From 078e3ab500dc3b218b8f33e041743554ca16f04c Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 23 Feb 2023 12:49:44 +0100 Subject: [PATCH 1/9] feat: updates and fixes --- .../proxy_adv_ip_port_scanner_upd_check.yml | 6 +- .../file_event/file_event_win_macro_file.yml | 39 ------------- ... file_event_win_msdt_susp_directories.yml} | 13 +++-- .../file_event_win_net_cli_artefact.yml | 16 +++-- ...n_new_files_in_uncommon_appdata_folder.yml | 22 +++---- .../file_event_win_new_src_file.yml | 11 ++-- ...vent_win_notepad_plus_plus_persistence.yml | 4 +- .../file_event/file_event_win_ntds_dit.yml | 7 ++- ...le_event_win_office_addin_persistence.yml} | 0 ...e_event_win_office_macro_files_created.yml | 32 ++++++++++ ...vent_win_office_macro_files_downloaded.yml | 56 ++++++++++++++++++ ...n_office_macro_files_from_susp_process.yml | 58 +++++++++++++++++++ .../file_event_win_office_outlook_newform.yml | 28 +++++++++ ...file_event_win_office_winword_startup.yml} | 0 .../file_event_win_outlook_newform.yml | 23 -------- ...event_win_powershell_startup_shortcuts.yml | 7 +-- .../file_event_win_psexec_service_key.yml | 5 +- .../file_event_win_remote_cred_dump.yml | 5 ++ .../image_load_dll_system_drawing_load.yml | 23 ++++++++ ..._load_scrcons_wmi_scripteventconsumer.yml} | 6 +- ...e_load_susp_script_dotnet_clr_dll_load.yml | 13 +++-- .../image_load_susp_system_drawing_load.yml | 39 ------------- 22 files changed, 266 insertions(+), 147 deletions(-) delete mode 100644 rules/windows/file/file_event/file_event_win_macro_file.yml rename rules/windows/file/file_event/{file_event_win_msdt_autorun.yml => file_event_win_msdt_susp_directories.yml} (78%) rename rules/windows/file/file_event/{file_event_win_persistence_office_addin.yml => file_event_win_office_addin_persistence.yml} (100%) create mode 100644 rules/windows/file/file_event/file_event_win_office_macro_files_created.yml create mode 100644 rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml create mode 100644 
rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml create mode 100644 rules/windows/file/file_event/file_event_win_office_outlook_newform.yml rename rules/windows/file/file_event/{file_event_win_susp_winword_startup.yml => file_event_win_office_winword_startup.yml} (100%) delete mode 100644 rules/windows/file/file_event/file_event_win_outlook_newform.yml create mode 100644 rules/windows/image_load/image_load_dll_system_drawing_load.yml rename rules/windows/image_load/{image_load_scrcons_imageload_wmi_scripteventconsumer.yml => image_load_scrcons_wmi_scripteventconsumer.yml} (80%) delete mode 100644 rules/windows/image_load/image_load_susp_system_drawing_load.yml diff --git a/rules/web/proxy_generic/proxy_adv_ip_port_scanner_upd_check.yml b/rules/web/proxy_generic/proxy_adv_ip_port_scanner_upd_check.yml index acadc8c23..5e4ae4829 100644 --- a/rules/web/proxy_generic/proxy_adv_ip_port_scanner_upd_check.yml +++ b/rules/web/proxy_generic/proxy_adv_ip_port_scanner_upd_check.yml @@ -9,13 +9,13 @@ author: Axel Olsson date: 2022/08/14 tags: - attack.discovery - - attack.t1590 # Gather Victim Network Information + - attack.t1590 logsource: category: proxy detection: selection: - # Example request: http://www.advanced-port-scanner.com/checkupdate.php?lng=en&ver=2-5-3680&beta=n&type=upd&rmode=p&product=aps - # Example request2: http://www.advanced-ip-scanner.com/checkupdate.php?lng=en&ver=2-5-3499&beta=n&type=upd&rmode=p&product=aips + # Example request: http://www.advanced-port-scanner.com/checkupdate.php?lng=en&ver=2-5-3680&beta=n&type=upd&rmode=p&product=aps + # Example request2: http://www.advanced-ip-scanner.com/checkupdate.php?lng=en&ver=2-5-3499&beta=n&type=upd&rmode=p&product=aips c-uri|contains: '/checkupdate.php' c-uri-query|contains|all: - 'lng=' diff --git a/rules/windows/file/file_event/file_event_win_macro_file.yml b/rules/windows/file/file_event/file_event_win_macro_file.yml deleted file mode 100644 index 9e50c175a..000000000 
--- a/rules/windows/file/file_event/file_event_win_macro_file.yml +++ /dev/null @@ -1,39 +0,0 @@ -title: Dump Office Macro Files from Commandline -id: b1c50487-1967-4315-a026-6491686d860e -status: experimental -description: A office file with macro is created from a commandline or a script -references: - - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md - - https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference -author: frack113 -date: 2022/01/23 -modified: 2022/07/14 -tags: - - attack.initial_access - - attack.t1566.001 -logsource: - category: file_event - product: windows -detection: - selection_ext: - TargetFilename|endswith: - - .docm - - .dotm - - .xlsm - - .xltm - - .potm - - .pptm - - .pptx - selection_cmd: - - Image|endswith: - - \cmd.exe - - \powershell.exe - - \pwsh.exe - - ParentImage|endswith: - - \cmd.exe - - \powershell.exe - - \pwsh.exe - condition: all of selection_* -falsepositives: - - Unknown -level: medium diff --git a/rules/windows/file/file_event/file_event_win_msdt_autorun.yml b/rules/windows/file/file_event/file_event_win_msdt_susp_directories.yml similarity index 78% rename from rules/windows/file/file_event/file_event_win_msdt_autorun.yml rename to rules/windows/file/file_event/file_event_win_msdt_susp_directories.yml index 4d7362e61..00760bb48 100644 --- a/rules/windows/file/file_event/file_event_win_msdt_autorun.yml +++ b/rules/windows/file/file_event/file_event_win_msdt_susp_directories.yml 
@@ -1,12 +1,13 @@ -title: MSDT.exe Creates Files in Autorun Directory +title: File Creation In Suspicious Directory By Msdt.EXE id: 318557a5-150c-4c8d-b70e-a9910e199857 status: experimental -description: Detects msdt.exe creating files in suspicious directories +description: Detects msdt.exe creating files in suspicious directories which could be a sign of exploitation of either Follina or Dogwalk vulnerabilities references: - https://irsl.medium.com/the-trouble-with-microsofts-troubleshooters-6e32fc80b8bd - https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/ -author: Vadim Varganov, Florian Roth +author: Vadim Varganov, Florian Roth (Nextron Systems) date: 2022/08/24 +modified: 2023/02/23 tags: - attack.persistence - attack.t1547.001 @@ -18,11 +19,11 @@ detection: selection: Image|endswith: '\msdt.exe' TargetFilename|contains: - - '\Start Menu\Programs\Startup\' - - 'C:\Users\Public\' - - 'C:\PerfLogs\' - '\Desktop\' + - '\Start Menu\Programs\Startup\' + - 'C:\PerfLogs\' - 'C:\ProgramData\' + - 'C:\Users\Public\' condition: selection falsepositives: - Unknown diff --git a/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml b/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml index 6012c2d8f..9bd9b02ec 100644 --- a/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml +++ b/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml @@ -1,4 +1,4 @@ -title: NET CLR Binary Execution Usage Log Artifact +title: Suspicious DotNET CLR Usage Log Artifact id: e0b06658-7d1d-4cd3-bf15-03467507ff7c related: - id: 4508a70e-97ef-4300-b62b-ff27992990ea 
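Review bot: The new description for rule 318557a5 ties the activity to Follina (CVE-2022-30190) and DogWalk, but the `tags:` block below it still carries only `attack.persistence` / `attack.t1547.001` and no CVE tag, so the widened scope is not visible where consumers filter on tags. Sigma's convention for CVE-bound rules is a `cve.2022.30190` entry alongside the ATT&CK tags. In the reordered list, `- '\Desktop\'` is also the only path without a drive or parent-folder anchor and will match a Desktop folder anywhere in the path; if that breadth is intended, a short inline comment saying so would stop the next reader from tightening it.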
@@ -15,14 +15,14 @@ references: - https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/ author: frack113, omkar72, oscd.community, Wojciech Lesicki date: 2022/11/18 -modified: 2023/01/05 +modified: 2023/02/23 tags: - attack.defense_evasion - attack.t1218 logsource: category: file_event product: windows - definition: 'Requirements: UsageLogs folder must be monitored by sysmon configuration' + definition: 'Requirements: UsageLogs folder must be monitored by the sysmon configuration' detection: selection: TargetFilename|endswith: @@ -35,7 +35,15 @@ detection: - '\UsageLogs\svchost.exe.log' - '\UsageLogs\wscript.exe.log' - '\UsageLogs\wmic.exe.log' - condition: selection + filter_rundll: + # This filter requires the event to be enriched by additional information such as ParentImage and CommandLine activity + ParentImage|endswith: '\MsiExec.exe' + ParentImage|ParentCommandLine: ' -Embedding' + Image|endswith: '\rundll32.exe' + CommandLine|contains|all: + - 'Temp' + - 'zzzzInvokeManagedCustomActionOutOfProc' + condition: selection and not 1 of filter_* falsepositives: - Rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process - https://twitter.com/SBousseaden/status/1388064061087260675 level: high diff --git a/rules/windows/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml b/rules/windows/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml index 0bcabe0d8..7f08eb5b6 100644 --- a/rules/windows/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml +++ b/rules/windows/file/file_event/file_event_win_new_files_in_uncommon_appdata_folder.yml 
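Review bot: `ParentImage|ParentCommandLine: ' -Embedding'` in the new `filter_rundll` block is not a valid field/modifier pair as printed here — `ParentCommandLine` is a field, not a modifier — so the filter will either be rejected at validation time or never match, and the msiexec/rundll32 false positive it is meant to suppress stays unsuppressed. It should read `ParentCommandLine|contains: ' -Embedding'`. Because the filter depends on `ParentImage`, `ParentCommandLine` and `CommandLine`, none of which Sysmon EID 11 carries by default, the `definition:` string edited a few lines above (which still only mentions the UsageLogs folder) should state that enrichment requirement, as the ntds.dit rule in this same patch does. The `falsepositives` entry below also still describes exactly the case the filter now removes, which may confuse readers about whether the filter is in effect.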
@@ -1,4 +1,4 @@ -title: Creation Suspicious File In Uncommon AppData Folder +title: Suspicious File Creation In Uncommon AppData Folder id: d7b50671-d1ad-4871-aa60-5aa5b331fe04 status: experimental description: Detects the creation of suspicious files and folders inside the user's AppData folder but not inside any of the common and well known directories (Local, Romaing, LocalLow). This method could be used as a method to bypass detection who exclude the AppData folder in fear of FPs @@ -6,7 +6,7 @@ references: - Internal Research author: Nasreddine Bencherchali (Nextron Systems) date: 2022/08/05 -modified: 2022/10/28 +modified: 2023/02/23 tags: - attack.defense_evasion - attack.execution @@ -15,24 +15,26 @@ logsource: category: file_event detection: selection: + TargetFilename|startswith: 'C:\Users\' TargetFilename|contains: '\AppData\' TargetFilename|endswith: # Add more as needed - - '.exe' - - '.dll' - '.bat' - - '.vbe' - - '.vbs' - - '.msi' + - '.cmd' + - '.cpl' + - '.dll' + - '.exe' + - '.hta' - '.iso' - '.lnk' - - '.cmd' + - '.msi' - '.ps1' - '.psm1' - - '.hta' - - '.cpl' - '.scr' + - '.vbe' + - '.vbs' filter: + TargetFilename|startswith: 'C:\Users\' TargetFilename|contains: - '\AppData\Local\' - '\AppData\LocalLow\' diff --git a/rules/windows/file/file_event/file_event_win_new_src_file.yml b/rules/windows/file/file_event/file_event_win_new_src_file.yml index 65bf8e139..72607f10c 100644 --- a/rules/windows/file/file_event/file_event_win_new_src_file.yml +++ b/rules/windows/file/file_event/file_event_win_new_src_file.yml 
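Review bot: The `TargetFilename|startswith: 'C:\Users\'` line added inside `filter` is redundant if the condition (outside this hunk) is the usual `selection and not filter`, since `selection` already requires that prefix; it is one more line to keep in sync without changing what matches. Anchoring both on the literal `C:` drive also silently excludes profiles relocated to another volume; `TargetFilename|contains: ':\Users\'` would keep the intent without the drive assumption. Unrelated to the new lines but in the same rule, the description still reads `Romaing` for Roaming.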
@@ -1,15 +1,15 @@ title: SCR File Write Event id: c048f047-7e2a-4888-b302-55f509d4a91d status: experimental -description: An attacker may execute an application as a .SCR File (Screensaver) using rundll32.exe desk.cpl,InstallScreenSaver +description: Detects the creation of Screensaver files (.scr) outside system folders. Attackers may execute an application as an ".SCR" file using "rundll32.exe desk.cpl,InstallScreenSaver" for example. references: - https://lolbas-project.github.io/lolbas/Libraries/Desk/ author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io' date: 2022/04/27 -modified: 2022/11/28 +modified: 2023/02/23 tags: - - attack.t1218.011 - attack.defense_evasion + - attack.t1218.011 logsource: category: file_event product: windows @@ -18,11 +18,12 @@ detection: TargetFilename|endswith: '.scr' filter: TargetFilename|startswith: + - 'C:\$WINDOWS.~BT\NewOS\' - 'C:\Windows\System32\' - 'C:\Windows\SysWOW64\' - 'C:\Windows\WinSxS\' - - 'C:\$WINDOWS.~BT\NewOS\' + - ':\WUDownloadCache\' # Windows Update Download Cache condition: selection and not filter falsepositives: - - The installation of new screen savers. + - The installation of new screen savers by third party software level: medium diff --git a/rules/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml b/rules/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml index 6c8d3124a..3ef18e300 100644 --- a/rules/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml +++ b/rules/windows/file/file_event/file_event_win_notepad_plus_plus_persistence.yml 
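Review bot: `- ':\WUDownloadCache\'` is placed under `TargetFilename|startswith`, but a full path never begins with a colon, so this entry can never match and the Windows Update cache false positive it was added for stays unfiltered. Either spell it with a drive letter like its siblings (`'C:\WUDownloadCache\'`) or move it into its own `TargetFilename|contains: ':\WUDownloadCache\'` filter selection and reference that selection in the condition.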
@@ -25,8 +25,8 @@ detection: Image|endswith: - '\target.exe' - 'Installer.x64.exe' - condition: selection and not 1 of filter* + condition: selection and not 1 of filter_* falsepositives: - Possible FPs during first installation of Notepad++ - - Legitimate use of custom plugins to enhance notepad++ functionality by users + - Legitimate use of custom plugins by users in order to enhance notepad++ functionalities level: medium diff --git a/rules/windows/file/file_event/file_event_win_ntds_dit.yml b/rules/windows/file/file_event/file_event_win_ntds_dit.yml index 80ace4d8a..45dafcf4a 100644 --- a/rules/windows/file/file_event/file_event_win_ntds_dit.yml +++ b/rules/windows/file/file_event/file_event_win_ntds_dit.yml @@ -1,7 +1,7 @@ title: Suspicious NTDS.DIT Creation id: 4e7050dd-e548-483f-b7d6-527ab4fa784d -status: experimental -description: Detects suspicious creations of a file named ntds.dit, e.g. by a PowerShell parent or in a suspicious directory or a suspicious one liner +status: test +description: Detects suspicious creations of a file named "ntds.dit" (Active Directory Database) by suspicious parent process, directory or a suspicious one liner references: - https://www.ired.team/offensive-security/credential-access-and-credential-dumping/ntds.dit-enumeration - https://www.n00py.io/2022/03/manipulating-user-passwords-without-mimikatz/ @@ -16,10 +16,12 @@ tags: logsource: product: windows category: file_event + definition: 'Requirements: The "ParentImage" field is not available by default on EID 11 of Sysmon logs. To be able to use this rule to the full extent you need to enriche the log with additional ParentImage data' detection: selection_file: TargetFilename|endswith: '\ntds.dit' selection_process_parent: + # Note: ParentImage is a custom field and is not available by default on Sysmon EID 11 ParentImage|endswith: - '\powershell.exe' - '\pwsh.exe' 
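Review bot: Changing the condition to `1 of filter_*` only works if every filter selection in this rule carries the `filter_` prefix; those selections begin outside this hunk, so the rename should be checked against them, because a selection still named e.g. `filter2` would silently stop applying. In the context lines, `- 'Installer.x64.exe'` has no leading backslash, so the `Image|endswith` filter also accepts any binary whose name merely ends in that string; if that is deliberate because the Notepad++ installer carries a version prefix in its file name, a comment such as `# No leading backslash: installer is named npp.<version>.Installer.x64.exe` would make the choice explicit.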
@@ -30,6 +32,7 @@ detection: - '\nginx.exe' - '\httpd.exe' selection_process_parent_path: + # Note: ParentImage is a custom field and is not available by default on Sysmon EID 11 ParentImage|contains: - '\apache' - '\tomcat' diff --git a/rules/windows/file/file_event/file_event_win_persistence_office_addin.yml b/rules/windows/file/file_event/file_event_win_office_addin_persistence.yml similarity index 100% rename from rules/windows/file/file_event/file_event_win_persistence_office_addin.yml rename to rules/windows/file/file_event/file_event_win_office_addin_persistence.yml diff --git a/rules/windows/file/file_event/file_event_win_office_macro_files_created.yml b/rules/windows/file/file_event/file_event_win_office_macro_files_created.yml new file mode 100644 index 000000000..bc59ae1af --- /dev/null +++ b/rules/windows/file/file_event/file_event_win_office_macro_files_created.yml @@ -0,0 +1,32 @@ +title: Office Macro File Creation +id: 91174a41-dc8f-401b-be89-7bfc140612a0 +related: + - id: 0e29e3a7-1ad8-40aa-b691-9f82ecd33d66 + type: similar +status: experimental +description: Detects the creation of a new office macro files on the systems +references: + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md + - https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference +author: Nasreddine Bencherchali (Nextron Systems) +date: 2022/01/23 +tags: + - attack.initial_access + - attack.t1566.001 +logsource: + category: file_event + product: windows +detection: + selection: + - TargetFilename|endswith: + - '.docm' + - '.dotm' + - '.xlsm' + - '.xltm' + - '.potm' + - '.pptm' + - '.pptx' + condition: selection +falsepositives: + - Very common in environments that rely heavily on macro documents +level: low 
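Review bot: The new `definition:` string has a typo, `enriche` for `enrich`, and the same requirement is then repeated verbatim as a comment on both `selection_process_parent` blocks. A single, corrected statement in `definition` is enough, e.g. `definition: 'Requirements: The "ParentImage" field is not available by default in Sysmon EID 11; enrich the log with ParentImage data to use this rule to its full extent'`, with the per-selection comments shortened to a pointer back to it. The condition that combines these selections is outside this hunk.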
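Review bot: `- '.pptx'` is listed as an office macro extension in the new rule 91174a41, but `.pptx` is the non-macro-enabled PowerPoint format (the macro-enabled `.pptm` is already in the list); with the extension as the only condition, the rule fires on every PowerPoint file written anywhere, and the same entry is copied into the two sibling rules created in this patch. Drop it, or if it is intentional, say why in a comment next to the entry. `selection:` also wraps a single map in a list (`- TargetFilename|endswith:`); the list form only matters when several maps are OR'd, so a plain `TargetFilename|endswith:` reads cleaner. The description `a new office macro files on the systems` should be `new office macro files on the system`.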
diff --git a/rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml b/rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml new file mode 100644 index 000000000..5b32b35b3 --- /dev/null +++ b/rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml @@ -0,0 +1,56 @@ +title: Office Macro File Download +id: 0e29e3a7-1ad8-40aa-b691-9f82ecd33d66 +related: + - id: 91174a41-dc8f-401b-be89-7bfc140612a0 + type: similar +status: experimental +description: Detects the creation of a new office macro files on the systems via an application (browser, mail client). +references: + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md + - https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference +author: Nasreddine Bencherchali (Nextron Systems) +date: 2022/01/23 +tags: + - attack.initial_access + - attack.t1566.001 +logsource: + category: file_event + product: windows +detection: + selection_processes: + Image|endswith: + # Email clients + - '\outlook.exe' + - '\thunderbird.exe' + - '\HxOutlook.exe' + # Browsers + - '\brave.exe' + - '\chrome.exe' + - '\firefox.exe' + - '\iexplorer.exe' + - '\microsoftedge.exe' + - '\microsoftedgecp.exe' + - '\msedge.exe' + - '\opera.exe' + selection_ext: + - TargetFilename|endswith: + - '.docm' + - '.dotm' + - '.xlsm' + - '.xltm' + - '.potm' + - '.pptm' + - '.pptx' + - TargetFilename|contains: + - '.docm:Zone' + - '.dotm:Zone' + - '.xlsm:Zone' + - '.xltm:Zone' + - '.potm:Zone' + - '.pptm:Zone' + - '.pptx:Zone' + condition: all of selection_* +falsepositives: + - Legitimate macro files downloaded from the internet + - Legitimate macro files sent as attachemnts via emails +level: medium 
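Review bot: `- '\iexplorer.exe'` in `selection_processes` does not match Internet Explorer, whose binary is `iexplore.exe`, so macro files saved through IE are never caught; change it to `- '\iexplore.exe'`. The extension list again carries `'.pptx'`, which cannot hold VBA macros, so any decision taken on it in the sibling rule should be mirrored here. In `falsepositives`, `attachemnts` should be `attachments`.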
diff --git a/rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml b/rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml new file mode 100644 index 000000000..8ffc0e7f5 --- /dev/null +++ b/rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml @@ -0,0 +1,58 @@ +title: Office Macro File Creation From Suspicious Process +id: b1c50487-1967-4315-a026-6491686d860e +status: experimental +description: Detects the creation of a office macro file from a a suspicious process +references: + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1566.001/T1566.001.md + - https://docs.microsoft.com/en-us/deployoffice/compat/office-file-format-reference +author: frack113, Nasreddine Bencherchali (Nextron Systems) +date: 2022/01/23 +modified: 2023/02/22 +tags: + - attack.initial_access + - attack.t1566.001 +logsource: + category: file_event + product: windows +detection: + selection_cmd: + - Image|endswith: + - '\cmd.exe' + - '\cscript.exe' + - '\mshta.exe' + - '\powershell.exe' + - '\pwsh.exe' + - '\regsvr32.exe' + - '\rundll32.exe' + - '\wscript.exe' + - OriginalFileName: + - 'cmd.exe' + - 'cscript.exe' + - 'mshta.exe' + - 'PowerShell.EXE' + - 'pwsh.dll' + - 'regsvr32.exe' + - 'rundll32.exe' + - 'wscript.exe' + - ParentImage|endswith: + - '\cmd.exe' + - '\cscript.exe' + - '\mshta.exe' + - '\powershell.exe' + - '\pwsh.exe' + - '\regsvr32.exe' + - '\rundll32.exe' + - '\wscript.exe' + selection_ext: + TargetFilename|endswith: + - '.docm' + - '.dotm' + - '.xlsm' + - '.xltm' + - '.potm' + - '.pptm' + - '.pptx' + condition: all of selection_* +falsepositives: + - Unknown +level: high diff --git a/rules/windows/file/file_event/file_event_win_office_outlook_newform.yml b/rules/windows/file/file_event/file_event_win_office_outlook_newform.yml new file mode 100644 index 000000000..7584c5e49 --- /dev/null 
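Review bot: With `selection_cmd` written as a list of maps, a match on `ParentImage|endswith: '\cmd.exe'` alone is enough to satisfy it, so any program started from a cmd or PowerShell prompt that saves a `.docm`/`.xlsm` file (Office launched from a terminal, build or reporting scripts) trips a `level: high` rule; that case is worth naming in `falsepositives` instead of `Unknown`. The description reads `a office macro file from a a suspicious process`; suggest `Detects the creation of an office macro file by a suspicious process`. The extension list also includes `'.pptx'`, which is not a macro-enabled format, and should follow whatever is decided for the sibling rules in this patch.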
+++ b/rules/windows/file/file_event/file_event_win_office_outlook_newform.yml @@ -0,0 +1,28 @@ +title: Potential Persistence Via Outlook Form +id: c3edc6a5-d9d4-48d8-930e-aab518390917 +status: experimental +description: Detects the creation of a new Outlook form which can contain malicious code +references: + - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=76 + - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=79 + - https://learn.microsoft.com/en-us/office/vba/outlook/concepts/outlook-forms/create-an-outlook-form + - https://www.slipstick.com/developer/custom-form/clean-outlooks-forms-cache/ +author: Tobias Michalski (Nextron Systems) +date: 2021/06/10 +modified: 2023/02/22 +tags: + - attack.persistence + - attack.t1137.003 +logsource: + product: windows + category: file_event +detection: + selection: + Image|endswith: '\outlook.exe' + TargetFilename|contains: + - '\AppData\Local\Microsoft\FORMS\IPM' + - '\Local Settings\Application Data\Microsoft\Forms' # Windows XP + condition: selection +falsepositives: + - Legitimate use of outlook forms +level: high diff --git a/rules/windows/file/file_event/file_event_win_susp_winword_startup.yml b/rules/windows/file/file_event/file_event_win_office_winword_startup.yml similarity index 100% rename from rules/windows/file/file_event/file_event_win_susp_winword_startup.yml rename to rules/windows/file/file_event/file_event_win_office_winword_startup.yml diff --git a/rules/windows/file/file_event/file_event_win_outlook_newform.yml b/rules/windows/file/file_event/file_event_win_outlook_newform.yml deleted file mode 100644 index 5c4622c5b..000000000 --- a/rules/windows/file/file_event/file_event_win_outlook_newform.yml +++ /dev/null 
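Review bot: The two `TargetFilename|contains` entries are not equivalent: the first narrows to `\AppData\Local\Microsoft\FORMS\IPM` (the per-form folders), while the Windows XP entry stops at `\Local Settings\Application Data\Microsoft\Forms` and so also matches the forms cache file itself, which the narrowing in the first entry appears designed to exclude. Unless the XP layout differs, it should read `- '\Local Settings\Application Data\Microsoft\Forms\IPM'` for consistency. The references cite slide numbers only; a brief comment stating that legitimate custom forms land in the same path would also justify the `Legitimate use of outlook forms` false-positive entry next to `level: high`.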
@@ -1,23 +0,0 @@ -title: Outlook Form Installation -id: c3edc6a5-d9d4-48d8-930e-aab518390917 -status: experimental -description: Detects the creation of new Outlook form which can contain malicious code -references: - - https://twitter.com/blueteamsec1/status/1401290874202382336?s=20 -author: Tobias Michalski (Nextron Systems) -date: 2021/06/10 -modified: 2022/06/16 -tags: - - attack.persistence - - attack.t1137.003 -logsource: - product: windows - category: file_event -detection: - selection: - Image|endswith: '\outlook.exe' - TargetFilename|contains: '\appdata\local\microsoft\FORMS\' - condition: selection -falsepositives: - - Unknown -level: high diff --git a/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml b/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml index 898434ae4..b0d69d9db 100644 --- a/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml +++ b/rules/windows/file/file_event/file_event_win_powershell_startup_shortcuts.yml @@ -1,8 +1,8 @@ -title: PowerShell Writing Startup Shortcuts +title: Potential Startup Shortcut Persistence Via PowerShell.EXE id: 92fa78e7-4d39-45f1-91a3-8b23f3f1088d status: experimental description: | - Attempts to detect PowerShell writing startup shortcuts. + Detects PowerShell writing startup shortcuts. This procedure was highlighted in Red Canary Intel Insights Oct. 2021, "We frequently observe adversaries using PowerShell to write malicious .lnk files into the startup directory to establish persistence. Accordingly, this detection opportunity is likely to identify persistence mechanisms in multiple threats. In the context of Yellow Cockatoo, this persistence mechanism eventually launches the command-line script that leads to the installation of a malicious DLL" 
@@ -11,7 +11,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/36d49de4c8b00bf36054294b4a1fcbab3917d7c5/atomics/T1547.001/T1547.001.md#atomic-test-7---add-executable-shortcut-link-to-user-startup-folder author: Christopher Peacock '@securepeacock', SCYTHE date: 2021/10/24 -modified: 2022/08/10 +modified: 2023/02/23 tags: - attack.persistence - attack.t1547.001 @@ -27,6 +27,5 @@ detection: TargetFilename|endswith: '.lnk' condition: selection falsepositives: - - Unknown - Depending on your environment accepted applications may leverage this at times. It is recommended to search for anomalies inidicative of malware. level: high diff --git a/rules/windows/file/file_event/file_event_win_psexec_service_key.yml b/rules/windows/file/file_event/file_event_win_psexec_service_key.yml index 7f2c10487..810a73519 100644 --- a/rules/windows/file/file_event/file_event_win_psexec_service_key.yml +++ b/rules/windows/file/file_event/file_event_win_psexec_service_key.yml @@ -1,12 +1,13 @@ -title: Potential PSEXEC Remote Execution - FileCreation +title: PSEXEC Remote Execution File Artefact id: 304afd73-55a5-4bb9-8c21-0b1fc84ea9e4 status: experimental -description: Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed and gets written to the file system and will be recorded in the USN Journal on the target system +description: Detects creation of the PSEXEC key file. Which is created anytime a PsExec command is executed. It gets written to the file system and will be recorded in the USN Journal on the target system references: - https://aboutdfir.com/the-key-to-identify-psexec/ - https://twitter.com/davisrichardg/status/1616518800584704028 author: Nasreddine Bencherchali (Nextron Systems) date: 2023/01/21 +modified: 2023/02/23 tags: - attack.lateral_movement - attack.privilege_escalation 
diff --git a/rules/windows/file/file_event/file_event_win_remote_cred_dump.yml b/rules/windows/file/file_event/file_event_win_remote_cred_dump.yml index 6c3d9310b..acdbf5da8 100644 --- a/rules/windows/file/file_event/file_event_win_remote_cred_dump.yml +++ b/rules/windows/file/file_event/file_event_win_remote_cred_dump.yml @@ -19,6 +19,11 @@ detection: Image|endswith: '\svchost.exe' # CommandLine|contains: 'RemoteRegistry' # Uncomment this line if you collect CommandLine data for files events from more accuracy TargetFilename|re: '\\Windows\\System32\\[a-zA-Z0-9]{8}\.tmp$' + selection_aurora: + Provider_Name: 'Microsoft-Windows-Kernel-File' + Image|endswith: '\svchost.exe' + CommandLine|contains: 'RemoteRegistry' + TargetFilename|re: '\\Windows\\System32\\[a-zA-Z0-9]{8}\.tmp$' condition: selection falsepositives: - Unknown diff --git a/rules/windows/image_load/image_load_dll_system_drawing_load.yml b/rules/windows/image_load/image_load_dll_system_drawing_load.yml new file mode 100644 index 000000000..51324c320 --- /dev/null +++ b/rules/windows/image_load/image_load_dll_system_drawing_load.yml 
@@ -0,0 +1,23 @@ +title: System Drawing DLL Load +id: 666ecfc7-229d-42b8-821e-1a8f8cb7057c +status: experimental +description: Detects processes loading "System.Drawing.ni.dll". This could be an indicator of potential Screen Capture. +references: + - https://github.com/OTRF/detection-hackathon-apt29/issues/16 + - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/7.A.1_3B4E5808-3C71-406A-B181-17B0CE3178C9.md +author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) +date: 2020/05/02 +modified: 2023/02/22 +tags: + - attack.collection + - attack.t1113 +logsource: + product: windows + category: image_load +detection: + selection: + ImageLoaded|endswith: '\System.Drawing.ni.dll' + condition: selection +falsepositives: + - False positives are very common from system and third party applications, activity needs to be investigated. This rule is best correlated with other events to increase the level of suspiciousness +level: low diff --git a/rules/windows/image_load/image_load_scrcons_imageload_wmi_scripteventconsumer.yml b/rules/windows/image_load/image_load_scrcons_wmi_scripteventconsumer.yml similarity index 80% rename from rules/windows/image_load/image_load_scrcons_imageload_wmi_scripteventconsumer.yml rename to rules/windows/image_load/image_load_scrcons_wmi_scripteventconsumer.yml index cbd0546ac..964af7e05 100644 --- a/rules/windows/image_load/image_load_scrcons_imageload_wmi_scripteventconsumer.yml +++ b/rules/windows/image_load/image_load_scrcons_wmi_scripteventconsumer.yml 
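Review bot: `ImageLoaded|endswith: '\System.Drawing.ni.dll'` matches only the NGEN native image; a process that loads the assembly without a native image (`System.Drawing.dll`), or `System.Drawing.Common.dll` on .NET Core/.NET 5+, is not covered, so the rule title and description overstate its reach. If the narrower match is deliberate to keep the volume down now that the old per-path filters are gone, a comment on the selection such as `# Only the NGEN image is matched to limit volume; System.Drawing.dll / System.Drawing.Common.dll are out of scope` would record that trade-off.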
@@ -1,14 +1,14 @@ -title: WMI Script Host Process Image Loaded +title: WMI ActiveScriptEventConsumers Activity Via Scrcons.EXE DLL Load id: b439f47d-ef52-4b29-9a2f-57d8a96cb6b8 status: test -description: Detects signs of the WMI script host process %SystemRoot%\system32\wbem\scrcons.exe functionality being used via images being loaded by a process. +description: Detects signs of the WMI script host process "scrcons.exe" loading scripting DLLs which could indciates WMI ActiveScriptEventConsumers EventConsumers activity. references: - https://twitter.com/HunterPlaybook/status/1301207718355759107 - https://www.mdsec.co.uk/2020/09/i-like-to-move-it-windows-lateral-movement-part-1-wmi-event-subscription/ - https://threathunterplaybook.com/hunts/windows/200902-RemoteWMIActiveScriptEventConsumers/notebook.html author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) date: 2020/09/02 -modified: 2022/10/11 +modified: 2023/02/22 tags: - attack.lateral_movement - attack.privilege_escalation diff --git a/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml b/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml index eb8192074..d562194ca 100644 --- a/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml +++ b/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml @@ -1,7 +1,7 @@ -title: CLR DLL Loaded Via Scripting Applications +title: DotNet CLR DLL Loaded By Scripting Applications id: 4508a70e-97ef-4300-b62b-ff27992990ea status: test -description: Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript +description: Detects .NET CLR DLLs being loaded by scripting applications such as wscript or cscript. This could be an indication of potential suspicious execution. references: - https://github.com/tyranid/DotNetToJScript - https://thewover.github.io/Introducing-Donut/ 
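Review bot: The rewritten description contains a typo, `indciates`, and a doubled term, `ActiveScriptEventConsumers EventConsumers`; suggest `description: Detects the WMI script host process "scrcons.exe" loading scripting DLLs, which could indicate WMI ActiveScriptEventConsumer activity.` The selection this describes is outside the hunk.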
@@ -9,7 +9,7 @@ references: - https://web.archive.org/web/20221026202428/https://gist.github.com/code-scrap/d7f152ffcdb3e0b02f7f394f5187f008 author: omkar72, oscd.community date: 2020/10/14 -modified: 2023/01/06 +modified: 2023/02/23 tags: - attack.execution - attack.privilege_escalation @@ -20,11 +20,14 @@ logsource: detection: selection: Image|endswith: - - '\wscript.exe' + - '\cmstp.exe' - '\cscript.exe' - '\mshta.exe' - - '\cmstp.exe' - '\msxsl.exe' + - '\regsvr32.exe' + - '\svchost.exe' + - '\wmic.exe' + - '\wscript.exe' ImageLoaded|endswith: - '\clr.dll' - '\mscoree.dll' diff --git a/rules/windows/image_load/image_load_susp_system_drawing_load.yml b/rules/windows/image_load/image_load_susp_system_drawing_load.yml deleted file mode 100644 index f380cf54b..000000000 --- a/rules/windows/image_load/image_load_susp_system_drawing_load.yml +++ /dev/null 
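Review bot: `- '\svchost.exe'` is added to a rule titled and described as covering scripting applications, but svchost.exe is a generic service host and, as far as I know, legitimately loads `clr.dll`/`mscoree.dll` whenever it hosts a managed service DLL, so this entry both contradicts the title and is likely to add steady noise. If the intent is to catch CLR loads into svchost as a distinct technique, it belongs in its own rule with a matching description and `falsepositives` entry rather than in this list. The `ImageLoaded` list and the condition continue outside the hunk.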
@@ -1,39 +0,0 @@
-title: Suspicious System.Drawing Load
-id: 666ecfc7-229d-42b8-821e-1a8f8cb7057c
-status: experimental
-description: A General detection for processes loading System.Drawing.ni.dll. This could be an indicator of potential Screen Capture.
-references:
- - https://github.com/OTRF/detection-hackathon-apt29/issues/16
- - https://github.com/OTRF/ThreatHunter-Playbook/blob/2d4257f630f4c9770f78d0c1df059f891ffc3fec/docs/evals/apt29/detections/6.B.1_6392C9F1-D975-4F75-8A70-433DEDD7F622.md
-author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
-date: 2020/05/02
-modified: 2022/08/13
-tags:
- - attack.collection
- - attack.t1113
-logsource:
- product: windows
- category: image_load
-detection:
- selection:
- ImageLoaded|endswith: '\System.Drawing.ni.dll'
- filter:
- # The number of false positives was too high - we had to do this broader filter
- # based on the following paths that shouldn't be writable to an unprivileged user
- Image|startswith:
- - 'C:\Program Files\'
- - 'C:\Program Files (x86)\'
- - 'C:\Windows\System32\'
- - 'C:\Windows\Microsoft.NET\'
- - 'C:\Windows\ImmersiveControlPanel\'
- filter2:
- Image: 'C:\Windows\System32\NhNotifSys.exe'
- filter3:
- Image|startswith: 'C:\Users\'
- Image|endswith:
- - '\AppData\Local\NhNotifSys\nahimic\nahimicNotifSys.exe'
- - '\GitHubDesktop\Update.exe'
- condition: selection and not 1 of filter*
-falsepositives:
- - Unknown
-level: low
From d799ad9982cab372b4cd92c6ede14fcf2b5debd4 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Thu, 23 Feb 2023 12:55:46 +0100
Subject: [PATCH 2/9] fix: revert change to rule
---
 .../file/file_event/file_event_win_remote_cred_dump.yml | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/rules/windows/file/file_event/file_event_win_remote_cred_dump.yml b/rules/windows/file/file_event/file_event_win_remote_cred_dump.yml
index acdbf5da8..6c3d9310b 100644
--- a/rules/windows/file/file_event/file_event_win_remote_cred_dump.yml
+++ b/rules/windows/file/file_event/file_event_win_remote_cred_dump.yml
@@ -19,11 +19,6 @@ detection:
 Image|endswith: '\svchost.exe'
 # CommandLine|contains: 'RemoteRegistry' # Uncomment this line if you collect CommandLine data for files events from more accuracy
 TargetFilename|re: '\\Windows\\System32\\[a-zA-Z0-9]{8}\.tmp$'
- selection_aurora:
- Provider_Name: 'Microsoft-Windows-Kernel-File'
- Image|endswith: '\svchost.exe'
- CommandLine|contains: 'RemoteRegistry'
- TargetFilename|re: '\\Windows\\System32\\[a-zA-Z0-9]{8}\.tmp$'
 condition: selection
 falsepositives:
 - Unknown
From c37df2fa83920bb25c90f16aee7c4d0b66e70440 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Thu, 23 Feb 2023 13:19:21 +0100
Subject: [PATCH 3/9] fix: remove incorrect field
---
 ...event_win_office_macro_files_from_susp_process.yml | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)
diff --git a/rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml b/rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml
index 8ffc0e7f5..5207441c2 100644
--- a/rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml
+++ b/rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml
@@ -14,6 +14,7 @@ tags:
 logsource:
 category: file_event
 product: windows
+ definition: 'Requirements: The "ParentImage" field is not available by default on EID 11 of Sysmon logs. To be able to use this rule to the full extent you need to enriche the log with additional ParentImage data'
 detection:
 selection_cmd:
 - Image|endswith:
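Review bot: The added `definition` string has a typo ("enriche") and a long-winded clause; suggest `definition: 'Requirements: The "ParentImage" field is not available by default on Sysmon EID 11. To use this rule to its full extent, enrich the events with ParentImage data.'` Since `selection_cmd` is written as a list, the `Image|endswith` branch appears to match on its own when ParentImage is absent, so it may be worth stating in the same string that without enrichment the rule degrades to Image-only matching rather than failing outright. The rest of `selection_cmd` and the condition are outside this hunk.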
@@ -25,15 +26,7 @@ detection:
 - '\regsvr32.exe'
 - '\rundll32.exe'
 - '\wscript.exe'
- - OriginalFileName:
- - 'cmd.exe'
- - 'cscript.exe'
- - 'mshta.exe'
- - 'PowerShell.EXE'
- - 'pwsh.dll'
- - 'regsvr32.exe'
- - 'rundll32.exe'
- - 'wscript.exe'
+ # Note: ParentImage is a custom field and is not available by default on Sysmon EID 11
 - ParentImage|endswith:
 - '\cmd.exe'
 - '\cscript.exe'
From 75281c8c2075c5bff8fa83162b2d0a8ecf10615b Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Thu, 23 Feb 2023 13:30:31 +0100
Subject: [PATCH 4/9] fix: typo in modifier name
---
 .../windows/file/file_event/file_event_win_net_cli_artefact.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml b/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml
index 9bd9b02ec..7d2549e7e 100644
--- a/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml
+++ b/rules/windows/file/file_event/file_event_win_net_cli_artefact.yml
@@ -38,7 +38,7 @@ detection:
 filter_rundll:
 # This filter requires the event to be enriched by additional information such as ParentImage and CommandLine activity
 ParentImage|endswith: '\MsiExec.exe'
- ParentImage|ParentCommandLine: ' -Embedding'
+ ParentCommandLine|contains: ' -Embedding'
 Image|endswith: '\rundll32.exe'
 CommandLine|contains|all:
 - 'Temp'
From af845456168b383cb13fe52fb0a1faaf870201a7 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Thu, 23 Feb 2023 13:39:17 +0100
Subject: [PATCH 5/9] fix: fp found in baseline
---
 .../file_event/file_event_win_office_macro_files_created.yml | 2 +-
 .../image_load/image_load_susp_script_dotnet_clr_dll_load.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/file/file_event/file_event_win_office_macro_files_created.yml b/rules/windows/file/file_event/file_event_win_office_macro_files_created.yml
index bc59ae1af..215cb4249 100644
--- a/rules/windows/file/file_event/file_event_win_office_macro_files_created.yml
+++ b/rules/windows/file/file_event/file_event_win_office_macro_files_created.yml
@@ -18,7 +18,7 @@ logsource:
 product: windows
 detection:
 selection:
- - TargetFilename|endswith:
+ TargetFilename|endswith:
 - '.docm'
 - '.dotm'
 - '.xlsm'
diff --git a/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml b/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml
index d562194ca..8edcc33ef 100644
--- a/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml
+++ b/rules/windows/image_load/image_load_susp_script_dotnet_clr_dll_load.yml
@@ -25,7 +25,7 @@ detection:
 - '\mshta.exe'
 - '\msxsl.exe'
 - '\regsvr32.exe'
- - '\svchost.exe'
+ #- '\svchost.exe'
 - '\wmic.exe'
 - '\wscript.exe'
 ImageLoaded|endswith:
From 47de3e1857b3b5dbc7c7f9db7c7203756ab95d90 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 24 Feb 2023 13:32:43 +0100
Subject: [PATCH 6/9] fix: remove pwsh+cmd
---
 .../file_event_win_office_macro_files_from_susp_process.yml | 6 ------
 1 file changed, 6 deletions(-)
diff --git a/rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml b/rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml
index 5207441c2..920243ae5 100644
--- a/rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml
+++ b/rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml
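Review bot: Commenting out `- '\svchost.exe'` in the CLR-load rule leaves a dead entry with no explanation in the file; the reason (a false positive found in baseline, per the commit subject) survives only in git history, and a future tuning pass may re-enable it. Either delete the line or annotate it, e.g. `#- '\svchost.exe' # Removed: produced false positives in baseline testing`. The `modified` date of this rule was not bumped in this commit, which the repo's conventions may require; that line is outside the hunk, as is the rule's condition.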
@@ -18,21 +18,15 @@ logsource:
 detection:
 selection_cmd:
 - Image|endswith:
- - '\cmd.exe'
 - '\cscript.exe'
 - '\mshta.exe'
- - '\powershell.exe'
- - '\pwsh.exe'
 - '\regsvr32.exe'
 - '\rundll32.exe'
 - '\wscript.exe'
 # Note: ParentImage is a custom field and is not available by default on Sysmon EID 11
 - ParentImage|endswith:
- - '\cmd.exe'
 - '\cscript.exe'
 - '\mshta.exe'
- - '\powershell.exe'
- - '\pwsh.exe'
 - '\regsvr32.exe'
 - '\rundll32.exe'
 - '\wscript.exe'
From 80c0c5b391003e30673542cfa08b64dff99f39a3 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 24 Feb 2023 13:33:08 +0100
Subject: [PATCH 7/9] fix: apply rewording suggestion
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
---
 rules/windows/file/file_event/file_event_win_new_src_file.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/file/file_event/file_event_win_new_src_file.yml b/rules/windows/file/file_event/file_event_win_new_src_file.yml
index 72607f10c..01f0e5e7b 100644
--- a/rules/windows/file/file_event/file_event_win_new_src_file.yml
+++ b/rules/windows/file/file_event/file_event_win_new_src_file.yml
@@ -1,7 +1,7 @@
 title: SCR File Write Event
 id: c048f047-7e2a-4888-b302-55f509d4a91d
 status: experimental
-description: Detects the creation of Screensaver files (.scr) outside system folders. Attackers may execute an application as an ".SCR" file using "rundll32.exe desk.cpl,InstallScreenSaver" for example.
+description: Detects the creation of screensaver files (.scr) outside of system folders. Attackers may execute an application as an ".SCR" file using "rundll32.exe desk.cpl,InstallScreenSaver" for example.
 references:
 - https://lolbas-project.github.io/lolbas/Libraries/Desk/
 author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io'
From 41e6b1761014142b2b58a66803a19eb1b6a1b80a Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 24 Feb 2023 13:34:49 +0100
Subject: [PATCH 8/9] fix: remove pptx extension
---
 .../file_event/file_event_win_office_macro_files_created.yml | 1 -
 .../file_event/file_event_win_office_macro_files_downloaded.yml | 1 -
 .../file_event_win_office_macro_files_from_susp_process.yml | 1 -
 3 files changed, 3 deletions(-)
diff --git a/rules/windows/file/file_event/file_event_win_office_macro_files_created.yml b/rules/windows/file/file_event/file_event_win_office_macro_files_created.yml
index 215cb4249..4d3d05c68 100644
--- a/rules/windows/file/file_event/file_event_win_office_macro_files_created.yml
+++ b/rules/windows/file/file_event/file_event_win_office_macro_files_created.yml
@@ -25,7 +25,6 @@ detection:
 - '.xltm'
 - '.potm'
 - '.pptm'
- - '.pptx'
 condition: selection
 falsepositives:
 - Very common in environments that rely heavily on macro documents
diff --git a/rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml b/rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml
index 5b32b35b3..2c4a7af55 100644
--- a/rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml
+++ b/rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml
@@ -40,7 +40,6 @@ detection:
 - '.xltm'
 - '.potm'
 - '.pptm'
- - '.pptx'
 - TargetFilename|contains:
 - '.docm:Zone'
 - '.dotm:Zone'
diff --git a/rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml b/rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml
index 920243ae5..e256ad938 100644
--- a/rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml
+++ b/rules/windows/file/file_event/file_event_win_office_macro_files_from_susp_process.yml
@@ -38,7 +38,6 @@ detection:
 - '.xltm'
 - '.potm'
 - '.pptm'
- - '.pptx'
 condition: all of selection_*
 falsepositives:
 - Unknown
From 60c0b5fdd01be4a9e226d1373a6c5853645ae5a1 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 24 Feb 2023 16:36:14 +0100
Subject: [PATCH 9/9] fix: remove pptx:zone
Co-authored-by: frack113 <62423083+frack113@users.noreply.github.com>
---
 .../file_event/file_event_win_office_macro_files_downloaded.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml b/rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml
index 2c4a7af55..107a35c0c 100644
--- a/rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml
+++ b/rules/windows/file/file_event/file_event_win_office_macro_files_downloaded.yml
@@ -47,7 +47,6 @@ detection:
 - '.xltm:Zone'
 - '.potm:Zone'
 - '.pptm:Zone'
- - '.pptx:Zone'
 condition: all of selection_*
 falsepositives:
 - Legitimate macro files downloaded from the internet