From 2cb540f95ed2d02f7d8a2bf84d9bf4a5962f156d Mon Sep 17 00:00:00 2001 
From: Roberto Rodriguez Date: Tue, 13 Oct 2020 03:33:55 -0400 Subject: [PATCH] 13 Rules from THP - Backlog Rules (old) --- .../zeek_dce_rpc_smb_spoolss_named_pipe.yml | 23 +++++++++++ .../win_dce_rpc_smb_spoolss_named_pipe.yml | 25 ++++++++++++ .../win_smb_file_creation_admin_shares.yml | 26 +++++++++++++ .../win_sysmon_channel_reference_deletion.yml | 35 +++++++++++++++++ ...cons_imageload_wmi_scripteventconsumer.yml | 30 +++++++++++++++ .../sysmon_wsman_provider_image_load.yml | 38 +++++++++++++++++++ .../sysmon_wuauclt_network_connection.yml | 21 ++++++++++ ...shell_wsman_com_provider_no_powershell.yml | 26 +++++++++++++ .../sysmon_dcom_excel_execution.yml | 25 ++++++++++++ .../sysmon_proxy_execution_wuauclt.yml | 24 ++++++++++++ ...ysmon_disable_wdigest_credential_guard.yml | 21 ++++++++++ ...on_enabling_cor_profiler_env_variables.yml | 25 ++++++++++++ ...mon_wdigest_enable_uselogoncredential.yml} | 5 +-- 13 files changed, 321 insertions(+), 3 deletions(-) create mode 100644 rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml create mode 100644 rules/windows/builtin/win_dce_rpc_smb_spoolss_named_pipe.yml create mode 100644 rules/windows/builtin/win_smb_file_creation_admin_shares.yml create mode 100644 rules/windows/builtin/win_sysmon_channel_reference_deletion.yml create mode 100644 rules/windows/image_load/sysmon_scrcons_imageload_wmi_scripteventconsumer.yml create mode 100644 rules/windows/image_load/sysmon_wsman_provider_image_load.yml create mode 100644 rules/windows/network_connection/sysmon_wuauclt_network_connection.yml create mode 100644 rules/windows/powershell/powershell_wsman_com_provider_no_powershell.yml create mode 100644 rules/windows/process_creation/sysmon_dcom_excel_execution.yml create mode 100644 rules/windows/process_creation/sysmon_proxy_execution_wuauclt.yml create mode 100644 rules/windows/registry_event/sysmon_disable_wdigest_credential_guard.yml create mode 100644 
rules/windows/registry_event/sysmon_enabling_cor_profiler_env_variables.yml rename rules/windows/{sysmon/sysmon_wdigest_registry_modification.yml => registry_event/sysmon_wdigest_enable_uselogoncredential.yml} (89%)
diff --git a/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml b/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml
new file mode 100644
index 000000000..dfa15acba
--- /dev/null
+++ b/rules/network/zeek/zeek_dce_rpc_smb_spoolss_named_pipe.yml
@@ -0,0 +1,23 @@
+title: First Time Seen Remote Named Pipe - Zeek
+id: bae2865c-5565-470d-b505-9496c87d0c30
+description: Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.
+author: OTR (Open Threat Research)
+references:
+ - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
+ - https://dirkjanm.io/a-different-way-of-abusing-zerologon/
+ - https://twitter.com/_dirkjan/status/1309214379003588608
+tags:
+ - attack.lateral_movement
+ - attack.t1021.002
+date: 2018/11/28
+logsource:
+ product: zeek
+ service: smb_files
+detection:
+ selection:
+ path: \\*\IPC$
+ name: spoolss
+ condition: selection
+falsepositives:
+ - 'Domain Controllers acting as printer servers too? :)'
+level: medium
\ No newline at end of file
diff --git a/rules/windows/builtin/win_dce_rpc_smb_spoolss_named_pipe.yml b/rules/windows/builtin/win_dce_rpc_smb_spoolss_named_pipe.yml
new file mode 100644
index 000000000..040b921f8
--- /dev/null
+++ b/rules/windows/builtin/win_dce_rpc_smb_spoolss_named_pipe.yml
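Review bot: `status:` is missing from this rule while every other new rule in the patch sets `status: experimental`; add `status: experimental` after the `id` line so the rule passes the same metadata checks as its siblings. The description says "spoolservice" — the Windows service is the Print Spooler, so `that has the Print Spooler service enabled` reads correctly, and the same wording is repeated in win_dce_rpc_smb_spoolss_named_pipe.yml. The falsepositives entry is a joke rather than a statement of what legitimately opens this pipe; print clients talk to print servers over spoolss, so `- Legitimate print clients connecting to print servers` tells an analyst what to expect. The file also lacks a trailing newline.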
@@ -0,0 +1,25 @@
+title: DCERPC SMB Spoolss Named Pipe
+id: 214e8f95-100a-4e04-bb31-ef6cba8ce07e
+description: Detects the use of the spoolss named pipe over SMB. This can be used to trigger the authentication via NTLM of any machine that has the spoolservice enabled.
+status: experimental
+references:
+ - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
+ - https://dirkjanm.io/a-different-way-of-abusing-zerologon/
+ - https://twitter.com/_dirkjan/status/1309214379003588608
+tags:
+ - attack.lateral_movement
+ - attack.t1021.002
+date: 2018/11/28
+author: OTR (Open Threat Research)
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: 5145
+ ShareName: \\*\IPC$
+ RelativeTargetName: spoolss
+ condition: selection
+falsepositives:
+ - 'Domain Controllers acting as printer servers too? :)'
+level: medium
diff --git a/rules/windows/builtin/win_smb_file_creation_admin_shares.yml b/rules/windows/builtin/win_smb_file_creation_admin_shares.yml
new file mode 100644
index 000000000..7aeec0e0a
--- /dev/null
+++ b/rules/windows/builtin/win_smb_file_creation_admin_shares.yml
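Review bot: Event 5145 is only generated when the "Detailed File Share" audit subcategory is enabled, and the rule does not say so; a note such as `# requires 'Audit Detailed File Share' (Success) — otherwise 5145 is never logged` above `EventID: 5145` would save a deployment surprise. As written the selection matches every open of the spoolss pipe, including ordinary print clients on a print server, which is the noise case the falsepositives list should name instead of the joke it carries. `level: medium` holds only if the rule is scoped to hosts where remote spooler access is not expected (the references are about domain controllers); that scoping is a deployment note the description should carry, since the rule cannot express it.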
@@ -0,0 +1,26 @@
+title: SMB Create Remote File Admin Share
+id: b210394c-ba12-4f89-9117-44a2464b9511
+description: Look for non-system accounts SMB accessing a file with write (0x2) access mask via administrative share (i.e C$).
+status: experimental
+date: 2020/08/06
+author: Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)
+tags:
+ - attack.lateral_movement
+ - attack.t1021.002
+references:
+ - https://github.com/OTRF/ThreatHunter-Playbook/blob/master/playbooks/WIN-201012004336.yaml
+ - https://mordordatasets.com/notebooks/small/windows/08_lateral_movement/SDWIN-200806015757.html?highlight=create%20file
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: 5145
+ ShareName: '*C$'
+ AccessMask: '0x2'
+ filter:
+ SubjectUserName: '*$'
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
diff --git a/rules/windows/builtin/win_sysmon_channel_reference_deletion.yml b/rules/windows/builtin/win_sysmon_channel_reference_deletion.yml
new file mode 100644
index 000000000..2387d06b8
--- /dev/null
+++ b/rules/windows/builtin/win_sysmon_channel_reference_deletion.yml
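Review bot: `ShareName: '*C$'` covers only the C$ share (and any share name that happens to end in C$), yet the title and description promise administrative shares in general; `ADMIN$` and other drive-letter shares such as `D$` are not matched. Turning the value into a list (`- '*\C$'`, `- '*\ADMIN$'`, `- '*\D$'`) or stating the C$-only choice in the description would close the gap. The `filter` drops machine accounts via `SubjectUserName: '*$'`, which is what "non-system accounts" in the description means — a comment `# machine accounts (names ending in $) are excluded` above the filter avoids reading it as SYSTEM.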
@@ -0,0 +1,35 @@
+title: Sysmon Channel Reference Deletion
+id: 18beca67-ab3e-4ee3-ba7a-a46ca8d7d0cc
+status: experimental
+description: Potential threat actor tampering with Sysmon manifest and eventually disabling it
+references:
+ - https://twitter.com/Flangvik/status/1283054508084473861
+ - https://twitter.com/SecurityJosh/status/1283027365770276866
+ - https://securityjosh.github.io/2020/04/23/Mute-Sysmon.html
+ - https://gist.github.com/Cyb3rWard0g/cf08c38c61f7e46e8404b38201ca01c8
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+date: 2020/07/14
+tags:
+ - attack.defense_evasion
+ - attack.t1112
+logsource:
+ product: windows
+ service: security
+detection:
+ selection1:
+ EventID: 4657
+ ObjectName|contains:
+ - 'WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'
+ - 'WINEVT\Channels\Microsoft-Windows-Sysmon/Operational'
+ ObjectValueName: 'Enabled'
+ NewValue: '0'
+ selection2:
+ EventID: 4663
+ ObjectName|contains:
+ - 'WINEVT\Publishers\{5770385f-c22a-43e0-bf4c-06f5698ffbd9}'
+ - 'WINEVT\Channels\Microsoft-Windows-Sysmon/Operational'
+ AccessMask: 0x10000
+ condition: selection1 or selection 2
+falsepositives:
+ - unknown
+level: critical
\ No newline at end of file
diff --git a/rules/windows/image_load/sysmon_scrcons_imageload_wmi_scripteventconsumer.yml b/rules/windows/image_load/sysmon_scrcons_imageload_wmi_scripteventconsumer.yml
new file mode 100644
index 000000000..4e2ea2e45
--- /dev/null
+++ b/rules/windows/image_load/sysmon_scrcons_imageload_wmi_scripteventconsumer.yml
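Review bot: `condition: selection1 or selection 2` names `selection 2` with a space, which is not an identifier defined under `detection:`; the rule validator rejects it (or the 4663 branch never matches), so the line must read `condition: selection1 or selection2`. `AccessMask: 0x10000` is an unquoted hex literal that YAML reads as the integer 65536, while the Security log carries AccessMask as a string; the rule already quotes `NewValue: '0'`, so `AccessMask: '0x10000'` keeps the comparison on strings. A why-comment `# 0x10000 = DELETE access right on the Sysmon publisher/channel keys` above that line would make the second selection reviewable, and `- unknown` should be `- Unknown` to match the sibling rules.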
@@ -0,0 +1,30 @@
+title: WMI Script Host Process Image Loaded
+id: b439f47d-ef52-4b29-9a2f-57d8a96cb6b8
+description: Detects signs of the WMI script host process %SystemRoot%\system32\wbem\scrcons.exe functionality being used via images being loaded by a process.
+status: experimental
+date: 2020/09/02
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.lateral_movement
+ - attack.privilege_escalation
+ - attack.persistence
+ - attack.t1546.003
+references:
+ - https://twitter.com/HunterPlaybook/status/1301207718355759107
+ - https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/
+ - https://threathunterplaybook.com/notebooks/windows/08_lateral_movement/WIN-200902020333.html
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ ImageLoaded|endswith:
+ - '\scrcons.exe'
+ - '\vbscript.dll'
+ - '\wbemdisp.dll'
+ - '\wshom.ocx'
+ - '\scrrun.dll'
+ condition: selection
+falsepositives:
+ - Unknown
+level: critical
diff --git a/rules/windows/image_load/sysmon_wsman_provider_image_load.yml b/rules/windows/image_load/sysmon_wsman_provider_image_load.yml
new file mode 100644
index 000000000..953e556e8
--- /dev/null
+++ b/rules/windows/image_load/sysmon_wsman_provider_image_load.yml
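Review bot: The selection constrains only `ImageLoaded`, not the loading process, so `\vbscript.dll`, `\scrrun.dll` and `\wshom.ocx` loads by any ordinary script host are expected to match as well, which makes a `level: critical` rule fire on routine activity. The referenced technique is these DLLs being loaded into scrcons.exe, so adding `Image|endswith: '\scrcons.exe'` to the selection ties the detection to the process the title names; `'\scrcons.exe'` in the `ImageLoaded` list then becomes redundant. If the wider "any process" coverage is intended, the description should say so and `level` should come down accordingly.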
@@ -0,0 +1,38 @@
+title: Suspicious WSMAN Provider Image Loads
+id: ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94
+description: Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution.
+status: experimental
+date: 2020/06/24
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.execution
+ - attack.t1059.001
+ - attack.lateral_movement
+ - attack.t1021.003
+references:
+ - https://twitter.com/chadtilbury/status/1275851297770610688
+ - https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/
+ - https://docs.microsoft.com/en-us/windows/win32/winrm/windows-remote-management-architecture
+ - https://github.com/bohops/WSMan-WinRM
+logsource:
+ category: image_load
+ product: windows
+detection:
+ request_client:
+ - ImageLoaded|endswith:
+ - '\WsmSvc.dll'
+ - '\WsmAuto.dll'
+ - '\Microsoft.WSMan.Management.ni.dll'
+ - OriginalFileName:
+ - WsmSvc.dll
+ - WSMANAUTOMATION.DLL
+ - Microsoft.WSMan.Management.dll
+ filter_ps:
+ Image|endswith: '\powershell.exe'
+ respond_server:
+ Image|endswith: '\svchost.exe'
+ OriginalFileName: 'WsmWmiPl.dll'
+ condition: (request_client and not filter_ps) or respond_server
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/network_connection/sysmon_wuauclt_network_connection.yml b/rules/windows/network_connection/sysmon_wuauclt_network_connection.yml
new file mode 100644
index 000000000..e9e0b4466
--- /dev/null
+++ b/rules/windows/network_connection/sysmon_wuauclt_network_connection.yml
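Review bot: `filter_ps` excludes only `\powershell.exe`, so the `request_client` branch will most likely also flag `pwsh.exe` (PowerShell 7) and `wsmprovhost.exe`, which load the WSMan automation DLLs as part of normal remoting; both belong in the filter list unless they are meant to be findings, e.g. `Image|endswith:` with `- '\powershell.exe'`, `- '\pwsh.exe'`, `- '\wsmprovhost.exe'`. It cannot be told from the rule whether the WinRM service host (svchost.exe) also loads `WsmSvc.dll`; if it does, `request_client` already overlaps `respond_server` and the condition should say which branch is meant to catch the server side. A comment above `respond_server:` such as `# server side: WinRM svchost loading the WMI plug-in (WsmWmiPl.dll)` would explain why that branch carries no process filter.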
@@ -0,0 +1,21 @@
+title: Wuauclt Network Connection
+id: c649a6c7-cd8c-4a78-9c04-000fc76df954
+description: Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making a network connectionxs. One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule.
+status: experimental
+date: 2020/10/12
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+references:
+ - https://dtm.uk/wuauclt/
+logsource:
+ category: network_connection
+ product: windows
+detection:
+ selection:
+ Image|contains: wuauclt
+ condition: selection
+falsepositives:
+ - Legitimate use of wuauclt.exe over the network.
+level: critical
diff --git a/rules/windows/powershell/powershell_wsman_com_provider_no_powershell.yml b/rules/windows/powershell/powershell_wsman_com_provider_no_powershell.yml
new file mode 100644
index 000000000..bba5b4a22
--- /dev/null
+++ b/rules/windows/powershell/powershell_wsman_com_provider_no_powershell.yml
@@ -0,0 +1,26 @@
+title: Suspicious Non PowerShell WSMAN COM Provider
+id: df9a0e0e-fedb-4d6c-8668-d765dfc92aa7
+description: Detects suspicious use of the WSMAN provider without PowerShell.exe as the host application.
+status: experimental
+date: 2020/06/24
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.execution
+ - attack.t1059.001
+ - attack.lateral_movement
+ - attack.t1021.003
+references:
+ - https://twitter.com/chadtilbury/status/1275851297770610688
+ - https://bohops.com/2020/05/12/ws-management-com-another-approach-for-winrm-lateral-movement/
+ - https://github.com/bohops/WSMan-WinRM
+logsource:
+ product: windows
+ service: powershell
+detection:
+ selection_one:
+ Message: '*ProviderName=WSMan*'
+ selection_two:
+ Message: '*HostApplication=*powershell*'
+ condition: selection_one and not selection_two
+falsepositives:
+level: medium
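Review bot: `id: c649a6c7-cd8c-4a78-9c04-000fc76df954` is reused verbatim by sysmon_proxy_execution_wuauclt.yml later in this patch; Sigma ids must be unique per rule and the repository's id-uniqueness test fails on the pair, so one of the two needs a fresh UUID. `Image|contains: wuauclt` matches any image path containing that substring; the sibling process_creation rule pairs it with `OriginalFileName: wuauclt.exe`, and `Image|endswith: '\wuauclt.exe'` would be the tighter form here. The description has a typo ("connectionxs" → "connections"), and `level: critical` sits oddly next to a falsepositives entry that admits legitimate network use of wuauclt.exe — either lower the level or narrow the description to what is actually rare.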
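Review bot: `falsepositives:` is a bare key, which YAML reads as null rather than as an empty list; every other rule in the patch carries at least `- Unknown`, and the rule-format tests expect a list, so write `falsepositives:` followed by `- Unknown` (or the real case, e.g. management agents that use the WSMan COM provider outside PowerShell). `selection_two` only excludes `*powershell*` in `HostApplication`, so hosts such as `pwsh` are flagged as well — consistent with the title's "Non PowerShell" only if PowerShell 7 is deliberately in scope; the description should state which. The enclosing rule is complete within the hunk.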
diff --git a/rules/windows/process_creation/sysmon_dcom_excel_execution.yml b/rules/windows/process_creation/sysmon_dcom_excel_execution.yml
new file mode 100644
index 000000000..99c647369
--- /dev/null
+++ b/rules/windows/process_creation/sysmon_dcom_excel_execution.yml
@@ -0,0 +1,25 @@
+title: DCOM Excel Execution
+id: 6a5d969f-c808-4cfb-a490-9bbe58b31d89
+description: Detects Excel application started via the DCOMLaunch service and through automation.
+status: experimental
+date: 2020/09/17
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.lateral_movement
+ - attack.t1021.003
+references:
+ - https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-2-dcom/
+ - https://twitter.com/Mordor_Project/status/1307070347850772481
+ - https://twitter.com/MDSecLabs/status/1306610061242925056
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentCommandLine|contains: DcomLaunch
+ OriginalFileName: Excel.exe
+ CommandLine|Contains: automation
+ condition: selection
+falsepositives:
+ - Unknown
+level: critical
diff --git a/rules/windows/process_creation/sysmon_proxy_execution_wuauclt.yml b/rules/windows/process_creation/sysmon_proxy_execution_wuauclt.yml
new file mode 100644
index 000000000..5462153ac
--- /dev/null
+++ b/rules/windows/process_creation/sysmon_proxy_execution_wuauclt.yml
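Review bot: `CommandLine|Contains: automation` uses a capitalised modifier; Sigma modifiers are lower-case (`contains`), and an unknown modifier is rejected by the rule validator, so the line should read `CommandLine|contains: automation`. The same `|Contains` spelling appears in sysmon_proxy_execution_wuauclt.yml later in this patch. `ParentCommandLine|contains: DcomLaunch` is standing in for "parent is the DcomLaunch service host"; a comment `# parent is the DcomLaunch svchost, i.e. Excel was activated via DCOM` above it records that intent, since the substring match alone does not say why the parent command line is consulted.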
@@ -0,0 +1,24 @@
+title: Proxy Execution via Wuauclt
+id: c649a6c7-cd8c-4a78-9c04-000fc76df954
+description: Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code.
+status: experimental
+date: 2020/10/12
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+references:
+ - https://dtm.uk/wuauclt/
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_one:
+ - Image|contains: wuauclt
+ - OriginalFileName: wuauclt.exe
+ selection_two:
+ CommandLine|Contains: '*wuauclt*UpdateDeploymentProvider*.dll*RunHandlerComServer'
+ condition: selection_one and selection_two
+falsepositives:
+ - Unknown
+level: critical
diff --git a/rules/windows/registry_event/sysmon_disable_wdigest_credential_guard.yml b/rules/windows/registry_event/sysmon_disable_wdigest_credential_guard.yml
new file mode 100644
index 000000000..07ffdf7ce
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_disable_wdigest_credential_guard.yml
@@ -0,0 +1,21 @@
+title: Wdigest CredGuard Registry Modification
+id: 1a2d6c47-75b0-45bd-b133-2c0be75349fd
+description: Detects potential malicious modification of the property value of IsCredGuardEnabled from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to disable Cred Guard on a system. This is usually used with UseLogonCredential to manipulate the caching credentials.
+status: experimental
+date: 2019/08/25
+author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
+tags:
+ - attack.defense_evasion
+ - attack.t1112
+references:
+ - https://teamhydra.blog/2020/08/25/bypassing-credential-guard/
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ TargetObject|endswith: '\IsCredGuardEnabled'
+ condition: selection
+falsepositives:
+ - Unknown
+level: critical
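Review bot: Besides the `|Contains` capitalisation already raised on sysmon_dcom_excel_execution.yml, `selection_two` pairs the `contains` modifier with a value that starts with `*`; `contains` already surrounds the value with wildcards, so the leading `*` is redundant and some backends render it as a double wildcard — `'wuauclt*UpdateDeploymentProvider*.dll*RunHandlerComServer'` says the same thing. A comment above `selection_two:` such as `# /UpdateDeploymentProvider <dll> /RunHandlerComServer: the switch pair from the referenced write-up` would tell a maintainer what the pattern encodes. The duplicate `id` with the network_connection rule is noted on that hunk.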
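Review bot: `id: 1a2d6c47-75b0-45bd-b133-2c0be75349fd` is the id of the renamed sysmon_wdigest_enable_uselogoncredential.yml at the end of this patch, so the two rules collide on the unique-id test; give this new rule its own UUID. The selection matches any write to a value ending in `\IsCredGuardEnabled` with no constraint on the data written, so the rule fires on a legitimate enable exactly as on a disable while the title and description say "disable"; if the registry_event source exposes the written data as it does for Sysmon, `Details: 'DWORD (0x00000000)'` in the selection would make the rule say what it means. The `date: 2019/08/25` precedes the only reference (dated 2020/08/25) and looks like a typo.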
diff --git a/rules/windows/registry_event/sysmon_enabling_cor_profiler_env_variables.yml b/rules/windows/registry_event/sysmon_enabling_cor_profiler_env_variables.yml
new file mode 100644
index 000000000..33060bd78
--- /dev/null
+++ b/rules/windows/registry_event/sysmon_enabling_cor_profiler_env_variables.yml
@@ -0,0 +1,25 @@
+title: Enabling COR Profiler Environment Variables
+id: ad89044a-8f49-4673-9a55-cbd88a1b374f
+description: This rule detects cor_enable_profiling and cor_profiler environment variables being set and configured.
+status: experimental
+date: 2020/09/10
+author: Jose Rodriguez (@Cyb3rPandaH), OTR (Open Threat Research)
+tags:
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.defense_evasion
+ - attack.t1574.012
+references:
+ - https://twitter.com/jamieantisocial/status/1304520651248668673
+ - https://www.slideshare.net/JamieWilliams130/started-from-the-bottom-exploiting-data-sources-to-uncover-attck-behaviors
+ - https://www.sans.org/cyber-security-summit/archives
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ TargetObject|endswith:
+ - '*\COR_ENABLE_PROFILING'
+ - '*\COR_PROFILER'
+ condition: selection
+level: critical
\ No newline at end of file
diff --git a/rules/windows/sysmon/sysmon_wdigest_registry_modification.yml b/rules/windows/registry_event/sysmon_wdigest_enable_uselogoncredential.yml
similarity index 89%
rename from rules/windows/sysmon/sysmon_wdigest_registry_modification.yml
rename to rules/windows/registry_event/sysmon_wdigest_enable_uselogoncredential.yml
index ff3588f30..3316cb1f8 100644
--- a/rules/windows/sysmon/sysmon_wdigest_registry_modification.yml
+++ b/rules/windows/registry_event/sysmon_wdigest_enable_uselogoncredential.yml
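Review bot: The rule has no `falsepositives` key at all, unlike every other rule in the patch; the Sigma rule tests expect it, so add `falsepositives:` with `- Unknown` (or, more usefully, .NET profilers and diagnostic tooling that legitimately set these variables) before `level`. The `TargetObject|endswith` values start with `*`, which is redundant with the modifier — `endswith` already prepends a wildcard — so `'\COR_ENABLE_PROFILING'` and `'\COR_PROFILER'` are enough and avoid backend-specific double-wildcard handling. Because the match is on the value name only, both machine-wide and per-user Environment keys are in scope; that suits the technique, but a comment `# matches HKLM and HKCU Environment keys alike` makes the scope deliberate rather than accidental. The file also lacks a trailing newline.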
@@ -1,4 +1,4 @@
-title: Wdigest Registry Modification
+title: Wdigest Enable UseLogonCredential
 id: 1a2d6c47-75b0-45bd-b133-2c0be75349fd
 description: Detects potential malicious modification of the property value of UseLogonCredential from HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest to enable clear-text credentials
 status: experimental
@@ -10,11 +10,10 @@ tags:
 references:
 - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
 logsource:
+ category: registry_event
 product: windows
- service: sysmon
 detection:
 selection:
- EventID: 13
 TargetObject: '*WDigest\\UseLogonCredential'
 condition: selection
 falsepositives:
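Review bot: After the change `TargetObject: '*WDigest\\UseLogonCredential'` still matches any modification of the value with no constraint on the data written, while the new title says "Enable"; if the intent is to alert only on the clear-text-credential setting, add `Details: 'DWORD (0x00000001)'` to the selection, otherwise the title should stay neutral ("Modification"). Replacing `EventID: 13` with `category: registry_event` appears to widen the rule from value-set events to the whole registry event category (create/delete and rename as well); that may be acceptable, but the falsepositives list, which continues outside the hunk, should be reviewed against the wider scope. The id collision with the new sysmon_disable_wdigest_credential_guard.yml is noted on that hunk.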