Merge branch 'master' into rule-devel

This commit is contained in:
Florian Roth
2022-08-26 22:49:54 +02:00
66 changed files with 1001 additions and 646 deletions
@@ -1,24 +1,25 @@
title: Azure Application Gateway Modified or Deleted
id: ad87d14e-7599-4633-ba81-aeb60cfe8cd6
description: Identifies when a application gateway is modified or deleted.
author: Austin Songer
status: experimental
date: 2021/08/16
description: Identifies when a application gateway is modified or deleted.
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
author: Austin Songer
date: 2021/08/16
modified: 2022/08/23
logsource:
product: azure
service: activitylogs
detection:
selection:
properties.message:
- MICROSOFT.NETWORK/APPLICATIONGATEWAYS/WRITE
- MICROSOFT.NETWORK/APPLICATIONGATEWAYS/DELETE
condition: selection
level: medium
tags:
- attack.impact
selection:
operationName:
- MICROSOFT.NETWORK/APPLICATIONGATEWAYS/WRITE
- MICROSOFT.NETWORK/APPLICATIONGATEWAYS/DELETE
condition: selection
falsepositives:
- Application gateway being modified or deleted may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Application gateway modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
- Application gateway being modified or deleted may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Application gateway modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
tags:
- attack.impact
level: medium
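Review bot: the description line carried into the new field order still reads `description: Identifies when a application gateway is modified or deleted.`; since this hunk already rewrites that line, fix the article to "an application gateway". The substantive change in the detection block is the selection field moving from `properties.message` to `operationName`, which correctly justifies the added `modified: 2022/08/23`; please confirm that the azure/activitylogs field mapping in every backend you target resolves `operationName`, because after this rename a missing mapping makes the rule stop matching without any error.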
@@ -1,24 +1,25 @@
title: Azure Application Security Group Modified or Deleted
id: 835747f1-9329-40b5-9cc3-97d465754ce6
description: Identifies when a application security group is modified or deleted.
author: Austin Songer
status: experimental
date: 2021/08/16
description: Identifies when a application security group is modified or deleted.
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
author: Austin Songer
date: 2021/08/16
modified: 2022/08/23
logsource:
product: azure
service: activitylogs
detection:
selection:
properties.message:
- MICROSOFT.NETWORK/APPLICATIONSECURITYGROUPS/WRITE
- MICROSOFT.NETWORK/APPLICATIONSECURITYGROUPS/DELETE
condition: selection
level: medium
tags:
- attack.impact
selection:
operationName:
- MICROSOFT.NETWORK/APPLICATIONSECURITYGROUPS/WRITE
- MICROSOFT.NETWORK/APPLICATIONSECURITYGROUPS/DELETE
condition: selection
falsepositives:
- Application security group being modified or deleted may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Application security group modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
- Application security group being modified or deleted may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Application security group modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
tags:
- attack.impact
level: medium
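Review bot: same grammar slip as in the application gateway rule, `description: Identifies when a application security group is modified or deleted.` should read "an application security group", and this is the right hunk to fix it since the line is being moved anyway. The `properties.message` to `operationName` rename is consistent with the rest of the series; keep the two `MICROSOFT.NETWORK/APPLICATIONSECURITYGROUPS/...` values as they are, Sigma string matching is case-insensitive so the upper-case spelling still matches the mixed-case operation names the activity log emits.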
@@ -1,27 +1,28 @@
title: Azure Container Registry Created or Deleted
id: 93e0ef48-37c8-49ed-a02c-038aab23628e
description: Detects when a Container Registry is created or deleted.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/07
description: Detects when a Container Registry is created or deleted.
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
- https://attack.mitre.org/matrices/enterprise/cloud/
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
- https://attack.mitre.org/matrices/enterprise/cloud/
author: Austin Songer @austinsonger
date: 2021/08/07
modified: 2022/08/23
logsource:
product: azure
service: activitylogs
detection:
selection:
properties.message:
- MICROSOFT.CONTAINERREGISTRY/REGISTRIES/WRITE
- MICROSOFT.CONTAINERREGISTRY/REGISTRIES/DELETE
condition: selection
level: low
tags:
- attack.impact
selection:
operationName:
- MICROSOFT.CONTAINERREGISTRY/REGISTRIES/WRITE
- MICROSOFT.CONTAINERREGISTRY/REGISTRIES/DELETE
condition: selection
falsepositives:
- Container Registry being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Container Registry created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
- Container Registry being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Container Registry created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
tags:
- attack.impact
level: low
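Review bot: the reference `https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes` is anchored on the Microsoft.Kubernetes section, but the operations matched in this hunk (`MICROSOFT.CONTAINERREGISTRY/REGISTRIES/WRITE` and `.../DELETE`) belong to the Microsoft.ContainerRegistry provider; point the link at that provider's section of the same page. Also, `REGISTRIES/WRITE` fires on updates as well as creation, so the title "Created or Deleted" understates the scope; either mention modification in the description and falsepositives or narrow the intent in the title.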
@@ -1,24 +1,25 @@
title: Azure DNS Zone Modified or Deleted
id: af6925b0-8826-47f1-9324-337507a0babd
description: Identifies when DNS zone is modified or deleted.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/08
description: Identifies when DNS zone is modified or deleted.
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
author: Austin Songer @austinsonger
date: 2021/08/08
modified: 2022/08/23
logsource:
product: azure
service: activitylogs
detection:
selection:
properties.message|startswith: MICROSOFT.NETWORK/DNSZONES
properties.message|endswith:
- /WRITE
- /DELETE
condition: selection
level: medium
tags:
- attack.impact
selection:
operationName|startswith: MICROSOFT.NETWORK/DNSZONES
operationName|endswith:
- /WRITE
- /DELETE
condition: selection
falsepositives:
- DNS zone modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- DNS zone modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
- DNS zone modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- DNS zone modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
tags:
- attack.impact
level: medium
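Review bot: the pair `operationName|startswith: MICROSOFT.NETWORK/DNSZONES` with `operationName|endswith: /WRITE` or `/DELETE` matches every write and delete beneath the zone, including record-set operations under child resource types, not only the zone object itself. If that is intended (record changes are what matter when watching for DNS takeover), state it in the description and falsepositives; if not, anchor the match on the zone-level operations only. Minor points in the same hunk: "Identifies when DNS zone" should read "a DNS zone", and the `#microsoftkubernetes` reference anchor is the wrong provider section for a Microsoft.Network operation.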
@@ -1,23 +1,24 @@
title: Azure Firewall Modified or Deleted
id: 512cf937-ea9b-4332-939c-4c2c94baadcd
description: Identifies when a firewall is created, modified, or deleted.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/08
description: Identifies when a firewall is created, modified, or deleted.
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
author: Austin Songer @austinsonger
date: 2021/08/08
modified: 2022/08/23
logsource:
product: azure
service: activitylogs
detection:
selection:
properties.message:
- MICROSOFT.NETWORK/AZUREFIREWALLS/WRITE
- MICROSOFT.NETWORK/AZUREFIREWALLS/DELETE
condition: selection
level: medium
tags:
- attack.impact
selection:
operationName:
- MICROSOFT.NETWORK/AZUREFIREWALLS/WRITE
- MICROSOFT.NETWORK/AZUREFIREWALLS/DELETE
condition: selection
falsepositives:
- Firewall being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Firewall modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
- Firewall being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Firewall modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
tags:
- attack.impact
level: medium
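Review bot: the description says "created, modified, or deleted" while the title says "Modified or Deleted"; since `MICROSOFT.NETWORK/AZUREFIREWALLS/WRITE` fires on both create and update, align the two so an analyst reading the title knows a newly created firewall triggers this rule as well. The falsepositives entries should also mention infrastructure-as-code pipelines and service principals, which in most tenants generate far more of these writes than interactive administrators do.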
@@ -1,27 +1,28 @@
title: Azure Firewall Rule Collection Modified or Deleted
id: 025c9fe7-db72-49f9-af0d-31341dd7dd57
description: Identifies when Rule Collections (Application, NAT, and Network) is being modified or deleted.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/08
description: Identifies when Rule Collections (Application, NAT, and Network) is being modified or deleted.
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
author: Austin Songer @austinsonger
date: 2021/08/08
modified: 2022/08/23
logsource:
product: azure
service: activitylogs
detection:
selection:
properties.message:
- MICROSOFT.NETWORK/AZUREFIREWALLS/APPLICATIONRULECOLLECTIONS/WRITE
- MICROSOFT.NETWORK/AZUREFIREWALLS/APPLICATIONRULECOLLECTIONS/DELETE
- MICROSOFT.NETWORK/AZUREFIREWALLS/NATRULECOLLECTIONS/WRITE
- MICROSOFT.NETWORK/AZUREFIREWALLS/NATRULECOLLECTIONS/DELETE
- MICROSOFT.NETWORK/AZUREFIREWALLS/NETWORKRULECOLLECTIONS/WRITE
- MICROSOFT.NETWORK/AZUREFIREWALLS/NETWORKRULECOLLECTIONS/DELETE
condition: selection
level: medium
tags:
- attack.impact
selection:
operationName:
- MICROSOFT.NETWORK/AZUREFIREWALLS/APPLICATIONRULECOLLECTIONS/WRITE
- MICROSOFT.NETWORK/AZUREFIREWALLS/APPLICATIONRULECOLLECTIONS/DELETE
- MICROSOFT.NETWORK/AZUREFIREWALLS/NATRULECOLLECTIONS/WRITE
- MICROSOFT.NETWORK/AZUREFIREWALLS/NATRULECOLLECTIONS/DELETE
- MICROSOFT.NETWORK/AZUREFIREWALLS/NETWORKRULECOLLECTIONS/WRITE
- MICROSOFT.NETWORK/AZUREFIREWALLS/NETWORKRULECOLLECTIONS/DELETE
condition: selection
falsepositives:
- Rule Collections (Application, NAT, and Network) being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Rule Collections (Application, NAT, and Network) modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
- Rule Collections (Application, NAT, and Network) being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Rule Collections (Application, NAT, and Network) modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
tags:
- attack.impact
level: medium
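Review bot: `description: Identifies when Rule Collections (Application, NAT, and Network) is being modified or deleted.` has a number agreement error, "Rule Collections ... are being modified or deleted". On substance, each of the six `.../RULECOLLECTIONS/WRITE` and `/DELETE` values fires on every rule edit in the collection, so in environments that manage firewall rules through automation this rule will be noisy; the falsepositives list only names a system administrator and should call out automated deployments explicitly, or the rule should document how to exempt the deploying identity.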
@@ -1,34 +1,35 @@
title: Azure Keyvault Key Modified or Deleted
id: 80eeab92-0979-4152-942d-96749e11df40
description: Identifies when a Keyvault Key is modified or deleted in Azure.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/16
description: Identifies when a Keyvault Key is modified or deleted in Azure.
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
author: Austin Songer @austinsonger
date: 2021/08/16
modified: 2022/08/23
logsource:
product: azure
service: activitylogs
detection:
selection:
properties.message:
- MICROSOFT.KEYVAULT/VAULTS/KEYS/UPDATE/ACTION
- MICROSOFT.KEYVAULT/VAULTS/KEYS/CREATE
- MICROSOFT.KEYVAULT/VAULTS/KEYS/CREATE/ACTION
- MICROSOFT.KEYVAULT/VAULTS/KEYS/IMPORT/ACTION
- MICROSOFT.KEYVAULT/VAULTS/KEYS/RECOVER/ACTION
- MICROSOFT.KEYVAULT/VAULTS/KEYS/RESTORE/ACTION
- MICROSOFT.KEYVAULT/VAULTS/KEYS/DELETE
- MICROSOFT.KEYVAULT/VAULTS/KEYS/BACKUP/ACTION
- MICROSOFT.KEYVAULT/VAULTS/KEYS/PURGE/ACTION
condition: selection
level: medium
tags:
- attack.impact
- attack.credential_access
- attack.t1552
- attack.t1552.001
selection:
operationName:
- MICROSOFT.KEYVAULT/VAULTS/KEYS/UPDATE/ACTION
- MICROSOFT.KEYVAULT/VAULTS/KEYS/CREATE
- MICROSOFT.KEYVAULT/VAULTS/KEYS/CREATE/ACTION
- MICROSOFT.KEYVAULT/VAULTS/KEYS/IMPORT/ACTION
- MICROSOFT.KEYVAULT/VAULTS/KEYS/RECOVER/ACTION
- MICROSOFT.KEYVAULT/VAULTS/KEYS/RESTORE/ACTION
- MICROSOFT.KEYVAULT/VAULTS/KEYS/DELETE
- MICROSOFT.KEYVAULT/VAULTS/KEYS/BACKUP/ACTION
- MICROSOFT.KEYVAULT/VAULTS/KEYS/PURGE/ACTION
condition: selection
falsepositives:
- Key being modified or deleted may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Key modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
- Key being modified or deleted may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Key modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
tags:
- attack.impact
- attack.credential_access
- attack.t1552
- attack.t1552.001
level: medium
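Review bot: the description "Identifies when a Keyvault Key is modified or deleted in Azure." is narrower than the operations listed in the hunk, which also include `MICROSOFT.KEYVAULT/VAULTS/KEYS/CREATE`, `.../IMPORT/ACTION` and `.../BACKUP/ACTION`. The backup action in particular produces a protected copy of key material and is the one most relevant to the `attack.credential_access` tag, so the description should enumerate the covered actions rather than summarise them as modify or delete; otherwise an analyst triaging a backup event will not understand why a "modified or deleted" rule fired.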
@@ -1,29 +1,30 @@
title: Azure Key Vault Modified or Deleted
id: 459a2970-bb84-4e6a-a32e-ff0fbd99448d
description: Identifies when a key vault is modified or deleted.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/16
description: Identifies when a key vault is modified or deleted.
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
author: Austin Songer @austinsonger
date: 2021/08/16
modified: 2022/08/23
logsource:
product: azure
service: activitylogs
detection:
selection:
properties.message:
- MICROSOFT.KEYVAULT/VAULTS/WRITE
- MICROSOFT.KEYVAULT/VAULTS/DELETE
- MICROSOFT.KEYVAULT/VAULTS/DEPLOY/ACTION
- MICROSOFT.KEYVAULT/VAULTS/ACCESSPOLICIES/WRITE
condition: selection
level: medium
tags:
- attack.impact
- attack.credential_access
- attack.t1552
- attack.t1552.001
selection:
operationName:
- MICROSOFT.KEYVAULT/VAULTS/WRITE
- MICROSOFT.KEYVAULT/VAULTS/DELETE
- MICROSOFT.KEYVAULT/VAULTS/DEPLOY/ACTION
- MICROSOFT.KEYVAULT/VAULTS/ACCESSPOLICIES/WRITE
condition: selection
falsepositives:
- Key Vault being modified or deleted may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Key Vault modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
- Key Vault being modified or deleted may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Key Vault modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
tags:
- attack.impact
- attack.credential_access
- attack.t1552
- attack.t1552.001
level: medium
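Review bot: `MICROSOFT.KEYVAULT/VAULTS/ACCESSPOLICIES/WRITE` is the operation that grants a principal access to the vault's keys and secrets and is the one that supports the `attack.credential_access` tags in this hunk, yet the description only says "a key vault is modified or deleted" and the falsepositives never mention access policy changes. Add a sentence to the description naming access policy changes as the case worth prioritising, and consider whether that single operation deserves a higher level than the vault write and deploy operations it is grouped with.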
@@ -1,33 +1,34 @@
title: Azure Keyvault Secrets Modified or Deleted
id: b831353c-1971-477b-abb6-2828edc3bca1
description: Identifies when secrets are modified or deleted in Azure.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/16
description: Identifies when secrets are modified or deleted in Azure.
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
author: Austin Songer @austinsonger
date: 2021/08/16
modified: 2022/08/23
logsource:
product: azure
service: activitylogs
detection:
selection:
properties.message:
- MICROSOFT.KEYVAULT/VAULTS/SECRETS/WRITE
- MICROSOFT.KEYVAULT/VAULTS/SECRETS/DELETE
- MICROSOFT.KEYVAULT/VAULTS/SECRETS/BACKUP/ACTION
- MICROSOFT.KEYVAULT/VAULTS/SECRETS/PURGE/ACTION
- MICROSOFT.KEYVAULT/VAULTS/SECRETS/UPDATE/ACTION
- MICROSOFT.KEYVAULT/VAULTS/SECRETS/RECOVER/ACTION
- MICROSOFT.KEYVAULT/VAULTS/SECRETS/RESTORE/ACTION
- MICROSOFT.KEYVAULT/VAULTS/SECRETS/SETSECRET/ACTION
condition: selection
level: medium
tags:
- attack.impact
- attack.credential_access
- attack.t1552
- attack.t1552.001
selection:
operationName:
- MICROSOFT.KEYVAULT/VAULTS/SECRETS/WRITE
- MICROSOFT.KEYVAULT/VAULTS/SECRETS/DELETE
- MICROSOFT.KEYVAULT/VAULTS/SECRETS/BACKUP/ACTION
- MICROSOFT.KEYVAULT/VAULTS/SECRETS/PURGE/ACTION
- MICROSOFT.KEYVAULT/VAULTS/SECRETS/UPDATE/ACTION
- MICROSOFT.KEYVAULT/VAULTS/SECRETS/RECOVER/ACTION
- MICROSOFT.KEYVAULT/VAULTS/SECRETS/RESTORE/ACTION
- MICROSOFT.KEYVAULT/VAULTS/SECRETS/SETSECRET/ACTION
condition: selection
falsepositives:
- Secrets being modified or deleted may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
- Secrets being modified or deleted may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
tags:
- attack.impact
- attack.credential_access
- attack.t1552
- attack.t1552.001
level: medium
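Review bot: as with the key rule, the description "Identifies when secrets are modified or deleted in Azure." does not cover the listed `.../SECRETS/BACKUP/ACTION`, `.../SETSECRET/ACTION` and `.../RESTORE/ACTION` operations; list the covered actions in the description so the alert text matches what the selection can fire on. The `attack.t1552.001` tag (credentials in files) is also debatable for a managed secret store; check that the sub-technique chosen actually describes secrets held in Key Vault before this ordering change lands, since the tags block is being rewritten in this hunk anyway.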
@@ -1,34 +1,34 @@
title: Azure Kubernetes Admission Controller
id: a61a3c56-4ce2-4351-a079-88ae4cbd2b58
description: Identifies when an admission controller is executed in Azure Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.
author: Austin Songer @austinsonger
status: experimental
date: 2021/11/25
modified: 2021/11/26
description: Identifies when an admission controller is executed in Azure Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
author: Austin Songer @austinsonger
date: 2021/11/25
modified: 2022/08/23
logsource:
product: azure
service: activitylogs
detection:
selection1:
properties.message|startswith: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO
properties.message|endswith:
- /MUTATINGWEBHOOKCONFIGURATIONS/WRITE
- /VALIDATINGWEBHOOKCONFIGURATIONS/WRITE
selection2:
properties.message|startswith: MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO
properties.message|endswith:
- /MUTATINGWEBHOOKCONFIGURATIONS/WRITE
- /VALIDATINGWEBHOOKCONFIGURATIONS/WRITE
condition: selection1 or selection2
level: medium
tags:
- attack.persistence
- attack.t1078
- attack.credential_access
- attack.t1552
- attack.t1552.007
selection1:
operationName|startswith: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO
operationName|endswith:
- /MUTATINGWEBHOOKCONFIGURATIONS/WRITE
- /VALIDATINGWEBHOOKCONFIGURATIONS/WRITE
selection2:
operationName|startswith: MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO
operationName|endswith:
- /MUTATINGWEBHOOKCONFIGURATIONS/WRITE
- /VALIDATINGWEBHOOKCONFIGURATIONS/WRITE
condition: selection1 or selection2
falsepositives:
- Azure Kubernetes Admissions Controller may be done by a system administrator.
- If known behavior is causing false positives, it can be exempted from the rule.
- Azure Kubernetes Admissions Controller may be done by a system administrator.
- If known behavior is causing false positives, it can be exempted from the rule.
tags:
- attack.persistence
- attack.t1078
- attack.credential_access
- attack.t1552
- attack.t1552.007
level: medium
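Review bot: the description opens with "Identifies when an admission controller is executed in Azure Kubernetes", but both selections match `operationName|endswith: /MUTATINGWEBHOOKCONFIGURATIONS/WRITE` and `/VALIDATINGWEBHOOKCONFIGURATIONS/WRITE`, that is, creation or modification of the webhook configuration objects, not execution of a controller. Reword the first sentence to "when a mutating or validating admission webhook configuration is created or modified", which is also what the rest of the description explains. The falsepositives entry "Azure Kubernetes Admissions Controller may be done by a system administrator" needs the same correction (webhook configuration changes, not the controller).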
@@ -1,28 +1,28 @@
title: Azure Kubernetes Cluster Created or Deleted
id: 9541f321-7cba-4b43-80fc-fbd1fb922808
description: Detects when a Azure Kubernetes Cluster is created or deleted.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/07
description: Detects when a Azure Kubernetes Cluster is created or deleted.
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
- https://attack.mitre.org/matrices/enterprise/cloud/
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
- https://attack.mitre.org/matrices/enterprise/cloud/
author: Austin Songer @austinsonger
date: 2021/08/07
modified: 2022/08/23
logsource:
product: azure
service: activitylogs
detection:
selection:
properties.message:
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/DELETE
condition: selection
level: low
tags:
- attack.impact
selection:
operationName:
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/DELETE
condition: selection
falsepositives:
- Kubernetes cluster being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Kubernetes cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
- Kubernetes cluster being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Kubernetes cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
tags:
- attack.impact
level: low
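Review bot: "Detects when a Azure Kubernetes Cluster is created or deleted." should read "an Azure Kubernetes Cluster". More importantly, the selection only lists `MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/WRITE` and `/DELETE`, which are the Azure Arc-enabled (connected) cluster operations; the admission controller and CronJob rules in this same commit also match the `MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS` provider, and AKS clusters are created and deleted under that provider. Either add the managed cluster write and delete operations here or rename the rule so the title does not promise AKS coverage it does not have.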
@@ -1,34 +1,35 @@
title: Azure Kubernetes CronJob
id: 1c71e254-6655-42c1-b2d6-5e4718d7fc0a
description: Identifies when a Azure Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. An Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.
author: Austin Songer @austinsonger
status: experimental
date: 2021/11/22
description: Identifies when a Azure Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. An Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/
- https://kubernetes.io/docs/concepts/workloads/controllers/job/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/
- https://kubernetes.io/docs/concepts/workloads/controllers/job/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
author: Austin Songer @austinsonger
date: 2021/11/22
modified: 2022/08/23
logsource:
product: azure
service: activitylogs
product: azure
service: activitylogs
detection:
selection1:
properties.message|startswith: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/BATCH
properties.message|endswith:
- /CRONJOBS/WRITE
- /JOBS/WRITE
selection2:
properties.message|startswith: MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/BATCH
properties.message|endswith:
- /CRONJOBS/WRITE
- /JOBS/WRITE
condition: selection1 or selection2
level: medium
tags:
- attack.persistence
- attack.privilege_escalation
- attack.execution
selection1:
operationName|startswith: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/BATCH
operationName|endswith:
- /CRONJOBS/WRITE
- /JOBS/WRITE
selection2:
operationName|startswith: MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/BATCH
operationName|endswith:
- /CRONJOBS/WRITE
- /JOBS/WRITE
condition: selection1 or selection2
falsepositives:
- Azure Kubernetes CronJob/Job may be done by a system administrator.
- If known behavior is causing false positives, it can be exempted from the rule.
- Azure Kubernetes CronJob/Job may be done by a system administrator.
- If known behavior is causing false positives, it can be exempted from the rule.
tags:
- attack.persistence
- attack.privilege_escalation
- attack.execution
level: medium
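Review bot: the description says "Identifies when a Azure Kubernetes CronJob runs", but the selections match `operationName|endswith: /CRONJOBS/WRITE` and `/JOBS/WRITE`, which are creation or modification events for the CronJob and Job objects; the activity log does not record each scheduled run. Reword to "when a CronJob or Job is created or modified" and fix "a Azure" to "an Azure" in the same line. The falsepositives wording "Azure Kubernetes CronJob/Job may be done by a system administrator" should likewise say that creating or updating these objects is routine for administrators and CI pipelines.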
@@ -1,24 +1,24 @@
title: Azure Kubernetes Events Deleted
id: 225d8b09-e714-479c-a0e4-55e6f29adf35
description: Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.
author: Austin Songer @austinsonger
status: experimental
date: 2021/07/24
description: Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
author: Austin Songer @austinsonger
date: 2021/07/24
modified: 2022/08/23
logsource:
product: azure
service: activitylogs
detection:
selection_operation_name:
properties.message: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE
condition: selection_operation_name
level: medium
tags:
- attack.defense_evasion
- attack.t1562
- attack.t1562.001
selection:
operationName: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE
condition: selection
falsepositives:
- Event deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Events deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
- Event deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Events deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
tags:
- attack.defense_evasion
- attack.t1562
- attack.t1562.001
level: medium
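Review bot: renaming `selection_operation_name` to `selection` is fine, but this defense-evasion rule still matches only `MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE`, so event deletion on AKS managed clusters (the `MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS` provider used by the admission controller and CronJob rules in this commit) is not covered. Given the tactic, the gap matters more here than in the create/delete rules; add the managed cluster counterpart or document in the description that the rule covers Arc-connected clusters only.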
@@ -1,30 +1,31 @@
title: Azure Kubernetes Network Policy Change
id: 08d6ac24-c927-4469-b3b7-2e422d6e3c43
description: Identifies when a Azure Kubernetes network policy is modified or deleted.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/07
description: Identifies when a Azure Kubernetes network policy is modified or deleted.
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
- https://attack.mitre.org/matrices/enterprise/cloud/
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
- https://attack.mitre.org/matrices/enterprise/cloud/
author: Austin Songer @austinsonger
date: 2021/08/07
modified: 2022/08/23
logsource:
product: azure
service: activitylogs
detection:
selection:
properties.message:
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/DELETE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/DELETE
condition: selection
level: medium
tags:
- attack.impact
- attack.credential_access
selection:
operationName:
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/DELETE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/DELETE
condition: selection
falsepositives:
- Network Policy being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Network Policy being modified and deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
- Network Policy being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Network Policy being modified and deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
tags:
- attack.impact
- attack.credential_access
level: medium
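Review bot: the `attack.credential_access` tag kept in the tags block does not fit this rule; a write or delete on `NETWORKING.K8S.IO/NETWORKPOLICIES` changes traffic filtering and has nothing to do with harvesting credentials, so drop it or explain the mapping. While here, the description should read "an Azure Kubernetes network policy", and both falsepositives entries say "modified and deleted" where the operations are WRITE or DELETE ("modified or deleted", as in the sibling rules). The switch from `properties.message` to `operationName` is correct for Activity Log events.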
@@ -1,22 +1,23 @@
title: Azure Kubernetes Pods Deleted
id: b02f9591-12c3-4965-986a-88028629b2e1
description: Identifies the deletion of Azure Kubernetes Pods.
author: Austin Songer @austinsonger
status: experimental
date: 2021/07/24
description: Identifies the deletion of Azure Kubernetes Pods.
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
author: Austin Songer @austinsonger
date: 2021/07/24
modified: 2022/08/23
logsource:
product: azure
service: activitylogs
detection:
selection_operation_name:
properties.message: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE
condition: selection_operation_name
level: medium
tags:
- attack.impact
selection:
operationName: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE
condition: selection
falsepositives:
- Pods may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Pods deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
- Pods may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Pods deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
tags:
- attack.impact
level: medium
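Review bot: the second falsepositives entry reads "Pods deletions from unfamiliar users or hosts should be investigated"; make it "Pod deletions ...". Renaming `selection_operation_name` to `selection` in the detection block is fine, but note that the tags block carries only the tactic `attack.impact` with no technique ID, unlike the CloudShell and elevation rules further down that pair the tactic with a `t1059`/`t1078` tag.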
@@ -1,33 +1,34 @@
title: Azure Kubernetes Sensitive Role Access
id: 818fee0c-e0ec-4e45-824e-83e4817b0887
description: Identifies when ClusterRoles/Roles are being modified or deleted.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/07
description: Identifies when ClusterRoles/Roles are being modified or deleted.
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
- https://attack.mitre.org/matrices/enterprise/cloud/
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
- https://attack.mitre.org/matrices/enterprise/cloud/
author: Austin Songer @austinsonger
date: 2021/08/07
modified: 2022/08/23
logsource:
product: azure
service: activitylogs
detection:
selection:
properties.message:
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/DELETE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/BIND/ACTION
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/ESCALATE/ACTION
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/DELETE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/BIND/ACTION
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/ESCALATE/ACTION
condition: selection
level: medium
tags:
- attack.impact
selection:
operationName:
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/DELETE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/BIND/ACTION
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/ESCALATE/ACTION
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/DELETE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/BIND/ACTION
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/ESCALATE/ACTION
condition: selection
falsepositives:
- ClusterRoles/Roles being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- ClusterRoles/Roles modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
- ClusterRoles/Roles being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- ClusterRoles/Roles modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
tags:
- attack.impact
level: medium
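Review bot: the description "Identifies when ClusterRoles/Roles are being modified or deleted" undersells the selection, which also matches `.../ROLES/BIND/ACTION`, `.../ROLES/ESCALATE/ACTION` and the CLUSTERROLES equivalents; those are the interesting events for privilege escalation and should be named in the description (and the title "Sensitive Role Access" should say what kind of access). The falsepositives entry "being modified and deleted" should be "modified or deleted".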
@@ -1,31 +1,31 @@
title: Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted
id: 25cb259b-bbdc-4b87-98b7-90d7c72f8743
description: Detects the creation or patching of potential malicious RoleBinding/ClusterRoleBinding.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/07
description: Detects the creation or patching of potential malicious RoleBinding/ClusterRoleBinding.
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
- https://attack.mitre.org/matrices/enterprise/cloud/
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
- https://attack.mitre.org/matrices/enterprise/cloud/
author: Austin Songer @austinsonger
date: 2021/08/07
modified: 2022/08/23
logsource:
product: azure
service: activitylogs
detection:
selection:
properties.message:
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/DELETE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/DELETE
condition: selection
level: medium
tags:
- attack.impact
- attack.credential_access
selection:
operationName:
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/DELETE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/DELETE
condition: selection
falsepositives:
- RoleBinding/ClusterRoleBinding being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- RoleBinding/ClusterRoleBinding modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
- RoleBinding/ClusterRoleBinding being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- RoleBinding/ClusterRoleBinding modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
tags:
- attack.impact
- attack.credential_access
level: medium
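Review bot: the description "Detects the creation or patching of potential malicious RoleBinding/ClusterRoleBinding" does not match the selection, which also covers `CLUSTERROLEBINDINGS/DELETE` and `ROLEBINDINGS/DELETE`; reword to "creation, modification or deletion of potentially malicious ...". The title "Modified and Deleted" should be "Modified or Deleted" like the sibling rules, and as with the network policy rule the `attack.credential_access` tag is not justified by binding changes.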
@@ -1,28 +1,29 @@
title: Azure Kubernetes Secret or Config Object Access
id: 7ee0b4aa-d8d4-4088-b661-20efdf41a04c
description: Identifies when a Kubernetes account access a sensitive objects such as configmaps or secrets.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/07
description: Identifies when a Kubernetes account access a sensitive objects such as configmaps or secrets.
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
- https://attack.mitre.org/matrices/enterprise/cloud/
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
- https://attack.mitre.org/matrices/enterprise/cloud/
author: Austin Songer @austinsonger
date: 2021/08/07
modified: 2022/08/23
logsource:
product: azure
service: activitylogs
detection:
selection:
properties.message:
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/DELETE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/DELETE
condition: selection
level: medium
tags:
- attack.impact
selection:
operationName:
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/DELETE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/DELETE
condition: selection
falsepositives:
- Sensitive objects may be accessed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Sensitive objects accessed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
- Sensitive objects may be accessed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Sensitive objects accessed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
tags:
- attack.impact
level: medium
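Review bot: the title and description claim to identify when an account accesses configmaps or secrets, but the selection only matches `CONFIGMAPS/WRITE`, `CONFIGMAPS/DELETE`, `SECRETS/WRITE` and `SECRETS/DELETE`; reads are not covered, so either reword to "modified or deleted" or add the read operations if the provider logs them (check the referenced resource-provider-operations page). The description also needs a grammar fix: "a Kubernetes account accesses sensitive objects such as configmaps or secrets".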
@@ -1,28 +1,29 @@
title: Azure Kubernetes Service Account Modified or Deleted
id: 12d027c3-b48c-4d9d-8bb6-a732200034b2
description: Identifies when a service account is modified or deleted.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/07
description: Identifies when a service account is modified or deleted.
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
- https://attack.mitre.org/matrices/enterprise/cloud/
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
- https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
- https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1
- https://attack.mitre.org/matrices/enterprise/cloud/
author: Austin Songer @austinsonger
date: 2021/08/07
modified: 2022/08/23
logsource:
product: azure
service: activitylogs
detection:
selection:
properties.message:
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/DELETE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/IMPERSONATE/ACTION
condition: selection
level: medium
tags:
- attack.impact
selection:
operationName:
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/WRITE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/DELETE
- MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/IMPERSONATE/ACTION
condition: selection
falsepositives:
- Service account being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Service account modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
- Service account being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Service account modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
tags:
- attack.impact
level: medium
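Review bot: the selection includes `SERVICEACCOUNTS/IMPERSONATE/ACTION`, which is neither a modification nor a deletion and is not mentioned in the description or falsepositives; impersonating a service account is the higher-signal event here and deserves its own sentence in the description, or a separate rule with its own level.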
@@ -1,25 +1,26 @@
title: Azure Network Firewall Policy Modified or Deleted
id: 83c17918-746e-4bd9-920b-8e098bf88c23
description: Identifies when a Firewall Policy is Modified or Deleted.
author: Austin Songer @austinsonger
status: experimental
date: 2021/09/02
description: Identifies when a Firewall Policy is Modified or Deleted.
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
author: Austin Songer @austinsonger
date: 2021/09/02
modified: 2022/08/23
logsource:
product: azure
service: activitylogs
detection:
selection:
properties.message:
- MICROSOFT.NETWORK/FIREWALLPOLICIES/WRITE
- MICROSOFT.NETWORK/FIREWALLPOLICIES/JOIN/ACTION
- MICROSOFT.NETWORK/FIREWALLPOLICIES/CERTIFICATES/ACTION
- MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE
condition: selection
level: medium
tags:
- attack.impact
selection:
operationName:
- MICROSOFT.NETWORK/FIREWALLPOLICIES/WRITE
- MICROSOFT.NETWORK/FIREWALLPOLICIES/JOIN/ACTION
- MICROSOFT.NETWORK/FIREWALLPOLICIES/CERTIFICATES/ACTION
- MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE
condition: selection
falsepositives:
- Firewall Policy being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Firewall Policy modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
- Firewall Policy being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Firewall Policy modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
tags:
- attack.impact
level: medium
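Review bot: the description covers only "Modified or Deleted", but the selection also matches `MICROSOFT.NETWORK/FIREWALLPOLICIES/JOIN/ACTION` and `MICROSOFT.NETWORK/FIREWALLPOLICIES/CERTIFICATES/ACTION`; list those in the description so an analyst knows why a join or certificate action fired. Minor style: "modified or deleted" should not be capitalised mid-sentence.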
@@ -1,25 +1,26 @@
title: Azure Firewall Rule Configuration Modified or Deleted
id: 2a7d64cf-81fa-4daf-ab1b-ab80b789c067
description: Identifies when a Firewall Rule Configuration is Modified or Deleted.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/08
description: Identifies when a Firewall Rule Configuration is Modified or Deleted.
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
author: Austin Songer @austinsonger
date: 2021/08/08
modified: 2022/08/23
logsource:
product: azure
service: activitylogs
detection:
selection:
properties.message:
- MICROSOFT.NETWORK/FIREWALLPOLICIES/RULECOLLECTIONGROUPS/WRITE
- MICROSOFT.NETWORK/FIREWALLPOLICIES/RULECOLLECTIONGROUPS/DELETE
- MICROSOFT.NETWORK/FIREWALLPOLICIES/RULEGROUPS/WRITE
- MICROSOFT.NETWORK/FIREWALLPOLICIES/RULEGROUPS/DELETE
condition: selection
level: medium
tags:
- attack.impact
selection:
operationName:
- MICROSOFT.NETWORK/FIREWALLPOLICIES/RULECOLLECTIONGROUPS/WRITE
- MICROSOFT.NETWORK/FIREWALLPOLICIES/RULECOLLECTIONGROUPS/DELETE
- MICROSOFT.NETWORK/FIREWALLPOLICIES/RULEGROUPS/WRITE
- MICROSOFT.NETWORK/FIREWALLPOLICIES/RULEGROUPS/DELETE
condition: selection
falsepositives:
- Firewall Rule Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Firewall Rule Configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
- Firewall Rule Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Firewall Rule Configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
tags:
- attack.impact
level: medium
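Review bot: style only, the description "Identifies when a Firewall Rule Configuration is Modified or Deleted." capitalises "Modified or Deleted" mid-sentence; lower-case them as in the other rules. The four RULECOLLECTIONGROUPS/RULEGROUPS operations look complete for this scope and do not overlap with the firewall policy rule above.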
@@ -1,27 +1,28 @@
title: Azure Point-to-site VPN Modified or Deleted
id: d9557b75-267b-4b43-922f-a775e2d1f792
description: Identifies when a Point-to-site VPN is Modified or Deleted.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/08
description: Identifies when a Point-to-site VPN is Modified or Deleted.
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
author: Austin Songer @austinsonger
date: 2021/08/08
modified: 2022/08/23
logsource:
product: azure
service: activitylogs
detection:
selection:
properties.message:
- MICROSOFT.NETWORK/P2SVPNGATEWAYS/WRITE
- MICROSOFT.NETWORK/P2SVPNGATEWAYS/DELETE
- MICROSOFT.NETWORK/P2SVPNGATEWAYS/RESET/ACTION
- MICROSOFT.NETWORK/P2SVPNGATEWAYS/GENERATEVPNPROFILE/ACTION
- MICROSOFT.NETWORK/P2SVPNGATEWAYS/DISCONNECTP2SVPNCONNECTIONS/ACTION
- MICROSOFT.NETWORK/P2SVPNGATEWAYS/PROVIDERS/MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/WRITE
condition: selection
level: medium
tags:
- attack.impact
selection:
operationName:
- MICROSOFT.NETWORK/P2SVPNGATEWAYS/WRITE
- MICROSOFT.NETWORK/P2SVPNGATEWAYS/DELETE
- MICROSOFT.NETWORK/P2SVPNGATEWAYS/RESET/ACTION
- MICROSOFT.NETWORK/P2SVPNGATEWAYS/GENERATEVPNPROFILE/ACTION
- MICROSOFT.NETWORK/P2SVPNGATEWAYS/DISCONNECTP2SVPNCONNECTIONS/ACTION
- MICROSOFT.NETWORK/P2SVPNGATEWAYS/PROVIDERS/MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/WRITE
condition: selection
falsepositives:
- Point-to-site VPN being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Point-to-site VPN modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
- Point-to-site VPN being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Point-to-site VPN modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
tags:
- attack.impact
level: medium
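Review bot: `MICROSOFT.NETWORK/P2SVPNGATEWAYS/GENERATEVPNPROFILE/ACTION` and `.../PROVIDERS/MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/WRITE` are in the selection but are neither a modification nor a deletion of the VPN; generating a client profile is routine admin activity and will fire regularly, so either document both in the description and falsepositives or move them to a separate, lower-level rule.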
@@ -1,27 +1,28 @@
title: Azure Network Security Configuration Modified or Deleted
id: d22b4df4-5a67-4859-a578-8c9a0b5af9df
description: Identifies when a network security configuration is modified or deleted.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/08
description: Identifies when a network security configuration is modified or deleted.
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
author: Austin Songer @austinsonger
date: 2021/08/08
modified: 2022/08/23
logsource:
product: azure
service: activitylogs
detection:
selection:
properties.message:
- MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE
- MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/DELETE
- MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE
- MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/DELETE
- MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/JOIN/ACTION
- MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/PROVIDERS/MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/WRITE
condition: selection
level: medium
tags:
- attack.impact
selection:
operationName:
- MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE
- MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/DELETE
- MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE
- MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/DELETE
- MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/JOIN/ACTION
- MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/PROVIDERS/MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/WRITE
condition: selection
falsepositives:
- Network Security Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Network Security Configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
- Network Security Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Network Security Configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
tags:
- attack.impact
level: medium
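Review bot: `MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/JOIN/ACTION` fires whenever a NIC or subnet is associated with an NSG, which happens on ordinary deployments, and `.../DIAGNOSTICSETTINGS/WRITE` is a logging change rather than a security rule change; neither is described by "network security configuration is modified or deleted", so mention them in the description and add a falsepositives entry for deployment-time joins. The title could also say "Network Security Group" since that is the only resource type matched.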
@@ -1,32 +1,33 @@
title: Azure Virtual Network Device Modified or Deleted
id: 15ef3fac-f0f0-4dc4-ada0-660aa72980b3
description: Identifies when a virtual network device is being modified or deleted. This can be a network interface, network virtual appliance, virtual hub, or virtual router.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/08
description: Identifies when a virtual network device is being modified or deleted. This can be a network interface, network virtual appliance, virtual hub, or virtual router.
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
author: Austin Songer @austinsonger
date: 2021/08/08
modified: 2022/08/23
logsource:
product: azure
service: activitylogs
detection:
selection:
properties.message:
- MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/WRITE
- MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/DELETE
- MICROSOFT.NETWORK/NETWORKINTERFACES/WRITE
- MICROSOFT.NETWORK/NETWORKINTERFACES/JOIN/ACTION
- MICROSOFT.NETWORK/NETWORKINTERFACES/DELETE
- MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/DELETE
- MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/WRITE
- MICROSOFT.NETWORK/VIRTUALHUBS/DELETE
- MICROSOFT.NETWORK/VIRTUALHUBS/WRITE
- MICROSOFT.NETWORK/VIRTUALROUTERS/WRITE
- MICROSOFT.NETWORK/VIRTUALROUTERS/DELETE
condition: selection
level: medium
tags:
- attack.impact
selection:
operationName:
- MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/WRITE
- MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/DELETE
- MICROSOFT.NETWORK/NETWORKINTERFACES/WRITE
- MICROSOFT.NETWORK/NETWORKINTERFACES/JOIN/ACTION
- MICROSOFT.NETWORK/NETWORKINTERFACES/DELETE
- MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/DELETE
- MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/WRITE
- MICROSOFT.NETWORK/VIRTUALHUBS/DELETE
- MICROSOFT.NETWORK/VIRTUALHUBS/WRITE
- MICROSOFT.NETWORK/VIRTUALROUTERS/WRITE
- MICROSOFT.NETWORK/VIRTUALROUTERS/DELETE
condition: selection
falsepositives:
- Virtual Network Device being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Virtual Network Device modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
- Virtual Network Device being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Virtual Network Device modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
tags:
- attack.impact
level: medium
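Review bot: `MICROSOFT.NETWORK/NETWORKINTERFACES/WRITE` and `MICROSOFT.NETWORK/NETWORKINTERFACES/JOIN/ACTION` are emitted for every VM or scale set deployment, so at level medium this rule will be noisy in any environment with automated provisioning; add a falsepositives entry for deployment pipelines and service principals, or consider tuning the NIC operations separately from the appliance, hub and router operations.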
@@ -1,22 +1,22 @@
title: Azure New CloudShell Created
id: 72af37e2-ec32-47dc-992b-bc288a2708cb
description: Identifies when a new cloudshell is created inside of Azure portal.
author: Austin Songer
status: experimental
date: 2021/09/21
description: Identifies when a new cloudshell is created inside of Azure portal.
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
author: Austin Songer
date: 2021/09/21
modified: 2022/08/23
logsource:
product: azure
service: activitylogs
detection:
selection:
properties.message: MICROSOFT.PORTAL/CONSOLES/WRITE
condition: selection
level: medium
tags:
- attack.execution
- attack.t1059
selection:
operationName: MICROSOFT.PORTAL/CONSOLES/WRITE
condition: selection
falsepositives:
- A new cloudshell may be created by a system administrator.
- A new cloudshell may be created by a system administrator.
tags:
- attack.execution
- attack.t1059
level: medium
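Review bot: style only, the description "a new cloudshell is created inside of Azure portal" should read "a new Cloud Shell is created in the Azure portal". The `operationName: MICROSOFT.PORTAL/CONSOLES/WRITE` selection and the `attack.execution` / `attack.t1059` tags are consistent.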
@@ -1,21 +1,22 @@
title: Azure Subscription Permission Elevation Via ActivityLogs
id: 09438caa-07b1-4870-8405-1dbafe3dad95
status: experimental
author: Austin Songer @austinsonger
date: 2021/11/26
description: Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization
author: Austin Songer @austinsonger
date: 2021/11/26
modified: 2022/08/23
logsource:
product: azure
service: activitylogs
detection:
selection1:
properties.message: MICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION
condition: selection1
level: high
selection:
operationName: MICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION
condition: selection
falsepositives:
- If this was approved by System Administrator.
tags:
- attack.initial_access
- attack.t1078
level: high
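Review bot: the falsepositives entry "If this was approved by System Administrator." is a sentence fragment; the convention in the other rules is a statement such as "Elevation approved and performed by a system administrator. Verify whether the user identity should be making this change." Renaming `selection1` to `selection` in the detection block is fine and matches the rest of the commit.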
@@ -1,22 +1,23 @@
title: Azure Suppression Rule Created
id: 92cc3e5d-eb57-419d-8c16-5c63f325a401
description: Identifies when a suppression rule is created in Azure. Adversary's could attempt this to evade detection.
author: Austin Songer
status: experimental
date: 2021/08/16
description: Identifies when a suppression rule is created in Azure. Adversary's could attempt this to evade detection.
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
author: Austin Songer
date: 2021/08/16
modified: 2022/08/23
logsource:
product: azure
service: activitylogs
detection:
selection:
properties.message: MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE
condition: selection
level: medium
tags:
- attack.impact
selection:
operationName: MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE
condition: selection
falsepositives:
- Suppression Rule being created may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Suppression Rule created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
- Suppression Rule being created may be performed by a system administrator.
- Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Suppression Rule created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
tags:
- attack.impact
level: medium
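Review bot: the description says suppression rules are created to "evade detection", but the tags block carries only `attack.impact`; `attack.defense_evasion` (with `attack.t1562` / `attack.t1562.001`, as the event-deletion rule at the top of this commit uses) is the accurate mapping. Also fix "Adversary's could attempt this" to "Adversaries could attempt this".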
@@ -1,26 +1,27 @@
title: Azure Virtual Network Modified or Deleted
id: bcfcc962-0e4a-4fd9-84bb-a833e672df3f
description: Identifies when a Virtual Network is modified or deleted in Azure.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/08
description: Identifies when a Virtual Network is modified or deleted in Azure.
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
author: Austin Songer @austinsonger
date: 2021/08/08
modified: 2022/08/23
logsource:
product: azure
service: activitylogs
detection:
selection:
properties.message|startswith:
- MICROSOFT.NETWORK/VIRTUALNETWORKGATEWAYS/
- MICROSOFT.NETWORK/VIRTUALNETWORKS/
properties.message|endswith:
- /WRITE
- /DELETE
condition: selection
level: medium
tags:
- attack.impact
selection:
operationName|startswith:
- MICROSOFT.NETWORK/VIRTUALNETWORKGATEWAYS/
- MICROSOFT.NETWORK/VIRTUALNETWORKS/
operationName|endswith:
- /WRITE
- /DELETE
condition: selection
falsepositives:
- Virtual Network being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Virtual Network modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
- Virtual Network being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- Virtual Network modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
tags:
- attack.impact
level: medium
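Review bot: the `operationName|startswith` + `|endswith` pair is wider than the title and description say. Any write or delete under `MICROSOFT.NETWORK/VIRTUALNETWORKS/` or `MICROSOFT.NETWORK/VIRTUALNETWORKGATEWAYS/` matches, which includes child resources such as subnets, peerings and gateway connections, not just the virtual network itself. Either say so in the description and false-positive guidance (subnet changes are routine) or pin the operation names as the sibling application-gateway rule does.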
@@ -1,23 +1,24 @@
title: Azure VPN Connection Modified or Deleted
id: 61171ffc-d79c-4ae5-8e10-9323dba19cd3
description: Identifies when a VPN connection is modified or deleted.
author: Austin Songer @austinsonger
status: experimental
date: 2021/08/08
description: Identifies when a VPN connection is modified or deleted.
references:
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
author: Austin Songer @austinsonger
date: 2021/08/08
modified: 2022/08/23
logsource:
product: azure
service: activitylogs
detection:
selection:
properties.message:
- MICROSOFT.NETWORK/VPNGATEWAYS/VPNCONNECTIONS/WRITE
- MICROSOFT.NETWORK/VPNGATEWAYS/VPNCONNECTIONS/DELETE
condition: selection
level: medium
tags:
- attack.impact
selection:
operationName:
- MICROSOFT.NETWORK/VPNGATEWAYS/VPNCONNECTIONS/WRITE
- MICROSOFT.NETWORK/VPNGATEWAYS/VPNCONNECTIONS/DELETE
condition: selection
falsepositives:
- VPN Connection being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- VPN Connection modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
- VPN Connection being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- VPN Connection modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
tags:
- attack.impact
level: medium
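Review bot: the two operation names in `selection` only cover Virtual WAN VPN gateways (`MICROSOFT.NETWORK/VPNGATEWAYS/VPNCONNECTIONS/*`). Site-to-site and VNet-to-VNet connections on a classic VPN gateway are separate `MICROSOFT.NETWORK/CONNECTIONS/WRITE` and `/DELETE` operations in the referenced resource-provider list; if those are in scope for "VPN connection modified or deleted", add them, otherwise narrow the title to Virtual WAN.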
+2 -1
@@ -4,12 +4,13 @@ status: experimental
description: Detects Bitsadmin connections to IP addresses instead of FQDN names
author: Florian Roth
date: 2022/06/10
modified: 2022/08/24
logsource:
category: proxy
detection:
selection:
c-useragent|startswith: 'Microsoft BITS/'
cs-host|startswith:
cs-host|endswith:
- '1'
- '2'
- '3'
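Review bot: switching to `cs-host|endswith` with single digits is a rough proxy for "is an IP literal" and has two failure modes worth a comment in the rule. Proxy logs that carry the port in `cs-host` (`host:8080`) will match on every request, and bracketed IPv6 literals end in `]` and never match. If the log source allows it, a regex on a dotted-quad (or the backend's CIDR/IP-type operator) is more robust than the digit list.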
@@ -6,27 +6,27 @@ author: pH-T
date: 2022/03/18
modified: 2022/03/24
logsource:
product: windows
service: system
product: windows
service: system
detection:
selection:
Provider_Name: 'Service Control Manager'
EventID: 7045
suspicious1:
ImagePath|contains: ' /C '
suspicious2:
ImagePath|contains:
- 'powershell'
- 'wscript'
- 'cscript'
- 'mshta'
- 'rundll32'
condition: selection and all of suspicious*
selection:
Provider_Name: 'Service Control Manager'
EventID: 7045
suspicious1:
ImagePath|contains: ' /C '
suspicious2:
ImagePath|contains:
- 'powershell'
- 'wscript'
- 'cscript'
- 'mshta'
- 'rundll32'
condition: selection and all of suspicious*
falsepositives:
- Unknown
- Unknown
level: high
tags:
- attack.persistence
- attack.privilege_escalation
- car.2013-09-005
- attack.t1543.003
- attack.persistence
- attack.privilege_escalation
- car.2013-09-005
- attack.t1543.003
@@ -5,7 +5,7 @@ notes:
- MonitoringHost.exe is a process that loads .NET CLR by default and thus a favorite for process injection for .NET in-memory offensive tools.
status: experimental
date: 2019/10/27
modified: 2022/08/25
modified: 2022/08/26
author: Perez Diego (@darkquassar), oscd.community
references:
- Personal research, statistical analysis
@@ -89,6 +89,11 @@ detection:
TargetImage: 'System'
filter_powershell:
SourceParentImage: 'C:\Windows\System32\CompatTelRunner.exe'
filter_schtasks_conhost:
SourceImage:
- 'C:\Windows\System32\schtasks.exe'
- 'C:\Windows\SysWOW64\schtasks.exe'
TargetImage: 'C:\Windows\System32\conhost.exe'
condition: selection and not 1 of filter*
fields:
- ComputerName
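Review bot: `filter_schtasks_conhost` excludes the pair on image paths alone, with no constraint on the access mask. Because the condition is `not 1 of filter*`, any schtasks.exe access to conhost.exe is now invisible, including masks the rule otherwise treats as injection-like. If the selection keys on `GrantedAccess` or `CallTrace`, consider carrying the benign mask into the filter so only the expected console handshake is excluded.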
@@ -6,6 +6,7 @@ author: Nasreddine Bencherchali
references:
- https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/
date: 2022/07/28
modified: 2022/08/24
logsource:
product: windows
category: driver_load
@@ -22,7 +23,7 @@ detection:
driver_img:
ImageLoaded|endswith: '\aswArPot.sys'
driver_status:
- Signed: false
- Signed: 'false'
- SignatureStatus: Expired
condition: 1 of selection* or all of driver_*
falsepositives:
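Review bot: quoting `Signed: 'false'` is the right fix, since the Sysmon DriverLoad event carries the field as the string "false" and an unquoted YAML boolean can be emitted differently per backend. A one-line comment next to the value saying that would stop the next contributor from "cleaning it up" back to a boolean; the same change is made in the larger driver rule below.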
@@ -792,7 +792,7 @@ detection:
- '\semav6msr.sys'
- '\piddrv64.sys'
driver_status:
- Signed: false
- Signed: 'false'
- SignatureStatus: Expired
condition: 1 of selection* or all of driver_*
falsepositives:
@@ -0,0 +1,29 @@
title: MSDT.exe Creates Files in Autorun Directory
id: 318557a5-150c-4c8d-b70e-a9910e199857
status: experimental
description: Detects msdt.exe creating files in suspicious directories
author: Vadim Varganov, Florian Roth
references:
- https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd
- https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
date: 2022/08/24
tags:
- attack.persistence
- attack.t1547.001
- cve.2022.30190
logsource:
category: file_event
product: windows
detection:
selection:
Image|endswith: '\msdt.exe'
TargetFilename|contains:
- '\Start Menu\Programs\Startup\'
- 'C:\Users\Public\'
- 'C:\PerfLogs\'
- '\Desktop\'
- 'C:\ProgramData\'
condition: selection
falsepositives:
- Unknown
level: high
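Review bot: the title says "Autorun Directory" but most of the `TargetFilename|contains` list is not autorun related (`C:\Users\Public\`, `C:\PerfLogs\`, `\Desktop\`, `C:\ProgramData\`), and the description says "suspicious directories". Align the two, and expect `\Desktop\` to be noisy when users save troubleshooter output there. If in the CVE-2022-30190 chain the file writes come from sdiagnhost.exe rather than msdt.exe itself, the `Image|endswith` selection will miss them; worth checking against a sample before keeping `level: high`.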
@@ -8,7 +8,7 @@ references:
- https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/
- https://github.com/fox-it/LDAPFragger
date: 2019/03/24
modified: 2022/08/16
modified: 2022/08/24
logsource:
product: windows
category: file_event
@@ -26,7 +26,9 @@ detection:
- 'C:\Program Files\Cylance\Desktop\CylanceSvc.exe'
- 'C:\Windows\System32\wbem\WmiPrvSE.exe'
filter_begins:
Image|startswith: 'C:\Windows\ccmsetup\autoupgrade\ccmsetup' # C:\Windows\ccmsetup\autoupgrade\ccmsetup.TMC00002.40.exe
Image|startswith:
- 'C:\Windows\ccmsetup\autoupgrade\ccmsetup' # C:\Windows\ccmsetup\autoupgrade\ccmsetup.TMC00002.40.exe
- 'C:\Program Files\SentinelOne\Sentinel Agent' # C:\Program Files\SentinelOne\Sentinel Agent 21.7.7.40005\SentinelAgent.exe
filter_ends:
Image|endswith: '\LANDesk\LDCLient\ldapwhoami.exe'
filter_domain_controller:
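Review bot: the new SentinelOne entry in `filter_begins` has no trailing separator, so `'C:\Program Files\SentinelOne\Sentinel Agent'` also matches any sibling directory that starts with that string. The commented example shows a space follows ("Sentinel Agent 21.7.7.40005"), so `'C:\Program Files\SentinelOne\Sentinel Agent '` keeps the filter to the versioned agent folders only.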
@@ -0,0 +1,29 @@
title: PowerShell Profile Modification
id: b5b78988-486d-4a80-b991-930eff3ff8bf
status: test
description: Detects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence
author: HieuTT35, Nasreddine Bencherchali
references:
- https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/
- https://persistence-info.github.io/Data/powershellprofile.html
date: 2019/10/24
modified: 2022/08/24
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith:
- '\Microsoft.PowerShell_profile.ps1'
- '\WindowsPowerShell\profile.ps1'
- '\PowerShell\profile.ps1'
- '\Windows\System32\WindowsPowerShell\v1.0\profile.ps1'
- '\Program Files\PowerShell\7\profile.ps1'
condition: selection
falsepositives:
- System administrator create Powershell profile manually
level: high
tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1546.013
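Review bot: the `TargetFilename|endswith` list omits the ISE host profile `Microsoft.PowerShellISE_profile.ps1`, which is the same persistence surface as `Microsoft.PowerShell_profile.ps1`. Since `\PowerShell\profile.ps1` already matches any directory named PowerShell, the rule is broader than the deleted one; that is fine, but the false-positive entry should read "System administrators creating a PowerShell profile manually" and mention profiles pushed by GPO, which will fire at `level: high` on every host.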
@@ -1,29 +0,0 @@
title: Powershell Profile.ps1 Modification
id: b5b78988-486d-4a80-b991-930eff3ff8bf
status: test
description: Detects a change in profile.ps1 of the Powershell profile
author: HieuTT35
references:
- https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/
date: 2019/10/24
modified: 2021/11/27
logsource:
product: windows
category: file_event
detection:
target1:
TargetFilename|contains|all:
- '\My Documents\PowerShell\'
- '\profile.ps1'
target2:
TargetFilename|contains|all:
- 'C:\Windows\System32\WindowsPowerShell\v1.0\'
- '\profile.ps1'
condition: target1 or target2
falsepositives:
- System administrator create Powershell profile manually
level: high
tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1546.013
@@ -0,0 +1,25 @@
title: VsCode Powershell Profile Modification
id: 3a9fa2ec-30bc-4ebd-b49e-7c9cff225502
related:
- id: b5b78988-486d-4a80-b991-930eff3ff8bf
type: similar
status: experimental
description: Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence
author: Nasreddine Bencherchali
references:
- https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-7.2
date: 2022/08/24
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith: '\Microsoft.VSCode_profile.ps1'
condition: selection
falsepositives:
- Legitimate use of the profile by developers or administrators
level: high
tags:
- attack.persistence
- attack.privilege_escalation
- attack.t1546.013
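Review bot: with a single filename and no `Image` constraint, `level: high` will trigger whenever the VS Code PowerShell extension or a developer edits `Microsoft.VSCode_profile.ps1`. Either filter on the editor process or lower the level to medium and leave the investigation to the related rule b5b78988.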
@@ -6,9 +6,9 @@ references:
- https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
- https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/ # WindowsCodecs.dll
- https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/ # iphlpapi.dll
author: Nasreddine Bencherchali, Wietze Beukema (project and research)
author: Nasreddine Bencherchali, Wietze Beukema (project and research), Chris Spehn (research WFH Dridex)
date: 2022/08/14
modified: 2022/08/17
modified: 2022/08/24
tags:
- attack.defense_evasion
- attack.persistence
@@ -356,6 +356,60 @@ detection:
- '\dpx.dll'
- '\fxsapi.dll'
- '\fxstiff.dll'
- '\xpsservices.dll'
- '\appvpolicy.dll'
- '\batmeter.dll'
- '\bootux.dll'
- '\cmutil.dll'
- '\configmanager2.dll'
- '\coredplus.dll'
- '\coreuicomponents.dll'
- '\cryptsp.dll'
- '\dmcommandlineutils.dll'
- '\drvstore.dll'
- '\dsprop.dll'
- '\dxcore.dll'
- '\edgeiso.dll'
- '\framedynos.dll'
- '\fveskybackup.dll'
- '\fvewiz.dll'
- '\gpapi.dll'
- '\icmp.dll'
- '\ifsutil.dll'
- '\iumsdk.dll'
- '\lockhostingframework.dll'
- '\lrwizdll.dll'
- '\mbaexmlparser.dll'
- '\mfc42u.dll'
- '\msiso.dll'
- '\msvcp110_win.dll'
- '\netapi32.dll'
- '\netjoin.dll'
- '\netprovfw.dll'
- '\opcservices.dll'
- '\pkeyhelper.dll'
- '\playsndsrv.dll'
- '\powrprof.dll'
- '\prntvpt.dll'
- '\profapi.dll'
- '\proximitycommon.dll'
- '\proximityservicepal.dll'
- '\rasdlg.dll'
- '\security.dll'
- '\sppcext.dll'
- '\srmtrace.dll'
- '\tpmcoreprovisioning.dll'
- '\umpdc.dll'
- '\unattend.dll'
- '\urlmon.dll'
- '\vdsutil.dll'
- '\version.dll'
- '\winbio.dll'
- '\windows.ui.immersive.dll'
- '\winscard.dll'
- '\winsync.dll'
- '\wscapi.dll'
- '\wsmsvc.dll'
filter_generic:
ImageLoaded|startswith:
- 'C:\Windows\System32\'
@@ -367,6 +421,9 @@ detection:
User|contains: # covers many language settings
- 'AUTHORI'
- 'AUTORI'
filter_appvpolicy:
ImageLoaded: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll
Image: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe
condition: selection and not 1 of filter_*
falsepositives:
- Legitimate applications loading their own versions of the DLLs mentioned in this rule
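Review bot: `filter_appvpolicy` is exact-match, which is good, but it only lists the 64-bit `C:\Program Files\` path; if a 32-bit Office install places Click-to-Run under `C:\Program Files (x86)\`, add that path too. Also quote the two values like the rest of the file for consistency; the unquoted plain scalars parse correctly, but mixed styles invite a bad edit later.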
@@ -6,7 +6,7 @@ author: Roberto Rodriguez @Cyb3rWard0g
references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
date: 2019/09/12
modified: 2022/08/16
modified: 2022/08/24
logsource:
category: network_connection
product: windows
@@ -15,7 +15,7 @@ detection:
DestinationPort:
- 5985
- 5986
Initiated: true # only matches of the initiating system can be evaluated
Initiated: 'true' # only matches of the initiating system can be evaluated
filter:
- User|contains: # covers many language settings for Network Service, please expand
- 'NETWORK SERVICE'
@@ -0,0 +1,24 @@
title: Disable Powershell Command History
id: 602f5669-6927-4688-84db-0d4b7afb2150
status: experimental
description: Detects scripts or commands that disabled the Powershell command history by removing psreadline module
references:
- https://twitter.com/DissectMalware/status/1062879286749773824
author: Ali Alwashali
date: 2022/08/21
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
detection:
selection:
ScriptBlockText|contains|all:
- Remove-Module
- psreadline
condition: selection
falsepositives:
- Legitimate script that disables the command history
level: high
tags:
- attack.defense_evasion
- attack.t1070.003
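Review bot: `contains|all` on `Remove-Module` and `psreadline` does not require the two to be adjacent, so a script block that imports PSReadLine and removes some unrelated module anywhere else also matches. Consider a single `contains` on `Remove-Module PSReadline` (with a variant allowing `-Name`) and add the other common way of achieving the same effect, `Set-PSReadLineOption -HistorySaveStyle SaveNothing`, as a second selection. Minor: "that disabled" should read "that disable".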
@@ -4,7 +4,7 @@ description: This rule looks for Windows Installer service (msiexec.exe) trying
status: experimental
author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
date: 2020/10/13
modified: 2022/02/18
modified: 2022/08/25
references:
- https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg
tags:
@@ -32,11 +32,20 @@ detection:
filter_repair:
- CommandLine|endswith: '\system32\msiexec.exe /V' # ignore "repair option"
- ParentCommandLine|endswith: '\system32\msiexec.exe /V' # ignore "repair option"
filter_autoupdater:
ParentImage|startswith:
- 'C:\ProgramData\Sophos\'
- 'C:\ProgramData\Avira\'
- 'C:\Program Files\Avast Software\'
- 'C:\Program Files (x86)\Avast Software\'
- 'C:\Program Files\Google\Update\'
- 'C:\Program Files (x86)\Google\Update\'
condition: ( (image_1 and user) or (image_2 and user and integrity_level) ) and not 1 of filter*
fields:
- IntegrityLevel
- User
- Image
falsepositives:
- System administrator Usage
- System administrator usage
- Anti virus products
level: medium
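Review bot: two of the `filter_autoupdater` prefixes sit under `C:\ProgramData\`, where standard users can create directories by default. A bare `ParentImage|startswith` on `C:\ProgramData\Sophos\` or `C:\ProgramData\Avira\` is therefore an attacker-controllable exclusion on hosts where those products are not installed. Anchoring on the specific updater executable name (or the signed-image fields where available) keeps the exclusion tied to the product rather than to a path anyone can create.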
@@ -4,7 +4,7 @@ status: stable
description: Detects QBot like process executions
author: Florian Roth
date: 2019/10/01
modified: 2021/01/25
modified: 2022/08/24
tags:
- attack.execution
- attack.t1059.005
@@ -25,7 +25,7 @@ detection:
- 'regsvr32.exe'
- 'C:\ProgramData'
- '.tmp'
condition: selection1 or selection2 or selection3
condition: 1 of selection*
fields:
- CommandLine
- ParentCommandLine
@@ -0,0 +1,33 @@
title: New Network Provider - CommandLine
id: baef1ec6-2ca9-47a3-97cc-4cf2bda10b77
related:
- id: 0442defa-b4a2-41c9-ae2c-ea7042fc4701
type: similar
description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
author: Nasreddine Bencherchali
date: 2022/08/23
status: experimental
references:
- https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade
- https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- '\System\CurrentControlSet\Services\'
- '\NetworkProvider'
filter:
CommandLine|contains:
- '\System\CurrentControlSet\Services\WebClient\NetworkProvider'
- '\System\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider'
- '\System\CurrentControlSet\Services\RDPNP\NetworkProvider'
#- '\System\CurrentControlSet\Services\P9NP\NetworkProvider' # Related to WSL remove the comment if you use WSL in your ENV
condition: selection and not filter
falsepositives:
- Other legitimate network providers used and not filtred in this rule
level: high
tags:
- attack.credential_access
- attack.t1003
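Review bot: the `CommandLine|contains|all` pair only matches the `CurrentControlSet` spelling; `reg add HKLM\SYSTEM\ControlSet001\Services\...` lands in the same key and bypasses the rule, so add the `ControlSet00` variant. The technique also requires the provider name to be appended to `HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\ProviderOrder`, which contains no `\Services\` and is not covered; a second selection on that value is a cheap catch-all. Typo: "filtred".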
@@ -4,28 +4,30 @@ status: experimental
description: This rule detects suspicious processes with parent images located in the C:\Users\Public folder
author: Florian Roth
references:
- https://redcanary.com/blog/blackbyte-ransomware/
- https://redcanary.com/blog/blackbyte-ransomware/
date: 2022/02/25
logsource:
category: process_creation
product: windows
category: process_creation
product: windows
detection:
selection:
ParentImage|startswith: 'C:\Users\Public\'
CommandLine|contains:
- 'powershell'
- 'cmd.exe /c '
- 'cmd /c '
- 'wscript.exe'
- 'cscript.exe'
- 'bitsadmin'
- 'certutil'
- 'mshta.exe'
condition: selection
selection:
ParentImage|startswith: 'C:\Users\Public\'
CommandLine|contains:
- 'powershell'
- 'cmd.exe /c '
- 'cmd.exe /k '
- 'cmd /c '
- 'cmd /k '
- 'wscript.exe'
- 'cscript.exe'
- 'bitsadmin'
- 'certutil'
- 'mshta.exe'
condition: selection
fields:
- ComputerName
- User
- CommandLine
- ComputerName
- User
- CommandLine
falsepositives:
- Unknown
- Unknown
level: high
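Review bot: the logic changed (`cmd.exe /k ` and `cmd /k ` were added) but the rule still has no `modified` field and the indentation rewrite hides the functional change in the diff. Add `modified: 2022/08/24` and, ideally, split whitespace-only reformatting from logic changes in future commits.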
@@ -1,7 +1,7 @@
title: DllRegisterServer Call From Non Rundll32
id: 2569ed8c-1147-498a-9b8c-2ad3656b10ed
status: stable
description: Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could that the 'rundll32' utility has been renamed in order to avoid detection
description: Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could mean that the 'rundll32' utility has been renamed in order to avoid detection
author: Nasreddine Bencherchali
references:
- https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20
@@ -4,29 +4,31 @@ status: experimental
description: Detects use of chcp to look up the system locale value as part of host discovery
author: '_pete_0, TheDFIRReport'
references:
- https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp
- https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp
date: 2022/02/21
modified: 2022/04/21
logsource:
category: process_creation
product: windows
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\cmd.exe'
ParentCommandLine|contains: ' /c '
Image|endswith: '\chcp.com'
CommandLine|endswith:
- 'chcp'
- 'chcp '
- 'chcp '
condition: selection
selection:
ParentImage|endswith: '\cmd.exe'
ParentCommandLine|contains:
- ' /c '
- ' /k '
Image|endswith: '\chcp.com'
CommandLine|endswith:
- 'chcp'
- 'chcp '
- 'chcp '
condition: selection
fields:
- CommandLine
- ParentCommandLine
- CommandLine
- ParentCommandLine
falsepositives:
- Unknown
- Unknown
level: high
tags:
- attack.discovery
- attack.t1614.001
- attack.discovery
- attack.t1614.001
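Review bot: same issue as the previous rule: `' /k '` was added to `ParentCommandLine|contains` but `modified` stays at `2022/04/21`. Also, the last two `CommandLine|endswith` entries render identically as `'chcp '`; if they differ only in whitespace (tab, non-breaking space), add a comment saying which, otherwise one is a duplicate.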
@@ -1,29 +1,32 @@
title: Suspicious Del in CommandLine
id: 204b17ae-4007-471b-917b-b917b315c5db
status: experimental
description: suspicious command line to remove exe or dll
description: Detects suspicious command line to remove and 'exe' or 'dll'
author: frack113
date: 2021/12/02
modified: 2022/08/24
references:
- https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D
tags:
- attack.defense_evasion
- attack.t1070.004
- attack.t1070.004
logsource:
category: process_creation
product: windows
detection:
susp_del_exe:
CommandLine|contains|all:
- 'del *.exe'
- 'del '
- '\*.exe'
- '/f '
- '/q '
susp_del_dll:
CommandLine|contains|all:
- 'del *.dll'
# Example: cmd.exe (PID: 1044 cmdline: 'C:\Windows\System32\cmd.exe' /c taskkill /im A8D4.exe /f & timeout /t 6 & del /f /q 'C:\Users\user~1\AppData\Local\Temp\A8D4.exe' & del C:\ProgramData\*.dll & exit
- 'del '
- '\*.dll'
- 'C:\ProgramData\'
condition: susp_del_exe or susp_del_dll
#cmd.exe (PID: 1044 cmdline: 'C:\Windows\System32\cmd.exe' /c taskkill /im A8D4.exe /f & timeout /t 6 & del /f /q 'C:\Users\user~1\AppData\Local\Temp\A8D4.exe' & del C:\ProgramData\*.dll & exit
falsepositives:
- Unknown
level: medium
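Review bot: the rewrite of `susp_del_exe` narrows detection in a way the description does not reflect: it now requires `\*.exe` (with a leading backslash) plus both `/f ` and `/q `, so a plain `del *.exe` in the current directory, which the old rule caught, no longer matches. Note too that the sample command line in the comment (`del /f /q 'C:\Users\...\A8D4.exe'`) deletes a named file, not `*.exe`, so only `susp_del_dll` matches the referenced sample; either loosen `susp_del_exe` or cite an example that it actually matches.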
@@ -8,7 +8,7 @@ references:
- https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
author: Florian Roth
date: 2021/11/23
modified: 2022/07/21
modified: 2022/08/24
logsource:
category: process_creation
product: windows
@@ -20,10 +20,11 @@ detection:
- 'PAExec'
- 'accepteula'
- 'cmd /c '
- 'cmd /k '
condition: selection
falsepositives:
- Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare)
level: high
tags:
- attack.develop_capabilities
- attack.t1587.001
- attack.resource_development
- attack.t1587.001
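Review bot: fixing the tactic tag to `attack.resource_development` is correct, but the technique `attack.t1587.001` (Develop Capabilities: Malware) still does not describe PsExec/PAExec use. Running a process as SYSTEM through these tools is T1569.002 (System Services: Service Execution), and T1078 or T1548 fits the escalation aspect better than a resource-development technique.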
@@ -13,6 +13,7 @@ tags:
- attack.t1053.005
author: Nasreddine Bencherchali
date: 2022/07/28
modified: 2022/08/24
logsource:
product: windows
category: process_creation
@@ -42,7 +43,9 @@ detection:
- 'regsvr32'
- 'rundll32'
- 'cmd /c '
- 'cmd /k '
- 'cmd.exe /c '
- 'cmd.exe /k '
- 'powershell'
- 'mshta'
- 'wscript'
@@ -9,6 +9,7 @@ tags:
- attack.t1053.005
author: Florian Roth
date: 2022/04/15
modified: 2022/08/24
logsource:
product: windows
category: process_creation
@@ -20,12 +21,14 @@ detection:
CommandLine|contains:
- 'powershell'
- 'cmd /c '
- 'cmd /k '
- 'cmd.exe /c '
selection1_all_folders:
- 'cmd.exe /k '
selection_all_folders:
CommandLine|contains:
- 'C:\ProgramData\'
- '%ProgramData%'
condition: all of selection*
condition: all of selection_*
falsepositives:
- Unknown
level: high
@@ -7,7 +7,7 @@ references:
- https://thedfirreport.com/2020/10/08/ryuks-return/
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
date: 2020/10/12
modified: 2022/08/09
modified: 2022/08/24
logsource:
category: process_creation
product: windows
@@ -23,6 +23,7 @@ detection:
- 'bitsadmin'
- 'regsvr32'
- 'cmd.exe /c '
- 'cmd.exe /k '
- 'powershell'
- 'pwsh'
- 'certutil'
@@ -0,0 +1,52 @@
title: Usage of Suspicious Sysinternals Tools
id: f50f3c09-557d-492d-81db-9064a8d4e211
related:
- id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
type: derived
status: experimental
description: Detects the of the "accepteula" key related to sysinternals tools being created from non sysinternals tools
references:
- Internal Research
date: 2022/08/24
author: Nasreddine Bencherchali
logsource:
product: windows
category: registry_add
detection:
selection:
EventType: CreateKey
TargetObject|contains:
- '\PsExec'
- '\ProcDump'
- '\Handle'
- '\LiveKd'
- '\Process Explorer'
- '\PsLoglist'
- '\PsPasswd'
- '\Active Directory Explorer'
TargetObject|endswith: '\EulaAccepted'
filter:
Image|endswith:
- '\PsExec.exe'
- '\PsExec64.exe'
- '\procdump.exe'
- '\procdump64.exe'
- '\handle.exe'
- '\handle64.exe'
- '\livekd.exe'
- '\livekd64.exe'
- '\procexp.exe'
- '\procexp64.exe'
- '\psloglist.exe'
- '\psloglist64.exe'
- '\pspasswd.exe'
- '\pspasswd64.exe'
- '\ADExplorer.exe'
- '\ADExplorer64.exe'
condition: selection and not filter
falsepositives:
- Unlikely
level: high
tags:
- attack.resource_development
- attack.t1588.002
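Review bot: the `EventType: CreateKey` + `TargetObject|endswith: '\EulaAccepted'` combination needs checking against a real Sysmon event. When a Sysinternals tool accepts the EULA it creates the key `...\Software\Sysinternals\PsExec` (event 12, CreateKey, TargetObject ends in `\PsExec`) and then sets the DWORD value (event 13, SetValue, TargetObject ends in `\EulaAccepted`); if that holds, this selection never matches and the rule should use `registry_set`/`SetValue` instead. The description is also garbled ("Detects the of the"), and the title is identical to the next rule; give this one a distinct title such as "... From Non-Sysinternals Image".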
@@ -0,0 +1,35 @@
title: Usage of Suspicious Sysinternals Tools
id: c7da8edc-49ae-45a2-9e61-9fd860e4e73d
related:
- id: 25ffa65d-76d8-4da5-a832-3f2b0136e133
type: derived
status: experimental
description: Detects the usage of Suspicious Sysinternals Tools such as PsExec, Procdump...etc via the "accepteula" key being added to Registry
references:
- https://twitter.com/Moti_B/status/1008587936735035392
date: 2022/08/24
author: Nasreddine Bencherchali
logsource:
product: windows
category: registry_add
detection:
selection:
EventType: CreateKey
TargetObject|contains:
- '\PsExec'
- '\ProcDump'
- '\Handle'
- '\LiveKd'
- '\Process Explorer'
- '\PsLoglist'
- '\PsPasswd'
- '\Active Directory Explorer'
- '\Sysinternals' # Global level https://twitter.com/leonzandman/status/1561736801953382400
TargetObject|endswith: '\EulaAccepted'
condition: selection
falsepositives:
- Legitimate use of SysInternals tools
level: medium
tags:
- attack.resource_development
- attack.t1588.002
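Review bot: same `CreateKey` vs `\EulaAccepted` concern as the previous rule applies to `selection` here; the parent rule 25ffa65d works because it does not restrict the event type. The added `'\Sysinternals'` entry together with `endswith '\EulaAccepted'` also matches the global `HKCU\Software\Sysinternals\EulaAccepted`, which is what the linked tweet describes, so the filter-less variant overlaps almost completely with the parent; state the intended difference in the description or merge the two.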
@@ -20,5 +20,5 @@ falsepositives:
- Programs that use the same Registry Key
level: low
tags:
- attack.resource_development
- attack.t1588.002
- attack.resource_development
- attack.t1588.002
@@ -15,7 +15,7 @@ logsource:
category: registry_event
product: windows
detection:
selection:
selection:
TargetObject|contains: '\SYSTEM\CurrentControlSet\services\null\Instance'
condition: selection
falsepositives:
@@ -10,6 +10,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md
- https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
- https://persistence-info.github.io/Data/userinitmprlogonscript.html # UserInitMprLogonScript
date: 2019/10/25
modified: 2022/04/04
logsource:
@@ -4,7 +4,7 @@ status: experimental
description: Detects disabling the CrashDump per registry (as used by HermeticWiper)
author: Tobias Michalski
date: 2022/02/24
modified: 2022/03/26
modified: 2022/08/23
references:
- https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/
logsource:
@@ -12,6 +12,7 @@ logsource:
category: registry_set
detection:
selection:
EventType: SetValue
TargetObject|contains: 'SYSTEM\CurrentControlSet\Control\CrashControl'
Details: 'DWORD (0x00000000)'
condition: selection
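Review bot: adding `EventType: SetValue` is right, but `TargetObject|contains: 'SYSTEM\CurrentControlSet\Control\CrashControl'` with `Details: 'DWORD (0x00000000)'` matches any value under that key being set to zero (for example `AutoReboot`), not only the crash-dump switch. HermeticWiper sets `CrashDumpEnabled` to 0, so `TargetObject|endswith: '\CrashControl\CrashDumpEnabled'` would cut the noise while keeping the behaviour described.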
@@ -4,7 +4,7 @@ status: experimental
description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum
author: Sittikorn S, frack113
date: 2021/07/16
modified: 2022/06/29
modified: 2022/08/23
references:
- https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/
- https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/
@@ -17,9 +17,10 @@ tags:
# - threat_group.Sourgum
logsource:
product: windows
category: registry_event
category: registry_set
detection:
selection:
EventType: SetValue
TargetObject|endswith:
- CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32\(Default)
- CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\(Default)
@@ -3,7 +3,7 @@ id: 2f78da12-f7c7-430b-8b19-a28f269b77a3
description: Detects tempering with the "Enabled" registry key in order to disable windows logging of a windows event channel
author: frack113, Nasreddine Bencherchali
date: 2022/07/04
modified: 2022/08/10
modified: 2022/08/26
status: experimental
references:
- https://twitter.com/WhichbufferArda/status/1543900539280293889
@@ -22,9 +22,11 @@ detection:
filter_iis:
Image|startswith: 'C:\Windows\winsxs\'
Image|endswith: '\TiWorker.exe' # many different TargetObjects
filter_fsmfd:
filter_svchost:
Image: 'C:\Windows\System32\svchost.exe'
TargetObject|contains: '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-FileInfoMinifilter'
TargetObject|contains:
- '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-FileInfoMinifilter'
- '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-ASN1\'
condition: selection and not 1 of filter*
falsepositives:
- Legitimate administrators disabling specific event log for troubleshooting
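Review bot: renaming `filter_fsmfd` to `filter_svchost` is fine, but the neighbouring `filter_iis` still carries an unrelated name for a TiWorker.exe exclusion; since the filters are being touched anyway, rename it too. The new svchost exclusion is correctly scoped to the two channel paths rather than to all of `\WINEVT\Channels\`.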
@@ -6,7 +6,7 @@ description: Detects the installation of a plugin DLL via ServerLevelPluginDll p
references:
- https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83
date: 2017/05/08
modified: 2021/09/12
modified: 2022/08/23
author: Florian Roth
tags:
- attack.defense_evasion
@@ -14,9 +14,10 @@ tags:
- attack.t1112
logsource:
product: windows
category: registry_event
category: registry_set
detection:
selection:
EventType: SetValue
TargetObject|endswith: '\services\DNS\Parameters\ServerLevelPluginDll'
condition: selection
fields:
@@ -0,0 +1,34 @@
title: New Network Provider - Registry
id: 0442defa-b4a2-41c9-ae2c-ea7042fc4701
related:
- id: baef1ec6-2ca9-47a3-97cc-4cf2bda10b77
type: similar
description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it
author: Nasreddine Bencherchali
date: 2022/08/23
status: experimental
references:
- https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade
- https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy
logsource:
category: registry_set
product: windows
detection:
selection:
EventType: SetValue
TargetObject|contains|all:
- '\System\CurrentControlSet\Services\'
- '\NetworkProvider'
filter:
TargetObject|contains:
- '\System\CurrentControlSet\Services\WebClient\NetworkProvider'
- '\System\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider'
- '\System\CurrentControlSet\Services\RDPNP\NetworkProvider'
#- '\System\CurrentControlSet\Services\P9NP\NetworkProvider' # Related to WSL remove the comment if you use WSL in your ENV
condition: selection and not filter
falsepositives:
- Other legitimate network providers used and not filtred in this rule
level: high
tags:
- attack.credential_access
- attack.t1003
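Review bot: as with the command-line twin, `selection` only sees the provider key under `\Services\`. The mandatory second step of the technique, appending the provider name to `HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\ProviderOrder`, is a single well-known value and a stronger signal; add it as a second selection. Typo: "filtred".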
@@ -6,6 +6,7 @@ author: Nasreddine Bencherchali
date: 2022/08/10
references:
- https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/
- https://persistence-info.github.io/Data/autodialdll.html
logsource:
category: registry_set
product: windows
@@ -3,7 +3,7 @@ id: 4720b7df-40c3-48fd-bbdf-fd4b3c464f0d
description: Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious
status: experimental
date: 2021/06/18
modified: 2022/08/11
modified: 2022/08/24
references:
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- https://labs.f-secure.com/blog/scheduled-task-tampering/
@@ -33,6 +33,8 @@ detection:
Image:
- 'C:\Program Files\Microsoft Office\root\Integration\Integrator.exe'
- 'C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe'
filter_msiexec:
Image: 'C:\Windows\System32\msiexec.exe'
condition: selection and not 1 of filter*
falsepositives:
- Unknown
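Review bot: `filter_msiexec` excludes the Windows Installer service entirely. An MSI custom action can register a scheduled task, so a malicious package run by an administrator now registers tasks without triggering the rule. If the goal is to suppress routine installer noise, pair the image with the task path or the parent package where the log source allows, or document the trade-off in the false-positive section.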