diff --git a/rules/cloud/m365/microsoft365_pst_export_alert.yml b/rules/cloud/m365/microsoft365_pst_export_alert.yml
index 9c060c90f..03c2e2309 100644
--- a/rules/cloud/m365/microsoft365_pst_export_alert.yml
+++ b/rules/cloud/m365/microsoft365_pst_export_alert.yml
@@ -1,17 +1,22 @@
-title: PST Export Alert
+title: PST Export Alert Using eDiscovery Alert
 id: 18b88d08-d73e-4f21-bc25-4b9892a4fdd0
+related:
+ - id: 6897cd82-6664-11ed-9022-0242ac120002
+ type: similar
 status: experimental
 description: Alert on when a user has performed an eDiscovery search or exported a PST file from the search. This PST file usually has sensitive information including email body content
 references:
- - https://attack.mitre.org/techniques/T1114/
-author: 'Sorina Ionescu'
+ - https://learn.microsoft.com/en-us/microsoft-365/compliance/alert-policies?view=o365-worldwide
+author: Sorina Ionescu
 date: 2022/02/08
+modified: 2022/11/17
 tags:
 - attack.collection
 - attack.t1114
 logsource:
 service: threat_management
 product: m365
+ definition: Requires the 'eDiscovery search or exported' alert to be enabled
 detection:
 selection:
 eventSource: SecurityComplianceCenter
diff --git a/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml b/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml
index 389ffb115..5b8746d2e 100644
--- a/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml
+++ b/rules/macos/process_creation/proc_creation_macos_susp_execution_macos_script_editor.yml
@@ -1,4 +1,4 @@
-title: Suspicious Exeution via macOS Script Editor
+title: Suspicious Execution via macOS Script Editor
 id: 6e4dcdd1-e48b-42f7-b2d8-3b413fc58cb4
 status: experimental
 description: Detects when the macOS Script Editor utility spawns an unusual child process.
@@ -7,6 +7,7 @@ references:
 - https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-7f541fbc4a4a28a92970e8bf53effea5bd934604429112c920affb457f5b2685
 - https://wojciechregula.blog/post/macos-red-teaming-initial-access-via-applescript-url/
 date: 2022/10/21
+modified: 2022/11/17
 logsource:
 category: process_creation
 product: macos
diff --git a/rules/windows/dns_query/dns_query_win_susp_ipify.yml b/rules/windows/dns_query/dns_query_win_susp_ipify.yml
index 27bbf3d7c..94da7045b 100644
--- a/rules/windows/dns_query/dns_query_win_susp_ipify.yml
+++ b/rules/windows/dns_query/dns_query_win_susp_ipify.yml
@@ -7,7 +7,7 @@ references:
 - https://twitter.com/neonprimetime/status/1436376497980428318
 author: Brandon George (blog post), Thomas Patzke (rule)
 date: 2021/07/08
-modified: 2022/10/31
+modified: 2022/11/18
 tags:
 - attack.reconnaissance
 - attack.t1590
@@ -33,6 +33,7 @@ detection:
 - 'ipv4bot.whatismyipaddress.com'
 - 'freegeoip.app'
 - 'ifconfig.me'
+ - 'ipwho.is'
 filter_browser:
 Image|endswith:
 # Add missing browsers you use and exclude the ones you don't
diff --git a/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml b/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml
new file mode 100644
index 000000000..8520b93de
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_computer_discovery_get_adcomputer.yml
@@ -0,0 +1,34 @@
+title: Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell
+id: db885529-903f-4c5d-9864-28fe199e6370
+related:
+ - id: 435e10e4-992a-4281-96f3-38b11106adde
+ type: similar
+status: experimental
+description: Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
+references:
+ - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
+ - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
+ - https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf
+author: Nasreddine Bencherchali
+date: 2022/11/17
+tags:
+ - attack.discovery
+ - attack.t1033
+logsource:
+ product: windows
+ category: ps_script
+ definition: Script block logging must be enabled
+detection:
+ selection:
+ ScriptBlockText|contains|all:
+ - 'Get-ADComputer '
+ - ' -Filter \*'
+ ScriptBlockText|contains:
+ - ' | Select '
+ - 'Out-File'
+ - 'Set-Content'
+ - 'Add-Content'
+ condition: selection
+falsepositives:
+ - Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often
+level: medium
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_get_adcomputer.yml b/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml
similarity index 75%
rename from rules/windows/powershell/powershell_script/posh_ps_susp_get_adcomputer.yml
rename to rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml
index 32cfd4e79..0e41957b9 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_get_adcomputer.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_get_adcomputer.yml
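Review bot: The output-indicator list under `ScriptBlockText|contains` in this new rule omits the `' > '` redirection that the Get-ADUser script-block rule and both process-creation rules in this commit include, so a script block that only redirects the cmdlet's output with `>` is not matched here; add `- ' > '` above `- ' | Select '`. Separately, `' | Select '` is a projection rather than a file write, so with it in the list the description's "output it to a file" claims less than the rule actually fires on — the same wording gap exists in the Get-ADUser script-block rule and in the two process-creation hunks further down; either drop `' | Select '` or reword to something like `description: Detects usage of the Get-ADComputer cmdlet to collect computer information and select or output it to a file`. The tag `attack.t1033` (System Owner/User Discovery) also fits user enumeration better than computer enumeration; the renamed `posh_ps_get_adcomputer.yml` in this same commit tags computer enumeration as `attack.t1018`, so the two should agree.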
@@ -1,11 +1,12 @@
-title: Suspicious Enumerate Active Directory Computers with Get-AdComputer
+title: Active Directory Computers Enumeration with Get-AdComputer
 id: 36bed6b2-e9a0-4fff-beeb-413a92b86138
 status: experimental
-description: utilize Get-AdComputer to enumerate Computers within Active Directory.
+description: Detects usage of the "Get-AdComputer" to enumerate Computers within Active Directory.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
 author: frack113
 date: 2022/03/17
+modified: 2022/11/18
 tags:
 - attack.discovery
 - attack.t1018
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_get_adgroup.yml b/rules/windows/powershell/powershell_script/posh_ps_get_adgroup.yml
similarity index 76%
rename from rules/windows/powershell/powershell_script/posh_ps_susp_get_adgroup.yml
rename to rules/windows/powershell/powershell_script/posh_ps_get_adgroup.yml
index 1a512d560..df302f649 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_get_adgroup.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_get_adgroup.yml
@@ -1,11 +1,12 @@
-title: Suspicious Enumerate Active Directory Groups with Get-AdComputer
+title: Active Directory Group Enumeration With Get-AdGroup
 id: 8c3a6607-b7dc-4f0d-a646-ef38c00b76ee
 status: experimental
-description: Detects the use of Get-AdGroup to enumerate Groups within Active Directory
+description: Detects usage of the "Get-AdGroup" cmdlet to enumerate Groups within Active Directory
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
 author: frack113
 date: 2022/03/17
+modified: 2022/11/17
 tags:
 - attack.discovery
 - attack.t1069.002
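Review bot: The new description in the Get-AdComputer hunk, `description: Detects usage of the "Get-AdComputer" to enumerate Computers within Active Directory.`, is missing the word "cmdlet" that the parallel Get-AdGroup description on the same line carries; suggest `description: Detects usage of the "Get-AdComputer" cmdlet to enumerate Computers within Active Directory`. The Get-AdGroup description also drops the trailing period while this one keeps it, so the two renamed rules should settle on one form.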
diff --git a/rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml b/rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml
new file mode 100644
index 000000000..eccbec3af
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_user_discovery_get_aduser.yml
@@ -0,0 +1,34 @@
+title: User Discovery And Export Via Get-ADUser Cmdlet - PowerShell
+id: c2993223-6da8-4b1a-88ee-668b8bf315e9
+related:
+ - id: 1114e048-b69c-4f41-bc20-657245ae6e3f
+ type: similar
+status: experimental
+description: Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file
+references:
+ - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
+ - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
+author: Nasreddine Bencherchali
+date: 2022/11/17
+tags:
+ - attack.discovery
+ - attack.t1033
+logsource:
+ product: windows
+ category: ps_script
+ definition: Script block logging must be enabled
+detection:
+ selection:
+ ScriptBlockText|contains|all:
+ - 'Get-ADUser '
+ - ' -Filter \*'
+ ScriptBlockText|contains:
+ - ' > '
+ - ' | Select '
+ - 'Out-File'
+ - 'Set-Content'
+ - 'Add-Content'
+ condition: selection
+falsepositives:
+ - Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often
+level: medium
diff --git a/rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml b/rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml
index 07b8ab10c..e51b3c716 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_win_defender_exclusions_added.yml
@@ -17,6 +17,7 @@ tags:
 logsource:
 category: ps_script
 product: windows
+ definition: Script block logging must be enabled
 detection:
 selection_args_exc:
 ScriptBlockText|contains:
diff --git a/rules/windows/process_creation/proc_creation_win_computer_discovery_get_adcomputer.yml b/rules/windows/process_creation/proc_creation_win_computer_discovery_get_adcomputer.yml
index f884e1403..0989036a8 100644
--- a/rules/windows/process_creation/proc_creation_win_computer_discovery_get_adcomputer.yml
+++ b/rules/windows/process_creation/proc_creation_win_computer_discovery_get_adcomputer.yml
@@ -1,12 +1,17 @@
 title: Computer Discovery And Export Via Get-ADComputer Cmdlet
 id: 435e10e4-992a-4281-96f3-38b11106adde
+related:
+ - id: db885529-903f-4c5d-9864-28fe199e6370
+ type: similar
 status: experimental
 description: Detects usage of the Get-ADComputer cmdlet to collect computer information and output it to a file
 references:
 - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
 - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
+ - https://www.cisa.gov/uscert/sites/default/files/publications/aa22-320a_joint_csa_iranian_government-sponsored_apt_actors_compromise_federal%20network_deploy_crypto%20miner_credential_harvester.pdf
 author: Nasreddine Bencherchali
 date: 2022/11/10
+modified: 2022/11/17
 tags:
 - attack.discovery
 - attack.t1033
@@ -25,9 +30,9 @@ detection:
 CommandLine|contains|all:
 - 'Get-ADComputer '
 - ' -Filter \*'
- selection_output:
 CommandLine|contains:
 - ' > '
+ - ' | Select '
 - 'Out-File'
 - 'Set-Content'
 - 'Add-Content'
diff --git a/rules/windows/process_creation/proc_creation_win_user_discovery_get_aduser.yml b/rules/windows/process_creation/proc_creation_win_user_discovery_get_aduser.yml
index f5726cdc6..8ac47c9a4 100644
--- a/rules/windows/process_creation/proc_creation_win_user_discovery_get_aduser.yml
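Review bot: The Get-ADComputer process-creation hunk removes the `selection_output:` key, but the rule's `condition:` line lies outside the hunk; if it still reads `condition: selection and selection_output`, the rule now references an undefined selection and will fail validation, so it would need to become `condition: selection`. The same removal appears in the Get-ADUser process-creation hunk that follows, with the same check to make. If `selection_output:` was instead a stray key with no value — its removal leaves `CommandLine|contains:` as a sibling of `CommandLine|contains|all:` under `selection`, since the context lines are unchanged — the edit is correct and the two lists are now AND-ed, which is the intended cmdlet-plus-output logic; a short comment such as `# both blocks below must match: the cmdlet invocation and an output/redirect indicator` above `CommandLine|contains|all:` would make that dependence visible.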
+++ b/rules/windows/process_creation/proc_creation_win_user_discovery_get_aduser.yml
@@ -1,5 +1,8 @@
 title: User Discovery And Export Via Get-ADUser Cmdlet
-id: c2993223-6da8-4b1a-88ee-668b8bf315e9
+id: 1114e048-b69c-4f41-bc20-657245ae6e3f
+related:
+ - id: c2993223-6da8-4b1a-88ee-668b8bf315e9
+ type: similar
 status: experimental
 description: Detects usage of the Get-ADUser cmdlet to collect user information and output it to a file
 references:
@@ -7,7 +10,7 @@ references:
 - https://www.microsoft.com/en-us/security/blog/2022/10/18/defenders-beware-a-case-for-post-ransomware-investigations/
 author: Nasreddine Bencherchali
 date: 2022/09/09
-modified: 2022/11/10
+modified: 2022/11/17
 tags:
 - attack.discovery
 - attack.t1033
@@ -26,9 +29,9 @@ detection:
 CommandLine|contains|all:
 - 'Get-ADUser '
 - ' -Filter \*'
- selection_output:
 CommandLine|contains:
 - ' > '
+ - ' | Select '
 - 'Out-File'
 - 'Set-Content'
 - 'Add-Content'
diff --git a/rules/windows/registry/registry_set/registry_set_disable_function_user.yml b/rules/windows/registry/registry_set/registry_set_disable_function_user.yml
index cd043992c..befc469e0 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_function_user.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_function_user.yml
@@ -5,9 +5,10 @@ description: Detects registry modifications that change features of internal Win
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1112/T1112.md
 - https://www.mandiant.com/resources/unc2165-shifts-to-evade-sanctions
+ - https://blogs.vmware.com/security/2022/11/batloader-the-evasive-downloader-malware.html
 author: frack113, Nasreddine Bencherchali
 date: 2022/03/18
-modified: 2022/06/03
+modified: 2022/11/17
 tags:
 - attack.defense_evasion
 - attack.t1112
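Review bot: The Get-ADUser process-creation hunk changes an existing rule's `id:` from `c2993223-6da8-4b1a-88ee-668b8bf315e9` to `1114e048-b69c-4f41-bc20-657245ae6e3f` so that the old UUID can be reused by the new script-block rule; Sigma ids are meant to be stable, and any deployed backend rule, suppression, or ticket keyed on the old UUID silently stops pointing at this rule. Keep `id: c2993223-6da8-4b1a-88ee-668b8bf315e9` on the process-creation rule and give the new `posh_ps_user_discovery_get_aduser.yml` the fresh UUID, swapping the two `related` entries accordingly; the new Get-ADComputer pair in this same commit already follows that pattern (existing rule keeps its id, new rule gets a new one).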
@@ -30,6 +31,7 @@ detection:
 EventType: SetValue
 TargetObject|endswith:
 - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon'
+ - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin'
 - 'SOFTWARE\Microsoft\Windows\CurrentVersion\PushNotifications\ToastEnabled'
 - '\SYSTEM\CurrentControlSet\Control\Storage\Write Protection'
 - '\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect'
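Review bot: `ConsentPromptBehaviorAdmin` is added to `TargetObject|endswith` under `EventType: SetValue`, so the rule fires on every write to that UAC value, including a GPO refresh or hardening script setting it to a stricter prompt level; nothing in the hunk restricts the match to the value that disables the elevation prompt (0), and the rest of the selection is outside the hunk. If the rule has no `Details` condition for this key, consider a dedicated selection such as `Details: 'DWORD (0x00000000)'` for it, or at least record the policy-driven benign writes under `falsepositives`, which is outside the hunk.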