From 3d609cfdf37aa45039c0be354c802f11d468071f Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 25 Feb 2022 10:31:58 +0100
Subject: [PATCH 01/10] rule: ScreenConnect anomaly https://www.mandiant.com/resources/telegram-malware-iranian-espionage
---
 ...roc_creation_win_screenconnect_anomaly.yml | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_screenconnect_anomaly.yml
diff --git a/rules/windows/process_creation/proc_creation_win_screenconnect_anomaly.yml b/rules/windows/process_creation/proc_creation_win_screenconnect_anomaly.yml
new file mode 100644
index 000000000..9f84037f1
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_screenconnect_anomaly.yml
@@ -0,0 +1,25 @@
+title: ScreenConnect Backstage Mode Anomaly
+id: 7b582f1a-b318-4c6a-bf4e-66fe49bf55a5
+description: Detects suspicious sub processes started by the ScreenConnect client service, which indicates the use of the so-called Backstage mode
+status: experimental
+references:
+ - https://www.mandiant.com/resources/telegram-malware-iranian-espionage
+ - https://docs.connectwise.com/ConnectWise_Control_Documentation/Get_started/Host_client/View_menu/Backstage_mode
+tags:
+ - attack.command_and_control
+ - attack.t1219
+author: Florian Roth
+date: 2022/02/25
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection:
+ ParentImage|endswith: 'ScreenConnect.ClientService.exe'
+ Image|endswith:
+ - '\cmd.exe'
+ - '\powershell.exe'
+ condition: selection
+falsepositives:
+ - Case in which administrators are allowed to use ScreenConnect's Backstage mode
+level: high
From b0b675b004b3663d18991cd55d22ba306d08f850 Mon Sep 17 00:00:00 2001 
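Review bot: `ParentImage|endswith: 'ScreenConnect.ClientService.exe'` lacks the leading path separator that the two `Image|endswith` values carry, so it also matches any parent whose file name merely ends in that string rather than the exact binary. Writing it as `ParentImage|endswith: '\ScreenConnect.ClientService.exe'` pins the file name and keeps the selection internally consistent. The `Image|endswith` list covers only cmd.exe and powershell.exe while the description speaks of "sub processes" in general; if the referenced Backstage documentation shows other shells being launched, the description should say the coverage is limited to these two.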
From: Florian Roth
Date: Fri, 25 Feb 2022 11:39:19 +0100
Subject: [PATCH 02/10] rule: CrackMapExec flags rule
---
 ...c_creation_win_susp_crackmapexec_flags.yml | 67 +++++++++++++++++++
 1 file changed, 67 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_susp_crackmapexec_flags.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_flags.yml b/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_flags.yml
new file mode 100644
index 000000000..6cc5e378c
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_flags.yml 
@@ -0,0 +1,67 @@
+title: CrackMapExec Command Line Flags
+id: 42a993dd-bb3e-48c8-b372-4d6684c4106c
+status: experimental
+description: This rule detect common flag combinations used by CrackMapExec in order to detect its use even if the binary has been replaced.
+author: Florian Roth
+references:
+ - https://mpgn.gitbook.io/crackmapexec/smb-protocol/authentication/checking-credentials-local
+ - https://www.mandiant.com/resources/telegram-malware-iranian-espionage
+ - https://www.infosecmatter.com/crackmapexec-module-library/?cmem=mssql-mimikatz
+ - https://www.infosecmatter.com/crackmapexec-module-library/?cmem=smb-pe_inject
+date: 2022/02/25
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_special:
+ CommandLine|contains:
+ - ' -M pe_inject '
+ selection_execute:
+ CommandLine|contains|all:
+ - ' --local-auth'
+ - ' -u '
+ - ' -x '
+ selection_hash:
+ CommandLine|contains|all:
+ - ' --local-auth'
+ - ' -u '
+ - ' -p '
+ - " -H 'NTHASH'"
+ selection_module_mssql:
+ CommandLine|contains|all:
+ - ' mssql '
+ - ' -u '
+ - ' -p '
+ - ' -M '
+ - ' -d '
+ selection_module_smb1:
+ CommandLine|contains|all:
+ - ' smb '
+ - ' -u '
+ - ' -H '
+ - ' -M '
+ - ' -o '
+ selection_module_smb2:
+ CommandLine|contains|all:
+ - ' smb '
+ - ' -u '
+ - ' -p '
+ - ' --local-auth'
+ part_localauth_1:
+ CommandLine|contains|all:
+ - ' --local-auth'
+ - ' -u '
+ - ' -p '
+ part_localauth_2:
+ CommandLine|contains|all:
+ - ' 10.'
+ - ' 192.168.'
+ - '/24 '
+ condition: 1 of selection* or all of part_localauth*
+fields:
+ - ComputerName
+ - User
+ - CommandLine
+falsepositives:
+ - Unknown
+level: high
From 7baf0144216fda349deacddf0b68199b80f6aab5 Mon Sep 17 00:00:00 2001 
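Review bot: `part_localauth_2` applies `contains|all` to `' 10.'`, `' 192.168.'` and `'/24 '`, so it only holds when one command line names both a 10.x and a 192.168.x address, which makes `all of part_localauth*` almost never true; the two address prefixes read as alternatives and belong in a plain `contains` list, with the CIDR suffix kept as its own part. In `selection_hash`, `" -H 'NTHASH'"` is the literal placeholder from the referenced documentation rather than a value an operator would type, and pairing it with `' -p '` requires a password and a hash in the same invocation, so that selection is unlikely to ever match; `' -H '` on its own, as `selection_module_smb1` already uses, is the realistic form. The description reads `This rule detect`; `This rule detects` is the intended wording.
```yaml
    part_localauth_2:
        CommandLine|contains:
            - ' 10.'
            - ' 192.168.'
    part_localauth_3:
        CommandLine|contains: '/24 '
    condition: 1 of selection* or all of part_localauth*
```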
From: Florian Roth
Date: Fri, 25 Feb 2022 15:24:36 +0100
Subject: [PATCH 03/10] rule: BlackByte ransomware
---
 .../proc_creation_win_ransom_blackbyte.yml | 29 +++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_ransom_blackbyte.yml
diff --git a/rules/windows/process_creation/proc_creation_win_ransom_blackbyte.yml b/rules/windows/process_creation/proc_creation_win_ransom_blackbyte.yml
new file mode 100644
index 000000000..63dd62cc8
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_ransom_blackbyte.yml
@@ -0,0 +1,29 @@
+title: BlackByte Ransomware Patterns
+id: 999e8307-a775-4d5f-addc-4855632335be
+status: experimental
+description: This command line patterns found in BlackByte Ransomware operations
+author: Florian Roth
+references:
+ - https://redcanary.com/blog/blackbyte-ransomware/
+date: 2022/02/25
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ Image|startswith: 'C:\Users\Public\'
+ CommandLine|endswith: ' -single'
+ selection2:
+ CommandLine|contains:
+ - 'del C:\Windows\System32\Taskmgr.exe'
+ - ';Set-Service -StartupType Disabled $'
+ - 'powershell -command "$x =[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('
+ - ' do start wordpad.exe /p '
+ condition: 1 of selection*
+fields:
+ - ComputerName
+ - User
+ - CommandLine
+falsepositives:
+ - Unknown
+level: high
From 775279423d3675c583c6ca9fad494f599697e248 Mon Sep 17 00:00:00 2001
From: frack113
Date: Fri, 25 Feb 2022 15:39:26 +0100
Subject: [PATCH 04/10] Fix detection
---
 .../proc_creation_win_susp_use_of_sqlps_bin.yml | 12 ++++++------
 .../proc_creation_win_susp_use_of_sqltoolsps_bin.yml | 12 ++++++------
 2 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml b/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml
index f1ac530cb..4836faf1c 100644 
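Review bot: The `description` value `This command line patterns found in BlackByte Ransomware operations` has no verb and does not say what the rule does; `This rule detects command line patterns found in BlackByte Ransomware operations` is the intended sentence. The `selection2` strings reproduce the exact spacing and quoting of the referenced Red Canary write-up (for example `$x =[System.Text.Encoding]`), so minor formatting variations of the same commands would not match; that is acceptable for a campaign-specific rule, but a sentence in the description saying the patterns are taken verbatim from the report would stop a later maintainer from reading them as generic indicators.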
--- a/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_use_of_sqlps_bin.yml
@@ -8,20 +8,20 @@ references:
 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/
 - https://twitter.com/bryon_/status/975835709587075072
 date: 2020/10/10
-modified: 2021/11/27
+modified: 2022/02/25
 logsource:
 category: process_creation
 product: windows
 detection:
- selection1:
+ selection_1:
 Image|endswith: '\sqlps.exe'
- selection2:
+ selection_2:
 ParentImage|endswith: '\sqlps.exe'
- selection3:
+ selection_3:
 OriginalFileName: '\sqlps.exe'
- reduction:
+ filter:
 ParentImage|endswith: '\sqlagent.exe'
- condition: selection1 or selection2 or selection3 and not reduction
+ condition: 1 of selection_* and not filter
 falsepositives:
 - Direct PS command execution through SQLPS.exe is uncommon, childprocess sqlps.exe spawned by sqlagent.exe is a legitimate action.
 level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_susp_use_of_sqltoolsps_bin.yml b/rules/windows/process_creation/proc_creation_win_susp_use_of_sqltoolsps_bin.yml
index ef0cb72bd..c0e9579cf 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_use_of_sqltoolsps_bin.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_use_of_sqltoolsps_bin.yml 
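Review bot: `selection_3` keeps `OriginalFileName: '\sqlps.exe'` with a leading backslash, but `OriginalFileName` is normally the bare file name taken from the PE version resource, so this value is unlikely to ever match and the renamed selection contributes nothing to `1 of selection_*`; `OriginalFileName: 'sqlps.exe'` is the form that can match. The same applies to `OriginalFileName: '\sqltoolsps.exe'` in the sqltoolsps hunk that follows. The new condition also applies `filter` to all three selections, whereas the old `selection1 or selection2 or selection3 and not reduction` only excluded `selection3` because `and` binds tighter than `or`; that looks like the intended fix, but it changes what the rule suppresses and deserves a sentence in the commit message.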
@@ -7,20 +7,20 @@ references:
 - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Sqltoolsps.yml
 - https://twitter.com/pabraeken/status/993298228840992768
 date: 2020/10/13
-modified: 2021/11/27
+modified: 2022/02/25
 logsource:
 category: process_creation
 product: windows
 detection:
- selection1:
+ selection_1:
 Image|endswith: '\sqltoolsps.exe'
- selection2:
+ selection_2:
 ParentImage|endswith: '\sqltoolsps.exe'
- selection3:
+ selection_3:
 OriginalFileName: '\sqltoolsps.exe'
- reduction:
+ filter:
 ParentImage|endswith: '\smss.exe'
- condition: selection1 or selection2 or selection3 and not reduction
+ condition: 1 of selection_* and not filter
 falsepositives:
 - Direct PS command execution through SQLToolsPS.exe is uncommon, childprocess sqltoolsps.exe spawned by smss.exe is a legitimate action.
 level: medium
From d6d206d6d634bf84698561bcd472cde017b171e4 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 25 Feb 2022 16:02:42 +0100
Subject: [PATCH 05/10] rules: BlackByte rule update, and some generic rules
---
 .../file_event_susp_exchange_aspx_write.yml | 26 ++++++++++++++++
 ...proc_creation_win_public_folder_parent.yml | 31 +++++++++++++++++++
 .../proc_creation_win_ransom_blackbyte.yml | 2 +-
 ...proc_creation_win_susp_wuauclt_cmdline.yml | 19 ++++++++++++
 4 files changed, 77 insertions(+), 1 deletion(-)
 create mode 100644 rules/windows/file_event/file_event_susp_exchange_aspx_write.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_public_folder_parent.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_susp_wuauclt_cmdline.yml
diff --git a/rules/windows/file_event/file_event_susp_exchange_aspx_write.yml b/rules/windows/file_event/file_event_susp_exchange_aspx_write.yml
new file mode 100644
index 000000000..82ed285c9
--- /dev/null
+++ b/rules/windows/file_event/file_event_susp_exchange_aspx_write.yml 
@@ -0,0 +1,26 @@
+title: Suspicious MSExchangeMailboxReplication ASPX Write
+id: 7280c9f3-a5af-45d0-916a-bc01cb4151c9
+status: experimental
+description: Detects suspicious activity in which the MSExchangeMailboxReplication process writes .asp and .apsx files to disk, which could be a sign of ProxyShell exploitation
+references:
+ - https://redcanary.com/blog/blackbyte-ransomware/
+author: Florian Roth
+date: 2022/02/25
+tags:
+ - attack.initial_access
+ - attack.t1190
+ - attack.persistence
+ - attack.t1505.003
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ Image|endswith: '\MSExchangeMailboxReplication.exe'
+ TargetFilename|endswith:
+ - '.aspx'
+ - '.asp'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_public_folder_parent.yml b/rules/windows/process_creation/proc_creation_win_public_folder_parent.yml
new file mode 100644
index 000000000..1034e0b6a
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_public_folder_parent.yml
@@ -0,0 +1,31 @@
+title: Parent in Public Folder Suspicious Process
+id: 69bd9b97-2be2-41b6-9816-fb08757a4d1a
+status: experimental
+description: This suspicious processes with parent images located in the C:\Users\Public folder
+author: Florian Roth
+references:
+ - https://redcanary.com/blog/blackbyte-ransomware/
+date: 2022/02/25
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage|startswith: 'C:\Users\Public\'
+ CommandLine|contains:
+ - 'powershell'
+ - 'cmd.exe /c '
+ - 'cmd /c '
+ - 'wscript.exe'
+ - 'cscript.exe'
+ - 'bitsadmin'
+ - 'certutil'
+ - 'mshta.exe'
+ condition: selection
+fields:
+ - ComputerName
+ - User
+ - CommandLine
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_ransom_blackbyte.yml b/rules/windows/process_creation/proc_creation_win_ransom_blackbyte.yml
index 63dd62cc8..0600c2f67 100644 
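Review bot: The `description` says the process writes `.asp and .apsx files`, while the selection matches `'.aspx'` and `'.asp'`, so `.apsx` is a typo for `.aspx`. The `falsepositives` entry is `Unknown`; if the referenced write-up or the author's own telemetry shows benign `.asp`/`.aspx` writes by this process, naming them here would make the `high` level easier to justify.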
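Review bot: `ParentImage|startswith: 'C:\Users\Public\'` hard-codes the system drive, unlike the `':\Windows\...'` style used by `filter_msiexec` later in this series, so hosts whose profile directory lives on another drive are not covered; `ParentImage|contains: ':\Users\Public\'` keeps the intent without the drive letter. The same hard-coded prefix appears as `Image|startswith: 'C:\Users\Public\'` in `proc_creation_win_ransom_blackbyte.yml`. The `'powershell'`, `'bitsadmin'` and `'certutil'` entries have no `.exe` or delimiter anchor, so a command line that only mentions those words in an argument also matches; given the parent-in-Public anchor that is probably acceptable, but a short comment stating that the substrings are deliberately loose would save a reviewer the question.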
--- a/rules/windows/process_creation/proc_creation_win_ransom_blackbyte.yml
+++ b/rules/windows/process_creation/proc_creation_win_ransom_blackbyte.yml
@@ -12,7 +12,7 @@ logsource:
 detection:
 selection1:
 Image|startswith: 'C:\Users\Public\'
- CommandLine|endswith: ' -single'
+ CommandLine|contains: ' -single '
 selection2:
 CommandLine|contains:
 - 'del C:\Windows\System32\Taskmgr.exe'
diff --git a/rules/windows/process_creation/proc_creation_win_susp_wuauclt_cmdline.yml b/rules/windows/process_creation/proc_creation_win_susp_wuauclt_cmdline.yml
new file mode 100644
index 000000000..9b89cc9c4
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_wuauclt_cmdline.yml
@@ -0,0 +1,19 @@
+title: Suspicious Windows Update Agent Empty Cmdline
+id: 52d097e2-063e-4c9c-8fbb-855c8948d135
+status: experimental
+description: Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags
+author: Florian Roth
+references:
+ - https://redcanary.com/blog/blackbyte-ransomware/
+date: 2022/02/26
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\Wuauclt.exe'
+ CommandLine|endswith: '\Wuauclt.exe'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
From 9d06c3cfe7b0e8b3293ec09f691f95d3641abeae Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Fri, 25 Feb 2022 16:17:01 +0000
Subject: [PATCH 06/10] Filters false positive from msiexec.exe
---
 .../proc_creation_win_run_executable_invalid_extension.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml b/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml
index 393336942..00cb41176 100644
--- a/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml 
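Review bot: Replacing `CommandLine|endswith: ' -single'` with `CommandLine|contains: ' -single '` drops the case the original covered, a command line whose last argument is `-single` with nothing after it, because `contains` now requires a trailing space. Expressing `selection1` as a list of two maps keeps the old coverage alongside the new one; `1 of selection*` in the condition is unaffected. The enclosing `detection` block continues outside the hunk.
```yaml
    selection1:
        - Image|startswith: 'C:\Users\Public\'
          CommandLine|contains: ' -single '
        - Image|startswith: 'C:\Users\Public\'
          CommandLine|endswith: ' -single'
    # … unchanged: selection2 …
```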
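Review bot: `CommandLine|endswith: '\Wuauclt.exe'` does not match when the image path is quoted, since such a command line ends with `"` rather than `.exe`, so a flag-less invocation logged in quoted form is missed although the description promises to catch any wuauclt.exe start without flags. Adding `'\Wuauclt.exe"'` as a second `endswith` value (`CommandLine|endswith:` with both strings listed) covers that form. The `date` field is `2022/02/26` while the commit and every other rule in this series is dated `2022/02/25`, which looks like a typo.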
+++ b/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml
@@ -6,7 +6,7 @@ references:
 - https://twitter.com/mrd0x/status/1481630810495139841?s=12
 author: Tim Shelton, Florian Roth
 date: 2022/01/13
-modified: 2022/01/27
+modified: 2022/02/25
 logsource:
 category: process_creation
 product: windows
@@ -21,6 +21,9 @@ detection:
 filter_iexplorer:
 ParentImage|endswith: ':\Program Files\Internet Explorer\iexplore.exe'
 CommandLine|contains: '.cpl'
+ filter_msiexec:
+ ParentImage|endswith: ':\Windows\SysWOW64\msiexec.exe'
+ CommandLine|beginswith: 'C:\Windows\syswow64\MsiExec.exe -Embedding'
 condition: selection and not 1 of filter*
 fields:
 - Image
From eec5b1458cd978c6fd7b94b20a3f60c3dc4598ec Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 25 Feb 2022 17:29:16 +0100
Subject: [PATCH 07/10] docs: wording change
---
 .../process_creation/proc_creation_win_public_folder_parent.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_public_folder_parent.yml b/rules/windows/process_creation/proc_creation_win_public_folder_parent.yml
index 1034e0b6a..eda2ef47b 100644
--- a/rules/windows/process_creation/proc_creation_win_public_folder_parent.yml
+++ b/rules/windows/process_creation/proc_creation_win_public_folder_parent.yml
@@ -1,7 +1,7 @@
 title: Parent in Public Folder Suspicious Process
 id: 69bd9b97-2be2-41b6-9816-fb08757a4d1a
 status: experimental
-description: This suspicious processes with parent images located in the C:\Users\Public folder
+description: This rule detects suspicious processes with parent images located in the C:\Users\Public folder
 author: Florian Roth
 references:
 - https://redcanary.com/blog/blackbyte-ransomware/
From 744813ff8772fd5e2c062c05ff2137de92349d42 Mon Sep 17 00:00:00 2001 
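Review bot: In `filter_msiexec`, `ParentImage|endswith: ':\Windows\SysWOW64\msiexec.exe'` is written drive-letter agnostic but `CommandLine|beginswith: 'C:\Windows\syswow64\MsiExec.exe -Embedding'` hard-codes `C:`, so the false-positive filter only takes effect on hosts with a `C:` system drive while the selection it reduces fires everywhere; `CommandLine|contains: ':\Windows\syswow64\MsiExec.exe -Embedding'` would match in both cases. The `beginswith` modifier is replaced with `startswith` in PATCH 10/10 of this series, so no separate change is needed for it here. The `detection` block that holds the `selection` this filter narrows starts outside the hunk.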
From: Florian Roth
Date: Fri, 25 Feb 2022 17:29:32 +0100
Subject: [PATCH 08/10] rule: Hermetic Wiper group activity
---
 ...eation_win_mal_hermetic_wiper_activity.yml | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_mal_hermetic_wiper_activity.yml
diff --git a/rules/windows/process_creation/proc_creation_win_mal_hermetic_wiper_activity.yml b/rules/windows/process_creation/proc_creation_win_mal_hermetic_wiper_activity.yml
new file mode 100644
index 000000000..053380a11
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_mal_hermetic_wiper_activity.yml
@@ -0,0 +1,27 @@
+title: Hermetic Wiper TG Process Patterns
+id: 2f974656-6d83-4059-bbdf-68ac5403422f
+status: experimental
+description: This rule detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022
+author: Florian Roth
+references:
+ - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia
+date: 2022/02/25
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ Image|endswith:
+ - '\policydefinitions\postgresql.exe'
+ selection2:
+ - CommandLine|contains:
+ - 'CSIDL_SYSTEM_DRIVE\temp\sys.tmp'
+ - ' 1> \\127.0.0.1\ADMIN$\__16'
+ - CommandLine|contains|all:
+ - 'powershell -c '
+ - '\comsvcs.dll MiniDump '
+ - '\winupd.log full'
+ condition: 1 of selection*
+falsepositives:
+ - Unknown
+level: high
From f6caaf795ae79004a0117180e65f828f2002f795 Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Fri, 25 Feb 2022 16:32:33 +0000
Subject: [PATCH 09/10] oof, misspelled detection type
---
 .../proc_creation_win_run_executable_invalid_extension.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-) 
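Review bot: `'CSIDL_SYSTEM_DRIVE\temp\sys.tmp'` in `selection2` appears to be the path-normalisation placeholder used in the referenced Symantec write-up rather than text a Windows process-creation event would carry, so this entry is unlikely to ever match a real command line; `':\temp\sys.tmp'` is the form the log would contain. In `' 1> \\127.0.0.1\ADMIN$\__16'`, note that Sigma treats `\\` before a non-wildcard character as a single literal backslash, so the UNC prefix may reach the backend as `\127.0.0.1` — confirm against the Sigma specification and escape it as `\\\\127.0.0.1` if two literal backslashes are intended. The `tags` section present in the other new rules of this series is missing here; adding the relevant `attack.*` tags would keep the rule set consistent.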
diff --git a/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml b/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml
index 00cb41176..5d459eb26 100644
--- a/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml
+++ b/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml
@@ -23,7 +23,7 @@ detection:
 CommandLine|contains: '.cpl'
 filter_msiexec:
 ParentImage|endswith: ':\Windows\SysWOW64\msiexec.exe'
- CommandLine|beginswith: 'C:\Windows\syswow64\MsiExec.exe -Embedding'
+ CommandLine|beginwith: 'C:\Windows\syswow64\MsiExec.exe -Embedding'
 condition: selection and not 1 of filter*
 fields:
 - Image
From 6d29b4c4a5b2961c18c6ed02f73192f29d1e1aa3 Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Fri, 25 Feb 2022 16:34:32 +0000
Subject: [PATCH 10/10] oof, misspelled detection type 2
---
 .../proc_creation_win_run_executable_invalid_extension.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml b/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml
index 5d459eb26..013a9d11d 100644
--- a/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml
+++ b/rules/windows/process_creation/proc_creation_win_run_executable_invalid_extension.yml
@@ -23,7 +23,7 @@ detection:
 CommandLine|contains: '.cpl'
 filter_msiexec:
 ParentImage|endswith: ':\Windows\SysWOW64\msiexec.exe'
- CommandLine|beginwith: 'C:\Windows\syswow64\MsiExec.exe -Embedding'
+ CommandLine|startswith: 'C:\Windows\syswow64\MsiExec.exe -Embedding'
 condition: selection and not 1 of filter*
 fields:
 - Image