Merge branch 'SigmaHQ:master' into master

2022-10-11 11:29:48 +02:00
parent 4a2a6037de a55cea92e0
commit 2d5939e33b
33 changed files with 355 additions and 156 deletions
@@ -6,7 +6,7 @@ author: Florian Roth, Markus Neis
 references:
  - Internal Research
 date: 2019/11/12
-modified: 2021/11/30
+modified: 2022/10/10
 logsource:
  category: proxy
 detection:
@@ -52,6 +52,8 @@ detection:
      - 'Mozilla/5.0 (X11; Linux i686; rv:22.0) Firefox/22.0'    # BackdoorDiplomacy https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/
      - 'Mozilla/5.0 Chrome/72.0.3626.109 Safari/537.36'    # SideWalk malware used by Sparkling Goblin
      - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:FTS_06) Gecko/22.36.35.06 Firefox/2.0'  # LitePower stager used by WRITE https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044/
+      - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/100.0.1185.39' # https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/
+      - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3; .NET4.0C; .NET4.0E)' # https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/
  condition: selection
 fields:
  - ClientIP
@@ -13,6 +13,7 @@ tags:
 logsource:
    product: windows
    service: security
+    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
 detection:
    selection:
        EventID: 4697
@@ -21,4 +22,4 @@ detection:
    condition: selection
 falsepositives:
    - Legitimate use of Hybrid Connection Manager via Azure function apps.
-level: high
+level: high
@@ -19,15 +19,16 @@ tags:
 logsource:
    product: windows
    service: security
+    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
 detection:
    selection:
        Provider_Name: 'Microsoft-Windows-Security-Auditing'
        EventID: 4697
-        ServiceFileName|contains|all: 
+        ServiceFileName|contains|all:
           - 'cmd'
           - '&&'
           - 'clipboard]::'
-    condition: selection 
+    condition: selection
 falsepositives:
    - Unknown
 level: high
@@ -16,6 +16,7 @@ tags:
 logsource:
    product: windows
    service: security
+    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
 detection:
    selection_eid:
        EventID: 4697
@@ -18,10 +18,11 @@ tags:
 logsource:
    product: windows
    service: security
+    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
 detection:
    selection:
        EventID: 4697
-        ServiceFileName|contains|all: 
+        ServiceFileName|contains|all:
            - 'cmd'
            - 'powershell'
    selection2:
@@ -18,6 +18,7 @@ tags:
 logsource:
    product: windows
    service: security
+    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
 detection:
    selection:
        EventID: 4697
@@ -2,12 +2,12 @@ title: Invoke-Obfuscation COMPRESS OBFUSCATION
 id: 7a922f1b-2635-4d6c-91ef-af228b198ad3
 related:
    - id: 175997c5-803c-4b08-8bb0-70b099f47595
-      type: derived  
+      type: derived
 description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION
 status: experimental
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/18
-modified: 2022/02/03
+modified: 2022/10/10
 references:
    - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19)
 tags:
@@ -18,18 +18,18 @@ tags:
 logsource:
    product: windows
    service: security
+    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
 detection:
    selection:
-        EventID: 4697 
-        ServiceFileName|contains|all: 
+        EventID: 4697
+        ServiceFileName|contains|all:
            - 'new-object'
            - 'text.encoding]::ascii'
            - 'readtoend'
-    selection2:
        ServiceFileName|contains:
            - 'system.io.compression.deflatestream'
            - 'system.io.streamreader'
-    condition: all of selection*
+    condition: selection
 falsepositives:
    - Unknown
 level: medium
@@ -18,9 +18,10 @@ tags:
 logsource:
    product: windows
    service: security
+    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
 detection:
    selection:
-        EventID: 4697 
+        EventID: 4697
        ServiceFileName|contains|all:
            - 'rundll32.exe'
            - 'shell32.dll'
@@ -18,10 +18,11 @@ tags:
 logsource:
    product: windows
    service: security
+    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
 detection:
    selection:
        EventID: 4697
-        ServiceFileName|contains|all: 
+        ServiceFileName|contains|all:
            - 'set'
            - '&&'
        ServiceFileName|contains:
@@ -18,6 +18,7 @@ tags:
 logsource:
    product: windows
    service: security
+    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
 detection:
    selection:
        EventID: 4697
@@ -18,10 +18,11 @@ tags:
 logsource:
    product: windows
    service: security
+    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
 detection:
    selection:
        EventID: 4697
-        ServiceFileName|contains|all: 
+        ServiceFileName|contains|all:
            - 'mshta'
            - 'vbscript:createobject'
            - '.run'
@@ -18,6 +18,7 @@ tags:
 logsource:
    product: windows
    service: security
+    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
 detection:
    selection:
        EventID: 4697
@@ -18,6 +18,7 @@ tags:
 logsource:
    product: windows
    service: security
+    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
 detection:
    selection:
        EventID: 4697
@@ -22,6 +22,7 @@ tags:
 logsource:
    product: windows
    service: security
+    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
 detection:
    event_id:
        EventID: 4697
@@ -23,6 +23,7 @@ tags:
 logsource:
    product: windows
    service: security
+    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
 detection:
    selection:
        EventID: 4697
@@ -22,6 +22,7 @@ tags:
 logsource:
    product: windows
    service: security
+    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
 detection:
    selection:
        EventID: 4697
@@ -19,6 +19,7 @@ tags:
 logsource:
    product: windows
    service: security
+    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
 detection:
    selection:
        EventID: 4697
@@ -18,6 +18,7 @@ tags:
 logsource:
    product: windows
    service: security
+    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
 detection:
    selection_id:
        EventID: 4697
@@ -16,6 +16,7 @@ tags:
 logsource:
    product: windows
    service: security
+    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
 detection:
    selection:
        EventID: 4697
@@ -14,6 +14,7 @@ tags:
 logsource:
    product: windows
    service: security
+    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
 detection:
    selection:
        EventID: 4697
@@ -4,37 +4,38 @@ status: test
 description: Detects Windows Pcap driver installation based on a list of associated .sys files.
 author: Cian Heasley
 references:
-  - https://ragged-lab.blogspot.com/2020/06/capturing-pcap-driver-installations.html#more
+    - https://ragged-lab.blogspot.com/2020/06/capturing-pcap-driver-installations.html#more
 date: 2020/06/10
 modified: 2021/11/27
 logsource:
-  product: windows
-  service: security
+    product: windows
+    service: security
+    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
 detection:
-  selection:
-    EventID: 4697
-    ServiceFileName|contains:
-      - 'pcap'
-      - 'npcap'
-      - 'npf'
-      - 'nm3'
-      - 'ndiscap'
-      - 'nmnt'
-      - 'windivert'
-      - 'USBPcap'
-      - 'pktmon'
-  condition: selection
+    selection:
+        EventID: 4697
+        ServiceFileName|contains:
+            - 'pcap'
+            - 'npcap'
+            - 'npf'
+            - 'nm3'
+            - 'ndiscap'
+            - 'nmnt'
+            - 'windivert'
+            - 'USBPcap'
+            - 'pktmon'
+    condition: selection
 fields:
-  - EventID
-  - ServiceFileName
-  - Account_Name
-  - Computer_Name
-  - Originating_Computer
-  - ServiceName
+    - EventID
+    - ServiceFileName
+    - Account_Name
+    - Computer_Name
+    - Originating_Computer
+    - ServiceName
 falsepositives:
-  - Unknown
+    - Unknown
 level: medium
 tags:
-  - attack.discovery
-  - attack.credential_access
-  - attack.t1040
+    - attack.discovery
+    - attack.credential_access
+    - attack.t1040
@@ -12,8 +12,15 @@ references:
    - https://github.com/namazso/physmem_drivers
    - https://github.com/stong/CVE-2020-15368
    - https://github.com/CaledoniaProject/drivers-binaries
+    - https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html
+    - https://github.com/tandasat/ExploitCapcom
+    - https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md
+    - https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/DRIVER7.md
+    - https://www.unknowncheats.me/forum/downloads.php?do=file&id=21780
+    - https://www.rapid7.com/db/modules/exploit/windows/local/razer_zwopenprocess/
+    - https://www.unknowncheats.me/forum/downloads.php?do=file&id=25444
 date: 2022/08/18
-modified: 2022/10/03
+modified: 2022/10/10
 logsource:
    product: windows
    category: driver_load
@@ -261,6 +268,18 @@ detection:
            - 'SHA1=5fb9421be8a8b08ec395d05e00fd45eb753b593a'
            - 'SHA1=b480c54391a2a2f917a44f91a5e9e4590648b332'
            - 'SHA1=4f7a8e26a97980544be634b26899afbefb0a833c'
+            # https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html
+            - 'SHA1=c1d5cf8c43e7679b782630e93f5e6420ca1749a7'
+            - 'SHA1=a7e9a4686aa7291331e2c8708882c8d81d05264f'
+            - 'SHA1=7ba19a701c8af76988006d616a5f77484c13cb0a'
+            - 'SHA1=4243dbbf6e5719d723f24d0f862afd0fcb40bc35'
+            - 'SHA1=00b4e8b7644d1bf93f5ddb5740b444b445e81b02'
+            - 'SHA1=fd833f3fe2fa396878033b9e6054725248bf9881'
+            - 'SHA1=db446af0e34259e95f4db112a9f06177e1eef4e0'
+            - 'SHA1=39d7b121bc654a0de891225e0f8b7b5537c24931'
+            - 'SHA1=d0a228ed8af190dec0c1a812e212f5e68ee3b43e'
+            - 'SHA1=7d2fc1a6729521e5c76f659e4c398e2061f7ed5e'
+            - 'SHA1=f999709e5b00a68a0f4fa912619fe6548ad0c42d'
            # The list below is from https://github.com/namazso/physmem_drivers
            - 'SHA256=05F052C64D192CF69A462A5EC16DDA0D43CA5D0245900C9FCB9201685A2E7748'
            - 'SHA256=4045AE77859B1DBF13972451972EAAF6F3C97BEA423E9E78F1C2F14330CD47CA'
@@ -499,6 +518,18 @@ detection:
            - 'SHA256=000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b'
            - 'SHA256=0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05'
            - 'SHA256=a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433'
+            # https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html
+            - 'SHA256=da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24'
+            - 'SHA256=9c2977d63faa340b03e1bbfb8a6db19c0adfa60ff6579b888ece10022c94c3ec'
+            - 'SHA256=771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd'
+            - 'SHA256=927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a'
+            - 'SHA256=42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0'
+            - 'SHA256=e6db8a1c9d82d18b948c7135439fdeaa9bc02ea97509e3534de65e5481489220'
+            - 'SHA256=1062211314088012edb9fe65780e35e7b3144ac45021269fc993ef2931c8584b'
+            - 'SHA256=029dbf6d8dc920a32b3c7a2057513d3741b20b7f6e7aa23b113859a8049214df'
+            - 'SHA256=1d053020079124ac526d84affb17bf4a1563ecd872c83b4b6299c9aa6a732557'
+            - 'SHA256=c059f1b2b73ecab48d62f469d48dbde74a80c4ada07f0bd3b417ec4e044fb522'
+            - 'SHA256=a66d2fb7ef7350ea74d4290c57fb62bc59c6ea93f759d4ca93c3febca7aeb512'
    selection_other:
        - SHA1:
            # The list below is from https://github.com/namazso/physmem_drivers and the SHA1 are from VT
@@ -742,6 +773,18 @@ detection:
            - '5fb9421be8a8b08ec395d05e00fd45eb753b593a'
            - 'b480c54391a2a2f917a44f91a5e9e4590648b332'
            - '4f7a8e26a97980544be634b26899afbefb0a833c'
+            # https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html
+            - 'c1d5cf8c43e7679b782630e93f5e6420ca1749a7'
+            - 'a7e9a4686aa7291331e2c8708882c8d81d05264f' #ATSZIO.sys
+            - '7ba19a701c8af76988006d616a5f77484c13cb0a'
+            - '4243dbbf6e5719d723f24d0f862afd0fcb40bc35'
+            - '00b4e8b7644d1bf93f5ddb5740b444b445e81b02'
+            - 'fd833f3fe2fa396878033b9e6054725248bf9881'
+            - 'db446af0e34259e95f4db112a9f06177e1eef4e0'
+            - '39d7b121bc654a0de891225e0f8b7b5537c24931'
+            - 'd0a228ed8af190dec0c1a812e212f5e68ee3b43e'
+            - '7d2fc1a6729521e5c76f659e4c398e2061f7ed5e'
+            - 'f999709e5b00a68a0f4fa912619fe6548ad0c42d'
        - SHA256:
            # The list below is from https://github.com/namazso/physmem_drivers
            - '04A85E359525D662338CAE86C1E59B1D7AA9BD12B920E8067503723DC1E03162'
@@ -990,6 +1033,18 @@ detection:
            - '000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b'
            - '0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05'
            - 'a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433'
+            # https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html
+            - 'da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24'
+            - '9c2977d63faa340b03e1bbfb8a6db19c0adfa60ff6579b888ece10022c94c3ec' #ATSZIO.sys
+            - '771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd' #Driver7
+            - '927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a'
+            - '42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0'
+            - 'e6db8a1c9d82d18b948c7135439fdeaa9bc02ea97509e3534de65e5481489220'
+            - '1062211314088012edb9fe65780e35e7b3144ac45021269fc993ef2931c8584b'
+            - '029dbf6d8dc920a32b3c7a2057513d3741b20b7f6e7aa23b113859a8049214df'
+            - '1d053020079124ac526d84affb17bf4a1563ecd872c83b4b6299c9aa6a732557'
+            - 'c059f1b2b73ecab48d62f469d48dbde74a80c4ada07f0bd3b417ec4e044fb522'
+            - 'a66d2fb7ef7350ea74d4290c57fb62bc59c6ea93f759d4ca93c3febca7aeb512'
    condition: 1 of selection*
 falsepositives:
    - Unknown
@@ -15,7 +15,11 @@ references:
    - https://github.com/namazso/physmem_drivers
    - https://github.com/stong/CVE-2020-15368
    - https://github.com/CaledoniaProject/drivers-binaries
+    - https://github.com/Chigusa0w0/AsusDriversPrivEscala
+    - https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/
+    - https://eclypsium.com/2019/11/12/mother-of-all-drivers/
 date: 2022/10/03
+modified: 2022/10/10
 tags:
    - attack.privilege_escalation
    - attack.t1543.003
@@ -134,32 +138,69 @@ detection:
            - '\piddrv64.sys'
            # List below is based on Elastic Yara rules and samples from the "sample references" section https://github.com/elastic/protections-artifacts/search?q=VulnDriver
            # The names were taken from VT search of those samples
-            - 'BS_I2cIo.sys' # Version: 1.1.0.0
-            - 'rtkio.sys'
-            - 'AMDRyzenMasterDriver.sys' # Version: 1.5.0.0
-            - 'LHA.sys'
-            - 'kEvP64.sys'
-            - 'BSMI.sys' # Version: 1.0.0.3
-            - 'TmComm.sys' # Version: 8.0.0.0
-            - 'cpuz.sys' # Version: 1.0.4.3
-            - 'ElbyCDIO.sys' # Version: 6.0.3.2
-            - 'iQVW64.SYS' # Version: 1.4.0.0
-            - 'vmdrv.sys' # Version: 10.0.10011.16384
-            - 'HpPortIox64.sys' # Version: 1.2.0.9
-            - 'AMDPowerProfiler.sys' # Version: 6.1.0.0
-            - 'CorsairLLAccess64.sys' # Version: 1.0.18.0
-            - 'RTCore64.sys'
-            - 'libnicm.sys' # Version: 3.1.12.0
-            - 'procexp.Sys' # Version: 16.27.0.0
-            - 'viragt.sys' # Version: 1.80.0.0
-            - 'viragt64.sys' # Version: 1.0.0.11
-            - 'AsrDrv106.sys'
-            - 'zamguard64.sys'
-            - 'zam64.sys'
-            - 'fidpcidrv64.sys'
-            - 'MsIo32.sys'
-            - 'winio64.sys'
-            - 'DirectIo64.sys'
+            - '\BS_I2cIo.sys' # Version: 1.1.0.0
+            - '\rtkio.sys'
+            - '\AMDRyzenMasterDriver.sys' # Version: 1.5.0.0
+            - '\LHA.sys'
+            - '\kEvP64.sys'
+            - '\BSMI.sys' # Version: 1.0.0.3
+            - '\TmComm.sys' # Version: 8.0.0.0
+            - '\cpuz.sys' # Version: 1.0.4.3
+            - '\iQVW64.SYS' # Version: 1.4.0.0
+            - '\vmdrv.sys' # Version: 10.0.10011.16384
+            - '\HpPortIox64.sys' # Version: 1.2.0.9
+            - '\AMDPowerProfiler.sys' # Version: 6.1.0.0
+            - '\CorsairLLAccess64.sys' # Version: 1.0.18.0
+            - '\RTCore64.sys'
+            - '\libnicm.sys' # Version: 3.1.12.0
+            - '\procexp.Sys' # Version: 16.27.0.0
+            - '\viragt.sys' # Version: 1.80.0.0
+            - '\viragt64.sys' # Version: 1.0.0.11
+            - '\AsrDrv106.sys'
+            - '\zamguard64.sys'
+            - '\zam64.sys'
+            - '\fidpcidrv64.sys'
+            - '\MsIo32.sys'
+            - '\winio64.sys'
+            # https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html
+            - '\capcom.sys'
+            - '\IOMap64.sys'
+            - '\ATSZIO64.sys'
+            - '\aswVmm.sys'
+            - '\FairplayKD.sys'
+            - '\pgldqpoc.sys'
+            - '\iqvw64e.sys'
+            - '\Monitor_win10_x64.sys'
+            - '\srvnetbus.sys'
+            - '\Mslo64.sys'
+            - '\pcdsrvc_x64.pkms'
+            - '\krpocesshacker.sys'
+            - '\HWiNFO64A.sys' # version <= 8.98, CVE-2018-8061
+            - '\rzpnk.sys'
+            - '\magdrvamd64.sys'
+            # https://github.com/Chigusa0w0/AsusDriversPrivEscala
+            - '\driver7-x64.sys'
+            - '\driver7-x86-withoutdbg.sys'
+            - '\driver7-x86.sys'
+            # Other
+            - '\gmer.sys'
+            - '\PCADRVX64.sys'
+            # WinRing0 other names from VT (https://eclypsium.com/2019/11/12/mother-of-all-drivers/)
+            - '\ActiveHealth.sys'
+            - '\CAM_V3.sys'
+            - '\GameFire.sys'
+            - '\OpenHardwareMonitor.sys'
+            - '\OpenHardwareMonitorLib.sys'
+            - '\OpenHardwareMonitorReport.sys'
+            - '\SmartDashboard.sys'
+            - '\SystemGauge.sys'
+            - '\SystemGaugeX7.sys'
+            - '\VideoNovaServerControllerService.sys'
+            - '\ellp_service.sys'
+            - '\hardwareproviders.sys'
+            - '\ohm.sys'
+            - '\sensorsview32_64.sys'
+            - '\touchpointanalyticsclient.sys'
    condition: selection
 falsepositives:
    - Some false positives may occure if one of the vulnerable driver names mentioned above didn't change it's name between versions. So always make sure that the driver being loaded is the legitimate one and the non vulnerable version.
@@ -7,7 +7,7 @@ status: experimental
 description: Detects loading of essential DLL used by PowerShell, but not by the process powershell.exe. Detects meterpreter's "load powershell" extension.
 author: Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton
 date: 2019/11/14
-modified: 2022/04/21
+modified: 2022/10/10
 references:
    - https://adsecurity.org/?p=2921
    - https://github.com/p3nt4/PowerShdll
@@ -23,7 +23,9 @@ detection:
            - '\System.Management.Automation.Dll'
            - '\System.Management.Automation.ni.Dll'
    filter:
-        - Image: 'C:\Windows\System32\dsac.exe'
+        - Image:
+            - 'C:\Windows\System32\dsac.exe'
+            - 'C:\Program Files\PowerShell\7\pwsh.exe' #PowerShell 7
        - Image|endswith:
            - '\powershell.exe'
            - '\powershell_ise.exe'
@@ -4,68 +4,68 @@ status: test
 description: Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.
 author: Perez Diego (@darkquassar), oscd.community, Ecco
 references:
-  - https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump
-  - https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html
-  - https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
+    - https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump
+    - https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html
+    - https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
 date: 2019/10/27
 modified: 2022/09/15
 logsource:
-  category: image_load
-  product: windows
+    category: image_load
+    product: windows
 detection:
-  signedprocess:
-    ImageLoaded|endswith:
-      - '\dbghelp.dll'
-      - '\dbgcore.dll'
-    Image|endswith:
-      - '\msbuild.exe'
-      - '\cmd.exe'
-      # - '\svchost.exe'  triggered by installing common software
-      - '\rundll32.exe'
-      # - '\powershell.exe'  triggered by installing common software
-      - '\word.exe'
-      - '\excel.exe'
-      - '\powerpnt.exe'
-      - '\outlook.exe'
-      - '\monitoringhost.exe'
-      - '\wmic.exe'
-      # - '\msiexec.exe'  an installer installing a program using one of those DLL will raise an alert
-      - '\bash.exe'
-      - '\wscript.exe'
-      - '\cscript.exe'
-      - '\mshta.exe'
-      # - '\regsvr32.exe'  triggered by installing common software
-      # - '\schtasks.exe'  triggered by installing software
-      - '\dnx.exe'
-      - '\regsvcs.exe'
-      - '\sc.exe'
-      - '\scriptrunner.exe'
-  unsignedprocess:
-    ImageLoaded|endswith:
-      - '\dbghelp.dll'
-      - '\dbgcore.dll'
-    Signed: 'FALSE'
-  filter1:
-    - Image|contains: 'Visual Studio'
-    - CommandLine|contains:
-      - '-k LocalSystemNetworkRestricted'
-      - '-k UnistackSvcGroup -s WpnUserService'
-  filter2:   # Not available in Sysmon, but in Aurora
-    CommandLine:
-      - 'C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv'
-      - 'C:\Windows\System32\svchost.exe -k WerSvcGroup'
-  filter3:
-    CommandLine|startswith: 'C:\WINDOWS\winsxs\'
-    CommandLine|endswith: '\TiWorker.exe -Embedding'
-  condition: (signedprocess or unsignedprocess) and not 1 of filter*
+    signedprocess:
+        ImageLoaded|endswith:
+            - '\dbghelp.dll'
+            - '\dbgcore.dll'
+        Image|endswith:
+            - '\msbuild.exe'
+            - '\cmd.exe'
+            # - '\svchost.exe'  triggered by installing common software
+            - '\rundll32.exe'
+            # - '\powershell.exe'  triggered by installing common software
+            - '\word.exe'
+            - '\excel.exe'
+            - '\powerpnt.exe'
+            - '\outlook.exe'
+            - '\monitoringhost.exe'
+            - '\wmic.exe'
+            # - '\msiexec.exe'  an installer installing a program using one of those DLL will raise an alert
+            - '\bash.exe'
+            - '\wscript.exe'
+            - '\cscript.exe'
+            - '\mshta.exe'
+            # - '\regsvr32.exe'  triggered by installing common software
+            # - '\schtasks.exe'  triggered by installing software
+            - '\dnx.exe'
+            - '\regsvcs.exe'
+            - '\sc.exe'
+            - '\scriptrunner.exe'
+    unsignedprocess:
+        ImageLoaded|endswith:
+            - '\dbghelp.dll'
+            - '\dbgcore.dll'
+        Signed: 'FALSE'
+    filter1:
+        - Image|contains: 'Visual Studio'
+        - CommandLine|contains:
+            - '-k LocalSystemNetworkRestricted'
+            - '-k UnistackSvcGroup -s WpnUserService'
+    filter2:   # Not available in Sysmon, but in Aurora
+        CommandLine:
+            - 'C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv'
+            - 'C:\Windows\System32\svchost.exe -k WerSvcGroup'
+    filter3:
+        CommandLine|startswith: 'C:\WINDOWS\winsxs\'
+        CommandLine|endswith: '\TiWorker.exe -Embedding'
+    condition: (signedprocess or unsignedprocess) and not 1 of filter*
 fields:
-  - ComputerName
-  - User
-  - Image
-  - ImageLoaded
+    - ComputerName
+    - User
+    - Image
+    - ImageLoaded
 falsepositives:
-  - Unknown
+    - Unknown
 level: high
 tags:
-  - attack.credential_access
-  - attack.t1003.001
+    - attack.credential_access
+    - attack.t1003.001
@@ -6,7 +6,7 @@ author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton
 references:
    - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
 date: 2019/09/12
-modified: 2022/04/21
+modified: 2022/10/10
 logsource:
    product: windows
    category: pipe_created
@@ -36,7 +36,9 @@ detection:
            - 'C:\Program Files\Citrix\'
            - 'C:\Program Files\Microsoft\Exchange Server\'
    filter5:
-        Image: 'C:\Windows\system32\ServerManager.exe'
+        Image:
+            - 'C:\Windows\system32\ServerManager.exe'
+            - 'C:\Program Files\PowerShell\7\pwsh.exe' # Powershell 7
    condition: selection and not 1 of filter*
 fields:
    - ComputerName
@@ -3,7 +3,7 @@ id: 64e8e417-c19a-475a-8d19-98ea705394cc
 description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
 status: test
 date: 2019/08/11
-modified: 2022/10/05
+modified: 2022/10/10
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
    - https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html
@@ -18,7 +18,13 @@ detection:
    selection:
        ContextInfo|contains: '*'
    filter:
-        ContextInfo|contains: 'powershell.exe' # Host Application=...powershell.exe or Application hote=...powershell.exe in French Win10 event
+        # This filter covers the following use cases
+        #   - When powershell is called directly from commandline via keyword powershell or powershell.exe
+        #   - Or called via path but not with full "".exe". Example: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell
+        ContextInfo|contains:
+            - '= powershell' # Host Application=...powershell.exe or Application hote=...powershell.exe in French Win10 event
+            - '= C:\Windows\System32\WindowsPowerShell\v1.0\powershell'
+            - '= C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell'
    filter_citrix:
        ContextInfo|contains: 'ConfigSyncRun.exe'
    filter_adace:  # Active Directory Administrative Center Enhancements
@@ -23,6 +23,7 @@ tags:
 logsource:
    category: process_creation
    product: windows
+    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
 detection:
    selection:
        CommandLine|contains:
@@ -1,24 +0,0 @@
-title: PCHunter Execution
-id: df5daa7b-c2d5-4a4d-972b-5f85febe56bc
-status: experimental
-description: Detects the execution PCHunter based on image and Original File Name fields.
-references:
-    - http://www.xuetr.com/
-    - https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/
-author: Nasreddine Bencherchali
-date: 2022/10/05
-tags:
-    - attack.defense_evasion
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection:
-        - Image|endswith:
-            - '\PCHunter32.exe'
-            - '\PCHunter64.exe'
-        - OriginalFileName: 'PCHunter.exe'
-    condition: selection
-falsepositives:
-    - Unlikely
-level: high
@@ -18,7 +18,7 @@ detection:
        ParentImage|endswith: '\conhost.exe'
    filter_provider:
        Provider_Name: 'SystemTraceProvider-Process'  # FPs with Aurora
-    # Note that some of these git events occure because of a sppofed parent image
+    # Note that some of these git events occure because of a spoofed parent image
    filter_git:
        # Example FP:
        #   ParentCommandLine: "C:\Program Files\Git\cmd\git.exe" show --textconv :path/to/file
@@ -0,0 +1,48 @@
+title: PCHunter Usage
+id: fca949cc-79ca-446e-8064-01aa7e52ece5
+description: Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff
+status: experimental
+references:
+    - http://www.xuetr.com/
+    - https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/
+    - https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/
+author: Florian Roth, Nasreddine Bencherchali
+date: 2022/10/10
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_image:
+        Image|endswith:
+            - '\PCHunter64.exe'
+            - '\PCHunter32.exe'
+    selection_pe:
+        - OriginalFileName: 'PCHunter.exe'
+        - Description: 'Epoolsoft Windows Information View Tools'
+    selection_hashes:
+        Hashes|contains:
+            - 'SHA1=5F1CBC3D99558307BC1250D084FA968521482025'
+            - 'MD5=987B65CD9B9F4E9A1AFD8F8B48CF64A7'
+            - 'SHA256=2B214BDDAAB130C274DE6204AF6DBA5AEEC7433DA99AA950022FA306421A6D32'
+            - 'IMPHASH=444D210CEA1FF8112F256A4997EED7FF'
+            - 'SHA1=3FB89787CB97D902780DA080545584D97FB1C2EB'
+            - 'MD5=228DD0C2E6287547E26FFBD973A40F14'
+            - 'SHA256=55F041BF4E78E9BFA6D4EE68BE40E496CE3A1353E1CA4306598589E19802522C'
+            - 'IMPHASH=0479F44DF47CFA2EF1CCC4416A538663'
+    selection_hash_values:
+        - md5:
+            - '228dd0c2e6287547e26ffbd973a40f14'
+            - '987b65cd9b9f4e9a1afd8f8b48cf64a7'
+        - sha1:
+            - '5f1cbc3d99558307bc1250d084fa968521482025'
+            - '3fb89787cb97d902780da080545584d97fb1c2eb'
+        - sha256:
+            - '2b214bddaab130c274de6204af6dba5aeec7433da99aa950022fa306421a6d32'
+            - '55f041bf4e78e9bfa6d4ee68be40e496ce3a1353e1ca4306598589e19802522c'
+        - imphash:
+            - '444d210cea1ff8112f256a4997eed7ff'
+            - '0479f44df47cfa2ef1ccc4416a538663'
+    condition: 1 of selection*
+falsepositives:
+    - Unlikely
+level: high
@@ -0,0 +1,48 @@
+title: Process Hacker Usage
+id: 811e0002-b13b-4a15-9d00-a613fce66e42
+description: Detects suspicious use of Process Hacker, a tool to view and manipulate processes, kernel options and other low level stuff
+status: experimental
+references:
+    - https://processhacker.sourceforge.io/
+    - https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/
+author: Florian Roth
+date: 2022/10/10
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_image:
+        Image|contains: '\ProcessHacker_'
+    selection_pe:
+        - OriginalFileName: 
+            - 'ProcessHacker.exe'
+            - 'Process Hacker'
+        - Description: 'Process Hacker'
+        - Product: 'Process Hacker'
+    selection_hashes:
+        Hashes|contains:
+            - 'MD5=68F9B52895F4D34E74112F3129B3B00D'
+            - 'SHA1=C5E2018BF7C0F314FED4FD7FE7E69FA2E648359E'
+            - 'SHA256=D4A0FE56316A2C45B9BA9AC1005363309A3EDC7ACF9E4DF64D326A0FF273E80F'
+            - 'IMPHASH=04DE0AD9C37EB7BD52043D2ECAC958DF'
+            - 'MD5=B365AF317AE730A67C936F21432B9C71'
+            - 'SHA1=A0BDFAC3CE1880B32FF9B696458327CE352E3B1D'
+            - 'SHA256=BD2C2CF0631D881ED382817AFCCE2B093F4E412FFB170A719E2762F250ABFEA4'
+            - 'IMPHASH=3695333C60DEDECDCAFF1590409AA462'
+    selection_hash_values:
+        - md5:
+            - '68f9b52895f4d34e74112f3129b3b00d'
+            - 'b365af317ae730a67c936f21432b9c71'
+        - sha1:
+            - 'c5e2018bf7c0f314fed4fd7fe7e69fa2e648359e'
+            - 'a0bdfac3ce1880b32ff9b696458327ce352e3b1d'
+        - sha256:
+            - 'd4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f'
+            - 'bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4'
+        - imphash:
+            - '04de0ad9c37eb7bd52043d2ecac958df'
+            - '3695333c60dedecdcaff1590409aa462'
+    condition: 1 of selection*
+falsepositives:
+    - Sometimes used by developers or system administrators for debugging purposes
+level: high
@@ -23,7 +23,6 @@ detection:
  condition: all of selection*
 falsepositives:
  - Legitimate use for administartive purposes. Unlikely
-
 level: medium
 tags:
  - attack.defense_evasion