diff --git a/rules/proxy/proxy_ua_apt.yml b/rules/proxy/proxy_ua_apt.yml index 34eaba226..38ec032a3 100644 --- a/rules/proxy/proxy_ua_apt.yml +++ b/rules/proxy/proxy_ua_apt.yml @@ -6,7 +6,7 @@ author: Florian Roth, Markus Neis references: - Internal Research date: 2019/11/12 -modified: 2021/11/30 +modified: 2022/10/10 logsource: category: proxy detection: @@ -52,6 +52,8 @@ detection: - 'Mozilla/5.0 (X11; Linux i686; rv:22.0) Firefox/22.0' # BackdoorDiplomacy https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/ - 'Mozilla/5.0 Chrome/72.0.3626.109 Safari/537.36' # SideWalk malware used by Sparkling Goblin - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:FTS_06) Gecko/22.36.35.06 Firefox/2.0' # LitePower stager used by WRITE https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044/ + - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/100.0.1185.39' # https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/ + - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3; .NET4.0C; .NET4.0E)' # https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/ condition: selection fields: - ClientIP diff --git a/rules/windows/builtin/security/win_hybridconnectionmgr_svc_installation.yml b/rules/windows/builtin/security/win_hybridconnectionmgr_svc_installation.yml index eb95ff0a5..dad0bc4d1 100644 --- a/rules/windows/builtin/security/win_hybridconnectionmgr_svc_installation.yml +++ b/rules/windows/builtin/security/win_hybridconnectionmgr_svc_installation.yml @@ -13,6 +13,7 @@ tags: logsource: product: windows service: security + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: selection: EventID: 4697 
@@ -21,4 +22,4 @@ detection: condition: selection falsepositives: - Legitimate use of Hybrid Connection Manager via Azure function apps. -level: high +level: high \ No newline at end of file diff --git a/rules/windows/builtin/security/win_invoke_obfuscation_clip_services_security.yml b/rules/windows/builtin/security/win_invoke_obfuscation_clip_services_security.yml index 332f8a4c0..67a89d083 100644 --- a/rules/windows/builtin/security/win_invoke_obfuscation_clip_services_security.yml +++ b/rules/windows/builtin/security/win_invoke_obfuscation_clip_services_security.yml @@ -19,15 +19,16 @@ tags: logsource: product: windows service: security + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: selection: Provider_Name: 'Microsoft-Windows-Security-Auditing' EventID: 4697 - ServiceFileName|contains|all: + ServiceFileName|contains|all: - 'cmd' - '&&' - 'clipboard]::' - condition: selection + condition: selection falsepositives: - Unknown level: high \ No newline at end of file diff --git a/rules/windows/builtin/security/win_invoke_obfuscation_obfuscated_iex_services_security.yml b/rules/windows/builtin/security/win_invoke_obfuscation_obfuscated_iex_services_security.yml index d4bf55fd5..72e1b9b09 100644 --- a/rules/windows/builtin/security/win_invoke_obfuscation_obfuscated_iex_services_security.yml +++ b/rules/windows/builtin/security/win_invoke_obfuscation_obfuscated_iex_services_security.yml @@ -16,6 +16,7 @@ tags: logsource: product: windows service: security + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: selection_eid: EventID: 4697 diff --git a/rules/windows/builtin/security/win_invoke_obfuscation_stdin_services_security.yml b/rules/windows/builtin/security/win_invoke_obfuscation_stdin_services_security.yml index 028da309b..b011d03fa 100644 --- a/rules/windows/builtin/security/win_invoke_obfuscation_stdin_services_security.yml 
+++ b/rules/windows/builtin/security/win_invoke_obfuscation_stdin_services_security.yml @@ -18,10 +18,11 @@ tags: logsource: product: windows service: security + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: selection: EventID: 4697 - ServiceFileName|contains|all: + ServiceFileName|contains|all: - 'cmd' - 'powershell' selection2: diff --git a/rules/windows/builtin/security/win_invoke_obfuscation_var_services_security.yml b/rules/windows/builtin/security/win_invoke_obfuscation_var_services_security.yml index 08bb35cb3..17fea9ae4 100644 --- a/rules/windows/builtin/security/win_invoke_obfuscation_var_services_security.yml +++ b/rules/windows/builtin/security/win_invoke_obfuscation_var_services_security.yml @@ -18,6 +18,7 @@ tags: logsource: product: windows service: security + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: selection: EventID: 4697 diff --git a/rules/windows/builtin/security/win_invoke_obfuscation_via_compress_services_security.yml b/rules/windows/builtin/security/win_invoke_obfuscation_via_compress_services_security.yml index cb53ad051..67d033bf6 100644 --- a/rules/windows/builtin/security/win_invoke_obfuscation_via_compress_services_security.yml +++ b/rules/windows/builtin/security/win_invoke_obfuscation_via_compress_services_security.yml @@ -2,12 +2,12 @@ title: Invoke-Obfuscation COMPRESS OBFUSCATION id: 7a922f1b-2635-4d6c-91ef-af228b198ad3 related: - id: 175997c5-803c-4b08-8bb0-70b099f47595 - type: derived + type: derived description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION status: experimental author: Timur Zinniatullin, oscd.community date: 2020/10/18 -modified: 2022/02/03 +modified: 2022/10/10 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19) tags: 
@@ -18,18 +18,18 @@ tags: logsource: product: windows service: security + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: selection: - EventID: 4697 - ServiceFileName|contains|all: + EventID: 4697 + ServiceFileName|contains|all: - 'new-object' - 'text.encoding]::ascii' - 'readtoend' - selection2: ServiceFileName|contains: - 'system.io.compression.deflatestream' - 'system.io.streamreader' - condition: all of selection* + condition: selection falsepositives: - Unknown level: medium diff --git a/rules/windows/builtin/security/win_invoke_obfuscation_via_rundll_services_security.yml b/rules/windows/builtin/security/win_invoke_obfuscation_via_rundll_services_security.yml index b4d6ee2fd..6f1763fea 100644 --- a/rules/windows/builtin/security/win_invoke_obfuscation_via_rundll_services_security.yml +++ b/rules/windows/builtin/security/win_invoke_obfuscation_via_rundll_services_security.yml @@ -18,9 +18,10 @@ tags: logsource: product: windows service: security + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: selection: - EventID: 4697 + EventID: 4697 ServiceFileName|contains|all: - 'rundll32.exe' - 'shell32.dll' diff --git a/rules/windows/builtin/security/win_invoke_obfuscation_via_stdin_services_security.yml b/rules/windows/builtin/security/win_invoke_obfuscation_via_stdin_services_security.yml index e539fc6af..24f51d7b7 100644 --- a/rules/windows/builtin/security/win_invoke_obfuscation_via_stdin_services_security.yml +++ b/rules/windows/builtin/security/win_invoke_obfuscation_via_stdin_services_security.yml @@ -18,10 +18,11 @@ tags: logsource: product: windows service: security + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: selection: EventID: 4697 - ServiceFileName|contains|all: + ServiceFileName|contains|all: - 'set' - '&&' ServiceFileName|contains: 
diff --git a/rules/windows/builtin/security/win_invoke_obfuscation_via_use_clip_services_security.yml b/rules/windows/builtin/security/win_invoke_obfuscation_via_use_clip_services_security.yml index 302f7f1eb..291bd0de8 100644 --- a/rules/windows/builtin/security/win_invoke_obfuscation_via_use_clip_services_security.yml +++ b/rules/windows/builtin/security/win_invoke_obfuscation_via_use_clip_services_security.yml @@ -18,6 +18,7 @@ tags: logsource: product: windows service: security + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: selection: EventID: 4697 diff --git a/rules/windows/builtin/security/win_invoke_obfuscation_via_use_mshta_services_security.yml b/rules/windows/builtin/security/win_invoke_obfuscation_via_use_mshta_services_security.yml index 4e451e116..3f5a8079b 100644 --- a/rules/windows/builtin/security/win_invoke_obfuscation_via_use_mshta_services_security.yml +++ b/rules/windows/builtin/security/win_invoke_obfuscation_via_use_mshta_services_security.yml @@ -18,10 +18,11 @@ tags: logsource: product: windows service: security + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: selection: EventID: 4697 - ServiceFileName|contains|all: + ServiceFileName|contains|all: - 'mshta' - 'vbscript:createobject' - '.run' diff --git a/rules/windows/builtin/security/win_invoke_obfuscation_via_use_rundll32_services_security.yml b/rules/windows/builtin/security/win_invoke_obfuscation_via_use_rundll32_services_security.yml index e63329502..593bbc86d 100644 --- a/rules/windows/builtin/security/win_invoke_obfuscation_via_use_rundll32_services_security.yml +++ b/rules/windows/builtin/security/win_invoke_obfuscation_via_use_rundll32_services_security.yml 
@@ -18,6 +18,7 @@ tags: logsource: product: windows service: security + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: selection: EventID: 4697 diff --git a/rules/windows/builtin/security/win_invoke_obfuscation_via_var_services_security.yml b/rules/windows/builtin/security/win_invoke_obfuscation_via_var_services_security.yml index e6fedf46f..e973cca18 100644 --- a/rules/windows/builtin/security/win_invoke_obfuscation_via_var_services_security.yml +++ b/rules/windows/builtin/security/win_invoke_obfuscation_via_var_services_security.yml @@ -18,6 +18,7 @@ tags: logsource: product: windows service: security + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: selection: EventID: 4697 diff --git a/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml b/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml index 2570b4fbe..2b4bdb2fb 100644 --- a/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml +++ b/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml @@ -22,6 +22,7 @@ tags: logsource: product: windows service: security + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: event_id: EventID: 4697 diff --git a/rules/windows/builtin/security/win_security_mal_creddumper.yml b/rules/windows/builtin/security/win_security_mal_creddumper.yml index 9e3f3eaa5..43921309e 100644 --- a/rules/windows/builtin/security/win_security_mal_creddumper.yml +++ b/rules/windows/builtin/security/win_security_mal_creddumper.yml @@ -23,6 +23,7 @@ tags: logsource: product: windows service: security + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: selection: EventID: 4697 
diff --git a/rules/windows/builtin/security/win_security_mal_service_installs.yml b/rules/windows/builtin/security/win_security_mal_service_installs.yml index 9ba6ab03d..603aa9928 100644 --- a/rules/windows/builtin/security/win_security_mal_service_installs.yml +++ b/rules/windows/builtin/security/win_security_mal_service_installs.yml @@ -22,6 +22,7 @@ tags: logsource: product: windows service: security + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: selection: EventID: 4697 diff --git a/rules/windows/builtin/security/win_security_metasploit_or_impacket_smb_psexec_service_install.yml b/rules/windows/builtin/security/win_security_metasploit_or_impacket_smb_psexec_service_install.yml index 9458b61d5..bee29b60e 100644 --- a/rules/windows/builtin/security/win_security_metasploit_or_impacket_smb_psexec_service_install.yml +++ b/rules/windows/builtin/security/win_security_metasploit_or_impacket_smb_psexec_service_install.yml @@ -19,6 +19,7 @@ tags: logsource: product: windows service: security + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: selection: EventID: 4697 diff --git a/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml b/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml index f13e9b7b1..6609ea3fa 100644 --- a/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml +++ b/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml @@ -18,6 +18,7 @@ tags: logsource: product: windows service: security + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: selection_id: EventID: 4697 
diff --git a/rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml b/rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml index b9cd11de3..3b956de46 100644 --- a/rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml +++ b/rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml @@ -16,6 +16,7 @@ tags: logsource: product: windows service: security + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: selection: EventID: 4697 diff --git a/rules/windows/builtin/security/win_security_tap_driver_installation.yml b/rules/windows/builtin/security/win_security_tap_driver_installation.yml index c70802007..6e27ffa1b 100644 --- a/rules/windows/builtin/security/win_security_tap_driver_installation.yml +++ b/rules/windows/builtin/security/win_security_tap_driver_installation.yml @@ -14,6 +14,7 @@ tags: logsource: product: windows service: security + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: selection: EventID: 4697 diff --git a/rules/windows/builtin/system/win_pcap_drivers.yml b/rules/windows/builtin/system/win_pcap_drivers.yml index cb844e1f3..c9150c302 100644 --- a/rules/windows/builtin/system/win_pcap_drivers.yml +++ b/rules/windows/builtin/system/win_pcap_drivers.yml 
@@ -4,37 +4,38 @@ status: test description: Detects Windows Pcap driver installation based on a list of associated .sys files. author: Cian Heasley references: - - https://ragged-lab.blogspot.com/2020/06/capturing-pcap-driver-installations.html#more + - https://ragged-lab.blogspot.com/2020/06/capturing-pcap-driver-installations.html#more date: 2020/06/10 modified: 2021/11/27 logsource: - product: windows - service: security + product: windows + service: security + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: - selection: - EventID: 4697 - ServiceFileName|contains: - - 'pcap' - - 'npcap' - - 'npf' - - 'nm3' - - 'ndiscap' - - 'nmnt' - - 'windivert' - - 'USBPcap' - - 'pktmon' - condition: selection + selection: + EventID: 4697 + ServiceFileName|contains: + - 'pcap' + - 'npcap' + - 'npf' + - 'nm3' + - 'ndiscap' + - 'nmnt' + - 'windivert' + - 'USBPcap' + - 'pktmon' + condition: selection fields: - - EventID - - ServiceFileName - - Account_Name - - Computer_Name - - Originating_Computer - - ServiceName + - EventID + - ServiceFileName + - Account_Name + - Computer_Name + - Originating_Computer + - ServiceName falsepositives: - - Unknown + - Unknown level: medium tags: - - attack.discovery - - attack.credential_access - - attack.t1040 + - attack.discovery + - attack.credential_access + - attack.t1040 diff --git a/rules/windows/driver_load/driver_load_vuln_drivers.yml b/rules/windows/driver_load/driver_load_vuln_drivers.yml index 9c37a3d38..20ca62f19 100644 --- a/rules/windows/driver_load/driver_load_vuln_drivers.yml +++ b/rules/windows/driver_load/driver_load_vuln_drivers.yml 
@@ -12,8 +12,15 @@ references: - https://github.com/namazso/physmem_drivers - https://github.com/stong/CVE-2020-15368 - https://github.com/CaledoniaProject/drivers-binaries + - https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html + - https://github.com/tandasat/ExploitCapcom + - https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md + - https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/DRIVER7.md + - https://www.unknowncheats.me/forum/downloads.php?do=file&id=21780 + - https://www.rapid7.com/db/modules/exploit/windows/local/razer_zwopenprocess/ + - https://www.unknowncheats.me/forum/downloads.php?do=file&id=25444 date: 2022/08/18 -modified: 2022/10/03 +modified: 2022/10/10 logsource: product: windows category: driver_load @@ -261,6 +268,18 @@ detection: - 'SHA1=5fb9421be8a8b08ec395d05e00fd45eb753b593a' - 'SHA1=b480c54391a2a2f917a44f91a5e9e4590648b332' - 'SHA1=4f7a8e26a97980544be634b26899afbefb0a833c' + # https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html + - 'SHA1=c1d5cf8c43e7679b782630e93f5e6420ca1749a7' + - 'SHA1=a7e9a4686aa7291331e2c8708882c8d81d05264f' + - 'SHA1=7ba19a701c8af76988006d616a5f77484c13cb0a' + - 'SHA1=4243dbbf6e5719d723f24d0f862afd0fcb40bc35' + - 'SHA1=00b4e8b7644d1bf93f5ddb5740b444b445e81b02' + - 'SHA1=fd833f3fe2fa396878033b9e6054725248bf9881' + - 'SHA1=db446af0e34259e95f4db112a9f06177e1eef4e0' + - 'SHA1=39d7b121bc654a0de891225e0f8b7b5537c24931' + - 'SHA1=d0a228ed8af190dec0c1a812e212f5e68ee3b43e' + - 'SHA1=7d2fc1a6729521e5c76f659e4c398e2061f7ed5e' + - 'SHA1=f999709e5b00a68a0f4fa912619fe6548ad0c42d' # The list below is from https://github.com/namazso/physmem_drivers - 'SHA256=05F052C64D192CF69A462A5EC16DDA0D43CA5D0245900C9FCB9201685A2E7748' - 'SHA256=4045AE77859B1DBF13972451972EAAF6F3C97BEA423E9E78F1C2F14330CD47CA' 
@@ -499,6 +518,18 @@ detection: - 'SHA256=000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b' - 'SHA256=0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05' - 'SHA256=a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433' + # https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html + - 'SHA256=da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24' + - 'SHA256=9c2977d63faa340b03e1bbfb8a6db19c0adfa60ff6579b888ece10022c94c3ec' + - 'SHA256=771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd' + - 'SHA256=927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a' + - 'SHA256=42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0' + - 'SHA256=e6db8a1c9d82d18b948c7135439fdeaa9bc02ea97509e3534de65e5481489220' + - 'SHA256=1062211314088012edb9fe65780e35e7b3144ac45021269fc993ef2931c8584b' + - 'SHA256=029dbf6d8dc920a32b3c7a2057513d3741b20b7f6e7aa23b113859a8049214df' + - 'SHA256=1d053020079124ac526d84affb17bf4a1563ecd872c83b4b6299c9aa6a732557' + - 'SHA256=c059f1b2b73ecab48d62f469d48dbde74a80c4ada07f0bd3b417ec4e044fb522' + - 'SHA256=a66d2fb7ef7350ea74d4290c57fb62bc59c6ea93f759d4ca93c3febca7aeb512' selection_other: - SHA1: # The list below is from https://github.com/namazso/physmem_drivers and the SHA1 are from VT 
@@ -742,6 +773,18 @@ detection: - '5fb9421be8a8b08ec395d05e00fd45eb753b593a' - 'b480c54391a2a2f917a44f91a5e9e4590648b332' - '4f7a8e26a97980544be634b26899afbefb0a833c' + # https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html + - 'c1d5cf8c43e7679b782630e93f5e6420ca1749a7' + - 'a7e9a4686aa7291331e2c8708882c8d81d05264f' #ATSZIO.sys + - '7ba19a701c8af76988006d616a5f77484c13cb0a' + - '4243dbbf6e5719d723f24d0f862afd0fcb40bc35' + - '00b4e8b7644d1bf93f5ddb5740b444b445e81b02' + - 'fd833f3fe2fa396878033b9e6054725248bf9881' + - 'db446af0e34259e95f4db112a9f06177e1eef4e0' + - '39d7b121bc654a0de891225e0f8b7b5537c24931' + - 'd0a228ed8af190dec0c1a812e212f5e68ee3b43e' + - '7d2fc1a6729521e5c76f659e4c398e2061f7ed5e' + - 'f999709e5b00a68a0f4fa912619fe6548ad0c42d' - SHA256: # The list below is from https://github.com/namazso/physmem_drivers - '04A85E359525D662338CAE86C1E59B1D7AA9BD12B920E8067503723DC1E03162' 
@@ -990,6 +1033,18 @@ detection: - '000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b' - '0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05' - 'a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433' + # https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html + - 'da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24' + - '9c2977d63faa340b03e1bbfb8a6db19c0adfa60ff6579b888ece10022c94c3ec' #ATSZIO.sys + - '771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd' #Driver7 + - '927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a' + - '42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0' + - 'e6db8a1c9d82d18b948c7135439fdeaa9bc02ea97509e3534de65e5481489220' + - '1062211314088012edb9fe65780e35e7b3144ac45021269fc993ef2931c8584b' + - '029dbf6d8dc920a32b3c7a2057513d3741b20b7f6e7aa23b113859a8049214df' + - '1d053020079124ac526d84affb17bf4a1563ecd872c83b4b6299c9aa6a732557' + - 'c059f1b2b73ecab48d62f469d48dbde74a80c4ada07f0bd3b417ec4e044fb522' + - 'a66d2fb7ef7350ea74d4290c57fb62bc59c6ea93f759d4ca93c3febca7aeb512' condition: 1 of selection* falsepositives: - Unknown diff --git a/rules/windows/driver_load/driver_load_vuln_drivers_names.yml b/rules/windows/driver_load/driver_load_vuln_drivers_names.yml index 6011de40e..fa3fb3f26 100644 --- a/rules/windows/driver_load/driver_load_vuln_drivers_names.yml +++ b/rules/windows/driver_load/driver_load_vuln_drivers_names.yml @@ -15,7 +15,11 @@ references: - https://github.com/namazso/physmem_drivers - https://github.com/stong/CVE-2020-15368 - https://github.com/CaledoniaProject/drivers-binaries + - https://github.com/Chigusa0w0/AsusDriversPrivEscala + - https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/ + - https://eclypsium.com/2019/11/12/mother-of-all-drivers/ date: 2022/10/03 +modified: 2022/10/10 tags: - attack.privilege_escalation - attack.t1543.003 
@@ -134,32 +138,69 @@ detection: - '\piddrv64.sys' # List below is based on Elastic Yara rules and samples from the "sample references" section https://github.com/elastic/protections-artifacts/search?q=VulnDriver # The names were taken from VT search of those samples - - 'BS_I2cIo.sys' # Version: 1.1.0.0 - - 'rtkio.sys' - - 'AMDRyzenMasterDriver.sys' # Version: 1.5.0.0 - - 'LHA.sys' - - 'kEvP64.sys' - - 'BSMI.sys' # Version: 1.0.0.3 - - 'TmComm.sys' # Version: 8.0.0.0 - - 'cpuz.sys' # Version: 1.0.4.3 - - 'ElbyCDIO.sys' # Version: 6.0.3.2 - - 'iQVW64.SYS' # Version: 1.4.0.0 - - 'vmdrv.sys' # Version: 10.0.10011.16384 - - 'HpPortIox64.sys' # Version: 1.2.0.9 - - 'AMDPowerProfiler.sys' # Version: 6.1.0.0 - - 'CorsairLLAccess64.sys' # Version: 1.0.18.0 - - 'RTCore64.sys' - - 'libnicm.sys' # Version: 3.1.12.0 - - 'procexp.Sys' # Version: 16.27.0.0 - - 'viragt.sys' # Version: 1.80.0.0 - - 'viragt64.sys' # Version: 1.0.0.11 - - 'AsrDrv106.sys' - - 'zamguard64.sys' - - 'zam64.sys' - - 'fidpcidrv64.sys' - - 'MsIo32.sys' - - 'winio64.sys' - - 'DirectIo64.sys' + - '\BS_I2cIo.sys' # Version: 1.1.0.0 + - '\rtkio.sys' + - '\AMDRyzenMasterDriver.sys' # Version: 1.5.0.0 + - '\LHA.sys' + - '\kEvP64.sys' + - '\BSMI.sys' # Version: 1.0.0.3 + - '\TmComm.sys' # Version: 8.0.0.0 + - '\cpuz.sys' # Version: 1.0.4.3 + - '\iQVW64.SYS' # Version: 1.4.0.0 + - '\vmdrv.sys' # Version: 10.0.10011.16384 + - '\HpPortIox64.sys' # Version: 1.2.0.9 + - '\AMDPowerProfiler.sys' # Version: 6.1.0.0 + - '\CorsairLLAccess64.sys' # Version: 1.0.18.0 + - '\RTCore64.sys' + - '\libnicm.sys' # Version: 3.1.12.0 + - '\procexp.Sys' # Version: 16.27.0.0 + - '\viragt.sys' # Version: 1.80.0.0 + - '\viragt64.sys' # Version: 1.0.0.11 + - '\AsrDrv106.sys' + - '\zamguard64.sys' + - '\zam64.sys' + - '\fidpcidrv64.sys' + - '\MsIo32.sys' + - '\winio64.sys' + # https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html + - '\capcom.sys' + - '\IOMap64.sys' + - '\ATSZIO64.sys' + - 
'\aswVmm.sys' + - '\FairplayKD.sys' + - '\pgldqpoc.sys' + - '\iqvw64e.sys' + - '\Monitor_win10_x64.sys' + - '\srvnetbus.sys' + - '\Mslo64.sys' + - '\pcdsrvc_x64.pkms' + - '\krpocesshacker.sys' + - '\HWiNFO64A.sys' # version <= 8.98, CVE-2018-8061 + - '\rzpnk.sys' + - '\magdrvamd64.sys' + # https://github.com/Chigusa0w0/AsusDriversPrivEscala + - '\driver7-x64.sys' + - '\driver7-x86-withoutdbg.sys' + - '\driver7-x86.sys' + # Other + - '\gmer.sys' + - '\PCADRVX64.sys' + # WinRing0 other names from VT (https://eclypsium.com/2019/11/12/mother-of-all-drivers/) + - '\ActiveHealth.sys' + - '\CAM_V3.sys' + - '\GameFire.sys' + - '\OpenHardwareMonitor.sys' + - '\OpenHardwareMonitorLib.sys' + - '\OpenHardwareMonitorReport.sys' + - '\SmartDashboard.sys' + - '\SystemGauge.sys' + - '\SystemGaugeX7.sys' + - '\VideoNovaServerControllerService.sys' + - '\ellp_service.sys' + - '\hardwareproviders.sys' + - '\ohm.sys' + - '\sensorsview32_64.sys' + - '\touchpointanalyticsclient.sys' condition: selection falsepositives: - Some false positives may occure if one of the vulnerable driver names mentioned above didn't change it's name between versions. So always make sure that the driver being loaded is the legitimate one and the non vulnerable version. diff --git a/rules/windows/image_load/image_load_in_memory_powershell.yml b/rules/windows/image_load/image_load_in_memory_powershell.yml index 554148efc..2eed58f5a 100755 --- a/rules/windows/image_load/image_load_in_memory_powershell.yml +++ b/rules/windows/image_load/image_load_in_memory_powershell.yml @@ -7,7 +7,7 @@ status: experimental description: Detects loading of essential DLL used by PowerShell, but not by the process powershell.exe. Detects meterpreter's "load powershell" extension. author: Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton date: 2019/11/14 -modified: 2022/04/21 +modified: 2022/10/10 references: - https://adsecurity.org/?p=2921 - https://github.com/p3nt4/PowerShdll 
@@ -23,7 +23,9 @@ detection: - '\System.Management.Automation.Dll' - '\System.Management.Automation.ni.Dll' filter: - - Image: 'C:\Windows\System32\dsac.exe' + - Image: + - 'C:\Windows\System32\dsac.exe' + - 'C:\Program Files\PowerShell\7\pwsh.exe' #PowerShell 7 - Image|endswith: - '\powershell.exe' - '\powershell_ise.exe' diff --git a/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml b/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml index 36d307d82..2ff0422cc 100755 --- a/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml +++ b/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml 
@@ -4,68 +4,68 @@ status: test description: Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine. author: Perez Diego (@darkquassar), oscd.community, Ecco references: - - https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump - - https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html - - https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6 + - https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump + - https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html + - https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6 date: 2019/10/27 modified: 2022/09/15 logsource: - category: image_load - product: windows + category: image_load + product: windows detection: - signedprocess: - ImageLoaded|endswith: - - '\dbghelp.dll' - - '\dbgcore.dll' - Image|endswith: - - '\msbuild.exe' - - '\cmd.exe' - # - '\svchost.exe' triggered by installing common software - - '\rundll32.exe' - # - '\powershell.exe' triggered by installing common software - - '\word.exe' - - '\excel.exe' - - '\powerpnt.exe' - - '\outlook.exe' - - '\monitoringhost.exe' - - '\wmic.exe' - # - '\msiexec.exe' an installer installing a program using one of those DLL will raise an alert - - '\bash.exe' - - '\wscript.exe' - - '\cscript.exe' - - '\mshta.exe' - # - '\regsvr32.exe' triggered by installing common software - # - '\schtasks.exe' triggered by installing software - - '\dnx.exe' - - '\regsvcs.exe' - - '\sc.exe' - - '\scriptrunner.exe' - unsignedprocess: - ImageLoaded|endswith: - - 
'\dbghelp.dll' - - '\dbgcore.dll' - Signed: 'FALSE' - filter1: - - Image|contains: 'Visual Studio' - - CommandLine|contains: - - '-k LocalSystemNetworkRestricted' - - '-k UnistackSvcGroup -s WpnUserService' - filter2: # Not available in Sysmon, but in Aurora - CommandLine: - - 'C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv' - - 'C:\Windows\System32\svchost.exe -k WerSvcGroup' - filter3: - CommandLine|startswith: 'C:\WINDOWS\winsxs\' - CommandLine|endswith: '\TiWorker.exe -Embedding' - condition: (signedprocess or unsignedprocess) and not 1 of filter* + signedprocess: + ImageLoaded|endswith: + - '\dbghelp.dll' + - '\dbgcore.dll' + Image|endswith: + - '\msbuild.exe' + - '\cmd.exe' + # - '\svchost.exe' triggered by installing common software + - '\rundll32.exe' + # - '\powershell.exe' triggered by installing common software + - '\word.exe' + - '\excel.exe' + - '\powerpnt.exe' + - '\outlook.exe' + - '\monitoringhost.exe' + - '\wmic.exe' + # - '\msiexec.exe' an installer installing a program using one of those DLL will raise an alert + - '\bash.exe' + - '\wscript.exe' + - '\cscript.exe' + - '\mshta.exe' + # - '\regsvr32.exe' triggered by installing common software + # - '\schtasks.exe' triggered by installing software + - '\dnx.exe' + - '\regsvcs.exe' + - '\sc.exe' + - '\scriptrunner.exe' + unsignedprocess: + ImageLoaded|endswith: + - '\dbghelp.dll' + - '\dbgcore.dll' + Signed: 'FALSE' + filter1: + - Image|contains: 'Visual Studio' + - CommandLine|contains: + - '-k LocalSystemNetworkRestricted' + - '-k UnistackSvcGroup -s WpnUserService' + filter2: # Not available in Sysmon, but in Aurora + CommandLine: + - 'C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv' + - 'C:\Windows\System32\svchost.exe -k WerSvcGroup' + filter3: + CommandLine|startswith: 'C:\WINDOWS\winsxs\' + CommandLine|endswith: '\TiWorker.exe -Embedding' + condition: (signedprocess or unsignedprocess) and not 1 of filter* fields: - - ComputerName - - User - - Image - - ImageLoaded + - 
ComputerName + - User + - Image + - ImageLoaded falsepositives: - - Unknown + - Unknown level: high tags: - - attack.credential_access - - attack.t1003.001 + - attack.credential_access + - attack.t1003.001 diff --git a/rules/windows/pipe_created/pipe_created_alternate_powershell_hosts_pipe.yml b/rules/windows/pipe_created/pipe_created_alternate_powershell_hosts_pipe.yml index 7e0b89a94..2cf89d293 100644 --- a/rules/windows/pipe_created/pipe_created_alternate_powershell_hosts_pipe.yml +++ b/rules/windows/pipe_created/pipe_created_alternate_powershell_hosts_pipe.yml @@ -6,7 +6,7 @@ author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton references: - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html date: 2019/09/12 -modified: 2022/04/21 +modified: 2022/10/10 logsource: product: windows category: pipe_created @@ -36,7 +36,9 @@ detection: - 'C:\Program Files\Citrix\' - 'C:\Program Files\Microsoft\Exchange Server\' filter5: - Image: 'C:\Windows\system32\ServerManager.exe' + Image: + - 'C:\Windows\system32\ServerManager.exe' + - 'C:\Program Files\PowerShell\7\pwsh.exe' # Powershell 7 condition: selection and not 1 of filter* fields: - ComputerName diff --git a/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml index 2ec92afbf..fa4bfe828 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml @@ -3,7 +3,7 @@ id: 64e8e417-c19a-475a-8d19-98ea705394cc description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe status: test date: 2019/08/11 -modified: 2022/10/05 +modified: 2022/10/10 author: Roberto Rodriguez @Cyb3rWard0g references: - https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html 
@@ -18,7 +18,13 @@ detection: selection: ContextInfo|contains: '*' filter: - ContextInfo|contains: 'powershell.exe' # Host Application=...powershell.exe or Application hote=...powershell.exe in French Win10 event + # This filter covers the following use cases + # - When powershell is called directly from commandline via keyword powershell or powershell.exe + # - Or called via path but not with full "".exe". Example: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell + ContextInfo|contains: + - '= powershell' # Host Application=...powershell.exe or Application hote=...powershell.exe in French Win10 event + - '= C:\Windows\System32\WindowsPowerShell\v1.0\powershell' + - '= C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell' filter_citrix: ContextInfo|contains: 'ConfigSyncRun.exe' filter_adace: # Active Directory Administrative Center Enhancements diff --git a/rules/windows/process_creation/proc_creation_win_apt_wocao.yml b/rules/windows/process_creation/proc_creation_win_apt_wocao.yml index d25640739..e58ff94d0 100644 --- a/rules/windows/process_creation/proc_creation_win_apt_wocao.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_wocao.yml @@ -23,6 +23,7 @@ tags: logsource: category: process_creation product: windows + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: selection: CommandLine|contains: diff --git a/rules/windows/process_creation/proc_creation_win_pchunter_execution.yml b/rules/windows/process_creation/proc_creation_win_pchunter_execution.yml deleted file mode 100644 index a95004187..000000000 --- a/rules/windows/process_creation/proc_creation_win_pchunter_execution.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -title: PCHunter Execution -id: df5daa7b-c2d5-4a4d-972b-5f85febe56bc -status: experimental -description: Detects the execution PCHunter based on image and Original File Name fields. -references: - - http://www.xuetr.com/ - - https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/ -author: Nasreddine Bencherchali -date: 2022/10/05 -tags: - - attack.defense_evasion -logsource: - category: process_creation - product: windows -detection: - selection: - - Image|endswith: - - '\PCHunter32.exe' - - '\PCHunter64.exe' - - OriginalFileName: 'PCHunter.exe' - condition: selection -falsepositives: - - Unlikely -level: high diff --git a/rules/windows/process_creation/proc_creation_win_susp_conhost.yml b/rules/windows/process_creation/proc_creation_win_susp_conhost.yml index c04f74a1d..c0aa4efb4 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_conhost.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_conhost.yml @@ -18,7 +18,7 @@ detection: ParentImage|endswith: '\conhost.exe' filter_provider: Provider_Name: 'SystemTraceProvider-Process' # FPs with Aurora - # Note that some of these git events occure because of a sppofed parent image + # Note that some of these git events occure because of a spoofed parent image filter_git: # Example FP: # ParentCommandLine: "C:\Program Files\Git\cmd\git.exe" show --textconv :path/to/file diff --git a/rules/windows/process_creation/proc_creation_win_susp_pchunter.yml b/rules/windows/process_creation/proc_creation_win_susp_pchunter.yml new file mode 100644 index 000000000..d233a8713 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_susp_pchunter.yml 
@@ -0,0 +1,48 @@ +title: PCHunter Usage +id: fca949cc-79ca-446e-8064-01aa7e52ece5 +description: Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff +status: experimental +references: + - http://www.xuetr.com/ + - https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/ + - https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/ +author: Florian Roth, Nasreddine Bencherchali +date: 2022/10/10 +logsource: + category: process_creation + product: windows +detection: + selection_image: + Image|endswith: + - '\PCHunter64.exe' + - '\PCHunter32.exe' + selection_pe: + - OriginalFileName: 'PCHunter.exe' + - Description: 'Epoolsoft Windows Information View Tools' + selection_hashes: + Hashes|contains: + - 'SHA1=5F1CBC3D99558307BC1250D084FA968521482025' + - 'MD5=987B65CD9B9F4E9A1AFD8F8B48CF64A7' + - 'SHA256=2B214BDDAAB130C274DE6204AF6DBA5AEEC7433DA99AA950022FA306421A6D32' + - 'IMPHASH=444D210CEA1FF8112F256A4997EED7FF' + - 'SHA1=3FB89787CB97D902780DA080545584D97FB1C2EB' + - 'MD5=228DD0C2E6287547E26FFBD973A40F14' + - 'SHA256=55F041BF4E78E9BFA6D4EE68BE40E496CE3A1353E1CA4306598589E19802522C' + - 'IMPHASH=0479F44DF47CFA2EF1CCC4416A538663' + selection_hash_values: + - md5: + - '228dd0c2e6287547e26ffbd973a40f14' + - '987b65cd9b9f4e9a1afd8f8b48cf64a7' + - sha1: + - '5f1cbc3d99558307bc1250d084fa968521482025' + - '3fb89787cb97d902780da080545584d97fb1c2eb' + - sha256: + - '2b214bddaab130c274de6204af6dba5aeec7433da99aa950022fa306421a6d32' + - '55f041bf4e78e9bfa6d4ee68be40e496ce3a1353e1ca4306598589e19802522c' + - imphash: + - '444d210cea1ff8112f256a4997eed7ff' + - '0479f44df47cfa2ef1ccc4416a538663' + condition: 1 of selection* +falsepositives: + - Unlikely +level: high 
diff --git a/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml b/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml new file mode 100644 index 000000000..b54f27a17 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml 
@@ -0,0 +1,48 @@ +title: Process Hacker Usage +id: 811e0002-b13b-4a15-9d00-a613fce66e42 +description: Detects suspicious use of Process Hacker, a tool to view and manipulate processes, kernel options and other low level stuff +status: experimental +references: + - https://processhacker.sourceforge.io/ + - https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/ +author: Florian Roth +date: 2022/10/10 +logsource: + category: process_creation + product: windows +detection: + selection_image: + Image|contains: '\ProcessHacker_' + selection_pe: + - OriginalFileName: + - 'ProcessHacker.exe' + - 'Process Hacker' + - Description: 'Process Hacker' + - Product: 'Process Hacker' + selection_hashes: + Hashes|contains: + - 'MD5=68F9B52895F4D34E74112F3129B3B00D' + - 'SHA1=C5E2018BF7C0F314FED4FD7FE7E69FA2E648359E' + - 'SHA256=D4A0FE56316A2C45B9BA9AC1005363309A3EDC7ACF9E4DF64D326A0FF273E80F' + - 'IMPHASH=04DE0AD9C37EB7BD52043D2ECAC958DF' + - 'MD5=B365AF317AE730A67C936F21432B9C71' + - 'SHA1=A0BDFAC3CE1880B32FF9B696458327CE352E3B1D' + - 'SHA256=BD2C2CF0631D881ED382817AFCCE2B093F4E412FFB170A719E2762F250ABFEA4' + - 'IMPHASH=3695333C60DEDECDCAFF1590409AA462' + selection_hash_values: + - md5: + - '68f9b52895f4d34e74112f3129b3b00d' + - 'b365af317ae730a67c936f21432b9c71' + - sha1: + - 'c5e2018bf7c0f314fed4fd7fe7e69fa2e648359e' + - 'a0bdfac3ce1880b32ff9b696458327ce352e3b1d' + - sha256: + - 'd4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f' + - 'bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4' + - imphash: + - '04de0ad9c37eb7bd52043d2ecac958df' + - '3695333c60dedecdcaff1590409aa462' + condition: 1 of selection* +falsepositives: + - Sometimes used by developers or system administrators for debugging purposes +level: high diff --git a/rules/windows/process_creation/proc_creation_win_susp_winrm_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_winrm_execution.yml index 7cba36749..b54b22876 100644 
--- a/rules/windows/process_creation/proc_creation_win_susp_winrm_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_winrm_execution.yml @@ -23,7 +23,6 @@ detection: condition: all of selection* falsepositives: - Legitimate use for administartive purposes. Unlikely - level: medium tags: - attack.defense_evasion
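Review bot: the first hunk (image_load rule, `signedprocess`/`unsignedprocess`/`filter1`..`filter3`) replaces the entire detection block, but every `+` line repeats the corresponding `-` line with different indentation, up to and including `condition: (signedprocess or unsignedprocess) and not 1 of filter*`, so this appears to be a whitespace-only change; please confirm with a whitespace-insensitive diff that no key moved between maps, because a shifted indent in YAML can silently detach `Signed: 'FALSE'` from `unsignedprocess` or a list item from its filter. The trailing `fields`, `falsepositives` and `tags` lists are likewise only re-indented.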
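Review bot: in the pipe_created_alternate_powershell_hosts_pipe.yml hunk, the new `filter5` entry `'C:\Program Files\PowerShell\7\pwsh.exe'` pins the major-version directory, so the exclusion silently stops applying when a later major version installs under a different folder; a short note next to `# Powershell 7` would tell whoever sees pwsh alerts after an upgrade to extend the list. Keeping the full path rather than an `endswith: '\pwsh.exe'` is the right choice, since an alternate host renamed to pwsh.exe in another directory should still be reported.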
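Review bot: in the posh_pm_alternate_powershell_hosts.yml hunk, `'= powershell'` is a substring match, so besides `= powershell.exe` it also suppresses a `Host Application = powershell_ise.exe` value and any other host whose name starts with `powershell`; if ISE is meant to count as a legitimate host, say so in the comment, otherwise the match needs narrowing. The comment line `# - Or called via path but not with full "".exe"` also has a stray double quote and should read `".exe"`.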
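Review bot: in the proc_creation_win_apt_wocao.yml hunk, the added `definition` says the 'System Security Extension' subcategory must be enabled to log EID 4697, but this rule's logsource is `category: process_creation` and the visible selection keys on `CommandLine|contains`; EID 4697 is a Security-log service-installation event, so unless another selection in this rule uses `EventID: 4697` the line looks copied from the `service: security` rules in this same change and should be dropped here. Wherever it is kept, `need to be enabled` should read `needs to be enabled`.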
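Review bot: the deleted proc_creation_win_pchunter_execution.yml (id `df5daa7b-c2d5-4a4d-972b-5f85febe56bc`) is superseded by the new proc_creation_win_susp_pchunter.yml in this same change; to keep history traceable for anyone who has the old id deployed, record it in the new rule's `related:` list with `type: obsoletes` rather than removing it silently.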
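Review bot: the proc_creation_win_susp_conhost.yml hunk fixes only `sppofed`; the same comment line still reads `occure`, so make it `# Note that some of these git events occur because of a spoofed parent image` in one go.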
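Review bot: the new proc_creation_win_susp_pchunter.yml drops the `tags:` block (`attack.defense_evasion`) that the deleted rule carried, so the ATT&CK mapping is lost; re-add at least `attack.defense_evasion`. The `description` ending in `other low level stuff` would read better as `other low-level components` for a rule description. The `Hashes|contains` and `selection_hash_values` blocks carry the same eight values in the two field layouts, which is consistent.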
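Review bot: in the new proc_creation_win_susp_process_hacker.yml, `selection_image` uses `Image|contains: '\ProcessHacker_'`, which requires an underscore after the name, so an image path ending in `\ProcessHacker.exe` is not matched by this selection and is only caught when the `OriginalFileName`, `Description` or `Product` metadata in `selection_pe` survives; if the underscore is intentional (versioned file names), a comment should say so, otherwise add `Image|endswith: '\ProcessHacker.exe'`. Like the PCHunter rule in this change it has no `tags:` block, and its `description` ends in the same `other low level stuff` wording.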
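Review bot: the proc_creation_win_susp_winrm_execution.yml hunk only removes the blank line before `level: medium`; the context line directly above it still carries the typo `administartive` in `- Legitimate use for administartive purposes. Unlikely`, which could be corrected to `administrative` in the same touch.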