diff --git a/rules/web/proxy_generic/proxy_adv_ip_port_scanner_upd_check.yml b/rules/web/proxy_generic/proxy_adv_ip_port_scanner_upd_check.yml index acadc8c23..5e4ae4829 100644 --- a/rules/web/proxy_generic/proxy_adv_ip_port_scanner_upd_check.yml +++ b/rules/web/proxy_generic/proxy_adv_ip_port_scanner_upd_check.yml @@ -9,13 +9,13 @@ author: Axel Olsson date: 2022/08/14 tags: - attack.discovery - - attack.t1590 # Gather Victim Network Information + - attack.t1590 logsource: category: proxy detection: selection: - # Example request: http://www.advanced-port-scanner.com/checkupdate.php?lng=en&ver=2-5-3680&beta=n&type=upd&rmode=p&product=aps - # Example request2: http://www.advanced-ip-scanner.com/checkupdate.php?lng=en&ver=2-5-3499&beta=n&type=upd&rmode=p&product=aips + # Example request: http://www.advanced-port-scanner.com/checkupdate.php?lng=en&ver=2-5-3680&beta=n&type=upd&rmode=p&product=aps + # Example request2: http://www.advanced-ip-scanner.com/checkupdate.php?lng=en&ver=2-5-3499&beta=n&type=upd&rmode=p&product=aips c-uri|contains: '/checkupdate.php' c-uri-query|contains|all: - 'lng=' diff --git a/rules/windows/file/file_event/file_event_win_macro_file.yml b/rules/windows/file/file_event/file_event_win_macro_file.yml deleted file mode 100644 index 9e50c175a..000000000 --- a/rules/windows/file/file_event/file_event_win_macro_file.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -title: Dump Office Macro Files from Commandline -id: b1c50487-1967-4315-a026-6491686d860e -status: experimental -description: A office file with macro is created from a commandline or a script -references: - - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md - - https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference -author: frack113 -date: 2022/01/23 -modified: 2022/07/14 -tags: - - attack.initial_access - - attack.t1566.001 -logsource: - category: file_event - product: windows -detection: - selection_ext: - TargetFilename|endswith: - - .docm - - .dotm - - .xlsm - - .xltm - - .potm - - .pptm - - .pptx - selection_cmd: - - Image|endswith: - - \cmd.exe - - \powershell.exe - - \pwsh.exe - - ParentImage|endswith: - - \cmd.exe - - \powershell.exe - - \pwsh.exe - condition: all of selection_* -falsepositives: - - Unknown -level: medium diff --git a/rules/windows/file/file_event/file_event_win_msdt_autorun.yml b/rules/windows/file/file_event/file_event_win_msdt_susp_directories.yml similarity index 78% rename from rules/windows/file/file_event/file_event_win_msdt_autorun.yml rename to rules/windows/file/file_event/file_event_win_msdt_susp_directories.yml index 4d7362e61..00760bb48 100644 --- a/rules/windows/file/file_event/file_event_win_msdt_autorun.yml +++ b/rules/windows/file/file_event/file_event_win_msdt_susp_directories.yml 
@@ -1,12 +1,13 @@ -title: MSDT.exe Creates Files in Autorun Directory +title: File Creation In Suspicious Directory By Msdt.EXE id: 318557a5-150c-4c8d-b70e-a9910e199857 status: experimental -description: Detects msdt.exe creating files in suspicious directories +description: Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities references: - https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd - https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/ -author: Vadim Varganov, Florian Roth +author: Vadim Varganov, Florian Roth (Nextron Systems) date: 2022/08/24 +modified: 2023/02/23 tags: - attack.persistence - attack.t1547.001 @@ -18,11 +19,11 @@ detection: selection: Image|endswith: '\msdt.exe' TargetFilename|contains: - - '\Start Menu\Programs\Startup\' - - 'C:\Users\Public\' - - 'C:\PerfLogs\' - '\Desktop\' + - '\Start Menu\Programs\Startup\' + - 'C:\PerfLogs\' - 'C:\ProgramData\' + - 'C:\Users\Public\' condition: selection falsepositives: - Unknown diff --git a/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml b/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml index 6012c2d8f..7d2549e7e 100644 --- a/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml +++ b/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml @@ -1,4 +1,4 @@ -title: NET CLR Binary Execution Usage Log Artifact +title: Suspicious DotNET CLR Usage Log Artifact id: e0b06658-7d1d-4cd3-bf15-03467507ff7c related: - id: 4508a70e-97ef-4300-b62b-ff27992990ea 
@@ -15,14 +15,14 @@ references: - https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/ author: frack113, omkar72, oscd.community, Wojciech Lesicki date: 2022/11/18 -modified: 2023/01/05 +modified: 2023/02/23 tags: - attack.defense_evasion - attack.t1218 logsource: category: file_event product: windows - definition: 'Requirements: UsageLogs folder must be monitored by sysmon configuration' + definition: 'Requirements: UsageLogs folder must be monitored by the sysmon configuration' detection: selection: TargetFilename|endswith: @@ -35,7 +35,15 @@ detection: - '\UsageLogs\svchost.exe.log' - '\UsageLogs\wscript.exe.log' - '\UsageLogs\wmic.exe.log' - condition: selection + filter_rundll: + # This filter requires the event to be enriched by additional information such as ParentImage and CommandLine activity + ParentImage|endswith: '\MsiExec.exe' + ParentCommandLine|contains: ' -Embedding' + Image|endswith: '\rundll32.exe' + CommandLine|contains|all: + - 'Temp' + - 'zzzzInvokeManagedCustomActionOutOfProc' + condition: selection and not 1 of filter_* falsepositives: - Rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process - https://twitter.com/SBousseaden/status/1388064061087260675 level: high diff --git a/rules/windows/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml b/rules/windows/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml index 0bcabe0d8..7f08eb5b6 100644 --- a/rules/windows/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml +++ b/rules/windows/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml 
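Review bot: The new `filter_rundll` keys on `ParentImage`, `ParentCommandLine` and `CommandLine`, none of which Sysmon EID 11 carries by default, yet the `logsource.definition` touched in the first hunk still only mentions monitoring the UsageLogs folder. Other rules in this commit (file_event_win_ntds_dit.yml, file_event_win_office_macro_files_from_susp_process.yml) state the enrichment requirement in `definition`; this one should match, e.g. `definition: 'Requirements: UsageLogs folder must be monitored by the sysmon configuration. The filter relies on EID 11 being enriched with ParentImage/ParentCommandLine/CommandLine'`. Without that enrichment the filter can never match, so the rule still fires but the msiexec/rundll32 case listed under `falsepositives` is not suppressed; the inline comment above the filter should say so rather than only that enrichment is "required".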
@@ -1,4 +1,4 @@ -title: Creation Suspicious File In Uncommon AppData Folder +title: Suspicious File Creation In Uncommon AppData Folder id: d7b50671-d1ad-4871-aa60-5aa5b331fe04 status: experimental description: Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs @@ -6,7 +6,7 @@ references: - Internal Research author: Nasreddine Bencherchali (Nextron Systems) date: 2022/08/05 -modified: 2022/10/28 +modified: 2023/02/23 tags: - attack.defense_evasion - attack.execution @@ -15,24 +15,26 @@ logsource: category: file_event detection: selection: + TargetFilename|startswith: 'C:\Users\' TargetFilename|contains: '\AppData\' TargetFilename|endswith: # Add more as needed - - '.exe' - - '.dll' - '.bat' - - '.vbe' - - '.vbs' - - '.msi' + - '.cmd' + - '.cpl' + - '.dll' + - '.exe' + - '.hta' - '.iso' - '.lnk' - - '.cmd' + - '.msi' - '.ps1' - '.psm1' - - '.hta' - - '.cpl' - '.scr' + - '.vbe' + - '.vbs' filter: + TargetFilename|startswith: 'C:\Users\' TargetFilename|contains: - '\AppData\Local\' - '\AppData\LocalLow\' diff --git a/rules/windows/file/file_event/file_event_win_new_src_file.yml b/rules/windows/file/file_event/file_event_win_new_src_file.yml index 65bf8e139..01f0e5e7b 100644 --- a/rules/windows/file/file_event/file_event_win_new_src_file.yml +++ b/rules/windows/file/file_event/file_event_win_new_src_file.yml 
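Review bot: The `TargetFilename|startswith: 'C:\Users\'` added to `filter` is redundant: `filter` is only evaluated against events that already passed `selection`, which now requires the same prefix, so only the `contains` values in the filter do any work and the extra line can be dropped. Pinning the drive letter in `selection` also removes coverage for profiles on another volume or a redirected profiles directory, where the `\AppData\` path does not start with `C:\Users\`; if the goal is only to exclude non-profile paths, folding the marker into the existing key as `TargetFilename|contains|all: [':\Users\', '\AppData\']` keeps that without the drive assumption. The `filter` block continues past the end of the hunk, so its remaining entries cannot be checked here.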
@@ -1,15 +1,15 @@ title: SCR File Write Event id: c048f047-7e2a-4888-b302-55f509d4a91d status: experimental -description: An attacker may execute an application as a .SCR File (Screensaver) using rundll32.exe desk.cpl,InstallScreenSaver +description: Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as an ".SCR" file using "rundll32.exe desk.cpl,InstallScreenSaver" for example. references: - https://lolbas-project.github.io/lolbas/Libraries/Desk/ author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io' date: 2022/04/27 -modified: 2022/11/28 +modified: 2023/02/23 tags: - - attack.t1218.011 - attack.defense_evasion + - attack.t1218.011 logsource: category: file_event product: windows @@ -18,11 +18,12 @@ detection: TargetFilename|endswith: '.scr' filter: TargetFilename|startswith: + - 'C:\$WINDOWS.~BT\NewOS\' - 'C:\Windows\System32\' - 'C:\Windows\SysWOW64\' - 'C:\Windows\WinSxS\' - - 'C:\$WINDOWS.~BT\NewOS\' + - ':\WUDownloadCache\' # Windows Update Download Cache condition: selection and not filter falsepositives: - - The installation of new screen savers. + - The installation of new screen savers by third party software level: medium diff --git a/rules/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml b/rules/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml index 6c8d3124a..3ef18e300 100644 --- a/rules/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml +++ b/rules/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml 
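Review bot: The new filter entry `- ':\WUDownloadCache\'` sits under `TargetFilename|startswith`, and a Windows path begins with its drive letter, so a value starting with `:\` can never be a prefix of the field; the entry is dead and `.scr` files written to the Windows Update download cache still alert. Either write it like its siblings, `- 'C:\WUDownloadCache\'`, or, if the drive letter is deliberately left open, put it in a second filter map with `TargetFilename|contains: ':\WUDownloadCache\'` and widen the condition to `selection and not 1 of filter*`. The reordering of the other prefixes and the reworded false-positive line are fine.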
@@ -25,8 +25,8 @@ detection: Image|endswith: - '\target.exe' - 'Installer.x64.exe' - condition: selection and not 1 of filter* + condition: selection and not 1 of filter_* falsepositives: - Possible FPs during first installation of Notepad++ - - Legitimate use of custom plugins to enhance notepad++ functionality by users + - Legitimate use of custom plugins by users in order to enhance notepad++ functionalities level: medium diff --git a/rules/windows/file/file_event/file_event_win_ntds_dit.yml b/rules/windows/file/file_event/file_event_win_ntds_dit.yml index 80ace4d8a..45dafcf4a 100644 --- a/rules/windows/file/file_event/file_event_win_ntds_dit.yml +++ b/rules/windows/file/file_event/file_event_win_ntds_dit.yml @@ -1,7 +1,7 @@ title: Suspicious NTDS.DIT Creation id: 4e7050dd-e548-483f-b7d6-527ab4fa784d -status: experimental -description: Detects suspicious creations of a file named ntds.dit, e.g. by a PowerShell parent or in a suspicious directory or a suspicious one liner +status: test +description: Detects suspicious creations of a file named "ntds.dit" (Active Directory Database) by suspicious parent process, directory or a suspicious one liner references: - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration - https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/ @@ -16,10 +16,12 @@ tags: logsource: product: windows category: file_event + definition: 'Requirements: The "ParentImage" field is not available by default on EID 11 of Sysmon logs. To be able to use this rule to the full extent you need to enriche the log with additional ParentImage data' detection: selection_file: TargetFilename|endswith: '\ntds.dit' selection_process_parent: + # Note: ParentImage is a custom field and is not available by default on Sysmon EID 11 ParentImage|endswith: - '\powershell.exe' - '\pwsh.exe' 
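Review bot: The new `definition` string in file_event_win_ntds_dit.yml has a typo, `enriche` → `enrich`, and the identical sentence with the identical typo is added in file_event_win_office_macro_files_from_susp_process.yml; fix both, e.g. `... you need to enrich the log with additional ParentImage data'`. Since `ParentImage` is absent on unenriched EID 11, `selection_process_parent` and `selection_process_parent_path` are simply never true there; stating in the definition which `selection_*` parts still work without enrichment tells operators what coverage they actually have. The rule's `condition` is outside the hunk, so whether the remaining selections are OR'd cannot be confirmed from here.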
@@ -30,6 +32,7 @@ detection: - '\nginx.exe' - '\httpd.exe' selection_process_parent_path: + # Note: ParentImage is a custom field and is not available by default on Sysmon EID 11 ParentImage|contains: - '\apache' - '\tomcat' diff --git a/rules/windows/file/file_event/file_event_win_persistence_office_addin.yml b/rules/windows/file/file_event/file_event_win_office_addin_persistence.yml similarity index 100% rename from rules/windows/file/file_event/file_event_win_persistence_office_addin.yml rename to rules/windows/file/file_event/file_event_win_office_addin_persistence.yml diff --git a/rules/windows/file/file_event/file_event_win_office_macro_files_created.yml b/rules/windows/file/file_event/file_event_win_office_macro_files_created.yml new file mode 100644 index 000000000..4d3d05c68 --- /dev/null +++ b/rules/windows/file/file_event/file_event_win_office_macro_files_created.yml @@ -0,0 +1,31 @@ +title: Office Macro File Creation +id: 91174a41-dc8f-401b-be89-7bfc140612a0 +related: + - id: 0e29e3a7-1ad8-40aa-b691-9f82ecd33d66 + type: similar +status: experimental +description: Detects the creation of a new office macro files on the systems +references: + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md + - https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference +author: Nasreddine Bencherchali (Nextron Systems) +date: 2022/01/23 +tags: + - attack.initial_access + - attack.t1566.001 +logsource: + category: file_event + product: windows +detection: + selection: + TargetFilename|endswith: + - '.docm' + - '.dotm' + - '.xlsm' + - '.xltm' + - '.potm' + - '.pptm' + condition: selection +falsepositives: + - Very common in environments that rely heavily on macro documents +level: low 
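Review bot: The description `Detects the creation of a new office macro files on the systems` mixes singular and plural; `Detects the creation of new macro-enabled Office files (.docm, .dotm, .xlsm, .xltm, .potm, .pptm)` reads cleanly and documents the scope at the same time. The extension list covers the macro-enabled document and template formats but not the macro-enabled add-in formats `.xlam` and `.ppam` listed in the Office file-format reference cited under `references`; if they are left out on purpose (covered elsewhere, or too noisy for a `low` rule), a one-line comment under `TargetFilename|endswith` would spare the next reader the question. Dropping `.pptx` from the list inherited from the deleted file_event_win_macro_file.yml is correct, since the `x` formats cannot carry macros.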
diff --git a/rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml b/rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml new file mode 100644 index 000000000..107a35c0c --- /dev/null +++ b/rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml @@ -0,0 +1,54 @@ +title: Office Macro File Download +id: 0e29e3a7-1ad8-40aa-b691-9f82ecd33d66 +related: + - id: 91174a41-dc8f-401b-be89-7bfc140612a0 + type: similar +status: experimental +description: Detects the creation of a new office macro files on the systems via an application (browser, mail client). +references: + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md + - https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference +author: Nasreddine Bencherchali (Nextron Systems) +date: 2022/01/23 +tags: + - attack.initial_access + - attack.t1566.001 +logsource: + category: file_event + product: windows +detection: + selection_processes: + Image|endswith: + # Email clients + - '\outlook.exe' + - '\thunderbird.exe' + - '\HxOutlook.exe' + # Browsers + - '\brave.exe' + - '\chrome.exe' + - '\firefox.exe' + - '\iexplorer.exe' + - '\microsoftedge.exe' + - '\microsoftedgecp.exe' + - '\msedge.exe' + - '\opera.exe' + selection_ext: + - TargetFilename|endswith: + - '.docm' + - '.dotm' + - '.xlsm' + - '.xltm' + - '.potm' + - '.pptm' + - TargetFilename|contains: + - '.docm:Zone' + - '.dotm:Zone' + - '.xlsm:Zone' + - '.xltm:Zone' + - '.potm:Zone' + - '.pptm:Zone' + condition: all of selection_* +falsepositives: + - Legitimate macro files downloaded from the internet + - Legitimate macro files sent as attachemnts via emails +level: medium 
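Review bot: `'\iexplorer.exe'` in `selection_processes` does not match Internet Explorer, whose image name is `iexplore.exe`, so the entry is dead and macro files saved through IE are not covered; change it to `- '\iexplore.exe'`. Two wording fixes as well: `attachemnts` in `falsepositives` → `attachments`, and the description would read better as `Detects the creation of new macro-enabled Office files on the system by a browser or mail client`. The split of `selection_ext` into a filename list and a `:Zone` list correctly catches the Zone.Identifier stream write as well as the file itself.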
diff --git a/rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml b/rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml new file mode 100644 index 000000000..e256ad938 --- /dev/null +++ b/rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml @@ -0,0 +1,44 @@ +title: Office Macro File Creation From Suspicious Process +id: b1c50487-1967-4315-a026-6491686d860e +status: experimental +description: Detects the creation of a office macro file from a a suspicious process +references: + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md + - https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference +author: frack113, Nasreddine Bencherchali (Nextron Systems) +date: 2022/01/23 +modified: 2023/02/22 +tags: + - attack.initial_access + - attack.t1566.001 +logsource: + category: file_event + product: windows + definition: 'Requirements: The "ParentImage" field is not available by default on EID 11 of Sysmon logs. To be able to use this rule to the full extent you need to enriche the log with additional ParentImage data' +detection: + selection_cmd: + - Image|endswith: + - '\cscript.exe' + - '\mshta.exe' + - '\regsvr32.exe' + - '\rundll32.exe' + - '\wscript.exe' + # Note: ParentImage is a custom field and is not available by default on Sysmon EID 11 + - ParentImage|endswith: + - '\cscript.exe' + - '\mshta.exe' + - '\regsvr32.exe' + - '\rundll32.exe' + - '\wscript.exe' + selection_ext: + TargetFilename|endswith: + - '.docm' + - '.dotm' + - '.xlsm' + - '.xltm' + - '.potm' + - '.pptm' + condition: all of selection_* +falsepositives: + - Unknown +level: high diff --git a/rules/windows/file/file_event/file_event_win_office_outlook_newform.yml b/rules/windows/file/file_event/file_event_win_office_outlook_newform.yml new file mode 100644 index 000000000..7584c5e49 --- /dev/null 
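Review bot: The description `Detects the creation of a office macro file from a a suspicious process` doubles the article; `Detects the creation of an Office macro file by a suspicious process` fixes it. The file keeps id `b1c50487-1967-4315-a026-6491686d860e` from the deleted file_event_win_macro_file.yml while replacing the cmd/powershell/pwsh process list with script hosts, so consumers keyed on that id will see different behaviour from the same rule; the `modified` bump covers that, but the two sibling macro rules in this commit link each other through `related` with `type: similar` and this one carries no such block, which is worth adding for consistency. Without the ParentImage enrichment named in `definition`, only the `Image|endswith` half of `selection_cmd` can match, which the inline `# Note:` comment could say outright.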
+++ b/rules/windows/file/file_event/file_event_win_office_outlook_newform.yml @@ -0,0 +1,28 @@ +title: Potential Persistence Via Outlook Form +id: c3edc6a5-d9d4-48d8-930e-aab518390917 +status: experimental +description: Detects the creation of a new Outlook form which can contain malicious code +references: + - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=76 + - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=79 + - https://learn.microsoft.com/en-us/office/vba/outlook/concepts/outlook-forms/create-an-outlook-form + - https://www.slipstick.com/developer/custom-form/clean-outlooks-forms-cache/ +author: Tobias Michalski (Nextron Systems) +date: 2021/06/10 +modified: 2023/02/22 +tags: + - attack.persistence + - attack.t1137.003 +logsource: + product: windows + category: file_event +detection: + selection: + Image|endswith: '\outlook.exe' + TargetFilename|contains: + - '\AppData\Local\Microsoft\FORMS\IPM' + - '\Local Settings\Application Data\Microsoft\Forms' # Windows XP + condition: selection +falsepositives: + - Legitimate use of outlook forms +level: high diff --git a/rules/windows/file/file_event/file_event_win_susp_winword_startup.yml b/rules/windows/file/file_event/file_event_win_office_winword_startup.yml similarity index 100% rename from rules/windows/file/file_event/file_event_win_susp_winword_startup.yml rename to rules/windows/file/file_event/file_event_win_office_winword_startup.yml diff --git a/rules/windows/file/file_event/file_event_win_outlook_newform.yml b/rules/windows/file/file_event/file_event_win_outlook_newform.yml deleted file mode 100644 index 5c4622c5b..000000000 --- a/rules/windows/file/file_event/file_event_win_outlook_newform.yml +++ /dev/null 
@@ -1,23 +0,0 @@ -title: Outlook Form Installation -id: c3edc6a5-d9d4-48d8-930e-aab518390917 -status: experimental -description: Detects the creation of new Outlook form which can contain malicious code -references: - - https://twitter.com/blueteamsec1/status/1401290874202382336?s=20 -author: Tobias Michalski (Nextron Systems) -date: 2021/06/10 -modified: 2022/06/16 -tags: - - attack.persistence - - attack.t1137.003 -logsource: - product: windows - category: file_event -detection: - selection: - Image|endswith: '\outlook.exe' - TargetFilename|contains: '\appdata\local\microsoft\FORMS\' - condition: selection -falsepositives: - - Unknown -level: high diff --git a/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml b/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml index 898434ae4..b0d69d9db 100644 --- a/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml +++ b/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml @@ -1,8 +1,8 @@ -title: PowerShell Writing Startup Shortcuts +title: Potential Startup Shortcut Persistence Via PowerShell.EXE id: 92fa78e7-4d39-45f1-91a3-8b23f3f1088d status: experimental description: | - Attempts to detect PowerShell writing startup shortcuts. + Detects PowerShell writing startup shortcuts. This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence. Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats. In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL" 
@@ -11,7 +11,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder author: Christopher Peacock '@securepeacock', SCYTHE date: 2021/10/24 -modified: 2022/08/10 +modified: 2023/02/23 tags: - attack.persistence - attack.t1547.001 @@ -27,6 +27,5 @@ detection: TargetFilename|endswith: '.lnk' condition: selection falsepositives: - - Unknown - Depending on your environment accepted applications may leverage this at times. It is recommended to search for anomalies inidicative of malware. level: high diff --git a/rules/windows/file/file_event/file_event_win_psexec_service_key.yml b/rules/windows/file/file_event/file_event_win_psexec_service_key.yml index 7f2c10487..810a73519 100644 --- a/rules/windows/file/file_event/file_event_win_psexec_service_key.yml +++ b/rules/windows/file/file_event/file_event_win_psexec_service_key.yml @@ -1,12 +1,13 @@ -title: Potential PSEXEC Remote Execution - FileCreation +title: PSEXEC Remote Execution File Artefact id: 304afd73-55a5-4bb9-8c21-0b1fc84ea9e4 status: experimental -description: Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed and gets written to the file system and will be recorded in the USN Journal on the target system +description: Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system references: - https://aboutdfir.com/the-key-to-identify-psexec/ - https://twitter.com/davisrichardg/status/1616518800584704028 author: Nasreddine Bencherchali (Nextron Systems) date: 2023/01/21 +modified: 2023/02/23 tags: - attack.lateral_movement - attack.privilege_escalation 
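Review bot: The reworded PSEXEC description is still a fragment: `Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed.`; `Detects the creation of the PSEXEC key file, which is written to the file system whenever a PsExec command is executed and is recorded in the USN Journal on the target system` is one sentence and drops the repetition. Only the title, description and `modified` lines change in this hunk; the detection block lies outside it.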
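Review bot: The retained `falsepositives` line in file_event_win_powershell_startup_shortcuts.yml still carries the typo `inidicative`; since the hunk already edits this block it is the natural place to fix it, `It is recommended to search for anomalies indicative of malware.` Removing the `Unknown` entry next to a concrete one is the right call.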
diff --git a/rules/windows/image_load/image_load_dll_system_drawing_load.yml b/rules/windows/image_load/image_load_dll_system_drawing_load.yml new file mode 100644 index 000000000..51324c320 --- /dev/null +++ b/rules/windows/image_load/image_load_dll_system_drawing_load.yml @@ -0,0 +1,23 @@ +title: System Drawing DLL Load +id: 666ecfc7-229d-42b8-821e-1a8f8cb7057c +status: experimental +description: Detects processes loading "System.Drawing.ni.dll". This could be an indicator of potential Screen Capture. +references: + - https://github.com/OTRF/detection-hackathon-apt29/issues/16 + - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.A.1_3B4E5808-3C71-406A-B181-17B0CE3178C9.md +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +date: 2020/05/02 +modified: 2023/02/22 +tags: + - attack.collection + - attack.t1113 +logsource: + product: windows + category: image_load +detection: + selection: + ImageLoaded|endswith: '\System.Drawing.ni.dll' + condition: selection +falsepositives: + - False positives are very common from system and third party applications, activity needs to be investigated. This rule is best correlated with other events to increase the level of suspiciousness +level: low diff --git a/rules/windows/image_load/image_load_scrcons_imageload_wmi_scripteventconsumer.yml b/rules/windows/image_load/image_load_scrcons_wmi_scripteventconsumer.yml similarity index 80% rename from rules/windows/image_load/image_load_scrcons_imageload_wmi_scripteventconsumer.yml rename to rules/windows/image_load/image_load_scrcons_wmi_scripteventconsumer.yml index cbd0546ac..964af7e05 100644 --- a/rules/windows/image_load/image_load_scrcons_imageload_wmi_scripteventconsumer.yml +++ b/rules/windows/image_load/image_load_scrcons_wmi_scripteventconsumer.yml 
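Review bot: `ImageLoaded|endswith: '\System.Drawing.ni.dll'` matches only the native (NGEN) image; a process that loads the IL assembly `System.Drawing.dll` instead, for example when no valid native image is present, produces no match, so the list would presumably need `- '\System.Drawing.dll'` as a second entry — hedged, since the deleted rule had the same scope and the FP profile may change. This file replaces image_load_susp_system_drawing_load.yml under the same id and drops its `filter`, `filter2` and `filter3` blocks, which the old file justified with a comment about excessive false positives; a short comment above `selection` recording why the filters were removed (too narrow for a `low` hunting rule, or moved elsewhere) would keep that decision readable for the next maintainer.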
@@ -1,14 +1,14 @@ -title: WMI Script Host Process Image Loaded +title: WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load id: b439f47d-ef52-4b29-9a2f-57d8a96cb6b8 status: test -description: Detects signs of the WMI script host process %SystemRoot%\system32\wbem\scrcons.exe functionality being used via images being loaded by a process. +description: Detects signs of the WMI script host process "scrcons.exe" loading scripting DLLs which could indciates WMI ActiveScriptEventConsumers EventConsumers activity. references: - https://twitter.com/HunterPlaybook/status/1301207718355759107 - https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/ - https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020/09/02 -modified: 2022/10/11 +modified: 2023/02/22 tags: - attack.lateral_movement - attack.privilege_escalation diff --git a/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml b/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml index eb8192074..8edcc33ef 100644 --- a/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml +++ b/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml @@ -1,7 +1,7 @@ -title: CLR DLL Loaded Via Scripting Applications +title: DotNet CLR DLL Loaded By Scripting Applications id: 4508a70e-97ef-4300-b62b-ff27992990ea status: test -description: Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript +description: Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution. references: - https://github.com/tyranid/DotNetToJScript - https://thewover.github.io/Introducing-Donut/ 
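Review bot: The new description has a typo and a doubled term: `indciates` → `indicates`, and `WMI ActiveScriptEventConsumers EventConsumers activity` → `WMI ActiveScriptEventConsumer activity`. The new title `WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load` is clear; the loaded-DLL list that the description refers to is outside this hunk.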
@@ -9,7 +9,7 @@ references: - https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008 author: omkar72, oscd.community date: 2020/10/14 -modified: 2023/01/06 +modified: 2023/02/23 tags: - attack.execution - attack.privilege_escalation @@ -20,11 +20,14 @@ logsource: detection: selection: Image|endswith: - - '\wscript.exe' + - '\cmstp.exe' - '\cscript.exe' - '\mshta.exe' - - '\cmstp.exe' - '\msxsl.exe' + - '\regsvr32.exe' + #- '\svchost.exe' + - '\wmic.exe' + - '\wscript.exe' ImageLoaded|endswith: - '\clr.dll' - '\mscoree.dll' diff --git a/rules/windows/image_load/image_load_susp_system_drawing_load.yml b/rules/windows/image_load/image_load_susp_system_drawing_load.yml deleted file mode 100644 index f380cf54b..000000000 --- a/rules/windows/image_load/image_load_susp_system_drawing_load.yml +++ /dev/null 
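Review bot: `#- '\svchost.exe'` leaves a disabled selection entry with no explanation, so the next editor cannot tell whether it was pulled for false positives or is pending; either drop the line or keep it with a reason, e.g. `# - '\svchost.exe'  # disabled: <reason>` (the space after `#` also matches the repo's comment style). Adding `regsvr32.exe` and `wmic.exe` widens the set considerably, and `regsvr32.exe` loading the CLR may occur for legitimately registered managed COM components, so the `falsepositives` block outside this hunk should probably mention that case. The re-sorting of the existing entries is fine.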
@@ -1,39 +0,0 @@ -title: Suspicious System.Drawing Load -id: 666ecfc7-229d-42b8-821e-1a8f8cb7057c -status: experimental -description: A General detection for processes loading System.Drawing.ni.dll. This could be an indicator of potential Screen Capture. -references: - - https://github.com/OTRF/detection-hackathon-apt29/issues/16 - - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.md -author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) -date: 2020/05/02 -modified: 2022/08/13 -tags: - - attack.collection - - attack.t1113 -logsource: - product: windows - category: image_load -detection: - selection: - ImageLoaded|endswith: '\System.Drawing.ni.dll' - filter: - # The number of false positives was too high - we had to do this broader filter - # based on the following paths that shouldn't be writable to an unprivileged user - Image|startswith: - - 'C:\Program Files\' - - 'C:\Program Files (x86)\' - - 'C:\Windows\System32\' - - 'C:\Windows\Microsoft.NET\' - - 'C:\Windows\ImmersiveControlPanel\' - filter2: - Image: 'C:\Windows\System32\NhNotifSys.exe' - filter3: - Image|startswith: 'C:\Users\' - Image|endswith: - - '\AppData\Local\NhNotifSys\nahimic\nahimicNotifSys.exe' - - '\GitHubDesktop\Update.exe' - condition: selection and not 1 of filter* -falsepositives: - - Unknown -level: low