From 7c44a58e5df87b33bc077b5ca87dd457860d9915 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 14 Oct 2022 11:40:49 +0200
Subject: [PATCH 1/4] refactor: extended renamed adfind detection
---
 .../proc_creation_win_susp_renamed_adfind.yml | 26 +++++++++++++++++--
 1 file changed, 24 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_susp_renamed_adfind.yml b/rules/windows/process_creation/proc_creation_win_susp_renamed_adfind.yml
index d5cc8629d..520de418f 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_renamed_adfind.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_renamed_adfind.yml
@@ -11,6 +11,7 @@ references:
 - https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
 - https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md
 date: 2022/08/21
+modified: 2022/10/13
 tags:
 - attack.discovery
 - attack.t1018
@@ -21,7 +22,28 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection:
+ selection_1:
+ CommandLine|contains:
+ - 'domainlist'
+ - 'trustdmp'
+ - 'dcmodes'
+ - 'adinfo'
+ - ' dclist '
+ - 'computer_pwdnotreqd'
+ - 'objectcategory='
+ - '-subnets -f'
+ - 'name="Domain Admins"'
+ - '-sc u:'
+ - 'domainncs'
+ - 'dompol'
+ - ' oudmp '
+ - 'subnetdmp'
+ - 'gpodmp'
+ - 'fspdmp'
+ - 'users_noexpire'
+ - 'computers_active'
+ - 'computers_pwdnotreqd'
+ selection_2:
 - Imphash:
 - bca5675746d13a1f246e2da3c2217492
 - 53e117a96057eaf19c41380d0e87f1c2
@@ -31,7 +53,7 @@ detection:
 filter:
 Image|endswith: '\AdFind.exe'
 OriginalFileName: 'AdFind.exe'
- condition: selection and not filter
+ condition: 1 of selection* and not filter
 falsepositives:
 - Unknown
 level: high
From 6706a67bb8bec761c22de188096bbf39c8c9b35d Mon Sep 17 00:00:00 2001
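Review bot: Several of the new `CommandLine|contains` entries in selection_1 of the second hunk (`@@ -21,7 +22,28`) are unanchored single words — `'adinfo'`, `'dompol'`, `'dcmodes'`, `'domainncs'` — so they match as a substring of any longer token, and `'objectcategory='` is an LDAP filter fragment that other directory-query tooling is likely to emit as well; because the `condition` in the third hunk ORs selection_1 with the Imphash selection, any one of these alone now raises a `level: high` alert while `falsepositives` stays `Unknown`. Anchoring the short words with a leading space, as the hunk already does for some entries (`- ' adinfo'`, `- ' dompol'`, `- ' dcmodes'`), narrows them without demanding a trailing space — the existing `' dclist '` and `' oudmp '` forms do require one, so a command line that ends in `dclist` does not match them. The benign sources of `objectcategory=` that are known would be worth listing under `falsepositives` in place of `Unknown`. The `detection` mapping continues past this hunk; its `filter` and `condition` are in the third hunk.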
From: Florian Roth
Date: Fri, 14 Oct 2022 11:44:49 +0200
Subject: [PATCH 2/4] refactor: move few apt rules to categories, del 'apt' folder
---
 .../powershell/powershell_script/posh_ps_apt_silence_eda.yml} | 0
 .../proc_creation_win_apt_silence_downloader_v3.yml} | 0
 2 files changed, 0 insertions(+), 0 deletions(-)
 rename rules/{apt/apt_silence_eda.yml => windows/powershell/powershell_script/posh_ps_apt_silence_eda.yml} (100%)
 rename rules/{apt/apt_silence_downloader_v3.yml => windows/process_creation/proc_creation_win_apt_silence_downloader_v3.yml} (100%)
diff --git a/rules/apt/apt_silence_eda.yml b/rules/windows/powershell/powershell_script/posh_ps_apt_silence_eda.yml
similarity index 100%
rename from rules/apt/apt_silence_eda.yml
rename to rules/windows/powershell/powershell_script/posh_ps_apt_silence_eda.yml
diff --git a/rules/apt/apt_silence_downloader_v3.yml b/rules/windows/process_creation/proc_creation_win_apt_silence_downloader_v3.yml
similarity index 100%
rename from rules/apt/apt_silence_downloader_v3.yml
rename to rules/windows/process_creation/proc_creation_win_apt_silence_downloader_v3.yml
From cc8a1a5441b035b3c166562cc31850b58268b2bf Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 14 Oct 2022 15:43:02 +0200
Subject: [PATCH 3/4] rule: suspicious wermgr process trees
---
 .../proc_creation_win_susp_wermgr.yml | 36 +++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_susp_wermgr.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_wermgr.yml b/rules/windows/process_creation/proc_creation_win_susp_wermgr.yml
new file mode 100644
index 000000000..ab08b328b
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_wermgr.yml
@@ -0,0 +1,36 @@
+title: Suspicious WERMGR Process Patterns
+id: CBEC226F-63D9-4ECA-9F52-DFB6652F24DF
+status: experimental
+description: Detects suspicious Windows Error Reporting manager (wermgr.exe) process patterns - suspicious parents / children, execution folders, command lines etc.
+references:
+ - https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html
+ - https://www.echotrail.io/insights/search/wermgr.exe
+author: Florian Roth
+date: 2022/10/14
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ Image|endswith: '\wermgr.exe'
+ filter_img_location:
+ Image|contains:
+ - 'C:\Windows\System32\'
+ - 'C:\Windows\SysWOW64\'
+ selection_susp_parent:
+ ParentImage|endswith: '\wermgr.exe'
+ Image|endswith:
+ - '\nslookup.exe'
+ - '\ipconfig.exe'
+ - '\net.exe'
+ - '\net1.exe'
+ - '\whoami.exe'
+ - '\netstat.exe'
+ - '\systeminfo.exe'
+ - '\cmd.exe'
+ - '\powershell.exe'
+ condition: selection_img and not filter_image_location
+ or 1 of selection_susp*
+falsepositives:
+ - Unknown
+level: high
From 77a61facd2e6cf90ce483ed8bb7f0fe44241f198 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 14 Oct 2022 17:27:20 +0200
Subject: [PATCH 4/4] fix: wrong selector in condition
---
 .../windows/process_creation/proc_creation_win_susp_wermgr.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_susp_wermgr.yml b/rules/windows/process_creation/proc_creation_win_susp_wermgr.yml
index ab08b328b..363cabff5 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_wermgr.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_wermgr.yml
@@ -29,7 +29,7 @@ detection:
 - '\systeminfo.exe'
 - '\cmd.exe'
 - '\powershell.exe'
- condition: selection_img and not filter_image_location
+ condition: selection_img and not filter_img_location
 or 1 of selection_susp*
 falsepositives:
 - Unknown
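Review bot: `filter_img_location` in the new rule hardcodes the `C:` drive letter in both `Image|contains` values, so on a host whose system root lives on another volume the genuine `wermgr.exe` is not excluded and alerts at `level: high`; dropping the letter — `- ':\Windows\System32\'` and `- ':\Windows\SysWOW64\'` — keeps the location check without that assumption. The file also ships without a `tags:` block, whereas the AdFind rule touched in PATCH 1/4 carries `attack.*` tags; if the referenced reports describe wermgr.exe being abused for masquerading or injection, the matching `attack.defense_evasion` technique tag belongs here so the alert can be routed. The `id` is written as an upper-case UUID; Sigma rule ids are conventionally lower-case. Note that the second `condition` line (`or 1 of selection_susp*`) is a plain-scalar continuation of the line above rather than a separate key, which is easy to misread when scanning the file.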
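Review bot: `condition: selection_img and not filter_img_location or 1 of selection_susp*` relies on Sigma's implicit precedence (`and` binding before `or`), so it evaluates as `(selection_img and not filter_img_location) or selection_susp_parent`, while a reader can just as easily parse it as `selection_img and not (filter_img_location or …)`, which would only ever match wermgr.exe itself and never the suspicious-child case. If the former is the intent, make it explicit with `condition: (selection_img and not filter_img_location) or 1 of selection_susp*`. `1 of selection_susp*` currently resolves to the single `selection_susp_parent` selector defined above this hunk, which is fine as a forward-compatible form.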