feat: updates and new rules related to fin7

2023-05-05 01:26:06 +02:00
parent 796fa721fd
commit 24ed6be065
18 changed files with 445 additions and 72 deletions
@@ -0,0 +1,27 @@
+title: PowerShell Script With File Hostname Resolving Capabilities
+id: fbc5e92f-3044-4e73-a5c6-1c4359b539de
+status: experimental
+description: Detects powershell scripts that have capabilities to read files, loop through them and resolve dns host entries.
+references:
+    - https://www.fortypoundhead.com/showcontent.asp?artid=24022
+    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/05
+tags:
+    - attack.exfiltration
+    - attack.t1020
+logsource:
+    product: windows
+    category: ps_script
+    definition: bade5735-5ab0-4aa7-a642-a11be0e40872
+detection:
+    selection:
+        ScriptBlockText|contains:
+            - 'Get-content '
+            - 'foreach'
+            - '[System.Net.Dns]::GetHostEntry'
+            - 'Out-File'
+    condition: selection
+falsepositives:
+    - The same functionality can be implemented by admin scripts, correlate with name and creator
+level: medium
@@ -1,33 +1,31 @@
-title: Windows PowerShell Upload Web Request
+title: PowerShell Script With File Upload Capabilities
 id: d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb
 status: experimental
-description: Detects the use of various web request POST or PUT methods (including aliases) via Windows PowerShell command
+description: Detects powershell scripts leveraging the "Invoke-WebRequest" cmdlet to send data via either "PUT" or "POST" method.
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1020/T1020.md
    - https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
    - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.2
 author: frack113
 date: 2022/01/07
-modified: 2023/01/02
+modified: 2023/05/04
 tags:
    - attack.exfiltration
    - attack.t1020
 logsource:
    product: windows
    category: ps_script
-    definition: 'Requirements: Script Block Logging must be enabled'
+    definition: bade5735-5ab0-4aa7-a642-a11be0e40872
 detection:
    selection_cmdlet:
        ScriptBlockText|contains:
            - 'Invoke-WebRequest'
            - 'iwr '
    selection_flag:
-        ScriptBlockText|contains: '-Method '
-    selection_verb:
        ScriptBlockText|contains:
-            - ' Put '
-            - ' Post '
+            - '-Method Put'
+            - '-Method Post'
    condition: all of selection_*
 falsepositives:
-    - Legitimate script
-level: medium
+    - Unknown
+level: low
@@ -1,29 +0,0 @@
-title: Powershell Trigger Profiles by Add_Content
-id: 05b3e303-faf0-4f4a-9b30-46cc13e69152
-status: test
-description: Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles.
-references:
-    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.013/T1546.013.md
-author: frack113
-date: 2021/08/18
-modified: 2022/12/25
-tags:
-    - attack.privilege_escalation
-    - attack.t1546.013
-logsource:
-    product: windows
-    category: ps_script
-    definition: 'Requirements: Script Block Logging must be enabled'
-detection:
-    selection:
-        ScriptBlockText|contains|all:
-            - 'Add-Content'
-            - '$profile'
-            - '-Value'
-        ScriptBlockText|contains:
-            - 'Start-Process'
-            - '""'  #cleanup action
-    condition: selection
-falsepositives:
-    - Unknown
-level: medium
@@ -0,0 +1,35 @@
+title: Potential Persistence Via PowerShell User Profile Using Add-Content
+id: 05b3e303-faf0-4f4a-9b30-46cc13e69152
+status: test
+description: Detects calls to "Add-Content" cmdlet in order to modify the content of the user profile and potentially adding suspicious commands for persistence
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1546.013/T1546.013.md
+author: frack113, Nasreddine Bencherchali (Nextron Systems)
+date: 2021/08/18
+modified: 2023/05/04
+tags:
+    - attack.persistence
+    - attack.privilege_escalation
+    - attack.t1546.013
+logsource:
+    product: windows
+    category: ps_script
+    definition: 'Requirements: Script Block Logging must be enabled'
+detection:
+    selection_add:
+        ScriptBlockText|contains: 'Add-Content $profile'
+    selection_options:
+        ScriptBlockText|contains:
+            # Note: You can add more suspicious values
+            - '-Value "IEX '
+            - '-Value "Invoke-Expression'
+            - '-Value "Invoke-WebRequest'
+            - '-Value "Start-Process'
+            - "-Value 'IEX "
+            - "-Value 'Invoke-Expression"
+            - "-Value 'Invoke-WebRequest"
+            - "-Value 'Start-Process"
+    condition: selection
+falsepositives:
+    - Legitimate administration and tuning scripts that aims to add functionality to a user powershell session
+level: medium
@@ -0,0 +1,26 @@
+title: Veeam Backup Servers Credential Dumping Script Execution
+id: 976d6e6f-a04b-4900-9713-0134a353e38b
+status: experimental
+description: Detects execution of a powershell script that contains calls to the "Veeam.Backup" class, in order to dump credential stored.
+references:
+    - https://www.pwndefend.com/2021/02/15/retrieving-passwords-from-veeam-backup-servers/
+    - https://labs.withsecure.com/publications/fin7-target-veeam-servers
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/05/04
+tags:
+    - attack.credential_access
+logsource:
+    product: windows
+    category: ps_script
+    definition: bade5735-5ab0-4aa7-a642-a11be0e40872
+detection:
+    selection:
+        ScriptBlockText|contains|all:
+            - '[Credentials]'
+            - '[Veeam.Backup.Common.ProtectedStorage]::GetLocalString'
+            - 'Invoke-Sqlcmd'
+            - 'Veeam Backup and Replication'
+    condition: selection
+falsepositives:
+    - Administrators backup scripts (must be investigated)
+level: high