From 48baf1187b4e7bccedad171cbf0b07da65cdf10c Mon Sep 17 00:00:00 2001 
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 11 Mar 2024 12:01:30 +0100 Subject: [PATCH] Merge PR #4752 from @frack113 - Update rules to use the `windash` modifier update: File Enumeration Via Dir Command - Update logic to use a wildcard in addition, for better accuracy. chore: update multiple rules to use the windash modifier --------- Co-authored-by: nasbench <8741929+nasbench@users.noreply.github.com> --- ...n_malware_qakbot_regsvr32_calc_pattern.yml | 5 ++-- .../proc_creation_lnx_capa_discovery.yml | 5 ++-- ...ystem_susp_service_installation_script.yml | 7 ++---- ...oc_creation_win_bash_command_execution.yml | 7 +++++- .../proc_creation_win_bash_file_execution.yml | 4 ++- .../proc_creation_win_certoc_load_dll.yml | 6 ++--- ...ion_win_certoc_load_dll_susp_locations.yml | 5 ++-- ..._win_certutil_certificate_installation.yml | 5 ++-- .../proc_creation_win_certutil_decode.yml | 11 +++----- .../proc_creation_win_certutil_encode.yml | 6 ++--- ...on_win_certutil_encode_susp_extensions.yml | 5 ++-- ...tion_win_certutil_encode_susp_location.yml | 5 ++-- .../proc_creation_win_certutil_export_pfx.yml | 6 ++--- ...proc_creation_win_chcp_codepage_lookup.yml | 7 ++---- ...ation_win_cmd_curl_download_exec_combo.yml | 6 ++--- .../proc_creation_win_cmd_del_execution.yml | 13 ++++------ .../proc_creation_win_cmd_dir_execution.yml | 23 ++++++----------- ...n_win_cmd_ping_copy_combined_execution.yml | 15 +++++------ ...on_win_cmd_ping_del_combined_execution.yml | 10 +++----- ...eation_win_cmdkey_adding_generic_creds.yml | 24 ++++++++---------- .../proc_creation_win_cmdkey_recon.yml | 6 ++--- ...on_win_diskshadow_script_mode_susp_ext.yml | 5 ++-- ...n_diskshadow_script_mode_susp_location.yml | 5 ++-- .../proc_creation_win_esentutl_webcache.yml | 6 ++--- ...proc_creation_win_expand_cabinet_files.yml | 6 ++--- .../proc_creation_win_findstr_download.yml | 10 +++----- ..._creation_win_findstr_subfolder_search.yml | 10 +++----- 
...creation_win_forfiles_proxy_execution_.yml | 6 ++--- ...n_lodctr_performance_counter_tampering.yml | 5 ++-- ...oc_creation_win_odbcconf_response_file.yml | 5 ++-- .../proc_creation_win_ssh_port_forward.yml | 6 ++--- ...nternals_psexec_paexec_escalate_system.yml | 25 ++----------------- ...oc_creation_win_sysinternals_psloglist.yml | 9 ++----- ..._sysinternals_susp_psexec_paexec_flags.yml | 25 ++----------------- ...proc_creation_win_whoami_all_execution.yml | 5 ++-- ...reation_win_wmic_xsl_script_processing.yml | 6 ++--- tests/sigma_cli_conf.yml | 1 + 37 files changed, 104 insertions(+), 212 deletions(-) diff --git a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml index ae9419fbd..20e56a1c9 100644 --- a/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml +++ b/rules-emerging-threats/2023/Malware/Qakbot/proc_creation_win_malware_qakbot_regsvr32_calc_pattern.yml @@ -6,6 +6,7 @@ references: - https://github.com/pr0xylife/Qakbot/ author: Nasreddine Bencherchali (Nextron Systems) date: 2023/05/26 +modified: 2024/03/05 tags: - attack.defense_evasion - attack.execution @@ -16,9 +17,7 @@ logsource: detection: selection: Image|endswith: '\regsvr32.exe' - CommandLine|contains: - - ' /s' - - ' -s' + CommandLine|contains|windash: ' -s' CommandLine|endswith: ' calc' condition: selection falsepositives: diff --git a/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml b/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml index f8d78e676..ff14daba3 100644 --- a/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml +++ b/rules/linux/process_creation/proc_creation_lnx_capa_discovery.yml 
@@ -8,6 +8,7 @@ references:
 - https://github.com/diego-treitos/linux-smart-enumeration
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/12/28
+modified: 2024/03/05
 tags:
 - attack.discovery
 - attack.t1083
@@ -17,9 +18,7 @@ logsource:
 detection:
 selection:
 Image|endswith: '/getcap'
- CommandLine|contains:
- - ' /r '
- - ' -r '
+ CommandLine|contains|windash: ' -r '
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_script.yml b/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_script.yml
index 98b29b79c..9ece1ae07 100644
--- a/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_script.yml
+++ b/rules/windows/builtin/system/service_control_manager/win_system_susp_service_installation_script.yml
@@ -6,7 +6,7 @@ references:
 - Internal Research
 author: pH-T (Nextron Systems)
 date: 2022/03/18
-modified: 2024/02/23
+modified: 2024/03/05
 tags:
 - attack.persistence
 - attack.privilege_escalation
@@ -20,12 +20,9 @@ detection:
 Provider_Name: 'Service Control Manager'
 EventID: 7045
 selection_cmd_flags:
- ImagePath|contains:
- - ' /c '
+ ImagePath|contains|windash:
 - ' -c '
- - ' /r '
 - ' -r '
- - ' /k '
 - ' -k '
 selection_binaries:
 ImagePath|contains:
diff --git a/rules/windows/process_creation/proc_creation_win_bash_command_execution.yml b/rules/windows/process_creation/proc_creation_win_bash_command_execution.yml
index fde7ab4d9..59e46d5cc 100644
--- a/rules/windows/process_creation/proc_creation_win_bash_command_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_bash_command_execution.yml
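Review bot: proc_creation_lnx_capa_discovery.yml is a Linux rule (`Image|endswith: '/getcap'`), yet the new selection uses `CommandLine|contains|windash: ' -r '`, a modifier whose purpose is to expand `-` into the Windows `/` switch prefix. As far as I know getcap, like other Linux utilities, accepts no `/r` switch, so the expansion (and any further dash variants a backend's windash implementation may emit) only adds dead search terms and hides the fact that the removed `' /r '` entry was itself a copy-paste artefact from the Windows rules. I would write `CommandLine|contains: ' -r '` here and reserve windash for `product: windows` rules, or at least leave a comment explaining why the `/r` variant is wanted on Linux.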
@@ -1,7 +1,12 @@ title: Indirect Inline Command Execution Via Bash.EXE id: 5edc2273-c26f-406c-83f3-f4d948e740dd +related: + - id: 2d22a514-e024-4428-9dba-41505bd63a5b + type: similar status: experimental -description: Detects execution of Microsoft bash launcher with the "-c" flag. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash +description: | + Detects execution of Microsoft bash launcher with the "-c" flag. + This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash. references: - https://lolbas-project.github.io/lolbas/Binaries/Bash/ author: frack113 diff --git a/rules/windows/process_creation/proc_creation_win_bash_file_execution.yml b/rules/windows/process_creation/proc_creation_win_bash_file_execution.yml index 9b467f6d2..9e6490a8c 100644 --- a/rules/windows/process_creation/proc_creation_win_bash_file_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_bash_file_execution.yml @@ -4,7 +4,9 @@ related: - id: 5edc2273-c26f-406c-83f3-f4d948e740dd type: similar status: experimental -description: Detects execution of Microsoft bash launcher without any flags to execute the content of a bash script directly. This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash +description: | + Detects execution of Microsoft bash launcher without any flags to execute the content of a bash script directly. + This can be used to potentially bypass defenses and execute Linux or Windows-based binaries directly via bash. references: - https://lolbas-project.github.io/lolbas/Binaries/Bash/ - https://linux.die.net/man/1/bash diff --git a/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml b/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml index ba8468868..20d92cafd 100644 --- a/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml 
+++ b/rules/windows/process_creation/proc_creation_win_certoc_load_dll.yml @@ -11,7 +11,7 @@ references: - https://lolbas-project.github.io/lolbas/Binaries/Certoc/ author: Austin Songer @austinsonger date: 2021/10/23 -modified: 2023/02/15 +modified: 2024/03/05 tags: - attack.defense_evasion - attack.t1218 @@ -23,9 +23,7 @@ detection: - Image|endswith: '\certoc.exe' - OriginalFileName: 'CertOC.exe' selection_cli: - CommandLine|contains: - - ' -LoadDLL ' - - ' /LoadDLL ' + CommandLine|contains|windash: ' -LoadDLL ' condition: all of selection_* fields: - CommandLine diff --git a/rules/windows/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml b/rules/windows/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml index bb848a4bd..0e1f850a6 100644 --- a/rules/windows/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml +++ b/rules/windows/process_creation/proc_creation_win_certoc_load_dll_susp_locations.yml @@ -11,6 +11,7 @@ references: - https://lolbas-project.github.io/lolbas/Binaries/Certoc/ author: Nasreddine Bencherchali (Nextron Systems) date: 2023/02/15 +modified: 2024/03/05 tags: - attack.defense_evasion - attack.t1218 @@ -22,9 +23,7 @@ detection: - Image|endswith: '\certoc.exe' - OriginalFileName: 'CertOC.exe' selection_cli: - CommandLine|contains: - - ' -LoadDLL ' - - ' /LoadDLL ' + CommandLine|contains|windash: ' -LoadDLL ' selection_paths: CommandLine|contains: - '\Appdata\Local\Temp\' diff --git a/rules/windows/process_creation/proc_creation_win_certutil_certificate_installation.yml b/rules/windows/process_creation/proc_creation_win_certutil_certificate_installation.yml index ff7b276cd..00ae0c0b6 100644 --- a/rules/windows/process_creation/proc_creation_win_certutil_certificate_installation.yml +++ b/rules/windows/process_creation/proc_creation_win_certutil_certificate_installation.yml 
@@ -13,6 +13,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1553.004/T1553.004.md author: oscd.community, @redcanary, Zach Stanford @svch0st date: 2023/03/05 +modified: 2024/03/05 tags: - attack.defense_evasion - attack.t1553.004 @@ -25,9 +26,7 @@ detection: - Image|endswith: '\certutil.exe' - OriginalFileName: 'CertUtil.exe' selection_cli_add: - CommandLine|contains: - - '/addstore' - - '-addstore' + CommandLine|contains|windash: '-addstore' selection_cli_store: CommandLine|contains: 'root' condition: all of selection_* diff --git a/rules/windows/process_creation/proc_creation_win_certutil_decode.yml b/rules/windows/process_creation/proc_creation_win_certutil_decode.yml index ddeb6cca0..221206546 100644 --- a/rules/windows/process_creation/proc_creation_win_certutil_decode.yml +++ b/rules/windows/process_creation/proc_creation_win_certutil_decode.yml @@ -11,6 +11,7 @@ references: - https://lolbas-project.github.io/lolbas/Binaries/Certutil/ author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community date: 2023/02/15 +modified: 2024/03/05 tags: - attack.defense_evasion - attack.t1027 @@ -22,13 +23,9 @@ detection: - Image|endswith: '\certutil.exe' - OriginalFileName: 'CertUtil.exe' selection_cli: - CommandLine|contains: - # Decode Base64 - - '-decode ' - - '/decode ' - # Decode Hex - - '-decodehex ' - - '/decodehex ' + CommandLine|contains|windash: + - '-decode ' # Decode Base64 + - '-decodehex ' # Decode Hex condition: all of selection_* falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_certutil_encode.yml b/rules/windows/process_creation/proc_creation_win_certutil_encode.yml index 025261a46..153a71d70 100644 --- a/rules/windows/process_creation/proc_creation_win_certutil_encode.yml +++ b/rules/windows/process_creation/proc_creation_win_certutil_encode.yml 
@@ -8,7 +8,7 @@ references: - https://lolbas-project.github.io/lolbas/Binaries/Certutil/ author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems) date: 2019/02/24 -modified: 2023/02/15 +modified: 2024/03/05 tags: - attack.defense_evasion - attack.t1027 @@ -20,9 +20,7 @@ detection: - Image|endswith: '\certutil.exe' - OriginalFileName: 'CertUtil.exe' selection_cli: - CommandLine|contains: - - '-encode' - - '/encode' + CommandLine|contains|windash: '-encode' condition: all of selection_* falsepositives: - As this is a general purpose rule, legitimate usage of the encode functionality will trigger some false positives. Apply additional filters accordingly diff --git a/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml b/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml index db283bb31..7d1ea21b2 100644 --- a/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml +++ b/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_extensions.yml @@ -12,6 +12,7 @@ references: - https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior author: Nasreddine Bencherchali (Nextron Systems) date: 2023/05/15 +modified: 2024/03/05 tags: - attack.defense_evasion - attack.t1027 @@ -23,9 +24,7 @@ detection: - Image|endswith: '\certutil.exe' - OriginalFileName: 'CertUtil.exe' selection_cli: - CommandLine|contains: - - '-encode' - - '/encode' + CommandLine|contains|windash: '-encode' selection_extension: CommandLine|contains: - '.acl' diff --git a/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml b/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml index 566347683..3e9e09894 100644 --- a/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml 
+++ b/rules/windows/process_creation/proc_creation_win_certutil_encode_susp_location.yml @@ -12,6 +12,7 @@ references: - https://www.virustotal.com/gui/file/4abe1395a09fda06d897a9c4eb247278c1b6cddda5d126ce5b3f4f499e3b8fa2/behavior author: Nasreddine Bencherchali (Nextron Systems) date: 2023/05/15 +modified: 2024/03/05 tags: - attack.defense_evasion - attack.t1027 @@ -23,9 +24,7 @@ detection: - Image|endswith: '\certutil.exe' - OriginalFileName: 'CertUtil.exe' selection_cli: - CommandLine|contains: - - '-encode' - - '/encode' + CommandLine|contains|windash: '-encode' selection_extension: CommandLine|contains: # Note: Add more suspicious locations to increase coverage diff --git a/rules/windows/process_creation/proc_creation_win_certutil_export_pfx.yml b/rules/windows/process_creation/proc_creation_win_certutil_export_pfx.yml index 30526773e..f7121ebbb 100644 --- a/rules/windows/process_creation/proc_creation_win_certutil_export_pfx.yml +++ b/rules/windows/process_creation/proc_creation_win_certutil_export_pfx.yml @@ -6,7 +6,7 @@ references: - https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community, Nasreddine Bencherchali (Nextron Systems) date: 2023/02/15 -modified: 2023/02/20 +modified: 2024/03/05 tags: - attack.defense_evasion - attack.t1027 @@ -18,9 +18,7 @@ detection: - Image|endswith: '\certutil.exe' - OriginalFileName: 'CertUtil.exe' selection_cli: - CommandLine|contains: - - '-exportPFX ' - - '/exportPFX ' + CommandLine|contains|windash: '-exportPFX ' condition: all of selection_* falsepositives: - There legitimate reasons to export certificates. Investigate the activity to determine if it's benign diff --git a/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml b/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml index 0608b0339..d4dbdccba 100644 
--- a/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml +++ b/rules/windows/process_creation/proc_creation_win_chcp_codepage_lookup.yml @@ -7,7 +7,7 @@ references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/chcp author: _pete_0, TheDFIRReport date: 2022/02/21 -modified: 2024/02/16 +modified: 2024/03/05 tags: - attack.discovery - attack.t1614.001 @@ -17,12 +17,9 @@ logsource: detection: selection: ParentImage|endswith: '\cmd.exe' - ParentCommandLine|contains: - - ' /c ' + ParentCommandLine|contains|windash: - ' -c ' - - ' /r ' - ' -r ' - - ' /k ' - ' -k ' Image|endswith: '\chcp.com' CommandLine|endswith: diff --git a/rules/windows/process_creation/proc_creation_win_cmd_curl_download_exec_combo.yml b/rules/windows/process_creation/proc_creation_win_cmd_curl_download_exec_combo.yml index 316c92640..566d90709 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_curl_download_exec_combo.yml +++ b/rules/windows/process_creation/proc_creation_win_cmd_curl_download_exec_combo.yml @@ -6,7 +6,7 @@ references: - https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983 # Dead Link author: Sreeman, Nasreddine Bencherchali (Nextron Systems) date: 2020/01/13 -modified: 2024/02/17 +modified: 2024/03/05 tags: - attack.defense_evasion - attack.t1218 @@ -17,9 +17,7 @@ logsource: product: windows detection: selection: - CommandLine|contains: - - ' /c ' - - ' -c ' + CommandLine|contains|windash: ' -c ' CommandLine|contains|all: - 'curl ' - 'http' diff --git a/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml index 43f177cfd..8f0dc1a18 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_cmd_del_execution.yml 
@@ -11,7 +11,7 @@ references: - https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/erase author: frack113 date: 2022/01/15 -modified: 2024/02/17 +modified: 2024/03/05 tags: - attack.defense_evasion - attack.t1070.004 @@ -27,13 +27,10 @@ detection: - 'del ' - 'erase ' selection_flags: - CommandLine|contains: - - ' /f' # Force deleting of read-only files. - - ' -f' - - ' /s' # Delete specified files from all subdirectories. - - ' -s' - - ' /q' # Quiet mode, do not ask if ok to delete on global wildcard - - ' -q' + CommandLine|contains|windash: + - ' -f' # Force deleting of read-only files. + - ' -s' # Delete specified files from all subdirectories. + - ' -q' # Quiet mode, do not ask if ok to delete on global wildcard condition: all of selection_* falsepositives: - False positives levels will differ Depending on the environment. You can use a combination of ParentImage and other keywords from the CommandLine field to filter legitimate activity diff --git a/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml index 8a0c4599c..977855620 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_cmd_dir_execution.yml 
@@ -1,12 +1,13 @@
-title: Files And Subdirectories Listing Using Dir
+title: File Enumeration Via Dir Command
 id: 7c9340a9-e2ee-4e43-94c5-c54ebbea1006
 status: test
-description: Detects usage of the "dir" command that is part of Windows batch/cmd to collect information about directories
+description: |
+ Detects usage of the "dir" command part of Widows CMD with the "/S" command line flag in order to enumerate files in a specified directory and all subdirectories.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1217/T1217.md
 author: frack113
 date: 2021/12/13
-modified: 2024/02/17
+modified: 2024/03/06
 tags:
 - attack.discovery
 - attack.t1217
@@ -14,17 +15,9 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection_dir:
- CommandLine|contains: 'dir '
- selection_cli_1:
- CommandLine|contains:
- - ' /s'
- - ' -s'
- selection_cli_2:
- CommandLine|contains:
- - ' /b'
- - ' -b'
- condition: all of selection_*
+ selection:
+ CommandLine|contains|windash: 'dir*-s'
+ condition: selection
 falsepositives:
- - Unknown
+ - Likely
 level: low
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml
index c69cd9be9..b1b53e96f 100644
--- a/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_ping_copy_combined_execution.yml
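Review bot: The new `CommandLine|contains|windash: 'dir*-s'` loses the token boundary the removed `'dir '` and `' -s'` selections had, so any command line with `dir` embedded in another word or path (`mkdir`, `\redirect.exe`) followed anywhere later by `-s`/`/s` as the start of a longer switch (`/silent`, `-server`) now matches; combined with dropping the `/b` requirement this widens the rule considerably, which the `falsepositives: Likely` change only partially acknowledges. Keeping the space after the command name, `CommandLine|contains|windash: 'dir *-s'`, still covers `dir /s` and `dir C:\ -s` while excluding path substrings, assuming the windash implementation passes the `*` wildcard through untouched, which the commit already relies on. Separately, the new description has a typo: `Widows CMD` should read `Windows CMD`.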
@@ -1,12 +1,13 @@ -title: Suspicious Ping/Copy Command Combination +title: Potentially Suspicious Ping/Copy Command Combination id: ded2b07a-d12f-4284-9b76-653e37b6c8b0 status: experimental -description: Detects uncommon one-liner command having ping and copy at the same time, which is usually used by malware. +description: | + Detects uncommon and potentially suspicious one-liner command containing both "ping" and "copy" at the same time, which is usually used by malware. references: - Internal Research author: X__Junior (Nextron Systems) date: 2023/07/18 -modified: 2024/02/26 +modified: 2024/03/06 tags: - attack.defense_evasion - attack.t1070.004 @@ -23,13 +24,9 @@ detection: - 'ping' # Covers "ping" and "ping.exe" - 'copy ' selection_cli_1: - CommandLine|contains: # Count - - ' -n ' - - ' /n ' + CommandLine|contains|windash: ' -n ' # Count selection_cli_2: - CommandLine|contains: - - ' /y ' - - ' -y ' + CommandLine|contains|windash: ' -y ' condition: all of selection_* falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml b/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml index 7477513ec..23ab4e0eb 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_cmd_ping_del_combined_execution.yml @@ -9,7 +9,7 @@ references: - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/blackbyte-exbyte-ransomware author: Ilya Krestinichev date: 2022/11/03 -modified: 2023/02/07 +modified: 2024/03/05 tags: - attack.defense_evasion - attack.t1070.004 
@@ -20,16 +20,12 @@ detection: # Note: In the case of sysmon and similar logging utilities, see this discussion https://github.com/SigmaHQ/sigma/discussions/4277 # Example: "C:\Windows\System32\cmd.exe" /C ping 127.0.0.7 -n 3 > Nul & fsutil file setZeroData offset=0 length=524288 "C:\Users\User\Desktop\lockbit\lockbit.exe" & Del /f /q "C:\Users\User\Desktop\lockbit\lockbit.exe". selection_count: - CommandLine|contains: - - ' -n ' - - ' /n ' + CommandLine|contains|windash: ' -n ' selection_nul: CommandLine|contains: 'Nul' # Covers "> Nul" and ">Nul " selection_del_param: - CommandLine|contains: - - ' /f ' + CommandLine|contains|windash: - ' -f ' - - ' /q ' - ' -q ' selection_all: CommandLine|contains|all: diff --git a/rules/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds.yml b/rules/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds.yml index d15cb9832..c215c1b20 100644 --- a/rules/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds.yml +++ b/rules/windows/process_creation/proc_creation_win_cmdkey_adding_generic_creds.yml @@ -1,12 +1,14 @@ title: New Generic Credentials Added Via Cmdkey.EXE id: b1ec66c6-f4d1-4b5c-96dd-af28ccae7727 status: test -description: Detects usage of cmdkey to add generic credentials. As an example, this has to be used before connecting to an RDP session via command line interface. +description: | + Detects usage of "cmdkey.exe" to add generic credentials. + As an example, this can be used before connecting to an RDP session via command line interface. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol author: frack113, Nasreddine Bencherchali (Nextron Systems) date: 2023/02/03 -modified: 2024/02/23 +modified: 2024/03/05 tags: - attack.credential_access - attack.t1003.005 
@@ -17,18 +19,12 @@ detection: selection_img: - Image|endswith: '\cmdkey.exe' - OriginalFileName: 'cmdkey.exe' - selection_cli_1: - CommandLine|contains: - - ' /g' - - ' -g' - selection_cli_2: - CommandLine|contains: - - ' /u' - - ' -u' - selection_cli_3: - CommandLine|contains: - - ' /p' - - ' -p' + selection_cli_generic: + CommandLine|contains|windash: ' -g' # Generic + selection_cli_user: + CommandLine|contains|windash: ' -u' # User + selection_cli_password: + CommandLine|contains|windash: ' -p' # Password condition: all of selection_* falsepositives: - Legitimate usage for administration purposes diff --git a/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml b/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml index d0dcf114c..67582ff73 100644 --- a/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml +++ b/rules/windows/process_creation/proc_creation_win_cmdkey_recon.yml @@ -8,7 +8,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/b27a3cb25025161d49ac861cb216db68c46a3537/atomics/T1003.005/T1003.005.md#atomic-test-1---cached-credential-dump-via-cmdkey author: jmallette, Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) date: 2019/01/16 -modified: 2023/02/03 +modified: 2024/03/05 tags: - attack.credential_access - attack.t1003.005 @@ -20,9 +20,7 @@ detection: - Image|endswith: '\cmdkey.exe' - OriginalFileName: 'cmdkey.exe' selection_cli: - CommandLine|contains: - - ' /l' - - ' -l' + CommandLine|contains|windash: ' -l' condition: all of selection* fields: - CommandLine diff --git a/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml b/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml index d62d04cf3..1253c0d21 100644 --- a/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml +++ b/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_ext.yml 
@@ -23,6 +23,7 @@ references:
 - https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/09/15
+modified: 2024/03/05
 tags:
 - attack.defense_evasion
 - attack.t1218
@@ -34,9 +35,7 @@ detection:
 - OriginalFileName: 'diskshadow.exe'
 - Image|endswith: '\diskshadow.exe'
 selection_flag:
- CommandLine|contains:
- - '/s '
- - '-s '
+ CommandLine|contains|windash: '-s '
 filter_main_ext:
 # Note: can be changed to an "endswith" to avoid rare FPs. But you need to account for quoted paths
 # Note: Using the ".txt" is based on the MS documentation example. Best add the extension you use internally before using this rule
diff --git a/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml b/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml
index d6ce8ca0c..a1ce40db4 100644
--- a/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml
+++ b/rules/windows/process_creation/proc_creation_win_diskshadow_script_mode_susp_location.yml
@@ -21,6 +21,7 @@ references:
 - https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/09/15
+modifier: 2024/03/05
 tags:
 - attack.defense_evasion
 - attack.t1218
@@ -32,9 +33,7 @@ detection:
 - OriginalFileName: 'diskshadow.exe'
 - Image|endswith: '\diskshadow.exe'
 selection_cli:
- CommandLine|contains:
- - '/s '
- - '-s '
+ CommandLine|contains|windash: '-s '
 selection_paths:
 CommandLine|contains:
 # Note: Add additional susp paths based on your org needs
diff --git a/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml b/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml
index 8ee0079c0..1bd7d732f 100644
--- a/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml
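Review bot: The metadata line added to proc_creation_win_diskshadow_script_mode_susp_location.yml reads `+modifier: 2024/03/05`, but the Sigma field is `modified`; every other rule in this patch uses that spelling, including the sibling diskshadow rule in the hunk just above. Depending on the validator, an unknown top-level key is either rejected or silently ignored, and in the latter case the rule is left with no modification date despite its detection logic having changed. It should read `modified: 2024/03/05`.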
+++ b/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml @@ -8,7 +8,7 @@ references: - https://thedfirreport.com/2022/10/31/follina-exploit-leads-to-domain-compromise/ author: frack113 date: 2022/02/13 -modified: 2022/10/31 +modified: 2024/03/05 tags: - attack.collection - attack.t1005 @@ -20,9 +20,7 @@ detection: - Image|endswith: '\esentutl.exe' - OriginalFileName: 'esentutl.exe' selection_flag: - CommandLine|contains: - - '/r' - - '-r' + CommandLine|contains|windash: '-r' selection_webcache: CommandLine|contains: '\Windows\WebCache' condition: all of selection* diff --git a/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml b/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml index ae4f08690..c697a7e85 100644 --- a/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml +++ b/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml @@ -7,7 +7,7 @@ references: - https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/ author: Bhabesh Raj, X__Junior (Nextron Systems) date: 2021/07/30 -modified: 2023/11/02 +modified: 2024/03/05 tags: - attack.defense_evasion - attack.t1218 @@ -17,9 +17,7 @@ logsource: detection: selection_cmd: Image|endswith: '\expand.exe' - CommandLine|contains: - - '/F:' - - '-F:' + CommandLine|contains|windash: '-F:' selection_folders_1: CommandLine|contains: - ':\Perflogs\' diff --git a/rules/windows/process_creation/proc_creation_win_findstr_download.yml b/rules/windows/process_creation/proc_creation_win_findstr_download.yml index cef27141c..f602c5230 100644 --- a/rules/windows/process_creation/proc_creation_win_findstr_download.yml +++ b/rules/windows/process_creation/proc_creation_win_findstr_download.yml 
@@ -12,7 +12,7 @@ references:
 - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
 author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
 date: 2020/10/05
-modified: 2023/11/12
+modified: 2024/03/05
 tags:
 - attack.defense_evasion
 - attack.t1218
@@ -28,13 +28,9 @@ detection:
 - Image|endswith: 'findstr.exe'
 - OriginalFileName: 'FINDSTR.EXE'
 selection_cli_download_1:
- CommandLine|contains:
- - ' /v '
- - ' -v '
+ CommandLine|contains|windash: ' -v '
 selection_cli_download_2:
- CommandLine|contains:
- - ' /l '
- - ' -l '
+ CommandLine|contains|windash: ' -l '
 selection_cli_download_3:
 CommandLine|contains: '\\\\'
 condition: selection_findstr and all of selection_cli_download_*
diff --git a/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml b/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml
index 5a6705ab7..741d35c90 100644
--- a/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml
+++ b/rules/windows/process_creation/proc_creation_win_findstr_subfolder_search.yml
@@ -12,7 +12,7 @@ references:
 - https://gist.github.com/api0cradle/cdd2d0d0ec9abb686f0e89306e277b8f
 author: Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative, Nasreddine Bencherchali (Nextron Systems)
 date: 2020/10/05
-modified: 2023/11/12
+modified: 2024/03/05
 tags:
 - attack.defense_evasion
 - attack.t1218
@@ -28,13 +28,9 @@ detection:
 - Image|endswith: 'findstr.exe'
 - OriginalFileName: 'FINDSTR.EXE'
 selection_cli_search_subfolder:
- CommandLine|contains:
- - ' /s '
- - ' -s '
+ CommandLine|contains|windash: ' -s '
 selection_cli_search_insensitive:
- CommandLine|contains:
- - ' /i '
- - ' -i '
+ CommandLine|contains|windash: ' -i '
 condition: selection_findstr and all of selection_cli_search_*
 falsepositives:
 - Administrative or software activity
diff --git a/rules/windows/process_creation/proc_creation_win_forfiles_proxy_execution_.yml b/rules/windows/process_creation/proc_creation_win_forfiles_proxy_execution_.yml
index 9a276c8d7..c3336eab4 100644
--- a/rules/windows/process_creation/proc_creation_win_forfiles_proxy_execution_.yml
+++ b/rules/windows/process_creation/proc_creation_win_forfiles_proxy_execution_.yml
@@ -15,7 +15,7 @@ references:
 - https://pentestlab.blog/2020/07/06/indirect-command-execution/
 author: Tim Rauch, Elastic, E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
 date: 2022/06/14
-modified: 2024/01/05
+modified: 2024/03/05
 tags:
 - attack.execution
 - attack.t1059
@@ -27,9 +27,7 @@ detection:
 - Image|endswith: '\forfiles.exe'
 - OriginalFileName: 'forfiles.exe'
 selection_cli:
- CommandLine|contains:
- - ' /c '
- - ' -c '
+ CommandLine|contains|windash: ' -c '
 condition: all of selection_*
 falsepositives:
 - Legitimate use via a batch script or by an administrator.
diff --git a/rules/windows/process_creation/proc_creation_win_lodctr_performance_counter_tampering.yml b/rules/windows/process_creation/proc_creation_win_lodctr_performance_counter_tampering.yml
index 44ab5aaf4..102dccd81 100644
--- a/rules/windows/process_creation/proc_creation_win_lodctr_performance_counter_tampering.yml
+++ b/rules/windows/process_creation/proc_creation_win_lodctr_performance_counter_tampering.yml
@@ -6,6 +6,7 @@ references:
 - https://learn.microsoft.com/en-us/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/06/15
+modified: 2024/03/05
 tags:
 - attack.execution
 logsource:
@@ -16,9 +17,7 @@ detection:
 Image|endswith: '\lodctr.exe'
 OriginalFileName: 'LODCTR.EXE'
 selection_cli:
- CommandLine|contains:
- - ' /r'
- - ' -r'
+ CommandLine|contains|windash: ' -r'
 condition: all of selection_*
 falsepositives:
 - Legitimate usage by an administrator
diff --git a/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml b/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml
index e212750ee..ba064a43b 100644
--- a/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml
+++ b/rules/windows/process_creation/proc_creation_win_odbcconf_response_file.yml
@@ -14,6 +14,7 @@ references:
 - https://www.hexacorn.com/blog/2020/08/23/odbcconf-lolbin-trifecta/
 author: Kirill Kiryanov, Beyu Denis, Daniil Yugoslavskiy, oscd.community, Nasreddine Bencherchali (Nextron Systems)
 date: 2023/05/22
+modified: 2024/03/05
 tags:
 - attack.defense_evasion
 - attack.t1218.008
@@ -25,9 +26,7 @@ detection:
 - Image|endswith: '\odbcconf.exe'
 - OriginalFileName: 'odbcconf.exe'
 selection_cli:
- CommandLine|contains:
- - ' -f '
- - ' /f '
+ CommandLine|contains|windash: ' -f '
 selection_rsp_ext:
 CommandLine|contains: '.rsp'
 condition: all of selection_*
diff --git a/rules/windows/process_creation/proc_creation_win_ssh_port_forward.yml b/rules/windows/process_creation/proc_creation_win_ssh_port_forward.yml
index 6d5fbdb84..abd999491 100644
--- a/rules/windows/process_creation/proc_creation_win_ssh_port_forward.yml
+++ b/rules/windows/process_creation/proc_creation_win_ssh_port_forward.yml
@@ -6,7 +6,7 @@ references:
 - https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/10/12
-modified: 2023/11/06
+modified: 2024/03/05
 tags:
 - attack.command_and_control
 - attack.lateral_movement
@@ -19,9 +19,7 @@ logsource:
 detection:
 selection:
 Image|endswith: '\ssh.exe'
- CommandLine|contains:
- - ' -R '
- - ' /R '
+ CommandLine|contains|windash: ' -R '
 condition: selection
 falsepositives:
 - Administrative activity using a remote port forwarding to a local port
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml
index c3bb28b0d..2b45fd3d7 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_psexec_paexec_escalate_system.yml
@@ -11,7 +11,7 @@ references:
 - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2021/11/23
-modified: 2023/02/28
+modified: 2024/03/05
 tags:
 - attack.resource_development
 - attack.t1587.001
@@ -20,43 +20,22 @@ logsource:
 product: windows
 detection:
 selection_sys: # Escalation to LOCAL_SYSTEM
- CommandLine|contains:
+ CommandLine|contains|windash:
 # Note that you don't need to add the ".exe" part when using psexec/paexec
 # The "-" can also be replaced with "/"
 # The order of args isn't important
 # "cmd" can be replaced by "powershell", "pwsh" or any other console like software
 - ' -s cmd'
- - ' /s cmd'
 - ' -s -i cmd'
- - ' /s /i cmd'
- - ' /s -i cmd'
- - ' -s /i cmd'
 - ' -i -s cmd'
- - ' /i /s cmd'
- - ' -i /s cmd'
- - ' /i -s cmd'
 # Pwsh (For PowerShell 7)
 - ' -s pwsh'
- - ' /s pwsh'
 - ' -s -i pwsh'
- - ' /s /i pwsh'
- - ' /s -i pwsh'
- - ' -s /i pwsh'
 - ' -i -s pwsh'
- - ' /i /s pwsh'
- - ' -i /s pwsh'
- - ' /i -s pwsh'
 # PowerShell (For PowerShell 5)
 - ' -s powershell'
- - ' /s powershell'
 - ' -s -i powershell'
- - ' /s /i powershell'
- - ' /s -i powershell'
- - ' -s /i powershell'
 - ' -i -s powershell'
- - ' /i /s powershell'
- - ' -i /s powershell'
- - ' /i -s powershell'
 selection_other:
 CommandLine|contains:
 - 'psexec'
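Review bot: The context comment `# The "-" can also be replaced with "/"` kept under the new `CommandLine|contains|windash:` now reads as an instruction to enumerate the slash forms by hand, which is exactly what this hunk stops doing; the same stale comment survives in the proc_creation_win_sysinternals_susp_psexec_paexec_flags hunk further down. Reword it to describe the modifier, e.g. `# The windash modifier also matches the "/" form of each switch`. The removed mixed-form strings such as `' /s -i cmd'` stay covered only if windash expands every dash in a value to all dash/slash permutations, which is how pySigma documents it; worth confirming on the backend these rules are deployed to before relying on the shorter list.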
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_psloglist.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_psloglist.yml
index 930c35e92..04c6d1406 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_psloglist.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_psloglist.yml
@@ -9,7 +9,7 @@ references:
 - https://twitter.com/EricaZelic/status/1614075109827874817
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2021/12/18
-modified: 2023/01/16
+modified: 2024/03/05
 tags:
 - attack.discovery
 - attack.t1087
@@ -30,17 +30,12 @@ detection:
 - ' application'
 - ' system'
 selection_cli_flags:
- CommandLine|contains:
+ CommandLine|contains|windash:
 - ' -d'
- - ' /d'
 - ' -x'
- - ' /x'
 - ' -s'
- - ' /s'
 - ' -c' # Clear event log after displaying
- - ' /c'
 - ' -g' # Export an event log as an evt file.
- - ' /g'
 condition: all of selection_*
 falsepositives:
 - Another tool that uses the command line switches of PsLogList
diff --git a/rules/windows/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml b/rules/windows/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml
index b9de88a28..e27722590 100644
--- a/rules/windows/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml
+++ b/rules/windows/process_creation/proc_creation_win_sysinternals_susp_psexec_paexec_flags.yml
@@ -11,7 +11,7 @@ references:
 - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2021/05/22
-modified: 2023/02/27
+modified: 2024/03/05
 tags:
 - attack.resource_development
 - attack.t1587.001
@@ -21,43 +21,22 @@ logsource:
 detection:
 selection: # Escalation to LOCAL_SYSTEM
- CommandLine|contains:
+ CommandLine|contains|windash:
 # Note that you don't need to add the ".exe" part when using psexec/paexec
 # The "-" can also be replaced with "/"
 # The order of args isn't important
 # "cmd" can be replaced by "powershell", "pwsh" or any other console like software
 - ' -s cmd'
- - ' /s cmd'
 - ' -s -i cmd'
- - ' /s /i cmd'
- - ' /s -i cmd'
- - ' -s /i cmd'
 - ' -i -s cmd'
- - ' /i /s cmd'
- - ' -i /s cmd'
- - ' /i -s cmd'
 # Pwsh (For PowerShell 7)
 - ' -s pwsh'
- - ' /s pwsh'
 - ' -s -i pwsh'
- - ' /s /i pwsh'
- - ' /s -i pwsh'
- - ' -s /i pwsh'
 - ' -i -s pwsh'
- - ' /i /s pwsh'
- - ' -i /s pwsh'
- - ' /i -s pwsh'
 # PowerShell (For PowerShell 5)
 - ' -s powershell'
- - ' /s powershell'
 - ' -s -i powershell'
- - ' /s /i powershell'
- - ' /s -i powershell'
- - ' -s /i powershell'
 - ' -i -s powershell'
- - ' /i /s powershell'
- - ' -i /s powershell'
- - ' /i -s powershell'
 filter_main_exclude_coverage:
 # This filter exclude strings covered by 8834e2f7-6b4b-4f09-8906-d2276470ee23
 CommandLine|contains:
diff --git a/rules/windows/process_creation/proc_creation_win_whoami_all_execution.yml b/rules/windows/process_creation/proc_creation_win_whoami_all_execution.yml
index f851592fb..6115cc0f1 100644
--- a/rules/windows/process_creation/proc_creation_win_whoami_all_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_whoami_all_execution.yml
@@ -8,6 +8,7 @@ references:
 - https://www.youtube.com/watch?v=DsJ9ByX84o4&t=6s
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2023/12/04
+modified: 2024/03/05
 tags:
 - attack.discovery
 - attack.t1033
@@ -20,9 +21,7 @@ detection:
 - Image|endswith: '\whoami.exe'
 - OriginalFileName: 'whoami.exe'
 selection_main_cli:
- CommandLine|contains:
- - ' -all'
- - ' /all'
+ CommandLine|contains|windash: ' -all'
 condition: all of selection_main_*
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml b/rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml
index e978dae8e..eb4beb6bf 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_xsl_script_processing.yml
@@ -9,7 +9,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1220/T1220.md
 author: Timur Zinniatullin, oscd.community, Swachchhanda Shrawan Poudel
 date: 2019/10/21
-modified: 2023/11/09
+modified: 2024/03/05
 tags:
 - attack.defense_evasion
 - attack.t1220
@@ -19,9 +19,7 @@ logsource:
 detection:
 selection:
 Image|endswith: '\wmic.exe'
- CommandLine|contains:
- - '/format' # wmic process list /FORMAT /?
- - '-format' # wmic process list -FORMAT /?
+ CommandLine|contains|windash: '-format' # wmic process list -FORMAT /? or wmic process list /FORMAT /?
 filter_main_known_format:
 CommandLine|contains:
 - 'Format:List'
diff --git a/tests/sigma_cli_conf.yml b/tests/sigma_cli_conf.yml
index 03ebc620c..9ac8051d0 100644
--- a/tests/sigma_cli_conf.yml
+++ b/tests/sigma_cli_conf.yml
@@ -70,6 +70,7 @@ exclusions:
 fb502828-2db0-438e-93e6-801c7548686d: escaped_wildcard
 59e938ff-0d6d-4dc3-b13f-36cc28734d4e: escaped_wildcard
 2e7bbd54-2f26-476e-b4a1-ba5f1a012614: escaped_wildcard
+ 7c9340a9-e2ee-4e43-94c5-c54ebbea1006: escaped_wildcard
 # number_as_string
 5c84856b-55a5-45f1-826f-13f37250cf4e: number_as_string
 85b88e05-dadc-430b-8a9e-53ff1cd30aae: number_as_string
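Review bot: The new exclusion `7c9340a9-e2ee-4e43-94c5-c54ebbea1006: escaped_wildcard` in tests/sigma_cli_conf.yml switches off the escaped_wildcard validator for one rule, but neither that rule nor the reason for the suppression is visible in this hunk, and the rule ids in this section carry no pointer back to their files. A short trailing comment naming the rule and why the wildcard is intentional, e.g. `7c9340a9-e2ee-4e43-94c5-c54ebbea1006: escaped_wildcard # <rule file>: wildcard is intentional`, would keep the validator bypass auditable. The wmic hunk above it is a straightforward windash conversion; its merged inline comment documents both switch forms, which is fine.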