diff --git a/rules/linux/process_creation/proc_creation_lnx_remote_system_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_remote_system_discovery.yml
index c54f9d6f2..f853d9684 100644
--- a/rules/linux/process_creation/proc_creation_lnx_remote_system_discovery.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_remote_system_discovery.yml
@@ -4,43 +4,43 @@ status: test
description: Detects the enumeration of other remote systems.
author: Alejandro Ortuno, oscd.community
references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
date: 2020/10/22
modified: 2021/11/27
logsource:
- category: process_creation
- product: linux
+ category: process_creation
+ product: linux
detection:
- selection_1:
- Image|endswith: '/arp'
- CommandLine|contains: '-a'
- selection_2:
- Image|endswith: '/ping'
- CommandLine|contains:
- - ' 10.' #10.0.0.0/8
- - ' 192.168.' #192.168.0.0/16
- - ' 172.16.' #172.16.0.0/12
- - ' 172.17.'
- - ' 172.18.'
- - ' 172.19.'
- - ' 172.20.'
- - ' 172.21.'
- - ' 172.22.'
- - ' 172.23.'
- - ' 172.24.'
- - ' 172.25.'
- - ' 172.26.'
- - ' 172.27.'
- - ' 172.28.'
- - ' 172.29.'
- - ' 172.30.'
- - ' 172.31.'
- - ' 127.' #127.0.0.0/8
- - ' 169.254.' #169.254.0.0/16
- condition: 1 of selection*
+ selection_1:
+ Image|endswith: '/arp'
+ CommandLine|contains: '-a'
+ selection_2:
+ Image|endswith: '/ping'
+ CommandLine|contains:
+ - ' 10.' #10.0.0.0/8
+ - ' 192.168.' #192.168.0.0/16
+ - ' 172.16.' #172.16.0.0/12
+ - ' 172.17.'
+ - ' 172.18.'
+ - ' 172.19.'
+ - ' 172.20.'
+ - ' 172.21.'
+ - ' 172.22.'
+ - ' 172.23.'
+ - ' 172.24.'
+ - ' 172.25.'
+ - ' 172.26.'
+ - ' 172.27.'
+ - ' 172.28.'
+ - ' 172.29.'
+ - ' 172.30.'
+ - ' 172.31.'
+ - ' 127.' #127.0.0.0/8
+ - ' 169.254.' #169.254.0.0/16
+ condition: 1 of selection*
falsepositives:
- - Legitimate administration activities
+ - Legitimate administration activities
level: low
tags:
- - attack.discovery
- - attack.t1018
+ - attack.discovery
+ - attack.t1018
diff --git a/rules/linux/process_creation/proc_creation_lnx_schedule_task_job_cron.yml b/rules/linux/process_creation/proc_creation_lnx_schedule_task_job_cron.yml
index 0a78a6256..963798bdd 100644
--- a/rules/linux/process_creation/proc_creation_lnx_schedule_task_job_cron.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_schedule_task_job_cron.yml
@@ -4,22 +4,22 @@ status: test
description: Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
author: Alejandro Ortuno, oscd.community
references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md
date: 2020/10/06
modified: 2021/11/27
logsource:
- category: process_creation
- product: linux
+ category: process_creation
+ product: linux
detection:
- selection:
- Image|endswith: 'crontab'
- CommandLine|contains: '/tmp/'
- condition: selection
+ selection:
+ Image|endswith: 'crontab'
+ CommandLine|contains: '/tmp/'
+ condition: selection
falsepositives:
- - Legitimate administration activities
+ - Legitimate administration activities
level: medium
tags:
- - attack.execution
- - attack.persistence
- - attack.privilege_escalation
- - attack.t1053.003
+ - attack.execution
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1053.003
diff --git a/rules/linux/process_creation/proc_creation_lnx_security_software_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_security_software_discovery.yml
index dd93f19bd..49c153a04 100644
--- a/rules/linux/process_creation/proc_creation_lnx_security_software_discovery.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_security_software_discovery.yml
@@ -4,29 +4,29 @@ status: test
description: Detects usage of system utilities (only grep for now) to discover security software discovery
author: Daniil Yugoslavskiy, oscd.community
references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md
date: 2020/10/19
modified: 2021/11/27
logsource:
- category: process_creation
- product: linux
+ category: process_creation
+ product: linux
detection:
- grep_execution:
- Image|endswith: '/grep'
- security_services_and_processes:
- CommandLine|contains:
- - 'nessusd' # nessus vulnerability scanner
- - 'td-agent' # fluentd log shipper
- - 'packetbeat' # elastic network logger/shipper
- - 'filebeat' # elastic log file shipper
- - 'auditbeat' # elastic auditing agent/log shipper
- - 'osqueryd' # facebook osquery
- - 'cbagentd' # carbon black
- - 'falcond' # crowdstrike falcon
- condition: grep_execution and security_services_and_processes
+ grep_execution:
+ Image|endswith: '/grep'
+ security_services_and_processes:
+ CommandLine|contains:
+ - 'nessusd' # nessus vulnerability scanner
+ - 'td-agent' # fluentd log shipper
+ - 'packetbeat' # elastic network logger/shipper
+ - 'filebeat' # elastic log file shipper
+ - 'auditbeat' # elastic auditing agent/log shipper
+ - 'osqueryd' # facebook osquery
+ - 'cbagentd' # carbon black
+ - 'falcond' # crowdstrike falcon
+ condition: grep_execution and security_services_and_processes
falsepositives:
- - Legitimate activities
+ - Legitimate activities
level: low
tags:
- - attack.discovery
- - attack.t1518.001
+ - attack.discovery
+ - attack.t1518.001
diff --git a/rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml b/rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml
index 0455235a2..b800cd73a 100644
--- a/rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml
@@ -6,7 +6,7 @@ author: Ömer Günal, Alejandro Ortuno, oscd.community
date: 2020/06/17
modified: 2021/09/14
references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.004/T1562.004.md
tags:
- attack.defense_evasion
- attack.t1562.004
@@ -80,4 +80,4 @@ detection:
condition: 1 of selection*
falsepositives:
- Legitimate administration activities
-level: medium
\ No newline at end of file
+level: medium
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_chmod_directories.yml b/rules/linux/process_creation/proc_creation_lnx_susp_chmod_directories.yml
index 080bc6be2..919dec84e 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_chmod_directories.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_chmod_directories.yml
@@ -4,24 +4,24 @@ status: experimental
description: Detects chmod targeting files in abnormal directory paths.
author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io'
references:
- - https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md
+ - https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.002/T1222.002.md
date: 2022/06/03
logsource:
- product: linux
- category: process_creation
+ product: linux
+ category: process_creation
detection:
- selection:
- Image|endswith: '/chmod'
- CommandLine|contains:
- - '/tmp/'
- - '/.Library/'
- - '/etc/'
- - '/opt/'
- condition: selection
+ selection:
+ Image|endswith: '/chmod'
+ CommandLine|contains:
+ - '/tmp/'
+ - '/.Library/'
+ - '/etc/'
+ - '/opt/'
+ condition: selection
falsepositives:
- - Admin changing file permissions.
+ - Admin changing file permissions.
level: medium
tags:
- - attack.defense_evasion
- - attack.t1222.002
+ - attack.defense_evasion
+ - attack.t1222.002
diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_recon_indicators.yml b/rules/linux/process_creation/proc_creation_lnx_susp_recon_indicators.yml
index b5c14e47b..3b903bde0 100644
--- a/rules/linux/process_creation/proc_creation_lnx_susp_recon_indicators.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_susp_recon_indicators.yml
@@ -4,22 +4,22 @@ status: experimental
description: Detects events with patterns found in commands used for reconnaissance on linux systems
author: Florian Roth
references:
- - https://github.com/sleventyeleven/linuxprivchecker/blob/master/linuxprivchecker.py
+ - https://github.com/sleventyeleven/linuxprivchecker/blob/0d701080bbf92efd464e97d71a70f97c6f2cd658/linuxprivchecker.py
date: 2022/06/20
logsource:
- category: process_creation
- product: linux
+ category: process_creation
+ product: linux
detection:
- selection:
- CommandLine|contains:
- - ' -name .htpasswd'
- - ' -perm -4000 '
- condition: selection
+ selection:
+ CommandLine|contains:
+ - ' -name .htpasswd'
+ - ' -perm -4000 '
+ condition: selection
falsepositives:
- - Legitimate administration activities
+ - Legitimate administration activities
level: high
tags:
- - attack.reconnaissance
- - attack.t1592.004
- - attack.credential_access
- - attack.t1552.001
+ - attack.reconnaissance
+ - attack.t1592.004
+ - attack.credential_access
+ - attack.t1552.001
diff --git a/rules/linux/process_creation/proc_creation_lnx_system_info_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_system_info_discovery.yml
index 8bec4ce24..cf961ff7a 100644
--- a/rules/linux/process_creation/proc_creation_lnx_system_info_discovery.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_system_info_discovery.yml
@@ -6,7 +6,7 @@ author: Ömer Günal, oscd.community
date: 2020/10/08
modified: 2021/09/14
references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1082/T1082.md
tags:
- attack.discovery
- attack.t1082
@@ -16,13 +16,13 @@ logsource:
detection:
selection:
Image|endswith:
- '/uname'
- '/hostname'
- '/uptime'
- '/lspci'
- '/dmidecode'
- '/lscpu'
- '/lsmod'
+ '/uname'
+ '/hostname'
+ '/uptime'
+ '/lspci'
+ '/dmidecode'
+ '/lscpu'
+ '/lsmod'
condition: selection
falsepositives:
- Legitimate administration activities
diff --git a/rules/linux/process_creation/proc_creation_lnx_system_network_connections_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_system_network_connections_discovery.yml
index b013e068b..5687b9b67 100644
--- a/rules/linux/process_creation/proc_creation_lnx_system_network_connections_discovery.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_system_network_connections_discovery.yml
@@ -4,24 +4,24 @@ status: test
description: Detects usage of system utilities to discover system network connections
author: Daniil Yugoslavskiy, oscd.community
references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md
date: 2020/10/19
modified: 2021/11/27
logsource:
- category: process_creation
- product: linux
+ category: process_creation
+ product: linux
detection:
- selection:
- Image|endswith:
- - '/who'
- - '/w'
- - '/last'
- - '/lsof'
- - '/netstat'
- condition: selection
+ selection:
+ Image|endswith:
+ - '/who'
+ - '/w'
+ - '/last'
+ - '/lsof'
+ - '/netstat'
+ condition: selection
falsepositives:
- - Legitimate activities
+ - Legitimate activities
level: low
tags:
- - attack.discovery
- - attack.t1049
+ - attack.discovery
+ - attack.t1049
diff --git a/rules/linux/process_creation/proc_creation_lnx_system_network_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_system_network_discovery.yml
index 891e743f3..354e8d008 100644
--- a/rules/linux/process_creation/proc_creation_lnx_system_network_discovery.yml
+++ b/rules/linux/process_creation/proc_creation_lnx_system_network_discovery.yml
@@ -4,30 +4,30 @@ status: test
description: Detects enumeration of local network configuration
author: Ömer Günal and remotephone, oscd.community
references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1016/T1016.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md
date: 2020/10/06
-modified: 2021/11/27
+modified: 2022/07/11
logsource:
- category: process_creation
- product: linux
+ category: process_creation
+ product: linux
detection:
- selection1:
- Image|endswith:
- - '/firewall-cmd'
- - '/ufw'
- - '/iptables'
- - '/netstat'
- - '/ss'
- - '/ip'
- - '/ifconfig'
- - '/systemd-resolve'
- - '/route'
- selection2:
- CommandLine|contains: '/etc/resolv.conf'
- condition: selection1 or selection2
+ selection1:
+ Image|endswith:
+ - '/firewall-cmd'
+ - '/ufw'
+ - '/iptables'
+ - '/netstat'
+ - '/ss'
+ - '/ip'
+ - '/ifconfig'
+ - '/systemd-resolve'
+ - '/route'
+ selection2:
+ CommandLine|contains: '/etc/resolv.conf'
+ condition: 1 of selection*
falsepositives:
- - Legitimate administration activities
+ - Legitimate administration activities
level: informational
tags:
- - attack.discovery
- - attack.t1016
+ - attack.discovery
+ - attack.t1016
diff --git a/rules/macos/file_event/file_event_macos_emond_launch_daemon.yml b/rules/macos/file_event/file_event_macos_emond_launch_daemon.yml
index 834ba05d5..31f58b372 100644
--- a/rules/macos/file_event/file_event_macos_emond_launch_daemon.yml
+++ b/rules/macos/file_event/file_event_macos_emond_launch_daemon.yml
@@ -4,20 +4,20 @@ status: test
description: Detects additions to the Emond Launch Daemon that adversaries may use to gain persistence and elevate privileges.
author: Alejandro Ortuno, oscd.community
references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.014/T1546.014.md
- - https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.014/T1546.014.md
+ - https://posts.specterops.io/leveraging-emond-on-macos-for-persistence-a040a2785124
date: 2020/10/23
modified: 2021/11/27
logsource:
- category: file_event
- product: macos
+ category: file_event
+ product: macos
detection:
- selection_1:
- TargetFilename|contains: '/etc/emond.d/rules/'
- TargetFilename|endswith: '.plist'
- selection_2:
- TargetFilename|contains: '/private/var/db/emondClients/'
- condition: selection_1 or selection_2
+ selection_1:
+ TargetFilename|contains: '/etc/emond.d/rules/'
+ TargetFilename|endswith: '.plist'
+ selection_2:
+ TargetFilename|contains: '/private/var/db/emondClients/'
+ condition: 1 of selection_*
falsepositives:
- Legitimate administration activities
level: medium
diff --git a/rules/macos/file_event/file_event_macos_startup_items.yml b/rules/macos/file_event/file_event_macos_startup_items.yml
index e87e5b6db..f48a28967 100644
--- a/rules/macos/file_event/file_event_macos_startup_items.yml
+++ b/rules/macos/file_event/file_event_macos_startup_items.yml
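Review bot: `condition: 1 of selection_*` is equivalent to the old `selection_1 or selection_2`, but `modified: 2021/11/27` is left untouched here, whereas the same commit bumps `modified` to `2022/07/11` in the network-discovery and startup-items rules for the same kind of condition rewrite; set `modified: 2022/07/11` in this rule too so downstream consumers that key on rule metadata notice the detection block changed. The hunk ends at `level: medium` and shows no `tags:` block; if the file really has none (it is cut off there, so this is inferred), adding `attack.persistence` / `attack.privilege_escalation` / `attack.t1546.014` would match the tagging the other rules in this diff carry and the persistence/elevation wording of the description.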
@@ -4,22 +4,21 @@ status: test
description: Detects creation of startup item plist files that automatically get executed at boot initialization to establish persistence.
author: Alejandro Ortuno, oscd.community
references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1037.005/T1037.005.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1037.005/T1037.005.md
date: 2020/10/14
-modified: 2021/11/27
+modified: 2022/07/11
logsource:
- category: file_event
- product: macos
+ category: file_event
+ product: macos
detection:
- selection_1:
- TargetFilename|contains: '/Library/StartupItems/'
- selection_2:
- TargetFilename|endswith: '.plist'
- condition: selection_1 and selection_2
+ selection:
+ - TargetFilename|contains: '/Library/StartupItems/'
+ - TargetFilename|endswith: '.plist'
+ condition: selection
falsepositives:
- - Legitimate administration activities
+ - Legitimate administration activities
level: low
tags:
- - attack.persistence
- - attack.privilege_escalation
- - attack.t1037.005
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1037.005
diff --git a/rules/macos/process_creation/proc_creation_macos_applescript.yml b/rules/macos/process_creation/proc_creation_macos_applescript.yml
index 1c4308a70..bd152d724 100644
--- a/rules/macos/process_creation/proc_creation_macos_applescript.yml
+++ b/rules/macos/process_creation/proc_creation_macos_applescript.yml
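Review bot: The rewritten `selection:` is a list of two maps (`- TargetFilename|contains: …` and `- TargetFilename|endswith: …`), and in Sigma a list of maps under a selection is OR-linked, so this hunk silently turns the original `selection_1 and selection_2` into "contains OR endswith" and the rule would now fire on every `.plist` file write on the host, not only those under `/Library/StartupItems/`. The emond rule in this same commit shows the intended AND form, with both field modifiers as keys of one map. Replace the two list items with `selection:` / `  TargetFilename|contains: '/Library/StartupItems/'` / `  TargetFilename|endswith: '.plist'` (no leading `- `) and keep `condition: selection`; the `modified: 2022/07/11` bump is appropriate either way.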
@@ -4,20 +4,20 @@ status: test
description: Detects execution of AppleScript of the macOS scripting language AppleScript.
author: Alejandro Ortuno, oscd.community
references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.002/T1059.002.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.002/T1059.002.md
date: 2020/10/21
modified: 2021/11/27
logsource:
- category: process_creation
- product: macos
+ category: process_creation
+ product: macos
detection:
- selection:
- Image|endswith: '/osascript'
- CommandLine|contains: '-e'
- condition: selection
+ selection:
+ Image|endswith: '/osascript'
+ CommandLine|contains: '-e'
+ condition: selection
falsepositives:
- - Application installers might contain scripts as part of the installation process.
+ - Application installers might contain scripts as part of the installation process.
level: medium
tags:
- - attack.execution
- - attack.t1059.002
+ - attack.execution
+ - attack.t1059.002
diff --git a/rules/macos/process_creation/proc_creation_macos_base64_decode.yml b/rules/macos/process_creation/proc_creation_macos_base64_decode.yml
index dd1a3dc4e..f56a77faa 100644
--- a/rules/macos/process_creation/proc_creation_macos_base64_decode.yml
+++ b/rules/macos/process_creation/proc_creation_macos_base64_decode.yml
@@ -4,20 +4,20 @@ status: test
description: Detects usage of base64 utility to decode arbitrary base64-encoded text
author: Daniil Yugoslavskiy, oscd.community
references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027/T1027.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md
date: 2020/10/19
modified: 2021/11/27
logsource:
- category: process_creation
- product: macos
+ category: process_creation
+ product: macos
detection:
- selection:
- Image: '/usr/bin/base64'
- CommandLine|contains: '-d'
- condition: selection
+ selection:
+ Image: '/usr/bin/base64'
+ CommandLine|contains: '-d'
+ condition: selection
falsepositives:
- - Legitimate activities
+ - Legitimate activities
level: low
tags:
- - attack.defense_evasion
- - attack.t1027
+ - attack.defense_evasion
+ - attack.t1027
diff --git a/rules/macos/process_creation/proc_creation_macos_binary_padding.yml b/rules/macos/process_creation/proc_creation_macos_binary_padding.yml
index 107d98437..cd3ac0294 100644
--- a/rules/macos/process_creation/proc_creation_macos_binary_padding.yml
+++ b/rules/macos/process_creation/proc_creation_macos_binary_padding.yml
@@ -4,25 +4,25 @@ status: test
description: 'Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This rule detect using dd and truncate to add a junk data to file.'
author: 'Igor Fits, Mikhail Larin, oscd.community'
references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.001/T1027.001.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.001/T1027.001.md
date: 2020/10/19
modified: 2021/11/27
logsource:
- product: macos
- category: process_creation
+ product: macos
+ category: process_creation
detection:
- selection1:
- Image|endswith: '/truncate'
- CommandLine|contains: '-s'
- selection2:
- Image|endswith: '/dd'
- CommandLine|contains: 'if='
- filter:
- CommandLine|contains: 'of='
- condition: selection1 or (selection2 and not filter)
+ selection1:
+ Image|endswith: '/truncate'
+ CommandLine|contains: '-s'
+ selection2:
+ Image|endswith: '/dd'
+ CommandLine|contains: 'if='
+ filter:
+ CommandLine|contains: 'of='
+ condition: selection1 or (selection2 and not filter)
falsepositives:
- - Legitimate script work
+ - Legitimate script work
level: high
tags:
- - attack.defense_evasion
- - attack.t1027.001
+ - attack.defense_evasion
+ - attack.t1027.001
diff --git a/rules/macos/process_creation/proc_creation_macos_change_file_time_attr.yml b/rules/macos/process_creation/proc_creation_macos_change_file_time_attr.yml
index ea20d305f..a6f9cfd4f 100644
--- a/rules/macos/process_creation/proc_creation_macos_change_file_time_attr.yml
+++ b/rules/macos/process_creation/proc_creation_macos_change_file_time_attr.yml
@@ -1,28 +1,27 @@
title: 'File Time Attribute Change'
id: 88c0f9d8-30a8-4120-bb6b-ebb54abcf2a0
status: test
-description: 'Detect file time attribute change to hide new or changes to existing files.'
+description: Detect file time attribute change to hide new or changes to existing files
author: 'Igor Fits, Mikhail Larin, oscd.community'
references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md
date: 2020/10/19
modified: 2021/11/27
logsource:
- product: macos
- category: process_creation
+ product: macos
+ category: process_creation
detection:
- selection1:
- Image|endswith: '/touch'
- selection2:
- CommandLine|contains:
- - '-t'
- - '-acmr'
- - '-d'
- - '-r'
- condition: all of selection*
+ selection:
+ Image|endswith: '/touch'
+ CommandLine|contains:
+ - '-t'
+ - '-acmr'
+ - '-d'
+ - '-r'
+ condition: selection
falsepositives:
- - Unknown
+ - Unknown
level: medium
tags:
- - attack.defense_evasion
- - attack.t1070.006
+ - attack.defense_evasion
+ - attack.t1070.006
diff --git a/rules/macos/process_creation/proc_creation_macos_remote_system_discovery.yml b/rules/macos/process_creation/proc_creation_macos_remote_system_discovery.yml
index 3aa5400fa..3c152beea 100644
--- a/rules/macos/process_creation/proc_creation_macos_remote_system_discovery.yml
+++ b/rules/macos/process_creation/proc_creation_macos_remote_system_discovery.yml
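Review bot: Folding `selection1`/`selection2` into a single `selection` map preserves the AND semantics of the old `all of selection*`, so detection is unchanged, but `modified: 2021/11/27` is not bumped even though the detection block was restructured, while the network-discovery and startup-items rules in this same commit move `modified` to `2022/07/11` for comparable rewrites; set `modified: 2022/07/11` here as well. Separately, the retained `CommandLine|contains` values `'-t'`, `'-d'` and `'-r'` have no leading space, so any touch invocation whose path merely contains those characters (for example `touch /tmp/build-test`) also matches; anchoring them as `' -t'`, `' -d'`, `' -r'` (and `' -acmr'`) would cut that noise, although this predates the commit.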
@@ -4,43 +4,43 @@ status: test
description: Detects the enumeration of other remote systems.
author: Alejandro Ortuno, oscd.community
references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
date: 2020/10/22
modified: 2021/11/27
logsource:
- category: process_creation
- product: macos
+ category: process_creation
+ product: macos
detection:
- selection_1:
- Image|endswith: '/arp'
- CommandLine|contains: '-a'
- selection_2:
- Image|endswith: '/ping'
- CommandLine|contains:
- - ' 10.' #10.0.0.0/8
- - ' 192.168.' #192.168.0.0/16
- - ' 172.16.' #172.16.0.0/12
- - ' 172.17.'
- - ' 172.18.'
- - ' 172.19.'
- - ' 172.20.'
- - ' 172.21.'
- - ' 172.22.'
- - ' 172.23.'
- - ' 172.24.'
- - ' 172.25.'
- - ' 172.26.'
- - ' 172.27.'
- - ' 172.28.'
- - ' 172.29.'
- - ' 172.30.'
- - ' 172.31.'
- - ' 127.' #127.0.0.0/8
- - ' 169.254.' #169.254.0.0/16
- condition: 1 of selection*
+ selection_1:
+ Image|endswith: '/arp'
+ CommandLine|contains: '-a'
+ selection_2:
+ Image|endswith: '/ping'
+ CommandLine|contains:
+ - ' 10.' #10.0.0.0/8
+ - ' 192.168.' #192.168.0.0/16
+ - ' 172.16.' #172.16.0.0/12
+ - ' 172.17.'
+ - ' 172.18.'
+ - ' 172.19.'
+ - ' 172.20.'
+ - ' 172.21.'
+ - ' 172.22.'
+ - ' 172.23.'
+ - ' 172.24.'
+ - ' 172.25.'
+ - ' 172.26.'
+ - ' 172.27.'
+ - ' 172.28.'
+ - ' 172.29.'
+ - ' 172.30.'
+ - ' 172.31.'
+ - ' 127.' #127.0.0.0/8
+ - ' 169.254.' #169.254.0.0/16
+ condition: 1 of selection*
falsepositives:
- - Legitimate administration activities
+ - Legitimate administration activities
level: informational
tags:
- - attack.discovery
- - attack.t1018
+ - attack.discovery
+ - attack.t1018
diff --git a/rules/macos/process_creation/proc_creation_macos_schedule_task_job_cron.yml b/rules/macos/process_creation/proc_creation_macos_schedule_task_job_cron.yml
index 98db020a8..e85588da6 100644
--- a/rules/macos/process_creation/proc_creation_macos_schedule_task_job_cron.yml
+++ b/rules/macos/process_creation/proc_creation_macos_schedule_task_job_cron.yml
@@ -4,22 +4,22 @@ status: test
description: Detects abuse of the cron utility to perform task scheduling for initial or recurring execution of malicious code. Detection will focus on crontab jobs uploaded from the tmp folder.
author: Alejandro Ortuno, oscd.community
references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.003/T1053.003.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.003/T1053.003.md
date: 2020/10/06
modified: 2021/11/27
logsource:
- category: process_creation
- product: macos
+ category: process_creation
+ product: macos
detection:
- selection:
- Image|endswith: '/crontab'
- CommandLine|contains: '/tmp/'
- condition: selection
+ selection:
+ Image|endswith: '/crontab'
+ CommandLine|contains: '/tmp/'
+ condition: selection
falsepositives:
- - Legitimate administration activities
+ - Legitimate administration activities
level: medium
tags:
- - attack.execution
- - attack.persistence
- - attack.privilege_escalation
- - attack.t1053.003
+ - attack.execution
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1053.003
diff --git a/rules/network/zeek/zeek_dns_torproxy.yml b/rules/network/zeek/zeek_dns_torproxy.yml
index 38a787730..7807a9568 100644
--- a/rules/network/zeek/zeek_dns_torproxy.yml
+++ b/rules/network/zeek/zeek_dns_torproxy.yml
@@ -3,15 +3,12 @@ id: a8322756-015c-42e7-afb1-436e85ed3ff5
description: Identifies IPs performing DNS lookups associated with common Tor proxies.
status: experimental
references:
- - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimDNS/imDNS_TorProxies.yaml
+ - https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/ASimDNS/imDNS_TorProxies.yaml
date: 2021/08/15
author: Saw Winn Naung , Azure-Sentinel
-level: medium
-logsource:
- service: dns
- product: zeek
-tags:
- - attack.t1048
+logsource:
+ service: dns
+ product: zeek
detection:
selection:
query:
@@ -50,3 +47,8 @@ detection:
condition: selection
fields:
- clientip
+falsepositives: - Unknown
+level: medium
+tags: - attack.t1048
\ No newline at end of file
diff --git a/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml b/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml
index df467848c..cb0f6683b 100644
--- a/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml
+++ b/rules/network/zeek/zeek_http_omigod_no_auth_rce.yml
@@ -1,5 +1,6 @@
title: OMIGOD HTTP No Authentication RCE
id: ab6b1a39-a9ee-4ab4-b075-e83acf6e346b
+status: stable
description: Detects the exploitation of OMIGOD (CVE-2021-38647) which allows remote execute (RCE) commands as root with just a single unauthenticated HTTP request. Verify, successful, exploitation by viewing the HTTP client (request) body to see what was passed to the server (using PCAP). Within the client body is where the code execution would occur. Additionally, check the endpoint logs to see if suspicious commands or activity occurred within the timeframe of this HTTP request.
author: Nate Guagenti (neu5ron)
date: 2021/09/20
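Review bot: The `\ No newline at end of file` marker following the added `+tags:` / `- attack.t1048` lines shows that the rewritten zeek_dns_torproxy.yml now ends without a terminating newline, which is exactly the yamllint `new-line-at-end-of-file` defect this same commit repairs in proc_creation_lnx_security_tools_disabling.yml; add the trailing newline after `- attack.t1048`. The new `falsepositives:` / `- Unknown` entry is an acceptable placeholder, but given the description (DNS lookups for common Tor proxy names) a more actionable entry such as `- Security scanners and threat-intelligence enrichment resolving known Tor proxy domains` would likely help triage, though that is a suggestion rather than something the hunk establishes. The `query:` list this rule matches on is outside the hunk, so its contents were not reviewed.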
@@ -20,7 +21,7 @@ tags:
logsource:
product: zeek
service: http
- definition: Enable the builtin Zeek script that logs all HTTP header names by adding "@load policy/protocols/http/header-names" to your local.zeek config file. The script can be seen here for reference https://github.com/zeek/zeek/blob/master/scripts/policy/protocols/http/header-names.zeek
+ definition: Enable the builtin Zeek script that logs all HTTP header names by adding "@load policy/protocols/http/header-names" to your local.zeek config file. The script can be seen here for reference https://github.com/zeek/zeek/blob/d957f883df242ef159cfd846884e673addeea7a5/scripts/policy/protocols/http/header-names.zeek
detection:
selection:
status_code: 200
@@ -37,10 +38,6 @@ detection:
# - 1270
condition: selection and not auth_header and not too_small_http_client_body
#condition: selection and winrm_ports and not auth_header and not too_small_http_client_body # Enable this to only perform search on default WinRM ports, however those ports are sometimes changed and therefore this is disabled by default to give a broader coverage of this rule
-falsepositives: - Exploits that were attempted but unsuccessful. - Scanning attempts with the abnormal use of the HTTP POST method with no indication of code execution within the HTTP Client (Request) body. An example would be vulnerability scanners trying to identify unpatched versions while not actually exploiting the vulnerability. See description for investigation tips.
-level: high
fields:
- id.orig_h
- id.resp_h
@@ -51,4 +48,7 @@ fields:
- request_body_len
- response_body_len
- user_agent
-status: stable
+falsepositives: - Exploits that were attempted but unsuccessful. - Scanning attempts with the abnormal use of the HTTP POST method with no indication of code execution within the HTTP Client (Request) body. An example would be vulnerability scanners trying to identify unpatched versions while not actually exploiting the vulnerability. See description for investigation tips.
+level: high
diff --git a/rules/web/web_apache_threading_error.yml b/rules/web/web_apache_threading_error.yml
index fdbf79f30..7ade8ce3d 100644
--- a/rules/web/web_apache_threading_error.yml
+++ b/rules/web/web_apache_threading_error.yml
@@ -4,15 +4,15 @@ status: test
description: Detects an issue in apache logs that reports threading related errors
author: Florian Roth
references:
- - https://github.com/hannob/apache-uaf/blob/master/README.md
+ - https://github.com/hannob/apache-uaf/blob/da40f2be3684c8095ec6066fa68eb5c07a086233/README.md
date: 2019/01/22
modified: 2021/11/27
logsource:
- service: apache
+ service: apache
detection:
- keywords:
- - '__pthread_tpp_change_priority: Assertion `new_prio == -1 || (new_prio >= fifo_min_prio && new_prio <= fifo_max_prio)'
- condition: keywords
+ keywords:
+ - '__pthread_tpp_change_priority: Assertion `new_prio == -1 || (new_prio >= fifo_min_prio && new_prio <= fifo_max_prio)'
+ condition: keywords
falsepositives:
- - 3rd party apache modules - https://bz.apache.org/bugzilla/show_bug.cgi?id=46185
+ - 3rd party apache modules - https://bz.apache.org/bugzilla/show_bug.cgi?id=46185
level: medium
diff --git a/rules/web/web_cve_2019_19781_citrix_exploit.yml b/rules/web/web_cve_2019_19781_citrix_exploit.yml
index 6a1494cd8..910b5a376 100644
--- a/rules/web/web_cve_2019_19781_citrix_exploit.yml
+++ b/rules/web/web_cve_2019_19781_citrix_exploit.yml
@@ -4,31 +4,31 @@ status: test description: Detects CVE-2019-19781 exploitation attempt against Citrix Netscaler, Application Delivery Controller and Citrix Gateway Attack author: Arnim Rupp, Florian Roth references: - - https://support.citrix.com/article/CTX267679 - - https://support.citrix.com/article/CTX267027 - - https://isc.sans.edu/diary/25686 - - https://twitter.com/mpgn_x64/status/1216787131210829826 - - https://github.com/x1sec/x1sec.github.io/blob/master/CVE-2019-19781-DFIR.md + - https://support.citrix.com/article/CTX267679 + - https://support.citrix.com/article/CTX267027 + - https://isc.sans.edu/diary/25686 + - https://twitter.com/mpgn_x64/status/1216787131210829826 + - https://github.com/x1sec/CVE-2019-19781/blob/25f7ab97275b2d41800bb3414dac8ca3a78af7e5/CVE-2019-19781-DFIR.md date: 2020/01/02 modified: 2021/11/27 logsource: - category: webserver - definition: 'Make sure that your Netscaler appliance logs all kinds of attacks (test with http://your-citrix-gw.net/robots.txt). The directory traversal with ../ might not be needed on certain cloud instances or for authenticated users, so we also check for direct paths. All scripts in portal/scripts are exploitable except logout.pl.' + category: webserver + definition: 'Make sure that your Netscaler appliance logs all kinds of attacks (test with http://your-citrix-gw.net/robots.txt). The directory traversal with ../ might not be needed on certain cloud instances or for authenticated users, so we also check for direct paths. All scripts in portal/scripts are exploitable except logout.pl.' 
detection: - selection: - c-uri: - - '*/../vpns/*' - - '*/vpns/cfg/smb.conf' - - '*/vpns/portal/scripts/*.pl*' - condition: selection + selection: + c-uri: + - '*/../vpns/*' + - '*/vpns/cfg/smb.conf' + - '*/vpns/portal/scripts/*.pl*' + condition: selection fields: - - client_ip - - vhost - - url - - response + - client_ip + - vhost + - url + - response falsepositives: - - Unknown + - Unknown level: critical tags: - - attack.initial_access - - attack.t1190 + - attack.initial_access + - attack.t1190 diff --git a/rules/web/web_cve_2021_41773_apache_path_traversal.yml b/rules/web/web_cve_2021_41773_apache_path_traversal.yml index 29b8d5fa2..7e6121456 100644 --- a/rules/web/web_cve_2021_41773_apache_path_traversal.yml +++ b/rules/web/web_cve_2021_41773_apache_path_traversal.yml 
@@ -4,19 +4,19 @@ status: experimental description: Detects exploitation of flaw in path normalization in Apache HTTP server 2.4.49. An attacker could use a path traversal attack to map URLs to files outside the expected document root. If files outside of the document root are not protected by "require all denied" these requests can succeed. Additionally this flaw could leak the source of interpreted files like CGI scripts. This issue is known to be exploited in the wild. This issue only affects Apache 2.4.49 and not earlier versions. author: daffainfo, Florian Roth date: 2021/10/05 -modified: 2021/10/06 +modified: 2022/07/11 references: - https://nvd.nist.gov/vuln/detail/CVE-2021-41773 - https://github.com/apache/httpd/commit/e150697086e70c552b2588f369f2d17815cb1782 - https://twitter.com/ptswarm/status/1445376079548624899 - https://twitter.com/h4x0r_dz/status/1445401960371429381 - - https://github.com/projectdiscovery/nuclei-templates/blob/master/cves/2021/CVE-2021-41773.yaml + - https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/cves/2021/CVE-2021-41773.yaml - https://twitter.com/bl4sty/status/1445462677824761878 logsource: category: webserver detection: - selection: - c-uri|contains: + selection_uri: + c-uri|contains: - '/cgi-bin/.%2e/' - '/icons/.%2e/' - '/cgi-bin/.%%32%65/' @@ -24,10 +24,10 @@ detection: - '/cgi-bin/.%%%25%33' - '/icons/.%%%25%33' selection_success: - sc-status: + sc-status: - 200 - - 301 - condition: selection and selection_success + - 301 + condition: all of selection_* falsepositives: - Unknown tags: diff --git a/rules/web/web_iis_tilt_shortname_scan.yml b/rules/web/web_iis_tilt_shortname_scan.yml index eebef6273..7fcee4b9c 100644 --- a/rules/web/web_iis_tilt_shortname_scan.yml +++ b/rules/web/web_iis_tilt_shortname_scan.yml 
@@ -2,9 +2,9 @@ title: Successful IIS Shortname Fuzzing Scan id: 7cb02516-6d95-4ffc-8eee-162075e111ac status: experimental author: frack113 -description: When IIS uses an old .Net Framework it's possible to enumeration folder with the symbol ~. +description: When IIS uses an old .Net Framework it's possible to enumerate folders with the symbol "~" references: - - https://github.com/projectdiscovery/nuclei-templates/blob/master/fuzzing/iis-shortname.yaml + - https://github.com/projectdiscovery/nuclei-templates/blob/9d2889356eebba661c8407038e430759dfd4ec31/fuzzing/iis-shortname.yaml - https://www.exploit-db.com/exploits/19525 - https://github.com/lijiejie/IIS_shortname_Scanner date: 2021/10/06 @@ -27,4 +27,4 @@ detection: condition: selection falsepositives: - Unknown -level: medium \ No newline at end of file +level: medium diff --git a/rules/windows/builtin/bits_client/win_bits_client_susp_domain.yml b/rules/windows/builtin/bits_client/win_bits_client_susp_domain.yml index 4379c3a40..a6e0ae1ea 100644 --- a/rules/windows/builtin/bits_client/win_bits_client_susp_domain.yml +++ b/rules/windows/builtin/bits_client/win_bits_client_susp_domain.yml @@ -3,7 +3,7 @@ id: d635249d-86b5-4dad-a8c7-d7272b788586 status: experimental description: Detects a suspicious download using the BITS client from a FQDN that is unusual. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads. references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md - https://twitter.com/malmoeb/status/1535142803075960832 author: Florian Roth date: 2022/06/28 @@ -13,7 +13,7 @@ logsource: detection: selection: EventID: 16403 - RemoteName|contains: + RemoteName|contains: - 'raw.githubusercontent.com' - 'gist.githubusercontent.com' - 'pastebin.com' 
diff --git a/rules/windows/builtin/bits_client/win_bits_client_susp_local_file.yml b/rules/windows/builtin/bits_client/win_bits_client_susp_local_file.yml index bab6511bd..ced1fa0ee 100644 --- a/rules/windows/builtin/bits_client/win_bits_client_susp_local_file.yml +++ b/rules/windows/builtin/bits_client/win_bits_client_susp_local_file.yml @@ -5,7 +5,7 @@ description: | Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md author: frack113 date: 2022/03/01 modified: 2022/06/12 @@ -26,7 +26,7 @@ detection: RemoteName|contains: '.com' condition: selection and not filter falsepositives: - - Administrator PowerShell scripts + - Administrator PowerShell scripts level: medium tags: - attack.defense_evasion diff --git a/rules/windows/builtin/bits_client/win_bits_client_susp_local_folder.yml b/rules/windows/builtin/bits_client/win_bits_client_susp_local_folder.yml index 662ef1a86..7eb90b682 100644 --- a/rules/windows/builtin/bits_client/win_bits_client_susp_local_folder.yml +++ b/rules/windows/builtin/bits_client/win_bits_client_susp_local_folder.yml 
@@ -5,7 +5,7 @@ description: | Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md author: Florian Roth date: 2022/06/28 logsource: @@ -20,7 +20,7 @@ detection: - '\Desktop\' condition: selection falsepositives: - - Administrator PowerShell scripts + - Administrator PowerShell scripts level: high tags: - attack.defense_evasion diff --git a/rules/windows/builtin/bits_client/win_bits_client_susp_powershell_job.yml b/rules/windows/builtin/bits_client/win_bits_client_susp_powershell_job.yml index 6a9c27b1b..56d8ae6b9 100644 --- a/rules/windows/builtin/bits_client/win_bits_client_susp_powershell_job.yml +++ b/rules/windows/builtin/bits_client/win_bits_client_susp_powershell_job.yml @@ -5,7 +5,7 @@ description: | Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md author: frack113 date: 2022/03/01 logsource: @@ -17,7 +17,7 @@ detection: processPath|endswith: '\powershell.exe' condition: selection falsepositives: - - Administrator PowerShell scripts + - Administrator PowerShell scripts level: low tags: - attack.defense_evasion 
diff --git a/rules/windows/builtin/bits_client/win_bits_client_susp_use_bitsadmin.yml b/rules/windows/builtin/bits_client/win_bits_client_susp_use_bitsadmin.yml index 1ccb2af71..eb8406bae 100644 --- a/rules/windows/builtin/bits_client/win_bits_client_susp_use_bitsadmin.yml +++ b/rules/windows/builtin/bits_client/win_bits_client_susp_use_bitsadmin.yml @@ -5,7 +5,7 @@ description: | Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md author: frack113 date: 2022/03/01 logsource: @@ -17,7 +17,7 @@ detection: processPath|endswith: '\bitsadmin.exe' condition: selection falsepositives: - - Administrator PowerShell scripts + - Administrator PowerShell scripts level: low tags: - attack.defense_evasion diff --git a/rules/windows/builtin/bits_client/win_bits_client_uncommon_domain.yml b/rules/windows/builtin/bits_client/win_bits_client_uncommon_domain.yml index b8da1a08b..98ebcdc74 100644 --- a/rules/windows/builtin/bits_client/win_bits_client_uncommon_domain.yml +++ b/rules/windows/builtin/bits_client/win_bits_client_uncommon_domain.yml 
@@ -3,7 +3,7 @@ id: 6d44fb93-e7d2-475c-9d3d-54c9c1e33427 status: experimental description: Detects a suspicious download using the BITS client from a FQDN that is unusual. Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads. references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md - https://twitter.com/malmoeb/status/1535142803075960832 author: Florian Roth date: 2022/06/10 @@ -15,7 +15,7 @@ detection: selection: EventID: 16403 filter: - RemoteName|contains: + RemoteName|contains: - '.com' - '.azureedge.net' - '.sfx.ms' diff --git a/rules/windows/builtin/ldap/win_ldap_recon.yml b/rules/windows/builtin/ldap/win_ldap_recon.yml index e0a9559dd..27c3f6914 100644 --- a/rules/windows/builtin/ldap/win_ldap_recon.yml +++ b/rules/windows/builtin/ldap/win_ldap_recon.yml @@ -6,8 +6,8 @@ author: Adeem Mawani date: 2021/06/22 references: - https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726 - - https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1 - - https://github.com/BloodHoundAD/SharpHound3/blob/master/SharpHound3/LdapBuilder.cs + - https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/Recon/PowerView.ps1 + - https://github.com/BloodHoundAD/SharpHound3/blob/7d96b991b1887ff50349ce59c80980bc0d95c86a/SharpHound3/LdapBuilder.cs logsource: product: windows service: ldap_debug diff --git a/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml b/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml index 663155d08..94d65c157 100644 --- a/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml 
+++ b/rules/windows/builtin/msexchange/win_exchange_proxyshell_remove_mailbox_export.yml @@ -3,14 +3,14 @@ id: 09570ae5-889e-43ea-aac0-0e1221fb3d95 status: experimental description: Detects removal of an exported Exchange mailbox which could be to cover tracks from ProxyShell exploit references: - - https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/http/exchange_proxyshell_rce.rb#L430 + - https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/modules/exploits/windows/http/exchange_proxyshell_rce.rb#L430 author: Christian Burkard date: 2021/08/27 -logsource: +logsource: service: msexchange-management product: windows detection: - command: + command: - 'Remove-MailboxExportRequest' - ' -Identity ' - ' -Confirm "False"' diff --git a/rules/windows/builtin/security/win_aadhealth_mon_agent_regkey_access.yml b/rules/windows/builtin/security/win_aadhealth_mon_agent_regkey_access.yml index 7636940d3..2474b134f 100644 --- a/rules/windows/builtin/security/win_aadhealth_mon_agent_regkey_access.yml +++ b/rules/windows/builtin/security/win_aadhealth_mon_agent_regkey_access.yml @@ -11,7 +11,7 @@ tags: - attack.t1012 references: - https://o365blog.com/post/hybridhealthagent/ - - https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_monitoring_agent.yml + - https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_monitoring_agent.yml logsource: product: windows service: security diff --git a/rules/windows/builtin/security/win_aadhealth_svc_agent_regkey_access.yml b/rules/windows/builtin/security/win_aadhealth_svc_agent_regkey_access.yml index fa30f12d6..2fbff184b 100644 --- a/rules/windows/builtin/security/win_aadhealth_svc_agent_regkey_access.yml +++ b/rules/windows/builtin/security/win_aadhealth_svc_agent_regkey_access.yml 
@@ -13,7 +13,7 @@ tags: - attack.t1012 references: - https://o365blog.com/post/hybridhealthagent/ - - https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml + - https://github.com/OTRF/Set-AuditRule/blob/c3dec5443414231714d850565d364ca73475ade5/rules/registry/aad_connect_health_service_agent.yml logsource: product: windows service: security diff --git a/rules/windows/builtin/security/win_alert_ruler.yml b/rules/windows/builtin/security/win_alert_ruler.yml index 94c382c2f..6b685d263 100644 --- a/rules/windows/builtin/security/win_alert_ruler.yml +++ b/rules/windows/builtin/security/win_alert_ruler.yml @@ -8,7 +8,7 @@ modified: 2021/08/09 references: - https://github.com/sensepost/ruler - https://github.com/sensepost/ruler/issues/47 - - https://github.com/staaldraad/go-ntlm/blob/master/ntlm/ntlmv1.go#L427 + - https://github.com/staaldraad/go-ntlm/blob/cd032d41aa8ce5751c07cb7945400c0f5c81e2eb/ntlm/ntlmv1.go#L427 - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4776 - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624 tags: diff --git a/rules/windows/builtin/security/win_event_log_cleared.yml b/rules/windows/builtin/security/win_event_log_cleared.yml index 3bb242439..ab53b18be 100644 --- a/rules/windows/builtin/security/win_event_log_cleared.yml +++ b/rules/windows/builtin/security/win_event_log_cleared.yml 
@@ -2,15 +2,15 @@ title: Security Event Log Cleared id: a122ac13-daf8-4175-83a2-72c387be339d status: experimental description: Checks for event id 1102 which indicates the security event log was cleared. -references: - - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/SecurityEventLogCleared.yaml +references: + - https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/SecurityEventLogCleared.yaml date: 2021/08/15 modified: 2021/10/13 author: Saw Winn Naung level: medium -logsource: - service: security - product: windows +logsource: + service: security + product: windows tags: - attack.t1070.001 detection: diff --git a/rules/windows/builtin/security/win_invoke_obfuscation_obfuscated_iex_services_security.yml b/rules/windows/builtin/security/win_invoke_obfuscation_obfuscated_iex_services_security.yml index 14b5f86e4..d4bf55fd5 100644 --- a/rules/windows/builtin/security/win_invoke_obfuscation_obfuscated_iex_services_security.yml +++ b/rules/windows/builtin/security/win_invoke_obfuscation_obfuscated_iex_services_security.yml 
@@ -3,13 +3,13 @@ id: fd0f5778-d3cb-4c9a-9695-66759d04702a related: - id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9 type: derived -description: 'Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references' -references: - - https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888 +description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references +references: + - https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888 status: experimental author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community date: 2019/11/08 -modified: 2021/09/16 +modified: 2022/07/11 tags: - attack.defense_evasion - attack.t1027 @@ -17,9 +17,9 @@ logsource: product: windows service: security detection: - selection: + selection_eid: EventID: 4697 - selection_1: + selection_servicefilename: - ServiceFileName|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[' - ServiceFileName|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[' - ServiceFileName|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[' @@ -27,7 +27,7 @@ detection: - ServiceFileName|re: '\\*mdr\*\W\s*\)\.Name' - ServiceFileName|re: '\$VerbosePreference\.ToString\(' - ServiceFileName|re: '\String\]\s*\$VerbosePreference' - condition: selection and selection_1 + condition: all of selection_* falsepositives: - Unknown level: high \ No newline at end of file diff --git a/rules/windows/builtin/security/win_metasploit_authentication.yml b/rules/windows/builtin/security/win_metasploit_authentication.yml index 2addf4d35..e3158f137 100644 --- a/rules/windows/builtin/security/win_metasploit_authentication.yml +++ b/rules/windows/builtin/security/win_metasploit_authentication.yml 
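Review bot: The new side of this file still ends without a trailing newline — the `\ No newline at end of file` marker after `level: high` sits on a context line, so it applies to both sides — while this same commit adds the missing final newline to the IIS shortname, VSSAudit, defender-disabled and the sibling system-service Invoke-Obfuscation rule (51aa9387). Adding the newline here keeps the two Invoke-Obfuscation rules consistent and avoids the next edit producing a spurious `-level: high`/`+level: high` pair. The rename to `selection_eid`/`selection_servicefilename` with `condition: all of selection_*` is equivalent to the old `selection and selection_1`, so no behaviour change is implied.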
@@ -5,8 +5,8 @@ id: 72124974-a68b-4366-b990-d30e0b2a190d author: Chakib Gzenayi (@Chak092), Hosni Mribah date: 2020/05/06 modified: 2021/07/07 -references: - - https://github.com/rapid7/metasploit-framework/blob/master/lib/rex/proto/smb/client.rb +references: + - https://github.com/rapid7/metasploit-framework/blob/1416b5776d963f21b7b5b45d19f3e961201e0aed/lib/rex/proto/smb/client.rb tags: - attack.lateral_movement - attack.t1021.002 @@ -25,7 +25,7 @@ detection: ProcessName: EventID: 4776 Workstation|re: '^[A-Za-z0-9]{16}$' - condition: selection1 or selection2 + condition: 1 of selection* falsepositives: - Linux hostnames composed of 16 characters. level: high diff --git a/rules/windows/builtin/security/win_rdp_reverse_tunnel.yml b/rules/windows/builtin/security/win_rdp_reverse_tunnel.yml index 0c2b8efb5..4362daa68 100644 --- a/rules/windows/builtin/security/win_rdp_reverse_tunnel.yml +++ b/rules/windows/builtin/security/win_rdp_reverse_tunnel.yml @@ -4,7 +4,7 @@ status: experimental description: Detects svchost hosting RDP termsvcs communicating with the loopback address references: - https://twitter.com/SBousseaden/status/1096148422984384514 - - https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/master/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx + - https://github.com/sbousseaden/EVTX-ATTACK-SAMPLES/blob/44fbe85f72ee91582876b49678f9a26292a155fb/Command%20and%20Control/DE_RDP_Tunnel_5156.evtx author: Samir Bousseaden date: 2019/02/16 modified: 2022/06/29 diff --git a/rules/windows/builtin/security/win_smb_file_creation_admin_shares.yml b/rules/windows/builtin/security/win_smb_file_creation_admin_shares.yml index 5f19a2da4..8f1d9374b 100644 --- a/rules/windows/builtin/security/win_smb_file_creation_admin_shares.yml +++ b/rules/windows/builtin/security/win_smb_file_creation_admin_shares.yml 
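Review bot: `condition: 1 of selection*` rewrites the rule's condition in the second hunk, but `modified: 2021/07/07` in the first hunk is left untouched, whereas the comparable condition rewrites in this commit (CVE-2021-41773 and both Invoke-Obfuscation rules) bump the date to `modified: 2022/07/11`. Even though `1 of selection*` is logically the same as `selection1 or selection2`, the rule file changed, so the date should follow: `modified: 2022/07/11`. Both `selection1` and `selection2` match the `selection*` glob and nothing else visible in the detection block does, so the rewrite itself looks correct; the start of the detection block is outside this hunk.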
@@ -4,24 +4,24 @@ status: test description: Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$). author: Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research) references: - - https://github.com/OTRF/ThreatHunter-Playbook/blob/master/playbooks/WIN-201012004336.yaml - - https://securitydatasets.com/notebooks/small/windows/08_lateral_movement/SDWIN-200806015757.html?highlight=create%20file + - https://github.com/OTRF/ThreatHunter-Playbook/blob/f7a58156dbfc9b019f17f638b8c62d22e557d350/playbooks/WIN-201012004336.yaml + - https://securitydatasets.com/notebooks/small/windows/08_lateral_movement/SDWIN-200806015757.html?highlight=create%20file date: 2020/08/06 modified: 2021/11/27 logsource: - product: windows - service: security + product: windows + service: security detection: - selection: - EventID: 5145 - ShareName|endswith: 'C$' - AccessMask: '0x2' - filter: - SubjectUserName|endswith: '$' - condition: selection and not filter + selection: + EventID: 5145 + ShareName|endswith: 'C$' + AccessMask: '0x2' + filter: + SubjectUserName|endswith: '$' + condition: selection and not filter falsepositives: - - Unknown + - Unknown level: high tags: - - attack.lateral_movement - - attack.t1021.002 + - attack.lateral_movement + - attack.t1021.002 diff --git a/rules/windows/builtin/security/win_vssaudit_secevent_source_registration.yml b/rules/windows/builtin/security/win_vssaudit_secevent_source_registration.yml index fe7574613..d4d510aa9 100644 --- a/rules/windows/builtin/security/win_vssaudit_secevent_source_registration.yml +++ b/rules/windows/builtin/security/win_vssaudit_secevent_source_registration.yml 
@@ -9,7 +9,7 @@ tags: - attack.credential_access - attack.t1003.002 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy logsource: product: windows service: security @@ -17,10 +17,10 @@ detection: selection: Provider_Name: Microsoft-Windows-Security-Auditing AuditSourceName: VSSAudit - EventID: + EventID: - 4904 - 4905 condition: selection falsepositives: - Legitimate use of VSSVC. Maybe backup operations. It would usually be done by C:\Windows\System32\VSSVC.exe. -level: informational \ No newline at end of file +level: informational diff --git a/rules/windows/builtin/system/win_invoke_obfuscation_obfuscated_iex_services.yml b/rules/windows/builtin/system/win_invoke_obfuscation_obfuscated_iex_services.yml index 54c521f46..4dd375461 100644 --- a/rules/windows/builtin/system/win_invoke_obfuscation_obfuscated_iex_services.yml +++ b/rules/windows/builtin/system/win_invoke_obfuscation_obfuscated_iex_services.yml 
@@ -1,12 +1,12 @@ title: Invoke-Obfuscation Obfuscated IEX Invocation id: 51aa9387-1c53-4153-91cc-d73c59ae1ca9 -description: 'Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014' +description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block linked in the references references: - - https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888 + - https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888 status: experimental author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community date: 2019/11/08 -modified: 2021/09/16 +modified: 2022/07/11 tags: - attack.defense_evasion - attack.t1027 @@ -14,9 +14,9 @@ logsource: product: windows service: system detection: - selection: + selection_eid: EventID: 7045 - selection_1: + selection_imagepath: - ImagePath|re: '\$PSHome\[\s*\d{1,3}\s*\]\s*\+\s*\$PSHome\[' - ImagePath|re: '\$ShellId\[\s*\d{1,3}\s*\]\s*\+\s*\$ShellId\[' - ImagePath|re: '\$env:Public\[\s*\d{1,3}\s*\]\s*\+\s*\$env:Public\[' @@ -24,7 +24,7 @@ detection: - ImagePath|re: '\\*mdr\*\W\s*\)\.Name' - ImagePath|re: '\$VerbosePreference\.ToString\(' - ImagePath|re: '\String\]\s*\$VerbosePreference' - condition: selection and selection_1 + condition: all of selection_* falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/rules/windows/builtin/system/win_system_defender_disabled.yml b/rules/windows/builtin/system/win_system_defender_disabled.yml index 8ca595d0a..0f08c26dc 100644 --- a/rules/windows/builtin/system/win_system_defender_disabled.yml +++ b/rules/windows/builtin/system/win_system_defender_disabled.yml 
@@ -3,14 +3,14 @@ id: 6c0a7755-6d31-44fa-80e1-133e57752680 related: - id: fe34868f-6e0e-4882-81f6-c43aa8f15b62 type: derived +status: stable description: Detects disabling Windows Defender threat protection date: 2020/07/28 modified: 2022/05/04 author: Ján Trenčanský, frack113 references: - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md -status: stable + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md tags: - attack.defense_evasion - attack.t1562.001 @@ -29,4 +29,4 @@ detection: falsepositives: - Administrator actions - Auto updates of Windows Defender causes restarts -level: low \ No newline at end of file +level: low diff --git a/rules/windows/builtin/system/win_volume_shadow_copy_mount.yml b/rules/windows/builtin/system/win_volume_shadow_copy_mount.yml index de018ad86..b95c6abb2 100644 --- a/rules/windows/builtin/system/win_volume_shadow_copy_mount.yml +++ b/rules/windows/builtin/system/win_volume_shadow_copy_mount.yml @@ -1,6 +1,6 @@ title: Volume Shadow Copy Mount id: f512acbf-e662-4903-843e-97ce4652b740 -description: Detects volume shadow copy mount +description: Detects volume shadow copy mount via windows event log status: experimental date: 2020/10/20 modified: 2021/10/13 
@@ -9,12 +9,12 @@ tags: - attack.credential_access - attack.t1003.002 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy logsource: product: windows service: system detection: - selection: + selection: Provider_Name: Microsoft-Windows-Ntfs EventID: 98 DeviceName|contains: HarddiskVolumeShadowCopy diff --git a/rules/windows/builtin/windefend/win_defender_disabled.yml b/rules/windows/builtin/windefend/win_defender_disabled.yml index 943131fe1..273ffa515 100644 --- a/rules/windows/builtin/windefend/win_defender_disabled.yml +++ b/rules/windows/builtin/windefend/win_defender_disabled.yml @@ -6,7 +6,7 @@ modified: 2022/05/06 author: Ján Trenčanský, frack113 references: - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md status: stable tags: - attack.defense_evasion diff --git a/rules/windows/create_stream_hash/sysmon_regedit_export_to_ads.yml b/rules/windows/create_stream_hash/sysmon_regedit_export_to_ads.yml index 39a38bcc1..ead5ffc81 100644 --- a/rules/windows/create_stream_hash/sysmon_regedit_export_to_ads.yml +++ b/rules/windows/create_stream_hash/sysmon_regedit_export_to_ads.yml 
@@ -4,22 +4,22 @@ status: test description: Exports the target Registry key and hides it in the specified alternate data stream. author: Oddvar Moe, Sander Wiebing, oscd.community references: - - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Regedit.yml - - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f + - https://lolbas-project.github.io/lolbas/Binaries/Regedit/ + - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f date: 2020/10/07 modified: 2021/11/27 logsource: - product: windows - category: create_stream_hash + product: windows + category: create_stream_hash detection: - selection: - Image|endswith: '\regedit.exe' - condition: selection + selection: + Image|endswith: '\regedit.exe' + condition: selection fields: - - TargetFilename + - TargetFilename falsepositives: - - Unknown + - Unknown level: high tags: - - attack.defense_evasion - - attack.t1564.004 + - attack.defense_evasion + - attack.t1564.004 diff --git a/rules/windows/dns_query/dns_query_remote_access_software_domains.yml b/rules/windows/dns_query/dns_query_remote_access_software_domains.yml new file mode 100644 index 000000000..7d1b9fddf --- /dev/null +++ b/rules/windows/dns_query/dns_query_remote_access_software_domains.yml 
@@ -0,0 +1,29 @@
+title: Query To Remote Access Software Domain
+id: 4d07b1f4-cb00-4470-b9f8-b0191d48ff52
+status: experimental
+description: |
+ An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
+ These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+ Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution
+author: frack113
+date: 2022/07/11
+logsource:
+ product: windows
+ category: dns_query
+detection:
+ selection:
+ QueryName|endswith:
+ - '.getgo.com'
+ - '.logmein.com'
+ - '.ammyy.com'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.command_and_control
+ - attack.t1219
diff --git a/rules/windows/dns_query/dns_query_win_ammyy.yml b/rules/windows/dns_query/dns_query_win_ammyy.yml
deleted file mode 100644
index 893f21290..000000000
--- a/rules/windows/dns_query/dns_query_win_ammyy.yml
+++ /dev/null
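Review bot: The new rule replaces three per-vendor rules but carries no `related:` block, so the ids of the deleted rules (71ba22cb-8a01-42e2-a6dd-5bf9b547498f for Ammyy and 7c4cf8e0-1362-48b2-a512-b606d2065d7d for GoToAssist on this page; the LogMeIn rule's id is outside the view) disappear without a forward pointer for anyone who already deployed them. Sigma's `related` field has `type: merged` for exactly this case; a block like the one below, placed after `status:`, keeps the lineage. `falsepositives: - Unknown` also contradicts the rule's own description, which states these services are commonly used as legitimate technical support software; `- Legitimate use of the remote support software named in the description` would be more accurate.
```yaml
status: experimental
related:
    - id: 71ba22cb-8a01-42e2-a6dd-5bf9b547498f
      type: merged
    - id: 7c4cf8e0-1362-48b2-a512-b606d2065d7d
      type: merged
    - id: <LOGMEIN_RULE_ID>  # placeholder: id of the deleted dns_query_win_logmein.yml, not visible here
      type: merged
# … unchanged: description, references, author, date, logsource, detection, level, tags …
```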
@@ -1,24 +0,0 @@ -title: Query to Ammyy Remote Access Software Domain -id: 71ba22cb-8a01-42e2-a6dd-5bf9b547498f -status: experimental -description: | - An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. - These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. - Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) -references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution -author: frack113 -date: 2022/04/04 -logsource: - product: windows - category: dns_query -detection: - selection: - QueryName|endswith: '.ammyy.com' - condition: selection -falsepositives: - - Unknown -level: medium -tags: - - attack.command_and_control - - attack.t1219 \ No newline at end of file diff --git a/rules/windows/dns_query/dns_query_win_gotoopener.yml b/rules/windows/dns_query/dns_query_win_gotoopener.yml deleted file mode 100644 index 75fc35c4d..000000000 --- a/rules/windows/dns_query/dns_query_win_gotoopener.yml +++ /dev/null 
@@ -1,21 +0,0 @@ -title: Query to GoToAssist Remote Access Software Domain -id: 7c4cf8e0-1362-48b2-a512-b606d2065d7d -status: experimental -description: | - An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. - These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. - Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) -references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md#atomic-test-4---gotoassist-files-detected-test-on-windows -author: frack113 -date: 2022/02/13 -logsource: - product: windows - category: dns_query -detection: - selection: - QueryName|endswith: '.getgo.com' - condition: selection -falsepositives: - - Unknown -level: medium \ No newline at end of file diff --git a/rules/windows/dns_query/dns_query_win_logmein.yml b/rules/windows/dns_query/dns_query_win_logmein.yml deleted file mode 100644 index 0a1879aee..000000000 --- a/rules/windows/dns_query/dns_query_win_logmein.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -title: Query to LogMeIn Remote Access Software Domain -id: ed785237-70fa-46f3-83b6-d264d1dc6eb4 -status: experimental -description: | - An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. - These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. - Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) -references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md#atomic-test-3---logmein-files-detected-test-on-windows -author: frack113 -date: 2022/02/11 -logsource: - product: windows - category: dns_query -detection: - selection: - QueryName|endswith: '.logmein.com' - condition: selection -falsepositives: - - Unknown -level: medium -tags: - - attack.command_and_control - - attack.t1219 \ No newline at end of file diff --git a/rules/windows/dns_query/dns_query_win_regsvr32_network_activity.yml b/rules/windows/dns_query/dns_query_win_regsvr32_network_activity.yml index 0a9ffb60d..22db73948 100644 --- a/rules/windows/dns_query/dns_query_win_regsvr32_network_activity.yml +++ b/rules/windows/dns_query/dns_query_win_regsvr32_network_activity.yml 
@@ -3,20 +3,19 @@ id: 36e037c4-c228-4866-b6a3-48eb292b9955 related: - id: c7e91a02-d771-4a6d-a700-42587e0b1095 type: derived +status: experimental description: Detects network connections and DNS queries initiated by Regsvr32.exe references: - https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/ - https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md +author: Dmitriy Lifanov, oscd.community +date: 2019/10/25 +modified: 2021/09/21 tags: - attack.execution - attack.t1559.001 - attack.defense_evasion - attack.t1218.010 -author: Dmitriy Lifanov, oscd.community -status: experimental -date: 2019/10/25 -modified: 2021/09/21 logsource: category: dns_query product: windows diff --git a/rules/windows/file_delete/file_delete_win_delete_appli_log.yml b/rules/windows/file_delete/file_delete_win_delete_appli_log.yml index 5266a1518..5811518fc 100644 --- a/rules/windows/file_delete/file_delete_win_delete_appli_log.yml +++ b/rules/windows/file_delete/file_delete_win_delete_appli_log.yml @@ -4,20 +4,20 @@ status: experimental description: Deletion of log files is a known anti-forensic technique author: frack113 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md date: 2022/01/16 logsource: - product: windows - category: file_delete + product: windows + category: file_delete detection: selection_teamviewer: TargetFilename|endswith: '.log' TargetFilename|contains: '\TeamViewer_' - filter: + filter: Image: C:\Windows\system32\svchost.exe condition: selection_teamviewer and not filter falsepositives: - - Unknown + - Unknown level: low tags: - attack.defense_evasion 
diff --git a/rules/windows/file_delete/file_delete_win_delete_backup_file.yml b/rules/windows/file_delete/file_delete_win_delete_backup_file.yml index f158121cf..b1a52fe3c 100644 --- a/rules/windows/file_delete/file_delete_win_delete_backup_file.yml +++ b/rules/windows/file_delete/file_delete_win_delete_backup_file.yml @@ -4,28 +4,28 @@ status: experimental description: Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery. author: frack113 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-6---windows---delete-backup-files + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-6---windows---delete-backup-files date: 2022/01/02 modified: 2022/06/02 logsource: - product: windows - category: file_delete + product: windows + category: file_delete detection: - selection: - Image|endswith: '\cmd.exe' - TargetFilename|endswith: - - '.VHD' - - '.bac' - - '.bak' - - '.wbcat' - - '.bkf' - - '.set' - - '.win' - - '.dsk' - condition: selection + selection: + Image|endswith: '\cmd.exe' + TargetFilename|endswith: + - '.VHD' + - '.bac' + - '.bak' + - '.wbcat' + - '.bkf' + - '.set' + - '.win' + - '.dsk' + condition: selection falsepositives: - - Legitime usage + - Legitime usage level: medium tags: - - attack.impact - - attack.t1490 + - attack.impact + - attack.t1490 diff --git a/rules/windows/file_event/file_event_win_access_susp_unattend_xml.yml b/rules/windows/file_event/file_event_win_access_susp_unattend_xml.yml index 6b9909cfe..e430a32df 100644 --- a/rules/windows/file_event/file_event_win_access_susp_unattend_xml.yml +++ b/rules/windows/file_event/file_event_win_access_susp_unattend_xml.yml 
@@ -6,18 +6,18 @@ description: | If these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended windows install process author: frack113 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md date: 2021/12/19 logsource: - product: windows - category: file_event + product: windows + category: file_event detection: - selection: - TargetFilename|endswith: '\unattend.xml' - condition: selection + selection: + TargetFilename|endswith: '\unattend.xml' + condition: selection falsepositives: - - Unknown + - Unknown level: medium tags: - - attack.credential_access - - attack.t1552.001 + - attack.credential_access + - attack.t1552.001 diff --git a/rules/windows/file_event/file_event_win_anydesk_artefact.yml b/rules/windows/file_event/file_event_win_anydesk_artefact.yml index 0d2800f5c..3623ece5f 100644 --- a/rules/windows/file_event/file_event_win_anydesk_artefact.yml +++ b/rules/windows/file_event/file_event_win_anydesk_artefact.yml 
@@ -4,9 +4,9 @@ status: experimental description: | An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. - Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) + Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows author: frack113 date: 2022/02/11 logsource: diff --git a/rules/windows/file_event/file_event_win_creation_new_shim_database.yml b/rules/windows/file_event/file_event_win_creation_new_shim_database.yml index c00f31c4e..9f8e52580 100644 --- a/rules/windows/file_event/file_event_win_creation_new_shim_database.yml +++ b/rules/windows/file_event/file_event_win_creation_new_shim_database.yml 
@@ -1,24 +1,24 @@ title: New Shim Database Created in the Default Directory id: ee63c85c-6d51-4d12-ad09-04e25877a947 status: experimental -description: | +description: | Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. author: frack113 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.011/T1546.011.md#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.011/T1546.011.md#atomic-test-2---new-shim-database-files-created-in-the-default-shim-database-directory date: 2021/12/29 logsource: - product: windows - category: file_event + product: windows + category: file_event detection: - selection: - TargetFilename|endswith: '.sdb' - TargetFilename|contains: '\Windows\apppatch\Custom\' - condition: selection + selection: + TargetFilename|endswith: '.sdb' + TargetFilename|contains: '\Windows\apppatch\Custom\' + condition: selection falsepositives: - - Unknown + - Unknown level: medium tags: - - attack.persistence - - attack.t1547.009 + - attack.persistence + - attack.t1547.009 diff --git a/rules/windows/file_event/file_event_win_creation_scr_binary_file.yml b/rules/windows/file_event/file_event_win_creation_scr_binary_file.yml index 5d16e8fb9..fdb389f1d 100644 --- a/rules/windows/file_event/file_event_win_creation_scr_binary_file.yml +++ b/rules/windows/file_event/file_event_win_creation_scr_binary_file.yml 
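Review bot: The re-indented `tags` lines at the end of this hunk keep `attack.t1547.009`, while the title is about shim databases and the only reference is the T1546.011 atomic, so the technique tag should follow the reference: `- attack.t1546.011`. The same reference/tag mismatch survives in two later file_event hunks: file_event_win_creation_unquoted_service_path tags `attack.t1547.009` against a T1574.009 reference, and file_event_win_writing_local_admin_share tags `attack.t1546.002` against a T1021.002 reference. Because these tags feed technique-coverage mapping downstream, a wrong sub-technique is a silent defect rather than a cosmetic one, and a formatting pass that rewrites every tag line is the natural place to correct it.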
@@ -1,28 +1,28 @@ title: Suspicious Screensaver Binary File Creation id: 97aa2e88-555c-450d-85a6-229bcd87efb8 status: experimental -description: | +description: | Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension author: frack113 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.002/T1546.002.md date: 2021/12/29 modified: 2022/01/10 logsource: - product: windows - category: file_event + product: windows + category: file_event detection: - selection: - TargetFilename|endswith: '.scr' - filter: - Image|endswith: - - '\Kindle.exe' - - '\Bin\ccSvcHst.exe' # Symantec Endpoint Protection - condition: selection and not 1 of filter* + selection: + TargetFilename|endswith: '.scr' + filter: + Image|endswith: + - '\Kindle.exe' + - '\Bin\ccSvcHst.exe' # Symantec Endpoint Protection + condition: selection and not 1 of filter* falsepositives: - - Unknown + - Unknown level: medium tags: - - attack.persistence - - attack.t1546.002 + - attack.persistence + - attack.t1546.002 diff --git a/rules/windows/file_event/file_event_win_creation_unquoted_service_path.yml b/rules/windows/file_event/file_event_win_creation_unquoted_service_path.yml index 5b2dfdcb1..43f0a7b9c 100644 --- a/rules/windows/file_event/file_event_win_creation_unquoted_service_path.yml +++ b/rules/windows/file_event/file_event_win_creation_unquoted_service_path.yml 
@@ -1,24 +1,24 @@ title: Creation Exe for Service with Unquoted Path id: 8c3c76ca-8f8b-4b1d-aaf3-81aebcd367c9 status: experimental -description: | +description: | Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. - Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch. + Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary's executable to launch. author: frack113 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.009/T1574.009.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.009/T1574.009.md date: 2021/12/30 logsource: - product: windows - category: file_event + product: windows + category: file_event detection: - selection: - # Feel free to add more - TargetFilename: 'C:\program.exe' - condition: selection + selection: + # Feel free to add more + TargetFilename: 'C:\program.exe' + condition: selection falsepositives: - - Unknown + - Unknown level: high tags: - - attack.persistence - - attack.t1547.009 \ No newline at end of file + - attack.persistence + - attack.t1547.009 diff --git a/rules/windows/file_event/file_event_win_csharp_compile_artefact.yml b/rules/windows/file_event/file_event_win_csharp_compile_artefact.yml index 8fdf2aa2d..a985084bc 100644 --- a/rules/windows/file_event/file_event_win_csharp_compile_artefact.yml +++ b/rules/windows/file_event/file_event_win_csharp_compile_artefact.yml 
@@ -7,18 +7,18 @@ description: | This can be used to unpack a payload for execution author: frack113 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md#atomic-test-2---dynamic-c-compile + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027.004/T1027.004.md#atomic-test-2---dynamic-c-compile date: 2022/01/09 logsource: - product: windows - category: file_event + product: windows + category: file_event detection: - selection: - TargetFilename|endswith: '.cmdline' - condition: selection + selection: + TargetFilename|endswith: '.cmdline' + condition: selection falsepositives: - - Unknown + - Unknown level: low tags: - - attack.defense_evasion - - attack.t1027.004 + - attack.defense_evasion + - attack.t1027.004 diff --git a/rules/windows/file_event/file_event_win_susp_clr_logs.yml b/rules/windows/file_event/file_event_win_susp_clr_logs.yml index 544801e77..4b5d1c854 100644 --- a/rules/windows/file_event/file_event_win_susp_clr_logs.yml +++ b/rules/windows/file_event/file_event_win_susp_clr_logs.yml @@ -5,7 +5,7 @@ description: Detects suspicious .NET assembly executions. Could detect using Cob references: - https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html - https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/ - - https://github.com/olafhartong/sysmon-modular/blob/master/11_file_create/include_dotnet.xml + - https://github.com/olafhartong/sysmon-modular/blob/5e5f6d90819a7f35eec0aba08021d0d201bb9055/11_file_create/include_dotnet.xml author: omkar72, oscd.community, Wojciech Lesicki date: 2020/10/12 modified: 2022/06/24 diff --git a/rules/windows/file_event/file_event_win_susp_desktop_txt.yml b/rules/windows/file_event/file_event_win_susp_desktop_txt.yml index 2f2608892..8c47cc0c0 100644 --- a/rules/windows/file_event/file_event_win_susp_desktop_txt.yml 
+++ b/rules/windows/file_event/file_event_win_susp_desktop_txt.yml @@ -4,22 +4,22 @@ status: experimental description: Ransomware create txt file in the user Desktop author: frack113 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1486/T1486.md#atomic-test-5---purelocker-ransom-note + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1486/T1486.md#atomic-test-5---purelocker-ransom-note date: 2021/12/26 logsource: - product: windows - category: file_event + product: windows + category: file_event detection: - selection: - Image|endswith: \cmd.exe - TargetFilename|contains|all: - - \Users\ - - \Desktop\ - TargetFilename|endswith: .txt - condition: selection + selection: + Image|endswith: \cmd.exe + TargetFilename|contains|all: + - \Users\ + - \Desktop\ + TargetFilename|endswith: .txt + condition: selection falsepositives: - - Unknown + - Unknown level: high tags: - - attack.impact - - attack.t1486 + - attack.impact + - attack.t1486 diff --git a/rules/windows/file_event/file_event_win_writing_local_admin_share.yml b/rules/windows/file_event/file_event_win_writing_local_admin_share.yml index 5df4b850e..0eef7528d 100644 --- a/rules/windows/file_event/file_event_win_writing_local_admin_share.yml +++ b/rules/windows/file_event/file_event_win_writing_local_admin_share.yml 
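Review bot: The re-indented `detection` block keeps `\cmd.exe`, `\Users\`, `\Desktop\` and `.txt` as unquoted plain scalars, whereas every other rule in this change quotes its backslash paths (`'\regedit.exe'`, `'\unattend.xml'`, `'\Windows\apppatch\Custom\'`); since the commit is a formatting pass, quoting them here (`Image|endswith: '\cmd.exe'`, `TargetFilename|endswith: '.txt'`) would make the style uniform. The same unquoted form appears in the net_connection_win_susp_outbound_smtp_connections hunk (`\thunderbird.exe`, `\outlook.exe`). Backslashes in plain scalars are literal, so this is a consistency point, not a behaviour change.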
@@ -1,25 +1,25 @@ title: Writing Local Admin Share id: 4aafb0fa-bff5-4b9d-b99e-8093e659c65f status: experimental -description: | +description: | Aversaries may use to interact with a remote network share using Server Message Block (SMB). This technique is used by post-exploitation frameworks. author: frack113 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md#atomic-test-4---execute-command-writing-output-to-local-admin-share + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-4---execute-command-writing-output-to-local-admin-share date: 2022/01/01 logsource: - product: windows - category: file_event + product: windows + category: file_event detection: - selection: - TargetFilename|contains|all: - - '\\127.0.0' - - '\ADMIN$\' - condition: selection + selection: + TargetFilename|contains|all: + - '\\127.0.0' + - '\ADMIN$\' + condition: selection falsepositives: - - Unknown + - Unknown level: medium tags: - - attack.lateral_movement - - attack.t1546.002 \ No newline at end of file + - attack.lateral_movement + - attack.t1546.002 diff --git a/rules/windows/file_rename/file_rename_win_not_dll_to_dll.yml b/rules/windows/file_rename/file_rename_win_not_dll_to_dll.yml index 4b9ad9667..f8a2e00e3 100644 --- a/rules/windows/file_rename/file_rename_win_not_dll_to_dll.yml +++ b/rules/windows/file_rename/file_rename_win_not_dll_to_dll.yml 
@@ -4,7 +4,7 @@ status: experimental description: Detects cases in which a file gets renamed to .dll, which often happens to bypass perimeter protection references: - https://twitter.com/ffforward/status/1481672378639912960 - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md#atomic-test-1---system-file-copied-to-unusual-location + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036/T1036.md#atomic-test-1---system-file-copied-to-unusual-location author: frack113 date: 2022/02/19 modified: 2022/03/13 diff --git a/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml b/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml index f60f06682..69cac05e7 100644 --- a/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml +++ b/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml @@ -11,7 +11,7 @@ tags: - attack.t1056.002 references: - https://securitydatasets.com/notebooks/small/windows/06_credential_access/SDWIN-201020013208.html - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password - https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa logsource: category: image_load diff --git a/rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml b/rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml index 1e1344c24..87cd877d2 100644 --- a/rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml +++ b/rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml 
@@ -4,51 +4,52 @@ status: test description: Detects Dllhost that communicates with public IP addresses author: bartblaze references: - - https://github.com/Neo23x0/sigma/blob/master/rules/windows/network_connection/sysmon_rundll32_net_connections.yml + - https://redcanary.com/blog/child-processes/ + - https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08 date: 2020/07/13 modified: 2022/04/21 logsource: - category: network_connection - product: windows + category: network_connection + product: windows detection: - selection: - Image|endswith: '\dllhost.exe' - Initiated: 'true' - filter_ipv4: - DestinationIp|startswith: - - '10.' - - '192.168.' - - '172.16.' - - '172.17.' - - '172.18.' - - '172.19.' - - '172.20.' - - '172.21.' - - '172.22.' - - '172.23.' - - '172.24.' - - '172.25.' - - '172.26.' - - '172.27.' - - '172.28.' - - '172.29.' - - '172.30.' - - '172.31.' - - '169.254.' # link-local address - - '127.' # loopback address - filter_ipv6: - DestinationIp|startswith: - - '::1' # IPv6 loopback variant - - '0:0:0:0:0:0:0:1' # IPv6 loopback variant - - 'fe80:' # link-local address - - 'fc' # private address range fc00::/7 - - 'fd' # private address range fc00::/7 - condition: selection and not 1 of filter* + selection: + Image|endswith: '\dllhost.exe' + Initiated: 'true' + filter_ipv4: + DestinationIp|startswith: + - '10.' + - '192.168.' + - '172.16.' + - '172.17.' + - '172.18.' + - '172.19.' + - '172.20.' + - '172.21.' + - '172.22.' + - '172.23.' + - '172.24.' + - '172.25.' + - '172.26.' + - '172.27.' + - '172.28.' + - '172.29.' + - '172.30.' + - '172.31.' + - '169.254.' # link-local address + - '127.' 
# loopback address + filter_ipv6: + DestinationIp|startswith: + - '::1' # IPv6 loopback variant + - '0:0:0:0:0:0:0:1' # IPv6 loopback variant + - 'fe80:' # link-local address + - 'fc' # private address range fc00::/7 + - 'fd' # private address range fc00::/7 + condition: selection and not 1 of filter* falsepositives: - - Communication to other corporate systems that use IP addresses from public address spaces + - Communication to other corporate systems that use IP addresses from public address spaces level: medium tags: - - attack.defense_evasion - - attack.t1218 - - attack.execution - - attack.t1559.001 + - attack.defense_evasion + - attack.t1218 + - attack.execution + - attack.t1559.001 diff --git a/rules/windows/network_connection/net_connection_win_imewdbld.yml b/rules/windows/network_connection/net_connection_win_imewdbld.yml index bbd5d676c..a40c00a16 100644 --- a/rules/windows/network_connection/net_connection_win_imewdbld.yml +++ b/rules/windows/network_connection/net_connection_win_imewdbld.yml 
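Review bot: `filter_ipv4` in the rewritten detection block still treats only RFC 1918, loopback and link-local as non-public, so dllhost traffic to the shared address space 100.64.0.0/10, to multicast 224.0.0.0/4, or to an IPv4-mapped IPv6 destination (`::ffff:10.` and friends) is reported as a public-IP connection, contradicting the description; where the backend supports it, `DestinationIp|cidr:` with `- '100.64.0.0/10'` and `- '224.0.0.0/4'` in a third filter covers the first two without a long prefix list. On the IPv6 side, `'::1'` as a startswith prefix also matches any address that merely begins with `::1` (for example `::1a…`), which over-filters; an exact `DestinationIp: '::1'` match in its own filter would be tighter. Neither gap is introduced by this commit, but the hunk touches every filter line, so it is the natural place to close them.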
@@ -4,20 +4,20 @@ status: experimental description: Use IMEWDBLD.exe (built-in to windows) to download a file author: frack113 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download - - https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/ + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download + - https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/ date: 2022/01/22 logsource: - category: network_connection - product: windows + category: network_connection + product: windows detection: - selection: - Initiated: 'true' - Image|endswith: '\IMEWDBLD.exe' - condition: selection + selection: + Initiated: 'true' + Image|endswith: '\IMEWDBLD.exe' + condition: selection falsepositives: - - Legitimate script + - Legitimate script level: high tags: - attack.command_and_control - - attack.t1105 \ No newline at end of file + - attack.t1105 diff --git a/rules/windows/network_connection/net_connection_win_msiexec.yml b/rules/windows/network_connection/net_connection_win_msiexec.yml index 4233f744c..c6aaa7279 100644 --- a/rules/windows/network_connection/net_connection_win_msiexec.yml +++ b/rules/windows/network_connection/net_connection_win_msiexec.yml 
@@ -7,19 +7,19 @@ description: | author: frack113 references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md date: 2022/01/16 logsource: - category: network_connection - product: windows + category: network_connection + product: windows detection: - selection: - Initiated: 'true' - Image|endswith: '\msiexec.exe' - condition: selection + selection: + Initiated: 'true' + Image|endswith: '\msiexec.exe' + condition: selection falsepositives: - - Legitimate msiexec over networks + - Legitimate msiexec over networks level: medium tags: - attack.defense_evasion - - attack.t1218.007 \ No newline at end of file + - attack.t1218.007 diff --git a/rules/windows/network_connection/net_connection_win_python.yml b/rules/windows/network_connection/net_connection_win_python.yml index 5f1b656af..2ec5d9714 100644 --- a/rules/windows/network_connection/net_connection_win_python.yml +++ b/rules/windows/network_connection/net_connection_win_python.yml 
@@ -4,19 +4,19 @@ status: experimental description: Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation author: frack113 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python - - https://pypi.org/project/scapy/ + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python + - https://pypi.org/project/scapy/ date: 2021/12/10 logsource: - category: network_connection - product: windows + category: network_connection + product: windows detection: - selection: - Initiated: 'true' - Image|contains: python - condition: selection + selection: + Initiated: 'true' + Image|contains: python + condition: selection falsepositives: - - Legitimate python script + - Legitimate python script level: high tags: - attack.discovery diff --git a/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml b/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml index 79d24648f..71537df3d 100644 --- a/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml +++ b/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml @@ -4,7 +4,6 @@ description: Detects network connections and DNS queries initiated by Regsvr32.e references: - https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/ - https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1117/T1117.md author: Dmitriy Lifanov, oscd.community status: experimental date: 2019/10/25 @@ -29,4 +28,4 @@ tags: - attack.execution - attack.t1559.001 - attack.defense_evasion - - attack.t1218.010 \ No newline at end of file + - attack.t1218.010 
diff --git a/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml b/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml index e6f09eb98..89a6e4bf1 100644 --- a/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml +++ b/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml 
@@ -3,34 +3,34 @@ id: 9976fa64-2804-423c-8a5b-646ade840773 status: experimental description: | Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. - The data may also be sent to an alternate network location from the main command and control server. + The data may also be sent to an alternate network location from the main command and control server. references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp - - https://www.ietf.org/rfc/rfc2821.txt + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp + - https://www.ietf.org/rfc/rfc2821.txt author: frack113 date: 2022/01/07 modified: 2022/02/16 logsource: - category: network_connection - product: windows + category: network_connection + product: windows detection: - selection: - DestinationPort: - - 25 - - 587 - - 465 - - 2525 - Initiated: 'true' - filter_clients: - Image|endswith: - - \thunderbird.exe - - \outlook.exe - filter_mailserver: - Image|startswith: 'C:\Program Files\Microsoft\Exchange Server\' - condition: selection and not 1 of filter* + selection: + DestinationPort: + - 25 + - 587 + - 465 + - 2525 + Initiated: 'true' + filter_clients: + Image|endswith: + - \thunderbird.exe + - \outlook.exe + filter_mailserver: + Image|startswith: 'C:\Program Files\Microsoft\Exchange Server\' + condition: selection and not 1 of filter* falsepositives: - - Other SMTP tools + - Other SMTP tools level: medium tags: - attack.exfiltration - - attack.t1048.003 \ No newline at end of file + - attack.t1048.003 
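Review bot: The re-indented `filter_clients` values `\thunderbird.exe` and `\outlook.exe` stay as plain scalars while the `filter_mailserver` value two lines below, `'C:\Program Files\Microsoft\Exchange Server\'`, is single-quoted; all three carry backslashes, so writing them the same way (`- '\thunderbird.exe'`, `- '\outlook.exe'`) keeps the block consistent and spares the reader the question of whether the backslash is literal. A backslash in a YAML plain scalar is literal, so this is a style point only; the detection logic is unchanged.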
diff --git a/rules/windows/pipe_created/pipe_created_susp_adfs_namedpipe_connection.yml b/rules/windows/pipe_created/pipe_created_susp_adfs_namedpipe_connection.yml index ba73a5bff..7e5834cb8 100644 --- a/rules/windows/pipe_created/pipe_created_susp_adfs_namedpipe_connection.yml +++ b/rules/windows/pipe_created/pipe_created_susp_adfs_namedpipe_connection.yml @@ -6,7 +6,7 @@ date: 2021/10/08 modified: 2022/02/16 author: Roberto Rodriguez @Cyb3rWard0g references: - - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml + - https://github.com/Azure/Azure-Sentinel/blob/f99542b94afe0ad2f19a82cc08262e7ac8e1428e/Detections/SecurityEvent/ADFSDBNamedPipeConnection.yaml - https://o365blog.com/post/adfs/ - https://github.com/Azure/SimuLand tags: diff --git a/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml b/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml index 80319180c..e8e4b05a3 100644 --- a/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml +++ b/rules/windows/powershell/powershell_classic/posh_pc_delete_volume_shadow_copies.yml @@ -1,15 +1,14 @@ title: Delete Volume Shadow Copies Via WMI With PowerShell id: 87df9ee1-5416-453a-8a08-e8d4a51e9ce1 +status: stable description: Shadow Copies deletion using operating systems utilities via PowerShell +author: frack113 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md - - https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_shadow_copies_deletion.yml + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md - https://www.fortinet.com/blog/threat-research/stomping-shadow-copies-a-second-look-into-deletion-methods tags: - attack.impact - attack.t1490 -status: stable -author: frack113 date: 2021/06/03 modified: 2021/10/16 logsource: 
@@ -17,15 +16,14 @@ logsource: category: ps_classic_start definition: fields have to be extract from event detection: - selection_obj: + selection: HostApplication|contains|all: - 'Get-WmiObject' - ' Win32_Shadowcopy' - selection_del: HostApplication|contains: - 'Delete()' - 'Remove-WmiObject' - condition: selection_obj and selection_del + condition: selection fields: - HostApplication falsepositives: diff --git a/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml b/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml index b9e8c6e79..3d91e0cff 100644 --- a/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml +++ b/rules/windows/powershell/powershell_classic/posh_pc_powercat.yml @@ -11,7 +11,7 @@ description: Adversaries may use a non-application layer protocol for communicat references: - https://nmap.org/ncat/ - https://github.com/besimorhino/powercat - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md tags: - attack.command_and_control - attack.t1095 @@ -24,7 +24,7 @@ detection: HostApplication|contains: - 'powercat ' - 'powercat.ps1' - condition: selection + condition: selection falsepositives: - Unknown level: medium \ No newline at end of file diff --git a/rules/windows/powershell/powershell_classic/posh_pc_susp_athremotefxvgpudisablementcommand.yml b/rules/windows/powershell/powershell_classic/posh_pc_susp_athremotefxvgpudisablementcommand.yml index 21bd9de4b..41ddfcce0 100644 --- a/rules/windows/powershell/powershell_classic/posh_pc_susp_athremotefxvgpudisablementcommand.yml +++ b/rules/windows/powershell/powershell_classic/posh_pc_susp_athremotefxvgpudisablementcommand.yml 
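Review bot: In posh_pc_delete_volume_shadow_copies.yml the merged `selection` now holds two modifiers on the same field, `HostApplication|contains|all` and `HostApplication|contains`, which at a glance reads like a duplicate key. It is not one, and because keys inside a single Sigma selection are ANDed the merge preserves the old `selection_obj and selection_del` semantics, but that is worth stating in place: a comment such as `# ANDed with the key above: WMI shadow-copy lookup plus a delete verb` above the second key would keep the next editor from "fixing" it into a single list. The condition line now names only `selection`, so no stale reference to the removed block remains.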
@@ -9,8 +9,8 @@ date: 2021/07/13 modified: 2021/09/07 description: RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339). references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md - - https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1 + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md + - https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1 tags: - attack.defense_evasion - attack.t1218 @@ -27,7 +27,7 @@ detection: - '-ModulePath ' - '-ScriptBlock ' - '-RemoteFXvGPUDisablementFilePath' - condition: selection_cmd and selection_opt + condition: all of selection_* fields: - ComputerName - User @@ -35,4 +35,4 @@ fields: - ParentCommandLine falsepositives: - Unknown -level: medium \ No newline at end of file +level: medium diff --git a/rules/windows/powershell/powershell_classic/posh_pc_susp_get_nettcpconnection.yml b/rules/windows/powershell/powershell_classic/posh_pc_susp_get_nettcpconnection.yml index 9f8b0ad7e..39ed23976 100644 --- a/rules/windows/powershell/powershell_classic/posh_pc_susp_get_nettcpconnection.yml +++ b/rules/windows/powershell/powershell_classic/posh_pc_susp_get_nettcpconnection.yml 
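Review bot: In posh_pc_susp_athremotefxvgpudisablementcommand.yml the new `condition: all of selection_*` is only equivalent to the old `selection_cmd and selection_opt` while those two are the sole `selection_*` keys; any later `selection_*` added as an optional alternative would silently be ANDed in and narrow the rule. The top of the detection block lies outside this hunk, so I could not confirm there are exactly two. A one-line comment above the condition, `# every selection_* block must match`, would record that the wildcard is deliberate.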
@@ -1,9 +1,9 @@ -title: Use Get-NetTCPConnection +title: Use Get-NetTCPConnection id: b366adb4-d63d-422d-8a2c-186463b5ded0 status: experimental description: Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md#atomic-test-2---system-network-connections-discovery-with-powershell + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-2---system-network-connections-discovery-with-powershell author: frack113 date: 2021/12/10 logsource: @@ -13,7 +13,7 @@ logsource: detection: selection: HostApplication|contains: Get-NetTCPConnection - condition: selection + condition: selection falsepositives: - Unknown level: low diff --git a/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml b/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml index 70fa976b4..b3ebc5408 100644 --- a/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml +++ b/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml @@ -9,7 +9,7 @@ date: 2021/07/20 modified: 2021/09/07 description: Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md tags: - attack.collection - attack.t1074.001 @@ -24,7 +24,7 @@ detection: - ' -Path ' - ' -DestinationPath ' - '$env:TEMP\' - condition: selection + condition: selection falsepositives: - Unknown level: medium \ No newline at end of file 
diff --git a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml index 2ffff9458..9a4848faf 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_invoke_obfuscation_obfuscated_iex.yml @@ -3,9 +3,9 @@ id: 2f211361-7dce-442d-b78a-c04039677378 related: - id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7 type: derived -description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 +description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the code block cited in the reference section below references: - - https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888 + - https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888 status: experimental author: Daniel Bohannon (@Mandiant/@FireEye), oscd.community date: 2019/11/08 diff --git a/rules/windows/powershell/powershell_module/posh_pm_powercat.yml b/rules/windows/powershell/powershell_module/posh_pm_powercat.yml index ef9261cae..fbfba628d 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_powercat.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_powercat.yml @@ -8,7 +8,7 @@ description: Adversaries may use a non-application layer protocol for communicat references: - https://nmap.org/ncat/ - https://github.com/besimorhino/powercat - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1095/T1095.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1095/T1095.md tags: - attack.command_and_control - attack.t1095 
@@ -21,7 +21,7 @@ detection: ContextInfo|contains: - 'powercat ' - 'powercat.ps1' - condition: selection + condition: selection falsepositives: - Unknown -level: medium \ No newline at end of file +level: medium diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml index a4f883a40..c1b2673e6 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_susp_ad_group_reco.yml @@ -1,11 +1,11 @@ -title: Suspicious Get Information for AD Groups or DoesNotRequirePreAuth User +title: AD Groups Or Users Enumeration Using PowerShell - PoshModule id: 815bfc17-7fc6-4908-a55e-2f37b98cedb4 description: | Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. - Adversaries may use this information to determine which users have elevated permissions, such as domain administrators. + Adversaries may use this information to determine which users have elevated permissions, such as domain administrators. references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md status: experimental author: frack113 date: 2021/12/15 @@ -34,4 +34,4 @@ falsepositives: level: low tags: - attack.discovery - - attack.t1069.001 \ No newline at end of file + - attack.t1069.001 diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml index cd9751e11..4ad279399 100644 
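Review bot: In posh_pm_susp_ad_group_reco.yml the tag `attack.t1069.001` (local permission groups) on the retouched last line disagrees with the reference, now pinned to the T1069.002 page, and with the description, which is about domain-level groups; `- attack.t1069.002` looks like the intended sub-technique. The same tag-versus-reference mismatch appears in the posh_pm_susp_smb_share_reco.yml hunk further down, whose description is about shared folders and drives rather than permission groups at all, so that rule's technique mapping deserves a second look. Only the end-of-file newline changed on these tag lines, so the mismatch is pre-existing, but since the commit touches them this is the moment to correct it.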
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_susp_athremotefxvgpudisablementcommand.yml @@ -6,8 +6,8 @@ date: 2021/07/13 modified: 2021/10/16 description: RemoteFXvGPUDisablement.exe is an abusable, signed PowerShell host executable that was introduced in Windows 10 and Server 2019 (OS Build 17763.1339). references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md - - https://github.com/redcanaryco/AtomicTestHarnesses/blob/master/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1 + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md + - https://github.com/redcanaryco/AtomicTestHarnesses/blob/7e1e4da116801e3d6fcc6bedb207064577e40572/TestHarnesses/T1218_SignedBinaryProxyExecution/InvokeRemoteFXvGPUDisablementCommand.ps1 tags: - attack.defense_evasion - attack.t1218 @@ -32,4 +32,4 @@ fields: - ParentCommandLine falsepositives: - Unknown -level: medium \ No newline at end of file +level: medium diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml index 39394b907..f32822bbd 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_susp_get_nettcpconnection.yml 
@@ -1,9 +1,9 @@ -title: Use Get-NetTCPConnection +title: Use Get-NetTCPConnection id: aff815cc-e400-4bf0-a47a-5d8a2407d4e1 status: experimental description: Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1049/T1049.md#atomic-test-2---system-network-connections-discovery-with-powershell + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-2---system-network-connections-discovery-with-powershell author: frack113 date: 2021/12/10 logsource: @@ -13,10 +13,10 @@ logsource: detection: selection: ContextInfo|contains: 'Get-NetTCPConnection' - condition: selection + condition: selection falsepositives: - Unknown level: low tags: - attack.discovery - - attack.t1049 \ No newline at end of file + - attack.t1049 diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml index cebc691f1..f41058316 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_susp_local_group_reco.yml 
@@ -5,7 +5,7 @@ description: | The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group. references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md status: experimental author: frack113 date: 2021/12/12 @@ -34,4 +34,4 @@ falsepositives: level: low tags: - attack.discovery - - attack.t1069.001 \ No newline at end of file + - attack.t1069.001 diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml index 3561af930..5c1f99b96 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_susp_smb_share_reco.yml 
@@ -1,11 +1,10 @@ title: Suspicious Get Information for SMB Share id: 6942bd25-5970-40ab-af49-944247103358 description: | - Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and - to identify potential systems of interest for Lateral Movement. - Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. + Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. + Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md status: experimental author: frack113 date: 2021/12/15 @@ -23,4 +22,4 @@ falsepositives: level: low tags: - attack.discovery - - attack.t1069.001 \ No newline at end of file + - attack.t1069.001 diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml index b9daec61e..9cc35cb3e 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml 
@@ -9,7 +9,7 @@ date: 2021/07/20 modified: 2021/10/16 description: Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md tags: - attack.collection - attack.t1074.001 diff --git a/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml b/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml index 71c604502..56a47176f 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_access_to_browser_login_data.yml 
@@ -7,22 +7,22 @@ status: experimental author: frack113 date: 2022/01/30 description: | - Adversaries may acquire credentials from web browsers by reading files specific to the target browser. - Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. - Web browsers typically store the credentials in an encrypted format within a credential store. + Adversaries may acquire credentials from web browsers by reading files specific to the target browser. + Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. + Web browsers typically store the credentials in an encrypted format within a credential store. references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555.003/T1555.003.md logsource: product: windows category: ps_script definition: Script block logging must be enabled detection: selection_cmd: - ScriptBlockText|contains|all: + ScriptBlockText|contains|all: - Copy-Item - '-Destination' selection_path: - ScriptBlockText|contains: + ScriptBlockText|contains: - '\Opera Software\Opera Stable\Login Data' - '\Mozilla\Firefox\Profiles' - '\Microsoft\Edge\User Data\Default' @@ -34,4 +34,4 @@ falsepositives: level: medium tags: - attack.credential_access - - attack.t1555.003 \ No newline at end of file + - attack.t1555.003 diff --git a/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml b/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml index f76e0c978..6829f26a4 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_as_rep_roasting.yml 
@@ -1,11 +1,11 @@ -title: Get-ADUser Enumeration Using UserAccountControl Flags +title: Get-ADUser Enumeration Using UserAccountControl Flags id: 96c982fe-3d08-4df4-bed2-eb14e02f21c8 status: experimental description: Detects AS-REP roasting is an attack that is often-overlooked. It is not very common as you have to explicitly set accounts that do not require pre-authentication. date: 2022/03/17 author: frack113 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md#atomic-test-11---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md#atomic-test-11---get-aduser-enumeration-using-useraccountcontrol-flags-as-rep-roasting - https://shellgeek.com/useraccountcontrol-flags-to-manipulate-properties/ logsource: product: windows @@ -14,12 +14,12 @@ logsource: detection: selection: #4194304 DONT_REQ_PREAUTH - ScriptBlockText|contains|all: + ScriptBlockText|contains|all: - 'Get-ADUser' - '-Filter' - 'useraccountcontrol' - '-band' - - '4194304' + - '4194304' condition: selection falsepositives: - Legitimate PowerShell scripts diff --git a/rules/windows/powershell/powershell_script/posh_ps_automated_collection.yml b/rules/windows/powershell/powershell_script/posh_ps_automated_collection.yml index e0a718d54..f85d12599 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_automated_collection.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_automated_collection.yml 
@@ -6,7 +6,7 @@ date: 2021/07/28 modified: 2021/12/02 description: Once established within a system or network, an adversary may use automated techniques for collecting internal data. references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md tags: - attack.collection - attack.t1119 diff --git a/rules/windows/powershell/powershell_script/posh_ps_azurehound_commands.yml b/rules/windows/powershell/powershell_script/posh_ps_azurehound_commands.yml index b490bffdb..b006328ae 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_azurehound_commands.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_azurehound_commands.yml @@ -3,7 +3,7 @@ id: 83083ac6-1816-4e76-97d7-59af9a9ae46e status: experimental description: Detects the execution of AzureHound in PowerShell, a tool to gather data from Azure for BloodHound references: - - https://github.com/BloodHoundAD/BloodHound/blob/master/Collectors/AzureHound.ps1 + - https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1 - https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html author: Austin Songer (@austinsonger) date: 2021/10/23 diff --git a/rules/windows/powershell/powershell_script/posh_ps_capture_screenshots.yml b/rules/windows/powershell/powershell_script/posh_ps_capture_screenshots.yml index 29e0f9b7e..ddae8a494 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_capture_screenshots.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_capture_screenshots.yml 
@@ -2,10 +2,10 @@ title: Windows Screen Capture with CopyFromScreen id: d4a11f63-2390-411c-9adf-d791fd152830 status: experimental description: | - Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. - Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations + Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. + Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1113/T1113.md#atomic-test-6---windows-screen-capture-copyfromscreen + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1113/T1113.md#atomic-test-6---windows-screen-capture-copyfromscreen author: frack113 date: 2021/12/28 modified: 2022/07/07 diff --git a/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript.yml b/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript.yml index 24dd5f709..75b81b735 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript.yml @@ -6,7 +6,7 @@ author: oscd.community, Natalia Shornikova date: 2020/10/14 modified: 2021/10/16 references: - - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml + - https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/ - https://twitter.com/bohops/status/948061991012327424 tags: - attack.defense_evasion @@ -18,8 +18,8 @@ logsource: detection: selection: ScriptBlockText|contains|all: - - 'CL_Invocation.ps1' - - 'SyncInvoke' + - 'CL_Invocation.ps1' + - 'SyncInvoke' condition: selection falsepositives: - Unknown 
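Review bot: The replacement LOLBAS reference in posh_ps_cl_invocation_lolscript.yml points at the rendered site page `https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/`, which can change, whereas every other reference rewritten in this commit is pinned to a commit hash; the same choice is made in posh_ps_cl_invocation_lolscript_count.yml and the two CL_mutexverifiers rules below. If immutability is the goal, a commit-pinned GitHub URL to the LOLBAS entry would be consistent with the rest; if the site page is preferred as the canonical source, a sentence in the commit message saying so would save the next reviewer the same question.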
diff --git a/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript_count.yml b/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript_count.yml index 32789b70c..cae4b871e 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript_count.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript_count.yml @@ -6,7 +6,7 @@ author: oscd.community, Natalia Shornikova date: 2020/10/14 modified: 2021/10/16 references: - - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/Cl_invocation.yml + - https://lolbas-project.github.io/lolbas/Scripts/Cl_invocation/ - https://twitter.com/bohops/status/948061991012327424 tags: - attack.defense_evasion diff --git a/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript.yml b/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript.yml index 8c8880442..44f7610e5 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript.yml @@ -6,7 +6,7 @@ author: oscd.community, Natalia Shornikova date: 2020/10/14 modified: 2021/10/16 references: - - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml + - https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/ - https://twitter.com/pabraeken/status/995111125447577600 tags: - attack.defense_evasion @@ -18,9 +18,9 @@ logsource: detection: selection: ScriptBlockText|contains|all: - - 'CL_Mutexverifiers.ps1' - - 'runAfterCancelProcess' + - 'CL_Mutexverifiers.ps1' + - 'runAfterCancelProcess' condition: selection falsepositives: - Unknown -level: high \ No newline at end of file +level: high 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript_count.yml b/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript_count.yml index 00903625e..53b50941d 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript_count.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript_count.yml @@ -6,7 +6,7 @@ author: oscd.community, Natalia Shornikova date: 2020/10/14 modified: 2021/10/16 references: - - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSScripts/CL_mutexverifiers.yml + - https://lolbas-project.github.io/lolbas/Scripts/CL_mutexverifiers/ - https://twitter.com/pabraeken/status/995111125447577600 tags: - attack.defense_evasion diff --git a/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml b/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml index 2d872fa1d..050837322 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_cmdlet_scheduled_task.yml 
@@ -3,8 +3,8 @@ id: 363eccc0-279a-4ccf-a3ab-24c2e63b11fb status: experimental description: Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-4---powershell-cmdlet-scheduled-task + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1053.005/T1053.005.md#atomic-test-6---wmi-invoke-cimmethod-scheduled-task author: frack113 date: 2021/12/28 logsource: @@ -13,7 +13,7 @@ logsource: definition: Script block logging must be enabled detection: selection_cmdlet: - ScriptBlockText|contains: + ScriptBlockText|contains: - 'New-ScheduledTaskAction' - 'New-ScheduledTaskTrigger' - 'New-ScheduledTaskPrincipal' @@ -32,5 +32,5 @@ falsepositives: - Unknown level: medium tags: - - attack.persistence - - attack.t1053.005 \ No newline at end of file + - attack.persistence + - attack.t1053.005 diff --git a/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml b/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml index 4ed37758d..1c92773af 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_cor_profiler.yml 
@@ -2,15 +2,15 @@ title: Registry-Free Process Scope COR_PROFILER id: 23590215-4702-4a70-8805-8dc9e58314a2 status: experimental description: | - Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. - The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). - These profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR. - (Citation: Microsoft Profiling Mar 2017) - (Citation: Microsoft COR_PROFILER Feb 2013) + Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. + The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). + These profiliers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR. + (Citation: Microsoft Profiling Mar 2017) + (Citation: Microsoft COR_PROFILER Feb 2013) author: frack113 date: 2021/12/30 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md#atomic-test-3---registry-free-process-scope-cor_profiler + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.012/T1574.012.md#atomic-test-3---registry-free-process-scope-cor_profiler logsource: product: windows category: ps_script diff --git a/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml b/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml index 2180d16e4..8b4983cbf 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml 
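Review bot: The re-indented description on the new side keeps the misspelling `profiliers` in its third line; since these lines are rewritten anyway, correct it to `These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.` The two trailing `(Citation: Microsoft ...)` lines are ATT&CK markup that gives a reader of the rule no link to follow; either resolve them to URLs under `references:` or drop them from the description.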
+++ b/rules/windows/powershell/powershell_script/posh_ps_create_local_user.yml @@ -3,7 +3,7 @@ id: 243de76f-4725-4f2e-8225-a8a69b15ad61 status: experimental description: Detects creation of a local user via PowerShell references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md tags: - attack.execution - attack.t1059.001 diff --git a/rules/windows/powershell/powershell_script/posh_ps_data_compressed.yml b/rules/windows/powershell/powershell_script/posh_ps_data_compressed.yml index 8c35c9c81..02098dfae 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_data_compressed.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_data_compressed.yml @@ -6,7 +6,7 @@ author: Timur Zinniatullin, oscd.community date: 2019/10/21 modified: 2021/10/16 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560/T1560.md logsource: product: windows category: ps_script diff --git a/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml b/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml index 62ecf566d..3a7d39ced 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_detect_vm_env.yml 
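Review bot: The reference in the posh_ps_create_local_user.yml hunk now points at the T1136.001 (local account) page rather than the T1136 parent, but the tags visible in the hunk are only `attack.execution` and `attack.t1059.001`; the tag list continues outside the hunk, so this may already be covered. If it is not, add `- attack.persistence` and `- attack.t1136.001` so the rule is mapped to the technique its description and reference describe.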
@@ -6,7 +6,7 @@ date: 2021/08/03 modified: 2022/03/03 description: Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1497.001/T1497.001.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1497.001/T1497.001.md - https://techgenix.com/malicious-powershell-scripts-evade-detection/ tags: - attack.defense_evasion diff --git a/rules/windows/powershell/powershell_script/posh_ps_directorysearcher.yml b/rules/windows/powershell/powershell_script/posh_ps_directorysearcher.yml index 2be2fdf41..72b5b9b37 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_directorysearcher.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_directorysearcher.yml 
@@ -4,21 +4,21 @@ status: experimental description: Enumerates Active Directory to determine computers that are joined to the domain date: 2022/02/12 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md#atomic-test-15---enumerate-domain-computers-within-active-directory-using-directorysearcher + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-15---enumerate-domain-computers-within-active-directory-using-directorysearcher author: frack113 logsource: product: windows category: ps_script definition: Script Block Logging must be enabled detection: - selection: - ScriptBlockText|contains|all: - - 'New-Object ' - - 'System.DirectoryServices.DirectorySearcher' - - '.PropertiesToLoad.Add' - - '.findall()' - - 'Properties.name' - condition: selection + selection: + ScriptBlockText|contains|all: + - 'New-Object ' + - 'System.DirectoryServices.DirectorySearcher' + - '.PropertiesToLoad.Add' + - '.findall()' + - 'Properties.name' + condition: selection falsepositives: - Unknown level: medium diff --git a/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml b/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml index 1d5f8b08c..65bcc357a 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_directoryservices_accountmanagement.yml 
@@ -2,10 +2,10 @@ title: Manipulation of User Computer or Group Security Principals Across AD id: b29a93fb-087c-4b5b-a84d-ee3309e69d08 status: experimental description: | - Adversaries may create a domain account to maintain access to victim systems. - Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain.. + Adversaries may create a domain account to maintain access to victim systems. + Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain.. references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.002/T1136.002.md#atomic-test-3---create-a-new-domain-account-using-powershell + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.002/T1136.002.md#atomic-test-3---create-a-new-domain-account-using-powershell - https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement?view=dotnet-plat-ext-6.0 author: frack113 date: 2021/12/28 diff --git a/rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml b/rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml index fac4d03e1..596705cf0 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_dump_password_windows_credential_manager.yml 
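Review bot: The second description line on the new side still ends with a doubled period (`... that are part of that domain..`); as the line is being rewritten for indentation, fix the sentence end to `... that are part of that domain.` Nothing else in the description changes, so this is the only wording item in the hunk.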
@@ -7,14 +7,14 @@ description: | Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555/T1555.md logsource: product: windows category: ps_script definition: Script block logging must be enabled detection: selection_kiddie: - ScriptBlockText|contains: + ScriptBlockText|contains: - 'Get-PasswordVaultCredentials' - 'Get-CredManCreds' selection_rename_Password: @@ -34,4 +34,4 @@ falsepositives: level: medium tags: - attack.credential_access - - attack.t1555 \ No newline at end of file + - attack.t1555 diff --git a/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml b/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml index 4798cd58b..b1134519d 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_enable_psremoting.yml @@ -3,7 +3,7 @@ id: 991a9744-f2f0-44f2-bd33-9092eba17dc3 status: experimental description: Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user. references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2 author: frack113 date: 2022/01/07 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_enumerate_password_windows_credential_manager.yml b/rules/windows/powershell/powershell_script/posh_ps_enumerate_password_windows_credential_manager.yml index dca1798f0..cd35eba18 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_enumerate_password_windows_credential_manager.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_enumerate_password_windows_credential_manager.yml @@ -4,17 +4,17 @@ status: experimental author: frack113 date: 2021/12/20 description: | - Adversaries may search for common password storage locations to obtain user credentials. - Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. + Adversaries may search for common password storage locations to obtain user credentials. + Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1555/T1555.md logsource: product: windows category: ps_script definition: Script block logging must be enabled detection: selection_cmd: - ScriptBlockText|contains|all: + ScriptBlockText|contains|all: - vaultcmd - '/listcreds:' selection_option: diff --git a/rules/windows/powershell/powershell_script/posh_ps_file_and_directory_discovery.yml b/rules/windows/powershell/powershell_script/posh_ps_file_and_directory_discovery.yml index 429519485..413246730 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_file_and_directory_discovery.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_file_and_directory_discovery.yml 
@@ -1,11 +1,10 @@ title: Powershell File and Directory Discovery id: d23f2ba5-9da0-4463-8908-8ee47f614bb9 description: | - Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. - Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, - including whether or not the adversary fully infects the target and/or attempts specific actions. + Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. + Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md status: experimental author: frack113 date: 2021/12/15 @@ -27,4 +26,4 @@ falsepositives: level: low tags: - attack.discovery - - attack.t1083 \ No newline at end of file + - attack.t1083 diff --git a/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml b/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml index eac46859c..6602dc891 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_get_acl_service.yml 
@@ -2,11 +2,11 @@ title: Service Registry Permissions Weakness Check id: 95afc12e-3cbb-40c3-9340-84a032e596a3 status: experimental description: | - Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. - Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start. - Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services + Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. + Adversaries may use flaws in the permissions for registry to redirect from the originally specified executable to one that they control, in order to launch their own code at Service start. + Windows stores local service configuration information in the Registry under HKLM\SYSTEM\CurrentControlSet\Services references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1574.011/T1574.011.md#atomic-test-1---service-registry-permissions-weakness - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.security/get-acl?view=powershell-7.2 author: frack113 date: 2021/12/30 @@ -21,8 +21,8 @@ detection: - 'REGISTRY::HKLM\SYSTEM\CurrentControlSet\Services\' condition: selection falsepositives: - - Legitimate administrative script + - Legitimate administrative script level: medium tags: - - attack.persistence - - attack.t1574.011 + - attack.persistence + - attack.t1574.011 diff --git a/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml b/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml index 2518b05ed..d4f4563f7 100644 
--- a/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_get_adreplaccount.yml @@ -1,21 +1,21 @@ title: Suspicious Get-ADReplAccount id: 060c3ef1-fd0a-4091-bf46-e7d625f60b73 status: experimental -description: - The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. - These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation. +description: | + The DSInternals PowerShell Module exposes several internal features of Active Directory and Azure Active Directory. + These include FIDO2 and NGC key auditing, offline ntds.dit file manipulation, password auditing, DC recovery from IFM backups and password hash calculation. date: 2022/02/06 author: frack113 references: - https://www.powershellgallery.com/packages/DSInternals - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.006/T1003.006.md#atomic-test-2---run-dsinternals-get-adreplaccount logsource: product: windows category: ps_script definition: Script block logging must be enabled detection: selection: - ScriptBlockText|contains|all: + ScriptBlockText|contains|all: - Get-ADReplAccount - '-All ' - '-Server ' diff --git a/rules/windows/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml b/rules/windows/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml index f6a1ad514..e236b8802 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_get_childitem_bookmarks.yml 
@@ -8,7 +8,7 @@ description: | Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure. references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md logsource: product: windows category: ps_script @@ -19,7 +19,7 @@ detection: - 'Get-ChildItem' - ' -Recurse ' - ' -Path ' - - ' -Filter Bookmarks' + - ' -Filter Bookmarks' - ' -ErrorAction SilentlyContinue' - ' -Force' condition: selection @@ -29,4 +29,3 @@ level: low tags: - attack.discovery - attack.t1217 - diff --git a/rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml b/rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml index a2ed94f6d..544a4d5ce 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_hotfix_enum.yml @@ -4,7 +4,7 @@ status: experimental description: Detects call to "Win32_QuickFixEngineering" in order to enumerate installed hotfixes often used in "enum" scripts by attackers author: Nasreddine Bencherchali references: - - https://github.com/411Hall/JAWS/blob/master/jaws-enum.ps1 + - https://github.com/411Hall/JAWS/blob/233f142fcb1488172aa74228a666f6b3c5c48f1d/jaws-enum.ps1 date: 2022/06/21 logsource: product: windows diff --git a/rules/windows/powershell/powershell_script/posh_ps_icmp_exfiltration.yml b/rules/windows/powershell/powershell_script/posh_ps_icmp_exfiltration.yml index b64792133..ef385981a 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_icmp_exfiltration.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_icmp_exfiltration.yml 
@@ -3,7 +3,7 @@ id: 4c4af3cd-2115-479c-8193-6b8bfce9001c status: experimental description: Detects Exfiltration Over Alternative Protocol - ICMP. Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md#atomic-test-2---exfiltration-over-alternative-protocol---icmp + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-2---exfiltration-over-alternative-protocol---icmp author: 'Bartlomiej Czyz @bczyz1, oscd.community' date: 2020/10/10 modified: 2021/10/16 diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml index b913ce65a..e29bcb6af 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_command_remote.yml @@ -3,7 +3,7 @@ id: 7b836d7f-179c-4ba4-90a7-a7e60afb48e6 status: experimental description: Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user. references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md#atomic-test-2---invoke-command + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.006/T1021.006.md#atomic-test-2---invoke-command - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.2 author: frack113 date: 2022/01/07 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml index e01ea3ffb..9ebae50fb 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_dnsexfiltration.yml @@ -3,7 +3,7 @@ id: d59d7842-9a21-4bc6-ba98-64bfe0091355 status: experimental description: DNSExfiltrator allows for transfering (exfiltrate) a file over a DNS request covert channel references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md#atomic-test-3---dnsexfiltration-doh + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048/T1048.md#atomic-test-3---dnsexfiltration-doh - https://github.com/Arno0x/DNSExfiltrator author: frack113 date: 2022/01/07 diff --git a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml index 777958209..57792288e 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_invoke_obfuscation_obfuscated_iex.yml @@ -2,7 +2,7 @@ title: Invoke-Obfuscation Obfuscated IEX Invocation id: 1b9dc62e-6e9e-42a3-8990-94d7a10007f7 description: Detects all variations of obfuscated powershell IEX invocation code generated by Invoke-Obfuscation framework from the following code block \u2014 references: - - https://github.com/danielbohannon/Invoke-Obfuscation/blob/master/Out-ObfuscatedStringCommand.ps1#L873-L888 + - https://github.com/danielbohannon/Invoke-Obfuscation/blob/f20e7f843edd0a3a7716736e9eddfa423395dd26/Out-ObfuscatedStringCommand.ps1#L873-L888 status: experimental author: 'Daniel Bohannon (@Mandiant/@FireEye), oscd.community' date: 2019/11/08 
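Review bot: The description context line in the posh_ps_invoke_obfuscation_obfuscated_iex.yml hunk is a plain scalar, so the `\u2014` it contains is stored as six literal characters rather than an em dash, and the sentence stops after "from the following code block". Either replace the escape with the character itself or use a double-quoted scalar if an escape is wanted, and close the sentence, for example `... generated by Invoke-Obfuscation framework (see references)`, since the pinned `Out-ObfuscatedStringCommand.ps1#L873-L888` link already points at the code block the text alludes to.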
diff --git a/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml b/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml index 02631034c..70a46b929 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_keylogging.yml @@ -3,11 +3,11 @@ id: 34f90d3c-c297-49e9-b26d-911b05a4866c status: experimental author: frack113 date: 2021/07/30 -modified: 2021/10/16 +modified: 2022/07/11 description: Adversaries may log user keystrokes to intercept credentials as the user types them. references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.001/src/Get-Keystrokes.ps1 + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218/T1218.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1056.001/src/Get-Keystrokes.ps1 tags: - attack.collection - attack.t1056.001 @@ -22,7 +22,7 @@ detection: ScriptBlockText|contains|all: - 'Get-ProcAddress user32.dll GetAsyncKeyState' - 'Get-ProcAddress user32.dll GetForegroundWindow' - condition: selection_basic or selection_high + condition: 1 of selection_* falsepositives: - Unknown level: medium diff --git a/rules/windows/powershell/powershell_script/posh_ps_localuser.yml b/rules/windows/powershell/powershell_script/posh_ps_localuser.yml index bee3a979e..e92892dbe 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_localuser.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_localuser.yml 
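Review bot: The first pinned reference in the posh_ps_keylogging.yml hunk, `atomics/T1218/T1218.md`, is the Signed Binary Proxy Execution page, which does not match a keylogging rule tagged `attack.t1056.001`; the second reference lives under `T1056.001/src/`, which suggests the intended page is `atomics/T1056.001/T1056.001.md` at the same pinned commit. The commit only pins the existing URL, so verify against the pinned tree before repointing it. The `modified:` bump is consistent with the condition change in the later hunk of this file.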
@@ -2,10 +2,10 @@ title: Powershell LocalAccount Manipulation id: 4fdc44df-bfe9-4fcc-b041-68f5a2d3031c status: experimental description: | - Adversaries may manipulate accounts to maintain access to victim systems. - Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups + Adversaries may manipulate accounts to maintain access to victim systems. + Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1098/T1098.md#atomic-test-1---admin-account-manipulate + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1098/T1098.md#atomic-test-1---admin-account-manipulate - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.localaccounts/?view=powershell-5.1 author: frack113 date: 2021/12/28 @@ -25,8 +25,8 @@ detection: - 'Remove-LocalUser' condition: selection falsepositives: - - Legitimate administrative script + - Legitimate administrative script level: medium tags: - - attack.persistence - - attack.t1098 + - attack.persistence + - attack.t1098 diff --git a/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml index 4b302c384..61e80eb83 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml 
@@ -6,8 +6,8 @@ author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (upd references: - https://adsecurity.org/?p=2921 - https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries - - https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/master/Invoke-ZeroLogon.ps1 - - https://github.com/xorrior/RandomPS-Scripts/blob/master/Start-WebcamRecorder.ps1 + - https://github.com/BC-SECURITY/Invoke-ZeroLogon/blob/111d17c7fec486d9bb23387e2e828b09a26075e4/Invoke-ZeroLogon.ps1 + - https://github.com/xorrior/RandomPS-Scripts/blob/848c919bfce4e2d67b626cbcf4404341cfe3d3b6/Get-DXWebcamVideo.ps1 date: 2017/03/05 modified: 2022/06/22 logsource: diff --git a/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml b/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml index fbfc39a21..91cd0993b 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_msxml_com.yml 
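Review bot: The second reference in this hunk, `https://github.com/S3cur3Th1sSh1t/PowerSharpPack/tree/master/PowerSharpBinaries`, is still an unpinned `master` link while the two below it are pinned to commits, so the hunk leaves the file half-converted; pin it to a commit as well. The fourth reference also changes file name, from `Start-WebcamRecorder.ps1` to `Get-DXWebcamVideo.ps1`, rather than only pinning; if the detection list (outside this hunk) matches on the old script or function name, confirm the pinned file still defines it.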
@@ -2,14 +2,14 @@ title: Powershell MsXml COM Object id: 78aa1347-1517-4454-9982-b338d6df8343 status: experimental description: | - Adversaries may abuse PowerShell commands and scripts for execution. - PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) - Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code + Adversaries may abuse PowerShell commands and scripts for execution. + PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) + Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code author: frack113, MatilJ date: 2022/01/19 modified: 2022/05/19 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-7---powershell-msxml-com-object---with-prompt - https://docs.microsoft.com/en-us/previous-versions/windows/desktop/ms766431(v=vs.85) - https://www.trendmicro.com/en_id/research/22/e/uncovering-a-kingminer-botnet-attack-using-trend-micro-managed-x.html logsource: @@ -25,8 +25,8 @@ detection: - 'XmlHttp' condition: selection falsepositives: - - Legitimate administrative script + - Legitimate administrative script level: medium tags: - - attack.execution - - attack.t1059.001 + - attack.execution + - attack.t1059.001 diff --git a/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml b/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml index 3ff340115..34a83c4b6 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml 
+++ b/rules/windows/powershell/powershell_script/posh_ps_ntfs_ads_access.yml @@ -4,7 +4,7 @@ status: experimental description: Detects writing data into NTFS alternate data streams from powershell. Needs Script Block Logging. references: - http://www.powertheshell.com/ntfsstreams/ - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md tags: - attack.defense_evasion - attack.t1564.004 diff --git a/rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml b/rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml index 63a5aa27b..25a38346d 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_office_comobject_registerxll.yml @@ -2,10 +2,10 @@ title: Code Executed Via Office Add-in XLL File id: 36fbec91-fa1b-4d5d-8df1-8d8edcb632ad status: experimental description: | - Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. - Office add-ins can be used to add functionality to Office programs + Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. + Office add-ins can be used to add functionality to Office programs references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1137.006/T1137.006.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1137.006/T1137.006.md author: frack113 date: 2021/12/28 logsource: diff --git a/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml b/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml index 7112bc4be..372b0507d 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml 
+++ b/rules/windows/powershell/powershell_script/posh_ps_remote_session_creation.yml @@ -5,7 +5,7 @@ description: | Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.2 author: frack113 date: 2022/01/06 diff --git a/rules/windows/powershell/powershell_script/posh_ps_remove_item_path.yml b/rules/windows/powershell/powershell_script/posh_ps_remove_item_path.yml index 71161eb22..bed1490c0 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_remove_item_path.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_remove_item_path.yml @@ -4,7 +4,7 @@ status: experimental description: Powershell Remove-Item with -Path to delete a file or a folder with "-Recurse" author: frack113 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.004/T1070.004.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Remove-Item?view=powershell-5.1&viewFallbackFrom=powershell-7 date: 2022/01/15 modified: 2022/03/17 diff --git a/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml b/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml index fc2fc5414..c8bc85002 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml 
+++ b/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml @@ -6,7 +6,7 @@ description: | This behavior is typically used during a kerberos or silver ticket attack. A successful execution will output the SPNs for the endpoint in question. references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md#atomic-test-4---request-a-single-ticket-via-powershell + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1558.003/T1558.003.md#atomic-test-4---request-a-single-ticket-via-powershell author: frack113 date: 2021/12/28 logsource: diff --git a/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml b/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml index 0a4c30fac..11e8de26c 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml @@ -3,7 +3,7 @@ id: 42821614-9264-4761-acfc-5772c3286f76 status: experimental description: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md author: 'oscd.community, @redcanary, Zach Stanford @svch0st' date: 2020/10/10 modified: 2021/12/04 
@@ -24,6 +24,6 @@ detection:
 - 'Import-Certificate'
 - 'Cert:\LocalMachine\Root'
 condition: 1 of selection*
-level: medium
 falsepositives:
- - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP
\ No newline at end of file
+ - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP
+level: medium
diff --git a/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml b/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml
index e2a139a52..e70ff16ab 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_run_from_mount_diskimage.yml
@@ -5,7 +5,7 @@ description: Adversaries may abuse container files such as disk image (.iso, .vh
 date: 2022/02/01
 author: frack113
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-2---mount-an-iso-image-and-run-executable-from-the-iso
 - https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_security_software_discovery.yml b/rules/windows/powershell/powershell_script/posh_ps_security_software_discovery.yml
index 08bf14405..ab36d888e 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_security_software_discovery.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_security_software_discovery.yml
@@ -7,7 +7,7 @@ description: |
 Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment.
 This may include things such as firewall rules and anti-viru
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518.001/T1518.001.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md
 logsource:
 product: windows
 category: ps_script
@@ -31,4 +31,3 @@ level: low
 tags:
 - attack.discovery
 - attack.t1518.001
-
diff --git a/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml b/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml
index 05c15c2eb..f450b9dee 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_send_mailmessage.yml
@@ -2,10 +2,10 @@ title: Powershell Exfiltration Over SMTP
 id: 9a7afa56-4762-43eb-807d-c3dc9ffe211b
 status: experimental
 description: |
- Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
- The data may also be sent to an alternate network location from the main command and control server.
+ Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
+ The data may also be sent to an alternate network location from the main command and control server.
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp
 - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.2
 - https://www.ietf.org/rfc/rfc2821.txt
 author: frack113
diff --git a/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml b/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml
index bdd9a5a6e..6fe4638b5 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_software_discovery.yml
@@ -6,7 +6,7 @@ author: Nikita Nazarov, oscd.community
 date: 2020/10/16
 modified: 2021/11/12
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1518/T1518.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518/T1518.md
 - https://github.com/harleyQu1nn/AggressorScripts #AVQuery.cna
 tags:
 - attack.discovery
diff --git a/rules/windows/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yml b/rules/windows/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yml
index b7b6cb043..f55767d6e 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_store_file_in_alternate_data_stream.yml
@@ -6,7 +6,7 @@ date: 2021/09/02
 modified: 2021/10/16
 description: Storing files in Alternate Data Stream (ADS) similar to Astaroth malware.
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md
 tags:
 - attack.defense_evasion
 - attack.t1564.004
@@ -24,4 +24,4 @@ detection:
 condition: selection_compspec
 falsepositives:
 - Unknown
-level: medium
\ No newline at end of file
+level: medium
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_ad_group_reco.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_ad_group_reco.yml
index cb2ec8d17..a974e13d5 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_ad_group_reco.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_ad_group_reco.yml
@@ -1,11 +1,11 @@
-title: Suspicious Get Information for AD Groups or DoesNotRequirePreAuth User
+title: AD Groups Or Users Enumeration Using PowerShell - ScriptBlock
 id: 88f0884b-331d-403d-a3a1-b668cf035603
 description: |
- Adversaries may attempt to find domain-level groups and permission settings.
- The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.
- Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
+ Adversaries may attempt to find domain-level groups and permission settings.
+ The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group.
+ Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md
 status: experimental
 author: frack113
 date: 2021/12/15
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml
index f291e4a53..a6a8eb1b7 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_directory_enum.yml
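Review bot: The new title `AD Groups Or Users Enumeration Using PowerShell - ScriptBlock` changes what the alert says about the rule, but no `modified:` bump is visible; the hunk ends at `date: 2021/12/15` and the rest of the header is outside it. Sigma convention is to set `modified:` whenever a published rule's title or logic changes, so if the file has no such field, add `modified: <date of this change>` after the `date:` line. The old title also named the DoesNotRequirePreAuth user case; if the detection below (outside the hunk) still covers that, the title or description should keep a hint of it so the alert is not read as group enumeration only.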
@@ -5,7 +5,7 @@ description: Detects technique used by MAZE ransomware to enumerate directories
 date: 2022/03/17
 author: frack113
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1083/T1083.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1083/T1083.md
 - https://www.mandiant.com/resources/tactics-techniques-procedures-associated-with-maze-ransomware-incidents
 logsource:
 product: windows
@@ -24,7 +24,7 @@ detection:
 condition: selection
 falsepositives:
 - Legitimate PowerShell scripts
-level: medium
+level: medium
 tags:
 - attack.discovery
 - attack.t1083
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml
index 3e5c4b491..f952b3ae5 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_execute_batch_script.yml
@@ -1,13 +1,13 @@
 title: Powershell Execute Batch Script
 id: b5522a23-82da-44e5-9c8b-e10ed8955f88
 description: |
- Adversaries may abuse the Windows command shell for execution.
- The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems.
- The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands.
- Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops.
- Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple system
+ Adversaries may abuse the Windows command shell for execution.
+ The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems.
+ The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands.
+ Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops.
+ Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple system
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.003/T1059.003.md#atomic-test-1---create-and-execute-batch-script
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1059.003/T1059.003.md#atomic-test-1---create-and-execute-batch-script
 status: experimental
 author: frack113
 date: 2022/01/02
@@ -28,4 +28,4 @@ falsepositives:
 level: medium
 tags:
 - attack.execution
- - attack.t1059.003
\ No newline at end of file
+ - attack.t1059.003
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_extracting.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_extracting.yml
index b8be6f52d..578591967 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_extracting.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_extracting.yml
@@ -4,11 +4,11 @@ status: experimental
 author: frack113
 date: 2021/12/19
 description: |
- Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
- These can be files created by users to store their own credentials, shared credential stores for a group of individuals,
- configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
+ Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
+ These can be files created by users to store their own credentials, shared credential stores for a group of individuals,
+ configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
 logsource:
 product: windows
 category: ps_script
@@ -26,4 +26,4 @@ falsepositives:
 level: medium
 tags:
 - attack.credential_access
- - attack.t1552.001
\ No newline at end of file
+ - attack.t1552.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_get_adcomputer.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_get_adcomputer.yml
index 6dc8e7ace..2d1fdcd42 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_get_adcomputer.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_get_adcomputer.yml
@@ -5,7 +5,7 @@ author: frack113
 date: 2022/03/17
 description: utilize Get-AdComputer to enumerate Computers within Active Directory.
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
 logsource:
 product: windows
 category: ps_script
@@ -22,4 +22,3 @@ level: low
 tags:
 - attack.discovery
 - attack.t1018
-
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml
index a9f07ef85..8c02d658c 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_get_addefaultdomainpasswordpolicy.yml
@@ -5,7 +5,7 @@ description: Detetcts PowerShell activity in which Get-Addefaultdomainpasswordpo
 date: 2022/03/17
 author: frack113
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1201/T1201.md#atomic-test-9---enumerate-active-directory-password-policy-with-get-addefaultdomainpasswordpolicy
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1201/T1201.md#atomic-test-9---enumerate-active-directory-password-policy-with-get-addefaultdomainpasswordpolicy
 - https://docs.microsoft.com/en-us/powershell/module/activedirectory/get-addefaultdomainpasswordpolicy
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_get_adgroup.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_get_adgroup.yml
index ecb0a5a27..8828e3bd0 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_get_adgroup.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_get_adgroup.yml
@@ -5,7 +5,7 @@ author: frack113
 date: 2022/03/17
 description: Detects the use of Get-AdGroup to enumerate Groups within Active Directory
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
 logsource:
 product: windows
 category: ps_script
@@ -22,4 +22,3 @@ level: low
 tags:
 - attack.discovery
 - attack.t1069.002
-
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml
index 13b125580..8c94df484 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_get_current_user.yml
@@ -5,8 +5,8 @@ description: Detects the use of PowerShell to identify the current logged user.
 date: 2022/04/04
 author: frack113
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md#atomic-test-4---user-discovery-with-env-vars-powershell-script
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md#atomic-test-5---getcurrent-user-with-powershell-script
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-4---user-discovery-with-env-vars-powershell-script
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1033/T1033.md#atomic-test-5---getcurrent-user-with-powershell-script
 logsource:
 product: windows
 category: ps_script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml
index 0e4e827aa..8ec5f3608 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml
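Review bot: In posh_ps_susp_get_adgroup.yml the pinned reference on the new side still points at the T1018 atomic page (`https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md`) while the second hunk of the same file tags the rule `attack.t1069.002` and the description is about enumerating groups with Get-AdGroup. This looks like a carry-over from the neighbouring get_adcomputer rule, where T1018 is the right technique; pinning the URL to a commit freezes that mismatch rather than resolving it. Unless a Get-AdGroup test actually lives on the T1018 page, the reference should be the T1069.002 page used elsewhere in this commit, `https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md`, so that reference and tag agree.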
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_get_gpo.yml
@@ -5,7 +5,7 @@ description: Detect use of Get-GPO to get one GPO or all the GPOs in a domain.
 date: 2022/06/04
 author: frack113
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1615/T1615.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1615/T1615.md
 - https://docs.microsoft.com/en-us/powershell/module/grouppolicy/get-gpo?view=windowsserver2022-ps
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml
index 7897fdd92..2dc9e85f1 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_get_process.yml
@@ -5,7 +5,7 @@ description: Get the processes that are running on the local computer.
 date: 2022/03/17
 author: frack113
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1057/T1057.md#atomic-test-3---process-discovery---get-process
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1057/T1057.md#atomic-test-3---process-discovery---get-process
 - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-process?view=powershell-7
 logsource:
 product: windows
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_gettypefromclsid.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_gettypefromclsid.yml
index 8fdd67948..8f8c0b1d6 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_gettypefromclsid.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_gettypefromclsid.yml
@@ -5,7 +5,7 @@ description: Detects suspicious Powershell code that execute COM Objects
 date: 2022/04/02
 author: frack113
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.015/T1546.015.md#atomic-test-2---powershell-execute-com-object
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.015/T1546.015.md#atomic-test-2---powershell-execute-com-object
 logsource:
 product: windows
 category: ps_script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml
index aa58dcda3..1f8c91ff0 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_hyper_v_condlet.yml
@@ -6,7 +6,7 @@ date: 2022/04/09
 author: frack113
 references:
 - https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/quick-start/enable-hyper-v
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.006/T1564.006.md#atomic-test-3---create-and-start-hyper-v-virtual-machine
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.006/T1564.006.md#atomic-test-3---create-and-start-hyper-v-virtual-machine
 logsource:
 product: windows
 category: ps_script
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml
index 2477e7898..0c6876386 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_invoke_webrequest_useragent.yml
@@ -4,10 +4,10 @@ status: experimental
 author: frack113
 date: 2022/01/23
 description: |
- Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic.
- Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
+ Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic.
+ Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1071.001/T1071.001.md#t1071001---web-protocols
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#t1071001---web-protocols
 logsource:
 product: windows
 category: ps_script
@@ -24,4 +24,3 @@ level: medium
 tags:
 - attack.command_and_control
 - attack.t1071.001
-
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_iofilestream.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_iofilestream.yml
index f81018dbe..157bceab7 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_iofilestream.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_iofilestream.yml
@@ -6,7 +6,7 @@ date: 2022/01/09
 modified: 2022/03/05
 author: frack113
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1006/T1006.md
 logsource:
 product: windows
 category: ps_script
@@ -14,7 +14,7 @@ logsource:
 detection:
 selection:
 ScriptBlockText|contains|all:
- - New-Object
+ - New-Object
 - IO.FileStream
 - '\\\\.\\'
 condition: selection
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml
index aa9f62c65..7a58955c1 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_keywords.yml
@@ -7,8 +7,8 @@ modified: 2021/10/16
 author: Florian Roth, Perez Diego (@darkquassar)
 references:
 - https://posts.specterops.io/entering-a-covenant-net-command-and-control-e11038bcf462
- - https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-ReflectivePEInjection.ps1
- - https://github.com/hlldz/Invoke-Phant0m/blob/master/Invoke-Phant0m.ps1
+ - https://github.com/PowerShellMafia/PowerSploit/blob/d943001a7defb5e0d1657085a77a0e78609be58f/CodeExecution/Invoke-ReflectivePEInjection.ps1
+ - https://github.com/hlldz/Phant0m/blob/30c2935d8cf4aafda17ee2fab7cd0c4aa9a607c2/old/Invoke-Phant0m.ps1
 - https://gist.github.com/MHaggis/0dbe00ad401daa7137c81c99c268cfb7
 tags:
 - attack.execution
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_local_group_reco.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_local_group_reco.yml
index 8de541e27..d995e57ac 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_local_group_reco.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_local_group_reco.yml
@@ -6,7 +6,7 @@ description: |
 The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group.
 Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md
 author: frack113
 date: 2021/12/12
 logsource:
@@ -16,8 +16,8 @@ logsource:
 detection:
 test_3:
 ScriptBlockText|contains:
- - 'get-localgroup'
- - 'Get-LocalGroupMember'
+ - 'get-localgroup'
+ - 'Get-LocalGroupMember'
 test_6:
 ScriptBlockText|contains|all:
 - 'Get-WMIObject'
@@ -28,4 +28,4 @@ falsepositives:
 level: low
 tags:
 - attack.discovery
- - attack.t1069.001
\ No newline at end of file
+ - attack.t1069.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_mail_acces.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_mail_acces.yml
index b89413bba..b12d37d83 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_mail_acces.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_mail_acces.yml
@@ -4,9 +4,9 @@ status: experimental
 author: frack113
 date: 2021/07/21
 modified: 2021/10/16
-description: Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files.
+description: Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a users local system, such as Outlook storage or cache files.
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1114.001/T1114.001.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1114.001/T1114.001.md
 tags:
 - attack.collection
 - attack.t1114.001
@@ -21,7 +21,7 @@ detection:
 - 'Microsoft.Office.Interop.Outlook'
 - 'Microsoft.Office.Interop.Outlook.olDefaultFolders'
 - '-comobject outlook.application'
- condition: selection
+ condition: selection
 falsepositives:
 - Unknown
 level: medium
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml
index f65a6ff6e..85475c278 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_mount_diskimage.yml
@@ -5,7 +5,7 @@ description: Adversaries may abuse container files such as disk image (.iso, .vh
 date: 2022/02/01
 author: frack113
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-1---mount-iso-image
 - https://docs.microsoft.com/en-us/powershell/module/storage/mount-diskimage?view=windowsserver2022-ps
 logsource:
 product: windows
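Review bot: The rewritten description in posh_ps_susp_mail_acces.yml now reads `acquired from a users local system`, which loses the possessive: the curly apostrophe in `user’s` was dropped rather than replaced with an ASCII one. If the intent is ASCII-only text, the new line should read `... Files containing email data can be acquired from a user's local system, such as Outlook storage or cache files.` The visible `modified: 2021/10/16` is not bumped even though the description text changes; if the project counts wording edits as modifications, it should be. The second hunk (`condition: selection`) looks like a whitespace-only normalization and needs nothing further.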
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_mounted_share_deletion.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_mounted_share_deletion.yml
index 968a3d47f..96a8c8f88 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_mounted_share_deletion.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_mounted_share_deletion.yml
@@ -3,7 +3,7 @@ id: 66a4d409-451b-4151-94f4-a55d559c49b0
 status: experimental
 description: Detects when when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.005/T1070.005.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md
 author: 'oscd.community, @redcanary, Zach Stanford @svch0st'
 date: 2020/10/08
 modified: 2021/10/16
@@ -17,8 +17,8 @@ logsource:
 detection:
 selection:
 ScriptBlockText|contains:
- - 'Remove-SmbShare'
- - 'Remove-FileShare'
+ - 'Remove-SmbShare'
+ - 'Remove-FileShare'
 condition: selection
 falsepositives:
 - Administrators or Power users may remove their shares via cmd line
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yml
index fd0ad41f4..0d1262dd8 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_networkcredential.yml
@@ -5,7 +5,7 @@ description: |
 Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.
 Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1110.001/T1110.001.md#atomic-test-2---brute-force-credentials-of-single-active-directory-domain-user-via-ldap-against-domain-controller-ntlm-or-kerberos
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1110.001/T1110.001.md#atomic-test-2---brute-force-credentials-of-single-active-directory-domain-user-via-ldap-against-domain-controller-ntlm-or-kerberos
 author: frack113
 date: 2021/12/27
 logsource:
@@ -15,9 +15,9 @@ logsource:
 detection:
 selection:
 ScriptBlockText|contains:
- - 'System.DirectoryServices.Protocols.LdapDirectoryIdentifier'
- - 'System.Net.NetworkCredential'
- - 'System.DirectoryServices.Protocols.LdapConnection'
+ - 'System.DirectoryServices.Protocols.LdapDirectoryIdentifier'
+ - 'System.Net.NetworkCredential'
+ - 'System.DirectoryServices.Protocols.LdapConnection'
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml
index 9111d0cb5..5e32f9eec 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_new_psdrive.yml
@@ -2,7 +2,7 @@ title: Suspicious New-PSDrive to Admin Share id: 1c563233-030e-4a07-af8c-ee0490a66d3a description: Adversaries may use to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user. references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.002/T1021.002.md#atomic-test-2---map-admin-share-powershell - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/new-psdrive?view=powershell-7.2 status: experimental author: frack113 @@ -26,4 +26,4 @@ falsepositives: level: medium tags: - attack.lateral_movement - - attack.t1021.002 \ No newline at end of file + - attack.t1021.002 diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_recon_export.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_recon_export.yml index f22cc23ac..3e21c39d4 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_recon_export.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_recon_export.yml @@ -6,7 +6,7 @@ date: 2021/07/30 modified: 2021/12/02 description: Once established within a system or network, an adversary may use automated techniques for collecting internal data references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md tags: - attack.collection - attack.t1119 diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml index b58fc1988..927ae77c8 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml 
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_remove_adgroupmember.yml @@ -4,10 +4,10 @@ status: experimental author: frack113 date: 2021/12/26 description: | - Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. - Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. + Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. + Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts. references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1531/T1531.md#atomic-test-3---remove-account-from-domain-admin-group + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1531/T1531.md#atomic-test-3---remove-account-from-domain-admin-group logsource: product: windows category: ps_script @@ -17,7 +17,7 @@ detection: ScriptBlockText|contains|all: - 'Remove-ADGroupMember' - '-Identity ' - - '-Members ' + - '-Members ' condition: selection falsepositives: - Unknown @@ -25,4 +25,3 @@ level: medium tags: - attack.impact - attack.t1531 - diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_smb_share_reco.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_smb_share_reco.yml index 17ad10649..f3befb832 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_smb_share_reco.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_smb_share_reco.yml 
@@ -1,11 +1,10 @@ title: Suspicious Get Information for SMB Share id: 95f0643a-ed40-467c-806b-aac9542ec5ab description: | - Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and - to identify potential systems of interest for Lateral Movement. - Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. + Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. + Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network. references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.002/T1069.002.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.002/T1069.002.md status: experimental author: frack113 date: 2021/12/15 @@ -22,4 +21,4 @@ falsepositives: level: low tags: - attack.discovery - - attack.t1069.001 \ No newline at end of file + - attack.t1069.001 diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml index 06de09ff1..9663b80e5 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_ssl_keyword.yml 
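Review bot: The reference this hunk re-pins points at T1069.002 (Permission Groups Discovery: Domain Groups), but the tag line the same commit rewrites still reads `- attack.t1069.001`, so the rule's ATT&CK mapping disagrees with its own citation. Since the commit is already touching both lines, this is the place to reconcile them: either change the tag to `- attack.t1069.002` to match the reference, or re-point the reference at the sub-technique the rule is meant to cover. The title and description describe enumerating shared folders and drives on remote systems, which reads closer to Network Share Discovery (T1135) than to group discovery, so the intended mapping should be confirmed with the author rather than guessed. Whichever is chosen, the rule's `modified` date should be bumped alongside the fix.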
@@ -3,7 +3,7 @@ id: 195626f3-5f1b-4403-93b7-e6cfd4d6a078 status: experimental description: Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1573/T1573.md#atomic-test-1---openssl-c2 + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1573/T1573.md#atomic-test-1---openssl-c2 - https://medium.com/walmartglobaltech/openssl-server-reverse-shell-from-windows-client-aee2dbfa0926 author: frack113 date: 2022/01/23 @@ -19,8 +19,8 @@ detection: - '.AuthenticateAsClient' condition: selection falsepositives: - - Legitimate administrative script + - Legitimate administrative script level: low tags: - - attack.command_and_control - - attack.t1573 + - attack.command_and_control + - attack.t1573 diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml index 196e8c2b3..a44817bba 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_start_process.yml @@ -4,7 +4,7 @@ status: experimental description: Powershell use PassThru option to start in background author: frack113 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1036.003/T1036.003.md - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/Start-Process?view=powershell-5.1&viewFallbackFrom=powershell-7 date: 2022/01/15 logsource: 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml index 42f6af469..324e94a36 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_unblock_file.yml @@ -5,7 +5,7 @@ description: Remove the Zone.Identifier alternate data stream which identifies t date: 2022/02/01 author: frack113 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.005/T1553.005.md#atomic-test-3---remove-the-zoneidentifier-alternate-data-stream + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.005/T1553.005.md#atomic-test-3---remove-the-zoneidentifier-alternate-data-stream - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/unblock-file?view=powershell-7.2 logsource: product: windows diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml index 543556f4c..61d59550f 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_wallpaper.yml @@ -7,7 +7,7 @@ description: | An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1491.001/T1491.001.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1491.001/T1491.001.md logsource: product: windows category: ps_script 
@@ -17,7 +17,7 @@ detection: ScriptBlockText|contains|all: - 'Get-ItemProperty' - 'Registry::' - - 'HKEY_CURRENT_USER\Control Panel\Desktop\' + - 'HKEY_CURRENT_USER\Control Panel\Desktop\' - 'WallPaper' selection_2: ScriptBlockText|contains: SystemParametersInfo(20,0,*,3) @@ -28,4 +28,3 @@ level: low tags: - attack.impact - attack.t1491.001 - diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml index c4c5f8087..4e0728998 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_win32_pnpentity.yml @@ -4,9 +4,9 @@ status: experimental author: frack113 date: 2021/08/23 modified: 2021/10/16 -description: Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. +description: Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1120/T1120.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1120/T1120.md tags: - attack.discovery - attack.t1120 @@ -20,4 +20,4 @@ detection: condition: selection falsepositives: - Admin script -level: low \ No newline at end of file +level: low diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml index 862a0d9c0..e63f2ede9 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_win32_shadowcopy.yml 
@@ -5,7 +5,7 @@ author: frack113 date: 2021/12/26 description: Deletes Windows Volume Shadow Copies with PowerShell code and Get-WMIObject. This technique is used by numerous ransomware families such as Sodinokibi/REvil references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-5---windows---delete-volume-shadow-copies-via-wmi-with-powershell logsource: product: windows category: ps_script @@ -15,7 +15,7 @@ detection: ScriptBlockText|contains|all: - 'Get-WmiObject' - 'Win32_Shadowcopy' - - '.Delete()' + - '.Delete()' condition: selection falsepositives: - Unknown diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml index 9a91946a9..b17c227c1 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_windowstyle.yml @@ -1,9 +1,9 @@ title: Suspicious PowerShell WindowStyle Option id: 313fbb0a-a341-4682-848d-6d6f8c4fab7c status: experimental -references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.003/T1564.003.md description: Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden +references: + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.003/T1564.003.md tags: - attack.defense_evasion - attack.t1564.003 @@ -22,4 +22,4 @@ detection: condition: selection falsepositives: - Unknown -level: medium \ No newline at end of file +level: medium 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml index fd0683f26..88651cd46 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml @@ -6,7 +6,7 @@ date: 2021/07/20 modified: 2021/10/16 description: Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1074.001/T1074.001.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md tags: - attack.collection - attack.t1074.001 diff --git a/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml b/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml index fbcd8478d..867179538 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml @@ -7,7 +7,7 @@ status: experimental description: Attempting to disable scheduled scanning and other parts of windows defender atp. Or set default actions to allow. author: frack113, elhoim references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps - https://bidouillesecurity.com/disable-windows-defender-in-powershell/ date: 2022/01/16 diff --git a/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml b/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml index ca8e0cb52..fca3e1fb2 100644 
--- a/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_test_netconnection.yml @@ -5,7 +5,7 @@ description: | Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1571/T1571.md#atomic-test-1---testing-usage-of-uncommonly-used-port-with-powershell - https://docs.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=windowsserver2022-ps author: frack113 date: 2022/01/23 @@ -25,8 +25,8 @@ detection: - ' 80 ' condition: selection and not filter falsepositives: - - Legitimate administrative script + - Legitimate administrative script level: medium tags: - - attack.command_and_control - - attack.t1571 + - attack.command_and_control + - attack.t1571 diff --git a/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml b/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml index fd7a92dea..e605ad891 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml 
@@ -4,9 +4,9 @@ status: experimental author: frack113 date: 2021/08/03 modified: 2021/10/16 -description: Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. +description: Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.006/T1070.006.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.006/T1070.006.md - https://www.offensive-security.com/metasploit-unleashed/timestomp/ tags: - attack.defense_evasion diff --git a/rules/windows/powershell/powershell_script/posh_ps_trigger_profiles.yml b/rules/windows/powershell/powershell_script/posh_ps_trigger_profiles.yml index 4bd240c6b..f5e7a3213 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_trigger_profiles.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_trigger_profiles.yml @@ -6,7 +6,7 @@ date: 2021/08/18 modified: 2021/10/16 description: Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.013/T1546.013.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.013/T1546.013.md tags: - attack.privilege_escalation - attack.t1546.013 @@ -26,4 +26,4 @@ detection: condition: selection falsepositives: - Unknown -level: medium \ No newline at end of file +level: medium 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_upload.yml b/rules/windows/powershell/powershell_script/posh_ps_upload.yml index 96fb18f0d..c10fa78bc 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_upload.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_upload.yml @@ -3,7 +3,7 @@ id: d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb status: experimental description: Detects the use of various web request POST or PUT methods (including aliases) via Windows PowerShell command references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md - https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.2 author: frack113 diff --git a/rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml b/rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml index 1b0fee330..f38527907 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_win32_product_install_msi.yml @@ -5,7 +5,7 @@ description: Detects the execution of an MSI file using PowerShell and the WMI W author: frack113 date: 2022/04/24 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.007/T1218.007.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md logsource: product: windows category: ps_script diff --git a/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml b/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml index 2131f6bd8..3185d93ed 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml 
+++ b/rules/windows/powershell/powershell_script/posh_ps_wmi_persistence.yml @@ -6,8 +6,8 @@ date: 2021/08/19 modified: 2021/10/16 description: Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.003/T1546.003.md - - https://github.com/EmpireProject/Empire/blob/master/data/module_source/persistence/Persistence.psm1#L545 + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.003/T1546.003.md + - https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/data/module_source/persistence/Persistence.psm1#L545 tags: - attack.privilege_escalation - attack.t1546.003 @@ -30,4 +30,4 @@ detection: condition: selection_ioc falsepositives: - Unknown -level: medium \ No newline at end of file +level: medium diff --git a/rules/windows/process_access/proc_access_win_lsass_memdump.yml b/rules/windows/process_access/proc_access_win_lsass_memdump.yml index 6ae6c2ee1..1b9c6a1f3 100755 --- a/rules/windows/process_access/proc_access_win_lsass_memdump.yml +++ b/rules/windows/process_access/proc_access_win_lsass_memdump.yml @@ -8,7 +8,7 @@ modified: 2022/03/20 references: - https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.001/T1003.001.md - https://research.splunk.com/endpoint/windows_possible_credential_dumping/ tags: - attack.credential_access 
@@ -43,4 +43,4 @@ detection: condition: selection and not 1 of filter* falsepositives: - False positives are present when looking for 0x1410. Exclusions may be required. -level: high \ No newline at end of file +level: high diff --git a/rules/windows/process_access/proc_access_win_lsass_memdump_evasion.yml b/rules/windows/process_access/proc_access_win_lsass_memdump_evasion.yml index 8aa0e4c52..1a3377113 100644 --- a/rules/windows/process_access/proc_access_win_lsass_memdump_evasion.yml +++ b/rules/windows/process_access/proc_access_win_lsass_memdump_evasion.yml @@ -4,9 +4,9 @@ status: experimental description: Detects a possible process memory dump that uses the white-listed filename like TrolleyExpress.exe as a way to dump the lsass process memory without Microsoft Defender interference author: Florian Roth references: - - https://twitter.com/_xpn_/status/1491557187168178176 - - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz - - https://twitter.com/mrd0x/status/1460597833917251595 + - https://twitter.com/_xpn_/status/1491557187168178176 + - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz + - https://twitter.com/mrd0x/status/1460597833917251595 date: 2022/02/10 tags: - attack.credential_access @@ -18,8 +18,8 @@ logsource: detection: selection: TargetImage|endswith: '\lsass.exe' - SourceImage|endswith: - - '\TrolleyExpress.exe' # Citrix + SourceImage|endswith: + - '\TrolleyExpress.exe' # Citrix - '\ProcessDump.exe' # Cisco Jabber - '\dump64.exe' # Visual Studio GrantedAccess|endswith: 
@@ -47,9 +47,9 @@ detection: - 'BA' - 'DA' - 'FA' - - '0x14C2' # https://github.com/b4rtik/ATPMiniDump/blob/master/ATPMiniDump/ATPMiniDump.c + - '0x14C2' # https://github.com/b4rtik/ATPMiniDump/blob/76304f93b390af3bb66e4f451ca16562a479bdc9/ATPMiniDump/ATPMiniDump.c - 'FF' condition: selection falsepositives: - Unlikely, since these tools shouldn't access lsass.exe at all -level: high \ No newline at end of file +level: high diff --git a/rules/windows/process_access/proc_access_win_lsass_memdump_indicators.yml b/rules/windows/process_access/proc_access_win_lsass_memdump_indicators.yml index ea79a4243..3942dce45 100644 --- a/rules/windows/process_access/proc_access_win_lsass_memdump_indicators.yml +++ b/rules/windows/process_access/proc_access_win_lsass_memdump_indicators.yml @@ -4,8 +4,8 @@ status: experimental description: Detects a possible process memory dump based on a keyword in the file name of the accessing process author: Florian Roth references: - - https://twitter.com/_xpn_/status/1491557187168178176 - - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz + - https://twitter.com/_xpn_/status/1491557187168178176 + - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz date: 2022/02/10 tags: - attack.credential_access @@ -43,9 +43,9 @@ detection: - 'BA' - 'DA' - 'FA' - - '0x14C2' # https://github.com/b4rtik/ATPMiniDump/blob/master/ATPMiniDump/ATPMiniDump.c + - '0x14C2' # https://github.com/b4rtik/ATPMiniDump/blob/76304f93b390af3bb66e4f451ca16562a479bdc9/ATPMiniDump/ATPMiniDump.c - 'FF' condition: selection falsepositives: - Rare programs that contain the word dump in their name and access lsass -level: high \ No newline at end of file +level: high 
diff --git a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml index 1581ff428..244424d94 100644 --- a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml +++ b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml @@ -49,7 +49,7 @@ detection: - 'BA' - 'DA' - 'FA' - - '0x14C2' # https://github.com/b4rtik/ATPMiniDump/blob/master/ATPMiniDump/ATPMiniDump.c + - '0x14C2' # https://github.com/b4rtik/ATPMiniDump/blob/76304f93b390af3bb66e4f451ca16562a479bdc9/ATPMiniDump/ATPMiniDump.c # Absolute paths to programs that cause false positives filter_absolute: SourceImage: diff --git a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml index 91a48a9c2..e84103481 100644 --- a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml +++ b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml @@ -46,7 +46,7 @@ detection: - 'BA' - 'DA' - 'FA' - - '0x14C2' # https://github.com/b4rtik/ATPMiniDump/blob/master/ATPMiniDump/ATPMiniDump.c + - '0x14C2' # https://github.com/b4rtik/ATPMiniDump/blob/76304f93b390af3bb66e4f451ca16562a479bdc9/ATPMiniDump/ATPMiniDump.c - 'FF' SourceImage|contains: - '\Temp\' diff --git a/rules/windows/process_creation/proc_creation_win_accesschk_usage_after_priv_escalation.yml b/rules/windows/process_creation/proc_creation_win_accesschk_usage_after_priv_escalation.yml index dbad9aca2..d47b9f6e6 100644 --- a/rules/windows/process_creation/proc_creation_win_accesschk_usage_after_priv_escalation.yml +++ b/rules/windows/process_creation/proc_creation_win_accesschk_usage_after_priv_escalation.yml 
@@ -6,8 +6,8 @@ author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community, Na references: - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43 - https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW - - https://github.com/carlospolop/PEASS-ng/blob/master/winPEAS/winPEASbat/winPEAS.bat - - https://github.com/gladiatx0r/Powerless/blob/master/Powerless.bat + - https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat + - https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat date: 2020/10/13 modified: 2022/06/20 logsource: diff --git a/rules/windows/process_creation/proc_creation_win_alternate_data_streams.yml b/rules/windows/process_creation/proc_creation_win_alternate_data_streams.yml index badd22c44..87264d4f3 100644 --- a/rules/windows/process_creation/proc_creation_win_alternate_data_streams.yml +++ b/rules/windows/process_creation/proc_creation_win_alternate_data_streams.yml @@ -5,7 +5,7 @@ author: frack113 date: 2021/09/01 description: Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1564.004/T1564.004.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1564.004/T1564.004.md tags: - attack.defense_evasion - attack.t1564.004 @@ -37,7 +37,7 @@ detection: - ' /y ' - ' /d ' - ' /o ' - condition: selection_stream and (1 of selection_tools_*) + condition: selection_stream and (1 of selection_tools_*) falsepositives: - Unknown level: medium diff --git a/rules/windows/process_creation/proc_creation_win_anydesk.yml b/rules/windows/process_creation/proc_creation_win_anydesk.yml index ab64b9b31..801280cb9 100644 --- a/rules/windows/process_creation/proc_creation_win_anydesk.yml 
+++ b/rules/windows/process_creation/proc_creation_win_anydesk.yml @@ -2,11 +2,11 @@ title: Use of Anydesk Remote Access Software id: b52e84a3-029e-4529-b09b-71d19dd27e94 status: experimental description: | - An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. - These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. - Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) + An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. + These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. + Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows author: frack113 date: 2022/02/11 logsource: diff --git a/rules/windows/process_creation/proc_creation_win_anydesk_susp_folder.yml b/rules/windows/process_creation/proc_creation_win_anydesk_susp_folder.yml index 275c219cf..f4bd71b95 100644 --- a/rules/windows/process_creation/proc_creation_win_anydesk_susp_folder.yml 
+++ b/rules/windows/process_creation/proc_creation_win_anydesk_susp_folder.yml @@ -2,11 +2,11 @@ title: Use of Anydesk Remote Access Software from Suspicious Folder id: 065b00ca-5d5c-4557-ac95-64a6d0b64d86 status: experimental description: | - An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. - These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. - Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) + An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. + These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. + Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land) references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1219/T1219.md#atomic-test-2---anydesk-files-detected-test-on-windows author: Florian Roth date: 2022/05/20 logsource: diff --git a/rules/windows/process_creation/proc_creation_win_apt_sourgrum.yml b/rules/windows/process_creation/proc_creation_win_apt_sourgrum.yml index 4fa710af6..a1b7ff41a 100644 
--- a/rules/windows/process_creation/proc_creation_win_apt_sourgrum.yml
+++ b/rules/windows/process_creation/proc_creation_win_apt_sourgrum.yml
@@ -3,10 +3,9 @@ id: 7ba08e95-1e0b-40cd-9db5-b980555e42fd
 description: Suspicious behaviours related to an actor tracked by Microsoft as SOURGUM
 author: MSTIC, FPT.EagleEye
 status: experimental
-level: high
 references:
 - https://www.virustotal.com/gui/file/c299063e3eae8ddc15839767e83b9808fd43418dc5a1af7e4f44b97ba53fbd3d/detection
- - https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SOURGUM_IOC.yaml
+ - https://github.com/Azure/Azure-Sentinel/blob/43e9be273dca321295190bfc4902858e009d4a35/Detections/MultipleDataSources/SOURGUM_IOC.yaml
 - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
 date: 2021/06/15
 modified: 2021/07/30
@@ -19,23 +18,22 @@ logsource:
 product: windows
 category: process_creation
 detection:
- selection1:
- Image|contains: 'windows\system32\Physmem.sys'
- selection2:
+ selection:
 Image|contains:
+ - 'windows\system32\Physmem.sys'
 - 'Windows\system32\ime\SHARED\WimBootConfigurations.ini'
 - 'Windows\system32\ime\IMEJP\WimBootConfigurations.ini'
 - 'Windows\system32\ime\IMETC\WimBootConfigurations.ini'
- selection3:
+ registry_image:
 Image|contains:
 - 'windows\system32\filepath2'
 - 'windows\system32\ime'
- registry_command:
 CommandLine|contains: 'reg add'
 registry_key:
 CommandLine|contains:
 - 'HKEY_LOCAL_MACHINE\software\classes\clsid\{7c857801-7381-11cf-884d-00aa004b2e24}\inprocserver32'
 - 'HKEY_LOCAL_MACHINE\software\classes\clsid\{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}\inprocserver32'
- condition: selection1 or selection2 or (selection3 and registry_command and registry_key)
+ condition: selection or all of registry_*
 falsepositives:
 - Unknown
+level: high
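Review bot: The merged `registry_image` selection now ANDs an `Image|contains` list with `CommandLine|contains: 'reg add'`, so its name no longer describes what it holds; either rename it (e.g. `registry_process`) or put a comment above it such as `# process running from a SOURGUM drop path that itself invokes 'reg add' on the CLSID keys` so the next reader does not assume it is image-only. `condition: selection or all of registry_*` also turns any future `registry_`-prefixed selection into a required conjunct, which deserves a one-line comment on the condition. Because `Image` and `CommandLine` belong to the same process_creation event, this branch only fires when a binary located under `\ime` or `\filepath2` has `reg add` on its own command line — the same logic the old `selection3 and registry_command and registry_key` expressed, but since the hunk only restructures it, it is worth confirming against the cited Sentinel IOC rule that the path indicators were meant to match the Image rather than the command line.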
diff --git a/rules/windows/process_creation/proc_creation_win_automated_collection.yml b/rules/windows/process_creation/proc_creation_win_automated_collection.yml
index 05550d6de..389cb93dc 100644
--- a/rules/windows/process_creation/proc_creation_win_automated_collection.yml
+++ b/rules/windows/process_creation/proc_creation_win_automated_collection.yml
@@ -5,8 +5,8 @@ author: frack113
 date: 2021/07/28
 description: Once established within a system or network, an adversary may use automated techniques for collecting internal data.
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.001/T1552.001.md
 logsource:
 category: process_creation
 product: windows
@@ -40,4 +40,4 @@ tags:
 - attack.collection
 - attack.t1119
 - attack.credential_access
- - attack.t1552.001
\ No newline at end of file
+ - attack.t1552.001
diff --git a/rules/windows/process_creation/proc_creation_win_susp_recon.yml b/rules/windows/process_creation/proc_creation_win_susp_recon.yml
index c0cd5a8d3..7af331728 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_recon.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_recon.yml
@@ -5,7 +5,7 @@ author: frack113
 date: 2021/07/30
 description: Once established within a system or network, an adversary may use automated techniques for collecting internal data.
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md
 tags:
 - attack.collection
 - attack.t1119
@@ -14,14 +14,18 @@ logsource:
 category: process_creation
 detection:
 selection_image:
- Image|endswith:
+ - Image|endswith:
 - '\tree.com'
 - '\WMIC.exe'
 - '\doskey.exe'
 - '\sc.exe'
+ - OriginalFileName:
+ - 'wmic.exe'
+ - 'DOSKEY.EXE'
+ - 'sc.exe'
 selection_redirect:
 ParentCommandLine|contains: ' > %TEMP%\'
- condition: selection_image and selection_redirect
+ condition: all of selection*
 falsepositives:
 - Unknown
 level: medium
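Review bot: The new `OriginalFileName` alternative lists `wmic.exe`, `DOSKEY.EXE` and `sc.exe` but has no entry for the fourth Image suffix `\tree.com`, so a renamed copy of tree.com is still matched only by its path suffix; if that omission is deliberate, record it with a comment on the list such as `# tree.com: no OriginalFileName counterpart added`, otherwise add the value. The logic is otherwise preserved — `selection_image` is now a list of two maps (OR) and `condition: all of selection*` still ANDs it with `selection_redirect` — but the wildcard makes any later `selection_`-prefixed entry a required conjunct, which is worth a one-line comment on the condition. The mixed casing in the added list (`wmic.exe` next to `DOSKEY.EXE`) is harmless under Sigma's case-insensitive string matching but reads as inconsistent with the existing `'\WMIC.exe'` entry.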