Merge pull request #1 from Neo23x0/master

Get updates from head repo
This commit is contained in:
Kyle Polley
2019-02-06 17:02:41 -08:00
committed by GitHub
152 changed files with 2033 additions and 566 deletions
+10
@@ -1,7 +1,10 @@
language: python
dist: xenial
python:
- 3.5
- 3.6
- 3.7
sudo: true
services:
- elasticsearch
cache: pip
@@ -12,3 +15,10 @@ install:
script:
- make test
- make test-backend-es-qs
notifications:
email:
recipients:
- venom14@gmail.com
- thomas@patzke.org
on_success: change
on_failure: always
+8
@@ -1,4 +1,12 @@
---
# https://yamllint.readthedocs.io/en/latest/configuration.html
extends: default
rules:
comments: disable
comments-indentation: disable
document-start: disable
empty-lines: {max: 2, max-start: 2, max-end: 2}
indentation: disable
line-length: disable
new-line-at-end-of-file: disable
trailing-spaces: disable
+6 -3
@@ -1,7 +1,7 @@
.PHONY: test test-yaml test-sigmac
.PHONY: test test-rules test-sigmac
TMPOUT = $(shell tempfile||mktemp)
COVSCOPE = tools/sigma/*.py,tools/sigma/backends/*.py,tools/sigmac,tools/merge_sigma
test: clearcov test-yaml test-sigmac test-merge build finish
test: clearcov test-rules test-sigmac test-merge build finish
clearcov:
rm -f .coverage
@@ -10,8 +10,9 @@ finish:
coverage report --fail-under=90
rm -f $(TMPOUT)
test-yaml:
test-rules:
yamllint rules
tests/test_rules.py
test-sigmac:
coverage run -a --include=$(COVSCOPE) tools/sigmac -l
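Review bot: The new `test-rules` target runs `tests/test_rules.py` as a bare executable, which depends on the file's execute bit and shebang surviving checkout, and unlike every other test line in this file it is not wrapped in `coverage run`; invoking it as `coverage run -a --include=$(COVSCOPE) tests/test_rules.py` (or at least `python tests/test_rules.py`) keeps it consistent with the rest of the recipes. Separately, the context line `TMPOUT = $(shell tempfile||mktemp)` uses recursive `=`, so the shell command re-runs at every expansion and `rm -f $(TMPOUT)` in `finish` presumably removes a freshly created empty file rather than the one written earlier — `TMPOUT := $(shell tempfile||mktemp)` evaluates it once. The `finish` recipe begins before this hunk and the `test-sigmac` recipe continues after it.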
@@ -20,6 +21,7 @@ test-sigmac:
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t kibana rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t graylog rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t xpack-watcher rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t elastalert rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunkxml rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t logpoint rules/ > /dev/null
@@ -30,6 +32,7 @@ test-sigmac:
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t qradar -c tools/config/arcsight.yml rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t qualys -c tools/config/qualys.yml rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t netwitness -c tools/config/netwitness.yml rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t sumologic -c tools/config/sumologic.yml rules/ > /dev/null
coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level>=high,level<=critical,status=stable,logsource=windows,tag=attack.execution' rules/ > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level>=high,level<=critical,status=xstable,logsource=windows' rules/ > /dev/null
! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level>=high,level<=xcritical,status=stable,logsource=windows' rules/ > /dev/null
+32
@@ -0,0 +1,32 @@
---
action: global
title: APT29
description: 'This method detects a suspicious powershell command line combination as used by APT29 in a campaign against US think tanks'
references:
- https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/
logsource:
product: windows
author: Florian Roth
date: 2018/12/04
detection:
condition: selection
falsepositives:
- unknown
level: critical
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine: '*-noni -ep bypass $*'
---
logsource:
product: windows
service: security
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine: '*-noni -ep bypass $*'
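Review bot: The security-log block of this new rule keeps `description:` inside `logsource` (the `Requirements: Audit Policy …` line), while the rest of this merge renames exactly that key to `definition:` in every existing rule; it should read `definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'` here as well. The same leftover `description:` under `logsource` appears in the other new rules in this merge — Sofacy Zebrocy, TropicTrooper Campaign November 2018 and Unidentified Attacker November 2018 — whereas the new Rubeus, MavInject and Netsh rules already use `definition:`.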
+2 -2
@@ -48,8 +48,8 @@ detection:
- 'C:\wsc.exe*'
selection_process2:
EventID: 1
Image: '*\Windows\Temp\DB\*.exe'
Image: '*\Windows\Temp\DB\\*.exe'
selection_process3:
EventID: 1
CommandLine: '*\nslookup.exe -q=TXT*'
ParentImage: '*\Autoit*'
ParentImage: '*\Autoit*'
+1 -1
@@ -18,7 +18,7 @@ level: critical
logsource:
product: windows
service: security
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection1:
# Does not require group policy 'Audit Process Creation' > Include command line in process creation events
+9 -7
@@ -12,12 +12,8 @@ tags:
- attack.t1059
author: Florian Roth
date: 2018/03/10
modified: 2018/12/11
detection:
selection1:
Image: '*\rundll32.exe'
CommandLine: '*,dll_u'
selection2:
CommandLine: '* -export dll_u *'
condition: 1 of them
falsepositives:
- Unknown
@@ -29,15 +25,21 @@ logsource:
detection:
selection1:
EventID: 1
Image: '*\rundll32.exe'
CommandLine: '*,dll_u'
selection2:
EventID: 1
CommandLine: '* -export dll_u *'
---
logsource:
product: windows
service: security
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection1:
EventID: 4688
Image: '*\rundll32.exe'
ProcessCommandLine: '*,dll_u'
selection2:
EventID: 4688
EventID: 4688
ProcessCommandLine: '* -export dll_u *'
+8 -5
@@ -11,11 +11,8 @@ tags:
- attack.t1068
author: Florian Roth
date: 2018/02/25
modified: 2018/12/11
detection:
selection:
CommandLine:
- '* localgroup administrators admin /add'
- '*\Win64.exe*'
condition: selection
falsepositives:
- Unknown
@@ -27,13 +24,19 @@ logsource:
detection:
selection:
EventID: 1
CommandLine:
- '* localgroup administrators admin /add'
- '*\Win64.exe*'
---
logsource:
product: windows
service: security
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine:
- '* localgroup administrators admin /add'
- '*\Win64.exe*'
+2 -2
@@ -11,7 +11,7 @@ date: 2018/03/10
logsource:
product: windows
service: security
description: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'
definition: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'
detection:
condition: selection
falsepositives:
@@ -30,7 +30,7 @@ detection:
logsource:
product: windows
service: security
description: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'
definition: 'Requirements: Audit Policy : Audit Other Object Access Events > Success'
detection:
selection:
EventID: 4701
+9 -7
@@ -1,4 +1,3 @@
---
action: global
title: Sofacy Trojan Loader Activity
@@ -12,11 +11,8 @@ tags:
- attack.g0007
author: Florian Roth
date: 2018/03/01
modified: 2018/12/11
detection:
selection:
CommandLine:
- 'rundll32.exe %APPDATA%\*.dat",*'
- 'rundll32.exe %APPDATA%\*.dll",#1'
condition: selection
falsepositives:
- Unknown
@@ -28,11 +24,17 @@ logsource:
detection:
selection:
EventID: 1
CommandLine:
- 'rundll32.exe %APPDATA%\\*.dat",*'
- 'rundll32.exe %APPDATA%\\*.dll",#1'
---
logsource:
product: windows
service: security
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
EventID: 4688
ProcessCommandLine:
- 'rundll32.exe %APPDATA%\\*.dat",*'
- 'rundll32.exe %APPDATA%\\*.dll",#1'
+34
@@ -0,0 +1,34 @@
---
action: global
title: Sofacy Zebrocy
description: Detects Sofacy's Zebrocy malware execution
references:
- https://app.any.run/tasks/54acca9a-394e-4384-a0c8-91a96d36c81d
tags:
- attack.execution
- attack.g0020
- attack.t1059
author: Florian Roth
date: 2018/03/10
detection:
condition: selection
falsepositives:
- Unknown
level: critical
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine: '*cmd.exe /c SYSTEMINFO & TASKLIST'
---
logsource:
product: windows
service: security
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine: '*cmd.exe /c SYSTEMINFO & TASKLIST'
+34
@@ -0,0 +1,34 @@
action: global
title: TropicTrooper Campaign November 2018
status: stable
description: Detects TropicTrooper activity, an actor who targeted high-profile organizations in the energy and food and beverage sectors in Asia
references:
- https://cloudblogs.microsoft.com/microsoftsecure/2018/11/28/windows-defender-atp-device-risk-score-exposes-new-cyberattack-drives-conditional-access-to-protect-networks/
author: "@41thexplorer, Windows Defender ATP"
date: 2018/11/30
modified: 2018/12/11
tags:
- attack.execution
- attack.t1085
detection:
condition: selection
level: high
---
# Windows Security Eventlog: Process Creation with Full Command Line
logsource:
product: windows
service: security
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine: '*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*'
---
# Sysmon: Process Creation (ID 1)
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine: '*abCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCc*'
+2 -2
@@ -21,8 +21,8 @@ detection:
EventID: 1
CommandLine:
- 'net use \\%DomainController%\C$ "P@ssw0rd" *'
- 'dir c:\*.doc* /s'
- 'dir %TEMP%\*.exe'
- 'dir c:\\*.doc* /s'
- 'dir %TEMP%\\*.exe'
condition: selection
level: critical
---
+1 -1
@@ -10,7 +10,7 @@ author: Markus Neis
logsource:
product: windows
service: sysmon
description: 'Note that you have to configure logging for PipeEvents in Symson config'
definition: 'Note that you have to configure logging for PipeEvents in Symson config'
detection:
selection:
EventID:
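Review bot: The renamed `definition:` line carries over a typo in the product name, `Symson`; since this text is what a user reads to learn the rule's logging prerequisites, it should be `definition: 'Note that you have to configure logging for PipeEvents in Sysmon config'`. The `detection` block continues outside this hunk.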
+21
@@ -0,0 +1,21 @@
title: Turla PNG Dropper Service
description: 'This method detects malicious services mentioned in Turla PNG dropper report by NCC Group in November 2018'
references:
- https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/
author: Florian Roth
date: 2018/11/23
tags:
- attack.command_and_control
- attack.g0016
- attack.t1172
logsource:
product: windows
service: system
detection:
selection:
EventID: 7045
ServiceName: 'WerFaultSvc'
condition: selection
falsepositives:
- unlikely
level: critical
+44
@@ -0,0 +1,44 @@
action: global
title: Unidentified Attacker November 2018
status: stable
description: A sigma rule detecting an unidetefied attacker who used phishing emails to target high profile orgs on November 2018. The Actor shares some TTPs with YYTRIUM/APT29 campaign in 2016.
references:
- https://twitter.com/DrunkBinary/status/1063075530180886529
author: "@41thexplorer, Windows Defender ATP"
date: 2018/11/20
modified: 2018/12/11
tags:
- attack.execution
- attack.t1085
detection:
condition: selection
level: high
---
# Windows Security Eventlog: Process Creation with Full Command Line
logsource:
product: windows
service: security
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine: '*cyzfc.dat, PointFunctionCall'
---
# Sysmon: Process Creation (ID 1)
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine: '*cyzfc.dat, PointFunctionCall'
---
# Sysmon: File Creation (ID 11)
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 11
TargetFilename:
- '*ds7002.lnk*'
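Review bot: The new rule's `description:` misspells `unidentified` as `unidetefied` and reads "on November 2018"; suggest `description: A Sigma rule detecting an unidentified attacker who used phishing emails to target high-profile orgs in November 2018. The actor shares some TTPs with the YYTRIUM/APT29 campaign in 2016.` The sysmon file-creation block matches `TargetFilename` on `'*ds7002.lnk*'`, a bare file name with no path component, so a one-line comment saying where that name comes from (presumably the referenced tweet) would document why it is considered specific enough on its own.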
+27 -18
@@ -6,6 +6,8 @@ references:
- http://pastebin.com/FtygZ1cg
- https://artkond.com/2017/03/23/pivoting-guide/
author: Florian Roth
date: 2017/08/21
modified: 2019/02/05
logsource:
product: linux
detection:
@@ -15,30 +17,37 @@ detection:
- 'wget * - http* | sh'
- 'wget * - http* | bash'
- 'python -m SimpleHTTPServer'
- 'import pty; pty.spawn'
- '-m http.server' # Python 3
- 'import pty; pty.spawn*'
- 'socat exec:*'
- 'socat -O /tmp/*'
- 'socat tcp-connect*'
- '*echo binary >>*'
# Malware
- '*wget *; chmod +x*'
- '*wget *; chmod 777 *'
- '*cd /tmp || cd /var/run || cd /mnt*'
# Apache Struts in-the-wild exploit codes
- 'stop;service iptables stop;'
- 'stop;SuSEfirewall2 stop;'
- 'chmod 777 2020'
- '">>/etc/rc.local;'
- 'wget -c *;chmod 777'
- '*stop;service iptables stop;*'
- '*stop;SuSEfirewall2 stop;*'
- 'chmod 777 2020*'
- '*>>/etc/rc.local'
# Metasploit framework exploit codes
- 'base64 -d /tmp/'
- ' | base64 -d'
- '/bin/chmod u+s'
- 'chmod +s /tmp/'
- 'chmod u+s /tmp/'
- '/tmp/haxhax'
- '/tmp/ns_sploit'
- 'nc -l -p '
- 'cp /bin/ksh '
- 'cp /bin/sh '
- ' /tmp/*.b64 '
- '/tmp/ysocereal.jar'
- '*base64 -d /tmp/*'
- '* | base64 -d *'
- '*/chmod u+s *'
- '*chmod +s /tmp/*'
- '*chmod u+s /tmp/*'
- '* /tmp/haxhax*'
- '* /tmp/ns_sploit*'
- 'nc -l -p *'
- 'cp /bin/ksh *'
- 'cp /bin/sh *'
- '* /tmp/*.b64 *'
- '*/tmp/ysocereal.jar*'
- '*/tmp/x *'
- '*; chmod +x /tmp/*'
- '*;chmod +x /tmp/*'
condition: keywords
falsepositives:
- Unknown
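Review bot: The rewrite adds a leading `*` to some keywords in this hunk (`'*base64 -d /tmp/*'`, `'*stop;service iptables stop;*'`, `'*/tmp/ysocereal.jar*'`) but not to others (`'-m http.server'`, `'socat exec:*'`, `'nc -l -p *'`, `'cp /bin/sh *'`, `'chmod 777 2020*'`), so if the backend treats a value without a leading wildcard as anchored at the start of the line, those entries only fire when the command begins with that text; either add the leading `*` consistently or state in a comment that the anchoring is intentional. The `keywords` list begins before this hunk, so its earlier entries were not reviewed.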
+20
@@ -0,0 +1,20 @@
title: Chafer Malware URL Pattern
status: experimental
description: Detects HTTP requests used by Chafer malware
references:
- https://securelist.com/chafer-used-remexi-malware/89538/
author: Florian Roth
date: 2019/01/31
logsource:
category: proxy
detection:
selection:
c-uri-query: '*/asp.asp?ui=*'
condition: selection
fields:
- ClientIP
- URL
- UserAgent
falsepositives:
- Unknown
level: critical
+2 -3
@@ -8,9 +8,8 @@ logsource:
category: proxy
detection:
selection:
UserAgent:
# Empty string - as used by Powershell's (New-Object Net.WebClient).DownloadString
- ''
# Empty string - as used by Powershell's (New-Object Net.WebClient).DownloadString
UserAgent: ''
condition: selection
fields:
- ClientIP
+1
@@ -39,6 +39,7 @@ detection:
- 'Mozilla/4.0 (compatible; RMS)' # Attacks on industrial enterprises using RMS and TeamViewer https://goo.gl/GthvTw
- 'Mozilla/4.0 (compatible; MSIE 6.0; DynGate)' # Attacks on industrial enterprises using RMS and TeamViewer https://goo.gl/GthvTw
- 'O/9.27 (W; U; Z)' # Cmstar https://www.virustotal.com/#/file/e4328011bb2b04abc856ccd04404c9f95d67167f6c291d343e8ffa8aa2aa2099/details
- 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; Trident/5.0*' # KerrDown UA https://goo.gl/s2WU6o
condition: selection
fields:
- ClientIP
+1
@@ -33,6 +33,7 @@ detection:
- 'X-FORWARDED-FOR'
- 'DotDotPwn v2.1'
- 'SIPDROID'
- 'Mozilla/5.0 (Windows NT 10.0; Win32; x32; rv:60.0)' # CobaltStrike https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/
# Exploits
- '*wordpress hash grabber*'
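Review bot: The added CobaltStrike user-agent entry has no trailing `*`, unlike neighbouring entries such as `'*wordpress hash grabber*'`, so if the backend treats a wildcard-free value as an exact match it only fires on a UA that ends at `rv:60.0)` — one missing the `Gecko/… Firefox/60.0` suffix a real browser sends; a comment such as `# exact match on purpose: no Gecko/Firefox suffix, unlike a genuine browser UA` would stop a later cleanup from appending a `*` and matching legitimate Firefox traffic. The same applies to the `'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)'` entry added in the next user-agent rule, where the risk is higher because that token sequence is the standard 64-bit Firefox 60 prefix on Windows 10. The `UserAgent` list begins before this hunk.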
+1
@@ -49,6 +49,7 @@ detection:
- '*(Charon; Inferno)' # Loki Bot
- 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/5.0)' # Fareit / Pony
- 'Mozilla/4.0 (compatible; MSIE 6.1; Windows NT)' # https://goo.gl/g43qjs
- 'Mozilla/4.0(compatible; MSIE 6.0; Windows NT 5.1)' # MacControl malware https://goo.gl/sqY3Ja https://www.symantec.com/connect/blogs/osxmacontrol-back-it-again
# Others
- '* pxyscand*'
+1
@@ -21,6 +21,7 @@ detection:
- 'Mozila/*' # single 'l'
- '_'
- 'CertUtil URL Agent' # https://twitter.com/stvemillertime/status/985150675527974912
- 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0)' # CobaltStrike Beacon https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/
falsepositives:
UserAgent:
- 'Mozilla/3.0 * Acrobat *' # Acrobat with linked content
+16
@@ -0,0 +1,16 @@
title: Apache Threading Error
status: experimental
description: Detects an issue in apache logs that reports threading related errors
author: Florian Roth
date: 2019/01/22
references:
- https://github.com/hannob/apache-uaf/blob/master/README.md
logsource:
product: apache
detection:
keywords:
- '__pthread_tpp_change_priority: Assertion `new_prio == -1 || (new_prio >= fifo_min_prio && new_prio <= fifo_max_prio)'
condition: keywords
falsepositives:
- https://bz.apache.org/bugzilla/show_bug.cgi?id=46185
level: medium
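Review bot: `falsepositives` in the new rule holds only a bug-tracker URL, while the field elsewhere in this merge carries a short description of the benign cause (`- Unknown`, `- Legitimate administration`); suggest `- Apache bug 46185, a benign threading assertion (see references)` and move the URL under `references`. A comment on the single keyword noting that it is taken verbatim from the referenced README (presumably why it is not wildcarded and why the backtick is kept) would also help a maintainer who sees it fail to match on a differently formatted log line.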
@@ -10,7 +10,7 @@ author: juju4
logsource:
product: windows
service: security
description: 'Requirements: Identifiable administrators usernames (pattern or special unique character. ex: "Admin-*"), internal policy mandating use only as secondary account'
definition: 'Requirements: Identifiable administrators usernames (pattern or special unique character. ex: "Admin-*"), internal policy mandating use only as secondary account'
detection:
selection:
EventID: 4624
@@ -8,7 +8,7 @@ author: Florian Roth
logsource:
product: windows
service: security
description: 'The advanced audit policy setting "Object Access > Audit File Share" must be configured for Success/Failure'
definition: 'The advanced audit policy setting "Object Access > Audit File Share" must be configured for Success/Failure'
detection:
selection:
EventID: 5140
@@ -9,7 +9,7 @@ author: '@neu5ron'
logsource:
product: windows
service: security
description: 'Requirements: Audit Policy : Policy Change > Audit Authorization Policy Change, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy Change'
definition: 'Requirements: Audit Policy : Policy Change > Audit Authorization Policy Change, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Authorization Policy Change'
detection:
selection:
EventID: 4704
@@ -11,8 +11,8 @@ tags:
logsource:
product: windows
service: security
description1: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management'
description2: 'Requirements: Audit Policy : DS Access > Audit Directory Service Changes, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\DS Access\Audit Directory Service Changes'
definition1: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management'
definition2: 'Requirements: Audit Policy : DS Access > Audit Directory Service Changes, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\DS Access\Audit Directory Service Changes'
detection:
selection1:
EventID: 4738
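Review bot: The rename yields `definition1:` and `definition2:` under `logsource`, which as far as I can tell are not documented Sigma keys — the spec provides a single `definition`, so tooling that reads that key will find neither; merging both requirements into one string, e.g. `definition: 'Requirements: Audit Policy : Account Management > Audit User Account Management …; Audit Policy : DS Access > Audit Directory Service Changes …'`, keeps the information where consumers look for it. The `detection` block continues outside this hunk.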
@@ -7,7 +7,7 @@ author: '@neu5ron'
logsource:
product: windows
service: security
description: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management'
definition: 'Requirements: Audit Policy : Account Management > Audit User Account Management, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Account Management\Audit User Account Management'
detection:
selection:
EventID: 4738
@@ -11,7 +11,7 @@ tags:
# Defender Attack Surface Reduction
logsource:
product: windows_defender
description: 'Requirements:Enabled Block credential stealing from the Windows local security authority subsystem (lsass.exe) from Attack Surface Reduction (GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2)'
definition: 'Requirements:Enabled Block credential stealing from the Windows local security authority subsystem (lsass.exe) from Attack Surface Reduction (GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2)'
detection:
selection:
EventID: 1121
@@ -1,11 +1,10 @@
title: Disabling Windows Event Auditing
description: >
Detects scenarios where system auditing (ie: windows event log auditing) is disabled. This may be used in a scenario
description: 'Detects scenarios where system auditing (ie: windows event log auditing) is disabled. This may be used in a scenario
where an entity would want to bypass local logging to evade detection when windows event logging is enabled and
reviewed. Also, it is recommended to turn off "Local Group Policy Object Processing" via GPO, which will make sure
that Active Directory GPOs take precedence over local/edited computer policies via something such as "gpedit.msc".
Please note, that disabling "Local Group Policy Object Processing" may cause an issue in scenarios of one off
specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.
specific GPO modifications -- however it is recommended to perform these modifications in Active Directory anyways.'
references:
- https://bit.ly/WinLogsZero2Hero
tags:
@@ -15,7 +14,7 @@ author: '@neu5ron'
logsource:
product: windows
service: security
description: 'Requirements: Audit Policy : Computer Management > Audit Policy Configuration, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Audit Policy Change'
definition: 'Requirements: Audit Policy : Computer Management > Audit Policy Configuration, Group Policy : Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Policy Change\Audit Audit Policy Change'
detection:
selection:
EventID: 4719
@@ -1,4 +1,4 @@
title: Eventlog Cleared
title: Eventlog Cleared Experimental
status: experimental
description: Detects a cleared Windows Eventlog as e.g. caused by "wevtutil cl" command execution
author: Florian Roth
+52
@@ -0,0 +1,52 @@
---
action: global
title: Rubeus Hack Tool
description: Detects command line parameters used by Rubeus hack tool
author: Florian Roth
references:
- https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/
date: 2018/12/19
tags:
- attack.credential_access
- attack.t1003
- attack.s0005
detection:
condition: selection
falsepositives:
- unlikely
level: critical
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine:
- '* asreproast *'
- '* dump /service:krbtgt *'
- '* kerberoast *'
- '* createnetonly /program:*'
- '* ptt /ticket:*'
- '* /impersonateuser:*'
- '* renew /ticket:*'
- '* asktgt /user:*'
- '* harvest /interval:*'
---
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine:
- '* asreproast *'
- '* dump /service:krbtgt *'
- '* kerberoast *'
- '* createnetonly /program:*'
- '* ptt /ticket:*'
- '* /impersonateuser:*'
- '* renew /ticket:*'
- '* asktgt /user:*'
- '* harvest /interval:*'
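Review bot: The tag `attack.s0005` appears to reference a different ATT&CK software entry (S0005 is, to my knowledge, Windows Credential Editor), not Rubeus; unless that mapping is intentional, drop the tag or replace it with the correct identifier when one exists. A short comment on each pattern list saying the switches come from the referenced harmj0y post would also help, since both blocks duplicate the same nine strings and will need to be kept in sync.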
@@ -0,0 +1,38 @@
---
action: global
title: MavInject Process Injection
status: experimental
description: Detects process injection using the signed Windows tool Mavinject32.exe
references:
- https://twitter.com/gN3mes1s/status/941315826107510784
- https://reaqta.com/2017/12/mavinject-microsoft-injector/
- https://twitter.com/Hexacorn/status/776122138063409152
author: Florian Roth
date: 2018/12/12
tags:
- attack.process_injection
- attack.t1055
- attack.signed_binary_proxy_execution
- attack.t1218
detection:
condition: selection
falsepositives:
- unknown
level: critical
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine: '* /INJECTRUNNING *'
---
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine: '* /INJECTRUNNING *'
@@ -5,8 +5,69 @@ status: experimental
references:
- https://car.mitre.org/wiki/CAR-2013-04-002
author: juju4
modified: 2012/12/11
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: low
---
# Windows Audit Log
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine:
- arp.exe
- at.exe
- attrib.exe
- cscript.exe
- dsquery.exe
- hostname.exe
- ipconfig.exe
- mimikatz.exe
- nbstat.exe
- net.exe
- netsh.exe
- nslookup.exe
- ping.exe
- quser.exe
- qwinsta.exe
- reg.exe
- runas.exe
- sc.exe
- schtasks.exe
- ssh.exe
- systeminfo.exe
- taskkill.exe
- telnet.exe
- tracert.exe
- wscript.exe
- xcopy.exe
# others
- pscp.exe
- copy.exe
- robocopy.exe
- certutil.exe
- vssadmin.exe
- powershell.exe
- wevtutil.exe
- psexec.exe
- bcedit.exe
- wbadmin.exe
- icacls.exe
- diskpart.exe
timeframe: 5m
condition: selection | count() by MachineName > 5
---
# Sysmon
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine:
- arp.exe
- at.exe
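Review bot: Two executable names in the new security-log `ProcessCommandLine` list are misspelled — `- nbstat.exe` should be `- nbtstat.exe` and `- bcedit.exe` should be `- bcdedit.exe` — so those entries can never match and the per-host count misses them; the same names are presumably repeated in the sysmon list that continues past this hunk. The added `modified: 2012/12/11` predates the rule and disagrees with the other `modified` lines in this merge (2018/12/11); the same value appears in the PsExec Service Start rule later in this merge. The sysmon `CommandLine` list and its condition continue in the next hunk.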
@@ -47,25 +108,5 @@ detection:
- wbadmin.exe
- icacls.exe
- diskpart.exe
timeframe: 5min
condition: selection | count() by MachineName > 5
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: low
---
# Windows Audit Log
logsource:
product: windows
service: security
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
---
# Sysmon
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
timeframe: 5m
condition: selection | count() by MachineName > 5
@@ -2,7 +2,7 @@
action: global
title: NetNTLM Downgrade Attack
description: Detects post exploitation using NetNTLM downgrade attacks
reference:
references:
- https://www.optiv.com/blog/post-exploitation-using-netntlm-downgrade-attacks
author: Florian Roth
date: 2018/03/20
@@ -22,19 +22,19 @@ detection:
selection1:
EventID: 13
TargetObject:
- '*SYSTEM\*ControlSet*\Control\Lsa\lmcompatibilitylevel'
- '*SYSTEM\*ControlSet*\Control\Lsa\NtlmMinClientSec'
- '*SYSTEM\*ControlSet*\Control\Lsa\RestrictSendingNTLMTraffic'
- '*SYSTEM\\*ControlSet*\Control\Lsa\lmcompatibilitylevel'
- '*SYSTEM\\*ControlSet*\Control\Lsa\NtlmMinClientSec'
- '*SYSTEM\\*ControlSet*\Control\Lsa\RestrictSendingNTLMTraffic'
---
# Windows Security Eventlog: Process Creation with Full Command Line
logsource:
product: windows
service: security
description: 'Requirements: Audit Policy : Object Access > Audit Registry (Success)'
definition: 'Requirements: Audit Policy : Object Access > Audit Registry (Success)'
detection:
selection2:
EventID: 4657
ObjectName: '\REGISTRY\MACHINE\SYSTEM\*ControlSet*\Control\Lsa'
ObjectName: '\REGISTRY\MACHINE\SYSTEM\\*ControlSet*\Control\Lsa'
ObjectValueName:
- 'LmCompatibilityLevel'
- 'NtlmMinClientSec'
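Review bot: The comment `# Windows Security Eventlog: Process Creation with Full Command Line` sits above a block whose selection is `EventID: 4657` on a registry object under `\REGISTRY\MACHINE\SYSTEM`, so it describes the wrong event; suggest `# Windows Security Eventlog: Registry value modification (EventID 4657)`. The `ObjectValueName` list and the rule's condition continue outside this hunk.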
@@ -0,0 +1,35 @@
---
action: global
title: Netsh Port Forwarding
description: Detects netsh commands that configure a port forwarding
references:
- https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
date: 2019/01/29
tags:
- attack.lateral_movement
status: experimental
author: Florian Roth
detection:
condition: selection
falsepositives:
- Legitimate administration
level: medium
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine:
- 'netsh interface portproxy add v4tov4 *'
---
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine:
- 'netsh interface portproxy add v4tov4 *'
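Review bot: Both patterns in this new rule, `'netsh interface portproxy add v4tov4 *'`, and the RDP variant's `'netsh i* p*=3389 c*'` in the next hunk lack a leading `*`, so a command line recorded with the full image path (a constructed example: `C:\Windows\System32\netsh.exe interface portproxy add …`) would not match if the backend anchors the value at the start; a leading `*` as used elsewhere in this merge (`'*cyzfc.dat, PointFunctionCall'`) covers both forms. A comment explaining why the medium-level rule uses the long `v4tov4` form while the high-level one abbreviates to `i* p*=3389 c*` would also help, since the two visibly overlap.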
@@ -0,0 +1,35 @@
---
action: global
title: Netsh RDP Port Forwarding
description: Detects netsh commands that configure a port forwarding of port 3389 used for RDP
references:
- https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
date: 2019/01/29
tags:
- attack.lateral_movement
status: experimental
author: Florian Roth
detection:
condition: selection
falsepositives:
- Legitimate administration
level: high
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine:
- 'netsh i* p*=3389 c*'
---
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine:
- 'netsh i* p*=3389 c*'
+1 -1
@@ -10,7 +10,7 @@ tags:
logsource:
product: windows
service: security
description: The successful use of PtH for lateral movement between workstations would trigger event ID 4624, a failed logon attempt would trigger an event ID 4625
definition: The successful use of PtH for lateral movement between workstations would trigger event ID 4624, a failed logon attempt would trigger an event ID 4625
detection:
selection:
- EventID: 4624
@@ -19,7 +19,7 @@ detection:
CommandLine: '*\CamMute.exe'
filter_cammute:
EventID: 4688
CommandLine: '*\Lenovo\Communication Utility\*'
CommandLine: '*\Lenovo\Communication Utility\\*'
# Chrome Frame Helper
selection_chrome_frame:
@@ -27,7 +27,7 @@ detection:
CommandLine: '*\chrome_frame_helper.exe'
filter_chrome_frame:
EventID: 4688
CommandLine: '*\Google\Chrome\application\*'
CommandLine: '*\Google\Chrome\application\\*'
# Microsoft Device Emulator
selection_devemu:
@@ -35,7 +35,7 @@ detection:
CommandLine: '*\dvcemumanager.exe'
filter_devemu:
EventID: 4688
CommandLine: '*\Microsoft Device Emulator\*'
CommandLine: '*\Microsoft Device Emulator\\*'
# Windows Media Player Gadget
selection_gadget:
@@ -43,7 +43,7 @@ detection:
CommandLine: '*\Gadget.exe'
filter_gadget:
EventID: 4688
CommandLine: '*\Windows Media Player\*'
CommandLine: '*\Windows Media Player\\*'
# HTML Help Workshop
selection_hcc:
@@ -51,7 +51,7 @@ detection:
CommandLine: '*\hcc.exe'
filter_hcc:
EventID: 4688
CommandLine: '*\HTML Help Workshop\*'
CommandLine: '*\HTML Help Workshop\\*'
# Hotkey Command Module for Intel Graphics Contollers
selection_hkcmd:
@@ -60,9 +60,9 @@ detection:
filter_hkcmd:
EventID: 4688
CommandLine:
- '*\System32\*'
- '*\SysNative\*'
- '*\SysWowo64\*'
- '*\System32\\*'
- '*\SysNative\\*'
- '*\SysWowo64\\*'
# McAfee component
selection_mc:
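Review bot: The rewritten `filter_hkcmd` entry `'*\SysWowo64\\*'` misspells the directory, so the filter never excludes hkcmd.exe launched from `SysWOW64` and the `selection_hkcmd and not filter_hkcmd` clause (presumably, by analogy with the visible `selection_cammute and not filter_cammute`) keeps firing on that legitimate path; change it to `- '*\SysWOW64\\*'`. The escaping fix applied throughout this file is otherwise consistent, so the typo is the only remaining issue in this filter. `selection_hkcmd` starts before this hunk and the combining `condition` is in a later one.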
@@ -82,9 +82,9 @@ detection:
filter_msmpeng:
EventID: 4688
CommandLine:
- '*\Microsoft Security Client\*'
- '*\Windows Defender\*'
- '*\AntiMalware\*'
- '*\Microsoft Security Client\\*'
- '*\Windows Defender\\*'
- '*\AntiMalware\\*'
# Microsoft Security Center
selection_msseces:
@@ -92,7 +92,7 @@ detection:
CommandLine: '*\msseces.exe'
filter_msseces:
EventID: 4688
CommandLine: '*\Microsoft Security Center\*'
CommandLine: '*\Microsoft Security Center\\*'
# Microsoft Office 2003 OInfo
selection_oinfo:
@@ -100,7 +100,7 @@ detection:
CommandLine: '*\OInfoP11.exe'
filter_oinfo:
EventID: 4688
CommandLine: '*\Common Files\Microsoft Shared\*'
CommandLine: '*\Common Files\Microsoft Shared\\*'
# OLE View
selection_oleview:
@@ -112,20 +112,20 @@ detection:
- '*\Microsoft Visual Studio*'
- '*\Microsoft SDK*'
- '*\Windows Kit*'
- '*\Windows Resource Kit\*'
- '*\Windows Resource Kit\\*'
# RC
selection_rc:
EventID: 4688
CommandLine: '*\OleView.exe'
CommandLine: '*\rc.exe'
filter_rc:
EventID: 4688
CommandLine:
- '*\Microsoft Visual Studio*'
- '*\Microsoft SDK*'
- '*\Windows Kit*'
- '*\Windows Resource Kit\*'
- '*\Microsoft.NET\*'
- '*\Windows Resource Kit\\*'
- '*\Microsoft.NET\\*'
condition: ( selection_cammute and not filter_cammute ) or
( selection_chrome_frame and not filter_chrome_frame ) or
@@ -30,7 +30,7 @@ level: low
logsource:
product: windows
service: security
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
@@ -23,9 +23,9 @@ logsource:
detection:
selection1:
EventID: 4688
ProcesssCommandLine: '*AAAAYInlM*'
ProcessCommandLine: '*AAAAYInlM*'
selection2:
ProcesssCommandLine:
ProcessCommandLine:
- '*OiCAAAAYInlM*'
- '*OiJAAAAYInlM*'
---
+3 -2
@@ -2,6 +2,7 @@ title: PsExec Service Start
description: Detects a PsExec service start
author: Florian Roth
date: 2018/03/13
modified: 2012/12/11
tags:
- attack.execution
- attack.t1035
@@ -9,11 +10,11 @@ tags:
logsource:
product: windows
service: security
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
CommandLine: 'C:\Windows\PSEXESVC.exe'
ProcessCommandLine: 'C:\Windows\PSEXESVC.exe'
condition: 1 of them
falsepositives:
- Administrative activity
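Review bot: `modified: 2012/12/11` on the new side predates the rule's own `date: 2018/03/13`, so it is almost certainly a typo for `modified: 2018/12/11`, the value the other rules touched in this merge carry. The same 2012 date is added to the APPCMD/RGDoor rule and the msiexec rule further down. The field is what consumers use to tell which revision of a rule they run, so a modification date six years before creation is misleading.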
@@ -10,12 +10,12 @@ tags:
logsource:
product: windows
service: security
description: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection (not in the baseline recommendations by Microsoft). We also recommend extracting the Command field from the embedded XML in the event data.'
definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection (not in the baseline recommendations by Microsoft). We also recommend extracting the Command field from the embedded XML in the event data.'
detection:
selection:
EventID: 4698
timeframe: 7d
condition: selection | count(TaskName) < 5
condition: selection | count() by TaskName < 5
falsepositives:
- Software installation
- Software updates
@@ -13,8 +13,8 @@ detection:
selection:
EventID: 7045
timeframe: 7d
condition: selection | count(ServiceFileName) < 5
condition: selection | count() by ServiceFileName < 5
falsepositives:
- Software installation
- Software updates
level: low
level: low
@@ -0,0 +1,24 @@
title: RDP Login from localhost
description: RDP login with localhost source address may be a tunnelled login
references:
- https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
date: 2019/01/28
modified: 2019/01/29
tags:
- attack.lateral_movement
status: experimental
author: Thomas Patzke
logsource:
product: windows
service: security
detection:
selection:
EventID: 4624
LogonType: 10
SourceNetworkAddress:
- "::1"
- "127.0.0.1"
condition: selection
falsepositives:
- Unknown
level: high
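Review bot: `SourceNetworkAddress` is the label from the rendered 4624 message text; in the event's EventData the source address is carried as `IpAddress`, so unless the backends' field mapping translates the name this selection will never match. Suggest `IpAddress:` with the same two loopback values, or a comment stating which field mapping the rule expects. The `LogonType: 10` restriction correctly narrows this to remote-interactive sessions.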
+22 -12
@@ -9,21 +9,11 @@ references:
- https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html
- http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/
author: juju4
modified: 2018/12/11
tags:
- attack.defense_evasion
- attack.t1140
detection:
selection:
CommandLine:
#- '^'
#- '@'
# 0x002D -, 0x2013 , 0x2014 , 0x2015 ― ... FIXME! how to match hexa form?
# - '-'
# - '―'
#- 'c:/'
- '<TAB>'
- '^h^t^t^p'
- 'h"t"t"p'
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
@@ -33,10 +23,20 @@ level: low
logsource:
product: windows
service: security
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine:
#- '^'
#- '@'
# 0x002D -, 0x2013 , 0x2014 , 0x2015 ― ... FIXME! how to match hexa form?
# - '-'
# - '―'
#- 'c:/'
- '<TAB>'
- '^h^t^t^p'
- 'h"t"t"p'
---
# Sysmon
logsource:
@@ -45,3 +45,13 @@ logsource:
detection:
selection:
EventID: 1
CommandLine:
#- '^'
#- '@'
# 0x002D -, 0x2013 , 0x2014 , 0x2015 ― ... FIXME! how to match hexa form?
# - '-'
# - '―'
#- 'c:/'
- '<TAB>'
- '^h^t^t^p'
- 'h"t"t"p'
@@ -7,14 +7,26 @@ references:
- https://twitter.com/haroonmeer/status/939099379834658817
- https://twitter.com/c_APT_ure/status/939475433711722497
- https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html
author: Florian Roth, Markus Neis
author: Florian Roth, Markus Neis
date: 2018/08/22
modified: 2018/12/11
tags:
- attack.discovery
- attack.t1073
- attack.t1012
detection:
timeframe: 15s
condition: selection | count() by CommandLine > 4
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: medium
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine:
- 'tasklist'
- 'net time'
@@ -33,23 +45,29 @@ detection:
- '*\net1 accounts /domain'
- '*\net1 user net localgroup administrators'
- 'netstat -an'
timeframe: 15s
condition: selection | count() > 4
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: medium
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
---
logsource:
product: windows
service: security
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine:
- 'tasklist'
- 'net time'
- 'systeminfo'
- 'whoami'
- 'nbtstat'
- 'net start'
- '*\net1 start'
- 'qprocess'
- 'nslookup'
- 'hostname.exe'
- '*\net1 user /domain'
- '*\net1 group /domain'
- '*\net1 group "domain admins" /domain'
- '*\net1 group "Exchange Trusted Subsystem" /domain'
- '*\net1 accounts /domain'
- '*\net1 user net localgroup administrators'
- 'netstat -an'
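Review bot: `condition: selection | count() by CommandLine > 4` is not equivalent to the `count() > 4` it replaces: grouping by CommandLine counts occurrences of each identical command line, so the rule now fires when one recon command repeats five times within the 15s timeframe rather than when five different commands from the list run. If the original intent (several distinct recon commands in quick succession) is to be kept, the aggregation should count command lines rather than group by them — `count(CommandLine) > 4` if the backends treat a field argument as a distinct count, which is worth confirming against the backend tests before relying on it. The global `detection` block holding this condition starts in the first hunk of this file.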
@@ -9,10 +9,10 @@ date: 2017/05/15
author: Dimitrios Slamaris
logsource:
product: windows
service: system
service: dhcp
detection:
selection:
EventID:
EventID:
- 1031
- 1032
- 1034
+35
@@ -0,0 +1,35 @@
---
action: global
title: Suspicious GUP Usage
description: Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks
status: experimental
references:
- https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html
author: Florian Roth
date: 2019/02/06
detection:
condition: selection and not filter
falsepositives:
- 'Execution of tools named GUP.exe and located in folders different than Notepad++\updater'
level: high
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
Image: '*\GUP.exe'
filter:
Image: '*\updater\*'
---
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
NewProcessName: '*\GUP.exe'
filter:
NewProcessName: '*\updater\*'
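Review bot: The filters `Image: '*\updater\*'` and `NewProcessName: '*\updater\*'` use the unescaped `\*` form that the rest of this merge replaces with `\\*` (see the `'*\Lenovo\Communication Utility\\*'` changes above): under that convention `\*` is a literal asterisk, so the filter only matches a name ending in `\updater*` and does not exclude the legitimate `...\updater\GUP.exe` path. Every ordinary Notepad++ update would then fire this `level: high` rule. Suggest `Image: '*\updater\\*'` and `NewProcessName: '*\updater\\*'`.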
@@ -6,13 +6,11 @@ status: experimental
references:
- https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/
author: Florian Roth
modified: 2012/12/11
tags:
- attack.persistence
- attack.t1100
detection:
selection:
CommandLine:
- '*\APPCMD.EXE install module /name:*'
condition: selection
falsepositives:
- Unknown as it may vary from organisation to arganisation how admins use to install IIS modules
@@ -24,11 +22,15 @@ logsource:
detection:
selection:
EventID: 1
CommandLine:
- '*\APPCMD.EXE install module /name:*'
---
logsource:
product: windows
service: security
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine:
- '*\APPCMD.EXE install module /name:*'
@@ -7,10 +7,8 @@ references:
- https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/
author: Florian Roth
date: 2018/02/09
modified: 2012/12/11
detection:
selection:
CommandLine:
- '* msiexec*:\/\/*'
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
@@ -22,11 +20,15 @@ logsource:
detection:
selection:
EventID: 1
CommandLine:
- '* msiexec*:\/\/*'
---
logsource:
product: windows
service: security
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine:
- '* msiexec*:\/\/*'
@@ -12,7 +12,7 @@ tags:
logsource:
product: windows
service: security
description: The volume of Event ID 4661 is high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommandations for server systems
definition: The volume of Event ID 4661 is high on Domain Controllers and therefore "Audit SAM" and "Audit Kernel Object" advanced audit policy settings are not configured in the recommandations for server systems
detection:
selection:
- EventID: 4661
+3 -4
@@ -10,8 +10,6 @@ tags:
- attack.credential_access
- attack.t1003
detection:
selection:
CommandLine: '*\ntdsutil.exe *'
condition: selection
falsepositives:
- NTDS maintenance
@@ -23,12 +21,13 @@ logsource:
detection:
selection:
EventID: 1
CommandLine: '*\ntdsutil*'
---
logsource:
product: windows
service: security
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine: '*\ntdsutil*'
+1 -1
@@ -12,7 +12,7 @@ tags:
logsource:
product: windows
service: ntlm
description: Reqiures events from Microsoft-Windows-NTLM/Operational
definition: Reqiures events from Microsoft-Windows-NTLM/Operational
detection:
selection:
EventID: 8002
@@ -16,7 +16,7 @@ detection:
- '* -encodedcommand JAB*'
# Google Rapid Response
falsepositive1:
ImagePath: '*\GRR\*'
Image: '*\GRR\\*'
# PowerSponse deployments
falsepositive2:
CommandLine: '* -ExecutionPolicy remotesigned *'
@@ -36,7 +36,7 @@ detection:
logsource:
product: windows
service: security
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
@@ -10,7 +10,7 @@ author: John Lambert (rule)
logsource:
product: windows
service: security
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
encoded:
EventID: 4688
+1 -1
@@ -22,7 +22,7 @@ level: medium
logsource:
product: windows
service: security
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
@@ -15,15 +15,26 @@ references:
- https://gist.github.com/subTee/7937a8ef07409715f15b84781e180c46#file-rat-bat
- https://twitter.com/vector_sec/status/896049052642533376
author: Florian Roth
modified: 2018/12/11
detection:
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: medium
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine:
# Hacking activity
- 'vssadmin.exe delete shadows*'
- 'vssadmin delete shadows*'
- 'vssadmin create shadow /for=C:*'
- 'copy \\?\GLOBALROOT\Device\*\windows\ntds\ntds.dit*'
- 'copy \\?\GLOBALROOT\Device\*\config\SAM*'
- 'copy \\?\GLOBALROOT\Device\\*\windows\ntds\ntds.dit*'
- 'copy \\?\GLOBALROOT\Device\\*\config\SAM*'
- 'reg SAVE HKLM\SYSTEM *'
- '* sekurlsa:*'
- 'net localgroup adminstrators * /add'
@@ -31,12 +42,12 @@ detection:
- 'certutil.exe *-urlcache* http*'
- 'certutil.exe *-urlcache* ftp*'
# Malware
- 'netsh advfirewall firewall *\AppData\*'
- 'attrib +S +H +R *\AppData\*'
- 'schtasks* /create *\AppData\*'
- 'netsh advfirewall firewall *\AppData\\*'
- 'attrib +S +H +R *\AppData\\*'
- 'schtasks* /create *\AppData\\*'
- 'schtasks* /sc minute*'
- '*\Regasm.exe *\AppData\*'
- '*\Regasm *\AppData\*'
- '*\Regasm.exe *\AppData\\*'
- '*\Regasm *\AppData\\*'
- '*\bitsadmin* /transfer*'
- '*\certutil.exe * -decode *'
- '*\certutil.exe * -decodehex *'
@@ -66,22 +77,60 @@ detection:
- '*AddInProcess*'
# NotPowershell (nps) attack
# - '*msbuild*' # too many false positives
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
level: medium
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
---
logsource:
product: windows
service: security
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine:
# Hacking activity
- 'vssadmin.exe delete shadows*'
- 'vssadmin delete shadows*'
- 'vssadmin create shadow /for=C:*'
- 'copy \\?\GLOBALROOT\Device\\*\windows\ntds\ntds.dit*'
- 'copy \\?\GLOBALROOT\Device\\*\config\SAM*'
- 'reg SAVE HKLM\SYSTEM *'
- '* sekurlsa:*'
- 'net localgroup adminstrators * /add'
- 'net group "Domain Admins" * /ADD /DOMAIN'
- 'certutil.exe *-urlcache* http*'
- 'certutil.exe *-urlcache* ftp*'
# Malware
- 'netsh advfirewall firewall *\AppData\\*'
- 'attrib +S +H +R *\AppData\\*'
- 'schtasks* /create *\AppData\\*'
- 'schtasks* /sc minute*'
- '*\Regasm.exe *\AppData\\*'
- '*\Regasm *\AppData\\*'
- '*\bitsadmin* /transfer*'
- '*\certutil.exe * -decode *'
- '*\certutil.exe * -decodehex *'
- '*\certutil.exe -ping *'
- 'icacls * /grant Everyone:F /T /C /Q'
- '* wmic shadowcopy delete *'
- '* wbadmin.exe delete catalog -quiet*' # http://blog.talosintelligence.com/2018/02/olympic-destroyer.html
# Scripts
- '*\wscript.exe *.jse'
- '*\wscript.exe *.js'
- '*\wscript.exe *.vba'
- '*\wscript.exe *.vbe'
- '*\cscript.exe *.jse'
- '*\cscript.exe *.js'
- '*\cscript.exe *.vba'
- '*\cscript.exe *.vbe'
# UAC bypass
- '*\fodhelper.exe'
# persistence
- '*waitfor*/s*'
- '*waitfor*/si persist*'
# remote
- '*remote*/s*'
- '*remote*/c*'
- '*remote*/q*'
# AddInProcess
- '*AddInProcess*'
# NotPowershell (nps) attack
# - '*msbuild*' # too many false positives
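Review bot: In `'copy \\?\GLOBALROOT\Device\\*\windows\ntds\ntds.dit*'` and its `\config\SAM*` sibling (repeated in the new Security-log copy of the list), `\\?` reads under the escaping convention this merge adopts as an escaped backslash followed by the single-character wildcard `?`, which then cannot match the literal `\\?\GLOBALROOT` prefix of the command it targets. If the backends tokenise `?` as a wildcard as the Sigma spec describes, the backslashes and the question mark need escaping, or the anchor can be shortened to `'*\GLOBALROOT\Device\\*\windows\ntds\ntds.dit*'` to avoid the prefix altogether; a converter test against the generated query would settle it. Since the list now exists twice (sysmon and security documents), any fix has to be applied to both copies.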
@@ -0,0 +1,39 @@
---
action: global
title: PowerShell Script Run in AppData
status: experimental
description: Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder
references:
- https://twitter.com/JohnLaTwC/status/1082851155481288706
- https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03
author: Florian Roth
date: 2019/01/09
logsource:
product: windows
service: sysmon
detection:
condition: selection
falsepositives:
- Administrative scripts
level: medium
---
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
CommandLine:
- '* /c powershell*\AppData\Local\\*'
- '* /c powershell*\AppData\Roaming\\*'
---
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine:
- '* /c powershell*\AppData\Local\\*'
- '* /c powershell*\AppData\Roaming\\*'
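Review bot: The global document carries `logsource: product: windows / service: sysmon` even though each of the two documents that follow defines its own logsource (sysmon, then security); the new Dridex rule below repeats the pattern. If the per-document logsource is merged over the global one this is merely misleading, and if it is not, the second document would be attributed to sysmon. The GUP rule in this same merge omits the logsource from its global section; suggest doing the same here and in the Dridex rule.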
@@ -18,7 +18,7 @@ level: medium
logsource:
product: windows
service: security
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
@@ -11,10 +11,10 @@ tags:
detection:
selection:
CommandLine:
- "*:\\RECYCLER\\*"
- "*:\\SystemVolumeInformation\\*"
- "%windir%\\Tasks\\*"
- "%systemroot%\\debug\\*"
- '*:\RECYCLER\\*'
- '*:\SystemVolumeInformation\\*'
- '%windir%\Tasks\\*'
- '%systemroot%\debug\\*'
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
@@ -24,7 +24,7 @@ level: medium
logsource:
product: windows
service: security
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
@@ -36,7 +36,7 @@ falsepositives:
logsource:
product: windows
service: security
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
+1 -1
@@ -8,7 +8,7 @@ author: Florian Roth
logsource:
product: windows
service: system
description: The source of this type of event is Kernel-General
definition: The source of this type of event is Kernel-General
detection:
selection:
EventID: 16
+1 -1
@@ -32,7 +32,7 @@ detection:
logsource:
product: windows
service: security
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
@@ -8,11 +8,8 @@ references:
- https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b
author: Florian Roth
date: 2018/06/22
modified: 2018/12/11
detection:
selection:
CommandLine:
- '*\sysprep.exe *\AppData\*'
- 'sysprep.exe *\AppData\*'
condition: selection
falsepositives:
- False positives depend on scripts and administrative tools used in the monitored environment
@@ -24,11 +21,17 @@ logsource:
detection:
selection:
EventID: 1
CommandLine:
- '*\sysprep.exe *\AppData\\*'
- 'sysprep.exe *\AppData\\*'
---
logsource:
product: windows
service: security
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine:
- '*\sysprep.exe *\AppData\\*'
- 'sysprep.exe *\AppData\\*'
@@ -8,12 +8,11 @@ references:
- https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100
author: Markus Neis
date: 2018/04/09
modified: 2018/12/11
tags:
- attack.credential_access
- attack.t1003
detection:
selection:
CommandLine: '*\SYSVOL\*\policies\*'
condition: selection
falsepositives:
- administrative activity
@@ -25,11 +24,13 @@ logsource:
detection:
selection:
EventID: 1
CommandLine: '*\SYSVOL\\*\policies\\*'
---
logsource:
product: windows
service: security
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine: '*\SYSVOL\\*\policies\\*'
+1 -1
@@ -29,7 +29,7 @@ detection:
logsource:
product: windows
service: security
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
@@ -30,7 +30,7 @@ detection:
logsource:
product: windows
service: security
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
+2
@@ -1,6 +1,7 @@
title: Antivirus Exploitation Framework Detection
description: Detects a highly relevant Antivirus alert that reports an exploitation framework
date: 2018/09/09
modified: 2019/01/16
author: Florian Roth
references:
- https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/
@@ -19,6 +20,7 @@ detection:
- "*Metasploit*"
- "*PowerSploit*"
- "*CobaltSrike*"
- "*Swrort*"
condition: selection
fields:
- FileName
+7 -7
@@ -1,4 +1,4 @@
title: Antivirus Exploitation Framework Detection
title: Antivirus Relevant File Paths Alerts
description: Detects an Antivirus alert in a highly relevant file path or with a relevant file name
date: 2018/09/09
author: Florian Roth
@@ -9,12 +9,12 @@ logsource:
detection:
selection:
FileName:
- 'C:\Windows\Temp\*'
- 'C:\Temp\*'
- '*\\Client\*'
- 'C:\PerfLogs\*'
- 'C:\Users\Public\*'
- 'C:\Users\Default\*'
- 'C:\Windows\Temp\\*'
- 'C:\Temp\\*'
- '*\\Client\\*'
- 'C:\PerfLogs\\*'
- 'C:\Users\Public\\*'
- 'C:\Users\Default\\*'
- '*.ps1'
- '*.vbs'
- '*.bat'
@@ -0,0 +1,40 @@
---
action: global
title: Dridex Process Pattern
status: experimental
description: Detects typical Dridex process patterns
references:
- https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3
author: Florian Roth
date: 2019/01/10
logsource:
product: windows
service: sysmon
detection:
condition: 1 of them
falsepositives:
- Unlikely
level: critical
---
logsource:
product: windows
service: sysmon
detection:
selection1:
EventID: 1
CommandLine: '*\svchost.exe C:\Users\\*\Desktop\\*'
selection2:
EventID: 1
ParentImage: '*\svchost.exe*'
CommandLine:
- '*whoami.exe /all'
- '*net.exe view'
---
logsource:
product: windows
service: security
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
ProcessCommandLine: '*\svchost.exe C:\Users\\*\Desktop\\*'
@@ -22,7 +22,7 @@ detection:
CommandLine: '* deletejournal *'
pipe_com:
EventID: 1
CommandLine: '*\AppData\Local\Temp\* \\.\pipe\*'
CommandLine: '*\AppData\Local\Temp\* \\.\pipe\\*'
event_clean:
EventID: 1
Image: '*\wevtutil.exe'
+4 -3
@@ -8,6 +8,7 @@ references:
- https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
author: Florian Roth, Tom Ueltschi
date: 2017/11/10
modified: 2018/12/11
detection:
condition: selection
level: high
@@ -16,11 +17,11 @@ level: high
logsource:
product: windows
service: security
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
CommandLine:
ProcessCommandLine:
- '*\AppData\Roaming\Oracle*\java*.exe *'
- '*cscript.exe *Retrive*.vbs *'
---
@@ -52,4 +53,4 @@ detection:
selection:
EventID: 13
TargetObject: '\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*'
Details: '%AppData%\Roaming\Oracle\bin\*'
Details: '%AppData%\Roaming\Oracle\bin\\*'
+1 -1
@@ -21,7 +21,7 @@ level: critical
logsource:
product: windows
service: security
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection1:
# Requires group policy 'Audit Process Creation' > Include command line in process creation events
+1 -1
@@ -19,7 +19,7 @@ detection:
- 'ActiveScriptEventConsumer'
- 'CommandLineEventConsumer'
- 'CommandLineTemplate'
- 'Binding EventFilter'
# - 'Binding EventFilter' # too many false positive with HP Health Driver
selection2:
EventID: 5859
condition: selection and 1 of keywords or selection2
@@ -1,6 +1,7 @@
title: Malicious PowerShell Commandlets
status: experimental
description: Detects Commandlet names from well-known PowerShell exploitation frameworks
modified: 2019/01/22
references:
- https://adsecurity.org/?p=2921
tags:
@@ -10,7 +11,7 @@ author: Sean Metcalf (source), Florian Roth (rule)
logsource:
product: windows
service: powershell
description: 'It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
definition: 'It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
detection:
keywords:
- Invoke-DllInjection
@@ -40,7 +41,6 @@ detection:
- Get-VulnAutoRun
- Get-VulnSchTask
- Get-UnattendedInstallFile
- Get-WebConfig
- Get-ApplicationHost
- Get-RegAlwaysInstallElevated
- Get-Unconstrained
@@ -1,6 +1,7 @@
title: Malicious PowerShell Keywords
status: experimental
description: Detects keywords from well-known PowerShell exploitation frameworks
modified: 2019/01/22
references:
- https://adsecurity.org/?p=2921
tags:
@@ -10,23 +11,17 @@ author: Sean Metcalf (source), Florian Roth (rule)
logsource:
product: windows
service: powershell
description: 'It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
definition: 'It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
detection:
keywords:
- AdjustTokenPrivileges
- IMAGE_NT_OPTIONAL_HDR64_MAGIC
- Management.Automation.RuntimeException
- Microsoft.Win32.UnsafeNativeMethods
- ReadProcessMemory.Invoke
- Runtime.InteropServices
- SE_PRIVILEGE_ENABLED
- System.Security.Cryptography
- System.Runtime.InteropServices
- LSA_UNICODE_STRING
- MiniDumpWriteDump
- PAGE_EXECUTE_READ
- Net.Sockets.SocketFlags
- Reflection.Assembly
- SECURITY_DELEGATION
- TOKEN_ADJUST_PRIVILEGES
- TOKEN_ALL_ACCESS
@@ -10,7 +10,7 @@ author: Sami Ruohonen
logsource:
product: windows
service: powershell
description: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
definition: 'It is recommended to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
detection:
keyword1:
- "set-content"
@@ -12,7 +12,7 @@ author: John Lambert (idea), Florian Roth (rule)
logsource:
product: windows
service: powershell
description: 'Script block logging must be enabled'
definition: 'Script block logging must be enabled'
detection:
selection:
EventID: 4104
@@ -10,7 +10,7 @@ author: Sean Metcalf (source), Florian Roth (rule)
logsource:
product: windows
service: powershell
description: 'It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
definition: 'It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277'
detection:
selection:
EventID: 4103
@@ -1,5 +1,5 @@
action: global
title: Suspicious Encoded PowerShell Command Line
title: Suspicious XOR Encoded PowerShell Command Line
description: Detects suspicious powershell process which includes bxor command, alternatvide obfuscation method to b64 encoded commands.
status: experimental
author: Sami Ruohonen
@@ -23,7 +23,7 @@ detection:
logsource:
product: windows
service: security
description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
detection:
selection:
EventID: 4688
@@ -12,7 +12,7 @@ date: 2018/06/03
logsource:
product: windows
service: sysmon
description: 'Requirements: Sysmon config with Imphash logging activated'
definition: 'Requirements: Sysmon config with Imphash logging activated'
detection:
selection:
EventID: 15
@@ -14,7 +14,7 @@ detection:
CommandLine: '*\desktop.ini *'
intel:
ParentImage: '*\cmd.exe'
CommandLine: '+R +H +S +A \*.cui'
CommandLine: '+R +H +S +A \\*.cui'
ParentCommandLine: 'C:\WINDOWS\system32\\*.bat'
condition: selection and not (ini or intel)
fields:
@@ -0,0 +1,29 @@
title: CACTUSTORCH Remote Thread Creation
description: Detects remote thread creation from CACTUSTORCH as described in references.
references:
- https://twitter.com/SBousseaden/status/1090588499517079552
- https://github.com/mdsecactivebreach/CACTUSTORCH
status: experimental
author: "@SBousseaden (detection), Thomas Patzke (rule)"
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 8
SourceImage:
- '*\System32\cscript.exe'
- '*\System32\wscript.exe'
- '*\System32\mshta.exe'
- '*\winword.exe'
- '*\excel.exe'
TargetImage: '*\SysWOW64\\*'
StartModule: null
condition: selection
tags:
- attack.execution
- attack.t1055
- attack.t1064
falsepositives:
- unknown
level: high
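Review bot: The rule has no `date:` field, unlike the other new rules in this merge (RDP Login, GUP, Dridex), so its age cannot be read from the metadata; the CobaltStrike Process Injection and Logon Scripts rules added below have the same gap. Suggest adding `date: YYYY/MM/DD` (authoring date, placeholder) to each. `StartModule: null` depends on the backends treating null as field-absent; a one-line comment such as `# matches thread-creation events whose StartModule is absent/null` would help whoever tunes the rule later.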
+1 -1
@@ -1,7 +1,7 @@
title: Cmdkey Cached Credentials Recon
status: experimental
description: Detects usage of cmdkey to look for cached credentials
reference:
references:
- https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
- https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx
author: jmallette
@@ -0,0 +1,21 @@
title: CobaltStrike Process Injection
description: Detects a possible remote threat creation with certain characteristics which are typical for Cobalt Strike beacons
references:
- https://medium.com/@olafhartong/cobalt-strike-remote-threads-detection-206372d11d0f
status: experimental
author: Olaf Hartong, Florian Roth
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 8
TargetProcessAddress: '*0B80'
condition: selection
tags:
- attack.process_injection
- attack.t1055
falsepositives:
- unknown
level: high
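Review bot: `- attack.process_injection` under tags is not an ATT&CK tactic name; the rule in this diff that tags t1055 uses `- attack.defense_evasion` and `- attack.privilege_escalation`, and this rule should use the same pair so tag-based filtering and the rule tests treat both consistently. The rule also carries no `date:` field unlike the other rules touched here. Since `TargetProcessAddress: '*0B80'` is the only selector, a one-line comment above it explaining where that suffix comes from (the referenced write-up) would help maintainers judge future false-positive reports.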
@@ -5,7 +5,7 @@ references:
- https://github.com/GhostPack/SafetyKatz
tags:
- attack.credential_access
- attack.T1003
- attack.t1003
author: Markus Neis
date: 2018/24/07
logsource:
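Review bot: `date: 2018/24/07` is not a valid YYYY/MM/DD value (month 24) and survives on the new side while the hunk only lowercases the technique tag; presumably `date: 2018/07/24` was intended, which the author should confirm. The other rules in this diff use the `date: 2018/04/06` form.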
@@ -0,0 +1,34 @@
title: Logon Scripts (UserInitMprLogonScript)
status: experimental
description: Detects creation or execution of UserInitMprLogonScript persistence method
references:
- https://attack.mitre.org/techniques/T1037/
tags:
- attack.t1037
- attack.persistence
- attack.lateral_movement
author: Tom Ueltschi (@c_APT_ure)
logsource:
product: windows
service: sysmon
detection:
exec_selection:
EventID: 1
ParentImage: userinit.exe
exec_exclusion:
Image: explorer.exe
CommandLine: netlogon.bat
create_selection:
EventID:
- 1
- 11
- 12
- 13
- 14
create_keywords:
- UserInitMprLogonScript
condition: (exec_selection and not exec_exclusion) or (create_selection and create_keywords)
falsepositives:
- exclude legitimate logon scripts
- penetration tests, red teaming
level: high
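Review bot: `ParentImage: userinit.exe`, `Image: explorer.exe` and `CommandLine: netlogon.bat` in exec_selection and exec_exclusion are exact-match values with no wildcard, whereas Sysmon Event ID 1 records full image paths and every sibling rule in this diff uses the `'*\cmd.exe'` form; as written the exec branch is unlikely to ever match and the exclusion unlikely to ever exclude. Suggest `ParentImage: '*\userinit.exe'`, `Image: '*\explorer.exe'` and, if a substring match is meant, `CommandLine: '*netlogon.bat*'`. The rule also has no `date:` field like the other rules here.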
@@ -8,7 +8,7 @@ author: Florian Roth
logsource:
product: windows
service: sysmon
description: 'Note that you have to configure logging for PipeEvents in Symson config'
definition: 'Note that you have to configure logging for PipeEvents in Symson config'
detection:
selection:
EventID:
@@ -31,7 +31,7 @@ detection:
condition: selection
tags:
- attack.defense_evasion
- attack.privelege_escalation
- attack.privilege_escalation
- attack.t1055
falsepositives:
- Unkown
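Review bot: `- Unkown` under falsepositives is a typo that survives on the new side of this hunk; suggest `- Unknown`. In the earlier `@@ -8,7 +8,7 @@ author: Florian Roth` hunk, which appears to belong to the same rule file, the `definition:` string has `Symson config`, presumably `Sysmon config`, and could be fixed in the same commit.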
@@ -8,7 +8,7 @@ date: 2017/03/19
logsource:
product: windows
service: sysmon
description: 'Use the following config to generate the necessary Event ID 10 Process Access events: <ProcessAccess onmatch="include"><CallTrace condition="contains">VBE7.DLL</CallTrace></ProcessAccess><ProcessAccess onmatch="exclude"><CallTrace condition="excludes">UNKNOWN</CallTrace></ProcessAccess>'
definition: 'Use the following config to generate the necessary Event ID 10 Process Access events: <ProcessAccess onmatch="include"><CallTrace condition="contains">VBE7.DLL</CallTrace></ProcessAccess><ProcessAccess onmatch="exclude"><CallTrace condition="excludes">UNKNOWN</CallTrace></ProcessAccess>'
detection:
selection:
EventID: 3
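Review bot: The `definition:` text describes a Sysmon ProcessAccess (Event ID 10) configuration, but the selection directly beneath it matches `EventID: 3`; the identical definition string appears in the `@@ -8,7 +8,7 @@ date: 2017/03/04` rule whose selection does use Event ID 10, so this one looks copied and would misdirect anyone configuring Sysmon for it. If this selection is about network-connection events, the definition should describe the NetworkConnect logging requirement instead, or be dropped. The selection continues outside the hunk, so this is inferred from the visible lines.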
@@ -12,16 +12,16 @@ detection:
- '*\wscript.exe'
- '*\cscript.exe'
CommandLine:
- '* C:\Users\*.jse *'
- '* C:\Users\*.vbe *'
- '* C:\Users\*.js *'
- '* C:\Users\*.vba *'
- '* C:\Users\*.vbs *'
- '* C:\ProgramData\*.jse *'
- '* C:\ProgramData\*.vbe *'
- '* C:\ProgramData\*.js *'
- '* C:\ProgramData\*.vba *'
- '* C:\ProgramData\*.vbs *'
- '* C:\Users\\*.jse *'
- '* C:\Users\\*.vbe *'
- '* C:\Users\\*.js *'
- '* C:\Users\\*.vba *'
- '* C:\Users\\*.vbs *'
- '* C:\ProgramData\\*.jse *'
- '* C:\ProgramData\\*.vbe *'
- '* C:\ProgramData\\*.js *'
- '* C:\ProgramData\\*.vba *'
- '* C:\ProgramData\\*.vbs *'
falsepositive:
ParentImage: '*\winzip*'
condition: selection
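Review bot: The `falsepositive:` block (`ParentImage: '*\winzip*'`) is defined under detection but `condition: selection` never references it, so the exclusion has no effect and the rule still alerts on the WinZip case it was evidently meant to carve out; presumably `condition: selection and not falsepositive` was intended. The detection block starts before the hunk, so any other selections it contains are not visible here.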
@@ -8,7 +8,7 @@ date: 2017/03/04
logsource:
product: windows
service: sysmon
description: 'Use the following config to generate the necessary Event ID 10 Process Access events: <ProcessAccess onmatch="include"><CallTrace condition="contains">VBE7.DLL</CallTrace></ProcessAccess><ProcessAccess onmatch="exclude"><CallTrace condition="excludes">UNKNOWN</CallTrace></ProcessAccess>'
definition: 'Use the following config to generate the necessary Event ID 10 Process Access events: <ProcessAccess onmatch="include"><CallTrace condition="contains">VBE7.DLL</CallTrace></ProcessAccess><ProcessAccess onmatch="exclude"><CallTrace condition="excludes">UNKNOWN</CallTrace></ProcessAccess>'
detection:
selection:
EventID: 10
@@ -17,7 +17,7 @@ detection:
combination1:
CallTrace: '*|UNKNOWN(*VBE7.DLL*'
combination2:
SourceImage: '*\Microsoft Office\*'
SourceImage: '*\Microsoft Office\\*'
CallTrace: '*|UNKNOWN*'
condition: selection and 1 of combination*
falsepositives:
@@ -1,24 +0,0 @@
title: Office Macro Starts Cmd
status: experimental
description: Detects a Windows command line executable started from Microsoft Word or Excel
references:
- https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100
author: Florian Roth
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
ParentImage:
- '*\WINWORD.EXE'
- '*\EXCEL.EXE'
Image: '*\cmd.exe'
condition: selection
fields:
- CommandLine
- ParentCommandLine
falsepositives:
- unknown
level: high
+2 -1
@@ -4,11 +4,12 @@ description: Detects a Windows command line executable started from Microsoft Wo
references:
- https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100
- https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
- https://www2.cybereason.com/asset/60:research-cobalt-kitty-attack-lifecycle
tags:
- attack.execution
- attack.defense_evasion
- attack.t1059
- attack.T1202
- attack.t1202
author: Michael Haag, Florian Roth, Markus Neis
date: 2018/04/06
logsource:
@@ -1,31 +0,0 @@
title: Microsoft Outlook Spawning Windows Shell
status: experimental
description: Detects a Windows command line executable started from Microsoft Outlook
references:
- https://www2.cybereason.com/asset/60:research-cobalt-kitty-attack-lifecycle
author: Florian Roth
date: 2018/03/06
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
ParentImage:
- '*\OUTLOOK.EXE'
Image:
- '*\cmd.exe'
- '*\powershell.exe'
- '*\wscript.exe'
- '*\cscript.exe'
- '*\sh.exe'
- '*\bash.exe'
- '*\schtasks.exe'
condition: selection
fields:
- CommandLine
- ParentCommandLine
falsepositives:
- False positives are possible, depends on organisation and processes
level: high
@@ -1,4 +1,4 @@
title: Executable used by PlugX in Uncommon Location
title: Executable used by PlugX in Uncommon Location - Sysmon Version
status: experimental
description: Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location
references:
@@ -17,7 +17,7 @@ detection:
Image: '*\CamMute.exe'
filter_cammute:
EventID: 1
Image: '*\Lenovo\Communication Utility\*'
Image: '*\Lenovo\Communication Utility\\*'
# Chrome Frame Helper
selection_chrome_frame:
@@ -25,7 +25,7 @@ detection:
Image: '*\chrome_frame_helper.exe'
filter_chrome_frame:
EventID: 1
Image: '*\Google\Chrome\application\*'
Image: '*\Google\Chrome\application\\*'
# Microsoft Device Emulator
selection_devemu:
@@ -33,7 +33,7 @@ detection:
Image: '*\dvcemumanager.exe'
filter_devemu:
EventID: 1
Image: '*\Microsoft Device Emulator\*'
Image: '*\Microsoft Device Emulator\\*'
# Windows Media Player Gadget
selection_gadget:
@@ -41,7 +41,7 @@ detection:
Image: '*\Gadget.exe'
filter_gadget:
EventID: 1
Image: '*\Windows Media Player\*'
Image: '*\Windows Media Player\\*'
# HTML Help Workshop
selection_hcc:
@@ -49,7 +49,7 @@ detection:
Image: '*\hcc.exe'
filter_hcc:
EventID: 1
Image: '*\HTML Help Workshop\*'
Image: '*\HTML Help Workshop\\*'
# Hotkey Command Module for Intel Graphics Contollers
selection_hkcmd:
@@ -58,9 +58,9 @@ detection:
filter_hkcmd:
EventID: 1
Image:
- '*\System32\*'
- '*\SysNative\*'
- '*\SysWowo64\*'
- '*\System32\\*'
- '*\SysNative\\*'
- '*\SysWowo64\\*'
# McAfee component
selection_mc:
@@ -80,9 +80,9 @@ detection:
filter_msmpeng:
EventID: 1
Image:
- '*\Microsoft Security Client\*'
- '*\Windows Defender\*'
- '*\AntiMalware\*'
- '*\Microsoft Security Client\\*'
- '*\Windows Defender\\*'
- '*\AntiMalware\\*'
# Microsoft Security Center
selection_msseces:
@@ -90,7 +90,7 @@ detection:
Image: '*\msseces.exe'
filter_msseces:
EventID: 1
Image: '*\Microsoft Security Center\*'
Image: '*\Microsoft Security Center\\*'
# Microsoft Office 2003 OInfo
selection_oinfo:
@@ -98,7 +98,7 @@ detection:
Image: '*\OInfoP11.exe'
filter_oinfo:
EventID: 1
Image: '*\Common Files\Microsoft Shared\*'
Image: '*\Common Files\Microsoft Shared\\*'
# OLE View
selection_oleview:
@@ -110,20 +110,20 @@ detection:
- '*\Microsoft Visual Studio*'
- '*\Microsoft SDK*'
- '*\Windows Kit*'
- '*\Windows Resource Kit\*'
- '*\Windows Resource Kit\\*'
# RC
selection_rc:
EventID: 1
Image: '*\OleView.exe'
Image: '*\rc.exe'
filter_rc:
EventID: 1
Image:
- '*\Microsoft Visual Studio*'
- '*\Microsoft SDK*'
- '*\Windows Kit*'
- '*\Windows Resource Kit\*'
- '*\Microsoft.NET\*'
- '*\Windows Resource Kit\\*'
- '*\Microsoft.NET\\*'
condition: ( selection_cammute and not filter_cammute ) or
( selection_chrome_frame and not filter_chrome_frame ) or
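Review bot: In the `filter_hkcmd` hunk the new line `- '*\SysWowo64\\*'` keeps the misspelled directory name, so the filter will not match the real SysWOW64 path and legitimate hkcmd.exe launches from there would still alert; the CACTUSTORCH rule in this diff spells it `'*\SysWOW64\\*'`. Suggest `- '*\SysWOW64\\*'`. The condition at the end of the last hunk continues outside the view.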
@@ -18,7 +18,22 @@ detection:
DestinationIp:
- '10.*'
- '192.168.*'
- '172.*'
- '172.16.*'
- '172.17.*'
- '172.18.*'
- '172.19.*'
- '172.20.*'
- '172.21.*'
- '172.22.*'
- '172.23.*'
- '172.24.*'
- '172.25.*'
- '172.26.*'
- '172.27.*'
- '172.28.*'
- '172.29.*'
- '172.30.*'
- '172.31.*'
- '127.0.0.1'
DestinationIsIpv6: 'false'
User: 'NT AUTHORITY\SYSTEM'
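Review bot: Only `'127.0.0.1'` is listed for loopback in the DestinationIp list although the whole 127.0.0.0/8 is loopback; if this list is meant to carve out local traffic, `- '127.*'` would close that gap alongside the sixteen `172.16.*`–`172.31.*` prefixes. A one-line comment above the list, `# RFC 1918 ranges plus loopback`, would also keep the next editor from widening it back to `'172.*'`. The condition using this selection is outside the hunk, so whether the list is an inclusion or an exclusion is inferred.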
@@ -0,0 +1,27 @@
title: Renamed Powershell.exe
status: experimental
description: Detects copying and renaming of powershell.exe before execution (RETEFE malware DOC/macro starting Sept 2018)
references:
- https://attack.mitre.org/techniques/T1086/
- https://isc.sans.edu/forums/diary/Maldoc+Duplicating+PowerShell+Prior+to+Use/24254/
tags:
- attack.t1086
- attack.execution
author: Tom Ueltschi (@c_APT_ure)
logsource:
product: windows
service: sysmon
detection:
selection:
EventID: 1
Description: Windows PowerShell
exclusion_1:
Image:
- powershell.exe
- powershell_ise.exe
exclusion_2:
Description: Windows PowerShell ISE
condition: all of selection and not (1 of exclusion_*)
falsepositives:
- penetration tests, red teaming
level: high
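Review bot: `Image:` in `exclusion_1` lists bare `powershell.exe` and `powershell_ise.exe`, but Sysmon's Image field holds the full path and the rest of this diff matches it with the `'*\powershell.exe'` form; as written the exclusion is unlikely to ever match, so every ordinary PowerShell start carrying `Description: Windows PowerShell` would alert. Suggest `- '*\powershell.exe'` and `- '*\powershell_ise.exe'`. The rule also lacks a `date:` field like the other new rules here.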
@@ -6,55 +6,57 @@ references:
tags:
- attack.execution
- attack.t1086
author: Florian Roth (rule), Daniel Bohannon (idea)
author: Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix)
logsource:
product: windows
service: sysmon
detection:
keywords:
Image: '*\powershell.exe'
substrings:
- ' -windowstyle h '
- ' -windowstyl h'
- ' -windowsty h'
- ' -windowst h'
- ' -windows h'
- ' -windo h'
- ' -wind h'
- ' -win h'
- ' -wi h'
- ' -win h '
- ' -win hi '
- ' -win hid '
- ' -win hidd '
- ' -win hidde '
- ' -NoPr '
- ' -NoPro '
- ' -NoProf '
- ' -NoProfi '
- ' -NoProfil '
- ' -nonin '
- ' -nonint '
- ' -noninte '
- ' -noninter '
- ' -nonintera '
- ' -noninterac '
- ' -noninteract '
- ' -noninteracti '
- ' -noninteractiv '
- ' -ec '
- ' -encodedComman '
- ' -encodedComma '
- ' -encodedComm '
- ' -encodedCom '
- ' -encodedCo '
- ' -encodedC '
- ' -encoded '
- ' -encode '
- ' -encod '
- ' -enco '
- ' -en '
condition: all of them
selection:
Image:
- '*\Powershell.exe'
EventID: 1
CommandLine:
- ' -windowstyle h '
- ' -windowstyl h'
- ' -windowsty h'
- ' -windowst h'
- ' -windows h'
- ' -windo h'
- ' -wind h'
- ' -win h'
- ' -wi h'
- ' -win h '
- ' -win hi '
- ' -win hid '
- ' -win hidd '
- ' -win hidde '
- ' -NoPr '
- ' -NoPro '
- ' -NoProf '
- ' -NoProfi '
- ' -NoProfil '
- ' -nonin '
- ' -nonint '
- ' -noninte '
- ' -noninter '
- ' -nonintera '
- ' -noninterac '
- ' -noninteract '
- ' -noninteracti '
- ' -noninteractiv '
- ' -ec '
- ' -encodedComman '
- ' -encodedComma '
- ' -encodedComm '
- ' -encodedCom '
- ' -encodedCo '
- ' -encodedC '
- ' -encoded '
- ' -encode '
- ' -encod '
- ' -enco '
- ' -en '
condition: selection
falsepositives:
- Penetration tests
level: high
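Review bot: The new selection uses `- '*\Powershell.exe'` with a capital P, whereas the keyword line it replaces and the other rules in this diff use `'*\powershell.exe'`; on a backend with case-sensitive matching (Elasticsearch keyword fields, for example) this spelling would miss the usual lowercase image name. Suggest `- '*\powershell.exe'`. The `CommandLine:` list is an OR of substrings, so the rule now fires on any single truncated flag, which appears to be the fix over the old `all of them` condition.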
