diff --git a/rules-emerging-threats/2023/TA/Cozy-Bear/image_load_apt_cozy_bear_graphical_proton_dlls.yml b/rules-emerging-threats/2023/TA/Cozy-Bear/image_load_apt_cozy_bear_graphical_proton_dlls.yml
new file mode 100644
index 000000000..379c53f74
--- /dev/null
+++ b/rules-emerging-threats/2023/TA/Cozy-Bear/image_load_apt_cozy_bear_graphical_proton_dlls.yml
@@ -0,0 +1,33 @@
+title: DLL Names Used By SVR For GraphicalProton Backdoor
+id: e64c8ef3-9f98-40c8-b71e-96110991cb4c
+status: experimental
+description: Hunts known SVR-specific DLL names.
+references:
+ - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
+author: CISA
+date: 2023/12/18
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection:
+ ImageLoaded|endswith:
+ - '\AclNumsInvertHost.dll'
+ - '\AddressResourcesSpec.dll'
+ - '\BlendMonitorStringBuild.dll'
+ - '\ChildPaletteConnected.dll'
+ - '\DeregisterSeekUsers.dll'
+ - '\HandleFrequencyAll.dll'
+ - '\HardSwapColor.dll'
+ - '\LengthInMemoryActivate.dll'
+ - '\ModeBitmapNumericAnimate.dll'
+ - '\ModeFolderSignMove.dll'
+ - '\ParametersNamesPopup.dll'
+ - '\PerformanceCaptionApi.dll'
+ - '\ScrollbarHandleGet.dll'
+ - '\UnregisterAncestorAppendAuto.dll'
+ - '\WowIcmpRemoveReg.dll'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules-emerging-threats/2023/TA/Cozy-Bear/win_security_apt_cozy_bear_scheduled_tasks_name.yml b/rules-emerging-threats/2023/TA/Cozy-Bear/win_security_apt_cozy_bear_scheduled_tasks_name.yml
new file mode 100644
index 000000000..7bc11682e
--- /dev/null
+++ b/rules-emerging-threats/2023/TA/Cozy-Bear/win_security_apt_cozy_bear_scheduled_tasks_name.yml
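Review bot: This rule ships without a `tags` block, while the two scheduled-task rules added in the same commit tag `attack.persistence`; an untagged rule drops out of ATT&CK coverage reporting, so add a `tags:` entry with whatever technique the cited advisory attributes to these DLL loads (the mapping is not visible in the hunk). The description `Hunts known SVR-specific DLL names.` also says less than the title does; something like `Hunts image loads of the DLL names reported in CISA AA23-347A as used by the GraphicalProton backdoor` tells an analyst where the list came from and why an exact `endswith` match is appropriate.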
@@ -0,0 +1,47 @@
+title: Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor
+id: 8fa65166-f463-4fd2-ad4f-1436133c52e1
+related:
+ - id: 2bfc1373-0220-4fbd-8b10-33ddafd2a142
+ type: similar
+status: experimental
+description: Hunts for known SVR-specific scheduled task names
+author: CISA
+references:
+ - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
+date: 2023/12/18
+tags:
+ - attack.persistence
+logsource:
+ service: security
+ product: windows
+detection:
+ selection:
+ EventID:
+ - 4698
+ - 4699
+ - 4702
+ TaskName:
+ - '\defender'
+ - '\Microsoft\DefenderService'
+ - '\Microsoft\Windows\Application Experience\StartupAppTaskCheck'
+ - '\Microsoft\Windows\Application Experience\StartupAppTaskCkeck'
+ - '\Microsoft\Windows\ATPUpd'
+ - '\Microsoft\Windows\Data Integrity Scan\Data Integrity Update'
+ - '\Microsoft\Windows\DefenderUPDService'
+ - '\Microsoft\Windows\IISUpdateService'
+ - '\Microsoft\Windows\Speech\SpeechModelInstallTask'
+ - '\Microsoft\Windows\WiMSDFS'
+ - '\Microsoft\Windows\Windows Defender\Defender Update Service'
+ - '\Microsoft\Windows\Windows Defender\Service Update'
+ - '\Microsoft\Windows\Windows Error Reporting\CheckReporting'
+ - '\Microsoft\Windows\Windows Error Reporting\SubmitReporting'
+ - '\Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStart'
+ - '\Microsoft\Windows\WindowsDefenderService'
+ - '\Microsoft\Windows\WindowsDefenderService2'
+ - '\Microsoft\Windows\WindowsUpdate\Scheduled AutoCheck'
+ - '\Microsoft\Windows\WindowsUpdate\Scheduled Check'
+ - '\WindowUpdate'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules-emerging-threats/2023/TA/Cozy-Bear/win_taskscheduler_apt_cozy_bear_graphical_proton_task_names.yml b/rules-emerging-threats/2023/TA/Cozy-Bear/win_taskscheduler_apt_cozy_bear_graphical_proton_task_names.yml
new file mode 100644
index 000000000..0afd02e24
--- /dev/null
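Review bot: Several `TaskName` entries look like deliberate near-misses of built-in task names (`StartupAppTaskCkeck` right after `StartupAppTaskCheck`, `BfeOnServiceStart`, `Scheduled Check`), and nothing in the hunk tells a maintainer that the spelling is intentional, so a later "typo fix" would silently break the match. Add an inline comment on those entries, e.g. `- '\Microsoft\Windows\Application Experience\StartupAppTaskCkeck' # Spelling as reported in AA23-347A, do not "correct"`. The identical list is repeated in the Task Scheduler rule added in the `@@ -0,0 +1,48 @@` hunk below, which needs the same comment. The `EventID` list covers create/delete/update (4698/4699/4702) only; if leaving out 4700/4701 (task enabled/disabled) is a conscious choice, a short comment saying so would save the next reviewer the question.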
+++ b/rules-emerging-threats/2023/TA/Cozy-Bear/win_taskscheduler_apt_cozy_bear_graphical_proton_task_names.yml 
@@ -0,0 +1,48 @@
+title: Scheduled Tasks Names Used By SVR For GraphicalProton Backdoor - Task Scheduler
+id: 2bfc1373-0220-4fbd-8b10-33ddafd2a142
+related:
+ - id: 8fa65166-f463-4fd2-ad4f-1436133c52e1 # Security-Audting Eventlog
+ type: similar
+status: experimental
+description: Hunts for known SVR-specific scheduled task names
+author: CISA
+references:
+ - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
+date: 2023/12/18
+tags:
+ - attack.persistence
+logsource:
+ product: windows
+ service: taskscheduler
+ definition: 'Requirements: The "Microsoft-Windows-TaskScheduler/Operational" is disabled by default and needs to be enabled in order for this detection to trigger'
+detection:
+ selection:
+ EventID:
+ - 129 # Task Created
+ - 140 # Task Updated
+ - 141 # Task Deleted
+ TaskName:
+ - '\defender'
+ - '\Microsoft\DefenderService'
+ - '\Microsoft\Windows\Application Experience\StartupAppTaskCheck'
+ - '\Microsoft\Windows\Application Experience\StartupAppTaskCkeck'
+ - '\Microsoft\Windows\ATPUpd'
+ - '\Microsoft\Windows\Data Integrity Scan\Data Integrity Update'
+ - '\Microsoft\Windows\DefenderUPDService'
+ - '\Microsoft\Windows\IISUpdateService'
+ - '\Microsoft\Windows\Speech\SpeechModelInstallTask'
+ - '\Microsoft\Windows\WiMSDFS'
+ - '\Microsoft\Windows\Windows Defender\Defender Update Service'
+ - '\Microsoft\Windows\Windows Defender\Service Update'
+ - '\Microsoft\Windows\Windows Error Reporting\CheckReporting'
+ - '\Microsoft\Windows\Windows Error Reporting\SubmitReporting'
+ - '\Microsoft\Windows\Windows Filtering Platform\BfeOnServiceStart'
+ - '\Microsoft\Windows\WindowsDefenderService'
+ - '\Microsoft\Windows\WindowsDefenderService2'
+ - '\Microsoft\Windows\WindowsUpdate\Scheduled AutoCheck'
+ - '\Microsoft\Windows\WindowsUpdate\Scheduled Check'
+ - '\WindowUpdate'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
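Review bot: The inline comment on the `related` entry, `# Security-Audting Eventlog`, misspells "Auditing"; write `# Security-Auditing Eventlog` so the cross-reference reads cleanly. The `definition` string is also missing its noun: `The "Microsoft-Windows-TaskScheduler/Operational" is disabled by default` should read `The "Microsoft-Windows-TaskScheduler/Operational" log is disabled by default`. Both are text-only fixes and do not affect matching.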
diff --git a/rules/windows/powershell/powershell_script/posh_ps_data_compressed.yml b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_compress_archive_usage.yml
similarity index 51%
rename from rules/windows/powershell/powershell_script/posh_ps_data_compressed.yml
rename to rules-threat-hunting/windows/powershell/powershell_script/posh_ps_compress_archive_usage.yml
index 426d1093c..cb5b74832 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_data_compressed.yml
+++ b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_compress_archive_usage.yml
@@ -1,26 +1,26 @@
-title: Data Compressed - PowerShell
+title: Compress-Archive Cmdlet Execution
 id: 6dc5d284-69ea-42cf-9311-fb1c3932a69a
 status: test
-description: An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
+description: |
+ Detects PowerShell scripts that make use of the "Compress-Archive" cmdlet in order to compress folders and files.
+ An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1560/T1560.md
 author: Timur Zinniatullin, oscd.community
 date: 2019/10/21
-modified: 2022/12/25
+modified: 2023/12/15
 tags:
 - attack.exfiltration
 - attack.t1560
+ - detection.threat_hunting
 logsource:
 product: windows
 category: ps_script
 definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
- ScriptBlockText|contains|all:
- - '-Recurse'
- - '|'
- - 'Compress-Archive'
+ ScriptBlockText|contains: 'Compress-Archive'
 condition: selection
 falsepositives:
- - Highly likely if archive operations are done via PowerShell.
+ - Likely
 level: low
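Review bot: `ScriptBlockText|contains: 'Compress-Archive'` matches any script block that merely mentions the cmdlet, which presumably includes the function definition that script block logging records when the archive module itself is loaded, not only user invocations; for a threat-hunting rule at `level: low` that may be acceptable, but the one-word `falsepositives` entry `Likely` does not say why. Spell it out so the hunt can be triaged, e.g. `- Likely, including script blocks that only define or import the cmdlet rather than call it`. The description's first sentence says "Detects PowerShell scripts that make use of" the cmdlet, which overstates what a bare substring match establishes; "reference" would be more accurate.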
diff --git a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
index 77c56db45..0a1e4292b 100644
--- a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
+++ b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
@@ -9,7 +9,7 @@ references:
 - https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md # XForceIR (SideLoadHunter Project), Chris Spehn (research WFH Dridex)
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/14
-modified: 2023/10/24
+modified: 2023/12/15
 tags:
 - attack.defense_evasion
 - attack.persistence
@@ -453,26 +453,26 @@ detection:
 Image|contains: ':\ProgramData\Microsoft\Windows Defender\Platform\'
 Image|endswith: '\version.dll'
 filter_optional_office_appvpolicy:
- Image: 'C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe'
- ImageLoaded: 'C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll'
+ Image|endswith: ':\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe'
+ ImageLoaded|endswith: ':\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll'
 filter_optional_azure:
- ImageLoaded|startswith: 'C:\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
+ ImageLoaded|contains: ':\Packages\Plugins\Microsoft.GuestConfiguration.ConfigurationforWindows\'
 filter_optional_dell:
- Image|startswith:
- - 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
- - 'C:\Windows\System32\backgroundTaskHost.exe'
- ImageLoaded|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
+ Image|contains:
+ - ':\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
+ - ':\Windows\System32\backgroundTaskHost.exe'
+ ImageLoaded|contains: ':\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
 filter_optional_dell_wldp:
- Image|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
+ Image|contains: ':\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs'
 Image|endswith: '\wldp.dll'
 filter_optional_checkpoint:
- Image|startswith:
- - 'C:\Program Files\CheckPoint\'
- - 'C:\Program Files (x86)\CheckPoint\'
+ Image|contains:
+ - ':\Program Files\CheckPoint\'
+ - ':\Program Files (x86)\CheckPoint\'
 Image|endswith: '\SmartConsole.exe'
- ImageLoaded|startswith:
- - 'C:\Program Files\CheckPoint\'
- - 'C:\Program Files (x86)\CheckPoint\'
+ ImageLoaded|contains:
+ - ':\Program Files\CheckPoint\'
+ - ':\Program Files (x86)\CheckPoint\'
 ImageLoaded|endswith: '\PolicyManager.dll'
 condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml b/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml
index c7eb42a25..d2e570ff5 100644
--- a/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml
+++ b/rules/windows/powershell/powershell_classic/posh_pc_susp_zip_compress.yml
@@ -1,15 +1,22 @@
 title: Zip A Folder With PowerShell For Staging In Temp - PowerShell
-id: 71ff406e-b633-4989-96ec-bc49d825a412
+id: 71ff406e-b633-4989-96ec-bc49d825a412 # PowerShell Classic
 related:
- - id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
- type: derived
+ - id: daf7eb81-35fd-410d-9d7a-657837e602bb # PowerShell Module
+ type: similar
+ - id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9 # PowerShell Script
+ type: similar
+ - id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98 # Process Creation
+ type: similar
 status: test
-description: Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration
+description: |
+ Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration.
+ An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md
-author: frack113
+ - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
+author: Nasreddine Bencherchali (Nextron Systems), frack113
 date: 2021/07/20
-modified: 2023/10/27
+modified: 2023/12/18
 tags:
 - attack.collection
 - attack.t1074.001
@@ -18,11 +25,10 @@ logsource:
 service: powershell-classic
 detection:
 selection:
- Data|contains|all:
- - 'Compress-Archive'
- - ' -Path '
- - ' -DestinationPath '
- - '$env:TEMP\'
+ Data|contains:
+ - 'Compress-Archive -Path*-DestinationPath $env:TEMP'
+ - 'Compress-Archive -Path*-DestinationPath*\AppData\Local\Temp\'
+ - 'Compress-Archive -Path*-DestinationPath*:\Windows\Temp\'
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml b/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml
index 8185505ce..8ef177de6 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_susp_zip_compress.yml
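Review bot: Replacing the order-independent `contains|all` list with three `Compress-Archive -Path*-DestinationPath …` wildcard strings ties the match to `-Path` appearing before `-DestinationPath`; the cmdlet accepts its parameters in any order and also as `-LiteralPath`, so ordinary invocations in those forms, which the previous version caught, now fall through. If the narrowing is deliberate to cut false positives, record it next to the list, e.g. `# Intentionally requires -Path before -DestinationPath; reordered and -LiteralPath forms are out of scope`; otherwise keep an additional `contains|all` selection of `'Compress-Archive'`, `'-DestinationPath'` and the temp-folder strings. The same pattern is repeated in the PowerShell Module, PowerShell Script and Process Creation hunks further down.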
@@ -1,15 +1,22 @@
 title: Zip A Folder With PowerShell For Staging In Temp - PowerShell Module
-id: daf7eb81-35fd-410d-9d7a-657837e602bb
+id: daf7eb81-35fd-410d-9d7a-657837e602bb # PowerShell Module
 related:
- - id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
- type: derived
+ - id: 71ff406e-b633-4989-96ec-bc49d825a412 # PowerShell Classic
+ type: similar
+ - id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9 # PowerShell Script
+ type: similar
+ - id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98 # Process Creation
+ type: similar
 status: test
-description: Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration
+description: |
+ Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration.
+ An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md
-author: frack113
+ - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
+author: Nasreddine Bencherchali (Nextron Systems), frack113
 date: 2021/07/20
-modified: 2022/12/02
+modified: 2023/12/18
 tags:
 - attack.collection
 - attack.t1074.001
@@ -18,13 +25,12 @@ logsource:
 category: ps_module
 definition: 0ad03ef1-f21b-4a79-8ce8-e6900c54b65b
 detection:
- selection_4103:
+ selection:
 ContextInfo|contains|all:
- - 'Compress-Archive '
- - ' -Path '
- - ' -DestinationPath '
- - '$env:TEMP\'
- condition: selection_4103
+ - 'Compress-Archive -Path*-DestinationPath $env:TEMP'
+ - 'Compress-Archive -Path*-DestinationPath*\AppData\Local\Temp\'
+ - 'Compress-Archive -Path*-DestinationPath*:\Windows\Temp\'
+ condition: selection
 falsepositives:
 - Unknown
 level: medium
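Review bot: In the `@@ -18,13 +25,12 @@` hunk the unchanged context line `ContextInfo|contains|all:` is kept while the list under it is replaced by three alternative destination patterns, so the rule now requires all three temp-folder paths to occur in a single ContextInfo value and will effectively never fire. The classic, script and process-creation siblings in this commit switch the modifier to plain `contains` for the same list; this one must too: `ContextInfo|contains:`. Because the modifier line is context here, the hunk as committed cannot be correct without touching it.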
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml
index 8e3d02546..1023cd6ee 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_zip_compress.yml
@@ -1,12 +1,22 @@
 title: Zip A Folder With PowerShell For Staging In Temp - PowerShell Script
-id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
+id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9 # PowerShell Script
+related:
+ - id: 71ff406e-b633-4989-96ec-bc49d825a412 # PowerShell Classic
+ type: similar
+ - id: daf7eb81-35fd-410d-9d7a-657837e602bb # PowerShell Module
+ type: similar
+ - id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98 # Process Creation
+ type: similar
 status: test
-description: Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration
+description: |
+ Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration.
+ An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md
-author: frack113
+ - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
+author: Nasreddine Bencherchali (Nextron Systems), frack113
 date: 2021/07/20
-modified: 2022/12/02
+modified: 2023/12/18
 tags:
 - attack.collection
 - attack.t1074.001
@@ -15,13 +25,12 @@ logsource:
 category: ps_script
 definition: 'Requirements: Script Block Logging must be enabled'
 detection:
- selection_4104:
- ScriptBlockText|contains|all:
- - 'Compress-Archive '
- - ' -Path '
- - ' -DestinationPath '
- - '$env:TEMP\'
- condition: selection_4104
+ selection:
+ ScriptBlockText|contains:
+ - 'Compress-Archive -Path*-DestinationPath $env:TEMP'
+ - 'Compress-Archive -Path*-DestinationPath*\AppData\Local\Temp\'
+ - 'Compress-Archive -Path*-DestinationPath*:\Windows\Temp\'
+ condition: selection
 falsepositives:
 - Unknown
 level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_nltest_recon.yml b/rules/windows/process_creation/proc_creation_win_nltest_recon.yml
index 28089bffb..638262eb6 100644
--- a/rules/windows/process_creation/proc_creation_win_nltest_recon.yml
+++ b/rules/windows/process_creation/proc_creation_win_nltest_recon.yml
@@ -20,7 +20,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/5360c9d9ffa3b25f6495f7a16e267b719eba2c37/atomics/T1482/T1482.md#atomic-test-2---windows---discover-domain-trusts-with-nltest
 author: Craig Young, oscd.community, Georg Lauenstein
 date: 2021/07/24
-modified: 2023/02/04
+modified: 2023/12/15
 tags:
 - attack.discovery
 - attack.t1016
@@ -32,24 +32,20 @@ detection:
 selection_nltest:
 - Image|endswith: '\nltest.exe'
 - OriginalFileName: 'nltestrk.exe'
- selection_recon1:
- CommandLine|contains|all:
- - '/server'
- - '/query'
- selection_recon2:
- CommandLine|contains:
- - '/dclist:'
- - '/parentdomain'
- - '/domain_trusts'
- - '/all_trusts' # Flag for /domain_trusts
- - '/trusted_domains'
- - '/user'
- condition: selection_nltest and 1 of selection_recon*
-fields:
- - Image
- - User
- - CommandLine
- - ParentCommandLine
+ selection_recon:
+ - CommandLine|contains|all:
+ - 'server'
+ - 'query'
+ - CommandLine|contains:
+ - '/user'
+ - 'all_trusts' # Flag for /domain_trusts
+ - 'dclist:'
+ - 'dnsgetdc:'
+ - 'domain_trusts'
+ - 'dsgetdc:'
+ - 'parentdomain'
+ - 'trusted_domains'
+ condition: all of selection_*
 falsepositives:
 - Legitimate administration use but user and host must be investigated
-level: high
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_zip_compress.yml b/rules/windows/process_creation/proc_creation_win_powershell_zip_compress.yml
index d761577c2..d9795a0eb 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_zip_compress.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_zip_compress.yml
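Review bot: `'/user'` is the only entry in the new `CommandLine|contains` list that keeps its leading slash while `server`, `query`, `dclist:` and the rest dropped theirs; a reader will be tempted to normalise it, but a bare `user` would presumably match any `C:\Users\…` path that appears in the command line. Add an inline comment so the asymmetry survives the next cleanup, e.g. `- '/user' # Keep the slash: a bare 'user' would match C:\Users paths`. The hunk also lowers `level` from high to medium and removes the `fields` block without any wording change; if the downgrade reflects the looser `server`/`query` terms (any nltest call carrying both words now matches), a sentence in `falsepositives` explaining that would help the analyst who tunes it.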
@@ -1,13 +1,20 @@
-title: Zip A Folder With PowerShell For Staging In Temp
-id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98
+title: Folder Compress To Potentially Suspicious Output Via Compress-Archive Cmdlet
+id: 85a8e5ba-bd03-4bfb-bbfa-a4409a8f8b98 # Process Creation
 related:
- - id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9
- type: derived
+ - id: 71ff406e-b633-4989-96ec-bc49d825a412 # PowerShell Classic
+ type: similar
+ - id: daf7eb81-35fd-410d-9d7a-657837e602bb # PowerShell Module
+ type: similar
+ - id: b7a3c9a3-09ea-4934-8864-6a32cacd98d9 # PowerShell Script
+ type: similar
 status: test
-description: Use living off the land tools to zip a file and stage it in the Windows temporary folder for later exfiltration
+description: |
+ Detects PowerShell scripts that make use of the "Compress-Archive" Cmdlet in order to compress folders and files where the output is stored in a potentially suspicious location that is used often by malware for exfiltration.
+ An adversary might compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1074.001/T1074.001.md
-author: frack113
+ - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
+author: Nasreddine Bencherchali (Nextron Systems), frack113
 date: 2021/07/20
 modified: 2022/10/09
 tags:
@@ -18,11 +25,10 @@ logsource:
 category: process_creation
 detection:
 selection:
- CommandLine|contains|all:
- - 'Compress-Archive '
- - ' -Path '
- - ' -DestinationPath '
- - '$env:TEMP\'
+ CommandLine|contains:
+ - 'Compress-Archive -Path*-DestinationPath $env:TEMP'
+ - 'Compress-Archive -Path*-DestinationPath*\AppData\Local\Temp\'
+ - 'Compress-Archive -Path*-DestinationPath*:\Windows\Temp\'
 condition: selection
 falsepositives:
 - Unknown
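Review bot: The title, `related` block, description, references and author are all rewritten in this hunk and the detection logic changes in the `@@ -18,11 +25,10 @@` hunk below, yet the context line `modified: 2022/10/09` is left as is; every other rule edited in this commit bumps it (the PowerShell siblings use `modified: 2023/12/18`). Update it to `modified: 2023/12/18`, otherwise consumers that pick up rule changes by the modified date will not see this one.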
diff --git a/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml b/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml
index 38aa56f37..b7d6ba431 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml
@@ -1,11 +1,11 @@
-title: Disabled RestrictedAdminMode For RDS - ProcCreation
+title: RestrictedAdminMode Registry Value Tampering - ProcCreation
 id: 28ac00d6-22d9-4a3c-927f-bbd770104573
 related:
 - id: d6ce7ebd-260b-4323-9768-a9631c8d4db2 # Registry
 type: similar
 status: test
 description: |
- Detect activation of DisableRestrictedAdmin to disable RestrictedAdmin mode.
+ Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode.
 RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.
 This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
 references:
@@ -13,6 +13,7 @@ references:
 - https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx
 author: frack113
 date: 2023/01/13
+modified: 2023/12/15
 tags:
 - attack.defense_evasion
 - attack.t1112
@@ -24,7 +25,6 @@ detection:
 CommandLine|contains|all:
 - '\System\CurrentControlSet\Control\Lsa\'
 - 'DisableRestrictedAdmin'
- - ' 1'
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_reg_nolmhash.yml b/rules/windows/process_creation/proc_creation_win_reg_nolmhash.yml
new file mode 100644
index 000000000..fc9bf8c47
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_reg_nolmhash.yml
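Review bot: With `' 1'` removed in the `@@ -24,7 +25,6 @@` hunk, the selection fires on any command line that contains both `\System\CurrentControlSet\Control\Lsa\` and `DisableRestrictedAdmin`, which includes read-only operations such as `reg query` or `Get-ItemProperty` and writes in the hardening direction, although the title still says "Tampering". The widening looks intended (the registry-side sibling in the `@@ -23,7 +23,6 @@` hunk further down drops its `Details` check the same way), so say so under `falsepositives`, e.g. `- Administrative or compliance scripts that query or harden this value`. While the description is being rewritten, the unchanged context line `if the remote server has been compromise` is missing its final "d" here and in the registry rule's description below.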
@@ -0,0 +1,31 @@
+title: Enable LM Hash Storage - ProcCreation
+id: 98dedfdd-8333-49d4-9f23-d7018cccae53
+related:
+ - id: c420410f-c2d8-4010-856b-dffe21866437 # Registry
+ type: similar
+status: test
+description: |
+ Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes.
+ By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
+references:
+ - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
+ - https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password
+ - https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/12/15
+tags:
+ - attack.defense_evasion
+ - attack.t1112
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection:
+ CommandLine|contains|all:
+ - '\System\CurrentControlSet\Control\Lsa\'
+ - 'NoLMHash'
+ - ' 0'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml b/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml
index a7f7c5371..f5530768c 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md
 - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md
 - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
-author: frack113, Nasreddine Bencherchali
+author: frack113, Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/19
 modified: 2022/10/10
 tags:
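Review bot: `' 0'` is the only term that separates the weakening write from any other command line mentioning `NoLMHash`, and it is satisfied by every space-zero sequence, including the hex spelling of the hardening value (`/d 0x00000001` contains ` 0`), so a `level: high` alert can fire on the opposite of what the title describes. The registry-side sibling added at the end of this commit checks the exact `DWORD (0x00000000)` and is the more precise of the two; here, at minimum, note the limitation inline, e.g. `- ' 0' # Value data ("/d 0", "-Value 0"); also matches hex data such as 0x1`, and consider listing hex-formatted hardening writes under `falsepositives`.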
diff --git a/rules/windows/process_creation/proc_creation_win_reg_volsnap_disable.yml b/rules/windows/process_creation/proc_creation_win_reg_volsnap_disable.yml
index a098d0454..0a2651217 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_volsnap_disable.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_volsnap_disable.yml
@@ -6,7 +6,7 @@ references:
 - https://twitter.com/0gtweet/status/1354766164166115331
 author: Florian Roth (Nextron Systems)
 date: 2021/01/28
-modified: 2022/10/09
+modified: 2023/12/15
 tags:
 - attack.defense_evasion
 - attack.t1562.001
@@ -16,8 +16,6 @@ logsource:
 detection:
 selection:
 CommandLine|contains|all:
- - 'reg'
- - ' add '
 - '\Services\VSS\Diag'
 - '/d Disabled'
 condition: selection
diff --git a/rules/windows/process_creation/proc_creation_win_reg_write_protect_for_storage_disabled.yml b/rules/windows/process_creation/proc_creation_win_reg_write_protect_for_storage_disabled.yml
index 56671315a..ceb02dd82 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_write_protect_for_storage_disabled.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_write_protect_for_storage_disabled.yml
@@ -4,7 +4,7 @@ status: test
 description: Looks for changes to registry to disable any write-protect property for storage devices. This could be a precursor to a ransomware attack and has been an observed technique used by cypherpunk group.
 author: Sreeman
 date: 2021/06/11
-modified: 2022/08/05
+modified: 2023/12/15
 tags:
 - attack.defense_evasion
 - attack.t1562
@@ -14,9 +14,8 @@ logsource:
 detection:
 selection:
 CommandLine|contains|all:
- - 'reg add'
- - '\system\currentcontrolset\control'
- - 'write protection'
+ - '\System\CurrentControlSet\Control'
+ - 'Write Protection'
 - '0'
 CommandLine|contains:
 - 'storage'
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml b/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml
index 4ca49d1f1..12f16076b 100644
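Review bot: Dropping `'reg'` and `' add '` from the volsnap selection in the `@@ -16,8 +16,6 @@` hunk is presumably meant to cover tools other than reg.exe, but the remaining `'/d Disabled'` is reg.exe's own data-argument syntax, so a PowerShell write of the same value (`Set-ItemProperty … -Value Disabled`) still does not match; the widening only reaches wrappers that forward reg.exe-style arguments. Either add a second selection keyed on `'\Services\VSS\Diag'` and `'Disabled'` for the cmdlet form, or leave a comment stating the boundary: `- '/d Disabled' # reg.exe syntax; Set-ItemProperty variants are not covered here`.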
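Review bot: In the write-protect hunk (`@@ -14,9 +14,8 @@`), once `'reg add'` is gone the single-character `'0'` is the only value check left, and it matches any zero anywhere in the command line (the `0x` of a hex value, a path, a timestamp), so it no longer distinguishes disabling write protection from enabling it. Anchor it the way the new NoLMHash rule in this commit does, `- ' 0'`, and state the remaining looseness in the description. The case changes on `\System\CurrentControlSet\Control` and `Write Protection` are cosmetic, since Sigma string matching is case-insensitive; a one-line note in the commit would make clear no behaviour change was intended there.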
--- a/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_recon_process.yml
@@ -20,12 +20,12 @@ detection:
 - OriginalFileName: 'wmic.exe'
 selection_cli:
 CommandLine|contains: 'process'
- filter:
+ filter_main_creation:
 CommandLine|contains|all: # Rule id 526be59f-a573-4eea-b5f7-f0973207634d for `wmic process call create #{process_to_execute}`
 - 'call'
 - 'create'
- condition: all of selection* and not filter
+ condition: all of selection* and not 1 of filter_*
 falsepositives:
 - Unknown
 level: medium
diff --git a/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml b/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml
index 098e845b9..df75d08f2 100644
--- a/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml
+++ b/rules/windows/registry/registry_set/registry_set_lsa_disablerestrictedadmin.yml
@@ -1,11 +1,11 @@
-title: Disabled RestrictedAdminMode For RDS
+title: RestrictedAdminMode Registry Value Tampering
 id: d6ce7ebd-260b-4323-9768-a9631c8d4db2
 related:
 - id: 28ac00d6-22d9-4a3c-927f-bbd770104573 # process_creation
 type: similar
 status: experimental
 description: |
- Detect activation of DisableRestrictedAdmin to disable RestrictedAdmin mode.
+ Detects changes to the "DisableRestrictedAdmin" registry value in order to disable or enable RestrictedAdmin mode.
 RestrictedAdmin mode prevents the transmission of reusable credentials to the remote system to which you connect using Remote Desktop.
 This prevents your credentials from being harvested during the initial connection process if the remote server has been compromise
 references:
@@ -13,7 +13,7 @@ references:
 - https://social.technet.microsoft.com/wiki/contents/articles/32905.remote-desktop-services-enable-restricted-admin-mode.aspx
 author: frack113
 date: 2023/01/13
-modified: 2023/08/17
+modified: 2023/12/15
 tags:
 - attack.defense_evasion
 - attack.t1112
@@ -23,7 +23,6 @@ logsource:
 detection:
 selection:
 TargetObject|endswith: 'System\CurrentControlSet\Control\Lsa\DisableRestrictedAdmin'
- Details: 'DWORD (0x00000001)'
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/registry/registry_set/registry_set_system_lsa_nolmhash.yml b/rules/windows/registry/registry_set/registry_set_system_lsa_nolmhash.yml
new file mode 100644
index 000000000..72a748c8d
--- /dev/null
+++ b/rules/windows/registry/registry_set/registry_set_system_lsa_nolmhash.yml
@@ -0,0 +1,29 @@
+title: Enable LM Hash Storage
+id: c420410f-c2d8-4010-856b-dffe21866437
+related:
+ - id: 98dedfdd-8333-49d4-9f23-d7018cccae53 # process_creation
+ type: similar
+status: experimental
+description: |
+ Detects changes to the "NoLMHash" registry value in order to allow Windows to store LM Hashes.
+ By setting this registry value to "0" (DWORD), Windows will be allowed to store a LAN manager hash of your password in Active Directory and local SAM databases.
+references:
+ - https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a
+ - https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/prevent-windows-store-lm-hash-password
+ - https://www.sans.org/blog/protecting-privileged-domain-accounts-lm-hashes-the-good-the-bad-and-the-ugly/
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/12/15
+tags:
+ - attack.defense_evasion
+ - attack.t1112
+logsource:
+ product: windows
+ category: registry_set
+detection:
+ selection:
+ TargetObject|endswith: 'System\CurrentControlSet\Control\Lsa\NoLMHash'
+ Details: 'DWORD (0x00000000)'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
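Review bot: Removing `Details: 'DWORD (0x00000001)'` makes this rule fire on every registry-set event for `DisableRestrictedAdmin`, including writes of 0 that re-enable RestrictedAdmin mode through hardening baselines or Group Policy refresh; that is consistent with the new "Tampering" title, but `falsepositives: - Unknown` no longer reflects it. Add e.g. `- Legitimate hardening or Group Policy refresh setting the value back to 0`, and since the hunk is dropping the only field that told the analyst which direction the change went, consider keeping `Details` in a `fields` list so it is still surfaced with the hit. The new NoLMHash registry rule below keeps an exact `Details` check, which is the more precise pattern.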