From 6e43a294a2af95aceb61ca62a22fdf8aca1ddbd3 Mon Sep 17 00:00:00 2001 From: Pawel Mazur Date: Sun, 28 Nov 2021 16:48:37 +0100 Subject: [PATCH 01/40] Linux Auditd - Discovery of Capabilities files --- .../lnx_auditd_capabilities_discovery.yml | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 rules/linux/auditd/lnx_auditd_capabilities_discovery.yml diff --git a/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml b/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml new file mode 100644 index 000000000..9bb7e098a --- /dev/null +++ b/rules/linux/auditd/lnx_auditd_capabilities_discovery.yml @@ -0,0 +1,29 @@ +title: Linux Capabilities Discovery +id: fe10751f-1995-40a5-aaa2-c97ccb4123fe +description: Detects attempts to discover the files with setuid/setgid capabilitiy on them. That would allow adversary to escalate their privileges. +author: 'Pawel Mazur' +status: experimental +date: 2021/11/28 +references: + - https://man7.org/linux/man-pages/man8/getcap.8.html + - https://www.hackingarticles.in/linux-privilege-escalation-using-capabilities/ + - https://mn3m.info/posts/suid-vs-capabilities/ + - https://int0x33.medium.com/day-44-linux-capabilities-privilege-escalation-via-openssl-with-selinux-enabled-and-enforced-74d2bec02099 +logsource: + product: linux + service: auditd +detection: + getcap: + type: EXECVE + a0: getcap + a1: '-r' + a2: '/' + condition: getcap +tags: + - attack.collection + - attack.privilege_escalation + - attack.t1123 + - attack.t1548 +falsepositives: + - None +level: low \ No newline at end of file From 80485d94f27f81743724bcfbcae43a087bad7f5c Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 29 Nov 2021 13:07:39 +0100 Subject: [PATCH 02/40] docs: Tscon description change --- .../windows/process_creation/win_susp_tscon_localsystem.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
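Review bot: The `getcap` selection requires `a0: getcap` and `a2: '/'`, so it only fires when the binary is invoked by bare name against the root directory; `/usr/sbin/getcap -r /` or `getcap -r /usr/bin`, both common in privilege-escalation enumeration, produce no hit. Use `a0|endswith: 'getcap'` and drop `a2` (or widen it), since `-r` against any directory is the behaviour of interest. The `attack.t1123` tag is Audio Capture in ATT&CK and does not fit a file-capability enumeration; `attack.discovery` with `attack.t1083` (File and Directory Discovery) matches the title, and `attack.t1548` can stay for the escalation angle. `falsepositives: - None` is hard to defend for a `level: low` match on a plain administrative command; `Administrators auditing file capabilities` is the honest entry. Minor: `capabilitiy` in the description is misspelled, and the rule matches file capabilities rather than setuid/setgid bits as the description claims.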
diff --git a/rules/windows/process_creation/win_susp_tscon_localsystem.yml b/rules/windows/process_creation/win_susp_tscon_localsystem.yml index d04687d1e..fde70c9fc 100644 --- a/rules/windows/process_creation/win_susp_tscon_localsystem.yml +++ b/rules/windows/process_creation/win_susp_tscon_localsystem.yml @@ -1,13 +1,14 @@ -title: Suspicious TSCON Start +title: Suspicious TSCON Start as SYSTEM id: 9847f263-4a81-424f-970c-875dab15b79b status: experimental description: Detects a tscon.exe start as LOCAL SYSTEM references: - http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6 + - https://www.ired.team/offensive-security/lateral-movement/t1076-rdp-hijacking-for-lateral-movement author: Florian Roth date: 2018/03/17 -modified: 2021/08/26 +modified: 2021/11/29 tags: - attack.command_and_control - attack.t1219 From 97d2ce0297875b51174076630945de5e727bf61b Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 29 Nov 2021 16:03:03 +0100 Subject: [PATCH 03/40] NPPSpy file creation rule --- .../file_event/file_event_hktl_nppspy.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/windows/file_event/file_event_hktl_nppspy.yml diff --git a/rules/windows/file_event/file_event_hktl_nppspy.yml b/rules/windows/file_event/file_event_hktl_nppspy.yml new file mode 100644 index 000000000..ed4a60dac --- /dev/null +++ b/rules/windows/file_event/file_event_hktl_nppspy.yml 
@@ -0,0 +1,23 @@ +title: NPPSpy Hacktool Usage +id: cad1fe90-2406-44dc-bd03-59d0b58fe722 +status: experimental +description: Detects the use of NPPSpy hacktool that stores cleartext passwords of users that logged in to a local file +author: Florian Roth +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md#atomic-test-2---credential-dumping-with-nppspy + - https://twitter.com/0gtweet/status/1465282548494487554 +date: 2021/11/29 +tags: + - attack.credential_access +logsource: + product: windows + category: file_event +detection: + selection: + TargetFilename|endswith: + - '\NPPSpy.txt' + - '\NPPSpy.dll' + condition: selection +falsepositives: + - Unknown +level: high \ No newline at end of file From 09712e73885d796ec175091e4bf42f1cad679caf Mon Sep 17 00:00:00 2001 From: frack113 Date: Mon, 29 Nov 2021 16:05:53 +0100 Subject: [PATCH 04/40] add win_pc_susp_regsvr32_image --- .../win_pc_susp_regsvr32_image.yml | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 rules/windows/process_creation/win_pc_susp_regsvr32_image.yml diff --git a/rules/windows/process_creation/win_pc_susp_regsvr32_image.yml b/rules/windows/process_creation/win_pc_susp_regsvr32_image.yml new file mode 100644 index 000000000..dc43c5d12 --- /dev/null +++ b/rules/windows/process_creation/win_pc_susp_regsvr32_image.yml 
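Review bot: The `TargetFilename|endswith` selection keys entirely on the default file names `\NPPSpy.txt` and `\NPPSpy.dll`, which an operator renames before deployment, so the rule detects the published sample rather than the technique; that is acceptable for a `level: high` hacktool rule but should be stated in `description`. The referenced atomic test is T1003, yet `tags` carries only `attack.credential_access`; add `- attack.t1003` so the rule maps to the technique. If the tool installs itself as a network provider (the name suggests it; confirm against the references), a companion registry rule on the `NetworkProvider` keys would survive a rename and is worth a note in the description.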
@@ -0,0 +1,22 @@ +title: Suspicious Regsvr32 Execution With Image Extension +id: 089fc3d2-71e8-4763-a8a5-c97fbb0a403e +status: experimental +description: utilizes REGSVR32.exe to execute this DLL masquerading as a Image file +references: + - https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/ +tags: + - attack.defense_evasion + - attack.t1218.010 +author: frack113 +date: 2021/11/29 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: '\regsvr32.exe' + CommandLine|endswith: '.jpg' # can add other + condition: selection +falsepositives: + - unknown +level: high From f0c6dbdc84280af95e7b33b3a413ef4c803975ba Mon Sep 17 00:00:00 2001 From: Tim Shelton Date: Mon, 29 Nov 2021 19:20:00 +0000 Subject: [PATCH 05/40] adding amazon ec2 to list of false positives --- .../powershell_script/powershell_malicious_commandlets.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/powershell/powershell_script/powershell_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/powershell_malicious_commandlets.yml index 8b414ae90..36caa1cbb 100644 --- a/rules/windows/powershell/powershell_script/powershell_malicious_commandlets.yml +++ b/rules/windows/powershell/powershell_script/powershell_malicious_commandlets.yml @@ -10,7 +10,7 @@ tags: - attack.t1086 #an old one author: Sean Metcalf (source), Florian Roth (rule), Bartlomiej Czyz @bczyz1 (update), oscd.community (update) date: 2017/03/05 -modified: 2021/10/16 +modified: 2021/11/29 logsource: product: windows category: ps_script 
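Review bot: `CommandLine|endswith: '.jpg'` misses the quoted form (`regsvr32 /s "C:\...\x.jpg"` ends with a quote), trailing whitespace, and every other image extension, and the `# can add other` comment leaves that gap open in a `level: high` rule; a `CommandLine|contains` list such as `'.jpg'`, `'.jpeg'`, `'.png'`, `'.gif'`, `'.bmp'` (or a `|re` that tolerates a closing quote) covers what the referenced report describes. The description `utilizes REGSVR32.exe to execute this DLL masquerading as a Image file` reads as a fragment lifted from the report; something like `Detects regsvr32.exe loading a file with an image extension, a masquerading technique seen in the BazarLoader intrusion` states what the rule looks for. `attack.t1218.010` is the right sub-technique; `attack.t1036` could be added for the masquerading aspect.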
@@ -115,6 +115,7 @@ detection: - "Invoke-AllChecks" false_positives: ScriptBlockText|contains: Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1 + ScriptBlockText:contains: "C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Scripts\Set-Wallpaper.ps1" # false positive form Amazon EC2 condition: select_Malicious and not false_positives falsepositives: - Penetration testing From 48a45b06eb7f0f8d9ac8bdd09dfa3d6e4a9e3a9f Mon Sep 17 00:00:00 2001 From: Tim Shelton Date: Mon, 29 Nov 2021 19:23:31 +0000 Subject: [PATCH 06/40] fixing format --- .../powershell_script/powershell_malicious_commandlets.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/powershell/powershell_script/powershell_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/powershell_malicious_commandlets.yml index 36caa1cbb..7632b7a8c 100644 --- a/rules/windows/powershell/powershell_script/powershell_malicious_commandlets.yml +++ b/rules/windows/powershell/powershell_script/powershell_malicious_commandlets.yml @@ -115,7 +115,7 @@ detection: - "Invoke-AllChecks" false_positives: ScriptBlockText|contains: Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1 - ScriptBlockText:contains: "C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Scripts\Set-Wallpaper.ps1" # false positive form Amazon EC2 + ScriptBlockText:contains: C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Scripts\Set-Wallpaper.ps1 # false positive form Amazon EC2 condition: select_Malicious and not false_positives falsepositives: - Penetration testing From c20a6daa73f76047910d3ee36b507187acaffe13 Mon Sep 17 00:00:00 2001 
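Review bot: The added `ScriptBlockText:contains:` line uses a colon where Sigma expects the modifier pipe, so the parser sees a plain field literally named `ScriptBlockText:contains` that no event carries; worse, it sits in the same `false_positives` map as `ScriptBlockText|contains: Get-SystemDriveInfo`, and keys in one map are ANDed, so the existing `Get-SystemDriveInfo` exclusion stops working as well. The double-quoted value `"C:\ProgramData\Amazon\EC2-Windows\..."` also contains `\P`, `\A` and `\E`, which are invalid escapes in a YAML double-quoted scalar, so the file fails to load before the logic question even arises. Turn the block into an OR list with the proper modifier and single quotes: `- ScriptBlockText|contains: Get-SystemDriveInfo` followed by `- ScriptBlockText|contains: 'C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Scripts\Set-Wallpaper.ps1'`.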
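Review bot: Dropping the double quotes removes the YAML escape error, but `ScriptBlockText:contains` still carries a colon instead of `ScriptBlockText|contains`, so after this commit the EC2 path is a literal field name that never matches and the AND with `ScriptBlockText|contains: Get-SystemDriveInfo` in the same map keeps the original exclusion from matching too. Restructure `false_positives` as a list so each entry excludes on its own: `- ScriptBlockText|contains: Get-SystemDriveInfo` / `- ScriptBlockText|contains: 'C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Scripts\Set-Wallpaper.ps1'`. Because the exclusion is a substring of the script block, any script that merely mentions that path is also excluded; that is the usual trade-off for a `contains` filter but it belongs in the top-level `falsepositives` list. The inline comment `false positive form Amazon EC2` should read `from`.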
From: Tim Shelton Date: Mon, 29 Nov 2021 19:59:26 +0000 Subject: [PATCH 07/40] adding wildcard to netlogon to be a bit more inclusive. --- .../sysmon_logon_scripts_userinitmprlogonscript_proc.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml b/rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml index 5b5e197b5..b78fef5f9 100644 --- a/rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml +++ b/rules/windows/process_creation/sysmon_logon_scripts_userinitmprlogonscript_proc.yml @@ -6,7 +6,7 @@ author: Tom Ueltschi (@c_APT_ure) references: - https://attack.mitre.org/techniques/T1037/ date: 2019/01/12 -modified: 2021/11/27 +modified: 2021/11/29 logsource: category: process_creation product: windows @@ -17,7 +17,7 @@ detection: Image|endswith: '\explorer.exe' exec_exclusion2: CommandLine|contains: - - 'netlogon.bat' + - 'netlogon*.bat' - 'UsrLogon.cmd' create_keywords_cli: CommandLine|contains: 'UserInitMprLogonScript' From 0c283ab7678299ee00672012e1e4399b555262dc Mon Sep 17 00:00:00 2001 From: Tim Shelton Date: Mon, 29 Nov 2021 21:51:19 +0000 Subject: [PATCH 08/40] adding false positive filter for amazon ssm-document-worker --- .../process_creation/win_powershell_xor_commandline.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_powershell_xor_commandline.yml b/rules/windows/process_creation/win_powershell_xor_commandline.yml index a218ecf5e..8e6063397 100644 --- a/rules/windows/process_creation/win_powershell_xor_commandline.yml +++ b/rules/windows/process_creation/win_powershell_xor_commandline.yml 
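Review bot: Widening `exec_exclusion2` from `netlogon.bat` to `netlogon*.bat` turns a fixed-name exclusion into one the attacker controls: the key is `CommandLine|contains`, so a persistence payload named `netlogon_update.bat`, stored anywhere, is now silently dropped from a `UserInitMprLogonScript` rule whose purpose is catching exactly such scripts. If the intent is to allow-list logon scripts served from the domain share, anchor on the path rather than the file name, e.g. `CommandLine|contains: '\netlogon\'`, or keep exact names and add the specific variants observed in the environment. The `condition` that applies these exclusions is outside the hunk; I am assuming it subtracts `exec_exclusion2` from the detection as the name implies.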
@@ -17,7 +17,10 @@ detection: - "bxor" - "join" - "char" - condition: selection and filter + false_positives: + ParentImage: + - C:\Program Files\Amazon\SSM\ssm-document-worker.exe + condition: selection and filter and not false_positives falsepositives: - unknown level: medium From 44f791680f6c7932b831573e0cde0c27f2ae30cb Mon Sep 17 00:00:00 2001 From: Tim Shelton Date: Mon, 29 Nov 2021 22:57:26 +0000 Subject: [PATCH 09/40] adding filter for FP /Format:List which is a specific format --- rules/windows/process_creation/win_xsl_script_processing.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_xsl_script_processing.yml b/rules/windows/process_creation/win_xsl_script_processing.yml index be4bb30d0..90b71db41 100644 --- a/rules/windows/process_creation/win_xsl_script_processing.yml +++ b/rules/windows/process_creation/win_xsl_script_processing.yml @@ -15,7 +15,9 @@ detection: - Image|endswith: '\wmic.exe' CommandLine|contains: '/format' # wmic process list /FORMAT /? - Image|endswith: '\msxsl.exe' - condition: selection + false_positives: + - CommandLine|contains: '/Format:List' + condition: selection and not false_positives falsepositives: - WMIC.exe FP depend on scripts and administrative methods used in the monitored environment. - msxsl.exe is not installed by default, so unlikely. From 14f11c905d3e38634784aa2c53c8cbff05c85a4d Mon Sep 17 00:00:00 2001 From: Tim Shelton Date: Mon, 29 Nov 2021 23:02:48 +0000 Subject: [PATCH 10/40] adding additional entries that are static --- .../process_creation/win_xsl_script_processing.yml | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_xsl_script_processing.yml b/rules/windows/process_creation/win_xsl_script_processing.yml index 90b71db41..bd2102923 100644 --- a/rules/windows/process_creation/win_xsl_script_processing.yml +++ b/rules/windows/process_creation/win_xsl_script_processing.yml 
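Review bot: The new `false_positives` block excludes on an exact `ParentImage` of `C:\Program Files\Amazon\SSM\ssm-document-worker.exe`, and a parent path is an attacker-influenceable field (parent PID spoofing), so on an XOR-obfuscation rule the exclusion should stay as narrow as it is; the practical problem is that a non-default install drive yields no match, so `ParentImage|endswith: '\Amazon\SSM\ssm-document-worker.exe'` is the usual compromise, at the cost of matching that suffix on any drive. The top-level `falsepositives: - unknown` was not updated; `Amazon SSM document worker` belongs there now that the rule encodes it. The unquoted plain scalar parses fine, but the quoted style used elsewhere in this rule set (`"bxor"`, `"join"`) is worth matching.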
@@ -6,7 +6,7 @@ author: Timur Zinniatullin, oscd.community references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md date: 2019/10/21 -modified: 2021/11/27 +modified: 2021/11/29 logsource: category: process_creation product: windows @@ -17,10 +17,19 @@ detection: - Image|endswith: '\msxsl.exe' false_positives: - CommandLine|contains: '/Format:List' + - CommandLine|contains: '/Format:htable' + - CommandLine|contains: '/Format:hform' + - CommandLine|contains: '/Format:table' + - CommandLine|contains: '/Format:mof' + - CommandLine|contains: '/Format:value' + - CommandLine|contains: '/Format:rawxml' + - CommandLine|contains: '/Format:xml' + - CommandLine|contains: '/Format:csv' condition: selection and not false_positives falsepositives: - WMIC.exe FP depend on scripts and administrative methods used in the monitored environment. - msxsl.exe is not installed by default, so unlikely. + - Static format arguments - https://petri.com/command-line-wmi-part-3 level: medium tags: - attack.defense_evasion From e54bd6b03c344563b0c95afd84a5db8fc7567911 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 30 Nov 2021 10:16:35 +0100 Subject: [PATCH 11/40] Fix TrendMicro OSCE FP --- .../sysmon_registry_persistence_search_order.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml index ae9db5aef..f13401381 100755 --- a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml +++ b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml @@ -7,7 +7,7 @@ references: - https://attack.mitre.org/techniques/T1546/015/ author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien date: 2020/04/14 -modified: 2021/09/16 +modified: 2021/11/30 tags: - attack.persistence - attack.t1546.015 
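Review bot: Every added exclusion is an unanchored `CommandLine|contains` such as `'/Format:xml'` or `'/Format:table'`, so `wmic os get /format:xml_payload.xsl` or `/format:tablelist.xsl`, a custom stylesheet whose name starts with a built-in format keyword, contains the excluded substring and is dropped from this `level: medium` XSL-script rule; if wmic tolerates repeated switches (unverified), appending ` /format:list` after a malicious `/format:` argument would do the same. A single anchored regex keeps the intent without the prefix hole: `- CommandLine|re: '(?i)/format:(list|htable|hform|table|mof|value|rawxml|xml|csv)(\s|$)'`. The new `falsepositives` entry `Static format arguments - https://petri.com/command-line-wmi-part-3` documents the reasoning well; consider adding that `/format:<custom>.xsl` remains in scope.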
@@ -39,7 +39,9 @@ detection: Details|contains|all: - '\AppData\Roaming\Dropbox\' - '\DropboxExt64.*.dll' - condition: selection and not ( filter1 or ( filterOneDrive and filterOneDrive2 ) or filter2 or filter3 ) + filter4: + Details|endswith: TmopIEPlg.dll #TrendMicro osce + condition: selection and not ( filter1 or ( filterOneDrive and filterOneDrive2 ) or filter2 or filter3 or filter4 ) falsepositives: - Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level level: medium From 03e549e33520341db49115ec68b8a0910b846660 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 30 Nov 2021 10:36:12 +0100 Subject: [PATCH 12/40] Fix FP Kaspersky Security Center Web Console --- rules/windows/process_creation/win_service_stop.yml | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_service_stop.yml b/rules/windows/process_creation/win_service_stop.yml index 6cc71eb1b..55d9ca5fa 100644 --- a/rules/windows/process_creation/win_service_stop.yml +++ b/rules/windows/process_creation/win_service_stop.yml @@ -4,7 +4,7 @@ description: Detects a windows service to be stopped status: experimental author: Jakob Weinzettl, oscd.community date: 2019/10/23 -modified: 2021/08/14 +modified: 2021/11/30 tags: - attack.impact - attack.t1489 @@ -18,7 +18,12 @@ detection: - '\net.exe' - '\net1.exe' CommandLine|contains: 'stop' - condition: selection + filter: + CommandLine: 'sc stop KSCWebConsoleMessageQueue' # kaspersky Security Center Web Console double space between sc and stop + User|startswith: + - 'NT AUTHORITY\SYSTEM' + - 'AUTORITE NT\Sys' # French language settings + condition: selection and not filter fields: - ComputerName - User From 5c1b3f8362c4388db3a3e97e82f39aefd40d4ad3 Mon Sep 17 00:00:00 2001 
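Review bot: `filter4` excludes any registry value whose `Details` ends with `TmopIEPlg.dll`, with no directory constraint; on a COM search-order-hijacking rule that is exactly the gap a hijacker needs, since the technique is registering a same-named DLL from a user-writable path, and an adversary who names the payload `TmopIEPlg.dll` is now filtered out. The neighbouring filter pins the vendor directory (`'\AppData\Roaming\Dropbox\'` together with `'\DropboxExt64.*.dll'` under `Details|contains|all`); do the same here, e.g. `Details|contains|all: ['\Trend Micro\', '\TmopIEPlg.dll']` with the real OfficeScan install folder confirmed from a live event, and at minimum `Details|endswith: '\TmopIEPlg.dll'` so a `FooTmopIEPlg.dll` does not slip through. The inline comment should be `# Trend Micro OfficeScan` with a space after `#`, and the top-level `falsepositives` line still only names OneDrive.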
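Review bot: The `filter` keys on an exact `CommandLine: 'sc  stop KSCWebConsoleMessageQueue'` whose only distinguishing feature is a hard-coded double space, which is brittle (argument spacing is not stable across invocations or across log pipelines that normalise whitespace) and does not match a fully qualified `C:\Windows\System32\sc.exe  stop ...`; `CommandLine|endswith: 'stop KSCWebConsoleMessageQueue'` together with `Image|endswith: '\sc.exe'` expresses the same intent with less surprise. The `User|startswith` list is sensible, but `'NT AUTHORITY\SYSTEM'` is effectively an exact match while `'AUTORITE NT\Sys'` is a prefix; pick one style so the next localisation follows an obvious pattern. The top-level `falsepositives` entry for Kaspersky Security Center Web Console is missing and should be added now that the filter encodes that product.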
From: frack113 Date: Tue, 30 Nov 2021 15:03:53 +0100 Subject: [PATCH 13/40] Add Provider_Name --- .../windows/builtin/win_apt_carbonpaper_turla.yml | 3 ++- .../builtin/win_apt_chafer_mar18_system.yml | 3 ++- rules/windows/builtin/win_apt_stonedrill.yml | 3 ++- .../windows/builtin/win_apt_turla_service_png.yml | 3 ++- .../builtin/win_cobaltstrike_service_installs.yml | 3 ++- rules/windows/builtin/win_hack_smbexec.yml | 3 ++- .../win_invoke_obfuscation_clip_services.yml | 8 ++++---- ...n_invoke_obfuscation_clip_services_security.yml | 8 ++++---- .../win_invoke_obfuscation_stdin_services.yml | 8 ++++---- .../win_invoke_obfuscation_var_services.yml | 8 ++++---- ...in_invoke_obfuscation_via_compress_services.yml | 8 ++++---- .../win_invoke_obfuscation_via_rundll_services.yml | 8 ++++---- .../win_invoke_obfuscation_via_stdin_services.yml | 8 ++++---- ...in_invoke_obfuscation_via_use_clip_services.yml | 8 ++++---- ...n_invoke_obfuscation_via_use_mshta_services.yml | 8 ++++---- ...nvoke_obfuscation_via_use_rundll32_services.yml | 8 ++++---- .../win_invoke_obfuscation_via_var_services.yml | 8 ++++---- rules/windows/builtin/win_mal_creddumper.yml | 3 ++- ...cobaltstrike_getsystem_service_installation.yml | 3 ++- rules/windows/builtin/win_moriya_rootkit.yml | 3 ++- .../win_powershell_script_installed_as_service.yml | 6 +++--- .../windows/builtin/win_rare_service_installs.yml | 5 +++-- rules/windows/builtin/win_susp_proceshacker.yml | 2 ++ .../builtin/win_tap_driver_installation.yml | 3 ++- ...les_with_credential_data_via_network_shares.yml | 3 ++- rules/windows/builtin/win_usb_device_plugged.yml | 3 ++- .../win_user_added_to_local_administrators.yml | 3 ++- ..._privileged_service_lsaregisterlogonprocess.yml | 3 ++- rules/windows/builtin/win_user_creation.yml | 3 ++- rules/windows/builtin/win_user_driver_loaded.yml | 3 ++- .../win_vssaudit_secevent_source_registration.yml | 14 +++++++------- rules/windows/builtin/win_vul_cve_2020_1472.yml | 3 ++- 
.../builtin/win_wmiprvse_wbemcomn_dll_hijack.yml | 3 ++- 33 files changed, 95 insertions(+), 74 deletions(-) diff --git a/rules/windows/builtin/win_apt_carbonpaper_turla.yml b/rules/windows/builtin/win_apt_carbonpaper_turla.yml index d7122e028..189973a8a 100755 --- a/rules/windows/builtin/win_apt_carbonpaper_turla.yml +++ b/rules/windows/builtin/win_apt_carbonpaper_turla.yml @@ -6,12 +6,13 @@ author: Florian Roth references: - https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/ date: 2017/03/31 -modified: 2021/11/27 +modified: 2021/11/30 logsource: product: windows service: system detection: selection: + Provider_Name: 'Service Control Manager' EventID: 7045 ServiceName: - 'srservice' diff --git a/rules/windows/builtin/win_apt_chafer_mar18_system.yml b/rules/windows/builtin/win_apt_chafer_mar18_system.yml index 8eb58c4b5..47cf659f1 100644 --- a/rules/windows/builtin/win_apt_chafer_mar18_system.yml +++ b/rules/windows/builtin/win_apt_chafer_mar18_system.yml @@ -18,13 +18,14 @@ tags: - attack.t1071 # an old one - attack.t1071.004 date: 2018/03/23 -modified: 2021/09/19 +modified: 2021/11/30 author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community logsource: product: windows service: system detection: selection_service: + Provider_Name: 'Service Control Manager' EventID: 7045 ServiceName: - 'SC Scheduled Scan' diff --git a/rules/windows/builtin/win_apt_stonedrill.yml b/rules/windows/builtin/win_apt_stonedrill.yml index 3950f8d5c..d85d40dc3 100755 --- a/rules/windows/builtin/win_apt_stonedrill.yml +++ b/rules/windows/builtin/win_apt_stonedrill.yml 
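Review bot: Adding `Provider_Name: 'Service Control Manager'` to `selection` makes each of these 7045 rules depend on the backend exposing a provider-name field; on a pipeline that does not carry `Provider_Name` (or carries it under another name) the rule goes from matching to never matching with no error, a silent loss of coverage across roughly thirty detections in one commit. If the goal is to disambiguate EventID 7045 from other System-log sources, say so in the commit body and confirm the field mapping for `service: system` before relying on it, or leave the provider constraint to the logsource/taxonomy layer. The `win_apt_chafer_mar18_system.yml` hunk on this line has the same consideration and no separate issue.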
@@ -6,12 +6,13 @@ author: Florian Roth references: - https://securelist.com/blog/research/77725/from-shamoon-to-stonedrill/ date: 2017/03/07 -modified: 2021/11/27 +modified: 2021/11/30 logsource: product: windows service: system detection: selection: + Provider_Name: 'Service Control Manager' EventID: 7045 ServiceName: NtsSrv ServiceFileName|endswith: ' LocalService' diff --git a/rules/windows/builtin/win_apt_turla_service_png.yml b/rules/windows/builtin/win_apt_turla_service_png.yml index 69a8e3872..9c9a8a47c 100644 --- a/rules/windows/builtin/win_apt_turla_service_png.yml +++ b/rules/windows/builtin/win_apt_turla_service_png.yml @@ -6,12 +6,13 @@ author: Florian Roth references: - https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/ date: 2018/11/23 -modified: 2021/11/27 +modified: 2021/11/30 logsource: product: windows service: system detection: selection: + Provider_Name: 'Service Control Manager' EventID: 7045 ServiceName: 'WerFaultSvc' condition: selection diff --git a/rules/windows/builtin/win_cobaltstrike_service_installs.yml b/rules/windows/builtin/win_cobaltstrike_service_installs.yml index 3e43af17a..7e7a6f2a7 100644 --- a/rules/windows/builtin/win_cobaltstrike_service_installs.yml +++ b/rules/windows/builtin/win_cobaltstrike_service_installs.yml @@ -8,7 +8,7 @@ references: - https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/ - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/ date: 2021/05/26 -modified: 2021/09/21 +modified: 2021/09/30 tags: - attack.execution - attack.privilege_escalation @@ -21,6 +21,7 @@ logsource: service: system detection: selection_id: + Provider_Name: 'Service Control Manager' EventID: 7045 selection1: ImagePath|contains|all: diff --git a/rules/windows/builtin/win_hack_smbexec.yml b/rules/windows/builtin/win_hack_smbexec.yml index 9d401a6de..c733d9db6 100644 --- a/rules/windows/builtin/win_hack_smbexec.yml 
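Review bot: The `modified` bump in `win_cobaltstrike_service_installs.yml` goes from `2021/09/21` to `2021/09/30`, which is earlier than the commit date and inconsistent with the `2021/11/30` used in every other file of this patch; it should read `modified: 2021/11/30`. The `selection_id` change itself (`Provider_Name` plus `EventID: 7045`) matches the rest of the series. The stonedrill and Turla PNG hunks sharing this line carry no separate issue.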
+++ b/rules/windows/builtin/win_hack_smbexec.yml @@ -6,12 +6,13 @@ author: Omer Faruk Celik references: - https://blog.ropnop.com/using-credentials-to-own-windows-boxes-part-2-psexec-and-services/ date: 2018/03/20 -modified: 2021/11/27 +modified: 2021/11/30 logsource: product: windows service: system detection: service_installation: + Provider_Name: 'Service Control Manager' EventID: 7045 ServiceName: 'BTOBTO' ServiceFileName|endswith: '\execute.bat' diff --git a/rules/windows/builtin/win_invoke_obfuscation_clip_services.yml b/rules/windows/builtin/win_invoke_obfuscation_clip_services.yml index c71bb902e..eb4a21217 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_clip_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_clip_services.yml @@ -4,7 +4,7 @@ description: Detects Obfuscated use of Clip.exe to execute PowerShell status: experimental author: Jonathan Cheong, oscd.community date: 2020/10/13 -modified: 2021/09/16 +modified: 2021/11/30 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26) tags: @@ -16,11 +16,11 @@ logsource: product: windows service: system detection: - selection_eventid: - EventID: 7045 selection: + Provider_Name: 'Service Control Manager' + EventID: 7045 ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"' - condition: selection and selection_eventid + condition: selection falsepositives: - Unknown level: high \ No newline at end of file diff --git a/rules/windows/builtin/win_invoke_obfuscation_clip_services_security.yml b/rules/windows/builtin/win_invoke_obfuscation_clip_services_security.yml index 78e39d465..b0c93b1f6 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_clip_services_security.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_clip_services_security.yml 
@@ -7,7 +7,7 @@ description: Detects Obfuscated use of Clip.exe to execute PowerShell status: experimental author: Jonathan Cheong, oscd.community date: 2020/10/13 -modified: 2021/09/16 +modified: 2021/11/30 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 26) tags: @@ -20,11 +20,11 @@ logsource: product: windows service: security detection: - selection_eventid: - EventID: 4697 selection: + Provider_Name: 'Service Control Manager' + EventID: 4697 ServiceFileName|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"' - condition: selection and selection_eventid + condition: selection falsepositives: - Unknown level: high \ No newline at end of file diff --git a/rules/windows/builtin/win_invoke_obfuscation_stdin_services.yml b/rules/windows/builtin/win_invoke_obfuscation_stdin_services.yml index 1df942347..2d94cee7b 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_stdin_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_stdin_services.yml @@ -4,7 +4,7 @@ description: Detects Obfuscated use of stdin to execute PowerShell status: experimental author: Jonathan Cheong, oscd.community date: 2020/10/15 -modified: 2021/09/17 +modified: 2021/11/30 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 25) tags: @@ -16,11 +16,11 @@ logsource: product: windows service: system detection: - selection_eventid: - EventID: 7045 selection: + Provider_Name: 'Service Control Manager' + EventID: 7045 ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"' - condition: selection and selection_eventid + condition: selection falsepositives: - Unknown level: high \ No newline at end of file diff --git a/rules/windows/builtin/win_invoke_obfuscation_var_services.yml b/rules/windows/builtin/win_invoke_obfuscation_var_services.yml index c94706f07..b1a682084 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_var_services.yml 
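Review bot: In `win_invoke_obfuscation_clip_services_security.yml` the logsource is `service: security` and the event is `EventID: 4697`, which is written by the Security auditing provider (`Microsoft-Windows-Security-Auditing`), not by `Service Control Manager`; with `Provider_Name: 'Service Control Manager'` ANDed into the same `selection`, this rule can no longer match anything and is silently disabled. Either drop the line for the Security-log variant or use the correct provider, `Provider_Name: 'Microsoft-Windows-Security-Auditing'`, verified against a live 4697 event since the value must match the XML `Provider Name` attribute exactly. The `win_invoke_obfuscation_stdin_services.yml` hunk on this line is a System-log 7045 rule and is fine in that respect.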
+++ b/rules/windows/builtin/win_invoke_obfuscation_var_services.yml @@ -4,7 +4,7 @@ description: Detects Obfuscated use of Environment Variables to execute PowerShe status: experimental author: Jonathan Cheong, oscd.community date: 2020/10/15 -modified: 2021/09/17 +modified: 2021/11/30 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 24) tags: @@ -16,11 +16,11 @@ logsource: product: windows service: system detection: - selection_eventid: - EventID: 7045 selection: + Provider_Name: 'Service Control Manager' + EventID: 7045 ImagePath|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' - condition: all of them + condition: selection falsepositives: - Unknown level: high \ No newline at end of file diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml index 04f8fbb61..7b8e90921 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_compress_services.yml @@ -4,7 +4,7 @@ description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION status: experimental author: Timur Zinniatullin, oscd.community date: 2020/10/18 -modified: 2021/08/09 +modified: 2021/11/30 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19) tags: @@ -19,8 +19,8 @@ logsource: product: windows service: system detection: - selection_eventid: - EventID: 7045 selection: + Provider_Name: 'Service Control Manager' + EventID: 7045 ImagePath|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend' - condition: selection and selection_eventid \ No newline at end of file + condition: selection \ No newline at end of file 
diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml index 2855fa003..ac4a5241d 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_rundll_services.yml @@ -4,7 +4,7 @@ description: Detects Obfuscated Powershell via RUNDLL LAUNCHER status: experimental author: Timur Zinniatullin, oscd.community date: 2020/10/18 -modified: 2021/09/18 +modified: 2021/11/30 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 23) tags: @@ -16,11 +16,11 @@ logsource: product: windows service: system detection: - selection_eventid: - EventID: 7045 selection: + Provider_Name: 'Service Control Manager' + EventID: 7045 ImagePath|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"' - condition: selection and selection_eventid + condition: selection falsepositives: - Unknown level: medium \ No newline at end of file diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml index f6a21dffb..483e6e36b 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_stdin_services.yml @@ -4,7 +4,7 @@ description: Detects Obfuscated Powershell via Stdin in Scripts status: experimental author: Nikita Nazarov, oscd.community date: 2020/10/12 -modified: 2021/09/18 +modified: 2021/11/30 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task28) tags: 
@@ -16,11 +16,11 @@ logsource: product: windows service: system detection: - selection_eventid: - EventID: 7045 selection: + Provider_Name: 'Service Control Manager' + EventID: 7045 ImagePath|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"' - condition: selection and selection_eventid + condition: selection falsepositives: - Unknown level: high \ No newline at end of file diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml index a569fc7ae..30e6cf454 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_use_clip_services.yml @@ -4,7 +4,7 @@ description: Detects Obfuscated Powershell via use Clip.exe in Scripts status: experimental author: Nikita Nazarov, oscd.community date: 2020/10/09 -modified: 2021/09/18 +modified: 2021/11/30 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task29) tags: @@ -16,11 +16,11 @@ logsource: product: windows service: system detection: - selection_eventid: - EventID: 7045 selection: + Provider_Name: 'Service Control Manager' + EventID: 7045 ImagePath|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*' - condition: selection and selection_eventid + condition: selection falsepositives: - Unknown level: high \ No newline at end of file diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services.yml index 71b54142a..03356573d 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_use_mshta_services.yml 
@@ -4,7 +4,7 @@ description: Detects Obfuscated Powershell via use MSHTA in Scripts status: experimental author: Nikita Nazarov, oscd.community date: 2020/10/09 -modified: 2021/09/18 +modified: 2021/11/30 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task31) tags: @@ -16,11 +16,11 @@ logsource: product: windows service: system detection: - selection_eventid: - EventID: 7045 selection: + Provider_Name: 'Service Control Manager' + EventID: 7045 ImagePath|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"' - condition: selection and selection_eventid + condition: selection falsepositives: - Unknown level: high \ No newline at end of file diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml index 75b42d484..6dd90eb21 100644 --- a/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_use_rundll32_services.yml @@ -4,7 +4,7 @@ description: Detects Obfuscated Powershell via use Rundll32 in Scripts status: experimental author: Nikita Nazarov, oscd.community date: 2020/10/09 -modified: 2021/09/18 +modified: 2021/11/30 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task30) tags: @@ -16,11 +16,11 @@ logsource: product: windows service: system detection: - selection_eventid: - EventID: 7045 selection: + Provider_Name: 'Service Control Manager' + EventID: 7045 ImagePath|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"' - condition: selection and selection_eventid + condition: selection falsepositives: - Unknown level: high \ No newline at end of file diff --git a/rules/windows/builtin/win_invoke_obfuscation_via_var_services.yml b/rules/windows/builtin/win_invoke_obfuscation_via_var_services.yml index 7d8bc8d12..63960a89c 100644 
--- a/rules/windows/builtin/win_invoke_obfuscation_via_var_services.yml +++ b/rules/windows/builtin/win_invoke_obfuscation_via_var_services.yml @@ -4,7 +4,7 @@ description: Detects Obfuscated Powershell via VAR++ LAUNCHER status: experimental author: Timur Zinniatullin, oscd.community date: 2020/10/13 -modified: 2021/09/18 +modified: 2021/11/30 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task27) tags: @@ -16,11 +16,11 @@ logsource: product: windows service: system detection: - selection_eventid: - EventID: 7045 selection: + Provider_Name: 'Service Control Manager' + EventID: 7045 ImagePath|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c' # FPs with |\/r - condition: selection and selection_eventid + condition: selection falsepositives: - Unknown level: high \ No newline at end of file diff --git a/rules/windows/builtin/win_mal_creddumper.yml b/rules/windows/builtin/win_mal_creddumper.yml index b2a16a3af..93f1da11a 100644 --- a/rules/windows/builtin/win_mal_creddumper.yml +++ b/rules/windows/builtin/win_mal_creddumper.yml @@ -4,7 +4,7 @@ description: Detects well-known credential dumping tools execution via service e status: experimental author: Florian Roth, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community date: 2017/03/05 -modified: 2021/09/21 +modified: 2021/11/30 references: - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment tags: @@ -24,6 +24,7 @@ logsource: service: system detection: selection: + Provider_Name: 'Service Control Manager' EventID: 7045 ImagePath|contains: - 'fgexec' diff --git a/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml b/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml index cc967c73c..e37714662 100644 --- a/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml 
+++ b/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml @@ -4,7 +4,7 @@ description: Detects the use of getsystem Meterpreter/Cobalt Strike command by d status: experimental author: Teymur Kheirkhabarov, Ecco, Florian Roth date: 2019/10/26 -modified: 2021/09/21 +modified: 2021/11/30 references: - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/ @@ -18,6 +18,7 @@ logsource: service: system detection: selection_id: + Provider_Name: 'Service Control Manager' EventID: 7045 selection: # meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a diff --git a/rules/windows/builtin/win_moriya_rootkit.yml b/rules/windows/builtin/win_moriya_rootkit.yml index 7f6387601..f92fe4eeb 100644 --- a/rules/windows/builtin/win_moriya_rootkit.yml +++ b/rules/windows/builtin/win_moriya_rootkit.yml @@ -4,7 +4,7 @@ description: Detects the use of Moriya rootkit as described in the securelist's status: experimental author: Bhabesh Raj date: 2021/05/06 -modified: 2021/09/21 +modified: 2021/11/30 references: - https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831 tags: @@ -16,6 +16,7 @@ logsource: service: system detection: selection: + Provider_Name: 'Service Control Manager' EventID: 7045 ServiceName: ZzNetSvc condition: selection diff --git a/rules/windows/builtin/win_powershell_script_installed_as_service.yml b/rules/windows/builtin/win_powershell_script_installed_as_service.yml index 30fa2700a..70d19e55b 100644 --- a/rules/windows/builtin/win_powershell_script_installed_as_service.yml +++ b/rules/windows/builtin/win_powershell_script_installed_as_service.yml 
@@ -4,7 +4,7 @@ description: Detects powershell script installed as a Service status: experimental author: oscd.community, Natalia Shornikova date: 2020/10/06 -modified: 2021/09/21 +modified: 2021/11/30 references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse tags: @@ -15,12 +15,12 @@ logsource: service: system detection: service_creation: + Provider_Name: 'Service Control Manager' EventID: 7045 - powershell_as_service: ImagePath|contains: - 'powershell' - 'pwsh' - condition: service_creation and powershell_as_service + condition: service_creation falsepositives: - Unknown level: high diff --git a/rules/windows/builtin/win_rare_service_installs.yml b/rules/windows/builtin/win_rare_service_installs.yml index 6684e2fda..5d8565399 100644 --- a/rules/windows/builtin/win_rare_service_installs.yml +++ b/rules/windows/builtin/win_rare_service_installs.yml @@ -4,15 +4,16 @@ status: test description: Detects rare service installs that only appear a few times per time frame and could reveal password dumpers, backdoor installs or other types of malicious services author: Florian Roth date: 2017/03/08 -modified: 2021/11/27 +modified: 2021/11/30 logsource: product: windows service: system detection: selection: + Provider_Name: 'Service Control Manager' EventID: 7045 timeframe: 7d - condition: selection | count() by ServiceFileName < 5 + condition: selection | count() by ServiceName < 5 falsepositives: - Software installation - Software updates diff --git a/rules/windows/builtin/win_susp_proceshacker.yml b/rules/windows/builtin/win_susp_proceshacker.yml index aa59623eb..120b477da 100644 --- a/rules/windows/builtin/win_susp_proceshacker.yml +++ b/rules/windows/builtin/win_susp_proceshacker.yml @@ -6,6 +6,7 @@ references: - https://twitter.com/1kwpeter/status/1397816101455765504 author: Florian Roth date: 2021/05/27 +modified: 2021/11/30 tags: - attack.execution - attack.privilege_escalation 
@@ -16,6 +17,7 @@ logsource: service: system detection: selection: + Provider_Name: 'Service Control Manager' EventID: 7045 ServiceName|startswith: 'ProcessHacker' AccountName: 'LocalSystem' diff --git a/rules/windows/builtin/win_tap_driver_installation.yml b/rules/windows/builtin/win_tap_driver_installation.yml index a7e1f470a..5dafe8ebd 100644 --- a/rules/windows/builtin/win_tap_driver_installation.yml +++ b/rules/windows/builtin/win_tap_driver_installation.yml @@ -4,7 +4,7 @@ description: Well-known TAP software installation. Possible preparation for data status: experimental author: Daniil Yugoslavskiy, Ian Davis, oscd.community date: 2019/10/24 -modified: 2021/09/21 +modified: 2021/11/30 tags: - attack.exfiltration - attack.t1048 @@ -13,6 +13,7 @@ logsource: service: system detection: selection: + Provider_Name: 'Service Control Manager' EventID: 7045 ImagePath|contains: 'tap0901' condition: selection diff --git a/rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml b/rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml index 2bed3b359..f8b084ce8 100644 --- a/rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml +++ b/rules/windows/builtin/win_transferring_files_with_credential_data_via_network_shares.yml @@ -6,12 +6,13 @@ author: Teymur Kheirkhabarov, oscd.community references: - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment date: 2019/10/22 -modified: 2021/11/27 +modified: 2021/11/30 logsource: product: windows service: security detection: selection: + Provider_Name: Microsoft-Windows-Security-Auditing EventID: 5145 RelativeTargetName|contains: - '\mimidrv' diff --git a/rules/windows/builtin/win_usb_device_plugged.yml b/rules/windows/builtin/win_usb_device_plugged.yml index 954cecd06..95ef20e3d 100644 --- a/rules/windows/builtin/win_usb_device_plugged.yml 
+++ b/rules/windows/builtin/win_usb_device_plugged.yml @@ -7,10 +7,11 @@ references: - https://df-stream.com/2014/01/the-windows-7-event-log-and-usb-device/ - https://www.techrepublic.com/article/how-to-track-down-usb-flash-drive-usage-in-windows-10s-event-viewer/ date: 2017/11/09 -modified: 2021/11/27 +modified: 2021/11/30 logsource: product: windows service: driver-framework + definition: mapping Provider_Name: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' detection: selection: EventID: diff --git a/rules/windows/builtin/win_user_added_to_local_administrators.yml b/rules/windows/builtin/win_user_added_to_local_administrators.yml index 99bb4e2da..56f6374f0 100644 --- a/rules/windows/builtin/win_user_added_to_local_administrators.yml +++ b/rules/windows/builtin/win_user_added_to_local_administrators.yml @@ -5,7 +5,7 @@ description: This rule triggers on user accounts that are added to the local Adm status: stable author: Florian Roth date: 2017/03/14 -modified: 2021/07/07 +modified: 2021/11/30 tags: - attack.privilege_escalation - attack.t1078 @@ -16,6 +16,7 @@ logsource: service: security detection: selection: + provider_Name: Microsoft-Windows-Security-Auditing EventID: 4732 selection_group1: TargetUserName|startswith: 'Administr' diff --git a/rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml b/rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml index 51ad7f78d..f243911f0 100644 --- a/rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml +++ b/rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml 
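Review bot: The new `definition:` line maps `Provider_Name` to `'Microsoft-Windows-DriverFrameworks-UserMode/Operational'`, but a name with a `/Operational` suffix is an event log channel, not an ETW provider name; the provider on those events is, as far as I know, the part before the slash. Documenting the wrong field in the definition means anyone writing a backend config from it will produce a condition that never matches. Suggest `definition: 'Requires the Microsoft-Windows-DriverFrameworks-UserMode/Operational channel (map on Channel, not Provider_Name)'` — which also avoids the bare `: ` inside the plain scalar that makes this line invalid YAML as written.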
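Review bot: The key added to win_user_added_to_local_administrators.yml is `provider_Name` (lowercase p), whereas every other rule in this commit spells it `Provider_Name`. Sigma field names are matched verbatim by backend field mappings, so this spelling is not translated by a config that maps `Provider_Name` and reaches the query as a literal `provider_Name` field, which on case-sensitive backends never matches and silently disables a `status: stable` rule. Change the line to `Provider_Name: Microsoft-Windows-Security-Auditing`.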
@@ -11,12 +11,13 @@ tags:
- attack.t1558.003
author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
date: 2019/10/24
-modified: 2021/08/14
+modified: 2021/11/30
logsource:
product: windows
service: security
detection:
selection:
+ Provider_Name: Microsoft-Windows-Security-Auditing
EventID: 4673
Service: 'LsaRegisterLogonProcess()'
Keywords: '0x8010000000000000' #failure
diff --git a/rules/windows/builtin/win_user_creation.yml b/rules/windows/builtin/win_user_creation.yml
index 1750bbb7b..9a6bfb0c4 100644
--- a/rules/windows/builtin/win_user_creation.yml
+++ b/rules/windows/builtin/win_user_creation.yml
@@ -6,12 +6,13 @@ author: Patrick Bareiss
references:
- https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/
date: 2019/04/18
-modified: 2021/11/27
+modified: 2021/11/30
logsource:
product: windows
service: security
detection:
selection:
+ provider_Name: Microsoft-Windows-Security-Auditing
EventID: 4720
condition: selection
fields:
diff --git a/rules/windows/builtin/win_user_driver_loaded.yml b/rules/windows/builtin/win_user_driver_loaded.yml
index edcd4172c..9ecaa925c 100644
--- a/rules/windows/builtin/win_user_driver_loaded.yml
+++ b/rules/windows/builtin/win_user_driver_loaded.yml
@@ -7,12 +7,13 @@ references:
- https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673
date: 2019/04/08
-modified: 2021/11/27
+modified: 2021/11/30
logsource:
product: windows
service: security
detection:
selection_1:
+ Provider_Name: Microsoft-Windows-Security-Auditing
EventID: 4673
PrivilegeList: 'SeLoadDriverPrivilege'
Service: '-'
diff --git a/rules/windows/builtin/win_vssaudit_secevent_source_registration.yml b/rules/windows/builtin/win_vssaudit_secevent_source_registration.yml
index 671289078..5892cc489 100644
--- a/rules/windows/builtin/win_vssaudit_secevent_source_registration.yml
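Review bot: win_user_creation.yml gets `provider_Name` (lowercase p) while the two neighbouring rules in this same line of the patch use `Provider_Name`. Field names are looked up verbatim in backend mappings, so the odd spelling bypasses the mapping and lands in the generated query as a literal `provider_Name` field; on case-sensitive backends the 4720 user-creation rule then never fires. Change the line to `Provider_Name: Microsoft-Windows-Security-Auditing`.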
+++ b/rules/windows/builtin/win_vssaudit_secevent_source_registration.yml @@ -3,7 +3,7 @@ id: e9faba72-4974-4ab2-a4c5-46e25ad59e9b description: Detects the registration of the security event source VSSAudit. It would usually trigger when volume shadow copy operations happen. status: experimental date: 2020/10/20 -modified: 2021/11/26 +modified: 2021/11/30 author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR) tags: - attack.credential_access @@ -14,13 +14,13 @@ logsource: product: windows service: security detection: - selection_one: - EventID: 4904 + selection: + Provider_Name: Microsoft-Windows-Security-Auditing AuditSourceName: VSSAudit - selection_two: - EventID: 4905 - AuditSourceName: VSSAudit - condition: selection_one or selection_two + EventID: + - 4904 + - 4905 + condition: selection falsepositives: - Legitimate use of VSSVC. Maybe backup operations. It would usually be done by C:\Windows\System32\VSSVC.exe. level: low \ No newline at end of file diff --git a/rules/windows/builtin/win_vul_cve_2020_1472.yml b/rules/windows/builtin/win_vul_cve_2020_1472.yml index bff52b97e..0913067bd 100644 --- a/rules/windows/builtin/win_vul_cve_2020_1472.yml +++ b/rules/windows/builtin/win_vul_cve_2020_1472.yml @@ -6,7 +6,7 @@ references: - https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc author: NVISO date: 2020/09/15 -modified: 2021/08/09 +modified: 2021/11/30 tags: - attack.privilege_escalation - attack.t1548 @@ -15,6 +15,7 @@ logsource: service: system detection: selection: + Provider_Name: NetLogon # Active Directory: NetLogon ETW GUID {F33959B4-DBEC-11D2-895B-00C04F79AB69} EventID: 5829 condition: selection fields: diff --git a/rules/windows/builtin/win_wmiprvse_wbemcomn_dll_hijack.yml b/rules/windows/builtin/win_wmiprvse_wbemcomn_dll_hijack.yml index 083a98ded..5103cdee5 100644 --- a/rules/windows/builtin/win_wmiprvse_wbemcomn_dll_hijack.yml 
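Review bot: The new `Provider_Name: NetLogon` on the CVE-2020-1472 rule uses mixed case, but the source name Windows records for the legacy Netlogon events in the System log is, as far as I recall, `NETLOGON`; on a backend with case-sensitive keyword matching the added condition turns event 5829 detection into a no-op. Confirm the exact casing against a captured 5829 event and match it verbatim, e.g. `Provider_Name: NETLOGON`. The inline comment gives the ETW GUID, which is a helpful anchor, but the field being compared is the name, so the comment should say which casing was verified.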
+++ b/rules/windows/builtin/win_wmiprvse_wbemcomn_dll_hijack.yml
@@ -6,12 +6,13 @@ author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR)
references:
- https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-201009173318.html
date: 2020/10/12
-modified: 2021/11/27
+modified: 2021/11/30
logsource:
product: windows
service: security
detection:
selection:
+ Provider_Name: Microsoft-Windows-Eventlog
EventID: 5145
RelativeTargetName|endswith: '\wbem\wbemcomn.dll'
filter:
From 24d73a5e8a7efaa32d95b03a0e202c2f52891ae0 Mon Sep 17 00:00:00 2001
From: frack113
Date: Tue, 30 Nov 2021 15:10:36 +0100
Subject: [PATCH 14/40] Add definition info
---
rules/windows/builtin/win_usb_device_plugged.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/builtin/win_usb_device_plugged.yml b/rules/windows/builtin/win_usb_device_plugged.yml
index 95ef20e3d..cf9013bb7 100644
--- a/rules/windows/builtin/win_usb_device_plugged.yml
+++ b/rules/windows/builtin/win_usb_device_plugged.yml
@@ -11,7 +11,7 @@ modified: 2021/11/30
logsource:
product: windows
service: driver-framework
- definition: mapping Provider_Name: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
+ definition: mapping Provider_Name 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
detection:
selection:
EventID:
From fa26f5f7f54906b1e705e60e1f6396cb7dcddefc Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Tue, 30 Nov 2021 14:21:38 +0000
Subject: [PATCH 15/40] simplifying format
---
.../win_xsl_script_processing.yml | 19 ++++++++++---------
1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/rules/windows/process_creation/win_xsl_script_processing.yml b/rules/windows/process_creation/win_xsl_script_processing.yml
index bd2102923..de22303eb 100644
--- a/rules/windows/process_creation/win_xsl_script_processing.yml
+++ b/rules/windows/process_creation/win_xsl_script_processing.yml
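Review bot: `Provider_Name: Microsoft-Windows-Eventlog` is paired with `EventID: 5145` in the Security log, but 5145 (detailed file share access) is written by the Microsoft-Windows-Security-Auditing provider — which is exactly what this same commit adds to the other 5145 rule, win_transferring_files_with_credential_data_via_network_shares.yml. With this value the selection can never match and the wbemcomn.dll hijack detection is silently disabled. Change the line to `Provider_Name: Microsoft-Windows-Security-Auditing`.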
@@ -16,15 +16,16 @@ detection:
CommandLine|contains: '/format' # wmic process list /FORMAT /?
- Image|endswith: '\msxsl.exe'
false_positives:
- - CommandLine|contains: '/Format:List'
- - CommandLine|contains: '/Format:htable'
- - CommandLine|contains: '/Format:hform'
- - CommandLine|contains: '/Format:table'
- - CommandLine|contains: '/Format:mof'
- - CommandLine|contains: '/Format:value'
- - CommandLine|contains: '/Format:rawxml'
- - CommandLine|contains: '/Format:xml'
- - CommandLine|contains: '/Format:csv'
+ CommandLine|contains:
+ - '/Format:List'
+ - '/Format:htable'
+ - '/Format:hform'
+ - '/Format:table'
+ - '/Format:mof'
+ - '/Format:value'
+ - '/Format:rawxml'
+ - '/Format:xml'
+ - '/Format:csv'
condition: selection and not false_positives
falsepositives:
- WMIC.exe FP depend on scripts and administrative methods used in the monitored environment.
From 00560f3162fd790a3565346a171d84e53946359c Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Tue, 30 Nov 2021 19:10:14 +0100
Subject: [PATCH 16/40] Add zircolite config
---
tools/config/zircolite.yml | 94 ++++++++++++++++++++++++++++++++++++++
1 file changed, 94 insertions(+)
create mode 100644 tools/config/zircolite.yml
diff --git a/tools/config/zircolite.yml b/tools/config/zircolite.yml
new file mode 100644
index 000000000..af73a56fb
--- /dev/null
+++ b/tools/config/zircolite.yml
@@ -0,0 +1,94 @@ +title: Zircolite +order: 20 +backends: + - sqlite +logsources: + windows-application: + product: windows + service: application + conditions: + Channel: Application + windows-security: + product: windows + service: security + conditions: + Channel: Security + windows-system: + product: windows + service: system + conditions: + Channel: System + windows-sysmon: + product: windows + service: sysmon + conditions: + Channel: 'Microsoft-Windows-Sysmon/Operational' + windows-powershell: + product: windows + service: powershell + conditions: + Channel: 'Microsoft-Windows-PowerShell/Operational' + windows-classicpowershell: + product: windows + service: powershell-classic + conditions: + Channel: 'Windows PowerShell' + windows-dns-server: + product: windows + service: dns-server + conditions: + Channel: 'DNS Server' + windows-driver-framework: + product: windows + service: driver-framework + conditions: + Provider_Name: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' + windows-dhcp: + product: windows + service: dhcp + conditions: + Provider_Name: 'Microsoft-Windows-DHCP-Server/Operational' + windows-ntlm: + product: windows + service: ntlm + conditions: + Provider_Name: 'Microsoft-Windows-NTLM/Operational' + windows-defender: + product: windows + service: windefend + conditions: + Channel: 'Microsoft-Windows-Windows Defender/Operational' + windows-printservice-admin: + product: windows + service: printservice-admin + conditions: + Channel: 'Microsoft-Windows-PrintService/Admin' + windows-printservice-operational: + product: windows + service: printservice-operational + conditions: + Channel: 'Microsoft-Windows-PrintService/Operational' + windows-smbclient-security: + product: windows + service: smbclient-security + conditions: + Channel: 'Microsoft-Windows-SmbClient/Security' + windows-applocker: + product: windows + service: applocker + conditions: + Channel: + - 'Microsoft-Windows-AppLocker/MSI and Script' + - 'Microsoft-Windows-AppLocker/EXE 
and DLL' + - 'Microsoft-Windows-AppLocker/Packaged app-Deployment' + - 'Microsoft-Windows-AppLocker/Packaged app-Execution' + windows-msexchange-management: + product: windows + service: msexchange-management + conditions: + Channel: 'MSExchange Management' + microsoft-servicebus-client: + product: windows + service: microsoft-servicebus-client + conditions: + Channel: 'Microsoft-ServiceBus-Client' From 0384f8fb52108be15ee24c9667d575e23823d68c Mon Sep 17 00:00:00 2001 From: Matthew Green Date: Wed, 1 Dec 2021 15:07:06 +1100 Subject: [PATCH 17/40] Update win_renamed_binary.yml --- rules/windows/process_creation/win_renamed_binary.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/rules/windows/process_creation/win_renamed_binary.yml b/rules/windows/process_creation/win_renamed_binary.yml index 84dbbbf99..9e3905684 100644 --- a/rules/windows/process_creation/win_renamed_binary.yml +++ b/rules/windows/process_creation/win_renamed_binary.yml @@ -16,6 +16,7 @@ detection: selection: OriginalFileName: - 'cmd.exe' + - 'CONHOST.EXE' - 'powershell.exe' - 'powershell_ise.exe' - 'psexec.exe' @@ -38,6 +39,7 @@ detection: filter: Image|endswith: - '\cmd.exe' + - '\conhost.exe' - '\powershell.exe' - '\powershell_ise.exe' - '\psexec.exe' From 80a1b02fe506b6263509ec754ed9d0fd07d3712e Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Wed, 1 Dec 2021 06:54:30 +0100 Subject: [PATCH 18/40] Update win_renamed_binary.yml --- rules/windows/process_creation/win_renamed_binary.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_renamed_binary.yml b/rules/windows/process_creation/win_renamed_binary.yml index 9e3905684..0f827f6d0 100644 --- a/rules/windows/process_creation/win_renamed_binary.yml +++ b/rules/windows/process_creation/win_renamed_binary.yml 
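Review bot: `windows-driver-framework`, `windows-dhcp` and `windows-ntlm` place a channel name (ending in `/Operational`) under a `Provider_Name` condition, while every other entry in this file selects on `Channel`. The `/Operational` suffix denotes the event log channel; the provider name on those events is, as far as I know, the part before the slash, so as written these three logsource conditions should never match and any rule bound to them is silently dead. Use `Channel: 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'` (and likewise `Channel:` for the DHCP-Server and NTLM entries) to stay consistent with the rest of the config.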
@@ -8,7 +8,7 @@ references:
- https://mgreen27.github.io/posts/2019/05/12/BinaryRename.html
- https://mgreen27.github.io/posts/2019/05/29/BinaryRename2.html
date: 2019/06/15
-modified: 2021/11/27
+modified: 2021/12/01
logsource:
category: process_creation
product: windows
From 7fad4768e442322f997a519d0579f684f492520e Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 1 Dec 2021 14:20:05 +0100
Subject: [PATCH 19/40] rule: APT UA - new user agent
---
rules/proxy/proxy_ua_apt.yml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/proxy/proxy_ua_apt.yml b/rules/proxy/proxy_ua_apt.yml
index 904feabfe..34eaba226 100644
--- a/rules/proxy/proxy_ua_apt.yml
+++ b/rules/proxy/proxy_ua_apt.yml
@@ -6,7 +6,7 @@ author: Florian Roth, Markus Neis
references:
- Internal Research
date: 2019/11/12
-modified: 2021/11/27
+modified: 2021/11/30
logsource:
category: proxy
detection:
@@ -51,6 +51,7 @@ detection:
- 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;SV1;' # Mustang Panda https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/
- 'Mozilla/5.0 (X11; Linux i686; rv:22.0) Firefox/22.0' # BackdoorDiplomacy https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/
- 'Mozilla/5.0 Chrome/72.0.3626.109 Safari/537.36' # SideWalk malware used by Sparkling Goblin
+ - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:FTS_06) Gecko/22.36.35.06 Firefox/2.0' # LitePower stager used by WRITE https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044/
condition: selection
fields:
- ClientIP
From 6927b0e69fa539b0cb1bbc7feb356c651fea2c88 Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Wed, 1 Dec 2021 13:29:15 +0000
Subject: [PATCH 20/40] Fixing added backslashes that are generated by sigma backend
---
tools/sigma/backends/hawk.py | 52 +++++++++++++++++++++---------------
1 file changed, 30 insertions(+), 22 deletions(-)
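Review bot: The attribution comment on the new user agent says `used by WRITE`, but the group named in the linked securelist URL (`wirtes-campaign-...`) is WIRTE; a wrong actor name in a detection comment tends to get copied straight into alert triage notes. Change the comment to `# LitePower stager used by WIRTE https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044/`. The user-agent selection list starts outside this hunk.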
diff --git a/tools/sigma/backends/hawk.py b/tools/sigma/backends/hawk.py index 4c4a37c5f..e0d846645 100644 --- a/tools/sigma/backends/hawk.py +++ b/tools/sigma/backends/hawk.py @@ -61,6 +61,7 @@ class HAWKBackend(SingleTextQueryBackend): def generateNode(self, node, notNode=False): #print(type(node)) #print(node) + #print("Not: ", notNode) if type(node) == sigma.parser.condition.ConditionAND: return self.generateANDNode(node, notNode) elif type(node) == sigma.parser.condition.ConditionOR: @@ -95,6 +96,8 @@ class HAWKBackend(SingleTextQueryBackend): nodeRet['description'] = key nodeRet['rule_id'] = str(uuid.uuid4()) value = self.generateValueNode(node, False).replace("*", "EEEESTAREEE") + if value[-2:] == "\\\\": + value = value[:-2] value = re.escape(value) value = value.replace("EEEESTAREEE", ".*") if value[0:2] == ".*": @@ -110,16 +113,6 @@ class HAWKBackend(SingleTextQueryBackend): raise TypeError("Node type %s was not expected in Sigma parse tree" % (str(type(node)))) def generateANDNode(self, node, notNode=False): - """ - generated = [ self.generateNode(val) for val in node ] - filtered = [ g for g in generated if g is not None ] - if filtered: - if self.sort_condition_lists: - filtered = sorted(filtered) - return self.andToken.join(filtered) - else: - return None - """ ret = { "id" : "and", "key": "And", "children" : [ ] } generated = [ self.generateNode(val, notNode) for val in node ] filtered = [ g for g in generated if g is not None ] @@ -127,7 +120,6 @@ class HAWKBackend(SingleTextQueryBackend): if self.sort_condition_lists: filtered = sorted(filtered) ret['children'] = filtered - # return json.dumps(ret)# self.orToken.join(filtered) return ret else: return None 
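Review bot: The new trailing-backslash strip `if value[-2:] == "\\\\": value = value[:-2]` runs before `re.escape` here, so it removes two raw backslashes from the Sigma value, whereas the same check added to the map-item paths later in this patch runs after `re.escape` and therefore removes a single raw backslash. The three sites thus treat a value ending in `\` differently, and none explains what artifact is being removed; a pattern that legitimately ends in a path separator (e.g. `\Windows\System32\`) silently loses it. Pull the check into one helper applied at the same point in every path and add a comment naming the backend-generated backslash the commit message refers to, e.g. `# strip the escaped trailing backslash the query emitter appends; a literal trailing "\" cannot be expressed here`. The enclosing generateNode starts outside this hunk.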
@@ -187,7 +179,7 @@ class HAWKBackend(SingleTextQueryBackend): nodeRet['description'] = key if key.lower() in ("logname","source"): self.logname = value - elif type(value) == str and "*" in value: + if type(value) == str and "*" in value: value = value.replace("*", "EEEESTAREEE") value = re.escape(value) value = value.replace("EEEESTAREEE", ".*") 
@@ -199,32 +191,44 @@ class HAWKBackend(SingleTextQueryBackend): nodeRet["args"]["comparison"]["value"] = "!=" else: nodeRet['args']['comparison']['value'] = "=" + if value[-2:] == "\\\\": + value = value[:-2] nodeRet['args']['str']['value'] = value nodeRet['args']['str']['regex'] = "true" # return "%s regex %s" % (self.cleanKey(key), self.generateValueNode(value, True)) #return json.dumps(nodeRet) return nodeRet elif type(value) is str: - #return self.mapExpression % (self.cleanKey(key), self.generateValueNode(value, True)) + if notNode: + nodeRet["args"]["comparison"]["value"] = "!=" + else: + nodeRet['args']['comparison']['value'] = "=" nodeRet['args']['str']['value'] = value # return json.dumps(nodeRet) return nodeRet elif type(value) is int: nodeRet['return'] = "int" nodeRet['args']['int'] = { "value" : value } + if notNode: + nodeRet["args"]["comparison"]["value"] = "!=" + else: + nodeRet['args']['comparison']['value'] = "=" del nodeRet['args']['str'] #return self.mapExpression % (self.cleanKey(key), self.generateValueNode(value, True)) #return json.dumps(nodeRet) return nodeRet else: - #return self.mapExpression % (self.cleanKey(key), self.generateNode(value)) nodeRet['args']['str']['value'] = value + if notNode: + nodeRet["args"]["comparison"]["value"] = "!=" + else: + nodeRet['args']['comparison']['value'] = "=" #return json.dumps(nodeRet) return nodeRet elif type(value) == list: return self.generateMapItemListNode(key, value, notNode) elif isinstance(value, SigmaTypeModifier): - return self.generateMapItemTypedNode(key, value) + return self.generateMapItemTypedNode(key, value, notNode) elif value is None: #return self.nullExpression % (key, ) #print("Performing null") 
@@ -253,6 +257,10 @@ class HAWKBackend(SingleTextQueryBackend):
nodeRet['key'] = self.cleanKey(key).lower()
nodeRet['description'] = key
nodeRet['rule_id'] = str(uuid.uuid4())
+ if notNode:
+ nodeRet['args']['comparison']['value'] = "!="
+ else:
+ nodeRet['args']['comparison']['value'] = "="
if item is None:
nodeRet['args']['str']['value'] = 'null'
ret['children'].append( nodeRet )
@@ -264,12 +272,15 @@ class HAWKBackend(SingleTextQueryBackend):
item = item[2:]
if item[-2:] == ".*":
item = item[:-2]
- nodeRet['args']['str']['value'] = item # self.generateValueNode(item, True)
+ if item[-2:] == "\\\\":
+ item = item[:-2]
+ nodeRet['args']['str']['value'] = item
nodeRet['args']['str']['regex'] = "true"
if notNode:
nodeRet["args"]["comparison"]["value"] = "!="
else:
nodeRet['args']['comparison']['value'] = "="
+ #print(item)
ret['children'].append( nodeRet )
else:
nodeRet['args']['str']['value'] = self.generateValueNode(item, True)
@@ -292,6 +303,9 @@ class HAWKBackend(SingleTextQueryBackend):
value = value[2:]
if value[-2:] == ".*":
value = value[:-2]
+ # print(value)
+ if value[-2:] == "\\\\":
+ value = value[:-2]
nodeRet['args']['str']['value'] = value
nodeRet['args']['str']['regex'] = "true"
if notNode:
@@ -534,12 +548,6 @@ class HAWKBackend(SingleTextQueryBackend):
def generateQuery(self, parsed, sigmaparser):
self.sigmaparser = sigmaparser
result = self.generateNode(parsed.parsedSearch)
- """
- if any("flow" in i for i in self.parsedlogsource):
- aql_database = "flows"
- else:
- aql_database = "events"
- """
prefix = ""
ret = '[ { "id" : "and", "key": "And", "children" : ['
ret2 = ' ] } ]'
From 1150e071215ae745382a610e4e2d222a0590c61a Mon Sep 17 00:00:00 2001
From: phantinuss
Date: Mon, 29 Nov 2021 13:44:17 +0100
Subject: [PATCH 21/40] fix: typo
---
.../process_creation/win_commandline_path_traversal_evasion.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
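Review bot: The -264 and -292 hunks commit commented-out debug statements (`#print(item)`, `# print(value)`) next to the many `#return …` lines this backend already carries; commented-out code should be deleted rather than added, since a reader cannot tell whether it is dead, pending, or a trace point. If a trace is wanted, a logger call at debug level is the maintainable form. The -264 hunk's new `nodeRet['args']['str']['value'] = item` line also drops the old trailing `# self.generateValueNode(item, True)` remark, which is the right direction — the remaining `#return` comments in these methods could go the same way. All four hunks sit inside methods whose start and end lie outside this chunk.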
diff --git a/rules/windows/process_creation/win_commandline_path_traversal_evasion.yml b/rules/windows/process_creation/win_commandline_path_traversal_evasion.yml
index 0ddf5aa89..3b377a1c2 100644
--- a/rules/windows/process_creation/win_commandline_path_traversal_evasion.yml
+++ b/rules/windows/process_creation/win_commandline_path_traversal_evasion.yml
@@ -1,4 +1,4 @@
-title: Command Line Path Traversial Evasion
+title: Command Line Path Traversal Evasion
status: experimental
id: 1327381e-6ab0-4f38-b583-4c1b8346a56b
author: Christian Burkard
From 204c62799194c7cfab6d07d07446a1800953674b Mon Sep 17 00:00:00 2001
From: phantinuss
Date: Wed, 1 Dec 2021 15:13:28 +0100
Subject: [PATCH 22/40] add PE files because of CVE-2020-1599
---
rules/windows/builtin/win_susp_mshta_execution.yml | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/rules/windows/builtin/win_susp_mshta_execution.yml b/rules/windows/builtin/win_susp_mshta_execution.yml
index 72db499df..5f26daec7 100644
--- a/rules/windows/builtin/win_susp_mshta_execution.yml
+++ b/rules/windows/builtin/win_susp_mshta_execution.yml
@@ -8,8 +8,9 @@ references:
- https://0x00sec.org/t/clientside-exploitation-in-2018-how-pentesting-has-changed/7356
- https://docs.microsoft.com/en-us/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script
- https://medium.com/tsscyber/pentesting-and-hta-bypassing-powershell-constrained-language-mode-53a42856c997
+ - https://twitter.com/mattifestation/status/1326228491302563846
date: 2019/02/22
-modified: 2021/11/27
+modified: 2021/12/01
logsource:
category: process_creation
product: windows
@@ -25,6 +26,8 @@ detection:
- '.xls'
- '.doc'
- '.zip'
+ - '.dll'
+ - '.exe'
condition: selection1
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
@@ -33,3 +36,6 @@ tags:
- attack.defense_evasion
- attack.t1140
- attack.t1218.005
+ - attack.execution
+ - attack.t1059.007
+ - cve.2020.1599
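Review bot: Adding `'.exe'` to this list risks matching every mshta invocation: a process's command line normally contains its own image path (`…\mshta.exe`), so if the list keys `CommandLine|contains` (the field name and the rest of `selection1` are above the hunk) the selection becomes nearly unconditional and the rule degrades to "mshta.exe started". Before merging, run the rule against a benign mshta baseline and, if the match rate confirms this, anchor the PE extensions differently — for example a separate selection using `CommandLine|endswith` for `.exe`/`.dll`, or requiring the extension to follow a space or quote — and record the expected noise in `falsepositives`. Unrelated to the new lines but visible here: the file sits under `rules/windows/builtin/` while its logsource is `category: process_creation`, unlike the other process_creation rules in this series; worth moving unless the placement is intentional.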
From 96295a717cf836bc88b409081ddd313a6f2b1ff5 Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Wed, 1 Dec 2021 15:35:51 +0000
Subject: [PATCH 23/40] Adding filter for read only accesslist, attack cannot be triggered
---
rules/windows/file_event/sysmon_susp_desktop_ini.yml | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/rules/windows/file_event/sysmon_susp_desktop_ini.yml b/rules/windows/file_event/sysmon_susp_desktop_ini.yml
index 46d7ed89b..be6e0069e 100755
--- a/rules/windows/file_event/sysmon_susp_desktop_ini.yml
+++ b/rules/windows/file_event/sysmon_susp_desktop_ini.yml
@@ -2,11 +2,11 @@ title: Suspicious desktop.ini Action
id: 81315b50-6b60-4d8f-9928-3466e1022515
status: test
description: Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk.
-author: Maxime Thiebaut (@0xThiebaut)
+author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO)
references:
- https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
date: 2020/03/19
-modified: 2021/11/27
+modified: 2021/11/29
logsource:
product: windows
category: file_event
@@ -16,11 +16,18 @@ detection:
- 'C:\Windows\explorer.exe'
- 'C:\Windows\System32\msiexec.exe'
- 'C:\Windows\System32\mmc.exe'
+ AccessList|contains:
+ - 'WriteData'
+ - 'DELETE'
+ - 'WriteDAC'
+ - 'AppendData'
+ - 'AddSubdirectory'
selection:
TargetFilename|endswith: '\desktop.ini'
condition: selection and not filter
falsepositives:
- Operations performed through Windows SCCM or equivalent
+ - read only access list authority
level: medium
tags:
- attack.persistence
From 677bdd976823287fc54c99172600ac5c1219df30 Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Wed, 1 Dec 2021 15:37:11 +0000
Subject: [PATCH 24/40] oof, adding to selection and not filter
---
rules/windows/file_event/sysmon_susp_desktop_ini.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
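Review bot: `AccessList` is, as far as I know, not a field of the Sysmon file-creation event that `category: file_event` maps to; it comes from the Windows Security object-access audit (the 4663-style events). Under this logsource the field is simply absent, so in this hunk the `filter` can never match (explorer.exe/msiexec.exe/mmc.exe writes stop being excluded), and once the next patch (24) moves the same block into `selection` the rule can never fire at all. If write-vs-read filtering is wanted, the rule needs a logsource that carries access masks (`product: windows` / `service: security`), otherwise the field should be dropped. The new falsepositives entry `read only access list authority` is also hard to read; `Read-only access to desktop.ini (no write/delete access mask)` would say what is meant.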
diff --git a/rules/windows/file_event/sysmon_susp_desktop_ini.yml b/rules/windows/file_event/sysmon_susp_desktop_ini.yml
index be6e0069e..45822b534 100755
--- a/rules/windows/file_event/sysmon_susp_desktop_ini.yml
+++ b/rules/windows/file_event/sysmon_susp_desktop_ini.yml
@@ -16,14 +16,14 @@ detection:
- 'C:\Windows\explorer.exe'
- 'C:\Windows\System32\msiexec.exe'
- 'C:\Windows\System32\mmc.exe'
+ selection:
+ TargetFilename|endswith: '\desktop.ini'
AccessList|contains:
- 'WriteData'
- 'DELETE'
- 'WriteDAC'
- 'AppendData'
- 'AddSubdirectory'
- selection:
- TargetFilename|endswith: '\desktop.ini'
condition: selection and not filter
falsepositives:
- Operations performed through Windows SCCM or equivalent
From 1e9715668421a30237f76466a3d4aebb6c4cf7d7 Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Wed, 1 Dec 2021 17:29:00 +0000
Subject: [PATCH 25/40] Fixing conflict where both selection and filter have the same value.
---
.../sysmon_powershell_network_connection.yml | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/rules/windows/network_connection/sysmon_powershell_network_connection.yml b/rules/windows/network_connection/sysmon_powershell_network_connection.yml
index 49ef08e91..b728c7afb 100755
--- a/rules/windows/network_connection/sysmon_powershell_network_connection.yml
+++ b/rules/windows/network_connection/sysmon_powershell_network_connection.yml
@@ -5,7 +5,7 @@ description: Detects a Powershell process that opens network connections - check
extend filters with company's ip range')
author: Florian Roth
date: 2017/03/13
-modified: 2021/06/14
+modified: 2021/12/01
references:
- https://www.youtube.com/watch?v=DLtJTxMWZ2o
tags:
@@ -41,7 +41,6 @@ detection:
- '172.30.'
- '172.31.'
- '127.0.0.1'
- DestinationIsIpv6: 'false'
User: 'NT AUTHORITY\SYSTEM'
User|contains|all: # other languages
- 'AUT'
From 3aca9ad2ef7b9c94f81de59f155d7d8857f6f907 Mon Sep 17 00:00:00 2001
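Review bot: In a Sigma selection map sibling keys are ANDed, so `User: 'NT AUTHORITY\SYSTEM'` together with `User|contains|all:` (commented `# other languages`) requires both to hold: the exact English account name already satisfies the contains check, and a localized SYSTEM name can never satisfy the exact match, so the "other languages" alternative is dead and the filter only ever excludes the English form. If an OR is intended, split the two into separate selections, e.g. `filter_user_en:` with the exact value and `filter_user_other:` with the `contains|all` list, and reference them from the condition with `1 of filter_user*`. The removal of `DestinationIsIpv6: 'false'` is fine as far as this hunk shows, but the filter map begins before the hunk and the `contains|all` list continues after it, so the full structure is inferred.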
From: Tim Shelton
Date: Wed, 1 Dec 2021 18:01:36 +0000
Subject: [PATCH 26/40] fixing false positive due to direct calls to xcopy and cmd.exe
---
.../process_creation/win_susp_copy_system32.yml | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/rules/windows/process_creation/win_susp_copy_system32.yml b/rules/windows/process_creation/win_susp_copy_system32.yml
index 2fe048583..fd508a63b 100644
--- a/rules/windows/process_creation/win_susp_copy_system32.yml
+++ b/rules/windows/process_creation/win_susp_copy_system32.yml
@@ -2,21 +2,19 @@ title: Suspicious Copy From or To System32
id: fff9d2b7-e11c-4a69-93d3-40ef66189767
status: test
description: Detects a suspicious copy command that copies a system program from System32 to another directory on disk - sometimes used to use LOLBINs like certutil or desktopimgdownldr to a different location with a different name
-author: Florian Roth, Markus Neis
+author: Florian Roth, Markus Neis, Tim Shelton (HAWK.IO)
references:
- https://www.hybrid-analysis.com/sample/8da5b75b6380a41eee3a399c43dfe0d99eeefaa1fd21027a07b1ecaa4cd96fdd?environmentId=120
date: 2020/07/03
-modified: 2021/11/27
+modified: 2021/12/30
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- - ' /c copy'
- - 'xcopy'
- CommandLine|contains|all:
- - '\System32\'
+ - 'xcopy*\System32\'
+ - 'cmd.exe*/c*copy*\System32\'
condition: selection
fields:
- CommandLine
@@ -24,6 +22,7 @@ fields:
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
- Admin scripts like https://www.itexperience.net/sccm-batch-files-and-32-bits-processes-on-64-bits-os/
+ - False positive when c:\windows\SYSTEM32\cmd.exe is called directly : C:\Windows\System32\cmd.exe /c copy file1 file2
level: medium
tags:
- attack.defense_evasion
From 86250b4acb42a4141420a44e4226097a59ef9352 Mon Sep 17 00:00:00 2001
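Review bot: The new patterns require the literal tokens `xcopy` or `cmd.exe` to precede `\System32\`, so a plain `cmd /c copy …\System32\…` (no `.exe` in the command line) or a `copy` issued through another interpreter is no longer matched, which the previous `' /c copy'` token did catch; if that narrowing is accepted it should be stated in `description` or `falsepositives` so the coverage change is visible to users of the rule. `modified: 2021/12/30` is also a date in the future relative to the commit (1 Dec 2021) and should read `modified: 2021/12/01`. The `selection` map and the `fields` list extend beyond this hunk, so the rest of the rule is inferred.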
From: Tim Shelton
Date: Wed, 1 Dec 2021 18:15:39 +0000
Subject: [PATCH 27/40] fixing lint err
---
rules/windows/process_creation/win_susp_copy_system32.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_susp_copy_system32.yml b/rules/windows/process_creation/win_susp_copy_system32.yml
index fd508a63b..cfa12305a 100644
--- a/rules/windows/process_creation/win_susp_copy_system32.yml
+++ b/rules/windows/process_creation/win_susp_copy_system32.yml
@@ -22,7 +22,7 @@ fields:
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
- Admin scripts like https://www.itexperience.net/sccm-batch-files-and-32-bits-processes-on-64-bits-os/
- - False positive when c:\windows\SYSTEM32\cmd.exe is called directly : C:\Windows\System32\cmd.exe /c copy file1 file2
+ - False positive when cmd.exe and xcopy.exe are called directly # C:\Windows\System32\cmd.exe /c copy file1 file2
level: medium
tags:
- attack.defense_evasion
From 7626b73b8e872c3e5aade84fedfa83088a35236e Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Wed, 1 Dec 2021 18:33:48 +0000
Subject: [PATCH 28/40] Duplicate matching causes confusion. Converting to simplified selection (matching) and false positive (filtering) phases
---
rules/windows/builtin/win_lm_namedpipe.yml | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/rules/windows/builtin/win_lm_namedpipe.yml b/rules/windows/builtin/win_lm_namedpipe.yml
index 4717ece59..fb29d1d8e 100644
--- a/rules/windows/builtin/win_lm_namedpipe.yml
+++ b/rules/windows/builtin/win_lm_namedpipe.yml
@@ -6,7 +6,7 @@ author: Samir Bousseaden
references:
- https://twitter.com/menasec1/status/1104489274387451904
date: 2019/04/03
-modified: 2021/11/27
+modified: 2021/12/01
logsource:
product: windows
service: security
@@ -15,9 +15,7 @@ detection:
selection1:
EventID: 5145
ShareName: \\\*\IPC$
- selection2:
- EventID: 5145
- ShareName: \\\*\IPC$
+ false_positives:
RelativeTargetName:
- 'atsvc'
- 'samr'
@@ -36,7 +34,7 @@ detection:
- 'HydraLsPipe'
- 'TermSrv_API_service'
- 'MsFteWds'
- condition: selection1 and not selection2
+ condition: selection1 and not false_positives
falsepositives:
- update the excluded named pipe to filter out any newly observed legit named pipe
level: high
From d90ddc097e0bc63f983f4e96c39f7cf5b2f5dbe6 Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Wed, 1 Dec 2021 18:36:38 +0000
Subject: [PATCH 29/40] adding additional filter for lsass: ShareName=\\*\IPC$ | ShareLocalPath= | RelativeTargetName=lsass | AccessMask=0x2019f
---
rules/windows/builtin/win_lm_namedpipe.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/rules/windows/builtin/win_lm_namedpipe.yml b/rules/windows/builtin/win_lm_namedpipe.yml
index fb29d1d8e..573eada64 100644
--- a/rules/windows/builtin/win_lm_namedpipe.yml
+++ b/rules/windows/builtin/win_lm_namedpipe.yml
@@ -20,6 +20,7 @@ detection:
- 'atsvc'
- 'samr'
- 'lsarpc'
+ - 'lsass'
- 'winreg'
- 'netlogon'
- 'srvsvc'
From 1ebd75754fa5a3d2bc125138212cbbd0633546cb Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Wed, 1 Dec 2021 21:15:41 +0000
Subject: [PATCH 30/40] omgosh fix err in syntax on this.... sooo sorry!
---
.../powershell_script/powershell_malicious_commandlets.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/powershell/powershell_script/powershell_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/powershell_malicious_commandlets.yml
index 7632b7a8c..5491b7ab9 100644
--- a/rules/windows/powershell/powershell_script/powershell_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/powershell_malicious_commandlets.yml
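Review bot: `false_positives` as a detection identifier reads like the rule's top-level `falsepositives:` key a few lines below, which is documentation rather than logic; the convention in the rest of this series is `filter` (or `filter_<reason>`), so `filter_legit_pipes:` with `condition: selection1 and not filter_legit_pipes` would avoid the confusion the commit message itself complains about. The following patch (29) then adds `'lsass'` to this exclusion list although its message describes one observed case with `AccessMask=0x2019f`; as written the exclusion drops every remote open of the lsass pipe regardless of access mask, so either scope that entry (the 5145 event carries `AccessMask`) or state in `falsepositives` that the lsass pipe is excluded wholesale. The pipe list continues past the first hunk, so the full exclusion set is not visible here.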
@@ -115,7 +115,7 @@ detection:
- "Invoke-AllChecks"
false_positives:
ScriptBlockText|contains: Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
- ScriptBlockText:contains: C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Scripts\Set-Wallpaper.ps1 # false positive form Amazon EC2
+ ScriptBlockText|contains: C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Scripts\Set-Wallpaper.ps1 # false positive form Amazon EC2
condition: select_Malicious and not false_positives
falsepositives:
- Penetration testing
From bd13c7b77b59e6ca719de455192c61ec4184ecc2 Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Wed, 1 Dec 2021 21:27:31 +0000
Subject: [PATCH 31/40] fixing yaml formatting
---
.../powershell_script/powershell_malicious_commandlets.yml | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/rules/windows/powershell/powershell_script/powershell_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/powershell_malicious_commandlets.yml
index 5491b7ab9..dcd74c258 100644
--- a/rules/windows/powershell/powershell_script/powershell_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/powershell_malicious_commandlets.yml
@@ -114,8 +114,9 @@ detection:
- "Invoke-Mimikittenz"
- "Invoke-AllChecks"
false_positives:
- ScriptBlockText|contains: Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
- ScriptBlockText|contains: C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Scripts\Set-Wallpaper.ps1 # false positive form Amazon EC2
+ ScriptBlockText|contains
+ - Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
+ - C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Scripts\Set-Wallpaper.ps1 # false positive form Amazon EC2
condition: select_Malicious and not false_positives
falsepositives:
- Penetration testing
From 0e55a06e6e133d8cf9c8a9ddb67573f0fdb5ca92 Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Wed, 1 Dec 2021 23:14:57 +0000
Subject: [PATCH 32/40] adding missing :
---
.../powershell_script/powershell_malicious_commandlets.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/powershell/powershell_script/powershell_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/powershell_malicious_commandlets.yml
index dcd74c258..751c93c74 100644
--- a/rules/windows/powershell/powershell_script/powershell_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/powershell_malicious_commandlets.yml
@@ -114,7 +114,7 @@ detection:
- "Invoke-Mimikittenz"
- "Invoke-AllChecks"
false_positives:
- ScriptBlockText|contains
+ ScriptBlockText|contains:
- Get-SystemDriveInfo # http://bheltborg.dk/Windows/WinSxS/amd64_microsoft-windows-maintenancediagnostic_31bf3856ad364e35_10.0.10240.16384_none_91ef7543a4514b5e/CL_Utility.ps1
- C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Scripts\Set-Wallpaper.ps1 # false positive form Amazon EC2
condition: select_Malicious and not false_positives
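Review bot: With the syntax now fixed, the `false_positives` exclusion negates on substrings of `ScriptBlockText`, which is the script's own content, so any script block containing `Get-SystemDriveInfo` or the Amazon path text anywhere is suppressed even when it also contains one of the `select_Malicious` cmdlet names; keying the exception on the script's origin instead — the 4104 event's `Path` field, e.g. `Path|endswith: ['\CL_Utility.ps1', '\Set-Wallpaper.ps1']` — keeps it tied to the two known-benign files the comments cite. `false_positives` as a selection name also mirrors the top-level `falsepositives` key; `filter_known_scripts` follows the naming used elsewhere in the ruleset. The `select_Malicious` list begins before this hunk.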
From 686035d66e884e520de36860b5aa6ac321b327c9 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Thu, 2 Dec 2021 06:41:49 +0100
Subject: [PATCH 33/40] Order selection filter
---
rules/windows/file_event/sysmon_susp_desktop_ini.yml | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/rules/windows/file_event/sysmon_susp_desktop_ini.yml b/rules/windows/file_event/sysmon_susp_desktop_ini.yml
index 45822b534..76df7dffe 100755
--- a/rules/windows/file_event/sysmon_susp_desktop_ini.yml
+++ b/rules/windows/file_event/sysmon_susp_desktop_ini.yml
@@ -11,11 +11,6 @@ logsource:
product: windows
category: file_event
detection:
- filter:
- Image:
- - 'C:\Windows\explorer.exe'
- - 'C:\Windows\System32\msiexec.exe'
- - 'C:\Windows\System32\mmc.exe'
selection:
TargetFilename|endswith: '\desktop.ini'
AccessList|contains:
@@ -24,6 +19,11 @@ detection:
- 'WriteDAC'
- 'AppendData'
- 'AddSubdirectory'
+ filter:
+ Image:
+ - 'C:\Windows\explorer.exe'
+ - 'C:\Windows\System32\msiexec.exe'
+ - 'C:\Windows\System32\mmc.exe'
condition: selection and not filter
falsepositives:
- Operations performed through Windows SCCM or equivalent
From 9597cc8063c0535b0c9820a0a91dda4482d2d9d1 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 2 Dec 2021 12:55:42 +0100
Subject: [PATCH 34/40] fix: filter condition in SystemDrawing Load rule
---
.../image_load/sysmon_susp_system_drawing_load.yml | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/rules/windows/image_load/sysmon_susp_system_drawing_load.yml b/rules/windows/image_load/sysmon_susp_system_drawing_load.yml
index ab2e276fd..0b05cdafa 100644
--- a/rules/windows/image_load/sysmon_susp_system_drawing_load.yml
+++ b/rules/windows/image_load/sysmon_susp_system_drawing_load.yml
@@ -3,7 +3,7 @@ id: 666ecfc7-229d-42b8-821e-1a8f8cb7057c
description: A General detection for processes loading System.Drawing.ni.dll. This could be an indicator of potential Screen Capture.
status: experimental
date: 2020/05/02
-modified: 2021/11/27
+modified: 2021/12/02
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
tags:
- attack.collection
@@ -31,9 +31,11 @@ detection:
- 'C:\Windows\System32\'
- 'C:\Windows\Microsoft.NET\'
- 'C:\Windows\ImmersiveControlPanel\'
- - 'C:\Windows\System32\NhNotifSys.exe'
+ filter2:
+ Image:
- 'C:\Users\\*\AppData\Local\NhNotifSys\nahimic\nahimicNotifSys.exe'
- condition: selection and not filter
+ - 'C:\Windows\System32\NhNotifSys.exe'
+ condition: selection and not 1 of filter*
falsepositives:
- unknown
level: medium
\ No newline at end of file
From 6aed1a0d2a82710bc6629c1d48f6a5a821bd0bd4 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 2 Dec 2021 14:57:06 +0100
Subject: [PATCH 35/40] fix: FPs noticed with Aurora
---
.../process_access/sysmon_cred_dump_lsass_access.yml | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml b/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml
index c105bc675..c4936c79b 100755
--- a/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml
+++ b/rules/windows/process_access/sysmon_cred_dump_lsass_access.yml
@@ -5,7 +5,7 @@ description: Detects process access LSASS memory which is typical for credential
author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community (update)
date: 2017/02/16
-modified: 2021/11/30
+modified: 2021/12/02
references:
- https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow
- https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
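Review bot: `filter2`'s `'C:\Windows\System32\NhNotifSys.exe'` looks redundant if the first filter's list is an `Image|startswith` over `C:\Windows\System32\` (that field name sits above the hunk): an exact `Image` match excludes nothing the prefix did not already exclude, so either drop the entry or add a comment saying why both are kept. The `\ No newline at end of file` marker shows `level: medium` still lacks a terminating newline; adding one avoids the same diff noise on the next edit. The `selection and not 1 of filter*` condition does correctly combine the exact and prefix filters, so the behavioral fix itself is sound.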
@@ -68,6 +68,13 @@ detection:
GrantedAccess:
- '0x1410'
- '0x410'
+ filter8:
+ SourceImage|endswith:
+ - '\thor.exe'
+ - '\thor64.exe'
+ GrantedAccess:
+ - '0x40'
+ - '0x1010'
filter_generic:
SourceImage|startswith:
- 'C:\Program Files\'
From b1f7cf21dd8c3771421a666160a5ad1d233478dc Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Thu, 2 Dec 2021 14:55:12 +0000
Subject: [PATCH 36/40] adding tomcat8 to allowed kerberos outbound.
---
.../sysmon_suspicious_outbound_kerberos_connection.yml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/windows/network_connection/sysmon_suspicious_outbound_kerberos_connection.yml b/rules/windows/network_connection/sysmon_suspicious_outbound_kerberos_connection.yml
index b98915d14..0566f2b82 100755
--- a/rules/windows/network_connection/sysmon_suspicious_outbound_kerberos_connection.yml
+++ b/rules/windows/network_connection/sysmon_suspicious_outbound_kerberos_connection.yml
@@ -6,7 +6,7 @@ author: Ilyas Ochkov, oscd.community
references:
- https://github.com/GhostPack/Rubeus
date: 2019/10/24
-modified: 2021/11/27
+modified: 2021/12/02
logsource:
category: network_connection
product: windows
@@ -20,6 +20,7 @@ detection:
- '\opera.exe'
- '\chrome.exe'
- '\firefox.exe'
+ - '\tomcat\bin\tomcat8.exe'
condition: selection and not filter
falsepositives:
- Other browsers
From 384862b90643d957539c3aaab9324407edb5ae7a Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Thu, 2 Dec 2021 15:13:23 +0000
Subject: [PATCH 37/40] When command begins with C:\Windows\System32\cmd.exe it will always match susp_del_exe # ex - C:\Windows\System32\cmd.exe" /c del /f /q "C:\Program Files (x86)\Software Package\Client\tmpDir\"
---
.../process_creation/process_creation_susp_del.yml | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/rules/windows/process_creation/process_creation_susp_del.yml b/rules/windows/process_creation/process_creation_susp_del.yml
index 61f615648..7ca3e7950 100644
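Review bot: `filter8` trusts the file name alone (`SourceImage|endswith: '\thor.exe'`, `'\thor64.exe'`), so any process carrying that name from any directory is excluded from an LSASS-access alert for the listed masks; the rule's own `filter_generic` just below shows the more robust `SourceImage|startswith` on an install path, and pairing name and expected directory keeps this exclusion specific to the scanner it is meant for. A one-line comment decoding the masks would also help the next reader, e.g. `# 0x40 = PROCESS_DUP_HANDLE, 0x1010 = PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION (THOR/Aurora scan)`. The `detection` map starts and ends outside this hunk.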
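Review bot: `'\tomcat\bin\tomcat8.exe'` pins the exclusion to one major version and one directory name, so a Tomcat 9/10 service or a differently named service wrapper re-triggers the rule, while the `falsepositives` list (`- Other browsers`) still says nothing about application servers. Either document the class of software — `- Java application servers authenticating via Kerberos (e.g. Tomcat)` — or express the exclusion by expected install path with `Image|startswith` so it does not have to be bumped per version. The filter map begins before this hunk.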
--- a/rules/windows/process_creation/process_creation_susp_del.yml
+++ b/rules/windows/process_creation/process_creation_susp_del.yml
@@ -3,7 +3,7 @@ id: 204b17ae-4007-471b-917b-b917b315c5db
status: experimental
description: suspicious command line to remove exe or dll
author: frack113
-date: 2021/10/26
+date: 2021/12/02
references:
- https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D
tags:
@@ -15,17 +15,15 @@ logsource:
detection:
susp_del_exe:
CommandLine|contains|all:
- - 'del '
+ - 'del *.exe'
- '/f '
- '/q '
- - '.exe'
susp_del_dll:
CommandLine|contains|all:
- - 'del '
+ - 'del *.dll'
- 'C:\ProgramData\'
- - '.dll'
condition: susp_del_exe or susp_del_dll
#cmd.exe (PID: 1044 cmdline: 'C:\Windows\System32\cmd.exe' /c taskkill /im A8D4.exe /f & timeout /t 6 & del /f /q 'C:\Users\user~1\AppData\Local\Temp\A8D4.exe' & del C:\ProgramData\*.dll & exit
falsepositives:
- unknown
-level: medium
\ No newline at end of file
+level: medium
From fc2e2aa4c5761fbd49932d67d883b75829746138 Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Thu, 2 Dec 2021 20:38:58 +0000
Subject: [PATCH 38/40] adding filter for false positive. no risk to sysmon operation
---
rules/windows/sysmon/sysmon_config_modification_error.yml | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/rules/windows/sysmon/sysmon_config_modification_error.yml b/rules/windows/sysmon/sysmon_config_modification_error.yml
index 9d97fafb4..7403155f3 100644
--- a/rules/windows/sysmon/sysmon_config_modification_error.yml
+++ b/rules/windows/sysmon/sysmon_config_modification_error.yml
@@ -4,7 +4,7 @@ description: Someone try to hide from Sysmon
status: experimental
author: frack113
date: 2021/06/04
-modified: 2021/11/12
+modified: 2021/12/02
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
- https://talesfrominfosec.blogspot.com/2017/12/killing-sysmon-silently.html
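Review bot: The first hunk rewrites `date:` from 2021/10/26 to 2021/12/02, but in these rules `date` is the creation date and edits are recorded in `modified:` (every other rule touched in this series does that); restore `date: 2021/10/26` and add `modified: 2021/12/02`. The `'del *.exe'` / `'del *.dll'` tokens in the second hunk do remove the self-match on `C:\Windows\System32\cmd.exe` that the commit message describes, but the `*` spans the rest of the command line, so a `del` followed by any later `.exe` in a chained command still matches — acceptable for a medium-level rule, though worth one line in `falsepositives`. The trailing-newline fix on `level: medium` is welcome.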
@@ -20,8 +20,8 @@ detection:
- 'Failed to open service configuration with error'
- 'Failed to connect to the driver to update configuration'
selection_filter:
- Description: 'Failed to open service configuration with error 19'
- condition: selection_error
+ Description: 'Failed to open service configuration with error 19 - Last error: The media is write protected.'
+ condition: selection_error and not selection_filter
falsepositives:
- legitimate administrative action
-level: high
\ No newline at end of file
+level: high
From 8ea102ae727b562ccec696811101ed5a0ee14cf9 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 3 Dec 2021 14:37:25 +0100
Subject: [PATCH 39/40] fix: FPs with desktop.ini writes
---
rules/windows/file_event/sysmon_susp_desktop_ini.yml | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/rules/windows/file_event/sysmon_susp_desktop_ini.yml b/rules/windows/file_event/sysmon_susp_desktop_ini.yml
index 46d7ed89b..f22f6151f 100755
--- a/rules/windows/file_event/sysmon_susp_desktop_ini.yml
+++ b/rules/windows/file_event/sysmon_susp_desktop_ini.yml
@@ -6,16 +6,16 @@ author: Maxime Thiebaut (@0xThiebaut)
references:
- https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
date: 2020/03/19
-modified: 2021/11/27
+modified: 2021/12/03
logsource:
product: windows
category: file_event
detection:
filter:
- Image:
- - 'C:\Windows\explorer.exe'
- - 'C:\Windows\System32\msiexec.exe'
- - 'C:\Windows\System32\mmc.exe'
+ Image|startswith:
+ - 'C:\Windows\'
+ - 'C:\Program Files\'
+ - 'C:\Program Files (x86)\'
selection:
TargetFilename|endswith: '\desktop.ini'
condition: selection and not filter
From 6852e56ff5d3c67a6ace5cf63be78772f9493596 Mon Sep 17 00:00:00 2001
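Review bot: `selection_filter` now matches the whole message with an exact `Description:` comparison, so the exclusion only holds when the `Last error:` suffix is rendered in exactly this English wording; on a non-English system, or if Sysmon changes the message format, the filter silently stops excluding and the false positive returns. Matching on the stable part, `Description|contains: 'with error 19'`, is more robust, and a comment next to it stating what error 19 is (the commit message says the media is write-protected) would help the next reader. The `selection_error` list begins before this hunk.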
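Review bot: This hunk is based on blob `46d7ed89b`, the state of this file before patches 23, 24 and 33 in the same series modified it (they move through `be6e0069e`, `45822b534` and `76df7dffe`), so applying the series in order will conflict here; it needs rebasing onto the later version and a decision on how the `AccessList` block and the reordered `filter` interact with the new `Image|startswith` list. On the content itself, `C:\Windows\` as an exclusion prefix also covers subdirectories that non-administrative processes can write to (`C:\Windows\Temp\` among them), so a desktop.ini write by a binary placed there is excluded as well; narrowing the prefixes to `C:\Windows\System32\` and `C:\Windows\explorer.exe`, or adding a second filter that keeps `C:\Windows\Temp\` in scope, would preserve the FP reduction without that gap. The remain of the rule (`falsepositives`, `level`, `tags`) lies outside this hunk.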
From: Florian Roth
Date: Fri, 3 Dec 2021 15:48:26 +0100
Subject: [PATCH 40/40] refactor: increase level to high - BITSADMIN PowerShell combo
---
rules/windows/process_creation/win_powershell_bitsjob.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/win_powershell_bitsjob.yml b/rules/windows/process_creation/win_powershell_bitsjob.yml
index 3e7d95137..d0e460407 100644
--- a/rules/windows/process_creation/win_powershell_bitsjob.yml
+++ b/rules/windows/process_creation/win_powershell_bitsjob.yml
@@ -7,7 +7,7 @@ references:
- https://eqllib.readthedocs.io/en/latest/analytics/ec5180c9-721a-460f-bddc-27539a284273.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md
date: 2018/10/30
-modified: 2021/11/27
+modified: 2021/12/03
logsource:
category: process_creation
product: windows
@@ -22,7 +22,7 @@ fields:
- CommandLine
falsepositives:
- Unknown
-level: medium
+level: high
tags:
- attack.defense_evasion
- attack.persistence