From 9f608172ab5bc67195c2c50580f69d20b3e699e2 Mon Sep 17 00:00:00 2001
From: jstnk9
Date: Wed, 4 May 2022 15:29:14 +0200
Subject: [PATCH 01/54] Create registry_set_scr_file_executed_by_rundll32.yml
---
...stry_set_scr_file_executed_by_rundll32.yml | 33 +++++++++++++++++++
1 file changed, 33 insertions(+)
create mode 100644 rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml
diff --git a/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml b/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml
new file mode 100644
index 000000000..8f609fcbd
--- /dev/null
+++ b/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml
@@ -0,0 +1,33 @@
+title: Registry Key set after .scr file execution with Rundll32
+id: 40b6e656-4e11-4c0c-8772-c1cc6dae34ce
+description: Detects registry key established after .scr file execution using Rundll32 through desk.cpl
+status: experimental
+date: 2022/05/04
+modified: 2022/05/04
+author: Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)
+references:
+ - https://twitter.com/VakninHai/status/1517027824984547329
+ - https://twitter.com/pabraeken/status/998627081360695297
+logsource:
+ product: windows
+ category: registry_set
+detection:
+ selection:
+ EventType: SetValue
+ Image|endswith: '\rundll32.exe'
+ registry_1:
+ TargetObject|contains: '\Control Panel\Desktop\ScreenSaveActive'
+ Details: '1'
+ registry_2:
+ TargetObject|contains: '\Control Panel\Desktop\ScreenSaveTimeOut'
+ Details: 900
+ registry_3:
+ TargetObject|contains: '\Control Panel\Desktop\SCRNSAVE.EXE'
+ Details|endswith: '.scr'
+ condition: selection and 1 of registry_*
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1218.011
\ No newline at end of file
From d632b9438a212e4ace7b41a2b85138acfd0dc312 Mon Sep 17 00:00:00 2001
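Review bot: `Details: '1'` in registry_1 and `Details: 900` in registry_2 are exact-match values that will not match if this category is fed by Sysmon registry events (EID 13), which report REG_DWORD data in Details as `DWORD (0x00000001)` / `DWORD (0x00000384)` rather than a bare decimal, leaving registry_3 as the only selection that can fire. `900` is also the only unquoted scalar of the three Details checks, so it is typed as an integer while its sibling `'1'` is a string; either quote it (`Details: '900'`) or use the Sysmon rendering. Because a SCRNSAVE.EXE value pointing at an arbitrary .scr corresponds to the ATT&CK screensaver persistence sub-technique, `tags` could carry `attack.persistence` and `attack.t1546.002` next to the rundll32 tag. The file also lacks a trailing newline (`\ No newline at end of file`).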
From: jstnk9
Date: Wed, 4 May 2022 16:13:36 +0200
Subject: [PATCH 02/54] Update registry_set_scr_file_executed_by_rundll32.yml
---
.../registry_set/registry_set_scr_file_executed_by_rundll32.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml b/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml
index 8f609fcbd..62c96fd6e 100644
--- a/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml
+++ b/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml
@@ -8,6 +8,7 @@ author: Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)
 references:
 - https://twitter.com/VakninHai/status/1517027824984547329
 - https://twitter.com/pabraeken/status/998627081360695297
+ - https://jstnk9.github.io/jstnk9/research/InstallScreenSaver-SCR-files
 logsource:
 product: windows
 category: registry_set
From 111b4f76232eae1d78f1468e7d17f90f6738ab32 Mon Sep 17 00:00:00 2001
From: jstnk9
Date: Fri, 6 May 2022 10:31:40 +0200
Subject: [PATCH 03/54] added filter
---
...istry_set_scr_file_executed_by_rundll32.yml | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml b/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml
index 62c96fd6e..9a496aa04 100644
--- a/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml
+++ b/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml
@@ -16,18 +16,18 @@ detection:
 selection:
 EventType: SetValue
 Image|endswith: '\rundll32.exe'
- registry_1:
- TargetObject|contains: '\Control Panel\Desktop\ScreenSaveActive'
- Details: '1'
- registry_2:
- TargetObject|contains: '\Control Panel\Desktop\ScreenSaveTimeOut'
- Details: 900
- registry_3:
+ registry:
 TargetObject|contains: '\Control Panel\Desktop\SCRNSAVE.EXE'
 Details|endswith: '.scr'
- condition: selection and 1 of registry_*
+ filter:
+ Details|contains:
+ - 'C:\Windows\System32\'
+ - 'C:\Windows\SysWOW64\'
+ - 'C:\Windows\system32\'
+ - 'C:\Windows\SysWow64\'
+ condition: selection and registry and not filter
 falsepositives:
- - Unknown
+ - legitimate use of screen saver
 level: medium
 tags:
 - attack.defense_evasion
From c3d01b94b48bf71c1de0aeb34c633ffb1d85f2b9 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sun, 8 May 2022 11:07:52 +0200
Subject: [PATCH 04/54] Explorer.exe FP
---
.../file_event/file_event_win_susp_dropper.yml | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/rules/windows/file_event/file_event_win_susp_dropper.yml b/rules/windows/file_event/file_event_win_susp_dropper.yml
index 46e8d1cd3..c41b3d5a5 100644
--- a/rules/windows/file_event/file_event_win_susp_dropper.yml
+++ b/rules/windows/file_event/file_event_win_susp_dropper.yml
@@ -6,7 +6,7 @@ author: frack113
 references:
 - Malware Sandbox
 date: 2022/03/09
-modified: 2022/04/28
+modified: 2022/05/08
 logsource:
 product: windows
 category: file_event
@@ -14,6 +14,11 @@ detection:
 selection:
 Image|endswith: '.exe'
 TargetFilename|endswith: '.exe'
+ filter_whitelist:
+ Image:
+ - 'C:\Windows\System32\msiexec.exe'
+ - 'C:\Windows\system32\cleanmgr.exe'
+ - 'C:\Windows\explorer.exe'
 filter_update:
 Image: 'C:\WINDOWS\system32\svchost.exe'
 TargetFilename|startswith: 'C:\Windows\SoftwareDistribution\Download\Install\'
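Review bot: The new `filter` uses `Details|contains` with `C:\Windows\System32\` and `C:\Windows\SysWOW64\`, so the exclusion applies to any SCRNSAVE.EXE value that merely contains that substring somewhere in the string, not only to screensavers actually located in the system directories; `Details|startswith` expresses the intended allow-list more tightly, and since Sigma string matching is case-insensitive the two lowercase variants add nothing on top of that. The diffstat shows 9 insertions and 9 deletions and this hunk accounts for all of them, so `modified` (line 6, outside the hunk) was not bumped although the detection logic changed; it should be set to the commit date. The new `falsepositives` entry `legitimate use of screen saver` also starts lowercase, unlike the other entries in this repository.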
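Review bot: `filter_whitelist` excludes `C:\Windows\explorer.exe` on `Image` alone, whereas the neighbouring `filter_update` pairs its Image with a `TargetFilename|startswith` constraint; an Image-only exclusion for the shell suppresses every .exe a user copies, moves or extracts through Explorer, which is arguably the population a dropper rule most wants to keep. Consider scoping the explorer.exe entry with a TargetFilename condition for the expected destination folders, or at least adding a `falsepositives` entry recording why a path-only exclusion was accepted. The list also mixes `System32` and `system32` within one sequence and differs from the `C:\WINDOWS` spelling in `filter_update` two lines below — harmless under Sigma's case-insensitive matching, but worth normalising for readability. The removal of `filter_msiexec` and `filter_cleanmgr` in the following hunk is a straight consolidation into this list and raises nothing on its own.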
@@ -21,10 +26,6 @@ detection: filter_tiworker: Image|startswith: 'C:\Windows\WinSxS\' Image|endswith: '\TiWorker.exe' - filter_msiexec: - Image: 'C:\Windows\System32\msiexec.exe' - filter_cleanmgr: - Image: 'C:\WINDOWS\system32\cleanmgr.exe' filter_programfiles: - Image|startswith: - 'C:\Program Files\' From 02fb704d9fcaafff2d030aa8070d7de019614d42 Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Mon, 9 May 2022 10:23:38 +0200 Subject: [PATCH 05/54] chore: remove trailing whitespace --- tests/test_rules.py | 90 ++++++++++++++++++++++----------------------- 1 file changed, 45 insertions(+), 45 deletions(-) diff --git a/tests/test_rules.py b/tests/test_rules.py index 0133f0b53..b947798e1 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py @@ -57,7 +57,7 @@ class TestRules(unittest.TestCase): # if extension != ".yml": # files_with_incorrect_extensions.append(file) - # self.assertEqual(files_with_incorrect_extensions, [], Fore.RED + + # self.assertEqual(files_with_incorrect_extensions, [], Fore.RED + # "There are rule files with extensions other than .yml") def test_legal_trademark_violations(self): @@ -70,9 +70,9 @@ class TestRules(unittest.TestCase): if tm in file_data: files_with_legal_issues.append(file) - self.assertEqual(files_with_legal_issues, [], Fore.RED + + self.assertEqual(files_with_legal_issues, [], Fore.RED + "There are rule files which contains a trademark or reference that doesn't comply with the respective trademark requirements - please remove the trademark to avoid legal issues") - + def test_optional_tags(self): files_with_incorrect_tags = [] tags_pattern = re.compile(r"cve\.\d+\.\d+|attack\.t\d+\.*\d*|attack\.[a-z_]+|car\.\d{4}-\d{2}-\d{3}") 
@@ -84,7 +84,7 @@ class TestRules(unittest.TestCase): print(Fore.RED + "Rule {} has the invalid tag <{}>".format(file, tag)) files_with_incorrect_tags.append(file) - self.assertEqual(files_with_incorrect_tags, [], Fore.RED + + self.assertEqual(files_with_incorrect_tags, [], Fore.RED + "There are rules with incorrect/unknown MITRE Tags. (please inform us about new tags that are not yet supported in our tests) and check the correct tags here: https://attack.mitre.org/ ") def test_confirm_correct_mitre_tags(self): @@ -98,7 +98,7 @@ class TestRules(unittest.TestCase): print(Fore.RED + "Rule {} has the following incorrect tag {}".format(file, tag)) files_with_incorrect_mitre_tags.append(file) - self.assertEqual(files_with_incorrect_mitre_tags, [], Fore.RED + + self.assertEqual(files_with_incorrect_mitre_tags, [], Fore.RED + "There are rules with incorrect/unknown MITRE Tags. (please inform us about new tags that are not yet supported in our tests) and check the correct tags here: https://attack.mitre.org/ ") def test_duplicate_tags(self): @@ -112,10 +112,10 @@ class TestRules(unittest.TestCase): if tag in known_tags: print(Fore.RED + "Rule {} has the duplicate tag {}".format(file, tag)) files_with_incorrect_mitre_tags.append(file) - else: + else: known_tags.append(tag) - self.assertEqual(files_with_incorrect_mitre_tags, [], Fore.RED + + self.assertEqual(files_with_incorrect_mitre_tags, [], Fore.RED + "There are rules with duplicate tags") def test_look_for_duplicate_filters(self): @@ -144,7 +144,7 @@ class TestRules(unittest.TestCase): detection = self.get_rule_part(file_path=file, part_name="detection") check_list_or_recurse_on_dict(detection, 1) - self.assertEqual(files_with_duplicate_filters, [], Fore.RED + + self.assertEqual(files_with_duplicate_filters, [], Fore.RED + "There are rules with duplicate filters") def test_field_name_with_space(self): 
@@ -202,28 +202,28 @@ class TestRules(unittest.TestCase): # detections not the same count can't be the same if len(detection1) != len(detection2): - return False - + return False + for named_condition in detection1: #don't check timeframes if named_condition == "timeframe": continue - - # condition clause must be the same too + + # condition clause must be the same too if named_condition == "condition": if detection1["condition"] != detection2["condition"]: return False else: continue - + # Named condition must exist in both rule files if named_condition not in detection2: return False - + #can not be the same if len is not equal if len(detection1[named_condition]) != len(detection2[named_condition]): return False - + for condition in detection1[named_condition]: if type(condition) != str: @@ -231,7 +231,7 @@ class TestRules(unittest.TestCase): if condition not in detection2[named_condition]: return False - + condition_value1 = detection1[named_condition][condition] condition_value2 = detection2[named_condition][condition] if condition_value1 != condition_value2: @@ -259,7 +259,7 @@ class TestRules(unittest.TestCase): files_and_their_detections[file] = detection - self.assertEqual(faulty_detections, [], Fore.YELLOW + + self.assertEqual(faulty_detections, [], Fore.YELLOW + "There are rule files with exactly the same detection logic.") def test_source_eventlog(self): @@ -271,7 +271,7 @@ class TestRules(unittest.TestCase): if "'source': 'eventlog'" in detection_str: faulty_detections.append(file) - self.assertEqual(faulty_detections, [], Fore.YELLOW + + self.assertEqual(faulty_detections, [], Fore.YELLOW + "There are detections with 'Source: Eventlog'. This does not add value to the detection.") def test_event_id_instead_of_process_creation(self): 
@@ -282,7 +282,7 @@ class TestRules(unittest.TestCase): if re.search(r'.*EventID: (?:1|4688)\s*$', line) and file not in faulty_detections: faulty_detections.append(file) - self.assertEqual(faulty_detections, [], Fore.YELLOW + + self.assertEqual(faulty_detections, [], Fore.YELLOW + "There are rules still using Sysmon 1 or Event ID 4688. Please migrate to the process_creation category.") def test_missing_id(self): @@ -295,14 +295,14 @@ class TestRules(unittest.TestCase): faulty_rules.append(file) elif len(id) != 36: print(Fore.YELLOW + "Rule {} has a malformed 'id' (not 36 chars).".format(file)) - faulty_rules.append(file) + faulty_rules.append(file) elif id in dict_id.keys(): print(Fore.YELLOW + "Rule {} has the same 'id' than {} must be unique.".format(file,dict_id[id])) faulty_rules.append(file) else: dict_id[id] = file - self.assertEqual(faulty_rules, [], Fore.RED + + self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with missing or malformed 'id' fields. Create an id (e.g. here: https://www.uuidgenerator.net/version4) and add it to the reported rule(s).") def test_optional_related(self): @@ -321,7 +321,7 @@ class TestRules(unittest.TestCase): print(Fore.YELLOW + "Rule {} has a 'related' field that isn't a list.".format(file)) faulty_rules.append(file) else: - # should probably test if we have only 'id' and 'type' ... + # should probably test if we have only 'id' and 'type' ... type_ok = True for ref in related_lst: id_str = ref['id'] @@ -333,7 +333,7 @@ class TestRules(unittest.TestCase): print(Fore.YELLOW + "Rule {} has a 'related/type' invalid value.".format(file)) faulty_rules.append(file) - self.assertEqual(faulty_rules, [], Fore.RED + + self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with malformed optional 'related' fields. (check https://github.com/SigmaHQ/sigma/wiki/Specification)") def test_sysmon_rule_without_eventid(self): 
@@ -352,7 +352,7 @@ class TestRules(unittest.TestCase): if not found: faulty_rules.append(file) - self.assertEqual(faulty_rules, [], Fore.RED + + self.assertEqual(faulty_rules, [], Fore.RED + "There are rules using sysmon events but with no EventID specified") def test_missing_date(self): @@ -405,7 +405,7 @@ class TestRules(unittest.TestCase): faulty_rules.append(file) elif modifiedfield[4] != '/' or modifiedfield[7] != '/': print(Fore.YELLOW + "Rule {} has a malformed 'modified' (should be YYYY/MM/DD).".format(file)) - faulty_rules.append(file) + faulty_rules.append(file) self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with malformed 'modified' fields. (create one, e.g. date: 2019/01/14)") @@ -424,11 +424,11 @@ class TestRules(unittest.TestCase): if status_str: if not status_str in valid_status: print(Fore.YELLOW + "Rule {} has a invalid 'status' (check wiki).".format(file)) - faulty_rules.append(file) + faulty_rules.append(file) elif status_str == "unsupported": print(Fore.YELLOW + "Rule {} has the unsupported 'status', can not be in rules directory".format(file)) faulty_rules.append(file) - + self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with malformed 'status' fields. (check https://github.com/SigmaHQ/sigma/wiki/Specification)") @@ -463,7 +463,7 @@ class TestRules(unittest.TestCase): print(Fore.YELLOW + "Rule {} has a 'fields' field that isn't a list.".format(file)) faulty_rules.append(file) - self.assertEqual(faulty_rules, [], Fore.RED + + self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with malformed optional 'fields' fields. (has to be a list of values even if it contains only a single value)") def test_optional_falsepositives(self): 
@@ -476,7 +476,7 @@ class TestRules(unittest.TestCase): print(Fore.YELLOW + "Rule {} has a 'falsepositives' field that isn't a list.".format(file)) faulty_rules.append(file) - self.assertEqual(faulty_rules, [], Fore.RED + + self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with malformed optional 'falsepositives' fields. (has to be a list of values even if it contains only a single value)") # Upgrade Detection Rule License 1.1 @@ -490,7 +490,7 @@ class TestRules(unittest.TestCase): print(Fore.YELLOW + "Rule {} has a 'author' field that isn't a string.".format(file)) faulty_rules.append(file) - self.assertEqual(faulty_rules, [], Fore.RED + + self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with malformed 'author' fields. (has to be a string even if it contains many author)") def test_optional_license(self): @@ -524,7 +524,7 @@ class TestRules(unittest.TestCase): print(Fore.YELLOW + "Rule {} has a 'tlp' field with not valid value.".format(file)) faulty_rules.append(file) - self.assertEqual(faulty_rules, [], Fore.RED + + self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with malformed optional 'tlp' fields. (https://www.cisa.gov/tlp)") def test_optional_target(self): @@ -537,7 +537,7 @@ class TestRules(unittest.TestCase): print(Fore.YELLOW + "Rule {} has a 'target' field that isn't a list.".format(file)) faulty_rules.append(file) - self.assertEqual(faulty_rules, [], Fore.RED + + self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with malformed 'target' fields. (has to be a list of values even if it contains only a single value)") def test_references(self): 
@@ -554,7 +554,7 @@ class TestRules(unittest.TestCase): print(Fore.YELLOW + "Rule {} has a references field that isn't a list.".format(file)) faulty_rules.append(file) - self.assertEqual(faulty_rules, [], Fore.RED + + self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with malformed 'references' fields. (has to be a list of values even if it contains only a single value)") def test_references_plural(self): @@ -576,7 +576,7 @@ class TestRules(unittest.TestCase): filename = os.path.basename(file) if filename in name_lst: print(Fore.YELLOW + "Rule {} is a duplicate file name.".format(file)) - faulty_rules.append(file) + faulty_rules.append(file) elif filename[-4:] != ".yml": print(Fore.YELLOW + "Rule {} has a invalid extension (.yml).".format(file)) faulty_rules.append(file) @@ -591,7 +591,7 @@ class TestRules(unittest.TestCase): faulty_rules.append(file) name_lst.append(filename) - self.assertEqual(faulty_rules, [], Fore.RED + + self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with malformed file names (too short, too long, uppercase letters, a minus sign etc.). Please see the file names used in our repository and adjust your file names accordingly. The pattern for a valid file name is '[a-z0-9_]{10,70}\.yml' and it has to contain at least an underline character.") def test_title(self): @@ -638,7 +638,7 @@ class TestRules(unittest.TestCase): print(Fore.RED + "Rule {} has a title that has not title capitalization. Words: '{}'".format(file, ", ".join(wrong_casing))) faulty_rules.append(file) - self.assertEqual(faulty_rules, [], Fore.RED + + self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with non-conform 'title' fields. Please check: https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide#title") def test_invalid_logsource_attributes(self): 
@@ -654,7 +654,7 @@ class TestRules(unittest.TestCase): if not logsource: print(Fore.RED + "Rule {} has no 'logsource'.".format(file)) faulty_rules.append(file) - continue + continue valid = True for key in logsource: if key.lower() not in valid_logsource: @@ -666,9 +666,9 @@ class TestRules(unittest.TestCase): if not valid: faulty_rules.append(file) - self.assertEqual(faulty_rules, [], Fore.RED + + self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with non-conform 'logsource' fields. Please check: https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide#log-source") - + def test_selection_list_one_value(self): faulty_rules = [] @@ -690,7 +690,7 @@ class TestRules(unittest.TestCase): # #valid = False if not valid: faulty_rules.append(file) - + self.assertEqual(faulty_rules, [], Fore.RED + "There are rules using list with only 1 element") def test_condition_operator_casesensitive(self): @@ -707,13 +707,13 @@ class TestRules(unittest.TestCase): elif item.lower() == 'and' and not item == 'and': valid = False elif item.lower() == 'not' and not item == 'not': - valid = False + valid = False elif item.lower() == 'of' and not item == 'of': - valid = False + valid = False if not valid: print(Fore.RED + "Rule {} has a invalid condition '{}' : 'or','and','not','of' are lowercase".format(file,detection["condition"])) faulty_rules.append(file) - + self.assertEqual(faulty_rules, [], Fore.RED + "There are rules using condition whitout lowercase operator") def get_mitre_data(): @@ -728,7 +728,7 @@ def get_mitre_data(): MITRE_PHASE_NAMES = set() MITRE_TOOLS = [] MITRE_GROUPS = [] - # Techniques + # Techniques enterprise_techniques = lift.get_enterprise_techniques() for t in enterprise_techniques: MITRE_TECHNIQUE_NAMES.append(t['name'].lower().replace(' ', '_').replace('-', '_')) 
@@ -757,7 +757,7 @@ def get_mitre_data():
 if 'external_id' in r:
 MITRE_GROUPS.append(r['external_id'].lower())
- # Debugging
+ # Debugging
 print("MITRE ATT&CK LIST LENGTHS: %d %d %d %d %d" % (len(MITRE_TECHNIQUES), len(MITRE_TECHNIQUE_NAMES), len(list(MITRE_PHASE_NAMES)), len(MITRE_GROUPS), len(MITRE_TOOLS)))
 # Combine all IDs to a big tag list
From 1c5ba05eb35fb4ba60b48af7fae31636ead7c4ba Mon Sep 17 00:00:00 2001
From: jstnk9
Date: Mon, 9 May 2022 10:44:55 +0200
Subject: [PATCH 06/54] Update registry_set_scr_file_executed_by_rundll32.yml
---
.../registry_set/registry_set_scr_file_executed_by_rundll32.yml | 2 --
1 file changed, 2 deletions(-)
diff --git a/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml b/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml
index 9a496aa04..a55309b67 100644
--- a/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml
+++ b/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml
@@ -23,8 +23,6 @@ detection:
 Details|contains:
 - 'C:\Windows\System32\'
 - 'C:\Windows\SysWOW64\'
- - 'C:\Windows\system32\'
- - 'C:\Windows\SysWow64\'
 condition: selection and registry and not filter
 falsepositives:
 - legitimate use of screen saver
From dbd68bf3f078619ba850686c621b0589667a4f73 Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Mon, 9 May 2022 13:37:43 +0200
Subject: [PATCH 07/54] chore: test rules: capitalization on FP list entries
Entires to the false positive list should begin with a capital letter. e.g. Unkown instead of unkown. Fixed the existing rules accordingly
---
...icrosoft365_impossible_travel_activity.yml | 2 +-
rules/network/zeek/zeek_dns_nkn.yml | 2 +-
.../zeek_smb_converted_win_lm_namedpipe.yml | 2 +-
rules/network/zeek/zeek_susp_kerberos_rc4.yml | 2 +-
rules/web/web_apache_threading_error.yml | 2 +-
rules/web/win_webshell_regeorg.yml | 2 +-
..._applocker_file_was_not_allowed_to_run.yml | 2 +-
.../security/win_account_discovery.yml | 2 +-
.../security/win_gpo_scheduledtasks.yml | 2 +-
.../security/win_lateral_movement_condrv.yml | 2 +-
.../builtin/security/win_lm_namedpipe.yml | 2 +-
.../security/win_privesc_cve_2020_1472.yml | 2 +-
.../win_system_application_sysmon_crash.yml | 2 +-
.../driver_load/driver_load_susp_temp_use.yml | 2 +-
.../file_event_win_susp_clr_logs.yml | 4 ++--
.../file_event_win_susp_desktop_ini.yml | 2 +-
.../image_load_uipromptforcreds_dlls.yml | 2 +-
.../net_connection_win_susp_rdp.yml | 2 +-
.../posh_pm_get_addbaccount.yml | 2 +-
.../proc_access_win_mimikatz_trough_winrm.yml | 2 +-
.../proc_creation_win_attrib_hiding_files.yml | 4 ++--
.../proc_creation_win_susp_csc_folder.yml | 4 ++--
.../proc_creation_win_susp_ngrok_pua.yml | 2 +-
...proc_creation_win_susp_squirrel_lolbin.yml | 8 +++----
.../proc_creation_win_susp_svchost_no_cli.yml | 6 +++---
...tion_win_susp_use_of_vsjitdebugger_bin.yml | 2 +-
...roc_creation_win_xsl_script_processing.yml | 2 +-
.../registry_set_powershell_in_run_keys.yml | 6 +++---
.../sysmon_wmi_event_subscription.yml | 2 +-
tests/test_rules.py | 21 ++++++++++++++++++-
30 files changed, 59 insertions(+), 40 deletions(-)
diff --git a/rules/cloud/m365/microsoft365_impossible_travel_activity.yml b/rules/cloud/m365/microsoft365_impossible_travel_activity.yml
index 11ff77811..7136534ab 100644
--- a/rules/cloud/m365/microsoft365_impossible_travel_activity.yml
+++ b/rules/cloud/m365/microsoft365_impossible_travel_activity.yml
@@ -18,7 +18,7 @@ detection:
 status: success
 condition: selection
 falsepositives:
- -
+ - Unknown
 level: medium
 tags:
 - attack.initial_access
diff --git a/rules/network/zeek/zeek_dns_nkn.yml b/rules/network/zeek/zeek_dns_nkn.yml
index eafbcd529..35c1bc3d6 100644
--- a/rules/network/zeek/zeek_dns_nkn.yml
+++ b/rules/network/zeek/zeek_dns_nkn.yml
@@ -24,5 +24,5 @@ fields:
 - id.resp_h
 - answers
 falsepositives:
- - unknown
+ - Unknown
 level: low
diff --git a/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml b/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml
index e9b886aa5..68c8c83f0 100644
--- a/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml
+++ b/rules/network/zeek/zeek_smb_converted_win_lm_namedpipe.yml
@@ -35,7 +35,7 @@ detection:
 - 'MsFteWds'
 condition: selection1 and not selection2
 falsepositives:
- - update the excluded named pipe to filter out any newly observed legit named pipe
+ - Update the excluded named pipe to filter out any newly observed legit named pipe
 level: high
 tags:
 - attack.lateral_movement
diff --git a/rules/network/zeek/zeek_susp_kerberos_rc4.yml b/rules/network/zeek/zeek_susp_kerberos_rc4.yml
index 173944db0..d71b2ec56 100644
--- a/rules/network/zeek/zeek_susp_kerberos_rc4.yml
+++ b/rules/network/zeek/zeek_susp_kerberos_rc4.yml
@@ -18,7 +18,7 @@ detection:
 service|startswith: '$'
 condition: selection and not computer_acct
 falsepositives:
- - normal enterprise SPN requests activity
+ - Normal enterprise SPN requests activity
 level: medium
 tags:
 - attack.credential_access
diff --git a/rules/web/web_apache_threading_error.yml b/rules/web/web_apache_threading_error.yml
index ca2c3e4e3..fdbf79f30 100644
--- a/rules/web/web_apache_threading_error.yml
+++ b/rules/web/web_apache_threading_error.yml
@@ -14,5 +14,5 @@ detection:
 - '__pthread_tpp_change_priority: Assertion `new_prio == -1 || (new_prio >= fifo_min_prio && new_prio <= fifo_max_prio)'
 condition: keywords
 falsepositives:
- - https://bz.apache.org/bugzilla/show_bug.cgi?id=46185
+ - 3rd party apache modules - https://bz.apache.org/bugzilla/show_bug.cgi?id=46185
 level: medium
diff --git a/rules/web/win_webshell_regeorg.yml b/rules/web/win_webshell_regeorg.yml
index 7e38813c7..145f51802 100644
--- a/rules/web/win_webshell_regeorg.yml
+++ b/rules/web/win_webshell_regeorg.yml
@@ -29,7 +29,7 @@ fields:
 - cs-method
 - cs-User-Agent
 falsepositives:
- - web applications that use the same URL parameters as ReGeorg
+ - Web applications that use the same URL parameters as ReGeorg
 level: high
 tags:
 - attack.persistence
diff --git a/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml b/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml
index 9e28f7ab9..85b0dd888 100644
--- a/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml
+++ b/rules/windows/builtin/applocker/win_applocker_file_was_not_allowed_to_run.yml
@@ -28,7 +28,7 @@ fields:
 - FileHash
 - Fqbn
 falsepositives:
- - need tuning applocker or add exceptions in SIEM
+ - Need tuning applocker or add exceptions in SIEM
 level: medium
 tags:
 - attack.execution
diff --git a/rules/windows/builtin/security/win_account_discovery.yml b/rules/windows/builtin/security/win_account_discovery.yml
index c5798b2c3..344bd7246 100644
--- a/rules/windows/builtin/security/win_account_discovery.yml
+++ b/rules/windows/builtin/security/win_account_discovery.yml
@@ -34,5 +34,5 @@ detection:
 - ObjectName|contains: 'admin'
 condition: selection and selection_object
 falsepositives:
- - if source account name is not an admin then its super suspicious
+ - If source account name is not an admin then its super suspicious
 level: high
diff --git a/rules/windows/builtin/security/win_gpo_scheduledtasks.yml b/rules/windows/builtin/security/win_gpo_scheduledtasks.yml
index 031277636..5ab6628d6 100644
--- a/rules/windows/builtin/security/win_gpo_scheduledtasks.yml
+++ b/rules/windows/builtin/security/win_gpo_scheduledtasks.yml
@@ -22,7 +22,7 @@ detection:
 - '%%4417'
 condition: selection
 falsepositives:
- - if the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks
+ - If the source IP is not localhost then it's super suspicious, better to monitor both local and remote changes to GPO scheduledtasks
 level: high
 tags:
 - attack.persistence
diff --git a/rules/windows/builtin/security/win_lateral_movement_condrv.yml b/rules/windows/builtin/security/win_lateral_movement_condrv.yml
index faf084994..9e5d69097 100644
--- a/rules/windows/builtin/security/win_lateral_movement_condrv.yml
+++ b/rules/windows/builtin/security/win_lateral_movement_condrv.yml
@@ -24,5 +24,5 @@ detection:
 ObjectName: '\Device\ConDrv'
 condition: selection
 falsepositives:
- - legal admin action
+ - Legal admin action
 level: low
diff --git a/rules/windows/builtin/security/win_lm_namedpipe.yml b/rules/windows/builtin/security/win_lm_namedpipe.yml
index a5a4abc1d..79fb3d013 100644
--- a/rules/windows/builtin/security/win_lm_namedpipe.yml
+++ b/rules/windows/builtin/security/win_lm_namedpipe.yml
@@ -38,7 +38,7 @@ detection:
 - 'sql\query'
 condition: selection1 and not false_positives
 falsepositives:
- - update the excluded named pipe to filter out any newly observed legit named pipe
+ - Update the excluded named pipe to filter out any newly observed legit named pipe
 level: high
 tags:
 - attack.lateral_movement
diff --git a/rules/windows/builtin/security/win_privesc_cve_2020_1472.yml b/rules/windows/builtin/security/win_privesc_cve_2020_1472.yml
index 225208a98..2a8eebdbd 100644
--- a/rules/windows/builtin/security/win_privesc_cve_2020_1472.yml
+++ b/rules/windows/builtin/security/win_privesc_cve_2020_1472.yml
@@ -23,6 +23,6 @@ detection:
 PasswordLastSet: '-'
 condition: selection and not filter
 falsepositives:
- - automatic DC computer account password change
+ - Automatic DC computer account password change
 - Legitimate DC computer account password change
 level: high
diff --git a/rules/windows/builtin/system/win_system_application_sysmon_crash.yml b/rules/windows/builtin/system/win_system_application_sysmon_crash.yml
index 953145060..5f73f0aee 100644
--- a/rules/windows/builtin/system/win_system_application_sysmon_crash.yml
+++ b/rules/windows/builtin/system/win_system_application_sysmon_crash.yml
@@ -14,7 +14,7 @@ detection:
 Caption: 'sysmon64.exe - Application Error'
 condition: selection
 falsepositives:
- - none
+ - Unknown
 level: high
 tags:
 - attack.t1562
diff --git a/rules/windows/driver_load/driver_load_susp_temp_use.yml b/rules/windows/driver_load/driver_load_susp_temp_use.yml
index fbaec49c6..3bd13f623 100755
--- a/rules/windows/driver_load/driver_load_susp_temp_use.yml
+++ b/rules/windows/driver_load/driver_load_susp_temp_use.yml
@@ -13,7 +13,7 @@ detection:
 ImageLoaded|contains: '\Temp\'
 condition: selection
 falsepositives:
- - there is a relevant set of false positives depending on applications in the environment
+ - There is a relevant set of false positives depending on applications in the environment
 level: high
 tags:
 - attack.persistence
diff --git a/rules/windows/file_event/file_event_win_susp_clr_logs.yml b/rules/windows/file_event/file_event_win_susp_clr_logs.yml index 7cc42eda4..afedb81f4 100644 --- a/rules/windows/file_event/file_event_win_susp_clr_logs.yml +++ b/rules/windows/file_event/file_event_win_susp_clr_logs.yml @@ -1,6 +1,6 @@ title: Suspcious CLR Logs Creation id: e4b63079-6198-405c-abd7-3fe8b0ce3263 -description: Detects suspicious .NET assembly executions. Could detect using Cobalt Strike's command execute-assembly. +description: Detects suspicious .NET assembly executions. Could detect using Cobalt Strike's command execute-assembly. references: - https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html - https://bohops.com/2021/03/16/investigating-net-clr-usage-log-tampering-techniques-for-edr-evasion/ @@ -33,5 +33,5 @@ detection: - 'svchost' condition: selection falsepositives: - - https://twitter.com/SBousseaden/status/1388064061087260675 - rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process + - Rundll32.exe with zzzzInvokeManagedCustomActionOutOfProc in command line and msiexec.exe as parent process - https://twitter.com/SBousseaden/status/1388064061087260675 level: high diff --git a/rules/windows/file_event/file_event_win_susp_desktop_ini.yml b/rules/windows/file_event/file_event_win_susp_desktop_ini.yml index 119379751..3dbda7a44 100755 --- a/rules/windows/file_event/file_event_win_susp_desktop_ini.yml +++ b/rules/windows/file_event/file_event_win_susp_desktop_ini.yml @@ -21,7 +21,7 @@ detection: condition: selection and not filter falsepositives: - Operations performed through Windows SCCM or equivalent - - read only access list authority + - Read only access list authority level: medium tags: - attack.persistence diff --git a/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml b/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml index 54b267a98..f60f06682 100644 
--- a/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml
+++ b/rules/windows/image_load/image_load_uipromptforcreds_dlls.yml
@@ -38,5 +38,5 @@ detection:
 - Image|contains: '\Local\Microsoft\OneDrive\'
 condition: selection and not filter
 falsepositives:
- - other legitimate processes loading those DLLs in your environment.
+ - Other legitimate processes loading those DLLs in your environment.
 level: medium
diff --git a/rules/windows/network_connection/net_connection_win_susp_rdp.yml b/rules/windows/network_connection/net_connection_win_susp_rdp.yml
index f94985f7a..70b019528 100755
--- a/rules/windows/network_connection/net_connection_win_susp_rdp.yml
+++ b/rules/windows/network_connection/net_connection_win_susp_rdp.yml
@@ -41,7 +41,7 @@ detection:
 condition: selection and not filter
 falsepositives:
 - Other Remote Desktop RDP tools
- - domain controller using dns.exe
+ - Domain controller using dns.exe
 level: high
 tags:
 - attack.lateral_movement
diff --git a/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml b/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml
index 79f2a00d5..6305b90d1 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml
+++ b/rules/windows/powershell/powershell_module/posh_pm_get_addbaccount.yml
@@ -22,5 +22,5 @@ detection:
 - 'DatabasePath '
 condition: selection
 falsepositives:
- - unknown
+ - Unknown
 level: high
diff --git a/rules/windows/process_access/proc_access_win_mimikatz_trough_winrm.yml b/rules/windows/process_access/proc_access_win_mimikatz_trough_winrm.yml
index c461c3a2c..d87221f9d 100755
--- a/rules/windows/process_access/proc_access_win_mimikatz_trough_winrm.yml
+++ b/rules/windows/process_access/proc_access_win_mimikatz_trough_winrm.yml
@@ -26,5 +26,5 @@ tags:
 - attack.t1021.006
 - attack.s0002
 falsepositives:
- - low
+ - Unlikely
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_attrib_hiding_files.yml b/rules/windows/process_creation/proc_creation_win_attrib_hiding_files.yml
index a06d44563..9775594dc 100644
--- a/rules/windows/process_creation/proc_creation_win_attrib_hiding_files.yml
+++ b/rules/windows/process_creation/proc_creation_win_attrib_hiding_files.yml
@@ -24,8 +24,8 @@ fields:
 - ParentCommandLine
 - User
 falsepositives:
- - igfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe)
- - msiexec.exe hiding desktop.ini
+ - IgfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe)
+ - Msiexec.exe hiding desktop.ini
 level: low
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_susp_csc_folder.yml b/rules/windows/process_creation/proc_creation_win_susp_csc_folder.yml
index 3fbae6f32..8dcca7ac3 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_csc_folder.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_csc_folder.yml
@@ -32,6 +32,6 @@ detection:
 - '\ProgramData\Microsoft\Windows Defender Advanced Threat Protection'
 condition: selection and not filter
 falsepositives:
- - https://twitter.com/gN3mes1s/status/1206874118282448897
- - https://twitter.com/gabriele_pippi/status/1206907900268072962
+ - Legitimate software from program files - https://twitter.com/gN3mes1s/status/1206874118282448897
+ - Legitimate Microsoft software - https://twitter.com/gabriele_pippi/status/1206907900268072962
 level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_susp_ngrok_pua.yml b/rules/windows/process_creation/proc_creation_win_susp_ngrok_pua.yml
index 9dc7023c9..0c38d37eb 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_ngrok_pua.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_ngrok_pua.yml
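Review bot: Capitalising executable names to satisfy the new first-letter test, `IgfxCUIService.exe` and `Msiexec.exe` in this hunk and `Ngrok http 3978`, `Rpcnet.exe` and `Msxsl.exe` in the hunks that follow, misspells binaries that are conventionally written in lowercase and makes the entries harder to match against process telemetry when an analyst greps the rule set. Starting the sentence with a word rather than the file name satisfies the check without altering the name, e.g. `- Legitimate msiexec.exe runs hiding desktop.ini` and `- The igfxCUIService.exe helper hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe)`.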
@@ -41,5 +41,5 @@ detection: condition: 1 of selection* falsepositives: - Another tool that uses the command line switches of Ngrok - - ngrok http 3978 (https://docs.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0) + - Ngrok http 3978 (https://docs.microsoft.com/en-us/azure/bot-service/bot-service-debug-channel-ngrok?view=azure-bot-service-4.0) level: high diff --git a/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml b/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml index ea3b72cae..659f33375 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml @@ -59,8 +59,8 @@ falsepositives: - WebTorrent - WhatsApp - WordPress.com - - atom - - gitkraken - - slack - - teams + - Atom + - Gitkraken + - Slack + - Teams level: medium \ No newline at end of file diff --git a/rules/windows/process_creation/proc_creation_win_susp_svchost_no_cli.yml b/rules/windows/process_creation/proc_creation_win_susp_svchost_no_cli.yml index ac875f0d8..66137f852 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_svchost_no_cli.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_svchost_no_cli.yml @@ -9,14 +9,14 @@ date: 2019/12/28 modified: 2021/02/24 tags: - attack.defense_evasion - - attack.privilege_escalation + - attack.privilege_escalation - attack.t1055 logsource: category: process_creation product: windows detection: selection1: - CommandLine|endswith: 'svchost.exe' + CommandLine|endswith: 'svchost.exe' selection2: Image|endswith: '\svchost.exe' filter: 
@@ -29,5 +29,5 @@ fields: - CommandLine - ParentCommandLine falsepositives: - - rpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf + - Rpcnet.exe / rpcnetp.exe which is a lojack style software. https://www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf level: critical diff --git a/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml b/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml index 50654354a..2b71b9c66 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_use_of_vsjitdebugger_bin.yml @@ -24,6 +24,6 @@ detection: Image|endswith: '\devenv.exe' condition: selection and not (reduction1 or reduction2) falsepositives: - - the process spawned by vsjitdebugger.exe is uncommon. + - The process spawned by vsjitdebugger.exe is uncommon. level: medium diff --git a/rules/windows/process_creation/proc_creation_win_xsl_script_processing.yml b/rules/windows/process_creation/proc_creation_win_xsl_script_processing.yml index b861ce72e..22869e556 100644 --- a/rules/windows/process_creation/proc_creation_win_xsl_script_processing.yml +++ b/rules/windows/process_creation/proc_creation_win_xsl_script_processing.yml @@ -29,7 +29,7 @@ detection: condition: selection and not false_positives falsepositives: - WMIC.exe FP depend on scripts and administrative methods used in the monitored environment. - - msxsl.exe is not installed by default, so unlikely. + - Msxsl.exe is not installed by default, so unlikely. - Static format arguments - https://petri.com/command-line-wmi-part-3 level: medium tags: 
diff --git a/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml b/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml index 548685764..fe96bec51 100644 --- a/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml +++ b/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml @@ -11,12 +11,12 @@ logsource: category: registry_set product: windows detection: - selection: + selection: EventType: SetValue - TargetObject|contains: + TargetObject|contains: - '\Software\Microsoft\Windows\CurrentVersion\Run' - '\Software\Microsoft\Windows\CurrentVersion\RunOnce' - Details|contains: + Details|contains: - 'powershell' - 'FromBase64String' - '.DownloadFile(' diff --git a/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml b/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml index c47194cf2..20d7041bb 100644 --- a/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml +++ b/rules/windows/wmi_event/sysmon_wmi_event_subscription.yml @@ -16,7 +16,7 @@ detection: - 21 condition: selector falsepositives: - - exclude legitimate (vetted) use of WMI event subscription in your network + - Exclude legitimate (vetted) use of WMI event subscription in your network level: high tags: - attack.persistence diff --git a/tests/test_rules.py b/tests/test_rules.py index b947798e1..7bbbd89a9 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py @@ -466,7 +466,7 @@ class TestRules(unittest.TestCase): self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with malformed optional 'fields' fields. (has to be a list of values even if it contains only a single value)") - def test_optional_falsepositives(self): + def test_optional_falsepositives_listtype(self): faulty_rules = [] for file in self.yield_next_rule_file_path(self.path_to_rules): falsepositives_str = self.get_rule_part(file_path=file, part_name="falsepositives") 
@@ -479,6 +479,25 @@ class TestRules(unittest.TestCase): self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with malformed optional 'falsepositives' fields. (has to be a list of values even if it contains only a single value)") + def test_optional_falsepositives_capital(self): + faulty_rules = [] + for file in self.yield_next_rule_file_path(self.path_to_rules): + fps = self.get_rule_part(file_path=file, part_name="falsepositives") + if fps: + for fp in fps: + # first letter should be capital + try: + if fp[0].upper() != fp[0]: + print(Fore.YELLOW + "Rule {} defines a falsepositive that does not start with a capital letter: '{}'.".format(file, fp)) + faulty_rules.append(file) + except TypeError as err: + print("TypeError Exception for rule {}".format(file)) + print("Error: {}".format(err)) + print("Maybe you created an empty falsepositive item?") + + self.assertEqual(faulty_rules, [], Fore.RED + + "There are rules with false positives that don't start with a capital letter (e.g. 'unknown' should be 'Unknown')") + # Upgrade Detection Rule License 1.1 def test_optional_author(self): faulty_rules = [] From b991a5be5257df207531695999de7fcc1b305805 Mon Sep 17 00:00:00 2001 
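Review bot: The `except TypeError` branch of `test_optional_falsepositives_capital` prints a hint but never appends to `faulty_rules`, so a non-string falsepositive item — the very case the message describes — is reported yet does not fail the test, and an empty-string item raises `IndexError`, which the handler does not catch. Widening the handler and recording the rule, `except (TypeError, IndexError) as err:` followed by `faulty_rules.append(file)` inside it, makes both cases fail like the sibling checks in this class. `fp[0].upper() != fp[0]` also passes any item that starts with a digit or punctuation and flags any that starts with a URL scheme; if that is intended, a one-line comment saying so would save the next reader a double take.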
From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Mon, 9 May 2022 14:43:49 +0200 Subject: [PATCH 08/54] chore: test rules: warn on errors or invalid FP reasons also adapted the existing rules to pass the tests --- .../lnx_auditd_susp_histfile_operations.yml | 2 +- ...reation_macos_susp_histfile_operations.yml | 2 +- ...verted_win_susp_raccess_sensitive_fext.yml | 2 +- .../win_susp_raccess_sensitive_fext.yml | 2 +- .../powershell_script/posh_ps_timestomp.yml | 2 +- .../proc_creation_win_cmd_delete.yml | 8 ++++---- .../proc_creation_win_dsim_remove.yml | 4 ++-- .../registry_set_disable_fonction_user.yml | 12 +++++------ .../registry_set_hide_fonction_user.yml | 12 +++++------ .../registry_set_powershell_in_run_keys.yml | 2 +- .../registry_set_set_nopolicies_user.yml | 6 +++--- tests/test_rules.py | 20 +++++++++++++++++++ 12 files changed, 47 insertions(+), 27 deletions(-) diff --git a/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml b/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml index cd613bb72..4eaefc716 100644 --- a/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml +++ b/rules/linux/auditd/lnx_auditd_susp_histfile_operations.yml @@ -29,7 +29,7 @@ fields: - key falsepositives: - Legitimate administrative activity - - Ligitimate software, cleaning hist file + - Legitimate software, cleaning hist file level: medium tags: - attack.credential_access diff --git a/rules/macos/process_creation/proc_creation_macos_susp_histfile_operations.yml b/rules/macos/process_creation/proc_creation_macos_susp_histfile_operations.yml index ff2c21434..501651898 100644 --- a/rules/macos/process_creation/proc_creation_macos_susp_histfile_operations.yml +++ b/rules/macos/process_creation/proc_creation_macos_susp_histfile_operations.yml 
@@ -22,7 +22,7 @@ detection:
 condition: selection
 falsepositives:
 - Legitimate administrative activity
- - Ligitimate software, cleaning hist file
+ - Legitimate software, cleaning hist file
 level: medium
 tags:
 - attack.credential_access
diff --git a/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml b/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml
index d2fc92f84..ff4e1bdb2 100644
--- a/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml
+++ b/rules/network/zeek/zeek_smb_converted_win_susp_raccess_sensitive_fext.yml
@@ -32,7 +32,7 @@ fields:
 - SubjectUserName
 - RelativeTargetName
 falsepositives:
- - Help Desk operator doing backup or re-imaging end user machine or pentest or backup software
+ - Help Desk operator doing backup or re-imaging end user machine or backup software
 - Users working with these data types or exchanging message files
 level: medium
 tags:
diff --git a/rules/windows/builtin/security/win_susp_raccess_sensitive_fext.yml b/rules/windows/builtin/security/win_susp_raccess_sensitive_fext.yml
index 61b204cab..3a896b3de 100644
--- a/rules/windows/builtin/security/win_susp_raccess_sensitive_fext.yml
+++ b/rules/windows/builtin/security/win_susp_raccess_sensitive_fext.yml
@@ -34,6 +34,6 @@ fields:
 - SubjectUserName
 - RelativeTargetName
 falsepositives:
- - Help Desk operator doing backup or re-imaging end user machine or pentest or backup software
+ - Help Desk operator doing backup or re-imaging end user machine or backup software
 - Users working with these data types or exchanging message files
 level: medium
diff --git a/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml b/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml
index 348a66a39..ac9457f21 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_timestomp.yml
@@ -26,5 +26,5 @@ detection: - '[IO.File]::SetLastWriteTime' condition: selection_ioc falsepositives: - - Legitimeate admin script + - Legitimate admin script level: medium diff --git a/rules/windows/process_creation/proc_creation_win_cmd_delete.yml b/rules/windows/process_creation/proc_creation_win_cmd_delete.yml index 6b9cba57b..9c8a3796b 100644 --- a/rules/windows/process_creation/proc_creation_win_cmd_delete.yml +++ b/rules/windows/process_creation/proc_creation_win_cmd_delete.yml @@ -1,4 +1,4 @@ -title: Windows Cmd Delete File +title: Windows Cmd Delete File id: 379fa130-190e-4c3f-b7bc-6c8e834485f3 status: experimental description: | @@ -17,13 +17,13 @@ detection: - CommandLine|contains|all: - 'del ' - /f - - CommandLine|contains|all: + - CommandLine|contains|all: - rmdir - /s - - /q + - /q condition: selection falsepositives: - - Legitim script + - Legitimate script level: low tags: - attack.defense_evasion diff --git a/rules/windows/process_creation/proc_creation_win_dsim_remove.yml b/rules/windows/process_creation/proc_creation_win_dsim_remove.yml index fef0d5ff6..a6cd04c13 100644 --- a/rules/windows/process_creation/proc_creation_win_dsim_remove.yml +++ b/rules/windows/process_creation/proc_creation_win_dsim_remove.yml @@ -11,7 +11,7 @@ logsource: product: windows detection: selection_dismhost: - Image|endswith: '\DismHost.exe' + Image|endswith: '\DismHost.exe' ParentCommandLine|contains|all: - '/online' - '/Disable-Feature' @@ -30,7 +30,7 @@ detection: #/quiet condition: 1 of selection_* falsepositives: - - Legitim script + - Legitimate script level: medium tags: - attack.defense_evasion diff --git a/rules/windows/registry/registry_set/registry_set_disable_fonction_user.yml b/rules/windows/registry/registry_set/registry_set_disable_fonction_user.yml index fb26e12b4..7e420359c 100644 --- a/rules/windows/registry/registry_set/registry_set_disable_fonction_user.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_fonction_user.yml 
@@ -11,9 +11,9 @@ logsource: category: registry_set product: windows detection: - selection_set_1: + selection_set_1: EventType: SetValue - TargetObject|endswith: + TargetObject|endswith: - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools' - 'SOFTWARE\Policies\Microsoft\Windows\System\DisableCMD' - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableTaskmgr' @@ -22,14 +22,14 @@ detection: - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableLockWorkstation' - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff' Details: 'DWORD (0x00000001)' - selection_set_0: + selection_set_0: EventType: SetValue - TargetObject|endswith: + TargetObject|endswith: - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon' - Details: 'DWORD (0x00000000)' + Details: 'DWORD (0x00000000)' condition: 1 of selection_set_* falsepositives: - - Legitim admin script + - Legitimate admin script level: medium tags: - attack.defense_evasion diff --git a/rules/windows/registry/registry_set/registry_set_hide_fonction_user.yml b/rules/windows/registry/registry_set/registry_set_hide_fonction_user.yml index e8821183c..8b0ad1aa2 100644 --- a/rules/windows/registry/registry_set/registry_set_hide_fonction_user.yml +++ b/rules/windows/registry/registry_set/registry_set_hide_fonction_user.yml 
@@ -11,24 +11,24 @@ logsource: category: registry_set product: windows detection: - selection_set_1: + selection_set_1: EventType: SetValue - TargetObject|endswith: + TargetObject|endswith: - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideClock' - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth' - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCANetwork' - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAPower' - 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAVolume' Details: 'DWORD (0x00000001)' - selection_set_0: + selection_set_0: EventType: SetValue - TargetObject|endswith: + TargetObject|endswith: - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowInfoTip' - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowCompColor' - Details: 'DWORD (0x00000000)' + Details: 'DWORD (0x00000000)' condition: 1 of selection_set_* falsepositives: - - Legitim admin script + - Legitimate admin script level: medium tags: - attack.defense_evasion diff --git a/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml b/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml index fe96bec51..eec5ae64d 100644 --- a/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml +++ b/rules/windows/registry/registry_set/registry_set_powershell_in_run_keys.yml @@ -26,7 +26,7 @@ detection: - ' -encodedcommand ' condition: selection falsepositives: - - Legitim admin script + - Legitimate admin script level: medium tags: - attack.persistence diff --git a/rules/windows/registry/registry_set/registry_set_set_nopolicies_user.yml b/rules/windows/registry/registry_set/registry_set_set_nopolicies_user.yml index 41ec6e700..bad56879e 100644 --- a/rules/windows/registry/registry_set/registry_set_set_nopolicies_user.yml +++ b/rules/windows/registry/registry_set/registry_set_set_nopolicies_user.yml 
@@ -11,9 +11,9 @@ logsource: category: registry_set product: windows detection: - selection_set_1: + selection_set_1: EventType: SetValue - TargetObject|endswith: + TargetObject|endswith: - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoLogOff' - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop' - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoRun' @@ -27,7 +27,7 @@ detection: Details: 'DWORD (0x00000001)' condition: selection_set_1 falsepositives: - - Legitim admin script + - Legitimate admin script level: medium tags: - attack.defense_evasion diff --git a/tests/test_rules.py b/tests/test_rules.py index 7bbbd89a9..a4feaac69 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py @@ -498,6 +498,26 @@ class TestRules(unittest.TestCase): self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with false positives that don't start with a capital letter (e.g. 'unknown' should be 'Unknown')") + def test_optional_falsepositives_blocked_content(self): + faulty_rules = [] + banned_words = ["none", "pentest", "penetration test"] + common_typos = ["unkown", "ligitimate", "legitim ", "legitimeate"] + for file in self.yield_next_rule_file_path(self.path_to_rules): + fps = self.get_rule_part(file_path=file, part_name="falsepositives") + if fps: + for fp in fps: + for typo in common_typos: + if fp == "Unknow" or typo in fp.lower(): + print(Fore.YELLOW + "Rule {} defines a falsepositive with a common typo: '{}'.".format(file, typo)) + faulty_rules.append(file) + for banned_word in banned_words: + if banned_word in fp.lower(): + print(Fore.YELLOW + "Rule {} defines a falsepositive with an invalid reason: '{}'.".format(file, banned_word)) + faulty_rules.append(file) + + self.assertEqual(faulty_rules, [], Fore.RED + + "There are rules with invalid false positive definitions (e.g. Pentest, None or common typos)") + # Upgrade Detection Rule License 1.1 def test_optional_author(self): faulty_rules = [] 
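Review bot: `fp.lower()` in `test_optional_falsepositives_blocked_content` runs without the type guard the capital-letter test just above uses, so a non-string falsepositive item raises `AttributeError` and aborts the whole test instead of reporting the offending rule. The `fp == "Unknow"` comparison sits inside the `for typo in common_typos` loop, so it is re-evaluated once per typo and appends the file up to four times for a single item; hoisting it out, `if fp == "Unknow": faulty_rules.append(file)`, and dropping it from the loop condition removes the duplicates. The banned-word check is a plain substring match, so `"none"` also hits reasons that merely contain it (e.g. `Nonetheless ...`); a word-boundary regex or comparing `fp.strip().lower()` against the list would be more precise.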
From ef3bc33288fb807ca86125604696b89a45bd9f9e Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Mon, 9 May 2022 15:20:39 +0200 Subject: [PATCH 09/54] fix: remove unneeded file read --- tests/test_rules.py | 2 -- 1 file changed, 2 deletions(-) diff --git a/tests/test_rules.py b/tests/test_rules.py index a4feaac69..bf9de5254 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py @@ -158,7 +158,6 @@ class TestRules(unittest.TestCase): faulty_fieldnames = [] for file in self.yield_next_rule_file_path(self.path_to_rules): - yaml = self.get_rule_yaml(file_path = file) detection = self.get_rule_part(file_path = file, part_name = "detection") key_iterator(detection, faulty_fieldnames) @@ -188,7 +187,6 @@ class TestRules(unittest.TestCase): faulty_detections = [] for file in self.yield_next_rule_file_path(self.path_to_rules): - yaml = self.get_rule_yaml(file_path = file) detection = self.get_rule_part(file_path = file, part_name = "detection") if "all of them" in detection["condition"]: From 3b556c728a8ea3e69c93bb9c6df1cf85e6961797 Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Mon, 9 May 2022 15:41:47 +0200 Subject: [PATCH 10/54] fix: DeprecationWarning: invalid escape sequence '\.' --- tests/test_rules.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/test_rules.py b/tests/test_rules.py index bf9de5254..cddfcfc40 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py @@ -608,7 +608,7 @@ class TestRules(unittest.TestCase): def test_file_names(self): faulty_rules = [] name_lst = [] - filename_pattern = re.compile('[a-z0-9_]{10,70}\.yml') + filename_pattern = re.compile(r'[a-z0-9_]{10,70}\.yml') for file in self.yield_next_rule_file_path(self.path_to_rules): filename = os.path.basename(file) if filename in name_lst: 
@@ -629,7 +629,7 @@ class TestRules(unittest.TestCase): name_lst.append(filename) self.assertEqual(faulty_rules, [], Fore.RED + - "There are rules with malformed file names (too short, too long, uppercase letters, a minus sign etc.). Please see the file names used in our repository and adjust your file names accordingly. The pattern for a valid file name is '[a-z0-9_]{10,70}\.yml' and it has to contain at least an underline character.") + r'There are rules with malformed file names (too short, too long, uppercase letters, a minus sign etc.). Please see the file names used in our repository and adjust your file names accordingly. The pattern for a valid file name is \'[a-z0-9_]{10,70}\.yml\' and it has to contain at least an underline character.') def test_title(self): faulty_rules = [] From f6e893dde5f2ba45c5e7e927ae8188b044806b16 Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Mon, 9 May 2022 16:05:19 +0200 Subject: [PATCH 11/54] chore: test rules: check that title is given in the first line --- tests/test_rules.py | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/tests/test_rules.py b/tests/test_rules.py index cddfcfc40..53e0b5f32 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py 
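Review bot: In the changed `assertEqual` message the quotes are escaped inside a raw string, `r'... is \'[a-z0-9_]{10,70}\.yml\' and ...'`, and a raw literal keeps the backslash before each escaped quote, so the failure text now shows `\'` around the pattern. Keeping the original double-quoted form and only adding the prefix avoids that: `r"There are rules with malformed file names (too short, too long, uppercase letters, a minus sign etc.). Please see the file names used in our repository and adjust your file names accordingly. The pattern for a valid file name is '[a-z0-9_]{10,70}\.yml' and it has to contain at least an underline character."`. The enclosing `test_file_names` body starts outside this hunk.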
@@ -678,6 +678,25 @@ class TestRules(unittest.TestCase): self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with non-conform 'title' fields. Please check: https://github.com/SigmaHQ/sigma/wiki/Rule-Creation-Guide#title") + def test_title_in_first_line(self): + faulty_rules = [] + for file in self.yield_next_rule_file_path(self.path_to_rules): + yaml = self.get_rule_yaml(file) + + # skip multi-part yaml + if len(yaml) > 1: + continue + + # this propably is not the best way to check whether + # title is the attribute given in the 1st line + # (also assumes dict keeps the order from the input file) + if list(yaml[0].keys())[0] != "title": + print(Fore.RED + "Rule {} does not have its 'title' attribute in the first line".format(file)) + faulty_rules.append(file) + + self.assertEqual(faulty_rules, [], Fore.RED + + "There are rules without the 'title' attribute in their first line.") + def test_invalid_logsource_attributes(self): faulty_rules = [] valid_logsource = [ From 654e9e9b9cb8a90c8841a7207dd2f6109fb9c7d5 Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Mon, 9 May 2022 16:05:33 +0200 Subject: [PATCH 12/54] fix: typo --- tests/test_rules.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/test_rules.py b/tests/test_rules.py index 53e0b5f32..bc444666c 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py @@ -621,7 +621,7 @@ class TestRules(unittest.TestCase): print(Fore.YELLOW + "Rule {} has a file name too long >70.".format(file)) faulty_rules.append(file) elif len(filename) < 14: - print(Fore.YELLOW + "Rule {} has a file name too sort <10.".format(file)) + print(Fore.YELLOW + "Rule {} has a file name too short <10.".format(file)) faulty_rules.append(file) elif filename_pattern.match(filename) == None or not '_' in filename: print(Fore.YELLOW + "Rule {} has a file name that doesn't match our standard.".format(file)) 
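Review bot: `list(yaml[0].keys())[0]` raises IndexError on an empty first document (and AttributeError if it is not a mapping), so one malformed rule file aborts the whole test instead of landing in `faulty_rules` with the others. Guard it: `first_key = next(iter(yaml[0]), None) if isinstance(yaml[0], dict) else None` and then `if first_key != "title":`. The comment has a typo ("propably") and its ordering caveat can be stated precisely: `# relies on the YAML loader preserving document key order (dict is insertion-ordered since Python 3.7)`. Multi-document rules are skipped silently; a one-line comment saying why (`# multi-document rules keep their title in the first part, checked elsewhere`) or a TODO would help, since as written those files are simply never checked.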
From c1a99350e68604d086f009244352f01fac040a33 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Mon, 9 May 2022 19:27:11 +0200 Subject: [PATCH 13/54] Add file_event_win_werfault_dll_hijacking --- .../file_event_win_werfault_dll_hijacking.yml | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 rules/windows/file_event/file_event_win_werfault_dll_hijacking.yml diff --git a/rules/windows/file_event/file_event_win_werfault_dll_hijacking.yml b/rules/windows/file_event/file_event_win_werfault_dll_hijacking.yml new file mode 100644 index 000000000..ebfeeba36 --- /dev/null +++ b/rules/windows/file_event/file_event_win_werfault_dll_hijacking.yml @@ -0,0 +1,29 @@ +title: Creation of an WerFault.exe in Invalid Folder +id: 28a452f3-786c-4fd8-b8f2-bddbe9d616d1 +status: experimental +description: Detects WerFault dll hijacking by coping it to a custom folder +author: frack113 +references: + - https://www.bleepingcomputer.com/news/security/hackers-are-now-hiding-malware-in-windows-event-logs/ +date: 2022/05/09 +logsource: + product: windows + category: file_event +detection: + selection: + TargetFilename|endswith: + - '\WerFault.exe' + - '\wer.dll' + filter_whitelist: + TargetFilename|startswith: + - 'C:\Windows\System32\' + - 'C:\Windows\SysWOW64\' + - 'C:\Windows\WinSxS\' + condition: selection and not filter_whitelist +falsepositives: + - Unknown +level: medium +tags: + - attack.persistence + - attack.defense_evasion + - attack.t1574.001 From b987752cfe5b05b9df2affa22782d3885b8bd411 Mon Sep 17 00:00:00 2001 
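Review bot: The `filter_whitelist` prefixes are pinned to the `C:` drive, so on a host whose system volume has a different letter every legitimate WerFault.exe or wer.dll write into System32/SysWOW64/WinSxS matches `selection` and fires at `level: medium`. Either anchor on the Windows directory instead of the drive (`TargetFilename|contains:` with `':\Windows\System32\'`, `':\Windows\SysWOW64\'`, `':\Windows\WinSxS\'`, slightly wider but drive-independent) or record the assumption in the rule. Windows Update and feature-upgrade servicing plausibly also stage these binaries outside the listed folders (SoftwareDistribution, `$WINDOWS.~BT`), which would be a concrete entry for `falsepositives` rather than `Unknown`. The title and description also need wording fixes: `title: Creation of WerFault.exe in Invalid Folder` and `description: Detects WerFault DLL hijacking by copying it to a custom folder`.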
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Mon, 9 May 2022 19:26:51 +0100 Subject: [PATCH 14/54] Small update - Updated regini rules to take into consideration OriginalFileName - Added another function to execute execute click-once via rundll32 (dfshim) --- rules/windows/process_creation/proc_creation_win_regini.yml | 3 ++- .../process_creation/proc_creation_win_regini_ads.yml | 6 ++++-- .../proc_creation_win_susp_rundll32_activity.yml | 4 ++++ 3 files changed, 10 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_regini.yml b/rules/windows/process_creation/proc_creation_win_regini.yml index 3c85a7789..226bba272 100644 --- a/rules/windows/process_creation/proc_creation_win_regini.yml +++ b/rules/windows/process_creation/proc_creation_win_regini.yml @@ -17,7 +17,8 @@ logsource: product: windows detection: selection: - Image|endswith: '\regini.exe' + - Image|endswith: '\regini.exe' + - OriginalFileName: 'REGINI.EXE' filter: CommandLine|re: ':[^ \\\\]' # to avoid intersection with ADS rule condition: selection and not filter diff --git a/rules/windows/process_creation/proc_creation_win_regini_ads.yml b/rules/windows/process_creation/proc_creation_win_regini_ads.yml index 3673e52b8..f2a91f3e1 100644 --- a/rules/windows/process_creation/proc_creation_win_regini_ads.yml +++ b/rules/windows/process_creation/proc_creation_win_regini_ads.yml @@ -17,9 +17,11 @@ logsource: product: windows detection: selection: - Image|endswith: '\regini.exe' + - Image|endswith: '\regini.exe' + - OriginalFileName: 'REGINI.EXE' + selection_re: CommandLine|re: ':[^ \\\\]' - condition: selection + condition: selection and selection_re fields: - ParentImage - CommandLine diff --git a/rules/windows/process_creation/proc_creation_win_susp_rundll32_activity.yml b/rules/windows/process_creation/proc_creation_win_susp_rundll32_activity.yml index 76bdf7c29..1548c6b21 100644 
--- a/rules/windows/process_creation/proc_creation_win_susp_rundll32_activity.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_rundll32_activity.yml @@ -7,6 +7,7 @@ references: - http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/ - https://twitter.com/Hexacorn/status/885258886428725250 - https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52 + - https://twitter.com/nas_bench/status/1433344116071583746 date: 2019/01/16 modified: 2021/12/04 logsource: @@ -68,6 +69,9 @@ detection: - CommandLine|contains|all: - 'dfshim.dll' - 'ShOpenVerbApplication' + - CommandLine|contains|all: + - 'dfshim.dll' + - 'ShOpenVerbShortcut' condition: selection falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment From 5151fc25c925a1e8a4c2e30d50b188cc6732e052 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Mon, 9 May 2022 19:28:50 +0100 Subject: [PATCH 15/54] Updated "modified" field --- rules/windows/process_creation/proc_creation_win_regini.yml | 2 +- rules/windows/process_creation/proc_creation_win_regini_ads.yml | 2 +- .../proc_creation_win_susp_rundll32_activity.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_regini.yml b/rules/windows/process_creation/proc_creation_win_regini.yml index 226bba272..c8ce2752f 100644 --- a/rules/windows/process_creation/proc_creation_win_regini.yml +++ b/rules/windows/process_creation/proc_creation_win_regini.yml @@ -11,7 +11,7 @@ tags: - attack.defense_evasion author: Eli Salem, Sander Wiebing, oscd.community date: 2020/10/08 -modified: 2021/05/24 +modified: 2022/05/09 logsource: category: process_creation product: windows 
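Review bot: The new `dfshim.dll` + `ShOpenVerbShortcut` list entry duplicates the preceding `dfshim.dll` + `ShOpenVerbApplication` entry except for the export name; both share the `ShOpenVerb` prefix, so they could be folded into one item, `- CommandLine|contains|all:` / `- 'dfshim.dll'` / `- 'ShOpenVerb'`, if no other commonly used `ShOpenVerb*` export of dfshim.dll should stay out of scope (that should be confirmed before widening). If the two entries are kept separate, a short comment naming the ClickOnce launch technique they cover would help the next reviewer see why they are listed apart. The `selection` list starts well before this hunk.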
diff --git a/rules/windows/process_creation/proc_creation_win_regini_ads.yml b/rules/windows/process_creation/proc_creation_win_regini_ads.yml index f2a91f3e1..4541b899f 100644 --- a/rules/windows/process_creation/proc_creation_win_regini_ads.yml +++ b/rules/windows/process_creation/proc_creation_win_regini_ads.yml @@ -11,7 +11,7 @@ tags: - attack.defense_evasion author: Eli Salem, Sander Wiebing, oscd.community date: 2020/10/12 -modified: 2021/05/24 +modified: 2022/05/09 logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/proc_creation_win_susp_rundll32_activity.yml b/rules/windows/process_creation/proc_creation_win_susp_rundll32_activity.yml index 1548c6b21..9ee1096ec 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_rundll32_activity.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_rundll32_activity.yml @@ -9,7 +9,7 @@ references: - https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52 - https://twitter.com/nas_bench/status/1433344116071583746 date: 2019/01/16 -modified: 2021/12/04 +modified: 2022/05/09 logsource: category: process_creation product: windows From 574df099f9d091aab43b9dc025c51729c9e073ef Mon Sep 17 00:00:00 2001 From: Tim Shelton Date: Mon, 9 May 2022 20:38:25 +0000 Subject: [PATCH 16/54] Adds allow for spotify streaming, which uses this service --- rules/proxy/proxy_ua_bitsadmin_susp_tld.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml b/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml index 953c84a77..6516f0304 100644 --- a/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml +++ b/rules/proxy/proxy_ua_bitsadmin_susp_tld.yml 
@@ -2,9 +2,9 @@ title: Bitsadmin to Uncommon TLD id: 9eb68894-7476-4cd6-8752-23b51f5883a7 status: experimental description: Detects Bitsadmin connections to domains with uncommon TLDs - https://twitter.com/jhencinski/status/1102695118455349248 - https://isc.sans.edu/forums/diary/Investigating+Microsoft+BITS+Activity/23281/ -author: Florian Roth +author: Florian Roth, Tim Shelton date: 2019/03/07 -modified: 2021/08/09 +modified: 2022/05/09 logsource: category: proxy detection: @@ -15,6 +15,7 @@ detection: - '.com' - '.net' - '.org' + - '.scdn.co' # spotify streaming condition: selection and not falsepositives fields: - ClientIP From 6aa0064c28e7868797dc02d3491b8022017a52ff Mon Sep 17 00:00:00 2001 From: Tim Shelton Date: Mon, 9 May 2022 23:23:07 +0000 Subject: [PATCH 17/54] adding support for splitting out domain and user for nt authority, since its split in the application into 2 fields, only works for system currently. not aware of other examples --- tools/sigma/backends/hawk.py | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/tools/sigma/backends/hawk.py b/tools/sigma/backends/hawk.py index 71d897fe4..f6dac6fc9 100644 --- a/tools/sigma/backends/hawk.py +++ b/tools/sigma/backends/hawk.py @@ -217,6 +217,9 @@ class HAWKBackend(SingleTextQueryBackend): if value[-2:] == "\\\\": value = value[:-2] + if (nodeRet['key'] == 'correlation_username' or nodeRet['key'] == 'target_username') and 'NT AUTHORITY\\SYS' in value.upper(): + value = value.replace('NT AUTHORITY\\SYSTEM', 'SYSTEM') + if endsWith and not startsWith: nodeRet['args']['str']['value'] = value + "$" elif startsWith and not endsWith: 
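Review bot: `'.scdn.co'` is a domain suffix added to a list that otherwise holds TLD strings, and whether it is a safe exception depends on the modifier of this `falsepositives` selection, which lies outside the hunk: with `endswith` only hosts under scdn.co are excluded, but with `contains` any hostname embedding that substring would be excluded as well. Please confirm the selection uses `endswith`, and move the explanation out of the inline comment into the rule metadata with an entry such as `- Spotify streaming (scdn.co)` under `falsepositives`. The description still says "uncommon TLDs", which remains the rule's intent, but the exclusion list now also carries a domain-level exception and that is worth a sentence there.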
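Review bot: The same four-line `NT AUTHORITY\SYSTEM` rewrite is copy-pasted into this hunk and into the hunks at `@@ -240`, `@@ -255`, `@@ -302`, `@@ -336` and `@@ -354` on the following lines, and the copies are already inconsistent: the test is case-insensitive (`value.upper()`) while `str.replace` is case-sensitive, so a rule spelling `NT Authority\System` passes the check and is left untouched. Factor it into one helper on the class and call `value = self._split_nt_authority(nodeRet['key'], value)` at each site; `re` is already in scope in this file (`re.escape` in the `@@ -302` hunk). In the regex branch (`@@ -354`) the value has already passed through `generateValueNode(value, True)`, so whether the escaped literal still contains `NT AUTHORITY\\SYS` should be checked rather than assumed. All enclosing methods start and end outside these hunks.
```python
    def _split_nt_authority(self, key, value):
        """HAWK stores domain and account in separate fields, so a Sigma value of
        'NT AUTHORITY\\SYSTEM' on a username field is reduced to 'SYSTEM'."""
        if key in ('correlation_username', 'target_username') and isinstance(value, str) \
                and 'NT AUTHORITY\\SYS' in value.upper():
            return re.sub(r'NT AUTHORITY\\SYSTEM', 'SYSTEM', value, flags=re.IGNORECASE)
        return value

    # … at each former inlined copy, in place of the four added lines …
    value = self._split_nt_authority(nodeRet['key'], value)
```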
@@ -240,6 +243,9 @@ class HAWKBackend(SingleTextQueryBackend): if value[0:17] == 'Microsoft-Windows': value = value[18:] + if (nodeRet['key'] == 'correlation_username' or nodeRet['key'] == 'target_username') and 'NT AUTHORITY\\SYS' in value.upper(): + value = value.replace('NT AUTHORITY\\SYSTEM', 'SYSTEM') + nodeRet['args']['str']['value'] = value # return json.dumps(nodeRet) return nodeRet @@ -255,6 +261,10 @@ class HAWKBackend(SingleTextQueryBackend): #return json.dumps(nodeRet) return nodeRet else: + + if (nodeRet['key'] == 'correlation_username' or nodeRet['key'] == 'target_username') and 'NT AUTHORITY\\SYS' in value.upper(): + value = value.replace('NT AUTHORITY\\SYSTEM', 'SYSTEM') + nodeRet['args']['str']['value'] = value if notNode: nodeRet["args"]["comparison"]["value"] = "!=" @@ -302,6 +312,8 @@ class HAWKBackend(SingleTextQueryBackend): nodeRet['args']['str']['value'] = 'null' ret['children'].append( nodeRet ) elif type(item) == str and "*" in item: + if (nodeRet['key'] == 'correlation_username' or nodeRet['key'] == 'target_username') and 'NT AUTHORITY\\SYS' in item.upper(): + item = item.replace('NT AUTHORITY\\SYSTEM', 'SYSTEM') item = item.replace("*", "EEEESTAREEE") item = re.escape(item) item = item.replace("EEEESTAREEE", ".*") @@ -316,6 +328,7 @@ class HAWKBackend(SingleTextQueryBackend): if item[-2:] == "\\\\": item = item[:-2] + if endsWith and not startsWith: nodeRet['args']['str']['value'] = item + "$" elif startsWith and not endsWith: 
@@ -336,11 +349,16 @@ class HAWKBackend(SingleTextQueryBackend): # custom, since we trim up string size in log to save bytes key = nodeRet['key'] value = nodeRet['args']['str']['value'] + + if (nodeRet['key'] == 'correlation_username' or nodeRet['key'] == 'target_username') and 'NT AUTHORITY\\SYS' in value.upper(): + value = value.replace('NT AUTHORITY\\SYSTEM', 'SYSTEM') + if key == 'provider__name': nodeRet['key'] = "product_name" if value[0:17] == 'Microsoft-Windows': value = value[18:] - nodeRet['args']['str']['value'] = value + + nodeRet['args']['str']['value'] = value ret['children'].append( nodeRet ) retAnd = { "id" : "and", "key": "And", "children" : [ ret ] } @@ -354,6 +372,10 @@ class HAWKBackend(SingleTextQueryBackend): nodeRet['rule_id'] = str(uuid.uuid4()) if type(value) == SigmaRegularExpressionModifier: value = self.generateValueNode(value, True) + + if (nodeRet['key'] == 'correlation_username' or nodeRet['key'] == 'target_username') and 'NT AUTHORITY\\SYS' in value.upper(): + value = value.replace('NT AUTHORITY\\SYSTEM', 'SYSTEM') + nodeRet['args']['str']['value'] = value nodeRet['args']['str']['regex'] = "true" if notNode: From 0709758651d15e2aa916807c1a987cc370064577 Mon Sep 17 00:00:00 2001 From: Tim Shelton Date: Mon, 9 May 2022 23:23:35 +0000 Subject: [PATCH 18/54] Adding updates for zeek, as well as some missing sections for windows. internal review of rules will continue. --- tools/config/hawk.yml | 31 +++++++++++++++++++++++++++++-- 1 file changed, 29 insertions(+), 2 deletions(-) diff --git a/tools/config/hawk.yml b/tools/config/hawk.yml index c0cf3838f..730128346 100644 --- a/tools/config/hawk.yml +++ b/tools/config/hawk.yml @@ -233,7 +233,8 @@ logsources: zeek: product: zeek conditions: - vendor_name: "Zeek IDS" + vendor_name: "Zeek" + vendor_type: "IDS" azure-signin: product: azure service: signinlogs 
@@ -258,6 +259,11 @@ logsources: conditions: vendor_name: "Microsoft" product_name: "Azure" + microsoft-servicebus-client: + product: windows + service: microsoft-servicebus-client + conditions: + channel: 'Microsoft-ServiceBus-Client' windows-application: product: windows service: application @@ -351,6 +357,14 @@ logsources: conditions: product_name: 'PowerShell' vendor_id: 4104 + windows-ps-classic-start: + category: ps_classic_start + product: windows + conditions: + EventID: 400 + rewrite: + product: windows + service: powershell-classic windows-ps-classic-provider: product: windows category: ps_classic_provider_start @@ -430,6 +444,9 @@ logsources: conditions: product_name: "Sysmon" vendor_id: 14 + #dns: + # category: dns + # conditions: qflow: product: qflow netflow: @@ -537,7 +554,6 @@ fieldmappings: DetectionSource: value Priority: event_priority event_type_id: vendor_id - eventtype: vendor_type destination.port: ip_dport user: correlation_username User: correlation_username @@ -568,3 +584,14 @@ fieldmappings: user-agent: http_user_agent cs-User-Agent: http_user_agent r-dns: http_host + id_orig_h: ip_src + id_orig_p: ip_src_port + id_resp_h: ip_dst + id_resp_p: ip_dst_port + host: ip_src + hostname: ip_src_host + port_num: ip_dst_port + query: dns_query + orig_ip_bytes: net_if_out_bytes + resp_ip_bytes: net_if_in_bytes + QNAME: qname From 5f0ca0549255f34705960e95c693d949108df2a5 Mon Sep 17 00:00:00 2001 From: Tim Shelton Date: Mon, 9 May 2022 23:54:40 +0000 Subject: [PATCH 19/54] Adding FP filter for cylance --- .../proc_access_win_direct_syscall_ntopenprocess.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml index 1f7310c25..f61512924 100755 --- a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml 
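Review bot: The new `host: ip_src` and `hostname: ip_src_host` entries are global fieldmappings, yet `host` in Zeek's http.log is the HTTP Host header and in proxy rules it is the requested hostname, so a rule matching on `host` would be translated into a source-IP comparison and silently stop matching. Either restrict these two mappings to the Zeek connection log sources (sigmac backend configs allow logsource-scoped `fieldmappings` when the logsource is marked `conditional`) or drop them and keep only the `id.*_h`/`id.*_p` tuple fields. Separately, `EventID: 400` in the `windows-ps-classic-start` entry (`@@ -351`) uses the raw Windows field while the sibling entries use the mapped `vendor_id` (e.g. `vendor_id: 4104`); confirm which form the `conditions` block is evaluated against. The `#dns:` block added in `@@ -430` is dead configuration and should carry a reason or be removed.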
+++ b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml @@ -4,8 +4,9 @@ description: Detects the usage of the direct syscall of NtOpenProcess which migh references: - https://medium.com/falconforce/falconfriday-direct-system-calls-and-cobalt-strike-bofs-0xff14-741fa8e1bdd6 status: experimental -author: Christian Burkard +author: Christian Burkard, Tim Shelton date: 2021/07/28 +modified: 2022/05/09 logsource: category: process_access product: windows @@ -13,6 +14,9 @@ detection: selection: CallTrace|startswith: 'UNKNOWN' condition: selection + falsepositive1: + TargetImage: 'C:\Program Files\Cylance\Desktop\CylanceUI.exe' + SourceImage: 'C:\Windows\Explorer.EXE' falsepositives: - Unknown level: critical From db6d32c6b9d73b1f29c4b22b07f618f506e70c16 Mon Sep 17 00:00:00 2001 From: Tim Shelton Date: Mon, 9 May 2022 23:55:37 +0000 Subject: [PATCH 20/54] Adding condition update --- .../proc_access_win_direct_syscall_ntopenprocess.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml index f61512924..3ea0b69c5 100755 --- a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml +++ b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml @@ -13,10 +13,10 @@ logsource: detection: selection: CallTrace|startswith: 'UNKNOWN' - condition: selection falsepositive1: TargetImage: 'C:\Program Files\Cylance\Desktop\CylanceUI.exe' SourceImage: 'C:\Windows\Explorer.EXE' + condition: selection and not 1 of falsepositive* falsepositives: - Unknown level: critical From 278e825794f0ab1209f4f04db635d23adc67dab3 Mon Sep 17 00:00:00 2001 
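Review bot: `falsepositive1` as a selection name reads like the rule's `falsepositives` metadata block two lines below and departs from the `filter_*` convention used elsewhere in this series (e.g. `filter_whitelist` in the WerFault rule); rename it `filter_cylance:` and write `condition: selection and not 1 of filter_*`. The exclusion requires both images at fixed `C:\...` paths, so it only suppresses the Cylance case on a standard drive letter; since the rule is `level: critical`, name that case under `falsepositives` (currently `Unknown`) as `- Cylance Protect UI accessing itself from explorer.exe`.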
From: Tim Shelton Date: Tue, 10 May 2022 01:45:17 +0000 Subject: [PATCH 21/54] fixing hawk backend fields for zeek. wrong character --- tools/config/hawk.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tools/config/hawk.yml b/tools/config/hawk.yml index 730128346..1a0bb8902 100644 --- a/tools/config/hawk.yml +++ b/tools/config/hawk.yml @@ -584,10 +584,10 @@ fieldmappings: user-agent: http_user_agent cs-User-Agent: http_user_agent r-dns: http_host - id_orig_h: ip_src - id_orig_p: ip_src_port - id_resp_h: ip_dst - id_resp_p: ip_dst_port + id.orig_h: ip_src + id.orig_p: ip_src_port + id.resp_h: ip_dst + id.resp_p: ip_dst_port host: ip_src hostname: ip_src_host port_num: ip_dst_port From 8674e26218a50e77d59f869df9ebd4ef6f97f6b3 Mon Sep 17 00:00:00 2001 From: Tim Shelton Date: Tue, 10 May 2022 01:50:46 +0000 Subject: [PATCH 22/54] adding cardinality of each group by to include source address. otherwise lookups will only be using "command" for example --- tools/sigma/backends/hawk.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/sigma/backends/hawk.py b/tools/sigma/backends/hawk.py index f6dac6fc9..e9eb45839 100644 --- a/tools/sigma/backends/hawk.py +++ b/tools/sigma/backends/hawk.py @@ -434,7 +434,7 @@ class HAWKBackend(SingleTextQueryBackend): "limit" : { "order" : "3", "source" : "time_offset", "type" : "int", "objectKey" : "limit" }, }, "args": { - "columns" : [ self.cleanKey(agg.groupfield) ], + "columns" : [ "ip_src", self.cleanKey(agg.groupfield) ], "comparison": { "value": "%s" % agg.cond_op }, "threshold": { "value": int(agg.condition) }, "limit": { "value": min_count } From 50a4a02364f459d9e633084153c1c5fdea0c80a3 Mon Sep 17 00:00:00 2001 From: Tim Shelton Date: Tue, 10 May 2022 01:51:37 +0000 Subject: [PATCH 23/54] adding additional field with ip_src as initial cardinal --- tools/sigma/backends/hawk.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
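Review bot: `"ip_src"` is hard-coded as the first group-by column, so when `agg.groupfield` itself maps to `ip_src` the `columns` list contains the same column twice. Build it without duplicates: `columns = ["ip_src"]` / `group_col = self.cleanKey(agg.groupfield)` / `if group_col not in columns: columns.append(group_col)`, then use `"columns" : columns`. Forcing every aggregation to be per source address also changes what rules counting across hosts (distinct users, distinct destinations) detect; the commit message says this is intended, but that deserves a comment at the site, `# HAWK aggregates per source address; the Sigma group field is a secondary key`. Patch 23 on the next line (`@@ -456`) makes the identical change and has the same issue; both enclosing methods start and end outside the hunks.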
diff --git a/tools/sigma/backends/hawk.py b/tools/sigma/backends/hawk.py index e9eb45839..278f78306 100644 --- a/tools/sigma/backends/hawk.py +++ b/tools/sigma/backends/hawk.py @@ -456,7 +456,7 @@ class HAWKBackend(SingleTextQueryBackend): "limit" : { "order" : "3", "source" : "time_offset", "type" : "int", "objectKey" : "limit" }, }, "args": { - "columns" : [ self.cleanKey(agg.groupfield) ], + "columns" : [ "ip_src", self.cleanKey(agg.groupfield) ], "comparison": { "value": "%s" % agg.cond_op }, "threshold": { "value": int(agg.condition) }, "limit": { "value": min_count } From c64197233d3a1ef8686c02613cec7b4a34e86f25 Mon Sep 17 00:00:00 2001 From: Tim Shelton Date: Tue, 10 May 2022 02:19:23 +0000 Subject: [PATCH 24/54] fixing error in translation --- tools/sigma/backends/hawk.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/tools/sigma/backends/hawk.py b/tools/sigma/backends/hawk.py index 278f78306..20a064d18 100644 --- a/tools/sigma/backends/hawk.py +++ b/tools/sigma/backends/hawk.py @@ -199,6 +199,10 @@ class HAWKBackend(SingleTextQueryBackend): if key.lower() in ("logname","source"): self.logname = value if type(value) == str and "*" in value: + + if (nodeRet['key'] == 'correlation_username' or nodeRet['key'] == 'target_username') and 'NT AUTHORITY\\SYS' in value.upper(): + value = value.replace('NT AUTHORITY\\SYSTEM', 'SYSTEM') + value = value.replace("*", "EEEESTAREEE") value = re.escape(value) value = value.replace("EEEESTAREEE", ".*") @@ -217,9 +221,6 @@ class HAWKBackend(SingleTextQueryBackend): if value[-2:] == "\\\\": value = value[:-2] - if (nodeRet['key'] == 'correlation_username' or nodeRet['key'] == 'target_username') and 'NT AUTHORITY\\SYS' in value.upper(): - value = value.replace('NT AUTHORITY\\SYSTEM', 'SYSTEM') - if endsWith and not startsWith: nodeRet['args']['str']['value'] = value + "$" elif startsWith and not endsWith: From fdc1a1711a148579b3319df24f721014bb621dc9 Mon Sep 17 00:00:00 2001 
From: Tim Shelton Date: Tue, 10 May 2022 03:07:14 +0000 Subject: [PATCH 25/54] adding ip6 non routable filter --- rules/network/zeek/zeek_rdp_public_listener.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/rules/network/zeek/zeek_rdp_public_listener.yml b/rules/network/zeek/zeek_rdp_public_listener.yml index 1f41a07f9..be1c81ef9 100644 --- a/rules/network/zeek/zeek_rdp_public_listener.yml +++ b/rules/network/zeek/zeek_rdp_public_listener.yml @@ -13,7 +13,7 @@ logsource: product: zeek service: rdp detection: - selection: + selection1: id.orig_h|startswith: - '192.168.' - '10.' @@ -33,10 +33,14 @@ detection: - '172.29.' - '172.30.' - '172.31.' + selection2: + id.orig_h|re: + - '^fe[c-f][0-9a-f]\:' # deprecated (RFC 3879) + - '^f[c-d][0-9a-f]\:' # current (RFC 1918) #approved_rdp: #dst_ip: #- x.x.x.x - condition: not selection #and not approved_rdp + condition: not selection* #and not approved_rdp fields: - id.orig_h - id.resp_h From ad727e11e979bb86e03bef15da2df05d79e31d9e Mon Sep 17 00:00:00 2001 From: Tim Shelton Date: Tue, 10 May 2022 03:39:16 +0000 Subject: [PATCH 26/54] adding additional zeek categories to sort out false positive matching --- tools/config/hawk.yml | 301 ++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 301 insertions(+) diff --git a/tools/config/hawk.yml b/tools/config/hawk.yml index 1a0bb8902..42ff226c1 100644 --- a/tools/config/hawk.yml +++ b/tools/config/hawk.yml 
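Review bot: The second regex `'^f[c-d][0-9a-f]\:'` requires exactly three hex digits before the first colon, but a unique-local address as Zeek prints it has four (`fd12:...`), so it never matches a real ULA; it should be `'^f[cd][0-9a-f]{2}:'` (the `\:` escapes are unnecessary in both patterns). Its comment cites RFC 1918, which is the IPv4 private range; IPv6 ULA fc00::/7 is RFC 4193, and the first pattern's fec0::/10 is the deprecated site-local range as stated. `condition: not selection*` is not valid Sigma, as far as I know the grammar only accepts wildcards after `1 of`/`all of`, so write `condition: not 1 of selection*`, which is also the intended `not (selection1 or selection2)`. Link-local `fe80::/10` and `::1` are covered by neither pattern; if that is deliberate say so in a comment, otherwise add `- '^fe[89ab][0-9a-f]:'`. The `detection` block begins in the preceding hunk.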
@@ -235,6 +235,307 @@ logsources: conditions: vendor_name: "Zeek" vendor_type: "IDS" + zeek-category-firewall: + category: firewall + rewrite: + product: zeek + service: conn + zeek-category-dns: + category: dns + rewrite: + product: zeek + service: dns + zeek-category-proxy: + category: proxy + rewrite: + product: zeek + service: http + zeek-rdp: + product: zeek + service: rdp + conditions: + hawk_source: "rdp.log" + zeek-conn: + product: zeek + service: conn + conditions: + hawk_source: "conn.log" + zeek-conn_long: + product: zeek + service: conn_long + conditions: + hawk_source: "conn_long.log" + zeek-dce_rpc: + product: zeek + service: dce_rpc + conditions: + hawk_source: "dce_rpc.log" + zeek-dns: + product: zeek + service: dns + conditions: + hawk_source: "dns.log" + zeek-dnp3: + product: zeek + service: dnp3 + conditions: + hawk_source: "dnp3.log" + zeek-dpd: + product: zeek + service: dpd + conditions: + hawk_source: "dpd.log" + zeek-files: + product: zeek + service: files + conditions: + hawk_source: "files.log" + zeek-ftp: + product: zeek + service: ftp + conditions: + hawk_source: "ftp.log" + zeek-gquic: + product: zeek + service: gquic + conditions: + hawk_source: "gquic.log" + zeek-http: + product: zeek + service: http + conditions: + hawk_source: "http.log" + zeek-http2: + product: zeek + service: http2 + conditions: + hawk_source: "http2.log" + zeek-intel: + product: zeek + service: intel + conditions: + hawk_source: "intel.log" + zeek-irc: + product: zeek + service: irc + conditions: + hawk_source: "irc.log" + zeek-kerberos: + product: zeek + service: kerberos + conditions: + hawk_source: "kerberos.log" + zeek-known_certs: + product: zeek + service: known_certs + conditions: + hawk_source: "known_certs.log" + zeek-known_hosts: + product: zeek + service: known_hosts + conditions: + hawk_source: "known_hosts.log" + zeek-known_modbus: + product: zeek + service: known_modbus + conditions: + hawk_source: "known_modbus.log" + zeek-known_services: + 
product: zeek + service: known_services + conditions: + hawk_source: "known_services.log" + zeek-modbus: + product: zeek + service: modbus + conditions: + hawk_source: "modbus.log" + zeek-modbus_register_change: + product: zeek + service: modbus_register_change + conditions: + hawk_source: "modbus_register_change.log" + zeek-mqtt_connect: + product: zeek + service: mqtt_connect + conditions: + hawk_source: "mqtt_connect.log" + zeek-mqtt_publish: + product: zeek + service: mqtt_publish + conditions: + hawk_source: "mqtt_publish.log" + zeek-mqtt_subscribe: + product: zeek + service: mqtt_subscribe + conditions: + hawk_source: "mqtt_subscribe.log" + zeek-mysql: + product: zeek + service: mysql + conditions: + hawk_source: "mysql.log" + zeek-notice: + product: zeek + service: notice + conditions: + hawk_source: "notice.log" + zeek-ntlm: + product: zeek + service: ntlm + conditions: + hawk_source: "ntlm.log" + zeek-ntp: + product: zeek + service: ntp + conditions: + hawk_source: "ntp.log" + zeek-ocsp: + product: zeek + service: ntp + conditions: + hawk_source: "ocsp.log" + zeek-pe: + product: zeek + service: pe + conditions: + hawk_source: "pe.log" + zeek-pop3: + product: zeek + service: pop3 + conditions: + hawk_source: "pop3.log" + zeek-radius: + product: zeek + service: radius + conditions: + hawk_source: "radius.log" + zeek-rdp: + product: zeek + service: rdp + conditions: + hawk_source: "rdp.log" + zeek-rfb: + product: zeek + service: rfb + conditions: + hawk_source: "rfb.log" + zeek-sip: + product: zeek + service: sip + conditions: + hawk_source: "sip.log" + zeek-smb_files: + product: zeek + service: smb_files + conditions: + hawk_source: "smb_files.log" + zeek-smb_mapping: + product: zeek + service: smb_mapping + conditions: + hawk_source: "smb_mapping.log" + zeek-smtp: + product: zeek + service: smtp + conditions: + hawk_source: "smtp.log" + zeek-smtp_links: + product: zeek + service: smtp_links + conditions: + hawk_source: "smtp_links.log" + zeek-snmp: + 
product: zeek + service: snmp + conditions: + hawk_source: "snmp.log" + zeek-socks: + product: zeek + service: socks + conditions: + hawk_source: "socks.log" + zeek-software: + product: zeek + service: software + conditions: + hawk_source: "software.log" + zeek-ssh: + product: zeek + service: ssh + conditions: + hawk_source: "ssh.log" + zeek-ssl: + product: zeek + service: ssl + conditions: + hawk_source: "tls.log" + zeek-tls: # In case people call it TLS even though orig log is called ssl, but dataset is tls so may cause confusion so cover that + product: zeek + service: tls + conditions: + hawk_source: "tls.log" + zeek-syslog: + product: zeek + service: syslog + conditions: + hawk_source: "syslog.log" + zeek-tunnel: + product: zeek + service: tunnel + conditions: + hawk_source: "tunnel.log" + zeek-traceroute: + product: zeek + service: traceroute + conditions: + hawk_source: "traceroute.log" + zeek-weird: + product: zeek + service: weird + conditions: + hawk_source: "weird.log" + zeek-x509: + product: zeek + service: x509 + conditions: + hawk_source: "x509.log" + zeek-ip_search: + product: zeek + service: network + conditions: + hawk_source: + - "conn.log" + - "conn_long.log" + - "dce_rpc.log" + - "dhcp.log" + - "dnp3.log" + - "dns.log" + - "ftp.log" + - "gquic.log" + - "http.log" + - "irc.log" + - "kerberos.log" + - "modbus.log" + - "mqtt_connect.log" + - "mqtt_publish.log" + - "mqtt_subscribe.log" + - "mysql.log" + - "ntlm.log" + - "ntp.log" + - "radius.log" + - "rfb.log" + - "sip.log" + - "smb_files.log" + - "smb_mapping.log" + - "smtp.log" + - "smtp_links.log" + - "snmp.log" + - "socks.log" + - "ssh.log" + - "tls.log" #SSL + - "tunnel.log" + - "weird.log" azure-signin: product: azure service: signinlogs From b4fdb13e8ab9b8bba1de86d7f73de3e56c64de8d Mon Sep 17 00:00:00 2001 
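Review bot: `zeek-ocsp` is defined with `service: ntp` but `hawk_source: "ocsp.log"`, which looks like a copy-paste slip from the `zeek-ntp` entry just above; it should be `service: ocsp`, otherwise rules with `service: ocsp` resolve to no logsource and `service: ntp` rules get two conflicting definitions. `zeek-ssl` points at `tls.log` while only `zeek-tls` carries the explanatory comment; repeat that comment on `zeek-ssl` (`# Zeek names the log ssl.log, the HAWK dataset is tls`) so the mismatch does not look accidental. The `zeek-ip_search` list includes `dhcp.log`, which has no entry above, and omits several sources that do carry connection tuples (`rdp.log`, `http2.log`, `syslog.log`); a comment stating the selection criterion would make future additions consistent. This hunk spans the three preceding lines; the `logsources` mapping continues outside it.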
From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Tue, 10 May 2022 11:07:40 +0200 Subject: [PATCH 27/54] chore: test rules: check for unused selections --- .../proc_creation_lnx_webshell_detection.yml | 10 +++--- ...oc_creation_win_reg_defender_tampering.yml | 3 +- .../proc_creation_win_reg_lsass_ppl.yml | 3 +- tests/test_rules.py | 32 +++++++++++++++++++ 4 files changed, 41 insertions(+), 7 deletions(-) diff --git a/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml b/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml index 6a8b600a2..4816e3fe1 100644 --- a/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml +++ b/rules/linux/process_creation/proc_creation_lnx_webshell_detection.yml @@ -5,7 +5,7 @@ description: Detects suspicious sub processes of web server processes references: - https://www.acunetix.com/blog/articles/web-shells-101-using-php-introduction-web-shells-part-2/ date: 2021/10/15 -modified: 2022/03/14 +modified: 2022/05/09 author: Florian Roth tags: - attack.persistence @@ -26,18 +26,18 @@ detection: ParentCommandLine|contains|all: - '/bin/java' - 'tomcat' - selection_websphere: # ? just guessing + selection_websphere: # ? just guessing ParentCommandLine|contains|all: - '/bin/java' - 'websphere' selection_sub_processes: - Image|endswith: + Image|endswith: - '/whoami' - '/ifconfig' - '/usr/bin/ip' - '/bin/uname' - condition: selection_sub_processes and ( selection_general or selection_tomcat ) + condition: selection_sub_processes and ( selection_general or selection_tomcat or selection_websphere) falsepositives: - - Web applications that invoke Linux command line tools + - Web applications that invoke Linux command line tools level: critical diff --git a/rules/windows/process_creation/proc_creation_win_reg_defender_tampering.yml b/rules/windows/process_creation/proc_creation_win_reg_defender_tampering.yml index 5a5d32ced..88b58785a 100644 
--- a/rules/windows/process_creation/proc_creation_win_reg_defender_tampering.yml +++ b/rules/windows/process_creation/proc_creation_win_reg_defender_tampering.yml @@ -6,6 +6,7 @@ references: - https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/ author: Florian Roth date: 2022/03/22 +modified: 2022/05/09 logsource: category: process_creation product: windows @@ -22,7 +23,7 @@ detection: CommandLine|contains: - 'Real-Time Protection' - 'TamperProtection' - condition: selection + condition: selection and selection_target falsepositives: - Legitimate use level: high diff --git a/rules/windows/process_creation/proc_creation_win_reg_lsass_ppl.yml b/rules/windows/process_creation/proc_creation_win_reg_lsass_ppl.yml index b84fc5db8..5a2eaee7f 100644 --- a/rules/windows/process_creation/proc_creation_win_reg_lsass_ppl.yml +++ b/rules/windows/process_creation/proc_creation_win_reg_lsass_ppl.yml @@ -6,6 +6,7 @@ references: - https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/ author: Florian Roth date: 2022/03/22 +modified: 2022/05/09 logsource: category: process_creation product: windows @@ -21,7 +22,7 @@ detection: CommandLine|contains: - 'Real-Time Protection' - 'TamperProtection' - condition: selection + condition: selection and selection_target falsepositives: - Unlikely level: high diff --git a/tests/test_rules.py b/tests/test_rules.py index bc444666c..c3d3af0c6 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py 
@@ -749,6 +749,38 @@ class TestRules(unittest.TestCase):
 self.assertEqual(faulty_rules, [], Fore.RED + "There are rules using list with only 1 element")
+ def test_unused_selection(self):
+ faulty_rules = []
+ for file in self.yield_next_rule_file_path(self.path_to_rules):
+ detection = self.get_rule_part(file_path=file, part_name="detection")
+ condition = detection["condition"]
+ wildcard_selections = re.compile(r"\sof\s([\w\*]+)(?:$|\s|\))")
+
+ # skip rules containing aggregations
+ if type(condition) == list:
+ continue
+
+ for selection in detection:
+ if selection == "condition":
+ continue
+ if selection == "timeframe":
+ continue
+ if selection in condition:
+ continue
+ # find all wildcards in condition
+ found = False
+ for wildcard_selection in wildcard_selections.findall(condition):
+ # wildcard matches selection
+ if re.search(wildcard_selection.replace(r"*", r".*"), selection) is not None:
+ found = True
+ break
+ # selection was not found in condition
+ if not found:
+ print(Fore.RED + "Rule {} has an unused selection '{}'".format(file, selection))
+ faulty_rules.append(file)
+
+ self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with unused selections")
+
 def test_condition_operator_casesensitive(self):
 faulty_rules = []
 for file in self.yield_next_rule_file_path(self.path_to_rules):
From 0b72aff084d5bc304ca2cfbc647cd8a8b4cdded1 Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Tue, 10 May 2022 11:25:09 +0200
Subject: [PATCH 28/54] chore: test rules: check title has no . in the end
---
 tests/test_rules.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/tests/test_rules.py b/tests/test_rules.py
index c3d3af0c6..e5abc79d0 100755
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
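Review bot: In test_unused_selection the `if selection in condition:` check is a plain substring test, so a selection named `selection` is treated as used by a condition that only references `selection_target`, and the unanchored `re.search` on the wildcard form lets `sel*` be satisfied by a selection named `my_sel_x`; both are false negatives for exactly the unused-selection case this commit fixes in the rule files. Use a word-bounded search, `if re.search(r"(?<!\w)" + re.escape(selection) + r"(?!\w)", condition):`, and `re.fullmatch` in place of `re.search` for the wildcard comparison. `wildcard_selections` is recompiled for every rule file and can be hoisted above the `for file` loop, and `type(condition) == list` is conventionally `isinstance(condition, list)`.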
@@ -667,6 +667,9 @@ class TestRules(unittest.TestCase):
 if title.startswith("Detects "):
 print(Fore.RED + "Rule {} has a title that starts with 'Detects'".format(file))
 faulty_rules.append(file)
+ if title.endswith("."):
+ print(Fore.RED + "Rule {} has a title that ends with '.'".format(file))
+ faulty_rules.append(file)
 wrong_casing = []
 for word in title.split(" "):
 if word.islower() and not word.lower() in allowed_lowercase_words and not "." in word and not "/" in word and not word[0].isdigit():
From cf975127b696b373e25cecf7a3c89eb9881f441e Mon Sep 17 00:00:00 2001
From: jstnk9
Date: Tue, 10 May 2022 11:41:19 +0200
Subject: [PATCH 29/54] title modified
---
 .../registry_set_scr_file_executed_by_rundll32.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml b/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml
index a55309b67..64f967dc0 100644
--- a/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml
+++ b/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml
@@ -1,6 +1,6 @@
-title: Registry Key set after .scr file execution with Rundll32
+title: ScreenSaver Registry Key Set
 id: 40b6e656-4e11-4c0c-8772-c1cc6dae34ce
-description: Detects registry key established after .scr file execution using Rundll32 through desk.cpl
+description: Detects registry key established after masqueraded .scr file execution using Rundll32 through desk.cpl
 status: experimental
 date: 2022/05/04
 modified: 2022/05/04
From 232fd9ad17ef2ceee9a72b8d5312bb57f11b25bf Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Tue, 10 May 2022 13:19:22 +0000
Subject: [PATCH 30/54] removing duplicate
---
 tools/config/hawk.yml | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/tools/config/hawk.yml b/tools/config/hawk.yml
index 42ff226c1..d97911d79 100644
--- a/tools/config/hawk.yml
+++ b/tools/config/hawk.yml
@@ -250,11 +250,6 @@ logsources:
 rewrite:
 product: zeek
 service: http
- zeek-rdp:
- product: zeek
- service: rdp
- conditions:
- hawk_source: "rdp.log"
 zeek-conn:
 product: zeek
 service: conn
From 112b715dd6c77796b27e88923127875662c65cf7 Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Tue, 10 May 2022 17:12:43 +0200 Subject: [PATCH 31/54] chore: test rules: reactivate single value list check --- .../azure_kubernetes_admission_controller.yml | 6 ++-- .../cloud/azure/azure_kubernetes_cronjob.yml | 8 ++--- ...permissions_elevation_via_activitylogs.yml | 3 +- .../azure/azure_suppression_rule_created.yml | 7 ++--- .../gcp_kubernetes_admission_controller.yml | 10 +++---- .../okta/okta_unauthorized_access_to_app.yml | 3 +- rules/compliance/workstation_was_locked.yml | 3 +- .../linux/auditd/lnx_auditd_audio_capture.yml | 9 ++---- .../auditd/lnx_auditd_susp_c2_commands.yml | 3 +- .../lnx_auditd_systemd_service_creation.yml | 5 ++-- ...d_unzip_hidden_zip_files_steganography.yml | 3 +- ...ation_lnx_bpftrace_unsafe_option_usage.yml | 8 ++--- .../proc_creation_lnx_local_account.yml | 18 ++++-------- .../proc_creation_lnx_local_groups.yml | 9 ++---- ...oc_creation_lnx_schedule_task_job_cron.yml | 6 ++-- .../proc_creation_macos_applescript.yml | 6 ++-- .../proc_creation_macos_binary_padding.yml | 12 +++----- .../proc_creation_macos_create_account.yml | 6 ++-- ...proc_creation_macos_find_cred_in_files.yml | 6 ++-- .../proc_creation_macos_gui_input_capture.yml | 3 +- .../proc_creation_macos_local_account.yml | 21 +++++--------- .../proc_creation_macos_local_groups.yml | 12 +++----- ...creation_macos_remote_system_discovery.yml | 9 ++---- ..._creation_macos_schedule_task_job_cron.yml | 6 ++-- rules/proxy/proxy_telegram_api.yml | 3 +- ...uter_cve_2021_20090_2021_20091_exploit.yml | 6 ++-- ...web_cve_2010_5278_exploitation_attempt.yml | 3 +- ...in_alert_active_directory_user_control.yml | 3 +- .../security/win_susp_lsass_dump_generic.yml | 3 +- .../win_rare_schtask_creation.yml | 3 +- ...win_defender_tamper_protection_trigger.yml | 3 +- ...e_event_win_cve_2021_1675_printspooler.yml | 3 +- .../file_event_win_iso_file_recent.yml | 5 ++-- ...le_event_win_mimimaktz_memssp_log_file.yml | 5 ++-- 
.../image_load/image_load_susp_fax_dll.yml | 9 ++---- .../image_load/image_load_susp_image_load.yml | 3 +- ...d_susp_office_dotnet_assembly_dll_load.yml | 3 +- ...e_load_susp_office_dotnet_clr_dll_load.yml | 3 +- ...e_load_susp_office_dotnet_gac_dll_load.yml | 3 +- ...mage_load_susp_office_dsparse_dll_load.yml | 3 +- ...age_load_susp_office_kerberos_dll_load.yml | 3 +- .../image_load_suspicious_vss_ps_load.yml | 9 +++--- ...e_load_svchost_dll_search_order_hijack.yml | 6 ++-- .../image_load_uac_bypass_via_dism.yml | 9 ++---- .../posh_pm_clear_powershell_history.yml | 14 +++++---- .../posh_pm_remote_powershell_session.yml | 3 +- .../posh_ps_clear_powershell_history.yml | 11 +++++-- ...sh_ps_clearing_windows_console_history.yml | 5 ++-- ...ccess_win_in_memory_assembly_execution.yml | 3 +- ...proc_access_win_rare_proc_access_lsass.yml | 5 ++-- ...proc_access_win_susp_proc_access_lsass.yml | 5 ++-- ...ll_elevated_msi_spawned_cmd_powershell.yml | 3 +- .../proc_creation_win_apt_dragonfly.yml | 3 +- .../proc_creation_win_apt_gallium.yml | 5 ++-- .../proc_creation_win_apt_greenbug_may20.yml | 3 +- ...reation_win_apt_lazarus_activity_apr21.yml | 14 ++++----- ...reation_win_apt_lazarus_activity_dec20.yml | 5 ++-- ..._creation_win_apt_muddywater_dnstunnel.yml | 9 ++---- .../proc_creation_win_apt_sourgrum.yml | 7 ++--- .../proc_creation_win_apt_taidoor.yml | 6 ++-- .../proc_creation_win_apt_unc2452_cmds.yml | 7 ++--- .../proc_creation_win_apt_winnti_pipemon.yml | 6 ++-- .../proc_creation_win_apt_zxshell.yml | 3 +- .../proc_creation_win_bitsadmin_download.yml | 16 ++++------ .../proc_creation_win_bypass_squiblytwo.yml | 3 +- .../proc_creation_win_cleanwipe.yml | 3 +- .../proc_creation_win_control_panel_item.yml | 5 ++-- ...roc_creation_win_crime_maze_ransomware.yml | 6 ++-- .../proc_creation_win_dotnet.yml | 3 +- ...proc_creation_win_expand_cabinet_files.yml | 3 +- ...roc_creation_win_exploit_cve_2020_1048.yml | 6 ++-- ..._creation_win_fsutil_drive_enumeration.yml | 3 +- 
...tion_win_install_reg_debugger_backdoor.yml | 3 +- ...n_local_system_owner_account_discovery.yml | 3 +- ...data_exfiltration_by_using_datasvcutil.yml | 3 +- ...suspicious_driver_installed_by_pnputil.yml | 3 +- ...eation_win_mal_hermetic_wiper_activity.yml | 5 ++-- .../proc_creation_win_mal_ryuk.yml | 3 +- .../proc_creation_win_malware_formbook.yml | 3 +- ...on_win_malware_trickbot_recon_activity.yml | 9 ++---- ...c_creation_win_malware_trickbot_wermgr.yml | 9 ++---- ...roc_creation_win_mimikatz_command_line.yml | 6 ++-- .../proc_creation_win_msdeploy.yml | 3 +- .../proc_creation_win_msiexec_execute_dll.yml | 4 +-- ...oc_creation_win_powershell_amsi_bypass.yml | 6 ++-- ...wershell_cmdline_specific_comb_methods.yml | 3 +- ..._creation_win_powershell_dll_execution.yml | 6 ++-- ...in_powershell_reverse_shell_connection.yml | 3 +- ...ershell_suspicious_parameter_variation.yml | 3 +- ...reation_win_powershell_xor_commandline.yml | 3 +- ...roc_creation_win_proc_dump_rdrleakdiag.yml | 4 +-- .../proc_creation_win_reg_enable_rdp.yml | 5 ++-- .../proc_creation_win_renamed_jusched.yml | 3 +- .../proc_creation_win_renamed_paexec.yml | 3 +- ...eation_win_script_event_consumer_spawn.yml | 3 +- ..._creation_win_sdbinst_shim_persistence.yml | 3 +- ...oc_creation_win_shadow_copies_deletion.yml | 3 +- .../proc_creation_win_shell_spawn_by_java.yml | 3 +- ...c_creation_win_susp_crackmapexec_flags.yml | 3 +- ...creation_win_susp_dctask64_proc_inject.yml | 6 ++-- ...roc_creation_win_susp_disable_eventlog.yml | 6 ++-- .../proc_creation_win_susp_ditsnap.yml | 6 ++-- ...ion_win_susp_emotet_rundll32_execution.yml | 6 ++-- ...tion_win_susp_execution_path_webserver.yml | 3 +- .../proc_creation_win_susp_explorer.yml | 9 ++---- .../proc_creation_win_susp_findstr.yml | 3 +- .../proc_creation_win_susp_ngrok_pua.yml | 3 +- ...c_creation_win_susp_powershell_enc_cmd.yml | 3 +- ...oc_creation_win_susp_powershell_encode.yml | 7 ++--- ...n_win_susp_powershell_getprocess_lsass.yml | 5 ++-- 
.../proc_creation_win_susp_print.yml | 15 ++++------ .../proc_creation_win_susp_rar_flags.yml | 3 +- ...roc_creation_win_susp_rasdial_activity.yml | 3 +- ...c_creation_win_susp_regsvr32_anomalies.yml | 7 ++--- ...in_susp_rundll32_js_runhtmlapplication.yml | 3 +- ...ation_win_susp_rundll32_spawn_explorer.yml | 6 ++-- ...oc_creation_win_susp_runonce_execution.yml | 9 ++---- ...proc_creation_win_susp_screensaver_reg.yml | 8 ++--- ...ion_win_susp_service_dacl_modification.yml | 3 +- ...proc_creation_win_susp_squirrel_lolbin.yml | 3 +- ...proc_creation_win_susp_sysprep_appdata.yml | 6 ++-- ...oc_creation_win_susp_tracker_execution.yml | 12 +++----- ...roc_creation_win_susp_vbscript_unc2452.yml | 5 ++-- .../proc_creation_win_susp_winzip.yml | 3 +- .../proc_creation_win_susp_wsl_lolbin.yml | 3 +- .../proc_creation_win_susp_wuauclt.yml | 3 +- ...proc_creation_win_wmi_spwns_powershell.yml | 6 ++-- .../proc_creation_win_wsreset_uac_bypass.yml | 3 +- ...registry_event_apt_oceanlotus_registry.yml | 5 ++-- .../registry_event_bypass_via_wsreset.yml | 3 +- .../registry_event_runkey_winekey.yml | 3 +- .../registry_set_disable_fonction_user.yml | 3 +- .../registry_set_globalflags_persistence.yml | 3 +- .../registry_set_persistence_search_order.yml | 3 +- .../registry_set_susp_service_installed.yml | 3 +- tests/test_rules.py | 29 +++++++++---------- 136 files changed, 278 insertions(+), 475 deletions(-) diff --git a/rules/cloud/azure/azure_kubernetes_admission_controller.yml b/rules/cloud/azure/azure_kubernetes_admission_controller.yml index 884360c34..3e2dbbbae 100644 --- a/rules/cloud/azure/azure_kubernetes_admission_controller.yml +++ b/rules/cloud/azure/azure_kubernetes_admission_controller.yml 
@@ -12,14 +12,12 @@ logsource: service: activitylogs detection: selection1: - properties.message|startswith: - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO + properties.message|startswith: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO properties.message|endswith: - /MUTATINGWEBHOOKCONFIGURATIONS/WRITE - /VALIDATINGWEBHOOKCONFIGURATIONS/WRITE selection2: - properties.message|startswith: - - MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO + properties.message|startswith: MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/ADMISSIONREGISTRATION.K8S.IO properties.message|endswith: - /MUTATINGWEBHOOKCONFIGURATIONS/WRITE - /VALIDATINGWEBHOOKCONFIGURATIONS/WRITE diff --git a/rules/cloud/azure/azure_kubernetes_cronjob.yml b/rules/cloud/azure/azure_kubernetes_cronjob.yml index ec22988cb..146f196aa 100644 --- a/rules/cloud/azure/azure_kubernetes_cronjob.yml +++ b/rules/cloud/azure/azure_kubernetes_cronjob.yml @@ -14,14 +14,12 @@ logsource: service: activitylogs detection: selection1: - properties.message|startswith: - - MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/BATCH + properties.message|startswith: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/BATCH properties.message|endswith: - /CRONJOBS/WRITE - /JOBS/WRITE selection2: - properties.message|startswith: - - MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/BATCH + properties.message|startswith: MICROSOFT.CONTAINERSERVICE/MANAGEDCLUSTERS/BATCH properties.message|endswith: - /CRONJOBS/WRITE - /JOBS/WRITE @@ -32,5 +30,5 @@ tags: - attack.privilege_escalation - attack.execution falsepositives: - - Azure Kubernetes CronJob/Job may be done by a system administrator. + - Azure Kubernetes CronJob/Job may be done by a system administrator. - If known behavior is causing false positives, it can be exempted from the rule. 
diff --git a/rules/cloud/azure/azure_subscription_permissions_elevation_via_activitylogs.yml b/rules/cloud/azure/azure_subscription_permissions_elevation_via_activitylogs.yml index 82994da37..37c184fd9 100644 --- a/rules/cloud/azure/azure_subscription_permissions_elevation_via_activitylogs.yml +++ b/rules/cloud/azure/azure_subscription_permissions_elevation_via_activitylogs.yml @@ -11,8 +11,7 @@ logsource: service: activitylogs detection: selection1: - properties.message: - - MICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION + properties.message: MICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION condition: selection1 level: high falsepositives: diff --git a/rules/cloud/azure/azure_suppression_rule_created.yml b/rules/cloud/azure/azure_suppression_rule_created.yml index 1edf50649..7c079c960 100644 --- a/rules/cloud/azure/azure_suppression_rule_created.yml +++ b/rules/cloud/azure/azure_suppression_rule_created.yml @@ -11,13 +11,12 @@ logsource: service: activitylogs detection: selection: - properties.message: - - MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE + properties.message: MICROSOFT.SECURITY/ALERTSSUPPRESSIONRULES/WRITE condition: selection level: medium tags: - attack.impact falsepositives: - - Suppression Rule being created may be performed by a system administrator. - - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Suppression Rule being created may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. - Suppression Rule created from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/rules/cloud/gcp/gcp_kubernetes_admission_controller.yml b/rules/cloud/gcp/gcp_kubernetes_admission_controller.yml index 67cfdabe6..9bdabb295 100644 --- a/rules/cloud/gcp/gcp_kubernetes_admission_controller.yml 
+++ b/rules/cloud/gcp/gcp_kubernetes_admission_controller.yml @@ -12,16 +12,14 @@ logsource: service: gcp.audit detection: selection1: - gcp.audit.method_name|startswith: - - admissionregistration.k8s.io.v*.mutatingwebhookconfigurations. - gcp.audit.method_name|endswith: + gcp.audit.method_name|startswith: admissionregistration.k8s.io.v*.mutatingwebhookconfigurations. + gcp.audit.method_name|endswith: - create - patch - replace selection2: - gcp.audit.method_name|startswith: - - admissionregistration.k8s.io.v*.validatingwebhookconfigurations. - gcp.audit.method_name|endswith: + gcp.audit.method_name|startswith: admissionregistration.k8s.io.v*.validatingwebhookconfigurations. + gcp.audit.method_name|endswith: - create - patch - replace diff --git a/rules/cloud/okta/okta_unauthorized_access_to_app.yml b/rules/cloud/okta/okta_unauthorized_access_to_app.yml index 69480d462..c9ce5ab4d 100644 --- a/rules/cloud/okta/okta_unauthorized_access_to_app.yml +++ b/rules/cloud/okta/okta_unauthorized_access_to_app.yml @@ -13,8 +13,7 @@ logsource: service: okta detection: selection: - displaymessage: - - User attempted unauthorized access to app + displaymessage: User attempted unauthorized access to app condition: selection level: medium tags: diff --git a/rules/compliance/workstation_was_locked.yml b/rules/compliance/workstation_was_locked.yml index 50e682026..3c679197e 100644 --- a/rules/compliance/workstation_was_locked.yml +++ b/rules/compliance/workstation_was_locked.yml @@ -15,8 +15,7 @@ logsource: service: security detection: selection: - EventID: - - 4800 + EventID: 4800 condition: selection falsepositives: - Unknown diff --git a/rules/linux/auditd/lnx_auditd_audio_capture.yml b/rules/linux/auditd/lnx_auditd_audio_capture.yml index fff85facd..cfb085506 100644 --- a/rules/linux/auditd/lnx_auditd_audio_capture.yml +++ b/rules/linux/auditd/lnx_auditd_audio_capture.yml 
@@ -15,12 +15,9 @@ logsource: detection: selection: type: EXECVE - a0: - - arecord - a1: - - '-vv' - a2: - - '-fdat' + a0: arecord + a1: '-vv' + a2: '-fdat' condition: selection tags: - attack.collection diff --git a/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml b/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml index 7bd2b3b07..7641995de 100644 --- a/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml +++ b/rules/linux/auditd/lnx_auditd_susp_c2_commands.yml @@ -12,8 +12,7 @@ logsource: service: auditd detection: selection: - key: - - 'susp_activity' + key: 'susp_activity' condition: selection falsepositives: - Admin or User activity diff --git a/rules/linux/auditd/lnx_auditd_systemd_service_creation.yml b/rules/linux/auditd/lnx_auditd_systemd_service_creation.yml index da6a25d92..96bfcc8be 100644 --- a/rules/linux/auditd/lnx_auditd_systemd_service_creation.yml +++ b/rules/linux/auditd/lnx_auditd_systemd_service_creation.yml @@ -16,12 +16,11 @@ detection: type: 'PATH' nametype: 'CREATE' name_1: - name|startswith: + name|startswith: - '/usr/lib/systemd/system/' - '/etc/systemd/system/' name_2: - name|contains: - - '/.config/systemd/user/' + name|contains: '/.config/systemd/user/' condition: path and 1 of name_* falsepositives: - Admin work like legit service installs. diff --git a/rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml b/rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml index 08684b463..6673e20bf 100644 --- a/rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml +++ b/rules/linux/auditd/lnx_auditd_unzip_hidden_zip_files_steganography.yml @@ -19,8 +19,7 @@ logsource: detection: commands: type: EXECVE - a0: - - unzip + a0: unzip a1: a1|endswith: - '.jpg' diff --git a/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml b/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml index d6723d8e0..a0c4b717f 100644 
--- a/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml +++ b/rules/linux/process_creation/proc_creation_lnx_bpftrace_unsafe_option_usage.yml @@ -3,7 +3,7 @@ id: f8341cb2-ee25-43fa-a975-d8a5a9714b39 status: experimental description: Detects the usage of the unsafe bpftrace option author: Andreas Hunkeler (@Karneades) -tags: +tags: - attack.execution - attack.t1059.004 references: @@ -15,10 +15,8 @@ logsource: product: linux detection: selection1: - Image|endswith: - - 'bpftrace' - CommandLine|contains: - - '--unsafe' + Image|endswith: 'bpftrace' + CommandLine|contains: '--unsafe' condition: selection1 falsepositives: - Legitimate usage of the unsafe option diff --git a/rules/linux/process_creation/proc_creation_lnx_local_account.yml b/rules/linux/process_creation/proc_creation_lnx_local_account.yml index a8e4cdaf2..2b1791a11 100644 --- a/rules/linux/process_creation/proc_creation_lnx_local_account.yml +++ b/rules/linux/process_creation/proc_creation_lnx_local_account.yml @@ -12,25 +12,19 @@ logsource: product: linux detection: selection_1: - Image|endswith: - - '/lastlog' + Image|endswith: '/lastlog' selection_2: - CommandLine|contains: - - '''x:0:''' + CommandLine|contains: '''x:0:''' selection_3: - Image|endswith: - - '/cat' + Image|endswith: '/cat' CommandLine|contains: - '/etc/passwd' - '/etc/sudoers' selection_4: - Image|endswith: - - '/id' + Image|endswith: '/id' selection_5: - Image|endswith: - - '/lsof' - CommandLine|contains: - - '-u' + Image|endswith: '/lsof' + CommandLine|contains: '-u' condition: 1 of selection* falsepositives: - Legitimate administration activities diff --git a/rules/linux/process_creation/proc_creation_lnx_local_groups.yml b/rules/linux/process_creation/proc_creation_lnx_local_groups.yml index 1dad31c4d..5ba646c21 100644 --- a/rules/linux/process_creation/proc_creation_lnx_local_groups.yml +++ b/rules/linux/process_creation/proc_creation_lnx_local_groups.yml 
@@ -12,13 +12,10 @@ logsource: product: linux detection: selection_1: - Image|endswith: - - '/groups' + Image|endswith: '/groups' selection_2: - Image|endswith: - - '/cat' - CommandLine|contains: - - '/etc/group' + Image|endswith: '/cat' + CommandLine|contains: '/etc/group' condition: 1 of selection* falsepositives: - Legitimate administration activities diff --git a/rules/linux/process_creation/proc_creation_lnx_schedule_task_job_cron.yml b/rules/linux/process_creation/proc_creation_lnx_schedule_task_job_cron.yml index a8c45fd7e..0a78a6256 100644 --- a/rules/linux/process_creation/proc_creation_lnx_schedule_task_job_cron.yml +++ b/rules/linux/process_creation/proc_creation_lnx_schedule_task_job_cron.yml @@ -12,10 +12,8 @@ logsource: product: linux detection: selection: - Image|endswith: - - 'crontab' - CommandLine|contains: - - '/tmp/' + Image|endswith: 'crontab' + CommandLine|contains: '/tmp/' condition: selection falsepositives: - Legitimate administration activities diff --git a/rules/macos/process_creation/proc_creation_macos_applescript.yml b/rules/macos/process_creation/proc_creation_macos_applescript.yml index 35f8c42da..1c4308a70 100644 --- a/rules/macos/process_creation/proc_creation_macos_applescript.yml +++ b/rules/macos/process_creation/proc_creation_macos_applescript.yml @@ -12,10 +12,8 @@ logsource: product: macos detection: selection: - Image|endswith: - - '/osascript' - CommandLine|contains|all: - - '-e' + Image|endswith: '/osascript' + CommandLine|contains: '-e' condition: selection falsepositives: - Application installers might contain scripts as part of the installation process. diff --git a/rules/macos/process_creation/proc_creation_macos_binary_padding.yml b/rules/macos/process_creation/proc_creation_macos_binary_padding.yml index fd3cfb82c..107d98437 100644 --- a/rules/macos/process_creation/proc_creation_macos_binary_padding.yml +++ b/rules/macos/process_creation/proc_creation_macos_binary_padding.yml 
@@ -12,15 +12,11 @@ logsource: category: process_creation detection: selection1: - Image|endswith: - - '/truncate' - CommandLine|contains: - - '-s' + Image|endswith: '/truncate' + CommandLine|contains: '-s' selection2: - Image|endswith: - - '/dd' - CommandLine|contains: - - 'if=' + Image|endswith: '/dd' + CommandLine|contains: 'if=' filter: CommandLine|contains: 'of=' condition: selection1 or (selection2 and not filter) diff --git a/rules/macos/process_creation/proc_creation_macos_create_account.yml b/rules/macos/process_creation/proc_creation_macos_create_account.yml index 573af8117..a000b5eb8 100644 --- a/rules/macos/process_creation/proc_creation_macos_create_account.yml +++ b/rules/macos/process_creation/proc_creation_macos_create_account.yml @@ -12,10 +12,8 @@ logsource: product: macos detection: selection: - Image|endswith: - - '/dscl' - CommandLine|contains: - - 'create' + Image|endswith: '/dscl' + CommandLine|contains: 'create' condition: selection falsepositives: - Legitimate administration activities diff --git a/rules/macos/process_creation/proc_creation_macos_find_cred_in_files.yml b/rules/macos/process_creation/proc_creation_macos_find_cred_in_files.yml index 220f44f01..ae273c242 100644 --- a/rules/macos/process_creation/proc_creation_macos_find_cred_in_files.yml +++ b/rules/macos/process_creation/proc_creation_macos_find_cred_in_files.yml @@ -12,10 +12,8 @@ logsource: category: process_creation detection: selection1: - Image|endswith: - - '/grep' - CommandLine|contains: - - 'password' + Image|endswith: '/grep' + CommandLine|contains: 'password' selection2: CommandLine|contains: 'laZagne' condition: selection1 or selection2 diff --git a/rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml b/rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml index bb18b8a3a..ac814a811 100644 --- a/rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml 
+++ b/rules/macos/process_creation/proc_creation_macos_gui_input_capture.yml @@ -13,8 +13,7 @@ logsource: category: process_creation detection: selection1: - Image: - - '/usr/sbin/osascript' + Image: '/usr/sbin/osascript' selection2: CommandLine|contains|all: - '-e' diff --git a/rules/macos/process_creation/proc_creation_macos_local_account.yml b/rules/macos/process_creation/proc_creation_macos_local_account.yml index 5274f9fbc..75dd152ca 100644 --- a/rules/macos/process_creation/proc_creation_macos_local_account.yml +++ b/rules/macos/process_creation/proc_creation_macos_local_account.yml @@ -12,34 +12,27 @@ logsource: product: macos detection: selection_1: - Image|endswith: - - '/dscl' + Image|endswith: '/dscl' CommandLine|contains|all: - 'list' - '/users' selection_2: - Image|endswith: - - '/dscacheutil' + Image|endswith: '/dscacheutil' CommandLine|contains|all: - '-q' - 'user' selection_3: - CommandLine|contains: - - '''x:0:''' + CommandLine|contains: '''x:0:''' selection_4: - Image|endswith: - - '/cat' + Image|endswith: '/cat' CommandLine|contains: - '/etc/passwd' - '/etc/sudoers' selection_5: - Image|endswith: - - '/id' + Image|endswith: '/id' selection_6: - Image|endswith: - - '/lsof' - CommandLine|contains: - - '-u' + Image|endswith: '/lsof' + CommandLine|contains: '-u' condition: 1 of selection* falsepositives: - Legitimate administration activities diff --git a/rules/macos/process_creation/proc_creation_macos_local_groups.yml b/rules/macos/process_creation/proc_creation_macos_local_groups.yml index ff1fa3e08..4701c17c3 100644 --- a/rules/macos/process_creation/proc_creation_macos_local_groups.yml +++ b/rules/macos/process_creation/proc_creation_macos_local_groups.yml 
@@ -12,19 +12,15 @@ logsource: product: macos detection: selection_1: - Image|endswith: - - '/dscacheutil' + Image|endswith: '/dscacheutil' CommandLine|contains|all: - '-q' - 'group' selection_2: - Image|endswith: - - '/cat' - CommandLine|contains: - - '/etc/group' + Image|endswith: '/cat' + CommandLine|contains: '/etc/group' selection_3: - Image|endswith: - - '/dscl' + Image|endswith: '/dscl' CommandLine|contains|all: - '-list' - '/groups' diff --git a/rules/macos/process_creation/proc_creation_macos_remote_system_discovery.yml b/rules/macos/process_creation/proc_creation_macos_remote_system_discovery.yml index 2ebcdf856..3aa5400fa 100644 --- a/rules/macos/process_creation/proc_creation_macos_remote_system_discovery.yml +++ b/rules/macos/process_creation/proc_creation_macos_remote_system_discovery.yml @@ -12,13 +12,10 @@ logsource: product: macos detection: selection_1: - Image|endswith: - - '/arp' - CommandLine|contains: - - '-a' + Image|endswith: '/arp' + CommandLine|contains: '-a' selection_2: - Image|endswith: - - '/ping' + Image|endswith: '/ping' CommandLine|contains: - ' 10.' #10.0.0.0/8 - ' 192.168.' #192.168.0.0/16 diff --git a/rules/macos/process_creation/proc_creation_macos_schedule_task_job_cron.yml b/rules/macos/process_creation/proc_creation_macos_schedule_task_job_cron.yml index b0e4558d4..98db020a8 100644 --- a/rules/macos/process_creation/proc_creation_macos_schedule_task_job_cron.yml +++ b/rules/macos/process_creation/proc_creation_macos_schedule_task_job_cron.yml @@ -12,10 +12,8 @@ logsource: product: macos detection: selection: - Image|endswith: - - '/crontab' - CommandLine|contains: - - '/tmp/' + Image|endswith: '/crontab' + CommandLine|contains: '/tmp/' condition: selection falsepositives: - Legitimate administration activities diff --git a/rules/proxy/proxy_telegram_api.yml b/rules/proxy/proxy_telegram_api.yml index c8803a0a1..c2a5ac293 100644 --- a/rules/proxy/proxy_telegram_api.yml +++ b/rules/proxy/proxy_telegram_api.yml 
@@ -13,8 +13,7 @@ logsource: category: proxy detection: selection: - r-dns: - - 'api.telegram.org' # Often used by Bots + r-dns: 'api.telegram.org' # Often used by Bots filter: c-useragent|contains: # Used https://core.telegram.org/bots/samples for this list diff --git a/rules/web/web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml b/rules/web/web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml index 869a932e9..4cf8badf1 100644 --- a/rules/web/web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml +++ b/rules/web/web_arcadyan_router_cve_2021_20090_2021_20091_exploit.yml @@ -17,12 +17,12 @@ tags: - attack.t1190 - cve.2021.20090 - cve.2021.20091 -logsource: +logsource: category: webserver detection: path_traversal: - c-uri|contains: # CVE-2021-20090 (Bypass Auth: Path Traversal) - - '..%2f' + # CVE-2021-20090 (Bypass Auth: Path Traversal) + c-uri|contains: '..%2f' config_file_inj: c-uri|contains|all: # Chaining of CVE-2021-20090 (Bypass Auth) and CVE-2021-20091 (Config File Injection) - '..%2f' diff --git a/rules/web/web_cve_2010_5278_exploitation_attempt.yml b/rules/web/web_cve_2010_5278_exploitation_attempt.yml index 368ddf6ec..7b97de252 100644 --- a/rules/web/web_cve_2010_5278_exploitation_attempt.yml +++ b/rules/web/web_cve_2010_5278_exploitation_attempt.yml @@ -13,8 +13,7 @@ logsource: category: webserver detection: selection: - c-uri|contains: - - /manager/controllers/default/resource/tvs.php?class_key=../../../../../../../../../../windows/win.ini%00 + c-uri|contains: /manager/controllers/default/resource/tvs.php?class_key=../../../../../../../../../../windows/win.ini%00 condition: selection falsepositives: - Scanning from Nuclei diff --git a/rules/windows/builtin/security/win_alert_active_directory_user_control.yml b/rules/windows/builtin/security/win_alert_active_directory_user_control.yml index aa61b3585..6dba9193c 100644 --- a/rules/windows/builtin/security/win_alert_active_directory_user_control.yml 
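Review bot: `c-uri|contains: /manager/controllers/default/resource/tvs.php?class_key=../../../../../../../../../../windows/win.ini%00` in `web_cve_2010_5278_exploitation_attempt.yml` is left as a plain scalar while every other URI value in this commit is single-quoted; the value carries `?`, `%` and `..`, which YAML accepts today but which a later edit (a leading space, an inline `#`, a `: `) would silently turn into a different value. Quote it as `c-uri|contains: '/manager/controllers/default/resource/tvs.php?class_key=../../../../../../../../../../windows/win.ini%00'`. The match is also the complete literal probe string, so `contains` behaves like an equality test here; the `Scanning from Nuclei` false-positive entry suggests that is intended, and a comment saying so would make it explicit.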
+++ b/rules/windows/builtin/security/win_alert_active_directory_user_control.yml @@ -15,8 +15,7 @@ detection: selection_base: EventID: 4704 selection_keywords: - PrivilegeList|contains: - - 'SeEnableDelegationPrivilege' + PrivilegeList|contains: 'SeEnableDelegationPrivilege' condition: all of selection* falsepositives: - Unknown diff --git a/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml b/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml index 9d4815c54..824d0f1ec 100644 --- a/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml +++ b/rules/windows/builtin/security/win_susp_lsass_dump_generic.yml @@ -67,8 +67,7 @@ detection: - C:\Windows\Temp\asgard2-agent\ - C:\ProgramData\Microsoft\Windows Defender\Platform\ filter2: - ProcessName|startswith: - - 'C:\Program Files' # too many false positives with legitimate AV and EDR solutions + ProcessName|startswith: 'C:\Program Files' # too many false positives with legitimate AV and EDR solutions filter3: ProcessName: 'C:\Windows\CCM\CcmExec.exe' condition: 1 of selection_* and not 1 of filter* diff --git a/rules/windows/builtin/taskscheduler/win_rare_schtask_creation.yml b/rules/windows/builtin/taskscheduler/win_rare_schtask_creation.yml index 363596a2f..3d19e70af 100644 --- a/rules/windows/builtin/taskscheduler/win_rare_schtask_creation.yml +++ b/rules/windows/builtin/taskscheduler/win_rare_schtask_creation.yml @@ -12,8 +12,7 @@ detection: selection: EventID: 106 filter1: - TaskName: - - \Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan + TaskName: \Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan timeframe: 7d condition: selection and not 1 of filter* | count() by TaskName < 5 falsepositives: diff --git a/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml b/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml index 69ea17366..a87228d9f 100644 
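Review bot: `TaskName: \Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan` in `filter1` of `win_rare_schtask_creation.yml` is an unquoted plain scalar containing spaces and backslashes; YAML parses it, but every other path value touched by this commit is single-quoted, and a plain scalar of this shape is fragile under reformatting tools. Write it as `TaskName: '\Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan'`. Nothing else in the hunk changes behaviour.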
--- a/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml +++ b/rules/windows/builtin/windefend/win_defender_tamper_protection_trigger.yml @@ -17,8 +17,7 @@ logsource: service: windefend detection: selection: - EventID: - - 5013 + EventID: 5013 Value|endswith: - '\Windows Defender\DisableAntiSpyware = 0x1()' - '\Real-Time Protection\DisableRealtimeMonitoring = (Current)' diff --git a/rules/windows/file_event/file_event_win_cve_2021_1675_printspooler.yml b/rules/windows/file_event/file_event_win_cve_2021_1675_printspooler.yml index 462ef78b8..045ca1dbf 100644 --- a/rules/windows/file_event/file_event_win_cve_2021_1675_printspooler.yml +++ b/rules/windows/file_event/file_event_win_cve_2021_1675_printspooler.yml @@ -21,8 +21,7 @@ logsource: product: windows detection: selection: - TargetFilename|contains: - - 'C:\Windows\System32\spool\drivers\x64\3\old\1\123' + TargetFilename|contains: 'C:\Windows\System32\spool\drivers\x64\3\old\1\123' condition: selection fields: - ComputerName diff --git a/rules/windows/file_event/file_event_win_iso_file_recent.yml b/rules/windows/file_event/file_event_win_iso_file_recent.yml index da522c721..c4ec55e2e 100644 --- a/rules/windows/file_event/file_event_win_iso_file_recent.yml +++ b/rules/windows/file_event/file_event_win_iso_file_recent.yml @@ -14,13 +14,12 @@ logsource: category: file_event detection: selection: - TargetFilename|endswith: + TargetFilename|endswith: - '.iso.lnk' - '.img.lnk' - '.vhd.lnk' - '.vhdx.lnk' - TargetFilename|contains: - - '\Microsoft\Windows\Recent\' + TargetFilename|contains: '\Microsoft\Windows\Recent\' condition: selection falsepositives: - Cases in which a user mounts an image file for legitimate reasons diff --git a/rules/windows/file_event/file_event_win_mimimaktz_memssp_log_file.yml b/rules/windows/file_event/file_event_win_mimimaktz_memssp_log_file.yml index 526903249..11a4e147f 100644 --- a/rules/windows/file_event/file_event_win_mimimaktz_memssp_log_file.yml 
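Review bot: `TargetFilename|contains: 'C:\Windows\System32\spool\drivers\x64\3\old\1\123'` in `file_event_win_cve_2021_1675_printspooler.yml` anchors on the drive letter and on the `old\1\123` counter directories, which look specific to a single public proof of concept; with the whole absolute path inside `contains`, the modifier buys nothing over `startswith`. Matching on the stable part, e.g. `TargetFilename|contains: '\spool\drivers\x64\3\old\'`, keeps the intent while covering other drive letters and counter values, and a comment above the selection should say where the original path came from so a future maintainer can judge how much to loosen it.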
+++ b/rules/windows/file_event/file_event_win_mimimaktz_memssp_log_file.yml @@ -12,10 +12,9 @@ tags: logsource: product: windows category: file_event -detection: +detection: mimikatz_memssp_filename: - TargetFilename|endswith: - - 'mimilsa.log' + TargetFilename|endswith: 'mimilsa.log' condition: mimikatz_memssp_filename falsepositives: - Unlikely diff --git a/rules/windows/image_load/image_load_susp_fax_dll.yml b/rules/windows/image_load/image_load_susp_fax_dll.yml index b49be7ca9..e9d31e38c 100644 --- a/rules/windows/image_load/image_load_susp_fax_dll.yml +++ b/rules/windows/image_load/image_load_susp_fax_dll.yml @@ -12,13 +12,10 @@ logsource: product: windows detection: selection: - Image|endswith: - - fxssvc.exe - ImageLoaded|endswith: - - ualapi.dll + Image|endswith: fxssvc.exe + ImageLoaded|endswith: ualapi.dll filter: - ImageLoaded|startswith: - - C:\Windows\WinSxS\ + ImageLoaded|startswith: C:\Windows\WinSxS\ condition: selection and not filter falsepositives: - Unlikely diff --git a/rules/windows/image_load/image_load_susp_image_load.yml b/rules/windows/image_load/image_load_susp_image_load.yml index ff5ca7bfe..5b4a32a59 100755 --- a/rules/windows/image_load/image_load_susp_image_load.yml +++ b/rules/windows/image_load/image_load_susp_image_load.yml @@ -12,8 +12,7 @@ logsource: product: windows detection: selection: - Image|endswith: - - '\notepad.exe' + Image|endswith: '\notepad.exe' ImageLoaded|endswith: - '\samlib.dll' - '\WinSCard.dll' diff --git a/rules/windows/image_load/image_load_susp_office_dotnet_assembly_dll_load.yml b/rules/windows/image_load/image_load_susp_office_dotnet_assembly_dll_load.yml index 6feea67a4..39d6afed7 100755 --- a/rules/windows/image_load/image_load_susp_office_dotnet_assembly_dll_load.yml +++ b/rules/windows/image_load/image_load_susp_office_dotnet_assembly_dll_load.yml 
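Review bot: `Image|endswith: fxssvc.exe`, `ImageLoaded|endswith: ualapi.dll` and `ImageLoaded|startswith: C:\Windows\WinSxS\` in `image_load_susp_fax_dll.yml` stay unquoted after the cleanup while the neighbouring rules in the same commit quote the same kind of value, and the WinSxS prefix ends in a backslash that a formatter may not preserve in a plain scalar. Quote them as `Image|endswith: '\fxssvc.exe'`, `ImageLoaded|endswith: '\ualapi.dll'` and `ImageLoaded|startswith: 'C:\Windows\WinSxS\'`. The added leading backslash also stops the `endswith` values matching a longer basename that merely ends in the same characters, which is how the other image_load rules in this commit write them.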
@@ -17,8 +17,7 @@ detection: - '\powerpnt.exe' - '\excel.exe' - '\outlook.exe' - ImageLoaded|startswith: - - 'C:\Windows\assembly\' + ImageLoaded|startswith: 'C:\Windows\assembly\' condition: selection falsepositives: - Alerts on legitimate macro usage as well, will need to filter as appropriate diff --git a/rules/windows/image_load/image_load_susp_office_dotnet_clr_dll_load.yml b/rules/windows/image_load/image_load_susp_office_dotnet_clr_dll_load.yml index 2cb835dfa..6c721153a 100755 --- a/rules/windows/image_load/image_load_susp_office_dotnet_clr_dll_load.yml +++ b/rules/windows/image_load/image_load_susp_office_dotnet_clr_dll_load.yml @@ -17,8 +17,7 @@ detection: - '\powerpnt.exe' - '\excel.exe' - '\outlook.exe' - ImageLoaded|contains: - - '\clr.dll' + ImageLoaded|contains: '\clr.dll' condition: selection falsepositives: - Alerts on legitimate macro usage as well, will need to filter as appropriate diff --git a/rules/windows/image_load/image_load_susp_office_dotnet_gac_dll_load.yml b/rules/windows/image_load/image_load_susp_office_dotnet_gac_dll_load.yml index fc8c755b5..4fb4fd360 100755 --- a/rules/windows/image_load/image_load_susp_office_dotnet_gac_dll_load.yml +++ b/rules/windows/image_load/image_load_susp_office_dotnet_gac_dll_load.yml @@ -17,8 +17,7 @@ detection: - '\powerpnt.exe' - '\excel.exe' - '\outlook.exe' - ImageLoaded|startswith: - - 'C:\Windows\Microsoft.NET\assembly\GAC_MSIL' + ImageLoaded|startswith: 'C:\Windows\Microsoft.NET\assembly\GAC_MSIL' condition: selection falsepositives: - Alerts on legitimate macro usage as well, will need to filter as appropriate diff --git a/rules/windows/image_load/image_load_susp_office_dsparse_dll_load.yml b/rules/windows/image_load/image_load_susp_office_dsparse_dll_load.yml index 649f5d309..adcd6b0ab 100755 --- a/rules/windows/image_load/image_load_susp_office_dsparse_dll_load.yml +++ b/rules/windows/image_load/image_load_susp_office_dsparse_dll_load.yml 
@@ -17,8 +17,7 @@ detection: - '\powerpnt.exe' - '\excel.exe' - '\outlook.exe' - ImageLoaded|contains: - - '\dsparse.dll' + ImageLoaded|contains: '\dsparse.dll' condition: selection falsepositives: - Alerts on legitimate macro usage as well, will need to filter as appropriate diff --git a/rules/windows/image_load/image_load_susp_office_kerberos_dll_load.yml b/rules/windows/image_load/image_load_susp_office_kerberos_dll_load.yml index f72268538..dd54239f2 100755 --- a/rules/windows/image_load/image_load_susp_office_kerberos_dll_load.yml +++ b/rules/windows/image_load/image_load_susp_office_kerberos_dll_load.yml @@ -17,8 +17,7 @@ detection: - '\powerpnt.exe' - '\excel.exe' - '\outlook.exe' - ImageLoaded|endswith: - - '\kerberos.dll' + ImageLoaded|endswith: '\kerberos.dll' condition: selection falsepositives: - Alerts on legitimate macro usage as well, will need to filter as appropriate diff --git a/rules/windows/image_load/image_load_suspicious_vss_ps_load.yml b/rules/windows/image_load/image_load_suspicious_vss_ps_load.yml index 1d9b98d2c..6ad311ec0 100644 --- a/rules/windows/image_load/image_load_suspicious_vss_ps_load.yml +++ b/rules/windows/image_load/image_load_suspicious_vss_ps_load.yml @@ -7,18 +7,17 @@ date: 2021/07/07 modified: 2022/05/06 references: - 1bd85e1caa1415ebdc8852c91e37bbb7 - - https://twitter.com/am0nsec/status/1412232114980982787 + - https://twitter.com/am0nsec/status/1412232114980982787 tags: - attack.defense_evasion - - attack.impact + - attack.impact - attack.t1490 logsource: category: image_load product: windows detection: selection: - ImageLoaded|endswith: - - '\vss_ps.dll' + ImageLoaded|endswith: '\vss_ps.dll' filter: Image|endswith: - '\svchost.exe' @@ -39,4 +38,4 @@ detection: condition: selection and not filter falsepositives: - Unknown -level: high +level: high 
diff --git a/rules/windows/image_load/image_load_svchost_dll_search_order_hijack.yml b/rules/windows/image_load/image_load_svchost_dll_search_order_hijack.yml index 02a3bf323..626eb21ae 100755 --- a/rules/windows/image_load/image_load_svchost_dll_search_order_hijack.yml +++ b/rules/windows/image_load/image_load_svchost_dll_search_order_hijack.yml @@ -12,15 +12,13 @@ logsource: product: windows detection: selection: - Image|endswith: - - '\svchost.exe' + Image|endswith: '\svchost.exe' ImageLoaded|endswith: - '\tsmsisrv.dll' - '\tsvipsrv.dll' - '\wlbsctrl.dll' filter: - ImageLoaded|startswith: - - 'C:\Windows\WinSxS\' + ImageLoaded|startswith: 'C:\Windows\WinSxS\' condition: selection and not filter falsepositives: - Unknown diff --git a/rules/windows/image_load/image_load_uac_bypass_via_dism.yml b/rules/windows/image_load/image_load_uac_bypass_via_dism.yml index ff1fba982..595d310d5 100644 --- a/rules/windows/image_load/image_load_uac_bypass_via_dism.yml +++ b/rules/windows/image_load/image_load_uac_bypass_via_dism.yml @@ -18,13 +18,10 @@ logsource: product: windows detection: selection: - Image|endswith: - - '\dism.exe' - ImageLoaded|endswith: - - '\dismcore.dll' + Image|endswith: '\dism.exe' + ImageLoaded|endswith: '\dismcore.dll' filter: - ImageLoaded: - - 'C:\Windows\System32\Dism\dismcore.dll' + ImageLoaded: 'C:\Windows\System32\Dism\dismcore.dll' condition: selection and not filter falsepositives: - Actions of a legitimate telnet client diff --git a/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml b/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml index 8faa41211..6f1b38273 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml 
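Review bot: `falsepositives: - Actions of a legitimate telnet client` in `image_load_uac_bypass_via_dism.yml` does not describe this rule, which matches `dism.exe` loading a `dismcore.dll` from anywhere other than `C:\Windows\System32\Dism\dismcore.dll`; it reads as a copy-paste from an unrelated rule and will mislead whoever triages the alert. Replace it with `- Unknown` or with a case that is actually about DISM, and bump `modified` since the file is being edited. The svchost search-order rule in the previous hunk has the same shape and its `Unknown` entry is fine.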
@@ -6,7 +6,7 @@ related: status: experimental description: Detects keywords that could indicate clearing PowerShell history date: 2019/10/25 -modified: 2021/10/16 +modified: 2022/05/10 author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community references: - https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a @@ -23,14 +23,18 @@ detection: - 'del' - 'Remove-Item' - 'rm' - Payload|contains|all: - - '(Get-PSReadlineOption).HistorySavePath' + Payload|contains|all: '(Get-PSReadlineOption).HistorySavePath' selection_payload_2: Payload|contains|all: - 'Set-PSReadlineOption' - - '–HistorySaveStyle' + - '–HistorySaveStyle' # not sure if the homoglyph –/- is intended, just checking for both - 'SaveNothing' - condition: selection_payload_1 or selection_payload_2 + selection_payload_3: + Payload|contains|all: + - 'Set-PSReadlineOption' + - '-HistorySaveStyle' + - 'SaveNothing' + condition: 1 of selection_* falsepositives: - Legitimate PowerShell scripts level: medium diff --git a/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml b/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml index a33d80aea..7edd8a19b 100644 --- a/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml +++ b/rules/windows/powershell/powershell_module/posh_pm_remote_powershell_session.yml @@ -22,8 +22,7 @@ detection: - ' = ServerRemoteHost ' # HostName: 'ServerRemoteHost' french : Nom d’hôte = - 'wsmprovhost.exe' # HostApplication|contains: 'wsmprovhost.exe' french Application hôte = false_positive_1: - ContextInfo|contains: - - '\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psm1' + ContextInfo|contains: '\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psm1' condition: selection and not 1 of false_positive* falsepositives: 
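Review bot: `Payload|contains|all: '(Get-PSReadlineOption).HistorySavePath'` in `selection_payload_1` applies the `all` modifier to a single scalar, where it is a no-op that reads as though several values were required; now that the value is no longer a list the modifier should go: `Payload|contains: '(Get-PSReadlineOption).HistorySavePath'`. The same pattern is produced in `posh_ps_clear_powershell_history.yml` (`ScriptBlockText|contains|all:` on one value), `proc_creation_win_apt_winnti_pipemon.yml` (`CommandLine|contains|all: 'setup.exe'`) and `proc_creation_win_install_reg_debugger_backdoor.yml` (`CommandLine|contains|all: '\CurrentVersion\Image File Execution Options\'`). Keeping the en-dash `–HistorySaveStyle` selection next to the new hyphen one is reasonable, but the inline comment `# not sure if the homoglyph –/- is intended, just checking for both` records doubt rather than a reason; a comment that states why both spellings are kept (or that the en dash was in the rule as first written) would serve the next maintainer better.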
diff --git a/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml b/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml index d1902e7f8..ec727f8b5 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml @@ -9,6 +9,7 @@ author: Ilyas Ochkov, Jonhnathan Ribeiro, Daniil Yugoslavskiy, oscd.community references: - https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a date: 2022/01/25 +modified: 2022/05/10 logsource: product: windows category: ps_script @@ -19,12 +20,16 @@ detection: - 'del' - 'Remove-Item' - 'rm' - ScriptBlockText|contains|all: - - '(Get-PSReadlineOption).HistorySavePath' + ScriptBlockText|contains|all: '(Get-PSReadlineOption).HistorySavePath' selection_2: ScriptBlockText|contains|all: - 'Set-PSReadlineOption' - - '–HistorySaveStyle' + - '–HistorySaveStyle' # not sure if the homoglyph –/- is intended, just checking for both + - 'SaveNothing' + selection_3: + ScriptBlockText|contains|all: + - 'Set-PSReadlineOption' + - '-HistorySaveStyle' - 'SaveNothing' condition: 1 of selection_* falsepositives: diff --git a/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml b/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml index eec0a0b9b..0e1f00f76 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_clearing_windows_console_history.yml @@ -11,10 +11,9 @@ references: logsource: product: windows category: ps_script -detection: +detection: selection1: - ScriptBlockText|contains: - - Clear-History + ScriptBlockText|contains: Clear-History selection2a: ScriptBlockText|contains: - Remove-Item 
diff --git a/rules/windows/process_access/proc_access_win_in_memory_assembly_execution.yml b/rules/windows/process_access/proc_access_win_in_memory_assembly_execution.yml index 3d748a08d..3e02c246a 100644 --- a/rules/windows/process_access/proc_access_win_in_memory_assembly_execution.yml +++ b/rules/windows/process_access/proc_access_win_in_memory_assembly_execution.yml @@ -72,8 +72,7 @@ detection: - TargetImage|endswith: '\Microsoft VS Code\Code.exe' - CallTrace|contains: '|C:\WINDOWS\System32\RPCRT4.dll+' # attempt to save the rule with a broader filter filter_set_1: - SourceImage: - - 'C:\WINDOWS\Explorer.EXE' + SourceImage: 'C:\WINDOWS\Explorer.EXE' TargetImage: - 'C:\WINDOWS\system32\backgroundTaskHost.exe' - 'C:\WINDOWS\explorer.exe' diff --git a/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml b/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml index 98ba8e4d1..9390c1a4e 100644 --- a/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml +++ b/rules/windows/process_access/proc_access_win_rare_proc_access_lsass.yml @@ -59,8 +59,7 @@ detection: SourceImage|startswith: - 'C:\Program Files\' - 'C:\Program Files (x86)\' - SourceImage|contains: - - 'Antivirus' + SourceImage|contains: 'Antivirus' filter7: SourceImage: 'C:\WINDOWS\system32\wbem\wmiprvse.exe' filter8: @@ -69,7 +68,7 @@ detection: SourceImage: 'C:\Program Files\Common Files\McAfee\MMSSHost\MMSSHOST.exe' filter_nextron: SourceImage|startswith: 'C:\Windows\Temp\asgard2-agent\' - SourceImage|endswith: + SourceImage|endswith: - '\thor64.exe' - '\thor.exe' # Generic Filter for 0x1410 filter (caused by so many programs like DropBox updates etc.) diff --git a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml index fa47b67be..1ae2217af 100644 --- a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml 
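Review bot: `SourceImage|contains: 'Antivirus'` in the filter at the top of the `proc_access_win_rare_proc_access_lsass.yml` hunk exempts any process under `Program Files` whose path merely contains that word, so the exclusion is keyed on a substring rather than on a known vendor binary; it is the broadest filter visible here and, unlike `filter_nextron` with its explicit `SourceImage|endswith` values, carries no second constraint. Consider narrowing it to the specific vendor paths that were observed, or adding the `GrantedAccess` value those products actually request. The same substring filter exists in `proc_access_win_susp_proc_access_lsass.yml` in the next hunk.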
+++ b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml @@ -77,8 +77,7 @@ detection: SourceImage|startswith: - 'C:\Progra Files\' - 'C:\Progra Files (x86)\' - SourceImage|contains: - - 'Antivirus' + SourceImage|contains: 'Antivirus' filter_mrt: SourceImage: 'C:\WINDOWS\system32\MRT.exe' GrantedAccess: '0x1418' @@ -86,7 +85,7 @@ detection: SourceImage: 'C:\Program Files\Common Files\McAfee\MMSSHost\MMSSHOST.exe' filter_nextron: SourceImage|startswith: 'C:\Windows\Temp\asgard2-agent\' - SourceImage|endswith: + SourceImage|endswith: - '\thor64.exe' - '\thor.exe' GrantedAccess: '0x1fffff' diff --git a/rules/windows/process_creation/proc_creation_win_always_install_elevated_msi_spawned_cmd_powershell.yml b/rules/windows/process_creation/proc_creation_win_always_install_elevated_msi_spawned_cmd_powershell.yml index 661b19510..4d1e94480 100644 --- a/rules/windows/process_creation/proc_creation_win_always_install_elevated_msi_spawned_cmd_powershell.yml +++ b/rules/windows/process_creation/proc_creation_win_always_install_elevated_msi_spawned_cmd_powershell.yml @@ -19,8 +19,7 @@ detection: ParentImage|contains|all: - '\Windows\Installer\' - 'msi' - ParentImage|endswith: - - 'tmp' + ParentImage|endswith: 'tmp' condition: image and parent_image fields: - Image diff --git a/rules/windows/process_creation/proc_creation_win_apt_dragonfly.yml b/rules/windows/process_creation/proc_creation_win_apt_dragonfly.yml index 0fac43cee..3512ee434 100755 --- a/rules/windows/process_creation/proc_creation_win_apt_dragonfly.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_dragonfly.yml @@ -13,8 +13,7 @@ logsource: product: windows detection: selection: - Image|endswith: - - '\crackmapexec.exe' + Image|endswith: '\crackmapexec.exe' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_apt_gallium.yml b/rules/windows/process_creation/proc_creation_win_apt_gallium.yml index 8b731bfb3..ffabc8685 100644 
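Review bot: The context lines `- 'C:\Progra Files\'` and `- 'C:\Progra Files (x86)\'` in `proc_access_win_susp_proc_access_lsass.yml` misspell `Program Files`, so the `SourceImage|startswith` prerequisite never matches and the `SourceImage|contains: 'Antivirus'` exclusion being rewritten in this hunk is dead, which means the rule alerts on the AV products it was meant to suppress. The companion `proc_access_win_rare_proc_access_lsass.yml` in the previous hunk spells the same prefixes correctly. Since the commit already touches this filter, change them to `- 'C:\Program Files\'` and `- 'C:\Program Files (x86)\'`.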
--- a/rules/windows/process_creation/proc_creation_win_apt_gallium.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_gallium.yml @@ -13,7 +13,7 @@ references: - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn800669(v=ws.11) tags: - attack.credential_access - - attack.t1212 + - attack.t1212 - attack.command_and_control - attack.t1071 logsource: @@ -25,8 +25,7 @@ detection: - ':\Program Files(x86)\' - ':\Program Files\' legitimate_executable: - sha1: - - 'e570585edc69f9074cb5e8a790708336bd45ca0f' + sha1: 'e570585edc69f9074cb5e8a790708336bd45ca0f' condition: legitimate_executable and not legitimate_process_path falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_apt_greenbug_may20.yml b/rules/windows/process_creation/proc_creation_win_apt_greenbug_may20.yml index 1b6cebf75..2e78e6e83 100644 --- a/rules/windows/process_creation/proc_creation_win_apt_greenbug_may20.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_greenbug_may20.yml @@ -25,8 +25,7 @@ detection: - '/transfer' - 'CSIDL_APPDATA' selection2: - CommandLine|contains: - - 'CSIDL_SYSTEM_DRIVE' + CommandLine|contains: 'CSIDL_SYSTEM_DRIVE' selection3: CommandLine|contains: - '\msf.ps1' diff --git a/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_apr21.yml b/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_apr21.yml index 9926930f7..43aa1fd55 100644 --- a/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_apr21.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_apr21.yml @@ -7,7 +7,7 @@ references: tags: - attack.g0032 - attack.execution - - attack.t1106 + - attack.t1106 author: Bhabesh Raj date: 2021/04/20 modified: 2021/06/27 
@@ -20,15 +20,11 @@ detection: - 'mshta' - '.zip' selection2: - ParentImage: - - 'C:\Windows\System32\wbem\wmiprvse.exe' - Image: - - 'C:\Windows\System32\mshta.exe' + ParentImage: 'C:\Windows\System32\wbem\wmiprvse.exe' + Image: 'C:\Windows\System32\mshta.exe' selection3: - ParentImage|contains: - - ':\Users\Public\' - Image: - - 'C:\Windows\System32\rundll32.exe' + ParentImage|contains: ':\Users\Public\' + Image: 'C:\Windows\System32\rundll32.exe' condition: 1 of selection* falsepositives: - Should not be any false positives diff --git a/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_dec20.yml b/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_dec20.yml index dec51827b..163796a0f 100644 --- a/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_dec20.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_lazarus_activity_dec20.yml @@ -8,7 +8,7 @@ references: tags: - attack.g0032 - attack.execution - - attack.t1059 + - attack.t1059 author: Florian Roth date: 2020/12/23 modified: 2021/06/27 @@ -32,8 +32,7 @@ detection: - ' > %temp%\~' # Network share discovery selection4: - CommandLine|contains: - - '.255 10 C:\ProgramData\' + CommandLine|contains: '.255 10 C:\ProgramData\' condition: 1 of selection* falsepositives: - Overlap with legitimate process activity in some cases (especially selection 3 and 4) diff --git a/rules/windows/process_creation/proc_creation_win_apt_muddywater_dnstunnel.yml b/rules/windows/process_creation/proc_creation_win_apt_muddywater_dnstunnel.yml index e4f571891..eab960716 100644 --- a/rules/windows/process_creation/proc_creation_win_apt_muddywater_dnstunnel.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_muddywater_dnstunnel.yml 
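Review bot: `Image: 'C:\Windows\System32\mshta.exe'` and `Image: 'C:\Windows\System32\rundll32.exe'` in `selection2` and `selection3` of `proc_creation_win_apt_lazarus_activity_apr21.yml` are exact full-path matches, so the same binaries started from `SysWOW64` or from a Windows installation on another drive letter fall outside the rule, while the parent side of each selection already uses `|contains` and the rest of this commit writes image names with `|endswith`. Consider `Image|endswith: '\mshta.exe'` and `Image|endswith: '\rundll32.exe'`; the `ParentImage` constraint remains the discriminating part of each selection.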
@@ -13,12 +13,9 @@ logsource: product: windows detection: selection: - Image|endswith: - - '\powershell.exe' - ParentImage|endswith: - - '\excel.exe' - CommandLine|contains: - - 'DataExchange.dll' + Image|endswith: '\powershell.exe' + ParentImage|endswith: '\excel.exe' + CommandLine|contains: 'DataExchange.dll' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_apt_sourgrum.yml b/rules/windows/process_creation/proc_creation_win_apt_sourgrum.yml index 5cfbb594c..4fa710af6 100644 --- a/rules/windows/process_creation/proc_creation_win_apt_sourgrum.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_sourgrum.yml @@ -22,7 +22,7 @@ detection: selection1: Image|contains: 'windows\system32\Physmem.sys' selection2: - Image|contains: + Image|contains: - 'Windows\system32\ime\SHARED\WimBootConfigurations.ini' - 'Windows\system32\ime\IMEJP\WimBootConfigurations.ini' - 'Windows\system32\ime\IMETC\WimBootConfigurations.ini' @@ -31,10 +31,9 @@ detection: - 'windows\system32\filepath2' - 'windows\system32\ime' registry_command: - CommandLine|contains: - - 'reg add' + CommandLine|contains: 'reg add' registry_key: - CommandLine|contains: + CommandLine|contains: - 'HKEY_LOCAL_MACHINE\software\classes\clsid\{7c857801-7381-11cf-884d-00aa004b2e24}\inprocserver32' - 'HKEY_LOCAL_MACHINE\software\classes\clsid\{cf4cc405-e2c5-4ddd-b3ce-5e7582d8c9fa}\inprocserver32' condition: selection1 or selection2 or (selection3 and registry_command and registry_key) diff --git a/rules/windows/process_creation/proc_creation_win_apt_taidoor.yml b/rules/windows/process_creation/proc_creation_win_apt_taidoor.yml index 7edbbc58c..443cace83 100644 --- a/rules/windows/process_creation/proc_creation_win_apt_taidoor.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_taidoor.yml 
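Review bot: `Image|contains: 'windows\system32\Physmem.sys'` in `selection1` and the `WimBootConfigurations.ini` list in `selection2` of `proc_creation_win_apt_sourgrum.yml` compare the `Image` field of a process_creation event against driver and configuration file paths; a `.sys` or `.ini` path does not presumably appear as the image of a created process, so these selections look unable to fire in this log source and the indicators would belong in a `file_event`/`TargetFilename` or `driver_load` rule. Only the `selection3 and registry_command and registry_key` branch of the condition appears to match process events. This is pre-existing, but the scalar cleanup is a good moment to split the file-path indicators into their own rule.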
@@ -16,11 +16,9 @@ detection: - 'dll,MyStart' - 'dll MyStart' selection2a: - CommandLine|endswith: - - ' MyStart' + CommandLine|endswith: ' MyStart' selection2b: - CommandLine|contains: - - 'rundll32.exe' + CommandLine|contains: 'rundll32.exe' condition: selection1 or ( selection2a and selection2b ) falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_apt_unc2452_cmds.yml b/rules/windows/process_creation/proc_creation_win_apt_unc2452_cmds.yml index be14932ea..58d0e330c 100644 --- a/rules/windows/process_creation/proc_creation_win_apt_unc2452_cmds.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_unc2452_cmds.yml @@ -17,8 +17,7 @@ logsource: product: windows detection: selection1: - CommandLine|contains: - - '7z.exe a -v500m -mx9 -r0 -p' + CommandLine|contains: '7z.exe a -v500m -mx9 -r0 -p' selection2: ParentCommandLine|contains|all: - 'wscript.exe' @@ -32,14 +31,14 @@ detection: ParentCommandLine|contains: 'C:\Windows' CommandLine|contains: 'cmd.exe /C ' selection4: - CommandLine|contains|all: + CommandLine|contains|all: - 'rundll32 c:\windows\' - '.dll ' specific1: ParentImage|endswith: '\rundll32.exe' Image|endswith: '\dllhost.exe' filter1: - CommandLine: + CommandLine: - ' ' - '' condition: selection1 or selection2 or selection3 or selection4 or ( specific1 and not filter1 ) diff --git a/rules/windows/process_creation/proc_creation_win_apt_winnti_pipemon.yml b/rules/windows/process_creation/proc_creation_win_apt_winnti_pipemon.yml index 12cb48791..ec4d3aefb 100644 --- a/rules/windows/process_creation/proc_creation_win_apt_winnti_pipemon.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_winnti_pipemon.yml @@ -12,11 +12,9 @@ logsource: product: windows detection: selection1: - CommandLine|contains: - - 'setup0.exe -p' + CommandLine|contains: 'setup0.exe -p' selection2: - CommandLine|contains|all: - - 'setup.exe' + CommandLine|contains|all: 'setup.exe' CommandLine|endswith: - '-x:0' - '-x:1' 
diff --git a/rules/windows/process_creation/proc_creation_win_apt_zxshell.yml b/rules/windows/process_creation/proc_creation_win_apt_zxshell.yml index d47b54577..251f7b728 100755 --- a/rules/windows/process_creation/proc_creation_win_apt_zxshell.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_zxshell.yml @@ -12,8 +12,7 @@ logsource: product: windows detection: selection: - Image|endswith: - - '\rundll32.exe' + Image|endswith: '\rundll32.exe' CommandLine|contains: - 'zxFunction' - 'RemoteDiskXXXXX' diff --git a/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml b/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml index 508bc93c9..f2f783ef8 100644 --- a/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml +++ b/rules/windows/process_creation/proc_creation_win_bitsadmin_download.yml @@ -11,30 +11,26 @@ tags: - attack.persistence - attack.t1197 - attack.s0190 - - attack.t1036.003 + - attack.t1036.003 date: 2017/03/09 modified: 2021/07/16 -author: Michael Haag, FPT.EagleEye +author: Michael Haag, FPT.EagleEye logsource: category: process_creation product: windows detection: selection1: - Image|endswith: - - '\bitsadmin.exe' + Image|endswith: '\bitsadmin.exe' susp_flag_1: - CommandLine|contains: - - ' /transfer ' + CommandLine|contains: ' /transfer ' susp_flag_2: CommandLine|contains: - ' /create ' - ' /addfile ' http_flag: - CommandLine|contains: - - 'http' + CommandLine|contains: 'http' selection2: - CommandLine|contains: - - 'copy bitsadmin.exe' + CommandLine|contains: 'copy bitsadmin.exe' condition: (selection1 and susp_flag_2 and http_flag) or (selection1 and susp_flag_1) or selection2 fields: - CommandLine diff --git a/rules/windows/process_creation/proc_creation_win_bypass_squiblytwo.yml b/rules/windows/process_creation/proc_creation_win_bypass_squiblytwo.yml index c49a2c2fc..b36661bce 100644 --- a/rules/windows/process_creation/proc_creation_win_bypass_squiblytwo.yml 
+++ b/rules/windows/process_creation/proc_creation_win_bypass_squiblytwo.yml @@ -13,8 +13,7 @@ logsource: product: windows detection: selection_one: - Image|endswith: - - '\wmic.exe' + Image|endswith: '\wmic.exe' CommandLine|contains|all: - wmic - format diff --git a/rules/windows/process_creation/proc_creation_win_cleanwipe.yml b/rules/windows/process_creation/proc_creation_win_cleanwipe.yml index 01a59704d..6ddcd6289 100644 --- a/rules/windows/process_creation/proc_creation_win_cleanwipe.yml +++ b/rules/windows/process_creation/proc_creation_win_cleanwipe.yml @@ -14,8 +14,7 @@ logsource: product: windows detection: selection1: - Image|endswith: - - '\SepRemovalToolNative_x64.exe' + Image|endswith: '\SepRemovalToolNative_x64.exe' selection2: Image|endswith: '\CATClean.exe' CommandLine|contains: '--uninstall' diff --git a/rules/windows/process_creation/proc_creation_win_control_panel_item.yml b/rules/windows/process_creation/proc_creation_win_control_panel_item.yml index 3b3d79819..b0773efe7 100644 --- a/rules/windows/process_creation/proc_creation_win_control_panel_item.yml +++ b/rules/windows/process_creation/proc_creation_win_control_panel_item.yml @@ -7,7 +7,7 @@ references: - https://attack.mitre.org/techniques/T1196/ - https://ired.team/offensive-security/code-execution/code-execution-through-control-panel-add-ins date: 2020/06/22 -modified: 2022/03/31 +modified: 2022/05/10 logsource: product: windows category: process_creation @@ -27,8 +27,7 @@ detection: Image|endswith: '\reg.exe' CommandLine|contains: 'add' selection3: - CommandLine|contains: - - 'CurrentVersion\\Control Panel\\CPLs' + CommandLine|contains: 'CurrentVersion\Control Panel\CPLs' condition: (selection1 and not filter and not fp1_igfx) or (selection2 and selection3) falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_crime_maze_ransomware.yml b/rules/windows/process_creation/proc_creation_win_crime_maze_ransomware.yml index 8a2ddd09c..af24a4df5 100644 
--- a/rules/windows/process_creation/proc_creation_win_crime_maze_ransomware.yml +++ b/rules/windows/process_creation/proc_creation_win_crime_maze_ransomware.yml @@ -21,10 +21,8 @@ logsource: detection: # Dropper selection1: - ParentImage|endswith: - - '\WINWORD.exe' - Image|endswith: - - '.tmp' + ParentImage|endswith: '\WINWORD.exe' + Image|endswith: '.tmp' # Binary Execution selection2: Image|endswith: '\wmic.exe' diff --git a/rules/windows/process_creation/proc_creation_win_dotnet.yml b/rules/windows/process_creation/proc_creation_win_dotnet.yml index 94d171008..22899b5ed 100644 --- a/rules/windows/process_creation/proc_creation_win_dotnet.yml +++ b/rules/windows/process_creation/proc_creation_win_dotnet.yml @@ -17,8 +17,7 @@ detection: CommandLine|endswith: - '.dll' - '.csproj' - Image|endswith: - - '\dotnet.exe' + Image|endswith: '\dotnet.exe' condition: selection fields: - ComputerName diff --git a/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml b/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml index b05acd63f..1202cc9f2 100644 --- a/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml +++ b/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml @@ -16,8 +16,7 @@ logsource: product: windows detection: selection: - Image|endswith: - - '\expand.exe' + Image|endswith: '\expand.exe' CommandLine|contains: - '.cab' - '/F:' diff --git a/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_1048.yml b/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_1048.yml index 99e1ac1cb..2baea071a 100644 --- a/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_1048.yml +++ b/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_1048.yml 
@@ -12,16 +12,14 @@ logsource: product: windows detection: selection1: - CommandLine|contains: - - 'Add-PrinterPort -Name' + CommandLine|contains: 'Add-PrinterPort -Name' selection2: CommandLine|contains: - '.exe' - '.dll' - '.bat' selection3: - CommandLine|contains: - - 'Generic / Text Only' + CommandLine|contains: 'Generic / Text Only' condition: ( selection1 and selection2 ) or selection3 falsepositives: - New printer port install on host diff --git a/rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml b/rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml index 379d807d8..2439d79a9 100644 --- a/rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml +++ b/rules/windows/process_creation/proc_creation_win_fsutil_drive_enumeration.yml @@ -16,8 +16,7 @@ detection: binary_2: OriginalFileName: 'fsutil.exe' selection: - CommandLine|contains: - - 'drives' + CommandLine|contains: 'drives' condition: (1 of binary_*) and selection falsepositives: - Certain software or administrative tasks may trigger false positivies. diff --git a/rules/windows/process_creation/proc_creation_win_install_reg_debugger_backdoor.yml b/rules/windows/process_creation/proc_creation_win_install_reg_debugger_backdoor.yml index 2c07f3ef8..3e1c63bf0 100644 --- a/rules/windows/process_creation/proc_creation_win_install_reg_debugger_backdoor.yml +++ b/rules/windows/process_creation/proc_creation_win_install_reg_debugger_backdoor.yml @@ -12,8 +12,7 @@ logsource: product: windows detection: selection: - CommandLine|contains|all: - - '\CurrentVersion\Image File Execution Options\' + CommandLine|contains|all: '\CurrentVersion\Image File Execution Options\' CommandLine|contains: - 'sethc.exe' - 'utilman.exe' diff --git a/rules/windows/process_creation/proc_creation_win_local_system_owner_account_discovery.yml b/rules/windows/process_creation/proc_creation_win_local_system_owner_account_discovery.yml index 27c50a03e..a7f26efec 100644 
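Review bot: In the `selection` block of proc_creation_win_install_reg_debugger_backdoor.yml, `CommandLine|contains|all: '\CurrentVersion\Image File Execution Options\'` keeps the `|all` modifier on what is now a single scalar; `all` only has meaning over a list, and some Sigma tooling treats it as a list-only modifier, so the line should read `CommandLine|contains: '\CurrentVersion\Image File Execution Options\'`, as the rdrleakdiag hunk elsewhere in this commit already does. The same leftover `|all` on a single value appears in proc_creation_win_mal_ryuk.yml (`'stop'`), proc_creation_win_msiexec_execute_dll.yml (`' /y'`), proc_creation_win_susp_regsvr32_anomalies.yml (`'/i:'`) and proc_creation_win_susp_squirrel_lolbin.yml (`'.exe'`). The msiexec hunk also drops the commented-out `#- '.dll'` entry that was the only hint why `|all` was there; with that gone, the modifier should go too. Each rule's `detection` mapping continues outside its hunk.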
--- a/rules/windows/process_creation/proc_creation_win_local_system_owner_account_discovery.yml +++ b/rules/windows/process_creation/proc_creation_win_local_system_owner_account_discovery.yml @@ -28,8 +28,7 @@ detection: - 'dir ' - '\Users\' filter_1: - CommandLine|contains: - - ' rmdir ' # don't match on 'dir' "C:\Windows\System32\cmd.exe" /q /c rmdir /s /q "C:\Users\XX\AppData\Local\Microsoft\OneDrive\19.232.1124.0005" + CommandLine|contains: ' rmdir ' # don't match on 'dir' "C:\Windows\System32\cmd.exe" /q /c rmdir /s /q "C:\Users\XX\AppData\Local\Microsoft\OneDrive\19.232.1124.0005" selection_2: Image|endswith: - '\net.exe' diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_data_exfiltration_by_using_datasvcutil.yml b/rules/windows/process_creation/proc_creation_win_lolbas_data_exfiltration_by_using_datasvcutil.yml index 673b9d38d..9f1eee3d9 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbas_data_exfiltration_by_using_datasvcutil.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbas_data_exfiltration_by_using_datasvcutil.yml @@ -20,8 +20,7 @@ detection: CommandLine|contains|all: - '/in:' - '/out:' - Image|endswith: - - '\DataSvcUtil.exe' + Image|endswith: '\DataSvcUtil.exe' condition: selection fields: - ComputerName diff --git a/rules/windows/process_creation/proc_creation_win_lolbins_suspicious_driver_installed_by_pnputil.yml b/rules/windows/process_creation/proc_creation_win_lolbins_suspicious_driver_installed_by_pnputil.yml index 7e08a32ab..a0b6f4c7d 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbins_suspicious_driver_installed_by_pnputil.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbins_suspicious_driver_installed_by_pnputil.yml @@ -22,8 +22,7 @@ detection: - '-a' - '/add-driver' - '.inf' - Image|endswith: - - '\pnputil.exe' + Image|endswith: '\pnputil.exe' condition: selection fields: - ComputerName 
diff --git a/rules/windows/process_creation/proc_creation_win_mal_hermetic_wiper_activity.yml b/rules/windows/process_creation/proc_creation_win_mal_hermetic_wiper_activity.yml index 053380a11..fe63247ce 100644 --- a/rules/windows/process_creation/proc_creation_win_mal_hermetic_wiper_activity.yml +++ b/rules/windows/process_creation/proc_creation_win_mal_hermetic_wiper_activity.yml @@ -11,10 +11,9 @@ logsource: product: windows detection: selection1: - Image|endswith: - - '\policydefinitions\postgresql.exe' + Image|endswith: '\policydefinitions\postgresql.exe' selection2: - - CommandLine|contains: + - CommandLine|contains: - 'CSIDL_SYSTEM_DRIVE\temp\sys.tmp' - ' 1> \\127.0.0.1\ADMIN$\__16' - CommandLine|contains|all: diff --git a/rules/windows/process_creation/proc_creation_win_mal_ryuk.yml b/rules/windows/process_creation/proc_creation_win_mal_ryuk.yml index ed7b06d2c..94f16fdd8 100644 --- a/rules/windows/process_creation/proc_creation_win_mal_ryuk.yml +++ b/rules/windows/process_creation/proc_creation_win_mal_ryuk.yml @@ -15,8 +15,7 @@ detection: Image|endswith: - '\net.exe' - '\net1.exe' - CommandLine|contains|all: - - 'stop' + CommandLine|contains|all: 'stop' CommandLine|contains: - 'samss' - 'audioendpointbuilder' diff --git a/rules/windows/process_creation/proc_creation_win_malware_formbook.yml b/rules/windows/process_creation/proc_creation_win_malware_formbook.yml index 7984ee402..1d8f28bbe 100644 --- a/rules/windows/process_creation/proc_creation_win_malware_formbook.yml +++ b/rules/windows/process_creation/proc_creation_win_malware_formbook.yml @@ -21,8 +21,7 @@ detection: ParentCommandLine|startswith: - 'C:\Windows\System32\' - 'C:\Windows\SysWOW64\' - ParentCommandLine|endswith: - - '.exe' + ParentCommandLine|endswith: '.exe' selection2: - CommandLine|contains|all: - '/c' 
diff --git a/rules/windows/process_creation/proc_creation_win_malware_trickbot_recon_activity.yml b/rules/windows/process_creation/proc_creation_win_malware_trickbot_recon_activity.yml index ebba96eab..cae16b444 100644 --- a/rules/windows/process_creation/proc_creation_win_malware_trickbot_recon_activity.yml +++ b/rules/windows/process_creation/proc_creation_win_malware_trickbot_recon_activity.yml @@ -13,12 +13,9 @@ logsource: product: windows detection: selection: - ParentImage|endswith: - - '\cmd.exe' - Image|endswith: - - '\nltest.exe' - CommandLine|contains: - - '/domain_trusts /all_trusts' + ParentImage|endswith: '\cmd.exe' + Image|endswith: '\nltest.exe' + CommandLine|contains: '/domain_trusts /all_trusts' condition: selection falsepositives: - Rare System Admin Activity diff --git a/rules/windows/process_creation/proc_creation_win_malware_trickbot_wermgr.yml b/rules/windows/process_creation/proc_creation_win_malware_trickbot_wermgr.yml index 38d6626a5..8dd7d3d8f 100644 --- a/rules/windows/process_creation/proc_creation_win_malware_trickbot_wermgr.yml +++ b/rules/windows/process_creation/proc_creation_win_malware_trickbot_wermgr.yml @@ -13,12 +13,9 @@ logsource: product: windows detection: selection: - Image|endswith: - - '\wermgr.exe' - ParentImage|endswith: - - '\rundll32.exe' - ParentCommandLine|contains: - - 'DllRegisterServer' + Image|endswith: '\wermgr.exe' + ParentImage|endswith: '\rundll32.exe' + ParentCommandLine|contains: 'DllRegisterServer' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_mimikatz_command_line.yml b/rules/windows/process_creation/proc_creation_win_mimikatz_command_line.yml index d8555d7cf..81afa4eff 100644 --- a/rules/windows/process_creation/proc_creation_win_mimikatz_command_line.yml +++ b/rules/windows/process_creation/proc_creation_win_mimikatz_command_line.yml 
@@ -36,8 +36,7 @@ detection: - process - vault mimikatz_separator: - CommandLine|contains: - - '::' + CommandLine|contains: '::' function_names: # To cover functions from modules that are not in module_names (likely too generic) CommandLine|contains: - 'aadcookie' #misc module @@ -52,8 +51,7 @@ detection: - 'mstsc' #ts module - 'multirdp' #ts module filter_1: - CommandLine|contains: - - 'function Convert-GuidToCompressedGuid' + CommandLine|contains: 'function Convert-GuidToCompressedGuid' condition: ( selection_1 or (module_names and mimikatz_separator) or (function_names and mimikatz_separator) ) and not 1 of filter* falsepositives: - Legitimate Administrator using tool for password recovery diff --git a/rules/windows/process_creation/proc_creation_win_msdeploy.yml b/rules/windows/process_creation/proc_creation_win_msdeploy.yml index aa5cec86c..b4a8128e3 100644 --- a/rules/windows/process_creation/proc_creation_win_msdeploy.yml +++ b/rules/windows/process_creation/proc_creation_win_msdeploy.yml @@ -18,8 +18,7 @@ detection: - 'verb:sync' - '-source:RunCommand' - '-dest:runCommand' - Image|endswith: - - '\msdeploy.exe' + Image|endswith: '\msdeploy.exe' condition: selection fields: - ComputerName diff --git a/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml b/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml index 5f6d5acc2..29828e102 100644 --- a/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml +++ b/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml @@ -16,9 +16,7 @@ logsource: detection: selection: Image|endswith: '\msiexec.exe' - CommandLine|contains|all: - - ' /y' - #- '.dll' + CommandLine|contains|all: ' /y' filter_apple: CommandLine|contains: - '\MsiExec.exe" /Y "C:\Program Files\Bonjour\mdnsNSP.dll' 
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_amsi_bypass.yml b/rules/windows/process_creation/proc_creation_win_powershell_amsi_bypass.yml index 2c58a5c20..f030d7aad 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_amsi_bypass.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_amsi_bypass.yml @@ -13,11 +13,9 @@ logsource: product: windows detection: selection1: - CommandLine|contains: - - 'System.Management.Automation.AmsiUtils' + CommandLine|contains: 'System.Management.Automation.AmsiUtils' selection2: - CommandLine|contains: - - 'amsiInitFailed' + CommandLine|contains: 'amsiInitFailed' condition: selection1 and selection2 falsepositives: - Potential Admin Activity diff --git a/rules/windows/process_creation/proc_creation_win_powershell_cmdline_specific_comb_methods.yml b/rules/windows/process_creation/proc_creation_win_powershell_cmdline_specific_comb_methods.yml index 9448e1ec9..953a15d66 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_cmdline_specific_comb_methods.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_cmdline_specific_comb_methods.yml @@ -43,8 +43,7 @@ detection: - 'Xor' selection6: Image|endswith: '\powershell.exe' - CommandLine|contains: - - 'cOnvErTTO-SECUreStRIng' + CommandLine|contains: 'cOnvErTTO-SECUreStRIng' condition: (selection2 and selection3) or selection1 or selection4 or selection5 or selection6 falsepositives: - Unlikely diff --git a/rules/windows/process_creation/proc_creation_win_powershell_dll_execution.yml b/rules/windows/process_creation/proc_creation_win_powershell_dll_execution.yml index befce328c..3f4c07db0 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_dll_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_dll_execution.yml 
@@ -12,11 +12,9 @@ logsource: product: windows detection: selection1: - Image|endswith: - - '\rundll32.exe' + Image|endswith: '\rundll32.exe' selection2: - Description|contains: - - 'Windows-Hostprozess (Rundll32)' + Description|contains: 'Windows-Hostprozess (Rundll32)' selection3: CommandLine|contains: - 'Default.GetString' diff --git a/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml b/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml index 58199e0fa..9d10dbb79 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml @@ -17,8 +17,7 @@ logsource: detection: selection: Image|endswith: '\powershell.exe' - CommandLine|contains: - - 'new-object system.net.sockets.tcpclient' + CommandLine|contains: 'new-object system.net.sockets.tcpclient' condition: selection fields: - CommandLine diff --git a/rules/windows/process_creation/proc_creation_win_powershell_suspicious_parameter_variation.yml b/rules/windows/process_creation/proc_creation_win_powershell_suspicious_parameter_variation.yml index 5eab70d41..f1c2d0234 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_suspicious_parameter_variation.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_suspicious_parameter_variation.yml @@ -12,8 +12,7 @@ logsource: product: windows detection: selection: - Image|endswith: - - '\Powershell.exe' + Image|endswith: '\Powershell.exe' CommandLine|contains: - ' -windowstyle h ' - ' -windowstyl h' diff --git a/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml b/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml index 487acdcbd..fbe446452 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml 
+++ b/rules/windows/process_creation/proc_creation_win_powershell_xor_commandline.yml @@ -21,8 +21,7 @@ detection: - '-join`' - 'char' false_positives: - ParentImage: - - C:\Program Files\Amazon\SSM\ssm-document-worker.exe + ParentImage: C:\Program Files\Amazon\SSM\ssm-document-worker.exe condition: selection and filter and not false_positives falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_proc_dump_rdrleakdiag.yml b/rules/windows/process_creation/proc_creation_win_proc_dump_rdrleakdiag.yml index 8b8145bca..abb3d0378 100644 --- a/rules/windows/process_creation/proc_creation_win_proc_dump_rdrleakdiag.yml +++ b/rules/windows/process_creation/proc_creation_win_proc_dump_rdrleakdiag.yml @@ -6,6 +6,7 @@ references: - https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/ author: Florian Roth date: 2022/01/04 +modified: 2022/05/10 tags: - attack.defense_evasion - attack.t1036 @@ -16,8 +17,7 @@ logsource: detection: selection1: Image|endswith: '\rdrleakdiag.exe' - CommandLine|contains|all: - - '/fullmemdmp' + CommandLine|contains: '/fullmemdmp' selection2: CommandLine|contains|all: - '/fullmemdmp' diff --git a/rules/windows/process_creation/proc_creation_win_reg_enable_rdp.yml b/rules/windows/process_creation/proc_creation_win_reg_enable_rdp.yml index 41a4ad907..7b56642af 100644 --- a/rules/windows/process_creation/proc_creation_win_reg_enable_rdp.yml +++ b/rules/windows/process_creation/proc_creation_win_reg_enable_rdp.yml @@ -3,7 +3,7 @@ id: 0d5675be-bc88-4172-86d3-1e96a4476536 status: experimental description: Detects the execution of reg.exe and subsequent command line arguments for enabling RDP service on the host author: '@Kostastsale, @TheDFIRReport, slightly modified by pH-T' -references: +references: - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/ date: 2022/02/12 modified: 2022/03/15 
@@ -12,8 +12,7 @@ logsource: category: process_creation detection: selection1: - Image|endswith: - - '\reg.exe' + Image|endswith: '\reg.exe' CommandLine|contains|all: - ' add ' - '\SYSTEM\CurrentControlSet\Control\Terminal Server' diff --git a/rules/windows/process_creation/proc_creation_win_renamed_jusched.yml b/rules/windows/process_creation/proc_creation_win_renamed_jusched.yml index 6976b23af..b731b8c88 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_jusched.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_jusched.yml @@ -16,8 +16,7 @@ detection: selection2: Description: Java(TM) Update Scheduler filter: - Image|endswith: - - '\jusched.exe' + Image|endswith: '\jusched.exe' condition: (selection1 or selection2) and not filter falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml b/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml index c73a9ce5d..49b5972b0 100644 --- a/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml +++ b/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml @@ -13,8 +13,7 @@ logsource: product: windows detection: selection1: - Product|contains: - - 'PAExec' + Product|contains: 'PAExec' selection2: - Imphash: - 11D40A7B7876288F919AB819CC2D9802 diff --git a/rules/windows/process_creation/proc_creation_win_script_event_consumer_spawn.yml b/rules/windows/process_creation/proc_creation_win_script_event_consumer_spawn.yml index 120e7670a..a9c63570e 100644 --- a/rules/windows/process_creation/proc_creation_win_script_event_consumer_spawn.yml +++ b/rules/windows/process_creation/proc_creation_win_script_event_consumer_spawn.yml @@ -15,8 +15,7 @@ logsource: product: windows detection: selection: - ParentImage|endswith: - - '\scrcons.exe' + ParentImage|endswith: '\scrcons.exe' Image|endswith: - '\svchost.exe' - '\dllhost.exe' 
diff --git a/rules/windows/process_creation/proc_creation_win_sdbinst_shim_persistence.yml b/rules/windows/process_creation/proc_creation_win_sdbinst_shim_persistence.yml index e1113ee4b..e50a66e49 100644 --- a/rules/windows/process_creation/proc_creation_win_sdbinst_shim_persistence.yml +++ b/rules/windows/process_creation/proc_creation_win_sdbinst_shim_persistence.yml @@ -19,8 +19,7 @@ detection: Image|endswith: '\sdbinst.exe' CommandLine|contains: '.sdb' filter: - CommandLine|contains: - - 'iisexpressshim.sdb' # normal behaviour for IIS Express (e.g. https://www.hybrid-analysis.com/sample/15d4ff941f77f7bdfc9dfb2399b7b952a0a2c860976ef3e835998ff4796e5e91?environmentId=120) + CommandLine|contains: 'iisexpressshim.sdb' # normal behaviour for IIS Express (e.g. https://www.hybrid-analysis.com/sample/15d4ff941f77f7bdfc9dfb2399b7b952a0a2c860976ef3e835998ff4796e5e91?environmentId=120) condition: selection and not filter falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_shadow_copies_deletion.yml b/rules/windows/process_creation/proc_creation_win_shadow_copies_deletion.yml index cadb49794..03710bf57 100644 --- a/rules/windows/process_creation/proc_creation_win_shadow_copies_deletion.yml +++ b/rules/windows/process_creation/proc_creation_win_shadow_copies_deletion.yml @@ -33,8 +33,7 @@ detection: - shadow # will match "delete shadows" and "shadowcopy delete" and "shadowstorage" - delete selection2: - Image|endswith: - - '\wbadmin.exe' + Image|endswith: '\wbadmin.exe' CommandLine|contains|all: - delete - catalog diff --git a/rules/windows/process_creation/proc_creation_win_shell_spawn_by_java.yml b/rules/windows/process_creation/proc_creation_win_shell_spawn_by_java.yml index 13073ec7d..360b6a07f 100644 --- a/rules/windows/process_creation/proc_creation_win_shell_spawn_by_java.yml +++ b/rules/windows/process_creation/proc_creation_win_shell_spawn_by_java.yml 
@@ -15,8 +15,7 @@ logsource: detection: selection: ParentImage|endswith: '\java.exe' - Image|endswith: - - '\cmd.exe' + Image|endswith: '\cmd.exe' filter: ParentImage|contains: 'build' # excluding CI build agents CommandLine|contains: 'build' # excluding CI build agents diff --git a/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_flags.yml b/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_flags.yml index 6cc5e378c..ed6ba646a 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_flags.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_flags.yml @@ -14,8 +14,7 @@ logsource: product: windows detection: selection_special: - CommandLine|contains: - - ' -M pe_inject ' + CommandLine|contains: ' -M pe_inject ' selection_execute: CommandLine|contains|all: - ' --local-auth' diff --git a/rules/windows/process_creation/proc_creation_win_susp_dctask64_proc_inject.yml b/rules/windows/process_creation/proc_creation_win_susp_dctask64_proc_inject.yml index 30deb267c..be735dbd3 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_dctask64_proc_inject.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_dctask64_proc_inject.yml @@ -14,11 +14,9 @@ logsource: product: windows detection: selection: - Image|endswith: - - '\dctask64.exe' + Image|endswith: '\dctask64.exe' filter: - CommandLine|contains: - - 'DesktopCentral_Agent\agent' + CommandLine|contains: 'DesktopCentral_Agent\agent' condition: selection and not filter fields: - CommandLine diff --git a/rules/windows/process_creation/proc_creation_win_susp_disable_eventlog.yml b/rules/windows/process_creation/proc_creation_win_susp_disable_eventlog.yml index 664d3d691..0d6f91371 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_disable_eventlog.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_disable_eventlog.yml 
@@ -17,15 +17,13 @@ logsource: product: windows detection: selection_tools: - CommandLine|contains: - - 'logman ' + CommandLine|contains: 'logman ' selection_action: CommandLine|contains: - 'stop ' - 'delete ' selection_service: - CommandLine|contains: - - EventLog-System + CommandLine|contains: EventLog-System condition: all of selection* falsepositives: - Legitimate deactivation by administrative staff diff --git a/rules/windows/process_creation/proc_creation_win_susp_ditsnap.yml b/rules/windows/process_creation/proc_creation_win_susp_ditsnap.yml index 899c82581..780851390 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_ditsnap.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_ditsnap.yml @@ -13,11 +13,9 @@ logsource: product: windows detection: selection: - Image|endswith: - - '\ditsnap.exe' + Image|endswith: '\ditsnap.exe' selection2: - CommandLine|contains: - - 'ditsnap.exe' + CommandLine|contains: 'ditsnap.exe' condition: selection or selection2 falsepositives: - Legitimate admin usage diff --git a/rules/windows/process_creation/proc_creation_win_susp_emotet_rundll32_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_emotet_rundll32_execution.yml index e36f67c40..548e20722 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_emotet_rundll32_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_emotet_rundll32_execution.yml @@ -16,8 +16,7 @@ logsource: product: windows detection: selection: - Image|endswith: - - '\rundll32.exe' + Image|endswith: '\rundll32.exe' CommandLine|endswith: - ',RunDLL' - ',Control_RunDLL' 
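Review bot: `CommandLine|contains: EventLog-System` in the `selection_service` block is left as an unquoted plain scalar while the neighbouring `selection_tools` value `'logman '` is quoted; the rest of this commit consistently single-quotes match values, so `CommandLine|contains: 'EventLog-System'` keeps the style uniform and protects the value if a YAML-special character is ever added to it. The same unquoted form survives in proc_creation_win_susp_explorer.yml (`\explorer.exe`, `\cmd.exe`, `explorer.exe`), proc_creation_win_susp_findstr.yml (`findstr`), proc_creation_win_susp_print.yml (`\print.exe`, `print`, `/D`, `.exe`, `print.exe`) and proc_creation_win_susp_rasdial_activity.yml (`rasdial.exe`). Since those lines are being rewritten anyway, quoting them now avoids touching the rules a second time later. Each rule's `detection` mapping continues outside its hunk.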
@@ -28,8 +27,7 @@ detection: - '.dll",Control_RunDLL' - '.dll'',Control_RunDLL' filter_ide: - ParentImage|endswith: - - '\tracker.exe' #When Visual Studio compile NodeJS program, it might use MSBuild to create tracker.exe and then, the tracker.exe fork rundll32.exe + ParentImage|endswith: '\tracker.exe' #When Visual Studio compile NodeJS program, it might use MSBuild to create tracker.exe and then, the tracker.exe fork rundll32.exe condition: selection and not filter_ide and not filter_legitimate_dll falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_susp_execution_path_webserver.yml b/rules/windows/process_creation/proc_creation_win_susp_execution_path_webserver.yml index 8f63d9810..90ec98835 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_execution_path_webserver.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_execution_path_webserver.yml @@ -19,8 +19,7 @@ detection: - 'bin\' - '\Tools\' - '\SMSComponent\' - ParentImage|endswith: - - '\services.exe' + ParentImage|endswith: '\services.exe' condition: selection and not filter fields: - CommandLine diff --git a/rules/windows/process_creation/proc_creation_win_susp_explorer.yml b/rules/windows/process_creation/proc_creation_win_susp_explorer.yml index 8b8c71f02..08a99c7ea 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_explorer.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_explorer.yml @@ -12,12 +12,9 @@ logsource: product: windows detection: selection: - Image|endswith: - - \explorer.exe - ParentImage|endswith: - - \cmd.exe - CommandLine|contains: - - explorer.exe + Image|endswith: \explorer.exe + ParentImage|endswith: \cmd.exe + CommandLine|contains: explorer.exe condition: selection falsepositives: - Legitimate explorer.exe run from cmd.exe 
diff --git a/rules/windows/process_creation/proc_creation_win_susp_findstr.yml b/rules/windows/process_creation/proc_creation_win_susp_findstr.yml index 204e9b0e0..d8294d91a 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_findstr.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_findstr.yml @@ -14,8 +14,7 @@ logsource: product: windows detection: selectionFindstr: - CommandLine|contains: - - findstr + CommandLine|contains: findstr selection_V_L: CommandLine|contains|all: - /V diff --git a/rules/windows/process_creation/proc_creation_win_susp_ngrok_pua.yml b/rules/windows/process_creation/proc_creation_win_susp_ngrok_pua.yml index 0c38d37eb..24b1dfcf3 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_ngrok_pua.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_ngrok_pua.yml @@ -32,8 +32,7 @@ detection: - '--config' - '.yml' selection3: - Image|endswith: - - 'ngrok.exe' + Image|endswith: 'ngrok.exe' CommandLine|contains: - ' tcp ' - ' http ' diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_enc_cmd.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_enc_cmd.yml index 025f56012..3ecfbf9b9 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_powershell_enc_cmd.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_enc_cmd.yml @@ -34,8 +34,7 @@ detection: - ' UwB' - ' cwB' selection5: - CommandLine|contains: - - '.exe -ENCOD ' + CommandLine|contains: '.exe -ENCOD ' falsepositive1: CommandLine|contains|all: - ' -ExecutionPolicy' diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_encode.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_encode.yml index 511113af3..781fbe875 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_powershell_encode.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_encode.yml 
@@ -1,7 +1,7 @@ -title: Suspicious Execution of Powershell with Base64 +title: Suspicious Execution of Powershell with Base64 id: fb843269-508c-4b76-8b8d-88679db22ce7 status: experimental -description: Commandline to lauch powershell with a base64 payload +description: Commandline to lauch powershell with a base64 payload author: frack113 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md#atomic-test-20---powershell-invoke-known-malicious-cmdlets @@ -22,8 +22,7 @@ detection: - ' -enco' - ' -ec ' filter: - CommandLine|contains: - - ' -Encoding ' + CommandLine|contains: ' -Encoding ' condition: selection and not filter falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_getprocess_lsass.yml b/rules/windows/process_creation/proc_creation_win_susp_powershell_getprocess_lsass.yml index bffd87a36..623460262 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_powershell_getprocess_lsass.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_powershell_getprocess_lsass.yml @@ -14,9 +14,8 @@ logsource: product: windows detection: selection: - CommandLine|contains: - - 'Get-Process lsass' + CommandLine|contains: 'Get-Process lsass' condition: selection -falsepositives: +falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_susp_print.yml b/rules/windows/process_creation/proc_creation_win_susp_print.yml index 85f863d3c..6bfa9327e 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_print.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_print.yml 
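Review bot: The `description` line of proc_creation_win_susp_powershell_encode.yml is rewritten only to strip trailing whitespace and still carries the typo `lauch`; since the line is already part of the diff, make it `description: Commandline to launch powershell with a base64 payload`. The `title` line just above is touched for the same whitespace reason and is otherwise fine.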
@@ -13,19 +13,14 @@ logsource: product: windows detection: selection1: - Image|endswith: - - \print.exe - CommandLine|startswith: - - print + Image|endswith: \print.exe + CommandLine|startswith: print selection2: - CommandLine|contains: - - /D + CommandLine|contains: /D exeCondition: - CommandLine|contains: - - .exe + CommandLine|contains: .exe cmdExclude: - CommandLine|contains: - - print.exe + CommandLine|contains: print.exe condition: selection1 and selection2 and exeCondition and not cmdExclude falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_susp_rar_flags.yml b/rules/windows/process_creation/proc_creation_win_susp_rar_flags.yml index 4c9a56dc6..28e8f04fa 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_rar_flags.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_rar_flags.yml @@ -17,8 +17,7 @@ logsource: product: windows detection: selection_password: - CommandLine|contains: - - ' -hp' + CommandLine|contains: ' -hp' selection_other: CommandLine|contains: - ' -m' diff --git a/rules/windows/process_creation/proc_creation_win_susp_rasdial_activity.yml b/rules/windows/process_creation/proc_creation_win_susp_rasdial_activity.yml index bf1f81614..0be3e83c4 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_rasdial_activity.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_rasdial_activity.yml @@ -12,8 +12,7 @@ logsource: product: windows detection: selection: - Image|endswith: - - rasdial.exe + Image|endswith: rasdial.exe condition: selection falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment diff --git a/rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml b/rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml index 41133d360..dbd7fd1fe 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml 
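Review bot: In proc_creation_win_susp_rasdial_activity.yml the rewritten selection is `Image|endswith: rasdial.exe`, which has no path separator and therefore also matches any image name that merely ends in those characters; unless the wider match is intended, `Image|endswith: '\rasdial.exe'` is the form every other `Image|endswith` value in this commit uses. This behaviour is inherited from the removed list entry rather than introduced here, so it is a follow-up rather than a blocker for the formatting change. The rule's `detection` mapping continues outside the hunk.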
+++ b/rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml @@ -10,7 +10,7 @@ references: - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/ tags: - attack.defense_evasion - - attack.t1218.010 + - attack.t1218.010 - car.2019-04-002 - car.2019-04-003 logsource: @@ -28,8 +28,7 @@ detection: ParentImage|endswith: '\cmd.exe' selection4: Image|endswith: '\regsvr32.exe' - CommandLine|contains|all: - - '/i:' + CommandLine|contains|all: '/i:' CommandLine|contains: - 'http' - 'ftp' @@ -45,7 +44,7 @@ detection: Image|endswith: '\regsvr32.exe' selection8: Image|endswith: '\regsvr32.exe' - CommandLine|contains: + CommandLine|contains: - '\AppData\Local' - 'C:\Users\Public' condition: 1 of selection* diff --git a/rules/windows/process_creation/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml b/rules/windows/process_creation/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml index 3c704f06d..dfef79f64 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml @@ -18,8 +18,7 @@ detection: - 'javascript' - '..\..\mshtml,RunHTMLApplication' selection2: - CommandLine|contains: - - ';document.write();GetObject("script' + CommandLine|contains: ';document.write();GetObject("script' condition: 1 of selection* falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_susp_rundll32_spawn_explorer.yml b/rules/windows/process_creation/proc_creation_win_susp_rundll32_spawn_explorer.yml index 1141e5ed2..aabc317a5 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_rundll32_spawn_explorer.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_rundll32_spawn_explorer.yml 
@@ -14,10 +14,8 @@ logsource: product: windows detection: selection: - ParentImage|endswith: - - '\rundll32.exe' - Image|endswith: - - '\explorer.exe' + ParentImage|endswith: '\rundll32.exe' + Image|endswith: '\explorer.exe' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_susp_runonce_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_runonce_execution.yml index 119acb1a7..9602b809b 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_runonce_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_runonce_execution.yml @@ -13,14 +13,11 @@ logsource: category: process_creation detection: process_name: - Image|endswith: - - '\runonce.exe' + Image|endswith: '\runonce.exe' process_description: - Description: - - 'Run Once Wrapper' + Description: 'Run Once Wrapper' command_line: - CommandLine|contains: - - ' /AlternateShellStartup' + CommandLine|contains: ' /AlternateShellStartup' condition: (process_name or process_description) and command_line falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_susp_screensaver_reg.yml b/rules/windows/process_creation/proc_creation_win_susp_screensaver_reg.yml index 5d49d1c87..74b4f0871 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_screensaver_reg.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_screensaver_reg.yml 
@@ -21,19 +21,19 @@ detection: CommandLine|contains: - 'HKEY_CURRENT_USER\Control Panel\Desktop' - 'HKCU\Control Panel\Desktop' - selection_option_1: # /force Active ScreenSaveActive + selection_option_1: # /force Active ScreenSaveActive CommandLine|contains|all: - '/v ScreenSaveActive' - '/t REG_SZ' - '/d 1' - '/f' - selection_option_2: # /force set ScreenSaveTimeout + selection_option_2: # /force set ScreenSaveTimeout CommandLine|contains|all: - '/v ScreenSaveTimeout' - '/t REG_SZ' - '/d ' - '/f' - selection_option_3: # /force set ScreenSaverIsSecure + selection_option_3: # /force set ScreenSaverIsSecure CommandLine|contains|all: - '/v ScreenSaverIsSecure' - '/t REG_SZ' @@ -48,5 +48,5 @@ detection: - '/f' condition: selection_reg and 1 of selection_option_* falsepositives: - - GPO + - GPO level: medium \ No newline at end of file diff --git a/rules/windows/process_creation/proc_creation_win_susp_service_dacl_modification.yml b/rules/windows/process_creation/proc_creation_win_susp_service_dacl_modification.yml index 0943f410e..c52d6fce2 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_service_dacl_modification.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_service_dacl_modification.yml @@ -13,8 +13,7 @@ logsource: product: windows detection: selection: - Image|endswith: - - '\sc.exe' + Image|endswith: '\sc.exe' CommandLine|contains|all: - 'sdset' - 'D;;' diff --git a/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml b/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml index 659f33375..050db47f5 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml @@ -22,8 +22,7 @@ detection: - '--processStart' - '--processStartAndWait' - '--createShortcut' - CommandLine|contains|all: - - '.exe' + CommandLine|contains|all: '.exe' filter1: CommandLine|contains|all: - 'C:\Users\' 
diff --git a/rules/windows/process_creation/proc_creation_win_susp_sysprep_appdata.yml b/rules/windows/process_creation/proc_creation_win_susp_sysprep_appdata.yml index 7ae1b13a7..f89eb5b11 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_sysprep_appdata.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_sysprep_appdata.yml @@ -13,10 +13,8 @@ logsource: product: windows detection: selection: - Image|endswith: - - '\sysprep.exe' - CommandLine|contains: - - '\AppData\' + Image|endswith: '\sysprep.exe' + CommandLine|contains: '\AppData\' condition: selection falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment diff --git a/rules/windows/process_creation/proc_creation_win_susp_tracker_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_tracker_execution.yml index 4f44f47df..c904134ce 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_tracker_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_tracker_execution.yml @@ -12,17 +12,13 @@ logsource: product: windows detection: process_name: - Image|endswith: - - '\tracker.exe' + Image|endswith: '\tracker.exe' process_description: - Description: - - 'Tracker' + Description: 'Tracker' commandline_param1: - CommandLine|contains: - - ' /d ' + CommandLine|contains: ' /d ' commandline_param2: - CommandLine|contains: - - ' /c ' + CommandLine|contains: ' /c ' condition: (process_name or process_description) and commandline_param1 and commandline_param2 falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_susp_vbscript_unc2452.yml b/rules/windows/process_creation/proc_creation_win_susp_vbscript_unc2452.yml index f440ffb2a..cc1721cc0 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_vbscript_unc2452.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_vbscript_unc2452.yml 
@@ -11,15 +11,14 @@ logsource: product: windows detection: selection: - CommandLine|contains|all: + CommandLine|contains|all: - 'Execute' - 'CreateObject' - 'RegRead' - 'window.close' - '\Microsoft\Windows\CurrentVersion' filter: - CommandLine|contains: - - '\Software\Microsoft\Windows\CurrentVersion\Run' + CommandLine|contains: '\Software\Microsoft\Windows\CurrentVersion\Run' condition: selection and not filter falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_susp_winzip.yml b/rules/windows/process_creation/proc_creation_win_susp_winzip.yml index 28b69faf7..44f4b16b8 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_winzip.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_winzip.yml @@ -19,8 +19,7 @@ detection: - 'winzip.exe' - 'winzip64.exe' selection_password: - CommandLine|contains: - - '-s"' + CommandLine|contains: '-s"' selection_other: CommandLine|contains: - ' -min ' diff --git a/rules/windows/process_creation/proc_creation_win_susp_wsl_lolbin.yml b/rules/windows/process_creation/proc_creation_win_susp_wsl_lolbin.yml index f69ca2899..ca60aca3d 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_wsl_lolbin.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_wsl_lolbin.yml @@ -12,8 +12,7 @@ logsource: product: windows detection: selection: - Image|endswith: - - '\wsl.exe' + Image|endswith: '\wsl.exe' CommandLine|contains: - ' -e ' - ' --exec ' diff --git a/rules/windows/process_creation/proc_creation_win_susp_wuauclt.yml b/rules/windows/process_creation/proc_creation_win_susp_wuauclt.yml index ada2fa1e8..47969d52a 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_wuauclt.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_wuauclt.yml 
@@ -21,8 +21,7 @@ detection: - '/UpdateDeploymentProvider' - '/RunHandlerComServer' - '.dll' - Image|endswith: - - '\wuauclt.exe' + Image|endswith: '\wuauclt.exe' filter: CommandLine|contains: - ' /ClassId ' diff --git a/rules/windows/process_creation/proc_creation_win_wmi_spwns_powershell.yml b/rules/windows/process_creation/proc_creation_win_wmi_spwns_powershell.yml index 90b422eab..b82d40c70 100644 --- a/rules/windows/process_creation/proc_creation_win_wmi_spwns_powershell.yml +++ b/rules/windows/process_creation/proc_creation_win_wmi_spwns_powershell.yml @@ -13,10 +13,8 @@ logsource: product: windows detection: selection: - ParentImage|endswith: - - '\wmiprvse.exe' - Image|endswith: - - '\powershell.exe' + ParentImage|endswith: '\wmiprvse.exe' + Image|endswith: '\powershell.exe' filter_null1: CommandLine: 'null' filter_null2: # some backends need the null value in a separate expression diff --git a/rules/windows/process_creation/proc_creation_win_wsreset_uac_bypass.yml b/rules/windows/process_creation/proc_creation_win_wsreset_uac_bypass.yml index 612ecd044..2cf0a1ed6 100644 --- a/rules/windows/process_creation/proc_creation_win_wsreset_uac_bypass.yml +++ b/rules/windows/process_creation/proc_creation_win_wsreset_uac_bypass.yml @@ -14,8 +14,7 @@ logsource: product: windows detection: selection: - ParentImage|endswith: - - '\WSreset.exe' + ParentImage|endswith: '\WSreset.exe' condition: selection fields: - CommandLine diff --git a/rules/windows/registry/registry_event/registry_event_apt_oceanlotus_registry.yml b/rules/windows/registry/registry_event/registry_event_apt_oceanlotus_registry.yml index cd6eefdbf..49c0ad34f 100755 --- a/rules/windows/registry/registry_event/registry_event_apt_oceanlotus_registry.yml +++ b/rules/windows/registry/registry_event/registry_event_apt_oceanlotus_registry.yml 
@@ -15,7 +15,7 @@ logsource: category: registry_event product: windows detection: - ioc_1: + ioc_1: TargetObject: 'HKCU\SOFTWARE\Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model' ioc_2: TargetObject|startswith: @@ -29,8 +29,7 @@ detection: - Application - DefaultIcon selection2: - TargetObject|startswith: - - 'HKCU\' + TargetObject|startswith: 'HKCU\' TargetObject|contains: # HKCU\SOFTWARE\Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\ - 'Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\' diff --git a/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml b/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml index 08c3f7ea2..39233ad58 100644 --- a/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml +++ b/rules/windows/registry/registry_event/registry_event_bypass_via_wsreset.yml @@ -13,8 +13,7 @@ logsource: product: windows detection: selection: - TargetObject|endswith: - - '\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command' + TargetObject|endswith: '\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command' condition: selection fields: - ComputerName diff --git a/rules/windows/registry/registry_event/registry_event_runkey_winekey.yml b/rules/windows/registry/registry_event/registry_event_runkey_winekey.yml index 38219ed86..1e891ab5f 100644 --- a/rules/windows/registry/registry_event/registry_event_runkey_winekey.yml +++ b/rules/windows/registry/registry_event/registry_event_runkey_winekey.yml @@ -12,8 +12,7 @@ logsource: product: windows detection: selection: - TargetObject|endswith: - - 'Software\Microsoft\Windows\CurrentVersion\Run\Backup Mgr' + TargetObject|endswith: 'Software\Microsoft\Windows\CurrentVersion\Run\Backup Mgr' condition: selection fields: - ComputerName diff --git a/rules/windows/registry/registry_set/registry_set_disable_fonction_user.yml b/rules/windows/registry/registry_set/registry_set_disable_fonction_user.yml index 7e420359c..e809c72bc 100644 
--- a/rules/windows/registry/registry_set/registry_set_disable_fonction_user.yml +++ b/rules/windows/registry/registry_set/registry_set_disable_fonction_user.yml @@ -24,8 +24,7 @@ detection: Details: 'DWORD (0x00000001)' selection_set_0: EventType: SetValue - TargetObject|endswith: - - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon' + TargetObject|endswith: 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\shutdownwithoutlogon' Details: 'DWORD (0x00000000)' condition: 1 of selection_set_* falsepositives: diff --git a/rules/windows/registry/registry_set/registry_set_globalflags_persistence.yml b/rules/windows/registry/registry_set/registry_set_globalflags_persistence.yml index 0134365bc..c86fbee0c 100755 --- a/rules/windows/registry/registry_set/registry_set_globalflags_persistence.yml +++ b/rules/windows/registry/registry_set/registry_set_globalflags_persistence.yml @@ -12,8 +12,7 @@ logsource: product: windows detection: selection_reg1: - TargetObject|contains: - - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion' + TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion' selection_reg2: - TargetObject|contains|all: - '\Image File Execution Options\' diff --git a/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml b/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml index aad55f31b..6189ac57e 100644 --- a/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml +++ b/rules/windows/registry/registry_set/registry_set_persistence_search_order.yml @@ -48,8 +48,7 @@ detection: - 'C:\Program Files\Windows Defender\' Image|endswith: '\MsMpEng.exe' filter_nvidia: - Details|contains: - - '\FileRepository\nvmdi.inf' + Details|contains: '\FileRepository\nvmdi.inf' filter_edge: Image|endswith: '\MicrosoftEdgeUpdateComRegisterShell64.exe' filter_dx: 
diff --git a/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml b/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml index dcd941a43..b1eb7f852 100755 --- a/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml +++ b/rules/windows/registry/registry_set/registry_set_susp_service_installed.yml @@ -23,8 +23,7 @@ detection: - '\procmon64.exe' - '\procmon.exe' selection_3: - Details|contains: - - '\WINDOWS\system32\Drivers\PROCEXP152.SYS' + Details|contains: '\WINDOWS\system32\Drivers\PROCEXP152.SYS' condition: selection_1 and not selection_2 and not selection_3 falsepositives: - Other legimate tools using this service names and drivers. Note - clever attackers may easily bypass this detection by just renaming the services. Therefore just Medium-level and don't rely on it. diff --git a/tests/test_rules.py b/tests/test_rules.py index e5abc79d0..de5a2ff24 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py 
@@ -732,23 +732,22 @@ class TestRules(unittest.TestCase):
 def test_selection_list_one_value(self):
 faulty_rules = []
 for file in self.yield_next_rule_file_path(self.path_to_rules):
- detection = self.get_rule_part(file_path=file, part_name="detection")
- if detection:
- valid = True
- for key in detection:
- if isinstance(detection[key],list):
- if len(detection[key]) == 1 and not isinstance(detection[key][0],str): #rule with only list of Keywords term
+ detection = self.get_rule_part(file_path=file, part_name="detection")
+ if detection:
+ valid = True
+ for key in detection:
+ if isinstance(detection[key],list):
+ if len(detection[key]) == 1 and not isinstance(detection[key][0],str): #rule with only list of Keywords term
 print(Fore.RED + "Rule {} has the selection ({}) with a list of only 1 element in detection".format(file, key))
 valid = False
- #deactivate because more than 170 rules have to be corrected
- # if isinstance(detection[key],dict):
- # for sub_key in detection[key]:
- # if isinstance(detection[key][sub_key],list): #split in 2 if as get a error "int has not len()"
- # if len(detection[key][sub_key]) == 1:
- # print (Fore.RED + "Rule {} has the selection ({}/{}) with a list of only 1 value in detection".format(file, key, sub_key))
- # #valid = False
- if not valid:
- faulty_rules.append(file)
+ if isinstance(detection[key],dict):
+ for sub_key in detection[key]:
+ if isinstance(detection[key][sub_key],list): #split in 2 if as get a error "int has not len()"
+ if len(detection[key][sub_key]) == 1:
+ print (Fore.RED + "Rule {} has the selection ({}/{}) with a list of only 1 value in detection".format(file, key, sub_key))
+ valid = False
+ if not valid:
+ faulty_rules.append(file)
 self.assertEqual(faulty_rules, [], Fore.RED + "There are rules using list with only 1 element")
From d072472b25d7cbd1e8913fcd15e9fc62ca46ea13 Mon Sep 17 00:00:00 2001
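Review bot: The re-enabled dict branch nests two `if` statements where one condition would do, and the inline comment that justifies the split (`#split in 2 if as get a error "int has not len()"`) is hard to parse; `and` short-circuits, so `if isinstance(detection[key][sub_key], list) and len(detection[key][sub_key]) == 1:` never calls len() on a non-list and the comment can be dropped. The list branch still flags a one-element list only when that element is not a string, while the dict branch flags any one-element list regardless of type; if that asymmetry is deliberate, a short comment on the `isinstance(detection[key][0],str)` check saying so would save the next reader from "fixing" it. The method's trailing lines fall outside the hunk.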
From: Tim Shelton
Date: Tue, 10 May 2022 21:29:05 +0000
Subject: [PATCH 32/54] filtering out dnsZoneScope

---
 .../builtin/security/win_account_backdoor_dcsync_rights.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/rules/windows/builtin/security/win_account_backdoor_dcsync_rights.yml b/rules/windows/builtin/security/win_account_backdoor_dcsync_rights.yml
index 4fb27b2df..9218d3288 100644
--- a/rules/windows/builtin/security/win_account_backdoor_dcsync_rights.yml
+++ b/rules/windows/builtin/security/win_account_backdoor_dcsync_rights.yml
@@ -4,7 +4,7 @@ description: backdooring domain object to grant the rights associated with DCSyn
 Extended Right cmdlet, will allow to re-obtain the pwd hashes of any user/computer
 status: experimental
 date: 2019/04/03
-modified: 2022/05/05
+modified: 2022/05/10
 author: Samir Bousseaden; Roberto Rodriguez @Cyb3rWard0g; oscd.community; Tim Shelton
 references:
 - https://twitter.com/menasec1/status/1111556090137903104
@@ -24,7 +24,9 @@ detection:
 - '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
 - '89e95b76-444d-4c62-991a-0facbeda640c'
 filter1:
- ObjectType: 'dnsNode'
+ ObjectType:
+ - 'dnsNode'
+ - 'dnsZoneScope'
 condition: selection and not 1 of filter*
 falsepositives:
 - New Domain Controller computer account, check user SIDs within the value attribute of event 5136 and verify if it's a regular user or DC computer account.
From b68e491055386c40b2c5a43b4c218a43ce788efd Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Tue, 10 May 2022 22:18:58 +0000
Subject: [PATCH 33/54] updating ipv4 private ranges

---
 rules/network/zeek/zeek_rdp_public_listener.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/network/zeek/zeek_rdp_public_listener.yml b/rules/network/zeek/zeek_rdp_public_listener.yml
index be1c81ef9..44b252cfe 100644
--- a/rules/network/zeek/zeek_rdp_public_listener.yml
+++ b/rules/network/zeek/zeek_rdp_public_listener.yml
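Review bot: The widened `filter1` now drops every event on `dnsNode` and `dnsZoneScope` objects before the replication GUIDs in `selection` are considered, and nothing in the rule records why; the only rationale is the commit subject "filtering out dnsZoneScope". A comment on the filter would keep that knowledge with the rule, e.g. `filter1: # DNS objects: ACL writes here are routine DNS maintenance, not a replication-right grant on the domain object`, adjusted to whatever the telemetry actually showed. Since the exclusion is keyed on object type alone rather than on which right was granted, it is also worth a line in `falsepositives`/description stating that DNS-object ACL changes are intentionally out of scope, so a later reader does not treat the gap as an oversight.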
@@ -35,8 +35,8 @@ detection:
 - '172.31.'
 selection2:
 id.orig_h|re:
- - '^fe[c-f][0-9a-f]\:' # deprecated (RFC 3879)
- - '^f[c-d][0-9a-f]\:' # current (RFC 1918)
+ - '^fd'
+ - '^2620:83:800f'
 #approved_rdp:
 #dst_ip:
 #- x.x.x.x
From af32096ead21b5549cfc4a807e5acc05941e0e72 Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Tue, 10 May 2022 22:19:51 +0000
Subject: [PATCH 34/54] moving to startswith

---
 rules/network/zeek/zeek_rdp_public_listener.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/network/zeek/zeek_rdp_public_listener.yml b/rules/network/zeek/zeek_rdp_public_listener.yml
index 44b252cfe..c4727a0c9 100644
--- a/rules/network/zeek/zeek_rdp_public_listener.yml
+++ b/rules/network/zeek/zeek_rdp_public_listener.yml
@@ -34,7 +34,7 @@ detection:
 - '172.30.'
 - '172.31.'
 selection2:
- id.orig_h|re:
+ id.orig_h|startswith:
 - '^fd'
 - '^2620:83:800f'
 #approved_rdp:
From 6f92a11c0200645d6187d1b4251dc16b84c99164 Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Wed, 11 May 2022 11:06:09 +0200
Subject: [PATCH 35/54] chore: test rules: check for all modifier with single item

---
 .../posh_pm_clear_powershell_history.yml | 7 ++++---
 .../posh_ps_clear_powershell_history.yml | 7 ++++---
 .../proc_creation_win_apt_winnti_pipemon.yml | 7 ++++---
 ...reation_win_install_reg_debugger_backdoor.yml | 7 ++++---
 .../proc_creation_win_mal_ryuk.yml | 7 ++++---
 .../proc_creation_win_msiexec_execute_dll.yml | 2 +-
 ...proc_creation_win_susp_regsvr32_anomalies.yml | 11 ++++++++---
 .../proc_creation_win_susp_squirrel_lolbin.yml | 7 ++++---
 tests/test_rules.py | 16 ++++++++++++++++
 9 files changed, 49 insertions(+), 22 deletions(-)

diff --git a/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml b/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml
index 6f1b38273..0d36117af 100644
--- a/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml
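Review bot: `'^fd'` only covers fd00::/8, whereas the removed `'^f[c-d][0-9a-f]\:'` pattern also covered fc00::/8; RFC 4193 reserves the whole fc00::/7 as unique-local, so if the intent is "all ULA" the second half should stay, e.g. `- '^f[c-d]'` here (and `'fc'` plus `'fd'` once the next hunk switches to `startswith`). `'2620:83:800f'` looks like a specific organisation's global allocation rather than a private range and does not belong in a shared rule; the commented `approved_rdp` block directly below is where a site-specific prefix should live. Both values are carried forward unchanged by the `startswith` hunk in this same line and by the two hunks on L119, so the same point applies there.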
+++ b/rules/windows/powershell/powershell_module/posh_pm_clear_powershell_history.yml @@ -18,12 +18,13 @@ logsource: category: ps_module definition: PowerShell Module Logging must be enabled detection: - selection_payload_1: + selection_1a_payload: Payload|contains: - 'del' - 'Remove-Item' - 'rm' - Payload|contains|all: '(Get-PSReadlineOption).HistorySavePath' + selection_1b_payload: + Payload|contains: '(Get-PSReadlineOption).HistorySavePath' selection_payload_2: Payload|contains|all: - 'Set-PSReadlineOption' @@ -34,7 +35,7 @@ detection: - 'Set-PSReadlineOption' - '-HistorySaveStyle' - 'SaveNothing' - condition: 1 of selection_* + condition: 1 of selection_payload_* or all of selection_1* falsepositives: - Legitimate PowerShell scripts level: medium diff --git a/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml b/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml index ec727f8b5..d9b2bdb47 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_clear_powershell_history.yml @@ -15,12 +15,13 @@ logsource: category: ps_script definition: Script block logging must be enabled detection: - selection_1: + selection1a: ScriptBlockText|contains: - 'del' - 'Remove-Item' - 'rm' - ScriptBlockText|contains|all: '(Get-PSReadlineOption).HistorySavePath' + selection1b: + ScriptBlockText|contains: '(Get-PSReadlineOption).HistorySavePath' selection_2: ScriptBlockText|contains|all: - 'Set-PSReadlineOption' @@ -31,7 +32,7 @@ detection: - 'Set-PSReadlineOption' - '-HistorySaveStyle' - 'SaveNothing' - condition: 1 of selection_* + condition: 1 of selection_* or all of selection1* falsepositives: - Legitimate PowerShell scripts level: medium diff --git a/rules/windows/process_creation/proc_creation_win_apt_winnti_pipemon.yml b/rules/windows/process_creation/proc_creation_win_apt_winnti_pipemon.yml index ec4d3aefb..23c50fe2f 100644 
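Review bot: The new condition `1 of selection_payload_* or all of selection_1*` is correct only because `selection_1a_payload`/`selection_1b_payload` happen not to match the `selection_payload_*` glob; renaming them to the file's own convention (`selection_payload_1a`) would silently make the rule fire on a lone `del`/`rm`. Giving the paired selections a prefix that cannot collide makes the intent explicit, e.g. `selection_pair_a:`/`selection_pair_b:` with `condition: 1 of selection_payload_* or all of selection_pair_*`. The posh_ps hunk below has the same fragility (`selection1a`/`selection1b` against `1 of selection_*`), and the two sibling rules now spell the same structure two different ways.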
--- a/rules/windows/process_creation/proc_creation_win_apt_winnti_pipemon.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_winnti_pipemon.yml @@ -13,13 +13,14 @@ logsource: detection: selection1: CommandLine|contains: 'setup0.exe -p' - selection2: - CommandLine|contains|all: 'setup.exe' + selection2a: + CommandLine|contains: 'setup.exe' + selection2b: CommandLine|endswith: - '-x:0' - '-x:1' - '-x:2' - condition: 1 of selection* + condition: selection1 or all of selection2* falsepositives: - Legitimate setups that use similar flags level: critical diff --git a/rules/windows/process_creation/proc_creation_win_install_reg_debugger_backdoor.yml b/rules/windows/process_creation/proc_creation_win_install_reg_debugger_backdoor.yml index 3e1c63bf0..af0f12009 100644 --- a/rules/windows/process_creation/proc_creation_win_install_reg_debugger_backdoor.yml +++ b/rules/windows/process_creation/proc_creation_win_install_reg_debugger_backdoor.yml @@ -11,8 +11,9 @@ logsource: category: process_creation product: windows detection: - selection: - CommandLine|contains|all: '\CurrentVersion\Image File Execution Options\' + selection1: + CommandLine|contains: '\CurrentVersion\Image File Execution Options\' + selection2: CommandLine|contains: - 'sethc.exe' - 'utilman.exe' @@ -21,7 +22,7 @@ detection: - 'narrator.exe' - 'displayswitch.exe' - 'atbroker.exe' - condition: selection + condition: all of selection* falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_mal_ryuk.yml b/rules/windows/process_creation/proc_creation_win_mal_ryuk.yml index 94f16fdd8..c6991a184 100644 --- a/rules/windows/process_creation/proc_creation_win_mal_ryuk.yml +++ b/rules/windows/process_creation/proc_creation_win_mal_ryuk.yml 
@@ -11,16 +11,17 @@ logsource: category: process_creation product: windows detection: - selection: + selection1: Image|endswith: - '\net.exe' - '\net1.exe' - CommandLine|contains|all: 'stop' + CommandLine|contains: 'stop' + selection2: CommandLine|contains: - 'samss' - 'audioendpointbuilder' - 'unistoresvc_?????' - condition: selection + condition: all of selection* falsepositives: - Unlikely level: critical diff --git a/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml b/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml index 29828e102..e7f778b71 100644 --- a/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml +++ b/rules/windows/process_creation/proc_creation_win_msiexec_execute_dll.yml @@ -16,7 +16,7 @@ logsource: detection: selection: Image|endswith: '\msiexec.exe' - CommandLine|contains|all: ' /y' + CommandLine|contains: ' /y' filter_apple: CommandLine|contains: - '\MsiExec.exe" /Y "C:\Program Files\Bonjour\mdnsNSP.dll' diff --git a/rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml b/rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml index dbd7fd1fe..82c0c02b9 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml @@ -26,11 +26,16 @@ detection: selection3: Image|endswith: '\regsvr32.exe' ParentImage|endswith: '\cmd.exe' - selection4: + selection4a: Image|endswith: '\regsvr32.exe' - CommandLine|contains|all: '/i:' - CommandLine|contains: + CommandLine|contains|all: + - '/i:' - 'http' + CommandLine|endswith: 'scrobj.dll' + selection4b: + Image|endswith: '\regsvr32.exe' + CommandLine|contains|all: + - '/i:' - 'ftp' CommandLine|endswith: 'scrobj.dll' selection5: 
diff --git a/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml b/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml index 050db47f5..797350510 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_squirrel_lolbin.yml @@ -16,19 +16,20 @@ logsource: category: process_creation product: windows detection: - selection: + selection1: Image|endswith: '\update.exe' # Check if folder Name matches executed binary \\(?P[^\\]*)\\Update.*Start.{2}(?P\1)\.exe (example: https://regex101.com/r/SGSQGz/2) + CommandLine|contains: '.exe' + selection2: CommandLine|contains: - '--processStart' - '--processStartAndWait' - '--createShortcut' - CommandLine|contains|all: '.exe' filter1: CommandLine|contains|all: - 'C:\Users\' - '\AppData\Local\Discord\Update.exe' - ' --processStart Discord.exe' - condition: selection and not 1 of filter* + condition: all of selection* and not 1 of filter* falsepositives: - 1Clipboard - Beaker Browser diff --git a/tests/test_rules.py b/tests/test_rules.py index de5a2ff24..dada5b768 100755 --- a/tests/test_rules.py +++ b/tests/test_rules.py 
@@ -783,6 +783,22 @@ class TestRules(unittest.TestCase):
 self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with unused selections")
+ def test_all_value_modifier_single_item(self):
+ faulty_rules = []
+ for file in self.yield_next_rule_file_path(self.path_to_rules):
+ detection = self.get_rule_part(file_path=file, part_name="detection")
+ if detection:
+ for search_identifier in detection:
+ if isinstance(detection[search_identifier],dict):
+ for field in detection[search_identifier]:
+ if "|all" in field and not isinstance(detection[search_identifier][field],list):
+ print (Fore.RED + "Rule {} uses the 'all' modifier on a single item in selection ({}/{})".format(file, search_identifier, field))
+ faulty_rules.append(file)
+
+ self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with |all modifier only having one item. " +
+ "Single item values are not allowed to have an all modifier as some back-ends cannot support it. " +
+ "If you use it as a workaround to duplicate a field in a selection, use a new selection instead.")
+
 def test_condition_operator_casesensitive(self):
 faulty_rules = []
 for file in self.yield_next_rule_file_path(self.path_to_rules):
From df8c6c118f3fdc7a553ef94d0489fa72c2fae90d Mon Sep 17 00:00:00 2001
From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com>
Date: Wed, 11 May 2022 18:59:14 +0700
Subject: [PATCH 36/54] Create win_security_krbrelayup_service_installation.yml

Detects service creation from KrbRelayUp tool
---
 ...curity_krbrelayup_service_installation.yml | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 rules/windows/builtin/system/win_security_krbrelayup_service_installation.yml

diff --git a/rules/windows/builtin/system/win_security_krbrelayup_service_installation.yml b/rules/windows/builtin/system/win_security_krbrelayup_service_installation.yml
new file mode 100644
index 000000000..c8d499353
--- /dev/null
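Review bot: `test_all_value_modifier_single_item` only inspects search identifiers whose value is a mapping, so a selection written as a list of maps (`selection: - Field|contains|all: 'x'`), which Sigma permits, is never checked, and `"|all" in field` is a substring test where a modifier-list test (`"all" in field.split("|")`) states the intent precisely. `faulty_rules.append(file)` also runs once per offending field, so a single rule can appear several times in the failure output. Walking the maps in either form closes the gap; the enclosing class continues outside the hunk.
```python
for search_identifier in detection:
    value = detection[search_identifier]
    # a search identifier may be one map or a list of maps (OR of maps)
    maps = value if isinstance(value, list) else [value]
    for selection in maps:
        if not isinstance(selection, dict):
            continue
        for field in selection:
            if "all" in field.split("|") and not isinstance(selection[field], list):
                print(Fore.RED + "Rule {} uses the 'all' modifier on a single item in selection ({}/{})".format(file, search_identifier, field))
                if file not in faulty_rules:
                    faulty_rules.append(file)
# … unchanged: assertEqual with the explanatory message …
```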
+++ b/rules/windows/builtin/system/win_security_krbrelayup_service_installation.yml
@@ -0,0 +1,22 @@
+title: KrbRelayUp Service Installation
+id: e97d9903-53b2-41fc-8cb9-889ed4093e80
+status: experimental
+description: Detects service creation from KrbRelayUp tool.
+author: Sittikorn S
+date: 2022/05/11
+references:
+ - https://github.com/Dec0ne/KrbRelayUp
+logsource:
+ product: windows
+ category: system
+detection:
+ selection:
+ EventID: '7045'
+ ServiceName: 'KrbSCM'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
+tags:
+ - attack.privilege_escalation
+ - attack.t1543
From 800669d90cf0a5406d8c0df27acbc88363624360 Mon Sep 17 00:00:00 2001
From: Sittikorn S <61369934+BlackB0lt@users.noreply.github.com>
Date: Wed, 11 May 2022 18:59:37 +0700
Subject: [PATCH 37/54] Update win_security_krbrelayup_service_installation.yml

---
 .../system/win_security_krbrelayup_service_installation.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/builtin/system/win_security_krbrelayup_service_installation.yml b/rules/windows/builtin/system/win_security_krbrelayup_service_installation.yml
index c8d499353..aa73179e9 100644
--- a/rules/windows/builtin/system/win_security_krbrelayup_service_installation.yml
+++ b/rules/windows/builtin/system/win_security_krbrelayup_service_installation.yml
@@ -12,7 +12,7 @@ logsource:
 detection:
 selection:
 EventID: '7045'
- ServiceName: 'KrbSCM'
+ ServiceName: 'KrbSCM'
 condition: selection
 falsepositives:
 - Unknown
From 20e09530cf917977c1b97bdd97a5f9f4ea165345 Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Wed, 11 May 2022 14:07:47 +0000
Subject: [PATCH 38/54] removing leading carrot. moved to startswith usage

---
 rules/network/zeek/zeek_rdp_public_listener.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/network/zeek/zeek_rdp_public_listener.yml b/rules/network/zeek/zeek_rdp_public_listener.yml
index c4727a0c9..d5ec40b24 100644
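Review bot: `logsource: product: windows` with `category: system` does not map to the Windows System event log in Sigma; the convention for 7045 rules is `service: system`, and the `win_security_` file-name prefix suggests the Security log even though the rule reads the System log. `EventID: '7045'` is quoted, making it a string where the other Windows rules use a plain integer, and `attack.t1543` could be narrowed to the Windows-service sub-technique `attack.t1543.003`. Matching only on the fixed `ServiceName: 'KrbSCM'` is acceptable for a tool-signature rule, but the description should state that this is the full extent of coverage so readers do not take it for general KrbRelayUp detection.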
--- a/rules/network/zeek/zeek_rdp_public_listener.yml
+++ b/rules/network/zeek/zeek_rdp_public_listener.yml
@@ -35,8 +35,8 @@ detection:
 - '172.31.'
 selection2:
 id.orig_h|startswith:
- - '^fd'
- - '^2620:83:800f'
+ - 'fd'
+ - '2620:83:800f'
 #approved_rdp:
 #dst_ip:
 #- x.x.x.x
From 3f3f9862597626b4b9e351c5f36ed55695a59513 Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Wed, 11 May 2022 14:30:14 +0000
Subject: [PATCH 39/54] unifying detection

---
 rules/network/zeek/zeek_rdp_public_listener.yml | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/rules/network/zeek/zeek_rdp_public_listener.yml b/rules/network/zeek/zeek_rdp_public_listener.yml
index d5ec40b24..8674e33f3 100644
--- a/rules/network/zeek/zeek_rdp_public_listener.yml
+++ b/rules/network/zeek/zeek_rdp_public_listener.yml
@@ -13,7 +13,7 @@ logsource:
 product: zeek
 service: rdp
 detection:
- selection1:
+ selection:
 id.orig_h|startswith:
 - '192.168.'
 - '10.'
@@ -33,14 +33,12 @@ detection:
 - '172.29.'
 - '172.30.'
 - '172.31.'
- selection2:
- id.orig_h|startswith:
 - 'fd'
 - '2620:83:800f'
 #approved_rdp:
 #dst_ip:
 #- x.x.x.x
- condition: not selection* #and not approved_rdp
+ condition: not selection #and not approved_rdp
 fields:
 - id.orig_h
 - id.resp_h
From fe312319d3f4d794aa93178fe1962e8fab8deed0 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 12 May 2022 13:01:24 +0200
Subject: [PATCH 40/54] Update win_security_krbrelayup_service_installation.yml

---
 .../system/win_security_krbrelayup_service_installation.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/builtin/system/win_security_krbrelayup_service_installation.yml b/rules/windows/builtin/system/win_security_krbrelayup_service_installation.yml
index aa73179e9..3ab241a79 100644
--- a/rules/windows/builtin/system/win_security_krbrelayup_service_installation.yml
+++ b/rules/windows/builtin/system/win_security_krbrelayup_service_installation.yml
@@ -1,7 +1,7 @@ title: KrbRelayUp Service Installation id: e97d9903-53b2-41fc-8cb9-889ed4093e80 status: experimental -description: Detects service creation from KrbRelayUp tool. +description: Detects service creation from KrbRelayUp tool used for privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings) author: Sittikorn S date: 2022/05/11 references: From ccfa7742da1867cf082f21defb080813ab58c58a Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 12 May 2022 13:59:49 +0200 Subject: [PATCH 41/54] Update file_event_win_werfault_dll_hijacking.yml --- .../file_event_win_werfault_dll_hijacking.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/rules/windows/file_event/file_event_win_werfault_dll_hijacking.yml b/rules/windows/file_event/file_event_win_werfault_dll_hijacking.yml index ebfeeba36..a089cd21e 100644 --- a/rules/windows/file_event/file_event_win_werfault_dll_hijacking.yml +++ b/rules/windows/file_event/file_event_win_werfault_dll_hijacking.yml @@ -1,7 +1,7 @@ -title: Creation of an WerFault.exe in Invalid Folder +title: Creation of an WerFault.exe in Unusual Folder id: 28a452f3-786c-4fd8-b8f2-bddbe9d616d1 status: experimental -description: Detects WerFault dll hijacking by coping it to a custom folder +description: Detects WerFault copoed to a suspicious folder, which could be a sign of WerFault DLL hijacking author: frack113 references: - https://www.bleepingcomputer.com/news/security/hackers-are-now-hiding-malware-in-windows-event-logs/ @@ -15,14 +15,14 @@ detection: - '\WerFault.exe' - '\wer.dll' filter_whitelist: - TargetFilename|startswith: - - 'C:\Windows\System32\' - - 'C:\Windows\SysWOW64\' - - 'C:\Windows\WinSxS\' + TargetFilename|contains: + - '\System32\' + - '\SysWOW64\' + - '\WinSxS\' condition: selection and not filter_whitelist falsepositives: - Unknown -level: medium +level: high tags: - attack.persistence - attack.defense_evasion 
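Review bot: The rewritten `description` changes what the rule claims to detect but the hunk adds no `modified:` date, which every other edited rule in this series carries; the file as created had no `modified` field, so `modified: 2022/05/12` should be added after `date:`. Minor wording: `windows domain environments` should read `Windows domain environments`, and "(the default settings)" reads better as "(the default setting)". Only lines 1–7 of the rule are in the hunk.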
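Review bot: The new werfault `description` has a typo, `copoed` should be `copied`, and the title still says `an WerFault.exe` where `a WerFault.exe` is correct. The hunk shows no `modified:` update for a rule whose title, description, filter and level all change in this commit. The rest of the header is outside this hunk.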
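Review bot: Switching `filter_whitelist` from `TargetFilename|startswith` with full `C:\Windows\...` paths to `TargetFilename|contains: '\System32\'` (and `'\SysWOW64\'`, `'\WinSxS\'`) widens the exclusion to any path containing those directory names, so a `WerFault.exe` or `wer.dll` written under a user-writable tree that happens to include a `System32` component is now filtered out — and this lands in the same hunk that raises `level` to `high`. If the goal was to tolerate a non-`C:` system drive, anchoring on the Windows directory keeps most of the original strictness: `- ':\Windows\System32\'`, `- ':\Windows\SysWOW64\'`, `- ':\Windows\WinSxS\'`. A short comment above the filter stating why `contains` was chosen would stop the next reviewer from tightening it back without context.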
From 26e041f13ac8c03f1df9156450de23bc97f876c4 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 12 May 2022 21:48:05 +0200 Subject: [PATCH 42/54] fix: VSCode icacls --- .../proc_creation_win_file_permission_modifications.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/proc_creation_win_file_permission_modifications.yml b/rules/windows/process_creation/proc_creation_win_file_permission_modifications.yml index d4bce635d..a32df9b76 100644 --- a/rules/windows/process_creation/proc_creation_win_file_permission_modifications.yml +++ b/rules/windows/process_creation/proc_creation_win_file_permission_modifications.yml @@ -6,7 +6,7 @@ author: Jakob Weinzettl, oscd.community references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md date: 2019/10/23 -modified: 2022/02/11 +modified: 2022/05/12 logsource: category: process_creation product: windows @@ -26,6 +26,8 @@ detection: CommandLine|contains|all: - 'ICACLS C:\ProgramData\dynatrace\gateway\config\config.properties /grant :r ' - 'S-1-5-19:F' + filter_programs: + CommandLine|contains: '\AppData\Local\Programs\Microsoft VS Code' condition: selection or selection2 and not 1 of filter* fields: - ComputerName From 93caa592486166908eb6358ea43a6dc35fb9ff00 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 12 May 2022 21:56:46 +0200 Subject: [PATCH 43/54] fix: lowercase false positive --- .../registry_set/registry_set_scr_file_executed_by_rundll32.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml b/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml index 64f967dc0..83eb3a245 100644 --- a/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml +++ b/rules/windows/registry/registry_set/registry_set_scr_file_executed_by_rundll32.yml 
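Review bot: The new `filter_programs` is attached to the existing `condition: selection or selection2 and not 1 of filter*`, and in Sigma `and` binds tighter than `or`, so this parses as `selection or (selection2 and not 1 of filter*)` — the filter only suppresses `selection2` (the Dynatrace case) and never applies to `selection`. If the VS Code false positive arrives through `selection` (its body is outside the hunk), the fix has no effect; the condition should read `condition: (selection or selection2) and not 1 of filter*`. A `CommandLine|contains` match on a user-writable path such as `\AppData\Local\Programs\Microsoft VS Code` is also a permissive exclusion; narrowing it to the specific `icacls` arguments VS Code actually emits would keep it from being satisfied by any command line that merely mentions that folder.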
@@ -25,7 +25,7 @@ detection: - 'C:\Windows\SysWOW64\' condition: selection and registry and not filter falsepositives: - - legitimate use of screen saver + - Legitimate use of screen saver level: medium tags: - attack.defense_evasion From d8a3ca6919318dfdb91d4bb561774c813cf57389 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 12 May 2022 23:27:48 +0100 Subject: [PATCH 44/54] Updated Rules to Use OriginalFileName --- .../proc_creation_win_esentutl_webcache.yml | 9 ++-- .../proc_creation_win_susp_vaultcmd.yml | 9 ++-- ...ation_win_susp_webdav_client_execution.yml | 10 ++-- ...proc_creation_win_susp_where_execution.yml | 4 +- .../proc_creation_win_susp_whoami.yml | 5 +- .../proc_creation_win_susp_whoami_anomaly.yml | 7 +-- ...proc_creation_win_susp_winrm_execution.yml | 10 ++-- .../proc_creation_win_susp_wmi_execution.yml | 5 +- .../proc_creation_win_susp_wsl_lolbin.yml | 10 ++-- .../proc_creation_win_susp_wuauclt.yml | 10 ++-- ...proc_creation_win_susp_wuauclt_cmdline.yml | 11 ++-- .../proc_creation_win_suspicious_ad_reco.yml | 9 ++-- .../proc_creation_win_uac_cmstp.yml | 10 ++-- .../proc_creation_win_uac_wsreset.yml | 4 +- ..._creation_win_using_sc_to_hide_sevices.yml | 4 +- ...eation_win_vmtoolsd_susp_child_process.yml | 16 +++--- .../proc_creation_win_webshell_detection.yml | 50 ++++++++++++------- .../proc_creation_win_whoami_as_priv_user.yml | 9 ++-- .../proc_creation_win_whoami_as_system.yml | 12 +++-- .../proc_creation_win_whoami_priv.yml | 9 ++-- ...roc_creation_win_win10_sched_task_0day.yml | 8 +-- ...proc_creation_win_wmi_spwns_powershell.yml | 10 ++-- .../proc_creation_win_wmic_reconnaissance.yml | 15 +++--- .../proc_creation_win_wmic_remote_command.yml | 13 +++-- .../proc_creation_win_wmic_remote_service.yml | 11 ++-- ...c_creation_win_wmic_remove_application.yml | 8 +-- 26 files changed, 171 insertions(+), 107 deletions(-) 
diff --git a/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml b/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml index 15a863b09..4e7dbfd6f 100644 --- a/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml +++ b/rules/windows/process_creation/proc_creation_win_esentutl_webcache.yml @@ -7,16 +7,19 @@ references: - https://redcanary.com/threat-detection-report/threats/qbot/ author: frack113 date: 2022/02/13 +modified: 2022/05/12 logsource: category: process_creation product: windows detection: - selection: - Image|endswith: \esentutl.exe + selection_img: + - Image|endswith: '\esentutl.exe' + - OriginalFileName: 'esentutl.exe' + selection_cli: CommandLine|contains|all: - '/r ' - '\Windows\WebCache' - condition: selection + condition: all of selection* falsepositives: - Legitimate use level: medium diff --git a/rules/windows/process_creation/proc_creation_win_susp_vaultcmd.yml b/rules/windows/process_creation/proc_creation_win_susp_vaultcmd.yml index df9664b18..349e2eaef 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_vaultcmd.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_vaultcmd.yml @@ -4,16 +4,19 @@ status: experimental description: List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe author: frack113 date: 2022/04/08 +modified: 2022/05/12 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.004/T1555.004.md#atomic-test-1---access-saved-credentials-via-vaultcmd logsource: category: process_creation product: windows detection: - selection: - Image|endswith: '\VaultCmd.exe' + selection_img: + - Image|endswith: '\VaultCmd.exe' + - OriginalFileName|contains: 'VAULTCMD.EXE' + selection_cli: CommandLine|contains: '/listcreds:' - condition: selection + condition: all of selection* falsepositives: - Unknown level: medium 
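Review bot: `OriginalFileName|contains: 'VAULTCMD.EXE'` in the vaultcmd hunk (and the same `|contains` form repeated for `OriginalFileName` in the webdav, where, whoami, winrm, wmi, wsl, wuauclt, ad_reco, cmstp, sc, vmtoolsd, webshell, schtasks, wmi_spwns and wmic hunks of this commit) is a substring test on a field that holds exactly one file name, so it only adds ambiguity: a value such as `'net.exe'` also matches `dotnet.exe` or `telnet.exe`, and `'ping.exe'` matches `pathping.exe`. An exact match, `OriginalFileName: 'VaultCmd.exe'`, is the intended semantics and is what the esentutl hunk just above already uses; PATCH 47 later in this series removes the modifier, so this is a consistency note for this commit. Sigma string comparison is case-insensitive, so the mixed casing (`VAULTCMD.EXE` here, `wmic.exe` elsewhere) is harmless but distracting.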
diff --git a/rules/windows/process_creation/proc_creation_win_susp_webdav_client_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_webdav_client_execution.yml index 4149781b4..9b7049047 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_webdav_client_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_webdav_client_execution.yml @@ -7,15 +7,17 @@ references: - https://github.com/OTRF/detection-hackathon-apt29/issues/17 - https://threathunterplaybook.com/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.html date: 2020/05/02 -modified: 2021/11/27 +modified: 2022/05/15 logsource: category: process_creation product: windows detection: - selection: - Image|endswith: '\rundll32.exe' + selection_img: + - Image|endswith: '\rundll32.exe' + - OriginalFileName|contains: 'RUNDLL32.EXE' + selection_cli: CommandLine|contains: 'C:\windows\system32\davclnt.dll,DavSetCookie' - condition: selection + condition: all of selection* falsepositives: - Unknown level: medium diff --git a/rules/windows/process_creation/proc_creation_win_susp_where_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_where_execution.yml index e35eaa87e..26ea30cd8 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_where_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_where_execution.yml @@ -9,12 +9,14 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md author: frack113 date: 2021/12/13 +modified: 2022/05/12 logsource: category: process_creation product: windows detection: where_exe: - Image|endswith: '\where.exe' + - Image|endswith: '\where.exe' + - OriginalFileName|contains: 'where.exe' where_opt: CommandLine|contains: - 'Bookmarks' diff --git a/rules/windows/process_creation/proc_creation_win_susp_whoami.yml b/rules/windows/process_creation/proc_creation_win_susp_whoami.yml index 5b2ac21c6..0a08cfcc4 100644 
--- a/rules/windows/process_creation/proc_creation_win_susp_whoami.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_whoami.yml @@ -7,13 +7,14 @@ references: - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/ - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/ date: 2018/08/13 -modified: 2021/11/27 +modified: 2022/05/12 logsource: category: process_creation product: windows detection: selection: - Image|endswith: '\whoami.exe' + - Image|endswith: '\whoami.exe' + - OriginalFileName|contains: 'whoami.exe' condition: selection falsepositives: - Admin activity diff --git a/rules/windows/process_creation/proc_creation_win_susp_whoami_anomaly.yml b/rules/windows/process_creation/proc_creation_win_susp_whoami_anomaly.yml index f802e6ef6..17442a1e2 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_whoami_anomaly.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_whoami_anomaly.yml @@ -7,7 +7,7 @@ references: - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/ author: Florian Roth date: 2021/08/12 -modified: 2021/08/26 +modified: 2021/05/12 tags: - attack.discovery - attack.t1033 @@ -17,9 +17,10 @@ logsource: product: windows detection: selection: - Image|endswith: '\whoami.exe' + - Image|endswith: '\whoami.exe' + - OriginalFileName|contains: 'whoami.exe' filter1: - ParentImage|endswith: + ParentImage|endswith: - '\cmd.exe' - '\powershell.exe' filter2: diff --git a/rules/windows/process_creation/proc_creation_win_susp_winrm_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_winrm_execution.yml index 3fc44a897..f1d4aa9ff 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_winrm_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_winrm_execution.yml 
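Review bot: The whoami_anomaly hunk sets `modified: 2021/05/12`, which is earlier than the `2021/08/26` it replaces and a year off from the `2022/05/12` every other rule in this commit uses; it should read `modified: 2022/05/12`. The `filter1` change in the following hunk is whitespace only, and the `ParentImage|endswith` list it heads continues outside the hunk.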
@@ -7,18 +7,20 @@ references: - https://twitter.com/bohops/status/994405551751815170 - https://redcanary.com/blog/lateral-movement-winrm-wmi/ date: 2020/10/07 -modified: 2021/11/27 +modified: 2022/05/12 logsource: category: process_creation product: windows detection: - selection: - Image|endswith: '\cscript.exe' + selection_img: + - Image|endswith: '\cscript.exe' + - OriginalFileName|contains: 'cscript.exe' + selection_cli: CommandLine|contains|all: - 'winrm' - 'invoke Create wmicimv2/Win32_' - '-r:http' - condition: selection + condition: all of selection* falsepositives: - Legitimate use for administartive purposes. Unlikely diff --git a/rules/windows/process_creation/proc_creation_win_susp_wmi_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_wmi_execution.yml index 1df08c0d7..893e12dad 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_wmi_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_wmi_execution.yml @@ -8,13 +8,14 @@ references: - https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1 - https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/ date: 2019/01/16 -modified: 2022/01/07 +modified: 2022/05/12 logsource: category: process_creation product: windows detection: selection: - Image|endswith: '\wmic.exe' + - Image|endswith: '\wmic.exe' + - OriginalFileName|contains: 'wmic.exe' selection2: CommandLine|contains|all: - 'process' diff --git a/rules/windows/process_creation/proc_creation_win_susp_wsl_lolbin.yml b/rules/windows/process_creation/proc_creation_win_susp_wsl_lolbin.yml index ca60aca3d..d64fed803 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_wsl_lolbin.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_wsl_lolbin.yml 
@@ -6,17 +6,19 @@ author: 'oscd.community, Zach Stanford @svch0st' references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/ date: 2020/10/05 -modified: 2021/11/27 +modified: 2022/05/12 logsource: category: process_creation product: windows detection: - selection: - Image|endswith: '\wsl.exe' + selection_img: + - Image|endswith: '\wsl.exe' + - OriginalFileName|contains: 'wsl.exe' + selection_cli: CommandLine|contains: - ' -e ' - ' --exec ' - condition: selection + condition: all of selection* falsepositives: - Automation and orchestration scripts may use this method execute scripts etc level: medium diff --git a/rules/windows/process_creation/proc_creation_win_susp_wuauclt.yml b/rules/windows/process_creation/proc_creation_win_susp_wuauclt.yml index 47969d52a..5acea5c92 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_wuauclt.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_wuauclt.yml @@ -6,7 +6,7 @@ references: - https://dtm.uk/wuauclt/ author: FPT.EagleEye Team date: 2020/10/17 -modified: 2021/11/18 +modified: 2022/05/12 tags: - attack.command_and_control - attack.execution @@ -16,17 +16,19 @@ logsource: product: windows category: process_creation detection: - selection: + selection_cli: CommandLine|contains|all: - '/UpdateDeploymentProvider' - '/RunHandlerComServer' - '.dll' - Image|endswith: '\wuauclt.exe' + selection_img: + - Image|endswith: '\wuauclt.exe' + - OriginalFileName|contains: 'wuauclt.exe' filter: CommandLine|contains: - ' /ClassId ' - ' wuaueng.dll ' - condition: selection and not filter + condition: all of selection* and not filter falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_susp_wuauclt_cmdline.yml b/rules/windows/process_creation/proc_creation_win_susp_wuauclt_cmdline.yml index 9b89cc9c4..fe0f33894 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_wuauclt_cmdline.yml 
+++ b/rules/windows/process_creation/proc_creation_win_susp_wuauclt_cmdline.yml @@ -6,14 +6,17 @@ author: Florian Roth references: - https://redcanary.com/blog/blackbyte-ransomware/ date: 2022/02/26 +modified: 2022/05/12 logsource: category: process_creation product: windows detection: - selection: - Image|endswith: '\Wuauclt.exe' - CommandLine|endswith: '\Wuauclt.exe' - condition: selection + selection_img: + - Image|endswith: '\Wuauclt.exe' + - OriginalFileName|contains: 'Wuauclt.exe' + selection_cli: + CommandLine|endswith: '\Wuauclt.exe' + condition: all of selection* falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_suspicious_ad_reco.yml b/rules/windows/process_creation/proc_creation_win_suspicious_ad_reco.yml index 9723e3670..72df4555e 100644 --- a/rules/windows/process_creation/proc_creation_win_suspicious_ad_reco.yml +++ b/rules/windows/process_creation/proc_creation_win_suspicious_ad_reco.yml @@ -9,14 +9,17 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md author: frack113 date: 2021/12/12 +modified: 2022/05/12 logsource: product: windows category: process_creation detection: - test_5: - Image|endswith: '\wmic.exe' + selection_img: + - Image|endswith: '\wmic.exe' + - OriginalFileName|contains: 'wmic.exe' + selection_cli: CommandLine|contains: ' group' - condition: test_5 + condition: all of selection* falsepositives: - Unknown level: low diff --git a/rules/windows/process_creation/proc_creation_win_uac_cmstp.yml b/rules/windows/process_creation/proc_creation_win_uac_cmstp.yml index fcf0bf8be..6598f6956 100644 --- a/rules/windows/process_creation/proc_creation_win_uac_cmstp.yml +++ b/rules/windows/process_creation/proc_creation_win_uac_cmstp.yml 
@@ -7,17 +7,19 @@ references: - https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1191/T1191.md date: 2019/10/24 -modified: 2021/11/27 +modified: 2022/05/12 logsource: category: process_creation product: windows detection: - selection: - Image|endswith: '\cmstp.exe' + selection_img: + - Image|endswith: '\cmstp.exe' + - OriginalFileName|contains: 'CMSTP.EXE' + selection_cli: CommandLine|contains: - '/s' - '/au' - condition: selection + condition: all of selection* fields: - ComputerName - User diff --git a/rules/windows/process_creation/proc_creation_win_uac_wsreset.yml b/rules/windows/process_creation/proc_creation_win_uac_wsreset.yml index 877ffb1b4..844b99aa1 100644 --- a/rules/windows/process_creation/proc_creation_win_uac_wsreset.yml +++ b/rules/windows/process_creation/proc_creation_win_uac_wsreset.yml @@ -6,7 +6,7 @@ author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd references: - https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html date: 2019/10/24 -modified: 2021/11/27 +modified: 2022/05/12 logsource: category: process_creation product: windows @@ -14,7 +14,7 @@ detection: selection: ParentImage|endswith: '\wsreset.exe' filter: - Image|endswith: '\conhost.exe' + OriginalFileName|contains: 'CONHOST.EXE' condition: selection and not filter falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_using_sc_to_hide_sevices.yml b/rules/windows/process_creation/proc_creation_win_using_sc_to_hide_sevices.yml index ebc8bf7af..9c9b7c07d 100644 --- a/rules/windows/process_creation/proc_creation_win_using_sc_to_hide_sevices.yml +++ b/rules/windows/process_creation/proc_creation_win_using_sc_to_hide_sevices.yml 
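Review bot: The wsreset `filter` now matches `OriginalFileName|contains: 'CONHOST.EXE'` instead of `Image|endswith: '\conhost.exe'`, and because it is an exclusion the failure mode is inverted: on a telemetry source that does not populate `OriginalFileName` (Security 4688 events, for instance) the filter never matches, so every `conhost.exe` child of `wsreset.exe` becomes an alert rather than being suppressed. Keep both forms so either field can satisfy the filter, as a list: `- Image|endswith: '\conhost.exe'` and `- OriginalFileName: 'CONHOST.EXE'`. The same removal of the `Image` fallback appears in the vmtoolsd and webshell hunks that follow.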
@@ -7,12 +7,14 @@ references: - https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/ date: 2021/12/20 +modified: 2022/05/12 logsource: category: process_creation product: windows detection: sc: - Image|endswith: '\sc.exe' + - Image|endswith: '\sc.exe' + - OriginalFileName|contains: 'sc.exe' cli: CommandLine|contains|all: - 'sdset' diff --git a/rules/windows/process_creation/proc_creation_win_vmtoolsd_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_vmtoolsd_susp_child_process.yml index cdecb338e..b9f86190a 100644 --- a/rules/windows/process_creation/proc_creation_win_vmtoolsd_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_vmtoolsd_susp_child_process.yml @@ -8,7 +8,7 @@ tags: - attack.t1059 author: behops, Bhabesh Raj date: 2021/10/08 -modified: 2021/10/10 +modified: 2022/05/12 references: - https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/ fields: @@ -24,13 +24,13 @@ logsource: detection: selection: ParentImage|endswith: '\vmtoolsd.exe' - Image|endswith: - - '\cmd.exe' - - '\powershell.exe' - - '\rundll32.exe' - - '\regsvr32.exe' - - '\wscript.exe' - - '\cscript.exe' + OriginalFileName|contains: + - 'Cmd.Exe' + - 'PowerShell.EXE' + - 'RUNDLL32.EXE' + - 'REGSVR32.EXE' + - 'wscript.exe' + - 'cscript.exe' filter: CommandLine|contains: - '\VMware\VMware Tools\poweron-vm-default.bat' diff --git a/rules/windows/process_creation/proc_creation_win_webshell_detection.yml b/rules/windows/process_creation/proc_creation_win_webshell_detection.yml index 23695d2da..78dafb326 100644 --- a/rules/windows/process_creation/proc_creation_win_webshell_detection.yml +++ b/rules/windows/process_creation/proc_creation_win_webshell_detection.yml 
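Review bot: Replacing the `Image|endswith` list with `OriginalFileName|contains` alone in the vmtoolsd `selection` means the rule matches nothing on a process-creation source that lacks `OriginalFileName`, whereas the other hunks in this commit keep `Image` as an alternative. Because this selection also needs `ParentImage`, the portable shape is the one the wmi_spwns_powershell hunk uses: a `selection_parent` holding `ParentImage|endswith: '\vmtoolsd.exe'`, a `selection_img` list with `- Image|endswith:` (the old values) and `- OriginalFileName:` (the new ones), and `condition: all of selection* and not filter`. The same applies to `susp_net_utility`, `susp_ping_utility` and `susp_wmic_utility` in the webshell hunk that follows; PATCH 47 in this series says it adds `Image` back to some rules, so this is a check that those three are included.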
@@ -27,50 +27,62 @@ detection: - '\caddy.exe' - '\ws_tomcatservice.exe' selection_webserver_characteristics_tomcat1: - ParentImage|endswith: + ParentImage|endswith: - '\java.exe' - '\javaw.exe' - ParentImage|contains: + ParentImage|contains: - '-tomcat-' - '\tomcat' selection_webserver_characteristics_tomcat2: - ParentImage|endswith: + ParentImage|endswith: - '\java.exe' - '\javaw.exe' - CommandLine|contains: + CommandLine|contains: - 'catalina.jar' - 'CATALINA_HOME' susp_net_utility: - Image|endswith: - - '\net.exe' - - '\net1.exe' + OriginalFileName|contains: + - 'net.exe' + - 'net1.exe' CommandLine|contains: - ' user ' - ' use ' - ' group ' susp_ping_utility: - Image|endswith: '\ping.exe' + OriginalFileName|contains: 'ping.exe' CommandLine|contains: ' -n ' susp_change_dir: CommandLine|contains: - '&cd&echo' # china chopper web shell - 'cd /d ' # https://www.computerhope.com/cdhlp.htm susp_wmic_utility: - Image|endswith: '\wmic.exe' - CommandLine|contains: ' /node:' + OriginalFileName|contains: 'wmic.exe' + CommandLine|contains: ' /node:' susp_misc_discovery_binaries: - Image|endswith: + - Image|endswith: - '\whoami.exe' - '\systeminfo.exe' - '\quser.exe' - - '\ipconfig.exe' - - '\pathping.exe' - - '\tracert.exe' - - '\netstat.exe' - - '\schtasks.exe' - - '\vssadmin.exe' - - '\wevtutil.exe' - - '\tasklist.exe' + - '\ipconfig.exe' + - '\pathping.exe' + - '\tracert.exe' + - '\netstat.exe' + - '\schtasks.exe' + - '\vssadmin.exe' + - '\wevtutil.exe' + - '\tasklist.exe' + - OriginalFileName|contains: + - 'whoami.exe' + - 'sysinfo.exe' + - 'quser.exe' + - 'ipconfig.exe' + - 'pathping.exe' + - 'tracert.exe' + - 'netstat.exe' + - 'schtasks.exe' + - 'VSSADMIN.EXE' + - 'wevtutil.exe' + - 'tasklist.exe' susp_misc_discovery_commands: CommandLine|contains: - ' Test-NetConnection ' diff --git a/rules/windows/process_creation/proc_creation_win_whoami_as_priv_user.yml b/rules/windows/process_creation/proc_creation_win_whoami_as_priv_user.yml index 70b93cd68..6b01133ee 100644 
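Review bot: `OriginalFileName|contains: 'ping.exe'` in `susp_ping_utility` also matches `pathping.exe`, which this same rule lists separately under `susp_misc_discovery_binaries`, and `'net.exe'` in `susp_net_utility` matches `dotnet.exe` and `telnet.exe`; both should be exact (`OriginalFileName: 'ping.exe'`, `OriginalFileName: 'net.exe'`). `susp_misc_discovery_binaries` becomes a list of two maps, which ORs the `Image|endswith` and `OriginalFileName` alternatives as intended, but the `'sysinfo.exe'` entry (as I understand it, the `OriginalFileName` that systeminfo.exe carries) deserves a `# OriginalFileName of systeminfo.exe` comment so the mismatch with `'\systeminfo.exe'` does not read as a typo. The `ParentImage|endswith`/`ParentImage|contains` lines at the top of the hunk change only in whitespace. The `detection` block continues outside the hunk.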
--- a/rules/windows/process_creation/proc_creation_win_whoami_as_priv_user.yml +++ b/rules/windows/process_creation/proc_creation_win_whoami_as_priv_user.yml @@ -7,6 +7,7 @@ references: - https://nsudo.m2team.org/en-us/ author: Florian Roth date: 2022/01/28 +modified: 2022/05/12 tags: - attack.privilege_escalation - attack.discovery @@ -15,10 +16,12 @@ logsource: category: process_creation product: windows detection: - selection: + selection_user: User|contains: 'TrustedInstaller' - Image|endswith: '\whoami.exe' - condition: selection + selection_img: + - OriginalFileName|contains: 'whoami.exe' + - Image|endswith: '\whoami.exe' + condition: all of selection* falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_whoami_as_system.yml b/rules/windows/process_creation/proc_creation_win_whoami_as_system.yml index 20812efdf..20e27b851 100644 --- a/rules/windows/process_creation/proc_creation_win_whoami_as_system.yml +++ b/rules/windows/process_creation/proc_creation_win_whoami_as_system.yml @@ -6,21 +6,23 @@ references: - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment author: Teymur Kheirkhabarov, Florian Roth date: 2019/10/23 -modified: 2022/01/28 +modified: 2022/05/12 tags: - attack.privilege_escalation - - attack.discovery + - attack.discovery - attack.t1033 logsource: category: process_creation product: windows detection: - selection: + selection_user: User|contains: # covers many language settings - 'AUTHORI' - 'AUTORI' - Image|endswith: '\whoami.exe' - condition: selection + selection_img: + - OriginalFileName|contains: 'whoami.exe' + - Image|endswith: '\whoami.exe' + condition: all of selection* falsepositives: - Possible name overlap with NT AUHTORITY substring to cover all languages level: high diff --git a/rules/windows/process_creation/proc_creation_win_whoami_priv.yml b/rules/windows/process_creation/proc_creation_win_whoami_priv.yml index 3cd02819c..fc6c57ad4 100644 
--- a/rules/windows/process_creation/proc_creation_win_whoami_priv.yml +++ b/rules/windows/process_creation/proc_creation_win_whoami_priv.yml @@ -6,6 +6,7 @@ references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/whoami author: Florian Roth date: 2021/05/05 +modified: 2022/05/12 tags: - attack.privilege_escalation - attack.discovery @@ -14,10 +15,12 @@ logsource: category: process_creation product: windows detection: - selection: - Image|endswith: '\whoami.exe' + selection_img: + - Image|endswith: '\whoami.exe' + - OriginalFileName|contains: 'whoami.exe' + selection_cli: CommandLine|contains: '/priv' - condition: selection + condition: all of selection* falsepositives: - Administrative activity (rare lookups on current privileges) level: high diff --git a/rules/windows/process_creation/proc_creation_win_win10_sched_task_0day.yml b/rules/windows/process_creation/proc_creation_win_win10_sched_task_0day.yml index 5627d30b2..da078ae57 100644 --- a/rules/windows/process_creation/proc_creation_win_win10_sched_task_0day.yml +++ b/rules/windows/process_creation/proc_creation_win_win10_sched_task_0day.yml @@ -6,19 +6,21 @@ author: Olaf Hartong references: - https://github.com/SandboxEscaper/polarbearrepo/tree/master/bearlpe date: 2019/05/22 -modified: 2021/11/27 +modified: 2022/05/12 logsource: category: process_creation product: windows detection: - selection: + selection_img: Image|endswith: '\schtasks.exe' + OriginalFileName|contains: 'schtasks.exe' + selection_cli: CommandLine|contains|all: - '/change' - '/TN' - '/RU' - '/RP' - condition: selection + condition: all of selection* falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_wmi_spwns_powershell.yml b/rules/windows/process_creation/proc_creation_win_wmi_spwns_powershell.yml index b82d40c70..2bf9ff4ec 100644 --- a/rules/windows/process_creation/proc_creation_win_wmi_spwns_powershell.yml 
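Review bot: In the win10_sched_task_0day hunk `selection_img` is a mapping with `Image|endswith: '\schtasks.exe'` and `OriginalFileName|contains: 'schtasks.exe'` as sibling keys, which Sigma ANDs, unlike every other `selection_img` in this commit where the two are list items and therefore ORed; an event from a source without `OriginalFileName` can no longer match at all. Make it a list: `- Image|endswith: '\schtasks.exe'` and `- OriginalFileName: 'schtasks.exe'`. The whoami_priv hunk above it already has the list form.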
+++ b/rules/windows/process_creation/proc_creation_win_wmi_spwns_powershell.yml @@ -7,19 +7,21 @@ references: - https://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e author: Markus Neis / @Karneades date: 2019/04/03 -modified: 2021/02/24 +modified: 2022/05/12 logsource: category: process_creation product: windows detection: - selection: + selection_parent: ParentImage|endswith: '\wmiprvse.exe' - Image|endswith: '\powershell.exe' + selection_img: + - Image|endswith: '\powershell.exe' + - OriginalFileName|contains: 'PowerShell.EXE' filter_null1: CommandLine: 'null' filter_null2: # some backends need the null value in a separate expression CommandLine: null - condition: selection and not filter_null1 and not filter_null2 + condition: all of selection* and not filter_null1 and not filter_null2 falsepositives: - AppvClient - CCM diff --git a/rules/windows/process_creation/proc_creation_win_wmic_reconnaissance.yml b/rules/windows/process_creation/proc_creation_win_wmic_reconnaissance.yml index de1dd67a6..21d5fa6cb 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_reconnaissance.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_reconnaissance.yml 
@@ -7,20 +7,23 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic date: 2022/01/01 +modified: 2022/05/12 logsource: category: process_creation product: windows detection: - selection: - Image|endswith: \WMIC.exe - CommandLine|contains: - - process + selection_img: + - Image|endswith: \WMIC.exe + - OriginalFileName|contains: 'wmic.exe' + selection_cli: + CommandLine|contains: + - process - qfe filter: CommandLine|contains|all: #rule id 526be59f-a573-4eea-b5f7-f0973207634d for `wmic process call create #{process_to_execute}` - call - - create - condition: selection and not filter + - create + condition: all of selection* and not filter falsepositives: - Unknown level: medium diff --git a/rules/windows/process_creation/proc_creation_win_wmic_remote_command.yml b/rules/windows/process_creation/proc_creation_win_wmic_remote_command.yml index f082d4db9..2eb165ae5 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_remote_command.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_remote_command.yml @@ -7,21 +7,24 @@ references: - https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/ - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic date: 2022/03/13 +modified: 2022/05/12 logsource: category: process_creation product: windows detection: - selection: - Image|endswith: \WMIC.exe + selection_img: + - Image|endswith: \WMIC.exe + - OriginalFileName|contains: 'wmic.exe' + selection_cli: CommandLine|contains|all: - '/node:' - process - call - - create - condition: selection + - create + condition: all of selection* falsepositives: - Unknown -level: medium +level: medium tags: - attack.execution - attack.t1047 
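Review bot: `Image|endswith: \WMIC.exe` is carried into the new `selection_img` list as an unquoted plain scalar while the sibling `OriginalFileName|contains: 'wmic.exe'` and every other image value in this commit are quoted; a backslash is literal in a plain scalar so it parses correctly, but `- Image|endswith: '\WMIC.exe'` keeps the file consistent and is what a reader expects. The same unquoted form is retained in the wmic_remote_command, wmic_remote_service and wmic_remove_application hunks. The filter comment `#rule id 526be59f-...` also lacks the space after `#` that yamllint expects.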
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_remote_service.yml b/rules/windows/process_creation/proc_creation_win_wmic_remote_service.yml index 17a29f777..eadebed2e 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_remote_service.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_remote_service.yml @@ -7,6 +7,7 @@ description: | A common feedback message is that "No instance(s) Available" if the service queried is not running. A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreacheable author: frack113 +modified: 2022/05/12 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic @@ -15,12 +16,14 @@ logsource: category: process_creation product: windows detection: - selection: - Image|endswith: \WMIC.exe + selection_img: + - Image|endswith: \WMIC.exe + - OriginalFileName|contains: 'wmic.exe' + selection_cli: CommandLine|contains|all: - '/node:' - - service - condition: selection + - service + condition: all of selection* falsepositives: - Unknown level: medium diff --git a/rules/windows/process_creation/proc_creation_win_wmic_remove_application.yml b/rules/windows/process_creation/proc_creation_win_wmic_remove_application.yml index a6e659657..54028776c 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_remove_application.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_remove_application.yml @@ -10,10 +10,12 @@ logsource: category: process_creation product: windows detection: - selection: - Image|endswith: \WMIC.exe + selection_img: + - Image|endswith: \WMIC.exe + - OriginalFileName|contains: 'wmic.exe' + selection_cli: CommandLine|contains: call uninstall - condition: selection + condition: all of selection* falsepositives: - Unknown level: medium 
From 1e494e508a8e06c849111b533bfae85baa91bdcd Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 12 May 2022 23:28:14 +0100 Subject: [PATCH 45/54] Update proc_creation_win_powershell_defender_exclusion.yml Added ' -ExclusionIpAddress' Option --- .../proc_creation_win_powershell_defender_exclusion.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml b/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml index 85c5b6258..65baa60a6 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_defender_exclusion.yml @@ -11,13 +11,13 @@ tags: - attack.t1562.001 author: Florian Roth date: 2021/04/29 -modified: 2022/03/04 +modified: 2022/05/12 logsource: category: process_creation product: windows detection: selection1: - CommandLine|contains: + CommandLine|contains: - 'Add-MpPreference ' - 'Set-MpPreference ' selection2: @@ -25,6 +25,7 @@ detection: - ' -ExclusionPath ' - ' -ExclusionExtension ' - ' -ExclusionProcess ' + - ' -ExclusionIpAddress ' condition: all of selection* falsepositives: - Possible Admin Activity From 58f1d6fa2c679198f2932e3c361d5fa827effa95 Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Fri, 13 May 2022 08:20:30 +0200 Subject: [PATCH 46/54] Create FUNDING.yml --- .github/FUNDING.yml | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 .github/FUNDING.yml diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml new file mode 100644 index 000000000..7959554a1 --- /dev/null +++ b/.github/FUNDING.yml 
@@ -0,0 +1,13 @@
+# These are supported funding model platforms
+
+github: [thomaspatzke]
+patreon: # Replace with a single Patreon username
+open_collective: # Replace with a single Open Collective username
+ko_fi: # Replace with a single Ko-fi username
+tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
+community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
+liberapay: # Replace with a single Liberapay username
+issuehunt: # Replace with a single IssueHunt username
+otechie: # Replace with a single Otechie username
+lfx_crowdfunding: # Replace with a single LFX Crowdfunding project-name e.g., cloud-foundry
+custom: # Replace with up to 4 custom sponsorship URLs e.g., ['link1', 'link2']
From 2e689eca546c297a9c9f75e45d42834fcb73fad2 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Fri, 13 May 2022 11:52:31 +0100 Subject: [PATCH 47/54] Quick Fix - Removed "Contains" modifier from "OriginalFileName" across all rules. - Added "Image" field back in the rules highlighted by Florian --- .../file_rename_win_not_dll_to_dll.yml | 6 +++--- .../proc_creation_win_creation_mavinject_dll.yml | 7 ++++--- .../proc_creation_win_susp_advancedrun.yml | 4 ++-- .../proc_creation_win_susp_ftp.yml | 4 ++-- .../proc_creation_win_susp_psloglist.yml | 5 +++-- ...creation_win_susp_trolleyexpress_procdump.yml | 3 ++- .../proc_creation_win_susp_vaultcmd.yml | 4 ++-- ...creation_win_susp_webdav_client_execution.yml | 4 ++-- .../proc_creation_win_susp_where_execution.yml | 4 ++-- .../proc_creation_win_susp_whoami.yml | 4 ++-- .../proc_creation_win_susp_whoami_anomaly.yml | 4 ++-- .../proc_creation_win_susp_winrm_execution.yml | 4 ++-- .../proc_creation_win_susp_wmi_execution.yml | 4 ++-- .../proc_creation_win_susp_wsl_lolbin.yml | 4 ++-- .../proc_creation_win_susp_wuauclt.yml | 4 ++-- .../proc_creation_win_susp_wuauclt_cmdline.yml | 4 ++-- .../proc_creation_win_suspicious_ad_reco.yml | 4 ++-- .../proc_creation_win_tool_nircmd.yml | 4 ++-- .../proc_creation_win_uac_cmstp.yml | 4 ++-- .../proc_creation_win_uac_wsreset.yml | 5 +++-- ...roc_creation_win_using_sc_to_hide_sevices.yml | 4 ++-- ..._creation_win_vmtoolsd_susp_child_process.yml | 16 ++++++++++++---- .../proc_creation_win_webshell_detection.yml | 10 +++++----- .../proc_creation_win_whoami_as_priv_user.yml | 4 ++-- .../proc_creation_win_whoami_as_system.yml | 4 ++-- .../proc_creation_win_whoami_priv.yml | 4 ++-- .../proc_creation_win_win10_sched_task_0day.yml | 4 ++-- .../proc_creation_win_wmi_spwns_powershell.yml | 4 ++-- .../proc_creation_win_wmic_reconnaissance.yml | 4 ++-- .../proc_creation_win_wmic_remote_command.yml | 4 ++-- .../proc_creation_win_wmic_remote_service.yml | 4 ++-- ...proc_creation_win_wmic_remove_application.yml | 3 
++- 32 files changed, 82 insertions(+), 69 deletions(-) diff --git a/rules/windows/file_rename/file_rename_win_not_dll_to_dll.yml b/rules/windows/file_rename/file_rename_win_not_dll_to_dll.yml index 698b6de4c..c2bf984cf 100644 --- a/rules/windows/file_rename/file_rename_win_not_dll_to_dll.yml +++ b/rules/windows/file_rename/file_rename_win_not_dll_to_dll.yml @@ -7,7 +7,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md#atomic-test-1---system-file-copied-to-unusual-location author: frack113 date: 2022/02/19 -modified: 2022/03/13 +modified: 2022/05/13 logsource: product: windows category: file_rename @@ -15,10 +15,10 @@ detection: to_dll: TargetFilename|endswith: '.dll' filter_from_dll: - - OriginalFilename|endswith: + - OriginalFilename|endswith: - '.dll' - '.tmp' # VSCode FP - - OriginalFilename|contains: + - OriginalFilename: - '.dll.' - '\SquirrelTemp\temp' filter_tiworker: diff --git a/rules/windows/process_creation/proc_creation_win_creation_mavinject_dll.yml b/rules/windows/process_creation/proc_creation_win_creation_mavinject_dll.yml index 33776066d..81d2cea24 100644 --- a/rules/windows/process_creation/proc_creation_win_creation_mavinject_dll.yml +++ b/rules/windows/process_creation/proc_creation_win_creation_mavinject_dll.yml @@ -3,6 +3,7 @@ id: 4f73421b-5a0b-4bbf-a892-5a7fb99bea66 status: experimental author: frack113 date: 2021/07/12 +modified: 2022/05/13 description: Injects arbitrary DLL into running process specified by process ID. Requires Windows 10. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218/T1218.md @@ -18,11 +19,11 @@ logsource: product: windows detection: selection: - CommandLine|contains|all: + CommandLine|contains|all: - ' /INJECTRUNNING' - '.dll' # space some time in the end - OriginalFileName|contains: mavinject - condition: selection + OriginalFileName: mavinject + condition: selection fields: - ComputerName - User 
diff --git a/rules/windows/process_creation/proc_creation_win_susp_advancedrun.yml b/rules/windows/process_creation/proc_creation_win_susp_advancedrun.yml index 60de68d90..79ce72384 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_advancedrun.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_advancedrun.yml @@ -9,13 +9,13 @@ references: - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/ author: Florian Roth date: 2022/01/20 -modified: 2022/05/05 +modified: 2022/05/13 logsource: product: windows category: process_creation detection: selection: - - OriginalFileName|contains: 'AdvancedRun.exe' + - OriginalFileName: 'AdvancedRun.exe' - CommandLine|contains|all: - ' /EXEFilename ' - ' /Run' diff --git a/rules/windows/process_creation/proc_creation_win_susp_ftp.yml b/rules/windows/process_creation/proc_creation_win_susp_ftp.yml index 4cdecc4be..3672b3102 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_ftp.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_ftp.yml @@ -6,7 +6,7 @@ author: Victor Sergeev, oscd.community references: - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Ftp.yml date: 2020/10/09 -modified: 2021/11/27 +modified: 2022/05/13 logsource: category: process_creation product: windows @@ -14,7 +14,7 @@ detection: ftp_path: Image|endswith: 'ftp.exe' ftp_metadata: - OriginalFileName|contains: 'ftp.exe' + OriginalFileName: 'ftp.exe' cmd_with_script_modifier: CommandLine|contains: '-s:' parent_path: diff --git a/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml b/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml index 01fe56869..c9c183005 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_psloglist.yml 
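Review bot: In the ftp hunk, `ftp_path` still uses `Image|endswith: 'ftp.exe'` with no path separator, so any image whose name merely ends in `ftp.exe` (the built-in `tftp.exe` client, where installed, is the obvious case) satisfies that selection; the commit only tightens the `ftp_metadata` side. Change it to `Image|endswith: '\ftp.exe'`, matching the `'\whoami.exe'`-style anchors the other rules in this commit use. The `parent_path` selection and the condition lie past the end of the hunk, so I cannot tell how much the loose match is compensated elsewhere.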
@@ -8,6 +8,7 @@ references: - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList author: Nasreddine Bencherchali @nas_bench date: 2021/12/18 +modified: 2022/05/13 tags: - attack.discovery - attack.t1087 @@ -18,7 +19,7 @@ logsource: product: windows detection: selection1: - OriginalFileName|contains: 'psloglist' + OriginalFileName: 'psloglist' selection2: Image|endswith: - '\psloglist.exe' @@ -32,7 +33,7 @@ detection: - '-s' - '/s' other: - CommandLine|contains|all: + CommandLine|contains|all: - 'security' - 'accepteula' condition: (1 of selection*) or (flags and other) diff --git a/rules/windows/process_creation/proc_creation_win_susp_trolleyexpress_procdump.yml b/rules/windows/process_creation/proc_creation_win_susp_trolleyexpress_procdump.yml index bbaf07923..97247c0a6 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_trolleyexpress_procdump.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_trolleyexpress_procdump.yml @@ -7,6 +7,7 @@ references: - https://twitter.com/_xpn_/status/1491557187168178176 - https://www.youtube.com/watch?v=Ie831jF0bb0 date: 2022/02/10 +modified: 2022/05/13 logsource: category: process_creation product: windows @@ -25,7 +26,7 @@ detection: renamed: Image|endswith: '\TrolleyExpress.exe' filter_renamed: - OriginalFileName|contains: 'CtxInstall' + OriginalFileName: 'CtxInstall' filter_empty: OriginalFileName: null condition: selection or ( renamed and not 1 of filter* ) diff --git a/rules/windows/process_creation/proc_creation_win_susp_vaultcmd.yml b/rules/windows/process_creation/proc_creation_win_susp_vaultcmd.yml index 349e2eaef..03e4273c5 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_vaultcmd.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_vaultcmd.yml 
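Review bot: Dropping `|contains` turns `selection1` of the psloglist rule into an exact match on `'psloglist'`, which can only hit if the PE's OriginalFilename is literally `psloglist` with no extension; the Sysinternals binary is expected to carry `psloglist.exe` there (worth confirming against the file's version resource), in which case selection1 never fires and the rule silently falls back to the `Image|endswith` list in selection2, losing renamed-binary coverage. Use `OriginalFileName: 'psloglist.exe'`. The `'CtxInstall'` exact match in the trolleyexpress hunk further down has the same shape and deserves the same check against the real version resource.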
@@ -4,7 +4,7 @@ status: experimental description: List credentials currently stored in Windows Credential Manager via the native Windows utility vaultcmd.exe author: frack113 date: 2022/04/08 -modified: 2022/05/12 +modified: 2022/05/13 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.004/T1555.004.md#atomic-test-1---access-saved-credentials-via-vaultcmd logsource: @@ -13,7 +13,7 @@ logsource: detection: selection_img: - Image|endswith: '\VaultCmd.exe' - - OriginalFileName|contains: 'VAULTCMD.EXE' + - OriginalFileName: 'VAULTCMD.EXE' selection_cli: CommandLine|contains: '/listcreds:' condition: all of selection* diff --git a/rules/windows/process_creation/proc_creation_win_susp_webdav_client_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_webdav_client_execution.yml index 9b7049047..b72a7eb93 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_webdav_client_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_webdav_client_execution.yml @@ -7,14 +7,14 @@ references: - https://github.com/OTRF/detection-hackathon-apt29/issues/17 - https://threathunterplaybook.com/evals/apt29/detections/7.B.4_C10730EA-6345-4934-AA0F-B0EFCA0C4BA6.html date: 2020/05/02 -modified: 2022/05/15 +modified: 2022/05/13 logsource: category: process_creation product: windows detection: selection_img: - Image|endswith: '\rundll32.exe' - - OriginalFileName|contains: 'RUNDLL32.EXE' + - OriginalFileName: 'RUNDLL32.EXE' selection_cli: CommandLine|contains: 'C:\windows\system32\davclnt.dll,DavSetCookie' condition: all of selection* diff --git a/rules/windows/process_creation/proc_creation_win_susp_where_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_where_execution.yml index 26ea30cd8..0ef708805 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_where_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_where_execution.yml 
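Review bot: In the webdav hunk, `selection_img` is broadened to catch a renamed rundll32 via OriginalFileName, but `selection_cli` still requires the literal prefix `C:\windows\system32\davclnt.dll,DavSetCookie`, so `rundll32 davclnt.dll,DavSetCookie ...` (a bare DLL name is resolved through the loader's search path, which includes system32), a non-`C:` system drive, or an 8.3/relative path bypasses the rule while still satisfying the image check. Match on the DLL and export only: `CommandLine|contains: 'davclnt.dll,DavSetCookie'`. That keeps the detection's intent (the DavSetCookie export being reached through rundll32) without depending on how the path was spelled.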
@@ -9,14 +9,14 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1217/T1217.md author: frack113 date: 2021/12/13 -modified: 2022/05/12 +modified: 2022/05/13 logsource: category: process_creation product: windows detection: where_exe: - Image|endswith: '\where.exe' - - OriginalFileName|contains: 'where.exe' + - OriginalFileName: 'where.exe' where_opt: CommandLine|contains: - 'Bookmarks' diff --git a/rules/windows/process_creation/proc_creation_win_susp_whoami.yml b/rules/windows/process_creation/proc_creation_win_susp_whoami.yml index 0a08cfcc4..43a1d2f91 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_whoami.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_whoami.yml @@ -7,14 +7,14 @@ references: - https://brica.de/alerts/alert/public/1247926/agent-tesla-keylogger-delivered-inside-a-power-iso-daa-archive/ - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/ date: 2018/08/13 -modified: 2022/05/12 +modified: 2022/05/13 logsource: category: process_creation product: windows detection: selection: - Image|endswith: '\whoami.exe' - - OriginalFileName|contains: 'whoami.exe' + - OriginalFileName: 'whoami.exe' condition: selection falsepositives: - Admin activity diff --git a/rules/windows/process_creation/proc_creation_win_susp_whoami_anomaly.yml b/rules/windows/process_creation/proc_creation_win_susp_whoami_anomaly.yml index 17442a1e2..af58e32c9 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_whoami_anomaly.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_whoami_anomaly.yml @@ -7,7 +7,7 @@ references: - https://app.any.run/tasks/7eaba74e-c1ea-400f-9c17-5e30eee89906/ author: Florian Roth date: 2021/08/12 -modified: 2021/05/12 +modified: 2022/05/13 tags: - attack.discovery - attack.t1033 
@@ -18,7 +18,7 @@ logsource: detection: selection: - Image|endswith: '\whoami.exe' - - OriginalFileName|contains: 'whoami.exe' + - OriginalFileName: 'whoami.exe' filter1: ParentImage|endswith: - '\cmd.exe' diff --git a/rules/windows/process_creation/proc_creation_win_susp_winrm_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_winrm_execution.yml index f1d4aa9ff..7cba36749 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_winrm_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_winrm_execution.yml @@ -7,14 +7,14 @@ references: - https://twitter.com/bohops/status/994405551751815170 - https://redcanary.com/blog/lateral-movement-winrm-wmi/ date: 2020/10/07 -modified: 2022/05/12 +modified: 2022/05/13 logsource: category: process_creation product: windows detection: selection_img: - Image|endswith: '\cscript.exe' - - OriginalFileName|contains: 'cscript.exe' + - OriginalFileName: 'cscript.exe' selection_cli: CommandLine|contains|all: - 'winrm' diff --git a/rules/windows/process_creation/proc_creation_win_susp_wmi_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_wmi_execution.yml index 893e12dad..dad73ada0 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_wmi_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_wmi_execution.yml @@ -8,14 +8,14 @@ references: - https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1 - https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/ date: 2019/01/16 -modified: 2022/05/12 +modified: 2022/05/13 logsource: category: process_creation product: windows detection: selection: - Image|endswith: '\wmic.exe' - - OriginalFileName|contains: 'wmic.exe' + - OriginalFileName: 'wmic.exe' selection2: CommandLine|contains|all: - 'process' 
diff --git a/rules/windows/process_creation/proc_creation_win_susp_wsl_lolbin.yml b/rules/windows/process_creation/proc_creation_win_susp_wsl_lolbin.yml index d64fed803..d848aa6fe 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_wsl_lolbin.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_wsl_lolbin.yml @@ -6,14 +6,14 @@ author: 'oscd.community, Zach Stanford @svch0st' references: - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Wsl/ date: 2020/10/05 -modified: 2022/05/12 +modified: 2022/05/13 logsource: category: process_creation product: windows detection: selection_img: - Image|endswith: '\wsl.exe' - - OriginalFileName|contains: 'wsl.exe' + - OriginalFileName: 'wsl.exe' selection_cli: CommandLine|contains: - ' -e ' diff --git a/rules/windows/process_creation/proc_creation_win_susp_wuauclt.yml b/rules/windows/process_creation/proc_creation_win_susp_wuauclt.yml index 5acea5c92..8369716b3 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_wuauclt.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_wuauclt.yml @@ -6,7 +6,7 @@ references: - https://dtm.uk/wuauclt/ author: FPT.EagleEye Team date: 2020/10/17 -modified: 2022/05/12 +modified: 2022/05/13 tags: - attack.command_and_control - attack.execution @@ -23,7 +23,7 @@ detection: - '.dll' selection_img: - Image|endswith: '\wuauclt.exe' - - OriginalFileName|contains: 'wuauclt.exe' + - OriginalFileName: 'wuauclt.exe' filter: CommandLine|contains: - ' /ClassId ' diff --git a/rules/windows/process_creation/proc_creation_win_susp_wuauclt_cmdline.yml b/rules/windows/process_creation/proc_creation_win_susp_wuauclt_cmdline.yml index fe0f33894..421478a0f 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_wuauclt_cmdline.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_wuauclt_cmdline.yml 
@@ -6,14 +6,14 @@ author: Florian Roth references: - https://redcanary.com/blog/blackbyte-ransomware/ date: 2022/02/26 -modified: 2022/05/12 +modified: 2022/05/13 logsource: category: process_creation product: windows detection: selection_img: - Image|endswith: '\Wuauclt.exe' - - OriginalFileName|contains: 'Wuauclt.exe' + - OriginalFileName: 'Wuauclt.exe' selection_cli: CommandLine|endswith: '\Wuauclt.exe' condition: all of selection* diff --git a/rules/windows/process_creation/proc_creation_win_suspicious_ad_reco.yml b/rules/windows/process_creation/proc_creation_win_suspicious_ad_reco.yml index 72df4555e..89f588498 100644 --- a/rules/windows/process_creation/proc_creation_win_suspicious_ad_reco.yml +++ b/rules/windows/process_creation/proc_creation_win_suspicious_ad_reco.yml @@ -9,14 +9,14 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1069.001/T1069.001.md author: frack113 date: 2021/12/12 -modified: 2022/05/12 +modified: 2022/05/13 logsource: product: windows category: process_creation detection: selection_img: - Image|endswith: '\wmic.exe' - - OriginalFileName|contains: 'wmic.exe' + - OriginalFileName: 'wmic.exe' selection_cli: CommandLine|contains: ' group' condition: all of selection* diff --git a/rules/windows/process_creation/proc_creation_win_tool_nircmd.yml b/rules/windows/process_creation/proc_creation_win_tool_nircmd.yml index aba7d1347..414d3c9b9 100644 --- a/rules/windows/process_creation/proc_creation_win_tool_nircmd.yml +++ b/rules/windows/process_creation/proc_creation_win_tool_nircmd.yml 
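Review bot: In the wuauclt_cmdline hunk, `selection_cli` only matches a command line that ends in `\Wuauclt.exe`, so an argument-less invocation whose command line is quoted (`"C:\Windows\System32\wuauclt.exe"`) ends in `"` and is missed, even though a bare wuauclt run is exactly what the referenced BlackByte behaviour looks like. I would hedge with a list: `CommandLine|endswith:` followed by `- '\Wuauclt.exe'` and `- '\Wuauclt.exe"'`. Whether the quoted form shows up depends on how the parent launches the process, so treat this as hardening rather than a confirmed gap.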
@@ -4,7 +4,7 @@ status: experimental description: Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity author: 'Florian Roth, Nasreddine Bencherchali @nas_bench' date: 2022/01/24 -modified: 2022/05/06 +modified: 2022/05/13 references: - https://www.nirsoft.net/utils/nircmd.html - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/ @@ -18,7 +18,7 @@ logsource: product: windows detection: selection_org: - OriginalFileName|contains: 'NirCmd.exe' + OriginalFileName: 'NirCmd.exe' combo_exec: CommandLine|contains: - ' exec ' diff --git a/rules/windows/process_creation/proc_creation_win_uac_cmstp.yml b/rules/windows/process_creation/proc_creation_win_uac_cmstp.yml index 6598f6956..d7dbc5930 100644 --- a/rules/windows/process_creation/proc_creation_win_uac_cmstp.yml +++ b/rules/windows/process_creation/proc_creation_win_uac_cmstp.yml @@ -7,14 +7,14 @@ references: - https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1191/T1191.md date: 2019/10/24 -modified: 2022/05/12 +modified: 2022/05/13 logsource: category: process_creation product: windows detection: selection_img: - Image|endswith: '\cmstp.exe' - - OriginalFileName|contains: 'CMSTP.EXE' + - OriginalFileName: 'CMSTP.EXE' selection_cli: CommandLine|contains: - '/s' diff --git a/rules/windows/process_creation/proc_creation_win_uac_wsreset.yml b/rules/windows/process_creation/proc_creation_win_uac_wsreset.yml index 844b99aa1..9cec27839 100644 --- a/rules/windows/process_creation/proc_creation_win_uac_wsreset.yml +++ b/rules/windows/process_creation/proc_creation_win_uac_wsreset.yml 
@@ -6,7 +6,7 @@ author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd references: - https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html date: 2019/10/24 -modified: 2022/05/12 +modified: 2022/05/13 logsource: category: process_creation product: windows @@ -14,7 +14,8 @@ detection: selection: ParentImage|endswith: '\wsreset.exe' filter: - OriginalFileName|contains: 'CONHOST.EXE' + - Image|endswith: '\conhost.exe' + - OriginalFileName: 'CONHOST.EXE' condition: selection and not filter falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_using_sc_to_hide_sevices.yml b/rules/windows/process_creation/proc_creation_win_using_sc_to_hide_sevices.yml index 9c9b7c07d..838c0c83b 100644 --- a/rules/windows/process_creation/proc_creation_win_using_sc_to_hide_sevices.yml +++ b/rules/windows/process_creation/proc_creation_win_using_sc_to_hide_sevices.yml @@ -7,14 +7,14 @@ references: - https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/ date: 2021/12/20 -modified: 2022/05/12 +modified: 2022/05/13 logsource: category: process_creation product: windows detection: sc: - Image|endswith: '\sc.exe' - - OriginalFileName|contains: 'sc.exe' + - OriginalFileName: 'sc.exe' cli: CommandLine|contains|all: - 'sdset' diff --git a/rules/windows/process_creation/proc_creation_win_vmtoolsd_susp_child_process.yml b/rules/windows/process_creation/proc_creation_win_vmtoolsd_susp_child_process.yml index b9f86190a..5c430866b 100644 --- a/rules/windows/process_creation/proc_creation_win_vmtoolsd_susp_child_process.yml +++ b/rules/windows/process_creation/proc_creation_win_vmtoolsd_susp_child_process.yml 
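Review bot: The rebuilt `filter` in the wsreset rule is an OR of `Image|endswith: '\conhost.exe'` and `OriginalFileName: 'CONHOST.EXE'`, and both values are under the attacker's control: the payload launched through the wsreset.exe UAC bypass only has to be named `conhost.exe` in any writable directory, or carry `CONHOST.EXE` in its version resource, to be excluded from the alert. Since the legitimate child is the system console host, anchor the exclusion on its real location instead, e.g. `Image|endswith: '\Windows\System32\conhost.exe'`, and use OriginalFileName as corroboration at most rather than as a standalone exclusion. The same reasoning applies to every `not filter` clause in this series that keys on PE metadata alone.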
@@ -8,7 +8,7 @@ tags: - attack.t1059 author: behops, Bhabesh Raj date: 2021/10/08 -modified: 2022/05/12 +modified: 2022/05/13 references: - https://bohops.com/2021/10/08/analyzing-and-detecting-a-vmtools-persistence-technique/ fields: @@ -22,9 +22,17 @@ logsource: category: process_creation product: windows detection: - selection: + selection_parent: ParentImage|endswith: '\vmtoolsd.exe' - OriginalFileName|contains: + selection_img: + - Image|endswith: + - '\cmd.exe' + - '\powershell.exe' + - '\rundll32.exe' + - '\regsvr32.exe' + - '\wscript.exe' + - '\cscript.exe' + - OriginalFileName: - 'Cmd.Exe' - 'PowerShell.EXE' - 'RUNDLL32.EXE' @@ -37,4 +45,4 @@ detection: - '\VMware\VMware Tools\poweroff-vm-default.bat' - '\VMware\VMware Tools\resume-vm-default.bat' - '\VMware\VMware Tools\suspend-vm-default.bat' - condition: selection and not filter + condition: all of selection* and not filter diff --git a/rules/windows/process_creation/proc_creation_win_webshell_detection.yml b/rules/windows/process_creation/proc_creation_win_webshell_detection.yml index 78dafb326..c9a10ddbf 100644 --- a/rules/windows/process_creation/proc_creation_win_webshell_detection.yml +++ b/rules/windows/process_creation/proc_creation_win_webshell_detection.yml @@ -7,7 +7,7 @@ references: - https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html - https://unit42.paloaltonetworks.com/bumblebee-webshell-xhunt-campaign/ date: 2017/01/01 -modified: 2021/03/17 +modified: 2022/05/13 tags: - attack.persistence - attack.t1505.003 @@ -41,7 +41,7 @@ detection: - 'catalina.jar' - 'CATALINA_HOME' susp_net_utility: - OriginalFileName|contains: + OriginalFileName: - 'net.exe' - 'net1.exe' CommandLine|contains: 
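Review bot: The new `Image|endswith` list in the vmtoolsd rule's `selection_img` covers `\powershell.exe` but not `\pwsh.exe`, so a PowerShell 7 child of vmtoolsd.exe is caught only if its OriginalFileName happens to be in the second list, whose tail (and the `filter` block's field name) lies outside the hunk. If PowerShell is meant generically, add `- '\pwsh.exe'` to the Image list and the matching value to the OriginalFileName list (`pwsh.dll` on current builds, to be confirmed against the binary). Keeping the two lists in lockstep is worth a one-line comment, since the OR between them means a drift in one list is not noticed by the other.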
@@ -49,14 +49,14 @@ detection: - ' use ' - ' group ' susp_ping_utility: - OriginalFileName|contains: 'ping.exe' + OriginalFileName: 'ping.exe' CommandLine|contains: ' -n ' susp_change_dir: CommandLine|contains: - '&cd&echo' # china chopper web shell - 'cd /d ' # https://www.computerhope.com/cdhlp.htm susp_wmic_utility: - OriginalFileName|contains: 'wmic.exe' + OriginalFileName: 'wmic.exe' CommandLine|contains: ' /node:' susp_misc_discovery_binaries: - Image|endswith: @@ -71,7 +71,7 @@ detection: - '\vssadmin.exe' - '\wevtutil.exe' - '\tasklist.exe' - - OriginalFileName|contains: + - OriginalFileName: - 'whoami.exe' - 'sysinfo.exe' - 'quser.exe' diff --git a/rules/windows/process_creation/proc_creation_win_whoami_as_priv_user.yml b/rules/windows/process_creation/proc_creation_win_whoami_as_priv_user.yml index 6b01133ee..d37b66104 100644 --- a/rules/windows/process_creation/proc_creation_win_whoami_as_priv_user.yml +++ b/rules/windows/process_creation/proc_creation_win_whoami_as_priv_user.yml @@ -7,7 +7,7 @@ references: - https://nsudo.m2team.org/en-us/ author: Florian Roth date: 2022/01/28 -modified: 2022/05/12 +modified: 2022/05/13 tags: - attack.privilege_escalation - attack.discovery @@ -19,7 +19,7 @@ detection: selection_user: User|contains: 'TrustedInstaller' selection_img: - - OriginalFileName|contains: 'whoami.exe' + - OriginalFileName: 'whoami.exe' - Image|endswith: '\whoami.exe' condition: all of selection* falsepositives: diff --git a/rules/windows/process_creation/proc_creation_win_whoami_as_system.yml b/rules/windows/process_creation/proc_creation_win_whoami_as_system.yml index 20e27b851..03fff8773 100644 --- a/rules/windows/process_creation/proc_creation_win_whoami_as_system.yml +++ b/rules/windows/process_creation/proc_creation_win_whoami_as_system.yml 
@@ -6,7 +6,7 @@ references: - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment author: Teymur Kheirkhabarov, Florian Roth date: 2019/10/23 -modified: 2022/05/12 +modified: 2022/05/13 tags: - attack.privilege_escalation - attack.discovery @@ -20,7 +20,7 @@ detection: - 'AUTHORI' - 'AUTORI' selection_img: - - OriginalFileName|contains: 'whoami.exe' + - OriginalFileName: 'whoami.exe' - Image|endswith: '\whoami.exe' condition: all of selection* falsepositives: diff --git a/rules/windows/process_creation/proc_creation_win_whoami_priv.yml b/rules/windows/process_creation/proc_creation_win_whoami_priv.yml index fc6c57ad4..bd98b67a3 100644 --- a/rules/windows/process_creation/proc_creation_win_whoami_priv.yml +++ b/rules/windows/process_creation/proc_creation_win_whoami_priv.yml @@ -6,7 +6,7 @@ references: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/whoami author: Florian Roth date: 2021/05/05 -modified: 2022/05/12 +modified: 2022/05/13 tags: - attack.privilege_escalation - attack.discovery @@ -17,7 +17,7 @@ logsource: detection: selection_img: - Image|endswith: '\whoami.exe' - - OriginalFileName|contains: 'whoami.exe' + - OriginalFileName: 'whoami.exe' selection_cli: CommandLine|contains: '/priv' condition: all of selection* diff --git a/rules/windows/process_creation/proc_creation_win_win10_sched_task_0day.yml b/rules/windows/process_creation/proc_creation_win_win10_sched_task_0day.yml index da078ae57..c3e4f3737 100644 --- a/rules/windows/process_creation/proc_creation_win_win10_sched_task_0day.yml +++ b/rules/windows/process_creation/proc_creation_win_win10_sched_task_0day.yml 
@@ -6,14 +6,14 @@ author: Olaf Hartong references: - https://github.com/SandboxEscaper/polarbearrepo/tree/master/bearlpe date: 2019/05/22 -modified: 2022/05/12 +modified: 2022/05/13 logsource: category: process_creation product: windows detection: selection_img: Image|endswith: '\schtasks.exe' - OriginalFileName|contains: 'schtasks.exe' + OriginalFileName: 'schtasks.exe' selection_cli: CommandLine|contains|all: - '/change' diff --git a/rules/windows/process_creation/proc_creation_win_wmi_spwns_powershell.yml b/rules/windows/process_creation/proc_creation_win_wmi_spwns_powershell.yml index 2bf9ff4ec..750a2cc57 100644 --- a/rules/windows/process_creation/proc_creation_win_wmi_spwns_powershell.yml +++ b/rules/windows/process_creation/proc_creation_win_wmi_spwns_powershell.yml @@ -7,7 +7,7 @@ references: - https://any.run/report/68bc255f9b0db6a0d30a8f2dadfbee3256acfe12497bf93943bc1eab0735e45e/a2385d6f-34f7-403c-90d3-b1f9d2a90a5e author: Markus Neis / @Karneades date: 2019/04/03 -modified: 2022/05/12 +modified: 2022/05/13 logsource: category: process_creation product: windows @@ -16,7 +16,7 @@ detection: ParentImage|endswith: '\wmiprvse.exe' selection_img: - Image|endswith: '\powershell.exe' - - OriginalFileName|contains: 'PowerShell.EXE' + - OriginalFileName: 'PowerShell.EXE' filter_null1: CommandLine: 'null' filter_null2: # some backends need the null value in a separate expression diff --git a/rules/windows/process_creation/proc_creation_win_wmic_reconnaissance.yml b/rules/windows/process_creation/proc_creation_win_wmic_reconnaissance.yml index 21d5fa6cb..ac6ec4bbd 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_reconnaissance.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_reconnaissance.yml 
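Review bot: Unlike the sibling rules touched in this commit, `selection_img` in the schtasks rule is a single mapping, so `Image|endswith: '\schtasks.exe'` and `OriginalFileName: 'schtasks.exe'` are ANDed; a renamed schtasks.exe fails the Image test and a copy with a blanked version resource fails the OriginalFileName test, which defeats the point of carrying both fields. Make them alternatives as in the other rules: `selection_img:` / `- Image|endswith: '\schtasks.exe'` / `- OriginalFileName: 'schtasks.exe'`. The `selection_cli` list continues past the hunk.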
@@ -7,14 +7,14 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic date: 2022/01/01 -modified: 2022/05/12 +modified: 2022/05/13 logsource: category: process_creation product: windows detection: selection_img: - Image|endswith: \WMIC.exe - - OriginalFileName|contains: 'wmic.exe' + - OriginalFileName: 'wmic.exe' selection_cli: CommandLine|contains: - process diff --git a/rules/windows/process_creation/proc_creation_win_wmic_remote_command.yml b/rules/windows/process_creation/proc_creation_win_wmic_remote_command.yml index 2eb165ae5..395005d21 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_remote_command.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_remote_command.yml @@ -7,14 +7,14 @@ references: - https://securelist.com/moonbounce-the-dark-side-of-uefi-firmware/105468/ - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic date: 2022/03/13 -modified: 2022/05/12 +modified: 2022/05/13 logsource: category: process_creation product: windows detection: selection_img: - Image|endswith: \WMIC.exe - - OriginalFileName|contains: 'wmic.exe' + - OriginalFileName: 'wmic.exe' selection_cli: CommandLine|contains|all: - '/node:' diff --git a/rules/windows/process_creation/proc_creation_win_wmic_remote_service.yml b/rules/windows/process_creation/proc_creation_win_wmic_remote_service.yml index eadebed2e..c938237c9 100644 --- a/rules/windows/process_creation/proc_creation_win_wmic_remote_service.yml +++ b/rules/windows/process_creation/proc_creation_win_wmic_remote_service.yml 
@@ -7,18 +7,18 @@ description: |
 A common feedback message is that "No instance(s) Available" if the service queried is not running.
 A common error message is "Node - (provided IP or default) ERROR Description =The RPC server is unavailable" if the provided remote host is unreacheable
 author: frack113
-modified: 2022/05/12
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md
 - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wmic
 date: 2022/01/01
+modified: 2022/05/13
 logsource:
 category: process_creation
 product: windows
 detection:
 selection_img:
 - Image|endswith: \WMIC.exe
- - OriginalFileName|contains: 'wmic.exe'
+ - OriginalFileName: 'wmic.exe'
 selection_cli:
 CommandLine|contains|all:
 - '/node:'
diff --git a/rules/windows/process_creation/proc_creation_win_wmic_remove_application.yml b/rules/windows/process_creation/proc_creation_win_wmic_remove_application.yml
index 54028776c..260821395 100644
--- a/rules/windows/process_creation/proc_creation_win_wmic_remove_application.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmic_remove_application.yml
@@ -6,13 +6,14 @@ author: frac113
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md#atomic-test-10---application-uninstall-using-wmic
 date: 2022/01/28
+modified: 2022/05/13
 logsource:
 category: process_creation
 product: windows
 detection:
 selection_img:
 - Image|endswith: \WMIC.exe
- - OriginalFileName|contains: 'wmic.exe'
+ - OriginalFileName: 'wmic.exe'
 selection_cli:
 CommandLine|contains: call uninstall
 condition: all of selection*
From ae2ddae5aaacf6676c446714cb0dcd74b85e7aef Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 13 May 2022 15:28:22 +0100
Subject: [PATCH 48/54] Fix Requested Changes
---
 rules/windows/file_rename/file_rename_win_not_dll_to_dll.yml | 4 ++--
 .../proc_creation_win_creation_mavinject_dll.yml | 4 +++-
 .../proc_creation_win_susp_trolleyexpress_procdump.yml | 2 +-
 .../proc_creation_win_wmi_spwns_powershell.yml | 2 +-
 4 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/rules/windows/file_rename/file_rename_win_not_dll_to_dll.yml b/rules/windows/file_rename/file_rename_win_not_dll_to_dll.yml
index c2bf984cf..4b9ad9667 100644
--- a/rules/windows/file_rename/file_rename_win_not_dll_to_dll.yml
+++ b/rules/windows/file_rename/file_rename_win_not_dll_to_dll.yml
@@ -7,7 +7,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036/T1036.md#atomic-test-1---system-file-copied-to-unusual-location
 author: frack113
 date: 2022/02/19
-modified: 2022/05/13
+modified: 2022/03/13
 logsource:
 product: windows
 category: file_rename
@@ -18,7 +18,7 @@ detection:
 - OriginalFilename|endswith:
 - '.dll'
 - '.tmp' # VSCode FP
- - OriginalFilename:
+ - OriginalFilename|contains:
 - '.dll.'
 - '\SquirrelTemp\temp'
 filter_tiworker:
diff --git a/rules/windows/process_creation/proc_creation_win_creation_mavinject_dll.yml b/rules/windows/process_creation/proc_creation_win_creation_mavinject_dll.yml
index 81d2cea24..1996c9d8f 100644
--- a/rules/windows/process_creation/proc_creation_win_creation_mavinject_dll.yml
+++ b/rules/windows/process_creation/proc_creation_win_creation_mavinject_dll.yml
@@ -22,7 +22,9 @@ detection:
 CommandLine|contains|all:
 - ' /INJECTRUNNING'
 - '.dll' # space some time in the end
- OriginalFileName: mavinject
+ OriginalFileName:
+ - 'mavinject32.exe'
+ - 'mavinject64.exe'
 condition: selection
 fields:
 - ComputerName
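Review bot: `+modified: 2022/03/13` in the first file_rename hunk moves the rule's modified date backwards from `2022/05/13`, and the commit record above is dated 13 May 2022, so this looks like a typo for `2022/05/13`; the line should read `modified: 2022/05/13`. Since `date:` stays `2022/02/19`, ordering alone does not catch the mistake, which is why it is worth fixing before the series is merged.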
diff --git a/rules/windows/process_creation/proc_creation_win_susp_trolleyexpress_procdump.yml b/rules/windows/process_creation/proc_creation_win_susp_trolleyexpress_procdump.yml
index 97247c0a6..38bb8998a 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_trolleyexpress_procdump.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_trolleyexpress_procdump.yml
@@ -26,7 +26,7 @@ detection:
 renamed:
 Image|endswith: '\TrolleyExpress.exe'
 filter_renamed:
- OriginalFileName: 'CtxInstall'
+ OriginalFileName|contains: 'CtxInstall'
 filter_empty:
 OriginalFileName: null
 condition: selection or ( renamed and not 1 of filter* )
diff --git a/rules/windows/process_creation/proc_creation_win_wmi_spwns_powershell.yml b/rules/windows/process_creation/proc_creation_win_wmi_spwns_powershell.yml
index 750a2cc57..990ae8eb8 100644
--- a/rules/windows/process_creation/proc_creation_win_wmi_spwns_powershell.yml
+++ b/rules/windows/process_creation/proc_creation_win_wmi_spwns_powershell.yml
@@ -21,7 +21,7 @@ detection:
 CommandLine: 'null'
 filter_null2: # some backends need the null value in a separate expression
 CommandLine: null
- condition: all of selection* and not filter_null1 and not filter_null2
+ condition: all of selection* and not filter_null*
 falsepositives:
 - AppvClient
 - CCM
From 4241a5d13ee4ab18e36b7ee337e2bc22a12a75e2 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 13 May 2022 15:33:48 +0100
Subject: [PATCH 49/54] Update proc_creation_win_wmi_spwns_powershell.yml
---
 .../process_creation/proc_creation_win_wmi_spwns_powershell.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_wmi_spwns_powershell.yml b/rules/windows/process_creation/proc_creation_win_wmi_spwns_powershell.yml
index 990ae8eb8..750a2cc57 100644
--- a/rules/windows/process_creation/proc_creation_win_wmi_spwns_powershell.yml
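Review bot: Widening `filter_renamed` to `OriginalFileName|contains: 'CtxInstall'` broadens a negative filter: with `condition: selection or ( renamed and not 1 of filter* )`, any renamed-TrolleyExpress event whose OriginalFileName contains that substring anywhere in the value is now dropped. If the legitimate value is known to begin with it, `OriginalFileName|startswith: 'CtxInstall'` keeps the fix while excluding less, and if the full value is known an exact match on it is tighter still. A short comment on `filter_renamed` naming the value seen in benign installs would record why the filter exists, since OriginalFileName comes from the binary's own version resource. The `detection:` block begins outside the hunk.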
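Review bot: `not filter_null*` in the new condition uses a wildcard selector without a quantifier; in Sigma a wildcard identifier is written with `1 of` or `all of`, so the equivalent of the removed line is `condition: all of selection* and not 1 of filter_null*`. PATCH 49 below reverts to the explicit `not filter_null1 and not filter_null2`, which is also valid and expresses the same logic; either form is fine as long as the unquantified wildcard does not return.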
+++ b/rules/windows/process_creation/proc_creation_win_wmi_spwns_powershell.yml
@@ -21,7 +21,7 @@ detection:
 CommandLine: 'null'
 filter_null2: # some backends need the null value in a separate expression
 CommandLine: null
- condition: all of selection* and not filter_null*
+ condition: all of selection* and not filter_null1 and not filter_null2
 falsepositives:
 - AppvClient
 - CCM
From 196aa6d83d9f4a47ffc9941df64f62e77ae0a2c8 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sat, 14 May 2022 09:42:32 +0200
Subject: [PATCH 50/54] move deprecated rules
---
 .../windows}/image_load_susp_winword_wmidll_load.yml | 0
 .../windows/le_event_win_hktl_createminidump.yml | 0
 .../windows}/posh_ps_access_to_chrome_login_data.yml | 0
 .../windows}/registry_event_asep_reg_keys_modification.yml | 0
 .../windows}/win_lateral_movement_condrv.yml | 0
 5 files changed, 0 insertions(+), 0 deletions(-)
 rename {rules/windows/image_load => rules-deprecated/windows}/image_load_susp_winword_wmidll_load.yml (100%)
 rename rules/windows/file_event/file_event_win_hktl_createminidump.yml => rules-deprecated/windows/le_event_win_hktl_createminidump.yml (100%)
 rename {rules/windows/powershell/powershell_script => rules-deprecated/windows}/posh_ps_access_to_chrome_login_data.yml (100%)
 rename {rules/windows/registry/registry_event => rules-deprecated/windows}/registry_event_asep_reg_keys_modification.yml (100%)
 rename {rules/windows/builtin/security => rules-deprecated/windows}/win_lateral_movement_condrv.yml (100%)
diff --git a/rules/windows/image_load/image_load_susp_winword_wmidll_load.yml b/rules-deprecated/windows/image_load_susp_winword_wmidll_load.yml
similarity index 100%
rename from rules/windows/image_load/image_load_susp_winword_wmidll_load.yml
rename to rules-deprecated/windows/image_load_susp_winword_wmidll_load.yml
diff --git a/rules/windows/file_event/file_event_win_hktl_createminidump.yml b/rules-deprecated/windows/le_event_win_hktl_createminidump.yml
similarity index 100%
rename from rules/windows/file_event/file_event_win_hktl_createminidump.yml
rename to rules-deprecated/windows/le_event_win_hktl_createminidump.yml
diff --git a/rules/windows/powershell/powershell_script/posh_ps_access_to_chrome_login_data.yml b/rules-deprecated/windows/posh_ps_access_to_chrome_login_data.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/posh_ps_access_to_chrome_login_data.yml
rename to rules-deprecated/windows/posh_ps_access_to_chrome_login_data.yml
diff --git a/rules/windows/registry/registry_event/registry_event_asep_reg_keys_modification.yml b/rules-deprecated/windows/registry_event_asep_reg_keys_modification.yml
similarity index 100%
rename from rules/windows/registry/registry_event/registry_event_asep_reg_keys_modification.yml
rename to rules-deprecated/windows/registry_event_asep_reg_keys_modification.yml
diff --git a/rules/windows/builtin/security/win_lateral_movement_condrv.yml b/rules-deprecated/windows/win_lateral_movement_condrv.yml
similarity index 100%
rename from rules/windows/builtin/security/win_lateral_movement_condrv.yml
rename to rules-deprecated/windows/win_lateral_movement_condrv.yml
From 67e78ef455bccb94f2aa52c743b0f87415635e62 Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Sun, 15 May 2022 17:23:53 +0000
Subject: [PATCH 51/54] FP: ignoreing microsoft edge when performing NtOpenProcess
---
 .../proc_access_win_direct_syscall_ntopenprocess.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml
index 3ea0b69c5..8fb5a4413 100755
--- a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml
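Review bot: The rename target `rules-deprecated/windows/le_event_win_hktl_createminidump.yml` drops the leading `fi` of the source name `file_event_win_hktl_createminidump.yml`, which looks like an accidental truncation rather than an intended rename; the other four files moved in this commit keep their basenames. Restoring the target to `rules-deprecated/windows/file_event_win_hktl_createminidump.yml` keeps the deprecated rule findable by its original name.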
+++ b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml
@@ -6,7 +6,7 @@ references:
 status: experimental
 author: Christian Burkard, Tim Shelton
 date: 2021/07/28
-modified: 2022/05/09
+modified: 2022/05/15
 logsource:
 category: process_access
 product: windows
@@ -16,6 +16,9 @@ detection:
 falsepositive1:
 TargetImage: 'C:\Program Files\Cylance\Desktop\CylanceUI.exe'
 SourceImage: 'C:\Windows\Explorer.EXE'
+ falsepositive2:
+ TargetImage: 'C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe'
+ SourceImage: 'C:\Program Files (x86)\Microsoft\Temp\*\MicrosoftEdgeUpdate.exe'
 condition: selection and not 1 of falsepositive*
 falsepositives:
 - Unknown
From 71249ff7e030db37117b18485087324d57bb9c8f Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Sun, 15 May 2022 17:33:31 +0000
Subject: [PATCH 52/54] FP: ignoring microsoft vc redistributable when performing NtOpenProcess
---
 .../proc_access_win_direct_syscall_ntopenprocess.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml
index 8fb5a4413..bdb7d7a13 100755
--- a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml
+++ b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml
@@ -19,6 +19,9 @@ detection:
 falsepositive2:
 TargetImage: 'C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe'
 SourceImage: 'C:\Program Files (x86)\Microsoft\Temp\*\MicrosoftEdgeUpdate.exe'
+ falsepositive3:
+ TargetImage|endswith: 'vcredist_x64.exe'
+ SourceImage|endswith: 'vcredist_x64.exe'
 condition: selection and not 1 of falsepositive*
 falsepositives:
 - Unknown
From 10190154737631e1da6543a695c6a20994d743d1 Mon Sep 17 00:00:00 2001
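Review bot: The added `falsepositive2` exclusion keys on `SourceImage: 'C:\Program Files (x86)\Microsoft\Temp\*\MicrosoftEdgeUpdate.exe'`, a path with a wildcard directory, so any process started from a subdirectory of that Temp folder under that file name is excluded regardless of what it is; `falsepositive1` above uses fixed full paths, which is the narrower form, and a comment stating where the benign events were observed would help the next maintainer judge whether the wildcard is needed. The `falsepositives:` list still reads `- Unknown` after this hunk, and also after PATCH 52 and PATCH 53 add two more named cases; it should name the excluded sources, e.g. `- Microsoft Edge Update`, `- Visual C++ redistributable installer`, `- VMware setup` (the last taken from the `#vmware` comment in PATCH 53).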
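Review bot: `TargetImage|endswith: 'vcredist_x64.exe'` and `SourceImage|endswith: 'vcredist_x64.exe'` have no leading path separator, so any image whose name merely ends in that string also satisfies the exclusion; the form used elsewhere in these rules is `|endswith: '\vcredist_x64.exe'`. The same applies to `SourceImage|endswith: 'setup64.exe'` added in PATCH 53 below.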
From: Tim Shelton
Date: Sun, 15 May 2022 17:35:02 +0000
Subject: [PATCH 53/54] FP: ignoring vmware to systeminfo.exe
---
 .../proc_access_win_direct_syscall_ntopenprocess.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml
index bdb7d7a13..985cf2ce0 100755
--- a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml
+++ b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml
@@ -22,6 +22,9 @@ detection:
 falsepositive3:
 TargetImage|endswith: 'vcredist_x64.exe'
 SourceImage|endswith: 'vcredist_x64.exe'
+ falsepositive3:
+ TargetImage: 'C:\Windows\system32\systeminfo.exe'
+ SourceImage|endswith: 'setup64.exe' #vmware
 condition: selection and not 1 of falsepositive*
 falsepositives:
 - Unknown
From ca6b4d7862d29c4579a029e2a68c23b83c733e75 Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Sun, 15 May 2022 17:41:22 +0000
Subject: [PATCH 54/54] FP: fixing error in labels
---
 .../proc_access_win_direct_syscall_ntopenprocess.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml
index 985cf2ce0..41ad52be8 100755
--- a/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml
+++ b/rules/windows/process_access/proc_access_win_direct_syscall_ntopenprocess.yml
@@ -22,7 +22,7 @@ detection:
 falsepositive3:
 TargetImage|endswith: 'vcredist_x64.exe'
 SourceImage|endswith: 'vcredist_x64.exe'
- falsepositive3:
+ falsepositive4:
 TargetImage: 'C:\Windows\system32\systeminfo.exe'
 SourceImage|endswith: 'setup64.exe' #vmware
 condition: selection and not 1 of falsepositive*
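Review bot: `setup64.exe` is a generic installer file name, so the added `SourceImage|endswith: 'setup64.exe'` excludes every installer by that name that opens `systeminfo.exe`, not only the VMware one the comment names; pairing it with a `SourceImage|contains` on the vendor's expected install directory, if that path is known from the observed events, would limit the exclusion to the intended case. The trailing comment should be written `  # vmware` (two spaces before the hash, one after) to match the YAML comment style used elsewhere in these rules, e.g. `# VSCode FP` in PATCH 48.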