diff --git a/rules/windows/file_event/file_event_susp_exchange_aspx_write.yml b/rules/windows/file_event/file_event_susp_exchange_aspx_write.yml
new file mode 100644
index 000000000..82ed285c9
--- /dev/null
+++ b/rules/windows/file_event/file_event_susp_exchange_aspx_write.yml
@@ -0,0 +1,26 @@
+title: Suspicious MSExchangeMailboxReplication ASPX Write
+id: 7280c9f3-a5af-45d0-916a-bc01cb4151c9
+status: experimental
+description: Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation
+references:
+ - https://redcanary.com/blog/blackbyte-ransomware/
+author: Florian Roth
+date: 2022/02/25
+tags:
+ - attack.initial_access
+ - attack.t1190
+ - attack.persistence
+ - attack.t1505.003
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ Image|endswith: '\MSExchangeMailboxReplication.exe'
+ TargetFilename|endswith:
+ - '.aspx'
+ - '.asp'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_mal_hermetic_wiper_activity.yml b/rules/windows/process_creation/proc_creation_win_mal_hermetic_wiper_activity.yml
new file mode 100644
index 000000000..053380a11
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_mal_hermetic_wiper_activity.yml
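Review bot: The description says the process writes `.asp and .apsx files`, while the selection matches `.aspx`; the typo should be corrected to `.aspx` so the documentation agrees with the logic. `TargetFilename|endswith` lists only two extensions, and other ASP.NET handler extensions that IIS executes (`.ashx`, `.asmx`) dropped by the same process in the same scenario would be missed; adding them as further values of the same list is low-cost if the author's data supports it. With `falsepositives` at `Unknown`, a one-line note on what this process legitimately writes would help whoever tunes the rule.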
@@ -0,0 +1,27 @@
+title: Hermetic Wiper TG Process Patterns
+id: 2f974656-6d83-4059-bbdf-68ac5403422f
+status: experimental
+description: This rule detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022
+author: Florian Roth
+references:
+ - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia
+date: 2022/02/25
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ Image|endswith:
+ - '\policydefinitions\postgresql.exe'
+ selection2:
+ - CommandLine|contains:
+ - 'CSIDL_SYSTEM_DRIVE\temp\sys.tmp'
+ - ' 1> \\127.0.0.1\ADMIN$\__16'
+ - CommandLine|contains|all:
+ - 'powershell -c '
+ - '\comsvcs.dll MiniDump '
+ - '\winupd.log full'
+ condition: 1 of selection*
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_public_folder_parent.yml b/rules/windows/process_creation/proc_creation_win_public_folder_parent.yml
new file mode 100644
index 000000000..eda2ef47b
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_public_folder_parent.yml
@@ -0,0 +1,31 @@
+title: Parent in Public Folder Suspicious Process
+id: 69bd9b97-2be2-41b6-9816-fb08757a4d1a
+status: experimental
+description: This rule detects suspicious processes with parent images located in the C:\Users\Public folder
+author: Florian Roth
+references:
+ - https://redcanary.com/blog/blackbyte-ransomware/
+date: 2022/02/25
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage|startswith: 'C:\Users\Public\'
+ CommandLine|contains:
+ - 'powershell'
+ - 'cmd.exe /c '
+ - 'cmd /c '
+ - 'wscript.exe'
+ - 'cscript.exe'
+ - 'bitsadmin'
+ - 'certutil'
+ - 'mshta.exe'
+ condition: selection
+fields:
+ - ComputerName
+ - User
+ - CommandLine
+falsepositives:
+ - Unknown
+level: high
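Review bot: The new rule has no `tags` block, unlike the Exchange and ScreenConnect rules added in the same commit, so it will carry no ATT&CK mapping in exports. Suggest adding `tags:` with `- attack.impact` and `- attack.t1485` for the wiper context, plus `- attack.t1003.001` for the `\comsvcs.dll MiniDump` pattern in selection2, if the author agrees with that mapping. The `TG` abbreviation in the title is not explained anywhere in the rule; spelling it out in the description, or dropping it from the title, would make the rule easier to find.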
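Review bot: `ParentImage|startswith: 'C:\Users\Public\'` pins the detection to the `C:` drive, whereas the filter this commit adds to proc_creation_win_run_executable_invalid_extension.yml uses the drive-agnostic `':\Windows\...'` form; the same hard-coded drive appears in selection1 of proc_creation_win_ransom_blackbyte.yml. Changing it to `ParentImage|contains: ':\Users\Public\'` keeps the intent and covers profiles on other volumes. The bare `'powershell'` value in `CommandLine|contains` matches any argument containing that word, not just the interpreter; if that breadth is intentional, a short `# broad on purpose: the Public-folder parent is the anchor` comment above it would spare the next reader the question.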
diff --git a/rules/windows/process_creation/proc_creation_win_ransom_blackbyte.yml b/rules/windows/process_creation/proc_creation_win_ransom_blackbyte.yml
new file mode 100644
index 000000000..0600c2f67
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_ransom_blackbyte.yml
@@ -0,0 +1,29 @@
+title: BlackByte Ransomware Patterns
+id: 999e8307-a775-4d5f-addc-4855632335be
+status: experimental
+description: This command line patterns found in BlackByte Ransomware operations
+author: Florian Roth
+references:
+ - https://redcanary.com/blog/blackbyte-ransomware/
+date: 2022/02/25
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ Image|startswith: 'C:\Users\Public\'
+ CommandLine|contains: ' -single '
+ selection2:
+ CommandLine|contains:
+ - 'del C:\Windows\System32\Taskmgr.exe'
+ - ';Set-Service -StartupType Disabled $'
+ - 'powershell -command "$x =[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('
+ - ' do start wordpad.exe /p '
+ condition: 1 of selection*
+fields:
+ - ComputerName
+ - User
+ - CommandLine
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml b/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml
index 393336942..013a9d11d 100644
--- a/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml
+++ b/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml
@@ -6,7 +6,7 @@ references:
 - https://twitter.com/mrd0x/status/1481630810495139841?s=12
 author: Tim Shelton, Florian Roth
 date: 2022/01/13
-modified: 2022/01/27
+modified: 2022/02/25
 logsource:
 category: process_creation
 product: windows
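Review bot: The description `This command line patterns found in BlackByte Ransomware operations` is not a sentence; suggest `Detects command line patterns found in BlackByte ransomware operations`. The `' do start wordpad.exe /p '` value is much shorter and more generic than the other strings in selection2 and is not bounded by an `Image` condition the way `' -single '` is in selection1, so with `falsepositives` at `Unknown` a comment pointing to the section of the referenced report that shows this pattern would help tuning.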
@@ -21,6 +21,9 @@ detection:
 filter_iexplorer:
 ParentImage|endswith: ':\Program Files\Internet Explorer\iexplore.exe'
 CommandLine|contains: '.cpl'
+ filter_msiexec:
+ ParentImage|endswith: ':\Windows\SysWOW64\msiexec.exe'
+ CommandLine|startswith: 'C:\Windows\syswow64\MsiExec.exe -Embedding'
 condition: selection and not 1 of filter*
 fields:
 - Image
diff --git a/rules/windows/process_creation/proc_creation_win_screenconnect_anomaly.yml b/rules/windows/process_creation/proc_creation_win_screenconnect_anomaly.yml
new file mode 100644
index 000000000..9f84037f1
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_screenconnect_anomaly.yml
@@ -0,0 +1,25 @@
+title: ScreenConnect Backstage Mode Anomaly
+id: 7b582f1a-b318-4c6a-bf4e-66fe49bf55a5
+description: Detects suspicious sub processes started by the ScreenConnect client service, which indicates the use of the so-called Backstage mode
+status: experimental
+references:
+ - https://www.mandiant.com/resources/telegram-malware-iranian-espionage
+ - https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode
+tags:
+ - attack.command_and_control
+ - attack.t1219
+author: Florian Roth
+date: 2022/02/25
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection:
+ ParentImage|endswith: 'ScreenConnect.ClientService.exe'
+ Image|endswith:
+ - '\cmd.exe'
+ - '\powershell.exe'
+ condition: selection
+falsepositives:
+ - Case in which administrators are allowed to use ScreenConnect's Backstage mode
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_flags.yml b/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_flags.yml
new file mode 100644
index 000000000..6cc5e378c
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_flags.yml
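Review bot: The new `filter_msiexec` pairs a drive-agnostic `ParentImage|endswith: ':\Windows\SysWOW64\msiexec.exe'` with a drive-specific `CommandLine|startswith: 'C:\Windows\syswow64\MsiExec.exe -Embedding'`, so on a host where Windows lives on another volume the parent matches but the exclusion silently stops applying. Suggest `CommandLine|contains: ':\Windows\syswow64\MsiExec.exe -Embedding'` so both fields follow the same convention. Only the 32-bit `SysWOW64` server is excluded; whether the 64-bit `System32\msiexec.exe -Embedding` case produces the same false positive is worth checking against the selection, which lies outside this hunk. The enclosing `detection` block starts before the hunk.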
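Review bot: `ParentImage|endswith: 'ScreenConnect.ClientService.exe'` lacks the leading backslash that the `Image|endswith` values `'\cmd.exe'` and `'\powershell.exe'` carry, so any parent whose file name merely ends in that string also matches; suggest `ParentImage|endswith: '\ScreenConnect.ClientService.exe'` for consistency and precision. The rule also has no `fields` list, while the other process_creation rules in this commit expose `ComputerName`, `User` and `CommandLine`; the same block would help an analyst confirm the administrator-use case named in `falsepositives`.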
@@ -0,0 +1,67 @@
+title: CrackMapExec Command Line Flags
+id: 42a993dd-bb3e-48c8-b372-4d6684c4106c
+status: experimental
+description: This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.
+author: Florian Roth
+references:
+ - https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local
+ - https://www.mandiant.com/resources/telegram-malware-iranian-espionage
+ - https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz
+ - https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject
+date: 2022/02/25
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_special:
+ CommandLine|contains:
+ - ' -M pe_inject '
+ selection_execute:
+ CommandLine|contains|all:
+ - ' --local-auth'
+ - ' -u '
+ - ' -x '
+ selection_hash:
+ CommandLine|contains|all:
+ - ' --local-auth'
+ - ' -u '
+ - ' -p '
+ - " -H 'NTHASH'"
+ selection_module_mssql:
+ CommandLine|contains|all:
+ - ' mssql '
+ - ' -u '
+ - ' -p '
+ - ' -M '
+ - ' -d '
+ selection_module_smb1:
+ CommandLine|contains|all:
+ - ' smb '
+ - ' -u '
+ - ' -H '
+ - ' -M '
+ - ' -o '
+ selection_module_smb2:
+ CommandLine|contains|all:
+ - ' smb '
+ - ' -u '
+ - ' -p '
+ - ' --local-auth'
+ part_localauth_1:
+ CommandLine|contains|all:
+ - ' --local-auth'
+ - ' -u '
+ - ' -p '
+ part_localauth_2:
+ CommandLine|contains|all:
+ - ' 10.'
+ - ' 192.168.'
+ - '/24 '
+ condition: 1 of selection* or all of part_localauth*
+fields:
+ - ComputerName
+ - User
+ - CommandLine
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml b/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml
index f1ac530cb..4836faf1c 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml
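Review bot: `part_localauth_2` uses `CommandLine|contains|all` over `' 10.'`, `' 192.168.'` and `'/24 '`, which requires a single command line to contain both a 10.x and a 192.168.x target; these read as alternatives, so `all of part_localauth*` is almost never satisfiable and the modifier was probably meant to be `CommandLine|contains:`. If all three really are required, a comment saying so would keep the next reader from "fixing" it. Separately, `" -H 'NTHASH'"` in selection_hash matches the literal placeholder from the referenced documentation rather than a hash value, which is fine as a cheap indicator but deserves a comment so nobody assumes it covers real hash use. The description also reads `This rule detect`, which should be `This rule detects`.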
@@ -8,20 +8,20 @@ references:
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/
 - https://twitter.com/bryon_/status/975835709587075072
 date: 2020/10/10
-modified: 2021/11/27
+modified: 2022/02/25
 logsource:
 category: process_creation
 product: windows
 detection:
- selection1:
+ selection_1:
 Image|endswith: '\sqlps.exe'
- selection2:
+ selection_2:
 ParentImage|endswith: '\sqlps.exe'
- selection3:
+ selection_3:
 OriginalFileName: '\sqlps.exe'
- reduction:
+ filter:
 ParentImage|endswith: '\sqlagent.exe'
- condition: selection1 or selection2 or selection3 and not reduction
+ condition: 1 of selection_* and not filter
 falsepositives:
 - Direct PS command execution through SQLPS.exe is uncommon, childprocess sqlps.exe spawned by sqlagent.exe is a legitimate action.
 level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_susp_use_of_sqltoolsps_bin.yml b/rules/windows/process_creation/proc_creation_win_susp_use_of_sqltoolsps_bin.yml
index ef0cb72bd..c0e9579cf 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_use_of_sqltoolsps_bin.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_use_of_sqltoolsps_bin.yml
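Review bot: `OriginalFileName: '\sqlps.exe'` in the renamed `selection_3` is an exact match, but as logged by Sysmon that field carries only the file name from the PE version resource, never a path, so a value with a leading backslash cannot match and `selection_3` is dead; the same applies to `OriginalFileName: '\sqltoolsps.exe'` in proc_creation_win_susp_use_of_sqltoolsps_bin.yml. Suggest `OriginalFileName: 'sqlps.exe'` here and `'sqltoolsps.exe'` there. The line is context, so the defect predates this commit, but the new `1 of selection_*` condition now presents it as one of three working alternatives.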
@@ -7,20 +7,20 @@ references:
 - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Sqltoolsps.yml
 - https://twitter.com/pabraeken/status/993298228840992768
 date: 2020/10/13
-modified: 2021/11/27
+modified: 2022/02/25
 logsource:
 category: process_creation
 product: windows
 detection:
- selection1:
+ selection_1:
 Image|endswith: '\sqltoolsps.exe'
- selection2:
+ selection_2:
 ParentImage|endswith: '\sqltoolsps.exe'
- selection3:
+ selection_3:
 OriginalFileName: '\sqltoolsps.exe'
- reduction:
+ filter:
 ParentImage|endswith: '\smss.exe'
- condition: selection1 or selection2 or selection3 and not reduction
+ condition: 1 of selection_* and not filter
 falsepositives:
 - Direct PS command execution through SQLToolsPS.exe is uncommon, childprocess sqltoolsps.exe spawned by smss.exe is a legitimate action.
 level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_susp_wuauclt_cmdline.yml b/rules/windows/process_creation/proc_creation_win_susp_wuauclt_cmdline.yml
new file mode 100644
index 000000000..9b89cc9c4
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_wuauclt_cmdline.yml
@@ -0,0 +1,19 @@
+title: Suspicious Windows Update Agent Empty Cmdline
+id: 52d097e2-063e-4c9c-8fbb-855c8948d135
+status: experimental
+description: Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags
+author: Florian Roth
+references:
+ - https://redcanary.com/blog/blackbyte-ransomware/
+date: 2022/02/26
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\Wuauclt.exe'
+ CommandLine|endswith: '\Wuauclt.exe'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
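Review bot: `CommandLine|endswith: '\Wuauclt.exe'` misses the quoted form of the same flag-less launch, where the command line ends with a double quote rather than `.exe`. Suggest turning the value into a list, `CommandLine|endswith:` with `- '\Wuauclt.exe'` and `- '\Wuauclt.exe"'`. The `date` is `2022/02/26` while every other rule in this commit uses `2022/02/25`; worth aligning if that was unintended.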