Merge pull request #2301 from SigmaHQ/rule-devel

refactor: reworked psexec / paexec rules

rules/windows/image_load/image_load_wsman_provider_image_load.yml

@@ -3,7 +3,7 @@ id: ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94
 description: Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.
 status: experimental
 date: 2020/06/24
-modified: 2021/11/17
+modified: 2021/11/23
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 tags:
     - attack.execution
@@ -30,10 +30,12 @@ detection:
             - Microsoft.WSMan.Management.dll
     filter_ps:
         Image|endswith: '\powershell.exe'
+    filter_bits: # not available in Sysmon data, but Aurora logs
+        CommandLine|contains: 'svchost.exe -k netsvcs -p -s BITS'
     respond_server:
         Image|endswith: '\svchost.exe'
         OriginalFileName: 'WsmWmiPl.dll'
-    condition: (request_client and not filter_ps) or respond_server
+    condition: (request_client and not filter_ps and not filter_bits) or respond_server
 falsepositives:
     - Unknown
 level: medium

rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml

@@ -3,7 +3,7 @@ id: 9ae01559-cf7e-4f8e-8e14-4c290a1b4784
 description: Detects potential use of UIPromptForCredentials functions by looking for some of the DLLs needed for it.
 status: experimental
 date: 2020/10/20
-modified: 2021/11/20
+modified: 2021/11/23
 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
 tags:
     - attack.credential_access
@@ -28,6 +28,7 @@ detection:
         Image|startswith: 
             - 'C:\Windows\System32\'
             - 'C:\Windows\explorer.exe'
+            - 'C:\Program Files\'
     condition: selection and not filter
 falsepositives:
     - other legitimate processes loading those DLLs in your environment.

rules/windows/process_creation/win_susp_psexex_paexec_escalate_system.yml

@@ -0,0 +1,29 @@
+title: PsExec/PAExec Escalation to LOCAL SYSTEM
+id: 8834e2f7-6b4b-4f09-8906-d2276470ee23
+status: experimental
+description: Detects suspicious flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights
+references:
+    - https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
+    - https://www.poweradmin.com/paexec/
+    - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
+author: Florian Roth
+date: 2021/11/23
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_cmd_to_system: # Escalation to LOCAL_SYSTEM
+        CommandLine|endswith: ' -s cmd.exe'
+    selection_supporting_flags:
+        CommandLine|contains:
+            - 'PsExec'
+            - 'PAExec'
+            - 'accepteula'
+            - 'cmd /c '
+    condition: selection_supporting_flags and selection_cmd_to_system 
+falsepositives:
+    - Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare) 
+level: high
+tags:
+    - attack.develop_capabilities
+    - attack.t1587.001

rules/windows/process_creation/win_susp_psexex_paexec_flags.yml

@@ -8,21 +8,21 @@ references:
     - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
 author: Florian Roth
 date: 2021/05/22
+modified: 2021/11/23
 logsource:
     category: process_creation
     product: windows
 detection:
     selection_flags_1: # Escalation to LOCAL_SYSTEM
-        CommandLine|contains|all: 
-            - '\\127.0.0.1'
-            - ' -s '
-            - 'cmd.exe'
+        CommandLine|endswith: 
+            - ' -s cmd.exe'
+            - ' -s -i cmd.exe'
     selection_flags_2:
         CommandLine|contains|all: # Accepting EULA in commandline - often used in automated attacks
-            - ' /accepteula '
-            - 'cmd /c '
+            - 'accepteula'
             - ' -u '
             - ' -p '
+            - ' \\'
     filter:
         CommandLine|contains: 
             - 'paexec'