From 4c323d40dd7d8ca7e000d8bcec9a6d7c07cba049 Mon Sep 17 00:00:00 2001 From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com> Date: Mon, 28 Jun 2021 15:42:34 +0700 Subject: [PATCH 01/34] Create aws_securityhub_disable_finding.yml --- .../cloud/aws_securityhub_disable_finding.yml | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 rules/cloud/aws_securityhub_disable_finding.yml diff --git a/rules/cloud/aws_securityhub_disable_finding.yml b/rules/cloud/aws_securityhub_disable_finding.yml new file mode 100644 index 000000000..1bb027f1d --- /dev/null +++ b/rules/cloud/aws_securityhub_disable_finding.yml @@ -0,0 +1,29 @@ +title: AWS - SecurityHub Findings Disruption +id: a607e1fe-74bf-4440-a3ec-b059b9103157 +status: stable +description: Identifies to evade finding on SecurityHub. +author: Sittikorn S +date: 2021/06/28 +reference: + - https://docs.aws.amazon.com/cli/latest/reference/securityhub/ +tags: + - attack.defensive_evasion + - attack.t1562.006 +logsource: + service: cloudtrail +detection: + selection: + eventSource: securityhub.amazonaws.com + eventName: + - 'BatchUpdateFindings' + - 'DeleteInsight' + - 'UpdateFindings' + - 'UpdateInsight' + condition: selection +fields: + - sourceIPAddress + - userIdentity.arn +falsepositives: + - System or Network administrator behaviors + - DEV, UAT, SAT environment. You should apply this rule with PROD environment only. +level: high From ff83414871069965d7a947d252c698c6f89f80ef Mon Sep 17 00:00:00 2001 From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com> Date: Mon, 28 Jun 2021 15:45:31 +0700 Subject: [PATCH 02/34] Update and rename aws_securityhub_disable_finding.yml to aws_securityhub_finding_evasion.yml --- ..._disable_finding.yml => aws_securityhub_finding_evasion.yml} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename rules/cloud/{aws_securityhub_disable_finding.yml => aws_securityhub_finding_evasion.yml} (94%) 
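Review bot: `status: stable` on a rule that is created in this very commit is not justified — nothing has exercised it yet, so the new file should open with `status: experimental` until it has been validated against real CloudTrail data. The `eventName` list (`BatchUpdateFindings`, `UpdateFindings`, `UpdateInsight`, `DeleteInsight`) is likely to be hit by automated Security Hub response workflows as well as by people (inferred, not visible here), so the `falsepositives` entries should name that automation next to administrator activity rather than only "System or Network administrator behaviors". With `level: high` and no account or principal filter, an allow-list of known automation roles on `userIdentity.arn` would be the natural tuning point to document.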
diff --git a/rules/cloud/aws_securityhub_disable_finding.yml b/rules/cloud/aws_securityhub_finding_evasion.yml similarity index 94% rename from rules/cloud/aws_securityhub_disable_finding.yml rename to rules/cloud/aws_securityhub_finding_evasion.yml index 1bb027f1d..9b4d4e64d 100644 --- a/rules/cloud/aws_securityhub_disable_finding.yml +++ b/rules/cloud/aws_securityhub_finding_evasion.yml @@ -1,4 +1,4 @@ -title: AWS - SecurityHub Findings Disruption +title: AWS SecurityHub Findings Evasion id: a607e1fe-74bf-4440-a3ec-b059b9103157 status: stable description: Identifies to evade finding on SecurityHub. From 071699da5e541df19943c75a9c6d4db8c604f347 Mon Sep 17 00:00:00 2001 From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com> Date: Mon, 28 Jun 2021 15:52:42 +0700 Subject: [PATCH 03/34] Update aws_securityhub_finding_evasion.yml --- rules/cloud/aws_securityhub_finding_evasion.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/aws_securityhub_finding_evasion.yml b/rules/cloud/aws_securityhub_finding_evasion.yml index 9b4d4e64d..d3ab84c39 100644 --- a/rules/cloud/aws_securityhub_finding_evasion.yml +++ b/rules/cloud/aws_securityhub_finding_evasion.yml @@ -4,7 +4,7 @@ status: stable description: Identifies to evade finding on SecurityHub. author: Sittikorn S date: 2021/06/28 -reference: +references: - https://docs.aws.amazon.com/cli/latest/reference/securityhub/ tags: - attack.defensive_evasion From 5a61e402bfb8be76b7ce49cce2735f77ee888cfd Mon Sep 17 00:00:00 2001 From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com> Date: Mon, 28 Jun 2021 15:57:21 +0700 Subject: [PATCH 04/34] Update aws_securityhub_finding_evasion.yml --- rules/cloud/aws_securityhub_finding_evasion.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/aws_securityhub_finding_evasion.yml b/rules/cloud/aws_securityhub_finding_evasion.yml index d3ab84c39..b065bb878 100644 --- a/rules/cloud/aws_securityhub_finding_evasion.yml 
+++ b/rules/cloud/aws_securityhub_finding_evasion.yml @@ -8,7 +8,7 @@ references: - https://docs.aws.amazon.com/cli/latest/reference/securityhub/ tags: - attack.defensive_evasion - - attack.t1562.006 + - attack.t1562 logsource: service: cloudtrail detection: From bfe110a2c5f2274e7e3aeb2c551431f8342c931c Mon Sep 17 00:00:00 2001 From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com> Date: Mon, 28 Jun 2021 16:07:54 +0700 Subject: [PATCH 05/34] Update aws_securityhub_finding_evasion.yml --- rules/cloud/aws_securityhub_finding_evasion.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/aws_securityhub_finding_evasion.yml b/rules/cloud/aws_securityhub_finding_evasion.yml index b065bb878..d5090b2d2 100644 --- a/rules/cloud/aws_securityhub_finding_evasion.yml +++ b/rules/cloud/aws_securityhub_finding_evasion.yml @@ -7,7 +7,7 @@ date: 2021/06/28 references: - https://docs.aws.amazon.com/cli/latest/reference/securityhub/ tags: - - attack.defensive_evasion + - attack.defense_evasion - attack.t1562 logsource: service: cloudtrail From 9c769a3fce3fc5ac9d5149f06734f6d741fc9034 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 29 Jun 2021 12:49:32 +0200 Subject: [PATCH 06/34] Update aws_securityhub_finding_evasion.yml --- rules/cloud/aws_securityhub_finding_evasion.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/cloud/aws_securityhub_finding_evasion.yml b/rules/cloud/aws_securityhub_finding_evasion.yml index d5090b2d2..5c9013583 100644 --- a/rules/cloud/aws_securityhub_finding_evasion.yml +++ b/rules/cloud/aws_securityhub_finding_evasion.yml @@ -1,7 +1,7 @@ title: AWS SecurityHub Findings Evasion id: a607e1fe-74bf-4440-a3ec-b059b9103157 status: stable -description: Identifies to evade finding on SecurityHub. +description: Detects the modification of the findings on SecurityHub. author: Sittikorn S date: 2021/06/28 references: From 7fca08e5bdef385951077a65d1f81bb821004d66 Mon Sep 17 00:00:00 2001 
From: Cian Mc Govern Date: Fri, 2 Jul 2021 21:56:08 +0100 Subject: [PATCH 07/34] Escape spaces in graylog backend --- tools/sigma/backends/graylog.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/sigma/backends/graylog.py b/tools/sigma/backends/graylog.py index 615cca1b1..90f3ec725 100644 --- a/tools/sigma/backends/graylog.py +++ b/tools/sigma/backends/graylog.py @@ -23,5 +23,5 @@ class GraylogQuerystringBackend(ElasticsearchQuerystringBackend): active = True config_required = False - reEscape = re.compile("([+\\-!(){}\\[\\]^\"~:/]|(? Date: Sat, 3 Jul 2021 20:48:03 +0800 Subject: [PATCH 08/34] Update powershell_data_compressed.yml Corrected old link and formatting. --- rules/windows/powershell/powershell_data_compressed.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/windows/powershell/powershell_data_compressed.yml b/rules/windows/powershell/powershell_data_compressed.yml index 8a5127487..c297661c9 100644 --- a/rules/windows/powershell/powershell_data_compressed.yml +++ b/rules/windows/powershell/powershell_data_compressed.yml @@ -1,11 +1,11 @@ -title: Data Compressed - Powershell +title: Data Compressed - PowerShell id: 6dc5d284-69ea-42cf-9311-fb1c3932a69a status: experimental -description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network +description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. author: Timur Zinniatullin, oscd.community date: 2019/10/21 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.yaml logsource: product: windows service: powershell 
@@ -19,7 +19,7 @@ detection: - 'Compress-Archive' condition: selection falsepositives: - - highly likely if archive ops are done via PS + - Highly likely if archive operations are done via PowerShell. level: low tags: - attack.exfiltration From c63439e74d2bba8eaca47cc4a330d318b5b46e18 Mon Sep 17 00:00:00 2001 From: G Y <35021368+leegengyu@users.noreply.github.com> Date: Sun, 4 Jul 2021 08:15:29 +0800 Subject: [PATCH 09/34] Update powershell_data_compressed.yml Changed reference link from `.yaml` to `.md`. --- rules/windows/powershell/powershell_data_compressed.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/powershell/powershell_data_compressed.yml b/rules/windows/powershell/powershell_data_compressed.yml index c297661c9..fd9bd0ae9 100644 --- a/rules/windows/powershell/powershell_data_compressed.yml +++ b/rules/windows/powershell/powershell_data_compressed.yml @@ -5,7 +5,7 @@ description: An adversary may compress data (e.g., sensitive documents) that is author: Timur Zinniatullin, oscd.community date: 2019/10/21 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560/T1560.md logsource: product: windows service: powershell From 268c97f23a67f9449e9c39230d7820744494f2e1 Mon Sep 17 00:00:00 2001 From: G Y <35021368+leegengyu@users.noreply.github.com> Date: Sun, 4 Jul 2021 09:53:23 +0800 Subject: [PATCH 10/34] Update win_susp_sdelete.yml Update old links and typo. --- rules/windows/builtin/win_susp_sdelete.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/windows/builtin/win_susp_sdelete.yml b/rules/windows/builtin/win_susp_sdelete.yml index 558a109e1..081c8d15c 100644 --- a/rules/windows/builtin/win_susp_sdelete.yml +++ b/rules/windows/builtin/win_susp_sdelete.yml 
@@ -1,14 +1,14 @@ title: Secure Deletion with SDelete id: 39a80702-d7ca-4a83-b776-525b1f86a36d status: experimental -description: Detects renaming of file while deletion with SDelete tool +description: Detects renaming of file while deletion with SDelete tool. author: Thomas Patzke date: 2017/06/14 modified: 2020/08/2 references: - - https://jpcertcc.github.io/ToolAnalysisResultSheet + - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/sdelete.htm - https://www.jpcert.or.jp/english/pub/sr/ir_research.html - - https://technet.microsoft.com/en-us/en-en/sysinternals/sdelete.aspx + - https://docs.microsoft.com/en-gb/sysinternals/downloads/sdelete tags: - attack.impact - attack.defense_evasion @@ -33,5 +33,5 @@ detection: - '.ZZZ' condition: selection falsepositives: - - Legitime usage of SDelete + - Legitimate usage of SDelete level: medium From a60a2feb178dac6834abddb90a2519fc87b02db9 Mon Sep 17 00:00:00 2001 From: G Y <35021368+leegengyu@users.noreply.github.com> Date: Sun, 4 Jul 2021 10:38:53 +0800 Subject: [PATCH 11/34] Update sysmon_susp_pfx_file_creation.yml Fixed typo. --- rules/windows/file_event/sysmon_susp_pfx_file_creation.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/file_event/sysmon_susp_pfx_file_creation.yml b/rules/windows/file_event/sysmon_susp_pfx_file_creation.yml index e9e962736..8c010b15d 100644 --- a/rules/windows/file_event/sysmon_susp_pfx_file_creation.yml +++ b/rules/windows/file_event/sysmon_susp_pfx_file_creation.yml 
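Review bot: `modified: 2020/08/2` in the context of the first hunk is not a zero-padded `YYYY/MM/DD` date and is left untouched even though this commit changes the description, the references and the falsepositives text; it should become `modified: 2021/07/04`, the date of this change. Tooling that parses the date fields strictly may reject the two-digit day, so the stale value is a correctness issue rather than cosmetics.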
@@ -1,6 +1,6 @@ title: Suspicious PFX File Creation id: dca1b3e8-e043-4ec8-85d7-867f334b5724 -description: A General detection for processes creating PFX files. This could be an inidicator of an adversary exporting a local certificate to a pfx file. +description: A general detection for processes creating PFX files. This could be an indicator of an adversary exporting a local certificate to a PFX file. status: experimental date: 2020/05/02 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) @@ -18,5 +18,5 @@ detection: TargetFilename|endswith: '.pfx' condition: selection falsepositives: - - unknown -level: medium \ No newline at end of file + - System administrators managing certififcates. +level: medium From 8fd81acee41c6ba54aaad119618f4e5e5c1c05fd Mon Sep 17 00:00:00 2001 From: frack113 Date: Sun, 4 Jul 2021 11:56:59 +0200 Subject: [PATCH 12/34] Change getRuleName() to get 'id-title' instead of ('id' or 'title') --- tools/sigma/backends/elasticsearch.py | 2 +- tools/sigma/backends/mixins.py | 11 +++++++++-- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py index 855e8815d..4026b58e5 100644 --- a/tools/sigma/backends/elasticsearch.py +++ b/tools/sigma/backends/elasticsearch.py @@ -1171,7 +1171,7 @@ class ElastalertBackend(DeepFieldMappingMixin, MultiRuleOutputMixin): for parsed in sigmaparser.condparsed: #Static data rule_object = { - "name": rulename + "_" + str(rule_number), + "name": rulename, "description": description, "index": index, "priority": self.convertLevel(level), diff --git a/tools/sigma/backends/mixins.py b/tools/sigma/backends/mixins.py index ed1fc8ddc..a835be997 100644 --- a/tools/sigma/backends/mixins.py +++ b/tools/sigma/backends/mixins.py 
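Review bot: The new falsepositives entry in the second hunk introduces a typo in a commit meant to fix one: `- System administrators managing certififcates.` should read `- System administrators managing certificates.`. The rule text changed but no `modified:` field was added after `date: 2020/05/02`; `modified: 2021/07/04` would keep the metadata consistent with the other rules edited in this series.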
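Review bot: Dropping `rule_number` from the Elastalert `name` means every rule object produced by the enclosing `for parsed in sigmaparser.condparsed` loop now carries the same name, so a Sigma rule with several condition entries emits duplicate Elastalert rule names unless `rulename` is regenerated inside the loop (where it is assigned is outside this hunk). If the intent is that `getRuleName` now disambiguates through `self.rulenames`, that only works when it is called once per emitted object, so the call site should be checked; otherwise keep a per-condition suffix, e.g. `"name": rulename if len(sigmaparser.condparsed) == 1 else "%s_%d" % (rulename, rule_number),`. The enclosing method starts and ends outside the hunk.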
@@ -68,9 +68,16 @@ class MultiRuleOutputMixin: """ try: - rulename = sigmaparser.parsedyaml["id"] + yaml_id = sigmaparser.parsedyaml["id"] except KeyError: - rulename = sigmaparser.parsedyaml["title"].replace(" ", "-").replace("(", "").replace(")", "") + yaml_id = "00000000-0000-0000-0000-000000000000" + try: + yaml_title = sigmaparser.parsedyaml["title"] + except KeyError: + yaml_title = "No Title" + yaml_title = yaml_title.replace(" ", "-").replace("(", "").replace(")", "") + + rulename = "%s-%s" % (yaml_id, yaml_title) if rulename in self.rulenames: # add counter if name collides cnt = 2 while "%s-%d" % (rulename, cnt) in self.rulenames: From 62b25cadf16b52d9c52d390d6a3e070be0d9221b Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sun, 4 Jul 2021 13:47:56 +0200 Subject: [PATCH 13/34] rule: mimikatz printernightmare --- ...win_registry_mimikatz_printernightmare.yml | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml diff --git a/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml b/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml new file mode 100644 index 000000000..64caf704d --- /dev/null +++ b/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml 
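Review bot: The two `try`/`except KeyError` blocks for `id` and `title` in the new code are the verbose form of `dict.get`; `yaml_id = sigmaparser.parsedyaml.get("id", "00000000-0000-0000-0000-000000000000")` and `yaml_title = sigmaparser.parsedyaml.get("title", "No Title")` express the same fallbacks in two lines. Because the nil UUID is shared by every rule that lacks an `id`, such rules differ only by their sanitised title and rely on the collision counter below; a comment such as `# rules without an id share the nil UUID; name collisions are resolved by the counter below` would stop the next reader from reading that as a bug. The enclosing method's signature and docstring begin before the hunk.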
@@ -0,0 +1,26 @@ +title: Printnightmare Mimimkatz Driver Name +id: ba6b9e43-1d45-4d3c-a504-1043a64c8469 +status: experimental +description: Detects static QMS 810 driver name used by Mimikatz +references: + - https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760 +author: Markus Neis, @markus_neis +tags: + - attack.execution + - cve.2021-1675 + - cve.2021-34527 +date: 2021/06/07 +logsource: + product: windows + category: registry_event +detection: + selection: + EventID: + - 12 # key create + - 13 # value set + selection_qms: + - TargetObject|startswith: 'HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\QMS 810\' + condition: selection and selection_qms +falsepositives: + - Unknown +level: critical \ No newline at end of file From fd5b7506d1de021e13aff01355707b84b10196ae Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sun, 4 Jul 2021 14:03:28 +0200 Subject: [PATCH 14/34] refactor: changed rule contents, removed eventIDs --- .../win_registry_mimikatz_printernightmare.yml | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml b/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml index 64caf704d..c62015f73 100644 --- a/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml +++ b/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml @@ -4,6 +4,8 @@ status: experimental description: Detects static QMS 810 driver name used by Mimikatz references: - https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760 + - https://www.lexjansen.com/sesug/1993/SESUG93035.pdf + - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913 author: Markus Neis, @markus_neis tags: - attack.execution 
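Review bot: The title `Printnightmare Mimimkatz Driver Name` misspells Mimikatz, and none of the later patches to this file in the series correct it; `title: PrintNightmare Mimikatz Driver Name` matches the spelling the description uses. The file is committed without a trailing newline (`\ No newline at end of file`), which also persists through the follow-up commits to this rule, so fixing it here avoids noise in every later diff.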
@@ -15,12 +17,8 @@ logsource: category: registry_event detection: selection: - EventID: - - 12 # key create - - 13 # value set - selection_qms: - - TargetObject|startswith: 'HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\QMS 810\' - condition: selection and selection_qms + TargetObject|startswith: 'HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\QMS 810\' + condition: selection falsepositives: - - Unknown + - Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer (unlikely) level: critical \ No newline at end of file From d05f3efd1ba6e13dd96d15791c9e0a4c25cc30e2 Mon Sep 17 00:00:00 2001 From: frack113 Date: Sun, 4 Jul 2021 19:44:50 +0200 Subject: [PATCH 15/34] fix pr 869 --- .../powershell_renamed_powershell.yml | 26 +++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 rules/windows/powershell/powershell_renamed_powershell.yml diff --git a/rules/windows/powershell/powershell_renamed_powershell.yml b/rules/windows/powershell/powershell_renamed_powershell.yml new file mode 100644 index 000000000..e1b909104 --- /dev/null +++ b/rules/windows/powershell/powershell_renamed_powershell.yml @@ -0,0 +1,26 @@ +title: Renamed Powershell +id: 30a8cb77-8eb3-4cfb-8e79-ad457c5a4592 +description: Detects renamed powershell +status: experimental +references: + - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse +author: Harish Segar, frack113 +date: 2020/06/29 +modified: 2021/07/04 +tags: + - attack.execution + - attack.t1086 +logsource: + product: windows + service: powershell-classic +detection: + selection: + EventID: 400 + HostName: "ConsoleHost" + filter: + HostApplication|startswith: + - "powershell" + condition: selection and not filter +falsepositives: + - unknown +level: low \ No newline at end of file From 7fab22ddc20c3b77185cf18afeed455a2eab947f Mon Sep 17 00:00:00 2001 
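Review bot: The filter `HostApplication|startswith: - "powershell"` only excludes host applications whose value begins with the bare word; if `HostApplication` in event 400 carries the full path of the host executable, as it commonly does (verify against captured events), legitimate `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe` sessions would not be filtered and the rule would fire on every normal start. A form such as `HostApplication|contains: '\powershell'`, or an explicit list of the expected host paths, is the safer filter. The tag `attack.t1086` is a deprecated technique id superseded by `attack.t1059.001`, `falsepositives: - unknown` should be capitalised as `Unknown` to match the other rules in this series, and the file ends without a trailing newline.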
From: Florian Roth Date: Mon, 5 Jul 2021 12:03:35 +0200 Subject: [PATCH 16/34] rule: more Kaseya patterns --- .../windows/process_creation/win_apt_revil_kaseya.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/rules/windows/process_creation/win_apt_revil_kaseya.yml b/rules/windows/process_creation/win_apt_revil_kaseya.yml index 2ab3055a0..b3f6cab3a 100644 --- a/rules/windows/process_creation/win_apt_revil_kaseya.yml +++ b/rules/windows/process_creation/win_apt_revil_kaseya.yml @@ -7,8 +7,10 @@ references: - https://www.joesandbox.com/analysis/443736/0/html - https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b - https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/ + - https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/ author: Florian Roth date: 2021/07/03 +modified: 2021/07/05 tags: - attack.execution - attack.g0115 @@ -23,11 +25,20 @@ detection: - 'del /q /f c:\kworking\agent.crt' - 'Kaseya VSA Agent Hot-fix' - '\AppData\Local\Temp\MsMpEng.exe' + - 'rmdir /s /q %SystemDrive%\inetpub\logs' + - 'del /s /q /f %SystemDrive%\\*.log' + - 'c:\kworking1\agent.exe' + - 'c:\kworking1\agent.crt' selection2: Image: - 'C:\Windows\MsMpEng.exe' - 'C:\Windows\cert.exe' - 'C:\kworking\agent.exe' + - 'C:\kworking1\agent.exe' + selection3: + CommandLine|contains|all: + - 'del /s /q /f' + - 'WebPages\Errors\webErrorLog.txt' condition: selection1 and selection2 falsepositives: - Unknown From 7e9d6600ebe3988c50d05e1403f5ff56a3a2f6c7 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 5 Jul 2021 12:03:56 +0200 Subject: [PATCH 17/34] rule: PrinterNightmare - new mimikatz printer name --- .../win_registry_mimikatz_printernightmare.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) 
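Review bot: `selection3` is added in the second hunk but the condition stays `condition: selection1 and selection2`, so the new `CommandLine|contains|all` pair on `del /s /q /f` and `WebPages\Errors\webErrorLog.txt` is never evaluated. Either the condition should become `condition: (selection1 and selection2) or selection3` or the selection should be dropped; as committed it is dead configuration that a reader will assume is active. The metadata side (`modified: 2021/07/05` and the new reference) is fine.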
diff --git a/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml b/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml index c62015f73..35d69bd94 100644 --- a/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml +++ b/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml @@ -11,14 +11,17 @@ tags: - attack.execution - cve.2021-1675 - cve.2021-34527 -date: 2021/06/07 +date: 2021/07/04 +modified: 2021/07/05 logsource: product: windows category: registry_event detection: selection: - TargetObject|startswith: 'HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\QMS 810\' + TargetObject|startswith: + -'HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\QMS 810\' + - 'HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\mimikatz\' condition: selection falsepositives: - Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer (unlikely) -level: critical \ No newline at end of file +level: critical \ No newline at end of file From 6c4f36c47350a36ef8394c1d23a2b20000d3ee8f Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 5 Jul 2021 12:05:57 +0200 Subject: [PATCH 18/34] fix: minor typo - no \ at the end of the expression --- .../registry_event/win_registry_mimikatz_printernightmare.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml b/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml index 35d69bd94..5fd0912b4 100644 --- a/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml +++ b/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml 
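Review bot: The first entry under `TargetObject|startswith:` is written `-'HKLM\System\...\QMS 810\'` with no space after the dash, so YAML does not read it as a sequence item; depending on the parser the line is either a parse error or a plain scalar rather than a list entry, and the QMS 810 prefix silently stops matching. It should read `- 'HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\QMS 810\'`. The same malformed line is carried as unchanged context in the hunks of patches 18 and 20 (the two later changes to this file), so one fix here covers all three. The file still ends without a trailing newline, which is why the unchanged `level: critical` line shows up as removed and re-added.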
@@ -20,7 +20,7 @@ detection: selection: TargetObject|startswith: -'HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\QMS 810\' - - 'HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\mimikatz\' + - 'HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\mimikatz' condition: selection falsepositives: - Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer (unlikely) From 0245d5806503249ba52d96b7a082d5b7474a3081 Mon Sep 17 00:00:00 2001 From: frack113 Date: Mon, 5 Jul 2021 12:56:05 +0200 Subject: [PATCH 19/34] fix missing description --- rules/windows/builtin/win_susp_failed_guest_logon.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_susp_failed_guest_logon.yml b/rules/windows/builtin/win_susp_failed_guest_logon.yml index 938be568e..0d7657d52 100644 --- a/rules/windows/builtin/win_susp_failed_guest_logon.yml +++ b/rules/windows/builtin/win_susp_failed_guest_logon.yml @@ -1,6 +1,6 @@ title: Suspicious Rejected SMB Guest Logon From IP id: 71886b70-d7b4-4dbf-acce-87d2ca135262 -description: +description: Detect Attempt PrintNightmare (CVE-2021-1675) Remote code execution in Windows Spooler Service author: Florian Roth, KevTheHermit, fuzzyf10w status: experimental level: medium @@ -9,6 +9,7 @@ references: - https://github.com/hhlxf/PrintNightmare - https://github.com/afwu/PrintNightmare date: 2021/06/30 +modified: 2021/07/05 logsource: product: windows service: smbclient-security From e5849a08f1be5dca55284a8fe4cee6e5265c5df0 Mon Sep 17 00:00:00 2001 
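Review bot: The new description `Detect Attempt PrintNightmare (CVE-2021-1675) Remote code execution in Windows Spooler Service` in the first hunk of win_susp_failed_guest_logon.yml is ungrammatical and reads like a title; `description: Detects an attempt to exploit PrintNightmare (CVE-2021-1675), a remote code execution vulnerability in the Windows Print Spooler service, observed as a rejected SMB guest logon` says what the rule actually observes, in line with its title and the `smbclient-security` logsource. Adding `modified: 2021/07/05` in the second hunk is the right companion change.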
From: Florian Roth Date: Mon, 5 Jul 2021 15:29:52 +0200 Subject: [PATCH 20/34] rule: PrinterNightmare Mimikatz update https://github.com/gentilkiwi/mimikatz/commit/51dc7c0363d4e1e1eb2d35f5d5a25841b0801861#diff-cf4373b6c7195386ac1973681e5561bd96e1bb9e099cfd3febd1111e986bd17cL1450-R1451 --- .../win_registry_mimikatz_printernightmare.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml b/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml index 5fd0912b4..cb39ee540 100644 --- a/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml +++ b/rules/windows/registry_event/win_registry_mimikatz_printernightmare.yml @@ -6,7 +6,7 @@ references: - https://github.com/gentilkiwi/mimikatz/commit/c21276072b3f2a47a21e215a46962a17d54b3760 - https://www.lexjansen.com/sesug/1993/SESUG93035.pdf - https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rprn/4464eaf0-f34f-40d5-b970-736437a21913 -author: Markus Neis, @markus_neis +author: Markus Neis, @markus_neis, Florian Roth tags: - attack.execution - cve.2021-1675 @@ -21,7 +21,11 @@ detection: TargetObject|startswith: -'HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\QMS 810\' - 'HKLM\System\CurrentControlSet\Control\Print\Environments\Windows x64\Drivers\Version-3\mimikatz' - condition: selection + selection_alt: + TargetObject|contains|all: + - 'legitprinter' + - '\Control\Print\Environments\Windows' + condition: selection or selection_alt falsepositives: - Legitimate installation of printer driver QMS 810, Texas Instruments microLaser printer (unlikely) level: critical \ No newline at end of file From 3bc6532049436b1d4a43f0f07ef586a01479e216 Mon Sep 17 00:00:00 2001 
From: Bhabesh Rai Date: Mon, 5 Jul 2021 20:30:07 +0545 Subject: [PATCH 21/34] Added and updated Defender's tamper related rules --- rules/windows/other/win_defender_disabled.yml | 11 +++++++- ...win_defender_tamper_protection_trigger.yml | 26 +++++++++++++++++++ 2 files changed, 36 insertions(+), 1 deletion(-) create mode 100644 rules/windows/other/win_defender_tamper_protection_trigger.yml diff --git a/rules/windows/other/win_defender_disabled.yml b/rules/windows/other/win_defender_disabled.yml index 6b0a4d4e3..0dfd079c7 100644 --- a/rules/windows/other/win_defender_disabled.yml +++ b/rules/windows/other/win_defender_disabled.yml @@ -3,7 +3,7 @@ title: Windows Defender Threat Detection Disabled id: fe34868f-6e0e-4882-81f6-c43aa8f15b62 description: Detects disabling Windows Defender threat protection date: 2020/07/28 -modified: 2021/06/07 +modified: 2021/07/05 author: Ján Trenčanský, frack113 references: - https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus @@ -44,3 +44,12 @@ detection: TargetObject: 'HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware' Details: 'DWORD (0x00000001)' condition: tamper_registry +--- +logsource: + product: windows + category: system +detection: + selection3: + EventID: 7036 + Message: 'The Windows Defender Antivirus Service service entered the stopped state' + condition: selection3 \ No newline at end of file diff --git a/rules/windows/other/win_defender_tamper_protection_trigger.yml b/rules/windows/other/win_defender_tamper_protection_trigger.yml new file mode 100644 index 000000000..0eeb90cc1 --- /dev/null +++ b/rules/windows/other/win_defender_tamper_protection_trigger.yml 
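Review bot: `Message: 'The Windows Defender Antivirus Service service entered the stopped state'` in the appended document is an exact match on a localized free-text field; the 7036 event text is rendered from a template that varies by display language and, as far as I recall, ends with a period, so an exact match of this form is likely to match nothing (verify against a captured event). `Message|contains: 'Windows Defender Antivirus Service service entered the stopped state'`, or matching on the structured service-name parameter of 7036, would be more robust. The appended document carries only `logsource` and `detection`, which is valid only if the first document of this file declares `action: global` (not visible in the hunk); otherwise it becomes a rule with no title or id, so that is worth confirming. The file also ends without a trailing newline.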
@@ -0,0 +1,26 @@ +title: Microsoft Defender Tamper Protection Trigger +id: 49e5bc24-8b86-49f1-b743-535f332c2856 +description: Detects block of attempt to disable real time protection of Microsoft Defender by tamper protection +date: 2021/07/05 +author: Bhabesh Raj +references: + - https://bhabeshraj.com/post/tampering-with-microsoft-defenders-tamper-protection +status: stable +tags: + - attack.defense_evasion + - attack.t1089 # an old one + - attack.t1562.001 +falsepositives: + - Administrator actions +level: critical +logsource: + product: windows + service: windefend +detection: + selection: + EventID: + - 5013 + Value|endswith: + - '\Windows Defender\DisableAntiSpyware = 0x1()' + - '\Real-Time Protection\DisableRealtimeMonitoring = (Current)' + condition: selection \ No newline at end of file From c01ec60e7dfabcc74889792336b1cba374a12dda Mon Sep 17 00:00:00 2001 From: G Y <35021368+leegengyu@users.noreply.github.com> Date: Tue, 6 Jul 2021 11:03:08 +0800 Subject: [PATCH 22/34] Update win_mal_service_installs.yml - Add new service Add new malicious service (javamtsup) by APT29 and add reference links. --- rules/windows/builtin/win_mal_service_installs.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_mal_service_installs.yml b/rules/windows/builtin/win_mal_service_installs.yml index 5e9adf31e..af2c247a2 100644 --- a/rules/windows/builtin/win_mal_service_installs.yml +++ b/rules/windows/builtin/win_mal_service_installs.yml 
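Review bot: `status: stable` is set on a rule created in this commit; the convention in this series is `status: experimental` for new detections until they have been exercised, and the `# an old one` comment on `attack.t1089` concedes that tag is a deprecated technique id, so keeping only `attack.t1562.001` avoids tooling that rejects retired ids. `EventID: - 5013` is a one-element list that can be the scalar `EventID: 5013`, and the `Value|endswith` pattern `'\Windows Defender\DisableAntiSpyware = 0x1()'` looks unusual enough that a comment quoting the raw event text it was copied from would let reviewers confirm it. The file ends without a trailing newline.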
@@ -1,9 +1,13 @@ title: Malicious Service Installations id: 2cfe636e-317a-4bee-9f2c-1066d9f54d1a -description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping and other suspicious activity +description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities. author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update) date: 2017/03/27 modified: 2021/05/27 +references: + - https://awakesecurity.com/blog/threat-hunting-for-paexec/ + - https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html + - https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf tags: - attack.persistence - attack.privilege_escalation @@ -25,6 +29,8 @@ detection: ServiceName: 'mssecsvc2.0' malsvc_persistence: ServiceFileName|contains: 'net user' + malsvc_apt29: + ServiceName: 'javamtsup' condition: selection and 1 of malsvc_* falsepositives: - Penetration testing From a0407cf47717cb15ed01f0d840fd166c3bf73791 Mon Sep 17 00:00:00 2001 From: G Y <35021368+leegengyu@users.noreply.github.com> Date: Tue, 6 Jul 2021 12:11:32 +0800 Subject: [PATCH 23/34] Update win_mal_service_installs.yml - Add new Event ID Added event ID 4697, which is equivalent to existing event ID 7045. --- rules/windows/builtin/win_mal_service_installs.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_mal_service_installs.yml b/rules/windows/builtin/win_mal_service_installs.yml index af2c247a2..61d264cde 100644 --- a/rules/windows/builtin/win_mal_service_installs.yml +++ b/rules/windows/builtin/win_mal_service_installs.yml @@ -22,7 +22,9 @@ logsource: service: system detection: selection: - EventID: 7045 + EventID: + - 4697 + - 7045 malsvc_paexec: ServiceFileName|contains: '\PAExec' malsvc_wannacry: From 9c94cf42fe2f67ed6708be544d1939917acd7e26 Mon Sep 17 00:00:00 2001 
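Review bot: Adding `4697` to `EventID` in the patch 23 hunk does not make the rule see those events while the hunk's `logsource` context stays `service: system`: 4697 ("A service was installed in the system") is written to the Security log, not System, so under this logsource the new value is inert. Either a second document with `service: security` for 4697, or a logsource that covers both channels, is needed; at minimum a comment such as `# 4697 is a Security-log event; needs a security logsource to match` would stop the next reader from assuming the coverage exists. The rename of the selection key in the patch 22 hunks and the `malsvc_apt29` addition are picked up by `1 of malsvc_*`, so that part is fine.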
From: frack113 Date: Tue, 6 Jul 2021 09:26:43 +0200 Subject: [PATCH 24/34] childimage do not exist in sysmon schema --- .../process_creation/win_susp_use_of_vsjitdebugger_bin.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml b/rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml index 529aff91d..50654354a 100644 --- a/rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml +++ b/rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml @@ -11,6 +11,7 @@ tags: - attack.defense_evasion author: Agro (@agro_sev), Ensar Şamil (@sblmsrsn), oscd.community date: 2020/10/14 +modified: 2021/07/06 logsource: category: process_creation product: windows @@ -18,9 +19,9 @@ detection: selection: ParentImage|endswith: '\vsjitdebugger.exe' reduction1: - ChildImage|endswith: '\vsimmersiveactivatehelper*.exe' + Image|endswith: '\vsimmersiveactivatehelper*.exe' reduction2: - ChildImage|endswith: '\devenv.exe' + Image|endswith: '\devenv.exe' condition: selection and not (reduction1 or reduction2) falsepositives: - the process spawned by vsjitdebugger.exe is uncommon. From aab65361da05987eba4cb310bd5579ddf0f909c6 Mon Sep 17 00:00:00 2001 From: G Y <35021368+leegengyu@users.noreply.github.com> Date: Tue, 6 Jul 2021 00:50:23 -0700 Subject: [PATCH 25/34] Update rules/windows/builtin/win_mal_service_installs.yml Add modified date. Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com> --- rules/windows/builtin/win_mal_service_installs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_mal_service_installs.yml b/rules/windows/builtin/win_mal_service_installs.yml index 61d264cde..491926aee 100644 --- a/rules/windows/builtin/win_mal_service_installs.yml +++ b/rules/windows/builtin/win_mal_service_installs.yml 
@@ -3,7 +3,7 @@ id: 2cfe636e-317a-4bee-9f2c-1066d9f54d1a description: Detects known malicious service installs that only appear in cases of lateral movement, credential dumping, and other suspicious activities. author: Florian Roth, Daniil Yugoslavskiy, oscd.community (update) date: 2017/03/27 -modified: 2021/05/27 +modified: 2021/07/06 references: - https://awakesecurity.com/blog/threat-hunting-for-paexec/ - https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html From cfccdea28ea91f0e43c6fdc1419c4e71bb21286a Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 6 Jul 2021 10:09:47 +0200 Subject: [PATCH 26/34] change OriginalFilename case --- rules/windows/process_creation/win_purplesharp_indicators.yml | 3 ++- rules/windows/process_creation/win_susp_renamed_paexec.yml | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_purplesharp_indicators.yml b/rules/windows/process_creation/win_purplesharp_indicators.yml index 503b7a656..29ae7a7ad 100644 --- a/rules/windows/process_creation/win_purplesharp_indicators.yml +++ b/rules/windows/process_creation/win_purplesharp_indicators.yml @@ -4,6 +4,7 @@ status: experimental description: Detect author: Florian Roth date: 2021/06/18 +modified: 2021/07/06 references: - https://github.com/mvelazc0/PurpleSharp logsource: @@ -15,7 +16,7 @@ detection: - xyz123456.exe - PurpleSharp selection2: - OriginalFilename: + OriginalFileName: - 'PurpleSharp.exe' condition: selection1 or selection2 falsepositives: diff --git a/rules/windows/process_creation/win_susp_renamed_paexec.yml b/rules/windows/process_creation/win_susp_renamed_paexec.yml index cc1d5f209..7c51c620a 100644 --- a/rules/windows/process_creation/win_susp_renamed_paexec.yml +++ b/rules/windows/process_creation/win_susp_renamed_paexec.yml 
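Review bot: `description: Detect` on the context line of the first win_purplesharp_indicators.yml hunk is an unfinished sentence; since this commit already touches the header, complete it, e.g. `description: Detects process creation indicators of the PurpleSharp adversary simulation tool, by executable name or by the OriginalFileName recorded in the binary's version information.` The first half of that wording is inferred from the `xyz123456.exe` / `PurpleSharp` values, because the field key for `selection1` sits above the hunk. Note also that `OriginalFileName` is only populated by telemetry that reads PE version info (Sysmon Event ID 1 or an EDR), so a plain Security 4688 feed will never satisfy `selection2`; a short sentence saying so in the description would prevent a silent miss.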
@@ -6,6 +6,7 @@ references: - https://www.poweradmin.com/paexec/ author: Florian Roth date: 2021/05/22 +modified: 2021/07/06 logsource: category: process_creation product: windows @@ -13,7 +14,7 @@ detection: selection1: Description: 'PAExec Application' selection2: - OriginalFilename: 'PAExec.exe' + OriginalFileName: 'PAExec.exe' filter: Image|endswith: - '\PAexec.exe' From 7f15b0a0757057fea9b8bf4d99c4dd7358456691 Mon Sep 17 00:00:00 2001 From: G Y <35021368+leegengyu@users.noreply.github.com> Date: Tue, 6 Jul 2021 16:24:02 +0800 Subject: [PATCH 27/34] Update win_smb_file_creation_admin_shares.yml - Dead link Updated dead link. --- rules/windows/builtin/win_smb_file_creation_admin_shares.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/builtin/win_smb_file_creation_admin_shares.yml b/rules/windows/builtin/win_smb_file_creation_admin_shares.yml index ad5a06218..0569c9822 100644 --- a/rules/windows/builtin/win_smb_file_creation_admin_shares.yml +++ b/rules/windows/builtin/win_smb_file_creation_admin_shares.yml @@ -9,7 +9,7 @@ tags: - attack.t1021.002 references: - https://github.com/OTRF/ThreatHunter-Playbook/blob/master/playbooks/WIN-201012004336.yaml - - https://mordordatasets.com/notebooks/small/windows/08_lateral_movement/SDWIN-200806015757.html?highlight=create%20file + - https://securitydatasets.com/notebooks/small/windows/08_lateral_movement/SDWIN-200806015757.html?highlight=create%20file logsource: product: windows service: security @@ -23,4 +23,4 @@ detection: condition: selection and not filter falsepositives: - Unknown -level: high \ No newline at end of file +level: high From 5d10cc68dab9bc9e8585cb4b3eba89a2d8f7da9a Mon Sep 17 00:00:00 2001 
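Review bot: With the key now spelled `OriginalFileName`, both selections of win_susp_renamed_paexec.yml rest on PE version-info fields (`Description`, `OriginalFileName`) that Windows 4688 process-creation events do not carry; only Sysmon Event ID 1 or EDR telemetry populates them, so on a Security-log-only feed this rule is inert rather than noisy. Since the point of the rule is catching a renamed binary, state that dependency where operators will see it, e.g. append to the description: `Requires process creation telemetry that records PE version information (Sysmon Event ID 1); Windows 4688 does not provide these fields.` The description and the `filter` on `Image|endswith` lie outside the hunk.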
From: leegengyu Date: Tue, 6 Jul 2021 16:35:20 +0800 Subject: [PATCH 28/34] Update mordordatasets references --- rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml | 4 ++-- .../image_load/sysmon_wmic_remote_xsl_scripting_dlls.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml b/rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml index 92db1c231..ae9420ad8 100644 --- a/rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml +++ b/rules/windows/image_load/sysmon_uipromptforcreds_dlls.yml @@ -9,7 +9,7 @@ tags: - attack.collection - attack.t1056.002 references: - - https://mordordatasets.com/notebooks/small/windows/06_credential_access/SDWIN-201020013208.html + - https://securitydatasets.com/notebooks/small/windows/06_credential_access/SDWIN-201020013208.html - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1056.002/T1056.002.md#atomic-test-2---powershell---prompt-user-for-password - https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa logsource: @@ -26,4 +26,4 @@ detection: condition: selection falsepositives: - other legitimate processes loading those DLLs in your environment. -level: medium \ No newline at end of file +level: medium diff --git a/rules/windows/image_load/sysmon_wmic_remote_xsl_scripting_dlls.yml b/rules/windows/image_load/sysmon_wmic_remote_xsl_scripting_dlls.yml index 91d711f5c..b3020349e 100644 --- a/rules/windows/image_load/sysmon_wmic_remote_xsl_scripting_dlls.yml +++ b/rules/windows/image_load/sysmon_wmic_remote_xsl_scripting_dlls.yml 
@@ -8,7 +8,7 @@ tags: - attack.defense_evasion - attack.t1220 references: - - https://mordordatasets.com/notebooks/small/windows/05_defense_evasion/SDWIN-201017061100.html + - https://securitydatasets.com/notebooks/small/windows/05_defense_evasion/SDWIN-201017061100.html - https://twitter.com/dez_/status/986614411711442944 - https://lolbas-project.github.io/lolbas/Binaries/Wmic/ logsource: @@ -23,4 +23,4 @@ detection: condition: selection falsepositives: - Apparently, wmic os get lastboottuptime loads vbscript.dll -level: high \ No newline at end of file +level: high From 7557732ca2f2e7784eb69036b14e46f7b483d92c Mon Sep 17 00:00:00 2001 From: leegengyu Date: Tue, 6 Jul 2021 17:21:22 +0800 Subject: [PATCH 29/34] Updated ART reference links from .yaml to .md and sub-technique links. --- .../powershell/powershell_winlogon_helper_dll.yml | 2 +- .../process_creation/win_data_compressed_with_rar.yml | 6 +++--- rules/windows/process_creation/win_hh_chm.yml | 2 +- rules/windows/process_creation/win_indirect_cmd.yml | 8 ++++---- .../win_local_system_owner_account_discovery.yml | 4 ++-- rules/windows/process_creation/win_lsass_dump.yml | 2 +- .../windows/process_creation/win_mshta_javascript.yml | 4 ++-- rules/windows/process_creation/win_net_enum.yml | 2 +- .../windows/process_creation/win_network_sniffing.yml | 2 +- .../process_creation/win_powershell_audio_capture.yml | 6 +++--- rules/windows/process_creation/win_query_registry.yml | 2 +- .../windows/process_creation/win_service_execution.yml | 6 +++--- .../process_creation/win_soundrec_audio_capture.yml | 6 +++--- .../windows/process_creation/win_susp_fsutil_usage.yml | 4 ++-- .../win_susp_service_path_modification.yml | 4 ++-- .../process_creation/win_xsl_script_processing.yml | 10 +++++----- 16 files changed, 35 insertions(+), 35 deletions(-) diff --git a/rules/windows/powershell/powershell_winlogon_helper_dll.yml b/rules/windows/powershell/powershell_winlogon_helper_dll.yml index 9555ba0d5..026d82402 100644 
--- a/rules/windows/powershell/powershell_winlogon_helper_dll.yml +++ b/rules/windows/powershell/powershell_winlogon_helper_dll.yml @@ -6,7 +6,7 @@ author: Timur Zinniatullin, oscd.community date: 2019/10/21 modified: 2020/12/01 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1004/T1004.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md logsource: product: windows service: powershell diff --git a/rules/windows/process_creation/win_data_compressed_with_rar.yml b/rules/windows/process_creation/win_data_compressed_with_rar.yml index 01367c2fb..344b670c5 100644 --- a/rules/windows/process_creation/win_data_compressed_with_rar.yml +++ b/rules/windows/process_creation/win_data_compressed_with_rar.yml @@ -1,12 +1,12 @@ title: Data Compressed - rar.exe id: 6f3e2987-db24-4c78-a860-b4f4095a7095 status: experimental -description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network +description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. author: Timur Zinniatullin, E.M. Anhaus, oscd.community date: 2019/10/21 modified: 2020/08/29 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1002/T1002.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md - https://eqllib.readthedocs.io/en/latest/analytics/1ec33c93-3d0b-4a28-8014-dbdaae5c60ae.html logsource: category: process_creation @@ -25,7 +25,7 @@ fields: - ParentProcessGuid - ParentCommandLine falsepositives: - - highly likely if rar is default archiver in the monitored environment + - Highly likely if rar is a default archiver in the monitored environment. level: low tags: - attack.exfiltration # an old one 
diff --git a/rules/windows/process_creation/win_hh_chm.yml b/rules/windows/process_creation/win_hh_chm.yml index 62b856326..90bb35a1a 100644 --- a/rules/windows/process_creation/win_hh_chm.yml +++ b/rules/windows/process_creation/win_hh_chm.yml @@ -4,7 +4,7 @@ description: Identifies usage of hh.exe executing recently modified .chm files. status: experimental author: E.M. Anhaus (originally from Atomic Blue Detections, Dan Beavin), oscd.community references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1223/T1223.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.001/T1218.001.md - https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html date: 2019/10/24 modified: 2019/11/11 diff --git a/rules/windows/process_creation/win_indirect_cmd.yml b/rules/windows/process_creation/win_indirect_cmd.yml index 1fcadb91c..21fce0555 100644 --- a/rules/windows/process_creation/win_indirect_cmd.yml +++ b/rules/windows/process_creation/win_indirect_cmd.yml @@ -1,10 +1,10 @@ title: Indirect Command Execution id: fa47597e-90e9-41cd-ab72-c3b74cfb0d02 -description: Detect indirect command execution via Program Compatibility Assistant pcalua.exe or forfiles.exe +description: Detect indirect command execution via Program Compatibility Assistant (pcalua.exe or forfiles.exe). status: experimental author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.md - https://eqllib.readthedocs.io/en/latest/analytics/884a7ccd-7305-4130-82d0-d4f90bc118b6.html date: 2019/10/24 modified: 2019/11/11 
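Review bot: The rewritten description in win_indirect_cmd.yml, `Detect indirect command execution via Program Compatibility Assistant (pcalua.exe or forfiles.exe).`, is factually wrong: only pcalua.exe is the Program Compatibility Assistant, while forfiles.exe is a separate file-iteration utility that happens to accept a `/c` command. The original wording was loose but not incorrect; suggest `description: Detects indirect command execution via the Program Compatibility Assistant (pcalua.exe) or via forfiles.exe.` The detection block of this rule is outside the hunk.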
@@ -26,6 +26,6 @@ fields: - ParentCommandLine - CommandLine falsepositives: - - Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts - - Legit usage of scripts + - Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts. + - Legitimate usage of scripts. level: low diff --git a/rules/windows/process_creation/win_local_system_owner_account_discovery.yml b/rules/windows/process_creation/win_local_system_owner_account_discovery.yml index 9e3288eff..8fc72c85f 100644 --- a/rules/windows/process_creation/win_local_system_owner_account_discovery.yml +++ b/rules/windows/process_creation/win_local_system_owner_account_discovery.yml @@ -6,7 +6,7 @@ author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community date: 2019/10/21 modified: 2020/09/01 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md logsource: category: process_creation product: windows @@ -46,7 +46,7 @@ detection: - '/scriptpath' # discovery only - '/times' # discovery only - '/workstations' # discovery only - condition: (selection_1 and not filter_1) or ( selection_2 and not filter_2) + condition: (selection_1 and not filter_1) or (selection_2 and not filter_2) fields: - Image - CommandLine diff --git a/rules/windows/process_creation/win_lsass_dump.yml b/rules/windows/process_creation/win_lsass_dump.yml index 090c43bbd..a564d536d 100644 --- a/rules/windows/process_creation/win_lsass_dump.yml +++ b/rules/windows/process_creation/win_lsass_dump.yml 
@@ -8,7 +8,7 @@ modified: 2019/11/11 references: - https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html - https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.md tags: - attack.credential_access - attack.t1003.001 diff --git a/rules/windows/process_creation/win_mshta_javascript.yml b/rules/windows/process_creation/win_mshta_javascript.yml index 1b2f0a940..5f7818614 100644 --- a/rules/windows/process_creation/win_mshta_javascript.yml +++ b/rules/windows/process_creation/win_mshta_javascript.yml @@ -1,13 +1,13 @@ title: Mshta JavaScript Execution id: 67f113fa-e23d-4271-befa-30113b3e08b1 -description: Identifies suspicious mshta.exe commands +description: Identifies suspicious mshta.exe commands. status: experimental author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community date: 2019/10/24 modified: 2020/09/01 references: - https://eqllib.readthedocs.io/en/latest/analytics/6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4.html - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1170/T1170.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.005/T1218.005.md tags: - attack.defense_evasion - attack.t1170 # an old one diff --git a/rules/windows/process_creation/win_net_enum.yml b/rules/windows/process_creation/win_net_enum.yml index 7cc356863..a2b549207 100644 --- a/rules/windows/process_creation/win_net_enum.yml +++ b/rules/windows/process_creation/win_net_enum.yml 
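Review bot: In win_mshta_javascript.yml the reference now points at sub-technique T1218.005, but the last context line of the same hunk still tags the rule only with `- attack.t1170 # an old one`, so the rule's ATT&CK mapping and its own reference disagree. If no `attack.t1218.005` tag follows on the line after the hunk, add `- attack.t1218.005` above the legacy tag, matching how other rules in this repo keep the old technique alongside the new one. The hunk ends at line 13 of the file, so whether the tag is already present is not visible here.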
@@ -4,7 +4,7 @@ status: stable description: Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool. references: - https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.md author: Endgame, JHasenbusch (ported for oscd.community) date: 2018/10/30 modified: 2019/11/11 diff --git a/rules/windows/process_creation/win_network_sniffing.yml b/rules/windows/process_creation/win_network_sniffing.yml index 94abda394..b4f7ebce4 100644 --- a/rules/windows/process_creation/win_network_sniffing.yml +++ b/rules/windows/process_creation/win_network_sniffing.yml @@ -7,7 +7,7 @@ author: Timur Zinniatullin, oscd.community date: 2019/10/21 modified: 2019/11/04 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/win_powershell_audio_capture.yml b/rules/windows/process_creation/win_powershell_audio_capture.yml index a349defdf..4d5a7beba 100644 --- a/rules/windows/process_creation/win_powershell_audio_capture.yml +++ b/rules/windows/process_creation/win_powershell_audio_capture.yml 
@@ -1,12 +1,12 @@ title: Audio Capture via PowerShell id: 932fb0d8-692b-4b0f-a26e-5643a50fe7d6 -description: Detects audio capture via PowerShell Cmdlet +description: Detects audio capture via PowerShell Cmdlet. status: experimental author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community date: 2019/10/24 modified: 2019/11/11 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md - https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html tags: - attack.collection @@ -16,7 +16,7 @@ detection: CommandLine|contains: 'WindowsAudioDevice-Powershell-Cmdlet' condition: selection falsepositives: - - Legitimate audio capture by legitimate user + - Legitimate audio capture by legitimate user. level: medium logsource: category: process_creation diff --git a/rules/windows/process_creation/win_query_registry.yml b/rules/windows/process_creation/win_query_registry.yml index 5b6b48d5c..937c4dbc2 100644 --- a/rules/windows/process_creation/win_query_registry.yml +++ b/rules/windows/process_creation/win_query_registry.yml @@ -6,7 +6,7 @@ author: Timur Zinniatullin, oscd.community date: 2019/10/21 modified: 2019/11/04 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1012/T1012.md logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/win_service_execution.yml b/rules/windows/process_creation/win_service_execution.yml index f0706ff78..f83b64bdd 100644 --- a/rules/windows/process_creation/win_service_execution.yml +++ b/rules/windows/process_creation/win_service_execution.yml 
@@ -1,12 +1,12 @@ title: Service Execution id: 2a072a96-a086-49fa-bcb5-15cc5a619093 status: experimental -description: Detects manual service execution (start) via system utilities +description: Detects manual service execution (start) via system utilities. author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community date: 2019/10/21 modified: 2019/11/04 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1035/T1035.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md logsource: category: process_creation product: windows @@ -18,7 +18,7 @@ detection: CommandLine|contains: ' start ' # space character after the 'start' keyword indicates that a service name follows, in contrast to `net start` discovery expression condition: selection falsepositives: - - Legitimate administrator or user executes a service for legitimate reason + - Legitimate administrator or user executes a service for legitimate reasons. level: low tags: - attack.execution diff --git a/rules/windows/process_creation/win_soundrec_audio_capture.yml b/rules/windows/process_creation/win_soundrec_audio_capture.yml index 35358d12e..bf6f35df8 100644 --- a/rules/windows/process_creation/win_soundrec_audio_capture.yml +++ b/rules/windows/process_creation/win_soundrec_audio_capture.yml 
@@ -1,12 +1,12 @@ title: Audio Capture via SoundRecorder id: 83865853-59aa-449e-9600-74b9d89a6d6e -description: Detect attacker collecting audio via SoundRecorder application +description: Detect attacker collecting audio via SoundRecorder application. status: experimental author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community date: 2019/10/24 modified: 2019/11/11 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.md - https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html tags: - attack.collection @@ -20,5 +20,5 @@ detection: CommandLine|contains: '/FILE' condition: selection falsepositives: - - Legitimate audio capture by legitimate user + - Legitimate audio capture by legitimate user. level: medium diff --git a/rules/windows/process_creation/win_susp_fsutil_usage.yml b/rules/windows/process_creation/win_susp_fsutil_usage.yml index e725a1971..1b76d1091 100644 --- a/rules/windows/process_creation/win_susp_fsutil_usage.yml +++ b/rules/windows/process_creation/win_susp_fsutil_usage.yml 
@@ -1,13 +1,13 @@ title: Fsutil Suspicious Invocation id: add64136-62e5-48ea-807e-88638d02df1e -description: Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size..). Might be used by ransomwares during the attack (seen by NotPetya and others) +description: Detects suspicious parameters of fsutil (deleting USN journal, configuring it with small size, etc). Might be used by ransomwares during the attack (seen by NotPetya and others). author: Ecco, E.M. Anhaus, oscd.community date: 2019/09/26 modified: 2019/11/11 level: high references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-usn - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.md - https://eqllib.readthedocs.io/en/latest/analytics/c91f422a-5214-4b17-8664-c5fcf115c0a2.html tags: - attack.defense_evasion diff --git a/rules/windows/process_creation/win_susp_service_path_modification.yml b/rules/windows/process_creation/win_susp_service_path_modification.yml index e04dd5d7c..c2a766bc1 100644 --- a/rules/windows/process_creation/win_susp_service_path_modification.yml +++ b/rules/windows/process_creation/win_susp_service_path_modification.yml @@ -1,9 +1,9 @@ title: Suspicious Service Path Modification id: 138d3531-8793-4f50-a2cd-f291b2863d78 -description: Detects service path modification to powershell/cmd +description: Detects service path modification to PowerShell or cmd. status: experimental references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1031/T1031.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md tags: - attack.persistence - attack.privilege_escalation diff --git a/rules/windows/process_creation/win_xsl_script_processing.yml b/rules/windows/process_creation/win_xsl_script_processing.yml index a25ce1307..5b709c938 100644 
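Review bot: The reworded description in win_susp_fsutil_usage.yml still reads `Might be used by ransomwares during the attack (seen by NotPetya and others).`; "ransomwares" is not a plural and "seen by" inverts who observed whom. Suggest `Might be used by ransomware during an attack (seen with NotPetya and others).` The same phrase recurs in win_susp_eventlog_clear.yml later in this series and deserves the same fix.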
--- a/rules/windows/process_creation/win_xsl_script_processing.yml +++ b/rules/windows/process_creation/win_xsl_script_processing.yml @@ -1,13 +1,13 @@ title: XSL Script Processing id: 05c36dd6-79d6-4a9a-97da-3db20298ab2d status: experimental -description: Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files, rule detects when adversaries - abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses +description: Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. Rule detects when adversaries + abuse this functionality to execute arbitrary files while potentially bypassing application whitelisting defenses. author: Timur Zinniatullin, oscd.community date: 2019/10/21 modified: 2019/11/04 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1220/T1220.md logsource: category: process_creation product: windows @@ -18,8 +18,8 @@ detection: - Image|endswith: '\msxsl.exe' condition: selection falsepositives: - - WMIC.exe FP depend on scripts and administrative methods used in the monitored environment - - msxsl.exe is not installed by default so unlikely. + - WMIC.exe FP depend on scripts and administrative methods used in the monitored environment. + - msxsl.exe is not installed by default, so unlikely. level: medium tags: - attack.defense_evasion From 5eb9547d5b088d1783f1818645040123078b449d Mon Sep 17 00:00:00 2001 
From: leegengyu Date: Tue, 6 Jul 2021 17:30:57 +0800 Subject: [PATCH 30/34] Updated ART reference links from .yaml to .md and sub-technique links. --- rules/windows/process_creation/win_bootconf_mod.yml | 2 +- .../win_change_default_file_association.yml | 2 +- .../win_file_permission_modifications.yml | 9 +++++---- rules/windows/process_creation/win_interactive_at.yml | 4 ++-- .../windows/process_creation/win_susp_eventlog_clear.yml | 4 ++-- 5 files changed, 11 insertions(+), 10 deletions(-) diff --git a/rules/windows/process_creation/win_bootconf_mod.yml b/rules/windows/process_creation/win_bootconf_mod.yml index 2b54eecd1..54238917e 100644 --- a/rules/windows/process_creation/win_bootconf_mod.yml +++ b/rules/windows/process_creation/win_bootconf_mod.yml @@ -7,7 +7,7 @@ author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.comm date: 2019/10/24 modified: 2019/11/11 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md - https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html tags: - attack.impact diff --git a/rules/windows/process_creation/win_change_default_file_association.yml b/rules/windows/process_creation/win_change_default_file_association.yml index f832f07c9..06ca7b033 100644 --- a/rules/windows/process_creation/win_change_default_file_association.yml +++ b/rules/windows/process_creation/win_change_default_file_association.yml @@ -6,7 +6,7 @@ author: Timur Zinniatullin, oscd.community date: 2019/10/21 modified: 2019/11/04 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1042/T1042.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.001/T1546.001.md logsource: category: process_creation product: windows 
diff --git a/rules/windows/process_creation/win_file_permission_modifications.yml b/rules/windows/process_creation/win_file_permission_modifications.yml index 32264a065..019d5b8ad 100644 --- a/rules/windows/process_creation/win_file_permission_modifications.yml +++ b/rules/windows/process_creation/win_file_permission_modifications.yml @@ -1,15 +1,16 @@ title: File or Folder Permissions Modifications id: 37ae075c-271b-459b-8d7b-55ad5f993dd8 status: experimental -description: Detects a file or folder permissions modifications +description: Detects a file or folder's permissions being modified. references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222/T1222.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.yaml author: Jakob Weinzettl, oscd.community date: 2019/10/23 modified: 2019/11/08 tags: - attack.defense_evasion - - attack.t1222 + - attack.t1222.001 + - attack.t1222 # an old one logsource: category: process_creation product: windows @@ -28,5 +29,5 @@ fields: - User - CommandLine falsepositives: - - Users interacting with the files on their own (unlikely unless power users) + - Users interacting with the files on their own (unlikely unless privileged users). level: medium diff --git a/rules/windows/process_creation/win_interactive_at.yml b/rules/windows/process_creation/win_interactive_at.yml index 8f93d2da0..9dde4c688 100644 --- a/rules/windows/process_creation/win_interactive_at.yml +++ b/rules/windows/process_creation/win_interactive_at.yml 
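Review bot: The new reference line in win_file_permission_modifications.yml, `.../atomics/T1222.001/T1222.001.yaml`, keeps the `.yaml` extension while every other link in this commit was moved to `.md`; given that the series exists because the per-technique `.yaml` files are presumably gone from atomic-red-team's master branch, this link is likely dead on arrival. Use `- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md`. The tag addition `attack.t1222.001` next to the retained `attack.t1222 # an old one` is consistent with the rest of the repo.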
@@ -1,10 +1,10 @@ title: Interactive AT Job id: 60fc936d-2eb0-4543-8a13-911c750a1dfc -description: Detect an interactive AT job, which may be used as a form of privilege escalation +description: Detect an interactive AT job, which may be used as a form of privilege escalation. status: experimental author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053.002/T1053.002.md - https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html date: 2019/10/24 modified: 2019/11/11 diff --git a/rules/windows/process_creation/win_susp_eventlog_clear.yml b/rules/windows/process_creation/win_susp_eventlog_clear.yml index 70eb2a638..7046f941a 100644 --- a/rules/windows/process_creation/win_susp_eventlog_clear.yml +++ b/rules/windows/process_creation/win_susp_eventlog_clear.yml @@ -1,9 +1,9 @@ title: Suspicious Eventlog Clear or Configuration Using Wevtutil id: cc36992a-4671-4f21-a91d-6c2b72a2edf5 -description: Detects clearing or configuration of eventlogs uwing wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others) +description: Detects clearing or configuration of eventlogs using wevtutil, powershell and wmic. Might be used by ransomwares during the attack (seen by NotPetya and others). author: Ecco, Daniil Yugoslavskiy, oscd.community references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070/T1070.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.001/T1070.001.md - https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html date: 2019/09/26 modified: 2019/11/11 From 69d5d9734d5f51288bb11450f0ed5352c960aea0 Mon Sep 17 00:00:00 2001 
From: leegengyu Date: Tue, 6 Jul 2021 17:39:25 +0800 Subject: [PATCH 31/34] Updated ART reference links from .yaml --- rules/linux/lnx_chattr_immutable_removal.yml | 8 ++++---- rules/linux/lnx_dd_delete_file.yml | 10 +++++----- rules/linux/lnx_file_or_folder_permissions.yml | 8 ++++---- rules/linux/lnx_pers_systemd_reload.yml | 10 +++++----- rules/linux/lnx_shell_clear_cmd_history.yml | 2 +- .../win_dsquery_domain_trust_discovery.yml | 6 +++--- rules/windows/process_creation/win_net_user_add.yml | 10 +++++----- .../process_creation/win_new_service_creation.yml | 6 +++--- .../win_susp_direct_asep_reg_keys_modification.yml | 6 +++--- 9 files changed, 33 insertions(+), 33 deletions(-) diff --git a/rules/linux/lnx_chattr_immutable_removal.yml b/rules/linux/lnx_chattr_immutable_removal.yml index 0c3868332..687e46dc7 100644 --- a/rules/linux/lnx_chattr_immutable_removal.yml +++ b/rules/linux/lnx_chattr_immutable_removal.yml @@ -1,11 +1,11 @@ title: Remove Immutable File Attribute id: a5b977d6-8a81-4475-91b9-49dbfcd941f7 status: experimental -description: Detects removing immutable file attribute +description: Detects removing immutable file attribute. author: Jakob Weinzettl, oscd.community date: 2019/09/23 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md logsource: product: linux service: auditd @@ -16,8 +16,8 @@ detection: a1|contains: '-i' condition: selection falsepositives: - - Administrator interacting with immutable files (for instance backups) + - Administrator interacting with immutable files (e.g. for instance backups). level: medium tags: - attack.defense_evasion - - attack.t1222.002 \ No newline at end of file + - attack.t1222.002 diff --git a/rules/linux/lnx_dd_delete_file.yml b/rules/linux/lnx_dd_delete_file.yml index c5a1ed98d..2ef02aebc 100644 --- a/rules/linux/lnx_dd_delete_file.yml 
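Review bot: The new falsepositives entry in lnx_chattr_immutable_removal.yml, `(e.g. for instance backups)`, doubles up "e.g." and "for instance"; `- Administrator interacting with immutable files (e.g. backups).` says the same thing. Separately, the unchanged context line `a1|contains: '-i'` inspects only the first argument, and auditd records each argv element in its own `a0`..`a3` field, so `chattr -R -i /path` (flag in `a2`) would presumably slip past this rule; consider a second selection with `a2|contains: '-i'` OR'ed into `condition: selection`. The selection's `a0` line sits just above the visible hunk text.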
+++ b/rules/linux/lnx_dd_delete_file.yml @@ -1,11 +1,11 @@ title: Overwriting the File with Dev Zero or Null id: 37222991-11e9-4b6d-8bdf-60fbe48f753e status: stable -description: Detects overwriting (effectively wiping/deleting) the file +description: Detects overwriting (effectively wiping/deleting) of a file. author: Jakob Weinzettl, oscd.community date: 2019/10/23 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1485/T1485.md logsource: product: linux service: auditd @@ -18,10 +18,10 @@ detection: - 'if=/dev/zero' condition: selection falsepositives: - - Appending null bytes to files - - Legitimate overwrite of files + - Appending null bytes to files. + - Legitimate overwrite of files. level: low tags: - attack.impact - - attack.t1485 \ No newline at end of file + - attack.t1485 diff --git a/rules/linux/lnx_file_or_folder_permissions.yml b/rules/linux/lnx_file_or_folder_permissions.yml index 0e806a84c..07818316f 100644 --- a/rules/linux/lnx_file_or_folder_permissions.yml +++ b/rules/linux/lnx_file_or_folder_permissions.yml @@ -1,11 +1,11 @@ title: File or Folder Permissions Change id: 74c01ace-0152-4094-8ae2-6fd776dd43e5 status: experimental -description: Detects file and folder permission changes +description: Detects file and folder permission changes. author: Jakob Weinzettl, oscd.community date: 2019/09/23 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.002/T1222.002.md logsource: product: linux service: auditd 
@@ -17,8 +17,8 @@ detection:
 - 'chown'
 condition: selection
 falsepositives:
- - User interacting with files permissions (normal/daily behaviour)
+ - User interacting with files permissions (normal/daily behaviour).
 level: low
 tags:
 - attack.defense_evasion
- - attack.t1222.002
\ No newline at end of file
+ - attack.t1222.002
diff --git a/rules/linux/lnx_pers_systemd_reload.yml b/rules/linux/lnx_pers_systemd_reload.yml
index 69881a029..3050725a2 100644
--- a/rules/linux/lnx_pers_systemd_reload.yml
+++ b/rules/linux/lnx_pers_systemd_reload.yml
@@ -1,12 +1,12 @@
 title: Systemd Service Reload or Start
 id: 2625cc59-0634-40d0-821e-cb67382a3dd7
 status: experimental
-description: Detects a reload or a start of a service
+description: Detects a reload or a start of a service.
 author: Jakob Weinzettl, oscd.community
 date: 2019/09/23
 references:
 - https://attack.mitre.org/techniques/T1543/002/
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.yaml
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.002/T1543.002.md
 logsource:
 product: linux
 service: auditd
@@ -19,9 +19,9 @@ detection:
 - 'start'
 condition: selection
 falsepositives:
- - Installation of legitimate service
- - Legitimate reconfiguration of service
+ - Installation of legitimate service.
+ - Legitimate reconfiguration of service.
 level: low
 tags:
 - attack.persistence
- - attack.t1543.002
\ No newline at end of file
+ - attack.t1543.002
diff --git a/rules/linux/lnx_shell_clear_cmd_history.yml b/rules/linux/lnx_shell_clear_cmd_history.yml
index 0249d6134..b8679b8e4 100644
--- a/rules/linux/lnx_shell_clear_cmd_history.yml
+++ b/rules/linux/lnx_shell_clear_cmd_history.yml
@@ -13,7 +13,7 @@ author: Patrick Bareiss
 date: 2019/03/24
 modified: 2020/07/13
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.yaml
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1070.003/T1070.003.md
 - https://attack.mitre.org/techniques/T1070/003/
 - https://www.hackers-arise.com/single-post/2016/06/20/Covering-your-BASH-Shell-Tracks-AntiForensics
 logsource:
diff --git a/rules/windows/process_creation/win_dsquery_domain_trust_discovery.yml b/rules/windows/process_creation/win_dsquery_domain_trust_discovery.yml
index a59cb6d6a..c171175c8 100644
--- a/rules/windows/process_creation/win_dsquery_domain_trust_discovery.yml
+++ b/rules/windows/process_creation/win_dsquery_domain_trust_discovery.yml
@@ -1,9 +1,9 @@
 title: Domain Trust Discovery
 id: 77815820-246c-47b8-9741-e0def3f57308
 status: experimental
-description: Detects a discovery of domain trusts
+description: Detects a discovery of domain trusts.
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.yaml
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md
 author: Jakob Weinzettl, oscd.community
 date: 2019/10/23
 modified: 2019/11/08
@@ -23,5 +23,5 @@ detection:
 CommandLine|contains: 'domain_trusts'
 condition: selection
 falsepositives:
- - Administration of systems
+ - Administration of systems.
 level: medium
diff --git a/rules/windows/process_creation/win_net_user_add.yml b/rules/windows/process_creation/win_net_user_add.yml
index 4b06ac1a9..66e14aefd 100644
--- a/rules/windows/process_creation/win_net_user_add.yml
+++ b/rules/windows/process_creation/win_net_user_add.yml
@@ -1,11 +1,11 @@
 title: Net.exe User Account Creation
 id: cd219ff3-fa99-45d4-8380-a7d15116c6dc
 status: experimental
-description: Identifies creation of local users via the net.exe command
+description: Identifies creation of local users via the net.exe command.
 references:
 - https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.yaml
-author: Endgame, JHasenbusch (adapted to sigma for oscd.community)
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136.001/T1136.001.md
+author: Endgame, JHasenbusch (adapted to Sigma for oscd.community)
 date: 2018/10/30
 modified: 2020/09/01
 tags:
@@ -29,6 +29,6 @@ fields:
 - User
 - CommandLine
 falsepositives:
- - Legit user creation
- - Better use event ids for user creation rather than command line rules
+ - Legitimate user creation.
+ - Better use event IDs for user creation rather than command line rules.
 level: medium
diff --git a/rules/windows/process_creation/win_new_service_creation.yml b/rules/windows/process_creation/win_new_service_creation.yml
index 36bada36d..aeb35f836 100644
--- a/rules/windows/process_creation/win_new_service_creation.yml
+++ b/rules/windows/process_creation/win_new_service_creation.yml
@@ -1,7 +1,7 @@
 title: New Service Creation
 id: 7fe71fc9-de3b-432a-8d57-8c809efc10ab
 status: experimental
-description: Detects creation of a new service
+description: Detects creation of a new service.
 author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
 date: 2019/10/21
 modified: 2019/11/04
@@ -11,7 +11,7 @@ tags:
 - attack.t1050 # an old one
 - attack.t1543.003
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1050/T1050.yaml
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1543.003/T1543.003.md
 logsource:
 category: process_creation
 product: windows
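Review bot: The reference in the first hunk moves from T1136 to the sub-technique T1136.001, which is a re-mapping of the technique rather than the extension swap the subject describes; the rule's `tags:` list starts on the hunk's last line and its entries are outside the hunk, so confirm it carries `attack.t1136.001` (not only `attack.t1136`) so the reference and the ATT&CK tag agree. The same kind of re-mapping happens in the win_new_service_creation hunk (T1050 → T1543.003, where the visible tags already include `attack.t1543.003`) and in the win_susp_direct_asep_reg_keys_modification hunk (T1060 → T1547.001, tags show `attack.t1547.001`).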
@@ -25,5 +25,5 @@ detection:
 CommandLine|contains: 'new-service'
 condition: selection
 falsepositives:
- - Legitimate administrator or user creates a service for legitimate reason
+ - Legitimate administrator or user creates a service for legitimate reasons.
 level: low
diff --git a/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml b/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml
index 810f8be98..16aa181f8 100644
--- a/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml
+++ b/rules/windows/process_creation/win_susp_direct_asep_reg_keys_modification.yml
@@ -3,7 +3,7 @@ id: 24357373-078f-44ed-9ac4-6d334a668a11
 description: Detects direct modification of autostart extensibility point (ASEP) in registry using reg.exe.
 status: experimental
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md
 tags:
 - attack.persistence
 - attack.t1547.001
@@ -35,6 +35,6 @@ fields:
 - CommandLine
 - ParentCommandLine
 falsepositives:
- - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reason
- - Legitimate administrator sets up autorun keys for legitimate reason
+ - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons.
+ - Legitimate administrator sets up autorun keys for legitimate reasons.
 level: medium
From 3791ab4b129df3b2b483eabac99c90f7dd6e0b30 Mon Sep 17 00:00:00 2001
From: leegengyu
Date: Tue, 6 Jul 2021 17:43:20 +0800
Subject: [PATCH 32/34] Updated ART reference links from .yaml to .md
---
rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml | 4 ++--
rules/linux/auditd/lnx_auditd_masquerading_crond.yml | 2 +-
rules/linux/auditd/lnx_auditd_user_discovery.yml | 2 +-
rules/linux/auditd/lnx_data_compressed.yml | 8 ++++----
rules/linux/auditd/lnx_network_sniffing.yml | 4 ++--
5 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml b/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml
index 2e9e33da2..868ff4c6b 100644
--- a/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml
+++ b/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml
@@ -6,7 +6,7 @@ author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd
 date: 2019/10/24
 modified: 2019/11/11
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.yaml
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.006/T1574.006.md
 - https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html
 logsource:
 product: linux
@@ -21,4 +21,4 @@ falsepositives:
 level: high
 tags:
 - attack.defense_evasion
- - attack.t1574.006
\ No newline at end of file
+ - attack.t1574.006
diff --git a/rules/linux/auditd/lnx_auditd_masquerading_crond.yml b/rules/linux/auditd/lnx_auditd_masquerading_crond.yml
index c76769bc9..abb7ac2c5 100644
--- a/rules/linux/auditd/lnx_auditd_masquerading_crond.yml
+++ b/rules/linux/auditd/lnx_auditd_masquerading_crond.yml
@@ -6,7 +6,7 @@ description: Masquerading occurs when the name or location of an executable, leg
 author: Timur Zinniatullin, oscd.community
 date: 2019/10/21
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.yaml
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.003/T1036.003.md
 logsource:
 product: linux
 service: auditd
diff --git a/rules/linux/auditd/lnx_auditd_user_discovery.yml b/rules/linux/auditd/lnx_auditd_user_discovery.yml
index 67c8e7804..286fc3036 100644
--- a/rules/linux/auditd/lnx_auditd_user_discovery.yml
+++ b/rules/linux/auditd/lnx_auditd_user_discovery.yml
@@ -6,7 +6,7 @@ description: Adversaries may use the information from System Owner/User Discover
 author: Timur Zinniatullin, oscd.community
 date: 2019/10/21
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.yaml
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md
 logsource:
 product: linux
 service: auditd
diff --git a/rules/linux/auditd/lnx_data_compressed.yml b/rules/linux/auditd/lnx_data_compressed.yml
index 5987f9335..127323a10 100644
--- a/rules/linux/auditd/lnx_data_compressed.yml
+++ b/rules/linux/auditd/lnx_data_compressed.yml
@@ -1,12 +1,12 @@
 title: Data Compressed
 id: a3b5e3e9-1b49-4119-8b8e-0344a01f21ee
 status: experimental
-description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network
+description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
 author: Timur Zinniatullin, oscd.community
 date: 2019/10/21
 modified: 2019/11/04
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.yaml
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1560.001/T1560.001.md
 logsource:
 product: linux
 service: auditd
@@ -24,8 +24,8 @@ detection:
 a1|contains: '-c'
 condition: 1 of them
 falsepositives:
- - Legitimate use of archiving tools by legitimate user
+ - Legitimate use of archiving tools by legitimate user.
 level: low
 tags:
 - attack.exfiltration
- - attack.t1560.001
\ No newline at end of file
+ - attack.t1560.001
diff --git a/rules/linux/auditd/lnx_network_sniffing.yml b/rules/linux/auditd/lnx_network_sniffing.yml
index b4d629211..9f2078370 100644
--- a/rules/linux/auditd/lnx_network_sniffing.yml
+++ b/rules/linux/auditd/lnx_network_sniffing.yml
@@ -7,7 +7,7 @@ author: Timur Zinniatullin, oscd.community
 date: 2019/10/21
 modified: 2019/11/04
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.yaml
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1040/T1040.md
 logsource:
 product: linux
 service: auditd
@@ -24,7 +24,7 @@ detection:
 a3: '-i'
 condition: selection1 or selection2
 falsepositives:
- - Legitimate administrator or user uses network sniffing tool for legitimate reason
+ - Legitimate administrator or user uses network sniffing tool for legitimate reasons.
 level: low
 tags:
 - attack.credential_access
From 1f19f79da9e2d0fab4122a7dcffb5121158fad2b Mon Sep 17 00:00:00 2001
From: leegengyu
Date: Tue, 6 Jul 2021 17:56:38 +0800
Subject: [PATCH 33/34] Convert ART reference links from .yaml to .md
---
.../process_creation/win_file_permission_modifications.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_file_permission_modifications.yml b/rules/windows/process_creation/win_file_permission_modifications.yml
index 019d5b8ad..345cb8d01 100644
--- a/rules/windows/process_creation/win_file_permission_modifications.yml
+++ b/rules/windows/process_creation/win_file_permission_modifications.yml
@@ -3,7 +3,7 @@ id: 37ae075c-271b-459b-8d7b-55ad5f993dd8
 status: experimental
 description: Detects a file or folder's permissions being modified.
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.yaml
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md
 author: Jakob Weinzettl, oscd.community
 date: 2019/10/23
 modified: 2019/11/08
From 12fb71b83b2f564376df978ec200240438c14ac3 Mon Sep 17 00:00:00 2001
From: frack113
Date: Tue, 6 Jul 2021 12:53:38 +0200
Subject: [PATCH 34/34] fix invalid field name
---
...in_susp_failed_logons_single_source_kerberos.yml | 13 +++++++------
...n_susp_failed_logons_single_source_kerberos2.yml | 13 +++++++------
...n_susp_failed_logons_single_source_kerberos3.yml | 13 +++++++------
3 files changed, 21 insertions(+), 18 deletions(-)
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml
index 17114308a..5f7fb4bc1 100644
--- a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos.yml
@@ -1,8 +1,9 @@
 title: Valid Users Failing to Authenticate From Single Source Using Kerberos
 id: 5d1d946e-32e6-4d9a-a0dc-0ac022c7eb98
 description: Detects multiple failed logins with multiple valid domain accounts from a single source system using the Kerberos protocol.
-author: Mauricio Velazco
+author: Mauricio Velazco, frack113
 date: 2021/06/01
+modified: 2021/07/06
 references:
 - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
 tags:
@@ -14,13 +15,13 @@ logsource:
 service: security
 detection:
 selection:
- EventID: '4771'
- Failure_Code: '0x18'
- filter:
- Account_Name: '*$'
+ EventID: 4771
+ Status: '0x18'
+ filter_computer:
+ TargetUserName|endswith: '$'
 timeframe: 24h
 condition:
- - selection and not filter | count(Account_Name) by Client_Address > 10
+ - selection and not filter_computer | count(TargetUserName) by IpAddress > 10
 falsepositives:
 - Vulnerability scanners
 - Missconfigured systems
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos2.yml b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos2.yml
index 7da50919a..480663d1c 100644
--- a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos2.yml
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos2.yml
@@ -1,8 +1,9 @@
 title: Disabled Users Failing To Authenticate From Source Using Kerberos
 id: 4b6fe998-b69c-46d8-901b-13677c9fb663
 description: Detects failed logins with multiple disabled domain accounts from a single source system using the Kerberos protocol.
-author: Mauricio Velazco
+author: Mauricio Velazco, frack113
 date: 2021/06/01
+modified: 2021/07/06
 references:
 - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
 tags:
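Review bot: `Status: '0x18'` in the selection hunk is now a bare Kerberos result code with nothing in the rule saying what it selects, and the same holds for `Status: '0x12'` in the kerberos2 hunk and `Status: '0x6'` in the kerberos3 hunk; because `Status` is the field name shared by events 4768 and 4771, the value only has meaning together with the `EventID` line directly above it. A trailing comment pins that down for the next editor, e.g. `Status: '0x18'  # KDC_ERR_PREAUTH_FAILED: wrong password for an existing account`, with `KDC_ERR_CLIENT_REVOKED` and `KDC_ERR_C_PRINCIPAL_UNKNOWN` for the other two rules. The `count(TargetUserName) by IpAddress > 10` aggregation reads as "more than ten distinct accounts per source", which is what the title and description promise, but that depends on the target backend translating `count(field)` as a distinct count rather than an event count, so it is worth confirming for the converters this rule is expected to run through. The `level` key and anything after `falsepositives` are outside the hunk.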
@@ -14,13 +15,13 @@ logsource:
 service: security
 detection:
 selection:
- EventID: '4768'
- Result_Code: '0x12'
- filter:
- Account_Name: '*$'
+ EventID: 4768
+ Status: '0x12'
+ filter_computer:
+ TargetUserName|endswith: '$'
 timeframe: 24h
 condition:
- - selection and not filter | count(Account_Name) by Client_Address > 10
+ - selection and not filter_computer | count(TargetUserName) by IpAddress > 10
 falsepositives:
 - Vulnerability scanners
 - Missconfigured systems
diff --git a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos3.yml b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos3.yml
index 514ec94fd..8bc4d8b84 100644
--- a/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos3.yml
+++ b/rules/windows/builtin/win_susp_failed_logons_single_source_kerberos3.yml
@@ -1,8 +1,9 @@
 title: Invalid Users Failing To Authenticate From Source Using Kerberos
 id: bc93dfe6-8242-411e-a2dd-d16fa0cc8564
 description: Detects failed logins with multiple invalid domain accounts from a single source system using the Kerberos protocol.
-author: Mauricio Velazco
+author: Mauricio Velazco, frack113
 date: 2021/06/01
+modified: 2021/07/06
 references:
 - https://docs.splunk.com/Documentation/ESSOC/3.22.0/stories/UseCase#Active_directory_password_spraying
 tags:
@@ -14,13 +15,13 @@ logsource:
 service: security
 detection:
 selection:
- EventID: '4768'
- Result_Code: '0x6'
- filter:
- Account_Name: '*$'
+ EventID: 4768
+ Status: '0x6'
+ filter_computer:
+ TargetUserName|endswith: '$'
 timeframe: 24h
 condition:
- - selection and not filter | count(Account_Name) by Client_Address > 10
+ - selection and not filter_computer | count(TargetUserName) by IpAddress > 10
 falsepositives:
 - Vulnerability scanners
 - Missconfigured systems