diff --git a/rules/cloud/azure/azure_application_gateway_modified_or_deleted.yml b/rules/cloud/azure/azure_application_gateway_modified_or_deleted.yml index dab3bf97c..8b62ecf56 100644 --- a/rules/cloud/azure/azure_application_gateway_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_application_gateway_modified_or_deleted.yml 
@@ -1,24 +1,25 @@ title: Azure Application Gateway Modified or Deleted id: ad87d14e-7599-4633-ba81-aeb60cfe8cd6 -description: Identifies when a application gateway is modified or deleted. -author: Austin Songer status: experimental -date: 2021/08/16 +description: Identifies when a application gateway is modified or deleted. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +author: Austin Songer +date: 2021/08/16 +modified: 2022/08/23 logsource: product: azure service: activitylogs detection: - selection: - properties.message: - - MICROSOFT.NETWORK/APPLICATIONGATEWAYS/WRITE - - MICROSOFT.NETWORK/APPLICATIONGATEWAYS/DELETE - condition: selection -level: medium -tags: - - attack.impact + selection: + operationName: + - MICROSOFT.NETWORK/APPLICATIONGATEWAYS/WRITE + - MICROSOFT.NETWORK/APPLICATIONGATEWAYS/DELETE + condition: selection falsepositives: - - Application gateway being modified or deleted may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Application gateway modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Application gateway being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Application gateway modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +tags: + - attack.impact +level: medium 
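Review bot: the description line this hunk rewrites still reads `description: Identifies when a application gateway is modified or deleted.`; since it is already emitted as a `+` line, change the article to `an application gateway` here (the Application Security Group rule below carries the same `a application` wording and can be fixed the same way). The rename of the match field from `properties.message` to `operationName`, the move of `author`/`date` below `references`, and the added `modified: 2022/08/23` are consistent with the other rules in this patch.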
diff --git a/rules/cloud/azure/azure_application_security_group_modified_or_deleted.yml b/rules/cloud/azure/azure_application_security_group_modified_or_deleted.yml index a770842d0..bcbfa9edb 100644 --- a/rules/cloud/azure/azure_application_security_group_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_application_security_group_modified_or_deleted.yml 
@@ -1,24 +1,25 @@ title: Azure Application Security Group Modified or Deleted id: 835747f1-9329-40b5-9cc3-97d465754ce6 -description: Identifies when a application security group is modified or deleted. -author: Austin Songer status: experimental -date: 2021/08/16 +description: Identifies when a application security group is modified or deleted. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +author: Austin Songer +date: 2021/08/16 +modified: 2022/08/23 logsource: product: azure service: activitylogs detection: - selection: - properties.message: - - MICROSOFT.NETWORK/APPLICATIONSECURITYGROUPS/WRITE - - MICROSOFT.NETWORK/APPLICATIONSECURITYGROUPS/DELETE - condition: selection -level: medium -tags: - - attack.impact + selection: + operationName: + - MICROSOFT.NETWORK/APPLICATIONSECURITYGROUPS/WRITE + - MICROSOFT.NETWORK/APPLICATIONSECURITYGROUPS/DELETE + condition: selection falsepositives: - - Application security group being modified or deleted may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Application security group modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Application security group being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Application security group modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +tags: + - attack.impact +level: medium 
diff --git a/rules/cloud/azure/azure_container_registry_created_or_deleted.yml b/rules/cloud/azure/azure_container_registry_created_or_deleted.yml index b394ce894..9e5c19e72 100644 --- a/rules/cloud/azure/azure_container_registry_created_or_deleted.yml +++ b/rules/cloud/azure/azure_container_registry_created_or_deleted.yml 
@@ -1,27 +1,28 @@ title: Azure Container Registry Created or Deleted id: 93e0ef48-37c8-49ed-a02c-038aab23628e -description: Detects when a Container Registry is created or deleted. -author: Austin Songer @austinsonger status: experimental -date: 2021/08/07 +description: Detects when a Container Registry is created or deleted. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes - - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ - - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ - - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 - - https://attack.mitre.org/matrices/enterprise/cloud/ + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ + - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ + - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 + - https://attack.mitre.org/matrices/enterprise/cloud/ +author: Austin Songer @austinsonger +date: 2021/08/07 +modified: 2022/08/23 logsource: product: azure service: activitylogs detection: - selection: - properties.message: - - MICROSOFT.CONTAINERREGISTRY/REGISTRIES/WRITE - - MICROSOFT.CONTAINERREGISTRY/REGISTRIES/DELETE - condition: selection -level: low -tags: - - attack.impact + selection: + operationName: + - MICROSOFT.CONTAINERREGISTRY/REGISTRIES/WRITE + - MICROSOFT.CONTAINERREGISTRY/REGISTRIES/DELETE + condition: selection falsepositives: - - Container Registry being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
- - Container Registry created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Container Registry being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Container Registry created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +tags: + - attack.impact +level: low diff --git a/rules/cloud/azure/azure_dns_zone_modified_or_deleted.yml b/rules/cloud/azure/azure_dns_zone_modified_or_deleted.yml index 80d55642b..ba6de103b 100644 --- a/rules/cloud/azure/azure_dns_zone_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_dns_zone_modified_or_deleted.yml 
@@ -1,24 +1,25 @@ title: Azure DNS Zone Modified or Deleted id: af6925b0-8826-47f1-9324-337507a0babd -description: Identifies when DNS zone is modified or deleted. -author: Austin Songer @austinsonger status: experimental -date: 2021/08/08 +description: Identifies when DNS zone is modified or deleted. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes +author: Austin Songer @austinsonger +date: 2021/08/08 +modified: 2022/08/23 logsource: product: azure service: activitylogs detection: - selection: - properties.message|startswith: MICROSOFT.NETWORK/DNSZONES - properties.message|endswith: - - /WRITE - - /DELETE - condition: selection -level: medium -tags: - - attack.impact + selection: + operationName|startswith: MICROSOFT.NETWORK/DNSZONES + operationName|endswith: + - /WRITE + - /DELETE + condition: selection falsepositives: - - DNS zone modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - DNS zone modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - DNS zone modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - DNS zone modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +tags: + - attack.impact +level: medium diff --git a/rules/cloud/azure/azure_firewall_modified_or_deleted.yml b/rules/cloud/azure/azure_firewall_modified_or_deleted.yml index 2d09758ae..55e14f6c8 100644 --- a/rules/cloud/azure/azure_firewall_modified_or_deleted.yml 
+++ b/rules/cloud/azure/azure_firewall_modified_or_deleted.yml @@ -1,23 +1,24 @@ title: Azure Firewall Modified or Deleted id: 512cf937-ea9b-4332-939c-4c2c94baadcd -description: Identifies when a firewall is created, modified, or deleted. -author: Austin Songer @austinsonger status: experimental -date: 2021/08/08 +description: Identifies when a firewall is created, modified, or deleted. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +author: Austin Songer @austinsonger +date: 2021/08/08 +modified: 2022/08/23 logsource: product: azure service: activitylogs detection: - selection: - properties.message: - - MICROSOFT.NETWORK/AZUREFIREWALLS/WRITE - - MICROSOFT.NETWORK/AZUREFIREWALLS/DELETE - condition: selection -level: medium -tags: - - attack.impact + selection: + operationName: + - MICROSOFT.NETWORK/AZUREFIREWALLS/WRITE + - MICROSOFT.NETWORK/AZUREFIREWALLS/DELETE + condition: selection falsepositives: - - Firewall being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Firewall modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Firewall being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Firewall modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +tags: + - attack.impact +level: medium 
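Review bot: the title `Azure Firewall Modified or Deleted` and the rewritten description `Identifies when a firewall is created, modified, or deleted.` disagree on whether creation is in scope; `MICROSOFT.NETWORK/AZUREFIREWALLS/WRITE` fires on create as well as update, so either add "Created" to the title or drop "created" from the description so the two agree, and then align the falsepositives wording (`Firewall being modified or deleted ...`) with whichever is chosen.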
diff --git a/rules/cloud/azure/azure_firewall_rule_collection_modified_or_deleted.yml b/rules/cloud/azure/azure_firewall_rule_collection_modified_or_deleted.yml index 30281498e..663451b18 100644 --- a/rules/cloud/azure/azure_firewall_rule_collection_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_firewall_rule_collection_modified_or_deleted.yml 
@@ -1,27 +1,28 @@ title: Azure Firewall Rule Collection Modified or Deleted id: 025c9fe7-db72-49f9-af0d-31341dd7dd57 -description: Identifies when Rule Collections (Application, NAT, and Network) is being modified or deleted. -author: Austin Songer @austinsonger status: experimental -date: 2021/08/08 +description: Identifies when Rule Collections (Application, NAT, and Network) is being modified or deleted. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +author: Austin Songer @austinsonger +date: 2021/08/08 +modified: 2022/08/23 logsource: product: azure service: activitylogs detection: - selection: - properties.message: - - MICROSOFT.NETWORK/AZUREFIREWALLS/APPLICATIONRULECOLLECTIONS/WRITE - - MICROSOFT.NETWORK/AZUREFIREWALLS/APPLICATIONRULECOLLECTIONS/DELETE - - MICROSOFT.NETWORK/AZUREFIREWALLS/NATRULECOLLECTIONS/WRITE - - MICROSOFT.NETWORK/AZUREFIREWALLS/NATRULECOLLECTIONS/DELETE - - MICROSOFT.NETWORK/AZUREFIREWALLS/NETWORKRULECOLLECTIONS/WRITE - - MICROSOFT.NETWORK/AZUREFIREWALLS/NETWORKRULECOLLECTIONS/DELETE - condition: selection -level: medium -tags: - - attack.impact + selection: + operationName: + - MICROSOFT.NETWORK/AZUREFIREWALLS/APPLICATIONRULECOLLECTIONS/WRITE + - MICROSOFT.NETWORK/AZUREFIREWALLS/APPLICATIONRULECOLLECTIONS/DELETE + - MICROSOFT.NETWORK/AZUREFIREWALLS/NATRULECOLLECTIONS/WRITE + - MICROSOFT.NETWORK/AZUREFIREWALLS/NATRULECOLLECTIONS/DELETE + - MICROSOFT.NETWORK/AZUREFIREWALLS/NETWORKRULECOLLECTIONS/WRITE + - MICROSOFT.NETWORK/AZUREFIREWALLS/NETWORKRULECOLLECTIONS/DELETE + condition: selection falsepositives: - - Rule Collections (Application, NAT, and Network) being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
- - Rule Collections (Application, NAT, and Network) modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Rule Collections (Application, NAT, and Network) being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Rule Collections (Application, NAT, and Network) modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +tags: + - attack.impact +level: medium diff --git a/rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml b/rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml index fe2af9ae7..1f01e1047 100644 --- a/rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml 
@@ -1,34 +1,35 @@ title: Azure Keyvault Key Modified or Deleted id: 80eeab92-0979-4152-942d-96749e11df40 -description: Identifies when a Keyvault Key is modified or deleted in Azure. -author: Austin Songer @austinsonger status: experimental -date: 2021/08/16 +description: Identifies when a Keyvault Key is modified or deleted in Azure. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +author: Austin Songer @austinsonger +date: 2021/08/16 +modified: 2022/08/23 logsource: product: azure service: activitylogs detection: - selection: - properties.message: - - MICROSOFT.KEYVAULT/VAULTS/KEYS/UPDATE/ACTION - - MICROSOFT.KEYVAULT/VAULTS/KEYS/CREATE - - MICROSOFT.KEYVAULT/VAULTS/KEYS/CREATE/ACTION - - MICROSOFT.KEYVAULT/VAULTS/KEYS/IMPORT/ACTION - - MICROSOFT.KEYVAULT/VAULTS/KEYS/RECOVER/ACTION - - MICROSOFT.KEYVAULT/VAULTS/KEYS/RESTORE/ACTION - - MICROSOFT.KEYVAULT/VAULTS/KEYS/DELETE - - MICROSOFT.KEYVAULT/VAULTS/KEYS/BACKUP/ACTION - - MICROSOFT.KEYVAULT/VAULTS/KEYS/PURGE/ACTION - condition: selection -level: medium -tags: - - attack.impact - - attack.credential_access - - attack.t1552 - - attack.t1552.001 + selection: + operationName: + - MICROSOFT.KEYVAULT/VAULTS/KEYS/UPDATE/ACTION + - MICROSOFT.KEYVAULT/VAULTS/KEYS/CREATE + - MICROSOFT.KEYVAULT/VAULTS/KEYS/CREATE/ACTION + - MICROSOFT.KEYVAULT/VAULTS/KEYS/IMPORT/ACTION + - MICROSOFT.KEYVAULT/VAULTS/KEYS/RECOVER/ACTION + - MICROSOFT.KEYVAULT/VAULTS/KEYS/RESTORE/ACTION + - MICROSOFT.KEYVAULT/VAULTS/KEYS/DELETE + - MICROSOFT.KEYVAULT/VAULTS/KEYS/BACKUP/ACTION + - MICROSOFT.KEYVAULT/VAULTS/KEYS/PURGE/ACTION + condition: selection falsepositives: - - Key being modified or deleted may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
- - Key modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Key being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Key modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +tags: + - attack.impact + - attack.credential_access + - attack.t1552 + - attack.t1552.001 +level: medium diff --git a/rules/cloud/azure/azure_keyvault_modified_or_deleted.yml b/rules/cloud/azure/azure_keyvault_modified_or_deleted.yml index cc596dcbf..12cd43471 100644 --- a/rules/cloud/azure/azure_keyvault_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_keyvault_modified_or_deleted.yml 
@@ -1,29 +1,30 @@ title: Azure Key Vault Modified or Deleted id: 459a2970-bb84-4e6a-a32e-ff0fbd99448d -description: Identifies when a key vault is modified or deleted. -author: Austin Songer @austinsonger status: experimental -date: 2021/08/16 +description: Identifies when a key vault is modified or deleted. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +author: Austin Songer @austinsonger +date: 2021/08/16 +modified: 2022/08/23 logsource: product: azure service: activitylogs detection: - selection: - properties.message: - - MICROSOFT.KEYVAULT/VAULTS/WRITE - - MICROSOFT.KEYVAULT/VAULTS/DELETE - - MICROSOFT.KEYVAULT/VAULTS/DEPLOY/ACTION - - MICROSOFT.KEYVAULT/VAULTS/ACCESSPOLICIES/WRITE - condition: selection -level: medium -tags: - - attack.impact - - attack.credential_access - - attack.t1552 - - attack.t1552.001 + selection: + operationName: + - MICROSOFT.KEYVAULT/VAULTS/WRITE + - MICROSOFT.KEYVAULT/VAULTS/DELETE + - MICROSOFT.KEYVAULT/VAULTS/DEPLOY/ACTION + - MICROSOFT.KEYVAULT/VAULTS/ACCESSPOLICIES/WRITE + condition: selection falsepositives: - - Key Vault being modified or deleted may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Key Vault modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Key Vault being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Key Vault modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. 
+tags: + - attack.impact + - attack.credential_access + - attack.t1552 + - attack.t1552.001 +level: medium diff --git a/rules/cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml b/rules/cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml index 53f85064a..eea6c9415 100644 --- a/rules/cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml 
@@ -1,33 +1,34 @@ title: Azure Keyvault Secrets Modified or Deleted id: b831353c-1971-477b-abb6-2828edc3bca1 -description: Identifies when secrets are modified or deleted in Azure. -author: Austin Songer @austinsonger status: experimental -date: 2021/08/16 +description: Identifies when secrets are modified or deleted in Azure. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +author: Austin Songer @austinsonger +date: 2021/08/16 +modified: 2022/08/23 logsource: product: azure service: activitylogs detection: - selection: - properties.message: - - MICROSOFT.KEYVAULT/VAULTS/SECRETS/WRITE - - MICROSOFT.KEYVAULT/VAULTS/SECRETS/DELETE - - MICROSOFT.KEYVAULT/VAULTS/SECRETS/BACKUP/ACTION - - MICROSOFT.KEYVAULT/VAULTS/SECRETS/PURGE/ACTION - - MICROSOFT.KEYVAULT/VAULTS/SECRETS/UPDATE/ACTION - - MICROSOFT.KEYVAULT/VAULTS/SECRETS/RECOVER/ACTION - - MICROSOFT.KEYVAULT/VAULTS/SECRETS/RESTORE/ACTION - - MICROSOFT.KEYVAULT/VAULTS/SECRETS/SETSECRET/ACTION - condition: selection -level: medium -tags: - - attack.impact - - attack.credential_access - - attack.t1552 - - attack.t1552.001 + selection: + operationName: + - MICROSOFT.KEYVAULT/VAULTS/SECRETS/WRITE + - MICROSOFT.KEYVAULT/VAULTS/SECRETS/DELETE + - MICROSOFT.KEYVAULT/VAULTS/SECRETS/BACKUP/ACTION + - MICROSOFT.KEYVAULT/VAULTS/SECRETS/PURGE/ACTION + - MICROSOFT.KEYVAULT/VAULTS/SECRETS/UPDATE/ACTION + - MICROSOFT.KEYVAULT/VAULTS/SECRETS/RECOVER/ACTION + - MICROSOFT.KEYVAULT/VAULTS/SECRETS/RESTORE/ACTION + - MICROSOFT.KEYVAULT/VAULTS/SECRETS/SETSECRET/ACTION + condition: selection falsepositives: - - Secrets being modified or deleted may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Secrets modified or deleted from unfamiliar users should be investigated. 
If known behavior is causing false positives, it can be exempted from the rule. + - Secrets being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +tags: + - attack.impact + - attack.credential_access + - attack.t1552 + - attack.t1552.001 +level: medium diff --git a/rules/cloud/azure/azure_kubernetes_admission_controller.yml b/rules/cloud/azure/azure_kubernetes_admission_controller.yml index 3e2dbbbae..9ea9e0829 100644 --- a/rules/cloud/azure/azure_kubernetes_admission_controller.yml +++ b/rules/cloud/azure/azure_kubernetes_admission_controller.yml 
@@ -1,34 +1,34 @@ title: Azure Kubernetes Admission Controller id: a61a3c56-4ce2-4351-a079-88ae4cbd2b58 -description: Identifies when an admission controller is executed in Azure Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information. -author: Austin Songer @austinsonger status: experimental -date: 2021/11/25 -modified: 2021/11/26 +description: Identifies when an admission controller is executed in Azure Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information. 
references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes +author: Austin Songer @austinsonger +date: 2021/11/25 +modified: 2022/08/23 logsource: product: azure service: activitylogs detection: - selection1: - properties.message|startswith: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO - properties.message|endswith: - - /MUTATINGWEBHOOKCONFIGURATIONS/WRITE - - /VALIDATINGWEBHOOKCONFIGURATIONS/WRITE - selection2: - properties.message|startswith: MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO - properties.message|endswith: - - /MUTATINGWEBHOOKCONFIGURATIONS/WRITE - - /VALIDATINGWEBHOOKCONFIGURATIONS/WRITE - condition: selection1 or selection2 -level: medium -tags: - - attack.persistence - - attack.t1078 - - attack.credential_access - - attack.t1552 - - attack.t1552.007 + selection1: + operationName|startswith: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO + operationName|endswith: + - /MUTATINGWEBHOOKCONFIGURATIONS/WRITE + - /VALIDATINGWEBHOOKCONFIGURATIONS/WRITE + selection2: + operationName|startswith: MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO + operationName|endswith: + - /MUTATINGWEBHOOKCONFIGURATIONS/WRITE + - /VALIDATINGWEBHOOKCONFIGURATIONS/WRITE + condition: selection1 or selection2 falsepositives: -- Azure Kubernetes Admissions Controller may be done by a system administrator. -- If known behavior is causing false positives, it can be exempted from the rule. + - Azure Kubernetes Admissions Controller may be done by a system administrator. + - If known behavior is causing false positives, it can be exempted from the rule. +tags: + - attack.persistence + - attack.t1078 + - attack.credential_access + - attack.t1552 + - attack.t1552.007 +level: medium 
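Review bot: the first falsepositives entry, `Azure Kubernetes Admissions Controller may be done by a system administrator.`, names no action; since the line is rewritten in this hunk anyway, state what is benign, e.g. `Creating or updating MutatingWebhookConfiguration or ValidatingWebhookConfiguration objects may be done by a system administrator.` The description also repeats itself in its last two sentences (`An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.`); one sentence covering interception of API-server requests and recording of secrets is enough. The two selections correctly pair the `MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS` and `MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS` prefixes, which is the pattern the other Kubernetes rules in this patch should follow.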
diff --git a/rules/cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml b/rules/cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml index 6af9fe8ac..a23b6ea42 100644 --- a/rules/cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml +++ b/rules/cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml 
@@ -1,28 +1,28 @@ title: Azure Kubernetes Cluster Created or Deleted id: 9541f321-7cba-4b43-80fc-fbd1fb922808 -description: Detects when a Azure Kubernetes Cluster is created or deleted. -author: Austin Songer @austinsonger status: experimental -date: 2021/08/07 +description: Detects when a Azure Kubernetes Cluster is created or deleted. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes - - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ - - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ - - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 - - https://attack.mitre.org/matrices/enterprise/cloud/ + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ + - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ + - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 + - https://attack.mitre.org/matrices/enterprise/cloud/ +author: Austin Songer @austinsonger +date: 2021/08/07 +modified: 2022/08/23 logsource: product: azure service: activitylogs detection: - selection: - properties.message: - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/WRITE - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/DELETE - condition: selection -level: low -tags: - - attack.impact + selection: + operationName: + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/WRITE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/DELETE + condition: selection falsepositives: - - Kubernetes cluster being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
- - Kubernetes cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. - + - Kubernetes cluster being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Kubernetes cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +tags: + - attack.impact +level: low diff --git a/rules/cloud/azure/azure_kubernetes_cronjob.yml b/rules/cloud/azure/azure_kubernetes_cronjob.yml index 146f196aa..9ad66faa6 100644 --- a/rules/cloud/azure/azure_kubernetes_cronjob.yml +++ b/rules/cloud/azure/azure_kubernetes_cronjob.yml 
@@ -1,34 +1,35 @@ title: Azure Kubernetes CronJob id: 1c71e254-6655-42c1-b2d6-5e4718d7fc0a -description: Identifies when a Azure Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. An Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster. -author: Austin Songer @austinsonger status: experimental -date: 2021/11/22 +description: Identifies when a Azure Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. An Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster. 
references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes - - https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/ - - https://kubernetes.io/docs/concepts/workloads/controllers/job/ - - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/ + - https://kubernetes.io/docs/concepts/workloads/controllers/job/ + - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ +author: Austin Songer @austinsonger +date: 2021/11/22 +modified: 2022/08/23 logsource: - product: azure - service: activitylogs + product: azure + service: activitylogs detection: - selection1: - properties.message|startswith: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/BATCH - properties.message|endswith: - - /CRONJOBS/WRITE - - /JOBS/WRITE - selection2: - properties.message|startswith: MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/BATCH - properties.message|endswith: - - /CRONJOBS/WRITE - - /JOBS/WRITE - condition: selection1 or selection2 -level: medium -tags: - - attack.persistence - - attack.privilege_escalation - - attack.execution + selection1: + operationName|startswith: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/BATCH + operationName|endswith: + - /CRONJOBS/WRITE + - /JOBS/WRITE + selection2: + operationName|startswith: MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/BATCH + operationName|endswith: + - /CRONJOBS/WRITE + - /JOBS/WRITE + condition: selection1 or selection2 falsepositives: - - Azure Kubernetes CronJob/Job may be done by a system administrator. - - If known behavior is causing false positives, it can be exempted from the rule. + - Azure Kubernetes CronJob/Job may be done by a system administrator. + - If known behavior is causing false positives, it can be exempted from the rule. 
+tags: + - attack.persistence + - attack.privilege_escalation + - attack.execution +level: medium diff --git a/rules/cloud/azure/azure_kubernetes_events_deleted.yml b/rules/cloud/azure/azure_kubernetes_events_deleted.yml index 7c4aefd91..27501276e 100644 --- a/rules/cloud/azure/azure_kubernetes_events_deleted.yml +++ b/rules/cloud/azure/azure_kubernetes_events_deleted.yml 
@@ -1,24 +1,24 @@ title: Azure Kubernetes Events Deleted id: 225d8b09-e714-479c-a0e4-55e6f29adf35 -description: Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection. -author: Austin Songer @austinsonger status: experimental -date: 2021/07/24 +description: Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes - - https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml +author: Austin Songer @austinsonger +date: 2021/07/24 +modified: 2022/08/23 logsource: product: azure service: activitylogs detection: - selection_operation_name: - properties.message: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE - condition: selection_operation_name -level: medium -tags: - - attack.defense_evasion - - attack.t1562 - - attack.t1562.001 + selection: + operationName: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE + condition: selection falsepositives: -- Event deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Events deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. - + - Event deletions may be done by a system or network administrator. 
Verify whether the username, hostname, and/or resource name should be making changes in your environment. Events deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +tags: + - attack.defense_evasion + - attack.t1562 + - attack.t1562.001 +level: medium diff --git a/rules/cloud/azure/azure_kubernetes_network_policy_change.yml b/rules/cloud/azure/azure_kubernetes_network_policy_change.yml index e731c0d87..4c253a7da 100644 --- a/rules/cloud/azure/azure_kubernetes_network_policy_change.yml +++ b/rules/cloud/azure/azure_kubernetes_network_policy_change.yml 
@@ -1,30 +1,31 @@ title: Azure Kubernetes Network Policy Change id: 08d6ac24-c927-4469-b3b7-2e422d6e3c43 -description: Identifies when a Azure Kubernetes network policy is modified or deleted. -author: Austin Songer @austinsonger status: experimental -date: 2021/08/07 +description: Identifies when a Azure Kubernetes network policy is modified or deleted. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes - - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ - - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ - - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 - - https://attack.mitre.org/matrices/enterprise/cloud/ + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ + - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ + - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 + - https://attack.mitre.org/matrices/enterprise/cloud/ +author: Austin Songer @austinsonger +date: 2021/08/07 +modified: 2022/08/23 logsource: product: azure service: activitylogs detection: - selection: - properties.message: - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/WRITE - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/DELETE - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/WRITE - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/DELETE - condition: selection -level: medium -tags: - - attack.impact - - attack.credential_access + selection: + operationName: + - 
MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/WRITE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/DELETE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/WRITE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/DELETE + condition: selection falsepositives: - - Network Policy being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Network Policy being modified and deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Network Policy being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Network Policy being modified and deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +tags: + - attack.impact + - attack.credential_access +level: medium diff --git a/rules/cloud/azure/azure_kubernetes_pods_deleted.yml b/rules/cloud/azure/azure_kubernetes_pods_deleted.yml index ac7d0e1df..e73fb5a25 100644 --- a/rules/cloud/azure/azure_kubernetes_pods_deleted.yml +++ b/rules/cloud/azure/azure_kubernetes_pods_deleted.yml 
@@ -1,22 +1,23 @@ title: Azure Kubernetes Pods Deleted id: b02f9591-12c3-4965-986a-88028629b2e1 -description: Identifies the deletion of Azure Kubernetes Pods. -author: Austin Songer @austinsonger status: experimental -date: 2021/07/24 +description: Identifies the deletion of Azure Kubernetes Pods. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes - - https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml +author: Austin Songer @austinsonger +date: 2021/07/24 +modified: 2022/08/23 logsource: product: azure service: activitylogs detection: - selection_operation_name: - properties.message: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE - condition: selection_operation_name -level: medium -tags: - - attack.impact + selection: + operationName: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE + condition: selection falsepositives: -- Pods may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. -- Pods deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Pods may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Pods deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +tags: + - attack.impact +level: medium 
diff --git a/rules/cloud/azure/azure_kubernetes_role_access.yml b/rules/cloud/azure/azure_kubernetes_role_access.yml index b13335b6b..4b12ff466 100644 --- a/rules/cloud/azure/azure_kubernetes_role_access.yml +++ b/rules/cloud/azure/azure_kubernetes_role_access.yml 
@@ -1,33 +1,34 @@ title: Azure Kubernetes Sensitive Role Access id: 818fee0c-e0ec-4e45-824e-83e4817b0887 -description: Identifies when ClusterRoles/Roles are being modified or deleted. -author: Austin Songer @austinsonger status: experimental -date: 2021/08/07 +description: Identifies when ClusterRoles/Roles are being modified or deleted. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes - - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ - - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ - - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 - - https://attack.mitre.org/matrices/enterprise/cloud/ + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ + - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ + - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 + - https://attack.mitre.org/matrices/enterprise/cloud/ +author: Austin Songer @austinsonger +date: 2021/08/07 +modified: 2022/08/23 logsource: product: azure service: activitylogs detection: - selection: - properties.message: - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/WRITE - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/DELETE - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/BIND/ACTION - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/ESCALATE/ACTION - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/WRITE - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/DELETE - - 
MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/BIND/ACTION - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/ESCALATE/ACTION - condition: selection -level: medium -tags: - - attack.impact + selection: + operationName: + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/WRITE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/DELETE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/BIND/ACTION + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/ESCALATE/ACTION + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/WRITE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/DELETE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/BIND/ACTION + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/ESCALATE/ACTION + condition: selection falsepositives: - - ClusterRoles/Roles being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - ClusterRoles/Roles modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - ClusterRoles/Roles being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - ClusterRoles/Roles modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +tags: + - attack.impact +level: medium diff --git a/rules/cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml b/rules/cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml index 923169ffe..7ca8555b4 100644 
--- a/rules/cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml 
@@ -1,31 +1,31 @@ title: Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted id: 25cb259b-bbdc-4b87-98b7-90d7c72f8743 -description: Detects the creation or patching of potential malicious RoleBinding/ClusterRoleBinding. -author: Austin Songer @austinsonger status: experimental -date: 2021/08/07 +description: Detects the creation or patching of potential malicious RoleBinding/ClusterRoleBinding. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes - - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ - - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ - - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 - - https://attack.mitre.org/matrices/enterprise/cloud/ + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ + - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ + - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 + - https://attack.mitre.org/matrices/enterprise/cloud/ +author: Austin Songer @austinsonger +date: 2021/08/07 +modified: 2022/08/23 logsource: product: azure service: activitylogs detection: - selection: - properties.message: - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/DELETE - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/WRITE - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/DELETE - condition: selection -level: medium -tags: - - attack.impact - - 
attack.credential_access + selection: + operationName: + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/DELETE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/WRITE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/DELETE + condition: selection falsepositives: - - RoleBinding/ClusterRoleBinding being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - RoleBinding/ClusterRoleBinding modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. - + - RoleBinding/ClusterRoleBinding being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - RoleBinding/ClusterRoleBinding modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +tags: + - attack.impact + - attack.credential_access +level: medium diff --git a/rules/cloud/azure/azure_kubernetes_secret_or_config_object_access.yml b/rules/cloud/azure/azure_kubernetes_secret_or_config_object_access.yml index 3f24ab0ba..4da4dfa56 100644 --- a/rules/cloud/azure/azure_kubernetes_secret_or_config_object_access.yml +++ b/rules/cloud/azure/azure_kubernetes_secret_or_config_object_access.yml 
@@ -1,28 +1,29 @@ title: Azure Kubernetes Secret or Config Object Access id: 7ee0b4aa-d8d4-4088-b661-20efdf41a04c -description: Identifies when a Kubernetes account access a sensitive objects such as configmaps or secrets. -author: Austin Songer @austinsonger status: experimental -date: 2021/08/07 +description: Identifies when a Kubernetes account access a sensitive objects such as configmaps or secrets. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes - - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ - - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ - - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 - - https://attack.mitre.org/matrices/enterprise/cloud/ + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ + - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ + - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 + - https://attack.mitre.org/matrices/enterprise/cloud/ +author: Austin Songer @austinsonger +date: 2021/08/07 +modified: 2022/08/23 logsource: product: azure service: activitylogs detection: - selection: - properties.message: - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/WRITE - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/DELETE - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/WRITE - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/DELETE - condition: selection -level: medium -tags: - - attack.impact + selection: + operationName: + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/WRITE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/DELETE + - 
MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/WRITE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/DELETE + condition: selection falsepositives: - - Sensitive objects may be accessed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Sensitive objects accessed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Sensitive objects may be accessed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Sensitive objects accessed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +tags: + - attack.impact +level: medium diff --git a/rules/cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml b/rules/cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml index 6a56ea6c6..1b1c33b0a 100644 --- a/rules/cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml 
@@ -1,28 +1,29 @@ title: Azure Kubernetes Service Account Modified or Deleted id: 12d027c3-b48c-4d9d-8bb6-a732200034b2 -description: Identifies when a service account is modified or deleted. -author: Austin Songer @austinsonger status: experimental -date: 2021/08/07 +description: Identifies when a service account is modified or deleted. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes - - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ - - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ - - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 - - https://attack.mitre.org/matrices/enterprise/cloud/ + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ + - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ + - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 + - https://attack.mitre.org/matrices/enterprise/cloud/ +author: Austin Songer @austinsonger +date: 2021/08/07 +modified: 2022/08/23 logsource: product: azure service: activitylogs detection: - selection: - properties.message: - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/WRITE - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/DELETE - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/IMPERSONATE/ACTION - condition: selection -level: medium -tags: - - attack.impact + selection: + operationName: + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/WRITE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/DELETE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/IMPERSONATE/ACTION + condition: 
selection falsepositives: - - Service account being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Service account modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Service account being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Service account modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +tags: + - attack.impact +level: medium diff --git a/rules/cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml b/rules/cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml index 2a36bbdab..a5ba249b5 100644 --- a/rules/cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml 
@@ -1,25 +1,26 @@ title: Azure Network Firewall Policy Modified or Deleted id: 83c17918-746e-4bd9-920b-8e098bf88c23 -description: Identifies when a Firewall Policy is Modified or Deleted. -author: Austin Songer @austinsonger status: experimental -date: 2021/09/02 +description: Identifies when a Firewall Policy is Modified or Deleted. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +author: Austin Songer @austinsonger +date: 2021/09/02 +modified: 2022/08/23 logsource: product: azure service: activitylogs detection: - selection: - properties.message: - - MICROSOFT.NETWORK/FIREWALLPOLICIES/WRITE - - MICROSOFT.NETWORK/FIREWALLPOLICIES/JOIN/ACTION - - MICROSOFT.NETWORK/FIREWALLPOLICIES/CERTIFICATES/ACTION - - MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE - condition: selection -level: medium -tags: - - attack.impact + selection: + operationName: + - MICROSOFT.NETWORK/FIREWALLPOLICIES/WRITE + - MICROSOFT.NETWORK/FIREWALLPOLICIES/JOIN/ACTION + - MICROSOFT.NETWORK/FIREWALLPOLICIES/CERTIFICATES/ACTION + - MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE + condition: selection falsepositives: - - Firewall Policy being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Firewall Policy modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Firewall Policy being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Firewall Policy modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. 
+tags: + - attack.impact +level: medium diff --git a/rules/cloud/azure/azure_network_firewall_rule_modified_or_deleted.yml b/rules/cloud/azure/azure_network_firewall_rule_modified_or_deleted.yml index a2ab1da57..cdd431468 100644 --- a/rules/cloud/azure/azure_network_firewall_rule_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_network_firewall_rule_modified_or_deleted.yml 
@@ -1,25 +1,26 @@ title: Azure Firewall Rule Configuration Modified or Deleted id: 2a7d64cf-81fa-4daf-ab1b-ab80b789c067 -description: Identifies when a Firewall Rule Configuration is Modified or Deleted. -author: Austin Songer @austinsonger status: experimental -date: 2021/08/08 +description: Identifies when a Firewall Rule Configuration is Modified or Deleted. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +author: Austin Songer @austinsonger +date: 2021/08/08 +modified: 2022/08/23 logsource: product: azure service: activitylogs detection: - selection: - properties.message: - - MICROSOFT.NETWORK/FIREWALLPOLICIES/RULECOLLECTIONGROUPS/WRITE - - MICROSOFT.NETWORK/FIREWALLPOLICIES/RULECOLLECTIONGROUPS/DELETE - - MICROSOFT.NETWORK/FIREWALLPOLICIES/RULEGROUPS/WRITE - - MICROSOFT.NETWORK/FIREWALLPOLICIES/RULEGROUPS/DELETE - condition: selection -level: medium -tags: - - attack.impact + selection: + operationName: + - MICROSOFT.NETWORK/FIREWALLPOLICIES/RULECOLLECTIONGROUPS/WRITE + - MICROSOFT.NETWORK/FIREWALLPOLICIES/RULECOLLECTIONGROUPS/DELETE + - MICROSOFT.NETWORK/FIREWALLPOLICIES/RULEGROUPS/WRITE + - MICROSOFT.NETWORK/FIREWALLPOLICIES/RULEGROUPS/DELETE + condition: selection falsepositives: - - Firewall Rule Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Firewall Rule Configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Firewall Rule Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - Firewall Rule Configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +tags: + - attack.impact +level: medium diff --git a/rules/cloud/azure/azure_network_p2s_vpn_modified_or_deleted.yml b/rules/cloud/azure/azure_network_p2s_vpn_modified_or_deleted.yml index c54bd0d56..8b7bcfe0a 100644 --- a/rules/cloud/azure/azure_network_p2s_vpn_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_network_p2s_vpn_modified_or_deleted.yml 
@@ -1,27 +1,28 @@ title: Azure Point-to-site VPN Modified or Deleted id: d9557b75-267b-4b43-922f-a775e2d1f792 -description: Identifies when a Point-to-site VPN is Modified or Deleted. -author: Austin Songer @austinsonger status: experimental -date: 2021/08/08 +description: Identifies when a Point-to-site VPN is Modified or Deleted. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +author: Austin Songer @austinsonger +date: 2021/08/08 +modified: 2022/08/23 logsource: product: azure service: activitylogs detection: - selection: - properties.message: - - MICROSOFT.NETWORK/P2SVPNGATEWAYS/WRITE - - MICROSOFT.NETWORK/P2SVPNGATEWAYS/DELETE - - MICROSOFT.NETWORK/P2SVPNGATEWAYS/RESET/ACTION - - MICROSOFT.NETWORK/P2SVPNGATEWAYS/GENERATEVPNPROFILE/ACTION - - MICROSOFT.NETWORK/P2SVPNGATEWAYS/DISCONNECTP2SVPNCONNECTIONS/ACTION - - MICROSOFT.NETWORK/P2SVPNGATEWAYS/PROVIDERS/MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/WRITE - condition: selection -level: medium -tags: - - attack.impact + selection: + operationName: + - MICROSOFT.NETWORK/P2SVPNGATEWAYS/WRITE + - MICROSOFT.NETWORK/P2SVPNGATEWAYS/DELETE + - MICROSOFT.NETWORK/P2SVPNGATEWAYS/RESET/ACTION + - MICROSOFT.NETWORK/P2SVPNGATEWAYS/GENERATEVPNPROFILE/ACTION + - MICROSOFT.NETWORK/P2SVPNGATEWAYS/DISCONNECTP2SVPNCONNECTIONS/ACTION + - MICROSOFT.NETWORK/P2SVPNGATEWAYS/PROVIDERS/MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/WRITE + condition: selection falsepositives: - - Point-to-site VPN being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Point-to-site VPN modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. 
+ - Point-to-site VPN being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Point-to-site VPN modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +tags: + - attack.impact +level: medium diff --git a/rules/cloud/azure/azure_network_security_modified_or_deleted.yml b/rules/cloud/azure/azure_network_security_modified_or_deleted.yml index cd2f06382..cfc0a269d 100644 --- a/rules/cloud/azure/azure_network_security_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_network_security_modified_or_deleted.yml 
@@ -1,27 +1,28 @@ title: Azure Network Security Configuration Modified or Deleted id: d22b4df4-5a67-4859-a578-8c9a0b5af9df -description: Identifies when a network security configuration is modified or deleted. -author: Austin Songer @austinsonger status: experimental -date: 2021/08/08 +description: Identifies when a network security configuration is modified or deleted. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +author: Austin Songer @austinsonger +date: 2021/08/08 +modified: 2022/08/23 logsource: product: azure service: activitylogs detection: - selection: - properties.message: - - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE - - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/DELETE - - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE - - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/DELETE - - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/JOIN/ACTION - - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/PROVIDERS/MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/WRITE - condition: selection -level: medium -tags: - - attack.impact + selection: + operationName: + - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE + - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/DELETE + - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE + - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/DELETE + - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/JOIN/ACTION + - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/PROVIDERS/MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/WRITE + condition: selection falsepositives: - - Network Security Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Network Security Configuration modified or deleted from unfamiliar users should be investigated. 
If known behavior is causing false positives, it can be exempted from the rule. + - Network Security Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Network Security Configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +tags: + - attack.impact +level: medium diff --git a/rules/cloud/azure/azure_network_virtual_device_modified_or_deleted.yml b/rules/cloud/azure/azure_network_virtual_device_modified_or_deleted.yml index 5eefd7274..413bd1cbb 100644 --- a/rules/cloud/azure/azure_network_virtual_device_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_network_virtual_device_modified_or_deleted.yml 
@@ -1,32 +1,33 @@ title: Azure Virtual Network Device Modified or Deleted id: 15ef3fac-f0f0-4dc4-ada0-660aa72980b3 -description: Identifies when a virtual network device is being modified or deleted. This can be a network interface, network virtual appliance, virtual hub, or virtual router. -author: Austin Songer @austinsonger status: experimental -date: 2021/08/08 +description: Identifies when a virtual network device is being modified or deleted. This can be a network interface, network virtual appliance, virtual hub, or virtual router. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +author: Austin Songer @austinsonger +date: 2021/08/08 +modified: 2022/08/23 logsource: product: azure service: activitylogs detection: - selection: - properties.message: - - MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/WRITE - - MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/DELETE - - MICROSOFT.NETWORK/NETWORKINTERFACES/WRITE - - MICROSOFT.NETWORK/NETWORKINTERFACES/JOIN/ACTION - - MICROSOFT.NETWORK/NETWORKINTERFACES/DELETE - - MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/DELETE - - MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/WRITE - - MICROSOFT.NETWORK/VIRTUALHUBS/DELETE - - MICROSOFT.NETWORK/VIRTUALHUBS/WRITE - - MICROSOFT.NETWORK/VIRTUALROUTERS/WRITE - - MICROSOFT.NETWORK/VIRTUALROUTERS/DELETE - condition: selection -level: medium -tags: - - attack.impact + selection: + operationName: + - MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/WRITE + - MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/DELETE + - MICROSOFT.NETWORK/NETWORKINTERFACES/WRITE + - MICROSOFT.NETWORK/NETWORKINTERFACES/JOIN/ACTION + - MICROSOFT.NETWORK/NETWORKINTERFACES/DELETE + - MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/DELETE + - MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/WRITE + - MICROSOFT.NETWORK/VIRTUALHUBS/DELETE + - 
MICROSOFT.NETWORK/VIRTUALHUBS/WRITE + - MICROSOFT.NETWORK/VIRTUALROUTERS/WRITE + - MICROSOFT.NETWORK/VIRTUALROUTERS/DELETE + condition: selection falsepositives: - - Virtual Network Device being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Virtual Network Device modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Virtual Network Device being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Virtual Network Device modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +tags: + - attack.impact +level: medium diff --git a/rules/cloud/azure/azure_new_cloudshell_created.yml b/rules/cloud/azure/azure_new_cloudshell_created.yml index faa1a2c7b..9fa3a59a7 100644 --- a/rules/cloud/azure/azure_new_cloudshell_created.yml +++ b/rules/cloud/azure/azure_new_cloudshell_created.yml 
@@ -1,22 +1,22 @@ title: Azure New CloudShell Created id: 72af37e2-ec32-47dc-992b-bc288a2708cb -description: Identifies when a new cloudshell is created inside of Azure portal. -author: Austin Songer status: experimental -date: 2021/09/21 +description: Identifies when a new cloudshell is created inside of Azure portal. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +author: Austin Songer +date: 2021/09/21 +modified: 2022/08/23 logsource: product: azure service: activitylogs detection: - selection: - properties.message: MICROSOFT.PORTAL/CONSOLES/WRITE - condition: selection -level: medium -tags: - - attack.execution - - attack.t1059 + selection: + operationName: MICROSOFT.PORTAL/CONSOLES/WRITE + condition: selection falsepositives: - - A new cloudshell may be created by a system administrator. - + - A new cloudshell may be created by a system administrator. +tags: + - attack.execution + - attack.t1059 +level: medium diff --git a/rules/cloud/azure/azure_subscription_permissions_elevation_via_activitylogs.yml b/rules/cloud/azure/azure_subscription_permissions_elevation_via_activitylogs.yml index 37c184fd9..ed19e1b6f 100644 --- a/rules/cloud/azure/azure_subscription_permissions_elevation_via_activitylogs.yml +++ b/rules/cloud/azure/azure_subscription_permissions_elevation_via_activitylogs.yml 
@@ -1,21 +1,22 @@ title: Azure Subscription Permission Elevation Via ActivityLogs id: 09438caa-07b1-4870-8405-1dbafe3dad95 status: experimental -author: Austin Songer @austinsonger -date: 2021/11/26 description: Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment. references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization +author: Austin Songer @austinsonger +date: 2021/11/26 +modified: 2022/08/23 logsource: product: azure service: activitylogs detection: - selection1: - properties.message: MICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION - condition: selection1 -level: high + selection: + operationName: MICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION + condition: selection falsepositives: - If this was approved by System Administrator. tags: - attack.initial_access - attack.t1078 +level: high diff --git a/rules/cloud/azure/azure_suppression_rule_created.yml b/rules/cloud/azure/azure_suppression_rule_created.yml index 7c079c960..87669808e 100644 --- a/rules/cloud/azure/azure_suppression_rule_created.yml +++ b/rules/cloud/azure/azure_suppression_rule_created.yml 
@@ -1,22 +1,23 @@ title: Azure Suppression Rule Created id: 92cc3e5d-eb57-419d-8c16-5c63f325a401 -description: Identifies when a suppression rule is created in Azure. Adversary's could attempt this to evade detection. -author: Austin Songer status: experimental -date: 2021/08/16 +description: Identifies when a suppression rule is created in Azure. Adversary's could attempt this to evade detection. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +author: Austin Songer +date: 2021/08/16 +modified: 2022/08/23 logsource: product: azure service: activitylogs detection: - selection: - properties.message: MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE - condition: selection -level: medium -tags: - - attack.impact + selection: + operationName: MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE + condition: selection falsepositives: - - Suppression Rule being created may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Suppression Rule created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Suppression Rule being created may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Suppression Rule created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +tags: + - attack.impact +level: medium diff --git a/rules/cloud/azure/azure_virtual_network_modified_or_deleted.yml b/rules/cloud/azure/azure_virtual_network_modified_or_deleted.yml index 40a1604f6..3c9974d55 100644 --- a/rules/cloud/azure/azure_virtual_network_modified_or_deleted.yml 
+++ b/rules/cloud/azure/azure_virtual_network_modified_or_deleted.yml @@ -1,26 +1,27 @@ title: Azure Virtual Network Modified or Deleted id: bcfcc962-0e4a-4fd9-84bb-a833e672df3f -description: Identifies when a Virtual Network is modified or deleted in Azure. -author: Austin Songer @austinsonger status: experimental -date: 2021/08/08 +description: Identifies when a Virtual Network is modified or deleted in Azure. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +author: Austin Songer @austinsonger +date: 2021/08/08 +modified: 2022/08/23 logsource: product: azure service: activitylogs detection: - selection: - properties.message|startswith: - - MICROSOFT.NETWORK/VIRTUALNETWORKGATEWAYS/ - - MICROSOFT.NETWORK/VIRTUALNETWORKS/ - properties.message|endswith: - - /WRITE - - /DELETE - condition: selection -level: medium -tags: - - attack.impact + selection: + operationName|startswith: + - MICROSOFT.NETWORK/VIRTUALNETWORKGATEWAYS/ + - MICROSOFT.NETWORK/VIRTUALNETWORKS/ + operationName|endswith: + - /WRITE + - /DELETE + condition: selection falsepositives: - - Virtual Network being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Virtual Network modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Virtual Network being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Virtual Network modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +tags: + - attack.impact +level: medium 
diff --git a/rules/cloud/azure/azure_vpn_connection_modified_or_deleted.yml b/rules/cloud/azure/azure_vpn_connection_modified_or_deleted.yml index e7cc2e36b..75b953a00 100644 --- a/rules/cloud/azure/azure_vpn_connection_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_vpn_connection_modified_or_deleted.yml 
@@ -1,23 +1,24 @@ title: Azure VPN Connection Modified or Deleted id: 61171ffc-d79c-4ae5-8e10-9323dba19cd3 -description: Identifies when a VPN connection is modified or deleted. -author: Austin Songer @austinsonger status: experimental -date: 2021/08/08 +description: Identifies when a VPN connection is modified or deleted. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +author: Austin Songer @austinsonger +date: 2021/08/08 +modified: 2022/08/23 logsource: product: azure service: activitylogs detection: - selection: - properties.message: - - MICROSOFT.NETWORK/VPNGATEWAYS/VPNCONNECTIONS/WRITE - - MICROSOFT.NETWORK/VPNGATEWAYS/VPNCONNECTIONS/DELETE - condition: selection -level: medium -tags: - - attack.impact + selection: + operationName: + - MICROSOFT.NETWORK/VPNGATEWAYS/VPNCONNECTIONS/WRITE + - MICROSOFT.NETWORK/VPNGATEWAYS/VPNCONNECTIONS/DELETE + condition: selection falsepositives: - - VPN Connection being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - VPN Connection modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - VPN Connection being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - VPN Connection modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +tags: + - attack.impact +level: medium diff --git a/rules/proxy/proxy_ua_bitsadmin_susp_ip.yml b/rules/proxy/proxy_ua_bitsadmin_susp_ip.yml index af0556668..ce4b7f470 100644 
--- a/rules/proxy/proxy_ua_bitsadmin_susp_ip.yml +++ b/rules/proxy/proxy_ua_bitsadmin_susp_ip.yml @@ -4,12 +4,13 @@ status: experimental description: Detects Bitsadmin connections to IP addresses instead of FQDN names author: Florian Roth date: 2022/06/10 +modified: 2022/08/24 logsource: category: proxy detection: selection: c-useragent|startswith: 'Microsoft BITS/' - cs-host|startswith: + cs-host|endswith: - '1' - '2' - '3' diff --git a/rules/windows/builtin/system/win_susp_service_installation_script.yml b/rules/windows/builtin/system/win_susp_service_installation_script.yml index 1b2b4fd9d..0f4c9ec47 100644 --- a/rules/windows/builtin/system/win_susp_service_installation_script.yml +++ b/rules/windows/builtin/system/win_susp_service_installation_script.yml @@ -6,27 +6,27 @@ author: pH-T date: 2022/03/18 modified: 2022/03/24 logsource: - product: windows - service: system + product: windows + service: system detection: - selection: - Provider_Name: 'Service Control Manager' - EventID: 7045 - suspicious1: - ImagePath|contains: ' /C ' - suspicious2: - ImagePath|contains: - - 'powershell' - - 'wscript' - - 'cscript' - - 'mshta' - - 'rundll32' - condition: selection and all of suspicious* + selection: + Provider_Name: 'Service Control Manager' + EventID: 7045 + suspicious1: + ImagePath|contains: ' /C ' + suspicious2: + ImagePath|contains: + - 'powershell' + - 'wscript' + - 'cscript' + - 'mshta' + - 'rundll32' + condition: selection and all of suspicious* falsepositives: - - Unknown + - Unknown level: high tags: - - attack.persistence - - attack.privilege_escalation - - car.2013-09-005 - - attack.t1543.003 + - attack.persistence + - attack.privilege_escalation + - car.2013-09-005 + - attack.t1543.003 diff --git a/rules/windows/create_remote_thread/sysmon_susp_remote_thread_source.yml b/rules/windows/create_remote_thread/sysmon_susp_remote_thread_source.yml index e1a49daaa..dfed28430 100644 --- a/rules/windows/create_remote_thread/sysmon_susp_remote_thread_source.yml 
+++ b/rules/windows/create_remote_thread/sysmon_susp_remote_thread_source.yml @@ -5,7 +5,7 @@ notes: - MonitoringHost.exe is a process that loads .NET CLR by default and thus a favorite for process injection for .NET in-memory offensive tools. status: experimental date: 2019/10/27 -modified: 2022/08/25 +modified: 2022/08/26 author: Perez Diego (@darkquassar), oscd.community references: - Personal research, statistical analysis @@ -89,6 +89,11 @@ detection: TargetImage: 'System' filter_powershell: SourceParentImage: 'C:\Windows\System32\CompatTelRunner.exe' + filter_schtasks_conhost: + SourceImage: + - 'C:\Windows\System32\schtasks.exe' + - 'C:\Windows\SysWOW64\schtasks.exe' + TargetImage: 'C:\Windows\System32\conhost.exe' condition: selection and not 1 of filter* fields: - ComputerName diff --git a/rules/windows/driver_load/driver_load_vuln_avast_anti_rootkit_driver.yml b/rules/windows/driver_load/driver_load_vuln_avast_anti_rootkit_driver.yml index c74c764eb..f1e5c9bbd 100644 --- a/rules/windows/driver_load/driver_load_vuln_avast_anti_rootkit_driver.yml +++ b/rules/windows/driver_load/driver_load_vuln_avast_anti_rootkit_driver.yml @@ -6,6 +6,7 @@ author: Nasreddine Bencherchali references: - https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/ date: 2022/07/28 +modified: 2022/08/24 logsource: product: windows category: driver_load @@ -22,7 +23,7 @@ detection: driver_img: ImageLoaded|endswith: '\aswArPot.sys' driver_status: - - Signed: false + - Signed: 'false' - SignatureStatus: Expired condition: 1 of selection* or all of driver_* falsepositives: diff --git a/rules/windows/driver_load/driver_load_vuln_drivers.yml b/rules/windows/driver_load/driver_load_vuln_drivers.yml index 6fe73a176..a3898ef84 100644 --- a/rules/windows/driver_load/driver_load_vuln_drivers.yml +++ b/rules/windows/driver_load/driver_load_vuln_drivers.yml 
@@ -792,7 +792,7 @@ detection: - '\semav6msr.sys' - '\piddrv64.sys' driver_status: - - Signed: false + - Signed: 'false' - SignatureStatus: Expired condition: 1 of selection* or all of driver_* falsepositives: diff --git a/rules/windows/file_event/file_event_win_msdt_autorun.yml b/rules/windows/file_event/file_event_win_msdt_autorun.yml new file mode 100644 index 000000000..65151c6fb --- /dev/null +++ b/rules/windows/file_event/file_event_win_msdt_autorun.yml @@ -0,0 +1,29 @@ +title: MSDT.exe Creates Files in Autorun Directory +id: 318557a5-150c-4c8d-b70e-a9910e199857 +status: experimental +description: Detects msdt.exe creating files in suspicious directories +author: Vadim Varganov, Florian Roth +references: + - https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd + - https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/ +date: 2022/08/24 +tags: + - attack.persistence + - attack.t1547.001 + - cve.2022.30190 +logsource: + category: file_event + product: windows +detection: + selection: + Image|endswith: '\msdt.exe' + TargetFilename|contains: + - '\Start Menu\Programs\Startup\' + - 'C:\Users\Public\' + - 'C:\PerfLogs\' + - '\Desktop\' + - 'C:\ProgramData\' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/file_event/file_event_win_susp_adsi_cache_usage.yml b/rules/windows/file_event/file_event_win_susp_adsi_cache_usage.yml index 81b34659c..b7afdc19b 100755 --- a/rules/windows/file_event/file_event_win_susp_adsi_cache_usage.yml +++ b/rules/windows/file_event/file_event_win_susp_adsi_cache_usage.yml @@ -8,7 +8,7 @@ references: - https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/ - https://github.com/fox-it/LDAPFragger date: 2019/03/24 -modified: 2022/08/16 +modified: 2022/08/24 logsource: product: windows category: file_event 
@@ -26,7 +26,9 @@ detection: - 'C:\Program Files\Cylance\Desktop\CylanceSvc.exe' - 'C:\Windows\System32\wbem\WmiPrvSE.exe' filter_begins: - Image|startswith: 'C:\Windows\ccmsetup\autoupgrade\ccmsetup' # C:\Windows\ccmsetup\autoupgrade\ccmsetup.TMC00002.40.exe + Image|startswith: + - 'C:\Windows\ccmsetup\autoupgrade\ccmsetup' # C:\Windows\ccmsetup\autoupgrade\ccmsetup.TMC00002.40.exe + - 'C:\Program Files\SentinelOne\Sentinel Agent' # C:\Program Files\SentinelOne\Sentinel Agent 21.7.7.40005\SentinelAgent.exe filter_ends: Image|endswith: '\LANDesk\LDCLient\ldapwhoami.exe' filter_domain_controller: diff --git a/rules/windows/file_event/file_event_win_susp_powershell_profile.yml b/rules/windows/file_event/file_event_win_susp_powershell_profile.yml new file mode 100644 index 000000000..737db2024 --- /dev/null +++ b/rules/windows/file_event/file_event_win_susp_powershell_profile.yml @@ -0,0 +1,29 @@ +title: PowerShell Profile Modification +id: b5b78988-486d-4a80-b991-930eff3ff8bf +status: test +description: Detects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence +author: HieuTT35, Nasreddine Bencherchali +references: + - https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/ + - https://persistence-info.github.io/Data/powershellprofile.html +date: 2019/10/24 +modified: 2022/08/24 +logsource: + product: windows + category: file_event +detection: + selection: + TargetFilename|endswith: + - '\Microsoft.PowerShell_profile.ps1' + - '\WindowsPowerShell\profile.ps1' + - '\PowerShell\profile.ps1' + - '\Windows\System32\WindowsPowerShell\v1.0\profile.ps1' + - '\Program Files\PowerShell\7\profile.ps1' + condition: selection +falsepositives: + - System administrator create Powershell profile manually +level: high +tags: + - attack.persistence + - attack.privilege_escalation + - attack.t1546.013 
diff --git a/rules/windows/file_event/file_event_win_susp_powershell_profile_create.yml b/rules/windows/file_event/file_event_win_susp_powershell_profile_create.yml deleted file mode 100644 index ba07ecf39..000000000 --- a/rules/windows/file_event/file_event_win_susp_powershell_profile_create.yml +++ /dev/null @@ -1,29 +0,0 @@ -title: Powershell Profile.ps1 Modification -id: b5b78988-486d-4a80-b991-930eff3ff8bf -status: test -description: Detects a change in profile.ps1 of the Powershell profile -author: HieuTT35 -references: - - https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/ -date: 2019/10/24 -modified: 2021/11/27 -logsource: - product: windows - category: file_event -detection: - target1: - TargetFilename|contains|all: - - '\My Documents\PowerShell\' - - '\profile.ps1' - target2: - TargetFilename|contains|all: - - 'C:\Windows\System32\WindowsPowerShell\v1.0\' - - '\profile.ps1' - condition: target1 or target2 -falsepositives: - - System administrator create Powershell profile manually -level: high -tags: - - attack.persistence - - attack.privilege_escalation - - attack.t1546.013 diff --git a/rules/windows/file_event/file_event_win_susp_vscode_powershell_profile.yml b/rules/windows/file_event/file_event_win_susp_vscode_powershell_profile.yml new file mode 100644 index 000000000..f85738a13 --- /dev/null +++ b/rules/windows/file_event/file_event_win_susp_vscode_powershell_profile.yml 
@@ -0,0 +1,25 @@ +title: VsCode Powershell Profile Modification +id: 3a9fa2ec-30bc-4ebd-b49e-7c9cff225502 +related: + - id: b5b78988-486d-4a80-b991-930eff3ff8bf + type: similar +status: experimental +description: Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence +author: Nasreddine Bencherchali +references: + - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-7.2 +date: 2022/08/24 +logsource: + product: windows + category: file_event +detection: + selection: + TargetFilename|endswith: '\Microsoft.VSCode_profile.ps1' + condition: selection +falsepositives: + - Legitimate use of the profile by developers or administrators +level: high +tags: + - attack.persistence + - attack.privilege_escalation + - attack.t1546.013 diff --git a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml index 4a6bb9930..a37434bed 100644 --- a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml +++ b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml @@ -6,9 +6,9 @@ references: - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there) - https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/ # WindowsCodecs.dll - https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/ # iphlpapi.dll -author: Nasreddine Bencherchali, Wietze Beukema (project and research) +author: Nasreddine Bencherchali, Wietze Beukema (project and research), Chris Spehn (research WFH Dridex) date: 2022/08/14 -modified: 2022/08/17 +modified: 2022/08/24 tags: - attack.defense_evasion - attack.persistence 
@@ -356,6 +356,60 @@ detection: - '\dpx.dll' - '\fxsapi.dll' - '\fxstiff.dll' + - '\xpsservices.dll' + - '\appvpolicy.dll' + - '\batmeter.dll' + - '\bootux.dll' + - '\cmutil.dll' + - '\configmanager2.dll' + - '\coredplus.dll' + - '\coreuicomponents.dll' + - '\cryptsp.dll' + - '\dmcommandlineutils.dll' + - '\drvstore.dll' + - '\dsprop.dll' + - '\dxcore.dll' + - '\edgeiso.dll' + - '\framedynos.dll' + - '\fveskybackup.dll' + - '\fvewiz.dll' + - '\gpapi.dll' + - '\icmp.dll' + - '\ifsutil.dll' + - '\iumsdk.dll' + - '\lockhostingframework.dll' + - '\lrwizdll.dll' + - '\mbaexmlparser.dll' + - '\mfc42u.dll' + - '\msiso.dll' + - '\msvcp110_win.dll' + - '\netapi32.dll' + - '\netjoin.dll' + - '\netprovfw.dll' + - '\opcservices.dll' + - '\pkeyhelper.dll' + - '\playsndsrv.dll' + - '\powrprof.dll' + - '\prntvpt.dll' + - '\profapi.dll' + - '\proximitycommon.dll' + - '\proximityservicepal.dll' + - '\rasdlg.dll' + - '\security.dll' + - '\sppcext.dll' + - '\srmtrace.dll' + - '\tpmcoreprovisioning.dll' + - '\umpdc.dll' + - '\unattend.dll' + - '\urlmon.dll' + - '\vdsutil.dll' + - '\version.dll' + - '\winbio.dll' + - '\windows.ui.immersive.dll' + - '\winscard.dll' + - '\winsync.dll' + - '\wscapi.dll' + - '\wsmsvc.dll' filter_generic: ImageLoaded|startswith: - 'C:\Windows\System32\' @@ -367,6 +421,9 @@ detection: User|contains: # covers many language settings - 'AUTHORI' - 'AUTORI' + filter_appvpolicy: + ImageLoaded: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll + Image: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe condition: selection and not 1 of filter_* falsepositives: - Legitimate applications loading their own versions of the DLLs mentioned in this rule diff --git a/rules/windows/network_connection/net_connection_win_remote_powershell_session_network.yml b/rules/windows/network_connection/net_connection_win_remote_powershell_session_network.yml index 465b440ff..0b2e6f4f2 100755 
--- a/rules/windows/network_connection/net_connection_win_remote_powershell_session_network.yml +++ b/rules/windows/network_connection/net_connection_win_remote_powershell_session_network.yml @@ -6,7 +6,7 @@ author: Roberto Rodriguez @Cyb3rWard0g references: - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html date: 2019/09/12 -modified: 2022/08/16 +modified: 2022/08/24 logsource: category: network_connection product: windows @@ -15,7 +15,7 @@ detection: DestinationPort: - 5985 - 5986 - Initiated: true # only matches of the initiating system can be evaluated + Initiated: 'true' # only matches of the initiating system can be evaluated filter: - User|contains: # covers many language settings for Network Service, please expand - 'NETWORK SERVICE' diff --git a/rules/windows/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml b/rules/windows/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml new file mode 100644 index 000000000..0fd446068 --- /dev/null +++ b/rules/windows/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml @@ -0,0 +1,24 @@ +title: Disable Powershell Command History +id: 602f5669-6927-4688-84db-0d4b7afb2150 +status: experimental +description: Detects scripts or commands that disabled the Powershell command history by removing psreadline module +references: + - https://twitter.com/DissectMalware/status/1062879286749773824 +author: Ali Alwashali +date: 2022/08/21 +logsource: + product: windows + category: ps_script + definition: Script block logging must be enabled +detection: + selection: + ScriptBlockText|contains|all: + - Remove-Module + - psreadline + condition: selection +falsepositives: + - Legitimate script that disables the command history +level: high +tags: + - attack.defense_evasion + - attack.t1070.003 
diff --git a/rules/windows/process_creation/proc_creation_win_always_install_elevated_windows_installer.yml b/rules/windows/process_creation/proc_creation_win_always_install_elevated_windows_installer.yml index c59c9aaca..694d57530 100644 --- a/rules/windows/process_creation/proc_creation_win_always_install_elevated_windows_installer.yml +++ b/rules/windows/process_creation/proc_creation_win_always_install_elevated_windows_installer.yml @@ -4,7 +4,7 @@ description: This rule looks for Windows Installer service (msiexec.exe) trying status: experimental author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community date: 2020/10/13 -modified: 2022/02/18 +modified: 2022/08/25 references: - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg tags: @@ -32,11 +32,20 @@ detection: filter_repair: - CommandLine|endswith: '\system32\msiexec.exe /V' # ignore "repair option" - ParentCommandLine|endswith: '\system32\msiexec.exe /V' # ignore "repair option" + filter_autoupdater: + ParentImage|startswith: + - 'C:\ProgramData\Sophos\' + - 'C:\ProgramData\Avira\' + - 'C:\Program Files\Avast Software\' + - 'C:\Program Files (x86)\Avast Software\' + - 'C:\Program Files\Google\Update\' + - 'C:\Program Files (x86)\Google\Update\' condition: ( (image_1 and user) or (image_2 and user and integrity_level) ) and not 1 of filter* fields: - IntegrityLevel - User - Image falsepositives: - - System administrator Usage + - System administrator usage + - Anti virus products level: medium diff --git a/rules/windows/process_creation/proc_creation_win_malware_qbot.yml b/rules/windows/process_creation/proc_creation_win_malware_qbot.yml index b9720b5f5..db8b1bb7b 100644 --- a/rules/windows/process_creation/proc_creation_win_malware_qbot.yml +++ b/rules/windows/process_creation/proc_creation_win_malware_qbot.yml 
@@ -4,7 +4,7 @@ status: stable description: Detects QBot like process executions author: Florian Roth date: 2019/10/01 -modified: 2021/01/25 +modified: 2022/08/24 tags: - attack.execution - attack.t1059.005 @@ -25,7 +25,7 @@ detection: - 'regsvr32.exe' - 'C:\ProgramData' - '.tmp' - condition: selection1 or selection2 or selection3 + condition: 1 of selection* fields: - CommandLine - ParentCommandLine diff --git a/rules/windows/process_creation/proc_creation_modify_group_policy_settings.yml b/rules/windows/process_creation/proc_creation_win_modify_group_policy_settings.yml similarity index 100% rename from rules/windows/process_creation/proc_creation_modify_group_policy_settings.yml rename to rules/windows/process_creation/proc_creation_win_modify_group_policy_settings.yml diff --git a/rules/windows/process_creation/proc_creation_win_new_network_provider.yml b/rules/windows/process_creation/proc_creation_win_new_network_provider.yml new file mode 100644 index 000000000..7fad53fee --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_new_network_provider.yml 
@@ -0,0 +1,33 @@ +title: New Network Provider - CommandLine +id: baef1ec6-2ca9-47a3-97cc-4cf2bda10b77 +related: + - id: 0442defa-b4a2-41c9-ae2c-ea7042fc4701 + type: similar +description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it +author: Nasreddine Bencherchali +date: 2022/08/23 +status: experimental +references: + - https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade + - https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains|all: + - '\System\CurrentControlSet\Services\' + - '\NetworkProvider' + filter: + CommandLine|contains: + - '\System\CurrentControlSet\Services\WebClient\NetworkProvider' + - '\System\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider' + - '\System\CurrentControlSet\Services\RDPNP\NetworkProvider' + #- '\System\CurrentControlSet\Services\P9NP\NetworkProvider' # Related to WSL remove the comment if you use WSL in your ENV + condition: selection and not filter +falsepositives: + - Other legitimate network providers used and not filtred in this rule +level: high +tags: + - attack.credential_access + - attack.t1003 diff --git a/rules/windows/process_creation/proc_creation_win_public_folder_parent.yml b/rules/windows/process_creation/proc_creation_win_public_folder_parent.yml index eda2ef47b..aa71e61ca 100644 --- a/rules/windows/process_creation/proc_creation_win_public_folder_parent.yml +++ b/rules/windows/process_creation/proc_creation_win_public_folder_parent.yml 
@@ -4,28 +4,30 @@ status: experimental description: This rule detects suspicious processes with parent images located in the C:\Users\Public folder author: Florian Roth references: - - https://redcanary.com/blog/blackbyte-ransomware/ + - https://redcanary.com/blog/blackbyte-ransomware/ date: 2022/02/25 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - ParentImage|startswith: 'C:\Users\Public\' - CommandLine|contains: - - 'powershell' - - 'cmd.exe /c ' - - 'cmd /c ' - - 'wscript.exe' - - 'cscript.exe' - - 'bitsadmin' - - 'certutil' - - 'mshta.exe' - condition: selection + selection: + ParentImage|startswith: 'C:\Users\Public\' + CommandLine|contains: + - 'powershell' + - 'cmd.exe /c ' + - 'cmd.exe /k ' + - 'cmd /c ' + - 'cmd /k ' + - 'wscript.exe' + - 'cscript.exe' + - 'bitsadmin' + - 'certutil' + - 'mshta.exe' + condition: selection fields: - - ComputerName - - User - - CommandLine + - ComputerName + - User + - CommandLine falsepositives: - - Unknown + - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml b/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml index 0f033ceb6..498857c98 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml 
@@ -1,7 +1,7 @@ title: DllRegisterServer Call From Non Rundll32 id: 2569ed8c-1147-498a-9b8c-2ad3656b10ed status: stable -description: Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could that the 'rundll32' utility has been renamed in order to avoid detection +description: Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could mean that the 'rundll32' utility has been renamed in order to avoid detection author: Nasreddine Bencherchali references: - https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20 diff --git a/rules/windows/process_creation/proc_creation_win_susp_codepage_lookup.yml b/rules/windows/process_creation/proc_creation_win_susp_codepage_lookup.yml index c3e68b05b..fabb0e86f 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_codepage_lookup.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_codepage_lookup.yml 
@@ -4,29 +4,31 @@ status: experimental description: Detects use of chcp to look up the system locale value as part of host discovery author: '_pete_0, TheDFIRReport' references: - - https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/ - - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp + - https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/ + - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp date: 2022/02/21 modified: 2022/04/21 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - ParentImage|endswith: '\cmd.exe' - ParentCommandLine|contains: ' /c ' - Image|endswith: '\chcp.com' - CommandLine|endswith: - - 'chcp' - - 'chcp ' - - 'chcp ' - condition: selection + selection: + ParentImage|endswith: '\cmd.exe' + ParentCommandLine|contains: + - ' /c ' + - ' /k ' + Image|endswith: '\chcp.com' + CommandLine|endswith: + - 'chcp' + - 'chcp ' + - 'chcp ' + condition: selection fields: - - CommandLine - - ParentCommandLine + - CommandLine + - ParentCommandLine falsepositives: - - Unknown + - Unknown level: high tags: - - attack.discovery - - attack.t1614.001 + - attack.discovery + - attack.t1614.001 diff --git a/rules/windows/process_creation/proc_creation_win_susp_del.yml b/rules/windows/process_creation/proc_creation_win_susp_del.yml index c065e0976..40c8158f0 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_del.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_del.yml 
@@ -1,29 +1,32 @@ title: Suspicious Del in CommandLine id: 204b17ae-4007-471b-917b-b917b315c5db status: experimental -description: suspicious command line to remove exe or dll +description: Detects suspicious command line to remove and 'exe' or 'dll' author: frack113 date: 2021/12/02 +modified: 2022/08/24 references: - https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D tags: - attack.defense_evasion - - attack.t1070.004 + - attack.t1070.004 logsource: category: process_creation product: windows detection: susp_del_exe: CommandLine|contains|all: - - 'del *.exe' + - 'del ' + - '\*.exe' - '/f ' - '/q ' susp_del_dll: CommandLine|contains|all: - - 'del *.dll' + # Example: cmd.exe (PID: 1044 cmdline: 'C:\Windows\System32\cmd.exe' /c taskkill /im A8D4.exe /f & timeout /t 6 & del /f /q 'C:\Users\user~1\AppData\Local\Temp\A8D4.exe' & del C:\ProgramData\*.dll & exit + - 'del ' + - '\*.dll' - 'C:\ProgramData\' condition: susp_del_exe or susp_del_dll -#cmd.exe (PID: 1044 cmdline: 'C:\Windows\System32\cmd.exe' /c taskkill /im A8D4.exe /f & timeout /t 6 & del /f /q 'C:\Users\user~1\AppData\Local\Temp\A8D4.exe' & del C:\ProgramData\*.dll & exit falsepositives: - Unknown level: medium diff --git a/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_escalate_system.yml b/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_escalate_system.yml index 103bb2861..7da441b61 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_escalate_system.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_escalate_system.yml @@ -8,7 +8,7 @@ references: - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html author: Florian Roth date: 2021/11/23 -modified: 2022/07/21 +modified: 2022/08/24 logsource: category: process_creation product: windows 
@@ -20,10 +20,11 @@ detection: - 'PAExec' - 'accepteula' - 'cmd /c ' + - 'cmd /k ' condition: selection falsepositives: - Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare) level: high tags: - - attack.develop_capabilities - - attack.t1587.001 \ No newline at end of file + - attack.resource_development + - attack.t1587.001 diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_change.yml b/rules/windows/process_creation/proc_creation_win_susp_schtasks_change.yml index 4aa76a302..e1e2e281d 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_schtasks_change.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_schtasks_change.yml @@ -13,6 +13,7 @@ tags: - attack.t1053.005 author: Nasreddine Bencherchali date: 2022/07/28 +modified: 2022/08/24 logsource: product: windows category: process_creation @@ -42,7 +43,9 @@ detection: - 'regsvr32' - 'rundll32' - 'cmd /c ' + - 'cmd /k ' - 'cmd.exe /c ' + - 'cmd.exe /k ' - 'powershell' - 'mshta' - 'wscript' diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_folder_combos.yml b/rules/windows/process_creation/proc_creation_win_susp_schtasks_folder_combos.yml index 276f358ef..ede801918 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_schtasks_folder_combos.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_schtasks_folder_combos.yml @@ -9,6 +9,7 @@ tags: - attack.t1053.005 author: Florian Roth date: 2022/04/15 +modified: 2022/08/24 logsource: product: windows category: process_creation @@ -20,12 +21,14 @@ detection: CommandLine|contains: - 'powershell' - 'cmd /c ' + - 'cmd /k ' - 'cmd.exe /c ' - selection1_all_folders: + - 'cmd.exe /k ' + selection_all_folders: CommandLine|contains: - 'C:\ProgramData\' - '%ProgramData%' - condition: all of selection* + condition: all of selection_* falsepositives: - Unknown level: high 
diff --git a/rules/windows/process_creation/proc_creation_win_susp_wmic_proc_create.yml b/rules/windows/process_creation/proc_creation_win_susp_wmic_proc_create.yml index a0f27bec9..999d77e14 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_wmic_proc_create.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_wmic_proc_create.yml @@ -7,7 +7,7 @@ references: - https://thedfirreport.com/2020/10/08/ryuks-return/ - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker date: 2020/10/12 -modified: 2022/08/09 +modified: 2022/08/24 logsource: category: process_creation product: windows @@ -23,6 +23,7 @@ detection: - 'bitsadmin' - 'regsvr32' - 'cmd.exe /c ' + - 'cmd.exe /k ' - 'powershell' - 'pwsh' - 'certutil' diff --git a/rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml b/rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml new file mode 100644 index 000000000..9bd765ad6 --- /dev/null +++ b/rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml 
@@ -0,0 +1,52 @@ +title: Usage of Suspicious Sysinternals Tools +id: f50f3c09-557d-492d-81db-9064a8d4e211 +related: + - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133 + type: derived +status: experimental +description: Detects the of the "accepteula" key related to sysinternals tools being created from non sysinternals tools +references: + - Internal Research +date: 2022/08/24 +author: Nasreddine Bencherchali +logsource: + product: windows + category: registry_add +detection: + selection: + EventType: CreateKey + TargetObject|contains: + - '\PsExec' + - '\ProcDump' + - '\Handle' + - '\LiveKd' + - '\Process Explorer' + - '\PsLoglist' + - '\PsPasswd' + - '\Active Directory Explorer' + TargetObject|endswith: '\EulaAccepted' + filter: + Image|endswith: + - '\PsExec.exe' + - '\PsExec64.exe' + - '\procdump.exe' + - '\procdump64.exe' + - '\handle.exe' + - '\handle64.exe' + - '\livekd.exe' + - '\livekd64.exe' + - '\procexp.exe' + - '\procexp64.exe' + - '\psloglist.exe' + - '\psloglist64.exe' + - '\pspasswd.exe' + - '\pspasswd64.exe' + - '\ADExplorer.exe' + - '\ADExplorer64.exe' + condition: selection and not filter +falsepositives: + - Unlikely +level: high +tags: + - attack.resource_development + - attack.t1588.002 diff --git a/rules/windows/registry/registry_add/registry_add_susp_sysinternals_eula_accepted.yml b/rules/windows/registry/registry_add/registry_add_susp_sysinternals_eula_accepted.yml new file mode 100644 index 000000000..e1f5fddaa --- /dev/null +++ b/rules/windows/registry/registry_add/registry_add_susp_sysinternals_eula_accepted.yml 
@@ -0,0 +1,35 @@ +title: Usage of Suspicious Sysinternals Tools +id: c7da8edc-49ae-45a2-9e61-9fd860e4e73d +related: + - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133 + type: derived +status: experimental +description: Detects the usage of Suspicious Sysinternals Tools such as PsExec, Procdump...etc via the "accepteula" key being added to Registry +references: + - https://twitter.com/Moti_B/status/1008587936735035392 +date: 2022/08/24 +author: Nasreddine Bencherchali +logsource: + product: windows + category: registry_add +detection: + selection: + EventType: CreateKey + TargetObject|contains: + - '\PsExec' + - '\ProcDump' + - '\Handle' + - '\LiveKd' + - '\Process Explorer' + - '\PsLoglist' + - '\PsPasswd' + - '\Active Directory Explorer' + - '\Sysinternals' # Global level https://twitter.com/leonzandman/status/1561736801953382400 + TargetObject|endswith: '\EulaAccepted' + condition: selection +falsepositives: + - Legitimate use of SysInternals tools +level: medium +tags: + - attack.resource_development + - attack.t1588.002 diff --git a/rules/windows/registry/registry_add/registry_add_sysinternals_eula_accepted.yml b/rules/windows/registry/registry_add/registry_add_sysinternals_eula_accepted.yml index 7f17c2c24..ce209be72 100755 --- a/rules/windows/registry/registry_add/registry_add_sysinternals_eula_accepted.yml +++ b/rules/windows/registry/registry_add/registry_add_sysinternals_eula_accepted.yml @@ -20,5 +20,5 @@ falsepositives: - Programs that use the same Registry Key level: low tags: - - attack.resource_development - - attack.t1588.002 \ No newline at end of file + - attack.resource_development + - attack.t1588.002 \ No newline at end of file diff --git a/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml b/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml index ae48ef5e2..ee4a492b2 100755 --- a/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml 
+++ b/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml @@ -15,7 +15,7 @@ logsource: category: registry_event product: windows detection: - selection: + selection: TargetObject|contains: '\SYSTEM\CurrentControlSet\services\null\Instance' condition: selection falsepositives: diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml index 9ceff48be..d605c7e6b 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml @@ -10,6 +10,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys + - https://persistence-info.github.io/Data/userinitmprlogonscript.html # UserInitMprLogonScript date: 2019/10/25 modified: 2022/04/04 logsource: diff --git a/rules/windows/registry/registry_event/registry_event_crashdump_disabled.yml b/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml similarity index 90% rename from rules/windows/registry/registry_event/registry_event_crashdump_disabled.yml rename to rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml index be96ca227..a3c75e5a4 100644 --- a/rules/windows/registry/registry_event/registry_event_crashdump_disabled.yml +++ b/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml 
@@ -4,7 +4,7 @@ status: experimental description: Detects disabling the CrashDump per registry (as used by HermeticWiper) author: Tobias Michalski date: 2022/02/24 -modified: 2022/03/26 +modified: 2022/08/23 references: - https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/ logsource: @@ -12,6 +12,7 @@ logsource: category: registry_set detection: selection: + EventType: SetValue TargetObject|contains: 'SYSTEM\CurrentControlSet\Control\CrashControl' Details: 'DWORD (0x00000000)' condition: selection diff --git a/rules/windows/registry/registry_event/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml b/rules/windows/registry/registry_set/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml similarity index 92% rename from rules/windows/registry/registry_event/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml rename to rules/windows/registry/registry_set/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml index 08a48fe20..7a9c52e09 100644 --- a/rules/windows/registry/registry_event/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml +++ b/rules/windows/registry/registry_set/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml @@ -4,7 +4,7 @@ status: experimental description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum author: Sittikorn S, frack113 date: 2021/07/16 -modified: 2022/06/29 +modified: 2022/08/23 references: - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/ - https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/ 
@@ -17,9 +17,10 @@ tags: # - threat_group.Sourgum logsource: product: windows - category: registry_event + category: registry_set detection: selection: + EventType: SetValue TargetObject|endswith: - CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32\(Default) - CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\(Default) diff --git a/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml b/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml index f5e047e88..75a52bd13 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml @@ -3,7 +3,7 @@ id: 2f78da12-f7c7-430b-8b19-a28f269b77a3 description: Detects tempering with the "Enabled" registry key in order to disable windows logging of a windows event channel author: frack113, Nasreddine Bencherchali date: 2022/07/04 -modified: 2022/08/10 +modified: 2022/08/26 status: experimental references: - https://twitter.com/WhichbufferArda/status/1543900539280293889 @@ -22,9 +22,11 @@ detection: filter_iis: Image|startswith: 'C:\Windows\winsxs\' Image|endswith: '\TiWorker.exe' # many different TargetObjects - filter_fsmfd: + filter_svchost: Image: 'C:\Windows\System32\svchost.exe' - TargetObject|contains: '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-FileInfoMinifilter' + TargetObject|contains: + - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-FileInfoMinifilter' + - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-ASN1\' condition: selection and not 1 of filter* falsepositives: - Legitimate administrators disabling specific event log for troubleshooting 
diff --git a/rules/windows/registry/registry_event/registry_event_dns_serverlevelplugindll.yml b/rules/windows/registry/registry_set/registry_set_dns_serverlevelplugindll.yml similarity index 91% rename from rules/windows/registry/registry_event/registry_event_dns_serverlevelplugindll.yml rename to rules/windows/registry/registry_set/registry_set_dns_serverlevelplugindll.yml index 572e3ba60..38ea828ff 100755 --- a/rules/windows/registry/registry_event/registry_event_dns_serverlevelplugindll.yml +++ b/rules/windows/registry/registry_set/registry_set_dns_serverlevelplugindll.yml @@ -6,7 +6,7 @@ description: Detects the installation of a plugin DLL via ServerLevelPluginDll p references: - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83 date: 2017/05/08 -modified: 2021/09/12 +modified: 2022/08/23 author: Florian Roth tags: - attack.defense_evasion @@ -14,9 +14,10 @@ tags: - attack.t1112 logsource: product: windows - category: registry_event + category: registry_set detection: selection: + EventType: SetValue TargetObject|endswith: '\services\DNS\Parameters\ServerLevelPluginDll' condition: selection fields: diff --git a/rules/windows/registry/registry_set/registry_set_new_network_provider.yml b/rules/windows/registry/registry_set/registry_set_new_network_provider.yml new file mode 100644 index 000000000..49a746ff1 --- /dev/null +++ b/rules/windows/registry/registry_set/registry_set_new_network_provider.yml 
@@ -0,0 +1,34 @@ +title: New Network Provider - Registry +id: 0442defa-b4a2-41c9-ae2c-ea7042fc4701 +related: + - id: baef1ec6-2ca9-47a3-97cc-4cf2bda10b77 + type: similar +description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it +author: Nasreddine Bencherchali +date: 2022/08/23 +status: experimental +references: + - https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade + - https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy +logsource: + category: registry_set + product: windows +detection: + selection: + EventType: SetValue + TargetObject|contains|all: + - '\System\CurrentControlSet\Services\' + - '\NetworkProvider' + filter: + TargetObject|contains: + - '\System\CurrentControlSet\Services\WebClient\NetworkProvider' + - '\System\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider' + - '\System\CurrentControlSet\Services\RDPNP\NetworkProvider' + #- '\System\CurrentControlSet\Services\P9NP\NetworkProvider' # Related to WSL remove the comment if you use WSL in your ENV + condition: selection and not filter +falsepositives: + - Other legitimate network providers used and not filtred in this rule +level: high +tags: + - attack.credential_access + - attack.t1003 diff --git a/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml b/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml index f5fbff59d..a83c505ae 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml 
@@ -6,6 +6,7 @@ author: Nasreddine Bencherchali date: 2022/08/10 references: - https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/ + - https://persistence-info.github.io/Data/autodialdll.html logsource: category: registry_set product: windows diff --git a/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml b/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml index 5283cd144..eaa29e421 100644 --- a/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml +++ b/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml @@ -3,7 +3,7 @@ id: 4720b7df-40c3-48fd-bbdf-fd4b3c464f0d description: Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious status: experimental date: 2021/06/18 -modified: 2022/08/11 +modified: 2022/08/24 references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - https://labs.f-secure.com/blog/scheduled-task-tampering/ @@ -33,6 +33,8 @@ detection: Image: - 'C:\Program Files\Microsoft Office\root\Integration\Integrator.exe' - 'C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe' + filter_msiexec: + Image: 'C:\Windows\System32\msiexec.exe' condition: selection and not 1 of filter* falsepositives: - Unknown
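Review bot: typo in the falsepositives entry of both new network-provider rules (proc_creation_win_new_network_provider.yml and registry_set_new_network_provider.yml): `- Other legitimate network providers used and not filtred in this rule` should read `... not filtered in this rule`. The commented-out `P9NP` filter line in both would also read more clearly as `# WSL: uncomment if WSL is used in your environment`.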
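Review bot: the proc_creation_win_public_folder_parent.yml and proc_creation_win_susp_codepage_lookup.yml hunks change detection logic (new `'cmd.exe /k '` / `'cmd /k '` entries, and `' /k '` in `ParentCommandLine|contains`) without updating the `modified:` field; codepage_lookup still carries `modified: 2022/04/21` and public_folder_parent has no `modified:` line at all. The other logic changes in this patch add `modified: 2022/08/24`; these two should do the same.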
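Review bot: in proc_creation_win_susp_del.yml the new description `Detects suspicious command line to remove and 'exe' or 'dll'` has a grammar slip (`and` for `an`). More importantly, replacing `'del *.exe'` with `'del '` plus `'\*.exe'` changes the semantics: the unescaped `*` was a Sigma wildcard, while `\*.exe` now requires a literal `*.exe` in the command line, so the example in the new comment (`del /f /q 'C:\Users\user~1\AppData\Local\Temp\A8D4.exe'`) no longer satisfies `susp_del_exe` and is only caught by `susp_del_dll` through the literal `C:\ProgramData\*.dll`. If the intent was to keep matching deletions of a named executable with `/f` and `/q`, the exe selector needs the wildcard form back; if the literal wildcard deletion is the intended signal, the description should say so.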
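Review bot: in proc_creation_win_susp_schtasks_folder_combos.yml the condition changes from `all of selection*` to `all of selection_*` while `selection1_all_folders` is renamed to `selection_all_folders`. The name of the first selection (the one holding the `CommandLine|contains` list with `'powershell'` and the `cmd` variants) is outside this hunk's context; if it is called `selection` or `selection1`, the new `selection_*` pattern no longer includes it and the rule degrades to folder-only matching. Please confirm that selection also starts with `selection_`.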
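Review bot: the description in registry_add_renamed_sysinternals_eula_accepted.yml is missing a word: `Detects the of the "accepteula" key related to sysinternals tools being created from non sysinternals tools` should read `Detects the creation of the "accepteula" key ...`. The title `Usage of Suspicious Sysinternals Tools` is also identical to the title of registry_add_susp_sysinternals_eula_accepted.yml in the same patch; since this rule's point is the `\EulaAccepted` key being created by an image that is not one of the listed Sysinternals binaries (the `Image|endswith` filter), a distinct title that matches the file name, such as `Sysinternals EulaAccepted Key Created By Renamed Tool`, would avoid two rules with the same title.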
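Review bot: in registry_add_susp_sysinternals_eula_accepted.yml the added `- '\Sysinternals' # Global level` entry under `TargetObject|contains` subsumes the tool-specific entries if those keys sit under a `\Sysinternals\` parent, in which case the per-tool list adds no coverage and only one of the two forms is needed. If the broad entry is intended, the `falsepositives` line should state that any Sysinternals tool run with `-accepteula` will trigger this medium-level rule. The description also has `Procdump...etc`, which would read better as `ProcDump, etc.`.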
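Review bot: the registry_add_sysinternals_eula_accepted.yml hunk only re-indents the two `tags` entries and still ends with `\ No newline at end of file`; since the file is being touched anyway, add the trailing newline as the proc_creation_win_susp_psexex_paexec_escalate_system.yml hunk does.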
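Review bot: the two `TargetObject|contains` entries in the renamed `filter_svchost` of registry_set_disable_winevt_logging.yml are inconsistent: the new entry ends with a backslash (`'\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-ASN1\'`) while the FileInfoMinifilter entry does not, so the latter also excludes any channel whose name merely starts with `Microsoft-Windows-FileInfoMinifilter`. Use the same trailing `\` on both so each exclusion is bound to exactly one channel.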
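Review bot: the new `filter_msiexec` in registry_set_taskcache_entry.yml (`Image: 'C:\Windows\System32\msiexec.exe'`) excludes every TaskCache key created by msiexec, so a scheduled task registered by a malicious MSI package is no longer reported by this rule. Consider pairing the msiexec image with the `TargetObject` of the known installer-created tasks that caused the false positives, or at least add an entry under `falsepositives` stating that tasks registered through installers are excluded so analysts know that gap exists.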