diff --git a/rules/cloud/aws_securityhub_finding_evasion.yml b/rules/cloud/aws_securityhub_finding_evasion.yml new file mode 100644 index 000000000..5c9013583 --- /dev/null +++ b/rules/cloud/aws_securityhub_finding_evasion.yml @@ -0,0 +1,29 @@ +title: AWS SecurityHub Findings Evasion +id: a607e1fe-74bf-4440-a3ec-b059b9103157 +status: stable +description: Detects the modification of the findings on SecurityHub. +author: Sittikorn S +date: 2021/06/28 +references: + - https://docs.aws.amazon.com/cli/latest/reference/securityhub/ +tags: + - attack.defense_evasion + - attack.t1562 +logsource: + service: cloudtrail +detection: + selection: + eventSource: securityhub.amazonaws.com + eventName: + - 'BatchUpdateFindings' + - 'DeleteInsight' + - 'UpdateFindings' + - 'UpdateInsight' + condition: selection +fields: + - sourceIPAddress + - userIdentity.arn +falsepositives: + - System or Network administrator behaviors + - DEV, UAT, SAT environment. You should apply this rule with PROD environment only. +level: high diff --git a/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml b/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml index 2e9e33da2..868ff4c6b 100644 --- a/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml +++ b/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml @@ -6,7 +6,7 @@ author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd date: 2019/10/24 modified: 2019/11/11 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md - https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html logsource: product: linux @@ -21,4 +21,4 @@ falsepositives: level: high tags: - attack.defense_evasion - - attack.t1574.006 \ No newline at end of file + - attack.t1574.006 
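Review bot: `status: stable` on a brand-new rule is inconsistent with the repository's practice of landing new rules as `status: experimental` (the other new rule in this commit, powershell_renamed_powershell.yml, does exactly that); suggest `status: experimental` until the rule has been run against real CloudTrail data. The selection will also fire on every `BatchUpdateFindings` call made by automated workflow or remediation tooling that legitimately updates finding status, so a `filter` on `userIdentity.arn` for known automation roles with `condition: selection and not filter` would cut the noise the falsepositives entry already anticipates. CloudTrail records denied calls too, so the rule matches unsuccessful attempts as well; that is arguably desirable for an evasion rule, but the description should say so, e.g. `description: Detects attempts to modify or delete Security Hub findings and insights.`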
diff --git a/rules/linux/auditd/lnx_auditd_masquerading_crond.yml b/rules/linux/auditd/lnx_auditd_masquerading_crond.yml index c76769bc9..abb7ac2c5 100644 --- a/rules/linux/auditd/lnx_auditd_masquerading_crond.yml +++ b/rules/linux/auditd/lnx_auditd_masquerading_crond.yml @@ -6,7 +6,7 @@ description: Masquerading occurs when the name or location of an executable, leg author: Timur Zinniatullin, oscd.community date: 2019/10/21 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md logsource: product: linux service: auditd diff --git a/rules/linux/auditd/lnx_auditd_user_discovery.yml b/rules/linux/auditd/lnx_auditd_user_discovery.yml index 67c8e7804..286fc3036 100644 --- a/rules/linux/auditd/lnx_auditd_user_discovery.yml +++ b/rules/linux/auditd/lnx_auditd_user_discovery.yml @@ -6,7 +6,7 @@ description: Adversaries may use the information from System Owner/User Discover author: Timur Zinniatullin, oscd.community date: 2019/10/21 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md logsource: product: linux service: auditd diff --git a/rules/linux/auditd/lnx_data_compressed.yml b/rules/linux/auditd/lnx_data_compressed.yml index 5987f9335..127323a10 100644 --- a/rules/linux/auditd/lnx_data_compressed.yml +++ b/rules/linux/auditd/lnx_data_compressed.yml 
@@ -1,12 +1,12 @@ title: Data Compressed id: a3b5e3e9-1b49-4119-8b8e-0344a01f21ee status: experimental -description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network +description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. author: Timur Zinniatullin, oscd.community date: 2019/10/21 modified: 2019/11/04 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md logsource: product: linux service: auditd @@ -24,8 +24,8 @@ detection: a1|contains: '-c' condition: 1 of them falsepositives: - - Legitimate use of archiving tools by legitimate user + - Legitimate use of archiving tools by legitimate user. level: low tags: - attack.exfiltration - - attack.t1560.001 \ No newline at end of file + - attack.t1560.001 diff --git a/rules/linux/auditd/lnx_network_sniffing.yml b/rules/linux/auditd/lnx_network_sniffing.yml index b4d629211..9f2078370 100644 --- a/rules/linux/auditd/lnx_network_sniffing.yml +++ b/rules/linux/auditd/lnx_network_sniffing.yml @@ -7,7 +7,7 @@ author: Timur Zinniatullin, oscd.community date: 2019/10/21 modified: 2019/11/04 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md logsource: product: linux service: auditd @@ -24,7 +24,7 @@ detection: a3: '-i' condition: selection1 or selection2 falsepositives: - - Legitimate administrator or user uses network sniffing tool for legitimate reason + - Legitimate administrator or user uses network sniffing tool for legitimate reasons. level: low tags: - attack.credential_access 
diff --git a/rules/linux/lnx_chattr_immutable_removal.yml b/rules/linux/lnx_chattr_immutable_removal.yml index 0c3868332..687e46dc7 100644 --- a/rules/linux/lnx_chattr_immutable_removal.yml +++ b/rules/linux/lnx_chattr_immutable_removal.yml @@ -1,11 +1,11 @@ title: Remove Immutable File Attribute id: a5b977d6-8a81-4475-91b9-49dbfcd941f7 status: experimental -description: Detects removing immutable file attribute +description: Detects removing immutable file attribute. author: Jakob Weinzettl, oscd.community date: 2019/09/23 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md logsource: product: linux service: auditd @@ -16,8 +16,8 @@ detection: a1|contains: '-i' condition: selection falsepositives: - - Administrator interacting with immutable files (for instance backups) + - Administrator interacting with immutable files (e.g. for instance backups). level: medium tags: - attack.defense_evasion - - attack.t1222.002 \ No newline at end of file + - attack.t1222.002 diff --git a/rules/linux/lnx_dd_delete_file.yml b/rules/linux/lnx_dd_delete_file.yml index c5a1ed98d..2ef02aebc 100644 --- a/rules/linux/lnx_dd_delete_file.yml +++ b/rules/linux/lnx_dd_delete_file.yml @@ -1,11 +1,11 @@ title: Overwriting the File with Dev Zero or Null id: 37222991-11e9-4b6d-8bdf-60fbe48f753e status: stable -description: Detects overwriting (effectively wiping/deleting) the file +description: Detects overwriting (effectively wiping/deleting) of a file. author: Jakob Weinzettl, oscd.community date: 2019/10/23 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md logsource: product: linux service: auditd 
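Review bot: The reworded falsepositives entry in the lnx_chattr_immutable_removal.yml hunk, `(e.g. for instance backups)`, says the same thing twice; `- Administrator interacting with immutable files (e.g. backups).` reads cleaner. The rest of that hunk (description punctuation, reference URL, trailing newline) is fine.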
@@ -18,10 +18,10 @@ detection: - 'if=/dev/zero' condition: selection falsepositives: - - Appending null bytes to files - - Legitimate overwrite of files + - Appending null bytes to files. + - Legitimate overwrite of files. level: low tags: - attack.impact - - attack.t1485 \ No newline at end of file + - attack.t1485 diff --git a/rules/linux/lnx_file_or_folder_permissions.yml b/rules/linux/lnx_file_or_folder_permissions.yml index 0e806a84c..07818316f 100644 --- a/rules/linux/lnx_file_or_folder_permissions.yml +++ b/rules/linux/lnx_file_or_folder_permissions.yml @@ -1,11 +1,11 @@ title: File or Folder Permissions Change id: 74c01ace-0152-4094-8ae2-6fd776dd43e5 status: experimental -description: Detects file and folder permission changes +description: Detects file and folder permission changes. author: Jakob Weinzettl, oscd.community date: 2019/09/23 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md logsource: product: linux service: auditd @@ -17,8 +17,8 @@ detection: - 'chown' condition: selection falsepositives: - - User interacting with files permissions (normal/daily behaviour) + - User interacting with files permissions (normal/daily behaviour). level: low tags: - attack.defense_evasion - - attack.t1222.002 \ No newline at end of file + - attack.t1222.002 diff --git a/rules/linux/lnx_pers_systemd_reload.yml b/rules/linux/lnx_pers_systemd_reload.yml index 69881a029..3050725a2 100644 --- a/rules/linux/lnx_pers_systemd_reload.yml +++ b/rules/linux/lnx_pers_systemd_reload.yml 
@@ -1,12 +1,12 @@ title: Systemd Service Reload or Start id: 2625cc59-0634-40d0-821e-cb67382a3dd7 status: experimental -description: Detects a reload or a start of a service +description: Detects a reload or a start of a service. author: Jakob Weinzettl, oscd.community date: 2019/09/23 references: - https://attack.mitre.org/techniques/T1543/002/ - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md logsource: product: linux service: auditd @@ -19,9 +19,9 @@ detection: - 'start' condition: selection falsepositives: - - Installation of legitimate service - - Legitimate reconfiguration of service + - Installation of legitimate service. + - Legitimate reconfiguration of service. level: low tags: - attack.persistence - - attack.t1543.002 \ No newline at end of file + - attack.t1543.002 diff --git a/rules/linux/lnx_shell_clear_cmd_history.yml b/rules/linux/lnx_shell_clear_cmd_history.yml index 0249d6134..b8679b8e4 100644 --- a/rules/linux/lnx_shell_clear_cmd_history.yml +++ b/rules/linux/lnx_shell_clear_cmd_history.yml @@ -13,7 +13,7 @@ author: Patrick Bareiss date: 2019/03/24 modified: 2020/07/13 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md - https://attack.mitre.org/techniques/T1070/003/ - https://www.hackers-arise.com/single-post/2016/06/20/Covering-your-BASH-Shell-Tracks-AntiForensics logsource: diff --git a/rules/windows/builtin/win_mal_service_installs.yml b/rules/windows/builtin/win_mal_service_installs.yml index 5e9adf31e..491926aee 100644 --- a/rules/windows/builtin/win_mal_service_installs.yml +++ b/rules/windows/builtin/win_mal_service_installs.yml 
@@ -1,9 +1,13 @@ title: Malicious Service Installations id: 2cfe636e-317a-4bee-9f2c-1066d9f54d1a -description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping and other suspicious activity +description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities. author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update) date: 2017/03/27 -modified: 2021/05/27 +modified: 2021/07/06 +references: + - https://awakesecurity.com/blog/threat-hunting-for-paexec/ + - https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html + - https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf tags: - attack.persistence - attack.privilege_escalation @@ -18,13 +22,17 @@ logsource: service: system detection: selection: - EventID: 7045 + EventID: + - 4697 + - 7045 malsvc_paexec: ServiceFileName|contains: '\PAExec' malsvc_wannacry: ServiceName: 'mssecsvc2.0' malsvc_persistence: ServiceFileName|contains: 'net user' + malsvc_apt29: + ServiceName: 'javamtsup' condition: selection and 1 of malsvc_* falsepositives: - Penetration testing diff --git a/rules/windows/builtin/win_smb_file_creation_admin_shares.yml b/rules/windows/builtin/win_smb_file_creation_admin_shares.yml index ad5a06218..0569c9822 100644 --- a/rules/windows/builtin/win_smb_file_creation_admin_shares.yml +++ b/rules/windows/builtin/win_smb_file_creation_admin_shares.yml @@ -9,7 +9,7 @@ tags: - attack.t1021.002 references: - https://github.com/OTRF/ThreatHunter-Playbook/blob/master/playbooks/WIN-201012004336.yaml - - https://mordordatasets.com/notebooks/small/windows/08_lateral_movement/SDWIN-200806015757.html?highlight=create%20file + - https://securitydatasets.com/notebooks/small/windows/08_lateral_movement/SDWIN-200806015757.html?highlight=create%20file logsource: product: windows service: security 
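Review bot: Event ID 4697 is written to the Security log, while this rule's logsource (context line `service: system`) selects the System log, so the added `- 4697` entry cannot match anything there; 7045 is the only one of the two the Service Control Manager emits to System. Since 4697 needs `service: security`, either add a second YAML document with its own logsource (win_defender_disabled.yml in this same commit shows the multi-document form) or put it in a separate rule. The `malsvc_*` selections key on `ServiceFileName`, which is the 4697 field name, whereas 7045 carries the binary path as `ImagePath` in its event data; whether both resolve to `ServiceFileName` depends on the backend field mapping, so confirm that before relying on either ID. The added `malsvc_apt29` exact match on `ServiceName: 'javamtsup'` looks fine.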
@@ -23,4 +23,4 @@ detection: condition: selection and not filter falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/rules/windows/builtin/win_susp_failed_guest_logon.yml b/rules/windows/builtin/win_susp_failed_guest_logon.yml index 938be568e..0d7657d52 100644 --- a/rules/windows/builtin/win_susp_failed_guest_logon.yml +++ b/rules/windows/builtin/win_susp_failed_guest_logon.yml @@ -1,6 +1,6 @@ title: Suspicious Rejected SMB Guest Logon From IP id: 71886b70-d7b4-4dbf-acce-87d2ca135262 -description: +description: Detect Attempt PrintNightmare (CVE-2021-1675) Remote code execution in Windows Spooler Service author: Florian Roth, KevTheHermit, fuzzyf10w status: experimental level: medium @@ -9,6 +9,7 @@ references: - https://github.com/hhlxf/PrintNightmare - https://github.com/afwu/PrintNightmare date: 2021/06/30 +modified: 2021/07/05 logsource: product: windows service: smbclient-security diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml index 17114308a..5f7fb4bc1 100644 --- a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml +++ b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml @@ -1,8 +1,9 @@ title: Valid Users Failing to Authenticate From Single Source Using Kerberos id: 5d1d946e-32e6-4d9a-a0dc-0ac022c7eb98 description: Detects multiple failed logins with multiple valid domain accounts from a single source system using the Kerberos protocol. -author: Mauricio Velazco +author: Mauricio Velazco, frack113 date: 2021/06/01 +modified: 2021/07/06 references: - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying tags: 
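Review bot: The new description in win_susp_failed_guest_logon.yml, `Detect Attempt PrintNightmare (CVE-2021-1675) Remote code execution in Windows Spooler Service`, is ungrammatical and describes the vulnerability rather than what the rule matches: per the title and the `smbclient-security` logsource it fires on a rejected SMB guest logon from a remote IP. Suggest `description: Detects a rejected SMB guest logon from a remote IP address, as observed during PrintNightmare (CVE-2021-1675) exploitation attempts against the Print Spooler service`; the link between the logon and the exploit is inferred from the rule's references and should be confirmed by the author. The detection section of that rule lies outside the hunk.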
@@ -14,13 +15,13 @@ logsource: service: security detection: selection: - EventID: '4771' - Failure_Code: '0x18' - filter: - Account_Name: '*$' + EventID: 4771 + Status: '0x18' + filter_computer: + TargetUserName|endswith: '$' timeframe: 24h condition: - - selection and not filter | count(Account_Name) by Client_Address > 10 + - selection and not filter_computer | count(TargetUserName) by IpAddress > 10 falsepositives: - Vulnerability scanners - Missconfigured systems diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos2.yml b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos2.yml index 7da50919a..480663d1c 100644 --- a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos2.yml +++ b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos2.yml @@ -1,8 +1,9 @@ title: Disabled Users Failing To Authenticate From Source Using Kerberos id: 4b6fe998-b69c-46d8-901b-13677c9fb663 description: Detects failed logins with multiple disabled domain accounts from a single source system using the Kerberos protocol. -author: Mauricio Velazco +author: Mauricio Velazco, frack113 date: 2021/06/01 +modified: 2021/07/06 references: - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying tags: @@ -14,13 +15,13 @@ logsource: service: security detection: selection: - EventID: '4768' - Result_Code: '0x12' - filter: - Account_Name: '*$' + EventID: 4768 + Status: '0x12' + filter_computer: + TargetUserName|endswith: '$' timeframe: 24h condition: - - selection and not filter | count(Account_Name) by Client_Address > 10 + - selection and not filter_computer | count(TargetUserName) by IpAddress > 10 falsepositives: - Vulnerability scanners - Missconfigured systems diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos3.yml b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos3.yml index 514ec94fd..8bc4d8b84 100644 
--- a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos3.yml +++ b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos3.yml @@ -1,8 +1,9 @@ title: Invalid Users Failing To Authenticate From Source Using Kerberos id: bc93dfe6-8242-411e-a2dd-d16fa0cc8564 description: Detects failed logins with multiple invalid domain accounts from a single source system using the Kerberos protocol. -author: Mauricio Velazco +author: Mauricio Velazco, frack113 date: 2021/06/01 +modified: 2021/07/06 references: - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying tags: @@ -14,13 +15,13 @@ logsource: service: security detection: selection: - EventID: '4768' - Result_Code: '0x6' - filter: - Account_Name: '*$' + EventID: 4768 + Status: '0x6' + filter_computer: + TargetUserName|endswith: '$' timeframe: 24h condition: - - selection and not filter | count(Account_Name) by Client_Address > 10 + - selection and not filter_computer | count(TargetUserName) by IpAddress > 10 falsepositives: - Vulnerability scanners - Missconfigured systems diff --git a/rules/windows/builtin/win_susp_sdelete.yml b/rules/windows/builtin/win_susp_sdelete.yml index 558a109e1..081c8d15c 100644 --- a/rules/windows/builtin/win_susp_sdelete.yml +++ b/rules/windows/builtin/win_susp_sdelete.yml 
@@ -1,14 +1,14 @@ title: Secure Deletion with SDelete id: 39a80702-d7ca-4a83-b776-525b1f86a36d status: experimental -description: Detects renaming of file while deletion with SDelete tool +description: Detects renaming of file while deletion with SDelete tool. author: Thomas Patzke date: 2017/06/14 modified: 2020/08/2 references: - - https://jpcertcc.github.io/ToolAnalysisResultSheet + - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm - https://www.jpcert.or.jp/english/pub/sr/ir_research.html - - https://technet.microsoft.com/en-us/en-en/sysinternals/sdelete.aspx + - https://docs.microsoft.com/en-gb/sysinternals/downloads/sdelete tags: - attack.impact - attack.defense_evasion @@ -33,5 +33,5 @@ detection: - '.ZZZ' condition: selection falsepositives: - - Legitime usage of SDelete + - Legitimate usage of SDelete level: medium diff --git a/rules/windows/file_event/sysmon_susp_pfx_file_creation.yml b/rules/windows/file_event/sysmon_susp_pfx_file_creation.yml index e9e962736..8c010b15d 100644 --- a/rules/windows/file_event/sysmon_susp_pfx_file_creation.yml +++ b/rules/windows/file_event/sysmon_susp_pfx_file_creation.yml @@ -1,6 +1,6 @@ title: Suspicious PFX File Creation id: dca1b3e8-e043-4ec8-85d7-867f334b5724 -description: A General detection for processes creating PFX files. This could be an inidicator of an adversary exporting a local certificate to a pfx file. +description: A general detection for processes creating PFX files. This could be an indicator of an adversary exporting a local certificate to a PFX file. status: experimental date: 2020/05/02 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) @@ -18,5 +18,5 @@ detection: TargetFilename|endswith: '.pfx' condition: selection falsepositives: - - unknown -level: medium \ No newline at end of file + - System administrators managing certififcates. +level: medium 
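Review bot: The new falsepositives entry at the end of the sysmon_susp_pfx_file_creation.yml hunk misspells its key word, `certififcates`; it should read `- System administrators managing certificates.` The first hunk of the same file corrects `inidicator` to `indicator`, so this looks like a slip in the same pass.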
diff --git a/rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml b/rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml index 92db1c231..ae9420ad8 100644 --- a/rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml +++ b/rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml @@ -9,7 +9,7 @@ tags: - attack.collection - attack.t1056.002 references: - - https://mordordatasets.com/notebooks/small/windows/06_credential_access/SDWIN-201020013208.html + - https://securitydatasets.com/notebooks/small/windows/06_credential_access/SDWIN-201020013208.html - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password - https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa logsource: @@ -26,4 +26,4 @@ detection: condition: selection falsepositives: - other legitimate processes loading those DLLs in your environment. -level: medium \ No newline at end of file +level: medium diff --git a/rules/windows/image_load/sysmon_wmic_remote_xsl_scripting_dlls.yml b/rules/windows/image_load/sysmon_wmic_remote_xsl_scripting_dlls.yml index 91d711f5c..b3020349e 100644 --- a/rules/windows/image_load/sysmon_wmic_remote_xsl_scripting_dlls.yml +++ b/rules/windows/image_load/sysmon_wmic_remote_xsl_scripting_dlls.yml @@ -8,7 +8,7 @@ tags: - attack.defense_evasion - attack.t1220 references: - - https://mordordatasets.com/notebooks/small/windows/05_defense_evasion/SDWIN-201017061100.html + - https://securitydatasets.com/notebooks/small/windows/05_defense_evasion/SDWIN-201017061100.html - https://twitter.com/dez_/status/986614411711442944 - https://lolbas-project.github.io/lolbas/Binaries/Wmic/ logsource: @@ -23,4 +23,4 @@ detection: condition: selection falsepositives: - Apparently, wmic os get lastboottuptime loads vbscript.dll -level: high \ No newline at end of file +level: high 
diff --git a/rules/windows/other/win_defender_disabled.yml b/rules/windows/other/win_defender_disabled.yml index 6b0a4d4e3..0dfd079c7 100644 --- a/rules/windows/other/win_defender_disabled.yml +++ b/rules/windows/other/win_defender_disabled.yml @@ -3,7 +3,7 @@ title: Windows Defender Threat Detection Disabled id: fe34868f-6e0e-4882-81f6-c43aa8f15b62 description: Detects disabling Windows Defender threat protection date: 2020/07/28 -modified: 2021/06/07 +modified: 2021/07/05 author: Ján Trenčanský, frack113 references: - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus @@ -44,3 +44,12 @@ detection: TargetObject: 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware' Details: 'DWORD (0x00000001)' condition: tamper_registry +--- +logsource: + product: windows + category: system +detection: + selection3: + EventID: 7036 + Message: 'The Windows Defender Antivirus Service service entered the stopped state' + condition: selection3 \ No newline at end of file diff --git a/rules/windows/other/win_defender_tamper_protection_trigger.yml b/rules/windows/other/win_defender_tamper_protection_trigger.yml new file mode 100644 index 000000000..0eeb90cc1 --- /dev/null +++ b/rules/windows/other/win_defender_tamper_protection_trigger.yml 
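Review bot: The new YAML document at the end of the win_defender_disabled.yml hunk declares its logsource as `category: system`, but the System event log is addressed in Sigma as `service: system` (win_mal_service_installs.yml in this same commit uses that form), so as written the 7036 selection does not map to the System channel. Matching the full rendered `Message` is also fragile: it is locale-dependent, and an exact comparison misses if the stored text carries the trailing period of the real event text; the 7036 event exposes the service name and state as separate event-data fields, so `param1: 'Windows Defender Antivirus Service'` and `param2: 'stopped'` would match the same event without depending on rendering — verify the backend exposes those field names. The new document also ends without a trailing newline, which other hunks in this commit are fixing.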
@@ -0,0 +1,26 @@ +title: Microsoft Defender Tamper Protection Trigger +id: 49e5bc24-8b86-49f1-b743-535f332c2856 +description: Detects block of attempt to disable real time protection of Microsoft Defender by tamper protection +date: 2021/07/05 +author: Bhabesh Raj +references: + - https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection +status: stable +tags: + - attack.defense_evasion + - attack.t1089 # an old one + - attack.t1562.001 +falsepositives: + - Administrator actions +level: critical +logsource: + product: windows + service: windefend +detection: + selection: + EventID: + - 5013 + Value|endswith: + - '\Windows Defender\DisableAntiSpyware = 0x1()' + - '\Real-Time Protection\DisableRealtimeMonitoring = (Current)' + condition: selection \ No newline at end of file diff --git a/rules/windows/powershell/powershell_data_compressed.yml b/rules/windows/powershell/powershell_data_compressed.yml index 8a5127487..fd9bd0ae9 100644 --- a/rules/windows/powershell/powershell_data_compressed.yml +++ b/rules/windows/powershell/powershell_data_compressed.yml @@ -1,11 +1,11 @@ -title: Data Compressed - Powershell +title: Data Compressed - PowerShell id: 6dc5d284-69ea-42cf-9311-fb1c3932a69a status: experimental -description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network +description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. author: Timur Zinniatullin, oscd.community date: 2019/10/21 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md logsource: product: windows service: powershell 
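Review bot: `status: stable` on a brand-new rule breaks with the repository practice of landing new rules as `experimental` (powershell_renamed_powershell.yml in this commit does so), and `level: critical` paired with a falsepositives entry of plain `Administrator actions` may page on routine admin activity; `status: experimental` and `level: high` would be the conservative start. The description speaks only of real-time protection, but the first `Value|endswith` entry matches `DisableAntiSpyware`, so it should mention both settings, e.g. `description: Detects Microsoft Defender tamper protection blocking an attempt to disable antispyware or real-time protection`. The one-item `EventID:` list can be the scalar `EventID: 5013`, and the file ends without a trailing newline while other hunks in this commit fix exactly that.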
@@ -19,7 +19,7 @@ detection: - 'Compress-Archive' condition: selection falsepositives: - - highly likely if archive ops are done via PS + - Highly likely if archive operations are done via PowerShell. level: low tags: - attack.exfiltration diff --git a/rules/windows/powershell/powershell_renamed_powershell.yml b/rules/windows/powershell/powershell_renamed_powershell.yml new file mode 100644 index 000000000..e1b909104 --- /dev/null +++ b/rules/windows/powershell/powershell_renamed_powershell.yml @@ -0,0 +1,26 @@ +title: Renamed Powershell +id: 30a8cb77-8eb3-4cfb-8e79-ad457c5a4592 +description: Detects renamed powershell +status: experimental +references: + - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse +author: Harish Segar, frack113 +date: 2020/06/29 +modified: 2021/07/04 +tags: + - attack.execution + - attack.t1086 +logsource: + product: windows + service: powershell-classic +detection: + selection: + EventID: 400 + HostName: "ConsoleHost" + filter: + HostApplication|startswith: + - "powershell" + condition: selection and not filter +falsepositives: + - unknown +level: low \ No newline at end of file diff --git a/rules/windows/powershell/powershell_winlogon_helper_dll.yml b/rules/windows/powershell/powershell_winlogon_helper_dll.yml index 9555ba0d5..026d82402 100644 --- a/rules/windows/powershell/powershell_winlogon_helper_dll.yml +++ b/rules/windows/powershell/powershell_winlogon_helper_dll.yml @@ -6,7 +6,7 @@ author: Timur Zinniatullin, oscd.community date: 2019/10/21 modified: 2020/12/01 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1004/T1004.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md logsource: product: windows service: powershell diff --git a/rules/windows/process_creation/win_apt_revil_kaseya.yml b/rules/windows/process_creation/win_apt_revil_kaseya.yml index 2ab3055a0..b3f6cab3a 100644 
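Review bot: The `filter` in the new powershell_renamed_powershell.yml rule, `HostApplication|startswith: "powershell"`, only excludes hosts launched by bare name; `HostApplication` in event 400 reflects the host's command line as invoked, so a legitimate launch by full path (`C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ...`) does not start with `powershell` and would be reported as a renamed binary — confirm against your own 400 events. `HostApplication|contains: "powershell"` covers either invocation and matches the stated intent; with a single value the list can also become a scalar. `attack.t1086` is a retired technique ID; following the convention used elsewhere in this commit, add `- attack.t1059.001` and mark `- attack.t1086 # an old one`. The file also ends without a trailing newline, which other hunks here are fixing.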
--- a/rules/windows/process_creation/win_apt_revil_kaseya.yml +++ b/rules/windows/process_creation/win_apt_revil_kaseya.yml @@ -7,8 +7,10 @@ references: - https://www.joesandbox.com/analysis/443736/0/html - https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b - https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/ + - https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/ author: Florian Roth date: 2021/07/03 +modified: 2021/07/05 tags: - attack.execution - attack.g0115 @@ -23,11 +25,20 @@ detection: - 'del /q /f c:\kworking\agent.crt' - 'Kaseya VSA Agent Hot-fix' - '\AppData\Local\Temp\MsMpEng.exe' + - 'rmdir /s /q %SystemDrive%\inetpub\logs' + - 'del /s /q /f %SystemDrive%\\*.log' + - 'c:\kworking1\agent.exe' + - 'c:\kworking1\agent.crt' selection2: Image: - 'C:\Windows\MsMpEng.exe' - 'C:\Windows\cert.exe' - 'C:\kworking\agent.exe' + - 'C:\kworking1\agent.exe' + selection3: + CommandLine|contains|all: + - 'del /s /q /f' + - 'WebPages\Errors\webErrorLog.txt' condition: selection1 and selection2 falsepositives: - Unknown diff --git a/rules/windows/process_creation/win_bootconf_mod.yml b/rules/windows/process_creation/win_bootconf_mod.yml index 2b54eecd1..54238917e 100644 --- a/rules/windows/process_creation/win_bootconf_mod.yml +++ b/rules/windows/process_creation/win_bootconf_mod.yml @@ -7,7 +7,7 @@ author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.comm date: 2019/10/24 modified: 2019/11/11 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md - https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html tags: - attack.impact 
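Review bot: The new `selection3` block (the `del /s /q /f` + `WebPages\Errors\webErrorLog.txt` pair) is never referenced: the condition on the context line below it is still `selection1 and selection2`, so those two strings can never contribute to a match. Either extend the condition, e.g. `condition: (selection1 and selection2) or selection3`, or fold the webErrorLog string into `selection1`'s list, depending on whether it is meant to fire on its own. Separately, under Sigma escaping `\\*` in `'del /s /q /f %SystemDrive%\\*.log'` is a literal backslash followed by a wildcard, so it also matches any `%SystemDrive%\<name>.log`; if only the literal `\*.log` is intended, `\\\*.log` is the escaped form — worth checking against the Sigma specification before changing.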
diff --git a/rules/windows/process_creation/win_change_default_file_association.yml b/rules/windows/process_creation/win_change_default_file_association.yml index f832f07c9..06ca7b033 100644 --- a/rules/windows/process_creation/win_change_default_file_association.yml +++ b/rules/windows/process_creation/win_change_default_file_association.yml @@ -6,7 +6,7 @@ author: Timur Zinniatullin, oscd.community date: 2019/10/21 modified: 2019/11/04 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1042/T1042.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/win_data_compressed_with_rar.yml b/rules/windows/process_creation/win_data_compressed_with_rar.yml index 01367c2fb..344b670c5 100644 --- a/rules/windows/process_creation/win_data_compressed_with_rar.yml +++ b/rules/windows/process_creation/win_data_compressed_with_rar.yml @@ -1,12 +1,12 @@ title: Data Compressed - rar.exe id: 6f3e2987-db24-4c78-a860-b4f4095a7095 status: experimental -description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network +description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. author: Timur Zinniatullin, E.M. Anhaus, oscd.community date: 2019/10/21 modified: 2020/08/29 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md - https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html logsource: category: process_creation 
@@ -25,7 +25,7 @@ fields: - ParentProcessGuid - ParentCommandLine falsepositives: - - highly likely if rar is default archiver in the monitored environment + - Highly likely if rar is a default archiver in the monitored environment. level: low tags: - attack.exfiltration # an old one diff --git a/rules/windows/process_creation/win_dsquery_domain_trust_discovery.yml b/rules/windows/process_creation/win_dsquery_domain_trust_discovery.yml index a59cb6d6a..c171175c8 100644 --- a/rules/windows/process_creation/win_dsquery_domain_trust_discovery.yml +++ b/rules/windows/process_creation/win_dsquery_domain_trust_discovery.yml @@ -1,9 +1,9 @@ title: Domain Trust Discovery id: 77815820-246c-47b8-9741-e0def3f57308 status: experimental -description: Detects a discovery of domain trusts +description: Detects a discovery of domain trusts. references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md author: Jakob Weinzettl, oscd.community date: 2019/10/23 modified: 2019/11/08 @@ -23,5 +23,5 @@ detection: CommandLine|contains: 'domain_trusts' condition: selection falsepositives: - - Administration of systems + - Administration of systems. level: medium diff --git a/rules/windows/process_creation/win_file_permission_modifications.yml b/rules/windows/process_creation/win_file_permission_modifications.yml index 32264a065..345cb8d01 100644 --- a/rules/windows/process_creation/win_file_permission_modifications.yml +++ b/rules/windows/process_creation/win_file_permission_modifications.yml 
@@ -1,15 +1,16 @@ title: File or Folder Permissions Modifications id: 37ae075c-271b-459b-8d7b-55ad5f993dd8 status: experimental -description: Detects a file or folder permissions modifications +description: Detects a file or folder's permissions being modified. references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md author: Jakob Weinzettl, oscd.community date: 2019/10/23 modified: 2019/11/08 tags: - attack.defense_evasion - - attack.t1222 + - attack.t1222.001 + - attack.t1222 # an old one logsource: category: process_creation product: windows @@ -28,5 +29,5 @@ fields: - User - CommandLine falsepositives: - - Users interacting with the files on their own (unlikely unless power users) + - Users interacting with the files on their own (unlikely unless privileged users). level: medium diff --git a/rules/windows/process_creation/win_hh_chm.yml b/rules/windows/process_creation/win_hh_chm.yml index 62b856326..90bb35a1a 100644 --- a/rules/windows/process_creation/win_hh_chm.yml +++ b/rules/windows/process_creation/win_hh_chm.yml @@ -4,7 +4,7 @@ description: Identifies usage of hh.exe executing recently modified .chm files. status: experimental author: E.M. Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.community references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1223/T1223.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md - https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html date: 2019/10/24 modified: 2019/11/11 diff --git a/rules/windows/process_creation/win_indirect_cmd.yml b/rules/windows/process_creation/win_indirect_cmd.yml index 1fcadb91c..21fce0555 100644 --- a/rules/windows/process_creation/win_indirect_cmd.yml +++ b/rules/windows/process_creation/win_indirect_cmd.yml 
@@ -1,10 +1,10 @@ title: Indirect Command Execution id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02 -description: Detect indirect command execution via Program Compatibility Assistant pcalua.exe or forfiles.exe +description: Detect indirect command execution via Program Compatibility Assistant (pcalua.exe or forfiles.exe). status: experimental author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md - https://eqllib.readthedocs.io/en/latest/analytics/884a7ccd-7305-4130-82d0-d4f90bc118b6.html date: 2019/10/24 modified: 2019/11/11 @@ -26,6 +26,6 @@ fields: - ParentCommandLine - CommandLine falsepositives: - - Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts - - Legit usage of scripts + - Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts. + - Legitimate usage of scripts. level: low diff --git a/rules/windows/process_creation/win_interactive_at.yml b/rules/windows/process_creation/win_interactive_at.yml index 8f93d2da0..9dde4c688 100644 --- a/rules/windows/process_creation/win_interactive_at.yml +++ b/rules/windows/process_creation/win_interactive_at.yml 
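Review bot: The rewritten description now reads as if both pcalua.exe and forfiles.exe are the Program Compatibility Assistant, but only pcalua.exe is the PCA launcher; forfiles.exe is an unrelated file-iteration utility that merely also allows indirect command execution. Suggest `description: Detect indirect command execution via Program Compatibility Assistant (pcalua.exe) or forfiles.exe.` so the added period does not come at the cost of accuracy.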
@@ -1,10 +1,10 @@ title: Interactive AT Job id: 60fc936d-2eb0-4543-8a13-911c750a1dfc -description: Detect an interactive AT job, which may be used as a form of privilege escalation +description: Detect an interactive AT job, which may be used as a form of privilege escalation. status: experimental author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md - https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html date: 2019/10/24 modified: 2019/11/11 diff --git a/rules/windows/process_creation/win_local_system_owner_account_discovery.yml b/rules/windows/process_creation/win_local_system_owner_account_discovery.yml index 9e3288eff..8fc72c85f 100644 --- a/rules/windows/process_creation/win_local_system_owner_account_discovery.yml +++ b/rules/windows/process_creation/win_local_system_owner_account_discovery.yml @@ -6,7 +6,7 @@ author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community date: 2019/10/21 modified: 2020/09/01 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md logsource: category: process_creation product: windows @@ -46,7 +46,7 @@ detection: - '/scriptpath' # discovery only - '/times' # discovery only - '/workstations' # discovery only - condition: (selection_1 and not filter_1) or ( selection_2 and not filter_2) + condition: (selection_1 and not filter_1) or (selection_2 and not filter_2) fields: - Image - CommandLine diff --git a/rules/windows/process_creation/win_lsass_dump.yml b/rules/windows/process_creation/win_lsass_dump.yml index 090c43bbd..a564d536d 100644 --- a/rules/windows/process_creation/win_lsass_dump.yml 
+++ b/rules/windows/process_creation/win_lsass_dump.yml @@ -8,7 +8,7 @@ modified: 2019/11/11 references: - https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html - https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md tags: - attack.credential_access - attack.t1003.001 diff --git a/rules/windows/process_creation/win_mshta_javascript.yml b/rules/windows/process_creation/win_mshta_javascript.yml index 1b2f0a940..5f7818614 100644 --- a/rules/windows/process_creation/win_mshta_javascript.yml +++ b/rules/windows/process_creation/win_mshta_javascript.yml @@ -1,13 +1,13 @@ title: Mshta JavaScript Execution id: 67f113fa-e23d-4271-befa-30113b3e08b1 -description: Identifies suspicious mshta.exe commands +description: Identifies suspicious mshta.exe commands. status: experimental author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community date: 2019/10/24 modified: 2020/09/01 references: - https://eqllib.readthedocs.io/en/latest/analytics/6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4.html - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1170/T1170.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md tags: - attack.defense_evasion - attack.t1170 # an old one diff --git a/rules/windows/process_creation/win_net_enum.yml b/rules/windows/process_creation/win_net_enum.yml index 7cc356863..a2b549207 100644 --- a/rules/windows/process_creation/win_net_enum.yml +++ b/rules/windows/process_creation/win_net_enum.yml 
@@ -4,7 +4,7 @@ status: stable description: Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool. references: - https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md author: Endgame, JHasenbusch (ported for oscd.community) date: 2018/10/30 modified: 2019/11/11 diff --git a/rules/windows/process_creation/win_net_user_add.yml b/rules/windows/process_creation/win_net_user_add.yml index 4b06ac1a9..66e14aefd 100644 --- a/rules/windows/process_creation/win_net_user_add.yml +++ b/rules/windows/process_creation/win_net_user_add.yml @@ -1,11 +1,11 @@ title: Net.exe User Account Creation id: cd219ff3-fa99-45d4-8380-a7d15116c6dc status: experimental -description: Identifies creation of local users via the net.exe command +description: Identifies creation of local users via the net.exe command. references: - https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.yaml -author: Endgame, JHasenbusch (adapted to sigma for oscd.community) + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md +author: Endgame, JHasenbusch (adapted to Sigma for oscd.community) date: 2018/10/30 modified: 2020/09/01 tags: @@ -29,6 +29,6 @@ fields: - User - CommandLine falsepositives: - - Legit user creation - - Better use event ids for user creation rather than command line rules + - Legitimate user creation. + - Better use event IDs for user creation rather than command line rules. level: medium diff --git a/rules/windows/process_creation/win_network_sniffing.yml b/rules/windows/process_creation/win_network_sniffing.yml index 94abda394..b4f7ebce4 100644 
--- a/rules/windows/process_creation/win_network_sniffing.yml +++ b/rules/windows/process_creation/win_network_sniffing.yml @@ -7,7 +7,7 @@ author: Timur Zinniatullin, oscd.community date: 2019/10/21 modified: 2019/11/04 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/win_new_service_creation.yml b/rules/windows/process_creation/win_new_service_creation.yml index 36bada36d..aeb35f836 100644 --- a/rules/windows/process_creation/win_new_service_creation.yml +++ b/rules/windows/process_creation/win_new_service_creation.yml @@ -1,7 +1,7 @@ title: New Service Creation id: 7fe71fc9-de3b-432a-8d57-8c809efc10ab status: experimental -description: Detects creation of a new service +description: Detects creation of a new service. author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community date: 2019/10/21 modified: 2019/11/04 @@ -11,7 +11,7 @@ tags: - attack.t1050 # an old one - attack.t1543.003 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1050/T1050.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md logsource: category: process_creation product: windows @@ -25,5 +25,5 @@ detection: CommandLine|contains: 'new-service' condition: selection falsepositives: - - Legitimate administrator or user creates a service for legitimate reason + - Legitimate administrator or user creates a service for legitimate reasons. level: low diff --git a/rules/windows/process_creation/win_powershell_audio_capture.yml b/rules/windows/process_creation/win_powershell_audio_capture.yml index a349defdf..4d5a7beba 100644 --- a/rules/windows/process_creation/win_powershell_audio_capture.yml +++ b/rules/windows/process_creation/win_powershell_audio_capture.yml 
@@ -1,12 +1,12 @@ title: Audio Capture via PowerShell id: 932fb0d8-692b-4b0f-a26e-5643a50fe7d6 -description: Detects audio capture via PowerShell Cmdlet +description: Detects audio capture via PowerShell Cmdlet. status: experimental author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community date: 2019/10/24 modified: 2019/11/11 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md - https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html tags: - attack.collection @@ -16,7 +16,7 @@ detection: CommandLine|contains: 'WindowsAudioDevice-Powershell-Cmdlet' condition: selection falsepositives: - - Legitimate audio capture by legitimate user + - Legitimate audio capture by legitimate user. level: medium logsource: category: process_creation diff --git a/rules/windows/process_creation/win_purplesharp_indicators.yml b/rules/windows/process_creation/win_purplesharp_indicators.yml index 503b7a656..29ae7a7ad 100644 --- a/rules/windows/process_creation/win_purplesharp_indicators.yml +++ b/rules/windows/process_creation/win_purplesharp_indicators.yml @@ -4,6 +4,7 @@ status: experimental description: Detect author: Florian Roth date: 2021/06/18 +modified: 2021/07/06 references: - https://github.com/mvelazc0/PurpleSharp logsource: @@ -15,7 +16,7 @@ detection: - xyz123456.exe - PurpleSharp selection2: - OriginalFilename: + OriginalFileName: - 'PurpleSharp.exe' condition: selection1 or selection2 falsepositives: diff --git a/rules/windows/process_creation/win_query_registry.yml b/rules/windows/process_creation/win_query_registry.yml index 5b6b48d5c..937c4dbc2 100644 --- a/rules/windows/process_creation/win_query_registry.yml +++ b/rules/windows/process_creation/win_query_registry.yml 
@@ -6,7 +6,7 @@ author: Timur Zinniatullin, oscd.community date: 2019/10/21 modified: 2019/11/04 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/win_service_execution.yml b/rules/windows/process_creation/win_service_execution.yml index f0706ff78..f83b64bdd 100644 --- a/rules/windows/process_creation/win_service_execution.yml +++ b/rules/windows/process_creation/win_service_execution.yml @@ -1,12 +1,12 @@ title: Service Execution id: 2a072a96-a086-49fa-bcb5-15cc5a619093 status: experimental -description: Detects manual service execution (start) via system utilities +description: Detects manual service execution (start) via system utilities. author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community date: 2019/10/21 modified: 2019/11/04 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1035/T1035.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md logsource: category: process_creation product: windows @@ -18,7 +18,7 @@ detection: CommandLine|contains: ' start ' # space character after the 'start' keyword indicates that a service name follows, in contrast to `net start` discovery expression condition: selection falsepositives: - - Legitimate administrator or user executes a service for legitimate reason + - Legitimate administrator or user executes a service for legitimate reasons. level: low tags: - attack.execution diff --git a/rules/windows/process_creation/win_soundrec_audio_capture.yml b/rules/windows/process_creation/win_soundrec_audio_capture.yml index 35358d12e..bf6f35df8 100644 --- a/rules/windows/process_creation/win_soundrec_audio_capture.yml +++ b/rules/windows/process_creation/win_soundrec_audio_capture.yml 
@@ -1,12 +1,12 @@ title: Audio Capture via SoundRecorder id: 83865853-59aa-449e-9600-74b9d89a6d6e -description: Detect attacker collecting audio via SoundRecorder application +description: Detect attacker collecting audio via SoundRecorder application. status: experimental author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community date: 2019/10/24 modified: 2019/11/11 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md - https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html tags: - attack.collection @@ -20,5 +20,5 @@ detection: CommandLine|contains: '/FILE' condition: selection falsepositives: - - Legitimate audio capture by legitimate user + - Legitimate audio capture by legitimate user. level: medium diff --git a/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml b/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml index 810f8be98..16aa181f8 100644 --- a/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml +++ b/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml @@ -3,7 +3,7 @@ id: 24357373-078f-44ed-9ac4-6d334a668a11 description: Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe. status: experimental references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md tags: - attack.persistence - attack.t1547.001 
@@ -35,6 +35,6 @@ fields: - CommandLine - ParentCommandLine falsepositives: - - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason - - Legitimate administrator sets up autorun keys for legitimate reason + - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons. + - Legitimate administrator sets up autorun keys for legitimate reasons. level: medium diff --git a/rules/windows/process_creation/win_susp_eventlog_clear.yml b/rules/windows/process_creation/win_susp_eventlog_clear.yml index 70eb2a638..7046f941a 100644 --- a/rules/windows/process_creation/win_susp_eventlog_clear.yml +++ b/rules/windows/process_creation/win_susp_eventlog_clear.yml @@ -1,9 +1,9 @@ title: Suspicious Eventlog Clear or Configuration Using Wevtutil id: cc36992a-4671-4f21-a91d-6c2b72a2edf5 -description: Detects clearing or configuration of eventlogs uwing wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others) +description: Detects clearing or configuration of eventlogs using wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others). author: Ecco, Daniil Yugoslavskiy, oscd.community references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md - https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html date: 2019/09/26 modified: 2019/11/11 diff --git a/rules/windows/process_creation/win_susp_fsutil_usage.yml b/rules/windows/process_creation/win_susp_fsutil_usage.yml index e725a1971..1b76d1091 100644 --- a/rules/windows/process_creation/win_susp_fsutil_usage.yml +++ b/rules/windows/process_creation/win_susp_fsutil_usage.yml 
@@ -1,13 +1,13 @@ title: Fsutil Suspicious Invocation id: add64136-62e5-48ea-807e-88638d02df1e -description: Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size..). Might be used by ransomwares during the attack (seen by NotPetya and others) +description: Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc). Might be used by ransomwares during the attack (seen by NotPetya and others). author: Ecco, E.M. Anhaus, oscd.community date: 2019/09/26 modified: 2019/11/11 level: high references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md - https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html tags: - attack.defense_evasion diff --git a/rules/windows/process_creation/win_susp_renamed_paexec.yml b/rules/windows/process_creation/win_susp_renamed_paexec.yml index cc1d5f209..7c51c620a 100644 --- a/rules/windows/process_creation/win_susp_renamed_paexec.yml +++ b/rules/windows/process_creation/win_susp_renamed_paexec.yml @@ -6,6 +6,7 @@ references: - https://www.poweradmin.com/paexec/ author: Florian Roth date: 2021/05/22 +modified: 2021/07/06 logsource: category: process_creation product: windows @@ -13,7 +14,7 @@ detection: selection1: Description: 'PAExec Application' selection2: - OriginalFilename: 'PAExec.exe' + OriginalFileName: 'PAExec.exe' filter: Image|endswith: - '\PAexec.exe' diff --git a/rules/windows/process_creation/win_susp_service_path_modification.yml b/rules/windows/process_creation/win_susp_service_path_modification.yml index e04dd5d7c..c2a766bc1 100644 --- a/rules/windows/process_creation/win_susp_service_path_modification.yml +++ b/rules/windows/process_creation/win_susp_service_path_modification.yml 
@@ -1,9 +1,9 @@ title: Suspicious Service Path Modification id: 138d3531-8793-4f50-a2cd-f291b2863d78 -description: Detects service path modification to powershell/cmd +description: Detects service path modification to PowerShell or cmd. status: experimental references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1031/T1031.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md tags: - attack.persistence - attack.privilege_escalation diff --git a/rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml b/rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml index 529aff91d..50654354a 100644 --- a/rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml +++ b/rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml @@ -11,6 +11,7 @@ tags: - attack.defense_evasion author: Agro (@agro_sev), Ensar Şamil (@sblmsrsn), oscd.community date: 2020/10/14 +modified: 2021/07/06 logsource: category: process_creation product: windows @@ -18,9 +19,9 @@ detection: selection: ParentImage|endswith: '\vsjitdebugger.exe' reduction1: - ChildImage|endswith: '\vsimmersiveactivatehelper*.exe' + Image|endswith: '\vsimmersiveactivatehelper*.exe' reduction2: - ChildImage|endswith: '\devenv.exe' + Image|endswith: '\devenv.exe' condition: selection and not (reduction1 or reduction2) falsepositives: - the process spawned by vsjitdebugger.exe is uncommon. diff --git a/rules/windows/process_creation/win_xsl_script_processing.yml b/rules/windows/process_creation/win_xsl_script_processing.yml index a25ce1307..5b709c938 100644 --- a/rules/windows/process_creation/win_xsl_script_processing.yml +++ b/rules/windows/process_creation/win_xsl_script_processing.yml 
@@ -1,13 +1,13 @@ title: XSL Script Processing id: 05c36dd6-79d6-4a9a-97da-3db20298ab2d status: experimental -description: Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files, rule detects when adversaries - abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses +description: Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. Rule detects when adversaries + abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses. author: Timur Zinniatullin, oscd.community date: 2019/10/21 modified: 2019/11/04 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md logsource: category: process_creation product: windows @@ -18,8 +18,8 @@ detection: - Image|endswith: '\msxsl.exe' condition: selection falsepositives: - - WMIC.exe FP depend on scripts and administrative methods used in the monitored environment - - msxsl.exe is not installed by default so unlikely. + - WMIC.exe FP depend on scripts and administrative methods used in the monitored environment. + - msxsl.exe is not installed by default, so unlikely. level: medium tags: - attack.defense_evasion diff --git a/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml b/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml new file mode 100644 index 000000000..cb39ee540 --- /dev/null +++ b/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml 
@@ -0,0 +1,31 @@
+title: Printnightmare Mimimkatz Driver Name
+id: ba6b9e43-1d45-4d3c-a504-1043a64c8469
+status: experimental
+description: Detects static QMS 810 driver name used by Mimikatz
+references:
+ - https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760
+ - https://www.lexjansen.com/sesug/1993/SESUG93035.pdf
+ - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913
+author: Markus Neis, @markus_neis, Florian Roth
+tags:
+ - attack.execution
+ - cve.2021-1675
+ - cve.2021-34527
+date: 2021/07/04
+modified: 2021/07/05
+logsource:
+ product: windows
+ category: registry_event
+detection:
+ selection:
+ TargetObject|startswith:
+ -'HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\QMS 810\'
+ - 'HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\mimikatz'
+ selection_alt:
+ TargetObject|contains|all:
+ - 'legitprinter'
+ - '\Control\Print\Environments\Windows'
+ condition: selection or selection_alt
+falsepositives:
+ - Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer (unlikely)
+level: critical
\ No newline at end of file
diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py
index 855e8815d..4026b58e5 100644
--- a/tools/sigma/backends/elasticsearch.py
+++ b/tools/sigma/backends/elasticsearch.py
@@ -1171,7 +1171,7 @@ class ElastalertBackend(DeepFieldMappingMixin, MultiRuleOutputMixin):
 for parsed in sigmaparser.condparsed:
 #Static data
 rule_object = {
- "name": rulename + "_" + str(rule_number),
+ "name": rulename,
 "description": description,
 "index": index,
 "priority": self.convertLevel(level),
diff --git a/tools/sigma/backends/graylog.py b/tools/sigma/backends/graylog.py
index 615cca1b1..90f3ec725 100644
--- a/tools/sigma/backends/graylog.py
+++ b/tools/sigma/backends/graylog.py
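Review bot: The first value under `TargetObject|startswith` is written as `-'HKLM\...\QMS 810\'` with no space after the dash, so YAML does not read it as a list item; depending on the parser the rule either fails to load or the text is folded into one scalar together with the following `- 'HKLM\...\mimikatz'` line, and in both cases the QMS 810 prefix this rule is built around never matches. It should be `- 'HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\QMS 810\'` (dash, space, quote) like the item after it. The title misspells the tool name (`Mimimkatz`) and the file is added without a trailing newline, which the other rules in this commit were just fixed for. The CVE tags use a hyphen (`cve.2021-1675`); if the repository's tag convention is the dotted form, the tag check will reject them, so worth confirming against the tag tests. Coverage is also limited to the `Windows x64` environment key; if a 32-bit spooler environment (`Windows NT x86`) matters in the monitored estate, a second prefix would be needed, otherwise a short comment stating the x64-only scope would help the next maintainer.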
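Review bot: Dropping the `_<rule_number>` suffix makes every rule object built inside this `for parsed in sigmaparser.condparsed:` loop carry the same `name`, so a Sigma rule with several parsed conditions now emits ElastAlert rules with duplicate names; ElastAlert keys rule state on the name and, as far as I recall, its loader refuses duplicates, so at best the later object silently overrides the earlier one. If the goal is one clean name for the common single-condition case, keep the suffix only when it is needed, e.g. `"name": rulename if len(sigmaparser.condparsed) == 1 else rulename + "_" + str(rule_number),` (assuming `condparsed` is a sized sequence). The enclosing method starts outside the hunk, so it is not visible here how `rule_number` is advanced or whether it is still used anywhere else.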
@@ -23,5 +23,5 @@ class GraylogQuerystringBackend(ElasticsearchQuerystringBackend): active = True config_required = False - reEscape = re.compile("([+\\-!(){}\\[\\]^\"~:/]|(?