From 2710bf4710f21ad42ddbc0caa82ed0b2bf2ae3f2 Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 11 Apr 2023 13:04:22 +0200 Subject: [PATCH] feat: new rules, updates and fp fixes (#4162) --- ...eation_win_powershell_base64_shellcode.yml | 10 +-- ...oit_cve_2023_23397_outlook_remote_file.yml | 49 +++++++++++ ...ient_security_susp_failed_guest_logon.yml} | 0 .../file_event_win_bloodhound_collection.yml | 16 ++-- ...e_event_win_shell_write_susp_directory.yml | 43 +++++----- .../posh_ps_amsi_null_bits_bypass.yml | 5 +- .../posh_ps_apt_silence_eda.yml | 4 +- ...win_susp_proc_access_lsass_susp_source.yml | 8 +- ...c_creation_win_conhost_uncommon_parent.yml | 24 +++--- .../proc_creation_win_mofcomp_execution.yml | 8 +- ..._creation_win_powershell_audio_capture.yml | 12 ++- ...tion_win_powershell_base64_encoded_cmd.yml | 35 ++++---- ...win_powershell_base64_frombase64string.yml | 9 +- ...roc_creation_win_powershell_base64_iex.yml | 11 ++- ..._creation_win_powershell_base64_invoke.yml | 19 +++-- ...ion_win_powershell_base64_mppreference.yml | 3 +- ...shell_base64_reflection_assembly_load.yml} | 0 ...ase64_reflection_assembly_load_obfusc.yml} | 9 +- ...tion_win_powershell_base64_wmi_classes.yml | 4 +- ...in_powershell_cmdline_reversed_strings.yml | 4 +- ..._powershell_cmdline_special_characters.yml | 49 ++++------- ...in_powershell_reverse_shell_connection.yml | 14 ++-- ..._rundll32_webdav_client_susp_execution.yml | 4 + .../proc_creation_win_susp_non_exe_image.yml | 83 ++++++++++--------- ...win_uac_bypass_cmstp_com_object_access.yml | 16 ++-- ...ve_2023_23397_outlook_reminder_trigger.yml | 27 ++++++ tests/logsource.json | 1 + tests/thor.yml | 5 ++ 28 files changed, 281 insertions(+), 191 deletions(-) rename {rules/windows/process_creation => rules-deprecated/windows}/proc_creation_win_powershell_base64_shellcode.yml (72%) create mode 100644 rules/windows/builtin/smbclient/connectivity/win_smbclient_connectivity_exploit_cve_2023_23397_outlook_remote_file.yml rename 
rules/windows/builtin/smbclient/{win_susp_failed_guest_logon.yml => security/win_smbclient_security_susp_failed_guest_logon.yml} (100%) rename rules/windows/process_creation/{proc_creation_win_powershell_base64_reflective_assembly_load.yml => proc_creation_win_powershell_base64_reflection_assembly_load.yml} (100%) rename rules/windows/process_creation/{proc_creation_win_powershell_base64_load.yml => proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml} (85%) create mode 100644 rules/windows/registry/registry_set/registry_set_exploit_cve_2023_23397_outlook_reminder_trigger.yml diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_shellcode.yml b/rules-deprecated/windows/proc_creation_win_powershell_base64_shellcode.yml similarity index 72% rename from rules/windows/process_creation/proc_creation_win_powershell_base64_shellcode.yml rename to rules-deprecated/windows/proc_creation_win_powershell_base64_shellcode.yml index 7778f93c4..d88daf47c 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_base64_shellcode.yml +++ b/rules-deprecated/windows/proc_creation_win_powershell_base64_shellcode.yml @@ -1,12 +1,12 @@ -title: PowerShell Base64 Encoded Shellcode +title: Potential PowerShell Base64 Encoded Shellcode id: 2d117e49-e626-4c7c-bd1f-c3c0147774c8 -status: stable -description: Detects Base64 encoded Shellcode +status: deprecated +description: Detects potential powershell Base64 encoded Shellcode references: - https://twitter.com/cyb3rops/status/1063072865992523776 author: Florian Roth (Nextron Systems) date: 2018/11/17 -modified: 2023/01/26 +modified: 2023/04/06 tags: - attack.defense_evasion - attack.t1027 @@ -21,4 +21,4 @@ detection: condition: selection falsepositives: - Unknown -level: critical +level: medium 
diff --git a/rules/windows/builtin/smbclient/connectivity/win_smbclient_connectivity_exploit_cve_2023_23397_outlook_remote_file.yml b/rules/windows/builtin/smbclient/connectivity/win_smbclient_connectivity_exploit_cve_2023_23397_outlook_remote_file.yml new file mode 100644 index 000000000..32ca69dc0 --- /dev/null +++ b/rules/windows/builtin/smbclient/connectivity/win_smbclient_connectivity_exploit_cve_2023_23397_outlook_remote_file.yml 
@@ -0,0 +1,49 @@
+title: Potential CVE-2023-23397 Exploitation Attempt - SMB
+id: de96b824-02b0-4241-9356-7e9b47f04bac
+status: experimental
+description: Detects (failed) outbound connection attempts to internet facing SMB servers. This could be a sign of potential exploitation attempts of CVE-2023-23397.
+references:
+ - https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/04/05
+tags:
+ - attack.exfiltration
+ - cve.2023.23397
+logsource:
+ product: windows
+ service: smbclient-connectivity
+detection:
+ selection:
+ # Author Note: You could adapt this rule to use the "ServerName" field and uncomment the commented EventIDs. But you need to provide your own filter for "trusted server names"
+ EventID:
+ #- 30800 # The server name cannot be resolved. (Doesn't contain the "ServerAddress" field)
+ - 30803 # Failed to establish a network connection.
+ - 30804 # A network connection was disconnected.
+ - 30806 # The client re-established its session to the server.
+ #- 31001 # Error (Doesn't contain the "ServerAddress" field)
+ filter_main_local_ips:
+ ServerAddress|startswith:
+ - '10.' #10.0.0.0/8
+ - '192.168.' #192.168.0.0/16
+ - '172.16.' #172.16.0.0/12
+ - '172.17.'
+ - '172.18.'
+ - '172.19.'
+ - '172.20.'
+ - '172.21.'
+ - '172.22.'
+ - '172.23.'
+ - '172.24.'
+ - '172.25.'
+ - '172.26.'
+ - '172.27.'
+ - '172.28.'
+ - '172.29.'
+ - '172.30.'
+ - '172.31.'
+ - '127.' #127.0.0.0/8
+ - '169.254.' #169.254.0.0/16
+ condition: selection and not 1 of filter_main_*
+falsepositives:
+ - Some false positives may occur from external trusted servers. Apply additional filters accordingly
+level: medium
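Review bot: filter_main_local_ips only excludes IPv4 RFC 1918, loopback and link-local prefixes, so an IPv6 ServerAddress (`::1`, `fe80:...`, a ULA `fd..` address) or the CGNAT range 100.64.0.0/10 that many VPN and carrier setups use will be treated as "internet facing" and fire on purely internal traffic. Depending on how the smbclient-connectivity provider renders IPv6 endpoints (possibly bracketed), add the matching prefixes to the list, e.g. `- '100.64.' #100.64.0.0/10`, `- '::1'`, `- 'fe80:'` plus `fc`/`fd` for fc00::/7. The tags carry only `attack.exfiltration`; since the Outlook bug coerces an outbound NTLM authentication, `attack.t1187` (Forced Authentication) seems the closer technique — verify against the referenced Microsoft guidance before adding it.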
diff --git a/rules/windows/builtin/smbclient/win_susp_failed_guest_logon.yml b/rules/windows/builtin/smbclient/security/win_smbclient_security_susp_failed_guest_logon.yml similarity index 100% rename from rules/windows/builtin/smbclient/win_susp_failed_guest_logon.yml rename to rules/windows/builtin/smbclient/security/win_smbclient_security_susp_failed_guest_logon.yml diff --git a/rules/windows/file/file_event/file_event_win_bloodhound_collection.yml b/rules/windows/file/file_event/file_event_win_bloodhound_collection.yml index 9eace9927..ee9448d56 100644 --- a/rules/windows/file/file_event/file_event_win_bloodhound_collection.yml +++ b/rules/windows/file/file_event/file_event_win_bloodhound_collection.yml @@ -6,7 +6,7 @@ references: - https://academy.hackthebox.com/course/preview/active-directory-bloodhound/bloodhound--data-collection author: C.J. May date: 2022/08/09 -modified: 2023/02/13 +modified: 2023/03/29 tags: - attack.discovery - attack.t1087.001 @@ -20,9 +20,9 @@ logsource: product: windows category: file_event detection: - selection_1: + selection: TargetFilename|endswith: - - '_BloodHound.zip' + - 'BloodHound.zip' - '_computers.json' - '_containers.json' - '_domains.json' @@ -30,15 +30,11 @@ detection: - '_groups.json' - '_ous.json' - '_users.json' - selection_2: - TargetFilename|contains|all: - - 'BloodHound' - - '.zip' - filter_ms_winapps: + filter_optional_ms_winapps: Image|endswith: '\svchost.exe' TargetFilename|startswith: 'C:\Program Files\WindowsApps\Microsoft.' TargetFilename|endswith: '\pocket_containers.json' - condition: 1 of selection_* and not 1 of filter_* + condition: selection and not 1 of filter_optional_* falsepositives: - - Unknown + - Some false positives may arise in some environment and this may require some tuning. Add addional filters or reduce level depending on the level of noise level: high 
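Review bot: The new falsepositives entry has a typo and a grammar slip (`addional`, `in some environment`); suggest `- Some false positives may arise in some environments and this may require some tuning. Add additional filters or reduce level depending on the level of noise`. Collapsing the two selections into `TargetFilename|endswith: 'BloodHound.zip'` also narrows coverage compared with the removed `contains|all` of `BloodHound` and `.zip`: a collector run with a custom archive name such as `BloodHound_export.zip` no longer matches, which looks intentional for FP reasons but deserves a one-line comment on the `'BloodHound.zip'` entry so the trade-off is recorded.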
diff --git a/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml b/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml
index 21d5aab7b..4cc8f3f91 100644
--- a/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml
+++ b/rules/windows/file/file_event/file_event_win_shell_write_susp_directory.yml
@@ -1,44 +1,43 @@ -title: Windows Shell File Write to Suspicious Folder +title: Windows Shell/Scripting Application File Write to Suspicious Folder id: 1277f594-a7d1-4f28-a2d3-73af5cbeab43 status: experimental -description: Detects a Windows executable that writes files to suspicious folders +description: Detects Windows shells and scripting applications that write files to suspicious folders references: - Internal Research author: Florian Roth (Nextron Systems) date: 2021/11/20 -modified: 2023/01/05 +modified: 2023/03/29 logsource: category: file_event product: windows detection: - selection_shells: + selection_1: Image|endswith: + - '\bash.exe' - '\cmd.exe' + - '\cscript.exe' + - '\msbuild.exe' # https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml - '\powershell.exe' - '\pwsh.exe' - - '\wscript.exe' - - '\cscript.exe' - '\sh.exe' - - '\bash.exe' - - '\msbuild.exe' # https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/defense_evasion_execution_msbuild_started_by_office_app.toml + - '\wscript.exe' TargetFilename|startswith: - - 'C:\Users\Public' - - 'C:\PerfLogs' - selection_program: + - 'C:\PerfLogs\' + - 'C:\Users\Public\' + selection_2: Image|endswith: - - '\schtasks.exe' - - '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/ - - '\mshta.exe' - # - '\rundll32.exe' - - '\forfiles.exe' - - '\scriptrunner.exe' - '\certutil.exe' + - '\forfiles.exe' + - '\mshta.exe' + #- '\rundll32.exe' # Potential FP + - '\schtasks.exe' + - '\scriptrunner.exe' + - '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/ TargetFilename|contains: - - 'C:\Users\Public' - - 'C:\PerfLogs' - - '\AppData\' - - 'C:\Windows\Temp' - condition: 1 of selection* + - 'C:\PerfLogs\' + - 'C:\Users\Public\' + - 'C:\Windows\Temp\' + condition: 1 of selection_* falsepositives: - Unknown level: 
high diff --git a/rules/windows/powershell/powershell_script/posh_ps_amsi_null_bits_bypass.yml b/rules/windows/powershell/powershell_script/posh_ps_amsi_null_bits_bypass.yml index ab873afa4..cb204f555 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_amsi_null_bits_bypass.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_amsi_null_bits_bypass.yml @@ -9,16 +9,17 @@ references: - https://github.com/r00t-3xp10it/hacking-material-books/blob/43cb1e1932c16ff1f58b755bc9ab6b096046853f/obfuscation/simple_obfuscation.md#amsi-bypass-using-null-bits-satoshi author: Nasreddine Bencherchali (Nextron Systems) date: 2023/01/04 +modified: 2023/04/03 tags: - attack.defense_evasion - attack.t1562.001 logsource: product: windows - service: powershell + category: ps_script definition: 'Requirements: Script Block Logging must be enabled' detection: selection: - ScriptBlockLogging|contains: + ScriptBlockText|contains: - "if(0){{{0}}}' -f $(0 -as [char]) +" - "#" condition: selection diff --git a/rules/windows/powershell/powershell_script/posh_ps_apt_silence_eda.yml b/rules/windows/powershell/powershell_script/posh_ps_apt_silence_eda.yml index 65c1adbec..4460862a9 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_apt_silence_eda.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_apt_silence_eda.yml @@ -6,7 +6,7 @@ references: - https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf author: Alina Stepchenkova, Group-IB, oscd.community date: 2019/11/01 -modified: 2022/10/05 +modified: 2023/04/03 tags: - attack.execution - attack.t1059.001 @@ -19,7 +19,7 @@ tags: - attack.s0363 logsource: product: windows - service: powershell + category: ps_script definition: 'Requirements: Script Block Logging must be enabled' detection: empire: 
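Review bot: Dropping `\AppData\` from selection_2's `TargetFilename|contains` list silently removes certutil/mshta/wmic/schtasks writes under a user profile, a common staging location, and nothing in the rule records why. The same list already annotates a disabled entry with `#- '\rundll32.exe' # Potential FP`, so mirror that, e.g. `#- '\AppData\' # Removed due to FP`, to keep the scope reduction visible to the next maintainer. selection_1 uses `startswith` while selection_2 uses `contains` for the identical `C:\PerfLogs\` and `C:\Users\Public\` prefixes; aligning selection_2 on `startswith` avoids matching those strings mid-path and makes the two selections read consistently.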
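Review bot: The field rename to `ScriptBlockText` is the right fix, but the list under `ScriptBlockText|contains` has OR semantics and the hunk's `condition: selection` adds no narrowing, so the second entry `"#"` on its own matches nearly every script block that contains a comment character and swamps the specific first pattern. If both fragments are expected in the same script block, use `ScriptBlockText|contains|all:`; if the `"#"` entry was meant to carry the NUL produced by `$(0 -as [char])` and the character was lost in rendering, add a comment next to it saying so, because a bare `#` cannot be distinguished from that by a reader of the rule.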
diff --git a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml index 6fc85ceb4..c64758523 100644 --- a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml +++ b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml @@ -10,7 +10,7 @@ references: - http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf author: Florian Roth (Nextron Systems) date: 2021/11/27 -modified: 2023/03/28 +modified: 2023/04/11 tags: - attack.credential_access - attack.t1003.001 @@ -96,10 +96,12 @@ detection: - '\AppData\Local\Temp\' - '\vs_bootstrapper_' GrantedAccess: '0x1410' - filter_optional_chrome: + filter_optional_chrome_update: SourceImage|startswith: 'C:\Program Files (x86)\Google\Temp\' SourceImage|endswith: '.tmp\GoogleUpdate.exe' - GrantedAccess: '0x410' + GrantedAccess: + - '0x410' + - '0x1410' filter_optional_keybase: SourceImage|startswith: 'C:\Users\' SourceImage|endswith: \AppData\Local\Keybase\keybase.exe diff --git a/rules/windows/process_creation/proc_creation_win_conhost_uncommon_parent.yml b/rules/windows/process_creation/proc_creation_win_conhost_uncommon_parent.yml index fec10ccfa..cd0b375b7 100644 --- a/rules/windows/process_creation/proc_creation_win_conhost_uncommon_parent.yml +++ b/rules/windows/process_creation/proc_creation_win_conhost_uncommon_parent.yml 
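Review bot: Extending filter_optional_chrome_update to `0x1410` whitelists PROCESS_VM_READ (0x0010) on lsass.exe for anything named `GoogleUpdate.exe` under `C:\Program Files (x86)\Google\Temp\*.tmp\`, i.e. a path-only exclusion for exactly the access right credential dumpers need, and Sysmon event 10 carries no signer data to tighten it. Record the evidence that motivated it the way `filter_optional_ansible` does elsewhere in this commit, e.g. `# Check FP Example: <issue or sample link>` above the filter, and confirm that the `Google\Temp` directory is not writable by standard users on the fleet before relying on the exclusion. The filter is `optional`, so consumers can drop it; if the falsepositives section does not already mention the updater, it should.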
@@ -17,21 +17,21 @@ detection: selection: Image|endswith: '\conhost.exe' ParentImage|endswith: - - '\svchost.exe' - - '\lsass.exe' - - '\services.exe' - - '\smss.exe' - - '\winlogon.exe' - '\explorer.exe' - # - '\dllhost.exe' # FP on clean system from grandparent 'svchost.exe -k DcomLaunch -p' - - '\rundll32.exe' - - '\regsvr32.exe' - - '\userinit.exe' - - '\wininit.exe' - - '\spoolsv.exe' - # - '\wermgr.exe' # Legitimate parent as seen in EchoTrail https://www.echotrail.io/insights/search/wermgr.exe # - '\csrss.exe' # Legitimate parent as seen in EchoTrail https://www.echotrail.io/insights/search/csrss.exe # - '\ctfmon.exe' # Seen several times in a testing environment + # - '\dllhost.exe' # FP on clean system from grandparent 'svchost.exe -k DcomLaunch -p' + - '\lsass.exe' + - '\regsvr32.exe' + - '\rundll32.exe' + - '\services.exe' + - '\smss.exe' + - '\spoolsv.exe' + - '\svchost.exe' + - '\userinit.exe' + # - '\wermgr.exe' # Legitimate parent as seen in EchoTrail https://www.echotrail.io/insights/search/wermgr.exe + - '\wininit.exe' + - '\winlogon.exe' filter_main_svchost: ParentCommandLine|contains: - '-k apphost -s AppHostSvc' diff --git a/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml b/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml index 75e75eae3..792747907 100644 --- a/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml @@ -11,7 +11,7 @@ references: - https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp author: Nasreddine Bencherchali (Nextron Systems) date: 2022/07/12 -modified: 2023/03/30 +modified: 2023/04/11 tags: - attack.execution - attack.t1218 
@@ -41,7 +41,11 @@ detection: ParentImage: 'C:\Windows\System32\wbem\WmiPrvSE.exe' CommandLine|contains: 'C:\Windows\TEMP\' CommandLine|endswith: '.mof' - condition: all of selection_* and not 1 of filter_main_* + filter_optional_null_parent: + # Sometimes the parent information isn't available from the Microsoft-Windows-Security-Auditing provder. + CommandLine|contains: 'C:\Windows\TEMP\' + CommandLine|endswith: '.mof' + condition: all of selection_* and not 1 of filter_main_* and not 1 of filter_optional_* falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_powershell_audio_capture.yml b/rules/windows/process_creation/proc_creation_win_powershell_audio_capture.yml index c1a16a52b..dcaa24956 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_audio_capture.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_audio_capture.yml @@ -5,9 +5,10 @@ description: Detects audio capture via PowerShell Cmdlet. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1123/T1123.md - https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html -author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community + - https://github.com/frgnca/AudioDeviceCmdlets +author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community, Nasreddine Bencherchali (Nextron Systems) date: 2019/10/24 -modified: 2021/11/27 +modified: 2023/04/06 tags: - attack.collection - attack.t1123 @@ -16,7 +17,12 @@ logsource: product: windows detection: selection: - CommandLine|contains: 'WindowsAudioDevice-Powershell-Cmdlet' + CommandLine|contains: + - 'WindowsAudioDevice-Powershell-Cmdlet' + - 'Toggle-AudioDevice' + - 'Get-AudioDevice ' + - 'Set-AudioDevice ' + - 'Write-AudioDevice ' condition: selection falsepositives: - Legitimate audio capture by legitimate user. 
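Review bot: filter_optional_null_parent excludes every mofcomp.exe run of a `.mof` from `C:\Windows\TEMP\` regardless of parent, which makes the WmiPrvSE-scoped filter_main shown in the context lines redundant and lets an attacker bypass the rule simply by compiling from that directory. If the intent is only to cover events where the Security-Auditing provider omitted the parent, constrain the filter to that case, e.g. add `ParentImage: null` (Sigma's null means the field is absent; backends vary, and a `ParentImage: ''` variant may also be needed for empty values). The comment also has a typo: `provder` → `provider`.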
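Review bot: The added `Get-AudioDevice `, `Set-AudioDevice `, `Write-AudioDevice ` and `Toggle-AudioDevice` strings come from the referenced AudioDeviceCmdlets module, which enumerates and switches default playback/recording devices and volume rather than recording audio, so the unchanged description `Detects audio capture via PowerShell Cmdlet.` now overstates what a hit means. Either reword it, e.g. `Detects usage of PowerShell cmdlets that capture audio or enumerate and manipulate audio/recording devices`, or add a falsepositives entry for legitimate device management. `Toggle-AudioDevice` is also the only new entry without the trailing space the others use to avoid prefix matches; `'Toggle-AudioDevice '` would be consistent.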
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_cmd.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_cmd.yml index 2c5181df2..0e988b879 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_cmd.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_cmd.yml @@ -6,7 +6,7 @@ references: - https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community date: 2018/09/03 -modified: 2021/03/02 +modified: 2023/04/06 tags: - attack.execution - attack.t1059.001 @@ -14,17 +14,18 @@ logsource: category: process_creation product: windows detection: - selection: + selection_img: + - Image|endswith: + - '\powershell.exe' + - '\pwsh.exe' + - OriginalFileName: + - 'PowerShell.EXE' + - 'pwsh.dll' + selection_cli_enc: CommandLine|contains: ' -e' # covers -en and -enc - selection2: - CommandLine|contains: ' JAB' - selection3: - CommandLine|contains|all: - - ' -w' - - ' hidden ' - selection4: + selection_cli_content: CommandLine|contains: - - ' BA^J' + - ' JAB' - ' SUVYI' - ' SQBFAFgA' - ' aQBlAHgA' @@ -33,11 +34,11 @@ detection: - ' IAB' - ' UwB' - ' cwB' - selection5: - CommandLine|contains: '.exe -ENCOD ' - falsepositive1: - CommandLine|contains|all: - - ' -ExecutionPolicy' - - 'remotesigned ' - condition: ((selection and selection2) or (selection and selection2 and selection3) or (selection and selection4) or selection5) and not falsepositive1 + selection_standalone: + CommandLine|contains: + - '.exe -ENCOD ' + - ' BA^J e-' # Reversed + filter_optional_remote_signed: + CommandLine|contains: ' -ExecutionPolicy remotesigned ' + condition: selection_img and (all of selection_cli_* or selection_standalone) and not 1 of filter_optional_* level: high 
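Review bot: filter_optional_remote_signed suppresses a match whenever the command line contains ` -ExecutionPolicy remotesigned `, a token entirely under the attacker's control, so any encoded payload can opt out of this high-level rule by appending that flag. If the filter exists for a specific product, pin it with a ParentImage or a comment naming the FP source (as `filter_optional_ansible` does elsewhere in this commit); otherwise consider dropping it. Note also that `selection_cli_enc`'s ` -e` substring is satisfied by `-ExecutionPolicy` itself, so the "encoded" gate adds no constraint in exactly the command lines the filter targets; the `# covers -en and -enc` comment could say that this is accepted.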
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_frombase64string.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_frombase64string.yml index 288a7832a..1d07b99ae 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_base64_frombase64string.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_frombase64string.yml @@ -1,10 +1,12 @@ -title: PowerShell Base64 Encoded FromBase64String Keyword +title: PowerShell Base64 Encoded FromBase64String Cmdlet id: fdb62a13-9a81-4e5c-a38f-ea93a16f6d7c status: test description: Detects usage of a base64 encoded "FromBase64String" cmdlet in a process command line +references: + - Internal Research author: Florian Roth (Nextron Systems) date: 2019/08/24 -modified: 2023/01/31 +modified: 2023/04/06 tags: - attack.defense_evasion - attack.t1140 @@ -22,9 +24,6 @@ detection: - 'oAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnA' - '6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZw' condition: selection -fields: - - CommandLine - - ParentCommandLine falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_iex.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_iex.yml index 502560e2a..36fc922c2 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_base64_iex.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_iex.yml @@ -1,10 +1,12 @@ -title: PowerShell Base64 Encoded IEX Keyword +title: PowerShell Base64 Encoded IEX Cmdlet id: 88f680b8-070e-402c-ae11-d2914f2257f1 status: test -description: Detects usage of a base64 encoded "IEX" string in a process command line +description: Detects usage of a base64 encoded "IEX" cmdlet in a process command line +references: + - Internal Research author: Florian Roth (Nextron Systems) date: 2019/08/23 -modified: 2023/02/18 +modified: 2023/04/06 tags: - attack.execution - attack.t1059.001 
@@ -39,9 +41,6 @@ detection: - 'kARQBYACAAKABOAGUAdw' - 'JAEUAWAAgACgATgBlAHcA' condition: selection -fields: - - CommandLine - - ParentCommandLine falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_invoke.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_invoke.yml index a3134bb1e..a63db9670 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_base64_invoke.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_invoke.yml @@ -7,9 +7,9 @@ status: test description: Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls references: - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/ -author: pH-T (Nextron Systems), Harjot Singh, '@cyb3rjy0t' +author: pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t date: 2022/05/20 -modified: 2023/01/27 +modified: 2023/04/06 tags: - attack.execution - attack.t1059.001 @@ -19,7 +19,16 @@ logsource: category: process_creation product: windows detection: - selection: + selection_img: + - Image|endswith: + - '\powershell.exe' + - '\pwsh.exe' + - OriginalFileName: + - 'PowerShell.EXE' + - 'pwsh.dll' + selection_cli_enc: + CommandLine|contains: ' -e' + selection_cli_invoke: CommandLine|contains: # Invoke- # UTF-16LE @@ -30,7 +39,7 @@ detection: - 'SW52b2tlL' - 'ludm9rZS' - 'JbnZva2Ut' - condition: selection + condition: all of selection_* falsepositives: - - Unlikely + - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml index d1bcb0500..8389cc06b 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_mppreference.yml 
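Review bot: Adding `selection_cli_enc: CommandLine|contains: ' -e'` to the `all of selection_*` condition means the UTF-8 encodings in selection_cli_invoke (`SW52b2tlL`, `ludm9rZS`, `JbnZva2Ut`) now fire only when some `-e…` switch is also present; a payload that embeds the base64 in a `-Command "...FromBase64String('SW52b2tlL...')"` invocation has no ` -e` and is lost, although that is where UTF-8 base64 typically appears, since `-EncodedCommand` takes UTF-16LE. Either apply the ` -e` gate to the UTF-16LE strings only, or document the trade-off in a comment such as `# covers -en, -enc and -EncodedCommand; inline UTF-8 base64 passed via -Command is intentionally out of scope`. The description `Detects UTF-8 and UTF-16 Base64 encoded powershell 'Invoke-' calls` should then be adjusted to match whichever choice is made.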
@@ -38,6 +38,5 @@ detection: - 'zAGUAdAAtAG0AcABwAHIAZQBmAGUAcgBlAG4AYwBlACAA' condition: selection falsepositives: - - Possible Admin Activity - - Other Cmdlets that may use the same parameters + - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_reflective_assembly_load.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load.yml similarity index 100% rename from rules/windows/process_creation/proc_creation_win_powershell_base64_reflective_assembly_load.yml rename to rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load.yml diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_load.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml similarity index 85% rename from rules/windows/process_creation/proc_creation_win_powershell_base64_load.yml rename to rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml index 71e064393..00e8e7b6c 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_base64_load.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_reflection_assembly_load_obfusc.yml 
@@ -1,20 +1,21 @@ -title: Suspicious Encoded Obfuscated LOAD String +title: Suspicious Encoded And Obfuscated Reflection Assembly Load Function Call id: 9c0295ce-d60d-40bd-bd74-84673b7592b1 related: - id: 62b7ccc9-23b4-471e-aa15-6da3663c4d59 type: similar status: test -description: Detects suspicious base64 encoded and obbfuscated LOAD string often used for reflection.assembly load +description: Detects suspicious base64 encoded and obfuscated "LOAD" keyword used in .NET "reflection.assembly" references: - https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar - https://thedfirreport.com/2022/05/09/seo-poisoning-a-gootloader-story/ + - https://learn.microsoft.com/en-us/dotnet/api/system.appdomain.load?view=net-7.0 author: pH-T (Nextron Systems) date: 2022/03/01 -modified: 2022/05/20 +modified: 2023/04/06 tags: - attack.execution - - attack.t1059.001 - attack.defense_evasion + - attack.t1059.001 - attack.t1027 logsource: category: process_creation diff --git a/rules/windows/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml index a6ff57a54..9d7dfd871 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_base64_wmi_classes.yml 
@@ -4,10 +4,10 @@ related: - id: 47688f1b-9f51-4656-b013-3cc49a166a36 type: obsoletes status: experimental -description: Detects calls to base64 encoded WMI class such as "Win32_Shadowcopy", ""...etc. +description: Detects calls to base64 encoded WMI class such as "Win32_Shadowcopy", "Win32_ScheduledJob", etc. references: - https://github.com/Neo23x0/Raccine/blob/20a569fa21625086433dcce8bb2765d0ea08dcb6/yara/mal_revil.yar -author: Christian Burkard (Nextron Systems), Nasreddine Bencherchali +author: Christian Burkard (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) date: 2023/01/30 tags: - attack.execution diff --git a/rules/windows/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml b/rules/windows/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml index dfc7df627..52eab14a8 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_cmdline_reversed_strings.yml @@ -51,13 +51,13 @@ detection: - 'maerts' - 'hcaerof' - 'retupmoc' - filter_ansible: + filter_optional_ansible: # Check FP Example: https://github.com/SigmaHQ/sigma/pull/2720 ParentImage: 'C:\Windows\System32\cmd.exe' CommandLine|contains|all: - '-EncodedCommand' - 'rahc' - condition: all of selection_* and not 1 of filter_* + condition: all of selection_* and not 1 of filter_optional_* falsepositives: - Unlikely level: high diff --git a/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml b/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml index 7161651e6..10edeb555 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml 
@@ -1,4 +1,4 @@ -title: Suspicious PowerShell Command Line +title: Potential PowerShell Command Line Obfuscation id: d7bcd677-645d-4691-a8d4-7a5602b780d1 status: test description: Detects the PowerShell command lines with special characters 
@@ -6,50 +6,37 @@ references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=64 author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp) date: 2020/10/15 -modified: 2022/12/18 +modified: 2023/04/06 tags: + - attack.execution - attack.defense_evasion - attack.t1027 - - attack.execution - attack.t1059.001 logsource: category: process_creation product: windows detection: - selection_1: - Image|endswith: + selection_img: + - Image|endswith: - '\powershell.exe' - '\pwsh.exe' - CommandLine|re: '.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*' - selection_2: - Image|endswith: - - '\powershell.exe' - - '\pwsh.exe' - CommandLine|re: '.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*' - selection_3: - Image|endswith: - - '\powershell.exe' - - '\pwsh.exe' - CommandLine|re: '.*\{.*\{.*\{.*\{.*\{.*' - selection_4: - Image|endswith: - - '\powershell.exe' - - '\pwsh.exe' - CommandLine|re: '.*\^.*\^.*\^.*\^.*\^.*' - selection_5: - Image|endswith: - - '\powershell.exe' - - '\pwsh.exe' - CommandLine|re: '.*`.*`.*`.*`.*`.*' - filter_amazonSSM: + - OriginalFileName: + - 'PowerShell.EXE' + - 'pwsh.dll' + selection_re: + # TODO: Optimize for PySIGMA + - CommandLine|re: '.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*\+.*' + - CommandLine|re: '.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*\{.*' + - CommandLine|re: '.*\^.*\^.*\^.*\^.*\^.*' + - CommandLine|re: '.*`.*`.*`.*`.*`.*' + filter_optional_amazonSSM: ParentImage: C:\Program Files\Amazon\SSM\ssm-document-worker.exe - filter_windef_atp: + filter_optional_defender_atp: CommandLine|contains: - 'new EventSource("Microsoft.Windows.Sense.Client.Management"' - 'public static extern bool InstallELAMCertificateInfo(SafeFileHandle handle);' - condition: (1 of selection_*) and not filter_amazonSSM and not (selection_3 and filter_windef_atp) + condition: all of selection_* and not 1 of filter_optional_* falsepositives: - - Unlikely - - Amazon SSM Document Worker # fp example: 
powershell " [Console]::OutputEncoding = [System.Text.Encoding]::UTF8 $keyExists = Test-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents" $jsonObj = @() if ($keyExists) { $key = Get-Item "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents" $valueNames = $key.GetValueNames(); foreach ($valueName in $valueNames) { $value = $key.GetValue($valueName); if ($value -gt 0) { $installed = "True" } else { $installed = "False" } $jsonObj += @" {"Name": "$valueName", "Installed": "$installed"} "@ } } $result = $jsonObj -join "," $result = "[" + $result + "]" [Console]::WriteLine($result) + - Amazon SSM Document Worker - Windows Defender ATP level: high diff --git a/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml b/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml index bd19bc629..62a9d9264 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml 
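Review bot: The four regexes in selection_re wrap every separator in `.*`, which is redundant for an unanchored Sigma `re` match and is presumably what the `# TODO: Optimize for PySIGMA` note refers to; counted forms with the same thresholds are equivalent and cheaper, e.g. `- CommandLine|re: '(\+.*){14}'`, `- CommandLine|re: '(\{.*){10}'`, `- CommandLine|re: '(\^.*){5}'` and likewise for the backtick (14/10/5/5 is how I count the current patterns — re-verify). Removing the old five-brace tier and applying the Defender ATP filter globally changes what fires, so a short comment above selection_re recording the thresholds and why the five-brace regex was dropped would help future tuning. The falsepositives list also embeds a multi-line PowerShell transcript as a single YAML entry; it reads better as a reference link or a comment above `filter_optional_amazonSSM`.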
@@ -1,14 +1,14 @@ title: Potential Powershell ReverseShell Connection id: edc2f8ae-2412-4dfd-b9d5-0c57727e70be status: stable -description: Detects usage of the "TcpClient" class. Which can be abused to establish remote connections and reverse-shells. As seen used by the Nishang "Invoke-PowerShellTcpOneLine" reverse shell. +description: Detects usage of the "TcpClient" class. Which can be abused to establish remote connections and reverse-shells. As seen used by the Nishang "Invoke-PowerShellTcpOneLine" reverse shell and other. references: - https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/ - https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/ - https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1 -author: FPT.EagleEye, wagga +author: FPT.EagleEye, wagga, Nasreddine Bencherchali (Nextron Systems) date: 2021/03/03 -modified: 2023/01/09 +modified: 2023/04/05 tags: - attack.execution - attack.t1059.001 @@ -25,10 +25,10 @@ detection: - '\pwsh.exe' selection_cli: CommandLine|contains|all: - - ' System.Net.Sockets.TCPClient' - - '.GetBytes' - - '.Write' + - ' Net.Sockets.TCPClient' + - '.GetStream(' + - '.Write(' condition: all of selection_* falsepositives: - - Administrative might use this function to check network connectivity + - In rare administrative cases, this function might be used to check network connectivity level: high diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml b/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml index d7dbd8a98..7a86e11f4 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml 
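Review bot: As rendered, the first `contains|all` string is `' Net.Sockets.TCPClient'` with a leading space, which no longer matches the referenced Nishang one-liner `New-Object System.Net.Sockets.TCPClient(...)` because the character before `Net` there is a dot, not a space; the removed `' System.Net.Sockets.TCPClient'` did match it. If the leading space is really in the file and not a rendering artifact, change the entry to `- 'Net.Sockets.TCPClient'`, which still covers the `New-Object Net.Sockets.TCPClient` short form. The switch to `.GetStream(` and `.Write(` is a sensible tightening, but a test case built from the Nishang command line in the references would have caught this regression.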
@@ -7,8 +7,11 @@ references:
 - https://twitter.com/aceresponder/status/1636116096506818562
 - https://www.mdsec.co.uk/2023/03/exploiting-cve-2023-23397-microsoft-outlook-elevation-of-privilege-vulnerability/
 - https://www.pwndefend.com/2023/03/15/the-long-game-persistent-hash-theft/
+ - https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2023/03/Figure-7-sample-webdav-process-create-event.png
+ - https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
 author: Nasreddine Bencherchali (Nextron Systems), Florian Roth (Nextron Systems)
 date: 2023/03/16
+modified: 2023/04/05
 tags:
 - attack.exfiltration
 - attack.t1048.003
@@ -19,6 +22,7 @@ logsource:
 detection:
 selection:
 ParentImage|endswith: '\svchost.exe'
+ ParentCommandLine|contains: '-s WebClient'
 Image|endswith: '\rundll32.exe'
 CommandLine|contains: 'C:\windows\system32\davclnt.dll,DavSetCookie'
 CommandLine|re: '://\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}'
diff --git a/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml b/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml
index 0e54a93fc..b2bfb18d0 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml
@@ -6,7 +6,7 @@ references:
 - https://pentestlaboratories.com/2021/12/08/process-ghosting/
 author: Max Altgelt (Nextron Systems)
 date: 2021/12/09
-modified: 2023/01/25
+modified: 2023/04/11
 tags:
 - attack.defense_evasion
 logsource:
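Review bot: The added `ParentCommandLine|contains: '-s WebClient'` makes the whole selection depend on a field that not every process-creation source populates; Windows Security 4688 events carry a parent image but no parent command line, so on that source the rule would stop matching entirely rather than become noisier. If tying the davclnt.dll call to the WebClient service host is the intent, a one-line comment on that field naming the requirement (e.g. `# requires a source that populates ParentCommandLine, such as Sysmon EID 1`) would save the next person from chasing a silent detection, or the narrower match could live in its own selection so the existing `svchost.exe` + `davclnt.dll,DavSetCookie` logic still fires where the field is absent. The `@@ -6,7 +6,7 @@` hunk of the non-exe-image rule on the same line is only a `modified` bump and needs nothing.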
@@ -17,82 +17,87 @@ detection:
 Image|endswith:
 - '.exe'
 - '.tmp' # sadly many installers use this extension
- filter_null:
- Image: null
- filter_image: # Windows utilities without extension
+ - '.scr'
+ filter_main_image: # Windows utilities without extension
 Image:
 - 'System'
 - 'Registry'
 - 'MemCompression'
 - 'vmmem'
- filter_empty:
- Image:
- - '-'
- - ''
- filter_starts:
+ filter_main_msi_installers:
 Image|startswith: 'C:\Windows\Installer\MSI'
- filter_pstarts:
- ParentImage|startswith:
- - 'C:\ProgramData\Avira\'
- - 'C:\Windows\System32\DriverStore\FileRepository\'
- filter_screensaver:
- Image|endswith: '.scr'
- filter_nvidia:
- Image|contains: 'NVIDIA\NvBackend\'
- Image|endswith: '.dat'
- filter_com:
+ filter_main_driver_store:
+ Image|startswith: 'C:\Windows\System32\DriverStore\FileRepository\'
+ filter_main_msi_rollbackfiles:
+ Image|startswith: 'C:\Config.Msi\'
+ Image|endswith:
+ - '.rbf'
+ - '.rbs'
+ filter_main_windows_helper:
+ ParentImage|startswith: C:\Windows\Temp\
+ Image|startswith: 'C:\Windows\Temp\Helper\'
+ filter_main_com:
 Image|startswith:
 - 'C:\Windows\System32\'
 - 'C:\Windows\SysWOW64\'
 Image|endswith: '.com'
- filter_winscp:
+ filter_optional_empty:
+ Image:
+ - '-'
+ - ''
+ filter_optional_null:
+ Image: null
+ filter_optional_avira:
+ ParentImage|startswith: 'C:\ProgramData\Avira\'
+ filter_optional_nvidia:
+ Image|contains: 'NVIDIA\NvBackend\'
+ Image|endswith: '.dat'
+ filter_optional_winscp:
 Image|endswith: '\WinSCP.com'
- filter_vscode:
+ filter_optional_vscode:
 Image|contains|all:
 - 'C:\Users\'
 - '\AppData\'
 - '.tmp'
 - 'CodeSetup'
- filter_libreoffice:
+ filter_optional_libreoffice:
 Image|endswith: '\program\soffice.bin'
- filter_emc_networker:
+ filter_optional_emc_networker:
 Image:
 - 'C:\Program Files\EMC NetWorker\Management\GST\apache\cgi-bin\update_jnlp.cgi'
 - 'C:\Program Files (x86)\EMC NetWorker\Management\GST\apache\cgi-bin\update_jnlp.cgi'
- filter_winpakpro:
+ filter_optional_winpakpro:
 Image|startswith:
 - 'C:\Program 
Files (x86)\WINPAKPRO\'
 - 'C:\Program Files\WINPAKPRO\'
 Image|endswith: '.ngn'
- filter_myq_server:
+ filter_optional_myq_server:
 Image:
 - 'C:\Program Files (x86)\MyQ\Server\pcltool.dll'
 - 'C:\Program Files\MyQ\Server\pcltool.dll'
- filter_visualstudio:
+ filter_optional_visualstudio:
 Image|startswith:
 - 'C:\Program Files\Microsoft Visual Studio\'
 - 'C:\Program Files (x86)\Microsoft Visual Studio'
 Image|endswith: '.com'
- filter_msi_rollbackfiles:
- Image|startswith: 'C:\Config.Msi\'
- Image|endswith:
- - '.rbf'
- - '.rbs'
- filter_wsl:
+ filter_optional_wsl:
 Image|contains|all:
 - '\AppData\Local\Packages\'
 - '\LocalState\rootfs\'
- filter_lzma_exe:
+ filter_optional_lzma_exe:
 Image|endswith: '\LZMA_EXE'
- filter_windows_helper:
- ParentImage|startswith: C:\Windows\Temp\
- Image|startswith: 'C:\Windows\Temp\Helper\'
- filter_dell_dock:
+ filter_optional_dell_dock:
 ParentImage|startswith: 'C:\Windows\Temp\'
 ParentImage|endswith: '\TBT_Dock_Firmware\GetDockVer32W.exe'
- filter_firefox_crashreporter:
+ filter_optional_firefox_crashreporter:
 Image|startswith: 'C:\Program Files\Mozilla Firefox\tobedeleted\'
- condition: not known_image_extension and not 1 of filter*
+ filter_optional_office_c2r:
+ ParentImage: 'C:\Windows\UUS\amd64\MoUsoCoreWorker.exe'
+ Image|startswith: 'C:\$Extend\$Deleted\'
+ CommandLine|contains|all:
+ - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe'
+ - '/update UPDATEORCHESTRATOR displaylevel=False'
+ condition: not known_image_extension and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
 - Unknown
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml
index 8a277b9f2..188619e79 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml
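Review bot: `ParentImage|startswith: C:\Windows\Temp\` in the new `filter_main_windows_helper` is the only unquoted path value in the hunk; YAML accepts it as a plain scalar today, but every other path in the file is single-quoted and an unquoted value silently changes meaning the moment someone appends a ` #` or `: ` to it, so write `ParentImage|startswith: 'C:\Windows\Temp\'` for consistency. A second point worth a sentence in the commit message: the DriverStore exclusion moved from `ParentImage|startswith` (old `filter_pstarts`) to `Image|startswith` (new `filter_main_driver_store`), so processes spawned by binaries under FileRepository are no longer excluded, which is a behaviour change rather than just a rename, and the `.scr` exclusion moved from a filter into `known_image_extension`, which is equivalent. The `filter_main_*` / `filter_optional_*` split itself is a sound change because it lets operators drop vendor-specific exclusions without touching the core ones.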
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml
@@ -24,20 +24,16 @@ logsource:
 detection:
 selection:
 ParentImage|endswith: '\DllHost.exe'
+ ParentCommandLine|contains:
+ - ' /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}' # cmstplua.dll
+ - ' /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}' # CMLUAUTIL
+ - ' /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}' # EditionUpgradeManagerObj.dll
+ - ' /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}' # colorui.dll
+ - ' /Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}' # wscui.cpl
 IntegrityLevel:
 - 'High'
 - 'System'
- ParentCommandLine|contains:
- - ' /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'
- - ' /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}'
- - ' /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}'
- - ' /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}'
- - ' /Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}'
 condition: selection
-fields:
- - CommandLine
- - ParentCommandLine
- - Hashes
 falsepositives:
 - Legitimate CMSTP use (unlikely in modern enterprise environments)
 level: high
diff --git a/rules/windows/registry/registry_set/registry_set_exploit_cve_2023_23397_outlook_reminder_trigger.yml b/rules/windows/registry/registry_set/registry_set_exploit_cve_2023_23397_outlook_reminder_trigger.yml
new file mode 100644
index 000000000..3e2a1f2a0
--- /dev/null
+++ b/rules/windows/registry/registry_set/registry_set_exploit_cve_2023_23397_outlook_reminder_trigger.yml
@@ -0,0 +1,27 @@
+title: Outlook Task/Note Reminder Received
+id: fc06e655-d98c-412f-ac76-05c2698b1cb2
+status: experimental
+description: Detects changes to the registry values related to outlook that indicates that a reminder was triggered for a Note or Task item. This could be a sign of exploitation of CVE-2023-23397. Further investigation is required to determine the success of an exploitation.
+references:
+ - https://www.microsoft.com/en-us/security/blog/2023/03/24/guidance-for-investigating-attacks-using-cve-2023-23397/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/04/05
+tags:
+ - attack.persistence
+ - attack.t1137
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ selection:
+ TargetObject|contains|all:
+ - '\SOFTWARE\Microsoft\Office\'
+ - '\Outlook\'
+ TargetObject|contains:
+ - '\Tasks\'
+ - '\Notes\'
+ EventType: SetValue
+ condition: selection
+falsepositives:
+ - Legitimate reminders received for a task or a note will also trigger this rule.
+level: low
diff --git a/tests/logsource.json b/tests/logsource.json
index a3f8d50e6..970d57b6f 100644
--- a/tests/logsource.json
+++ b/tests/logsource.json
@@ -65,6 +65,7 @@ "shell-core":["Name", "AppID", "Flags"], "smbclient-security":["Reason", "Status", "ShareNameLength", "ShareName", "ObjectNameLength", "ObjectName", "UserNameLength", "UserName", "ServerNameLength", "ServerName"], + "smbclient-connectivity":[], "taskscheduler":["TaskName", "UserContext", "Path", "ProcessID", "Priority", "UserName"], "terminalservices-localsessionmanager":["User", "SessionID", "Address"], "iis":["date", "time", "c-ip", "cs-username", "s-sitename", "s-computername", "s-ip", "cs-method",
diff --git a/tests/thor.yml b/tests/thor.yml
index bdc8238a2..1c11391c9 100644
--- a/tests/thor.yml
+++ b/tests/thor.yml
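Review bot: The tags `attack.persistence` and `attack.t1137` do not fit what this new rule detects: its description ties it to CVE-2023-23397, which the referenced Microsoft guidance treats as a forced-authentication credential leak, so `attack.credential_access` with `attack.t1187` would describe it better, and if the persistence mapping is deliberate a short comment saying why would help the next reviewer. The selection also fires on any `SetValue` under `...\Office\...\Outlook\...\Tasks\` or `...\Notes\`, not only on reminder-related values, so the falsepositives entry understates the noise; if the guidance names the specific value(s) written on reminder trigger, matching on them would tighten the rule, and otherwise the description should say the match is key-level. Two wording slips in the description: `outlook that indicates` should read `Outlook that indicate`, and `the success of an exploitation` reads better as `whether exploitation succeeded`.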
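Review bot: `"smbclient-connectivity":[]` registers the new logsource with an empty field list, while every neighbouring entry enumerates the fields its rules may use; if the test harness validates rule field names against this map, an empty list presumably means the new `smbclient-connectivity` rule (not in this chunk) gets no field check at all. Worth either listing the event fields that rule uses or adding a comment in the accompanying test that explains why the list is intentionally empty.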
@@ -345,6 +345,11 @@ logsources:
 service: smbclient-security
 sources:
 - "WinEventLog:Microsoft-Windows-SmbClient/Security"
+ windows-smbclient-connectivity:
+ product: windows
+ service: smbclient-connectivity
+ sources:
+ - "WinEventLog:Microsoft-Windows-SmbClient/Connectivity"
 windows-printservice-operational:
 product: windows
 service: printservice-operational