fix: apply suggestions from code review

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
This commit is contained in:
Nasreddine Bencherchali
2023-02-16 11:05:38 +01:00
committed by GitHub
parent 7ec76db26c
commit 362f4e4e60
13 changed files with 13 additions and 13 deletions
@@ -1,7 +1,7 @@
title: PUA - WebBrowserPassView Execution
id: d0dae994-26c6-4d2d-83b5-b3c8b79ae513
status: experimental
description: Detect execution of WebBrowserPassView.exe. A password recovery tool that reveals the passwords stored by the following Web browsers, Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, Safari, and Opera
description: Detects the execution of WebBrowserPassView.exe. A password recovery tool that reveals the passwords stored by the following Web browsers: Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, Safari and Opera
references:
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1555.003/T1555.003.md
author: frack113
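Review bot: the revised description still reads as a sentence fragment after the first period ("A password recovery tool that reveals ..."); suggest folding it into one sentence, e.g. `description: Detects the execution of WebBrowserPassView.exe, a password recovery tool that reveals the passwords stored by the following web browsers: Internet Explorer (Version 4.0 - 11.0), Mozilla Firefox (All Versions), Google Chrome, Safari and Opera`.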
@@ -1,7 +1,7 @@
title: New ActiveScriptEventConsumer Created Via Wmic.EXE
id: ebef4391-1a81-4761-a40a-1db446c0e625
status: test
description: Detects WMIC executions in which a event consumer gets created. This could be used to establish persistence
description: Detects WMIC executions in which an event consumer gets created. This could be used to establish persistence
references:
- https://twitter.com/johnlatwc/status/1408062131321270282?s=12
- https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf
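Review bot: the second sentence of the new description ("This could be used to establish persistence") has no terminal period, unlike most other descriptions touched in this commit; suggest adding it for consistency.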
@@ -4,7 +4,7 @@ related:
- id: 3c89a1e8-0fba-449e-8f1b-8409d6267ec8 # For suspicious process creation
type: derived
status: test
description: Detects new process creation using WMIC via the "process call creat" flags
description: Detects new process creation using WMIC via the "process call create" flag
references:
- https://www.sans.org/blog/wmic-for-incident-response/
author: Michael Haag, Florian Roth (Nextron Systems), juju4, oscd.community
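Review bot: "process call create" is a WMIC alias/verb chain rather than a flag, so "flag" is slightly misleading even in the singular; since the wording is being touched anyway, "via the "process call create" command" would be more accurate.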
@@ -1,7 +1,7 @@
title: Computer System Reconnaissance Via Wmic.EXE
id: 9d7ca793-f6bd-471c-8d0f-11e68b2f0d2f
status: experimental
description: Detects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model...etc.
description: Detects execution of wmic utility with the "computersystem" flag in order to obtain information about the machine such as the domain, username, model, etc.
references:
- https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
author: Nasreddine Bencherchali (Nextron Systems)
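Review bot: "Detects execution of wmic utility" is missing articles; suggest "Detects the execution of the wmic utility with the "computersystem" flag ..." to match the phrasing used in the other descriptions in this commit.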
@@ -1,7 +1,7 @@
title: Hardware Model Reconnaissance Via Wmic.EXE
id: 3e3ceccd-6c06-48b8-b5ff-ab1d25db8c1d
status: experimental
description: Detects execution of WMIC with the "csproduct" which is used to obtain information such as hardware models and vendor information
description: Detects the execution of WMIC with the "csproduct" which is used to obtain information such as hardware models and vendor information
references:
- https://jonconwayuk.wordpress.com/2014/01/31/wmic-csproduct-using-wmi-to-identify-make-and-model-of-hardware/
- https://www.uptycs.com/blog/kuraystealer-a-bandit-using-discord-webhooks
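Review bot: the new description still has no noun after "csproduct" ("with the "csproduct" which is used"); the sibling rules in this commit say "flag", so suggest `with the "csproduct" flag, which is used to obtain information such as hardware models and vendor information`.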
@@ -1,7 +1,7 @@
title: Windows Hotfix Updates Reconnaissance Via Wmic.EXE
id: dfd2fcb7-8bd5-4daa-b132-5adb61d6ad45
status: experimental
description: Detects the execution of wmic with the "qfe" flag in order to obtain information about installed hotfixe updates on the system. This is often used by pentesters and attackers enumeration scripts
description: Detects the execution of wmic with the "qfe" flag in order to obtain information about installed hotfix updates on the system. This is often used by pentester and attacker enumeration scripts
references:
- https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat
- https://sushant747.gitbooks.io/total-oscp-guide/content/privilege_escalation_windows.html
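Review bot: the last sentence ("This is often used by pentester and attacker enumeration scripts") has no terminal period; suggest adding it so the description matches the others in this commit.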
@@ -1,7 +1,7 @@
title: Process Reconnaissance Via Wmic.EXE
id: 221b251a-357a-49a9-920a-271802777cc0
status: experimental
description: Detects the execution of "wmic" with the "process" flag. Whihc adversary might use to list Processes running on the compromised host or list installed Software hotfix and patches.
description: Detects the execution of "wmic" with the "process" flag, which adversary might use to list processes running on the compromised host or list installed software hotfixes and patches.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1047/T1047.md
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
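Review bot: "which adversary might use" is missing an article; suggest "which an adversary might use". Also, the clause "or list installed software hotfixes and patches" describes the "qfe" alias, which has its own rule in this same commit (Windows Hotfix Updates Reconnaissance Via Wmic.EXE), not the "process" flag; consider dropping it from this description.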
@@ -1,7 +1,7 @@
title: Potential Product Reconnaissance Via Wmic.EXE
id: e568650b-5dcd-4658-8f34-ded0b1e13992
status: experimental
description: Detects execution of WMIC in order to get list of firewal executing suspicious or recon commands
description: Detects the execution of WMIC in order to get a list of firewall and antivirus products
references:
- https://github.com/albertzsigovits/malware-notes/blob/c820c7fea76cf76a861b28ebc77e06100e20ec29/Ransomware/Maze.md
- https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1
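Review bot: this rewrite changes what the description claims rather than only its grammar (the old text spoke of recon commands, the new one names firewall and antivirus products); the hunk does not show the rule's detection block, so please confirm the selection actually targets those product queries before merging, and add a terminal period.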
@@ -5,7 +5,7 @@ related:
type: similar
status: experimental
description: |
An adversary might use WMI to check if a certain Remote Service is running on a remote device.
An adversary might use WMI to check if a certain remote service is running on a remote device.
When the test completes, a service information will be displayed on the screen if it exists.
A common feedback message is that "No instance(s) Available" if the service queried is not running.
A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreachable
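Review bot: only the first line of this multi-line description was touched, but the following lines have the same kind of issues: "a service information will be displayed" (drop "a"), "A common feedback message is that "No instance(s) Available"" (drop "that"), the stray space in "Description =The RPC server", and the missing period at the end of the last line.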
@@ -6,7 +6,7 @@ related:
- id: 76f55eaa-d27f-4213-9d45-7b0e4b60bbae
type: similar
status: experimental
description: Detects known wmi recon method to look for unquoted service paths using wmic. Often used by pentesters and attackers enumeration scripts
description: Detects known WMI recon method to look for unquoted service paths using wmic. Often used by pentester and attacker enumeration scripts
references:
- https://github.com/nccgroup/redsnarf/blob/35949b30106ae543dc6f2bc3f1be10c6d9a8d40e/redsnarf.py
- https://github.com/S3cur3Th1sSh1t/Creds/blob/eac23d67f7f90c7fc8e3130587d86158c22aa398/PowershellScripts/jaws-enum.ps1
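Review bot: "Detects known WMI recon method" is missing an article ("Detects a known WMI recon method"), and the final sentence ("Often used by pentester and attacker enumeration scripts") lacks a terminal period.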
@@ -6,7 +6,7 @@ related:
- id: 09af397b-c5eb-4811-b2bb-08b3de464ebf
type: obsoletes
status: experimental
description: Detects execution of WMIC to query information on a remote system
description: Detects the execution of WMIC to query information on a remote system
references:
- https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/
- https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
@@ -4,7 +4,7 @@ related:
- id: 526be59f-a573-4eea-b5f7-f0973207634d # Generic
type: derived
status: test
description: Detects WMIC executing "process call create" with suspicious calls to processes such as "rundll32", "regsrv32"...etc
description: Detects WMIC executing "process call create" with suspicious calls to processes such as "rundll32", "regsrv32", etc.
references:
- https://thedfirreport.com/2020/10/08/ryuks-return/
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
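Review bot: "regsrv32" is misspelled in both the old and the new description; the Windows binary is regsvr32 (regsvr32.exe). Suggest `... with suspicious calls to processes such as "rundll32", "regsvr32", etc.`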
@@ -1,7 +1,7 @@
title: Windows Binary Executed From WSL
id: ed825c86-c009-4014-b413-b76003e33d35
status: experimental
description: Detects execution of windows binaries from wihthin a WSL instance. This could be used to avoid parent/child relationship detections or similar
description: Detects the execution of Windows binaries from within a WSL instance. This could be used to masquerade parent-child relationships
references:
- Internal Research
author: Nasreddine Bencherchali (Nextron Systems)
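Review bot: "masquerade parent-child relationships" reads awkwardly (masquerade takes "as", not a direct object), and the old wording, "avoid parent/child relationship detections", stated the intended point more clearly. Suggest `This could be used to evade detections based on parent-child process relationships.` and add the terminal period.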