selection1 or selection2
+falsepositives:
+ - Legitimate administration activities
+level: informational
+tags:
+ - attack.discovery
+ - attack.t1016
diff --git a/rules/linux/lnx_system_shutdown_reboot.yml b/rules/linux/lnx_system_shutdown_reboot.yml
new file mode 100644
index 000000000..88c476d4b
--- /dev/null
+++ b/rules/linux/lnx_system_shutdown_reboot.yml
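Review bot: In the network-discovery rule, `'/ip'` and `'/ss'` in `selection1` match every invocation of `ip`/`ss`, which network managers, DHCP clients, container runtimes and monitoring agents commonly run on their own, so this selection is likely to dominate the rule's volume and bury the interesting hits even at `level: informational`. Consider restricting `ip` to the read-only subcommands (`CommandLine|contains: ['addr', 'route', 'neigh', 'link']`) or filtering known automation via `ParentImage`, and say so under `falsepositives`. `selection2` matches any process whose command line mentions `/etc/resolv.conf`, which includes the resolver-management tools themselves (`resolvconf`, `systemd-resolved` helpers).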
@@ -0,0 +1,40 @@
+title: 'System Shutdown/Reboot'
+id: 4cb57c2f-1f29-41f8-893d-8bed8e1c1d2f
+status: experimental
+description: 'Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.'
+ # For this rule to work execve auditing must be configured
+ # Example config (place it at the bottom of audit.rules)
+ # -a always,exit -F arch=b32 -S execve -k execve
+ # -a always,exit -F arch=b64 -S execve -k execve
+author: 'Igor Fits, oscd.community'
+date: 2020/10/15
+references:
+ - hhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md
+logsource:
+ product: linux
+ service: auditd
+detection:
+ selection1:
+ type: 'EXECVE'
+ keywords|contains:
+ - 'shutdown'
+ - 'reboot'
+ - 'halt'
+ - 'poweroff'
+ selection2:
+ type: 'EXECVE'
+ keywords|contains:
+ - 'init'
+ - 'telinit'
+ selection3:
+ type: 'EXECVE'
+ keywords|contains:
+ - '0'
+ - '6'
+ condition: selection1 or (selection2 and selection3)
+falsepositives:
+ - 'Legitimate administrative activity'
+level: informational
+tags:
+ - attack.impact
+ - attack.t1529
diff --git a/rules/linux/macos_applescript.yml b/rules/linux/macos_applescript.yml
new file mode 100644
index 000000000..38daf676a
--- /dev/null
+++ b/rules/linux/macos_applescript.yml
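Review bot: `selection2` and `selection3` combine `keywords|contains: 'init'` with `keywords|contains: '0'`/`'6'`, so any `EXECVE` whose arguments contain the substring `init` plus a digit 0 or 6 anywhere (`git init`, `cloud-init`, a `__init__.py` path, a PID) satisfies the condition; a single digit is not usable as a qualifier. Anchor on argument positions instead — `a0|endswith: ['/init', '/telinit']` (or `a0: ['init', 'telinit']`) with `a1: ['0', '6']` — which the sibling histfile rule already exposes via `fields`. `selection1` has the same problem in milder form: `halt`/`reboot` as substrings match scripts that merely mention them. The reference URL is misspelled `hhttps://`.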
@@ -0,0 +1,24 @@
+title: MacOS Scripting Interpreter AppleScript
+id: 1bc2e6c5-0885-472b-bed6-be5ea8eace55
+status: experimental
+description: Detects execution of AppleScript of the macOS scripting language AppleScript.
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/21
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ selection:
+ Image|endswith:
+ - '/osascript'
+ CommandLine|contains|all:
+ - '-e'
+ condition: selection
+falsepositives:
+ - Application installers might contain scripts as part of the installation process.
+level: medium
+tags:
+ - attack.execution
+ - attack.t1059.002
diff --git a/rules/linux/macos_base64_decode.yml b/rules/linux/macos_base64_decode.yml
new file mode 100644
index 000000000..4afeec596
--- /dev/null
+++ b/rules/linux/macos_base64_decode.yml
@@ -0,0 +1,22 @@
+title: Decode Base64 Encoded Text
+id: 719c22d7-c11a-4f2c-93a6-2cfdd5412f68
+status: experimental
+description: Detects usage of base64 utility to decode arbitrary base64-encoded text
+author: Daniil Yugoslavskiy, oscd.community
+date: 2020/10/19
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ base64_execution:
+ Image: '/usr/bin/base64'
+ CommandLine|contains: '-d'
+ condition: base64_execution
+falsepositives:
+ - Legitimate activities
+level: low
+tags:
+ - attack.defense_evasion
+ - attack.t1027
\ No newline at end of file
diff --git a/rules/linux/macos_binary_padding.yml b/rules/linux/macos_binary_padding.yml
new file mode 100644
index 000000000..843b2aa61
--- /dev/null
+++ b/rules/linux/macos_binary_padding.yml
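Review bot: In the base64 rule, `CommandLine|contains: '-d'` assumes the GNU spelling, but the BSD `base64` shipped with macOS has historically used `-D` (capital) for decode, with `--decode` accepted on newer releases, so the most common native invocation `base64 -D` is missed. Use a list: `CommandLine|contains: ['-d', '-D', '--decode']`. `openssl base64 -d` and interpreter one-liners are other decode paths; they are out of scope for this rule but worth a sentence in the description so nobody assumes coverage.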
@@ -0,0 +1,33 @@
+title: 'Binary Padding'
+id: 95361ce5-c891-4b0a-87ca-e24607884a96
+status: experimental
+description: 'Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.'
+ # For this rule to work you must enable audit of process execution in OpenBSM, see
+ # https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing
+author: 'Igor Fits, Mikhail Larin, oscd.community'
+date: 2020/10/19
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md
+logsource:
+ product: macos
+ category: process_creation
+detection:
+ selection1:
+ Image|endswith:
+ - '/truncate'
+ CommandLine|contains:
+ - '-s'
+ selection2:
+ Image|endswith:
+ - '/dd'
+ CommandLine|contains:
+ - 'if='
+ filter:
+ CommandLine|contains: 'of='
+ condition: selection1 or (selection2 and not filter)
+falsepositives:
+ - 'Legitimate script work'
+level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1027.001
diff --git a/rules/linux/macos_change_file_time_attr.yml b/rules/linux/macos_change_file_time_attr.yml
new file mode 100644
index 000000000..f4a0ca2d7
--- /dev/null
+++ b/rules/linux/macos_change_file_time_attr.yml
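Review bot: `selection2` matches every `dd if=…` that has no `of=`, which is the normal form for reading a device or file into a pipe (`dd if=/dev/disk2 | gzip`, `dd if=/dev/urandom bs=… | head`), and `selection1` matches every `truncate` call because `-s` is effectively its only mode, so at `level: high` this will page on routine scripting. Narrow the `dd` branch to the padding sources the technique actually uses — replace the bare `'if='` with `CommandLine|contains: ['if=/dev/zero', 'if=/dev/urandom']` — and either lower the level or state the expected volume under `falsepositives`. Note also that excluding `of=` means a `dd` that names its padding target directly is never caught, so the filter removes a real variant along with the noise; that trade-off should be written into the description.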
@@ -0,0 +1,29 @@
+title: 'File Time Attribute Change'
+id: 88c0f9d8-30a8-4120-bb6b-ebb54abcf2a0
+status: experimental
+description: 'Detect file time attribute change to hide new or changes to existing files.'
+ # For this rule to work you must enable audit of process execution in OpenBSM, see
+ # https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing
+author: 'Igor Fits, Mikhail Larin, oscd.community'
+date: 2020/10/19
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md
+logsource:
+ product: macos
+ category: process_creation
+detection:
+ selection1:
+ Image|endswith: '/touch'
+ selection2:
+ CommandLine|contains:
+ - '-t'
+ - '-acmr'
+ - '-d'
+ - '-r'
+ condition: selection1 and selection2
+falsepositives:
+ - 'Unknown'
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1070.006
diff --git a/rules/linux/macos_clear_system_logs.yml b/rules/linux/macos_clear_system_logs.yml
new file mode 100644
index 000000000..33ce525a3
--- /dev/null
+++ b/rules/linux/macos_clear_system_logs.yml
@@ -0,0 +1,27 @@
+title: Indicator Removal on Host - Clear Mac System Logs
+id: acf61bd8-d814-4272-81f0-a7a269aa69aa
+status: experimental
+description: Detects deletion of local audit logs
+author: remotephone, oscd.community
+date: 2020/10/11
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.002/T1070.002.md
+logsource:
+ product: macos
+ category: process_creation
+detection:
+ selection1:
+ - Image|endswith: '/rm'
+ selection2:
+ CommandLine|contains: '/var/log'
+ selection3:
+ Commandline|contains|all:
+ - '/Users/'
+ - '/Library/Logs/'
+ condition: selection1 and (selection2 or selection3)
+falsepositives:
+ - Legitimate administration activities
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1070.002
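Review bot: `selection2` in the time-attribute rule uses bare `'-t'`, `'-d'` and `'-r'` substrings, which match any `touch` whose file name contains those letter pairs (`touch my-test.log`, `touch build-dir/x`), so `selection1 and selection2` adds little over plain `touch`. Bound the flags with whitespace — `CommandLine|contains: [' -t ', ' -d ', ' -r ', ' -acmr']` — and consider splitting `-acmr` into the individual timestamp flags, since BSD `touch` accepts them combined in any order and `-acmr` is just one spelling. A `falsepositives` entry of `Unknown` undersells it: build systems and package managers call `touch -r`/`-t` routinely.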
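Review bot: `selection3` in the clear-logs rule spells the field `Commandline` (lower-case l) while `selection2` and every other rule in this change use `CommandLine`; Sigma field names are case-sensitive and backend mappings key on `CommandLine`, so `selection3` is emitted against a nonexistent field and never matches — deletions under `/Users/*/Library/Logs/` are silently not detected. Rename it to `CommandLine|contains|all:`. `selection1` wraps its single map in a list (`- Image|endswith: '/rm'`), which is valid but inconsistent with the rest of the file, and `rm` is not the only way to clear logs on macOS (`log erase`, shell truncation), which the description should acknowledge.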
diff --git a/rules/linux/macos_create_account.yml b/rules/linux/macos_create_account.yml
new file mode 100644
index 000000000..42d1d4931
--- /dev/null
+++ b/rules/linux/macos_create_account.yml
@@ -0,0 +1,25 @@
+title: Creation Of A Local User Account
+id: 51719bf5-e4fd-4e44-8ba8-b830e7ac0731
+status: experimental
+description: Detects the creation of a new user account. Such accounts may be used for persistence that do not require persistent remote access tools to be deployed on the system.
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/06
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ selection:
+ Image|endswith:
+ - '/dscl'
+ CommandLine|contains:
+ - 'create'
+ condition: selection
+falsepositives:
+ - Legitimate administration activities
+level: low
+tags:
+ - attack.t1136 # an old one
+ - attack.t1136.001
+ - attack.persistence
diff --git a/rules/linux/macos_create_hidden_account.yml b/rules/linux/macos_create_hidden_account.yml
new file mode 100644
index 000000000..56cf55fdf
--- /dev/null
+++ b/rules/linux/macos_create_hidden_account.yml
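Review bot: `CommandLine|contains: 'create'` fires on every `dscl … -create` call, which includes attribute writes on existing records (`dscl . -create /Users/x UserShell /bin/zsh`), not only new accounts, while the other common account-creation path, `sysadminctl -addUser`, is not covered at all. Add a second selection `Image|endswith: '/sysadminctl'` with `CommandLine|contains: '-addUser'`, and consider requiring `/Users/` in the `dscl` command line so non-account `-create` calls are excluded. The file sits under `rules/linux/` with `product: macos`; that matches the other macOS rules in this change, so it is a repository-layout question rather than a defect here.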
@@ -0,0 +1,33 @@
+title: Hidden User Creation
+id: b22a5b36-2431-493a-8be1-0bae56c28ef3
+status: experimental
+description: Detects creation of a hidden user account on macOS (UserID < 500) or with IsHidden option
+author: Daniil Yugoslavskiy, oscd.community
+date: 2020/10/10
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.002/T1564.002.md
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ dscl_create:
+ Image|endswith: '/dscl'
+ CommandLine|contains: 'create'
+ id_below_500:
+ CommandLine|contains: UniqueID
+ CommandLine|re: '([0-9]|[1-9][0-9]|[1-4][0-9]{2})'
+ ishidden_option_declaration:
+ CommandLine|contains: 'IsHidden'
+ ishidden_option_confirmation:
+ CommandLine|contains:
+ - 'true'
+ - 'yes'
+ - '1'
+ condition: dscl_create and id_below_500 or
+ dscl_create and (ishidden_option_declaration and ishidden_option_confirmation)
+falsepositives:
+ - Legitimate administration activities
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1564.002
\ No newline at end of file
diff --git a/rules/linux/macos_creds_from_keychain.yml b/rules/linux/macos_creds_from_keychain.yml
new file mode 100644
index 000000000..e8d3d1302
--- /dev/null
+++ b/rules/linux/macos_creds_from_keychain.yml
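Review bot: `CommandLine|re: '([0-9]|[1-9][0-9]|[1-4][0-9]{2})'` is unanchored, so it matches any command line containing a single digit — `UniqueID 501` satisfies it via the `5` — and `id_below_500` therefore adds nothing beyond `contains: UniqueID`; likewise `'1'` under `ishidden_option_confirmation` matches almost any command line. Bind the value to the attribute: `CommandLine|re: 'UniqueID\s+([0-9]|[1-9][0-9]|[1-4][0-9]{2})(\s|$)'`, and `CommandLine|re: 'IsHidden\s+(1|true|yes)'` in the same style. Also parenthesize the condition — `(dscl_create and id_below_500) or (dscl_create and ishidden_option_declaration and ishidden_option_confirmation)` — so precedence does not depend on the backend's parser.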
@@ -0,0 +1,29 @@
+title: Credentials from Password Stores - Keychain
+id: b120b587-a4c2-4b94-875d-99c9807d6955
+status: experimental
+description: Detects passwords dumps from Keychain
+author: Tim Ismilyaev, oscd.community, Florian Roth
+date: 2020/10/19
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.001/T1555.001.md
+ - https://gist.github.com/Capybara/6228955
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ selection1:
+ Image: '/us/bin/security'
+ CommandLine|contains:
+ - 'find-certificate'
+ - ' export '
+ selection2:
+ CommandLine|contains:
+ - ' dump-keychain '
+ - ' login-keychain '
+ condition: 1 of them
+falsepositives:
+ - Legitimate administration activities
+level: medium
+tags:
+ - attack.credential_access
+ - attack.t1555.001
diff --git a/rules/linux/macos_disable_security_tools.yml b/rules/linux/macos_disable_security_tools.yml
new file mode 100644
index 000000000..0f843c789
--- /dev/null
+++ b/rules/linux/macos_disable_security_tools.yml
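Review bot: `selection2` has no `Image` constraint and keys on `' dump-keychain '` / `' login-keychain '`; the second value is only a file-name fragment, so any tool that mentions `login-keychain` matches, while the subcommands that actually print secrets — `security find-generic-password -w` and `security find-internet-password -w` — are not listed at all. Add `'find-generic-password'` and `'find-internet-password'` to `selection1` (ideally paired with `' -w'` or `' -g'` via a second `contains|all` selection), and either drop `' login-keychain '` or move it under the `Image`-bound `selection1`. The space-padded `' export '` keyword will miss `export` as the final token in log formats that do not append a trailing space.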
@@ -0,0 +1,42 @@
+title: Disable Security Tools
+id: ff39f1a6-84ac-476f-a1af-37fcdf53d7c0
+status: experimental
+description: Detects disabling security tools
+author: Daniil Yugoslavskiy, oscd.community
+date: 2020/10/19
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ launchctl_unload:
+ Image: '/bin/launchctl'
+ CommandLine|contains: 'unload'
+ security_plists:
+ CommandLine|contains:
+ - 'com.objective-see.lulu.plist' # Objective-See firewall management utility
+ - 'com.objective-see.blockblock.plist' # Objective-See persistence locations watcher/blocker
+ - 'com.google.santad.plist' # google santa
+ - 'com.carbonblack.defense.daemon.plist' # carbon black
+ - 'com.carbonblack.daemon.plist' # carbon black
+ - 'at.obdev.littlesnitchd.plist' # Objective Development Software firewall management utility
+ - 'com.tenablesecurity.nessusagent.plist' # Tenable Nessus
+ - 'com.opendns.osx.RoamingClientConfigUpdater.plist' # OpenDNS Umbrella
+ - 'com.crowdstrike.falcond.plist' # Crowdstrike Falcon
+ - 'com.crowdstrike.userdaemon.plist' # Crowdstrike Falcon
+ - 'osquery' # facebook osquery
+ - 'filebeat' # elastic log file shipper
+ - 'auditbeat' # elastic auditing agent/log shipper
+ - 'packetbeat' # elastic network logger/shipper
+ - 'td-agent' # fluentd log shipper
+ disable_gatekeeper:
+ Image: '/usr/sbin/spctl'
+ CommandLine|contains: 'disable'
+ condition: (launchctl_unload and security_plists) or disable_gatekeeper
+falsepositives:
+ - Legitimate activities
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
\ No newline at end of file
diff --git a/rules/linux/macos_emond_launch_daemon.yml b/rules/linux/macos_emond_launch_daemon.yml
new file mode 100644
index 000000000..1c904a61b
--- /dev/null
+++ b/rules/linux/macos_emond_launch_daemon.yml
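Review bot: `launchctl_unload` matches only `unload`, but `launchctl bootout`, `launchctl remove` and `launchctl disable` stop or unregister the same daemons and are the forms current Apple documentation points to, so an attacker using them is not seen. Widen to `CommandLine|contains: ['unload', 'bootout', 'remove', 'disable']`. `Image: '/bin/launchctl'` and `Image: '/usr/sbin/spctl'` are exact-path matches while the sibling macOS rules use `|endswith`; either is acceptable if deliberate, but mixing styles invites the `/usr/sbin/osascript`-type path mistake. `disable_gatekeeper` keys on the substring `disable`, which also matches `spctl --disable` for a label; list that under `falsepositives`.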
@@ -0,0 +1,26 @@
+title: MacOS Emond Launch Daemon
+id: 23c43900-e732-45a4-8354-63e4a6c187ce
+status: experimental
+description: Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges.
+author: Alejandro Ortuno, oscd.community
+date: 2020/10/23
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md
+ - https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
+logsource:
+ category: file_event
+ product: macos
+detection:
+ selection_1:
+ TargetFilename|contains: '/etc/emond.d/rules/'
+ TargetFilename|endswith: '.plist'
+ selection_2:
+ TargetFilename|contains: '/private/var/db/emondClients/'
+ condition: selection_1 or selection_2
+falsepositives:
+ - Legitimate administration activities
+level: medium
+tags:
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1546.014
diff --git a/rules/linux/macos_file_and_directory_discovery.yml b/rules/linux/macos_file_and_directory_discovery.yml
new file mode 100644
index 000000000..025babc38
--- /dev/null
+++ b/rules/linux/macos_file_and_directory_discovery.yml
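Review bot: `selection_2` requires the `/private/var/db/emondClients/` spelling, whereas macOS file-event sources may report the symlinked `/var/db/emondClients/` form; `selection_1`'s `/etc/emond.d/rules/` happens to match both `/etc/…` and `/private/etc/…` because the `contains` is on the suffix, so the two selections are inconsistent. Use `TargetFilename|contains: '/var/db/emondClients/'`, which matches either path. The `|endswith: '.plist'` restriction on `selection_1` will miss a rule file dropped under another extension and renamed later; that is a reasonable trade-off but should be stated in the description.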
@@ -0,0 +1,31 @@
+title: File and Directory Discovery
+id: 089dbdf6-b960-4bcc-90e3-ffc3480c20f6
+status: experimental
+description: Detects usage of system utilities to discover files and directories
+author: Daniil Yugoslavskiy, oscd.community
+date: 2020/10/19
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md
+logsource:
+ category: process_creation
+ product: macos
+detection:
+ file_with_asterisk:
+ Image: '/usr/bin/file'
+ CommandLine|re: '(.){200,}' # execution of the 'file */* *>> /tmp/output.txt' will produce huge commandline
+ recursive_ls:
+ Image: '/bin/ls'
+ CommandLine|contains: '-R'
+ find_execution:
+ Image: '/usr/bin/find'
+ mdfind_execution:
+ Image: '/usr/bin/mdfind'
+ tree_execution|endswith:
+ Image: '/tree'
+ condition: 1 of them
+falsepositives:
+ - Legitimate activities
+level: informational
+tags:
+ - attack.discovery
+ - attack.t1083
\ No newline at end of file
diff --git a/rules/linux/macos_find_cred_in_files.yml b/rules/linux/macos_find_cred_in_files.yml
new file mode 100644
index 000000000..a0b2a0cbd
--- /dev/null
+++ b/rules/linux/macos_find_cred_in_files.yml
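Review bot: `tree_execution|endswith:` puts the modifier on the selection name instead of the field, which is not valid Sigma — the modifier belongs on the field: `tree_execution:` followed by `Image|endswith: '/tree'`. As written, a converter will either reject the rule or emit an exact match on `Image: '/tree'` that never fires. `find_execution` and `mdfind_execution` match every invocation of those tools with no command-line qualifier, which is a lot of volume even at `level: informational`; if that is intended, `falsepositives` should say so rather than the generic `Legitimate activities`.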
@@ -0,0 +1,28 @@
+title: 'Credentials In Files'
+id: 53b1b378-9b06-4992-b972-dde6e423d2b4
+status: experimental
+description: 'Detecting attempts to extract passwords with grep and laZagne'
+ # For this rule to work you must enable audit of process execution in OpenBSM, see
+ # https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing
+author: 'Igor Fits, Mikhail Larin, oscd.community'
+date: 2020/10/19
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md
+logsource:
+ product: macos
+ category: process_creation
+detection:
+ selection1:
+ Image|endswith:
+ - '/grep'
+ CommandLine|contains:
+ - 'password'
+ selection2:
+ CommandLine|contains: 'laZagne'
+ condition: selection1 or selection2
+falsepositives:
+ - 'Unknown'
+level: high
+tags:
+ - attack.credential_access
+ - attack.t1552.001
diff --git a/rules/linux/macos_gui_input_capture.yml b/rules/linux/macos_gui_input_capture.yml
new file mode 100644
index 000000000..22b42e1c4
--- /dev/null
+++ b/rules/linux/macos_gui_input_capture.yml
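Review bot: `selection1` — any `grep` with `password` somewhere in the command line — at `level: high` will fire on every developer or administrator searching configs and logs, so the rule will be tuned out quickly; either lower it to `medium` and replace `falsepositives: 'Unknown'` with the obvious entries, or tighten to recursive/case-insensitive searches (`' -r'`, `' -i'`) over home and config paths, which is closer to the referenced atomic. `'laZagne'` is a case-sensitive substring on most backends, so `lazagne.py` or a renamed binary is missed; add the lower-case spelling or use a case-insensitive match where the backend supports one. `egrep`/`rg`/`ag` could be added to `Image|endswith` if they are in scope.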
@@ -0,0 +1,39 @@ +title: GUI Input Capture - macOS +id: 60f1ce20-484e-41bd-85f4-ac4afec2c541 +status: experimental +description: Detects attempts to use system dialog prompts to capture user credentials +author: remotephone, oscd.community +date: 2020/10/13 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md + - https://scriptingosx.com/2018/08/user-interaction-from-bash-scripts/ +logsource: + product: macos + category: process_creation +detection: + selection1: + Image: + - '/usr/sbin/osascript' + selection2: + Commandline|contains|all: + - '-e' + - 'display' + - 'dialog' + - 'answer' + selection3: + Commandline|contains: + - 'admin' + - 'administrator' + - 'authenticate' + - 'authentication' + - 'credentials' + - 'pass' + - 'password' + - 'unlock' + condition: all of them +falsepositives: + - Legitimate administration tools and activities +level: low +tags: + - attack.credential_access + - attack.t1056.002 diff --git a/rules/linux/macos_local_account.yml b/rules/linux/macos_local_account.yml new file mode 100644 index 000000000..638fb1ba9 --- /dev/null +++ b/rules/linux/macos_local_account.yml 
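Review bot: `selection2` and `selection3` use the field name `Commandline`, whereas every other macOS process_creation rule in this patch uses `CommandLine`; with a case-sensitive field mapping those two selections never match and, because the condition is `all of them`, the rule is dead. Rename them to `CommandLine|contains|all:` and `CommandLine|contains:`. Also, `osascript` ships at `/usr/bin/osascript` on macOS, so the exact `Image: '/usr/sbin/osascript'` will not fire either; `Image|endswith: '/osascript'` is the safer form and consistent with the sibling rules.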
@@ -0,0 +1,48 @@ +title: Local System Accounts Discovery +id: ddf36b67-e872-4507-ab2e-46bda21b842c +status: experimental +description: Detects enumeration of local systeam accounts on MacOS +author: Alejandro Ortuno, oscd.community +date: 2020/10/08 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1087.001/T1087.001.md +logsource: + category: process_creation + product: macos +detection: + selection_1: + Image|endswith: + - '/dscl' + CommandLine|contains|all: + - 'list' + - '/users' + selection_2: + Image|endswith: + - '/dscacheutil' + CommandLine|contains|all: + - '-q' + - 'user' + selection_3: + CommandLine|contains: + - "'x:0:'" + selection_4: + Image|endswith: + - '/cat' + CommandLine|contains: + - '/etc/passwd' + - '/etc/sudoers' + selection_5: + Image|endswith: + - '/id' + selection_6: + Image|endswith: + - '/lsof' + CommandLine|contains: + - '-u' + condition: 1 of them +falsepositives: + - Legitimate administration activities +level: low +tags: + - attack.discovery + - attack.t1087.001 diff --git a/rules/linux/macos_local_groups.yml b/rules/linux/macos_local_groups.yml new file mode 100644 index 000000000..7cffce09d --- /dev/null +++ b/rules/linux/macos_local_groups.yml 
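Review bot: `selection_3` searches for the literal string `'x:0:'` including the single quotes, but argv-based process auditing on macOS records the arguments after the shell has removed quoting, so `grep 'x:0:' /etc/passwd` is logged as `grep x:0: /etc/passwd` and never matches. Use `CommandLine|contains: 'x:0:'`. `selection_5` fires on every execution of `/usr/bin/id`, which shell profiles and scripts run constantly, and with `condition: 1 of them` it will dominate alert volume; either drop it or require an argument. The description has a typo: `systeam` should be `system`.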
@@ -0,0 +1,36 @@ +title: Local Groups Discovery +id: 89bb1f97-c7b9-40e8-b52b-7d6afbd67276 +status: experimental +description: Detects enumeration of local system groups +author: Ömer Günal, Alejandro Ortuno, oscd.community +date: 2020/10/11 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md +logsource: + category: process_creation + product: macos +detection: + selection_1: + Image|endswith: + - '/dscacheutil' + CommandLine|contains|all: + - '-q' + - 'group' + selection_2: + Image|endswith: + - '/cat' + CommandLine|contains: + - '/etc/group' + selection_3: + Image|endswith: + - '/dscl' + CommandLine|contains|all: + - '-list' + - '/groups' + condition: 1 of them +falsepositives: + - Legitimate administration activities +level: informational +tags: + - attack.discovery + - attack.t1069.001 diff --git a/rules/linux/macos_network_service_scanning.yml b/rules/linux/macos_network_service_scanning.yml new file mode 100644 index 000000000..8faa5b721 --- /dev/null +++ b/rules/linux/macos_network_service_scanning.yml @@ -0,0 +1,29 @@ +title: MacOS Network Service Scanning +id: 84bae5d4-b518-4ae0-b331-6d4afd34d00f +status: experimental +description: Detects enumeration of local or remote network services. +author: Alejandro Ortuno, oscd.community +date: 2020/10/21 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md +logsource: + category: process_creation + product: macos +detection: + selection_1: + Image|endswith: + - '/nc' + - '/netcat' + selection_2: + Image|endswith: + - '/nmap' + - '/telnet' + filter: + CommandLine|contains: 'l' + condition: (selection_1 and not filter) or selection_2 +falsepositives: + - Legitimate administration activities +level: low +tags: + - attack.discovery + - attack.t1046 diff --git a/rules/linux/macos_network_sniffing.yml b/rules/linux/macos_network_sniffing.yml new file mode 100644 index 000000000..ef95ea36d --- /dev/null 
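Review bot: in the network service scanning rule, `filter: CommandLine|contains: 'l'` excludes any `nc`/`netcat` command line containing the letter l anywhere — `nc mail.corp 25`, `nc localhost 8080` — not just listener mode, so the filter suppresses a large share of the outbound probes the rule exists to catch. Anchor it to the flag, e.g. `CommandLine|contains: ' -l'`, or use a regex such as `CommandLine|re: '(^|\s)-[a-zA-Z]*l'` to cover combined flags like `-lvp`. `selection_2` also alerts on every `telnet` execution, which is an interactive login tool as often as a port probe; consider requiring a port argument or documenting that under falsepositives.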
+++ b/rules/linux/macos_network_sniffing.yml @@ -0,0 +1,24 @@ +title: Network Sniffing +id: adc9bcc4-c39c-4f6b-a711-1884017bf043 +status: experimental +description: Detects the usage of tooling to sniff network traffic. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. +author: Alejandro Ortuno, oscd.community +date: 2020/10/14 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md +logsource: + category: process_creation + product: macos +detection: + selection: + Image|endswith: + - '/tcpdump' + - '/tshark' + condition: selection +falsepositives: + - Legitimate administration activities +level: informational +tags: + - attack.discovery + - attack.credential_access + - attack.t1040 diff --git a/rules/linux/macos_remote_system_discovery.yml b/rules/linux/macos_remote_system_discovery.yml new file mode 100644 index 000000000..fd5867314 --- /dev/null +++ b/rules/linux/macos_remote_system_discovery.yml 
@@ -0,0 +1,48 @@ +title: Macos Remote System Discovery +id: 10227522-8429-47e6-a301-f2b2d014e7ad +status: experimental +description: Detects the enumeration of other remote systems. +author: Alejandro Ortuno, oscd.community +date: 2020/10/22 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md +logsource: + category: process_creation + product: macos +detection: + selection_1: + Image|endswith: + - '/arp' + CommandLine|contains: + - '-a' + selection_2: + Image|endswith: + - '/ping' + CommandLine|contains: + - ' 10.' #10.0.0.0/8 + - ' 192.168.' #192.168.0.0/16 + - ' 172.16.' #172.16.0.0/12 + - ' 172.17.' + - ' 172.18.' + - ' 172.19.' + - ' 172.20.' + - ' 172.21.' + - ' 172.22.' + - ' 172.23.' + - ' 172.24.' + - ' 172.25.' + - ' 172.26.' + - ' 172.27.' + - ' 172.28.' + - ' 172.29.' + - ' 172.30.' + - ' 172.31.' + - ' 127.' #127.0.0.0/8 + - ' 169.254.' #169.254.0.0/16 + condition: 1 of them +falsepositives: + - Legitimate administration activities +level: informational +tags: + - attack.discovery + - attack.t1018 diff --git a/rules/linux/macos_schedule_task_job_cron.yml b/rules/linux/macos_schedule_task_job_cron.yml new file mode 100644 index 000000000..c757d014f --- /dev/null +++ b/rules/linux/macos_schedule_task_job_cron.yml 
@@ -0,0 +1,26 @@ +title: Scheduled Cron Task/Job +id: 7c3b43d8-d794-47d2-800a-d277715aa460 +status: experimental +description: Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder. +author: Alejandro Ortuno, oscd.community +date: 2020/10/06 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md +logsource: + category: process_creation + product: macos +detection: + selection: + Image|endswith: + - '/crontab' + CommandLine|contains: + - '/tmp/' + condition: selection +falsepositives: + - Legitimate administration activities +level: medium +tags: + - attack.execution + - attack.persistence + - attack.privilege_escalation + - attack.t1053.003 diff --git a/rules/linux/macos_screencapture.yml b/rules/linux/macos_screencapture.yml new file mode 100644 index 000000000..18fb1bf32 --- /dev/null +++ b/rules/linux/macos_screencapture.yml @@ -0,0 +1,22 @@ +title: Screen Capture - macOS +id: 0877ed01-da46-4c49-8476-d49cdd80dfa7 +status: experimental +description: Detects attempts to use screencapture to collect macOS screenshots +author: remotephone, oscd.community +date: 2020/10/13 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md + - https://github.com/BC-SECURITY/Empire/blob/master/lib/modules/python/collection/osx/screenshot.py +logsource: + product: macos + category: process_creation +detection: + selection: + Image: '/usr/sbin/screencapture' + condition: selection +falsepositives: + - Legitimate user activity taking screenshots +level: low +tags: + - attack.collection + - attack.t1113 diff --git a/rules/linux/macos_security_software_discovery.yml b/rules/linux/macos_security_software_discovery.yml new file mode 100644 index 000000000..ae896a953 --- /dev/null +++ b/rules/linux/macos_security_software_discovery.yml 
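Review bot: `CommandLine|contains: '/tmp/'` only sees a crontab loaded from `/tmp`; on macOS the same directory is also addressed as `/private/tmp/`, and `/var/tmp/` or `$TMPDIR` under `/var/folders/` are equally common staging locations, while `crontab -` (stdin) and `crontab -e` leave nothing in argv at all. Extend the list with `- '/private/tmp/'`, `- '/var/tmp/'` and `- '/var/folders/'`, and mention the stdin/editor gap in the description so analysts do not assume cron abuse is fully covered.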
@@ -0,0 +1,39 @@ +title: Security Software Discovery +id: 0ed75b9c-c73b-424d-9e7d-496cd565fbe0 +status: experimental +description: Detects usage of system utilities (only grep for now) to discover security software discovery +author: Daniil Yugoslavskiy, oscd.community +date: 2020/10/19 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md +logsource: + category: process_creation + product: macos +detection: + grep_execution: + Image: '/usr/bin/grep' + security_services_and_processes: + CommandLine|contains: + - 'nessusd' # nessus vulnerability scanner + - 'santad' # google santa + - 'CbDefense' # carbon black + - 'falcond' # crowdstrike falcon + - 'td-agent' # fluentd log shipper + - 'packetbeat' # elastic network logger/shipper + - 'filebeat' # elastic log file shipper + - 'auditbeat' # elastic auditing agent/log shipper + - 'osqueryd' # facebook osquery + - 'BlockBlock' # Objective-See persistence locations watcher/blocker + - 'LuLu' # Objective-See firewall management utility + little_snitch_process: # Objective Development Software firewall management utility + CommandLine|contains|all: + - 'Little' + - 'Snitch' + condition: grep_execution and security_services_and_processes or + grep_execution and little_snitch_process +falsepositives: + - Legitimate activities +level: medium +tags: + - attack.discovery + - attack.t1518.001 \ No newline at end of file diff --git a/rules/linux/macos_split_file_into_pieces.yml b/rules/linux/macos_split_file_into_pieces.yml new file mode 100644 index 000000000..f65d96dee --- /dev/null +++ b/rules/linux/macos_split_file_into_pieces.yml 
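Review bot: `Image: '/usr/bin/grep'` is an exact path, so `egrep`, `fgrep` and especially `pgrep` — the natural way to check whether `falcond` or `santad` is running — fall outside the rule, as does a bare `ps -ef`. `Image|endswith:` with `- '/grep'`, `- '/egrep'`, `- '/fgrep'`, `- '/pgrep'` covers the common variants at no extra false-positive cost. The condition relies on `and` binding tighter than `or`; writing it as `grep_execution and (security_services_and_processes or little_snitch_process)` removes any ambiguity for backend converters.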
@@ -0,0 +1,23 @@ +title: 'Split A File Into Pieces' +id: 7f2bb9d5-6395-4de5-969c-70c11fbe6b12 +status: experimental +description: 'Detection use of the command "split" to split files into parts and possible transfer.' + # For this rule to work you must enable audit of process execution in OpenBSM, see link + # https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing +author: 'Igor Fits, Mikhail Larin, oscd.community' +date: 2020/10/15 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1030/T1030.md +logsource: + product: macos + category: process_creation +detection: + selection: + Image|endswith: '/split' + condition: selection +falsepositives: + - 'Legitimate administrative activity' +level: low +tags: + - attack.exfiltration + - attack.t1030 diff --git a/rules/linux/macos_startup_items.yml b/rules/linux/macos_startup_items.yml new file mode 100644 index 000000000..89102e3ff --- /dev/null +++ b/rules/linux/macos_startup_items.yml @@ -0,0 +1,24 @@ +title: Startup Items +id: dfe8b941-4e54-4242-b674-6b613d521962 +status: experimental +description: Detects creation of startup item plist files that automatically get executed at boot initialization to establish persistence. +author: Alejandro Ortuno, oscd.community +date: 2020/10/14 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md +logsource: + category: file_event + product: macos +detection: + selection_1: + TargetFilename|contains: '/Library/StartupItems/' + selection_2: + TargetFilename|endswith: '.plist' + condition: selection_1 and selection_2 +falsepositives: + - Legitimate administration activities +level: low +tags: + - attack.persistence + - attack.privilege_escalation + - attack.t1037.005 diff --git a/rules/linux/macos_susp_histfile_operations.yml b/rules/linux/macos_susp_histfile_operations.yml new file mode 100644 index 000000000..b643bfbb3 --- /dev/null 
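Review bot: in the Startup Items rule, requiring `TargetFilename|endswith: '.plist'` means only `StartupParameters.plist` is seen; the actual payload of a StartupItem is the executable dropped in the same `/Library/StartupItems/<name>/` directory, which this condition never alerts on. Because legitimate writes to `/Library/StartupItems/` are rare on current macOS (the mechanism is deprecated), `condition: selection_1` alone is probably the better trade-off, with the plist match kept as a second, higher-severity rule if desired. I could not find another `category: file_event` / `product: macos` rule in this patch, so the description should state which sensor is expected to supply these events.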
+++ b/rules/linux/macos_susp_histfile_operations.yml @@ -0,0 +1,33 @@ +title: 'Suspicious History File Operations' +id: 508a9374-ad52-4789-b568-fc358def2c65 +status: experimental +description: 'Detects commandline operations on shell history files' + # Rule detects presence of various shell history files in process commandline + # Normally user expected to view own history with dedicated 'history' command and not some other tools + # There is a possibility for rule to trigger, when T1070.003 techinuque is used (history file cleared) + # For this rule to work you must enable audit of process execution in OpenBSM, see + # https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing +author: 'Mikhail Larin, oscd.community' +date: 2020/10/17 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.003/T1552.003.md +logsource: + product: macos + category: process_creation +detection: + selection: + CommandLine|contains: + - '.bash_history' + - '.zsh_history' + - '.zhistory' + - '.history' + - '.sh_history' + - 'fish_history' + condition: selection +falsepositives: + - 'Legitimate administrative activity' + - 'Ligitimate software, cleaning hist file' +level: medium +tags: + - attack.credential_access + - attack.t1552.003 diff --git a/rules/linux/macos_system_network_connections_discovery.yml b/rules/linux/macos_system_network_connections_discovery.yml new file mode 100644 index 000000000..1a3fb7d41 --- /dev/null +++ b/rules/linux/macos_system_network_connections_discovery.yml 
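Review bot: the `.history` entry already matches `.bash_history`, `.zsh_history` and `.sh_history`, so three list items are redundant and the list reduces to `.history`, `.zhistory`, `fish_history` with identical behaviour. More importantly the description points at T1070.003, but clearing history via `unset HISTFILE`, `HISTFILESIZE=0` or `history -c` are shell builtins that never generate a process_creation event, so this rule cannot see them; that gap deserves a sentence in the description. The falsepositives entry has a typo: `Ligitimate` should be `Legitimate`, and `techinuque` in the comment should be `technique`.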
@@ -0,0 +1,26 @@ +title: System Network Connections Discovery +id: 9a7a0393-2144-4626-9bf1-7c2f5a7321db +status: experimental +description: Detects usage of system utilities to discover system network connections +author: Daniil Yugoslavskiy, oscd.community +date: 2020/10/19 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md +logsource: + category: process_creation + product: macos +detection: + selection: + Image: + - '/usr/bin/who' + - '/usr/bin/w' + - '/usr/bin/last' + - '/usr/sbin/lsof' + - '/usr/sbin/netstat' + condition: selection +falsepositives: + - Legitimate activities +level: informational +tags: + - attack.discovery + - attack.t1049 \ No newline at end of file diff --git a/rules/linux/macos_system_network_discovery.yml b/rules/linux/macos_system_network_discovery.yml new file mode 100644 index 000000000..40b2f33d5 --- /dev/null +++ b/rules/linux/macos_system_network_discovery.yml @@ -0,0 +1,32 @@ +title: System Network Discovery - macOS +id: 58800443-f9fc-4d55-ae0c-98a3966dfb97 +status: experimental +description: Detects enumeration of local network configuration +author: remotephone, oscd.community +date: 2020/10/06 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md +logsource: + product: macos + category: process_creation +detection: + selection1: + Image: + - '/usr/sbin/netstat' + - '/sbin/ifconfig' + - '/usr/sbin/ipconfig' + - '/usr/libexec/ApplicationFirewall/socketfilterfw' + - '/usr/sbin/networksetup' + - '/usr/sbin/arp' + selection2: + Image: '/usr/bin/defaults' + Commandline|contains|all: + - 'read' + - '/Library/Preferences/com.apple.alf' + condition: selection1 or selection2 +falsepositives: + - Legitimate administration activities +level: informational +tags: + - attack.discovery + - attack.t1016 diff --git a/rules/linux/macos_system_shutdown_reboot.yml b/rules/linux/macos_system_shutdown_reboot.yml new file mode 100644 index 000000000..fe4d4b645 
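Review bot: in the System Network Discovery rule, `selection2` uses `Commandline|contains|all`, while the sibling rule on this same line and every other macOS rule in the patch use `CommandLine`; on a backend with case-sensitive field names selection2 is dead and only the bare `Image` list in selection1 remains. Change it to `CommandLine|contains|all:`. Also, `/usr/sbin/netstat` appears in both this rule and the System Network Connections Discovery rule above, so a single `netstat` execution raises two informational alerts — acceptable, but worth a note so the duplication is intentional.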
--- /dev/null +++ b/rules/linux/macos_system_shutdown_reboot.yml @@ -0,0 +1,26 @@ +title: 'System Shutdown/Reboot' +id: 40b1fbe2-18ea-4ee7-be47-0294285811de +status: experimental +description: 'Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems.' + # For this rule to work you must enable audit of process execution in OpenBSM, see + # https://osquery.readthedocs.io/en/stable/deployment/process-auditing/#macos-process-socket-auditing +author: 'Igor Fits, Mikhail Larin, oscd.community' +date: 2020/10/19 +references: + - hhttps://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md +logsource: + product: macos + category: process_creation +detection: + selection: + Image|endswith: + - '/shutdown' + - '/reboot' + - '/halt' + condition: selection +falsepositives: + - 'Legitimate administrative activity' +level: informational +tags: + - attack.impact + - attack.t1529 diff --git a/rules/linux/macos_xattr_gatekeeper_bypass.yml b/rules/linux/macos_xattr_gatekeeper_bypass.yml new file mode 100644 index 000000000..8c4ac76c2 --- /dev/null +++ b/rules/linux/macos_xattr_gatekeeper_bypass.yml @@ -0,0 +1,24 @@ +title: Gatekeeper Bypass via Xattr +id: f5141b6d-9f42-41c6-a7bf-2a780678b29b +status: experimental +description: Detects macOS Gatekeeper bypass via xattr utility +author: Daniil Yugoslavskiy, oscd.community +date: 2020/10/19 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.001/T1553.001.md +logsource: + category: process_creation + product: macos +detection: + selection: + Image|endswith: '/xattr' + CommandLine|contains|all: + - '-r' + - 'com.apple.quarantine' + condition: selection +falsepositives: + - Legitimate activities +level: low +tags: + - attack.defense_evasion + - attack.t1553.001 \ No newline at end of file diff --git a/rules/network/net_mal_dns_cobaltstrike.yml b/rules/network/net_mal_dns_cobaltstrike.yml index 666f7c72b..3775bc795 100644 
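Review bot: the reference URL in the shutdown/reboot rule starts with `hhttps://` and will not resolve; fix it to `https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1529/T1529.md`. `Image|endswith: '/shutdown'`, `'/reboot'` and `'/halt'` match every invocation, including the routine `shutdown -r now` issued by MDM and update tooling, which is consistent with `level: informational` but should be named explicitly under falsepositives rather than the generic "Legitimate administrative activity".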
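Review bot: in the Gatekeeper bypass rule, requiring both `-r` and `com.apple.quarantine` misses the most common non-recursive form `xattr -d com.apple.quarantine <file>`, and also `xattr -c <file>`, which strips every attribute including quarantine. `-r` is only the recursive switch; the discriminating tokens are `-d` and `-c`. Consider `CommandLine|contains: 'com.apple.quarantine'` in one selection, a second selection with `CommandLine|contains:` `- ' -d'` `- ' -c'`, and an `and` between them, so `-r` is no longer required.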
--- a/rules/network/net_mal_dns_cobaltstrike.yml +++ b/rules/network/net_mal_dns_cobaltstrike.yml @@ -4,20 +4,21 @@ status: experimental description: Detects suspicious DNS queries known from Cobalt Strike beacons author: Florian Roth date: 2018/05/10 -modified: 2020/08/27 +modified: 2021/03/24 references: - https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns + - https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/ logsource: category: dns detection: selection: - query: - - 'aaa.stage.*' - - 'post.1*' + query|startswith: + - 'aaa.stage.' + - 'post.1' condition: selection falsepositives: - Unknown -level: high +level: critical tags: - attack.command_and_control - attack.t1071 # an old one diff --git a/rules/network/net_susp_dns_b64_queries.yml b/rules/network/net_susp_dns_b64_queries.yml index 8af84a946..6031ac587 100644 --- a/rules/network/net_susp_dns_b64_queries.yml +++ b/rules/network/net_susp_dns_b64_queries.yml @@ -11,8 +11,8 @@ logsource: category: dns detection: selection: - query: - - '*==.*' + query|contains: + - '==.' condition: selection falsepositives: - Unknown @@ -23,4 +23,4 @@ tags: - attack.t1048.003 - attack.command_and_control - attack.t1071 # an old one - - attack.t1071.004 \ No newline at end of file + - attack.t1071.004 diff --git a/rules/network/net_susp_dns_txt_exec_strings.yml b/rules/network/net_susp_dns_txt_exec_strings.yml index 7632d31f3..4e97c3493 100644 --- a/rules/network/net_susp_dns_txt_exec_strings.yml +++ b/rules/network/net_susp_dns_txt_exec_strings.yml @@ -13,10 +13,10 @@ logsource: detection: selection: record_type: 'TXT' - answer: - - '*IEX*' - - '*Invoke-Expression*' - - '*cmd.exe*' + answer|contains: + - 'IEX' + - 'Invoke-Expression' + - 'cmd.exe' condition: selection falsepositives: - Unknown @@ -24,4 +24,4 @@ level: high tags: - attack.command_and_control - attack.t1071 # an old one - - attack.t1071.004 \ No newline at end of file + - attack.t1071.004 
diff --git a/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml b/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml new file mode 100644 index 000000000..dfa15acba --- /dev/null +++ b/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml @@ -0,0 +1,23 @@ +title: First Time Seen Remote Named Pipe - Zeek +id: bae2865c-5565-470d-b505-9496c87d0c30 +description: Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled. +author: OTR (Open Threat Research) +references: + - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1 + - https://dirkjanm.io/a-different-way-of-abusing-zerologon/ + - https://twitter.com/_dirkjan/status/1309214379003588608 +tags: + - attack.lateral_movement + - attack.t1021.002 +date: 2018/11/28 +logsource: + product: zeek + service: smb_files +detection: + selection: + path: \\*\IPC$ + name: spoolss + condition: selection +falsepositives: + - 'Domain Controllers acting as printer servers too? :)' +level: medium \ No newline at end of file diff --git a/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml b/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml new file mode 100644 index 000000000..85306e0ae --- /dev/null +++ b/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml 
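Review bot: the title says "First Time Seen" but the detection is a plain match on `name: spoolss` over `IPC$` with no aggregation or baseline, so it fires on every spoolss pipe open, not only new ones; either rename the rule or describe the first-seen step as post-processing in the description. `path: \\*\IPC$` also keeps an inline wildcard while every other Zeek rule in this patch was converted to modifiers; `path|endswith: '\IPC$'` is the equivalent. `date: 2018/11/28` predates the 2020 Zerologon references, `status` is missing, and the falsepositives entry reads like a joke rather than guidance — print servers on DCs are exactly the case analysts need spelled out.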
@@ -0,0 +1,68 @@ +title: Suspicious DNS Z Flag Bit Set +id: ede05abc-2c9e-4624-9944-9ff17fdc0bf5 +description: 'The DNS Z flag is bit within the DNS protocol header that is, per the IETF design, meant to be used reserved (unused). Although recently it has been used in DNSSec, the value being set to anything other than 0 should be rare. Otherwise if it is set to non 0 and DNSSec is being used, then excluding the legitimate domains is low effort and high reward. Determine if multiple of these files were accessed in a short period of time to further enhance the possibility of seeing if this was a one off or the possibility of larger sensitive file gathering. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs' +date: 2021/05/04 +modified: 2021/05/24 +references: + - 'https://twitter.com/neu5ron/status/1346245602502443009' + - 'https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma' + - 'https://tools.ietf.org/html/rfc2929#section-2.1' + - 'https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS' +author: '@neu5ron, SOC Prime Team, Corelight' +tags: + - attack.t1094 + - attack.t1043 + - attack.command_and_control +logsource: + product: zeek + service: dns +detection: + z_flag_unset: + Z: '0' + most_probable_valid_domain: + query|contains: '.' 
+ exclude_tlds: + query|endswith: + - '.arpa' + - '.local' + - '.ultradns.net' + - '.twtrdns.net' + - '.azuredns-prd.info' + - '.azure-dns.com' + - '.azuredns-ff.info' + - '.azuredns-ff.org' + - '.azuregov-dns.org' + exclude_query_types: + qtype_name: + - 'NS' + - 'ns' + exclude_responses: + answers|endswith: '\\x00' + exclude_netbios: + id.resp_p: + - '137' + - '138' + - '139' + condition: NOT z_flag_unset AND most_probable_valid_domain AND NOT (exclude_tlds OR exclude_tlds OR exclude_query_types OR exclude_responses OR exclude_netbios) +falsepositives: + - 'Internal or legitimate external domains using DNSSec. Verify if these are legitimate DNSSec domains and then exclude them.' + - 'If you work in a Public Sector then it may be good to exclude things like endswith ".edu", ".gov" and or ".mil"' +level: medium +fields: + - ts + - id.orig_h + - id.orig_p + - id.resp_h + - id.resp_p + - proto + - qtype_name + - qtype + - query + - answers + - rcode + - rcode_name + - trans_id + - qtype + - ttl + - AA + - uid diff --git a/rules/network/zeek/zeek_http_executable_download_from_webdav.yml b/rules/network/zeek/zeek_http_executable_download_from_webdav.yml index a625e2078..9fe207555 100644 --- a/rules/network/zeek/zeek_http_executable_download_from_webdav.yml +++ b/rules/network/zeek/zeek_http_executable_download_from_webdav.yml @@ -15,11 +15,11 @@ date: 2020/05/01 modified: 2020/09/02 detection: selection_webdav: - - c-useragent: '*WebDAV*' - - c-uri: '*webdav*' + - c-useragent|contains: 'WebDAV' + - c-uri|contains: 'webdav' selection_executable: - - resp_mime_types: '*dosexec*' - - c-uri: '*.exe' + - resp_mime_types|contains: 'dosexec' + - c-uri|endswith: '.exe' condition: selection_webdav AND selection_executable falsepositives: - unknown diff --git a/rules/network/zeek/zeek_http_exfiltration_compressed_files.yml b/rules/network/zeek/zeek_http_exfiltration_compressed_files.yml new file mode 100644 index 000000000..d1d19bb68 --- /dev/null 
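Review bot: `exclude_tlds` appears twice in the `condition` (`exclude_tlds OR exclude_tlds OR ...`) and `qtype` appears twice in `fields` — harmless, but clearly paste slips. The description sentence "Determine if multiple of these files were accessed in a short period of time..." is boilerplate from a file-access rule and says nothing about DNS; drop it. `attack.t1094` and `attack.t1043` are retired technique IDs — elsewhere in this patch they are marked `# an old one` alongside the current `attack.t1071`; do the same here. The rule also lacks a `status` field.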
+++ b/rules/network/zeek/zeek_http_exfiltration_compressed_files.yml @@ -0,0 +1,30 @@ +title: Potential Exfiltration of Compressed Files +id: 0d47e3f6-357f-4534-928c-202631d065fa +description: This rule detects potential exfiltration by looking for a few compression extensions in the uri and signs of compression in the mime type, file type, and http body +date: 2020/04/05 +author: Greg Howell, OTR (Open Threat Research) +tags: + - attack.exfiltration + - attack.t1560.001 + - attack.t1005 +references: + - https://github.com/OTRF/detection-hackathon-apt29/issues/17 +logsource: + product: zeek + service: http +detection: + selection1: + uri|endswith: + - '.7z' + - '.zip' + - '.rar' + mime_types|endswith: 'compressed' + selection3: + filetype|endswith: 'compressed' + selection4: + http.bodyMagic|endswith: 'compressed' + http.method: PUT + condition: selection1 or selection3 or selection4 +falsepositives: + - Legitimate upload/download of archives +level: medium diff --git a/rules/network/zeek/zeek_http_webdav_put_request.yml b/rules/network/zeek/zeek_http_webdav_put_request.yml new file mode 100644 index 000000000..c4eb70960 --- /dev/null +++ b/rules/network/zeek/zeek_http_webdav_put_request.yml @@ -0,0 +1,27 @@ +title: WebDav Put Request +id: 705072a5-bb6f-4ced-95b6-ecfa6602090b +status: experimental +description: A General detection for WebDav user-agent being used to PUT files on a WebDav network share. This could be an indicator of exfiltration. +date: 2020/05/02 +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +tags: + - attack.exfiltration + - attack.t1048.003 +references: + - https://github.com/OTRF/detection-hackathon-apt29/issues/17 +logsource: + product: zeek + service: http +detection: + selection: + user_agent|contains: 'WebDAV' + method: 'PUT' + filter: + id_resp_h: + - 192.168.0.0/16 + - 172.16.0.0/12 + - 10.0.0.0/8 + condition: selection and not filter +falsepositives: + - unknown +level: low \ No newline at end of file 
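Review bot: only `selection4` checks `http.method: PUT`; `selection1` and `selection3` match downloads as readily as uploads, so an ordinary GET of a `.zip` with a compressed MIME type alerts as "exfiltration". Restrict those selections to outbound transfers (`method: PUT`/`POST`, or the request-side `orig_mime_types`) so the detection matches the title. `mime_types|endswith: 'compressed'` also fails for `application/zip`, the usual type for `.zip`, so the most common case in selection1 cannot satisfy both of its clauses; and `mime_types`, `filetype` and `http.bodyMagic` are not standard Zeek http.log fields (Zeek uses `orig_mime_types`/`resp_mime_types`), so the rule should name the enrichment it expects. A `status` field is missing.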
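Review bot: in the WebDAV PUT rule, the `filter` lists CIDR ranges as plain string values (`- 192.168.0.0/16`), which are compared literally against an IP address and never match; `not filter` is therefore always true and the rule fires on internal WebDAV PUTs too, the opposite of the intent. Use the cidr modifier: `id_resp_h|cidr:` with the three ranges. The field is spelled `id_resp_h` here while the Zeek DNS rule earlier in this patch uses `id.resp_p`; pick one form that matches the backend's field mapping.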
diff --git a/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml b/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml index 48a607a55..44d812ee7 100644 --- a/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml +++ b/rules/network/zeek/zeek_smb_converted_win_impacket_secretdump.yml @@ -16,8 +16,11 @@ logsource: service: smb_files detection: selection: - path: '\\*ADMIN$' - name: '*SYSTEM32\\*.tmp' + path|contains|all: + - '\' + - 'ADMIN$' + name|contains: 'SYSTEM32\' + name|endswith: '.tmp' condition: selection falsepositives: - 'unknown' diff --git a/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml b/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml index 2f29807f8..34da2addf 100644 --- a/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml +++ b/rules/network/zeek/zeek_smb_converted_win_susp_psexec.yml @@ -14,14 +14,18 @@ logsource: service: smb_files detection: selection1: - path: \\*\IPC$ - name: - - '*-stdin' - - '*-stdout' - - '*-stderr' + path|contains|all: + - '\\' + - '\IPC$' + name|endswith: + - '-stdin' + - '-stdout' + - '-stderr' selection2: - name: \\*\IPC$ - path: 'PSEXESVC*' + name|contains|all: + - '\\' + - '\IPC$' + path|startswith: 'PSEXESVC' condition: selection1 and not selection2 falsepositives: - nothing observed so far diff --git a/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml b/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml index 7e5880e00..5604b7171 100644 --- a/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml +++ b/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml 
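Review bot: the old `path: '\\*ADMIN$'` meant "starts with a backslash and ends with `ADMIN$`"; the new `path|contains|all:` with `'\'` and `'ADMIN$'` is broader — the `'\'` item is trivially true for any UNC path and `contains 'ADMIN$'` also matches names such as `ADMIN$OLD`. `path|endswith: 'ADMIN$'` preserves the original semantics more tightly and drops the redundant clause.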
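Review bot: in the PsExec rule, `selection2` appears to have `name` and `path` swapped relative to `selection1` — in Zeek smb_files.log `path` is the share (`\\host\IPC$`) and `name` is the pipe, which is how selection1 uses them, yet selection2 puts `\IPC$` in `name` and `PSEXESVC` in `path`. Because selection2 is the exclusion (`and not selection2`), the swap means it never matches and genuine `PSEXESVC-<host>-<pid>-stdin` pipes alert alongside renamed ones. The modifier conversion preserved the pre-existing swap; the fix is `path|contains|all:` with `'\\'` and `'\IPC$'` plus `name|startswith: 'PSEXESVC'`, to be confirmed against a sample log.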
@@ -12,19 +12,19 @@ logsource: service: smb_files detection: selection: - name: - - '*.pst' - - '*.ost' - - '*.msg' - - '*.nst' - - '*.oab' - - '*.edb' - - '*.nsf' - - '*.bak' - - '*.dmp' - - '*.kirbi' - - '*\groups.xml' - - '*.rdp' + name|endswith: + - '.pst' + - '.ost' + - '.msg' + - '.nst' + - '.oab' + - '.edb' + - '.nsf' + - '.bak' + - '.dmp' + - '.kirbi' + - '\groups.xml' + - '.rdp' condition: selection fields: - ComputerName diff --git a/rules/network/zeek/zeek_susp_kerberos_rc4.yml b/rules/network/zeek/zeek_susp_kerberos_rc4.yml index 75c4cc801..c5b85768e 100644 --- a/rules/network/zeek/zeek_susp_kerberos_rc4.yml +++ b/rules/network/zeek/zeek_susp_kerberos_rc4.yml @@ -17,7 +17,7 @@ detection: request_type: 'TGS' cipher: 'rc4-hmac' computer_acct: - service: '$*' + service|startswith: '$' condition: selection and not computer_acct falsepositives: - normal enterprise SPN requests activity diff --git a/rules/proxy/proxy_apt_domestic_kitten.yml b/rules/proxy/proxy_apt_domestic_kitten.yml new file mode 100644 index 000000000..963c9efe7 --- /dev/null +++ b/rules/proxy/proxy_apt_domestic_kitten.yml @@ -0,0 +1,26 @@ +title: Domestic Kitten FurBall Malware Pattern +id: 6c939dfa-c710-4e12-a4dd-47e1f10e68e1 +status: experimental +description: Detects specific malware patterns used by FurBall malware linked to Iranian Domestic Kitten APT group +author: Florian Roth +references: + - https://research.checkpoint.com/2021/domestic-kitten-an-inside-look-at-the-iranian-surveillance-operations/ +date: 2021/02/08 +tags: + - attack.command_and_control +logsource: + category: proxy +detection: + selection: + c-uri|contains: + - 'Get~~~AllBrowser' + - 'Get~~~HardwareInfo' + - 'Take~~RecordCall' + - 'Reset~~~AllCommand' + condition: selection +fields: + - c-ip + - c-uri +falsepositives: + - Unlikely +level: high diff --git a/rules/proxy/proxy_baby_shark.yml b/rules/proxy/proxy_baby_shark.yml new file mode 100644 index 000000000..8fc52699c --- /dev/null 
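Review bot: in the Kerberos RC4 rule, `service|startswith: '$'` faithfully converts the old `'$*'` but keeps its logic error: computer accounts are named `HOST$`, with the dollar sign at the end, so this filter matches nothing and the `not computer_acct` reduction is a no-op, leaving every RC4 TGS request alerting, including routine machine-account traffic. Use `service|endswith: '$'`. Whether Zeek's `service` field carries the account name in that form should be confirmed against a sample kerberos.log before relying on the reduction.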
+++ b/rules/proxy/proxy_baby_shark.yml @@ -0,0 +1,20 @@ +title: BabyShark Agent Pattern +id: 304810ed-8853-437f-9e36-c4975c3dfd7e +status: experimental +description: Detects Baby Shark C2 Framework communcation patterns +author: Florian Roth +date: 2021/06/09 +references: + - https://nasbench.medium.com/understanding-detecting-c2-frameworks-babyshark-641be4595845 +logsource: + category: proxy +detection: + selection: + c-uri|contains: 'momyshark?key=' + condition: selection +falsepositives: + - Unknown +level: critical +tags: + - attack.command_and_control + - attack.t1071.001 \ No newline at end of file diff --git a/rules/proxy/proxy_chafer_malware.yml b/rules/proxy/proxy_chafer_malware.yml index 9a4e0ecd0..5fd9a8641 100644 --- a/rules/proxy/proxy_chafer_malware.yml +++ b/rules/proxy/proxy_chafer_malware.yml @@ -10,7 +10,7 @@ logsource: category: proxy detection: selection: - c-uri: '*/asp.asp?ui=*' + c-uri|contains: '/asp.asp?ui=' condition: selection fields: - ClientIP @@ -22,4 +22,4 @@ level: critical tags: - attack.command_and_control - attack.t1071.001 - - attack.t1043 # an old one \ No newline at end of file + - attack.t1043 # an old one diff --git a/rules/proxy/proxy_cobalt_amazon.yml b/rules/proxy/proxy_cobalt_amazon.yml index 9bbaedc7e..e604589b8 100644 --- a/rules/proxy/proxy_cobalt_amazon.yml +++ b/rules/proxy/proxy_cobalt_amazon.yml @@ -16,7 +16,7 @@ detection: cs-method: 'GET' c-uri: '/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books' cs-host: 'www.amazon.com' - cs-cookie: '*=csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996' + cs-cookie|endswith: '=csm-hit=s-24KU11BB82RZSYGJ3BDK|1419899012996' selection2: c-useragent: "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko" cs-method: 'POST' @@ -30,4 +30,4 @@ tags: - attack.defense_evasion - attack.command_and_control - attack.t1071.001 - - attack.t1043 # an old one \ No newline at end of file + - attack.t1043 # an old one 
diff --git a/rules/proxy/proxy_cobalt_malformed_uas.yml b/rules/proxy/proxy_cobalt_malformed_uas.yml new file mode 100644 index 000000000..419c0f120 --- /dev/null +++ b/rules/proxy/proxy_cobalt_malformed_uas.yml @@ -0,0 +1,25 @@ +title: CobaltStrike Malformed UAs in Malleable Profiles +id: 41b42a36-f62c-4c34-bd40-8cb804a34ad8 +status: experimental +description: Detects different malformed user agents used in Malleable Profiles used with Cobalt Strike +author: Florian Roth +date: 2021/05/06 +references: + - https://github.com/yeyintminthuhtut/Malleable-C2-Profiles-Collection/ +logsource: + category: proxy +detection: + selection: + c-useragent: + - "Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)" + - "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E )" + - "Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 5.2) Java/1.5.0_08" + condition: selection +falsepositives: + - Unknown +level: critical +tags: + - attack.defense_evasion + - attack.command_and_control + - attack.t1071.001 + - attack.t1043 # an old one diff --git a/rules/proxy/proxy_cobalt_ocsp.yml b/rules/proxy/proxy_cobalt_ocsp.yml index e57a85e6a..d657963aa 100644 --- a/rules/proxy/proxy_cobalt_ocsp.yml +++ b/rules/proxy/proxy_cobalt_ocsp.yml @@ -16,7 +16,7 @@ logsource: category: proxy detection: selection: - c-uri: '*/oscp/*' + c-uri|contains: '/oscp/' cs-host: 'ocsp.verisign.com' condition: selection diff --git a/rules/proxy/proxy_cobalt_onedrive.yml b/rules/proxy/proxy_cobalt_onedrive.yml index 08457c817..30975e58a 100644 --- a/rules/proxy/proxy_cobalt_onedrive.yml +++ b/rules/proxy/proxy_cobalt_onedrive.yml @@ -4,7 +4,7 @@ status: experimental description: Detects Malleable OneDrive Profile author: Markus Neis date: 2019/11/12 -modified: 2020/09/02 +modified: 2020/11/28 references: - https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/onedrive_getonly.profile logsource: 
@@ -12,10 +12,11 @@ logsource: detection: selection: cs-method: 'GET' - c-uri: '*?manifest=wac' + c-uri|endswith: '?manifest=wac' cs-host: 'onedrive.live.com' filter: - c-uri: 'http*://onedrive.live.com/*' + c-uri|startswith: 'http' + c-uri|contains: '://onedrive.live.com/' condition: selection and not filter falsepositives: - Unknown @@ -24,4 +25,4 @@ tags: - attack.defense_evasion - attack.command_and_control - attack.t1071.001 - - attack.t1043 # an old one \ No newline at end of file + - attack.t1043 # an old one diff --git a/rules/proxy/proxy_download_susp_dyndns.yml b/rules/proxy/proxy_download_susp_dyndns.yml index 708beca24..4a73e87b4 100644 --- a/rules/proxy/proxy_download_susp_dyndns.yml +++ b/rules/proxy/proxy_download_susp_dyndns.yml 
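Review bot: The rewritten exclusion is looser than it looks: `c-uri|startswith: 'http'` combined with `c-uri|contains: '://onedrive.live.com/'` also matches a URI on a different host that merely embeds `://onedrive.live.com/` later in its path or query, so a beacon to `http://attacker.example/x/://onedrive.live.com/y?manifest=wac` is suppressed. This reproduces the old `http*://onedrive.live.com/*` wildcard faithfully, but the old pattern had the same hole and the conversion is the moment to close it. Anchor the filter on scheme plus host, `c-uri|startswith:` with `- 'http://onedrive.live.com/'` and `- 'https://onedrive.live.com/'`, so only genuine OneDrive URLs are excluded.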
@@ -30,77 +30,77 @@ detection: - 'sct' - 'zip' # If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/ - r-dns: - - '*.hopto.org' - - '*.no-ip.org' - - '*.no-ip.info' - - '*.no-ip.biz' - - '*.no-ip.com' - - '*.noip.com' - - '*.ddns.name' - - '*.myftp.org' - - '*.myftp.biz' - - '*.serveblog.net' - - '*.servebeer.com' - - '*.servemp3.com' - - '*.serveftp.com' - - '*.servequake.com' - - '*.servehalflife.com' - - '*.servehttp.com' - - '*.servegame.com' - - '*.servepics.com' - - '*.myvnc.com' - - '*.ignorelist.com' - - '*.jkub.com' - - '*.dlinkddns.com' - - '*.jumpingcrab.com' - - '*.ddns.info' - - '*.mooo.com' - - '*.dns-dns.com' - - '*.strangled.net' - - '*.adultdns.net' - - '*.craftx.biz' - - '*.ddns01.com' - - '*.dns53.biz' - - '*.dnsapi.info' - - '*.dnsd.info' - - '*.dnsdynamic.com' - - '*.dnsdynamic.net' - - '*.dnsget.org' - - '*.fe100.net' - - '*.flashserv.net' - - '*.ftp21.net' - - '*.http01.com' - - '*.http80.info' - - '*.https443.com' - - '*.imap01.com' - - '*.kadm5.com' - - '*.mysq1.net' - - '*.ns360.info' - - '*.ntdll.net' - - '*.ole32.com' - - '*.proxy8080.com' - - '*.sql01.com' - - '*.ssh01.com' - - '*.ssh22.net' - - '*.tempors.com' - - '*.tftpd.net' - - '*.ttl60.com' - - '*.ttl60.org' - - '*.user32.com' - - '*.voip01.com' - - '*.wow64.net' - - '*.x64.me' - - '*.xns01.com' - - '*.dyndns.org' - - '*.dyndns.info' - - '*.dyndns.tv' - - '*.dyndns-at-home.com' - - '*.dnsomatic.com' - - '*.zapto.org' - - '*.webhop.net' - - '*.25u.com' - - '*.slyip.net' + r-dns|endswith: + - '.hopto.org' + - '.no-ip.org' + - '.no-ip.info' + - '.no-ip.biz' + - '.no-ip.com' + - '.noip.com' + - '.ddns.name' + - '.myftp.org' + - '.myftp.biz' + - '.serveblog.net' + - '.servebeer.com' + - '.servemp3.com' + - '.serveftp.com' + - '.servequake.com' + - '.servehalflife.com' + - '.servehttp.com' + - '.servegame.com' + - '.servepics.com' + - '.myvnc.com' + - '.ignorelist.com' + - '.jkub.com' + - '.dlinkddns.com' + - 
'.jumpingcrab.com' + - '.ddns.info' + - '.mooo.com' + - '.dns-dns.com' + - '.strangled.net' + - '.adultdns.net' + - '.craftx.biz' + - '.ddns01.com' + - '.dns53.biz' + - '.dnsapi.info' + - '.dnsd.info' + - '.dnsdynamic.com' + - '.dnsdynamic.net' + - '.dnsget.org' + - '.fe100.net' + - '.flashserv.net' + - '.ftp21.net' + - '.http01.com' + - '.http80.info' + - '.https443.com' + - '.imap01.com' + - '.kadm5.com' + - '.mysq1.net' + - '.ns360.info' + - '.ntdll.net' + - '.ole32.com' + - '.proxy8080.com' + - '.sql01.com' + - '.ssh01.com' + - '.ssh22.net' + - '.tempors.com' + - '.tftpd.net' + - '.ttl60.com' + - '.ttl60.org' + - '.user32.com' + - '.voip01.com' + - '.wow64.net' + - '.x64.me' + - '.xns01.com' + - '.dyndns.org' + - '.dyndns.info' + - '.dyndns.tv' + - '.dyndns-at-home.com' + - '.dnsomatic.com' + - '.zapto.org' + - '.webhop.net' + - '.25u.com' + - '.slyip.net' condition: selection fields: - cs-ip @@ -112,4 +112,4 @@ tags: - attack.defense_evasion - attack.command_and_control - attack.t1105 - - attack.t1568 \ No newline at end of file + - attack.t1568 diff --git a/rules/proxy/proxy_download_susp_tlds_blacklist.yml b/rules/proxy/proxy_download_susp_tlds_blacklist.yml index 26fb1c0eb..76081c8d8 100644 --- a/rules/proxy/proxy_download_susp_tlds_blacklist.yml +++ b/rules/proxy/proxy_download_susp_tlds_blacklist.yml 
@@ -33,73 +33,73 @@ detection: - 'sct' - 'zip' # If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/ - r-dns: + r-dns|endswith: # Symantec / Chris Larsen analysis - - '*.country' - - '*.stream' - - '*.gdn' - - '*.mom' - - '*.xin' - - '*.kim' - - '*.men' - - '*.loan' - - '*.download' - - '*.racing' - - '*.online' - - '*.science' - - '*.ren' - - '*.gb' - - '*.win' - - '*.top' - - '*.review' - - '*.vip' - - '*.party' - - '*.tech' - - '*.xyz' - - '*.date' - - '*.faith' - - '*.zip' - - '*.cricket' - - '*.space' + - '.country' + - '.stream' + - '.gdn' + - '.mom' + - '.xin' + - '.kim' + - '.men' + - '.loan' + - '.download' + - '.racing' + - '.online' + - '.science' + - '.ren' + - '.gb' + - '.win' + - '.top' + - '.review' + - '.vip' + - '.party' + - '.tech' + - '.xyz' + - '.date' + - '.faith' + - '.zip' + - '.cricket' + - '.space' # McAfee report - - '*.info' - - '*.vn' - - '*.cm' - - '*.am' - - '*.cc' - - '*.asia' - - '*.ws' - - '*.tk' - - '*.biz' - - '*.su' - - '*.st' - - '*.ro' - - '*.ge' - - '*.ms' - - '*.pk' - - '*.nu' - - '*.me' - - '*.ph' - - '*.to' - - '*.tt' - - '*.name' - - '*.tv' - - '*.kz' - - '*.tc' - - '*.mobi' + - '.info' + - '.vn' + - '.cm' + - '.am' + - '.cc' + - '.asia' + - '.ws' + - '.tk' + - '.biz' + - '.su' + - '.st' + - '.ro' + - '.ge' + - '.ms' + - '.pk' + - '.nu' + - '.me' + - '.ph' + - '.to' + - '.tt' + - '.name' + - '.tv' + - '.kz' + - '.tc' + - '.mobi' # Spamhaus - - '*.study' - - '*.click' - - '*.link' - - '*.trade' - - '*.accountant' + - '.study' + - '.click' + - '.link' + - '.trade' + - '.accountant' # Spamhaus 2018 https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/ - - '*.cf' - - '*.gq' - - '*.ml' - - '*.ga' + - '.cf' + - '.gq' + - '.ml' + - '.ga' # Custom - - '*.pw' + - '.pw' condition: selection fields: - ClientIP 
@@ -113,4 +113,4 @@ tags: - attack.execution - attack.t1203 - attack.t1204.002 - - attack.t1204 # an old one \ No newline at end of file + - attack.t1204 # an old one diff --git a/rules/proxy/proxy_download_susp_tlds_whitelist.yml b/rules/proxy/proxy_download_susp_tlds_whitelist.yml index 9b66a43ad..9b9200c5d 100644 --- a/rules/proxy/proxy_download_susp_tlds_whitelist.yml +++ b/rules/proxy/proxy_download_susp_tlds_whitelist.yml @@ -29,25 +29,25 @@ detection: - 'zip' # If you want to add more extensions - see https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/ filter: - r-dns: - - '*.com' - - '*.org' - - '*.net' - - '*.edu' - - '*.gov' - - '*.uk' - - '*.ca' - - '*.de' - - '*.jp' - - '*.fr' - - '*.au' - - '*.us' - - '*.ch' - - '*.it' - - '*.nl' - - '*.se' - - '*.no' - - '*.es' + r-dns|endswith: + - '.com' + - '.org' + - '.net' + - '.edu' + - '.gov' + - '.uk' + - '.ca' + - '.de' + - '.jp' + - '.fr' + - '.au' + - '.us' + - '.ch' + - '.it' + - '.nl' + - '.se' + - '.no' + - '.es' # Extend this list as needed condition: selection and not filter fields: diff --git a/rules/proxy/proxy_downloadcradle_webdav.yml b/rules/proxy/proxy_downloadcradle_webdav.yml index 472ec041d..c1a8bf30f 100644 --- a/rules/proxy/proxy_downloadcradle_webdav.yml +++ b/rules/proxy/proxy_downloadcradle_webdav.yml @@ -11,7 +11,7 @@ logsource: category: proxy detection: selection: - c-useragent: 'Microsoft-WebDAV-MiniRedir/*' + c-useragent|startswith: 'Microsoft-WebDAV-MiniRedir/' cs-method: 'GET' condition: selection fields: @@ -27,4 +27,4 @@ level: high tags: - attack.command_and_control - attack.t1071.001 - - attack.t1043 # an old one \ No newline at end of file + - attack.t1043 # an old one diff --git a/rules/proxy/proxy_ios_implant.yml b/rules/proxy/proxy_ios_implant.yml index 9501f8f1f..a1f1ee1a0 100644 --- a/rules/proxy/proxy_ios_implant.yml +++ b/rules/proxy/proxy_ios_implant.yml 
@@ -12,7 +12,7 @@ logsource: category: proxy detection: selection: - c-uri: '*/list/suc?name=*' + c-uri|contains: '/list/suc?name=' condition: selection fields: - ClientIP @@ -30,4 +30,4 @@ tags: - attack.credential_access - attack.t1528 - attack.t1552.001 - - attack.t1081 # an old one \ No newline at end of file + - attack.t1081 # an old one diff --git a/rules/proxy/proxy_powershell_ua.yml b/rules/proxy/proxy_powershell_ua.yml index c03e2182a..f3d91771e 100644 --- a/rules/proxy/proxy_powershell_ua.yml +++ b/rules/proxy/proxy_powershell_ua.yml @@ -11,7 +11,7 @@ logsource: category: proxy detection: selection: - c-useragent: '* WindowsPowerShell/*' + c-useragent|contains: ' WindowsPowerShell/' condition: selection fields: - ClientIP @@ -24,4 +24,4 @@ level: medium tags: - attack.defense_evasion - attack.command_and_control - - attack.t1071.001 \ No newline at end of file + - attack.t1071.001 diff --git a/rules/proxy/proxy_susp_flash_download_loc.yml b/rules/proxy/proxy_susp_flash_download_loc.yml index 402bcb514..521ab197a 100644 --- a/rules/proxy/proxy_susp_flash_download_loc.yml +++ b/rules/proxy/proxy_susp_flash_download_loc.yml @@ -4,17 +4,17 @@ status: experimental description: Detects a flashplayer update from an unofficial location author: Florian Roth date: 2017/10/25 +modified: 2020/11/28 references: - https://gist.github.com/roycewilliams/a723aaf8a6ac3ba4f817847610935cfb logsource: category: proxy detection: selection: - c-uri-query: - - '*/install_flash_player.exe' - - '*/flash_install.php*' + - c-uri-query|contains: '/flash_install.php' + - c-uri-query|endswith: '/install_flash_player.exe' filter: - c-uri-stem: '*.adobe.com/*' + c-uri-stem|contains: '.adobe.com/' condition: selection and not filter falsepositives: - Unknown flash download locations @@ -27,4 +27,4 @@ tags: - attack.t1204 # an old one - attack.defense_evasion - attack.t1036.005 - - attack.t1036 # an old one \ No newline at end of file + - attack.t1036 # an old one 
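Review bot: In proxy_susp_flash_download_loc.yml the exclusion `c-uri-stem|contains: '.adobe.com/'` is satisfied by a path segment as well as by a host: a download from `http://attacker.example/cdn.adobe.com/install_flash_player.exe` contains `.adobe.com/` and is filtered out, just as it was under the old `*.adobe.com/*` wildcard. Anchor the filter on the host field instead, `cs-host|endswith: '.adobe.com'` (or `r-dns|endswith`), so only requests actually served from an Adobe host are suppressed. The selection also matches `/install_flash_player.exe` with `endswith` on `c-uri-query`, which presumably relies on the backend putting the path into that field rather than `c-uri-stem`; a short comment stating that assumption would help whoever maps the fields.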
diff --git a/rules/proxy/proxy_telegram_api.yml b/rules/proxy/proxy_telegram_api.yml index a4a79014f..eda3a5ef9 100644 --- a/rules/proxy/proxy_telegram_api.yml +++ b/rules/proxy/proxy_telegram_api.yml @@ -16,10 +16,10 @@ detection: r-dns: - 'api.telegram.org' # Often used by Bots filter: - c-useragent: + c-useragent|contains: # Used https://core.telegram.org/bots/samples for this list - - '*Telegram*' - - '*Bot*' + - 'Telegram' + - 'Bot' condition: selection and not filter fields: - ClientIP diff --git a/rules/proxy/proxy_ua_apt.yml b/rules/proxy/proxy_ua_apt.yml index 272c4e9f8..0c51fd035 100644 --- a/rules/proxy/proxy_ua_apt.yml +++ b/rules/proxy/proxy_ua_apt.yml @@ -44,11 +44,12 @@ detection: - 'O/9.27 (W; U; Z)' # Cmstar https://www.virustotal.com/#/file/e4328011bb2b04abc856ccd04404c9f95d67167f6c291d343e8ffa8aa2aa2099/details - 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; Trident/5.0*' # KerrDown UA https://goo.gl/s2WU6o - 'Mozilla/5.0 (Windows NT 9; *' # Suspicious 'Windows NT 9' user agent - used by APT33 malware in 2018 - - 'hots scot' # Unkown iOS zero-day implant https://twitter.com/craiu/status/1176437994288484352?s=20 + - 'hots scot' # Unknown iOS zero-day implant https://twitter.com/craiu/status/1176437994288484352?s=20 - 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT)' # https://blog.telsy.com/meeting-powerband-the-apt33-net-powerton-variant/ - 'Mozilla/5.0 (Windows NT 6.1; WOW64) Chrome/28.0.1500.95 Safari/537.36' # Hidden Cobra malware - 'Mozilla/5.0 (Windows NT 6.2; Win32; rv:47.0)' # Strong Pity loader https://twitter.com/VK_Intel/status/1264185981118406657 - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;' # Mustang Panda https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/ + - 'Mozilla/5.0 (X11; Linux i686; rv:22.0) Firefox/22.0' # BackdoorDiplomacy https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/ condition: selection fields: - ClientIP 
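Review bot: The telegram filter now excludes any request whose user agent contains `Bot` or `Telegram`, a substring test against an attacker-chosen header, so a C2 implant talking to `api.telegram.org` with a UA containing the word `Bot` never fires this rule. That is inherited from the old `*Bot*` wildcard, but the rewrite is the moment to tighten it: match the sample clients from the referenced page by their actual UA prefixes, or drop `Bot` and keep only `Telegram`, and record the reasoning in the comment above the list.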
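Review bot: The new BackdoorDiplomacy entry `'Mozilla/5.0 (X11; Linux i686; rv:22.0) Firefox/22.0'` in proxy_ua_apt.yml is an exact match with no trailing wildcard, unlike the neighbouring entries, and nothing says what makes it suspicious; presumably the missing `Gecko/…` build token between `rv:22.0)` and `Firefox/22.0` is what separates it from a genuine Firefox 22 user agent, but that should be confirmed against the ESET write-up. A trailing comment such as `# exact match on purpose: real Firefox 22 UAs carry a Gecko/ token before Firefox/` would stop a future cleanup from "normalising" the string. The `c-useragent` list this entry belongs to starts before the hunk.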
diff --git a/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml b/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml index f31994036..d0c169d4e 100644 --- a/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml +++ b/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml @@ -9,13 +9,13 @@ logsource: category: proxy detection: selection: - c-useragent: - - 'Microsoft BITS/*' + c-useragent|startswith: + - 'Microsoft BITS/' falsepositives: - r-dns: - - '*.com' - - '*.net' - - '*.org' + r-dns|endswith: + - '.com' + - '.net' + - '.org' condition: selection and not falsepositives fields: - ClientIP @@ -30,4 +30,4 @@ tags: - attack.defense_evasion - attack.persistence - attack.t1197 - - attack.s0190 \ No newline at end of file + - attack.s0190 diff --git a/rules/proxy/proxy_ua_cryptominer.yml b/rules/proxy/proxy_ua_cryptominer.yml index d1d0b763d..ea4a3bd26 100644 --- a/rules/proxy/proxy_ua_cryptominer.yml +++ b/rules/proxy/proxy_ua_cryptominer.yml @@ -12,11 +12,11 @@ logsource: category: proxy detection: selection: - c-useragent: + c-useragent|startswith: # XMRig - - 'XMRig *' + - 'XMRig ' # CCMiner - - 'ccminer*' + - 'ccminer' condition: selection fields: - ClientIP @@ -27,4 +27,4 @@ falsepositives: level: high tags: - attack.command_and_control - - attack.t1071.001 \ No newline at end of file + - attack.t1071.001 diff --git a/rules/proxy/proxy_ua_frameworks.yml b/rules/proxy/proxy_ua_frameworks.yml index 0c9f3e6dc..5d81546aa 100644 --- a/rules/proxy/proxy_ua_frameworks.yml +++ b/rules/proxy/proxy_ua_frameworks.yml @@ -1,7 +1,7 @@ title: Exploit Framework User Agent id: fdd1bfb5-f60b-4a35-910e-f36ed3d0b32f status: experimental -description: Detects suspicious user agent strings used by exploit / pentest framworks like Metasploit in proxy logs +description: Detects suspicious user agent strings used by exploit / pentest frameworks like Metasploit in proxy logs author: Florian Roth date: 2017/07/08 modified: 2020/09/03 
diff --git a/rules/proxy/proxy_ua_hacktool.yml b/rules/proxy/proxy_ua_hacktool.yml
index e39c0d2ef..1e2f96537 100644
--- a/rules/proxy/proxy_ua_hacktool.yml
+++ b/rules/proxy/proxy_ua_hacktool.yml
@@ -12,58 +12,58 @@ logsource: category: proxy detection: selection: - c-useragent: - # Vulnerbility scanner and brute force tools - - '*(hydra)*' - - '* arachni/*' - - '* BFAC *' - - '* brutus *' - - '* cgichk *' - - '*core-project/1.0*' - - '* crimscanner/*' - - '*datacha0s*' - - '*dirbuster*' - - '*domino hunter*' - - '*dotdotpwn*' - - 'FHScan Core' - - '*floodgate*' - - '*get-minimal*' - - '*gootkit auto-rooter scanner*' - - '*grendel-scan*' - - '* inspath *' - - '*internet ninja*' - - '*jaascois*' - - '* zmeu *' - - '*masscan*' - - '* metis *' - - '*morfeus fucking scanner*' - - '*n-stealth*' - - '*nsauditor*' - - '*pmafind*' - - '*security scan*' - - '*springenwerk*' - - '*teh forest lobster*' - - '*toata dragostea*' - - '* vega/*' - - '*voideye*' - - '*webshag*' - - '*webvulnscan*' - - '* whcc/*' + c-useragent|contains: + # Vulnerbility scanner and brute force tools + - '(hydra)' + - ' arachni/' + - ' BFAC ' + - ' brutus ' + - ' cgichk ' + - 'core-project/1.0' + - ' crimscanner/' + - 'datacha0s' + - 'dirbuster' + - 'domino hunter' + - 'dotdotpwn' + - 'FHScan Core' + - 'floodgate' + - 'get-minimal' + - 'gootkit auto-rooter scanner' + - 'grendel-scan' + - ' inspath ' + - 'internet ninja' + - 'jaascois' + - ' zmeu ' + - 'masscan' + - ' metis ' + - 'morfeus fucking scanner' + - 'n-stealth' + - 'nsauditor' + - 'pmafind' + - 'security scan' + - 'springenwerk' + - 'teh forest lobster' + - 'toata dragostea' + - ' vega/' + - 'voideye' + - 'webshag' + - 'webvulnscan' + - ' whcc/' - # SQL Injection - - '* Havij' - - '*absinthe*' - - '*bsqlbf*' - - '*mysqloit*' - - '*pangolin*' - - '*sql power injector*' - - '*sqlmap*' - - '*sqlninja*' - - '*uil2pn*' + # SQL Injection + - ' Havij' + - 'absinthe' + - 'bsqlbf' + - 'mysqloit' + - 'pangolin' + - 'sql power injector' + - 'sqlmap' + - 'sqlninja' + - 'uil2pn' - # Hack tool - - 'ruler' # https://www.crowdstrike.com/blog/using-outlook-forms-lateral-movement-persistence/ - - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; 
rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)' # SQLi Dumper + # Hack tool + - 'ruler' # https://www.crowdstrike.com/blog/using-outlook-forms-lateral-movement-persistence/ + - 'Mozilla/5.0 (Windows; U; Windows NT 5.1; pt-PT; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET CLR 3.5.30729)' # SQLi Dumper condition: selection fields: - ClientIP @@ -76,4 +76,4 @@ tags: - attack.initial_access - attack.t1190 - attack.credential_access - - attack.t1110 \ No newline at end of file + - attack.t1110 diff --git a/rules/proxy/proxy_ursnif_malware.yml b/rules/proxy/proxy_ursnif_malware.yml index 682ff4b72..1445ed4f3 100644 --- a/rules/proxy/proxy_ursnif_malware.yml +++ b/rules/proxy/proxy_ursnif_malware.yml @@ -4,12 +4,15 @@ status: stable description: Detects download of Ursnif malware done by dropper documents. author: Thomas Patzke date: 2019/12/19 -modified: 2020/09/03 +modified: 2020/11/28 logsource: category: proxy detection: selection: - c-uri: '*/*.php?l=*.cab' + c-uri|contains|all: + - '/' + - '.php?l=' + c-uri|endswith: '.cab' sc-status: 200 condition: selection fields: @@ -32,13 +35,13 @@ logsource: category: proxy detection: b64encoding: - c-uri: - - "*_2f*" - - "*_2b*" + c-uri|contains: + - "_2f" + - "_2b" urlpatterns: - c-uri|all: - - "*.avi" - - "*/images/*" + c-uri|contains|all: + - ".avi" + - "/images/" condition: b64encoding and urlpatterns fields: - c-ip @@ -56,4 +59,4 @@ tags: - attack.t1204.002 - attack.t1204 # an old one - attack.command_and_control - - attack.t1071.001 \ No newline at end of file + - attack.t1071.001 diff --git a/rules/web/web_cve_2021_26814_wzuh_rce.yml b/rules/web/web_cve_2021_26814_wzuh_rce.yml new file mode 100644 index 000000000..672226f45 --- /dev/null +++ b/rules/web/web_cve_2021_26814_wzuh_rce.yml 
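Review bot: Folding the whole hacktool list under `c-useragent|contains` changes the meaning of the two entries that previously carried no wildcards: `'FHScan Core'` and `'ruler'` were exact user-agent matches and are now substring matches, so `ruler` fires on any UA that happens to contain those five letters. If the broadening is intended, say so in the `# Hack tool` comment; otherwise keep those two in a separate selection without the modifier, `selection_exact:` with `c-useragent:` listing `- 'FHScan Core'` and `- 'ruler'`, and `condition: selection or selection_exact`. The `Vulnerbility` typo in the copied comment could be fixed in the same pass.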
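Review bot: In the first Ursnif rule the new `c-uri|contains|all` value `- '/'` is satisfied by every URI and adds nothing over `'.php?l='` plus `c-uri|endswith: '.cab'`, so it can be dropped. In the second rule `"*.avi"` was end-anchored by the old wildcard, but `c-uri|contains: ".avi"` now also matches `.avi` in the middle of a path or query, a widening the commit does not mention; if the anchor mattered, use `c-uri|endswith: '.avi'` next to the `'/images/'` contains check. Both Ursnif hunks are complete in this view; the rules' metadata lies between them.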
@@ -0,0 +1,25 @@
+title: Exploitation of CVE-2021-26814 in Wazuh
+id: b9888738-29ed-4c54-96a4-f38c57b84bb3
+status: experimental
+description: Detects the exploitation of the Wazuh RCE vulnerability described in CVE-2021-26814
+author: Florian Roth
+date: 2021/05/22
+references:
+ - https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-26814
+ - https://github.com/WickdDavid/CVE-2021-26814/blob/main/PoC.py
+logsource:
+ category: webserver
+detection:
+ selection:
+ c-uri|contains: '/manager/files?path=etc/lists/../../../../..'
+ condition: selection
+fields:
+ - c-ip
+ - c-dns
+falsepositives:
+ - None
+level: high
+tags:
+ - attack.initial_access
+ - attack.t1190
+ - cve.2021-21978
\ No newline at end of file
diff --git a/rules/web/web_exchange_exploitation_hafnium.yml b/rules/web/web_exchange_exploitation_hafnium.yml
new file mode 100644
index 000000000..cb06e1d0f
--- /dev/null
+++ b/rules/web/web_exchange_exploitation_hafnium.yml
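Review bot: The CVE tag `cve.2021-21978` does not match the rule: the title, description and both references name CVE-2021-26814, so the last tag should read `- cve.2021-26814` (2021-21978 is a different vulnerability). The traversal is also matched literally as `../../../../..`; a request that percent-encodes the dots or slashes (`%2e%2e/`) does not contain that substring, so depending on whether your webserver log stores the raw or the decoded URI a second `c-uri|contains` value for the encoded form may be needed.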
@@ -0,0 +1,62 @@
+title: Exchange Exploitation Used by HAFNIUM
+id: 67bce556-312f-4c81-9162-c3c9ff2599b2
+status: experimental
+description: Detects exploitation attempts in Exchange server logs as described in blog posts reporting on HAFNIUM group activity
+references:
+ - https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
+ - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
+author: Florian Roth
+date: 2021/03/03
+tags:
+ - attack.initial_access
+ - attack.t1190
+logsource:
+ category: webserver
+detection:
+ selection1:
+ cs-method: 'POST'
+ c-uri|contains: '/owa/auth/Current/themes/resources/'
+ selection2:
+ cs-method: 'POST'
+ c-uri|contains: '/owa/auth/Current/'
+ c-useragent:
+ - 'DuckDuckBot/1.0;+(+http://duckduckgo.com/duckduckbot.html)'
+ - 'facebookexternalhit/1.1+(+http://www.facebook.com/externalhit_uatext.php)'
+ - 'Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)'
+ - 'Mozilla/5.0+(compatible;+Bingbot/2.0;++http://www.bing.com/bingbot.htm)'
+ - 'Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html'
+ - 'Mozilla/5.0+(compatible;+Konqueror/3.5;+Linux)+KHTML/3.5.5+(like+Gecko)+(Exabot-Thumbnails)'
+ - 'Mozilla/5.0+(compatible;+Yahoo!+Slurp;+http://help.yahoo.com/help/us/ysearch/slurp)'
+ - 'Mozilla/5.0+(compatible;+YandexBot/3.0;++http://yandex.com/bots)'
+ - 'Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/51.0.2704.103+Safari/537.36'
+ selection3:
+ c-uri|contains: '/ecp/'
+ cs-method: 'POST'
+ c-useragent:
+ - 'ExchangeServicesClient/0.0.0.0'
+ - 'python-requests/2.19.1'
+ - 'python-requests/2.25.1'
+ selection4:
+ c-uri|contains:
+ - '/aspnet_client/'
+ - '/owa/'
+ cs-method: 'POST'
+ c-useragent:
+ - 'antSword/v2.1'
+ - 'Googlebot/2.1+(+http://www.googlebot.com/bot.html)'
+ - 'Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)'
+ selection5:
+ c-uri|contains:
+ - '/owa/auth/Current/'
+ - '/ecp/default.flt'
+ - '/ecp/main.css'
+ cs-method: 'POST'
+ selection6:
+ cs-method: 'POST'
+ c-uri|contains|all:
+ - '/ecp/'
+ - '.js'
+ condition: 1 of them
+falsepositives:
+ - Legitimate access to other web applications that use the same folder names as Exchange (e.g. owa, ecp) but are not Microsoft Exchange related
+level: high
\ No newline at end of file
diff --git a/rules/web/web_expl_exchange_cve_2021_28480.yml b/rules/web/web_expl_exchange_cve_2021_28480.yml
new file mode 100644
index 000000000..62cd6efd5
--- /dev/null
+++ b/rules/web/web_expl_exchange_cve_2021_28480.yml
@@ -0,0 +1,23 @@
+title: Exchange Exploitation CVE-2021-28480
+id: a2a9d722-0acb-4096-bccc-daaf91a5037b
+status: experimental
+description: Detects successfull exploitation of Exchange vulnerability as reported in CVE-2021-28480
+references:
+ - https://twitter.com/GossiTheDog/status/1392965209132871683?s=20
+author: Florian Roth
+date: 2021/05/14
+tags:
+ - attack.initial_access
+ - attack.t1190
+logsource:
+ category: webserver
+detection:
+ selection:
+ c-uri|contains: '/owa/calendar/a'
+ cs-method: 'POST'
+ filter:
+ sc-status: 503
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: critical
\ No newline at end of file
diff --git a/rules/web/web_nginx_core_dump.yml b/rules/web/web_nginx_core_dump.yml
new file mode 100644
index 000000000..578db765e
--- /dev/null
+++ b/rules/web/web_nginx_core_dump.yml
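Review bot: Every user agent in selection2 and selection4 is written with `+` in place of spaces, e.g. `'Mozilla/5.0+(compatible;+Bingbot/2.0;++http://www.bing.com/bingbot.htm)'`, which is the IIS W3C log encoding; on a pipeline that decodes `c-useragent` these exact matches silently never fire, and the Googlebot entry in selection2 lacks its closing `)`, which may be copied from the log or a truncation worth checking against the reference. A comment under `logsource:` such as `# UA values are IIS W3C-encoded (spaces as '+'); adjust if your pipeline decodes them` would save the next deployer that debugging. selection5 also alerts on every POST to `/owa/auth/Current/` on its own, which subsumes selection2 and is what drives the broad false-positive note; consider whether it should additionally require one of the user-agent lists.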
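Review bot: In web_expl_exchange_cve_2021_28480.yml, `c-uri|contains: '/owa/calendar/a'` matches any POST whose calendar path continues with the letter `a`, and the only exclusion is `sc-status: 503`, so the rule does not establish the "successful exploitation" its description promises. If the referenced tweet gives the exact request path, use it verbatim (or `c-uri|startswith` on the full path), and express success positively, e.g. `sc-status: 200`, rather than excluding a single error code. `successfull` in the description is a typo.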
@@ -0,0 +1,20 @@
+title: Nginx Core Dump
+id: 59ec40bb-322e-40ab-808d-84fa690d7e56
+description: Detects a core dump of a creashing Nginx worker process, which could be a signal of a serious problem or exploitation attempts
+author: Florian Roth
+date: 2021/05/31
+references:
+ - https://docs.nginx.com/nginx/admin-guide/monitoring/debugging/#enabling-core-dumps
+ - https://www.x41-dsec.de/lab/advisories/x41-2021-002-nginx-resolver-copy/
+logsource:
+ product: apache
+detection:
+ keywords:
+ - 'exited on signal 6 (core dumped)'
+ condition: keywords
+falsepositives:
+ - Serious issues with a configuration or plugin
+level: high
+tags:
+ - attack.impact
+ - attack.t1499.004
\ No newline at end of file
diff --git a/rules/web/web_sonicwall_jarrewrite_exploit.yml b/rules/web/web_sonicwall_jarrewrite_exploit.yml
new file mode 100644
index 000000000..b96b9bd73
--- /dev/null
+++ b/rules/web/web_sonicwall_jarrewrite_exploit.yml
@@ -0,0 +1,27 @@
+title: SonicWall SSL/VPN Jarrewrite Exploit
+id: 6f55f047-112b-4101-ad32-43913f52db46
+status: experimental
+description: Detects exploitation attempts of the SonicWall Jarrewrite Exploit
+author: Florian Roth
+date: 2021/01/25
+tags:
+ - attack.t1190
+ - attack.initial_access
+references:
+ - https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/
+logsource:
+ category: webserver
+detection:
+ selection:
+ c-uri|contains: '/cgi-bin/jarrewrite.sh'
+ c-useragent|contains:
+ - ':;'
+ - '() {'
+ - '/bin/bash -c'
+ condition: selection
+fields:
+ - c-ip
+ - c-dns
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/web/web_unc2546_dewmode_php_webshell.yml b/rules/web/web_unc2546_dewmode_php_webshell.yml
new file mode 100644
index 000000000..5bb939af3
--- /dev/null
+++ b/rules/web/web_unc2546_dewmode_php_webshell.yml
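Review bot: The rule is titled Nginx Core Dump but its `logsource` says `product: apache`, so it will be routed to Apache logs where the `exited on signal 6 (core dumped)` message never appears; this reads as a copy-paste slip and should be `product: nginx` (or whatever logsource your backend maps nginx error logs to, with a comment explaining the choice). Signal 6 is SIGABRT; a memory-corruption crash like the referenced resolver bug can just as plausibly kill a worker with SIGSEGV, so consider a second keyword `- 'exited on signal 11 (core dumped)'`. The rule also lacks a `status:` line, unlike the other new rules in this commit, and `creashing` in the description is a typo.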
@@ -0,0 +1,31 @@
+title: DEWMODE Webshell Access
+id: fdf96c90-42d5-4406-8a9c-14a2c9a016b5
+status: experimental
+description: Detects access to DEWMODE webshell as described in FIREEYE report
+author: Florian Roth
+date: 2021/02/22
+references:
+ - https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html
+tags:
+ - attack.persistence
+ - attack.t1505.003
+logsource:
+ category: webserver
+detection:
+ selection1:
+ c-uri|contains|all:
+ - '?dwn='
+ - '&fn='
+ - '.html?'
+ selection2:
+ c-uri|contains|all:
+ - '&dwn='
+ - '?fn='
+ - '.html?'
+ condition: 1 of them
+fields:
+ - client_ip
+ - response
+falsepositives:
+ - Unknown
+level: critical
\ No newline at end of file
diff --git a/rules/web/win_powershell_snapins_hafnium.yml b/rules/web/win_powershell_snapins_hafnium.yml
new file mode 100644
index 000000000..11ffd7891
--- /dev/null
+++ b/rules/web/win_powershell_snapins_hafnium.yml
@@ -0,0 +1,30 @@
+title: Exchange PowerShell Snap-Ins Used by HAFNIUM
+id: 25676e10-2121-446e-80a4-71ff8506af47
+status: experimental
+description: Detects adding and using Exchange PowerShell snap-ins to export mailbox data by HAFNIUM
+author: FPT.EagleEye
+references:
+ - https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
+ - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
+date: 2021/03/03
+tags:
+ - attack.execution
+ - attack.t1086
+ - attack.t1059.005
+ - attack.collection
+ - attack.t1114
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image: '*\powershell.exe'
+ CommandLine:
+ - '*add-pssnapin microsoft.exchange.powershell.snapin*'
+ condition: selection
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/web/win_webshell_regeorg.yml b/rules/web/win_webshell_regeorg.yml
index fc068bf4e..b4ccdb5c3 100644
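Review bot: In win_powershell_snapins_hafnium.yml, `Image: '*\powershell.exe'` and `'*add-pssnapin microsoft.exchange.powershell.snapin*'` still use plain wildcards while every other rule in this commit was converted to modifiers; for a new rule prefer `Image|endswith: '\powershell.exe'` and `CommandLine|contains: 'add-pssnapin microsoft.exchange.powershell.snapin'`. That substring is presumably the literal command quoted by the referenced vendors, but it does not match the snap-in name used on current Exchange builds (`Microsoft.Exchange.Management.PowerShell.SnapIn`), so if the intent is snap-in abuse in general rather than this one command, add that name as a second value, and `pwsh.exe` is absent from `Image`. A Windows `process_creation` rule sitting under `rules/web/`, and the `attack.t1086` tag (the pre-sub-technique PowerShell ID, marked `# an old one` elsewhere in this commit), both look like misplacements.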
--- a/rules/web/win_webshell_regeorg.yml +++ b/rules/web/win_webshell_regeorg.yml @@ -13,11 +13,11 @@ logsource: detection: selection: uri_query|contains: - - '*cmd=read*' - - '*connect&target*' - - '*cmd=connect*' - - '*cmd=disconnect*' - - '*cmd=forward*' + - 'cmd=read' + - 'connect&target' + - 'cmd=connect' + - 'cmd=disconnect' + - 'cmd=forward' filter: referer: null useragent: null diff --git a/rules/windows/builtin/win_GPO_scheduledtasks.yml b/rules/windows/builtin/win_GPO_scheduledtasks.yml index b44e64c24..669bcdaa5 100644 --- a/rules/windows/builtin/win_GPO_scheduledtasks.yml +++ b/rules/windows/builtin/win_GPO_scheduledtasks.yml @@ -19,8 +19,10 @@ detection: selection: EventID: 5145 ShareName: \\*\SYSVOL - RelativeTargetName: '*ScheduledTasks.xml' - Accesses: '*WriteData*' + RelativeTargetName|endswith: 'ScheduledTasks.xml' + Accesses|contains: + - 'WriteData' + - '%%4417' condition: selection falsepositives: - if the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks diff --git a/rules/windows/builtin/win_account_backdoor_dcsync_rights.yml b/rules/windows/builtin/win_account_backdoor_dcsync_rights.yml index b273c7b17..a5caf16d8 100644 --- a/rules/windows/builtin/win_account_backdoor_dcsync_rights.yml +++ b/rules/windows/builtin/win_account_backdoor_dcsync_rights.yml @@ -25,5 +25,5 @@ detection: - '89e95b76-444d-4c62-991a-0facbeda640c' condition: selection falsepositives: - - New Domain Controller computer account, check user SIDs witin the value attribute of event 5136 and verify if it's a regular user or DC computer account. + - New Domain Controller computer account, check user SIDs within the value attribute of event 5136 and verify if it's a regular user or DC computer account. level: critical diff --git a/rules/windows/builtin/win_account_discovery.yml b/rules/windows/builtin/win_account_discovery.yml index d7d9b1ce6..a6705cb88 100644 
--- a/rules/windows/builtin/win_account_discovery.yml +++ b/rules/windows/builtin/win_account_discovery.yml @@ -21,18 +21,20 @@ detection: ObjectType: - 'SAM_USER' - 'SAM_GROUP' - ObjectName: - - '*-512' - - '*-502' - - '*-500' - - '*-505' - - '*-519' - - '*-520' - - '*-544' - - '*-551' - - '*-555' - - '*admin*' - condition: selection + selection_object: + - ObjectName|endswith: + - '-512' + - '-502' + - '-500' + - '-505' + - '-519' + - '-520' + - '-544' + - '-551' + - '-555' + - ObjectName|contains: + - 'admin' + condition: selection and selection_object falsepositives: - if source account name is not an admin then its super suspicious level: high diff --git a/rules/windows/builtin/win_ad_object_writedac_access.yml b/rules/windows/builtin/win_ad_object_writedac_access.yml index 60a4c5974..b3ebbc942 100644 --- a/rules/windows/builtin/win_ad_object_writedac_access.yml +++ b/rules/windows/builtin/win_ad_object_writedac_access.yml @@ -5,7 +5,7 @@ status: experimental date: 2019/09/12 author: Roberto Rodriguez @Cyb3rWard0g references: - - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1222_file_permissions_modification/ad_replication_user_backdoor.md + - https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190101151110.html tags: - attack.defense_evasion - attack.t1222 # an old one diff --git a/rules/windows/builtin/win_ad_replication_non_machine_account.yml b/rules/windows/builtin/win_ad_replication_non_machine_account.yml index fcdb3ee67..2fe27687b 100644 --- a/rules/windows/builtin/win_ad_replication_non_machine_account.yml +++ b/rules/windows/builtin/win_ad_replication_non_machine_account.yml 
@@ -6,7 +6,7 @@ date: 2019/07/26 modified: 2020/08/23 author: Roberto Rodriguez @Cyb3rWard0g references: - - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/ad_replication_non_machine_account.md + - https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-180815210510.html tags: - attack.credential_access - attack.t1003 # an old one diff --git a/rules/windows/builtin/win_admin_rdp_login.yml b/rules/windows/builtin/win_admin_rdp_login.yml index c276804b0..99aa6af16 100644 --- a/rules/windows/builtin/win_admin_rdp_login.yml +++ b/rules/windows/builtin/win_admin_rdp_login.yml @@ -23,7 +23,7 @@ detection: EventID: 4624 LogonType: 10 AuthenticationPackageName: Negotiate - AccountName: 'Admin-*' + AccountName|startswith: 'Admin-' condition: selection falsepositives: - Legitimate administrative activity diff --git a/rules/windows/builtin/win_admin_share_access.yml b/rules/windows/builtin/win_admin_share_access.yml index 22919f3bc..33ea11512 100644 --- a/rules/windows/builtin/win_admin_share_access.yml +++ b/rules/windows/builtin/win_admin_share_access.yml @@ -18,7 +18,7 @@ detection: EventID: 5140 ShareName: Admin$ filter: - SubjectUserName: '*$' + SubjectUserName|endswith: '$' condition: selection and not filter falsepositives: - Legitimate administrative activity diff --git a/rules/windows/builtin/win_alert_active_directory_user_control.yml b/rules/windows/builtin/win_alert_active_directory_user_control.yml index 882bda89c..078f02eb0 100644 --- a/rules/windows/builtin/win_alert_active_directory_user_control.yml +++ b/rules/windows/builtin/win_alert_active_directory_user_control.yml @@ -17,8 +17,8 @@ detection: selection: EventID: 4704 keywords: - Message: - - '*SeEnableDelegationPrivilege*' + Message|contains: + - 'SeEnableDelegationPrivilege' condition: all of them falsepositives: - Unknown 
diff --git a/rules/windows/builtin/win_alert_enable_weak_encryption.yml b/rules/windows/builtin/win_alert_enable_weak_encryption.yml index ad1a2174c..c0904ce53 100644 --- a/rules/windows/builtin/win_alert_enable_weak_encryption.yml +++ b/rules/windows/builtin/win_alert_enable_weak_encryption.yml @@ -18,13 +18,13 @@ detection: selection: EventID: 4738 keywords: - Message: - - '*DES*' - - '*Preauth*' - - '*Encrypted*' + Message|contains: + - 'DES' + - 'Preauth' + - 'Encrypted' filters: - Message: - - '*Enabled*' + Message|contains: + - 'Enabled' condition: selection and keywords and filters falsepositives: - Unknown diff --git a/rules/windows/builtin/win_alert_lsass_access.yml b/rules/windows/builtin/win_alert_lsass_access.yml index 3c6ec77fc..a2cddf48a 100644 --- a/rules/windows/builtin/win_alert_lsass_access.yml +++ b/rules/windows/builtin/win_alert_lsass_access.yml @@ -17,7 +17,7 @@ logsource: detection: selection: EventID: 1121 - Path: '*\lsass.exe' + Path|endswith: '\lsass.exe' condition: selection falsepositives: - Google Chrome GoogleUpdate.exe diff --git a/rules/windows/builtin/win_alert_mimikatz_keywords.yml b/rules/windows/builtin/win_alert_mimikatz_keywords.yml index 34f43994a..1280bd767 100644 --- a/rules/windows/builtin/win_alert_mimikatz_keywords.yml +++ b/rules/windows/builtin/win_alert_mimikatz_keywords.yml @@ -19,17 +19,17 @@ logsource: product: windows detection: keywords: - Message: - - "* mimikatz *" - - "* mimilib *" - - "* <3 eo.oe *" - - "* eo.oe.kiwi *" - - "* privilege::debug *" - - "* sekurlsa::logonpasswords *" - - "* lsadump::sam *" - - "* mimidrv.sys *" - - "* p::d *" - - "* s::l *" + Message|contains: + - "mimikatz" + - "mimilib" + - "<3 eo.oe" + - "eo.oe.kiwi" + - "privilege::debug" + - "sekurlsa::logonpasswords" + - "lsadump::sam" + - "mimidrv.sys" + - " p::d " + - " s::l " condition: keywords falsepositives: - Naughty administrators 
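Review bot: The three `Message|contains` values `'DES'`, `'Preauth'` and `'Encrypted'` are independent substring tests anywhere in a 4738 message, combined with a separate `'Enabled'` substring from `filters`, so an event that mentions one of those words in one attribute and `Enabled` in an unrelated one fires. The settings this rule is after appear in the message as whole UAC-change phrases (presumably `'Use DES Key Only' - Enabled`, `'Don't Require Preauth' - Enabled`, `'Encrypted Text Password Allowed' - Enabled`); matching those phrases in a single `Message|contains` list and dropping the separate `filters` selection keeps the intent with far fewer false positives, after confirming the exact wording against a 4738 sample from your DCs. The rewrite is faithful to the old wildcards, so this is an inherited weakness rather than a regression.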
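Review bot: In win_alert_mimikatz_keywords.yml the surrounding spaces were dropped from eight of the ten keywords (`"* mimikatz *"` became `"mimikatz"`), widening them from space-delimited to bare substring matches, while `" p::d "` and `" s::l "` keep theirs; the inconsistency is not explained and strings like `mimilib` or `eo.oe.kiwi` now match inside file names or paths where they previously did not. If the widening is intended, a comment above the list such as `# bare substrings on purpose (catches file names like mimilib.dll); p::d and s::l stay space-delimited to avoid noise` records it; otherwise restore the spaces on all entries.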
diff --git a/rules/windows/builtin/win_apt_stonedrill.yml b/rules/windows/builtin/win_apt_stonedrill.yml index 4d07c3077..1d61e8bfe 100755 --- a/rules/windows/builtin/win_apt_stonedrill.yml +++ b/rules/windows/builtin/win_apt_stonedrill.yml @@ -17,7 +17,7 @@ detection: selection: EventID: 7045 ServiceName: NtsSrv - ServiceFileName: '* LocalService' + ServiceFileName|endswith: ' LocalService' condition: selection falsepositives: - Unlikely diff --git a/rules/windows/builtin/win_arbitrary_shell_execution_via_settingcontent.yml b/rules/windows/builtin/win_arbitrary_shell_execution_via_settingcontent.yml new file mode 100644 index 000000000..49d00cae7 --- /dev/null +++ b/rules/windows/builtin/win_arbitrary_shell_execution_via_settingcontent.yml @@ -0,0 +1,30 @@ +title: Arbitrary Shell Command Execution Via Settingcontent-Ms +id: 24de4f3b-804c-4165-b442-5a06a2302c7e +description: The .SettingContent-ms file type was introduced in Windows 10 and allows a user to create "shortcuts" to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries. +author: Sreeman +date: 2020/13/03 +modified: 2021/06/11 +references: + - https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39 +tags: + - attack.t1204 + - attack.t1193 + - attack.execution + - attack.initial_access +logsource: + product: windows + service: security +detection: + selection: + CommandLine|contains: '.SettingContent-ms' + filter: + FilePath|contains: + - 'immersivecontrolpanel' + condition: selection and not filter +falsepositives: + - unknown +fields: + - ParentProcess + - CommandLine + - ParentCommandLine +level: medium diff --git a/rules/windows/builtin/win_asr_bypass_via_appvlp_re.yml b/rules/windows/builtin/win_asr_bypass_via_appvlp_re.yml new file mode 100644 index 000000000..09845cc87 --- /dev/null +++ b/rules/windows/builtin/win_asr_bypass_via_appvlp_re.yml 
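Review bot: In win_arbitrary_shell_execution_via_settingcontent.yml, `date: 2020/13/03` is not a valid date (month 13) and will trip the rule schema tests; presumably `date: 2020/03/13` was meant. The rule declares `product: windows` / `service: security` yet filters on `FilePath|contains` and lists `ParentProcess` in `fields`, names that the 4688 event does not carry, while the other new process rule in this commit (win_powershell_snapins_hafnium) uses `category: process_creation`; either switch to `category: process_creation` with `Image`/`ParentImage`, or document the field mapping in a comment. `attack.t1193` appears to be a pre-v7 technique ID, which elsewhere in this commit is tagged `# an old one`, and the rule has no `status:` line.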
@@ -0,0 +1,25 @@ +title: Using AppVLP To Circumvent ASR File Path Rule +id: 9c7e131a-0f2c-4ae0-9d43-b04f4e266d43 +status: experimental +description: 'Application Virtualization Utility is included with Microsoft Office.We are able to abuse “AppVLP” to execute shell commands. Normally, this binary is used for Application Virtualization, but we can use it as an abuse binary to circumvent the ASR file path rule folder or to mark a file as a system file' +author: Sreeman +date: 2020/13/03 +modified: 2021/06/11 +tags: + - attack.t1218 + - attack.defense_evasion + - attack.execution +logsource: + product: windows + service: security +detection: + selection: + CommandLine|re: '(?i).*appvlp.exe.*(cmd.exe|powershell.exe).*(.sh|.exe|.dll|.bin|.bat|.cmd|.js|.msh|.reg|.scr|.ps|.vb|.jar|.pl|.inf)' + condition: selection +falsepositives: + - unknown +fields: + - ParentProcess + - CommandLine + - ParentCommandLine +level: medium \ No newline at end of file diff --git a/rules/windows/builtin/win_atsvc_task.yml b/rules/windows/builtin/win_atsvc_task.yml index 037db2528..c0f68564f 100644 --- a/rules/windows/builtin/win_atsvc_task.yml +++ b/rules/windows/builtin/win_atsvc_task.yml @@ -21,7 +21,7 @@ detection: EventID: 5145 ShareName: \\*\IPC$ RelativeTargetName: atsvc - Accesses: '*WriteData*' + Accesses|contains: 'WriteData' condition: selection falsepositives: - pentesting diff --git a/rules/windows/builtin/win_av_relevant_match.yml b/rules/windows/builtin/win_av_relevant_match.yml index 14191d944..cbf84be0e 100644 --- a/rules/windows/builtin/win_av_relevant_match.yml +++ b/rules/windows/builtin/win_av_relevant_match.yml 
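Review bot: The dots in `CommandLine|re` are unescaped, so the extension alternation `(.sh|.exe|.dll|…)` matches any character followed by the letters (`xps`, `aexe`) and `appvlp.exe` also matches `appvlpXexe`; escape them (`appvlp\.exe`, `\.sh|\.exe|\.dll|…`) or the extension list adds almost nothing beyond the `appvlp` term and only inflates false positives. The `(?i)` prefix already makes the match case-insensitive, so the leading `.*` is redundant as well. The file is also committed without a trailing newline (`\ No newline at end of file`).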
@@ -9,34 +9,32 @@ logsource: service: application detection: keywords: - Message: - - "*HTool*" - - "*Hacktool*" - - "*ASP/Backdoor*" - - "*JSP/Backdoor*" - - "*PHP/Backdoor*" - - "*Backdoor.ASP*" - - "*Backdoor.JSP*" - - "*Backdoor.PHP*" - - "*Webshell*" - - "*Portscan*" - - "*Mimikatz*" - - "*WinCred*" - - "*PlugX*" - - "*Korplug*" - - "*Pwdump*" - - "*Chopper*" - - "*WmiExec*" - - "*Xscan*" - - "*Clearlog*" - - "*ASPXSpy*" - - "*Seatbelt*" - - "*sbelt*" - filters: - Message: - - "*Keygen*" - - "*Crack*" - condition: keywords and not 1 of filters + Message|contains: + - "HTool" + - "Hacktool" + - "ASP/Backdoor" + - "JSP/Backdoor" + - "PHP/Backdoor" + - "Backdoor.ASP" + - "Backdoor.JSP" + - "Backdoor.PHP" + - "Webshell" + - "Portscan" + - "Mimikatz" + - "WinCred" + - "PlugX" + - "Korplug" + - "Pwdump" + - "Chopper" + - "WmiExec" + - "Xscan" + - "Clearlog" + - "ASPXSpy" + filter: + Message|contains: + - "Keygen" + - "Crack" + condition: keywords and not filter falsepositives: - Some software piracy tools (key generators, cracks) are classified as hack tools level: high diff --git a/rules/windows/builtin/win_camera_microphone_access.yml b/rules/windows/builtin/win_camera_microphone_access.yml new file mode 100644 index 000000000..66ffcb1e2 --- /dev/null +++ b/rules/windows/builtin/win_camera_microphone_access.yml 
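Review bot: The rewrite silently drops the `Seatbelt` and `sbelt` keywords (22 terms on the old side, 20 on the new), while the rest of the hunk is a pure wildcard-to-modifier conversion. If the removal is intentional it deserves a mention in the rule's `modified` history; otherwise restore `- "Seatbelt"` and `- "sbelt"` under `Message|contains`.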
@@ -0,0 +1,29 @@
+title: Processes Accessing the Microphone and Webcam
+id: 8cd538a4-62d5-4e83-810b-12d41e428d6e
+description: Potential adversaries accessing the microphone and webcam in an endpoint.
+status: experimental
+date: 2020/06/07
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.collection
+ - attack.t1123
+references:
+ - https://twitter.com/duzvik/status/1269671601852813320
+ - https://medium.com/@7a616368/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072
+logsource:
+ product: windows
+ service: security
+detection:
+ selection1:
+ EventID:
+ - 4657
+ - 4656
+ - 4663
+ selection2:
+ ObjectName|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged'
+ selection3:
+ ObjectName|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\NonPackaged'
+ condition: selection1 and (selection2 or selection3)
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/builtin/win_cobaltstrike_service_installs.yml b/rules/windows/builtin/win_cobaltstrike_service_installs.yml new file mode 100644
index 000000000..9834aee86
--- /dev/null
+++ b/rules/windows/builtin/win_cobaltstrike_service_installs.yml
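Review bot: Events 4656/4657/4663 for a registry key are only written when a SACL exists on that key and the "Object Access > Audit Registry" subcategory is enabled, so on a default system this rule is silent; other rules in this directory record that prerequisite in `logsource.definition`. Suggest adding `definition: 'Requires "Object Access > Audit Registry" and a SACL (Set Value) on the CapabilityAccessManager\ConsentStore keys'` under `logsource`.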
@@ -0,0 +1,34 @@
+title: CobaltStrike Service Installations
+id: 5a105d34-05fc-401e-8553-272b45c1522d
+description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement
+author: Florian Roth, Wojciech Lesicki
+references:
+ - https://www.sans.org/webcasts/119395
+date: 2021/05/26
+modified: 2021/06/03
+tags:
+ - attack.execution
+ - attack.privilege_escalation
+ - attack.lateral_movement
+ - attack.t1021.002
+ - attack.t1543.003
+ - attack.t1569.002
+logsource:
+ product: windows
+ service: system
+detection:
+ selection1:
+ EventID: 7045
+ selection2:
+ ServiceFileName|contains|all:
+ - 'ADMIN$'
+ - '.exe'
+ selection3:
+ ServiceFileName|contains|all:
+ - '%COMSPEC%'
+ - 'start'
+ - 'powershell'
+ condition: selection1 and (selection2 or selection3)
+falsepositives:
+ - Unknown
+level: critical
diff --git a/rules/windows/builtin/win_dce_rpc_smb_spoolss_named_pipe.yml b/rules/windows/builtin/win_dce_rpc_smb_spoolss_named_pipe.yml new file mode 100644
index 000000000..040b921f8
--- /dev/null
+++ b/rules/windows/builtin/win_dce_rpc_smb_spoolss_named_pipe.yml
@@ -0,0 +1,25 @@
+title: DCERPC SMB Spoolss Named Pipe
+id: 214e8f95-100a-4e04-bb31-ef6cba8ce07e
+description: Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.
+status: experimental
+references:
+ - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
+ - https://dirkjanm.io/a-different-way-of-abusing-zerologon/
+ - https://twitter.com/_dirkjan/status/1309214379003588608
+tags:
+ - attack.lateral_movement
+ - attack.t1021.002
+date: 2018/11/28
+author: OTR (Open Threat Research)
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: 5145
+ ShareName: \\*\IPC$
+ RelativeTargetName: spoolss
+ condition: selection
+falsepositives:
+ - 'Domain Controllers acting as printer servers too? :)'
+level: medium
diff --git a/rules/windows/builtin/win_dcom_iertutil_dll_hijack.yml b/rules/windows/builtin/win_dcom_iertutil_dll_hijack.yml new file mode 100644
index 000000000..dc76cad1b
--- /dev/null
+++ b/rules/windows/builtin/win_dcom_iertutil_dll_hijack.yml
@@ -0,0 +1,25 @@ +title: T1021 DCOM InternetExplorer.Application Iertutil DLL Hijack +id: c39f0c81-7348-4965-ab27-2fde35a1b641 +description: Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program Files\Internet Explorer\` directory over the network for a DCOM InternetExplorer DLL Hijack scenario. +status: experimental +date: 2020/10/12 +author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR) +tags: + - attack.lateral_movement + - attack.t1021.002 + - attack.t1021.003 +references: + - https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009183000.html +logsource: + product: windows + service: security +detection: + selection: + EventID: 5145 + RelativeTargetName|endswith: '\Internet Explorer\iertutil.dll' + filter: + SubjectUserName|endswith: '$' + condition: selection and not filter +falsepositives: + - Unknown +level: critical \ No newline at end of file diff --git a/rules/windows/builtin/win_dcsync.yml b/rules/windows/builtin/win_dcsync.yml index cfe2bd114..d4406838c 100644 --- a/rules/windows/builtin/win_dcsync.yml +++ b/rules/windows/builtin/win_dcsync.yml @@ -19,18 +19,21 @@ logsource: detection: selection: EventID: 4662 - Properties: - - '*Replicating Directory Changes All*' - - '*1131f6ad-9c07-11d1-f79f-00c04fc2dcd2*' + Properties|contains: + - 'Replicating Directory Changes All' + - '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' filter1: SubjectDomainName: 'Window Manager' filter2: - SubjectUserName: - - 'NT AUTHORITY*' - - '*$' - - 'MSOL_*' - condition: selection and not filter1 and not filter2 + SubjectUserName|startswith: + - 'NT AUTHORITY' + - 'MSOL_' + filter3: + SubjectUserName|endswith: + - '$' + condition: selection and not filter1 and not filter2 and not filter3 falsepositives: - Valid DC Sync that is not covered by the filters; please report + - Local Domain Admin account used for Azure AD Connect level: high 
diff --git a/rules/windows/builtin/win_disable_event_logging.yml b/rules/windows/builtin/win_disable_event_logging.yml index 52ef34e3f..e1ea29ef1 100644 --- a/rules/windows/builtin/win_disable_event_logging.yml +++ b/rules/windows/builtin/win_disable_event_logging.yml @@ -16,7 +16,9 @@ logsource: detection: selection: EventID: 4719 - AuditPolicyChanges: 'removed' + AuditPolicyChanges|contains: + - '%%8448' # This is "Success removed" + - '%%8450' # This is "Failure removed" condition: selection falsepositives: - Unknown diff --git a/rules/windows/builtin/win_dpapi_domain_backupkey_extraction.yml b/rules/windows/builtin/win_dpapi_domain_backupkey_extraction.yml index b9d52b7e5..f913f7531 100644 --- a/rules/windows/builtin/win_dpapi_domain_backupkey_extraction.yml +++ b/rules/windows/builtin/win_dpapi_domain_backupkey_extraction.yml @@ -5,7 +5,7 @@ status: experimental date: 2019/06/20 author: Roberto Rodriguez @Cyb3rWard0g references: - - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/domain_dpapi_backupkey_extraction.md + - https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html tags: - attack.credential_access - attack.t1003 # an old one diff --git a/rules/windows/builtin/win_dpapi_domain_masterkey_backup_attempt.yml b/rules/windows/builtin/win_dpapi_domain_masterkey_backup_attempt.yml index a5a89c445..c65a24252 100644 --- a/rules/windows/builtin/win_dpapi_domain_masterkey_backup_attempt.yml +++ b/rules/windows/builtin/win_dpapi_domain_masterkey_backup_attempt.yml 
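Review bot: `AuditPolicyChanges|contains: '%%8448'` relies on the collector forwarding the raw, unresolved `%%` resource tokens of event 4719; pipelines that render the message (or derive the field from the rendered text) deliver `Success removed` / `Failure removed` instead, and the rule then never matches. Consider listing both forms, `- 'Success removed'` and `- 'Failure removed'`, next to the numeric tokens, or state the raw-XML expectation in `logsource.definition`.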
@@ -5,7 +5,7 @@ status: experimental date: 2019/08/10 author: Roberto Rodriguez @Cyb3rWard0g references: - - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/domain_dpapi_backupkey_extraction.md + - https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html tags: - attack.credential_access - attack.t1003 # an old one diff --git a/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml new file mode 100644 index 000000000..cb606839c --- /dev/null +++ b/rules/windows/builtin/win_exploit_cve_2021_1675_printspooler.yml @@ -0,0 +1,38 @@ +title: Possible CVE-2021-1675 Print Spooler Exploitation +id: 4e64668a-4da1-49f5-a8df-9e2d5b866718 +description: Detects events of driver load errors in print service logs that could be a sign of successful exploitation attempts of print spooler vulnerability CVE-2021-1675 +author: Florian Roth, KevTheHermit, fuzzyf10w +status: experimental +level: high +references: + - https://github.com/hhlxf/PrintNightmare + - https://github.com/afwu/PrintNightmare + - https://twitter.com/fuzzyf10w/status/1410202370835898371 +date: 2021/06/30 +tags: + - attack.execution + - cve.2021-1675 +logsource: + product: windows + service: printservice-admin +detection: + selection: + EventID: + - 808 # old id + - 4909 # new id + ErrorCode: '0x45A' + keywords: + - 'The print spooler failed to load a plug-in module' + # default file names used in PoC codes + - 'MyExploit.dll' + - 'evil.dll' + - '\addCube.dll' + - '\rev.dll' + - '\rev2.dll' + - '\main64.dll' + - '\mimilib.dll' + condition: selection or keywords +fields: + - PluginDllName +falsepositives: + - Problems with printer drivers diff --git a/rules/windows/builtin/win_global_catalog_enumeration.yml b/rules/windows/builtin/win_global_catalog_enumeration.yml index 284ede4ed..c87885a43 100644 
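Review bot: In win_exploit_cve_2021_1675_printspooler.yml, `condition: selection or keywords` lets the `keywords` branch bypass the `ErrorCode: '0x45A'` constraint of `selection`: if `The print spooler failed to load a plug-in module` is the standard message text of 808/4909, every driver load failure matches whatever its error code, which is exactly the "Problems with printer drivers" case listed under falsepositives. Move the message string into `selection` (e.g. `Message|contains`) so it stays bound to the error code, and keep only the PoC file names under `keywords`.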
--- a/rules/windows/builtin/win_global_catalog_enumeration.yml +++ b/rules/windows/builtin/win_global_catalog_enumeration.yml @@ -1,16 +1,18 @@ title: Enumeration via the Global Catalog -description: Detects enumeration of the global catalog (that can be performed using BloodHound or others AD reconnaissance tools). Adjust Treshhold according to domain width. +description: Detects enumeration of the global catalog (that can be performed using BloodHound or others AD reconnaissance tools). Adjust Threshold according to domain width. author: Chakib Gzenayi (@Chak092), Hosni Mribah id: 619b020f-0fd7-4f23-87db-3f51ef837a34 date: 2020/05/11 -modified: 2020/08/23 +modified: 2021/06/01 +references: + - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-5156 tags: - attack.discovery - attack.t1087 # an old one - attack.t1087.002 logsource: product: windows - service: system + service: security definition: 'The advanced audit policy setting "Windows Filtering Platform > Filtering Platform Connection" must be configured for Success' detection: selection: diff --git a/rules/windows/builtin/win_hack_smbexec.yml b/rules/windows/builtin/win_hack_smbexec.yml index 0140cbe32..9a1d9139f 100644 --- a/rules/windows/builtin/win_hack_smbexec.yml +++ b/rules/windows/builtin/win_hack_smbexec.yml @@ -20,7 +20,7 @@ detection: service_installation: EventID: 7045 ServiceName: 'BTOBTO' - ServiceFileName: '*\execute.bat' + ServiceFileName|endswith: '\execute.bat' condition: service_installation fields: - ServiceName diff --git a/rules/windows/builtin/win_hidden_user_creation.yml b/rules/windows/builtin/win_hidden_user_creation.yml new file mode 100644 index 000000000..8dee8a7c3 --- /dev/null +++ b/rules/windows/builtin/win_hidden_user_creation.yml 
@@ -0,0 +1,25 @@
+title: Hidden Local User Creation
+id: 7b449a5e-1db5-4dd0-a2dc-4e3a67282538
+description: Detects the creation of a local hidden user account which should not happen for event ID 4720.
+status: experimental
+tags:
+ - attack.persistence
+ - attack.t1136.001
+references:
+ - https://twitter.com/SBousseaden/status/1387743867663958021
+author: Christian Burkard
+date: 2021/05/03
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: 4720
+ TargetUserName|endswith: '$'
+ condition: selection
+fields:
+ - EventCode
+ - AccountName
+falsepositives:
+ - unkown
+level: high
diff --git a/rules/windows/builtin/win_hybridconnectionmgr_svc_installation.yml b/rules/windows/builtin/win_hybridconnectionmgr_svc_installation.yml new file mode 100644
index 000000000..8731d1f9a
--- /dev/null
+++ b/rules/windows/builtin/win_hybridconnectionmgr_svc_installation.yml
@@ -0,0 +1,23 @@
+title: HybridConnectionManager Service Installation
+id: 0ee4d8a5-4e67-4faf-acfa-62a78457d1f2
+description: Rule to detect the Hybrid Connection Manager service installation.
+status: experimental
+date: 2021/04/12
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.persistence
+references:
+ - https://twitter.com/Cyb3rWard0g/status/1381642789369286662
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID:
+ - 4697
+ ServiceName: HybridConnectionManager
+ ServiceFileName|contains: HybridConnectionManager
+ condition: selection
+falsepositives:
+ - Legitimate use of Hybrid Connection Manager via Azure function apps.
+level: high
diff --git a/rules/windows/builtin/win_hybridconnectionmgr_svc_running.yml b/rules/windows/builtin/win_hybridconnectionmgr_svc_running.yml new file mode 100644
index 000000000..7b0329fbe
--- /dev/null
+++ b/rules/windows/builtin/win_hybridconnectionmgr_svc_running.yml
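Review bot: `falsepositives: - unkown` in win_hidden_user_creation.yml is a typo for `Unknown`. The `fields` list names `EventCode` and `AccountName`, which look like Splunk-side names rather than the Sigma field the selection keys on; `- TargetUserName` (plus `- SubjectUserName` for the creating account) would be consistent with the rest of the rule set.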
@@ -0,0 +1,28 @@ +title: HybridConnectionManager Service Running +id: b55d23e5-6821-44ff-8a6e-67218891e49f +description: Rule to detect the Hybrid Connection Manager service running on an endpoint. +status: experimental +date: 2021/04/12 +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +tags: + - attack.persistence +references: + - https://twitter.com/Cyb3rWard0g/status/1381642789369286662 +logsource: + product: windows + service: Microsoft-ServiceBus-Client +detection: + selection: + EventID: + - 40300 + - 40301 + - 40302 + Message|contains: + - 'HybridConnection' + - 'sb://' + - 'servicebus.windows.net' + - 'HybridConnectionManage' + condition: selection +falsepositives: + - Legitimate use of Hybrid Connection Manager via Azure function apps. +level: high diff --git a/rules/windows/builtin/win_impacket_secretdump.yml b/rules/windows/builtin/win_impacket_secretdump.yml index 720c99ed8..7706d4ee1 100644 --- a/rules/windows/builtin/win_impacket_secretdump.yml +++ b/rules/windows/builtin/win_impacket_secretdump.yml @@ -1,8 +1,9 @@ title: Possible Impacket SecretDump Remote Activity id: 252902e3-5830-4cf6-bf21-c22083dfd5cf description: Detect AD credential dumping using impacket secretdump HKTL -author: Samir Bousseaden +author: Samir Bousseaden, wagga date: 2019/04/03 +modified: 2021/06/27 references: - https://blog.menasec.net/2019/02/threat-huting-10-impacketsecretdump.html tags: @@ -19,7 +20,9 @@ detection: selection: EventID: 5145 ShareName: \\*\ADMIN$ - RelativeTargetName: 'SYSTEM32\\*.tmp' + RelativeTargetName|contains|all: + - 'SYSTEM32\' + - '.tmp' condition: selection falsepositives: - pentesting diff --git a/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml b/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml new file mode 100644 index 000000000..b33bf0cb8 --- /dev/null +++ b/rules/windows/builtin/win_invoke_obfuscation_clip+_services.yml 
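Review bot: In `Message|contains`, `'HybridConnectionManage'` looks like a truncated `HybridConnectionManager` and is dead either way, because `'HybridConnection'` already matches it as a substring. The list is OR-ed, so `'sb://'` and `'servicebus.windows.net'` on their own fire on any Microsoft-ServiceBus-Client event 40300–40302 that names a Service Bus endpoint, which is broader than the title promises; either drop the generic endpoint terms or require them together with the HybridConnection term via `Message|contains|all`.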
@@ -0,0 +1,43 @@ +action: global +title: Invoke-Obfuscation CLIP+ Launcher +id: f7385ee2-0e0c-11eb-adc1-0242ac120002 +description: Detects Obfuscated use of Clip.exe to execute PowerShell +status: experimental +author: Jonathan Cheong, oscd.community +date: 2020/10/13 +modified: 2020/05/27 +references: + - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26) +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 +falsepositives: + - Unknown +level: high +detection: + selection: + - ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"' + condition: selection and selection_eventid +--- +logsource: + product: windows + service: system +detection: + selection_eventid: + EventID: 7045 +--- +logsource: + product: windows + category: driver_load +detection: + selection_eventid: + EventID: 6 +--- +logsource: + product: windows + service: security +detection: + selection_eventid: + EventID: 4697 diff --git a/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml b/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml index e02bb5d05..b76bdade5 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_obfuscated_iex_services.yml @@ -31,14 +31,14 @@ detection: --- logsource: product: windows - service: sysmon + category: driver_load detection: selection: EventID: 6 --- - logsource: - product: windows - service: security - detection: - selection: - EventID: 4697 +logsource: + product: windows + service: security +detection: + selection: + EventID: 4697 diff --git a/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml b/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml new file mode 100644 index 000000000..3e8313bf7 --- /dev/null +++ b/rules/windows/builtin/win_invoke_obfuscation_stdin+_services.yml 
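Review bot: `modified: 2020/05/27` predates `date: 2020/10/13`; the sibling rules added in this commit carry `2021/05/27`, so this is presumably a year typo. Across the whole series (this file, win_invoke_obfuscation_stdin+_services.yml, var+, via_compress, via_rundll, via_stdin, via_use_clip, via_use_mshta, via_use_rundll32, via_var++) the shared `selection` keys on `ImagePath`, which is the 7045 field name; Sysmon event 6 exposes the path as `ImageLoaded` and 4697 as `ServiceFileName`, so unless the backend configuration maps those names, the `driver_load` and `security` documents can never match. Either give each document a selection on its own field name, or state the mapping assumption in the rule. The same caveat applies to win_invoke_obfuscation_obfuscated_iex_services.yml in the second hunk, whose global selection lies outside the hunk.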
@@ -0,0 +1,43 @@
+action: global
+title: Invoke-Obfuscation STDIN+ Launcher
+id: 72862bf2-0eb1-11eb-adc1-0242ac120002
+description: Detects Obfuscated use of stdin to execute PowerShell
+status: experimental
+author: Jonathan Cheong, oscd.community
+date: 2020/10/15
+modified: 2021/05/27
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+falsepositives:
+ - Unknown
+level: high
+detection:
+ selection:
+ - ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
+ condition: selection and selection_eventid
+---
+logsource:
+ product: windows
+ service: system
+detection:
+ selection_eventid:
+ EventID: 7045
+---
+logsource:
+ product: windows
+ category: driver_load
+detection:
+ selection_eventid:
+ EventID: 6
+---
+logsource:
+ product: windows
+ service: security
+detection:
+ selection_eventid:
+ EventID: 4697
diff --git a/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml b/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml new file mode 100644
index 000000000..317760bda
--- /dev/null
+++ b/rules/windows/builtin/win_invoke_obfuscation_var+_services.yml
@@ -0,0 +1,40 @@
+action: global
+title: Invoke-Obfuscation VAR+ Launcher
+id: 8ca7004b-e620-4ecb-870e-86129b5b8e75
+description: Detects Obfuscated use of Environment Variables to execute PowerShell
+status: experimental
+author: Jonathan Cheong, oscd.community
+date: 2020/10/15
+modified: 2021/06/10
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+falsepositives:
+ - Unknown
+level: high
+detection:
+ selection:
+ - ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
+ condition: all of them
+---
+logsource:
+ product: windows
+ service: system
+detection:
+ selection_eventid:
+ EventID: 7045
+---
+logsource:
+ product: windows
+ category: process_creation
+---
+logsource:
+ product: windows
+ service: security
+detection:
+ selection_eventid:
+ EventID: 4697
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml new file mode 100644
index 000000000..9664661b0
--- /dev/null
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml
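Review bot: The `process_creation` document has no `detection` section, so under `action: global` it inherits only `selection`, and `condition: all of them` then collapses to the `ImagePath` regex alone for process-creation events, which carry no `ImagePath` field. The other rules in this series use `category: driver_load` with `selection_eventid: EventID: 6` and `condition: selection and selection_eventid`; align this file with them or drop the third document.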
@@ -0,0 +1,43 @@
+action: global
+title: Invoke-Obfuscation COMPRESS OBFUSCATION
+id: 175997c5-803c-4b08-8bb0-70b099f47595
+description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
+status: experimental
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/18
+modified: 2021/05/27
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+falsepositives:
+ - unknown
+level: medium
+detection:
+ selection:
+ - ImagePath|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend'
+ condition: selection and selection_eventid
+---
+logsource:
+ product: windows
+ service: system
+detection:
+ selection_eventid:
+ EventID: 7045
+---
+logsource:
+ product: windows
+ category: driver_load
+detection:
+ selection_eventid:
+ EventID: 6
+---
+logsource:
+ product: windows
+ service: security
+detection:
+ selection_eventid:
+ EventID: 4697
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml new file mode 100644
index 000000000..fcf7920ee
--- /dev/null
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml
@@ -0,0 +1,43 @@
+action: global
+title: Invoke-Obfuscation RUNDLL LAUNCHER
+id: 11b52f18-aaec-4d60-9143-5dd8cc4706b9
+description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
+status: experimental
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/18
+modified: 2021/05/27
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+falsepositives:
+ - Unknown
+level: medium
+detection:
+ selection:
+ - ImagePath|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
+ condition: selection and selection_eventid
+---
+logsource:
+ product: windows
+ service: system
+detection:
+ selection_eventid:
+ EventID: 7045
+---
+logsource:
+ product: windows
+ category: driver_load
+detection:
+ selection_eventid:
+ EventID: 6
+---
+logsource:
+ product: windows
+ service: security
+detection:
+ selection_eventid:
+ EventID: 4697
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml new file mode 100644
index 000000000..df37801a0
--- /dev/null
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml
@@ -0,0 +1,43 @@
+action: global
+title: Invoke-Obfuscation Via Stdin
+id: 487c7524-f892-4054-b263-8a0ace63fc25
+description: Detects Obfuscated Powershell via Stdin in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/12
+modified: 2021/05/27
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task28)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+falsepositives:
+ - Unknown
+level: high
+detection:
+ selection:
+ - ImagePath|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
+ condition: selection and selection_eventid
+---
+logsource:
+ product: windows
+ service: system
+detection:
+ selection_eventid:
+ EventID: 7045
+---
+logsource:
+ product: windows
+ category: driver_load
+detection:
+ selection_eventid:
+ EventID: 6
+---
+logsource:
+ product: windows
+ service: security
+detection:
+ selection_eventid:
+ EventID: 4697
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml new file mode 100644
index 000000000..2bb42aec1
--- /dev/null
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml
@@ -0,0 +1,43 @@
+action: global
+title: Invoke-Obfuscation Via Use Clip
+id: 63e3365d-4824-42d8-8b82-e56810fefa0c
+description: Detects Obfuscated Powershell via use Clip.exe in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/09
+modified: 2021/05/27
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task29)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+falsepositives:
+ - Unknown
+level: high
+detection:
+ selection:
+ - ImagePath|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
+ condition: selection and selection_eventid
+---
+logsource:
+ product: windows
+ service: system
+detection:
+ selection_eventid:
+ EventID: 7045
+---
+logsource:
+ product: windows
+ category: driver_load
+detection:
+ selection_eventid:
+ EventID: 6
+---
+logsource:
+ product: windows
+ service: security
+detection:
+ selection_eventid:
+ EventID: 4697
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services.yml new file mode 100644
index 000000000..9ba4f8960
--- /dev/null
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services.yml
@@ -0,0 +1,43 @@
+action: global
+title: Invoke-Obfuscation Via Use MSHTA
+id: 7e9c7999-0f9b-4d4a-a6ed-af6d553d4af4
+description: Detects Obfuscated Powershell via use MSHTA in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/09
+modified: 2021/05/27
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task31)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+falsepositives:
+ - Unknown
+level: high
+detection:
+ selection:
+ - ImagePath|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"'
+ condition: selection and selection_eventid
+---
+logsource:
+ product: windows
+ service: system
+detection:
+ selection_eventid:
+ EventID: 7045
+---
+logsource:
+ product: windows
+ category: driver_load
+detection:
+ selection_eventid:
+ EventID: 6
+---
+logsource:
+ product: windows
+ service: security
+detection:
+ selection_eventid:
+ EventID: 4697
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml new file mode 100644
index 000000000..84bf36fd0
--- /dev/null
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml
@@ -0,0 +1,43 @@
+action: global
+title: Invoke-Obfuscation Via Use Rundll32
+id: 641a4bfb-c017-44f7-800c-2aee0184ce9b
+description: Detects Obfuscated Powershell via use Rundll32 in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/09
+modified: 2021/05/27
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task30)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+falsepositives:
+ - Unknown
+level: high
+detection:
+ selection:
+ - ImagePath|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"'
+ condition: selection and selection_eventid
+---
+logsource:
+ product: windows
+ service: system
+detection:
+ selection_eventid:
+ EventID: 7045
+---
+logsource:
+ product: windows
+ category: driver_load
+detection:
+ selection_eventid:
+ EventID: 6
+---
+logsource:
+ product: windows
+ service: security
+detection:
+ selection_eventid:
+ EventID: 4697
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml new file mode 100644
index 000000000..aaa51e80b
--- /dev/null
+++ b/rules/windows/builtin/win_invoke_obfuscation_via_var++_services.yml
@@ -0,0 +1,42 @@
+action: global
+title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
+id: 14bcba49-a428-42d9-b943-e2ce0f0f7ae6
+description: Detects Obfuscated Powershell via VAR++ LAUNCHER
+status: experimental
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/13
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task27)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+falsepositives:
+ - Unknown
+level: high
+detection:
+ selection:
+ - ImagePath|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
+ condition: selection and selection_eventid
+---
+logsource:
+ product: windows
+ service: system
+detection:
+ selection_eventid:
+ EventID: 7045
+---
+logsource:
+ product: windows
+ category: driver_load
+detection:
+ selection_eventid:
+ EventID: 6
+---
+logsource:
+ product: windows
+ service: security
+detection:
+ selection_eventid:
+ EventID: 4697
diff --git a/rules/windows/builtin/win_iso_mount.yml b/rules/windows/builtin/win_iso_mount.yml new file mode 100644
index 000000000..40796d9e7
--- /dev/null
+++ b/rules/windows/builtin/win_iso_mount.yml
@@ -0,0 +1,27 @@ +title: ISO Image Mount +id: 0248a7bc-8a9a-4cd8-a57e-3ae8e073a073 +description: Detects the mount of ISO images on an endpoint +status: experimental +date: 2021/05/29 +author: Syed Hasan (@syedhasan009) +references: + - https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/malicious-spam-campaign-uses-iso-image-files-to-deliver-lokibot-and-nanocore + - https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages + - https://twitter.com/MsftSecIntel/status/1257324139515269121 +tags: + - attack.initial_access + - attack.t1566.001 +logsource: + product: windows + service: security + definition: 'The advanced audit policy setting "Object Access > Audit Removable Storage" must be configured for Success/Failure' +detection: + selection: + EventID: 4663 + ObjectServer: 'Security' + ObjectType: 'File' + ObjectName: '\Device\CdRom*' + condition: selection +falsepositives: + - Software installation ISO files +level: medium diff --git a/rules/windows/builtin/win_lsass_access_non_system_account.yml b/rules/windows/builtin/win_lsass_access_non_system_account.yml index 55bab5f3b..548473bb9 100644 --- a/rules/windows/builtin/win_lsass_access_non_system_account.yml +++ b/rules/windows/builtin/win_lsass_access_non_system_account.yml @@ -3,10 +3,10 @@ id: 962fe167-e48d-4fd6-9974-11e5b9a5d6d1 description: Detects potential mimikatz-like tools accessing LSASS from non system account status: experimental date: 2019/06/20 -modified: 2019/11/10 +modified: 2021/03/17 author: Roberto Rodriguez @Cyb3rWard0g references: - - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/lsass_access_non_system_account.md + - https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-170105221010.html tags: - attack.credential_access - attack.t1003 # an old one 
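Review bot: `ObjectName: '\Device\CdRom*'` in win_iso_mount.yml keeps a trailing wildcard in a plain value while the rest of this commit converts such patterns to modifiers; write it as `ObjectName|startswith: '\Device\CdRom'` for consistency and backend portability. Recording the "Audit Removable Storage" prerequisite in `definition` is good and worth copying into the other new rules here that depend on object-access auditing.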
@@ -19,11 +19,40 @@ detection: EventID: - 4663 - 4656 + AccessMask: + - '0x40' + - '0x1400' + - '0x1000' + - '0x100000' + - '0x1410' # car.2019-04-004 + - '0x1010' # car.2019-04-004 + - '0x1438' # car.2019-04-004 + - '0x143a' # car.2019-04-004 + - '0x1418' # car.2019-04-004 + - '0x1f0fff' + - '0x1f1fff' + - '0x1f2fff' + - '0x1f3fff' + - '40' + - '1400' + - '1000' + - '100000' + - '1410' # car.2019-04-004 + - '1010' # car.2019-04-004 + - '1438' # car.2019-04-004 + - '143a' # car.2019-04-004 + - '1418' # car.2019-04-004 + - '1f0fff' + - '1f1fff' + - '1f2fff' + - '1f3fff' ObjectType: 'Process' ObjectName|endswith: '\lsass.exe' - filter: + filter1: SubjectUserName|endswith: '$' - condition: selection and not filter + filter2: + ProcessName|startswith: 'C:\Program Files' # too many false positives with legitimate AV and EDR solutions + condition: selection and not filter1 and not filter2 fields: - ComputerName - ObjectName diff --git a/rules/windows/builtin/win_mal_creddumper.yml b/rules/windows/builtin/win_mal_creddumper.yml index 5158c3966..6a71474a8 100644 --- a/rules/windows/builtin/win_mal_creddumper.yml +++ b/rules/windows/builtin/win_mal_creddumper.yml @@ -5,7 +5,7 @@ description: Detects well-known credential dumping tools execution via service e author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community id: 4976aa50-8f41-45c6-8b15-ab3fc10e79ed date: 2017/03/05 -modified: 2020/08/23 +modified: 2021/03/18 references: - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment tags: @@ -21,7 +21,7 @@ tags: - attack.t1569.002 - attack.s0005 detection: - selection_1: + selection: - ServiceName|contains: - 'fgexec' - 'wceservice' 
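Review bot: `filter2: ProcessName|startswith: 'C:\Program Files'` excludes every process under both Program Files trees, which is far broader than the AV/EDR case the comment gives; anything launched from those directories is no longer reported for LSASS access at any of the listed masks. If the noise comes from a few known products, listing their directories (one `ProcessName|startswith:` entry per vendor path) keeps the exclusion auditable; otherwise the comment should state explicitly that the whole directory tree is trusted. The `AccessMask` list carries each value twice (`'0x40'` and `'40'`), so a comment such as `# both 0x-prefixed and bare hex forms, depending on how the pipeline renders the mask` would explain the duplication. The `detection` block continues outside the hunk.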
@@ -39,8 +39,7 @@ detection: - 'gsecdump' - 'servpw' - 'pwdump' - - ImagePath|re: '((\\\\.*\\.*|.*\\)([{]?[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}[}])?\.(exe|scr|cpl|bat|js|cmd|vbs).*)' - condition: selection and selection_1 + condition: selection falsepositives: - Legitimate Administrator using credential dumping tool for password recovery level: high @@ -54,10 +53,7 @@ detection: --- logsource: product: windows - service: sysmon -detection: - selection: - EventID: 6 + category: driver_load --- logsource: product: windows diff --git a/rules/windows/builtin/win_mal_service_installs.yml b/rules/windows/builtin/win_mal_service_installs.yml index 4bee531c4..5e9adf31e 100644 --- a/rules/windows/builtin/win_mal_service_installs.yml +++ b/rules/windows/builtin/win_mal_service_installs.yml @@ -1,9 +1,9 @@ title: Malicious Service Installations -id: 5a105d34-05fc-401e-8553-272b45c1522d +id: 2cfe636e-317a-4bee-9f2c-1066d9f54d1a description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping and other suspicious activity author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update) date: 2017/03/27 -modified: 2019/11/01 +modified: 2021/05/27 tags: - attack.persistence - attack.privilege_escalation diff --git a/rules/windows/builtin/win_mal_wceaux_dll.yml b/rules/windows/builtin/win_mal_wceaux_dll.yml index df16fe303..e188aa447 100644 --- a/rules/windows/builtin/win_mal_wceaux_dll.yml +++ b/rules/windows/builtin/win_mal_wceaux_dll.yml @@ -21,7 +21,7 @@ detection: - 4658 - 4660 - 4663 - ObjectName: '*\wceaux.dll' + ObjectName|endswith: '\wceaux.dll' condition: selection falsepositives: - Penetration testing diff --git a/rules/windows/builtin/win_metasploit_or_impacket_smb_psexec_service_install.yml b/rules/windows/builtin/win_metasploit_or_impacket_smb_psexec_service_install.yml new file mode 100644 index 000000000..833a13490 --- /dev/null 
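Review bot: After `@@ -54,10` the `driver_load` document has no `detection` block of its own, so it inherits only the global `selection` on `ServiceName|contains`; as far as I know a Sysmon driver-load event carries the loaded image path and signature fields but no `ServiceName`, so that document can only match if the backend field mapping supplies one. Removing the `ImagePath|re` alternative in `@@ -39,8` also drops the one criterion that looked at the binary path, which is the only attribute a driver-load event would have offered. Either document the mapping the `driver_load` document depends on, e.g. `# relies on ServiceName being mapped from the driver image path`, or drop that document so the rule only claims the two service-install sources it can actually match.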
+++ b/rules/windows/builtin/win_metasploit_or_impacket_smb_psexec_service_install.yml
@@ -0,0 +1,45 @@
+title: Metasploit Or Impacket Service Installation Via SMB PsExec
+id: 1a17ce75-ff0d-4f02-9709-2b7bb5618cf0
+description: Detects usage of Metasploit SMB PsExec (exploit/windows/smb/psexec) and Impacket psexec.py by triggering on specific service installation
+author: Bartlomiej Czyz, Relativity
+date: 2021/01/21
+action: global
+references:
+ - https://bczyz1.github.io/2021/01/30/psexec.html
+tags:
+ - attack.lateral_movement
+ - attack.t1021.002
+ - attack.t1570
+ - attack.execution
+ - attack.t1569.002
+detection:
+ selection_1:
+ ServiceFileName|re: '^.*\\[a-zA-Z]{8}\.exe$'
+ ServiceName|re: '(^[a-zA-Z]{4}$)|(^[a-zA-Z]{8}$)|(^[a-zA-Z]{16}$)'
+ filter:
+ ServiceName: 'PSEXESVC'
+ condition: selection and selection_1 and not filter
+fields:
+ - ComputerName
+ - SubjectDomainName
+ - SubjectUserName
+ - ServiceName
+ - ServiceFileName
+falsepositives:
+ - Highly unlikely
+level: high
+---
+logsource:
+ product: windows
+ service: system
+detection:
+ selection:
+ EventID: 7045
+---
+ logsource:
+ product: windows
+ service: security
+ detection:
+ selection:
+ EventID: 4697
+
diff --git a/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
index 222cec980..7e1183737 100644
--- a/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
+++ b/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
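Review bot: The last YAML document (`service: security`, EventID 4697) appears to have `logsource:` and `detection:` indented one level deeper than the first two documents (the `+` marker is followed by a space on those lines), which is exactly the layout this commit removes from win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml in `@@ -51,14`; it parses as an indented root mapping but reads as nested and will trip a strict linter. Dedenting that block so `logsource:` and `detection:` sit at column 0 keeps the three documents uniform, and the trailing empty `+` line at the end of the file can go with it. A comment on `filter:` such as `# PSEXESVC is the genuine Sysinternals service name, which the 8-letter regex above would otherwise match` would record why the exclusion is safe.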
@@ -2,9 +2,9 @@ action: global title: Meterpreter or Cobalt Strike Getsystem Service Installation id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6 description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation -author: Teymur Kheirkhabarov, Ecco +author: Teymur Kheirkhabarov, Ecco, Florian Roth date: 2019/10/26 -modified: 2020/08/23 +modified: 2021/05/20 references: - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/ @@ -14,7 +14,7 @@ tags: - attack.t1134.001 - attack.t1134.002 detection: - selection_1: + selection: # meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a - ServiceFileName|contains|all: - 'cmd' @@ -27,12 +27,18 @@ detection: - '/c' - 'echo' - '\pipe\' + # cobaltstrike getsystem technique 1b (expanded %COMSPEC%): %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a + - ServiceFileName|contains|all: + - 'cmd.exe' + - '/c' + - 'echo' + - '\pipe\' # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn - ServiceFileName|contains|all: - 'rundll32' - '.dll,a' - '/p:' - condition: selection and selection_1 + condition: selection fields: - ComputerName - SubjectDomainName @@ -51,14 +57,11 @@ detection: --- logsource: product: windows - service: sysmon + category: driver_load +--- +logsource: + product: windows + service: security detection: selection: - EventID: 6 ---- - logsource: - product: windows - service: security - detection: - selection: - EventID: 4697 + EventID: 4697 diff --git a/rules/windows/builtin/win_mmc20_lateral_movement.yml b/rules/windows/builtin/win_mmc20_lateral_movement.yml index 31b971d24..190dc1057 100644 --- a/rules/windows/builtin/win_mmc20_lateral_movement.yml +++ b/rules/windows/builtin/win_mmc20_lateral_movement.yml 
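Review bot: The new "cobaltstrike getsystem technique 1b" entry in `@@ -27,12` is subsumed by the entry above it: any `ServiceFileName` containing `'cmd.exe'`, `'/c'`, `'echo'` and `'\pipe\'` already contains `'cmd'`, `'/c'`, `'echo'` and `'\pipe\'`, so the added block never changes the result. If the intent is to cover the expanded `%COMSPEC%` form, the first entry already does; if the intent is to match the unexpanded string, the entry should read `- '%COMSPEC%'` instead of `- 'cmd.exe'`. As written, the comment and the entry disagree, and the `modified` date bump is the only visible effect.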
@@ -16,9 +16,9 @@ logsource: product: windows detection: selection: - ParentImage: '*\svchost.exe' - Image: '*\mmc.exe' - CommandLine: '*-Embedding*' + ParentImage|endswith: '\svchost.exe' + Image|endswith: '\mmc.exe' + CommandLine|contains: '-Embedding' condition: selection falsepositives: - Unlikely diff --git a/rules/windows/builtin/win_moriya_rootkit.yml b/rules/windows/builtin/win_moriya_rootkit.yml index 2458d0c93..70636d9fa 100644 --- a/rules/windows/builtin/win_moriya_rootkit.yml +++ b/rules/windows/builtin/win_moriya_rootkit.yml @@ -5,6 +5,7 @@ description: Detects the use of Moriya rootkit as described in the securelist's status: experimental author: Bhabesh Raj date: 2021/05/06 +modified: 2021/05/12 level: critical falsepositives: - None @@ -26,7 +27,7 @@ detection: --- logsource: product: windows - service: file_event + category: file_event detection: selection: TargetFilename: 'C:\Windows\System32\drivers\MoriyaStreamWatchmen.sys' diff --git a/rules/windows/builtin/win_net_ntlm_downgrade.yml b/rules/windows/builtin/win_net_ntlm_downgrade.yml index be83d333a..4269933d4 100644 --- a/rules/windows/builtin/win_net_ntlm_downgrade.yml +++ b/rules/windows/builtin/win_net_ntlm_downgrade.yml @@ -4,9 +4,9 @@ id: d67572a0-e2ec-45d6-b8db-c100d14b8ef2 description: Detects NetNTLM downgrade attack references: - https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks -author: Florian Roth +author: Florian Roth, wagga date: 2018/03/20 -modified: 2020/08/23 +modified: 2021/06/27 tags: - attack.defense_evasion - attack.t1089 # an old one 
@@ -20,14 +20,18 @@ level: critical --- logsource: product: windows - service: sysmon + category: registry_event detection: selection1: - EventID: 13 - TargetObject: - - '*SYSTEM\\*ControlSet*\Control\Lsa\lmcompatibilitylevel' - - '*SYSTEM\\*ControlSet*\Control\Lsa*\NtlmMinClientSec' - - '*SYSTEM\\*ControlSet*\Control\Lsa*\RestrictSendingNTLMTraffic' + TargetObject|contains|all: + - 'SYSTEM\' + - 'ControlSet' + - '\Control\Lsa' + TargetObject|endswith: + - '\lmcompatibilitylevel' + - '\NtlmMinClientSec' + - '\RestrictSendingNTLMTraffic' + --- # Windows Security Eventlog: Process Creation with Full Command Line logsource: @@ -35,10 +39,17 @@ logsource: service: security definition: 'Requirements: Audit Policy : Object Access > Audit Registry (Success)' detection: - selection2: + selection: EventID: 4657 - ObjectName: '\REGISTRY\MACHINE\SYSTEM\\*ControlSet*\Control\Lsa*' + ObjectName|contains|all: + - '\REGISTRY\MACHINE\SYSTEM' + - 'ControlSet' + - '\Control\Lsa' ObjectValueName: - 'LmCompatibilityLevel' - 'NtlmMinClientSec' - 'RestrictSendingNTLMTraffic' + condition: selection +falsepositives: + - Unknown +level: critical diff --git a/rules/windows/builtin/win_net_use_admin_share.yml b/rules/windows/builtin/win_net_use_admin_share.yml new file mode 100644 index 000000000..e652c7c81 --- /dev/null +++ b/rules/windows/builtin/win_net_use_admin_share.yml 
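Review bot: The security-log document in `@@ -35,10` restates `falsepositives` and `level: critical`, which the header of `@@ -20,14` shows already present in the global part of the rule (`level: critical` immediately before the first `---`); the duplicate keys are harmless today but will silently diverge the first time only one copy is edited. Keeping `falsepositives`/`level` only in the global block avoids that. Renaming `selection2` to `selection` and adding a local `condition: selection` also means the global `condition`, if it still references `selection2`, needs the same rename — the start of the rule and that condition are outside the hunk. For symmetry the `registry_event` document could carry `condition: selection1` (or be renamed to `selection` as well), since it currently defines a selection without a visible condition.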
@@ -0,0 +1,27 @@ +title: Mounted Windows Admin Shares with net.exe +id: 3abd6094-7027-475f-9630-8ab9be7b9725 +status: experimental +description: Detects when an admin share is mounted using net.exe +references: + - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view +author: 'oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, wagga' +date: 2020/10/05 +modified: 2021/06/27 +tags: + - attack.lateral_movement + - attack.t1021.002 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: + - '\net.exe' + - '\net1.exe' + CommandLine|contains|all: + - ' use ' + - '\\\*\\*$' # (Specs) If some wildcard after a backslash should be searched, the backslash has to be escaped: \\* + condition: selection +falsepositives: + - Administrators +level: medium diff --git a/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml b/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml index 7dc8150b0..73c5c0166 100644 --- a/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml +++ b/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml @@ -23,5 +23,5 @@ fields: - UserName - SubjectAccountName falsepositives: - - Unkown + - Unknown level: high diff --git a/rules/windows/builtin/win_ntfs_vuln_exploit.yml b/rules/windows/builtin/win_ntfs_vuln_exploit.yml new file mode 100644 index 000000000..3efcaf886 --- /dev/null +++ b/rules/windows/builtin/win_ntfs_vuln_exploit.yml 
@@ -0,0 +1,22 @@ +title: NTFS Vulnerability Exploitation +id: f14719ce-d3ab-4e25-9ce6-2899092260b0 +description: This the exploitation of a NTFS vulnerability as reported without many details via Twitter +author: Florian Roth +date: 2021/01/11 +references: + - https://twitter.com/jonasLyk/status/1347900440000811010 + - https://twitter.com/wdormann/status/1347958161609809921 +logsource: + product: windows + service: system +detection: + selection: + EventID: 55 + Origin: 'File System Driver' + Description|contains|all: + - 'contains a corrupted file record' + - 'The name of the file is "\"' + condition: selection +falsepositives: + - Unlikely +level: critical diff --git a/rules/windows/builtin/win_possible_dc_shadow.yml b/rules/windows/builtin/win_possible_dc_shadow.yml index f227cd538..280873fed 100644 --- a/rules/windows/builtin/win_possible_dc_shadow.yml +++ b/rules/windows/builtin/win_possible_dc_shadow.yml @@ -18,11 +18,11 @@ logsource: detection: selection1: EventID: 4742 - ServicePrincipalNames: '*GC/*' + ServicePrincipalNames|contains: 'GC/' selection2: EventID: 5136 LDAPDisplayName: servicePrincipalName - Value: 'GC/*' + Value|startswith: 'GC/' condition: selection1 OR selection2 falsepositives: - Exclude known DCs diff --git a/rules/windows/builtin/win_powershell_script_installed_as_service.yml b/rules/windows/builtin/win_powershell_script_installed_as_service.yml new file mode 100644 index 000000000..01652c7c6 --- /dev/null +++ b/rules/windows/builtin/win_powershell_script_installed_as_service.yml 
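Review bot: `description: This the exploitation of a NTFS vulnerability …` is missing its verb; `description: Detects exploitation of an NTFS vulnerability reported without many details via Twitter` reads like the other rules. The rule also has no `status:` and no `tags:` block, unlike every other new rule in this commit; `status: experimental` and a `tags:` entry for the relevant ATT&CK technique would let it be filtered and mapped like the rest. A short comment on `EventID: 55`, e.g. `# NTFS file-system corruption report`, would help readers who do not know the event.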
@@ -0,0 +1,43 @@
+action: global
+title: PowerShell Scripts Installed as Services
+id: a2e5019d-a658-4c6a-92bf-7197b54e2cae
+description: Detects powershell script installed as a Service
+status: experimental
+author: oscd.community, Natalia Shornikova
+date: 2020/10/06
+modified: 2021/05/21
+references:
+ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
+tags:
+ - attack.execution
+ - attack.t1569.002
+detection:
+ powershell_as_service:
+ ServiceFileName|contains:
+ - 'powershell'
+ - 'pwsh'
+ condition: service_creation and powershell_as_service
+falsepositives:
+ - Unknown
+level: high
+---
+logsource:
+ product: windows
+ service: system
+detection:
+ service_creation:
+ EventID: 7045
+---
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ service_creation:
+ EventID: 6
+---
+logsource:
+ product: windows
+ service: security
+detection:
+ service_creation:
+ EventID: 4697
diff --git a/rules/windows/builtin/win_privesc_cve_2020_1472.yml b/rules/windows/builtin/win_privesc_cve_2020_1472.yml
new file mode 100644
index 000000000..25f9d8143
--- /dev/null
+++ b/rules/windows/builtin/win_privesc_cve_2020_1472.yml
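Review bot: The second document uses `service: sysmon` with `EventID: 6`, while this same commit migrates the equivalent sections of win_mal_creddumper.yml and win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml to `category: driver_load`; the file carries `modified: 2021/05/21` but was not brought in line. Beyond consistency, a Sysmon driver-load event describes a driver image and, as far as I know, has no `ServiceFileName`, so `powershell_as_service` cannot match it without a field mapping; either document that mapping next to `service_creation:` or drop the sysmon document so the rule only claims the sources it can match.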
@@ -0,0 +1,28 @@ +title: 'Possible Zerologon (CVE-2020-1472) Exploitation' +id: dd7876d8-0f09-11eb-adc1-0242ac120002 +status: experimental +description: Detects Netlogon Elevation of Privilege Vulnerability aka Zerologon (CVE-2020-1472) +references: + - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472 + - https://www.logpoint.com/en/blog/detecting-zerologon-vulnerability-in-logpoint/ +author: 'Aleksandr Akhremchik, @aleqs4ndr, ocsd.community' +date: 2020/10/15 +tags: + - attack.t1068 + - attack.privilege_escalation +logsource: + product: windows + service: security +detection: + selection: + EventID: 4742 + SourceUserName: 'ANONYMOUS LOGON' + TargetUserName: '%DC-MACHINE-NAME%' # DC machine account name that ends with '$' + filter: + ChangedAttributes|contains: + - 'Password Last Set: -' + condition: selection and not filter +falsepositives: + - automatic DC computer account password change + - legitimate DC computer account password change +level: high diff --git a/rules/windows/builtin/win_protected_storage_service_access.yml b/rules/windows/builtin/win_protected_storage_service_access.yml index 263de756b..cd0a8900a 100644 --- a/rules/windows/builtin/win_protected_storage_service_access.yml +++ b/rules/windows/builtin/win_protected_storage_service_access.yml @@ -6,7 +6,7 @@ date: 2019/08/10 modified: 2020/08/23 author: Roberto Rodriguez @Cyb3rWard0g references: - - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/06_credential_access/T1003_credential_dumping/domain_dpapi_backupkey_extraction.md + - https://threathunterplaybook.com/notebooks/windows/06_credential_access/WIN-190620024610.html tags: - attack.lateral_movement - attack.t1021 # an old one @@ -22,4 +22,4 @@ detection: condition: selection falsepositives: - Unknown -level: critical \ No newline at end of file +level: critical 
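Review bot: `TargetUserName: '%DC-MACHINE-NAME%'` is a literal placeholder, so the rule as shipped matches nothing until an operator edits it, and only the trailing comment says so. Either make that explicit in `description` (and keep `status: experimental`), or match the shape instead of the name — `TargetUserName|endswith: '$'`, leaving domain-controller scoping to the log source — so the rule works out of the box. `author:` spells the community `ocsd.community`; the other rules in this commit use `oscd.community`.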
diff --git a/rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml b/rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml index 8d46f86a1..323fe260c 100644 --- a/rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml +++ b/rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml @@ -20,5 +20,5 @@ detection: LogonProcessName: 'User32LogonProcesss' condition: selection falsepositives: - - Unkown + - Unknown level: critical diff --git a/rules/windows/builtin/win_remote_powershell_session.yml b/rules/windows/builtin/win_remote_powershell_session.yml index 9723914b0..3de3b459a 100644 --- a/rules/windows/builtin/win_remote_powershell_session.yml +++ b/rules/windows/builtin/win_remote_powershell_session.yml @@ -1,11 +1,12 @@ -title: Remote PowerShell Sessions +title: Remote PowerShell Sessions Network Connections (WinRM) id: 13acf386-b8c6-4fe0-9a6e-c4756b974698 -description: Detects basic PowerShell Remoting by monitoring for network inbound connections to ports 5985 OR 5986 +description: Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986 status: experimental date: 2019/09/12 +modified: 2021/05/21 author: Roberto Rodriguez @Cyb3rWard0g references: - - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md + - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html tags: - attack.execution - attack.t1086 # an old one diff --git a/rules/windows/builtin/win_root_certificate_installed.yml b/rules/windows/builtin/win_root_certificate_installed.yml new file mode 100644 index 000000000..d0f67207f --- /dev/null +++ b/rules/windows/builtin/win_root_certificate_installed.yml 
@@ -0,0 +1,47 @@
+action: global
+title: Root Certificate Installed
+id: 42821614-9264-4761-acfc-5772c3286f76
+status: experimental
+description: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md
+author: 'oscd.community, @redcanary, Zach Stanford @svch0st'
+date: 2020/10/10
+tags:
+ - attack.defense_evasion
+ - attack.t1553.004
+level: medium
+falsepositives:
+ - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP
+detection:
+ condition: 1 of them
+---
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection1:
+ EventID: 4104
+ ScriptBlockText|contains|all:
+ - 'Move-Item'
+ - 'Cert:\LocalMachine\Root'
+ selection2:
+ EventID: 4104
+ ScriptBlockText|contains|all:
+ - 'Import-Certificate'
+ - 'Cert:\LocalMachine\Root'
+---
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ Image|endswith: '\certutil.exe' # Example: certutil -addstore -f -user ROOT CertificateFileName.der
+ CommandLine|contains|all:
+ - '-addstore'
+ - 'root'
+ selection2:
+ Image|endswith: '\CertMgr.exe' # Example: CertMgr.exe /add CertificateFileName.cer /s /r localMachine root /all
+ CommandLine|contains|all:
+ - '/add'
+ - 'root'
diff --git a/rules/windows/builtin/win_sam_registry_hive_handle_request.yml b/rules/windows/builtin/win_sam_registry_hive_handle_request.yml
index f5d90abbb..da2eac46f 100644
--- a/rules/windows/builtin/win_sam_registry_hive_handle_request.yml
+++ b/rules/windows/builtin/win_sam_registry_hive_handle_request.yml
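Review bot: The certutil selection requires the literal `'-addstore'`, but certutil accepts its switches with either `-` or `/` as far as I know, so the slash form would not fire; a separate `CommandLine|contains:` key with `- '-addstore'` and `- '/addstore'` next to the existing `'root'` requirement covers both. `'root'` on its own is a loose token (any path segment containing "root" satisfies it), so `' root'` or a comment stating that the looseness is deliberate would help. The `falsepositives` entry reads as a to-do ("Need to test if GPO push doesn't trigger FP"); that belongs in a `# TODO` comment or an issue rather than in the shipped field.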
@@ -6,7 +6,7 @@ date: 2019/08/12 modified: 2020/08/23 author: Roberto Rodriguez @Cyb3rWard0g references: - - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/07_discovery/T1012_query_registry/sam_registry_hive_access.md + - https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190725024610.html tags: - attack.discovery - attack.t1012 diff --git a/rules/windows/builtin/win_scheduled_task_deletion.yml b/rules/windows/builtin/win_scheduled_task_deletion.yml new file mode 100644 index 000000000..9150ab1a9 --- /dev/null +++ b/rules/windows/builtin/win_scheduled_task_deletion.yml @@ -0,0 +1,26 @@ +title: Scheduled Task Deletion +id: 4f86b304-3e02-40e3-aa5d-e88a167c9617 +description: Detects scheduled task deletion events. Scheduled tasks are likely to be deleted if not used for persistence. Malicious Software often creates tasks directly under the root node e.g. \TASKNAME +status: experimental +author: David Strassegger +date: 2021/01/22 +tags: + - attack.execution + - attack.privilege_escalation + - attack.t1053 # an old one + - car.2013-08-001 + - attack.t1053.005 +references: + - https://twitter.com/matthewdunwoody/status/1352356685982146562 + - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699 +logsource: + product: windows + service: security + definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.' +detection: + selection: + EventID: 4699 + condition: selection +falsepositives: + - Software installation +level: medium diff --git a/rules/windows/builtin/win_scm_database_handle_failure.yml b/rules/windows/builtin/win_scm_database_handle_failure.yml index 865cbc5b1..bf753fdca 100644 --- a/rules/windows/builtin/win_scm_database_handle_failure.yml +++ b/rules/windows/builtin/win_scm_database_handle_failure.yml 
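Review bot: `selection` is `EventID: 4699` alone, so every scheduled-task deletion on the host fires at `level: medium`, although the description singles out tasks created directly under the root node (`\TASKNAME`) as the suspicious shape. If the task-name field is mapped for this event, a `selection` that keys on it plus a `filter:` for the `\Microsoft\` tree and `condition: selection and not filter` would encode what the description says; otherwise the description should be narrowed to "all deletions" so the rule's scope and its text agree. The `definition` text already tells operators to extract `Command` from the embedded XML; it should say the same for whichever field the rule ends up keying on.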
@@ -5,7 +5,7 @@ status: experimental date: 2019/08/12 author: Roberto Rodriguez @Cyb3rWard0g references: - - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/07_discovery/T1000_local_admin_check/local_admin_remote_check_openscmanager.md + - https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190826010110.html tags: - attack.discovery logsource: @@ -17,8 +17,9 @@ detection: ObjectType: 'SC_MANAGER OBJECT' ObjectName: 'servicesactive' Keywords: "Audit Failure" + filter: SubjectLogonId: "0x3e4" - condition: selection + condition: selection and not filter falsepositives: - Unknown level: critical diff --git a/rules/windows/builtin/win_scm_database_privileged_operation.yml b/rules/windows/builtin/win_scm_database_privileged_operation.yml index 9c9df1cb1..9501875ab 100644 --- a/rules/windows/builtin/win_scm_database_privileged_operation.yml +++ b/rules/windows/builtin/win_scm_database_privileged_operation.yml @@ -5,7 +5,7 @@ status: experimental date: 2019/08/15 author: Roberto Rodriguez @Cyb3rWard0g references: - - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/07_discovery/T1000_local_admin_check/local_admin_remote_check_openscmanager.md + - https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190826010110.html logsource: product: windows service: security @@ -15,8 +15,9 @@ detection: ObjectType: 'SC_MANAGER OBJECT' ObjectName: 'servicesactive' PrivilegeList: 'SeTakeOwnershipPrivilege' + filter: SubjectLogonId: "0x3e4" - condition: selection + condition: selection and not filter falsepositives: - Unknown level: critical diff --git a/rules/windows/builtin/win_scrcons_remote_wmi_scripteventconsumer.yml b/rules/windows/builtin/win_scrcons_remote_wmi_scripteventconsumer.yml new file mode 100644 index 000000000..ea32b4b6a --- /dev/null +++ b/rules/windows/builtin/win_scrcons_remote_wmi_scripteventconsumer.yml 
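Review bot: The new `filter: SubjectLogonId: "0x3e4"` in `@@ -17,8` carries no explanation of what is excluded; `0x3e4` is the well-known logon id of the NETWORK SERVICE account, so `# 0x3e4 = NETWORK SERVICE logon session, excluded as a known-benign caller` on that line lets a reader check the exclusion without looking it up. The identical filter is added to win_scm_database_privileged_operation.yml in `@@ -15,8` and deserves the same comment. Since both rules keep `level: critical`, the comment is also the place to note that any other service-account session still alerts.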
@@ -0,0 +1,27 @@
+title: Remote WMI ActiveScriptEventConsumers
+id: 9599c180-e3a8-4743-8f92-7fb96d3be648
+description: Detect potential adversaries leveraging WMI ActiveScriptEventConsumers remotely to move laterally in a network
+status: experimental
+date: 2020/09/02
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.lateral_movement
+ - attack.privilege_escalation
+ - attack.persistence
+ - attack.t1546.003
+references:
+ - https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-200902020333.html
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: 4624
+ LogonType: 3
+ ProcessName|endswith: 'scrcons.exe'
+ filter:
+ TargetLogonId: '0x3e7'
+ condition: selection and not filter
+falsepositives:
+ - SCCM
+level: high
\ No newline at end of file
diff --git a/rules/windows/builtin/win_set_oabvirtualdirectory_externalurl.yml b/rules/windows/builtin/win_set_oabvirtualdirectory_externalurl.yml
new file mode 100644
index 000000000..a00956dad
--- /dev/null
+++ b/rules/windows/builtin/win_set_oabvirtualdirectory_externalurl.yml
@@ -0,0 +1,25 @@
+title: Set OabVirtualDirectory ExternalUrl Property
+id: 9db37458-4df2-46a5-95ab-307e7f29e675
+description: Rule to detect an adversary setting OabVirtualDirectory External URL property to a script
+author: Jose Rodriguez @Cyb3rPandaH
+status: experimental
+date: 2021/03/15
+references:
+ - https://twitter.com/OTR_Community/status/1371053369071132675
+tags:
+ - attack.persistence
+ - attack.t1505.003
+logsource:
+ product: windows
+ service: msexchange-management
+detection:
+ selection:
+ Message|contains|all:
+ - 'Set-OabVirtualDirectory'
+ - 'ExternalUrl'
+ - 'Page_Load'
+ - 'script'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/builtin/win_smb_file_creation_admin_shares.yml b/rules/windows/builtin/win_smb_file_creation_admin_shares.yml
new file mode 100644
index 000000000..ad5a06218
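Review bot: `filter: TargetLogonId: '0x3e7'` excludes the SYSTEM logon session without saying so; `# 0x3e7 = SYSTEM logon session` on that line keeps the exclusion reviewable, since it is the only narrowing applied beyond `LogonType: 3` and the `scrcons.exe` process name. The file is added without a trailing newline (`\ No newline at end of file`) while this commit fixes exactly that in win_protected_storage_service_access.yml; new files should land with it. `description: Detect potential adversaries …` should read `Detects …` to match the other rules.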
--- /dev/null
+++ b/rules/windows/builtin/win_smb_file_creation_admin_shares.yml
@@ -0,0 +1,26 @@
+title: SMB Create Remote File Admin Share
+id: b210394c-ba12-4f89-9117-44a2464b9511
+description: Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$).
+status: experimental
+date: 2020/08/06
+author: Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)
+tags:
+ - attack.lateral_movement
+ - attack.t1021.002
+references:
+ - https://github.com/OTRF/ThreatHunter-Playbook/blob/master/playbooks/WIN-201012004336.yaml
+ - https://mordordatasets.com/notebooks/small/windows/08_lateral_movement/SDWIN-200806015757.html?highlight=create%20file
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: 5145
+ ShareName|endswith: 'C$'
+ AccessMask: '0x2'
+ filter:
+ SubjectUserName|endswith: '$'
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
diff --git a/rules/windows/builtin/win_software_discovery.yml b/rules/windows/builtin/win_software_discovery.yml
new file mode 100644
index 000000000..d1c815ee1
--- /dev/null
+++ b/rules/windows/builtin/win_software_discovery.yml
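Review bot: `ShareName|endswith: 'C$'` is a suffix match, so any share whose name happens to end in `C$` (a `PUBLIC$` or `MUSIC$` share, for instance) also satisfies it, while the `ADMIN$` share that the title's "Admin Share" wording covers does not; `ShareName|endswith:` with the entries `'\C$'` and `'\ADMIN$'` matches the stated scope and the leading backslash pins the share name. `IPC$` is best left out because of its volume, and that choice is worth a comment. `description:` should read `e.g. C$` rather than `i.e C$`, and the file lacks the trailing newline that the commit adds elsewhere.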
@@ -0,0 +1,41 @@
+action: global
+title: Detected Windows Software Discovery
+id: 2650dd1a-eb2a-412d-ac36-83f06c4f2282
+description: Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable.
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/16
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md
+tags:
+ - attack.discovery
+ - attack.t1518
+level: medium
+falsepositives:
+ - Legitimate administration activities
+detection:
+ condition: 1 of them
+---
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection:
+ EventID: 4104
+ ScriptBlockText|contains|all: # Example: Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion, Publisher, InstallDate | Format-Table -Autosize
+ - 'get-itemProperty'
+ - '\software\'
+ - 'select-object'
+ - 'format-table'
+---
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\reg.exe' # Example: reg query "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer" /v svcVersion
+ CommandLine|contains|all:
+ - 'query'
+ - '\software\'
+ - '/v'
+ - 'svcversion'
diff --git a/rules/windows/builtin/win_susp_eventlog_cleared.yml b/rules/windows/builtin/win_susp_eventlog_cleared.yml
index 27c0f9238..1153dbc7e 100644
--- a/rules/windows/builtin/win_susp_eventlog_cleared.yml
+++ b/rules/windows/builtin/win_susp_eventlog_cleared.yml
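Review bot: Both selections are tuned to the exact example commands quoted in the comments: the script-block selection insists on `'select-object'` and `'format-table'`, and the reg.exe selection on `'svcversion'`, so a `Get-ItemProperty` over the Uninstall key piped anywhere else, or a `reg query` of any key other than the Internet Explorer version value, does not fire. Dropping `'format-table'` (and arguably `'select-object'`) from the first list and `'svcversion'` from the second would make the rule about software enumeration rather than about one test case; if the narrow form is deliberate to keep noise down, a comment next to `condition: 1 of them` saying so would stop the next maintainer from "fixing" it. The title `Detected Windows Software Discovery` also reads oddly next to the other rules' `Detects …` phrasing.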
@@ -14,12 +14,18 @@ tags: - car.2016-04-002 logsource: product: windows - service: system detection: - selection: + selection1: + service: security + EventID: + - 517 + - 1102 + selection2: + service: system EventID: 104 Source: Microsoft-Windows-Eventlog - condition: selection + condition: selection1 or selection2 falsepositives: - - Unknown -level: medium + - Rollout of log collection agents (the setup routine often includes a reset of the local Eventlog) + - System provisioning (system reset before the golden image creation) +level: high diff --git a/rules/windows/builtin/win_susp_failed_guest_logon.yml b/rules/windows/builtin/win_susp_failed_guest_logon.yml new file mode 100644 index 000000000..938be568e --- /dev/null +++ b/rules/windows/builtin/win_susp_failed_guest_logon.yml @@ -0,0 +1,26 @@ +title: Suspicious Rejected SMB Guest Logon From IP +id: 71886b70-d7b4-4dbf-acce-87d2ca135262 +description: +author: Florian Roth, KevTheHermit, fuzzyf10w +status: experimental +level: medium +references: + - https://twitter.com/KevTheHermit/status/1410203844064301056 + - https://github.com/hhlxf/PrintNightmare + - https://github.com/afwu/PrintNightmare +date: 2021/06/30 +logsource: + product: windows + service: smbclient-security +detection: + selection: + EventID: 31017 + Description|contains: 'Rejected an insecure guest logon' + UserName: '' + ServerName|startswith: '\1' + condition: selection +fields: + - Computer + - User +falsepositives: + - Account fallback reasons (after failed login with specific account) diff --git a/rules/windows/builtin/win_susp_failed_logons_explicit_credentials.yml b/rules/windows/builtin/win_susp_failed_logons_explicit_credentials.yml new file mode 100644 index 000000000..a64133d28 --- /dev/null +++ b/rules/windows/builtin/win_susp_failed_logons_explicit_credentials.yml 
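Review bot: `service: security` and `service: system` are placed inside `selection1`/`selection2`, but keys under `detection` are event fields, not logsource selectors, so a backend will emit a comparison on a field literally named `service`, which the events do not carry, and neither selection can match; the `logsource` block now lists only `product: windows`, which confirms the service has nowhere else to go. The rule needs the `action: global` layout this commit uses for win_powershell_script_installed_as_service.yml: a shared `condition: selection` and two `---` documents, each naming its service in `logsource` and defining its own `selection`. `action: global` has to go at the top of the file, which is outside the hunk.

```yaml
# … unchanged: title, id, description, references, tags (action: global added at file top) …
detection:
    condition: selection
# … unchanged: falsepositives, level …
---
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID:
            - 517
            - 1102
---
logsource:
    product: windows
    service: system
detection:
    selection:
        EventID: 104
        Source: Microsoft-Windows-Eventlog
```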
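Review bot: `description:` is left empty and there is no `tags:` block, so the rule ships without saying what a rejected insecure guest logon indicates or which technique it maps to; a one-line `description: Detects an SMB client rejecting an insecure guest logon from a server addressed by IP, as seen with the PrintNightmare tooling in the references` would also explain why those links are there. `ServerName|startswith: '\1'` only matches server names whose first character after the backslash is `1`, which covers addresses such as 10.x, 172.x and 192.x but not every IP-addressed server — if "starts with a digit rather than a hostname" is the intent, that needs a comment on the line, and `UserName: ''` (empty) deserves one too.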
@@ -0,0 +1,26 @@
+title: Multiple Users Attempting To Authenticate Using Explicit Credentials
+id: 196a29c2-e378-48d8-ba07-8a9e61f7fab9
+description: Detects a source user failing to authenticate with multiple users using explicit credentials on a host.
+author: Mauricio Velazco
+date: 2021/06/01
+references:
+ - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
+tags:
+ - attack.t1110.003
+ - attack.initial_access
+ - attack.privilege_escalation
+logsource:
+ product: windows
+ service: security
+detection:
+ selection1:
+ EventID: '4648'
+ timeframe: 24h
+ condition:
+ - selection1 | count(Account_Name) by ComputerName > 10
+falsepositives:
+ - Terminal servers
+ - Jump servers
+ - Other multiuser systems like Citrix server farms
+ - Workstations with frequently changing users
+level: medium
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_process.yml b/rules/windows/builtin/win_susp_failed_logons_single_process.yml
new file mode 100644
index 000000000..716bc8ae6
--- /dev/null
+++ b/rules/windows/builtin/win_susp_failed_logons_single_process.yml
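Review bot: `count(Account_Name) by ComputerName` uses the underscore-style field name `Account_Name`, and the sibling rules added in this commit do the same (`Logon_Type` and `Caller_Process_Name` in win_susp_failed_logons_single_process.yml, `Failure_Code`, `Result_Code` and `Client_Address` in the two kerberos rules), whereas the other Windows rules here key on the raw EventData names such as `SubjectUserName` and `TargetUserName`; the generic field mappings will not resolve these names, so the rules only work on a pipeline that has already renamed them. For 4648 in particular the event carries two account names, so `count(TargetUserName) by ComputerName` says which one is counted. Separately, 4648 records that a logon was *attempted* with explicit credentials, not that it failed, so the description's "failing to authenticate" overstates what the event shows; `EventID: '4648'` is also quoted where the rest of the rule set uses a bare integer.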
@@ -0,0 +1,29 @@ +title: Multiple Users Failing to Authenticate from Single Process +id: fe563ab6-ded4-4916-b49f-a3a8445fe280 +description: Detects failed logins with multiple accounts from a single process on the system. +author: Mauricio Velazco +date: 2021/06/01 +references: + - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying +tags: + - attack.t1110.003 + - attack.initial_access + - attack.privilege_escalation +logsource: + product: windows + service: security +detection: + selection1: + EventID: '4625' + Logon_Type: '2' + filter: + Caller_Process_Name: '-' + timeframe: 24h + condition: + - selection1 and not filter | count(Account_Name) by Caller_Process_Name > 10 +falsepositives: + - Terminal servers + - Jump servers + - Other multiuser systems like Citrix server farms + - Workstations with frequently changing users +level: medium diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source.yml b/rules/windows/builtin/win_susp_failed_logons_single_source.yml index d8727c314..dad0b88d8 100644 --- a/rules/windows/builtin/win_susp_failed_logons_single_source.yml +++ b/rules/windows/builtin/win_susp_failed_logons_single_source.yml @@ -30,4 +30,4 @@ falsepositives: - Jump servers - Other multiuser systems like Citrix server farms - Workstations with frequently changing users -level: medium +level: medium \ No newline at end of file diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml new file mode 100644 index 000000000..17114308a --- /dev/null +++ b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml 
@@ -0,0 +1,30 @@
+title: Valid Users Failing to Authenticate From Single Source Using Kerberos
+id: 5d1d946e-32e6-4d9a-a0dc-0ac022c7eb98
+description: Detects multiple failed logins with multiple valid domain accounts from a single source system using the Kerberos protocol.
+author: Mauricio Velazco
+date: 2021/06/01
+references:
+ - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
+tags:
+ - attack.t1110.003
+ - attack.initial_access
+ - attack.privilege_escalation
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: '4771'
+ Failure_Code: '0x18'
+ filter:
+ Account_Name: '*$'
+ timeframe: 24h
+ condition:
+ - selection and not filter | count(Account_Name) by Client_Address > 10
+falsepositives:
+ - Vulnerability scanners
+ - Missconfigured systems
+ - Remote administration tools
+ - VPN terminators
+ - Multiuser systems like Citrix server farms
+level: medium
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos2.yml b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos2.yml
new file mode 100644
index 000000000..7da50919a
--- /dev/null
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos2.yml
@@ -0,0 +1,30 @@
+title: Disabled Users Failing To Authenticate From Source Using Kerberos
+id: 4b6fe998-b69c-46d8-901b-13677c9fb663
+description: Detects failed logins with multiple disabled domain accounts from a single source system using the Kerberos protocol.
+author: Mauricio Velazco
+date: 2021/06/01
+references:
+ - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
+tags:
+ - attack.t1110.003
+ - attack.initial_access
+ - attack.privilege_escalation
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: '4768'
+ Result_Code: '0x12'
+ filter:
+ Account_Name: '*$'
+ timeframe: 24h
+ condition:
+ - selection and not filter | count(Account_Name) by Client_Address > 10
+falsepositives:
+ - Vulnerability scanners
+ - Missconfigured systems
+ - Remote administration tools
+ - VPN terminators
+ - Multiuser systems like Citrix server farms
+level: medium
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos3.yml b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos3.yml
new file mode 100644
index 000000000..514ec94fd
--- /dev/null
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos3.yml
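Review bot: `Result_Code: '0x12'` (KDC_ERR_CLIENT_REVOKED) is returned for locked-out and expired accounts as well as disabled ones, so the rule also counts accounts that a separate spray has just locked out, while the title and description say only "Disabled Users". I would widen the description rather than the match, e.g. `description: Detects failed logins with multiple disabled, locked-out or expired domain accounts from a single source system using the Kerberos protocol.`, since the lockout case is arguably the more interesting one. "Missconfigured" in falsepositives, here and in the two sibling Kerberos rules, should read "Misconfigured".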
@@ -0,0 +1,30 @@
+title: Invalid Users Failing To Authenticate From Source Using Kerberos
+id: bc93dfe6-8242-411e-a2dd-d16fa0cc8564
+description: Detects failed logins with multiple invalid domain accounts from a single source system using the Kerberos protocol.
+author: Mauricio Velazco
+date: 2021/06/01
+references:
+ - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
+tags:
+ - attack.t1110.003
+ - attack.initial_access
+ - attack.privilege_escalation
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: '4768'
+ Result_Code: '0x6'
+ filter:
+ Account_Name: '*$'
+ timeframe: 24h
+ condition:
+ - selection and not filter | count(Account_Name) by Client_Address > 10
+falsepositives:
+ - Vulnerability scanners
+ - Missconfigured systems
+ - Remote administration tools
+ - VPN terminators
+ - Multiuser systems like Citrix server farms
+level: medium
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm.yml b/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm.yml
new file mode 100644
index 000000000..b260bb585
--- /dev/null
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm.yml
@@ -0,0 +1,30 @@
+title: Valid Users Failing to Authenticate from Single Source Using NTLM
+id: f88bab7f-b1f4-41bb-bdb1-4b8af35b0470
+description: Detects failed logins with multiple valid domain accounts from a single source system using the NTLM protocol.
+author: Mauricio Velazco
+date: 2021/06/01
+references:
+ - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
+tags:
+ - attack.t1110.003
+ - attack.initial_access
+ - attack.privilege_escalation
+logsource:
+ product: windows
+ service: security
+detection:
+ selection1:
+ EventID: '4776'
+ action: 'failure'
+ Message: '*0xC000006A'
+ filter:
+ Logon_Account: '*$'
+ timeframe: 24h
+ condition:
+ - selection1 and not filter | count(Logon_Account) by Source_Workstation > 10
+falsepositives:
+ - Terminal servers
+ - Jump servers
+ - Other multiuser systems like Citrix server farms
+ - Workstations with frequently changing users
+level: medium
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm2.yml b/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm2.yml
new file mode 100644
index 000000000..ba48c1b97
--- /dev/null
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source_ntlm2.yml
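Review bot: `action: 'failure'` is not a field of the Windows 4776 event; this repo expresses the audit outcome through `Keywords: '0x8010000000000000'` (see win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml further down in this commit), so the selection will not match a raw Security log unless a backend field mapping supplies `action`. `Message: '*0xC000006A'` matches a leading wildcard against the rendered message, while this same commit converts such patterns to modifiers everywhere else; if I remember right the error code is also exposed as the `Status` field of 4776, which avoids parsing the message, otherwise `Message|endswith: '0xC000006A'` is the consistent form. Both points apply equally to the sibling rule win_susp_failed_logons_single_source_ntlm2.yml (`0xC0000064`).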
@@ -0,0 +1,30 @@
+title: Invalid Users Failing To Authenticate From Single Source Using NTLM
+id: 56d62ef8-3462-4890-9859-7b41e541f8d5
+description: Detects failed logins with multiple invalid domain accounts from a single source system using the NTLM protocol.
+author: Mauricio Velazco
+date: 2021/06/01
+references:
+ - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
+tags:
+ - attack.t1110.003
+ - attack.initial_access
+ - attack.privilege_escalation
+logsource:
+ product: windows
+ service: security
+detection:
+ selection1:
+ EventID: '4776'
+ action: 'failure'
+ Message: '*0xC0000064'
+ filter:
+ Logon_Account: '*$'
+ timeframe: 24h
+ condition:
+ - selection1 and not filter | count(Logon_Account) by Source_Workstation > 10
+falsepositives:
+ - Terminal servers
+ - Jump servers
+ - Other multiuser systems like Citrix server farms
+ - Workstations with frequently changing users
+level: medium
diff --git a/rules/windows/builtin/win_susp_failed_remote_logons_single_source.yml b/rules/windows/builtin/win_susp_failed_remote_logons_single_source.yml
new file mode 100644
index 000000000..1f574e942
--- /dev/null
+++ b/rules/windows/builtin/win_susp_failed_remote_logons_single_source.yml
@@ -0,0 +1,29 @@
+title: Multiple Users Remotely Failing To Authenticate From Single Source
+id: add2ef8d-dc91-4002-9e7e-f2702369f53a
+description: Detects a source system failing to authenticate against a remote host with multiple users.
+author: Mauricio Velazco
+references:
+ - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
+date: 2021/06/01
+tags:
+ - attack.t1110.003
+ - attack.initial_access
+ - attack.privilege_escalation
+logsource:
+ product: windows
+ service: security
+detection:
+ selection1:
+ EventID: '4625'
+ Logon_Type: '3'
+ filter:
+ Source_Network_Address: '-'
+ timeframe: 24h
+ condition:
+ - selection1 and not filter | count(Account_Name) by Source_Network_Address > 10
+falsepositives:
+ - Terminal servers
+ - Jump servers
+ - Other multiuser systems like Citrix server farms
+ - Workstations with frequently changing users
+level: medium
diff --git a/rules/windows/builtin/win_susp_local_anon_logon_created.yml b/rules/windows/builtin/win_susp_local_anon_logon_created.yml
index 2c8e93217..a5ebc9671 100644
--- a/rules/windows/builtin/win_susp_local_anon_logon_created.yml
+++ b/rules/windows/builtin/win_susp_local_anon_logon_created.yml
@@ -1,7 +1,7 @@
 title: Suspicious Windows ANONYMOUS LOGON Local Account Created
 id: 1bbf25b9-8038-4154-a50b-118f2a32be27
 status: experimental
-description: Detects the creation of suspicious accounts simliar to ANONYMOUS LOGON, such as using additional spaces. Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.
+description: Detects the creation of suspicious accounts similar to ANONYMOUS LOGON, such as using additional spaces. Created as an covering detection for exclusion of Logon Type 3 from ANONYMOUS LOGON accounts.
 references:
 - https://twitter.com/SBousseaden/status/1189469425482829824
 author: James Pemberton / @4A616D6573
@@ -18,7 +18,9 @@ logsource: detection: selection: EventID: 4720 - SAMAccountName: '*ANONYMOUS*LOGON*' + SAMAccountName|contains|all: + - 'ANONYMOUS' + - 'LOGON' condition: selection falsepositives: - Unknown diff --git a/rules/windows/builtin/win_susp_logon_explicit_credentials.yml b/rules/windows/builtin/win_susp_logon_explicit_credentials.yml new file mode 100644 index 000000000..142c6a7a7 --- /dev/null +++ b/rules/windows/builtin/win_susp_logon_explicit_credentials.yml @@ -0,0 +1,33 @@ +title: Suspicous Remote Logon with Explicit Credentials +id: 941e5c45-cda7-4864-8cea-bbb7458d194a +status: experimental +description: Detects suspicious processes logging on with explicit credentials +references: + - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view +author: 'oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st' +date: 2020/10/05 +tags: + - attack.t1078 + - attack.lateral_movement +logsource: + product: windows + service: security + definition: +detection: + selection: + EventID: 4648 + Image|endswith: + - '\cmd.exe' + - '\powershell.exe' + - '\pwsh.exe' + - '\winrs.exe' + - '\wmic.exe' + - '\net.exe' + - '\net1.exe' + - '\reg.exe' + filter: + Target_Server_Name: 'localhost' + condition: selection and not filter +falsepositives: + - Administrators that use the RunAS command or scheduled tasks +level: medium diff --git a/rules/windows/builtin/win_susp_lsass_dump.yml b/rules/windows/builtin/win_susp_lsass_dump.yml index a85cfa94e..fef8980b1 100644 --- a/rules/windows/builtin/win_susp_lsass_dump.yml +++ b/rules/windows/builtin/win_susp_lsass_dump.yml @@ -3,6 +3,7 @@ id: aa1697b7-d611-4f9a-9cb2-5125b4ccfd5c description: Detects process handle on LSASS process with certain access mask and object type SAM_DOMAIN status: experimental date: 2017/02/12 +modified: 2021/06/21 references: - https://twitter.com/jackcr/status/807385668833968128 tags: 
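Review bot: In the new win_susp_logon_explicit_credentials.yml, `Image|endswith:` is applied to a Security-log 4648 event, but the process path in Security-log events is carried in `ProcessName`, which is what the other Security-log rules touched by this commit use (`ProcessName|endswith: '\lsass.exe'` in win_susp_lsass_dump.yml, `ProcessName|endswith: '\WmiPrvSE.exe'` in win_susp_wmi_login.yml); as written the selection will not match unless a field mapping translates `Image`, so `ProcessName|endswith:` is the consistent field. `definition:` under `logsource` is left with an empty value and should either be removed or state the audit setting this rule depends on (Audit Logon). The title also has a typo, "Suspicous".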
@@ -15,10 +16,10 @@ logsource: detection: selection: EventID: 4656 - ProcessName: 'C:\Windows\System32\lsass.exe' + ProcessName|endswith: '\lsass.exe' AccessMask: '0x705' ObjectType: 'SAM_DOMAIN' condition: selection falsepositives: - - Unkown + - Unknown level: high diff --git a/rules/windows/builtin/win_susp_lsass_dump_generic.yml b/rules/windows/builtin/win_susp_lsass_dump_generic.yml index 849f04541..afe1ef752 100644 --- a/rules/windows/builtin/win_susp_lsass_dump_generic.yml +++ b/rules/windows/builtin/win_susp_lsass_dump_generic.yml @@ -4,7 +4,7 @@ description: Detects process handle on LSASS process with certain access mask status: experimental author: Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update) date: 2019/11/01 -modified: 2019/11/07 +modified: 2021/04/19 references: - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment @@ -40,7 +40,7 @@ detection: AccessList|contains: - '4484' - '4416' - filter: + filter1: ProcessName|endswith: - '\wmiprvse.exe' - '\taskmgr.exe' @@ -51,8 +51,18 @@ detection: - '\wininit.exe' - '\vmtoolsd.exe' - '\minionhost.exe' # Cyberreason - - '\VsTskMgr.exe' # McAfee Enterprise - condition: selection_1 or selection_2 and not filter + - '\VsTskMgr.exe' # McAfee Enterprise + - '\thor64.exe' # THOR + ProcessName|startswith: + - C:\Windows\System32\ + - C:\Windows\SysWow64\ + - C:\Windows\SysNative\ + - C:\Program Files\ + - C:\Windows\Temp\asgard2-agent\ + filter2: + ProcessName|startswith: + - 'C:\Program Files' # too many false positives with legitimate AV and EDR solutions + condition: selection_1 or selection_2 and not filter1 and not filter2 fields: - ComputerName - SubjectDomainName 
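Review bot: In the rewritten condition of win_susp_lsass_dump_generic.yml, `selection_1 or selection_2 and not filter1 and not filter2`, `and` binds tighter than `or` in Sigma, so both filters apply only to selection_2 and selection_1 is never filtered; if the exclusions are meant for both selections the line should read `condition: (selection_1 or selection_2) and not filter1 and not filter2`. The new `ProcessName|startswith` list is placed in the same map as `ProcessName|endswith`, which ANDs the two: filter1 now excludes the listed binaries only when they run from one of the listed prefixes (taskmgr.exe from any other path is no longer excluded), and its `C:\Program Files\` entry is already covered by filter2's `'C:\Program Files'`. If that narrowing is intended, a one-line comment on filter1 saying so would save the next reader the same question. The enclosing detection block starts above this hunk.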
diff --git a/rules/windows/builtin/win_susp_mshta_execution.yml b/rules/windows/builtin/win_susp_mshta_execution.yml index 83b26c58d..cac81fb5b 100644 --- a/rules/windows/builtin/win_susp_mshta_execution.yml +++ b/rules/windows/builtin/win_susp_mshta_execution.yml @@ -22,15 +22,15 @@ falsepositives: level: high detection: selection1: - Image: '*\mshta.exe' - CommandLine: - - '*vbscript*' - - '*.jpg*' - - '*.png*' - - '*.lnk*' - # - '*.chm*' # could be prone to false positives - - '*.xls*' - - '*.doc*' - - '*.zip*' + Image|endswith: '\mshta.exe' + CommandLine|contains: + - 'vbscript' + - '.jpg' + - '.png' + - '.lnk' + # - '.chm' # could be prone to false positives + - '.xls' + - '.doc' + - '.zip' condition: selection1 diff --git a/rules/windows/builtin/win_susp_msmpeng_crash.yml b/rules/windows/builtin/win_susp_msmpeng_crash.yml index a33b52842..15b527e73 100644 --- a/rules/windows/builtin/win_susp_msmpeng_crash.yml +++ b/rules/windows/builtin/win_susp_msmpeng_crash.yml @@ -23,10 +23,10 @@ detection: Source: 'Windows Error Reporting' EventID: 1001 keywords: - Message: - - '*MsMpEng.exe*' - - '*mpengine.dll*' - condition: 1 of selection* and all of keywords + Message|contains: + - 'MsMpEng.exe' + - 'mpengine.dll' + condition: 1 of selection* and keywords falsepositives: - MsMpEng.exe can crash when C:\ is full level: high diff --git a/rules/windows/builtin/win_susp_net_recon_activity.yml b/rules/windows/builtin/win_susp_net_recon_activity.yml index c6a7653af..3fa612999 100644 --- a/rules/windows/builtin/win_susp_net_recon_activity.yml +++ b/rules/windows/builtin/win_susp_net_recon_activity.yml 
@@ -4,7 +4,7 @@ status: experimental description: Detects activity as "net user administrator /domain" and "net group domain admins /domain" references: - https://findingbad.blogspot.de/2017/01/hunting-what-does-it-look-like.html -author: Florian Roth (rule), Jack Croock (method) +author: Florian Roth (rule), Jack Croock (method), Jonhnathan Ribeiro (improvements), oscd.community date: 2017/03/07 modified: 2020/08/23 tags: @@ -20,15 +20,17 @@ logsource: definition: The volume of Event ID 4661 is high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommendations for server systems detection: selection: - - EventID: 4661 - ObjectType: 'SAM_USER' - ObjectName: 'S-1-5-21-*-500' + EventID: 4661 + ObjectType: + - 'SAM_USER' + - 'SAM_GROUP' + ObjectName|startswith: 'S-1-5-21-' AccessMask: '0x2d' - - EventID: 4661 - ObjectType: 'SAM_GROUP' - ObjectName: 'S-1-5-21-*-512' - AccessMask: '0x2d' - condition: selection + selection2: + ObjectName|endswith: + - '-500' + - '-512' + condition: selection and selection2 falsepositives: - Administrator activity - Penetration tests diff --git a/rules/windows/builtin/win_susp_ntlm_auth.yml b/rules/windows/builtin/win_susp_ntlm_auth.yml index 81aa4bf6a..f9e9df5a2 100644 --- a/rules/windows/builtin/win_susp_ntlm_auth.yml +++ b/rules/windows/builtin/win_susp_ntlm_auth.yml @@ -14,7 +14,7 @@ tags: logsource: product: windows service: ntlm - definition: Reqiures events from Microsoft-Windows-NTLM/Operational + definition: Requires events from Microsoft-Windows-NTLM/Operational detection: selection: EventID: 8002 diff --git a/rules/windows/builtin/win_susp_ntlm_rdp.yml b/rules/windows/builtin/win_susp_ntlm_rdp.yml index bed9e568a..96e1d00a8 100644 --- a/rules/windows/builtin/win_susp_ntlm_rdp.yml +++ b/rules/windows/builtin/win_susp_ntlm_rdp.yml 
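Review bot: The detection in win_susp_net_recon_activity.yml was restructured (two exclusive selections collapsed into `selection and selection2`) but `modified: 2020/08/23` is left untouched, while the other rules restructured in this commit bump it (`modified: 2021/06/21` in win_susp_lsass_dump.yml). The new form also accepts SAM_USER objects ending in `-512` and SAM_GROUP objects ending in `-500`, which the old rule did not; harmless in practice since those RIDs are fixed to a user and a group respectively, but a short comment on `selection2` noting that would stop somebody from "fixing" it back.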
@@ -16,7 +16,7 @@ logsource: detection: selection: EventID: 8001 - TargetName: TERMSRV* + TargetName|startswith: TERMSRV condition: selection fields: - Computer diff --git a/rules/windows/builtin/win_susp_proceshacker.yml b/rules/windows/builtin/win_susp_proceshacker.yml new file mode 100644 index 000000000..e67638118 --- /dev/null +++ b/rules/windows/builtin/win_susp_proceshacker.yml @@ -0,0 +1,24 @@ +title: ProcessHacker Privilege Elevation +id: c4ff1eac-84ad-44dd-a6fb-d56a92fc43a9 +description: Detects a ProcessHacker tool that elevated privileges to a very high level +references: + - https://twitter.com/1kwpeter/status/1397816101455765504 +author: Florian Roth +date: 2021/05/27 +tags: + - attack.execution + - attack.privilege_escalation + - attack.t1543.003 + - attack.t1569.002 +logsource: + product: windows + service: system +detection: + selection: + EventID: 7045 + ServiceName|startswith: 'ProcessHacker' + AccountName: 'LocalSystem' + condition: selection +falsepositives: + - Unlikely +level: high diff --git a/rules/windows/builtin/win_susp_psexec.yml b/rules/windows/builtin/win_susp_psexec.yml index 84d8da0e7..f64f235f7 100644 --- a/rules/windows/builtin/win_susp_psexec.yml +++ b/rules/windows/builtin/win_susp_psexec.yml @@ -17,14 +17,14 @@ detection: selection1: EventID: 5145 ShareName: \\*\IPC$ - RelativeTargetName: - - '*-stdin' - - '*-stdout' - - '*-stderr' + RelativeTargetName|endswith: + - '-stdin' + - '-stdout' + - '-stderr' selection2: EventID: 5145 ShareName: \\*\IPC$ - RelativeTargetName: 'PSEXESVC*' + RelativeTargetName|startswith: 'PSEXESVC' condition: selection1 and not selection2 falsepositives: - nothing observed so far diff --git a/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml b/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml index 16114b2be..66caa1f78 100644 --- a/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml +++ b/rules/windows/builtin/win_susp_raccess_sensitive_fext.yml 
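Review bot: The new win_susp_proceshacker.yml keys only on the default `ServiceName|startswith: 'ProcessHacker'`, so the description should say that a service registered under another name is not covered; event 7045 also carries the service binary as `ImagePath`, and matching the driver file name there as a second selection would make the rule less dependent on the display name. Like the other rules added in this batch it has no `status:` field, which the existing rules in this directory carry, and `falsepositives: - Unlikely` could name the one obvious case, an administrator running Process Hacker deliberately.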
@@ -14,19 +14,19 @@ detection: selection: EventID: - 5145 - RelativeTargetName: - - '*.pst' - - '*.ost' - - '*.msg' - - '*.nst' - - '*.oab' - - '*.edb' - - '*.nsf' - - '*.bak' - - '*.dmp' - - '*.kirbi' - - '*\groups.xml' - - '*.rdp' + RelativeTargetName|endswith: + - '.pst' + - '.ost' + - '.msg' + - '.nst' + - '.oab' + - '.edb' + - '.nsf' + - '.bak' + - '.dmp' + - '.kirbi' + - '\groups.xml' + - '.rdp' condition: selection fields: - ComputerName diff --git a/rules/windows/builtin/win_susp_rc4_kerberos.yml b/rules/windows/builtin/win_susp_rc4_kerberos.yml index 41a25dc72..496ed1524 100644 --- a/rules/windows/builtin/win_susp_rc4_kerberos.yml +++ b/rules/windows/builtin/win_susp_rc4_kerberos.yml @@ -20,7 +20,7 @@ detection: TicketOptions: '0x40810000' TicketEncryptionType: '0x17' reduction: - - ServiceName: '$*' + - ServiceName|startswith: '$' condition: selection and not reduction falsepositives: - Service accounts used on legacy systems (e.g. NetApp) diff --git a/rules/windows/builtin/win_susp_sam_dump.yml b/rules/windows/builtin/win_susp_sam_dump.yml index 7c0894b6b..d014cb46e 100644 --- a/rules/windows/builtin/win_susp_sam_dump.yml +++ b/rules/windows/builtin/win_susp_sam_dump.yml @@ -15,8 +15,9 @@ logsource: detection: selection: EventID: 16 - Message: - - '*\AppData\Local\Temp\SAM-*.dmp *' + Message|contains|all: + - '\AppData\Local\Temp\SAM-' + - '.dmp' condition: selection falsepositives: - Penetration testing diff --git a/rules/windows/builtin/win_susp_sdelete.yml b/rules/windows/builtin/win_susp_sdelete.yml index 5bb8bd700..558a109e1 100644 --- a/rules/windows/builtin/win_susp_sdelete.yml +++ b/rules/windows/builtin/win_susp_sdelete.yml @@ -28,9 +28,9 @@ detection: - 4656 - 4663 - 4658 - ObjectName: - - '*.AAA' - - '*.ZZZ' + ObjectName|endswith: + - '.AAA' + - '.ZZZ' condition: selection falsepositives: - Legitime usage of SDelete 
diff --git a/rules/windows/builtin/win_susp_time_modification.yml b/rules/windows/builtin/win_susp_time_modification.yml index 5e7fd38a5..360e1a872 100644 --- a/rules/windows/builtin/win_susp_time_modification.yml +++ b/rules/windows/builtin/win_susp_time_modification.yml @@ -6,8 +6,9 @@ author: '@neu5ron' references: - Private Cuckoo Sandbox (from many years ago, no longer have hash, NDA as well) - Live environment caused by malware + - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4616 date: 2019/02/05 -midified: 2020/01/27 +modified: 2020/01/27 tags: - attack.defense_evasion - attack.t1099 # an old one diff --git a/rules/windows/builtin/win_susp_wmi_login.yml b/rules/windows/builtin/win_susp_wmi_login.yml index e9627a54e..98835de02 100644 --- a/rules/windows/builtin/win_susp_wmi_login.yml +++ b/rules/windows/builtin/win_susp_wmi_login.yml @@ -13,7 +13,7 @@ logsource: detection: selection: EventID: 4624 - ProcessName: "*\\WmiPrvSE.exe" + ProcessName|endswith: '\WmiPrvSE.exe' condition: selection falsepositives: - Monitoring tools diff --git a/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml b/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml index c975f68f7..6b172fb38 100644 --- a/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml +++ b/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml @@ -3,7 +3,7 @@ id: eca91c7c-9214-47b9-b4c5-cb1d7e4f2350 status: experimental description: Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation. references: - - https://github.com/GhostPack/Rubeus8 + - https://github.com/GhostPack/Rubeus author: Ilyas Ochkov, oscd.community date: 2019/10/24 modified: 2019/11/13 
diff --git a/rules/windows/builtin/win_suspicious_werfault_connection_outbound.yml b/rules/windows/builtin/win_suspicious_werfault_connection_outbound.yml
new file mode 100644
index 000000000..ea907d4f1
--- /dev/null
+++ b/rules/windows/builtin/win_suspicious_werfault_connection_outbound.yml
@@ -0,0 +1,44 @@
+title: Suspicious Werfault.exe Network Connection Outbound
+id: e12c75f2-d09e-43f6-90e4-6a23842907af
+status: experimental
+description: Adversaries can migrate cobalt strike/metasploit/C2 beacons on compromised systems to legitimate werfault.exe process to avoid detection.
+references:
+ - https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/
+author: Sreeman
+date: 2021/03/09
+modified: 2021/06/11
+tags:
+ - attack.command_and_control
+ - attack.t1571
+logsource:
+ product: windows
+ category: network_connection
+detection:
+ selection:
+ Image: 'werfault.exe'
+ filter1:
+ ParentImage: 'svchost.exe'
+ filter2:
+ DestinationIp:
+ - '104.42.151.234'
+ - '104.43.193.48'
+ - '52.255.188.83'
+ - '13.64.90.137'
+ - '168.61.161.212'
+ - '13.88.21.125'
+ - '40.88.32.150'
+ - '52.147.198.201'
+ - '52.239.207.100'
+ - '52.176.224.96'
+ - '2607:7700:0:24:0:1:287e:1894'
+ - '10.*'
+ - '192.168.*'
+ - '127.*'
+ filter3:
+ DestinationHostname|contains:
+ - '*.windowsupdate.com'
+ - '*.microsoft.com'
+ condition: selection and not ( filter1 and filter2 and filter3 )
+falsepositives:
+ - Communication to other corporate systems that use IP addresses from public address spaces and Microsoft IP spaces
+level: medium
\ No newline at end of file
diff --git a/rules/windows/builtin/win_svcctl_remote_service.yml b/rules/windows/builtin/win_svcctl_remote_service.yml
index bd8939a65..be19e9ffb 100644
--- a/rules/windows/builtin/win_svcctl_remote_service.yml
+++ b/rules/windows/builtin/win_svcctl_remote_service.yml
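Review bot: `Image: 'werfault.exe'` and `ParentImage: 'svchost.exe'` are exact matches, but Sysmon's Image and ParentImage hold the full path, so neither the selection nor filter1 will ever match; this same commit rewrites the mshta rule to `Image|endswith: '\mshta.exe'`, and this rule needs `Image|endswith: '\werfault.exe'` and `ParentImage|endswith: '\svchost.exe'` in the same way. The condition `not ( filter1 and filter2 and filter3 )` suppresses an event only when all three filters hold at once, and DestinationHostname is often absent from network_connection events unless DNS enrichment is configured, so in practice the exclusion will rarely apply and nearly every werfault connection will fire; either `not (filter1 or filter2 or filter3)` or a comment explaining why all three are required together is needed. `DestinationHostname|contains: '*.windowsupdate.com'` also keeps a wildcard inside a contains modifier, which the rest of the commit strips.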
@@ -19,7 +19,7 @@ detection: EventID: 5145 ShareName: \\*\IPC$ RelativeTargetName: svcctl - Accesses: '*WriteData*' + Accesses|contains: 'WriteData' condition: selection falsepositives: - pentesting diff --git a/rules/windows/builtin/win_syskey_registry_access.yml b/rules/windows/builtin/win_syskey_registry_access.yml index ff56999a5..0c36525b1 100644 --- a/rules/windows/builtin/win_syskey_registry_access.yml +++ b/rules/windows/builtin/win_syskey_registry_access.yml @@ -6,7 +6,7 @@ date: 2019/08/12 modified: 2019/11/10 author: Roberto Rodriguez @Cyb3rWard0g references: - - https://github.com/hunters-forge/ThreatHunter-Playbook/blob/master/playbooks/windows/07_discovery/T1012_query_registry/syskey_registry_keys_access.md + - https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190625024610.html tags: - attack.discovery - attack.t1012 @@ -27,4 +27,4 @@ detection: condition: selection falsepositives: - Unknown -level: critical \ No newline at end of file +level: critical diff --git a/rules/windows/builtin/win_sysmon_channel_reference_deletion.yml b/rules/windows/builtin/win_sysmon_channel_reference_deletion.yml new file mode 100644 index 000000000..040fe5a60 --- /dev/null +++ b/rules/windows/builtin/win_sysmon_channel_reference_deletion.yml 
@@ -0,0 +1,35 @@
+title: Sysmon Channel Reference Deletion
+id: 18beca67-ab3e-4ee3-ba7a-a46ca8d7d0cc
+status: experimental
+description: Potential threat actor tampering with Sysmon manifest and eventually disabling it
+references:
+ - https://twitter.com/Flangvik/status/1283054508084473861
+ - https://twitter.com/SecurityJosh/status/1283027365770276866
+ - https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html
+ - https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/07/14
+tags:
+ - attack.defense_evasion
+ - attack.t1112
+logsource:
+ product: windows
+ service: security
+detection:
+ selection1:
+ EventID: 4657
+ ObjectName|contains:
+ - 'WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'
+ - 'WINEVT\Channels\Microsoft-Windows-Sysmon/Operational'
+ ObjectValueName: 'Enabled'
+ NewValue: '0'
+ selection2:
+ EventID: 4663
+ ObjectName|contains:
+ - 'WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'
+ - 'WINEVT\Channels\Microsoft-Windows-Sysmon/Operational'
+ AccessMask: 0x10000
+ condition: selection1 or selection2
+falsepositives:
+ - unknown
+level: critical
\ No newline at end of file
diff --git a/rules/windows/builtin/win_tap_driver_installation.yml b/rules/windows/builtin/win_tap_driver_installation.yml
index 42d05509b..a5baba352 100644
--- a/rules/windows/builtin/win_tap_driver_installation.yml
+++ b/rules/windows/builtin/win_tap_driver_installation.yml
@@ -12,9 +12,9 @@ falsepositives:
 - Legitimate OpenVPN TAP insntallation
 level: medium
 detection:
- selection_1:
+ selection:
 ImagePath|contains: 'tap0901'
- condition: selection and selection_1
+ condition: selection
 ---
 logsource:
 product: windows
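Review bot: `AccessMask: 0x10000` is an unquoted YAML scalar and parses as the integer 65536, whereas the event field is a hex string and the other rules in this directory quote it (`AccessMask: '0x705'` and `AccessMask: '0x2d'` elsewhere in this commit); it should be `AccessMask: '0x10000'` so the generated query compares the same representation. Events 4657 and 4663 only appear when a SACL is configured on those registry keys, so a `logsource.definition:` stating that requirement, as win_susp_net_recon_activity.yml does for 4661, would tell deployers why the rule may stay silent.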
@@ -25,14 +25,11 @@ detection: --- logsource: product: windows - service: sysmon + category: driver_load +--- +logsource: + product: windows + service: security detection: selection: - EventID: 6 ---- - logsource: - product: windows - service: security - detection: - selection: - EventID: 4697 + EventID: 4697 diff --git a/rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml b/rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml index aacc72a24..693ad831f 100644 --- a/rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml +++ b/rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml @@ -1,6 +1,6 @@ -title: Transfering Files with Credential Data via Network Shares +title: Transferring Files with Credential Data via Network Shares id: 910ab938-668b-401b-b08c-b596e80fdca5 -description: Transfering files with well-known filenames (sensitive files with credential data) using network shares +description: Transferring files with well-known filenames (sensitive files with credential data) using network shares author: Teymur Kheirkhabarov, oscd.community date: 2019/10/22 references: @@ -28,6 +28,6 @@ detection: - '\security' condition: selection falsepositives: - - Transfering sensitive files for legitimate administration work by legitimate administrator + - Transferring sensitive files for legitimate administration work by legitimate administrator level: medium status: experimental diff --git a/rules/windows/builtin/win_user_added_to_local_administrators.yml b/rules/windows/builtin/win_user_added_to_local_administrators.yml index 418b2bb86..0443447e9 100644 --- a/rules/windows/builtin/win_user_added_to_local_administrators.yml +++ b/rules/windows/builtin/win_user_added_to_local_administrators.yml 
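Review bot: After this change the `category: driver_load` document inherits the global `selection: ImagePath|contains: 'tap0901'`, but as far as I know Sysmon event 6 names the driver path `ImageLoaded` and security event 4697 names the service binary `ServiceFileName`, so only the 7045 document can actually match unless the backend maps `ImagePath` onto those fields. Giving each document its own selection (`ImageLoaded|contains: 'tap0901'` for driver_load, `ServiceFileName|contains: 'tap0901'` for the 4697 document) would make the rule fire on all three sources as the title implies. The enclosing multi-document rule starts in the hunk above.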
@@ -22,7 +22,7 @@ detection: selection_group2: GroupSid: 'S-1-5-32-544' filter: - SubjectUserName: '*$' + SubjectUserName|endswith: '$' condition: selection and (1 of selection_group*) and not filter falsepositives: - Legitimate administrative activity diff --git a/rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml b/rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml index 407f8361b..f8d3b458b 100644 --- a/rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml +++ b/rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml @@ -21,5 +21,5 @@ detection: Keywords: '0x8010000000000000' #failure condition: selection falsepositives: - - Unkown + - Unknown level: high diff --git a/rules/windows/builtin/win_user_driver_loaded.yml b/rules/windows/builtin/win_user_driver_loaded.yml index 5abc45e1f..7d1630089 100644 --- a/rules/windows/builtin/win_user_driver_loaded.yml +++ b/rules/windows/builtin/win_user_driver_loaded.yml 
@@ -20,19 +20,19 @@ detection: PrivilegeList: 'SeLoadDriverPrivilege' Service: '-' selection_2: - ProcessName|contains: - - '*\Windows\System32\Dism.exe' - - '*\Windows\System32\rundll32.exe' - - '*\Windows\System32\fltMC.exe' - - '*\Windows\HelpPane.exe' - - '*\Windows\System32\mmc.exe' - - '*\Windows\System32\svchost.exe' - - '*\Windows\System32\wimserv.exe' - - '*\procexp64.exe' - - '*\procexp.exe' - - '*\procmon64.exe' - - '*\procmon.exe' - - '*\Google\Chrome\Application\chrome.exe' + ProcessName|endswith: + - '\Windows\System32\Dism.exe' + - '\Windows\System32\rundll32.exe' + - '\Windows\System32\fltMC.exe' + - '\Windows\HelpPane.exe' + - '\Windows\System32\mmc.exe' + - '\Windows\System32\svchost.exe' + - '\Windows\System32\wimserv.exe' + - '\procexp64.exe' + - '\procexp.exe' + - '\procmon64.exe' + - '\procmon.exe' + - '\Google\Chrome\Application\chrome.exe' condition: selection_1 and not selection_2 falsepositives: - 'Other legimate tools loading drivers. There are some: Sysinternals, CPU-Z, AVs etc. - but not much. You have to baseline this according to your used products and allowed tools. Also try to exclude users, which are allowed to load drivers.' diff --git a/rules/windows/builtin/win_volume_shadow_copy_mount.yml b/rules/windows/builtin/win_volume_shadow_copy_mount.yml new file mode 100644 index 000000000..c7400389a --- /dev/null +++ b/rules/windows/builtin/win_volume_shadow_copy_mount.yml 
@@ -0,0 +1,23 @@
+title: Volume Shadow Copy Mount
+id: f512acbf-e662-4903-843e-97ce4652b740
+description: Detects volume shadow copy mount
+status: experimental
+date: 2020/10/20
+author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
+tags:
+ - attack.credential_access
+ - attack.t1003.002
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy
+logsource:
+ product: windows
+ service: system
+detection:
+ selection:
+ Source: Microsoft-Windows-Ntfs
+ EventID: 98
+ DeviceName|contains: HarddiskVolumeShadowCopy
+ condition: selection
+falsepositives:
+ - Legitimate use of volume shadow copy mounts (backups maybe).
+level: medium
\ No newline at end of file
diff --git a/rules/windows/builtin/win_vssaudit_secevent_source_registration.yml b/rules/windows/builtin/win_vssaudit_secevent_source_registration.yml
new file mode 100644
index 000000000..9216aad0a
--- /dev/null
+++ b/rules/windows/builtin/win_vssaudit_secevent_source_registration.yml
@@ -0,0 +1,25 @@
+title: VSSAudit Security Event Source Registration
+id: e9faba72-4974-4ab2-a4c5-46e25ad59e9b
+description: Detects the registration of the security event source VSSAudit. It would usually trigger when volume shadow copy operations happen.
+status: experimental
+date: 2020/10/20
+author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
+tags:
+ - attack.credential_access
+ - attack.t1003.002
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy
+logsource:
+ product: windows
+ service: security
+detection:
+ selection_one:
+ EventID: 4904
+ AuditSourceName: VSSAudit
+ selection_two:
+ EventID: 4905
+ AuditSourceName: VSSAudit
+ condition: selection_one or selection_two
+falsepositives:
+ - Legitimate use of VSSVC. Maybe backup operations. It would usually be done by C:\Windows\System32\VSSVC.exe.
+level: medium
\ No newline at end of file
diff --git a/rules/windows/builtin/win_vul_cve_2020_0688.yml b/rules/windows/builtin/win_vul_cve_2020_0688.yml
index 38b8e95e6..51a0902c7 100644
--- a/rules/windows/builtin/win_vul_cve_2020_0688.yml
+++ b/rules/windows/builtin/win_vul_cve_2020_0688.yml
@@ -4,8 +4,10 @@ status: experimental
 description: Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688
 references:
 - https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/
-author: Florian Roth
+ - https://cyberpolygon.com/materials/okhota-na-ataki-ms-exchange-chast-2-cve-2020-0688-cve-2020-16875-cve-2021-24085/
+author: Florian Roth, wagga
 date: 2020/02/29
+modified: 2021/06/27
 tags:
 - attack.initial_access
 - attack.t1190
@@ -18,7 +20,8 @@ detection:
 Source: MSExchange Control Panel
 Level: Error
 selection2:
- - '*&__VIEWSTATE=*'
+ Message|contains:
+ - '&__VIEWSTATE='
 condition: selection1 and selection2
 falsepositives:
 - Unknown
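Review bot: `selection_one` and `selection_two` in the new VSSAudit rule differ only in the EventID, so the two maps and the `or` condition can be collapsed into a single `selection` with `EventID: [4904, 4905]` and `AuditSourceName: VSSAudit`, with `condition: selection`; that is shorter and reads as one event pair rather than two separate detections. In the win_vul_cve_2020_0688.yml hunk the former unbound keyword `'*&__VIEWSTATE=*'` is now bound to `Message|contains`; whether the Application-log text is exposed under a field called `Message` depends on the backend field mapping, so that rename is worth confirming against the targets this rule is converted for before it is merged.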
diff --git a/rules/windows/builtin/win_wmiprvse_wbemcomn_dll_hijack.yml b/rules/windows/builtin/win_wmiprvse_wbemcomn_dll_hijack.yml
new file mode 100644
index 000000000..83bf381a1
--- /dev/null
+++ b/rules/windows/builtin/win_wmiprvse_wbemcomn_dll_hijack.yml
@@ -0,0 +1,26 @@
+title: T1047 Wmiprvse Wbemcomn DLL Hijack
+id: f6c68d5f-e101-4b86-8c84-7d96851fd65c
+description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network for a WMI DLL Hijack scenario.
+status: experimental
+date: 2020/10/12
+author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
+tags:
+ - attack.execution
+ - attack.t1047
+ - attack.lateral_movement
+ - attack.t1021.002
+references:
+ - https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: 5145
+ RelativeTargetName|endswith: '\wbem\wbemcomn.dll'
+ filter:
+ SubjectUserName|endswith: '$'
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: critical
\ No newline at end of file
diff --git a/rules/windows/sysmon/sysmon_cactustorch.yml b/rules/windows/create_remote_thread/sysmon_cactustorch.yml
similarity index 74%
rename from rules/windows/sysmon/sysmon_cactustorch.yml
rename to rules/windows/create_remote_thread/sysmon_cactustorch.yml
index 9b8b5ec95..1bd0ff71f 100644
--- a/rules/windows/sysmon/sysmon_cactustorch.yml
+++ b/rules/windows/create_remote_thread/sysmon_cactustorch.yml
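Review bot: The `filter` on `SubjectUserName|endswith: '$'` suppresses every share write made under a computer account, but nothing in the rule says why, and at `level: critical` an analyst tuning it should not have to guess; a comment on the filter such as `# computer accounts ($) are excluded, presumably as routine noise — review this exclusion where machine-account SMB writes into System32\wbem are not expected` makes the trade-off visible. The `T1047` prefix in the title duplicates the `attack.t1047` tag and no other title in this patch carries a technique ID, so `title: Wmiprvse Wbemcomn DLL Hijack` would be consistent.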
@@ -10,17 +10,17 @@ date: 2019/02/01
 modified: 2020/08/28
 logsource:
 product: windows
- service: sysmon
+ category: create_remote_thread
 detection:
 selection:
 EventID: 8
- SourceImage:
- - '*\System32\cscript.exe'
- - '*\System32\wscript.exe'
- - '*\System32\mshta.exe'
- - '*\winword.exe'
- - '*\excel.exe'
- TargetImage: '*\SysWOW64\\*'
+ SourceImage|endswith:
+ - '\System32\cscript.exe'
+ - '\System32\wscript.exe'
+ - '\System32\mshta.exe'
+ - '\winword.exe'
+ - '\excel.exe'
+ TargetImage|contains: '\SysWOW64\'
 StartModule: null
 condition: selection
 tags:
diff --git a/rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml b/rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml
similarity index 95%
rename from rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml
rename to rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml
index e2b972247..fb0e4c916 100644
--- a/rules/windows/sysmon/sysmon_cobaltstrike_process_injection.yml
+++ b/rules/windows/create_remote_thread/sysmon_cobaltstrike_process_injection.yml
@@ -14,10 +14,9 @@ date: 2018/11/30
 modified: 2020/08/28
 logsource:
 product: windows
- service: sysmon
+ category: create_remote_thread
 detection:
 selection:
- EventID: 8
 TargetProcessAddress|endswith:
 - '0B80'
 - '0C7C'
diff --git a/rules/windows/sysmon/sysmon_createremotethread_loadlibrary.yml b/rules/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml
similarity index 74%
rename from rules/windows/sysmon/sysmon_createremotethread_loadlibrary.yml
rename to rules/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml
index bf831b326..30b3da1b2 100644
--- a/rules/windows/sysmon/sysmon_createremotethread_loadlibrary.yml
+++ b/rules/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml
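Review bot: `EventID: 8` is kept as a context line in the sysmon_cactustorch.yml hunk although the logsource now reads `category: create_remote_thread`, whereas the sysmon_cobaltstrike_process_injection.yml hunk on this line and the sysmon_createremotethread_loadlibrary.yml hunk that follows drop the EventID when they make the same switch; sysmon_susp_powershell_rundll32.yml (`EventID: 8`) and the new dns_mega_nz.yml (`EventID: 22` under `category: dns_query`) carry the same leftover. The category is what binds the event type through the logsource mapping, and a hard-coded Sysmon EventID keeps the rule from applying to any other source mapped to that category. Drop the `EventID: 8` line here and the corresponding lines in the other two rules.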
@@ -6,17 +6,16 @@ date: 2019/08/11
 modified: 2020/08/28
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
- - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1055_process_injection/dll_injection_createremotethread_loadlibrary.md
+ - https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-180719170510.html
 tags:
 - attack.defense_evasion
 - attack.t1055 # an old one
 - attack.t1055.001
 logsource:
 product: windows
- service: sysmon
+ category: create_remote_thread
 detection:
 selection:
- EventID: 8
 StartModule|endswith: '\kernel32.dll'
 StartFunction: 'LoadLibraryA'
 condition: selection
diff --git a/rules/windows/sysmon/sysmon_password_dumper_lsass.yml b/rules/windows/create_remote_thread/sysmon_password_dumper_lsass.yml
similarity index 85%
rename from rules/windows/sysmon/sysmon_password_dumper_lsass.yml
rename to rules/windows/create_remote_thread/sysmon_password_dumper_lsass.yml
index a8d8db9b7..fbdb2e081 100644
--- a/rules/windows/sysmon/sysmon_password_dumper_lsass.yml
+++ b/rules/windows/create_remote_thread/sysmon_password_dumper_lsass.yml
@@ -6,13 +6,13 @@ references:
 status: stable
 author: Thomas Patzke
 date: 2017/02/19
+modified: 2021/06/21
 logsource:
 product: windows
- service: sysmon
+ category: create_remote_thread
 detection:
 selection:
- EventID: 8
- TargetImage: 'C:\Windows\System32\lsass.exe'
+ TargetImage|endswith: '\lsass.exe'
 StartModule: ''
 condition: selection
 tags:
@@ -21,5 +21,5 @@ tags:
 - attack.s0005
 - attack.t1003.001
 falsepositives:
- - unknown
+ - Antivirus products
 level: high
diff --git a/rules/windows/sysmon/sysmon_susp_powershell_rundll32.yml b/rules/windows/create_remote_thread/sysmon_susp_powershell_rundll32.yml
similarity index 82%
rename from rules/windows/sysmon/sysmon_susp_powershell_rundll32.yml
rename to rules/windows/create_remote_thread/sysmon_susp_powershell_rundll32.yml
index 652da06fa..d1262e1f7 100644
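Review bot: The sysmon_createremotethread_loadlibrary.yml hunk changes the reference and the detection block but leaves `modified: 2020/08/28` untouched as context, and the sysmon_cactustorch.yml hunk above does the same; the sysmon_password_dumper_lsass.yml hunk on this line bumps `modified:` to `2021/06/21` for a comparable edit. Bump the date in the two renamed rules too so consumers can see that the detection changed. In the lsass rule, `TargetImage|endswith: '\lsass.exe'` now matches an lsass.exe in any directory rather than only the System32 copy; if that widening is intended for a `status: stable` rule, a short comment saying so would stop the next reader from "fixing" it back.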
--- a/rules/windows/sysmon/sysmon_susp_powershell_rundll32.yml
+++ b/rules/windows/create_remote_thread/sysmon_susp_powershell_rundll32.yml
@@ -8,12 +8,12 @@ references:
 date: 2018/06/25
 logsource:
 product: windows
- service: sysmon
+ category: create_remote_thread
 detection:
 selection:
 EventID: 8
- SourceImage: '*\powershell.exe'
- TargetImage: '*\rundll32.exe'
+ SourceImage|endswith: '\powershell.exe'
+ TargetImage|endswith: '\rundll32.exe'
 condition: selection
 tags:
 - attack.defense_evasion
@@ -23,5 +23,5 @@ tags:
 - attack.t1086 # an old one
 - attack.t1059.001
 falsepositives:
- - Unkown
+ - Unknown
 level: high
diff --git a/rules/windows/sysmon/sysmon_suspicious_remote_thread.yml b/rules/windows/create_remote_thread/sysmon_suspicious_remote_thread.yml
similarity index 96%
rename from rules/windows/sysmon/sysmon_suspicious_remote_thread.yml
rename to rules/windows/create_remote_thread/sysmon_suspicious_remote_thread.yml
index fe2dee61a..e8bf963f8 100644
--- a/rules/windows/sysmon/sysmon_suspicious_remote_thread.yml
+++ b/rules/windows/create_remote_thread/sysmon_suspicious_remote_thread.yml
@@ -7,21 +7,20 @@ notes:
 - MonitoringHost.exe is a process that loads .NET CLR by default and thus a favorite for process injection for .NET in-memory offensive tools.
 status: experimental
 date: 2019/10/27
-modified: 2020/08/28
+modified: 2021/06/27
 author: Perez Diego (@darkquassar), oscd.community
 references:
 - Personal research, statistical analysis
 - https://lolbas-project.github.io
 logsource:
 product: windows
- service: sysmon
+ category: create_remote_thread
 tags:
 - attack.privilege_escalation
 - attack.defense_evasion
 - attack.t1055
 detection:
 selection:
- EventID: 8
 SourceImage|endswith:
 - '\bash.exe'
 - '\cvtres.exe'
@@ -65,7 +64,7 @@ detection:
 - '\userinit.exe'
 - '\vssadmin.exe'
 - '\vssvc.exe'
- - '\w3wp.exe*'
+ - '\w3wp.exe'
 - '\winlogon.exe'
 - '\winscp.exe'
 - '\wmic.exe'
diff --git a/rules/windows/sysmon/sysmon_ads_executable.yml b/rules/windows/create_stream_hash/sysmon_ads_executable.yml
similarity index 88%
rename from rules/windows/sysmon/sysmon_ads_executable.yml
rename to rules/windows/create_stream_hash/sysmon_ads_executable.yml
index 7eaed87c7..5a0995305 100644
--- a/rules/windows/sysmon/sysmon_ads_executable.yml
+++ b/rules/windows/create_stream_hash/sysmon_ads_executable.yml
@@ -14,16 +14,14 @@ date: 2018/06/03
 modified: 2020/08/26
 logsource:
 product: windows
- service: sysmon
+ category: create_stream_hash
 definition: 'Requirements: Sysmon config with Imphash logging activated'
 detection:
- selection:
- EventID: 15
 filter1:
 Imphash: '00000000000000000000000000000000'
 filter2:
 Imphash: null
- condition: selection and not 1 of filter*
+ condition: not 1 of filter*
 fields:
 - TargetFilename
 - Image
diff --git a/rules/windows/create_stream_hash/sysmon_regedit_export_to_ads.yml b/rules/windows/create_stream_hash/sysmon_regedit_export_to_ads.yml
new file mode 100644
index 000000000..34652dad4
--- /dev/null
+++ b/rules/windows/create_stream_hash/sysmon_regedit_export_to_ads.yml
@@ -0,0 +1,24 @@
+title: Exports Registry Key To an Alternate Data Stream
+id: 0d7a9363-af70-4e7b-a3b7-1a176b7fbe84
+status: experimental
+description: Exports the target Registry key and hides it in the specified alternate data stream.
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regedit.yml
+ - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+tags:
+ - attack.defense_evasion
+ - attack.t1564.004
+author: Oddvar Moe, Sander Wiebing, oscd.community
+date: 2020/10/07
+logsource:
+ product: windows
+ category: create_stream_hash
+detection:
+ selection:
+ Image|endswith: '\regedit.exe'
+ condition: selection
+fields:
+ - TargetFilename
+falsepositives:
+ - Unknown
+level: high
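Review bot: After `selection` is removed, the condition `not 1 of filter*` has no positive term; it is valid Sigma, but it now means "every create_stream_hash event whose Imphash is neither all zeros nor absent", and that intent is no longer visible in the rule itself. A comment above the condition, `# matches every create_stream_hash event carrying a real Imphash, i.e. an executable written to an alternate data stream`, restores what the removed selection used to say; the `definition:` line already covers the Imphash logging requirement. Since not every backend is guaranteed to accept a negation-only condition, it is worth checking the conversion for this rule in CI rather than assuming it.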
diff --git a/rules/windows/deprecated/sysmon_mimikatz_detection_lsass.yml b/rules/windows/deprecated/sysmon_mimikatz_detection_lsass.yml
index 55062f2fb..d94967e95 100644
--- a/rules/windows/deprecated/sysmon_mimikatz_detection_lsass.yml
+++ b/rules/windows/deprecated/sysmon_mimikatz_detection_lsass.yml
@@ -13,13 +13,13 @@ tags:
 - car.2019-04-004
 author: Sherif Eldeeb
 date: 2017/10/18
+modified: 2021/06/21
 logsource:
 product: windows
- service: sysmon
+ category: process_access
 detection:
 selection:
- EventID: 10
- TargetImage: 'C:\windows\system32\lsass.exe'
+ TargetImage|endswith: '\lsass.exe'
 GrantedAccess:
 - '0x1410'
 - '0x1010'
diff --git a/rules/windows/dns_query/dns_mega_nz.yml b/rules/windows/dns_query/dns_mega_nz.yml
new file mode 100644
index 000000000..dee549f28
--- /dev/null
+++ b/rules/windows/dns_query/dns_mega_nz.yml
@@ -0,0 +1,22 @@
+title: DNS Query for MEGA.io Upload Domain
+id: 613c03ba-0779-4a53-8a1f-47f914a4ded3
+description: Detects DNS queries for subdomains used for upload to MEGA.io
+status: experimental
+date: 2021/05/26
+author: Aaron Greetham (@beardofbinary) - NCC Group
+references:
+ - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
+tags:
+ - attack.exfiltration
+ - attack.t1567.002
+falsepositives:
+ - Legitimate Mega upload
+level: high
+logsource:
+ product: windows
+ category: dns_query
+detection:
+ dns_request:
+ EventID: 22
+ QueryName|contains: userstorage.mega.co.nz
+ condition: dns_request
\ No newline at end of file
diff --git a/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml b/rules/windows/dns_query/sysmon_possible_dns_rebinding.yml
similarity index 97%
rename from rules/windows/sysmon/sysmon_possible_dns_rebinding.yml
rename to rules/windows/dns_query/sysmon_possible_dns_rebinding.yml
index 5284ec125..bf301a32a 100644
--- a/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml
+++ b/rules/windows/dns_query/sysmon_possible_dns_rebinding.yml
@@ -12,10 +12,9 @@ tags:
 - attack.t1189
 logsource:
 product: windows
- service: sysmon
+ category: dns_query
 detection:
 dns_answer:
- EventID: 22
 QueryName: '*'
 QueryStatus: '0'
 filter_int_ip:
diff --git a/rules/windows/driver_load/sysmon_susp_driver_load.yml b/rules/windows/driver_load/sysmon_susp_driver_load.yml
index 009665b75..083b9f7f5 100755
--- a/rules/windows/driver_load/sysmon_susp_driver_load.yml
+++ b/rules/windows/driver_load/sysmon_susp_driver_load.yml
@@ -13,9 +13,9 @@ logsource:
 category: driver_load
 product: windows
 detection:
- selection:
- ImageLoaded: '*\Temp\\*'
+ selection:
+ ImageLoaded|contains: '\Temp\'
 condition: selection
 falsepositives:
 - there is a relevant set of false positives depending on applications in the environment
-level: medium
+level: high
diff --git a/rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml b/rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml
new file mode 100644
index 000000000..39517aa8b
--- /dev/null
+++ b/rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml
@@ -0,0 +1,30 @@
+title: Vulnerable Dell BIOS Update Driver Load
+id: 21b23707-60d6-41bb-96e3-0f0481b0fed9
+description: Detects the load of the vulnerable Dell BIOS update driver as reported in CVE-2021-21551
+author: Florian Roth
+date: 2021/05/05
+references:
+ - https://labs.sentinelone.com/cve-2021-21551-hundreds-of-millions-of-dell-computers-at-risk-due-to-multiple-bios-driver-privilege-escalation-flaws/
+logsource:
+ category: driver_load
+ product: windows
+tags:
+ - cve.2021-21551
+detection:
+ selection_image:
+ ImageLoaded|contains: '\DBUtil_2_3.Sys'
+ selection_hash:
+ Hashes|contains:
+ - '0296e2ce999e67c76352613a718e11516fe1b0efc3ffdb8918fc999dd76a73a5'
+ - 'c948ae14761095e4d76b55d9de86412258be7afd'
+ - 'c996d7971c49252c582171d9380360f2'
+ - 'ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1'
+ - '10b30bdee43b3a2ec4aa63375577ade650269d25'
+ - 'd2fd132ab7bbc6bbb87a84f026fa0244'
+
+
+
+ condition: selection_image or selection_hash
+falsepositives:
+ - legitimate BIOS driver updates (should be rare)
+level: high
diff --git a/rules/windows/file_delete/sysmon_sysinternals_sdelete_file_deletion.yml b/rules/windows/file_delete/sysmon_sysinternals_sdelete_file_deletion.yml
new file mode 100644
index 000000000..f376c51db
--- /dev/null
+++ b/rules/windows/file_delete/sysmon_sysinternals_sdelete_file_deletion.yml
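Review bot: Three empty `+` lines sit between the last hash and `condition: selection_image or selection_hash`; they are harmless YAML but no other rule in this patch has blank lines inside `detection:`, so remove them. The rule also has no `status:` field while every other new rule here carries `status: experimental`; add `status: experimental` after `author:`. `ImageLoaded|contains: '\DBUtil_2_3.Sys'` would also match a path in which that name is a directory component; `ImageLoaded|endswith: '\DBUtil_2_3.Sys'` is the tighter form the other image tests in this patch use.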
@@ -0,0 +1,24 @@
+title: Sysinternals SDelete File Deletion
+id: 6ddab845-b1b8-49c2-bbf7-1a11967f64bc
+description: A General detection to trigger for the deletion of files by Sysinternals SDelete. It looks for the common name pattern used to rename files.
+status: experimental
+date: 2020/05/02
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.defense_evasion
+ - attack.t1070.004
+references:
+ - https://github.com/OTRF/detection-hackathon-apt29/issues/9
+ - https://threathunterplaybook.com/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.html
+logsource:
+ product: windows
+ category: file_delete
+detection:
+ selection:
+ TargetFilename|endswith:
+ - '.AAA'
+ - '.ZZZ'
+ condition: selection
+falsepositives:
+ - Legitime usage of SDelete
+level: medium
\ No newline at end of file
diff --git a/rules/windows/file_event/sysmon_creation_system_file.yml b/rules/windows/file_event/sysmon_creation_system_file.yml
index bd723e0e8..7406f4e73 100755
--- a/rules/windows/file_event/sysmon_creation_system_file.yml
+++ b/rules/windows/file_event/sysmon_creation_system_file.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects the creation of a executable with a system process name in a suspicious folder
 author: Sander Wiebing
 date: 2020/05/26
-modified: 2020/08/23
+modified: 2021/05/16
 tags:
 - attack.defense_evasion
 - attack.t1036 # an old one
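Review bot: `Legitime usage of SDelete` in falsepositives should read `Legitimate usage of SDelete`. The selection fires on any deleted file whose name ends in `.AAA` or `.ZZZ`, and the description only says it is "the common name pattern used to rename files"; a comment on the selection, `# SDelete renames the target through .AAA … .ZZZ before deleting it (see references)`, tells an analyst why those two extensions are the signal without a trip to the playbook link.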
@@ -14,40 +14,42 @@ logsource:
 product: windows
 detection:
 selection:
- TargetFilename:
- - '*\svchost.exe'
- - '*\rundll32.exe'
- - '*\services.exe'
- - '*\powershell.exe'
- - '*\regsvr32.exe'
- - '*\spoolsv.exe'
- - '*\lsass.exe'
- - '*\smss.exe'
- - '*\csrss.exe'
- - '*\conhost.exe'
- - '*\wininit.exe'
- - '*\lsm.exe'
- - '*\winlogon.exe'
- - '*\explorer.exe'
- - '*\taskhost.exe'
- - '*\Taskmgr.exe'
- - '*\taskmgr.exe'
- - '*\sihost.exe'
- - '*\RuntimeBroker.exe'
- - '*\runtimebroker.exe'
- - '*\smartscreen.exe'
- - '*\dllhost.exe'
- - '*\audiodg.exe'
- - '*\wlanext.exe'
+ TargetFilename|endswith:
+ - '\svchost.exe'
+ - '\rundll32.exe'
+ - '\services.exe'
+ - '\powershell.exe'
+ - '\regsvr32.exe'
+ - '\spoolsv.exe'
+ - '\lsass.exe'
+ - '\smss.exe'
+ - '\csrss.exe'
+ - '\conhost.exe'
+ - '\wininit.exe'
+ - '\lsm.exe'
+ - '\winlogon.exe'
+ - '\explorer.exe'
+ - '\taskhost.exe'
+ - '\Taskmgr.exe'
+ - '\taskmgr.exe'
+ - '\sihost.exe'
+ - '\RuntimeBroker.exe'
+ - '\runtimebroker.exe'
+ - '\smartscreen.exe'
+ - '\dllhost.exe'
+ - '\audiodg.exe'
+ - '\wlanext.exe'
 filter:
- TargetFilename:
- - 'C:\Windows\System32\\*'
- - 'C:\Windows\system32\\*'
- - 'C:\Windows\SysWow64\\*'
- - 'C:\Windows\SysWOW64\\*'
- - 'C:\Windows\winsxs\\*'
- - 'C:\Windows\WinSxS\\*'
- - '\SystemRoot\System32\\*'
+ TargetFilename|startswith:
+ - 'C:\Windows\System32\'
+ - 'C:\Windows\system32\'
+ - 'C:\Windows\SysWow64\'
+ - 'C:\Windows\SysWOW64\'
+ - 'C:\Windows\winsxs\'
+ - 'C:\Windows\WinSxS\'
+ - '\SystemRoot\System32\'
+ Image|endswith:
+ - '\Windows\System32\dism.exe'
 condition: selection and not filter
 fields:
 - Image
diff --git a/rules/windows/file_event/sysmon_ghostpack_safetykatz.yml b/rules/windows/file_event/sysmon_ghostpack_safetykatz.yml
index a82059024..3019ca420 100755
--- a/rules/windows/file_event/sysmon_ghostpack_safetykatz.yml
+++ b/rules/windows/file_event/sysmon_ghostpack_safetykatz.yml
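Review bot: Adding `Image|endswith: '\Windows\System32\dism.exe'` as a second key inside `filter` ANDs it with the `TargetFilename|startswith` list, because all keys of one Sigma map must match; the filter therefore now suppresses only system-directory writes performed by dism.exe, and a legitimate write of, say, svchost.exe into `C:\Windows\System32\` by any other image, which the old filter excluded, will alert. If the intent is to exclude dism.exe in addition to the system directories, give it its own selection, `filter_dism:` with `Image|endswith: '\Windows\System32\dism.exe'`, and change the condition to `condition: selection and not 1 of filter*`. As written the change is a false-positive regression rather than the extra exclusion the `modified:` bump in the previous hunk suggests.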
@@ -16,7 +16,7 @@ logsource:
 product: windows
 detection:
 selection:
- TargetFilename: '*\Temp\debug.bin'
+ TargetFilename|endswith: '\Temp\debug.bin'
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/file_event/sysmon_non_priv_program_files_move.yml b/rules/windows/file_event/sysmon_non_priv_program_files_move.yml
new file mode 100644
index 000000000..b7440b4b6
--- /dev/null
+++ b/rules/windows/file_event/sysmon_non_priv_program_files_move.yml
@@ -0,0 +1,31 @@
+title: Files Dropped to Program Files by Non-Priviledged Process
+id: d6d9f4fb-4c1c-4f53-b306-62a22c7c61e1
+description: Search for dropping of files to Windows/Program Files fodlers by non-priviledged processes
+status: experimental
+author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community
+date: 2020/10/17
+references:
+ - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-37-638.jpg
+tags:
+ - attack.persistence
+ - attack.defense_evasion
+ - attack.t1574
+ - attack.t1574.010
+logsource:
+ category: file_event
+ product: windows
+detection:
+ integrity:
+ IntegrityLevel: 'Medium'
+ program_files:
+ - TargetFilename|contains:
+ - '\Program Files\'
+ - '\Program Files (x86)\'
+ windows:
+ TargetFilename|startswith: '\Windows\'
+ temp:
+ TargetFilename|contains: 'temp'
+ condition: integrity and (program_files or windows and not temp)
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/file_event/sysmon_outlook_newform.yml b/rules/windows/file_event/sysmon_outlook_newform.yml
new file mode 100644
index 000000000..0ee7b8be5
--- /dev/null
+++ b/rules/windows/file_event/sysmon_outlook_newform.yml
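Review bot: `TargetFilename|startswith: '\Windows\'` only matches a path that begins with a backslash, but Sysmon file events carry a drive-qualified path (the sysmon_creation_system_file.yml hunk above filters on `C:\Windows\...`), so the `windows` selection in sysmon_non_priv_program_files_move.yml is effectively dead; `TargetFilename|contains: ':\Windows\'` or a `startswith` list with the drive letter would match. `IntegrityLevel` is, as far as I know, a process-creation field rather than a file-event field, so whether `integrity` can ever be satisfied against a `file_event` source should be confirmed against the Sysmon schema before the rule is relied on. `Priviledged`/`priviledged` and `fodlers` in the title and description are misspelled (`Privileged`, `folders`).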
@@ -0,0 +1,24 @@
+title: Outlook Form Installation
+id: c3edc6a5-d9d4-48d8-930e-aab518390917
+status: experimental
+description: Detects the creation of new Outlook form which can contain malicious code
+references:
+ - https://twitter.com/blueteamsec1/status/1401290874202382336?s=20
+tags:
+ - attack.persistence
+ - attack.t1137.003
+author: Tobias Michalski
+date: 2021/06/10
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ Image: '\outlook.exe'
+ TargetFilename|contains: '\appdata\local\microsoft\FORMS\'
+ condition: selection
+fields:
+ - TargetFilename
+falsepositives:
+ - unknown
+level: high
diff --git a/rules/windows/file_event/sysmon_pcre_net_temp_file.yml b/rules/windows/file_event/sysmon_pcre_net_temp_file.yml
new file mode 100644
index 000000000..f45d3e393
--- /dev/null
+++ b/rules/windows/file_event/sysmon_pcre_net_temp_file.yml
@@ -0,0 +1,23 @@
+title: PCRE.NET Package Temp Files
+id: 6e90ae7a-7cd3-473f-a035-4ebb72d961da
+description: Detects processes creating temp files related to PCRE.NET package
+status: experimental
+date: 2020/10/29
+modified: 2021/05/21
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.execution
+ - attack.t1059
+references:
+ - https://twitter.com/rbmaslen/status/1321859647091970051
+ - https://twitter.com/tifkin_/status/1321916444557365248
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ - TargetFilename|contains: \AppData\Local\Temp\ba9ea7344a4a5f591d6e5dc32a13494b\
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
diff --git a/rules/windows/file_event/sysmon_powershell_exploit_scripts.yml b/rules/windows/file_event/sysmon_powershell_exploit_scripts.yml
index 7ca774187..e446c5307 100755
--- a/rules/windows/file_event/sysmon_powershell_exploit_scripts.yml
+++ b/rules/windows/file_event/sysmon_powershell_exploit_scripts.yml
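Review bot: `Image: '\outlook.exe'` in sysmon_outlook_newform.yml is an exact match on a bare suffix and will never equal a full image path, so the selection cannot fire and this `level: high` rule is silently dead; it needs the modifier, `Image|endswith: '\outlook.exe'`, as every other image test in this patch uses. In the sysmon_pcre_net_temp_file.yml hunk the unquoted `\AppData\Local\Temp\...\` value is valid YAML, but quoting it would match the style of the neighbouring rules.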
@@ -15,102 +15,102 @@ logsource:
 product: windows
 detection:
 selection:
- TargetFilename:
- - '*\Invoke-DllInjection.ps1'
- - '*\Invoke-WmiCommand.ps1'
- - '*\Get-GPPPassword.ps1'
- - '*\Get-Keystrokes.ps1'
- - '*\Get-VaultCredential.ps1'
- - '*\Invoke-CredentialInjection.ps1'
- - '*\Invoke-Mimikatz.ps1'
- - '*\Invoke-NinjaCopy.ps1'
- - '*\Invoke-TokenManipulation.ps1'
- - '*\Out-Minidump.ps1'
- - '*\VolumeShadowCopyTools.ps1'
- - '*\Invoke-ReflectivePEInjection.ps1'
- - '*\Get-TimedScreenshot.ps1'
- - '*\Invoke-UserHunter.ps1'
- - '*\Find-GPOLocation.ps1'
- - '*\Invoke-ACLScanner.ps1'
- - '*\Invoke-DowngradeAccount.ps1'
- - '*\Get-ServiceUnquoted.ps1'
- - '*\Get-ServiceFilePermission.ps1'
- - '*\Get-ServicePermission.ps1'
- - '*\Invoke-ServiceAbuse.ps1'
- - '*\Install-ServiceBinary.ps1'
- - '*\Get-RegAutoLogon.ps1'
- - '*\Get-VulnAutoRun.ps1'
- - '*\Get-VulnSchTask.ps1'
- - '*\Get-UnattendedInstallFile.ps1'
- - '*\Get-WebConfig.ps1'
- - '*\Get-ApplicationHost.ps1'
- - '*\Get-RegAlwaysInstallElevated.ps1'
- - '*\Get-Unconstrained.ps1'
- - '*\Add-RegBackdoor.ps1'
- - '*\Add-ScrnSaveBackdoor.ps1'
- - '*\Gupt-Backdoor.ps1'
- - '*\Invoke-ADSBackdoor.ps1'
- - '*\Enabled-DuplicateToken.ps1'
- - '*\Invoke-PsUaCme.ps1'
- - '*\Remove-Update.ps1'
- - '*\Check-VM.ps1'
- - '*\Get-LSASecret.ps1'
- - '*\Get-PassHashes.ps1'
- - '*\Show-TargetScreen.ps1'
- - '*\Port-Scan.ps1'
- - '*\Invoke-PoshRatHttp.ps1'
- - '*\Invoke-PowerShellTCP.ps1'
- - '*\Invoke-PowerShellWMI.ps1'
- - '*\Add-Exfiltration.ps1'
- - '*\Add-Persistence.ps1'
- - '*\Do-Exfiltration.ps1'
- - '*\Start-CaptureServer.ps1'
- - '*\Invoke-ShellCode.ps1'
- - '*\Get-ChromeDump.ps1'
- - '*\Get-ClipboardContents.ps1'
- - '*\Get-FoxDump.ps1'
- - '*\Get-IndexedItem.ps1'
- - '*\Get-Screenshot.ps1'
- - '*\Invoke-Inveigh.ps1'
- - '*\Invoke-NetRipper.ps1'
- - '*\Invoke-EgressCheck.ps1'
- - '*\Invoke-PostExfil.ps1'
- - '*\Invoke-PSInject.ps1'
- - '*\Invoke-RunAs.ps1'
- - '*\MailRaider.ps1'
- - '*\New-HoneyHash.ps1'
- - '*\Set-MacAttribute.ps1'
- - '*\Invoke-DCSync.ps1'
- - '*\Invoke-PowerDump.ps1'
- - '*\Exploit-Jboss.ps1'
- - '*\Invoke-ThunderStruck.ps1'
- - '*\Invoke-VoiceTroll.ps1'
- - '*\Set-Wallpaper.ps1'
- - '*\Invoke-InveighRelay.ps1'
- - '*\Invoke-PsExec.ps1'
- - '*\Invoke-SSHCommand.ps1'
- - '*\Get-SecurityPackages.ps1'
- - '*\Install-SSP.ps1'
- - '*\Invoke-BackdoorLNK.ps1'
- - '*\PowerBreach.ps1'
- - '*\Get-SiteListPassword.ps1'
- - '*\Get-System.ps1'
- - '*\Invoke-BypassUAC.ps1'
- - '*\Invoke-Tater.ps1'
- - '*\Invoke-WScriptBypassUAC.ps1'
- - '*\PowerUp.ps1'
- - '*\PowerView.ps1'
- - '*\Get-RickAstley.ps1'
- - '*\Find-Fruit.ps1'
- - '*\HTTP-Login.ps1'
- - '*\Find-TrustedDocuments.ps1'
- - '*\Invoke-Paranoia.ps1'
- - '*\Invoke-WinEnum.ps1'
- - '*\Invoke-ARPScan.ps1'
- - '*\Invoke-PortScan.ps1'
- - '*\Invoke-ReverseDNSLookup.ps1'
- - '*\Invoke-SMBScanner.ps1'
- - '*\Invoke-Mimikittenz.ps1'
+ TargetFilename|endswith:
+ - '\Invoke-DllInjection.ps1'
+ - '\Invoke-WmiCommand.ps1'
+ - '\Get-GPPPassword.ps1'
+ - '\Get-Keystrokes.ps1'
+ - '\Get-VaultCredential.ps1'
+ - '\Invoke-CredentialInjection.ps1'
+ - '\Invoke-Mimikatz.ps1'
+ - '\Invoke-NinjaCopy.ps1'
+ - '\Invoke-TokenManipulation.ps1'
+ - '\Out-Minidump.ps1'
+ - '\VolumeShadowCopyTools.ps1'
+ - '\Invoke-ReflectivePEInjection.ps1'
+ - '\Get-TimedScreenshot.ps1'
+ - '\Invoke-UserHunter.ps1'
+ - '\Find-GPOLocation.ps1'
+ - '\Invoke-ACLScanner.ps1'
+ - '\Invoke-DowngradeAccount.ps1'
+ - '\Get-ServiceUnquoted.ps1'
+ - '\Get-ServiceFilePermission.ps1'
+ - '\Get-ServicePermission.ps1'
+ - '\Invoke-ServiceAbuse.ps1'
+ - '\Install-ServiceBinary.ps1'
+ - '\Get-RegAutoLogon.ps1'
+ - '\Get-VulnAutoRun.ps1'
+ - '\Get-VulnSchTask.ps1'
+ - '\Get-UnattendedInstallFile.ps1'
+ - '\Get-WebConfig.ps1'
+ - '\Get-ApplicationHost.ps1'
+ - '\Get-RegAlwaysInstallElevated.ps1'
+ - '\Get-Unconstrained.ps1'
+ - '\Add-RegBackdoor.ps1'
+ - '\Add-ScrnSaveBackdoor.ps1'
+ - '\Gupt-Backdoor.ps1'
+ - '\Invoke-ADSBackdoor.ps1'
+ - '\Enabled-DuplicateToken.ps1'
+ - '\Invoke-PsUaCme.ps1'
+ - '\Remove-Update.ps1'
+ - '\Check-VM.ps1'
+ - '\Get-LSASecret.ps1'
+ - '\Get-PassHashes.ps1'
+ - '\Show-TargetScreen.ps1'
+ - '\Port-Scan.ps1'
+ - '\Invoke-PoshRatHttp.ps1'
+ - '\Invoke-PowerShellTCP.ps1'
+ - '\Invoke-PowerShellWMI.ps1'
+ - '\Add-Exfiltration.ps1'
+ - '\Add-Persistence.ps1'
+ - '\Do-Exfiltration.ps1'
+ - '\Start-CaptureServer.ps1'
+ - '\Invoke-ShellCode.ps1'
+ - '\Get-ChromeDump.ps1'
+ - '\Get-ClipboardContents.ps1'
+ - '\Get-FoxDump.ps1'
+ - '\Get-IndexedItem.ps1'
+ - '\Get-Screenshot.ps1'
+ - '\Invoke-Inveigh.ps1'
+ - '\Invoke-NetRipper.ps1'
+ - '\Invoke-EgressCheck.ps1'
+ - '\Invoke-PostExfil.ps1'
+ - '\Invoke-PSInject.ps1'
+ - '\Invoke-RunAs.ps1'
+ - '\MailRaider.ps1'
+ - '\New-HoneyHash.ps1'
+ - '\Set-MacAttribute.ps1'
+ - '\Invoke-DCSync.ps1'
+ - '\Invoke-PowerDump.ps1'
+ - '\Exploit-Jboss.ps1'
+ - '\Invoke-ThunderStruck.ps1'
+ - '\Invoke-VoiceTroll.ps1'
+ - '\Set-Wallpaper.ps1'
+ - '\Invoke-InveighRelay.ps1'
+ - '\Invoke-PsExec.ps1'
+ - '\Invoke-SSHCommand.ps1'
+ - '\Get-SecurityPackages.ps1'
+ - '\Install-SSP.ps1'
+ - '\Invoke-BackdoorLNK.ps1'
+ - '\PowerBreach.ps1'
+ - '\Get-SiteListPassword.ps1'
+ - '\Get-System.ps1'
+ - '\Invoke-BypassUAC.ps1'
+ - '\Invoke-Tater.ps1'
+ - '\Invoke-WScriptBypassUAC.ps1'
+ - '\PowerUp.ps1'
+ - '\PowerView.ps1'
+ - '\Get-RickAstley.ps1'
+ - '\Find-Fruit.ps1'
+ - '\HTTP-Login.ps1'
+ - '\Find-TrustedDocuments.ps1'
+ - '\Invoke-Paranoia.ps1'
+ - '\Invoke-WinEnum.ps1'
+ - '\Invoke-ARPScan.ps1'
+ - '\Invoke-PortScan.ps1'
+ - '\Invoke-ReverseDNSLookup.ps1'
+ - '\Invoke-SMBScanner.ps1'
+ - '\Invoke-Mimikittenz.ps1'
 condition: selection
 falsepositives:
 - Penetration Tests
diff --git a/rules/windows/file_event/sysmon_quarkspw_filedump.yml b/rules/windows/file_event/sysmon_quarkspw_filedump.yml
index 2a582eaa3..66d153487 100755
--- a/rules/windows/file_event/sysmon_quarkspw_filedump.yml
+++ b/rules/windows/file_event/sysmon_quarkspw_filedump.yml
@@ -18,7 +18,9 @@ logsource:
 detection:
 selection:
 # Sysmon: File Creation (ID 11)
- TargetFilename: '*\AppData\Local\Temp\SAM-*.dmp*'
+ TargetFilename|contains|all:
+ - '\AppData\Local\Temp\SAM-'
+ - '.dmp'
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/file_event/sysmon_startup_folder_file_write.yml b/rules/windows/file_event/sysmon_startup_folder_file_write.yml
new file mode 100644
index 000000000..d20ad26ed
--- /dev/null
+++ b/rules/windows/file_event/sysmon_startup_folder_file_write.yml
@@ -0,0 +1,22 @@
+title: Startup Folder File Write
+id: 2aa0a6b4-a865-495b-ab51-c28249537b75
+description: A General detection for files being created in the Windows startup directory. This could be an indicator of persistence.
+status: experimental
+date: 2020/05/02
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.persistence
+ - attack.t1547.001
+references:
+ - https://github.com/OTRF/detection-hackathon-apt29/issues/12
+ - https://threathunterplaybook.com/evals/apt29/detections/5.B.1_611FCA99-97D0-4873-9E51-1C1BA2DBB40D.html
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ TargetFilename|contains: 'ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp'
+ condition: selection
+falsepositives:
+ - unknown
+level: low
\ No newline at end of file
diff --git a/rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml b/rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml
index 204bb61c0..7ec9950cd 100755
--- a/rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml
+++ b/rules/windows/file_event/sysmon_susp_adsi_cache_usage.yml
@@ -18,7 +18,8 @@ logsource:
 category: file_event
 detection:
 selection_1:
- TargetFilename: '*\Local\Microsoft\Windows\SchCache\\*.sch'
+ TargetFilename|contains: '\Local\Microsoft\Windows\SchCache\'
+ TargetFilename|endswith: '.sch'
 selection_2:
 Image:
 - 'C:\windows\system32\svchost.exe'
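Review bot: The only selection value in sysmon_startup_folder_file_write.yml, `TargetFilename|contains: 'ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp'`, matches the all-users startup folder under ProgramData alone, so a file dropped into a per-user startup folder under the user's profile is missed even though the description speaks of "the Windows startup directory". The tsclient rule later in this commit uses the profile-agnostic substring `'\Microsoft\Windows\Start Menu\Programs\Startup\'`, which covers both locations; `TargetFilename|contains: '\Microsoft\Windows\Start Menu\Programs\StartUp\'` here would match the stated intent. The trailing `\ No newline at end of file` also shows this rule, unlike most others in the commit, lacks a final newline.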
diff --git a/rules/windows/file_event/sysmon_susp_clr_logs.yml b/rules/windows/file_event/sysmon_susp_clr_logs.yml
new file mode 100644
index 000000000..97fa03b0c
--- /dev/null
+++ b/rules/windows/file_event/sysmon_susp_clr_logs.yml
@@ -0,0 +1,29 @@
+title: Suspcious CLR Logs Creation
+id: e4b63079-6198-405c-abd7-3fe8b0ce3263
+description: Detects suspicious .NET assembly executions
+references:
+ - https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
+date: 2020/10/12
+tags:
+ - attack.execution
+ - attack.t1059.001
+status: experimental
+author: omkar72, oscd.community
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ TargetFilename|contains|all:
+ - '\AppData\Local\Microsoft\CLR'
+ - '\UsageLogs\'
+ TargetFilename|contains:
+ - 'mshta'
+ - 'cscript'
+ - 'wscript'
+ - 'regsvr32'
+ - 'wmic'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/file_event/sysmon_susp_pfx_file_creation.yml b/rules/windows/file_event/sysmon_susp_pfx_file_creation.yml
new file mode 100644
index 000000000..e9e962736
--- /dev/null
+++ b/rules/windows/file_event/sysmon_susp_pfx_file_creation.yml
@@ -0,0 +1,22 @@
+title: Suspicious PFX File Creation
+id: dca1b3e8-e043-4ec8-85d7-867f334b5724
+description: A General detection for processes creating PFX files. This could be an inidicator of an adversary exporting a local certificate to a pfx file.
+status: experimental
+date: 2020/05/02
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.credential_access
+ - attack.t1552.004
+references:
+ - https://github.com/OTRF/detection-hackathon-apt29/issues/14
+ - https://threathunterplaybook.com/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.html
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ TargetFilename|endswith: '.pfx'
+ condition: selection
+falsepositives:
+ - unknown
+level: medium
\ No newline at end of file
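Review bot: The title of the new sysmon_susp_clr_logs.yml is misspelled: `+title: Suspcious CLR Logs Creation` should read `title: Suspicious CLR Logs Creation`, and since titles are what most SIEM consoles display this is worth fixing before the rule ships. The `description: Detects suspicious .NET assembly executions` also understates what the rule keys on; something like `description: Detects CLR usage-log files being written for script hosts (mshta, cscript, wscript, regsvr32, wmic), a trace of .NET assemblies executed from those processes` would tell an analyst why the alert fired.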
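Review bot: `TargetFilename|endswith: '.pfx'` in sysmon_susp_pfx_file_creation.yml matches every PFX file created anywhere on the host with no Image, path or user constraint, yet `falsepositives` is listed as `unknown`; certificate enrollment tooling, code-signing workflows and developers exporting test certificates routinely create these files, so the falsepositives entry should name the expected legitimate cases (e.g. `- Administrators or developers exporting certificates with private keys`). The description also has a typo, `inidicator` → `indicator`.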
diff --git a/rules/windows/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml b/rules/windows/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
index 2dac9fab7..a929366d2 100755
--- a/rules/windows/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
+++ b/rules/windows/file_event/sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml
@@ -15,13 +15,14 @@ logsource:
 category: file_event
 detection:
 selection_1:
- TargetFilename: '*\AppData\Local\Temp\\*\PROCEXP152.sys'
+ TargetFilename|contains: '\AppData\Local\Temp\'
+ TargetFilename|endswith: 'PROCEXP152.sys'
 selection_2:
 Image|contains:
- - '*\procexp64.exe'
- - '*\procexp.exe'
- - '*\procmon64.exe'
- - '*\procmon.exe'
+ - '\procexp64.exe'
+ - '\procexp.exe'
+ - '\procmon64.exe'
+ - '\procmon.exe'
 condition: selection_1 and not selection_2
 falsepositives:
 - Other legimate tools using this driver and filename (like Sysinternals). Note - Clever attackers may easily bypass this detection by just renaming the driver filename. Therefore just Medium-level and don't rely on it.
diff --git a/rules/windows/file_event/sysmon_tsclient_filewrite_startup.yml b/rules/windows/file_event/sysmon_tsclient_filewrite_startup.yml
index 194b75581..c171dcdfc 100755
--- a/rules/windows/file_event/sysmon_tsclient_filewrite_startup.yml
+++ b/rules/windows/file_event/sysmon_tsclient_filewrite_startup.yml
@@ -9,8 +9,8 @@ logsource:
 category: file_event
 detection:
 selection:
- Image: '*\mstsc.exe'
- TargetFilename: '*\Microsoft\Windows\Start Menu\Programs\Startup\\*'
+ Image|endswith: '\mstsc.exe'
+ TargetFilename|contains: '\Microsoft\Windows\Start Menu\Programs\Startup\'
 condition: selection
 falsepositives:
 - unknown
diff --git a/rules/windows/file_event/sysmon_webshell_creation_detect.yml b/rules/windows/file_event/sysmon_webshell_creation_detect.yml
index ffaae9605..49473f329 100755
--- a/rules/windows/file_event/sysmon_webshell_creation_detect.yml
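Review bot: In selection_2 of sysmon_susp_procexplorer_driver_created_in_tmp_folder.yml the hunk strips the leading `*` from the values but leaves the key as `Image|contains:`, so `'\procexp.exe'` now matches as a substring anywhere in the image path rather than as the file name the original `*\procexp.exe` anchored at the end. Because selection_2 is the exclusion (`condition: selection_1 and not selection_2`), a looser match widens the allowlist; `Image|endswith:` is the modifier this same commit uses for image names elsewhere (e.g. `Image|endswith: '\mstsc.exe'` in the tsclient rule) and preserves the old anchoring. The falsepositives text also has a typo, `legimate` → `legitimate`.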
+++ b/rules/windows/file_event/sysmon_webshell_creation_detect.yml
@@ -40,7 +40,7 @@ detection:
 - '\AppData\Local\Temp\'
 - '\Windows\Temp\'
 # kind of ugly but sigmac seems not to handle double parenthesis "(("
- # we shold prefer something like : selection_1 and not false_positives and ((selection_2 and selection_3) or (selection_4 and selection_5) or selection_6)
+ # we should prefer something like : selection_1 and not false_positives and ((selection_2 and selection_3) or (selection_4 and selection_5) or selection_6)
 condition: (selection_2 and selection_3 and not false_positives) or (selection_4 and selection_5 and not false_positives) or (selection_6 and not false_positives)
 falsepositives:
 - Legitimate administrator or developer creating legitimate executable files in a web application folder
diff --git a/rules/windows/file_event/win_cve_2021_1675_printspooler.yml b/rules/windows/file_event/win_cve_2021_1675_printspooler.yml
new file mode 100644
index 000000000..5f99eafe3
--- /dev/null
+++ b/rules/windows/file_event/win_cve_2021_1675_printspooler.yml
@@ -0,0 +1,25 @@
+title: CVE-2021-1675 Print Spooler Exploitation Filename Pattern
+id: 2131cfb3-8c12-45e8-8fa0-31f5924e9f07
+description: Detects the default filename used in PoC code against print spooler vulnerability CVE-2021-1675
+author: Florian Roth
+status: experimental
+level: critical
+references:
+ - https://github.com/hhlxf/PrintNightmare
+ - https://github.com/afwu/PrintNightmare
+date: 2021/06/29
+tags:
+ - attack.execution
+ - cve.2021-1675
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ TargetFilename|contains: 'C:\Windows\System32\spool\drivers\x64\3\old\1\123'
+ condition: selection
+fields:
+ - ComputerName
+ - TargetFileName
+falsepositives:
+ - Unknown
diff --git a/rules/windows/file_event/win_outlook_c2_macro_creation.yml b/rules/windows/file_event/win_outlook_c2_macro_creation.yml
new file mode 100644
index 000000000..e2b9f0c1e
--- /dev/null
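Review bot: In win_cve_2021_1675_printspooler.yml the `fields:` list names `TargetFileName` while the detection keys on `TargetFilename`; Sigma field names are passed through to the backend as written, so the differing casing will likely yield an unknown output column instead of the matched path. It should be `- TargetFilename`. Separately, `TargetFilename|contains: 'C:\Windows\System32\spool\drivers\x64\3\old\1\123'` hardcodes the system drive inside a `contains` match; either `|startswith` with the drive, or `TargetFilename|contains: '\Windows\System32\spool\drivers\x64\3\old\1\123'` without it, follows the drive-agnostic path style used by the rest of this commit.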
+++ b/rules/windows/file_event/win_outlook_c2_macro_creation.yml
@@ -0,0 +1,24 @@
+title: Outlook C2 Macro Creation
+id: 8c31f563-f9a7-450c-bfa8-35f8f32f1f61
+status: experimental
+description: Detects the creation of a macro file for Outlook. Goes with win_outlook_c2_registry_key. VbaProject.OTM is explicitly mentioned in T1137. Particularly interesting if both events Registry & File Creation happens at the same time.
+references:
+ - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/
+author: '@ScoubiMtl'
+tags:
+ - attack.persistence
+ - command_and_control
+ - attack.t1137
+ - attack.t1008
+ - attack.t1546
+date: 2021/04/05
+logsource:
+ category: file_event
+ product: windows
+detection:
+ selection:
+ TargetFilename|endswith: '\Microsoft\Outlook\VbaProject.OTM'
+ condition: selection
+falsepositives:
+ - User genuinly creates a VB Macro for their email
+level: medium
diff --git a/rules/windows/file_event/win_rclone_exec_file.yml b/rules/windows/file_event/win_rclone_exec_file.yml
new file mode 100644
index 000000000..fa47e3244
--- /dev/null
+++ b/rules/windows/file_event/win_rclone_exec_file.yml
@@ -0,0 +1,25 @@
+title: Rclone Config File Creation
+id: 34986307-b7f4-49be-92f3-e7a4d01ac5db
+description: Detects Rclone config file being created
+status: experimental
+date: 2021/05/26
+modified: 2021/06/27
+author: Aaron Greetham (@beardofbinary) - NCC Group
+references:
+ - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
+tags:
+ - attack.exfiltration
+ - attack.t1567.002
+falsepositives:
+ - Legitimate Rclone usage (rare)
+level: high
+logsource:
+ product: windows
+ category: file_event
+detection:
+ file_selection:
+ EventID: 11
+ TargetFilename|contains|all:
+ - ':\Users\'
+ - '\.config\rclone\'
+ condition: file_selection
\ No newline at end of file
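Review bot: The tag `- command_and_control` in win_outlook_c2_macro_creation.yml is missing the `attack.` prefix that every other tactic tag in the file carries (`attack.persistence`), so tooling that groups rules by `attack.*` tags will not attribute this rule to the C2 tactic even though the title says so; it should be `- attack.command_and_control`. The falsepositives entry also has a typo, `genuinly` → `genuinely`.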
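Review bot: `EventID: 11` inside `file_selection` of win_rclone_exec_file.yml pins the rule to Sysmon's event number even though `category: file_event` already selects the file-creation source through the logsource mapping; the other file_event rules in this commit (e.g. sysmon_startup_folder_file_write.yml) omit it, and keeping it prevents conversion for non-Sysmon file_event backends. Drop the `EventID: 11` line and let the logsource supply it. The file also ends without a trailing newline, as the `\ No newline at end of file` marker shows.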
diff --git a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml
new file mode 100644
index 000000000..6304043ad
--- /dev/null
+++ b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml
@@ -0,0 +1,27 @@
+title: Suspicious Multiple File Rename Or Delete Occurred
+id: 97919310-06a7-482c-9639-92b67ed63cf8
+status: experimental
+description: Detects multiple file rename or delete events occurrence within a specified period of time by a same user (these events may signalize about ransomware activity).
+tags:
+ - attack.impact
+ - attack.t1486
+author: Vasiliy Burov, oscd.community
+date: 2020/10/16
+references:
+ - https://www.manageengine.com/data-security/how-to/how-to-detect-ransomware-attacks.html
+logsource:
+ product: windows
+ service: security
+ definition: 'Requirements: Audit Policy : Policies/Windows Settings/Security Settings/Local Policies/Audit Policy/Audit object access, Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Object Access'
+detection:
+ selection:
+ EventID: 4663
+ ObjectType: 'File'
+ AccessList: '%%1537'
+ Keywords: '0x8020000000000000'
+ timeframe: 30s
+ condition: selection | count() by SubjectLogonId > 10
+falsepositives:
+ - Software uninstallation
+ - Files restore activities
+level: medium
diff --git a/rules/windows/image_load/sysmon_alternate_powershell_hosts_moduleload.yml b/rules/windows/image_load/sysmon_alternate_powershell_hosts_moduleload.yml
new file mode 100644
index 000000000..fa78485a0
--- /dev/null
+++ b/rules/windows/image_load/sysmon_alternate_powershell_hosts_moduleload.yml
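Review bot: The aggregation `condition: selection | count() by SubjectLogonId > 10` with `timeframe: 30s` in win_susp_multiple_files_renamed_or_deleted.yml counts 4663 DELETE-access events per logon session with no process or path constraint, so any installer, build job or temp-file cleanup that removes a dozen files in half a minute will fire; the falsepositives list names uninstallation but not routine temp cleanup, which in most environments will be the dominant source. Either raise the threshold to something tuned against a baseline or document the expected noise, e.g. `- Routine temporary-file cleanup by installers, build tools and browsers`. The description wording `may signalize about ransomware activity` would also read better as `may indicate ransomware activity`.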
@@ -0,0 +1,25 @@
+title: Alternate PowerShell Hosts
+id: fe6e002f-f244-4278-9263-20e4b593827f
+description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
+status: experimental
+date: 2019/09/12
+modified: 2021/05/12
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.execution
+ - attack.t1059.001
+references:
+ - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
+logsource:
+ product: windows
+ category: image_load
+detection:
+ selection:
+ Description: 'System.Management.Automation'
+ ImageLoaded|contains: 'System.Management.Automation'
+ filter:
+ Image|endswith: '\powershell.exe'
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/image_load/sysmon_cve_2021_1675_print_nightmare.yml b/rules/windows/image_load/sysmon_cve_2021_1675_print_nightmare.yml
index 98a012bc4..7d57896ef 100644
--- a/rules/windows/image_load/sysmon_cve_2021_1675_print_nightmare.yml
+++ b/rules/windows/image_load/sysmon_cve_2021_1675_print_nightmare.yml
@@ -6,7 +6,6 @@ references:
 - https://github.com/hhlxf/PrintNightmare
 author: FPT.EagleEye
 date: 2021/06/29
-modified: 2021/07/01
 tags:
 - attack.persistence
 - attack.defense_evasion
@@ -21,9 +20,8 @@ detection:
 Image|endswith:
 - 'spoolsv.exe'
 ImageLoaded:
- - 'C:\Windows\System32\spool\drivers\x64\3\old\*.dll'
- - 'C:\Windows\System32\spool\drivers\x64\3\new\*.dll'
+ - 'Windows\System32\spool\drivers\x64\3\old\*.dll'
 condition: selection
 falsepositives:
 - Possible. Requires further testing.
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/image_load/sysmon_in_memory_powershell.yml b/rules/windows/image_load/sysmon_in_memory_powershell.yml
index 7c077934c..d4f1dcd25 100755
--- a/rules/windows/image_load/sysmon_in_memory_powershell.yml
+++ b/rules/windows/image_load/sysmon_in_memory_powershell.yml
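Review bot: The filter in sysmon_alternate_powershell_hosts_moduleload.yml excludes only `Image|endswith: '\powershell.exe'`, but PowerShell 7 (`pwsh.exe`) and the ISE (`powershell_ise.exe`) are equally legitimate hosts of System.Management.Automation and will raise this medium alert on every launch. Extend the filter to a list — `- '\powershell.exe'`, `- '\pwsh.exe'`, `- '\powershell_ise.exe'` — or at least record in `falsepositives` which hosts are expected to trip it; the in-memory PowerShell rule later in this commit already maintains a longer host allowlist that this rule should stay consistent with.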
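Review bot: The new side of sysmon_cve_2021_1675_print_nightmare.yml has no `modified:` line at all even though the second hunk changes the detection (the `new\` path is gone and the drive prefix removed), so the rule carries only `date: 2021/06/29` for a body that has since changed; the convention used elsewhere in this commit (`+modified: 2020/10/12` in sysmon_in_memory_powershell.yml) is to keep and bump `modified:`. The remaining `'Windows\System32\spool\drivers\x64\3\old\*.dll'` also keeps a `*` glob inside a plain `ImageLoaded:` match while every other rule in this commit replaces globs with modifiers; `ImageLoaded|contains: '\Windows\System32\spool\drivers\x64\3\old\'` plus `ImageLoaded|endswith: '.dll'` would be the consistent form.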
@@ -2,9 +2,9 @@ title: In-memory PowerShell
 id: 092bc4b9-3d1d-43b4-a6b4-8c8acd83522f
 status: experimental
 description: Detects loading of essential DLL used by PowerShell, but not by the process powershell.exe. Detects meterpreter's "load powershell" extension.
-author: Tom Kern, oscd.community
+author: Tom Kern, oscd.community, Natalia Shornikova
 date: 2019/11/14
-modified: 2019/11/30
+modified: 2020/10/12
 references:
 - https://adsecurity.org/?p=2921
 - https://github.com/p3nt4/PowerShdll
@@ -27,6 +27,12 @@ detection:
 - '\WINDOWS\System32\sdiagnhost.exe'
 - '\mscorsvw.exe' # c:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsw.exe for instance
 - '\WINDOWS\System32\RemoteFXvGPUDisablement.exe' # on win10
+ - '\sqlps.exe'
+ - '\wsmprovhost.exe'
+ - '\winrshost.exe'
+ - '\syncappvpublishingserver.exe'
+ - '\runscripthelper.exe'
+ - '\ServerManager.exe'
 # User: 'NT AUTHORITY\SYSTEM' # if set, matches all powershell processes not launched by SYSTEM
 condition: selection and not filter
 falsepositives:
diff --git a/rules/windows/image_load/sysmon_mimikatz_inmemory_detection.yml b/rules/windows/image_load/sysmon_mimikatz_inmemory_detection.yml
index 50568b560..d21584364 100755
--- a/rules/windows/image_load/sysmon_mimikatz_inmemory_detection.yml
+++ b/rules/windows/image_load/sysmon_mimikatz_inmemory_detection.yml
@@ -18,9 +18,9 @@ detection:
 selector:
 Image: 'C:\Windows\System32\rundll32.exe'
 dllload1:
- ImageLoaded: '*\vaultcli.dll'
+ ImageLoaded|endswith: '\vaultcli.dll'
 dllload2:
- ImageLoaded: '*\wlanapi.dll'
+ ImageLoaded|endswith: '\wlanapi.dll'
 exclusion:
 ImageLoaded:
 - 'ntdsapi.dll'
diff --git a/rules/windows/image_load/sysmon_pcre_net_load.yml b/rules/windows/image_load/sysmon_pcre_net_load.yml
new file mode 100644
index 000000000..383a83b9d
--- /dev/null
+++ b/rules/windows/image_load/sysmon_pcre_net_load.yml
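Review bot: The six entries added to the filter list in the second hunk of sysmon_in_memory_powershell.yml (the list itself begins above the hunk) are bare image names without a path, and two of them, `\wsmprovhost.exe` and `\winrshost.exe`, are the host processes for WinRM/remote PowerShell sessions; excluding them means System.Management.Automation loads driven by remote sessions are never seen by this rule, which is a deliberate coverage trade-off that deserves the same trailing annotation the existing entries carry, e.g. `- '\wsmprovhost.exe' # WinRM-hosted remote PowerShell sessions, excluded for noise`. The `modified:` bump in the first hunk is in place, which is good.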
@@ -0,0 +1,23 @@
+title: PCRE.NET Package Image Load
+id: 84b0a8f3-680b-4096-a45b-e9a89221727c
+description: Detects processes loading modules related to PCRE.NET package
+status: experimental
+date: 2020/10/29
+modified: 2021/05/21
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.execution
+ - attack.t1059
+references:
+ - https://twitter.com/rbmaslen/status/1321859647091970051
+ - https://twitter.com/tifkin_/status/1321916444557365248
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ - ImageLoaded|contains: \AppData\Local\Temp\ba9ea7344a4a5f591d6e5dc32a13494b\
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
diff --git a/rules/windows/image_load/sysmon_powershell_execution_moduleload.yml b/rules/windows/image_load/sysmon_powershell_execution_moduleload.yml
index b0d0303f9..111759c39 100755
--- a/rules/windows/image_load/sysmon_powershell_execution_moduleload.yml
+++ b/rules/windows/image_load/sysmon_powershell_execution_moduleload.yml
@@ -6,7 +6,7 @@ date: 2019/09/12
 modified: 2019/11/10
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
- - https://github.com/hunters-forge/ThreatHunter-Playbook/blob/8869b7a58dba1cff63bae1d7ab923974b8c0539b/playbooks/WIN-190410151110.yaml
+ - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html
 tags:
 - attack.execution
 - attack.t1086 # an old one
@@ -16,8 +16,8 @@ logsource:
 product: windows
 detection:
 selection:
- Description: 'system.management.automation'
- ImageLoaded|contains: 'system.management.automation'
+ Description: 'System.Management.Automation'
+ ImageLoaded|contains: 'System.Management.Automation'
 condition: selection
 fields:
 - ComputerName
diff --git a/rules/windows/image_load/sysmon_scrcons_imageload_wmi_scripteventconsumer.yml b/rules/windows/image_load/sysmon_scrcons_imageload_wmi_scripteventconsumer.yml
new file mode 100644
index 000000000..59f8621ed
--- /dev/null
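Review bot: The selection in sysmon_pcre_net_load.yml is written as a one-element list of maps with an unquoted value, `- ImageLoaded|contains: \AppData\Local\Temp\ba9ea7344a4a5f591d6e5dc32a13494b\`; a plain YAML scalar keeps the backslashes literally so it parses today, but every other rule in this commit quotes path values and uses a plain map for a single-key selection, and an unquoted value breaks as soon as a later edit introduces `: ` or ` #` into it. `ImageLoaded|contains: '\AppData\Local\Temp\ba9ea7344a4a5f591d6e5dc32a13494b\'` without the leading `- ` is the consistent, safer form. The file also lacks a trailing newline.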
+++ b/rules/windows/image_load/sysmon_scrcons_imageload_wmi_scripteventconsumer.yml
@@ -0,0 +1,30 @@
+title: WMI Script Host Process Image Loaded
+id: b439f47d-ef52-4b29-9a2f-57d8a96cb6b8
+description: Detects signs of the WMI script host process %SystemRoot%\system32\wbem\scrcons.exe functionality being used via images being loaded by a process.
+status: experimental
+date: 2020/09/02
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.lateral_movement
+ - attack.privilege_escalation
+ - attack.persistence
+ - attack.t1546.003
+references:
+ - https://twitter.com/HunterPlaybook/status/1301207718355759107
+ - https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/
+ - https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-200902020333.html
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\scrcons.exe'
+ ImageLoaded|endswith:
+ - '\vbscript.dll'
+ - '\wbemdisp.dll'
+ - '\wshom.ocx'
+ - '\scrrun.dll'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/image_load/sysmon_susp_image_load.yml b/rules/windows/image_load/sysmon_susp_image_load.yml
index 5a2bc710f..5bf530559 100755
--- a/rules/windows/image_load/sysmon_susp_image_load.yml
+++ b/rules/windows/image_load/sysmon_susp_image_load.yml
@@ -16,11 +16,11 @@ logsource:
 product: windows
 detection:
 selection:
- Image:
- - '*\notepad.exe'
- ImageLoaded:
- - '*\samlib.dll'
- - '*\WinSCard.dll'
+ Image|endswith:
+ - '\notepad.exe'
+ ImageLoaded|endswith:
+ - '\samlib.dll'
+ - '\WinSCard.dll'
 condition: selection
 falsepositives:
 - Very likely, needs more tuning
diff --git a/rules/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml
index a8c6f2ec5..c9d881196 100755
--- a/rules/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml
+++ b/rules/windows/image_load/sysmon_susp_office_dotnet_assembly_dll_load.yml
@@ -16,13 +16,13 @@ logsource:
 product: windows
 detection:
 selection:
- Image:
- - '*\winword.exe'
- - '*\powerpnt.exe'
- - '*\excel.exe'
- - '*\outlook.exe'
- ImageLoaded:
- - 'C:\Windows\assembly\\*'
+ Image|endswith:
+ - '\winword.exe'
+ - '\powerpnt.exe'
+ - '\excel.exe'
+ - '\outlook.exe'
+ ImageLoaded|startswith:
+ - 'C:\Windows\assembly\'
 condition: selection
 falsepositives:
 - Alerts on legitimate macro usage as well, will need to filter as appropriate
diff --git a/rules/windows/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml
index 59b043baa..f75cce094 100755
--- a/rules/windows/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml
+++ b/rules/windows/image_load/sysmon_susp_office_dotnet_clr_dll_load.yml
@@ -16,13 +16,13 @@ logsource:
 product: windows
 detection:
 selection:
- Image:
- - '*\winword.exe'
- - '*\powerpnt.exe'
- - '*\excel.exe'
- - '*\outlook.exe'
- ImageLoaded:
- - '*\clr.dll*'
+ Image|endswith:
+ - '\winword.exe'
+ - '\powerpnt.exe'
+ - '\excel.exe'
+ - '\outlook.exe'
+ ImageLoaded|contains:
+ - '\clr.dll'
 condition: selection
 falsepositives:
 - Alerts on legitimate macro usage as well, will need to filter as appropriate
diff --git a/rules/windows/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml
index a9f820194..fa0182796 100755
--- a/rules/windows/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml
+++ b/rules/windows/image_load/sysmon_susp_office_dotnet_gac_dll_load.yml
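Review bot: `ImageLoaded|startswith: 'C:\Windows\assembly\'` in sysmon_susp_office_dotnet_assembly_dll_load.yml hardcodes the system drive, so a host with Windows installed on any other letter never matches; the same pattern recurs in this commit in the GAC rule (`'C:\Windows\Microsoft.NET\assembly\GAC_MSIL'`) and in the svchost DLL search-order rule's filter (`'C:\Windows\WinSxS\'`), where a non-matching filter means the exclusion silently stops applying. Using `contains` with the drive-less prefix, e.g. `ImageLoaded|contains: '\Windows\assembly\'`, keeps the original anchoring intent without the drive dependency and is the form the CLR and dsparse rules in this same commit already use.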
@@ -16,13 +16,13 @@ logsource:
 product: windows
 detection:
 selection:
- Image:
- - '*\winword.exe'
- - '*\powerpnt.exe'
- - '*\excel.exe'
- - '*\outlook.exe'
- ImageLoaded:
- - 'C:\Windows\Microsoft.NET\assembly\GAC_MSIL*'
+ Image|endswith:
+ - '\winword.exe'
+ - '\powerpnt.exe'
+ - '\excel.exe'
+ - '\outlook.exe'
+ ImageLoaded|startswith:
+ - 'C:\Windows\Microsoft.NET\assembly\GAC_MSIL'
 condition: selection
 falsepositives:
 - Alerts on legitimate macro usage as well, will need to filter as appropriate
diff --git a/rules/windows/image_load/sysmon_susp_office_dsparse_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_dsparse_dll_load.yml
index 9897408c6..f6297faef 100755
--- a/rules/windows/image_load/sysmon_susp_office_dsparse_dll_load.yml
+++ b/rules/windows/image_load/sysmon_susp_office_dsparse_dll_load.yml
@@ -16,13 +16,13 @@ logsource:
 product: windows
 detection:
 selection:
- Image:
- - '*\winword.exe'
- - '*\powerpnt.exe'
- - '*\excel.exe'
- - '*\outlook.exe'
- ImageLoaded:
- - '*\dsparse.dll*'
+ Image|endswith:
+ - '\winword.exe'
+ - '\powerpnt.exe'
+ - '\excel.exe'
+ - '\outlook.exe'
+ ImageLoaded|contains:
+ - '\dsparse.dll'
 condition: selection
 falsepositives:
 - Alerts on legitimate macro usage as well, will need to filter as appropriate
diff --git a/rules/windows/image_load/sysmon_susp_office_kerberos_dll_load.yml b/rules/windows/image_load/sysmon_susp_office_kerberos_dll_load.yml
index 2ac8622f5..b42030734 100755
--- a/rules/windows/image_load/sysmon_susp_office_kerberos_dll_load.yml
+++ b/rules/windows/image_load/sysmon_susp_office_kerberos_dll_load.yml
@@ -16,13 +16,13 @@ logsource:
 product: windows
 detection:
 selection:
- Image:
- - '*\winword.exe'
- - '*\powerpnt.exe'
- - '*\excel.exe'
- - '*\outlook.exe'
- ImageLoaded:
- - '*\kerberos.dll'
+ Image|endswith:
+ - '\winword.exe'
+ - '\powerpnt.exe'
+ - '\excel.exe'
+ - '\outlook.exe'
+ ImageLoaded|endswith:
+ - '\kerberos.dll'
 condition: selection
 falsepositives:
 - Alerts on legitimate macro usage as well, will need to filter as appropriate
diff --git a/rules/windows/image_load/sysmon_susp_python_image_load.yml b/rules/windows/image_load/sysmon_susp_python_image_load.yml
new file mode 100644
index 000000000..ba7f3d7d4
--- /dev/null
+++ b/rules/windows/image_load/sysmon_susp_python_image_load.yml
@@ -0,0 +1,25 @@
+title: Python Py2Exe Image Load
+id: cbb56d62-4060-40f7-9466-d8aaf3123f83
+description: Detects the image load of Python Core indicative of a Python script bundled with Py2Exe.
+status: experimental
+date: 2020/05/03
+modified: 2021/05/12
+author: Patrick St. John, OTR (Open Threat Research)
+tags:
+ - attack.defense_evasion
+ - attack.t1027.002
+references:
+ - https://www.py2exe.org/
+ - https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/
+logsource:
+ product: windows
+ category: image_load
+detection:
+ selection:
+ Description: 'Python Core'
+ condition: selection
+fields:
+ - Description
+falsepositives:
+ - Legit Py2Exe Binaries
+level: medium
\ No newline at end of file
diff --git a/rules/windows/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml b/rules/windows/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml
new file mode 100644
index 000000000..701d372fa
--- /dev/null
+++ b/rules/windows/image_load/sysmon_susp_script_dotnet_clr_dll_load.yml
@@ -0,0 +1,31 @@
+title: CLR DLL Loaded Via Scripting Applications
+id: 4508a70e-97ef-4300-b62b-ff27992990ea
+status: experimental
+description: Detects CLR DLL being loaded by an scripting applications
+references:
+ - https://github.com/tyranid/DotNetToJScript
+ - https://thewover.github.io/Introducing-Donut/
+ - https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html
+author: omkar72, oscd.community
+date: 2020/10/14
+tags:
+ - attack.execution
+ - attack.privilege_escalation
+ - attack.t1055
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - '\wscript.exe'
+ - '\cscript.exe'
+ - '\mshta.exe'
+ ImageLoaded|endswith:
+ - '\clr.dll'
+ - '\mscoree.dll'
+ - '\mscorlib.dll'
+ condition: selection
+falsepositives:
+ - unknown
+level: high
diff --git a/rules/windows/image_load/sysmon_susp_system_drawing_load.yml b/rules/windows/image_load/sysmon_susp_system_drawing_load.yml
new file mode 100644
index 000000000..771952fe7
--- /dev/null
+++ b/rules/windows/image_load/sysmon_susp_system_drawing_load.yml
@@ -0,0 +1,24 @@
+title: Suspicious System.Drawing Load
+id: 666ecfc7-229d-42b8-821e-1a8f8cb7057c
+description: A General detection for processes loading System.Drawing.ni.dll. This could be an indicator of potential Screen Capture.
+status: experimental
+date: 2020/05/02
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.collection
+ - attack.t1113
+references:
+ - https://github.com/OTRF/detection-hackathon-apt29/issues/16
+ - https://threathunterplaybook.com/evals/apt29/detections/7.A.1_3B4E5808-3C71-406A-B181-17B0CE3178C9.html
+logsource:
+ product: windows
+ category: image_load
+detection:
+ selection:
+ ImageLoaded|endswith: '\System.Drawing.ni.dll'
+ filter:
+ Image|endswith: '\WmiPrvSE.exe'
+ condition: selection and not filter
+falsepositives:
+ - unknown
+level: medium
\ No newline at end of file
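Review bot: `description: Detects CLR DLL being loaded by an scripting applications` in sysmon_susp_script_dotnet_clr_dll_load.yml is ungrammatical; `description: Detects the .NET CLR DLLs being loaded by Windows scripting hosts (wscript, cscript, mshta)` reads correctly and names what the selection actually keys on. The tag `attack.t1055` (process injection) also does not obviously follow from a CLR image load in a script host — the referenced DotNetToJScript technique sits closer to the `attack.t1059` family that the sibling sysmon_susp_clr_logs.yml in this commit uses — so the tag choice should be confirmed or explained.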
diff --git a/rules/windows/image_load/sysmon_susp_winword_vbadll_load.yml b/rules/windows/image_load/sysmon_susp_winword_vbadll_load.yml
index fedeecf64..262d9c7dc 100755
--- a/rules/windows/image_load/sysmon_susp_winword_vbadll_load.yml
+++ b/rules/windows/image_load/sysmon_susp_winword_vbadll_load.yml
@@ -16,15 +16,15 @@ logsource:
 product: windows
 detection:
 selection:
- Image:
- - '*\winword.exe'
- - '*\powerpnt.exe'
- - '*\excel.exe'
- - '*\outlook.exe'
- ImageLoaded:
- - '*\VBE7.DLL'
- - '*\VBEUI.DLL'
- - '*\VBE7INTL.DLL'
+ Image|endswith:
+ - '\winword.exe'
+ - '\powerpnt.exe'
+ - '\excel.exe'
+ - '\outlook.exe'
+ ImageLoaded|endswith:
+ - '\VBE7.DLL'
+ - '\VBEUI.DLL'
+ - '\VBE7INTL.DLL'
 condition: selection
 falsepositives:
 - Alerts on legitimate macro usage as well, will need to filter as appropriate
diff --git a/rules/windows/image_load/sysmon_susp_winword_wmidll_load.yml b/rules/windows/image_load/sysmon_susp_winword_wmidll_load.yml
index c2d9e429a..bdbbc5b27 100755
--- a/rules/windows/image_load/sysmon_susp_winword_wmidll_load.yml
+++ b/rules/windows/image_load/sysmon_susp_winword_wmidll_load.yml
@@ -1,4 +1,4 @@
-title: Windows Mangement Instrumentation DLL Loaded Via Microsoft Word
+title: Windows Management Instrumentation DLL Loaded Via Microsoft Word
 id: a457f232-7df9-491d-898f-b5aabd2cbe2f
 status: experimental
 description: Detects DLL's Loaded Via Word Containing VBA Macros Executing WMI Commands
@@ -16,17 +16,17 @@ logsource:
 product: windows
 detection:
 selection:
- Image:
- - '*\winword.exe'
- - '*\powerpnt.exe'
- - '*\excel.exe'
- - '*\outlook.exe'
- ImageLoaded:
- - '*\wmiutils.dll'
- - '*\wbemcomn.dll'
- - '*\wbemprox.dll'
- - '*\wbemdisp.dll'
- - '*\wbemsvc.dll'
+ Image|endswith:
+ - '\winword.exe'
+ - '\powerpnt.exe'
+ - '\excel.exe'
+ - '\outlook.exe'
+ ImageLoaded|endswith:
+ - '\wmiutils.dll'
+ - '\wbemcomn.dll'
+ - '\wbemprox.dll'
+ - '\wbemdisp.dll'
+ - '\wbemsvc.dll'
 condition: selection
 falsepositives:
 - Possible. Requires further testing.
diff --git a/rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml b/rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml
index 9d009c297..6247ee4f9 100755
--- a/rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml
+++ b/rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml
@@ -21,15 +21,15 @@ logsource:
 product: windows
 detection:
 selection:
- Image:
- - '*\svchost.exe'
- ImageLoaded:
- - '*\tsmsisrv.dll'
- - '*\tsvipsrv.dll'
- - '*\wlbsctrl.dll'
+ Image|endswith:
+ - '\svchost.exe'
+ ImageLoaded|endswith:
+ - '\tsmsisrv.dll'
+ - '\tsvipsrv.dll'
+ - '\wlbsctrl.dll'
 filter:
- ImageLoaded:
- - 'C:\Windows\WinSxS\\*'
+ ImageLoaded|startswith:
+ - 'C:\Windows\WinSxS\'
 condition: selection and not filter
 falsepositives:
 - Pentest
diff --git a/rules/windows/image_load/sysmon_tttracer_mod_load.yml b/rules/windows/image_load/sysmon_tttracer_mod_load.yml
new file mode 100644
index 000000000..64f945e89
--- /dev/null
+++ b/rules/windows/image_load/sysmon_tttracer_mod_load.yml
@@ -0,0 +1,38 @@
+action: global
+title: Time Travel Debugging Utility Usage
+id: e76c8240-d68f-4773-8880-5c6f63595aaf
+description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/Tttracer/
+ - https://twitter.com/mattifestation/status/1196390321783025666
+ - https://twitter.com/oulusoyum/status/1191329746069655553
+author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'
+date: 2020/10/06
+tags:
+ - attack.defense_evasion
+ - attack.credential_access
+ - attack.t1218
+ - attack.t1003.001
+detection:
+ condition: 1 of them
+falsepositives:
+ - Legitimate usage by software developers/testers
+level: high
+---
+logsource:
+ product: windows
+ category: image_load
+detection:
+ selection1:
+ ImageLoaded|endswith:
+ - '\ttdrecord.dll'
+ - '\ttdwriter.dll'
+ - '\ttdloader.dll'
+---
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection2:
+ ParentImage|endswith:
+ - '\tttracer.exe'
diff --git a/rules/windows/image_load/sysmon_uac_bypass_via_dism.yml b/rules/windows/image_load/sysmon_uac_bypass_via_dism.yml
new file mode 100644
index 000000000..46200f57b
--- /dev/null
+++ b/rules/windows/image_load/sysmon_uac_bypass_via_dism.yml
@@ -0,0 +1,31 @@
+title: UAC Bypass With Fake DLL
+id: a5ea83a7-05a5-44c1-be2e-addccbbd8c03
+status: experimental
+description: Attempts to load dismcore.dll after dropping it
+references:
+ - https://steemit.com/utopian-io/@ah101/uac-bypassing-utility
+tags:
+ - attack.persistence
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1548.002
+ - attack.t1574.002
+author: oscd.community, Dmitry Uchakin
+date: 2020/10/06
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - '\dism.exe'
+ ImageLoaded|endswith:
+ - '\dismcore.dll'
+ filter:
+ ImageLoaded:
+ - 'C:\Windows\System32\Dism\dismcore.dll'
+ condition: selection
+falsepositives:
+ - Pentests
+ - Actions of a legitimate telnet client
+level: high
diff --git a/rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml b/rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml
new file mode 100644
index 000000000..92db1c231
--- /dev/null
+++ b/rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml
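Review bot: In sysmon_uac_bypass_via_dism.yml the `filter:` block that allowlists `C:\Windows\System32\Dism\dismcore.dll` is never referenced — the r condition is `condition: selection` alone — so the legitimate in-place load of dismcore.dll by dism.exe matches and the rule fires at `level: high` on every ordinary DISM run, while the filter is dead YAML. The condition should be `condition: selection and not filter`; with the filter active the rule only fires when dism.exe loads a dismcore.dll from outside its own directory, which is the behaviour the title describes. The falsepositives entry `Actions of a legitimate telnet client` also looks copied from another rule and has no relation to DISM.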
@@ -0,0 +1,29 @@
+title: UIPromptForCredentials DLLs
+id: 9ae01559-cf7e-4f8e-8e14-4c290a1b4784
+description: Detects potential use of UIPromptForCredentials functions by looking for some of the DLLs needed for it.
+status: experimental
+date: 2020/10/20
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.credential_access
+ - attack.collection
+ - attack.t1056.002
+references:
+ - https://mordordatasets.com/notebooks/small/windows/06_credential_access/SDWIN-201020013208.html
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password
+ - https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ - ImageLoaded|endswith:
+ - '\credui.dll'
+ - '\wincredui.dll'
+ - OriginalFileName:
+ - 'credui.dll'
+ - 'wincredui.dll'
+ condition: selection
+falsepositives:
+ - other legitimate processes loading those DLLs in your environment.
+level: medium
\ No newline at end of file
diff --git a/rules/windows/image_load/sysmon_wmi_module_load.yml b/rules/windows/image_load/sysmon_wmi_module_load.yml
index 6b46e7b0f..e93309383 100755
--- a/rules/windows/image_load/sysmon_wmi_module_load.yml
+++ b/rules/windows/image_load/sysmon_wmi_module_load.yml
@@ -6,7 +6,7 @@ date: 2019/08/10
 modified: 2019/11/10
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
- - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1047_windows_management_instrumentation/wmi_wmi_module_load.md
+ - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190811201010.html
 tags:
 - attack.execution
 - attack.t1047
diff --git a/rules/windows/image_load/sysmon_wmic_remote_xsl_scripting_dlls.yml b/rules/windows/image_load/sysmon_wmic_remote_xsl_scripting_dlls.yml
new file mode 100644
index 000000000..91d711f5c
--- /dev/null
+++ b/rules/windows/image_load/sysmon_wmic_remote_xsl_scripting_dlls.yml
@@ -0,0 +1,26 @@
+title: WMIC Loading Scripting Libraries
+id: 06ce37c2-61ab-4f05-9ff5-b1a96d18ae32
+description: Detects threat actors proxy executing code and bypassing application controls by leveraging wmic and the `/FORMAT` argument switch to download and execute an XSL file (i.e js, vbs, etc).
+status: experimental
+date: 2020/10/17
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.defense_evasion
+ - attack.t1220
+references:
+ - https://mordordatasets.com/notebooks/small/windows/05_defense_evasion/SDWIN-201017061100.html
+ - https://twitter.com/dez_/status/986614411711442944
+ - https://lolbas-project.github.io/lolbas/Binaries/Wmic/
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\wmic.exe'
+ ImageLoaded|endswith:
+ - '\jscript.dll'
+ - '\vbscript.dll'
+ condition: selection
+falsepositives:
+ - Apparently, wmic os get lastboottuptime loads vbscript.dll
+level: high
\ No newline at end of file
diff --git a/rules/windows/image_load/sysmon_wsman_provider_image_load.yml b/rules/windows/image_load/sysmon_wsman_provider_image_load.yml
new file mode 100644
index 000000000..953e556e8
--- /dev/null
+++ b/rules/windows/image_load/sysmon_wsman_provider_image_load.yml
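Review bot: The falsepositives entry documents a known benign trigger (`wmic os get lastboottuptime loads vbscript.dll`), yet the rule ships at `level: high` with no way to exclude it — image_load events carry no command line, so the only options are a lower level or a description sentence telling operators that hosts running that query need tuning. The WMI property in that falsepositive text is also misspelled; it should read `wmic os get lastbootuptime` (`LastBootUpTime`), so anyone validating the false positive finds the right property.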
@@ -0,0 +1,38 @@
+title: Suspicious WSMAN Provider Image Loads
+id: ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94
+description: Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.
+status: experimental
+date: 2020/06/24
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.execution
+ - attack.t1059.001
+ - attack.lateral_movement
+ - attack.t1021.003
+references:
+ - https://twitter.com/chadtilbury/status/1275851297770610688
+ - https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/
+ - https://docs.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture
+ - https://github.com/bohops/WSMan-WinRM
+logsource:
+ category: image_load
+ product: windows
+detection:
+ request_client:
+ - ImageLoaded|endswith:
+ - '\WsmSvc.dll'
+ - '\WsmAuto.dll'
+ - '\Microsoft.WSMan.Management.ni.dll'
+ - OriginalFileName:
+ - WsmSvc.dll
+ - WSMANAUTOMATION.DLL
+ - Microsoft.WSMan.Management.dll
+ filter_ps:
+ Image|endswith: '\powershell.exe'
+ respond_server:
+ Image|endswith: '\svchost.exe'
+ OriginalFileName: 'WsmWmiPl.dll'
+ condition: (request_client and not filter_ps) or respond_server
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/malware/av_exploiting.yml b/rules/windows/malware/av_exploiting.yml
index cbdec2bcf..94ec45d72 100644
--- a/rules/windows/malware/av_exploiting.yml
+++ b/rules/windows/malware/av_exploiting.yml
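Review bot: `filter_ps` excludes only `\powershell.exe`; PowerShell 7 (`pwsh.exe`) ships the same Microsoft.WSMan.Management module on Windows and, as far as I can tell, loads the same DLLs for remoting, so every pwsh remoting session would hit `request_client` and alert — extend the filter to `Image|endswith: ['\powershell.exe', '\pwsh.exe']`. `respond_server` requires `Image|endswith: '\svchost.exe'` together with the WsmWmiPl.dll load, which is a sound pairing, but the description should say that this branch covers the server side of remote execution so readers understand why it bypasses the PowerShell filter. `falsepositives: Unknown` undersells the obvious one: any management tool that drives WinRM through the COM API will trigger request_client.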
@@ -15,16 +15,20 @@ logsource: product: antivirus detection: selection: - Signature: - - "*MeteTool*" - - "*MPreter*" - - "*Meterpreter*" - - "*Metasploit*" - - "*PowerSploit*" - - "*CobaltSrike*" - - "*Swrort*" - - "*Rozena*" - - "*Backdoor.Cobalt*" + Signature|contains: + - "MeteTool" + - "MPreter" + - "Meterpreter" + - "Metasploit" + - "PowerSploit" + - "CobaltSrike" + - "Swrort" + - "Rozena" + - "Backdoor.Cobalt" + - "CobaltStr" + - "COBEACON" + - "Cometer" + - "Razy" condition: selection fields: - FileName diff --git a/rules/windows/malware/av_password_dumper.yml b/rules/windows/malware/av_password_dumper.yml index 77cc9d433..dc75de349 100644 --- a/rules/windows/malware/av_password_dumper.yml +++ b/rules/windows/malware/av_password_dumper.yml @@ -17,17 +17,19 @@ logsource: product: antivirus detection: selection: - Signature: - - "*DumpCreds*" - - "*Mimikatz*" - - "*PWCrack*" + Signature|contains: + - "DumpCreds" + - "Mimikatz" + - "PWCrack" - "HTool/WCE" - - "*PSWtool*" - - "*PWDump*" - - "*SecurityTool*" - - "*PShlSpy*" - - "*Rubeus*" - - "*Kekeo*" + - "PSWtool" + - "PWDump" + - "SecurityTool" + - "PShlSpy" + - "Rubeus" + - "Kekeo" + - "LsassDump" + - "Outflank" condition: selection fields: - FileName diff --git a/rules/windows/malware/av_relevant_files.yml b/rules/windows/malware/av_relevant_files.yml index 747bd494a..c200959a2 100644 --- a/rules/windows/malware/av_relevant_files.yml +++ b/rules/windows/malware/av_relevant_files.yml 
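Review bot: `Razy` is, to my knowledge, a generic family label that several engines attach to a wide range of unrelated detections, so adding it to a rule aimed at offensive-tooling signatures may be noisy; if it stays, the falsepositives section (outside this hunk) should mention generic Razy hits. The entry `CobaltSrike` (missing the `t`) survives from the old list; if it was a typo rather than a real vendor spelling, the new `CobaltStr` entry already covers the intended match and it can be dropped. The same hunk's neighbour av_password_dumper keeps `"HTool/WCE"` as a context line under the new `Signature|contains`, which changes its semantics from exact match to substring match — harmless here, but worth confirming that was intended.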
@@ -2,41 +2,70 @@ title: Antivirus Relevant File Paths Alerts id: c9a88268-0047-4824-ba6e-4d81ce0b907c description: Detects an Antivirus alert in a highly relevant file path or with a relevant file name date: 2018/09/09 -modified: 2019/10/04 -author: Florian Roth +modified: 2021/05/09 +author: Florian Roth, Arnim Rupp references: - - https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/ + - https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/ logsource: product: antivirus detection: selection: - FileName: - - 'C:\Windows\Temp\\*' - - 'C:\Temp\\*' - - '*\\Client\\*' - - 'C:\PerfLogs\\*' - - 'C:\Users\Public\\*' - - 'C:\Users\Default\\*' - - '*.ps1' - - '*.vbs' - - '*.bat' - - '*.chm' - - '*.xml' - - '*.txt' - - '*.jsp' - - '*.jspx' - - '*.asp' - - '*.aspx' - - '*.php' - - '*.war' - - '*.hta' - - '*.lnk' - - '*.scf' - - '*.sct' - - '*.vbe' - - '*.wsf' - - '*.wsh' - condition: selection + - FileName|startswith: + - 'C:\Windows\' + - 'C:\Temp\' + - 'C:\PerfLogs\' + - 'C:\Users\Public\' + - 'C:\Users\Default\' + - FileName|contains: + - '\Client\' + - '\tsclient\' + - '\inetpub\' + - '/www/' + - 'apache' + - 'tomcat' + - 'nginx' + - 'weblogic' + selection2: + Filename|endswith: + - '.ps1' + - '.psm1' + - '.vbs' + - '.bat' + - '.cmd' + - '.sh' + - '.chm' + - '.xml' + - '.txt' + - '.jsp' + - '.jspx' + - '.asp' + - '.aspx' + - '.ashx' + - '.asax' + - '.asmx' + - '.php' + - '.cfm' + - '.py' + - '.pyc' + - '.pl' + - '.rb' + - '.cgi' + - '.war' + - '.ear' + - '.hta' + - '.lnk' + - '.scf' + - '.sct' + - '.vbe' + - '.wsf' + - '.wsh' + - '.gif' + - '.png' + - '.jpg' + - '.jpeg' + - '.svg' + - '.dat' + condition: selection or selection2 fields: - Signature - User diff --git a/rules/windows/malware/av_webshell.yml b/rules/windows/malware/av_webshell.yml index 3290dba48..3d9cc3105 100644 --- a/rules/windows/malware/av_webshell.yml +++ b/rules/windows/malware/av_webshell.yml 
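Review bot: `selection2` uses the field name `Filename` while `selection` uses `FileName`; Sigma field names are case-sensitive in backend field mappings, so the extension matches would map to a different (or unmapped) field and silently never fire — change it to `FileName|endswith:`. `FileName|startswith: 'C:\Windows\'` also replaces the old `C:\Windows\Temp\` and now matches every file under the Windows directory including System32, a large widening of scope that the description (still "highly relevant file path") does not reflect; either narrow it back to the Temp subfolder or update the description to say the whole Windows tree is in scope. The added image extensions (`.gif`, `.png`, `.jpg`, `.jpeg`, `.svg`) will raise the alert rate considerably; a short comment on why they were added (e.g. polyglot webshells) would help the next maintainer.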
@@ -1,14 +1,19 @@ title: Antivirus Web Shell Detection id: fdf135a2-9241-4f96-a114-bb404948f736 -description: Detects a highly relevant Antivirus alert that reports a web shell +description: Detects a highly relevant Antivirus alert that reports a web shell. It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big webshell repo from e.g. github and checking the matches. date: 2018/09/09 -modified: 2001/01/07 +modified: 2021/05/08 author: Florian Roth, Arnim Rupp references: - - https://www.nextron-systems.com/2019/10/04/antivirus-event-analysis-cheat-sheet-v1-7-2/ + - https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/ + - https://github.com/tennc/webshell - https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection - https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection - https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection + - https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection + - https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection + - https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection + - https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection tags: - attack.persistence - attack.t1100 
@@ -17,26 +22,49 @@ logsource: product: antivirus detection: selection: - Signature: - - "PHP/Backdoor*" - - "JSP/Backdoor*" - - "ASP/Backdoor*" - - "Backdoor?PHP*" - - "Backdoor?JSP*" - - "Backdoor?ASP*" - - "Backdoor?Java*" - - "*Webshell*" - - "*Chopper*" - - "*ASPXSpy*" - - "*Aspdoor*" - - "*PHP:*" - - "*PHPShell*" - - "*Trojan.PHP*" - - "*Trojan.ASP*" - - "*Trojan.JSP*" - - "*PHP?Agent*" - - "*ASP?Agent*" - - "*JSP?Agent*" + - Signature|startswith: + - "PHP/" + - "JSP/" + - "ASP/" + - "Perl/" + - "PHP." + - "JSP." + - "ASP." + - "Perl." + - "VBS/Uxor" # looking for "VBS/" would also find downloaders and droppers meant for desktops + - "IIS/BackDoor" + - "JAVA/Backdoor" + - "Troj/ASP" + - "Troj/PHP" + - "Troj/JSP" + - Signature|contains: + - "Webshell" + - "Chopper" + - "SinoChoper" + - "ASPXSpy" + - "Aspdoor" + - "filebrowser" + - "PHP_" + - "JSP_" + - "ASP_" # looking for "VBS_" would also find downloaders and droppers meant for desktops + - "PHP:" + - "JSP:" + - "ASP:" + - "Perl:" + - "PHPShell" + - "Trojan.PHP" + - "Trojan.ASP" + - "Trojan.JSP" + - "Trojan.VBS" + - "PHP?Agent" + - "ASP?Agent" + - "JSP?Agent" + - "VBS?Agent" + - "Backdoor?PHP" + - "Backdoor?JSP" + - "Backdoor?ASP" + - "Backdoor?VBS" + - "Backdoor?Java" condition: selection fields: - FileName diff --git a/rules/windows/malware/mal_azorult_reg.yml b/rules/windows/malware/mal_azorult_reg.yml index d99e7c471..987e7a7fe 100644 --- a/rules/windows/malware/mal_azorult_reg.yml +++ b/rules/windows/malware/mal_azorult_reg.yml @@ -1,4 +1,4 @@ -title: Registy Entries For Azorult Malware +title: Registry Entries For Azorult Malware id: f7f9ab88-7557-4a69-b30e-0a8f91b3a0e7 description: Detects the presence of a registry key created during Azorult execution status: experimental 
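Review bot: The two inline comments explain that `VBS/` and `VBS_` were deliberately left out because they would also match desktop downloaders and droppers, yet the same hunk adds `Trojan.VBS`, `VBS?Agent` and `Backdoor?VBS` to the `|contains` list, which match the same class of non-webshell detections; either drop those three or extend the comment to say why they are acceptable here. `filebrowser` is also a very generic substring that will match legitimate product names in some AV signature schemes, so it deserves a comment or a falsepositives entry.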
@@ -11,14 +11,14 @@ tags: - attack.t1112 logsource: product: windows - service: sysmon + category: registry_event detection: selection: EventID: - 12 - 13 - TargetObject: - - '*SYSTEM\\*\services\localNETService' + TargetObject|contains: 'SYSTEM\' + TargetObject|endswith: '\services\localNETService' condition: selection fields: - Image diff --git a/rules/windows/malware/win_mal_blue_mockingbird.yml b/rules/windows/malware/win_mal_blue_mockingbird.yml index c40f28d76..0752d9584 100644 --- a/rules/windows/malware/win_mal_blue_mockingbird.yml +++ b/rules/windows/malware/win_mal_blue_mockingbird.yml @@ -37,9 +37,8 @@ detection: --- logsource: product: windows - service: sysmon + category: registry_event detection: mod_reg: - EventID: 13 TargetObject|endswith: - '\CurrentControlSet\Services\wercplsupport\Parameters\ServiceDll' diff --git a/rules/windows/malware/win_mal_darkside.yml b/rules/windows/malware/win_mal_darkside.yml new file mode 100644 index 000000000..26d609be4 --- /dev/null +++ b/rules/windows/malware/win_mal_darkside.yml @@ -0,0 +1,28 @@ +title: DarkSide Ransomware Pattern +id: 965fff6c-1d7e-4e25-91fd-cdccd75f7d2c +author: Florian Roth +date: 2021/05/14 +description: Detects DarkSide Ransomware and helpers +status: experimental +references: + - https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html + - https://app.any.run/tasks/8b9a571b-bcc1-4783-ba32-df4ba623b9c0/ + - https://www.joesandbox.com/analysis/411752/0/html#7048BB9A06B8F2DD9D24C77F389D7B2B58D2 +logsource: + category: process_creation + product: windows +detection: + selection1: + CommandLine|contains: + - "=[char][byte]('0x'+" + - ' -work worker0 -path ' + selection2: + ParentCommandLine|contains: + - 'DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}' + Image|contains: + - '\AppData\Local\Temp\' + condition: 1 of them +falsepositives: + - Unknown + - UAC bypass method used by other malware +level: critical 
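Review bot: After the switch to `category: registry_event` this rule keeps `EventID: [12, 13]`, while the win_mal_blue_mockingbird hunk on the same line drops its `EventID: 13` for the identical logsource change; the two should be consistent, and since registry_event already scopes the event types, the EventID list here is redundant and re-ties the rule to Sysmon event numbers. `TargetObject|contains: 'SYSTEM\'` adds little on top of `TargetObject|endswith: '\services\localNETService'` and could be dropped or tightened to `'\SYSTEM\CurrentControlSet\'` if the intent is to exclude non-live control sets.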
diff --git a/rules/windows/malware/win_mal_flowcloud.yml b/rules/windows/malware/win_mal_flowcloud.yml
index 37e315f90..95a72af54 100644
--- a/rules/windows/malware/win_mal_flowcloud.yml
+++ b/rules/windows/malware/win_mal_flowcloud.yml
@@ -11,18 +11,20 @@ tags:
 date: 2020/06/09
 logsource:
 product: windows
- service: sysmon
+ category: registry_event
 detection:
 selection:
 EventID:
 - 12 # key create
 - 13 # value set
- TargetObject:
+ selection2:
+ - TargetObject:
 - 'HKLM\HARDWARE\{804423C2-F490-4ac3-BFA5-13DEDE63A71A}'
 - 'HKLM\HARDWARE\{A5124AF5-DF23-49bf-B0ED-A18ED3DEA027}'
 - 'HKLM\HARDWARE\{2DB80286-1784-48b5-A751-B6ED1F490303}'
- - 'HKLM\SYSTEM\Setup\PrintResponsor\\*'
- condition: selection
+ - TargetObject|startswith:
+ - 'HKLM\SYSTEM\Setup\PrintResponsor\'
+ condition: selection and selection2
 falsepositives:
 - Unknown
 level: critical
diff --git a/rules/windows/malware/win_mal_lockergoga.yml b/rules/windows/malware/win_mal_lockergoga.yml
new file mode 100644
index 000000000..c22d83ab7
--- /dev/null
+++ b/rules/windows/malware/win_mal_lockergoga.yml
@@ -0,0 +1,23 @@
+title: LockerGoga Ransomware
+id: 74db3488-fd28-480a-95aa-b7af626de068
+author: Vasiliy Burov, oscd.community
+date: 2020/10/18
+description: Detects LockerGoga Ransomware command line.
+status: experimental
+references:
+ - https://medium.com/@malwaredancer/lockergoga-input-arguments-ipc-communication-and-others-bd4e5a7ba80a
+ - https://blog.f-secure.com/analysis-of-lockergoga-ransomware/
+ - https://www.carbonblack.com/blog/tau-threat-intelligence-notification-lockergoga-ransomware/
+tags:
+ - attack.impact
+ - attack.t1486
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains: '-i SM-tgytutrc -s'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: critical
diff --git a/rules/windows/malware/win_mal_octopus_scanner.yml b/rules/windows/malware/win_mal_octopus_scanner.yml
index 0c710eae5..a76955bea 100644
--- a/rules/windows/malware/win_mal_octopus_scanner.yml +++ b/rules/windows/malware/win_mal_octopus_scanner.yml @@ -11,15 +11,13 @@ author: NVISO date: 2020/06/09 logsource: product: windows - service: sysmon + category: file_event detection: - filecreate: - EventID: 11 selection: TargetFilename|endswith: - '\AppData\Local\Microsoft\Cache134.dat' - '\AppData\Local\Microsoft\ExplorerSync.db' - condition: filecreate and selection + condition: selection falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/rules/windows/malware/win_mal_ryuk.yml b/rules/windows/malware/win_mal_ryuk.yml index aa5977d23..02603871b 100644 --- a/rules/windows/malware/win_mal_ryuk.yml +++ b/rules/windows/malware/win_mal_ryuk.yml @@ -11,10 +11,15 @@ logsource: product: windows detection: selection: - CommandLine: - - '*\net.exe stop "samss" *' - - '*\net.exe stop "audioendpointbuilder" *' - - '*\net.exe stop "unistoresvc_?????" *' + Image|endswith: + - '\net.exe' + - '\net1.exe' + CommandLine|contains|all: + - 'stop' + CommandLine|contains: + - 'samss' + - 'audioendpointbuilder' + - 'unistoresvc_?????' condition: selection falsepositives: - Unlikely diff --git a/rules/windows/malware/win_mal_ursnif.yml b/rules/windows/malware/win_mal_ursnif.yml index 902d85ae3..ca934073f 100644 --- a/rules/windows/malware/win_mal_ursnif.yml +++ b/rules/windows/malware/win_mal_ursnif.yml @@ -12,11 +12,10 @@ author: megan201296 date: 2019/02/13 logsource: product: windows - service: sysmon + category: registry_event detection: selection: - EventID: 13 - TargetObject: '*\Software\AppDataLow\Software\Microsoft\\*' + TargetObject|contains: '\Software\AppDataLow\Software\Microsoft\' condition: selection falsepositives: - Unknown diff --git a/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.yml b/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.yml new file mode 100644 index 000000000..ab68f0b04 --- /dev/null 
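Review bot: In the win_mal_ryuk hunk, `CommandLine|contains|all:` with the single value `'stop'` is a no-op use of `|all` — the AND with the service names is already produced by the two keys sharing one map — so `CommandLine|contains: 'stop'` says the same thing without suggesting a multi-value intent. A bare `stop` substring is also loose (`net stop` vs. any path or argument containing the word); `' stop '` with surrounding spaces keeps the match on the verb. `'unistoresvc_?????'` still relies on the `?` single-character wildcard under `|contains`, which Sigma honours, but a short comment saying the suffix is a random per-host value would stop a future cleanup from "fixing" it.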
+++ b/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.yml
@@ -0,0 +1,26 @@
+title: Silenttrinity Stager Msbuild Activity
+id: 50e54b8d-ad73-43f8-96a1-5191685b17a4
+description: Detects a possible remote connections to Silenttrinity c2
+references:
+ - https://www.blackhillsinfosec.com/my-first-joyride-with-silenttrinity/
+tags:
+ - attack.execution
+ - attack.t1127.001
+status: experimental
+author: Kiran kumar s, oscd.community
+date: 2020/10/11
+logsource:
+ category: network_connection
+ product: windows
+detection:
+ selection:
+ ParentImage|endswith: '\msbuild.exe'
+ filter:
+ DestinationPort:
+ - '80'
+ - '443'
+ Initiated: 'true'
+ condition: selection and filter
+falsepositives:
+ - unknown
+level: high
diff --git a/rules/windows/network_connection/sysmon_dllhost_net_connections.yml b/rules/windows/network_connection/sysmon_dllhost_net_connections.yml
index 48a2a8c46..e97176154 100644
--- a/rules/windows/network_connection/sysmon_dllhost_net_connections.yml
+++ b/rules/windows/network_connection/sysmon_dllhost_net_connections.yml
@@ -18,29 +18,29 @@ logsource:
 product: windows
 detection:
 selection:
- Image: '*\dllhost.exe'
+ Image|endswith: '\dllhost.exe'
 Initiated: 'true'
 filter:
- DestinationIp:
- - '10.*'
- - '192.168.*'
- - '172.16.*'
- - '172.17.*'
- - '172.18.*'
- - '172.19.*'
- - '172.20.*'
- - '172.21.*'
- - '172.22.*'
- - '172.23.*'
- - '172.24.*'
- - '172.25.*'
- - '172.26.*'
- - '172.27.*'
- - '172.28.*'
- - '172.29.*'
- - '172.30.*'
- - '172.31.*'
- - '127.*'
+ DestinationIp|startswith:
+ - '10.'
+ - '192.168.'
+ - '172.16.'
+ - '172.17.'
+ - '172.18.'
+ - '172.19.'
+ - '172.20.'
+ - '172.21.'
+ - '172.22.'
+ - '172.23.'
+ - '172.24.'
+ - '172.25.'
+ - '172.26.'
+ - '172.27.'
+ - '172.28.'
+ - '172.29.'
+ - '172.30.'
+ - '172.31.'
+ - '127.'
 condition: selection and not filter
 falsepositives:
 - Communication to other corporate systems that use IP addresses from public address spaces
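Review bot: Sysmon network_connection events (Event ID 3) expose `Image`, not `ParentImage`, so `ParentImage|endswith: '\msbuild.exe'` will never match on this logsource and the rule is dead as written; `Image|endswith: '\msbuild.exe'` is what is needed. The selection named `filter` is used as a positive condition (`selection and filter`), the opposite of how `filter` is negated in every sibling rule on this page, so rename it (e.g. `selection_ports`) to avoid misreading. `DestinationPort` is given as quoted strings `'80'`/`'443'` while sysmon_rdp_reverse_tunnel uses a bare integer for `SourcePort`; pick one form for the directory.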
diff --git a/rules/windows/network_connection/sysmon_malware_backconnect_ports.yml b/rules/windows/network_connection/sysmon_malware_backconnect_ports.yml index a8dd264d6..6ab3c851a 100755 --- a/rules/windows/network_connection/sysmon_malware_backconnect_ports.yml +++ b/rules/windows/network_connection/sysmon_malware_backconnect_ports.yml @@ -70,28 +70,28 @@ detection: - '4040' - '9943' filter1: - Image: '*\Program Files*' + Image|contains: '\Program Files' filter2: - DestinationIp: - - '10.*' - - '192.168.*' - - '172.16.*' - - '172.17.*' - - '172.18.*' - - '172.19.*' - - '172.20.*' - - '172.21.*' - - '172.22.*' - - '172.23.*' - - '172.24.*' - - '172.25.*' - - '172.26.*' - - '172.27.*' - - '172.28.*' - - '172.29.*' - - '172.30.*' - - '172.31.*' - - '127.*' + DestinationIp|startswith: + - '10.' + - '192.168.' + - '172.16.' + - '172.17.' + - '172.18.' + - '172.19.' + - '172.20.' + - '172.21.' + - '172.22.' + - '172.23.' + - '172.24.' + - '172.25.' + - '172.26.' + - '172.27.' + - '172.28.' + - '172.29.' + - '172.30.' + - '172.31.' + - '127.' DestinationIsIpv6: 'false' condition: selection and not ( filter1 or filter2 ) falsepositives: diff --git a/rules/windows/network_connection/sysmon_notepad_network_connection.yml b/rules/windows/network_connection/sysmon_notepad_network_connection.yml index 857d1e7e5..0ab14bd51 100755 --- a/rules/windows/network_connection/sysmon_notepad_network_connection.yml +++ b/rules/windows/network_connection/sysmon_notepad_network_connection.yml @@ -18,7 +18,7 @@ date: 2020/05/14 modified: 2020/08/24 detection: selection: - Image: '*\notepad.exe' + Image|endswith: '\notepad.exe' filter: DestinationPort: '9100' condition: selection and not filter diff --git a/rules/windows/network_connection/sysmon_powershell_network_connection.yml b/rules/windows/network_connection/sysmon_powershell_network_connection.yml index 23d39f5bd..4a110b53e 100755 --- a/rules/windows/network_connection/sysmon_powershell_network_connection.yml 
+++ b/rules/windows/network_connection/sysmon_powershell_network_connection.yml @@ -16,28 +16,28 @@ logsource: product: windows detection: selection: - Image: '*\powershell.exe' + Image|endswith: '\powershell.exe' Initiated: 'true' filter: - DestinationIp: - - '10.*' - - '192.168.*' - - '172.16.*' - - '172.17.*' - - '172.18.*' - - '172.19.*' - - '172.20.*' - - '172.21.*' - - '172.22.*' - - '172.23.*' - - '172.24.*' - - '172.25.*' - - '172.26.*' - - '172.27.*' - - '172.28.*' - - '172.29.*' - - '172.30.*' - - '172.31.*' + DestinationIp|startswith: + - '10.' + - '192.168.' + - '172.16.' + - '172.17.' + - '172.18.' + - '172.19.' + - '172.20.' + - '172.21.' + - '172.22.' + - '172.23.' + - '172.24.' + - '172.25.' + - '172.26.' + - '172.27.' + - '172.28.' + - '172.29.' + - '172.30.' + - '172.31.' - '127.0.0.1' DestinationIsIpv6: 'false' User: 'NT AUTHORITY\SYSTEM' diff --git a/rules/windows/network_connection/sysmon_rdp_reverse_tunnel.yml b/rules/windows/network_connection/sysmon_rdp_reverse_tunnel.yml index 77bde60a2..b42525448 100755 --- a/rules/windows/network_connection/sysmon_rdp_reverse_tunnel.yml +++ b/rules/windows/network_connection/sysmon_rdp_reverse_tunnel.yml @@ -6,7 +6,7 @@ references: - https://twitter.com/SBousseaden/status/1096148422984384514 author: Samir Bousseaden date: 2019/02/16 -modified: 2020/08/24 +modified: 2021/05/11 tags: - attack.command_and_control - attack.t1572 @@ -19,13 +19,15 @@ logsource: product: windows detection: selection: - Image: '*\svchost.exe' + Image|endswith: '\svchost.exe' Initiated: 'true' SourcePort: 3389 - DestinationIp: - - '127.*' + selection2: + - DestinationIp|startswith: + - '127.' + - DestinationIp: - '::1' - condition: selection + condition: selection and selection2 falsepositives: - unknown level: high diff --git a/rules/windows/network_connection/sysmon_remote_powershell_session_network.yml b/rules/windows/network_connection/sysmon_remote_powershell_session_network.yml index de8934dcb..f25bc0b42 100755 
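Review bot: Under the new `DestinationIp|startswith` list the kept context entry `'127.0.0.1'` is narrower than the `'127.'` used in the dllhost, rundll32 and backconnect hunks of this commit, so a loopback destination such as 127.0.0.2 would pass the filter here but not there; `- '127.'` aligns the rule with its siblings and covers the whole loopback range. `Image|endswith: '\powershell.exe'` also leaves PowerShell 7's `pwsh.exe` out of scope, which is a coverage gap rather than a regression, but the rewrite was the moment to add it as a second list entry.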
--- a/rules/windows/network_connection/sysmon_remote_powershell_session_network.yml +++ b/rules/windows/network_connection/sysmon_remote_powershell_session_network.yml @@ -6,7 +6,7 @@ date: 2019/09/12 modified: 2020/08/24 author: Roberto Rodriguez @Cyb3rWard0g references: - - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md + - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html tags: - attack.execution - attack.t1059.001 diff --git a/rules/windows/network_connection/sysmon_rundll32_net_connections.yml b/rules/windows/network_connection/sysmon_rundll32_net_connections.yml index 3766fc091..75920a653 100755 --- a/rules/windows/network_connection/sysmon_rundll32_net_connections.yml +++ b/rules/windows/network_connection/sysmon_rundll32_net_connections.yml @@ -17,29 +17,29 @@ logsource: product: windows detection: selection: - Image: '*\rundll32.exe' + Image|endswith: '\rundll32.exe' Initiated: 'true' filter: - DestinationIp: - - '10.*' - - '192.168.*' - - '172.16.*' - - '172.17.*' - - '172.18.*' - - '172.19.*' - - '172.20.*' - - '172.21.*' - - '172.22.*' - - '172.23.*' - - '172.24.*' - - '172.25.*' - - '172.26.*' - - '172.27.*' - - '172.28.*' - - '172.29.*' - - '172.30.*' - - '172.31.*' - - '127.*' + DestinationIp|startswith: + - '10.' + - '192.168.' + - '172.16.' + - '172.17.' + - '172.18.' + - '172.19.' + - '172.20.' + - '172.21.' + - '172.22.' + - '172.23.' + - '172.24.' + - '172.25.' + - '172.26.' + - '172.27.' + - '172.28.' + - '172.29.' + - '172.30.' + - '172.31.' + - '127.' condition: selection and not filter falsepositives: - Communication to other corporate systems that use IP addresses from public address spaces diff --git a/rules/windows/network_connection/sysmon_susp_prog_location_network_connection.yml b/rules/windows/network_connection/sysmon_susp_prog_location_network_connection.yml index 9b152411f..b8c4544dc 100755 
--- a/rules/windows/network_connection/sysmon_susp_prog_location_network_connection.yml +++ b/rules/windows/network_connection/sysmon_susp_prog_location_network_connection.yml @@ -12,19 +12,21 @@ logsource: definition: 'Use the following config to generate the necessary Event ID 3 Network Connection events' detection: selection: - Image: - # - '*\ProgramData\\*' # too many false positives, e.g. with Webex for Windows - - '*\$Recycle.bin' - - '*\Users\All Users\\*' - - '*\Users\Default\\*' - - '*\Users\Public\\*' - - '*\Users\Contacts\\*' - - '*\Users\Searches\\*' - - 'C:\Perflogs\\*' - - '*\config\systemprofile\\*' - - '*\Windows\Fonts\\*' - - '*\Windows\IME\\*' - - '*\Windows\addins\\*' + - Image|contains: + # - '\ProgramData\\' # too many false positives, e.g. with Webex for Windows + - '\Users\All Users\' + - '\Users\Default\' + - '\Users\Public\' + - '\Users\Contacts\' + - '\Users\Searches\' + - '\config\systemprofile\' + - '\Windows\Fonts\' + - '\Windows\IME\' + - '\Windows\addins\' + - Image|endswith: + - '\$Recycle.bin' + - Image|startswith: + - 'C:\Perflogs\' condition: selection falsepositives: - unknown diff --git a/rules/windows/network_connection/sysmon_susp_rdp.yml b/rules/windows/network_connection/sysmon_susp_rdp.yml index 8955b940f..e12fde626 100755 --- a/rules/windows/network_connection/sysmon_susp_rdp.yml +++ b/rules/windows/network_connection/sysmon_susp_rdp.yml 
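Review bot: `Image|endswith: '\$Recycle.bin'` can only match a process whose image path ends in the folder name itself, so it never fires for a binary placed inside the recycle-bin directory, which is the case the rule is after; `Image|contains: '\$Recycle.bin\'` in the first list would. The old `'*\$Recycle.bin'` had the same defect, so this is not a regression, but the operator rewrite was the moment to fix it. The commented-out `# - '\ProgramData\\'` entry keeps a doubled trailing backslash from the old wildcard syntax; if it is ever re-enabled under `|contains` it should read `'\ProgramData\'` like the neighbouring entries.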
@@ -20,26 +20,26 @@ detection: DestinationPort: 3389 Initiated: 'true' filter: - Image: - - '*\mstsc.exe' - - '*\RTSApp.exe' - - '*\RTS2App.exe' - - '*\RDCMan.exe' - - '*\ws_TunnelService.exe' - - '*\RSSensor.exe' - - '*\RemoteDesktopManagerFree.exe' - - '*\RemoteDesktopManager.exe' - - '*\RemoteDesktopManager64.exe' - - '*\mRemoteNG.exe' - - '*\mRemote.exe' - - '*\Terminals.exe' - - '*\spiceworks-finder.exe' - - '*\FSDiscovery.exe' - - '*\FSAssessment.exe' - - '*\MobaRTE.exe' - - '*\chrome.exe' - - '*\thor.exe' - - '*\thor64.exe' + Image|endswith: + - '\mstsc.exe' + - '\RTSApp.exe' + - '\RTS2App.exe' + - '\RDCMan.exe' + - '\ws_TunnelService.exe' + - '\RSSensor.exe' + - '\RemoteDesktopManagerFree.exe' + - '\RemoteDesktopManager.exe' + - '\RemoteDesktopManager64.exe' + - '\mRemoteNG.exe' + - '\mRemote.exe' + - '\Terminals.exe' + - '\spiceworks-finder.exe' + - '\FSDiscovery.exe' + - '\FSAssessment.exe' + - '\MobaRTE.exe' + - '\chrome.exe' + - '\thor.exe' + - '\thor64.exe' condition: selection and not filter falsepositives: - Other Remote Desktop RDP tools diff --git a/rules/windows/network_connection/sysmon_win_binary_github_com.yml b/rules/windows/network_connection/sysmon_win_binary_github_com.yml index 1d197ab93..a63c8b1e0 100755 --- a/rules/windows/network_connection/sysmon_win_binary_github_com.yml +++ b/rules/windows/network_connection/sysmon_win_binary_github_com.yml @@ -21,10 +21,10 @@ logsource: detection: selection: Initiated: 'true' - DestinationHostname: - - '*.github.com' - - '*.githubusercontent.com' - Image: 'C:\Windows\\*' + DestinationHostname|endswith: + - '.github.com' + - '.githubusercontent.com' + Image|startswith: 'C:\Windows\' condition: selection falsepositives: - 'Unknown' diff --git a/rules/windows/network_connection/sysmon_win_binary_susp_com.yml b/rules/windows/network_connection/sysmon_win_binary_susp_com.yml index 6e324b9cb..4422fc1e5 100755 --- a/rules/windows/network_connection/sysmon_win_binary_susp_com.yml 
+++ b/rules/windows/network_connection/sysmon_win_binary_susp_com.yml @@ -16,11 +16,11 @@ logsource: detection: selection: Initiated: 'true' - DestinationHostname: - - '*dl.dropboxusercontent.com' - - '*.pastebin.com' - - '*.githubusercontent.com' # includes both gists and github repositories - Image: 'C:\Windows\\*' + DestinationHostname|endswith: + - 'dl.dropboxusercontent.com' + - '.pastebin.com' + - '.githubusercontent.com' # includes both gists and github repositories + Image|startswith: 'C:\Windows\' condition: selection falsepositives: - 'Unknown' diff --git a/rules/windows/network_connection/sysmon_wuauclt_network_connection.yml b/rules/windows/network_connection/sysmon_wuauclt_network_connection.yml new file mode 100644 index 000000000..5407c0a6d --- /dev/null +++ b/rules/windows/network_connection/sysmon_wuauclt_network_connection.yml @@ -0,0 +1,21 @@ +title: Wuauclt Network Connection +id: c649a6c7-cd8c-4a78-9c04-000fc76df954 +description: Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making a network connections. One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule. +status: experimental +date: 2020/10/12 +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +tags: + - attack.defense_evasion + - attack.t1218 +references: + - https://dtm.uk/wuauclt/ +logsource: + category: network_connection + product: windows +detection: + selection: + Image|contains: wuauclt + condition: selection +falsepositives: + - Legitimate use of wuauclt.exe over the network. +level: medium diff --git a/rules/windows/other/win_defender_disabled.yml b/rules/windows/other/win_defender_disabled.yml index e96a28233..6b0a4d4e3 100644 --- a/rules/windows/other/win_defender_disabled.yml +++ b/rules/windows/other/win_defender_disabled.yml 
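Review bot: In the wuauclt hunk, `Image|contains: wuauclt` matches any image path containing that substring — a directory named after it, or any `wuauclt_*.exe` dropped elsewhere — while every sibling rule in this directory anchors the binary with `Image|endswith: '\wuauclt.exe'`; use the same form here for precision and consistency. The unquoted scalar also departs from the quoting convention used for every other `Image` value on this page. The description already notes that a spawned child process would evade the rule; a falsepositives entry naming the normal Windows Update traffic pattern (wuauclt.exe reaching Microsoft update endpoints) would help operators tune it.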
@@ -1,15 +1,22 @@ +action: global title: Windows Defender Threat Detection Disabled id: fe34868f-6e0e-4882-81f6-c43aa8f15b62 description: Detects disabling Windows Defender threat protection date: 2020/07/28 -author: Ján Trenčanský +modified: 2021/06/07 +author: Ján Trenčanský, frack113 references: - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md status: stable tags: - attack.defense_evasion - attack.t1089 # an old one - attack.t1562.001 +falsepositives: + - Administrator actions +level: high +--- logsource: product: windows service: windefend @@ -27,6 +34,13 @@ detection: - HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Details: 'DWORD (0x00000001)' condition: 1 of them -falsepositives: - - Administrator actions -level: high +--- +logsource: + product: windows + category: registry_event +detection: + tamper_registry: + EventType: 'SetValue' + TargetObject: 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware' + Details: 'DWORD (0x00000001)' + condition: tamper_registry diff --git a/rules/windows/other/win_defender_history_delete.yml b/rules/windows/other/win_defender_history_delete.yml index cbdaac309..21f32acef 100644 --- a/rules/windows/other/win_defender_history_delete.yml +++ b/rules/windows/other/win_defender_history_delete.yml @@ -6,12 +6,13 @@ author: Cian Heasley references: - https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus date: 2020/08/13 +modified: 2021/05/30 tags: - attack.defense_evasion - attack.t1070.001 logsource: - category: windows - product: windef + product: windows + service: windefend detection: selection: EventID: 1013 
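Review bot: The new registry_event section in win_defender_disabled.yml keys on the exact `TargetObject` under `HKLM\SOFTWARE\Policies\Microsoft\Windows Defender`, while the windefend section visible as context writes the same policy path as `HKEY_LOCAL_MACHINE\...`; the two notations presumably differ by log source, but a comment would stop someone from "harmonising" them. If the non-policy location of the same value (under `HKLM\SOFTWARE\Microsoft\Windows Defender`) is also in scope, `TargetObject|endswith: '\Windows Defender\DisableAntiSpyware'` covers both with one entry; I cannot tell from the hunk whether that was considered. The rest of the windefend section lies outside the hunk.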
diff --git a/rules/windows/other/win_exchange_TransportAgent_failed.yml b/rules/windows/other/win_exchange_TransportAgent_failed.yml new file mode 100644 index 000000000..9cad0aeae --- /dev/null +++ b/rules/windows/other/win_exchange_TransportAgent_failed.yml @@ -0,0 +1,24 @@ +title: Failed MSExchange Transport Agent Installation +id: c7d16cae-aaf3-42e5-9c1c-fb8553faa6fa +status: experimental +description: Detects a failed installation of a Exchange Transport Agent +references: + - https://twitter.com/blueteamsec1/status/1401290874202382336?s=20 +tags: + - attack.persistence + - attack.t1505.002 +author: Tobias Michalski +date: 2021/06/08 +logsource: + service: msexchange-management + product: windows +detection: + selection: + Message|contains: 'Install-TransportAgent' + EventID: 6 + condition: selection +fields: + - AssemblyPath +falsepositives: + - legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this. +level: high diff --git a/rules/windows/other/win_lateral_movement_condrv.yml b/rules/windows/other/win_lateral_movement_condrv.yml new file mode 100644 index 000000000..737133055 --- /dev/null +++ b/rules/windows/other/win_lateral_movement_condrv.yml 
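Review bot: Wording in the new win_exchange_TransportAgent_failed.yml: `description: Detects a failed installation of a Exchange Transport Agent` should read `an Exchange Transport Agent`, and the falsepositives entry starts lower-case (`legitimate installations ...`) unlike the other rules in this commit. The `fields: - AssemblyPath` hint is useful; saying in the description that the rule fires only on the failed run (EventID 6 with `Install-TransportAgent`) and that a successful installation is out of scope would keep a reader from assuming broader coverage.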
@@ -0,0 +1,28 @@ +title: Lateral Movement Indicator ConDrv +id: 29d31aee-30f4-4006-85a9-a4a02d65306c +status: stable +description: This event was observed on the target host during lateral movement. The process name within the event contains the process spawned post compromise. Account Name within the event contains the compromised user account name. This event should to be correlated with 4624 and 4688 for further intrusion context. +author: Janantha Marasinghe +date: 2021/04/27 +references: + - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/wmiexec-vbs.htm + - https://www.fireeye.com/blog/threat-research/2017/08/monitoring-windows-console-activity-part-one.html +tags: + - attack.lateral_movement + - attack.execution + - attack.t1021 + - attack.t1059 +logsource: + product: windows + service: security + definition: +detection: + selection: + EventID: 4674 + ObjectServer: 'Security' + ObjectType: 'File' + ObjectName: '\Device\ConDrv' + condition: selection +falsepositives: + - Penetration tests where lateral movement has occured. This event will be created on the target host. +level: high diff --git a/rules/windows/other/win_ldap_recon.yml b/rules/windows/other/win_ldap_recon.yml new file mode 100644 index 000000000..ee8ff3db5 --- /dev/null +++ b/rules/windows/other/win_ldap_recon.yml 
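Review bot: `definition:` under `logsource` in the new win_lateral_movement_condrv.yml is an empty key, which yields a null value rather than the text a reader expects; either remove it or state the audit requirement, e.g. `definition: 'Requires Privilege Use auditing so that Event ID 4674 is logged'`. Two typos in the same file: `This event should to be correlated` → `should be correlated`, and `occured` → `occurred` in falsepositives. Marking the rule `status: stable` while listing only penetration tests as false positives is optimistic for a 4674 event on `\Device\ConDrv`; presumably it was validated on production data, but a sentence on observed volume would help adopters.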
@@ -0,0 +1,76 @@ +title: LDAP Reconnaissance / Active Directory Enumeration +id: 31d68132-4038-47c7-8f8e-635a39a7c174 +status: experimental +description: Detects possible Active Directory enumeration via LDAP +author: Adeem Mawani +date: 2021/06/22 +references: + - https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726 + - https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1 + - https://github.com/BloodHoundAD/SharpHound3/blob/master/SharpHound3/LdapBuilder.cs +logsource: + category: ldap_query + product: windows + definition: 'Requires Microsoft-Windows-LDAP-Client/Debug ETW logging' +detection: + generic_search: + EventID: 30 + SearchFilter|contains: + - '(groupType:1.2.840.113556.1.4.803:=2147483648)' + - '(groupType:1.2.840.113556.1.4.803:=2147483656)' + - '(groupType:1.2.840.113556.1.4.803:=2147483652)' + - '(groupType:1.2.840.113556.1.4.803:=2147483650)' + - '(sAMAccountType=805306369)' + - '(sAMAccountType=805306368)' + - '(sAMAccountType=536870913)' + - '(sAMAccountType=536870912)' + - '(sAMAccountType=268435457)' + - '(sAMAccountType=268435456)' + - '(objectCategory=groupPolicyContainer)' + - '(objectCategory=organizationalUnit)' + - '(objectCategory=Computer)' + - '(objectCategory=nTDSDSA)' + - '(objectCategory=server)' + - '(objectCategory=domain)' + - '(objectCategory=person)' + - '(objectCategory=group)' + - '(objectCategory=user)' + - '(objectClass=trustedDomain)' + - '(objectClass=computer)' + - '(objectClass=server)' + - '(objectClass=group)' + - '(objectClass=user)' + - '(primaryGroupID=521)' + - '(primaryGroupID=516)' + - '(primaryGroupID=515)' + - '(primaryGroupID=512)' + - 'Domain Admins' + suspicious_flag: + EventID: 30 + SearchFilter|contains: + - '(userAccountControl:1.2.840.113556.1.4.803:=4194304)' + - '(userAccountControl:1.2.840.113556.1.4.803:=2097152)' + - '!(userAccountControl:1.2.840.113556.1.4.803:=1048574)' + - 
'(userAccountControl:1.2.840.113556.1.4.803:=524288)' + - '(userAccountControl:1.2.840.113556.1.4.803:=65536)' + - '(userAccountControl:1.2.840.113556.1.4.803:=8192)' + - '(userAccountControl:1.2.840.113556.1.4.803:=544)' + - '!(UserAccountControl:1.2.840.113556.1.4.803:=2)' + - 'msDS-AllowedToActOnBehalfOfOtherIdentity' + - 'msDS-AllowedToDelegateTo' + - '(accountExpires=9223372036854775807)' + - '(accountExpires=0)' + - '(adminCount=1)' + - 'ms-MCS-AdmPwd' + narrow_down_filter: + EventID: 30 + SearchFilter|contains: + - '(domainSid=*)' + - '(objectSid=*)' + condition: (generic_search and not narrow_down_filter) or (suspicious_flag) +level: medium +tags: + - attack.discovery + - attack.t1069.002 + - attack.t1087.002 + - attack.t1482 diff --git a/rules/windows/other/win_pcap_drivers.yml b/rules/windows/other/win_pcap_drivers.yml index c24d04104..eac2c43d1 100644 --- a/rules/windows/other/win_pcap_drivers.yml +++ b/rules/windows/other/win_pcap_drivers.yml @@ -12,20 +12,20 @@ tags: - attack.t1040 logsource: product: windows - service: system + service: security detection: selection: EventID: 4697 - ServiceFileName: - - '*pcap*' - - '*npcap*' - - '*npf*' - - '*nm3*' - - '*ndiscap*' - - '*nmnt*' - - '*windivert*' - - '*USBPcap*' - - '*pktmon*' + ServiceFileName|contains: + - 'pcap' + - 'npcap' + - 'npf' + - 'nm3' + - 'ndiscap' + - 'nmnt' + - 'windivert' + - 'USBPcap' + - 'pktmon' condition: selection fields: - EventID diff --git a/rules/windows/other/win_possible_zerologon_exploitation_using_wellknown_tools.yml b/rules/windows/other/win_possible_zerologon_exploitation_using_wellknown_tools.yml new file mode 100644 index 000000000..df5118234 --- /dev/null +++ b/rules/windows/other/win_possible_zerologon_exploitation_using_wellknown_tools.yml 
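Review bot: In suspicious_flag of the new win_ldap_recon.yml, `'!(userAccountControl:1.2.840.113556.1.4.803:=1048574)'` uses a value that is not a single userAccountControl bit (NOT_DELEGATED is 1048576); if it is copied verbatim from the referenced PowerView filter it is a deliberate tool signature, but it deserves a trailing comment such as `# as emitted by PowerView; 1048574 is not a valid UAC bit` so it is not "corrected" later. Several generic_search entries (`(objectCategory=user)`, `(objectClass=computer)`, `(objectCategory=person)`) are issued by ordinary directory-aware applications, so even with narrow_down_filter this section will be noisy at `level: medium`; the Debug-level ETW logsource presumably limits where it runs, and the description could say so. The `*` in `'(domainSid=*)'` and `'(objectSid=*)'` is a Sigma wildcard, which fits the intended "any specific SID" exclusion, though a comment would make clear it is not meant literally.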
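Review bot: With `ServiceFileName|contains` in win_pcap_drivers.yml, the `npcap` and `USBPcap` entries are subsumed by `pcap` (Sigma string matching is case-insensitive), and `npf`, `nm3` and `nmnt` are short enough to occur in unrelated service paths; the old wildcard list had the same property, so this is pre-existing looseness rather than a regression. The move to `service: security` matches where 4697 is logged. Consider dropping the redundant entries or noting that the short tokens are intentional driver file-name stems.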
@@ -0,0 +1,28 @@ +title: Zerologon Exploitation Using Well-known Tools +id: 18f37338-b9bd-4117-a039-280c81f7a596 +status: stable +description: This rule is designed to detect attempts to exploit Zerologon (CVE-2020-1472) vulnerability using mimikatz zerologon module or other exploits from machine with "kali" hostname. +references: + - https://www.secura.com/blog/zero-logon + - https://bi-zone.medium.com/hunting-for-zerologon-f65c61586382 +author: 'Demyan Sokolin @_drd0c, Teymur Kheirkhabarov @HeirhabarovT, oscd.community' +date: 2020/10/13 +modified: 2021/05/30 +tags: + - attack.t1210 + - attack.lateral_movement +logsource: + service: system + product: windows +detection: + selection: + - EventID: '5805' + Message|contains: + - kali + - mimikatz + - EventID: '5723' + Message|contains: + - kali + - mimikatz + condition: selection +level: critical diff --git a/rules/windows/other/win_tool_psexec.yml b/rules/windows/other/win_tool_psexec.yml index 211766129..3dee48d03 100644 --- a/rules/windows/other/win_tool_psexec.yml +++ b/rules/windows/other/win_tool_psexec.yml @@ -5,7 +5,7 @@ status: experimental description: Detects PsExec service installation and execution events (service and Sysmon) author: Thomas Patzke date: 2017/06/12 -modified: 2020/08/23 +modified: 2021/05/16 references: - https://www.jpcert.or.jp/english/pub/sr/ir_research.html - https://jpcertcc.github.io/ToolAnalysisResultSheet @@ -22,6 +22,8 @@ fields: - ParentCommandLine - ServiceName - ServiceFileName + - TargetFileName + - PipeName falsepositives: - unknown level: low @@ -33,7 +35,7 @@ detection: service_installation: EventID: 7045 ServiceName: 'PSEXESVC' - ServiceFileName: '*\PSEXESVC.exe' + ServiceFileName|endswith: '\PSEXESVC.exe' service_execution: EventID: 7036 ServiceName: 'PSEXESVC' 
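Review bot: `EventID: '5805'` and `'5723'` in the new win_possible_zerologon_exploitation_using_wellknown_tools.yml are quoted strings, whereas every other rule in this commit writes EventID as an integer; backends that compare typed values may treat the two differently, so `EventID: 5805` keeps the rule consistent. `Message|contains: kali` matches any computer name containing that substring, which is what the description announces, but the file has no `falsepositives` section at all, and at `level: critical` a line naming hosts whose name happens to contain the token would help triage.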
@@ -43,5 +45,19 @@ logsource: product: windows detection: sysmon_processcreation: - Image: '*\PSEXESVC.exe' + Image|endswith: '\PSEXESVC.exe' User: 'NT AUTHORITY\SYSTEM' +--- +logsource: + category: pipe_created + product: windows +detection: + sysmon_pipecreated: + PipeName: '\PSEXESVC' +--- +logsource: + category: file_event + product: windows +detection: + sysmon_filecreation: + TargetFileName|endswith: '\PSEXESVC.exe' diff --git a/rules/windows/other/win_wmi_persistence.yml b/rules/windows/other/win_wmi_persistence.yml index dbb17a226..bf8e8a0f7 100644 --- a/rules/windows/other/win_wmi_persistence.yml +++ b/rules/windows/other/win_wmi_persistence.yml @@ -1,10 +1,11 @@ +action: global title: WMI Persistence id: 0b7889b4-5577-4521-a60a-3376ee7f9f7b status: experimental -description: Detects suspicious WMI event filter and command line event consumer based on event id 5861 and 5859 (Windows 10, 2012 and higher) -author: Florian Roth +description: Detects suspicious WMI event filter and command line event consumer based on WMI and Security Logs. +author: Florian Roth, Gleb Sukhodolskiy, Timur Zinniatullin oscd.community date: 2017/08/22 -modified: 2020/08/23 +modified: 2020/10/13 references: - https://twitter.com/mattifestation/status/899646620148539397 - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/ 
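Review bot: The new pipe_created section in win_tool_psexec.yml matches `PipeName: '\PSEXESVC'` exactly, which covers the control pipe but not per-session pipes that start with `\PSEXESVC-` if those exist in the deployer's data; `PipeName|startswith: '\PSEXESVC'` would cover both and matches the startswith style of the other pipe rules in this commit. Neither new section carries a `condition`, which is fine for a multi-document rule only if the global document's condition names `sysmon_pipecreated` and `sysmon_filecreation` or uses `1 of them`; that part of the file is outside the hunk, so please confirm.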
@@ -13,21 +14,32 @@ tags: - attack.privilege_escalation - attack.t1084 # an old one - attack.t1546.003 -logsource: - product: windows - service: wmi -detection: - selection: - EventID: 5861 - keywords: - Message: - - '*ActiveScriptEventConsumer*' - - '*CommandLineEventConsumer*' - - '*CommandLineTemplate*' - # - 'Binding EventFilter' # too many false positive with HP Health Driver - selection2: - EventID: 5859 - condition: selection and 1 of keywords or selection2 falsepositives: - Unknown (data set is too small; further testing needed) level: medium +--- +logsource: + product: windows + service: wmi #native windows detection + definition: 'WMI Namespaces Auditing and SACL should be configured, EventID 5861 and 5859 detection requires Windows 10, 2012 and higher' +detection: + wmi_filter_to_consumer_binding: + EventID: 5861 + Message|contains: + - 'ActiveScriptEventConsumer' + - 'CommandLineEventConsumer' + - 'CommandLineTemplate' + # - 'Binding EventFilter' # too many false positive with HP Health Driver + wmi_filter_registration: + EventID: 5859 + condition: (wmi_filter_to_consumer_binding) OR (wmi_filter_registration) +--- +logsource: + product: windows + service: security +detection: + wmi_subscription: + EventID: 4662 + ObjectType: 'WMI Namespace' + ObjectName|contains: 'subscription' + condition: wmi_subscription \ No newline at end of file diff --git a/rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml b/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml similarity index 80% rename from rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml rename to rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml index 4e064bc8e..742aaae95 100644 --- a/rules/windows/sysmon/sysmon_alternate_powershell_hosts_pipe.yml +++ b/rules/windows/pipe_created/sysmon_alternate_powershell_hosts_pipe.yml 
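Review bot: `condition: (wmi_filter_to_consumer_binding) OR (wmi_filter_registration)` in the wmi document of win_wmi_persistence.yml uses an upper-case `OR`; every other condition in this commit is lower-case and not every condition parser is case-insensitive, so `condition: wmi_filter_to_consumer_binding or wmi_filter_registration` is the safe spelling. The new security-log document matches any 4662 on a `WMI Namespace` object whose name contains `subscription` with no restriction on the access requested, so read-only enumeration of that namespace by monitoring agents matches too; if an access-mask field is available from the SACL setup the definition text mentions, limiting it to write accesses would sharpen this. The file also lost its trailing newline (`\ No newline at end of file`).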
@@ -6,17 +6,16 @@ date: 2019/09/12 modified: 2019/11/10 author: Roberto Rodriguez @Cyb3rWard0g references: - - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md + - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html tags: - attack.execution - attack.t1086 # an old one - attack.t1059.001 logsource: product: windows - service: sysmon + category: pipe_created detection: selection: - EventID: 17 PipeName|startswith: '\PSHost' filter: Image|endswith: diff --git a/rules/windows/sysmon/sysmon_apt_turla_namedpipes.yml b/rules/windows/pipe_created/sysmon_apt_turla_namedpipes.yml similarity index 92% rename from rules/windows/sysmon/sysmon_apt_turla_namedpipes.yml rename to rules/windows/pipe_created/sysmon_apt_turla_namedpipes.yml index f3c3f24cf..313d3435a 100755 --- a/rules/windows/sysmon/sysmon_apt_turla_namedpipes.yml +++ b/rules/windows/pipe_created/sysmon_apt_turla_namedpipes.yml @@ -10,13 +10,10 @@ tags: author: Markus Neis logsource: product: windows - service: sysmon + category: pipe_created definition: 'Note that you have to configure logging for PipeEvents in Symson config' detection: selection: - EventID: - - 17 - - 18 PipeName: - '\atctl' # https://www.virustotal.com/#/file/a4ddb2664a6c87a1d3c5da5a5a32a5df9a0b0c8f2e951811bd1ec1d44d42ccf1/detection - '\userpipe' # ruag apt case @@ -26,6 +23,6 @@ detection: # - '\rpc' # may cause too many false positives : http://kb.palisade.com/index.php?pg=kb.page&id=483 condition: selection falsepositives: - - Unkown + - Unknown level: critical diff --git a/rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml b/rules/windows/pipe_created/sysmon_cred_dump_tools_named_pipes.yml similarity index 95% rename from rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml rename to rules/windows/pipe_created/sysmon_cred_dump_tools_named_pipes.yml index 393aa87b3..ad56fd69a 100644 
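Review bot: The context line `definition: 'Note that you have to configure logging for PipeEvents in Symson config'` in sysmon_apt_turla_namedpipes.yml still carries the `Symson` typo that this same commit fixes in sysmon_mal_namedpipes.yml, and the new sysmon_psexec_pipes_artifacts.yml repeats it. `definition: 'Note that you have to configure logging for PipeEvents in Sysmon config'` in both keeps the three rules consistent.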
--- a/rules/windows/sysmon/sysmon_cred_dump_tools_named_pipes.yml +++ b/rules/windows/pipe_created/sysmon_cred_dump_tools_named_pipes.yml @@ -15,10 +15,9 @@ tags: - attack.t1003.005 logsource: product: windows - service: sysmon + category: pipe_created detection: selection: - EventID: 17 PipeName|contains: - '\lsadump' - '\cachedump' diff --git a/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml b/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml new file mode 100644 index 000000000..3075d846d --- /dev/null +++ b/rules/windows/pipe_created/sysmon_mal_cobaltstrike.yml @@ -0,0 +1,36 @@ +title: CobaltStrike Named Pipe +id: d5601f8c-b26f-4ab0-9035-69e11a8d4ad2 +status: experimental +description: Detects the creation of a named pipe as used by CobaltStrike +references: + - https://twitter.com/d4rksystem/status/1357010969264873472 + - https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis/ + - https://github.com/Neo23x0/sigma/issues/253 + - https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/ +date: 2021/05/25 +author: Florian Roth, Wojciech Lesicki +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1055 +logsource: + product: windows + category: pipe_created + definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). In the current popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config) this is not there, you have to add it yourself.' +detection: + selection_MSSE: + PipeName|contains|all: + - '\MSSE-' + - '-server' + selection_postex: + PipeName|startswith: '\postex_' + selection_postex_ssh: + PipeName|startswith: '\postex_ssh_' + selection_status: + PipeName|startswith: '\status_' + selection_msagent: + PipeName|startswith: '\msagent_' + condition: 1 of them +falsepositives: + - Unknown +level: critical 
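Review bot: In the new sysmon_mal_cobaltstrike.yml, `selection_postex_ssh: PipeName|startswith: '\postex_ssh_'` is entirely contained in `selection_postex: PipeName|startswith: '\postex_'`, so under `condition: 1 of them` it never changes the outcome; drop it, or keep it with a comment that it exists only to label which variant fired. `selection_MSSE` uses `contains|all` for `\MSSE-` and `-server`, so the order of the two fragments is not enforced; if the expected shape is always `\MSSE-...-server`, a `startswith`/`endswith` pair would be tighter.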
diff --git a/rules/windows/sysmon/sysmon_mal_namedpipes.yml b/rules/windows/pipe_created/sysmon_mal_namedpipes.yml similarity index 74% rename from rules/windows/sysmon/sysmon_mal_namedpipes.yml rename to rules/windows/pipe_created/sysmon_mal_namedpipes.yml index 7a5f81216..e425bf51b 100644 --- a/rules/windows/sysmon/sysmon_mal_namedpipes.yml +++ b/rules/windows/pipe_created/sysmon_mal_namedpipes.yml @@ -5,16 +5,13 @@ description: Detects the creation of a named pipe used by known APT malware references: - Various sources date: 2017/11/06 -author: Florian Roth +author: Florian Roth, blueteam0ps logsource: product: windows - service: sysmon - definition: 'Note that you have to configure logging for PipeEvents in Symson config' + category: pipe_created + definition: 'Note that you have to configure logging for PipeEvents in Sysmon config' detection: selection: - EventID: - - 17 - - 18 PipeName: - '\isapi_http' # Uroburos Malware Named Pipe - '\isapi_dg' # Uroburos Malware Named Pipe 
@@ -29,14 +26,19 @@ detection: - '\rpchlp_3' # Project Sauron https://goo.gl/eFoP4A - Technical Analysis Input - '\NamePipe_MoreWindows' # Cloud Hopper Annex B https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf, US-CERT Alert - RedLeaves https://www.us-cert.gov/ncas/alerts/TA17-117A - '\pcheap_reuse' # Pipe used by Equation Group malware 77486bb828dba77099785feda0ca1d4f33ad0d39b672190079c508b3feb21fb0 - - '\msagent_*' # CS default named pipes https://github.com/Neo23x0/sigma/issues/253 - '\gruntsvc' # Covenant default named pipe # - '\status_*' # CS default named pipes https://github.com/Neo23x0/sigma/issues/253 + - '\583da945-62af-10e8-4902-a8f205c72b2e' # SolarWinds SUNBURST malware report https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html + - '\bizkaz' # Snatch Ransomware https://thedfirreport.com/2020/06/21/snatch-ransomware/ + - '\svcctl' #Crackmapexec smbexec default named pipe + - '\Posh*' #PoshC2 default + - '\jaccdpqnvbrrxlaf' #PoshC2 default + - '\csexecsvc' #CSEXEC default condition: selection tags: - attack.defense_evasion - attack.privilege_escalation - attack.t1055 falsepositives: - - Unkown + - Unknown level: critical diff --git a/rules/windows/pipe_created/sysmon_powershell_execution_pipe.yml b/rules/windows/pipe_created/sysmon_powershell_execution_pipe.yml new file mode 100644 index 000000000..0546b2cdc --- /dev/null +++ b/rules/windows/pipe_created/sysmon_powershell_execution_pipe.yml 
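Review bot: `'\svcctl' #Crackmapexec smbexec default named pipe` in sysmon_mal_namedpipes.yml names the standard Service Control Manager RPC endpoint pipe, which any remote service-management client (sc.exe, services.msc, management agents) connects to; at `level: critical` this entry will fire far outside smbexec use, so it belongs in a separate lower-level rule or needs a comment explaining the trade-off. `'\Posh*'` relies on a trailing `*` being treated as a wildcard in a plain match, which Sigma does, but it is the only wildcard left in the list after this commit's move to modifiers elsewhere, so a `PipeName|startswith: '\Posh'` selection would be more uniform.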
@@ -0,0 +1,21 @@ +title: T1086 PowerShell Execution +id: ac7102b4-9e1e-4802-9b4f-17c5524c015c +description: Detects execution of PowerShell +status: experimental +date: 2019/09/12 +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +tags: + - attack.execution + - attack.t1059.001 +references: + - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html +logsource: + product: windows + category: pipe_created +detection: + selection: + PipeName|startswith: '\PSHost' + condition: selection +falsepositives: + - Unknown +level: informational diff --git a/rules/windows/pipe_created/sysmon_psexec_pipes_artifacts.yml b/rules/windows/pipe_created/sysmon_psexec_pipes_artifacts.yml new file mode 100644 index 000000000..258a0a1d9 --- /dev/null +++ b/rules/windows/pipe_created/sysmon_psexec_pipes_artifacts.yml @@ -0,0 +1,26 @@ +title: PsExec Pipes Artifacts +id: 9e77ed63-2ecf-4c7b-b09d-640834882028 +status: experimental +description: Detecting use PsExec via Pipe Creation/Access to pipes +author: Nikita Nazarov, oscd.community +date: 2020/05/10 +references: + - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view +tags: + - attack.lateral_movement + - attack.t1021.002 +logsource: + product: windows + category: pipe_created + definition: 'Note that you have to configure logging for PipeEvents in Symson config' +detection: + selection: + PipeName|startswith: + - 'psexec' + - 'paexec' + - 'remcom' + - 'csexec' + condition: selection +falsepositives: + - Legitimate Administrator activity +level: medium diff --git a/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml b/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml new file mode 100644 index 000000000..4189204e1 --- /dev/null +++ b/rules/windows/powershell/powershell_CL_Invocation_LOLScript.yml 
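Review bot: The new sysmon_powershell_execution_pipe.yml matches `PipeName|startswith: '\PSHost'`, which is exactly the selection of sysmon_alternate_powershell_hosts_pipe.yml in this commit minus that rule's filter, so every hit of the alternate-hosts rule also triggers this one; if a baseline informational signal is intended that is fine, but the description (`Detects execution of PowerShell`) should say it fires for all PowerShell hosts including powershell.exe itself. The title `T1086 PowerShell Execution` names the retired technique id while the tag is `attack.t1059.001`; dropping the id from the title avoids the mismatch.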
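Review bot: The `PipeName|startswith` values `psexec`, `paexec`, `remcom` and `csexec` in the new sysmon_psexec_pipes_artifacts.yml have no leading backslash, yet every pipe name in the neighbouring rules begins with `\` (`'\PSHost'`, `'\postex_'`, `'\PSEXESVC'`), so as written the startswith never matches. Use `- '\psexec'` and so on, or `PipeName|contains` if these tools can prefix the pipe name. The `definition` line also repeats the `Symson` typo that this commit fixes in sysmon_mal_namedpipes.yml.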
@@ -0,0 +1,26 @@ +title: Execution via CL_Invocation.ps1 +id: 4cd29327-685a-460e-9dac-c3ab96e549dc +description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module +status: experimental +author: oscd.community, Natalia Shornikova +date: 2020/10/14 +modified: 2021/05/21 +references: + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml + - https://twitter.com/bohops/status/948061991012327424 +tags: + - attack.defense_evasion + - attack.t1216 +logsource: + product: windows + service: powershell +detection: + selection: + EventID: 4104 + ScriptBlockText|contains|all: + - 'CL_Invocation.ps1' + - 'SyncInvoke' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/powershell/powershell_CL_Invocation_LOLScript_v2.yml b/rules/windows/powershell/powershell_CL_Invocation_LOLScript_v2.yml new file mode 100644 index 000000000..c8b63179e --- /dev/null +++ b/rules/windows/powershell/powershell_CL_Invocation_LOLScript_v2.yml @@ -0,0 +1,28 @@ +title: Execution via CL_Invocation.ps1 (2 Lines) +id: f588e69b-0750-46bb-8f87-0e9320d57536 +description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module +status: experimental +author: oscd.community, Natalia Shornikova +date: 2020/10/14 +modified: 2021/05/21 +references: + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml + - https://twitter.com/bohops/status/948061991012327424 +tags: + - attack.defense_evasion + - attack.t1216 +logsource: + product: windows + service: powershell +detection: + selection2: + EventID: 4104 + ScriptBlockText|contains: + - 'CL_Invocation.ps1' + - 'SyncInvoke' + condition: selection2 | count(ScriptBlockText) by Computer > 2 + # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Invocation.ps1 + # PS > SyncInvoke c:\Evil.exe +falsepositives: + - Unknown +level: high 
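Review bot: `condition: selection2 | count(ScriptBlockText) by Computer > 2` in the new powershell_CL_Invocation_LOLScript_v2.yml requires more than two matching script blocks per computer, yet the title says `(2 Lines)` and the inline example shows exactly two (`Import-Module ...CL_Invocation.ps1` and `SyncInvoke ...`), which gives a count of 2 and never satisfies `> 2`; `>= 2` (or `> 1`) looks like the intended threshold. The same off-by-one is in powershell_CL_Mutexverifiers_LOLScript_v2.yml later in this commit. Whether `count(ScriptBlockText)` is a distinct count or an event count is backend-dependent, so a comment stating the assumption would help.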
diff --git a/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript.yml b/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript.yml new file mode 100644 index 000000000..341b51f79 --- /dev/null +++ b/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript.yml @@ -0,0 +1,26 @@ +title: Execution via CL_Mutexverifiers.ps1 +id: 39776c99-1c7b-4ba0-b5aa-641525eee1a4 +description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module +status: experimental +author: oscd.community, Natalia Shornikova +date: 2020/10/14 +modified: 2021/05/21 +references: + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml + - https://twitter.com/pabraeken/status/995111125447577600 +tags: + - attack.defense_evasion + - attack.t1216 +logsource: + product: windows + service: powershell +detection: + selection: + EventID: 4104 + ScriptBlockText|contains|all: + - 'CL_Mutexverifiers.ps1' + - 'runAfterCancelProcess' + condition: selection +falsepositives: + - Unknown +level: high \ No newline at end of file diff --git a/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript_v2.yml b/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript_v2.yml new file mode 100644 index 000000000..c4b47e1b8 --- /dev/null +++ b/rules/windows/powershell/powershell_CL_Mutexverifiers_LOLScript_v2.yml 
@@ -0,0 +1,28 @@ +title: Execution via CL_Mutexverifiers.ps1 (2 Lines) +id: 6609c444-9670-4eab-9636-fe4755a851ce +description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module +status: experimental +author: oscd.community, Natalia Shornikova +date: 2020/10/14 +modified: 2021/05/21 +references: + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml + - https://twitter.com/pabraeken/status/995111125447577600 +tags: + - attack.defense_evasion + - attack.t1216 +logsource: + product: windows + service: powershell +detection: + selection2: + EventID: 4104 + ScriptBlockText|contains: + - 'CL_Mutexverifiers.ps1' + - 'runAfterCancelProcess' + condition: selection2 | count(ScriptBlockText) by Computer > 2 + # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1 + # PS > runAfterCancelProcess c:\Evil.exe +falsepositives: + - Unknown +level: high diff --git a/rules/windows/powershell/powershell_accessing_win_api.yml b/rules/windows/powershell/powershell_accessing_win_api.yml new file mode 100644 index 000000000..862bbd69b --- /dev/null +++ b/rules/windows/powershell/powershell_accessing_win_api.yml 
@@ -0,0 +1,71 @@ +title: Accessing WinAPI in PowerShell +id: 03d83090-8cba-44a0-b02f-0b756a050306 +status: experimental +description: Detecting use WinAPI Functions in PowerShell +author: Nikita Nazarov, oscd.community +date: 2020/10/06 +references: + - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse +tags: + - attack.execution + - attack.t1059.001 + - attack.t1106 +logsource: + product: windows + service: powershell +detection: + selection: + EventID: + - 4104 + Message|contains: + - 'WaitForSingleObject' + - 'QueueUserApc' + - 'RtlCreateUserThread' + - 'OpenProcess' + - 'VirtualAlloc' + - 'VirtualFree' + - 'WriteProcessMemory' + - 'CreateUserThread' + - 'CloseHanlde' + - 'GetDelegateForFunctionPointer' + - 'CreateThread' + - 'memcpy' + - 'LoadLibrary' + - 'GetModuleHandle' + - 'GetProcAdress' + - 'VirtualProtect' + - 'FreeLibrary' + - 'ReadProcessMemory' + - 'CreateRemoteThread' + - 'AdjustTokenPrivileges' + - 'WriteByte' + - 'WriteInt32' + - 'OpenThreadToken' + - 'PtrToString' + - 'FreeHGlobal' + - 'ZeroFreeGlobalAllocUnicode' + - 'OpenProcessToken' + - 'GetTokenInformation' + - 'SetThreadToken' + - 'ImpersonateLoggedOnUser' + - 'RevertToSelf' + - 'GetLogonSessionData' + - 'CreateProcessWithToken' + - 'DuplicateRokenEx' + - 'OpenWindowStation' + - 'OpenDesktop' + - 'MiniDumpWrireDump' + - 'AddSecurityPackage' + - 'EnumerateSecurityPackages' + - 'GetProcessHandle' + - 'DangerousGetHandle' + - 'Kernel32' + - 'Advapi32' + - 'Msvcrt' + - 'ntdll' + - 'User32' + - 'Secur32' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/powershell/powershell_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_alternate_powershell_hosts.yml index abce9e6a3..6346854c7 100644 --- a/rules/windows/powershell/powershell_alternate_powershell_hosts.yml +++ b/rules/windows/powershell/powershell_alternate_powershell_hosts.yml 
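Review bot: Four entries in the new powershell_accessing_win_api.yml are misspelled and can never match real API usage: `'CloseHanlde'` (CloseHandle), `'GetProcAdress'` (GetProcAddress), `'DuplicateRokenEx'` (DuplicateTokenEx) and `'MiniDumpWrireDump'` (MiniDumpWriteDump). The selection pairs `EventID: 4104` with `Message|contains`, while the other 4104 rules in this commit (CL_Invocation, bad_opsec_artifacts) match on `ScriptBlockText`; if the `service: powershell` mapping exposes the script block as `ScriptBlockText`, this rule is reading the wrong field. Separately, `'OpenProcess'` already covers `'OpenProcessToken'` and `'CreateUserThread'` covers `'RtlCreateUserThread'`, and tokens such as `'memcpy'`, `'Kernel32'`, `'LoadLibrary'` and `'WriteByte'` occur in ordinary scripts, which makes `level: high` optimistic without a falsepositives note.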
@@ -1,15 +1,31 @@ +action: global title: Alternate PowerShell Hosts id: 64e8e417-c19a-475a-8d19-98ea705394cc description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe status: experimental date: 2019/08/11 +modified: 2021/06/01 author: Roberto Rodriguez @Cyb3rWard0g references: - - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/alternate_signed_powershell_hosts.md + - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html tags: - attack.execution - attack.t1059.001 - attack.t1086 # an old one +falsepositives: + - Programs using PowerShell directly without invocation of a dedicated interpreter + - MSP Detection Searcher + - Citrix ConfigSync.ps1 +level: medium +detection: + filter: + - ContextInfo: 'powershell.exe' + - Message: 'powershell.exe' + # Both fields contain key=value pairs where the key HostApplication is relevant but + # can't be referred directly as event field. + condition: selection and not filter + +--- logsource: product: windows service: powershell @@ -17,16 +33,13 @@ detection: selection: EventID: - 4103 - - 400 ContextInfo: '*' - filter: - - ContextInfo: 'powershell.exe' - - Message: 'powershell.exe' - # Both fields contain key=value pairs where the key HostApplication ist relevant but - # can't be referred directly as event field. - condition: selection and not filter -falsepositives: - - Programs using PowerShell directly without invocation of a dedicated interpreter - - MSP Detection Searcher - - Citrix ConfigSync.ps1 -level: medium +--- +logsource: + product: windows + service: powershell-classic +detection: + selection: + EventID: + - 400 + ContextInfo: '*' \ No newline at end of file diff --git a/rules/windows/powershell/powershell_bad_opsec_artifacts.yml b/rules/windows/powershell/powershell_bad_opsec_artifacts.yml new file mode 100644 index 000000000..0479fcd14 --- /dev/null 
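Review bot: The `powershell-classic` document in powershell_alternate_powershell_hosts.yml keeps `ContextInfo: '*'` next to `EventID: 400`, inherited from the old combined selection; the commit's own filter comment says the host application sits in key=value text inside the fields, and whether a classic 400 event exposes a `ContextInfo` field at all is not visible here, so if it does not that document can never match and the rule silently loses its 400 coverage. Please confirm the field against the `powershell-classic` mapping, or match `Message` for that document. `EventID:` is also written as a one-element list in both documents, and the file lost its trailing newline.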
+++ b/rules/windows/powershell/powershell_bad_opsec_artifacts.yml @@ -0,0 +1,42 @@ +title: Bad Opsec Powershell Code Artifacts +id: 73e733cc-1ace-3212-a107-ff2523cc9fc3 +description: Focuses on trivial artifacts observed in variants of prevalent offensive ps1 payloads, including Cobalt Strike Beacon, PoshC2, Powerview, Letmein, Empire, Powersploit, and other attack payloads that often undergo minimal changes by attackers due to bad opsec. +status: experimental +references: + - https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/ + - https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/ + - https://www.mdeditor.tw/pl/pgRt +author: 'ok @securonix invrep_de, oscd.community' +date: 2020/10/09 +modified: 2020/10/09 +tags: + - attack.execution + - attack.t1059.001 + - attack.t1086 +logsource: + product: windows + service: powershell + definition: 'Script block logging must be enabled' +detection: + selection_4104: + EventID: 4104 + ScriptBlockText|contains: + - '$DoIt' + - 'harmj0y' + - 'mattifestation' + - '_RastaMouse' + - 'tifkin_' + - '0xdeadbeef' + selection_4103: + EventID: 4103 + Payload|contains: + - '$DoIt' + - 'harmj0y' + - 'mattifestation' + - '_RastaMouse' + - 'tifkin_' + - '0xdeadbeef' + condition: selection_4104 or selection_4103 +falsepositives: + - 'Moderate-to-low; Despite the shorter length/lower entropy for some of these, because of high specificity, fp appears to be fairly limited in many environments.' +level: critical diff --git a/rules/windows/powershell/powershell_clear_powershell_history.yml b/rules/windows/powershell/powershell_clear_powershell_history.yml index b2249b79b..695c01d00 100644 --- a/rules/windows/powershell/powershell_clear_powershell_history.yml +++ b/rules/windows/powershell/powershell_clear_powershell_history.yml 
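Review bot: `'0xdeadbeef'` in the new powershell_bad_opsec_artifacts.yml is a generic placeholder constant that shows up in test code, samples and ordinary scripts, so on its own it lacks the specificity the falsepositives text claims for the rest of the list, and the rule sits at `level: critical`; either drop it or pair it with a second indicator in a `contains|all` selection. The tag `attack.t1086` is marked `# an old one` next to `attack.t1059.001` in the other rules of this commit; doing the same here keeps the convention. `modified: 2020/10/09` equal to `date:` is harmless but redundant.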
@@ -3,7 +3,8 @@ id: dfba4ce1-e0ea-495f-986e-97140f31af2d status: experimental description: Detects keywords that could indicate clearing PowerShell history date: 2019/10/25 -author: Ilyas Ochkov, oscd.community +modified: 2020/11/28 +author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community references: - https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a tags: @@ -14,12 +15,36 @@ logsource: product: windows service: powershell detection: - keywords: - - 'del (Get-PSReadlineOption).HistorySavePath' - - 'Set-PSReadlineOption –HistorySaveStyle SaveNothing' - - 'Remove-Item (Get-PSReadlineOption).HistorySavePath' - - 'rm (Get-PSReadlineOption).HistorySavePath' - condition: keywords + selection_1: + EventID: 4104 + selection_2: + ScriptBlockText|contains: + - 'del' + - 'Remove-Item' + - 'rm' + ScriptBlockText|contains|all: + - '(Get-PSReadlineOption).HistorySavePath' + selection_3: + ScriptBlockText|contains|all: + - 'Set-PSReadlineOption' + - '–HistorySaveStyle' + - 'SaveNothing' + selection_4: + EventID: 4103 + selection_5: + Payload|contains: + - 'del' + - 'Remove-Item' + - 'rm' + Payload|contains|all: + - '(Get-PSReadlineOption).HistorySavePath' + selection_6: + Payload|contains|all: + - 'Set-PSReadlineOption' + - '–HistorySaveStyle' + - 'SaveNothing' + condition: selection_1 and ( selection_2 or selection_3 ) or + selection_4 and ( selection_5 or selection_6 ) falsepositives: - - some PS-scripts + - Legitimate PowerShell scripts level: medium diff --git a/rules/windows/powershell/powershell_cmdline_reversed_strings.yml b/rules/windows/powershell/powershell_cmdline_reversed_strings.yml new file mode 100644 index 000000000..a652304e2 --- /dev/null +++ b/rules/windows/powershell/powershell_cmdline_reversed_strings.yml 
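Review bot: In selection_3 and selection_6 of powershell_clear_powershell_history.yml the token `'–HistorySaveStyle'` starts with an en dash (U+2013), not an ASCII hyphen, so a command typed as `Set-PSReadlineOption -HistorySaveStyle SaveNothing` will not match; the old keyword carried the same character, but it is now easy to fix by using `'HistorySaveStyle'` without the dash, since `contains|all` already requires `Set-PSReadlineOption` and `SaveNothing` alongside it. `ScriptBlockText|contains|all:` and `Payload|contains|all:` each hold a single item, where a plain `contains` reads the same. The two-line `condition:` relies on YAML folding the continuation into one scalar, which works but is unusual in this corpus; a single line or a quoted scalar is clearer.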
@@ -0,0 +1,51 @@
+title: Suspicious PowerShell Cmdline
+id: b6b49cd1-34d6-4ead-b1bf-176e9edba9a4
+description: Detects the PowerShell command lines with reversed strings
+status: experimental
+references:
+ - https://2019.offzone.moscow/ru/report/hunting-for-powershell-abuses/
+ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=66
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community
+date: 2020/10/11
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\powershell.exe'
+ CommandLine|contains:
+ - 'hctac'
+ - 'kearb'
+ - 'dnammoc'
+ - 'ekovn'
+ - 'eliFd'
+ - 'rahc'
+ - 'etirw'
+ - 'golon'
+ - 'tninon'
+ - 'eddih'
+ - 'tpircS'
+ - 'ssecorp'
+ - 'llehsrewop'
+ - 'esnopser'
+ - 'daolnwod'
+ - 'tneilCbeW'
+ - 'tneilc'
+ - 'ptth'
+ - 'elifotevas'
+ - '46esab'
+ - 'htaPpmeTteG'
+ - 'tcejbO'
+ - 'maerts'
+ - 'hcaerof'
+ - 'ekovni'
+ - 'retupmoc'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules/windows/powershell/powershell_cmdline_special_characters.yml b/rules/windows/powershell/powershell_cmdline_special_characters.yml
new file mode 100644
index 000000000..d4c131fb2
--- /dev/null
+++ b/rules/windows/powershell/powershell_cmdline_special_characters.yml
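Review bot: `'ekovni'` is redundant with `'ekovn'` in the same `CommandLine|contains` list, and `Image|endswith: '\powershell.exe'` leaves out pwsh.exe (PowerShell 7), an omission shared by the other process_creation rules in this batch. Drop the duplicate and add `- '\pwsh.exe'` as a second list entry under `Image|endswith`. With four-character tokens such as `'rahc'` and `'ptth'` the `falsepositives: Unlikely` entry is optimistic; a note that hits should be reviewed together with the full command line would set expectations for triage.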
@@ -0,0 +1,36 @@
+title: Suspicious PowerShell Command Line
+id: d7bcd677-645d-4691-a8d4-7a5602b780d1
+description: Detects the PowerShell command lines with special characters
+status: experimental
+references:
+ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=64
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community
+date: 2020/10/15
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ Image|endswith: '\powershell.exe'
+ CommandLine|re: '.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*'
+ selection2:
+ Image|endswith: '\powershell.exe'
+ CommandLine|re: '.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*'
+ selection3:
+ Image|endswith: '\powershell.exe'
+ CommandLine|re: '.*{.*{.*{.*{.*{.*'
+ selection4:
+ Image|endswith: '\powershell.exe'
+ CommandLine|re: '.*\^.*\^.*\^.*\^.*\^.*'
+ selection5:
+ Image|endswith: '\powershell.exe'
+ CommandLine|re: '.*`.*`.*`.*`.*`.*'
+ condition: selection1 or selection2 or selection3 or selection4 or selection5
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml
new file mode 100644
index 000000000..6bfa956ee
--- /dev/null
+++ b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml
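Review bot: selection3's pattern `'.*{.*{.*{.*{.*{.*'` leaves `{` unescaped while selection2 escapes it; some regex engines treat a bare `{` as the start of a quantifier and reject or misparse the pattern, so write it as `CommandLine|re: '.*\{.*\{.*\{.*\{.*\{.*'`. Once escaped, selection3 (five braces) matches a superset of selection2 (ten braces), so selection2 contributes nothing and should be removed or given a distinct threshold on purpose. The leading `.*` on every pattern is unnecessary for an unanchored `re` match and only adds backtracking.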
@@ -0,0 +1,55 @@
+title: Encoded PowerShell Command Line
+id: cdf05894-89e7-4ead-b2b0-0a5f97a90f2f
+description: Detects specific combinations of encoding methods in the PowerShell command lines
+status: experimental
+references:
+ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=65
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community
+date: 2020/10/11
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ Image|endswith: '\powershell.exe'
+ CommandLine|contains|all:
+ - 'char'
+ - 'join'
+ selection2:
+ Image|endswith: '\powershell.exe'
+ CommandLine|contains:
+ - 'ToInt'
+ - 'ToDecimal'
+ - 'ToByte'
+ - 'ToUint'
+ - 'ToSingle'
+ - 'ToSByte'
+ selection3:
+ Image|endswith: '\powershell.exe'
+ CommandLine|contains:
+ - 'ToChar'
+ - 'ToString'
+ - 'String'
+ selection4:
+ Image|endswith: '\powershell.exe'
+ CommandLine|contains|all:
+ - 'split'
+ - 'join'
+ selection5:
+ Image|endswith: '\powershell.exe'
+ CommandLine|contains|all:
+ - 'ForEach'
+ - 'Xor'
+ selection6:
+ Image|endswith: '\powershell.exe'
+ CommandLine|contains:
+ - 'cOnvErTTO-SECUreStRIng'
+ condition: (selection2 and selection3) or selection1 or selection4 or selection5 or selection6
+falsepositives:
+ - Unlikely
+level: medium
diff --git a/rules/windows/powershell/powershell_code_injection.yml b/rules/windows/powershell/powershell_code_injection.yml
new file mode 100644
index 000000000..829a9dba8
--- /dev/null
+++ b/rules/windows/powershell/powershell_code_injection.yml
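Review bot: `'cOnvErTTO-SECUreStRIng'` in selection6 reads as if the letter case were significant, but Sigma string matching is case-insensitive by default, so it matches exactly the same events as `'ConvertTo-SecureString'`; write it in normal case so the intent is clear. In selection3, `'ToString'` is subsumed by `'String'`, so one of the two entries is redundant. As with the other process_creation rules in this batch, `Image|endswith: '\powershell.exe'` does not cover pwsh.exe.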
@@ -0,0 +1,22 @@
+title: Accessing WinAPI in PowerShell. Code Injection.
+id: eeb2e3dc-c1f4-40dd-9bd5-149ee465ad50
+status: experimental
+description: Detecting Code injection with PowerShell in another process
+author: Nikita Nazarov, oscd.community
+date: 2020/10/06
+references:
+ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
+tags:
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ category: create_remote_thread
+ definition: 'Note that you have to configure logging for CreateRemoteThread in Symson config'
+detection:
+ selection:
+ SourceImage|endswith: '\powershell.exe'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/powershell/powershell_decompress_commands.yml b/rules/windows/powershell/powershell_decompress_commands.yml
new file mode 100644
index 000000000..e5c17ef9c
--- /dev/null
+++ b/rules/windows/powershell/powershell_decompress_commands.yml
@@ -0,0 +1,26 @@
+title: PowerShell Decompress Commands
+id: 81fbdce6-ee49-485a-908d-1a728c5dcb09
+description: A General detection for specific decompress commands in PowerShell logs. This could be an adversary decompressing files.
+status: experimental
+date: 2020/05/02
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.defense_evasion
+ - attack.t1140
+references:
+ - https://github.com/OTRF/detection-hackathon-apt29/issues/8
+ - https://threathunterplaybook.com/evals/apt29/detections/4.A.3_09F29912-8E93-461E-9E89-3F06F6763383.html
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection1:
+ EventID: 4104
+ ScriptBlockText|contains: 'Expand-Archive'
+ selection2:
+ EventID: 4103
+ Payload|contains: 'Expand-Archive'
+ condition: selection1 or selection2
+falsepositives:
+ - unknown
+level: informational
\ No newline at end of file
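Review bot: `definition: 'Note that you have to configure logging for CreateRemoteThread in Symson config'` misspells Sysmon; use `definition: 'Note that you have to configure logging for CreateRemoteThread (Sysmon Event ID 8) in the Sysmon config'`. The title announces code injection but the tags carry only `attack.execution`/`attack.t1059.001`; a `create_remote_thread` rule would normally also be mapped to `attack.t1055` with `attack.defense_evasion` and `attack.privilege_escalation`. With no constraint on `TargetImage` and `falsepositives: Unknown`, `level: high` is hard to justify until the rule has been run against a baseline; the decompress_commands hunk on this line is fine as a low-severity informational rule.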
diff --git a/rules/windows/powershell/powershell_delete_volume_shadow_copies.yml b/rules/windows/powershell/powershell_delete_volume_shadow_copies.yml
new file mode 100644
index 000000000..ed6e4d161
--- /dev/null
+++ b/rules/windows/powershell/powershell_delete_volume_shadow_copies.yml
@@ -0,0 +1,37 @@
+title: Delete Volume Shadow Copies Via WMI With PowerShell
+id: 87df9ee1-5416-453a-8a08-e8d4a51e9ce1
+description: Shadow Copies deletion using operating systems utilities via PowerShell
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md
+ - https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_shadow_copies_deletion.yml
+ - https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods
+tags:
+ - attack.impact
+ - attack.t1490
+status: experimental
+author: frack113
+date: 2021/06/03
+logsource:
+ product: windows
+ service: powershell-classic
+detection:
+ selection_obj:
+ CommandLine|contains|all:
+ - 'Get-WmiObject'
+ - ' Win32_Shadowcopy'
+ selection_del:
+ CommandLine|contains:
+ - 'Delete()'
+ - 'Remove-WmiObject'
+ selection_eventid:
+ EventID:
+ - 400
+ - 403
+ - 600
+ condition: selection_obj and selection_del and selection_eventid
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason
+level: critical
diff --git a/rules/windows/powershell/powershell_exe_calling_ps.yml b/rules/windows/powershell/powershell_exe_calling_ps.yml
index 034b3d02d..4785ccf29 100644
--- a/rules/windows/powershell/powershell_exe_calling_ps.yml
+++ b/rules/windows/powershell/powershell_exe_calling_ps.yml
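Review bot: `CommandLine|contains|all` and `CommandLine|contains` are process_creation fields, but the logsource is `powershell-classic` with EventIDs 400/403/600; in those classic engine events the executed command is carried inside the event message (the `HostApplication=` line), so I would expect these selections to match nothing unless the backend's field mapping translates `CommandLine` for this logsource — please confirm against the mapping in use. The same concern applies to `fields: - CommandLine - ParentCommandLine`, where ParentCommandLine does not exist on these events. The rule is `level: critical`, so a selection that silently never fires is worse than a noisy one.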
@@ -17,11 +17,11 @@ logsource:
 detection:
 selection1:
 EventID: 400
- EngineVersion:
- - '2.*'
- - '4.*'
- - '5.*'
- HostVersion: '3.*'
+ EngineVersion|startswith:
+ - '2.'
+ - '4.'
+ - '5.'
+ HostVersion|startswith: '3.'
 condition: selection1
 falsepositives:
 - Penetration Tests
diff --git a/rules/windows/powershell/powershell_get_clipboard.yml b/rules/windows/powershell/powershell_get_clipboard.yml
new file mode 100644
index 000000000..46e8374c6
--- /dev/null
+++ b/rules/windows/powershell/powershell_get_clipboard.yml
@@ -0,0 +1,26 @@
+title: PowerShell Get Clipboard
+id: 5486f63a-aa4c-488d-9a61-c9192853099f
+description: A General detection for the Get-Clipboard commands in PowerShell logs. This could be an adversary capturing clipboard contents.
+status: experimental
+date: 2020/05/02
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.collection
+ - attack.t1115
+references:
+ - https://github.com/OTRF/detection-hackathon-apt29/issues/16
+ - https://threathunterplaybook.com/evals/apt29/detections/7.A.2_F4609F7E-C4DB-4327-91D4-59A58C962A02.html
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection1:
+ EventID: 4104
+ ScriptBlockText|contains: 'Get-Clipboard'
+ selection2:
+ EventID: 4103
+ Payload|contains: 'Get-Clipboard'
+ condition: selection1 or selection2
+falsepositives:
+ - unknown
+level: medium
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_icmp_exfiltration.yml b/rules/windows/powershell/powershell_icmp_exfiltration.yml
new file mode 100644
index 000000000..373f679aa
--- /dev/null
+++ b/rules/windows/powershell/powershell_icmp_exfiltration.yml
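Review bot: `ScriptBlockText|contains: 'Get-Clipboard'` in powershell_get_clipboard.yml also matches `Get-ClipboardContents`, which powershell_malicious_commandlets.yml in this same commit already alerts on, so one script block can raise two alerts at different levels; if the overlap is intended, say so in the description, otherwise consider `'Get-Clipboard '` or a `|re` with a word boundary. `falsepositives: - unknown` is lower-case where the sibling rules write `Unknown`; trivial, but the repository's linting tends to flag such drift. The exe_calling_ps hunk on this line is a like-for-like wildcard-to-`startswith` conversion and needs nothing further.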
@@ -0,0 +1,25 @@
+title: PowerShell ICMP Exfiltration
+id: 4c4af3cd-2115-479c-8193-6b8bfce9001c
+status: experimental
+description: Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md#atomic-test-2---exfiltration-over-alternative-protocol---icmp
+author: 'Bartlomiej Czyz @bczyz1, oscd.community'
+date: 2020/10/10
+tags:
+ - attack.exfiltration
+ - attack.t1048.003
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection:
+ EventID: 4104
+ ScriptBlockText|contains|all:
+ - 'New-Object'
+ - 'System.Net.NetworkInformation.Ping'
+ - '.Send('
+ condition: selection
+falsepositives:
+ - Legitimate usage of System.Net.NetworkInformation.Ping class
+level: medium
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_clip+.yml b/rules/windows/powershell/powershell_invoke_obfuscation_clip+.yml
new file mode 100644
index 000000000..7d9b4abc9
--- /dev/null
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_clip+.yml
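Review bot: Unlike powershell_decompress_commands.yml and the other script-block rules in this batch, this rule covers only EventID 4104 and has no `Payload|contains|all` counterpart for EventID 4103, so the same activity recorded through module logging alone will not trigger. Add a `selection_4103` with `EventID: 4103` and the same three strings on `Payload`, and change the condition to `condition: 1 of them`. The `description` is the generic ATT&CK sub-technique text; a sentence naming what the three strings together identify (a Ping object being constructed and used to send data) would make the rule self-explanatory.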
@@ -0,0 +1,27 @@
+title: Invoke-Obfuscation CLIP+ Launcher
+id: 73e67340-0d25-11eb-adc1-0242ac120002
+description: Detects Obfuscated use of Clip.exe to execute PowerShell
+status: experimental
+author: Jonathan Cheong, oscd.community
+date: 2020/10/13
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection_1:
+ EventID: 4104
+ ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"'
+ selection_2:
+ EventID: 4103
+ Payload|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"'
+ condition: 1 of them
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_stdin+.yml b/rules/windows/powershell/powershell_invoke_obfuscation_stdin+.yml
new file mode 100644
index 000000000..7e2b0ef2d
--- /dev/null
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_stdin+.yml
@@ -0,0 +1,27 @@
+title: Invoke-Obfuscation STDIN+ Launcher
+id: 779c8c12-0eb1-11eb-adc1-0242ac120002
+description: Detects Obfuscated use of stdin to execute PowerShell
+status: experimental
+author: Jonathan Cheong, oscd.community
+date: 2020/10/15
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection_1:
+ EventID: 4104
+ ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
+ selection_2:
+ EventID: 4103
+ Payload|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"'
+ condition: 1 of them
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
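Review bot: The `ScriptBlockText|re` and `Payload|re` patterns in this rule carry no `(?i)` prefix, so unlike the `powershell_invoke_obfuscation_via_*` rules later in this commit they are case-sensitive and a script block that spells `cmd`, `clip` or `clipboard` with different letter case is not matched; the same applies to the stdin+ rule in this hunk group and to powershell_invoke_obfuscation_var+.yml on the next line. Prefix each pattern with `(?i)` and drop the leading `.*`, which is redundant for an unanchored match and only adds backtracking. The `#(Task 26)` trailer on the reference line points at an issue-tracker task; a few words on what the task covered would age better than the number alone.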
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_var+.yml b/rules/windows/powershell/powershell_invoke_obfuscation_var+.yml
new file mode 100644
index 000000000..9c2ab871f
--- /dev/null
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_var+.yml
@@ -0,0 +1,27 @@
+title: Invoke-Obfuscation VAR+ Launcher
+id: 0adfbc14-0ed1-11eb-adc1-0242ac120002
+description: Detects Obfuscated use of Environment Variables to execute PowerShell
+status: experimental
+author: Jonathan Cheong, oscd.community
+date: 2020/10/15
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection_1:
+ EventID: 4104
+ ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
+ selection_2:
+ EventID: 4103
+ Payload|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"'
+ condition: 1 of them
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_compress.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_compress.yml
new file mode 100644
index 000000000..365149a58
--- /dev/null
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_compress.yml
@@ -0,0 +1,27 @@
+title: Invoke-Obfuscation COMPRESS OBFUSCATION
+id: 20e5497e-331c-4cd5-8d36-935f6e2a9a07
+description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
+status: experimental
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/18
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection_1:
+ EventID: 4104
+ ScriptBlockText|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend'
+ selection_2:
+ EventID: 4103
+ Payload|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend'
+ condition: 1 of them
+falsepositives:
+ - unknown
+level: medium
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml
new file mode 100644
index 000000000..793dc3c14
--- /dev/null
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml
@@ -0,0 +1,27 @@
+title: Invoke-Obfuscation RUNDLL LAUNCHER
+id: e6cb92b4-b470-4eb8-8a9d-d63e8583aae0
+description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
+status: experimental
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/18
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection_1:
+ EventID: 4104
+ ScriptBlockText|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
+ selection_2:
+ EventID: 4103
+ Payload|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"'
+ condition: 1 of them
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_stdin.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_stdin.yml
new file mode 100644
index 000000000..ab358c642
--- /dev/null
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_stdin.yml
@@ -0,0 +1,27 @@
+title: Invoke-Obfuscation Via Stdin
+id: 86b896ba-ffa1-4fea-83e3-ee28a4c915c7
+description: Detects Obfuscated Powershell via Stdin in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/12
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task28)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection_1:
+ EventID: 4104
+ ScriptBlockText|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
+ selection_2:
+ EventID: 4103
+ Payload|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"'
+ condition: 1 of them
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_clip.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_clip.yml
new file mode 100644
index 000000000..5f514bc69
--- /dev/null
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_clip.yml
@@ -0,0 +1,27 @@
+title: Invoke-Obfuscation Via Use Clip
+id: db92dd33-a3ad-49cf-8c2c-608c3e30ace0
+description: Detects Obfuscated Powershell via use Clip.exe in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/09
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task29)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection_1:
+ EventID: 4104
+ ScriptBlockText|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
+ selection_2:
+ EventID: 4103
+ Payload|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*'
+ condition: 1 of them
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml
new file mode 100644
index 000000000..45764546f
--- /dev/null
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml
@@ -0,0 +1,27 @@
+title: Invoke-Obfuscation Via Use MSHTA
+id: e55a5195-4724-480e-a77e-3ebe64bd3759
+description: Detects Obfuscated Powershell via use MSHTA in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2020/10/08
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task31)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection_1:
+ EventID: 4104
+ ScriptBlockText|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"'
+ selection_2:
+ EventID: 4103
+ Payload|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"'
+ condition: 1 of them
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml
new file mode 100644
index 000000000..a0abb7616
--- /dev/null
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml
@@ -0,0 +1,27 @@
+title: Invoke-Obfuscation Via Use Rundll32
+id: a5a30a6e-75ca-4233-8b8c-42e0f2037d3b
+description: Detects Obfuscated Powershell via use Rundll32 in Scripts
+status: experimental
+author: Nikita Nazarov, oscd.community
+date: 2019/10/08
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection_1:
+ EventID: 4104
+ ScriptBlockText|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"'
+ selection_2:
+ EventID: 4103
+ Payload|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"'
+ condition: 1 of them
+falsepositives:
+ - Unknown
+level: high
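Review bot: `date: 2019/10/08` in powershell_invoke_obfuscation_via_use_rundll32.yml looks like a typo for `date: 2020/10/08`: every other rule by this author in the batch is dated October 2020 and they all answer the same issue 1009, so please confirm before merging. That rule's reference also lacks the `#(Task N)` marker its siblings carry, which breaks the traceability the marker was meant to give. The capturing groups `(set)`, `(&&)`, `(mshta)` in the MSHTA rule's patterns on this line capture nothing that is used; plain literals or `(?:...)` groups read more clearly and avoid the extra bookkeeping.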
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml
new file mode 100644
index 000000000..6d19dc2e1
--- /dev/null
+++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_var++.yml
@@ -0,0 +1,27 @@
+title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION
+id: e54f5149-6ba3-49cf-b153-070d24679126
+description: Detects Obfuscated Powershell via VAR++ LAUNCHER
+status: experimental
+author: Timur Zinniatullin, oscd.community
+date: 2020/10/13
+references:
+ - https://github.com/Neo23x0/sigma/issues/1009 #(Task27)
+tags:
+ - attack.defense_evasion
+ - attack.t1027
+ - attack.execution
+ - attack.t1059.001
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection_1:
+ EventID: 4104
+ ScriptBlockText|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c/c' # FPs with |\/r
+ selection_2:
+ EventID: 4103
+ Payload|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r
+ condition: selection_1 or selection_2
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/powershell/powershell_malicious_commandlets.yml b/rules/windows/powershell/powershell_malicious_commandlets.yml
index d75d512ae..ad4609d8d 100644
--- a/rules/windows/powershell/powershell_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_malicious_commandlets.yml
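Review bot: selection_1's pattern ends in `cmd.*\/c/c` while selection_2's ends in `cmd.*\/c`; the extra `/c` in the 4104 pattern requires a literal `/c/c` in the script block and is almost certainly a typo that disables the 4104 path of the rule. Change it to `ScriptBlockText|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r` so both selections agree. The condition is written `selection_1 or selection_2` where the sibling rules use `1 of them`; either is fine, but a consistent form across the batch makes later edits less error-prone.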
@@ -8,112 +8,116 @@ tags:
 - attack.execution
 - attack.t1059.001
 - attack.t1086 #an old one
-author: Sean Metcalf (source), Florian Roth (rule)
+author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update)
 date: 2017/03/05
+modified: 2020/10/11
 logsource:
 product: windows
 service: powershell
 definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
 detection:
 keywords:
- Message:
- - "*Invoke-DllInjection*"
- - "*Invoke-Shellcode*"
- - "*Invoke-WmiCommand*"
- - "*Get-GPPPassword*"
- - "*Get-Keystrokes*"
- - "*Get-TimedScreenshot*"
- - "*Get-VaultCredential*"
- - "*Invoke-CredentialInjection*"
- - "*Invoke-Mimikatz*"
- - "*Invoke-NinjaCopy*"
- - "*Invoke-TokenManipulation*"
- - "*Out-Minidump*"
- - "*VolumeShadowCopyTools*"
- - "*Invoke-ReflectivePEInjection*"
- - "*Invoke-UserHunter*"
- - "*Find-GPOLocation*"
- - "*Invoke-ACLScanner*"
- - "*Invoke-DowngradeAccount*"
- - "*Get-ServiceUnquoted*"
- - "*Get-ServiceFilePermission*"
- - "*Get-ServicePermission*"
- - "*Invoke-ServiceAbuse*"
- - "*Install-ServiceBinary*"
- - "*Get-RegAutoLogon*"
- - "*Get-VulnAutoRun*"
- - "*Get-VulnSchTask*"
- - "*Get-UnattendedInstallFile*"
- - "*Get-ApplicationHost*"
- - "*Get-RegAlwaysInstallElevated*"
- - "*Get-Unconstrained*"
- - "*Add-RegBackdoor*"
- - "*Add-ScrnSaveBackdoor*"
- - "*Gupt-Backdoor*"
- - "*Invoke-ADSBackdoor*"
- - "*Enabled-DuplicateToken*"
- - "*Invoke-PsUaCme*"
- - "*Remove-Update*"
- - "*Check-VM*"
- - "*Get-LSASecret*"
- - "*Get-PassHashes*"
- - "*Show-TargetScreen*"
- - "*Port-Scan*"
- - "*Invoke-PoshRatHttp*"
- - "*Invoke-PowerShellTCP*"
- - "*Invoke-PowerShellWMI*"
- - "*Add-Exfiltration*"
- - "*Add-Persistence*"
- - "*Do-Exfiltration*"
- - "*Start-CaptureServer*"
- - "*Get-ChromeDump*"
- - "*Get-ClipboardContents*"
- - "*Get-FoxDump*"
- - "*Get-IndexedItem*"
- - "*Get-Screenshot*"
- - "*Invoke-Inveigh*"
- - "*Invoke-NetRipper*"
- - "*Invoke-EgressCheck*"
- - "*Invoke-PostExfil*"
- - "*Invoke-PSInject*"
- - "*Invoke-RunAs*"
- - "*MailRaider*"
- - "*New-HoneyHash*"
- - "*Set-MacAttribute*"
- - "*Invoke-DCSync*"
- - "*Invoke-PowerDump*"
- - "*Exploit-Jboss*"
- - "*Invoke-ThunderStruck*"
- - "*Invoke-VoiceTroll*"
- - "*Set-Wallpaper*"
- - "*Invoke-InveighRelay*"
- - "*Invoke-PsExec*"
- - "*Invoke-SSHCommand*"
- - "*Get-SecurityPackages*"
- - "*Install-SSP*"
- - "*Invoke-BackdoorLNK*"
- - "*PowerBreach*"
- - "*Get-SiteListPassword*"
- - "*Get-System*"
- - "*Invoke-BypassUAC*"
- - "*Invoke-Tater*"
- - "*Invoke-WScriptBypassUAC*"
- - "*PowerUp*"
- - "*PowerView*"
- - "*Get-RickAstley*"
- - "*Find-Fruit*"
- - "*HTTP-Login*"
- - "*Find-TrustedDocuments*"
- - "*Invoke-Paranoia*"
- - "*Invoke-WinEnum*"
- - "*Invoke-ARPScan*"
- - "*Invoke-PortScan*"
- - "*Invoke-ReverseDNSLookup*"
- - "*Invoke-SMBScanner*"
- - "*Invoke-Mimikittenz*"
- - "*Invoke-AllChecks*"
+ EventID: 4104
+ ScriptBlockText|contains:
+ - "Invoke-DllInjection"
+ - "Invoke-Shellcode"
+ - "Invoke-WmiCommand"
+ - "Get-GPPPassword"
+ - "Get-Keystrokes"
+ - "Get-TimedScreenshot"
+ - "Get-VaultCredential"
+ - "Invoke-CredentialInjection"
+ - "Invoke-Mimikatz"
+ - "Invoke-NinjaCopy"
+ - "Invoke-TokenManipulation"
+ - "Out-Minidump"
+ - "VolumeShadowCopyTools"
+ - "Invoke-ReflectivePEInjection"
+ - "Invoke-UserHunter"
+ - "Find-GPOLocation"
+ - "Invoke-ACLScanner"
+ - "Invoke-DowngradeAccount"
+ - "Get-ServiceUnquoted"
+ - "Get-ServiceFilePermission"
+ - "Get-ServicePermission"
+ - "Invoke-ServiceAbuse"
+ - "Install-ServiceBinary"
+ - "Get-RegAutoLogon"
+ - "Get-VulnAutoRun"
+ - "Get-VulnSchTask"
+ - "Get-UnattendedInstallFile"
+ - "Get-ApplicationHost"
+ - "Get-RegAlwaysInstallElevated"
+ - "Get-Unconstrained"
+ - "Add-RegBackdoor"
+ - "Add-ScrnSaveBackdoor"
+ - "Gupt-Backdoor"
+ - "Invoke-ADSBackdoor"
+ - "Enabled-DuplicateToken"
+ - "Invoke-PsUaCme"
+ - "Remove-Update"
+ - "Check-VM"
+ - "Get-LSASecret"
+ - "Get-PassHashes"
+ - "Show-TargetScreen"
+ - "Port-Scan"
+ - "Invoke-PoshRatHttp"
+ - "Invoke-PowerShellTCP"
+ - "Invoke-PowerShellWMI"
+ - "Add-Exfiltration"
+ - "Add-Persistence"
+ - "Do-Exfiltration"
+ - "Start-CaptureServer"
+ - "Get-ChromeDump"
+ - "Get-ClipboardContents"
+ - "Get-FoxDump"
+ - "Get-IndexedItem"
+ - "Get-Screenshot"
+ - "Invoke-Inveigh"
+ - "Invoke-NetRipper"
+ - "Invoke-EgressCheck"
+ - "Invoke-PostExfil"
+ - "Invoke-PSInject"
+ - "Invoke-RunAs"
+ - "MailRaider"
+ - "New-HoneyHash"
+ - "Set-MacAttribute"
+ - "Invoke-DCSync"
+ - "Invoke-PowerDump"
+ - "Exploit-Jboss"
+ - "Invoke-ThunderStruck"
+ - "Invoke-VoiceTroll"
+ - "Set-Wallpaper"
+ - "Invoke-InveighRelay"
+ - "Invoke-PsExec"
+ - "Invoke-SSHCommand"
+ - "Get-SecurityPackages"
+ - "Install-SSP"
+ - "Invoke-BackdoorLNK"
+ - "PowerBreach"
+ - "Get-SiteListPassword"
+ - "Get-System"
+ - "Invoke-BypassUAC"
+ - "Invoke-Tater"
+ - "Invoke-WScriptBypassUAC"
+ - "PowerUp"
+ - "PowerView"
+ - "Get-RickAstley"
+ - "Find-Fruit"
+ - "HTTP-Login"
+ - "Find-TrustedDocuments"
+ - "Invoke-Paranoia"
+ - "Invoke-WinEnum"
+ - "Invoke-ARPScan"
+ - "Invoke-PortScan"
+ - "Invoke-ReverseDNSLookup"
+ - "Invoke-SMBScanner"
+ - "Invoke-Mimikittenz"
+ - "Invoke-AllChecks"
 false_positives:
- - Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
+ EventID: 4104
+ ScriptBlockText|contains:
+ - Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
 condition: keywords and not false_positives
 falsepositives:
 - Penetration testing
diff --git a/rules/windows/powershell/powershell_malicious_keywords.yml b/rules/windows/powershell/powershell_malicious_keywords.yml
index bf8809959..f46ce60b3 100644
--- a/rules/windows/powershell/powershell_malicious_keywords.yml
+++ b/rules/windows/powershell/powershell_malicious_keywords.yml
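Review bot: Several entries in the new `ScriptBlockText|contains` list are prefixes of ordinary cmdlet names — `"Get-System"` is the clearest case (the `false_positives` filter exists only because of `Get-SystemDriveInfo`, but any other `Get-System*` cmdlet matches too), and `"PowerUp"`, `"PowerView"`, `"Remove-Update"` and `"HTTP-Login"` are similarly broad. Consider anchoring such entries with the delimiter that follows them in real invocations (for example `"Get-System "`) or a `ScriptBlockText|re` with `\bGet-System\b`, rather than growing the filter list one cmdlet at a time. The `EventID: 4104` under `false_positives` is redundant, since `keywords` already constrains the event. A one-line comment above `keywords:` recording that the list is Sean Metcalf's published cmdlet list would tell the next editor where to refresh it from; the hunk starts at the `tags:` section and the rest of the file lies outside it.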
@@ -16,27 +16,27 @@ logsource:
 definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
 detection:
 keywords:
- Message:
- - "*AdjustTokenPrivileges*"
- - "*IMAGE_NT_OPTIONAL_HDR64_MAGIC*"
- - "*Microsoft.Win32.UnsafeNativeMethods*"
- - "*ReadProcessMemory.Invoke*"
- - "*SE_PRIVILEGE_ENABLED*"
- - "*LSA_UNICODE_STRING*"
- - "*MiniDumpWriteDump*"
- - "*PAGE_EXECUTE_READ*"
- - "*SECURITY_DELEGATION*"
- - "*TOKEN_ADJUST_PRIVILEGES*"
- - "*TOKEN_ALL_ACCESS*"
- - "*TOKEN_ASSIGN_PRIMARY*"
- - "*TOKEN_DUPLICATE*"
- - "*TOKEN_ELEVATION*"
- - "*TOKEN_IMPERSONATE*"
- - "*TOKEN_INFORMATION_CLASS*"
- - "*TOKEN_PRIVILEGES*"
- - "*TOKEN_QUERY*"
- - "*Metasploit*"
- - "*Mimikatz*"
+ Message|contains:
+ - "AdjustTokenPrivileges"
+ - "IMAGE_NT_OPTIONAL_HDR64_MAGIC"
+ - "Microsoft.Win32.UnsafeNativeMethods"
+ - "ReadProcessMemory.Invoke"
+ - "SE_PRIVILEGE_ENABLED"
+ - "LSA_UNICODE_STRING"
+ - "MiniDumpWriteDump"
+ - "PAGE_EXECUTE_READ"
+ - "SECURITY_DELEGATION"
+ - "TOKEN_ADJUST_PRIVILEGES"
+ - "TOKEN_ALL_ACCESS"
+ - "TOKEN_ASSIGN_PRIMARY"
+ - "TOKEN_DUPLICATE"
+ - "TOKEN_ELEVATION"
+ - "TOKEN_IMPERSONATE"
+ - "TOKEN_INFORMATION_CLASS"
+ - "TOKEN_PRIVILEGES"
+ - "TOKEN_QUERY"
+ - "Metasploit"
+ - "Mimikatz"
 condition: keywords
 falsepositives:
 - Penetration tests
diff --git a/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml b/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml
index a08ba728c..21547f4dd 100644
--- a/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml
@@ -3,6 +3,7 @@ id: f772cee9-b7c2-4cb2-8f07-49870adc02e0
 status: experimental
 description: Detects Commandlet names and arguments from the Nishang exploitation framework
 date: 2019/05/16
+modified: 2021/04/23
 references:
 - https://github.com/samratashok/nishang
 tags:
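Review bot: This rule keeps `Message|contains` while powershell_malicious_commandlets.yml in the same commit was moved to `EventID: 4104` plus `ScriptBlockText|contains`; the two rules share the same logsource and `definition`, so a backend mapping that only knows `ScriptBlockText` will fire one and silently miss the other. Suggested change: `keywords:` / `EventID: 4104` / `ScriptBlockText|contains:` with the same 20 strings. `"Mimikatz"` and `"Metasploit"` also appear in security tooling output and documentation that merely mention those names; a short comment above them naming that expected FP source would help triage. The nishang hunk on this line only adds a `modified` date and needs nothing.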
@@ -13,7 +14,7 @@ author: Alec Costello
 logsource:
 product: windows
 service: powershell
- definition: It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277
+ definition: It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277
 detection:
 keywords:
 - Add-ConstrainedDelegationBackdoor
@@ -78,9 +79,8 @@ detection:
 - DataToEncode
 - LoggedKeys
 - OUT-DNSTXT
- - Jitter
+ # - Jitter # Prone to FPs
 - ExfilOption
- -  Tamper
 - DumpCerts
 - DumpCreds
 - Shellcode32
diff --git a/rules/windows/powershell/powershell_powerview_malicious_commandlets.yml b/rules/windows/powershell/powershell_powerview_malicious_commandlets.yml
index b2a3162fe..c442d4fae 100644
--- a/rules/windows/powershell/powershell_powerview_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_powerview_malicious_commandlets.yml
@@ -38,7 +38,7 @@ detection:
 - Get-Forest
 - Get-ForestDomain
 - Get-ForestGlobalCatalog
- - Find-DomainObjectPropertyOutlier-
+ - Find-DomainObjectPropertyOutlier
 - Get-DomainUser
 - New-DomainUser
 - Set-DomainUserPassword
diff --git a/rules/windows/powershell/powershell_prompt_credentials.yml b/rules/windows/powershell/powershell_prompt_credentials.yml
index f5601ce97..4513b1dd2 100644
--- a/rules/windows/powershell/powershell_prompt_credentials.yml
+++ b/rules/windows/powershell/powershell_prompt_credentials.yml
@@ -20,8 +20,8 @@ detection:
 selection:
 EventID: 4104
 keyword:
- Message:
- - '*PromptForCredential*'
+ Message|contains:
+ - 'PromptForCredential'
 condition: all of them
 falsepositives:
 - Unknown
diff --git a/rules/windows/powershell/powershell_remote_powershell_session.yml b/rules/windows/powershell/powershell_remote_powershell_session.yml
index 710a4a931..80f74507d 100644
--- a/rules/windows/powershell/powershell_remote_powershell_session.yml
+++ b/rules/windows/powershell/powershell_remote_powershell_session.yml
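Review bot: In the nishang `@@ -78,9 +79,8 @@` hunk, `- Tamper` is deleted outright while `Jitter` directly above it is kept as a commented entry with the reason `# Prone to FPs`; treating the two removals differently leaves no trace of why `Tamper` went. Either comment it out the same way, `# - Tamper # Prone to FPs`, or record the reason next to the `modified` bump the earlier hunk adds. The powerview fix and the prompt_credentials modifier change on this line are straightforward and need nothing further.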
@@ -6,7 +6,7 @@ date: 2019/08/10
modified: 2020/08/24
author: Roberto Rodriguez @Cyb3rWard0g
references:
- - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md
+ - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
tags:
- attack.execution
- attack.t1059.001
diff --git a/rules/windows/powershell/powershell_shellcode_b64.yml b/rules/windows/powershell/powershell_shellcode_b64.yml
index dcd835dcf..ba269aca2 100644
--- a/rules/windows/powershell/powershell_shellcode_b64.yml
+++ b/rules/windows/powershell/powershell_shellcode_b64.yml
@@ -13,7 +13,7 @@ tags:
- attack.t1086 #an old one
author: David Ledbetter (shellcode), Florian Roth (rule)
date: 2018/11/17
-modified: 2020/08/24
+modified: 2020/12/01
logsource:
product: windows
service: powershell
@@ -21,12 +21,12 @@ logsource:
detection:
selection:
EventID: 4104
- keyword1:
- - '*AAAAYInlM*'
- keyword2:
- - '*OiCAAAAYInlM*'
- - '*OiJAAAAYInlM*'
- condition: selection and keyword1 and keyword2
+ ScriptBlockText|contains: 'AAAAYInlM'
+ selection2:
+ ScriptBlockText|contains:
+ - 'OiCAAAAYInlM'
+ - 'OiJAAAAYInlM'
+ condition: selection and selection2
falsepositives:
- Unknown
level: critical
diff --git a/rules/windows/powershell/powershell_suspicious_export_pfxcertificate.yml b/rules/windows/powershell/powershell_suspicious_export_pfxcertificate.yml
new file mode 100644
index 000000000..ac4077fdb
--- /dev/null
+++ b/rules/windows/powershell/powershell_suspicious_export_pfxcertificate.yml
@@ -0,0 +1,25 @@
+title: Suspicious Export-PfxCertificate
+id: aa7a3fce-bef5-4311-9cc1-5f04bb8c308c
+status: experimental
+description: Detects Commandlet that is used to export certificates from the local certificate store and sometimes used by threat actors to steal provate keys from compromised machines
+references:
+ - https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a
+ - https://docs.microsoft.com/en-us/powershell/module/pki/export-pfxcertificate
+tags:
+ - attack.credential_access
+ - attack.t1552.004
+author: Florian Roth
+date: 2021/04/23
+logsource:
+ product: windows
+ service: powershell
+ definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
+detection:
+ keywords:
+ EventID: 4104
+ ScriptBlockText|contains:
+ - "Export-PfxCertificate"
+ condition: keywords
+falsepositives:
+ - Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)
+level: high
diff --git a/rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml b/rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml
new file mode 100644
index 000000000..cb8754e21
--- /dev/null
+++ b/rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml
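Review bot: The description of powershell_suspicious_export_pfxcertificate.yml has a typo that will surface in every alert, `steal provate keys` should be `steal private keys`. The selection is named `keywords` although it is a field-based selection on `EventID` and `ScriptBlockText`; naming it `selection`, as the other 4104 rules in this commit do, avoids confusion with Sigma's unnamed keyword lists.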
@@ -0,0 +1,24 @@
+title: PowerShell Get-Process LSASS in ScriptBlock
+id: 84c174ab-d3ef-481f-9c86-a50d0b8e3edb
+status: experimental
+description: Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity
+references:
+ - https://twitter.com/PythonResponder/status/1385064506049630211
+tags:
+ - attack.credential_access
+ - attack.t1003.001
+author: Florian Roth
+date: 2021/04/23
+logsource:
+ product: windows
+ service: powershell
+ definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
+detection:
+ keywords:
+ EventID: 4104
+ ScriptBlockText|contains:
+ - 'Get-Process lsass'
+ condition: keywords
+falsepositives:
+ - Legitimate certificate exports invoked by administrators or users (depends on processes in the environment - filter if unusable)
+level: high
diff --git a/rules/windows/powershell/powershell_suspicious_invocation_specific.yml b/rules/windows/powershell/powershell_suspicious_invocation_specific.yml
index 42b151a2c..97833fc3e 100644
--- a/rules/windows/powershell/powershell_suspicious_invocation_specific.yml
+++ b/rules/windows/powershell/powershell_suspicious_invocation_specific.yml
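Review bot: The `falsepositives` entry of the new Get-Process LSASS rule, `Legitimate certificate exports invoked by administrators or users ...`, is copied from the Export-PfxCertificate rule and says nothing about this detection; replace it with `- Unknown` or `- Administrators inspecting lsass for troubleshooting (rare)`. The single pattern `'Get-Process lsass'` also misses the equally common spellings `Get-Process -Name lsass`, `Get-Process -ProcessName lsass` and the alias `gps lsass`; adding those three strings to the `ScriptBlockText|contains` list closes the gap without widening the match.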
@@ -6,21 +6,57 @@ tags:
- attack.execution
- attack.t1059.001
- attack.t1086 #an old one
-author: Florian Roth (rule)
+author: Florian Roth (rule), Jonhnathan Ribeiro
date: 2017/03/05
logsource:
product: windows
service: powershell
detection:
- keywords:
- Message:
- - '* -nop -w hidden -c * [Convert]::FromBase64String*'
- - '* -w hidden -noni -nop -c "iex(New-Object*'
- - '* -w hidden -ep bypass -Enc*'
- - '*powershell.exe reg add HKCU\software\microsoft\windows\currentversion\run*'
- - '*bypass -noprofile -windowstyle hidden (new-object system.net.webclient).download*'
- - '*iex(New-Object Net.WebClient).Download*'
- condition: keywords
+ convert_b64:
+ Message|contains|all:
+ - '-nop'
+ - ' -w '
+ - 'hidden'
+ - ' -c '
+ - '[Convert]::FromBase64String'
+ iex_selection:
+ Message|contains|all:
+ - ' -w '
+ - 'hidden'
+ - '-noni'
+ - '-nop'
+ - ' -c '
+ - 'iex'
+ - 'New-Object'
+ enc_selection:
+ Message|contains|all:
+ - ' -w '
+ - 'hidden'
+ - '-ep'
+ - 'bypass'
+ - '-Enc'
+ reg_selection:
+ Message|contains|all:
+ - 'powershell'
+ - 'reg'
+ - 'add'
+ - 'HKCU\software\microsoft\windows\currentversion\run'
+ webclient_selection:
+ Message|contains|all:
+ - 'bypass'
+ - '-noprofile'
+ - '-windowstyle'
+ - 'hidden'
+ - 'new-object'
+ - 'system.net.webclient'
+ - '.download'
+ iex_webclient:
+ Message|contains|all:
+ - 'iex'
+ - 'New-Object'
+ - 'Net.WebClient'
+ - '.Download'
+ condition: 1 of them
falsepositives:
- Penetration tests
level: high
diff --git a/rules/windows/powershell/powershell_suspicious_keywords.yml b/rules/windows/powershell/powershell_suspicious_keywords.yml
index 6803a85a8..c363bf387 100644
--- a/rules/windows/powershell/powershell_suspicious_keywords.yml
+++ b/rules/windows/powershell/powershell_suspicious_keywords.yml
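Review bot: Splitting the ordered wildcard patterns into `Message|contains|all` token lists drops adjacency, and `reg_selection` now fires on any PowerShell message that merely contains the substrings `powershell`, `reg` and `add` somewhere alongside the Run key path; `add` is satisfied by words such as `address`, and on events whose message embeds `HostApplication=...powershell.exe` the `powershell` token is satisfied by every record. Keep the verb and the key as one token, `- 'reg add HKCU\software\microsoft\windows\currentversion\run'`, which is exactly the tail of the original pattern. `iex_selection` has the same weakness with the three-letter token `iex`, though its other tokens make that less of a problem.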
@@ -3,11 +3,13 @@ id: 1f49f2ab-26bc-48b3-96cc-dcffbc93eadf
status: experimental
description: Detects keywords that could indicate the use of some PowerShell exploitation framework
date: 2019/02/11
+modified: 2021/06/10
author: Florian Roth, Perez Diego (@darkquassar)
references:
- https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462
- https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1
- https://github.com/hlldz/Invoke-Phant0m/blob/master/Invoke-Phant0m.ps1
+ - https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7
tags:
- attack.execution
- attack.t1059.001
@@ -18,7 +20,7 @@ logsource:
definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277. Monitor for EventID 4104'
detection:
keywords:
- Message:
+ Message|contains:
- "System.Reflection.Assembly.Load"
- "[System.Reflection.Assembly]::Load"
- "[Reflection.Assembly]::Load"
@@ -26,6 +28,10 @@ detection:
- "Reflection.Emit.AssemblyBuilderAccess"
- "Runtime.InteropServices.DllImportAttribute"
- "SuspendThread"
+ - "rundll32"
+ - "FromBase64"
+ - "Invoke-WMIMethod"
+ - "http://127.0.0.1"
condition: keywords
falsepositives:
- Penetration tests
diff --git a/rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml b/rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml
new file mode 100644
index 000000000..f0ca3127e
--- /dev/null
+++ b/rules/windows/powershell/powershell_suspicious_mounted_share_deletion.yml
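Review bot: The four keywords added in the `@@ -26,6 +28,10 @@` hunk, `rundll32`, `FromBase64`, `Invoke-WMIMethod` and `http://127.0.0.1`, are far weaker indicators than the reflective-loading strings they join, yet they share the same `condition: keywords` and whatever level the rule carries (outside the hunk). `FromBase64` in particular matches every `[Convert]::FromBase64String` call, which legitimate modules and packaged scripts use for embedded resources, and `rundll32` matches any script that merely mentions the binary. Either move these four into a separate, lower-level rule or at least extend `falsepositives` beyond `Penetration tests` with an entry such as `- Scripts that embed base64 resources or invoke rundll32 legitimately`.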
@@ -0,0 +1,24 @@
+title: PowerShell Deleted Mounted Share
+id: 66a4d409-451b-4151-94f4-a55d559c49b0
+status: experimental
+description: Detects when when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md
+author: 'oscd.community, @redcanary, Zach Stanford @svch0st'
+date: 2020/10/08
+tags:
+ - attack.defense_evasion
+ - attack.t1070.005
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection:
+ EventID: 4104
+ ScriptBlockText|contains:
+ - 'Remove-SmbShare'
+ - 'Remove-FileShare'
+ condition: selection
+falsepositives:
+ - Administrators or Power users may remove their shares via cmd line
+level: medium
diff --git a/rules/windows/powershell/powershell_suspicious_profile_create.yml b/rules/windows/powershell/powershell_suspicious_profile_create.yml
index d1bb7343c..e07a660ad 100644
--- a/rules/windows/powershell/powershell_suspicious_profile_create.yml
+++ b/rules/windows/powershell/powershell_suspicious_profile_create.yml
@@ -9,10 +9,8 @@ date: 2019/10/24
modified: 2020/08/24
logsource:
product: windows
- service: sysmon
+ category: file_event
detection:
- event:
- EventID: 11
target1:
TargetFilename|contains|all:
- '\My Documents\PowerShell\'
@@ -21,7 +19,7 @@ detection:
TargetFilename|contains|all:
- 'C:\Windows\System32\WindowsPowerShell\v1.0\'
- '\profile.ps1'
- condition: event and (target1 or target2)
+ condition: target1 or target2
falsepositives:
- System administrator create Powershell profile manually
level: high
diff --git a/rules/windows/powershell/powershell_tamper_with_windows_defender.yml b/rules/windows/powershell/powershell_tamper_with_windows_defender.yml
new file mode 100644
index 000000000..4e4e4dcc4
--- /dev/null
+++ b/rules/windows/powershell/powershell_tamper_with_windows_defender.yml
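Review bot: In powershell_suspicious_mounted_share_deletion.yml the two cmdlets `Remove-SmbShare` and `Remove-FileShare` stop a share the host itself offers; they do not disconnect a mounted or mapped share, which is what the title and the `share connections` wording of the description promise. If the mapped-drive case is the intent, add `Remove-SmbMapping` and `Remove-PSDrive` to the `ScriptBlockText|contains` list (the `net use ... /delete` form is outside this log source entirely); otherwise retitle the rule to match what it sees. The description also doubles a word, `Detects when when a mounted share` should read `Detects when a mounted share`.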
@@ -0,0 +1,29 @@
+title: Tamper Windows Defender
+id: ec19ebab-72dc-40e1-9728-4c0b805d722c
+description: Attempting to disable scheduled scanning and other parts of windows defender atp.
+status: experimental
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
+author: frack113
+date: 2021/06/07
+falsepositives:
+ - Unknown
+level: high
+logsource:
+ product: windows
+ category: powershell-classic
+detection:
+ select_EventID:
+ EventID: 600
+ tamper_ps_action:
+ HostApplication|contains: 'Set-MpPreference'
+ tamper_ps_option:
+ HostApplication|contains:
+ - '-DisableRealtimeMonitoring 1'
+ - '-DisableBehaviorMonitoring 1'
+ - '-DisableScriptScanning 1'
+ - '-DisableBlockAtFirstSeen 1'
+ condition: select_EventID and tamper_ps_action and tamper_ps_option
diff --git a/rules/windows/powershell/powershell_winlogon_helper_dll.yml b/rules/windows/powershell/powershell_winlogon_helper_dll.yml
index 87e162bd4..9555ba0d5 100644
--- a/rules/windows/powershell/powershell_winlogon_helper_dll.yml
+++ b/rules/windows/powershell/powershell_winlogon_helper_dll.yml
@@ -4,6 +4,7 @@ status: experimental
description: Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables.
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
+modified: 2020/12/01
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1004/T1004.yaml
logsource:
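Review bot: The four `HostApplication|contains` values in the new Defender rule are pinned to the literal form `-DisableRealtimeMonitoring 1`, but these `Set-MpPreference` switches are boolean parameters that are just as often written `-DisableRealtimeMonitoring $true`, `$True` or `-DisableRealtimeMonitoring:$true`, none of which match. Add a `$true` variant for each of the four options, or match the option names only and put the value check (` 1`, `$true`) in a separate selection. `HostApplication` in event 600 carries the host's command line, so the options are only visible when passed on the command line rather than inside a script file; a sentence in `description` saying so would keep the next analyst from assuming full coverage.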
@@ -13,12 +14,12 @@ logsource:
detection:
selection:
EventID: 4104
- keyword1:
- - '*Set-ItemProperty*'
- - '*New-Item*'
- keyword2:
- - '*CurrentVersion\Winlogon*'
- condition: selection and ( keyword1 and keyword2 )
+ ScriptBlockText|contains: 'CurrentVersion\Winlogon'
+ selection2:
+ ScriptBlockText|contains:
+ - 'Set-ItemProperty'
+ - 'New-Item'
+ condition: selection and selection2
falsepositives:
- Unknown
level: medium
diff --git a/rules/windows/powershell/powershell_wsman_com_provider_no_powershell.yml b/rules/windows/powershell/powershell_wsman_com_provider_no_powershell.yml
new file mode 100644
index 000000000..b65954289
--- /dev/null
+++ b/rules/windows/powershell/powershell_wsman_com_provider_no_powershell.yml
@@ -0,0 +1,28 @@
+title: Suspicious Non PowerShell WSMAN COM Provider
+id: df9a0e0e-fedb-4d6c-8668-d765dfc92aa7
+description: Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.
+status: experimental
+date: 2020/06/24
+modified: 2021/05/21
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.execution
+ - attack.t1059.001
+ - attack.lateral_movement
+ - attack.t1021.003
+references:
+ - https://twitter.com/chadtilbury/status/1275851297770610688
+ - https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/
+ - https://github.com/bohops/WSMan-WinRM
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection:
+ Message|contains: 'ProviderName=WSMan'
+ filter:
+ Message|contains: 'HostApplication=*powershell'
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/process_access/sysmon_cmstp_execution.yml b/rules/windows/process_access/sysmon_cmstp_execution.yml
index 4a6f4f4bc..745d8b86d 100755
--- a/rules/windows/process_access/sysmon_cmstp_execution.yml
+++ b/rules/windows/process_access/sysmon_cmstp_execution.yml
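Review bot: In powershell_wsman_com_provider_no_powershell.yml the filter value `HostApplication=*powershell` embeds a glob inside a `contains` value; Sigma does treat a bare `*` as a wildcard even under `contains`, so the effective pattern is `*HostApplication=*powershell*`, but that is easy to misread as a literal and backends that escape `contains` values will silently break the filter. Say so where it sits, `# '*' in the value is intentional: HostApplication carries the host's full path`, or use `Message|re: 'HostApplication=.*powershell'` where regex is supported. The new file also carries `date: 2020/06/24` with `modified: 2021/05/21`, which presumably reflects its history in another branch rather than this tree.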
@@ -14,7 +14,7 @@ tags:
- car.2019-04-001
author: Nik Seetharaman
date: 2018/07/16
-modified: 2020/12/23
+modified: 2021/06/27
references:
- https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
fields:
@@ -30,5 +30,5 @@ logsource:
detection:
# Process Access Call Trace
selection:
- CallTrace: '*cmlua.dll*'
+ CallTrace|contains: 'cmlua.dll'
condition: selection
diff --git a/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml b/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml
index ab1bd80de..dfaf68fcc 100755
--- a/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml
+++ b/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml
@@ -5,7 +5,7 @@ description: Detects process access LSASS memory which is typical for credential
author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community (update)
date: 2017/02/16
-modified: 2020/08/24
+modified: 2021/05/16
references:
- https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
@@ -44,6 +44,7 @@ detection:
- '\procexp64.exe'
- '\procexp.exe'
- '\lsm.exe'
+ - '\MsMpEng.exe'
- '\csrss.exe'
- '\wininit.exe'
- '\vmtoolsd.exe'
diff --git a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml
index 6606314d4..50b71bbea 100755
--- a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml
+++ b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml
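Review bot: Adding `'\MsMpEng.exe'` to what its neighbours (`\procexp.exe`, `\lsm.exe`, `\csrss.exe`) suggest is the `SourceImage|endswith` exclusion list of sysmon_cred_dump_lsass_access.yml — the list head is outside the hunk — whitelists any binary named MsMpEng.exe anywhere on disk, and naming a dumper after the Defender engine is a cheap way to read lsass unnoticed. Give it its own filter selection tied to the install location, `SourceImage|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\'` combined with `SourceImage|endswith: '\MsMpEng.exe'` (plus the legacy `C:\Program Files\Windows Defender\` prefix), rather than the bare file name.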
@@ -7,8 +7,8 @@ description: Detects the access to processes by other suspicious processes which
routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious.
status: experimental
date: 2019/10/27
-modified: 2020/08/24
-author: Perez Diego (@darkquassar), oscd.community
+modified: 2021/05/16
+author: Perez Diego (@darkquassar), oscd.community, Jonhnathan Ribeiro
references:
- https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/
tags:
@@ -21,12 +21,19 @@ logsource:
category: process_access
product: windows
detection:
- selection1:
- CallTrace:
- - "C:\\Windows\\SYSTEM32\\ntdll.dll+*|C:\\Windows\\System32\\KERNELBASE.dll+*|UNKNOWN(*)"
- - "*UNKNOWN(*)|UNKNOWN(*)"
- selection2:
- CallTrace: "*UNKNOWN*"
+ selection1:
+ CallTrace|contains|all:
+ - 'C:\\Windows\\SYSTEM32\\ntdll.dll+'
+ - '|C:\\Windows\\System32\\KERNELBASE.dll+'
+ - '|UNKNOWN('
+ - ')'
+ selection2:
+ CallTrace|contains|all:
+ - "UNKNOWN("
+ - ")|UNKNOWN("
+ CallTrace|endswith: ")"
+ selection3:
+ CallTrace|contains: "UNKNOWN"
granted_access:
GrantedAccess:
- "0x1F0FFF"
@@ -37,7 +44,10 @@ detection:
- "0x1F2FFF"
- "0x1F3FFF"
- "0x1FFFFF"
- condition: selection1 OR (selection2 AND granted_access)
+ filter:
+ SourceImage|endswith:
+ - '\Windows\System32\sdiagnhost.exe'
+ condition: (selection1 or selection2) or (selection3 and granted_access) and not filter
fields:
- ComputerName
- User
diff --git a/rules/windows/process_access/sysmon_invoke_phantom.yml b/rules/windows/process_access/sysmon_invoke_phantom.yml
index bbcf116ae..f779354d6 100755
--- a/rules/windows/process_access/sysmon_invoke_phantom.yml
+++ b/rules/windows/process_access/sysmon_invoke_phantom.yml
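Review bot: The new `condition: (selection1 or selection2) or (selection3 and granted_access) and not filter` in the `@@ -37,7 +44,10 @@` hunk does not exclude sdiagnhost.exe from the `selection1`/`selection2` branches, because `and` binds tighter than `or` in Sigma, so it parses as `selection1 or selection2 or ((selection3 and granted_access) and not filter)`. Write `condition: (selection1 or selection2 or (selection3 and granted_access)) and not filter` so the filter applies to the whole expression. Separately, the trailing `- ')'` token in `selection1` is satisfied by any CallTrace that contains a closing parenthesis and can be dropped.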
@@ -17,10 +17,10 @@ logsource:
product: windows
detection:
selection:
- TargetImage: '*\windows\system32\svchost.exe'
+ TargetImage|endswith: '\windows\system32\svchost.exe'
GrantedAccess: '0x1f3fff'
- CallTrace:
- - '*unknown*'
+ CallTrace|contains:
+ - 'unknown'
condition: selection
falsepositives:
- unknown
diff --git a/rules/windows/process_access/sysmon_lazagne_cred_dump_lsass_access.yml b/rules/windows/process_access/sysmon_lazagne_cred_dump_lsass_access.yml
index 2b57d3b48..bbeede229 100644
--- a/rules/windows/process_access/sysmon_lazagne_cred_dump_lsass_access.yml
+++ b/rules/windows/process_access/sysmon_lazagne_cred_dump_lsass_access.yml
@@ -3,7 +3,7 @@ id: 4b9a8556-99c4-470b-a40c-9c8d02c77ed0
description: Detects LSASS process access by LaZagne for credential dumping.
status: stable
date: 2020/09/09
-author: Bhabesh Raj
+author: Bhabesh Raj, Jonhnathan Ribeiro
references:
- https://twitter.com/bh4b3sh/status/1303674603819081728
tags:
@@ -15,8 +15,12 @@ logsource:
product: windows
detection:
selection:
- TargetImage: '*\lsass.exe'
- CallTrace: "C:\\Windows\\SYSTEM32\\ntdll.dll+*|C:\\Windows\\System32\\KERNELBASE.dll+*_ctypes.pyd+*python27.dll+*"
+ TargetImage|endswith: '\lsass.exe'
+ CallTrace|contains|all:
+ - 'C:\\Windows\\SYSTEM32\\ntdll.dll+'
+ - '|C:\\Windows\\System32\\KERNELBASE.dll+'
+ - '_ctypes.pyd+'
+ - 'python27.dll+'
GrantedAccess: "0x1FFFFF"
condition: selection
level: critical
diff --git a/rules/windows/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml b/rules/windows/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml
new file mode 100644
index 000000000..703f86b32
--- /dev/null
+++ b/rules/windows/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml
@@ -0,0 +1,29 @@
+title: Load Undocumented Autoelevated COM Interface
+id: fb3722e4-1a06-46b6-b772-253e2e7db933
+status: experimental
+description: COM interface (EditionUpgradeManager) that is not used by standard executables.
+references:
+ - https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/
+ - https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1548.002
+author: oscd.community, Dmitry Uchakin
+date: 2020/10/07
+logsource:
+ category: process_access
+ product: windows
+detection:
+ selection:
+ CallTrace|contains: 'editionupgrademanagerobj.dll'
+ condition: selection
+fields:
+ - ComputerName
+ - User
+ - SourceImage
+ - TargetImage
+ - CallTrace
+falsepositives:
+ - unknown
+level: high
\ No newline at end of file
diff --git a/rules/windows/process_access/sysmon_lsass_dump_comsvcs_dll.yml b/rules/windows/process_access/sysmon_lsass_dump_comsvcs_dll.yml
new file mode 100755
index 000000000..fd893e140
--- /dev/null
+++ b/rules/windows/process_access/sysmon_lsass_dump_comsvcs_dll.yml
@@ -0,0 +1,25 @@
+title: Lsass Memory Dump via Comsvcs DLL
+id: a49fa4d5-11db-418c-8473-1e014a8dd462
+description: Detects adversaries leveraging the MiniDump export function from comsvcs.dll via rundll32 to perform a memory dump from lsass.
+status: experimental
+date: 2020/10/20
+modified: 2021/06/21
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.credential_access
+ - attack.t1003.001
+references:
+ - https://twitter.com/shantanukhande/status/1229348874298388484
+ - https://modexp.wordpress.com/2019/08/30/minidumpwritedump-via-com-services-dll/
+logsource:
+ category: process_access
+ product: windows
+detection:
+ selection:
+ TargetImage|endswith: '\lsass.exe'
+ SourceImage: 'C:\Windows\System32\rundll32.exe'
+ CallTrace|contains: 'comsvcs.dll'
+ condition: selection
+falsepositives:
+ - Unknown
+level: critical
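Review bot: In sysmon_lsass_dump_comsvcs_dll.yml `SourceImage: 'C:\Windows\System32\rundll32.exe'` is an exact full-path match, so the same comsvcs.dll MiniDump call issued through `C:\Windows\SysWOW64\rundll32.exe` or through a copy of rundll32.exe placed elsewhere is missed. The lsass target together with the `comsvcs.dll` frame in `CallTrace` is what carries the signal here, so `SourceImage|endswith: '\rundll32.exe'` loses little precision; if the full path is deliberate, a comment on that line should say why.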
diff --git a/rules/windows/process_access/sysmon_lsass_memdump.yml b/rules/windows/process_access/sysmon_lsass_memdump.yml
index 778afd9bc..4eb8b34b2 100755
--- a/rules/windows/process_access/sysmon_lsass_memdump.yml
+++ b/rules/windows/process_access/sysmon_lsass_memdump.yml
@@ -4,7 +4,7 @@ status: experimental
description: Detects process LSASS memory dump using procdump or taskmgr based on the CallTrace pointing to dbghelp.dll or dbgcore.dll for win10
author: Samir Bousseaden
date: 2019/04/03
-modified: 2020/08/24
+modified: 2021/06/21
references:
- https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html
tags:
@@ -17,11 +17,11 @@ logsource:
product: windows
detection:
selection:
- TargetImage: 'C:\windows\system32\lsass.exe'
+ TargetImage|endswith: '\lsass.exe'
GrantedAccess: '0x1fffff'
- CallTrace:
- - '*dbghelp.dll*'
- - '*dbgcore.dll*'
+ CallTrace|contains:
+ - 'dbghelp.dll'
+ - 'dbgcore.dll'
condition: selection
falsepositives:
- unknown
diff --git a/rules/windows/process_access/sysmon_malware_verclsid_shellcode.yml b/rules/windows/process_access/sysmon_malware_verclsid_shellcode.yml
index 2224ad19f..55855b3bc 100755
--- a/rules/windows/process_access/sysmon_malware_verclsid_shellcode.yml
+++ b/rules/windows/process_access/sysmon_malware_verclsid_shellcode.yml
@@ -16,13 +16,15 @@ logsource:
definition: 'Use the following config to generate the necessary Event ID 10 Process Access events: VBE7.DLLUNKNOWN'
detection:
selection:
- TargetImage: '*\verclsid.exe'
+ TargetImage|endswith: '\verclsid.exe'
GrantedAccess: '0x1FFFFF'
combination1:
- CallTrace: '*|UNKNOWN(*VBE7.DLL*'
+ CallTrace|contains|all:
+ - '|UNKNOWN('
+ - 'VBE7.DLL'
combination2:
- SourceImage: '*\Microsoft Office\\*'
- CallTrace: '*|UNKNOWN*'
+ SourceImage|contains: '\Microsoft Office\'
+ CallTrace|contains: '|UNKNOWN'
condition: selection and 1 of combination*
falsepositives:
- unknown
diff --git a/rules/windows/process_access/sysmon_mimikatz_trough_winrm.yml b/rules/windows/process_access/sysmon_mimikatz_trough_winrm.yml
index c679f7ab7..c433c22d6 100755
--- a/rules/windows/process_access/sysmon_mimikatz_trough_winrm.yml
+++ b/rules/windows/process_access/sysmon_mimikatz_trough_winrm.yml
@@ -6,13 +6,13 @@ references:
status: stable
author: Patryk Prauze - ING Tech
date: 2019/05/20
-modified: 2020/08/24
+modified: 2021/06/21
logsource:
category: process_access
product: windows
detection:
selection:
- TargetImage: 'C:\windows\system32\lsass.exe'
+ TargetImage|endswith: '\lsass.exe'
SourceImage: 'C:\Windows\system32\wsmprovhost.exe'
condition: selection
tags:
diff --git a/rules/windows/process_access/sysmon_svchost_cred_dump.yml b/rules/windows/process_access/sysmon_svchost_cred_dump.yml
new file mode 100644
index 000000000..f8d286354
--- /dev/null
+++ b/rules/windows/process_access/sysmon_svchost_cred_dump.yml
@@ -0,0 +1,23 @@
+title: SVCHOST Credential Dump
+id: 174afcfa-6e40-4ae9-af64-496546389294
+description: Detects when a process, such as mimikatz, accesses the memory of svchost to dump credentials
+date: 2021/04/30
+author: Florent Labouyrie
+logsource:
+ product: windows
+ category: process_access
+tags:
+ - attack.t1548
+detection:
+ selection_process:
+ TargetImage|endswith: '\svchost.exe'
+ selection_memory:
+ GrantedAccess: '0x143a'
+ filter_trusted_process_access:
+ SourceImage|endswith:
+ - '*\services.exe'
+ - '*\msiexec.exe'
+ condition: selection_process and selection_memory and not filter_trusted_process_access
+falsepositives:
+ - Non identified legit exectubale
+level: critical
diff --git a/rules/windows/process_access/win_susp_shell_spawn_from_winrm.yml b/rules/windows/process_access/win_susp_shell_spawn_from_winrm.yml
new file mode 100644
index 000000000..44e421b35
--- /dev/null
+++ b/rules/windows/process_access/win_susp_shell_spawn_from_winrm.yml
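Review bot: In sysmon_svchost_cred_dump.yml the `filter_trusted_process_access` values keep a leading `*` under `SourceImage|endswith`, `'*\services.exe'` and `'*\msiexec.exe'`; the modifier already anchors the end, so they should read `'\services.exe'` and `'\msiexec.exe'` as elsewhere in this commit. The only tag is `attack.t1548` (abuse of elevation control), which does not describe reading credentials out of svchost; `attack.credential_access` and `attack.t1003` match the description. The rule also lacks a `status` field and `falsepositives` has a typo, `exectubale`.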
@@ -0,0 +1,31 @@
+title: Suspicious Shells Spawn by WinRM
+id: 5cc2cda8-f261-4d88-a2de-e9e193c86716
+description: Detects suspicious shell spawn from WinRM host process
+status: experimental
+author: Andreas Hunkeler (@Karneades), Markus Neis
+date: 2021/05/20
+modified: 2021/05/22
+tags:
+ - attack.t1190
+ - attack.initial_access
+ - attack.persistence
+ - attack.privilege_escalation
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage: '*\wsmprovhost.exe'
+ Image:
+ - '*\cmd.exe'
+ - '*\sh.exe'
+ - '*\bash.exe'
+ - '*\powershell.exe'
+ - '*\schtasks.exe'
+ - '*\certutil.exe'
+ - '*\whoami.exe'
+ - '*\bitsadmin.exe'
+ condition: selection
+falsepositives:
+ - Legitimate WinRM usage
+level: high
diff --git a/rules/windows/process_creation/process_creation_SDelete.yml b/rules/windows/process_creation/process_creation_SDelete.yml
new file mode 100644
index 000000000..78d444273
--- /dev/null
+++ b/rules/windows/process_creation/process_creation_SDelete.yml
@@ -0,0 +1,32 @@
+title: Sysinternals SDelete Delete File
+id: a4824fca-976f-4964-b334-0621379e84c4
+status: experimental
+author: frack113
+date: 2021/06/03
+description: Use of SDelete to erase a file not the free space
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md
+tags:
+ - attack.impact
+ - attack.t1485
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ OriginalFileName: sdelete.exe
+ filter:
+ CommandLine|contains:
+ - ' -h'
+ - ' -c'
+ - ' -z'
+ - ' /?'
+ condition: selection and not filter
+fields:
+ - ComputerName
+ - User
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - System administrator Usage
+level: medium
diff --git a/rules/windows/process_creation/process_creation_c3_load_by_rundll32.yml b/rules/windows/process_creation/process_creation_c3_load_by_rundll32.yml
new file mode 100644
index 000000000..5289718b6
--- /dev/null
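Review bot: In win_susp_shell_spawn_from_winrm.yml `ParentImage: '*\wsmprovhost.exe'` and the eight `Image` values use the legacy leading-wildcard syntax that every other hunk in this commit converts away from; write `ParentImage|endswith: '\wsmprovhost.exe'` and `Image|endswith:` with the `*` removed from each value. The file is created under `rules/windows/process_access/` although its `logsource` is `category: process_creation`, so it belongs in `rules/windows/process_creation/`. The tags claim `t1190` / `initial_access`, but a shell spawned by the WinRM host process is lateral movement, `attack.t1021.006`.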
+++ b/rules/windows/process_creation/process_creation_c3_load_by_rundll32.yml
@@ -0,0 +1,24 @@
+title: F-Secure C3 Load by Rundll32
+status: experimental
+id: b18c9d4c-fac9-4708-bd06-dd5bfacf200f
+author: Alfie Champion (ajpc500)
+date: 2021/06/02
+description: F-Secure C3 produces DLLs with a default exported StartNodeRelay function.
+references:
+ - https://github.com/FSecureLABS/C3/blob/master/Src/NodeRelayDll/NodeRelayDll.cpp#L12
+tags:
+ - attack.defense_evasion
+ - attack.t1218.011
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - 'rundll32.exe'
+ - '.dll'
+ - 'StartNodeRelay'
+ condition: selection
+falsepositives:
+ - Unknown
+level: critical
diff --git a/rules/windows/process_creation/process_creation_cobaltstrike_load_by_rundll32.yml b/rules/windows/process_creation/process_creation_cobaltstrike_load_by_rundll32.yml
new file mode 100644
index 000000000..580898f69
--- /dev/null
+++ b/rules/windows/process_creation/process_creation_cobaltstrike_load_by_rundll32.yml
@@ -0,0 +1,26 @@
+title: CobaltStrike Load by Rundll32
+status: experimental
+id: ae9c6a7c-9521-42a6-915e-5aaa8689d529
+author: Wojciech Lesicki
+date: 2021/06/01
+description: Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line.
+references:
+ - https://www.cobaltstrike.com/help-windows-executable
+ - https://redcanary.com/threat-detection-report/
+ - https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
+tags:
+ - attack.defense_evasion
+ - attack.t1218.011
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - 'rundll32.exe'
+ - '.dll'
+ - 'StartW'
+ condition: selection
+falsepositives:
+ - Unknown
+level: critical
diff --git a/rules/windows/process_creation/process_creation_dotnet.yml b/rules/windows/process_creation/process_creation_dotnet.yml
new file mode 100644
index 000000000..1c7b2054c
--- /dev/null
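Review bot: In process_creation_c3_load_by_rundll32.yml requiring `'rundll32.exe'` inside `CommandLine|contains|all` misses the common invocation without the extension, `rundll32 payload.dll,StartNodeRelay`, which the shell resolves just as well. Identify the binary with `Image|endswith: '\rundll32.exe'` and keep only `.dll` and `StartNodeRelay` in the command-line list.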
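Review bot: In process_creation_cobaltstrike_load_by_rundll32.yml the `'rundll32.exe'` token in `CommandLine|contains|all` is bypassed by `rundll32 payload.dll,StartW` (no extension), so the binary is better identified with `Image|endswith: '\rundll32.exe'` and only `.dll` and `StartW` kept in the command-line list. `StartW` is also a short substring that matches any argument or export beginning with those letters; if the comma form `payload.dll,StartW` is the only one expected, anchoring the token as `,StartW` reduces that noise. The description has a grammar slip, `can be use by` should be `can be used by`.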
+++ b/rules/windows/process_creation/process_creation_dotnet.yml
@@ -0,0 +1,33 @@
+title: Dotnet.exe Exec Dll and Execute Unsigned Code LOLBIN
+status: experimental
+id: d80d5c81-04ba-45b4-84e4-92eba40e0ad3
+author: Beyu Denis, oscd.community
+date: 2020/10/18
+description: dotnet.exe will execute any DLL and execute unsigned code
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Dotnet.yml
+ - https://twitter.com/_felamos/status/1204705548668555264
+ - https://bohops.com/2019/08/19/dotnet-core-a-vector-for-awl-bypass-defense-evasion/
+tags:
+ - attack.execution
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|endswith:
+ - '.dll'
+ - '.csproj'
+ Image|endswith:
+ - '\dotnet.exe'
+ condition: selection
+fields:
+ - ComputerName
+ - User
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - System administrator Usage
+ - Penetration test
+level: medium
diff --git a/rules/windows/process_creation/process_creation_msdeploy.yml b/rules/windows/process_creation/process_creation_msdeploy.yml
new file mode 100644
index 000000000..08b586762
--- /dev/null
+++ b/rules/windows/process_creation/process_creation_msdeploy.yml
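Review bot: `CommandLine|endswith: '.dll'` / `'.csproj'` in process_creation_dotnet.yml only fires when the file is the very last token of the command line; `dotnet "C:\tools\x.dll"` (quoted path ending in `"`), `dotnet x.dll arg1` and `dotnet run --project x.csproj` all slip past, and the quoted form is what `Start-Process` and shell launchers commonly produce. Use `CommandLine|contains:` for the two extensions while keeping `Image|endswith: '\dotnet.exe'` as the anchor, or add the `'.dll"'` and `'.csproj"'` variants if the end-anchor is intentional.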
@@ -0,0 +1,34 @@
+title: Execute Files with Msdeploy.exe
+status: experimental
+id: 646bc99f-6682-4b47-a73a-17b1b64c9d34
+author: Beyu Denis, oscd.community
+date: 2020/10/18
+description: Detects file execution using the msdeploy.exe lolbin
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Msdeploy.yml
+ - https://twitter.com/pabraeken/status/995837734379032576
+ - https://twitter.com/pabraeken/status/999090532839313408
+tags:
+ - attack.execution
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - 'verb:sync'
+ - '-source:RunCommand'
+ - '-dest:runCommand'
+ Image|endswith:
+ - '\msdeploy.exe'
+ condition: selection
+fields:
+ - ComputerName
+ - User
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - System administrator Usage
+ - Penetration test
+level: medium
diff --git a/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml b/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml
new file mode 100644
index 000000000..399103d25
--- /dev/null
+++ b/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml
@@ -0,0 +1,44 @@
+title: Abused Debug Privilege by Arbitrary Parent Processes
+id: d522eca2-2973-4391-a3e0-ef0374321dae
+status: experimental
+description: Detection of unusual child processes by different system processes
+references:
+ - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-74-638.jpg
+date: 2020/10/28
+tags:
+ - attack.privilege_escalation
+ - attack.t1548
+author: 'Semanur Guneysu @semanurtg, oscd.community'
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection1:
+ ParentImage|endswith:
+ - '\winlogon.exe'
+ - '\services.exe'
+ - '\lsass.exe'
+ - '\csrss.exe'
+ - '\smss.exe'
+ - '\wininit.exe'
+ - '\spoolsv.exe'
+ - '\searchindexer.exe'
+ selection2:
+ Image|endswith:
+ - '\powershell.exe'
+ - '\cmd.exe'
+ selection3:
+ User: 'NT AUTHORITY\SYSTEM'
+ filter:
+ CommandLine|contains|all:
+ - ' route '
+ - ' ADD '
+ condition: selection1 and selection2 and selection3 and not filter
+fields:
+ - ParentImage
+ - Image
+ - User
+ - CommandLine
+falsepositives:
+ - unknown
+level: high
diff --git a/rules/windows/process_creation/sysmon_accesschk_usage_after_priv_escalation.yml b/rules/windows/process_creation/sysmon_accesschk_usage_after_priv_escalation.yml
new file mode 100644
index 000000000..0f53941d2
--- /dev/null
+++ b/rules/windows/process_creation/sysmon_accesschk_usage_after_priv_escalation.yml
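Review bot: `User: 'NT AUTHORITY\SYSTEM'` in `selection3` of sysmon_abusing_debug_privilege.yml is an exact match on the English account name, so on non-English Windows (`NT-AUTORITÄT\SYSTEM`, `AUTORITE NT\Système`, and similar) the selection never matches and the rule is silent. A locale-tolerant form is `User|contains:` with the two values `'AUTHORI'` and `'AUTORI'`; it also admits LOCAL SERVICE and NETWORK SERVICE, but a cmd.exe or powershell.exe child of these parents under any built-in service account is still the behaviour the rule is after, and that trade-off is worth a one-line comment next to the selection.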
@@ -0,0 +1,30 @@
+title: Accesschk Usage After Privilege Escalation
+id: c625d754-6a3d-4f65-9c9a-536aea960d37
+description: Accesschk is an access and privilege audit tool developed by SysInternal and often being used by attacker to verify if a privilege escalation process succesfull or not
+status: experimental
+author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
+date: 2020/10/13
+references:
+ - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-43-638.jpg
+tags:
+ - attack.discovery
+ - attack.t1069.001
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ integrity_level:
+ IntegrityLevel: 'Medium'
+ product:
+ Product|endswith: 'AccessChk'
+ description:
+ Description|contains: 'Reports effective permissions'
+ condition: integrity_level and (product or description)
+fields:
+ - IntegrityLevel
+ - Product
+ - Description
+falsepositives:
+ - System administrator Usage
+ - Penetration test
+level: high
diff --git a/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml b/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml
new file mode 100644
index 000000000..73a21e295
--- /dev/null
+++ b/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml
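Review bot: The detection keys only on PE version metadata (`Product|endswith: 'AccessChk'`, `Description|contains: 'Reports effective permissions'`) and never on `Image`; that is a sensible choice against renamed copies, but it is worth a comment above `detection`, because a repacked binary with stripped version info evades it just as easily and a reader may otherwise add an `Image` match that narrows the rule. The `description` line has a typo (`succesfull` → `successful`), and listing `System administrator Usage` as an expected false positive sits oddly with `level: high`; either lower the level or state why a Medium-integrity AccessChk run is considered high-confidence.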
@@ -0,0 +1,32 @@ +title: Always Install Elevated MSI Spawned Cmd And Powershell +id: 1e53dd56-8d83-4eb4-a43e-b790a05510aa +description: This rule will looks for Windows Installer service (msiexec.exe) spawned command line and/or powershell +status: experimental +author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community +date: 2020/10/13 +references: + - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-50-638.jpg +tags: + - attack.privilege_escalation + - attack.t1548.002 +logsource: + product: windows + category: process_creation +detection: + image: + Image|endswith: + - '\cmd.exe' + - '\powershell.exe' + parent_image: + ParentImage|contains|all: + - '\Windows\Installer\' + - 'msi' + ParentImage|endswith: + - 'tmp' + condition: image and parent_image +fields: + - Image + - ParentImage +falsepositives: + - Penetration test +level: medium \ No newline at end of file diff --git a/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml b/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml new file mode 100644 index 000000000..cd2d7a6d6 --- /dev/null +++ b/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml 
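Review bot: The `description` says the rule looks for `msiexec.exe` spawning cmd/powershell, but `parent_image` matches a parent under `\Windows\Installer\` with `msi` in the name and a `tmp` suffix, i.e. the Installer's extracted custom-action binary (typically `MSI<hex>.tmp`), not `msiexec.exe` itself; the description should say so, because that is also what makes the match specific. `ParentImage|endswith: 'tmp'` lacks the dot, so any parent path ending in the letters `tmp` satisfies it — `'.tmp'` is the intended extension. The file also ends without a trailing newline (`\ No newline at end of file`), which the repository's other rules do not do.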
@@ -0,0 +1,35 @@ +title: MSI Spawned Cmd and Powershell Spawned Processes +id: 38cf8340-461b-4857-bf99-23a41f772b18 +description: This rule will looks for Windows Installer service (msiexec.exe) spawned command line and/or powershell that spawned other processes +status: experimental +author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community +date: 2020/10/13 +references: + - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-50-638.jpg +tags: + - attack.privilege_escalation + - attack.t1548.002 +logsource: + product: windows + category: process_creation +detection: + parent_image: + ParentImage|endswith: + - '\cmd.exe' + - '\powershell.exe' + parent_of_parent_image: + ParentOfParentImage|contains|all: + - '\Windows\Installer\' + - 'msi' + ParentOfParentImage|endswith: + - 'tmp' + condition: parent_image and parent_of_parent_image +fields: + - ParentImage + - ParentOfParentImage +falsepositives: + - Penetration test +level: high +enrichment: + - EN_0001_cache_sysmon_event_id_1_info # http://bit.ly/314zc6x + - EN_0002_enrich_sysmon_event_id_1_with_parent_info # http://bit.ly/2KmSC0l diff --git a/rules/windows/process_creation/sysmon_always_install_elevated_windows_installer.yml b/rules/windows/process_creation/sysmon_always_install_elevated_windows_installer.yml new file mode 100644 index 000000000..8d89e217b --- /dev/null +++ b/rules/windows/process_creation/sysmon_always_install_elevated_windows_installer.yml 
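Review bot: `ParentOfParentImage` is not a field that a process_creation event provides; the rule works only with the `enrichment` entries listed at the bottom, so on a pipeline without that enrichment the converted query compiles but can never match. A comment above `parent_of_parent_image` such as `# requires EN_0001/EN_0002 parent enrichment; unsupported backends will silently produce a dead query` makes the dependency visible at the point of use. The two enrichment references are `bit.ly` short links, which can be retargeted or expire independently of the rule; the canonical URLs belong in `references`. As with the sibling rule, `ParentOfParentImage|endswith: 'tmp'` would be tighter as `'.tmp'`.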
@@ -0,0 +1,37 @@ +title: Always Install Elevated Windows Installer +id: cd951fdc-4b2f-47f5-ba99-a33bf61e3770 +description: This rule will looks for Windows Installer service (msiexec.exe) when it tries to install MSI packages with SYSTEM privilege +status: experimental +author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community +date: 2020/10/13 +references: + - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg +tags: + - attack.privilege_escalation + - attack.t1548.002 +logsource: + product: windows + category: process_creation +detection: + integrity_level: + IntegrityLevel: 'System' + user: + User: 'NT AUTHORITY\SYSTEM' + image_1: + Image|contains|all: + - '\Windows\Installer\' + - 'msi' + Image|endswith: + - 'tmp' + image_2: + Image|endswith: + - '\msiexec.exe' + condition: (image_1 and user) or (image_2 and user and integrity_level) +fields: + - IntegrityLevel + - User + - Image +falsepositives: + - System administrator Usage + - Penetration test +level: medium \ No newline at end of file diff --git a/rules/windows/process_creation/cmstp_execution.yml b/rules/windows/process_creation/sysmon_cmstp_execution.yml similarity index 95% rename from rules/windows/process_creation/cmstp_execution.yml rename to rules/windows/process_creation/sysmon_cmstp_execution.yml index 7ec90b74e..7a27dc2f2 100644 --- a/rules/windows/process_creation/cmstp_execution.yml +++ b/rules/windows/process_creation/sysmon_cmstp_execution.yml @@ -27,5 +27,5 @@ logsource: detection: # CMSTP Spawning Child Process selection: - ParentImage: '*\cmstp.exe' + ParentImage|endswith: '\cmstp.exe' condition: selection diff --git a/rules/windows/process_creation/sysmon_high_integrity_sdclt.yml b/rules/windows/process_creation/sysmon_high_integrity_sdclt.yml new file mode 100644 index 000000000..837cf20c1 --- /dev/null +++ b/rules/windows/process_creation/sysmon_high_integrity_sdclt.yml 
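Review bot: The `image_2 and user and integrity_level` branch describes the Windows Installer service process itself — `msiexec.exe` started as `NT AUTHORITY\SYSTEM` at System integrity is its normal state, not evidence of AlwaysInstallElevated abuse — so this branch is expected to fire on every service start and will dominate the `level: medium` alert volume. Either add a `filter` on the service's own command line (confirm the exact form in your telemetry before hard-coding it) or document in a comment that the branch is intentionally broad and meant for hunting rather than alerting. `image_1`'s `Image|endswith: 'tmp'` would be more precise as `'.tmp'`, and the same locale caveat applies to the literal `'NT AUTHORITY\SYSTEM'` in `user`.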
@@ -0,0 +1,24 @@
+title: High Integrity Sdclt Process
+id: 40f9af16-589d-4984-b78d-8c2aec023197
+description: A General detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used for bypass UAC techniques.
+status: experimental
+date: 2020/05/02
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.privilege_escalation
+ - attack.defense_evasion
+ - attack.t1548.002
+references:
+ - https://github.com/OTRF/detection-hackathon-apt29/issues/6
+ - https://threathunterplaybook.com/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.html
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: 'sdclt.exe'
+ IntegrityLevel: 'High'
+ condition: selection
+falsepositives:
+ - unknown
+level: medium
\ No newline at end of file
diff --git a/rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml b/rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml
index 2b158b3a3..365be7dcf 100644
--- a/rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml
+++ b/rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml
@@ -16,17 +16,17 @@ logsource:
 product: windows
 detection:
 exec_selection:
- ParentImage: '*\userinit.exe'
+ ParentImage|endswith: '\userinit.exe'
 exec_exclusion1:
- Image: '*\explorer.exe'
+ Image|endswith: '\explorer.exe'
 exec_exclusion2:
 CommandLine|contains:
 - 'netlogon.bat'
 - 'UsrLogon.cmd'
 create_keywords_cli:
- CommandLine: '*UserInitMprLogonScript*'
+ CommandLine|contains: 'UserInitMprLogonScript'
 condition: ( exec_selection and not exec_exclusion1 and not exec_exclusion2 ) or create_keywords_cli
 falsepositives:
 - exclude legitimate logon scripts
 - penetration tests, red teaming
-level: high
\ No newline at end of file
+level: high
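Review bot: `Image|endswith: 'sdclt.exe'` has no leading path separator, so any executable whose name merely ends in those characters matches; the sibling `sysmon_sdclt_child_process.yml` added in this same commit anchors on `'\sdclt.exe'`, and this rule should mirror it: `Image|endswith: '\sdclt.exe'`. `IntegrityLevel: 'High'` is likely the normal state when an administrator opens Backup and Restore, so `falsepositives: unknown` understates it; a line such as `- Administrators opening Backup and Restore (sdclt.exe auto-elevates)` would help triage. The file also ends without a trailing newline, which the logon-script hunk on this line fixes for its own file.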
diff --git a/rules/windows/process_creation/sysmon_long_powershell_commandline.yml b/rules/windows/process_creation/sysmon_long_powershell_commandline.yml
new file mode 100644
index 000000000..52ffcbc05
--- /dev/null
+++ b/rules/windows/process_creation/sysmon_long_powershell_commandline.yml
@@ -0,0 +1,28 @@
+title: Too Long PowerShell Commandlines
+id: d0d28567-4b9a-45e2-8bbc-fb1b66a1f7f6
+description: Detects Too long PowerShell command lines
+references:
+ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
+tags:
+ - attack.execution
+ - attack.t1059.001
+status: experimental
+author: oscd.community, Natalia Shornikova
+date: 2020/10/06
+modified: 2021/05/21
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ Powershell_selection:
+ - CommandLine|contains:
+ - 'powershell'
+ - 'pwsh'
+ - Description: 'Windows Powershell'
+ - Product: 'PowerShell Core 6'
+ Length_selection:
+ CommandLine|re: '.{1000,}'
+ condition: all of them
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/process_creation/sysmon_proxy_execution_wuauclt.yml b/rules/windows/process_creation/sysmon_proxy_execution_wuauclt.yml
new file mode 100644
index 000000000..439e99a78
--- /dev/null
+++ b/rules/windows/process_creation/sysmon_proxy_execution_wuauclt.yml
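Review bot: `Length_selection` relies on `CommandLine|re: '.{1000,}'`; the `re` modifier is not supported by every Sigma backend and an unanchored quantified pattern is evaluated against every process_creation event, so the conversion should be tested on the target SIEM and the 1000-character threshold explained in a comment (`# 1000 chars: tune per environment`) rather than left as a bare magic number. `Product: 'PowerShell Core 6'` covers only the 6.x series; 7.x is caught solely through the `'pwsh'` substring, which a renamed binary evades — an `OriginalFileName` branch would close that gap.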
@@ -0,0 +1,32 @@ +title: Proxy Execution via Wuauclt +id: af77cf95-c469-471c-b6a0-946c685c4798 +description: Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code. +status: experimental +date: 2020/10/12 +modified: 2021/05/10 +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Florian Roth +tags: + - attack.defense_evasion + - attack.t1218 +references: + - https://dtm.uk/wuauclt/ +logsource: + category: process_creation + product: windows +detection: + selection_one: + - Image|contains: wuauclt + - OriginalFileName: wuauclt.exe + selection_two: + CommandLine|contains|all: + - 'UpdateDeploymentProvider' + - '.dll' + - 'RunHandlerComServer' + filter: + CommandLine|contains: + - ' /UpdateDeploymentProvider UpdateDeploymentProvider.dll ' + - ' wuaueng.dll ' + condition: selection_one and selection_two and not filter +falsepositives: + - Unknown +level: critical diff --git a/rules/windows/process_creation/sysmon_rclone_execution.yml b/rules/windows/process_creation/sysmon_rclone_execution.yml index 6cf58dc45..3a0b7dfed 100644 --- a/rules/windows/process_creation/sysmon_rclone_execution.yml +++ b/rules/windows/process_creation/sysmon_rclone_execution.yml @@ -5,12 +5,14 @@ description: Detects execution of RClone utility for exfiltration as used by var tags: - attack.exfiltration - attack.t1567.002 -author: Bhabesh Raj +author: Bhabesh Raj, Sittikorn S date: 2021/05/10 +modified: 2021/06/29 references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware - https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a - https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone + - https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html fields: - CommandLine - ParentCommandLine 
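Review bot: `Image|contains: wuauclt` is unanchored, so any path containing that substring (a user-writable `...\wuauclt_test\tool.exe`, say) satisfies `selection_one`; `Image|endswith: '\wuauclt.exe'`, as the other process_creation rules in this commit do, keeps the intent while the `OriginalFileName` branch still covers renamed copies. Both `filter` strings carry leading and trailing spaces (`' /UpdateDeploymentProvider UpdateDeploymentProvider.dll '`, `' wuaueng.dll '`), so a benign invocation where that argument is the last token is not filtered; confirm against real Windows Update telemetry before shipping at `level: critical`. The rclone metadata hunk on this line is fine as is.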
@@ -29,4 +31,16 @@ detection: - '--config ' - '--no-check-certificate ' - ' copy ' + selection3: + Image|endswith: + - '\rclone.exe' + CommandLine|contains: + - 'mega' + - 'pcloud' + - 'ftp' + - '--progress' + - '--ignore-existing' + - '--auto-confirm' + - '--transfers' + - '--multi-thread-streams' condition: 1 of them diff --git a/rules/windows/process_creation/sysmon_sdclt_child_process.yml b/rules/windows/process_creation/sysmon_sdclt_child_process.yml new file mode 100644 index 000000000..8e328a304 --- /dev/null +++ b/rules/windows/process_creation/sysmon_sdclt_child_process.yml @@ -0,0 +1,22 @@ +title: Sdclt Child Processes +id: da2738f2-fadb-4394-afa7-0a0674885afa +description: A General detection for sdclt spawning new processes. This could be an indicator of sdclt being used for bypass UAC techniques. +status: experimental +date: 2020/05/02 +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +tags: + - attack.privilege_escalation + - attack.t1548.002 +references: + - https://github.com/OTRF/detection-hackathon-apt29/issues/6 + - https://threathunterplaybook.com/evals/apt29/detections/3.B.2_C36B49B5-DF58-4A34-9FE9-56189B9DEFEA.html +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage|endswith: '\sdclt.exe' + condition: selection +falsepositives: + - unknown +level: medium \ No newline at end of file diff --git a/rules/windows/process_creation/sysmon_susp_plink_remote_forward.yml b/rules/windows/process_creation/sysmon_susp_plink_remote_forward.yml new file mode 100644 index 000000000..da9ca8e0b --- /dev/null +++ b/rules/windows/process_creation/sysmon_susp_plink_remote_forward.yml 
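Review bot: In the new `selection3`, the `CommandLine|contains` list is OR-ed, so the selection reduces to `\rclone.exe` plus any one of several generic tokens (`'ftp'` also matches `sftp` and any path containing it, `'--progress'` is a routine flag); if the intent is "any rclone.exe execution", a bare `Image|endswith` selection says so more honestly and the token list can go, otherwise `contains|all` or a comment explaining the OR is warranted. The enclosing `detection` block and its other selections start outside this hunk. For the sdclt child-process rule on the same line, `falsepositives: unknown` will not hold — sdclt.exe launching `control.exe` is its normal behaviour — but since the referenced bypass reportedly hijacks that very launch, document the benign child in a comment rather than filtering it out.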
@@ -0,0 +1,25 @@
+title: Suspicious Plink Remote Forwarding
+id: 48a61b29-389f-4032-b317-b30de6b95314
+status: experimental
+description: Detects suspicious Plink tunnel remote forarding to a local port
+references:
+ - https://www.real-sec.com/2019/04/bypassing-network-restrictions-through-rdp-tunneling/
+ - https://medium.com/@informationsecurity/remote-ssh-tunneling-with-plink-exe-7831072b3d7d
+author: Florian Roth
+date: 2021/01/19
+tags:
+ - attack.command_and_control
+ - attack.t1572
+ - attack.lateral_movement
+ - attack.t1021.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Description: 'Command-line SSH, Telnet, and Rlogin client'
+ CommandLine|contains: ' -R '
+ condition: selection
+falsepositives:
+ - Administrative activity using a remote port forwarding to a local port
+level: high
diff --git a/rules/windows/process_creation/sysmon_susp_webdav_client_execution.yml b/rules/windows/process_creation/sysmon_susp_webdav_client_execution.yml
new file mode 100644
index 000000000..6e66c04a3
--- /dev/null
+++ b/rules/windows/process_creation/sysmon_susp_webdav_client_execution.yml
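Review bot: The `description` has a typo: `forarding` → `forwarding`. The match rests on a single PE version string (`Description: 'Command-line SSH, Telnet, and Rlogin client'`), which survives renaming but is just as easy to strip or edit; pairing it as an OR with `OriginalFileName` makes the selection more resilient. Sigma string matching is case-insensitive, so `' -R '` also matches a lower-case `-r` argument; that is harmless here but worth a comment (`# matches -r too; Sigma compares case-insensitively`) so nobody "fixes" it later.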
@@ -0,0 +1,23 @@
+title: Suspicious WebDav Client Execution
+id: 2dbd9d3d-9e27-42a8-b8df-f13825c6c3d5
+description: A General detection for svchost.exe spawning rundll32.exe with command arguments like C:\windows\system32\davclnt.dll,DavSetCookie. This could be an indicator of exfiltration or use of WebDav to launch code (hosted on WebDav Server).
+status: experimental
+date: 2020/05/02
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.exfiltration
+ - attack.t1048.003
+references:
+ - https://github.com/OTRF/detection-hackathon-apt29/issues/17
+ - https://threathunterplaybook.com/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.html
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\rundll32.exe'
+ CommandLine|contains: 'C:\windows\system32\davclnt.dll,DavSetCookie'
+ condition: selection
+falsepositives:
+ - unknown
+level: medium
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_CL_Invocation_LOLScript.yml b/rules/windows/process_creation/win_CL_Invocation_LOLScript.yml
new file mode 100644
index 000000000..04a8b5dd2
--- /dev/null
+++ b/rules/windows/process_creation/win_CL_Invocation_LOLScript.yml
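Review bot: The `description` says the detection is svchost.exe spawning rundll32.exe, but `selection` has no `ParentImage` constraint; either add `ParentImage|endswith: '\svchost.exe'` or drop the claim from the description so the rule and its documentation agree. `CommandLine|contains: 'C:\windows\system32\davclnt.dll,DavSetCookie'` also hard-codes the drive and directory, so a host with a non-`C:` system drive never matches; `'\davclnt.dll,DavSetCookie'` keeps the discriminating part and survives that.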
@@ -0,0 +1,26 @@
+title: Execution via CL_Invocation.ps1
+id: a0459f02-ac51-4c09-b511-b8c9203fc429
+description: Detects Execution via SyncInvoke in CL_Invocation.ps1 module
+status: experimental
+author: oscd.community, Natalia Shornikova
+date: 2020/10/14
+modified: 2021/05/21
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml
+ - https://twitter.com/bohops/status/948061991012327424
+tags:
+ - attack.defense_evasion
+ - attack.t1216
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - 'CL_Invocation.ps1'
+ - 'SyncInvoke'
+ # Example Commandline: "powershell Import-Module c:\Windows\diagnostics\system\Audio\CL_Invocation.ps1; SyncInvoke c:\Evil.exe"
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/win_CL_Mutexverifiers_LOLScript.yml b/rules/windows/process_creation/win_CL_Mutexverifiers_LOLScript.yml
new file mode 100644
index 000000000..4fd2f44c7
--- /dev/null
+++ b/rules/windows/process_creation/win_CL_Mutexverifiers_LOLScript.yml
@@ -0,0 +1,26 @@
+title: Execution via CL_Mutexverifiers.ps1
+id: 99465c8f-f102-4157-b11c-b0cddd53b79a
+description: Detects Execution via runAfterCancelProcess in CL_Mutexverifiers.ps1 module
+status: experimental
+author: oscd.community, Natalia Shornikova
+date: 2020/10/14
+modified: 2021/05/21
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml
+ - https://twitter.com/pabraeken/status/995111125447577600
+tags:
+ - attack.defense_evasion
+ - attack.t1216
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - 'CL_Mutexverifiers.ps1'
+ - 'runAfterCancelProcess'
+ # Example Commandline: "powershell Import-Module c:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1; runAfterCancelProcess c:\Evil.exe"
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/win_ad_find_discovery.yml b/rules/windows/process_creation/win_ad_find_discovery.yml
new file mode 100644
index 000000000..2e6f5b93f
--- /dev/null
+++ b/rules/windows/process_creation/win_ad_find_discovery.yml
@@ -0,0 +1,43 @@ +title: AdFind Usage Detection +id: 9a132afa-654e-11eb-ae93-0242ac130002 +description: AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain. +author: Janantha Marasinghe (https://github.com/blueteam0ps) +references: + - https://thedfirreport.com/2020/05/08/adfind-recon/ + - https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/ + - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/ +date: 2021/02/02 +modified: 2021/02/02 +tags: + - attack.discovery + - attack.t1482 + - attack.t1018 +level: high +status: experimental +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains: + - 'domainlist' + - 'trustdmp' + - 'dcmodes' + - 'adinfo' + - ' dclist ' + - 'computer_pwdnotreqd' + - 'objectcategory=' + - '-subnets -f' + - 'name="Domain Admins"' + - '-sc u:' + - 'domainncs' + - 'dompol' + - ' oudmp ' + - 'subnetdmp' + - 'gpodmp' + - 'fspdmp' + - 'users_noexpire' + - 'computers_active' + condition: selection +falsepositives: + - Admin activity diff --git a/rules/windows/process_creation/win_apt_apt29_thinktanks.yml b/rules/windows/process_creation/win_apt_apt29_thinktanks.yml index 0e60a088c..69a911e44 100644 --- a/rules/windows/process_creation/win_apt_apt29_thinktanks.yml +++ b/rules/windows/process_creation/win_apt_apt29_thinktanks.yml @@ -17,7 +17,11 @@ logsource: product: windows detection: selection: - CommandLine: '*-noni -ep bypass $*' + CommandLine|contains|all: + - '-noni' + - '-ep' + - 'bypass' + - '$' condition: selection falsepositives: - unknown diff --git a/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml b/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml index ec6dbff16..248e3d652 100644 --- a/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml 
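Review bot: Several `CommandLine|contains` tokens in the AdFind rule are not AdFind-specific: `'objectcategory='` is a standard LDAP filter fragment used by `dsquery`, `ldifde` and PowerShell AD cmdlets, and short strings such as `'adinfo'` or `'dompol'` can appear inside ordinary path or product names; at `level: high` with no `Image`/`OriginalFileName` anchor this will page on routine administration. Consider keeping the AdFind-only switches (`trustdmp`, `dclist`, `subnetdmp`, `users_noexpire`, …) in one selection and gating the generic strings on `Image|endswith: '\adfind.exe'` or an `OriginalFileName` match, and naming the expected admin tooling under `falsepositives` instead of the bare `Admin activity`.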
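Review bot: In `win_apt_apt29_thinktanks.yml`, replacing `'*-noni -ep bypass $*'` with `contains|all` on `-noni`, `-ep`, `bypass` and `$` loses the adjacency that made the original an IOC: `$` occurs in almost any PowerShell command line and `-ep` is a substring of many words, so the rule now reduces to `-noni` + `bypass` and overlaps the generic suspicious-PowerShell rules at APT-rule severity (the `level` is outside the hunk). `CommandLine|contains: '-noni -ep bypass $'` preserves the ordered pattern without wildcards; if the spacing varies in the samples, `CommandLine|re` can express it explicitly.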
+++ b/rules/windows/process_creation/win_apt_bear_activity_gtr19.yml @@ -17,11 +17,20 @@ logsource: product: windows detection: selection1: - Image: '*\xcopy.exe' - CommandLine: '* /S /E /C /Q /H \\*' + Image|endswith: '\xcopy.exe' + CommandLine|contains|all: + - '/S' + - '/E' + - '/C' + - '/Q' + - '/H' + - '\\' selection2: - Image: '*\adexplorer.exe' - CommandLine: '* -snapshot "" c:\users\\*' + Image|endswith: '\adexplorer.exe' + CommandLine|contains|all: + - '-snapshot' + - '""' + - 'c:\users\' condition: selection1 or selection2 falsepositives: - unknown diff --git a/rules/windows/process_creation/win_apt_bluemashroom.yml b/rules/windows/process_creation/win_apt_bluemashroom.yml index ba271c720..dedb3b2d5 100644 --- a/rules/windows/process_creation/win_apt_bluemashroom.yml +++ b/rules/windows/process_creation/win_apt_bluemashroom.yml @@ -15,9 +15,12 @@ logsource: product: windows detection: selection: - CommandLine: - - '*\regsvr32*\AppData\Local\\*' - - '*\AppData\Local\\*,DllEntry*' + - CommandLine|contains|all: + - '\regsvr32' + - '\AppData\Local\' + - CommandLine|contains|all: + - '\AppData\Local\' + - ',DllEntry' condition: selection falsepositives: - Unlikely diff --git a/rules/windows/process_creation/win_apt_chafer_mar18.yml b/rules/windows/process_creation/win_apt_chafer_mar18.yml index 1662eac37..a64f96298 100755 --- a/rules/windows/process_creation/win_apt_chafer_mar18.yml +++ b/rules/windows/process_creation/win_apt_chafer_mar18.yml @@ -19,7 +19,7 @@ tags: - attack.t1071.004 date: 2018/03/23 modified: 2020/08/26 -author: Florian Roth, Markus Neis +author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community detection: condition: 1 of them falsepositives: 
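Review bot: In `selection1` of the bear-activity rule the new `'\\'` item is meant to keep the UNC prefix from the old `' /S /E /C /Q /H \\*'` pattern, but elsewhere in this same commit a trailing `\\` is normalized to a single `\` (the Lazarus rules), so how a bare `'\\'` is rendered depends on the backend's escape handling; confirm it emits a literal backslash pair and state the intended literal in a comment. The remaining tokens (`/S`, `/E`, `/C`, `/Q`, `/H`) are two-character substrings that also occur inside ordinary paths and switches, so the old ordered pattern was considerably tighter; `CommandLine|contains: ' /S /E /C /Q /H '` keeps the ordering without wildcards. The rule's `condition` and `level` are outside the hunk; the bluemashroom rewrite on this line is a faithful split into two OR-ed selections.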
@@ -47,33 +47,31 @@ detection: - 'UpdatMachine' --- logsource: + category: registry_event product: windows - service: sysmon detection: selection_reg1: - EventID: 13 - TargetObject: - - '*SOFTWARE\Microsoft\Windows\CurrentVersion\UMe' - - '*SOFTWARE\Microsoft\Windows\CurrentVersion\UT' - EventType: 'SetValue' - selection_reg2: - EventID: 13 - TargetObject: '*\Control\SecurityProviders\WDigest\UseLogonCredential' - EventType: 'SetValue' - Details: 'DWORD (0x00000001)' + TargetObject|endswith: + - 'SOFTWARE\Microsoft\Windows\CurrentVersion\UMe' + - 'SOFTWARE\Microsoft\Windows\CurrentVersion\UT' --- logsource: category: process_creation product: windows detection: + selection_process0: + CommandLine|contains: '\Service.exe' + CommandLine|endswith: + - 'i' + - 'u' selection_process1: - CommandLine: - - '*\Service.exe i' - - '*\Service.exe u' - - '*\microsoft\Taskbar\autoit3.exe' - - 'C:\wsc.exe*' + - CommandLine|endswith: '\microsoft\Taskbar\autoit3.exe' + - CommandLine|startswith: 'C:\wsc.exe' selection_process2: - Image: '*\Windows\Temp\DB\\*.exe' + Image|contains: '\Windows\Temp\DB\' + Image|endswith: '.exe' selection_process3: - CommandLine: '*\nslookup.exe -q=TXT*' - ParentImage: '*\Autoit*' + CommandLine|contains|all: + - '\nslookup.exe' + - '-q=TXT' + ParentImage|contains: '\Autoit' diff --git a/rules/windows/process_creation/win_apt_cloudhopper.yml b/rules/windows/process_creation/win_apt_cloudhopper.yml index f6cde4853..8c6538e18 100755 --- a/rules/windows/process_creation/win_apt_cloudhopper.yml +++ b/rules/windows/process_creation/win_apt_cloudhopper.yml @@ -15,8 +15,10 @@ logsource: product: windows detection: selection: - Image: '*\cscript.exe' - CommandLine: '*.vbs /shell *' + Image|endswith: '\cscript.exe' + CommandLine|contains|all: + - '.vbs' + - '/shell' condition: selection fields: - CommandLine diff --git a/rules/windows/process_creation/win_apt_dragonfly.yml b/rules/windows/process_creation/win_apt_dragonfly.yml index 4c1593865..78c99ce92 100755 
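Review bot: The rewritten registry document drops `selection_reg2` (`\Control\SecurityProviders\WDigest\UseLogonCredential` with `Details: 'DWORD (0x00000001)'`) instead of migrating it to `registry_event`, so the WDigest credential-caching detection silently disappears from this rule; if that is intentional it should be called out in the rule's `modified`/description, otherwise re-add it as `selection_reg2:` with `TargetObject|endswith: '\Control\SecurityProviders\WDigest\UseLogonCredential'` and `Details: 'DWORD (0x00000001)'`. The `EventType: 'SetValue'` constraint is also gone, so key creation, deletion and rename events on the `UMe`/`UT` paths now match as well. The new `selection_process0` pairs `CommandLine|contains: '\Service.exe'` with `CommandLine|endswith: 'i'`/`'u'`, which accepts any trailing `i` or `u` and is broader than the old `\Service.exe i`/`\Service.exe u`; `CommandLine|endswith: ['\Service.exe i', '\Service.exe u']` is exact. The shared `condition: 1 of them` lives in the first document, outside this hunk.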
--- a/rules/windows/process_creation/win_apt_dragonfly.yml +++ b/rules/windows/process_creation/win_apt_dragonfly.yml @@ -13,8 +13,8 @@ logsource: product: windows detection: selection: - Image: - - '*\crackmapexec.exe' + Image|endswith: + - '\crackmapexec.exe' condition: selection falsepositives: - None diff --git a/rules/windows/process_creation/win_apt_elise.yml b/rules/windows/process_creation/win_apt_elise.yml index e392bbd7c..3758f698d 100755 --- a/rules/windows/process_creation/win_apt_elise.yml +++ b/rules/windows/process_creation/win_apt_elise.yml @@ -20,9 +20,9 @@ logsource: detection: selection1: Image: 'C:\Windows\SysWOW64\cmd.exe' - CommandLine: '*\Windows\Caches\NavShExt.dll *' + CommandLine|contains: '\Windows\Caches\NavShExt.dll ' selection2: - CommandLine: '*\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll,Setting' + CommandLine|endswith: '\AppData\Roaming\MICROS~1\Windows\Caches\NavShExt.dll,Setting' condition: 1 of them falsepositives: - Unknown diff --git a/rules/windows/process_creation/win_apt_emissarypanda_sep19.yml b/rules/windows/process_creation/win_apt_emissarypanda_sep19.yml index 06a42220d..aae0f52a5 100644 --- a/rules/windows/process_creation/win_apt_emissarypanda_sep19.yml +++ b/rules/windows/process_creation/win_apt_emissarypanda_sep19.yml @@ -17,8 +17,8 @@ logsource: product: windows detection: selection: - ParentImage: '*\sllauncher.exe' - Image: '*\svchost.exe' + ParentImage|endswith: '\sllauncher.exe' + Image|endswith: '\svchost.exe' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/win_apt_empiremonkey.yml b/rules/windows/process_creation/win_apt_empiremonkey.yml index 4aa084419..55efdc512 100644 --- a/rules/windows/process_creation/win_apt_empiremonkey.yml +++ b/rules/windows/process_creation/win_apt_empiremonkey.yml 
@@ -22,13 +22,13 @@ logsource: product: windows detection: selection_cutil: - CommandLine: - - '*/i:%APPDATA%\logs.txt scrobj.dll' - Image: - - '*\cutil.exe' + CommandLine|endswith: + - '/i:%APPDATA%\logs.txt scrobj.dll' + Image|endswith: + - '\cutil.exe' selection_regsvr32: - CommandLine: - - '*/i:%APPDATA%\logs.txt scrobj.dll' + CommandLine|endswith: + - '/i:%APPDATA%\logs.txt scrobj.dll' Description: - Microsoft(C) Registerserver - \ No newline at end of file + diff --git a/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml b/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml index 6eedefb4a..78748faa4 100755 --- a/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml +++ b/rules/windows/process_creation/win_apt_equationgroup_dll_u_load.yml @@ -18,10 +18,10 @@ logsource: product: windows detection: selection1: - Image: '*\rundll32.exe' - CommandLine: '*,dll_u' + Image|endswith: '\rundll32.exe' + CommandLine|endswith: ',dll_u' selection2: - CommandLine: '* -export dll_u *' + CommandLine|contains: ' -export dll_u ' condition: 1 of them falsepositives: - Unknown diff --git a/rules/windows/process_creation/win_apt_evilnum_jul20.yml b/rules/windows/process_creation/win_apt_evilnum_jul20.yml index da8c4c04f..df63be5a5 100644 --- a/rules/windows/process_creation/win_apt_evilnum_jul20.yml +++ b/rules/windows/process_creation/win_apt_evilnum_jul20.yml @@ -19,7 +19,8 @@ detection: selection: CommandLine|contains|all: - 'regsvr32' - - ' /s /i ' + - '/s' + - '/i' - '\AppData\Roaming\' - '.ocx' condition: selection diff --git a/rules/windows/process_creation/win_apt_greenbug_may20.yml b/rules/windows/process_creation/win_apt_greenbug_may20.yml index f56288f7f..ffae03271 100644 --- a/rules/windows/process_creation/win_apt_greenbug_may20.yml +++ b/rules/windows/process_creation/win_apt_greenbug_may20.yml 
@@ -23,7 +23,8 @@ logsource:
 detection:
 selection1:
 CommandLine|contains|all:
- - 'bitsadmin /transfer'
+ - 'bitsadmin'
+ - '/transfer'
 - 'CSIDL_APPDATA'
 selection2:
 CommandLine|contains:
diff --git a/rules/windows/process_creation/win_apt_hafnium.yml b/rules/windows/process_creation/win_apt_hafnium.yml
new file mode 100644
index 000000000..042fe15aa
--- /dev/null
+++ b/rules/windows/process_creation/win_apt_hafnium.yml
@@ -0,0 +1,72 @@ +title: Exchange Exploitation Activity +id: bbb2dedd-a0e3-46ab-ba6c-6c82ae7a9aa7 +description: Detects activity observed by different researchers to be HAFNIUM group acitivity (or related) on Exchange servers +author: Florian Roth +date: 2021/03/09 +modified: 2021/03/16 +status: experimental +references: + - https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/ + - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ + - https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3 + - https://twitter.com/GadixCRK/status/1369313704869834753?s=20 + - https://twitter.com/BleepinComputer/status/1372218235949617161 +logsource: + category: process_creation + product: windows +detection: + selection1: + CommandLine|contains|all: + - 'attrib' + - ' +h ' + - ' +s ' + - ' +r ' + - '.aspx' + selection2: + CommandLine|contains|all: + - 'schtasks' + - 'VSPerfMon' + selection3: + CommandLine|contains|all: + - 'vssadmin list shadows' + - 'Temp\__output' + selection4: + CommandLine|contains: '%TEMP%\execute.bat' + selection5: + Image|endswith: 'Users\Public\opera\Opera_browser.exe' + selection6: + Image|endswith: 'Opera_browser.exe' + ParentImage|endswith: + - '\services.exe' + - '\svchost.exe' + selection7: + Image|contains: '\ProgramData\VSPerfMon\' + selection8: + CommandLine|contains|all: + - ' -t7z ' + - 'C:\Programdata\pst' + - '\it.zip' + selection9: + Image|endswith: '\makecab.exe' + CommandLine|contains: + - 'Microsoft\Exchange Server\' + - 'inetpub\wwwroot' + selection10: + CommandLine|contains: + - '\Temp\xx.bat' + - 'Windows\WwanSvcdcs' + - 'Windows\Temp\cw.exe' + selection11: + CommandLine|contains|all: + - '\comsvcs.dll' + - 'Minidump' + - '\inetpub\wwwroot' + selection12: + CommandLine|contains|all: + - 'dsquery' + - ' -uco ' + - '\inetpub\wwwroot' + condition: 1 of them +falsepositives: + - Unknown +level: high 
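Review bot: The twelve selections are joined by `1 of them` with nothing saying which observed behaviour or reference each encodes, whereas the Lazarus rule touched in this commit annotates its selections (`# Network share discovery`); a one-line comment above each, e.g. `# .aspx file hidden via attrib +h +s +r` over `selection1` and `# LSASS dump via comsvcs.dll MiniDump written under the webroot` over `selection11`, lets an analyst triage without re-reading five references. `selection10` is a list of bare filename IOCs (`\Temp\xx.bat`, `Windows\Temp\cw.exe`) that age far faster than the behavioural selections; noting their source next to them helps future pruning. `selection5`'s `Image|endswith: 'Users\Public\opera\Opera_browser.exe'` lacks the leading `\` the other `endswith` items carry.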
diff --git a/rules/windows/process_creation/win_apt_hurricane_panda.yml b/rules/windows/process_creation/win_apt_hurricane_panda.yml index 294a3484d..8f7f0eedd 100755 --- a/rules/windows/process_creation/win_apt_hurricane_panda.yml +++ b/rules/windows/process_creation/win_apt_hurricane_panda.yml @@ -15,9 +15,12 @@ logsource: product: windows detection: selection: - CommandLine: - - '* localgroup administrators admin /add' - - '*\Win64.exe*' + - CommandLine|contains|all: + - 'localgroup' + - 'admin' + - '/add' + - CommandLine|contains: + - '\Win64.exe' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml b/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml index ca9d2189e..c1fb93db5 100644 --- a/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml +++ b/rules/windows/process_creation/win_apt_judgement_panda_gtr19.yml @@ -20,15 +20,15 @@ logsource: product: windows detection: selection1: - CommandLine: - - '*\ldifde.exe -f -n *' - - '*\7za.exe a 1.7z *' - - '* eprod.ldf' - - '*\aaaa\procdump64.exe*' - - '*\aaaa\netsess.exe*' - - '*\aaaa\7za.exe*' - - '*copy .\1.7z \\*' - - '*copy \\client\c$\aaaa\\*' + - CommandLine|endswith: 'eprod.ldf' + - CommandLine|contains: + - '\ldifde.exe -f -n ' + - '\7za.exe a 1.7z ' + - '\aaaa\procdump64.exe' + - '\aaaa\netsess.exe' + - '\aaaa\7za.exe' + - 'copy .\1.7z \' + - 'copy \\client\c$\aaaa\' selection2: Image: C:\Users\Public\7za.exe condition: selection1 or selection2 diff --git a/rules/windows/process_creation/win_apt_ke3chang_regadd.yml b/rules/windows/process_creation/win_apt_ke3chang_regadd.yml index 1a7726dfe..ce489eb89 100644 --- a/rules/windows/process_creation/win_apt_ke3chang_regadd.yml +++ b/rules/windows/process_creation/win_apt_ke3chang_regadd.yml 
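Review bot: In `win_apt_hurricane_panda.yml`, `CommandLine|contains|all` on `localgroup`, `admin` and `/add` is far broader than the old `' localgroup administrators admin /add'`: `admin` is a substring of `administrators`, so every `net localgroup administrators <user> /add` now matches and the rule becomes a generic local-admin-addition detection at this rule's APT severity (`level` is outside the hunk). If the IOC was the account name `admin`, keep it distinguishable — `CommandLine|contains: ' localgroup administrators admin /add'` — or retitle and re-level the rule as generic. The judgement-panda rewrite on the same line keeps its ordered substrings and looks faithful.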
@@ -1,7 +1,7 @@
 title: Ke3chang Registry Key Modifications
 id: 7b544661-69fc-419f-9a59-82ccc328f205
 status: experimental
-description: Detects Registry modifcations performaed by Ke3chang malware in campaigns running in 2019 and 2020
+description: Detects Registry modifications performed by Ke3chang malware in campaigns running in 2019 and 2020
 references:
 - https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf
 - https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/
diff --git a/rules/windows/process_creation/win_apt_lazarus_activity_apr21.yml b/rules/windows/process_creation/win_apt_lazarus_activity_apr21.yml
index 47ee4dc41..c100e1b92 100644
--- a/rules/windows/process_creation/win_apt_lazarus_activity_apr21.yml
+++ b/rules/windows/process_creation/win_apt_lazarus_activity_apr21.yml
@@ -8,6 +8,7 @@ tags:
 - attack.g0032
 author: Bhabesh Raj
 date: 2021/04/20
+modified: 2021/06/27
 logsource:
 category: process_creation
 product: windows
@@ -22,8 +23,8 @@ detection:
 Image:
 - 'C:\Windows\System32\mshta.exe'
 selection3:
- ParentImage:
- - 'C:\Users\Public\*'
+ ParentImage|contains:
+ - ':\Users\Public\'
 Image:
 - 'C:\Windows\System32\rundll32.exe'
 condition: 1 of them
diff --git a/rules/windows/process_creation/win_apt_lazarus_activity_dec20.yml b/rules/windows/process_creation/win_apt_lazarus_activity_dec20.yml
index 30507fefd..9843b81e5 100644
--- a/rules/windows/process_creation/win_apt_lazarus_activity_dec20.yml
+++ b/rules/windows/process_creation/win_apt_lazarus_activity_dec20.yml
@@ -9,6 +9,7 @@ tags:
 - attack.g0032
 author: Florian Roth
 date: 2020/12/23
+modified: 2021/06/27
 logsource:
 category: process_creation
 product: windows
@@ -30,7 +31,7 @@ detection: # Network share discovery selection4: CommandLine|contains: - - '.255 10 C:\ProgramData\\' + - '.255 10 C:\ProgramData\' condition: 1 of them falsepositives: - Overlap with legitimate process activity in some cases (especially selection 3 and 4) diff --git a/rules/windows/process_creation/win_apt_lazarus_loader.yml b/rules/windows/process_creation/win_apt_lazarus_loader.yml index f947bc97f..df3df1a4d 100644 --- a/rules/windows/process_creation/win_apt_lazarus_loader.yml +++ b/rules/windows/process_creation/win_apt_lazarus_loader.yml @@ -7,8 +7,9 @@ references: - https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/ tags: - attack.g0032 -author: Florian Roth +author: Florian Roth, wagga date: 2020/12/23 +modified: 2021/06/27 logsource: category: process_creation product: windows @@ -19,12 +20,12 @@ detection: - ' -p 0x' selection_cmd2: CommandLine|contains: - - 'C:\ProgramData\\' - - 'C:\RECYCLER\\' + - 'C:\ProgramData\' + - 'C:\RECYCLER\' selection_rundll1: CommandLine|contains|all: - 'rundll32.exe ' - - 'C:\ProgramData\\' + - 'C:\ProgramData\' selection_rundll2: CommandLine|contains: - '.bin,' diff --git a/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml b/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml index bf8fcd819..41edce51f 100644 --- a/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml +++ b/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml @@ -15,13 +15,13 @@ logsource: product: windows detection: selection: - Image: - - '*\msdtc.exe' - - '*\gpvc.exe' + Image|endswith: + - '\msdtc.exe' + - '\gpvc.exe' filter: - Image: - - 'C:\Windows\System32\\*' - - 'C:\Windows\SysWOW64\\*' + Image|startswith: + - 'C:\Windows\System32\' + - 'C:\Windows\SysWOW64\' condition: selection and not filter falsepositives: - unknown 
diff --git a/rules/windows/process_creation/win_apt_mustangpanda.yml b/rules/windows/process_creation/win_apt_mustangpanda.yml index 28fa66924..614745109 100644 --- a/rules/windows/process_creation/win_apt_mustangpanda.yml +++ b/rules/windows/process_creation/win_apt_mustangpanda.yml @@ -2,7 +2,7 @@ title: Mustang Panda Dropper id: 2d87d610-d760-45ee-a7e6-7a6f2a65de00 status: experimental description: Detects specific process parameters as used by Mustang Panda droppers -author: Florian Roth +author: Florian Roth, oscd.community date: 2019/10/30 references: - https://app.any.run/tasks/7ca5661d-a67b-43ec-98c1-dd7a8103c256/ @@ -13,15 +13,18 @@ logsource: product: windows detection: selection1: - CommandLine: - - '*Temp\wtask.exe /create*' - - '*%windir:~-3,1%%PUBLIC:~-9,1%*' - - '*/E:vbscript * C:\Users\\*.txt" /F' - - '*/tn "Security Script *' - - '*%windir:~-1,1%*' + - CommandLine|contains: + - 'Temp\wtask.exe /create' + - '%windir:~-3,1%%PUBLIC:~-9,1%' + - '/tn "Security Script ' + - '%windir:~-1,1%' + - CommandLine|contains|all: + - '/E:vbscript' + - 'C:\Users\' + - '.txt' + - '/F' selection2: - Image: - - '*Temp\winwsh.exe' + Image|endswith: 'Temp\winwsh.exe' condition: 1 of them fields: - CommandLine diff --git a/rules/windows/process_creation/win_apt_slingshot.yml b/rules/windows/process_creation/win_apt_slingshot.yml index 2588e6dd8..51589931e 100755 --- a/rules/windows/process_creation/win_apt_slingshot.yml +++ b/rules/windows/process_creation/win_apt_slingshot.yml @@ -25,7 +25,6 @@ detection: CommandLine|contains: - '/delete' - '/change' - selection2: CommandLine|contains|all: - '/TN' - '\Microsoft\Windows\Defrag\ScheduledDefrag' diff --git a/rules/windows/process_creation/win_apt_sofacy.yml b/rules/windows/process_creation/win_apt_sofacy.yml index 6daeed46b..ac8d9ae9b 100755 --- a/rules/windows/process_creation/win_apt_sofacy.yml +++ b/rules/windows/process_creation/win_apt_sofacy.yml 
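Review bot: The win_apt_slingshot hunk removes the `selection2:` key but leaves its `CommandLine|contains|all` block in place, so that block now becomes a second key of the preceding selection and is AND-ed with its `CommandLine|contains` list. The `condition:` line is outside the hunk; if it still references `selection2` the rule no longer compiles, and if it was rewritten to a single selection the merge reads as accidental without a comment. Either restore `  selection2:` or, if the AND is intended, add `# the /delete or /change flag and the ScheduledDefrag task path must appear on the same command line` above the merged block and adjust the condition in the same commit.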
@@ -1,9 +1,9 @@ title: Sofacy Trojan Loader Activity id: ba778144-5e3d-40cf-8af9-e28fb1df1e20 -author: Florian Roth +author: Florian Roth, Jonhnathan Ribeiro, oscd.community status: experimental date: 2018/03/01 -modified: 2020/08/27 +modified: 2020/11/28 description: Detects Trojan loader acitivty as used by APT28 references: - https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/ @@ -22,11 +22,14 @@ logsource: category: process_creation product: windows detection: - selection: - CommandLine: - - 'rundll32.exe %APPDATA%\\*.dat",*' - - 'rundll32.exe %APPDATA%\\*.dll",#1' - condition: selection + selection1: + CommandLine|contains|all: + - 'rundll32.exe' + - '%APPDATA%\' + selection2: + - CommandLine|contains: '.dat",' + - CommandLine|endswith: '.dll",#1' + condition: selection1 and selection2 falsepositives: - Unknown level: critical diff --git a/rules/windows/process_creation/win_apt_tropictrooper.yml b/rules/windows/process_creation/win_apt_tropictrooper.yml index 9cfbe54c6..70dcfd75e 100644 --- a/rules/windows/process_creation/win_apt_tropictrooper.yml +++ b/rules/windows/process_creation/win_apt_tropictrooper.yml @@ -16,6 +16,6 @@ logsource: product: windows detection: selection: - CommandLine: '*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*' + CommandLine|contains: 'abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc' condition: selection level: high diff --git a/rules/windows/process_creation/win_apt_unc2452_cmds.yml b/rules/windows/process_creation/win_apt_unc2452_cmds.yml new file mode 100644 index 000000000..b1c081801 --- /dev/null +++ b/rules/windows/process_creation/win_apt_unc2452_cmds.yml 
@@ -0,0 +1,48 @@ +title: UNC2452 Process Creation Patterns +id: 9be34ad0-b6a7-4fbd-91cf-fc7ec1047f5f +description: Detects a specific process creation patterns as seen used by UNC2452 and provided by Microsoft as Microsoft Defender ATP queries +status: experimental +references: + - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/ +tags: + - attack.execution + - attack.t1059.001 + - sunburst + - unc2452 +author: Florian Roth +date: 2021/01/22 +modified: 2021/06/27 +logsource: + category: process_creation + product: windows +detection: + selection1: + CommandLine|contains: + - '7z.exe a -v500m -mx9 -r0 -p' + selection2: + ParentCommandLine|contains|all: + - 'wscript.exe' + - '.vbs' + CommandLine|contains|all: + - 'rundll32.exe' + - 'C:\Windows' + - '.dll,Tk_' + selection3: + ParentImage|endswith: '\rundll32.exe' + ParentCommandLine|contains: 'C:\Windows' + CommandLine|contains: 'cmd.exe /C ' + selection4: + CommandLine|contains|all: + - 'rundll32 c:\windows\' + - '.dll ' + specific1: + ParentImage|endswith: '\rundll32.exe' + Image|endswith: '\dllhost.exe' + filter1: + CommandLine: + - ' ' + - '' + condition: selection1 or selection2 or selection3 or selection4 or ( specific1 and not filter1 ) +falsepositives: + - Unknown +level: critical \ No newline at end of file diff --git a/rules/windows/process_creation/win_apt_unc2452_ps.yml b/rules/windows/process_creation/win_apt_unc2452_ps.yml new file mode 100644 index 000000000..89de914d9 --- /dev/null +++ b/rules/windows/process_creation/win_apt_unc2452_ps.yml 
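Review bot: `( specific1 and not filter1 )` matches rundll32-spawned dllhost.exe whose CommandLine is neither empty nor a single space, i.e. the negation excludes the argument-less launches; if the referenced Microsoft query describes dllhost.exe started without arguments, the sense is inverted and the clause should read `( specific1 and filter1 )` — worth confirming against the reference before shipping at level critical. An empty-string value (`- ''`) is also handled inconsistently across Sigma backends, so a comment such as `# dllhost.exe normally carries /Processid:{GUID}; an empty command line is the anomaly` would make the intended match testable. The file also ends without a trailing newline.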
@@ -0,0 +1,31 @@ +title: UNC2452 PowerShell Pattern +id: b7155193-8a81-4d8f-805d-88de864ca50c +description: Detects a specific PowerShell command line pattern used by the UNC2452 actors as mentioned in Microsoft and Symantec reports +references: + - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware + - https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/ + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md#atomic-test-7---create-a-process-using-wmi-query-and-an-encoded-command +tags: + - attack.execution + - attack.t1059.001 + - attack.t1047 + - sunburst +author: Florian Roth +date: 2021/01/20 +modified: 2021/01/22 +logsource: + category: process_creation + product: windows +detection: + selection1: + CommandLine|contains|all: + - 'Invoke-WMIMethod win32_process -name create -argumentlist' + - 'rundll32 c:\windows' + selection2: + CommandLine|contains|all: + - 'wmic /node:' + - 'process call create "rundll32 c:\windows' + condition: selection1 or selection2 +falsepositives: + - Unknown, unlikely, but possible +level: critical \ No newline at end of file diff --git a/rules/windows/process_creation/win_apt_unidentified_nov_18.yml b/rules/windows/process_creation/win_apt_unidentified_nov_18.yml index b36bd2f40..20e60b324 100644 --- a/rules/windows/process_creation/win_apt_unidentified_nov_18.yml +++ b/rules/windows/process_creation/win_apt_unidentified_nov_18.yml 
@@ -22,14 +22,14 @@ logsource: product: windows detection: selection1: - CommandLine: '*cyzfc.dat, PointFunctionCall' + CommandLine|contains: 'cyzfc.dat,' + CommandLine|endswith: 'PointFunctionCall' --- # Sysmon: File Creation (ID 11) logsource: product: windows - service: sysmon + category: file_event detection: selection2: - EventID: 11 - TargetFilename: - - '*ds7002.lnk*' \ No newline at end of file + TargetFilename|contains: + - 'ds7002.lnk' diff --git a/rules/windows/process_creation/win_apt_winnti_pipemon.yml b/rules/windows/process_creation/win_apt_winnti_pipemon.yml index 20e369df9..fb055f88e 100644 --- a/rules/windows/process_creation/win_apt_winnti_pipemon.yml +++ b/rules/windows/process_creation/win_apt_winnti_pipemon.yml @@ -9,7 +9,7 @@ tags: - attack.t1574.002 - attack.t1073 # an old one - attack.g0044 -author: Florian Roth +author: Florian Roth, oscd.community date: 2020/07/30 logsource: category: process_creation @@ -19,10 +19,12 @@ detection: CommandLine|contains: - 'setup0.exe -p' selection2: - CommandLine|endswith: - - 'setup.exe -x:0' - - 'setup.exe -x:1' - - 'setup.exe -x:2' + CommandLine|contains|all: + - 'setup.exe' + CommandLine|endswith: + - '-x:0' + - '-x:1' + - '-x:2' condition: 1 of them falsepositives: - Legitimate setups that use similar flags diff --git a/rules/windows/process_creation/win_apt_wocao.yml b/rules/windows/process_creation/win_apt_wocao.yml index 20307a723..6ddaacd92 100644 --- a/rules/windows/process_creation/win_apt_wocao.yml +++ b/rules/windows/process_creation/win_apt_wocao.yml @@ -32,7 +32,7 @@ detection: selection: EventID: 4799 GroupName: 'Administrators' - ProcessName: '*\checkadmin.exe' + ProcessName|endswith: '\checkadmin.exe' condition: selection --- logsource: @@ -51,4 +51,4 @@ detection: - 'type *keepass\KeePass.config.xml' - 'iie.exe iie.txt' - 'reg query HKEY_CURRENT_USER\Software\\*\PuTTY\Sessions\' - condition: selection \ No newline at end of file + condition: selection 
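Review bot: In the win_apt_winnti_pipemon hunk, `CommandLine|contains|all` with a single list item is just `contains`, and splitting `setup.exe -x:0` into `contains 'setup.exe'` plus `endswith '-x:0'` accepts any command line that mentions setup.exe anywhere and happens to end in `-x:0`, which is wider than the original suffix match. If the split was made to tolerate quoting around the path, `CommandLine|contains: 'setup.exe'` together with `CommandLine|endswith: ' -x:0'` (leading space, so the flag must be a separate argument) keeps most of the original precision. The `condition: 1 of them` line below is unchanged and still applies.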
diff --git a/rules/windows/process_creation/win_apt_zxshell.yml b/rules/windows/process_creation/win_apt_zxshell.yml index fc17af95c..515d541e7 100755 --- a/rules/windows/process_creation/win_apt_zxshell.yml +++ b/rules/windows/process_creation/win_apt_zxshell.yml @@ -1,7 +1,7 @@ title: ZxShell Malware id: f0b70adb-0075-43b0-9745-e82a1c608fcc description: Detects a ZxShell start by the called and well-known function name -author: Florian Roth +author: Florian Roth, oscd.community, Jonhnathan Ribeiro date: 2017/07/20 modified: 2020/08/26 references: @@ -20,9 +20,11 @@ logsource: product: windows detection: selection: + Image|endswith: + - '\rundll32.exe' CommandLine|contains: - - 'rundll32.exe *,zxFunction*' - - 'rundll32.exe *,RemoteDiskXXXXX' + - 'zxFunction' + - 'RemoteDiskXXXXX' condition: selection fields: - CommandLine diff --git a/rules/windows/process_creation/win_attrib_hiding_files.yml b/rules/windows/process_creation/win_attrib_hiding_files.yml index 9e403128b..ca50c3bc1 100644 --- a/rules/windows/process_creation/win_attrib_hiding_files.yml +++ b/rules/windows/process_creation/win_attrib_hiding_files.yml @@ -10,12 +10,12 @@ logsource: product: windows detection: selection: - Image: '*\attrib.exe' - CommandLine: '* +h *' + Image|endswith: '\attrib.exe' + CommandLine|contains: ' +h ' ini: - CommandLine: '*\desktop.ini *' + CommandLine|contains: '\desktop.ini ' intel: - ParentImage: '*\cmd.exe' + ParentImage|endswith: '\cmd.exe' CommandLine: +R +H +S +A \\*.cui ParentCommandLine: C:\WINDOWS\system32\\*.bat condition: selection and not (ini or intel) diff --git a/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml b/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml new file mode 100644 index 000000000..4b9294d8c --- /dev/null +++ b/rules/windows/process_creation/win_bad_opsec_sacrificial_processes.yml 
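Review bot: The win_attrib_hiding_files hunk converts `Image`, `CommandLine` and `ParentImage` to modifiers but leaves the `intel` filter's `CommandLine: +R +H +S +A \\*.cui` and `ParentCommandLine: C:\WINDOWS\system32\\*.bat` as unquoted legacy wildcard patterns, so one selection in the rule now depends on wildcard semantics while the rest do not. Expressing them as startswith/endswith pairs keeps the same match (the originals have no leading `*`) and makes the rule consistent with the modifier style the commit is introducing.
```yaml
    intel:
      ParentImage|endswith: '\cmd.exe'
      CommandLine|startswith: '+R +H +S +A \'
      CommandLine|endswith: '.cui'
      ParentCommandLine|startswith: 'C:\WINDOWS\system32\'
      ParentCommandLine|endswith: '.bat'
    # … unchanged: condition: selection and not (ini or intel) …
```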
@@ -0,0 +1,25 @@ +title: Bad Opsec Defaults Sacrificial Processes With Improper Arguments +id: a7c3d773-caef-227e-a7e7-c2f13c622329 +status: experimental +description: 'Detects attackers using tooling with bad opsec defaults e.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run, one trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.' +author: 'Oleg Kolesnikov @securonix invrep_de, oscd.community' +date: 2020/10/23 +references: + - https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/ + - https://www.cobaltstrike.com/help-opsec +tags: + - attack.defense_evasion + - attack.t1085 # legacy + - attack.t1218.011 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|endswith: + - '\WerFault.exe' + - '\rundll32.exe' + condition: selection +falsepositives: + - Unlikely +level: high diff --git a/rules/windows/process_creation/win_bootconf_mod.yml b/rules/windows/process_creation/win_bootconf_mod.yml index 4faa43bc4..2b54eecd1 100644 --- a/rules/windows/process_creation/win_bootconf_mod.yml +++ b/rules/windows/process_creation/win_bootconf_mod.yml @@ -3,7 +3,7 @@ id: 1444443e-6757-43e4-9ea4-c8fc705f79a2 description: Identifies use of the bcdedit command to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique. status: experimental -author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community +author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community date: 2019/10/24 modified: 2019/11/11 references: 
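Review bot: `CommandLine|endswith: '\rundll32.exe'` and `'\WerFault.exe'` only catch the unquoted, argument-less form; the same launch written as `"C:\Windows\System32\rundll32.exe"` ends with a double quote and is missed, as is one with trailing whitespace. Add the quoted variants, `- '\rundll32.exe"'` and `- '\WerFault.exe"'`, or pin the binary with `Image|endswith` and check the argument-less condition on CommandLine separately. A short comment above `selection:` stating that the detection is "the image name with no arguments at all" would also help a maintainer understand why a plain `endswith` is used instead of `contains`.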
diff --git a/rules/windows/process_creation/win_bypass_squiblytwo.yml b/rules/windows/process_creation/win_bypass_squiblytwo.yml index 87c001abf..a5422e5f6 100644 --- a/rules/windows/process_creation/win_bypass_squiblytwo.yml +++ b/rules/windows/process_creation/win_bypass_squiblytwo.yml @@ -24,19 +24,18 @@ logsource: product: windows detection: selection1: - Image: - - '*\wmic.exe' - CommandLine: - - wmic * *format:\"http* - - wmic * /format:'http - - wmic * /format:http* + Image|endswith: + - '\wmic.exe' + CommandLine|contains|all: + - wmic + - format + - http selection2: Imphash: - 1B1A3F43BF37B5BFE60751F2EE2F326E - 37777A96245A3C74EB217308F3546F4C - 9D87C9D67CE724033C0B40CC4CA1B206 - CommandLine: - - '* *format:\"http*' - - '* /format:''http' - - '* /format:http*' + CommandLine|contains|all: + - 'format:' + - 'http' condition: 1 of them diff --git a/rules/windows/process_creation/win_class_exec_xwizard.yml b/rules/windows/process_creation/win_class_exec_xwizard.yml new file mode 100644 index 000000000..bb53e9173 --- /dev/null +++ b/rules/windows/process_creation/win_class_exec_xwizard.yml @@ -0,0 +1,22 @@ +title: Custom Class Execution via Xwizard +id: 53d4bb30-3f36-4e8a-b078-69d36c4a79ff +status: experimental +description: Detects the execution of Xwizard tool with specific arguments which utilized to run custom class properties. +references: + - https://lolbas-project.github.io/lolbas/Binaries/Xwizard/ +author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative' +date: 2020/10/07 +tags: + - attack.defense_evasion + - attack.t1218 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: '\xwizard.exe' + CommandLine|re: '{[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}}' + condition: selection +falsepositives: + - Unknown +level: medium diff --git a/rules/windows/process_creation/win_cmdkey_recon.yml b/rules/windows/process_creation/win_cmdkey_recon.yml index ca801d0e6..bc9d89c74 100644 
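Review bot: In the win_bypass_squiblytwo hunk, selection1 is loosened from `/format:` followed by `http` to the bare tokens `format` and `http`; with `wmic` already pinned by `Image|endswith`, any wmic invocation whose arguments contain both substrings now matches, while selection2 keeps `'format:'`, so the two selections are inconsistent. Use `- '/format:'` and `- 'http'` in selection1 to stay close to the original patterns while still covering the quoting variants the rewrite wanted to tolerate.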
--- a/rules/windows/process_creation/win_cmdkey_recon.yml +++ b/rules/windows/process_creation/win_cmdkey_recon.yml @@ -16,8 +16,8 @@ logsource: product: windows detection: selection: - Image: '*\cmdkey.exe' - CommandLine: '* /list *' + Image|endswith: '\cmdkey.exe' + CommandLine|contains: ' /list ' condition: selection fields: - CommandLine diff --git a/rules/windows/process_creation/win_commandline_path_traversal.yml b/rules/windows/process_creation/win_commandline_path_traversal.yml index 5a42c7f50..589a2a18d 100644 --- a/rules/windows/process_creation/win_commandline_path_traversal.yml +++ b/rules/windows/process_creation/win_commandline_path_traversal.yml @@ -16,9 +16,11 @@ logsource: product: windows detection: selection: - ParentCommandLine|contains: 'cmd*/c' + ParentCommandLine|contains|all: + - 'cmd' + - '/c' CommandLine|contains: '/../../' condition: selection falsepositives: - (not much) some benign Java tools may product false-positive commandlines for loading libraries -level: high \ No newline at end of file +level: high diff --git a/rules/windows/process_creation/win_control_panel_item.yml b/rules/windows/process_creation/win_control_panel_item.yml index 204190094..854f0f44e 100644 --- a/rules/windows/process_creation/win_control_panel_item.yml +++ b/rules/windows/process_creation/win_control_panel_item.yml 
@@ -14,24 +14,24 @@ tags: - attack.t1546 author: Kyaw Min Thein, Furkan Caliskan (@caliskanfurkan_) date: 2020/06/22 -modified: 2020/08/29 +modified: 2020/11/28 level: critical logsource: product: windows category: process_creation detection: selection1: - CommandLine: '*.cpl' + CommandLine|endswith: '.cpl' filter: - CommandLine: - - '*\System32\\*' - - '*%System%*' + CommandLine|contains: + - '\System32\' + - '%System%' selection2: - CommandLine: - - '*reg add*' + Image|endswith: '\reg.exe' + CommandLine|contains: 'add' selection3: - CommandLine: - - '*CurrentVersion\\Control Panel\\CPLs*' + CommandLine|contains: + - 'CurrentVersion\\Control Panel\\CPLs' condition: (selection1 and not filter) or (selection2 and selection3) falsepositives: - Unknown diff --git a/rules/windows/process_creation/win_credential_access_via_password_filter.yml b/rules/windows/process_creation/win_credential_access_via_password_filter.yml new file mode 100644 index 000000000..2fda0365b --- /dev/null +++ b/rules/windows/process_creation/win_credential_access_via_password_filter.yml @@ -0,0 +1,26 @@ +title: Dropping Of Password Filter DLL +id: b7966f4a-b333-455b-8370-8ca53c229762 +description: Detects dropping of dll files in system32 that may be used to retrieve user credentials from LSASS +status: experimental +author: Sreeman +date: 2020/10/29 +modified: 2021/06/11 +references: + - https://pentestlab.blog/2020/02/10/credential-access-password-filter-dll/ + - https://github.com/3gstudent/PasswordFilter/tree/master/PasswordFilter +tags: + - attack.credential_access + - attack.t1174 +logsource: + category: process_creation + product: windows +detection: + selection_cmdline: + CommandLine|contains|all: + - 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' + - 'scecli\0*' + - 'reg add' + condition: selection_cmdline +falsepositives: + - unknown +level: medium 
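Review bot: The new win_credential_access_via_password_filter rule tags `attack.t1174`, which ATT&CK retired in favour of `attack.t1556.002` (Modify Authentication Process: Password Filter DLL); keep the old ID with a `# legacy` comment, as win_bad_opsec_sacrificial_processes in this same commit does for `attack.t1085`, and add the current one. The trailing `*` in `'scecli\0*'` is a Sigma wildcard that the `contains` modifier already implies, so `- 'scecli\0'` is the cleaner form and avoids backend-specific wildcard handling.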
diff --git a/rules/windows/process_creation/win_crime_fireball.yml b/rules/windows/process_creation/win_crime_fireball.yml index c21b53e8e..53977514b 100755 --- a/rules/windows/process_creation/win_crime_fireball.yml +++ b/rules/windows/process_creation/win_crime_fireball.yml @@ -18,7 +18,9 @@ logsource: product: windows detection: selection: - CommandLine: '*\rundll32.exe *,InstallArcherSvc' + CommandLine|contains|all: + - 'rundll32.exe' + - 'InstallArcherSvc' condition: selection fields: - CommandLine diff --git a/rules/windows/process_creation/win_crime_maze_ransomware.yml b/rules/windows/process_creation/win_crime_maze_ransomware.yml index 356fead64..c83f97404 100644 --- a/rules/windows/process_creation/win_crime_maze_ransomware.yml +++ b/rules/windows/process_creation/win_crime_maze_ransomware.yml @@ -8,7 +8,7 @@ references: - https://app.any.run/tasks/65a79440-373a-4725-8d74-77db9f2abda4/ author: Florian Roth date: 2020/05/08 -modified: 2020/08/29 +modified: 2021/06/27 tags: - attack.execution - attack.t1204.002 @@ -25,7 +25,7 @@ detection: ParentImage|endswith: - '\WINWORD.exe' Image|endswith: - - '*.tmp' + - '.tmp' # Binary Execution selection2: Image|endswith: '\wmic.exe' diff --git a/rules/windows/process_creation/win_crime_snatch_ransomware.yml b/rules/windows/process_creation/win_crime_snatch_ransomware.yml index a12ec84ea..4831c8582 100644 --- a/rules/windows/process_creation/win_crime_snatch_ransomware.yml +++ b/rules/windows/process_creation/win_crime_snatch_ransomware.yml @@ -24,5 +24,5 @@ fields: - User - Image falsepositives: - - Scripts that shutdown the system immediatly and reboot them in safe mode are unlikely + - Scripts that shutdown the system immediately and reboot them in safe mode are unlikely level: critical diff --git a/rules/windows/process_creation/win_detecting_fake_instances_of_hxtsr.yml b/rules/windows/process_creation/win_detecting_fake_instances_of_hxtsr.yml new file mode 100644 index 000000000..62d9b1d86 --- /dev/null 
+++ b/rules/windows/process_creation/win_detecting_fake_instances_of_hxtsr.yml @@ -0,0 +1,22 @@ +title: Detecting Fake Instances Of Hxtsr.exe +id: 4e762605-34a8-406d-b72e-c1a089313320 +status: experimental +description: HxTsr.exe is a Microsoft compressed executable file called Microsoft Outlook Communications.HxTsr.exe is part of Outlook apps, because it resides in a hidden "WindowsApps" subfolder of "C:\Program Files". Its path includes a version number, e.g., "C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7466.41167.0_x64__8wekyb3d8bbwe\HxTsr.exe". Any instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe +author: Sreeman +date: 2020/04/17 +modified: 2021/06/11 +tags: + - attack.defense_evasion + - attack.t1036 +logsource: + product: windows + category: process_creation +detection: + selection: + Image: hxtsr.exe + filter: + FolderPath|re: '(?i)c:\\program files\\windowsapps\\microsoft\.windowscommunicationsapps_.*\\hxtsr\.exe' + condition: selection and not filter +falsepositives: + - unknown +level: medium \ No newline at end of file diff --git a/rules/windows/process_creation/win_dns_exfiltration_tools_execution.yml b/rules/windows/process_creation/win_dns_exfiltration_tools_execution.yml index 1cd5cc9fb..478b80d63 100644 --- a/rules/windows/process_creation/win_dns_exfiltration_tools_execution.yml +++ b/rules/windows/process_creation/win_dns_exfiltration_tools_execution.yml @@ -19,7 +19,7 @@ logsource: product: windows detection: selection: - - Image|endswith: '*\iodine.exe' + - Image|endswith: '\iodine.exe' - Image|contains: '\dnscat2' condition: selection falsepositives: diff --git a/rules/windows/process_creation/win_dnscat2_powershell_implementation.yml b/rules/windows/process_creation/win_dnscat2_powershell_implementation.yml index 33472ac55..b941e2f99 100644 --- a/rules/windows/process_creation/win_dnscat2_powershell_implementation.yml 
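Review bot: `Image: hxtsr.exe` is an exact match, but the process_creation `Image` field carries the full path (every other rule in this diff uses `Image|endswith: '\…exe'`), so the selection never fires on Sysmon-backed pipelines and the rule is dead; use `Image|endswith: '\hxtsr.exe'`. The filter relies on `FolderPath`, which is not a field of the generic process_creation log source — if this was written against Defender for Endpoint data, the logsource or a field-mapping comment should say so; otherwise express the filter on `Image` (`Image|re: '(?i)^c:\\program files\\windowsapps\\microsoft\.windowscommunicationsapps_.*\\hxtsr\.exe$'`). The file also ends without a trailing newline.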
+++ b/rules/windows/process_creation/win_dnscat2_powershell_implementation.yml @@ -19,9 +19,9 @@ logsource: product: windows detection: selection: - ParentImage|endswith: '*\powershell.exe' - Image|endswith: '*\nslookup.exe' - CommandLine|endswith: '*\nslookup.exe' + ParentImage|endswith: '\powershell.exe' + Image|endswith: '\nslookup.exe' + CommandLine|endswith: '\nslookup.exe' condition: selection | count(Image) by ParentImage > 100 fields: - Image diff --git a/rules/windows/process_creation/win_etw_trace_evasion.yml b/rules/windows/process_creation/win_etw_trace_evasion.yml index fb7822601..6fef5224c 100644 --- a/rules/windows/process_creation/win_etw_trace_evasion.yml +++ b/rules/windows/process_creation/win_etw_trace_evasion.yml @@ -35,18 +35,18 @@ detection: - 'set-log' - '/e:false' selection_disable_3: #Autologger provider removal - Commandline|contains|all: + CommandLine|contains|all: - 'Remove-EtwTraceProvider' - 'EventLog-Microsoft-Windows-WMI-Activity-Trace' - '{1418ef04-b0b4-4623-bf7e-d74ab47bbdaa}' selection_disable_4: #Provider “Enable” property modification - Commandline|contains|all: + CommandLine|contains|all: - 'Set-EtwTraceProvider' - '{1418ef04-b0b4-4623-bf7e-d74ab47bbdaa}' - 'EventLog-Microsoft-Windows-WMI-Activity-Trace' - '0x11' selection_disable_5: #ETW provider removal from a trace session - Commandline|contains|all: + CommandLine|contains|all: - "logman" - "update" - "trace" diff --git a/rules/windows/process_creation/win_exchange_transportagent.yml b/rules/windows/process_creation/win_exchange_transportagent.yml new file mode 100644 index 000000000..09bbd2022 --- /dev/null +++ b/rules/windows/process_creation/win_exchange_transportagent.yml 
@@ -0,0 +1,33 @@ +action: global +title: MSExchange Transport Agent Installation +id: 83809e84-4475-4b69-bc3e-4aad8568612f +status: experimental +description: Detects the Installation of a Exchange Transport Agent +references: + - https://twitter.com/blueteamsec1/status/1401290874202382336?s=20 +tags: + - attack.persistence + - attack.t1505.002 +author: Tobias Michalski +date: 2021/06/08 +detection: + condition: selection +fields: + - AssemblyPath +falsepositives: + - legitimate installations of exchange TransportAgents. AssemblyPath is a good indicator for this. +level: medium +--- +logsource: + product: windows + category: process_creation +detection: + selection: + CommandLine|contains: 'Install-TransportAgent' +--- +logsource: + product: windows + service: msexchange-management +detection: + selection: + Message|contains: 'Install-TransportAgent' diff --git a/rules/windows/process_creation/win_exploit_cve_2015_1641.yml b/rules/windows/process_creation/win_exploit_cve_2015_1641.yml index c2a463b9d..0a4f43d3b 100644 --- a/rules/windows/process_creation/win_exploit_cve_2015_1641.yml +++ b/rules/windows/process_creation/win_exploit_cve_2015_1641.yml @@ -16,8 +16,8 @@ logsource: product: windows detection: selection: - ParentImage: '*\WINWORD.EXE' - Image: '*\MicroScMgmt.exe' + ParentImage|endswith: '\WINWORD.EXE' + Image|endswith: '\MicroScMgmt.exe' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/win_exploit_cve_2017_0261.yml b/rules/windows/process_creation/win_exploit_cve_2017_0261.yml index 1e17dad10..bdc45eabb 100644 --- a/rules/windows/process_creation/win_exploit_cve_2017_0261.yml +++ b/rules/windows/process_creation/win_exploit_cve_2017_0261.yml 
@@ -20,8 +20,8 @@ logsource: product: windows detection: selection: - ParentImage: '*\WINWORD.EXE' - Image: '*\FLTLDR.exe*' + ParentImage|endswith: '\WINWORD.EXE' + Image|contains: '\FLTLDR.exe' condition: selection falsepositives: - Several false positives identified, check for suspicious file names or locations (e.g. Temp folders) diff --git a/rules/windows/process_creation/win_exploit_cve_2017_11882.yml b/rules/windows/process_creation/win_exploit_cve_2017_11882.yml index 02ea83404..a21fcfead 100644 --- a/rules/windows/process_creation/win_exploit_cve_2017_11882.yml +++ b/rules/windows/process_creation/win_exploit_cve_2017_11882.yml @@ -21,7 +21,7 @@ logsource: product: windows detection: selection: - ParentImage: '*\EQNEDT32.EXE' + ParentImage|endswith: '\EQNEDT32.EXE' condition: selection fields: - CommandLine diff --git a/rules/windows/process_creation/win_exploit_cve_2017_8759.yml b/rules/windows/process_creation/win_exploit_cve_2017_8759.yml index 337b97c0d..03801e753 100644 --- a/rules/windows/process_creation/win_exploit_cve_2017_8759.yml +++ b/rules/windows/process_creation/win_exploit_cve_2017_8759.yml @@ -20,8 +20,8 @@ logsource: product: windows detection: selection: - ParentImage: '*\WINWORD.EXE' - Image: '*\csc.exe' + ParentImage|endswith: '\WINWORD.EXE' + Image|endswith: '\csc.exe' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/win_exploit_cve_2019_1378.yml b/rules/windows/process_creation/win_exploit_cve_2019_1378.yml index 33b575a86..a4593acf1 100644 --- a/rules/windows/process_creation/win_exploit_cve_2019_1378.yml +++ b/rules/windows/process_creation/win_exploit_cve_2019_1378.yml 
@@ -1,10 +1,10 @@ title: Exploiting SetupComplete.cmd CVE-2019-1378 id: 1c373b6d-76ce-4553-997d-8c1da9a6b5f5 status: experimental -description: Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd decribed in CVE-2019-1378 +description: Detects exploitation attempt of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378 references: - https://www.embercybersecurity.com/blog/cve-2019-1378-exploiting-an-access-control-privilege-escalation-vulnerability-in-windows-10-update-assistant-wua -author: Florian Roth +author: Florian Roth, oscd.community, Jonhnathan Ribeiro date: 2019/11/15 modified: 2020/08/29 tags: @@ -19,15 +19,19 @@ logsource: product: windows detection: selection: - ParentCommandLine: - - '*\cmd.exe /c C:\Windows\Setup\Scripts\SetupComplete.cmd' - - '*\cmd.exe /c C:\Windows\Setup\Scripts\PartnerSetupComplete.cmd' + ParentCommandLine|contains|all: + - '\cmd.exe' + - '/c' + - 'C:\Windows\Setup\Scripts\' + ParentCommandLine|endswith: + - 'SetupComplete.cmd' + - 'PartnerSetupComplete.cmd' filter: - Image: - - 'C:\Windows\System32\\*' - - 'C:\Windows\SysWOW64\\*' - - 'C:\Windows\WinSxS\\*' - - 'C:\Windows\Setup\\*' + Image|startswith: + - 'C:\Windows\System32\' + - 'C:\Windows\SysWOW64\' + - 'C:\Windows\WinSxS\' + - 'C:\Windows\Setup\' condition: selection and not filter falsepositives: - Unknown diff --git a/rules/windows/process_creation/win_exploit_cve_2019_1388.yml b/rules/windows/process_creation/win_exploit_cve_2019_1388.yml index a882d4e9a..c93f2113b 100644 --- a/rules/windows/process_creation/win_exploit_cve_2019_1388.yml +++ b/rules/windows/process_creation/win_exploit_cve_2019_1388.yml 
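Review bot: In the `ParentCommandLine|endswith` list, `'SetupComplete.cmd'` is a suffix of `'PartnerSetupComplete.cmd'`, so the second entry is redundant and the first accepts any script name ending in SetupComplete.cmd. Prefixing both with the separator, `'\SetupComplete.cmd'` and `'\PartnerSetupComplete.cmd'`, keeps the two scripts listed explicitly while making each entry distinct, which matches the `'C:\Windows\Setup\Scripts\'` prefix the `contains|all` block already requires.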
@@ -1,7 +1,7 @@ title: Exploiting CVE-2019-1388 id: 02e0b2ea-a597-428e-b04a-af6a1a403e5c status: experimental -description: Detects an explotation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM +description: Detects an exploitation attempt in which the UAC consent dialogue is used to invoke an Internet Explorer process running as LOCAL_SYSTEM references: - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1388 - https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege @@ -15,9 +15,9 @@ logsource: product: windows detection: selection: - ParentImage: '*\consent.exe' - Image: '*\iexplore.exe' - CommandLine: '* http*' + ParentImage|endswith: '\consent.exe' + Image|endswith: '\iexplore.exe' + CommandLine|contains: ' http' rights1: IntegrityLevel: 'System' # for Sysmon users rights2: diff --git a/rules/windows/process_creation/win_exploit_cve_2020_10189.yml b/rules/windows/process_creation/win_exploit_cve_2020_10189.yml index c23014f1f..10aaacd2b 100644 --- a/rules/windows/process_creation/win_exploit_cve_2020_10189.yml +++ b/rules/windows/process_creation/win_exploit_cve_2020_10189.yml @@ -25,9 +25,9 @@ detection: selection: ParentImage|endswith: 'DesktopCentral_Server\jre\bin\java.exe' Image|endswith: - - '*\cmd.exe' - - '*\powershell.exe' - - '*\bitsadmin.exe' + - '\cmd.exe' + - '\powershell.exe' + - '\bitsadmin.exe' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml b/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml index c49df6bc1..a0ae78a12 100644 --- a/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml +++ b/rules/windows/process_creation/win_grabbing_sensitive_hives_via_reg.yml 
@@ -19,7 +19,7 @@ logsource: product: windows detection: selection_1: - Image: '*\reg.exe' + Image|endswith: '\reg.exe' CommandLine|contains: - 'save' - 'export' diff --git a/rules/windows/process_creation/win_hack_koadic.yml b/rules/windows/process_creation/win_hack_koadic.yml index 26057c10f..6daa475f9 100644 --- a/rules/windows/process_creation/win_hack_koadic.yml +++ b/rules/windows/process_creation/win_hack_koadic.yml @@ -14,16 +14,19 @@ tags: - attack.t1059.007 - attack.t1064 # an old one date: 2020/01/12 -modified: 2020/09/01 -author: wagga +modified: 2020/11/28 +author: wagga, Jonhnathan Ribeiro, oscd.community logsource: category: process_creation product: windows detection: - selection1: - CommandLine: - - '*cmd.exe* /q /c chcp *' - condition: selection1 + selection: + Image|endswith: '\cmd.exe' + CommandLine|contains|all: + - '/q' + - '/c' + - 'chcp' + condition: selection fields: - CommandLine - ParentCommandLine diff --git a/rules/windows/process_creation/win_hack_rubeus.yml b/rules/windows/process_creation/win_hack_rubeus.yml index 491c60ad3..4ce04049b 100644 --- a/rules/windows/process_creation/win_hack_rubeus.yml +++ b/rules/windows/process_creation/win_hack_rubeus.yml @@ -18,16 +18,19 @@ logsource: product: windows detection: selection: - CommandLine: - - '* asreproast *' - - '* dump /service:krbtgt *' - - '* kerberoast *' - - '* createnetonly /program:*' - - '* ptt /ticket:*' - - '* /impersonateuser:*' - - '* renew /ticket:*' - - '* asktgt /user:*' - - '* harvest /interval:*' + CommandLine|contains: + - ' asreproast ' + - ' dump /service:krbtgt ' + - ' kerberoast ' + - ' createnetonly /program:' + - ' ptt /ticket:' + - ' /impersonateuser:' + - ' renew /ticket:' + - ' asktgt /user:' + - ' harvest /interval:' + - ' s4u /user:' + - ' s4u /ticket:' + - ' hash /password:' condition: selection falsepositives: - unlikely 
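Review bot: The new `CommandLine|contains` values in the Rubeus selection keep a trailing space (` kerberoast `, ` asreproast `, ` dump /service:krbtgt `), so a command line in which that verb is the final token does not match; the former wildcard form had the same limitation, but the rewrite is the place to close it. Drop the trailing space on the bare-verb entries (` kerberoast`, ` asreproast`) or add `CommandLine|endswith` entries for them. The enclosing `detection` block starts above the hunk, so the condition and any filters cannot be checked here.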
diff --git a/rules/windows/process_creation/win_hack_secutyxploded.yml b/rules/windows/process_creation/win_hack_secutyxploded.yml index d36b3844d..d8899df42 100644 --- a/rules/windows/process_creation/win_hack_secutyxploded.yml +++ b/rules/windows/process_creation/win_hack_secutyxploded.yml @@ -6,7 +6,7 @@ references: - https://securityxploded.com/ - https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/ date: 2018/12/19 -modified: 2020/09/01 +modified: 2021/05/11 tags: - attack.credential_access - attack.t1555 @@ -21,7 +21,7 @@ detection: selection2: Image|endswith: 'PasswordDump.exe' selection3: - OriginalFilename|endswith: 'PasswordDump.exe' + OriginalFileName|endswith: 'PasswordDump.exe' condition: 1 of them falsepositives: - unlikely diff --git a/rules/windows/process_creation/win_hh_chm.yml b/rules/windows/process_creation/win_hh_chm.yml index c9179147a..62b856326 100644 --- a/rules/windows/process_creation/win_hh_chm.yml +++ b/rules/windows/process_creation/win_hh_chm.yml @@ -2,7 +2,7 @@ title: HH.exe Execution id: 68c8acb4-1b60-4890-8e82-3ddf7a6dba84 description: Identifies usage of hh.exe executing recently modified .chm files. status: experimental -author: E.M. Anhaus (orignally from Atomic Blue Detections, Dan Beavin), oscd.community +author: E.M. Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.community references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1223/T1223.yaml - https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html diff --git a/rules/windows/process_creation/win_hiding_malware_in_fonts_folder.yml b/rules/windows/process_creation/win_hiding_malware_in_fonts_folder.yml new file mode 100644 index 000000000..811d34dc8 --- /dev/null +++ b/rules/windows/process_creation/win_hiding_malware_in_fonts_folder.yml 
@@ -0,0 +1,28 @@ +title: Writing Of Malicious Files To The Fonts Folder +id: ae9b0bd7-8888-4606-b444-0ed7410cb728 +description: Monitors for the hiding possible malicious files in the C:\Windows\Fonts\ location. This folder doesnt require admin privillege to be written and executed from. +references: + - https://thedfirreport.com/2020/04/20/sqlserver-or-the-miner-in-the-basement/ +date: 2020/21/04 +modified: 2021/06/11 +author: Sreeman +tags: + - attack.t1064 + - attack.t1211 + - attack.t1059 + - attack.defense_evasion + - attack.persistence +logsource: + product: windows + category: process_creation +detection: + selection1: + CommandLine|re: '(?i).*(echo|copy|type|file createnew|cacls).*C:\\Windows\\Fonts\\.*(.sh|.exe|.dll|.bin|.bat|.cmd|.js|.msh|.reg|.scr|.ps|.vb|.jar|.pl|.inf|.cpl|.hta|.msi|.vbs).*' + condition: selection1 +fields: + - CommandLine + - ParentProcess + - CommandLine +falsepositives: + - unknown +level: medium \ No newline at end of file diff --git a/rules/windows/process_creation/win_hktl_createminidump.yml b/rules/windows/process_creation/win_hktl_createminidump.yml index e10dfac4e..821c3cd91 100644 --- a/rules/windows/process_creation/win_hktl_createminidump.yml +++ b/rules/windows/process_creation/win_hktl_createminidump.yml @@ -18,7 +18,7 @@ logsource: category: process_creation product: windows detection: - selection1: + selection1: Image|contains: '\CreateMiniDump.exe' selection2: Imphash: '4a07f944a83e8a7c2525efa35dd30e2f' @@ -26,9 +26,9 @@ detection: --- logsource: product: windows - service: sysmon + category: file_event detection: selection: EventID: 11 - TargetFilename|contains: '*\lsass.dmp' + TargetFilename|endswith: '\lsass.dmp' condition: 1 of them diff --git a/rules/windows/process_creation/win_hwp_exploits.yml b/rules/windows/process_creation/win_hwp_exploits.yml index 206d5ab97..e21047809 100644 --- a/rules/windows/process_creation/win_hwp_exploits.yml +++ b/rules/windows/process_creation/win_hwp_exploits.yml 
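Review bot: `date: 2020/21/04` in win_hiding_malware_in_fonts_folder.yml is not a valid YYYY/MM/DD value (month 21); day and month appear swapped, so `2020/04/21` is the likely intent — confirm with the author. The same value appears in win_lolbin_execution_via_winget.yml later in this commit. `fields:` lists `CommandLine` twice and uses `ParentProcess`, which is not the field name the other rules use (`ParentImage`/`ParentCommandLine`), and the description has `doesnt`/`privillege` typos. In the regex, the extension alternatives `(.sh|.exe|...)` use unescaped dots, so `\.sh|\.exe|...` would match only real extensions.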
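Review bot: The second win_hktl_createminidump.yml hunk switches the logsource to `category: file_event` but keeps `EventID: 11` in the selection, which ties the generic category back to Sysmon; the win_mal_adwind.yml rewrite in this same commit removes `EventID` when it moves to `file_event`/`registry_event`, so this rule should do the same for consistency. Remove the `EventID: 11` line and leave `TargetFilename|endswith: '\lsass.dmp'` as the only selector; the `condition: 1 of them` below it is unaffected.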
@@ -25,8 +25,8 @@ logsource: product: windows detection: selection: - ParentImage: '*\Hwp.exe' - Image: '*\gbb.exe' + ParentImage|endswith: '\Hwp.exe' + Image|endswith: '\gbb.exe' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/win_impacket_lateralization.yml b/rules/windows/process_creation/win_impacket_lateralization.yml index ad6f147c2..a97030d7d 100644 --- a/rules/windows/process_creation/win_impacket_lateralization.yml +++ b/rules/windows/process_creation/win_impacket_lateralization.yml @@ -7,7 +7,7 @@ references: - https://github.com/SecureAuthCorp/impacket/blob/master/examples/atexec.py - https://github.com/SecureAuthCorp/impacket/blob/master/examples/smbexec.py - https://github.com/SecureAuthCorp/impacket/blob/master/examples/dcomexec.py -author: Ecco +author: Ecco, oscd.community, Jonhnathan Ribeiro date: 2019/09/03 modified: 2020/09/01 logsource: 
@@ -32,20 +32,27 @@ detection: # parent is services.exe # example: # C:\Windows\system32\cmd.exe /Q /c echo tasklist ^> \\127.0.0.1\C$\__output 2^>^&1 > C:\Windows\TEMP\execute.bat & C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\execute.bat & del C:\Windows\TEMP\execute.bat - ParentImage: - - '*\wmiprvse.exe' # wmiexec - - '*\mmc.exe' # dcomexec MMC - - '*\explorer.exe' # dcomexec ShellBrowserWindow - - '*\services.exe' # smbexec - CommandLine: - - '*cmd.exe* /Q /c * \\\\127.0.0.1\\*&1*' + ParentImage|endswith: + - '\wmiprvse.exe' # wmiexec + - '\mmc.exe' # dcomexec MMC + - '\explorer.exe' # dcomexec ShellBrowserWindow + - '\services.exe' # smbexec + CommandLine|contains|all: + - 'cmd.exe' + - '/Q' + - '/c' + - '\\\\127.0.0.1\' + - '&1' selection_atexec: - ParentCommandLine: - - '*svchost.exe -k netsvcs' # atexec on win10 (parent is "C:\Windows\system32\svchost.exe -k netsvcs") - - 'taskeng.exe*' # atexec on win7 (parent is "taskeng.exe {AFA79333-694C-4BEE-910E-E57D9A3518F6} S-1-5-18:NT AUTHORITY\System:Service:") + ParentCommandLine|contains: + - 'svchost.exe -k netsvcs' # atexec on win10 (parent is "C:\Windows\system32\svchost.exe -k netsvcs") + - 'taskeng.exe' # atexec on win7 (parent is "taskeng.exe {AFA79333-694C-4BEE-910E-E57D9A3518F6} S-1-5-18:NT AUTHORITY\System:Service:") # cmd.exe /C tasklist /m > C:\Windows\Temp\bAJrYQtL.tmp 2>&1 - CommandLine: - - 'cmd.exe /C *Windows\\Temp\\*&1' + CommandLine|contains|all: + - 'cmd.exe' + - '/C' + - 'Windows\Temp\' + - '&1' condition: (1 of selection_*) fields: - CommandLine diff --git a/rules/windows/process_creation/win_indirect_cmd.yml b/rules/windows/process_creation/win_indirect_cmd.yml index 59302ee9b..1fcadb91c 100644 --- a/rules/windows/process_creation/win_indirect_cmd.yml +++ b/rules/windows/process_creation/win_indirect_cmd.yml 
@@ -2,7 +2,7 @@ title: Indirect Command Execution id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02 description: Detect indirect command execution via Program Compatibility Assistant pcalua.exe or forfiles.exe status: experimental -author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community +author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.yaml - https://eqllib.readthedocs.io/en/latest/analytics/884a7ccd-7305-4130-82d0-d4f90bc118b6.html diff --git a/rules/windows/process_creation/win_indirect_cmd_compatibility_assistant.yml b/rules/windows/process_creation/win_indirect_cmd_compatibility_assistant.yml new file mode 100644 index 000000000..c560fbb4e --- /dev/null +++ b/rules/windows/process_creation/win_indirect_cmd_compatibility_assistant.yml @@ -0,0 +1,29 @@ +title: Indirect Command Execution By Program Compatibility Wizard +id: b97cd4b1-30b8-4a9d-bd72-6293928d52bc +description: Detect indirect command execution via Program Compatibility Assistant pcwrun.exe +status: experimental +author: A. Sungurov , oscd.community +references: + - https://twitter.com/pabraeken/status/991335019833708544 + - https://lolbas-project.github.io/lolbas/Binaries/Pcwrun/ +date: 2020/10/12 +tags: + - attack.defense_evasion + - attack.t1218 + - attack.execution +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage|endswith: '\pcwrun.exe' + condition: selection +fields: + - ComputerName + - User + - ParentCommandLine + - CommandLine +falsepositives: + - Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts + - Legit usage of scripts +level: low diff --git a/rules/windows/process_creation/win_install_reg_debugger_backdoor.yml b/rules/windows/process_creation/win_install_reg_debugger_backdoor.yml index b21725e19..166a4561b 100644 
--- a/rules/windows/process_creation/win_install_reg_debugger_backdoor.yml +++ b/rules/windows/process_creation/win_install_reg_debugger_backdoor.yml @@ -9,21 +9,23 @@ tags: - attack.privilege_escalation - attack.t1546.008 - attack.t1015 # an old one -author: Florian Roth +author: Florian Roth, oscd.community, Jonhnathan Ribeiro date: 2019/09/06 logsource: category: process_creation product: windows detection: selection: - CommandLine: - - '*\CurrentVersion\Image File Execution Options\sethc.exe*' - - '*\CurrentVersion\Image File Execution Options\utilman.exe*' - - '*\CurrentVersion\Image File Execution Options\osk.exe*' - - '*\CurrentVersion\Image File Execution Options\magnify.exe*' - - '*\CurrentVersion\Image File Execution Options\narrator.exe*' - - '*\CurrentVersion\Image File Execution Options\displayswitch.exe*' - - '*\CurrentVersion\Image File Execution Options\atbroker.exe*' + CommandLine|contains|all: + - '\CurrentVersion\Image File Execution Options\' + CommandLine|contains: + - 'sethc.exe' + - 'utilman.exe' + - 'osk.exe' + - 'magnify.exe' + - 'narrator.exe' + - 'displayswitch.exe' + - 'atbroker.exe' condition: selection falsepositives: - Penetration Tests diff --git a/rules/windows/process_creation/win_interactive_at.yml b/rules/windows/process_creation/win_interactive_at.yml index b13707346..8f93d2da0 100644 --- a/rules/windows/process_creation/win_interactive_at.yml +++ b/rules/windows/process_creation/win_interactive_at.yml 
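Review bot: `CommandLine|contains|all:` holds a single value, so the `all` modifier does nothing; write it as `CommandLine|contains: '\CurrentVersion\Image File Execution Options\'`. The split into a path prefix plus a list of executable names is reasonable, but the bare names (`osk.exe`, `narrator.exe`) are now matched anywhere on the command line instead of directly after the IFEO key as before; values of the form `'Image File Execution Options\sethc.exe'` would keep the original adjacency at the cost of a longer list. No `modified:` field is visible in this hunk's context; if the rule has one, it should be bumped.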
@@ -2,7 +2,7 @@ title: Interactive AT Job id: 60fc936d-2eb0-4543-8a13-911c750a1dfc description: Detect an interactive AT job, which may be used as a form of privilege escalation status: experimental -author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community +author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.yaml - https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html diff --git a/rules/windows/process_creation/win_invoke_obfuscation_clip+.yml b/rules/windows/process_creation/win_invoke_obfuscation_clip+.yml new file mode 100644 index 000000000..cc229f08e --- /dev/null +++ b/rules/windows/process_creation/win_invoke_obfuscation_clip+.yml @@ -0,0 +1,23 @@ +title: Invoke-Obfuscation CLIP+ Launcher +id: b222df08-0e07-11eb-adc1-0242ac120002 +description: Detects Obfuscated use of Clip.exe to execute PowerShell +status: experimental +author: Jonathan Cheong, oscd.community +date: 2020/10/13 +references: + - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26) +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"' + condition: selection +falsepositives: + - Unknown +level: high \ No newline at end of file diff --git a/rules/windows/process_creation/win_invoke_obfuscation_stdin+.yml b/rules/windows/process_creation/win_invoke_obfuscation_stdin+.yml new file mode 100644 index 000000000..dbdb4cbaa --- /dev/null +++ b/rules/windows/process_creation/win_invoke_obfuscation_stdin+.yml 
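Review bot: The `CommandLine|re` pattern in win_invoke_obfuscation_clip+.yml has no `(?i)` flag, unlike the other Invoke-Obfuscation rules added in this commit (compress, rundll, stdin, use_clip, mshta, use_rundll32, var++), so on backends with case-sensitive regex an upper-case `CMD /C` or `CLIP` launcher is not matched; the same applies to win_invoke_obfuscation_stdin+.yml and win_invoke_obfuscation_var+.yml on the following line. Prefix those three patterns with `(?i)` as the siblings do. This file also ends without a trailing newline (`\ No newline at end of file`) while several of the other new rule files in this commit do have one; add it.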
@@ -0,0 +1,23 @@ +title: Invoke-Obfuscation STDIN+ Launcher +id: 6c96fc76-0eb1-11eb-adc1-0242ac120002 +description: Detects Obfuscated use of stdin to execute PowerShell +status: experimental +author: Jonathan Cheong, oscd.community +date: 2020/10/15 +references: + - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25) +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"' + condition: selection +falsepositives: + - Unknown +level: high \ No newline at end of file diff --git a/rules/windows/process_creation/win_invoke_obfuscation_var+.yml b/rules/windows/process_creation/win_invoke_obfuscation_var+.yml new file mode 100644 index 000000000..63ae15f8c --- /dev/null +++ b/rules/windows/process_creation/win_invoke_obfuscation_var+.yml @@ -0,0 +1,23 @@ +title: Invoke-Obfuscation VAR+ Launcher +id: 27aec9c9-dbb0-4939-8422-1742242471d0 +description: Detects Obfuscated use of Environment Variables to execute PowerShell +status: experimental +author: Jonathan Cheong, oscd.community +date: 2020/10/15 +references: + - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24) +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' + condition: selection +falsepositives: + - Unknown +level: high \ No newline at end of file diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_compress.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_compress.yml new file mode 100644 index 000000000..60a494a55 --- /dev/null +++ b/rules/windows/process_creation/win_invoke_obfuscation_via_compress.yml 
@@ -0,0 +1,23 @@ +title: Invoke-Obfuscation COMPRESS OBFUSCATION +id: 7eedcc9d-9fdb-4d94-9c54-474e8affc0c7 +description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION +status: experimental +author: Timur Zinniatullin, oscd.community +date: 2020/10/18 +references: + - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19) +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend' + condition: selection +falsepositives: + - unknown +level: medium \ No newline at end of file diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_rundll.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_rundll.yml new file mode 100644 index 000000000..d8b91c93c --- /dev/null +++ b/rules/windows/process_creation/win_invoke_obfuscation_via_rundll.yml @@ -0,0 +1,23 @@ +title: Invoke-Obfuscation RUNDLL LAUNCHER +id: 056a7ee1-4853-4e67-86a0-3fd9ceed7555 +description: Detects Obfuscated Powershell via RUNDLL LAUNCHER +status: experimental +author: Timur Zinniatullin, oscd.community +date: 2020/10/18 +references: + - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23) +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"' + condition: selection +falsepositives: + - Unknown +level: medium diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_stdin.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_stdin.yml new file mode 100644 index 000000000..71f178496 --- /dev/null +++ b/rules/windows/process_creation/win_invoke_obfuscation_via_stdin.yml 
@@ -0,0 +1,23 @@ +title: Invoke-Obfuscation Via Stdin +id: 9c14c9fa-1a63-4a64-8e57-d19280559490 +description: Detects Obfuscated Powershell via Stdin in Scripts +status: experimental +author: Nikita Nazarov, oscd.community +date: 2020/10/12 +references: + - https://github.com/Neo23x0/sigma/issues/1009 #(Task28) +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_use_clip.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_use_clip.yml new file mode 100644 index 000000000..ce8d6bfc8 --- /dev/null +++ b/rules/windows/process_creation/win_invoke_obfuscation_via_use_clip.yml @@ -0,0 +1,23 @@ +title: Invoke-Obfuscation Via Use Clip +id: e1561947-b4e3-4a74-9bdd-83baed21bdb5 +description: Detects Obfuscated Powershell via use Clip.exe in Scripts +status: experimental +author: Nikita Nazarov, oscd.community +date: 2020/10/09 +references: + - https://github.com/Neo23x0/sigma/issues/1009 #(Task29) +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_use_mhsta.yml new file mode 100644 index 000000000..95f4633a1 --- /dev/null +++ b/rules/windows/process_creation/win_invoke_obfuscation_via_use_mhsta.yml 
@@ -0,0 +1,23 @@ +title: Invoke-Obfuscation Via Use MSHTA +id: ac20ae82-8758-4f38-958e-b44a3140ca88 +description: Detects Obfuscated Powershell via use MSHTA in Scripts +status: experimental +author: Nikita Nazarov, oscd.community +date: 2020/10/08 +references: + - https://github.com/Neo23x0/sigma/issues/1009 #(Task31) +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_use_rundll32.yml new file mode 100644 index 000000000..169d86471 --- /dev/null +++ b/rules/windows/process_creation/win_invoke_obfuscation_via_use_rundll32.yml @@ -0,0 +1,23 @@ +title: Invoke-Obfuscation Via Use Rundll32 +id: 36c5146c-d127-4f85-8e21-01bf62355d5a +description: Detects Obfuscated Powershell via use Rundll32 in Scripts +status: experimental +author: Nikita Nazarov, oscd.community +date: 2019/10/08 +references: + - https://github.com/Neo23x0/sigma/issues/1009 +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_var++.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_var++.yml new file mode 100644 index 000000000..dd02c69ae --- /dev/null +++ b/rules/windows/process_creation/win_invoke_obfuscation_via_var++.yml 
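Review bot: `date: 2019/10/08` in win_invoke_obfuscation_via_use_rundll32.yml is a year behind every other rule of this Invoke-Obfuscation series, which are all dated 2020/10 and reference the same issue #1009; this looks like a typo for `2020/10/08` — confirm with the author. Its reference line is also the only one in the series without the `#(Task N)` comment the siblings carry, so the task number seems to have been dropped.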
@@ -0,0 +1,23 @@ +title: Invoke-Obfuscation VAR++ LAUNCHER OBFUSCATION +id: e9f55347-2928-4c06-88e5-1a7f8169942e +description: Detects Obfuscated Powershell via VAR++ LAUNCHER +status: experimental +author: Timur Zinniatullin, oscd.community +date: 2020/10/13 +references: + - https://github.com/Neo23x0/sigma/issues/1009 #(Task27) +tags: + - attack.defense_evasion + - attack.t1027 + - attack.execution + - attack.t1059.001 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r + condition: selection +falsepositives: + - Unknown +level: high \ No newline at end of file diff --git a/rules/windows/process_creation/win_lethalhta.yml b/rules/windows/process_creation/win_lethalhta.yml index 7fb6e101a..f3b83068d 100644 --- a/rules/windows/process_creation/win_lethalhta.yml +++ b/rules/windows/process_creation/win_lethalhta.yml @@ -16,8 +16,8 @@ logsource: product: windows detection: selection: - ParentImage: '*\svchost.exe' - Image: '*\mshta.exe' + ParentImage|endswith: '\svchost.exe' + Image|endswith: '\mshta.exe' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/win_lolbas_execution_of_wuauclt.yml b/rules/windows/process_creation/win_lolbas_execution_of_wuauclt.yml new file mode 100644 index 000000000..ffe74da9f --- /dev/null +++ b/rules/windows/process_creation/win_lolbas_execution_of_wuauclt.yml 
@@ -0,0 +1,29 @@ +title: Monitoring Wuauclt.exe For Lolbas Execution Of DLL +id: ba1bb0cb-73da-42de-ad3a-de10c643a5d0 +status: experimental +description: Adversaries can abuse wuauclt.exe (Windows Update client) to run code execution by specifying an arbitrary DLL. +references: + - https://dtm.uk/wuauclt/ +author: Sreeman +date: 2020/10/29 +modified: 2021/06/11 +tags: + - attack.defense_evasion + - attack.execution + - attack.t1085 +logsource: + product: windows + category: process_creation +detection: + selection: + CommandLine|re: '(?i)wuauclt\.exe.*\/UpdateDeploymentProvider.*\/Runhandlercomserver' + filter: + CommandLine|contains: + - 'wuaueng.dll' + - 'UpdateDeploymentProvider.dll /ClassId' + condition: selection and not filter +falsepositives: + - Wuaueng.dll which is a module belonging to Microsoft Wnidows Update. +fields: + - CommandLine +level: medium \ No newline at end of file diff --git a/rules/windows/process_creation/win_lolbin_execution_via_winget.yml b/rules/windows/process_creation/win_lolbin_execution_via_winget.yml new file mode 100644 index 000000000..ff0ef78bf --- /dev/null +++ b/rules/windows/process_creation/win_lolbin_execution_via_winget.yml 
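Review bot: The `filter` exclusion matches the bare tokens `wuaueng.dll` and `UpdateDeploymentProvider.dll /ClassId` anywhere in the command line, so it excludes more than the legitimate invocation it describes; anchoring on the expected full path of the system DLL (verify the real location before relying on it) would keep the exclusion tight. `attack.t1085` appears to be the retired Rundll32 technique id, which sibling rules in this commit mark with `# an old one`; consider adding the current `attack.t1218.011` alongside it. The falsepositives text has a typo: `Wnidows` → `Windows`.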
@@ -0,0 +1,26 @@ +title: Monitoring Winget For LOLbin Execution +id: 313d6012-51a0-4d93-8dfc-de8553239e25 +description: Adversaries can abuse winget to download payloads remotely and execute them without touching disk. Winget will be included by default in Windows 10 and is already available in Windows 10 insider programs. The manifest option enables you to install an application by passing in a YAML file directly to the client. Winget can be used to download and install exe's, msi, msix files later. +status: experimental +references: + - https://docs.microsoft.com/en-us/windows/package-manager/winget/install#local-install +author: Sreeman +date: 2020/21/04 +modified: 2021/06/11 +tags: + - attack.defense_evasion + - attack.execution + - attack.t1059 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains: + - '.*(?i)winget install (--m|-m).*' + condition: selection +falsepositives: + - Admin activity installing packages not in the official Microsoft repo. Winget probably wont be used by most users. +fields: + - CommandLine +level: medium \ No newline at end of file diff --git a/rules/windows/process_creation/win_lsass_dump.yml b/rules/windows/process_creation/win_lsass_dump.yml index 6183cca62..090c43bbd 100644 --- a/rules/windows/process_creation/win_lsass_dump.yml +++ b/rules/windows/process_creation/win_lsass_dump.yml @@ -2,7 +2,7 @@ title: LSASS Memory Dumping id: ffa6861c-4461-4f59-8a41-578c39f3f23e description: Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials. status: experimental -author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community +author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community date: 2019/10/24 modified: 2019/11/11 references: 
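Review bot: The selection uses a regular expression `'.*(?i)winget install (--m|-m).*'` under the `contains` modifier, where Sigma treats the value as a literal string (only `*` is a wildcard), so the rule requires the literal text `(?i)winget install (--m|-m)` and will never match. Either switch the modifier, `CommandLine|re: '(?i)winget install (--m|-m)'`, or decompose it into `CommandLine|contains|all:` tokens. `date: 2020/21/04` is also not a valid YYYY/MM/DD value (same issue as the fonts-folder rule in this commit).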
diff --git a/rules/windows/process_creation/win_mal_adwind.yml b/rules/windows/process_creation/win_mal_adwind.yml index 574c7e182..d88aa5e32 100644 --- a/rules/windows/process_creation/win_mal_adwind.yml +++ b/rules/windows/process_creation/win_mal_adwind.yml @@ -6,9 +6,9 @@ description: Detects javaw.exe in AppData folder as used by Adwind / JRAT references: - https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100 - https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf -author: Florian Roth, Tom Ueltschi +author: Florian Roth, Tom Ueltschi, Jonhnathan Ribeiro, oscd.community date: 2017/11/10 -modified: 2020/09/01 +modified: 2021/06/27 tags: - attack.execution - attack.t1059.005 @@ -23,25 +23,31 @@ logsource: product: windows detection: selection: - CommandLine: - - '*\AppData\Roaming\Oracle*\java*.exe *' - - '*cscript.exe *Retrive*.vbs *' + - CommandLine|contains|all: + - '\AppData\Roaming\Oracle' + - '\java' + - '.exe ' + - CommandLine|contains|all: + - 'cscript.exe' + - 'Retrive' + - '.vbs ' --- logsource: + category: file_event product: windows - service: sysmon detection: selection: - EventID: 11 - TargetFilename: - - '*\AppData\Roaming\Oracle\bin\java*.exe' - - '*\Retrive*.vbs' + - TargetFilename|contains|all: + - '\AppData\Roaming\Oracle\bin\java' + - '.exe' + - TargetFilename|contains|all: + - '\Retrive' + - '.vbs' --- logsource: + category: registry_event product: windows - service: sysmon detection: selection: - EventID: 13 - TargetObject: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run* - Details: '%AppData%\Roaming\Oracle\bin\\*' + TargetObject|startswith: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run + Details|startswith: '%AppData%\Roaming\Oracle\bin\' diff --git a/rules/windows/process_creation/win_malware_dridex.yml b/rules/windows/process_creation/win_malware_dridex.yml index 9040595c6..7d90d5575 100644 
--- a/rules/windows/process_creation/win_malware_dridex.yml +++ b/rules/windows/process_creation/win_malware_dridex.yml @@ -4,7 +4,7 @@ status: experimental description: Detects typical Dridex process patterns references: - https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3 -author: Florian Roth +author: Florian Roth, oscd.community date: 2019/01/10 modified: 2020/09/01 tags: @@ -19,13 +19,21 @@ logsource: product: windows detection: selection1: - CommandLine: '*\svchost.exe C:\Users\\*\Desktop\\*' + Image|endswith: '\svchost.exe' + CommandLine|contains|all: + - 'C:\Users\' + - '\Desktop\' selection2: - ParentImage: '*\svchost.exe*' - CommandLine: - - '*whoami.exe /all' - - '*net.exe view' - condition: 1 of them + ParentImage|endswith: '\svchost.exe' + selection3: + Image|endswith: '\whoami.exe' + CommandLine|contains: 'all' + selection4: + Image|endswith: + - '\net.exe' + - '\net1.exe' + CommandLine|contains: 'view' + condition: selection1 or selection2 and (selection3 or selection4) falsepositives: - Unlikely level: critical diff --git a/rules/windows/process_creation/win_malware_dtrack.yml b/rules/windows/process_creation/win_malware_dtrack.yml index 722a2781c..e5e429be7 100644 --- a/rules/windows/process_creation/win_malware_dtrack.yml +++ b/rules/windows/process_creation/win_malware_dtrack.yml @@ -13,7 +13,7 @@ logsource: product: windows detection: selection: - CommandLine: '* echo EEEE > *' + CommandLine|contains: ' echo EEEE > ' condition: selection fields: - CommandLine diff --git a/rules/windows/process_creation/win_malware_emotet.yml b/rules/windows/process_creation/win_malware_emotet.yml index de9119227..aa1db398b 100644 --- a/rules/windows/process_creation/win_malware_emotet.yml +++ b/rules/windows/process_creation/win_malware_emotet.yml 
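Review bot: The new condition `selection1 or selection2 and (selection3 or selection4)` relies on operator precedence; Sigma binds `and` tighter than `or`, so it parses as `selection1 or (selection2 and (selection3 or selection4))`, which appears to be the intent but is easy to misread as `(selection1 or selection2) and (...)`. Write the grouping explicitly: `condition: selection1 or (selection2 and (selection3 or selection4))`. In selection3, `CommandLine|contains: 'all'` is a very short token; `'/all'` would keep it tied to the `whoami /all` switch the old pattern matched.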
@@ -21,15 +21,15 @@ logsource: product: windows detection: selection: - CommandLine: - - '* -e* PAA*' - - '*JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ*' # $env:userprofile - - '*QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA*' # $env:userprofile - - '*kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA*' # $env:userprofile - - '*IgAoACcAKgAnACkAOwAkA*' # "('*');$ - - '*IAKAAnACoAJwApADsAJA*' # "('*');$ - - '*iACgAJwAqACcAKQA7ACQA*' # "('*');$ - - '*JABGAGwAeAByAGgAYwBmAGQ*' + CommandLine|contains: + - ' -e* PAA' + - 'JABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQ' # $env:userprofile + - 'QAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUA' # $env:userprofile + - 'kAGUAbgB2ADoAdQBzAGUAcgBwAHIAbwBmAGkAbABlA' # $env:userprofile + - 'IgAoACcAKgAnACkAOwAkA' # "('*');$ + - 'IAKAAnACoAJwApADsAJA' # "('*');$ + - 'iACgAJwAqACcAKQA7ACQA' # "('*');$ + - 'JABGAGwAeAByAGgAYwBmAGQ' condition: selection fields: - CommandLine diff --git a/rules/windows/process_creation/win_malware_formbook.yml b/rules/windows/process_creation/win_malware_formbook.yml index 6f5e41b32..d30851ea9 100644 --- a/rules/windows/process_creation/win_malware_formbook.yml +++ b/rules/windows/process_creation/win_malware_formbook.yml @@ -3,7 +3,7 @@ id: 032f5fb3-d959-41a5-9263-4173c802dc2b status: experimental description: Detects Formbook like process executions that inject code into a set of files in the System32 folder, which executes a special command command line to delete the dropper from the AppData Temp folder. We avoid false positives by excluding all parent process with command line parameters. -author: Florian Roth +author: Florian Roth, oscd.community, Jonhnathan Ribeiro date: 2019/09/30 modified: 2019/10/31 references: 
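Review bot: The first value `' -e* PAA'` keeps a `*` inside a `contains` value; in Sigma `*` remains a wildcard even under a modifier, so this correctly covers `-e`, `-enc` and `-encodedcommand`, but a reader may take it for a literal asterisk. A comment on that line such as `# '*' is a Sigma wildcard: -e / -enc / -encodedcommand` would make the intent explicit and match the `# $env:userprofile` style already used on the sibling values.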
@@ -19,14 +19,30 @@ detection: # Parent command line should not contain a space value # This avoids false positives not caused by process injection # e.g. wscript.exe /B sysmon-install.vbs - ParentCommandLine: - - 'C:\Windows\System32\\*.exe' - - 'C:\Windows\SysWOW64\\*.exe' - CommandLine: - - '* /c del "C:\Users\\*\AppData\Local\Temp\\*.exe' - - '* /c del "C:\Users\\*\Desktop\\*.exe' - - '* /C type nul > "C:\Users\\*\Desktop\\*.exe' - condition: selection + ParentCommandLine|startswith: + - 'C:\Windows\System32\' + - 'C:\Windows\SysWOW64\' + ParentCommandLine|endswith: + - '.exe' + selection2: + - CommandLine|contains|all: + - '/c' + - 'del' + - 'C:\Users\' + - '\AppData\Local\Temp\' + - CommandLine|contains|all: + - '/c' + - 'del' + - 'C:\Users\' + - '\Desktop\' + - CommandLine|contains|all: + - '/C' + - 'type nul >' + - 'C:\Users\' + - '\Desktop\' + selection3: + CommandLine|endswith: '.exe' + condition: selection and selection2 and selection3 fields: - CommandLine - ParentCommandLine diff --git a/rules/windows/process_creation/win_malware_notpetya.yml b/rules/windows/process_creation/win_malware_notpetya.yml index 6604463a2..4f0d44bf2 100644 --- a/rules/windows/process_creation/win_malware_notpetya.yml +++ b/rules/windows/process_creation/win_malware_notpetya.yml @@ -24,12 +24,14 @@ logsource: product: windows detection: pipe_com: - CommandLine: '*\AppData\Local\Temp\\* \\.\pipe\\*' + CommandLine|contains|all: + - '\AppData\Local\Temp\' + - '\\.\pipe\\' rundll32_dash1: - Image: '*\rundll32.exe' - CommandLine: '*.dat,#1' - perfc_keyword: - - '*\perfc.dat*' + Image|endswith: '\rundll32.exe' + CommandLine|endswith: '.dat,#1' + perfc_keyword|contains: + - '\perfc.dat' condition: 1 of them fields: - CommandLine @@ -37,3 +39,4 @@ fields: falsepositives: - Admin activity level: critical + diff --git a/rules/windows/process_creation/win_malware_qbot.yml b/rules/windows/process_creation/win_malware_qbot.yml index ecd1f0fb1..5e6554068 100644 
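Review bot: The detection block is rewritten here while `modified: 2019/10/31` (context of the preceding hunk) stays unchanged; bump it so downstream consumers can see the logic changed. The enclosing `selection` map starts outside this hunk, so the new `ParentCommandLine|startswith`/`|endswith` pair cannot be checked against its remaining keys from here; the single-item list under `ParentCommandLine|endswith` can be a scalar, `ParentCommandLine|endswith: '.exe'`, matching the style of `selection3`. Note that the three `contains|all` variants in `selection2` are order-insensitive, so `del` and the path fragments now only need to appear somewhere in the command line rather than in the old `/c del "C:\Users\...` sequence; that is a deliberate trade-off but deserves a one-line comment next to the existing false-positive note.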
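Review bot: `perfc_keyword|contains:` applies a field modifier to what was a selection name: the old `perfc_keyword:` introduced a keyword list of its own, and `|contains` is only meaningful on a field such as `CommandLine`. As written it either becomes a bogus key inside `rundll32_dash1` or an invalid selection identifier, and `condition: 1 of them` no longer carries the perfc check. Restore it as its own selection bound to a field, e.g. `perfc_keyword:` / `CommandLine|contains: '\perfc.dat'`, and confirm the backend still reads `'\\.\pipe\\'` as the literal `\.\pipe\` now that the surrounding wildcards are gone. The second notpetya hunk only appends a blank line after `level: critical`.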
--- a/rules/windows/process_creation/win_malware_qbot.yml +++ b/rules/windows/process_creation/win_malware_qbot.yml @@ -4,7 +4,7 @@ status: experimental description: Detects QBot like process executions author: Florian Roth date: 2019/10/01 -modified: 2020/09/01 +modified: 2021/01/25 tags: - attack.execution - attack.t1059.005 @@ -18,11 +18,16 @@ logsource: product: windows detection: selection1: - ParentImage: '*\WinRAR.exe' - Image: '*\wscript.exe' + ParentImage|endswith: '\WinRAR.exe' + Image|endswith: '\wscript.exe' selection2: - CommandLine: '* /c ping.exe -n 6 127.0.0.1 & type *' - condition: selection1 or selection2 + CommandLine|contains: ' /c ping.exe -n 6 127.0.0.1 & type ' + selection3: + CommandLine|contains|all: + - 'regsvr32.exe' + - 'C:\ProgramData' + - '.tmp' + condition: selection1 or selection2 or selection3 fields: - CommandLine - ParentCommandLine diff --git a/rules/windows/process_creation/win_malware_script_dropper.yml b/rules/windows/process_creation/win_malware_script_dropper.yml index d7a8819d3..45961cad4 100644 --- a/rules/windows/process_creation/win_malware_script_dropper.yml +++ b/rules/windows/process_creation/win_malware_script_dropper.yml @@ -2,7 +2,7 @@ title: WScript or CScript Dropper id: cea72823-df4d-4567-950c-0b579eaf0846 status: experimental description: Detects wscript/cscript executions of scripts located in user directories -author: Margaritis Dimitrios (idea), Florian Roth (rule) +author: Margaritis Dimitrios (idea), Florian Roth (rule), oscd.community date: 2019/01/16 modified: 2020/09/01 tags: 
@@ -15,24 +15,23 @@ logsource: category: process_creation product: windows detection: - selection: - Image: - - '*\wscript.exe' - - '*\cscript.exe' - CommandLine: - - '* C:\Users\\*.jse *' - - '* C:\Users\\*.vbe *' - - '* C:\Users\\*.js *' - - '* C:\Users\\*.vba *' - - '* C:\Users\\*.vbs *' - - '* C:\ProgramData\\*.jse *' - - '* C:\ProgramData\\*.vbe *' - - '* C:\ProgramData\\*.js *' - - '* C:\ProgramData\\*.vba *' - - '* C:\ProgramData\\*.vbs *' + selection1: + Image|endswith: + - '\wscript.exe' + - '\cscript.exe' + CommandLine|contains: + - 'C:\Users\' + - 'C:\ProgramData\' + selection2: + CommandLine|contains: + - '.jse' + - '.vbe' + - '.js' + - '.vba' + - '.vbs' falsepositive: - ParentImage: '*\winzip*' - condition: selection and not falsepositive + ParentImage|contains: '\winzip' + condition: selection1 and selection2 and not falsepositive fields: - CommandLine - ParentCommandLine diff --git a/rules/windows/process_creation/win_malware_trickbot_recon_activity.yml b/rules/windows/process_creation/win_malware_trickbot_recon_activity.yml index 7610e73a2..fc271bf22 100644 --- a/rules/windows/process_creation/win_malware_trickbot_recon_activity.yml +++ b/rules/windows/process_creation/win_malware_trickbot_recon_activity.yml @@ -25,4 +25,4 @@ detection: condition: selection falsepositives: - Rare System Admin Activity -level: critical \ No newline at end of file +level: critical diff --git a/rules/windows/process_creation/win_malware_wannacry.yml b/rules/windows/process_creation/win_malware_wannacry.yml index 262ee8eee..815de36f2 100644 --- a/rules/windows/process_creation/win_malware_wannacry.yml +++ b/rules/windows/process_creation/win_malware_wannacry.yml 
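Review bot: Splitting the old `* C:\Users\*.js *` patterns into `selection1` (`C:\Users\`) and `selection2` (`.js`, `.vbs`, …) drops the link between the directory and the script extension, and `.js` as a bare substring also matches `.jse`, `.json` or any argument containing those characters anywhere in the command line; expect noticeably more hits than before. Keeping a delimiter on the extension tokens, e.g. `'.js '` plus a quoted-path variant, or a single `CommandLine|re` that ties path and extension together, would preserve the original precision. `modified: 2020/09/01` (context of the first hunk) is not bumped although the detection changed.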
@@ -4,7 +4,7 @@ status: experimental description: Detects WannaCry ransomware activity references: - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100 -author: Florian Roth (rule), Tom U. @c_APT_ure (collection) +author: Florian Roth (rule), Tom U. @c_APT_ure (collection), oscd.community, Jonhnathan Ribeiro date: 2019/01/16 modified: 2020/09/01 tags: @@ -23,25 +23,38 @@ logsource: product: windows detection: selection1: - Image: - - '*\tasksche.exe' - - '*\mssecsvc.exe' - - '*\taskdl.exe' - - '*\@WanaDecryptor@*' - - '*\WanaDecryptor*' - - '*\taskhsvc.exe' - - '*\taskse.exe' - - '*\111.exe' - - '*\lhdfrgui.exe' - - '*\diskpart.exe' - - '*\linuxnew.exe' - - '*\wannacry.exe' + - Image|endswith: + - '\tasksche.exe' + - '\mssecsvc.exe' + - '\taskdl.exe' + - '\taskhsvc.exe' + - '\taskse.exe' + - '\111.exe' + - '\lhdfrgui.exe' + - '\diskpart.exe' + - '\linuxnew.exe' + - '\wannacry.exe' + - Image|contains: 'WanaDecryptor' selection2: - CommandLine: - - '*icacls * /grant Everyone:F /T /C /Q*' - - '*bcdedit /set {default} recoveryenabled no*' - - '*wbadmin delete catalog -quiet*' - - '*@Please_Read_Me@.txt*' + - CommandLine|contains|all: + - 'icacls' + - '/grant' + - 'Everyone:F' + - '/T' + - '/C' + - '/Q' + - CommandLine|contains|all: + - 'bcdedit' + - '/set' + - '{default}' + - 'recoveryenabled' + - 'no' + - CommandLine|contains|all: + - 'wbadmin' + - 'delete' + - 'catalog' + - '-quiet' + - CommandLine|contains: '@Please_Read_Me@.txt' condition: 1 of them fields: - CommandLine diff --git a/rules/windows/process_creation/win_manage-bde_lolbas.yml b/rules/windows/process_creation/win_manage-bde_lolbas.yml new file mode 100644 index 000000000..384015178 --- /dev/null +++ b/rules/windows/process_creation/win_manage-bde_lolbas.yml 
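Review bot: In the `bcdedit` block of `selection2`, the token `'no'` is nearly free — as a bare substring it is satisfied by a great many unrelated arguments — so the block effectively fires on any `bcdedit /set {default} recoveryenabled ...` command, including the legitimate `yes` form whenever another argument happens to contain `no`. `'recoveryenabled no'` (accepting that it no longer tolerates multiple spaces) or a `CommandLine|re` keeps the distinction the old pattern made. `modified: 2020/09/01` (context of the first hunk) is also left unchanged while the detection was rewritten.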
@@ -0,0 +1,27 @@
+title: Suspicious Usage of the Manage-bde.wsf Script
+id: c363385c-f75d-4753-a108-c1a8e28bdbda
+description: Detects a usage of the manage-bde.wsf script that may indicate an attempt of proxy execution from script
+status: experimental
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Manage-bde.yml
+ - https://gist.github.com/bohops/735edb7494fe1bd1010d67823842b712
+ - https://twitter.com/bohops/status/980659399495741441
+ - https://twitter.com/JohnLaTwC/status/1223292479270600706
+tags:
+ - attack.defense_evasion
+ - attack.t1216
+date: 2020/10/13
+modified: 2021/05/21
+author: oscd.community, Natalia Shornikova
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - 'cscript'
+ - 'manage-bde.wsf'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/process_creation/win_mavinject_proc_inj.yml b/rules/windows/process_creation/win_mavinject_proc_inj.yml
index 5fc53cdde..f99d8cfb9 100644
--- a/rules/windows/process_creation/win_mavinject_proc_inj.yml
+++ b/rules/windows/process_creation/win_mavinject_proc_inj.yml
@@ -18,7 +18,7 @@ logsource:
 product: windows
 detection:
 selection:
- CommandLine: '* /INJECTRUNNING *'
+ CommandLine|contains: ' /INJECTRUNNING '
 condition: selection
 falsepositives:
 - unknown
diff --git a/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml b/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
index 633e060ec..cb775d882 100644
--- a/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
+++ b/rules/windows/process_creation/win_meterpreter_or_cobaltstrike_getsystem_service_start.yml
@@ -1,9 +1,9 @@ title: Meterpreter or Cobalt Strike Getsystem Service Start id: 15619216-e993-4721-b590-4c520615a67d description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting -author: Teymur Kheirkhabarov, Ecco +author: Teymur Kheirkhabarov, Ecco, Florian Roth date: 2019/10/26 -modified: 2020/09/01 +modified: 2021/05/20 references: - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/ @@ -31,6 +31,12 @@ detection: - '/c' - 'echo' - '\pipe\' + # cobaltstrike getsystem technique 1b (expanded env var): %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a + - CommandLine|contains|all: + - 'cmd.exe' + - '/c' + - 'echo' + - '\pipe\' # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn - CommandLine|contains|all: - 'rundll32' diff --git a/rules/windows/process_creation/win_mmc_spawn_shell.yml b/rules/windows/process_creation/win_mmc_spawn_shell.yml index f5c4ef1a5..70641647f 100644 --- a/rules/windows/process_creation/win_mmc_spawn_shell.yml +++ b/rules/windows/process_creation/win_mmc_spawn_shell.yml @@ -16,18 +16,20 @@ logsource: product: windows detection: selection: - ParentImage: '*\mmc.exe' - Image: - - '*\cmd.exe' - - '*\powershell.exe' - - '*\wscript.exe' - - '*\cscript.exe' - - '*\sh.exe' - - '*\bash.exe' - - '*\reg.exe' - - '*\regsvr32.exe' - - '*\BITSADMIN*' - condition: selection + ParentImage|endswith: '\mmc.exe' + selection2: + - Image|endswith: + - '\cmd.exe' + - '\powershell.exe' + - '\wscript.exe' + - '\cscript.exe' + - '\sh.exe' + - '\bash.exe' + - '\reg.exe' + - '\regsvr32.exe' + - Image|contains: + - '\BITSADMIN' + condition: selection and selection2 fields: - CommandLine - Image 
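Review bot: The added `cmd.exe` block repeats the preceding technique-1 block except for its first token, which per the two comments is `%COMSPEC%` there and `cmd.exe` here; the first element of that earlier block sits outside this hunk, so this is inferred from the comments. If the backend in use accepts two modifiers on the same field within one map, the pair can be folded into one entry — `CommandLine|contains: ['%COMSPEC%', 'cmd.exe']` alongside `CommandLine|contains|all: ['/c', 'echo', '\pipe\']` — which keeps the two variants from drifting apart. The enclosing `selection` list begins outside this hunk.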
diff --git a/rules/windows/process_creation/win_modif_of_services_for_via_commandline.yml b/rules/windows/process_creation/win_modif_of_services_for_via_commandline.yml
new file mode 100644
index 000000000..970b7c6d0
--- /dev/null
+++ b/rules/windows/process_creation/win_modif_of_services_for_via_commandline.yml
@@ -0,0 +1,27 @@
+title: Modification Of Existing Services For Persistence
+id: 38879043-7e1e-47a9-8d46-6bec88e201df
+description: Detects modification of an existing service on a compromised host in order to execute an arbitrary payload when the service is started or killed as a method of persistence.
+references:
+ - https://pentestlab.blog/2020/01/22/persistence-modify-existing-service/
+status: experimental
+tags:
+ - attack.persistence
+ - attack.t1031
+ - attack.t1058
+author: Sreeman
+date: 2020/09/29
+modified: 2021/06/11
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_cmdline_1:
+ CommandLine|re: '(?i)sc config.*binpath=.*'
+ selection_cmdline_2:
+ CommandLine|re: '(?i)sc failure.*command=.*'
+ selection_cmdline_3:
+ CommandLine|re: '(?i).*reg add.*(FailureCommand|ImagePath).*(\.sh|\.exe|\.dll|\.bin^|\.bat|\.cmd|\.js|\.msh^|\.reg^|\.scr|\.ps|\.vb|\.jar|\.pl).*'
+ condition: selection_cmdline_1 or selection_cmdline_2 or selection_cmdline_3
+falsepositives:
+ - unknown
+level: medium
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_monitoring_for_persistence_via_bits.yml b/rules/windows/process_creation/win_monitoring_for_persistence_via_bits.yml
new file mode 100644
index 000000000..c601496c3
--- /dev/null
+++ b/rules/windows/process_creation/win_monitoring_for_persistence_via_bits.yml
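Review bot: The third regex contains stray `^` anchors inside the alternation — `\.bin^`, `\.msh^`, `\.reg^` — and since `^` can only match at the start of the subject, those three branches can never match, so `.bin`, `.msh` and `.reg` payloads are silently not detected; drop the carets: `(\.sh|\.exe|\.dll|\.bin|\.bat|\.cmd|\.js|\.msh|\.reg|\.scr|\.ps|\.vb|\.jar|\.pl)`. The leading and trailing `.*` are redundant if the backend performs an unanchored search, which is the usual behaviour for `|re`. As far as I recall, `attack.t1031` and `attack.t1058` are retired technique IDs (superseded by `attack.t1543.003` and `attack.t1574.011`); worth confirming before this lands. The file is also committed without a trailing newline.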
@@ -0,0 +1,27 @@
+title: Monitoring For Persistence Via BITS
+id: b9cbbc17-d00d-4e3d-a827-b06d03d2380d
+description: BITS will allow you to schedule a command to execute after a successful download to notify you that the job is finished. When the job runs on the system the command specified in the BITS job will be executed. This can be abused by actors to create a backdoor within the system and for persistence. It will be chained in a BITS job to schedule the download of malware/additional binaries and execute the program after being downloaded
+status: experimental
+author: Sreeman
+date: 2020/10/29
+modified: 2021/06/11
+tags:
+ - attack.defense_evasion
+references:
+ - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
+ - http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html
+ - https://isc.sans.edu/diary/Wipe+the+drive+Stealthy+Malware+Persistence+Mechanism+-+Part+1/15394
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection_1:
+ CommandLine|re: '(?i).*bitsadmin.*/SetNotifyCmdLine.*(%COMSPEC%|cmd.exe|regsvr32.exe).*'
+ selection_2:
+ CommandLine|re: '(?i).*bitsadmin.*/Addfile.*(http|https|ftp|ftps):.*'
+ condition: selection_1 or selection_2
+falsepositives:
+ - None observed yet.
+fields:
+ - CommandLine
+level: medium
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_mshta_javascript.yml b/rules/windows/process_creation/win_mshta_javascript.yml
index 8c3821626..1b2f0a940 100644
--- a/rules/windows/process_creation/win_mshta_javascript.yml
+++ b/rules/windows/process_creation/win_mshta_javascript.yml
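Review bot: The rule is titled and described as persistence detection, yet `tags` carries only `attack.defense_evasion` and no technique ID; `attack.persistence` and `attack.t1197` (BITS Jobs) are the obvious candidates. In `selection_2` the alternation `(http|https|ftp|ftps)` is redundant — `http` already matches `https` and `ftp` matches `ftps` — so `(http|ftp)` is equivalent. In `selection_1`, restricting the notify command to `%COMSPEC%`, `cmd.exe` or `regsvr32.exe` means a `/SetNotifyCmdLine` pointing at any other executable goes undetected; given the "None observed yet." false-positive note, matching on `/SetNotifyCmdLine` alone looks safe and more robust. The file is committed without a trailing newline.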
@@ -2,7 +2,7 @@ title: Mshta JavaScript Execution id: 67f113fa-e23d-4271-befa-30113b3e08b1 description: Identifies suspicious mshta.exe commands status: experimental -author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community +author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community date: 2019/10/24 modified: 2020/09/01 references: diff --git a/rules/windows/process_creation/win_mshta_spawn_shell.yml b/rules/windows/process_creation/win_mshta_spawn_shell.yml index fca0d99b9..ad6835d1a 100644 --- a/rules/windows/process_creation/win_mshta_spawn_shell.yml +++ b/rules/windows/process_creation/win_mshta_spawn_shell.yml @@ -12,18 +12,20 @@ logsource: product: windows detection: selection: - ParentImage: '*\mshta.exe' - Image: - - '*\cmd.exe' - - '*\powershell.exe' - - '*\wscript.exe' - - '*\cscript.exe' - - '*\sh.exe' - - '*\bash.exe' - - '*\reg.exe' - - '*\regsvr32.exe' - - '*\BITSADMIN*' - condition: selection + ParentImage|endswith: '\mshta.exe' + selection2: + - Image|endswith: + - '\cmd.exe' + - '\powershell.exe' + - '\wscript.exe' + - '\cscript.exe' + - '\sh.exe' + - '\bash.exe' + - '\reg.exe' + - '\regsvr32.exe' + - Image|contains: + - '\BITSADMIN' + condition: selection and selection2 fields: - CommandLine - ParentCommandLine diff --git a/rules/windows/process_creation/win_netsh_fw_add.yml b/rules/windows/process_creation/win_netsh_fw_add.yml index cc440dc01..9fe41f4c9 100644 --- a/rules/windows/process_creation/win_netsh_fw_add.yml +++ b/rules/windows/process_creation/win_netsh_fw_add.yml @@ -17,11 +17,11 @@ logsource: product: windows detection: selection1: - CommandLine: - - '*netsh*' + Image|endswith: '\netsh.exe' selection2: - CommandLine: - - '*firewall add*' + CommandLine|contains|all: + - 'firewall' + - 'add' condition: selection1 and selection2 falsepositives: - Legitimate administration 
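Review bot: In `selection2` of the `win_netsh_fw_add.yml` hunk, `'add'` as a bare substring is satisfied by `address`, so a command line carrying `firewall` together with, for example, a `remoteip=<address>` argument matches without any `add` verb; `' add '` (space-delimited) restores the precision of the old `'*firewall add*'` pattern. The same `'add'` token appears in `selection1` of the `win_netsh_port_fwd.yml` hunk further down, where `listenaddress=` makes even `portproxy delete` commands match. The `modified` field of this rule is outside the hunk.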
diff --git a/rules/windows/process_creation/win_netsh_fw_add_susp_image.yml b/rules/windows/process_creation/win_netsh_fw_add_susp_image.yml index 601c36047..13f3ead73 100644 --- a/rules/windows/process_creation/win_netsh_fw_add_susp_image.yml +++ b/rules/windows/process_creation/win_netsh_fw_add_susp_image.yml 
@@ -5,50 +5,56 @@ references: - https://www.virusradar.com/en/Win32_Kasidet.AD/description - https://www.hybrid-analysis.com/sample/07e789f4f2f3259e7559fdccb36e96814c2dbff872a21e1fa03de9ee377d581f?environmentId=100 date: 2020/05/25 -modified: 2020/09/01 +modified: 2020/11/28 tags: - attack.defense_evasion - attack.t1089 # an old one - attack.t1562.004 status: experimental -author: Sander Wiebing +author: Sander Wiebing, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community logsource: category: process_creation product: windows detection: selection1: + Image|endswith: '\netsh.exe' CommandLine|contains|all: - - 'netsh' - - 'firewall add allowedprogram' + - 'firewall' + - 'add' + - 'allowedprogram' selection2: + Image|endswith: '\netsh.exe' CommandLine|contains|all: - - netsh - - advfirewall firewall add rule - - action=allow - - program= + - 'advfirewall' + - 'firewall' + - 'add' + - 'rule' + - 'action=allow' + - 'program=' susp_image: - CommandLine|contains: - - '*%TEMP%*' - - '*:\RECYCLER\\*' - - '*C:\$Recycle.bin\\*' - - '*:\SystemVolumeInformation\\*' - - 'C:\\Windows\\Tasks\\*' - - 'C:\\Windows\\debug\\*' - - 'C:\\Windows\\fonts\\*' - - 'C:\\Windows\\help\\*' - - 'C:\\Windows\\drivers\\*' - - 'C:\\Windows\\addins\\*' - - 'C:\\Windows\\cursors\\*' - - 'C:\\Windows\\system32\tasks\\*' - - '*C:\Windows\Temp\\*' - - '*C:\Temp\\*' - - '*C:\Users\Public\\*' - - '%Public%\\*' - - '*C:\Users\Default\\*' - - '*C:\Users\Desktop\\*' - - '*\Downloads\\*' - - '*\Temporary Internet Files\Content.Outlook\\*' - - '*\Local Settings\Temporary Internet Files\\*' + - CommandLine|contains: + - '%TEMP%' + - ':\RECYCLER\' + - 'C:\$Recycle.bin\' + - ':\SystemVolumeInformation\' + - 'C:\Windows\Temp\' + - 'C:\Temp\' + - 'C:\Users\Public\' + - 'C:\Users\Default\' + - 'C:\Users\Desktop\' + - '\Downloads\' + - '\Temporary Internet Files\Content.Outlook\' + - '\Local Settings\Temporary Internet Files\' + - CommandLine|startswith: + - 'C:\Windows\Tasks\' + - 'C:\Windows\debug\' + - 
'C:\Windows\fonts\' + - 'C:\Windows\help\' + - 'C:\Windows\drivers\' + - 'C:\Windows\addins\' + - 'C:\Windows\cursors\' + - 'C:\Windows\system32\tasks\' + - '%Public%\' condition: (selection1 or selection2) and susp_image falsepositives: - Legitimate administration diff --git a/rules/windows/process_creation/win_netsh_port_fwd.yml b/rules/windows/process_creation/win_netsh_port_fwd.yml index ad6128419..41751f51d 100644 --- a/rules/windows/process_creation/win_netsh_port_fwd.yml +++ b/rules/windows/process_creation/win_netsh_port_fwd.yml @@ -1,25 +1,38 @@ title: Netsh Port Forwarding id: 322ed9ec-fcab-4f67-9a34-e7c6aef43614 -description: Detects netsh commands that configure a port forwarding +description: Detects netsh commands that configure a port forwarding (PortProxy) references: - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html + - https://adepts.of0x.cc/netsh-portproxy-code/ + - https://www.dfirnotes.net/portproxy_detection/ date: 2019/01/29 -modified: 2020/09/01 +modified: 2021/06/22 tags: - attack.lateral_movement - attack.defense_evasion - attack.command_and_control - attack.t1090 status: experimental -author: Florian Roth +author: Florian Roth, omkar72, oscd.community logsource: category: process_creation product: windows detection: - selection: - CommandLine: - - netsh interface portproxy add v4tov4 * - condition: selection + selection1: + Image|endswith: '\netsh.exe' + CommandLine|contains|all: + - 'interface' + - 'portproxy' + - 'add' + - 'v4tov4' + selection2: + Image|endswith: '\netsh.exe' + CommandLine|contains|all: + - 'connectp' + - 'listena' + - 'c=' + condition: selection1 or selection2 falsepositives: - Legitimate administration + - WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723) level: medium 
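Review bot: The `CommandLine|startswith` list in `susp_image` can never be true together with `selection1`/`selection2`: a netsh command line begins with the netsh image path, not with `C:\Windows\Tasks\` or `%Public%\`, so those nine entries are dead. They reproduce the old patterns (which had no leading `*` and were therefore start-anchored too), so the commit only preserves an existing defect; moving them into the `CommandLine|contains` list above is presumably what was meant. `'C:\Users\Desktop\'` in that list is also unlikely to be a real path (profiles live under `C:\Users\<name>\Desktop\`) — confirm the intent.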
diff --git a/rules/windows/process_creation/win_netsh_port_fwd_3389.yml b/rules/windows/process_creation/win_netsh_port_fwd_3389.yml index 02124e93f..91f2c0488 100644 --- a/rules/windows/process_creation/win_netsh_port_fwd_3389.yml +++ b/rules/windows/process_creation/win_netsh_port_fwd_3389.yml @@ -4,20 +4,25 @@ description: Detects netsh commands that configure a port forwarding of port 338 references: - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html date: 2019/01/29 +modified: 2020/11/28 tags: - attack.lateral_movement - attack.defense_evasion - attack.command_and_control - attack.t1090 status: experimental -author: Florian Roth +author: Florian Roth, oscd.community logsource: category: process_creation product: windows detection: selection: - CommandLine: - - netsh i* p*=3389 c* + Image|endswith: '\netsh.exe' + CommandLine|contains|all: + - 'i' + - ' p' + - '=3389' + - ' c' condition: selection falsepositives: - Legitimate administration diff --git a/rules/windows/process_creation/win_netsh_wifi_credential_harvesting.yml b/rules/windows/process_creation/win_netsh_wifi_credential_harvesting.yml index b34ae86ee..952ac4683 100644 --- a/rules/windows/process_creation/win_netsh_wifi_credential_harvesting.yml +++ b/rules/windows/process_creation/win_netsh_wifi_credential_harvesting.yml @@ -4,9 +4,9 @@ status: experimental description: Detect the harvesting of wifi credentials using netsh.exe references: - https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/ -author: Andreas Hunkeler (@Karneades) +author: Andreas Hunkeler (@Karneades), oscd.community date: 2020/04/20 -modified: 2020/09/01 +modified: 2020/11/28 tags: - attack.discovery - attack.credential_access 
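Review bot: Decomposing `netsh i* p*=3389 c*` into `contains|all` with `'i'`, `' p'` and `' c'` discards the ordering that carried the meaning: `'i'` is matched by virtually every command line and the two space-prefixed letters by almost any argument, so the rule is now effectively `netsh.exe` plus `=3389`. A regex keeps the original shape, e.g. `CommandLine|re: '\bi\S*\s+p.*=3389\s+c'` (constructed; adjust to the backend's regex dialect). The `win_netsh_wifi_credential_harvesting.yml` hunk below does the same with `' s'`, `' p'`, `' k'` and would benefit from the same treatment, e.g. `wlan\s+s.*\s+p.*\s+k\S*=clear`.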
@@ -16,8 +16,13 @@ logsource:
 product: windows
 detection:
 selection:
- CommandLine:
- - 'netsh wlan s* p* k*=clear'
+ Image|endswith: '\netsh.exe'
+ CommandLine|contains|all:
+ - 'wlan'
+ - ' s'
+ - ' p'
+ - ' k'
+ - '=clear'
 condition: selection
 falsepositives:
 - Legitimate administrator or user uses netsh.exe wlan functionality for legitimate reason
diff --git a/rules/windows/process_creation/win_nltest_query.yml b/rules/windows/process_creation/win_nltest_query.yml
new file mode 100644
index 000000000..b42648cc4
--- /dev/null
+++ b/rules/windows/process_creation/win_nltest_query.yml
@@ -0,0 +1,24 @@
+title: Nltest Credential Hash Theft
+id: 5cc90652-4cbd-4241-aa3b-4b462fa5a248
+description: Detects nltest query commands which may leak credential hashes
+references:
+ - https://twitter.com/sysopfb/status/986799053668139009
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/94368c1e69a6ce5ce812f2b331c99b89a63791b9/yml/LOLUtilz/OSBinaries/Nltest.yml
+date: 2018/04/18
+modified: 2021/01/05
+tags:
+ - attack.credential_access
+ - attack.t1003
+status: experimental
+author: Craig Young, oscd.community
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\nltest.exe'
+ CommandLine|contains: '\query'
+ condition: selection
+falsepositives:
+ - Legitimate administration
+level: medium
diff --git a/rules/windows/process_creation/win_non_interactive_powershell.yml b/rules/windows/process_creation/win_non_interactive_powershell.yml
index 32caed855..68cb6815d 100644
--- a/rules/windows/process_creation/win_non_interactive_powershell.yml
+++ b/rules/windows/process_creation/win_non_interactive_powershell.yml
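Review bot: `CommandLine|contains: '\query'` in the new nltest rule uses a backslash, but nltest switches are written with a forward slash (`/server:`, `/query`); if the intended token is `/query`, this rule never fires on the command it describes. Please check the value against the referenced LOLBAS entry and tweet, and if the backslash is deliberate, a comment saying why would spare the next reader the same doubt.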
@@ -3,10 +3,10 @@ id: f4bbd493-b796-416e-bbf2-121235348529 description: Detects non-interactive PowerShell activity by looking at powershell.exe with not explorer.exe as a parent. status: experimental date: 2019/09/12 -modified: 2019/11/10 +modified: 2021/05/10 author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) references: - - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/basic_powershell_execution.md + - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html tags: - attack.execution - attack.t1086 # an old one @@ -18,8 +18,10 @@ detection: selection: Image|endswith: '\powershell.exe' filter: - ParentImage|endswith: '\explorer.exe' + ParentImage|endswith: + - '\explorer.exe' + - '\CompatTelRunner.exe' condition: selection and not filter falsepositives: - Legitimate programs executing PowerShell scripts -level: medium +level: low diff --git a/rules/windows/process_creation/win_non_priv_reg_or_ps.yml b/rules/windows/process_creation/win_non_priv_reg_or_ps.yml new file mode 100644 index 000000000..8ff4bf024 --- /dev/null +++ b/rules/windows/process_creation/win_non_priv_reg_or_ps.yml 
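Review bot: The new `\CompatTelRunner.exe` entry in `filter` and the level drop from `medium` to `low` are both unexplained in the file; a one-line comment on the filter entry, for instance `# CompatTelRunner.exe (Windows compatibility telemetry) is a known benign non-interactive parent` if that is the reason, would record the tuning decision for whoever revisits the rule. Since `filter` exempts the whole parent image regardless of command line, it is worth stating in that comment why a broader exemption was acceptable here.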
@@ -0,0 +1,45 @@
+title: Non-privileged Usage of Reg or Powershell
+id: 8f02c935-effe-45b3-8fc9-ef8696a9e41d
+description: Search for usage of reg or Powershell by non-priveleged users to modify service configuration in registry
+status: experimental
+author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community
+date: 2020/10/05
+references:
+ - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-20-638.jpg
+tags:
+ - attack.defense_evasion
+ - attack.t1112
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ integrity_level:
+ IntegrityLevel: 'Medium'
+ reg:
+ CommandLine|contains|all:
+ - 'reg'
+ - 'add'
+ powershell_1:
+ CommandLine|contains: 'powershell'
+ powershell_2:
+ CommandLine|contains:
+ - 'set-itemproperty'
+ - ' sp '
+ - 'new-itemproperty'
+ registry_folder:
+ CommandLine|contains|all:
+ - 'ControlSet'
+ - 'Services'
+ registry_key:
+ CommandLine|contains:
+ - 'ImagePath'
+ - 'FailureCommand'
+ - 'ServiceDLL'
+ condition: integrity_level and (reg or powershell_1 and powershell_2) and registry_folder and registry_key
+fields:
+ - EventID
+ - IntegrityLevel
+ - CommandLine
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_office_shell.yml b/rules/windows/process_creation/win_office_shell.yml
index a91b4bd97..e1f5ea7c3 100644
--- a/rules/windows/process_creation/win_office_shell.yml
+++ b/rules/windows/process_creation/win_office_shell.yml
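Review bot: In `reg`, both tokens are bare substrings — `'reg'` is matched inside `regsvr32`, `regedit` or `Registry::`, and `'add'` inside `address` — so the `reg` branch can fire on command lines that never run `reg add`; `'reg '` and `' add '` (or an `Image|endswith: '\reg.exe'` key) tighten it at no cost. The description misspells `non-priveleged` (should be `non-privileged`). `condition: integrity_level and (reg or powershell_1 and powershell_2) and ...` is correct under Sigma precedence but reads more clearly as `(reg or (powershell_1 and powershell_2))`. The file is committed without a trailing newline.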
@@ -17,36 +17,36 @@ logsource: product: windows detection: selection: - ParentImage: - - '*\WINWORD.EXE' - - '*\EXCEL.EXE' - - '*\POWERPNT.exe' - - '*\MSPUB.exe' - - '*\VISIO.exe' - - '*\OUTLOOK.EXE' - - '*\MSACCESS.EXE' - - '*\EQNEDT32.EXE' - Image: - - '*\cmd.exe' - - '*\powershell.exe' - - '*\wscript.exe' - - '*\cscript.exe' - - '*\sh.exe' - - '*\bash.exe' - - '*\scrcons.exe' - - '*\schtasks.exe' - - '*\regsvr32.exe' - - '*\hh.exe' - - '*\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/ - - '*\mshta.exe' - - '*\rundll32.exe' - - '*\msiexec.exe' - - '*\forfiles.exe' - - '*\scriptrunner.exe' - - '*\mftrace.exe' - - '*\AppVLP.exe' - - '*\svchost.exe' # https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html - - '*\msbuild.exe' # https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml + ParentImage|endswith: + - '\WINWORD.EXE' + - '\EXCEL.EXE' + - '\POWERPNT.exe' + - '\MSPUB.exe' + - '\VISIO.exe' + - '\OUTLOOK.EXE' + - '\MSACCESS.EXE' + - '\EQNEDT32.EXE' + Image|endswith: + - '\cmd.exe' + - '\powershell.exe' + - '\wscript.exe' + - '\cscript.exe' + - '\sh.exe' + - '\bash.exe' + - '\scrcons.exe' + - '\schtasks.exe' + - '\regsvr32.exe' + - '\hh.exe' + - '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/ + - '\mshta.exe' + - '\rundll32.exe' + - '\msiexec.exe' + - '\forfiles.exe' + - '\scriptrunner.exe' + - '\mftrace.exe' + - '\AppVLP.exe' + - '\svchost.exe' # https://www.vmray.com/analyses/2d2fa29185ad/report/overview.html + - '\msbuild.exe' # https://github.com/elastic/detection-rules/blob/main/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml condition: selection fields: - CommandLine diff --git a/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml b/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml index 403ddd8a9..cf43685fc 100644 
--- a/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml +++ b/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml @@ -11,24 +11,26 @@ tags: - attack.t1204.002 - FIN7 - car.2013-05-002 -author: Jason Lynch +author: Jason Lynch date: 2019/04/02 -modified: 2020/09/01 +modified: 2021/04/01 logsource: category: process_creation product: windows detection: selection: - ParentImage: - - '*\WINWORD.EXE' - - '*\EXCEL.EXE' - - '*\POWERPNT.exe' - - '*\MSPUB.exe' - - '*\VISIO.exe' - - '*\OUTLOOK.EXE' - Image: - - 'C:\users\\*.exe' - condition: selection + ParentImage|endswith: + - '\WINWORD.EXE' + - '\EXCEL.EXE' + - '\POWERPNT.exe' + - '\MSPUB.exe' + - '\VISIO.exe' + # - '\OUTLOOK.EXE' too many FPs + Image|startswith: 'C:\users\' + Image|endswith: '.exe' + filter: + Image|endswith: '\Teams.exe' + condition: selection and not filter fields: - CommandLine - ParentCommandLine diff --git a/rules/windows/process_creation/win_plugx_susp_exe_locations.yml b/rules/windows/process_creation/win_plugx_susp_exe_locations.yml index 557ac9154..73522132f 100644 --- a/rules/windows/process_creation/win_plugx_susp_exe_locations.yml +++ b/rules/windows/process_creation/win_plugx_susp_exe_locations.yml @@ -7,6 +7,7 @@ references: - https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/ author: Florian Roth date: 2017/06/12 +modified: 2020/11/28 tags: - attack.s0013 - attack.defense_evasion 
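Review bot: `filter: Image|endswith: '\Teams.exe'` exempts any binary named `Teams.exe` anywhere under `C:\users\`, not only the Microsoft Teams installation, which is a broad hole for a rule whose whole premise is executables launched from user directories. Anchoring it on the per-user install path, e.g. `Image|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe'` (confirm the exact path for the Teams build in use), keeps the false-positive fix while leaving the rest of the profile covered. The `author: Jason Lynch` line appears to change only in whitespace, which is noise in the history.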
@@ -17,75 +18,88 @@ logsource: product: windows detection: selection_cammute: - Image: '*\CamMute.exe' + Image|endswith: '\CamMute.exe' filter_cammute: - Image: '*\Lenovo\Communication Utility\\*' + Image|contains: + - '\Lenovo\Communication Utility\' + - '\Lenovo\Communications Utility\' selection_chrome_frame: - Image: '*\chrome_frame_helper.exe' + Image|endswith: '\chrome_frame_helper.exe' filter_chrome_frame: - Image: '*\Google\Chrome\application\\*' + Image|contains: '\Google\Chrome\application\' selection_devemu: - Image: '*\dvcemumanager.exe' + Image|endswith: '\dvcemumanager.exe' filter_devemu: - Image: '*\Microsoft Device Emulator\\*' + Image|contains: '\Microsoft Device Emulator\' selection_gadget: - Image: '*\Gadget.exe' + Image|endswith: '\Gadget.exe' filter_gadget: - Image: '*\Windows Media Player\\*' + Image|contains: '\Windows Media Player\' selection_hcc: - Image: '*\hcc.exe' + Image|endswith: '\hcc.exe' filter_hcc: - Image: '*\HTML Help Workshop\\*' + Image|contains: '\HTML Help Workshop\' selection_hkcmd: - Image: '*\hkcmd.exe' + Image|endswith: '\hkcmd.exe' filter_hkcmd: - Image: - - '*\System32\\*' - - '*\SysNative\\*' - - '*\SysWowo64\\*' + Image|contains: + - '\System32\' + - '\SysNative\' + - '\SysWowo64\' selection_mc: - Image: '*\Mc.exe' + Image|endswith: '\Mc.exe' filter_mc: - Image: - - '*\Microsoft Visual Studio*' - - '*\Microsoft SDK*' - - '*\Windows Kit*' + Image|contains: + - '\Microsoft Visual Studio' + - '\Microsoft SDK' + - '\Windows Kit' selection_msmpeng: - Image: '*\MsMpEng.exe' + Image|endswith: '\MsMpEng.exe' filter_msmpeng: - Image: - - '*\Microsoft Security Client\\*' - - '*\Windows Defender\\*' - - '*\AntiMalware\\*' + Image|contains: + - '\Microsoft Security Client\' + - '\Windows Defender\' + - '\AntiMalware\' selection_msseces: - Image: '*\msseces.exe' + Image|endswith: '\msseces.exe' filter_msseces: - Image: - - '*\Microsoft Security Center\\*' - - '*\Microsoft Security Client\\*' - - '*\Microsoft Security 
Essentials\\*' + Image|contains: + - '\Microsoft Security Center\' + - '\Microsoft Security Client\' + - '\Microsoft Security Essentials\' selection_oinfo: - Image: '*\OInfoP11.exe' + Image|endswith: '\OInfoP11.exe' filter_oinfo: - Image: '*\Common Files\Microsoft Shared\\*' + Image|contains: '\Common Files\Microsoft Shared\' selection_oleview: - Image: '*\OleView.exe' + Image|endswith: '\OleView.exe' filter_oleview: - Image: - - '*\Microsoft Visual Studio*' - - '*\Microsoft SDK*' - - '*\Windows Kit*' - - '*\Windows Resource Kit\\*' + Image|contains: + - '\Microsoft Visual Studio' + - '\Microsoft SDK' + - '\Windows Kit' + - '\Windows Resource Kit\' selection_rc: - Image: '*\rc.exe' + Image|endswith: '\rc.exe' filter_rc: - Image: - - '*\Microsoft Visual Studio*' - - '*\Microsoft SDK*' - - '*\Windows Kit*' - - '*\Windows Resource Kit\\*' - - '*\Microsoft.NET\\*' - condition: ( selection_cammute and not filter_cammute ) or ( selection_chrome_frame and not filter_chrome_frame ) or ( selection_devemu and not filter_devemu ) or ( selection_gadget and not filter_gadget ) or ( selection_hcc and not filter_hcc ) or ( selection_hkcmd and not filter_hkcmd ) or ( selection_mc and not filter_mc ) or ( selection_msmpeng and not filter_msmpeng ) or ( selection_msseces and not filter_msseces ) or ( selection_oinfo and not filter_oinfo ) or ( selection_oleview and not filter_oleview ) or ( selection_rc and not filter_rc ) + Image|contains: + - '\Microsoft Visual Studio' + - '\Microsoft SDK' + - '\Windows Kit' + - '\Windows Resource Kit\' + - '\Microsoft.NET\' + condition: ( selection_cammute and not filter_cammute ) or + ( selection_chrome_frame and not filter_chrome_frame ) or + ( selection_devemu and not filter_devemu ) or + ( selection_gadget and not filter_gadget ) or + ( selection_hcc and not filter_hcc ) or + ( selection_hkcmd and not filter_hkcmd ) or + ( selection_mc and not filter_mc ) or + ( selection_msmpeng and not filter_msmpeng ) or + ( selection_msseces and not 
filter_msseces ) or + ( selection_oinfo and not filter_oinfo ) or + ( selection_oleview and not filter_oleview ) or + ( selection_rc and not filter_rc ) fields: - CommandLine - ParentCommandLine diff --git a/rules/windows/process_creation/win_possible_applocker_bypass.yml b/rules/windows/process_creation/win_possible_applocker_bypass.yml index 65fdeab05..39ac4e712 100644 --- a/rules/windows/process_creation/win_possible_applocker_bypass.yml +++ b/rules/windows/process_creation/win_possible_applocker_bypass.yml @@ -37,5 +37,5 @@ detection: condition: selection falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment - - Using installutil to add features for .NET applications (primarly would occur in developer environments) + - Using installutil to add features for .NET applications (primarily would occur in developer environments) level: low diff --git a/rules/windows/process_creation/win_powershell_amsi_bypass.yml b/rules/windows/process_creation/win_powershell_amsi_bypass.yml index 3d1100239..23f128415 100644 --- a/rules/windows/process_creation/win_powershell_amsi_bypass.yml +++ b/rules/windows/process_creation/win_powershell_amsi_bypass.yml @@ -17,11 +17,11 @@ logsource: product: windows detection: selection1: - CommandLine: - - '*System.Management.Automation.AmsiUtils*' + CommandLine|contains: + - 'System.Management.Automation.AmsiUtils' selection2: - CommandLine: - - '*amsiInitFailed*' + CommandLine|contains: + - 'amsiInitFailed' condition: selection1 and selection2 falsepositives: - Potential Admin Activity diff --git a/rules/windows/process_creation/win_powershell_audio_capture.yml b/rules/windows/process_creation/win_powershell_audio_capture.yml index fed8a12b1..a349defdf 100644 --- a/rules/windows/process_creation/win_powershell_audio_capture.yml +++ b/rules/windows/process_creation/win_powershell_audio_capture.yml 
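Review bot: `filter_hkcmd` keeps the typo `'\SysWowo64\'` from the old pattern `'*\SysWowo64\\*'`; the real directory is `SysWOW64`, so a 32-bit `hkcmd.exe` under `C:\Windows\SysWOW64\` is never filtered and will keep alerting as a PlugX-style side-load candidate. Change it to `- '\SysWOW64\'` (casing is cosmetic on the usual case-insensitive backends). Splitting `condition` across lines is a clear readability gain; keep the per-pair `selection_x and not filter_x` form, since each filter is only meant to apply to its own selection.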
@@ -2,7 +2,7 @@ title: Audio Capture via PowerShell id: 932fb0d8-692b-4b0f-a26e-5643a50fe7d6 description: Detects audio capture via PowerShell Cmdlet status: experimental -author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community +author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community date: 2019/10/24 modified: 2019/11/11 references: diff --git a/rules/windows/process_creation/win_powershell_b64_shellcode.yml b/rules/windows/process_creation/win_powershell_b64_shellcode.yml index 3ae30acca..48b87eab2 100644 --- a/rules/windows/process_creation/win_powershell_b64_shellcode.yml +++ b/rules/windows/process_creation/win_powershell_b64_shellcode.yml @@ -15,11 +15,11 @@ logsource: product: windows detection: selection1: - CommandLine: '*AAAAYInlM*' + CommandLine|contains: 'AAAAYInlM' selection2: - CommandLine: - - '*OiCAAAAYInlM*' - - '*OiJAAAAYInlM*' + CommandLine|contains: + - 'OiCAAAAYInlM' + - 'OiJAAAAYInlM' condition: selection1 and selection2 falsepositives: - Unknown diff --git a/rules/windows/process_creation/win_powershell_defender_exclusion.yml b/rules/windows/process_creation/win_powershell_defender_exclusion.yml new file mode 100644 index 000000000..2a6191fc0 --- /dev/null +++ b/rules/windows/process_creation/win_powershell_defender_exclusion.yml 
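Review bot: In the `win_powershell_b64_shellcode.yml` hunk `selection1` is redundant: both strings in `selection2` (`'OiCAAAAYInlM'`, `'OiJAAAAYInlM'`) already contain the `selection1` substring `'AAAAYInlM'`, so `condition: selection1 and selection2` evaluates exactly like `selection2` alone. Either drop `selection1` and set `condition: selection2`, or keep it and add a one-line comment stating why the broader substring is retained, so the next maintainer does not read the conjunction as a deliberate narrowing.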
@@ -0,0 +1,32 @@
+title: Powershell Defender Exclusion
+id: 17769c90-230e-488b-a463-e05c08e9d48f
+status: experimental
+description: Detects requests to exclude files, folders or processes from Antivirus scanning using PowerShell cmdlets
+references:
+ - https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
+author: Florian Roth
+date: 2021/04/29
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ CommandLine: 'Add-MpPreference'
+ selection2:
+ CommandLine|contains:
+ - ' -ExclusionPath '
+ - ' -ExclusionExtension '
+ - ' -ExclusionProcess '
+ selection_encoded:
+ CommandLine|contains:
+ - 'QWRkLU1wUHJlZmVyZW5jZ'
+ - 'FkZC1NcFByZWZlcmVuY2'
+ - 'BZGQtTXBQcmVmZXJlbmNl'
+ condition: ( selection1 and selection2 ) or selection_encoded
+falsepositives:
+ - Possible Admin Activity
+ - Other Cmdlets that may use the same parameters
+level: high
diff --git a/rules/windows/process_creation/win_powershell_disable_windef_av.yml b/rules/windows/process_creation/win_powershell_disable_windef_av.yml
new file mode 100644
index 000000000..ebfb84ed8
--- /dev/null
+++ b/rules/windows/process_creation/win_powershell_disable_windef_av.yml
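Review bot: `selection1` uses a plain `CommandLine: 'Add-MpPreference'`, which in Sigma is an exact match of the whole field value, so it can never be true for the same event as `selection2`, which requires additional text such as ` -ExclusionPath `; the clear-text branch of the condition is dead and only `selection_encoded` can fire. Change it to `CommandLine|contains: 'Add-MpPreference'`. The three fragments in `selection_encoded` appear to be the cmdlet name at the three base64 alignments; a comment such as `# base64 of 'Add-MpPreference' at its three alignments` would make that explicit for the next maintainer.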
@@ -0,0 +1,39 @@
+title: Powershell Used To Disable Windows Defender AV Security Monitoring
+id: a7ee1722-c3c5-aeff-3212-c777e4733217
+status: experimental
+description: Detects attackers attempting to disable Windows Defender using Powershell
+author: 'ok @securonix invrep-de, oscd.community, frack113'
+date: 2020/10/12
+modified: 2021/06/07
+references:
+ - https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
+ - https://rvsec0n.wordpress.com/2020/01/24/malwares-that-bypass-windows-defender/
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
+tags:
+ - attack.defense_evasion
+ - attack.t1089 # legacy
+ - attack.t1562.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\powershell.exe'
+ CommandLine|contains:
+ - '-DisableBehaviorMonitoring $true'
+ - '-DisableRuntimeMonitoring $true'
+ tamper_cmd_stop:
+ CommandLine|contains|all:
+ - sc
+ - stop
+ - WinDefend
+ tamper_cmd_disabled:
+ CommandLine|contains|all:
+ - sc
+ - config
+ - WinDefend
+ - 'start=disabled'
+ condition: 1 of them
+falsepositives:
+ - 'Minimal, for some older versions of dev tools, such as pycharm, developers were known to sometimes disable Windows Defender to improve performance, but this generally is not considered a good security practice.'
+level: high
diff --git a/rules/windows/process_creation/win_powershell_dll_execution.yml b/rules/windows/process_creation/win_powershell_dll_execution.yml
index 41dc3294d..4478fccdf 100644
--- a/rules/windows/process_creation/win_powershell_dll_execution.yml
+++ b/rules/windows/process_creation/win_powershell_dll_execution.yml
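Review bot: In `tamper_cmd_stop` and `tamper_cmd_disabled` the bare substrings `sc`, `stop` and `config` under `CommandLine|contains|all` add almost no selectivity — `sc` is contained in `script`, `schtasks` and many paths — so both selections effectively reduce to "command line contains `WinDefend`" plus one more token. Delimiting the tokens states the intent, e.g. `- 'sc '`, `- ' stop '`, `- ' config '`, or better, pin the tool with `Image|endswith: '\sc.exe'` in those two selections. Note also that the `Image|endswith: '\powershell.exe'` constraint in `selection` does not apply to the `tamper_cmd_*` selections under `condition: 1 of them`, so the title and description, which speak only of PowerShell, no longer describe what the rule matches.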
@@ -16,15 +16,15 @@ logsource: product: windows detection: selection1: - Image: - - '*\rundll32.exe' + Image|endswith: + - '\rundll32.exe' selection2: - Description: - - '*Windows-Hostprozess (Rundll32)*' + Description|contains: + - 'Windows-Hostprozess (Rundll32)' selection3: - CommandLine: - - '*Default.GetString*' - - '*FromBase64String*' + CommandLine|contains: + - 'Default.GetString' + - 'FromBase64String' condition: (selection1 or selection2) and selection3 falsepositives: - Unknown diff --git a/rules/windows/process_creation/win_powershell_download.yml b/rules/windows/process_creation/win_powershell_download.yml index e142a17d2..3db56ae97 100644 --- a/rules/windows/process_creation/win_powershell_download.yml +++ b/rules/windows/process_creation/win_powershell_download.yml @@ -2,7 +2,7 @@ title: PowerShell Download from URL id: 3b6ab547-8ec2-4991-b9d2-2b06702a48d7 status: experimental description: Detects a Powershell process that contains download commands in its command line string -author: Florian Roth +author: Florian Roth, oscd.community, Jonhnathan Ribeiro date: 2019/01/16 tags: - attack.t1086 # an old one @@ -13,12 +13,14 @@ logsource: product: windows detection: selection: - Image: '*\powershell.exe' - CommandLine: - - '*new-object system.net.webclient).downloadstring(*' - - '*new-object system.net.webclient).downloadfile(*' - - '*new-object net.webclient).downloadstring(*' - - '*new-object net.webclient).downloadfile(*' + Image|endswith: '\powershell.exe' + CommandLine|contains|all: + - 'new-object' + - 'net.webclient).' + - 'download' + CommandLine|contains: + - 'string(' + - 'file(' condition: selection fields: - CommandLine diff --git a/rules/windows/process_creation/win_powershell_reverse_shell_connection.yml b/rules/windows/process_creation/win_powershell_reverse_shell_connection.yml new file mode 100644 index 000000000..b044d26ee --- /dev/null +++ b/rules/windows/process_creation/win_powershell_reverse_shell_connection.yml 
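Review bot: `selection2` keys on `Description|contains: 'Windows-Hostprozess (Rundll32)'`, the German-localised file description of rundll32, so on every other Windows locale this selection never matches and the `(selection1 or selection2)` disjunction collapses to `selection1`. Either add the English description `'Windows host process (Rundll32)'` to the list or mark the dependency in the rule, e.g. `# Description is locale-specific; add the rundll32 file description for your locale`.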
@@ -0,0 +1,29 @@
+title: Powershell Reverse Shell Connection
+id: edc2f8ae-2412-4dfd-b9d5-0c57727e70be
+status: experimental
+description: Detects the Nishang Invoke-PowerShellTcpOneLine reverse shell
+author: FPT.EagleEye, wagga
+references:
+ - https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
+ - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
+date: 2021/03/03
+modified: 2021/06/27
+tags:
+ - attack.execution
+ - attack.t1086
+ - attack.t1059.005
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\powershell.exe'
+ CommandLine|contains:
+ - 'new-object system.net.sockets.tcpclient'
+ condition: selection
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Administrative might use this function for checking network connectivity
+level: high
diff --git a/rules/windows/process_creation/win_powersploit_empire_schtasks.yml b/rules/windows/process_creation/win_powersploit_empire_schtasks.yml
index 4509852b1..4f722ef26 100644
--- a/rules/windows/process_creation/win_powersploit_empire_schtasks.yml
+++ b/rules/windows/process_creation/win_powersploit_empire_schtasks.yml
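Review bot: The tag `attack.t1059.005` is the Visual Basic sub-technique; a PowerShell rule (the legacy `attack.t1086` it also carries maps to the same thing) belongs under `attack.t1059.001`. The `falsepositives` entry is ungrammatical — `- Administrators might use this class for checking network connectivity`. `CommandLine|contains` with a single value does not need a list, but that is cosmetic.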
@@ -12,15 +12,24 @@ logsource: product: windows category: process_creation detection: - selection: - ParentImage: - - '*\powershell.exe' - CommandLine: - - '*schtasks*/Create*/SC *ONLOGON*/TN *Updater*/TR *powershell*' - - '*schtasks*/Create*/SC *DAILY*/TN *Updater*/TR *powershell*' - - '*schtasks*/Create*/SC *ONIDLE*/TN *Updater*/TR *powershell*' - - '*schtasks*/Create*/SC *Updater*/TN *Updater*/TR *powershell*' - condition: selection + selection1: + ParentImage|endswith: '\powershell.exe' + Image|endswith: '\schtasks.exe' + CommandLine|contains|all: + - '/Create' + - '/SC' + selection2: + CommandLine|contains: + - 'ONLOGON' + - 'DAILY' + - 'ONIDLE' + - 'Updater' + CommandLine|contains|all: + - '/TN' + - 'Updater' + - '/TR' + - 'powershell' + condition: selection1 and selection2 tags: - attack.execution - attack.persistence diff --git a/rules/windows/process_creation/win_proc_wrong_parent.yml b/rules/windows/process_creation/win_proc_wrong_parent.yml index ed200d806..f58e6cea4 100644 --- a/rules/windows/process_creation/win_proc_wrong_parent.yml +++ b/rules/windows/process_creation/win_proc_wrong_parent.yml @@ -9,7 +9,7 @@ references: - https://www.13cubed.com/downloads/windows_process_genealogy_v2.pdf - https://attack.mitre.org/techniques/T1036/ date: 2019/02/23 -modified: 2020/09/06 +modified: 2020/11/28 tags: - attack.defense_evasion - attack.t1036 # an old one 
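Review bot: In the new `selection2` the `CommandLine|contains` list (`ONLOGON`, `DAILY`, `ONIDLE`, `Updater`) is implied by the `CommandLine|contains|all` list in the same selection, which already requires `Updater`; every event that satisfies the second satisfies the first, so the schedule-type list contributes nothing and the rule is broader than the removed wildcard patterns, which bound the schedule value to `/SC`. If the schedule types are meant to narrow the match, remove `'Updater'` from the `contains` list so the constraint is real; otherwise drop the list and say so in a comment. `selection1` and `selection2` could also be merged, since the condition is a plain conjunction.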
@@ -20,25 +20,29 @@ logsource: product: windows detection: selection: - Image: - - '*\svchost.exe' - - '*\taskhost.exe' - - '*\lsm.exe' - - '*\lsass.exe' - - '*\services.exe' - - '*\lsaiso.exe' - - '*\csrss.exe' - - '*\wininit.exe' - - '*\winlogon.exe' - filter: - ParentImage: - - '*\System32\\*' - - '*\SysWOW64\\*' - - '*\SavService.exe' - - '*\Windows Defender\\*\MsMpEng.exe' + Image|endswith: + - '\svchost.exe' + - '\taskhost.exe' + - '\lsm.exe' + - '\lsass.exe' + - '\services.exe' + - '\lsaiso.exe' + - '\csrss.exe' + - '\wininit.exe' + - '\winlogon.exe' + filter1: + - ParentImage|endswith: '\SavService.exe' + - ParentImage|contains: + - '\System32\' + - '\SysWOW64\' + filter2: + ParentImage|contains: + - '\Windows Defender\' + - '\Microsoft Security Client\' + ParentImage|endswith: '\MsMpEng.exe' filter_null: ParentImage: null - condition: selection and not filter and not filter_null + condition: selection and not filter1 and not filter2 and not filter_null falsepositives: - Some security products seem to spawn these level: low diff --git a/rules/windows/process_creation/win_process_creation_bitsadmin_download.yml b/rules/windows/process_creation/win_process_creation_bitsadmin_download.yml index 96051f6f0..4cbadca4c 100644 --- a/rules/windows/process_creation/win_process_creation_bitsadmin_download.yml +++ b/rules/windows/process_creation/win_process_creation_bitsadmin_download.yml @@ -19,13 +19,13 @@ logsource: product: windows detection: selection1: - Image: - - '*\bitsadmin.exe' - CommandLine: - - '* /transfer *' + Image|endswith: + - '\bitsadmin.exe' + CommandLine|contains: + - ' /transfer ' selection2: - CommandLine: - - '*copy bitsadmin.exe*' + CommandLine|contains: + - 'copy bitsadmin.exe' condition: selection1 or selection2 fields: - CommandLine diff --git a/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml b/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml index 7e1eb8cb6..d75fdc85a 100644 
--- a/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml +++ b/rules/windows/process_creation/win_process_dump_rundll32_comsvcs.yml @@ -4,9 +4,10 @@ description: Detects a process memory dump performed via ordinal function 24 in status: experimental references: - https://twitter.com/shantanukhande/status/1229348874298388484 + - https://twitter.com/pythonresponder/status/1385064506049630211?s=21 author: Florian Roth date: 2020/02/18 -modified: 2020/09/06 +modified: 2021/04/23 tags: - attack.defense_evasion - attack.t1036 @@ -22,6 +23,7 @@ detection: CommandLine|contains: - 'comsvcs.dll,#24' - 'comsvcs.dll,MiniDump' + - 'comsvcs.dll MiniDump' condition: selection falsepositives: - Unlikely, because no one should dump the process memory in that way diff --git a/rules/windows/process_creation/win_purplesharp_indicators.yml b/rules/windows/process_creation/win_purplesharp_indicators.yml new file mode 100644 index 000000000..503b7a656 --- /dev/null +++ b/rules/windows/process_creation/win_purplesharp_indicators.yml @@ -0,0 +1,23 @@ +title: PurpleSharp Indicator +id: ff23ffbc-3378-435e-992f-0624dcf93ab4 +status: experimental +description: Detect +author: Florian Roth +date: 2021/06/18 +references: + - https://github.com/mvelazc0/PurpleSharp +logsource: + category: process_creation + product: windows +detection: + selection1: + CommandLine|contains: + - xyz123456.exe + - PurpleSharp + selection2: + OriginalFilename: + - 'PurpleSharp.exe' + condition: selection1 or selection2 +falsepositives: + - Unlikely +level: critical diff --git a/rules/windows/process_creation/win_rasautou_dll_execution.yml b/rules/windows/process_creation/win_rasautou_dll_execution.yml new file mode 100644 index 000000000..fef616b20 --- /dev/null +++ b/rules/windows/process_creation/win_rasautou_dll_execution.yml 
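Review bot: In `win_purplesharp_indicators.yml`, `description: Detect` is an unfinished sentence; propose `description: Detects command lines or original file names associated with the PurpleSharp adversary simulation tool`. In `selection1` the list mixes an unquoted `xyz123456.exe` with quoted values elsewhere in the file; quoting both keeps the style consistent with the other rules in this commit. A comment on where `xyz123456.exe` comes from (presumably a default in the referenced project) would help future maintenance.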
@@ -0,0 +1,30 @@
+title: DLL Execution via Rasautou.exe
+id: cd3d1298-eb3b-476c-ac67-12847de55813
+description: Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p.
+status: experimental
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/Rasautou/
+ - https://github.com/fireeye/DueDLLigence
+ - https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html
+author: Julia Fomina, oscd.community
+date: 2020/10/09
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+logsource:
+ product: windows
+ category: process_creation
+ definition: Since options '-d' and '-p' were removed in Windows 10 this rule is relevant only for Windows before 10. And as Windows 7 doesn't log command line in 4688 by default, to detect this attack you need Sysmon 1 configured or KB3004375 installed for command-line auditing (https://support.microsoft.com/en-au/help/3004375/microsoft-security-advisory-update-to-improve-windows-command-line-aud)
+detection:
+ use_rasautou:
+ Image|endswith: '\rasautou.exe'
+ remaned_rasautou:
+ OriginalFileName: 'rasdlui.exe'
+ special_keys:
+ CommandLine|contains|all:
+ - '-d'
+ - '-p'
+ condition: (use_rasautou or remaned_rasautou) and special_keys
+level: medium
+falsepositives:
+ - Unlikely
diff --git a/rules/windows/process_creation/win_reg_add_run_key.yml b/rules/windows/process_creation/win_reg_add_run_key.yml
new file mode 100644
index 000000000..0cd6b8545
--- /dev/null
+++ b/rules/windows/process_creation/win_reg_add_run_key.yml
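Review bot: `special_keys` matches the bare substrings `-d` and `-p` anywhere in the command line, so a path or argument that merely contains them satisfies the selection; the description speaks of the `-d` and `-p` options, so match the option tokens with their delimiters, `- ' -d '` and `- ' -p '`. The selection name `remaned_rasautou` is misspelled; rename it to `renamed_rasautou` in both the selection and the `condition`. The `definition` text mixes a logging prerequisite with a Windows-version caveat; the version caveat reads better in `description`.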
@@ -0,0 +1,22 @@
+title: Reg Add RUN Key
+id: de587dce-915e-4218-aac4-835ca6af6f70
+description: Detects suspicious command line reg.exe tool adding key to RUN key in Registry
+status: experimental
+date: 2021/06/28
+author: Florian Roth
+references:
+ - https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/
+ - https://docs.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - 'reg'
+ - ' ADD '
+ - 'Software\Microsoft\Windows\CurrentVersion\Run'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/process_creation/win_regedit_export_critical_keys.yml b/rules/windows/process_creation/win_regedit_export_critical_keys.yml
new file mode 100644
index 000000000..472265a7c
--- /dev/null
+++ b/rules/windows/process_creation/win_regedit_export_critical_keys.yml
@@ -0,0 +1,35 @@
+title: Exports Critical Registry Keys To a File
+id: 82880171-b475-4201-b811-e9c826cd5eaa
+status: experimental
+description: Detects the export of a crital Registry key to a file.
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regedit.yml
+ - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+tags:
+ - attack.exfiltration
+ - attack.t1012
+author: Oddvar Moe, Sander Wiebing, oscd.community
+date: 2020/10/12
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\regedit.exe'
+ CommandLine|contains: ' /E '
+ selection_2:
+ CommandLine|contains:
+ - 'hklm'
+ - 'hkey_local_machine'
+ selection_3:
+ CommandLine|endswith:
+ - '\system'
+ - '\sam'
+ - '\security'
+ condition: selection and selection_2 and selection_3
+fields:
+ - ParentImage
+ - CommandLine
+falsepositives:
+ - Dumping hives for legitimate purpouse i.e. backup or forensic investigation
+level: high
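Review bot: In `win_reg_add_run_key.yml` the token `'reg'` under `CommandLine|contains|all` is satisfied by almost any command line (`regsvr32`, `regedit`, path fragments), so the selection really keys on `' ADD '` plus the Run path alone. If the intent is the reg.exe tool, pin it with `Image|endswith: '\reg.exe'` (or `OriginalFileName: 'reg.exe'`) rather than a substring. The fragment `Software\Microsoft\Windows\CurrentVersion\Run` also matches the `RunOnce` and `RunServices` keys; if that is intended, a short comment saying so would prevent a later "fix".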
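Review bot: In `win_regedit_export_critical_keys.yml`, `selection_3` uses `CommandLine|endswith` on `\system`, `\sam` and `\security`, which fails when the key argument is quoted (the line then ends with `"`) or followed by trailing whitespace, even though `selection_2` already anchors the hive. `CommandLine|contains` with the same three fragments would be more robust at the cost of a little precision; whichever is chosen, document it in a comment. Two typos in prose: `crital` → `critical` in `description`, `purpouse` → `purpose` in `falsepositives`.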
diff --git a/rules/windows/process_creation/win_regedit_export_keys.yml b/rules/windows/process_creation/win_regedit_export_keys.yml
new file mode 100644
index 000000000..e3454faf4
--- /dev/null
+++ b/rules/windows/process_creation/win_regedit_export_keys.yml
@@ -0,0 +1,35 @@
+title: Exports Registry Key To a File
+id: f0e53e89-8d22-46ea-9db5-9d4796ee2f8a
+status: experimental
+description: Detects the export of the target Registry key to a file.
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regedit.yml
+ - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+tags:
+ - attack.exfiltration
+ - attack.t1012
+author: Oddvar Moe, Sander Wiebing, oscd.community
+date: 2020/10/07
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\regedit.exe'
+ CommandLine|contains: ' /E '
+ filter_1: # filters to avoid intersection with critical keys rule
+ CommandLine|contains:
+ - 'hklm'
+ - 'hkey_local_machine'
+ filter_2:
+ CommandLine|endswith:
+ - '\system'
+ - '\sam'
+ - '\security'
+ condition: selection and not (filter_1 and filter_2)
+fields:
+ - ParentImage
+ - CommandLine
+falsepositives:
+ - Legitimate export of keys
+level: low
diff --git a/rules/windows/process_creation/win_regedit_import_keys.yml b/rules/windows/process_creation/win_regedit_import_keys.yml
new file mode 100644
index 000000000..176da7f72
--- /dev/null
+++ b/rules/windows/process_creation/win_regedit_import_keys.yml
@@ -0,0 +1,35 @@
+title: Imports Registry Key From a File
+id: 73bba97f-a82d-42ce-b315-9182e76c57b1
+status: experimental
+description: Detects the import of the specified file to the registry with regedit.exe.
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regedit.yml
+ - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+tags:
+ - attack.t1112
+ - attack.defense_evasion
+author: Oddvar Moe, Sander Wiebing, oscd.community
+date: 2020/10/07
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\regedit.exe'
+ CommandLine|contains:
+ - ' /i '
+ - '.reg'
+ filter:
+ CommandLine|contains:
+ - ' /e '
+ - ' /a '
+ - ' /c '
+ filter_2:
+ CommandLine|re: ':[^ \\]' # to avoid intersection with ADS rule
+ condition: selection and not filter and not filter_2
+fields:
+ - ParentImage
+ - CommandLine
+falsepositives:
+ - Legitimate import of keys
+level: medium
diff --git a/rules/windows/process_creation/win_regedit_import_keys_ads.yml b/rules/windows/process_creation/win_regedit_import_keys_ads.yml
new file mode 100644
index 000000000..2d347763a
--- /dev/null
+++ b/rules/windows/process_creation/win_regedit_import_keys_ads.yml
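Review bot: `filter_2` depends on the `re` modifier (`CommandLine|re: ':[^ \\]'`), which not every Sigma backend supports, so on those backends the rule either fails to convert or converts without the ADS exclusion and then overlaps the companion ADS rule it is meant to avoid; the same regex is used in `win_regedit_import_keys_ads.yml`, `win_regini.yml` and `win_regini_ads.yml` in the following hunks. Stating the requirement in the rule, e.g. `# requires a backend with regex support` next to the `re` line, or listing it in `logsource.definition`, would save users a surprise. The single-quoted `'\\'` is two literal backslashes in YAML, so the class is "not space, not backslash" — a comment spelling that out would help, since readers may assume YAML escaping.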
@@ -0,0 +1,35 @@
+title: Imports Registry Key From an ADS
+id: 0b80ade5-6997-4b1d-99a1-71701778ea61
+status: experimental
+description: Detects the import of a alternate datastream to the registry with regedit.exe.
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regedit.yml
+ - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+tags:
+ - attack.t1112
+ - attack.defense_evasion
+author: Oddvar Moe, Sander Wiebing, oscd.community
+date: 2020/10/12
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\regedit.exe'
+ CommandLine|contains:
+ - ' /i '
+ - '.reg'
+ selection_2:
+ CommandLine|re: ':[^ \\]'
+ filter:
+ CommandLine|contains:
+ - ' /e '
+ - ' /a '
+ - ' /c '
+ condition: selection and selection_2 and not filter
+fields:
+ - ParentImage
+ - CommandLine
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/win_regini.yml b/rules/windows/process_creation/win_regini.yml
new file mode 100644
index 000000000..3f1a340c1
--- /dev/null
+++ b/rules/windows/process_creation/win_regini.yml
@@ -0,0 +1,29 @@
+title: Modifies the Registry From a File
+id: 5f60740a-f57b-4e76-82a1-15b6ff2cb134
+status: experimental
+description: Detects the execution of regini.exe which can be used to modify registry keys, the changes are imported from one or more text files.
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regini.yml
+ - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+ - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini
+tags:
+ - attack.t1112
+ - attack.defense_evasion
+author: Eli Salem, Sander Wiebing, oscd.community
+date: 2020/10/08
+modified: 2021/05/24
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\regini.exe'
+ filter:
+ CommandLine|re: ':[^ \\]' # to avoid intersection with ADS rule
+ condition: selection and not filter
+fields:
+ - ParentImage
+ - CommandLine
+falsepositives:
+ - Legitimate modification of keys
+level: low
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_regini_ads.yml b/rules/windows/process_creation/win_regini_ads.yml
new file mode 100644
index 000000000..9844421cd
--- /dev/null
+++ b/rules/windows/process_creation/win_regini_ads.yml
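Review bot: `win_regini.yml` is added without a terminating newline (`\ No newline at end of file`), and the same applies to `win_regini_ads.yml` in the next hunk. Add the final newline so both files match the rest of the rule set and do not produce spurious diffs on the next edit.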
@@ -0,0 +1,28 @@
+title: Modifies the Registry From a ADS
+id: 77946e79-97f1-45a2-84b4-f37b5c0d8682
+status: experimental
+description: Detects the import of an alternate data stream with regini.exe, regini.exe can be used to modify registry keys.
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regini.yml
+ - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
+ - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regini
+tags:
+ - attack.t1112
+ - attack.defense_evasion
+author: Eli Salem, Sander Wiebing, oscd.community
+date: 2020/10/12
+modified: 2021/05/24
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\regini.exe'
+ CommandLine|re: ':[^ \\]'
+ condition: selection
+fields:
+ - ParentImage
+ - CommandLine
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_remote_powershell_session_process.yml b/rules/windows/process_creation/win_remote_powershell_session_process.yml
index 7490d9b6d..00a033cb0 100644
--- a/rules/windows/process_creation/win_remote_powershell_session_process.yml
+++ b/rules/windows/process_creation/win_remote_powershell_session_process.yml
@@ -1,12 +1,12 @@ -title: Remote PowerShell Session +title: Remote PowerShell Session Host Process (WinRM) id: 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8 -description: Detects remote PowerShell sections by monitoring for wsmprovhost as a parent or child process (sign of an active ps remote session) +description: Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active ps remote session) status: experimental date: 2019/09/12 -modified: 2019/11/10 +modified: 2021/05/21 author: Roberto Rodriguez @Cyb3rWard0g references: - - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md + - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html tags: - attack.execution - attack.t1086 # an old one diff --git a/rules/windows/process_creation/win_remote_time_discovery.yml b/rules/windows/process_creation/win_remote_time_discovery.yml index 95f2d54e0..a679a6829 100644 --- a/rules/windows/process_creation/win_remote_time_discovery.yml +++ b/rules/windows/process_creation/win_remote_time_discovery.yml @@ -2,7 +2,7 @@ title: Discovery of a System Time id: b243b280-65fe-48df-ba07-6ddea7646427 description: "Identifies use of various commands to query a systems time. This technique may be used before executing a scheduled task or to discover the time zone of a target system." status: experimental -author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community +author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community date: 2019/10/24 modified: 2019/11/11 references: diff --git a/rules/windows/process_creation/win_renamed_binary_highly_relevant.yml b/rules/windows/process_creation/win_renamed_binary_highly_relevant.yml index 9e4d26755..ec8c67dc1 100644 --- a/rules/windows/process_creation/win_renamed_binary_highly_relevant.yml 
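Review bot: The rewritten `description` line still says `remote PowerShell sections`; the word should be `sessions`, i.e. `description: Detects remote PowerShell sessions by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PS remote session)`. Since the line is already being touched in this hunk, fixing the typo here avoids another metadata-only commit.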
+++ b/rules/windows/process_creation/win_renamed_binary_highly_relevant.yml @@ -33,20 +33,20 @@ detection: - "cmstp.exe" - "msiexec.exe" filter: - Image: - - '*\powershell.exe' - - '*\powershell_ise.exe' - - '*\psexec.exe' - - '*\psexec64.exe' - - '*\cscript.exe' - - '*\wscript.exe' - - '*\mshta.exe' - - '*\regsvr32.exe' - - '*\wmic.exe' - - '*\certutil.exe' - - '*\rundll32.exe' - - '*\cmstp.exe' - - '*\msiexec.exe' + Image|endswith: + - '\powershell.exe' + - '\powershell_ise.exe' + - '\psexec.exe' + - '\psexec64.exe' + - '\cscript.exe' + - '\wscript.exe' + - '\mshta.exe' + - '\regsvr32.exe' + - '\wmic.exe' + - '\certutil.exe' + - '\rundll32.exe' + - '\cmstp.exe' + - '\msiexec.exe' condition: selection and not filter falsepositives: - Custom applications use renamed binaries adding slight change to binary name. Typically this is easy to spot and add to whitelist diff --git a/rules/windows/process_creation/win_renamed_megasync.yml b/rules/windows/process_creation/win_renamed_megasync.yml new file mode 100644 index 000000000..71cf3eae2 --- /dev/null +++ b/rules/windows/process_creation/win_renamed_megasync.yml 
@@ -0,0 +1,27 @@ +title: Renamed MegaSync +id: 643bdcac-8b82-49f4-9fd9-25a90b929f3b +status: experimental +description: Detects the execution of a renamed meg.exe of MegaSync during incident response engagements associated with ransomware families like Nefilim, Sodinokibi, Pysa, and Conti. +references: + - https://redcanary.com/blog/rclone-mega-extortion/ +author: Sittikorn S +date: 2021/06/22 +tags: + - attack.defense_evasion + - attack.t1218 +logsource: + product: windows + category: process_creation +detection: + selection_proc: + ParentImage|endswith: '\explorer.exe' + CommandLine|contains: 'C:\Windows\Temp\meg.exe' + selection_orig: + OriginalFileName: 'meg.exe' + filter: + Image|endswith: '\meg.exe' + condition: selection_proc or ( selection_orig and not filter ) +falsepositives: + - Software that illegaly integrates MegaSync in a renamed form + - Administrators that have renamed MegaSync +level: high diff --git a/rules/windows/process_creation/win_renamed_paexec.yml b/rules/windows/process_creation/win_renamed_paexec.yml index 04c1cbb3a..b062debd0 100644 --- a/rules/windows/process_creation/win_renamed_paexec.yml +++ b/rules/windows/process_creation/win_renamed_paexec.yml @@ -22,8 +22,8 @@ logsource: product: windows detection: selection1: - Product: - - '*PAExec*' + Product|contains: + - 'PAExec' selection2: Imphash: - 11D40A7B7876288F919AB819CC2D9802 @@ -31,5 +31,5 @@ detection: - dfd6aa3f7b2b1035b76b718f1ddc689f - 1a6cca4d5460b1710a12dea39e4a592c filter1: - Image: '*paexec*' + Image|contains: 'paexec' condition: (selection1 and selection2) and not filter1 diff --git a/rules/windows/process_creation/win_renamed_powershell.yml b/rules/windows/process_creation/win_renamed_powershell.yml index 0b42596ed..84ff273fd 100644 --- a/rules/windows/process_creation/win_renamed_powershell.yml +++ b/rules/windows/process_creation/win_renamed_powershell.yml 
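Review bot: The tag `attack.t1218` (System Binary Proxy Execution) does not describe the behaviour this rule looks for; a renamed third-party binary is Masquerading, `attack.t1036` (or `attack.t1036.003` if the rename is treated specifically). `selection_proc` hard-codes `CommandLine|contains: 'C:\Windows\Temp\meg.exe'`, which encodes one observed drop location from the referenced report and will not match any other path; a comment naming that source, e.g. `# path as observed in the Red Canary report in references`, makes the narrowness deliberate rather than accidental. `illegaly` → `illegally` in `falsepositives`.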
@@ -20,9 +20,9 @@ detection: Description: 'Windows PowerShell' Company: 'Microsoft Corporation' filter: - Image: - - '*\powershell.exe' - - '*\powershell_ise.exe' + Image|endswith: + - '\powershell.exe' + - '\powershell_ise.exe' condition: selection and not filter falsepositives: - Unknown diff --git a/rules/windows/process_creation/win_renamed_procdump.yml b/rules/windows/process_creation/win_renamed_procdump.yml index fbcb1d6e5..8b9bad991 100644 --- a/rules/windows/process_creation/win_renamed_procdump.yml +++ b/rules/windows/process_creation/win_renamed_procdump.yml @@ -6,7 +6,7 @@ references: - https://docs.microsoft.com/en-us/sysinternals/downloads/procdump author: Florian Roth date: 2019/11/18 -modified: 2020/09/06 +modified: 2021/04/29 tags: - attack.defense_evasion - attack.t1036 # an old one @@ -15,13 +15,21 @@ logsource: product: windows category: process_creation detection: - selection: + selection1: OriginalFileName: 'procdump' - filter: - Image: - - '*\procdump.exe' - - '*\procdump64.exe' - condition: selection and not filter + filter1: + Image|endswith: + - '\procdump.exe' + - '\procdump64.exe' + selection2: + CommandLine|contains|all: + - ' -ma ' + - ' -accepteula ' + filter2: + CommandLine|contains: + - '\procdump.exe' + - '\procdump64.exe' + condition: ( selection1 and not filter1 ) or ( selection2 and not filter2 ) falsepositives: - Procdump illegaly bundled with legitimate software - Weird admins who renamed binaries diff --git a/rules/windows/process_creation/win_renamed_psexec.yml b/rules/windows/process_creation/win_renamed_psexec.yml index 4a1ab2244..d599d6e0e 100644 --- a/rules/windows/process_creation/win_renamed_psexec.yml +++ b/rules/windows/process_creation/win_renamed_psexec.yml 
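Review bot: In the `win_renamed_procdump.yml` hunk the new `selection2`/`filter2` pair alerts on a correctly named procdump launched without a path (e.g. `procdump -ma -accepteula <pid>`), because `filter2` only excludes command lines containing `\procdump.exe` or `\procdump64.exe`; for a rule titled "renamed" that is a false positive worth handling. Extend `filter2` with `CommandLine|startswith` on `procdump` / `procdump64` (or `"procdump`), or fall back on `Image|endswith` as `filter1` does. Separately, `' -accepteula '` with a trailing space does not match when the switch is the last token on the line; `' -accepteula'` is the safer form.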
@@ -20,9 +20,9 @@ detection: Description: 'Execute processes remotely' Product: 'Sysinternals PsExec' filter: - Image: - - '*\PsExec.exe' - - '*\PsExec64.exe' + Image|endswith: + - '\PsExec.exe' + - '\PsExec64.exe' condition: selection and not filter falsepositives: - Software that illegaly integrates PsExec in a renamed form diff --git a/rules/windows/process_creation/win_run_powershell_script_from_input_stream.yml b/rules/windows/process_creation/win_run_powershell_script_from_input_stream.yml new file mode 100644 index 000000000..e8bda9dfc --- /dev/null +++ b/rules/windows/process_creation/win_run_powershell_script_from_input_stream.yml @@ -0,0 +1,25 @@ +title: Run PowerShell Script from Redirected Input Stream +id: c83bf4b5-cdf0-437c-90fa-43d734f7c476 +status: experimental +description: Detects PowerShell script execution via input stream redirect +references: + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OSBinaries/Powershell.yml + - https://twitter.com/Moriarty_Meng/status/984380793383370752 +author: Moriarty Meng (idea), Anton Kutepov (rule), oscd.community +date: 2020/10/17 +tags: + - attack.defense_evasion + - attack.execution + - attack.t1059 +logsource: + category: process_creation + product: windows +detection: + powershell_started: + Image|endswith: '\powershell.exe' + redirect_to_input_stream: + CommandLine|re: '\s-\s*<' + condition: powershell_started and redirect_to_input_stream +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/win_run_virtualbox.yml b/rules/windows/process_creation/win_run_virtualbox.yml new file mode 100644 index 000000000..20c4e94b9 --- /dev/null +++ b/rules/windows/process_creation/win_run_virtualbox.yml 
@@ -0,0 +1,37 @@
+title: Detect Virtualbox Driver Installation OR Starting Of VMs
+id: bab049ca-7471-4828-9024-38279a4c04da
+status: experimental
+description: Adversaries can carry out malicious operations using a virtual instance to avoid detection. This rule is built to detect the registration of the Virtualbox driver or start of a Virtualbox VM.
+references:
+ - https://attack.mitre.org/techniques/T1564/006/
+ - https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/
+ - https://threatpost.com/maze-ransomware-ragnar-locker-virtual-machine/159350/
+author: Janantha Marasinghe
+date: 2020/09/26
+modified: 2021/06/27
+tags:
+ - attack.defense_evasion
+ - attack.t1564.006
+ - attack.t1564
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_1:
+ CommandLine|contains:
+ - 'VBoxRT.dll,RTR3Init'
+ - 'VBoxC.dll'
+ - 'VBoxDrv.sys'
+ selection_2:
+ CommandLine|contains:
+ - 'startvm'
+ - 'controlvm'
+ condition: selection_1 or selection_2
+fields:
+ - ComputerName
+ - User
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - This may have false positives on hosts where Virtualbox is legitimately being used for operations
+level: low
diff --git a/rules/windows/process_creation/win_rundll32_without_parameters.yml b/rules/windows/process_creation/win_rundll32_without_parameters.yml
new file mode 100644
index 000000000..e7802ec96
--- /dev/null
+++ b/rules/windows/process_creation/win_rundll32_without_parameters.yml
@@ -0,0 +1,30 @@
+title: Rundll32 Without Parameters
+id: 5bb68627-3198-40ca-b458-49f973db8752
+status: experimental
+description: Detects rundll32 execution without parameters as observed when running Metasploit windows/smb/psexec exploit module
+author: Bartlomiej Czyz, Relativity
+date: 2021/01/31
+references:
+ - https://bczyz1.github.io/2021/01/30/psexec.html
+tags:
+ - attack.lateral_movement
+ - attack.t1021.002
+ - attack.t1570
+ - attack.execution
+ - attack.t1569.002
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine: 'rundll32.exe'
+ condition: selection
+fields:
+ - ComputerName
+ - SubjectUserName
+ - CommandLine
+ - Image
+ - ParentImage
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/win_script_event_consumer_spawn.yml b/rules/windows/process_creation/win_script_event_consumer_spawn.yml
new file mode 100644
index 000000000..7c525990e
--- /dev/null
+++ b/rules/windows/process_creation/win_script_event_consumer_spawn.yml
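Review bot: `CommandLine: 'rundll32.exe'` is an exact match, so only a bare invocation with neither path nor arguments matches, and nothing in the rule says that this is deliberate; a comment such as `# exact match intended: the psexec module launches a bare "rundll32.exe" with no arguments (see reference)` would stop a later "fix" to a contains match. If wider coverage is wanted, `Image|endswith: '\rundll32.exe'` combined with `CommandLine|endswith: 'rundll32.exe'` also catches the fully-pathed, argument-less form while still excluding normal launches that carry a DLL argument. `falsepositives: - Unknown` is thin for a `level: high` rule on such a common binary; noting that legitimate rundll32 launches almost always carry a DLL argument would justify the level.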
@@ -0,0 +1,38 @@ +title: Script Event Consumer Spawning Processs +id: f6d1dd2f-b8ce-40ca-bc23-062efb686b34 +status: experimental +description: Detects a suspicious child process of Script Event Consumer (scrcons.exe). +references: + - https://redcanary.com/blog/child-processes/ + - https://docs.paloaltonetworks.com/cortex/cortex-xdr/cortex-xdr-analytics-alert-reference/cortex-xdr-analytics-alert-reference/scrcons-exe-rare-child-process.html +author: Sittikorn S +date: 2021/06/21 +tags: + - attack.execution + - attack.t1047 +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage|endswith: + - '\scrcons.exe' + Image|endswith: + - '\svchost.exe' + - '\dllhost.exe' + - '\powershell.exe' + - '\wscript.exe' + - '\cscript.exe' + - '\schtasks.exe' + - '\regsvr32.exe' + - '\mshta.exe' + - '\rundll32.exe' + - '\msiexec.exe' + - '\msbuild.exe' + condition: selection +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - unknown +level: high diff --git a/rules/windows/process_creation/win_sdbinst_shim_persistence.yml b/rules/windows/process_creation/win_sdbinst_shim_persistence.yml index 3abe5ff23..66b939845 100644 --- a/rules/windows/process_creation/win_sdbinst_shim_persistence.yml +++ b/rules/windows/process_creation/win_sdbinst_shim_persistence.yml @@ -11,17 +11,20 @@ tags: - attack.t1138 # an old one author: Markus Neis date: 2019/01/16 -modified: 2020/09/06 +modified: 2021/04/01 logsource: category: process_creation product: windows detection: selection: - Image: - - '*\sdbinst.exe' - CommandLine: - - '*.sdb*' - condition: selection + Image|endswith: + - '\sdbinst.exe' + CommandLine|contains: + - '.sdb' + filter: + - CommandLine|contains: + - 'iisexpressshim.sdb' # normal behaviour for IIS Express (e.g. https://www.hybrid-analysis.com/sample/15d4ff941f77f7bdfc9dfb2399b7b952a0a2c860976ef3e835998ff4796e5e91?environmentId=120) + condition: selection and not filter falsepositives: - Unknown level: high 
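Review bot: scrcons.exe is the host process for WMI ActiveScriptEventConsumer scripts, so the tags should include `attack.t1546.003` (WMI Event Subscription) and `attack.persistence` next to `attack.t1047`/`attack.execution`, which is what the `ParentImage|endswith: '\scrcons.exe'` constraint really detects. The child list contains `'\svchost.exe'`, which is normally started by services.exe; a short comment on why it is expected as a child here would help, since it looks like an accidental inclusion. `falsepositives: - unknown` could name management tooling that legitimately registers script event consumers, the usual source of noise for this parent.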
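Review bot: the new `filter` exempts any command line containing `iisexpressshim.sdb`, so the file name substring alone decides the exemption regardless of where the database lives. If the legitimate database sits under the IIS Express program folder, tying the filter to that path as well, e.g. `CommandLine|contains|all: - 'iisexpressshim.sdb' - '\IIS Express\'`, keeps the false-positive fix while making the exemption depend on more than a file name. The `# normal behaviour for IIS Express` comment with its sample link is good; the same comment could state that the path is part of the filter once it is.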
diff --git a/rules/windows/process_creation/win_shadow_copies_deletion.yml b/rules/windows/process_creation/win_shadow_copies_deletion.yml index 43bdfd90c..45e71b95f 100644 --- a/rules/windows/process_creation/win_shadow_copies_deletion.yml +++ b/rules/windows/process_creation/win_shadow_copies_deletion.yml @@ -2,14 +2,17 @@ title: Shadow Copies Deletion Using Operating Systems Utilities id: c947b146-0abc-4c87-9c64-b17e9d7274a2 status: stable description: Shadow Copies deletion using operating systems utilities -author: Florian Roth, Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community +author: Florian Roth, Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades) date: 2019/10/22 +modified: 2021/06/02 references: - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment - https://blog.talosintelligence.com/2017/05/wannacry.html - https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/ - https://www.bleepingcomputer.com/news/security/why-everyone-should-disable-vssadmin-exe-now/ - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100 + - https://github.com/Neo23x0/Raccine#the-process + - https://github.com/Neo23x0/Raccine/blob/main/yara/gen_ransomware_command_lines.yar tags: - attack.defense_evasion - attack.impact 
@@ -19,15 +22,23 @@ logsource: category: process_creation product: windows detection: - selection: + selection1: Image|endswith: - '\powershell.exe' - '\wmic.exe' - '\vssadmin.exe' + - '\diskshadow.exe' CommandLine|contains|all: - - shadow # will mach "delete shadows" and "shadowcopy delete" + - shadow # will match "delete shadows" and "shadowcopy delete" and "shadowstorage" - delete - condition: selection + selection2: + Image|endswith: + - '\wbadmin.exe' + CommandLine|contains|all: + - delete + - catalog + - quiet # will match -quiet or /quiet + condition: 1 of selection* fields: - CommandLine - ParentCommandLine diff --git a/rules/windows/process_creation/win_shell_spawn_mshta.yml b/rules/windows/process_creation/win_shell_spawn_mshta.yml new file mode 100644 index 000000000..d77e607c1 --- /dev/null +++ b/rules/windows/process_creation/win_shell_spawn_mshta.yml @@ -0,0 +1,33 @@ +title: Mshta Spawning Windows Shell +id: 772bb24c-8df2-4be0-9157-ae4dfa794037 +status: experimental +description: Detects a suspicious child process of a mshta.exe process +references: + - https://app.any.run/tasks/f0fac90f-84ac-4faa-b5b2-f4353c388969/# + - https://app.any.run/tasks/9c0f37bc-867a-4314-b685-e101566766d7/ +author: Florian Roth +date: 2021/06/28 +tags: + - attack.execution + - attack.defense_evasion + - attack.t1064 # an old one + - attack.t1059.005 + - attack.t1059.001 + - attack.t1218 +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage|endswith: '\mshta.exe' + Image|endswith: + - '\powershell.exe' + - '\cmd.exe' + - '\WScript.exe' + condition: selection +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/win_shell_spawn_susp_program.yml b/rules/windows/process_creation/win_shell_spawn_susp_program.yml index 326513aee..0463c67c6 100644 --- a/rules/windows/process_creation/win_shell_spawn_susp_program.yml 
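Review bot: `'\diskshadow.exe'` was added to selection1, but diskshadow normally reads its commands from a script file (`/s`) or interactively, so the `shadow` and `delete` substrings required by `CommandLine|contains|all` will rarely appear on its own command line and the new entry likely never fires. If the Raccine reference is the source, a separate selection on `Image|endswith: '\diskshadow.exe'` with the invocation form it documents, plus a comment, would make the intent explicit and testable. selection2 requires `quiet`, so an interactive `wbadmin delete catalog` confirmed at the prompt is not covered; if that is accepted, say so in the comment on that line rather than only "will match -quiet or /quiet".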
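Review bot: the tag list carries the generic `attack.t1218` while Mshta has its own sub-technique, `attack.t1218.005`, which is what `ParentImage|endswith: '\mshta.exe'` detects. The child list stops at powershell, cmd and WScript; `'\cscript.exe'` is the script host that win_script_event_consumer_spawn.yml in this same commit pairs with wscript, so its absence here looks like an oversight rather than a choice. `falsepositives: - Unknown` could name HTA-based installers that spawn cmd.exe or powershell.exe, which is the common benign case for this parent.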
+++ b/rules/windows/process_creation/win_shell_spawn_susp_program.yml @@ -19,22 +19,22 @@ logsource: product: windows detection: selection: - ParentImage: - - '*\mshta.exe' - - '*\powershell.exe' + ParentImage|endswith: + - '\mshta.exe' + - '\powershell.exe' # - '*\cmd.exe' # too many false positives - - '*\rundll32.exe' - - '*\cscript.exe' - - '*\wscript.exe' - - '*\wmiprvse.exe' - Image: - - '*\schtasks.exe' - - '*\nslookup.exe' - - '*\certutil.exe' - - '*\bitsadmin.exe' - - '*\mshta.exe' + - '\rundll32.exe' + - '\cscript.exe' + - '\wscript.exe' + - '\wmiprvse.exe' + Image|endswith: + - '\schtasks.exe' + - '\nslookup.exe' + - '\certutil.exe' + - '\bitsadmin.exe' + - '\mshta.exe' falsepositives: - CurrentDirectory: '*\ccmcache\\*' + CurrentDirectory|contains: '\ccmcache\' condition: selection and not falsepositives fields: - CommandLine diff --git a/rules/windows/process_creation/win_silenttrinity_stage_use.yml b/rules/windows/process_creation/win_silenttrinity_stage_use.yml index 41e4e6cc1..66fa5a3f6 100644 --- a/rules/windows/process_creation/win_silenttrinity_stage_use.yml +++ b/rules/windows/process_creation/win_silenttrinity_stage_use.yml @@ -23,8 +23,5 @@ logsource: product: windows --- logsource: + category: image_load product: windows - service: sysmon -detection: - selection: - EventID: 7 diff --git a/rules/windows/process_creation/win_soundrec_audio_capture.yml b/rules/windows/process_creation/win_soundrec_audio_capture.yml index d529df422..35358d12e 100644 --- a/rules/windows/process_creation/win_soundrec_audio_capture.yml +++ b/rules/windows/process_creation/win_soundrec_audio_capture.yml 
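Review bot: the commented-out entry `# - '*\cmd.exe' # too many false positives` still uses the old wildcard form under what is now `ParentImage|endswith`, so anyone re-enabling it would get a literal asterisk; it should read `# - '\cmd.exe' # too many false positives`. The filter `CurrentDirectory|contains: '\ccmcache\'` matches the folder name anywhere in the path; since the SCCM client cache lives under the Windows directory by default, `CurrentDirectory|contains: '\Windows\ccmcache\'` keeps the exemption without matching a same-named folder elsewhere.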
@@ -2,7 +2,7 @@ title: Audio Capture via SoundRecorder id: 83865853-59aa-449e-9600-74b9d89a6d6e description: Detect attacker collecting audio via SoundRecorder application status: experimental -author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community +author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community date: 2019/10/24 modified: 2019/11/11 references: diff --git a/rules/windows/process_creation/win_spn_enum.yml b/rules/windows/process_creation/win_spn_enum.yml index 16cf006fd..c71eae33f 100644 --- a/rules/windows/process_creation/win_spn_enum.yml +++ b/rules/windows/process_creation/win_spn_enum.yml @@ -15,11 +15,13 @@ logsource: product: windows detection: selection_image: - Image: '*\setspn.exe' + Image|endswith: '\setspn.exe' selection_desc: - Description: '*Query or reset the computer* SPN attribute*' + Description|contains|all: + - 'Query or reset the computer' + - 'SPN attribute' cmd: - CommandLine: '*-q*' + CommandLine|contains: '-q' condition: (selection_image or selection_desc) and cmd falsepositives: - Administrator Activity diff --git a/rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml b/rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml new file mode 100644 index 000000000..328318d1c --- /dev/null +++ b/rules/windows/process_creation/win_sticky_keys_unauthenticated_privileged_console_access.yml 
@@ -0,0 +1,27 @@
+title: Using Sticky-keys To Obtain Unauthenticated, Privileged Console Access
+id: 1070db9a-3e5d-412e-8e7b-7183b616e1b3
+description: By replacing the sticky keys executable with the local admins CMD executable, an attacker is able to access a privileged windows console session without authenticating to the system. When the sticky keys are "activated" the privilleged shell is launched.
+references:
+ - https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html
+ - https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign-v1.pdf
+status: experimental
+date: 2020/18/02
+modified: 2021/06/11
+author: Sreeman
+tags:
+ - attack.t1015
+ - attack.privilege_escalation
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection:
+ CommandLine:
+ - "copy /y C:\\windows\\system32\\cmd.exe C:\\windows\\system32\\sethc.exe"
+ condition: selection
+fields:
+ - CommandLine
+ - ParentProcess
+falsepositives:
+ - Unknown
+level: medium
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_sus_auditpol_usage.yml b/rules/windows/process_creation/win_sus_auditpol_usage.yml
new file mode 100644
index 000000000..e3ca336ed
--- /dev/null
+++ b/rules/windows/process_creation/win_sus_auditpol_usage.yml
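Review bot: `date: 2020/18/02` is not a valid YYYY/MM/DD value (month 18) and may fail the repository's rule tests; it presumably means `2020/02/18`. `attack.t1015` is the retired Accessibility Features ID; the current sub-technique is `attack.t1546.008`, and `attack.persistence` belongs next to `attack.privilege_escalation`. The single exact `CommandLine` value matches one spelling of the copy only; `CommandLine|contains|all` on `'copy'`, `'\cmd.exe'` and `'\sethc.exe'` covers the same behaviour with different paths or switches, and `privilleged` in the description is a typo.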
@@ -0,0 +1,27 @@
+title: Suspicious Auditpol Usage
+id: 0a13e132-651d-11eb-ae93-0242ac130002
+description: Threat actors can use auditpol binary to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
+author: Janantha Marasinghe (https://github.com/blueteam0ps)
+references:
+ - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
+date: 2021/02/02
+modified: 2021/02/02
+tags:
+ - attack.defense_evasion
+ - attack.t1562.002
+level: high
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_auditpol_binary:
+ Image|endswith: '\auditpol.exe'
+ selection_auditpol_command:
+ CommandLine|contains:
+ - 'disable' # disables a specific audit policy
+ - 'clear' # delete or clears audit policy
+ - 'remove' # removes an audit policy
+ - 'restore' # restores an audit policy
+ condition: selection_auditpol_binary and selection_auditpol_command
+falsepositives:
+ - Admin activity
diff --git a/rules/windows/process_creation/win_susp_adfind.yml b/rules/windows/process_creation/win_susp_adfind.yml
index 503e79145..831fefe48 100644
--- a/rules/windows/process_creation/win_susp_adfind.yml
+++ b/rules/windows/process_creation/win_susp_adfind.yml
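Review bot: the `CommandLine|contains` values are bare words, so `'clear'`, `'remove'` and `'restore'` also match when the word occurs inside a subcategory name or a backup file path given to auditpol rather than as the switch. Prefixing the switch forms, `'/clear'`, `'/remove'`, `'/restore'`, narrows the rule to the operations the inline comments describe; `'disable'` has to stay bare because it appears as `/success:disable` or `/failure:disable`. `level: high` sits above `logsource` here while the other rules in this directory put it last, a style point only.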
@@ -5,23 +5,28 @@ description: Detects the execution of a AdFind for Active Directory enumeration references: - https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx - https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/master/fin6/Emulation_Plan/Phase1.md -author: FPT.EagleEye Team + - https://thedfirreport.com/2020/05/08/adfind-recon/ +author: FPT.EagleEye Team, omkar72, oscd.community date: 2020/09/26 +modified: 2021/05/12 tags: - attack.discovery - - attack.t1016 - attack.t1018 + - attack.t1087.002 - attack.t1482 - #- attack.t1069.002 - #- attack.t1087.002 + - attack.t1069.002 logsource: product: windows - service: process_creation + category: process_creation detection: selection: - ProcessCommandLine|contains: 'objectcategory' - Image: - - '*\adfind.exe' + CommandLine|contains: + - 'objectcategory' + - 'trustdmp' + - 'dcmodes' + - 'dclist' + - 'computers_pwdnotreqd' + Image|endswith: '\adfind.exe' condition: selection falsepositives: - Administrative activity diff --git a/rules/windows/process_creation/win_susp_atbroker.yml b/rules/windows/process_creation/win_susp_atbroker.yml new file mode 100644 index 000000000..ac9584df3 --- /dev/null +++ b/rules/windows/process_creation/win_susp_atbroker.yml 
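Review bot: the rule now requires `Image|endswith: '\adfind.exe'`, so the `CommandLine|contains` indicators only count while the binary keeps its name. win_susp_comsvcs_procdump.yml in this same commit ORs an `OriginalFileName` selection with its image check; if AdFind's PE version info carries an OriginalFileName (not verifiable from here), the same pattern would let the command-line list still fire on a renamed copy, which is the case these indicators are most useful for. The logsource and `CommandLine` field fixes are correct; a `# these switches are AdFind-specific` comment on the value list would explain why no extra anchoring on `objectcategory` is needed.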
@@ -0,0 +1,53 @@ +title: Suspicious Atbroker Execution +id: f24bcaea-0cd1-11eb-adc1-0242ac120002 +description: Atbroker executing non-deafualt Assistive Technology applications +references: + - http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/ + - https://lolbas-project.github.io/lolbas/Binaries/Atbroker/ +status: experimental +author: Mateusz Wydra, oscd.community +date: 2020/10/12 +tags: + - attack.defense_evasion + - attack.t1218 +logsource: + category: process_creation + product: windows +detection: + selection1: + - Image|endswith: 'AtBroker.exe' + selection2: + - CommandLine|contains: 'start' + filter: + - CommandLine|contains: + - animations + - audiodescription + - caretbrowsing + - caretwidth + - colorfiltering + - cursorscheme + - filterkeys + - focusborderheight + - focusborderwidth + - highcontrast + - keyboardcues + - keyboardpref + - magnifierpane + - messageduration + - minimumhitradius + - mousekeys + - Narrator + - osk + - overlappedcontent + - showsounds + - soundsentry + - stickykeys + - togglekeys + - windowarranging + - windowtracking + - windowtrackingtimeout + - windowtrackingzorder + condition: selection1 and selection2 and not filter +falsepositives: + - Legitimate, non-default assistive technology applications execution +level: high diff --git a/rules/windows/process_creation/win_susp_bcdedit.yml b/rules/windows/process_creation/win_susp_bcdedit.yml index a852aa98f..b6c580934 100644 --- a/rules/windows/process_creation/win_susp_bcdedit.yml +++ b/rules/windows/process_creation/win_susp_bcdedit.yml @@ -4,8 +4,10 @@ status: experimental description: Detects, possibly, malicious unauthorized usage of bcdedit.exe references: - https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set + - https://twitter.com/malwrhunterteam/status/1372536434125512712/photo/2 author: '@neu5ron' date: 2019/02/07 +modified: 2021/06/18 tags: - attack.defense_evasion - attack.t1070 
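Review bot: `Image|endswith: 'AtBroker.exe'` lacks the leading backslash every other rule in this directory uses, so it also matches any image whose name merely ends in those characters; it should be `Image|endswith: '\AtBroker.exe'`. selection2's `CommandLine|contains: 'start'` is a very short bare substring; ANDed with selection1 it is tolerable, but `' start '` with surrounding spaces matches the verb as a token and avoids hits on paths containing the word. Wrapping single-entry maps in lists (`selection1: - Image|endswith:`) is unnecessary here, and `non-deafualt` in the description should read `non-default`.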
@@ -17,10 +19,12 @@ logsource: product: windows detection: selection: - Image: '*\bcdedit.exe' - CommandLine: - - '*delete*' - - '*deletevalue*' - - '*import*' + Image|endswith: '\bcdedit.exe' + CommandLine|contains: + - 'delete' + - 'deletevalue' + - 'import' + - 'safeboot' + - 'network' condition: selection level: medium diff --git a/rules/windows/process_creation/win_susp_calc.yml b/rules/windows/process_creation/win_susp_calc.yml index 01bc71137..b0e6ec94b 100644 --- a/rules/windows/process_creation/win_susp_calc.yml +++ b/rules/windows/process_creation/win_susp_calc.yml @@ -14,11 +14,11 @@ logsource: product: windows detection: selection1: - CommandLine: '*\calc.exe *' + CommandLine|contains: '\calc.exe ' selection2: - Image: '*\calc.exe' + Image|endswith: '\calc.exe' filter2: - Image: '*\Windows\Sys*' + Image|contains: '\Windows\Sys' condition: selection1 or ( selection2 and not filter2 ) falsepositives: - Unknown diff --git a/rules/windows/process_creation/win_susp_certutil_command.yml b/rules/windows/process_creation/win_susp_certutil_command.yml index 03d13f669..b643eb4fc 100644 --- a/rules/windows/process_creation/win_susp_certutil_command.yml +++ b/rules/windows/process_creation/win_susp_certutil_command.yml @@ -5,11 +5,9 @@ description: Detects a suspicious Microsoft certutil execution with sub commands the built-in certutil utility author: Florian Roth, juju4, keepwatch date: 2019/01/16 -modified: 2020/09/05 +modified: 2021/04/23 references: - https://twitter.com/JohnLaTwC/status/835149808817991680 - - https://twitter.com/subTee/status/888102593838362624 - - https://twitter.com/subTee/status/888071631528235010 - https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/ - https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/ - https://twitter.com/egre55/status/1087685529016193025 
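Review bot: under `CommandLine|contains`, `'deletevalue'` is subsumed by `'delete'` (every command line containing the former also contains the latter), so the second entry is dead and should be dropped or kept with a comment explaining it is listed for readability. `'safeboot'` and `'network'` were added from the referenced tweet without a note; since the pattern of interest is `safeboot network`, `'network'` alone will also fire on unrelated bcdedit invocations that mention the word, so either pair the two in a `contains|all` selection or comment why the bare word is wanted at `level: medium`.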
@@ -18,23 +16,24 @@ logsource: category: process_creation product: windows detection: - selection: - CommandLine: - - '* -decode *' - - '* /decode *' - - '* -decodehex *' - - '* /decodehex *' - - '* -urlcache *' - - '* /urlcache *' - - '* -verifyctl *' - - '* /verifyctl *' - - '* -encode *' - - '* /encode *' - - '*certutil* -URL*' - - '*certutil* /URL*' - - '*certutil* -ping*' - - '*certutil* /ping*' - condition: selection + parameters: + CommandLine|contains: + - ' -decode ' + - ' -decodehex ' + - ' -urlcache ' + - ' -verifyctl ' + - ' -encode ' + - ' /decode ' + - ' /decodehex ' + - ' /urlcache ' + - ' /verifyctl ' + - ' /encode ' + certutil: + Image|endswith: '\certutil.exe' + CommandLine|contains: + - 'URL' + - 'ping' + condition: parameters or certutil fields: - CommandLine - ParentCommandLine @@ -49,7 +48,7 @@ tags: - attack.g0045 - attack.g0049 - attack.g0075 - - attack.g0096 + - attack.g0096 falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment level: high diff --git a/rules/windows/process_creation/win_susp_certutil_encode.yml b/rules/windows/process_creation/win_susp_certutil_encode.yml index b0d187ed0..3ab6f3319 100644 --- a/rules/windows/process_creation/win_susp_certutil_encode.yml +++ b/rules/windows/process_creation/win_susp_certutil_encode.yml @@ -5,9 +5,9 @@ description: Detects suspicious a certutil command that used to encode files, wh references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/ -author: Florian Roth +author: Florian Roth, Jonhnathan Ribeiro, oscd.community date: 2019/02/24 -modified: 2020/09/05 +modified: 2020/11/28 tags: - attack.defense_evasion - attack.t1027 
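Review bot: the `parameters` selection has no `Image` constraint, so ` -encode ` or ` -decode ` on any program's command line fires, while the sibling `certutil` selection does anchor on `Image|endswith: '\certutil.exe'`; applying the same anchor to `parameters` (or a condition of the form `certutil_image and (parameters or url_ping)`) would cut noise from other tools that use those switch names. In the `certutil` selection, `'URL'` and `'ping'` are bare substrings, and `'ping'` will match file names such as `mapping.txt` passed to certutil; `' -ping'`/`' /ping'` and `' -URL'`/`' /URL'` match the switches the way the old wildcard values did.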
@@ -16,11 +16,10 @@ logsource: product: windows detection: selection: - CommandLine: - - certutil -f -encode * - - certutil.exe -f -encode * - - certutil -encode -f * - - certutil.exe -encode -f * + Image|endswith: '\certutil.exe' + CommandLine|contains|all: + - '-f' + - '-encode' condition: selection falsepositives: - unknown diff --git a/rules/windows/process_creation/win_susp_cli_escape.yml b/rules/windows/process_creation/win_susp_cli_escape.yml index 019d2fcf8..d0efa1072 100644 --- a/rules/windows/process_creation/win_susp_cli_escape.yml +++ b/rules/windows/process_creation/win_susp_cli_escape.yml @@ -19,10 +19,10 @@ logsource: product: windows detection: selection: - CommandLine: + CommandLine|contains: # - # no TAB modifier in sigmac yet, so this matches (or TAB in elasticsearch backends without DSL queries) - - '*h^t^t^p*' - - '*h"t"t"p*' + - 'h^t^t^p' + - 'h"t"t"p' condition: selection falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment diff --git a/rules/windows/process_creation/win_susp_cmd_http_appdata.yml b/rules/windows/process_creation/win_susp_cmd_http_appdata.yml index ddbf7dd1a..93c3f436f 100644 --- a/rules/windows/process_creation/win_susp_cmd_http_appdata.yml +++ b/rules/windows/process_creation/win_susp_cmd_http_appdata.yml @@ -5,9 +5,9 @@ description: Detects a suspicious command line execution that includes an URL an references: - https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100 - https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100 -author: Florian Roth +author: Florian Roth, Jonhnathan Ribeiro, oscd.community date: 2019/01/16 -modified: 2020/09/05 +modified: 2020/11/20 tags: - attack.execution - attack.t1059.003 
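Review bot: `'-f'` under `CommandLine|contains|all` is a two-character substring and will match inside file names (`my-file.txt`) or other switches, so the `-f` requirement adds little; `' -f '` with spaces keeps the original `-f -encode` meaning. The slash spellings `/f` and `/encode` that win_susp_certutil_command.yml in this commit covers are not covered here, so the two certutil rules now disagree on what counts; a second value pair `' /f '` and `' /encode '` keeps them consistent.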
@@ -19,9 +19,11 @@ logsource: product: windows detection: selection: - CommandLine: - - cmd.exe /c *http://*%AppData% - - cmd.exe /c *https://*%AppData% + Image|endswith: '\cmd.exe' + CommandLine|contains|all: + - 'http' # captures both http and https + - '://' + - '%AppData%' condition: selection fields: - CommandLine diff --git a/rules/windows/process_creation/win_susp_codepage_switch.yml b/rules/windows/process_creation/win_susp_codepage_switch.yml index 6b68d66dc..09f0a7870 100644 --- a/rules/windows/process_creation/win_susp_codepage_switch.yml +++ b/rules/windows/process_creation/win_susp_codepage_switch.yml @@ -2,8 +2,9 @@ title: Suspicious Code Page Switch id: c7942406-33dd-4377-a564-0f62db0593a3 status: experimental description: Detects a code page switch in command line or batch scripts to a rare language -author: Florian Roth +author: Florian Roth, Jonhnathan Ribeiro, oscd.community date: 2019/10/14 +modified: 2020/11/28 references: - https://docs.microsoft.com/en-us/windows/win32/intl/code-page-identifiers - https://twitter.com/cglyer/status/1183756892952248325 @@ -12,13 +13,14 @@ logsource: product: windows detection: selection: - CommandLine: - - 'chcp* 936' # Chinese - # - 'chcp* 1256' # Arabic - - 'chcp* 1258' # Vietnamese - # - 'chcp* 855' # Russian - # - 'chcp* 866' # Russian - # - 'chcp* 864' # Arabic + Image|endswith: '\chcp.com' + CommandLine|endswith: + - ' 936' # Chinese + # - ' 1256' # Arabic + - ' 1258' # Vietnamese + # - ' 855' # Russian + # - ' 866' # Russian + # - ' 864' # Arabic condition: selection fields: - ParentCommandLine diff --git a/rules/windows/process_creation/win_susp_commands_recon_activity.yml b/rules/windows/process_creation/win_susp_commands_recon_activity.yml index 8810516ab..1f1037f95 100644 --- a/rules/windows/process_creation/win_susp_commands_recon_activity.yml +++ b/rules/windows/process_creation/win_susp_commands_recon_activity.yml 
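Review bot: `'http'` and `'://'` as two independent `contains|all` members also match command lines where the two pieces are unrelated (a `file://` path plus `http` anywhere else), so the workaround noted in the `# captures both http and https` comment is looser than it reads. A separate selection `url: CommandLine|contains: - 'http://' - 'https://'` with `condition: selection and url` expresses the intent exactly. Dropping the old `/c` requirement widens the rule to every cmd.exe command line with a URL and `%AppData%`; that is probably fine, but deserves a note in the description.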
@@ -8,7 +8,7 @@ references: - https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html author: Florian Roth, Markus Neis date: 2018/08/22 -modified: 2018/12/11 +modified: 2020/11/28 tags: - attack.discovery - attack.t1087 @@ -19,24 +19,25 @@ logsource: product: windows detection: selection: - CommandLine: + - CommandLine: - tasklist - net time - systeminfo - whoami - nbtstat - net start - - '*\net1 start' - qprocess - nslookup - hostname.exe - - '*\net1 user /domain' - - '*\net1 group /domain' - - '*\net1 group "domain admins" /domain' - - '*\net1 group "Exchange Trusted Subsystem" /domain' - - '*\net1 accounts /domain' - - '*\net1 user net localgroup administrators' - - netstat -an + - 'netstat -an' + - CommandLine|endswith: + - '\net1 start' + - '\net1 user /domain' + - '\net1 group /domain' + - '\net1 group "domain admins" /domain' + - '\net1 group "Exchange Trusted Subsystem" /domain' + - '\net1 accounts /domain' + - '\net1 user net localgroup administrators' timeframe: 15s condition: selection | count() by CommandLine > 4 falsepositives: diff --git a/rules/windows/process_creation/win_susp_compression_params.yml b/rules/windows/process_creation/win_susp_compression_params.yml index e42122458..32655a9b0 100644 --- a/rules/windows/process_creation/win_susp_compression_params.yml +++ b/rules/windows/process_creation/win_susp_compression_params.yml @@ -22,15 +22,15 @@ detection: - '7z*.exe' - '*rar.exe' - '*Command*Line*RAR*' - CommandLine: - - '* -p*' - - '* -ta*' - - '* -tb*' - - '* -sdel*' - - '* -dw*' - - '* -hp*' + CommandLine|contains: + - ' -p' + - ' -ta' + - ' -tb' + - ' -sdel' + - ' -dw' + - ' -hp' falsepositive: - ParentImage: 'C:\Program*' + ParentImage|startswith: 'C:\Program' condition: selection and not falsepositive falsepositives: - unknown diff --git a/rules/windows/process_creation/win_susp_comsvcs_procdump.yml b/rules/windows/process_creation/win_susp_comsvcs_procdump.yml index 56832c754..2879adff8 100644 
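Review bot: the aggregation `condition: selection | count() by CommandLine > 4` groups on the command line, so as I read the Sigma aggregation syntax it counts more than four events with the same command rather than four or more different recon commands within `timeframe: 15s`, which is what the reworked list suggests is intended; `count(CommandLine) by ComputerName > 4` would count distinct commands per host. That line is unchanged context, so it is not a regression of this commit, but the selection was just restructured and the condition is the place it matters. The exact `CommandLine` values (`tasklist`, `whoami`) only match when the process command line is exactly that word; a comment that fully-pathed launches are deliberately out of scope would prevent that being reported as a bug.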
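Review bot: the migration to modifiers stops halfway in this selection: `CommandLine|contains` and `ParentImage|startswith` are converted, but the `Image`/`Description` values just above them keep the old wildcard form (`'7z*.exe'`, `'*rar.exe'`, `'*Command*Line*RAR*'`), so the rule now mixes both styles and a reader cannot tell which backends expand which. `ParentImage|startswith: 'C:\Program'` hard-codes the system drive; `ParentImage|contains: ':\Program'` keeps the exemption on hosts with another drive letter. The start of the selection is outside the hunk.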
--- a/rules/windows/process_creation/win_susp_comsvcs_procdump.yml +++ b/rules/windows/process_creation/win_susp_comsvcs_procdump.yml @@ -13,13 +13,14 @@ logsource: product: windows detection: rundll_image: - Image: '*\rundll32.exe' + Image|endswith: '\rundll32.exe' rundll_ofn: OriginalFileName: 'RUNDLL32.EXE' selection: - CommandLine: - - '*comsvcs*MiniDump*full*' - - '*comsvcs*MiniDumpW*full*' + CommandLine|contains|all: + - 'comsvcs' + - 'MiniDump' #Matches MiniDump and MinidumpW + - 'full' condition: (rundll_image or rundll_ofn) and selection fields: - CommandLine diff --git a/rules/windows/process_creation/win_susp_conhost.yml b/rules/windows/process_creation/win_susp_conhost.yml index 8f925d64a..02592026a 100644 --- a/rules/windows/process_creation/win_susp_conhost.yml +++ b/rules/windows/process_creation/win_susp_conhost.yml @@ -1,4 +1,4 @@ -title: Conhost Parent Proces Executions +title: Conhost Parent Process Executions id: 7dc2dedd-7603-461a-bc13-15803d132355 status: experimental description: Detects the conhost execution as parent process. Can be used to evaded defense mechanism. @@ -6,6 +6,7 @@ references: - http://www.hexacorn.com/blog/2020/05/25/how-to-con-your-host/ author: omkar72 date: 2020/10/25 +modified: 2021/06/27 tags: - attack.defense_evasion - attack.t1202 @@ -14,7 +15,7 @@ logsource: product: windows detection: selection: - ParentImage: '*\conhost.exe' + ParentImage|endswith: '\conhost.exe' condition: selection fields: - Image diff --git a/rules/windows/process_creation/win_susp_control_dll_load.yml b/rules/windows/process_creation/win_susp_control_dll_load.yml index 7d8927d85..726bb7ce1 100644 --- a/rules/windows/process_creation/win_susp_control_dll_load.yml +++ b/rules/windows/process_creation/win_susp_control_dll_load.yml 
@@ -16,10 +16,10 @@ logsource: product: windows detection: selection: - ParentImage: '*\System32\control.exe' - CommandLine: '*\rundll32.exe *' + ParentImage|endswith: '\System32\control.exe' + Image|endswith: '\rundll32.exe ' filter: - CommandLine: '*Shell32.dll*' + CommandLine|contains: 'Shell32.dll' condition: selection and not filter fields: - CommandLine diff --git a/rules/windows/process_creation/win_susp_copy_lateral_movement.yml b/rules/windows/process_creation/win_susp_copy_lateral_movement.yml index 53841c573..7041aa9dc 100644 --- a/rules/windows/process_creation/win_susp_copy_lateral_movement.yml +++ b/rules/windows/process_creation/win_susp_copy_lateral_movement.yml 
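Review bot: `Image|endswith: '\rundll32.exe '` carries a trailing space inherited from the old `CommandLine: '*\rundll32.exe *'` value, and an image path never ends in a space, so the selection can no longer match and the rule is effectively disabled; it should be `Image|endswith: '\rundll32.exe'`. If switching the field from CommandLine to Image was intended, the `filter` on `CommandLine|contains: 'Shell32.dll'` still reads the command line, which is fine, but a comment noting that the selection now keys on the child image would help.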
@@ -1,28 +1,44 @@ title: Copy from Admin Share id: 855bc8b5-2ae8-402e-a9ed-b889e6df1900 status: experimental -description: Detects a suspicious copy command from a remote C$ or ADMIN$ share +description: Detects a suspicious copy command to or from an Admin share references: - https://twitter.com/SBousseaden/status/1211636381086339073 -author: Florian Roth + - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view +author: 'Florian Roth, oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st' date: 2019/12/30 -modified: 2020/09/05 +modified: 2020/11/28 tags: - attack.lateral_movement + - attack.collection + - attack.exfiltration + - attack.t1039 + - attack.t1105 # an old one + - attack.t1048 - attack.t1021.002 - - attack.command_and_control - - attack.t1105 - - attack.s0106 - - attack.t1077 # an old one logsource: category: process_creation product: windows detection: - selection: + selection1: + Image|endswith: + - '\robocopy.exe' + - '\xcopy.exe' + selection2: + Image|endswith: '\cmd.exe' + CommandLine|contains: 'copy' + selection3: + Image|contains: '\powershell' CommandLine|contains: - - 'copy *\c$' - - 'copy *\ADMIN$' - condition: selection + - 'copy-item' + - 'copy' + - 'cpi ' + - ' cp ' + selection4: + CommandLine|contains|all: + - '\\\\' + - '$' + condition: (selection1 or selection2 or selection3) and selection4 fields: - CommandLine - ParentCommandLine diff --git a/rules/windows/process_creation/win_susp_copy_system32.yml b/rules/windows/process_creation/win_susp_copy_system32.yml index 48de314d0..5a3535453 100644 --- a/rules/windows/process_creation/win_susp_copy_system32.yml +++ b/rules/windows/process_creation/win_susp_copy_system32.yml @@ -16,8 +16,10 @@ tags: detection: selection: CommandLine|contains: - - ' /c copy *\System32\' - - 'xcopy*\System32\' + - ' /c copy' + - 'xcopy' + CommandLine|contains|all: + - '\System32\' condition: selection fields: - CommandLine 
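Review bot: selection4 treats any `$` as the admin-share marker, so together with selection3's bare `'copy'` a PowerShell command line that mentions a UNC path and any `$variable` fires; the old values anchored on `\c$` and `\ADMIN$`, and a value list such as `CommandLine|contains: - 'C$' - 'ADMIN$'` alongside the `'\\\\'` requirement restores that precision while still covering both directions. In selection3, `'copy'` already matches every command line containing `'copy-item'`, so that entry is redundant under `contains`. `attack.t1105` is marked `# an old one`, but T1105 (Ingress Tool Transfer) is a current technique; the comment looks copied from the removed `attack.t1077` line.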
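Review bot: the selection combines `CommandLine|contains` (either of ` /c copy`, `xcopy`) with a second key `CommandLine|contains|all` holding the single value `'\System32\'`; the `|all` on a one-element list serves only to avoid a duplicate `CommandLine|contains` YAML key, and the two keys are ANDed by Sigma map semantics. That is easy to misread as a mistake, so a comment would help: `# spelled with |all only to avoid a duplicate map key; both keys must match`. The start of the rule is outside the hunk.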
diff --git a/rules/windows/process_creation/win_susp_covenant.yml b/rules/windows/process_creation/win_susp_covenant.yml index d2440ff5c..0c323f1e7 100644 --- a/rules/windows/process_creation/win_susp_covenant.yml +++ b/rules/windows/process_creation/win_susp_covenant.yml @@ -4,7 +4,7 @@ description: Detects suspicious command lines used in Covenant luanchers status: experimental references: - https://posts.specterops.io/covenant-v0-5-eee0507b85ba -author: Florian Roth +author: Florian Roth, Jonhnathan Ribeiro, oscd.community date: 2020/06/04 tags: - attack.execution @@ -17,12 +17,19 @@ logsource: product: windows detection: selection: + CommandLine|contains|all: + - '-Sta' + - '-Nop' + - '-Window' + - 'Hidden' + CommandLine|contains: + - '-Command' + - '-EncodedCommand' + selection2: CommandLine|contains: - - ' -Sta -Nop -Window Hidden -Command ' - - ' -Sta -Nop -Window Hidden -EncodedCommand ' - 'sv o (New-Object IO.MemorySteam);sv d ' - 'mshta file.hta' - 'GruntHTTP' - '-EncodedCommand cwB2ACAAbwAgA' - condition: selection + condition: selection or selection2 level: high diff --git a/rules/windows/process_creation/win_susp_crackmapexec_execution.yml b/rules/windows/process_creation/win_susp_crackmapexec_execution.yml index b72016d49..9a5f1afb3 100644 --- a/rules/windows/process_creation/win_susp_crackmapexec_execution.yml +++ b/rules/windows/process_creation/win_susp_crackmapexec_execution.yml @@ -1,6 +1,6 @@ title: CrackMapExec Command Execution id: 058f4380-962d-40a5-afce-50207d36d7e2 -status: experimental +status: stable description: Detect various execution methods of the CrackMapExec pentesting framework references: - https://github.com/byt3bl33d3r/CrackMapExec @@ -8,7 +8,7 @@ tags: - attack.execution - attack.t1047 - attack.t1053 - - attack.t1059.003 + - attack.t1059.003 - attack.t1059.001 - attack.s0106 - attack.t1086 # an old one 
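Review bot: the unchanged context value `'sv o (New-Object IO.MemorySteam);sv d '` spells the .NET type as `MemorySteam`; unless Covenant's launcher itself contains that misspelling (not verifiable from here), the entry can never match and should read `IO.MemoryStream`. The new `selection` requires `-Sta`, `-Nop`, `-Window` and `Hidden` as independent substrings, which accepts the flags in any order and with other arguments between them, so it is broader than the old adjacent string; that is reasonable for these flags but worth a one-line comment. `luanchers` in the description context is a typo.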
@@ -19,17 +19,18 @@ logsource: product: windows detection: selection: - CommandLine: + CommandLine|endswith: # cme/protocols/smb/wmiexec.py (generalized execute_remote and execute_fileless) - - '*cmd.exe /Q /c * 1> \\\\*\\*\\* 2>&1' + - 'cmd.exe /Q /c * 1> \\\\*\\*\\* 2>&1' # cme/protocols/smb/atexec.py:109 (fileless output via share) - - '*cmd.exe /C * > \\\\*\\*\\* 2>&1' + - 'cmd.exe /C * > \\\\*\\*\\* 2>&1' # cme/protocols/smb/atexec.py:111 (fileless output via share) - - '*cmd.exe /C * > *\\Temp\\* 2>&1' + - 'cmd.exe /C * > *\\Temp\\* 2>&1' + CommandLine|contains: # cme/helpers/powershell.py:139 (PowerShell execution with obfuscation) - - '*powershell.exe -exec bypass -noni -nop -w 1 -C "*' + - 'powershell.exe -exec bypass -noni -nop -w 1 -C "' # cme/helpers/powershell.py:149 (PowerShell execution without obfuscation) - - '*powershell.exe -noni -nop -w 1 -enc *' + - 'powershell.exe -noni -nop -w 1 -enc ' condition: selection fields: - ComputerName diff --git a/rules/windows/process_creation/win_susp_csc.yml b/rules/windows/process_creation/win_susp_csc.yml index 71cac8c15..28f543963 100644 --- a/rules/windows/process_creation/win_susp_csc.yml +++ b/rules/windows/process_creation/win_susp_csc.yml @@ -6,7 +6,7 @@ references: - https://twitter.com/SBousseaden/status/1094924091256176641 author: Florian Roth date: 2019/02/11 -modified: 2020/09/05 +modified: 2020/11/28 tags: - attack.execution - attack.t1059.005 @@ -20,12 +20,12 @@ logsource: product: windows detection: selection: - Image: '*\csc.exe*' - ParentImage: - - '*\wscript.exe' - - '*\cscript.exe' - - '*\mshta.exe' + Image|endswith: '\csc.exe' + ParentImage|endswith: + - '\wscript.exe' + - '\cscript.exe' + - '\mshta.exe' condition: selection falsepositives: - - Unkown + - Unknown level: high diff --git a/rules/windows/process_creation/win_susp_csc_folder.yml b/rules/windows/process_creation/win_susp_csc_folder.yml index c9cc8c996..ceff85403 100644 --- a/rules/windows/process_creation/win_susp_csc_folder.yml 
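Review bot: The rewritten values still carry `*` wildcards inside `endswith`/`contains` (e.g. `'cmd.exe /Q /c * 1> \\\\*\\*\\* 2>&1'`), so the rule only works where the backend keeps treating `*` inside modifier values as a wildcard rather than escaping it to a literal; if that is not guaranteed for every target, state the assumption, e.g. `# wildcards inside modifier values are intentional`. The `cme/protocols/smb/atexec.py:109` style comments pin line numbers that drift with upstream; a version or commit reference next to them (placeholder: `# as of cme <VERSION>`) would keep them checkable, which matters more now that the first hunk of this file raises the status to stable.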
+++ b/rules/windows/process_creation/win_susp_csc_folder.yml @@ -9,7 +9,7 @@ references: - https://twitter.com/gN3mes1s/status/1206874118282448897 author: Florian Roth date: 2019/08/24 -modified: 2020/09/05 +modified: 2021/02/01 tags: - attack.defense_evasion - attack.t1500 # an old one @@ -19,15 +19,17 @@ logsource: product: windows detection: selection: - Image: '*\csc.exe' - CommandLine: - - '*\AppData\\*' - - '*\Windows\Temp\\*' + Image|endswith: '\csc.exe' + CommandLine|contains: + - '\AppData\' + - '\Windows\Temp\' filter: - ParentImage: - - 'C:\Program Files*' # https://twitter.com/gN3mes1s/status/1206874118282448897 - - '*\sdiagnhost.exe' # https://twitter.com/gN3mes1s/status/1206874118282448897 - - '*\w3wp.exe' # https://twitter.com/gabriele_pippi/status/1206907900268072962 + - ParentImage|startswith: 'C:\Program Files' # https://twitter.com/gN3mes1s/status/1206874118282448897 + - ParentImage|endswith: + - '\sdiagnhost.exe' # https://twitter.com/gN3mes1s/status/1206874118282448897 + - '\w3wp.exe' # https://twitter.com/gabriele_pippi/status/1206907900268072962 + - ParentCommandLine|contains: + - '\ProgramData\Microsoft\Windows Defender Advanced Threat Protection' condition: selection and not filter falsepositives: - https://twitter.com/gN3mes1s/status/1206874118282448897 diff --git a/rules/windows/process_creation/win_susp_csi.yml b/rules/windows/process_creation/win_susp_csi.yml new file mode 100644 index 000000000..ee19fca90 --- /dev/null +++ b/rules/windows/process_creation/win_susp_csi.yml 
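Review bot: The new `ParentCommandLine|contains` filter entry exempts csc.exe whenever the parent's command line merely contains the Defender ATP folder string, and a command line is chosen by whoever starts the parent, so this exclusion is weaker than the path-based entries next to it. Express it on the executable path like the other entries, `- ParentImage|contains: '\ProgramData\Microsoft\Windows Defender Advanced Threat Protection'`, or add a comment recording why a command-line match was chosen here.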
@@ -0,0 +1,38 @@ +title: Suspicious Csi.exe Usage +id: 40b95d31-1afc-469e-8d34-9a3a667d058e +description: Csi.exe is a signed binary from Micosoft that comes with Visual Studio and provides C# interactive capabilities. It can be used to run C# code from a file passed as a parameter in command line. Early version of this utility provided with Microsoft “Roslyn” Community Technology Preview was named 'rcsi.exe' +status: experimental +author: Konstantin Grishchenko, oscd.community +date: 2020/10/17 +modified: 2021/05/11 +references: + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Csi.yml + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Rcsi.yml + - https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/ + - https://twitter.com/Z3Jpa29z/status/1317545798981324801 +tags: + - attack.execution + - attack.t1072 + - attack.defense_evasion + - attack.t1218 +logsource: + category: process_creation + product: windows +detection: + basic: + - Image|endswith: '\csi.exe' + - Image|endswith: '\rcsi.exe' + renamed: + - OriginalFileName: 'csi.exe' + - OriginalFileName: 'rcsi.exe' + selection: + Company: 'Microsoft Corporation' + condition: (basic or renamed) and selection +fields: + - ComputerName + - User + - CommandLine + - ParentCommandLine +falsepositives: + - Legitimate usage by software developers +level: medium diff --git a/rules/windows/process_creation/win_susp_curl_start_combo.yml b/rules/windows/process_creation/win_susp_curl_start_combo.yml index 57092fbb0..94584f795 100644 --- a/rules/windows/process_creation/win_susp_curl_start_combo.yml +++ b/rules/windows/process_creation/win_susp_curl_start_combo.yml @@ -18,7 +18,9 @@ logsource: detection: condition: selection selection: - CommandLine|contains: 'curl* start ' + CommandLine|contains|all: + - 'curl' + - ' start ' falsepositives: - Administrative scripts (installers) fields: 
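Review bot: In the win_susp_csi.yml hunk, `selection` gates both branches on `Company: 'Microsoft Corporation'`, yet the `renamed` branch exists to catch copies whose identity was altered, and a copy whose version resource was stripped or edited fails the Company check and is dropped; consider applying the gate to `basic` only, `condition: (basic and selection) or renamed`, or document the trade-off in the description. Also `Micosoft` in the description should be `Microsoft`, and a name such as `microsoft_company` would say what `selection` is for.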
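Review bot: In the win_susp_curl_start_combo.yml hunk, `contains|all` drops the ordering the old `curl* start ` wildcard enforced, so a command line that contains `curl` anywhere (a path component, `libcurl`) together with the token ` start ` (as in `net start `) now matches. Tying the rule to the binary, `Image|endswith: '\curl.exe'`, or at least using `'curl '` with the trailing space, keeps the match on an actual curl invocation.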
diff --git a/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml b/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml index 2737be5c0..810f8be98 100644 --- a/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml +++ b/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml @@ -16,7 +16,7 @@ logsource: product: windows detection: selection_1: - Image|endswith: '*\reg.exe' + Image|endswith: '\reg.exe' CommandLine|contains: 'add' # to avoid intersection with discovery tactic rules selection_2: CommandLine|contains: # need to improve this list, there are plenty of ASEP reg keys diff --git a/rules/windows/process_creation/win_susp_disable_eventlog.yml b/rules/windows/process_creation/win_susp_disable_eventlog.yml new file mode 100644 index 000000000..edbdd25fb --- /dev/null +++ b/rules/windows/process_creation/win_susp_disable_eventlog.yml @@ -0,0 +1,33 @@ +title: Disable or Delete Windows Eventlog +id: cd1f961e-0b96-436b-b7c6-38da4583ec00 +status: experimental +description: Detects command that is used to disable or delete Windows eventlog via logman Windows utility +references: + - https://twitter.com/0gtweet/status/1359039665232306183?s=21 + - https://ss64.com/nt/logman.html +tags: + - attack.defense_evasion + - attack.t1562.001 + - attack.t1070.001 +author: Florian Roth +date: 2021/02/11 +modified: 2021/06/21 +logsource: + category: process_creation + product: windows +detection: + selection_tools: + CommandLine|contains: + - 'logman ' + selection_action: + CommandLine|contains: + - 'stop ' + - 'delete ' + selection_service: + CommandLine|contains: + - EventLog-System + condition: all of them +falsepositives: + - Legitimate deactivation by administrative staff + - Installer tools that disable services, e.g. before log collection agent installation +level: high 
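Review bot: `selection_tools` matches only `'logman '` with a trailing space, so an invocation by full path (`...\logman.exe stop ...`) is not covered because the executable name is followed by `.exe`, not a space. Add `- 'logman.exe'` to that list or replace the selection with `Image|endswith: '\logman.exe'`.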
diff --git a/rules/windows/process_creation/win_susp_disable_raccine.yml b/rules/windows/process_creation/win_susp_disable_raccine.yml new file mode 100644 index 000000000..b93f381d3 --- /dev/null +++ b/rules/windows/process_creation/win_susp_disable_raccine.yml @@ -0,0 +1,33 @@ +title: Raccine Uninstall +id: a31eeaed-3fd5-478e-a8ba-e62c6b3f9ecc +status: experimental +description: Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool. +references: + - https://github.com/Neo23x0/Raccine +tags: + - attack.defense_evasion + - attack.t1562.001 +author: Florian Roth +date: 2021/01/21 +logsource: + category: process_creation + product: windows +detection: + selection1: + CommandLine|contains|all: + - 'taskkill ' + - '/IM RaccineSettings.exe' + selection2: + CommandLine|contains|all: + - 'reg.exe' + - 'delete' + - 'Raccine Tray' + selection3: + CommandLine|contains|all: + - 'schtasks' + - '/DELETE' + - 'Raccine Rules Updater' + condition: 1 of them +falsepositives: + - Legitimate deinstallation by administrative staff +level: high diff --git a/rules/windows/process_creation/win_susp_diskshadow.yml b/rules/windows/process_creation/win_susp_diskshadow.yml new file mode 100644 index 000000000..6c57237ed --- /dev/null +++ b/rules/windows/process_creation/win_susp_diskshadow.yml 
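Review bot: `selection2` requires the literal `reg.exe` in the command line, but the registry tool is normally invoked as `reg delete ...` without an extension or path, so that branch misses the ordinary form of the command; move the executable test to `Image|endswith: '\reg.exe'` inside selection2 and keep `'delete'` and `'Raccine Tray'` as the `contains|all` terms. `'taskkill '` and `'schtasks'` match either spelling, so only selection2 needs the change.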
@@ -0,0 +1,27 @@ +title: Execution via Diskshadow.exe +id: 0c2f8629-7129-4a8a-9897-7e0768f13ff2 +status: experimental +description: Detects using Diskshadow.exe to execute arbitrary code in text file +references: + - https://bohops.com/2018/03/26/diskshadow-the-return-of-vss-evasion-persistence-and-active-directory-database-extraction/ +tags: + - attack.execution + - attack.t1218 +author: Ivan Dyachkov, oscd.community +date: 2020/10/07 +logsource: + category: process_creation + product: windows + definition: 'Requirements: Sysmon ProcessCreation logging must be activated and Windows audit msut Include command line in process creation events' +detection: + selection: + Image|endswith: '\diskshadow.exe' + CommandLine|contains: + - '/s' + - '-s' + condition: selection +fields: + - CommandLine +falsepositives: + - False postitve can be if administrators use diskshadow tool in their infrastructure as a main backup tool with scripts. +level: high diff --git a/rules/windows/process_creation/win_susp_double_extension.yml b/rules/windows/process_creation/win_susp_double_extension.yml index 3c06ded41..0bd70927f 100644 --- a/rules/windows/process_creation/win_susp_double_extension.yml +++ b/rules/windows/process_creation/win_susp_double_extension.yml @@ -15,18 +15,18 @@ logsource: product: windows detection: selection: - Image: - - '*.doc.exe' - - '*.docx.exe' - - '*.xls.exe' - - '*.xlsx.exe' - - '*.ppt.exe' - - '*.pptx.exe' - - '*.rtf.exe' - - '*.pdf.exe' - - '*.txt.exe' - - '* .exe' - - '*______.exe' + Image|endswith: + - '.doc.exe' + - '.docx.exe' + - '.xls.exe' + - '.xlsx.exe' + - '.ppt.exe' + - '.pptx.exe' + - '.rtf.exe' + - '.pdf.exe' + - '.txt.exe' + - ' .exe' + - '______.exe' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/win_susp_exec_folder.yml b/rules/windows/process_creation/win_susp_exec_folder.yml deleted file mode 100644 index f42c4c82d..000000000 
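Review bot: The `CommandLine|contains` values `'/s'` and `'-s'` are bare two-character substrings, so any diskshadow argument containing them (a path with `/s`, an option beginning `-s...`) matches, not only the script switch; `' /s'` and `' -s'` with the leading space express the intent. The `definition` and `falsepositives` lines carry typos, `msut` → `must` and `postitve` → `positive`.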
--- a/rules/windows/process_creation/win_susp_exec_folder.yml +++ /dev/null @@ -1,42 +0,0 @@ -title: Executables Started in Suspicious Folder -id: 7a38aa19-86a9-4af7-ac51-6bfe4e59f254 -status: experimental -description: Detects process starts of binaries from a suspicious folder -author: Florian Roth -date: 2017/10/14 -modified: 2019/02/21 -references: - - https://github.com/mbevilacqua/appcompatprocessor/blob/master/AppCompatSearch.txt - - https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses - - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/ - - https://github.com/ThreatHuntingProject/ThreatHunting/blob/master/hunts/suspicious_process_creation_via_windows_event_logs.md -tags: - - attack.defense_evasion - - attack.t1036 -logsource: - category: process_creation - product: windows -detection: - selection: - Image: - - C:\PerfLogs\\* - - C:\$Recycle.bin\\* - - C:\Intel\Logs\\* - - C:\Users\Default\\* - - C:\Users\Public\\* - - C:\Users\NetworkService\\* - - C:\Windows\Fonts\\* - - C:\Windows\Debug\\* - - C:\Windows\Media\\* - - C:\Windows\Help\\* - - C:\Windows\addins\\* - - C:\Windows\repair\\* - - C:\Windows\security\\* - - '*\RSA\MachineKeys\\*' - - C:\Windows\system32\config\systemprofile\\* - - C:\Windows\Tasks\\* - - C:\Windows\System32\Tasks\\* - condition: selection -falsepositives: - - Unknown -level: high diff --git a/rules/windows/process_creation/win_susp_execution_path.yml b/rules/windows/process_creation/win_susp_execution_path.yml index 9e4136cd9..ed571e472 100644 --- a/rules/windows/process_creation/win_susp_execution_path.yml +++ b/rules/windows/process_creation/win_susp_execution_path.yml 
@@ -1,9 +1,15 @@ -title: Execution in Non-Executable Folder +title: Execution from Suspicious Folder id: 3dfd06d2-eaf4-4532-9555-68aca59f57c4 status: experimental -description: Detects a suspicious exection from an uncommon folder +description: Detects a suspicious execution from an uncommon folder author: Florian Roth date: 2019/01/16 +modified: 2021/03/31 +references: + - https://github.com/mbevilacqua/appcompatprocessor/blob/master/AppCompatSearch.txt + - https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses + - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/ + - https://github.com/ThreatHuntingProject/ThreatHunting/blob/master/hunts/suspicious_process_creation_via_windows_event_logs.md tags: - attack.defense_evasion - attack.t1036 @@ -12,16 +18,27 @@ logsource: product: windows detection: selection: - Image: - - '*\$Recycle.bin' - - '*\Users\All Users\\*' - - '*\Users\Default\\*' - - '*\Users\Public\\*' - - 'C:\Perflogs\\*' - - '*\config\systemprofile\\*' - - '*\Windows\Fonts\\*' - - '*\Windows\IME\\*' - - '*\Windows\addins\\*' + - Image|contains: + - '\$Recycle.bin\' + - '\config\systemprofile\' + - '\Intel\Logs\' + - '\RSA\MachineKeys\' + - '\Users\All Users\' + - '\Users\Default\' + - '\Users\NetworkService\' + - '\Users\Public\' + - '\Windows\addins\' + - '\Windows\debug\' + - '\Windows\Fonts\' + - '\Windows\Help\' + - '\Windows\IME\' + - '\Windows\Media\' + - '\Windows\repair\' + - '\Windows\security\' + - '\Windows\system32\config\systemprofile\' + - '\Windows\System32\Tasks\' + - '\Windows\Tasks\' + - Image|startswith: 'C:\Perflogs\' condition: selection fields: - CommandLine diff --git a/rules/windows/process_creation/win_susp_execution_path_webserver.yml b/rules/windows/process_creation/win_susp_execution_path_webserver.yml index bdc9cf05f..f1ab6a6e3 100644 --- a/rules/windows/process_creation/win_susp_execution_path_webserver.yml 
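Review bot: In the `@@ -12,16 +18,27 @@` hunk, `Image|startswith: 'C:\Perflogs\'` is the one entry bound to drive C: while every other path is matched drive-independently via `Image|contains`; moving it into that list as `- '\Perflogs\'` makes the selection consistent and covers systems installed on another drive. The msiexec_cwd filter rewritten further down in this commit (`Image|startswith: 'C:\Windows\System32\'` and siblings) has the inverse problem: on a non-C: system root nothing is excluded and every msiexec start is reported.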
+++ b/rules/windows/process_creation/win_susp_execution_path_webserver.yml @@ -13,17 +13,17 @@ logsource: product: windows detection: selection: - Image: - - '*\wwwroot\\*' - - '*\wmpub\\*' - - '*\htdocs\\*' + Image|contains: + - '\wwwroot\' + - '\wmpub\' + - '\htdocs\' filter: - Image: - - '*bin\\*' - - '*\Tools\\*' - - '*\SMSComponent\\*' - ParentImage: - - '*\services.exe' + Image|contains: + - 'bin\' + - '\Tools\' + - '\SMSComponent\' + ParentImage|endswith: + - '\services.exe' condition: selection and not filter fields: - CommandLine diff --git a/rules/windows/process_creation/win_susp_explorer.yml b/rules/windows/process_creation/win_susp_explorer.yml new file mode 100644 index 000000000..6d6d85388 --- /dev/null +++ b/rules/windows/process_creation/win_susp_explorer.yml @@ -0,0 +1,26 @@ +title: Proxy Execution Via Explorer.exe +id: 9eb271b9-24ae-4cd4-9465-19cfc1047f3e +description: Attackers can use explorer.exe for evading defense mechanisms +author: 'Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative' +status: experimental +date: 2020/10/05 +references: + - https://twitter.com/CyberRaiju/status/1273597319322058752 +tags: + - attack.defense_evasion + - attack.t1218 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: + - \explorer.exe + ParentImage|endswith: + - \cmd.exe + CommandLine|contains: + - explorer.exe + condition: selection +falsepositives: + - Legitimate explorer.exe run from cmd.exe +level: low diff --git a/rules/windows/process_creation/win_susp_file_characteristics.yml b/rules/windows/process_creation/win_susp_file_characteristics.yml index 81b8fed82..7bfd6a159 100644 --- a/rules/windows/process_creation/win_susp_file_characteristics.yml +++ b/rules/windows/process_creation/win_susp_file_characteristics.yml 
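Review bot: The `filter` entry `'bin\'` excludes any image whose path contains that fragment, which includes an executable placed in a `bin` directory beneath `\wwwroot\`, so the exclusion is as wide as the detection it is meant to refine. The hunk only re-expresses the old `*bin\\*`, but it is the right place to narrow the value to the specific application folders the exclusion exists for and to add a comment naming them, as the `\SMSComponent\` entry implicitly does.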
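Review bot: In the win_susp_explorer.yml hunk, the values `\explorer.exe` and `\cmd.exe` are unquoted plain scalars while every other rule in this commit quotes backslash values (`'\cmd.exe'`); quote them for consistency. `CommandLine|contains: explorer.exe` adds little over `Image|endswith: '\explorer.exe'`, and the rule as written fires on every explorer.exe spawned by cmd.exe regardless of arguments; if the intent is the argument pattern from the referenced tweet, that is what the command-line term should express, otherwise the description should say the rule is deliberately broad.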
@@ -7,7 +7,7 @@ references: - https://www.virustotal.com/#/file/276a765a10f98cda1a38d3a31e7483585ca3722ecad19d784441293acf1b7beb/detection author: Markus Neis, Sander Wiebing date: 2018/11/22 -modified: 2020/05/26 +modified: 2021/06/27 tags: - attack.execution - attack.t1059.006 @@ -27,7 +27,7 @@ detection: Description: '\?' Company: '\?' folder: - Image: '*\Downloads\\*' + Image|contains: '\Downloads\' condition: (selection1 or selection2 or selection3) and folder fields: - CommandLine diff --git a/rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml b/rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml new file mode 100644 index 000000000..63ffa1398 --- /dev/null +++ b/rules/windows/process_creation/win_susp_file_download_via_gfxdownloadwrapper.yml @@ -0,0 +1,27 @@ +title: GfxDownloadWrapper.exe Downloads File from Suspicious URL +id: eee00933-a761-4cd0-be70-c42fe91731e7 +status: experimental +description: Detects when GfxDownloadWrapper.exe downloads file from non standard URL +references: + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/GfxDownloadWrapper.yml +author: Victor Sergeev, oscd.community +date: 2020/10/09 +logsource: + category: process_creation + product: windows +detection: + image_path: + Image|endswith: '\GfxDownloadWrapper.exe' + cmd_known_url: + CommandLine|contains: 'gameplayapi.intel.com' + same_parent: + ParentImage|endswith: '\GfxDownloadWrapper.exe' + condition: image_path and not cmd_known_url and not same_parent +fields: + - CommandLine +falsepositives: + - Unknown +level: medium +tags: + - attack.command_and_control + - attack.t1105 diff --git a/rules/windows/process_creation/win_susp_findstr.yml b/rules/windows/process_creation/win_susp_findstr.yml new file mode 100644 index 000000000..1a5a58037 --- /dev/null +++ b/rules/windows/process_creation/win_susp_findstr.yml 
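Review bot: In the win_susp_file_download_via_gfxdownloadwrapper.yml hunk, the `cmd_known_url` exclusion is a bare substring test on `gameplayapi.intel.com`, so a URL that contains that text elsewhere, as a path segment or as a prefix of a longer hostname, is excluded too; anchoring it with the scheme separator and a terminating slash (`'://gameplayapi.intel.com/'`) keeps the allow-list to the real host. A comment on `same_parent` saying why a GfxDownloadWrapper parent is considered benign would help the next reader.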
@@ -0,0 +1,32 @@ +title: Abusing Findstr for Defense Evasion +id: bf6c39fc-e203-45b9-9538-05397c1b4f3f +description: Attackers can use findstr to hide their artifacts or search specific strings and evade defense mechanism +author: 'Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative' +status: experimental +date: 2020/10/05 +references: + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Findstr.yml + - https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/ + - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f +tags: + - attack.defense_evasion + - attack.t1218 +logsource: + category: process_creation + product: windows +detection: + selectionFindstr: + CommandLine|contains: + - findstr + selection_V_L: + CommandLine|contains|all: + - /V + - /L + selection_S_I: + CommandLine|contains|all: + - /S + - /I + condition: selectionFindstr and (selection_V_L or selection_S_I) +falsepositives: + - Administrative findstr usage +level: medium diff --git a/rules/windows/process_creation/win_susp_findstr_lnk.yml b/rules/windows/process_creation/win_susp_findstr_lnk.yml index fd192eac2..2c9f39874 100644 --- a/rules/windows/process_creation/win_susp_findstr_lnk.yml +++ b/rules/windows/process_creation/win_susp_findstr_lnk.yml @@ -17,8 +17,8 @@ logsource: product: windows detection: selection: - Image: '*\findstr.exe' - CommandLine: '*.lnk' + Image|endswith: '\findstr.exe' + CommandLine|endswith: '.lnk' condition: selection fields: - Image diff --git a/rules/windows/process_creation/win_susp_finger_usage.yml b/rules/windows/process_creation/win_susp_finger_usage.yml new file mode 100644 index 000000000..87fd5ff30 --- /dev/null +++ b/rules/windows/process_creation/win_susp_finger_usage.yml 
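Review bot: In the win_susp_findstr.yml hunk, `/S` together with `/I` is the everyday recursive case-insensitive search, so `selection_S_I` will match routine administrator and developer usage well beyond the cited LOLBAS cases, and `'findstr'` as a bare substring also matches paths containing the word. Consider `Image|endswith: '\findstr.exe'` plus a term from the referenced technique (the stream redirection the oddvar.moe post describes) for the `/V /L` branch, and say in `falsepositives` that plain searches will trigger the `/S /I` branch. Selection names mix styles (`selectionFindstr`, `selection_V_L`); pick one.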
@@ -0,0 +1,22 @@ +title: Finger.exe Suspicious Invocation +id: af491bca-e752-4b44-9c86-df5680533dbc +description: Detects suspicious aged finger.exe tool execution often used in malware attacks nowadays +author: Florian Roth, omkar72, oscd.community +date: 2021/02/24 +references: + - https://twitter.com/bigmacjpg/status/1349727699863011328?s=12 + - https://app.any.run/tasks/40115012-a919-4208-bfed-41e82cb3dadf/ + - http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt +tags: + - attack.command_and_control + - attack.t1105 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: '\finger.exe' + condition: selection +falsepositives: + - Admin activity (unclear what they do nowadays with finger.exe) +level: high \ No newline at end of file diff --git a/rules/windows/process_creation/win_susp_ftp.yml b/rules/windows/process_creation/win_susp_ftp.yml new file mode 100644 index 000000000..7572cf22b --- /dev/null +++ b/rules/windows/process_creation/win_susp_ftp.yml 
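Review bot: The new rule has no `status` field, while the other rules added in this commit declare `status: experimental`; add it so tooling that keys on status treats this rule like its siblings. The file also ends without a trailing newline (`\ No newline at end of file`).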
@@ -0,0 +1,32 @@ +title: Suspicious ftp.exe +id: 06b401f4-107c-4ff9-947f-9ec1e7649f1e +status: experimental +description: Detects renamed ftp.exe, ftp.exe script execution and child processes ran by ftp.exe +references: + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Ftp.yml +author: Victor Sergeev, oscd.community +date: 2020/10/09 +logsource: + category: process_creation + product: windows +detection: + ftp_path: + Image|endswith: 'ftp.exe' + ftp_metadata: + OriginalFileName|contains: 'ftp.exe' + cmd_with_script_modifier: + CommandLine|contains: '-s:' + parent_path: + ParentImage|endswith: 'ftp.exe' + condition: (ftp_path and cmd_with_script_modifier) or (ftp_metadata and cmd_with_script_modifier) or (ftp_metadata and not ftp_path) or parent_path +fields: + - CommandLine + - ParentImage +tags: + - attack.execution + - attack.t1059 + - attack.defense_evasion + - attack.t1202 +falsepositives: + - Unknown +level: medium diff --git a/rules/windows/process_creation/win_susp_gup.yml b/rules/windows/process_creation/win_susp_gup.yml index 19acad192..a6d7d8e3f 100644 --- a/rules/windows/process_creation/win_susp_gup.yml +++ b/rules/windows/process_creation/win_susp_gup.yml @@ -16,13 +16,13 @@ logsource: product: windows detection: selection: - Image: '*\GUP.exe' + Image|endswith: '\GUP.exe' filter: Image|endswith: - - ':\Users\\*\AppData\Local\Notepad++\updater\GUP.exe' - - ':\Users\\*\AppData\Roaming\Notepad++\updater\GUP.exe' - - ':\Program Files\Notepad++\updater\GUP.exe' - - ':\Program Files (x86)\Notepad++\updater\GUP.exe' + - '\Users\\*\AppData\Local\Notepad++\updater\GUP.exe' + - '\Users\\*\AppData\Roaming\Notepad++\updater\GUP.exe' + - '\Program Files\Notepad++\updater\GUP.exe' + - '\Program Files (x86)\Notepad++\updater\GUP.exe' condition: selection and not filter falsepositives: - Execution of tools named GUP.exe and located in folders different than Notepad++\updater 
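Review bot: In the win_susp_ftp.yml hunk, `Image|endswith: 'ftp.exe'` and `ParentImage|endswith: 'ftp.exe'` lack the leading path separator, so `tftp.exe`, `sftp.exe` or any other `...ftp.exe` executable also satisfies them, and `OriginalFileName|contains: 'ftp.exe'` has the same weakness. Use `'\ftp.exe'` for the two image fields and an exact `OriginalFileName: 'ftp.exe'` for the metadata check.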
diff --git a/rules/windows/process_creation/win_susp_iss_module_install.yml b/rules/windows/process_creation/win_susp_iss_module_install.yml index 28305f82e..269e18518 100644 --- a/rules/windows/process_creation/win_susp_iss_module_install.yml +++ b/rules/windows/process_creation/win_susp_iss_module_install.yml @@ -6,6 +6,7 @@ references: - https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/ author: Florian Roth date: 2012/12/11 +modified: 2020/11/28 tags: - attack.persistence - attack.t1505.003 @@ -15,8 +16,11 @@ logsource: product: windows detection: selection: - CommandLine: - - '*\APPCMD.EXE install module /name:*' + Image|endswith: '\appcmd.exe' + CommandLine|contains|all: + - 'install' + - 'module' + - '/name:' condition: selection falsepositives: - Unknown as it may vary from organisation to arganisation how admins use to install IIS modules diff --git a/rules/windows/process_creation/win_susp_mounted_share_deletion.yml b/rules/windows/process_creation/win_susp_mounted_share_deletion.yml new file mode 100644 index 000000000..e609f086e --- /dev/null +++ b/rules/windows/process_creation/win_susp_mounted_share_deletion.yml 
@@ -0,0 +1,25 @@ +title: Mounted Share Deleted +id: cb7c4a03-2871-43c0-9bbb-18bbdb079896 +status: experimental +description: Detects when when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md +author: 'oscd.community, @redcanary, Zach Stanford @svch0st' +date: 2020/10/08 +tags: + - attack.defense_evasion + - attack.t1070.005 +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage|endswith: '\net.exe' + Image|endswith: '\net1.exe' + CommandLine|contains|all: + - 'share' + - '/delete' + condition: selection +falsepositives: + - Administrators or Power users may remove their shares via cmd line +level: low diff --git a/rules/windows/process_creation/win_susp_msiexec_cwd.yml b/rules/windows/process_creation/win_susp_msiexec_cwd.yml index 099b8fbd8..a22a717cd 100644 --- a/rules/windows/process_creation/win_susp_msiexec_cwd.yml +++ b/rules/windows/process_creation/win_susp_msiexec_cwd.yml @@ -15,12 +15,12 @@ logsource: product: windows detection: selection: - Image: '*\msiexec.exe' + Image|endswith: '\msiexec.exe' filter: - Image: - - 'C:\Windows\System32\\*' - - 'C:\Windows\SysWOW64\\*' - - 'C:\Windows\WinSxS\\*' + Image|startswith: + - 'C:\Windows\System32\' + - 'C:\Windows\SysWOW64\' + - 'C:\Windows\WinSxS\' condition: selection and not filter falsepositives: - Unknown diff --git a/rules/windows/process_creation/win_susp_msiexec_web_install.yml b/rules/windows/process_creation/win_susp_msiexec_web_install.yml index 1e756bd07..3fbb4ca63 100644 --- a/rules/windows/process_creation/win_susp_msiexec_web_install.yml +++ b/rules/windows/process_creation/win_susp_msiexec_web_install.yml 
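Review bot: The selection requires the `net.exe` → `net1.exe` parent chain, so a share removed by calling `net1 share ... /delete` directly, or through a renamed net.exe, is not reported. The net_execution rule rewritten in this same commit matches `Image|endswith` on either `'\net.exe'` or `'\net1.exe'` with no parent constraint; the same shape here, `Image|endswith: ['\net.exe', '\net1.exe']`, keeps the `share` + `/delete` terms as the real signal.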
@@ -1,7 +1,7 @@ title: MsiExec Web Install id: f7b5f842-a6af-4da5-9e95-e32478f3cd2f status: experimental -description: Detects suspicious msiexec process starts with web addreses as parameter +description: Detects suspicious msiexec process starts with web addresses as parameter references: - https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/ tags: @@ -11,14 +11,15 @@ tags: - attack.t1105 author: Florian Roth date: 2018/02/09 -modified: 2020/08/30 +modified: 2020/11/28 logsource: category: process_creation product: windows detection: selection: - CommandLine: - - '* msiexec*://*' + CommandLine|contains|all: + - ' msiexec' + - '://' condition: selection falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment diff --git a/rules/windows/process_creation/win_susp_net_execution.yml b/rules/windows/process_creation/win_susp_net_execution.yml index a4c3a7711..5773c4244 100644 --- a/rules/windows/process_creation/win_susp_net_execution.yml +++ b/rules/windows/process_creation/win_susp_net_execution.yml @@ -9,7 +9,7 @@ references: - https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements) date: 2019/01/16 -modified: 2020/08/30 +modified: 2020/11/28 tags: - attack.discovery - attack.t1049 @@ -29,19 +29,18 @@ logsource: product: windows detection: selection: - Image: - - '*\net.exe' - - '*\net1.exe' + Image|endswith: + - '\net.exe' + - '\net1.exe' cmdline: - CommandLine: - - '* group*' - - '* localgroup*' - - '* user*' - - '* view*' - - '* share' - - '* accounts*' - - '* use*' - - '* stop *' + CommandLine|contains: + - ' group' + - ' localgroup' + - ' user' + - ' view' + - ' share' + - ' accounts' + - ' stop ' condition: selection and cmdline fields: - ComputerName 
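Review bot: In the win_susp_msiexec_web_install.yml hunk, `' msiexec'` with a leading space keeps the old pattern's gap: an invocation through a quoted full path (`...\msiexec.exe /i http://...`) has `\` before the name and never matches. `Image|endswith: '\msiexec.exe'` plus `CommandLine|contains: '://'` covers both forms without depending on how the command was typed.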
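Review bot: In the `@@ -29,19 +29,18 @@` hunk of win_susp_net_execution.yml, the rewrite silently drops the `'* use*'` entry: the new list has seven terms and `' user'` does not cover `net use`, so mapped-drive and session enumeration no longer fires this rule. If that is intended, the description or a comment should record it; otherwise add `- ' use '` (with trailing space, so it does not duplicate `' user'`).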
diff --git a/rules/windows/process_creation/win_susp_ngrok_pua.yml b/rules/windows/process_creation/win_susp_ngrok_pua.yml new file mode 100644 index 000000000..285ccec90 --- /dev/null +++ b/rules/windows/process_creation/win_susp_ngrok_pua.yml @@ -0,0 +1,45 @@ +title: Ngrok Usage +id: ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31 +description: Detects the use of Ngrok, a utility used for port forwarding and tunneling, often used by threat actors to make local protected services publicly available. Involved domains are bin.equinox.io for download and *.ngrok.io for connections. +status: experimental +references: + - https://ngrok.com/docs + - https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html + - https://stackoverflow.com/questions/42442320/ssh-tunnel-to-ngrok-and-initiate-rdp + - https://www.virustotal.com/gui/file/58d21840d915aaf4040ceb89522396124c82f325282f805d1085527e1e2ccfa1/detection + - https://cybleinc.com/2021/02/15/ngrok-platform-abused-by-hackers-to-deliver-a-new-wave-of-phishing-attacks/. +author: Florian Roth +date: 2021/05/14 +modified: 2021/06/07 +tags: + - attack.command_and_control + - attack.t1572 +logsource: + category: process_creation + product: windows +detection: + selection1: + CommandLine|contains: + - ' tcp 139' + - ' tcp 445' + - ' tcp 3389' + - ' tcp 5985' + - ' tcp 5986' + selection2: + CommandLine|contains|all: + - ' start ' + - '--all' + - '--config' + - '.yml' + selection3: + Image|endswith: + - 'ngrok.exe' + CommandLine|contains: + - ' tcp ' + - ' http ' + - ' authtoken ' + condition: 1 of them +falsepositives: + - Another tool that uses the command line switches of Ngrok + - ngrok http 3978 (https://docs.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0) +level: high diff --git a/rules/windows/process_creation/win_susp_ntdsutil.yml b/rules/windows/process_creation/win_susp_ntdsutil.yml index 979a09213..45e867f75 100644 
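Review bot: `selection1` is not bound to ngrok at all, so under `condition: 1 of them` any process whose command line contains ` tcp 445` or ` tcp 3389` is reported at level high, and `Image|endswith: 'ngrok.exe'` in selection3 lacks the leading `\`, so any `...ngrok.exe` name qualifies. Give selection1 the same image anchor as selection3 (`Image|endswith: '\ngrok.exe'`) or combine it with selection3's terms instead of letting it stand alone. The last reference URL ends in `/.`, which breaks the link.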
--- a/rules/windows/process_creation/win_susp_ntdsutil.yml +++ b/rules/windows/process_creation/win_susp_ntdsutil.yml @@ -6,17 +6,18 @@ references: - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm author: Thomas Patzke date: 2019/01/16 +modified: 2020/11/28 tags: - attack.credential_access - attack.t1003.003 - - attack.t1003 # an old one + - attack.t1003 # an old one logsource: category: process_creation product: windows detection: selection: - CommandLine: '*\ntdsutil*' + Image|endswith: '\ntdsutil.exe' condition: selection falsepositives: - NTDS maintenance -level: high +level: medium diff --git a/rules/windows/process_creation/win_susp_outlook.yml b/rules/windows/process_creation/win_susp_outlook.yml index c45220166..4401ff162 100644 --- a/rules/windows/process_creation/win_susp_outlook.yml +++ b/rules/windows/process_creation/win_susp_outlook.yml @@ -11,15 +11,19 @@ tags: - attack.t1202 author: Markus Neis date: 2018/12/27 +modified: 2020/11/28 logsource: category: process_creation product: windows detection: clientMailRules: - CommandLine: '*EnableUnsafeClientMailRules*' + CommandLine|contains: 'EnableUnsafeClientMailRules' outlookExec: - ParentImage: '*\outlook.exe' - CommandLine: \\\\*\\*.exe + ParentImage|endswith: '\outlook.exe' + CommandLine|contains|all: + - '\\\\' + - '\\' + - '.exe' condition: clientMailRules or outlookExec falsepositives: - unknown diff --git a/rules/windows/process_creation/win_susp_outlook_temp.yml b/rules/windows/process_creation/win_susp_outlook_temp.yml index 25e0f2d62..2059eb01a 100644 --- a/rules/windows/process_creation/win_susp_outlook_temp.yml +++ b/rules/windows/process_creation/win_susp_outlook_temp.yml @@ -4,6 +4,7 @@ status: experimental description: Detects a suspicious program execution in Outlook temp folder author: Florian Roth date: 2019/10/01 +modified: 2021/06/27 tags: - attack.initial_access - attack.t1566.001 
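Review bot: In the win_susp_ntdsutil.yml hunk, switching to `Image|endswith: '\ntdsutil.exe'` makes every start of the tool an alert, including the routine maintenance listed under falsepositives, which is presumably why the level was lowered to medium. The JPCERT sheet already cited describes the argument sequence used for a full database export; matching those command-line terms in a second selection would let a separate rule keep `level: high` for that case while this one stays at medium for bare executions.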
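Review bot: In the win_susp_outlook.yml hunk, the `contains|all` list has `'\\'` alongside `'\\\\'`; after Sigma unescaping these are one and two literal backslashes, and any string with two contains one, so the second entry is redundant. More important, the old `\\\\*\\*.exe` value expressed a UNC path ending in `.exe`, whereas the unordered set matches any Outlook child whose command line has a UNC prefix somewhere and `.exe` somewhere else; `CommandLine|contains: '\\\\*\\*.exe'` keeps the structure, since wildcards are honoured inside modifier values.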
@@ -13,7 +14,7 @@ logsource: product: windows detection: selection: - Image: '*\Temporary Internet Files\Content.Outlook\\*' + Image|contains: '\Temporary Internet Files\Content.Outlook\' condition: selection fields: - CommandLine diff --git a/rules/windows/process_creation/win_susp_pcwutl.yml b/rules/windows/process_creation/win_susp_pcwutl.yml new file mode 100644 index 000000000..a3f3ddd23 --- /dev/null +++ b/rules/windows/process_creation/win_susp_pcwutl.yml @@ -0,0 +1,27 @@ +title: Code Execution via Pcwutl.dll +id: 9386d78a-7207-4048-9c9f-a93a7c2d1c05 +description: Detects launch of executable by calling the LaunchApplication function from pcwutl.dll library. +status: experimental +references: + - https://github.com/api0cradle/LOLBAS/blob/master/OSLibraries/Pcwutl.md + - https://twitter.com/harr0ey/status/989617817849876488 +author: Julia Fomina, oscd.community +date: 2020/10/05 +tags: + - attack.defense_evasion + - attack.t1218.011 + - attack.execution # an old one + - attack.t1218 # an old one +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: '\rundll32.exe' + CommandLine|contains|all: + - 'pcwutl' + - 'LaunchApplication' + condition: selection +level: medium +falsepositives: + - Use of Program Compatibility Troubleshooter Helper diff --git a/rules/windows/process_creation/win_susp_pester.yml b/rules/windows/process_creation/win_susp_pester.yml new file mode 100644 index 000000000..a549111f6 --- /dev/null +++ b/rules/windows/process_creation/win_susp_pester.yml 
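Review bot: In the win_susp_pcwutl.yml hunk, the rule keys on `Image|endswith: '\rundll32.exe'`, so a renamed copy of rundll32 loading `pcwutl` is missed; the win_susp_csi.yml rule added in this same commit shows the pattern for that case (an `OriginalFileName` alternative alongside the image check). The `attack.execution # an old one` comment looks misplaced, since execution is a current tactic; the `# an old one` remark seems to belong only to `attack.t1218`.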
@@ -0,0 +1,35 @@
+title: Execute Code with Pester.bat
+id: 59e938ff-0d6d-4dc3-b13f-36cc28734d4e
+description: Detects code execution via Pester.bat (Pester - Powershell Modulte for testing)
+status: experimental
+references:
+ - https://twitter.com/Oddvarmoe/status/993383596244258816
+author: Julia Fomina, oscd.community
+date: 2020/10/08
+tags:
+ - attack.execution
+ - attack.t1059.001
+ - attack.defense_evasion
+ - attack.t1216
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ powershell_module:
+ Image|endswith: '\powershell.exe'
+ CommandLine|contains|all:
+ - 'Pester'
+ - 'Get-Help'
+ cmd_execution:
+ Image|endswith: '\cmd.exe'
+ CommandLine|contains|all:
+ - 'pester'
+ - ';'
+ get_help:
+ CommandLine|contains:
+ - 'help'
+ - '?'
+ condition: powershell_module or (cmd_execution and get_help)
+level: medium
+falsepositives:
+ - Legitimate use of Pester for writing tests for Powershell scripts and modules
diff --git a/rules/windows/process_creation/win_susp_ping_hex_ip.yml b/rules/windows/process_creation/win_susp_ping_hex_ip.yml
index 451cabd72..9d9cf2862 100644
--- a/rules/windows/process_creation/win_susp_ping_hex_ip.yml
+++ b/rules/windows/process_creation/win_susp_ping_hex_ip.yml
@@ -2,11 +2,11 @@ title: Ping Hex IP
 id: 1a0d4aba-7668-4365-9ce4-6d79ab088dfd
 description: Detects a ping command that uses a hex encoded IP address
 references:
- - https://github.com/vysec/Aggressor-VYSEC/blob/master/ping.cna
+ - https://github.com/vysec/Aggressor-VYSEC/blob/master/ping.can
 - https://twitter.com/vysecurity/status/977198418354491392
 author: Florian Roth
 date: 2018/03/23
-modified: 2020/10/16
+modified: 2020/11/28
 tags:
 - attack.defense_evasion
 - attack.t1140
@@ -16,11 +16,8 @@ logsource:
 product: windows
 detection:
 selection:
- CommandLine|contains:
- - '\ping.exe 0x'
- - '\ping 0x'
- Image|contains:
- - 'ping.exe'
+ Image|endswith: '\ping.exe'
+ CommandLine|contains: '0x'
 condition: selection
 fields:
 - ParentCommandLine
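Review bot: `get_help` matches any `cmd.exe` command line that contains `'?'`, which includes every URL with a query string, so the `cmd_execution and get_help` branch is bounded only by `pester` plus `;`. If the help switch is what is meant, narrow the token to the switch form (for example `' /?'` or `' -?'`, constructed examples) rather than a bare question mark. The description also carries the typo `Modulte` → `Module`, and it is the text analysts will see in the alert.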
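Review bot: The reference edit from `ping.cna` to `ping.can` looks like an accidental transposition: Cobalt Strike Aggressor scripts use the `.cna` extension and the rest of the URL is unchanged, so the new link will most likely not resolve. Revert to `- https://github.com/vysec/Aggressor-VYSEC/blob/master/ping.cna`.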
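Review bot: `CommandLine|contains: '0x'` matches the token anywhere in the line, whereas the removed `'\ping 0x'`/`'\ping.exe 0x'` patterns anchored it directly after the command; a ping of a hostname or an option value that happens to contain `0x` now matches. `CommandLine|contains: ' 0x'` keeps most of the earlier precision without adding a selection.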
diff --git a/rules/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml b/rules/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml
index de818f0f2..f54f9fc6d 100644
--- a/rules/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml
+++ b/rules/windows/process_creation/win_susp_powershell_empire_uac_bypass.yml
@@ -12,9 +12,9 @@ logsource:
 product: windows
 detection:
 selection:
- CommandLine:
- - '* -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update)*'
- - '* -NoP -NonI -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update);*'
+ CommandLine|contains:
+ - ' -NoP -NonI -w Hidden -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update)'
+ - ' -NoP -NonI -c $x=$((gp HKCU:Software\\Microsoft\\Windows Update).Update);'
 condition: selection
 fields:
 - CommandLine
diff --git a/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml
index a384047e8..760907af5 100644
--- a/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml
+++ b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml
@@ -4,9 +4,9 @@ description: Detects suspicious powershell process starts with base64 encoded co
 status: experimental
 references:
 - https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e
-author: Florian Roth, Markus Neis
+author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community
 date: 2018/09/03
-modified: 2020/10/20
+modified: 2021/03/02
 tags:
 - attack.execution
 - attack.t1059.001
@@ -16,32 +16,30 @@ logsource:
 product: windows
 detection:
 selection:
- CommandLine:
- - '* -e JAB*'
- - '* -e JAB*'
- - '* -e JAB*'
- - '* -e JAB*'
- - '* -e JAB*'
- - '* -e JAB*'
- - '* -en JAB*'
- - '* -enc JAB*'
- - '* -enc* JAB*'
- - '* -w hidden -e* JAB*'
- - '* BA^J e-'
- - '* -e SUVYI*'
- - '* -e aWV4I*'
- - '* -e SQBFAFgA*'
- - '* -e aQBlAHgA*'
- - '* -enc SUVYI*'
- - '* -enc aWV4I*'
- - '* -enc SQBFAFgA*'
- - '* -enc aQBlAHgA*'
- - '* -e* IAA*'
- - '* -e* IAB*'
- - '* -e* UwB*'
- - '* -e* cwB*'
- - '*.exe -ENCOD *'
+ CommandLine|contains: ' -e' # covers -en and -enc
+ selection2:
+ CommandLine|contains: ' JAB'
+ selection3:
+ CommandLine|contains|all:
+ - ' -w'
+ - ' hidden '
+ selection4:
+ CommandLine|contains:
+ - ' BA^J'
+ - ' SUVYI'
+ - ' SQBFAFgA'
+ - ' aQBlAHgA'
+ - ' aWV4I'
+ - ' IAA'
+ - ' IAB'
+ - ' UwB'
+ - ' cwB'
+ selection5:
+ CommandLine|contains:
+ - '.exe -ENCOD '
 falsepositive1:
- CommandLine: '* -ExecutionPolicy remotesigned *'
- condition: selection and not falsepositive1
+ CommandLine|contains|all:
+ - ' -ExecutionPolicy'
+ - 'remotesigned '
+ condition: ((selection and selection2) or (selection and selection2 and selection3) or (selection and selection4) or selection5) and not falsepositive1
 level: high
diff --git a/rules/windows/process_creation/win_susp_powershell_getprocess_lsass.yml b/rules/windows/process_creation/win_susp_powershell_getprocess_lsass.yml
new file mode 100644
index 000000000..bffd87a36
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_powershell_getprocess_lsass.yml
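Review bot: In the new `condition`, the term `(selection and selection2 and selection3)` is subsumed by `(selection and selection2)`, so `selection3` (` -w` plus ` hidden `) never influences the result; either drop it from the condition or use it to drive a separate, higher-confidence rule. `selection` itself is only `' -e'`, which also matches ` -ExecutionPolicy`, ` -ErrorAction` and any other argument starting with `e`, so the discriminating tokens are really ` JAB` and the `selection4` fragments. A comment on the `selection` line such as `# ' -e' only anchors the flag position; the base64 fragments carry the signal` would save the next maintainer from re-deriving that.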
@@ -0,0 +1,22 @@
+title: PowerShell Get-Process LSASS
+id: b2815d0d-7481-4bf0-9b6c-a4c48a94b349
+description: Detects a Get-Process command on lsass process, which is in almost all cases a sign of malicious activity
+status: experimental
+references:
+ - https://twitter.com/PythonResponder/status/1385064506049630211
+author: Florian Roth
+date: 2021/04/23
+tags:
+ - attack.credential_access
+ - attack.t1552.004
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains:
+ - 'Get-Process lsass'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml b/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml
index d004c1e13..68771de9d 100644
--- a/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml
+++ b/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml
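Review bot: The tag `attack.t1552.004` (private keys) does not match a `Get-Process lsass` check; the other lsass-related rules in this commit tag `attack.t1003.001` (LSASS memory), and inconsistent tags distort the ATT&CK coverage exports built from this repository. `CommandLine|contains: 'Get-Process lsass'` also misses `Get-Process -Name lsass` and the `gps`/`ps` aliases; if that narrowness is deliberate, stating it in `description` is better than leaving `falsepositives: Unknown` as the only guidance.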
@@ -15,58 +15,58 @@ logsource: product: windows detection: encoded: - Image: '*\powershell.exe' - CommandLine: '* hidden *' + Image|endswith: '\powershell.exe' + CommandLine|contains: ' hidden ' selection: - CommandLine: - - '*AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA*' - - '*aXRzYWRtaW4gL3RyYW5zZmVy*' - - '*IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA*' - - '*JpdHNhZG1pbiAvdHJhbnNmZX*' - - '*YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg*' - - '*Yml0c2FkbWluIC90cmFuc2Zlc*' - - '*AGMAaAB1AG4AawBfAHMAaQB6AGUA*' - - '*JABjAGgAdQBuAGsAXwBzAGkAegBlA*' - - '*JGNodW5rX3Npem*' - - '*QAYwBoAHUAbgBrAF8AcwBpAHoAZQ*' - - '*RjaHVua19zaXpl*' - - '*Y2h1bmtfc2l6Z*' - - '*AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A*' - - '*kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg*' - - '*lPLkNvbXByZXNzaW9u*' - - '*SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA*' - - '*SU8uQ29tcHJlc3Npb2*' - - '*Ty5Db21wcmVzc2lvb*' - - '*AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ*' - - '*kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA*' - - '*lPLk1lbW9yeVN0cmVhb*' - - '*SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A*' - - '*SU8uTWVtb3J5U3RyZWFt*' - - '*Ty5NZW1vcnlTdHJlYW*' - - '*4ARwBlAHQAQwBoAHUAbgBrA*' - - '*5HZXRDaHVua*' - - '*AEcAZQB0AEMAaAB1AG4Aaw*' - - '*LgBHAGUAdABDAGgAdQBuAGsA*' - - '*LkdldENodW5r*' - - '*R2V0Q2h1bm*' - - '*AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A*' - - '*QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA*' - - '*RIUkVBRF9JTkZPNj*' - - '*SFJFQURfSU5GTzY0*' - - '*VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA*' - - '*VEhSRUFEX0lORk82N*' - - '*AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA*' - - '*cmVhdGVSZW1vdGVUaHJlYW*' - - '*MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA*' - - '*NyZWF0ZVJlbW90ZVRocmVhZ*' - - '*Q3JlYXRlUmVtb3RlVGhyZWFk*' - - '*QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA*' - - '*0AZQBtAG0AbwB2AGUA*' - - '*1lbW1vdm*' - - '*AGUAbQBtAG8AdgBlA*' - - '*bQBlAG0AbQBvAHYAZQ*' - - '*bWVtbW92Z*' - - '*ZW1tb3Zl*' + CommandLine|contains: + - 'AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA' + - 'aXRzYWRtaW4gL3RyYW5zZmVy' + - 
'IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA' + - 'JpdHNhZG1pbiAvdHJhbnNmZX' + - 'YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg' + - 'Yml0c2FkbWluIC90cmFuc2Zlc' + - 'AGMAaAB1AG4AawBfAHMAaQB6AGUA' + - 'JABjAGgAdQBuAGsAXwBzAGkAegBlA' + - 'JGNodW5rX3Npem' + - 'QAYwBoAHUAbgBrAF8AcwBpAHoAZQ' + - 'RjaHVua19zaXpl' + - 'Y2h1bmtfc2l6Z' + - 'AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A' + - 'kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg' + - 'lPLkNvbXByZXNzaW9u' + - 'SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA' + - 'SU8uQ29tcHJlc3Npb2' + - 'Ty5Db21wcmVzc2lvb' + - 'AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ' + - 'kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA' + - 'lPLk1lbW9yeVN0cmVhb' + - 'SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A' + - 'SU8uTWVtb3J5U3RyZWFt' + - 'Ty5NZW1vcnlTdHJlYW' + - '4ARwBlAHQAQwBoAHUAbgBrA' + - '5HZXRDaHVua' + - 'AEcAZQB0AEMAaAB1AG4Aaw' + - 'LgBHAGUAdABDAGgAdQBuAGsA' + - 'LkdldENodW5r' + - 'R2V0Q2h1bm' + - 'AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A' + - 'QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA' + - 'RIUkVBRF9JTkZPNj' + - 'SFJFQURfSU5GTzY0' + - 'VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA' + - 'VEhSRUFEX0lORk82N' + - 'AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA' + - 'cmVhdGVSZW1vdGVUaHJlYW' + - 'MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA' + - 'NyZWF0ZVJlbW90ZVRocmVhZ' + - 'Q3JlYXRlUmVtb3RlVGhyZWFk' + - 'QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA' + - '0AZQBtAG0AbwB2AGUA' + - '1lbW1vdm' + - 'AGUAbQBtAG8AdgBlA' + - 'bQBlAG0AbQBvAHYAZQ' + - 'bWVtbW92Z' + - 'ZW1tb3Zl' condition: encoded and selection falsepositives: - Penetration tests diff --git a/rules/windows/process_creation/win_susp_powershell_parent_combo.yml b/rules/windows/process_creation/win_susp_powershell_parent_combo.yml index 7ddebda00..d135cc636 100644 --- a/rules/windows/process_creation/win_susp_powershell_parent_combo.yml +++ b/rules/windows/process_creation/win_susp_powershell_parent_combo.yml 
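Review bot: `encoded` requires `Image|endswith: '\powershell.exe'`, so PowerShell Core (`pwsh.exe`) is not covered even though the base64 fragments in `selection` apply to it equally; a two-item list `- '\powershell.exe'` / `- '\pwsh.exe'` closes that gap. The fragment scheme is not obvious from the values — each keyword appears to be listed in its three base64 alignments for both ASCII and UTF-16LE — and a one-line comment above the list naming that scheme would explain why it is this long and how to extend it. The hunk ends the file section, so the `fields`/`level` keys are outside this view.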
@@ -4,6 +4,7 @@ status: experimental
 description: Detects suspicious powershell invocations from interpreters or unusual programs
 author: Florian Roth
 date: 2019/01/16
+modified: 2020/11/28
 references:
 - https://www.carbonblack.com/2017/03/15/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/
 tags:
@@ -15,13 +16,12 @@ logsource:
 product: windows
 detection:
 selection:
- ParentImage:
- - '*\wscript.exe'
- - '*\cscript.exe'
- Image:
- - '*\powershell.exe'
+ ParentImage|endswith:
+ - '\wscript.exe'
+ - '\cscript.exe'
+ Image|endswith: '\powershell.exe'
 falsepositive:
- CurrentDirectory: '*\Health Service State\\*'
+ CurrentDirectory|contains: '\Health Service State\'
 condition: selection and not falsepositive
 fields:
 - CommandLine
diff --git a/rules/windows/process_creation/win_susp_print.yml b/rules/windows/process_creation/win_susp_print.yml
new file mode 100644
index 000000000..bc3ddc59e
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_print.yml
@@ -0,0 +1,34 @@
+title: Abusing Print Executable
+id: bafac3d6-7de9-4dd9-8874-4a1194b493ed
+description: Attackers can use print.exe for remote file copy
+author: 'Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative'
+status: experimental
+date: 2020/10/05
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Print.yml
+ - https://twitter.com/Oddvarmoe/status/985518877076541440
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ Image|endswith:
+ - \print.exe
+ CommandLine|startswith:
+ - print
+ selection2:
+ CommandLine|contains:
+ - /D
+ exeCondition:
+ CommandLine|contains:
+ - .exe
+ cmdExclude:
+ CommandLine|contains:
+ - print.exe
+ condition: selection1 and selection2 and exeCondition and not cmdExclude
+falsepositives:
+ - Unknown
+level: medium
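Review bot: `cmdExclude` drops any command line containing `print.exe`, which also excludes the plain `print.exe /D:... x.exe` form of the same abuse with the extension spelled out, and nothing in the rule says why that marker is treated as benign. If the intent is to exclude a specific target file, anchor it (for example `'/D:print.exe'`, a constructed example); otherwise a comment on the `cmdExclude` line explaining the exclusion is needed. The unquoted `\print.exe`, `print`, `/D` and `.exe` values also depart from the single-quoted style every other rule in this commit uses, and a bare `\` at the start of a plain scalar is easy to mis-edit later.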
diff --git a/rules/windows/process_creation/win_susp_procdump.yml b/rules/windows/process_creation/win_susp_procdump.yml
index 9a90a1c77..4a700b6a2 100644
--- a/rules/windows/process_creation/win_susp_procdump.yml
+++ b/rules/windows/process_creation/win_susp_procdump.yml
@@ -1,34 +1,24 @@
 title: Suspicious Use of Procdump
-id: 5afee48e-67dd-4e03-a783-f74259dcf998
-description: Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable.
+id: 03795938-1387-481b-9f4c-3f6241e604fe
+description: Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter ' -ma '. This way we're also able to catch cases in which the attacker has renamed the procdump executable.
 status: experimental
 references:
 - Internal Research
 author: Florian Roth
-date: 2018/10/30
-modified: 2019/10/14
+date: 2021/02/02
 tags:
 - attack.defense_evasion
 - attack.t1036
- - attack.credential_access
 - attack.t1003.001
- - attack.t1003 # an old one
- - car.2013-05-009
 logsource:
 category: process_creation
 product: windows
 detection:
- selection1:
- CommandLine:
- - '* -ma *'
- selection2:
- CommandLine:
- - '* lsass*'
- selection3:
- CommandLine:
- - '* -ma ls*'
- condition: ( selection1 and selection2 ) or selection3
+ selection:
+ CommandLine|contains:
+ - ' -ma '
+ condition: selection
 falsepositives:
- - Unlikely, because no one should dump an lsass process memory
 - Another tool that uses the command line switches of Procdump
-level: high
+ - Legitimate use of procdump by a developer or administrator
+level: medium
diff --git a/rules/windows/process_creation/win_susp_procdump_lsass.yml b/rules/windows/process_creation/win_susp_procdump_lsass.yml
new file mode 100644
index 000000000..299ed2930
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_procdump_lsass.yml
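Review bot: The rewrite keeps the file name but assigns a new `id` and hands the old id `5afee48e-67dd-4e03-a783-f74259dcf998` to the new `win_susp_procdump_lsass.yml`, so any downstream content keyed on that id silently changes meaning from "procdump -ma" to "procdump on lsass". Sigma's `related:` block exists for exactly this; add `related: - id: 5afee48e-67dd-4e03-a783-f74259dcf998 type: derived` (or `type: similar`) here so the lineage is explicit. The tag edit also removes `attack.credential_access` while keeping `attack.t1003.001`, leaving a sub-technique without its tactic; either drop both or keep both.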
@@ -0,0 +1,33 @@
+title: Suspicious Use of Procdump on LSASS
+id: 5afee48e-67dd-4e03-a783-f74259dcf998
+description: Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable.
+status: experimental
+references:
+ - Internal Research
+author: Florian Roth
+date: 2018/10/30
+modified: 2021/02/02
+tags:
+ - attack.defense_evasion
+ - attack.t1036
+ - attack.credential_access
+ - attack.t1003.001
+ - attack.t1003 # an old one
+ - car.2013-05-009
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ CommandLine|contains: ' -ma '
+ selection2:
+ CommandLine|contains: ' lsass'
+ selection3:
+ CommandLine|contains|all:
+ - ' -ma '
+ - ' ls'
+ condition: ( selection1 and selection2 ) or selection3
+falsepositives:
+ - Unlikely, because no one should dump an lsass process memory
+ - Another tool that uses the command line switches of Procdump
+level: critical
diff --git a/rules/windows/process_creation/win_susp_procs_req_dlls.yml b/rules/windows/process_creation/win_susp_procs_req_dlls.yml
new file mode 100644
index 000000000..d52158f85
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_procs_req_dlls.yml
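Review bot: `selection3` (`' -ma '` and `' ls'`) subsumes `selection1 and selection2`, because every command line containing `' lsass'` also contains `' ls'`; the condition is therefore equivalent to `selection3` alone, and any `-ma` dump whose target or output path has a token starting with ` ls` fires at level critical. If catching abbreviated or renamed references to lsass is the goal, say so in `description`; otherwise `' lsass'` in `selection3` (or dropping `selection3`) restores the meaning the two-selection form suggests. The `modified` date is set but the rule is new in this commit, which is confusing without a `related:` entry pointing at the old `win_susp_procdump.yml` id.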
@@ -0,0 +1,33 @@
+title: Suspicious Process Start Without DLL
+id: f5647edc-a7bf-4737-ab50-ef8c60dc3add
+description: Detects suspicious start of program that usually requires a DLL as parameter, which can be a sign of process injection or hollowing activity
+status: experimental
+references:
+ - https://twitter.com/CyberRaiju/status/1251492025678983169
+ - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/regsvr32
+ - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/rundll32
+ - https://docs.microsoft.com/en-us/dotnet/framework/tools/regasm-exe-assembly-registration-tool
+ - https://docs.microsoft.com/en-us/dotnet/framework/tools/regsvcs-exe-net-services-installation-tool#feedback
+author: Florian Roth
+date: 2021/05/27
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|endswith:
+ - '\rundll32.exe'
+ - '\regsvcs.exe'
+ - '\regasm.exe'
+ - '\regsvr32.exe'
+ filter1:
+ ParentImage|contains:
+ - '\AppData\Local\'
+ - '\Microsoft\Edge\'
+ condition: selection and not filter1
+fields:
+ - ParentImage
+ - ParentCommandLine
+falsepositives:
+ - Possible but rare
+level: high
diff --git a/rules/windows/process_creation/win_susp_prog_location_process_starts.yml b/rules/windows/process_creation/win_susp_prog_location_process_starts.yml
deleted file mode 100644
index fef504ffc..000000000
--- a/rules/windows/process_creation/win_susp_prog_location_process_starts.yml
+++ /dev/null
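Review bot: `filter1` excludes every parent under `\AppData\Local\`, which is the user-writable location a dropper most often runs from, so the filter removes a large part of the injection/hollowing case the description targets; the `\Microsoft\Edge\` entry suggests updater noise was the motivation, and narrowing the first entry to the vendor subfolders actually observed would be safer than the whole profile tree. `CommandLine|endswith: '\rundll32.exe'` also misses quoted invocations whose line ends in `.exe"`. The rule has no `tags:` block, unlike the other new rules in this commit, so it will not appear in ATT&CK coverage views.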
@@ -1,28 +0,0 @@
-title: Suspicious Program Location Process Starts
-id: f50bfd8b-e2a3-4c15-9373-7900b5a4c6d5
-status: experimental
-description: Detects programs running in suspicious files system locations
-references:
- - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo
-tags:
- - attack.defense_evasion
- - attack.t1036
-author: Florian Roth
-date: 2019/01/15
-logsource:
- category: process_creation
- product: windows
-detection:
- selection:
- Image:
- - '*\$Recycle.bin'
- - '*\Users\Public\\*'
- - 'C:\Perflogs\\*'
- - '*\Windows\Fonts\\*'
- - '*\Windows\IME\\*'
- - '*\Windows\addins\\*'
- - '*\Windows\debug\\*'
- condition: selection
-falsepositives:
- - unknown
-level: high
diff --git a/rules/windows/process_creation/win_susp_ps_appdata.yml b/rules/windows/process_creation/win_susp_ps_appdata.yml
index b110943c1..bf9c48a62 100644
--- a/rules/windows/process_creation/win_susp_ps_appdata.yml
+++ b/rules/windows/process_creation/win_susp_ps_appdata.yml
@@ -8,17 +8,22 @@ references:
 tags:
 - attack.execution
 - attack.t1059.001
- - attack.t1086 # an old one
-author: Florian Roth
+ - attack.t1086 # an old one
+author: Florian Roth, Jonhnathan Ribeiro, oscd.community
 date: 2019/01/09
+modified: 2020/11/28
 logsource:
 category: process_creation
 product: windows
 detection:
 selection:
- CommandLine:
- - '* /c powershell*\AppData\Local\\*'
- - '* /c powershell*\AppData\Roaming\\*'
+ CommandLine|contains|all:
+ - '/c'
+ - 'powershell'
+ - '\AppData\'
+ CommandLine|contains:
+ - 'Local\'
+ - 'Roaming\'
 condition: selection
 falsepositives:
 - Administrative scripts
diff --git a/rules/windows/process_creation/win_susp_psexex_paexec_flags.yml b/rules/windows/process_creation/win_susp_psexex_paexec_flags.yml
new file mode 100644
index 000000000..404f2d7a3
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_psexex_paexec_flags.yml
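Review bot: Splitting the path into `'\AppData\'` plus a separate `'Local\'`/`'Roaming\'` match loses the adjacency the removed wildcards expressed, and `'/c'` is a two-character token that matches far more than the `cmd /c` switch (any URL or path segment ending in `/c`). Keeping the second selection as `- '\AppData\Local\'` / `- '\AppData\Roaming\'` and dropping `'\AppData\'` from the first restores the original precision, and `' /c '` with surrounding spaces does the same for the switch.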
@@ -0,0 +1,34 @@
+title: PsExec/PAExec Flags
+id: 207b0396-3689-42d9-8399-4222658efc99
+status: experimental
+description: Detects suspicious flags used by PsExec and PAExec but no usual program name in command line
+references:
+ - https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
+ - https://www.poweradmin.com/paexec/
+ - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
+author: Florian Roth
+date: 2021/05/22
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_flags_1: # Escalation to LOCAL_SYSTEM
+ CommandLine|contains|all:
+ - '\\127.0.0.1'
+ - ' -s '
+ - 'cmd.exe'
+ selection_flags_2:
+ CommandLine|contains|all: # Accepting EULA in commandline - often used in automated attacks
+ - ' /accepteula '
+ - 'cmd /c '
+ - ' -u '
+ - ' -p '
+ filter:
+ CommandLine|contains:
+ - 'paexec'
+ - 'PsExec'
+ condition: ( selection_flags_1 or selection_flags_2 ) and not filter
+falsepositives:
+ - Weird admins that rename their tools
+ - Software companies that bundle PsExec/PAExec with their software and rename it, so that it is less embarrassing
+level: high
diff --git a/rules/windows/process_creation/win_susp_rar_flags.yml b/rules/windows/process_creation/win_susp_rar_flags.yml
index 67e7d2e28..16413091f 100644
--- a/rules/windows/process_creation/win_susp_rar_flags.yml
+++ b/rules/windows/process_creation/win_susp_rar_flags.yml
@@ -11,8 +11,7 @@ tags:
 - attack.collection
 - attack.t1560.001
 - attack.exfiltration # an old one
- - attack.t1002 # an old one
-
+ - attack.t1002 # an old one
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_susp_rclone_exec.yml b/rules/windows/process_creation/win_susp_rclone_exec.yml
new file mode 100644
index 000000000..b6e35d7a2
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_rclone_exec.yml
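Review bot: `filter` lists `'paexec'` in lower case but `'PsExec'` in mixed case; on a backend with case-sensitive string matching, `psexec`/`PSEXEC` in the command line would pass the filter and alert as a renamed tool while `PAExec` would be suppressed, so the two entries behave differently for no stated reason. Pick one convention (most rules in this commit use lower case) or note in `description` that a case-insensitive backend is assumed. `' /accepteula '` with a trailing space also fails when the switch is the last argument on the line; `' /accepteula'` is sufficient with the other three tokens present.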
@@ -0,0 +1,37 @@
+title: Rclone Execution via Command Line or PowerShell
+id: cb7286ba-f207-44ab-b9e6-760d82b84253
+description: Detects Rclone which is commonly used by ransomware groups for exfiltration
+status: experimental
+date: 2021/05/26
+author: Aaron Greetham (@beardofbinary) - NCC Group
+references:
+ - https://research.nccgroup.com/2021/05/27/detecting-rclone-an-effective-tool-for-exfiltration/
+tags:
+ - attack.exfiltration
+ - attack.t1567.002
+falsepositives:
+ - Legitimate Rclone usage (rare)
+level: high
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ exec_selection:
+ Image|endswith: '\rclone.exe'
+ ParentImage|endswith:
+ - '\PowerShell.exe'
+ - '\cmd.exe'
+ command_selection:
+ CommandLine|contains:
+ - ' pass '
+ - ' user '
+ - ' copy '
+ - ' mega '
+ - ' sync '
+ - ' config '
+ - ' lsd '
+ - ' remote '
+ - ' ls '
+ description_selection:
+ Description: 'Rsync for cloud storage'
+ condition: command_selection and ( description_selection or exec_selection )
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_susp_regedit_trustedinstaller.yml b/rules/windows/process_creation/win_susp_regedit_trustedinstaller.yml
new file mode 100644
index 000000000..f6dc13602
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_regedit_trustedinstaller.yml
@@ -0,0 +1,20 @@
+title: Regedit as Trusted Installer
+id: 883835a7-df45-43e4-bf1d-4268768afda4
+description: Detects a regedit started with TrustedInstaller privileges or by ProcessHacker.exe
+references:
+ - https://twitter.com/1kwpeter/status/1397816101455765504
+author: Florian Roth
+date: 2021/05/27
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\regedit.exe'
+ ParentImage|endswith:
+ - '\TrustedInstaller.exe'
+ - '\ProcessHacker.exe'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
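Review bot: `exec_selection` only fires for an rclone image whose parent is `cmd.exe`/`PowerShell.exe`, so an rclone started by a scheduled task or another dropper is caught solely through `description_selection`, which depends on a log source that supplies the PE `Description` field; that dependency should be stated, e.g. a `definition:` under `logsource` as `win_susp_register_cimprovider.yml` does in this commit. The file is also committed without a trailing newline (`\ No newline at end of file`), unlike the other new rules, and the `falsepositives`/`level` keys sit above `logsource` rather than at the end as elsewhere in this directory.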
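Review bot: `win_susp_regedit_trustedinstaller.yml` has neither a `status:` nor a `tags:` block, which every other new rule in this commit (pcwutl, pester, rpcping, rclone) carries; without tags the rule is invisible to ATT&CK coverage tooling and without status it is unclear whether level high is field-tested. Add `status: experimental` and a `tags:` block with the tactic and technique the author intends. A short comment on why `\ProcessHacker.exe` as parent is treated as equivalent to `\TrustedInstaller.exe` would also help analysts reading the alert.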
diff --git a/rules/windows/process_creation/win_susp_register_cimprovider.yml b/rules/windows/process_creation/win_susp_register_cimprovider.yml
new file mode 100644
index 000000000..5244e22ff
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_register_cimprovider.yml
@@ -0,0 +1,28 @@
+title: DLL Execution Via Register-cimprovider.exe
+id: a2910908-e86f-4687-aeba-76a5f996e652
+status: experimental
+description: Detects using register-cimprovider.exe to execute arbitrary dll file.
+references:
+ - https://twitter.com/PhilipTsukerman/status/992021361106268161
+ - https://github.com/api0cradle/LOLBAS/blob/master/OSBinaries/Register-cimprovider.md
+tags:
+ - attack.defense_evasion
+ - attack.t1574
+author: Ivan Dyachkov, Yulia Fomina, oscd.community
+date: 2020/10/07
+logsource:
+ category: process_creation
+ product: windows
+ definition: 'Requirements: Sysmon ProcessCreation logging must be activated and Windows audit msut Include command line in process creation events'
+detection:
+ selection:
+ Image|endswith: '\register-cimprovider.exe'
+ CommandLine|contains|all:
+ - '-path'
+ - 'dll'
+ condition: selection
+fields:
+ - CommandLine
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml b/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml
index b4e4cc09b..8f8353422 100644
--- a/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml
+++ b/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml
@@ -2,9 +2,9 @@ title: Regsvr32 Anomaly
 id: 8e2b24c9-4add-46a0-b4bb-0057b4e6187d
 status: experimental
 description: Detects various anomalies in relation to regsvr32.exe
-author: Florian Roth
+author: Florian Roth, oscd.community
 date: 2019/01/16
-modified: 2020/08/28
+modified: 2020/11/28
 references:
 - https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html
 tags:
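Review bot: `logsource.definition` carries the typo `msut` → `must`; it is user-facing text shown by rule browsers. The selection matches `'-path'` and `'dll'` anywhere in the command line, which is also what a legitimate provider registration of a DLL under a system path looks like — the binary exists for that — while `description` says "arbitrary dll"; either add a filter for the expected system locations or replace `falsepositives: Unknown` with the legitimate registration case so analysts know what to expect.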
@@ -14,31 +14,33 @@ tags:
 - attack.t1117 # an old one
 - car.2019-04-002
 - car.2019-04-003
-
 logsource:
 category: process_creation
 product: windows
 detection:
 selection1:
- Image: '*\regsvr32.exe'
- CommandLine: '*\Temp\\*'
+ Image|endswith: '\regsvr32.exe'
+ CommandLine|contains: '\Temp\'
 selection2:
- Image: '*\regsvr32.exe'
- ParentImage: '*\powershell.exe'
+ Image|endswith: '\regsvr32.exe'
+ ParentImage|endswith: '\powershell.exe'
 selection3:
- Image: '*\regsvr32.exe'
- ParentImage: '*\cmd.exe'
+ Image|endswith: '\regsvr32.exe'
+ ParentImage|endswith: '\cmd.exe'
 selection4:
- Image: '*\regsvr32.exe'
- CommandLine:
- - '*/i:http* scrobj.dll'
- - '*/i:ftp* scrobj.dll'
+ Image|endswith: '\regsvr32.exe'
+ CommandLine|contains|all:
+ - '/i:'
+ CommandLine|contains:
+ - 'http'
+ - 'ftp'
+ CommandLine|endswith: 'scrobj.dll'
 selection5:
- Image: '*\wscript.exe'
- ParentImage: '*\regsvr32.exe'
+ Image|endswith: '\wscript.exe'
+ ParentImage|endswith: '\regsvr32.exe'
 selection6:
- Image: '*\EXCEL.EXE'
- CommandLine: '*..\..\..\Windows\System32\regsvr32.exe *'
+ Image|endswith: '\EXCEL.EXE'
+ CommandLine|contains: '..\..\..\Windows\System32\regsvr32.exe '
 condition: 1 of them
 fields:
 - CommandLine
diff --git a/rules/windows/process_creation/win_susp_renamed_debugview.yml b/rules/windows/process_creation/win_susp_renamed_debugview.yml
index dcab5bd63..f421c1cd6 100644
--- a/rules/windows/process_creation/win_susp_renamed_debugview.yml
+++ b/rules/windows/process_creation/win_susp_renamed_debugview.yml
@@ -15,7 +15,7 @@ detection:
 - 'Sysinternals DebugView'
 - 'Sysinternals Debugview'
 filter:
- OriginalFilename: 'Dbgview.exe'
+ OriginalFileName: 'Dbgview.exe'
 Image|endswith: '\Dbgview.exe'
 condition: selection and not filter
 falsepositives:
diff --git a/rules/windows/process_creation/win_susp_renamed_paexec.yml b/rules/windows/process_creation/win_susp_renamed_paexec.yml
new file mode 100644
index 000000000..cc1d5f209
--- /dev/null
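Review bot: In `selection4`, `CommandLine|contains|all` with a one-element list is just `contains`, and separating `'/i:'` from `'http'`/`'ftp'` loses the adjacency the removed `'*/i:http* scrobj.dll'` patterns had — `http` now matches anywhere in the line, including an unrelated argument. `CommandLine|contains: - '/i:http' - '/i:ftp'` together with the existing `CommandLine|endswith: 'scrobj.dll'` restores the original meaning in two lines and drops the redundant `|all`.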
+++ b/rules/windows/process_creation/win_susp_renamed_paexec.yml
@@ -0,0 +1,25 @@
+title: Renamed PAExec
+id: c4e49831-1496-40cf-8ce1-b53f942b02f9
+status: experimental
+description: Detects suspicious renamed PAExec execution as often used by attackers
+references:
+ - https://www.poweradmin.com/paexec/
+author: Florian Roth
+date: 2021/05/22
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ Description: 'PAExec Application'
+ selection2:
+ OriginalFilename: 'PAExec.exe'
+ filter:
+ Image|endswith:
+ - '\PAexec.exe'
+ - '\paexec.exe'
+ condition: ( selection1 or selection2 ) and not filter
+falsepositives:
+ - Weird admins that rename their tools
+ - Software companies that bundle PAExec with their software and rename it, so that it is less embarrassing
+level: high
diff --git a/rules/windows/process_creation/win_susp_rpcping.yml b/rules/windows/process_creation/win_susp_rpcping.yml
new file mode 100644
index 000000000..f8656ab4e
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_rpcping.yml
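Review bot: `selection2` uses the field name `OriginalFilename`, the exact spelling this same commit corrects to `OriginalFileName` in `win_susp_renamed_debugview.yml`; Sysmon emits the field as `OriginalFileName`, so on a case-sensitive field mapping `selection2` is dead and only the `Description` match remains. Change to `OriginalFileName: 'PAExec.exe'`. Listing two casings of `\paexec.exe` in `filter` implies a case-sensitive backend is assumed, which is worth one sentence in `description` so other users know whether `\PAExec.exe` (as shipped) is filtered.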
@@ -0,0 +1,41 @@
+title: Capture Credentials with Rpcping.exe
+id: 93671f99-04eb-4ab4-a161-70d446a84003
+description: Detects using Rpcping.exe to send a RPC test connection to the target server (-s) and force the NTLM hash to be sent in the process.
+status: experimental
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/Rpcping/
+ - https://twitter.com/vysecurity/status/974806438316072960
+ - https://twitter.com/vysecurity/status/873181705024266241
+ - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh875578(v=ws.11)
+author: Julia Fomina, oscd.community
+date: 2020/10/09
+tags:
+ - attack.credential_access
+ - attack.t1003
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ use_rpcping:
+ Image|endswith: '\rpcping.exe'
+ remote_server:
+ CommandLine|contains:
+ - '-s'
+ - '/s'
+ ntlm_auth:
+ - CommandLine|contains|all:
+ - '-u'
+ - 'NTLM'
+ - CommandLine|contains|all:
+ - '/u'
+ - 'NTLM'
+ - CommandLine|contains|all:
+ - '-t'
+ - 'ncacn_np'
+ - CommandLine|contains|all:
+ - '/t'
+ - 'ncacn_np'
+ condition: use_rpcping and remote_server and ntlm_auth
+level: medium
+falsepositives:
+ - Unlikely
diff --git a/rules/windows/process_creation/win_susp_run_locations.yml b/rules/windows/process_creation/win_susp_run_locations.yml
index c00c297d4..2119c1e0e 100644
--- a/rules/windows/process_creation/win_susp_run_locations.yml
+++ b/rules/windows/process_creation/win_susp_run_locations.yml
@@ -4,8 +4,9 @@ description: Detects suspicious process run from unusual locations
 status: experimental
 references:
 - https://car.mitre.org/wiki/CAR-2013-05-002
-author: juju4
+author: juju4, Jonhnathan Ribeiro, oscd.community
 date: 2019/01/16
+modified: 2020/11/28
 tags:
 - attack.defense_evasion
 - attack.t1036
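Review bot: `remote_server` matches `'-s'` and `'/s'` as bare substrings, so `-server`, `/silent` or any path segment containing `/s` satisfies it; with the image already pinned to `rpcping.exe` the damage is limited, but `' -s '` / `' /s '` (the spacing convention the other flag-based rules in this commit use) keeps the switch semantics at no cost. The tag `attack.t1003` is the generic credential-dumping parent, whereas the description (forcing NTLM authentication to a chosen server) is Forced Authentication, `attack.t1187`; the newer rules in this commit tag the specific technique rather than a parent.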
@@ -15,18 +16,18 @@ logsource:
 product: windows
 detection:
 selection:
- Image:
- - '*:\RECYCLER\\*'
- - '*:\SystemVolumeInformation\\*'
- - 'C:\\Windows\\Tasks\\*'
- - 'C:\\Windows\\debug\\*'
- - 'C:\\Windows\\fonts\\*'
- - 'C:\\Windows\\help\\*'
- - 'C:\\Windows\\drivers\\*'
- - 'C:\\Windows\\addins\\*'
- - 'C:\\Windows\\cursors\\*'
- - 'C:\\Windows\\system32\tasks\\*'
-
+ - Image|contains:
+ - ':\RECYCLER\'
+ - ':\SystemVolumeInformation\'
+ - Image|startswith:
+ - 'C:\Windows\Tasks\'
+ - 'C:\Windows\debug\'
+ - 'C:\Windows\fonts\'
+ - 'C:\Windows\help\'
+ - 'C:\Windows\drivers\'
+ - 'C:\Windows\addins\'
+ - 'C:\Windows\cursors\'
+ - 'C:\Windows\system32\tasks\'
 condition: selection
 falsepositives:
 - False positives depend on scripts and administrative tools used in the monitored environment
diff --git a/rules/windows/process_creation/win_susp_rundll32_activity.yml b/rules/windows/process_creation/win_susp_rundll32_activity.yml
index 5e810d444..f04faf4d7 100644
--- a/rules/windows/process_creation/win_susp_rundll32_activity.yml
+++ b/rules/windows/process_creation/win_susp_rundll32_activity.yml
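Review bot: The `Image|startswith` entries hard-code the `C:` drive, whereas the two `Image|contains` entries directly above use the `':\RECYCLER\'` form and match any drive letter; a Windows installation on another volume, or a path reported through a different drive mapping, escapes all eight `C:\Windows\...` matches. Writing them as `Image|contains: ':\Windows\Tasks\'` (and likewise for the other seven) makes the list self-consistent and lets the two modifier groups collapse into one. The removed patterns had the same `C:` limitation, so this is a missed opportunity rather than a regression.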
@@ -11,27 +11,67 @@ tags:
 - attack.execution # an old one
 - attack.t1218.011
 - attack.t1085 # an old one
-author: juju4
+author: juju4, Jonhnathan Ribeiro, oscd.community
 date: 2019/01/16
 logsource:
 category: process_creation
 product: windows
 detection:
 selection:
- CommandLine:
- - '*\rundll32.exe* url.dll,*OpenURL *'
- - '*\rundll32.exe* url.dll,*OpenURLA *'
- - '*\rundll32.exe* url.dll,*FileProtocolHandler *'
- - '*\rundll32.exe* zipfldr.dll,*RouteTheCall *'
- - '*\rundll32.exe* Shell32.dll,*Control_RunDLL *'
- - '*\rundll32.exe javascript:*'
- - '* url.dll,*OpenURL *'
- - '* url.dll,*OpenURLA *'
- - '* url.dll,*FileProtocolHandler *'
- - '* zipfldr.dll,*RouteTheCall *'
- - '* Shell32.dll,*Control_RunDLL *'
- - '* javascript:*'
- - '*.RegisterXLL*'
+ - CommandLine|contains:
+ - 'javascript:'
+ - '.RegisterXLL'
+ - CommandLine|contains|all:
+ - 'url.dll'
+ - 'OpenURL'
+ - CommandLine|contains|all:
+ - 'url.dll'
+ - 'OpenURLA'
+ - CommandLine|contains|all:
+ - 'url.dll'
+ - 'FileProtocolHandler'
+ - CommandLine|contains|all:
+ - 'zipfldr.dll'
+ - 'RouteTheCall'
+ - CommandLine|contains|all:
+ - 'shell32.dll'
+ - 'Control_RunDLL'
+ - CommandLine|contains|all:
+ - 'shell32.dll'
+ - 'ShellExec_RunDLL'
+ - CommandLine|contains|all:
+ - 'mshtml.dll'
+ - 'PrintHTML'
+ - CommandLine|contains|all:
+ - 'advpack.dll'
+ - 'LaunchINFSection'
+ - CommandLine|contains|all:
+ - 'advpack.dll'
+ - 'RegisterOCX'
+ - CommandLine|contains|all:
+ - 'ieadvpack.dll'
+ - 'LaunchINFSection'
+ - CommandLine|contains|all:
+ - 'ieadvpack.dll'
+ - 'RegisterOCX'
+ - CommandLine|contains|all:
+ - 'ieframe.dll'
+ - 'OpenURL'
+ - CommandLine|contains|all:
+ - 'shdocvw.dll'
+ - 'OpenURL'
+ - CommandLine|contains|all:
+ - 'syssetup.dll'
+ - SetupInfObjectInstallAction'
+ - CommandLine|contains|all:
+ - 'setupapi.dll'
+ - 'InstallHinfSection'
+ - CommandLine|contains|all:
+ - 'pcwutl.dll'
+ - 'LaunchApplication'
+ - CommandLine|contains|all:
+ - 'dfshim.dll'
+ - 'ShOpenVerbApplication'
 condition: selection
 falsepositives:
 - False positives depend on scripts and administrative tools used in the monitored environment
diff --git a/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml b/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml
index 584e5f49e..e51a968d9 100644
--- a/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml
+++ b/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml
@@ -1,7 +1,7 @@
 title: Suspicious Call by Ordinal
 id: e79a9e79-eb72-4e78-a628-0e7e8f59e89c
 description: Detects suspicious calls of DLLs in rundll32.dll exports by ordinal
-status: experimental
+status: stable
 references:
 - https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/
 - https://github.com/Neo23x0/DLLRunner
@@ -13,14 +13,21 @@ tags:
 - attack.t1085 # an old one
 author: Florian Roth
 date: 2019/10/22
+modified: 2021/04/29
 logsource:
 category: process_creation
 product: windows
 detection:
 selection:
- CommandLine: '*\rundll32.exe *,#*'
- condition: selection
+ CommandLine|contains|all:
+ - '\rundll32.exe'
+ - ',#'
+ filter:
+ CommandLine|contains|all:
+ - 'EDGEHTML.dll'
+ - '#141'
+ condition: selection and not filter
 falsepositives:
 - False positives depend on scripts and administrative tools used in the monitored environment
- - Windows contol panel elements have been identified as source (mmc)
+ - Windows control panel elements have been identified as source (mmc)
 level: high
diff --git a/rules/windows/process_creation/win_susp_rundll32_inline_vbs.yml b/rules/windows/process_creation/win_susp_rundll32_inline_vbs.yml
new file mode 100644
index 000000000..e85f144ea
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_rundll32_inline_vbs.yml
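Review bot: `SetupInfObjectInstallAction'` in the `syssetup.dll` block is missing its opening quote, so YAML reads a plain scalar that includes the trailing apostrophe and the pattern `SetupInfObjectInstallAction'` can never match a real command line; it should be `- 'SetupInfObjectInstallAction'`. The `url.dll`/`OpenURLA` block is also subsumed by the `url.dll`/`OpenURL` block directly above it, because `contains` on `OpenURL` already matches `OpenURLA`, so it can be dropped without losing coverage. The `condition: selection` line that closes this detection is split across the two physical lines here but is otherwise intact.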
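Review bot: The new `filter` excludes any command line that contains `EDGEHTML.dll` and `#141` as two independent substrings, rather than the single contiguous `EDGEHTML.dll,#141` ordinal call it is presumably meant to whitelist, so it carves out more than that one case. `CommandLine|contains: 'EDGEHTML.dll,#141'` keeps the exclusion to the exact call. It may also be worth noting that `status` is raised to `stable` in the first hunk while this filter is brand new.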
@@ -0,0 +1,22 @@
+title: Suspicious Rundll32 Invoking Inline VBScript
+id: 1cc50f3f-1fc8-4acf-b2e9-6f172e1fdebd
+description: Detects suspicious process related to rundll32 based on command line that invokes inline VBScript as seen being used by UNC2452
+status: experimental
+references:
+ - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
+author: Florian Roth
+date: 2021/03/05
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - 'rundll32.exe'
+ - 'Execute'
+ - 'RegRead'
+ - 'window.close'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/win_susp_rundll32_no_params.yml b/rules/windows/process_creation/win_susp_rundll32_no_params.yml
new file mode 100644
index 000000000..b45e3b4e0
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_rundll32_no_params.yml
@@ -0,0 +1,27 @@
+title: Suspicious Rundll32 Without Any CommandLine Params
+id: 1775e15e-b61b-4d14-a1a3-80981298085a
+description: Detects suspicious start of rundll32.exe without any parameters as found in CobaltStrike beacon activity
+status: experimental
+references:
+ - https://www.cobaltstrike.com/help-opsec
+author: Florian Roth
+date: 2021/05/27
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|endswith: '\rundll32.exe'
+ filter1:
+ ParentImage|endswith: '\svchost.exe'
+ filter2:
+ ParentImage|contains:
+ - '\AppData\Local\'
+ - '\Microsoft\Edge\'
+ condition: selection and not filter1 and not filter2
+fields:
+ - ParentImage
+ - ParentCommandLine
+falsepositives:
+ - Possible but rare
+level: high
diff --git a/rules/windows/process_creation/win_susp_rundll32_setupapi_installhinfsection.yml b/rules/windows/process_creation/win_susp_rundll32_setupapi_installhinfsection.yml
new file mode 100644
index 000000000..f1f6dafe9
--- /dev/null
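Review bot: The inline-VBScript rule has no `tags:` block, unlike every other rule in this commit, so tooling that indexes rules by ATT&CK technique will not surface it; `win_susp_vbscript_unc2452.yml` later in the patch has the same gap. The neighbouring rundll32 rules use `attack.defense_evasion` and `attack.t1218.011`, which would be a consistent choice here, though the exact technique is the author's call.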
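Review bot: `filter2` discards every rundll32 start whose parent image lies anywhere under `\AppData\Local\`, which is a user-writable profile location rather than a specific known-good program, so the exclusion is far broader than the `\Microsoft\Edge\` entry beside it and suppresses precisely the parameterless rundll32 starts from user-profile parents that the description says this rule is for. Narrowing it to the concrete updater or helper paths that were observed as false positives (keeping `'\Microsoft\Edge\'` and listing the other parents explicitly) preserves the false-positive handling without the blanket hole. `CommandLine|endswith: '\rundll32.exe'` also misses the common case where the logged command line is the quoted image path, because that string ends in `"`; adding `'\rundll32.exe"'` as a second `endswith` value covers it.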
+++ b/rules/windows/process_creation/win_susp_rundll32_setupapi_installhinfsection.yml
@@ -0,0 +1,35 @@
+title: Suspicious Rundll32 Setupapi.dll Activity
+id: 285b85b1-a555-4095-8652-a8a4106af63f
+description: setupapi.dll library provide InstallHinfSection function for processing INF files. INF file may contain instructions allowing to create values in the registry, modify files and install drivers.
+ This technique could be used to obtain persistence via modifying one of Run or RunOnce registry keys, run process or use other DLLs chain calls (see references)
+ InstallHinfSection function in setupapi.dll calls runonce.exe executable regardless of actual content of INF file.
+status: experimental
+author: Konstantin Grishchenko, oscd.community
+date: 2020/10/07
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSLibraries/Setupapi.yml
+ - https://gist.githubusercontent.com/bohops/0cc6586f205f3691e04a1ebf1806aabd/raw/baf7b29891bb91e76198e30889fbf7d6642e8974/calc_exe.inf
+ - https://raw.githubusercontent.com/huntresslabs/evading-autoruns/master/shady.inf
+ - https://twitter.com/Z3Jpa29z/status/1313742350292746241?s=20
+tags:
+ - attack.defense_evasion
+ - attack.t1218.011
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\runonce.exe'
+ ParentImage|endswith: '\rundll32.exe'
+ ParentCommandLine|contains|all:
+ - 'setupapi.dll'
+ - 'InstallHinfSection'
+ condition: selection
+fields:
+ - ComputerName
+ - User
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Scripts and administrative tools that use INF files for driver installation with setupapi.dll
+level: medium
diff --git a/rules/windows/process_creation/win_susp_rundll32_sys.yml b/rules/windows/process_creation/win_susp_rundll32_sys.yml
new file mode 100644
index 000000000..a59cfd3c2
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_rundll32_sys.yml
@@ -0,0 +1,25 @@
+title: Suspicious Rundll32 Activity Invoking Sys File
+id: 731231b9-0b5d-4219-94dd-abb6959aa7ea
+description: Detects suspicious process related to rundll32 based on command line that includes a *.sys file as seen being used by UNC2452
+status: experimental
+references:
+ - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
+tags:
+ - attack.defense_evasion
+ - attack.t1218.011
+author: Florian Roth
+date: 2021/03/05
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ CommandLine|contains: 'rundll32.exe'
+ selection2:
+ CommandLine|contains:
+ - '.sys,'
+ - '.sys '
+ condition: selection1 and selection2
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/win_susp_runonce_execution.yml b/rules/windows/process_creation/win_susp_runonce_execution.yml
new file mode 100644
index 000000000..f36b66f6f
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_runonce_execution.yml
@@ -0,0 +1,29 @@
+title: Run Once Task Execution as Configured in Registry
+id: 198effb6-6c98-4d0c-9ea3-451fa143c45c
+description: This rule detects the execution of Run Once task as configured in the registry
+author: 'Avneet Singh @v3t0_, oscd.community'
+status: experimental
+date: 2020/10/18
+references:
+ - https://twitter.com/pabraeken/status/990717080805789697
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Runonce.yml
+tags:
+ - attack.defense_evasion
+ - attack.t1112
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ process_name:
+ Image|endswith:
+ - '\runonce.exe'
+ process_description:
+ Description:
+ - 'Run Once Wrapper'
+ command_line:
+ CommandLine|contains:
+ - ' /AlternateShellStartup'
+ condition: (process_name or process_description) and command_line
+falsepositives:
+ - Unknown
+level: low
diff --git a/rules/windows/process_creation/win_susp_runscripthelper.yml b/rules/windows/process_creation/win_susp_runscripthelper.yml
new file mode 100644
index 000000000..3bea7fb7e
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_runscripthelper.yml
@@ -0,0 +1,27 @@
+title: Suspicious Runscripthelper.exe
+id: eca49c87-8a75-4f13-9c73-a5a29e845f03
+status: experimental
+description: Detects execution of powershell scripts via Runscripthelper.exe
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Runscripthelper.yml
+author: Victor Sergeev, oscd.community
+date: 2020/10/09
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ image_path:
+ Image|endswith: '\Runscripthelper.exe'
+ cmd:
+ CommandLine|contains: 'surfacecheck'
+ condition: image_path and cmd
+fields:
+ - CommandLine
+tags:
+ - attack.execution
+ - attack.t1059
+ - attack.defense_evasion
+ - attack.t1202
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/process_creation/win_susp_schtask_creation.yml b/rules/windows/process_creation/win_susp_schtask_creation.yml
index 491f18dd0..1647d2f54 100644
--- a/rules/windows/process_creation/win_susp_schtask_creation.yml
+++ b/rules/windows/process_creation/win_susp_schtask_creation.yml
@@ -9,8 +9,8 @@ logsource:
 product: windows
 detection:
 selection:
- Image: '*\schtasks.exe'
- CommandLine: '* /create *'
+ Image|endswith: '\schtasks.exe'
+ CommandLine|contains: ' /create '
 filter:
 User: NT AUTHORITY\SYSTEM
 condition: selection and not filter
diff --git a/rules/windows/process_creation/win_susp_schtask_creation_temp_folder.yml b/rules/windows/process_creation/win_susp_schtask_creation_temp_folder.yml
new file mode 100644
index 000000000..65fda53ba
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_schtask_creation_temp_folder.yml
@@ -0,0 +1,30 @@
+title: Suspicious Scheduled Task Creation Involving Temp Folder
+id: 39019a4e-317f-4ce3-ae63-309a8c6b53c5
+status: experimental
+description: Detects the creation of scheduled tasks that involves a temporary folder and runs only once
+author: Florian Roth
+date: 2021/03/11
+references:
+ - https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289/3
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\schtasks.exe'
+ CommandLine|contains|all:
+ - ' /create '
+ - ' /sc once '
+ - '\Temp\'
+ condition: selection
+fields:
+ - CommandLine
+ - ParentCommandLine
+tags:
+ - attack.execution
+ - attack.persistence
+ - attack.t1053.005
+falsepositives:
+ - Administrative activity
+ - Software installation
+level: high
diff --git a/rules/windows/process_creation/win_susp_screenconnect_access.yml b/rules/windows/process_creation/win_susp_screenconnect_access.yml
new file mode 100644
index 000000000..0f6f6259b
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_screenconnect_access.yml
@@ -0,0 +1,23 @@
+title: ScreenConnect Remote Access
+id: 75bfe6e6-cd8e-429e-91d3-03921e1d7962
+status: experimental
+description: Detects ScreenConnect program starts that establish a remote access to that system (not meeting, not remote support)
+references:
+ - https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies
+author: Florian Roth
+date: 2021/02/11
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - 'e=Access&'
+ - 'y=Guest&'
+ - '&p='
+ - '&c='
+ - '&k='
+ condition: selection
+falsepositives:
+ - Legitimate use by administrative staff
+level: high
diff --git a/rules/windows/process_creation/win_susp_service_dacl_modification.yml b/rules/windows/process_creation/win_susp_service_dacl_modification.yml
new file mode 100644
index 000000000..82f5e0f35
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_service_dacl_modification.yml
@@ -0,0 +1,33 @@
+title: Suspicious Service DACL Modification
+id: 99cf1e02-00fb-4c0d-8375-563f978dfd37
+description: Detects suspicious DACL modifications that can be used to hide services or make them unstopable
+author: Jonhnathan Ribeiro, oscd.community
+status: experimental
+date: 2020/10/16
+references:
+ - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/
+ - https://docs.microsoft.com/pt-br/windows/win32/secauthz/sid-strings
+tags:
+ - attack.persistence
+ - attack.t1543.003
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - '\sc.exe'
+ CommandLine|contains|all:
+ - 'sdset'
+ - 'D;;'
+ sids:
+ CommandLine|contains:
+ - ';;;IU'
+ - ';;;SU'
+ - ';;;BA'
+ - ';;;SY'
+ - ';;;WD'
+ condition: selection and sids
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/win_susp_service_dir.yml b/rules/windows/process_creation/win_susp_service_dir.yml
new file mode 100644
index 000000000..bc04c1e4b
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_service_dir.yml
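Review bot: `selection` and `sids` are evaluated as independent substring groups, so an `sdset` descriptor that carries a deny ACE (`D;;`) for one principal and any ACE at all naming `;;;SY`, `;;;BA` or the other listed SIDs elsewhere in the same string satisfies the rule even when the deny is not aimed at those SIDs; with `level: high` and `falsepositives: Unknown` that is worth stating, e.g. `- Legitimate service hardening that combines a deny ACE with allow ACEs for SY/BA`. The description's `unstopable` should read `unstoppable`.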
@@ -0,0 +1,32 @@
+title: Suspicious Service Binary Directory
+id: 883faa95-175a-4e22-8181-e5761aeb373c
+description: Detects a service binary running in a suspicious directory
+author: Florian Roth
+date: 2021/03/09
+status: experimental
+references:
+ - https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|contains:
+ - '\Users\Public\'
+ - '\$Recycle.bin'
+ - '\Users\All Users\'
+ - '\Users\Default\'
+ - '\Users\Contacts\'
+ - '\Users\Searches\'
+ - 'C:\Perflogs\'
+ - '\config\systemprofile\'
+ - '\Windows\Fonts\'
+ - '\Windows\IME\'
+ - '\Windows\addins\'
+ ParentImage|endswith:
+ - '\services.exe'
+ - '\svchost.exe'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/win_susp_shell_spawn_from_mssql.yml b/rules/windows/process_creation/win_susp_shell_spawn_from_mssql.yml
index 8218f2a88..198851a13 100644
--- a/rules/windows/process_creation/win_susp_shell_spawn_from_mssql.yml
+++ b/rules/windows/process_creation/win_susp_shell_spawn_from_mssql.yml
@@ -2,8 +2,9 @@ title: Suspicious Shells Spawn by SQL Server
 id: 869b9ca7-9ea2-4a5a-8325-e80e62f75445
 description: Detects suspicious shell spawn from MSSQL process, this might be sight of RCE or SQL Injection
 status: experimental
-author: FPT.EagleEye Team
+author: FPT.EagleEye Team, wagga
 date: 2020/12/11
+modified: 2021/06/27
 tags:
 - attack.t1100
 - attack.t1190
@@ -15,12 +16,12 @@ logsource:
 product: windows
 detection:
 selection:
- ParentImage: '*\sqlservr.exe'
- Image:
- - '*\cmd.exe'
- - '*\sh.exe'
- - '*\bash.exe'
- - '*\powershell.exe'
- - '*\bitsadmin.exe'
+ ParentImage|endswith: '\sqlservr.exe'
+ Image|endswith:
+ - '\cmd.exe'
+ - '\sh.exe'
+ - '\bash.exe'
+ - '\powershell.exe'
+ - '\bitsadmin.exe'
 condition: selection
 level: critical
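Review bot: `'C:\Perflogs\'` is the only entry in the `Image|contains` list that hard-codes a drive letter; every neighbour starts at the backslash (`'\Users\Public\'`, `'\Windows\Fonts\'`, …), so a Perflogs path on another system volume is missed for no stated reason. `- ':\Perflogs\'` matches the rest of the list. `'\$Recycle.bin'` likewise lacks the trailing backslash the other entries carry, which is harmless but inconsistent.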
diff --git a/rules/windows/process_creation/win_susp_shimcache_flush.yml b/rules/windows/process_creation/win_susp_shimcache_flush.yml
new file mode 100644
index 000000000..9cf4aeb2c
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_shimcache_flush.yml
@@ -0,0 +1,39 @@
+title: ShimCache Flush
+id: b0524451-19af-4efa-a46f-562a977f792e
+status: experimental
+description: Detects actions that clear the local ShimCache and remove forensic evidence
+references:
+ - https://medium.com/@blueteamops/shimcache-flush-89daff28d15e
+tags:
+ - attack.defense_evasion
+ - attack.t1112
+author: Florian Roth
+date: 2021/02/01
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1a:
+ CommandLine|contains|all:
+ - 'rundll32'
+ - 'apphelp.dll'
+ selection1b:
+ CommandLine|contains:
+ - 'ShimFlushCache'
+ - '#250'
+ selection2a:
+ CommandLine|contains|all:
+ - 'rundll32'
+ - 'kernel32.dll'
+ selection2b:
+ CommandLine|contains:
+ - 'BaseFlushAppcompatCache'
+ - '#46'
+ condition: ( selection1a and selection1b ) or ( selection2a and selection2b )
+fields:
+ - Image
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Unknown
+level: critical
diff --git a/rules/windows/process_creation/win_susp_sqldumper_activity.yml b/rules/windows/process_creation/win_susp_sqldumper_activity.yml
new file mode 100644
index 000000000..41b2a3c2e
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_sqldumper_activity.yml
@@ -0,0 +1,28 @@
+title: Dumping Process via Sqldumper.exe
+id: 23ceaf5c-b6f1-4a32-8559-f2ff734be516
+description: Detects process dump via legitimate sqldumper.exe binary
+status: experimental
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Sqldumper.yml
+ - https://twitter.com/countuponsec/status/910977826853068800
+ - https://twitter.com/countuponsec/status/910969424215232518
+ - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/
+author: Kirill Kiryanov, oscd.community
+date: 2020/10/08
+tags:
+ - attack.credential_access
+ - attack.t1003.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\sqldumper.exe'
+ CommandLine|contains:
+ - '0x0110'
+ - '0x01100:40'
+ condition: selection
+falsepositives:
+ - Legitimate MSSQL Server actions
+level: medium
+
diff --git a/rules/windows/process_creation/win_susp_squirrel_lolbin.yml b/rules/windows/process_creation/win_susp_squirrel_lolbin.yml
index b07788187..f64de8c5d 100644
--- a/rules/windows/process_creation/win_susp_squirrel_lolbin.yml
+++ b/rules/windows/process_creation/win_susp_squirrel_lolbin.yml
@@ -9,9 +9,9 @@ tags:
 - attack.execution
 - attack.defense_evasion
 - attack.t1218
-author: Karneades / Markus Neis
+author: Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community
 date: 2019/11/12
-modified: 2020/08/28
+modified: 2020/11/28
 falsepositives:
 - 1Clipboard
 - Beaker Browser
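Review bot: The second `CommandLine|contains` value `'0x01100:40'` is redundant: `contains` on `'0x0110'` already matches every command line that contains `'0x01100:40'`, so the list reduces to the first entry — or, if the longer form was meant to be the only trigger, the shorter one should go. The hunk also adds a trailing empty line after `level: medium`; the `sqltoolsps`, `te` and `vsjitdebugger` rules later in the patch end the same way.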
@@ -51,10 +51,11 @@ logsource:
 product: windows
 detection:
 selection:
- Image:
- - '*\update.exe' # Check if folder Name matches executed binary \\(?P[^\\]*)\\Update.*Start.{2}(?P\1)\.exe (example: https://regex101.com/r/SGSQGz/2)
- CommandLine:
- - '*--processStart*.exe*'
- - '*--processStartAndWait*.exe*'
- - '*--createShortcut*.exe*'
+ Image|endswith: '\update.exe' # Check if folder Name matches executed binary \\(?P[^\\]*)\\Update.*Start.{2}(?P\1)\.exe (example: https://regex101.com/r/SGSQGz/2)
+ CommandLine|contains:
+ - '--processStart'
+ - '--processStartAndWait'
+ - '--createShortcut'
+ CommandLine|contains|all:
+ - '.exe'
 condition: selection
diff --git a/rules/windows/process_creation/win_susp_svchost.yml b/rules/windows/process_creation/win_susp_svchost.yml
index 717a7bea2..39c9ae4cf 100644
--- a/rules/windows/process_creation/win_susp_svchost.yml
+++ b/rules/windows/process_creation/win_susp_svchost.yml
@@ -14,14 +14,14 @@ logsource:
 product: windows
 detection:
 selection:
- Image: '*\svchost.exe'
+ Image|endswith: '\svchost.exe'
 filter:
- ParentImage:
- - '*\services.exe'
- - '*\MsMpEng.exe'
- - '*\Mrt.exe'
- - '*\rpcnet.exe'
- - '*\svchost.exe'
+ ParentImage|endswith:
+ - '\services.exe'
+ - '\MsMpEng.exe'
+ - '\Mrt.exe'
+ - '\rpcnet.exe'
+ - '\svchost.exe'
 filter_null:
 ParentImage: null
 condition: selection and not filter and not filter_null
diff --git a/rules/windows/process_creation/win_susp_svchost_no_cli.yml b/rules/windows/process_creation/win_susp_svchost_no_cli.yml
index 9094eec7b..ac875f0d8 100644
--- a/rules/windows/process_creation/win_susp_svchost_no_cli.yml
+++ b/rules/windows/process_creation/win_susp_svchost_no_cli.yml
@@ -6,7 +6,7 @@ references:
 - https://securitybytes.io/blue-team-fundamentals-part-two-windows-processes-759fe15965e2
 author: David Burkett
 date: 2019/12/28
-modified: 2020/08/28
+modified: 2021/02/24
 tags:
 - attack.defense_evasion
 - attack.privilege_escalation
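Review bot: The new `CommandLine|contains|all: - '.exe'` clause does not encode what the removed patterns did: `'*--processStart*.exe*'` required an `.exe` after the flag, whereas the new clause is satisfied by `.exe` anywhere in the command line — and since the logged command line normally starts with the `update.exe` image path, the clause is effectively always true, so the rule now fires on any `update.exe` run that merely contains `--processStart`, `--processStartAndWait` or `--createShortcut`. A one-item `contains|all` is also just `contains`. If the ordering matters, the faithful translation keeps the wildcard form, e.g. `CommandLine: '*--processStart*.exe*'` per flag; otherwise the `.exe` clause should simply be dropped so the selection does not pretend to constrain what it does not.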
@@ -20,9 +20,10 @@ detection:
 selection2:
 Image|endswith: '\svchost.exe'
 filter:
- ParentImage|endswith:
+ - ParentImage|endswith:
 - '\rpcnet.exe'
 - '\rpcnetp.exe'
+ - CommandLine: null # no CommandLine value available
 condition: (selection1 and selection2) and not filter
 fields:
 - CommandLine
diff --git a/rules/windows/process_creation/win_susp_sysprep_appdata.yml b/rules/windows/process_creation/win_susp_sysprep_appdata.yml
index 68c4260f4..dea91d765 100644
--- a/rules/windows/process_creation/win_susp_sysprep_appdata.yml
+++ b/rules/windows/process_creation/win_susp_sysprep_appdata.yml
@@ -15,9 +15,10 @@ logsource:
 product: windows
 detection:
 selection:
- CommandLine:
- - '*\sysprep.exe *\AppData\\*'
- - sysprep.exe *\AppData\\*
+ Image|endswith:
+ - '\sysprep.exe'
+ CommandLine|contains:
+ - '\AppData\'
 condition: selection
 falsepositives:
 - False positives depend on scripts and administrative tools used in the monitored environment
diff --git a/rules/windows/process_creation/win_susp_sysvol_access.yml b/rules/windows/process_creation/win_susp_sysvol_access.yml
index 3c8c2be83..f6ac9d331 100644
--- a/rules/windows/process_creation/win_susp_sysvol_access.yml
+++ b/rules/windows/process_creation/win_susp_sysvol_access.yml
@@ -5,9 +5,9 @@ description: Detects Access to Domain Group Policies stored in SYSVOL
 references:
 - https://adsecurity.org/?p=2288
 - https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100
-author: Markus Neis
+author: Markus Neis, Jonhnathan Ribeiro, oscd.community
 date: 2018/04/09
-modified: 2020/08/28
+modified: 2020/11/28
 tags:
 - attack.credential_access
 - attack.t1552.006
@@ -17,7 +17,9 @@ logsource:
 product: windows
 detection:
 selection:
- CommandLine: '*\SYSVOL\\*\policies\\*'
+ CommandLine|contains|all:
+ - '\SYSVOL\'
+ - '\policies\'
 condition: selection
 falsepositives:
 - administrative activity
diff --git a/rules/windows/process_creation/win_susp_taskmgr_localsystem.yml b/rules/windows/process_creation/win_susp_taskmgr_localsystem.yml
index 5e4b331bb..4ac61fed9 100644
--- a/rules/windows/process_creation/win_susp_taskmgr_localsystem.yml
+++ b/rules/windows/process_creation/win_susp_taskmgr_localsystem.yml
@@ -13,8 +13,8 @@ logsource:
 detection:
 selection:
 User: NT AUTHORITY\SYSTEM
- Image: '*\taskmgr.exe'
+ Image|endswith: '\taskmgr.exe'
 condition: selection
 falsepositives:
- - Unkown
+ - Unknown
 level: high
diff --git a/rules/windows/process_creation/win_susp_taskmgr_parent.yml b/rules/windows/process_creation/win_susp_taskmgr_parent.yml
index 70d852123..f58197239 100644
--- a/rules/windows/process_creation/win_susp_taskmgr_parent.yml
+++ b/rules/windows/process_creation/win_susp_taskmgr_parent.yml
@@ -12,12 +12,12 @@ logsource:
 product: windows
 detection:
 selection:
- ParentImage: '*\taskmgr.exe'
+ ParentImage|endswith: '\taskmgr.exe'
 filter:
- Image:
- - '*\resmon.exe'
- - '*\mmc.exe'
- - '*\taskmgr.exe'
+ Image|endswith:
+ - '\resmon.exe'
+ - '\mmc.exe'
+ - '\taskmgr.exe'
 condition: selection and not filter
 fields:
 - Image
diff --git a/rules/windows/process_creation/win_susp_tracker_execution.yml b/rules/windows/process_creation/win_susp_tracker_execution.yml
new file mode 100644
index 000000000..08ef303cc
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_tracker_execution.yml
@@ -0,0 +1,31 @@
+title: DLL Injection with Tracker.exe
+id: 148431ce-4b70-403d-8525-fcc2993f29ea
+description: This rule detects DLL injection and execution via LOLBAS - Tracker.exe
+author: 'Avneet Singh @v3t0_, oscd.community'
+status: experimental
+date: 2020/10/18
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Tracker.yml
+tags:
+ - attack.defense_evasion
+ - attack.t1055.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ process_name:
+ Image|endswith:
+ - '\tracker.exe'
+ process_description:
+ Description:
+ - 'Tracker'
+ commandline_param1:
+ CommandLine|contains:
+ - ' /d '
+ commandline_param2:
+ CommandLine|contains:
+ - ' /c '
+ condition: (process_name or process_description) and commandline_param1 and commandline_param2
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/process_creation/win_susp_tscon_localsystem.yml b/rules/windows/process_creation/win_susp_tscon_localsystem.yml
index 6691257e4..b11145b61 100644
--- a/rules/windows/process_creation/win_susp_tscon_localsystem.yml
+++ b/rules/windows/process_creation/win_susp_tscon_localsystem.yml
@@ -16,7 +16,7 @@ logsource:
 detection:
 selection:
 User: NT AUTHORITY\SYSTEM
- Image: '*\tscon.exe'
+ Image|endswith: '\tscon.exe'
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml b/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml
index 927cbef62..15b5dfc31 100644
--- a/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml
+++ b/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml
@@ -19,7 +19,7 @@ logsource:
 product: windows
 detection:
 selection:
- CommandLine: '* /dest:rdp-tcp:*'
+ CommandLine|contains: ' /dest:rdp-tcp:'
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml b/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml
new file mode 100644
index 000000000..28b3928a0
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml
@@ -0,0 +1,31 @@
+title: Detection of PowerShell Execution via Sqlps.exe
+id: 0152550d-3a26-4efd-9f0e-54a0b28ae2f3
+status: experimental
+description: This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
+references:
+ - https://docs.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15
+ - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/
+ - https://twitter.com/bryon_/status/975835709587075072
+tags:
+ - attack.execution
+ - attack.t1059.001
+ - attack.defense_evasion
+ - attack.t1127
+author: 'Agro (@agro_sev) oscd.community'
+date: 2020/10/10
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ Image|endswith: '\sqlps.exe'
+ selection2:
+ ParentImage|endswith: '\sqlps.exe'
+ selection3:
+ OriginalFileName: '\sqlps.exe'
+ reduction:
+ ParentImage|endswith: '\sqlagent.exe'
+ condition: selection1 or selection2 or selection3 and not reduction
+falsepositives:
+ - Direct PS command execution through SQLPS.exe is uncommon, childprocess sqlps.exe spawned by sqlagent.exe is a legitimate action.
+level: medium
diff --git a/rules/windows/process_creation/win_susp_use_of_sqltoolsps_bin.yml b/rules/windows/process_creation/win_susp_use_of_sqltoolsps_bin.yml
new file mode 100644
index 000000000..0e74bea2b
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_use_of_sqltoolsps_bin.yml
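Review bot: `condition: selection1 or selection2 or selection3 and not reduction` binds as `selection1 or selection2 or (selection3 and not reduction)` because `and` takes precedence over `or`, so the `sqlagent.exe` parent exclusion that the falsepositives entry documents never applies to `selection1` or `selection2`; it should read `condition: (selection1 or selection2 or selection3) and not reduction`. `selection3: OriginalFileName: '\sqlps.exe'` is also a dead selector: `OriginalFileName` normally carries the bare file name from the PE version resource with no path separator, so the leading backslash makes it never match — `OriginalFileName: 'sqlps.exe'` is the intended comparison. The same two defects appear in `win_susp_use_of_sqltoolsps_bin.yml` (precedence and `'\sqltoolsps.exe'`), and the `OriginalFileName: '\te.exe'` one in `win_susp_use_of_te_bin.yml`.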
@@ -0,0 +1,31 @@
+title: SQL Client Tools PowerShell Session Detection
+id: a746c9b8-a2fb-4ee5-a428-92bee9e99060
+status: experimental
+description: This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs.
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Sqltoolsps.yml
+ - https://twitter.com/pabraeken/status/993298228840992768
+tags:
+ - attack.execution
+ - attack.t1059.001
+ - attack.defense_evasion
+ - attack.t1127
+author: 'Agro (@agro_sev) oscd.communitly'
+date: 2020/10/13
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ Image|endswith: '\sqltoolsps.exe'
+ selection2:
+ ParentImage|endswith: '\sqltoolsps.exe'
+ selection3:
+ OriginalFileName: '\sqltoolsps.exe'
+ reduction:
+ ParentImage|endswith: '\smss.exe'
+ condition: selection1 or selection2 or selection3 and not reduction
+falsepositives:
+ - Direct PS command execution through SQLToolsPS.exe is uncommon, childprocess sqltoolsps.exe spawned by smss.exe is a legitimate action.
+level: medium
+
diff --git a/rules/windows/process_creation/win_susp_use_of_te_bin.yml b/rules/windows/process_creation/win_susp_use_of_te_bin.yml
new file mode 100644
index 000000000..d74b74b0b
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_use_of_te_bin.yml
@@ -0,0 +1,27 @@
+title: Malicious Windows Script Components File Execution by TAEF Detection
+id: 634b00d5-ccc3-4a06-ae3b-0ec8444dd51b
+status: experimental
+description: Windows Test Authoring and Execution Framework (TAEF) framework allows you to run automation by executing tests files written on different languages (C, C#, Microsoft COM Scripting interfaces). Adversaries may execute malicious code (such as WSC file with VBScript, dll and so on) directly by running te.exe
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Te.yml
+ - https://twitter.com/pabraeken/status/993298228840992768
+ - https://docs.microsoft.com/en-us/windows-hardware/drivers/taef/
+tags:
+ - attack.t1218
+author: 'Agro (@agro_sev) oscd.community'
+date: 2020/10/13
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ Image|endswith: '\te.exe'
+ selection2:
+ ParentImage|endswith: '\te.exe'
+ selection3:
+ OriginalFileName: '\te.exe'
+ condition: selection1 or selection2 or selection3
+falsepositives:
+ - It's not an uncommon to use te.exe directly to execute legal TAEF tests
+level: low
+
diff --git a/rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml b/rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml
new file mode 100644
index 000000000..529aff91d
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml
@@ -0,0 +1,28 @@
+title: Malicious PE Execution by Microsoft Visual Studio Debugger
+id: 15c7904e-6ad1-4a45-9b46-5fb25df37fd2
+status: experimental
+description: There is an option for a MS VS Just-In-Time Debugger "vsjitdebugger.exe" to launch specified executable and attach a debugger. This option may be used adversaries to execute malicious code by signed verified binary. The debugger is installed alongside with Microsoft Visual Studio package.
+references:
+ - https://twitter.com/pabraeken/status/990758590020452353
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Vsjitdebugger.yml
+ - https://docs.microsoft.com/en-us/visualstudio/debugger/debug-using-the-just-in-time-debugger?view=vs-2019
+tags:
+ - attack.t1218
+ - attack.defense_evasion
+author: Agro (@agro_sev), Ensar Şamil (@sblmsrsn), oscd.community
+date: 2020/10/14
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage|endswith: '\vsjitdebugger.exe'
+ reduction1:
+ ChildImage|endswith: '\vsimmersiveactivatehelper*.exe'
+ reduction2:
+ ChildImage|endswith: '\devenv.exe'
+ condition: selection and not (reduction1 or reduction2)
+falsepositives:
+ - the process spawned by vsjitdebugger.exe is uncommon.
+level: medium
+
diff --git a/rules/windows/process_creation/win_susp_userinit_child.yml b/rules/windows/process_creation/win_susp_userinit_child.yml
index c07a989c6..1b22804ee 100644
--- a/rules/windows/process_creation/win_susp_userinit_child.yml
+++ b/rules/windows/process_creation/win_susp_userinit_child.yml
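Review bot: `reduction1` and `reduction2` match on `ChildImage`, a field name no other rule in this commit uses; the started process is `Image` everywhere else (compare the `Image`/`ParentImage` pair in the setupapi rule), and depending on the backend an unknown field either fails conversion or never matches, which would leave both exclusions inert and alert on every `devenv.exe` launch. `Image|endswith: '\devenv.exe'` and `Image|endswith: '\vsimmersiveactivatehelper*.exe'` are the likely intent; the embedded `*` in the latter also deserves a check that the target backend treats it as a wildcard inside an `endswith` value. In the description, "may be used adversaries" reads as "may be used by adversaries".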
@@ -6,16 +6,17 @@ references:
 - https://twitter.com/SBousseaden/status/1139811587760562176
 author: Florian Roth (rule), Samir Bousseaden (idea)
 date: 2019/06/17
+modified: 2021/06/27
 logsource:
 category: process_creation
 product: windows
 detection:
 selection:
- ParentImage: '*\userinit.exe'
+ ParentImage|endswith: '\userinit.exe'
 filter1:
- CommandLine: '*\\netlogon\\*'
+ CommandLine|contains: '\netlogon\'
 filter2:
- Image: '*\explorer.exe'
+ Image|endswith: '\explorer.exe'
 condition: selection and not filter1 and not filter2
 fields:
 - CommandLine
diff --git a/rules/windows/process_creation/win_susp_vboxdrvInst.yml b/rules/windows/process_creation/win_susp_vboxdrvInst.yml
new file mode 100644
index 000000000..024b51499
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_vboxdrvInst.yml
@@ -0,0 +1,31 @@
+title: Suspicious VBoxDrvInst.exe Parameters
+id: b7b19cb6-9b32-4fc4-a108-73f19acfe262
+description: Detect VBoxDrvInst.exe run whith parameters allowing processing INF file. This allows to create values in the registry and install drivers.
+ For example one could use this technique to obtain persistence via modifying one of Run or RunOnce registry keys
+status: experimental
+author: Konstantin Grishchenko, oscd.community
+date: 2020/10/06
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OtherBinaries/VBoxDrvInst.yml
+ - https://twitter.com/pabraeken/status/993497996179492864
+tags:
+ - attack.defense_evasion
+ - attack.t1112
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\VBoxDrvInst.exe'
+ CommandLine|contains|all:
+ - 'driver'
+ - 'executeinf'
+ condition: selection
+fields:
+ - ComputerName
+ - User
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Legitimate use of VBoxDrvInst.exe utility by VirtualBox Guest Additions installation process
+level: medium
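Review bot: The description of the new win_susp_vboxdrvInst.yml has a typo and an awkward construction in its first line; `Detects VBoxDrvInst.exe run with parameters that allow processing an INF file. This allows creating values in the registry and installing drivers.` reads cleanly. The second sentence is continued on a separately indented line, which YAML folds into the same plain scalar, so it works but is easy to misread as a stray list item; a `>`-style folded scalar or keeping the sentence on one line is clearer. The userinit hunk above is fine as changed.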
diff --git a/rules/windows/process_creation/win_susp_vbscript_unc2452.yml b/rules/windows/process_creation/win_susp_vbscript_unc2452.yml
new file mode 100644
index 000000000..d224ddbf9
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_vbscript_unc2452.yml
@@ -0,0 +1,26 @@
+title: Suspicious VBScript UN2452 Pattern
+id: 20c3f09d-c53d-4e85-8b74-6aa50e2f1b61
+description: Detects suspicious inline VBScript keywords as used by UNC2452
+status: experimental
+references:
+ - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
+author: Florian Roth
+date: 2021/03/05
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - 'Execute'
+ - 'CreateObject'
+ - 'RegRead'
+ - 'window.close'
+ - '\Microsoft\Windows\CurrentVersion'
+ filter:
+ CommandLine|contains:
+ - '\Software\Microsoft\Windows\CurrentVersion\Run'
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/win_susp_volsnap_disable.yml b/rules/windows/process_creation/win_susp_volsnap_disable.yml
new file mode 100644
index 000000000..416b8f301
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_volsnap_disable.yml
@@ -0,0 +1,25 @@
+title: Disabled Volume Snapshots
+id: dee4af55-1f22-4e1d-a9d2-4bdc7ecb472a
+description: Detects commands that temporarily turn off Volume Snapshots
+references:
+ - https://twitter.com/0gtweet/status/1354766164166115331
+date: 2021/01/28
+status: experimental
+author: Florian Roth
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - 'reg'
+ - ' add '
+ - '\Services\VSS\Diag'
+ - '/d Disabled'
+ condition: selection
+falsepositives:
+ - Legitimate administration
+level: high
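Review bot: The `filter` in win_susp_vbscript_unc2452.yml excludes every command line that contains `\Software\Microsoft\Windows\CurrentVersion\Run`, which is a superset of the `\Microsoft\Windows\CurrentVersion` substring the selection requires, so any script touching the Run key is deliberately dropped and the reason is not recorded anywhere in the rule. A maintainer reading this later will see a persistence location being whitelisted in a rule about a persistence-oriented actor and may well remove it; a one-line comment on the filter stating the actual reason (presumably noise from legitimate scripts that read the Run key) would prevent that. The title also has `UN2452` where the description and the rest of the rule say `UNC2452`.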
diff --git a/rules/windows/process_creation/win_susp_whoami.yml b/rules/windows/process_creation/win_susp_whoami.yml
index 1d3ec9ced..5fab95fae 100644
--- a/rules/windows/process_creation/win_susp_whoami.yml
+++ b/rules/windows/process_creation/win_susp_whoami.yml
@@ -16,11 +16,12 @@ logsource:
 product: windows
 detection:
 selection:
- Image: '*\whoami.exe'
+ Image|endswith: '\whoami.exe'
 selection2:
 OriginalFileName: 'whoami.exe'
 condition: selection or selection2
 falsepositives:
 - Admin activity
 - Scripts and administrative tools used in the monitored environment
-level: high
+ - Monitoring activity
+level: medium
diff --git a/rules/windows/process_creation/win_susp_winrm_AWL_bypass.yml b/rules/windows/process_creation/win_susp_winrm_AWL_bypass.yml
new file mode 100644
index 000000000..5ed592814
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_winrm_AWL_bypass.yml
@@ -0,0 +1,47 @@
+action: global
+title: AWL Bypass with Winrm.vbs and Malicious WsmPty.xsl/WsmTxt.xsl
+id: 074e0ded-6ced-4ebd-8b4d-53f55908119d
+description: Detects execution of attacker-controlled WsmPty.xsl or WsmTxt.xsl via winrm.vbs and copied cscript.exe (can be renamed)
+status: experimental
+references:
+ - https://posts.specterops.io/application-whitelisting-bypass-and-arbitrary-unsigned-code-execution-technique-in-winrm-vbs-c8c24fb40404
+author: Julia Fomina, oscd.community
+date: 2020/10/06
+tags:
+ - attack.defense_evasion
+ - attack.t1216
+level: medium
+falsepositives:
+ - Unlikely
+---
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ contains_format_pretty_arg:
+ CommandLine|contains:
+ - 'format:pretty'
+ - 'format:"pretty"'
+ - 'format:"text"'
+ - 'format:text'
+ image_from_system_folder:
+ Image|startswith:
+ - 'C:\Windows\System32\'
+ - 'C:\Windows\SysWOW64\'
+ contains_winrm:
+ CommandLine|contains: 'winrm'
+ condition: contains_winrm and (contains_format_pretty_arg and not image_from_system_folder)
+---
+logsource:
+ product: windows
+ category: file_event
+detection:
+ system_files:
+ TargetFilename|endswith:
+ - 'WsmPty.xsl'
+ - 'WsmTxt.xsl'
+ in_system_folder:
+ TargetFilename|startswith:
+ - 'C:\Windows\System32\'
+ - 'C:\Windows\SysWOW64\'
+ condition: system_files and not in_system_folder
diff --git a/rules/windows/process_creation/win_susp_winrm_execution.yml b/rules/windows/process_creation/win_susp_winrm_execution.yml
new file mode 100644
index 000000000..2ecb2b39e
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_winrm_execution.yml
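Review bot: Both exclusions, `image_from_system_folder` in the process_creation document and `in_system_folder` in the file_event document, hard-code the `C:\` drive letter, so on a host whose system volume is not C: the genuine `%SystemRoot%\System32\WsmPty.xsl` and the real cscript.exe fall outside the exclusion and every ordinary winrm invocation fires at level medium. If the backend cannot expand environment variables, at least state the assumption next to the first list: `# assumes the system drive is C:; adjust for hosts with a different SystemRoot`. The `'format:"text"'` and `'format:"pretty"'` entries cover the double-quoted form only; a comment noting that single-quoted variants are intentionally not matched (or adding them) would make the coverage explicit.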
@@ -0,0 +1,27 @@
+title: Remote Code Execute via Winrm.vbs
+id: 9df0dd3a-1a5c-47e3-a2bc-30ed177646a0
+description: Detects an attempt to execude code or create service on remote host via winrm.vbs.
+status: experimental
+references:
+ - https://twitter.com/bohops/status/994405551751815170
+ - https://redcanary.com/blog/lateral-movement-winrm-wmi/
+author: Julia Fomina, oscd.community
+date: 2020/10/07
+tags:
+ - attack.defense_evasion
+ - attack.t1216
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\cscript.exe'
+ CommandLine|contains|all:
+ - 'winrm'
+ - 'invoke Create wmicimv2/Win32_'
+ - '-r:http'
+ condition: selection
+level: medium
+falsepositives:
+ - Legitimate use for administartive purposes. Unlikely
+
diff --git a/rules/windows/process_creation/win_susp_wmi_execution.yml b/rules/windows/process_creation/win_susp_wmi_execution.yml
index 3c33aca3b..c6316f7a6 100644
--- a/rules/windows/process_creation/win_susp_wmi_execution.yml
+++ b/rules/windows/process_creation/win_susp_wmi_execution.yml
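Review bot: Two typos in the new rule's text: `execude` in the description should be `execute`, and `administartive` in falsepositives should be `administrative`; the title `Remote Code Execute via Winrm.vbs` reads better as `Remote Code Execution via Winrm.vbs`. The selection is anchored on `Image|endswith: '\cscript.exe'`, which is fine for the documented invocation but is worth a comment since the sibling rule win_susp_winrm_AWL_bypass.yml in this same commit explicitly accounts for a renamed cscript.exe; `# cscript.exe by name only; a renamed copy is covered by win_susp_winrm_AWL_bypass.yml` would tie the two together.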
@@ -6,21 +6,31 @@ references:
 - https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/
 - https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1
 - https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/
-author: Michael Haag, Florian Roth, juju4
+author: Michael Haag, Florian Roth, juju4, oscd.community
 date: 2019/01/16
+modified: 2020/11/28
 logsource:
 category: process_creation
 product: windows
 detection:
 selection:
- Image:
- - '*\wmic.exe'
- CommandLine:
- - '*/NODE:*process call create *'
- - '* path AntiVirusProduct get *'
- - '* path FirewallProduct get *'
- - '* shadowcopy delete *'
- condition: selection
+ Image|endswith: '\wmic.exe'
+ selection2:
+ CommandLine|contains|all:
+ - 'process'
+ - 'call'
+ - 'create '
+ recon_part1:
+ CommandLine|contains: ' path '
+ recon_part2:
+ CommandLine|contains:
+ - 'AntiVirus'
+ - 'Firewall'
+ CommandLine|contains|all:
+ - 'Product'
+ - ' get '
+ condition: (selection and selection2) or
+ (selection and recon_part1 and recon_part2)
 fields:
 - CommandLine
 - ParentCommandLine
diff --git a/rules/windows/process_creation/win_susp_wmic_eventconsumer_create.yml b/rules/windows/process_creation/win_susp_wmic_eventconsumer_create.yml
new file mode 100644
index 000000000..17d3021c5
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_wmic_eventconsumer_create.yml
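Review bot: The removed `'* shadowcopy delete *'` pattern has no counterpart in the rewritten detection: `selection2` covers `process call create` and `recon_part1`/`recon_part2` the AV/firewall product queries, so `wmic shadowcopy delete` is no longer matched by this rule. If that pattern was moved to a dedicated rule (the commit does not say), name it in a comment here so the gap is visibly intentional; otherwise add a third selection such as `shadow_copy:` with `CommandLine|contains|all: ['shadowcopy', 'delete']` and include it in the condition. The old `/NODE:` requirement was also dropped, so `selection2` now matches local `process call create` as well as remote; that widening is probably wanted but deserves a note since the references are about remote execution.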
@@ -0,0 +1,27 @@
+title: Suspicious WMIC ActiveScriptEventConsumer Creation
+id: ebef4391-1a81-4761-a40a-1db446c0e625
+status: experimental
+description: Detects WMIC executions in which a event consumer gets created in order to establish persistence
+references:
+ - https://twitter.com/johnlatwc/status/1408062131321270282?s=12
+ - https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf
+author: Florian Roth
+date: 2021/06/25
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - 'ActiveScriptEventConsumer'
+ - ' CREATE '
+ condition: selection
+fields:
+ - CommandLine
+ - ParentCommandLine
+tags:
+ - attack.persistence
+ - attack.t1546.003
+falsepositives:
+ - Legitimate software creating script event consumers
+level: high
diff --git a/rules/windows/process_creation/win_susp_wmic_security_product_uninstall.yml b/rules/windows/process_creation/win_susp_wmic_security_product_uninstall.yml
new file mode 100644
index 000000000..68e3f4910
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_wmic_security_product_uninstall.yml
@@ -0,0 +1,35 @@
+title: Wmic Uninstall Security Product
+id: 847d5ff3-8a31-4737-a970-aeae8fe21765
+description: Detects deinstallation of security products using WMIC utility
+references:
+ - https://twitter.com/cglyer/status/1355171195654709249
+date: 2021/01/30
+status: experimental
+author: Florian Roth
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - 'wmic'
+ - 'product where name='
+ - 'call uninstall'
+ - '/nointeractive'
+ selection_product:
+ CommandLine|contains:
+ - 'Antivirus'
+ - 'Endpoint Security'
+ - 'Endpoint Detection'
+ - 'Crowdstrike Sensor'
+ - 'Windows Defender'
+ - 'VirusScan'
+ - 'Threat Protection'
+ - 'Endpoint Sensor'
+ condition: selection and selection_product
+falsepositives:
+ - Legitimate administration
+level: medium
diff --git a/rules/windows/process_creation/win_susp_wsl_lolbin.yml b/rules/windows/process_creation/win_susp_wsl_lolbin.yml
new file mode 100644
index 000000000..71c561a9b
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_wsl_lolbin.yml
@@ -0,0 +1,27 @@
+title: WSL Execution
+id: dec44ca7-61ad-493c-bfd7-8819c5faa09b
+status: experimental
+description: Detects Possible usage of Windows Subsystem for Linux (WSL) binary as a LOLBIN
+references:
+ - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/
+tags:
+ - attack.execution
+ - attack.defense_evasion
+ - attack.t1218
+ - attack.t1202
+author: 'oscd.community, Zach Stanford @svch0st'
+date: 2020/10/05
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - '\wsl.exe'
+ CommandLine|contains:
+ - ' -e '
+ - ' --exec '
+ condition: selection
+falsepositives:
+ - Automation and orchestration scripts may use this method execute scripts etc
+level: medium
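Review bot: In win_susp_wmic_security_product_uninstall.yml the `all` list requires `'/nointeractive'`, which is an optional switch that only suppresses wmic's confirmation prompt, so the rule is pinned to the one command form shown in the referenced tweet rather than to the uninstall action itself. Since `selection_product` already narrows to security-product names, removing `'/nointeractive'` from the `all` list keeps the detection without adding noise; if it is kept, a comment should say it is there to mirror the observed sample. `'product where name='` likewise assumes an exact-name query; `name like` queries are a valid wmic form that this substring does not cover, which is worth noting in the description. The wsl hunk below is fine; only its falsepositives sentence is missing a word (`may use this method to execute scripts`).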
diff --git a/rules/windows/process_creation/win_susp_wuauclt.yml b/rules/windows/process_creation/win_susp_wuauclt.yml
index dde4a5f13..9d36bc717 100644
--- a/rules/windows/process_creation/win_susp_wuauclt.yml
+++ b/rules/windows/process_creation/win_susp_wuauclt.yml
@@ -6,6 +6,7 @@ references:
 - https://dtm.uk/wuauclt/
 author: FPT.EagleEye Team
 date: 2020/10/17
+modified: 2021/05/12
 tags:
 - attack.command_and_control
 - attack.execution
@@ -13,10 +14,10 @@ tags:
 - attack.t1218
 logsource:
 product: windows
- service: process_creation
+ category: process_creation
 detection:
 selection:
- ProcessCommandline|contains|all:
+ ProcessCommandLine|contains|all:
 - '/UpdateDeploymentProvider'
 - '/RunHandlerComServer'
 Image|endswith:
@@ -24,4 +25,4 @@ detection:
 condition: selection
 falsepositives:
 - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/process_creation/win_syncappvpublishingserver_exe.yml b/rules/windows/process_creation/win_syncappvpublishingserver_exe.yml
new file mode 100644
index 000000000..203fefb92
--- /dev/null
+++ b/rules/windows/process_creation/win_syncappvpublishingserver_exe.yml
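Review bot: The second wuauclt hunk fixes the capitalisation to `ProcessCommandLine`, but that is still not the field the generic `process_creation` log source defines; every other rule in this directory (and in this commit) uses `CommandLine`, and `ProcessCommandLine` is the Microsoft Defender for Endpoint schema name, so backends that map `category: process_creation` will not resolve it and the rule stays silent. Unless the rule is deliberately single-backend, `CommandLine|contains|all:` is the fix; if it is deliberate, say so in a comment on the logsource. The hunk also switches `service:` to `category:`, which is the right key for this log source and makes the field mismatch more visible, not less.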
@@ -0,0 +1,30 @@
+action: global
+title: SyncAppvPublishingServer Execution to Bypass Powershell Restriction
+id: fde7929d-8beb-4a4c-b922-be9974671667
+description: Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions.
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/
+author: 'Ensar Şamil, @sblmsrsn, OSCD Community'
+date: 2020/10/05
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+detection:
+ condition: selection
+falsepositives:
+ - App-V clients
+level: medium
+---
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection:
+ Image|endswith: '\SyncAppvPublishingServer.exe'
+---
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection:
+ Message|contains: 'SyncAppvPublishingServer.exe'
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_system_exe_anomaly.yml b/rules/windows/process_creation/win_system_exe_anomaly.yml
index 809970e8b..da03e08cd 100644
--- a/rules/windows/process_creation/win_system_exe_anomaly.yml
+++ b/rules/windows/process_creation/win_system_exe_anomaly.yml
@@ -4,8 +4,9 @@ status: experimental
 description: Detects a Windows program executable started in a suspicious folder
 references:
 - https://twitter.com/GelosSnake/status/934900723426439170
-author: Florian Roth, Patrick Bareiss
+author: Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community
 date: 2017/11/27
+modified: 2021/03/02
 tags:
 - attack.defense_evasion
 - attack.t1036
@@ -14,39 +15,40 @@ logsource:
 product: windows
 detection:
 selection:
- Image:
- - '*\svchost.exe'
- - '*\rundll32.exe'
- - '*\services.exe'
- - '*\powershell.exe'
- - '*\regsvr32.exe'
- - '*\spoolsv.exe'
- - '*\lsass.exe'
- - '*\smss.exe'
- - '*\csrss.exe'
- - '*\conhost.exe'
- - '*\wininit.exe'
- - '*\lsm.exe'
- - '*\winlogon.exe'
- - '*\explorer.exe'
- - '*\taskhost.exe'
- - '*\Taskmgr.exe'
- - '*\sihost.exe'
- - '*\RuntimeBroker.exe'
- - '*\smartscreen.exe'
- - '*\dllhost.exe'
- - '*\audiodg.exe'
- - '*\wlanext.exe'
+ Image|endswith:
+ - '\svchost.exe'
+ - '\rundll32.exe'
+ - '\services.exe'
+ - '\powershell.exe'
+ - '\regsvr32.exe'
+ - '\spoolsv.exe'
+ - '\lsass.exe'
+ - '\smss.exe'
+ - '\csrss.exe'
+ - '\conhost.exe'
+ - '\wininit.exe'
+ - '\lsm.exe'
+ - '\winlogon.exe'
+ - '\explorer.exe'
+ - '\taskhost.exe'
+ - '\Taskmgr.exe'
+ - '\sihost.exe'
+ - '\RuntimeBroker.exe'
+ - '\smartscreen.exe'
+ - '\dllhost.exe'
+ - '\audiodg.exe'
+ - '\wlanext.exe'
 filter:
- Image:
- - 'C:\Windows\System32\\*'
- - 'C:\Windows\system32\\*'
- - 'C:\Windows\SysWow64\\*'
- - 'C:\Windows\SysWOW64\\*'
- - 'C:\Windows\explorer.exe'
- - 'C:\Windows\winsxs\\*'
- - 'C:\Windows\WinSxS\\*'
- - '\SystemRoot\System32\\*'
+ - Image|startswith:
+ - 'C:\Windows\System32\'
+ - 'C:\Windows\system32\'
+ - 'C:\Windows\SysWow64\'
+ - 'C:\Windows\SysWOW64\'
+ - 'C:\Windows\winsxs\'
+ - 'C:\Windows\WinSxS\'
+ - 'C:\avast! sandbox'
+ - Image|contains: '\SystemRoot\System32\'
+ - Image: 'C:\Windows\explorer.exe'
 condition: selection and not filter
 fields:
 - ComputerName
diff --git a/rules/windows/process_creation/win_task_folder_evasion.yml b/rules/windows/process_creation/win_task_folder_evasion.yml
index a10446c67..402ff3615 100644
--- a/rules/windows/process_creation/win_task_folder_evasion.yml
+++ b/rules/windows/process_creation/win_task_folder_evasion.yml
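Review bot: The old filter entry `'\SystemRoot\System32\\*'` was a prefix match, but its replacement `Image|contains: '\SystemRoot\System32\'` is wider: it now whitelists any image path that has that substring anywhere, not only paths rooted there, which is an unnecessary hole in an anomaly rule whose whole point is the path. `Image|startswith: '\SystemRoot\System32\'` keeps the original semantics and fits the sibling `Image|startswith` list. The `'C:\avast! sandbox'` entry is new in this hunk and not explained by the commit; it lacks a trailing backslash, so it also matches any sibling directory beginning with that name, and a short comment (`# Avast sandbox relaunches system binaries from here`) plus the trailing `\` would make the intent clear.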
@@ -6,7 +6,7 @@ references:
 - https://twitter.com/subTee/status/1216465628946563073
 - https://gist.github.com/am0nsec/8378da08f848424e4ab0cc5b317fdd26
 date: 2020/01/13
-modified: 2020/08/29
+modified: 2021/05/30
 author: Sreeman
 tags:
 - attack.defense_evasion
@@ -17,7 +17,7 @@ tags:
 - attack.t1064 # an old one
 logsource:
- product: Windows
+ product: windows
 detection:
 selection1:
 CommandLine|contains:
diff --git a/rules/windows/process_creation/win_termserv_proc_spawn.yml b/rules/windows/process_creation/win_termserv_proc_spawn.yml
index 0e4767335..f49573a1d 100644
--- a/rules/windows/process_creation/win_termserv_proc_spawn.yml
+++ b/rules/windows/process_creation/win_termserv_proc_spawn.yml
@@ -18,10 +18,12 @@ logsource:
 category: process_creation
 detection:
 selection:
- ParentCommandLine: '*\svchost.exe*termsvcs'
+ ParentCommandLine|contains|all:
+ - '\svchost.exe'
+ - 'termsvcs'
 filter:
- Image: '*\rdpclip.exe'
+ Image|endswith: '\rdpclip.exe'
 condition: selection and not filter
 falsepositives:
 - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/process_creation/win_trust_discovery.yml b/rules/windows/process_creation/win_trust_discovery.yml
index 188ea07bd..718c98e2a 100644
--- a/rules/windows/process_creation/win_trust_discovery.yml
+++ b/rules/windows/process_creation/win_trust_discovery.yml
@@ -2,7 +2,7 @@ title: Domain Trust Discovery
 id: 3bad990e-4848-4a78-9530-b427d854aac0
 description: Identifies execution of nltest.exe and dsquery.exe for domain trust discovery. This technique is used by attackers to enumerate Active Directory trusts.
 status: experimental
-author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community, omkar72
+author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community, omkar72
 date: 2019/10/24
 modified: 2020/10/30
 references:
diff --git a/rules/windows/process_creation/win_uac_cmstp.yml b/rules/windows/process_creation/win_uac_cmstp.yml
index 8f31e7c4a..76922a0a1 100644
--- a/rules/windows/process_creation/win_uac_cmstp.yml
+++ b/rules/windows/process_creation/win_uac_cmstp.yml
@@ -2,7 +2,7 @@ title: Bypass UAC via CMSTP
 id: e66779cc-383e-4224-a3a4-267eeb585c40
 description: Detect child processes of automatically elevated instances of Microsoft Connection Manager Profile Installer (cmstp.exe).
 status: experimental
-author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
+author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
 date: 2019/10/24
 modified: 2020/08/29
 references:
diff --git a/rules/windows/process_creation/win_uac_fodhelper.yml b/rules/windows/process_creation/win_uac_fodhelper.yml
index e17d29db4..303625acc 100644
--- a/rules/windows/process_creation/win_uac_fodhelper.yml
+++ b/rules/windows/process_creation/win_uac_fodhelper.yml
@@ -2,7 +2,7 @@ title: Bypass UAC via Fodhelper.exe
 id: 7f741dcf-fc22-4759-87b4-9ae8376676a2
 description: Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
 status: experimental
-author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community
+author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community
 date: 2019/10/24
 modified: 2019/11/11
 references:
diff --git a/rules/windows/process_creation/win_uac_wsreset.yml b/rules/windows/process_creation/win_uac_wsreset.yml
index 4734aebac..62bb664af 100644
--- a/rules/windows/process_creation/win_uac_wsreset.yml
+++ b/rules/windows/process_creation/win_uac_wsreset.yml
@@ -2,7 +2,7 @@ title: Bypass UAC via WSReset.exe
 id: d797268e-28a9-49a7-b9a8-2f5039011c5c
 description: Identifies use of WSReset.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
 status: experimental
-author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community
+author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community
 date: 2019/10/24
 modified: 2019/11/11
 references:
diff --git a/rules/windows/process_creation/win_using_settingsynchost_as_lolbin.yml b/rules/windows/process_creation/win_using_settingsynchost_as_lolbin.yml
new file mode 100644
index 000000000..aa3b63073
--- /dev/null
+++ b/rules/windows/process_creation/win_using_settingsynchost_as_lolbin.yml
@@ -0,0 +1,33 @@
+title: Using SettingSyncHost.exe as LOLBin
+description: Detects using SettingSyncHost.exe to run hijacked binary
+id: b2ddd389-f676-4ac4-845a-e00781a48e5f
+status: experimental
+references:
+ - https://www.hexacorn.com/blog/2020/02/02/settingsynchost-exe-as-a-lolbin
+tags:
+ - attack.execution
+ - attack.defense_evasion
+ - attack.t1574.008
+author: Anton Kutepov, oscd.community
+date: 2020/02/05
+modified: 2020/10/10
+level: high
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ system_utility:
+ Image|startswith:
+ - 'C:\Windows\System32\'
+ - 'C:\Windows\SysWOW64\'
+ parent_is_settingsynchost:
+ ParentCommandLine|contains|all:
+ - 'cmd.exe /c'
+ - 'RoamDiag.cmd'
+ - '-outputpath'
+ condition: not system_utility and parent_is_settingsynchost
+fields:
+ - TargetFilename
+ - Image
+falsepositives:
+ - unknown
diff --git a/rules/windows/process_creation/win_verclsid_runs_com.yml b/rules/windows/process_creation/win_verclsid_runs_com.yml
new file mode 100644
index 000000000..99c649aec
--- /dev/null
+++ b/rules/windows/process_creation/win_verclsid_runs_com.yml
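Review bot: In win_using_settingsynchost_as_lolbin.yml the `fields` list names `TargetFilename`, which is a `file_event` field and does not exist on `process_creation` events, so it will never be populated in an alert; `CommandLine` and `ParentCommandLine` are what an analyst needs to see which binary RoamDiag.cmd ran. `system_utility` also hard-codes the `C:\` drive letter, as other rules in this commit do; a `# assumes the system drive is C:` comment keeps that assumption visible. The condition `not system_utility and parent_is_settingsynchost` is equivalent to, and reads more naturally as, `parent_is_settingsynchost and not system_utility`, the ordering used elsewhere in this commit.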
@@ -0,0 +1,29 @@
+title: Verclsid.exe Runs COM Object
+id: d06be4b9-8045-428b-a567-740a26d9db25
+status: experimental
+description: Detects when verclsid.exe is used to run COM object via GUID
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Verclsid.yml
+ - https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5
+ - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
+author: Victor Sergeev, oscd.community
+date: 2020/10/09
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ image_path:
+ Image|endswith: '\verclsid.exe'
+ cmd_s:
+ CommandLine|contains: '/S'
+ cmd_c:
+ CommandLine|contains: '/C'
+ condition: image_path and cmd_c and cmd_s
+fields:
+ - CommandLine
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1218
diff --git a/rules/windows/process_creation/win_visual_basic_compiler.yml b/rules/windows/process_creation/win_visual_basic_compiler.yml
new file mode 100644
index 000000000..3682987bf
--- /dev/null
+++ b/rules/windows/process_creation/win_visual_basic_compiler.yml
@@ -0,0 +1,22 @@
+title: Visual Basic Command Line Compiler Usage
+id: 7b10f171-7f04-47c7-9fa2-5be43c76e535
+status: experimental
+description: Detects successful code compilation via Visual Basic Command Line Compiler that utilizes Windows Resource to Object Converter.
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/Vbc/
+author: 'Ensar Şamil, @sblmsrsn, @oscd_initiative'
+date: 2020/10/07
+tags:
+ - attack.defense_evasion
+ - attack.t1027.004
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage|endswith: '\vbc.exe'
+ Image|endswith: '\cvtres.exe'
+ condition: selection
+falsepositives:
+ - Utilization of this tool should not be seen in enterprise environment
+level: high
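Review bot: The falsepositives entry in win_visual_basic_compiler.yml, `Utilization of this tool should not be seen in enterprise environment`, understates how common the `vbc.exe` → `cvtres.exe` chain is: it is produced by every VB.NET compile on developer workstations and build agents, and .NET code-generation paths can invoke the compiler at runtime as well (confirm in your own telemetry). At `level: high` the rule will alert on each such compile, so either list developer and build hosts as expected sources in falsepositives or lower the level, and say which in the rule. The verclsid rule above is fine; its `cmd_c: CommandLine|contains: '/C'` is a two-character substring, so a comment noting it is meant to pair with `/S` (and is only evaluated together with it) would help a reader who wonders why it is not anchored.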
diff --git a/rules/windows/process_creation/win_vul_java_remote_debugging.yml b/rules/windows/process_creation/win_vul_java_remote_debugging.yml
index 654135a43..06b658f96 100644
--- a/rules/windows/process_creation/win_vul_java_remote_debugging.yml
+++ b/rules/windows/process_creation/win_vul_java_remote_debugging.yml
@@ -9,10 +9,10 @@ logsource:
 product: windows
 detection:
 selection:
- CommandLine: '*transport=dt_socket,address=*'
+ CommandLine|contains: 'transport=dt_socket,address='
 exclusion:
- - CommandLine: '*address=127.0.0.1*'
- - CommandLine: '*address=localhost*'
+ - CommandLine|contains: 'address=127.0.0.1'
+ - CommandLine|contains: 'address=localhost'
 condition: selection and not exclusion
 fields:
 - CommandLine
diff --git a/rules/windows/process_creation/win_webshell_detection.yml b/rules/windows/process_creation/win_webshell_detection.yml
index a70037f40..09d432656 100644
--- a/rules/windows/process_creation/win_webshell_detection.yml
+++ b/rules/windows/process_creation/win_webshell_detection.yml
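Review bot: The exclusions only recognise an explicit `address=127.0.0.1` or `address=localhost`; a bare `address=<port>` with no host is the more common form and, as far as I recall from the JDK 9 release notes, binds to the loopback interface only on JDK 9 and later, so the rule reports a local-only debug listener as remotely reachable on modern JDKs. A comment such as `# JDK 9+: address=<port> without a host listens on loopback only; JDK 8 and earlier listened on all interfaces` records the caveat, and if the backend supports `|re` a host-less port pattern could join the exclusion list. The `|contains` conversion itself is correct and matches the original wildcard semantics.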
@@ -1,44 +1,69 @@
 title: Webshell Detection With Command Line Keywords
 id: bed2a484-9348-4143-8a8a-b801c979301c
 description: Detects certain command line parameters often used during reconnaissance activity via web shells
-author: Florian Roth
+author: Florian Roth, Jonhnathan Ribeiro, Anton Kutepov, oscd.community
 references:
 - https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html
+ - https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/
 date: 2017/01/01
-modified: 2021/01/06
+modified: 2021/03/02
 tags:
 - attack.persistence
 - attack.t1505.003
+ - attack.t1018
+ - attack.t1033
+ - attack.t1087
 - attack.privilege_escalation # an old one
 - attack.t1100 # an old one
 logsource:
 category: process_creation
 product: windows
 detection:
- selection:
- ParentImage:
- - '*\apache*'
- - '*\tomcat*'
- - '*\w3wp.exe'
- - '*\php-cgi.exe'
- - '*\nginx.exe'
- - '*\httpd.exe'
- CommandLine:
- - '*whoami*'
- - '*net user *'
- - '*ping -n *'
- - '*systeminfo'
- - '*&cd&echo*'
- - '*cd /d*' # https://www.computerhope.com/cdhlp.htm
- - '*ipconfig*'
- - '*pathping*'
- - '*tracert*'
- - '*netstat*'
- - '*schtasks*'
- - '*vssadmin*'
- - '*wevtutil*'
- - '*tasklist*'
- condition: selection
+ parent_is_web_server_process:
+ - ParentImage|endswith:
+ - '\w3wp.exe'
+ - '\php-cgi.exe'
+ - '\nginx.exe'
+ - '\httpd.exe'
+ - ParentImage|contains:
+ - '\apache'
+ - '\tomcat'
+ net_utility:
+ Image|endswith:
+ - '\net.exe'
+ - '\net1.exe'
+ CommandLine|contains:
+ - ' user '
+ - ' use '
+ - ' group '
+ ping_utility:
+ Image|endswith: '\ping.exe'
+ CommandLine|contains: ' -n '
+ change_dir:
+ CommandLine|contains:
+ - '&cd&echo' # china chopper web shell
+ - 'cd /d ' # https://www.computerhope.com/cdhlp.htm
+ wmic_utility:
+ Image|endswith: '\wmic.exe'
+ CommandLine|contains: ' /node:'
+ misc_discovery_binaries:
+ Image|endswith:
+ - '\whoami.exe'
+ - '\systeminfo.exe'
+ - '\quser.exe'
+ - '\ipconfig.exe'
+ - '\pathping.exe'
+ - 
'\tracert.exe'
+ - '\netstat.exe'
+ - '\schtasks.exe'
+ - '\vssadmin.exe'
+ - '\wevtutil.exe'
+ - '\tasklist.exe'
+ misc_discovery_commands:
+ CommandLine|contains:
+ - ' Test-NetConnection '
+ - 'dir \' # remote dir: dir \\C$:\windows\temp\*.exe
+ condition: parent_is_web_server_process and (net_utility or ping_utility or change_dir or wmic_utility or misc_discovery_binaries or misc_discovery_commands)
 fields:
 - CommandLine
 - ParentCommandLine
diff --git a/rules/windows/process_creation/win_webshell_recon_detection.yml b/rules/windows/process_creation/win_webshell_recon_detection.yml
index a6004cc22..5c9663ce7 100644
--- a/rules/windows/process_creation/win_webshell_recon_detection.yml
+++ b/rules/windows/process_creation/win_webshell_recon_detection.yml
@@ -16,21 +16,23 @@ logsource:
 product: windows
 detection:
 selection:
- ParentImage|contains:
- - '*\apache*'
- - '*\tomcat*'
- - '*\w3wp.exe'
- - '*\php-cgi.exe'
- - '*\nginx.exe'
- - '*\httpd.exe'
+ - ParentImage|contains:
+ - '\apache'
+ - '\tomcat'
+ - ParentImage|endswith:
+ - '\w3wp.exe'
+ - '\php-cgi.exe'
+ - '\nginx.exe'
+ - '\httpd.exe'
+ selection2:
 Image|endswith:
- - '*\cmd.exe'
+ - '\cmd.exe'
 CommandLine|contains:
- - '*perl --help*'
- - '*python --help*'
- - '*wget --help*'
- - '*perl -h*'
- condition: selection
+ - 'perl --help'
+ - 'python --help'
+ - 'wget --help'
+ - 'perl -h'
+ condition: selection and selection2
 fields:
 - Image
 - CommandLine
diff --git a/rules/windows/process_creation/win_webshell_spawn.yml b/rules/windows/process_creation/win_webshell_spawn.yml
index 982cd23f8..197567f6a 100644
--- a/rules/windows/process_creation/win_webshell_spawn.yml
+++ b/rules/windows/process_creation/win_webshell_spawn.yml
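Review bot: The rewritten win_webshell_detection.yml (hunk starts on the previous line) moves from command-line substrings to `Image|endswith` for the discovery binaries, which is a real improvement, but the `'dir \'` entry in `misc_discovery_commands` ends a single-quoted YAML value with a lone backslash, and Sigma backends differ in whether a trailing `\` is a literal or an escape that swallows the closing quote on conversion; `'dir \\'` (explicit literal backslash) converts the same way everywhere and keeps the intent. The `# remote dir: dir \\C$:\windows\temp\*.exe` comment is helpful and should stay. In the win_webshell_recon_detection.yml hunk below, splitting the parent list into `contains` and `endswith` sub-maps and pulling `Image`/`CommandLine` into `selection2` fixes the mixed-wildcard problem of the old rule; nothing further to raise there.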
@@ -10,18 +10,19 @@ logsource:
 product: windows
 detection:
 selection:
- ParentImage:
- - '*\w3wp.exe'
- - '*\httpd.exe'
- - '*\nginx.exe'
- - '*\php-cgi.exe'
- - '*\tomcat.exe'
- Image:
- - '*\cmd.exe'
- - '*\sh.exe'
- - '*\bash.exe'
- - '*\powershell.exe'
- - '*\bitsadmin.exe'
+ ParentImage|endswith:
+ - '\w3wp.exe'
+ - '\httpd.exe'
+ - '\nginx.exe'
+ - '\php-cgi.exe'
+ - '\tomcat.exe'
+ - '\UMWorkerProcess.exe' # https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html
+ Image|endswith:
+ - '\cmd.exe'
+ - '\sh.exe'
+ - '\bash.exe'
+ - '\powershell.exe'
+ - '\bitsadmin.exe'
 condition: selection
 fields:
 - CommandLine
diff --git a/rules/windows/process_creation/win_whoami_priv.yml b/rules/windows/process_creation/win_whoami_priv.yml
new file mode 100644
index 000000000..3cd02819c
--- /dev/null
+++ b/rules/windows/process_creation/win_whoami_priv.yml
@@ -0,0 +1,23 @@
+title: Run Whoami Showing Privileges
+id: 97a80ec7-0e2f-4d05-9ef4-65760e634f6b
+status: experimental
+description: Detects a whoami.exe executed with the /priv command line flag instructing the tool to show all current user privieleges. This is often used after a privilege escalation attempt.
+references:
+ - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/whoami
+author: Florian Roth
+date: 2021/05/05
+tags:
+ - attack.privilege_escalation
+ - attack.discovery
+ - attack.t1033
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\whoami.exe'
+ CommandLine|contains: '/priv'
+ condition: selection
+falsepositives:
+ - Administrative activity (rare lookups on current privileges)
+level: high
diff --git a/rules/windows/process_creation/win_win10_sched_task_0day.yml b/rules/windows/process_creation/win_win10_sched_task_0day.yml
index 93db4c7d2..282891345 100644
--- a/rules/windows/process_creation/win_win10_sched_task_0day.yml
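Review bot: In win_whoami_priv.yml the description has a typo, `privieleges` → `privileges`, and it says the flag shows "all current user privileges" while the selection matches only `/priv`; `whoami /all` prints the same privilege table, so either add `'/all'` to a `CommandLine|contains` list or narrow the wording to "the /priv switch". Hedged, because `/all` may be intentionally left to the generic win_susp_whoami.yml rule also touched in this commit, in which case a one-line comment saying so avoids the question next time. The webshell_spawn hunk above is a clean `|endswith` conversion; the `\UMWorkerProcess.exe` addition carries its reference inline, which is the right way to document it.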
+++ b/rules/windows/process_creation/win_win10_sched_task_0day.yml
@@ -13,7 +13,11 @@ logsource:
 detection:
 selection:
 Image|endswith: '\schtasks.exe'
- CommandLine: '*/change*/TN*/RU*/RP*'
+ CommandLine|contains|all:
+ - '/change'
+ - '/TN'
+ - '/RU'
+ - '/RP'
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/win_winword_dll_load.yml b/rules/windows/process_creation/win_winword_dll_load.yml
new file mode 100644
index 000000000..cae14f604
--- /dev/null
+++ b/rules/windows/process_creation/win_winword_dll_load.yml
@@ -0,0 +1,25 @@
+title: Winword.exe Loads Suspicious DLL
+id: 2621b3a6-3840-4810-ac14-a02426086171
+status: experimental
+description: Detects Winword.exe loading of custmom dll via /l cmd switch
+references:
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/LOLUtilz/OtherMSBinaries/Winword.yml
+author: Victor Sergeev, oscd.community
+date: 2020/10/09
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ image_path:
+ Image|endswith: '\winword.exe'
+ cmd:
+ CommandLine|contains: '/l'
+ condition: image_path and cmd
+fields:
+ - CommandLine
+tags:
+ - attack.defense_evasion
+ - attack.t1202
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml b/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml
index ef2451168..4e8ce30d6 100644
--- a/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml
+++ b/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml
@@ -1,7 +1,7 @@
 title: WMI Backdoor Exchange Transport Agent
 id: 797011dc-44f4-4e6f-9f10-a8ceefbe566b
 status: experimental
-description: Detects a WMi backdoor in Exchange Transport Agents via WMi event filters
+description: Detects a WMI backdoor in Exchange Transport Agents via WMI event filters
 author: Florian Roth
 date: 2019/10/11
 references:
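Review bot: In win_winword_dll_load.yml the `cmd` selection is `CommandLine|contains: '/l'`, a two-character substring that matches any forward-slash path or URL fragment on the command line (`/lib`, `/login`, …), not just the `/l<addin>` switch, so with `image_path` it will fire on ordinary document opens that happen to carry such a path. Anchoring on the preceding space, `CommandLine|contains: ' /l'`, and adding `# /l<path> = load add-in switch` keeps the documented LOLBAS form while dropping most of that noise. The description also has a typo, `custmom` → `custom`. The schtasks hunk above is a faithful `|all` conversion, though it loses the old ordering constraint (`/change` before `/TN` before `/RU` before `/RP`); that is fine for a substring set and does not need changing.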
@@ -16,7 +16,7 @@ tags: - attack.t1084 # an old one detection: selection: - ParentImage: '*\EdgeTransport.exe' + ParentImage|endswith: '\EdgeTransport.exe' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/win_wmi_spwns_powershell.yml b/rules/windows/process_creation/win_wmi_spwns_powershell.yml index dee9e10d6..dcd52ef39 100644 --- a/rules/windows/process_creation/win_wmi_spwns_powershell.yml +++ b/rules/windows/process_creation/win_wmi_spwns_powershell.yml @@ -7,7 +7,7 @@ references: - https://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e author: Markus Neis / @Karneades date: 2019/04/03 -modified: 2020/08/29 +modified: 2021/02/24 tags: - attack.execution - attack.t1047 @@ -19,11 +19,15 @@ logsource: product: windows detection: selection: - ParentImage: - - '*\wmiprvse.exe' - Image: - - '*\powershell.exe' - condition: selection + ParentImage|endswith: + - '\wmiprvse.exe' + Image|endswith: + - '\powershell.exe' + filter_null1: + CommandLine: 'null' + filter_null2: # some backends need the null value in a seperate expression + CommandLine: null + condition: selection and not filter_null1 and not filter_null2 falsepositives: - AppvClient - CCM diff --git a/rules/windows/process_creation/win_wmiprvse_spawning_process.yml b/rules/windows/process_creation/win_wmiprvse_spawning_process.yml index aafe963ea..d5a59f6e0 100644 --- a/rules/windows/process_creation/win_wmiprvse_spawning_process.yml +++ b/rules/windows/process_creation/win_wmiprvse_spawning_process.yml 
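Review bot: The reworked selection in win_wmi_spwns_powershell keeps `Image|endswith: '\powershell.exe'` only, so PowerShell 7 (`pwsh.exe`) spawned by WmiPrvSE is not covered even though it is a drop-in for the same technique; add `- '\pwsh.exe'` to the `Image|endswith` list. The two null filters drop every event whose CommandLine is absent, which is a deliberate false-positive trade-off but also means sources without command-line auditing never trigger this rule; a sentence under `falsepositives` or a logsource `definition` saying the rule requires CommandLine to be populated would make that dependency visible. The comment also misspells "separate".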
@@ -3,10 +3,10 @@ id: d21374ff-f574-44a7-9998-4a8c8bf33d7d description: Detects wmiprvse spawning processes status: experimental date: 2019/08/15 -modified: 2020/11/05 +modified: 2021/02/24 author: Roberto Rodriguez @Cyb3rWard0g references: - - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1047_windows_management_instrumentation/wmi_win32_process_create_remote.md + - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190810201010.html tags: - attack.execution - attack.t1047 @@ -17,12 +17,21 @@ detection: selection: ParentImage|endswith: '\WmiPrvSe.exe' filter: - - LogonId: '0x3e7' # LUID 999 for SYSTEM + - LogonId: + - '0x3e7' # LUID 999 for SYSTEM + - 'null' # too many false positives + - SubjectLogonId: + - '0x3e7' # LUID 999 for SYSTEM + - 'null' # too many false positives - User: 'NT AUTHORITY\SYSTEM' # if we don't have LogonId data, fallback on username detection - Image|endswith: - '\WmiPrvSE.exe' - '\WerFault.exe' - condition: selection and not filter + filter_null1: # some backends need the null value in a seperate expression + LogonId: null + filter_null2: # some backends need the null value in a seperate expression + SubjectLogonId: null + condition: selection and not filter and not filter_null1 and not filter_null2 falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/win_workflow_compiler.yml b/rules/windows/process_creation/win_workflow_compiler.yml index 496138fde..9347f2b35 100644 --- a/rules/windows/process_creation/win_workflow_compiler.yml +++ b/rules/windows/process_creation/win_workflow_compiler.yml @@ -15,7 +15,7 @@ logsource: product: windows detection: selection: - Image: '*\Microsoft.Workflow.Compiler.exe' + Image|endswith: '\Microsoft.Workflow.Compiler.exe' condition: selection fields: - CommandLine 
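Review bot: The `filter` list in win_wmiprvse_spawning_process is a list of maps, so its items are OR'd: a LogonId or SubjectLogonId of `0x3e7` or `null`, a SYSTEM user, or a WmiPrvSE/WerFault child each suppresses the alert on its own, and `filter_null1`/`filter_null2` additionally drop any event where the fields are missing. On a source that does not populate LogonId/SubjectLogonId at all (or a backend that maps them differently) this high-level rule goes silent rather than falling back to the `User` check the comment describes. State that requirement in the rule, e.g. a `definition: 'Requires LogonId (Sysmon) or SubjectLogonId (Security 4688) to be populated; events without either are excluded'` under `logsource`, which sits above this hunk.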
diff --git a/rules/windows/process_creation/win_write_protect_for_storage_disabled.yml b/rules/windows/process_creation/win_write_protect_for_storage_disabled.yml new file mode 100644 index 000000000..4462da4e7 --- /dev/null +++ b/rules/windows/process_creation/win_write_protect_for_storage_disabled.yml @@ -0,0 +1,20 @@ +title: Write Protect For Storage Disabled +id: 75f7a0e2-7154-4c4d-9eae-5cdb4e0a5c13 +description: Looks for changes to registry to disable any write-protect property for storage devices. This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group. +status: experimental +author: Sreeman +date: 2021/06/11 +modified: 2021/06/11 +tags: + - attack.defense_evasion + - attack.t1562 +logsource: + product: windows + category: process_creation +detection: + selection: + CommandLine|re: '(?i).*reg add.*hklm\\system\\currentcontrolset\\control.*(storage|storagedevicepolicies).*write protection.*0.*' + condition: selection +falsepositives: + - none observed +level: medium \ No newline at end of file diff --git a/rules/windows/sysmon/sysmon_raw_disk_access_using_illegitimate_tools.yml b/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml similarity index 91% rename from rules/windows/sysmon/sysmon_raw_disk_access_using_illegitimate_tools.yml rename to rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml index 0f4ec0b92..72fbafb62 100644 --- a/rules/windows/sysmon/sysmon_raw_disk_access_using_illegitimate_tools.yml +++ b/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml @@ -10,10 +10,8 @@ tags: - attack.t1006 logsource: product: windows - service: sysmon + category: raw_access_thread detection: - selection: - EventID: 9 filter_1: Device|contains: floppy filter_2: 
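Review bot: The regex in win_write_protect_for_storage_disabled requires the literal text `write protection`, but the value under `HKLM\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies` that controls this is named `WriteProtect`, so the canonical `reg add ... /v WriteProtect /t REG_DWORD /d 0` never matches; and the trailing `.*0.*` is satisfied by any zero on the line (`/d 0x00000001` included), so the rule cannot tell disabling from enabling. If `WriteProtect` is the intended value, something like `CommandLine|re: '(?i)reg\s+add.*\\control\\storagedevicepolicies.*writeprotect.*\s/d\s+0(x0+)?(\s|$)'` matches the disable case only. `falsepositives: none observed` is hard to sustain for a regex this loose; consider `Unknown` as the other new rules use.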
@@ -32,7 +30,7 @@ detection: - '\dfsrs.exe' - '\vds.exe' - '\lsass.exe' - condition: selection and not filter_1 and not filter_2 + condition: not filter_1 and not filter_2 fields: - ComputerName - Image diff --git a/rules/windows/registry_event/sysmon_apt_oceanlotus_registry.yml b/rules/windows/registry_event/sysmon_apt_oceanlotus_registry.yml index 916d4773d..243d2d7ec 100755 --- a/rules/windows/registry_event/sysmon_apt_oceanlotus_registry.yml +++ b/rules/windows/registry_event/sysmon_apt_oceanlotus_registry.yml @@ -7,7 +7,7 @@ references: tags: - attack.defense_evasion - attack.t1112 -author: megan201296 +author: megan201296, Jonhnathan Ribeiro date: 2019/04/14 modified: 2020/09/06 logsource: 
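Review bot: With `selection` removed, `condition: not filter_1 and not filter_2` is pure negation, so the rule matches every event in the `raw_access_thread` logsource that is not explicitly filtered; that is only correct when the backend configuration maps the category to Sysmon EID 9, and on a backend lacking that mapping the generated query becomes `NOT (...)` over all events. A `definition: 'Requires the raw_access_thread category to be mapped to Sysmon Event ID 9'` under `logsource` documents the dependency. The filter lists that make up `filter_2` start in the previous hunk and are not fully visible here.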
@@ -17,21 +17,26 @@ detection: selection: TargetObject: - 'HKCR\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model' - - 'HKU\\*_Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model' + TargetObject|endswith: # covers HKU\* and HKLM.. - - '*\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\Application' - - '*\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\DefaultIcon' - - '*\SOFTWARE\App\AppX70162486c7554f7f80f481985d67586d\Application' - - '*\SOFTWARE\App\AppX70162486c7554f7f80f481985d67586d\DefaultIcon' - - '*\SOFTWARE\App\AppX37cc7fdccd644b4f85f4b22d5a3f105a\Application' - - '*\SOFTWARE\App\AppX37cc7fdccd644b4f85f4b22d5a3f105a\DefaultIcon' + - '\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\Application' + - '\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\DefaultIcon' + - '\SOFTWARE\App\AppX70162486c7554f7f80f481985d67586d\Application' + - '\SOFTWARE\App\AppX70162486c7554f7f80f481985d67586d\DefaultIcon' + - '\SOFTWARE\App\AppX37cc7fdccd644b4f85f4b22d5a3f105a\Application' + - '\SOFTWARE\App\AppX37cc7fdccd644b4f85f4b22d5a3f105a\DefaultIcon' + selection2: + TargetObject|startswith: + - 'HKU\' + TargetObject|contains: # HKCU\SOFTWARE\Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\ - - 'HKU\\*_Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\\*' + - '_Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\' # HKCU\SOFTWARE\Classes\AppX3bbba44c6cae4d9695755183472171e2\ - - 'HKU\\*_Classes\AppX3bbba44c6cae4d9695755183472171e2\\*' + - '_Classes\AppX3bbba44c6cae4d9695755183472171e2\' # HKCU\SOFTWARE\Classes\CLSID\{E3517E26-8E93-458D-A6DF-8030BC80528B}\ - - 'HKU\\*_Classes\CLSID\{E3517E26-8E93-458D-A6DF-8030BC80528B}\\*' - condition: selection + - '_Classes\CLSID\{E3517E26-8E93-458D-A6DF-8030BC80528B}\' + - '_Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model' + condition: selection or selection2 falsepositives: - Unknown level: critical 
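Review bot: The old exact match on `HKCR\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model` was moved into `selection2`, which is gated on `TargetObject|startswith: 'HKU\'`, so a machine-wide registration of the same CLSID (rendered by Sysmon as `HKLM\SOFTWARE\Classes\CLSID\{E08A0F4B-...}\Model`) is no longer matched even though the comment on `selection` says it covers HKLM. Adding `- '\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model'` to the `TargetObject|endswith` list in `selection` restores that coverage for both hives. The `_Classes\...` entries are correctly converted from the old wildcard form.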
diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml index 80f4a8237..a8bb54d79 100755 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml 
@@ -1,38 +1,213 @@ title: Autorun Keys Modification id: 17f878b8-9968-4578-b814-c4217fc5768c -description: Detects modification of autostart extensibility point (ASEP) in registry +description: Detects modification of autostart extensibility point (ASEP) in registry. status: experimental references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md + - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns + - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys tags: - attack.persistence - - attack.t1060 # an old one - attack.t1547.001 -date: 2019/10/21 -modified: 2020/09/06 -author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community + - attack.t1060 # an old one +date: 2019/10/25 +modified: 2020/11/04 +author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community logsource: category: registry_event product: windows +level: medium detection: - selection: + main_selection: TargetObject|contains: - - '\software\Microsoft\Windows\CurrentVersion\Run' - - '\software\Microsoft\Windows\CurrentVersion\RunOnce' - - '\software\Microsoft\Windows\CurrentVersion\RunOnceEx' - - '\software\Microsoft\Windows\CurrentVersion\RunServices' - - '\software\Microsoft\Windows\CurrentVersion\RunServicesOnce' - - '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit' - - '\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell' - - '\software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs' # Appinit DLL - - '\software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs' # Appinit DLL - - '\software\Microsoft\Windows NT\CurrentVersion\Windows\Load' # WindowsShellLoadAndRun in HKCU - - '\software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Load' # WindowsShellLoadAndRun in HKCU - - '\software\Microsoft\Windows 
NT\CurrentVersion\Windows\Run' # WindowsShellLoadAndRun in HKCU - - '\software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Run' # WindowsShellLoadAndRun in HKCU - - '\software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders' - condition: selection + - '\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services\AutoStart' + - '\Software\Wow6432Node\Microsoft\Command Processor\Autorun' + - '\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components' + - '\SOFTWARE\Microsoft\Windows CE Services\AutoStartOnDisconnect' + - '\SOFTWARE\Microsoft\Windows CE Services\AutoStartOnConnect' + - '\SYSTEM\Setup\CmdLine' + - '\Software\Microsoft\Ctf\LangBarAddin' + - '\Software\Microsoft\Command Processor\Autorun' + - '\SOFTWARE\Microsoft\Active Setup\Installed Components' + - '\SOFTWARE\Classes\Protocols\Handler' + - '\SOFTWARE\Classes\Protocols\Filter' + - '\SOFTWARE\Classes\Htmlfile\Shell\Open\Command\(Default)' + - '\Environment\UserInitMprLogonScript' + - '\SOFTWARE\Policies\Microsoft\Windows\Control Panel\Desktop\Scrnsave.exe' + - '\Software\Microsoft\Internet Explorer\UrlSearchHooks' + - '\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components' + - '\Software\Classes\Clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\Inprocserver32' + - '\Control Panel\Desktop\Scrnsave.exe' + session_manager_base: + TargetObject|contains: '\System\CurrentControlSet\Control\Session Manager' + session_manager: + TargetObject|contains: + - '\SetupExecute' + - '\S0InitialCommand' + - '\KnownDlls' + - '\Execute' + - '\BootExecute' + - '\AppCertDlls' + current_version_base: + TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion' + current_version: + TargetObject|contains: + - '\ShellServiceObjectDelayLoad' + - '\Run' + - '\Policies\System\Shell' + - '\Policies\Explorer\Run' + - '\Group Policy\Scripts\Startup' + - '\Group Policy\Scripts\Shutdown' + - '\Group Policy\Scripts\Logon' + - '\Group Policy\Scripts\Logoff' + - '\Explorer\ShellServiceObjects' + - 
'\Explorer\ShellIconOverlayIdentifiers' + - '\Explorer\ShellExecuteHooks' + - '\Explorer\SharedTaskScheduler' + - '\Explorer\Browser Helper Objects' + - '\Authentication\PLAP Providers' + - '\Authentication\Credential Providers' + - '\Authentication\Credential Provider Filters' + nt_current_version_base: + TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion' + nt_current_version: + TargetObject|contains: + - '\Winlogon\VmApplet' + - '\Winlogon\Userinit' + - '\Winlogon\Taskman' + - '\Winlogon\Shell' + - '\Winlogon\GpExtensions' + - '\Winlogon\AppSetup' + - '\Winlogon\AlternateShells\AvailableShells' + - '\Windows\IconServiceLib' + - '\Windows\Appinit_Dlls' + - '\Image File Execution Options' + - '\Font Drivers' + - '\Drivers32' + - '\Windows\Run' + - '\Windows\Load' + wow_current_version_base: + TargetObject|contains: '\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion' + wow_current_version: + TargetObject|contains: + - '\ShellServiceObjectDelayLoad' + - '\Run' + - '\Explorer\ShellServiceObjects' + - '\Explorer\ShellIconOverlayIdentifiers' + - '\Explorer\ShellExecuteHooks' + - '\Explorer\SharedTaskScheduler' + - '\Explorer\Browser Helper Objects' + wow_nt_current_version_base: + TargetObject|contains: '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion' + wow_nt_current_version: + TargetObject|contains: + - '\Windows\Appinit_Dlls' + - '\Image File Execution Options' + - '\Drivers32' + wow_office: + TargetObject|contains: '\Software\Wow6432Node\Microsoft\Office' + office: + TargetObject|contains: '\Software\Microsoft\Office' + wow_office_details: + TargetObject|contains: + - '\Word\Addins' + - '\PowerPoint\Addins' + - '\Outlook\Addins' + - '\Onenote\Addins' + - '\Excel\Addins' + - '\Access\Addins' + - 'test\Special\Perf' + wow_ie: + TargetObject|contains: '\Software\Wow6432Node\Microsoft\Internet Explorer' + ie: + TargetObject|contains: '\Software\Microsoft\Internet Explorer' + wow_ie_details: + TargetObject|contains: + - '\Toolbar' + - 
'\Extensions' + - '\Explorer Bars' + wow_classes_base: + TargetObject|contains: '\Software\Wow6432Node\Classes' + wow_classes: + TargetObject|contains: + - '\Folder\ShellEx\ExtShellFolderViews' + - '\Folder\ShellEx\DragDropHandlers' + - '\Folder\ShellEx\ColumnHandlers' + - '\Directory\Shellex\DragDropHandlers' + - '\Directory\Shellex\CopyHookHandlers' + - '\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance' + - '\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance' + - '\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance' + - '\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance' + - '\AllFileSystemObjects\ShellEx\DragDropHandlers' + - '\ShellEx\PropertySheetHandlers' + - '\ShellEx\ContextMenuHandlers' + classes_base: + TargetObject|contains: '\Software\Classes' + classes: + TargetObject|contains: + - '\Folder\ShellEx\ExtShellFolderViews' + - '\Folder\ShellEx\DragDropHandlers' + - '\Folder\Shellex\ColumnHandlers' + - '\Filter' + - '\Exefile\Shell\Open\Command\(Default)' + - '\Directory\Shellex\DragDropHandlers' + - '\Directory\Shellex\CopyHookHandlers' + - '\CLSID\{AC757296-3522-4E11-9862-C17BE5A1767E}\Instance' + - '\CLSID\{ABE3B9A4-257D-4B97-BD1A-294AF496222E}\Instance' + - '\CLSID\{7ED96837-96F0-4812-B211-F13C24117ED3}\Instance' + - '\CLSID\{083863F1-70DE-11d0-BD40-00A0C911CE86}\Instance' + - '\Classes\AllFileSystemObjects\ShellEx\DragDropHandlers' + - '\.exe' + - '\.cmd' + - '\ShellEx\PropertySheetHandlers' + - '\ShellEx\ContextMenuHandlers' + scripts_base: + TargetObject|contains: '\Software\Policies\Microsoft\Windows\System\Scripts' + scripts: + TargetObject|contains: + - '\Startup' + - '\Shutdown' + - '\Logon' + - '\Logoff' + winsock_parameters_base: + TargetObject|contains: '\System\CurrentControlSet\Services\WinSock2\Parameters' + winsock_parameters: + TargetObject|contains: + - '\Protocol_Catalog9\Catalog_Entries' + - '\NameSpace_Catalog5\Catalog_Entries' + system_control_base: + TargetObject|contains: '\SYSTEM\CurrentControlSet\Control' + 
system_control: + TargetObject|contains: + - '\Terminal Server\WinStations\RDP-Tcp\InitialProgram' + - '\Terminal Server\Wds\rdpwd\StartupPrograms' + - '\SecurityProviders\SecurityProviders' + - '\SafeBoot\AlternateShell' + - '\Print\Providers' + - '\Print\Monitors' + - '\NetworkProvider\Order' + - '\Lsa\Notification Packages' + - '\Lsa\Authentication Packages' + - '\BootVerificationProgram\ImagePath' + condition: main_selection OR + session_manager_base AND session_manager OR + current_version_base AND current_version OR + nt_current_version_base AND nt_current_version OR + wow_current_version_base AND wow_current_version OR + wow_nt_current_version_base AND wow_nt_current_version OR + (wow_office OR office) AND wow_office_details OR + (wow_ie OR ie) AND wow_ie_details OR + wow_classes_base AND wow_classes OR + classes_base AND classes OR + scripts_base AND scripts OR + winsock_parameters_base AND winsock_parameters OR + system_control_base AND system_control +fields: + - SecurityID + - ObjectName + - OldValueType + - NewValueType falsepositives: - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason - Legitimate administrator sets up autorun keys for legitimate reason -level: medium diff --git a/rules/windows/registry_event/sysmon_bypass_via_wsreset.yml b/rules/windows/registry_event/sysmon_bypass_via_wsreset.yml new file mode 100644 index 000000000..d20032bda --- /dev/null +++ b/rules/windows/registry_event/sysmon_bypass_via_wsreset.yml 
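Review bot: Under `current_version`, `TargetObject|contains: '\Run'` combined with the `\SOFTWARE\Microsoft\Windows\CurrentVersion` base also matches `\Explorer\RunMRU`, which is written every time a user uses the Run dialog, so this medium-level rule will fire on routine interactive activity; the same pattern sits in `wow_current_version`. Sysmon SetValue events carry the value name after the key, so `- '\Run\'`, `- '\RunOnce'`, `- '\RunServices'` in place of `- '\Run'` keeps the autorun keys and drops RunMRU. The `condition` relies on `and` binding tighter than `or`, which Sigma guarantees, but parenthesising each `base and detail` pair would make the intent readable. The `fields` list (`SecurityID`, `ObjectName`, `OldValueType`, `NewValueType`) appears to come from Security event 4657 rather than Sysmon registry events, whose fields are `Image`, `TargetObject` and `Details` — worth confirming against the intended source.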
@@ -0,0 +1,29 @@ +title: UAC Bypass Via Wsreset +id: 6ea3bf32-9680-422d-9f50-e90716b12a66 +status: experimental +description: Unfixed method for UAC bypass from windows 10. WSReset.exe file associated with the Windows Store. It will run a binary file contained in a low-privilege registry. +references: + - https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly + - https://lolbas-project.github.io/lolbas/Binaries/Wsreset +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.t1548.002 +author: oscd.community, Dmitry Uchakin +date: 2020/10/07 +logsource: + category: registry_event + product: windows +detection: + selection: + TargetObject|endswith: + - '\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command' + condition: selection +fields: + - ComputerName + - Image + - EventType + - TargetObject +falsepositives: + - unknown +level: high \ No newline at end of file diff --git a/rules/windows/registry_event/sysmon_cmstp_execution.yml b/rules/windows/registry_event/sysmon_cmstp_execution.yml index 81302dfea..10c7f0b17 100755 --- a/rules/windows/registry_event/sysmon_cmstp_execution.yml +++ b/rules/windows/registry_event/sysmon_cmstp_execution.yml @@ -25,11 +25,6 @@ logsource: category: registry_event product: windows detection: - # Registry Object Add - selection1: - TargetObject: '*\cmmgr32.exe*' - EventType: 'CreateKey' - # Registry Object Value Set - selection2: - TargetObject: '*\cmmgr32.exe*' - condition: 1 of them + selection: + TargetObject|contains: '\cmmgr32.exe' + condition: selection diff --git a/rules/windows/registry_event/sysmon_cobaltstrike_service_installs.yml b/rules/windows/registry_event/sysmon_cobaltstrike_service_installs.yml new file mode 100644 index 000000000..9d7818cbf --- /dev/null +++ b/rules/windows/registry_event/sysmon_cobaltstrike_service_installs.yml 
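Review bot: `TargetObject|endswith: '\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command'` only matches the key-creation event; Sysmon SetValue events append the value name, e.g. `...\Shell\open\command\(Default)` and `...\command\DelegateExecute` (the sdclt rule in this same patch matches on exactly that form), so the payload write is missed whenever the key already exists or the source logs value writes only. Switching to `TargetObject|contains: '\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command'` covers both. The description could say which key is abused (the user-writable `HKCU\Software\Classes` handler that WSReset.exe resolves) so an analyst knows what to look at.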
@@ -0,0 +1,37 @@ +title: CobaltStrike Service Installations in Registry +id: 61a7697c-cb79-42a8-a2ff-5f0cdfae0130 +description: Detects known malicious service installs that appear in cases in which a Cobalt Strike beacon elevates privileges or lateral movement. + We can also catch this by system log 7045 (https://github.com/SigmaHQ/sigma/blob/master/rules/windows/builtin/win_cobaltstrike_service_installs.yml) + In some SIEM you can catch those events also in HKLM\System\ControlSet001\Services or HKLM\System\ControlSet002\Services, however, this rule is based on a regular sysmon's events. +status: experimental +date: 2021/06/29 +author: Wojciech Lesicki +tags: + - attack.execution + - attack.privilege_escalation + - attack.lateral_movement + - attack.t1021.002 + - attack.t1543.003 + - attack.t1569.002 +references: + - https://www.sans.org/webcasts/tech-tuesday-workshop-cobalt-strike-detection-log-analysis-119395 +logsource: + category: registry_event + product: windows +detection: + selection1: + EventType: SetValue + TargetObject|contains: 'HKLM\System\CurrentControlSet\Services' + selection2: + Details|contains|all: + - 'ADMIN$' + - '.exe' + selection3: + Details|contains|all: + - '%COMSPEC%' + - 'start' + - 'powershell' + condition: selection1 and (selection2 or selection3) +falsepositives: + - unknown +level: critical \ No newline at end of file diff --git a/rules/windows/registry_event/sysmon_comhijack_sdclt.yml b/rules/windows/registry_event/sysmon_comhijack_sdclt.yml index bf76b00d8..dedf925a5 100644 --- a/rules/windows/registry_event/sysmon_comhijack_sdclt.yml +++ b/rules/windows/registry_event/sysmon_comhijack_sdclt.yml @@ -18,8 +18,6 @@ detection: selection: TargetObject: - 'HKCU\Software\Classes\Folder\shell\open\command\DelegateExecute' - EventType: - - SetValue condition: selection falsepositives: - unknown 
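Review bot: `selection2` (`ADMIN$` plus `.exe` in Details) is not specific to Cobalt Strike; any service whose image lives on an admin share, including PsExec-style tooling, satisfies it, so the critical level and the title may overclaim and the falsepositives entry should say so. Neither selection pins the value being set, so a matching string in another service value (e.g. a Description) also fires; adding `TargetObject|endswith: '\ImagePath'` to `selection1` restricts it to the service binary path, which is where both patterns occur. The multi-line `description` is fine YAML but reads better as a folded scalar (`description: >`), as other rules in the repository use.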
diff --git a/rules/windows/registry_event/sysmon_cve-2020-1048.yml b/rules/windows/registry_event/sysmon_cve-2020-1048.yml index e5e17ef11..8a02f889e 100644 --- a/rules/windows/registry_event/sysmon_cve-2020-1048.yml +++ b/rules/windows/registry_event/sysmon_cve-2020-1048.yml @@ -18,10 +18,6 @@ logsource: detection: selection: TargetObject|startswith: 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ports' - EventType: - - SetValue - - DeleteValue - - CreateValue Details|contains: - '.dll' - '.exe' diff --git a/rules/windows/registry_event/sysmon_dhcp_calloutdll.yml b/rules/windows/registry_event/sysmon_dhcp_calloutdll.yml index c2cff4812..d8b7daf7c 100755 --- a/rules/windows/registry_event/sysmon_dhcp_calloutdll.yml +++ b/rules/windows/registry_event/sysmon_dhcp_calloutdll.yml @@ -19,10 +19,9 @@ logsource: product: windows detection: selection: - - TargetObject: - - '*\Services\DHCPServer\Parameters\CalloutDlls' - - '*\Services\DHCPServer\Parameters\CalloutEnabled' + TargetObject|endswith: + - '\Services\DHCPServer\Parameters\CalloutDlls' + - '\Services\DHCPServer\Parameters\CalloutEnabled' condition: selection falsepositives: - unknown diff --git a/rules/windows/registry_event/sysmon_disable_microsoft_office_security_features.yml b/rules/windows/registry_event/sysmon_disable_microsoft_office_security_features.yml new file mode 100644 index 000000000..bbf21c9fc --- /dev/null +++ b/rules/windows/registry_event/sysmon_disable_microsoft_office_security_features.yml 
@@ -0,0 +1,37 @@ +title: Disable Microsoft Office Security Features +id: 7c637634-c95d-4bbf-b26c-a82510874b34 +description: Disable Microsoft Office Security Features by registry +status: experimental +date: 2021/06/08 +author: frack113 +tags: + - attack.defense_evasion + - attack.t1562.001 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md + - https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/ + - https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/ + +logsource: + product: windows + category: registry_event + definition: key must be add to the sysmon configuration to works + # Sysmon + # \VBAWarnings + # \DisableInternetFilesInPV + # \DisableUnsafeLocationsInPV + # \DisableAttachementsInPV +detection: + selection: + EventType: SetValue + TargetObject|contains: '\SOFTWARE\Microsoft\Office\' + TargetObject|endswith: + - VBAWarnings + - DisableInternetFilesInPV + - DisableUnsafeLocationsInPV + - DisableAttachementsInPV + Details: 'DWORD (0x00000001)' + condition: selection +falsepositives: + - unknown +level: high diff --git a/rules/windows/registry_event/sysmon_disable_security_events_logging_adding_reg_key_minint.yml b/rules/windows/registry_event/sysmon_disable_security_events_logging_adding_reg_key_minint.yml index 42acc1d3b..d43eca7b5 100755 --- a/rules/windows/registry_event/sysmon_disable_security_events_logging_adding_reg_key_minint.yml +++ b/rules/windows/registry_event/sysmon_disable_security_events_logging_adding_reg_key_minint.yml @@ -29,5 +29,5 @@ fields: - TargetObject - NewName falsepositives: - - Unkown + - Unknown level: high diff --git a/rules/windows/registry_event/sysmon_disable_wdigest_credential_guard.yml b/rules/windows/registry_event/sysmon_disable_wdigest_credential_guard.yml new file mode 100644 index 000000000..07ffdf7ce --- /dev/null 
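Review bot: The logsource `definition` in the new Office rule is hard to read as written (`key must be add to the sysmon configuration to works`); suggest `definition: 'Requires the Office security values listed below to be included in the Sysmon registry (EID 13) configuration'`. `Details: 'DWORD (0x00000001)'` is an exact match on Sysmon's rendering of the value, which is correct for Sysmon but will not match backends that normalise Details to a number, so a comment noting the Sysmon-specific format would help. The value names themselves (`VBAWarnings`=1, `Disable*InPV`=1) correctly encode the "macros enabled / Protected View off" states.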
+++ b/rules/windows/registry_event/sysmon_disable_wdigest_credential_guard.yml @@ -0,0 +1,21 @@ +title: Wdigest CredGuard Registry Modification +id: 1a2d6c47-75b0-45bd-b133-2c0be75349fd +description: Detects potential malicious modification of the property value of IsCredGuardEnabled from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to disable Cred Guard on a system. This is usually used with UseLogonCredential to manipulate the caching credentials. +status: experimental +date: 2019/08/25 +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +tags: + - attack.defense_evasion + - attack.t1112 +references: + - https://teamhydra.blog/2020/08/25/bypassing-credential-guard/ +logsource: + category: registry_event + product: windows +detection: + selection: + TargetObject|endswith: '\IsCredGuardEnabled' + condition: selection +falsepositives: + - Unknown +level: critical diff --git a/rules/windows/registry_event/sysmon_dns_serverlevelplugindll.yml b/rules/windows/registry_event/sysmon_dns_serverlevelplugindll.yml index 59849ff88..fd7d5d2c1 100755 --- a/rules/windows/registry_event/sysmon_dns_serverlevelplugindll.yml +++ b/rules/windows/registry_event/sysmon_dns_serverlevelplugindll.yml @@ -30,7 +30,7 @@ logsource: category: registry_event detection: dnsregmod: - TargetObject: '*\services\DNS\Parameters\ServerLevelPluginDll' + TargetObject|endswith: '\services\DNS\Parameters\ServerLevelPluginDll' condition: 1 of them --- logsource: @@ -38,5 +38,8 @@ logsource: product: windows detection: dnsadmin: - CommandLine: 'dnscmd.exe /config /serverlevelplugindll *' - condition: 1 of them \ No newline at end of file + Image|endswith: '\dnscmd.exe' + CommandLine|contains|all: + - '/config' + - '/serverlevelplugindll' + condition: 1 of them 
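Review bot: `TargetObject|endswith: '\IsCredGuardEnabled'` fires on any key path ending in that name and regardless of the value written, so re-enabling Credential Guard (value 1) raises the same critical alert as disabling it. Pin the key with `TargetObject|endswith: '\Control\SecurityProviders\WDigest\IsCredGuardEnabled'` and, if Details is rendered as in the Office rule in this patch, add `Details: 'DWORD (0x00000000)'` to keep only the disable case. The description mentions `UseLogonCredential` but the rule does not match it; either cover it (`- '\WDigest\UseLogonCredential'`) or drop it from the description.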
diff --git a/rules/windows/registry_event/sysmon_enabling_cor_profiler_env_variables.yml b/rules/windows/registry_event/sysmon_enabling_cor_profiler_env_variables.yml new file mode 100644 index 000000000..384ed94f0 --- /dev/null +++ b/rules/windows/registry_event/sysmon_enabling_cor_profiler_env_variables.yml @@ -0,0 +1,25 @@ +title: Enabling COR Profiler Environment Variables +id: ad89044a-8f49-4673-9a55-cbd88a1b374f +description: This rule detects cor_enable_profiling and cor_profiler environment variables being set and configured. +status: experimental +date: 2020/09/10 +author: Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research) +tags: + - attack.persistence + - attack.privilege_escalation + - attack.defense_evasion + - attack.t1574.012 +references: + - https://twitter.com/jamieantisocial/status/1304520651248668673 + - https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors + - https://www.sans.org/cyber-security-summit/archives +logsource: + category: registry_event + product: windows +detection: + selection: + TargetObject|endswith: + - '\COR_ENABLE_PROFILING' + - '\COR_PROFILER' + condition: selection +level: high \ No newline at end of file diff --git a/rules/windows/registry_event/sysmon_hack_wce_reg.yml b/rules/windows/registry_event/sysmon_hack_wce_reg.yml index 647282408..e3f50de16 100755 --- a/rules/windows/registry_event/sysmon_hack_wce_reg.yml +++ b/rules/windows/registry_event/sysmon_hack_wce_reg.yml @@ -15,9 +15,9 @@ logsource: category: registry_event product: windows detection: - selection: + selection: TargetObject|contains: Services\WCESERVICE\Start condition: selection falsepositives: - - 'Another service that uses a single -s command line switch' -level: critical \ No newline at end of file + - Unknown +level: critical 
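Review bot: The new COR profiler rule has no `falsepositives` section, unlike every other rule in this patch; .NET diagnostic and APM agents legitimately set these variables, so `falsepositives: - Legitimate .NET profilers and APM agents (e.g. diagnostic tooling)` is worth adding before it ships at level high. The `endswith` list also leaves out `\COR_PROFILER_PATH` and the .NET Core equivalents `\CORECLR_ENABLE_PROFILING` / `\CORECLR_PROFILER`, which give the same code-execution primitive; if you add them, widen the tag from the environment-variable sub-technique accordingly. The rule matches the variable names under any hive, which is fine since both `HKLM\...\Environment` and per-user `Environment` keys are abusable.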
diff --git a/rules/windows/registry_event/sysmon_hybridconnectionmgr_svc_installation.yml b/rules/windows/registry_event/sysmon_hybridconnectionmgr_svc_installation.yml new file mode 100644 index 000000000..3563a2722 --- /dev/null +++ b/rules/windows/registry_event/sysmon_hybridconnectionmgr_svc_installation.yml @@ -0,0 +1,22 @@ +title: HybridConnectionManager Service Installation +id: ac8866c7-ce44-46fd-8c17-b24acff96ca8 +description: Detects the installation of the Azure Hybrid Connection Manager service to allow remote code execution from Azure function. +status: experimental +date: 2021/04/12 +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +tags: + - attack.persistence +references: + - https://twitter.com/Cyb3rWard0g/status/1381642789369286662 +logsource: + category: registry_event + product: windows +detection: + selection1: + TargetObject|contains: '\Services\HybridConnectionManager' + selection2: + Details|contains: 'Microsoft.HybridConnectionManager.Listener.exe' + condition: selection1 or selection2 +falsepositives: + - Unknown +level: high diff --git a/rules/windows/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml b/rules/windows/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml index 069aaa501..e9ee2839a 100644 --- a/rules/windows/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml +++ b/rules/windows/registry_event/sysmon_logon_scripts_userinitmprlogonscript_reg.yml @@ -17,9 +17,9 @@ logsource: product: windows detection: create_keywords_reg: - TargetObject: '*UserInitMprLogonScript*' + TargetObject|contains: 'UserInitMprLogonScript' condition: create_keywords_reg falsepositives: - exclude legitimate logon scripts - penetration tests, red teaming -level: high \ No newline at end of file +level: high 
diff --git a/rules/windows/registry_event/sysmon_modify_screensaver_binary_path.yml b/rules/windows/registry_event/sysmon_modify_screensaver_binary_path.yml new file mode 100644 index 000000000..8dd2cc28f --- /dev/null +++ b/rules/windows/registry_event/sysmon_modify_screensaver_binary_path.yml @@ -0,0 +1,27 @@ +title: Path To Screensaver Binary Modified +id: 67a6c006-3fbe-46a7-9074-2ba3b82c3000 +status: experimental +description: Detects value modification of registry key containing path to binary used as screensaver. +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md + - https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf +tags: + - attack.persistence + - attack.privilege_escalation + - attack.t1546.002 +author: Bartlomiej Czyz @bczyz1, oscd.community +date: 2020/10/11 +logsource: + category: registry_event + product: windows +detection: + selection: + TargetObject|endswith: '\Control Panel\Desktop\SCRNSAVE.EXE' # HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE + filter: + Image|endswith: + - '\rundll32.exe' + - '\explorer.exe' + condition: selection and not filter +level: medium +falsepositives: + - 'Legitimate modification of screensaver.' diff --git a/rules/windows/registry_event/sysmon_new_application_appcompat.yml b/rules/windows/registry_event/sysmon_new_application_appcompat.yml new file mode 100644 index 000000000..298f2660f --- /dev/null +++ b/rules/windows/registry_event/sysmon_new_application_appcompat.yml 
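Review bot: The `filter` on `Image|endswith` excludes `rundll32.exe` and `explorer.exe` as the writing process, which removes the legitimate Control Panel path but also hands an attacker a bypass: `rundll32.exe` is a LOLBin that can write the value on their behalf, and explorer.exe is a common injection target. If the filter is needed to keep the medium level, note the trade-off under `falsepositives` (e.g. `Legitimate screensaver changes via Control Panel (rundll32/explorer); note these images are also usable by an attacker`) so that tuning decisions are visible. The `SCRNSAVE.EXE` comment helpfully gives the full HKCU path; the same value under `HKU\...` is covered by `endswith`.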
@@ -0,0 +1,24 @@ +title: New Application in AppCompat +id: 60936b49-fca0-4f32-993d-7415edcf9a5d +description: A General detection for a new application in AppCompat. This indicates an application executing for the first time on an endpoint. +status: experimental +date: 2020/05/02 +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +tags: + - attack.execution + - attack.t1204.002 +references: + - https://github.com/OTRF/detection-hackathon-apt29/issues/1 + - https://threathunterplaybook.com/evals/apt29/detections/1.A.1_DFD6A782-9BDB-4550-AB6B-525E825B095E.html +logsource: + product: windows + category: registry_event +detection: + selection: + TargetObject|contains: '\AppCompatFlags\Compatibility Assistant\Store\' + condition: selection +falsepositives: + - This rule is to explore new applications on an endpoint. False positives depends on the organization. + - Newly setup system. + - Legitimate installation of new application. +level: informational \ No newline at end of file diff --git a/rules/windows/registry_event/sysmon_new_dll_added_to_appcertdlls_registry_key.yml b/rules/windows/registry_event/sysmon_new_dll_added_to_appcertdlls_registry_key.yml index 6eef73b35..7a2f3e618 100755 --- a/rules/windows/registry_event/sysmon_new_dll_added_to_appcertdlls_registry_key.yml +++ b/rules/windows/registry_event/sysmon_new_dll_added_to_appcertdlls_registry_key.yml @@ -29,5 +29,5 @@ fields: - TargetObject - NewName falsepositives: - - Unkown + - Unknown level: medium diff --git a/rules/windows/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml b/rules/windows/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml index 86586574a..820a65f60 100755 --- a/rules/windows/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml +++ b/rules/windows/registry_event/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml 
@@ -17,13 +17,13 @@ logsource:
 product: windows
 detection:
 selection:
- - TargetObject:
- - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
- - '*\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
+ - TargetObject|endswith:
+ - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
+ - '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
- # key rename
- NewName:
- - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
- - '*\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
+ NewName|endswith:
+ - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
+ - '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls'
 condition: selection
 fields:
 - EventID
@@ -31,5 +31,5 @@ fields:
 - TargetObject
 - NewName
 falsepositives:
- - Unkown
+ - Unknown
 level: medium
diff --git a/rules/windows/registry_event/sysmon_office_vsto_persistence.yml b/rules/windows/registry_event/sysmon_office_vsto_persistence.yml
index 4afc0fbc3..8eac61ee8 100644
--- a/rules/windows/registry_event/sysmon_office_vsto_persistence.yml
+++ b/rules/windows/registry_event/sysmon_office_vsto_persistence.yml
@@ -9,6 +9,7 @@ tags:
 - attack.persistence
 author: Bhabesh Raj
 date: 2021/01/10
+modified: 2021/06/01
 logsource:
 category: registry_event
 product: windows
@@ -20,7 +21,9 @@ detection:
 - '\Software\Microsoft\Office\Excel\Addins\'
 - '\Software\Microsoft\Office\Powerpoint\Addins\'
 - '\Software\Microsoft\VSTO\Security\Inclusion\'
- condition: selection
+ filter:
+ Image|endswith: '\msiexec.exe'
+ condition: selection and not filter
 falsepositives:
 - Unknown
 level: high
\ No newline at end of file
diff --git a/rules/windows/registry_event/sysmon_powershell_as_service.yml b/rules/windows/registry_event/sysmon_powershell_as_service.yml
new file mode 100644
index 000000000..a297c6680
--- /dev/null
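Review bot: As the AppInit_Dlls hunk is collapsed here, the new `NewName|endswith:` carries no list dash while `- TargetObject|endswith:` does, which puts both fields into the same list item of `selection` and makes them an AND: an event would have to end with AppInit_Dlls in both TargetObject and NewName, which only a key rename can satisfy, so a plain SetValue on AppInit_Dlls would never match. If the indentation in the real file differs this does not apply; otherwise the rename alternative should be its own item, `- NewName|endswith:`, so the two are ORed as the removed `# key rename` comment suggests. The same AND/OR question is worth a glance at the sibling appcertdlls rule, whose detection block is outside this diff.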
+++ b/rules/windows/registry_event/sysmon_powershell_as_service.yml
@@ -0,0 +1,26 @@
+title: PowerShell as a Service in Registry
+id: 4a5f5a5e-ac01-474b-9b4e-d61298c9df1d
+description: Detects that a powershell code is written to the registry as a service.
+status: experimental
+author: oscd.community, Natalia Shornikova
+date: 2020/10/06
+modified: 2021/05/21
+references:
+ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
+tags:
+ - attack.execution
+ - attack.t1569.002
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ TargetObject|contains: '\Services\'
+ TargetObject|endswith: '\ImagePath'
+ Details|contains:
+ - 'powershell'
+ - 'pwsh'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/registry_event/sysmon_rdp_registry_modification.yml b/rules/windows/registry_event/sysmon_rdp_registry_modification.yml
index 3fe7d6cda..3df09fb62 100755
--- a/rules/windows/registry_event/sysmon_rdp_registry_modification.yml
+++ b/rules/windows/registry_event/sysmon_rdp_registry_modification.yml
@@ -6,7 +6,7 @@ date: 2019/09/12
 modified: 2019/11/10
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
- - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/05_defense_evasion/T1112_Modify_Registry/enable_rdp_registry.md
+ - https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-190407183310.html
 tags:
 - attack.defense_evasion
 - attack.t1112
diff --git a/rules/windows/registry_event/sysmon_rdp_settings_hijack.yml b/rules/windows/registry_event/sysmon_rdp_settings_hijack.yml
index 425c550b6..4a9041570 100755
--- a/rules/windows/registry_event/sysmon_rdp_settings_hijack.yml
+++ b/rules/windows/registry_event/sysmon_rdp_settings_hijack.yml
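Review bot: The description of the PowerShell-as-a-service rule says it detects PowerShell *code* written to the registry, but the selection fires on any `ImagePath` value under a `\Services\` key whose data merely contains `powershell` or `pwsh`, which includes a service binary that simply lives in a directory with PowerShell in its name, while `falsepositives` stays at `Unknown` and `level` at `high`. Suggest making the description match what is matched, e.g. `description: Detects a service ImagePath value in the registry that references powershell or pwsh, i.e. a service configured to start through PowerShell.`, and listing known legitimate PowerShell-launched services under `falsepositives` so tuning is expected rather than a surprise.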
@@ -11,10 +11,10 @@ logsource:
 product: windows
 detection:
 selection_reg:
- TargetObject:
- - '*\services\TermService\Parameters\ServiceDll*'
- - '*\Control\Terminal Server\fSingleSessionPerUser*'
- - '*\Control\Terminal Server\fDenyTSConnections*'
+ TargetObject|contains:
+ - '\services\TermService\Parameters\ServiceDll'
+ - '\Control\Terminal Server\fSingleSessionPerUser'
+ - '\Control\Terminal Server\fDenyTSConnections'
 condition: selection_reg
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/registry_event/sysmon_reg_office_security.yml b/rules/windows/registry_event/sysmon_reg_office_security.yml
index 8e538be85..27e6957c5 100644
--- a/rules/windows/registry_event/sysmon_reg_office_security.yml
+++ b/rules/windows/registry_event/sysmon_reg_office_security.yml
@@ -16,14 +16,10 @@ logsource:
 detection:
 sec_settings:
 TargetObject|endswith:
- - '*\Security\Trusted Documents\TrustRecords'
- - '*\Security\AccessVBOM'
- - '*\Security\VBAWarnings'
- EventType:
- - SetValue
- - DeleteValue
- - CreateValue
+ - '\Security\Trusted Documents\TrustRecords'
+ - '\Security\AccessVBOM'
+ - '\Security\VBAWarnings'
 condition: sec_settings
 falsepositives:
 - Valid Macros and/or internal documents
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/registry_event/sysmon_reg_silentprocessexit.yml b/rules/windows/registry_event/sysmon_reg_silentprocessexit.yml
new file mode 100644
index 000000000..c8404f2cc
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_reg_silentprocessexit.yml
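Review bot: The sysmon_reg_office_security hunk drops the `EventType` list entirely rather than trimming it, so CreateKey, DeleteKey and RenameKey events on the three paths now match alongside value writes, and nothing in the rule (description, level, falsepositives) records that widening. A one-line comment next to `sec_settings:` would keep the intent visible, e.g. `# no EventType filter: key create/delete and value set/delete on these paths all match`. If the goal was only to remove `CreateValue`, which as far as I know is not one of Sysmon's registry EventType values, re-adding `EventType: [SetValue, DeleteValue]` keeps the previous scope.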
@@ -0,0 +1,22 @@
+title: SilentProcessExit Monitor Registrytion
+id: c81fe886-cac0-4913-a511-2822d72ff505
+description: Detects changes to the Registry in which a monitor program gets registered to monitor the exit of another process
+author: Florian Roth
+references:
+ - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
+ - https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/
+date: 2021/02/26
+tags:
+ - attack.persistence
+ - attack.t1546.012
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ TargetObject|contains: 'Microsoft\Windows NT\CurrentVersion\SilentProcessExit'
+ Details|contains: 'MonitorProcess'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
diff --git a/rules/windows/registry_event/sysmon_reg_silentprocessexit_lsass.yml b/rules/windows/registry_event/sysmon_reg_silentprocessexit_lsass.yml
new file mode 100644
index 000000000..66a5dc12a
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_reg_silentprocessexit_lsass.yml
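Review bot: `Details|contains: 'MonitorProcess'` in the new selection inspects the value data, but in Sysmon registry events the value name is part of `TargetObject` (…\SilentProcessExit\<image>\MonitorProcess) and `Details` holds the configured monitor path, so this condition only fires when the written data itself happens to contain that string. If that reading is right the rule misses the write it is meant to catch and should key on the value name instead, `TargetObject|endswith: '\MonitorProcess'`, keeping the existing `SilentProcessExit` contains check; please confirm against a real event before changing. "Registrytion" in the title (also in the LSASS variant on the next line) reads as a typo for "Registration".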
@@ -0,0 +1,21 @@
+title: SilentProcessExit Monitor Registrytion for LSASS
+id: 55e29995-75e7-451a-bef0-6225e2f13597
+description: Detects changes to the Registry in which a monitor program gets registered to dump process memory of the lsass.exe process memory
+author: Florian Roth
+references:
+ - https://www.deepinstinct.com/2021/02/16/lsass-memory-dumps-are-stealthier-than-ever-before-part-2/
+ - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
+date: 2021/02/26
+tags:
+ - attack.credential_access
+ - attack.t1003.007
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ TargetObject|contains: 'Microsoft\Windows NT\CurrentVersion\SilentProcessExit\lsass.exe'
+ condition: selection
+falsepositives:
+ - Unknown
+level: critical
\ No newline at end of file
diff --git a/rules/windows/registry_event/sysmon_reg_vbs_payload_stored.yml b/rules/windows/registry_event/sysmon_reg_vbs_payload_stored.yml
new file mode 100644
index 000000000..0104e1bf4
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_reg_vbs_payload_stored.yml
@@ -0,0 +1,31 @@
+title: VBScript Payload Stored in Registry
+id: 46490193-1b22-4c29-bdd6-5bf63907216f
+description: Detects VBScript content stored into registry keys as seen being used by UNC2452 group
+status: experimental
+date: 2021/03/05
+author: Florian Roth
+references:
+ - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ TargetObject|contains: 'Software\Microsoft\Windows\CurrentVersion'
+ Details|contains:
+ - 'vbscript'
+ - 'jscript'
+ - 'mshtml'
+ - 'mshtml,'
+ - 'mshtml '
+ - 'RunHTMLApplication'
+ - 'Execute('
+ - 'CreateObject'
+ - 'RegRead'
+ - 'window.close'
+ filter:
+ TargetObject|contains: 'Software\Microsoft\Windows\CurrentVersion\Run'
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/registry_event/sysmon_registry_add_local_hidden_user.yml b/rules/windows/registry_event/sysmon_registry_add_local_hidden_user.yml
new file mode 100644
index 000000000..0b9558835
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_registry_add_local_hidden_user.yml
@@ -0,0 +1,24 @@
+title: Creation of a Local Hidden User Account by Registry
+id: 460479f3-80b7-42da-9c43-2cc1d54dbccd
+description: Sysmon registry detection of a local hidden user account.
+status: experimental
+date: 2021/05/03
+modified: 2021/05/12
+author: Christian Burkard
+tags:
+ - attack.persistence
+ - attack.t1136.001
+references:
+ - https://twitter.com/SBousseaden/status/1387530414185664538
+logsource:
+ product: windows
+ category: registry_event
+detection:
+ selection:
+ TargetObject|startswith: 'HKLM\SAM\SAM\Domains\Account\Users\Names\'
+ TargetObject|endswith: '$'
+ Image|endswith: "lsass.exe"
+ condition: selection
+falsepositives:
+ - unknown
+level: high
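Review bot: The `filter` in the VBScript rule excludes every TargetObject containing `Software\Microsoft\Windows\CurrentVersion\Run`, and as a substring that also covers `RunOnce`, `RunOnceEx` and any other key name beginning with "Run" under CurrentVersion, not only the Run key. If only the Run key was meant to be carved out, `TargetObject|contains: 'Software\Microsoft\Windows\CurrentVersion\Run\'` restricts it; if all autorun keys are deliberately left to other rules, a comment on the filter saying so, e.g. `# Run* autostart keys are covered by the dedicated run-key rules`, stops the next reader from treating the overlap as a bug.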
diff --git a/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml b/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml
index 2e2abe6be..2ede1d708 100755
--- a/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml
+++ b/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml
@@ -16,8 +16,11 @@ logsource:
 detection:
 selection:
 EventType: 'CreateKey' # don't want DeleteKey events
- TargetObject: 'HKU\\*_Classes\CLSID\\*\TreatAs'
+ TargetObject|contains|all:
+ - 'HKU\'
+ - '_Classes\CLSID\'
+ - '\TreatAs'
 condition: selection
 falsepositives:
- - Maybe some system utilities in rare cases use linking keys for backward compability
+ - Maybe some system utilities in rare cases use linking keys for backward compatibility
 level: medium
diff --git a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml
index ed0c58392..7f4b07fc4 100755
--- a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml
+++ b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml
@@ -4,9 +4,9 @@ status: experimental
 description: Detects potential COM object hijacking leveraging the COM Search Order
 references:
 - https://www.cyberbit.com/blog/endpoint-security/com-hijacking-windows-overlooked-security-vulnerability/
-author: Maxime Thiebaut (@0xThiebaut)
+author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien
 date: 2020/04/14
-modified: 2020/09/06
+modified: 2021/05/01
 tags:
 - attack.persistence
 - attack.t1038 # an old one
@@ -16,15 +16,30 @@ logsource:
 product: windows
 detection:
 selection: # Detect new COM servers in the user hive
- TargetObject: 'HKU\\*_Classes\CLSID\\*\InProcServer32\(Default)'
- filter:
- Details: # Exclude privileged directories and observed FPs
- - '%%systemroot%%\system32\\*'
- - '%%systemroot%%\SysWow64\\*'
- - '*\AppData\Local\Microsoft\OneDrive\\*\FileCoAuthLib64.dll'
- - '*\AppData\Local\Microsoft\OneDrive\\*\FileSyncShell64.dll'
- - '*\AppData\Local\Microsoft\TeamsMeetingAddin\\*\Microsoft.Teams.AddinLoader.dll'
- condition: selection and not filter
+ TargetObject|contains|all:
+ - 'HKU\'
+ - '_Classes\CLSID\'
+ - '\InProcServer32\(Default)'
+ filter1:
+ - Details|contains: # Exclude privileged directories and observed FPs
+ - '%%systemroot%%\system32\'
+ - '%%systemroot%%\SysWow64\'
+ filterOneDrive:
+ - Details|contains: '\AppData\Local\Microsoft\OneDrive\'
+ filterOneDrive2:
+ - Details|contains:
+ - '\FileCoAuthLib64.dll'
+ - '\FileSyncShell64.dll'
+ - '\FileSyncApi64.dll'
+ filter2:
+ - Details|contains|all:
+ - '\AppData\Local\Microsoft\TeamsMeetingAddin\'
+ - '\Microsoft.Teams.AddinLoader.dll'
+ filter3:
+ - Details|contains|all:
+ - '\AppData\Roaming\Dropbox\'
+ - '\DropboxExt64.*.dll'
+ condition: selection and not ( filter1 or ( filterOneDrive and filterOneDrive2 ) or filter2 or filter3 )
 falsepositives:
 - Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level
 level: medium
diff --git a/rules/windows/registry_event/sysmon_removal_amsi_registry_key.yml b/rules/windows/registry_event/sysmon_removal_amsi_registry_key.yml
new file mode 100644
index 000000000..9428a3d39
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_removal_amsi_registry_key.yml
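Review bot: `filter1` turns the two privileged-directory exclusions into `Details|contains`, whereas the removed patterns `'%%systemroot%%\system32\\*'` and `'%%systemroot%%\SysWow64\\*'` had no leading wildcard and so only matched as a prefix; a contains test is also satisfied by a `\system32\` component somewhere later in the path, so the exclusion is now looser than it was. Using `- Details|startswith:` for filter1 restores the original prefix semantics without touching the other filters. The OneDrive, Teams and Dropbox exclusions were substring matches before this change as well, so they are unaffected.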
@@ -0,0 +1,26 @@
+title: Removal Amsi Provider Reg Key
+id: 41d1058a-aea7-4952-9293-29eaaf516465
+description: Remove the AMSI Provider registry key in HKLM\Software\Microsoft\AMSI to disable AMSI inspection
+status: experimental
+date: 2021/06/07
+author: frack113
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
+ - https://seclists.org/fulldisclosure/2020/Mar/45
+logsource:
+ product: windows
+ category: registry_event
+ definition: key must be add to the sysmon configuration to works
+detection:
+ selection:
+ EventType: DeleteKey
+ TargetObject|endswith:
+ - '{2781761E-28E0-4109-99FE-B9D127C57AFE}'
+ - '{A7C452EF-8E9F-42EB-9F2B-245613CA0DC9}'
+ condition: selection
+falsepositives:
+ - unknown
+level: high
diff --git a/rules/windows/registry_event/sysmon_removal_com_hijacking_registry_key.yml b/rules/windows/registry_event/sysmon_removal_com_hijacking_registry_key.yml
new file mode 100644
index 000000000..d834dcb1b
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_removal_com_hijacking_registry_key.yml
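Review bot: The AMSI selection keys only on a DeleteKey whose path ends in one of the two provider GUIDs, with nothing tying the event to the `HKLM\Software\Microsoft\AMSI` path the description names; the same GUIDs may also exist as ordinary CLSID keys elsewhere in the registry, and removing one of those (for example during an uninstall) would raise this high-level alert for an unrelated operation. Adding `TargetObject|contains: '\Microsoft\AMSI\Providers\'` to the selection ties the rule to the key it describes. The `definition` text would also read better as `definition: the AMSI provider key must be added to the Sysmon configuration for this rule to work`.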
@@ -0,0 +1,26 @@
+title: Removal of Potential COM Hijacking Registry Keys
+id: 96f697b0-b499-4e5d-9908-a67bec11cdb6
+description: A General detection to trigger for processes removing .*\shell\open\command registry keys. Registry keys that might have been used for COM hijacking activities.
+status: experimental
+date: 2020/05/02
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.defense_evasion
+ - attack.t1112
+references:
+ - https://github.com/OTRF/detection-hackathon-apt29/issues/7
+ - https://threathunterplaybook.com/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.html
+ - https://docs.microsoft.com/en-us/windows/win32/shell/launch
+ - https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand
+ - https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code
+logsource:
+ product: windows
+ category: registry_event
+detection:
+ selection:
+ EventType: 'DeleteKey'
+ TargetObject|endswith: '\shell\open\command'
+ condition: selection
+falsepositives:
+ - unknown
+level: medium
\ No newline at end of file
diff --git a/rules/windows/registry_event/sysmon_runonce_persistence.yml b/rules/windows/registry_event/sysmon_runonce_persistence.yml
new file mode 100644
index 000000000..6e74aedb5
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_runonce_persistence.yml
@@ -0,0 +1,23 @@
+title: Run Once Task Configuration in Registry
+id: c74d7efc-8826-45d9-b8bb-f04fac9e4eff
+description: Rule to detect the configuration of Run Once registry key. Configured payload can be run by runonce.exe /AlternateShellStartup
+author: 'Avneet Singh @v3t0_, oscd.community'
+status: experimental
+date: 2020/11/15
+references:
+ - https://twitter.com/pabraeken/status/990717080805789697
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Runonce.yml
+tags:
+ - attack.defense_evasion
+ - attack.t1112
+logsource:
+ product: windows
+ category: registry_event
+detection:
+ selection:
+ TargetObject|startswith: 'HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components'
+ TargetObject|endswith: '\StubPath'
+ condition: selection
+falsepositives:
+ - Legitimate modification of the registry key by legitimate program
+level: medium
diff --git a/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml b/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml
index 06e822d14..7f23a3298 100755
--- a/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml
+++ b/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml
@@ -12,9 +12,9 @@ tags:
 - attack.t1546.008
 - car.2014-11-003
 - car.2014-11-008
-author: Florian Roth, @twjackomo
+author: Florian Roth, @twjackomo, Jonhnathan Ribeiro, oscd.community
 date: 2018/03/15
-modified: 2020/09/06
+modified: 2020/11/28
 falsepositives:
 - Unlikely
 level: critical
@@ -23,15 +23,14 @@ logsource:
 category: registry_event
 product: windows
 detection:
- selection_registry:
- TargetObject:
- - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger'
- - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger'
- - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\Debugger'
- - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe\Debugger'
- - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe\Debugger'
- - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe\Debugger'
- EventType: 'SetValue'
+ selection_registry:
+ TargetObject|endswith:
+ - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger'
+ - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger'
+ - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\Debugger'
+ - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe\Debugger'
+ - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe\Debugger'
+ - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DisplaySwitch.exe\Debugger'
 condition: 1 of them
 ---
 logsource:
@@ -39,13 +38,13 @@ logsource:
 product: windows
 detection:
 selection_process:
- ParentImage:
- - '*\winlogon.exe'
- CommandLine:
- - '*cmd.exe sethc.exe *'
- - '*cmd.exe utilman.exe *'
- - '*cmd.exe osk.exe *'
- - '*cmd.exe Magnify.exe *'
- - '*cmd.exe Narrator.exe *'
- - '*cmd.exe DisplaySwitch.exe *'
+ ParentImage|endswith: '\winlogon.exe'
+ Image|endswith: '\cmd.exe'
+ CommandLine|contains:
+ - 'sethc.exe'
+ - 'utilman.exe'
+ - 'osk.exe'
+ - 'Magnify.exe'
+ - 'Narrator.exe'
+ - 'DisplaySwitch.exe'
 condition: 1 of them
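Review bot: The registry document on the new side no longer carries `EventType: 'SetValue'`, so a DeleteValue or RenameKey touching any of the six Debugger paths now satisfies `selection_registry` as well; deletion of a Debugger value is a cleanup signal rather than the backdoor being installed and may not warrant the same `critical` level. If the wider scope is intended, a comment such as `# any EventType: value set, value delete and key rename all match` next to `selection_registry:` records the decision; otherwise restoring `EventType: 'SetValue'` keeps the previous behaviour. The `level` and `falsepositives` fields of this file are in the earlier hunk.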
diff --git a/rules/windows/registry_event/sysmon_susp_atbroker_change.yml b/rules/windows/registry_event/sysmon_susp_atbroker_change.yml
new file mode 100644
index 000000000..55850ba37
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_susp_atbroker_change.yml
@@ -0,0 +1,26 @@
+title: Atbroker Registry Change
+id: 9577edbb-851f-4243-8c91-1d5b50c1a39b
+description: Detects creation/modification of Assisitive Technology applications and persistance with usage of ATs
+author: Mateusz Wydra, oscd.community
+references:
+ - http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Atbroker.yml
+date: 2020/10/13
+modified: 2021/05/24
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+ - attack.persistence
+ - attack.t1547
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ creation:
+ TargetObject|contains: 'Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs'
+ persistance:
+ TargetObject|contains: 'Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration'
+ condition: creation or persistance
+falsepositives:
+ - Creation of non-default, legitimate AT.
+level: high
diff --git a/rules/windows/registry_event/sysmon_susp_download_run_key.yml b/rules/wind. ows/registry_event/sysmon_susp_download_run_key.yml
index 963cbfc92..fcc8c3b45 100755
--- a/rules/windows/registry_event/sysmon_susp_download_run_key.yml
+++ b/rules/windows/registry_event/sysmon_susp_download_run_key.yml
@@ -1,4 +1,4 @@
-title: Suspicious RUN Key from Download
+title: Suspicious Run Key from Download
 id: 9c5037d1-c568-49b3-88c7-9846a5bdc2be
 status: experimental
 description: Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories
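Review bot: The new Atbroker rule text carries spelling errors that end up verbatim in alert titles and exports: `description: Detects creation/modification of Assisitive Technology applications and persistance with usage of ATs` should read `Assistive` and `persistence`. The selection identifier `persistance` (used again in `condition: creation or persistance`) is cosmetic but would be clearer as `persistence` if renamed in both places at once.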
@@ -16,11 +16,11 @@ logsource:
 product: windows
 detection:
 selection:
- Image:
- - '*\Downloads\\*'
- - '*\Temporary Internet Files\Content.Outlook\\*'
- - '*\Local Settings\Temporary Internet Files\\*'
- TargetObject: '*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\*'
+ Image|contains:
+ - '\Downloads\'
+ - '\Temporary Internet Files\Content.Outlook\'
+ - '\Local Settings\Temporary Internet Files\'
+ TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\'
 condition: selection
 falsepositives:
 - Software installers downloaded and used by users
diff --git a/rules/windows/registry_event/sysmon_susp_lsass_dll_load.yml b/rules/windows/registry_event/sysmon_susp_lsass_dll_load.yml
index e7ff37013..d17f68a15 100644
--- a/rules/windows/registry_event/sysmon_susp_lsass_dll_load.yml
+++ b/rules/windows/registry_event/sysmon_susp_lsass_dll_load.yml
@@ -13,9 +13,9 @@ logsource:
 product: windows
 detection:
 selection:
- TargetObject:
- - '*\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt*'
- - '*\CurrentControlSet\Services\NTDS\LsaDbExtPt*'
+ TargetObject|contains:
+ - '\CurrentControlSet\Services\NTDS\DirectoryServiceExtPt'
+ - '\CurrentControlSet\Services\NTDS\LsaDbExtPt'
 condition: selection
 tags:
 - attack.execution
diff --git a/rules/windows/registry_event/sysmon_susp_mic_cam_access.yml b/rules/windows/registry_event/sysmon_susp_mic_cam_access.yml
index 0729a3207..f8ffaeb6f 100644
--- a/rules/windows/registry_event/sysmon_susp_mic_cam_access.yml
+++ b/rules/windows/registry_event/sysmon_susp_mic_cam_access.yml
@@ -14,8 +14,9 @@ logsource:
 product: windows
 detection:
 selection_1:
- TargetObject|contains:
- - \Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\\*\NonPackaged
+ TargetObject|contains|all:
+ - '\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\'
+ - '\NonPackaged'
 selection_2:
 TargetObject|contains:
 - microphone
diff --git a/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml b/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml
index 8a84eff4c..2c6ae5ca2 100755
--- a/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml
+++ b/rules/windows/registry_event/sysmon_susp_reg_persist_explorer_run.yml
@@ -2,7 +2,7 @@ title: Registry Persistence via Explorer Run Key
 id: b7916c2a-fa2f-4795-9477-32b731f70f11
 status: experimental
 description: Detects a possible persistence mechanism using RUN key for Windows Explorer and pointing to a suspicious folder
-author: Florian Roth
+author: Florian Roth, oscd.community
 date: 2018/07/18
 modified: 2020/09/06
 references:
@@ -12,16 +12,18 @@ logsource:
 product: windows
 detection:
 selection:
- TargetObject: '*\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
- Details:
- - 'C:\Windows\Temp\\*'
- - 'C:\ProgramData\\*'
- - '*\AppData\\*'
- - 'C:\$Recycle.bin\\*'
- - 'C:\Temp\\*'
- - 'C:\Users\Public\\*'
- - 'C:\Users\Default\\*'
- condition: selection
+ TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run'
+ selection2:
+ - Details|startswith:
+ - 'C:\Windows\Temp\'
+ - 'C:\ProgramData\'
+ - 'C:\$Recycle.bin\'
+ - 'C:\Temp\'
+ - 'C:\Users\Public\'
+ - 'C:\Users\Default\'
+ - Details|contains:
+ - '\AppData\'
+ condition: selection and selection2
 tags:
 - attack.persistence
 - attack.t1060 # an old one
diff --git a/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml b/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml
index 309d978d8..af430e49a 100755
--- a/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml
+++ b/rules/windows/registry_event/sysmon_susp_run_key_img_folder.yml
@@ -16,20 +16,22 @@ logsource:
 product: windows
 detection:
 selection:
- TargetObject:
- - '*\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\*'
- - '*\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\\*'
- Details:
- - '*C:\Windows\Temp\\*'
- - '*C:\$Recycle.bin\\*'
- - '*C:\Temp\\*'
- - '*C:\Users\Public\\*'
- - '%Public%\\*'
- - '*C:\Users\Default\\*'
- - '*C:\Users\Desktop\\*'
- - 'wscript*'
- - 'cscript*'
- condition: selection
+ TargetObject|contains:
+ - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\'
+ - '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\'
+ selection2:
+ - Details|contains:
+ - 'C:\Windows\Temp\'
+ - 'C:\$Recycle.bin\'
+ - 'C:\Temp\'
+ - 'C:\Users\Public\'
+ - 'C:\Users\Default\'
+ - 'C:\Users\Desktop\'
+ - Details|startswith:
+ - '%Public%\'
+ - 'wscript'
+ - 'cscript'
+ condition: selection and selection2
 fields:
 - Image
 falsepositives:
diff --git a/rules/windows/registry_event/sysmon_susp_service_installed.yml b/rules/windows/registry_event/sysmon_susp_service_installed.yml
index 2d302e4f3..00e4022e6 100755
--- a/rules/windows/registry_event/sysmon_susp_service_installed.yml
+++ b/rules/windows/registry_event/sysmon_susp_service_installed.yml
@@ -19,14 +19,14 @@ detection:
 - 'HKLM\System\CurrentControlSet\Services\NalDrv\ImagePath'
 - 'HKLM\System\CurrentControlSet\Services\PROCEXP152\ImagePath'
 selection_2:
- Image|contains:
- - '*\procexp64.exe'
- - '*\procexp.exe'
- - '*\procmon64.exe'
- - '*\procmon.exe'
+ Image|endswith:
+ - '\procexp64.exe'
+ - '\procexp.exe'
+ - '\procmon64.exe'
+ - '\procmon.exe'
 selection_3:
 Details|contains:
- - '*\WINDOWS\system32\Drivers\PROCEXP152.SYS'
+ - '\WINDOWS\system32\Drivers\PROCEXP152.SYS'
 condition: selection_1 and not selection_2 and not selection_3
 falsepositives:
 - Other legimate tools using this service names and drivers. Note - clever attackers may easily bypass this detection by just renaming the services. Therefore just Medium-level and don't rely on it.
diff --git a/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml b/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml
index 125d927da..0cd426a5b 100755
--- a/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml
+++ b/rules/windows/registry_event/sysmon_suspicious_keyboard_layout_load.yml
@@ -14,9 +14,9 @@ logsource:
 definition: 'Requirements: Sysmon config that monitors \Keyboard Layout\Preload subkey of the HKLU hives - see https://github.com/SwiftOnSecurity/sysmon-config/pull/92/files'
 detection:
 selection_registry:
- TargetObject:
- - '*\Keyboard Layout\Preload\\*'
- - '*\Keyboard Layout\Substitutes\\*'
+ TargetObject|contains:
+ - '\Keyboard Layout\Preload\'
+ - '\Keyboard Layout\Substitutes\'
 Details|contains:
 - 00000429 # Persian (Iran)
 - 00050429 # Persian (Iran)
diff --git a/rules/windows/registry_event/sysmon_sysinternals_eula_accepted.yml b/rules/windows/registry_event/sysmon_sysinternals_eula_accepted.yml
index 056d98d40..717e6b93a 100755
--- a/rules/windows/registry_event/sysmon_sysinternals_eula_accepted.yml
+++ b/rules/windows/registry_event/sysmon_sysinternals_eula_accepted.yml
@@ -17,7 +17,7 @@ logsource:
 category: registry_event
 detection:
 selection1:
- TargetObject: '*\EulaAccepted'
+ TargetObject|endswith: '\EulaAccepted'
 condition: 1 of them
 ---
 logsource:
@@ -25,5 +25,5 @@ logsource:
 product: windows
 detection:
 selection2:
- CommandLine: '* -accepteula*'
- condition: 1 of them
\ No newline at end of file
+ CommandLine|contains: ' -accepteula'
+ condition: 1 of them
diff --git a/rules/windows/registry_event/sysmon_sysinternals_sdelete_registry_keys.yml b/rules/windows/registry_event/sysmon_sysinternals_sdelete_registry_keys.yml
new file mode 100644
index 000000000..ea6a92f21
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_sysinternals_sdelete_registry_keys.yml
@@ -0,0 +1,23 @@
+title: Sysinternals SDelete Registry Keys
+id: 9841b233-8df8-4ad7-9133-b0b4402a9014
+description: A General detection to trigger for the creation or modification of .*\Software\Sysinternals\SDelete registry keys. Indicators of the use of Sysinternals SDelete tool.
+status: experimental
+date: 2020/05/02
+modified: 2021/05/12
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.defense_evasion
+ - attack.t1070.004
+references:
+ - https://github.com/OTRF/detection-hackathon-apt29/issues/9
+ - https://threathunterplaybook.com/evals/apt29/detections/4.B.2_59A9AC92-124D-4C4B-A6BF-3121C98677C3.html
+logsource:
+ product: windows
+ category: registry_event
+detection:
+ selection:
+ TargetObject|contains: '\Software\Sysinternals\SDelete'
+ condition: selection
+falsepositives:
+ - unknown
+level: medium
\ No newline at end of file
diff --git a/rules/windows/registry_event/sysmon_taskcache_entry.yml b/rules/windows/registry_event/sysmon_taskcache_entry.yml
new file mode 100644
index 000000000..03465933f
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_taskcache_entry.yml
@@ -0,0 +1,21 @@
+title: New TaskCache Entry
+id: 4720b7df-40c3-48fd-bbdf-fd4b3c464f0d
+description: Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered
+tags:
+ - attack.persistence
+ - attack.t1053
+ - attack.t1053.005
+date: 2021/06/18
+references:
+ - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
+author: Syed Hasan (@syedhasan009)
+falsepositives:
+ - Unknown
+level: medium
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ TargetObject|contains: 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\'
+ condition: selection
diff --git a/rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml b/rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml
index f566bc863..065779e19 100755
--- a/rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml
+++ b/rules/windows/registry_event/sysmon_uac_bypass_eventvwr.yml
@@ -24,7 +24,8 @@ logsource:
 category: registry_event
 detection:
 methregistry:
- TargetObject: 'HKU\\*\mscfile\shell\open\command'
+ TargetObject|startswith: 'HKU\'
+ TargetObject|endswith: '\mscfile\shell\open\command'
 condition: methregistry
 ---
 logsource:
@@ -32,9 +33,9 @@ logsource:
 product: windows
 detection:
 methprocess:
- ParentImage: '*\eventvwr.exe'
+ ParentImage|endswith: '\eventvwr.exe'
 filterprocess:
- Image: '*\mmc.exe'
+ Image|endswith: '\mmc.exe'
 condition: methprocess and not filterprocess
 fields:
 - CommandLine
diff --git a/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml b/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml
index 79063257e..5a91724f2 100755
--- a/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml
+++ b/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml
@@ -13,7 +13,8 @@ logsource:
 detection:
 selection: # usrclass.dat is mounted on HKU\USERSID_Classes\...
- TargetObject: 'HKU\\*_Classes\exefile\shell\runas\command\isolatedCommand'
+ TargetObject|startswith: 'HKU\'
+ TargetObject|endswith: '_Classes\exefile\shell\runas\command\isolatedCommand'
 condition: selection
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/registry_event/sysmon_volume_shadow_copy_service_keys.yml b/rules/windows/registry_event/sysmon_volume_shadow_copy_service_keys.yml
new file mode 100644
index 000000000..eb48e9352
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_volume_shadow_copy_service_keys.yml
@@ -0,0 +1,24 @@
+title: Volume Shadow Copy Service Keys
+id: 5aad0995-46ab-41bd-a9ff-724f41114971
+description: Detects the volume shadow copy service initialization and processing. Registry keys such as HKLM\\System\\CurrentControlSet\\Services\\VSS\\Diag\\VolSnap\\Volume are captured.
+status: experimental
+date: 2020/10/20
+modified: 2021/06/02
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.credential_access
+ - attack.t1003.002
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ TargetObject|contains: 'System\CurrentControlSet\Services\VSS'
+ filter:
+ TargetObject|contains: 'System\CurrentControlSet\Services\VSS\Start'
+ condition: selection and not filter
+falsepositives:
+ - Other services accessing that key or sub keys
+level: high
diff --git a/rules/windows/registry_event/sysmon_wab_dllpath_reg_change.yml b/rules/windows/registry_event/sysmon_wab_dllpath_reg_change.yml
new file mode 100644
index 000000000..351020fc0
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_wab_dllpath_reg_change.yml
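Review bot: `TargetObject|contains: 'System\CurrentControlSet\Services\VSS'` matches any service key whose name merely begins with VSS, not only the VSS service, and with no `EventType` constraint it fires on every key or value touched under that service during ordinary shadow-copy activity, which the description itself calls "initialization and processing"; `level: high` is hard to reconcile with a falsepositives entry of `Other services accessing that key or sub keys`. Narrowing the selection to `'System\CurrentControlSet\Services\VSS\'` removes the name-prefix overlap, and either lowering the level or stating in the description which write (e.g. the `Diag\VolSnap\Volume` keys it mentions) is the actual indicator would make the rule's intended scope explicit.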
@@ -0,0 +1,26 @@ +title: Execution DLL of Choice Using WAB.EXE +id: fc014922-5def-4da9-a0fc-28c973f41bfb +description: This rule detects that the path to the DLL written in the registry is different from the default one. Launched WAB.exe tries to load the DLL from Registry. +status: experimental +references: + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Wab.yml + - https://twitter.com/Hexacorn/status/991447379864932352 + - http://www.hexacorn.com/blog/2018/05/01/wab-exe-as-a-lolbin/ +tags: + - attack.defense_evasion + - attack.t1218 +date: 2020/10/13 +modified: 2021/05/21 +author: oscd.community, Natalia Shornikova +logsource: + category: registry_event + product: windows +detection: + selection: + TargetObject|endswith: '\Software\Microsoft\WAB\DLLPath' + filter: + Details: '%CommonProgramFiles%\System\wab32.dll' + condition: selection and not filter +falsepositives: + - Unknown +level: high diff --git a/rules/windows/registry_event/sysmon_wdigest_enable_uselogoncredential.yml b/rules/windows/registry_event/sysmon_wdigest_enable_uselogoncredential.yml new file mode 100644 index 000000000..6a53796b6 --- /dev/null +++ b/rules/windows/registry_event/sysmon_wdigest_enable_uselogoncredential.yml 
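Review bot: The filter `Details: '%CommonProgramFiles%\System\wab32.dll'` exempts a single default value, but `TargetObject|endswith: '\Software\Microsoft\WAB\DLLPath'` also matches the 32-bit key under `Wow6432Node`; if that key's default is the `%CommonProgramFiles(x86)%\System\wab32.dll` variant, as I believe it is, a benign write there is reported as a hijack. Worth verifying on a 64-bit host and, if confirmed, listing both values under `Details` (a YAML list there is an OR). With `level: high` and `falsepositives: - Unknown`, the rule gives the analyst nothing to go on; naming the default writers of this value would help.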
@@ -0,0 +1,22 @@ +title: Wdigest Enable UseLogonCredential +id: d6a9b252-c666-4de6-8806-5561bbbd3bdc +description: Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials +status: experimental +date: 2019/09/12 +modified: 2021/05/27 +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +tags: + - attack.defense_evasion + - attack.t1112 +references: + - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html +logsource: + category: registry_event + product: windows +detection: + selection: + TargetObject|endswith: 'WDigest\UseLogonCredential' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/registry_event/sysmon_win_reg_persistence.yml b/rules/windows/registry_event/sysmon_win_reg_persistence.yml index 25f5ef43a..883c5863a 100755 --- a/rules/windows/registry_event/sysmon_win_reg_persistence.yml +++ b/rules/windows/registry_event/sysmon_win_reg_persistence.yml 
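Review bot: The selection matches any write to `WDigest\UseLogonCredential` regardless of the value, so a hardening GPO or script setting it to 0 raises the same `level: high` alert as enabling it, and `falsepositives: - Unknown` does not mention that. Since the title says "Enable", pin the value the way the Outlook rule in this commit does: `Details: 'DWORD (0x00000001)'` under `selection`. A smaller nit: the description writes the key in PowerShell drive notation (`HKLM:\SYSTEM\...`) rather than the plain `HKLM\` form used in the other rule descriptions.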
@@ -5,18 +5,25 @@ references: - https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/ date: 2018/04/11 modified: 2020/09/06 -author: Karneades +author: Karneades, Jonhnathan Ribeiro logsource: category: registry_event product: windows detection: selection_reg1: - TargetObject: - - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\\*\GlobalFlag' - - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\\*\ReportingMode' - - '*\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\\*\MonitorProcess' - EventType: SetValue - condition: selection_reg1 + TargetObject|contains: + - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion' + selection_reg2: + - TargetObject|contains|all: + - '\Image File Execution Options\' + - '\GlobalFlag' + - TargetObject|contains|all: + - 'SilentProcessExit\' + - '\ReportingMode' + - TargetObject|contains|all: + - 'SilentProcessExit\' + - '\MonitorProcess' + condition: selection_reg1 and selection_reg2 tags: - attack.privilege_escalation - attack.persistence diff --git a/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml b/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml new file mode 100644 index 000000000..6cdb6cb24 --- /dev/null +++ b/rules/windows/registry_event/sysmon_win_reg_telemetry_persistence.yml 
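Review bot: The rewrite drops `EventType: SetValue` from the detection without a replacement, so the rule now also fires on key creation, renames and deletions of these values, which the original deliberately excluded; re-add `EventType: SetValue` under `selection_reg1`. The `modified: 2020/09/06` context line is left untouched although both the author and the detection logic change here. Minor: `'SilentProcessExit\'` lacks the leading backslash the other `contains|all` fragments carry, so it also matches key names that merely end in that word.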
@@ -0,0 +1,29 @@ +title: Registry Persistence Mechanism via Windows Telemetry +id: 73a883d0-0348-4be4-a8d8-51031c2564f8 +description: Detects persistence method using windows telemetry +status: experimental +date: 2020/10/16 +references: + - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/ +author: Lednyov Alexey, oscd.community +tags: + - attack.persistence + - attack.t1053.005 +logsource: + category: registry_event + product: windows + definition: 'Requirements: Sysmon config that monitors \SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController subkey of the HKLU hives' +detection: + selection: + TargetObject|contains|all: + - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\' + - '\Command' + Details|contains: '.exe' + filter: + Details|contains: + - '\system32\CompatTelRunner.exe' + - '\system32\DeviceCensus.exe' + condition: selection and not filter +falsepositives: + - unknown +level: critical diff --git a/rules/windows/registry_event/win_outlook_c2_registry_key.yml b/rules/windows/registry_event/win_outlook_c2_registry_key.yml new file mode 100644 index 000000000..4d6524277 --- /dev/null +++ b/rules/windows/registry_event/win_outlook_c2_registry_key.yml 
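Review bot: The `definition:` text says the Sysmon config must monitor the `TelemetryController` subkey "of the HKLU hives"; there is no HKLU hive, and since the referenced technique lives under `HKLM\SOFTWARE`, the line should name HKLM explicitly. This rule also overlaps almost entirely with `sysmon_abusing_windows_telemetry_for_persistence.yml` added in the same commit (same reference, same `TelemetryController\` key, similar `Details` check), so one of them should be dropped or each should point at the other in `description`. `level: critical` next to `falsepositives: - unknown` reads as contradictory; if the two `filter` entries (`CompatTelRunner.exe`, `DeviceCensus.exe`) are the only known benign writers, say so under `falsepositives`.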
@@ -0,0 +1,25 @@ +title: Outlook C2 Registry Key +id: e3b50fa5-3c3f-444e-937b-0a99d33731cd +status: experimental +description: Detects the modification of Outlook Security Setting to allow unprompted execution. Goes with win_outlook_c2_macro_creation.yml and is particularly interesting if both events occur near to each other. +references: + - https://www.mdsec.co.uk/2020/11/a-fresh-outlook-on-mail-based-persistence/ +author: '@ScoubiMtl' +tags: + - attack.persistence + - attack.command_and_control + - attack.t1137 + - attack.t1008 + - attack.t1546 +date: 2021/04/05 +logsource: + category: registry_event + product: windows +detection: + selection_registry: + TargetObject: 'HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\Level' + Details|contains: '0x00000001' + condition: selection_registry +falsepositives: + - Unlikely +level: medium diff --git a/rules/windows/registry_event/win_outlook_registry_todaypage.yml b/rules/windows/registry_event/win_outlook_registry_todaypage.yml new file mode 100644 index 000000000..71a6dca99 --- /dev/null +++ b/rules/windows/registry_event/win_outlook_registry_todaypage.yml 
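Review bot: `TargetObject: 'HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Security\Level'` cannot match a Sysmon registry event, because Sysmon renders hives as `HKU\<SID>\...`, `HKLM\...` and `HKCR\...` — the eventvwr and sdclt rules at the top of this chunk use `TargetObject|startswith: 'HKU\'` for exactly that reason. Use `TargetObject|endswith: '\Software\Microsoft\Office\16.0\Outlook\Security\Level'` (and decide whether pinning `16.0` is intended). The same full hive name appears in `win_portproxy_registry_key.yml` and in the registry section of `sysmon_abusing_windows_telemetry_for_persistence.yml` further down; in the PortProxy rule an exact match is doubly wrong because Sysmon's `TargetObject` for a SetValue event carries the value name after the key path, so only a bare key creation could ever match — `TargetObject|contains: '\Services\PortProxy\v4tov4\tcp'` is what that rule needs.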
@@ -0,0 +1,32 @@ +title: Persistent Outlook Landing Pages +id: 487bb375-12ef-41f6-baae-c6a1572b4dd1 +description: Detects the manipulation of persistant URLs which could execute malicious code +status: experimental +references: + - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70 +author: Tobias Michalski +date: 2021/06/10 +tags: + - attack.persistence + - attack.t1112 +logsource: + product: windows + category: registry_event +detection: + selection1: + TargetObject|contains: + - 'Software\Microsoft\Office\' + - '\Outlook\Today\' + selectionStamp: + TargetObject|endswith: + - 'Stamp' + Details: DWORD (0x00000001) + selectionUserDefined: + TargetObject|endswith: + - 'UserDefinedUrl' + condition: selection1 and (selectionStamp or selectionUserDefined) +fields: + - Details +falsepositives: + - unknown +level: high diff --git a/rules/windows/registry_event/win_outlook_registry_webview.yml b/rules/windows/registry_event/win_outlook_registry_webview.yml new file mode 100644 index 000000000..7033f1c03 --- /dev/null +++ b/rules/windows/registry_event/win_outlook_registry_webview.yml 
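Review bot: `selection1` lists two strings under `TargetObject|contains:`, which Sigma evaluates as OR, so the selection is satisfied by any registry write below `Software\Microsoft\Office\`, and with `selectionStamp` only requiring a name ending in `Stamp` the rule is far broader than the Outlook Today page it describes; the intended AND form is `TargetObject|contains|all:`, as `sysmon_win_reg_telemetry_persistence.yml` in this commit uses. `win_outlook_registry_webview.yml` right below has the identical list-under-`contains` problem in its `selection1`. Both rules also share the exact title "Persistent Outlook Landing Pages" and misspell "persistant" in `description`; distinct titles (e.g. "... via Today Page" / "... via WebView") make triage and deduplication easier.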
@@ -0,0 +1,31 @@ +title: Persistent Outlook Landing Pages +id: ddd171b5-2cc6-4975-9e78-f0eccd08cc76 +description: Detects the manipulation of persistant URLs which can be malicious +status: experimental +references: + - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70 + - https://support.microsoft.com/en-us/topic/outlook-home-page-feature-is-missing-in-folder-properties-d207edb7-aa02-46c5-b608-5d9dbed9bd04?ui=en-us&rs=en-us&ad=us +author: Tobias Michalski +date: 2021/06/09 +tags: + - attack.persistence + - attack.t1112 +logsource: + product: windows + category: registry_event +detection: + selection1: + TargetObject|contains: + - 'Software\Microsoft\Office\' + - 'Outlook\WebView\' + TargetObject|endswith: 'URL' + selection2: + TargetObject|contains: + - 'Calendar' + - 'Inbox' + condition: selection1 and 1 of selection2 +fields: + - Details +falsepositives: + - unknown +level: high diff --git a/rules/windows/registry_event/win_portproxy_registry_key.yml b/rules/windows/registry_event/win_portproxy_registry_key.yml new file mode 100644 index 000000000..2559c6202 --- /dev/null +++ b/rules/windows/registry_event/win_portproxy_registry_key.yml 
@@ -0,0 +1,26 @@ +title: PortProxy Registry Key +id: a54f842a-3713-4b45-8c84-5f136fdebd3c +status: experimental +description: Detects the modification of PortProxy registry key which is used for port forwarding. For command execution see rule win_netsh_port_fwd.yml. +references: + - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html + - https://adepts.of0x.cc/netsh-portproxy-code/ + - https://www.dfirnotes.net/portproxy_detection/ +date: 2021/06/22 +tags: + - attack.lateral_movement + - attack.defense_evasion + - attack.command_and_control + - attack.t1090 +author: Andreas Hunkeler (@Karneades) +logsource: + category: registry_event + product: windows +detection: + selection_registry: + TargetObject: 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp' + condition: selection_registry +falsepositives: + - WSL2 network bridge PowerShell script used for WSL/Kubernetes/Docker (e.g. https://github.com/microsoft/WSL/issues/4150#issuecomment-504209723) + - Synergy Software KVM (https://symless.com/synergy) +level: medium diff --git a/rules/windows/sysmon/sysmon_abusing_windows_telemetry_for_persistence.yml b/rules/windows/sysmon/sysmon_abusing_windows_telemetry_for_persistence.yml new file mode 100644 index 000000000..6c6c6de81 --- /dev/null +++ b/rules/windows/sysmon/sysmon_abusing_windows_telemetry_for_persistence.yml 
@@ -0,0 +1,41 @@ +action: global +title: Abusing Windows Telemetry For Persistence +id: 4e8d5fd3-c959-441f-a941-f73d0cdcdca5 +status: Experimental +description: Windows telemetry makes use of the binary CompatTelRunner.exe to run a variety of commands and perform the actual telemetry collections. This binary was created to be easily extensible, and to that end, it relies on the registry to instruct on which commands to run. The problem is, it will run any arbitrary command without restriction of location or type. +references: + - https://www.trustedsec.com/blog/abusing-windows-telemetry-for-persistence/ +tags: + - attack.defense_evasion + - attack.persistence + - attack.t1112 + - attack.t1053 +author: Sreeman +date: 2020/09/29 +modified: 2021/06/11 +fields: + - EventID + - CommandLine + - TargetObject + - Details +falsepositives: + - none +level: high +--- +logsource: + product: windows + category: registry_event +detection: + selection: + TargetObject|contains: + - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\TelemetryController\ + Details|re: '.*(.sh|.exe|.dll|.bin|.bat|.cmd|.js|.ps|.vb|.jar|.hta|.msi|.vbs)$' + condition: selection +--- +logsource: + product: windows + category: process_creation +detection: + selection: + CommandLine|re: '(?i).*schtasks.*(-|/)r.*\\Application Experience\\Microsoft Compatibility Appraiser.*' + condition: selection \ No newline at end of file diff --git a/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml b/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml new file mode 100644 index 000000000..0eabbe262 --- /dev/null +++ b/rules/windows/sysmon/sysmon_accessing_winapi_in_powershell_credentials_dumping.yml 
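Review bot: `status: Experimental` is capitalised unlike the lowercase `experimental` every other rule in this commit uses, which a case-sensitive validator or consumer will treat as an unknown status. In the registry section the `Details|re` pattern leaves its dots unescaped, so `.sh` matches any character before `sh` (a value ending in `bash` qualifies) and `.ps$` cannot match a `.ps1` name; `'.*\.(sh|exe|dll|bin|bat|cmd|js|ps1|vb|jar|hta|msi|vbs)$'` expresses the apparent intent, assuming `.ps1` was meant. `falsepositives: - none` is also at odds with the near-duplicate `sysmon_win_reg_telemetry_persistence.yml`, which filters two legitimate telemetry binaries out of the same key.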
@@ -0,0 +1,26 @@ +title: Accessing WinAPI in PowerShell for Credentials Dumping +id: 3f07b9d1-2082-4c56-9277-613a621983cc +description: Detects Accessing to lsass.exe by Powershell +status: experimental +author: oscd.community, Natalia Shornikova +date: 2020/10/06 +modified: 2021/05/24 +references: + - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse +tags: + - attack.credential_access + - attack.t1003.001 +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: + - 8 + - 10 + SourceImage|endswith: '\powershell.exe' + TargetImage|endswith: '\lsass.exe' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/sysmon/sysmon_config_modification.yml b/rules/windows/sysmon/sysmon_config_modification.yml new file mode 100644 index 000000000..a24cddcaa --- /dev/null +++ b/rules/windows/sysmon/sysmon_config_modification.yml @@ -0,0 +1,38 @@ +action: global +title: Sysmon Configuration Modification +id: 1f2b5353-573f-4880-8e33-7d04dcf97744 +description: Someone try to hide from Sysmon +status: experimental +author: frack113 +date: 2021/06/04 +modified: 2021/06/10 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md + - https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html +tags: + - attack.defense_evasion + - attack.t1564 +falsepositives: + - legitimate administrative action +level: high +--- +logsource: + product: windows + category: sysmon_status +detection: + selection_stop: + State: Stopped + selection_conf: + message|startswith: + - 'Sysmon config state changed' + condition: selection_stop or selection_conf +--- +logsource: + product: windows + category: sysmon_error +detection: + selection_error: + Description|contains: + - 'Failed to open service configuration with error' + - 'Failed to connect to the driver to update configuration' + condition: selection_error \ No newline at end of file 
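Review bot: The rule stays on `service: sysmon` with raw `EventID: 8`/`10` while the rest of this commit moves rules to generic categories (`wmi_event`, `file_event`, `image_load`), so it will not translate for backends that only know the categories; the same logic fits the `action: global` layout used by `sysmon_wmiprvse_wbemcomn_dll_hijack.yml` below, with a `process_access` and a `create_remote_thread` section. Without any `GrantedAccess` or `CallTrace` constraint, ordinary read-only handle opens on lsass from PowerShell (plain process enumeration) match EventID 10 just as well, which at `level: high` deserves either a filter or an entry under `falsepositives`.

```yaml
action: global
# … unchanged: title/id/description/author/references/tags/falsepositives/level …
---
logsource:
  product: windows
  category: process_access
detection:
  selection:
    SourceImage|endswith: '\powershell.exe'
    TargetImage|endswith: '\lsass.exe'
  condition: selection
---
logsource:
  product: windows
  category: create_remote_thread
detection:
  selection:
    SourceImage|endswith: '\powershell.exe'
    TargetImage|endswith: '\lsass.exe'
  condition: selection
```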
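Review bot: The tag `attack.t1564` (Hide Artifacts) does not match the two references, which both describe T1562.001 (Impair Defenses: Disable or Modify Tools); `- attack.t1562.001` is the tag this detection actually supports. `description: Someone try to hide from Sysmon` is ungrammatical and does not say what is detected; `description: Detects the Sysmon service being stopped, its configuration being changed, or the driver rejecting a configuration update` covers the three selections. `message|startswith:` is the only lowercase field name among these rules; confirm it is the field the `sysmon_status` category exposes rather than a typo for a capitalised name.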
diff --git a/rules/windows/sysmon/sysmon_dcom_iertutil_dll_hijack.yml b/rules/windows/sysmon/sysmon_dcom_iertutil_dll_hijack.yml new file mode 100644 index 000000000..9a22b547a --- /dev/null +++ b/rules/windows/sysmon/sysmon_dcom_iertutil_dll_hijack.yml @@ -0,0 +1,29 @@ +title: T1021 DCOM InternetExplorer.Application Iertutil DLL Hijack +id: e554f142-5cf3-4e55-ace9-a1b59e0def65 +description: Detects a threat actor creating a file named `iertutil.dll` in the `C:\Program Files\Internet Explorer\` directory over the network and loading it for a DCOM InternetExplorer DLL Hijack scenario. +status: experimental +date: 2020/10/12 +modified: 2021/06/27 +author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR), wagga +tags: + - attack.lateral_movement + - attack.t1021.002 + - attack.t1021.003 +references: + - https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009183000.html +logsource: + product: windows + service: sysmon +detection: + selection_one: + EventID: 11 + Image: System + TargetFilename|endswith: '\Internet Explorer\iertutil.dll' + selection_two: + EventID: 7 + Image|endswith: '\Internet Explorer\iexplore.exe' + ImageLoaded|endswith: '\Internet Explorer\iertutil.dll' + condition: selection_one or selection_two +falsepositives: + - Unknown +level: critical \ No newline at end of file diff --git a/rules/windows/sysmon/sysmon_dns_hybridconnectionmgr_servicebus.yml b/rules/windows/sysmon/sysmon_dns_hybridconnectionmgr_servicebus.yml new file mode 100644 index 000000000..cd02807d2 --- /dev/null +++ b/rules/windows/sysmon/sysmon_dns_hybridconnectionmgr_servicebus.yml 
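Review bot: This rule keeps `service: sysmon` with `EventID: 11`/`7` while its sibling `sysmon_wmiprvse_wbemcomn_dll_hijack.yml` in the same commit was rewritten as an `action: global` rule with `file_event` and `image_load` sections; the DCOM rule has the identical two-event shape and should use the same layout so both translate to non-Sysmon backends. The `T1021` prefix in `title` duplicates the `attack.t1021.00x` tags and is noise in alert views. `level: critical` with `falsepositives: - Unknown` again gives the analyst no guidance on benign writers of that path.

```yaml
action: global
# … unchanged: title/id/description/author/references/tags/falsepositives/level …
---
logsource:
  product: windows
  category: file_event
detection:
  selection:
    Image: System
    TargetFilename|endswith: '\Internet Explorer\iertutil.dll'
  condition: selection
---
logsource:
  product: windows
  category: image_load
detection:
  selection:
    Image|endswith: '\Internet Explorer\iexplore.exe'
    ImageLoaded|endswith: '\Internet Explorer\iertutil.dll'
  condition: selection
```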
@@ -0,0 +1,22 @@ +title: DNS HybridConnectionManager Service Bus +id: 7bd3902d-8b8b-4dd4-838a-c6862d40150d +description: Detects Azure Hybrid Connection Manager services querying the Azure service bus service +status: experimental +date: 2021/04/12 +modified: 2021/06/10 +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +tags: + - attack.persistence +references: + - https://twitter.com/Cyb3rWard0g/status/1381642789369286662 +logsource: + product: windows + category: dns_query +detection: + selection: + QueryName|contains: servicebus.windows.net + Image|contains: HybridConnectionManager + condition: selection +falsepositives: + - Legitimate use of Azure Hybrid Connection Manager and the Azure Service Bus service +level: high diff --git a/rules/windows/sysmon/sysmon_wmiprvse_wbemcomn_dll_hijack.yml b/rules/windows/sysmon/sysmon_wmiprvse_wbemcomn_dll_hijack.yml new file mode 100644 index 000000000..b8064b87d --- /dev/null +++ b/rules/windows/sysmon/sysmon_wmiprvse_wbemcomn_dll_hijack.yml 
@@ -0,0 +1,36 @@ +action: global +title: Wmiprvse Wbemcomn DLL Hijack +id: 614a7e17-5643-4d89-b6fe-f9df1a79641c +description: Detects a threat actor creating a file named `wbemcomn.dll` in the `C:\Windows\System32\wbem\` directory over the network and loading it for a WMI DLL Hijack scenario. +status: experimental +date: 2020/10/12 +modified: 2021/06/10 +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +tags: + - attack.execution + - attack.t1047 + - attack.lateral_movement + - attack.t1021.002 +references: + - https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html +falsepositives: + - Unknown +level: critical +--- +logsource: + product: windows + category: file_event +detection: + selection: + Image: System + TargetFilename|endswith: '\wbem\wbemcomn.dll' + condition: selection +--- +logsource: + product: windows + category: image_load +detection: + selection: + Image|endswith: '\wmiprvse.exe' + ImageLoaded|endswith: '\wbem\wbemcomn.dll' + condition: selection diff --git a/rules/windows/sysmon/sysmon_wmi_event_subscription.yml b/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml similarity index 95% rename from rules/windows/sysmon/sysmon_wmi_event_subscription.yml rename to rules/windows/wmi_event/sysmon_wmi_event_subscription.yml index df6b6e440..fc1bb7513 100644 --- a/rules/windows/sysmon/sysmon_wmi_event_subscription.yml +++ b/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml @@ -10,7 +10,7 @@ author: Tom Ueltschi (@c_APT_ure) date: 2019/01/12 logsource: product: windows - service: sysmon + category: wmi_event detection: selector: EventID: diff --git a/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml b/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml similarity index 53% rename from rules/windows/sysmon/sysmon_wmi_susp_scripting.yml rename to rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml index e1f150b77..bea1f3afb 100644 
--- a/rules/windows/sysmon/sysmon_wmi_susp_scripting.yml +++ b/rules/windows/wmi_event/sysmon_wmi_susp_scripting.yml @@ -2,7 +2,7 @@ title: Suspicious Scripting in a WMI Consumer id: fe21810c-2a8c-478f-8dd3-5a287fb2a0e0 status: experimental description: Detects suspicious scripting in WMI Event Consumers -author: Florian Roth +author: Florian Roth, Jonhnathan Ribeiro references: - https://in.security/an-intro-into-abusing-and-identifying-wmi-event-subscriptions-for-persistence/ - https://github.com/Neo23x0/signature-base/blob/master/yara/gen_susp_lnk_files.yar#L19 @@ -13,22 +13,27 @@ tags: - attack.t1059.005 logsource: product: windows - service: sysmon + category: wmi_event detection: selection: EventID: 20 - Destination: - - '*new-object system.net.webclient).downloadstring(*' - - '*new-object system.net.webclient).downloadfile(*' - - '*new-object net.webclient).downloadstring(*' - - '*new-object net.webclient).downloadfile(*' - - '* iex(*' - - '*WScript.shell*' - - '* -nop *' - - '* -noprofile *' - - '* -decode *' - - '* -enc *' - condition: selection + selection_destination: + - Destination|contains|all: + - 'new-object' + - 'net.webclient' + - '.downloadstring' + - Destination|contains|all: + - 'new-object' + - 'net.webclient' + - '.downloadfile' + - Destination|contains: + - ' iex(' + - 'WScript.shell' + - ' -nop ' + - ' -noprofile ' + - ' -decode ' + - ' -enc ' + condition: selection and selection_destination fields: - CommandLine - ParentCommandLine diff --git a/tests/test-backend-es-qs.py b/tests/test-backend-es-qs.py index 5bb10d2fe..72fc5ffac 100755 --- a/tests/test-backend-es-qs.py +++ b/tests/test-backend-es-qs.py @@ -111,7 +111,7 @@ loop.close() esa.transport.close() print() -# Check if sigmac runned successfully +# Check if sigmac ran successfully try: if task_sigmac.result() != 0: # sigmac failed print("!!! sigmac failed while test!") diff --git a/tests/test-backend-netwitness.py b/tests/test-backend-netwitness.py index 4b1d8a718..ab0956594 100755 
--- a/tests/test-backend-netwitness.py +++ b/tests/test-backend-netwitness.py @@ -67,7 +67,7 @@ done, pending = loop.run_until_complete(asyncio.wait(tasks)) loop.close() print() -# Check if sigmac runned successfully +# Check if sigmac ran successfully try: if task_sigmac.result() != 0: # sigmac failed print("!!! sigmac failed while test!") diff --git a/tests/test_rules.py b/tests/test_rules.py index 160c98dfa..9849bbdd0 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py @@ -17,6 +17,8 @@ from colorama import Fore class TestRules(unittest.TestCase): MITRE_TECHNIQUE_NAMES = ["process_injection", "signed_binary_proxy_execution", "process_injection"] # incomplete list MITRE_TACTICS = ["initial_access", "execution", "persistence", "privilege_escalation", "defense_evasion", "credential_access", "discovery", "lateral_movement", "collection", "exfiltration", "command_and_control", "impact", "launch"] + # Don't use trademarks in rules - they require non-ASCII characters to be used on we don't want them in our rules + TRADE_MARKS = {"MITRE ATT&CK", "ATT&CK"} path_to_rules = "rules" @@ -58,6 +60,19 @@ class TestRules(unittest.TestCase): self.assertEqual(files_with_incorrect_extensions, [], Fore.RED + "There are rule files with extensions other than .yml") + def test_legal_trademark_violations(self): + files_with_legal_issues = [] + + for file in self.yield_next_rule_file_path(self.path_to_rules): + with open(file, 'r') as fh: + file_data = fh.read() + for tm in self.TRADE_MARKS: + if tm in file_data: + files_with_legal_issues.append(file) + + self.assertEqual(files_with_legal_issues, [], Fore.RED + + "There are rule files which contains a trademark or reference that doesn't comply with the respective trademark requirements - please remove the trademark to avoid legal issues") + def test_confirm_correct_mitre_tags(self): files_with_incorrect_mitre_tags = [] 
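Review bot: The added comment `# Don't use trademarks in rules - they require non-ASCII characters to be used on we don't want them in our rules` has a garbled clause; `# Don't use trademarks in rules - they require non-ASCII characters (the ® mark) and we don't want those in our rules` says what was meant. Note that the set is checked with plain substring `in`, so `"ATT&CK"` subsumes `"MITRE ATT&CK"`; keeping both entries is harmless but the longer one never adds a match.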
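Review bot: `test_legal_trademark_violations` appends `file` once per matching entry in `TRADE_MARKS`, and since `"ATT&CK"` is a substring of `"MITRE ATT&CK"` every offending file is listed twice; collapse the inner loop into `if any(tm in file_data for tm in self.TRADE_MARKS): files_with_legal_issues.append(file)`. `open(file, 'r')` uses the locale's default encoding, so on a non-UTF-8 locale a rule containing the very `®` this test hunts for can raise `UnicodeDecodeError` instead of failing the assertion; use `open(file, 'r', encoding='utf-8')`. The assertion message also says "which contains"; "which contain" is correct. The enclosing class continues outside the hunk.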
@@ -357,9 +372,10 @@ class TestRules(unittest.TestCase): for key in logsource: if key.lower() not in ['category', 'product', 'service', 'definition']: print(Fore.RED + "Rule {} has a logsource with an invalid field ({})".format(file, key)) + def get_mitre_data(): """ - Generate tags from live MITRE ATT&CK® TAXI service to get up-to-date data + Generate tags from live TAXI service to get up-to-date data """ # Get ATT&CK information lift = attack_client() diff --git a/LICENSE.LGPL.txt b/tools/LICENSE.LGPL.txt similarity index 100% rename from LICENSE.LGPL.txt rename to tools/LICENSE.LGPL.txt diff --git a/tools/MANIFEST.in b/tools/MANIFEST.in new file mode 100644 index 000000000..e30577e80 --- /dev/null +++ b/tools/MANIFEST.in @@ -0,0 +1,2 @@ +include LONG_DESCRIPTION.md +include LICENSE.LGPL.txt \ No newline at end of file diff --git a/tools/README.md b/tools/README.md index 9e39698ee..3b79e6dd5 100644 --- a/tools/README.md +++ b/tools/README.md 
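Review bot: The rewritten docstring still says "live TAXI service"; the protocol is TAXII, so `Generate tags from the live TAXII service to get up-to-date data` is the line to use. The trademark scrub removes the product name from the docstring but the `# Get ATT&CK information` comment two lines below keeps it; since the new test only scans `self.path_to_rules` this does not fail, but the half-done rename is confusing.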
@@ -74,7 +74,7 @@ A configuration should contain the following attributes: Field mappings in the *fieldmappings* section map between Sigma field names and field names used in target SIEM systems. There are three types of field mappings: -* Simple: the source field name corresponds to exactly one target field name given as string. Exmaple: `EventID: EventCode` for translation of Windows event identifiers between Sigma and Splunk. +* Simple: the source field name corresponds to exactly one target field name given as string. Example: `EventID: EventCode` for translation of Windows event identifiers between Sigma and Splunk. * Multiple: a source field corresponds to a list of target fields. Sigmac generates an OR condition that covers all field names. This can be useful in configuration change and migration scenarios, when field names change. A further use case is when the SIEM normalizes one source field name into different target field names and the exact rules are unknown. * Conditional: a source field is translated to one or multiple target field names depending on values from other fields in specific rules. This is useful in scenarios where the SIEM maps the same Sigma field to different target field names depending on the event or log type, like Logpoint. 
@@ -346,4 +346,20 @@ tools/sigmac -t es-qs -c tools/config/winlogbeat.yml --backend-option keyword_ba ```bash tools/sigmac -t es-qs -c tools/config/winlogbeat.yml --backend-option keyword_field=".keyword" --backend-option analyzed_sub_field_name=".security" rules/windows/sysmon/sysmon_wmi_susp_scripting.yml +``` + +### Devo +Devo backend admits several configurations that, based on the data source type, will apply a specific mapping and +will point to the proper Devo table. The current available configurations are: +* `devo-windows`, for windows sources +* `devo-web`, for generic web sources (webserver, apache, proxy...) +* `devo-network`, for generic network sources (firewall, dns...) + +These backend configurations will specify the Devo table to build the query upon, and the output query will reference such +table if the rule sources matches the configuration sources. + +For example, in order to translate a windows-related Sigma rule, one would use: + +```bash +tools/sigmac -t devo -c tools/config/devo-windows.yml rules/windows/sysmon/sysmon_wmi_susp_scripting.yml ``` \ No newline at end of file diff --git a/tools/config/carbon-black-eedr.yml b/tools/config/carbon-black-eedr.yml new file mode 100644 index 000000000..dbdd9a215 --- /dev/null +++ b/tools/config/carbon-black-eedr.yml 
@@ -0,0 +1,141 @@ +title: CarbonBlack Enterprise EDR +order: 20 +backends: + - carbonblack + - cb +fieldmappings: + AccountName: + - process_username + - childproc_username + CallingProcessName: process_name + CommandLine: process_cmdline + ComputerName: device_name + Company: process_publisher + Description: + - process_product_name + - process_product_version + - process_publisher + - process_file_description + DestPort: + - netconn_port + - netconn_remote_port + Destination: + - netconn_domain + DestinationAddress: + - netconn_domain + - netconn_ipv4 + - netconn_ipv6 + - netconn_remote_ipv4 + - netconn_remote_ipv6 + DestinationHostname: + - netconn_domain + - netconn_proxy_domain + DestinationIp: + - netconn_ipv4 + - netconn_ipv6 + - netconn_remote_ipv4 + - netconn_remote_ipv6 + DestinationPort: + - netconn_port + - netconn_remote_port + Device: device_name + FileName: + - process_internal_name + - process_name + - process_original_filename + FileVersion: process_product_version + Image: + - process_name + - process_internal_name + IntegrityLevel: process_integrity_level + IpAddress: + - netconn_ipv4 + - netconn_ipv6 + - netconn_local_ipv4 + - netconn_local_ipv6 + - netconn_remote_ipv4 + - netconn_remote_ipv6 + LogonId: + - childproc_username + - process_username + md5: hash + NewName: regmod_new_name + OriginalFileName: process_original_filename + ParentCommandLine: parent_cmdline + ParentImage: parent_name + ParentIntegrityLevel: process_integrity_level + ProcessCommandLine: process_cmdline + ProcessName: process_name + Product: + - process_product_name + - process_file_description + RelativeTargetName: childproc_name + ScriptBlockText: + - childproc_cmdline + - crossproc_cmdline + - process_cmdline + ServiceFileName: process_service_name + ServiceName: process_service_name + sha256: hash + Signature: + - childproc_publisher + - filemod_publisher + - modload_publisher + - parent_publisher + - process_publisher + Signed: + - childproc_publisher_state + - 
filemod_publisher_state + - modload_publisher_state + - parent_publisher_state + - process_publisher_state + - scriptload_publisher_state + SourceImage: parent_name + SourceNetworkAddress: + - netconn_local_ipv4 + - netconn_local_ipv6 + SourcePort: + - netconn_local_port + - netconn_port + SourceWorkstation: device_name + TargetFilename: + - filemod_name + - crossproc_name + TargetImage: + - filemod_name + - crossproc_name + TargetName: + - filemod_name + - crossproc_name + TargetUserName: + - childproc_username + - process_username + TargetObject: + - regmod_name + - regmod_new_name + User: + - childproc_username + - process_username + Value: + - regmod_name + - regmod_new_name + Workstation: device_name + WorkstationName: device_name + + dst_ip: + - netconn_ipv4 + - netconn_ipv6 + - netconn_local_ipv4 + - netconn_local_ipv6 + - netconn_remote_ipv4 + - netconn_remote_ipv6 + dst_port: + - netconn_port + - netconn_remote_port + src_ip: + - netconn_ipv4 + - netconn_ipv6 + - netconn_local_ipv4 + - netconn_local_ipv6 + - netconn_remote_ipv4 + - netconn_remote_ipv6 \ No newline at end of file diff --git a/tools/config/carbon-black.yml b/tools/config/carbon-black.yml index 4b7d6dd41..aaf7ae18a 100644 --- a/tools/config/carbon-black.yml +++ b/tools/config/carbon-black.yml @@ -26,7 +26,6 @@ fieldmappings: #Signature: digsig_result SourceIp: ipaddr DestinationAddress: ipaddr - DestinationPort: ipport DestPort: ipport TargetObject: regmod TargetFilename: filemod @@ -38,15 +37,11 @@ fieldmappings: Product: product_name Signature: digsig_publisher CallTrace: modload - DestinationHostname: domain User: username StartModule: modload Company: company_name - Description: file_desc FileVersion: file_version - - # DestinationHostname: hostname # DestinationIp: ipaddr # DestinationPort: ipport diff --git a/tools/config/chronicle.yml b/tools/config/chronicle.yml new file mode 100644 index 000000000..8eea48d4a --- /dev/null +++ b/tools/config/chronicle.yml 
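Review bot: Several of the new mappings look semantically off: `ParentIntegrityLevel: process_integrity_level` maps the parent's attribute onto the child process's field, `SourceImage: parent_name` equates Sysmon's process-access source (the process opening the handle) with the parent process, and `Description` is mapped to a list that includes `process_product_version`, a version string rather than a description. I cannot verify the Carbon Black Enterprise EDR schema from here, so treat these as items to confirm against the vendor's field list rather than certain bugs; a one-line comment per non-obvious mapping (e.g. `# no parent integrity field in CB EEDR, falls back to the process's own`) would save the next reader the same question. The file also ends without a trailing newline.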
@@ -0,0 +1,180 @@ +title: Google Chronicle field mapping +order: 20 +backends: + - chronicle +fieldmappings: + EventID: metadata.product_event_type + EventId: metadata.product_event_type + event_id: metadata.product_event_type + CommandLine: target.process.command_line + Commandline: target.process.command_line + Command: target.process.command_line + ComputerName: target.hostname + CurrentDirectory: principal.file.full_path + DestinationHostname: target.hostname + dest-domain: target.hostname + DestinationIp: target.ip + event_data.DestinationIp: target.ip + destinationIp: target.ip + dst_ip: target.ip + dest_ip: target.ip + DestinationIP: target.ip + DestinationIsIpv6: target.ip + DestinationAddress: target.ip + #DestinationIsIpv6: winlog.event_data.DestinationIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279 + DestinationPort: target.port + dst_port: target.port + dest_port: target.port + DestinationPortName: protocol + Details: metadata.description + EventType: metadata.event_type + type: metadata.event_type + + FileName: target.file.full_path + OriginalFileName: target.file.full_path + TargetFileName: target.file.full_path + event_data.TargetFilename: target.file.full_path + file_name: target.file.full_path + Targetfilename: target.file.full_path + FilePath: target.file.full_path + + Hashes: target.file.md5 + event_data.Hashes: target.file.md5 + Hash: target.file.md5 + hash: target.file.md5 + Imphash: target.file.md5 + file_hash: target.file.md5 + file_hash_imphash: target.file.md5 + + Image: target.process.file.full_path + event_data.Image: target.process.file.full_path + baseImage: src.process.file.full_path + ImageLoaded: target.process.file.full_path + ImageLoad: target.process.file.full_path + ImagePath: target.file.full_path + + IpAddress: principal.ip + IpPort: principal.port + logonType: extensions.auth.mechanism + 
LogonType: extensions.auth.mechanism + ObjectValueName: target.registry.registry_value_name + + ParentCommandLine: src.process.command_line + ParentProcessName: src.process.file.full_path + ServiceFileName: target.process.command_line + ServiceName: target.process.command_line + ParentImage: src.process.file.full_path + Path: target.file.full_path + PipeName: file.name + ProcessCommandLine: target.process.command_line + ProcessName: target.process.file.full_path + process.name: target.process.command_line + process.args: target.process.command_line + exe: target.process.file.full_path + TaskName: target.resource.name + TargetProcessAddress: target.process.file.file_metadata.pe.import_hash + StartAddress: target.process.file.file_metadata.pe.import_hash + event_data.StartAddress: target.process.file.file_metadata.pe.import_hash + FailureCode: security_result.description + Status: security_result.description + TicketOptions: security_result.about.labels.value + + SourceHostname: principal.hostname + cs_host: + - principal.hostname + - target.hostname + Host: principal.hostname + SourceImage: src.process.file.full_path + SourceIp: principal.ip + SourceIP: principal.ip + SourceAddress: principal.ip + src_ip: principal.ip + SourceNetworkAddress: principal.ip + ip: principal.ip + SourcePort: principal.port + src_port: principal.port + SubjectDomainName: src.user.domain + SubjectUserName: src.user.user_display_name + SubjectUserSid: src.user.userid + TargetFilename: target.file.full_path + TargetImage: target.process.file.full_path + TargetObject: target.registry.registry_key + event_data.TargetObject: target.registry.registry_key + TargetDomainName: target.user.domain + TargetUserName: target.user.user_display_name + TargetUserSid: target.user.userid + SidHistory: target.process.product_specific_process_id + sid: target.process.product_specific_process_id + Sid: target.process.product_specific_process_id + User: src.user.user_display_name + domain: src.hostname + 
WorkstationName: principal.hostname + URL: target.url + url: target.url + http_uri: target.url + c_uri_query: target.url + query: target.url + c-uri-path: target.url + c-useragent: src.application + StartModule: src.application + UserAgent: src.application + User-Agent: src.application + http_userAgent: src.application + http_url_rootDomain: target.hostname + dns_query_name: network.dns.questions.name + r_dns: target.hostname + r-dns: target.hostname + Signature: target.registry.registry_value_data + signature: target.registry.registry_value_data + Value: target.registry.registry_value_data + TargetValue: target.registry.registry_value_data + ObjectName: + - target.registry.registry_value_data + - target.file.full_path + ScriptBlockText: target.process.command_line + Command_Line: target.process.command_line + event_data.CommandLine: target.process.command_line + commandLine: target.process.command_line + c-uri: target.url + cs-uri-query: target.url + c-uri-query: target.url + c_uri: target.url + request_url: target.url + cs_uri_query: target.url + c-uri-extension: target.url + resource.URL: target.url + web.url: target.url + web.payload: target.url + http_method: network.http.method + cs_method: network.http.method + cs-method: network.http.method + HttpMethod: network.http.method + web.method: network.http.method + web.status: network.http.response_code + application: network.http.user_agent + Application: network.http.user_agent + AccountName: src.user.user_display_name + objectType: src.user.user_display_name + ObjectType: src.user.user_display_name + ShareName: target.resource.name + RelativeTargetName: target.file.full_path + AccessMask: target.process.access_mask + Properties: target.process.file.file_metadata.pe.import_hash + Product: metadata.product_name + product: metadata.product_name + FileVersion: metadata.description + description: metadata.description + Description: metadata.description + Company: metadata.description + Source: src.application + 
app: src.application + AuthenticationPackageName: src.application + action: security_result.action + NewProcessName: target.process.command_line + answers: network.dns.answers.data + answer: network.dns.answers.data + sc-status: network.http.response_code + cs-host: target.hostname + eventName: metadata.description + destination.domain: target.hostname + destination: target.hostname diff --git a/tools/config/crowdstrike.yml b/tools/config/crowdstrike.yml index 8a90c07e4..25309412a 100644 --- a/tools/config/crowdstrike.yml +++ b/tools/config/crowdstrike.yml @@ -1,4 +1,4 @@ -title: Splunk Windows log source conditions +title: Splunk used in Falcon Portal order: 20 backends: - crowdstrike diff --git a/tools/config/devo-network.yml b/tools/config/devo-network.yml new file mode 100644 index 000000000..a01bd186b --- /dev/null +++ b/tools/config/devo-network.yml @@ -0,0 +1,22 @@ +title: Devo sourcetype mappings for network sources +order: 20 +backends: + - devo +logsources: + firewall-product: + product: firewall + index: firewall.all.traffic + firewall-category: + category: firewall + index: firewall.all.traffic + dns: + category: dns + index: network.dns +fieldmappings: + src_ip: srcIp + dst_ip: dstIp + dst_port: dstPort + parent_domain: select rootdomain(name) as parent_domain + record_type: type + answer: answers + query: name \ No newline at end of file diff --git a/tools/config/devo-web.yml b/tools/config/devo-web.yml new file mode 100644 index 000000000..3891aedb7 --- /dev/null +++ b/tools/config/devo-web.yml 
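Review bot: Several mappings in this new file send a Sigma field to a UDM field of a different type, which converts cleanly but can never match: `Imphash` and `file_hash_imphash` go to `target.file.md5`, `StartAddress`, `TargetProcessAddress` and `Properties` go to `target.process.file.file_metadata.pe.import_hash`, `DestinationIsIpv6` (a boolean) goes to `target.ip`, and `ServiceFileName`/`ServiceName` go to `target.process.command_line`. A rule keyed on an import hash or a thread start address is thus turned into a valid query that silently produces no detections, which is worse than an unmapped-field error at conversion time. Either drop those entries so the converter reports the gap, or mark each with a comment such as `# no UDM equivalent - placeholder, rules on this field will not fire`; `Hashes` also deserves a note that Sysmon emits it as a comma-separated `ALG=value` list rather than a bare MD5.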
@@ -0,0 +1,29 @@ +title: Devo sourcetype mappings for web sources +order: 20 +backends: + - devo +logsources: + web: + category: webserver + index: web.all.access + proxy: + category: proxy + index: proxy.all.access + apache: + product: apache + index: web.all.access +fieldmappings: + c-uri: url + c-useragent: userAgent + sc-status: statusCode + useragent: userAgent + cs-method: method + clientip: srcIp + uri_query: select uriquery(url) as url_query + r-dns: select urihost(url) as url_dns + cs-host: srcHost + c-uri-query: select uriquery(url) as url_query + c-uri-stem: url + c-uri-extension: select uripath(url) as uri_path + cs-uri-query: select uriquery(url) as url_query + diff --git a/tools/config/devo-windows.yml b/tools/config/devo-windows.yml new file mode 100644 index 000000000..dbda11524 --- /dev/null +++ b/tools/config/devo-windows.yml 
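Review bot: `c-uri-stem: url` maps the path-only Sigma field to the full URL, so a rule such as `c-uri-stem|endswith: '/login'` stops matching as soon as a query string is present, while `c-uri-extension: select uripath(url) as uri_path` maps the extension to what appears to be the path component; the two look swapped. Assuming `uripath()` returns the path, `c-uri-stem: select uripath(url) as uri_path` is the mapping that preserves the rule's meaning, and `c-uri-extension` needs a dedicated extension expression or should be left unmapped so conversion fails visibly. `cs-host: srcHost` is also worth a check: in Sigma `cs-host` is the requested Host header, and `srcHost` reads as the client side of the connection.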
@@ -0,0 +1,144 @@ +title: Devo sourcetype mappings for windows sources +order: 20 +backends: + - devo +logsources: + windows: + product: windows + index: box.all.win + windows-category-process_creation: + product: windows + category: process_creation + windows-service-powershell: + product: windows + service: powershell + windows-service-powershell-classic: + product: windows + service: powershell-classic + windows-service-security: + product: windows + service: security + windows-service-sysmon: + product: windows + service: security + windows-category-registry_event: + product: windows + category: registry_event + windows-category-process_access: + product: windows + category: process_access + windows-service-windefend: + product: windows + service: windefend + windows-service-windef: + product: windows + service: windef + windows_defender: + product: windows_defender + index: box.all.win + windows-service-taskscheduler: + product: windows + service: taskscheduler + windows-service-wmi: + product: windows + service: wmi + windows-service-system: + product: windows + service: system + windows-category-network_connection: + product: windows + category: network_connection + windows-category-image_load: + product: windows + category: image_load + windows-category-file_event: + product: windows + category: file_event + windows-category-driver_load: + product: windows + category: driver_load + windows-service-applocker: + product: windows + service: applocker + windows-service-dns-server: + product: windows + service: dns-server + windows-service-ntlm: + product: windows + service: ntlm + windows-service-driver-framework: + product: windows + service: driver-framework + windows-category-create_remote_thread: + product: windows + category: create_remote_thread + windows-category-create_stream_hash: + product: windows + category: create_stream_hash + windows-category-dns_query: + product: windows + category: dns_query + windows-category-file_delete: + product: windows + 
category: file_delete + windows-category-pipe_created: + product: windows + category: pipe_created + windows-category-raw_access_thread: + product: windows + category: raw_access_thread + windows-category-wmi_event: + product: windows + category: wmi_event +fieldmappings: + EventID: eventID + HostName: machine + HostApplication: ProcessName # ??? + Message: message + CommandLine: procCmdLine + Commandline: procCmdLine + ProcessCommandline: procCmdLine + ProcessCommandLine: procCmdLine + Image: serviceFileName + User: username + TaskName: category + TargetFilename: serviceFileName # ??? + ServiceName: service + ProcessName: callerProcName + OriginalFilename: serviceFileName + OriginalFileName: serviceFileName + MachineName: machine + LogonId: subjectLogonId + GroupName: groupName + EventType: eventType + Description: message + Details: extMessage + ObjectName: objName + CreatorProcessName: parentProcessName + ServiceFileName: serviceFileName + ObjectType: objType + Keywords: keywords + SubjectLogonId: subjectLogonId + UserName: username + Status: status + SourceNetworkAddress: srcIp + AccountName: account + ObjectValueName: objValueName + LogonProcessName: procName + TargetUserName: targetUsername + WorkstationName: workstation + SubjectUserName: subjectUsername + Source: sourceName + Destination: dstIp + TargetImage: serviceFileName + CallingProcessName: callerProcName + TargetName: targetUsername + FileName: serviceFileName + TargetObject: objName + DestinationHostname: machine + DestinationIp: dstIp + DestinationIsIpv6: dstIp + ImageLoaded: serviceFileName + ScriptBlockText: select str(jqeval(jqcompile(".columns.data.EventData.ScriptBlockText"), jsonparse(message))) as ScriptBlockText + DestinationPort: select int(trim(split(split(rawMessage, "Destination Port:", 1), "&", 0))) as destinationPort / where eventID > 5100 or eventID < 5199 + diff --git a/tools/config/ecs-dns.yml b/tools/config/ecs-dns.yml index fddfc32eb..aaa8e636a 100644 
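Review bot: The `/ where eventID > 5100 or eventID < 5199` predicate on the `DestinationPort` mapping is a tautology, since every event id satisfies at least one side, so the filter does nothing; presumably a range was intended: `... as destinationPort / where eventID > 5100 and eventID < 5199`. The `windows-service-sysmon` logsource sets `service: security`, which merely duplicates `windows-service-security`, so rules with `service: sysmon` will never select it; `service: sysmon` is almost certainly what was meant. Independently, `Image`, `TargetImage`, `ImageLoaded`, `FileName`, `OriginalFileName` and `TargetFilename` all collapse onto `serviceFileName` (two entries carry the author's own `# ???`), which makes process-creation, image-load and file-event rules compare against a service-install field; those should be resolved or removed before this config is relied on for detection.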
--- a/tools/config/ecs-dns.yml +++ b/tools/config/ecs-dns.yml @@ -56,7 +56,6 @@ fieldmappings: qclass: dns.qclass qtype_name: dns.question.type qtype: dns.qtype - query: dns.question.name #question_length: labels.dns.query_length RA: dns.RA rcode_name: dns.response_code diff --git a/tools/config/ecs-proxy.yml b/tools/config/ecs-proxy.yml index 2aa441a17..eabb3c52e 100644 --- a/tools/config/ecs-proxy.yml +++ b/tools/config/ecs-proxy.yml @@ -37,7 +37,6 @@ fieldmappings: c-uri-stem: url.original c-uri: url.original c-useragent: user_agent.original - cs-bytes: http.request.body.bytes cs-cookie: http.cookie cs-host: - url.domain diff --git a/tools/config/ecs-zeek-elastic-beats-implementation.yml b/tools/config/ecs-zeek-elastic-beats-implementation.yml index ac9b8a45c..c79b4e892 100644 --- a/tools/config/ecs-zeek-elastic-beats-implementation.yml +++ b/tools/config/ecs-zeek-elastic-beats-implementation.yml @@ -3,6 +3,7 @@ order: 20 backends: - es-qs - es-dsl + - es-rule - elasticsearch-rule - kibana - kibana-ndjson @@ -1016,4 +1017,4 @@ fieldmappings: - host - server_name dest_ip: destination.ip - dest_port: destination.port \ No newline at end of file + dest_port: destination.port diff --git a/tools/config/elk-windows.yml b/tools/config/elk-windows.yml index 0714d7699..cbca160eb 100644 --- a/tools/config/elk-windows.yml +++ b/tools/config/elk-windows.yml 
@@ -42,4 +42,19 @@ logsources: - 'Microsoft-Windows-AppLocker/EXE and DLL' - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' - 'Microsoft-Windows-AppLocker/Packaged app-Execution' + windows-msexchange-management: + product: windows + service: msexchange-management + conditions: + EventLog: 'MSExchange Management' + windows-printservice-admin: + product: windows + service: printservice-admin + conditions: + EventLog: 'Microsoft-Windows-PrintService/Admin' + windows-smbclient-security: + product: windows + service: smbclient-security + conditions: + log_name: 'Microsoft-Windows-SmbClient/Security' defaultindex: logstash-* diff --git a/tools/config/elk-winlogbeat-sp.yml b/tools/config/elk-winlogbeat-sp.yml index 078f68025..b609bec65 100644 --- a/tools/config/elk-winlogbeat-sp.yml +++ b/tools/config/elk-winlogbeat-sp.yml @@ -42,8 +42,23 @@ logsources: - 'Microsoft-Windows-AppLocker/EXE and DLL' - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' - 'Microsoft-Windows-AppLocker/Packaged app-Execution' + windows-msexchange-management: + product: windows + service: msexchange-management + conditions: + log_name: 'MSExchange Management' + windows-printservice-admin: + product: windows + service: printservice-admin + conditions: + log_name: 'Microsoft-Windows-PrintService/Admin' + windows-smbclient-security: + product: windows + service: smbclient-security + conditions: + log_name: 'Microsoft-Windows-SmbClient/Security' defaultindex: -# Extract all field names qith yq: +# Extract all field names with yq: # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g' # Keep EventID! Clean up the list afterwards! fieldmappings: diff --git a/tools/config/elk-winlogbeat.yml b/tools/config/elk-winlogbeat.yml index 9c77653fa..007c2ee26 100644 --- a/tools/config/elk-winlogbeat.yml +++ b/tools/config/elk-winlogbeat.yml 
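Review bot: The three new logsources in this hunk disagree on the condition key: `windows-msexchange-management` and `windows-printservice-admin` use `EventLog:` while `windows-smbclient-security` uses `log_name:`, and only one of those can be the field this config's events actually carry, so the odd one out will silently never match. The sibling configs in this commit are each internally consistent (`log_name` in the elk-winlogbeat files, `Channel` in logstash-windows, `source` in splunk-windows), so this file should use whichever key its existing entries use; those entries are outside the hunk, so I cannot tell which from here.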
@@ -42,8 +42,23 @@ logsources: - 'Microsoft-Windows-AppLocker/EXE and DLL' - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' - 'Microsoft-Windows-AppLocker/Packaged app-Execution' + windows-msexchange-management: + product: windows + service: msexchange-management + conditions: + log_name: 'MSExchange Management' + windows-printservice-admin: + product: windows + service: printservice-admin + conditions: + log_name: 'Microsoft-Windows-PrintService/Admin' + windows-smbclient-security: + product: windows + service: smbclient-security + conditions: + log_name: 'Microsoft-Windows-SmbClient/Security' defaultindex: winlogbeat-* -# Extract all field names qith yq: +# Extract all field names with yq: # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g' # Keep EventID! Clean up the list afterwards! fieldmappings: diff --git a/tools/config/fireeye-helix.yml b/tools/config/fireeye-helix.yml index f50446380..c0950266f 100644 --- a/tools/config/fireeye-helix.yml +++ b/tools/config/fireeye-helix.yml @@ -64,6 +64,24 @@ logsources: - 'Microsoft-Windows-AppLocker/EXE and DLL' - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' - 'Microsoft-Windows-AppLocker/Packaged app-Execution' + windows-msexchange-management: + product: windows + index: windows + service: msexchange-management + conditions: + channel: 'MSExchange Management' + windows-printservice-admin: + product: windows + index: windows + service: printservice-admin + conditions: + channel: 'Microsoft-Windows-PrintService/Admin' + windows-smbclient-security: + product: windows + index: windows + service: smbclient-security + conditions: + channel: 'Microsoft-Windows-SmbClient/Security' windows-powershell: product: windows index: windows diff --git a/tools/config/generic/sysmon.yml b/tools/config/generic/sysmon.yml index 2d650f703..46d3c39be 100644 --- a/tools/config/generic/sysmon.yml 
+++ b/tools/config/generic/sysmon.yml @@ -9,6 +9,14 @@ logsources: rewrite: product: windows service: sysmon + file_change: + category: file_change + product: windows + conditions: + EventID: 2 + rewrite: + product: windows + service: sysmon network_connection: category: network_connection product: windows @@ -17,11 +25,69 @@ logsources: rewrite: product: windows service: sysmon - dns_query: - category: dns_query + sysmon_status: + category: sysmon_status product: windows conditions: - EventID: 22 + EventID: + - 4 + - 16 + rewrite: + product: windows + service: sysmon + process_terminated: + category: process_termination + product: windows + conditions: + EventID: 5 + rewrite: + product: windows + service: sysmon + driver_loaded: + category: driver_load + product: windows + conditions: + EventID: 6 + rewrite: + product: windows + service: sysmon + image_loaded: + category: image_load + product: windows + conditions: + EventID: 7 + rewrite: + product: windows + service: sysmon + create_remote_thread: + category: create_remote_thread + product: windows + conditions: + EventID: 8 + rewrite: + product: windows + service: sysmon + raw_access_thread: + category: raw_access_thread + product: windows + conditions: + EventID: 9 + rewrite: + product: windows + service: sysmon + process_access: + category: process_access + product: windows + conditions: + EventID: 10 + rewrite: + product: windows + service: sysmon + file_creation: + category: file_event + product: windows + conditions: + EventID: 11 rewrite: product: windows service: sysmon 
@@ -36,44 +102,69 @@ logsources: rewrite: product: windows service: sysmon - file_creation: - category: file_event + create_stream_hash: + category: create_stream_hash product: windows conditions: - EventID: 11 + EventID: 15 rewrite: product: windows service: sysmon - process_access: - category: process_access + pipe_created: + category: pipe_created product: windows conditions: - EventID: 10 + EventID: + - 17 + - 18 rewrite: product: windows service: sysmon - image_loaded: - category: image_load + wmi_event: + category: wmi_event product: windows conditions: - EventID: 7 + EventID: + - 19 + - 20 + - 21 rewrite: product: windows service: sysmon - driver_loaded: - category: driver_load + dns_query: + category: dns_query product: windows conditions: - EventID: 6 + EventID: 22 rewrite: product: windows service: sysmon - process_terminated: - category: process_termination + file_delete: + category: file_delete product: windows conditions: - EventID: 5 + EventID: 23 rewrite: product: windows service: sysmon - + clipboard_capture: + category: clipboard_capture + product: windows + conditions: + EventID: 24 + rewrite: + product: windows + service: sysmon + process_tampering: + category: process_tampering + product: windows + conditions: + EventID: 25 + rewrite: + product: windows + service: sysmon + sysmon_error: + category: sysmon_error + product: windows + conditions: + EventID: 255 \ No newline at end of file diff --git a/tools/config/generic/windows-audit.yml b/tools/config/generic/windows-audit.yml index 83b143c96..63080759e 100644 --- a/tools/config/generic/windows-audit.yml +++ b/tools/config/generic/windows-audit.yml @@ -1,4 +1,4 @@ -title: Conversion of generic process_creation rules into Security/4688 +title: Conversion for Windows Native Auditing Events order: 10 logsources: process_creation: 
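Review bot: The new `sysmon_error` logsource at the end of this hunk is the only entry without a `rewrite:` block, so unlike every other category it is not rewritten to `product: windows` / `service: sysmon`, and backend configs keyed on that service will not apply to rules using it. Add `rewrite:`, `  product: windows`, `  service: sysmon` after `EventID: 255` to match the other entries; the file also now ends without a trailing newline, which the rest of the commit is otherwise fixing.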
@@ -9,6 +9,18 @@ logsources: rewrite: product: windows service: security + registry_event: + category: registry_event + product: windows + conditions: + EventID: 4657 + OperationType: + - 'New registry value created' + - 'Existing registry value modified' + rewrite: + product: windows + service: security fieldmappings: Image: NewProcessName ParentImage: ParentProcessName + Details: NewValue diff --git a/tools/config/logpoint-windows.yml b/tools/config/logpoint-windows.yml index 1dfb74aaa..e02b02afb 100644 --- a/tools/config/logpoint-windows.yml +++ b/tools/config/logpoint-windows.yml @@ -42,7 +42,21 @@ logsources: - 'Microsoft-Windows-AppLocker/EXE and DLL' - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' - 'Microsoft-Windows-AppLocker/Packaged app-Execution' - + windows-msexchange-management: + product: windows + service: msexchange-management + conditions: + event_source: 'MSExchange Management' + windows-printservice-admin: + product: windows + service: printservice-admin + conditions: + event_source: 'Microsoft-Windows-PrintService/Admin' + windows-smbclient-security: + product: windows + service: smbclient-security + conditions: + event_source: 'Microsoft-Windows-SmbClient/Security' fieldmappings: EventID: event_id FailureCode: result_code diff --git a/tools/config/logstash-windows.yml b/tools/config/logstash-windows.yml index 317abd9f0..1d3232b90 100644 --- a/tools/config/logstash-windows.yml +++ b/tools/config/logstash-windows.yml 
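Review bot: The new `registry_event` logsource routes Sysmon-style registry rules onto Security 4657, but the fieldmappings only gain `Details: NewValue`; the field most registry_event rules key on, `TargetObject`, has no 4657 equivalent listed, and 4657 splits the target across `ObjectName` (the key) and `ObjectValueName` (the value). Without a `TargetObject` mapping those rules convert with the Sysmon field name and will not fire on native auditing, so either add a mapping, narrow the logsource, or document the gap with a comment such as `# TargetObject has no single 4657 field; see ObjectName/ObjectValueName`. The `OperationType` string conditions also assume the backend exposes rendered text rather than the raw `%%`-prefixed parameter codes, which is worth confirming against a real 4657 event.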
@@ -63,4 +63,19 @@ logsources: - 'Microsoft-Windows-AppLocker/EXE and DLL' - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' - 'Microsoft-Windows-AppLocker/Packaged app-Execution' + windows-msexchange-management: + product: windows + service: msexchange-management + conditions: + Channel: 'MSExchange Management' + windows-printservice-admin: + product: windows + service: printservice-admin + conditions: + Channel: 'Microsoft-Windows-PrintService/Admin' + windows-smbclient-security: + product: windows + service: smbclient-security + conditions: + Channel: 'Microsoft-Windows-SmbClient/Security' defaultindex: logstash-* diff --git a/tools/config/powershell-windows-all.yml b/tools/config/powershell-windows-all.yml index e7bf8ae9c..28727d567 100644 --- a/tools/config/powershell-windows-all.yml +++ b/tools/config/powershell-windows-all.yml @@ -69,3 +69,18 @@ logsources: - 'Microsoft-Windows-AppLocker/EXE and DLL' - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' - 'Microsoft-Windows-AppLocker/Packaged app-Execution' + windows-msexchange-management: + product: windows + service: msexchange-management + conditions: + LogName: 'MSExchange Management' + windows-printservice-admin: + product: windows + service: printservice-admin + conditions: + LogName: 'Microsoft-Windows-PrintService/Admin' + windows-smbclient-security: + product: windows + service: smbclient-security + conditions: + LogName: 'Microsoft-Windows-SmbClient/Security' \ No newline at end of file diff --git a/tools/config/powershell.yml b/tools/config/powershell.yml index e116f0cd1..dfe2cc204 100644 --- a/tools/config/powershell.yml +++ b/tools/config/powershell.yml 
@@ -83,3 +83,18 @@ logsources: - 'Microsoft-Windows-AppLocker/EXE and DLL' - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' - 'Microsoft-Windows-AppLocker/Packaged app-Execution' + windows-msexchange-management: + product: windows + service: msexchange-management + conditions: + LogName: 'MSExchange Management' + windows-printservice-admin: + product: windows + service: printservice-admin + conditions: + LogName: 'Microsoft-Windows-PrintService/Admin' + windows-smbclient-security: + product: windows + service: smbclient-security + conditions: + LogName: 'Microsoft-Windows-SmbClient/Security' \ No newline at end of file diff --git a/tools/config/splunk-windows.yml b/tools/config/splunk-windows.yml index 3c298599a..18f065c5d 100644 --- a/tools/config/splunk-windows.yml +++ b/tools/config/splunk-windows.yml @@ -79,5 +79,20 @@ logsources: - 'Microsoft-Windows-AppLocker/EXE and DLL' - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' - 'Microsoft-Windows-AppLocker/Packaged app-Execution' + windows-msexchange-management: + product: windows + service: msexchange-management + conditions: + source: 'MSExchange Management' + windows-printservice-admin: + product: windows + service: printservice-admin + conditions: + source: 'Microsoft-Windows-PrintService/Admin' + windows-smbclient-security: + product: windows + service: smbclient-security + conditions: + source: 'Microsoft-Windows-SmbClient/Security' fieldmappings: EventID: EventCode diff --git a/tools/config/stix-custom.yml b/tools/config/stix-custom.yml new file mode 100644 index 000000000..c65d89074 --- /dev/null +++ b/tools/config/stix-custom.yml 
@@ -0,0 +1,128 @@ +title: Additional STIX mapping for future use +backends: + - stix +order: 10 +fieldmappings: + record_type: + - x-dns:record_type + requestParameters.attribute: + - x-cloud:request_parameters + responseElements.publiclyAccessible: + - x-cloud:publicly_accessible + errorMessage: + - x-error:message + errorCode: + - x-error:code + responseElements: + - x-cloud:response_elements + requestParameters.userData: + - x-cloud:request_parameters + AccessMask: + - x-windows:accessmask + Accesses: + - x-windows:accesses + CallTrace: + - x-windows:calltrace + DestinationIsIpv6: + - x-windows:destisipv6 + ErrorCode: + - x-error:code + ExtendedErrorCode: + - x-error:code + - x-error:id + GrantedAccess: + - x-windows:grantedaccess + GroupDomain: + - x-group:domain + GroupID: + - x-group:id + GroupName: + - x-group:name + GroupSecurityID: + - x-group:security_id + IMPHash: + - x-windows:imphash + Imphash: + - x-windows:imphash + ImageTempPath: + - process:binary_ref.x_temp_path + InitiatedConnection: + - x-windows:initiatedconnection + Initiated: + - x-windows:initiatedconnection + IntegrityLevel: + - x-windows:integritylevel + LogonType: + - x-windows:logontype + ObjectName: + - x-windows:objectname + ObjectType: + - x-windows:objecttype + PipeName: + - x-windows:pipename + QueryName: + - x-windows:queryname + QueryResults: + - x-windows:queryresults + QueryStatus: + - x-windows:querystatus + ShareName: + - x-windows:sharename + SharePath: + - x-windows:sharepath + Signature: + - x-windows:signature + SignatureStatus: + - x-windows:signaturestatus + Signed: + - x-windows:signed + SourceImageTempPath: + - x-windows:sourceimagetemppath + SourceWorkstation: + - x-windows:sourceworkstation + StartAddress: + - x-windows:startaddress + StartFunction: + - x-windows:startfunction + StartModule: + - x-windows:startmodule + TargetAccountSecurityID: + - x-windows:targetaccountsecurityid + TargetComputerDomain: + - x-windows:targetcomputerdomain + TargetComputerName: + - 
x-windows:targetcomputername + TargetDetails: + - x-windows:targetdetails + TargetImageName: + - x-windows:targetimagename + TargetProcessGuid: + - x-windows:targetprocessguid + TargetProcessAddress: + - x-windows:startaddress + TargetUserDomain: + - x-windows:targetuserdomain + TargetUserName: + - x-windows:targetusername + TaskName: + - x-windows:taskname + TicketEncryptionType: + - x-windows:ticketencryptiontype + event_data.PipeName: + - x-windows:pipename + event_data.ServiceFileName: + - process:extensions.'windows-service-ext'.service_dll_refs[*].name + event_data.ShareName: + - x-windows:sharename + event_data.Signature: + - x-windows:signature + event_data.SourceImage: + - x-windows:sourceimage + event_data.StartModule: + - x-windows:startmodule + event_data.TargetImage: + - x-windows:targetimage + key: + - x-sigma:keywords + sc-status: + - x-web:status_code diff --git a/tools/config/stix-linux.yml b/tools/config/stix-linux.yml deleted file mode 100644 index 3bab20725..000000000 --- a/tools/config/stix-linux.yml +++ /dev/null @@ -1,36 +0,0 @@ -title: STIX for Linux Logs -backends: - - stix -order: 40 -logsources: - linux: - product: linux -fieldmappings: - type: - - x-event:action - keywords: - - artifact:payload_bin - a0: - - process:command_line - a1: - - process:command_line - name: - - file:name - a3: - - process:command_line - key: - - x-sigma:keywords - exe: - - file:name - a2: - - process:command_line - SYSCALL: - - x-event:action - pam_message: - - x-event:action - pam_user: - - user-account:user_id - pam_rhost: - - x-host:name - USER: - - user-account:user_id \ No newline at end of file diff --git a/tools/config/stix-qradar.yml b/tools/config/stix-qradar.yml deleted file mode 100644 index cd78c1904..000000000 --- a/tools/config/stix-qradar.yml +++ /dev/null 
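Review bot: `event_data.ServiceFileName` is mapped to `process:extensions.'windows-service-ext'.service_dll_refs[*].name`, but in STIX 2.1 `service_dll_refs` lists the DLLs a service loads, whereas Sigma's `ServiceFileName` is the service binary path with its arguments, so a path-style value will never compare equal to a DLL name. If the STIX model offers no property for the service image path, a custom property in the same style as the rest of this file (for example `x-windows:servicefilename`, a constructed name) would at least keep the rule convertible and honest, with a comment such as `# no native STIX property for the service image path`. `ErrorCode` and `ExtendedErrorCode` both resolve to `x-error:code`, which makes the two indistinguishable downstream.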
@@ -1,51 +0,0 @@ -title: STIX for QRadar -backends: - - stix -order: 30 -fieldmappings: - categoryid: - - x-ibm-ariel:category_id - categoryname: - - x-ibm-ariel:category_name - credescription: - - x-ibm-finding:description - Description: - - x-ibm-finding:description - credibility: - - x-ibm-ariel:credibility - crename: - - x-ibm-finding:name - devicetype: - - x-ibm-ariel:device_type - Device: - - x-ibm-ariel:device_type - direction: - - x-ibm-ariel:direction - domainid: - - x-ibm-ariel:domain_id - geographic: - - x-ibm-ariel:geographic - high_level_category_id: - - x-ibm-ariel:high_level_category_id - high_level_category_name: - - x-ibm-ariel:high_level_category_name - identityhostname: - - x-ibm-ariel:identity_host_name - logsourceid: - - x-ibm-ariel:log_source_id - logsourcename: - - x-ibm-ariel:log_source_name - logsourcetypename: - - x-ibm-ariel:log_source_type_name - magnitude: - - x-ibm-ariel:magnitude - qid: - - x-ibm-ariel:qid - qidname: - - x-ibm-ariel:event_name - relevance: - - x-ibm-ariel:relevance - rulenames: - - x-ibm-ariel:rule_names[*] - severity: - - x-ibm-ariel:severity diff --git a/tools/config/stix-shifter.yml b/tools/config/stix-shifter.yml new file mode 100644 index 000000000..0ad48d7f7 --- /dev/null +++ b/tools/config/stix-shifter.yml 
@@ -0,0 +1,115 @@ +title: Custom mappings for stix-shifter project +backends: + - stix +order: 30 +fieldmappings: + # x-oca-event SCO + action: + - x-oca-event:action + operation: + - x-oca-event:action + event.category: + - x-oca-event:category + eventName: + - x-oca-event:action + eventType: + - x-oca-event:category + Description: + - x-oca-event:action + - x-ibm-finding:description + Event-ID: + - x-oca-event:code + EventID: + - x-oca-event:code + Event_ID: + - x-oca-event:code + event-id: + - x-oca-event:code + eventId: + - x-oca-event:code + EventType: + - x-oca-event:action + Message: + - x-oca-event:original + Details: + - windows-registry-key:values[*].data + - x-oca-event:original + event_id: + - x-oca-event:code + eventid: + - x-oca-event:code + type: + - x-oca-event:action + pam_message: + - x-oca-event:action + + # x-oca-asset SCO + cs-host: + - x-oca-asset:hostname + - domain-name:value + eventSource: + - x-oca-asset:hostname + ComputerName: + - x-oca-asset:hostname + pam_rhost: + - x-oca-asset:hostname + + # DNS network extension + r-dns: + - domain-name:value + - url:value + - network-traffic:extensions.'dns-ext'.question.domain_ref + query: + - domain-name:value + - url:value + - network-traffic:extensions.'dns-ext'.question.domain_ref + + # x-ibm-finding object + credescription: + - x-ibm-finding:description + crename: + - x-ibm-finding:name + rulenames: + - x-ibm-finding:rule_names[*] + + # x-qradar custom object + categoryid: + - x-qradar:category_id + categoryname: + - x-qradar:category_name + credibility: + - x-qradar:credibility + Device: + - x-qradar:device_type + - file:name + devicetype: + - x-qradar:device_type + direction: + - x-qradar:direction + domainid: + - x-qradar:domain_id + geographic: + - x-qradar:geographic + high_level_category_id: + - x-qradar:high_level_category_id + high_level_category_name: + - x-qradar:high_level_category_name + identityhostname: + - x-qradar:identity_host_name + logsourceid: + - x-qradar:log_source_id + 
logsourcename: + - x-qradar:log_source_name + logsourcetypename: + - x-qradar:log_source_type_name + magnitude: + - x-qradar:magnitude + qid: + - x-qradar:qid + qidname: + - x-qradar:event_name + relevance: + - x-qradar:relevance + severity: + - x-qradar:severity + diff --git a/tools/config/stix-windows.yml b/tools/config/stix-windows.yml deleted file mode 100644 index 6a9de243c..000000000 --- a/tools/config/stix-windows.yml +++ /dev/null 
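Review bot: `Device` is fanned out to two unrelated STIX targets, `x-qradar:device_type` and `file:name`, so any rule that matches on `Device` is translated into an OR across QRadar device types and file names and will match far more than the author of either rule intended. The same double mapping applies to `Details` (`windows-registry-key:values[*].data` plus `x-oca-event:original`) and `Description` (`x-oca-event:action` plus `x-ibm-finding:description`). If the overlap is deliberate because the same Sigma field name is used by different log sources, a comment such as `# 'Device' is both the QRadar device-type field and the Windows Device (file) field; both targets are kept on purpose` above the entry would keep the next maintainer from "fixing" it; otherwise the mapping should be split by logsource so each name resolves to one object.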
@@ -1,269 +0,0 @@ -title: STIX for Windows Logs -backends: - - stix -order: 40 -logsources: - windows: - product: windows -fieldmappings: - AccessMask: - - x-windows:accessmask - Accesses: - - x-windows:accesses - AccountDomain: - - user-account:x_domain - AccountID: - - user-account:user_id - AccountName: - - user-account:account_login - - user-account:display_name - AccountSecurityID: - - user-account:x_security_id - CallTrace: - - x-windows:calltrace - ClientIP: - - ipv4-addr:value - - ipv6-addr:value - - network-traffic:src_ref.value - ComputerName: - - x-host:name - Description: - - x-event:action - DestinationIsIpv6: - - x-windows:destisipv6 - DestinationHostname: - - network-traffic:dst_ref.value - Device: - - file:name - ErrorCode: - - x-error:code - Event-ID: - - x-event:id - - x-event:code - EventID: - - x-event:id - - x-event:code - Event_ID: - - x-event:id - - x-event:code - EventType: - - x-event:action - ExtendedErrorCode: - - x-error:code - - x-error:id - FileDirectory: - - directory:path - FileExtension: - - file:x_extension - FileHash: - - file:hashes.SHA-256 - - file:hashes.MD5 - - file:hashes.SHA-1 - FilePath: - - file:name - Filename: - - file:name - GrantedAccess: - - x-windows:grantedaccess - GroupDomain: - - x-group:domain - GroupID: - - x-group:id - GroupName: - - x-group:name - GroupSecurityID: - - x-group:security_id - HomeDirectory: - - directory:path - IMPHash: - - x-windows:imphash - Imphash: - - x-windows:imphash - Image: - - process:image_ref.name - ImageLoadedTempPath: - - process:extensions.'windows-service-ext'.service_dll_refs[*].x_temp_path - ImageName: - - process:image_ref.name - ImagePath: - - process:image_ref.name - ImageTempPath: - - process:image_ref.x_temp_path - InitiatedConnection: - - x-windows:initiatedconnection - Initiated: - - x-windows:initiatedconnection - InitiatorUserName: - - user-account:user_id - - user-account:account_login - IntegrityLevel: - - x-windows:integritylevel - LoadedImage: - - 
process:extensions.'windows-service-ext'.service_dll_refs[*].name - LoadedImageName: - - process:extensions.'windows-service-ext'.service_dll_refs[*].name - LogonType: - - x-windows:logontype - MD5Hash: - - file:hashes.MD5 - Message: - - x-event:original - NewName: - - windows-registry-key:key - ObjectName: - - x-windows:objectname - ObjectType: - - x-windows:objecttype - ParentCommandLine: - - process:parent_ref.command_line - ParentImage: - - process:parent_ref.image_ref.name - ParentImageName: - - process:parent_ref.image_ref.name - ParentProcessGuid: - - process:parent_ref.x_guid - ParentProcessName: - - process:parent_ref.image_ref.name - ParentProcessPath: - - process:parent_ref.image_ref.name - PipeName: - - x-windows:pipename - ProcessCommandLine: - - process:command_line - Command: - - process:command_line - CommandLine: - - process:command_line - ProcessGuid: - - process:x_guid - ProcessId: - - process:pid - ProcessName: - - process:image_ref.name - ProcessPath: - - process:image_ref.name - QueryName: - - x-windows:queryname - QueryResults: - - x-windows:queryresults - QueryStatus: - - x-windows:querystatus - RegistryKey: - - windows-registry-key:key - RegistryValueData: - - windows-registry-key:values[*].data - RegistryValueName: - - windows-registry-key:values[*].name - SAMAccountName: - - user-account:account_login - - user-account:display_name - SHA1Hash: - - file:hashes.SHA-1 - SHA256Hash: - - file:hashes.SHA-256 - ServiceFileName: - - process:extensions.'windows-service-ext'.service_dll_refs[*].name - ServiceName: - - process:extensions.'windows-service-ext'.service_name - ShareName: - - x-windows:sharename - SharePath: - - x-windows:sharepath - Signature: - - x-windows:signature - SignatureStatus: - - x-windows:signaturestatus - Signed: - - x-windows:signed - SourceImage: - - x-windows:sourceimage - SourceImageTempPath: - - x-windows:sourceimagetemppath - SourceWorkstation: - - x-windows:sourceworkstation - StartAddress: - - x-windows:startaddress 
- StartFunction: - - x-windows:startfunction - StartModule: - - x-windows:startmodule - TargetAccountSecurityID: - - x-windows:targetaccountsecurityid - TargetComputerDomain: - - x-windows:targetcomputerdomain - TargetComputerName: - - x-windows:targetcomputername - TargetDetails: - - x-windows:targetdetails - Details: - - windows-registry-key:values[*].data - - x-event:original - TargetFilename: - - file:name - TargetImage: - - x-windows:targetimage - TargetImageName: - - x-windows:targetimagename - TargetObject: - - windows-registry-key:key - TargetProcessGuid: - - x-windows:targetprocessguid - TargetProcessAddress: - - x-windows:startaddress - TargetUserDomain: - - x-windows:targetuserdomain - TargetUserName: - - x-windows:targetusername - TaskName: - - x-windows:taskname - TicketEncryptionType: - - x-windows:ticketencryptiontype - User: - - user-account:user_id - UserDomain: - - user-account:x_domain - event-id: - - x-event:id - eventId: - - x-event:id - event_data.FileName: - - file:name - event_data.Image: - - process:image_ref.name - event_data.ImageLoaded: - - process:extensions.'windows-service-ext'.service_dll_refs[*].name - ImageLoaded: - - process:extensions.'windows-service-ext'.service_dll_refs[*].name - event_data.ImagePath: - - process:image_ref.name - event_data.ParentCommandLine: - - process:parent_ref.command_line - event_data.ParentImage: - - process:parent_ref.image_ref.name - event_data.ParentProcessName: - - process:parent_ref.image_ref.name - event_data.PipeName: - - x-windows:pipename - event_data.ServiceFileName: - - process:extensions.'windows-service-ext'.service_dll_refs[*].name - event_data.ShareName: - - x-windows:sharename - event_data.Signature: - - x-windows:signature - event_data.SourceImage: - - x-windows:sourceimage - event_data.StartModule: - - x-windows:startmodule - event_data.SubjectUserName: - - user-account:user_id - - user-account:account_login - event_data.TargetFilename: - - file:name - event_data.TargetImage: - - 
x-windows:targetimage - event_data.User: - - user-account:user_id - event_id: - - x-event:id - eventid: - - x-event:id \ No newline at end of file diff --git a/tools/config/stix.yml b/tools/config/stix.yml deleted file mode 100644 index 88b37fba0..000000000 --- a/tools/config/stix.yml +++ /dev/null 
@@ -1,175 +0,0 @@ -title: Basic STIX -backends: - - stix -order: 20 -fieldmappings: - action: - - x-event:action - User: - - user-account:user_id - c-ip: - - ipv4-addr:value - - ipv6-addr:value - - network-traffic:src_ref.value - cs-ip: - - ipv4-addr:value - - ipv6-addr:value - - network-traffic:src_ref.value - destinationip: - - ipv4-addr:value - - ipv6-addr:value - - network-traffic:dst_ref.value - destinationmac: - - mac-addr:value - - network-traffic:dst_ref.value - destinationport: - - network-traffic:dst_port - dst_port: - - network-traffic:dst_port - domainname: - - domain-name:value - dst: - - ipv4-addr:value - - ipv6-addr:value - - network-traffic:dst_ref.value - dst_ip: - - ipv4-addr:value - - ipv6-addr:value - - network-traffic:dst_ref.value - endtime: - - network-traffic:end - event_data.DestinationIp: - - ipv4-addr:value - - ipv6-addr:value - - network-traffic:dst_ref.value - DestinationIp: - - ipv4-addr:value - - ipv6-addr:value - - network-traffic:dst_ref.value - event_data.DestinationPort: - - network-traffic:dst_port - DestinationPort: - - network-traffic:dst_port - destination.port: - - network-traffic:dst_port - event_data.SubjectUserName: - - user-account:user_id - event_data.User: - - user-account:user_id - filehash: - - file:hashes.SHA-256 - - file:hashes.MD5 - - file:hashes.SHA-1 - filename: - - file:name - filepath: - - file:parent_directory_ref - - directory:path - identityip: - - ipv4-addr:value - protocolid: - - network-traffic:protocols[*] - sourceip: - - ipv4-addr:value - - ipv6-addr:value - - network-traffic:src_ref.value - sourcemac: - - mac-addr:value - - network-traffic:src_ref.value - sourceport: - - network-traffic:src_port - SourcePort: - - network-traffic:src_port - src: - - ipv4-addr:value - - ipv6-addr:value - - network-traffic:src_ref.value - src_ip: - - ipv4-addr:value - - ipv6-addr:value - - network-traffic:src_ref.value - starttime: - - network-traffic:start - url: - - url:value - user: - - user-account:user_id - username: 
- - user-account:user_id - utf8_payload: - - artifact:payload_bin - - # Web + Proxy mapping - c-uri: - - network-traffic:extensions.'http-request-ext'.request_value - - url:value - c-uri-query: - - network-traffic:extensions.'http-request-ext'.request_value - - url:value - c-uri-stem: - - network-traffic:extensions.'http-request-ext'.request_value - - url:value - keywords: - - artifact:payload_bin - cs-method: - - network-traffic:extensions.'http-request-ext'.request_method - sc-status: - - x-web:status_code - clientip: - - ipv4-addr:value - - ipv6-addr:value - - network-traffic:src_ref.value - c-useragent: - - network-traffic:extensions.'http-request-ext'.request_header.'User-Agent' - r-dns: - - domain-name:value - - url:value - - x-dns:query - cs-host: - - x-host:name - - domain-name:value - cs-cookie: - - network-traffic:extensions.'http-request-ext'.request_header.Cookie - query: - - domain-name:value - - url:value - - x-dns:query - record_type: - - x-dns:record_type - operation: - - x-event:action - - # Compliance mapping - event.category: - - x-event:action - host.scan.vuln_name: - - vulnerability:name - host.scan.vuln: - - vulnerability:external_references[*].external_id - - # Cloud mapping - eventSource: - - x-host:name - eventName: - - x-event:action - requestParameters.attribute: - - x-cloud:request_parameters - responseElements.publiclyAccessible: - - x-cloud:publicly_accessible - errorMessage: - - x-error:message - errorCode: - - x-error:code - responseElements: - - x-cloud:response_elements - requestParameters.userData: - - x-cloud:request_parameters - userIdentity.type: - - user-account:account_login - eventType: - - x-event:action - userIdentity.arn: - - user-account:account_login - - user-account:display_name - responseElements.pendingModifiedValues.masterUserPassword: - - user-account:credential diff --git a/tools/config/stix2.0.yml b/tools/config/stix2.0.yml new file mode 100644 index 000000000..afe291144 --- /dev/null 
+++ b/tools/config/stix2.0.yml 
@@ -0,0 +1,284 @@ +title: Official STIX 2.0 +backends: + - stix +order: 100 +fieldmappings: + User: + - user-account:user_id + USER: + - user-account:user_id + user: + - user-account:user_id + event_data.SubjectUserName: + - user-account:user_id + - user-account:account_login + c-ip: + - ipv4-addr:value + - ipv6-addr:value + - network-traffic:src_ref.value + cs-ip: + - ipv4-addr:value + - ipv6-addr:value + - network-traffic:src_ref.value + destinationip: + - ipv4-addr:value + - ipv6-addr:value + - network-traffic:dst_ref.value + destinationmac: + - mac-addr:value + - network-traffic:dst_ref.value + destinationport: + - network-traffic:dst_port + dst_port: + - network-traffic:dst_port + domainname: + - domain-name:value + dst: + - ipv4-addr:value + - ipv6-addr:value + - network-traffic:dst_ref.value + dst_ip: + - ipv4-addr:value + - ipv6-addr:value + - network-traffic:dst_ref.value + endtime: + - network-traffic:end + event_data.DestinationIp: + - ipv4-addr:value + - ipv6-addr:value + - network-traffic:dst_ref.value + DestinationIp: + - ipv4-addr:value + - ipv6-addr:value + - network-traffic:dst_ref.value + event_data.DestinationPort: + - network-traffic:dst_port + DestinationPort: + - network-traffic:dst_port + destination.port: + - network-traffic:dst_port + filehash: + - file:hashes.SHA-256 + - file:hashes.MD5 + - file:hashes.SHA-1 + filename: + - file:name + filepath: + - file:parent_directory_ref + - directory:path + identityip: + - ipv4-addr:value + protocolid: + - network-traffic:protocols[*] + sourceip: + - ipv4-addr:value + - ipv6-addr:value + - network-traffic:src_ref.value + sourcemac: + - mac-addr:value + - network-traffic:src_ref.value + sourceport: + - network-traffic:src_port + SourcePort: + - network-traffic:src_port + src: + - ipv4-addr:value + - ipv6-addr:value + - network-traffic:src_ref.value + src_ip: + - ipv4-addr:value + - ipv6-addr:value + - network-traffic:src_ref.value + starttime: + - network-traffic:start + url: + - url:value + username: 
+ - user-account:user_id + utf8_payload: + - artifact:payload_bin + + # Web + Proxy mapping + c-uri: + - network-traffic:extensions.'http-request-ext'.request_value + - url:value + c-uri-query: + - network-traffic:extensions.'http-request-ext'.request_value + - url:value + c-uri-stem: + - network-traffic:extensions.'http-request-ext'.request_value + - url:value + keywords: + - artifact:payload_bin + cs-method: + - network-traffic:extensions.'http-request-ext'.request_method + clientip: + - ipv4-addr:value + - ipv6-addr:value + - network-traffic:src_ref.value + c-useragent: + - network-traffic:extensions.'http-request-ext'.request_header.'User-Agent' + r-dns: + - domain-name:value + - url:value + cs-host: + - domain-name:value + cs-cookie: + - network-traffic:extensions.'http-request-ext'.request_header.Cookie + query: + - domain-name:value + - url:value + + # Compliance mapping + host.scan.vuln_name: + - vulnerability:name + host.scan.vuln: + - vulnerability:external_references[*].external_id + + # Cloud mapping + userIdentity.type: + - user-account:account_login + userIdentity.arn: + - user-account:account_login + - user-account:display_name + responseElements.pendingModifiedValues.masterUserPassword: + - user-account:credential + AccountDomain: + - user-account:x_domain + AccountID: + - user-account:user_id + AccountName: + - user-account:account_login + - user-account:display_name + AccountSecurityID: + - user-account:x_security_id + ClientIP: + - ipv4-addr:value + - ipv6-addr:value + - network-traffic:src_ref.value + DestinationHostname: + - network-traffic:dst_ref.value + Device: + - file:name + FileDirectory: + - directory:path + FileExtension: + - file:x_extension + FileHash: + - file:hashes.SHA-256 + - file:hashes.MD5 + - file:hashes.SHA-1 + FilePath: + - file:name + Filename: + - file:name + HomeDirectory: + - directory:path + Image: + - process:binary_ref.name + ImageLoadedTempPath: + - 
process:extensions.'windows-service-ext'.service_dll_refs[*].x_temp_path + ImageName: + - process:binary_ref.name + ImagePath: + - process:binary_ref.parent_directory_ref.path.name + SourceImage: + - process:binary_ref.name + InitiatorUserName: + - user-account:user_id + - user-account:account_login + LoadedImage: + - process:extensions.'windows-service-ext'.service_dll_refs[*].name + LoadedImageName: + - process:extensions.'windows-service-ext'.service_dll_refs[*].name + MD5Hash: + - file:hashes.MD5 + NewName: + - windows-registry-key:key + ParentCommandLine: + - process:parent_ref.command_line + ParentImage: + - process:parent_ref.binary_ref.name + ParentImageName: + - process:parent_ref.binary_ref.name + ParentProcessGuid: + - process:parent_ref.x_guid + ParentProcessName: + - process:parent_ref.binary_ref.name + ParentProcessPath: + - process:parent_ref.binary_ref.name + ProcessCommandLine: + - process:command_line + Command: + - process:command_line + CommandLine: + - process:command_line + ProcessGuid: + - process:x_guid + ProcessId: + - process:pid + ProcessName: + - process:binary_ref.name + ProcessPath: + - process:binary_ref.parent_directory_ref.path + RegistryKey: + - windows-registry-key:key + RegistryValueData: + - windows-registry-key:values[*].data + RegistryValueName: + - windows-registry-key:values[*].name + SAMAccountName: + - user-account:account_login + - user-account:display_name + SHA1Hash: + - file:hashes.SHA-1 + SHA256Hash: + - file:hashes.SHA-256 + ServiceFileName: + - process:extensions.'windows-service-ext'.service_dll_refs[*].name + ServiceName: + - process:extensions.'windows-service-ext'.service_name + Details: + - windows-registry-key:values[*].data + TargetFilename: + - file:name + TargetImage: + - process:binary_ref.name + TargetObject: + - windows-registry-key:key + UserDomain: + - user-account:x_domain + event_data.FileName: + - file:name + event_data.Image: + - process:binary_ref.name + event_data.ImageLoaded: + - 
process:extensions.'windows-service-ext'.service_dll_refs[*].name + ImageLoaded: + - process:extensions.'windows-service-ext'.service_dll_refs[*].name + event_data.ImagePath: + - process:binary_ref.parent_directory_ref.path + event_data.ParentCommandLine: + - process:parent_ref.command_line + event_data.ParentImage: + - process:parent_ref.binary_ref.name + event_data.ParentProcessName: + - process:parent_ref.binary_ref.name + event_data.TargetFilename: + - file:name + event_data.User: + - user-account:user_id + a0: + - process:command_line + a1: + - process:command_line + name: + - file:name + a3: + - process:command_line + exe: + - file:name + a2: + - process:command_line + pam_user: + - user-account:user_id diff --git a/tools/config/sumologic.yml b/tools/config/sumologic.yml index a26d000f8..285ef0273 100644 --- a/tools/config/sumologic.yml +++ b/tools/config/sumologic.yml @@ -71,6 +71,21 @@ logsources: service: ntlm conditions: EventChannel: 'Microsoft-Windows-NTLM/Operational' + windows-printservice-admin: + product: windows + service: printservice-admin + conditions: + EventChannel: 'Microsoft-Windows-PrintService/Admin' + windows-smbclient-security: + product: windows + service: smbclient-security + conditions: + EventChannel: 'Microsoft-Windows-SmbClient/Security' + windows-msexchange-management: + product: windows + service: msexchange-management + conditions: + EventChannel: 'MSExchange Management' apache: product: apache service: apache diff --git a/tools/config/thor.yml b/tools/config/thor.yml index 3e67dcf5a..394839ec5 100644 --- a/tools/config/thor.yml +++ b/tools/config/thor.yml 
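Review bot: `ImagePath` maps to `process:binary_ref.parent_directory_ref.path.name`, which carries a trailing `.name` that no other entry uses; `ProcessPath` and `event_data.ImagePath` in the same file map to `process:binary_ref.parent_directory_ref.path`, so the extra segment looks like a typo that would produce a pattern on a non-existent property. The line should read `- process:binary_ref.parent_directory_ref.path`. Separately, the file is titled "Official STIX 2.0" yet several targets are custom properties (`user-account:x_domain`, `user-account:x_security_id`, `file:x_extension`, `process:x_guid`, `process:image_ref.x_temp_path`); a header comment naming these as project extensions outside the STIX 2.0 spec would make the title less misleading.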
@@ -25,80 +25,214 @@ logsources: fieldmappings: Image: NewProcessName ParentImage: ParentProcessName + network_connection: + category: network_connection + product: windows + conditions: + EventID: 3 + rewrite: + product: windows + service: sysmon + process_terminated: + category: process_termination + product: windows + conditions: + EventID: 5 + rewrite: + product: windows + service: sysmon + driver_loaded: + category: driver_load + product: windows + conditions: + EventID: 6 + rewrite: + product: windows + service: sysmon + image_loaded: + category: image_load + product: windows + conditions: + EventID: 7 + rewrite: + product: windows + service: sysmon + create_remote_thread: + category: create_remote_thread + product: windows + conditions: + EventID: 8 + rewrite: + product: windows + service: sysmon + raw_access_thread: + category: raw_access_thread + product: windows + conditions: + EventID: 9 + rewrite: + product: windows + service: sysmon + process_access: + category: process_access + product: windows + conditions: + EventID: 10 + rewrite: + product: windows + service: sysmon + file_creation: + category: file_event + product: windows + conditions: + EventID: 11 + rewrite: + product: windows + service: sysmon + registry_event: + category: registry_event + product: windows + conditions: + EventID: + - 12 + - 13 + - 14 + rewrite: + product: windows + service: sysmon + create_stream_hash: + category: create_stream_hash + product: windows + conditions: + EventID: 15 + rewrite: + product: windows + service: sysmon + pipe_created: + category: pipe_created + product: windows + conditions: + EventID: + - 17 + - 18 + rewrite: + product: windows + service: sysmon + wmi_event: + category: wmi_event + product: windows + conditions: + EventID: + - 19 + - 20 + - 21 + rewrite: + product: windows + service: sysmon + dns_query: + category: dns_query + product: windows + conditions: + EventID: 22 + rewrite: + product: windows + service: sysmon + file_delete: + category: 
file_delete + product: windows + conditions: + EventID: 23 + rewrite: + product: windows + service: sysmon # target system configurations windows-application: product: windows service: application sources: - - 'WinEventLog:Application' + - "WinEventLog:Application" windows-security: product: windows service: security sources: - - 'WinEventLog:Security' + - "WinEventLog:Security" windows-system: product: windows service: system sources: - - 'WinEventLog:System' + - "WinEventLog:System" windows-ntlm: product: windows service: ntlm sources: - - 'WinEventLog:Microsoft-Windows-NTLM/Operational' + - "WinEventLog:Microsoft-Windows-NTLM/Operational" windows-sysmon: product: windows service: sysmon sources: - - 'WinEventLog:Microsoft-Windows-Sysmon/Operational' + - "WinEventLog:Microsoft-Windows-Sysmon/Operational" windows-powershell: product: windows service: powershell sources: - - 'WinEventLog:Microsoft-Windows-PowerShell/Operational' + - "WinEventLog:Microsoft-Windows-PowerShell/Operational" windows-taskscheduler: product: windows service: taskscheduler sources: - - 'WinEventLog:Microsoft-Windows-TaskScheduler/Operational' + - "WinEventLog:Microsoft-Windows-TaskScheduler/Operational" windows-wmi: product: windows service: wmi sources: - - 'WinEventLog:Microsoft-Windows-WMI-Activity/Operational' + - "WinEventLog:Microsoft-Windows-WMI-Activity/Operational" windows-dhcp: product: windows service: dhcp sources: - - 'WinEventLog:Microsoft-Windows-DHCP-Server/Operational' + - "WinEventLog:Microsoft-Windows-DHCP-Server/Operational" + windows-printservice-admin: + product: windows + service: printservice-admin + sources: + - "WinEventLog:Microsoft-Windows-PrintService/Admin" + windows-smbclient-security: + product: windows + service: smbclient-security + sources: + - "Microsoft-Windows-SmbClient/Security" windows-applocker: product: windows service: applocker - conditions: - sources: - - 'WinEventLog:Microsoft-Windows-AppLocker/MSI and Script' - - 
'WinEventLog:Microsoft-Windows-AppLocker/EXE and DLL' - - 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Deployment' - - 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution' + sources: + - 'WinEventLog:Microsoft-Windows-AppLocker/MSI and Script' + - 'WinEventLog:Microsoft-Windows-AppLocker/EXE and DLL' + - 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Deployment' + - 'WinEventLog:Microsoft-Windows-AppLocker/Packaged app-Execution' + windows-msexchange-management: + product: windows + service: msexchange-management + sources: + - 'WinEventLog:MSExchange Management' apache: category: webserver sources: - - 'File:/var/log/apache/*.log' - - 'File:/var/log/apache2/*.log' - - 'File:/var/log/httpd/*.log' + - "File:/var/log/apache/*.log" + - "File:/var/log/apache2/*.log" + - "File:/var/log/httpd/*.log" linux-auth: product: linux service: auth sources: - - 'File:/var/log/auth.log' - - 'File:/var/log/auth.log.?' + - "File:/var/log/auth.log" + - "File:/var/log/auth.log.?" linux-syslog: product: linux service: syslog sources: - - 'File:/var/log/syslog' - - 'File:/var/log/syslog.?' + - "File:/var/log/syslog" + - "File:/var/log/syslog.?" logfiles: category: logfile sources: - - 'File:*.log' + - "File:*.log" diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml index 292f8d0d6..a066280d5 100644 --- a/tools/config/winlogbeat-modules-enabled.yml +++ b/tools/config/winlogbeat-modules-enabled.yml @@ -4,6 +4,8 @@ backends: - es-qs - es-dsl - es-rule + - es-rule-eql + - es-eql - kibana - kibana-ndjson - xpack-watcher 
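Review bot: The new `windows-smbclient-security` source is `"Microsoft-Windows-SmbClient/Security"` without the `WinEventLog:` prefix that every other Windows source in this hunk carries (for example `"WinEventLog:Microsoft-Windows-PrintService/Admin"` added right above it); if the prefix is what selects the event-log provider, as the rest of the file suggests, this source will not match anything. It should read `- "WinEventLog:Microsoft-Windows-SmbClient/Security"`. As a point of style, the hunk converts the existing sources to double quotes but the new `windows-applocker` and `windows-msexchange-management` entries keep single quotes; picking one quoting style for the whole `sources:` list would avoid churn in the next diff.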
@@ -25,11 +27,26 @@ logsources: service: security conditions: winlog.channel: Security + windows-system: + product: windows + service: system + conditions: + winlog.channel: System windows-sysmon: product: windows service: sysmon conditions: winlog.channel: 'Microsoft-Windows-Sysmon/Operational' + windows-powershell: + product: windows + service: powershell + conditions: + winlog.channel: 'Microsoft-Windows-PowerShell/Operational' + windows-classicpowershell: + product: windows + service: powershell-classic + conditions: + winlog.channel: 'Windows PowerShell' windows-dns-server: product: windows service: dns-server @@ -55,6 +72,16 @@ logsources: service: windefend conditions: winlog.channel: 'Microsoft-Windows-Windows Defender/Operational' + windows-printservice-admin: + product: windows + service: printservice-admin + conditions: + winlog.channel: 'Microsoft-Windows-PrintService/Admin' + windows-smbclient-security: + product: windows + service: smbclient-security + conditions: + winlog.channel: 'Microsoft-Windows-SmbClient/Security' windows-applocker: product: windows service: applocker @@ -64,8 +91,13 @@ logsources: - 'Microsoft-Windows-AppLocker/EXE and DLL' - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' - 'Microsoft-Windows-AppLocker/Packaged app-Execution' + windows-msexchange-management: + product: windows + service: msexchange-management + conditions: + winlog.channel: 'MSExchange Management' defaultindex: winlogbeat-* -# Extract all field names qith yq: +# Extract all field names with yq: # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g' # Keep EventID! Clean up the list afterwards! fieldmappings: 
@@ -79,7 +111,7 @@ fieldmappings: CallingProcessName: winlog.event_data.CallingProcessName CallTrace: winlog.event_data.CallTrace Channel: winlog.channel - CommandLine: process.args + CommandLine: process.command_line ComputerName: winlog.ComputerName CurrentDirectory: process.working_directory Description: winlog.event_data.Description @@ -120,15 +152,17 @@ fieldmappings: ObjectName: winlog.event_data.ObjectName ObjectType: winlog.event_data.ObjectType ObjectValueName: winlog.event_data.ObjectValueName - ParentCommandLine: process.parent.args + ParentCommandLine: process.parent.command_line ParentProcessName: process.parent.name ParentImage: process.parent.executable Path: winlog.event_data.Path PipeName: file.name ProcessCommandLine: winlog.event_data.ProcessCommandLine ProcessName: process.executable + Product: winlog.event_data.Product Properties: winlog.event_data.Properties RuleName: winlog.event_data.RuleName + ScriptBlockText: powershell.file.script_block_text SecurityID: winlog.event_data.SecurityID ServiceFileName: winlog.event_data.ServiceFileName ServiceName: winlog.event_data.ServiceName @@ -143,6 +177,7 @@ fieldmappings: src_port: source.port #SourceIsIpv6: winlog.event_data.SourceIsIpv6 #=gets deleted and not boolean...https://github.com/elastic/beats/blob/71eee76e7cfb8d5b18dfacad64864370ddb14ce7/x-pack/winlogbeat/module/sysmon/config/winlogbeat-sysmon.js#L278-L279 StartModule: winlog.event_data.StartModule + State: winlog.event_data.State Status: winlog.event_data.Status SubjectDomainName: user.domain SubjectUserName: user.name 
@@ -170,3 +205,12 @@ fieldmappings: PHYType: winlog.event_data.PHYType ProfileName: winlog.event_data.ProfileName SSID: winlog.event_data.SSID + # powershell + SequenceNumber: event.sequence + NewEngineState: powershell.engine.new_state + PreviousEngineState: powershell.engine.previous_state + NewProviderState: powershell.provider.new_state + ProviderName: powershell.provider.name + HostId: process.entity_id + HostApplication: process.command_line + HostName: process.title \ No newline at end of file diff --git a/tools/config/winlogbeat-old.yml b/tools/config/winlogbeat-old.yml index 3955c35a5..be68b3193 100644 --- a/tools/config/winlogbeat-old.yml +++ b/tools/config/winlogbeat-old.yml @@ -24,11 +24,26 @@ logsources: service: security conditions: log_name: Security + windows-system: + product: windows + service: system + conditions: + winlog.channel: System windows-sysmon: product: windows service: sysmon conditions: log_name: 'Microsoft-Windows-Sysmon/Operational' + windows-powershell: + product: windows + service: powershell + conditions: + winlog.channel: 'Microsoft-Windows-PowerShell/Operational' + windows-classicpowershell: + product: windows + service: powershell-classic + conditions: + winlog.channel: 'Windows PowerShell' windows-dns-server: product: windows service: dns-server @@ -64,7 +79,7 @@ logsources: - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' - 'Microsoft-Windows-AppLocker/Packaged app-Execution' defaultindex: winlogbeat-* -# Extract all field names qith yq: +# Extract all field names with yq: # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: event_data.\1/g' # Keep EventID! Clean up the list afterwards! fieldmappings: 
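Review bot: In the `winlogbeat-old.yml` hunk `@@ -24,11 +24,26 @@`, the added `windows-system`, `windows-powershell` and `windows-classicpowershell` logsources use `winlog.channel:` as their condition field, while the surrounding entries in this file use the legacy field name (`log_name: Security`, `log_name: 'Microsoft-Windows-Sysmon/Operational'`). The new blocks appear to have been copied from `winlogbeat.yml` unchanged, so on the old field layout these conditions would never be satisfied. They should read `log_name: System`, `log_name: 'Microsoft-Windows-PowerShell/Operational'` and `log_name: 'Windows PowerShell'`.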
@@ -117,7 +132,9 @@ fieldmappings: PipeName: event_data.PipeName ProcessCommandLine: event_data.ProcessCommandLine ProcessName: event_data.ProcessName + Product: event_data.Product Properties: event_data.Properties + ScriptBlockText: winlog.event_data.ScriptBlockText SecurityID: event_data.SecurityID ServiceFileName: event_data.ServiceFileName ServiceName: event_data.ServiceName diff --git a/tools/config/winlogbeat.yml b/tools/config/winlogbeat.yml index 4f2b45371..3cb86cc88 100644 --- a/tools/config/winlogbeat.yml +++ b/tools/config/winlogbeat.yml @@ -24,11 +24,26 @@ logsources: service: security conditions: winlog.channel: Security + windows-system: + product: windows + service: system + conditions: + winlog.channel: System windows-sysmon: product: windows service: sysmon conditions: winlog.channel: 'Microsoft-Windows-Sysmon/Operational' + windows-powershell: + product: windows + service: powershell + conditions: + winlog.channel: 'Microsoft-Windows-PowerShell/Operational' + windows-classicpowershell: + product: windows + service: powershell-classic + conditions: + winlog.channel: 'Windows PowerShell' windows-dns-server: product: windows service: dns-server @@ -54,6 +69,16 @@ logsources: service: windefend conditions: winlog.channel: 'Microsoft-Windows-Windows Defender/Operational' + windows-printservice-admin: + product: windows + service: printservice-admin + conditions: + winlog.channel: 'Microsoft-Windows-PrintService/Admin' + windows-smbclient-security: + product: windows + service: smbclient-security + conditions: + winlog.channel: 'Microsoft-Windows-SmbClient/Security' windows-applocker: product: windows service: applocker 
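Review bot: In the `winlogbeat-old.yml` hunk `@@ -117,7 +132,9 @@`, `ScriptBlockText: winlog.event_data.ScriptBlockText` uses the `winlog.` prefix while every neighbouring mapping in this file, including the `Product: event_data.Product` line added in the same hunk, uses the bare `event_data.` prefix. This looks like a copy from `winlogbeat.yml` and would point at a field that does not exist in the old layout. It should read `ScriptBlockText: event_data.ScriptBlockText`.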
@@ -64,12 +89,13 @@ logsources: - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' - 'Microsoft-Windows-AppLocker/Packaged app-Execution' defaultindex: winlogbeat-* -# Extract all field names qith yq: +# Extract all field names with yq: # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g' # Keep EventID! Clean up the list afterwards! fieldmappings: EventID: winlog.event_id AccessMask: winlog.event_data.AccessMask + AccessList: winlog.event_data.AccessList AccountName: winlog.event_data.AccountName AllowedToDelegateTo: winlog.event_data.AllowedToDelegateTo AttributeLDAPDisplayName: winlog.event_data.AttributeLDAPDisplayName @@ -120,8 +146,11 @@ fieldmappings: PipeName: winlog.event_data.PipeName ProcessCommandLine: winlog.event_data.ProcessCommandLine ProcessName: winlog.event_data.ProcessName + Product: winlog.event_data.Product Properties: winlog.event_data.Properties RuleName: winlog.event_data.RuleName + SAMAccountName: winlog.event_data.SamAccountName + ScriptBlockText: winlog.event_data.ScriptBlockText SecurityID: winlog.event_data.SecurityID ServiceFileName: winlog.event_data.ServiceFileName ServiceName: winlog.event_data.ServiceName diff --git a/tools/requirements-devel.txt b/tools/requirements-devel.txt deleted file mode 100644 index 3665b6ee4..000000000 --- a/tools/requirements-devel.txt +++ /dev/null @@ -1,10 +0,0 @@ -coverage~=5.0 -yamllint~=1.21 -elasticsearch~=7.6 -elasticsearch-async~=6.2 -setuptools -wheel -pytest~=5.4 -colorama -stix2 -attackcti \ No newline at end of file diff --git a/tools/requirements.txt b/tools/requirements.txt deleted file mode 100644 index 3debba0b4..000000000 --- a/tools/requirements.txt +++ /dev/null @@ -1,5 +0,0 @@ -pyyaml>=4.2b1 -requests~=2.23 -urllib3~=1.25 -progressbar2~=3.47 -pymisp~=2.4.123 diff --git a/tools/setup.py b/tools/setup.py index ff92b4a6e..5793f455f 100644 --- a/tools/setup.py 
+++ b/tools/setup.py @@ -14,7 +14,7 @@ with open(path.join(here, 'LONG_DESCRIPTION.md'), encoding='utf-8') as f: setup( name='sigmatools', - version='0.18.1', + version='0.19.1', description='Tools for the Generic Signature Format for SIEM Systems', long_description=long_description, long_description_content_type="text/markdown", diff --git a/tools/sigma/backends/base.py b/tools/sigma/backends/base.py index 1ef7e175a..e9901e06d 100644 --- a/tools/sigma/backends/base.py +++ b/tools/sigma/backends/base.py @@ -114,6 +114,8 @@ class BaseBackend: def generate(self, sigmaparser): """Method is called for each sigma rule and receives the parsed rule (SigmaParser)""" + if len(sigmaparser.condparsed) > 1: + raise NotImplementedError("Base backend doesn't support multiple conditions") for parsed in sigmaparser.condparsed: query = self.generateQuery(parsed) before = self.generateBefore(parsed) diff --git a/tools/sigma/backends/carbonblack.py b/tools/sigma/backends/carbonblack.py index 975381620..1a1476290 100644 --- a/tools/sigma/backends/carbonblack.py +++ b/tools/sigma/backends/carbonblack.py @@ -109,8 +109,8 @@ class CarbonBlackQueryBackend(CarbonBlackWildcardHandlingMixin, SingleTextQueryB def cleanWhitespace(self, val): val = val.replace('*', ' AND ').replace(' ', ' ') if re.match('\S+ \S', val): - matchs = re.findall('(?:^|\(| )(.+?)(?:\)| OR| AND|$)', val) - for strMatch in matchs: + matches = re.findall('(?:^|\(| )(.+?)(?:\)| OR| AND|$)', val) + for strMatch in matches: if re.match('\S+ \S', strMatch): strUnescapeMatch = self.unescapeCharacter(strMatch) val = val.replace(strMatch, '"{}"'.format(strUnescapeMatch)) diff --git a/tools/sigma/backends/chronicle.py b/tools/sigma/backends/chronicle.py new file mode 100644 index 000000000..c1516ad65 --- /dev/null +++ b/tools/sigma/backends/chronicle.py 
@@ -0,0 +1,192 @@ +import re +from datetime import datetime + +import sigma +from sigma.backends.base import SingleTextQueryBackend +from sigma.backends.mixins import MultiRuleOutputMixin + +from .exceptions import NotSupportedError +from ..parser.condition import SigmaAggregationParser +from ..parser.modifiers.base import SigmaTypeModifier +from ..parser.modifiers.transform import SigmaContainsModifier, SigmaStartswithModifier, SigmaEndswithModifier +from ..parser.modifiers.type import SigmaRegularExpressionModifier + +comparative = ["greater_than", + "greater_equal", + "less_than", + "less_equal", + ] + +class ChronicleBackend(SingleTextQueryBackend): + """Converts Sigma rule into Google Chronicle YARA-L. Contributed by SOC Prime. https://socprime.com""" + identifier = "chronicle" + active = True + andToken = " and " + #\\\ + reEscape = re.compile('([\"]|(\\\\))') + reClear = re.compile('`') + + orToken = " or " + notToken = "not " + subExpression = "(%s)" + valueExpression = "\"%s\"" + mapExpression = "%s = %s" + listExpression = "(%s)" + listSeparator = " or " + config_required = True + mapListsSpecialHandling = True + + def __init__(self, *args, **kwargs): + self.defaultEventName = "event" + self.condition_name = None + self.parsed_detection = None + self.author = None + self.description = None + self.created = None + self.title = None + self.references = None + self.rule_count = 0 + return super().__init__(*args, **kwargs) + + def cleanValue(self, val): + if val and isinstance(val, str) and val.endswith("/"): + val = val.rstrip("/") + if val and isinstance(val, str) and val.startswith("\\"): + val = val.lstrip("\\") + return super().cleanValue(val) + + def parseTitle(self, title): + new_title = re.sub(re.compile('[()*:;+!,\[\].?"-/]'), "", title.lower()) + new_title = re.sub(re.compile('\s'), "_", new_title.lower()) + index = 0 + for i, title_char in enumerate(new_title): + if not title_char.isdigit(): + index = i + break + new_title = new_title[index:] + 
new_title = new_title.strip("_") + return new_title + + def generateMapItemNode(self, node): + fieldname, value = node + + transformed_fieldname = self.fieldNameMapping(fieldname, value) + if type(value) in (str, int): + return self.regex_check(transformed_fieldname=transformed_fieldname, val=value) + elif type(value) == list: + return self.generateMapItemListNode(transformed_fieldname, value) + elif isinstance(value, SigmaTypeModifier): + return self.generateMapItemTypedNode(transformed_fieldname, value) + elif value is None: + return self.nullExpression % (transformed_fieldname, ) + else: + raise TypeError("Backend does not support map values of type " + str(type(value))) + + def createFinalRule(self, body): + # Spaces required in rule for structure + function_name = self.parseTitle(self.title) + if self.rule_count != 0: + function_name += "_part_{}".format(self.rule_count) + + meta = """ meta:\n author = \"{author}\"\n description = \"{description}\"\n reference = \"{reference}\"\n version = \"0.01\"""".format( + author=self.author, description=self.description, reference="" + ) + if self.created: + meta += "\n created = \"{}\"".format(self.created) + if any(self.logsource): + logsources = "\n ".join([f'{i} = "{j}"' for i, j in self.logsource.items() if i not in ("description", "definition")]) + meta += "\n {}".format(logsources) + if self.tags: + tags = ", ".join([item.replace("attack.", "") for item in self.tags]) + meta += "\n mitre = \"{}\"".format(tags) + condition_func = """ condition:\n {condition}""".format(condition=self.condition) + result = """rule {function_name} {{\n{meta}\n\n events:\n{function}\n\n{condition}\n}}""".format( + function_name=function_name, + meta=meta, + function=body, + condition=condition_func + ) + self.rule_count += 1 + return result + + def fieldNameMapping(self, fieldname, value): + return f"${self.condition_name}.{fieldname}" + + def regex_check(self, transformed_fieldname, val): + if val and isinstance(val, str) and '*' in 
val: + val = val.replace("\*", "*") + val = self.cleanValue(val) + val = val.replace("(", "\(") + val = val.replace(")", "\)") + val = re.compile(r'([+.?])').sub("\\\\\g<1>", val) + val = val.replace("*", ".*") + return f"re.regex({transformed_fieldname}, `{val}`)" + if val and isinstance(val, str): + return self.mapExpression % (transformed_fieldname, self.generateNode(val)) + else: + return self.mapExpression % (transformed_fieldname, self.generateNode(val)) + + def generateMapItemListNode(self, fieldname, value): + list_query = [] + for item in value: + updated_field_value = self.regex_check(transformed_fieldname=fieldname, val=item) + list_query.append(updated_field_value) + if len(list_query) > 1: + return "(" + " or ".join(list_query) + ")" + return list_query[0] + + def generate(self, sigmaparser): + detection = sigmaparser.parsedyaml.get("detection") + condition_name = [item for item in detection.keys() if item not in ("condition", "keywords")] + if any(condition_name): + self.condition_name = condition_name[0] + else: + self.condition_name = "event" + self.author = sigmaparser.parsedyaml.get("author") + self.title = sigmaparser.parsedyaml.get("title") + description = "{} Author: {}.".format(sigmaparser.parsedyaml.get("description"), self.author) + description = description.replace("\\", "\\\\") + description = description.replace("\n", "") + self.description = description.replace('"', '\\"') + self.created = sigmaparser.parsedyaml.get("date", datetime.now().strftime("%Y-%m-%d")) + references = sigmaparser.parsedyaml.get("reference", []) + if not any(references): + references = sigmaparser.parsedyaml.get("references", []) + self.references = references + self.logsource = sigmaparser.parsedyaml.get("logsource") if sigmaparser.parsedyaml.get("logsource") else sigmaparser.parsedyaml.get("logsources", {}) + self.tags = sigmaparser.parsedyaml.get("tags") + for parsed in sigmaparser.condparsed: + aggregation = None + translate = self.generateQuery(parsed) + 
self.condition = "${}".format(self.condition_name) + if parsed.parsedAgg: + translate = self.generateAggregation(agg=parsed.parsedAgg, body=translate) + return self.createFinalRule(body=translate) + + def generateQuery(self, parsed): + result = self.generateNode(parsed.parsedSearch) + return result + + def generateAggregation(self, agg, body): + if agg is None: + return "" + if agg.aggfunc == SigmaAggregationParser.AGGFUNC_NEAR: + raise NotImplementedError( + "The 'near' aggregation operator is not " + + f"implemented for the %s backend" % self.identifier + ) + if agg.aggfunc_notrans != 'count' and agg.aggfield is None: + raise NotSupportedError( + "The '%s' aggregation operator " % agg.aggfunc_notrans + + "must have an aggregation field for the %s backend" % self.identifier + ) + if agg.aggfunc_notrans == 'count': + if agg.groupfield: + self.condition = "${condition} and #target {op} {cond}".format(condition=self.condition_name, + field=agg.groupfield, + op=agg.cond_op, + cond=agg.condition) + body += "\n${condition}.{field} = $target".format(condition=self.condition_name, field=agg.groupfield,) + else: + self.condition = "#{} {} {}".format(self.condition_name, agg.cond_op, agg.condition) + return body \ No newline at end of file diff --git a/tools/sigma/backends/devo.py b/tools/sigma/backends/devo.py new file mode 100644 index 000000000..aeca596f7 --- /dev/null +++ b/tools/sigma/backends/devo.py 
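Review bot: `regex_check` hand-escapes only `( ) + . ?` before placing a wildcard value into a YARA-L backtick raw string, so `[ ] { } | ^ $` in a Sigma value survive as regex metacharacters and change what the rule matches; escaping the literal segments with `re.escape` and joining them with `.*` (`".*".join(re.escape(p) for p in val.split("*"))`) covers every metacharacter. The preceding `val.replace("\*", "*")` turns a Sigma-escaped literal asterisk into a wildcard before the `*` → `.*` step, which presumably inverts the rule author's intent — confirm against how `cleanValue` treats `\*`. `generateAggregation` returns `body` unchanged for any function other than `count` and ignores `aggfield` on `count`, so a `min/max/sum/avg` or `count(field)` aggregation is silently dropped and the generated rule is broader than the Sigma rule; raising `NotSupportedError` there surfaces it at conversion time. The two trailing branches of `regex_check` are identical and can be collapsed to one `return`.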
@@ -0,0 +1,254 @@ +# Output backends for sigmac +# Copyright 2021 Devo, Inc. +# Author: Eduardo Ocete + +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Lesser General Public License for more details. + +# You should have received a copy of the GNU Lesser General Public License +# along with this program. If not, see . + +import re +from .base import SingleTextQueryBackend +from sigma.parser.modifiers.type import SigmaRegularExpressionModifier +from sigma.parser.condition import SigmaAggregationParser +from sigma.parser.exceptions import SigmaParseError + +class DevoBackend(SingleTextQueryBackend): + """Converts Sigma rule into Devo query.""" + identifier = "devo" + active = True + + andToken = " and " # Token used for linking expressions with logical AND + orToken = " or " # Same for OR + notToken = " not " # Same for NOT + subExpression = "(%s)" # Syntax for subexpressions, usually parenthesis around it. %s is inner expression + listExpression = "%s" # Syntax for lists, %s are list items separated with listSeparator + listSeparator = ", " # Character for separation of list items + valueExpression = "\"%s\"" # Expression of values, %s represents value + intValueExpression = "%s" # Expression of int values, %s represents value + nullExpression = "isnull(%s)" # Expression of queries for null values or non-existing fields. %s is field name + notNullExpression = "isnotnull(%s)" # Expression of queries for not null values. %s is field name + mapExpression = "%s = %s" # Syntax for field/value conditions. 
First %s is fieldname, second is value + mapMulti = "has(%s, %s)" # Syntax for field/value conditions. First %s is fieldname, second is value + mapWildcard = "matches(%s, nameglob(%s))" # Syntax for globbing conditions + mapRe = "matches(%s, %s)" # Syntax for regex conditions that already were transformed by SigmaRegularExpressionModifier + mapContains = "toktains(%s, %s, true, true)" # Systax for token value searches + mapListValueExpression = "%s or %s" # Syntax for field/value condititons where map value is a list + mapFullTextSearch = "weaktoktains(raw, \"%s\", true, true)" # Expression for full text searches + typedValueExpression = { + SigmaRegularExpressionModifier: "re(\"%s\")", # Syntax for regular expressions + } + + # \ -> \\ + # \* -> \* + # \\* -> \\* + reEscape = re.compile('("|(? 3 # Covers "*" case + + if type(value) == SigmaRegularExpressionModifier: + return self.mapRe % (transformed_fieldname, self.generateNode(value)) + elif type(value) == list: + if has_contains: + return self.subExpression % self.andToken.join(self.mapContains % (transformed_fieldname, self.generateNode(val[1:-1])) for val in value) + elif has_startswith or has_endswith: + return self.generateMapItemListNode(transformed_fieldname, value) + else: + return self.mapMulti % (transformed_fieldname, self.generateNode(value)) + elif type(value) in (str, int): + if has_contains: + return self.mapContains % (transformed_fieldname, self.generateNode(value[1:-1])) + elif has_startswith or has_endswith: + return self.mapWildcard % (transformed_fieldname, self.generateNode(value)) + else: + return self.mapExpression % (transformed_fieldname, self.generateNode(value)) + else: + raise TypeError("Devo backend does not support map values of type " + str(type(value))) + + def generateMapItemListNode(self, key, value): + return "(" + (" or ".join([self.mapWildcard % (key, self.generateValueNode(item)) for item in value])) + ")" + + def generateValueNode(self, node): + if type(node) == int: + 
return self.intValueExpression % int(node) + return self.valueExpression % (self.cleanValue(node)) + + def generateNULLValueNode(self, fieldname): + return self.nullExpression % fieldname + + def generateNotNULLValueNode(self, fieldname): + return self.notNullExpression % fieldname + + def generateTypedValueNode(self, node): + try: + return self.typedValueExpression[type(node)] % (self.cleanValue(str(node))) + except KeyError: + raise NotImplementedError("Type modifier '{}' is not supported by backend".format(node.identifier)) + + def generateFTS(self, value): + return self.mapFullTextSearch % self.cleanValue(value) + + def requireFTS(self, value): + return isinstance(value, str) or isinstance(value, int) or isinstance(value, list) + + def fieldNameMapping(self, field, value): + # Handle derived fields + matched = self.derivedField.search(field) + if matched: + self.derivedFieldSet.add(field) + return matched.group(1) + return field + + def generateAggregation(self, agg, where_clause): + if not agg: + return self.table, where_clause + + # Near operator not supported yet + if agg.aggfunc == SigmaAggregationParser.AGGFUNC_NEAR: + raise NotImplementedError("The 'near' aggregation operator is not implemented for the %s backend" % self.identifier) + if (agg.aggfunc == SigmaAggregationParser.AGGFUNC_COUNT or + agg.aggfunc == SigmaAggregationParser.AGGFUNC_MAX or + agg.aggfunc == SigmaAggregationParser.AGGFUNC_MIN or + agg.aggfunc == SigmaAggregationParser.AGGFUNC_SUM or + agg.aggfunc == SigmaAggregationParser.AGGFUNC_AVG): + + if agg.groupfield: + group_by = " group by {0}".format(self.fieldNameMapping(agg.groupfield, None)) + else: + group_by = "" + + if agg.aggfield: + select = "{}({}) as agg".format(agg.aggfunc_notrans, self.fieldNameMapping(agg.aggfield, None)) + else: + if agg.aggfunc == SigmaAggregationParser.AGGFUNC_COUNT: + select = "{}(*) as agg".format(agg.aggfunc_notrans) + else: + raise SigmaParseError("For {} aggregation a fieldname needs to be 
specified".format(agg.aggfunc_notrans)) + + if self.derivedFieldSet: + derivedFieldsStr = " {}".format(" ".join(self.derivedFieldSet)) + else: + derivedFieldsStr = "" + + temp_table = "from {}{} where {}{} select {}".format(self.table, derivedFieldsStr, where_clause, group_by, select) + agg_condition = "agg {} {}".format(agg.cond_op, agg.condition) + + return temp_table, agg_condition + + raise NotImplementedError("{} aggregation not implemented in Devo Backend".format(agg.aggfunc_notrans)) + + def generateQuery(self, parsed): + if self.requireFTS(parsed.parsedSearch): + result = self.generateFTS(parsed.parsedSearch) + else: + result = self.generateNode(parsed.parsedSearch) + if parsed.parsedAgg: + fro, whe = self.generateAggregation(parsed.parsedAgg, result) + return "{} where {} select *".format(fro, whe) + + if self.derivedFieldSet: + derivedFieldsStr = " {}".format(" ".join(self.derivedFieldSet)) + else: + derivedFieldsStr = "" + + return "from {}{} where {} select *".format(self.table, derivedFieldsStr, result) + + def generate(self, sigmaparser): + """Method is called for each sigma rule and receives the parsed rule (SigmaParser)""" + self.derivedFieldSet = set() + if sigmaparser.get_logsource() and sigmaparser.get_logsource().index: + self.table = sigmaparser.get_logsource().index[0] + else: + self.table = "sourcetable" + + for parsed in sigmaparser.condparsed: + # Multi condition rules are not supported yet, only the first one will be processed + query = self.generateQuery(parsed) + before = self.generateBefore(parsed) + after = self.generateAfter(parsed) + + result = "" + if before is not None: + result = before + if query is not None: + result += query + if after is not None: + result += after + + return result \ No newline at end of file diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py index a0c80dae9..855e8815d 100644 --- a/tools/sigma/backends/elasticsearch.py +++ b/tools/sigma/backends/elasticsearch.py 
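Review bot: `generate` returns from inside the `for parsed in sigmaparser.condparsed` loop, so a rule with several conditions is converted to a query covering only the first one with no error or warning — the silent narrowing the new guard in `BaseBackend.generate` in this same commit is meant to prevent. Adding `if len(sigmaparser.condparsed) > 1: raise NotImplementedError("Devo backend doesn't support multiple conditions")` before the loop keeps the two backends consistent. `requireFTS` routes any `str`, `int` or `list` search to `generateFTS`, which formats the value with `cleanValue(value)`; for a list this presumably does not yield a usable token search — confirm against the base `cleanValue`. The `reEscape` pattern and the start of `generateMapItemNode` are garbled in this rendering of the hunk, so the value-escaping path could not be reviewed here.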
@@ -21,11 +21,12 @@ import sys import os from random import randrange from distutils.util import strtobool +from uuid import uuid4 import sigma import yaml from sigma.parser.modifiers.type import SigmaRegularExpressionModifier, SigmaTypeModifier -from sigma.parser.condition import ConditionOR, ConditionAND, NodeSubexpression +from sigma.parser.condition import ConditionOR, ConditionAND, NodeSubexpression, SigmaAggregationParser, SigmaConditionParser, SigmaConditionTokenizer from sigma.config.mapping import ConditionalFieldMapping from .base import BaseBackend, SingleTextQueryBackend 
@@ -300,6 +301,120 @@ class ElasticsearchQuerystringBackend(DeepFieldMappingMixin, ElasticsearchWildca else: return super().generateSubexpressionNode(node) +class ElasticsearchEQLBackend(DeepFieldMappingMixin, ElasticsearchWildcardHandlingMixin, SingleTextQueryBackend): + """Converts Sigma rule into EQL.""" + identifier = "es-eql" + active = True + + # XXX case sensitivity + # case insensitive (and regex!!!) + # - map/field: "%s == %s" becomes "%s : %s" + # - map/list: "%s in %s" becomes "%s : %s" + + andToken = " and " + orToken = " or " + notToken = " not " + subExpression = "(%s)" + listExpression = "(%s)" + listSeparator = "," + valueExpression = "\"%s\"" # XXX numeric? + typedValueExpression = dict() # XXX Expression of typed values generated by type modifiers. modifier identifier -> expression dict, %s represents value + nullExpression = "%s == null" + notNullExpression = "%s != null" + mapExpression = "%s : %s" + mapListsSpecialHandling = False + mapListValueExpression = "%s : %s" + + sort_condition_lists = True + + def __init__(self, *args, **kwargs): + super().__init__(*args, **kwargs) + self.categories = set() + self.sequence = False + self.maxspan = None + + def generate(self, sigmaparser): + # reset per-rule variables + self.categories = set() + self.sequence = False + self.maxspan = None + return super().generate(sigmaparser) + + def escapeSlashes(self, value): + return value.replace("\\", "\\\\") + + def generateMapItemNode(self, node): + fieldname, _ = node + try: + category, fieldname = fieldname.split('.', 1) + # check against https://www.elastic.co/guide/en/ecs/1.8/ecs-allowed-values-event-category.html + if category in ("authentication", "configuration", "database", "driver", "file", "host", "iam", "intrusion_detection", "malware", "network", "package", "process", "registry", "session", "web"): + self.categories.add(category) + except ValueError: + pass + return super().generateMapItemNode(node) + + def generateMapItemTypedNode(self, fieldname, 
value): + return self.mapExpression % (fieldname, self.generateTypedValueNode(value)) + + def generateValueNode(self, node): + return self.valueExpression % (self.escapeSlashes(self.cleanValue(str(node)))) + + def generateAggregationQuery(self, agg, searchId): + condtoken = SigmaConditionTokenizer(searchId) + condparsed = SigmaConditionParser(agg.parser, condtoken) + backend = ElasticsearchEQLBackend(agg.config) + query = backend.generateQuery(condparsed) + before = backend.generateBefore(condparsed) + return before + query + + def generateAggregation(self, agg): + if agg.aggfunc == SigmaAggregationParser.AGGFUNC_NEAR: + self.sequence = True + self.maxspan = agg.parser.parsedyaml['detection'].get('timeframe', None) + + includeQueries = [] + excludeQueries = [] + + for include in agg.include: + includeQueries.append(self.generateAggregationQuery(agg, include)) + + for exclude in agg.exclude: + excludeQueries.append(self.generateAggregationQuery(agg, exclude)) + + ret = " ] [ " + " ] [ ".join(includeQueries) + " ]" + if len(excludeQueries) > 0: + ret += " until [ " + " ] [ ".join(excludeQueries) + " ]" + return ret + + raise NotImplementedError("Aggregation %s is not implemented for this backend" % agg.aggfunc_notrans) + + def generateEventCategory(self): + if len(self.categories) == 0: + return "any where " + elif len(self.categories) == 1: + return "%s where " % self.categories.pop() + # XXX raise NotImplementedError? 
>1 category is probably due to unmapped fields + return "any where " + + def generateBefore(self, parsed): + before = "" + + if self.sequence: + before += "sequence " + if self.maxspan != None: + before += "with maxspan=%s " % self.maxspan + before += "[ " + + before += self.generateEventCategory() + + return before + + def fieldNameMapping(self, fieldname, value): + if fieldname.count("-") > 0 or fieldname.count(" ") > 0 or fieldname[0].isdigit(): + return "`%s`" % fieldname + return fieldname + class ElasticsearchDSLBackend(DeepFieldMappingMixin, RulenameCommentMixin, ElasticsearchWildcardHandlingMixin, BaseBackend): """ElasticSearch DSL backend""" identifier = 'es-dsl' @@ -355,7 +470,7 @@ class ElasticsearchDSLBackend(DeepFieldMappingMixin, RulenameCommentMixin, Elast raise TypeError("Field mapping must return string or list") fields = ",".join(str(x) for x in columns) - self.queries[-1]['_source_'] = columns + self.queries[-1]['_source'] = columns except KeyError: # no 'fields' attribute mapped = None pass @@ -509,16 +624,22 @@ class ElasticsearchDSLBackend(DeepFieldMappingMixin, RulenameCommentMixin, Elast } else: # if the condition is count() by MyGroupedField > XYZ group_aggname = "{}_count".format(agg.groupfield) + count_agg_name = "single_{}_count".format(agg.groupfield) self.queries[-1]['aggs'] = { group_aggname: { 'terms': { 'field': '%s' % (agg.groupfield) }, 'aggs': { + count_agg_name: { + 'value_count': { + 'field': '%s' % agg.groupfield + } + }, 'limit': { 'bucket_selector': { 'buckets_path': { - 'count': group_aggname + 'count': count_agg_name }, 'script': 'params.count %s %s' % (agg.cond_op, agg.condition) } 
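Review bot: `generateAggregation` copies the rule's `timeframe` string straight into `with maxspan=%s` without checking it is a unit EQL accepts, so a Sigma timeframe suffix the engine does not understand only fails when the rule is loaded into Elasticsearch rather than at conversion; validating it here (or raising `NotSupportedError`) surfaces the problem earlier. `generateEventCategory` falls back to `any where ` when fields map to more than one ECS category, which quietly widens a sequence to every event type; the XXX comment already hints at this, and a logged warning would at least make the widening visible. Minor: `fieldNameMapping` indexes `fieldname[0]`, which raises `IndexError` on an empty field name, `if not fieldname or fieldname[0].isdigit() or ...`, and `self.maxspan != None` should be `is not None`.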
@@ -1045,7 +1166,7 @@ class ElastalertBackend(DeepFieldMappingMixin, MultiRuleOutputMixin): index = "logstash-*" elif len(index) > 0: index = index[0] - #Init a rule number cpt in case there are several elastalert rules generated fron one Sigma rule + #Init a rule number cpt in case there are several elastalert rules generated from one Sigma rule rule_number = 0 for parsed in sigmaparser.condparsed: #Static data @@ -1211,15 +1332,34 @@ class ElastalertBackendQs(ElastalertBackend, ElasticsearchQuerystringBackend): #Generate ES QS Query return [{ 'query' : { 'query_string' : { 'query' : super().generateQuery(parsed) } } }] -class ElasticSearchRuleBackend(ElasticsearchQuerystringBackend): +class ElasticSearchRuleBackend(object): """Elasticsearch detection rule backend""" - identifier = "es-rule" active = True + uuid_black_list = [] + options = ElasticsearchQuerystringBackend.options + ( + ("put_filename_in_ref", False, "Want to have yml name in reference ?", None), + ("convert_to_url", False, "Want to convert to a URL ?", None), + ("path_to_replace", "../", "The local path to replace with dest_base_url", None), + ("dest_base_url", "https://github.com/SigmaHQ/sigma/tree/master/", "The URL prefix", None), + ("custom_tag", None , "Add custom tag. for multi split with a comma tag1,tag2 ", None), + ) + default_rule_type = "query" def __init__(self, *args, **kwargs): super().__init__(*args, **kwargs) self.tactics = self._load_mitre_file("tactics") self.techniques = self._load_mitre_file("techniques") + self.rule_type = self.default_rule_type + self.rule_threshold = {} + + def _rule_lang_from_type(self): + rule_lang_map = { + "eql": "eql", + "query": "lucene", + "threat-match": "lucene", + "threshold": "lucene", + } + return rule_lang_map[self.rule_type] def _load_mitre_file(self, mitre_type): try: 
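Review bot: `ElasticSearchRuleBackend` now derives from `object` but still calls `super().__init__(*args, **kwargs)`, so it only works when combined with a query backend later in the MRO (as `ElasticSearchRuleQsBackend` and `ElasticSearchRuleEqlBackend` do in this commit); instantiating it on its own raises `TypeError`, and `options = ElasticsearchQuerystringBackend.options + (...)` hard-wires one backend's options even for the EQL combination. The docstring should say so: `"""Elasticsearch detection-rule mixin; combine with a query backend (see ElasticSearchRuleQsBackend / ElasticSearchRuleEqlBackend)."""`. `uuid_black_list = []` is a class-level list shared by every instance and never reset, so ids seen by one conversion bleed into the next within the same process; setting `self.uuid_black_list = []` in `__init__` scopes it per backend instance. `_rule_lang_from_type` raises a bare `KeyError` for an unknown `rule_type`; `_load_mitre_file` and the rest of the class continue outside the hunk.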
@@ -1236,6 +1376,10 @@ class ElasticSearchRuleBackend(ElasticsearchQuerystringBackend): return [] def generate(self, sigmaparser): + # reset per-detection variables + self.rule_type = self.default_rule_type + self.rule_threshold = {} + translation = super().generate(sigmaparser) if translation: index = sigmaparser.get_logsource().index @@ -1282,14 +1426,45 @@ class ElasticSearchRuleBackend(ElasticsearchQuerystringBackend): return technique def map_risk_score(self, level): + if level not in ["low","medium","high","critical"]: + level = "medium" if level == "low": - return randrange(0,22) + return 5 elif level == "medium": - return randrange(22,48) + return 35 elif level == "high": - return randrange(48,74) + return 65 elif level == "critical": - return randrange(74,101) + return 95 + + def map_severity(self, severity): + severity = severity.lower() + if severity in ["low","medium","high","critical"]: + return severity + elif severity == "informational": + return "low" + else: + return "medium" + + def build_ymlfile_ref(self, configs): + if self.put_filename_in_ref == False: # Dont want + return None + + yml_filename = configs.get("yml_filename") + yml_path = configs.get("yml_path") + if yml_filename == None or yml_path == None: + return None + + if self.convert_to_url: + yml_path = yml_path.replace('\\','/') #windows path to url + self.path_to_replace = self.path_to_replace.replace('\\','/') #windows path to url + if self.path_to_replace not in yml_path: #Error to change + return None + + new_ref = yml_path.replace(self.path_to_replace,self.dest_base_url) + '/' + yml_filename + else: + new_ref = yml_filename + return new_ref def create_rule(self, configs, index): tags = configs.get("tags", []) 
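Review bot: `map_risk_score` and `map_severity` normalise the level inconsistently: `map_severity` lower-cases its input while `map_risk_score` compares the raw string, so a rule with `level: High` is emitted with severity `high` but the medium risk score 35. Lower-casing in `map_risk_score` as well, `level = level.lower() if isinstance(level, str) else "medium"`, keeps the two fields in agreement. In `build_ymlfile_ref`, the `in` test and `yml_path.replace(self.path_to_replace, self.dest_base_url)` act on every occurrence of the substring rather than the leading path component, so a path such as `../../rules/x.yml` gets the URL prefix inserted twice; checking `yml_path.startswith(self.path_to_replace)` and replacing once (`.replace(..., 1)`) is what the option text describes. That method also rewrites `self.path_to_replace` in place on each call, a surprising side effect for a helper that builds a reference.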
@@ -1322,24 +1497,55 @@ class ElasticSearchRuleBackend(ElasticsearchQuerystringBackend): if tact: new_tags.append(tag.title()) tactics_list.append(tact) + + if self.custom_tag: + if ',' in self.custom_tag: + tag_split = self.custom_tag.split(",") + for l_tag in tag_split: + new_tags.append(l_tag) + else: + new_tags.append(self.custom_tag) + threat = self.create_threat_description(tactics_list=tactics_list, techniques_list=technics_list) rule_name = configs.get("title", "").lower() - rule_id = re.sub(re.compile('[()*+!,\[\].\s"]'), "_", rule_name) + rule_uuid = configs.get("id", "").lower() + if rule_uuid == "": + rule_uuid = str(uuid4()) + if rule_uuid in self.uuid_black_list: + rule_uuid = str(uuid4()) + self.uuid_black_list.append(rule_uuid) + rule_id = re.sub(re.compile('[()*+!,\[\].\s"]'), "_", rule_uuid) risk_score = self.map_risk_score(configs.get("level", "medium")) references = configs.get("reference") if references is None: references = configs.get("references") + falsepositives = [] + yml_falsepositives = configs.get('falsepositives',["Unknown"]) + if isinstance(yml_falsepositives,str): + falsepositives.append(yml_falsepositives) + else: + falsepositives=yml_falsepositives + + add_ref_yml= self.build_ymlfile_ref(configs) + if add_ref_yml: + if references is None: # No ref + references=[] + if add_ref_yml in references: + pass # else put a duplicate ref for multi rule file + else: + references.append(add_ref_yml) + rule = { "description": configs.get("description", ""), "enabled": True, - "false_positives": configs.get('falsepositives', "Unkown"), + "false_positives": falsepositives, "filters": [], "from": "now-360s", "immutable": False, "index": index, "interval": "5m", "rule_id": rule_id, - "language": "lucene", + "language": self._rule_lang_from_type(), "output_index": ".siem-signals-default", "max_signals": 100, "risk_score": risk_score, 
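Review bot: When the Sigma `id` is empty or already in `uuid_black_list`, `create_rule` silently substitutes `str(uuid4())`, so the emitted `rule_id` no longer matches the rule's declared id and differs on every run; a duplicate id across rules is a data error worth a warning rather than a random replacement, and an empty id deserves at least a log line. `configs.get("id", "")` is lower-cased before the check, which presumably assumes the YAML value is a string — an unquoted numeric id would raise `AttributeError`. The `custom_tag` split does not strip whitespace, so `tag1, tag2` yields the tag ` tag2`; `new_tags.extend(t.strip() for t in self.custom_tag.split(",") if t.strip())` handles both the single- and multi-tag case. `create_rule` continues outside the hunk.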
@@ -1348,17 +1554,45 @@ class ElasticSearchRuleBackend(ElasticsearchQuerystringBackend): "meta": { "from": "1m" }, - "severity": configs.get("level", "medium"), + "severity": self.map_severity(configs.get("level", "medium")), "tags": new_tags, "to": "now", - "type": "query", + "type": self.rule_type, "threat": threat, "version": 1 } + if self.rule_type == "threshold": + rule.update({"threshold": self.rule_threshold}) if references: rule.update({"references": references}) return json.dumps(rule) + +class ElasticSearchRuleEqlBackend(ElasticSearchRuleBackend, ElasticsearchEQLBackend): + default_rule_type = "eql" + identifier = "es-rule-eql" + def __init__(self, *args, **kwargs): + super().__init__(*args, **kwargs) + +class ElasticSearchRuleQsBackend(ElasticSearchRuleBackend, ElasticsearchQuerystringBackend): + identifier = "es-rule" + def __init__(self, *args, **kwargs): + super().__init__(*args, **kwargs) + + def generateAggregation(self, agg): + if agg.aggfunc == SigmaAggregationParser.AGGFUNC_COUNT: + if agg.cond_op not in [">", ">="]: + raise NotImplementedError("Threshold rules can only handle > and >= operators") + if agg.aggfield: + raise NotImplementedError("Threshold rules cannot COUNT(DISTINCT %s)" % agg.aggfield) + self.rule_type = "threshold" + self.rule_threshold = { + "field": agg.groupfield if agg.groupfield else [], + "value": int(agg.condition) if agg.cond_op == ">=" else int(agg.condition) + 1 + } + return "" + raise NotImplementedError("Aggregation %s is not implemented for this backend" % agg.aggfunc_notrans) + class KibanaNdjsonBackend(ElasticsearchQuerystringBackend, MultiRuleOutputMixin): """Converts Sigma rule into Kibana JSON Configuration files (searches only).""" identifier = "kibana-ndjson" diff --git a/tools/sigma/backends/fireeye-helix.py b/tools/sigma/backends/fireeye-helix.py index 4b0487557..fca445da9 100644 --- a/tools/sigma/backends/fireeye-helix.py +++ b/tools/sigma/backends/fireeye-helix.py 
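Review bot: In `ElasticSearchRuleQsBackend.generateAggregation` the threshold `field` is the raw `agg.groupfield`, while the rest of the query goes through the backend's field-name mapping, so a config mapping such as the `winlog.event_data.*` renames in this commit is applied to the query but not to the threshold field and the rule counts on a field that does not exist in the index; `self.fieldNameMapping(agg.groupfield, None)` (as the Devo backend in this commit does) keeps them consistent. `int(agg.condition)` raises a bare `ValueError` for a non-integer threshold; wrapping it in `NotImplementedError` with the offending value would match the surrounding checks. The `__init__` methods of `ElasticSearchRuleEqlBackend` and `ElasticSearchRuleQsBackend` only forward to `super()` and can be dropped.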
@@ -58,7 +58,7 @@ class FireEyeHelixBackend(SingleTextQueryBackend): def __init__(self, *args, **kwargs): """Initialize field mappings""" super().__init__(*args, **kwargs) - # Retrieve a list of fields explicity mapped in the config so we can use "rawmsg" for unmapped fields + # Retrieve a list of fields explicitly mapped in the config so we can use "rawmsg" for unmapped fields fl = ["metaclass", "channel"] for item in self.sigmaconfig.fieldmappings.values(): if item.target_type == list: @@ -125,14 +125,14 @@ class FireEyeHelixBackend(SingleTextQueryBackend): def generateNULLValueNode(self, node): # Don't generate null value nodes for fields we don't map - if node.item is "rawmsg": + if node.item == "rawmsg": return None else: return self.notNullExpression % (node.item) def generateNotNULLValueNode(self, node): # Don't generate not null value nodes for fields we don't map - if node.item is "rawmsg": + if node.item == "rawmsg": return None else: return self.nullExpression % (node.item) diff --git a/tools/sigma/backends/limacharlie.py b/tools/sigma/backends/limacharlie.py index a6086cf5e..383134a40 100644 --- a/tools/sigma/backends/limacharlie.py +++ b/tools/sigma/backends/limacharlie.py @@ -23,11 +23,16 @@ from sigma.parser.modifiers.type import SigmaRegularExpressionModifier # A few helper functions for cases where field mapping cannot be done # as easily one by one, or can be done more efficiently. -def _windowsEventLogFieldName(fieldName): +def _windowsEventLogArtifactFieldName(fieldName): if 'EventID' == fieldName: return 'Event/System/EventID' return 'Event/EventData/%s' % (fieldName,) +def _windowsEventLogEDRFieldName(fieldName): + if 'EventID' == fieldName: + return 'event/EVENT/System/EventID' + return 'event/EVENT/EventData/%s' % (fieldName,) + def _mapProcessCreationOperations(node): # Here we fix some common pitfalls found in rules # in a consistent fashion (already processed to D&R rule). 
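Review bot: On the new side `generateNULLValueNode` returns `self.notNullExpression % (node.item)` while `generateNotNULLValueNode` returns `self.nullExpression % (node.item)`, which looks inverted: a Sigma `field: null` condition would be rendered in the "is not null" form and vice versa, flipping that part of the detection. The commit only changes the `is` → `==` comparisons and leaves this as is; unless the two expression strings are deliberately defined swapped elsewhere in the class, exchange the two return lines so that `generateNULLValueNode` ends with `return self.nullExpression % (node.item)` and `generateNotNULLValueNode` with `return self.notNullExpression % (node.item)`.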
@@ -63,134 +68,202 @@ SigmaLCConfig = namedtuple('SigmaLCConfig', [ 'isAllStringValues', 'keywordField', 'postOpMapper', + 'isCaseSensitive', ]) _allFieldMappings = { - "windows/process_creation/": SigmaLCConfig( - topLevelParams = { - "events": [ - "NEW_PROCESS", - "EXISTING_PROCESS", - ] - }, - preConditions = { - "op": "is windows", - }, - fieldMappings = { - "CommandLine": "event/COMMAND_LINE", - "Image": "event/FILE_PATH", - "ParentImage": "event/PARENT/FILE_PATH", - "ParentCommandLine": "event/PARENT/COMMAND_LINE", - "User": "event/USER_NAME", - "OriginalFileName": "event/ORIGINAL_FILE_NAME", - # Custom field names coming from somewhere unknown. - "NewProcessName": "event/FILE_PATH", - "ProcessCommandLine": "event/COMMAND_LINE", - # Another one-off command line. - "Command": "event/COMMAND_LINE", - }, - isAllStringValues = False, - keywordField = "event/COMMAND_LINE", - postOpMapper = _mapProcessCreationOperations - ), - "windows//": SigmaLCConfig( - topLevelParams = { - "target": "log", - "log type": "wel", - }, - preConditions = None, - fieldMappings = _windowsEventLogFieldName, - isAllStringValues = True, - keywordField = None, - postOpMapper = None - ), - "windows_defender//": SigmaLCConfig( - topLevelParams = { - "target": "log", - "log type": "wel", - }, - preConditions = None, - fieldMappings = _windowsEventLogFieldName, - isAllStringValues = True, - keywordField = None, - postOpMapper = None - ), - "dns//": SigmaLCConfig( - topLevelParams = { - "event": "DNS_REQUEST", - }, - preConditions = None, - fieldMappings = { - "query": "event/DOMAIN_NAME", - }, - isAllStringValues = False, - keywordField = None, - postOpMapper = None - ), - "linux//": SigmaLCConfig( - topLevelParams = { - "events": [ - "NEW_PROCESS", - "EXISTING_PROCESS", - ] - }, - preConditions = { - "op": "is linux", - }, - fieldMappings = { - "exe": "event/FILE_PATH", - "type": None, - }, - isAllStringValues = False, - keywordField = 'event/COMMAND_LINE', - postOpMapper = None - ), - 
"unix//": SigmaLCConfig( - topLevelParams = { - "events": [ - "NEW_PROCESS", - "EXISTING_PROCESS", - ] - }, - preConditions = { - "op": "is linux", - }, - fieldMappings = { - "exe": "event/FILE_PATH", - "type": None, - }, - isAllStringValues = False, - keywordField = 'event/COMMAND_LINE', - postOpMapper = None - ), - "netflow//": SigmaLCConfig( - topLevelParams = { - "event": "NETWORK_CONNECTIONS", - }, - preConditions = None, - fieldMappings = { - "destination.port": "event/NETWORK_ACTIVITY/DESTINATION/PORT", - "source.port": "event/NETWORK_ACTIVITY/SOURCE/PORT", - }, - isAllStringValues = False, - keywordField = None, - postOpMapper = None - ), - "/proxy/": SigmaLCConfig( - topLevelParams = { - "event": "HTTP_REQUEST", - }, - preConditions = None, - fieldMappings = { - "c-uri|contains": "event/URL", - "c-uri": "event/URL", - "URL": "event/URL", - "cs-uri-query": "event/URL", - "cs-uri-stem": "event/URL", - }, - isAllStringValues = False, - keywordField = None, - postOpMapper = None - ), + 'edr': { + "windows//": SigmaLCConfig( + topLevelParams = { + "event": "WEL", + }, + preConditions = { + "op": "is windows", + }, + fieldMappings = _windowsEventLogEDRFieldName, + isAllStringValues = True, + keywordField = None, + postOpMapper = None, + isCaseSensitive = [] + ), + "windows_defender//": SigmaLCConfig( + topLevelParams = { + "event": "WEL", + }, + preConditions = { + "op": "is windows", + }, + fieldMappings = _windowsEventLogEDRFieldName, + isAllStringValues = True, + keywordField = None, + postOpMapper = None, + isCaseSensitive = [] + ), + "windows/process_creation/": SigmaLCConfig( + topLevelParams = { + "events": [ + "NEW_PROCESS", + "EXISTING_PROCESS", + ] + }, + preConditions = { + "op": "is windows", + }, + fieldMappings = { + "CommandLine": "event/COMMAND_LINE", + "Image": "event/FILE_PATH", + "ParentImage": "event/PARENT/FILE_PATH", + "ParentCommandLine": "event/PARENT/COMMAND_LINE", + "User": "event/USER_NAME", + "OriginalFileName": 
"event/ORIGINAL_FILE_NAME", + # Custom field names coming from somewhere unknown. + "NewProcessName": "event/FILE_PATH", + "ProcessCommandLine": "event/COMMAND_LINE", + # Another one-off command line. + "Command": "event/COMMAND_LINE", + }, + isAllStringValues = False, + keywordField = "event/COMMAND_LINE", + postOpMapper = _mapProcessCreationOperations, + isCaseSensitive = [] + ), + "dns//": SigmaLCConfig( + topLevelParams = { + "event": "DNS_REQUEST", + }, + preConditions = None, + fieldMappings = { + "query": "event/DOMAIN_NAME", + }, + isAllStringValues = False, + keywordField = None, + postOpMapper = None, + isCaseSensitive = [] + ), + "linux//": SigmaLCConfig( + topLevelParams = { + "events": [ + "NEW_PROCESS", + "EXISTING_PROCESS", + ] + }, + preConditions = { + "op": "is linux", + }, + fieldMappings = { + "exe": "event/FILE_PATH", + "type": None, + }, + isAllStringValues = False, + keywordField = 'event/COMMAND_LINE', + postOpMapper = None, + isCaseSensitive = ['event/FILE_PATH'] + ), + "unix//": SigmaLCConfig( + topLevelParams = { + "events": [ + "NEW_PROCESS", + "EXISTING_PROCESS", + ] + }, + preConditions = { + "op": "is linux", + }, + fieldMappings = { + "exe": "event/FILE_PATH", + "type": None, + }, + isAllStringValues = False, + keywordField = 'event/COMMAND_LINE', + postOpMapper = None, + isCaseSensitive = ['event/FILE_PATH'] + ), + "netflow//": SigmaLCConfig( + topLevelParams = { + "event": "NETWORK_CONNECTIONS", + }, + preConditions = None, + fieldMappings = { + "destination.port": "event/NETWORK_ACTIVITY/DESTINATION/PORT", + "source.port": "event/NETWORK_ACTIVITY/SOURCE/PORT", + }, + isAllStringValues = False, + keywordField = None, + postOpMapper = None, + isCaseSensitive = [] + ), + "/proxy/": SigmaLCConfig( + topLevelParams = { + "event": "HTTP_REQUEST", + }, + preConditions = None, + fieldMappings = { + "c-uri|contains": "event/URL", + "c-uri": "event/URL", + "URL": "event/URL", + "cs-uri-query": "event/URL", + "cs-uri-stem": "event/URL", + }, 
+ isAllStringValues = False, + keywordField = None, + postOpMapper = None, + isCaseSensitive = [] + ), + "macos/process_creation/": SigmaLCConfig( + topLevelParams = { + "events": [ + "NEW_PROCESS", + "EXISTING_PROCESS", + ] + }, + preConditions = { + "op": "is mac", + }, + fieldMappings = { + "CommandLine": "event/COMMAND_LINE", + "Commandline": "event/COMMAND_LINE", + "Image": "event/FILE_PATH", + "ParentImage": "event/PARENT/FILE_PATH", + "ParentCommandLine": "event/PARENT/COMMAND_LINE", + "User": "event/USER_NAME", + "OriginalFileName": "event/ORIGINAL_FILE_NAME", + # Custom field names coming from somewhere unknown. + "NewProcessName": "event/FILE_PATH", + "ProcessCommandLine": "event/COMMAND_LINE", + # Another one-off command line. + "Command": "event/COMMAND_LINE", + }, + isAllStringValues = False, + keywordField = "event/COMMAND_LINE", + postOpMapper = _mapProcessCreationOperations, + isCaseSensitive = ['event/FILE_PATH'] + ), + }, + "artifact": { + "windows//": SigmaLCConfig( + topLevelParams = { + "target": "log", + "log type": "wel", + }, + preConditions = None, + fieldMappings = _windowsEventLogArtifactFieldName, + isAllStringValues = True, + keywordField = None, + postOpMapper = None, + isCaseSensitive = [] + ), + "windows_defender//": SigmaLCConfig( + topLevelParams = { + "target": "log", + "log type": "wel", + }, + preConditions = None, + fieldMappings = _windowsEventLogArtifactFieldName, + isAllStringValues = True, + keywordField = None, + postOpMapper = None, + isCaseSensitive = [] + ), + } } class LimaCharlieBackend(BaseBackend): @@ -200,6 +273,15 @@ class LimaCharlieBackend(BaseBackend): config_required = False default_config = ["limacharlie"] + options = ( + ( + "lc_target", + "edr", + "Generate LimaCharlie D&R rules for the following target, one of: edr, artifact.", + None, + ), + ) + def generate(self, sigmaparser): # Take the log source information and figure out which set of mappings to use. ruleConfig = sigmaparser.parsedyaml 
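Review bot: `macos/process_creation/` marks `event/FILE_PATH` as case sensitive (`isCaseSensitive = ['event/FILE_PATH']`), but the default macOS file system is typically case-insensitive, so a rule whose path casing differs from what the sensor reports would stop matching, whereas the same setting is appropriate for `linux//` and `unix//`. If that is intentional it deserves a comment next to the entry explaining why macOS paths are treated as case sensitive; otherwise use `isCaseSensitive = []` there as `windows/process_creation/` does. Separately, the `linux//` and `unix//` entries are byte-identical, as are most of the two process_creation entries; building one `SigmaLCConfig` and registering the same object under both keys keeps them from drifting apart.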
@@ -230,7 +312,7 @@ class LimaCharlieBackend(BaseBackend): # See if we have a definition for the source combination. mappingKey = "%s/%s/%s" % (product, category, service) - topFilter, preCond, mappings, isAllStringValues, keywordField, postOpMapper = _allFieldMappings.get(mappingKey, tuple([None, None, None, None, None, None])) + topFilter, preCond, mappings, isAllStringValues, keywordField, postOpMapper, isCaseSensitive = _allFieldMappings.get(self.lc_target, {}).get(mappingKey, tuple([None, None, None, None, None, None, None])) if mappings is None: raise NotImplementedError("Log source %s/%s/%s not supported by backend." % (product, category, service)) @@ -249,6 +331,9 @@ class LimaCharlieBackend(BaseBackend): # Call to fixup all operations after the fact. self._postOpMapper = postOpMapper + # Event paths that are case sensitive. + self._isCaseSensitiveFS = isCaseSensitive + # Call the original generation code. detectComponent = super().generate(sigmaparser) @@ -411,7 +496,7 @@ class LimaCharlieBackend(BaseBackend): newOp = { "op": op, "path": fieldname, - "case sensitive": False, + "case sensitive": fieldname in self._isCaseSensitiveFS, } if op == "matches": newOp["re"] = newVal @@ -429,7 +514,7 @@ class LimaCharlieBackend(BaseBackend): newOp = { "op": op, "path": fieldname, - "case sensitive": False, + "case sensitive": fieldname in self._isCaseSensitiveFS, } if op == "matches": newOp["re"] = newVal @@ -593,7 +678,7 @@ class LimaCharlieBackend(BaseBackend): raise NotImplementedError("Full-text keyboard searches not supported.") # This seems to be indicative only of "keywords" which are mostly - # representative of full-text searches. We don't suport that but + # representative of full-text searches. We don't support that but # in some data sources we can alias them to an actual field. op, newVal = self._valuePatternToLcOp(val) newOp = { diff --git a/tools/sigma/backends/mdatp.py b/tools/sigma/backends/mdatp.py index b843ddfcd..eb535835a 100644 
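Review bot: `_allFieldMappings.get(self.lc_target, {})` turns a mistyped `lc_target` (anything other than `edr` and `artifact`) into an empty mapping, so every rule then fails with `Log source %s/%s/%s not supported by backend.`, which points the user at the log source rather than at the option. Validate the option once before the lookup: `if self.lc_target not in _allFieldMappings: raise NotImplementedError("Unknown lc_target '%s', expected one of: %s" % (self.lc_target, ", ".join(_allFieldMappings)))`. `generate` starts and ends outside this hunk.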
--- a/tools/sigma/backends/mdatp.py +++ b/tools/sigma/backends/mdatp.py @@ -19,8 +19,6 @@ from functools import wraps from .base import SingleTextQueryBackend from .exceptions import NotSupportedError from ..parser.modifiers.base import SigmaTypeModifier -from ..parser.modifiers.transform import SigmaContainsModifier, SigmaStartswithModifier, SigmaEndswithModifier -from ..parser.modifiers.type import SigmaRegularExpressionModifier def wrapper(method): @@ -42,10 +40,7 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend): active = True config_required = False - # \ -> \\ - # \* -> \* - # \\* -> \\* - reEscape = re.compile('("|(?', val) val = re.sub('\\*', '.*', val) val = re.sub('\\?', '.', val) - else: # value possibly only starts and/or ends with *, use prefix/postfix match + else: + # value possibly only starts and/or ends with *, use prefix/postfix match if val.endswith("*") and val.startswith("*"): op = "contains" val = self.cleanValue(val[1:-1]) @@ -192,6 +216,9 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend): return "%s \"%s\"" % (op, val) + def porttype_mapping(self, val): + return "%s \"%s\"" % ("==", val) + def logontype_mapping(self, src): """Value mapping for logon events to reduced ATP LogonType set""" logontype_mapping = { @@ -240,6 +267,9 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend): elif (self.category, self.product, self.service) == ("file_event", "windows", None): self.tables.append("DeviceFileEvents") self.current_table = "DeviceFileEvents" + elif (self.category, self.product, self.service) == ("image_load", "windows", None): + self.tables.append("DeviceImageLoadEvents") + self.current_table = "DeviceImageLoadEvents" elif (self.category, self.product, self.service) == ("network_connection", "windows", None): self.tables.append("DeviceNetworkEvents") self.current_table = "DeviceNetworkEvents" 
@@ -273,6 +303,10 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend): return "%s" % generated return generated + def cleanValue(self, val): + if self.reEscape: + val = self.reEscape.sub(self.escapeSubst, val) + return val def mapEventId(self, event_id): if self.product == "windows": @@ -314,6 +348,10 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend): self.tables.append("DeviceLogonEvents") self.current_table = "DeviceLogonEvents" return None + elif self.service == "system" and event_id == 7045: # New Service Install + self.tables.append("DeviceEvents") + self.current_table = "DeviceEvents" + return "ActionType == \"ServiceInstalled\"" else: if not self.tables: raise NotSupportedError("No sysmon Event ID provided") diff --git a/tools/sigma/backends/netwitness-epl.py b/tools/sigma/backends/netwitness-epl.py index e580b259c..62506337b 100644 --- a/tools/sigma/backends/netwitness-epl.py +++ b/tools/sigma/backends/netwitness-epl.py @@ -55,8 +55,8 @@ class NetWitnessEplBackend(SingleTextQueryBackend): listSeparator = ", " valueExpression = "\'%s\'" keyExpression = "%s" - nullExpression = "%s exists" - notNullExpression = "%s exists" + nullExpression = "%s is null" + notNullExpression = "%s is not null" mapExpression = "(%s=%s)" mapListsSpecialHandling = True diff --git a/tools/sigma/backends/netwitness.py b/tools/sigma/backends/netwitness.py index 25aed08d0..c8898ec67 100644 --- a/tools/sigma/backends/netwitness.py +++ b/tools/sigma/backends/netwitness.py @@ -37,7 +37,7 @@ class NetWitnessBackend(SingleTextQueryBackend): listSeparator = ", " valueExpression = "\'%s\'" keyExpression = "%s" - nullExpression = "%s exists" + nullExpression = "%s !exists" notNullExpression = "%s exists" mapExpression = "(%s=%s)" mapListsSpecialHandling = True diff --git a/tools/sigma/backends/powershell.py b/tools/sigma/backends/powershell.py index 192e5369d..67d347a03 100644 --- a/tools/sigma/backends/powershell.py +++ b/tools/sigma/backends/powershell.py 
@@ -44,6 +44,11 @@ class PowerShellBackend(SingleTextQueryBackend): mapListsSpecialHandling = True logname = None + fieldMappings = { + "EventID": "ID", + "ID": "ID", + "ServiceFileName": "Service File Name" + } def generate(self, sigmaparser): """Method is called for each sigma rule and receives the parsed rule (SigmaParser)""" @@ -112,9 +117,8 @@ class PowerShellBackend(SingleTextQueryBackend): if self.mapListsSpecialHandling == False and type(value) in (str, int, list) or self.mapListsSpecialHandling == True and type(value) in (str, int): if key in ("LogName","source"): self.logname = value - elif key in ("ID", "EventID"): - if key == "EventID": - key = "ID" + elif key in self.fieldMappings.keys(): + key = self.fieldMappings[key] return self.mapExpression % (key, self.generateValueNode(value, True)) elif type(value) == str and "*" in value: value = value.replace("*", ".*") @@ -136,9 +140,8 @@ class PowerShellBackend(SingleTextQueryBackend): def generateMapItemListNode(self, key, value): itemslist = list() for item in value: - if key in ("ID", "EventID"): - if key == "EventID": - key = "ID" + if key in self.fieldMappings.keys(): + key = self.fieldMappings[key] itemslist.append(self.mapExpression % (key, self.generateValueNode(item, True))) elif type(item) == str and "*" in item: item = item.replace("*", ".*") diff --git a/tools/sigma/backends/qradar.py b/tools/sigma/backends/qradar.py index f29024af1..027042ae4 100644 --- a/tools/sigma/backends/qradar.py +++ b/tools/sigma/backends/qradar.py 
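Review bot: `key in self.fieldMappings.keys()` in both `generateMapItemNode` (the `@@ -112` hunk) and `generateMapItemListNode` (the `@@ -136` hunk) builds a keys view only to test membership; `if key in self.fieldMappings:` is the idiomatic and equivalent form. The new `fieldMappings` class attribute would also benefit from a one-line comment stating what the right-hand side names are, since `"ServiceFileName": "Service File Name"` is not self-explanatory. Both methods start and end outside their hunks.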
@@ -103,7 +103,11 @@ class QRadarBackend(SingleTextQueryBackend): def generateMapItemListNode(self, key, value): itemslist = list() for item in value: - if type(item) == str and "*" in item: + if item is None: + itemslist.append(self.nullExpression % (key)) + elif type(item) == str and "ip" in key and ("/16" in item or "/24" in item): + itemslist.append("INCIDR(%s, %s)" % (self.generateValueNode(item, True), self.cleanKey(key))) + elif type(item) == str and "*" in item: item = item.replace("*", "%") itemslist.append('%s ilike %s' % (self.cleanKey(key), self.generateValueNode(item, True))) else: @@ -197,17 +201,20 @@ class QRadarBackend(SingleTextQueryBackend): aql_database = "flows" else: aql_database = "events" - - qradarPrefix="SELECT " + + qradarPrefix="SELECT UTF8(payload) as search_payload" try: mappedFields = [] for field in sigmaparser.parsedyaml["fields"]: mapped = sigmaparser.config.get_fieldmapping(field).resolve_fieldname(field, sigmaparser) mappedFields.append(mapped) - qradarPrefix += str(mappedFields).strip('[]') + if " " in mapped and not "(" in mapped: + qradarPrefix += ", \"" + mapped + "\"" + else: + qradarPrefix += ", " + mapped + except KeyError: # no 'fields' attribute mapped = None - qradarPrefix+="UTF8(payload) as search_payload" pass qradarPrefix += " from %s where " % (aql_database) diff --git a/tools/sigma/backends/sql.py b/tools/sigma/backends/sql.py index 5b446a6f3..bc55a1ba1 100644 --- a/tools/sigma/backends/sql.py +++ b/tools/sigma/backends/sql.py @@ -1,6 +1,7 @@ # Output backends for sigmac # Copyright 2019 Jayden Zheng # Copyright 2020 Jonas Hagg +# Copyright 2021 wagga (https://github.com/wagga40/) # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU Lesser General Public License as published by 
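Review bot: The new CIDR branch in `generateMapItemListNode` keys on `"ip" in key` and on `"/16"`/`"/24"` appearing in the value, which is both too broad and too narrow: any field whose name merely contains `ip` (e.g. `Description`, `ScriptBlockText`) with a value containing `/16` or `/24` is rewritten to `INCIDR(...)`, while a genuine network such as `10.0.0.0/8` or a `/22` falls through to the `ilike`/equality branch and silently never matches. Test the value's shape rather than the key name, e.g. `elif type(item) == str and re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}/\d{1,2}", item):` (with `re` imported), which also covers the other IPv4 prefix lengths. The method's final `else` branch continues outside the hunk.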
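Review bot: In the `fields` handling of the `@@ -197` hunk the `except KeyError:` branch now only does `mapped = None` and `pass`, both dead after the old prefix assignment was removed; `except KeyError: pass  # rule has no 'fields' attribute` is enough. The `try` body also wraps the mapping loop, so a `KeyError` raised inside `get_fieldmapping(...)` for an unknown field would be mistaken for "no fields attribute"; reading `fields = sigmaparser.parsedyaml.get("fields", [])` first and looping outside the `try` keeps the two cases apart. The enclosing method starts and ends outside the hunk.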
@@ -43,9 +44,16 @@ class SQLBackend(SingleTextQueryBackend): mapListValueExpression = "%s OR %s" # Syntax for field/value condititons where map value is a list mapLength = "(%s %s)" - def __init__(self, sigmaconfig, table): + options = SingleTextQueryBackend.options + ( + ("table", False, "Use this option to specify table name, default is \"eventlog\"", None), + ) + + def __init__(self, sigmaconfig, options): super().__init__(sigmaconfig) - self.table = table + if "table" in options: + self.table = options["table"] + else: + self.table = "eventlog" def generateANDNode(self, node): generated = [ self.generateNode(val) for val in node ] @@ -162,10 +170,10 @@ class SQLBackend(SingleTextQueryBackend): group_by = "" if agg.aggfield: - select = "{}({}) AS agg".format(agg.aggfunc_notrans, self.fieldNameMapping(agg.aggfield, None)) + select = "*,{}({}) AS agg".format(agg.aggfunc_notrans, self.fieldNameMapping(agg.aggfield, None)) else: if agg.aggfunc == SigmaAggregationParser.AGGFUNC_COUNT: - select = "{}(*) AS agg".format(agg.aggfunc_notrans) + select = "*,{}(*) AS agg".format(agg.aggfunc_notrans) else: raise SigmaParseError("For {} aggregation a fieldname needs to be specified".format(agg.aggfunc_notrans)) @@ -193,7 +201,7 @@ class SQLBackend(SingleTextQueryBackend): #False: no subexpression found, where a full text search is needed def _evaluateCondition(condition): - #Helper function to evaulate condtions + #Helper function to evaluate conditions if type(condition) not in [ConditionAND, ConditionOR, ConditionNOT]: raise NotImplementedError("Error in recursive Search logic") diff --git a/tools/sigma/backends/stix.py b/tools/sigma/backends/stix.py index 03191d8bf..c802180c4 100644 --- a/tools/sigma/backends/stix.py +++ b/tools/sigma/backends/stix.py 
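Review bot: `SQLBackend.__init__` now receives `options` and declares its own `options` tuple on top of `SingleTextQueryBackend.options`, but calls `super().__init__(sigmaconfig)` without forwarding them; if the base constructor is what turns declared options into attributes (the LimaCharlie backend in this same commit reads `self.lc_target` without setting it itself, which suggests so), every option inherited from the base is dropped for this backend. Forward them with `super().__init__(sigmaconfig, options)`; the `"eventlog"` default could then live in the option declaration instead of the `if "table" in options` branch.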
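Review bot: Changing the aggregation select to `"*,{}({}) AS agg"` and `"*,{}(*) AS agg"` yields `SELECT *, COUNT(...) AS agg ... GROUP BY ...` once `group_by` is non-empty; SQLite tolerates a bare `*` beside an aggregate, but PostgreSQL, SQL Server and MySQL with `ONLY_FULL_GROUP_BY` reject it, so `count() by field` rules would fail to run on those engines. If the intent is to return the grouped field with the count, select that field explicitly rather than `*`; if the `*` is meant for SQLite only, a comment on both lines saying so stops the next reader from "fixing" it. The method building `group_by` starts outside the hunk.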
@@ -16,7 +16,7 @@ class STIXBackend(SingleTextQueryBackend): mapExpression = "%s = %s" notMapExpression = "%s != %s" mapListsSpecialHandling = True - sigmaSTIXObjectName = "x-sigma" + sort_condition_lists = True def cleanKey(self, key): if key is None: @@ -113,7 +113,8 @@ class STIXBackend(SingleTextQueryBackend): def generateMapItemNode(self, node, currently_within_NOT_node=False): key, value = node if ":" not in key: - key = "%s:%s" % (self.sigmaSTIXObjectName, str(key).lower()) + # key wasn't mapped + return None if self.mapListsSpecialHandling == False and type(value) in (str, int, list) or self.mapListsSpecialHandling == True and type(value) in (str, int): if type(value) == str and "*" in value: value = value.replace("*", "%") diff --git a/tools/sigma/backends/sumologic.py b/tools/sigma/backends/sumologic.py index 04e13039e..138fd3808 100644 --- a/tools/sigma/backends/sumologic.py +++ b/tools/sigma/backends/sumologic.py @@ -176,7 +176,7 @@ class SumoLogicBackend(SingleTextQueryBackend): # return self.valueExpression % (self.cleanValue(str(value))) # Clearing values from special characters. - # Sumologic: only removing '*' (in quotes, is litteral. without, is wildcard) and '"' + # Sumologic: only removing '*' (in quotes, is literal. without, is wildcard) and '"' def cleanNode(self, node, key=None): if "*" in node and key and not re.search("[\s]", node): diff --git a/tools/sigma/backends/sysmon.py b/tools/sigma/backends/sysmon.py index 66832d576..963021815 100644 --- a/tools/sigma/backends/sysmon.py +++ b/tools/sigma/backends/sysmon.py @@ -20,6 +20,7 @@ class SysmonConfigBackend(SingleTextQueryBackend, MultiRuleOutputMixin): conditionDict = { "startswith": "begin with", "endswith": "end with", + "all": "contains all" } def __init__(self, *args, **kwargs): 
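Review bot: `generateMapItemNode` now returns `None` for every key without a `:`, i.e. for every Sigma field the configuration did not map, instead of prefixing it with `x-sigma`. Unless the caller treats a `None` sub-node as "not expressible" and aborts the whole rule, the unmapped condition simply disappears from the pattern, so a selection of three conditions silently becomes a pattern of two and matches more than the Sigma rule intended. Raising, e.g. `raise NotImplementedError("Field '%s' is not mapped to a STIX object path" % key)`, or at least writing a warning to stderr keeps an unconverted field from turning into a weaker detection, and the replacement comment `# key wasn't mapped` should state which of the two behaviours is intended. The method continues past the hunk.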
@@ -78,14 +79,19 @@ class SysmonConfigBackend(SingleTextQueryBackend, MultiRuleOutputMixin): def mapFiledValue(self, field, value): condition = None + any_selector = "contains any" if "|" in field: field, *pipes = field.split("|") if len(pipes) == 1: - condition = pipes[0] + modifier = pipes[0] + if modifier in self.conditionDict: + condition = self.conditionDict[modifier] + if modifier == "all": + any_selector = "contains all" else: raise NotImplementedError("not implemented condition") if isinstance(value, list) and len(value) > 1: - condition = "contains any" + condition = any_selector value = ";".join(value) elif "*" in value: if value.startswith("*") and value.endswith("*"): diff --git a/tools/sigma/backends/tools.py b/tools/sigma/backends/tools.py index d11995a59..972a92edb 100644 --- a/tools/sigma/backends/tools.py +++ b/tools/sigma/backends/tools.py @@ -16,7 +16,7 @@ from .base import BaseBackend -### Backends for developement purposes +### Backends for development purposes class FieldnameListBackend(BaseBackend): """List all fieldnames from given Sigma rules for creation of a field mapping configuration.""" @@ -53,8 +53,6 @@ class FieldnameListBackend(BaseBackend): def generateMapItemNode(self, node): key, value = node - if type(value) not in (str, int, list, type(None)): - raise TypeError("Map values must be strings, numbers or lists, not " + str(type(value))) return [key] def generateValueNode(self, node): diff --git a/tools/sigma/backends/uberagent.py b/tools/sigma/backends/uberagent.py index 569675091..682e91161 100644 --- a/tools/sigma/backends/uberagent.py +++ b/tools/sigma/backends/uberagent.py @@ -34,7 +34,8 @@ def convert_sigma_name_to_uberagent_tag(name): def convert_sigma_category_to_uberagent_event_type(category): categories = { "process_creation": "Process.Start", - "image_load": "Image.Load" + "image_load": "Image.Load", + "dns": "Dns.Query" } if category in categories: 
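Review bot: In `mapFiledValue` a modifier that is not in `conditionDict` (which after the `@@ -20` hunk holds only `startswith`, `endswith` and `all`) now leaves `condition` as `None` and is silently ignored, whereas the old code passed the modifier through as the condition; the common `|contains` modifier therefore no longer reaches the generated config, and a `field|contains: foo` rule without wildcards would be emitted as a narrower match unless the code after the hunk handles that case. Either add `"contains": "contains"` to `conditionDict` or fall through to the existing `raise NotImplementedError("not implemented condition")` when `modifier not in self.conditionDict`, so unsupported modifiers fail loudly instead of weakening the rule. The method continues past the hunk.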
@@ -48,6 +49,14 @@ def is_sigma_category_supported(category): return convert_sigma_category_to_uberagent_event_type(category) is not None +class IgnoreTypedModifierException(Exception): + """ + IgnoreTypedModifierException + Helper class to ignore exceptions of type identifiers that are not yet supported. + """ + pass + + class IgnoreFieldException(Exception): """ IgnoreFieldException @@ -56,6 +65,13 @@ class IgnoreFieldException(Exception): pass +class IgnoreAggregationException(Exception): + """ + IgnoreAggregationException + Helper class to ignore exceptions of aggregation rules that are not yet supported. + """ + + class MalformedRuleException(Exception): """ MalformedRuleException @@ -79,6 +95,46 @@ class ActivityMonitoringRule: self.description = "" self.sigma_level = "" + # Specifies the properties that are being evaluated and send to the backend + # if an Activity Monitoring rule is matched. + self.generic_properties = { + "Process.": [ + "Process.Hash.MD5", + "Process.Hash.SHA1", + "Process.Hash.SHA256", + "Process.Hash.IMP" + ], + "Image.": [ + "Image.Name", + "Image.Path", + "Image.Hash.MD5", + "Image.Hash.SHA1", + "Image.Hash.SHA256", + "Image.Hash.IMP" + ], + "Net.": [ + "Net.Target.Ip", + "Net.Target.Name", + "Net.Target.Port", + "Net.Target.Protocol" + ], + "Reg.": [ + "Reg.Key.Path", + "Reg.Key.Path.New", + "Reg.Key.Path.Old" + "Reg.Key.Name", + "Reg.Parent.Key.Path", + "Reg.Value.Name", + "Reg.File.Name", + "Reg.Key.Sddl", + "Reg.Key.Hive", + ], + "Dns.": [ + "Dns.QueryRequest", + "Dns.QueryResponse" + ] + } + def set_query(self, query): """Sets the generated query.""" self.query = query 
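Review bot: In the `"Reg."` list of `generic_properties`, `"Reg.Key.Path.Old"` is followed by `"Reg.Key.Name"` without a comma, so Python concatenates the adjacent literals into a single bogus entry `"Reg.Key.Path.OldReg.Key.Name"`; the serializer in the `@@ -148` hunk would emit that string as a `GenericProperty` and `Reg.Key.Name` itself is never emitted. Add the comma: `"Reg.Key.Path.Old",`. `IgnoreAggregationException` in the `@@ -56` hunk has a docstring but, unlike its siblings, no `pass`; that is valid, just inconsistent. The `__init__` holding `generic_properties` starts outside the hunk.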
@@ -148,6 +204,18 @@ class ActivityMonitoringRule: result += "RiskScore = {}\n".format(self.risk_score) result += "Query = {}\n".format(self.query) + + counter = 1 + for event_type_prefix in self.generic_properties: + if self.event_type.startswith(event_type_prefix): + for prop in self.generic_properties[event_type_prefix]: + # Generic properties are limited to 10. + if counter > 10: + break + + result += "GenericProperty{} = {}\n".format(counter, prop) + counter += 1 + return result @@ -190,6 +258,7 @@ class uberAgentBackend(SingleTextQueryBackend): active = True config_required = False rule = None + current_category = None # # SingleTextQueryBackend @@ -201,8 +270,8 @@ class uberAgentBackend(SingleTextQueryBackend): listExpression = "[%s]" listSeparator = ", " valueExpression = "\"%s\"" - nullExpression = "is null" - notNullExpression = "is not null" + nullExpression = "%s == ''" + notNullExpression = "%s != ''" mapExpression = "%s == %s" mapListsSpecialHandling = True mapListValueExpression = "%s in %s" @@ -229,7 +298,31 @@ class uberAgentBackend(SingleTextQueryBackend): "command": "Process.CommandLine", "processname": "Process.Name", "user": "Process.User", - "username": "Process.User" + "username": "Process.User", + "company": "Process.Company" + } + + fieldMappingPerCategory = { + "process_creation": { + "sha1": "Process.Hash.SHA1", + "imphash": "Process.Hash.IMP", + "childimage": "Process.Path" + # Not yet supported. + # "signed": "Process.IsSigned" + }, + "image_load": { + "sha1": "Image.Hash.SHA1", + "imphash": "Image.Hash.IMP", + "childimage": "Image.Path" + # Not yet supported. + # "signed": "Image.IsSigned" + }, + "dns": { + "query": "Dns.QueryRequest", + # Not yet supported. + # "record_type": "Dns.QueryResponseType", + "answer": "Dns.QueryResponse" + } } # We ignore some fields that we don't support yet but we don't want them to 
@@ -240,19 +333,25 @@ class uberAgentBackend(SingleTextQueryBackend): "logonid", "integritylevel", "currentdirectory", - "company", "parentintegritylevel", - "sha1", "eventid", "parentuser", - "imphash" + "parent_domain", + "signed", + "parentofparentimage", + "record_type" ] rules = [] def fieldNameMapping(self, fieldname, value): - """Maps field names to uberAgent field names.""" key = fieldname.lower() + + if self.current_category is not None: + if self.current_category in self.fieldMappingPerCategory: + if key in self.fieldMappingPerCategory[self.current_category]: + return self.fieldMappingPerCategory[self.current_category][key] + if key not in self.fieldMapping: if key in self.ignoreFieldList: raise IgnoreFieldException() @@ -261,18 +360,26 @@ class uberAgentBackend(SingleTextQueryBackend): return self.fieldMapping[key] + def generateQuery(self, parsed): + if parsed.parsedAgg: + raise IgnoreAggregationException() + + return self.generateNode(parsed.parsedSearch) + def generate(self, sigmaparser): """Method is called for each sigma rule and receives the parsed rule (SigmaParser)""" product, category, service, title, level, condition, description = get_parser_properties(sigmaparser) - if product not in ["windows"]: - return "" # Do not generate a rule if the given category is unsupported by now. if not is_sigma_category_supported(category): return "" - if category not in ["process_creation", "image_load"]: + + # We support windows rules and generic rules that don't have a specific product specifier - such as DNS. + if product not in ["windows", ""]: return "" + self.current_category = category + try: rule = ActivityMonitoringRule() 
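Review bot: The hunk drops the docstring `"""Maps field names to uberAgent field names."""` from `fieldNameMapping` while adding per-category behaviour to it; restore and extend it, e.g. `"""Map a Sigma field name to an uberAgent property; fieldMappingPerCategory entries take precedence over fieldMapping."""`. The three nested `if`s collapse into one lookup: `mapped = self.fieldMappingPerCategory.get(self.current_category, {}).get(key)` followed by `if mapped is not None: return mapped`. `self.current_category` is set in `generate` (the `@@ -261` hunk) and never cleared; that is fine as long as every conversion goes through `generate`, and a comment on the class attribute saying so would help. Both methods continue outside their hunks.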
@@ -287,6 +394,10 @@ class uberAgentBackend(SingleTextQueryBackend): rule.set_description(description) self.rules.append(rule) print("Generated rule <{}>.. [level: {}]".format(rule.name, level)) + except IgnoreTypedModifierException: + return "" + except IgnoreAggregationException: + return "" except IgnoreFieldException: return "" except MalformedRuleException: @@ -313,16 +424,17 @@ class uberAgentBackend(SingleTextQueryBackend): count_low = self.serialize_file("uberAgent-ESA-am-sigma-proc-creation-low.conf", "low") count_medium = self.serialize_file("uberAgent-ESA-am-sigma-proc-creation-medium.conf", "medium") print("Generated {} activity monitoring rules..".format(len(self.rules))) - print("This includes {} critical rules, {} high rules, {} medium rules and {} low rules..".format(count_critical, count_high, count_medium, count_low)) + print( + "This includes {} critical rules, {} high rules, {} medium rules and {} low rules..".format(count_critical, + count_high, + count_medium, + count_low)) def generateTypedValueNode(self, node): - raise NotImplementedError("Default implementation for identifier {} not available.".format(node.identifier)) + raise IgnoreTypedModifierException() def generateMapItemTypedNode(self, fieldname, value): - try: - return self.typedValueExpression[type(value)] % (fieldname, str(value)) - except KeyError: - raise NotImplementedError("Type modifier '{}' is not supported by backend".format(value.identifier)) + raise IgnoreTypedModifierException() def generateMapItemListNode(self, key, value): return "(" + (" or ".join([self.mapWildcard % (key, self.generateValueNode(item)) for item in value])) + ")" 
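Review bot: The two new `except` branches for `IgnoreTypedModifierException` and `IgnoreAggregationException` return `""` without any output, so a Sigma rule using a typed modifier or an aggregation vanishes from the generated config with no trace, while the success path prints `Generated rule <...>`; whoever relies on the output for coverage cannot tell which rules were dropped. Report the skip the same way, e.g. `print("Skipped rule <{}>: aggregations are not supported".format(title))` in the aggregation branch and the corresponding message in the typed-modifier branch (`title` is available from `get_parser_properties` in `generate`). The surrounding `try` starts outside the hunk.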
@@ -331,6 +443,9 @@ class uberAgentBackend(SingleTextQueryBackend): fieldname, value = node transformed_fieldname = self.fieldNameMapping(fieldname, value) + if value is None: + return self.nullExpression % (transformed_fieldname,) + has_wildcard = re.search(r"((\\(\*|\?|\\))|\*|\?|_|%)", self.generateNode(value)) if "," in self.generateNode(value) and not has_wildcard: diff --git a/tools/sigma/config/collection.py b/tools/sigma/config/collection.py index 898fb2cbe..cced47b2e 100644 --- a/tools/sigma/config/collection.py +++ b/tools/sigma/config/collection.py @@ -23,7 +23,7 @@ from sigma.config.exceptions import SigmaConfigParseError class SigmaConfigurationManager(object): """ - Locate Sigma configuration files in a directory and provide them as well as informations + Locate Sigma configuration files in a directory and provide them as well as information about them. """ re_identifier = re.compile("^[\\w-]+$") diff --git a/tools/sigma/configuration.py b/tools/sigma/configuration.py index 05e111333..826775d8a 100644 --- a/tools/sigma/configuration.py +++ b/tools/sigma/configuration.py @@ -68,6 +68,17 @@ class SigmaConfigurationChain(list): category, product, service = logsource.rewrite return SigmaLogsourceConfiguration(matching, self.defaultindex) + def get_logsourcemerging(self): + value = '' + for config in self: + if value == '': + value = config.get_logsourcemerging().lower() + + if not value in ['and', 'or']: + value = 'and' + + return value + def set_backend(self, backend): """Set backend for all sigma conversion configurations in chain.""" self.backend = backend 
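Review bot: `SigmaConfigurationChain.get_logsourcemerging` keeps iterating after the first non-empty value and spells the membership test as `not value in [...]`; `break` once `value` is set and write `if value not in ('and', 'or'):`. The fallback to `'and'` is silent, so a misspelled `logsourcemerging` value in a configuration quietly behaves as `and`; a comment such as `# anything other than 'and'/'or' falls back to 'and'` (or a warning) makes that explicit. Note that `SigmaConfiguration.get_logsourcemerging` in the `@@ -124` hunk returns the raw config value and `.lower()` is applied only here, so direct callers of the single-configuration method get an unnormalised string.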
@@ -124,6 +135,12 @@ class SigmaConfiguration: matching = [logsource for logsource in self.logsources if logsource.matches(category, product, service)] return SigmaLogsourceConfiguration(matching, self.defaultindex) + def get_logsourcemerging(self): + if self.config != None: + if 'logsourcemerging' in self.config: + return self.config['logsourcemerging'] + return '' + def set_backend(self, backend): """Set backend. This is used by other code to determine target properties for index addressing""" self.backend = backend diff --git a/tools/sigma/filter.py b/tools/sigma/filter.py index 5ec72b621..f3bc6feb2 100644 --- a/tools/sigma/filter.py +++ b/tools/sigma/filter.py @@ -15,6 +15,7 @@ # along with this program. If not, see . # Rule Filtering +import datetime class SigmaRuleFilter: """Filter for Sigma rules with conditions""" LEVELS = { @@ -26,11 +27,16 @@ class SigmaRuleFilter: STATES = ["experimental", "testing", "stable"] def __init__(self, expr): - self.minlevel = None - self.maxlevel = None - self.status = None - self.logsources = list() - self.tags = list() + self.minlevel = None + self.maxlevel = None + self.status = None + self.logsources = list() + self.notlogsources = list() + self.tags = list() + self.nottags = list() + self.inlastday = None + self.condition = list() + self.notcondition = list() for cond in [c.replace(" ", "") for c in expr.split(",")]: if cond.startswith("level<="): 
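Review bot: `if self.config != None` compares against the `None` singleton with equality; use `is not None`, and the two nested ifs collapse to `return self.config.get('logsourcemerging', '') if self.config is not None else ''`. Because the caller in the chain applies `.lower()` to the result, returning `str(self.config['logsourcemerging'])` here would keep a non-string YAML value (e.g. a boolean) from raising an AttributeError one level up. A short docstring noting that the raw config value is returned unvalidated and that normalisation happens in `SigmaConfigurationChain` would make the split of responsibilities clear.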
@@ -58,8 +64,22 @@ class SigmaRuleFilter: raise SigmaRuleFilterParseException("Unknown status '%s' in condition '%s'" % (self.status, cond)) elif cond.startswith("logsource="): self.logsources.append(cond[cond.index("=") + 1:]) + elif cond.startswith("logsource!="): + self.notlogsources.append(cond[cond.index("=") + 1:]) elif cond.startswith("tag="): self.tags.append(cond[cond.index("=") + 1:].lower()) + elif cond.startswith("tag!="): + self.nottags.append(cond[cond.index("=") + 1:].lower()) + elif cond.startswith("condition="): + self.condition.append(cond[cond.index("=") + 1:].lower()) + elif cond.startswith("condition!="): + self.notcondition.append(cond[cond.index("=") + 1:].lower()) + elif cond.startswith("inlastday="): + nbday = cond[cond.index("=") + 1:] + try: + self.inlastday = int(nbday) + except ValueError as e: + raise SigmaRuleFilterParseException("Unknown number '%s' in condition '%s'" % (nbday, cond)) from e else: raise SigmaRuleFilterParseException("Unknown condition '%s'" % cond) @@ -101,6 +121,17 @@ class SigmaRuleFilter: if logsrc not in logsources: return False + # NOT Log Sources + if self.notlogsources: + try: + notlogsources = { value for key, value in yamldoc['logsource'].items() } + except (KeyError, AttributeError): # no log source set + return False # User wants status restriction, but it's not possible here + + for logsrc in self.notlogsources: + if logsrc in notlogsources: + return False + # Tags if self.tags: try: 
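Review bot: `condition=` values cannot contain spaces, because the loop header visible in the previous hunk builds `cond` with `c.replace(" ", "")`, so a filter such as `condition=1 of them` becomes `1ofthem` and will never be found in a rule's condition string; either strip only surrounding whitespace for this option or document that only space-free fragments (e.g. `condition=near`) are supported. The values are also lowercased here while the rule condition is compared verbatim later in this file, so `condition=selection` would not match a rule whose condition reads `Selection and not Filter`; lowercase both sides or neither. The `__init__` method begins before this hunk.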
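Review bot: For a negative filter a rule without a `logsource` block should pass, but the new `except (KeyError, AttributeError): return False` excludes it, which is the opposite of what `logsource!=` asks for, and the copied comment still speaks of a status restriction. Replace the early return with an empty set so the loop below simply finds nothing: `except (KeyError, AttributeError): notlogsources = set()`. Note that the match is on bare values across all keys, so `logsource!=windows` also drops a rule whose category or service happens to equal that string; a comment should say so.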
@@ -111,6 +142,62 @@ class SigmaRuleFilter: for tag in self.tags: if tag not in tags: return False + # NOT Tags + if self.nottags: + try: + nottags = [ tag.lower() for tag in yamldoc['tags']] + except (KeyError, AttributeError): # no tags set + return False + + for tag in self.nottags: + if tag in nottags: + return False + + # date in the last N days + if self.inlastday: + try: + date_str = yamldoc['date'] + except KeyError: # missing date + return False # User wants date time restriction, but it's not possible here + + try: + modified_str = yamldoc['modified'] + except KeyError: # no update + modified_str = None + if modified_str: + date_str = modified_str + + date_object = datetime.datetime.strptime(date_str, '%Y/%m/%d') + today_objet = datetime.datetime.now() + delta = today_objet - date_object + if delta.days > self.inlastday: + return False + + if self.condition: + try: + conditions = yamldoc['detection']['condition'] + if isinstance(conditions,list): # sone time conditions are list even with only 1 line + s_condition = ' '.join(conditions) + else: + s_condition = conditions + except KeyError: # missing condition + return False # User wants condition restriction, but it's not possible here + for val in self.condition: + if not val in s_condition: + return False + + if self.notcondition: + try: + conditions = yamldoc['detection']['condition'] + if isinstance(conditions,list): # sone time conditions are list even with only 1 line + s_condition = ' '.join(conditions) + else: + s_condition = conditions + except KeyError: # missing condition + return False # User wants condition restriction, but it's not possible here + for val in self.notcondition: + if val in s_condition: + return False # all tests passed return True diff --git a/tools/sigma/parser/collection.py b/tools/sigma/parser/collection.py index 7de47cce7..b7cc9ccf1 100644 --- a/tools/sigma/parser/collection.py +++ b/tools/sigma/parser/collection.py 
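Review bot: `datetime.datetime.strptime(date_str, '%Y/%m/%d')` is unguarded, so with `inlastday=` any rule whose `date`/`modified` is not in exactly that format, or was loaded by YAML as a non-string value, aborts the whole run with an uncaught ValueError or TypeError instead of being skipped; wrap it in `try: ... except (ValueError, TypeError): return False`. The `nottags` branch has the same inversion as the log source one: a rule with no `tags` should pass a `tag!=` filter, so use `nottags = []` there instead of `return False`. The two condition blocks differ only in the final test and could share one helper returning the joined condition string, and a comment that `inlastday` is measured against the naive local clock from `datetime.datetime.now()` would document the tolerance users should expect.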
@@ -28,7 +28,7 @@ class SigmaCollectionParser: * reset: resets global attributes from previous set_global statements * repeat: takes attributes from this YAML document, merges into previous rule YAML and regenerates the rule """ - def __init__(self, content, config=None, rulefilter=None): + def __init__(self, content, config=None, rulefilter=None, filename=None): if config is None: from sigma.configuration import SigmaConfiguration config = SigmaConfiguration() @@ -36,6 +36,13 @@ class SigmaCollectionParser: globalyaml = dict() self.parsers = list() prevrule = None + if filename: + try: + globalyaml['yml_filename']=str(filename.name) + globalyaml['yml_path']=str(filename.parent) + except: + filename = None + for yamldoc in self.yamls: action = None try: @@ -48,6 +55,9 @@ class SigmaCollectionParser: deep_update_dict(globalyaml, yamldoc) elif action == "reset": globalyaml = dict() + if filename: + globalyaml['yml_filename']=str(filename.name) + globalyaml['yml_path']=str(filename.parent) elif action == "repeat": if prevrule is None: raise SigmaCollectionParseError("action 'repeat' is only applicable after first valid Sigma rule") diff --git a/tools/sigma/parser/condition.py b/tools/sigma/parser/condition.py index 516465bd9..a4c908cc8 100644 --- a/tools/sigma/parser/condition.py +++ b/tools/sigma/parser/condition.py @@ -403,7 +403,8 @@ class SigmaConditionOptimizer: if len(promoted) > 0: for child in node.items: for cand in promoted: - child.items.remove(cand) + if cand in child.items: + child.items.remove(cand) newnode = othertype() newnode.items = promoted newnode.add(node) diff --git a/tools/sigma/parser/rule.py b/tools/sigma/parser/rule.py index 85b5e5737..763beaf56 100644 --- a/tools/sigma/parser/rule.py +++ b/tools/sigma/parser/rule.py 
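Review bot: The bare `except:` around `filename.name`/`filename.parent` swallows everything, including KeyboardInterrupt and SystemExit, to tolerate what appears to be a non-Path argument (sigmac.py in this patch passes `sigmafile`, which one branch of the caller also uses as an already-open stream); narrow it to `except AttributeError:` so genuine failures still surface. The same two assignments are repeated in the `reset` branch of the next hunk, so a small `_set_filename_globals(globalyaml, filename)` helper would keep them in sync. A comment should also state that `yml_filename`/`yml_path` become keys in the rule's global namespace and are presumably overridable by a rule or `set_global` document that defines the same keys — verify against the merge logic below.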
@@ -90,7 +90,7 @@ class SigmaParser: if isinstance(value, (ConditionAND, ConditionOR)): # value is condition node (by transformation modifier) value.items = [ mapping.resolve(key, item, self) for item in value.items ] cond.add(value) - else: # plain value or something unexpected (catched by backends) + else: # plain value or something unexpected (caught by backends) mapped = mapping.resolve(key, value, self) cond.add(mapped) @@ -134,26 +134,27 @@ class SigmaParser: return self.config.get_logsource(category, product, service) + def build_conditions(self, condition_func, items): + cond = condition_func() + for item in items: + if type(item) is list: + cond.add(self.build_conditions(ConditionAND, item)) + else: + mapping = self.config.get_fieldmapping(item[0]) + cond.add(mapping.resolve(item[0], item[1], self)) + + return cond + def get_logsource_condition(self): logsource = self.get_logsource() if logsource is None: return None else: - if logsource.merged: # Merged log source, flatten nested list of condition items - kvconds = [ item for sublscond in logsource.conditions for item in sublscond ] - else: # Simple log sources already contain flat list of conditions items - kvconds = logsource.conditions - - # Apply field mappings - mapped_kvconds = list() - for field, value in kvconds: - mapping = self.config.get_fieldmapping(field) - mapped_kvconds.append(mapping.resolve(field, value, self)) - - # AND-link condition items cond = ConditionAND() - for kvcond in mapped_kvconds: - cond.add(kvcond) + if self.config.get_logsourcemerging() == 'or': + cond.add(self.build_conditions(ConditionOR, logsource.conditions)) + else: + cond.add(self.build_conditions(ConditionAND, logsource.conditions)) # Add index condition if supported by backend and defined in log source index_field = self.config.get_indexfield() diff --git a/tools/sigma/sigma-similarity.py b/tools/sigma/sigma-similarity.py index de5022c3e..393e2398e 100755 --- a/tools/sigma/sigma-similarity.py 
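Review bot: `build_conditions` needs a docstring because its behaviour is asymmetric: `condition_func` is applied only at the top level while every nested list is always wrapped in `ConditionAND`, so with `logsourcemerging: or` the result means "any one merged log source, with all of that source's key/value pairs", which widens the query's scope compared with the previous always-AND flattening and deserves an explicit note for anyone tuning detections. Suggested docstring: "Build a condition tree from a log source's `conditions`: `items` holds (field, value) pairs or nested lists of such pairs; nested lists are AND-linked, the top level is linked with `condition_func` (ConditionAND or ConditionOR), and field mappings from the configuration are applied to each pair." Also prefer `isinstance(item, list)` over `type(item) is list`. `get_logsource_condition` continues past the end of the hunk.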
+++ b/tools/sigma/sigma-similarity.py @@ -18,7 +18,7 @@ argparser.add_argument("--recursive", "-r", action="store_true", help="Recurse i argparser.add_argument("--verbose", "-v", action="count", help="Be verbose. Use once more for debug output.") argparser.add_argument("--top", "-t", type=int, help="Only output the n most similar rule pairs.") argparser.add_argument("--min-similarity", "-m", type=int, help="Only output pairs with a similarity above this threshold (percent)") -argparser.add_argument("--primary", "-p", help="File with list of paths to primary rules. If given, only rule combinations with at leat one primary rule are compared. Primary rules must also be contained in input rule set.") +argparser.add_argument("--primary", "-p", help="File with list of paths to primary rules. If given, only rule combinations with at least one primary rule are compared. Primary rules must also be contained in input rule set.") argparser.add_argument("inputs", nargs="+", help="Sigma input files") args = argparser.parse_args() diff --git a/tools/sigma/sigma2misp.py b/tools/sigma/sigma2misp.py index 5d42ba468..ea372b57b 100755 --- a/tools/sigma/sigma2misp.py +++ b/tools/sigma/sigma2misp.py 
@@ -31,7 +31,7 @@ def main(): argparser = MISPImportArgumentParser() argparser.add_argument("--url", "-u", default="https://localhost", help="URL of MISP instance") argparser.add_argument("--key", "-k", required=True, help="API key") - argparser.add_argument("--insecure", "-I", action="store_false", help="Disable TLS certifcate validation.") + argparser.add_argument("--insecure", "-I", action="store_false", help="Disable TLS certificate validation.") argparser.add_argument("--event", "-e", type=int, help="Add Sigma rule to event with this ID. If not set, create new event.") argparser.add_argument("--same-event", "-s", action="store_true", help="Import all Sigma rules to the same event, if no event is set.") argparser.add_argument("--info", "-i", default="Sigma import", help="Event Information field for newly created MISP event.") diff --git a/tools/sigma/sigma_similarity.py b/tools/sigma/sigma_similarity.py index 38a74d8a5..5167bcb5a 100755 --- a/tools/sigma/sigma_similarity.py +++ b/tools/sigma/sigma_similarity.py 
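Review bot: `--insecure` is declared with `action="store_false"`, so `args.insecure` is True by default and becomes False when the flag is given, the inverse of what the name suggests; whether TLS verification is actually disabled only when requested depends on how that value is wired to the MISP client further down, which is outside this hunk, so that call site should be checked. Either give the option an explicit destination such as `dest="verify_tls"` or switch to `action="store_true"` and negate at the call site, and extend the help text with a warning that disabling certificate validation lets a network attacker read the API key passed via `--key`.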
@@ -18,7 +18,7 @@ argparser.add_argument("--recursive", "-r", action="store_true", help="Recurse i argparser.add_argument("--verbose", "-v", action="count", help="Be verbose. Use once more for debug output.") argparser.add_argument("--top", "-t", type=int, help="Only output the n most similar rule pairs.") argparser.add_argument("--min-similarity", "-m", type=int, help="Only output pairs with a similarity above this threshold (percent)") -argparser.add_argument("--primary", "-p", help="File with list of paths to primary rules. If given, only rule combinations with at leat one primary rule are compared. Primary rules must also be contained in input rule set.") +argparser.add_argument("--primary", "-p", help="File with list of paths to primary rules. If given, only rule combinations with at least one primary rule are compared. Primary rules must also be contained in input rule set.") argparser.add_argument("inputs", nargs="+", help="Sigma input files") args = argparser.parse_args() diff --git a/tools/sigma/sigmac.py b/tools/sigma/sigmac.py index defd1f2a4..5d50a3733 100755 --- a/tools/sigma/sigmac.py +++ b/tools/sigma/sigmac.py 
@@ -101,7 +101,7 @@ def set_argparser(): """) argparser.add_argument("--target", "-t", choices=backends.getBackendDict().keys(), help="Output target format") argparser.add_argument("--lists", "-l", action="store_true", help="List available output target formats and configurations") - argparser.add_argument("--config", "-c", action="append", help="Configurations with field name and index mapping for target environment. Multiple configurations are merged into one. Last config is authorative in case of conflicts.") + argparser.add_argument("--config", "-c", action="append", help="Configurations with field name and index mapping for target environment. Multiple configurations are merged into one. Last config is authoritative in case of conflicts.") argparser.add_argument("--output", "-o", default=None, help="Output file or filename prefix if multiple files are generated") argparser.add_argument("--print0", action="store_true", help="Delimit results by NUL-character") argparser.add_argument("--backend-option", "-O", action="append", help="Options and switches that are passed to the backend") @@ -233,7 +233,7 @@ def main(): f = sigmafile else: f = sigmafile.open(encoding='utf-8') - parser = SigmaCollectionParser(f, sigmaconfigs, rulefilter) + parser = SigmaCollectionParser(f, sigmaconfigs, rulefilter, sigmafile) results = parser.generate(backend) newline_separator = '\0' if cmdargs.print0 else '\n' 
@@ -243,23 +243,23 @@ def main(): print("Failed to open Sigma file %s: %s" % (sigmafile, str(e)), file=sys.stderr) error = ERR_OPEN_SIGMA_RULE except (yaml.parser.ParserError, yaml.scanner.ScannerError) as e: - print("Sigma file %s is no valid YAML: %s" % (sigmafile, str(e)), file=sys.stderr) + print("Error: Sigma file %s is no valid YAML: %s" % (sigmafile, str(e)), file=sys.stderr) error = ERR_INVALID_YAML if not cmdargs.defer_abort: sys.exit(error) except (SigmaParseError, SigmaCollectionParseError) as e: - print("Sigma parse error in %s: %s" % (sigmafile, str(e)), file=sys.stderr) + print("Error: Sigma parse error in %s: %s" % (sigmafile, str(e)), file=sys.stderr) error = ERR_SIGMA_PARSING if not cmdargs.defer_abort: sys.exit(error) except NotSupportedError as e: - print("The Sigma rule requires a feature that is not supported by the target system: " + str(e), file=sys.stderr) + print("Error: The Sigma rule requires a feature that is not supported by the target system: " + str(e), file=sys.stderr) if not cmdargs.ignore_backend_errors: error = ERR_NOT_SUPPORTED if not cmdargs.defer_abort: sys.exit(error) except BackendError as e: - print("Backend error in %s: %s" % (sigmafile, str(e)), file=sys.stderr) + print("Error: Backend error in %s: %s" % (sigmafile, str(e)), file=sys.stderr) if not cmdargs.ignore_backend_errors: error = ERR_BACKEND if not cmdargs.defer_abort: @@ -272,13 +272,13 @@ def main(): if not cmdargs.defer_abort: sys.exit(error) except PartialMatchError as e: - print("Partial field match error: %s" % str(e), file=sys.stderr) + print("Error: Partial field match error: %s" % str(e), file=sys.stderr) if not cmdargs.ignore_backend_errors: error = ERR_PARTIAL_FIELD_MATCH if not cmdargs.defer_abort: sys.exit(error) except FullMatchError as e: - print("Full field match error", file=sys.stderr) + print("Error: Full field match error", file=sys.stderr) if not cmdargs.ignore_backend_errors: error = ERR_FULL_FIELD_MATCH if not cmdargs.defer_abort: 
diff --git a/tools/tests/test_backend_devo.py b/tools/tests/test_backend_devo.py
new file mode 100644
index 000000000..9dd412b76
--- /dev/null
+++ b/tools/tests/test_backend_devo.py
@@ -0,0 +1,237 @@ +# Test output backends for sigmac +# Copyright 2021 Devo, Inc. +# Author: Eduardo Ocete + +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Lesser General Public License for more details. + +# You should have received a copy of the GNU Lesser General Public License +# along with this program. If not, see . + +import unittest +from unittest.mock import patch + +from sigma.backends.devo import DevoBackend + +from sigma.parser.collection import SigmaCollectionParser +from sigma.configuration import SigmaConfiguration + +class TestDevoBackend(unittest.TestCase): + + def setUp(self): + self.basic_rule = {"title": "Devo Backend Test", "level": "testing"} + self.table = "sourcetable" + + def testPlain(self): + # Int value + detection = {"selection1": {"fieldname1": 1}, + "condition": "selection1"} + expected_result = 'from {} where fieldname1 = 1 select *'.format(self.table) + self.validate(detection, expected_result) + + # String value + detection = {"selection1": {"fieldname1": "value1"}, + "condition": "selection1"} + expected_result = 'from {} where fieldname1 = "value1" select *'.format(self.table) + self.validate(detection, expected_result) + + # Int array value + detection = {"selection1": {"fieldname1": [1, 2, 3]}, + "condition": "selection1"} + expected_result = 'from {} where has(fieldname1, 1, 2, 3) select *'.format(self.table) + self.validate(detection, expected_result) + + # String array value + detection = {"selection1": {"fieldname1": ["value1", "value2", "value3"]}, + "condition": "selection1"} + expected_result = 'from {} where 
has(fieldname1, "value1", "value2", "value3") select *'.format(self.table) + self.validate(detection, expected_result) + + # Simple and + detection = {"selection1": {"fieldname1": ["value1", "value2", "value3"], + "fieldname2": "value5"}, + "condition": "selection1"} + expected_result = 'from {} where (has(fieldname1, "value1", "value2", "value3") and fieldname2 = "value5") select *'.format(self.table) + self.validate(detection, expected_result) + + # Selection and + detection = {"selection1": {"fieldname1": [1, 2, 3]}, + "selection2": {"fieldname2": "value5"}, + "condition": "selection1 and selection2"} + expected_result = 'from {} where (has(fieldname1, 1, 2, 3) and fieldname2 = "value5") select *'.format(self.table) + self.validate(detection, expected_result) + + # Selection or + detection = {"selection1": {"fieldname1": [1, 2, 3]}, + "selection2": {"fieldname2": "value5"}, + "condition": "selection1 or selection2"} + expected_result = 'from {} where (has(fieldname1, 1, 2, 3) or fieldname2 = "value5") select *'.format(self.table) + self.validate(detection, expected_result) + + # Selection one of them + detection = {"selection1": {"fieldname1": [1, 2, 3]}, + "selection2": {"fieldname2": "value5"}, + "condition": "1 of them"} + expected_result = 'from {} where (has(fieldname1, 1, 2, 3) or fieldname2 = "value5") select *'.format(self.table) + self.validate(detection, expected_result) + + # Selection all of them + detection = {"selection1": {"fieldname1": [1, 2, 3]}, + "selection2": {"fieldname2": "value5"}, + "condition": "all of them"} + expected_result = 'from {} where (has(fieldname1, 1, 2, 3) and fieldname2 = "value5") select *'.format(self.table) + self.validate(detection, expected_result) + + # Negation + detection = {"selection1": {"fieldname1": [1, 2, 3]}, + "selection2": {"fieldname2": "value5"}, + "condition": "selection1 and not selection2"} + expected_result = 'from {} where (has(fieldname1, 1, 2, 3) and not (fieldname2 = "value5")) select 
*'.format(self.table) + self.validate(detection, expected_result) + + + def testModifiers(self): + # Contains + detection = {"selection1": {"fieldname1|contains": "value1"}, + "condition": "selection1"} + expected_result = 'from {} where toktains(fieldname1, "value1", true, true) select *'.format(self.table) + self.validate(detection, expected_result) + + # StartsWith + detection = {"selection1": {"fieldname1|startswith": "value1"}, + "condition": "selection1"} + expected_result = 'from {} where matches(fieldname1, nameglob("value1*")) select *'.format(self.table) + self.validate(detection, expected_result) + + # EndsWith + detection = {"selection1": {"fieldname1|endswith": "value1"}, + "condition": "selection1"} + expected_result = 'from {} where matches(fieldname1, nameglob("*value1")) select *'.format(self.table) + self.validate(detection, expected_result) + + # All + detection = {"selection1": {"fieldname1|all": ["value1", "value2"]}, + "condition": "selection1"} + expected_result = 'from {} where (fieldname1 = "value1" and fieldname1 = "value2") select *'.format(self.table) + self.validate(detection, expected_result) + + def testAggregations(self): + # Count + detection = {"selection1": {"fieldname1": "value1"}, + "condition": "selection1 | count() > 1"} + expected_result = 'from {} where fieldname1 = "value1" select count(*) as agg where agg > 1 select *'.format(self.table) + self.validate(detection, expected_result) + + # Min + detection = {"selection1": {"fieldname1": "value1"}, + "condition": "selection1 | min(fieldname2) by fieldname3 > 5"} + expected_result = 'from {} where fieldname1 = "value1" group by fieldname3 select min(fieldname2) as agg where agg > 5 select *'.format(self.table) + self.validate(detection, expected_result) + + # Max + detection = {"selection1": {"fieldname1": "value1"}, + "condition": "selection1 | max(fieldname2) by fieldname3 > 5"} + expected_result = 'from {} where fieldname1 = "value1" group by fieldname3 select 
max(fieldname2) as agg where agg > 5 select *'.format(self.table) + self.validate(detection, expected_result) + + # Avg + detection = {"selection1": {"fieldname1": "value1"}, + "condition": "selection1 | avg(fieldname2) by fieldname3 > 5"} + expected_result = 'from {} where fieldname1 = "value1" group by fieldname3 select avg(fieldname2) as agg where agg > 5 select *'.format(self.table) + self.validate(detection, expected_result) + + # sum + detection = {"selection1": {"fieldname1": "value1"}, + "condition": "selection1 | sum(fieldname2) by fieldname3 > 5"} + expected_result = 'from {} where fieldname1 = "value1" group by fieldname3 select sum(fieldname2) as agg where agg > 5 select *'.format(self.table) + self.validate(detection, expected_result) + + # < + detection = {"selection1": {"fieldname1": "value1"}, + "condition": "selection1 | sum(fieldname2) by fieldname3 < 5"} + expected_result = 'from {} where fieldname1 = "value1" group by fieldname3 select sum(fieldname2) as agg where agg < 5 select *'.format(self.table) + self.validate(detection, expected_result) + + # == + detection = {"selection1": {"fieldname1": "value1"}, + "condition": "selection1 | sum(fieldname2) by fieldname3 == 5"} + expected_result = 'from {} where fieldname1 = "value1" group by fieldname3 select sum(fieldname2) as agg where agg == 5 select *'.format(self.table) + self.validate(detection, expected_result) + + # Multiple conditions + detection = {"selection1": {"fieldname1": "value1"}, + "selection2": {"fieldname2": "*", "fieldname3": "*"}, + "condition": "selection1 or selection2 | count(fieldname4) by fieldname5 > 3"} + expected_result = 'from {} where (fieldname1 = "value1" or (matches(fieldname2, nameglob("*")) and matches(fieldname3, nameglob("*")))) group by fieldname5 select count(fieldname4) as agg where agg > 3 select *'.format(self.table) + self.validate(detection, expected_result) + + def testFullTextSearch(self): + # Single str FTS + detection = {"selection1": ["value1"], + 
"condition": "selection1"} + expected_result = 'from {} where weaktoktains(raw, "value1", true, true) select *'.format(self.table) + self.validate(detection, expected_result) + + # OR node FTS + detection = {"selection1": {"fieldname1": "value1"}, + "selection2|contains": ["value2", "value3"], + "condition": "1 of them"} + expected_result = 'from {} where (fieldname1 = "value1" or weaktoktains(raw, "value2", true, true) or weaktoktains(raw, "value3", true, true)) select *'.format(self.table) + self.validate(detection, expected_result) + + def testRegex(self): + # Arrange + detection = {"selection1": {"fieldname1|re": "([0-9]|[1-9][0-9]|[1-4][0-9]{2})"}, + "condition": "selection1"} + expected_result = 'from ' + self.table + ' where matches(fieldname1, re(\"([0-9]|[1-9][0-9]|[1-4][0-9]{2})\")) select *' + + # Act & Assert + self.validate(detection, expected_result) + + def testDerivedFields(self): + # Arrange + detection = {"selection1": {"select func(fieldname1) as fieldname1": "value1"}, + "condition": "selection1"} + expected_result = 'from ' + self.table + \ + ' select func(fieldname1) as fieldname1 where fieldname1 = "value1" select *' + # Act & Assert + self.validate(detection, expected_result) + + def testNearNotSupported(self): + # Arrange + detection = {"selection1": {"fieldname1": "value1"}, + "selection2": {"fieldname2": "value2"}, + "condition": "selection1 | near selection1 and selection2"} + expected_result = NotImplementedError() + + # Act & Assert + self.validate(detection, expected_result) + + + def validate(self, detection, expectation): + config = SigmaConfiguration() + + self.basic_rule["detection"] = detection + + with patch("yaml.safe_load_all", return_value=[self.basic_rule]): + parser = SigmaCollectionParser("any sigma io", config, None) + backend = DevoBackend(config, self.table) + + assert len(parser.parsers) == 1 + + for p in parser.parsers: + if isinstance(expectation, str): + self.assertEqual(expectation, backend.generate(p)) + elif 
isinstance(expectation, Exception): + self.assertRaises(type(expectation), backend.generate, p) + + +if __name__ == '__main__': + unittest.main() diff --git a/tools/tests/test_backend_sql.py b/tools/tests/test_backend_sql.py index b4bd82026..b30da675d 100644 --- a/tools/tests/test_backend_sql.py +++ b/tools/tests/test_backend_sql.py @@ -125,7 +125,7 @@ class TestGenerateQuery(unittest.TestCase): # count detection = {"selection": {"fieldname": "test"}, "condition": "selection | count() > 5"} - inner_query = 'SELECT count(*) AS agg FROM {} WHERE fieldname = "test"'.format( + inner_query = 'SELECT *,count(*) AS agg FROM {} WHERE fieldname = "test"'.format( self.table) expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query) self.validate(detection, expected_result) @@ -133,7 +133,7 @@ class TestGenerateQuery(unittest.TestCase): # min detection = {"selection": {"fieldname1": "test"}, "condition": "selection | min(fieldname2) > 5"} - inner_query = 'SELECT min(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format( + inner_query = 'SELECT *,min(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format( self.table) expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query) self.validate(detection, expected_result) @@ -141,7 +141,7 @@ class TestGenerateQuery(unittest.TestCase): # max detection = {"selection": {"fieldname1": "test"}, "condition": "selection | max(fieldname2) > 5"} - inner_query = 'SELECT max(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format( + inner_query = 'SELECT *,max(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format( self.table) expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query) self.validate(detection, expected_result) 
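Review bot: No test covers values that contain the query's own delimiters, e.g. a rule value with a double quote or backslash such as `{"fieldname1": 'va"lue'}`, even though every expectation here embeds rule strings verbatim inside `"..."`; since rule content is effectively untrusted input to the generated Devo query, add a case pinning whatever escaping `DevoBackend` performs, or one documenting that it performs none. `validate` also passes silently when `expectation` is neither a str nor an Exception, so append `else: self.fail("unsupported expectation type")`. `setUp` uses `"level": "testing"`, which is a status value rather than a level; harmless for these tests but misleading.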
@@ -149,7 +149,7 @@ class TestGenerateQuery(unittest.TestCase): # avg detection = {"selection": {"fieldname1": "test"}, "condition": "selection | avg(fieldname2) > 5"} - inner_query = 'SELECT avg(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format( + inner_query = 'SELECT *,avg(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format( self.table) expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query) self.validate(detection, expected_result) @@ -157,7 +157,7 @@ class TestGenerateQuery(unittest.TestCase): # sum detection = {"selection": {"fieldname1": "test"}, "condition": "selection | sum(fieldname2) > 5"} - inner_query = 'SELECT sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format( + inner_query = 'SELECT *,sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format( self.table) expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query) self.validate(detection, expected_result) @@ -165,7 +165,7 @@ class TestGenerateQuery(unittest.TestCase): # < detection = {"selection": {"fieldname1": "test"}, "condition": "selection | sum(fieldname2) < 5"} - inner_query = 'SELECT sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format( + inner_query = 'SELECT *,sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format( self.table) expected_result = 'SELECT * FROM ({}) WHERE agg < 5'.format(inner_query) self.validate(detection, expected_result) @@ -173,7 +173,7 @@ class TestGenerateQuery(unittest.TestCase): # == detection = {"selection": {"fieldname1": "test"}, "condition": "selection | sum(fieldname2) == 5"} - inner_query = 'SELECT sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format( + inner_query = 'SELECT *,sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format( self.table) expected_result = 'SELECT * FROM ({}) WHERE agg == 5'.format(inner_query) self.validate(detection, expected_result) 
@@ -181,7 +181,7 @@ class TestGenerateQuery(unittest.TestCase): # group by detection = {"selection": {"fieldname1": "test"}, "condition": "selection | sum(fieldname2) by fieldname3 == 5"} - inner_query = 'SELECT sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test" GROUP BY fieldname3'.format( + inner_query = 'SELECT *,sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test" GROUP BY fieldname3'.format( self.table) expected_result = 'SELECT * FROM ({}) WHERE agg == 5'.format(inner_query) self.validate(detection, expected_result) @@ -189,7 +189,7 @@ class TestGenerateQuery(unittest.TestCase): # multiple conditions detection = {"selection": {"fieldname1": "test"}, "filter": { "fieldname2": "tessst"}, "condition": "selection OR filter | sum(fieldname2) == 5"} - inner_query = 'SELECT sum(fieldname2) AS agg FROM {} WHERE (fieldname1 = "test" OR fieldname2 = "tessst")'.format( + inner_query = 'SELECT *,sum(fieldname2) AS agg FROM {} WHERE (fieldname1 = "test" OR fieldname2 = "tessst")'.format( self.table) expected_result = 'SELECT * FROM ({}) WHERE agg == 5'.format(inner_query) self.validate(detection, expected_result) diff --git a/tools/tests/test_backend_sqlite.py b/tools/tests/test_backend_sqlite.py index 66fc68123..294a59de2 100644 --- a/tools/tests/test_backend_sqlite.py +++ b/tools/tests/test_backend_sqlite.py 
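Review bot: The new expectation `SELECT *,sum(fieldname2) AS agg FROM ... GROUP BY fieldname3` selects non-grouped columns alongside an aggregate, which standard SQL and engines such as PostgreSQL reject (only SQLite and permissive MySQL modes accept bare columns), and the test now pins the generic SQL backend to that form. The backend change this mirrors is outside this chunk, so if the intent is to keep row context for aggregation rules, the grouped variant should select the group-by field instead of `*`, e.g. `SELECT fieldname3,sum(fieldname2) AS agg FROM ... GROUP BY fieldname3`, with the ungrouped hunks above left as they were. The enclosing test method starts before this hunk.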
@@ -71,14 +71,14 @@ class TestFullTextSearch(unittest.TestCase): # aggregation with fts detection = {"selection": ["test"], "condition": "selection | count() > 5"} - inner_query = 'SELECT count(*) AS agg FROM {0} WHERE {0} MATCH (\'"test"\')'.format( + inner_query = 'SELECT *,count(*) AS agg FROM {0} WHERE {0} MATCH (\'"test"\')'.format( self.table) expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query) self.validate(detection, expected_result) detection = {"selection": ["test1", "test2"], "condition": "selection | count() > 5"} - inner_query = 'SELECT count(*) AS agg FROM {0} WHERE ({0} MATCH (\'"test1" OR "test2"\'))'.format( + inner_query = 'SELECT *,count(*) AS agg FROM {0} WHERE ({0} MATCH (\'"test1" OR "test2"\'))'.format( self.table) expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query) self.validate(detection, expected_result) @@ -86,7 +86,7 @@ class TestFullTextSearch(unittest.TestCase): # aggregation + group by + fts detection = {"selection": ["test1", "test2"], "condition": "selection | count() by fieldname > 5"} - inner_query = 'SELECT count(*) AS agg FROM {0} WHERE ({0} MATCH (\'"test1" OR "test2"\')) GROUP BY fieldname'.format( + inner_query = 'SELECT *,count(*) AS agg FROM {0} WHERE ({0} MATCH (\'"test1" OR "test2"\')) GROUP BY fieldname'.format( self.table) expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query) self.validate(detection, expected_result) @@ -106,7 +106,7 @@ class TestFullTextSearch(unittest.TestCase): self.validate(detection, expected_result) - # fts is not implemented for nested condtions + # fts is not implemented for nested conditions detection = {"selection": ["test"], "filter": [ "test2"], "condition": "selection and filter"} # this is ok detection = {"selection": ["test"], "filter": [