13 Rules from THP - Backlog Rules (old)
@@ -0,0 +1,23 @@
title: First Time Seen Remote Named Pipe - Zeek
id: bae2865c-5565-470d-b505-9496c87d0c30
description: Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.
author: OTR (Open Threat Research)
references:
- https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
- https://dirkjanm.io/a-different-way-of-abusing-zerologon/
- https://twitter.com/_dirkjan/status/1309214379003588608
tags:
- attack.lateral_movement
- attack.t1021.002
date: 2018/11/28
logsource:
product: zeek
service: smb_files
detection:
selection:
path: \\*\IPC$
name: spoolss
condition: selection
falsepositives:
- 'Domain Controllers acting as printer servers too? :)'
level: medium
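Review bot: the title promises "First Time Seen" but `condition: selection` is a plain match with no first-seen or baseline logic, so every spoolss open on IPC$ will fire, not only new ones; either rename the rule or add the aggregation the title implies. Also `date: 2018/11/28` predates the 2020 Zerologon references it cites, and `status` is missing while every other rule in this commit sets `status: experimental`.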
@@ -0,0 +1,25 @@
title: DCERPC SMB Spoolss Named Pipe
id: 214e8f95-100a-4e04-bb31-ef6cba8ce07e
description: Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.
status: experimental
references:
- https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
- https://dirkjanm.io/a-different-way-of-abusing-zerologon/
- https://twitter.com/_dirkjan/status/1309214379003588608
tags:
- attack.lateral_movement
- attack.t1021.002
date: 2018/11/28
author: OTR (Open Threat Research)
logsource:
product: windows
service: security
detection:
selection:
EventID: 5145
ShareName: \\*\IPC$
RelativeTargetName: spoolss
condition: selection
falsepositives:
- 'Domain Controllers acting as printer servers too? :)'
level: medium
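Review bot: `date: 2018/11/28` is older than the September 2020 references listed, so one of them is wrong. Event 5145 is only generated when the "Audit Detailed File Share" subcategory is enabled, which is off by default; the rule should state that requirement, otherwise it silently never fires. The falsepositives entry is phrased as a question; state it as a condition ("Domain controllers that also act as print servers").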
@@ -0,0 +1,26 @@
title: SMB Create Remote File Admin Share
id: b210394c-ba12-4f89-9117-44a2464b9511
description: Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$).
status: experimental
date: 2020/08/06
author: Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)
tags:
- attack.lateral_movement
- attack.t1021.002
references:
- https://github.com/OTRF/ThreatHunter-Playbook/blob/master/playbooks/WIN-201012004336.yaml
- https://mordordatasets.com/notebooks/small/windows/08_lateral_movement/SDWIN-200806015757.html?highlight=create%20file
logsource:
product: windows
service: security
detection:
selection:
EventID: 5145
ShareName: '*C$'
AccessMask: '0x2'
filter:
SubjectUserName: '*$'
condition: selection and not filter
falsepositives:
- Unknown
level: high
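Review bot: `AccessMask: '0x2'` is an exact string match, so a 5145 event whose mask combines WriteData with other bits (the usual case when a file is created over SMB) will not match; use a modifier that tests the bit, or document that only a bare 0x2 mask is covered. `ShareName: '*C$'` also matches only C$, although the description speaks of administrative shares in general; ADMIN$ and other drive-letter shares are not covered, and the pattern would also match an unrelated share whose name ends in `C$`. In the description, "i.e C$" should be "e.g. C$".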
@@ -0,0 +1,35 @@
title: Sysmon Channel Reference Deletion
id: 18beca67-ab3e-4ee3-ba7a-a46ca8d7d0cc
status: experimental
description: Potential threat actor tampering with Sysmon manifest and eventually disabling it
references:
- https://twitter.com/Flangvik/status/1283054508084473861
- https://twitter.com/SecurityJosh/status/1283027365770276866
- https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html
- https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/07/14
tags:
- attack.defense_evasion
- attack.t1112
logsource:
product: windows
service: security
detection:
selection1:
EventID: 4657
ObjectName|contains:
- 'WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'
- 'WINEVT\Channels\Microsoft-Windows-Sysmon/Operational'
ObjectValueName: 'Enabled'
NewValue: '0'
selection2:
EventID: 4663
ObjectName|contains:
- 'WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'
- 'WINEVT\Channels\Microsoft-Windows-Sysmon/Operational'
AccessMask: 0x10000
condition: selection1 or selection 2
falsepositives:
- unknown
level: critical
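Review bot: `condition: selection1 or selection 2` contains a stray space; the identifier is `selection2`, so as written the condition references an undefined selection and the rule will fail to compile or lose the 4663 branch. `AccessMask: 0x10000` is unquoted, so YAML loads it as the integer 65536, whereas the 5145 rule in this commit quotes `'0x2'`; quote it so it compares as the string the event carries. Both 4657 and 4663 require a SACL on the WINEVT keys, which is not present by default; the description should say so.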
@@ -0,0 +1,30 @@
title: WMI Script Host Process Image Loaded
id: b439f47d-ef52-4b29-9a2f-57d8a96cb6b8
description: Detects signs of the WMI script host process %SystemRoot%\system32\wbem\scrcons.exe functionality being used via images being loaded by a process.
status: experimental
date: 2020/09/02
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
tags:
- attack.lateral_movement
- attack.privilege_escalation
- attack.persistence
- attack.t1546.003
references:
- https://twitter.com/HunterPlaybook/status/1301207718355759107
- https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/
- https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-200902020333.html
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith:
- '\scrcons.exe'
- '\vbscript.dll'
- '\wbemdisp.dll'
- '\wshom.ocx'
- '\scrrun.dll'
condition: selection
falsepositives:
- Unknown
level: critical
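Review bot: the selection has no `Image` constraint, so it matches vbscript.dll, scrrun.dll and wshom.ocx loaded by any process; wscript.exe, cscript.exe and mshta.exe load these routinely, which makes `level: critical` far too high. The description already names scrcons.exe as the host, so add `Image|endswith: '\scrcons.exe'` to the selection and keep the DLL list as the second half of the conjunction.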
@@ -0,0 +1,38 @@
title: Suspicious WSMAN Provider Image Loads
id: ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94
description: Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.
status: experimental
date: 2020/06/24
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
tags:
- attack.execution
- attack.t1059.001
- attack.lateral_movement
- attack.t1021.003
references:
- https://twitter.com/chadtilbury/status/1275851297770610688
- https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/
- https://docs.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture
- https://github.com/bohops/WSMan-WinRM
logsource:
category: image_load
product: windows
detection:
request_client:
- ImageLoaded|endswith:
- '\WsmSvc.dll'
- '\WsmAuto.dll'
- '\Microsoft.WSMan.Management.ni.dll'
- OriginalFileName:
- WsmSvc.dll
- WSMANAUTOMATION.DLL
- Microsoft.WSMan.Management.dll
filter_ps:
Image|endswith: '\powershell.exe'
respond_server:
Image|endswith: '\svchost.exe'
OriginalFileName: 'WsmWmiPl.dll'
condition: (request_client and not filter_ps) or respond_server
falsepositives:
- Unknown
level: medium
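Review bot: `filter_ps` excludes only `\powershell.exe`; `powershell_ise.exe` and `pwsh.exe` load the same WSMan assemblies during an ordinary remoting session and will trigger the rule, so extend the filter or list them as expected false positives instead of "Unknown". The `respond_server` branch (svchost.exe loading WsmWmiPl.dll) fires whenever the WinRM service handles a request, so it indicates WinRM usage rather than anything suspicious; consider splitting it into its own low-level rule so it does not inherit this rule's description and tags.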
@@ -0,0 +1,21 @@
title: Wuauclt Network Connection
id: c649a6c7-cd8c-4a78-9c04-000fc76df954
description: Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making a network connectionxs. One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.
status: experimental
date: 2020/10/12
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
tags:
- attack.defense_evasion
- attack.t1218
references:
- https://dtm.uk/wuauclt/
logsource:
category: network_connection
product: windows
detection:
selection:
Image|contains: wuauclt
condition: selection
falsepositives:
- Legitimate use of wuauclt.exe over the network.
level: critical
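Review bot: `Image|contains: wuauclt` with no destination or parent constraint matches every normal Windows Update check-in by the real wuauclt.exe; the falsepositives entry acknowledges that, which is hard to reconcile with `level: critical`. Correlating with the companion process-creation rule (the RunHandlerComServer command line) or excluding the Windows Update endpoints would give this a usable signal. The description also has a typo ("connectionxs"), and the id `c649a6c7-cd8c-4a78-9c04-000fc76df954` is reused by "Proxy Execution via Wuauclt" later in this commit; ids must be unique.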
@@ -0,0 +1,26 @@
title: Suspicious Non PowerShell WSMAN COM Provider
id: df9a0e0e-fedb-4d6c-8668-d765dfc92aa7
description: Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.
status: experimental
date: 2020/06/24
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
tags:
- attack.execution
- attack.t1059.001
- attack.lateral_movement
- attack.t1021.003
references:
- https://twitter.com/chadtilbury/status/1275851297770610688
- https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/
- https://github.com/bohops/WSMan-WinRM
logsource:
product: windows
service: powershell
detection:
selection_one:
Message: '*ProviderName=WSMan*'
selection_two:
Message: '*HostApplication=*powershell*'
condition: selection_one and not selection_two
falsepositives:
level: medium
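Review bot: `falsepositives:` is empty; Sigma expects at least one entry (`- Unknown`, as in the sibling rules). The `ProviderName=` and `HostApplication=` key/value strings matched here come from the classic "Windows PowerShell" log (provider lifecycle events such as 600), which Sigma addresses as `service: powershell-classic`; `service: powershell` maps to the Microsoft-Windows-PowerShell/Operational log, where the message text is formatted differently and these wildcards will not match.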
@@ -0,0 +1,25 @@
title: DCOM Excel Execution
id: 6a5d969f-c808-4cfb-a490-9bbe58b31d89
description: Detects Excel application started via the DCOMLaunch service and through automation.
status: experimental
date: 2020/09/17
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
tags:
- attack.lateral_movement
- attack.t1021.003
references:
- https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-2-dcom/
- https://twitter.com/Mordor_Project/status/1307070347850772481
- https://twitter.com/MDSecLabs/status/1306610061242925056
logsource:
category: process_creation
product: windows
detection:
selection:
ParentCommandLine|contains: DcomLaunch
OriginalFileName: Excel.exe
CommandLine|Contains: automation
condition: selection
falsepositives:
- Unknown
level: critical
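Review bot: `CommandLine|Contains: automation` capitalises the modifier; Sigma modifiers are lower-case (`|contains`), and an unknown modifier is a compile error in the reference tooling. Local COM activation of Excel (any script creating an `Excel.Application` object on the same host) also goes through the DcomLaunch service with the same `/automation` switch, so the selection cannot tell remote DCOM activation from local automation; that belongs under falsepositives, and `critical` is hard to defend without a logon-type or network correlation.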
@@ -0,0 +1,24 @@
title: Proxy Execution via Wuauclt
id: c649a6c7-cd8c-4a78-9c04-000fc76df954
description: Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code.
status: experimental
date: 2020/10/12
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
tags:
- attack.defense_evasion
- attack.t1218
references:
- https://dtm.uk/wuauclt/
logsource:
category: process_creation
product: windows
detection:
selection_one:
- Image|contains: wuauclt
- OriginalFileName: wuauclt.exe
selection_two:
CommandLine|Contains: '*wuauclt*UpdateDeploymentProvider*.dll*RunHandlerComServer'
condition: selection_one and selection_two
falsepositives:
- Unknown
level: critical
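Review bot: `id: c649a6c7-cd8c-4a78-9c04-000fc76df954` duplicates the id of "Wuauclt Network Connection" in this same commit; assign a new UUID. `CommandLine|Contains` capitalises the modifier (must be `|contains`), and the leading and trailing `*` in `'*wuauclt*UpdateDeploymentProvider*.dll*RunHandlerComServer'` are redundant with `contains`, which already matches substrings; only the inner wildcards do work here.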
@@ -0,0 +1,21 @@
title: Wdigest CredGuard Registry Modification
id: 1a2d6c47-75b0-45bd-b133-2c0be75349fd
description: Detects potential malicious modification of the property value of IsCredGuardEnabled from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to disable Cred Guard on a system. This is usually used with UseLogonCredential to manipulate the caching credentials.
status: experimental
date: 2019/08/25
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
tags:
- attack.defense_evasion
- attack.t1112
references:
- https://teamhydra.blog/2020/08/25/bypassing-credential-guard/
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|endswith: '\IsCredGuardEnabled'
condition: selection
falsepositives:
- Unknown
level: critical
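Review bot: `id: 1a2d6c47-75b0-45bd-b133-2c0be75349fd` is the id of the existing UseLogonCredential rule modified later in this commit; give this rule its own UUID. `date: 2019/08/25` is a year before the single reference (its URL is dated 2020/08/25), which looks like a typo. `TargetObject|endswith: '\IsCredGuardEnabled'` matches that value name under any key, while the description names the WDigest key specifically; `'\WDigest\IsCredGuardEnabled'` would match what the description says.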
@@ -0,0 +1,25 @@
title: Enabling COR Profiler Environment Variables
id: ad89044a-8f49-4673-9a55-cbd88a1b374f
description: This rule detects cor_enable_profiling and cor_profiler environment variables being set and configured.
status: experimental
date: 2020/09/10
author: Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)
tags:
- attack.persistence
- attack.privilege_escalation
- attack.defense_evasion
- attack.t1574.012
references:
- https://twitter.com/jamieantisocial/status/1304520651248668673
- https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors
- https://www.sans.org/cyber-security-summit/archives
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|endswith:
- '*\COR_ENABLE_PROFILING'
- '*\COR_PROFILER'
condition: selection
level: critical
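Review bot: `falsepositives` is missing entirely, and `level: critical` is strong for environment variables that .NET profilers and APM agents set legitimately when installed; list those as known benign setters. The leading `*` in `'*\COR_ENABLE_PROFILING'` and `'*\COR_PROFILER'` is redundant under `|endswith`. The `registry_event` category also covers value deletions, so the rule fires on removal of these variables as well; the description ("being set and configured") should say so or the selection should be narrowed to set events.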
+2
-3
@@ -1,4 +1,4 @@
title: Wdigest Registry Modification
title: Wdigest Enable UseLogonCredential
id: 1a2d6c47-75b0-45bd-b133-2c0be75349fd
description: Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials
status: experimental
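Review bot: `id: 1a2d6c47-75b0-45bd-b133-2c0be75349fd` is also the id given to the new "Wdigest CredGuard Registry Modification" rule in this commit; Sigma ids must be unique, so one of the two needs a fresh UUID. The retitle to "Wdigest Enable UseLogonCredential" is fine, but the description should then say which value write the rule is meant to catch, since the selection below matches any write to the key.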
@@ -10,11 +10,10 @@ tags:
references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
logsource:
category: registry_event
product: windows
service: sysmon
detection:
selection:
EventID: 13
TargetObject: '*WDigest\\UseLogonCredential'
condition: selection
falsepositives:
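Review bot: logsource mixes `category: registry_event` with `service: sysmon` and a hard-coded `EventID: 13`; the `+`/`-` markers did not survive rendering here, so confirm in the raw diff that the Sysmon-specific lines are the ones being removed, since a generic `registry_event` rule should not carry a Sysmon EventID. Also `TargetObject: '*WDigest\\UseLogonCredential'` relies on a leading wildcard while the sibling rules in this commit use `|endswith`; `TargetObject|endswith: '\WDigest\UseLogonCredential'` would be consistent.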