From 3890f6b4312c03770fbfe55be2c3ca77c9e31977 Mon Sep 17 00:00:00 2001 From: Ali Alwashali Date: Sun, 21 Aug 2022 14:49:51 +0300 Subject: [PATCH 01/27] posh_ps_disable_psreadline_command_history --- ..._ps_disable_psreadline_command_history.yml | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 rules/windows/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml diff --git a/rules/windows/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml b/rules/windows/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml new file mode 100644 index 000000000..9fefb91f5 --- /dev/null +++ b/rules/windows/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml @@ -0,0 +1,22 @@ +title: Disable Powershell Command History +id: 602f5669-6927-4688-84db-0d4b7afb2150 +status: experimental +description: Powershell command history can be disabled by removing psreadline module +references: + - https://twitter.com/DissectMalware/status/1062879286749773824 +author: Ali Alwashali +date: 2022/08/21 +logsource: + product: windows + category: ps_script + definition: Script block logging must be enabled +detection: + selection: + ScriptBlockText|contains: 'Remove-Module psreadline' + condition: selection +falsepositives: + - Legitimate script +level: medium +tags: + - attack.lateral_movement + - attack.t1021.006 From 2a55d4fcee407137d7e42d3f49954d3a35ad98ec Mon Sep 17 00:00:00 2001 
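Review bot: the ATT&CK tags on the new rule in this hunk do not match what it detects: `attack.lateral_movement` with `attack.t1021.006` (Remote Services: Windows Remote Management) describes lateral movement, whereas unloading PSReadline so that command history is no longer written is defense evasion, so `attack.defense_evasion` with `attack.t1562.003` (Impair Defenses: Impair Command History Logging) is the matching technique. The single literal in `ScriptBlockText|contains: 'Remove-Module psreadline'` also only matches that exact spacing and argument order, so a script that passes the module by parameter name or with different whitespace is missed; splitting it into `ScriptBlockText|contains|all:` with the two items `- 'Remove-Module'` and `- 'psreadline'` keeps the intent and tolerates those variants. Minor: the product is spelled `PowerShell` in the title and description, and the falsepositives entry `Legitimate script` would be more useful if it said which kind of legitimate script (profile or provisioning scripts that unload the module) so triage knows what to exempt.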
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Tue, 23 Aug 2022 19:43:38 +0200 Subject: [PATCH 02/27] Clean up --- .../registry_set_crashdump_disabled.yml} | 0 .../registry_set_cve_2021_31979_cve_2021_33771_exploits.yml} | 0 .../registry_set_dns_serverlevelplugindll.yml} | 0 3 files changed, 0 insertions(+), 0 deletions(-) rename rules/windows/registry/{registry_event/registry_event_crashdump_disabled.yml => registry_set/registry_set_crashdump_disabled.yml} (100%) rename rules/windows/registry/{registry_event/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml => registry_set/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml} (100%) rename rules/windows/registry/{registry_event/registry_event_dns_serverlevelplugindll.yml => registry_set/registry_set_dns_serverlevelplugindll.yml} (100%) diff --git a/rules/windows/registry/registry_event/registry_event_crashdump_disabled.yml b/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml similarity index 100% rename from rules/windows/registry/registry_event/registry_event_crashdump_disabled.yml rename to rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml diff --git a/rules/windows/registry/registry_event/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml b/rules/windows/registry/registry_set/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml similarity index 100% rename from rules/windows/registry/registry_event/registry_event_cve_2021_31979_cve_2021_33771_exploits.yml rename to rules/windows/registry/registry_set/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml diff --git a/rules/windows/registry/registry_event/registry_event_dns_serverlevelplugindll.yml b/rules/windows/registry/registry_set/registry_set_dns_serverlevelplugindll.yml similarity index 100% rename from rules/windows/registry/registry_event/registry_event_dns_serverlevelplugindll.yml rename to rules/windows/registry/registry_set/registry_set_dns_serverlevelplugindll.yml 
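Review bot: all three renames are reported at `similarity index 100%`, so only the paths moved from `registry_event/` to `registry_set/` and the rule bodies are untouched; please confirm that each file's `logsource.category` already reads `registry_set` rather than `registry_event`, so the directory and the rule agree, and that the `id` values are unchanged, since downstream consumers key on them and a rename-only commit must not alter them. The subject `Clean up` should say what was cleaned up, for example `Move registry_set rules out of the registry_event folder`.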
From f733105daab8443b544c563eea011d656ff47979 Mon Sep 17 00:00:00 2001 
From: Ben Montour <8712103+benmontour@users.noreply.github.com> Date: Tue, 23 Aug 2022 14:20:26 -0500 Subject: [PATCH 03/27] renamed properties.message to operationName --- ...pplication_gateway_modified_or_deleted.yml | 30 +++++------ ...ion_security_group_modified_or_deleted.yml | 30 +++++------ ..._container_registry_created_or_deleted.yml | 36 ++++++------- .../azure_dns_zone_modified_or_deleted.yml | 30 +++++------ .../azure_firewall_modified_or_deleted.yml | 28 +++++----- ...ll_rule_collection_modified_or_deleted.yml | 36 ++++++------- ...azure_keyvault_key_modified_or_deleted.yml | 50 ++++++++--------- .../azure_keyvault_modified_or_deleted.yml | 40 +++++++------- ...e_keyvault_secrets_modified_or_deleted.yml | 48 ++++++++--------- .../azure_kubernetes_admission_controller.yml | 48 ++++++++--------- ..._kubernetes_cluster_created_or_deleted.yml | 37 +++++++------ .../cloud/azure/azure_kubernetes_cronjob.yml | 54 +++++++++---------- .../azure/azure_kubernetes_events_deleted.yml | 29 +++++----- ...azure_kubernetes_network_policy_change.yml | 42 +++++++-------- .../azure/azure_kubernetes_pods_deleted.yml | 26 ++++----- .../azure/azure_kubernetes_role_access.yml | 48 ++++++++--------- ...rnetes_rolebinding_modified_or_deleted.yml | 43 ++++++++------- ...ernetes_secret_or_config_object_access.yml | 38 ++++++------- ...es_service_account_modified_or_deleted.yml | 38 ++++++------- ...rk_firewall_policy_modified_or_deleted.yml | 32 +++++------ ...work_firewall_rule_modified_or_deleted.yml | 32 +++++------ ...re_network_p2s_vpn_modified_or_deleted.yml | 36 ++++++------- ...e_network_security_modified_or_deleted.yml | 36 ++++++------- ...ork_virtual_device_modified_or_deleted.yml | 46 ++++++++-------- .../azure/azure_new_cloudshell_created.yml | 25 +++++---- ...permissions_elevation_via_activitylogs.yml | 12 ++--- .../azure/azure_suppression_rule_created.yml | 26 ++++----- ...re_virtual_network_modified_or_deleted.yml | 34 ++++++------ 
...ure_vpn_connection_modified_or_deleted.yml | 28 +++++----- 29 files changed, 517 insertions(+), 521 deletions(-) diff --git a/rules/cloud/azure/azure_application_gateway_modified_or_deleted.yml b/rules/cloud/azure/azure_application_gateway_modified_or_deleted.yml index dab3bf97c..ef8ebebc8 100644 --- a/rules/cloud/azure/azure_application_gateway_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_application_gateway_modified_or_deleted.yml 
@@ -1,24 +1,24 @@ title: Azure Application Gateway Modified or Deleted id: ad87d14e-7599-4633-ba81-aeb60cfe8cd6 -description: Identifies when a application gateway is modified or deleted. -author: Austin Songer status: experimental -date: 2021/08/16 +description: Identifies when a application gateway is modified or deleted. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +author: Austin Songer +date: 2021/08/16 logsource: product: azure service: activitylogs detection: - selection: - properties.message: - - MICROSOFT.NETWORK/APPLICATIONGATEWAYS/WRITE - - MICROSOFT.NETWORK/APPLICATIONGATEWAYS/DELETE - condition: selection -level: medium -tags: - - attack.impact + selection: + operationName: + - MICROSOFT.NETWORK/APPLICATIONGATEWAYS/WRITE + - MICROSOFT.NETWORK/APPLICATIONGATEWAYS/DELETE + condition: selection falsepositives: - - Application gateway being modified or deleted may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Application gateway modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Application gateway being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Application gateway modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +tags: + - attack.impact +level: medium diff --git a/rules/cloud/azure/azure_application_security_group_modified_or_deleted.yml b/rules/cloud/azure/azure_application_security_group_modified_or_deleted.yml index a770842d0..1dc692624 100644 
--- a/rules/cloud/azure/azure_application_security_group_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_application_security_group_modified_or_deleted.yml 
@@ -1,24 +1,24 @@ title: Azure Application Security Group Modified or Deleted id: 835747f1-9329-40b5-9cc3-97d465754ce6 -description: Identifies when a application security group is modified or deleted. -author: Austin Songer status: experimental -date: 2021/08/16 +description: Identifies when a application security group is modified or deleted. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +author: Austin Songer +date: 2021/08/16 logsource: product: azure service: activitylogs detection: - selection: - properties.message: - - MICROSOFT.NETWORK/APPLICATIONSECURITYGROUPS/WRITE - - MICROSOFT.NETWORK/APPLICATIONSECURITYGROUPS/DELETE - condition: selection -level: medium -tags: - - attack.impact + selection: + operationName: + - MICROSOFT.NETWORK/APPLICATIONSECURITYGROUPS/WRITE + - MICROSOFT.NETWORK/APPLICATIONSECURITYGROUPS/DELETE + condition: selection falsepositives: - - Application security group being modified or deleted may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Application security group modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Application security group being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Application security group modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +tags: + - attack.impact +level: medium 
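Review bot: since this hunk already deletes and re-adds the description line, fix the article while touching it: `Identifies when a application security group is modified or deleted.` should read `an application security group`. The remaining changes are the `properties.message` to `operationName` rename, the field reordering and the re-indentation of `selection`, which is consistent with the other rules in the patch.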
diff --git a/rules/cloud/azure/azure_container_registry_created_or_deleted.yml b/rules/cloud/azure/azure_container_registry_created_or_deleted.yml index b394ce894..93361db37 100644 --- a/rules/cloud/azure/azure_container_registry_created_or_deleted.yml +++ b/rules/cloud/azure/azure_container_registry_created_or_deleted.yml 
@@ -1,27 +1,27 @@ title: Azure Container Registry Created or Deleted id: 93e0ef48-37c8-49ed-a02c-038aab23628e -description: Detects when a Container Registry is created or deleted. -author: Austin Songer @austinsonger status: experimental -date: 2021/08/07 +description: Detects when a Container Registry is created or deleted. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes - - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ - - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ - - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 - - https://attack.mitre.org/matrices/enterprise/cloud/ + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ + - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ + - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 + - https://attack.mitre.org/matrices/enterprise/cloud/ +author: Austin Songer @austinsonger +date: 2021/08/07 logsource: product: azure service: activitylogs detection: - selection: - properties.message: - - MICROSOFT.CONTAINERREGISTRY/REGISTRIES/WRITE - - MICROSOFT.CONTAINERREGISTRY/REGISTRIES/DELETE - condition: selection -level: low -tags: - - attack.impact + selection: + operationName: + - MICROSOFT.CONTAINERREGISTRY/REGISTRIES/WRITE + - MICROSOFT.CONTAINERREGISTRY/REGISTRIES/DELETE + condition: selection falsepositives: - - Container Registry being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
- - Container Registry created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Container Registry being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Container Registry created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +tags: + - attack.impact +level: low diff --git a/rules/cloud/azure/azure_dns_zone_modified_or_deleted.yml b/rules/cloud/azure/azure_dns_zone_modified_or_deleted.yml index 80d55642b..886d2bece 100644 --- a/rules/cloud/azure/azure_dns_zone_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_dns_zone_modified_or_deleted.yml 
@@ -1,24 +1,24 @@ title: Azure DNS Zone Modified or Deleted id: af6925b0-8826-47f1-9324-337507a0babd -description: Identifies when DNS zone is modified or deleted. -author: Austin Songer @austinsonger status: experimental -date: 2021/08/08 +description: Identifies when DNS zone is modified or deleted. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes +author: Austin Songer @austinsonger +date: 2021/08/08 logsource: product: azure service: activitylogs detection: - selection: - properties.message|startswith: MICROSOFT.NETWORK/DNSZONES - properties.message|endswith: - - /WRITE - - /DELETE - condition: selection -level: medium -tags: - - attack.impact + selection: + operationName|endswith: + - /WRITE + - /DELETE + operationName|startswith: MICROSOFT.NETWORK/DNSZONES + condition: selection falsepositives: - - DNS zone modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - DNS zone modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - DNS zone modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - DNS zone modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +tags: + - attack.impact +level: medium diff --git a/rules/cloud/azure/azure_firewall_modified_or_deleted.yml b/rules/cloud/azure/azure_firewall_modified_or_deleted.yml index 2d09758ae..609d5d479 100644 --- a/rules/cloud/azure/azure_firewall_modified_or_deleted.yml 
+++ b/rules/cloud/azure/azure_firewall_modified_or_deleted.yml @@ -1,23 +1,23 @@ title: Azure Firewall Modified or Deleted id: 512cf937-ea9b-4332-939c-4c2c94baadcd -description: Identifies when a firewall is created, modified, or deleted. -author: Austin Songer @austinsonger status: experimental -date: 2021/08/08 +description: Identifies when a firewall is created, modified, or deleted. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +author: Austin Songer @austinsonger +date: 2021/08/08 logsource: product: azure service: activitylogs detection: - selection: - properties.message: - - MICROSOFT.NETWORK/AZUREFIREWALLS/WRITE - - MICROSOFT.NETWORK/AZUREFIREWALLS/DELETE - condition: selection -level: medium -tags: - - attack.impact + selection: + operationName: + - MICROSOFT.NETWORK/AZUREFIREWALLS/WRITE + - MICROSOFT.NETWORK/AZUREFIREWALLS/DELETE + condition: selection falsepositives: - - Firewall being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Firewall modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Firewall being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Firewall modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +tags: + - attack.impact +level: medium diff --git a/rules/cloud/azure/azure_firewall_rule_collection_modified_or_deleted.yml b/rules/cloud/azure/azure_firewall_rule_collection_modified_or_deleted.yml index 30281498e..8102e8764 100644 
--- a/rules/cloud/azure/azure_firewall_rule_collection_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_firewall_rule_collection_modified_or_deleted.yml 
@@ -1,27 +1,27 @@ title: Azure Firewall Rule Collection Modified or Deleted id: 025c9fe7-db72-49f9-af0d-31341dd7dd57 -description: Identifies when Rule Collections (Application, NAT, and Network) is being modified or deleted. -author: Austin Songer @austinsonger status: experimental -date: 2021/08/08 +description: Identifies when Rule Collections (Application, NAT, and Network) is being modified or deleted. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +author: Austin Songer @austinsonger +date: 2021/08/08 logsource: product: azure service: activitylogs detection: - selection: - properties.message: - - MICROSOFT.NETWORK/AZUREFIREWALLS/APPLICATIONRULECOLLECTIONS/WRITE - - MICROSOFT.NETWORK/AZUREFIREWALLS/APPLICATIONRULECOLLECTIONS/DELETE - - MICROSOFT.NETWORK/AZUREFIREWALLS/NATRULECOLLECTIONS/WRITE - - MICROSOFT.NETWORK/AZUREFIREWALLS/NATRULECOLLECTIONS/DELETE - - MICROSOFT.NETWORK/AZUREFIREWALLS/NETWORKRULECOLLECTIONS/WRITE - - MICROSOFT.NETWORK/AZUREFIREWALLS/NETWORKRULECOLLECTIONS/DELETE - condition: selection -level: medium -tags: - - attack.impact + selection: + operationName: + - MICROSOFT.NETWORK/AZUREFIREWALLS/APPLICATIONRULECOLLECTIONS/WRITE + - MICROSOFT.NETWORK/AZUREFIREWALLS/APPLICATIONRULECOLLECTIONS/DELETE + - MICROSOFT.NETWORK/AZUREFIREWALLS/NATRULECOLLECTIONS/WRITE + - MICROSOFT.NETWORK/AZUREFIREWALLS/NATRULECOLLECTIONS/DELETE + - MICROSOFT.NETWORK/AZUREFIREWALLS/NETWORKRULECOLLECTIONS/WRITE + - MICROSOFT.NETWORK/AZUREFIREWALLS/NETWORKRULECOLLECTIONS/DELETE + condition: selection falsepositives: - - Rule Collections (Application, NAT, and Network) being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
- - Rule Collections (Application, NAT, and Network) modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Rule Collections (Application, NAT, and Network) being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Rule Collections (Application, NAT, and Network) modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +tags: + - attack.impact +level: medium diff --git a/rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml b/rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml index fe2af9ae7..1b7ab5b75 100644 --- a/rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml 
@@ -1,34 +1,34 @@ title: Azure Keyvault Key Modified or Deleted id: 80eeab92-0979-4152-942d-96749e11df40 -description: Identifies when a Keyvault Key is modified or deleted in Azure. -author: Austin Songer @austinsonger status: experimental -date: 2021/08/16 +description: Identifies when a Keyvault Key is modified or deleted in Azure. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +author: Austin Songer @austinsonger +date: 2021/08/16 logsource: product: azure service: activitylogs detection: - selection: - properties.message: - - MICROSOFT.KEYVAULT/VAULTS/KEYS/UPDATE/ACTION - - MICROSOFT.KEYVAULT/VAULTS/KEYS/CREATE - - MICROSOFT.KEYVAULT/VAULTS/KEYS/CREATE/ACTION - - MICROSOFT.KEYVAULT/VAULTS/KEYS/IMPORT/ACTION - - MICROSOFT.KEYVAULT/VAULTS/KEYS/RECOVER/ACTION - - MICROSOFT.KEYVAULT/VAULTS/KEYS/RESTORE/ACTION - - MICROSOFT.KEYVAULT/VAULTS/KEYS/DELETE - - MICROSOFT.KEYVAULT/VAULTS/KEYS/BACKUP/ACTION - - MICROSOFT.KEYVAULT/VAULTS/KEYS/PURGE/ACTION - condition: selection -level: medium -tags: - - attack.impact - - attack.credential_access - - attack.t1552 - - attack.t1552.001 + selection: + operationName: + - MICROSOFT.KEYVAULT/VAULTS/KEYS/UPDATE/ACTION + - MICROSOFT.KEYVAULT/VAULTS/KEYS/CREATE + - MICROSOFT.KEYVAULT/VAULTS/KEYS/CREATE/ACTION + - MICROSOFT.KEYVAULT/VAULTS/KEYS/IMPORT/ACTION + - MICROSOFT.KEYVAULT/VAULTS/KEYS/RECOVER/ACTION + - MICROSOFT.KEYVAULT/VAULTS/KEYS/RESTORE/ACTION + - MICROSOFT.KEYVAULT/VAULTS/KEYS/DELETE + - MICROSOFT.KEYVAULT/VAULTS/KEYS/BACKUP/ACTION + - MICROSOFT.KEYVAULT/VAULTS/KEYS/PURGE/ACTION + condition: selection falsepositives: - - Key being modified or deleted may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
- - Key modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Key being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Key modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +tags: + - attack.impact + - attack.credential_access + - attack.t1552 + - attack.t1552.001 +level: medium diff --git a/rules/cloud/azure/azure_keyvault_modified_or_deleted.yml b/rules/cloud/azure/azure_keyvault_modified_or_deleted.yml index cc596dcbf..3f82b47e5 100644 --- a/rules/cloud/azure/azure_keyvault_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_keyvault_modified_or_deleted.yml 
@@ -1,29 +1,29 @@ title: Azure Key Vault Modified or Deleted id: 459a2970-bb84-4e6a-a32e-ff0fbd99448d -description: Identifies when a key vault is modified or deleted. -author: Austin Songer @austinsonger status: experimental -date: 2021/08/16 +description: Identifies when a key vault is modified or deleted. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +author: Austin Songer @austinsonger +date: 2021/08/16 logsource: product: azure service: activitylogs detection: - selection: - properties.message: - - MICROSOFT.KEYVAULT/VAULTS/WRITE - - MICROSOFT.KEYVAULT/VAULTS/DELETE - - MICROSOFT.KEYVAULT/VAULTS/DEPLOY/ACTION - - MICROSOFT.KEYVAULT/VAULTS/ACCESSPOLICIES/WRITE - condition: selection -level: medium -tags: - - attack.impact - - attack.credential_access - - attack.t1552 - - attack.t1552.001 + selection: + operationName: + - MICROSOFT.KEYVAULT/VAULTS/WRITE + - MICROSOFT.KEYVAULT/VAULTS/DELETE + - MICROSOFT.KEYVAULT/VAULTS/DEPLOY/ACTION + - MICROSOFT.KEYVAULT/VAULTS/ACCESSPOLICIES/WRITE + condition: selection falsepositives: - - Key Vault being modified or deleted may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Key Vault modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Key Vault being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Key Vault modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. 
+tags: + - attack.impact + - attack.credential_access + - attack.t1552 + - attack.t1552.001 +level: medium diff --git a/rules/cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml b/rules/cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml index 53f85064a..9b21a9182 100644 --- a/rules/cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml 
@@ -1,33 +1,33 @@ title: Azure Keyvault Secrets Modified or Deleted id: b831353c-1971-477b-abb6-2828edc3bca1 -description: Identifies when secrets are modified or deleted in Azure. -author: Austin Songer @austinsonger status: experimental -date: 2021/08/16 +description: Identifies when secrets are modified or deleted in Azure. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +author: Austin Songer @austinsonger +date: 2021/08/16 logsource: product: azure service: activitylogs detection: - selection: - properties.message: - - MICROSOFT.KEYVAULT/VAULTS/SECRETS/WRITE - - MICROSOFT.KEYVAULT/VAULTS/SECRETS/DELETE - - MICROSOFT.KEYVAULT/VAULTS/SECRETS/BACKUP/ACTION - - MICROSOFT.KEYVAULT/VAULTS/SECRETS/PURGE/ACTION - - MICROSOFT.KEYVAULT/VAULTS/SECRETS/UPDATE/ACTION - - MICROSOFT.KEYVAULT/VAULTS/SECRETS/RECOVER/ACTION - - MICROSOFT.KEYVAULT/VAULTS/SECRETS/RESTORE/ACTION - - MICROSOFT.KEYVAULT/VAULTS/SECRETS/SETSECRET/ACTION - condition: selection -level: medium -tags: - - attack.impact - - attack.credential_access - - attack.t1552 - - attack.t1552.001 + selection: + operationName: + - MICROSOFT.KEYVAULT/VAULTS/SECRETS/WRITE + - MICROSOFT.KEYVAULT/VAULTS/SECRETS/DELETE + - MICROSOFT.KEYVAULT/VAULTS/SECRETS/BACKUP/ACTION + - MICROSOFT.KEYVAULT/VAULTS/SECRETS/PURGE/ACTION + - MICROSOFT.KEYVAULT/VAULTS/SECRETS/UPDATE/ACTION + - MICROSOFT.KEYVAULT/VAULTS/SECRETS/RECOVER/ACTION + - MICROSOFT.KEYVAULT/VAULTS/SECRETS/RESTORE/ACTION + - MICROSOFT.KEYVAULT/VAULTS/SECRETS/SETSECRET/ACTION + condition: selection falsepositives: - - Secrets being modified or deleted may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Secrets modified or deleted from unfamiliar users should be investigated. 
If known behavior is causing false positives, it can be exempted from the rule. + - Secrets being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Secrets modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +tags: + - attack.impact + - attack.credential_access + - attack.t1552 + - attack.t1552.001 +level: medium diff --git a/rules/cloud/azure/azure_kubernetes_admission_controller.yml b/rules/cloud/azure/azure_kubernetes_admission_controller.yml index 3e2dbbbae..ba4475845 100644 --- a/rules/cloud/azure/azure_kubernetes_admission_controller.yml +++ b/rules/cloud/azure/azure_kubernetes_admission_controller.yml 
@@ -1,34 +1,34 @@ title: Azure Kubernetes Admission Controller id: a61a3c56-4ce2-4351-a079-88ae4cbd2b58 -description: Identifies when an admission controller is executed in Azure Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information. -author: Austin Songer @austinsonger status: experimental +description: Identifies when an admission controller is executed in Azure Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information. 
+references: + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes +author: Austin Songer @austinsonger date: 2021/11/25 modified: 2021/11/26 -references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes logsource: product: azure service: activitylogs detection: - selection1: - properties.message|startswith: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO - properties.message|endswith: - - /MUTATINGWEBHOOKCONFIGURATIONS/WRITE - - /VALIDATINGWEBHOOKCONFIGURATIONS/WRITE - selection2: - properties.message|startswith: MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO - properties.message|endswith: - - /MUTATINGWEBHOOKCONFIGURATIONS/WRITE - - /VALIDATINGWEBHOOKCONFIGURATIONS/WRITE - condition: selection1 or selection2 -level: medium -tags: - - attack.persistence - - attack.t1078 - - attack.credential_access - - attack.t1552 - - attack.t1552.007 + selection1: + operationName|startswith: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO + operationName|endswith: + - /MUTATINGWEBHOOKCONFIGURATIONS/WRITE + - /VALIDATINGWEBHOOKCONFIGURATIONS/WRITE + selection2: + operationName|startswith: MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO + operationName|endswith: + - /MUTATINGWEBHOOKCONFIGURATIONS/WRITE + - /VALIDATINGWEBHOOKCONFIGURATIONS/WRITE + condition: selection1 or selection2 falsepositives: -- Azure Kubernetes Admissions Controller may be done by a system administrator. -- If known behavior is causing false positives, it can be exempted from the rule. + - Azure Kubernetes Admissions Controller may be done by a system administrator. + - If known behavior is causing false positives, it can be exempted from the rule. +tags: + - attack.persistence + - attack.t1078 + - attack.credential_access + - attack.t1552 + - attack.t1552.007 +level: medium 
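Review bot: the falsepositives entry `Azure Kubernetes Admissions Controller may be done by a system administrator.` is re-added unchanged but does not name an event; the selections fire on `/MUTATINGWEBHOOKCONFIGURATIONS/WRITE` and `/VALIDATINGWEBHOOKCONFIGURATIONS/WRITE`, so say what is benign, for example `Creation or update of admission webhook configurations by cluster administrators or by cluster tooling during installation`. `modified: 2021/11/26` is kept even though the detection field changes in this commit; if the project bumps `modified` when detection logic changes, it should be updated here, and the same applies to every other rule in this patch.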
diff --git a/rules/cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml b/rules/cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml index 6af9fe8ac..4ba51f245 100644 --- a/rules/cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml +++ b/rules/cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml 
@@ -1,28 +1,27 @@ title: Azure Kubernetes Cluster Created or Deleted id: 9541f321-7cba-4b43-80fc-fbd1fb922808 -description: Detects when a Azure Kubernetes Cluster is created or deleted. -author: Austin Songer @austinsonger status: experimental -date: 2021/08/07 +description: Detects when a Azure Kubernetes Cluster is created or deleted. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes - - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ - - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ - - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 - - https://attack.mitre.org/matrices/enterprise/cloud/ + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ + - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ + - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 + - https://attack.mitre.org/matrices/enterprise/cloud/ +author: Austin Songer @austinsonger +date: 2021/08/07 logsource: product: azure service: activitylogs detection: - selection: - properties.message: - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/WRITE - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/DELETE - condition: selection -level: low -tags: - - attack.impact + selection: + operationName: + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/WRITE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/DELETE + condition: selection falsepositives: - - Kubernetes cluster being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
- - Kubernetes cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. - + - Kubernetes cluster being created or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Kubernetes cluster created or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +tags: + - attack.impact +level: low diff --git a/rules/cloud/azure/azure_kubernetes_cronjob.yml b/rules/cloud/azure/azure_kubernetes_cronjob.yml index 146f196aa..276ab59e0 100644 --- a/rules/cloud/azure/azure_kubernetes_cronjob.yml +++ b/rules/cloud/azure/azure_kubernetes_cronjob.yml 
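Review bot: azure_kubernetes_cluster_created_or_deleted.yml only matches `MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/WRITE` and `/DELETE`, the Azure Arc connected-cluster resource provider, so an AKS cluster created or deleted under `MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS` never triggers it, even though the admission-controller and CronJob rules in this same patch carry a `selection2` for that provider. Add a second selection with `operationName: MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/WRITE` and `/DELETE`, or narrow the title and description to connected clusters. The same gap exists in the events-deleted, network-policy, pods-deleted, role, rolebinding, secret/configmap and service-account rules further down, which all match the CONNECTEDCLUSTERS prefix only. Minor: "a Azure Kubernetes Cluster" in the description should read "an Azure Kubernetes Cluster".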
@@ -1,34 +1,34 @@ title: Azure Kubernetes CronJob id: 1c71e254-6655-42c1-b2d6-5e4718d7fc0a -description: Identifies when a Azure Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. An Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster. -author: Austin Songer @austinsonger status: experimental -date: 2021/11/22 +description: Identifies when a Azure Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. An Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster. 
references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes - - https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/ - - https://kubernetes.io/docs/concepts/workloads/controllers/job/ - - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/ + - https://kubernetes.io/docs/concepts/workloads/controllers/job/ + - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ +author: Austin Songer @austinsonger +date: 2021/11/22 logsource: - product: azure - service: activitylogs + product: azure + service: activitylogs detection: - selection1: - properties.message|startswith: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/BATCH - properties.message|endswith: - - /CRONJOBS/WRITE - - /JOBS/WRITE - selection2: - properties.message|startswith: MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/BATCH - properties.message|endswith: - - /CRONJOBS/WRITE - - /JOBS/WRITE - condition: selection1 or selection2 -level: medium -tags: - - attack.persistence - - attack.privilege_escalation - - attack.execution + selection1: + operationName|startswith: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/BATCH + operationName|endswith: + - /CRONJOBS/WRITE + - /JOBS/WRITE + selection2: + operationName|startswith: MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/BATCH + operationName|endswith: + - /CRONJOBS/WRITE + - /JOBS/WRITE + condition: selection1 or selection2 falsepositives: - - Azure Kubernetes CronJob/Job may be done by a system administrator. - - If known behavior is causing false positives, it can be exempted from the rule. + - Azure Kubernetes CronJob/Job may be done by a system administrator. + - If known behavior is causing false positives, it can be exempted from the rule. 
+tags: + - attack.persistence + - attack.privilege_escalation + - attack.execution +level: medium diff --git a/rules/cloud/azure/azure_kubernetes_events_deleted.yml b/rules/cloud/azure/azure_kubernetes_events_deleted.yml index 7c4aefd91..a1f4ebfb5 100644 --- a/rules/cloud/azure/azure_kubernetes_events_deleted.yml +++ b/rules/cloud/azure/azure_kubernetes_events_deleted.yml 
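Review bot: in azure_kubernetes_cronjob.yml the description says the rule fires when a CronJob "runs in Azure Cloud", but both selections match `/CRONJOBS/WRITE` and `/JOBS/WRITE`, i.e. the creation or modification of a CronJob or Job object through the API; the selection cannot tell a scheduled run from an operator creating the object. Reword the description to "is created or modified" (and the title to match) so an analyst knows what the alert actually means, and add a `modified` date for the field rename.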
@@ -1,24 +1,23 @@ title: Azure Kubernetes Events Deleted id: 225d8b09-e714-479c-a0e4-55e6f29adf35 -description: Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection. -author: Austin Songer @austinsonger status: experimental -date: 2021/07/24 +description: Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes - - https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml +author: Austin Songer @austinsonger +date: 2021/07/24 logsource: product: azure service: activitylogs detection: - selection_operation_name: - properties.message: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE - condition: selection_operation_name -level: medium -tags: - - attack.defense_evasion - - attack.t1562 - - attack.t1562.001 + selection: + operationName: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE + condition: selection falsepositives: -- Event deletions may be done by a system or network administrator. Verify whether the username, hostname, and/or resource name should be making changes in your environment. Events deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. - + - Event deletions may be done by a system or network administrator. 
Verify whether the username, hostname, and/or resource name should be making changes in your environment. Events deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +tags: + - attack.defense_evasion + - attack.t1562 + - attack.t1562.001 +level: medium diff --git a/rules/cloud/azure/azure_kubernetes_network_policy_change.yml b/rules/cloud/azure/azure_kubernetes_network_policy_change.yml index e731c0d87..1f8c0d632 100644 --- a/rules/cloud/azure/azure_kubernetes_network_policy_change.yml +++ b/rules/cloud/azure/azure_kubernetes_network_policy_change.yml 
@@ -1,30 +1,30 @@ title: Azure Kubernetes Network Policy Change id: 08d6ac24-c927-4469-b3b7-2e422d6e3c43 -description: Identifies when a Azure Kubernetes network policy is modified or deleted. -author: Austin Songer @austinsonger status: experimental -date: 2021/08/07 +description: Identifies when a Azure Kubernetes network policy is modified or deleted. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes - - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ - - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ - - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 - - https://attack.mitre.org/matrices/enterprise/cloud/ + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ + - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ + - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 + - https://attack.mitre.org/matrices/enterprise/cloud/ +author: Austin Songer @austinsonger +date: 2021/08/07 logsource: product: azure service: activitylogs detection: - selection: - properties.message: - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/WRITE - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/DELETE - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/WRITE - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/DELETE - condition: selection -level: medium -tags: - - attack.impact - - attack.credential_access + selection: + operationName: + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/WRITE + - 
MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/NETWORKING.K8S.IO/NETWORKPOLICIES/DELETE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/WRITE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EXTENSIONS/NETWORKPOLICIES/DELETE + condition: selection falsepositives: - - Network Policy being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Network Policy being modified and deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Network Policy being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Network Policy being modified and deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +tags: + - attack.impact + - attack.credential_access +level: medium diff --git a/rules/cloud/azure/azure_kubernetes_pods_deleted.yml b/rules/cloud/azure/azure_kubernetes_pods_deleted.yml index ac7d0e1df..63c1276af 100644 --- a/rules/cloud/azure/azure_kubernetes_pods_deleted.yml +++ b/rules/cloud/azure/azure_kubernetes_pods_deleted.yml 
@@ -1,22 +1,22 @@ title: Azure Kubernetes Pods Deleted id: b02f9591-12c3-4965-986a-88028629b2e1 -description: Identifies the deletion of Azure Kubernetes Pods. -author: Austin Songer @austinsonger status: experimental -date: 2021/07/24 +description: Identifies the deletion of Azure Kubernetes Pods. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes - - https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml +author: Austin Songer @austinsonger +date: 2021/07/24 logsource: product: azure service: activitylogs detection: - selection_operation_name: - properties.message: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE - condition: selection_operation_name -level: medium -tags: - - attack.impact + selection: + operationName: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE + condition: selection falsepositives: -- Pods may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. -- Pods deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Pods may be deleted by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Pods deletions from unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +tags: + - attack.impact +level: medium 
diff --git a/rules/cloud/azure/azure_kubernetes_role_access.yml b/rules/cloud/azure/azure_kubernetes_role_access.yml index b13335b6b..4d7c79d5c 100644 --- a/rules/cloud/azure/azure_kubernetes_role_access.yml +++ b/rules/cloud/azure/azure_kubernetes_role_access.yml 
@@ -1,33 +1,33 @@ title: Azure Kubernetes Sensitive Role Access id: 818fee0c-e0ec-4e45-824e-83e4817b0887 -description: Identifies when ClusterRoles/Roles are being modified or deleted. -author: Austin Songer @austinsonger status: experimental -date: 2021/08/07 +description: Identifies when ClusterRoles/Roles are being modified or deleted. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes - - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ - - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ - - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 - - https://attack.mitre.org/matrices/enterprise/cloud/ + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ + - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ + - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 + - https://attack.mitre.org/matrices/enterprise/cloud/ +author: Austin Songer @austinsonger +date: 2021/08/07 logsource: product: azure service: activitylogs detection: - selection: - properties.message: - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/WRITE - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/DELETE - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/BIND/ACTION - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/ESCALATE/ACTION - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/WRITE - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/DELETE - - 
MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/BIND/ACTION - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/ESCALATE/ACTION - condition: selection -level: medium -tags: - - attack.impact + selection: + operationname: + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/WRITE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/DELETE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/BIND/ACTION + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/ESCALATE/ACTION + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/WRITE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/DELETE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/BIND/ACTION + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLES/ESCALATE/ACTION + condition: selection falsepositives: - - ClusterRoles/Roles being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - ClusterRoles/Roles modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - ClusterRoles/Roles being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - ClusterRoles/Roles modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +tags: + - attack.impact +level: medium diff --git a/rules/cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml b/rules/cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml index 923169ffe..c5b2a933b 100644 
--- a/rules/cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml 
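Review bot: in azure_kubernetes_role_access.yml the selection key is `operationname:` (lower-case n) while every other rule in this patch uses `operationName:`; field names are taken literally by Sigma backends and field mappings, so this one rule will be mapped or matched differently from its siblings, or not at all. Change it to `operationName:`.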
@@ -1,31 +1,30 @@ title: Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted id: 25cb259b-bbdc-4b87-98b7-90d7c72f8743 -description: Detects the creation or patching of potential malicious RoleBinding/ClusterRoleBinding. -author: Austin Songer @austinsonger status: experimental -date: 2021/08/07 +description: Detects the creation or patching of potential malicious RoleBinding/ClusterRoleBinding. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes - - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ - - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ - - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 - - https://attack.mitre.org/matrices/enterprise/cloud/ + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ + - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ + - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 + - https://attack.mitre.org/matrices/enterprise/cloud/ +author: Austin Songer @austinsonger +date: 2021/08/07 logsource: product: azure service: activitylogs detection: - selection: - properties.message: - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/DELETE - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/WRITE - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/DELETE - condition: selection -level: medium -tags: - - attack.impact - - attack.credential_access + selection: 
+ operationName: + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/WRITE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/CLUSTERROLEBINDINGS/DELETE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/WRITE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLEBINDINGS/DELETE + condition: selection falsepositives: - - RoleBinding/ClusterRoleBinding being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - RoleBinding/ClusterRoleBinding modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. - + - RoleBinding/ClusterRoleBinding being modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - RoleBinding/ClusterRoleBinding modification from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +tags: + - attack.impact + - attack.credential_access +level: medium diff --git a/rules/cloud/azure/azure_kubernetes_secret_or_config_object_access.yml b/rules/cloud/azure/azure_kubernetes_secret_or_config_object_access.yml index 3f24ab0ba..5474c3f4e 100644 --- a/rules/cloud/azure/azure_kubernetes_secret_or_config_object_access.yml +++ b/rules/cloud/azure/azure_kubernetes_secret_or_config_object_access.yml 
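Review bot: in azure_kubernetes_rolebinding_modified_or_deleted.yml the description ("Detects the creation or patching of potential malicious RoleBinding/ClusterRoleBinding") omits deletion, although half of the selection is `.../CLUSTERROLEBINDINGS/DELETE` and `.../ROLEBINDINGS/DELETE` and the title says "Modified and Deleted"; align the description with the selection ("created, modified or deleted"). Also consider whether `attack.credential_access` belongs on this rule: a binding change grants or removes authorization, which reads as persistence or privilege escalation rather than credential theft.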
@@ -1,28 +1,28 @@ title: Azure Kubernetes Secret or Config Object Access id: 7ee0b4aa-d8d4-4088-b661-20efdf41a04c -description: Identifies when a Kubernetes account access a sensitive objects such as configmaps or secrets. -author: Austin Songer @austinsonger status: experimental -date: 2021/08/07 +description: Identifies when a Kubernetes account access a sensitive objects such as configmaps or secrets. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes - - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ - - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ - - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 - - https://attack.mitre.org/matrices/enterprise/cloud/ + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ + - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ + - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 + - https://attack.mitre.org/matrices/enterprise/cloud/ +author: Austin Songer @austinsonger +date: 2021/08/07 logsource: product: azure service: activitylogs detection: - selection: - properties.message: - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/WRITE - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/DELETE - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/WRITE - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/DELETE - condition: selection -level: medium -tags: - - attack.impact + selection: + operationName: + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/WRITE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/CONFIGMAPS/DELETE + - 
MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/WRITE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SECRETS/DELETE + condition: selection falsepositives: - - Sensitive objects may be accessed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Sensitive objects accessed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Sensitive objects may be accessed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. Sensitive objects accessed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +tags: + - attack.impact +level: medium diff --git a/rules/cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml b/rules/cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml index 6a56ea6c6..b23a8e7d5 100644 --- a/rules/cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml 
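Review bot: azure_kubernetes_secret_or_config_object_access.yml is titled and described as detecting access to secrets and configmaps, but the selection only lists write and delete operations (`.../SECRETS/WRITE`, `.../SECRETS/DELETE` and the configmap equivalents); a read of a secret, the case the description implies, does not match. Either add the corresponding read operations, if they are emitted to activity logs, or retitle the rule to "Secret or Config Object Modified or Deleted" and fix the description ("when a Kubernetes account access a sensitive objects" should read "when a Kubernetes account modifies or deletes sensitive objects").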
@@ -1,28 +1,28 @@ title: Azure Kubernetes Service Account Modified or Deleted id: 12d027c3-b48c-4d9d-8bb6-a732200034b2 -description: Identifies when a service account is modified or deleted. -author: Austin Songer @austinsonger status: experimental -date: 2021/08/07 +description: Identifies when a service account is modified or deleted. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes - - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ - - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ - - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 - - https://attack.mitre.org/matrices/enterprise/cloud/ + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes + - https://www.microsoft.com/security/blog/2021/03/23/secure-containerized-environments-with-updated-threat-matrix-for-kubernetes/ + - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ + - https://medium.com/mitre-engenuity/att-ck-for-containers-now-available-4c2359654bf1 + - https://attack.mitre.org/matrices/enterprise/cloud/ +author: Austin Songer @austinsonger +date: 2021/08/07 logsource: product: azure service: activitylogs detection: - selection: - properties.message: - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/WRITE - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/DELETE - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/IMPERSONATE/ACTION - condition: selection -level: medium -tags: - - attack.impact + selection: + operationName: + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/WRITE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/DELETE + - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/IMPERSONATE/ACTION + condition: selection falsepositives: 
- - Service account being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Service account modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Service account being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Service account modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +tags: + - attack.impact +level: medium diff --git a/rules/cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml b/rules/cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml index 2a36bbdab..ad4fdd0e6 100644 --- a/rules/cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml 
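Review bot: in azure_kubernetes_service_account_modified_or_deleted.yml the selection includes `MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/SERVICEACCOUNTS/IMPERSONATE/ACTION`, which is neither a modification nor a deletion and is arguably the most interesting of the three operations, since impersonating a service account yields its permissions; mention impersonation in the description and falsepositives so the alert text is not misleading, or split it into its own rule with a higher level.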
@@ -1,25 +1,25 @@ title: Azure Network Firewall Policy Modified or Deleted id: 83c17918-746e-4bd9-920b-8e098bf88c23 -description: Identifies when a Firewall Policy is Modified or Deleted. -author: Austin Songer @austinsonger status: experimental -date: 2021/09/02 +description: Identifies when a Firewall Policy is Modified or Deleted. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +author: Austin Songer @austinsonger +date: 2021/09/02 logsource: product: azure service: activitylogs detection: - selection: - properties.message: - - MICROSOFT.NETWORK/FIREWALLPOLICIES/WRITE - - MICROSOFT.NETWORK/FIREWALLPOLICIES/JOIN/ACTION - - MICROSOFT.NETWORK/FIREWALLPOLICIES/CERTIFICATES/ACTION - - MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE - condition: selection -level: medium -tags: - - attack.impact + selection: + operationName: + - MICROSOFT.NETWORK/FIREWALLPOLICIES/WRITE + - MICROSOFT.NETWORK/FIREWALLPOLICIES/JOIN/ACTION + - MICROSOFT.NETWORK/FIREWALLPOLICIES/CERTIFICATES/ACTION + - MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE + condition: selection falsepositives: - - Firewall Policy being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Firewall Policy modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Firewall Policy being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Firewall Policy modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +tags: + - attack.impact +level: medium 
diff --git a/rules/cloud/azure/azure_network_firewall_rule_modified_or_deleted.yml b/rules/cloud/azure/azure_network_firewall_rule_modified_or_deleted.yml index a2ab1da57..ae11eb3b3 100644 --- a/rules/cloud/azure/azure_network_firewall_rule_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_network_firewall_rule_modified_or_deleted.yml 
@@ -1,25 +1,25 @@ title: Azure Firewall Rule Configuration Modified or Deleted id: 2a7d64cf-81fa-4daf-ab1b-ab80b789c067 -description: Identifies when a Firewall Rule Configuration is Modified or Deleted. -author: Austin Songer @austinsonger status: experimental -date: 2021/08/08 +description: Identifies when a Firewall Rule Configuration is Modified or Deleted. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +author: Austin Songer @austinsonger +date: 2021/08/08 logsource: product: azure service: activitylogs detection: - selection: - properties.message: - - MICROSOFT.NETWORK/FIREWALLPOLICIES/RULECOLLECTIONGROUPS/WRITE - - MICROSOFT.NETWORK/FIREWALLPOLICIES/RULECOLLECTIONGROUPS/DELETE - - MICROSOFT.NETWORK/FIREWALLPOLICIES/RULEGROUPS/WRITE - - MICROSOFT.NETWORK/FIREWALLPOLICIES/RULEGROUPS/DELETE - condition: selection -level: medium -tags: - - attack.impact + selection: + operationName: + - MICROSOFT.NETWORK/FIREWALLPOLICIES/RULECOLLECTIONGROUPS/WRITE + - MICROSOFT.NETWORK/FIREWALLPOLICIES/RULECOLLECTIONGROUPS/DELETE + - MICROSOFT.NETWORK/FIREWALLPOLICIES/RULEGROUPS/WRITE + - MICROSOFT.NETWORK/FIREWALLPOLICIES/RULEGROUPS/DELETE + condition: selection falsepositives: - - Firewall Rule Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Firewall Rule Configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Firewall Rule Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - Firewall Rule Configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +tags: + - attack.impact +level: medium diff --git a/rules/cloud/azure/azure_network_p2s_vpn_modified_or_deleted.yml b/rules/cloud/azure/azure_network_p2s_vpn_modified_or_deleted.yml index c54bd0d56..d422e6c47 100644 --- a/rules/cloud/azure/azure_network_p2s_vpn_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_network_p2s_vpn_modified_or_deleted.yml 
@@ -1,27 +1,27 @@ title: Azure Point-to-site VPN Modified or Deleted id: d9557b75-267b-4b43-922f-a775e2d1f792 -description: Identifies when a Point-to-site VPN is Modified or Deleted. -author: Austin Songer @austinsonger status: experimental -date: 2021/08/08 +description: Identifies when a Point-to-site VPN is Modified or Deleted. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +author: Austin Songer @austinsonger +date: 2021/08/08 logsource: product: azure service: activitylogs detection: - selection: - properties.message: - - MICROSOFT.NETWORK/P2SVPNGATEWAYS/WRITE - - MICROSOFT.NETWORK/P2SVPNGATEWAYS/DELETE - - MICROSOFT.NETWORK/P2SVPNGATEWAYS/RESET/ACTION - - MICROSOFT.NETWORK/P2SVPNGATEWAYS/GENERATEVPNPROFILE/ACTION - - MICROSOFT.NETWORK/P2SVPNGATEWAYS/DISCONNECTP2SVPNCONNECTIONS/ACTION - - MICROSOFT.NETWORK/P2SVPNGATEWAYS/PROVIDERS/MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/WRITE - condition: selection -level: medium -tags: - - attack.impact + selection: + operationName: + - MICROSOFT.NETWORK/P2SVPNGATEWAYS/WRITE + - MICROSOFT.NETWORK/P2SVPNGATEWAYS/DELETE + - MICROSOFT.NETWORK/P2SVPNGATEWAYS/RESET/ACTION + - MICROSOFT.NETWORK/P2SVPNGATEWAYS/GENERATEVPNPROFILE/ACTION + - MICROSOFT.NETWORK/P2SVPNGATEWAYS/DISCONNECTP2SVPNCONNECTIONS/ACTION + - MICROSOFT.NETWORK/P2SVPNGATEWAYS/PROVIDERS/MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/WRITE + condition: selection falsepositives: - - Point-to-site VPN being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Point-to-site VPN modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. 
+ - Point-to-site VPN being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Point-to-site VPN modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +tags: + - attack.impact +level: medium diff --git a/rules/cloud/azure/azure_network_security_modified_or_deleted.yml b/rules/cloud/azure/azure_network_security_modified_or_deleted.yml index cd2f06382..9cd57c6e3 100644 --- a/rules/cloud/azure/azure_network_security_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_network_security_modified_or_deleted.yml 
@@ -1,27 +1,27 @@ title: Azure Network Security Configuration Modified or Deleted id: d22b4df4-5a67-4859-a578-8c9a0b5af9df -description: Identifies when a network security configuration is modified or deleted. -author: Austin Songer @austinsonger status: experimental -date: 2021/08/08 +description: Identifies when a network security configuration is modified or deleted. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +author: Austin Songer @austinsonger +date: 2021/08/08 logsource: product: azure service: activitylogs detection: - selection: - properties.message: - - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE - - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/DELETE - - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE - - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/DELETE - - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/JOIN/ACTION - - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/PROVIDERS/MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/WRITE - condition: selection -level: medium -tags: - - attack.impact + selection: + operationName: + - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE + - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/DELETE + - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/WRITE + - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/SECURITYRULES/DELETE + - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/JOIN/ACTION + - MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/PROVIDERS/MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/WRITE + condition: selection falsepositives: - - Network Security Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Network Security Configuration modified or deleted from unfamiliar users should be investigated. 
If known behavior is causing false positives, it can be exempted from the rule. + - Network Security Configuration being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Network Security Configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +tags: + - attack.impact +level: medium diff --git a/rules/cloud/azure/azure_network_virtual_device_modified_or_deleted.yml b/rules/cloud/azure/azure_network_virtual_device_modified_or_deleted.yml index 5eefd7274..8476562c9 100644 --- a/rules/cloud/azure/azure_network_virtual_device_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_network_virtual_device_modified_or_deleted.yml 
@@ -1,32 +1,32 @@ title: Azure Virtual Network Device Modified or Deleted id: 15ef3fac-f0f0-4dc4-ada0-660aa72980b3 -description: Identifies when a virtual network device is being modified or deleted. This can be a network interface, network virtual appliance, virtual hub, or virtual router. -author: Austin Songer @austinsonger status: experimental -date: 2021/08/08 +description: Identifies when a virtual network device is being modified or deleted. This can be a network interface, network virtual appliance, virtual hub, or virtual router. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +author: Austin Songer @austinsonger +date: 2021/08/08 logsource: product: azure service: activitylogs detection: - selection: - properties.message: - - MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/WRITE - - MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/DELETE - - MICROSOFT.NETWORK/NETWORKINTERFACES/WRITE - - MICROSOFT.NETWORK/NETWORKINTERFACES/JOIN/ACTION - - MICROSOFT.NETWORK/NETWORKINTERFACES/DELETE - - MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/DELETE - - MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/WRITE - - MICROSOFT.NETWORK/VIRTUALHUBS/DELETE - - MICROSOFT.NETWORK/VIRTUALHUBS/WRITE - - MICROSOFT.NETWORK/VIRTUALROUTERS/WRITE - - MICROSOFT.NETWORK/VIRTUALROUTERS/DELETE - condition: selection -level: medium -tags: - - attack.impact + selection: + operationName: + - MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/WRITE + - MICROSOFT.NETWORK/NETWORKINTERFACES/TAPCONFIGURATIONS/DELETE + - MICROSOFT.NETWORK/NETWORKINTERFACES/WRITE + - MICROSOFT.NETWORK/NETWORKINTERFACES/JOIN/ACTION + - MICROSOFT.NETWORK/NETWORKINTERFACES/DELETE + - MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/DELETE + - MICROSOFT.NETWORK/NETWORKVIRTUALAPPLIANCES/WRITE + - MICROSOFT.NETWORK/VIRTUALHUBS/DELETE + - 
MICROSOFT.NETWORK/VIRTUALHUBS/WRITE + - MICROSOFT.NETWORK/VIRTUALROUTERS/WRITE + - MICROSOFT.NETWORK/VIRTUALROUTERS/DELETE + condition: selection falsepositives: - - Virtual Network Device being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Virtual Network Device modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Virtual Network Device being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Virtual Network Device modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +tags: + - attack.impact +level: medium diff --git a/rules/cloud/azure/azure_new_cloudshell_created.yml b/rules/cloud/azure/azure_new_cloudshell_created.yml index faa1a2c7b..9700d3d83 100644 --- a/rules/cloud/azure/azure_new_cloudshell_created.yml +++ b/rules/cloud/azure/azure_new_cloudshell_created.yml 
@@ -1,22 +1,21 @@ title: Azure New CloudShell Created id: 72af37e2-ec32-47dc-992b-bc288a2708cb -description: Identifies when a new cloudshell is created inside of Azure portal. -author: Austin Songer status: experimental -date: 2021/09/21 +description: Identifies when a new cloudshell is created inside of Azure portal. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +author: Austin Songer +date: 2021/09/21 logsource: product: azure service: activitylogs detection: - selection: - properties.message: MICROSOFT.PORTAL/CONSOLES/WRITE - condition: selection -level: medium -tags: - - attack.execution - - attack.t1059 + selection: + operationName: MICROSOFT.PORTAL/CONSOLES/WRITE + condition: selection falsepositives: - - A new cloudshell may be created by a system administrator. - + - A new cloudshell may be created by a system administrator. +tags: + - attack.execution + - attack.t1059 +level: medium diff --git a/rules/cloud/azure/azure_subscription_permissions_elevation_via_activitylogs.yml b/rules/cloud/azure/azure_subscription_permissions_elevation_via_activitylogs.yml index 37c184fd9..0b4000b57 100644 --- a/rules/cloud/azure/azure_subscription_permissions_elevation_via_activitylogs.yml +++ b/rules/cloud/azure/azure_subscription_permissions_elevation_via_activitylogs.yml 
@@ -1,21 +1,21 @@ title: Azure Subscription Permission Elevation Via ActivityLogs id: 09438caa-07b1-4870-8405-1dbafe3dad95 status: experimental -author: Austin Songer @austinsonger -date: 2021/11/26 description: Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment. references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization +author: Austin Songer @austinsonger +date: 2021/11/26 logsource: product: azure service: activitylogs detection: - selection1: - properties.message: MICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION - condition: selection1 -level: high + selection: + operationName: MICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION + condition: selection falsepositives: - If this was approved by System Administrator. tags: - attack.initial_access - attack.t1078 +level: high diff --git a/rules/cloud/azure/azure_suppression_rule_created.yml b/rules/cloud/azure/azure_suppression_rule_created.yml index 7c079c960..ecf5c81cb 100644 --- a/rules/cloud/azure/azure_suppression_rule_created.yml +++ b/rules/cloud/azure/azure_suppression_rule_created.yml 
@@ -1,22 +1,22 @@ title: Azure Suppression Rule Created id: 92cc3e5d-eb57-419d-8c16-5c63f325a401 -description: Identifies when a suppression rule is created in Azure. Adversary's could attempt this to evade detection. -author: Austin Songer status: experimental -date: 2021/08/16 +description: Identifies when a suppression rule is created in Azure. Adversary's could attempt this to evade detection. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +author: Austin Songer +date: 2021/08/16 logsource: product: azure service: activitylogs detection: - selection: - properties.message: MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE - condition: selection -level: medium -tags: - - attack.impact + selection: + operationName: MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE + condition: selection falsepositives: - - Suppression Rule being created may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Suppression Rule created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Suppression Rule being created may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Suppression Rule created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +tags: + - attack.impact +level: medium diff --git a/rules/cloud/azure/azure_virtual_network_modified_or_deleted.yml b/rules/cloud/azure/azure_virtual_network_modified_or_deleted.yml index 40a1604f6..0fd8bf918 100644 --- a/rules/cloud/azure/azure_virtual_network_modified_or_deleted.yml 
+++ b/rules/cloud/azure/azure_virtual_network_modified_or_deleted.yml @@ -1,26 +1,26 @@ title: Azure Virtual Network Modified or Deleted id: bcfcc962-0e4a-4fd9-84bb-a833e672df3f -description: Identifies when a Virtual Network is modified or deleted in Azure. -author: Austin Songer @austinsonger status: experimental -date: 2021/08/08 +description: Identifies when a Virtual Network is modified or deleted in Azure. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +author: Austin Songer @austinsonger +date: 2021/08/08 logsource: product: azure service: activitylogs detection: - selection: - properties.message|startswith: - - MICROSOFT.NETWORK/VIRTUALNETWORKGATEWAYS/ - - MICROSOFT.NETWORK/VIRTUALNETWORKS/ - properties.message|endswith: - - /WRITE - - /DELETE - condition: selection -level: medium -tags: - - attack.impact + selection: + operationName|startswith: + - MICROSOFT.NETWORK/VIRTUALNETWORKGATEWAYS/ + - MICROSOFT.NETWORK/VIRTUALNETWORKS/ + operationName|endswith: + - /WRITE + - /DELETE + condition: selection falsepositives: - - Virtual Network being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - Virtual Network modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - Virtual Network being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Virtual Network modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +tags: + - attack.impact +level: medium 
diff --git a/rules/cloud/azure/azure_vpn_connection_modified_or_deleted.yml b/rules/cloud/azure/azure_vpn_connection_modified_or_deleted.yml index e7cc2e36b..819b03d1f 100644 --- a/rules/cloud/azure/azure_vpn_connection_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_vpn_connection_modified_or_deleted.yml 
@@ -1,23 +1,23 @@ title: Azure VPN Connection Modified or Deleted id: 61171ffc-d79c-4ae5-8e10-9323dba19cd3 -description: Identifies when a VPN connection is modified or deleted. -author: Austin Songer @austinsonger status: experimental -date: 2021/08/08 +description: Identifies when a VPN connection is modified or deleted. references: - - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations + - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations +author: Austin Songer @austinsonger +date: 2021/08/08 logsource: product: azure service: activitylogs detection: - selection: - properties.message: - - MICROSOFT.NETWORK/VPNGATEWAYS/VPNCONNECTIONS/WRITE - - MICROSOFT.NETWORK/VPNGATEWAYS/VPNCONNECTIONS/DELETE - condition: selection -level: medium -tags: - - attack.impact + selection: + operationName: + - MICROSOFT.NETWORK/VPNGATEWAYS/VPNCONNECTIONS/WRITE + - MICROSOFT.NETWORK/VPNGATEWAYS/VPNCONNECTIONS/DELETE + condition: selection falsepositives: - - VPN Connection being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - - VPN Connection modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + - VPN Connection being modified or deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - VPN Connection modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. +tags: + - attack.impact +level: medium From 6aabfaba4fbdb7489717ec36206b4d5841584746 Mon Sep 17 00:00:00 2001 
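Review bot: in the azure_network_firewall_rule_modified_or_deleted.yml hunk the detection field changes from properties.message to operationName, which changes what the rule matches, yet no modified: date is added next to date: 2021/08/08; add a modified: entry with this commit's date, and do the same in every other rule in this commit whose selection was rewritten. The references item in that hunk is also removed and re-added with no visible difference, so that part is whitespace-only churn; if it is an indentation normalisation, say so in the commit message so reviewers can skip it.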
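Review bot: the operationName values in the azure_network_security_modified_or_deleted.yml hunk (MICROSOFT.NETWORK/NETWORKSECURITYGROUPS/WRITE and the rest) are upper case while the field name is camel case; this only works because Sigma treats string value matching as case-insensitive, whereas the field name is resolved by the backend mapping exactly as written. Confirm the Azure activitylogs backend configuration maps operationName (not operationname or properties.message) and keeps value matching case-insensitive, otherwise the rename leaves these rules matching nothing.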
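Review bot: in the azure_virtual_network_modified_or_deleted.yml hunk, operationName|startswith MICROSOFT.NETWORK/VIRTUALNETWORKS/ combined with operationName|endswith /WRITE or /DELETE matches every write or delete under that prefix, including operations on sub-resources nested beneath the virtual network, not only the gateway and network objects named in the title. Either document that breadth in description or falsepositives, or list exact operation values as the sibling rules in this commit do.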
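Review bot: the azure_suppression_rule_created.yml hunk re-adds the description line with the typo "Adversary's could" intact; since the line is already in the diff, change it to "Adversaries could". The second falsepositives item ("Verify whether the user identity, user agent, and/or hostname ...") is a continuation of the first item rather than a separate false positive, so merge it into the first item the way the other rules in this commit phrase it.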
From: Ben Montour <8712103+benmontour@users.noreply.github.com> Date: Tue, 23 Aug 2022 14:32:10 -0500 Subject: [PATCH 04/27] added modified field with current date --- .../azure/azure_application_gateway_modified_or_deleted.yml | 1 + .../azure_application_security_group_modified_or_deleted.yml | 1 + .../azure/azure_container_registry_created_or_deleted.yml | 1 + rules/cloud/azure/azure_dns_zone_modified_or_deleted.yml | 1 + rules/cloud/azure/azure_firewall_modified_or_deleted.yml | 1 + .../azure_firewall_rule_collection_modified_or_deleted.yml | 1 + rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml | 1 + rules/cloud/azure/azure_keyvault_modified_or_deleted.yml | 1 + .../cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml | 1 + rules/cloud/azure/azure_kubernetes_admission_controller.yml | 2 +- .../azure/azure_kubernetes_cluster_created_or_deleted.yml | 1 + rules/cloud/azure/azure_kubernetes_cronjob.yml | 1 + rules/cloud/azure/azure_kubernetes_events_deleted.yml | 1 + rules/cloud/azure/azure_kubernetes_network_policy_change.yml | 1 + rules/cloud/azure/azure_kubernetes_pods_deleted.yml | 1 + rules/cloud/azure/azure_kubernetes_role_access.yml | 3 ++- .../azure/azure_kubernetes_rolebinding_modified_or_deleted.yml | 1 + .../azure/azure_kubernetes_secret_or_config_object_access.yml | 1 + .../azure_kubernetes_service_account_modified_or_deleted.yml | 1 + .../azure_network_firewall_policy_modified_or_deleted.yml | 1 + .../azure/azure_network_firewall_rule_modified_or_deleted.yml | 1 + .../cloud/azure/azure_network_p2s_vpn_modified_or_deleted.yml | 1 + .../cloud/azure/azure_network_security_modified_or_deleted.yml | 1 + .../azure/azure_network_virtual_device_modified_or_deleted.yml | 1 + rules/cloud/azure/azure_new_cloudshell_created.yml | 1 + ...ure_subscription_permissions_elevation_via_activitylogs.yml | 1 + rules/cloud/azure/azure_suppression_rule_created.yml | 1 + .../cloud/azure/azure_virtual_network_modified_or_deleted.yml | 1 + 
rules/cloud/azure/azure_vpn_connection_modified_or_deleted.yml | 1 + 29 files changed, 30 insertions(+), 2 deletions(-) diff --git a/rules/cloud/azure/azure_application_gateway_modified_or_deleted.yml b/rules/cloud/azure/azure_application_gateway_modified_or_deleted.yml index ef8ebebc8..8b62ecf56 100644 --- a/rules/cloud/azure/azure_application_gateway_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_application_gateway_modified_or_deleted.yml @@ -6,6 +6,7 @@ references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations author: Austin Songer date: 2021/08/16 +modified: 2022/08/23 logsource: product: azure service: activitylogs diff --git a/rules/cloud/azure/azure_application_security_group_modified_or_deleted.yml b/rules/cloud/azure/azure_application_security_group_modified_or_deleted.yml index 1dc692624..bcbfa9edb 100644 --- a/rules/cloud/azure/azure_application_security_group_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_application_security_group_modified_or_deleted.yml @@ -6,6 +6,7 @@ references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations author: Austin Songer date: 2021/08/16 +modified: 2022/08/23 logsource: product: azure service: activitylogs diff --git a/rules/cloud/azure/azure_container_registry_created_or_deleted.yml b/rules/cloud/azure/azure_container_registry_created_or_deleted.yml index 93361db37..9e5c19e72 100644 --- a/rules/cloud/azure/azure_container_registry_created_or_deleted.yml +++ b/rules/cloud/azure/azure_container_registry_created_or_deleted.yml @@ -10,6 +10,7 @@ references: - https://attack.mitre.org/matrices/enterprise/cloud/ author: Austin Songer @austinsonger date: 2021/08/07 +modified: 2022/08/23 logsource: product: azure service: activitylogs diff --git a/rules/cloud/azure/azure_dns_zone_modified_or_deleted.yml b/rules/cloud/azure/azure_dns_zone_modified_or_deleted.yml index 886d2bece..2a547da1c 100644 
--- a/rules/cloud/azure/azure_dns_zone_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_dns_zone_modified_or_deleted.yml @@ -6,6 +6,7 @@ references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes author: Austin Songer @austinsonger date: 2021/08/08 +modified: 2022/08/23 logsource: product: azure service: activitylogs diff --git a/rules/cloud/azure/azure_firewall_modified_or_deleted.yml b/rules/cloud/azure/azure_firewall_modified_or_deleted.yml index 609d5d479..55e14f6c8 100644 --- a/rules/cloud/azure/azure_firewall_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_firewall_modified_or_deleted.yml @@ -6,6 +6,7 @@ references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations author: Austin Songer @austinsonger date: 2021/08/08 +modified: 2022/08/23 logsource: product: azure service: activitylogs diff --git a/rules/cloud/azure/azure_firewall_rule_collection_modified_or_deleted.yml b/rules/cloud/azure/azure_firewall_rule_collection_modified_or_deleted.yml index 8102e8764..663451b18 100644 --- a/rules/cloud/azure/azure_firewall_rule_collection_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_firewall_rule_collection_modified_or_deleted.yml @@ -6,6 +6,7 @@ references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations author: Austin Songer @austinsonger date: 2021/08/08 +modified: 2022/08/23 logsource: product: azure service: activitylogs diff --git a/rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml b/rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml index 1b7ab5b75..1f01e1047 100644 --- a/rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_keyvault_key_modified_or_deleted.yml 
@@ -6,6 +6,7 @@ references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations author: Austin Songer @austinsonger date: 2021/08/16 +modified: 2022/08/23 logsource: product: azure service: activitylogs diff --git a/rules/cloud/azure/azure_keyvault_modified_or_deleted.yml b/rules/cloud/azure/azure_keyvault_modified_or_deleted.yml index 3f82b47e5..12cd43471 100644 --- a/rules/cloud/azure/azure_keyvault_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_keyvault_modified_or_deleted.yml @@ -6,6 +6,7 @@ references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations author: Austin Songer @austinsonger date: 2021/08/16 +modified: 2022/08/23 logsource: product: azure service: activitylogs diff --git a/rules/cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml b/rules/cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml index 9b21a9182..eea6c9415 100644 --- a/rules/cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_keyvault_secrets_modified_or_deleted.yml @@ -6,6 +6,7 @@ references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations author: Austin Songer @austinsonger date: 2021/08/16 +modified: 2022/08/23 logsource: product: azure service: activitylogs diff --git a/rules/cloud/azure/azure_kubernetes_admission_controller.yml b/rules/cloud/azure/azure_kubernetes_admission_controller.yml index ba4475845..9ea9e0829 100644 --- a/rules/cloud/azure/azure_kubernetes_admission_controller.yml +++ b/rules/cloud/azure/azure_kubernetes_admission_controller.yml @@ -6,7 +6,7 @@ references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes author: Austin Songer @austinsonger date: 2021/11/25 -modified: 2021/11/26 +modified: 2022/08/23 logsource: product: azure service: activitylogs 
diff --git a/rules/cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml b/rules/cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml index 4ba51f245..a23b6ea42 100644 --- a/rules/cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml +++ b/rules/cloud/azure/azure_kubernetes_cluster_created_or_deleted.yml @@ -10,6 +10,7 @@ references: - https://attack.mitre.org/matrices/enterprise/cloud/ author: Austin Songer @austinsonger date: 2021/08/07 +modified: 2022/08/23 logsource: product: azure service: activitylogs diff --git a/rules/cloud/azure/azure_kubernetes_cronjob.yml b/rules/cloud/azure/azure_kubernetes_cronjob.yml index 276ab59e0..9ad66faa6 100644 --- a/rules/cloud/azure/azure_kubernetes_cronjob.yml +++ b/rules/cloud/azure/azure_kubernetes_cronjob.yml @@ -9,6 +9,7 @@ references: - https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/ author: Austin Songer @austinsonger date: 2021/11/22 +modified: 2022/08/23 logsource: product: azure service: activitylogs diff --git a/rules/cloud/azure/azure_kubernetes_events_deleted.yml b/rules/cloud/azure/azure_kubernetes_events_deleted.yml index a1f4ebfb5..27501276e 100644 --- a/rules/cloud/azure/azure_kubernetes_events_deleted.yml +++ b/rules/cloud/azure/azure_kubernetes_events_deleted.yml @@ -7,6 +7,7 @@ references: - https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml author: Austin Songer @austinsonger date: 2021/07/24 +modified: 2022/08/23 logsource: product: azure service: activitylogs diff --git a/rules/cloud/azure/azure_kubernetes_network_policy_change.yml b/rules/cloud/azure/azure_kubernetes_network_policy_change.yml index 1f8c0d632..4c253a7da 100644 --- a/rules/cloud/azure/azure_kubernetes_network_policy_change.yml +++ b/rules/cloud/azure/azure_kubernetes_network_policy_change.yml 
@@ -10,6 +10,7 @@ references: - https://attack.mitre.org/matrices/enterprise/cloud/ author: Austin Songer @austinsonger date: 2021/08/07 +modified: 2022/08/23 logsource: product: azure service: activitylogs diff --git a/rules/cloud/azure/azure_kubernetes_pods_deleted.yml b/rules/cloud/azure/azure_kubernetes_pods_deleted.yml index 63c1276af..e73fb5a25 100644 --- a/rules/cloud/azure/azure_kubernetes_pods_deleted.yml +++ b/rules/cloud/azure/azure_kubernetes_pods_deleted.yml @@ -7,6 +7,7 @@ references: - https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml author: Austin Songer @austinsonger date: 2021/07/24 +modified: 2022/08/23 logsource: product: azure service: activitylogs diff --git a/rules/cloud/azure/azure_kubernetes_role_access.yml b/rules/cloud/azure/azure_kubernetes_role_access.yml index 4d7c79d5c..4b12ff466 100644 --- a/rules/cloud/azure/azure_kubernetes_role_access.yml +++ b/rules/cloud/azure/azure_kubernetes_role_access.yml @@ -10,12 +10,13 @@ references: - https://attack.mitre.org/matrices/enterprise/cloud/ author: Austin Songer @austinsonger date: 2021/08/07 +modified: 2022/08/23 logsource: product: azure service: activitylogs detection: selection: - operationname: + operationName: - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/WRITE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/DELETE - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/RBAC.AUTHORIZATION.K8S.IO/ROLES/BIND/ACTION diff --git a/rules/cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml b/rules/cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml index c5b2a933b..7ca8555b4 100644 --- a/rules/cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_kubernetes_rolebinding_modified_or_deleted.yml 
@@ -10,6 +10,7 @@ references: - https://attack.mitre.org/matrices/enterprise/cloud/ author: Austin Songer @austinsonger date: 2021/08/07 +modified: 2022/08/23 logsource: product: azure service: activitylogs diff --git a/rules/cloud/azure/azure_kubernetes_secret_or_config_object_access.yml b/rules/cloud/azure/azure_kubernetes_secret_or_config_object_access.yml index 5474c3f4e..4da4dfa56 100644 --- a/rules/cloud/azure/azure_kubernetes_secret_or_config_object_access.yml +++ b/rules/cloud/azure/azure_kubernetes_secret_or_config_object_access.yml @@ -10,6 +10,7 @@ references: - https://attack.mitre.org/matrices/enterprise/cloud/ author: Austin Songer @austinsonger date: 2021/08/07 +modified: 2022/08/23 logsource: product: azure service: activitylogs diff --git a/rules/cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml b/rules/cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml index b23a8e7d5..1b1c33b0a 100644 --- a/rules/cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_kubernetes_service_account_modified_or_deleted.yml @@ -10,6 +10,7 @@ references: - https://attack.mitre.org/matrices/enterprise/cloud/ author: Austin Songer @austinsonger date: 2021/08/07 +modified: 2022/08/23 logsource: product: azure service: activitylogs diff --git a/rules/cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml b/rules/cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml index ad4fdd0e6..a5ba249b5 100644 --- a/rules/cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_network_firewall_policy_modified_or_deleted.yml @@ -6,6 +6,7 @@ references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations author: Austin Songer @austinsonger date: 2021/09/02 +modified: 2022/08/23 logsource: product: azure service: activitylogs 
diff --git a/rules/cloud/azure/azure_network_firewall_rule_modified_or_deleted.yml b/rules/cloud/azure/azure_network_firewall_rule_modified_or_deleted.yml index ae11eb3b3..cdd431468 100644 --- a/rules/cloud/azure/azure_network_firewall_rule_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_network_firewall_rule_modified_or_deleted.yml @@ -6,6 +6,7 @@ references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations author: Austin Songer @austinsonger date: 2021/08/08 +modified: 2022/08/23 logsource: product: azure service: activitylogs diff --git a/rules/cloud/azure/azure_network_p2s_vpn_modified_or_deleted.yml b/rules/cloud/azure/azure_network_p2s_vpn_modified_or_deleted.yml index d422e6c47..8b7bcfe0a 100644 --- a/rules/cloud/azure/azure_network_p2s_vpn_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_network_p2s_vpn_modified_or_deleted.yml @@ -6,6 +6,7 @@ references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations author: Austin Songer @austinsonger date: 2021/08/08 +modified: 2022/08/23 logsource: product: azure service: activitylogs diff --git a/rules/cloud/azure/azure_network_security_modified_or_deleted.yml b/rules/cloud/azure/azure_network_security_modified_or_deleted.yml index 9cd57c6e3..cfc0a269d 100644 --- a/rules/cloud/azure/azure_network_security_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_network_security_modified_or_deleted.yml @@ -6,6 +6,7 @@ references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations author: Austin Songer @austinsonger date: 2021/08/08 +modified: 2022/08/23 logsource: product: azure service: activitylogs diff --git a/rules/cloud/azure/azure_network_virtual_device_modified_or_deleted.yml b/rules/cloud/azure/azure_network_virtual_device_modified_or_deleted.yml index 8476562c9..413bd1cbb 100644 --- a/rules/cloud/azure/azure_network_virtual_device_modified_or_deleted.yml 
+++ b/rules/cloud/azure/azure_network_virtual_device_modified_or_deleted.yml @@ -6,6 +6,7 @@ references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations author: Austin Songer @austinsonger date: 2021/08/08 +modified: 2022/08/23 logsource: product: azure service: activitylogs diff --git a/rules/cloud/azure/azure_new_cloudshell_created.yml b/rules/cloud/azure/azure_new_cloudshell_created.yml index 9700d3d83..9fa3a59a7 100644 --- a/rules/cloud/azure/azure_new_cloudshell_created.yml +++ b/rules/cloud/azure/azure_new_cloudshell_created.yml @@ -6,6 +6,7 @@ references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations author: Austin Songer date: 2021/09/21 +modified: 2022/08/23 logsource: product: azure service: activitylogs diff --git a/rules/cloud/azure/azure_subscription_permissions_elevation_via_activitylogs.yml b/rules/cloud/azure/azure_subscription_permissions_elevation_via_activitylogs.yml index 0b4000b57..ed19e1b6f 100644 --- a/rules/cloud/azure/azure_subscription_permissions_elevation_via_activitylogs.yml +++ b/rules/cloud/azure/azure_subscription_permissions_elevation_via_activitylogs.yml @@ -6,6 +6,7 @@ references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization author: Austin Songer @austinsonger date: 2021/11/26 +modified: 2022/08/23 logsource: product: azure service: activitylogs diff --git a/rules/cloud/azure/azure_suppression_rule_created.yml b/rules/cloud/azure/azure_suppression_rule_created.yml index ecf5c81cb..87669808e 100644 --- a/rules/cloud/azure/azure_suppression_rule_created.yml +++ b/rules/cloud/azure/azure_suppression_rule_created.yml @@ -6,6 +6,7 @@ references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations author: Austin Songer date: 2021/08/16 +modified: 2022/08/23 logsource: product: azure service: activitylogs 
diff --git a/rules/cloud/azure/azure_virtual_network_modified_or_deleted.yml b/rules/cloud/azure/azure_virtual_network_modified_or_deleted.yml index 0fd8bf918..3c9974d55 100644 --- a/rules/cloud/azure/azure_virtual_network_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_virtual_network_modified_or_deleted.yml @@ -6,6 +6,7 @@ references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations author: Austin Songer @austinsonger date: 2021/08/08 +modified: 2022/08/23 logsource: product: azure service: activitylogs diff --git a/rules/cloud/azure/azure_vpn_connection_modified_or_deleted.yml b/rules/cloud/azure/azure_vpn_connection_modified_or_deleted.yml index 819b03d1f..75b953a00 100644 --- a/rules/cloud/azure/azure_vpn_connection_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_vpn_connection_modified_or_deleted.yml @@ -6,6 +6,7 @@ references: - https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations author: Austin Songer @austinsonger date: 2021/08/08 +modified: 2022/08/23 logsource: product: azure service: activitylogs From 59394d2309202b6782ed3071f8f806ed13db2d10 Mon Sep 17 00:00:00 2001 From: Ben Montour <8712103+benmontour@users.noreply.github.com> Date: Tue, 23 Aug 2022 14:35:48 -0500 Subject: [PATCH 05/27] bad sort on subfields startswith/endswith --- rules/cloud/azure/azure_dns_zone_modified_or_deleted.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/azure/azure_dns_zone_modified_or_deleted.yml b/rules/cloud/azure/azure_dns_zone_modified_or_deleted.yml index 2a547da1c..ba6de103b 100644 --- a/rules/cloud/azure/azure_dns_zone_modified_or_deleted.yml +++ b/rules/cloud/azure/azure_dns_zone_modified_or_deleted.yml 
@@ -12,10 +12,10 @@ logsource: service: activitylogs detection: selection: + operationName|startswith: MICROSOFT.NETWORK/DNSZONES operationName|endswith: - /WRITE - /DELETE - operationName|startswith: MICROSOFT.NETWORK/DNSZONES condition: selection falsepositives: - DNS zone modified and deleted may be performed by a system administrator. Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. From 88295a305c3ee44b1fcb6faf74076617209ec7c9 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 24 Aug 2022 01:05:40 +0100 Subject: [PATCH 06/27] Rule Dev --- ...oad_side_load_from_non_system_location.yml | 58 ++++++++++++++++++- ...tion_win_modify_group_policy_settings.yml} | 0 ...proc_creation_win_new_network_provider.yml | 33 +++++++++++ ...win_renamed_rundll32_dllregisterserver.yml | 2 +- ...add_renamed_sysinternals_eula_accepted.yml | 52 +++++++++++++++++ ...ry_add_susp_sysinternals_eula_accepted.yml | 35 +++++++++++ ...egistry_add_sysinternals_eula_accepted.yml | 4 +- .../registry_set_new_network_provider.yml | 34 +++++++++++ 8 files changed, 213 insertions(+), 5 deletions(-) rename rules/windows/process_creation/{proc_creation_modify_group_policy_settings.yml => proc_creation_win_modify_group_policy_settings.yml} (100%) create mode 100644 rules/windows/process_creation/proc_creation_win_new_network_provider.yml create mode 100644 rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml create mode 100644 rules/windows/registry/registry_add/registry_add_susp_sysinternals_eula_accepted.yml create mode 100644 rules/windows/registry/registry_set/registry_set_new_network_provider.yml diff --git a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml index 4a6bb9930..1fbe3af1e 100644 
--- a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml +++ b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml @@ -6,9 +6,9 @@ references: - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there) - https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/ # WindowsCodecs.dll - https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/ # iphlpapi.dll -author: Nasreddine Bencherchali, Wietze Beukema (project and research) +author: Nasreddine Bencherchali, Wietze Beukema (project and research), Chris Spehn (research WFH Dridex) date: 2022/08/14 -modified: 2022/08/17 +modified: 2022/08/24 tags: - attack.defense_evasion - attack.persistence 
@@ -356,6 +356,60 @@ detection: - '\dpx.dll' - '\fxsapi.dll' - '\fxstiff.dll' + - '\xpsservices.dll' + - '\appvpolicy.dll' + - '\batmeter.dll' + - '\bootux.dll' + - '\cmutil.dll' + - '\configmanager2.dll' + - '\coredplus.dll' + - '\coreuicomponents.dll' + - '\cryptsp.dll' + - '\dmcommandlineutils.dll' + - '\drvstore.dll' + - '\dsprop.dll' + - '\dxcore.dll' + - '\edgeiso.dll' + - '\framedynos.dll' + - '\fveskybackup.dll' + - '\fvewiz.dll' + - '\gpapi.dll' + - '\icmp.dll' + - '\ifsutil.dll' + - '\iumsdk.dll' + - '\lockhostingframework.dll' + - '\lrwizdll.dll' + - '\mbaexmlparser.dll' + - '\mfc42u.dll' + - '\msiso.dll' + - '\msvcp110_win.dll' + - '\netapi32.dll' + - '\netjoin.dll' + - '\netprovfw.dll' + - '\opcservices.dll' + - '\pkeyhelper.dll' + - '\playsndsrv.dll' + - '\powrprof.dll' + - '\prntvpt.dll' + - '\profapi.dll' + - '\proximitycommon.dll' + - '\proximityservicepal.dll' + - '\rasdlg.dll' + - '\security.dll' + - '\sppcext.dll' + - '\srmtrace.dll' + - '\tpmcoreprovisioning.dll' + - '\umpdc.dll' + - '\unattend.dll' + - '\urlmon.dll' + - '\vdsutil.dll' + - '\version.dll' + - '\winbio.dll' + - '\windows.ui.immersive.dll' + - '\winscard.dll' + - '\winsync.dll' + - '\wscapi.dll' + - '\wsmsvc.dll' filter_generic: ImageLoaded|startswith: - 'C:\Windows\System32\' diff --git a/rules/windows/process_creation/proc_creation_modify_group_policy_settings.yml b/rules/windows/process_creation/proc_creation_win_modify_group_policy_settings.yml similarity index 100% rename from rules/windows/process_creation/proc_creation_modify_group_policy_settings.yml rename to rules/windows/process_creation/proc_creation_win_modify_group_policy_settings.yml diff --git a/rules/windows/process_creation/proc_creation_win_new_network_provider.yml b/rules/windows/process_creation/proc_creation_win_new_network_provider.yml new file mode 100644 index 000000000..7fad53fee --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_new_network_provider.yml 
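Review bot: several of the 54 DLL names added here are libraries that many legitimate third-party applications ship alongside their own binaries and load from their install directory, for example `'\version.dll'`, `'\netapi32.dll'`, `'\urlmon.dll'`, `'\cryptsp.dll'`, `'\powrprof.dll'` and `'\profapi.dll'`; with `filter_generic` only exempting `C:\Windows\System32\`, this hunk will raise the rule's false-positive rate considerably. Baseline the new entries against common software before merging, and expect to add per-application filters of the kind the `AppVPolicy.dll` / `OfficeClickToRun.exe` exemption later in this series introduces; a short comment on the `references:` entry explaining which source the new names came from (the author line now credits "Chris Spehn (research WFH Dridex)") would also help reviewers judge them.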
@@ -0,0 +1,33 @@ +title: New Network Provider - CommandLine +id: baef1ec6-2ca9-47a3-97cc-4cf2bda10b77 +related: + - id: 0442defa-b4a2-41c9-ae2c-ea7042fc4701 + type: similar +description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it +author: Nasreddine Bencherchali +date: 2022/08/23 +status: experimental +references: + - https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade + - https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains|all: + - '\System\CurrentControlSet\Services\' + - '\NetworkProvider' + filter: + CommandLine|contains: + - '\System\CurrentControlSet\Services\WebClient\NetworkProvider' + - '\System\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider' + - '\System\CurrentControlSet\Services\RDPNP\NetworkProvider' + #- '\System\CurrentControlSet\Services\P9NP\NetworkProvider' # Related to WSL remove the comment if you use WSL in your ENV + condition: selection and not filter +falsepositives: + - Other legitimate network providers used and not filtred in this rule +level: high +tags: + - attack.credential_access + - attack.t1003 diff --git a/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml b/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml index 0f033ceb6..498857c98 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_rundll32_dllregisterserver.yml 
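Review bot: the selection in `proc_creation_win_new_network_provider.yml` only requires that `'\System\CurrentControlSet\Services\'` and `'\NetworkProvider'` both appear in `CommandLine`; it carries no notion of a write, so read-only inspection such as `reg query` of those same paths fires a `level: high` alert. Consider an additional `|contains` on the write verbs you intend to catch (for example `reg add` / `reg import`, `New-Item`, `Set-ItemProperty`) so the rule matches registration of a provider rather than any mention of the key. Smaller points: `filtred` in `falsepositives` should read `filtered`, and the `status:` key sits after `date:` here while the other new rules in this series place it directly after `id:`/`related:`.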
@@ -1,7 +1,7 @@ title: DllRegisterServer Call From Non Rundll32 id: 2569ed8c-1147-498a-9b8c-2ad3656b10ed status: stable -description: Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could that the 'rundll32' utility has been renamed in order to avoid detection +description: Detects when 'DllRegisterServer' is called in the commandline and the image is not rundll32. This could mean that the 'rundll32' utility has been renamed in order to avoid detection author: Nasreddine Bencherchali references: - https://twitter.com/swisscom_csirt/status/1331634525722521602?s=20 diff --git a/rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml b/rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml new file mode 100644 index 000000000..9bd765ad6 --- /dev/null +++ b/rules/windows/registry/registry_add/registry_add_renamed_sysinternals_eula_accepted.yml 
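Review bot: the description fix for `proc_creation_win_renamed_rundll32_dllregisterserver.yml` ("This could that" to "This could mean that") is correct, but the hunk does not show a `modified:` date being updated, whereas the other rule edits in this series bump `modified: 2022/08/24` alongside their changes; add the same bump here for consistency with that convention.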
@@ -0,0 +1,52 @@ +title: Usage of Suspicious Sysinternals Tools +id: f50f3c09-557d-492d-81db-9064a8d4e211 +related: + - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133 + type: derived +status: experimental +description: Detects the of the "accepteula" key related to sysinternals tools being created from non sysinternals tools +references: + - Internal Research +date: 2022/08/24 +author: Nasreddine Bencherchali +logsource: + product: windows + category: registry_add +detection: + selection: + EventType: CreateKey + TargetObject|contains: + - '\PsExec' + - '\ProcDump' + - '\Handle' + - '\LiveKd' + - '\Process Explorer' + - '\PsLoglist' + - '\PsPasswd' + - '\Active Directory Explorer' + TargetObject|endswith: '\EulaAccepted' + filter: + Image|endswith: + - '\PsExec.exe' + - '\PsExec64.exe' + - '\procdump.exe' + - '\procdump64.exe' + - '\handle.exe' + - '\handle64.exe' + - '\livekd.exe' + - '\livekd64.exe' + - '\procexp.exe' + - '\procexp64.exe' + - '\psloglist.exe' + - '\psloglist64.exe' + - '\pspasswd.exe' + - '\pspasswd64.exe' + - '\ADExplorer.exe' + - '\ADExplorer64.exe' + condition: selection and not filter +falsepositives: + - Unlikely +level: high +tags: + - attack.resource_development + - attack.t1588.002 diff --git a/rules/windows/registry/registry_add/registry_add_susp_sysinternals_eula_accepted.yml b/rules/windows/registry/registry_add/registry_add_susp_sysinternals_eula_accepted.yml new file mode 100644 index 000000000..e1f5fddaa --- /dev/null +++ b/rules/windows/registry/registry_add/registry_add_susp_sysinternals_eula_accepted.yml 
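Review bot: `title: Usage of Suspicious Sysinternals Tools` in `registry_add_renamed_sysinternals_eula_accepted.yml` is identical to the title of the sibling rule `registry_add_susp_sysinternals_eula_accepted.yml` (id c7da8edc-49ae-45a2-9e61-9fd860e4e73d) added in the same commit, although this rule specifically fires when the `EulaAccepted` key is created by an image other than the expected Sysinternals binary; give it a distinct title that says so (e.g. one mentioning "Renamed"), so both rules can be told apart in alert output. The description is also missing a word: `Detects the of the "accepteula" key` should read `Detects the creation of the "accepteula" key`. Finally, please confirm on a test host that accepting the EULA is logged as `EventType: CreateKey` with a `TargetObject` ending in `\EulaAccepted` in the `registry_add` category rather than as a `SetValue` event in `registry_set`; the rule never fires if the write lands in the other category.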
@@ -0,0 +1,35 @@ +title: Usage of Suspicious Sysinternals Tools +id: c7da8edc-49ae-45a2-9e61-9fd860e4e73d +related: + - id: 25ffa65d-76d8-4da5-a832-3f2b0136e133 + type: derived +status: experimental +description: Detects the usage of Suspicious Sysinternals Tools such as PsExec, Procdump...etc via the "accepteula" key being added to Registry +references: + - https://twitter.com/Moti_B/status/1008587936735035392 +date: 2022/08/24 +author: Nasreddine Bencherchali +logsource: + product: windows + category: registry_add +detection: + selection: + EventType: CreateKey + TargetObject|contains: + - '\PsExec' + - '\ProcDump' + - '\Handle' + - '\LiveKd' + - '\Process Explorer' + - '\PsLoglist' + - '\PsPasswd' + - '\Active Directory Explorer' + - '\Sysinternals' # Global level https://twitter.com/leonzandman/status/1561736801953382400 + TargetObject|endswith: '\EulaAccepted' + condition: selection +falsepositives: + - Legitimate use of SysInternals tools +level: medium +tags: + - attack.resource_development + - attack.t1588.002 diff --git a/rules/windows/registry/registry_add/registry_add_sysinternals_eula_accepted.yml b/rules/windows/registry/registry_add/registry_add_sysinternals_eula_accepted.yml index 7f17c2c24..ce209be72 100755 --- a/rules/windows/registry/registry_add/registry_add_sysinternals_eula_accepted.yml +++ b/rules/windows/registry/registry_add/registry_add_sysinternals_eula_accepted.yml @@ -20,5 +20,5 @@ falsepositives: - Programs that use the same Registry Key level: low tags: - - attack.resource_development - - attack.t1588.002 \ No newline at end of file + - attack.resource_development + - attack.t1588.002 \ No newline at end of file diff --git a/rules/windows/registry/registry_set/registry_set_new_network_provider.yml b/rules/windows/registry/registry_set/registry_set_new_network_provider.yml new file mode 100644 index 000000000..fb95eef95 --- /dev/null +++ b/rules/windows/registry/registry_set/registry_set_new_network_provider.yml 
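Review bot: in `registry_add_susp_sysinternals_eula_accepted.yml` the `TargetObject|contains` entry `'\Sysinternals'` matches every path the seven tool-specific entries (`'\PsExec'`, `'\ProcDump'`, ... `'\Active Directory Explorer'`) match, since those per-tool keys live under the same `\Software\Sysinternals\` parent; combined with `TargetObject|endswith: '\EulaAccepted'` the list collapses to that one entry. Either reduce the list to `'\Sysinternals'` or extend the inline comment to say why the tool names are kept (readability, or tools that write their EULA flag elsewhere). Also, the hunk `@@ -20,5 +20,5 @@` in `registry_add_sysinternals_eula_accepted.yml` only re-indents the two `tags:` entries and leaves the file without a trailing newline ("\ No newline at end of file" on both sides); add the newline while the file is being touched, and consider whether the whitespace-only change belongs in this commit at all.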
@@ -0,0 +1,34 @@ +title: New Network Provider - Registry +id: 0442defa-b4a2-41c9-ae2c-ea7042fc4701 +related: + - id: baef1ec6-2ca9-47a3-97cc-4cf2bda10b77 + type: similar +description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it +author: Nasreddine Bencherchali +date: 2022/08/23 +status: experimental +references: + - https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade + - https://github.com/gtworek/PSBits/tree/master/PasswordStealing/NPPSpy +logsource: + category: registry_set + product: windows +detection: + selection: + EventType: SetValue + TargetObject|contains: + - '\System\CurrentControlSet\Services\' + - '\NetworkProvider' + filter: + TargetObject|contains: + - '\System\CurrentControlSet\Services\WebClient\NetworkProvider' + - '\System\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider' + - '\System\CurrentControlSet\Services\RDPNP\NetworkProvider' + #- '\System\CurrentControlSet\Services\P9NP\NetworkProvider' # Related to WSL remove the comment if you use WSL in your ENV + condition: selection +falsepositives: + - Other legitimate network providers used and not filtred in this rule +level: high +tags: + - attack.credential_access + - attack.t1003 From 920c196f5b0730297430f728b81d360731533fd5 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 24 Aug 2022 01:10:37 +0100 Subject: [PATCH 07/27] Update registry_set_new_network_provider.yml --- .../registry/registry_set/registry_set_new_network_provider.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/registry/registry_set/registry_set_new_network_provider.yml b/rules/windows/registry/registry_set/registry_set_new_network_provider.yml index fb95eef95..c016cab04 100644 --- a/rules/windows/registry/registry_set/registry_set_new_network_provider.yml 
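Review bot: two logic problems in `registry_set_new_network_provider.yml` as added here. First, `TargetObject|contains:` lacks the `|all` modifier, so the two list entries are ORed and every `SetValue` under `\System\CurrentControlSet\Services\` matches the selection; it should be `TargetObject|contains|all:` like the companion CommandLine rule. Second, `condition: selection` never applies the `filter` block, so the WebClient, LanmanWorkstation and RDPNP exemptions are dead; it should read `condition: selection and not filter`. The same `filtred` typo in `falsepositives` appears here too.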
+++ b/rules/windows/registry/registry_set/registry_set_new_network_provider.yml @@ -16,7 +16,7 @@ logsource: detection: selection: EventType: SetValue - TargetObject|contains: + TargetObject|contains|all: - '\System\CurrentControlSet\Services\' - '\NetworkProvider' filter: From 781c69e04c3cb0e7837be7cf7b9ff836c8543737 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 24 Aug 2022 01:17:53 +0100 Subject: [PATCH 08/27] Fix FP --- .../image_load_side_load_from_non_system_location.yml | 3 +++ .../registry_set/registry_set_new_network_provider.yml | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml index 1fbe3af1e..a37434bed 100644 --- a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml +++ b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml @@ -421,6 +421,9 @@ detection: User|contains: # covers many language settings - 'AUTHORI' - 'AUTORI' + filter_appvpolicy: + ImageLoaded: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll + Image: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe condition: selection and not 1 of filter_* falsepositives: - Legitimate applications loading their own versions of the DLLs mentioned in this rule diff --git a/rules/windows/registry/registry_set/registry_set_new_network_provider.yml b/rules/windows/registry/registry_set/registry_set_new_network_provider.yml index c016cab04..49a746ff1 100644 --- a/rules/windows/registry/registry_set/registry_set_new_network_provider.yml +++ b/rules/windows/registry/registry_set/registry_set_new_network_provider.yml 
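Review bot: `filter_appvpolicy` in `image_load_side_load_from_non_system_location.yml` pins both `ImageLoaded` and `Image` to exact paths under `C:\Program Files\Common Files\microsoft shared\ClickToRun\`; if 32-bit Office Click-to-Run installs on 64-bit Windows are in scope, the same pair of files lives under `C:\Program Files (x86)\Common Files\...` and would still fire. Matching on `ImageLoaded|endswith: '\ClickToRun\AppVPolicy.dll'` together with `Image|endswith: '\ClickToRun\OfficeClickToRun.exe'` (or listing both prefixes) keeps the exemption narrow while covering both install flavours.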
@@ -25,7 +25,7 @@ detection: - '\System\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider' - '\System\CurrentControlSet\Services\RDPNP\NetworkProvider' #- '\System\CurrentControlSet\Services\P9NP\NetworkProvider' # Related to WSL remove the comment if you use WSL in your ENV - condition: selection + condition: selection and not filter falsepositives: - Other legitimate network providers used and not filtred in this rule level: high From 1faef2fa97e5eda2884b054f3f1db7eb59256c7b Mon Sep 17 00:00:00 2001 From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com> Date: Wed, 24 Aug 2022 09:23:35 +0900 Subject: [PATCH 09/27] fix backend bool conversion errors --- .../driver_load_vuln_avast_anti_rootkit_driver.yml | 3 ++- .../net_connection_win_remote_powershell_session_network.yml | 4 ++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/rules/windows/driver_load/driver_load_vuln_avast_anti_rootkit_driver.yml b/rules/windows/driver_load/driver_load_vuln_avast_anti_rootkit_driver.yml index c74c764eb..f1e5c9bbd 100644 --- a/rules/windows/driver_load/driver_load_vuln_avast_anti_rootkit_driver.yml +++ b/rules/windows/driver_load/driver_load_vuln_avast_anti_rootkit_driver.yml @@ -6,6 +6,7 @@ author: Nasreddine Bencherchali references: - https://www.aon.com/cyber-solutions/aon_cyber_labs/yours-truly-signed-av-driver-weaponizing-an-antivirus-driver/ date: 2022/07/28 +modified: 2022/08/24 logsource: product: windows category: driver_load @@ -22,7 +23,7 @@ detection: driver_img: ImageLoaded|endswith: '\aswArPot.sys' driver_status: - - Signed: false + - Signed: 'false' - SignatureStatus: Expired condition: 1 of selection* or all of driver_* falsepositives: diff --git a/rules/windows/network_connection/net_connection_win_remote_powershell_session_network.yml b/rules/windows/network_connection/net_connection_win_remote_powershell_session_network.yml index 465b440ff..0b2e6f4f2 100755 
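Review bot: quoting `Signed: 'false'` in `driver_load_vuln_avast_anti_rootkit_driver.yml` (and `Initiated: 'true'` in the network rule of the same commit) changes the YAML type from boolean to string, which is what resolves the backend conversion error the subject describes and matches the textual `true`/`false` these log fields carry; the one thing to verify is that the target backends compare the quoted value case-insensitively, since the hunk changes only the rule side. Because `driver_status` is a list of maps, `all of driver_*` still means "aswArPot.sys loaded AND (Signed false OR SignatureStatus Expired)", which reads as intended.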
--- a/rules/windows/network_connection/net_connection_win_remote_powershell_session_network.yml +++ b/rules/windows/network_connection/net_connection_win_remote_powershell_session_network.yml @@ -6,7 +6,7 @@ author: Roberto Rodriguez @Cyb3rWard0g references: - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html date: 2019/09/12 -modified: 2022/08/16 +modified: 2022/08/24 logsource: category: network_connection product: windows @@ -15,7 +15,7 @@ detection: DestinationPort: - 5985 - 5986 - Initiated: true # only matches of the initiating system can be evaluated + Initiated: 'true' # only matches of the initiating system can be evaluated filter: - User|contains: # covers many language settings for Network Service, please expand - 'NETWORK SERVICE' From b5d5a648b5946f60799e4301f94682b2953577b2 Mon Sep 17 00:00:00 2001 From: Tomasuh <3432107+Tomasuh@users.noreply.github.com> Date: Wed, 24 Aug 2022 08:19:51 +0200 Subject: [PATCH 10/27] proxy_ua_bitsadmin_susp_ip.yml falsepositive fix Change to endswith instead of startswith to avoid matching subdomains which starts with digits, example: 3.au.download.windowsupdate.com --- rules/proxy/proxy_ua_bitsadmin_susp_ip.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/proxy/proxy_ua_bitsadmin_susp_ip.yml b/rules/proxy/proxy_ua_bitsadmin_susp_ip.yml index af0556668..ce4b7f470 100644 --- a/rules/proxy/proxy_ua_bitsadmin_susp_ip.yml +++ b/rules/proxy/proxy_ua_bitsadmin_susp_ip.yml @@ -4,12 +4,13 @@ status: experimental description: Detects Bitsadmin connections to IP addresses instead of FQDN names author: Florian Roth date: 2022/06/10 +modified: 2022/08/24 logsource: category: proxy detection: selection: c-useragent|startswith: 'Microsoft BITS/' - cs-host|startswith: + cs-host|endswith: - '1' - '2' - '3' From 706a4bd0fac428658c9db3b97a63e751babde41c Mon Sep 17 00:00:00 2001 
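Review bot: switching `proxy_ua_bitsadmin_susp_ip.yml` from `cs-host|startswith` to `cs-host|endswith` on single digits fixes the `3.au.download.windowsupdate.com` case from the commit message, but a trailing digit is still a weak proxy for "is an IP address": short internal host names such as `fileserver01` and any `cs-host` value that carries a port suffix like `host:8080` also end in a digit. A tighter fix is a regex on a dotted quad, e.g. `cs-host|re: '^\d{1,3}(\.\d{1,3}){3}$'`, with the existing `c-useragent|startswith: 'Microsoft BITS/'` left as is.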
From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Wed, 24 Aug 2022 10:09:40 +0200 Subject: [PATCH 11/27] fix: many FPs in testing environment --- .../registry/registry_set/registry_set_taskcache_entry.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml b/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml index 5283cd144..eaa29e421 100644 --- a/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml +++ b/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml @@ -3,7 +3,7 @@ id: 4720b7df-40c3-48fd-bbdf-fd4b3c464f0d description: Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious status: experimental date: 2021/06/18 -modified: 2022/08/11 +modified: 2022/08/24 references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - https://labs.f-secure.com/blog/scheduled-task-tampering/ @@ -33,6 +33,8 @@ detection: Image: - 'C:\Program Files\Microsoft Office\root\Integration\Integrator.exe' - 'C:\Program Files (x86)\Microsoft Office\root\Integration\Integrator.exe' + filter_msiexec: + Image: 'C:\Windows\System32\msiexec.exe' condition: selection and not 1 of filter* falsepositives: - Unknown From 9f02e37dfa794e62d5f7f150b38afbe1c8c93963 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 24 Aug 2022 12:23:00 +0100 Subject: [PATCH 12/27] Update --- ...ent_win_susp_powershell_profile_create.yml | 41 ++++++++++--------- ..._set_asep_reg_keys_modification_common.yml | 1 + .../registry_set_persistence_autodial_dll.yml | 1 + 3 files changed, 24 insertions(+), 19 deletions(-) 
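Review bot: `filter_msiexec` in `registry_set_taskcache_entry.yml` exempts only `C:\Windows\System32\msiexec.exe`; 32-bit MSI packages are serviced by `C:\Windows\SysWOW64\msiexec.exe`, so the FPs the commit message mentions will persist for those installers unless that path is added too. Exempting msiexec also hides every scheduled task registered by any installer, which is a broad exemption; record it in `falsepositives` (currently just `Unknown`) so operators know what the rule no longer covers.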
diff --git a/rules/windows/file_event/file_event_win_susp_powershell_profile_create.yml b/rules/windows/file_event/file_event_win_susp_powershell_profile_create.yml index ba07ecf39..2e3f5f3b0 100644 --- a/rules/windows/file_event/file_event_win_susp_powershell_profile_create.yml +++ b/rules/windows/file_event/file_event_win_susp_powershell_profile_create.yml 
@@ -1,29 +1,32 @@ title: Powershell Profile.ps1 Modification id: b5b78988-486d-4a80-b991-930eff3ff8bf status: test -description: Detects a change in profile.ps1 of the Powershell profile -author: HieuTT35 +description: Detects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence +author: HieuTT35, Nasreddine Bencherchali references: - - https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/ + - https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/ + - https://persistence-info.github.io/Data/powershellprofile.html date: 2019/10/24 -modified: 2021/11/27 +modified: 2022/08/24 logsource: - product: windows - category: file_event + product: windows + category: file_event detection: - target1: - TargetFilename|contains|all: - - '\My Documents\PowerShell\' - - '\profile.ps1' - target2: - TargetFilename|contains|all: - - 'C:\Windows\System32\WindowsPowerShell\v1.0\' - - '\profile.ps1' - condition: target1 or target2 + selection: + TargetFilename|endswith: + - '\WindowsPowerShell\Microsoft.PowerShell_profile.ps1' + - '\WindowsPowerShell\profile.ps1' + - '\PowerShell\Microsoft.PowerShell_profile.ps1' + - '\PowerShell\profile.ps1' + - '\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1' + - '\Windows\System32\WindowsPowerShell\v1.0\profile.ps1' + - '\Program Files\PowerShell\7\Microsoft.PowerShell_profile.ps1' + - '\Program Files\PowerShell\7\profile.ps1' + condition: selection falsepositives: - - System administrator create Powershell profile manually + - System administrator create Powershell profile manually level: high tags: - - attack.persistence - - attack.privilege_escalation - - attack.t1546.013 + - attack.persistence + - attack.privilege_escalation + - attack.t1546.013 
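Review bot: this hunk in `file_event_win_susp_powershell_profile_create.yml` re-indents nearly every line of the file while also replacing the entire `detection:` block, so the logic change is buried in a whitespace diff; splitting the reindentation from the detection rewrite would make the review of the new `TargetFilename|endswith` list much easier. Two wording issues in the new text: `as a mean of persistence` should be `as a means of persistence`, and the re-indented false positive `System administrator create Powershell profile manually` should read `System administrators creating PowerShell profiles manually`. Note also that the new list covers the AllUsers profiles under `\Windows\System32\WindowsPowerShell\v1.0\` and `\Program Files\PowerShell\7\`, which installers and admin tooling legitimately write, so `level: high` deserves a second look or a corresponding `falsepositives` entry.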
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml index 9ceff48be..d605c7e6b 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_common.yml @@ -10,6 +10,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.001/T1547.001.md - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys + - https://persistence-info.github.io/Data/userinitmprlogonscript.html # UserInitMprLogonScript date: 2019/10/25 modified: 2022/04/04 logsource: diff --git a/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml b/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml index f5fbff59d..a83c505ae 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_autodial_dll.yml @@ -6,6 +6,7 @@ author: Nasreddine Bencherchali date: 2022/08/10 references: - https://www.hexacorn.com/blog/2015/01/13/beyond-good-ol-run-key-part-24/ + - https://persistence-info.github.io/Data/autodialdll.html logsource: category: registry_set product: windows From 10c5b51c5f25f3402dc9aad09c1c76d9ade44284 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 24 Aug 2022 12:23:20 +0100 Subject: [PATCH 13/27] Update file_event_win_susp_powershell_profile_create.yml --- .../file_event_win_susp_powershell_profile_create.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
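Review bot: `registry_set_asep_reg_keys_modification_common.yml` gains a new reference but keeps `modified: 2022/04/04`; other reference-only edits elsewhere in this series bump the date, so do the same here (the `registry_set_persistence_autodial_dll.yml` hunk in the same commit adds a reference and would need a `modified:` line added for the first time).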
diff --git a/rules/windows/file_event/file_event_win_susp_powershell_profile_create.yml b/rules/windows/file_event/file_event_win_susp_powershell_profile_create.yml index 2e3f5f3b0..f3da78694 100644 --- a/rules/windows/file_event/file_event_win_susp_powershell_profile_create.yml +++ b/rules/windows/file_event/file_event_win_susp_powershell_profile_create.yml @@ -1,4 +1,4 @@ -title: Powershell Profile.ps1 Modification +title: Powershell Profile Modification id: b5b78988-486d-4a80-b991-930eff3ff8bf status: test description: Detects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence From 918cf94c1bf27c0fab6b776fa61ea1015221b853 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 24 Aug 2022 12:29:35 +0100 Subject: [PATCH 14/27] Add + Rename --- ...ile_event_win_susp_powershell_profile.yml} | 2 +- ...ent_win_susp_vscode_powershell_profile.yml | 25 +++++++++++++++++++ 2 files changed, 26 insertions(+), 1 deletion(-) rename rules/windows/file_event/{file_event_win_susp_powershell_profile_create.yml => file_event_win_susp_powershell_profile.yml} (97%) create mode 100644 rules/windows/file_event/file_event_win_susp_vscode_powershell_profile.yml diff --git a/rules/windows/file_event/file_event_win_susp_powershell_profile_create.yml b/rules/windows/file_event/file_event_win_susp_powershell_profile.yml similarity index 97% rename from rules/windows/file_event/file_event_win_susp_powershell_profile_create.yml rename to rules/windows/file_event/file_event_win_susp_powershell_profile.yml index f3da78694..3189d96ff 100644 --- a/rules/windows/file_event/file_event_win_susp_powershell_profile_create.yml +++ b/rules/windows/file_event/file_event_win_susp_powershell_profile.yml 
@@ -1,4 +1,4 @@ -title: Powershell Profile Modification +title: PowerShell Profile Modification id: b5b78988-486d-4a80-b991-930eff3ff8bf status: test description: Detects the creation or modification of a powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence diff --git a/rules/windows/file_event/file_event_win_susp_vscode_powershell_profile.yml b/rules/windows/file_event/file_event_win_susp_vscode_powershell_profile.yml new file mode 100644 index 000000000..a2a9389e3 --- /dev/null +++ b/rules/windows/file_event/file_event_win_susp_vscode_powershell_profile.yml @@ -0,0 +1,25 @@ +title: VsCode Powershell Profile Modification +id: 3a9fa2ec-30bc-4ebd-b49e-7c9cff225502 +related: + - id: b5b78988-486d-4a80-b991-930eff3ff8bf + type: similar +status: test +description: Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence +author: Nasreddine Bencherchali +references: + - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-7.2 +date: 2022/08/24 +logsource: + product: windows + category: file_event +detection: + selection: + TargetFilename|endswith: '\Microsoft.VSCode_profile.ps1' + condition: selection +falsepositives: + - Legitimate use of the profile by developers or administrators +level: high +tags: + - attack.persistence + - attack.privilege_escalation + - attack.t1546.013 From be2ec96dc2ce1f28199faca6ebdc69b66b5e08a2 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 24 Aug 2022 12:29:54 +0100 Subject: [PATCH 15/27] Update file_event_win_susp_vscode_powershell_profile.yml --- .../file_event_win_susp_vscode_powershell_profile.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
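Review bot: the new `file_event_win_susp_vscode_powershell_profile.yml` is created with `status: test`, while every other rule introduced in this series starts as `experimental`; a brand-new, untested rule should follow that convention. The description repeats the `as a mean of persistence` wording error from the related rule (`as a means of persistence`), and pairing `level: high` with a `falsepositives` entry that expects legitimate developer and administrator use is inconsistent; either lower the level or narrow the selection beyond the single `TargetFilename|endswith: '\Microsoft.VSCode_profile.ps1'` match.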
diff --git a/rules/windows/file_event/file_event_win_susp_vscode_powershell_profile.yml b/rules/windows/file_event/file_event_win_susp_vscode_powershell_profile.yml index a2a9389e3..f85738a13 100644 --- a/rules/windows/file_event/file_event_win_susp_vscode_powershell_profile.yml +++ b/rules/windows/file_event/file_event_win_susp_vscode_powershell_profile.yml @@ -3,7 +3,7 @@ id: 3a9fa2ec-30bc-4ebd-b49e-7c9cff225502 related: - id: b5b78988-486d-4a80-b991-930eff3ff8bf type: similar -status: test +status: experimental description: Detects the creation or modification of a vscode related powershell profile which could indicate suspicious activity as the profile can be used as a mean of persistence author: Nasreddine Bencherchali references: From afff53b8129ae3d7fb493c841b429cb1a4424ad8 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 24 Aug 2022 12:48:23 +0100 Subject: [PATCH 16/27] Add '/k' option to CMD rules --- .../win_susp_service_installation_script.yml | 40 +++++++++---------- .../proc_creation_win_malware_qbot.yml | 4 +- ...proc_creation_win_public_folder_parent.yml | 40 ++++++++++--------- ...proc_creation_win_susp_codepage_lookup.yml | 38 +++++++++--------- .../proc_creation_win_susp_del.yml | 6 +-- ...win_susp_psexex_paexec_escalate_system.yml | 7 ++-- ...proc_creation_win_susp_schtasks_change.yml | 3 ++ ...eation_win_susp_schtasks_folder_combos.yml | 7 +++- ...roc_creation_win_susp_wmic_proc_create.yml | 3 +- 9 files changed, 80 insertions(+), 68 deletions(-) diff --git a/rules/windows/builtin/system/win_susp_service_installation_script.yml b/rules/windows/builtin/system/win_susp_service_installation_script.yml index 1b2b4fd9d..0f4c9ec47 100644 --- a/rules/windows/builtin/system/win_susp_service_installation_script.yml +++ b/rules/windows/builtin/system/win_susp_service_installation_script.yml 
@@ -6,27 +6,27 @@ author: pH-T date: 2022/03/18 modified: 2022/03/24 logsource: - product: windows - service: system + product: windows + service: system detection: - selection: - Provider_Name: 'Service Control Manager' - EventID: 7045 - suspicious1: - ImagePath|contains: ' /C ' - suspicious2: - ImagePath|contains: - - 'powershell' - - 'wscript' - - 'cscript' - - 'mshta' - - 'rundll32' - condition: selection and all of suspicious* + selection: + Provider_Name: 'Service Control Manager' + EventID: 7045 + suspicious1: + ImagePath|contains: ' /C ' + suspicious2: + ImagePath|contains: + - 'powershell' + - 'wscript' + - 'cscript' + - 'mshta' + - 'rundll32' + condition: selection and all of suspicious* falsepositives: - - Unknown + - Unknown level: high tags: - - attack.persistence - - attack.privilege_escalation - - car.2013-09-005 - - attack.t1543.003 + - attack.persistence + - attack.privilege_escalation + - car.2013-09-005 + - attack.t1543.003 diff --git a/rules/windows/process_creation/proc_creation_win_malware_qbot.yml b/rules/windows/process_creation/proc_creation_win_malware_qbot.yml index b9720b5f5..db8b1bb7b 100644 --- a/rules/windows/process_creation/proc_creation_win_malware_qbot.yml +++ b/rules/windows/process_creation/proc_creation_win_malware_qbot.yml @@ -4,7 +4,7 @@ status: stable description: Detects QBot like process executions author: Florian Roth date: 2019/10/01 -modified: 2021/01/25 +modified: 2022/08/24 tags: - attack.execution - attack.t1059.005 @@ -25,7 +25,7 @@ detection: - 'regsvr32.exe' - 'C:\ProgramData' - '.tmp' - condition: selection1 or selection2 or selection3 + condition: 1 of selection* fields: - CommandLine - ParentCommandLine diff --git a/rules/windows/process_creation/proc_creation_win_public_folder_parent.yml b/rules/windows/process_creation/proc_creation_win_public_folder_parent.yml index eda2ef47b..aa71e61ca 100644 --- a/rules/windows/process_creation/proc_creation_win_public_folder_parent.yml 
+++ b/rules/windows/process_creation/proc_creation_win_public_folder_parent.yml @@ -4,28 +4,30 @@ status: experimental description: This rule detects suspicious processes with parent images located in the C:\Users\Public folder author: Florian Roth references: - - https://redcanary.com/blog/blackbyte-ransomware/ + - https://redcanary.com/blog/blackbyte-ransomware/ date: 2022/02/25 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - ParentImage|startswith: 'C:\Users\Public\' - CommandLine|contains: - - 'powershell' - - 'cmd.exe /c ' - - 'cmd /c ' - - 'wscript.exe' - - 'cscript.exe' - - 'bitsadmin' - - 'certutil' - - 'mshta.exe' - condition: selection + selection: + ParentImage|startswith: 'C:\Users\Public\' + CommandLine|contains: + - 'powershell' + - 'cmd.exe /c ' + - 'cmd.exe /k ' + - 'cmd /c ' + - 'cmd /k ' + - 'wscript.exe' + - 'cscript.exe' + - 'bitsadmin' + - 'certutil' + - 'mshta.exe' + condition: selection fields: - - ComputerName - - User - - CommandLine + - ComputerName + - User + - CommandLine falsepositives: - - Unknown + - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_susp_codepage_lookup.yml b/rules/windows/process_creation/proc_creation_win_susp_codepage_lookup.yml index c3e68b05b..fabb0e86f 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_codepage_lookup.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_codepage_lookup.yml 
@@ -4,29 +4,31 @@ status: experimental description: Detects use of chcp to look up the system locale value as part of host discovery author: '_pete_0, TheDFIRReport' references: - - https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/ - - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp + - https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/ + - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp date: 2022/02/21 modified: 2022/04/21 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - ParentImage|endswith: '\cmd.exe' - ParentCommandLine|contains: ' /c ' - Image|endswith: '\chcp.com' - CommandLine|endswith: - - 'chcp' - - 'chcp ' - - 'chcp ' - condition: selection + selection: + ParentImage|endswith: '\cmd.exe' + ParentCommandLine|contains: + - ' /c ' + - ' /k ' + Image|endswith: '\chcp.com' + CommandLine|endswith: + - 'chcp' + - 'chcp ' + - 'chcp ' + condition: selection fields: - - CommandLine - - ParentCommandLine + - CommandLine + - ParentCommandLine falsepositives: - - Unknown + - Unknown level: high tags: - - attack.discovery - - attack.t1614.001 + - attack.discovery + - attack.t1614.001 diff --git a/rules/windows/process_creation/proc_creation_win_susp_del.yml b/rules/windows/process_creation/proc_creation_win_susp_del.yml index c065e0976..5586480df 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_del.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_del.yml 
@@ -1,14 +1,14 @@ title: Suspicious Del in CommandLine id: 204b17ae-4007-471b-917b-b917b315c5db status: experimental -description: suspicious command line to remove exe or dll +description: Detects suspicious command line to remove and 'exe' or 'dll' author: frack113 date: 2021/12/02 references: - https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D tags: - attack.defense_evasion - - attack.t1070.004 + - attack.t1070.004 logsource: category: process_creation product: windows @@ -23,7 +23,7 @@ detection: - 'del *.dll' - 'C:\ProgramData\' condition: susp_del_exe or susp_del_dll -#cmd.exe (PID: 1044 cmdline: 'C:\Windows\System32\cmd.exe' /c taskkill /im A8D4.exe /f & timeout /t 6 & del /f /q 'C:\Users\user~1\AppData\Local\Temp\A8D4.exe' & del C:\ProgramData\*.dll & exit +#cmd.exe (PID: 1044 cmdline: 'C:\Windows\System32\cmd.exe' /c taskkill /im A8D4.exe /f & timeout /t 6 & del /f /q 'C:\Users\user~1\AppData\Local\Temp\A8D4.exe' & del C:\ProgramData\*.dll & exit falsepositives: - Unknown level: medium diff --git a/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_escalate_system.yml b/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_escalate_system.yml index 103bb2861..7da441b61 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_escalate_system.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_psexex_paexec_escalate_system.yml @@ -8,7 +8,7 @@ references: - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html author: Florian Roth date: 2021/11/23 -modified: 2022/07/21 +modified: 2022/08/24 logsource: category: process_creation product: windows 
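Review bot: the new description in the proc_creation_win_susp_del.yml hunk, "Detects suspicious command line to remove and 'exe' or 'dll'", has a typo ("and" for "an"); suggest "Detects a suspicious command line used to remove an 'exe' or 'dll' file". The only other changes in that hunk are the re-indented `- attack.t1070.004` line and a rewrite of the unchanged `#cmd.exe (PID: 1044 ...)` comment, which looks like a whitespace or line-ending change and is worth a mention in the commit message.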
@@ -20,10 +20,11 @@ detection: - 'PAExec' - 'accepteula' - 'cmd /c ' + - 'cmd /k ' condition: selection falsepositives: - Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare) level: high tags: - - attack.develop_capabilities - - attack.t1587.001 \ No newline at end of file + - attack.resource_development + - attack.t1587.001 diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_change.yml b/rules/windows/process_creation/proc_creation_win_susp_schtasks_change.yml index 4aa76a302..e1e2e281d 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_schtasks_change.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_schtasks_change.yml @@ -13,6 +13,7 @@ tags: - attack.t1053.005 author: Nasreddine Bencherchali date: 2022/07/28 +modified: 2022/08/24 logsource: product: windows category: process_creation @@ -42,7 +43,9 @@ detection: - 'regsvr32' - 'rundll32' - 'cmd /c ' + - 'cmd /k ' - 'cmd.exe /c ' + - 'cmd.exe /k ' - 'powershell' - 'mshta' - 'wscript' diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_folder_combos.yml b/rules/windows/process_creation/proc_creation_win_susp_schtasks_folder_combos.yml index 276f358ef..ede801918 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_schtasks_folder_combos.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_schtasks_folder_combos.yml @@ -9,6 +9,7 @@ tags: - attack.t1053.005 author: Florian Roth date: 2022/04/15 +modified: 2022/08/24 logsource: product: windows category: process_creation @@ -20,12 +21,14 @@ detection: CommandLine|contains: - 'powershell' - 'cmd /c ' + - 'cmd /k ' - 'cmd.exe /c ' - selection1_all_folders: + - 'cmd.exe /k ' + selection_all_folders: CommandLine|contains: - 'C:\ProgramData\' - '%ProgramData%' - condition: all of selection* + condition: all of selection_* falsepositives: - Unknown level: high 
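Review bot: the win_susp_service_installation_script.yml hunk only re-indents the file from two to four spaces; the `ImagePath|contains: ' /C '` selector is unchanged, so this rule gets no `/K` variant despite the patch subject "Add '/k' option to CMD rules". Either add ` /K ` beside ` /C ` as a list under `ImagePath|contains`, or drop the whitespace-only hunk to keep the diff reviewable.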
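Review bot: in the proc_creation_win_susp_schtasks_folder_combos.yml hunk the condition changes from `all of selection*` to `all of selection_*`, which only includes groups whose names begin with `selection_`. The hunk shows `selection1_all_folders` renamed to `selection_all_folders`, but the first group holding `CommandLine|contains` starts above the hunk context and its name is not visible; confirm it is also named with the `selection_` prefix, otherwise the new condition silently stops requiring it.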
diff --git a/rules/windows/process_creation/proc_creation_win_susp_wmic_proc_create.yml b/rules/windows/process_creation/proc_creation_win_susp_wmic_proc_create.yml index a0f27bec9..999d77e14 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_wmic_proc_create.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_wmic_proc_create.yml @@ -7,7 +7,7 @@ references: - https://thedfirreport.com/2020/10/08/ryuks-return/ - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker date: 2020/10/12 -modified: 2022/08/09 +modified: 2022/08/24 logsource: category: process_creation product: windows @@ -23,6 +23,7 @@ detection: - 'bitsadmin' - 'regsvr32' - 'cmd.exe /c ' + - 'cmd.exe /k ' - 'powershell' - 'pwsh' - 'certutil' From 9dccb4830ece092659763f5cc5c1a967cfd6b1ec Mon Sep 17 00:00:00 2001 From: Ali Alwashali Date: Wed, 24 Aug 2022 16:16:38 +0300 Subject: [PATCH 17/27] Update posh_ps_disable_psreadline_command_history.yml --- .../posh_ps_disable_psreadline_command_history.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/rules/windows/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml b/rules/windows/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml index 9fefb91f5..03cad76e1 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml @@ -1,4 +1,4 @@ -title: Disable Powershell Command History +title: Disable Powershell Command History id: 602f5669-6927-4688-84db-0d4b7afb2150 status: experimental description: Powershell command history can be disabled by removing psreadline module 
@@ -12,11 +12,13 @@ logsource: definition: Script block logging must be enabled detection: selection: - ScriptBlockText|contains: 'Remove-Module psreadline' + ScriptBlockText|contains|all: + - Remove-Module + - psreadline condition: selection falsepositives: - Legitimate script level: medium tags: - - attack.lateral_movement - - attack.t1021.006 + - attack.defense_evasion + - attack.t1070.003 From e310bda6adb2ebb88d31f78937722431ad3f7c20 Mon Sep 17 00:00:00 2001 From: Tim Shelton Date: Wed, 24 Aug 2022 15:34:36 +0000 Subject: [PATCH 18/27] FP: sentinel one performs this --- .../file_event/file_event_win_susp_adsi_cache_usage.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/rules/windows/file_event/file_event_win_susp_adsi_cache_usage.yml b/rules/windows/file_event/file_event_win_susp_adsi_cache_usage.yml index 81b34659c..b7afdc19b 100755 --- a/rules/windows/file_event/file_event_win_susp_adsi_cache_usage.yml +++ b/rules/windows/file_event/file_event_win_susp_adsi_cache_usage.yml @@ -8,7 +8,7 @@ references: - https://blog.fox-it.com/2020/03/19/ldapfragger-command-and-control-over-ldap-attributes/ - https://github.com/fox-it/LDAPFragger date: 2019/03/24 -modified: 2022/08/16 +modified: 2022/08/24 logsource: product: windows category: file_event @@ -26,7 +26,9 @@ detection: - 'C:\Program Files\Cylance\Desktop\CylanceSvc.exe' - 'C:\Windows\System32\wbem\WmiPrvSE.exe' filter_begins: - Image|startswith: 'C:\Windows\ccmsetup\autoupgrade\ccmsetup' # C:\Windows\ccmsetup\autoupgrade\ccmsetup.TMC00002.40.exe + Image|startswith: + - 'C:\Windows\ccmsetup\autoupgrade\ccmsetup' # C:\Windows\ccmsetup\autoupgrade\ccmsetup.TMC00002.40.exe + - 'C:\Program Files\SentinelOne\Sentinel Agent' # C:\Program Files\SentinelOne\Sentinel Agent 21.7.7.40005\SentinelAgent.exe filter_ends: Image|endswith: '\LANDesk\LDCLient\ldapwhoami.exe' filter_domain_controller: From 583155df30bc45dda028840154d1153c43105b25 Mon Sep 17 00:00:00 2001 
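Review bot: in the posh_ps_disable_psreadline_command_history.yml hunk, splitting `'Remove-Module psreadline'` into `ScriptBlockText|contains|all` with `Remove-Module` and `psreadline` as separate terms also fires on any script block that merely mentions both strings anywhere, for instance a script that imports PSReadLine and removes an unrelated module; the wider net is acceptable at `level: medium`, but say so in the falsepositives entry instead of the bare "Legitimate script". The retagging from lateral_movement/t1021.006 to defense_evasion/t1070.003 is the right mapping for clearing command history.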
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Wed, 24 Aug 2022 18:42:56 +0200 Subject: [PATCH 19/27] Order --- .../registry/registry_event/registry_event_apt_pandemic.yml | 2 +- .../registry_set/registry_set_crashdump_disabled.yml | 3 ++- .../registry_set_cve_2021_31979_cve_2021_33771_exploits.yml | 5 +++-- .../registry_set/registry_set_dns_serverlevelplugindll.yml | 5 +++-- 4 files changed, 9 insertions(+), 6 deletions(-) diff --git a/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml b/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml index ae48ef5e2..ee4a492b2 100755 --- a/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml +++ b/rules/windows/registry/registry_event/registry_event_apt_pandemic.yml @@ -15,7 +15,7 @@ logsource: category: registry_event product: windows detection: - selection: + selection: TargetObject|contains: '\SYSTEM\CurrentControlSet\services\null\Instance' condition: selection falsepositives: diff --git a/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml b/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml index be96ca227..a3c75e5a4 100644 --- a/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml +++ b/rules/windows/registry/registry_set/registry_set_crashdump_disabled.yml @@ -4,7 +4,7 @@ status: experimental description: Detects disabling the CrashDump per registry (as used by HermeticWiper) author: Tobias Michalski date: 2022/02/24 -modified: 2022/03/26 +modified: 2022/08/23 references: - https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack/ logsource: @@ -12,6 +12,7 @@ logsource: category: registry_set detection: selection: + EventType: SetValue TargetObject|contains: 'SYSTEM\CurrentControlSet\Control\CrashControl' Details: 'DWORD (0x00000000)' condition: selection 
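Review bot: in the registry_set_crashdump_disabled.yml hunk, `EventType: SetValue` is the right addition now that the category is registry_set, but `TargetObject|contains: 'SYSTEM\CurrentControlSet\Control\CrashControl'` combined with `Details: 'DWORD (0x00000000)'` matches any zero DWORD written anywhere under that key, not only the crash-dump toggle the title describes; if a specific value name is intended, pin it with `TargetObject|endswith`.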
diff --git a/rules/windows/registry/registry_set/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml b/rules/windows/registry/registry_set/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml index 08a48fe20..7a9c52e09 100644 --- a/rules/windows/registry/registry_set/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml +++ b/rules/windows/registry/registry_set/registry_set_cve_2021_31979_cve_2021_33771_exploits.yml @@ -4,7 +4,7 @@ status: experimental description: Detects patterns as noticed in exploitation of Windows CVE-2021-31979 CVE-2021-33771 vulnerability and DevilsTongue malware by threat group Sourgum author: Sittikorn S, frack113 date: 2021/07/16 -modified: 2022/06/29 +modified: 2022/08/23 references: - https://www.microsoft.com/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/ - https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/ @@ -17,9 +17,10 @@ tags: # - threat_group.Sourgum logsource: product: windows - category: registry_event + category: registry_set detection: selection: + EventType: SetValue TargetObject|endswith: - CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32\(Default) - CLSID\{7C857801-7381-11CF-884D-00AA004B2E24}\InProcServer32\(Default) diff --git a/rules/windows/registry/registry_set/registry_set_dns_serverlevelplugindll.yml b/rules/windows/registry/registry_set/registry_set_dns_serverlevelplugindll.yml index 572e3ba60..38ea828ff 100755 --- a/rules/windows/registry/registry_set/registry_set_dns_serverlevelplugindll.yml +++ b/rules/windows/registry/registry_set/registry_set_dns_serverlevelplugindll.yml 
@@ -6,7 +6,7 @@ description: Detects the installation of a plugin DLL via ServerLevelPluginDll p references: - https://medium.com/@esnesenon/feature-not-bug-dnsadmin-to-dc-compromise-in-one-line-a0f779b8dc83 date: 2017/05/08 -modified: 2021/09/12 +modified: 2022/08/23 author: Florian Roth tags: - attack.defense_evasion @@ -14,9 +14,10 @@ tags: - attack.t1112 logsource: product: windows - category: registry_event + category: registry_set detection: selection: + EventType: SetValue TargetObject|endswith: '\services\DNS\Parameters\ServerLevelPluginDll' condition: selection fields: From 728a7ccb662ad088830adf60ea77f83af03fb261 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 24 Aug 2022 18:35:23 +0100 Subject: [PATCH 20/27] Fix after review --- rules/windows/driver_load/driver_load_vuln_drivers.yml | 2 +- .../file_event_win_susp_powershell_profile.yml | 5 +---- .../process_creation/proc_creation_win_susp_del.yml | 9 ++++++--- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/rules/windows/driver_load/driver_load_vuln_drivers.yml b/rules/windows/driver_load/driver_load_vuln_drivers.yml index 6fe73a176..a3898ef84 100644 --- a/rules/windows/driver_load/driver_load_vuln_drivers.yml +++ b/rules/windows/driver_load/driver_load_vuln_drivers.yml @@ -792,7 +792,7 @@ detection: - '\semav6msr.sys' - '\piddrv64.sys' driver_status: - - Signed: false + - Signed: 'false' - SignatureStatus: Expired condition: 1 of selection* or all of driver_* falsepositives: diff --git a/rules/windows/file_event/file_event_win_susp_powershell_profile.yml b/rules/windows/file_event/file_event_win_susp_powershell_profile.yml index 3189d96ff..737db2024 100644 --- a/rules/windows/file_event/file_event_win_susp_powershell_profile.yml +++ b/rules/windows/file_event/file_event_win_susp_powershell_profile.yml 
@@ -14,13 +14,10 @@ logsource: detection: selection: TargetFilename|endswith: - - '\WindowsPowerShell\Microsoft.PowerShell_profile.ps1' + - '\Microsoft.PowerShell_profile.ps1' - '\WindowsPowerShell\profile.ps1' - - '\PowerShell\Microsoft.PowerShell_profile.ps1' - '\PowerShell\profile.ps1' - - '\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1' - '\Windows\System32\WindowsPowerShell\v1.0\profile.ps1' - - '\Program Files\PowerShell\7\Microsoft.PowerShell_profile.ps1' - '\Program Files\PowerShell\7\profile.ps1' condition: selection falsepositives: diff --git a/rules/windows/process_creation/proc_creation_win_susp_del.yml b/rules/windows/process_creation/proc_creation_win_susp_del.yml index 5586480df..40c8158f0 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_del.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_del.yml @@ -4,6 +4,7 @@ status: experimental description: Detects suspicious command line to remove and 'exe' or 'dll' author: frack113 date: 2021/12/02 +modified: 2022/08/24 references: - https://www.joesandbox.com/analysis/509330/0/html#1044F3BDBE3BB6F734E357235F4D5898582D tags: @@ -15,15 +16,17 @@ logsource: detection: susp_del_exe: CommandLine|contains|all: - - 'del *.exe' + - 'del ' + - '\*.exe' - '/f ' - '/q ' susp_del_dll: CommandLine|contains|all: - - 'del *.dll' + # Example: cmd.exe (PID: 1044 cmdline: 'C:\Windows\System32\cmd.exe' /c taskkill /im A8D4.exe /f & timeout /t 6 & del /f /q 'C:\Users\user~1\AppData\Local\Temp\A8D4.exe' & del C:\ProgramData\*.dll & exit + - 'del ' + - '\*.dll' - 'C:\ProgramData\' condition: susp_del_exe or susp_del_dll -#cmd.exe (PID: 1044 cmdline: 'C:\Windows\System32\cmd.exe' /c taskkill /im A8D4.exe /f & timeout /t 6 & del /f /q 'C:\Users\user~1\AppData\Local\Temp\A8D4.exe' & del C:\ProgramData\*.dll & exit falsepositives: - Unknown level: medium From 1c536e0698013beb9efab16d15a64046f04d583d Mon Sep 17 00:00:00 2001 
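Review bot: in the proc_creation_win_susp_del.yml hunk, replacing `'del *.exe'` with the pair `'del '` and `'\*.exe'` changes the meaning: the backslash escapes the asterisk, so `'\*.exe'` now requires a literal `*.exe` in the command line, whereas the old `*` was a wildcard. The example command line kept in the comment, `del /f /q 'C:\Users\user~1\AppData\Local\Temp\A8D4.exe'`, contains no literal `*.exe`, so `susp_del_exe` no longer matches it (only `susp_del_dll` does, via `del C:\ProgramData\*.dll`). If deletes of any `.exe` are meant, use `'.exe'` or an unescaped `'*.exe'`; if literal wildcard deletes are the intent, update the description and the example accordingly.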
From: vadim Date: Wed, 24 Aug 2022 22:18:13 +0300 Subject: [PATCH 21/27] Add new rules for detection msdt.exe create file to autorun --- .../file_event_win_msdt_autorun.yml | 22 +++++++++++++++++++ 1 file changed, 22 insertions(+) create mode 100644 rules/windows/file_event/file_event_win_msdt_autorun.yml diff --git a/rules/windows/file_event/file_event_win_msdt_autorun.yml b/rules/windows/file_event/file_event_win_msdt_autorun.yml new file mode 100644 index 000000000..ca7ea012a --- /dev/null +++ b/rules/windows/file_event/file_event_win_msdt_autorun.yml @@ -0,0 +1,22 @@ +title: Msdt.exe create executable file in autorun directory +id: +status: experimental +description: Detection msdt.exe create executable file in autorun directory. CVE-2022-30190 +author: Vadim Varganov +references: + - https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd +date: 2022/08/24 +logsource: + category: file_event + product: windows +detection: + selection: + - Image|endswith: '\msdt.exe' + - TargetFilename|contains: '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\' + condition: selection +falsepositives: + - Undefined +level: high +tags: + - attack.persistance + - attack.t1547.001 From 4a8d4041ee7043b70f5c65ce83691aeea5a6389d Mon Sep 17 00:00:00 2001 From: Vadim Varganov Date: Thu, 25 Aug 2022 09:25:30 +0300 Subject: [PATCH 22/27] Update file_event_win_msdt_autorun.yml --- rules/windows/file_event/file_event_win_msdt_autorun.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/file_event/file_event_win_msdt_autorun.yml b/rules/windows/file_event/file_event_win_msdt_autorun.yml index ca7ea012a..68ae08744 100644 --- a/rules/windows/file_event/file_event_win_msdt_autorun.yml +++ b/rules/windows/file_event/file_event_win_msdt_autorun.yml 
@@ -1,5 +1,5 @@ -title: Msdt.exe create executable file in autorun directory -id: +title: msdt.exe Create file in Autorun directory +id: 318557a5-150c-4c8d-b70e-a9910e199857 status: experimental description: Detection msdt.exe create executable file in autorun directory. CVE-2022-30190 author: Vadim Varganov @@ -18,5 +18,5 @@ falsepositives: - Undefined level: high tags: - - attack.persistance + - attack.persistence - attack.t1547.001 From 61657f50e6b9b8fc525b738fef2d768ffdf2dd4b Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 25 Aug 2022 08:38:43 +0200 Subject: [PATCH 23/27] Update file_event_win_msdt_autorun.yml --- .../file_event_win_msdt_autorun.yml | 25 ++++++++++++------- 1 file changed, 16 insertions(+), 9 deletions(-) diff --git a/rules/windows/file_event/file_event_win_msdt_autorun.yml b/rules/windows/file_event/file_event_win_msdt_autorun.yml index 68ae08744..65151c6fb 100644 --- a/rules/windows/file_event/file_event_win_msdt_autorun.yml +++ b/rules/windows/file_event/file_event_win_msdt_autorun.yml 
@@ -1,22 +1,29 @@ -title: msdt.exe Create file in Autorun directory +title: MSDT.exe Creates Files in Autorun Directory id: 318557a5-150c-4c8d-b70e-a9910e199857 status: experimental -description: Detection msdt.exe create executable file in autorun directory. CVE-2022-30190 -author: Vadim Varganov +description: Detects msdt.exe creating files in suspicious directories +author: Vadim Varganov, Florian Roth references: - https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd + - https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/ date: 2022/08/24 +tags: + - attack.persistence + - attack.t1547.001 + - cve.2022.30190 logsource: category: file_event product: windows detection: selection: - - Image|endswith: '\msdt.exe' - - TargetFilename|contains: '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\' + Image|endswith: '\msdt.exe' + TargetFilename|contains: + - '\Start Menu\Programs\Startup\' + - 'C:\Users\Public\' + - 'C:\PerfLogs\' + - '\Desktop\' + - 'C:\ProgramData\' condition: selection falsepositives: - - Undefined + - Unknown level: high -tags: - - attack.persistence - - attack.t1547.001 From 3c5852b5f5c4f0cff148539cf29f96daf8aa867a Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 25 Aug 2022 08:45:39 +0200 Subject: [PATCH 24/27] fix: line endings, level, description, fp --- ..._ps_disable_psreadline_command_history.yml | 48 +++++++++---------- 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/rules/windows/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml b/rules/windows/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml index 03cad76e1..0fd446068 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_disable_psreadline_command_history.yml 
@@ -1,24 +1,24 @@ -title: Disable Powershell Command History -id: 602f5669-6927-4688-84db-0d4b7afb2150 -status: experimental -description: Powershell command history can be disabled by removing psreadline module -references: - - https://twitter.com/DissectMalware/status/1062879286749773824 -author: Ali Alwashali -date: 2022/08/21 -logsource: - product: windows - category: ps_script - definition: Script block logging must be enabled -detection: - selection: - ScriptBlockText|contains|all: - - Remove-Module - - psreadline - condition: selection -falsepositives: - - Legitimate script -level: medium -tags: - - attack.defense_evasion - - attack.t1070.003 +title: Disable Powershell Command History +id: 602f5669-6927-4688-84db-0d4b7afb2150 +status: experimental +description: Detects scripts or commands that disabled the Powershell command history by removing psreadline module +references: + - https://twitter.com/DissectMalware/status/1062879286749773824 +author: Ali Alwashali +date: 2022/08/21 +logsource: + product: windows + category: ps_script + definition: Script block logging must be enabled +detection: + selection: + ScriptBlockText|contains|all: + - Remove-Module + - psreadline + condition: selection +falsepositives: + - Legitimate script that disables the command history +level: high +tags: + - attack.defense_evasion + - attack.t1070.003 From f316469cd744ad4c2a9ea099cb1d3ae46a11d158 Mon Sep 17 00:00:00 2001 From: jkb <80353249+jkb-s@users.noreply.github.com> Date: Fri, 26 Aug 2022 00:25:04 +0200 Subject: [PATCH 25/27] Fixing selection_user to match NT AUTHORITY\SYSTEM This should be 'SYSTEM' not ' SYSTEM ' - these leading/trailing spaces are making this detection invalid since the /RU parameter value will be "NT AUTHORITY\SYSTEM". --- .../process_creation/proc_creation_win_schtasks_system.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
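Review bot: in the rewritten posh_ps_disable_psreadline_command_history.yml hunk, the new description "Detects scripts or commands that disabled the Powershell command history" should read "that disable the PowerShell command history"; with `level` raised to high, the falsepositives entry "Legitimate script that disables the command history" is the only hint at expected noise, so keep it specific.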
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_system.yml b/rules/windows/process_creation/proc_creation_win_schtasks_system.yml index 5fb8aed32..9924e7b09 100644 --- a/rules/windows/process_creation/proc_creation_win_schtasks_system.yml +++ b/rules/windows/process_creation/proc_creation_win_schtasks_system.yml @@ -21,7 +21,7 @@ detection: selection_user: CommandLine|contains: - 'NT AUT' - - ' SYSTEM ' + - 'SYSTEM' filter: # FP from test set in SIGMA ParentImage|contains|all: From 060fbcda31abbdd36b2101e9fedc31ad07e620b7 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 26 Aug 2022 11:25:41 +0100 Subject: [PATCH 26/27] Revert "Fixing selection_user to match NT AUTHORITY\SYSTEM" --- .../process_creation/proc_creation_win_schtasks_system.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_system.yml b/rules/windows/process_creation/proc_creation_win_schtasks_system.yml index 9924e7b09..5fb8aed32 100644 --- a/rules/windows/process_creation/proc_creation_win_schtasks_system.yml +++ b/rules/windows/process_creation/proc_creation_win_schtasks_system.yml @@ -21,7 +21,7 @@ detection: selection_user: CommandLine|contains: - 'NT AUT' - - 'SYSTEM' + - ' SYSTEM ' filter: # FP from test set in SIGMA ParentImage|contains|all: From e80116e704d3774c0885b0a01dfae88387709fc9 Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Fri, 26 Aug 2022 16:51:02 +0200 Subject: [PATCH 27/27] fix: FPs found in testing environment --- .../sysmon_susp_remote_thread.yml | 7 ++++++- ...in_always_install_elevated_windows_installer.yml | 13 +++++++++++-- .../registry_set_disable_winevt_logging.yml | 8 +++++--- 3 files changed, 22 insertions(+), 6 deletions(-) 
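Review bot: the revert in proc_creation_win_schtasks_system.yml restores `' SYSTEM '` under `CommandLine|contains`; since that list is an OR and the sibling entry `'NT AUT'` already matches `/RU "NT AUTHORITY\SYSTEM"`, the padded entry only covers the bare `/RU SYSTEM` form, so the reverted commit's claim that the detection is invalid does not hold for the NT AUTHORITY form. Add a comment next to `' SYSTEM '` stating that the padding is deliberate (presumably to avoid substring hits on paths such as `System32`) so the same fix is not proposed again.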
diff --git a/rules/windows/create_remote_thread/sysmon_susp_remote_thread.yml b/rules/windows/create_remote_thread/sysmon_susp_remote_thread.yml index c1019a171..e4db5a7fe 100644 --- a/rules/windows/create_remote_thread/sysmon_susp_remote_thread.yml +++ b/rules/windows/create_remote_thread/sysmon_susp_remote_thread.yml @@ -7,7 +7,7 @@ notes: - MonitoringHost.exe is a process that loads .NET CLR by default and thus a favorite for process injection for .NET in-memory offensive tools. status: experimental date: 2019/10/27 -modified: 2022/08/12 +modified: 2022/08/26 author: Perez Diego (@darkquassar), oscd.community references: - Personal research, statistical analysis @@ -91,6 +91,11 @@ detection: TargetImage: 'System' filter_powershell: SourceParentImage: 'C:\Windows\System32\CompatTelRunner.exe' + filter_schtasks_conhost: + SourceImage: + - 'C:\Windows\System32\schtasks.exe' + - 'C:\Windows\SysWOW64\schtasks.exe' + TargetImage: 'C:\Windows\System32\conhost.exe' condition: selection and not 1 of filter* fields: - ComputerName diff --git a/rules/windows/process_creation/proc_creation_win_always_install_elevated_windows_installer.yml b/rules/windows/process_creation/proc_creation_win_always_install_elevated_windows_installer.yml index c59c9aaca..694d57530 100644 --- a/rules/windows/process_creation/proc_creation_win_always_install_elevated_windows_installer.yml +++ b/rules/windows/process_creation/proc_creation_win_always_install_elevated_windows_installer.yml @@ -4,7 +4,7 @@ description: This rule looks for Windows Installer service (msiexec.exe) trying status: experimental author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community date: 2020/10/13 -modified: 2022/02/18 +modified: 2022/08/25 references: - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg tags: 
@@ -32,11 +32,20 @@ detection: filter_repair: - CommandLine|endswith: '\system32\msiexec.exe /V' # ignore "repair option" - ParentCommandLine|endswith: '\system32\msiexec.exe /V' # ignore "repair option" + filter_autoupdater: + ParentImage|startswith: + - 'C:\ProgramData\Sophos\' + - 'C:\ProgramData\Avira\' + - 'C:\Program Files\Avast Software\' + - 'C:\Program Files (x86)\Avast Software\' + - 'C:\Program Files\Google\Update\' + - 'C:\Program Files (x86)\Google\Update\' condition: ( (image_1 and user) or (image_2 and user and integrity_level) ) and not 1 of filter* fields: - IntegrityLevel - User - Image falsepositives: - - System administrator Usage + - System administrator usage + - Anti virus products level: medium diff --git a/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml b/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml index f5e047e88..75a52bd13 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml @@ -3,7 +3,7 @@ id: 2f78da12-f7c7-430b-8b19-a28f269b77a3 description: Detects tempering with the "Enabled" registry key in order to disable windows logging of a windows event channel author: frack113, Nasreddine Bencherchali date: 2022/07/04 -modified: 2022/08/10 +modified: 2022/08/26 status: experimental references: - https://twitter.com/WhichbufferArda/status/1543900539280293889 
@@ -22,9 +22,11 @@ detection: filter_iis: Image|startswith: 'C:\Windows\winsxs\' Image|endswith: '\TiWorker.exe' # many different TargetObjects - filter_fsmfd: + filter_svchost: Image: 'C:\Windows\System32\svchost.exe' - TargetObject|contains: '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-FileInfoMinifilter' + TargetObject|contains: + - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-FileInfoMinifilter' + - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-ASN1\' condition: selection and not 1 of filter* falsepositives: - Legitimate administrators disabling specific event log for troubleshooting
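Review bot: In the proc_creation_win_schtasks_system.yml hunk that replaces `- ' SYSTEM '` with `- 'SYSTEM'`, dropping the surrounding spaces turns the `CommandLine|contains` token into a bare substring, and because Sigma string matching is case-insensitive by default it would also fire on any command line that contains `System32`, which defeats the purpose of `selection_user`. The `NT AUT` entry already covers `NT AUTHORITY\SYSTEM`, so the padded token should stay, as the following revert restores.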
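Review bot: The revert hunk for proc_creation_win_schtasks_system.yml restores `- ' SYSTEM '`, but the commit message only repeats the reverted subject and gives no reason; since PATCH 25 and PATCH 26 cancel out completely, squash both out of the series, or keep only the revert with a one-line rationale in its body, so the rule's history does not carry a broaden-then-revert pair.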
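Review bot: The new `filter_schtasks_conhost` block in sysmon_susp_remote_thread.yml arrives without any explanation, while the file's `notes:` section already documents why other sources (MonitoringHost.exe, for example) are expected; add a matching note stating in which environment schtasks.exe was seen creating threads in conhost.exe and why that is benign, so a later reviewer can tell whether the exclusion still holds. The block is picked up correctly by `condition: selection and not 1 of filter*`, and keying on full `SourceImage` and `TargetImage` paths rather than `endswith` is the right choice for an exclusion, since it does not exempt a renamed binary running from elsewhere.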
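Review bot: The `modified:` hunk in proc_creation_win_always_install_elevated_windows_installer.yml sets `2022/08/25`, while the other two rules touched by the same commit are stamped `2022/08/26` and the commit itself is dated Fri, 26 Aug 2022; align the date with the day the change was made.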
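Review bot: The `filter_autoupdater` block excludes every msiexec.exe launch whose `ParentImage` merely starts with one of six vendor directories, which is a coarse exclusion for a rule whose point is catching a low-privileged user obtaining an elevated installer: `C:\ProgramData\` is writable by standard users by default, so the ACL of each listed subfolder is all that stands behind the exclusion. Prefer matching the specific updater executables with `ParentImage|endswith` (binary names to be confirmed against the test environment) or adding a second field to the filter, and record which parent processes actually produced the false positives in a comment beside the block. The `falsepositives` edit also undersells the filter: `Anti virus products` should read `Antivirus products and software auto-updaters`, since the Google Update paths are not antivirus.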
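Review bot: In the `filter_svchost` hunk of registry_set_disable_winevt_logging.yml the two `TargetObject|contains` entries are anchored differently: the new `\Channels\Microsoft-Windows-ASN1\` ends with a backslash, the retained `\Microsoft-Windows-FileInfoMinifilter` entry does not and therefore also matches any channel whose name merely begins with that string. Make the anchoring consistent and deliberate, and verify against a captured event that the ASN1 key path really continues with a backslash after the channel name rather than another separator, because a `contains` pattern with a trailing `\` silently never matches if the real path differs and the false positive would remain. The rename from `filter_fsmfd` to `filter_svchost` widens the block's stated scope to the whole service host, so keep the channel list explicit rather than ever collapsing it to an `Image`-only exclusion, since svchost.exe hosts many unrelated services.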
