diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
new file mode 100644
index 000000000..7959554a1
--- /dev/null
+++ b/.github/FUNDING.yml
@@ -0,0 +1,13 @@
+# These are supported funding model platforms
+
+github: [thomaspatzke]
+patreon: # Replace with a single Patreon username
+open_collective: # Replace with a single Open Collective username
+ko_fi: # Replace with a single Ko-fi username
+tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
+community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
+liberapay: # Replace with a single Liberapay username
+issuehunt: # Replace with a single IssueHunt username
+otechie: # Replace with a single Otechie username
+lfx_crowdfunding: # Replace with a single LFX Crowdfunding project-name e.g., cloud-foundry
+custom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2']
diff --git a/rules/windows/image_load/image_load_susp_winword_wmidll_load.yml b/rules-deprecated/windows/image_load_susp_winword_wmidll_load.yml
similarity index 100%
rename from rules/windows/image_load/image_load_susp_winword_wmidll_load.yml
rename to rules-deprecated/windows/image_load_susp_winword_wmidll_load.yml
diff --git a/rules/windows/file_event/file_event_win_hktl_createminidump.yml b/rules-deprecated/windows/le_event_win_hktl_createminidump.yml
similarity index 100%
rename from rules/windows/file_event/file_event_win_hktl_createminidump.yml
rename to rules-deprecated/windows/le_event_win_hktl_createminidump.yml
diff --git a/rules/windows/powershell/powershell_script/posh_ps_access_to_chrome_login_data.yml b/rules-deprecated/windows/posh_ps_access_to_chrome_login_data.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/posh_ps_access_to_chrome_login_data.yml
rename to rules-deprecated/windows/posh_ps_access_to_chrome_login_data.yml
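Review bot: The rename destination for the createminidump rule is truncated: `rename to rules-deprecated/windows/le_event_win_hktl_createminidump.yml` drops the leading `fi` of `file_event_…`, while the other two rules moved into `rules-deprecated/` keep their full basenames. Unless the truncation is intentional, the target should be `rules-deprecated/windows/file_event_win_hktl_createminidump.yml` so the deprecated copy stays discoverable under its original name and the naming of the deprecated tree stays consistent. The move carries no hunk, so this is visible only in the `rename to` header.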
diff --git a/rules/windows/registry/registry_event/registry_event_asep_reg_keys_modification.yml b/rules-deprecated/windows/registry_event_asep_reg_keys_modification.yml similarity index 100% rename from rules/windows/registry/registry_event/registry_event_asep_reg_keys_modification.yml rename to rules-deprecated/windows/registry_event_asep_reg_keys_modification.yml diff --git a/rules/windows/builtin/security/win_lateral_movement_condrv.yml b/rules-deprecated/windows/win_lateral_movement_condrv.yml similarity index 97% rename from rules/windows/builtin/security/win_lateral_movement_condrv.yml rename to rules-deprecated/windows/win_lateral_movement_condrv.yml index faf084994..9e5d69097 100644 --- a/rules/windows/builtin/security/win_lateral_movement_condrv.yml +++ b/rules-deprecated/windows/win_lateral_movement_condrv.yml @@ -24,5 +24,5 @@ detection: ObjectName: '\Device\ConDrv' condition: selection falsepositives: - - legal admin action + - Legal admin action level: low diff --git a/rules/cloud/azure/azure_kubernetes_admission_controller.yml b/rules/cloud/azure/azure_kubernetes_admission_controller.yml index 884360c34..3e2dbbbae 100644 --- a/rules/cloud/azure/azure_kubernetes_admission_controller.yml +++ b/rules/cloud/azure/azure_kubernetes_admission_controller.yml 
@@ -12,14 +12,12 @@ logsource: service: activitylogs detection: selection1: - properties.message|startswith: - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO + properties.message|startswith: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO properties.message|endswith: - /MUTATINGWEBHOOKCONFIGURATIONS/WRITE - /VALIDATINGWEBHOOKCONFIGURATIONS/WRITE selection2: - properties.message|startswith: - - MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO + properties.message|startswith: MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO properties.message|endswith: - /MUTATINGWEBHOOKCONFIGURATIONS/WRITE - /VALIDATINGWEBHOOKCONFIGURATIONS/WRITE diff --git a/rules/cloud/azure/azure_kubernetes_cronjob.yml b/rules/cloud/azure/azure_kubernetes_cronjob.yml index ec22988cb..146f196aa 100644 --- a/rules/cloud/azure/azure_kubernetes_cronjob.yml +++ b/rules/cloud/azure/azure_kubernetes_cronjob.yml @@ -14,14 +14,12 @@ logsource: service: activitylogs detection: selection1: - properties.message|startswith: - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/BATCH + properties.message|startswith: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/BATCH properties.message|endswith: - /CRONJOBS/WRITE - /JOBS/WRITE selection2: - properties.message|startswith: - - MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/BATCH + properties.message|startswith: MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/BATCH properties.message|endswith: - /CRONJOBS/WRITE - /JOBS/WRITE @@ -32,5 +30,5 @@ tags: - attack.privilege_escalation - attack.execution falsepositives: - - Azure Kubernetes CronJob/Job may be done by a system administrator. + - Azure Kubernetes CronJob/Job may be done by a system administrator. - If known behavior is causing false positives, it can be exempted from the rule. 
diff --git a/rules/cloud/azure/azure_subscription_permissions_elevation_via_activitylogs.yml b/rules/cloud/azure/azure_subscription_permissions_elevation_via_activitylogs.yml index 82994da37..37c184fd9 100644 --- a/rules/cloud/azure/azure_subscription_permissions_elevation_via_activitylogs.yml +++ b/rules/cloud/azure/azure_subscription_permissions_elevation_via_activitylogs.yml @@ -11,8 +11,7 @@ logsource: service: activitylogs detection: selection1: - properties.message: - - MICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION + properties.message: MICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION condition: selection1 level: high falsepositives: diff --git a/rules/cloud/azure/azure_suppression_rule_created.yml b/rules/cloud/azure/azure_suppression_rule_created.yml index 1edf50649..7c079c960 100644 --- a/rules/cloud/azure/azure_suppression_rule_created.yml +++ b/rules/cloud/azure/azure_suppression_rule_created.yml @@ -11,13 +11,12 @@ logsource: service: activitylogs detection: selection: - properties.message: - - MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE + properties.message: MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE condition: selection level: medium tags: - attack.impact falsepositives: - - Suppression Rule being created may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Suppression Rule being created may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Suppression Rule created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/rules/cloud/gcp/gcp_kubernetes_admission_controller.yml b/rules/cloud/gcp/gcp_kubernetes_admission_controller.yml index 67cfdabe6..9bdabb295 100644 --- a/rules/cloud/gcp/gcp_kubernetes_admission_controller.yml 
+++ b/rules/cloud/gcp/gcp_kubernetes_admission_controller.yml @@ -12,16 +12,14 @@ logsource: service: gcp.audit detection: selection1: - gcp.audit.method_name|startswith: - - admissionregistration.k8s.io.v*.mutatingwebhookconfigurations. - gcp.audit.method_name|endswith: + gcp.audit.method_name|startswith: admissionregistration.k8s.io.v*.mutatingwebhookconfigurations. + gcp.audit.method_name|endswith: - create - patch - replace selection2: - gcp.audit.method_name|startswith: - - admissionregistration.k8s.io.v*.validatingwebhookconfigurations. - gcp.audit.method_name|endswith: + gcp.audit.method_name|startswith: admissionregistration.k8s.io.v*.validatingwebhookconfigurations. + gcp.audit.method_name|endswith: - create - patch - replace diff --git a/rules/cloud/m365/microsoft365_impossible_travel_activity.yml b/rules/cloud/m365/microsoft365_impossible_travel_activity.yml index 11ff77811..7136534ab 100644 --- a/rules/cloud/m365/microsoft365_impossible_travel_activity.yml +++ b/rules/cloud/m365/microsoft365_impossible_travel_activity.yml @@ -18,7 +18,7 @@ detection: status: success condition: selection falsepositives: - - + - Unknown level: medium tags: - attack.initial_access diff --git a/rules/cloud/okta/okta_unauthorized_access_to_app.yml b/rules/cloud/okta/okta_unauthorized_access_to_app.yml index 69480d462..c9ce5ab4d 100644 --- a/rules/cloud/okta/okta_unauthorized_access_to_app.yml +++ b/rules/cloud/okta/okta_unauthorized_access_to_app.yml @@ -13,8 +13,7 @@ logsource: service: okta detection: selection: - displaymessage: - - User attempted unauthorized access to app + displaymessage: User attempted unauthorized access to app condition: selection level: medium tags: diff --git a/rules/compliance/workstation_was_locked.yml b/rules/compliance/workstation_was_locked.yml index 50e682026..3c679197e 100644 --- a/rules/compliance/workstation_was_locked.yml +++ b/rules/compliance/workstation_was_locked.yml 
@@ -15,8 +15,7 @@ logsource: service: security detection: selection: - EventID: - - 4800 + EventID: 4800 condition: selection falsepositives: - Unknown diff --git a/rules/linux/auditd/lnx_auditd_audio_capture.yml b/rules/linux/auditd/lnx_auditd_audio_capture.yml index fff85facd..cfb085506 100644 --- a/rules/linux/auditd/lnx_auditd_audio_capture.yml +++ b/rules/linux/auditd/lnx_auditd_audio_capture.yml @@ -15,12 +15,9 @@ logsource: detection: selection: type: EXECVE - a0: - - arecord - a1: - - '-vv' - a2: - - '-fdat' + a0: arecord + a1: '-vv' + a2: '-fdat' condition: selection tags: - attack.collection diff --git a/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml b/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml index 7bd2b3b07..7641995de 100644 --- a/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml +++ b/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml @@ -12,8 +12,7 @@ logsource: service: auditd detection: selection: - key: - - 'susp_activity' + key: 'susp_activity' condition: selection falsepositives: - Admin or User activity diff --git a/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml b/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml index cd613bb72..4eaefc716 100644 --- a/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml +++ b/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml @@ -29,7 +29,7 @@ fields: - key falsepositives: - Legitimate administrative activity - - Ligitimate software, cleaning hist file + - Legitimate software, cleaning hist file level: medium tags: - attack.credential_access diff --git a/rules/linux/auditd/lnx_auditd_systemd_service_creation.yml b/rules/linux/auditd/lnx_auditd_systemd_service_creation.yml index da6a25d92..96bfcc8be 100644 --- a/rules/linux/auditd/lnx_auditd_systemd_service_creation.yml +++ b/rules/linux/auditd/lnx_auditd_systemd_service_creation.yml 
@@ -16,12 +16,11 @@ detection: type: 'PATH' nametype: 'CREATE' name_1: - name|startswith: + name|startswith: - '/usr/lib/systemd/system/' - '/etc/systemd/system/' name_2: - name|contains: - - '/.config/systemd/user/' + name|contains: '/.config/systemd/user/' condition: path and 1 of name_* falsepositives: - Admin work like legit service installs. diff --git a/rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml b/rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml index 08684b463..6673e20bf 100644 --- a/rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml +++ b/rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml @@ -19,8 +19,7 @@ logsource: detection: commands: type: EXECVE - a0: - - unzip + a0: unzip a1: a1|endswith: - '.jpg' diff --git a/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml b/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml index d6723d8e0..a0c4b717f 100644 --- a/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml +++ b/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml @@ -3,7 +3,7 @@ id: f8341cb2-ee25-43fa-a975-d8a5a9714b39 status: experimental description: Detects the usage of the unsafe bpftrace option author: Andreas Hunkeler (@Karneades) -tags: +tags: - attack.execution - attack.t1059.004 references: @@ -15,10 +15,8 @@ logsource: product: linux detection: selection1: - Image|endswith: - - 'bpftrace' - CommandLine|contains: - - '--unsafe' + Image|endswith: 'bpftrace' + CommandLine|contains: '--unsafe' condition: selection1 falsepositives: - Legitimate usage of the unsafe option diff --git a/rules/linux/process_creation/proc_creation_lnx_local_account.yml b/rules/linux/process_creation/proc_creation_lnx_local_account.yml index a8e4cdaf2..2b1791a11 100644 --- a/rules/linux/process_creation/proc_creation_lnx_local_account.yml 
+++ b/rules/linux/process_creation/proc_creation_lnx_local_account.yml @@ -12,25 +12,19 @@ logsource: product: linux detection: selection_1: - Image|endswith: - - '/lastlog' + Image|endswith: '/lastlog' selection_2: - CommandLine|contains: - - '''x:0:''' + CommandLine|contains: '''x:0:''' selection_3: - Image|endswith: - - '/cat' + Image|endswith: '/cat' CommandLine|contains: - '/etc/passwd' - '/etc/sudoers' selection_4: - Image|endswith: - - '/id' + Image|endswith: '/id' selection_5: - Image|endswith: - - '/lsof' - CommandLine|contains: - - '-u' + Image|endswith: '/lsof' + CommandLine|contains: '-u' condition: 1 of selection* falsepositives: - Legitimate administration activities diff --git a/rules/linux/process_creation/proc_creation_lnx_local_groups.yml b/rules/linux/process_creation/proc_creation_lnx_local_groups.yml index 1dad31c4d..5ba646c21 100644 --- a/rules/linux/process_creation/proc_creation_lnx_local_groups.yml +++ b/rules/linux/process_creation/proc_creation_lnx_local_groups.yml @@ -12,13 +12,10 @@ logsource: product: linux detection: selection_1: - Image|endswith: - - '/groups' + Image|endswith: '/groups' selection_2: - Image|endswith: - - '/cat' - CommandLine|contains: - - '/etc/group' + Image|endswith: '/cat' + CommandLine|contains: '/etc/group' condition: 1 of selection* falsepositives: - Legitimate administration activities diff --git a/rules/linux/process_creation/proc_creation_lnx_schedule_task_job_cron.yml b/rules/linux/process_creation/proc_creation_lnx_schedule_task_job_cron.yml index a8c45fd7e..0a78a6256 100644 --- a/rules/linux/process_creation/proc_creation_lnx_schedule_task_job_cron.yml +++ b/rules/linux/process_creation/proc_creation_lnx_schedule_task_job_cron.yml @@ -12,10 +12,8 @@ logsource: product: linux detection: selection: - Image|endswith: - - 'crontab' - CommandLine|contains: - - '/tmp/' + Image|endswith: 'crontab' + CommandLine|contains: '/tmp/' condition: selection falsepositives: - Legitimate administration activities 
diff --git a/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml b/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml index 6a8b600a2..4816e3fe1 100644 --- a/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml +++ b/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml @@ -5,7 +5,7 @@ description: Detects suspicious sub processes of web server processes references: - https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/ date: 2021/10/15 -modified: 2022/03/14 +modified: 2022/05/09 author: Florian Roth tags: - attack.persistence @@ -26,18 +26,18 @@ detection: ParentCommandLine|contains|all: - '/bin/java' - 'tomcat' - selection_websphere: # ? just guessing + selection_websphere: # ? just guessing ParentCommandLine|contains|all: - '/bin/java' - 'websphere' selection_sub_processes: - Image|endswith: + Image|endswith: - '/whoami' - '/ifconfig' - '/usr/bin/ip' - '/bin/uname' - condition: selection_sub_processes and ( selection_general or selection_tomcat ) + condition: selection_sub_processes and ( selection_general or selection_tomcat or selection_websphere) falsepositives: - - Web applications that invoke Linux command line tools + - Web applications that invoke Linux command line tools level: critical diff --git a/rules/macos/process_creation/proc_creation_macos_applescript.yml b/rules/macos/process_creation/proc_creation_macos_applescript.yml index 35f8c42da..1c4308a70 100644 --- a/rules/macos/process_creation/proc_creation_macos_applescript.yml +++ b/rules/macos/process_creation/proc_creation_macos_applescript.yml @@ -12,10 +12,8 @@ logsource: product: macos detection: selection: - Image|endswith: - - '/osascript' - CommandLine|contains|all: - - '-e' + Image|endswith: '/osascript' + CommandLine|contains: '-e' condition: selection falsepositives: - Application installers might contain scripts as part of the installation process. 
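Review bot: The condition now includes `selection_websphere`, but that selection still carries its `# ? just guessing` comment, so an unverified match string is being wired into a `level: critical` rule. Either confirm that a WebSphere parent process command line contains both `/bin/java` and `websphere` and replace the comment with the reference used, or leave the selection out of the condition until it is verified. If it must stay a guess, say so plainly, e.g. `selection_websphere: # unverified: assumes 'websphere' appears in the JVM command line — confirm before relying on this at critical level`. The remaining selections of the detection block (selection_general, selection_tomcat) start outside this hunk.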
diff --git a/rules/macos/process_creation/proc_creation_macos_binary_padding.yml b/rules/macos/process_creation/proc_creation_macos_binary_padding.yml index fd3cfb82c..107d98437 100644 --- a/rules/macos/process_creation/proc_creation_macos_binary_padding.yml +++ b/rules/macos/process_creation/proc_creation_macos_binary_padding.yml @@ -12,15 +12,11 @@ logsource: category: process_creation detection: selection1: - Image|endswith: - - '/truncate' - CommandLine|contains: - - '-s' + Image|endswith: '/truncate' + CommandLine|contains: '-s' selection2: - Image|endswith: - - '/dd' - CommandLine|contains: - - 'if=' + Image|endswith: '/dd' + CommandLine|contains: 'if=' filter: CommandLine|contains: 'of=' condition: selection1 or (selection2 and not filter) diff --git a/rules/macos/process_creation/proc_creation_macos_create_account.yml b/rules/macos/process_creation/proc_creation_macos_create_account.yml index 573af8117..a000b5eb8 100644 --- a/rules/macos/process_creation/proc_creation_macos_create_account.yml +++ b/rules/macos/process_creation/proc_creation_macos_create_account.yml @@ -12,10 +12,8 @@ logsource: product: macos detection: selection: - Image|endswith: - - '/dscl' - CommandLine|contains: - - 'create' + Image|endswith: '/dscl' + CommandLine|contains: 'create' condition: selection falsepositives: - Legitimate administration activities diff --git a/rules/macos/process_creation/proc_creation_macos_find_cred_in_files.yml b/rules/macos/process_creation/proc_creation_macos_find_cred_in_files.yml index 220f44f01..ae273c242 100644 --- a/rules/macos/process_creation/proc_creation_macos_find_cred_in_files.yml +++ b/rules/macos/process_creation/proc_creation_macos_find_cred_in_files.yml @@ -12,10 +12,8 @@ logsource: category: process_creation detection: selection1: - Image|endswith: - - '/grep' - CommandLine|contains: - - 'password' + Image|endswith: '/grep' + CommandLine|contains: 'password' selection2: CommandLine|contains: 'laZagne' condition: selection1 or selection2 
diff --git a/rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml b/rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml index bb18b8a3a..ac814a811 100644 --- a/rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml +++ b/rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml @@ -13,8 +13,7 @@ logsource: category: process_creation detection: selection1: - Image: - - '/usr/sbin/osascript' + Image: '/usr/sbin/osascript' selection2: CommandLine|contains|all: - '-e' diff --git a/rules/macos/process_creation/proc_creation_macos_local_account.yml b/rules/macos/process_creation/proc_creation_macos_local_account.yml index 5274f9fbc..75dd152ca 100644 --- a/rules/macos/process_creation/proc_creation_macos_local_account.yml +++ b/rules/macos/process_creation/proc_creation_macos_local_account.yml @@ -12,34 +12,27 @@ logsource: product: macos detection: selection_1: - Image|endswith: - - '/dscl' + Image|endswith: '/dscl' CommandLine|contains|all: - 'list' - '/users' selection_2: - Image|endswith: - - '/dscacheutil' + Image|endswith: '/dscacheutil' CommandLine|contains|all: - '-q' - 'user' selection_3: - CommandLine|contains: - - '''x:0:''' + CommandLine|contains: '''x:0:''' selection_4: - Image|endswith: - - '/cat' + Image|endswith: '/cat' CommandLine|contains: - '/etc/passwd' - '/etc/sudoers' selection_5: - Image|endswith: - - '/id' + Image|endswith: '/id' selection_6: - Image|endswith: - - '/lsof' - CommandLine|contains: - - '-u' + Image|endswith: '/lsof' + CommandLine|contains: '-u' condition: 1 of selection* falsepositives: - Legitimate administration activities diff --git a/rules/macos/process_creation/proc_creation_macos_local_groups.yml b/rules/macos/process_creation/proc_creation_macos_local_groups.yml index ff1fa3e08..4701c17c3 100644 --- a/rules/macos/process_creation/proc_creation_macos_local_groups.yml +++ b/rules/macos/process_creation/proc_creation_macos_local_groups.yml 
@@ -12,19 +12,15 @@ logsource: product: macos detection: selection_1: - Image|endswith: - - '/dscacheutil' + Image|endswith: '/dscacheutil' CommandLine|contains|all: - '-q' - 'group' selection_2: - Image|endswith: - - '/cat' - CommandLine|contains: - - '/etc/group' + Image|endswith: '/cat' + CommandLine|contains: '/etc/group' selection_3: - Image|endswith: - - '/dscl' + Image|endswith: '/dscl' CommandLine|contains|all: - '-list' - '/groups' diff --git a/rules/macos/process_creation/proc_creation_macos_remote_system_discovery.yml b/rules/macos/process_creation/proc_creation_macos_remote_system_discovery.yml index 2ebcdf856..3aa5400fa 100644 --- a/rules/macos/process_creation/proc_creation_macos_remote_system_discovery.yml +++ b/rules/macos/process_creation/proc_creation_macos_remote_system_discovery.yml @@ -12,13 +12,10 @@ logsource: product: macos detection: selection_1: - Image|endswith: - - '/arp' - CommandLine|contains: - - '-a' + Image|endswith: '/arp' + CommandLine|contains: '-a' selection_2: - Image|endswith: - - '/ping' + Image|endswith: '/ping' CommandLine|contains: - ' 10.' #10.0.0.0/8 - ' 192.168.' #192.168.0.0/16 diff --git a/rules/macos/process_creation/proc_creation_macos_schedule_task_job_cron.yml b/rules/macos/process_creation/proc_creation_macos_schedule_task_job_cron.yml index b0e4558d4..98db020a8 100644 --- a/rules/macos/process_creation/proc_creation_macos_schedule_task_job_cron.yml +++ b/rules/macos/process_creation/proc_creation_macos_schedule_task_job_cron.yml @@ -12,10 +12,8 @@ logsource: product: macos detection: selection: - Image|endswith: - - '/crontab' - CommandLine|contains: - - '/tmp/' + Image|endswith: '/crontab' + CommandLine|contains: '/tmp/' condition: selection falsepositives: - Legitimate administration activities diff --git a/rules/macos/process_creation/proc_creation_macos_susp_histfile_operations.yml b/rules/macos/process_creation/proc_creation_macos_susp_histfile_operations.yml index ff2c21434..501651898 100644 
--- a/rules/macos/process_creation/proc_creation_macos_susp_histfile_operations.yml +++ b/rules/macos/process_creation/proc_creation_macos_susp_histfile_operations.yml @@ -22,7 +22,7 @@ detection: condition: selection falsepositives: - Legitimate administrative activity - - Ligitimate software, cleaning hist file + - Legitimate software, cleaning hist file level: medium tags: - attack.credential_access diff --git a/rules/network/zeek/zeek_dns_nkn.yml b/rules/network/zeek/zeek_dns_nkn.yml index eafbcd529..35c1bc3d6 100644 --- a/rules/network/zeek/zeek_dns_nkn.yml +++ b/rules/network/zeek/zeek_dns_nkn.yml @@ -24,5 +24,5 @@ fields: - id.resp_h - answers falsepositives: - - unknown + - Unknown level: low diff --git a/rules/network/zeek/zeek_rdp_public_listener.yml b/rules/network/zeek/zeek_rdp_public_listener.yml index 1f41a07f9..8674e33f3 100644 --- a/rules/network/zeek/zeek_rdp_public_listener.yml +++ b/rules/network/zeek/zeek_rdp_public_listener.yml @@ -33,6 +33,8 @@ detection: - '172.29.' - '172.30.' - '172.31.' + - 'fd' + - '2620:83:800f' #approved_rdp: #dst_ip: #- x.x.x.x diff --git a/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml b/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml index e9b886aa5..68c8c83f0 100644 --- a/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml +++ b/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml @@ -35,7 +35,7 @@ detection: - 'MsFteWds' condition: selection1 and not selection2 falsepositives: - - update the excluded named pipe to filter out any newly observed legit named pipe + - Update the excluded named pipe to filter out any newly observed legit named pipe level: high tags: - attack.lateral_movement diff --git a/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml b/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml index d2fc92f84..ff4e1bdb2 100644 --- a/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml 
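Review bot: The two entries added to the private-address prefix list are not the same kind of thing: `'fd'` is a textual prefix for the IPv6 unique-local range (fd00::/8, the locally-assigned half of fc00::/7; `'fc'` is not covered), whereas `'2620:83:800f'` is a global-unicast prefix belonging to one organization, and shipping it in a shared rule silently exempts that network from the public-listener check in every deployment. Consider moving `'2620:83:800f'` into the commented-out `approved_rdp` filter that already exists for site-specific exemptions, or at least label it, e.g. `- '2620:83:800f' # organization-specific allocation, not an RFC private range`. Both entries also assume the Zeek field renders the address as lowercase hex text, which the hunk does not show, and the selection holding this list starts outside the hunk.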
+++ b/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml @@ -32,7 +32,7 @@ fields: - SubjectUserName - RelativeTargetName falsepositives: - - Help Desk operator doing backup or re-imaging end user machine or pentest or backup software + - Help Desk operator doing backup or re-imaging end user machine or backup software - Users working with these data types or exchanging message files level: medium tags: diff --git a/rules/network/zeek/zeek_susp_kerberos_rc4.yml b/rules/network/zeek/zeek_susp_kerberos_rc4.yml index 173944db0..d71b2ec56 100644 --- a/rules/network/zeek/zeek_susp_kerberos_rc4.yml +++ b/rules/network/zeek/zeek_susp_kerberos_rc4.yml @@ -18,7 +18,7 @@ detection: service|startswith: '$' condition: selection and not computer_acct falsepositives: - - normal enterprise SPN requests activity + - Normal enterprise SPN requests activity level: medium tags: - attack.credential_access diff --git a/rules/proxy/proxy_telegram_api.yml b/rules/proxy/proxy_telegram_api.yml index c8803a0a1..c2a5ac293 100644 --- a/rules/proxy/proxy_telegram_api.yml +++ b/rules/proxy/proxy_telegram_api.yml @@ -13,8 +13,7 @@ logsource: category: proxy detection: selection: - r-dns: - - 'api.telegram.org' # Often used by Bots + r-dns: 'api.telegram.org' # Often used by Bots filter: c-useragent|contains: # Used https://core.telegram.org/bots/samples for this list diff --git a/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml b/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml index 953c84a77..6516f0304 100644 --- a/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml +++ b/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml 
@@ -2,9 +2,9 @@ title: Bitsadmin to Uncommon TLD id: 9eb68894-7476-4cd6-8752-23b51f5883a7 status: experimental description: Detects Bitsadmin connections to domains with uncommon TLDs - https://twitter.com/jhencinski/status/1102695118455349248 - https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/ -author: Florian Roth +author: Florian Roth, Tim Shelton date: 2019/03/07 -modified: 2021/08/09 +modified: 2022/05/09 logsource: category: proxy detection: @@ -15,6 +15,7 @@ detection: - '.com' - '.net' - '.org' + - '.scdn.co' # spotify streaming condition: selection and not falsepositives fields: - ClientIP diff --git a/rules/web/web_apache_threading_error.yml b/rules/web/web_apache_threading_error.yml index ca2c3e4e3..fdbf79f30 100644 --- a/rules/web/web_apache_threading_error.yml +++ b/rules/web/web_apache_threading_error.yml @@ -14,5 +14,5 @@ detection: - '__pthread_tpp_change_priority: Assertion `new_prio == -1 || (new_prio >= fifo_min_prio && new_prio <= fifo_max_prio)' condition: keywords falsepositives: - - https://bz.apache.org/bugzilla/show_bug.cgi?id=46185 + - 3rd party apache modules - https://bz.apache.org/bugzilla/show_bug.cgi?id=46185 level: medium diff --git a/rules/web/web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml b/rules/web/web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml index 869a932e9..4cf8badf1 100644 --- a/rules/web/web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml +++ b/rules/web/web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml @@ -17,12 +17,12 @@ tags: - attack.t1190 - cve.2021.20090 - cve.2021.20091 -logsource: +logsource: category: webserver detection: path_traversal: - c-uri|contains: # CVE-2021-20090 (Bypass Auth: Path Traversal) - - '..%2f' + # CVE-2021-20090 (Bypass Auth: Path Traversal) + c-uri|contains: '..%2f' config_file_inj: c-uri|contains|all: # Chaining of CVE-2021-20090 (Bypass Auth) and CVE-2021-20091 (Config File Injection) - '..%2f' 
diff --git a/rules/web/web_cve_2010_5278_exploitation_attempt.yml b/rules/web/web_cve_2010_5278_exploitation_attempt.yml index 368ddf6ec..7b97de252 100644 --- a/rules/web/web_cve_2010_5278_exploitation_attempt.yml +++ b/rules/web/web_cve_2010_5278_exploitation_attempt.yml @@ -13,8 +13,7 @@ logsource: category: webserver detection: selection: - c-uri|contains: - - /manager/controllers/default/resource/tvs.php?class_key=../../../../../../../../../../windows/win.ini%00 + c-uri|contains: /manager/controllers/default/resource/tvs.php?class_key=../../../../../../../../../../windows/win.ini%00 condition: selection falsepositives: - Scanning from Nuclei diff --git a/rules/web/win_webshell_regeorg.yml b/rules/web/win_webshell_regeorg.yml index 7e38813c7..145f51802 100644 --- a/rules/web/win_webshell_regeorg.yml +++ b/rules/web/win_webshell_regeorg.yml @@ -29,7 +29,7 @@ fields: - cs-method - cs-User-Agent falsepositives: - - web applications that use the same URL parameters as ReGeorg + - Web applications that use the same URL parameters as ReGeorg level: high tags: - attack.persistence diff --git a/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml b/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml index 9e28f7ab9..85b0dd888 100644 --- a/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml +++ b/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml @@ -28,7 +28,7 @@ fields: - FileHash - Fqbn falsepositives: - - need tuning applocker or add exceptions in SIEM + - Need tuning applocker or add exceptions in SIEM level: medium tags: - attack.execution diff --git a/rules/windows/builtin/security/win_account_backdoor_dcsync_rights.yml b/rules/windows/builtin/security/win_account_backdoor_dcsync_rights.yml index 4fb27b2df..9218d3288 100644 --- a/rules/windows/builtin/security/win_account_backdoor_dcsync_rights.yml 
+++ b/rules/windows/builtin/security/win_account_backdoor_dcsync_rights.yml @@ -4,7 +4,7 @@ description: backdooring domain object to grant the rights associated with DCSyn Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer status: experimental date: 2019/04/03 -modified: 2022/05/05 +modified: 2022/05/10 author: Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community; Tim Shelton references: - https://twitter.com/menasec1/status/1111556090137903104 @@ -24,7 +24,9 @@ detection: - '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' - '89e95b76-444d-4c62-991a-0facbeda640c' filter1: - ObjectType: 'dnsNode' + ObjectType: + - 'dnsNode' + - 'dnsZoneScope' condition: selection and not 1 of filter* falsepositives: - New Domain Controller computer account, check user SIDs within the value attribute of event 5136 and verify if it's a regular user or DC computer account. diff --git a/rules/windows/builtin/security/win_account_discovery.yml b/rules/windows/builtin/security/win_account_discovery.yml index c5798b2c3..344bd7246 100644 --- a/rules/windows/builtin/security/win_account_discovery.yml +++ b/rules/windows/builtin/security/win_account_discovery.yml @@ -34,5 +34,5 @@ detection: - ObjectName|contains: 'admin' condition: selection and selection_object falsepositives: - - if source account name is not an admin then its super suspicious + - If source account name is not an admin then its super suspicious level: high diff --git a/rules/windows/builtin/security/win_alert_active_directory_user_control.yml b/rules/windows/builtin/security/win_alert_active_directory_user_control.yml index aa61b3585..6dba9193c 100644 --- a/rules/windows/builtin/security/win_alert_active_directory_user_control.yml +++ b/rules/windows/builtin/security/win_alert_active_directory_user_control.yml 
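Review bot: Adding `'dnsZoneScope'` to `filter1` widens an exclusion that is keyed on `ObjectType` alone, so any grant of the replication-right GUIDs on an object of that class, by any principal, is now dropped from a high-value backdoor detection, and nothing in the rule records why DNS object classes are excluded. A one-line comment on `filter1` would let the next maintainer judge whether the exclusion is still justified, e.g. `filter1: # DNS object classes observed receiving these ACEs during legitimate zone operations; exclusion is by ObjectType only, tighten if it proves too broad` — I am inferring the reason, so adjust the wording to what was actually observed.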
@@ -15,8 +15,7 @@ detection: selection_base: EventID: 4704 selection_keywords: - PrivilegeList|contains: - - 'SeEnableDelegationPrivilege' + PrivilegeList|contains: 'SeEnableDelegationPrivilege' condition: all of selection* falsepositives: - Unknown diff --git a/rules/windows/builtin/security/win_gpo_scheduledtasks.yml b/rules/windows/builtin/security/win_gpo_scheduledtasks.yml index 031277636..5ab6628d6 100644 --- a/rules/windows/builtin/security/win_gpo_scheduledtasks.yml +++ b/rules/windows/builtin/security/win_gpo_scheduledtasks.yml @@ -22,7 +22,7 @@ detection: - '%%4417' condition: selection falsepositives: - - if the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks + - If the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks level: high tags: - attack.persistence diff --git a/rules/windows/builtin/security/win_lm_namedpipe.yml b/rules/windows/builtin/security/win_lm_namedpipe.yml index a5a4abc1d..79fb3d013 100644 --- a/rules/windows/builtin/security/win_lm_namedpipe.yml +++ b/rules/windows/builtin/security/win_lm_namedpipe.yml @@ -38,7 +38,7 @@ detection: - 'sql\query' condition: selection1 and not false_positives falsepositives: - - update the excluded named pipe to filter out any newly observed legit named pipe + - Update the excluded named pipe to filter out any newly observed legit named pipe level: high tags: - attack.lateral_movement diff --git a/rules/windows/builtin/security/win_privesc_cve_2020_1472.yml b/rules/windows/builtin/security/win_privesc_cve_2020_1472.yml index 225208a98..2a8eebdbd 100644 --- a/rules/windows/builtin/security/win_privesc_cve_2020_1472.yml +++ b/rules/windows/builtin/security/win_privesc_cve_2020_1472.yml 
@@ -23,6 +23,6 @@ detection: PasswordLastSet: '-' condition: selection and not filter falsepositives: - - automatic DC computer account password change + - Automatic DC computer account password change - Legitimate DC computer account password change level: high diff --git a/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml b/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml index 9d4815c54..824d0f1ec 100644 --- a/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml +++ b/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml @@ -67,8 +67,7 @@ detection: - C:\Windows\Temp\asgard2-agent\ - C:\ProgramData\Microsoft\Windows Defender\Platform\ filter2: - ProcessName|startswith: - - 'C:\Program Files' # too many false positives with legitimate AV and EDR solutions + ProcessName|startswith: 'C:\Program Files' # too many false positives with legitimate AV and EDR solutions filter3: ProcessName: 'C:\Windows\CCM\CcmExec.exe' condition: 1 of selection_* and not 1 of filter* diff --git a/rules/windows/builtin/security/win_susp_raccess_sensitive_fext.yml b/rules/windows/builtin/security/win_susp_raccess_sensitive_fext.yml index 61b204cab..3a896b3de 100644 --- a/rules/windows/builtin/security/win_susp_raccess_sensitive_fext.yml +++ b/rules/windows/builtin/security/win_susp_raccess_sensitive_fext.yml @@ -34,6 +34,6 @@ fields: - SubjectUserName - RelativeTargetName falsepositives: - - Help Desk operator doing backup or re-imaging end user machine or pentest or backup software + - Help Desk operator doing backup or re-imaging end user machine or backup software - Users working with these data types or exchanging message files level: medium diff --git a/rules/windows/builtin/system/win_security_krbrelayup_service_installation.yml b/rules/windows/builtin/system/win_security_krbrelayup_service_installation.yml new file mode 100644 index 000000000..3ab241a79 --- /dev/null 
+++ b/rules/windows/builtin/system/win_security_krbrelayup_service_installation.yml @@ -0,0 +1,22 @@ +title: KrbRelayUp Service Installation +id: e97d9903-53b2-41fc-8cb9-889ed4093e80 +status: experimental +description: Detects service creation from KrbRelayUp tool used for privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings) +author: Sittikorn S +date: 2022/05/11 +references: + - https://github.com/Dec0ne/KrbRelayUp +logsource: + product: windows + category: system +detection: + selection: + EventID: '7045' + ServiceName: 'KrbSCM' + condition: selection +falsepositives: + - Unknown +level: high +tags: + - attack.privilege_escalation + - attack.t1543 diff --git a/rules/windows/builtin/system/win_system_application_sysmon_crash.yml b/rules/windows/builtin/system/win_system_application_sysmon_crash.yml index 953145060..5f73f0aee 100644 --- a/rules/windows/builtin/system/win_system_application_sysmon_crash.yml +++ b/rules/windows/builtin/system/win_system_application_sysmon_crash.yml @@ -14,7 +14,7 @@ detection: Caption: 'sysmon64.exe - Application Error' condition: selection falsepositives: - - none + - Unknown level: high tags: - attack.t1562 diff --git a/rules/windows/builtin/taskscheduler/win_rare_schtask_creation.yml b/rules/windows/builtin/taskscheduler/win_rare_schtask_creation.yml index 363596a2f..3d19e70af 100644 --- a/rules/windows/builtin/taskscheduler/win_rare_schtask_creation.yml +++ b/rules/windows/builtin/taskscheduler/win_rare_schtask_creation.yml @@ -12,8 +12,7 @@ detection: selection: EventID: 106 filter1: - TaskName: - - \Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan + TaskName: \Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan timeframe: 7d condition: selection and not 1 of filter* | count() by TaskName < 5 falsepositives: 
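Review bot: `category: system` in the new rule's `logsource` does not look like a valid selector for the Windows System event log; the other event-channel rules in this diff address a channel via `service:` (e.g. `service: windefend`), so this should presumably be `service: system`, otherwise backends may not map the rule to the 7045 source at all. `EventID: '7045'` is also quoted as a string while the other rules here use bare integers (`EventID: 4704`, `EventID: 106`); `EventID: 7045` keeps it consistent. The detection rests solely on the default service name `KrbSCM`, which the description should state so analysts know coverage is limited to unmodified tooling, e.g. append `Detection relies on the tool's default service name.` to the description.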
diff --git a/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml b/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml index 69ea17366..a87228d9f 100644 --- a/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml +++ b/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml @@ -17,8 +17,7 @@ logsource: service: windefend detection: selection: - EventID: - - 5013 + EventID: 5013 Value|endswith: - '\Windows Defender\DisableAntiSpyware = 0x1()' - '\Real-Time Protection\DisableRealtimeMonitoring = (Current)' diff --git a/rules/windows/driver_load/driver_load_susp_temp_use.yml b/rules/windows/driver_load/driver_load_susp_temp_use.yml index fbaec49c6..3bd13f623 100755 --- a/rules/windows/driver_load/driver_load_susp_temp_use.yml +++ b/rules/windows/driver_load/driver_load_susp_temp_use.yml @@ -13,7 +13,7 @@ detection: ImageLoaded|contains: '\Temp\' condition: selection falsepositives: - - there is a relevant set of false positives depending on applications in the environment + - There is a relevant set of false positives depending on applications in the environment level: high tags: - attack.persistence diff --git a/rules/windows/file_event/file_event_win_cve_2021_1675_printspooler.yml b/rules/windows/file_event/file_event_win_cve_2021_1675_printspooler.yml index 462ef78b8..045ca1dbf 100644 --- a/rules/windows/file_event/file_event_win_cve_2021_1675_printspooler.yml +++ b/rules/windows/file_event/file_event_win_cve_2021_1675_printspooler.yml @@ -21,8 +21,7 @@ logsource: product: windows detection: selection: - TargetFilename|contains: - - 'C:\Windows\System32\spool\drivers\x64\3\old\1\123' + TargetFilename|contains: 'C:\Windows\System32\spool\drivers\x64\3\old\1\123' condition: selection fields: - ComputerName diff --git a/rules/windows/file_event/file_event_win_iso_file_recent.yml b/rules/windows/file_event/file_event_win_iso_file_recent.yml index da522c721..c4ec55e2e 100644 
--- a/rules/windows/file_event/file_event_win_iso_file_recent.yml +++ b/rules/windows/file_event/file_event_win_iso_file_recent.yml @@ -14,13 +14,12 @@ logsource: category: file_event detection: selection: - TargetFilename|endswith: + TargetFilename|endswith: - '.iso.lnk' - '.img.lnk' - '.vhd.lnk' - '.vhdx.lnk' - TargetFilename|contains: - - '\Microsoft\Windows\Recent\' + TargetFilename|contains: '\Microsoft\Windows\Recent\' condition: selection falsepositives: - Cases in which a user mounts an image file for legitimate reasons diff --git a/rules/windows/file_event/file_event_win_mimimaktz_memssp_log_file.yml b/rules/windows/file_event/file_event_win_mimimaktz_memssp_log_file.yml index 526903249..11a4e147f 100644 --- a/rules/windows/file_event/file_event_win_mimimaktz_memssp_log_file.yml +++ b/rules/windows/file_event/file_event_win_mimimaktz_memssp_log_file.yml @@ -12,10 +12,9 @@ tags: logsource: product: windows category: file_event -detection: +detection: mimikatz_memssp_filename: - TargetFilename|endswith: - - 'mimilsa.log' + TargetFilename|endswith: 'mimilsa.log' condition: mimikatz_memssp_filename falsepositives: - Unlikely diff --git a/rules/windows/file_event/file_event_win_susp_clr_logs.yml b/rules/windows/file_event/file_event_win_susp_clr_logs.yml index 7cc42eda4..afedb81f4 100644 --- a/rules/windows/file_event/file_event_win_susp_clr_logs.yml +++ b/rules/windows/file_event/file_event_win_susp_clr_logs.yml @@ -1,6 +1,6 @@ title: Suspcious CLR Logs Creation id: e4b63079-6198-405c-abd7-3fe8b0ce3263 -description: Detects suspicious .NET assembly executions. Could detect using Cobalt Strike's command execute-assembly. +description: Detects suspicious .NET assembly executions. Could detect using Cobalt Strike's command execute-assembly. references: - https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html - https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/ 
@@ -33,5 +33,5 @@ detection: - 'svchost' condition: selection falsepositives: - - https://twitter.com/SBousseaden/status/1388064061087260675 - rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process + - Rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process - https://twitter.com/SBousseaden/status/1388064061087260675 level: high diff --git a/rules/windows/file_event/file_event_win_susp_desktop_ini.yml b/rules/windows/file_event/file_event_win_susp_desktop_ini.yml index 119379751..3dbda7a44 100755 --- a/rules/windows/file_event/file_event_win_susp_desktop_ini.yml +++ b/rules/windows/file_event/file_event_win_susp_desktop_ini.yml @@ -21,7 +21,7 @@ detection: condition: selection and not filter falsepositives: - Operations performed through Windows SCCM or equivalent - - read only access list authority + - Read only access list authority level: medium tags: - attack.persistence diff --git a/rules/windows/file_event/file_event_win_susp_dropper.yml b/rules/windows/file_event/file_event_win_susp_dropper.yml index 46e8d1cd3..c41b3d5a5 100644 --- a/rules/windows/file_event/file_event_win_susp_dropper.yml +++ b/rules/windows/file_event/file_event_win_susp_dropper.yml @@ -6,7 +6,7 @@ author: frack113 references: - Malware Sandbox date: 2022/03/09 -modified: 2022/04/28 +modified: 2022/05/08 logsource: product: windows category: file_event @@ -14,6 +14,11 @@ detection: selection: Image|endswith: '.exe' TargetFilename|endswith: '.exe' + filter_whitelist: + Image: + - 'C:\Windows\System32\msiexec.exe' + - 'C:\Windows\system32\cleanmgr.exe' + - 'C:\Windows\explorer.exe' filter_update: Image: 'C:\WINDOWS\system32\svchost.exe' TargetFilename|startswith: 'C:\Windows\SoftwareDistribution\Download\Install\' 
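Review bot: The new `filter_whitelist` adds `C:\Windows\explorer.exe` as an unconditional exclusion that the two filters it replaces (`filter_msiexec`, `filter_cleanmgr`, removed in the next hunk) did not cover; any executable written by Explorer, i.e. ordinary user copy operations, is now out of scope and the rule records no reason. A why-comment on that entry would document the trade-off, e.g. `- 'C:\Windows\explorer.exe' # user file copies; broad exclusion, revisit`. The list also mixes `System32` and `system32`; harmless because Sigma matching is case-insensitive, but `- 'C:\Windows\System32\cleanmgr.exe'` keeps the entries uniform.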
@@ -21,10 +26,6 @@ detection: filter_tiworker: Image|startswith: 'C:\Windows\WinSxS\' Image|endswith: '\TiWorker.exe' - filter_msiexec: - Image: 'C:\Windows\System32\msiexec.exe' - filter_cleanmgr: - Image: 'C:\WINDOWS\system32\cleanmgr.exe' filter_programfiles: - Image|startswith: - 'C:\Program Files\' diff --git a/rules/windows/file_event/file_event_win_werfault_dll_hijacking.yml b/rules/windows/file_event/file_event_win_werfault_dll_hijacking.yml new file mode 100644 index 000000000..a089cd21e --- /dev/null +++ b/rules/windows/file_event/file_event_win_werfault_dll_hijacking.yml @@ -0,0 +1,29 @@ +title: Creation of an WerFault.exe in Unusual Folder +id: 28a452f3-786c-4fd8-b8f2-bddbe9d616d1 +status: experimental +description: Detects WerFault copoed to a suspicious folder, which could be a sign of WerFault DLL hijacking +author: frack113 +references: + - https://www.bleepingcomputer.com/news/security/hackers-are-now-hiding-malware-in-windows-event-logs/ +date: 2022/05/09 +logsource: + product: windows + category: file_event +detection: + selection: + TargetFilename|endswith: + - '\WerFault.exe' + - '\wer.dll' + filter_whitelist: + TargetFilename|contains: + - '\System32\' + - '\SysWOW64\' + - '\WinSxS\' + condition: selection and not filter_whitelist +falsepositives: + - Unknown +level: high +tags: + - attack.persistence + - attack.defense_evasion + - attack.t1574.001 diff --git a/rules/windows/file_rename/file_rename_win_not_dll_to_dll.yml b/rules/windows/file_rename/file_rename_win_not_dll_to_dll.yml index 698b6de4c..4b9ad9667 100644 --- a/rules/windows/file_rename/file_rename_win_not_dll_to_dll.yml +++ b/rules/windows/file_rename/file_rename_win_not_dll_to_dll.yml @@ -15,10 +15,10 @@ detection: to_dll: TargetFilename|endswith: '.dll' filter_from_dll: - - OriginalFilename|endswith: + - OriginalFilename|endswith: - '.dll' - '.tmp' # VSCode FP - - OriginalFilename|contains: + - OriginalFilename|contains: - '.dll.' - '\SquirrelTemp\temp' filter_tiworker: 
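Review bot: The new WerFault rule's description has a typo (`copoed`) and its title an article error, and neither mentions the `\wer.dll` selector the detection also carries; `title: Creation of a WerFault.exe in Unusual Folder` and `description: Detects WerFault.exe or wer.dll copied to a suspicious folder, which could be a sign of WerFault DLL hijacking` cover both. The `filter_whitelist` uses `TargetFilename|contains` with bare `\System32\`, `\SysWOW64\` and `\WinSxS\` segments, so any path containing one of those folder names is excluded regardless of drive or parent directory. `TargetFilename|startswith` with `C:\Windows\System32\`, `C:\Windows\SysWOW64\` and `C:\Windows\WinSxS\` expresses what the exclusion intends, matching how other rules in this diff anchor system paths (e.g. `ImageLoaded|startswith: 'C:\Windows\WinSxS\'`).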
diff --git a/rules/windows/image_load/image_load_susp_fax_dll.yml b/rules/windows/image_load/image_load_susp_fax_dll.yml index b49be7ca9..e9d31e38c 100644 --- a/rules/windows/image_load/image_load_susp_fax_dll.yml +++ b/rules/windows/image_load/image_load_susp_fax_dll.yml @@ -12,13 +12,10 @@ logsource: product: windows detection: selection: - Image|endswith: - - fxssvc.exe - ImageLoaded|endswith: - - ualapi.dll + Image|endswith: fxssvc.exe + ImageLoaded|endswith: ualapi.dll filter: - ImageLoaded|startswith: - - C:\Windows\WinSxS\ + ImageLoaded|startswith: C:\Windows\WinSxS\ condition: selection and not filter falsepositives: - Unlikely diff --git a/rules/windows/image_load/image_load_susp_image_load.yml b/rules/windows/image_load/image_load_susp_image_load.yml index ff5ca7bfe..5b4a32a59 100755 --- a/rules/windows/image_load/image_load_susp_image_load.yml +++ b/rules/windows/image_load/image_load_susp_image_load.yml @@ -12,8 +12,7 @@ logsource: product: windows detection: selection: - Image|endswith: - - '\notepad.exe' + Image|endswith: '\notepad.exe' ImageLoaded|endswith: - '\samlib.dll' - '\WinSCard.dll' diff --git a/rules/windows/image_load/image_load_susp_office_dotnet_assembly_dll_load.yml b/rules/windows/image_load/image_load_susp_office_dotnet_assembly_dll_load.yml index 6feea67a4..39d6afed7 100755 --- a/rules/windows/image_load/image_load_susp_office_dotnet_assembly_dll_load.yml +++ b/rules/windows/image_load/image_load_susp_office_dotnet_assembly_dll_load.yml @@ -17,8 +17,7 @@ detection: - '\powerpnt.exe' - '\excel.exe' - '\outlook.exe' - ImageLoaded|startswith: - - 'C:\Windows\assembly\' + ImageLoaded|startswith: 'C:\Windows\assembly\' condition: selection falsepositives: - Alerts on legitimate macro usage as well, will need to filter as appropriate diff --git a/rules/windows/image_load/image_load_susp_office_dotnet_clr_dll_load.yml b/rules/windows/image_load/image_load_susp_office_dotnet_clr_dll_load.yml index 2cb835dfa..6c721153a 100755 
--- a/rules/windows/image_load/image_load_susp_office_dotnet_clr_dll_load.yml +++ b/rules/windows/image_load/image_load_susp_office_dotnet_clr_dll_load.yml @@ -17,8 +17,7 @@ detection: - '\powerpnt.exe' - '\excel.exe' - '\outlook.exe' - ImageLoaded|contains: - - '\clr.dll' + ImageLoaded|contains: '\clr.dll' condition: selection falsepositives: - Alerts on legitimate macro usage as well, will need to filter as appropriate diff --git a/rules/windows/image_load/image_load_susp_office_dotnet_gac_dll_load.yml b/rules/windows/image_load/image_load_susp_office_dotnet_gac_dll_load.yml index fc8c755b5..4fb4fd360 100755 --- a/rules/windows/image_load/image_load_susp_office_dotnet_gac_dll_load.yml +++ b/rules/windows/image_load/image_load_susp_office_dotnet_gac_dll_load.yml @@ -17,8 +17,7 @@ detection: - '\powerpnt.exe' - '\excel.exe' - '\outlook.exe' - ImageLoaded|startswith: - - 'C:\Windows\Microsoft.NET\assembly\GAC_MSIL' + ImageLoaded|startswith: 'C:\Windows\Microsoft.NET\assembly\GAC_MSIL' condition: selection falsepositives: - Alerts on legitimate macro usage as well, will need to filter as appropriate diff --git a/rules/windows/image_load/image_load_susp_office_dsparse_dll_load.yml b/rules/windows/image_load/image_load_susp_office_dsparse_dll_load.yml index 649f5d309..adcd6b0ab 100755 --- a/rules/windows/image_load/image_load_susp_office_dsparse_dll_load.yml +++ b/rules/windows/image_load/image_load_susp_office_dsparse_dll_load.yml @@ -17,8 +17,7 @@ detection: - '\powerpnt.exe' - '\excel.exe' - '\outlook.exe' - ImageLoaded|contains: - - '\dsparse.dll' + ImageLoaded|contains: '\dsparse.dll' condition: selection falsepositives: - Alerts on legitimate macro usage as well, will need to filter as appropriate diff --git a/rules/windows/image_load/image_load_susp_office_kerberos_dll_load.yml b/rules/windows/image_load/image_load_susp_office_kerberos_dll_load.yml index f72268538..dd54239f2 100755 --- a/rules/windows/image_load/image_load_susp_office_kerberos_dll_load.yml 
+++ b/rules/windows/image_load/image_load_susp_office_kerberos_dll_load.yml @@ -17,8 +17,7 @@ detection: - '\powerpnt.exe' - '\excel.exe' - '\outlook.exe' - ImageLoaded|endswith: - - '\kerberos.dll' + ImageLoaded|endswith: '\kerberos.dll' condition: selection falsepositives: - Alerts on legitimate macro usage as well, will need to filter as appropriate diff --git a/rules/windows/image_load/image_load_suspicious_vss_ps_load.yml b/rules/windows/image_load/image_load_suspicious_vss_ps_load.yml index 1d9b98d2c..6ad311ec0 100644 --- a/rules/windows/image_load/image_load_suspicious_vss_ps_load.yml +++ b/rules/windows/image_load/image_load_suspicious_vss_ps_load.yml @@ -7,18 +7,17 @@ date: 2021/07/07 modified: 2022/05/06 references: - 1bd85e1caa1415ebdc8852c91e37bbb7 - - https://twitter.com/am0nsec/status/1412232114980982787 + - https://twitter.com/am0nsec/status/1412232114980982787 tags: - attack.defense_evasion - - attack.impact + - attack.impact - attack.t1490 logsource: category: image_load product: windows detection: selection: - ImageLoaded|endswith: - - '\vss_ps.dll' + ImageLoaded|endswith: '\vss_ps.dll' filter: Image|endswith: - '\svchost.exe' @@ -39,4 +38,4 @@ detection: condition: selection and not filter falsepositives: - Unknown -level: high +level: high diff --git a/rules/windows/image_load/image_load_svchost_dll_search_order_hijack.yml b/rules/windows/image_load/image_load_svchost_dll_search_order_hijack.yml index 02a3bf323..626eb21ae 100755 --- a/rules/windows/image_load/image_load_svchost_dll_search_order_hijack.yml +++ b/rules/windows/image_load/image_load_svchost_dll_search_order_hijack.yml 
@@ -12,15 +12,13 @@ logsource: product: windows detection: selection: - Image|endswith: - - '\svchost.exe' + Image|endswith: '\svchost.exe' ImageLoaded|endswith: - '\tsmsisrv.dll' - '\tsvipsrv.dll' - '\wlbsctrl.dll' filter: - ImageLoaded|startswith: - - 'C:\Windows\WinSxS\' + ImageLoaded|startswith: 'C:\Windows\WinSxS\' condition: selection and not filter falsepositives: - Unknown diff --git a/rules/windows/image_load/image_load_uac_bypass_via_dism.yml b/rules/windows/image_load/image_load_uac_bypass_via_dism.yml index ff1fba982..595d310d5 100644 --- a/rules/windows/image_load/image_load_uac_bypass_via_dism.yml +++ b/rules/windows/image_load/image_load_uac_bypass_via_dism.yml @@ -18,13 +18,10 @@ logsource: product: windows detection: selection: - Image|endswith: - - '\dism.exe' - ImageLoaded|endswith: - - '\dismcore.dll' + Image|endswith: '\dism.exe' + ImageLoaded|endswith: '\dismcore.dll' filter: - ImageLoaded: - - 'C:\Windows\System32\Dism\dismcore.dll' + ImageLoaded: 'C:\Windows\System32\Dism\dismcore.dll' condition: selection and not filter falsepositives: - Actions of a legitimate telnet client diff --git a/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml b/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml index 54b267a98..f60f06682 100644 --- a/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml +++ b/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml @@ -38,5 +38,5 @@ detection: - Image|contains: '\Local\Microsoft\OneDrive\' condition: selection and not filter falsepositives: - - other legitimate processes loading those DLLs in your environment. + - Other legitimate processes loading those DLLs in your environment. level: medium diff --git a/rules/windows/network_connection/net_connection_win_susp_rdp.yml b/rules/windows/network_connection/net_connection_win_susp_rdp.yml index f94985f7a..70b019528 100755 --- a/rules/windows/network_connection/net_connection_win_susp_rdp.yml 
+++ b/rules/windows/network_connection/net_connection_win_susp_rdp.yml @@ -41,7 +41,7 @@ detection: condition: selection and not filter falsepositives: - Other Remote Desktop RDP tools - - domain controller using dns.exe + - Domain controller using dns.exe level: high tags: - attack.lateral_movement diff --git a/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml b/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml index 8faa41211..0d36117af 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml @@ -6,7 +6,7 @@ related: status: experimental description: Detects keywords that could indicate clearing PowerShell history date: 2019/10/25 -modified: 2021/10/16 +modified: 2022/05/10 author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community references: - https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a @@ -18,19 +18,24 @@ logsource: category: ps_module definition: PowerShell Module Logging must be enabled detection: - selection_payload_1: + selection_1a_payload: Payload|contains: - 'del' - 'Remove-Item' - 'rm' - Payload|contains|all: - - '(Get-PSReadlineOption).HistorySavePath' + selection_1b_payload: + Payload|contains: '(Get-PSReadlineOption).HistorySavePath' selection_payload_2: Payload|contains|all: - 'Set-PSReadlineOption' - - '–HistorySaveStyle' + - '–HistorySaveStyle' # not sure if the homoglyph –/- is intended, just checking for both - 'SaveNothing' - condition: selection_payload_1 or selection_payload_2 + selection_payload_3: + Payload|contains|all: + - 'Set-PSReadlineOption' + - '-HistorySaveStyle' + - 'SaveNothing' + condition: 1 of selection_payload_* or all of selection_1* falsepositives: - Legitimate PowerShell scripts level: medium 
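Review bot: The new `condition: 1 of selection_payload_* or all of selection_1*` only works because the glob `selection_payload_*` happens not to match `selection_1a_payload`/`selection_1b_payload`; the sibling script-block rule in the later `posh_ps_clear_powershell_history.yml` hunk has the same fragility with `selection_*` versus `selection1a`/`selection1b`, and the two rules name the same selections differently. An explicit condition removes the dependency on naming, e.g. `condition: (selection_1a_payload and selection_1b_payload) or selection_payload_2 or selection_payload_3` here and `condition: (selection1a and selection1b) or selection_2 or selection_3` there. The inline comment `# not sure if the homoglyph –/- is intended, just checking for both` reads as an open question; state it as the decision, e.g. `# en dash (U+2013) variant; the ASCII '-' form is matched by selection_payload_3`.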
diff --git a/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml b/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml index 79f2a00d5..6305b90d1 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml @@ -22,5 +22,5 @@ detection: - 'DatabasePath ' condition: selection falsepositives: - - unknown + - Unknown level: high diff --git a/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml b/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml index a33d80aea..7edd8a19b 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml @@ -22,8 +22,7 @@ detection: - ' = ServerRemoteHost ' # HostName: 'ServerRemoteHost' french : Nom d’hôte = - 'wsmprovhost.exe' # HostApplication|contains: 'wsmprovhost.exe' french Application hôte = false_positive_1: - ContextInfo|contains: - - '\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psm1' + ContextInfo|contains: '\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psm1' condition: selection and not 1 of false_positive* falsepositives: diff --git a/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml b/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml index d1902e7f8..d9b2bdb47 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml 
@@ -9,24 +9,30 @@ author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community references: - https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a date: 2022/01/25 +modified: 2022/05/10 logsource: product: windows category: ps_script definition: Script block logging must be enabled detection: - selection_1: + selection1a: ScriptBlockText|contains: - 'del' - 'Remove-Item' - 'rm' - ScriptBlockText|contains|all: - - '(Get-PSReadlineOption).HistorySavePath' + selection1b: + ScriptBlockText|contains: '(Get-PSReadlineOption).HistorySavePath' selection_2: ScriptBlockText|contains|all: - 'Set-PSReadlineOption' - - '–HistorySaveStyle' + - '–HistorySaveStyle' # not sure if the homoglyph –/- is intended, just checking for both - 'SaveNothing' - condition: 1 of selection_* + selection_3: + ScriptBlockText|contains|all: + - 'Set-PSReadlineOption' + - '-HistorySaveStyle' + - 'SaveNothing' + condition: 1 of selection_* or all of selection1* falsepositives: - Legitimate PowerShell scripts level: medium diff --git a/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml b/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml index eec0a0b9b..0e1f00f76 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml @@ -11,10 +11,9 @@ references: logsource: product: windows category: ps_script -detection: +detection: selection1: - ScriptBlockText|contains: - - Clear-History + ScriptBlockText|contains: Clear-History selection2a: ScriptBlockText|contains: - Remove-Item diff --git a/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml b/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml index 348a66a39..ac9457f21 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml 
+++ b/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml @@ -26,5 +26,5 @@ detection: - '[IO.File]::SetLastWriteTime' condition: selection_ioc falsepositives: - - Legitimeate admin script + - Legitimate admin script level: medium diff --git a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml index 1f7310c25..41ad52be8 100755 --- a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml +++ b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml @@ -4,15 +4,28 @@ description: Detects the usage of the direct syscall of NtOpenProcess which migh references: - https://medium.com/falconforce/falconfriday-direct-system-calls-and-cobalt-strike-bofs-0xff14-741fa8e1bdd6 status: experimental -author: Christian Burkard +author: Christian Burkard, Tim Shelton date: 2021/07/28 +modified: 2022/05/15 logsource: category: process_access product: windows detection: selection: CallTrace|startswith: 'UNKNOWN' - condition: selection + falsepositive1: + TargetImage: 'C:\Program Files\Cylance\Desktop\CylanceUI.exe' + SourceImage: 'C:\Windows\Explorer.EXE' + falsepositive2: + TargetImage: 'C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe' + SourceImage: 'C:\Program Files (x86)\Microsoft\Temp\*\MicrosoftEdgeUpdate.exe' + falsepositive3: + TargetImage|endswith: 'vcredist_x64.exe' + SourceImage|endswith: 'vcredist_x64.exe' + falsepositive4: + TargetImage: 'C:\Windows\system32\systeminfo.exe' + SourceImage|endswith: 'setup64.exe' #vmware + condition: selection and not 1 of falsepositive* falsepositives: - Unknown level: critical diff --git a/rules/windows/process_access/proc_access_win_in_memory_assembly_execution.yml b/rules/windows/process_access/proc_access_win_in_memory_assembly_execution.yml index 3d748a08d..3e02c246a 100644 
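Review bot: `falsepositive3` and `falsepositive4` use `endswith` patterns without a leading path separator (`'vcredist_x64.exe'`, `'setup64.exe'`), so they exclude any image whose name merely ends in those characters rather than the intended file; the other rules in this diff anchor such patterns as `'\notepad.exe'`. Use `TargetImage|endswith: '\vcredist_x64.exe'`, `SourceImage|endswith: '\vcredist_x64.exe'` and `SourceImage|endswith: '\setup64.exe'`. Since the rule is `level: critical`, each new exclusion should also carry a one-line why-comment like the `#vmware` remark on `falsepositive4`, naming the product or activity the filter covers.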
--- a/rules/windows/process_access/proc_access_win_in_memory_assembly_execution.yml +++ b/rules/windows/process_access/proc_access_win_in_memory_assembly_execution.yml @@ -72,8 +72,7 @@ detection: - TargetImage|endswith: '\Microsoft VS Code\Code.exe' - CallTrace|contains: '|C:\WINDOWS\System32\RPCRT4.dll+' # attempt to save the rule with a broader filter filter_set_1: - SourceImage: - - 'C:\WINDOWS\Explorer.EXE' + SourceImage: 'C:\WINDOWS\Explorer.EXE' TargetImage: - 'C:\WINDOWS\system32\backgroundTaskHost.exe' - 'C:\WINDOWS\explorer.exe' diff --git a/rules/windows/process_access/proc_access_win_mimikatz_trough_winrm.yml b/rules/windows/process_access/proc_access_win_mimikatz_trough_winrm.yml index c461c3a2c..d87221f9d 100755 --- a/rules/windows/process_access/proc_access_win_mimikatz_trough_winrm.yml +++ b/rules/windows/process_access/proc_access_win_mimikatz_trough_winrm.yml @@ -26,5 +26,5 @@ tags: - attack.t1021.006 - attack.s0002 falsepositives: - - low + - Unlikely level: high diff --git a/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml b/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml index 98ba8e4d1..9390c1a4e 100644 --- a/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml +++ b/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml @@ -59,8 +59,7 @@ detection: SourceImage|startswith: - 'C:\Program Files\' - 'C:\Program Files (x86)\' - SourceImage|contains: - - 'Antivirus' + SourceImage|contains: 'Antivirus' filter7: SourceImage: 'C:\WINDOWS\system32\wbem\wmiprvse.exe' filter8: @@ -69,7 +68,7 @@ detection: SourceImage: 'C:\Program Files\Common Files\McAfee\MMSSHost\MMSSHOST.exe' filter_nextron: SourceImage|startswith: 'C:\Windows\Temp\asgard2-agent\' - SourceImage|endswith: + SourceImage|endswith: - '\thor64.exe' - '\thor.exe' # Generic Filter for 0x1410 filter (caused by so many programs like DropBox updates etc.) 
diff --git a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml index fa47b67be..1ae2217af 100644 --- a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml +++ b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml @@ -77,8 +77,7 @@ detection: SourceImage|startswith: - 'C:\Progra Files\' - 'C:\Progra Files (x86)\' - SourceImage|contains: - - 'Antivirus' + SourceImage|contains: 'Antivirus' filter_mrt: SourceImage: 'C:\WINDOWS\system32\MRT.exe' GrantedAccess: '0x1418' @@ -86,7 +85,7 @@ detection: SourceImage: 'C:\Program Files\Common Files\McAfee\MMSSHost\MMSSHOST.exe' filter_nextron: SourceImage|startswith: 'C:\Windows\Temp\asgard2-agent\' - SourceImage|endswith: + SourceImage|endswith: - '\thor64.exe' - '\thor.exe' GrantedAccess: '0x1fffff' diff --git a/rules/windows/process_creation/proc_creation_win_always_install_elevated_msi_spawned_cmd_powershell.yml b/rules/windows/process_creation/proc_creation_win_always_install_elevated_msi_spawned_cmd_powershell.yml index 661b19510..4d1e94480 100644 --- a/rules/windows/process_creation/proc_creation_win_always_install_elevated_msi_spawned_cmd_powershell.yml +++ b/rules/windows/process_creation/proc_creation_win_always_install_elevated_msi_spawned_cmd_powershell.yml @@ -19,8 +19,7 @@ detection: ParentImage|contains|all: - '\Windows\Installer\' - 'msi' - ParentImage|endswith: - - 'tmp' + ParentImage|endswith: 'tmp' condition: image and parent_image fields: - Image diff --git a/rules/windows/process_creation/proc_creation_win_apt_dragonfly.yml b/rules/windows/process_creation/proc_creation_win_apt_dragonfly.yml index 0fac43cee..3512ee434 100755 --- a/rules/windows/process_creation/proc_creation_win_apt_dragonfly.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_dragonfly.yml 
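Review bot: The simplified `SourceImage|contains: 'Antivirus'` sits under a filter whose `SourceImage|startswith` values read `'C:\Progra Files\'` and `'C:\Progra Files (x86)\'`, which look like misspellings of `Program Files`; as written the prefix never matches a real path, so this exclusion is dead and the commit's touch-up leaves it that way. The sibling `proc_access_win_rare_proc_access_lsass.yml` hunk above spells the same filter `'C:\Program Files\'` / `'C:\Program Files (x86)\'`; aligning the two lines fixes it. The filter's name line lies before the hunk.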
@@ -13,8 +13,7 @@ logsource: product: windows detection: selection: - Image|endswith: - - '\crackmapexec.exe' + Image|endswith: '\crackmapexec.exe' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_apt_gallium.yml b/rules/windows/process_creation/proc_creation_win_apt_gallium.yml index 8b731bfb3..ffabc8685 100644 --- a/rules/windows/process_creation/proc_creation_win_apt_gallium.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_gallium.yml @@ -13,7 +13,7 @@ references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11) tags: - attack.credential_access - - attack.t1212 + - attack.t1212 - attack.command_and_control - attack.t1071 logsource: @@ -25,8 +25,7 @@ detection: - ':\Program Files(x86)\' - ':\Program Files\' legitimate_executable: - sha1: - - 'e570585edc69f9074cb5e8a790708336bd45ca0f' + sha1: 'e570585edc69f9074cb5e8a790708336bd45ca0f' condition: legitimate_executable and not legitimate_process_path falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_apt_greenbug_may20.yml b/rules/windows/process_creation/proc_creation_win_apt_greenbug_may20.yml index 1b6cebf75..2e78e6e83 100644 --- a/rules/windows/process_creation/proc_creation_win_apt_greenbug_may20.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_greenbug_may20.yml @@ -25,8 +25,7 @@ detection: - '/transfer' - 'CSIDL_APPDATA' selection2: - CommandLine|contains: - - 'CSIDL_SYSTEM_DRIVE' + CommandLine|contains: 'CSIDL_SYSTEM_DRIVE' selection3: CommandLine|contains: - '\msf.ps1' diff --git a/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_apr21.yml b/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_apr21.yml index 9926930f7..43aa1fd55 100644 --- a/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_apr21.yml 
+++ b/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_apr21.yml @@ -7,7 +7,7 @@ references: tags: - attack.g0032 - attack.execution - - attack.t1106 + - attack.t1106 author: Bhabesh Raj date: 2021/04/20 modified: 2021/06/27 @@ -20,15 +20,11 @@ detection: - 'mshta' - '.zip' selection2: - ParentImage: - - 'C:\Windows\System32\wbem\wmiprvse.exe' - Image: - - 'C:\Windows\System32\mshta.exe' + ParentImage: 'C:\Windows\System32\wbem\wmiprvse.exe' + Image: 'C:\Windows\System32\mshta.exe' selection3: - ParentImage|contains: - - ':\Users\Public\' - Image: - - 'C:\Windows\System32\rundll32.exe' + ParentImage|contains: ':\Users\Public\' + Image: 'C:\Windows\System32\rundll32.exe' condition: 1 of selection* falsepositives: - Should not be any false positives diff --git a/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_dec20.yml b/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_dec20.yml index dec51827b..163796a0f 100644 --- a/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_dec20.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_dec20.yml @@ -8,7 +8,7 @@ references: tags: - attack.g0032 - attack.execution - - attack.t1059 + - attack.t1059 author: Florian Roth date: 2020/12/23 modified: 2021/06/27 @@ -32,8 +32,7 @@ detection: - ' > %temp%\~' # Network share discovery selection4: - CommandLine|contains: - - '.255 10 C:\ProgramData\' + CommandLine|contains: '.255 10 C:\ProgramData\' condition: 1 of selection* falsepositives: - Overlap with legitimate process activity in some cases (especially selection 3 and 4) diff --git a/rules/windows/process_creation/proc_creation_win_apt_muddywater_dnstunnel.yml b/rules/windows/process_creation/proc_creation_win_apt_muddywater_dnstunnel.yml index e4f571891..eab960716 100644 --- a/rules/windows/process_creation/proc_creation_win_apt_muddywater_dnstunnel.yml 
+++ b/rules/windows/process_creation/proc_creation_win_apt_muddywater_dnstunnel.yml @@ -13,12 +13,9 @@ logsource: product: windows detection: selection: - Image|endswith: - - '\powershell.exe' - ParentImage|endswith: - - '\excel.exe' - CommandLine|contains: - - 'DataExchange.dll' + Image|endswith: '\powershell.exe' + ParentImage|endswith: '\excel.exe' + CommandLine|contains: 'DataExchange.dll' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_apt_sourgrum.yml b/rules/windows/process_creation/proc_creation_win_apt_sourgrum.yml index 5cfbb594c..4fa710af6 100644 --- a/rules/windows/process_creation/proc_creation_win_apt_sourgrum.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_sourgrum.yml @@ -22,7 +22,7 @@ detection: selection1: Image|contains: 'windows\system32\Physmem.sys' selection2: - Image|contains: + Image|contains: - 'Windows\system32\ime\SHARED\WimBootConfigurations.ini' - 'Windows\system32\ime\IMEJP\WimBootConfigurations.ini' - 'Windows\system32\ime\IMETC\WimBootConfigurations.ini' @@ -31,10 +31,9 @@ detection: - 'windows\system32\filepath2' - 'windows\system32\ime' registry_command: - CommandLine|contains: - - 'reg add' + CommandLine|contains: 'reg add' registry_key: - CommandLine|contains: + CommandLine|contains: - 'HKEY_LOCAL_MACHINE\software\classes\clsid\{7c857801-7381-11cf-884d-00aa004b2e24}\inprocserver32' - 'HKEY_LOCAL_MACHINE\software\classes\clsid\{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}\inprocserver32' condition: selection1 or selection2 or (selection3 and registry_command and registry_key) diff --git a/rules/windows/process_creation/proc_creation_win_apt_taidoor.yml b/rules/windows/process_creation/proc_creation_win_apt_taidoor.yml index 7edbbc58c..443cace83 100644 --- a/rules/windows/process_creation/proc_creation_win_apt_taidoor.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_taidoor.yml 
@@ -16,11 +16,9 @@ detection: - 'dll,MyStart' - 'dll MyStart' selection2a: - CommandLine|endswith: - - ' MyStart' + CommandLine|endswith: ' MyStart' selection2b: - CommandLine|contains: - - 'rundll32.exe' + CommandLine|contains: 'rundll32.exe' condition: selection1 or ( selection2a and selection2b ) falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_apt_unc2452_cmds.yml b/rules/windows/process_creation/proc_creation_win_apt_unc2452_cmds.yml index be14932ea..58d0e330c 100644 --- a/rules/windows/process_creation/proc_creation_win_apt_unc2452_cmds.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_unc2452_cmds.yml @@ -17,8 +17,7 @@ logsource: product: windows detection: selection1: - CommandLine|contains: - - '7z.exe a -v500m -mx9 -r0 -p' + CommandLine|contains: '7z.exe a -v500m -mx9 -r0 -p' selection2: ParentCommandLine|contains|all: - 'wscript.exe' @@ -32,14 +31,14 @@ detection: ParentCommandLine|contains: 'C:\Windows' CommandLine|contains: 'cmd.exe /C ' selection4: - CommandLine|contains|all: + CommandLine|contains|all: - 'rundll32 c:\windows\' - '.dll ' specific1: ParentImage|endswith: '\rundll32.exe' Image|endswith: '\dllhost.exe' filter1: - CommandLine: + CommandLine: - ' ' - '' condition: selection1 or selection2 or selection3 or selection4 or ( specific1 and not filter1 ) diff --git a/rules/windows/process_creation/proc_creation_win_apt_winnti_pipemon.yml b/rules/windows/process_creation/proc_creation_win_apt_winnti_pipemon.yml index 12cb48791..23c50fe2f 100644 --- a/rules/windows/process_creation/proc_creation_win_apt_winnti_pipemon.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_winnti_pipemon.yml 
@@ -12,16 +12,15 @@ logsource: product: windows detection: selection1: - CommandLine|contains: - - 'setup0.exe -p' - selection2: - CommandLine|contains|all: - - 'setup.exe' + CommandLine|contains: 'setup0.exe -p' + selection2a: + CommandLine|contains: 'setup.exe' + selection2b: CommandLine|endswith: - '-x:0' - '-x:1' - '-x:2' - condition: 1 of selection* + condition: selection1 or all of selection2* falsepositives: - Legitimate setups that use similar flags level: critical diff --git a/rules/windows/process_creation/proc_creation_win_apt_zxshell.yml b/rules/windows/process_creation/proc_creation_win_apt_zxshell.yml index d47b54577..251f7b728 100755 --- a/rules/windows/process_creation/proc_creation_win_apt_zxshell.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_zxshell.yml @@ -12,8 +12,7 @@ logsource: product: windows detection: selection: - Image|endswith: - - '\rundll32.exe' + Image|endswith: '\rundll32.exe' CommandLine|contains: - 'zxFunction' - 'RemoteDiskXXXXX' diff --git a/rules/windows/process_creation/proc_creation_win_attrib_hiding_files.yml b/rules/windows/process_creation/proc_creation_win_attrib_hiding_files.yml index a06d44563..9775594dc 100644 --- a/rules/windows/process_creation/proc_creation_win_attrib_hiding_files.yml +++ b/rules/windows/process_creation/proc_creation_win_attrib_hiding_files.yml @@ -24,8 +24,8 @@ fields: - ParentCommandLine - User falsepositives: - - igfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe) - - msiexec.exe hiding desktop.ini + - IgfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe) + - Msiexec.exe hiding desktop.ini level: low tags: - attack.defense_evasion 
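Review bot: Splitting `selection2` into `selection2a`/`selection2b` in proc_creation_win_apt_winnti_pipemon.yml is unnecessary: the two keys address the same field with different modifiers, so `CommandLine|contains: 'setup.exe'` and `CommandLine|endswith:` can stay side by side in the single `selection2` map (map entries are ANDed), which is exactly how the other rules in this commit collapse their one-item `contains|all` lists in place. That would also keep the original `condition: 1 of selection*` instead of introducing the `selection1 or all of selection2*` special case, which the next reader has to work out is equivalent.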
diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml index 508bc93c9..f2f783ef8 100644 --- a/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml +++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml @@ -11,30 +11,26 @@ tags: - attack.persistence - attack.t1197 - attack.s0190 - - attack.t1036.003 + - attack.t1036.003 date: 2017/03/09 modified: 2021/07/16 -author: Michael Haag, FPT.EagleEye +author: Michael Haag, FPT.EagleEye logsource: category: process_creation product: windows detection: selection1: - Image|endswith: - - '\bitsadmin.exe' + Image|endswith: '\bitsadmin.exe' susp_flag_1: - CommandLine|contains: - - ' /transfer ' + CommandLine|contains: ' /transfer ' susp_flag_2: CommandLine|contains: - ' /create ' - ' /addfile ' http_flag: - CommandLine|contains: - - 'http' + CommandLine|contains: 'http' selection2: - CommandLine|contains: - - 'copy bitsadmin.exe' + CommandLine|contains: 'copy bitsadmin.exe' condition: (selection1 and susp_flag_2 and http_flag) or (selection1 and susp_flag_1) or selection2 fields: - CommandLine diff --git a/rules/windows/process_creation/proc_creation_win_bypass_squiblytwo.yml b/rules/windows/process_creation/proc_creation_win_bypass_squiblytwo.yml index c49a2c2fc..b36661bce 100644 --- a/rules/windows/process_creation/proc_creation_win_bypass_squiblytwo.yml +++ b/rules/windows/process_creation/proc_creation_win_bypass_squiblytwo.yml @@ -13,8 +13,7 @@ logsource: product: windows detection: selection_one: - Image|endswith: - - '\wmic.exe' + Image|endswith: '\wmic.exe' CommandLine|contains|all: - wmic - format diff --git a/rules/windows/process_creation/proc_creation_win_cleanwipe.yml b/rules/windows/process_creation/proc_creation_win_cleanwipe.yml index 01a59704d..6ddcd6289 100644 --- a/rules/windows/process_creation/proc_creation_win_cleanwipe.yml 
+++ b/rules/windows/process_creation/proc_creation_win_cleanwipe.yml @@ -14,8 +14,7 @@ logsource: product: windows detection: selection1: - Image|endswith: - - '\SepRemovalToolNative_x64.exe' + Image|endswith: '\SepRemovalToolNative_x64.exe' selection2: Image|endswith: '\CATClean.exe' CommandLine|contains: '--uninstall' diff --git a/rules/windows/process_creation/proc_creation_win_cmd_delete.yml b/rules/windows/process_creation/proc_creation_win_cmd_delete.yml index 6b9cba57b..9c8a3796b 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_delete.yml +++ b/rules/windows/process_creation/proc_creation_win_cmd_delete.yml @@ -1,4 +1,4 @@ -title: Windows Cmd Delete File +title: Windows Cmd Delete File id: 379fa130-190e-4c3f-b7bc-6c8e834485f3 status: experimental description: | @@ -17,13 +17,13 @@ detection: - CommandLine|contains|all: - 'del ' - /f - - CommandLine|contains|all: + - CommandLine|contains|all: - rmdir - /s - - /q + - /q condition: selection falsepositives: - - Legitim script + - Legitimate script level: low tags: - attack.defense_evasion diff --git a/rules/windows/process_creation/proc_creation_win_control_panel_item.yml b/rules/windows/process_creation/proc_creation_win_control_panel_item.yml index 3b3d79819..b0773efe7 100644 --- a/rules/windows/process_creation/proc_creation_win_control_panel_item.yml +++ b/rules/windows/process_creation/proc_creation_win_control_panel_item.yml @@ -7,7 +7,7 @@ references: - https://attack.mitre.org/techniques/T1196/ - https://ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins date: 2020/06/22 -modified: 2022/03/31 +modified: 2022/05/10 logsource: product: windows category: process_creation 
@@ -27,8 +27,7 @@ detection: Image|endswith: '\reg.exe' CommandLine|contains: 'add' selection3: - CommandLine|contains: - - 'CurrentVersion\\Control Panel\\CPLs' + CommandLine|contains: 'CurrentVersion\Control Panel\CPLs' condition: (selection1 and not filter and not fp1_igfx) or (selection2 and selection3) falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_creation_mavinject_dll.yml b/rules/windows/process_creation/proc_creation_win_creation_mavinject_dll.yml index 33776066d..1996c9d8f 100644 --- a/rules/windows/process_creation/proc_creation_win_creation_mavinject_dll.yml +++ b/rules/windows/process_creation/proc_creation_win_creation_mavinject_dll.yml @@ -3,6 +3,7 @@ id: 4f73421b-5a0b-4bbf-a892-5a7fb99bea66 status: experimental author: frack113 date: 2021/07/12 +modified: 2022/05/13 description: Injects arbitrary DLL into running process specified by process ID. Requires Windows 10. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md @@ -18,11 +19,13 @@ logsource: product: windows detection: selection: - CommandLine|contains|all: + CommandLine|contains|all: - ' /INJECTRUNNING' - '.dll' # space some time in the end - OriginalFileName|contains: mavinject - condition: selection + OriginalFileName: + - 'mavinject32.exe' + - 'mavinject64.exe' + condition: selection fields: - ComputerName - User diff --git a/rules/windows/process_creation/proc_creation_win_crime_maze_ransomware.yml b/rules/windows/process_creation/proc_creation_win_crime_maze_ransomware.yml index 8a2ddd09c..af24a4df5 100644 --- a/rules/windows/process_creation/proc_creation_win_crime_maze_ransomware.yml +++ b/rules/windows/process_creation/proc_creation_win_crime_maze_ransomware.yml 
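Review bot: The new `OriginalFileName` list in proc_creation_win_creation_mavinject_dll.yml is ANDed with the `CommandLine|contains|all` keys inside the same `selection`, so the rule only fires on log sources that populate OriginalFileName; the old `|contains: mavinject` had the same dependency, but moving to an exact two-value list is stricter and deserves a line in the commit message or a comment next to it. Elsewhere in this commit (proc_creation_win_esentutl_webcache.yml, proc_creation_win_regini.yml) the same need is met with a list of alternatives — `- Image|endswith: '\mavinject.exe'` / `- OriginalFileName: ...` in its own `selection_img` with `condition: all of selection*` — which keeps coverage of renamed copies while still matching events that carry only the image path; applying that shape here would make the three rules consistent. The surviving `# space some time in the end` comment should say which value it refers to, since after this change it sits between two unrelated keys.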
@@ -21,10 +21,8 @@ logsource: detection: # Dropper selection1: - ParentImage|endswith: - - '\WINWORD.exe' - Image|endswith: - - '.tmp' + ParentImage|endswith: '\WINWORD.exe' + Image|endswith: '.tmp' # Binary Execution selection2: Image|endswith: '\wmic.exe' diff --git a/rules/windows/process_creation/proc_creation_win_dotnet.yml b/rules/windows/process_creation/proc_creation_win_dotnet.yml index 94d171008..22899b5ed 100644 --- a/rules/windows/process_creation/proc_creation_win_dotnet.yml +++ b/rules/windows/process_creation/proc_creation_win_dotnet.yml @@ -17,8 +17,7 @@ detection: CommandLine|endswith: - '.dll' - '.csproj' - Image|endswith: - - '\dotnet.exe' + Image|endswith: '\dotnet.exe' condition: selection fields: - ComputerName diff --git a/rules/windows/process_creation/proc_creation_win_dsim_remove.yml b/rules/windows/process_creation/proc_creation_win_dsim_remove.yml index fef0d5ff6..a6cd04c13 100644 --- a/rules/windows/process_creation/proc_creation_win_dsim_remove.yml +++ b/rules/windows/process_creation/proc_creation_win_dsim_remove.yml @@ -11,7 +11,7 @@ logsource: product: windows detection: selection_dismhost: - Image|endswith: '\DismHost.exe' + Image|endswith: '\DismHost.exe' ParentCommandLine|contains|all: - '/online' - '/Disable-Feature' @@ -30,7 +30,7 @@ detection: #/quiet condition: 1 of selection_* falsepositives: - - Legitim script + - Legitimate script level: medium tags: - attack.defense_evasion diff --git a/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml b/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml index 15a863b09..4e7dbfd6f 100644 --- a/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml +++ b/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml 
@@ -7,16 +7,19 @@ references: - https://redcanary.com/threat-detection-report/threats/qbot/ author: frack113 date: 2022/02/13 +modified: 2022/05/12 logsource: category: process_creation product: windows detection: - selection: - Image|endswith: \esentutl.exe + selection_img: + - Image|endswith: '\esentutl.exe' + - OriginalFileName: 'esentutl.exe' + selection_cli: CommandLine|contains|all: - '/r ' - '\Windows\WebCache' - condition: selection + condition: all of selection* falsepositives: - Legitimate use level: medium diff --git a/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml b/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml index b05acd63f..1202cc9f2 100644 --- a/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml +++ b/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml @@ -16,8 +16,7 @@ logsource: product: windows detection: selection: - Image|endswith: - - '\expand.exe' + Image|endswith: '\expand.exe' CommandLine|contains: - '.cab' - '/F:' diff --git a/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_1048.yml b/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_1048.yml index 99e1ac1cb..2baea071a 100644 --- a/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_1048.yml +++ b/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_1048.yml @@ -12,16 +12,14 @@ logsource: product: windows detection: selection1: - CommandLine|contains: - - 'Add-PrinterPort -Name' + CommandLine|contains: 'Add-PrinterPort -Name' selection2: CommandLine|contains: - '.exe' - '.dll' - '.bat' selection3: - CommandLine|contains: - - 'Generic / Text Only' + CommandLine|contains: 'Generic / Text Only' condition: ( selection1 and selection2 ) or selection3 falsepositives: - New printer port install on host 
diff --git a/rules/windows/process_creation/proc_creation_win_file_permission_modifications.yml b/rules/windows/process_creation/proc_creation_win_file_permission_modifications.yml index d4bce635d..a32df9b76 100644 --- a/rules/windows/process_creation/proc_creation_win_file_permission_modifications.yml +++ b/rules/windows/process_creation/proc_creation_win_file_permission_modifications.yml @@ -6,7 +6,7 @@ author: Jakob Weinzettl, oscd.community references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md date: 2019/10/23 -modified: 2022/02/11 +modified: 2022/05/12 logsource: category: process_creation product: windows @@ -26,6 +26,8 @@ detection: CommandLine|contains|all: - 'ICACLS C:\ProgramData\dynatrace\gateway\config\config.properties /grant :r ' - 'S-1-5-19:F' + filter_programs: + CommandLine|contains: '\AppData\Local\Programs\Microsoft VS Code' condition: selection or selection2 and not 1 of filter* fields: - ComputerName diff --git a/rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml b/rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml index 379d807d8..2439d79a9 100644 --- a/rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml +++ b/rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml @@ -16,8 +16,7 @@ detection: binary_2: OriginalFileName: 'fsutil.exe' selection: - CommandLine|contains: - - 'drives' + CommandLine|contains: 'drives' condition: (1 of binary_*) and selection falsepositives: - Certain software or administrative tasks may trigger false positivies. diff --git a/rules/windows/process_creation/proc_creation_win_install_reg_debugger_backdoor.yml b/rules/windows/process_creation/proc_creation_win_install_reg_debugger_backdoor.yml index 2c07f3ef8..af0f12009 100644 --- a/rules/windows/process_creation/proc_creation_win_install_reg_debugger_backdoor.yml 
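Review bot: The added `filter_programs` only ever applies to `selection2`: in the unchanged `condition: selection or selection2 and not 1 of filter*`, `and` binds tighter than `or`, so it reads as `selection or (selection2 and not 1 of filter*)` and none of the `filter_*` definitions exclude anything matched by `selection`. If the VS Code exclusion is meant for the generic icacls match, the condition needs `(selection or selection2) and not 1 of filter*`; if it is intentionally scoped to `selection2`, a one-line comment saying so would stop the next maintainer from "fixing" it. Separately, `CommandLine|contains: '\AppData\Local\Programs\Microsoft VS Code'` is a bare substring on a user-writable path, so it suppresses any icacls invocation that mentions that directory regardless of the permission granted; pinning the exclusion to the full observed command with `contains|all`, as the entry above it does, keeps it narrow. `selection` and the other filters are outside the hunk.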
+++ b/rules/windows/process_creation/proc_creation_win_install_reg_debugger_backdoor.yml @@ -11,9 +11,9 @@ logsource: category: process_creation product: windows detection: - selection: - CommandLine|contains|all: - - '\CurrentVersion\Image File Execution Options\' + selection1: + CommandLine|contains: '\CurrentVersion\Image File Execution Options\' + selection2: CommandLine|contains: - 'sethc.exe' - 'utilman.exe' @@ -22,7 +22,7 @@ detection: - 'narrator.exe' - 'displayswitch.exe' - 'atbroker.exe' - condition: selection + condition: all of selection* falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_local_system_owner_account_discovery.yml b/rules/windows/process_creation/proc_creation_win_local_system_owner_account_discovery.yml index 27c50a03e..a7f26efec 100644 --- a/rules/windows/process_creation/proc_creation_win_local_system_owner_account_discovery.yml +++ b/rules/windows/process_creation/proc_creation_win_local_system_owner_account_discovery.yml @@ -28,8 +28,7 @@ detection: - 'dir ' - '\Users\' filter_1: - CommandLine|contains: - - ' rmdir ' # don't match on 'dir' "C:\Windows\System32\cmd.exe" /q /c rmdir /s /q "C:\Users\XX\AppData\Local\Microsoft\OneDrive\19.232.1124.0005" + CommandLine|contains: ' rmdir ' # don't match on 'dir' "C:\Windows\System32\cmd.exe" /q /c rmdir /s /q "C:\Users\XX\AppData\Local\Microsoft\OneDrive\19.232.1124.0005" selection_2: Image|endswith: - '\net.exe' diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_data_exfiltration_by_using_datasvcutil.yml b/rules/windows/process_creation/proc_creation_win_lolbas_data_exfiltration_by_using_datasvcutil.yml index 673b9d38d..9f1eee3d9 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbas_data_exfiltration_by_using_datasvcutil.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbas_data_exfiltration_by_using_datasvcutil.yml 
@@ -20,8 +20,7 @@ detection: CommandLine|contains|all: - '/in:' - '/out:' - Image|endswith: - - '\DataSvcUtil.exe' + Image|endswith: '\DataSvcUtil.exe' condition: selection fields: - ComputerName diff --git a/rules/windows/process_creation/proc_creation_win_lolbins_suspicious_driver_installed_by_pnputil.yml b/rules/windows/process_creation/proc_creation_win_lolbins_suspicious_driver_installed_by_pnputil.yml index 7e08a32ab..a0b6f4c7d 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbins_suspicious_driver_installed_by_pnputil.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbins_suspicious_driver_installed_by_pnputil.yml @@ -22,8 +22,7 @@ detection: - '-a' - '/add-driver' - '.inf' - Image|endswith: - - '\pnputil.exe' + Image|endswith: '\pnputil.exe' condition: selection fields: - ComputerName diff --git a/rules/windows/process_creation/proc_creation_win_mal_hermetic_wiper_activity.yml b/rules/windows/process_creation/proc_creation_win_mal_hermetic_wiper_activity.yml index 053380a11..fe63247ce 100644 --- a/rules/windows/process_creation/proc_creation_win_mal_hermetic_wiper_activity.yml +++ b/rules/windows/process_creation/proc_creation_win_mal_hermetic_wiper_activity.yml @@ -11,10 +11,9 @@ logsource: product: windows detection: selection1: - Image|endswith: - - '\policydefinitions\postgresql.exe' + Image|endswith: '\policydefinitions\postgresql.exe' selection2: - - CommandLine|contains: + - CommandLine|contains: - 'CSIDL_SYSTEM_DRIVE\temp\sys.tmp' - ' 1> \\127.0.0.1\ADMIN$\__16' - CommandLine|contains|all: diff --git a/rules/windows/process_creation/proc_creation_win_mal_ryuk.yml b/rules/windows/process_creation/proc_creation_win_mal_ryuk.yml index ed7b06d2c..c6991a184 100644 --- a/rules/windows/process_creation/proc_creation_win_mal_ryuk.yml +++ b/rules/windows/process_creation/proc_creation_win_mal_ryuk.yml 
@@ -11,17 +11,17 @@ logsource: category: process_creation product: windows detection: - selection: + selection1: Image|endswith: - '\net.exe' - '\net1.exe' - CommandLine|contains|all: - - 'stop' + CommandLine|contains: 'stop' + selection2: CommandLine|contains: - 'samss' - 'audioendpointbuilder' - 'unistoresvc_?????' - condition: selection + condition: all of selection* falsepositives: - Unlikely level: critical diff --git a/rules/windows/process_creation/proc_creation_win_malware_formbook.yml b/rules/windows/process_creation/proc_creation_win_malware_formbook.yml index 7984ee402..1d8f28bbe 100644 --- a/rules/windows/process_creation/proc_creation_win_malware_formbook.yml +++ b/rules/windows/process_creation/proc_creation_win_malware_formbook.yml @@ -21,8 +21,7 @@ detection: ParentCommandLine|startswith: - 'C:\Windows\System32\' - 'C:\Windows\SysWOW64\' - ParentCommandLine|endswith: - - '.exe' + ParentCommandLine|endswith: '.exe' selection2: - CommandLine|contains|all: - '/c' diff --git a/rules/windows/process_creation/proc_creation_win_malware_trickbot_recon_activity.yml b/rules/windows/process_creation/proc_creation_win_malware_trickbot_recon_activity.yml index ebba96eab..cae16b444 100644 --- a/rules/windows/process_creation/proc_creation_win_malware_trickbot_recon_activity.yml +++ b/rules/windows/process_creation/proc_creation_win_malware_trickbot_recon_activity.yml @@ -13,12 +13,9 @@ logsource: product: windows detection: selection: - ParentImage|endswith: - - '\cmd.exe' - Image|endswith: - - '\nltest.exe' - CommandLine|contains: - - '/domain_trusts /all_trusts' + ParentImage|endswith: '\cmd.exe' + Image|endswith: '\nltest.exe' + CommandLine|contains: '/domain_trusts /all_trusts' condition: selection falsepositives: - Rare System Admin Activity diff --git a/rules/windows/process_creation/proc_creation_win_malware_trickbot_wermgr.yml b/rules/windows/process_creation/proc_creation_win_malware_trickbot_wermgr.yml index 38d6626a5..8dd7d3d8f 100644 
--- a/rules/windows/process_creation/proc_creation_win_malware_trickbot_wermgr.yml +++ b/rules/windows/process_creation/proc_creation_win_malware_trickbot_wermgr.yml @@ -13,12 +13,9 @@ logsource: product: windows detection: selection: - Image|endswith: - - '\wermgr.exe' - ParentImage|endswith: - - '\rundll32.exe' - ParentCommandLine|contains: - - 'DllRegisterServer' + Image|endswith: '\wermgr.exe' + ParentImage|endswith: '\rundll32.exe' + ParentCommandLine|contains: 'DllRegisterServer' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_mimikatz_command_line.yml b/rules/windows/process_creation/proc_creation_win_mimikatz_command_line.yml index d8555d7cf..81afa4eff 100644 --- a/rules/windows/process_creation/proc_creation_win_mimikatz_command_line.yml +++ b/rules/windows/process_creation/proc_creation_win_mimikatz_command_line.yml @@ -36,8 +36,7 @@ detection: - process - vault mimikatz_separator: - CommandLine|contains: - - '::' + CommandLine|contains: '::' function_names: # To cover functions from modules that are not in module_names (likely too generic) CommandLine|contains: - 'aadcookie' #misc module @@ -52,8 +51,7 @@ detection: - 'mstsc' #ts module - 'multirdp' #ts module filter_1: - CommandLine|contains: - - 'function Convert-GuidToCompressedGuid' + CommandLine|contains: 'function Convert-GuidToCompressedGuid' condition: ( selection_1 or (module_names and mimikatz_separator) or (function_names and mimikatz_separator) ) and not 1 of filter* falsepositives: - Legitimate Administrator using tool for password recovery diff --git a/rules/windows/process_creation/proc_creation_win_msdeploy.yml b/rules/windows/process_creation/proc_creation_win_msdeploy.yml index aa5cec86c..b4a8128e3 100644 --- a/rules/windows/process_creation/proc_creation_win_msdeploy.yml +++ b/rules/windows/process_creation/proc_creation_win_msdeploy.yml 
@@ -18,8 +18,7 @@ detection: - 'verb:sync' - '-source:RunCommand' - '-dest:runCommand' - Image|endswith: - - '\msdeploy.exe' + Image|endswith: '\msdeploy.exe' condition: selection fields: - ComputerName diff --git a/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml b/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml index 5f6d5acc2..e7f778b71 100644 --- a/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml +++ b/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml @@ -16,9 +16,7 @@ logsource: detection: selection: Image|endswith: '\msiexec.exe' - CommandLine|contains|all: - - ' /y' - #- '.dll' + CommandLine|contains: ' /y' filter_apple: CommandLine|contains: - '\MsiExec.exe" /Y "C:\Program Files\Bonjour\mdnsNSP.dll' diff --git a/rules/windows/process_creation/proc_creation_win_powershell_amsi_bypass.yml b/rules/windows/process_creation/proc_creation_win_powershell_amsi_bypass.yml index 2c58a5c20..f030d7aad 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_amsi_bypass.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_amsi_bypass.yml @@ -13,11 +13,9 @@ logsource: product: windows detection: selection1: - CommandLine|contains: - - 'System.Management.Automation.AmsiUtils' + CommandLine|contains: 'System.Management.Automation.AmsiUtils' selection2: - CommandLine|contains: - - 'amsiInitFailed' + CommandLine|contains: 'amsiInitFailed' condition: selection1 and selection2 falsepositives: - Potential Admin Activity diff --git a/rules/windows/process_creation/proc_creation_win_powershell_cmdline_specific_comb_methods.yml b/rules/windows/process_creation/proc_creation_win_powershell_cmdline_specific_comb_methods.yml index 9448e1ec9..953a15d66 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_cmdline_specific_comb_methods.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_cmdline_specific_comb_methods.yml 
@@ -43,8 +43,7 @@ detection: - 'Xor' selection6: Image|endswith: '\powershell.exe' - CommandLine|contains: - - 'cOnvErTTO-SECUreStRIng' + CommandLine|contains: 'cOnvErTTO-SECUreStRIng' condition: (selection2 and selection3) or selection1 or selection4 or selection5 or selection6 falsepositives: - Unlikely diff --git a/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml b/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml index 85c5b6258..65baa60a6 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml @@ -11,13 +11,13 @@ tags: - attack.t1562.001 author: Florian Roth date: 2021/04/29 -modified: 2022/03/04 +modified: 2022/05/12 logsource: category: process_creation product: windows detection: selection1: - CommandLine|contains: + CommandLine|contains: - 'Add-MpPreference ' - 'Set-MpPreference ' selection2: @@ -25,6 +25,7 @@ detection: - ' -ExclusionPath ' - ' -ExclusionExtension ' - ' -ExclusionProcess ' + - ' -ExclusionIpAddress ' condition: all of selection* falsepositives: - Possible Admin Activity diff --git a/rules/windows/process_creation/proc_creation_win_powershell_dll_execution.yml b/rules/windows/process_creation/proc_creation_win_powershell_dll_execution.yml index befce328c..3f4c07db0 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_dll_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_dll_execution.yml @@ -12,11 +12,9 @@ logsource: product: windows detection: selection1: - Image|endswith: - - '\rundll32.exe' + Image|endswith: '\rundll32.exe' selection2: - Description|contains: - - 'Windows-Hostprozess (Rundll32)' + Description|contains: 'Windows-Hostprozess (Rundll32)' selection3: CommandLine|contains: - 'Default.GetString' 
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml b/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml index 58199e0fa..9d10dbb79 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml @@ -17,8 +17,7 @@ logsource: detection: selection: Image|endswith: '\powershell.exe' - CommandLine|contains: - - 'new-object system.net.sockets.tcpclient' + CommandLine|contains: 'new-object system.net.sockets.tcpclient' condition: selection fields: - CommandLine diff --git a/rules/windows/process_creation/proc_creation_win_powershell_suspicious_parameter_variation.yml b/rules/windows/process_creation/proc_creation_win_powershell_suspicious_parameter_variation.yml index 5eab70d41..f1c2d0234 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_suspicious_parameter_variation.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_suspicious_parameter_variation.yml @@ -12,8 +12,7 @@ logsource: product: windows detection: selection: - Image|endswith: - - '\Powershell.exe' + Image|endswith: '\Powershell.exe' CommandLine|contains: - ' -windowstyle h ' - ' -windowstyl h' diff --git a/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml b/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml index 487acdcbd..fbe446452 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml @@ -21,8 +21,7 @@ detection: - '-join`' - 'char' false_positives: - ParentImage: - - C:\Program Files\Amazon\SSM\ssm-document-worker.exe + ParentImage: C:\Program Files\Amazon\SSM\ssm-document-worker.exe condition: selection and filter and not false_positives falsepositives: - Unknown 
diff --git a/rules/windows/process_creation/proc_creation_win_proc_dump_rdrleakdiag.yml b/rules/windows/process_creation/proc_creation_win_proc_dump_rdrleakdiag.yml index 8b8145bca..abb3d0378 100644 --- a/rules/windows/process_creation/proc_creation_win_proc_dump_rdrleakdiag.yml +++ b/rules/windows/process_creation/proc_creation_win_proc_dump_rdrleakdiag.yml @@ -6,6 +6,7 @@ references: - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/ author: Florian Roth date: 2022/01/04 +modified: 2022/05/10 tags: - attack.defense_evasion - attack.t1036 @@ -16,8 +17,7 @@ logsource: detection: selection1: Image|endswith: '\rdrleakdiag.exe' - CommandLine|contains|all: - - '/fullmemdmp' + CommandLine|contains: '/fullmemdmp' selection2: CommandLine|contains|all: - '/fullmemdmp' diff --git a/rules/windows/process_creation/proc_creation_win_reg_defender_tampering.yml b/rules/windows/process_creation/proc_creation_win_reg_defender_tampering.yml index 5a5d32ced..88b58785a 100644 --- a/rules/windows/process_creation/proc_creation_win_reg_defender_tampering.yml +++ b/rules/windows/process_creation/proc_creation_win_reg_defender_tampering.yml @@ -6,6 +6,7 @@ references: - https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/ author: Florian Roth date: 2022/03/22 +modified: 2022/05/09 logsource: category: process_creation product: windows @@ -22,7 +23,7 @@ detection: CommandLine|contains: - 'Real-Time Protection' - 'TamperProtection' - condition: selection + condition: selection and selection_target falsepositives: - Legitimate use level: high diff --git a/rules/windows/process_creation/proc_creation_win_reg_enable_rdp.yml b/rules/windows/process_creation/proc_creation_win_reg_enable_rdp.yml index 41a4ad907..7b56642af 100644 --- a/rules/windows/process_creation/proc_creation_win_reg_enable_rdp.yml +++ b/rules/windows/process_creation/proc_creation_win_reg_enable_rdp.yml 
@@ -3,7 +3,7 @@ id: 0d5675be-bc88-4172-86d3-1e96a4476536 status: experimental description: Detects the execution of reg.exe and subsequent command line arguments for enabling RDP service on the host author: '@Kostastsale, @TheDFIRReport, slightly modified by pH-T' -references: +references: - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/ date: 2022/02/12 modified: 2022/03/15 @@ -12,8 +12,7 @@ logsource: category: process_creation detection: selection1: - Image|endswith: - - '\reg.exe' + Image|endswith: '\reg.exe' CommandLine|contains|all: - ' add ' - '\SYSTEM\CurrentControlSet\Control\Terminal Server' diff --git a/rules/windows/process_creation/proc_creation_win_reg_lsass_ppl.yml b/rules/windows/process_creation/proc_creation_win_reg_lsass_ppl.yml index b84fc5db8..5a2eaee7f 100644 --- a/rules/windows/process_creation/proc_creation_win_reg_lsass_ppl.yml +++ b/rules/windows/process_creation/proc_creation_win_reg_lsass_ppl.yml @@ -6,6 +6,7 @@ references: - https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/ author: Florian Roth date: 2022/03/22 +modified: 2022/05/09 logsource: category: process_creation product: windows @@ -21,7 +22,7 @@ detection: CommandLine|contains: - 'Real-Time Protection' - 'TamperProtection' - condition: selection + condition: selection and selection_target falsepositives: - Unlikely level: high diff --git a/rules/windows/process_creation/proc_creation_win_regini.yml b/rules/windows/process_creation/proc_creation_win_regini.yml index 3c85a7789..c8ce2752f 100644 --- a/rules/windows/process_creation/proc_creation_win_regini.yml +++ b/rules/windows/process_creation/proc_creation_win_regini.yml 
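Review bot: The `selection_target` that `condition: selection and selection_target` now requires in proc_creation_win_reg_lsass_ppl.yml carries the Defender strings 'Real-Time Protection' and 'TamperProtection', which are byte-identical to the selection in proc_creation_win_reg_defender_tampering.yml a few hunks above; in a rule whose name is about the LSASS RunAsPPL registry value, that reads like a copy-paste leftover rather than an intended constraint. If the `selection` block above this hunk matches the RunAsPPL change as the file name suggests, ANDing it with Defender-only strings means a plain RunAsPPL modification no longer fires, so the commit narrows the rule to almost nothing instead of tightening it. Either `selection_target` should name the LSA/RunAsPPL values this rule is about, or the condition should stay `condition: selection`. The start of the `selection_target` definition is outside this hunk, so its header is not visible here.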
@@ -11,13 +11,14 @@ tags: - attack.defense_evasion author: Eli Salem, Sander Wiebing, oscd.community date: 2020/10/08 -modified: 2021/05/24 +modified: 2022/05/09 logsource: category: process_creation product: windows detection: selection: - Image|endswith: '\regini.exe' + - Image|endswith: '\regini.exe' + - OriginalFileName: 'REGINI.EXE' filter: CommandLine|re: ':[^ \\\\]' # to avoid intersection with ADS rule condition: selection and not filter diff --git a/rules/windows/process_creation/proc_creation_win_regini_ads.yml b/rules/windows/process_creation/proc_creation_win_regini_ads.yml index 3673e52b8..4541b899f 100644 --- a/rules/windows/process_creation/proc_creation_win_regini_ads.yml +++ b/rules/windows/process_creation/proc_creation_win_regini_ads.yml @@ -11,15 +11,17 @@ tags: - attack.defense_evasion author: Eli Salem, Sander Wiebing, oscd.community date: 2020/10/12 -modified: 2021/05/24 +modified: 2022/05/09 logsource: category: process_creation product: windows detection: selection: - Image|endswith: '\regini.exe' + - Image|endswith: '\regini.exe' + - OriginalFileName: 'REGINI.EXE' + selection_re: CommandLine|re: ':[^ \\\\]' - condition: selection + condition: selection and selection_re fields: - ParentImage - CommandLine diff --git a/rules/windows/process_creation/proc_creation_win_renamed_jusched.yml b/rules/windows/process_creation/proc_creation_win_renamed_jusched.yml index 6976b23af..b731b8c88 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_jusched.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_jusched.yml @@ -16,8 +16,7 @@ detection: selection2: Description: Java(TM) Update Scheduler filter: - Image|endswith: - - '\jusched.exe' + Image|endswith: '\jusched.exe' condition: (selection1 or selection2) and not filter falsepositives: - Unknown 
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml b/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml index c73a9ce5d..49b5972b0 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml @@ -13,8 +13,7 @@ logsource: product: windows detection: selection1: - Product|contains: - - 'PAExec' + Product|contains: 'PAExec' selection2: - Imphash: - 11D40A7B7876288F919AB819CC2D9802 diff --git a/rules/windows/process_creation/proc_creation_win_script_event_consumer_spawn.yml b/rules/windows/process_creation/proc_creation_win_script_event_consumer_spawn.yml index 120e7670a..a9c63570e 100644 --- a/rules/windows/process_creation/proc_creation_win_script_event_consumer_spawn.yml +++ b/rules/windows/process_creation/proc_creation_win_script_event_consumer_spawn.yml @@ -15,8 +15,7 @@ logsource: product: windows detection: selection: - ParentImage|endswith: - - '\scrcons.exe' + ParentImage|endswith: '\scrcons.exe' Image|endswith: - '\svchost.exe' - '\dllhost.exe' diff --git a/rules/windows/process_creation/proc_creation_win_sdbinst_shim_persistence.yml b/rules/windows/process_creation/proc_creation_win_sdbinst_shim_persistence.yml index e1113ee4b..e50a66e49 100644 --- a/rules/windows/process_creation/proc_creation_win_sdbinst_shim_persistence.yml +++ b/rules/windows/process_creation/proc_creation_win_sdbinst_shim_persistence.yml 
@@ -19,8 +19,7 @@ detection: Image|endswith: '\sdbinst.exe' CommandLine|contains: '.sdb' filter: - CommandLine|contains: - - 'iisexpressshim.sdb' # normal behaviour for IIS Express (e.g. https://www.hybrid-analysis.com/sample/15d4ff941f77f7bdfc9dfb2399b7b952a0a2c860976ef3e835998ff4796e5e91?environmentId=120) + CommandLine|contains: 'iisexpressshim.sdb' # normal behaviour for IIS Express (e.g. https://www.hybrid-analysis.com/sample/15d4ff941f77f7bdfc9dfb2399b7b952a0a2c860976ef3e835998ff4796e5e91?environmentId=120) condition: selection and not filter falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_shadow_copies_deletion.yml b/rules/windows/process_creation/proc_creation_win_shadow_copies_deletion.yml index cadb49794..03710bf57 100644 --- a/rules/windows/process_creation/proc_creation_win_shadow_copies_deletion.yml +++ b/rules/windows/process_creation/proc_creation_win_shadow_copies_deletion.yml @@ -33,8 +33,7 @@ detection: - shadow # will match "delete shadows" and "shadowcopy delete" and "shadowstorage" - delete selection2: - Image|endswith: - - '\wbadmin.exe' + Image|endswith: '\wbadmin.exe' CommandLine|contains|all: - delete - catalog diff --git a/rules/windows/process_creation/proc_creation_win_shell_spawn_by_java.yml b/rules/windows/process_creation/proc_creation_win_shell_spawn_by_java.yml index 13073ec7d..360b6a07f 100644 --- a/rules/windows/process_creation/proc_creation_win_shell_spawn_by_java.yml +++ b/rules/windows/process_creation/proc_creation_win_shell_spawn_by_java.yml @@ -15,8 +15,7 @@ logsource: detection: selection: ParentImage|endswith: '\java.exe' - Image|endswith: - - '\cmd.exe' + Image|endswith: '\cmd.exe' filter: ParentImage|contains: 'build' # excluding CI build agents CommandLine|contains: 'build' # excluding CI build agents 
diff --git a/rules/windows/process_creation/proc_creation_win_susp_advancedrun.yml b/rules/windows/process_creation/proc_creation_win_susp_advancedrun.yml index 60de68d90..79ce72384 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_advancedrun.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_advancedrun.yml @@ -9,13 +9,13 @@ references: - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/ author: Florian Roth date: 2022/01/20 -modified: 2022/05/05 +modified: 2022/05/13 logsource: product: windows category: process_creation detection: selection: - - OriginalFileName|contains: 'AdvancedRun.exe' + - OriginalFileName: 'AdvancedRun.exe' - CommandLine|contains|all: - ' /EXEFilename ' - ' /Run' diff --git a/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_flags.yml b/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_flags.yml index 6cc5e378c..ed6ba646a 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_flags.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_flags.yml @@ -14,8 +14,7 @@ logsource: product: windows detection: selection_special: - CommandLine|contains: - - ' -M pe_inject ' + CommandLine|contains: ' -M pe_inject ' selection_execute: CommandLine|contains|all: - ' --local-auth' diff --git a/rules/windows/process_creation/proc_creation_win_susp_csc_folder.yml b/rules/windows/process_creation/proc_creation_win_susp_csc_folder.yml index 3fbae6f32..8dcca7ac3 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_csc_folder.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_csc_folder.yml 
@@ -32,6 +32,6 @@ detection: - '\ProgramData\Microsoft\Windows Defender Advanced Threat Protection' condition: selection and not filter falsepositives: - - https://twitter.com/gN3mes1s/status/1206874118282448897 - - https://twitter.com/gabriele_pippi/status/1206907900268072962 + - Legitimate software from program files - https://twitter.com/gN3mes1s/status/1206874118282448897 + - Legitimate Microsoft software - https://twitter.com/gabriele_pippi/status/1206907900268072962 level: medium diff --git a/rules/windows/process_creation/proc_creation_win_susp_dctask64_proc_inject.yml b/rules/windows/process_creation/proc_creation_win_susp_dctask64_proc_inject.yml index 30deb267c..be735dbd3 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_dctask64_proc_inject.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_dctask64_proc_inject.yml @@ -14,11 +14,9 @@ logsource: product: windows detection: selection: - Image|endswith: - - '\dctask64.exe' + Image|endswith: '\dctask64.exe' filter: - CommandLine|contains: - - 'DesktopCentral_Agent\agent' + CommandLine|contains: 'DesktopCentral_Agent\agent' condition: selection and not filter fields: - CommandLine diff --git a/rules/windows/process_creation/proc_creation_win_susp_disable_eventlog.yml b/rules/windows/process_creation/proc_creation_win_susp_disable_eventlog.yml index 664d3d691..0d6f91371 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_disable_eventlog.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_disable_eventlog.yml @@ -17,15 +17,13 @@ logsource: product: windows detection: selection_tools: - CommandLine|contains: - - 'logman ' + CommandLine|contains: 'logman ' selection_action: CommandLine|contains: - 'stop ' - 'delete ' selection_service: - CommandLine|contains: - - EventLog-System + CommandLine|contains: EventLog-System condition: all of selection* falsepositives: - Legitimate deactivation by administrative staff 
diff --git a/rules/windows/process_creation/proc_creation_win_susp_ditsnap.yml b/rules/windows/process_creation/proc_creation_win_susp_ditsnap.yml index 899c82581..780851390 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_ditsnap.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_ditsnap.yml @@ -13,11 +13,9 @@ logsource: product: windows detection: selection: - Image|endswith: - - '\ditsnap.exe' + Image|endswith: '\ditsnap.exe' selection2: - CommandLine|contains: - - 'ditsnap.exe' + CommandLine|contains: 'ditsnap.exe' condition: selection or selection2 falsepositives: - Legitimate admin usage diff --git a/rules/windows/process_creation/proc_creation_win_susp_emotet_rundll32_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_emotet_rundll32_execution.yml index e36f67c40..548e20722 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_emotet_rundll32_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_emotet_rundll32_execution.yml @@ -16,8 +16,7 @@ logsource: product: windows detection: selection: - Image|endswith: - - '\rundll32.exe' + Image|endswith: '\rundll32.exe' CommandLine|endswith: - ',RunDLL' - ',Control_RunDLL' @@ -28,8 +27,7 @@ detection: - '.dll",Control_RunDLL' - '.dll'',Control_RunDLL' filter_ide: - ParentImage|endswith: - - '\tracker.exe' #When Visual Studio compile NodeJS program, it might use MSBuild to create tracker.exe and then, the tracker.exe fork rundll32.exe + ParentImage|endswith: '\tracker.exe' #When Visual Studio compile NodeJS program, it might use MSBuild to create tracker.exe and then, the tracker.exe fork rundll32.exe condition: selection and not filter_ide and not filter_legitimate_dll falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_susp_execution_path_webserver.yml b/rules/windows/process_creation/proc_creation_win_susp_execution_path_webserver.yml index 8f63d9810..90ec98835 100644 
--- a/rules/windows/process_creation/proc_creation_win_susp_execution_path_webserver.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_execution_path_webserver.yml @@ -19,8 +19,7 @@ detection: - 'bin\' - '\Tools\' - '\SMSComponent\' - ParentImage|endswith: - - '\services.exe' + ParentImage|endswith: '\services.exe' condition: selection and not filter fields: - CommandLine diff --git a/rules/windows/process_creation/proc_creation_win_susp_explorer.yml b/rules/windows/process_creation/proc_creation_win_susp_explorer.yml index 8b8c71f02..08a99c7ea 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_explorer.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_explorer.yml @@ -12,12 +12,9 @@ logsource: product: windows detection: selection: - Image|endswith: - - \explorer.exe - ParentImage|endswith: - - \cmd.exe - CommandLine|contains: - - explorer.exe + Image|endswith: \explorer.exe + ParentImage|endswith: \cmd.exe + CommandLine|contains: explorer.exe condition: selection falsepositives: - Legitimate explorer.exe run from cmd.exe diff --git a/rules/windows/process_creation/proc_creation_win_susp_findstr.yml b/rules/windows/process_creation/proc_creation_win_susp_findstr.yml index 204e9b0e0..d8294d91a 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_findstr.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_findstr.yml @@ -14,8 +14,7 @@ logsource: product: windows detection: selectionFindstr: - CommandLine|contains: - - findstr + CommandLine|contains: findstr selection_V_L: CommandLine|contains|all: - /V diff --git a/rules/windows/process_creation/proc_creation_win_susp_ftp.yml b/rules/windows/process_creation/proc_creation_win_susp_ftp.yml index 4cdecc4be..3672b3102 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_ftp.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_ftp.yml 
@@ -6,7 +6,7 @@ author: Victor Sergeev, oscd.community references: - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Ftp.yml date: 2020/10/09 -modified: 2021/11/27 +modified: 2022/05/13 logsource: category: process_creation product: windows @@ -14,7 +14,7 @@ detection: ftp_path: Image|endswith: 'ftp.exe' ftp_metadata: - OriginalFileName|contains: 'ftp.exe' + OriginalFileName: 'ftp.exe' cmd_with_script_modifier: CommandLine|contains: '-s:' parent_path: diff --git a/rules/windows/process_creation/proc_creation_win_susp_ngrok_pua.yml b/rules/windows/process_creation/proc_creation_win_susp_ngrok_pua.yml index 9dc7023c9..24b1dfcf3 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_ngrok_pua.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_ngrok_pua.yml @@ -32,8 +32,7 @@ detection: - '--config' - '.yml' selection3: - Image|endswith: - - 'ngrok.exe' + Image|endswith: 'ngrok.exe' CommandLine|contains: - ' tcp ' - ' http ' @@ -41,5 +40,5 @@ detection: condition: 1 of selection* falsepositives: - Another tool that uses the command line switches of Ngrok - - ngrok http 3978 (https://docs.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0) + - Ngrok http 3978 (https://docs.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0) level: high diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_enc_cmd.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_enc_cmd.yml index 025f56012..3ecfbf9b9 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_powershell_enc_cmd.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_enc_cmd.yml @@ -34,8 +34,7 @@ detection: - ' UwB' - ' cwB' selection5: - CommandLine|contains: - - '.exe -ENCOD ' + CommandLine|contains: '.exe -ENCOD ' falsepositive1: CommandLine|contains|all: - ' -ExecutionPolicy' 
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_encode.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_encode.yml index 511113af3..781fbe875 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_powershell_encode.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_encode.yml @@ -1,7 +1,7 @@ -title: Suspicious Execution of Powershell with Base64 +title: Suspicious Execution of Powershell with Base64 id: fb843269-508c-4b76-8b8d-88679db22ce7 status: experimental -description: Commandline to lauch powershell with a base64 payload +description: Commandline to lauch powershell with a base64 payload author: frack113 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets @@ -22,8 +22,7 @@ detection: - ' -enco' - ' -ec ' filter: - CommandLine|contains: - - ' -Encoding ' + CommandLine|contains: ' -Encoding ' condition: selection and not filter falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_getprocess_lsass.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_getprocess_lsass.yml index bffd87a36..623460262 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_powershell_getprocess_lsass.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_getprocess_lsass.yml @@ -14,9 +14,8 @@ logsource: product: windows detection: selection: - CommandLine|contains: - - 'Get-Process lsass' + CommandLine|contains: 'Get-Process lsass' condition: selection -falsepositives: +falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_susp_print.yml b/rules/windows/process_creation/proc_creation_win_susp_print.yml index 85f863d3c..6bfa9327e 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_print.yml 
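Review bot: The rewritten description line in proc_creation_win_susp_powershell_encode.yml only strips trailing whitespace and keeps the typo 'lauch'; since the line is already being touched, it should read `description: Commandline to launch powershell with a base64 payload`. The title line in the same hunk is likewise a whitespace-only change, so the typo fix is the one piece of content worth folding in.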
+++ b/rules/windows/process_creation/proc_creation_win_susp_print.yml @@ -13,19 +13,14 @@ logsource: product: windows detection: selection1: - Image|endswith: - - \print.exe - CommandLine|startswith: - - print + Image|endswith: \print.exe + CommandLine|startswith: print selection2: - CommandLine|contains: - - /D + CommandLine|contains: /D exeCondition: - CommandLine|contains: - - .exe + CommandLine|contains: .exe cmdExclude: - CommandLine|contains: - - print.exe + CommandLine|contains: print.exe condition: selection1 and selection2 and exeCondition and not cmdExclude falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml b/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml index 01fe56869..c9c183005 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml @@ -8,6 +8,7 @@ references: - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList author: Nasreddine Bencherchali @nas_bench date: 2021/12/18 +modified: 2022/05/13 tags: - attack.discovery - attack.t1087 @@ -18,7 +19,7 @@ logsource: product: windows detection: selection1: - OriginalFileName|contains: 'psloglist' + OriginalFileName: 'psloglist' selection2: Image|endswith: - '\psloglist.exe' @@ -32,7 +33,7 @@ detection: - '-s' - '/s' other: - CommandLine|contains|all: + CommandLine|contains|all: - 'security' - 'accepteula' condition: (1 of selection*) or (flags and other) diff --git a/rules/windows/process_creation/proc_creation_win_susp_rar_flags.yml b/rules/windows/process_creation/proc_creation_win_susp_rar_flags.yml index 4c9a56dc6..28e8f04fa 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_rar_flags.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_rar_flags.yml 
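Review bot: Converting `OriginalFileName|contains: 'psloglist'` to the exact match `OriginalFileName: 'psloglist'` in proc_creation_win_susp_psloglist.yml keeps the old substring value, so selection1 now matches only if the PE's OriginalFileName is literally 'psloglist' with no extension. Every other contains-to-exact conversion in this commit (AdvancedRun.exe, ftp.exe, VAULTCMD.EXE, RUNDLL32.EXE, where.exe) carries a full file name, so this one looks like an oversight; unless the binary's OriginalFileName really is extension-less, the value should be the full name, e.g. `OriginalFileName: 'psloglist.exe'` — confirm against the PE header of the current PsLogList release before merging. Because the condition is `(1 of selection*) or (flags and other)`, selection2 on Image still covers unrenamed copies, so what is lost is exactly the renamed-binary case the OriginalFileName check exists for.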
@@ -17,8 +17,7 @@ logsource: product: windows detection: selection_password: - CommandLine|contains: - - ' -hp' + CommandLine|contains: ' -hp' selection_other: CommandLine|contains: - ' -m' diff --git a/rules/windows/process_creation/proc_creation_win_susp_rasdial_activity.yml b/rules/windows/process_creation/proc_creation_win_susp_rasdial_activity.yml index bf1f81614..0be3e83c4 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_rasdial_activity.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_rasdial_activity.yml @@ -12,8 +12,7 @@ logsource: product: windows detection: selection: - Image|endswith: - - rasdial.exe + Image|endswith: rasdial.exe condition: selection falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment diff --git a/rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml b/rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml index 41133d360..82c0c02b9 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml @@ -10,7 +10,7 @@ references: - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/ tags: - attack.defense_evasion - - attack.t1218.010 + - attack.t1218.010 - car.2019-04-002 - car.2019-04-003 logsource: @@ -26,12 +26,16 @@ detection: selection3: Image|endswith: '\regsvr32.exe' ParentImage|endswith: '\cmd.exe' - selection4: + selection4a: Image|endswith: '\regsvr32.exe' - CommandLine|contains|all: + CommandLine|contains|all: - '/i:' - CommandLine|contains: - 'http' + CommandLine|endswith: 'scrobj.dll' + selection4b: + Image|endswith: '\regsvr32.exe' + CommandLine|contains|all: + - '/i:' - 'ftp' CommandLine|endswith: 'scrobj.dll' selection5: 
@@ -45,7 +49,7 @@ detection: Image|endswith: '\regsvr32.exe' selection8: Image|endswith: '\regsvr32.exe' - CommandLine|contains: + CommandLine|contains: - '\AppData\Local' - 'C:\Users\Public' condition: 1 of selection* diff --git a/rules/windows/process_creation/proc_creation_win_susp_rundll32_activity.yml b/rules/windows/process_creation/proc_creation_win_susp_rundll32_activity.yml index 76bdf7c29..9ee1096ec 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_rundll32_activity.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_rundll32_activity.yml @@ -7,8 +7,9 @@ references: - http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/ - https://twitter.com/Hexacorn/status/885258886428725250 - https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52 + - https://twitter.com/nas_bench/status/1433344116071583746 date: 2019/01/16 -modified: 2021/12/04 +modified: 2022/05/09 logsource: category: process_creation product: windows @@ -68,6 +69,9 @@ detection: - CommandLine|contains|all: - 'dfshim.dll' - 'ShOpenVerbApplication' + - CommandLine|contains|all: + - 'dfshim.dll' + - 'ShOpenVerbShortcut' condition: selection falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment diff --git a/rules/windows/process_creation/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml b/rules/windows/process_creation/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml index 3c704f06d..dfef79f64 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml 
@@ -18,8 +18,7 @@ detection: - 'javascript' - '..\..\mshtml,RunHTMLApplication' selection2: - CommandLine|contains: - - ';document.write();GetObject("script' + CommandLine|contains: ';document.write();GetObject("script' condition: 1 of selection* falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_susp_rundll32_spawn_explorer.yml b/rules/windows/process_creation/proc_creation_win_susp_rundll32_spawn_explorer.yml index 1141e5ed2..aabc317a5 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_rundll32_spawn_explorer.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_rundll32_spawn_explorer.yml @@ -14,10 +14,8 @@ logsource: product: windows detection: selection: - ParentImage|endswith: - - '\rundll32.exe' - Image|endswith: - - '\explorer.exe' + ParentImage|endswith: '\rundll32.exe' + Image|endswith: '\explorer.exe' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_susp_runonce_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_runonce_execution.yml index 119acb1a7..9602b809b 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_runonce_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_runonce_execution.yml @@ -13,14 +13,11 @@ logsource: category: process_creation detection: process_name: - Image|endswith: - - '\runonce.exe' + Image|endswith: '\runonce.exe' process_description: - Description: - - 'Run Once Wrapper' + Description: 'Run Once Wrapper' command_line: - CommandLine|contains: - - ' /AlternateShellStartup' + CommandLine|contains: ' /AlternateShellStartup' condition: (process_name or process_description) and command_line falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_susp_screensaver_reg.yml b/rules/windows/process_creation/proc_creation_win_susp_screensaver_reg.yml index 5d49d1c87..74b4f0871 100644 
--- a/rules/windows/process_creation/proc_creation_win_susp_screensaver_reg.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_screensaver_reg.yml @@ -21,19 +21,19 @@ detection: CommandLine|contains: - 'HKEY_CURRENT_USER\Control Panel\Desktop' - 'HKCU\Control Panel\Desktop' - selection_option_1: # /force Active ScreenSaveActive + selection_option_1: # /force Active ScreenSaveActive CommandLine|contains|all: - '/v ScreenSaveActive' - '/t REG_SZ' - '/d 1' - '/f' - selection_option_2: # /force set ScreenSaveTimeout + selection_option_2: # /force set ScreenSaveTimeout CommandLine|contains|all: - '/v ScreenSaveTimeout' - '/t REG_SZ' - '/d ' - '/f' - selection_option_3: # /force set ScreenSaverIsSecure + selection_option_3: # /force set ScreenSaverIsSecure CommandLine|contains|all: - '/v ScreenSaverIsSecure' - '/t REG_SZ' @@ -48,5 +48,5 @@ detection: - '/f' condition: selection_reg and 1 of selection_option_* falsepositives: - - GPO + - GPO level: medium \ No newline at end of file diff --git a/rules/windows/process_creation/proc_creation_win_susp_service_dacl_modification.yml b/rules/windows/process_creation/proc_creation_win_susp_service_dacl_modification.yml index 0943f410e..c52d6fce2 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_service_dacl_modification.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_service_dacl_modification.yml @@ -13,8 +13,7 @@ logsource: product: windows detection: selection: - Image|endswith: - - '\sc.exe' + Image|endswith: '\sc.exe' CommandLine|contains|all: - 'sdset' - 'D;;' diff --git a/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml b/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml index ea3b72cae..797350510 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml 
@@ -16,20 +16,20 @@ logsource: category: process_creation product: windows detection: - selection: + selection1: Image|endswith: '\update.exe' # Check if folder Name matches executed binary \\(?P[^\\]*)\\Update.*Start.{2}(?P\1)\.exe (example: https://regex101.com/r/SGSQGz/2) + CommandLine|contains: '.exe' + selection2: CommandLine|contains: - '--processStart' - '--processStartAndWait' - '--createShortcut' - CommandLine|contains|all: - - '.exe' filter1: CommandLine|contains|all: - 'C:\Users\' - '\AppData\Local\Discord\Update.exe' - ' --processStart Discord.exe' - condition: selection and not 1 of filter* + condition: all of selection* and not 1 of filter* falsepositives: - 1Clipboard - Beaker Browser @@ -59,8 +59,8 @@ falsepositives: - WebTorrent - WhatsApp - WordPress.com - - atom - - gitkraken - - slack - - teams + - Atom + - Gitkraken + - Slack + - Teams level: medium \ No newline at end of file diff --git a/rules/windows/process_creation/proc_creation_win_susp_svchost_no_cli.yml b/rules/windows/process_creation/proc_creation_win_susp_svchost_no_cli.yml index ac875f0d8..66137f852 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_svchost_no_cli.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_svchost_no_cli.yml @@ -9,14 +9,14 @@ date: 2019/12/28 modified: 2021/02/24 tags: - attack.defense_evasion - - attack.privilege_escalation + - attack.privilege_escalation - attack.t1055 logsource: category: process_creation product: windows detection: selection1: - CommandLine|endswith: 'svchost.exe' + CommandLine|endswith: 'svchost.exe' selection2: Image|endswith: '\svchost.exe' filter: 
@@ -29,5 +29,5 @@ fields: - CommandLine - ParentCommandLine falsepositives: - - rpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf + - Rpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf level: critical diff --git a/rules/windows/process_creation/proc_creation_win_susp_sysprep_appdata.yml b/rules/windows/process_creation/proc_creation_win_susp_sysprep_appdata.yml index 7ae1b13a7..f89eb5b11 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_sysprep_appdata.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_sysprep_appdata.yml @@ -13,10 +13,8 @@ logsource: product: windows detection: selection: - Image|endswith: - - '\sysprep.exe' - CommandLine|contains: - - '\AppData\' + Image|endswith: '\sysprep.exe' + CommandLine|contains: '\AppData\' condition: selection falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment diff --git a/rules/windows/process_creation/proc_creation_win_susp_tracker_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_tracker_execution.yml index 4f44f47df..c904134ce 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_tracker_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_tracker_execution.yml @@ -12,17 +12,13 @@ logsource: product: windows detection: process_name: - Image|endswith: - - '\tracker.exe' + Image|endswith: '\tracker.exe' process_description: - Description: - - 'Tracker' + Description: 'Tracker' commandline_param1: - CommandLine|contains: - - ' /d ' + CommandLine|contains: ' /d ' commandline_param2: - CommandLine|contains: - - ' /c ' + CommandLine|contains: ' /c ' condition: (process_name or process_description) and commandline_param1 and commandline_param2 falsepositives: - Unknown 
diff --git a/rules/windows/process_creation/proc_creation_win_susp_trolleyexpress_procdump.yml b/rules/windows/process_creation/proc_creation_win_susp_trolleyexpress_procdump.yml index bbaf07923..38bb8998a 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_trolleyexpress_procdump.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_trolleyexpress_procdump.yml @@ -7,6 +7,7 @@ references: - https://twitter.com/_xpn_/status/1491557187168178176 - https://www.youtube.com/watch?v=Ie831jF0bb0 date: 2022/02/10 +modified: 2022/05/13 logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml b/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml index 50654354a..2b71b9c66 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml @@ -24,6 +24,6 @@ detection: Image|endswith: '\devenv.exe' condition: selection and not (reduction1 or reduction2) falsepositives: - - the process spawned by vsjitdebugger.exe is uncommon. + - The process spawned by vsjitdebugger.exe is uncommon. level: medium diff --git a/rules/windows/process_creation/proc_creation_win_susp_vaultcmd.yml b/rules/windows/process_creation/proc_creation_win_susp_vaultcmd.yml index df9664b18..03e4273c5 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_vaultcmd.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_vaultcmd.yml 
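Review bot: The only hunk for proc_creation_win_susp_trolleyexpress_procdump.yml adds `modified: 2022/05/13` with no accompanying change to the rule body anywhere in this diff. A modified-date bump without a content change misleads consumers who re-sync or re-review rules by that field; if nothing else in the file changed, the line should be dropped, and if a detection change was intended (the neighbouring OriginalFileName conversions suggest one), it is missing from the commit.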
@@ -4,16 +4,19 @@ status: experimental description: List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe author: frack113 date: 2022/04/08 +modified: 2022/05/13 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.004/T1555.004.md#atomic-test-1---access-saved-credentials-via-vaultcmd logsource: category: process_creation product: windows detection: - selection: - Image|endswith: '\VaultCmd.exe' + selection_img: + - Image|endswith: '\VaultCmd.exe' + - OriginalFileName: 'VAULTCMD.EXE' + selection_cli: CommandLine|contains: '/listcreds:' - condition: selection + condition: all of selection* falsepositives: - Unknown level: medium diff --git a/rules/windows/process_creation/proc_creation_win_susp_vbscript_unc2452.yml b/rules/windows/process_creation/proc_creation_win_susp_vbscript_unc2452.yml index f440ffb2a..cc1721cc0 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_vbscript_unc2452.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_vbscript_unc2452.yml @@ -11,15 +11,14 @@ logsource: product: windows detection: selection: - CommandLine|contains|all: + CommandLine|contains|all: - 'Execute' - 'CreateObject' - 'RegRead' - 'window.close' - '\Microsoft\Windows\CurrentVersion' filter: - CommandLine|contains: - - '\Software\Microsoft\Windows\CurrentVersion\Run' + CommandLine|contains: '\Software\Microsoft\Windows\CurrentVersion\Run' condition: selection and not filter falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_susp_webdav_client_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_webdav_client_execution.yml index 4149781b4..b72a7eb93 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_webdav_client_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_webdav_client_execution.yml 
@@ -7,15 +7,17 @@ references: - https://github.com/OTRF/detection-hackathon-apt29/issues/17 - https://threathunterplaybook.com/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.html date: 2020/05/02 -modified: 2021/11/27 +modified: 2022/05/13 logsource: category: process_creation product: windows detection: - selection: - Image|endswith: '\rundll32.exe' + selection_img: + - Image|endswith: '\rundll32.exe' + - OriginalFileName: 'RUNDLL32.EXE' + selection_cli: CommandLine|contains: 'C:\windows\system32\davclnt.dll,DavSetCookie' - condition: selection + condition: all of selection* falsepositives: - Unknown level: medium diff --git a/rules/windows/process_creation/proc_creation_win_susp_where_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_where_execution.yml index e35eaa87e..0ef708805 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_where_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_where_execution.yml @@ -9,12 +9,14 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md author: frack113 date: 2021/12/13 +modified: 2022/05/13 logsource: category: process_creation product: windows detection: where_exe: - Image|endswith: '\where.exe' + - Image|endswith: '\where.exe' + - OriginalFileName: 'where.exe' where_opt: CommandLine|contains: - 'Bookmarks' diff --git a/rules/windows/process_creation/proc_creation_win_susp_whoami.yml b/rules/windows/process_creation/proc_creation_win_susp_whoami.yml index 5b2ac21c6..43a1d2f91 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_whoami.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_whoami.yml 
@@ -7,13 +7,14 @@ references: - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/ - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/ date: 2018/08/13 -modified: 2021/11/27 +modified: 2022/05/13 logsource: category: process_creation product: windows detection: selection: - Image|endswith: '\whoami.exe' + - Image|endswith: '\whoami.exe' + - OriginalFileName: 'whoami.exe' condition: selection falsepositives: - Admin activity diff --git a/rules/windows/process_creation/proc_creation_win_susp_whoami_anomaly.yml b/rules/windows/process_creation/proc_creation_win_susp_whoami_anomaly.yml index f802e6ef6..af58e32c9 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_whoami_anomaly.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_whoami_anomaly.yml @@ -7,7 +7,7 @@ references: - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/ author: Florian Roth date: 2021/08/12 -modified: 2021/08/26 +modified: 2022/05/13 tags: - attack.discovery - attack.t1033 @@ -17,9 +17,10 @@ logsource: product: windows detection: selection: - Image|endswith: '\whoami.exe' + - Image|endswith: '\whoami.exe' + - OriginalFileName: 'whoami.exe' filter1: - ParentImage|endswith: + ParentImage|endswith: - '\cmd.exe' - '\powershell.exe' filter2: diff --git a/rules/windows/process_creation/proc_creation_win_susp_winrm_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_winrm_execution.yml index 3fc44a897..7cba36749 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_winrm_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_winrm_execution.yml 
@@ -7,18 +7,20 @@ references: - https://twitter.com/bohops/status/994405551751815170 - https://redcanary.com/blog/lateral-movement-winrm-wmi/ date: 2020/10/07 -modified: 2021/11/27 +modified: 2022/05/13 logsource: category: process_creation product: windows detection: - selection: - Image|endswith: '\cscript.exe' + selection_img: + - Image|endswith: '\cscript.exe' + - OriginalFileName: 'cscript.exe' + selection_cli: CommandLine|contains|all: - 'winrm' - 'invoke Create wmicimv2/Win32_' - '-r:http' - condition: selection + condition: all of selection* falsepositives: - Legitimate use for administartive purposes. Unlikely diff --git a/rules/windows/process_creation/proc_creation_win_susp_winzip.yml b/rules/windows/process_creation/proc_creation_win_susp_winzip.yml index 28b69faf7..44f4b16b8 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_winzip.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_winzip.yml @@ -19,8 +19,7 @@ detection: - 'winzip.exe' - 'winzip64.exe' selection_password: - CommandLine|contains: - - '-s"' + CommandLine|contains: '-s"' selection_other: CommandLine|contains: - ' -min ' diff --git a/rules/windows/process_creation/proc_creation_win_susp_wmi_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_wmi_execution.yml index 1df08c0d7..dad73ada0 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_wmi_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_wmi_execution.yml 
@@ -8,13 +8,14 @@ references: - https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1 - https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/ date: 2019/01/16 -modified: 2022/01/07 +modified: 2022/05/13 logsource: category: process_creation product: windows detection: selection: - Image|endswith: '\wmic.exe' + - Image|endswith: '\wmic.exe' + - OriginalFileName: 'wmic.exe' selection2: CommandLine|contains|all: - 'process' diff --git a/rules/windows/process_creation/proc_creation_win_susp_wsl_lolbin.yml b/rules/windows/process_creation/proc_creation_win_susp_wsl_lolbin.yml index f69ca2899..d848aa6fe 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_wsl_lolbin.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_wsl_lolbin.yml @@ -6,18 +6,19 @@ author: 'oscd.community, Zach Stanford @svch0st' references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/ date: 2020/10/05 -modified: 2021/11/27 +modified: 2022/05/13 logsource: category: process_creation product: windows detection: - selection: - Image|endswith: - - '\wsl.exe' + selection_img: + - Image|endswith: '\wsl.exe' + - OriginalFileName: 'wsl.exe' + selection_cli: CommandLine|contains: - ' -e ' - ' --exec ' - condition: selection + condition: all of selection* falsepositives: - Automation and orchestration scripts may use this method execute scripts etc level: medium diff --git a/rules/windows/process_creation/proc_creation_win_susp_wuauclt.yml b/rules/windows/process_creation/proc_creation_win_susp_wuauclt.yml index ada2fa1e8..8369716b3 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_wuauclt.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_wuauclt.yml @@ -6,7 +6,7 @@ references: - https://dtm.uk/wuauclt/ author: FPT.EagleEye Team date: 2020/10/17 -modified: 2021/11/18 +modified: 2022/05/13 tags: - attack.command_and_control - attack.execution 
@@ -16,18 +16,19 @@ logsource: product: windows category: process_creation detection: - selection: + selection_cli: CommandLine|contains|all: - '/UpdateDeploymentProvider' - '/RunHandlerComServer' - '.dll' - Image|endswith: - - '\wuauclt.exe' + selection_img: + - Image|endswith: '\wuauclt.exe' + - OriginalFileName: 'wuauclt.exe' filter: CommandLine|contains: - ' /ClassId ' - ' wuaueng.dll ' - condition: selection and not filter + condition: all of selection* and not filter falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_susp_wuauclt_cmdline.yml b/rules/windows/process_creation/proc_creation_win_susp_wuauclt_cmdline.yml index 9b89cc9c4..421478a0f 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_wuauclt_cmdline.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_wuauclt_cmdline.yml @@ -6,14 +6,17 @@ author: Florian Roth references: - https://redcanary.com/blog/blackbyte-ransomware/ date: 2022/02/26 +modified: 2022/05/13 logsource: category: process_creation product: windows detection: - selection: - Image|endswith: '\Wuauclt.exe' - CommandLine|endswith: '\Wuauclt.exe' - condition: selection + selection_img: + - Image|endswith: '\Wuauclt.exe' + - OriginalFileName: 'Wuauclt.exe' + selection_cli: + CommandLine|endswith: '\Wuauclt.exe' + condition: all of selection* falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_suspicious_ad_reco.yml b/rules/windows/process_creation/proc_creation_win_suspicious_ad_reco.yml index 9723e3670..89f588498 100644 --- a/rules/windows/process_creation/proc_creation_win_suspicious_ad_reco.yml +++ b/rules/windows/process_creation/proc_creation_win_suspicious_ad_reco.yml 
@@ -9,14 +9,17 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md author: frack113 date: 2021/12/12 +modified: 2022/05/13 logsource: product: windows category: process_creation detection: - test_5: - Image|endswith: '\wmic.exe' + selection_img: + - Image|endswith: '\wmic.exe' + - OriginalFileName: 'wmic.exe' + selection_cli: CommandLine|contains: ' group' - condition: test_5 + condition: all of selection* falsepositives: - Unknown level: low diff --git a/rules/windows/process_creation/proc_creation_win_tool_nircmd.yml b/rules/windows/process_creation/proc_creation_win_tool_nircmd.yml index aba7d1347..414d3c9b9 100644 --- a/rules/windows/process_creation/proc_creation_win_tool_nircmd.yml +++ b/rules/windows/process_creation/proc_creation_win_tool_nircmd.yml @@ -4,7 +4,7 @@ status: experimental description: Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity author: 'Florian Roth, Nasreddine Bencherchali @nas_bench' date: 2022/01/24 -modified: 2022/05/06 +modified: 2022/05/13 references: - https://www.nirsoft.net/utils/nircmd.html - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/ @@ -18,7 +18,7 @@ logsource: product: windows detection: selection_org: - OriginalFileName|contains: 'NirCmd.exe' + OriginalFileName: 'NirCmd.exe' combo_exec: CommandLine|contains: - ' exec ' diff --git a/rules/windows/process_creation/proc_creation_win_uac_cmstp.yml b/rules/windows/process_creation/proc_creation_win_uac_cmstp.yml index fcf0bf8be..d7dbc5930 100644 --- a/rules/windows/process_creation/proc_creation_win_uac_cmstp.yml +++ b/rules/windows/process_creation/proc_creation_win_uac_cmstp.yml 
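Review bot: In proc_creation_win_tool_nircmd.yml, dropping `|contains` from `selection_org` turns a substring match into an exact match on the version-resource name, which narrows what the rule covers rather than making its identification of the binary stricter, and nothing in the diff says that narrowing is intended. If any NirCmd build carries a different OriginalFileName (a console variant, for instance), it was matched before and is not now — confirm against the actual resources before keeping `OriginalFileName: 'NirCmd.exe'`, or restore `OriginalFileName|contains: 'NirCmd'` if the looser match was deliberate.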
@@ -7,17 +7,19 @@ references: - https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1191/T1191.md date: 2019/10/24 -modified: 2021/11/27 +modified: 2022/05/13 logsource: category: process_creation product: windows detection: - selection: - Image|endswith: '\cmstp.exe' + selection_img: + - Image|endswith: '\cmstp.exe' + - OriginalFileName: 'CMSTP.EXE' + selection_cli: CommandLine|contains: - '/s' - '/au' - condition: selection + condition: all of selection* fields: - ComputerName - User diff --git a/rules/windows/process_creation/proc_creation_win_uac_wsreset.yml b/rules/windows/process_creation/proc_creation_win_uac_wsreset.yml index 877ffb1b4..9cec27839 100644 --- a/rules/windows/process_creation/proc_creation_win_uac_wsreset.yml +++ b/rules/windows/process_creation/proc_creation_win_uac_wsreset.yml @@ -6,7 +6,7 @@ author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd references: - https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html date: 2019/10/24 -modified: 2021/11/27 +modified: 2022/05/13 logsource: category: process_creation product: windows @@ -14,7 +14,8 @@ detection: selection: ParentImage|endswith: '\wsreset.exe' filter: - Image|endswith: '\conhost.exe' + - Image|endswith: '\conhost.exe' + - OriginalFileName: 'CONHOST.EXE' condition: selection and not filter falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_using_sc_to_hide_sevices.yml b/rules/windows/process_creation/proc_creation_win_using_sc_to_hide_sevices.yml index ebc8bf7af..838c0c83b 100644 --- a/rules/windows/process_creation/proc_creation_win_using_sc_to_hide_sevices.yml +++ b/rules/windows/process_creation/proc_creation_win_using_sc_to_hide_sevices.yml 
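Review bot: In proc_creation_win_uac_wsreset.yml the widened `filter` now also excludes any child of wsreset.exe whose OriginalFileName reads CONHOST.EXE, and that field comes from the executable's own version resource rather than from the path the OS actually loaded. In a selection OriginalFileName adds coverage; in an exclusion it only adds a way for a non-conhost binary to be dropped that the Image-only filter did not have, and the previous single line already covered the legitimate console host. Keep the exclusion on the path alone, `Image|endswith: '\conhost.exe'`; requiring both fields in one mapping would instead make the filter miss on sources that do not populate OriginalFileName.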
@@ -7,12 +7,14 @@ references: - https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/ date: 2021/12/20 +modified: 2022/05/13 logsource: category: process_creation product: windows detection: sc: - Image|endswith: '\sc.exe' + - Image|endswith: '\sc.exe' + - OriginalFileName: 'sc.exe' cli: CommandLine|contains|all: - 'sdset' diff --git a/rules/windows/process_creation/proc_creation_win_vmtoolsd_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_vmtoolsd_susp_child_process.yml index cdecb338e..5c430866b 100644 --- a/rules/windows/process_creation/proc_creation_win_vmtoolsd_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_vmtoolsd_susp_child_process.yml @@ -8,7 +8,7 @@ tags: - attack.t1059 author: behops, Bhabesh Raj date: 2021/10/08 -modified: 2021/10/10 +modified: 2022/05/13 references: - https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/ fields: @@ -22,19 +22,27 @@ logsource: category: process_creation product: windows detection: - selection: + selection_parent: ParentImage|endswith: '\vmtoolsd.exe' - Image|endswith: + selection_img: + - Image|endswith: - '\cmd.exe' - '\powershell.exe' - '\rundll32.exe' - '\regsvr32.exe' - '\wscript.exe' - '\cscript.exe' + - OriginalFileName: + - 'Cmd.Exe' + - 'PowerShell.EXE' + - 'RUNDLL32.EXE' + - 'REGSVR32.EXE' + - 'wscript.exe' + - 'cscript.exe' filter: CommandLine|contains: - '\VMware\VMware Tools\poweron-vm-default.bat' - '\VMware\VMware Tools\poweroff-vm-default.bat' - '\VMware\VMware Tools\resume-vm-default.bat' - '\VMware\VMware Tools\suspend-vm-default.bat' - condition: selection and not filter + condition: all of selection* and not filter diff --git a/rules/windows/process_creation/proc_creation_win_webshell_detection.yml b/rules/windows/process_creation/proc_creation_win_webshell_detection.yml index 23695d2da..c9a10ddbf 100644 
--- a/rules/windows/process_creation/proc_creation_win_webshell_detection.yml +++ b/rules/windows/process_creation/proc_creation_win_webshell_detection.yml @@ -7,7 +7,7 @@ references: - https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html - https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/ date: 2017/01/01 -modified: 2021/03/17 +modified: 2022/05/13 tags: - attack.persistence - attack.t1505.003 
@@ -27,50 +27,62 @@ detection: - '\caddy.exe' - '\ws_tomcatservice.exe' selection_webserver_characteristics_tomcat1: - ParentImage|endswith: + ParentImage|endswith: - '\java.exe' - '\javaw.exe' - ParentImage|contains: + ParentImage|contains: - '-tomcat-' - '\tomcat' selection_webserver_characteristics_tomcat2: - ParentImage|endswith: + ParentImage|endswith: - '\java.exe' - '\javaw.exe' - CommandLine|contains: + CommandLine|contains: - 'catalina.jar' - 'CATALINA_HOME' susp_net_utility: - Image|endswith: - - '\net.exe' - - '\net1.exe' + OriginalFileName: + - 'net.exe' + - 'net1.exe' CommandLine|contains: - ' user ' - ' use ' - ' group ' susp_ping_utility: - Image|endswith: '\ping.exe' + OriginalFileName: 'ping.exe' CommandLine|contains: ' -n ' susp_change_dir: CommandLine|contains: - '&cd&echo' # china chopper web shell - 'cd /d ' # https://www.computerhope.com/cdhlp.htm susp_wmic_utility: - Image|endswith: '\wmic.exe' - CommandLine|contains: ' /node:' + OriginalFileName: 'wmic.exe' + CommandLine|contains: ' /node:' susp_misc_discovery_binaries: - Image|endswith: + - Image|endswith: - '\whoami.exe' - '\systeminfo.exe' - '\quser.exe' - - '\ipconfig.exe' - - '\pathping.exe' - - '\tracert.exe' - - '\netstat.exe' - - '\schtasks.exe' - - '\vssadmin.exe' - - '\wevtutil.exe' - - '\tasklist.exe' + - '\ipconfig.exe' + - '\pathping.exe' + - '\tracert.exe' + - '\netstat.exe' + - '\schtasks.exe' + - '\vssadmin.exe' + - '\wevtutil.exe' + - '\tasklist.exe' + - OriginalFileName: + - 'whoami.exe' + - 'sysinfo.exe' + - 'quser.exe' + - 'ipconfig.exe' + - 'pathping.exe' + - 'tracert.exe' + - 'netstat.exe' + - 'schtasks.exe' + - 'VSSADMIN.EXE' + - 'wevtutil.exe' + - 'tasklist.exe' susp_misc_discovery_commands: CommandLine|contains: - ' Test-NetConnection ' diff --git a/rules/windows/process_creation/proc_creation_win_whoami_as_priv_user.yml b/rules/windows/process_creation/proc_creation_win_whoami_as_priv_user.yml index 70b93cd68..d37b66104 100644 
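Review bot: In proc_creation_win_webshell_detection.yml the `susp_net_utility`, `susp_ping_utility` and `susp_wmic_utility` selections replace `Image|endswith` with `OriginalFileName` outright, whereas `susp_misc_discovery_binaries` in the same hunk (and every other rule touched by this commit) keeps the image check as an alternative. Those three sub-selections therefore stop matching on any process_creation source that does not carry OriginalFileName, a silent loss of coverage that the date bump does not signal. Keeping the OR shape without touching the condition (which lies outside this hunk) is possible by listing two mappings per selection, each carrying the CommandLine clause; the ping case is shown below and net/wmic follow the same pattern.
```yaml
susp_ping_utility:
  - Image|endswith: '\ping.exe'
    CommandLine|contains: ' -n '
  - OriginalFileName: 'ping.exe'
    CommandLine|contains: ' -n '
# … unchanged: susp_change_dir, susp_misc_discovery_binaries, later selections …
```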
--- a/rules/windows/process_creation/proc_creation_win_whoami_as_priv_user.yml +++ b/rules/windows/process_creation/proc_creation_win_whoami_as_priv_user.yml @@ -7,6 +7,7 @@ references: - https://nsudo.m2team.org/en-us/ author: Florian Roth date: 2022/01/28 +modified: 2022/05/13 tags: - attack.privilege_escalation - attack.discovery @@ -15,10 +16,12 @@ logsource: category: process_creation product: windows detection: - selection: + selection_user: User|contains: 'TrustedInstaller' - Image|endswith: '\whoami.exe' - condition: selection + selection_img: + - OriginalFileName: 'whoami.exe' + - Image|endswith: '\whoami.exe' + condition: all of selection* falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_whoami_as_system.yml b/rules/windows/process_creation/proc_creation_win_whoami_as_system.yml index 20812efdf..03fff8773 100644 --- a/rules/windows/process_creation/proc_creation_win_whoami_as_system.yml +++ b/rules/windows/process_creation/proc_creation_win_whoami_as_system.yml @@ -6,21 +6,23 @@ references: - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment author: Teymur Kheirkhabarov, Florian Roth date: 2019/10/23 -modified: 2022/01/28 +modified: 2022/05/13 tags: - attack.privilege_escalation - - attack.discovery + - attack.discovery - attack.t1033 logsource: category: process_creation product: windows detection: - selection: + selection_user: User|contains: # covers many language settings - 'AUTHORI' - 'AUTORI' - Image|endswith: '\whoami.exe' - condition: selection + selection_img: + - OriginalFileName: 'whoami.exe' + - Image|endswith: '\whoami.exe' + condition: all of selection* falsepositives: - Possible name overlap with NT AUHTORITY substring to cover all languages level: high diff --git a/rules/windows/process_creation/proc_creation_win_whoami_priv.yml b/rules/windows/process_creation/proc_creation_win_whoami_priv.yml index 3cd02819c..bd98b67a3 100644 
--- a/rules/windows/process_creation/proc_creation_win_whoami_priv.yml +++ b/rules/windows/process_creation/proc_creation_win_whoami_priv.yml @@ -6,6 +6,7 @@ references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/whoami author: Florian Roth date: 2021/05/05 +modified: 2022/05/13 tags: - attack.privilege_escalation - attack.discovery @@ -14,10 +15,12 @@ logsource: category: process_creation product: windows detection: - selection: - Image|endswith: '\whoami.exe' + selection_img: + - Image|endswith: '\whoami.exe' + - OriginalFileName: 'whoami.exe' + selection_cli: CommandLine|contains: '/priv' - condition: selection + condition: all of selection* falsepositives: - Administrative activity (rare lookups on current privileges) level: high diff --git a/rules/windows/process_creation/proc_creation_win_win10_sched_task_0day.yml b/rules/windows/process_creation/proc_creation_win_win10_sched_task_0day.yml index 5627d30b2..c3e4f3737 100644 --- a/rules/windows/process_creation/proc_creation_win_win10_sched_task_0day.yml +++ b/rules/windows/process_creation/proc_creation_win_win10_sched_task_0day.yml @@ -6,19 +6,21 @@ author: Olaf Hartong references: - https://github.com/SandboxEscaper/polarbearrepo/tree/master/bearlpe date: 2019/05/22 -modified: 2021/11/27 +modified: 2022/05/13 logsource: category: process_creation product: windows detection: - selection: + selection_img: Image|endswith: '\schtasks.exe' + OriginalFileName: 'schtasks.exe' + selection_cli: CommandLine|contains|all: - '/change' - '/TN' - '/RU' - '/RP' - condition: selection + condition: all of selection* falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_wmi_spwns_powershell.yml b/rules/windows/process_creation/proc_creation_win_wmi_spwns_powershell.yml index 90b422eab..750a2cc57 100644 --- a/rules/windows/process_creation/proc_creation_win_wmi_spwns_powershell.yml 
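Review bot: In proc_creation_win_win10_sched_task_0day.yml the new `selection_img` is a mapping, so `Image|endswith: '\schtasks.exe'` and `OriginalFileName: 'schtasks.exe'` are ANDed, unlike every other rule in this commit where the two fields are list items and thus alternatives. On a process_creation source that does not populate OriginalFileName the rule can no longer fire at all, which is the opposite of the widening the rest of the change makes. Make them alternatives: `selection_img:` / `  - Image|endswith: '\schtasks.exe'` / `  - OriginalFileName: 'schtasks.exe'`.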
+++ b/rules/windows/process_creation/proc_creation_win_wmi_spwns_powershell.yml @@ -7,21 +7,21 @@ references: - https://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e author: Markus Neis / @Karneades date: 2019/04/03 -modified: 2021/02/24 +modified: 2022/05/13 logsource: category: process_creation product: windows detection: - selection: - ParentImage|endswith: - - '\wmiprvse.exe' - Image|endswith: - - '\powershell.exe' + selection_parent: + ParentImage|endswith: '\wmiprvse.exe' + selection_img: + - Image|endswith: '\powershell.exe' + - OriginalFileName: 'PowerShell.EXE' filter_null1: CommandLine: 'null' filter_null2: # some backends need the null value in a separate expression CommandLine: null - condition: selection and not filter_null1 and not filter_null2 + condition: all of selection* and not filter_null1 and not filter_null2 falsepositives: - AppvClient - CCM diff --git a/rules/windows/process_creation/proc_creation_win_wmic_reconnaissance.yml b/rules/windows/process_creation/proc_creation_win_wmic_reconnaissance.yml index de1dd67a6..ac6ec4bbd 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_reconnaissance.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_reconnaissance.yml 
@@ -7,20 +7,23 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic date: 2022/01/01 +modified: 2022/05/13 logsource: category: process_creation product: windows detection: - selection: - Image|endswith: \WMIC.exe - CommandLine|contains: - - process + selection_img: + - Image|endswith: \WMIC.exe + - OriginalFileName: 'wmic.exe' + selection_cli: + CommandLine|contains: + - process - qfe filter: CommandLine|contains|all: #rule id 526be59f-a573-4eea-b5f7-f0973207634d for `wmic process call create #{process_to_execute}` - call - - create - condition: selection and not filter + - create + condition: all of selection* and not filter falsepositives: - Unknown level: medium diff --git a/rules/windows/process_creation/proc_creation_win_wmic_remote_command.yml b/rules/windows/process_creation/proc_creation_win_wmic_remote_command.yml index f082d4db9..395005d21 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_remote_command.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_remote_command.yml @@ -7,21 +7,24 @@ references: - https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/ - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic date: 2022/03/13 +modified: 2022/05/13 logsource: category: process_creation product: windows detection: - selection: - Image|endswith: \WMIC.exe + selection_img: + - Image|endswith: \WMIC.exe + - OriginalFileName: 'wmic.exe' + selection_cli: CommandLine|contains|all: - '/node:' - process - call - - create - condition: selection + - create + condition: all of selection* falsepositives: - Unknown -level: medium +level: medium tags: - attack.execution - attack.t1047 
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_remote_service.yml b/rules/windows/process_creation/proc_creation_win_wmic_remote_service.yml index 17a29f777..c938237c9 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_remote_service.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_remote_service.yml @@ -11,16 +11,19 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic date: 2022/01/01 +modified: 2022/05/13 logsource: category: process_creation product: windows detection: - selection: - Image|endswith: \WMIC.exe + selection_img: + - Image|endswith: \WMIC.exe + - OriginalFileName: 'wmic.exe' + selection_cli: CommandLine|contains|all: - '/node:' - - service - condition: selection + - service + condition: all of selection* falsepositives: - Unknown level: medium diff --git a/rules/windows/process_creation/proc_creation_win_wmic_remove_application.yml b/rules/windows/process_creation/proc_creation_win_wmic_remove_application.yml index a6e659657..260821395 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_remove_application.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_remove_application.yml @@ -6,14 +6,17 @@ author: frac113 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md#atomic-test-10---application-uninstall-using-wmic date: 2022/01/28 +modified: 2022/05/13 logsource: category: process_creation product: windows detection: - selection: - Image|endswith: \WMIC.exe + selection_img: + - Image|endswith: \WMIC.exe + - OriginalFileName: 'wmic.exe' + selection_cli: CommandLine|contains: call uninstall - condition: selection + condition: all of selection* falsepositives: - Unknown level: medium 
diff --git a/rules/windows/process_creation/proc_creation_win_wsreset_uac_bypass.yml b/rules/windows/process_creation/proc_creation_win_wsreset_uac_bypass.yml index 612ecd044..2cf0a1ed6 100644 --- a/rules/windows/process_creation/proc_creation_win_wsreset_uac_bypass.yml +++ b/rules/windows/process_creation/proc_creation_win_wsreset_uac_bypass.yml @@ -14,8 +14,7 @@ logsource: product: windows detection: selection: - ParentImage|endswith: - - '\WSreset.exe' + ParentImage|endswith: '\WSreset.exe' condition: selection fields: - CommandLine diff --git a/rules/windows/process_creation/proc_creation_win_xsl_script_processing.yml b/rules/windows/process_creation/proc_creation_win_xsl_script_processing.yml index b861ce72e..22869e556 100644 --- a/rules/windows/process_creation/proc_creation_win_xsl_script_processing.yml +++ b/rules/windows/process_creation/proc_creation_win_xsl_script_processing.yml @@ -29,7 +29,7 @@ detection: condition: selection and not false_positives falsepositives: - WMIC.exe FP depend on scripts and administrative methods used in the monitored environment. - - msxsl.exe is not installed by default, so unlikely. + - Msxsl.exe is not installed by default, so unlikely. - Static format arguments - https://petri.com/command-line-wmi-part-3 level: medium tags: diff --git a/rules/windows/registry/registry_event/registry_event_apt_oceanlotus_registry.yml b/rules/windows/registry/registry_event/registry_event_apt_oceanlotus_registry.yml index cd6eefdbf..49c0ad34f 100755 --- a/rules/windows/registry/registry_event/registry_event_apt_oceanlotus_registry.yml +++ b/rules/windows/registry/registry_event/registry_event_apt_oceanlotus_registry.yml @@ -15,7 +15,7 @@ logsource: category: registry_event product: windows detection: - ioc_1: + ioc_1: TargetObject: 'HKCU\SOFTWARE\Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model' ioc_2: TargetObject|startswith: 
@@ -29,8 +29,7 @@ detection: - Application - DefaultIcon selection2: - TargetObject|startswith: - - 'HKCU\' + TargetObject|startswith: 'HKCU\' TargetObject|contains: # HKCU\SOFTWARE\Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\ - 'Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\' diff --git a/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml b/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml index 08c3f7ea2..39233ad58 100644 --- a/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml +++ b/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml @@ -13,8 +13,7 @@ logsource: product: windows detection: selection: - TargetObject|endswith: - - '\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command' + TargetObject|endswith: '\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command' condition: selection fields: - ComputerName diff --git a/rules/windows/registry/registry_event/registry_event_runkey_winekey.yml b/rules/windows/registry/registry_event/registry_event_runkey_winekey.yml index 38219ed86..1e891ab5f 100644 --- a/rules/windows/registry/registry_event/registry_event_runkey_winekey.yml +++ b/rules/windows/registry/registry_event/registry_event_runkey_winekey.yml @@ -12,8 +12,7 @@ logsource: product: windows detection: selection: - TargetObject|endswith: - - 'Software\Microsoft\Windows\CurrentVersion\Run\Backup Mgr' + TargetObject|endswith: 'Software\Microsoft\Windows\CurrentVersion\Run\Backup Mgr' condition: selection fields: - ComputerName diff --git a/rules/windows/registry/registry_set/registry_set_disable_fonction_user.yml b/rules/windows/registry/registry_set/registry_set_disable_fonction_user.yml index fb26e12b4..e809c72bc 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_fonction_user.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_fonction_user.yml 
@@ -11,9 +11,9 @@ logsource: category: registry_set product: windows detection: - selection_set_1: + selection_set_1: EventType: SetValue - TargetObject|endswith: + TargetObject|endswith: - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools' - 'SOFTWARE\Policies\Microsoft\Windows\System\DisableCMD' - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableTaskmgr' @@ -22,14 +22,13 @@ detection: - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation' - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff' Details: 'DWORD (0x00000001)' - selection_set_0: + selection_set_0: EventType: SetValue - TargetObject|endswith: - - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon' - Details: 'DWORD (0x00000000)' + TargetObject|endswith: 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon' + Details: 'DWORD (0x00000000)' condition: 1 of selection_set_* falsepositives: - - Legitim admin script + - Legitimate admin script level: medium tags: - attack.defense_evasion diff --git a/rules/windows/registry/registry_set/registry_set_globalflags_persistence.yml b/rules/windows/registry/registry_set/registry_set_globalflags_persistence.yml index 0134365bc..c86fbee0c 100755 --- a/rules/windows/registry/registry_set/registry_set_globalflags_persistence.yml +++ b/rules/windows/registry/registry_set/registry_set_globalflags_persistence.yml @@ -12,8 +12,7 @@ logsource: product: windows detection: selection_reg1: - TargetObject|contains: - - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion' + TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion' selection_reg2: - TargetObject|contains|all: - '\Image File Execution Options\' diff --git a/rules/windows/registry/registry_set/registry_set_hide_fonction_user.yml b/rules/windows/registry/registry_set/registry_set_hide_fonction_user.yml index e8821183c..8b0ad1aa2 100644 
--- a/rules/windows/registry/registry_set/registry_set_hide_fonction_user.yml +++ b/rules/windows/registry/registry_set/registry_set_hide_fonction_user.yml @@ -11,24 +11,24 @@ logsource: category: registry_set product: windows detection: - selection_set_1: + selection_set_1: EventType: SetValue - TargetObject|endswith: + TargetObject|endswith: - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideClock' - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth' - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCANetwork' - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAPower' - 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAVolume' Details: 'DWORD (0x00000001)' - selection_set_0: + selection_set_0: EventType: SetValue - TargetObject|endswith: + TargetObject|endswith: - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip' - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor' - Details: 'DWORD (0x00000000)' + Details: 'DWORD (0x00000000)' condition: 1 of selection_set_* falsepositives: - - Legitim admin script + - Legitimate admin script level: medium tags: - attack.defense_evasion diff --git a/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml b/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml index aad55f31b..6189ac57e 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml @@ -48,8 +48,7 @@ detection: - 'C:\Program Files\Windows Defender\' Image|endswith: '\MsMpEng.exe' filter_nvidia: - Details|contains: - - '\FileRepository\nvmdi.inf' + Details|contains: '\FileRepository\nvmdi.inf' filter_edge: Image|endswith: '\MicrosoftEdgeUpdateComRegisterShell64.exe' filter_dx: 
diff --git a/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml b/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml index 548685764..eec5ae64d 100644 --- a/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml +++ b/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml @@ -11,12 +11,12 @@ logsource: category: registry_set product: windows detection: - selection: + selection: EventType: SetValue - TargetObject|contains: + TargetObject|contains: - '\Software\Microsoft\Windows\CurrentVersion\Run' - '\Software\Microsoft\Windows\CurrentVersion\RunOnce' - Details|contains: + Details|contains: - 'powershell' - 'FromBase64String' - '.DownloadFile(' @@ -26,7 +26,7 @@ detection: - ' -encodedcommand ' condition: selection falsepositives: - - Legitim admin script + - Legitimate admin script level: medium tags: - attack.persistence diff --git a/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml b/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml new file mode 100644 index 000000000..83eb3a245 --- /dev/null +++ b/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml 
@@ -0,0 +1,32 @@ +title: ScreenSaver Registry Key Set +id: 40b6e656-4e11-4c0c-8772-c1cc6dae34ce +description: Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl +status: experimental +date: 2022/05/04 +modified: 2022/05/04 +author: Jose Luis Sanchez Martinez (@Joseliyo_Jstnk) +references: + - https://twitter.com/VakninHai/status/1517027824984547329 + - https://twitter.com/pabraeken/status/998627081360695297 + - https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files +logsource: + product: windows + category: registry_set +detection: + selection: + EventType: SetValue + Image|endswith: '\rundll32.exe' + registry: + TargetObject|contains: '\Control Panel\Desktop\SCRNSAVE.EXE' + Details|endswith: '.scr' + filter: + Details|contains: + - 'C:\Windows\System32\' + - 'C:\Windows\SysWOW64\' + condition: selection and registry and not filter +falsepositives: + - Legitimate use of screen saver +level: medium +tags: + - attack.defense_evasion + - attack.t1218.011 \ No newline at end of file diff --git a/rules/windows/registry/registry_set/registry_set_set_nopolicies_user.yml b/rules/windows/registry/registry_set/registry_set_set_nopolicies_user.yml index 41ec6e700..bad56879e 100644 --- a/rules/windows/registry/registry_set/registry_set_set_nopolicies_user.yml +++ b/rules/windows/registry/registry_set/registry_set_set_nopolicies_user.yml @@ -11,9 +11,9 @@ logsource: category: registry_set product: windows detection: - selection_set_1: + selection_set_1: EventType: SetValue - TargetObject|endswith: + TargetObject|endswith: - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff' - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop' - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun' 
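Review bot: The `filter` on `Details|contains` drops every value that merely contains `C:\Windows\System32\` or `C:\Windows\SysWOW64\`, which also covers their subdirectories; since some of those (to my knowledge `System32\Tasks\` and `System32\spool\drivers\color\`) are writable by standard users, a masqueraded .scr staged there would be silently excluded by this new rule, and a `contains` match also fires when that string appears anywhere mid-path rather than as the prefix. Consider `Details|startswith` for the exclusion plus an explicit un-filter for the known user-writable subfolders, e.g. `filter_writable: Details|contains: ['\System32\Tasks\', '\System32\spool\drivers\color\']` with `condition: selection and registry and not (filter and not filter_writable)`, or at least record the gap in `falsepositives`/`description` so analysts tuning it know the exclusion is coarse. The references do not show whether `SCRNSAVE.EXE` accepts non-`.scr` paths, so whether `Details|endswith: '.scr'` can be sidestepped by extension is unconfirmed here. The file also lacks a trailing newline.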
@@ -27,7 +27,7 @@ detection: Details: 'DWORD (0x00000001)' condition: selection_set_1 falsepositives: - - Legitim admin script + - Legitimate admin script level: medium tags: - attack.defense_evasion diff --git a/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml b/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml index dcd941a43..b1eb7f852 100755 --- a/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml +++ b/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml @@ -23,8 +23,7 @@ detection: - '\procmon64.exe' - '\procmon.exe' selection_3: - Details|contains: - - '\WINDOWS\system32\Drivers\PROCEXP152.SYS' + Details|contains: '\WINDOWS\system32\Drivers\PROCEXP152.SYS' condition: selection_1 and not selection_2 and not selection_3 falsepositives: - Other legimate tools using this service names and drivers. Note - clever attackers may easily bypass this detection by just renaming the services. Therefore just Medium-level and don't rely on it. diff --git a/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml b/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml index c47194cf2..20d7041bb 100644 --- a/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml +++ b/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml @@ -16,7 +16,7 @@ detection: - 21 condition: selector falsepositives: - - exclude legitimate (vetted) use of WMI event subscription in your network + - Exclude legitimate (vetted) use of WMI event subscription in your network level: high tags: - attack.persistence diff --git a/tests/test_rules.py b/tests/test_rules.py index 0133f0b53..dada5b768 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py 
@@ -57,7 +57,7 @@ class TestRules(unittest.TestCase): # if extension != ".yml": # files_with_incorrect_extensions.append(file) - # self.assertEqual(files_with_incorrect_extensions, [], Fore.RED + + # self.assertEqual(files_with_incorrect_extensions, [], Fore.RED + # "There are rule files with extensions other than .yml") def test_legal_trademark_violations(self): @@ -70,9 +70,9 @@ class TestRules(unittest.TestCase): if tm in file_data: files_with_legal_issues.append(file) - self.assertEqual(files_with_legal_issues, [], Fore.RED + + self.assertEqual(files_with_legal_issues, [], Fore.RED + "There are rule files which contains a trademark or reference that doesn't comply with the respective trademark requirements - please remove the trademark to avoid legal issues") - + def test_optional_tags(self): files_with_incorrect_tags = [] tags_pattern = re.compile(r"cve\.\d+\.\d+|attack\.t\d+\.*\d*|attack\.[a-z_]+|car\.\d{4}-\d{2}-\d{3}") @@ -84,7 +84,7 @@ class TestRules(unittest.TestCase): print(Fore.RED + "Rule {} has the invalid tag <{}>".format(file, tag)) files_with_incorrect_tags.append(file) - self.assertEqual(files_with_incorrect_tags, [], Fore.RED + + self.assertEqual(files_with_incorrect_tags, [], Fore.RED + "There are rules with incorrect/unknown MITRE Tags. (please inform us about new tags that are not yet supported in our tests) and check the correct tags here: https://attack.mitre.org/ ") def test_confirm_correct_mitre_tags(self): @@ -98,7 +98,7 @@ class TestRules(unittest.TestCase): print(Fore.RED + "Rule {} has the following incorrect tag {}".format(file, tag)) files_with_incorrect_mitre_tags.append(file) - self.assertEqual(files_with_incorrect_mitre_tags, [], Fore.RED + + self.assertEqual(files_with_incorrect_mitre_tags, [], Fore.RED + "There are rules with incorrect/unknown MITRE Tags. (please inform us about new tags that are not yet supported in our tests) and check the correct tags here: https://attack.mitre.org/ ") def test_duplicate_tags(self): 
@@ -112,10 +112,10 @@ class TestRules(unittest.TestCase): if tag in known_tags: print(Fore.RED + "Rule {} has the duplicate tag {}".format(file, tag)) files_with_incorrect_mitre_tags.append(file) - else: + else: known_tags.append(tag) - self.assertEqual(files_with_incorrect_mitre_tags, [], Fore.RED + + self.assertEqual(files_with_incorrect_mitre_tags, [], Fore.RED + "There are rules with duplicate tags") def test_look_for_duplicate_filters(self): @@ -144,7 +144,7 @@ class TestRules(unittest.TestCase): detection = self.get_rule_part(file_path=file, part_name="detection") check_list_or_recurse_on_dict(detection, 1) - self.assertEqual(files_with_duplicate_filters, [], Fore.RED + + self.assertEqual(files_with_duplicate_filters, [], Fore.RED + "There are rules with duplicate filters") def test_field_name_with_space(self): @@ -158,7 +158,6 @@ class TestRules(unittest.TestCase): faulty_fieldnames = [] for file in self.yield_next_rule_file_path(self.path_to_rules): - yaml = self.get_rule_yaml(file_path = file) detection = self.get_rule_part(file_path = file, part_name = "detection") key_iterator(detection, faulty_fieldnames) @@ -188,7 +187,6 @@ class TestRules(unittest.TestCase): faulty_detections = [] for file in self.yield_next_rule_file_path(self.path_to_rules): - yaml = self.get_rule_yaml(file_path = file) detection = self.get_rule_part(file_path = file, part_name = "detection") if "all of them" in detection["condition"]: 
@@ -202,28 +200,28 @@ class TestRules(unittest.TestCase): # detections not the same count can't be the same if len(detection1) != len(detection2): - return False - + return False + for named_condition in detection1: #don't check timeframes if named_condition == "timeframe": continue - - # condition clause must be the same too + + # condition clause must be the same too if named_condition == "condition": if detection1["condition"] != detection2["condition"]: return False else: continue - + # Named condition must exist in both rule files if named_condition not in detection2: return False - + #can not be the same if len is not equal if len(detection1[named_condition]) != len(detection2[named_condition]): return False - + for condition in detection1[named_condition]: if type(condition) != str: @@ -231,7 +229,7 @@ class TestRules(unittest.TestCase): if condition not in detection2[named_condition]: return False - + condition_value1 = detection1[named_condition][condition] condition_value2 = detection2[named_condition][condition] if condition_value1 != condition_value2: @@ -259,7 +257,7 @@ class TestRules(unittest.TestCase): files_and_their_detections[file] = detection - self.assertEqual(faulty_detections, [], Fore.YELLOW + + self.assertEqual(faulty_detections, [], Fore.YELLOW + "There are rule files with exactly the same detection logic.") def test_source_eventlog(self): @@ -271,7 +269,7 @@ class TestRules(unittest.TestCase): if "'source': 'eventlog'" in detection_str: faulty_detections.append(file) - self.assertEqual(faulty_detections, [], Fore.YELLOW + + self.assertEqual(faulty_detections, [], Fore.YELLOW + "There are detections with 'Source: Eventlog'. This does not add value to the detection.") def test_event_id_instead_of_process_creation(self): 
@@ -282,7 +280,7 @@ class TestRules(unittest.TestCase): if re.search(r'.*EventID: (?:1|4688)\s*$', line) and file not in faulty_detections: faulty_detections.append(file) - self.assertEqual(faulty_detections, [], Fore.YELLOW + + self.assertEqual(faulty_detections, [], Fore.YELLOW + "There are rules still using Sysmon 1 or Event ID 4688. Please migrate to the process_creation category.") def test_missing_id(self): @@ -295,14 +293,14 @@ class TestRules(unittest.TestCase): faulty_rules.append(file) elif len(id) != 36: print(Fore.YELLOW + "Rule {} has a malformed 'id' (not 36 chars).".format(file)) - faulty_rules.append(file) + faulty_rules.append(file) elif id in dict_id.keys(): print(Fore.YELLOW + "Rule {} has the same 'id' than {} must be unique.".format(file,dict_id[id])) faulty_rules.append(file) else: dict_id[id] = file - self.assertEqual(faulty_rules, [], Fore.RED + + self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with missing or malformed 'id' fields. Create an id (e.g. here: https://www.uuidgenerator.net/version4) and add it to the reported rule(s).") def test_optional_related(self): @@ -321,7 +319,7 @@ class TestRules(unittest.TestCase): print(Fore.YELLOW + "Rule {} has a 'related' field that isn't a list.".format(file)) faulty_rules.append(file) else: - # should probably test if we have only 'id' and 'type' ... + # should probably test if we have only 'id' and 'type' ... type_ok = True for ref in related_lst: id_str = ref['id'] @@ -333,7 +331,7 @@ class TestRules(unittest.TestCase): print(Fore.YELLOW + "Rule {} has a 'related/type' invalid value.".format(file)) faulty_rules.append(file) - self.assertEqual(faulty_rules, [], Fore.RED + + self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with malformed optional 'related' fields. (check https://github.com/SigmaHQ/sigma/wiki/Specification)") def test_sysmon_rule_without_eventid(self): 
@@ -352,7 +350,7 @@ class TestRules(unittest.TestCase): if not found: faulty_rules.append(file) - self.assertEqual(faulty_rules, [], Fore.RED + + self.assertEqual(faulty_rules, [], Fore.RED + "There are rules using sysmon events but with no EventID specified") def test_missing_date(self): @@ -405,7 +403,7 @@ class TestRules(unittest.TestCase): faulty_rules.append(file) elif modifiedfield[4] != '/' or modifiedfield[7] != '/': print(Fore.YELLOW + "Rule {} has a malformed 'modified' (should be YYYY/MM/DD).".format(file)) - faulty_rules.append(file) + faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with malformed 'modified' fields. (create one, e.g. date: 2019/01/14)") @@ -424,11 +422,11 @@ class TestRules(unittest.TestCase): if status_str: if not status_str in valid_status: print(Fore.YELLOW + "Rule {} has a invalid 'status' (check wiki).".format(file)) - faulty_rules.append(file) + faulty_rules.append(file) elif status_str == "unsupported": print(Fore.YELLOW + "Rule {} has the unsupported 'status', can not be in rules directory".format(file)) faulty_rules.append(file) - + self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with malformed 'status' fields. (check https://github.com/SigmaHQ/sigma/wiki/Specification)") @@ -463,10 +461,10 @@ class TestRules(unittest.TestCase): print(Fore.YELLOW + "Rule {} has a 'fields' field that isn't a list.".format(file)) faulty_rules.append(file) - self.assertEqual(faulty_rules, [], Fore.RED + + self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with malformed optional 'fields' fields. (has to be a list of values even if it contains only a single value)") - def test_optional_falsepositives(self): + def test_optional_falsepositives_listtype(self): faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): falsepositives_str = self.get_rule_part(file_path=file, part_name="falsepositives") 
@@ -476,9 +474,48 @@ class TestRules(unittest.TestCase): print(Fore.YELLOW + "Rule {} has a 'falsepositives' field that isn't a list.".format(file)) faulty_rules.append(file) - self.assertEqual(faulty_rules, [], Fore.RED + + self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with malformed optional 'falsepositives' fields. (has to be a list of values even if it contains only a single value)") + def test_optional_falsepositives_capital(self): + faulty_rules = [] + for file in self.yield_next_rule_file_path(self.path_to_rules): + fps = self.get_rule_part(file_path=file, part_name="falsepositives") + if fps: + for fp in fps: + # first letter should be capital + try: + if fp[0].upper() != fp[0]: + print(Fore.YELLOW + "Rule {} defines a falsepositive that does not start with a capital letter: '{}'.".format(file, fp)) + faulty_rules.append(file) + except TypeError as err: + print("TypeError Exception for rule {}".format(file)) + print("Error: {}".format(err)) + print("Maybe you created an empty falsepositive item?") + + self.assertEqual(faulty_rules, [], Fore.RED + + "There are rules with false positives that don't start with a capital letter (e.g. 
'unknown' should be 'Unknown')") + + def test_optional_falsepositives_blocked_content(self): + faulty_rules = [] + banned_words = ["none", "pentest", "penetration test"] + common_typos = ["unkown", "ligitimate", "legitim ", "legitimeate"] + for file in self.yield_next_rule_file_path(self.path_to_rules): + fps = self.get_rule_part(file_path=file, part_name="falsepositives") + if fps: + for fp in fps: + for typo in common_typos: + if fp == "Unknow" or typo in fp.lower(): + print(Fore.YELLOW + "Rule {} defines a falsepositive with a common typo: '{}'.".format(file, typo)) + faulty_rules.append(file) + for banned_word in banned_words: + if banned_word in fp.lower(): + print(Fore.YELLOW + "Rule {} defines a falsepositive with an invalid reason: '{}'.".format(file, banned_word)) + faulty_rules.append(file) + + self.assertEqual(faulty_rules, [], Fore.RED + + "There are rules with invalid false positive definitions (e.g. Pentest, None or common typos)") + # Upgrade Detection Rule License 1.1 def test_optional_author(self): faulty_rules = [] @@ -490,7 +527,7 @@ class TestRules(unittest.TestCase): print(Fore.YELLOW + "Rule {} has a 'author' field that isn't a string.".format(file)) faulty_rules.append(file) - self.assertEqual(faulty_rules, [], Fore.RED + + self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with malformed 'author' fields. (has to be a string even if it contains many author)") def test_optional_license(self): @@ -524,7 +561,7 @@ class TestRules(unittest.TestCase): print(Fore.YELLOW + "Rule {} has a 'tlp' field with not valid value.".format(file)) faulty_rules.append(file) - self.assertEqual(faulty_rules, [], Fore.RED + + self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with malformed optional 'tlp' fields. (https://www.cisa.gov/tlp)") def test_optional_target(self): 
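Review bot: In `test_optional_falsepositives_capital` the `except TypeError` branch prints a hint but never appends `file` to `faulty_rules`, so a rule with an empty (`None`) falsepositive item passes, and an empty-string item (`- ''`) raises IndexError from `fp[0]`, which the handler does not catch and which aborts the whole test with a traceback; change it to `except (TypeError, IndexError) as err:` and add `faulty_rules.append(file)` inside the handler. In `test_optional_falsepositives_blocked_content`, `fp.lower()` has no such guard and fails the same way on a `None` item, and the `fp == "Unknow"` comparison sits inside the typo loop, so it is re-evaluated once per typo and the message reports the loop variable rather than the offending text. The typo list also misses a spelling present elsewhere in this very diff (`legimate` in the context lines of registry_set_susp_service_installed.yml), and the trailing space in `"legitim "` means a false positive ending in `legitim` is not caught; a word-boundary pattern such as `re.search(r"\b(unkown|ligitimate|legitim|legimate|legitimeate)\b", fp.lower())` would be more robust. The substring test `banned_word in fp.lower()` will likewise flag innocent text such as `Nonetheless`.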
@@ -537,7 +574,7 @@ class TestRules(unittest.TestCase): print(Fore.YELLOW + "Rule {} has a 'target' field that isn't a list.".format(file)) faulty_rules.append(file) - self.assertEqual(faulty_rules, [], Fore.RED + + self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with malformed 'target' fields. (has to be a list of values even if it contains only a single value)") def test_references(self): @@ -554,7 +591,7 @@ class TestRules(unittest.TestCase): print(Fore.YELLOW + "Rule {} has a references field that isn't a list.".format(file)) faulty_rules.append(file) - self.assertEqual(faulty_rules, [], Fore.RED + + self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with malformed 'references' fields. (has to be a list of values even if it contains only a single value)") def test_references_plural(self): @@ -571,12 +608,12 @@ class TestRules(unittest.TestCase): def test_file_names(self): faulty_rules = [] name_lst = [] - filename_pattern = re.compile('[a-z0-9_]{10,70}\.yml') + filename_pattern = re.compile(r'[a-z0-9_]{10,70}\.yml') for file in self.yield_next_rule_file_path(self.path_to_rules): filename = os.path.basename(file) if filename in name_lst: print(Fore.YELLOW + "Rule {} is a duplicate file name.".format(file)) - faulty_rules.append(file) + faulty_rules.append(file) elif filename[-4:] != ".yml": print(Fore.YELLOW + "Rule {} has a invalid extension (.yml).".format(file)) faulty_rules.append(file) 
@@ -584,15 +621,15 @@ class TestRules(unittest.TestCase): print(Fore.YELLOW + "Rule {} has a file name too long >70.".format(file)) faulty_rules.append(file) elif len(filename) < 14: - print(Fore.YELLOW + "Rule {} has a file name too sort <10.".format(file)) + print(Fore.YELLOW + "Rule {} has a file name too short <10.".format(file)) faulty_rules.append(file) elif filename_pattern.match(filename) == None or not '_' in filename: print(Fore.YELLOW + "Rule {} has a file name that doesn't match our standard.".format(file)) faulty_rules.append(file) name_lst.append(filename) - self.assertEqual(faulty_rules, [], Fore.RED + - "There are rules with malformed file names (too short, too long, uppercase letters, a minus sign etc.). Please see the file names used in our repository and adjust your file names accordingly. The pattern for a valid file name is '[a-z0-9_]{10,70}\.yml' and it has to contain at least an underline character.") + self.assertEqual(faulty_rules, [], Fore.RED + + r'There are rules with malformed file names (too short, too long, uppercase letters, a minus sign etc.). Please see the file names used in our repository and adjust your file names accordingly. The pattern for a valid file name is \'[a-z0-9_]{10,70}\.yml\' and it has to contain at least an underline character.') def test_title(self): faulty_rules = [] @@ -630,6 +667,9 @@ class TestRules(unittest.TestCase): if title.startswith("Detects "): print(Fore.RED + "Rule {} has a title that starts with 'Detects'".format(file)) faulty_rules.append(file) + if title.endswith("."): + print(Fore.RED + "Rule {} has a title that ends with '.'".format(file)) + faulty_rules.append(file) wrong_casing = [] for word in title.split(" "): if word.islower() and not word.lower() in allowed_lowercase_words and not "." in word and not "/" in word and not word[0].isdigit(): 
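Review bot: The new assertion message in `test_file_names` is a raw string, so the `\'` escapes are not consumed: the value keeps the backslashes and the printed text reads `...name is \'[a-z0-9_]{10,70}\.yml\' and...`. Use a double-quoted raw string instead, `r"There are rules with malformed file names (too short, too long, uppercase letters, a minus sign etc.). Please see the file names used in our repository and adjust your file names accordingly. The pattern for a valid file name is '[a-z0-9_]{10,70}\.yml' and it has to contain at least an underline character."`, which keeps the regex backslash literal and prints plain quotes. The `len(filename) < 14` branch still reports `<10`, which presumably refers to the length without the `.yml` suffix; saying `<10 (excluding .yml)` in the message would spare rule authors the mismatch.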
@@ -638,9 +678,28 @@ class TestRules(unittest.TestCase): print(Fore.RED + "Rule {} has a title that has not title capitalization. Words: '{}'".format(file, ", ".join(wrong_casing))) faulty_rules.append(file) - self.assertEqual(faulty_rules, [], Fore.RED + + self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with non-conform 'title' fields. Please check: https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide#title") + def test_title_in_first_line(self): + faulty_rules = [] + for file in self.yield_next_rule_file_path(self.path_to_rules): + yaml = self.get_rule_yaml(file) + + # skip multi-part yaml + if len(yaml) > 1: + continue + + # this propably is not the best way to check whether + # title is the attribute given in the 1st line + # (also assumes dict keeps the order from the input file) + if list(yaml[0].keys())[0] != "title": + print(Fore.RED + "Rule {} does not have its 'title' attribute in the first line".format(file)) + faulty_rules.append(file) + + self.assertEqual(faulty_rules, [], Fore.RED + + "There are rules without the 'title' attribute in their first line.") + def test_invalid_logsource_attributes(self): faulty_rules = [] valid_logsource = [ @@ -654,7 +713,7 @@ class TestRules(unittest.TestCase): if not logsource: print(Fore.RED + "Rule {} has no 'logsource'.".format(file)) faulty_rules.append(file) - continue + continue valid = True for key in logsource: if key.lower() not in valid_logsource: 
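Review bot: `test_title_in_first_line` indexes `list(yaml[0].keys())[0]` without guarding an empty mapping, so a rule file whose first document is empty aborts the test with IndexError instead of being reported; `first_key = next(iter(yaml[0]), None)` followed by `if first_key != "title":` avoids that. The comment's hedge about dict ordering can be stated definitively if the suite runs on CPython 3.7 or newer: dicts preserve insertion order there and PyYAML constructs mappings in document order, so the first key is the first attribute of the file. Skipping every multi-document file means rule collections are never checked; if the first document of a collection is expected to carry `title` as well, checking `yaml[0]` there too would close that gap, though I cannot confirm that expectation from the hunk. `get_rule_yaml` is defined outside this hunk; the above assumes it returns the list of parsed documents.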
@@ -666,33 +725,80 @@ class TestRules(unittest.TestCase): if not valid: faulty_rules.append(file) - self.assertEqual(faulty_rules, [], Fore.RED + + self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with non-conform 'logsource' fields. Please check: https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide#log-source") - + def test_selection_list_one_value(self): faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): - detection = self.get_rule_part(file_path=file, part_name="detection") - if detection: - valid = True - for key in detection: - if isinstance(detection[key],list): - if len(detection[key]) == 1 and not isinstance(detection[key][0],str): #rule with only list of Keywords term + detection = self.get_rule_part(file_path=file, part_name="detection") + if detection: + valid = True + for key in detection: + if isinstance(detection[key],list): + if len(detection[key]) == 1 and not isinstance(detection[key][0],str): #rule with only list of Keywords term print(Fore.RED + "Rule {} has the selection ({}) with a list of only 1 element in detection".format(file, key)) valid = False - #deactivate because more than 170 rules have to be corrected - # if isinstance(detection[key],dict): - # for sub_key in detection[key]: - # if isinstance(detection[key][sub_key],list): #split in 2 if as get a error "int has not len()" - # if len(detection[key][sub_key]) == 1: - # print (Fore.RED + "Rule {} has the selection ({}/{}) with a list of only 1 value in detection".format(file, key, sub_key)) - # #valid = False - if not valid: - faulty_rules.append(file) - + if isinstance(detection[key],dict): + for sub_key in detection[key]: + if isinstance(detection[key][sub_key],list): #split in 2 if as get a error "int has not len()" + if len(detection[key][sub_key]) == 1: + print (Fore.RED + "Rule {} has the selection ({}/{}) with a list of only 1 value in detection".format(file, key, sub_key)) + valid = False + if not valid: + 
faulty_rules.append(file) + self.assertEqual(faulty_rules, [], Fore.RED + "There are rules using list with only 1 element") + def test_unused_selection(self): + faulty_rules = [] + for file in self.yield_next_rule_file_path(self.path_to_rules): + detection = self.get_rule_part(file_path=file, part_name="detection") + condition = detection["condition"] + wildcard_selections = re.compile(r"\sof\s([\w\*]+)(?:$|\s|\))") + + # skip rules containing aggregations + if type(condition) == list: + continue + + for selection in detection: + if selection == "condition": + continue + if selection == "timeframe": + continue + if selection in condition: + continue + # find all wildcards in condition + found = False + for wildcard_selection in wildcard_selections.findall(condition): + # wildcard matches selection + if re.search(wildcard_selection.replace(r"*", r".*"), selection) is not None: + found = True + break + # selection was not found in condition + if not found: + print(Fore.RED + "Rule {} has an unused selection '{}'".format(file, selection)) + faulty_rules.append(file) + + self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with unused selections") + + def test_all_value_modifier_single_item(self): + faulty_rules = [] + for file in self.yield_next_rule_file_path(self.path_to_rules): + detection = self.get_rule_part(file_path=file, part_name="detection") + if detection: + for search_identifier in detection: + if isinstance(detection[search_identifier],dict): + for field in detection[search_identifier]: + if "|all" in field and not isinstance(detection[search_identifier][field],list): + print (Fore.RED + "Rule {} uses the 'all' modifier on a single item in selection ({}/{})".format(file, search_identifier, field)) + faulty_rules.append(file) + + self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with |all modifier only having one item. " + + "Single item values are not allowed to have an all modifier as some back-ends cannot support it. 
" + + "If you use it as a workaround to duplicate a field in a selection, use a new selection instead.") + def test_condition_operator_casesensitive(self): faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): @@ -707,13 +813,13 @@ class TestRules(unittest.TestCase): elif item.lower() == 'and' and not item == 'and': valid = False elif item.lower() == 'not' and not item == 'not': - valid = False + valid = False elif item.lower() == 'of' and not item == 'of': - valid = False + valid = False if not valid: print(Fore.RED + "Rule {} has a invalid condition '{}' : 'or','and','not','of' are lowercase".format(file,detection["condition"])) faulty_rules.append(file) - + self.assertEqual(faulty_rules, [], Fore.RED + "There are rules using condition whitout lowercase operator") def get_mitre_data(): @@ -728,7 +834,7 @@ def get_mitre_data(): MITRE_PHASE_NAMES = set() MITRE_TOOLS = [] MITRE_GROUPS = [] - # Techniques + # Techniques enterprise_techniques = lift.get_enterprise_techniques() for t in enterprise_techniques: MITRE_TECHNIQUE_NAMES.append(t['name'].lower().replace(' ', '_').replace('-', '_')) @@ -757,7 +863,7 @@ def get_mitre_data(): if 'external_id' in r: MITRE_GROUPS.append(r['external_id'].lower()) - # Debugging + # Debugging print("MITRE ATT&CK LIST LENGTHS: %d %d %d %d %d" % (len(MITRE_TECHNIQUES), len(MITRE_TECHNIQUE_NAMES), len(list(MITRE_PHASE_NAMES)), len(MITRE_GROUPS), len(MITRE_TOOLS))) # Combine all IDs to a big tag list diff --git a/tools/config/hawk.yml b/tools/config/hawk.yml index c0cf3838f..d97911d79 100644 --- a/tools/config/hawk.yml +++ b/tools/config/hawk.yml 
@@ -233,7 +233,304 @@ logsources: zeek: product: zeek conditions: - vendor_name: "Zeek IDS" + vendor_name: "Zeek" + vendor_type: "IDS" + zeek-category-firewall: + category: firewall + rewrite: + product: zeek + service: conn + zeek-category-dns: + category: dns + rewrite: + product: zeek + service: dns + zeek-category-proxy: + category: proxy + rewrite: + product: zeek + service: http + zeek-conn: + product: zeek + service: conn + conditions: + hawk_source: "conn.log" + zeek-conn_long: + product: zeek + service: conn_long + conditions: + hawk_source: "conn_long.log" + zeek-dce_rpc: + product: zeek + service: dce_rpc + conditions: + hawk_source: "dce_rpc.log" + zeek-dns: + product: zeek + service: dns + conditions: + hawk_source: "dns.log" + zeek-dnp3: + product: zeek + service: dnp3 + conditions: + hawk_source: "dnp3.log" + zeek-dpd: + product: zeek + service: dpd + conditions: + hawk_source: "dpd.log" + zeek-files: + product: zeek + service: files + conditions: + hawk_source: "files.log" + zeek-ftp: + product: zeek + service: ftp + conditions: + hawk_source: "ftp.log" + zeek-gquic: + product: zeek + service: gquic + conditions: + hawk_source: "gquic.log" + zeek-http: + product: zeek + service: http + conditions: + hawk_source: "http.log" + zeek-http2: + product: zeek + service: http2 + conditions: + hawk_source: "http2.log" + zeek-intel: + product: zeek + service: intel + conditions: + hawk_source: "intel.log" + zeek-irc: + product: zeek + service: irc + conditions: + hawk_source: "irc.log" + zeek-kerberos: + product: zeek + service: kerberos + conditions: + hawk_source: "kerberos.log" + zeek-known_certs: + product: zeek + service: known_certs + conditions: + hawk_source: "known_certs.log" + zeek-known_hosts: + product: zeek + service: known_hosts + conditions: + hawk_source: "known_hosts.log" + zeek-known_modbus: + product: zeek + service: known_modbus + conditions: + hawk_source: "known_modbus.log" + zeek-known_services: + product: zeek + service: known_services 
+ conditions: + hawk_source: "known_services.log" + zeek-modbus: + product: zeek + service: modbus + conditions: + hawk_source: "modbus.log" + zeek-modbus_register_change: + product: zeek + service: modbus_register_change + conditions: + hawk_source: "modbus_register_change.log" + zeek-mqtt_connect: + product: zeek + service: mqtt_connect + conditions: + hawk_source: "mqtt_connect.log" + zeek-mqtt_publish: + product: zeek + service: mqtt_publish + conditions: + hawk_source: "mqtt_publish.log" + zeek-mqtt_subscribe: + product: zeek + service: mqtt_subscribe + conditions: + hawk_source: "mqtt_subscribe.log" + zeek-mysql: + product: zeek + service: mysql + conditions: + hawk_source: "mysql.log" + zeek-notice: + product: zeek + service: notice + conditions: + hawk_source: "notice.log" + zeek-ntlm: + product: zeek + service: ntlm + conditions: + hawk_source: "ntlm.log" + zeek-ntp: + product: zeek + service: ntp + conditions: + hawk_source: "ntp.log" + zeek-ocsp: + product: zeek + service: ntp + conditions: + hawk_source: "ocsp.log" + zeek-pe: + product: zeek + service: pe + conditions: + hawk_source: "pe.log" + zeek-pop3: + product: zeek + service: pop3 + conditions: + hawk_source: "pop3.log" + zeek-radius: + product: zeek + service: radius + conditions: + hawk_source: "radius.log" + zeek-rdp: + product: zeek + service: rdp + conditions: + hawk_source: "rdp.log" + zeek-rfb: + product: zeek + service: rfb + conditions: + hawk_source: "rfb.log" + zeek-sip: + product: zeek + service: sip + conditions: + hawk_source: "sip.log" + zeek-smb_files: + product: zeek + service: smb_files + conditions: + hawk_source: "smb_files.log" + zeek-smb_mapping: + product: zeek + service: smb_mapping + conditions: + hawk_source: "smb_mapping.log" + zeek-smtp: + product: zeek + service: smtp + conditions: + hawk_source: "smtp.log" + zeek-smtp_links: + product: zeek + service: smtp_links + conditions: + hawk_source: "smtp_links.log" + zeek-snmp: + product: zeek + service: snmp + conditions: + 
hawk_source: "snmp.log" + zeek-socks: + product: zeek + service: socks + conditions: + hawk_source: "socks.log" + zeek-software: + product: zeek + service: software + conditions: + hawk_source: "software.log" + zeek-ssh: + product: zeek + service: ssh + conditions: + hawk_source: "ssh.log" + zeek-ssl: + product: zeek + service: ssl + conditions: + hawk_source: "tls.log" + zeek-tls: # In case people call it TLS even though orig log is called ssl, but dataset is tls so may cause confusion so cover that + product: zeek + service: tls + conditions: + hawk_source: "tls.log" + zeek-syslog: + product: zeek + service: syslog + conditions: + hawk_source: "syslog.log" + zeek-tunnel: + product: zeek + service: tunnel + conditions: + hawk_source: "tunnel.log" + zeek-traceroute: + product: zeek + service: traceroute + conditions: + hawk_source: "traceroute.log" + zeek-weird: + product: zeek + service: weird + conditions: + hawk_source: "weird.log" + zeek-x509: + product: zeek + service: x509 + conditions: + hawk_source: "x509.log" + zeek-ip_search: + product: zeek + service: network + conditions: + hawk_source: + - "conn.log" + - "conn_long.log" + - "dce_rpc.log" + - "dhcp.log" + - "dnp3.log" + - "dns.log" + - "ftp.log" + - "gquic.log" + - "http.log" + - "irc.log" + - "kerberos.log" + - "modbus.log" + - "mqtt_connect.log" + - "mqtt_publish.log" + - "mqtt_subscribe.log" + - "mysql.log" + - "ntlm.log" + - "ntp.log" + - "radius.log" + - "rfb.log" + - "sip.log" + - "smb_files.log" + - "smb_mapping.log" + - "smtp.log" + - "smtp_links.log" + - "snmp.log" + - "socks.log" + - "ssh.log" + - "tls.log" #SSL + - "tunnel.log" + - "weird.log" azure-signin: product: azure service: signinlogs @@ -258,6 +555,11 @@ logsources: conditions: vendor_name: "Microsoft" product_name: "Azure" + microsoft-servicebus-client: + product: windows + service: microsoft-servicebus-client + conditions: + channel: 'Microsoft-ServiceBus-Client' windows-application: product: windows service: application 
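Review bot: The `zeek-ocsp` logsource entry in this hunk carries `service: ntp` while its condition is `hawk_source: "ocsp.log"`, so a rule written for `service: ocsp` never resolves to it and a rule for `service: ntp` now matches two entries; it should read `service: ocsp`. The `zeek-ssl` entry maps to `tls.log`, which is only explained on the neighbouring `zeek-tls` entry — a comment on `zeek-ssl` itself, e.g. `# Zeek writes ssl.log, but the HAWK dataset is named tls.log`, would stop the next editor from reverting it. The `zeek-ip_search` list also omits `rdp.log` and `http2.log` although entries for them were added above; if that is deliberate, a one-line comment stating the inclusion criterion would help.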
@@ -351,6 +653,14 @@ logsources: conditions: product_name: 'PowerShell' vendor_id: 4104 + windows-ps-classic-start: + category: ps_classic_start + product: windows + conditions: + EventID: 400 + rewrite: + product: windows + service: powershell-classic windows-ps-classic-provider: product: windows category: ps_classic_provider_start @@ -430,6 +740,9 @@ logsources: conditions: product_name: "Sysmon" vendor_id: 14 + #dns: + # category: dns + # conditions: qflow: product: qflow netflow: @@ -537,7 +850,6 @@ fieldmappings: DetectionSource: value Priority: event_priority event_type_id: vendor_id - eventtype: vendor_type destination.port: ip_dport user: correlation_username User: correlation_username @@ -568,3 +880,14 @@ fieldmappings: user-agent: http_user_agent cs-User-Agent: http_user_agent r-dns: http_host + id.orig_h: ip_src + id.orig_p: ip_src_port + id.resp_h: ip_dst + id.resp_p: ip_dst_port + host: ip_src + hostname: ip_src_host + port_num: ip_dst_port + query: dns_query + orig_ip_bytes: net_if_out_bytes + resp_ip_bytes: net_if_in_bytes + QNAME: qname diff --git a/tools/sigma/backends/hawk.py b/tools/sigma/backends/hawk.py index 71d897fe4..20a064d18 100644 --- a/tools/sigma/backends/hawk.py +++ b/tools/sigma/backends/hawk.py @@ -199,6 +199,10 @@ class HAWKBackend(SingleTextQueryBackend): if key.lower() in ("logname","source"): self.logname = value if type(value) == str and "*" in value: + + if (nodeRet['key'] == 'correlation_username' or nodeRet['key'] == 'target_username') and 'NT AUTHORITY\\SYS' in value.upper(): + value = value.replace('NT AUTHORITY\\SYSTEM', 'SYSTEM') + value = value.replace("*", "EEEESTAREEE") value = re.escape(value) value = value.replace("EEEESTAREEE", ".*") 
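Review bot: The new `windows-ps-classic-start` entry conditions on `EventID: 400`, whereas every other event-ID condition visible in this file uses the HAWK column `vendor_id` (`vendor_id: 4104` two lines above and `vendor_id: 14` for Sysmon), so this entry most likely never matches unless `EventID` is itself a HAWK column name; `vendor_id: 400` would be consistent with the rest of the file. If `EventID` is intentional, a comment explaining why this one entry differs would prevent it being "fixed" later.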
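Review bot: The `fieldmappings` additions at the end of this file are global, so `host: ip_src`, `hostname: ip_src_host`, `port_num: ip_dst_port` and `query: dns_query` now rewrite those field names for every rule, not only for the Zeek logsources they were evidently written for; unless every product populates `ip_src`/`dns_query` for those fields, non-Zeek rules using `host` or `query` silently change meaning. If the config format supports conditional mappings, scoping these to `product: zeek` would be safer; otherwise a comment such as `# Zeek id.*/query fields — note these apply to all products` should record the intent. The hunk at -537 also drops `eventtype: vendor_type` while the new Zeek entry conditions on `vendor_type: "IDS"`; rules that still reference `eventtype` will now pass that field through unmapped, which may be intended but is not stated anywhere in the diff.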
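Review bot: The new `NT AUTHORITY\SYSTEM` normalisation tests the value case-insensitively (`'NT AUTHORITY\\SYS' in value.upper()`) but replaces case-sensitively, so a value such as `nt authority\system` or `NT Authority\System` passes the guard and is emitted unchanged; the same block is pasted into the hunks at -240, -255, -302, -336 and -354. In the `else:` branch at -255 the guard calls `value.upper()` without a type check, so if a non-string value (a numeric event ID, say) can reach that branch it raises `AttributeError` — the enclosing `if` is outside the hunk, so I cannot confirm which values arrive there. A single helper that matches with `re.IGNORECASE` and skips non-strings, called as `value = self._normalizeSystemAccount(nodeRet['key'], value)` at each of the six sites, fixes both and removes the duplication; the enclosing method of this hunk starts outside it.
```python
    # Username columns whose value may name the local SYSTEM account.
    _USERNAME_KEYS = ('correlation_username', 'target_username')
    _SYSTEM_ACCOUNT = re.compile(r'NT AUTHORITY\\SYSTEM', re.IGNORECASE)

    def _normalizeSystemAccount(self, key, value):
        """Return `value` with 'NT AUTHORITY\\SYSTEM' shortened to 'SYSTEM'.

        Only applied to the username keys; non-string values are returned
        untouched so numeric comparisons never hit str methods. The match is
        case-insensitive so the guard and the replacement cannot disagree.
        """
        if key not in self._USERNAME_KEYS or not isinstance(value, str):
            return value
        return self._SYSTEM_ACCOUNT.sub('SYSTEM', value)

    # … unchanged: the enclosing method up to the wildcard branch …
            if type(value) == str and "*" in value:
                value = self._normalizeSystemAccount(nodeRet['key'], value)
                value = value.replace("*", "EEEESTAREEE")
    # … unchanged: re.escape and the remaining sites, each replaced by the same one-line call …
```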
@@ -240,6 +244,9 @@ class HAWKBackend(SingleTextQueryBackend): if value[0:17] == 'Microsoft-Windows': value = value[18:] + if (nodeRet['key'] == 'correlation_username' or nodeRet['key'] == 'target_username') and 'NT AUTHORITY\\SYS' in value.upper(): + value = value.replace('NT AUTHORITY\\SYSTEM', 'SYSTEM') + nodeRet['args']['str']['value'] = value # return json.dumps(nodeRet) return nodeRet @@ -255,6 +262,10 @@ class HAWKBackend(SingleTextQueryBackend): #return json.dumps(nodeRet) return nodeRet else: + + if (nodeRet['key'] == 'correlation_username' or nodeRet['key'] == 'target_username') and 'NT AUTHORITY\\SYS' in value.upper(): + value = value.replace('NT AUTHORITY\\SYSTEM', 'SYSTEM') + nodeRet['args']['str']['value'] = value if notNode: nodeRet["args"]["comparison"]["value"] = "!=" @@ -302,6 +313,8 @@ class HAWKBackend(SingleTextQueryBackend): nodeRet['args']['str']['value'] = 'null' ret['children'].append( nodeRet ) elif type(item) == str and "*" in item: + if (nodeRet['key'] == 'correlation_username' or nodeRet['key'] == 'target_username') and 'NT AUTHORITY\\SYS' in item.upper(): + item = item.replace('NT AUTHORITY\\SYSTEM', 'SYSTEM') item = item.replace("*", "EEEESTAREEE") item = re.escape(item) item = item.replace("EEEESTAREEE", ".*") @@ -316,6 +329,7 @@ class HAWKBackend(SingleTextQueryBackend): if item[-2:] == "\\\\": item = item[:-2] + if endsWith and not startsWith: nodeRet['args']['str']['value'] = item + "$" elif startsWith and not endsWith: 
@@ -336,11 +350,16 @@ class HAWKBackend(SingleTextQueryBackend): # custom, since we trim up string size in log to save bytes key = nodeRet['key'] value = nodeRet['args']['str']['value'] + + if (nodeRet['key'] == 'correlation_username' or nodeRet['key'] == 'target_username') and 'NT AUTHORITY\\SYS' in value.upper(): + value = value.replace('NT AUTHORITY\\SYSTEM', 'SYSTEM') + if key == 'provider__name': nodeRet['key'] = "product_name" if value[0:17] == 'Microsoft-Windows': value = value[18:] - nodeRet['args']['str']['value'] = value + + nodeRet['args']['str']['value'] = value ret['children'].append( nodeRet ) retAnd = { "id" : "and", "key": "And", "children" : [ ret ] } @@ -354,6 +373,10 @@ class HAWKBackend(SingleTextQueryBackend): nodeRet['rule_id'] = str(uuid.uuid4()) if type(value) == SigmaRegularExpressionModifier: value = self.generateValueNode(value, True) + + if (nodeRet['key'] == 'correlation_username' or nodeRet['key'] == 'target_username') and 'NT AUTHORITY\\SYS' in value.upper(): + value = value.replace('NT AUTHORITY\\SYSTEM', 'SYSTEM') + nodeRet['args']['str']['value'] = value nodeRet['args']['str']['regex'] = "true" if notNode: @@ -412,7 +435,7 @@ class HAWKBackend(SingleTextQueryBackend): "limit" : { "order" : "3", "source" : "time_offset", "type" : "int", "objectKey" : "limit" }, }, "args": { - "columns" : [ self.cleanKey(agg.groupfield) ], + "columns" : [ "ip_src", self.cleanKey(agg.groupfield) ], "comparison": { "value": "%s" % agg.cond_op }, "threshold": { "value": int(agg.condition) }, "limit": { "value": min_count } @@ -434,7 +457,7 @@ class HAWKBackend(SingleTextQueryBackend): "limit" : { "order" : "3", "source" : "time_offset", "type" : "int", "objectKey" : "limit" }, }, "args": { - "columns" : [ self.cleanKey(agg.groupfield) ], + "columns" : [ "ip_src", self.cleanKey(agg.groupfield) ], "comparison": { "value": "%s" % agg.cond_op }, "threshold": { "value": int(agg.condition) }, "limit": { "value": min_count }
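Review bot: Prepending `"ip_src"` to `columns` in the two aggregation builders at -412 and -434 silently changes the grouping of every `count() by <field>` rule: the threshold is now evaluated per (source IP, group field) pair, so activity spread across several source addresses against one target no longer sums up, and a rule whose log source has no `ip_src` column may never reach its threshold. If HAWK's correlation engine requires a source-IP key, that constraint belongs in a comment, e.g. `# HAWK correlations are always keyed by ip_src in addition to the rule's group field`, and the extra key would be better as a backend option than a literal repeated in both builders. Both enclosing methods start outside their hunks.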