diff --git a/rules/web/web_cve_2022_44877_exploitation_attempt.yml b/rules/web/web_cve_2022_44877_exploitation_attempt.yml
new file mode 100644
index 000000000..4a0032b0d
--- /dev/null
+++ b/rules/web/web_cve_2022_44877_exploitation_attempt.yml
@@ -0,0 +1,37 @@
+title: Potential Centos Web Panel Exploitation Attempt - CVE-2022-44877
+id: 1b2eeb27-949b-4704-8bfa-d8e5cfa045a1
+status: experimental
+description: Detects potential exploitation attempts that target the Centos Web Panel 7 Unauthenticated Remote Code Execution CVE-2022-44877
+references:
+ - https://seclists.org/fulldisclosure/2023/Jan/1
+ - https://www.rapid7.com/blog/post/2023/01/19/etr-exploitation-of-control-web-panel-cve-2022-44877/
+author: Nasreddine Bencherchali
+date: 2023/01/20
+tags:
+ - attack.initial_access
+ - attack.t1190
+ - cve.2022.44877
+logsource:
+ category: webserver
+detection:
+ selection:
+ cs-method: 'POST'
+ cs-uri-query|contains|all:
+ - '/login/index.php'
+ - 'login='
+ cs-uri-query|contains:
+ # TOD: Include other commonly used reverse shells. Examples: https://www.revshells.com/
+ - 'login=$('
+ # Common keywords related to python reverse shells
+ - 'base64'
+ - 'subprocess'
+ - 'socket'
+ - '${IFS}' # Usage of the input field separator to avoid writing spaces
+ # B64 Encoded "python" with different offsets
+ - 'cHl0aG9u'
+ - 'B5dGhvb'
+ - 'weXRob2'
+ condition: selection
+falsepositives:
+ - Web vulnerability scanners
+level: high
diff --git a/rules/windows/builtin/security/win_security_scheduled_task_deletion.yml b/rules/windows/builtin/security/win_security_scheduled_task_deletion.yml
index 0b7c4bdbf..070b22d61 100644
--- a/rules/windows/builtin/security/win_security_scheduled_task_deletion.yml
+++ b/rules/windows/builtin/security/win_security_scheduled_task_deletion.yml
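Review bot: The `# TOD:` comment above `- 'login=$('` in the `cs-uri-query|contains` list looks like a typo for `TODO`, so anyone searching the ruleset for open TODO markers will miss it; change it to `# TODO: Include other commonly used reverse shells. Examples: https://www.revshells.com/`. The `logsource` block states only `category: webserver`, yet every selector reads `cs-uri-query`, so a `definition:` line saying that the web server must log the query string of POST requests (the scheduled-task rule in this same commit uses a `Requirements:` prefix for exactly this) would tell deployers what the rule depends on. The broad OR terms `'base64'`, `'socket'` and `'subprocess'` are presumably kept specific by the `|all` selection on `'/login/index.php'` and `'login='`; a one-line comment stating that intent would stop a later edit from loosening the `|all` part without noticing the consequence.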
@@ -7,7 +7,7 @@ references: - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4699 author: David Strassegger, Tim Shelton date: 2021/01/22 -modified: 2022/05/16 +modified: 2023/01/20 tags: - attack.execution - attack.privilege_escalation @@ -16,13 +16,15 @@ tags: logsource: product: windows service: security - definition: 'The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.' + definition: 'Requirements: The Advanced Audit Policy setting Object Access > Audit Other Object Access Events has to be configured to allow this detection. We also recommend extracting the Command field from the embedded XML in the event data.' detection: selection: EventID: 4699 - falsepositive1: - TaskName: '\Microsoft\Windows\RemovalTools\MRT_ERROR_HB' # triggered by ParentCommandLine=C:\WINDOWS\system32\MRT.exe /EHB /HeartbeatFailure ErrorStack,Previous=ErrorStack,Previous=ErrorStack,Previous=ErrorStack,Previous=ErrorStack,Previous=SubmitHeartbeatReportData,Hr=0x80072f8f,Hr=0x80072f8f,Hr=0x80072f8f,Hr=0x80072f8f,Hr=0x80072f8f /HeartbeatError 0x80072f8f - condition: selection and not 1 of falsepositive* + filter_exact: + TaskName: '\Microsoft\Windows\RemovalTools\MRT_ERROR_HB' # Triggered by ParentCommandLine=C:\WINDOWS\system32\MRT.exe /EHB /HeartbeatFailure ErrorStack,Previous=ErrorStack,Previous=ErrorStack,Previous=ErrorStack,Previous=ErrorStack,Previous=SubmitHeartbeatReportData,Hr=0x80072f8f,Hr=0x80072f8f,Hr=0x80072f8f,Hr=0x80072f8f,Hr=0x80072f8f /HeartbeatError 0x80072f8f + filter_contains: + TaskName|contains: '\Mozilla\Firefox Default Browser Agent ' # Triggered by firefox updates + condition: selection and not 1 of filter_* falsepositives: - Software installation level: low 
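Review bot: The new `filter_contains` excludes any deleted task whose `TaskName` merely contains `'\Mozilla\Firefox Default Browser Agent '`, which is wider than the `filter_exact` entry beside it; if the legitimate task always lives at the root of the `\Mozilla` folder, as the quoted name suggests, `TaskName|startswith: '\Mozilla\Firefox Default Browser Agent '` narrows the exclusion without losing the Firefox-update case. The trailing space inside that value appears deliberate (the real task name seems to continue with a suffix), but nothing says so and a reformat could silently strip it; add `# Trailing space is intentional: the task name continues with a suffix after 'Agent'` above the line. The rest of the hunk (rename to `filter_exact`, `condition: selection and not 1 of filter_*`, the `Requirements:` prefix) is consistent with the other rules in this commit.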
diff --git a/rules/windows/builtin/security/win_security_user_driver_loaded.yml b/rules/windows/builtin/security/win_security_user_driver_loaded.yml index 81a89ea55..b9d79e986 100644 --- a/rules/windows/builtin/security/win_security_user_driver_loaded.yml +++ b/rules/windows/builtin/security/win_security_user_driver_loaded.yml @@ -12,7 +12,7 @@ references: - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673 author: xknow (@xknow_infosec), xorxes (@xor_xes) date: 2019/04/08 -modified: 2023/01/18 +modified: 2023/01/20 tags: - attack.defense_evasion - attack.t1562.001 @@ -45,6 +45,8 @@ detection: - '\procmon.exe' - '\Google\Chrome\Application\chrome.exe' - '\AppData\Local\Microsoft\Teams\current\Teams.exe' + filter_startswith: + ProcessName|startswith: 'C:\Program Files\WindowsApps\Microsoft' condition: selection_1 and not 1 of filter_* falsepositives: - Other legimate tools loading drivers. Including but not limited to, Sysinternals, CPU-Z, AVs etc. A baseline needs to be created according to the used products and allowed tools. A good thing to do is to try and exclude users who are allowed to load drivers. diff --git a/rules/windows/file/file_event/file_event_win_susp_dropper.yml b/rules/windows/file/file_event/file_event_win_susp_dropper.yml index 19659b430..40bb932a7 100644 --- a/rules/windows/file/file_event/file_event_win_susp_dropper.yml +++ b/rules/windows/file/file_event/file_event_win_susp_dropper.yml @@ -6,7 +6,7 @@ references: - Malware Sandbox author: frack113 date: 2022/03/09 -modified: 2023/01/18 +modified: 2023/01/20 tags: - attack.resource_development - attack.t1587.001 
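Review bot: `ProcessName|startswith: 'C:\Program Files\WindowsApps\Microsoft'` in the new `filter_startswith` ends on a bare word, so it excludes every package folder whose name begins with `Microsoft`, whichever separator follows (`Microsoft.`, `MicrosoftWindows.`, or anything else); if only the first family is intended, `'C:\Program Files\WindowsApps\Microsoft.'` is tighter, otherwise a comment should say which package families the prefix is meant to cover. Unlike the `filter_*` entries above it, the new filter carries no note on what triggered it; a short `# Store-deployed Microsoft packages observed loading drivers, e.g. <package name from the FP sample>` in the style of the surrounding rules would help the next person tuning it. The `detection` block this filter belongs to begins outside the hunk.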
@@ -66,6 +66,7 @@ detection: TargetFilename|endswith: - '\AppData\Local\Microsoft\Teams\stage\Teams.exe' - '\AppData\Local\Microsoft\Teams\stage\Squirrel.exe' + - '\AppData\Local\Microsoft\SquirrelTemp\tempb\' filter_mscorsvw: # Example: # ParentCommandLine: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe" ExecuteQueuedItems /LegacyServiceBehavior diff --git a/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml b/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml index 5c636e5d3..ba86e98e6 100644 --- a/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml +++ b/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml @@ -8,7 +8,7 @@ references: - https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforcredentialsa author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020/10/20 -modified: 2022/10/24 +modified: 2023/01/20 tags: - attack.credential_access - attack.collection @@ -44,6 +44,7 @@ detection: Image|endswith: - '\AppData\Roaming\Spotify\Spotify.exe' - '\AppData\Local\Microsoft\Teams\current\Teams.exe' + - '\AppData\Local\Microsoft\Teams\stage\Teams.exe' filter_contains: Image|startswith: 'C:\Users\' Image|contains: '\AppData\Local\Microsoft\OneDrive\' diff --git a/rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml b/rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml index 62a38c778..29bc5b10f 100644 --- a/rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml +++ b/rules/windows/network_connection/net_connection_win_dllhost_net_connections.yml @@ -7,7 +7,7 @@ references: - https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08 author: bartblaze date: 2020/07/13 -modified: 2023/01/18 +modified: 2023/01/20 tags: - attack.defense_evasion - attack.t1218 
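Review bot: The added `'\AppData\Local\Microsoft\SquirrelTemp\tempb\'` is the only `TargetFilename|endswith` value in this list that ends in a path separator, so it matches only an event whose `TargetFilename` is that directory itself, not files written into it; if the false positive being tuned out is files dropped under `SquirrelTemp\tempb\`, it needs a separate `TargetFilename|contains` entry in the same filter, and if the directory event really is what fires, a comment saying so will keep the next reader from "fixing" it. The `tempb` segment also looks like one instance of a generated name rather than a fixed one — worth confirming against more than one sample before relying on it. The enclosing filter starts outside the hunk.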
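Review bot: The new `'\AppData\Local\Microsoft\Teams\stage\Teams.exe'` entry is an `Image|endswith` value with no `Image|startswith: 'C:\Users\'` anchor, whereas the neighbouring `filter_contains` pins the prefix before matching on the `\AppData\...` part; if the enclosing filter does not already anchor the prefix (its head is outside the hunk), adding `Image|startswith: 'C:\Users\'` keeps the two filters consistent and ties the exclusion to a profile directory. A one-line comment such as `# presumably the copy Teams stages during an update, sibling of the 'current' entry above — confirm against the FP sample` would also explain why two Teams paths now appear.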
@@ -60,10 +60,13 @@ detection: - '20.189.' - '20.190.' - '20.191.' + - '23.79.' + - '51.10.' # Subnet: 51.103.210.0/23 - '51.103.' - '51.104.' - '51.105.' + - '52.239.' condition: selection and not 1 of filter_* falsepositives: - Communication to other corporate systems that use IP addresses from public address spaces diff --git a/rules/windows/network_connection/net_connection_win_powershell_network_connection.yml b/rules/windows/network_connection/net_connection_win_powershell_network_connection.yml index 8ca042cc1..e0bb02c95 100755 --- a/rules/windows/network_connection/net_connection_win_powershell_network_connection.yml +++ b/rules/windows/network_connection/net_connection_win_powershell_network_connection.yml @@ -6,7 +6,7 @@ references: - https://www.youtube.com/watch?v=DLtJTxMWZ2o author: Florian Roth date: 2017/03/13 -modified: 2022/07/14 +modified: 2023/01/20 tags: - attack.execution - attack.t1059.001 @@ -20,7 +20,7 @@ detection: - '\pwsh.exe' Initiated: 'true' DestinationIsIpv6: 'false' - filter: + filter_internal_ip: DestinationIp|startswith: - '10.' - '192.168.' @@ -44,7 +44,32 @@ detection: User|contains: # covers many language settings - 'AUTHORI' - 'AUTORI' - condition: selection and not filter + filter_ipv6: + DestinationIp|startswith: + - '::1' # IPv6 loopback variant + - '0:0:0:0:0:0:0:1' # IPv6 loopback variant + - 'fe80:' # link-local address + - 'fc' # private address range fc00::/7 + - 'fd' # private address range fc00::/7 + filter_msrange: + DestinationIp|startswith: + # Subnet: 20.184.0.0/13 + - '20.184.' + - '20.185.' + - '20.186.' + - '20.187.' + - '20.188.' + - '20.189.' + - '20.190.' + - '20.191.' + - '23.79.' + - '51.10.' + # Subnet: 51.103.210.0/23 + - '51.103.' + - '51.104.' + - '51.105.' + - '52.239.' + condition: selection and not 1 of filter_* falsepositives: - Administrative scripts - Microsoft IP range 
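Review bot: The added prefixes `'23.79.'`, `'51.10.'` and `'52.239.'` each silence an entire /16 of destination addresses for dllhost.exe connections, yet none of them carries a comment naming the allocation it stands for, while the existing `# Subnet:` comment in the same list does; add `# Subnet: <allocation this prefix covers>` on each new line so the exclusion can be re-validated when the ranges change. This same prefix list is also copied into the PowerShell and wuauclt network-connection rules in this commit, so any future correction has to be made three times; a comment cross-referencing the sibling rules would at least make the duplication visible.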
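Review bot: The new `filter_ipv6` cannot match an event that passed `selection`, because the context in the preceding hunk shows `selection` requiring `DestinationIsIpv6: 'false'`; either the filter is dead, or it is meant for log sources where that field is missing or unreliable, and a comment should say which, e.g. `# Kept for backends that do not populate DestinationIsIpv6`. In `filter_msrange` the comment `# Subnet: 51.103.210.0/23` sits above `- '51.103.'`, but a `startswith` on `'51.103.'` excludes all of 51.103.0.0/16, so the comment understates the exclusion by a factor of 128; either narrow the prefixes to the /23 (`- '51.103.210.'` and `- '51.103.211.'`) or correct the comment to the range actually excluded. The same comment/prefix mismatch is repeated in the wuauclt rule's `filter_msrange` hunk below.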
diff --git a/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml b/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml index d0694ab32..c9771233e 100644 --- a/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml +++ b/rules/windows/network_connection/net_connection_win_wuauclt_network_connection.yml @@ -8,7 +8,7 @@ references: - https://dtm.uk/wuauclt/ author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020/10/12 -modified: 2022/12/15 +modified: 2023/01/20 tags: - attack.defense_evasion - attack.t1218 @@ -17,13 +17,29 @@ logsource: product: windows detection: selection: - Image|contains: wuauclt + Image|contains: 'wuauclt' # "C:\WINDOWS\uus\AMD64\wuauclt.exe" /DeploymentHandlerFullPath \\?\C:\Windows\UUS\AMD64\UpdateDeploy.dll /ClassId aaa256e1-5b21-4993-9188-18f07ccb3b98 /RunHandlerComServer - filter_ms_range: # Sysmon - DestinationIp|startswith: '51.10' # Microsoft Range + filter_msrange: # Sysmon + DestinationIp|startswith: + # Subnet: 20.184.0.0/13 + - '20.184.' + - '20.185.' + - '20.186.' + - '20.187.' + - '20.188.' + - '20.189.' + - '20.190.' + - '20.191.' + - '23.79.' + - '51.10.' + # Subnet: 51.103.210.0/23 + - '51.103.' + - '51.104.' + - '51.105.' + - '52.239.' filter_cmdline: CommandLine|contains: '\UpdateDeploy.dll /ClassId ' - condition: selection and not 1 of filter* + condition: selection and not 1 of filter_* falsepositives: - Legitimate use of wuauclt.exe over the network. level: medium diff --git a/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml b/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml index bfa7769f6..584ea0dfa 100644 --- a/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml +++ b/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml 
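Review bot: `Image|contains: 'wuauclt'` is kept as a substring match in the rewritten `selection`, so any image whose full path contains that token anywhere (a folder name, a differently suffixed file) is selected, which is looser than the `Image|endswith` form the other process rules in this commit use; `Image|endswith: '\wuauclt.exe'` still covers both the System32 copy and the `C:\WINDOWS\uus\AMD64\wuauclt.exe` path quoted in the trailing comment. That trailing comment is a full example command line appended to the selector line; moving it to its own `# Example:` line above the key, as `file_event_win_susp_dropper.yml` does in this same commit, keeps the line readable. The `# Subnet: 51.103.210.0/23` comment above `- '51.103.'` has the scope mismatch already noted on the PowerShell network rule.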
@@ -7,7 +7,7 @@ references: - https://twitter.com/D1rkMtr/status/1611471891193298944?s=20 author: frack113 date: 2023/01/07 -modified: 2023/01/18 +modified: 2023/01/20 tags: - attack.defense_evasion - attack.t1562.002 @@ -37,13 +37,28 @@ detection: filter_githubdesktop: SourceImage|startswith: 'C:\Users\' SourceImage|contains: '\AppData\Local\GitHubDesktop\app-' - SourceImage|endswith: '\GitHubDesktop.exe' + SourceImage|endswith: + - '\GitHubDesktop.exe' + - '\resources\app\git\usr\bin\sh.exe' TargetImage|startswith: 'C:\Users\' TargetImage|contains: '\AppData\Local\GitHubDesktop\app-' filter_dotnet: SourceImage|startswith: 'C:\Windows\Microsoft.NET\Framework\v' SourceImage|endswith: '\NGenTask.exe' TargetImage: 'C:\Windows\Microsoft.NET\Framework\' + filter_teams_to_update: + SourceImage|startswith: 'C:\Users\' + SourceImage|endswith: '\AppData\Local\Microsoft\Teams\stage\Teams.exe' + TargetImage|startswith: 'C:\Users\' + TargetImage|endswith: '\AppData\Local\Microsoft\Teams\Update.exe' + filter_teams_update_regsvr32: + SourceImage|startswith: 'C:\Users\' + SourceImage|endswith: '\AppData\Local\Microsoft\Teams\Update.exe' + TargetImage: 'C:\WINDOWS\SysWOW64\regsvr32.exe' + filter_teams_update_to_teams: + SourceImage|startswith: 'C:\Users\' + SourceImage|endswith: '\AppData\Local\Microsoft\Teams\Update.exe' + TargetImage|endswith: '\AppData\Local\Microsoft\Teams\stage\Teams.exe' condition: selection and not 1 of filter_* falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_non_interactive_powershell.yml b/rules/windows/process_creation/proc_creation_win_non_interactive_powershell.yml index 76e97c2a4..d0f211159 100644 --- a/rules/windows/process_creation/proc_creation_win_non_interactive_powershell.yml +++ b/rules/windows/process_creation/proc_creation_win_non_interactive_powershell.yml 
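Review bot: `filter_teams_update_to_teams` constrains `TargetImage` only with `|endswith`, while the two sibling Teams filters added in the same hunk pin both `SourceImage` and `TargetImage` with `|startswith: 'C:\Users\'`; add `TargetImage|startswith: 'C:\Users\'` to it so all three exclusions are anchored to a profile path the same way. The three `filter_teams_*` blocks would also benefit from one comment describing the sequence they appear to represent (`stage\Teams.exe` accessing `Update.exe`, `Update.exe` accessing `regsvr32.exe`, `Update.exe` accessing `stage\Teams.exe`), marked as observed from the false-positive samples, since nothing in the rule says why these pairs are benign.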
@@ -1,12 +1,12 @@ -title: Non Interactive PowerShell +title: Non Interactive PowerShell Process Spawned id: f4bbd493-b796-416e-bbf2-121235348529 status: test -description: Detects non-interactive PowerShell activity by looking at powershell.exe with not explorer.exe as a parent. +description: Detects non-interactive PowerShell activity by looking at powershell.exe with a non user process such as "explorer.exe" as a parent. references: - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190410151110.html author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) date: 2019/09/12 -modified: 2022/11/08 +modified: 2023/01/20 tags: - attack.execution - attack.t1059.001 @@ -15,13 +15,23 @@ logsource: product: windows detection: selection: - Image|endswith: '\powershell.exe' + - Image|endswith: + - '\powershell.exe' + - '\pwsh.exe' + - OriginalFileName: + - 'PowerShell.EXE' + - 'pwsh.dll' filter_generic: - ParentImage|endswith: - '\explorer.exe' - '\CompatTelRunner.exe' - ParentImage: 'C:\$WINDOWS.~BT\Sources\SetupHost.exe' # During Windows updates/upgrades # CommandLine: powershell.exe -ExecutionPolicy Restricted -Command Write-Host 'Final result: 1'; + filter_vscode: + # Triggered by VsCode when you open a Shell inside the workspace + ParentImage|startswith: 'C:\Users\' + ParentImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe' + ParentCommandLine|contains: ' --ms-enable-electron-run-as-node ' condition: selection and not 1 of filter_* falsepositives: - Legitimate programs executing PowerShell scripts
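Review bot: The rewritten `description` says the rule looks for powershell.exe "with a non user process such as "explorer.exe" as a parent", which inverts the logic: explorer.exe is the interactive user shell that `filter_generic` in the next hunk excludes, and the rule fires on parents that are not such processes. Suggest `description: 'Detects non-interactive PowerShell activity by looking at powershell.exe or pwsh.exe with a parent that is not an interactive user process such as "explorer.exe".'`, which also matches the widened `selection` below and single-quotes the value so the embedded double quotes are unambiguous in YAML.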