security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge PR #4631 from @nasbench - add rules related to CISA aa23-347a advisory and other updates

Browse Source 
new: DLL Names Used By SVR For GraphicalProton Backdoor
new: Enable LM Hash Storage
new: Enable LM Hash Storage - ProcCreation
new: Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor
new: Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler
update: Compress-Archive Cmdlet Execution - Reudced Level to low and moved to Threat Hunting folder.
update: Disabled Volume Snapshots - Update logic by removing the reg string to also account for potential renamed executions
update: Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet - Update logic to be more specific
update: Potential Recon Activity Via Nltest.EXE - Add dnsgetdc coverage and enhance logic by removing /
update: Potential System DLL Sideloading From Non System Locations - Enhance logic by removing hardcoded C: value to account for other potential system locations
update: RestrictedAdminMode Registry Value Tampering - ProcCreation - Update logic the logic to not care about the data. As this registry value has use cases either be it "0" or "1"
update: RestrictedAdminMode Registry Value Tampering - Update logic the logic to not care about the data. As this registry value has use cases either be it "0" or "1"
update: Write Protect For Storage Disabled - Update logic by removing the reg string to also account for potential renamed executions
update: Zip A Folder With PowerShell For Staging In Temp - PowerShell Module - Update logic to be more specific
update: Zip A Folder With PowerShell For Staging In Temp - PowerShell - Update logic to be more specific
update: Zip A Folder With PowerShell For Staging In Temp - PowerShell Script - Update logic to be more specific

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
This commit is contained in:
Nasreddine Bencherchali
2023-12-18 16:46:46 +01:00
committed by GitHub
parent d652a9e8fb
commit 412edd1e1a
18 changed files with 312 additions and 105 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules-emerging-threats/2023/TA/Cozy-Bear/image_load_apt_cozy_bear_graphical_proton_dlls.yml
+33
View File
@@ -0,0 +1,33 @@
title: DLL Names Used By SVR For GraphicalProton Backdoor
id: e64c8ef3-9f98-40c8-b71e-96110991cb4c
status: experimental
description: Hunts known SVR-specific DLL names.
references:
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
author: CISA
date: 2023/12/18
logsource:
category: image_load
product: windows
detection:
selection:
ImageLoaded|endswith:
- '\AclNumsInvertHost.dll'
- '\AddressResourcesSpec.dll'
- '\BlendMonitorStringBuild.dll'
- '\ChildPaletteConnected.dll'
- '\DeregisterSeekUsers.dll'
- '\HandleFrequencyAll.dll'
- '\HardSwapColor.dll'
- '\LengthInMemoryActivate.dll'
- '\ModeBitmapNumericAnimate.dll'
- '\ModeFolderSignMove.dll'
- '\ParametersNamesPopup.dll'
- '\PerformanceCaptionApi.dll'
- '\ScrollbarHandleGet.dll'
- '\UnregisterAncestorAppendAuto.dll'
- '\WowIcmpRemoveReg.dll'
condition: selection
falsepositives:
- Unknown
level: medium
rules-emerging-threats/2023/TA/Cozy-Bear/win_security_apt_cozy_bear_scheduled_tasks_name.yml
+47
View File
@@ -0,0 +1,47 @@
title: Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor
id: 8fa65166-f463-4fd2-ad4f-1436133c52e1
related:
- id: 2bfc1373-0220-4fbd-8b10-33ddafd2a142
type: similar
status: experimental
description: Hunts for known SVR-specific scheduled task names
author: CISA
references:
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
date: 2023/12/18
tags:
- attack.persistence
logsource:
service: security
product: windows
detection:
selection:
EventID:
- 4698
- 4699
- 4702
TaskName:
- '\defender'
- '\Microsoft\DefenderService'
- '\Microsoft\Windows\Application Experience\StartupAppTaskCheck'
- '\Microsoft\Windows\Application Experience\StartupAppTaskCkeck'
- '\Microsoft\Windows\ATPUpd'
- '\Microsoft\Windows\Data Integrity Scan\Data Integrity Update'
- '\Microsoft\Windows\DefenderUPDService'
- '\Microsoft\Windows\IISUpdateService'
- '\Microsoft\Windows\Speech\SpeechModelInstallTask'
- '\Microsoft\Windows\WiMSDFS'
- '\Microsoft\Windows\Windows Defender\Defender Update Service'
- '\Microsoft\Windows\Windows Defender\Service Update'
- '\Microsoft\Windows\Windows Error Reporting\CheckReporting'
- '\Microsoft\Windows\Windows Error Reporting\SubmitReporting'
- '\Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStart'
- '\Microsoft\Windows\WindowsDefenderService'
- '\Microsoft\Windows\WindowsDefenderService2'
- '\Microsoft\Windows\WindowsUpdate\Scheduled AutoCheck'
- '\Microsoft\Windows\WindowsUpdate\Scheduled Check'
- '\WindowUpdate'
condition: selection
falsepositives:
- Unknown
level: high
rules-emerging-threats/2023/TA/Cozy-Bear/win_taskscheduler_apt_cozy_bear_graphical_proton_task_names.yml
+48
View File
@@ -0,0 +1,48 @@
title: Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler
id: 2bfc1373-0220-4fbd-8b10-33ddafd2a142
related:
- id: 8fa65166-f463-4fd2-ad4f-1436133c52e1 # Security-Audting Eventlog
type: similar
status: experimental
description: Hunts for known SVR-specific scheduled task names
author: CISA
references:
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
date: 2023/12/18
tags:
- attack.persistence
logsource:
product: windows
service: taskscheduler
definition: 'Requirements: The "Microsoft-Windows-TaskScheduler/Operational" is disabled by default and needs to be enabled in order for this detection to trigger'
detection:
selection:
EventID:
- 129 # Task Created
- 140 # Task Updated
- 141 # Task Deleted
TaskName:
- '\defender'
- '\Microsoft\DefenderService'
- '\Microsoft\Windows\Application Experience\StartupAppTaskCheck'
- '\Microsoft\Windows\Application Experience\StartupAppTaskCkeck'
- '\Microsoft\Windows\ATPUpd'
- '\Microsoft\Windows\Data Integrity Scan\Data Integrity Update'
- '\Microsoft\Windows\DefenderUPDService'
- '\Microsoft\Windows\IISUpdateService'
- '\Microsoft\Windows\Speech\SpeechModelInstallTask'
- '\Microsoft\Windows\WiMSDFS'
- '\Microsoft\Windows\Windows Defender\Defender Update Service'
- '\Microsoft\Windows\Windows Defender\Service Update'
- '\Microsoft\Windows\Windows Error Reporting\CheckReporting'
- '\Microsoft\Windows\Windows Error Reporting\SubmitReporting'
- '\Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStart'
- '\Microsoft\Windows\WindowsDefenderService'
- '\Microsoft\Windows\WindowsDefenderService2'
- '\Microsoft\Windows\WindowsUpdate\Scheduled AutoCheck'
- '\Microsoft\Windows\WindowsUpdate\Scheduled Check'
- '\WindowUpdate'
condition: selection
falsepositives:
- Unknown
level: high
rules/windows/powershell/powershell_script/posh_ps_data_compressed.yml → rules-threat-hunting/windows/powershell/powershell_script/posh_ps_compress_archive_usage.yml
+8 -8
View File
@@ -1,26 +1,26 @@
title: Data Compressed - PowerShell
title: Compress-Archive Cmdlet Execution
id: 6dc5d284-69ea-42cf-9311-fb1c3932a69a
status: test
description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
description: |
Detects PowerShell scripts that make use of the "Compress-Archive" cmdlet in order to compress folders and files.
An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560/T1560.md
author: Timur Zinniatullin, oscd.community
date: 2019/10/21
modified: 2022/12/25
modified: 2023/12/15
tags:
- attack.exfiltration
- attack.t1560
- detection.threat_hunting
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
ScriptBlockText|contains|all:
- '-Recurse'
- '|'
- 'Compress-Archive'
ScriptBlockText|contains: 'Compress-Archive'
condition: selection
falsepositives:
- Highly likely if archive operations are done via PowerShell.
- Likely
level: low
rules/windows/image_load/image_load_side_load_from_non_system_location.yml
+15 -15
View File
@@ -9,7 +9,7 @@ references:
- https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md # XForceIR (SideLoadHunter Project), Chris Spehn (research WFH Dridex)
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/14
modified: 2023/10/24
modified: 2023/12/15
tags:
- attack.defense_evasion
- attack.persistence
@@ -453,26 +453,26 @@ detection:
Image|contains: ':\ProgramData\Microsoft\Windows Defender\Platform\'
Image|endswith: '\version.dll'
filter_optional_office_appvpolicy:
Image: 'C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe'
ImageLoaded: 'C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll'
Image|endswith: ':\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe'
ImageLoaded|endswith: ':\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll'
filter_optional_azure:
ImageLoaded|startswith: 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
ImageLoaded|contains: ':\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
filter_optional_dell:
Image|startswith:
- 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
- 'C:\Windows\System32\backgroundTaskHost.exe'
ImageLoaded|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
Image|contains:
- ':\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
- ':\Windows\System32\backgroundTaskHost.exe'
ImageLoaded|contains: ':\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
filter_optional_dell_wldp:
Image|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
Image|contains: ':\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
Image|endswith: '\wldp.dll'
filter_optional_checkpoint:
Image|startswith:
- 'C:\Program Files\CheckPoint\'
- 'C:\Program Files (x86)\CheckPoint\'
Image|contains:
- ':\Program Files\CheckPoint\'
- ':\Program Files (x86)\CheckPoint\'
Image|endswith: '\SmartConsole.exe'
ImageLoaded|startswith:
- 'C:\Program Files\CheckPoint\'
- 'C:\Program Files (x86)\CheckPoint\'
ImageLoaded|contains:
- ':\Program Files\CheckPoint\'
- ':\Program Files (x86)\CheckPoint\'
ImageLoaded|endswith: '\PolicyManager.dll'
condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
falsepositives:
rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml
+17 -11
View File
@@ -1,15 +1,22 @@
title: Zip A Folder With PowerShell For Staging In Temp - PowerShell
id: 71ff406e-b633-4989-96ec-bc49d825a412
id: 71ff406e-b633-4989-96ec-bc49d825a412 # PowerShell Classic
related:
- id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
type: derived
- id: daf7eb81-35fd-410d-9d7a-657837e602bb # PowerShell Module
type: similar
- id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9 # PowerShell Script
type: similar
- id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98 # Process Creation
type: similar
status: test
description: Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration
description: |
Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration.
An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md
author: frack113
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2021/07/20
modified: 2023/10/27
modified: 2023/12/18
tags:
- attack.collection
- attack.t1074.001
@@ -18,11 +25,10 @@ logsource:
service: powershell-classic
detection:
selection:
Data|contains|all:
- 'Compress-Archive'
- ' -Path '
- ' -DestinationPath '
- '$env:TEMP\'
Data|contains:
- 'Compress-Archive -Path*-DestinationPath $env:TEMP'
- 'Compress-Archive -Path*-DestinationPath*\AppData\Local\Temp\'
- 'Compress-Archive -Path*-DestinationPath*:\Windows\Temp\'
condition: selection
falsepositives:
- Unknown
rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml
+18 -12
View File
@@ -1,15 +1,22 @@
title: Zip A Folder With PowerShell For Staging In Temp - PowerShell Module
id: daf7eb81-35fd-410d-9d7a-657837e602bb
id: daf7eb81-35fd-410d-9d7a-657837e602bb # PowerShell Module
related:
- id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
type: derived
- id: 71ff406e-b633-4989-96ec-bc49d825a412 # PowerShell Classic
type: similar
- id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9 # PowerShell Script
type: similar
- id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98 # Process Creation
type: similar
status: test
description: Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration
description: |
Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration.
An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md
author: frack113
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2021/07/20
modified: 2022/12/02
modified: 2023/12/18
tags:
- attack.collection
- attack.t1074.001
@@ -18,13 +25,12 @@ logsource:
category: ps_module
definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
detection:
selection_4103:
selection:
ContextInfo|contains|all:
- 'Compress-Archive '
- ' -Path '
- ' -DestinationPath '
- '$env:TEMP\'
condition: selection_4103
- 'Compress-Archive -Path*-DestinationPath $env:TEMP'
- 'Compress-Archive -Path*-DestinationPath*\AppData\Local\Temp\'
- 'Compress-Archive -Path*-DestinationPath*:\Windows\Temp\'
condition: selection
falsepositives:
- Unknown
level: medium
rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml
+20 -11
View File
@@ -1,12 +1,22 @@
title: Zip A Folder With PowerShell For Staging In Temp - PowerShell Script
id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9 # PowerShell Script
related:
- id: 71ff406e-b633-4989-96ec-bc49d825a412 # PowerShell Classic
type: similar
- id: daf7eb81-35fd-410d-9d7a-657837e602bb # PowerShell Module
type: similar
- id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98 # Process Creation
type: similar
status: test
description: Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration
description: |
Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration.
An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md
author: frack113
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2021/07/20
modified: 2022/12/02
modified: 2023/12/18
tags:
- attack.collection
- attack.t1074.001
@@ -15,13 +25,12 @@ logsource:
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection_4104:
ScriptBlockText|contains|all:
- 'Compress-Archive '
- ' -Path '
- ' -DestinationPath '
- '$env:TEMP\'
condition: selection_4104
selection:
ScriptBlockText|contains:
- 'Compress-Archive -Path*-DestinationPath $env:TEMP'
- 'Compress-Archive -Path*-DestinationPath*\AppData\Local\Temp\'
- 'Compress-Archive -Path*-DestinationPath*:\Windows\Temp\'
condition: selection
falsepositives:
- Unknown
level: medium
rules/windows/process_creation/proc_creation_win_nltest_recon.yml
+16 -20
View File
@@ -20,7 +20,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/5360c9d9ffa3b25f6495f7a16e267b719eba2c37/atomics/T1482/T1482.md#atomic-test-2---windows---discover-domain-trusts-with-nltest
author: Craig Young, oscd.community, Georg Lauenstein
date: 2021/07/24
modified: 2023/02/04
modified: 2023/12/15
tags:
- attack.discovery
- attack.t1016
@@ -32,24 +32,20 @@ detection:
selection_nltest:
- Image|endswith: '\nltest.exe'
- OriginalFileName: 'nltestrk.exe'
selection_recon1:
CommandLine|contains|all:
- '/server'
- '/query'
selection_recon2:
CommandLine|contains:
- '/dclist:'
- '/parentdomain'
- '/domain_trusts'
- '/all_trusts' # Flag for /domain_trusts
- '/trusted_domains'
- '/user'
condition: selection_nltest and 1 of selection_recon*
fields:
- Image
- User
- CommandLine
- ParentCommandLine
selection_recon:
- CommandLine|contains|all:
- 'server'
- 'query'
- CommandLine|contains:
- '/user'
- 'all_trusts' # Flag for /domain_trusts
- 'dclist:'
- 'dnsgetdc:'
- 'domain_trusts'
- 'dsgetdc:'
- 'parentdomain'
- 'trusted_domains'
condition: all of selection_*
falsepositives:
- Legitimate administration use but user and host must be investigated
level: high
level: medium
rules/windows/process_creation/proc_creation_win_powershell_zip_compress.yml
+17 -11
View File
@@ -1,13 +1,20 @@
title: Zip A Folder With PowerShell For Staging In Temp
id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98
title: Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet
id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98 # Process Creation
related:
- id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
type: derived
- id: 71ff406e-b633-4989-96ec-bc49d825a412 # PowerShell Classic
type: similar
- id: daf7eb81-35fd-410d-9d7a-657837e602bb # PowerShell Module
type: similar
- id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9 # PowerShell Script
type: similar
status: test
description: Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration
description: |
Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration.
An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md
author: frack113
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
author: Nasreddine Bencherchali (Nextron Systems), frack113
date: 2021/07/20
modified: 2022/10/09
tags:
@@ -18,11 +25,10 @@ logsource:
category: process_creation
detection:
selection:
CommandLine|contains|all:
- 'Compress-Archive '
- ' -Path '
- ' -DestinationPath '
- '$env:TEMP\'
CommandLine|contains:
- 'Compress-Archive -Path*-DestinationPath $env:TEMP'
- 'Compress-Archive -Path*-DestinationPath*\AppData\Local\Temp\'
- 'Compress-Archive -Path*-DestinationPath*:\Windows\Temp\'
condition: selection
falsepositives:
- Unknown
rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml
+3 -3
View File
@@ -1,11 +1,11 @@
title: Disabled RestrictedAdminMode For RDS - ProcCreation
title: RestrictedAdminMode Registry Value Tampering - ProcCreation
id: 28ac00d6-22d9-4a3c-927f-bbd770104573
related:
- id: d6ce7ebd-260b-4323-9768-a9631c8d4db2 # Registry
type: similar
status: test
description: |
Detect activation of DisableRestrictedAdmin to disable RestrictedAdmin mode.
Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode.
RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.
This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
references:
@@ -13,6 +13,7 @@ references:
- https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx
author: frack113
date: 2023/01/13
modified: 2023/12/15
tags:
- attack.defense_evasion
- attack.t1112
@@ -24,7 +25,6 @@ detection:
CommandLine|contains|all:
- '\System\CurrentControlSet\Control\Lsa\'
- 'DisableRestrictedAdmin'
- ' 1'
condition: selection
falsepositives:
- Unknown
rules/windows/process_creation/proc_creation_win_reg_nolmhash.yml
+31
View File
@@ -0,0 +1,31 @@
title: Enable LM Hash Storage - ProcCreation
id: 98dedfdd-8333-49d4-9f23-d7018cccae53
related:
- id: c420410f-c2d8-4010-856b-dffe21866437 # Registry
type: similar
status: test
description: |
Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes.
By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
references:
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
- https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password
- https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/12/15
tags:
- attack.defense_evasion
- attack.t1112
logsource:
product: windows
category: process_creation
detection:
selection:
CommandLine|contains|all:
- '\System\CurrentControlSet\Control\Lsa\'
- 'NoLMHash'
- ' 0'
condition: selection
falsepositives:
- Unknown
level: high
rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml
+1 -1
View File
@@ -6,7 +6,7 @@ references:
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md
- https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
author: frack113, Nasreddine Bencherchali
author: frack113, Nasreddine Bencherchali (Nextron Systems)
date: 2022/08/19
modified: 2022/10/10
tags:
rules/windows/process_creation/proc_creation_win_reg_volsnap_disable.yml
+1 -3
View File
@@ -6,7 +6,7 @@ references:
- https://twitter.com/0gtweet/status/1354766164166115331
author: Florian Roth (Nextron Systems)
date: 2021/01/28
modified: 2022/10/09
modified: 2023/12/15
tags:
- attack.defense_evasion
- attack.t1562.001
@@ -16,8 +16,6 @@ logsource:
detection:
selection:
CommandLine|contains|all:
- 'reg'
- ' add '
- '\Services\VSS\Diag'
- '/d Disabled'
condition: selection
rules/windows/process_creation/proc_creation_win_reg_write_protect_for_storage_disabled.yml
+3 -4
View File
@@ -4,7 +4,7 @@ status: test
description: Looks for changes to registry to disable any write-protect property for storage devices. This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.
author: Sreeman
date: 2021/06/11
modified: 2022/08/05
modified: 2023/12/15
tags:
- attack.defense_evasion
- attack.t1562
@@ -14,9 +14,8 @@ logsource:
detection:
selection:
CommandLine|contains|all:
- 'reg add'
- '\system\currentcontrolset\control'
- 'write protection'
- '\System\CurrentControlSet\Control'
- 'Write Protection'
- '0'
CommandLine|contains:
- 'storage'
rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml
+2 -2
View File
@@ -20,12 +20,12 @@ detection:
- OriginalFileName: 'wmic.exe'
selection_cli:
CommandLine|contains: 'process'
filter:
filter_main_creation:
CommandLine|contains|all:
# Rule id 526be59f-a573-4eea-b5f7-f0973207634d for `wmic process call create #{process_to_execute}`
- 'call'
- 'create'
condition: all of selection* and not filter
condition: all of selection* and not 1 of filter_*
falsepositives:
- Unknown
level: medium
rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml
+3 -4
View File
@@ -1,11 +1,11 @@
title: Disabled RestrictedAdminMode For RDS
title: RestrictedAdminMode Registry Value Tampering
id: d6ce7ebd-260b-4323-9768-a9631c8d4db2
related:
- id: 28ac00d6-22d9-4a3c-927f-bbd770104573 # process_creation
type: similar
status: experimental
description: |
Detect activation of DisableRestrictedAdmin to disable RestrictedAdmin mode.
Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode.
RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.
This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
references:
@@ -13,7 +13,7 @@ references:
- https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx
author: frack113
date: 2023/01/13
modified: 2023/08/17
modified: 2023/12/15
tags:
- attack.defense_evasion
- attack.t1112
@@ -23,7 +23,6 @@ logsource:
detection:
selection:
TargetObject|endswith: 'System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin'
Details: 'DWORD (0x00000001)'
condition: selection
falsepositives:
- Unknown
rules/windows/registry/registry_set/registry_set_system_lsa_nolmhash.yml
+29
View File
@@ -0,0 +1,29 @@
title: Enable LM Hash Storage
id: c420410f-c2d8-4010-856b-dffe21866437
related:
- id: 98dedfdd-8333-49d4-9f23-d7018cccae53 # process_creation
type: similar
status: experimental
description: |
Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes.
By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
references:
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
- https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password
- https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/12/15
tags:
- attack.defense_evasion
- attack.t1112
logsource:
product: windows
category: registry_set
detection:
selection:
TargetObject|endswith: 'System\CurrentControlSet\Control\Lsa\NoLMHash'
Details: 'DWORD (0x00000000)'
condition: selection
falsepositives:
- Unknown
level: high