diff --git a/deprecated/windows/proc_creation_win_service_stop.yml b/deprecated/windows/proc_creation_win_service_stop.yml index 125126aa1..a0cf913b0 100644 --- a/deprecated/windows/proc_creation_win_service_stop.yml +++ b/deprecated/windows/proc_creation_win_service_stop.yml @@ -1,7 +1,7 @@ title: Stop Windows Service id: eb87818d-db5d-49cc-a987-d5da331fbd90 status: deprecated -description: Detects a windows service to be stopped +description: Detects a Windows service to be stopped author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali date: 2019/10/23 modified: 2023/03/05 diff --git a/rules-emerging-threats/2017/Malware/NotPetya/proc_creation_win_malware_notpetya.yml b/rules-emerging-threats/2017/Malware/NotPetya/proc_creation_win_malware_notpetya.yml index 6f3803bad..6a6b45099 100644 --- a/rules-emerging-threats/2017/Malware/NotPetya/proc_creation_win_malware_notpetya.yml +++ b/rules-emerging-threats/2017/Malware/NotPetya/proc_creation_win_malware_notpetya.yml @@ -1,7 +1,7 @@ title: NotPetya Ransomware Activity id: 79aeeb41-8156-4fac-a0cd-076495ab82a1 status: test -description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil +description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and Windows eventlogs are cleared using wevtutil references: - https://securelist.com/schroedingers-petya/78870/ - https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100 diff --git a/rules/web/webserver_generic/web_susp_windows_path_uri.yml b/rules/web/webserver_generic/web_susp_windows_path_uri.yml index 42391902e..3835da11a 100644 --- a/rules/web/webserver_generic/web_susp_windows_path_uri.yml 
+++ b/rules/web/webserver_generic/web_susp_windows_path_uri.yml @@ -1,7 +1,7 @@ title: Suspicious Windows Strings In URI id: 9f6a34b4-2688-4eb7-a7f5-e39fef573d0e status: experimental -description: Detects suspicious windows strins in URI which could indicate possible exfiltration or webshell communication +description: Detects suspicious Windows strings in URI which could indicate possible exfiltration or webshell communication references: - https://thedfirreport.com/2022/06/06/will-the-real-msiexec-please-stand-up-exploit-leads-to-data-exfiltration/ author: Nasreddine Bencherchali (Nextron Systems) diff --git a/rules/windows/builtin/application/application_error/win_werfault_susp_lsass_credential_dump.yml b/rules/windows/builtin/application/application_error/win_werfault_susp_lsass_credential_dump.yml index 420037348..a3a6620c5 100644 --- a/rules/windows/builtin/application/application_error/win_werfault_susp_lsass_credential_dump.yml +++ b/rules/windows/builtin/application/application_error/win_werfault_susp_lsass_credential_dump.yml @@ -1,7 +1,7 @@ title: Potential Credential Dumping Via WER - Application id: a18e0862-127b-43ca-be12-1a542c75c7c5 status: experimental -description: Detects windows error reporting event where the process that crashed is lsass. This could be the cause of an intentional crash by techniques such as Lsass-Shtinkering to dump credential +description: Detects Windows error reporting event where the process that crashed is lsass. This could be the cause of an intentional crash by techniques such as Lsass-Shtinkering to dump credential references: - https://github.com/deepinstinct/Lsass-Shtinkering - https://media.defcon.org/DEF%20CON%2030/DEF%20CON%2030%20presentations/Asaf%20Gilboa%20-%20LSASS%20Shtinkering%20Abusing%20Windows%20Error%20Reporting%20to%20Dump%20LSASS.pdf 
diff --git a/rules/windows/builtin/firewall_as/win_firewall_as_change_rule.yml b/rules/windows/builtin/firewall_as/win_firewall_as_change_rule.yml index b88773ccf..6a8c83109 100644 --- a/rules/windows/builtin/firewall_as/win_firewall_as_change_rule.yml +++ b/rules/windows/builtin/firewall_as/win_firewall_as_change_rule.yml @@ -1,7 +1,7 @@ title: Firewall Rule Modified In The Windows Firewall Exception List id: 5570c4d9-8fdd-4622-965b-403a5a101aa0 status: experimental -description: Detects when a rule has been modified in the windows firewall exception list +description: Detects when a rule has been modified in the Windows firewall exception list references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-r2-and-2008/dd364427(v=ws.10) author: frack113 diff --git a/rules/windows/builtin/security/win_security_defender_bypass.yml b/rules/windows/builtin/security/win_security_defender_bypass.yml index 283d5f05c..a975119ed 100644 --- a/rules/windows/builtin/security/win_security_defender_bypass.yml +++ b/rules/windows/builtin/security/win_security_defender_bypass.yml @@ -1,7 +1,7 @@ title: Windows Defender Exclusion Set id: e9c8808f-4cfb-4ba9-97d4-e5f3beaa244d status: test -description: Detects scenarios where an windows defender exclusion was added in registry where an entity would want to bypass antivirus scanning from windows defender +description: Detects scenarios where an Windows Defender exclusion was added in registry where an entity would want to bypass antivirus scanning from Windows Defender references: - https://www.bleepingcomputer.com/news/security/gootkit-malware-bypasses-windows-defender-by-setting-path-exclusions/ author: '@BarryShooshooga' diff --git a/rules/windows/builtin/security/win_security_external_device.yml b/rules/windows/builtin/security/win_security_external_device.yml index fe85965dd..5f1e15eda 100644 --- a/rules/windows/builtin/security/win_security_external_device.yml 
+++ b/rules/windows/builtin/security/win_security_external_device.yml @@ -1,7 +1,7 @@ title: External Disk Drive Or USB Storage Device id: f69a87ea-955e-4fb4-adb2-bb9fd6685632 status: test -description: Detects external diskdrives or plugged in USB devices , EventID 6416 on windows 10 or later +description: Detects external diskdrives or plugged in USB devices, EventID 6416 on Windows 10 or later author: Keith Wright date: 2019/11/20 modified: 2022/10/09 diff --git a/rules/windows/builtin/security/win_security_user_creation.yml b/rules/windows/builtin/security/win_security_user_creation.yml index f0911193b..1748014e3 100644 --- a/rules/windows/builtin/security/win_security_user_creation.yml +++ b/rules/windows/builtin/security/win_security_user_creation.yml @@ -1,7 +1,7 @@ title: Local User Creation id: 66b6be3d-55d0-4f47-9855-d69df21740ea status: test -description: Detects local user creation on windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your windows server logs and not on your DC logs. +description: Detects local user creation on Windows servers, which shouldn't happen in an Active Directory environment. Apply this Sigma Use Case on your Windows server logs and not on your DC logs. references: - https://patrick-bareiss.com/detecting-local-user-creation-in-ad-with-sigma/ author: Patrick Bareiss diff --git a/rules/windows/builtin/system/microsoft_windows_ntfs/win_system_volume_shadow_copy_mount.yml b/rules/windows/builtin/system/microsoft_windows_ntfs/win_system_volume_shadow_copy_mount.yml index f4d01fd34..4b19beb71 100644 --- a/rules/windows/builtin/system/microsoft_windows_ntfs/win_system_volume_shadow_copy_mount.yml +++ b/rules/windows/builtin/system/microsoft_windows_ntfs/win_system_volume_shadow_copy_mount.yml 
@@ -1,7 +1,7 @@ title: Volume Shadow Copy Mount id: f512acbf-e662-4903-843e-97ce4652b740 status: test -description: Detects volume shadow copy mount via windows event log +description: Detects volume shadow copy mount via Windows event log references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1003.002/T1003.002.md#atomic-test-3---esentutlexe-sam-copy author: Roberto Rodriguez @Cyb3rWard0g, Open Threat Research (OTR) diff --git a/rules/windows/builtin/system/service_control_manager/win_system_krbrelayup_service_installation.yml b/rules/windows/builtin/system/service_control_manager/win_system_krbrelayup_service_installation.yml index bb9bfcfeb..ce0ed2c56 100644 --- a/rules/windows/builtin/system/service_control_manager/win_system_krbrelayup_service_installation.yml +++ b/rules/windows/builtin/system/service_control_manager/win_system_krbrelayup_service_installation.yml @@ -1,7 +1,7 @@ title: KrbRelayUp Service Installation id: e97d9903-53b2-41fc-8cb9-889ed4093e80 status: experimental -description: Detects service creation from KrbRelayUp tool used for privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings) +description: Detects service creation from KrbRelayUp tool used for privilege escalation in Windows domain environments where LDAP signing is not enforced (the default settings) references: - https://github.com/Dec0ne/KrbRelayUp author: Sittikorn S, Tim Shelton diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_generic.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_generic.yml index 11e686d32..8edccd725 100644 --- a/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_generic.yml +++ b/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_generic.yml 
@@ -4,7 +4,7 @@ related: - id: d6b5520d-3934-48b4-928c-2aa3f92d6963 type: similar status: experimental -description: Detects windows services that got terminated for whatever reason +description: Detects Windows services that got terminated for whatever reason references: - https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/ author: Nasreddine Bencherchali (Nextron Systems) diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_important.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_important.yml index b48674267..1724ebe35 100644 --- a/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_important.yml +++ b/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_error_important.yml @@ -4,7 +4,7 @@ related: - id: acfa2210-0d71-4eeb-b477-afab494d596c type: similar status: experimental -description: Detects important or interesting windows services that got terminated for whatever reason +description: Detects important or interesting Windows services that got terminated for whatever reason references: - https://www.microsoft.com/en-us/security/blog/2023/04/11/guidance-for-investigating-attacks-using-cve-2022-21894-the-blacklotus-campaign/ author: Nasreddine Bencherchali (Nextron Systems) diff --git a/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_unexpectedly.yml b/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_unexpectedly.yml index ecf75354e..0c5a1411b 100644 --- a/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_unexpectedly.yml +++ b/rules/windows/builtin/system/service_control_manager/win_system_service_terminated_unexpectedly.yml 
@@ -1,7 +1,7 @@ title: Important Windows Service Terminated Unexpectedly id: 56abae0c-6212-4b97-adc0-0b559bb950c3 status: experimental -description: Detects important or interesting windows services that got terminated unexpectedly. +description: Detects important or interesting Windows services that got terminated unexpectedly. references: - https://www.randori.com/blog/vulnerability-analysis-queuejumper-cve-2023-21554/ author: Nasreddine Bencherchali (Nextron Systems) @@ -21,7 +21,7 @@ detection: # Use this If you collect the binary value provided from this event, which is the wide hex encoded value of the service name. - Binary|contains: - '4d0053004d005100' # MSMQ (Microsoft Message Queuing). Encoded in upper case just in case - - '6d0073006d007100' # msmq + - '6d0073006d007100' # msmq condition: all of selection_* falsepositives: - Rare false positives could occur since service termination could happen due to multiple reasons diff --git a/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml b/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml index dc4ec9c8e..2c73b254c 100644 --- a/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml +++ b/rules/windows/builtin/windefend/win_defender_suspicious_features_tampering.yml @@ -6,7 +6,7 @@ related: - id: a3ab73f1-bd46-4319-8f06-4b20d0617886 type: similar status: stable -description: Detects suspicious changes to the windows defender configuration +description: Detects suspicious changes to the Windows Defender configuration references: - https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus?view=o365-worldwide - https://bidouillesecurity.com/disable-windows-defender-in-powershell/#DisableAntiSpyware 
diff --git a/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml b/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml index 40235df5c..c3d0b3929 100644 --- a/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml +++ b/rules/windows/file/file_event/file_event_win_shell_write_susp_files_extensions.yml @@ -4,7 +4,7 @@ related: - id: 1277f594-a7d1-4f28-a2d3-73af5cbeab43 type: derived status: experimental -description: Detects windows executables that writes files with suspicious extensions +description: Detects Windows executables that writes files with suspicious extensions references: - Internal Research author: Nasreddine Bencherchali (Nextron Systems) diff --git a/rules/windows/file/file_event/file_event_win_susp_double_extension.yml b/rules/windows/file/file_event/file_event_win_susp_double_extension.yml index 84b1f5cd6..707239007 100644 --- a/rules/windows/file/file_event/file_event_win_susp_double_extension.yml +++ b/rules/windows/file/file_event/file_event_win_susp_double_extension.yml @@ -6,7 +6,7 @@ related: - id: 3215aa19-f060-4332-86d5-5602511f3ca8 type: similar status: experimental -description: Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that windows hide default extensions by default. +description: Detects dropped files with double extensions, which is often used by malware as a method to abuse the fact that Windows hide default extensions by default. references: - https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/ - https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml index 03a17f1d4..d9b0f8ee1 100644 
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_susp_clear_eventlog.yml @@ -4,7 +4,7 @@ related: - id: cc36992a-4671-4f21-a91d-6c2b72a2edf5 type: derived status: experimental -description: Detects usage of known powershell cmdlets such as "Clear-EventLog" to clear the windows event logs +description: Detects usage of known powershell cmdlets such as "Clear-EventLog" to clear the Windows event logs references: - https://twitter.com/oroneequalsone/status/1568432028361830402 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.001/T1070.001.md diff --git a/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_rem_mp.yml b/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_rem_mp.yml index f8785f34e..57998fecb 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_rem_mp.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_rem_mp.yml @@ -4,7 +4,7 @@ related: - id: 07e3cb2c-0608-410d-be4b-1511cb1a0448 type: similar status: experimental -description: Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet +description: Detects attempts to remove Windows Defender configuration using the 'MpPreference' cmdlet references: - https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088 author: Nasreddine Bencherchali (Nextron Systems) diff --git a/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml b/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml index 372585a87..4bfc60ee9 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml 
+++ b/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml @@ -4,7 +4,7 @@ related: - id: ec19ebab-72dc-40e1-9728-4c0b805d722c type: derived status: experimental -description: Detects powershell scripts attempting to disable scheduled scanning and other parts of windows defender atp or set default actions to allow. +description: Detects PowerShell scripts attempting to disable scheduled scanning and other parts of Windows Defender ATP or set default actions to allow. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md - https://docs.microsoft.com/en-us/powershell/module/defender/set-mppreference?view=windowsserver2022-ps diff --git a/rules/windows/process_access/proc_access_win_invoke_phantom.yml b/rules/windows/process_access/proc_access_win_invoke_phantom.yml index 3edea6c0e..5cec62e5a 100755 --- a/rules/windows/process_access/proc_access_win_invoke_phantom.yml +++ b/rules/windows/process_access/proc_access_win_invoke_phantom.yml @@ -1,7 +1,7 @@ title: Potential Svchost Memory Access id: 166e9c50-8cd9-44af-815d-d1f0c0e90dde status: experimental -description: Detects potential access to svchost process memory such as that used by Invoke-Phantom to kill the winRM windows event logging service. +description: Detects potential access to svchost process memory such as that used by Invoke-Phantom to kill the winRM Windows event logging service. references: - https://github.com/hlldz/Invoke-Phant0m - https://twitter.com/timbmsft/status/900724491076214784 diff --git a/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml index dbd81092b..3b2e6ea8c 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml 
@@ -1,7 +1,7 @@ title: Files And Subdirectories Listing Using Dir id: 7c9340a9-e2ee-4e43-94c5-c54ebbea1006 status: experimental -description: Detects usage of the "dir" command that's part of windows batch/cmd to collect information about directories +description: Detects usage of the "dir" command that is part of Windows batch/cmd to collect information about directories references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md author: frack113 diff --git a/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml b/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml index e92c2ef68..bf889c045 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml +++ b/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml @@ -6,7 +6,7 @@ related: - id: 4f4eaa9f-5ad4-410c-a4be-bc6132b0175a type: similar status: experimental -description: Detects inline windows shell commands redirecting output via the ">" symbol to a suspicious location +description: Detects inline Windows shell commands redirecting output via the ">" symbol to a suspicious location references: - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/ author: Nasreddine Bencherchali (Nextron Systems) diff --git a/rules/windows/process_creation/proc_creation_win_hktl_krbrelayup.yml b/rules/windows/process_creation/proc_creation_win_hktl_krbrelayup.yml index ed5f243d8..6f4e18c2c 100644 --- a/rules/windows/process_creation/proc_creation_win_hktl_krbrelayup.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_krbrelayup.yml 
@@ -1,7 +1,7 @@ title: HackTool - KrbRelayUp Execution id: 12827a56-61a4-476a-a9cb-f3068f191073 status: experimental -description: Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced +description: Detects KrbRelayUp used to perform a universal no-fix local privilege escalation in Windows domain environments where LDAP signing is not enforced references: - https://github.com/Dec0ne/KrbRelayUp author: Florian Roth (Nextron Systems) diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_pktmon.yml b/rules/windows/process_creation/proc_creation_win_lolbin_pktmon.yml index 5497cd382..80352a3b0 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_pktmon.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_pktmon.yml @@ -1,7 +1,7 @@ title: Use of PktMon.exe id: f956c7c1-0f60-4bc5-b7d7-b39ab3c08908 status: test -description: Tools to Capture Network Packets on the windows 10 with October 2018 Update or later. +description: Tools to capture network packets on Windows 10 with October 2018 update or later. references: - https://lolbas-project.github.io/lolbas/Binaries/Pktmon/ author: frack113 diff --git a/rules/windows/process_creation/proc_creation_win_powershell_tamper_defender_remove_mppreference.yml b/rules/windows/process_creation/proc_creation_win_powershell_tamper_defender_remove_mppreference.yml index 09647dbfb..f25cdfbf7 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_tamper_defender_remove_mppreference.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_tamper_defender_remove_mppreference.yml 
@@ -4,7 +4,7 @@ related: - id: ae2bdd58-0681-48ac-be7f-58ab4e593458 type: similar status: experimental -description: Detects attempts to remove windows defender configuration using the 'MpPreference' cmdlet +description: Detects attempts to remove Windows Defender configurations using the 'MpPreference' cmdlet references: - https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/windows-10-controlled-folder-access-event-search/ba-p/2326088 author: Nasreddine Bencherchali (Nextron Systems) diff --git a/rules/windows/process_creation/proc_creation_win_pua_crassus.yml b/rules/windows/process_creation/proc_creation_win_pua_crassus.yml index 5bdc88a1a..dde52fca8 100644 --- a/rules/windows/process_creation/proc_creation_win_pua_crassus.yml +++ b/rules/windows/process_creation/proc_creation_win_pua_crassus.yml @@ -1,7 +1,7 @@ title: PUA - Crassus Execution id: 2c32b543-1058-4808-91c6-5b31b8bed6c5 status: experimental -description: Detects Crassus a windows privilege escalation discovery tool based on PE metadata characteristics. +description: Detects Crassus, a Windows privilege escalation discovery tool, based on PE metadata characteristics. references: - https://github.com/vu-ls/Crassus author: pH-T (Nextron Systems) diff --git a/rules/windows/process_creation/proc_creation_win_susp_elevated_system_shell.yml b/rules/windows/process_creation/proc_creation_win_susp_elevated_system_shell.yml index b9fb112dd..c31969ab3 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_elevated_system_shell.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_elevated_system_shell.yml 
@@ -1,7 +1,7 @@ title: Suspicious Elevated System Shell id: 178e615d-e666-498b-9630-9ed363038101 status: experimental -description: Detects when a shell program such as the windows Command Prompt or PowerShell is launched with system privileges. +description: Detects when a shell program such as the Windows command prompt or PowerShell is launched with system privileges. references: - https://github.com/Wh04m1001/SysmonEoP author: frack113, Tim Shelton (update fp) diff --git a/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml b/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml index d5967a44e..d55f1e293 100644 --- a/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml +++ b/rules/windows/process_creation/proc_creation_win_userinit_uncommon_child_processes.yml @@ -10,7 +10,7 @@ references: - https://learn.microsoft.com/en-us/windows-server/administration/server-core/server-core-sconfig#powershell-is-the-default-shell-on-server-core author: Tom Ueltschi (@c_APT_ure), Tim Shelton date: 2019/01/12 -modified: 2023/01/31 +modified: 2023/06/21 tags: - attack.t1037.001 - attack.persistence @@ -36,6 +36,8 @@ detection: - 'C:\Windows\SysWOW64\proquota.exe' filter_optional_citrix: Image|endswith: '\Citrix\System32\icast.exe' + filter_optional_image_null: + Image: null condition: selection and not 1 of filter_main_* and not 1 of filter_optional_* falsepositives: - Legitimate logon scripts or custom shells may trigger false positives. Apply additional filters accordingly. diff --git a/rules/windows/process_creation/proc_creation_win_wsl_lolbin_execution.yml b/rules/windows/process_creation/proc_creation_win_wsl_lolbin_execution.yml index 89e7c5625..6f38bca7b 100644 --- a/rules/windows/process_creation/proc_creation_win_wsl_lolbin_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_wsl_lolbin_execution.yml 
@@ -4,7 +4,7 @@ related: - id: 2267fe65-0681-42ad-9a6d-46553d3f3480 # Generic susp child processes rules type: similar status: test -description: Detects potential abuse of Windows Subsystem for Linux (WSL) binary as a LOLBIN to execute arbitrary linux and windows commands +description: Detects potential abuse of Windows Subsystem for Linux (WSL) binary as a LOLBIN to execute arbitrary Linux or Windows commands references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/ - https://twitter.com/nas_bench/status/1535431474429808642 diff --git a/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml b/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml index b53df547a..b2cc65fea 100644 --- a/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml +++ b/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml @@ -1,7 +1,7 @@ title: UAC Bypass Via Wsreset id: 6ea3bf32-9680-422d-9f50-e90716b12a66 status: test -description: Unfixed method for UAC bypass from windows 10. WSReset.exe file associated with the Windows Store. It will run a binary file contained in a low-privilege registry. +description: Unfixed method for UAC bypass from Windows 10. WSReset.exe file associated with the Windows Store. It will run a binary file contained in a low-privilege registry. references: - https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly - https://lolbas-project.github.io/lolbas/Binaries/Wsreset diff --git a/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml b/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml index b38ee9706..a2e86bc73 100644 --- a/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml +++ b/rules/windows/registry/registry_set/registry_set_change_winevt_channelaccess.yml 
@@ -1,7 +1,7 @@ title: Change Winevt Event Access Permission Via Registry id: 7d9263bd-dc47-4a58-bc92-5474abab390c status: experimental -description: Detects tampering with the "ChannelAccess" registry key in order to change access to windows event channel +description: Detects tampering with the "ChannelAccess" registry key in order to change access to Windows event channel references: - https://app.any.run/tasks/77b2e328-8f36-46b2-b2e2-8a80398217ab/ - https://learn.microsoft.com/en-us/windows/win32/api/winevt/ diff --git a/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml b/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml index ba278b9b2..3adcb5775 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_security_center_notifications.yml @@ -1,7 +1,7 @@ title: Disable Windows Security Center Notifications id: 3ae1a046-f7db-439d-b7ce-b8b366b81fa6 status: experimental -description: Detect set UseActionCenterExperience to 0 to disable the windows security center notification +description: Detect set UseActionCenterExperience to 0 to disable the Windows security center notification references: - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md author: frack113 diff --git a/rules/windows/registry/registry_set/registry_set_disable_windows_firewall.yml b/rules/windows/registry/registry_set/registry_set_disable_windows_firewall.yml index 9efca0a3e..c0037d67a 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_windows_firewall.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_windows_firewall.yml 
@@ -1,7 +1,7 @@ title: Disable Windows Firewall by Registry id: e78c408a-e2ea-43cd-b5ea-51975cf358c0 status: experimental -description: Detect set EnableFirewall to 0 to disable the windows firewall +description: Detect set EnableFirewall to 0 to disable the Windows firewall references: - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.004/T1562.004.md author: frack113 diff --git a/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml b/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml index 5f0f30a08..c0c358728 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_winevt_logging.yml @@ -1,7 +1,7 @@ title: Disable Windows Event Logging Via Registry id: 2f78da12-f7c7-430b-8b19-a28f269b77a3 status: experimental -description: Detects tampering with the "Enabled" registry key in order to disable windows logging of a windows event channel +description: Detects tampering with the "Enabled" registry key in order to disable Windows logging of a Windows event channel references: - https://twitter.com/WhichbufferArda/status/1543900539280293889 - https://github.com/DebugPrivilege/CPP/blob/c39d365617dbfbcb01fffad200d52b6239b2918c/Windows%20Defender/RestoreDefenderConfig.cpp diff --git a/rules/windows/registry/registry_set/registry_set_suppress_defender_notifications.yml b/rules/windows/registry/registry_set/registry_set_suppress_defender_notifications.yml index bac00d388..0b4414c36 100644 --- a/rules/windows/registry/registry_set/registry_set_suppress_defender_notifications.yml +++ b/rules/windows/registry/registry_set/registry_set_suppress_defender_notifications.yml 
@@ -1,7 +1,7 @@ title: Activate Suppression of Windows Security Center Notifications id: 0c93308a-3f1b-40a9-b649-57ea1a1c1d63 status: experimental -description: Detect set Notification_Suppress to 1 to disable the windows security center notification +description: Detect set Notification_Suppress to 1 to disable the Windows security center notification references: - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1112/T1112.md author: frack113 diff --git a/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml b/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml index 33f8c1991..bfca24f8a 100644 --- a/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml +++ b/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml @@ -6,7 +6,7 @@ related: - id: fd115e64-97c7-491f-951c-fc8da7e042fa type: obsoletes status: experimental -description: Detects when attackers or tools disable Windows Defender functionalities via the windows registry +description: Detects when attackers or tools disable Windows Defender functionalities via the Windows registry references: - https://thedfirreport.com/2021/10/18/icedid-to-xinglocker-ransomware-in-24-hours/ - https://gist.github.com/anadr/7465a9fde63d41341136949f14c21105
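Review bot: the description in rules/windows/builtin/security/win_security_defender_bypass.yml still reads "an Windows Defender exclusion" after the capitalization fix; since this line is being touched anyway, change the article to "a Windows Defender exclusion".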
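Review bot: the new `filter_optional_image_null:` / `Image: null` block in proc_creation_win_userinit_uncommon_child_processes.yml is the only logic change in this PR and carries no comment, while the neighbouring filters name the binary or product they cover (e.g. `Image|endswith: '\Citrix\System32\icast.exe'`). Add a one-line comment stating which telemetry emits process-creation events without an Image field, so a later maintainer can tell whether the exclusion is still needed, and say whether a missing Image is a data-quality exclusion that belongs under filter_main_ rather than an optional tuning filter that users may drop.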
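Review bot: in the `Binary|contains` hunk of win_system_service_terminated_unexpectedly.yml the removed and added `- '6d0073006d007100' # msmq` lines are textually identical, so the change is presumably whitespace only; mention that in the commit message, otherwise the hunk reads as a no-op to the next reviewer.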
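Review bot: "October 2018 Update" is the release name of that Windows 10 feature update, so lowercasing "update" in proc_creation_win_lolbin_pktmon.yml works against the PR's own goal of fixing proper nouns; keep "October 2018 Update". The description also still describes the binary rather than the detection ("Tools to capture network packets ..."); rephrase it in the form used by the other rules, e.g. "Detects usage of PktMon.exe, a tool to capture network packets on Windows 10 October 2018 Update or later".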
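Review bot: changing "Windows Command Prompt" to "Windows command prompt" in proc_creation_win_susp_elevated_system_shell.yml is the opposite of the fix applied everywhere else in this PR; "Command Prompt" is the product name of the cmd.exe console and should keep its capitals.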
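Review bot: posh_ps_tamper_windows_defender_rem_mp.yml and proc_creation_win_powershell_tamper_defender_remove_mppreference.yml are marked as similar to each other but end up with different wording, "remove Windows Defender configuration" versus "remove Windows Defender configurations"; pick one form for both.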
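Review bot: "Detects Windows executables that writes files" in file_event_win_shell_write_susp_files_extensions.yml has a subject-verb agreement error that the capitalization fix left in place; it should read "that write files".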
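Review bot: "the fact that Windows hide default extensions by default" in file_event_win_susp_double_extension.yml is both ungrammatical and redundant; "the fact that Windows hides known file extensions by default" says what the rule relies on.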
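Review bot: in win_werfault_susp_lsass_credential_dump.yml the title already uses the product abbreviation WER, so the description should use the product name "Windows Error Reporting" rather than "Windows error reporting"; while there, "to dump credential" should be "to dump credentials".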
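Review bot: "to kill the winRM Windows event logging service" in proc_access_win_invoke_phantom.yml is ambiguous after the edit, because WinRM and the Windows Event Log are separate services hosted in svchost; the description should name the one the rule and the Invoke-Phant0m reference actually target, and "winRM" should be written "WinRM" if it stays.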
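Review bot: "Detect set UseActionCenterExperience to 0 to disable the Windows security center notification" in registry_set_disable_security_center_notifications.yml is still ungrammatical; rephrase to "Detects setting UseActionCenterExperience to 0 to disable Windows Security Center notifications", and capitalize "Security Center" as a product name in line with the title.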
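Review bot: "Detect set EnableFirewall to 0 to disable the Windows firewall" in registry_set_disable_windows_firewall.yml has the same grammar problem; "Detects setting EnableFirewall to 0 to disable the Windows Firewall" matches the title's capitalization.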
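Review bot: "Detect set Notification_Suppress to 1 to disable the Windows security center notification" in registry_set_suppress_defender_notifications.yml should read "Detects setting Notification_Suppress to 1 to suppress Windows Security Center notifications", which also matches the title's wording ("Suppression").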
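Review bot: the description in registry_event_bypass_via_wsreset.yml still does not say what the rule detects and ends with "a binary file contained in a low-privilege registry", which is missing the word "key"; suggest "Detects a UAC bypass via WSReset.exe, a Windows Store binary that executes a binary referenced from a registry key writable by a low-privilege user".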
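Review bot: posh_ps_tamper_windows_defender_set_mp.yml now says "Windows Defender ATP", but the cmdlet named in its references, Set-MpPreference, configures Defender Antivirus rather than the ATP/EDR product; "Windows Defender Antivirus" would be the accurate product name here.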
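Review bot: posh_ps_susp_clear_eventlog.yml keeps "known powershell cmdlets" in lower case while the set_mp hunk in the same PR corrects "powershell" to "PowerShell"; apply the same fix here for consistency.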
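Review bot: "external diskdrives" in win_security_external_device.yml should be "external disk drives"; the hunk fixes the stray space before the comma but leaves this typo in place.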
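Review bot: "Windows eventlogs are cleared using wevtutil" in proc_creation_win_malware_notpetya.yml should be "Windows event logs", matching the wording used in the other rules touched by this PR.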
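Review bot: "change access to Windows event channel" in registry_set_change_winevt_channelaccess.yml is missing an article; "change access to a Windows event channel" reads correctly.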