From 2acebc90f233695fe8da9e1fb4b9230261a5f968 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 12 Feb 2024 12:29:36 +0100
Subject: [PATCH] Merge PR #4702 from @nasbench - Rule tuning and updates

fix: Dllhost.EXE Initiated Network Connection To Non-Local IP Address - Add additional filter
fix: Outbound RDP Connections Over Non-Standard Tools - Update filters
fix: Rundll32 Execution With Uncommon DLL Extension - Error in filter logic
remove: Suspicious Non-Browser Network Communication With Reddit API
update: BITS Transfer Job Download From File Sharing Domains - Add additional domains
update: Dfsvc.EXE Initiated Network Connection Over Uncommon Port - Update image and list of ports
update: HH.EXE Initiated HTTP Network Connection - Update list of ports
update: Microsoft Binary Suspicious Communication Endpoint - Enhance list of paths and filters
update: Msiexec.EXE Initiated Network Connection Over HTTP - Update destination ports
update: Network Connection Initiated To Mega.nz - Update domains
update: Office Application Initiated Network Connection Over Uncommon Ports - Update list of ports
update: Office Application Initiated Network Connection To Non-Local IP - Update list of filters
update: Potential Dead Drop Resolvers - Update domains and filters
update: Remote CHM File Download/Execution Via HH.EXE - Enhance logic
update: Suspicious Download From File-Sharing Website Via Bitsadmin - Add additional domains
update: Suspicious File Download From File Sharing Domain Via Curl.EXE - Add additional domains
update: Suspicious File Download From File Sharing Websites - Add additional domains
update: Suspicious File Downloaded From File-Sharing Website Via Certutil.EXE - Add additional domains
update: Suspicious Remote AppX Package Locations - Add additional domains
update: Unusual File Download From File Sharing Websites - Add additional domains
---
 ...tion_win_reddit_api_non_browser_access.yml | 4 +-
 ...net_connection_win_dfsvc_non_local_ip.yml} | 0
...et_connection_win_dfsvc_uncommon_ports.yml | 15 ++-- .../net_connection_win_hh_http_connection.yml | 10 +-- ...tion_win_powershell_network_connection.yml | 8 +- .../proc_creation_win_net_execution.yml | 20 ++--- ...win_appxdeployment_server_susp_domains.yml | 5 +- ..._new_transfer_via_file_sharing_domains.yml | 6 +- ...haring_domains_download_susp_extension.yml | 6 +- ...ing_domains_download_unusual_extension.yml | 6 +- .../net_connection_win_addinutil.yml | 4 +- ...tion_win_certutil_initiated_connection.yml | 2 +- ...t_connection_win_dllhost_non_local_ip.yml} | 21 ++--- .../net_connection_win_domain_mega_nz.yml | 28 +++++++ ...ml => net_connection_win_domain_ngrok.yml} | 13 +++- ...et_connection_win_domain_ngrok_tunnel.yml} | 13 +++- .../net_connection_win_eqnedt.yml | 2 +- ..._win_excel_outbound_network_connection.yml | 49 ------------ .../net_connection_win_imewdbld.yml | 3 +- .../net_connection_win_mega_nz.yml | 24 ------ ...ml => net_connection_win_msiexec_http.yml} | 14 ++-- .../net_connection_win_notepad.yml | 30 +++++++ ...nection_win_notepad_network_connection.yml | 27 ------- ...ction_win_office_outbound_non_local_ip.yml | 78 +++++++++++++++++++ ...t_connection_win_office_uncommon_ports.yml | 43 ++++++++++ .../net_connection_win_python.yml | 3 +- ...n_rdp_outbound_over_non_standard_tools.yml | 20 ++--- .../net_connection_win_rdp_reverse_tunnel.yml | 8 +- ...nnection_win_regsvr32_network_activity.yml | 2 +- ...nnection_win_susp_crypto_mining_pools.yml} | 0 ...nnection_win_susp_dead_drop_resolvers.yml} | 49 +++++++++--- ...nection_win_susp_devtunnel_connection.yml} | 0 ...usp_file_sharing_domains_susp_folders.yml} | 25 +++--- ...in_susp_google_api_non_browser_access.yml} | 8 +- ...on_win_susp_remote_powershell_session.yml} | 25 +++--- ...connection_win_wordpad_uncommon_ports.yml} | 17 ++-- ...itsadmin_download_file_sharing_domains.yml | 6 +- ...certutil_download_file_sharing_domains.yml | 6 +- ...url_download_susp_file_sharing_domains.yml | 5 +- 
...in_hh_chm_remote_download_or_execution.yml | 7 +- ...net_use_network_connections_discovery.yml} | 0 .../proc_creation_win_net_user_add.yml | 4 - ...et_user_default_accounts_manipulation.yml} | 0 ..._win_net_view_share_and_sessions_enum.yml} | 0 ...owershell_base64_encoded_cmd_patterns.yml} | 0 ..._win_powershell_base64_encoded_obfusc.yml} | 0 ...ion_win_powershell_base64_hidden_flag.yml} | 0 ...on_win_powershell_remove_mppreference.yml} | 0 ...on_win_rundll32_uncommon_dll_extension.yml | 35 +++++---- ...get_download_susp_file_sharing_domains.yml | 6 +- ...et_bypass_uac_using_silentcleanup_task.yml | 15 ++-- ...egistry_set_terminal_server_suspicious.yml | 2 +- ...registry_set_terminal_server_tampering.yml | 2 +- 53 files changed, 431 insertions(+), 245 deletions(-) rename {rules/windows/network_connection => deprecated/windows}/net_connection_win_reddit_api_non_browser_access.yml (96%) rename rules-threat-hunting/windows/network_connection/{net_connection_win_dfsvc_suspicious_ip.yml => net_connection_win_dfsvc_non_local_ip.yml} (100%) rename {rules => rules-threat-hunting}/windows/network_connection/net_connection_win_dfsvc_uncommon_ports.yml (52%) rename rules/windows/network_connection/net_connection_win_hh.yml => rules-threat-hunting/windows/network_connection/net_connection_win_hh_http_connection.yml (60%) rename {rules => rules-threat-hunting}/windows/network_connection/net_connection_win_powershell_network_connection.yml (84%) mode change 100755 => 100644 rename rules/windows/process_creation/proc_creation_win_net_susp_execution.yml => rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml (82%) rename rules/windows/network_connection/{net_connection_win_dllhost_net_connections.yml => net_connection_win_dllhost_non_local_ip.yml} (76%) create mode 100644 rules/windows/network_connection/net_connection_win_domain_mega_nz.yml rename rules/windows/network_connection/{net_connection_win_ngrok_domains.yml => 
net_connection_win_domain_ngrok.yml} (59%) rename rules/windows/network_connection/{net_connection_win_ngrok_tunnel.yml => net_connection_win_domain_ngrok_tunnel.yml} (61%) delete mode 100644 rules/windows/network_connection/net_connection_win_excel_outbound_network_connection.yml delete mode 100644 rules/windows/network_connection/net_connection_win_mega_nz.yml rename rules/windows/network_connection/{net_connection_win_msiexec.yml => net_connection_win_msiexec_http.yml} (53%) create mode 100644 rules/windows/network_connection/net_connection_win_notepad.yml delete mode 100755 rules/windows/network_connection/net_connection_win_notepad_network_connection.yml create mode 100644 rules/windows/network_connection/net_connection_win_office_outbound_non_local_ip.yml create mode 100644 rules/windows/network_connection/net_connection_win_office_uncommon_ports.yml rename rules/windows/network_connection/{net_connection_win_crypto_mining_pools.yml => net_connection_win_susp_crypto_mining_pools.yml} (100%) rename rules/windows/network_connection/{net_connection_win_dead_drop_resolvers.yml => net_connection_win_susp_dead_drop_resolvers.yml} (79%) rename rules/windows/network_connection/{net_connection_win_devtunnel_connection.yml => net_connection_win_susp_devtunnel_connection.yml} (100%) rename rules/windows/network_connection/{net_connection_win_binary_susp_com.yml => net_connection_win_susp_file_sharing_domains_susp_folders.yml} (71%) mode change 100755 => 100644 rename rules/windows/network_connection/{net_connection_win_google_api_non_browser_access.yml => net_connection_win_susp_google_api_non_browser_access.yml} (91%) rename rules/windows/network_connection/{net_connection_win_remote_powershell_session_network.yml => net_connection_win_susp_remote_powershell_session.yml} (65%) mode change 100755 => 100644 rename rules/windows/network_connection/{net_connection_win_office_susp_ports.yml => net_connection_win_wordpad_uncommon_ports.yml} (65%) rename 
rules/windows/process_creation/{proc_creation_win_net_network_connections_discovery.yml => proc_creation_win_net_use_network_connections_discovery.yml} (100%) rename rules/windows/process_creation/{proc_creation_win_net_default_accounts_manipulation.yml => proc_creation_win_net_user_default_accounts_manipulation.yml} (100%) rename rules/windows/process_creation/{proc_creation_win_net_share_and_sessions_enum.yml => proc_creation_win_net_view_share_and_sessions_enum.yml} (100%) rename rules/windows/process_creation/{proc_creation_win_powershell_encoded_cmd_patterns.yml => proc_creation_win_powershell_base64_encoded_cmd_patterns.yml} (100%) rename rules/windows/process_creation/{proc_creation_win_powershell_encoded_obfusc.yml => proc_creation_win_powershell_base64_encoded_obfusc.yml} (100%) rename rules/windows/process_creation/{proc_creation_win_powershell_hidden_b64_cmd.yml => proc_creation_win_powershell_base64_hidden_flag.yml} (100%) rename rules/windows/process_creation/{proc_creation_win_powershell_tamper_defender_remove_mppreference.yml => proc_creation_win_powershell_remove_mppreference.yml} (100%) diff --git a/rules/windows/network_connection/net_connection_win_reddit_api_non_browser_access.yml b/deprecated/windows/net_connection_win_reddit_api_non_browser_access.yml similarity index 96% rename from rules/windows/network_connection/net_connection_win_reddit_api_non_browser_access.yml rename to deprecated/windows/net_connection_win_reddit_api_non_browser_access.yml index 14fe0fb50..49b45eb45 100644 --- a/rules/windows/network_connection/net_connection_win_reddit_api_non_browser_access.yml +++ b/deprecated/windows/net_connection_win_reddit_api_non_browser_access.yml 
@@ -1,6 +1,6 @@ title: Suspicious Non-Browser Network Communication With Reddit API id: d7b09985-95a3-44be-8450-b6eadf49833e -status: experimental +status: deprecated # In favour of 297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7 description: Detects an a non-browser process interacting with the Reddit API which could indicate use of a covert C2 such as RedditC2 references: - https://github.com/kleiton0x00/RedditC2 @@ -8,7 +8,7 @@ references: - https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al author: Gavin Knapp date: 2023/02/16 -modified: 2023/04/18 +modified: 2024/02/02 tags: - attack.command_and_control - attack.t1102 diff --git a/rules-threat-hunting/windows/network_connection/net_connection_win_dfsvc_suspicious_ip.yml b/rules-threat-hunting/windows/network_connection/net_connection_win_dfsvc_non_local_ip.yml similarity index 100% rename from rules-threat-hunting/windows/network_connection/net_connection_win_dfsvc_suspicious_ip.yml rename to rules-threat-hunting/windows/network_connection/net_connection_win_dfsvc_non_local_ip.yml diff --git a/rules/windows/network_connection/net_connection_win_dfsvc_uncommon_ports.yml b/rules-threat-hunting/windows/network_connection/net_connection_win_dfsvc_uncommon_ports.yml similarity index 52% rename from rules/windows/network_connection/net_connection_win_dfsvc_uncommon_ports.yml rename to rules-threat-hunting/windows/network_connection/net_connection_win_dfsvc_uncommon_ports.yml index 29f02674e..f1c77fe1e 100644 --- a/rules/windows/network_connection/net_connection_win_dfsvc_uncommon_ports.yml +++ b/rules-threat-hunting/windows/network_connection/net_connection_win_dfsvc_uncommon_ports.yml 
@@ -1,11 +1,12 @@ -title: Dfsvc.EXE Network Connection To Uncommon Ports +title: Dfsvc.EXE Initiated Network Connection Over Uncommon Port id: 4c5fba4a-9ef6-4f16-823d-606246054741 status: experimental -description: Detects network connections from "dfsvc.exe" used to handled ClickOnce applications to uncommon ports +description: Detects an initiated network connection over uncommon ports from "dfsvc.exe". A utility used to handled ClickOnce applications. references: - https://posts.specterops.io/less-smartscreen-more-caffeine-ab-using-clickonce-for-trusted-code-execution-1446ea8051c5 author: Nasreddine Bencherchali (Nextron Systems) date: 2023/06/12 +modified: 2024/01/31 tags: - attack.execution - attack.t1203 @@ -14,14 +15,18 @@ logsource: product: windows detection: selection: + Image|contains: ':\Windows\Microsoft.NET\' Image|endswith: '\dfsvc.exe' Initiated: 'true' filter_main_known_ports: DestinationPort: - 80 - 443 - - 445 - condition: selection and not 1 of filter_main_* + filter_optional_dns_ipv6: + # Based on VT. More than 140 binaries made communication over DNS + DestinationIsIpv6: 'true' + DestinationPort: 53 + condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* falsepositives: - Unknown -level: medium +level: high diff --git a/rules/windows/network_connection/net_connection_win_hh.yml b/rules-threat-hunting/windows/network_connection/net_connection_win_hh_http_connection.yml similarity index 60% rename from rules/windows/network_connection/net_connection_win_hh.yml rename to rules-threat-hunting/windows/network_connection/net_connection_win_hh_http_connection.yml index 8ffdad5a3..0f7387bf5 100644 --- a/rules/windows/network_connection/net_connection_win_hh.yml +++ b/rules-threat-hunting/windows/network_connection/net_connection_win_hh_http_connection.yml 
@@ -1,10 +1,11 @@ -title: HH.EXE Network Connections +title: HH.EXE Initiated HTTP Network Connection id: 468a8cea-2920-4909-a593-0cbe1d96674a related: - id: f57c58b3-ee69-4ef5-9041-455bf39aaa89 type: derived status: test -description: Detects network connections made by the "hh.exe" process, which could indicate the execution/download of remotely hosted .chm files +description: | + Detects a network connection initiated by the "hh.exe" process to HTTP destination ports, which could indicate the execution/download of remotely hosted .chm files. references: - https://www.splunk.com/en_us/blog/security/follina-for-protocol-handlers.html - https://github.com/redcanaryco/atomic-red-team/blob/1cf4dd51f83dcb0ebe6ade902d6157ad2dbc6ac8/atomics/T1218.001/T1218.001.md @@ -13,6 +14,7 @@ date: 2022/10/05 tags: - attack.defense_evasion - attack.t1218.001 + - detection.threat_hunting logsource: category: network_connection product: windows @@ -23,9 +25,7 @@ detection: DestinationPort: - 80 - 443 - - 135 - - 445 condition: selection falsepositives: - - Unknown + - False positive is expected from launching "hh.exe" for the first time on a machine in a while or simply from help files containing reference to external sources. Best correlate this with process creation and file events. level: medium diff --git a/rules/windows/network_connection/net_connection_win_powershell_network_connection.yml b/rules-threat-hunting/windows/network_connection/net_connection_win_powershell_network_connection.yml old mode 100755 new mode 100644 similarity index 84% rename from rules/windows/network_connection/net_connection_win_powershell_network_connection.yml rename to rules-threat-hunting/windows/network_connection/net_connection_win_powershell_network_connection.yml index 878ab20cd..45e54eafc --- a/rules/windows/network_connection/net_connection_win_powershell_network_connection.yml +++ b/rules-threat-hunting/windows/network_connection/net_connection_win_powershell_network_connection.yml 
@@ -1,7 +1,10 @@ -title: PowerShell Initiated Network Connection +title: Network Connection Initiated By PowerShell Process id: 1f21ec3f-810d-4b0e-8045-322202e22b4b status: experimental -description: Detects a PowerShell process that initiates network connections. Check for suspicious target ports and target systems. +description: | + Detects a network connection that was initiated from a PowerShell process. + Often times malicious powershell scripts download additional payloads or communicate back to command and control channels via uncommon ports or IPs. + Use this rule as a basis for hunting for anomalies. references: - https://www.youtube.com/watch?v=DLtJTxMWZ2o author: Florian Roth (Nextron Systems) @@ -10,6 +13,7 @@ modified: 2023/09/07 tags: - attack.execution - attack.t1059.001 + - detection.threat_hunting logsource: category: network_connection product: windows diff --git a/rules/windows/process_creation/proc_creation_win_net_susp_execution.yml b/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml similarity index 82% rename from rules/windows/process_creation/proc_creation_win_net_susp_execution.yml rename to rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml index 02df7717e..c365ccaea 100644 --- a/rules/windows/process_creation/proc_creation_win_net_susp_execution.yml +++ b/rules-threat-hunting/windows/process_creation/proc_creation_win_net_execution.yml @@ -1,7 +1,7 @@ -title: Net.exe Execution +title: Net.EXE Execution id: 183e7ea8-ac4b-4c23-9aec-b3dac4e401ac status: test -description: Detects execution of Net.exe, whether suspicious or benign. +description: Detects execution of "Net.EXE". references: - https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/ - https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html 
@@ -25,6 +25,7 @@ tags: - attack.lateral_movement - attack.t1021.002 - attack.s0039 + - detection.threat_hunting logsource: category: process_creation product: windows @@ -38,20 +39,15 @@ detection: - 'net1.exe' selection_cli: CommandLine|contains: + - ' accounts' - ' group' - ' localgroup' + - ' share' + - ' start' + - ' stop ' - ' user' - ' view' - - ' share' - - ' accounts' - - ' stop ' - - ' start' condition: all of selection_* -fields: - - ComputerName - - User - - CommandLine - - ParentCommandLine falsepositives: - - Will need to be tuned. If using Splunk, I recommend | stats count by Computer,CommandLine following the search for easy hunting by computer/CommandLine. + - Likely level: low diff --git a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml index c0c2e1b1e..34f841c40 100644 --- a/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml +++ b/rules/windows/builtin/appxdeployment_server/win_appxdeployment_server_susp_domains.yml @@ -9,7 +9,7 @@ references: - https://news.sophos.com/en-us/2021/11/11/bazarloader-call-me-back-attack-abuses-windows-10-apps-mechanism/ author: Nasreddine Bencherchali (Nextron Systems) date: 2023/01/11 -modified: 2023/08/17 +modified: 2024/02/09 tags: - attack.defense_evasion logsource: @@ -26,10 +26,12 @@ detection: - 'ddns.net' - 'dl.dropboxusercontent.com' - 'ghostbin.co' + - 'glitch.me' - 'gofile.io' - 'hastebin.com' - 'mediafire.com' - 'mega.nz' + - 'onrender.com' - 'paste.ee' - 'pastebin.com' - 'pastebin.pl' @@ -40,6 +42,7 @@ detection: - 'sendspace.com' - 'storage.googleapis.com' - 'storjshare.io' + - 'supabase.co' - 'temp.sh' - 'transfer.sh' - 'ufile.io' 
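Review bot: 'glitch.me', 'onrender.com' and 'supabase.co' are general application-hosting platforms rather than file-sharing sites, so they will produce more benign matches than entries such as 'transfer.sh' or 'gofile.io'; the bits_client and create_stream_hash hunks add the Mint Sandstorm blog post as justification, but this appxdeployment_server hunk adds the same three domains with only a `modified:` bump and no reference. The same list is now copied by hand into at least four rules in this patch (and, per the commit message, the bitsadmin, certutil, curl and wget rules); a comment stating that these lists must be kept in sync would reduce drift.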
diff --git a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml index c13e5ade7..7291d4f85 100644 --- a/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml +++ b/rules/windows/builtin/bits_client/win_bits_client_new_transfer_via_file_sharing_domains.yml @@ -6,9 +6,10 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1197/T1197.md - https://twitter.com/malmoeb/status/1535142803075960832 - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker + - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/ author: Florian Roth (Nextron Systems) date: 2022/06/28 -modified: 2023/08/17 +modified: 2024/02/09 tags: - attack.defense_evasion - attack.persistence @@ -27,10 +28,12 @@ detection: - 'ddns.net' - 'dl.dropboxusercontent.com' - 'ghostbin.co' + - 'glitch.me' - 'gofile.io' - 'hastebin.com' - 'mediafire.com' - 'mega.nz' + - 'onrender.com' - 'paste.ee' - 'pastebin.com' - 'pastebin.pl' @@ -41,6 +44,7 @@ detection: - 'sendspace.com' - 'storage.googleapis.com' - 'storjshare.io' + - 'supabase.co' - 'temp.sh' - 'transfer.sh' - 'ufile.io' diff --git a/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml b/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml index 9ae751186..a48002d98 100644 --- a/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml +++ b/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml 
@@ -9,9 +9,10 @@ references: - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015 - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a - https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/ + - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/ author: Florian Roth (Nextron Systems) date: 2022/08/24 -modified: 2023/08/17 +modified: 2024/02/09 tags: - attack.defense_evasion - attack.s0139 @@ -29,10 +30,12 @@ detection: - 'ddns.net' - 'dl.dropboxusercontent.com' - 'ghostbin.co' + - 'glitch.me' - 'gofile.io' - 'hastebin.com' - 'mediafire.com' - 'mega.nz' + - 'onrender.com' - 'paste.ee' - 'pastebin.com' - 'pastebin.pl' @@ -43,6 +46,7 @@ detection: - 'sendspace.com' - 'storage.googleapis.com' - 'storjshare.io' + - 'supabase.co' - 'temp.sh' - 'transfer.sh' - 'ufile.io' diff --git a/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml b/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml index 7e7f9a16c..3157d7de2 100644 --- a/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml +++ b/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml 
@@ -8,9 +8,10 @@ description: Detects the download of suspicious file type from a well-known file references: - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015 - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a + - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/ author: Florian Roth (Nextron Systems) date: 2022/08/24 -modified: 2023/08/17 +modified: 2024/02/09 tags: - attack.defense_evasion - attack.s0139 @@ -28,10 +29,12 @@ detection: - 'ddns.net' - 'dl.dropboxusercontent.com' - 'ghostbin.co' + - 'glitch.me' - 'gofile.io' - 'hastebin.com' - 'mediafire.com' - 'mega.nz' + - 'onrender.com' - 'paste.ee' - 'pastebin.com' - 'pastebin.pl' @@ -42,6 +45,7 @@ detection: - 'sendspace.com' - 'storage.googleapis.com' - 'storjshare.io' + - 'supabase.co' - 'temp.sh' - 'transfer.sh' - 'ufile.io' diff --git a/rules/windows/network_connection/net_connection_win_addinutil.yml b/rules/windows/network_connection/net_connection_win_addinutil.yml index a2ab3099e..dc83002d9 100644 --- a/rules/windows/network_connection/net_connection_win_addinutil.yml +++ b/rules/windows/network_connection/net_connection_win_addinutil.yml @@ -1,7 +1,9 @@ title: Network Connection Initiated By AddinUtil.EXE id: 5205613d-2a63-4412-a895-3a2458b587b3 status: experimental -description: Detects network connections made by the Add-In deployment cache updating utility (AddInutil.exe), which could indicate command and control communication. +description: | + Detects a network connection initiated by the Add-In deployment cache updating utility "AddInutil.exe". + This could indicate a potential command and control communication as this tool doesn't usually initiate network activity. references: - https://www.blue-prints.blog/content/blog/posts/lolbin/addinutil-lolbas.html author: Michael McKinley (@McKinleyMike), Tony Latteri (@TheLatteri) 
diff --git a/rules/windows/network_connection/net_connection_win_certutil_initiated_connection.yml b/rules/windows/network_connection/net_connection_win_certutil_initiated_connection.yml index a74070e48..90c3d4288 100644 --- a/rules/windows/network_connection/net_connection_win_certutil_initiated_connection.yml +++ b/rules/windows/network_connection/net_connection_win_certutil_initiated_connection.yml @@ -2,7 +2,7 @@ title: Connection Initiated Via Certutil.EXE id: 0dba975d-a193-4ed1-a067-424df57570d1 status: test description: | - Detects a network connection initiated by the certutil.exe tool. + Detects a network connection initiated by the certutil.exe utility. Attackers can abuse the utility in order to download malware or additional payloads. references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil diff --git a/rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml b/rules/windows/network_connection/net_connection_win_dllhost_non_local_ip.yml similarity index 76% rename from rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml rename to rules/windows/network_connection/net_connection_win_dllhost_non_local_ip.yml index 29bc5b10f..5604899e8 100644 --- a/rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml +++ b/rules/windows/network_connection/net_connection_win_dllhost_non_local_ip.yml 
@@ -1,13 +1,16 @@ -title: Dllhost Internet Connection +title: Dllhost.EXE Initiated Network Connection To Non-Local IP Address id: cfed2f44-16df-4bf3-833a-79405198b277 status: test -description: Detects Dllhost that communicates with public IP addresses +description: | + Detects dllhost initiating a network connection to a non-local IP address. + Aside from Microsoft own IP range that needs to be excluded. Network communication from Dllhost will depend entirely on the hosted DLL. + An initial baseline is recommended before deployment. references: - https://redcanary.com/blog/child-processes/ - https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08 author: bartblaze date: 2020/07/13 -modified: 2023/01/20 +modified: 2024/01/31 tags: - attack.defense_evasion - attack.t1218 @@ -20,7 +23,7 @@ detection: selection: Image|endswith: '\dllhost.exe' Initiated: 'true' - filter_ipv4: + filter_main_ipv4: DestinationIp|startswith: - '10.' - '192.168.' @@ -42,16 +45,15 @@ detection: - '172.31.' - '169.254.' # link-local address - '127.' # loopback address - filter_ipv6: + filter_main_ipv6: DestinationIp|startswith: - '::1' # IPv6 loopback variant - '0:0:0:0:0:0:0:1' # IPv6 loopback variant - 'fe80:' # link-local address - 'fc' # private address range fc00::/7 - 'fd' # private address range fc00::/7 - filter_msrange: + filter_main_msrange: DestinationIp|startswith: - # Subnet: 20.184.0.0/13 - '20.184.' - '20.185.' - '20.186.' @@ -60,14 +62,15 @@ detection: - '20.189.' - '20.190.' - '20.191.' + - '20.223.' - '23.79.' - '51.10.' - # Subnet: 51.103.210.0/23 - '51.103.' - '51.104.' - '51.105.' - '52.239.' - condition: selection and not 1 of filter_* + - '204.79.197' + condition: selection and not 1 of filter_main_* falsepositives: - Communication to other corporate systems that use IP addresses from public address spaces level: medium 
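Review bot: the second line of the new dllhost description is a fragment: 'Aside from Microsoft own IP range that needs to be excluded. Network communication from Dllhost will depend entirely on the hosted DLL.' Suggest 'Aside from Microsoft's own IP ranges, which are excluded below, network communication from dllhost.exe depends entirely on the hosted DLL.'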
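Review bot: in the `filter_main_msrange` hunk the new entry '204.79.197' lacks the trailing dot every other prefix has, and the two `# Subnet:` comments are removed instead of corrected. `startswith: '51.103.'` actually covers 51.103.0.0/16, not the 51.103.210.0/23 the old comment claimed, while '20.184.' through '20.191.' do match 20.184.0.0/13 as the old comment said; keep accurate subnet comments so the Microsoft exclusions can be audited, and note that each `startswith` entry such as '20.223.' excludes an entire /16.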
diff --git a/rules/windows/network_connection/net_connection_win_domain_mega_nz.yml b/rules/windows/network_connection/net_connection_win_domain_mega_nz.yml new file mode 100644 index 000000000..fc9711e7b --- /dev/null +++ b/rules/windows/network_connection/net_connection_win_domain_mega_nz.yml @@ -0,0 +1,28 @@ +title: Network Connection Initiated To Mega.nz +id: fdeebdf0-9f3f-4d08-84a6-4c4d13e39fe4 +status: test +description: | + Detects a network connection initiated by a binary to "api.mega.co.nz". + Attackers were seen abusing file sharing websites similar to "mega.nz" in order to upload/download additional payloads. +references: + - https://megatools.megous.com/ + - https://www.mandiant.com/resources/russian-targeting-gov-business +author: Florian Roth (Nextron Systems) +date: 2021/12/06 +modified: 2024/02/01 +tags: + - attack.exfiltration + - attack.t1567.001 +logsource: + category: network_connection + product: windows +detection: + selection: + Initiated: 'true' + DestinationHostname|endswith: + - 'mega.co.nz' + - 'mega.nz' + condition: selection +falsepositives: + - Legitimate MEGA installers and utilities are expected to communicate with this domain. Exclude hosts that are known to be allowed to use this tool. +level: medium diff --git a/rules/windows/network_connection/net_connection_win_ngrok_domains.yml b/rules/windows/network_connection/net_connection_win_domain_ngrok.yml similarity index 59% rename from rules/windows/network_connection/net_connection_win_ngrok_domains.yml rename to rules/windows/network_connection/net_connection_win_domain_ngrok.yml index a6098d9fc..4f7be14ae 100644 --- a/rules/windows/network_connection/net_connection_win_ngrok_domains.yml +++ b/rules/windows/network_connection/net_connection_win_domain_ngrok.yml 
@@ -1,7 +1,13 @@ -title: Communication To Ngrok Domains +title: Process Initiated Network Connection To Ngrok Domain id: 18249279-932f-45e2-b37a-8925f2597670 +related: + - id: 1d08ac94-400d-4469-a82f-daee9a908849 + type: similar status: test -description: Detects an executable accessing ngrok domains, which could be a sign of forbidden data exfiltration by malicious actors +description: | + Detects an executable initiating a network connection to "ngrok" domains. + Attackers were seen using this "ngrok" in order to store their second stage payloads and malware. + While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download. references: - https://ngrok.com/ - https://ngrok.com/blog-post/new-ngrok-domains @@ -27,5 +33,6 @@ detection: - '.ngrok.io' condition: selection falsepositives: - - Legitimate use of ngrok domains + - Legitimate use of the ngrok service. +# Note: The level of this rule is related to your internal policy. level: high diff --git a/rules/windows/network_connection/net_connection_win_ngrok_tunnel.yml b/rules/windows/network_connection/net_connection_win_domain_ngrok_tunnel.yml similarity index 61% rename from rules/windows/network_connection/net_connection_win_ngrok_tunnel.yml rename to rules/windows/network_connection/net_connection_win_domain_ngrok_tunnel.yml index c93dc58d6..cf0a21dc4 100644 --- a/rules/windows/network_connection/net_connection_win_ngrok_tunnel.yml +++ b/rules/windows/network_connection/net_connection_win_domain_ngrok_tunnel.yml 
@@ -1,12 +1,19 @@ -title: Communication To Ngrok Tunneling Service +title: Communication To Ngrok Tunneling Service Initiated id: 1d08ac94-400d-4469-a82f-daee9a908849 +related: + - id: 18249279-932f-45e2-b37a-8925f2597670 + type: similar status: test -description: Detects an executable accessing an ngrok tunneling endpoint, which could be a sign of forbidden exfiltration of data exfiltration by malicious actors +description: | + Detects an executable initiating a network connection to "ngrok" tunneling domains. + Attackers were seen using this "ngrok" in order to store their second stage payloads and malware. + While communication with such domains can be legitimate, often times is a sign of either data exfiltration by malicious actors or additional download. references: - https://twitter.com/hakluke/status/1587733971814977537/photo/1 - https://ngrok.com/docs/secure-tunnels/tunnels/ssh-reverse-tunnel-agent author: Florian Roth (Nextron Systems) date: 2022/11/03 +modified: 2024/02/02 tags: - attack.exfiltration - attack.command_and_control @@ -31,5 +38,5 @@ detection: - 'tunnel.in.ngrok.com' condition: selection falsepositives: - - Legitimate use of ngrok + - Legitimate use of the ngrok service. level: high diff --git a/rules/windows/network_connection/net_connection_win_eqnedt.yml b/rules/windows/network_connection/net_connection_win_eqnedt.yml index 4123aede3..cbb2f9c99 100755 --- a/rules/windows/network_connection/net_connection_win_eqnedt.yml +++ b/rules/windows/network_connection/net_connection_win_eqnedt.yml @@ -18,5 +18,5 @@ detection: Image|endswith: '\eqnedt32.exe' condition: selection falsepositives: - - Unknown + - Unlikely level: high diff --git a/rules/windows/network_connection/net_connection_win_excel_outbound_network_connection.yml b/rules/windows/network_connection/net_connection_win_excel_outbound_network_connection.yml deleted file mode 100644 index a12b1f02a..000000000 
--- a/rules/windows/network_connection/net_connection_win_excel_outbound_network_connection.yml +++ /dev/null @@ -1,49 +0,0 @@ -title: Excel Network Connections -id: 75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84 -status: test -description: | - Detects an Excel process that opens suspicious network connections to non-private IP addresses, and attempts to cover CVE-2021-42292. - You will likely have to tune this rule for your organization, but it is certainly something you should look for and could have applications for malicious activity beyond CVE-2021-42292. -references: - - https://corelight.com/blog/detecting-cve-2021-42292 -author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth '@Neo23x0", Tim Shelton -date: 2021/11/10 -modified: 2022/06/27 -tags: - - attack.execution - - attack.t1203 -logsource: - category: network_connection - product: windows -detection: - selection: - Image|endswith: '\excel.exe' - Initiated: 'true' - DestinationIsIpv6: 'false' - filter: - DestinationIp|startswith: - - '10.' - - '192.168.' - - '172.16.' - - '172.17.' - - '172.18.' - - '172.19.' - - '172.20.' - - '172.21.' - - '172.22.' - - '172.23.' - - '172.24.' - - '172.25.' - - '172.26.' - - '172.27.' - - '172.28.' - - '172.29.' - - '172.30.' - - '172.31.' - - '127.0.0.1' - condition: selection and not filter -falsepositives: - - You may have to tune certain domains out that Excel may call out to, such as microsoft or other business use case domains. - - Office documents commonly have templates that refer to external addresses, like sharepoint.ourcompany.com may have to be tuned. - - It is highly recommended to baseline your activity and tune out common business use cases. -level: medium diff --git a/rules/windows/network_connection/net_connection_win_imewdbld.yml b/rules/windows/network_connection/net_connection_win_imewdbld.yml index d100266d3..9fd366966 100644 --- a/rules/windows/network_connection/net_connection_win_imewdbld.yml 
+++ b/rules/windows/network_connection/net_connection_win_imewdbld.yml @@ -4,7 +4,8 @@ related: - id: 863218bd-c7d0-4c52-80cd-0a96c09f54af type: derived status: test -description: Detects network connections initiated by IMEWDBLD. This might indicate potential abuse to download arbitrary files via this utility +description: | + Detects a network connection initiated by IMEWDBLD.EXE. This might indicate potential abuse of the utility as a LOLBIN in order to download arbitrary files or additional payloads. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-10---windows---powershell-download - https://lolbas-project.github.io/lolbas/Binaries/IMEWDBLD/ diff --git a/rules/windows/network_connection/net_connection_win_mega_nz.yml b/rules/windows/network_connection/net_connection_win_mega_nz.yml deleted file mode 100644 index 83c9e88e0..000000000 --- a/rules/windows/network_connection/net_connection_win_mega_nz.yml +++ /dev/null @@ -1,24 +0,0 @@ -title: Communication To Mega.nz -id: fdeebdf0-9f3f-4d08-84a6-4c4d13e39fe4 -status: test -description: Detects an executable accessing mega.co.nz, which could be a sign of forbidden file sharing use of data exfiltration by malicious actors -references: - - https://megatools.megous.com/ - - https://www.mandiant.com/resources/russian-targeting-gov-business -author: Florian Roth (Nextron Systems) -date: 2021/12/06 -modified: 2022/12/25 -tags: - - attack.exfiltration - - attack.t1567.001 -logsource: - category: network_connection - product: windows -detection: - selection: - Initiated: 'true' - DestinationHostname|endswith: 'api.mega.co.nz' - condition: selection -falsepositives: - - Legitimate use of mega.nz uploaders and tools -level: high 
diff --git a/rules/windows/network_connection/net_connection_win_msiexec.yml b/rules/windows/network_connection/net_connection_win_msiexec_http.yml similarity index 53% rename from rules/windows/network_connection/net_connection_win_msiexec.yml rename to rules/windows/network_connection/net_connection_win_msiexec_http.yml index 404fac4c2..db7f471c6 100644 --- a/rules/windows/network_connection/net_connection_win_msiexec.yml +++ b/rules/windows/network_connection/net_connection_win_msiexec_http.yml @@ -1,14 +1,15 @@ -title: Msiexec Initiated Connection +title: Msiexec.EXE Initiated Network Connection Over HTTP id: 8e5e38e4-5350-4c0b-895a-e872ce0dd54f status: test description: | - Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. - Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi) + Detects an initiated network connection by "Msiexec.exe" over port 80 or 443. + Adversaries might abuse "msiexec.exe" to install and execute remotely hosted packages. references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md author: frack113 date: 2022/01/16 +modified: 2024/02/01 tags: - attack.defense_evasion - attack.t1218.007 @@ -19,7 +20,10 @@ detection: selection: Initiated: 'true' Image|endswith: '\msiexec.exe' + DestinationPort: + - 80 + - 443 condition: selection falsepositives: - - Legitimate msiexec over networks -level: medium + - Some rare installers were seen communicating with external servers for additional information. While its a very rare occurrence in some environments an initial baseline might be required. +level: high 
diff --git a/rules/windows/network_connection/net_connection_win_notepad.yml b/rules/windows/network_connection/net_connection_win_notepad.yml new file mode 100644 index 000000000..e7c6138f7 --- /dev/null +++ b/rules/windows/network_connection/net_connection_win_notepad.yml @@ -0,0 +1,30 @@ +title: Network Connection Initiated Via Notepad.EXE +id: e81528db-fc02-45e8-8e98-4e84aba1f10b +status: test +description: | + Detects a network connection that is initiated by the "notepad.exe" process. + This might be a sign of process injection from a beacon process or something similar. + Notepad rarely initiates a network communication except when printing documents for example. +references: + - https://web.archive.org/web/20200219102749/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf + - https://www.cobaltstrike.com/blog/why-is-notepad-exe-connecting-to-the-internet +author: EagleEye Team +date: 2020/05/14 +modified: 2024/02/02 +tags: + - attack.command_and_control + - attack.execution + - attack.defense_evasion + - attack.t1055 +logsource: + category: network_connection + product: windows +detection: + selection: + Image|endswith: '\notepad.exe' + filter_optional_printing: + DestinationPort: 9100 + condition: selection and not 1 of filter_optional_* +falsepositives: + - Printing documents via notepad might cause communication with the printer via port 9100 or similar. +level: high diff --git a/rules/windows/network_connection/net_connection_win_notepad_network_connection.yml b/rules/windows/network_connection/net_connection_win_notepad_network_connection.yml deleted file mode 100755 index 3ab1760c8..000000000 --- a/rules/windows/network_connection/net_connection_win_notepad_network_connection.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -title: Notepad Making Network Connection -id: e81528db-fc02-45e8-8e98-4e84aba1f10b -status: test -description: Detects suspicious network connection by Notepad -references: - - https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492186586.pdf - - https://blog.cobaltstrike.com/2013/08/08/why-is-notepad-exe-connecting-to-the-internet/ -author: EagleEye Team -date: 2020/05/14 -modified: 2022/10/05 -tags: - - attack.command_and_control - - attack.execution - - attack.defense_evasion - - attack.t1055 -logsource: - category: network_connection - product: windows -detection: - selection: - Image|endswith: '\notepad.exe' - filter: - DestinationPort: 9100 - condition: selection and not filter -falsepositives: - - Unknown -level: high diff --git a/rules/windows/network_connection/net_connection_win_office_outbound_non_local_ip.yml b/rules/windows/network_connection/net_connection_win_office_outbound_non_local_ip.yml new file mode 100644 index 000000000..367366b15 --- /dev/null +++ b/rules/windows/network_connection/net_connection_win_office_outbound_non_local_ip.yml 
@@ -0,0 +1,78 @@ +title: Office Application Initiated Network Connection To Non-Local IP +id: 75e33ce3-ae32-4dcc-9aa8-a2a3029d6f84 +status: test +description: | + Detects an office application (Word, Excel, PowerPoint) that initiate a network connection to a non-private IP addresses. + This rule aims to detect traffic similar to one seen exploited in CVE-2021-42292. + This rule will require an initial baseline and tuning that is specific to your organization. +references: + - https://corelight.com/blog/detecting-cve-2021-42292 +author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io', Florian Roth (Nextron Systems), Tim Shelton +date: 2021/11/10 +modified: 2024/01/31 +tags: + - attack.execution + - attack.t1203 +logsource: + category: network_connection + product: windows +detection: + selection: + Image|endswith: + - '\excel.exe' + - '\powerpnt.exe' + - '\winword.exe' + - '\wordview.exe' + Initiated: 'true' + filter_main_ipv4: + DestinationIp|startswith: + - '10.' + - '192.168.' + - '172.16.' + - '172.17.' + - '172.18.' + - '172.19.' + - '172.20.' + - '172.21.' + - '172.22.' + - '172.23.' + - '172.24.' + - '172.25.' + - '172.26.' + - '172.27.' + - '172.28.' + - '172.29.' + - '172.30.' + - '172.31.' + - '127.0.0.1' + filter_main_ipv6: + DestinationIp|startswith: + - '::1' # IPv6 loopback variant + - '0:0:0:0:0:0:0:1' # IPv6 loopback variant + - 'fe80:' # link-local address + - 'fc' # private address range fc00::/7 + - 'fd' # private address range fc00::/7 + filter_main_msrange: + DestinationIp|startswith: + - '20.184.' + - '20.185.' + - '20.186.' + - '20.187.' + - '20.188.' + - '20.189.' + - '20.190.' + - '20.191.' + - '20.223.' + - '23.79.' + - '51.10.' + - '51.103.' + - '51.104.' + - '51.105.' + - '52.239.' + - '204.79.197' + condition: selection and not 1 of filter_main_* +falsepositives: + - You may have to tune certain domains out that Excel may call out to, such as microsoft or other business use case domains. 
+ - Office documents commonly have templates that refer to external addresses, like "sharepoint.ourcompany.com" may have to be tuned. + - It is highly recommended to baseline your activity and tune out common business use cases. +level: medium diff --git a/rules/windows/network_connection/net_connection_win_office_uncommon_ports.yml b/rules/windows/network_connection/net_connection_win_office_uncommon_ports.yml new file mode 100644 index 000000000..be5deb3f0 --- /dev/null +++ b/rules/windows/network_connection/net_connection_win_office_uncommon_ports.yml @@ -0,0 +1,43 @@ +title: Office Application Initiated Network Connection Over Uncommon Ports +id: 3b5ba899-9842-4bc2-acc2-12308498bf42 +status: experimental +description: Detects an office suit application (Word, Excel, PowerPoint, Outlook) communicating to target systems over uncommon ports. +references: + - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit +author: X__Junior (Nextron Systems) +date: 2023/07/12 +modified: 2024/01/31 +tags: + - attack.defense_evasion + - attack.command_and_control +logsource: + category: network_connection + product: windows +detection: + selection: + Initiated: 'true' + Image|endswith: + - '\excel.exe' + - '\outlook.exe' + - '\powerpnt.exe' + - '\winword.exe' + - '\wordview.exe' + filter_main_common_ports: + DestinationPort: + - 53 # DNS + - 80 # HTTP + - 139 # NETBIOS + - 443 # HTTPS + - 445 # SMB + filter_main_outlook_ports: + Image|contains: ':\Program Files\Microsoft Office\' + Image|endswith: '\OUTLOOK.EXE' + DestinationPort: + - 465 # SMTP + - 587 # SMTP + - 993 # IMAP + - 995 # POP3 + condition: selection and not 1 of filter_main_* +falsepositives: + - Other ports can be used, apply additional filters accordingly +level: medium diff --git a/rules/windows/network_connection/net_connection_win_python.yml b/rules/windows/network_connection/net_connection_win_python.yml index b05cf39a9..bd6f12678 100644 
--- a/rules/windows/network_connection/net_connection_win_python.yml +++ b/rules/windows/network_connection/net_connection_win_python.yml @@ -14,6 +14,7 @@ tags: logsource: category: network_connection product: windows + definition: 'Requirements: Field enrichment is required for the filters to work. As field such as CommandLine and ParentImage are not available by default on this event type' detection: selection: Initiated: 'true' @@ -36,5 +37,5 @@ detection: SourceIp: 127.0.0.1 condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* falsepositives: - - Legitimate python script + - Legitimate python scripts using the socket library or similar will trigger this. Apply additional filters and perform an initial baseline before deploying. level: medium diff --git a/rules/windows/network_connection/net_connection_win_rdp_outbound_over_non_standard_tools.yml b/rules/windows/network_connection/net_connection_win_rdp_outbound_over_non_standard_tools.yml index d213229ac..a8e98160b 100644 --- a/rules/windows/network_connection/net_connection_win_rdp_outbound_over_non_standard_tools.yml +++ b/rules/windows/network_connection/net_connection_win_rdp_outbound_over_non_standard_tools.yml @@ -1,7 +1,9 @@ title: Outbound RDP Connections Over Non-Standard Tools id: ed74fe75-7594-4b4b-ae38-e38e3fd2eb23 status: test -description: Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible lateral movement +description: | + Detects Non-Standard tools initiating a connection over port 3389 indicating possible lateral movement. + An initial baseline is required before using this utility to exclude third party RDP tooling that you might use. references: - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708 author: Markus Neis 
@@ -19,12 +21,12 @@ detection: DestinationPort: 3389 Initiated: 'true' filter_main_mstsc: - Image|endswith: - - ':\Windows\System32\mstsc.exe' - - ':\Windows\SysWOW64\mstsc.exe' + Image: + - 'C:\Windows\System32\mstsc.exe' + - 'C:\Windows\SysWOW64\mstsc.exe' filter_optional_dns: # https://github.com/SigmaHQ/sigma/pull/2249 - Image|endswith: ':\Windows\System32\dns.exe' + Image: 'C:\Windows\System32\dns.exe' SourcePort: 53 Protocol: 'udp' filter_optional_avast: @@ -34,7 +36,7 @@ detection: filter_optional_sysinternals_rdcman: Image|endswith: '\RDCMan.exe' filter_optional_chrome: - Image|endswith: ':\Program Files\Google\Chrome\Application\chrome.exe' + Image: 'C:\Program Files\Google\Chrome\Application\chrome.exe' filter_optional_third_party: Image|endswith: - '\FSAssessment.exe' @@ -63,9 +65,9 @@ detection: filter_optional_firefox: Image: 'C:\Program Files\Mozilla Firefox\firefox.exe' filter_optional_tsplus: # Some RAS - Image|endswith: - - ':\Program Files\TSplus\Java\bin\HTML5service.exe' - - ':\Program Files (x86)\TSplus\Java\bin\HTML5service.exe' + Image: + - 'C:\Program Files\TSplus\Java\bin\HTML5service.exe' + - 'C:\Program Files (x86)\TSplus\Java\bin\HTML5service.exe' filter_optional_null: Image: null filter_optional_empty: diff --git a/rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml b/rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml index d2e43c75c..1d5fe3a61 100755 --- a/rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml +++ b/rules/windows/network_connection/net_connection_win_rdp_reverse_tunnel.yml @@ -3,7 +3,7 @@ id: 5f699bc5-5446-4a4a-a0b7-5ef2885a3eb4 status: test description: Detects svchost hosting RDP termsvcs communicating with the loopback address and on TCP port 3389 references: - - https://twitter.com/SBousseaden/status/1096148422984384514 + - https://twitter.com/cyb3rops/status/1096842275437625346 author: Samir Bousseaden date: 2019/02/16 modified: 2022/10/09 
@@ -17,14 +17,14 @@ logsource: category: network_connection product: windows detection: - selection: + selection_img: Image|endswith: '\svchost.exe' Initiated: 'true' SourcePort: 3389 - selection2: + selection_destination: - DestinationIp|startswith: '127.' - DestinationIp: '::1' - condition: selection and selection2 + condition: all of selection_* falsepositives: - Unknown level: high diff --git a/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml b/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml index 15b084a10..1a4c8601e 100644 --- a/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml +++ b/rules/windows/network_connection/net_connection_win_regsvr32_network_activity.yml @@ -1,7 +1,7 @@ title: Network Connection Initiated By Regsvr32.EXE id: c7e91a02-d771-4a6d-a700-42587e0b1095 status: test -description: Detects network connections initiated by Regsvr32.exe +description: Detects a network connection initiated by "Regsvr32.exe" references: - https://pentestlab.blog/2017/05/11/applocker-bypass-regsvr32/ - https://oddvar.moe/2017/12/13/applocker-case-study-how-insecure-is-it-really-part-1/ diff --git a/rules/windows/network_connection/net_connection_win_crypto_mining_pools.yml b/rules/windows/network_connection/net_connection_win_susp_crypto_mining_pools.yml similarity index 100% rename from rules/windows/network_connection/net_connection_win_crypto_mining_pools.yml rename to rules/windows/network_connection/net_connection_win_susp_crypto_mining_pools.yml diff --git a/rules/windows/network_connection/net_connection_win_dead_drop_resolvers.yml b/rules/windows/network_connection/net_connection_win_susp_dead_drop_resolvers.yml similarity index 79% rename from rules/windows/network_connection/net_connection_win_dead_drop_resolvers.yml rename to rules/windows/network_connection/net_connection_win_susp_dead_drop_resolvers.yml index da647799f..1dbe3a634 100644 
--- a/rules/windows/network_connection/net_connection_win_dead_drop_resolvers.yml +++ b/rules/windows/network_connection/net_connection_win_susp_dead_drop_resolvers.yml @@ -1,11 +1,19 @@ title: Potential Dead Drop Resolvers id: 297ae038-edc2-4b2e-bb3e-7c5fc94dd5c7 +related: + - id: d7b09985-95a3-44be-8450-b6eadf49833e + type: obsoletes status: test -description: Detects an executable, which is not an internet browser, making DNS request to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks. +description: | + Detects an executable, which is not an internet browser or known application, initiating network connections to legit popular websites, which were seen to be used as dead drop resolvers in previous attacks. + In this context attackers leverage known websites such as "facebook", "youtube", etc. In order to pass through undetected. references: - https://content.fireeye.com/apt-41/rpt-apt41 - https://securelist.com/the-tetrade-brazilian-banking-malware/97779/ - https://blog.bushidotoken.net/2021/04/dead-drop-resolvers-espionage-inspired.html + - https://github.com/kleiton0x00/RedditC2 + - https://twitter.com/kleiton0x7e/status/1600567316810551296 + - https://www.linkedin.com/posts/kleiton-kurti_github-kleiton0x00redditc2-abusing-reddit-activity-7009939662462984192-5DbI/?originalSubdomain=al author: Sorina Ionescu, X__Junior (Nextron Systems) date: 2022/08/17 modified: 2024/02/06 @@ -41,6 +49,7 @@ detection: - 'imgur.com' - 'livejournal.com' - 'mediafire.com' + - 'mega.co.nz' - 'mega.nz' - 'onedrive.com' - 'paste.ee' 
@@ -97,8 +106,15 @@ detection: - '\msedge.exe' - '\msedgewebview2.exe' filter_main_safari: + Image|contains: + - 'C:\Program Files (x86)\Safari\' + - 'C:\Program Files\Safari\' Image|endswith: '\safari.exe' filter_main_defender: + Image|contains: + - 'C:\Program Files\Windows Defender Advanced Threat Protection\' + - 'C:\Program Files\Windows Defender\' + - 'C:\ProgramData\Microsoft\Windows Defender\Platform\' Image|endswith: - '\MsMpEng.exe' # Microsoft Defender executable - '\MsSense.exe' # Windows Defender Advanced Threat Protection Service Executable @@ -108,8 +124,8 @@ detection: - 'C:\Program Files (x86)\PRTG Network Monitor\PRTG Probe.exe' - 'C:\Program Files\PRTG Network Monitor\PRTG Probe.exe' filter_main_brave: - Image|endswith: '\brave.exe' Image|startswith: 'C:\Program Files\BraveSoftware\' + Image|endswith: '\brave.exe' filter_main_maxthon: Image|contains: '\AppData\Local\Maxthon\' Image|endswith: '\maxthon.exe' @@ -129,8 +145,9 @@ detection: - 'C:\Program Files\Naver\Naver Whale\' - 'C:\Program Files (x86)\Naver\Naver Whale\' Image|endswith: '\whale.exe' - filter_main_tor: - Image|contains: '\Tor Browser\' + # Note: The TOR browser shouldn't be something you allow in your corporate network. + # filter_main_tor: + # Image|contains: '\Tor Browser\' filter_main_whaterfox: Image|startswith: - 'C:\Program Files\Waterfox\' @@ -169,7 +186,8 @@ detection: Image|startswith: - 'C:\Program Files (x86)\WindowsApps\' - 'C:\Program Files\WindowsApps\' - Image|endswith: 'WhatsApp.exe' + Image|endswith: '\WhatsApp.exe' + DestinationHostname|endswith: 'facebook.com' filter_main_telegram: Image|contains: '\AppData\Roaming\Telegram Desktop\' Image|endswith: '\Telegram.exe' 
@@ -182,14 +200,24 @@ detection: Image|startswith: - 'C:\Program Files (x86)\Dropbox\Client\' - 'C:\Program Files\Dropbox\Client\' - Image|endswith: '\Dropbox.exe' + Image|endswith: + - '\Dropbox.exe' + - '\DropboxInstaller.exe' DestinationHostname|endswith: 'dropbox.com' filter_main_mega: - Image|contains: '\AppData\Local\MEGAsync\' - Image|endswith: 'MEGAsync.exe' - DestinationHostname|endswith: 'mega.nz' + Image|endswith: + # Note: This is a basic/best effort filter in order to avoid FP with the MEGA installer and executable. + # In practice please apply exact path to avoid basic path bypass techniques. + - '\MEGAsync.exe' + - '\MEGAsyncSetup32_*RC.exe' # Beta versions + - '\MEGAsyncSetup32.exe' # Installers 32bit + - '\MEGAsyncSetup64.exe' # Installers 64bit + - '\MEGAupdater.exe' + DestinationHostname|endswith: + - 'mega.co.nz' + - 'mega.nz' filter_main_googledrive: - Image|startswith: + Image|contains: - 'C:\Program Files\Google\Drive File Stream\' - 'C:\Program Files (x86)\Google\Drive File Stream\' Image|endswith: 'GoogleDriveFS.exe' @@ -205,4 +233,5 @@ detection: condition: selection and not 1 of filter_main_* falsepositives: - One might need to exclude other internet browsers found in it's network or other applications like ones mentioned above from Microsoft Defender. + - Ninite contacting githubusercontent.com level: high diff --git a/rules/windows/network_connection/net_connection_win_devtunnel_connection.yml b/rules/windows/network_connection/net_connection_win_susp_devtunnel_connection.yml similarity index 100% rename from rules/windows/network_connection/net_connection_win_devtunnel_connection.yml rename to rules/windows/network_connection/net_connection_win_susp_devtunnel_connection.yml 
diff --git a/rules/windows/network_connection/net_connection_win_binary_susp_com.yml b/rules/windows/network_connection/net_connection_win_susp_file_sharing_domains_susp_folders.yml old mode 100755 new mode 100644 similarity index 71% rename from rules/windows/network_connection/net_connection_win_binary_susp_com.yml rename to rules/windows/network_connection/net_connection_win_susp_file_sharing_domains_susp_folders.yml index dafc0b988..e0db8b576 --- a/rules/windows/network_connection/net_connection_win_binary_susp_com.yml +++ b/rules/windows/network_connection/net_connection_win_susp_file_sharing_domains_susp_folders.yml @@ -4,7 +4,7 @@ related: - id: 635dbb88-67b3-4b41-9ea5-a3af2dd88153 type: obsoletes status: test -description: Detects an executable in the Windows folder accessing suspicious domains +description: Detects executables located in potentially suspicious directories initiating network connections towards file sharing domains. references: - https://twitter.com/M_haggis/status/900741347035889665 - https://twitter.com/M_haggis/status/1032799638213066752 @@ -13,7 +13,7 @@ references: - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) date: 2018/08/30 -modified: 2023/08/17 +modified: 2024/02/09 tags: - attack.lateral_movement - attack.t1105 @@ -22,12 +22,14 @@ logsource: product: windows detection: selection_paths: - - Image|startswith: - - 'C:\PerfLogs' - - 'C:\Temp\' - - 'C:\Users\Public\' - - 'C:\Windows\' - - Image|contains: '\AppData\Temp\' + Image|contains: + - ':\PerfLogs\' + - ':\Temp\' + - ':\Users\Public\' + - ':\Windows\System32\Tasks\' + - ':\Windows\Tasks\' + - ':\Windows\Temp\' + - '\AppData\Temp\' selection_domains: Initiated: 'true' DestinationHostname|endswith: 
@@ -38,10 +40,13 @@ detection: - 'ddns.net' - 'dl.dropboxusercontent.com' - 'ghostbin.co' + - 'glitch.me' - 'gofile.io' - 'hastebin.com' - 'mediafire.com' + - 'mega.co.nz' - 'mega.nz' + - 'onrender.com' - 'paste.ee' - 'pastebin.com' - 'pastebin.pl' @@ -52,11 +57,11 @@ detection: - 'sendspace.com' - 'storage.googleapis.com' - 'storjshare.io' + - 'supabase.co' - 'temp.sh' - 'transfer.sh' - 'ufile.io' condition: all of selection_* falsepositives: - - Unknown - - '@subTee in your network' + - Some installers located in the temp directory might communicate with the Github domains in order to download additional software. Baseline these cases or move the github domain to a lower level hunting rule. level: high diff --git a/rules/windows/network_connection/net_connection_win_google_api_non_browser_access.yml b/rules/windows/network_connection/net_connection_win_susp_google_api_non_browser_access.yml similarity index 91% rename from rules/windows/network_connection/net_connection_win_google_api_non_browser_access.yml rename to rules/windows/network_connection/net_connection_win_susp_google_api_non_browser_access.yml index e504b85dd..ecaf81e8e 100644 --- a/rules/windows/network_connection/net_connection_win_google_api_non_browser_access.yml +++ b/rules/windows/network_connection/net_connection_win_susp_google_api_non_browser_access.yml @@ -1,7 +1,8 @@ title: Suspicious Non-Browser Network Communication With Google API id: 7e9cf7b6-e827-11ed-a05b-0242ac120003 status: experimental -description: Detects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet) +description: | + Detects a non-browser process interacting with the Google API which could indicate the use of a covert C2 such as Google Sheet C2 (GC2-sheet) references: - https://github.com/looCiprian/GC2-sheet - https://youtu.be/n2dFlSaBBKo 
@@ -19,10 +20,11 @@ logsource: category: network_connection detection: selection: - DestinationHostname|contains: # Other googleapis should be added as the GC2 tool evolves + DestinationHostname|contains: + # Note: Please add additional google API related domains that might be abused. + - 'drive.googleapis.com' - 'oauth2.googleapis.com' - 'sheets.googleapis.com' - - 'drive.googleapis.com' - 'www.googleapis.com' filter_optional_brave: Image|endswith: '\brave.exe' diff --git a/rules/windows/network_connection/net_connection_win_remote_powershell_session_network.yml b/rules/windows/network_connection/net_connection_win_susp_remote_powershell_session.yml old mode 100755 new mode 100644 similarity index 65% rename from rules/windows/network_connection/net_connection_win_remote_powershell_session_network.yml rename to rules/windows/network_connection/net_connection_win_susp_remote_powershell_session.yml index 059fcffa8..82a8222e1 --- a/rules/windows/network_connection/net_connection_win_remote_powershell_session_network.yml +++ b/rules/windows/network_connection/net_connection_win_susp_remote_powershell_session.yml @@ -1,12 +1,14 @@ -title: Remote PowerShell Session (Network) +title: Potential Remote PowerShell Session Initiated id: c539afac-c12a-46ed-b1bd-5a5567c9f045 status: test -description: Detects remote PowerShell connections by monitoring network outbound connections to ports 5985 or 5986 from a non-network service account. +description: | + Detects a process that initiated a network connection over ports 5985 or 5986 from a non-network service account. + This could potentially indicates a remote PowerShell connection. references: - https://threathunterplaybook.com/hunts/windows/190511-RemotePwshExecution/notebook.html author: Roberto Rodriguez @Cyb3rWard0g date: 2019/09/12 -modified: 2023/01/09 +modified: 2024/02/02 tags: - attack.execution - attack.t1059.001 
@@ -21,27 +23,28 @@ detection: - 5985 - 5986 Initiated: 'true' # only matches of the initiating system can be evaluated - filter_generic: + SourceIsIpv6: 'false' + filter_main_service_users: - User|contains: # covers many language settings for Network Service. Please expand - 'NETWORK SERVICE' - 'NETZWERKDIENST' - - 'SERVIZIO DI RETE' - 'SERVICIO DE RED' + - 'SERVIZIO DI RETE' - User|contains|all: - 'SERVICE R' - 'SEAU' - - SourceIp|startswith: '0:0:' - - Image: - - 'C:\Program Files\Avast Software\Avast\AvastSvc.exe' - - 'C:\Program Files (x86)\Avast Software\Avast\AvastSvc.exe' - filter_localhost: + filter_main_localhost: SourceIp: - '::1' - '127.0.0.1' DestinationIp: - '::1' - '127.0.0.1' - condition: selection and not 1 of filter_* + filter_optional_avast: + Image: + - 'C:\Program Files\Avast Software\Avast\AvastSvc.exe' + - 'C:\Program Files (x86)\Avast Software\Avast\AvastSvc.exe' + condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* falsepositives: - Legitimate usage of remote PowerShell, e.g. remote administration and monitoring. - Network Service user name of a not-covered localization diff --git a/rules/windows/network_connection/net_connection_win_office_susp_ports.yml b/rules/windows/network_connection/net_connection_win_wordpad_uncommon_ports.yml similarity index 65% rename from rules/windows/network_connection/net_connection_win_office_susp_ports.yml rename to rules/windows/network_connection/net_connection_win_wordpad_uncommon_ports.yml index 1290c81b1..cabee0aba 100644 --- a/rules/windows/network_connection/net_connection_win_office_susp_ports.yml +++ b/rules/windows/network_connection/net_connection_win_wordpad_uncommon_ports.yml 
@@ -1,7 +1,9 @@ -title: Suspicious Office Outbound Connections -id: 3b5ba899-9842-4bc2-acc2-12308498bf42 +title: Suspicious Wordpad Outbound Connections +id: 786cdae8-fefb-4eb2-9227-04e34060db01 status: experimental -description: Detects office suit applications communicating to target systems on uncommon ports +description: | + Detects a network connection initiated by "wordpad.exe" over uncommon destination ports. + This might indicate potential process injection activity from a beacon or similar mechanisms. references: - https://blogs.blackberry.com/en/2023/07/romcom-targets-ukraine-nato-membership-talks-at-nato-summit author: X__Junior (Nextron Systems) @@ -15,13 +17,8 @@ logsource: product: windows detection: selection: - Image|endswith: - - '\excel.exe' - - '\outlook.exe' - - '\powerpnt.exe' - - '\winword.exe' - - '\wordpad.exe' - - '\wordview.exe' + Initiated: 'true' + Image|endswith: '\wordpad.exe' filter_main_ports: DestinationPort: - 80 diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml index 0a3562b6d..6404a63a6 100644 --- a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml +++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_file_sharing_domains.yml @@ -8,9 +8,10 @@ references: - https://lolbas-project.github.io/lolbas/Binaries/Bitsadmin/ - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a + - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/ author: Florian Roth (Nextron Systems) date: 2022/06/28 -modified: 2023/08/17 +modified: 2024/02/09 tags: - attack.defense_evasion - attack.persistence 
@@ -38,10 +39,12 @@ detection: - 'ddns.net' - 'dl.dropboxusercontent.com' - 'ghostbin.co' + - 'glitch.me' - 'gofile.io' - 'hastebin.com' - 'mediafire.com' - 'mega.nz' + - 'onrender.com' - 'paste.ee' - 'pastebin.com' - 'pastebin.pl' @@ -52,6 +55,7 @@ detection: - 'sendspace.com' - 'storage.googleapis.com' - 'storjshare.io' + - 'supabase.co' - 'temp.sh' - 'transfer.sh' - 'ufile.io' diff --git a/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml b/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml index bbcb67ce3..854e18c7e 100644 --- a/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml +++ b/rules/windows/process_creation/proc_creation_win_certutil_download_file_sharing_domains.yml @@ -13,9 +13,10 @@ references: - https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/ - https://twitter.com/egre55/status/1087685529016193025 - https://lolbas-project.github.io/lolbas/Binaries/Certutil/ + - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/ author: Nasreddine Bencherchali (Nextron Systems) date: 2023/02/15 -modified: 2023/08/17 +modified: 2024/02/09 tags: - attack.defense_evasion - attack.t1027 @@ -39,10 +40,12 @@ detection: - 'ddns.net' - 'dl.dropboxusercontent.com' - 'ghostbin.co' + - 'glitch.me' - 'gofile.io' - 'hastebin.com' - 'mediafire.com' - 'mega.nz' + - 'onrender.com' - 'paste.ee' - 'pastebin.com' - 'pastebin.pl' @@ -53,6 +56,7 @@ detection: - 'sendspace.com' - 'storage.googleapis.com' - 'storjshare.io' + - 'supabase.co' - 'temp.sh' - 'transfer.sh' - 'ufile.io' 
diff --git a/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml b/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml index e22aa4380..0a7cdcc02 100644 --- a/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml +++ b/rules/windows/process_creation/proc_creation_win_curl_download_susp_file_sharing_domains.yml @@ -7,7 +7,7 @@ references: - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv author: Nasreddine Bencherchali (Nextron Systems) date: 2023/05/05 -modified: 2023/08/17 +modified: 2024/02/09 tags: - attack.execution logsource: @@ -26,10 +26,12 @@ detection: - 'ddns.net' - 'dl.dropboxusercontent.com' - 'ghostbin.co' + - 'glitch.me' - 'gofile.io' - 'hastebin.com' - 'mediafire.com' - 'mega.nz' + - 'onrender.com' - 'paste.ee' - 'pastebin.com' - 'pastebin.pl' @@ -40,6 +42,7 @@ detection: - 'sendspace.com' - 'storage.googleapis.com' - 'storjshare.io' + - 'supabase.co' - 'temp.sh' - 'transfer.sh' - 'ufile.io' diff --git a/rules/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml b/rules/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml index 804183f55..ce18c5800 100644 --- a/rules/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_hh_chm_remote_download_or_execution.yml @@ -8,7 +8,7 @@ references: - https://www.zscaler.com/blogs/security-research/unintentional-leak-glimpse-attack-vectors-apt37 author: Nasreddine Bencherchali (Nextron Systems) date: 2022/09/29 -modified: 2023/04/12 +modified: 2024/01/31 tags: - attack.defense_evasion - attack.t1218.001 
@@ -20,7 +20,10 @@ detection: - OriginalFileName: 'HH.exe' - Image|endswith: '\hh.exe' selection_cli: - CommandLine|contains: 'http' + CommandLine|contains: + - 'http://' + - 'https://' + - '\\\\' condition: all of selection_* falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_net_network_connections_discovery.yml b/rules/windows/process_creation/proc_creation_win_net_use_network_connections_discovery.yml similarity index 100% rename from rules/windows/process_creation/proc_creation_win_net_network_connections_discovery.yml rename to rules/windows/process_creation/proc_creation_win_net_use_network_connections_discovery.yml diff --git a/rules/windows/process_creation/proc_creation_win_net_user_add.yml b/rules/windows/process_creation/proc_creation_win_net_user_add.yml index 4aa5c466d..35a4b8092 100644 --- a/rules/windows/process_creation/proc_creation_win_net_user_add.yml +++ b/rules/windows/process_creation/proc_creation_win_net_user_add.yml @@ -30,10 +30,6 @@ detection: - 'user' - 'add' condition: all of selection_* -fields: - - ComputerName - - User - - CommandLine falsepositives: - Legitimate user creation. - Better use event IDs for user creation rather than command line rules. diff --git a/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml b/rules/windows/process_creation/proc_creation_win_net_user_default_accounts_manipulation.yml similarity index 100% rename from rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml rename to rules/windows/process_creation/proc_creation_win_net_user_default_accounts_manipulation.yml 
diff --git a/rules/windows/process_creation/proc_creation_win_net_share_and_sessions_enum.yml b/rules/windows/process_creation/proc_creation_win_net_view_share_and_sessions_enum.yml similarity index 100% rename from rules/windows/process_creation/proc_creation_win_net_share_and_sessions_enum.yml rename to rules/windows/process_creation/proc_creation_win_net_view_share_and_sessions_enum.yml diff --git a/rules/windows/process_creation/proc_creation_win_powershell_encoded_cmd_patterns.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_cmd_patterns.yml similarity index 100% rename from rules/windows/process_creation/proc_creation_win_powershell_encoded_cmd_patterns.yml rename to rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_cmd_patterns.yml diff --git a/rules/windows/process_creation/proc_creation_win_powershell_encoded_obfusc.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_obfusc.yml similarity index 100% rename from rules/windows/process_creation/proc_creation_win_powershell_encoded_obfusc.yml rename to rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_obfusc.yml diff --git a/rules/windows/process_creation/proc_creation_win_powershell_hidden_b64_cmd.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_hidden_flag.yml similarity index 100% rename from rules/windows/process_creation/proc_creation_win_powershell_hidden_b64_cmd.yml rename to rules/windows/process_creation/proc_creation_win_powershell_base64_hidden_flag.yml 
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_tamper_defender_remove_mppreference.yml b/rules/windows/process_creation/proc_creation_win_powershell_remove_mppreference.yml similarity index 100% rename from rules/windows/process_creation/proc_creation_win_powershell_tamper_defender_remove_mppreference.yml rename to rules/windows/process_creation/proc_creation_win_powershell_remove_mppreference.yml diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml b/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml index ec3a464e1..8725e532d 100644 --- a/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml +++ b/rules/windows/process_creation/proc_creation_win_rundll32_uncommon_dll_extension.yml @@ -6,7 +6,7 @@ references: - https://twitter.com/mrd0x/status/1481630810495139841?s=12 author: Tim Shelton, Florian Roth (Nextron Systems), Yassine Oukessou date: 2022/01/13 -modified: 2024/02/08 +modified: 2024/02/09 tags: - attack.defense_evasion - attack.t1218.011 @@ -22,20 +22,25 @@ detection: filter_main_empty: CommandLine: '' filter_main_known_extension: - CommandLine|contains: - # Note: This aims to cover: single and double quotes in addition to spaces and comma "," usage. - - '.cpl ' - - '.cpl,' - - '.cpl"' - - ".cpl'" - - '.dll ' - - '.dll,' - - '.dll"' - - ".dll'" - - '.inf ' - - '.inf,' - - '.inf"' - - ".inf'" + - CommandLine|contains: + # Note: This aims to cover: single and double quotes in addition to spaces and comma "," usage. + - '.cpl ' + - '.cpl,' + - '.cpl"' + - ".cpl'" + - '.dll ' + - '.dll,' + - '.dll"' + - ".dll'" + - '.inf ' + - '.inf,' + - '.inf"' + - ".inf'" + - CommandLine|endswith: + # Note: This aims to cover: single and double quotes in addition to spaces and comma "," usage. + - '.cpl' + - '.dll' + - '.inf' filter_main_localserver: CommandLine|contains: ' -localserver ' filter_main_zzzzInvokeManagedCustomActionOutOfProc: 
diff --git a/rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml b/rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml index cbdeac7e8..005aef2c9 100644 --- a/rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml +++ b/rules/windows/process_creation/proc_creation_win_wget_download_susp_file_sharing_domains.yml @@ -5,9 +5,10 @@ description: Detects potentially suspicious file downloads from file sharing dom references: - https://labs.withsecure.com/publications/fin7-target-veeam-servers - https://github.com/WithSecureLabs/iocs/blob/344203de742bb7e68bd56618f66d34be95a9f9fc/FIN7VEEAM/iocs.csv + - https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/ author: Nasreddine Bencherchali (Nextron Systems) date: 2023/05/05 -modified: 2023/08/17 +modified: 2024/02/09 tags: - attack.execution logsource: @@ -26,10 +27,12 @@ detection: - 'ddns.net' - 'dl.dropboxusercontent.com' - 'ghostbin.co' + - 'glitch.me' - 'gofile.io' - 'hastebin.com' - 'mediafire.com' - 'mega.nz' + - 'onrender.com' - 'paste.ee' - 'pastebin.com' - 'pastebin.pl' @@ -40,6 +43,7 @@ detection: - 'sendspace.com' - 'storage.googleapis.com' - 'storjshare.io' + - 'supabase.co' - 'temp.sh' - 'transfer.sh' - 'ufile.io' diff --git a/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml b/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml index 483160889..7e9b5f361 100644 --- a/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml +++ b/rules/windows/registry/registry_set/registry_set_bypass_uac_using_silentcleanup_task.yml 
@@ -1,13 +1,17 @@ title: Bypass UAC Using SilentCleanup Task id: 724ea201-6514-4f38-9739-e5973c34f49a status: test -description: There is an auto-elevated task called SilentCleanup located in %windir%\system32\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC +description: | + Detects the setting of the environement variable "windir" to a non default value. + Attackers often abuse this variable in order to trigger a UAC bypass via the "SilentCleanup" task. + The SilentCleanup task located in %windir%\system32\cleanmgr.exe is an auto-elevated task that can be abused to elevate any file with administrator privileges without prompting UAC. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task - https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/ -author: frack113 + - https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign +author: frack113, Nextron Systems date: 2022/01/06 -modified: 2023/08/17 +modified: 2024/01/30 tags: - attack.privilege_escalation - attack.defense_evasion @@ -18,8 +22,9 @@ logsource: detection: selection: TargetObject|endswith: '\Environment\windir' - Details|contains: '&REM' - condition: selection + filter_main_default: + Details: '%SystemRoot%' + condition: selection and not 1 of filter_main_* falsepositives: - Unknown level: high diff --git a/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml b/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml index b9c139bfb..b1ad77fb2 100644 --- a/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml +++ b/rules/windows/registry/registry_set/registry_set_terminal_server_suspicious.yml 
@@ -8,7 +8,7 @@ description: | Detects tampering of RDP Terminal Service/Server sensitive settings. Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections', etc. references: - - https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html # Related to RDP hijacking via the "ServiceDll" key + - https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html # Related to RDP hijacking via the "ServiceDll" key - http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/ # Related to the Shadow RPD technique - https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03 # Related to the Shadow RPD technique - https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html diff --git a/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml b/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml index d7d9eb7a9..e2130531b 100644 --- a/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml +++ b/rules/windows/registry/registry_set/registry_set_terminal_server_tampering.yml 
@@ -12,7 +12,7 @@ description: | Detects tampering of RDP Terminal Service/Server sensitive settings. Such as allowing unauthorized users access to a system via the 'fAllowUnsolicited' or enabling RDP via 'fDenyTSConnections'...etc references: - - https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html # Related to RDP hijacking via the "ServiceDll" key + - https://web.archive.org/web/20200929062532/https://blog.menasec.net/2019/02/threat-hunting-rdp-hijacking-via.html # Related to RDP hijacking via the "ServiceDll" key - http://woshub.com/rds-shadow-how-to-connect-to-a-user-session-in-windows-server-2012-r2/ # Related to the Shadow RPD technique - https://twitter.com/SagieSec/status/1469001618863624194?t=HRf0eA0W1YYzkTSHb-Ky1A&s=03 # Related to the Shadow RPD technique - https://threathunterplaybook.com/hunts/windows/190407-RegModEnableRDPConnections/notebook.html
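Review bot: In the `@@ -21,27 +23,28 @@` hunk of the 5985/5986 network-connection rule, moving `SourceIsIpv6: 'false'` into the selection narrows the logic more than the removed `SourceIp|startswith: '0:0:'` filter did: the old filter only dropped the IPv6 unspecified/mapped prefix, while the new selection excludes every connection with a native IPv6 source address. If that narrowing is intended, state it in the description or changelog; otherwise keep the prefix filter under `filter_main_*` instead. Minor follow-up: with IPv6 sources excluded, the `'::1'` entry under `SourceIp` in `filter_main_localhost` can no longer match (the `DestinationIp` entry still can), so it is now dead.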
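Review bot: In the `net_connection_win_wordpad_uncommon_ports.yml` rename hunk (`@@ -1,7 +1,9 @@`), the rule gets a new `id` and drops `\excel.exe`, `\outlook.exe`, `\powerpnt.exe`, `\winword.exe` and `\wordview.exe` from the selection, but nothing links the new rule to the old one. Add a `related:` entry pointing at the previous id (`3b5ba899-9842-4bc2-acc2-12308498bf42`) so consumers tracking the old rule can follow the replacement, and confirm in the PR description that the removed Office binaries are covered by the "Office Application Initiated Network Connection Over Uncommon Ports" rule named in the commit message, since this file alone now only covers `wordpad.exe`.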
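Review bot: The `proc_creation_win_curl_download_susp_file_sharing_domains.yml` hunk (`@@ -7,7 +7,7 @@`) bumps `modified` and adds the same three domains as the bitsadmin, certutil and wget rules, but unlike those three it does not add the Mint Sandstorm reference (`https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-...`) under `references:`. Add it here too so the provenance of the new domains is consistent across the four rules.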
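Review bot: The domain additions in the bitsadmin, certutil, curl and wget `detection:` hunks (`+ - 'glitch.me'`, `+ - 'onrender.com'`, `+ - 'supabase.co'`) are general-purpose hosting platforms rather than paste or file-drop sites, so legitimate web apps and storage buckets live under them and benign downloads will match far more often than for the pastebin-style entries. The `falsepositives:` sections of these rules should mention this, and reviewers should consider whether the rules' current severity still fits once these three are in the list.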
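Review bot: In the `proc_creation_win_hh_chm_remote_download_or_execution.yml` hunk (`@@ -20,7 +20,10 @@`), the new `'\\\\'` value (two literal backslashes after Sigma unescaping) makes the rule fire on every CHM opened from a UNC path, so `hh.exe \\fileserver\share\product.chm` from an internal documentation share now matches; it also matches device-namespace prefixes such as `\\?\` and `\\.\`. The `falsepositives:` section still reads `Unknown`; update it to mention help files launched from internal file shares, or restrict the UNC match to non-local hosts if the data source allows it. Tightening `'http'` to `'http://'` and `'https://'` is fine since Sigma matching is case-insensitive.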
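Review bot: In the `proc_creation_win_rundll32_uncommon_dll_extension.yml` hunk (`@@ -22,20 +22,25 @@`), the comment under the new `CommandLine|endswith:` block is copied verbatim from the `contains` block ("This aims to cover: single and double quotes in addition to spaces and comma usage") but the `endswith` values `'.cpl'`, `'.dll'`, `'.inf'` do nothing of the sort. Replace it with what this branch actually fixes, e.g. "Covers command lines that end directly with the extension and no trailing separator, which the contains patterns above miss", so the next reader understands why both branches of the list are needed.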
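Review bot: In the `registry_set_bypass_uac_using_silentcleanup_task.yml` hunk (`@@ -1,13 +1,17 @@`), the new description has a typo: "environement" should be "environment", and "non default" reads better hyphenated as "non-default". In the `@@ -18,8 +22,9 @@` hunk the logic changes from matching `'&REM'` in `Details` to alerting on any value other than the exact string `%SystemRoot%`; an installer or imaging tool that writes the expanded path (for example `C:\Windows`) to `\Environment\windir` will therefore trigger a `level: high` alert. If that is intended, say so under `falsepositives:` instead of leaving it at `Unknown`, and consider whether the expanded default belongs in `filter_main_default`.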
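Review bot: The two `registry_set_terminal_server_*.yml` hunks only swap the menasec reference for its web.archive.org copy, which is fine, but the adjacent unchanged comments in both files say "Shadow RPD technique" where "Shadow RDP technique" is meant; since these lines are already in the hunk context, fixing the typo in the same pass would avoid a separate cosmetic PR.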