Small Update and New Rule

2022-06-16 23:37:50 +01:00
parent 4b17d2df48
commit 2ab106ddee
7 changed files with 83 additions and 34 deletions
@@ -9,12 +9,13 @@ tags:
    - attack.t1137.003
 author: Tobias Michalski
 date: 2021/06/10
+modified: 2022/06/16
 logsource:
    product: windows
    category: file_event
 detection:
    selection:
-        Image: '\outlook.exe'
+        Image|endswith: '\outlook.exe'
        TargetFilename|contains: '\appdata\local\microsoft\FORMS\'
    condition: selection
 fields:
@@ -7,17 +7,17 @@ references:
    - https://twitter.com/vanitasnk/status/1437329511142420483?s=21
 author: Florian Roth, Sittikorn S
 date: 2021/09/10
-modified: 2021/09/13
+modified: 2022/06/16
 logsource:
    product: windows
    category: file_event
 detection:
    selection:
-        Image: '\winword.exe'
+        Image|endswith: '\winword.exe'
        TargetFilename|endswith: '.cab'
        TargetFilename|contains: '\Windows\INetCache'
    selection_inf:
-        Image: '\winword.exe'
+        Image|endswith: '\winword.exe'
        TargetFilename|contains|all:
        - '\AppData\Local\Temp\'
        - '.inf'
@@ -0,0 +1,24 @@
+title: Use of OpenConsole
+id: 814c95cc-8192-4378-a70a-f1aafd877af1
+description: Detects usage of OpenConsole binary as a LOLBIN to launch other binaries to bypass application Whitelisting
+status: experimental
+references:
+    - https://twitter.com/nas_bench/status/1537563834478645252
+author: Nasreddine Bencherchali
+date: 2022/06/16
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - OriginalFileName: 'OpenConsole.exe'
+        - Image|endswith: '\OpenConsole.exe'
+    filter:
+        Image|startswith: 'C:\Program Files\WindowsApps\Microsoft.WindowsTerminal' # We exclude the default path for WindowsTerminal
+    condition: selection and not filter
+falsepositives:
+    - Legitimate use by an administrator
+level: medium
+tags:
+    - attack.execution
+    - attack.t1059
@@ -13,7 +13,7 @@ tags:
    - attack.defense_evasion
 status: experimental
 date: 2021/08/23
-modified: 2022/06/02
+modified: 2022/06/16
 logsource:
  product: windows
  category: process_creation
@@ -23,7 +23,7 @@ detection:
    - Image|endswith: '\wbem\WMIC.exe'
    - CommandLine|contains: 'wmic '
  selection2:
-    ParentImage:
+    ParentImage|endswith:
      - '\winword.exe'
      - '\excel.exe'
      - '\powerpnt.exe'
@@ -8,7 +8,7 @@ references:
    - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList
 author: Nasreddine Bencherchali @nas_bench
 date: 2021/12/18
-modified: 2022/05/13
+modified: 2022/06/16
 tags:
    - attack.discovery
    - attack.t1087
@@ -18,25 +18,23 @@ logsource:
    category: process_creation
    product: windows
 detection:
-    selection1:
-        OriginalFileName: 'psloglist'
-    selection2:
-        Image|endswith:
+    selection_img:
+        - OriginalFileName: 'psloglist.exe'
+        - Image|endswith:
          - '\psloglist.exe'
          - '\psloglist64.exe'
-    flags:
-        CommandLine|contains:
-          - '-d'
-          - '/d'
-          - '-x'
-          - '/x'
-          - '-s'
-          - '/s'
-    other:
+    selection_flgs:
        CommandLine|contains|all:
            - 'security'
            - 'accepteula'
-    condition: (1 of selection*) or (flags and other)
+        CommandLine|contains:
+          - ' -d'
+          - ' /d'
+          - ' -x'
+          - ' /x'
+          - ' -s'
+          - ' /s'
+    condition: 1 of selection*
 falsepositives:
    - Another tool that uses the command line switches of PsLogList
    - Legitimate use of PsLogList by an administrator
@@ -1,10 +1,10 @@
-title: Suspicious Shells Spawn by WinRM
+title: Suspicious Processes Spawned by WinRM
 id: 5cc2cda8-f261-4d88-a2de-e9e193c86716
-description: Detects suspicious shell spawn from WinRM host process
+description: Detects suspicious processes including shells spawnd from WinRM host process
 status: experimental
 author: Andreas Hunkeler (@Karneades), Markus Neis
 date: 2021/05/20
-modified: 2021/05/22
+modified: 2022/06/16
 tags:
    - attack.t1190
    - attack.initial_access
@@ -15,16 +15,17 @@ logsource:
    product: windows
 detection:
    selection:
-        ParentImage: '*\wsmprovhost.exe'
-        Image:
-            - '*\cmd.exe'
-            - '*\sh.exe'
-            - '*\bash.exe'
-            - '*\powershell.exe'
-            - '*\schtasks.exe'
-            - '*\certutil.exe'
-            - '*\whoami.exe'
-            - '*\bitsadmin.exe'
+        ParentImage|endswith: '\wsmprovhost.exe'
+        Image|endswith:
+            - '\cmd.exe'
+            - '\sh.exe'
+            - '\bash.exe'
+            - '\powershell.exe'
+            - '\wsl.exe'
+            - '\schtasks.exe'
+            - '\certutil.exe'
+            - '\whoami.exe'
+            - '\bitsadmin.exe'
    condition: selection
 falsepositives:
    - Legitimate WinRM usage
@@ -0,0 +1,25 @@
+title: Use of Sysinternals PsService
+id: 3371f518-5fe3-4cf6-a14b-2a0ae3fd8a4f
+description: Detects usage of Sysinternals PsService for service reconnaissance or tamper
+status: experimental
+references:
+    - https://docs.microsoft.com/en-us/sysinternals/downloads/psservice
+author: Nasreddine Bencherchali
+date: 2022/06/16
+tags:
+    - attack.discovery
+    - attack.persistence
+    - attack.t1543.003
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        - OriginalFileName: 'psservice.exe'
+        - Image|endswith:
+          - '\PsService.exe'
+          - '\PsService64.exe'
+    condition: selection
+falsepositives:
+    - Legitimate use of PsService by an administrator
+level: medium