From ff178408c8e51ea209b0d4cb43aef2a1d6d4f672 Mon Sep 17 00:00:00 2001
From: Michael Epping <19227815+mepples21@users.noreply.github.com>
Date: Tue, 28 Jun 2022 11:12:12 -0700
Subject: [PATCH 01/16] Added device registration w/o MFA sigma rule
---
 ...evice_registration_or_join_without_mfa.yml | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 rules/cloud/azure/azure_ad_device_registration_or_join_without_mfa.yml
diff --git a/rules/cloud/azure/azure_ad_device_registration_or_join_without_mfa.yml b/rules/cloud/azure/azure_ad_device_registration_or_join_without_mfa.yml
new file mode 100644
index 000000000..b36baa9fd
--- /dev/null
+++ b/rules/cloud/azure/azure_ad_device_registration_or_join_without_mfa.yml
@@ -0,0 +1,27 @@
+title: Device Registration or Join Without MFA
+id: 5afa454e-030c-4ab4-9253-a90aa7fcc581
+description: Monitor and alert for device registration or join events where MFA was not performed.
+author: Michael Epping, '@mepples21'
+date: 2022/06/28
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-registrations-and-joins-outside-policy
+logsource:
+ product: azure
+ service: signinlogs
+detection:
+ selection:
+ ResourceDisplayName:
+ - Device Registration Service
+ conditionalAccessStatus:
+ - success
+ filter_mfa:
+ AuthenticationRequirement:
+ - 'multiFactorAuthentication'
+ condition: selection and not filter_mfa
+falsepositives:
+ - Unknown
+level: medium
+status: experimental
+tags:
+ - attack.valid_accounts
+ - attack.t1078
From 749dd21a7ba3e5bb976198038f4b11ca9c3d894d Mon Sep 17 00:00:00 2001
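Review bot: The selection mixes two field-name schemas: `ResourceDisplayName` and `AuthenticationRequirement` are the PascalCase names of the Log Analytics SigninLogs table, while `conditionalAccessStatus` is the camelCase Graph API spelling, so on a backend that uses one schema consistently one of the three fields will never match; pick one spelling (for example `ConditionalAccessStatus: success` next to the other two) and keep it throughout the rule. Requiring `conditionalAccessStatus: success` also means registrations that no Conditional Access policy covers (status `notApplied`) are silently out of scope, which is presumably the population most worth watching; if that is intended, say so in `description`. `falsepositives: Unknown` at `level: medium` should at least name the obvious benign case, tenants that do not require MFA for device registration.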
From: Michael Epping <19227815+mepples21@users.noreply.github.com>
Date: Tue, 28 Jun 2022 11:55:41 -0700
Subject: [PATCH 02/16] Create azure_ad_sign_ins_from_noncompliant_devices.yml
---
 ..._ad_sign_ins_from_noncompliant_devices.yml | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 rules/cloud/azure/azure_ad_sign_ins_from_noncompliant_devices.yml
diff --git a/rules/cloud/azure/azure_ad_sign_ins_from_noncompliant_devices.yml b/rules/cloud/azure/azure_ad_sign_ins_from_noncompliant_devices.yml
new file mode 100644
index 000000000..b36baa9fd
--- /dev/null
+++ b/rules/cloud/azure/azure_ad_sign_ins_from_noncompliant_devices.yml
@@ -0,0 +1,27 @@
+title: Device Registration or Join Without MFA
+id: 5afa454e-030c-4ab4-9253-a90aa7fcc581
+description: Monitor and alert for device registration or join events where MFA was not performed.
+author: Michael Epping, '@mepples21'
+date: 2022/06/28
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-registrations-and-joins-outside-policy
+logsource:
+ product: azure
+ service: signinlogs
+detection:
+ selection:
+ ResourceDisplayName:
+ - Device Registration Service
+ conditionalAccessStatus:
+ - success
+ filter_mfa:
+ AuthenticationRequirement:
+ - 'multiFactorAuthentication'
+ condition: selection and not filter_mfa
+falsepositives:
+ - Unknown
+level: medium
+status: experimental
+tags:
+ - attack.valid_accounts
+ - attack.t1078
From 024514886f00671794af336db1c32718a4920086 Mon Sep 17 00:00:00 2001
From: Michael Epping <19227815+mepples21@users.noreply.github.com>
Date: Tue, 28 Jun 2022 11:55:54 -0700
Subject: [PATCH 03/16] Update azure_ad_sign_ins_from_noncompliant_devices.yml
---
 ..._ad_sign_ins_from_noncompliant_devices.yml | 19 +++++++------------
 1 file changed, 7 insertions(+), 12 deletions(-)
diff --git a/rules/cloud/azure/azure_ad_sign_ins_from_noncompliant_devices.yml b/rules/cloud/azure/azure_ad_sign_ins_from_noncompliant_devices.yml
index b36baa9fd..56e865d06 100644
--- a/rules/cloud/azure/azure_ad_sign_ins_from_noncompliant_devices.yml
+++ b/rules/cloud/azure/azure_ad_sign_ins_from_noncompliant_devices.yml
@@ -1,26 +1,21 @@
-title: Device Registration or Join Without MFA
+title: Sign-ins from non-compliant devices
 id: 5afa454e-030c-4ab4-9253-a90aa7fcc581
-description: Monitor and alert for device registration or join events where MFA was not performed.
+description: Monitor and alert for sign-ins where the device was non-compliant.
 author: Michael Epping, '@mepples21'
 date: 2022/06/28
 references:
- - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-registrations-and-joins-outside-policy
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in
 logsource:
 product: azure
 service: signinlogs
 detection:
 selection:
- ResourceDisplayName:
- - Device Registration Service
- conditionalAccessStatus:
- - success
- filter_mfa:
- AuthenticationRequirement:
- - 'multiFactorAuthentication'
- condition: selection and not filter_mfa
+ DeviceDetail.isCompliant:
+ - 'false'
+ condition: selection
 falsepositives:
 - Unknown
-level: medium
+level: high
 status: experimental
 tags:
 - attack.valid_accounts
From c9e42d3dd2e6135cb00dc1ecfc02a9cd09101e8a Mon Sep 17 00:00:00 2001
From: Michael Epping <19227815+mepples21@users.noreply.github.com>
Date: Tue, 28 Jun 2022 15:01:10 -0700
Subject: [PATCH 04/16] Create azure_ad_users_added_to_device_admin_roles.yml
---
 ...e_ad_users_added_to_device_admin_roles.yml | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 rules/cloud/azure/azure_ad_users_added_to_device_admin_roles.yml
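Review bot: `DeviceDetail.isCompliant: 'false'` matches every sign-in from a non-compliant registered device regardless of outcome, including sign-ins Conditional Access already blocked, so at `level: high` with `falsepositives: Unknown` this alerts once per sign-in in any tenant with compliance drift. Consider adding the sign-in outcome to the selection (the same log carries `ResultType` and `ConditionalAccessStatus`) or documenting in `falsepositives` that blocked sign-ins also match, and replacing `Unknown` with the expected benign case (devices temporarily out of compliance after a policy change). The `id` is still shared with the MFA rule from patch 01; the series corrects that in patch 09.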
diff --git a/rules/cloud/azure/azure_ad_users_added_to_device_admin_roles.yml b/rules/cloud/azure/azure_ad_users_added_to_device_admin_roles.yml
new file mode 100644
index 000000000..3a1963000
--- /dev/null
+++ b/rules/cloud/azure/azure_ad_users_added_to_device_admin_roles.yml
@@ -0,0 +1,27 @@
+title: Users added to global or device admin roles
+id: 11c767ae-500b-423b-bae3-b234450736ed
+description: Monitor and alert for users added to device admin roles.
+author: Michael Epping, '@mepples21'
+date: 2022/06/28
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#device-administrator-roles
+logsource:
+ product: azure
+ service: auditlogs
+detection:
+ selection:
+ Category:
+ - RoleManagement
+ OperationName|contains:
+ - Add* *member to role
+ TargetResources|contains:
+ - 7698a772-787b-4ac8-901f-60d6b08affd2
+ - 62e90394-69f5-4237-9190-012177145e10
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
+status: experimental
+tags:
+ - attack.valid_accounts
+ - attack.t1078
From c90b8fa7f306e87a0a36702d0a8ac7e6b5eec634 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 29 Jun 2022 19:38:37 +0200
Subject: [PATCH 05/16] Update azure_ad_users_added_to_device_admin_roles.yml
---
 .../azure/azure_ad_users_added_to_device_admin_roles.yml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/rules/cloud/azure/azure_ad_users_added_to_device_admin_roles.yml b/rules/cloud/azure/azure_ad_users_added_to_device_admin_roles.yml
index 3a1963000..92a1564a0 100644
--- a/rules/cloud/azure/azure_ad_users_added_to_device_admin_roles.yml
+++ b/rules/cloud/azure/azure_ad_users_added_to_device_admin_roles.yml
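Review bot: `TargetResources|contains` is applied to what is a nested array in the Azure AD audit log schema (each entry carries its own `id`, `displayName` and `modifiedProperties`), so a plain `contains` on the two role-template GUIDs only works on backends that flatten `TargetResources` to a string; on others the field needs an explicit path such as `TargetResources.id`, and the rule should say which layout it assumes. The `description` ("users added to device admin roles") is narrower than the title and than the second GUID, which by the referenced Microsoft page is the Global Administrator template; align the description with the title. `falsepositives: Unknown` should name legitimate role assignments by identity administrators and PIM activations, since both produce the same audit operation.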
@@ -12,11 +12,12 @@ detection:
 selection:
 Category:
 - RoleManagement
- OperationName|contains:
- - Add* *member to role
+ OperationName|contains|all:
+ - 'Add'
+ - 'member to role'
 TargetResources|contains:
- - 7698a772-787b-4ac8-901f-60d6b08affd2
- - 62e90394-69f5-4237-9190-012177145e10
+ - '7698a772-787b-4ac8-901f-60d6b08affd2'
+ - '62e90394-69f5-4237-9190-012177145e10'
 condition: selection
 falsepositives:
 - Unknown
From fa1eb1669caff887c922d6885c3f5aecbee5554e Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Fri, 1 Jul 2022 14:18:26 +0200
Subject: [PATCH 06/16] Update azure_ad_users_added_to_device_admin_roles.yml
---
 .../azure/azure_ad_users_added_to_device_admin_roles.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/rules/cloud/azure/azure_ad_users_added_to_device_admin_roles.yml b/rules/cloud/azure/azure_ad_users_added_to_device_admin_roles.yml
index 92a1564a0..0c3140549 100644
--- a/rules/cloud/azure/azure_ad_users_added_to_device_admin_roles.yml
+++ b/rules/cloud/azure/azure_ad_users_added_to_device_admin_roles.yml
@@ -1,4 +1,4 @@
-title: Users added to global or device admin roles
+title: Users Added to Global or Device Admin Roles
 id: 11c767ae-500b-423b-bae3-b234450736ed
 description: Monitor and alert for users added to device admin roles.
 author: Michael Epping, '@mepples21'
@@ -10,8 +10,7 @@ logsource:
 service: auditlogs
 detection:
 selection:
- Category:
- - RoleManagement
+ Category: RoleManagement
 OperationName|contains|all:
 - 'Add'
 - 'member to role'
From d4c9e5640fffc6f8959a29f25d4f57f47c280ea4 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Fri, 1 Jul 2022 14:24:38 +0200
Subject: [PATCH 07/16] Update azure_ad_sign_ins_from_noncompliant_devices.yml
---
 .../azure/azure_ad_sign_ins_from_noncompliant_devices.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/rules/cloud/azure/azure_ad_sign_ins_from_noncompliant_devices.yml b/rules/cloud/azure/azure_ad_sign_ins_from_noncompliant_devices.yml
index 56e865d06..91f5999df 100644
--- a/rules/cloud/azure/azure_ad_sign_ins_from_noncompliant_devices.yml
+++ b/rules/cloud/azure/azure_ad_sign_ins_from_noncompliant_devices.yml
@@ -1,4 +1,4 @@
-title: Sign-ins from non-compliant devices
+title: Sign-ins from Non-Compliant Devices
 id: 5afa454e-030c-4ab4-9253-a90aa7fcc581
 description: Monitor and alert for sign-ins where the device was non-compliant.
 author: Michael Epping, '@mepples21'
@@ -10,8 +10,7 @@ logsource:
 service: signinlogs
 detection:
 selection:
- DeviceDetail.isCompliant:
- - 'false'
+ DeviceDetail.isCompliant: 'false'
 condition: selection
 falsepositives:
 - Unknown
From d12293d3c149334920ae92465acb62ff979a0130 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Fri, 1 Jul 2022 14:25:20 +0200
Subject: [PATCH 08/16] Update azure_ad_device_registration_or_join_without_mfa.yml
---
 .../azure_ad_device_registration_or_join_without_mfa.yml | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/rules/cloud/azure/azure_ad_device_registration_or_join_without_mfa.yml b/rules/cloud/azure/azure_ad_device_registration_or_join_without_mfa.yml
index b36baa9fd..23c3582cb 100644
--- a/rules/cloud/azure/azure_ad_device_registration_or_join_without_mfa.yml
+++ b/rules/cloud/azure/azure_ad_device_registration_or_join_without_mfa.yml
@@ -10,13 +10,10 @@ logsource:
 service: signinlogs
 detection:
 selection:
- ResourceDisplayName:
- - Device Registration Service
- conditionalAccessStatus:
- - success
+ ResourceDisplayName: 'Device Registration Service'
+ conditionalAccessStatus: 'success'
 filter_mfa:
- AuthenticationRequirement:
- - 'multiFactorAuthentication'
+ AuthenticationRequirement: 'multiFactorAuthentication'
 condition: selection and not filter_mfa
 falsepositives:
 - Unknown
From f5668cd223eeea1f7b925baa9eff97976c3c0774 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Fri, 1 Jul 2022 21:04:56 +0200
Subject: [PATCH 09/16] fix id
---
 .../cloud/azure/azure_ad_sign_ins_from_noncompliant_devices.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cloud/azure/azure_ad_sign_ins_from_noncompliant_devices.yml b/rules/cloud/azure/azure_ad_sign_ins_from_noncompliant_devices.yml
index 91f5999df..45003d427 100644
--- a/rules/cloud/azure/azure_ad_sign_ins_from_noncompliant_devices.yml
+++ b/rules/cloud/azure/azure_ad_sign_ins_from_noncompliant_devices.yml
@@ -1,5 +1,5 @@
 title: Sign-ins from Non-Compliant Devices
-id: 5afa454e-030c-4ab4-9253-a90aa7fcc581
+id: 4f77e1d7-3982-4ee0-8489-abf2d6b75284
 description: Monitor and alert for sign-ins where the device was non-compliant.
 author: Michael Epping, '@mepples21'
 date: 2022/06/28
From 6fb1a22e777bf40f9f83cddd22092afcf5481745 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 4 Jul 2022 12:39:31 +0200
Subject: [PATCH 10/16] regsvr rule extended
---
 .../proc_creation_win_susp_regsvr32_anomalies.yml | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml b/rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml
index 897d240f6..2886841da 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects various anomalies in relation to regsvr32.exe
 author: Florian Roth, oscd.community
 date: 2019/01/16
-modified: 2022/06/20
+modified: 2022/07/04
 references:
 - https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html
 - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
@@ -52,6 +52,17 @@ detection:
 CommandLine|contains:
 - '\AppData\Local'
 - 'C:\Users\Public'
+ selection9: # suspicious extensions https://twitter.com/Max_Mal_/status/1542461200797163522/photo/3
+ Image|endswith: '\regsvr32.exe'
+ CommandLine|endswith:
+ - '.jpg'
+ - '.jpeg'
+ - '.png'
+ - '.gif'
+ - '.bin'
+ - '.tmp'
+ - '.temp'
+ - '.txt'
 filter:
 CommandLine|contains: '\AppData\Local\Microsoft\Teams'
 condition: 1 of selection* and not filter
From 2781e2e5c71dd842b06ff699e97e8adb54799ed4 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 4 Jul 2022 13:20:20 +0200
Subject: [PATCH 11/16] rule: Disabled Windows Defender Eventlog
---
 ...t_disabled_microsoft_defender_eventlog.yml | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml
diff --git a/rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml b/rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml
new file mode 100644
index 000000000..7b61cd8de
--- /dev/null
+++ b/rules/windows/registry/registry_set/registry_set_disabled_microsoft_defender_eventlog.yml
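Review bot: `CommandLine|endswith` on bare extensions in selection9 misses the common case where the path argument is quoted or followed by trailing whitespace (a command line ending in `x.jpg"` does not end in `.jpg`), so the selection is narrower than the referenced observation; either add the quoted forms to the list (`'.jpg"'`, `'.jpg'''`, and so on for each extension) or use `CommandLine|contains` with the extension followed by a delimiter. `.bin`, `.tmp` and `.txt` are also names installers may use for components they register from a temporary directory, so `1 of selection*` will pick up some benign setups; the `falsepositives` list (outside this hunk) should mention them. The same `endswith`-extension pattern is introduced for the curl rule in patches 13 and 14 and has the same gap. The `detection` block starts and ends outside the hunk.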
@@ -0,0 +1,23 @@
+title: Disabled Windows Defender Eventlog
+id: fcddca7c-b9c0-4ddf-98da-e1e2d18b0157
+description: Detects the disabling of the Windows Defender eventlog as seen in relation to Lockbit 3.0 infections
+status: experimental
+date: 2022/07/04
+author: Florian Roth
+references:
+ - https://twitter.com/WhichbufferArda/status/1543900539280293889/photo/2
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ selection:
+ EventType: SetValue
+ TargetObject|contains: '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Windows Defender/Operational\Enabled'
+ Details: 'DWORD (0x00000000)'
+ condition: selection
+falsepositives:
+ - Other Antivirus software installations could cause Windows to disable that eventlog (unknown)
+level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
\ No newline at end of file
From de15afbbf7bfbe43e9642d5d36b3fb2ddf17145d Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 4 Jul 2022 13:20:40 +0200
Subject: [PATCH 12/16] refactor: improved old rule
---
 ...stry_set_disabled_pua_protection_on_microsoft_defender.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml b/rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml
index f002205d6..2124509d3 100644
--- a/rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml
+++ b/rules/windows/registry/registry_set/registry_set_disabled_pua_protection_on_microsoft_defender.yml
@@ -3,7 +3,7 @@ id: 8ffc5407-52e3-478f-9596-0a7371eafe13
 description: Detects disabling Windows Defender PUA protection
 status: experimental
 date: 2021/08/04
-modified: 2022/03/26
+modified: 2022/07/04
 author: Austin Songer @austinsonger
 references:
 - https://www.tenforums.com/tutorials/32236-enable-disable-microsoft-defender-pua-protection-windows-10-a.html
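Review bot: The new file ends without a trailing newline (`\ No newline at end of file`), which yamllint's new-line-at-end-of-file check and the repository's other rules do not tolerate; add one. `TargetObject|contains` pins the full path of the `Microsoft-Windows-Windows Defender/Operational` channel only, while the sibling `Microsoft-Windows-Windows Defender/WHC` channel under the same `WINEVT\Channels` key is not covered; a list of both channel paths, or a `contains|all` of `\WINEVT\Channels\Microsoft-Windows-Windows Defender/` and `\Enabled`, would close that gap without widening the rule. The `falsepositives` entry already hedges with "(unknown)"; since the rule is `level: high`, it would help to state in `description` that the value written is `0` (disabled) and that re-enabling writes `1`, so analysts can tell the two apart when triaging.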
@@ -13,7 +13,7 @@ logsource:
 detection:
 selection:
 EventType: SetValue
- TargetObject|contains: 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\PUAProtection'
+ TargetObject|contains: '\Policies\Microsoft\Windows Defender\PUAProtection'
 Details: 'DWORD (0x00000000)'
 condition: selection
 falsepositives:
From 5b2c38d05b4ac21b0737aade943334e8a9640cf5 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 4 Jul 2022 13:24:56 +0200
Subject: [PATCH 13/16] refactor: curl rules refactored
---
 .../proc_creation_win_curl_download.yml | 32 +++++++++++++++++++
 .../proc_creation_win_susp_curl_download.yml | 29 ++++++++++-------
 2 files changed, 50 insertions(+), 11 deletions(-)
 create mode 100644 rules/windows/process_creation/proc_creation_win_curl_download.yml
diff --git a/rules/windows/process_creation/proc_creation_win_curl_download.yml b/rules/windows/process_creation/proc_creation_win_curl_download.yml
new file mode 100644
index 000000000..ecf740e57
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_curl_download.yml
@@ -0,0 +1,32 @@
+title: Curl Usage on Windows
+id: e218595b-bbe7-4ee5-8a96-f32a24ad3468
+status: test
+description: Detects a curl process start on Windows and outputs the requested document to a local file
+author: Florian Roth
+references:
+ - https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464
+date: 2020/07/03
+modified: 2022/06/11
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - Image|endswith: '\curl.exe'
+ - Product: 'The curl executable'
+ selection_cli:
+ CommandLine|contains:
+ - ' -O'
+ - ' -o '
+ - '--remote-name'
+ condition: all of selection*
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Scripts created by developers and admins
+ - Administrative activity
+level: medium
+tags:
+ - attack.command_and_control
+ - attack.t1105
diff --git a/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml b/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml
index a1bf5b9b9..a6f476767 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml
@@ -1,12 +1,11 @@
 title: Suspicious Curl Usage on Windows
-id: e218595b-bbe7-4ee5-8a96-f32a24ad3468
-status: test
+id: 9740755c-4e83-43bf-b6ec-bb3422bee84c
+status: experimental
 description: Detects a suspicious curl process start on Windows and outputs the requested document to a local file
 author: Florian Roth
 references:
- - https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464
-date: 2020/07/03
-modified: 2022/06/11
+ - https://twitter.com/max_mal_/status/1542461200797163522
+date: 2022/07/05
 logsource:
 category: process_creation
 product: windows
@@ -15,17 +14,25 @@ detection:
 - Image|endswith: '\curl.exe'
 - Product: 'The curl executable'
 selection_cli:
- CommandLine|contains:
- - ' -O'
- - '--remote-name'
+ - CommandLine|contains:
+ - '\AppData\'
+ - '\Users\Public\'
+ - '\Temp'
+ - CommandLine|endswith:
+ - '.jpg'
+ - '.jpeg'
+ - '.png'
+ - '.gif'
+ - '.tmp'
+ - '.temp'
+ - '.txt'
 condition: all of selection*
 fields:
 - CommandLine
 - ParentCommandLine
 falsepositives:
- - Scripts created by developers and admins
- - Administrative activity
-level: medium
+ - Unknown
+level: high
 tags:
 - attack.command_and_control
 - attack.t1105
From 6238c6fd2c73c63409a9b22839e45ec1029b9153 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 4 Jul 2022 14:50:44 +0200
Subject: [PATCH 14/16] refactor: curl refactoring
---
 .../proc_creation_win_curl_download.yml | 18 +++++---------
 .../proc_creation_win_susp_curl_download.yml | 24 +++++++++++++------
 2 files changed, 23 insertions(+), 19 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_curl_download.yml b/rules/windows/process_creation/proc_creation_win_curl_download.yml
index ecf740e57..1e7dd7a76 100644
--- a/rules/windows/process_creation/proc_creation_win_curl_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_curl_download.yml
@@ -1,32 +1,26 @@
 title: Curl Usage on Windows
-id: e218595b-bbe7-4ee5-8a96-f32a24ad3468
+id: bbeaed61-1990-4773-bf57-b81dbad7db2d
 status: test
-description: Detects a curl process start on Windows and outputs the requested document to a local file
+description: Detects a curl process start on Windows, which indicates a file download from a remote location or a simple web request to a remote server
 author: Florian Roth
 references:
 - https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464
-date: 2020/07/03
-modified: 2022/06/11
+date: 2022/07/05
 logsource:
 category: process_creation
 product: windows
 detection:
- selection_img:
+ selection:
 - Image|endswith: '\curl.exe'
 - Product: 'The curl executable'
- selection_cli:
- CommandLine|contains:
- - ' -O'
- - ' -o '
- - '--remote-name'
- condition: all of selection*
+ condition: selection
 fields:
 - CommandLine
 - ParentCommandLine
 falsepositives:
 - Scripts created by developers and admins
 - Administrative activity
-level: medium
+level: low
 tags:
 - attack.command_and_control
 - attack.t1105
diff --git a/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml b/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml
index a6f476767..ac3a8712e 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml
@@ -1,24 +1,30 @@
 title: Suspicious Curl Usage on Windows
-id: 9740755c-4e83-43bf-b6ec-bb3422bee84c
+id: e218595b-bbe7-4ee5-8a96-f32a24ad3468
 status: experimental
 description: Detects a suspicious curl process start on Windows and outputs the requested document to a local file
 author: Florian Roth
 references:
 - https://twitter.com/max_mal_/status/1542461200797163522
-date: 2022/07/05
+ date: 2020/07/03
+ modified: 2022/07/05
 logsource:
 category: process_creation
 product: windows
 detection:
- selection_img:
+ selection_curl:
 - Image|endswith: '\curl.exe'
 - Product: 'The curl executable'
- selection_cli:
- - CommandLine|contains:
+ selection_susp_locations:
+ CommandLine|contains:
 - '\AppData\'
 - '\Users\Public\'
 - '\Temp'
- - CommandLine|endswith:
+ - '%AppData%'
+ - '%Temp%'
+ - '%Public%'
+ - '\Desktop'
+ selection_susp_extensions:
+ CommandLine|endswith:
 - '.jpg'
 - '.jpeg'
 - '.png'
@@ -26,7 +32,11 @@ detection:
 - '.tmp'
 - '.temp'
 - '.txt'
- condition: all of selection*
+ selection_susp_remote_name:
+ CommandLine|contains:
+ - ' -O' # alias for --remote-name
+ - '--remote-name'
+ condition: selection_curl and 1 of selection_susp*
 fields:
 - CommandLine
 - ParentCommandLine
From 86c3062b34676d41f882dbca8c070a44853bb1e1 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 4 Jul 2022 17:08:23 +0200
Subject: [PATCH 15/16] refactor: curl changes
---
 .../proc_creation_win_susp_curl_start_combo.yml | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_susp_curl_start_combo.yml b/rules/windows/process_creation/proc_creation_win_susp_curl_start_combo.yml
index e310e71ec..37c0d37ae 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_curl_start_combo.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_curl_start_combo.yml
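Review bot: Sigma string matching is case-insensitive by default, so `' -O'` in selection_susp_remote_name also matches the lower-case ` -o` output-file flag and any other option beginning with `-o`, which makes the `# alias for --remote-name` comment misleading and, through `condition: selection_curl and 1 of selection_susp*`, makes every `curl -o <file>` invocation satisfy this `level: high` rule on its own. If a bare `-O`/`-o` download is meant to be suspicious by itself, say so in `description` and rewrite the comment as `# -O/--remote-name; case-insensitive, so also matches -o <file>`; otherwise take remote_name out of the `1 of` and require it together with a location, e.g. `condition: selection_curl and (selection_susp_locations or selection_susp_extensions)`. `'\Temp'` and `'\Desktop'` under `contains` also match longer path components such as `\Template` or `\Desktop.ini`-style names; a trailing backslash (`'\Temp\'`) narrows them the same way `'\Users\Public\'` already is. The mis-indented `date:`/`modified:` lines are corrected by patch 16.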
@@ -6,22 +6,26 @@ author: Sreeman
 references:
 - https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983
 date: 2020/01/13
-modified: 2021/11/27
+modified: 2022/07/05
 logsource:
 category: process_creation
 product: windows
 detection:
- condition: selection
- selection:
- CommandLine|contains|all:
- - 'curl'
+ selection_curl:
+ - Image|endswith: '\curl.exe'
+ - Product: 'The curl executable'
+ selection_susp_flags:
+ CommandLine|contains:
 - ' start '
+ - '&call '
+ - '& call '
+ condition: all of selection*
 fields:
 - ParentImage
 - CommandLine
 falsepositives:
 - Administrative scripts (installers)
-level: medium
+level: high
 tags:
 - attack.execution
 - attack.t1218
From 169410189375ae1488b36918655256e8727de47e Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 4 Jul 2022 17:09:53 +0200
Subject: [PATCH 16/16] fix: indentation
---
 .../process_creation/proc_creation_win_susp_curl_download.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml b/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml
index ac3a8712e..a40726f6c 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml
@@ -5,8 +5,8 @@ description: Detects a suspicious curl process start on Windows and outputs the
 author: Florian Roth
 references:
 - https://twitter.com/max_mal_/status/1542461200797163522
- date: 2020/07/03
- modified: 2022/07/05
+date: 2020/07/03
+modified: 2022/07/05
 logsource:
 category: process_creation
 product: windows