From be0a3ad863f5b4db10eb5acf481e389da68fe318 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 10 Oct 2022 10:22:46 +0200
Subject: [PATCH 1/8] Add missing definition section for EID 4697
---
 ...n_hybridconnectionmgr_svc_installation.yml | 3 +-
 ...oke_obfuscation_clip_services_security.yml | 5 +-
 ...ation_obfuscated_iex_services_security.yml | 1 +
 ...ke_obfuscation_stdin_services_security.yml | 3 +-
 ...voke_obfuscation_var_services_security.yml | 1 +
 ...scation_via_compress_services_security.yml | 12 ++---
 ...fuscation_via_rundll_services_security.yml | 3 +-
 ...bfuscation_via_stdin_services_security.yml | 3 +-
 ...scation_via_use_clip_services_security.yml | 1 +
 ...cation_via_use_mshta_services_security.yml | 3 +-
 ...ion_via_use_rundll32_services_security.yml | 1 +
 ..._obfuscation_via_var_services_security.yml | 1 +
 ...security_cobaltstrike_service_installs.yml | 1 +
 .../security/win_security_mal_creddumper.yml | 1 +
 .../win_security_mal_service_installs.yml | 1 +
 ...or_impacket_smb_psexec_service_install.yml | 1 +
 ...cobaltstrike_getsystem_service_install.yml | 1 +
 ...powershell_script_installed_as_service.yml | 1 +
 .../win_security_tap_driver_installation.yml | 1 +
 .../builtin/system/win_pcap_drivers.yml | 53 ++++++++++---------
 .../proc_creation_win_apt_wocao.yml | 1 +
 21 files changed, 59 insertions(+), 39 deletions(-)
diff --git a/rules/windows/builtin/security/win_hybridconnectionmgr_svc_installation.yml b/rules/windows/builtin/security/win_hybridconnectionmgr_svc_installation.yml
index eb95ff0a5..dad0bc4d1 100644
--- a/rules/windows/builtin/security/win_hybridconnectionmgr_svc_installation.yml
+++ b/rules/windows/builtin/security/win_hybridconnectionmgr_svc_installation.yml
@@ -13,6 +13,7 @@ tags:
 logsource:
 product: windows
 service: security
+ definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
 detection:
 selection:
 EventID: 4697
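Review bot: The added `definition` points administrators at an audit subcategory that does not exist under that name; Event ID 4697 ("A service was installed in the system") is produced by the *Audit Security System Extension* subcategory (Advanced Audit Policy → System), so the two words are swapped, and the sentence is also ungrammatical ("need to be"). Suggest `definition: The 'Audit Security System Extension' audit subcategory (Advanced Audit Policy > System) needs to be enabled to log EID 4697` and applying the same wording to every rule this patch touches, since the identical line is added to each of them. It is worth adding that on many default audit configurations this subcategory is not enabled, so an absence of 4697 events must not be read as an absence of service installs — that is the practical reason the definition line matters.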
@@ -21,4 +22,4 @@ detection: condition: selection falsepositives: - Legitimate use of Hybrid Connection Manager via Azure function apps. -level: high +level: high \ No newline at end of file diff --git a/rules/windows/builtin/security/win_invoke_obfuscation_clip_services_security.yml b/rules/windows/builtin/security/win_invoke_obfuscation_clip_services_security.yml index 332f8a4c0..67a89d083 100644 --- a/rules/windows/builtin/security/win_invoke_obfuscation_clip_services_security.yml +++ b/rules/windows/builtin/security/win_invoke_obfuscation_clip_services_security.yml @@ -19,15 +19,16 @@ tags: logsource: product: windows service: security + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: selection: Provider_Name: 'Microsoft-Windows-Security-Auditing' EventID: 4697 - ServiceFileName|contains|all: + ServiceFileName|contains|all: - 'cmd' - '&&' - 'clipboard]::' - condition: selection + condition: selection falsepositives: - Unknown level: high \ No newline at end of file diff --git a/rules/windows/builtin/security/win_invoke_obfuscation_obfuscated_iex_services_security.yml b/rules/windows/builtin/security/win_invoke_obfuscation_obfuscated_iex_services_security.yml index d4bf55fd5..72e1b9b09 100644 --- a/rules/windows/builtin/security/win_invoke_obfuscation_obfuscated_iex_services_security.yml +++ b/rules/windows/builtin/security/win_invoke_obfuscation_obfuscated_iex_services_security.yml @@ -16,6 +16,7 @@ tags: logsource: product: windows service: security + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: selection_eid: EventID: 4697 diff --git a/rules/windows/builtin/security/win_invoke_obfuscation_stdin_services_security.yml b/rules/windows/builtin/security/win_invoke_obfuscation_stdin_services_security.yml index 028da309b..b011d03fa 100644 --- a/rules/windows/builtin/security/win_invoke_obfuscation_stdin_services_security.yml 
+++ b/rules/windows/builtin/security/win_invoke_obfuscation_stdin_services_security.yml @@ -18,10 +18,11 @@ tags: logsource: product: windows service: security + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: selection: EventID: 4697 - ServiceFileName|contains|all: + ServiceFileName|contains|all: - 'cmd' - 'powershell' selection2: diff --git a/rules/windows/builtin/security/win_invoke_obfuscation_var_services_security.yml b/rules/windows/builtin/security/win_invoke_obfuscation_var_services_security.yml index 08bb35cb3..17fea9ae4 100644 --- a/rules/windows/builtin/security/win_invoke_obfuscation_var_services_security.yml +++ b/rules/windows/builtin/security/win_invoke_obfuscation_var_services_security.yml @@ -18,6 +18,7 @@ tags: logsource: product: windows service: security + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: selection: EventID: 4697 diff --git a/rules/windows/builtin/security/win_invoke_obfuscation_via_compress_services_security.yml b/rules/windows/builtin/security/win_invoke_obfuscation_via_compress_services_security.yml index cb53ad051..67d033bf6 100644 --- a/rules/windows/builtin/security/win_invoke_obfuscation_via_compress_services_security.yml +++ b/rules/windows/builtin/security/win_invoke_obfuscation_via_compress_services_security.yml @@ -2,12 +2,12 @@ title: Invoke-Obfuscation COMPRESS OBFUSCATION id: 7a922f1b-2635-4d6c-91ef-af228b198ad3 related: - id: 175997c5-803c-4b08-8bb0-70b099f47595 - type: derived + type: derived description: Detects Obfuscated Powershell via COMPRESS OBFUSCATION status: experimental author: Timur Zinniatullin, oscd.community date: 2020/10/18 -modified: 2022/02/03 +modified: 2022/10/10 references: - https://github.com/Neo23x0/sigma/issues/1009 #(Task 19) tags: 
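Review bot: Only this rule's `modified` field is bumped to `2022/10/10`, while the other rules in the same patch receive the same new `definition` line (and in several cases whitespace rewrites) without any `modified` change — the hybridconnectionmgr and clip rules in the earlier hunks, for example. Sigma convention is to bump `modified` whenever rule content changes, and downstream consumers use it to decide what to re-import. Suggest adding or updating `modified: 2022/10/10` in every file touched by this patch, not just the compress rule.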
@@ -18,18 +18,18 @@ tags: logsource: product: windows service: security + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: selection: - EventID: 4697 - ServiceFileName|contains|all: + EventID: 4697 + ServiceFileName|contains|all: - 'new-object' - 'text.encoding]::ascii' - 'readtoend' - selection2: ServiceFileName|contains: - 'system.io.compression.deflatestream' - 'system.io.streamreader' - condition: all of selection* + condition: selection falsepositives: - Unknown level: medium diff --git a/rules/windows/builtin/security/win_invoke_obfuscation_via_rundll_services_security.yml b/rules/windows/builtin/security/win_invoke_obfuscation_via_rundll_services_security.yml index b4d6ee2fd..6f1763fea 100644 --- a/rules/windows/builtin/security/win_invoke_obfuscation_via_rundll_services_security.yml +++ b/rules/windows/builtin/security/win_invoke_obfuscation_via_rundll_services_security.yml @@ -18,9 +18,10 @@ tags: logsource: product: windows service: security + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: selection: - EventID: 4697 + EventID: 4697 ServiceFileName|contains|all: - 'rundll32.exe' - 'shell32.dll' diff --git a/rules/windows/builtin/security/win_invoke_obfuscation_via_stdin_services_security.yml b/rules/windows/builtin/security/win_invoke_obfuscation_via_stdin_services_security.yml index e539fc6af..24f51d7b7 100644 --- a/rules/windows/builtin/security/win_invoke_obfuscation_via_stdin_services_security.yml +++ b/rules/windows/builtin/security/win_invoke_obfuscation_via_stdin_services_security.yml @@ -18,10 +18,11 @@ tags: logsource: product: windows service: security + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: selection: EventID: 4697 - ServiceFileName|contains|all: + ServiceFileName|contains|all: - 'set' - '&&' ServiceFileName|contains: 
diff --git a/rules/windows/builtin/security/win_invoke_obfuscation_via_use_clip_services_security.yml b/rules/windows/builtin/security/win_invoke_obfuscation_via_use_clip_services_security.yml index 302f7f1eb..291bd0de8 100644 --- a/rules/windows/builtin/security/win_invoke_obfuscation_via_use_clip_services_security.yml +++ b/rules/windows/builtin/security/win_invoke_obfuscation_via_use_clip_services_security.yml @@ -18,6 +18,7 @@ tags: logsource: product: windows service: security + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: selection: EventID: 4697 diff --git a/rules/windows/builtin/security/win_invoke_obfuscation_via_use_mshta_services_security.yml b/rules/windows/builtin/security/win_invoke_obfuscation_via_use_mshta_services_security.yml index 4e451e116..3f5a8079b 100644 --- a/rules/windows/builtin/security/win_invoke_obfuscation_via_use_mshta_services_security.yml +++ b/rules/windows/builtin/security/win_invoke_obfuscation_via_use_mshta_services_security.yml @@ -18,10 +18,11 @@ tags: logsource: product: windows service: security + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: selection: EventID: 4697 - ServiceFileName|contains|all: + ServiceFileName|contains|all: - 'mshta' - 'vbscript:createobject' - '.run' diff --git a/rules/windows/builtin/security/win_invoke_obfuscation_via_use_rundll32_services_security.yml b/rules/windows/builtin/security/win_invoke_obfuscation_via_use_rundll32_services_security.yml index e63329502..593bbc86d 100644 --- a/rules/windows/builtin/security/win_invoke_obfuscation_via_use_rundll32_services_security.yml +++ b/rules/windows/builtin/security/win_invoke_obfuscation_via_use_rundll32_services_security.yml 
@@ -18,6 +18,7 @@ tags: logsource: product: windows service: security + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: selection: EventID: 4697 diff --git a/rules/windows/builtin/security/win_invoke_obfuscation_via_var_services_security.yml b/rules/windows/builtin/security/win_invoke_obfuscation_via_var_services_security.yml index e6fedf46f..e973cca18 100644 --- a/rules/windows/builtin/security/win_invoke_obfuscation_via_var_services_security.yml +++ b/rules/windows/builtin/security/win_invoke_obfuscation_via_var_services_security.yml @@ -18,6 +18,7 @@ tags: logsource: product: windows service: security + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: selection: EventID: 4697 diff --git a/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml b/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml index 2570b4fbe..2b4bdb2fb 100644 --- a/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml +++ b/rules/windows/builtin/security/win_security_cobaltstrike_service_installs.yml @@ -22,6 +22,7 @@ tags: logsource: product: windows service: security + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: event_id: EventID: 4697 diff --git a/rules/windows/builtin/security/win_security_mal_creddumper.yml b/rules/windows/builtin/security/win_security_mal_creddumper.yml index 9e3f3eaa5..43921309e 100644 --- a/rules/windows/builtin/security/win_security_mal_creddumper.yml +++ b/rules/windows/builtin/security/win_security_mal_creddumper.yml @@ -23,6 +23,7 @@ tags: logsource: product: windows service: security + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: selection: EventID: 4697 
diff --git a/rules/windows/builtin/security/win_security_mal_service_installs.yml b/rules/windows/builtin/security/win_security_mal_service_installs.yml index 9ba6ab03d..603aa9928 100644 --- a/rules/windows/builtin/security/win_security_mal_service_installs.yml +++ b/rules/windows/builtin/security/win_security_mal_service_installs.yml @@ -22,6 +22,7 @@ tags: logsource: product: windows service: security + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: selection: EventID: 4697 diff --git a/rules/windows/builtin/security/win_security_metasploit_or_impacket_smb_psexec_service_install.yml b/rules/windows/builtin/security/win_security_metasploit_or_impacket_smb_psexec_service_install.yml index 9458b61d5..bee29b60e 100644 --- a/rules/windows/builtin/security/win_security_metasploit_or_impacket_smb_psexec_service_install.yml +++ b/rules/windows/builtin/security/win_security_metasploit_or_impacket_smb_psexec_service_install.yml @@ -19,6 +19,7 @@ tags: logsource: product: windows service: security + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: selection: EventID: 4697 diff --git a/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml b/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml index f13e9b7b1..6609ea3fa 100644 --- a/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml +++ b/rules/windows/builtin/security/win_security_meterpreter_or_cobaltstrike_getsystem_service_install.yml @@ -18,6 +18,7 @@ tags: logsource: product: windows service: security + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: selection_id: EventID: 4697 
diff --git a/rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml b/rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml index b9cd11de3..3b956de46 100644 --- a/rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml +++ b/rules/windows/builtin/security/win_security_powershell_script_installed_as_service.yml @@ -16,6 +16,7 @@ tags: logsource: product: windows service: security + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: selection: EventID: 4697 diff --git a/rules/windows/builtin/security/win_security_tap_driver_installation.yml b/rules/windows/builtin/security/win_security_tap_driver_installation.yml index c70802007..6e27ffa1b 100644 --- a/rules/windows/builtin/security/win_security_tap_driver_installation.yml +++ b/rules/windows/builtin/security/win_security_tap_driver_installation.yml @@ -14,6 +14,7 @@ tags: logsource: product: windows service: security + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: selection: EventID: 4697 diff --git a/rules/windows/builtin/system/win_pcap_drivers.yml b/rules/windows/builtin/system/win_pcap_drivers.yml index cb844e1f3..c9150c302 100644 --- a/rules/windows/builtin/system/win_pcap_drivers.yml +++ b/rules/windows/builtin/system/win_pcap_drivers.yml 
@@ -4,37 +4,38 @@ status: test description: Detects Windows Pcap driver installation based on a list of associated .sys files. author: Cian Heasley references: - - https://ragged-lab.blogspot.com/2020/06/capturing-pcap-driver-installations.html#more + - https://ragged-lab.blogspot.com/2020/06/capturing-pcap-driver-installations.html#more date: 2020/06/10 modified: 2021/11/27 logsource: - product: windows - service: security + product: windows + service: security + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: - selection: - EventID: 4697 - ServiceFileName|contains: - - 'pcap' - - 'npcap' - - 'npf' - - 'nm3' - - 'ndiscap' - - 'nmnt' - - 'windivert' - - 'USBPcap' - - 'pktmon' - condition: selection + selection: + EventID: 4697 + ServiceFileName|contains: + - 'pcap' + - 'npcap' + - 'npf' + - 'nm3' + - 'ndiscap' + - 'nmnt' + - 'windivert' + - 'USBPcap' + - 'pktmon' + condition: selection fields: - - EventID - - ServiceFileName - - Account_Name - - Computer_Name - - Originating_Computer - - ServiceName + - EventID + - ServiceFileName + - Account_Name + - Computer_Name + - Originating_Computer + - ServiceName falsepositives: - - Unknown + - Unknown level: medium tags: - - attack.discovery - - attack.credential_access - - attack.t1040 + - attack.discovery + - attack.credential_access + - attack.t1040 diff --git a/rules/windows/process_creation/proc_creation_win_apt_wocao.yml b/rules/windows/process_creation/proc_creation_win_apt_wocao.yml index d25640739..e58ff94d0 100644 --- a/rules/windows/process_creation/proc_creation_win_apt_wocao.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_wocao.yml @@ -23,6 +23,7 @@ tags: logsource: category: process_creation product: windows + definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697 detection: selection: CommandLine|contains: From 8b40e6fe217d25c5bce9d70c779e4accfc8f756f Mon Sep 17 00:00:00 2001 
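Review bot: `modified: 2021/11/27` is left untouched although the rule gains a `definition` line and is entirely re-indented; suggest `modified: 2022/10/10`. The file sits under `rules/windows/builtin/system/` yet declares `service: security` and matches EID 4697, which is a Security-log event, so if the directory is meant to mirror the logsource this rule is misplaced — pre-existing, but this rewrite is the natural moment to move it. The `fields` entries `Account_Name`, `Computer_Name` and `Originating_Computer` also do not look like the field names 4697 carries (the event's subject fields are `SubjectUserName`/`SubjectDomainName` and the like) — worth verifying against the event schema while the list is being reformatted.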
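Review bot: The EID 4697 `definition` is added to a `process_creation` rule whose visible selection matches on `CommandLine|contains:`, not on the Security log, so the note is wrong for this file and will mislead anyone tuning audit policy for it. Remove `definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697` from proc_creation_win_apt_wocao.yml; the `category: process_creation` / `product: windows` logsource already says what this rule needs. The rest of the detection block lies outside the hunk, but nothing in the visible lines references 4697.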
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 10 Oct 2022 11:35:50 +0200
Subject: [PATCH 2/8] Add missing backslash and remove duplicate
---
 .../driver_load_vuln_drivers_names.yml | 51 +++++++++----------
 1 file changed, 25 insertions(+), 26 deletions(-)
diff --git a/rules/windows/driver_load/driver_load_vuln_drivers_names.yml b/rules/windows/driver_load/driver_load_vuln_drivers_names.yml
index 6011de40e..5561c78c5 100644
--- a/rules/windows/driver_load/driver_load_vuln_drivers_names.yml
+++ b/rules/windows/driver_load/driver_load_vuln_drivers_names.yml
@@ -16,6 +16,7 @@ references:
 - https://github.com/stong/CVE-2020-15368
 - https://github.com/CaledoniaProject/drivers-binaries
 date: 2022/10/03
+modified: 2022/10/10
 tags:
 - attack.privilege_escalation
 - attack.t1543.003
@@ -134,32 +135,30 @@ detection: - '\piddrv64.sys' # List below is based on Elastic Yara rules and samples from the "sample references" section https://github.com/elastic/protections-artifacts/search?q=VulnDriver # The names were taken from VT search of those samples - - 'BS_I2cIo.sys' # Version: 1.1.0.0 - - 'rtkio.sys' - - 'AMDRyzenMasterDriver.sys' # Version: 1.5.0.0 - - 'LHA.sys' - - 'kEvP64.sys' - - 'BSMI.sys' # Version: 1.0.0.3 - - 'TmComm.sys' # Version: 8.0.0.0 - - 'cpuz.sys' # Version: 1.0.4.3 - - 'ElbyCDIO.sys' # Version: 6.0.3.2 - - 'iQVW64.SYS' # Version: 1.4.0.0 - - 'vmdrv.sys' # Version: 10.0.10011.16384 - - 'HpPortIox64.sys' # Version: 1.2.0.9 - - 'AMDPowerProfiler.sys' # Version: 6.1.0.0 - - 'CorsairLLAccess64.sys' # Version: 1.0.18.0 - - 'RTCore64.sys' - - 'libnicm.sys' # Version: 3.1.12.0 - - 'procexp.Sys' # Version: 16.27.0.0 - - 'viragt.sys' # Version: 1.80.0.0 - - 'viragt64.sys' # Version: 1.0.0.11 - - 'AsrDrv106.sys' - - 'zamguard64.sys' - - 'zam64.sys' - - 'fidpcidrv64.sys' - - 'MsIo32.sys' - - 'winio64.sys' - - 'DirectIo64.sys' + - '\BS_I2cIo.sys' # Version: 1.1.0.0 + - '\rtkio.sys' + - '\AMDRyzenMasterDriver.sys' # Version: 1.5.0.0 + - '\LHA.sys' + - '\kEvP64.sys' + - '\BSMI.sys' # Version: 1.0.0.3 + - '\TmComm.sys' # Version: 8.0.0.0 + - '\cpuz.sys' # Version: 1.0.4.3 + - '\iQVW64.SYS' # Version: 1.4.0.0 + - '\vmdrv.sys' # Version: 10.0.10011.16384 + - '\HpPortIox64.sys' # Version: 1.2.0.9 + - '\AMDPowerProfiler.sys' # Version: 6.1.0.0 + - '\CorsairLLAccess64.sys' # Version: 1.0.18.0 + - '\RTCore64.sys' + - '\libnicm.sys' # Version: 3.1.12.0 + - '\procexp.Sys' # Version: 16.27.0.0 + - '\viragt.sys' # Version: 1.80.0.0 + - '\viragt64.sys' # Version: 1.0.0.11 + - '\AsrDrv106.sys' + - '\zamguard64.sys' + - '\zam64.sys' + - '\fidpcidrv64.sys' + - '\MsIo32.sys' + - '\winio64.sys' condition: selection falsepositives: - Some false positives may occure if one of the vulnerable driver names mentioned above didn't change it's name between versions. 
So always make sure that the driver being loaded is the legitimate one and the non vulnerable version.
From 5cbd355d95d484925c7ff967c97c05d57ad3865c Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 10 Oct 2022 12:23:09 +0200
Subject: [PATCH 3/8] ZINC / Lazarus UAs
---
 rules/proxy/proxy_ua_apt.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/rules/proxy/proxy_ua_apt.yml b/rules/proxy/proxy_ua_apt.yml
index 34eaba226..38ec032a3 100644
--- a/rules/proxy/proxy_ua_apt.yml
+++ b/rules/proxy/proxy_ua_apt.yml
@@ -6,7 +6,7 @@ author: Florian Roth, Markus Neis
 references:
 - Internal Research
 date: 2019/11/12
-modified: 2021/11/30
+modified: 2022/10/10
 logsource:
 category: proxy
 detection:
@@ -52,6 +52,8 @@ detection:
 - 'Mozilla/5.0 (X11; Linux i686; rv:22.0) Firefox/22.0' # BackdoorDiplomacy https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/
 - 'Mozilla/5.0 Chrome/72.0.3626.109 Safari/537.36' # SideWalk malware used by Sparkling Goblin
 - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:FTS_06) Gecko/22.36.35.06 Firefox/2.0' # LitePower stager used by WRITE https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044/
+ - 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/100.0.1185.39' # https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/
+ - 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; InfoPath.3; .NET4.0C; .NET4.0E)' # https://www.microsoft.com/security/blog/2022/09/29/zinc-weaponizing-open-source-software/
 condition: selection
 fields:
 - ClientIP
From 0d253472eba882835ed7b925f846422f390998ca Mon Sep 17 00:00:00 2001
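Review bot: The `# Version:` comments record the vulnerable build, but the `endswith`-style name match fires on every load of `'\cpuz.sys'`, `'\procexp.Sys'`, `'\RTCore64.sys'` and the rest, including the current patched Sysinternals and CPUID releases, so the only guard is the free-text falsepositives sentence at the bottom of the hunk. Suggest a comment directly above the list that states this and points at the hash-based companion rule extended later in this series, e.g. `# Name-only indicators: any version of these drivers matches. Confirm hits against the hash list in driver_load_vuln_drivers.yml before escalating.` The removal of `'\DirectIo64.sys'` as a duplicate cannot be confirmed from the visible lines, because the earlier part of the list is outside the hunk — please double-check it still appears above. The leading backslash is the right fix: without it `'cpuz.sys'` would also match any driver whose name merely ends in those characters.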
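Review bot: The second added user agent, `Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; ... .NET4.0C; .NET4.0E)`, is a plausible string for a genuine Internet Explorer session on Windows 7 with .NET 3.5/4.0 installed — presumably chosen by the actor precisely because it blends in — so in networks that still carry legacy IE traffic it will fire on benign requests. The first string is distinctive on its own: `Chrome/102.0.5005.63` combined with `Edg/100.0.1185.39` is not a version pairing a genuine Edge build reports as far as I can tell, which is what makes it a usable indicator. Suggest either dropping the IE string or keeping it with a warning comment such as `# Generic IE7/Win7 UA reused by ZINC — expect FPs where legacy IE is still in use` and mentioning legacy-browser traffic in the rule's falsepositives (outside the hunk).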
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 10 Oct 2022 12:28:41 +0200
Subject: [PATCH 4/8] Update driver_load_vuln_drivers_names.yml
---
 .../driver_load_vuln_drivers_names.yml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/rules/windows/driver_load/driver_load_vuln_drivers_names.yml b/rules/windows/driver_load/driver_load_vuln_drivers_names.yml
index 5561c78c5..0d6aa0c5a 100644
--- a/rules/windows/driver_load/driver_load_vuln_drivers_names.yml
+++ b/rules/windows/driver_load/driver_load_vuln_drivers_names.yml
@@ -159,6 +159,22 @@ detection:
 - '\fidpcidrv64.sys'
 - '\MsIo32.sys'
 - '\winio64.sys'
+ # https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html
+ - '\capcom.sys'
+ - '\IOMap64.sys'
+ - '\ATSZIO64.sys'
+ - '\aswVmm.sys'
+ - '\FairplayKD.sys'
+ - '\pgldqpoc.sys'
+ - '\iqvw64e.sys'
+ - '\Monitor_win10_x64.sys'
+ - '\driver.sys'
+ - '\Mslo64.sys'
+ - '\pcdsrvc_x64.pkms'
+ - '\krpocesshacker.sys'
+ - '\HWiNFO64A.sys'
+ - '\rzpnk.sys'
+ - '\magdrvamd64.sys'
 condition: selection
 falsepositives:
 - Some false positives may occure if one of the vulnerable driver names mentioned above didn't change it's name between versions. So always make sure that the driver being loaded is the legitimate one and the non vulnerable version.
From 7e2f624b0ffe837d4d64a6d4958e522fb3775abc Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 10 Oct 2022 13:03:56 +0200
Subject: [PATCH 5/8] Update drivers list
---
 .../driver_load/driver_load_vuln_drivers.yml | 57 ++++++++++++++++++-
 .../driver_load_vuln_drivers_names.yml | 30 +++++++++-
 2 files changed, 84 insertions(+), 3 deletions(-)
diff --git a/rules/windows/driver_load/driver_load_vuln_drivers.yml b/rules/windows/driver_load/driver_load_vuln_drivers.yml
index 9c37a3d38..20ca62f19 100644
--- a/rules/windows/driver_load/driver_load_vuln_drivers.yml
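Review bot: Two of the new names look like transcription errors and would never match a real load: `'\krpocesshacker.sys'` (Process Hacker's kernel driver ships as `kprocesshacker.sys`, if that is what is intended) and `'\Mslo64.sys'`, which uses a lowercase L where the pre-existing `'\MsIo32.sys'` entry three lines above uses a capital I — Sigma's case-insensitive matching does not rescue an `l`/`I` swap. Suggest `- '\kprocesshacker.sys'` and `- '\MsIo64.sys'` after confirming both spellings against the referenced thread. `'\driver.sys'` is too generic to serve as a name indicator and will match unrelated third-party drivers; it is reworked later in this series, so I will not repeat that point there.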
+++ b/rules/windows/driver_load/driver_load_vuln_drivers.yml @@ -12,8 +12,15 @@ references: - https://github.com/namazso/physmem_drivers - https://github.com/stong/CVE-2020-15368 - https://github.com/CaledoniaProject/drivers-binaries + - https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html + - https://github.com/tandasat/ExploitCapcom + - https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/ATSZIO.md + - https://github.com/Chigusa0w0/AsusDriversPrivEscala/blob/master/DRIVER7.md + - https://www.unknowncheats.me/forum/downloads.php?do=file&id=21780 + - https://www.rapid7.com/db/modules/exploit/windows/local/razer_zwopenprocess/ + - https://www.unknowncheats.me/forum/downloads.php?do=file&id=25444 date: 2022/08/18 -modified: 2022/10/03 +modified: 2022/10/10 logsource: product: windows category: driver_load @@ -261,6 +268,18 @@ detection: - 'SHA1=5fb9421be8a8b08ec395d05e00fd45eb753b593a' - 'SHA1=b480c54391a2a2f917a44f91a5e9e4590648b332' - 'SHA1=4f7a8e26a97980544be634b26899afbefb0a833c' + # https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html + - 'SHA1=c1d5cf8c43e7679b782630e93f5e6420ca1749a7' + - 'SHA1=a7e9a4686aa7291331e2c8708882c8d81d05264f' + - 'SHA1=7ba19a701c8af76988006d616a5f77484c13cb0a' + - 'SHA1=4243dbbf6e5719d723f24d0f862afd0fcb40bc35' + - 'SHA1=00b4e8b7644d1bf93f5ddb5740b444b445e81b02' + - 'SHA1=fd833f3fe2fa396878033b9e6054725248bf9881' + - 'SHA1=db446af0e34259e95f4db112a9f06177e1eef4e0' + - 'SHA1=39d7b121bc654a0de891225e0f8b7b5537c24931' + - 'SHA1=d0a228ed8af190dec0c1a812e212f5e68ee3b43e' + - 'SHA1=7d2fc1a6729521e5c76f659e4c398e2061f7ed5e' + - 'SHA1=f999709e5b00a68a0f4fa912619fe6548ad0c42d' # The list below is from https://github.com/namazso/physmem_drivers - 'SHA256=05F052C64D192CF69A462A5EC16DDA0D43CA5D0245900C9FCB9201685A2E7748' - 'SHA256=4045AE77859B1DBF13972451972EAAF6F3C97BEA423E9E78F1C2F14330CD47CA' 
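Review bot: None of the eleven `SHA1=` values appended to the `Hashes|contains` list says which driver it belongs to, whereas the parallel `selection_other` SHA1 list later in this patch annotates at least `#ATSZIO.sys`; because every hash in this rule has to be maintained in two places (the Sysmon `Hashes` string form and the split `SHA1`/`SHA256` field form), a per-line driver name is what lets a maintainer check that the two lists stay in sync. Suggest annotating each entry in the style `- 'SHA1=a7e9a4686aa7291331e2c8708882c8d81d05264f' # ATSZIO.sys`, taken from the same megathread the comment cites. The two `downloads.php?do=file&id=...` references are direct binary downloads from a cheat forum rather than write-ups; if they are kept, a note of what was fetched and its hash would make the reference reproducible once the files disappear.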
@@ -499,6 +518,18 @@ detection: - 'SHA256=000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b' - 'SHA256=0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05' - 'SHA256=a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433' + # https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html + - 'SHA256=da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24' + - 'SHA256=9c2977d63faa340b03e1bbfb8a6db19c0adfa60ff6579b888ece10022c94c3ec' + - 'SHA256=771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd' + - 'SHA256=927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a' + - 'SHA256=42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0' + - 'SHA256=e6db8a1c9d82d18b948c7135439fdeaa9bc02ea97509e3534de65e5481489220' + - 'SHA256=1062211314088012edb9fe65780e35e7b3144ac45021269fc993ef2931c8584b' + - 'SHA256=029dbf6d8dc920a32b3c7a2057513d3741b20b7f6e7aa23b113859a8049214df' + - 'SHA256=1d053020079124ac526d84affb17bf4a1563ecd872c83b4b6299c9aa6a732557' + - 'SHA256=c059f1b2b73ecab48d62f469d48dbde74a80c4ada07f0bd3b417ec4e044fb522' + - 'SHA256=a66d2fb7ef7350ea74d4290c57fb62bc59c6ea93f759d4ca93c3febca7aeb512' selection_other: - SHA1: # The list below is from https://github.com/namazso/physmem_drivers and the SHA1 are from VT 
@@ -742,6 +773,18 @@ detection: - '5fb9421be8a8b08ec395d05e00fd45eb753b593a' - 'b480c54391a2a2f917a44f91a5e9e4590648b332' - '4f7a8e26a97980544be634b26899afbefb0a833c' + # https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html + - 'c1d5cf8c43e7679b782630e93f5e6420ca1749a7' + - 'a7e9a4686aa7291331e2c8708882c8d81d05264f' #ATSZIO.sys + - '7ba19a701c8af76988006d616a5f77484c13cb0a' + - '4243dbbf6e5719d723f24d0f862afd0fcb40bc35' + - '00b4e8b7644d1bf93f5ddb5740b444b445e81b02' + - 'fd833f3fe2fa396878033b9e6054725248bf9881' + - 'db446af0e34259e95f4db112a9f06177e1eef4e0' + - '39d7b121bc654a0de891225e0f8b7b5537c24931' + - 'd0a228ed8af190dec0c1a812e212f5e68ee3b43e' + - '7d2fc1a6729521e5c76f659e4c398e2061f7ed5e' + - 'f999709e5b00a68a0f4fa912619fe6548ad0c42d' - SHA256: # The list below is from https://github.com/namazso/physmem_drivers - '04A85E359525D662338CAE86C1E59B1D7AA9BD12B920E8067503723DC1E03162' 
@@ -990,6 +1033,18 @@ detection: - '000547560fea0dd4b477eb28bf781ea67bf83c748945ce8923f90fdd14eb7a4b' - '0af5ccb3d33a9ba92071c9637be6254030d61998733a5eb3583e865e17844e05' - 'a13054f349b7baa8c8a3fcbd31789807a493cc52224bbff5e412eb2bd52a6433' + # https://www.unknowncheats.me/forum/anti-cheat-bypass/334557-vulnerable-driver-megathread.html + - 'da6ca1fb539f825ca0f012ed6976baf57ef9c70143b7a1e88b4650bf7a925e24' + - '9c2977d63faa340b03e1bbfb8a6db19c0adfa60ff6579b888ece10022c94c3ec' #ATSZIO.sys + - '771a8d05f1af6214e0ef0886662be500ee910ab99f0154227067fddcfe08a3dd' #Driver7 + - '927c2a580d51a598177fa54c65e9d2610f5f212f1b6cb2fbf2740b64368f010a' + - '42851a01469ba97cdc38939b10cf9ea13237aa1f6c37b1ac84904c5a12a81fa0' + - 'e6db8a1c9d82d18b948c7135439fdeaa9bc02ea97509e3534de65e5481489220' + - '1062211314088012edb9fe65780e35e7b3144ac45021269fc993ef2931c8584b' + - '029dbf6d8dc920a32b3c7a2057513d3741b20b7f6e7aa23b113859a8049214df' + - '1d053020079124ac526d84affb17bf4a1563ecd872c83b4b6299c9aa6a732557' + - 'c059f1b2b73ecab48d62f469d48dbde74a80c4ada07f0bd3b417ec4e044fb522' + - 'a66d2fb7ef7350ea74d4290c57fb62bc59c6ea93f759d4ca93c3febca7aeb512' condition: 1 of selection* falsepositives: - Unknown diff --git a/rules/windows/driver_load/driver_load_vuln_drivers_names.yml b/rules/windows/driver_load/driver_load_vuln_drivers_names.yml index 0d6aa0c5a..fa3fb3f26 100644 --- a/rules/windows/driver_load/driver_load_vuln_drivers_names.yml +++ b/rules/windows/driver_load/driver_load_vuln_drivers_names.yml @@ -15,6 +15,9 @@ references: - https://github.com/namazso/physmem_drivers - https://github.com/stong/CVE-2020-15368 - https://github.com/CaledoniaProject/drivers-binaries + - https://github.com/Chigusa0w0/AsusDriversPrivEscala + - https://www.welivesecurity.com/2022/01/11/signed-kernel-drivers-unguarded-gateway-windows-core/ + - https://eclypsium.com/2019/11/12/mother-of-all-drivers/ date: 2022/10/03 modified: 2022/10/10 tags: 
@@ -168,13 +171,36 @@ detection:
 - '\pgldqpoc.sys'
 - '\iqvw64e.sys'
 - '\Monitor_win10_x64.sys'
- - '\driver.sys'
+ - '\srvnetbus.sys'
 - '\Mslo64.sys'
 - '\pcdsrvc_x64.pkms'
 - '\krpocesshacker.sys'
- - '\HWiNFO64A.sys'
+ - '\HWiNFO64A.sys' # version <= 8.98, CVE-2018-8061
 - '\rzpnk.sys'
 - '\magdrvamd64.sys'
+ # https://github.com/Chigusa0w0/AsusDriversPrivEscala
+ - '\driver7-x64.sys'
+ - '\driver7-x86-withoutdbg.sys'
+ - '\driver7-x86.sys'
+ # Other
+ - '\gmer.sys'
+ - '\PCADRVX64.sys'
+ # WinRing0 other names from VT (https://eclypsium.com/2019/11/12/mother-of-all-drivers/)
+ - '\ActiveHealth.sys'
+ - '\CAM_V3.sys'
+ - '\GameFire.sys'
+ - '\OpenHardwareMonitor.sys'
+ - '\OpenHardwareMonitorLib.sys'
+ - '\OpenHardwareMonitorReport.sys'
+ - '\SmartDashboard.sys'
+ - '\SystemGauge.sys'
+ - '\SystemGaugeX7.sys'
+ - '\VideoNovaServerControllerService.sys'
+ - '\ellp_service.sys'
+ - '\hardwareproviders.sys'
+ - '\ohm.sys'
+ - '\sensorsview32_64.sys'
+ - '\touchpointanalyticsclient.sys'
 condition: selection
 falsepositives:
 - Some false positives may occure if one of the vulnerable driver names mentioned above didn't change it's name between versions. So always make sure that the driver being loaded is the legitimate one and the non vulnerable version.
From b2c012146ea63b3af25e23388eb5dfbad51be479 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 10 Oct 2022 17:21:17 +0200
Subject: [PATCH 6/8] rules: pchunter, process hacker
---
 .../proc_creation_win_susp_pchunter.yml | 47 ++++++++++++++++++
 .../proc_creation_win_susp_process_hacker.yml | 48 +++++++++++++++++++
 2 files changed, 95 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_susp_pchunter.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_pchunter.yml b/rules/windows/process_creation/proc_creation_win_susp_pchunter.yml
new file mode 100644
index 000000000..72290f0d1
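Review bot: The `# Other` heading above `\gmer.sys` and `\PCADRVX64.sys` records no provenance, while the two neighbouring blocks each cite their source, so a later reviewer cannot tell why these two names are treated as vulnerable or which versions are affected; replace it with the source, e.g. `# <advisory or repository URL>`, and where known a version bound in the style of the `# version <= 8.98, CVE-2018-8061` annotation on the HWiNFO line. The WinRing0 alias block also deserves one sentence noting that several of these names (OpenHardwareMonitor*, CAM_V3, SystemGauge*) look like filenames under which the driver ships inside hardware-monitoring products, so a pure name match will presumably fire on every load by a legitimately installed copy. The rule's falsepositives text (a context line here) gestures at that, but nothing in this block tells the analyst which entries are the noisy ones.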
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_pchunter.yml
@@ -0,0 +1,47 @@
+title: PCHunter Usage
+id: fca949cc-79ca-446e-8064-01aa7e52ece5
+description: Detects suspicious use of PCHunter, a tool like Process Hacker to view and manipulate processes, kernel options and other low level stuff
+status: experimental
+references:
+ - http://www.xuetr.com/
+ - https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/
+author: Florian Roth
+date: 2022/10/10
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_image:
+ Image|endswith:
+ - '\PCHunter64.exe'
+ - '\PCHunter32.exe'
+ selection_pe:
+ - OriginalFileName: 'PCHunter.exe'
+ - Description: 'Epoolsoft Windows Information View Tools'
+ selection_hashes:
+ - Hashes|contains:
+ - 'SHA1=5F1CBC3D99558307BC1250D084FA968521482025'
+ - 'MD5=987B65CD9B9F4E9A1AFD8F8B48CF64A7'
+ - 'SHA256=2B214BDDAAB130C274DE6204AF6DBA5AEEC7433DA99AA950022FA306421A6D32'
+ - 'IMPHASH=444D210CEA1FF8112F256A4997EED7FF'
+ - 'SHA1=3FB89787CB97D902780DA080545584D97FB1C2EB'
+ - 'MD5=228DD0C2E6287547E26FFBD973A40F14'
+ - 'SHA256=55F041BF4E78E9BFA6D4EE68BE40E496CE3A1353E1CA4306598589E19802522C'
+ - 'IMPHASH=0479F44DF47CFA2EF1CCC4416A538663'
+ selection_hash_values:
+ - md5:
+ - '228dd0c2e6287547e26ffbd973a40f14'
+ - '987b65cd9b9f4e9a1afd8f8b48cf64a7'
+ - sha1:
+ - '5f1cbc3d99558307bc1250d084fa968521482025'
+ - '3fb89787cb97d902780da080545584d97fb1c2eb'
+ - sha256:
+ - '2b214bddaab130c274de6204af6dba5aeec7433da99aa950022fa306421a6d32'
+ - '55f041bf4e78e9bfa6d4ee68be40e496ce3a1353e1ca4306598589e19802522c'
+ - imphash:
+ - '444d210cea1ff8112f256a4997eed7ff'
+ - '0479f44df47cfa2ef1ccc4416a538663'
+ condition: 1 of selection*
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml b/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml
new file mode 100644
index 000000000..1d545d897
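Review bot: The new rule has no `tags:` section, although the PCHunter rule it supersedes (deleted in the last commit of this series) carried `- attack.defense_evasion`; dropping the ATT&CK mapping loses the only machine-readable context the old rule had, so I'd add `tags:` with `- attack.defense_evasion` here. The description's "other low level stuff" reads as informal for a rule description; `... processes, kernel options and other low-level system internals` says the same thing. `falsepositives: - Unlikely` also disagrees with the sibling Process Hacker rule, which admits developer and administrator use for a functionally similar tool. The missing `tags:` section applies to the Process Hacker file below as well.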
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml
@@ -0,0 +1,48 @@
+title: Process Hacker Usage
+id: 811e0002-b13b-4a15-9d00-a613fce66e42
+description: Detects suspicious use of Process Hacker, a tool to view and manipulate processes, kernel options and other low level stuff
+status: experimental
+references:
+ - https://processhacker.sourceforge.io/
+ - https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/
+author: Florian Roth
+date: 2022/10/10
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_image:
+ Image|contains: '\ProcessHacker_'
+ selection_pe:
+ - OriginalFileName:
+ - 'ProcessHacker.exe'
+ - 'Process Hacker'
+ - Description: 'Process Hacker'
+ - Product: 'Process Hacker'
+ selection_hashes:
+ - Hashes|contains:
+ - 'MD5=68F9B52895F4D34E74112F3129B3B00D'
+ - 'SHA1=C5E2018BF7C0F314FED4FD7FE7E69FA2E648359E'
+ - 'SHA256=D4A0FE56316A2C45B9BA9AC1005363309A3EDC7ACF9E4DF64D326A0FF273E80F'
+ - 'IMPHASH=04DE0AD9C37EB7BD52043D2ECAC958DF'
+ - 'MD5=B365AF317AE730A67C936F21432B9C71'
+ - 'SHA1=A0BDFAC3CE1880B32FF9B696458327CE352E3B1D'
+ - 'SHA256=BD2C2CF0631D881ED382817AFCCE2B093F4E412FFB170A719E2762F250ABFEA4'
+ - 'IMPHASH=3695333C60DEDECDCAFF1590409AA462'
+ selection_hash_values:
+ - md5:
+ - '68f9b52895f4d34e74112f3129b3b00d'
+ - 'b365af317ae730a67c936f21432b9c71'
+ - sha1:
+ - 'c5e2018bf7c0f314fed4fd7fe7e69fa2e648359e'
+ - 'a0bdfac3ce1880b32ff9b696458327ce352e3b1d'
+ - sha256:
+ - 'd4a0fe56316a2c45b9ba9ac1005363309a3edc7acf9e4df64d326a0ff273e80f'
+ - 'bd2c2cf0631d881ed382817afcce2b093f4e412ffb170a719e2762f250abfea4'
+ - imphash:
+ - '04de0ad9c37eb7bd52043d2ecac958df'
+ - '3695333c60dedecdcaff1590409aa462'
+ condition: 1 of selection*
+falsepositives:
+ - Sometimes used by developers or system administrators for debugging purposes
+level: high
From bf28e42f01980bea0b5d90eb22b2a0201aba379a Mon Sep 17 00:00:00 2001
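Review bot: `Image|contains: '\ProcessHacker_'` does not match the canonical executable name, which the rule's own `OriginalFileName: 'ProcessHacker.exe'` value shows has no underscore, so a plain copy of `ProcessHacker.exe` is only caught if the PE-metadata or hash selections fire. If the underscore is deliberate (for example to match versioned build names), a comment saying so would stop the next maintainer from "fixing" it; otherwise `Image|endswith: '\ProcessHacker.exe'` next to the existing pattern would close the gap. Like the PCHunter rule above, this file has no `tags:` section.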
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 10 Oct 2022 17:33:14 +0200
Subject: [PATCH 7/8] Fix FP Found In Testing
---
 .../image_load_in_memory_powershell.yml | 6 +-
 .../image_load_susp_dbghelp_dbgcore_load.yml | 114 +++++++++--------
 ...reated_alternate_powershell_hosts_pipe.yml | 6 +-
 .../posh_pm_alternate_powershell_hosts.yml | 10 +-
 .../proc_creation_win_susp_conhost.yml | 2 +-
 ...proc_creation_win_susp_winrm_execution.yml | 1 -
 6 files changed, 74 insertions(+), 65 deletions(-)
diff --git a/rules/windows/image_load/image_load_in_memory_powershell.yml b/rules/windows/image_load/image_load_in_memory_powershell.yml
index 554148efc..2eed58f5a 100755
--- a/rules/windows/image_load/image_load_in_memory_powershell.yml
+++ b/rules/windows/image_load/image_load_in_memory_powershell.yml
@@ -7,7 +7,7 @@ status: experimental
 description: Detects loading of essential DLL used by PowerShell, but not by the process powershell.exe. Detects meterpreter's "load powershell" extension.
 author: Tom Kern, oscd.community, Natalia Shornikova, Tim Shelton
 date: 2019/11/14
-modified: 2022/04/21
+modified: 2022/10/10
 references:
 - https://adsecurity.org/?p=2921
 - https://github.com/p3nt4/PowerShdll
@@ -23,7 +23,9 @@ detection:
 - '\System.Management.Automation.Dll'
 - '\System.Management.Automation.ni.Dll'
 filter:
- - Image: 'C:\Windows\System32\dsac.exe'
+ - Image:
+ - 'C:\Windows\System32\dsac.exe'
+ - 'C:\Program Files\PowerShell\7\pwsh.exe' #PowerShell 7
 - Image|endswith:
 - '\powershell.exe'
 - '\powershell_ise.exe'
diff --git a/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml b/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml
index 36d307d82..2ff0422cc 100755
--- a/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml
+++ b/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml
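Review bot: The pwsh.exe exclusion in the second hunk is an exact-path `Image` match on `C:\Program Files\PowerShell\7\pwsh.exe`, so preview builds (which install under their own directory), per-user installs and installs on another drive keep firing, while the same filter already trusts `\powershell.exe` by suffix; that asymmetry may be intended, since an exact path is harder to satisfy than a filename, but the comment should say so, e.g. `# PowerShell 7 - default system-wide install path only; other locations are deliberately not excluded`, with a space after `#` as yamllint expects. The same exact-path entry and comment style appear in the pipe_created hunk later in this commit.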
@@ -4,68 +4,68 @@ status: test
 description: Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.
 author: Perez Diego (@darkquassar), oscd.community, Ecco
 references:
- - https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump
- - https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html
- - https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
+ - https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump
+ - https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html
+ - https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6
 date: 2019/10/27
 modified: 2022/09/15
 logsource:
- category: image_load
- product: windows
+ category: image_load
+ product: windows
 detection:
- signedprocess:
- ImageLoaded|endswith:
- - '\dbghelp.dll'
- - '\dbgcore.dll'
- Image|endswith:
- - '\msbuild.exe'
- - '\cmd.exe'
- # - '\svchost.exe' triggered by installing common software
- - '\rundll32.exe'
- # - '\powershell.exe' triggered by installing common software
- - '\word.exe'
- - '\excel.exe'
- - '\powerpnt.exe'
- - '\outlook.exe'
- - '\monitoringhost.exe'
- - '\wmic.exe'
- # - '\msiexec.exe' an installer installing a program using one of those DLL will raise an alert
- - '\bash.exe'
- - '\wscript.exe'
- - '\cscript.exe'
- - '\mshta.exe'
- # - '\regsvr32.exe' triggered by installing common software
- # - '\schtasks.exe' triggered by installing software
- - '\dnx.exe'
- - '\regsvcs.exe'
- - '\sc.exe'
- - '\scriptrunner.exe'
- unsignedprocess:
- ImageLoaded|endswith:
- - '\dbghelp.dll'
- - '\dbgcore.dll'
- Signed: 'FALSE'
- filter1:
- - Image|contains: 'Visual Studio'
- - CommandLine|contains:
- - '-k LocalSystemNetworkRestricted'
- - '-k UnistackSvcGroup -s WpnUserService'
- filter2: # Not available in Sysmon, but in Aurora
- CommandLine:
- - 'C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv'
- - 'C:\Windows\System32\svchost.exe -k WerSvcGroup'
- filter3:
- CommandLine|startswith: 'C:\WINDOWS\winsxs\'
- CommandLine|endswith: '\TiWorker.exe -Embedding'
- condition: (signedprocess or unsignedprocess) and not 1 of filter*
+ signedprocess:
+ ImageLoaded|endswith:
+ - '\dbghelp.dll'
+ - '\dbgcore.dll'
+ Image|endswith:
+ - '\msbuild.exe'
+ - '\cmd.exe'
+ # - '\svchost.exe' triggered by installing common software
+ - '\rundll32.exe'
+ # - '\powershell.exe' triggered by installing common software
+ - '\word.exe'
+ - '\excel.exe'
+ - '\powerpnt.exe'
+ - '\outlook.exe'
+ - '\monitoringhost.exe'
+ - '\wmic.exe'
+ # - '\msiexec.exe' an installer installing a program using one of those DLL will raise an alert
+ - '\bash.exe'
+ - '\wscript.exe'
+ - '\cscript.exe'
+ - '\mshta.exe'
+ # - '\regsvr32.exe' triggered by installing common software
+ # - '\schtasks.exe' triggered by installing software
+ - '\dnx.exe'
+ - '\regsvcs.exe'
+ - '\sc.exe'
+ - '\scriptrunner.exe'
+ unsignedprocess:
+ ImageLoaded|endswith:
+ - '\dbghelp.dll'
+ - '\dbgcore.dll'
+ Signed: 'FALSE'
+ filter1:
+ - Image|contains: 'Visual Studio'
+ - CommandLine|contains:
+ - '-k LocalSystemNetworkRestricted'
+ - '-k UnistackSvcGroup -s WpnUserService'
+ filter2: # Not available in Sysmon, but in Aurora
+ CommandLine:
+ - 'C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv'
+ - 'C:\Windows\System32\svchost.exe -k WerSvcGroup'
+ filter3:
+ CommandLine|startswith: 'C:\WINDOWS\winsxs\'
+ CommandLine|endswith: '\TiWorker.exe -Embedding'
+ condition: (signedprocess or unsignedprocess) and not 1 of filter*
 fields:
- - ComputerName
- - User
- - Image
- - ImageLoaded
+ - ComputerName
+ - User
+ - Image
+ - ImageLoaded
 falsepositives:
- - Unknown
+ - Unknown
 level: high
 tags:
- - attack.credential_access
- - attack.t1003.001
+ - attack.credential_access
+ - attack.t1003.001
diff --git a/rules/windows/pipe_created/pipe_created_alternate_powershell_hosts_pipe.yml b/rules/windows/pipe_created/pipe_created_alternate_powershell_hosts_pipe.yml
index 7e0b89a94..2cf89d293 100644
--- a/rules/windows/pipe_created/pipe_created_alternate_powershell_hosts_pipe.yml
+++ b/rules/windows/pipe_created/pipe_created_alternate_powershell_hosts_pipe.yml
@@ -6,7 +6,7 @@ author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton
 references:
 - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html
 date: 2019/09/12
-modified: 2022/04/21
+modified: 2022/10/10
 logsource:
 product: windows
 category: pipe_created
@@ -36,7 +36,9 @@ detection:
 - 'C:\Program Files\Citrix\'
 - 'C:\Program Files\Microsoft\Exchange Server\'
 filter5:
- Image: 'C:\Windows\system32\ServerManager.exe'
+ Image:
+ - 'C:\Windows\system32\ServerManager.exe'
+ - 'C:\Program Files\PowerShell\7\pwsh.exe' # Powershell 7
 condition: selection and not 1 of filter*
 fields:
 - ComputerName
diff --git a/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml
index 2ec92afbf..fa4bfe828 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml
@@ -3,7 +3,7 @@ id: 64e8e417-c19a-475a-8d19-98ea705394cc
 description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe
 status: test
 date: 2019/08/11
-modified: 2022/10/05
+modified: 2022/10/10
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
 - https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html
@@ -18,7 +18,13 @@ detection:
 selection:
 ContextInfo|contains: '*'
 filter:
- ContextInfo|contains: 'powershell.exe' # Host Application=...powershell.exe or Application hote=...powershell.exe in French Win10 event
+ # This filter covers the following use cases
+ # - When powershell is called directly from commandline via keyword powershell or powershell.exe
+ # - Or called via path but not with full "".exe". Example: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell
+ ContextInfo|contains:
+ - '= powershell' # Host Application=...powershell.exe or Application hote=...powershell.exe in French Win10 event
+ - '= C:\Windows\System32\WindowsPowerShell\v1.0\powershell'
+ - '= C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell'
 filter_citrix:
 ContextInfo|contains: 'ConfigSyncRun.exe'
 filter_adace: # Active Directory Administrative Center Enhancements
diff --git a/rules/windows/process_creation/proc_creation_win_susp_conhost.yml b/rules/windows/process_creation/proc_creation_win_susp_conhost.yml
index c04f74a1d..c0aa4efb4 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_conhost.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_conhost.yml
@@ -18,7 +18,7 @@ detection:
 ParentImage|endswith: '\conhost.exe'
 filter_provider:
 Provider_Name: 'SystemTraceProvider-Process' # FPs with Aurora
- # Note that some of these git events occure because of a sppofed parent image
+ # Note that some of these git events occure because of a spoofed parent image
 filter_git:
 # Example FP:
 # ParentCommandLine: "C:\Program Files\Git\cmd\git.exe" show --textconv :path/to/file
diff --git a/rules/windows/process_creation/proc_creation_win_susp_winrm_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_winrm_execution.yml
index 7cba36749..b54b22876 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_winrm_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_winrm_execution.yml
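Review bot: `'= powershell'` is a substring test on whatever follows the `=`, so it excludes not only `powershell.exe` but every host whose recorded path merely begins with `powershell`, `powershell_ise.exe` included, which is wider than both the old `'powershell.exe'` value and the two cases the new three-line comment describes; if that widening is accepted, the comment should state it, and if not, the first value needs to be narrowed to the exact forms the comment lists. The comment's `"".exe"` looks like a stray doubled quote; `".exe"` reads as intended. Spelling the prefix in the comment as `# - when PowerShell is started ...` with a space after `#` keeps yamllint's comments rule satisfied on all three lines.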
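Review bot: The corrected comment line in the conhost hunk still misspells `occure`, so the typo fix is only half done; `# Note that some of these git events occur because of a spoofed parent image` covers both words. The `filter_git:` block it introduces continues outside the hunk.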
@@ -23,7 +23,6 @@ detection:
 condition: all of selection*
 falsepositives:
 - Legitimate use for administartive purposes. Unlikely
-
 level: medium
 tags:
 - attack.defense_evasion
From 0df87d76f2c73af42d1792d6e94d5d5aab958c34 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 10 Oct 2022 22:49:34 +0200
Subject: [PATCH 8/8] fix: duplicate, list with one entry
---
 .../proc_creation_win_pchunter_execution.yml | 24 -------------------
 .../proc_creation_win_susp_pchunter.yml | 5 ++--
 .../proc_creation_win_susp_process_hacker.yml | 2 +-
 3 files changed, 4 insertions(+), 27 deletions(-)
 delete mode 100644 rules/windows/process_creation/proc_creation_win_pchunter_execution.yml
diff --git a/rules/windows/process_creation/proc_creation_win_pchunter_execution.yml b/rules/windows/process_creation/proc_creation_win_pchunter_execution.yml
deleted file mode 100644
index a95004187..000000000
--- a/rules/windows/process_creation/proc_creation_win_pchunter_execution.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-title: PCHunter Execution
-id: df5daa7b-c2d5-4a4d-972b-5f85febe56bc
-status: experimental
-description: Detects the execution PCHunter based on image and Original File Name fields.
-references:
- - http://www.xuetr.com/
- - https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/
-author: Nasreddine Bencherchali
-date: 2022/10/05
-tags:
- - attack.defense_evasion
-logsource:
- category: process_creation
- product: windows
-detection:
- selection:
- - Image|endswith:
- - '\PCHunter32.exe'
- - '\PCHunter64.exe'
- - OriginalFileName: 'PCHunter.exe'
- condition: selection
-falsepositives:
- - Unlikely
-level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_pchunter.yml b/rules/windows/process_creation/proc_creation_win_susp_pchunter.yml
index 72290f0d1..d233a8713 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_pchunter.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_pchunter.yml
@@ -5,7 +5,8 @@ status: experimental
 references:
 - http://www.xuetr.com/
 - https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/
-author: Florian Roth
+ - https://www.hexacorn.com/blog/2018/04/20/kernel-hacking-tool-you-might-have-never-heard-of-xuetr-pchunter/
+author: Florian Roth, Nasreddine Bencherchali
 date: 2022/10/10
 logsource:
 category: process_creation
@@ -19,7 +20,7 @@ detection:
 - OriginalFileName: 'PCHunter.exe'
 - Description: 'Epoolsoft Windows Information View Tools'
 selection_hashes:
- - Hashes|contains:
+ Hashes|contains:
 - 'SHA1=5F1CBC3D99558307BC1250D084FA968521482025'
 - 'MD5=987B65CD9B9F4E9A1AFD8F8B48CF64A7'
 - 'SHA256=2B214BDDAAB130C274DE6204AF6DBA5AEEC7433DA99AA950022FA306421A6D32'
diff --git a/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml b/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml
index 1d545d897..b54f27a17 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml
@@ -20,7 +20,7 @@ detection:
 - Description: 'Process Hacker'
 - Product: 'Process Hacker'
 selection_hashes:
- - Hashes|contains:
+ Hashes|contains:
 - 'MD5=68F9B52895F4D34E74112F3129B3B00D'
 - 'SHA1=C5E2018BF7C0F314FED4FD7FE7E69FA2E648359E'
 - 'SHA256=D4A0FE56316A2C45B9BA9AC1005363309A3EDC7ACF9E4DF64D326A0FF273E80F'
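Review bot: The first hunk moves the references and co-author of the deleted `proc_creation_win_pchunter_execution.yml` into this rule, but the retired rule id `df5daa7b-c2d5-4a4d-972b-5f85febe56bc` is recorded nowhere, so consumers who had the old id deployed lose the link to its replacement; if the repository uses Sigma's `related:` field, adding `related:` with `- id: df5daa7b-c2d5-4a4d-972b-5f85febe56bc` and `type: obsoletes` keeps that lineage. The `tags:` entry of the deleted rule (`attack.defense_evasion`) is also not carried over, which the deleting commit would be the natural place to do.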