From 16d4d0b6ea9414958b0e61f8a9017e0623950da2 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 25 Apr 2023 18:59:24 +0200
Subject: [PATCH 1/4] Update test_rules.py
---
 tests/test_rules.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/test_rules.py b/tests/test_rules.py
index 7b6d59eb6..634c1c0c9 100755
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
@@ -33,7 +33,7 @@ class TestRules(unittest.TestCase):
 # Don't use trademarks in rules - they require non-ASCII characters to be used on we don't want them in our rules
 TRADE_MARKS = {"MITRE ATT&CK", "ATT&CK"}
- path_to_rules_ = ["rules", "rules-emerging-threats", "rules-placeholder", "rules-threat-hunting", "rules-compliance"]
+ path_to_rules_ = ["../rules", "../rules-emerging-threats", "../rules-placeholder", "../rules-threat-hunting", "../rules-compliance"]
 path_to_rules = []
 for path_ in path_to_rules_:
 path_to_rules.append(os.path.join(os.path.dirname(os.path.realpath(__file__)), path_))
From 1ed9743e7c09c5a61ea72806546f22111326d62d Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 25 Apr 2023 19:18:38 +0200
Subject: [PATCH 2/4] fix: test issues
---
 ...ndstorm_aspera_faspex_susp_child_process.yml | 4 ++--
 ...ndstorm_manage_engine_susp_child_process.yml | 6 +++---
 ...cut_print_management_exploitation_pc_app.yml | 17 ++++++++++++++++-
 tests/test_rules.py | 2 +-
 4 files changed, 22 insertions(+), 7 deletions(-)
diff --git a/rules-emerging-threats/2023/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_aspera_faspex_susp_child_process.yml b/rules-emerging-threats/2023/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_aspera_faspex_susp_child_process.yml
index d79870ce9..ff2f20698 100644
--- a/rules-emerging-threats/2023/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_aspera_faspex_susp_child_process.yml
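Review bot: The corrected entries are joined and appended without any check that the directory exists, so a wrong entry in `path_to_rules_` makes the rule-file iteration (presumably `yield_next_rule_file_path`, used further down in this file) visit nothing and every rule test passes vacuously, which is plausibly how the old `rules` value went unnoticed. I would validate each path as it is built: `p = os.path.normpath(os.path.join(os.path.dirname(os.path.realpath(__file__)), path_))`, `if not os.path.isdir(p): raise FileNotFoundError(p)`, `path_to_rules.append(p)`. `normpath` also keeps the `..` out of the paths that later appear in failure messages. The enclosing `TestRules` class body continues outside the hunk.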
+++ b/rules-emerging-threats/2023/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_aspera_faspex_susp_child_process.yml
@@ -6,6 +6,7 @@ references:
 - https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/
 author: Nasreddine Bencherchali (Nextron Systems), MSTIC (idea)
 date: 2023/04/20
+modified: 2023/04/25
 tags:
 - attack.execution
 logsource:
@@ -76,8 +77,7 @@ detection:
 - 'localgroup Administrators'
 - '/add'
 selection_child_net:
- CommandLine|contains:
- - 'net' # Covers net1
+ CommandLine|contains: 'net' # Covers net1
 CommandLine|contains|all:
 - 'user'
 - '/add'
diff --git a/rules-emerging-threats/2023/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_manage_engine_susp_child_process.yml b/rules-emerging-threats/2023/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_manage_engine_susp_child_process.yml
index 0ad2329bf..0335b7a4a 100644
--- a/rules-emerging-threats/2023/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_manage_engine_susp_child_process.yml
+++ b/rules-emerging-threats/2023/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_manage_engine_susp_child_process.yml
@@ -6,6 +6,7 @@ references:
 - https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/
 author: Nasreddine Bencherchali (Nextron Systems), MSTIC (idea)
 date: 2023/04/20
+modified: 2023/04/25
 tags:
 - attack.execution
 logsource:
@@ -78,8 +79,7 @@ detection:
 - 'localgroup Administrators'
 - '/add'
 selection_child_net:
- CommandLine|contains:
- - 'net' # Covers net1
+ CommandLine|contains: 'net' # Covers net1
 CommandLine|contains|all:
 - 'user'
 - '/add'
@@ -116,7 +116,7 @@ detection:
 - 'download.microsoft.com'
 - 'manageengine.com'
 - 'msiexec'
- condition: all of selection_parent_path and (all of selection_special_child_powershell_* or all of selection_special_child_lsass_* or 1 of selection_child_*) and not filter_main
+ condition: all of selection_parent_* and (all of selection_special_child_powershell_* or all of selection_special_child_lsass_* or 1 of selection_child_*) and not filter_main
 falsepositives:
 - Unlikely
 level: critical
diff --git a/rules-emerging-threats/2023/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_pc_app.yml b/rules-emerging-threats/2023/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_pc_app.yml
index 93821d2de..b6aa10f7a 100644
--- a/rules-emerging-threats/2023/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_pc_app.yml
+++ b/rules-emerging-threats/2023/PaperCut-Print-Management-Exploitation/proc_creation_win_papercut_print_management_exploitation_pc_app.yml
@@ -1,5 +1,5 @@
 title: PaperCut MF/NG Potential Exploitation
-id: de1bd0b6-6d59-417c-86d9-a44114aede3b
+id: 0934ac71-a331-4e98-a034-d49c491fbbcb
 status: test
 description: Detects suspicious child processes of "pc-app.exe". Which could indicate potential exploitation of PaperCut
 references:
@@ -7,6 +7,7 @@ references:
 - https://github.com/huntresslabs/threat-intel/blob/main/2023/2023-04/20-PaperCut/win_susp_papercut_code_execution.yml
 author: Nasreddine Bencherchali (Nextron Systems), Huntress DE&TH Team (idea)
 date: 2023/04/20
+modified: 2023/04/25
 tags:
 - attack.execution
 logsource:
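Review bot: `condition: all of selection_parent_*` now requires every `selection_parent_*` block to match, and those blocks are defined above this hunk where I cannot see them. If there is more than one and they identify the parent in alternative ways, the change silently narrows the rule to events matching all of them and `1 of selection_parent_*` would be the intended operator; if they are meant to be ANDed, the rewrite is correct and a short comment on the condition line saying so would spare the next reader the same question. The `detection` block starts outside the hunk.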
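Review bot: Replacing the `id` of a rule that has already shipped (status `test`, dated 2023/04/20) breaks anyone tracking it by UUID, and the commit message `fix: test issues` does not say why — presumably the old UUID collided with another rule's and a duplicate-id test caught it. The old identifier should be recorded rather than dropped; Sigma's `related` list with `type: renamed` exists for exactly this, e.g. `related:` / `- id: de1bd0b6-6d59-417c-86d9-a44114aede3b` / `type: renamed` directly under the new `id` line. The commit message should state the reason for the change as well.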
@@ -16,9 +17,23 @@ detection:
 selection:
 ParentImage|endswith: '\pc-app.exe'
 Image|endswith:
+ - '\bash.exe'
+ - '\calc.exe'
+ - '\certutil.exe'
 - '\cmd.exe'
+ - '\csc.exe'
+ - '\cscript.exe'
+ - '\dllhost.exe'
+ - '\mshta.exe'
+ - '\msiexec.exe'
 - '\powershell.exe'
 - '\pwsh.exe'
+ - '\regsvr32.exe'
+ - '\rundll32.exe'
+ - '\scriptrunner.exe'
+ - '\wmic.exe'
+ - '\wscript.exe'
+ - '\wsl.exe'
 condition: selection
 falsepositives:
 - Legitimate administration activity
diff --git a/tests/test_rules.py b/tests/test_rules.py
index 634c1c0c9..e726415c9 100755
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
@@ -759,7 +759,7 @@ class TestRules(unittest.TestCase):
 def test_file_names(self):
 faulty_rules = []
 name_lst = []
- filename_pattern = re.compile(r'[a-z0-9_]{10,70}\.yml')
+ filename_pattern = re.compile(r'[a-z0-9_]{10,80}\.yml')
 for file in self.yield_next_rule_file_path(self.path_to_rules):
 filename = os.path.basename(file)
 if filename in name_lst:
From ae41afb8ccca8198f975bc3efcf48a43d675832e Mon Sep 17 00:00:00 2001
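Review bot: The expanded `Image|endswith` list adds `\dllhost.exe` and `\msiexec.exe`, which unlike the scripting hosts can plausibly be spawned by a server application for COM activation or an installer run, so the rule's false-positive profile has changed while `falsepositives` still only lists `Legitimate administration activity`. I cannot see pc-app.exe's normal child processes from here, but if those two entries are kept the `falsepositives` list should name them, e.g. add `- Legitimate updates or COM activations spawning msiexec.exe or dllhost.exe from pc-app.exe`, so that operators tuning the rule know where to look first. The rule's `level` field is outside the hunk and may deserve the same review.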
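Review bot: Widening `{10,70}` to `{10,80}` is fine, but the pattern has no anchors, so what it enforces depends on how it is applied below the hunk: with `re.match` a name with extra characters after `.yml` still passes, and with `re.search` an uppercase character anywhere in the stem (the `log4J` rename in the next patch) would pass too. If the check is not already `filename_pattern.fullmatch(filename)`, I would make it so; the pattern itself can stay as it is. `test_file_names` continues outside the hunk.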
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 25 Apr 2023 20:15:15 +0200
Subject: [PATCH 3/4] fix: issues with tests
---
 ...nt_sandstorm_log4j_wstomcat_execution.yml} | 0
 .../builtin/security/win_pass_the_hash.yml | 32 -------------------
 ..._registry_management_using_reg_utility.yml | 30 -----------------
 ...=> win_security_exploit_cve_2020_1472.yml} | 14 ++++----
 .../win_security_potential_pass_the_hash.yml | 32 +++++++++++++++++++
 ...ity_remote_registry_management_via_reg.yml | 30 +++++++++++++++++
 .../win_security_susp_interactive_logons.yml | 31 ++++++++++++++++++
 .../security/win_susp_interactive_logons.yml | 31 ------------------
 8 files changed, 100 insertions(+), 100 deletions(-)
 rename rules-emerging-threats/2023/Mint-Sandstorm/{proc_creation_win_apt_mint_sandstorm_log4J_wstomcat_execution.yml => proc_creation_win_apt_mint_sandstorm_log4j_wstomcat_execution.yml} (100%)
 delete mode 100644 rules-placeholder/windows/builtin/security/win_pass_the_hash.yml
 delete mode 100644 rules-placeholder/windows/builtin/security/win_remote_registry_management_using_reg_utility.yml
 rename rules-placeholder/windows/builtin/security/{win_privesc_cve_2020_1472.yml => win_security_exploit_cve_2020_1472.yml} (70%)
 create mode 100644 rules-placeholder/windows/builtin/security/win_security_potential_pass_the_hash.yml
 create mode 100644 rules-placeholder/windows/builtin/security/win_security_remote_registry_management_via_reg.yml
 create mode 100644 rules-placeholder/windows/builtin/security/win_security_susp_interactive_logons.yml
 delete mode 100644 rules-placeholder/windows/builtin/security/win_susp_interactive_logons.yml
diff --git a/rules-emerging-threats/2023/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_log4J_wstomcat_execution.yml b/rules-emerging-threats/2023/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_log4j_wstomcat_execution.yml
similarity index 100%
rename from rules-emerging-threats/2023/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_log4J_wstomcat_execution.yml
rename to rules-emerging-threats/2023/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_log4j_wstomcat_execution.yml
diff --git a/rules-placeholder/windows/builtin/security/win_pass_the_hash.yml b/rules-placeholder/windows/builtin/security/win_pass_the_hash.yml
deleted file mode 100644
index 321d0997a..000000000
--- a/rules-placeholder/windows/builtin/security/win_pass_the_hash.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: Pass the Hash Activity
-id: f8d98d6c-7a07-4d74-b064-dd4a3c244528
-status: test
-description: Detects the attack technique pass the hash which is used to move laterally inside the network
-author: Ilias el Matani (rule), The Information Assurance Directorate at the NSA (method)
-references:
- - https://github.com/iadgov/Event-Forwarding-Guidance/tree/master/Events
-date: 2017/03/08
-modified: 2021/11/27
-logsource:
- product: windows
- service: security
- definition: The successful use of PtH for lateral movement between workstations would trigger event ID 4624, a failed logon attempt would trigger an event ID 4625
-detection:
- selection:
- EventID:
- - 4624
- - 4625
- LogonType: '3'
- LogonProcessName: 'NtLmSsp'
- WorkstationName: '%Workstations%'
- ComputerName: '%Workstations%'
- filter:
- TargetUserName: 'ANONYMOUS LOGON'
- condition: selection and not filter
-falsepositives:
- - Administrator activity
-level: medium
-tags:
- - attack.lateral_movement
- - car.2016-04-004
- - attack.t1550.002
diff --git a/rules-placeholder/windows/builtin/security/win_remote_registry_management_using_reg_utility.yml b/rules-placeholder/windows/builtin/security/win_remote_registry_management_using_reg_utility.yml
deleted file mode 100644
index 86a109be7..000000000
--- a/rules-placeholder/windows/builtin/security/win_remote_registry_management_using_reg_utility.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: Remote Registry Management Using Reg Utility
-id: 68fcba0d-73a5-475e-a915-e8b4c576827e
-status: test
-description: Remote registry management using REG utility from non-admin workstation
-author: Teymur Kheirkhabarov, oscd.community
-references:
- - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
-date: 2019/10/22
-modified: 2021/11/27
-logsource:
- product: windows
- service: security
-detection:
- selection_1:
- EventID: 5145
- RelativeTargetName|contains: '\winreg'
- filter:
- IpAddress: '%Admins_Workstations%'
- condition: selection_1 and not filter
-falsepositives:
- - Legitimate usage of remote registry management by administrator
-level: medium
-tags:
- - attack.defense_evasion
- - attack.t1112
- - attack.discovery
- - attack.t1012
- - attack.credential_access
- - attack.t1552.002
- - attack.s0075
diff --git a/rules-placeholder/windows/builtin/security/win_privesc_cve_2020_1472.yml b/rules-placeholder/windows/builtin/security/win_security_exploit_cve_2020_1472.yml
similarity index 70%
rename from rules-placeholder/windows/builtin/security/win_privesc_cve_2020_1472.yml
rename to rules-placeholder/windows/builtin/security/win_security_exploit_cve_2020_1472.yml
index 2a8eebdbd..7a1894d11 100644
--- a/rules-placeholder/windows/builtin/security/win_privesc_cve_2020_1472.yml
+++ b/rules-placeholder/windows/builtin/security/win_security_exploit_cve_2020_1472.yml
@@ -1,16 +1,16 @@
-title: 'Possible Zerologon (CVE-2020-1472) Exploitation'
+title: Potential Zerologon (CVE-2020-1472) Exploitation
 id: dd7876d8-0f09-11eb-adc1-0242ac120002
 status: experimental
-description: Detects Netlogon Elevation of Privilege Vulnerability aka Zerologon (CVE-2020-1472)
+description: Detects potential Netlogon Elevation of Privilege Vulnerability aka Zerologon (CVE-2020-1472)
 references:
 - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
 - https://www.logpoint.com/en/blog/detecting-zerologon-vulnerability-in-logpoint/
-author: 'Aleksandr Akhremchik, @aleqs4ndr, ocsd.community'
+author: Aleksandr Akhremchik, @aleqs4ndr, ocsd.community
 date: 2020/10/15
-modified: 2021/07/07
+modified: 2023/04/25
 tags:
- - attack.t1068
 - attack.privilege_escalation
+ - attack.t1068
 logsource:
 product: windows
 service: security
@@ -19,9 +19,9 @@ detection:
 EventID: 4742
 SubjectUserName: 'ANONYMOUS LOGON'
 TargetUserName: '%DC-MACHINE-NAME%' # DC machine account name that ends with '$'
- filter:
+ filter_main:
 PasswordLastSet: '-'
- condition: selection and not filter
+ condition: selection and not filter_main
 falsepositives:
 - Automatic DC computer account password change
 - Legitimate DC computer account password change
diff --git a/rules-placeholder/windows/builtin/security/win_security_potential_pass_the_hash.yml b/rules-placeholder/windows/builtin/security/win_security_potential_pass_the_hash.yml
new file mode 100644
index 000000000..91c472f3a
--- /dev/null
+++ b/rules-placeholder/windows/builtin/security/win_security_potential_pass_the_hash.yml
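Review bot: `filter_main` excludes 4742 events whose `PasswordLastSet` is `-` (in 4742 a `-` marks an attribute the change did not touch), which is what turns the selection from a generic anonymous account-change alert into a password-reset detection, but nothing in the rule says so and the rename from `filter` to `filter_main` is the moment to document it. I would add a trailing comment, `filter_main: # drop 4742 events where the password attribute was not changed`, matching the inline comment style already used on the `TargetUserName` line. The `selection` block header sits above the second hunk.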
@@ -0,0 +1,32 @@
+title: Potential Pass the Hash Activity
+id: f8d98d6c-7a07-4d74-b064-dd4a3c244528
+status: test
+description: Detects the attack technique pass the hash which is used to move laterally inside the network
+references:
+ - https://github.com/nsacyber/Event-Forwarding-Guidance/tree/6e92d622fa33da911f79e7633da4263d632f9624/Events
+author: Ilias el Matani (rule), The Information Assurance Directorate at the NSA (method)
+date: 2017/03/08
+modified: 2023/04/25
+tags:
+ - attack.lateral_movement
+ - attack.t1550.002
+ - car.2016-04-004
+logsource:
+ product: windows
+ service: security
+ definition: The successful use of PtH for lateral movement between workstations would trigger event ID 4624, a failed logon attempt would trigger an event ID 4625
+detection:
+ selection:
+ EventID:
+ - 4624
+ - 4625
+ LogonType: 3
+ LogonProcessName: 'NtLmSsp'
+ WorkstationName: '%Workstations%'
+ ComputerName: '%Workstations%'
+ filter:
+ TargetUserName: 'ANONYMOUS LOGON'
+ condition: selection and not filter
+falsepositives:
+ - Administrator activity
+level: medium
diff --git a/rules-placeholder/windows/builtin/security/win_security_remote_registry_management_via_reg.yml b/rules-placeholder/windows/builtin/security/win_security_remote_registry_management_via_reg.yml
new file mode 100644
index 000000000..f2776c7b7
--- /dev/null
+++ b/rules-placeholder/windows/builtin/security/win_security_remote_registry_management_via_reg.yml
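Review bot: The rebuilt rule keeps its exclusion named `filter` while the two sibling rules created in this same patch (`win_security_remote_registry_management_via_reg.yml`, `win_security_susp_interactive_logons.yml`) and the renamed Zerologon rule were switched to `filter_main`; since this file is being recreated anyway it should follow the same convention, i.e. `filter_main:` and `condition: selection and not filter_main`. `LogonType` also changes from the string `'3'` in the deleted file to the integer `3`, which may matter for backends that emit typed comparisons and is worth a word in the commit message.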
@@ -0,0 +1,30 @@
+title: Remote Registry Management Using Reg Utility
+id: 68fcba0d-73a5-475e-a915-e8b4c576827e
+status: test
+description: Remote registry management using REG utility from non-admin workstation
+references:
+ - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+author: Teymur Kheirkhabarov, oscd.community
+date: 2019/10/22
+modified: 2023/04/25
+tags:
+ - attack.credential_access
+ - attack.defense_evasion
+ - attack.discovery
+ - attack.s0075
+ - attack.t1012
+ - attack.t1112
+ - attack.t1552.002
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: 5145
+ RelativeTargetName|contains: '\winreg'
+ filter_main:
+ IpAddress: '%Admins_Workstations%'
+ condition: selection and not filter_main
+falsepositives:
+ - Legitimate usage of remote registry management by administrator
+level: medium
diff --git a/rules-placeholder/windows/builtin/security/win_security_susp_interactive_logons.yml b/rules-placeholder/windows/builtin/security/win_security_susp_interactive_logons.yml
new file mode 100644
index 000000000..4610cca44
--- /dev/null
+++ b/rules-placeholder/windows/builtin/security/win_security_susp_interactive_logons.yml
@@ -0,0 +1,31 @@
+title: Interactive Logon to Server Systems
+id: 3ff152b2-1388-4984-9cd9-a323323fdadf
+status: test
+description: Detects interactive console logons to Server Systems
+author: Florian Roth (Nextron Systems)
+date: 2017/03/17
+modified: 2023/04/25
+tags:
+ - attack.lateral_movement
+ - attack.t1078
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID:
+ - 528
+ - 529
+ - 4624
+ - 4625
+ LogonType: 2
+ ComputerName:
+ - '%ServerSystems%'
+ - '%DomainControllers%'
+ filter_main:
+ LogonProcessName: 'Advapi'
+ ComputerName: '%Workstations%'
+ condition: selection and not filter
+falsepositives:
+ - Administrative activity via KVM or ILO board
+level: medium
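Review bot: In `win_security_susp_interactive_logons.yml`, `condition: selection and not filter` references a selection this file does not define — the block above it is named `filter_main` — so as committed the rule is unusable and a Sigma compiler should reject it for an undefined selection name. Patch 4/4 of this series corrects the condition to `filter_main`; since both patches are in flight together, squashing that fix into this one would avoid leaving a commit in history where the rule is broken.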
diff --git a/rules-placeholder/windows/builtin/security/win_susp_interactive_logons.yml b/rules-placeholder/windows/builtin/security/win_susp_interactive_logons.yml
deleted file mode 100644
index ecd0b9f93..000000000
--- a/rules-placeholder/windows/builtin/security/win_susp_interactive_logons.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: Interactive Logon to Server Systems
-id: 3ff152b2-1388-4984-9cd9-a323323fdadf
-status: test
-description: Detects interactive console logons to Server Systems
-author: Florian Roth (Nextron Systems)
-date: 2017/03/17
-modified: 2021/11/27
-logsource:
- product: windows
- service: security
-detection:
- selection:
- EventID:
- - 528
- - 529
- - 4624
- - 4625
- LogonType: 2
- ComputerName:
- - '%ServerSystems%'
- - '%DomainControllers%'
- filter:
- LogonProcessName: Advapi
- ComputerName: '%Workstations%'
- condition: selection and not filter
-falsepositives:
- - Administrative activity via KVM or ILO board
-level: medium
-tags:
- - attack.lateral_movement
- - attack.t1078
From 9df83b23c811308455c278f35636fa8b4197a4fa Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 25 Apr 2023 20:23:08 +0200
Subject: [PATCH 4/4] Update win_security_susp_interactive_logons.yml
---
 .../builtin/security/win_security_susp_interactive_logons.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules-placeholder/windows/builtin/security/win_security_susp_interactive_logons.yml b/rules-placeholder/windows/builtin/security/win_security_susp_interactive_logons.yml
index 4610cca44..a98690e27 100644
--- a/rules-placeholder/windows/builtin/security/win_security_susp_interactive_logons.yml
+++ b/rules-placeholder/windows/builtin/security/win_security_susp_interactive_logons.yml
@@ -25,7 +25,7 @@ detection:
 filter_main:
 LogonProcessName: 'Advapi'
 ComputerName: '%Workstations%'
- condition: selection and not filter
+ condition: selection and not filter_main
 falsepositives:
 - Administrative activity via KVM or ILO board
 level: medium
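Review bot: With the reference fixed, `filter_main` is a map and therefore an AND: it only drops events where `LogonProcessName` is `Advapi` and `ComputerName` is in `%Workstations%`, while `selection` (above this hunk, visible in patch 3/4) already restricts `ComputerName` to `%ServerSystems%` and `%DomainControllers%`. Unless those placeholder sets overlap, the filter can never match and Advapi-originated logons on servers are still alerted on, which may or may not be what the rule's author intended. If the goal is to exclude Advapi logons regardless of host, the `ComputerName` line should be dropped from `filter_main`; either way a one-line comment on `filter_main:` stating the intended exclusion would help, because the same question will recur on the next edit. The `detection` block starts outside the hunk.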