diff --git a/rules/linux/builtin/lnx_susp_dev_tcp.yml b/rules/linux/builtin/lnx_susp_dev_tcp.yml index 53880d80c..3c9b00d8c 100644 --- a/rules/linux/builtin/lnx_susp_dev_tcp.yml +++ b/rules/linux/builtin/lnx_susp_dev_tcp.yml @@ -8,20 +8,21 @@ references: - https://book.hacktricks.xyz/shells/shells/linux - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1046/T1046.md#atomic-test-1---port-scan date: 2021/12/10 +modified: 2022/01/10 logsource: product: linux detection: keyword: - - "cat /dev/tcp/" - - "echo >/dev/tcp/" - - "bash -i >& /dev/tcp/" - - "sh -i >& /dev/udp/" - - "0<&196;exec 196<>/dev/tcp/" - - "exec 5<>/dev/tcp/" - - "(sh)0>/dev/tcp/" - - "bash -c 'bash -i >& /dev/tcp/" - - "echo -e '#!/bin/bash\nbash -i >& /dev/tcp/" + - 'cat /dev/tcp/' + - 'echo >/dev/tcp/' + - 'bash -i >& /dev/tcp/' + - 'sh -i >& /dev/udp/' + - '0<&196;exec 196<>/dev/tcp/' + - 'exec 5<>/dev/tcp/' + - '(sh)0>/dev/tcp/' + - 'bash -c ''bash -i >& /dev/tcp/' + - 'echo -e ''#!/bin/bash\nbash -i >& /dev/tcp/' condition: 1 of keyword falsepositives: - Unknown diff --git a/rules/windows/file_event/win_fe_creation_scr_binary_file.yml b/rules/windows/file_event/win_fe_creation_scr_binary_file.yml index 30dbc30b7..bc300a247 100644 --- a/rules/windows/file_event/win_fe_creation_scr_binary_file.yml +++ b/rules/windows/file_event/win_fe_creation_scr_binary_file.yml @@ -8,7 +8,7 @@ author: frack113 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1546.002/T1546.002.md date: 2021/12/29 -modified: 2022/01/08 +modified: 2022/01/10 logsource: product: windows category: file_event 
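Review bot: The switch from double to single quotes on the last keyword changes what it matches, and that deserves a comment so a later quote-style sweep does not undo it: in a double-quoted YAML scalar `\n` is a newline escape, in a single-quoted one it stays the two literal characters, so `'echo -e ''#!/bin/bash\nbash -i >& /dev/tcp/'` now looks for a backslash-n as it would appear in a logged command line rather than for a real line break. Suggested comment above that entry: `# single-quoted on purpose: keeps the literal \n of the logged command; double quotes would turn it into a newline`. The `''` escapes in the two entries that embed a quote are the correct single-quote form, so those changes are cosmetic only.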
@@ -16,11 +16,13 @@ detection:
 selection:
 TargetFilename|endswith: '.scr'
 filter:
- Image|endswith: '\Kindle.exe'
+ Image|endswith:
+ - '\Kindle.exe'
+ - '\Bin\ccSvcHst.exe' # Symantec Endpoint Protection
 condition: selection and not 1 of filter*
 falsepositives:
 - Unkown
 level: medium
 tags:
 - attack.persistence
- - attack.t1546.002
\ No newline at end of file
+ - attack.t1546.002
diff --git a/rules/windows/file_event/win_fe_csharp_compile_artefact.yml b/rules/windows/file_event/win_fe_csharp_compile_artefact.yml
new file mode 100644
index 000000000..8fdf2aa2d
--- /dev/null
+++ b/rules/windows/file_event/win_fe_csharp_compile_artefact.yml
@@ -0,0 +1,24 @@
+title: Dynamic C Sharp Compile Artefact
+id: e4a74e34-ecde-4aab-b2fb-9112dd01aed0
+status: experimental
+description: |
+ When C# is compiled dynamically, a .cmdline file will be created as a part of the process.
+ Certain processes are not typically observed compiling C# code, but can do so without touching disk.
+ This can be used to unpack a payload for execution
+author: frack113
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1027.004/T1027.004.md#atomic-test-2---dynamic-c-compile
+date: 2022/01/09
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ TargetFilename|endswith: '.cmdline'
+ condition: selection
+falsepositives:
+ - Unknown
+level: low
+tags:
+ - attack.defense_evasion
+ - attack.t1027.004
diff --git a/rules/windows/powershell/powershell_script/posh_ps_suspicious_iofilestream.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_iofilestream.yml
new file mode 100644
index 000000000..c9913e6b7
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_suspicious_iofilestream.yml
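Review bot: The new filter entry `'\Bin\ccSvcHst.exe'` excludes any process whose image path merely ends with that suffix, so a file of that name under an arbitrary `...\Bin\` directory would also be excluded from the `.scr` creation alert; the pre-existing `'\Kindle.exe'` entry has the same weakness. If the product's install directory is stable, a separate filter map that combines `Image|endswith` with `Image|startswith` on that directory (the actual path is not visible here) narrows the exclusion to the intended binary. The inline `# Symantec Endpoint Protection` comment is useful; the Kindle entry would benefit from the same. `Unkown` in the context lines is a pre-existing typo under `falsepositives`.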
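Review bot: `TargetFilename|endswith: '.cmdline'` is the only condition, so every `.cmdline` file written by any process matches, including ordinary C# compilation on developer and build hosts; the description itself says the interesting case is an unusual parent process, but nothing in the selection encodes that. Consider adding the temporary directory the referenced test writes to via `TargetFilename|contains` (the path is not visible here), or a `filter` on known compiler and IDE images, and listing the expected benign sources under `falsepositives` instead of `Unknown`. Style: `description: |` keeps a trailing newline in the value; `description: |-` strips it.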
@@ -0,0 +1,26 @@
+title: Suspicious IO.FileStream
+id: 70ad982f-67c8-40e0-a955-b920c2fa05cb
+status: experimental
+description: Open a handle on the drive volume via the \\.\ DOS device path specifier and perform direct access read of the first few bytes of the volume.
+date: 2022/01/09
+modified: 2022/01/10
+author: frack113
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1006/T1006.md
+logsource:
+ product: windows
+ category: ps_script
+ definition: Script block logging must be enabled
+detection:
+ selection:
+ ScriptBlockText|contains|all:
+ - New-Object
+ - IO.FileStream
+ - '\\.\'
+ condition: selection
+falsepositives:
+ - Legitimate PowerShell scripts
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1070.003
diff --git a/rules/windows/process_creation/win_pc_iis_http_logging.yml b/rules/windows/process_creation/win_pc_iis_http_logging.yml
new file mode 100644
index 000000000..4843a988b
--- /dev/null
+++ b/rules/windows/process_creation/win_pc_iis_http_logging.yml
@@ -0,0 +1,26 @@
+title: Disable Windows IIS HTTP Logging
+id: e4ed6030-ffe5-4e6a-8a8a-ab3c1ab9d94e
+status: experimental
+description: Disables HTTP logging on a Windows IIS web server as seen by Threat Group 3390 (Bronze Union)
+author: frack113
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md#atomic-test-1---disable-windows-iis-http-logging
+date: 2022/01/09
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: \appcmd.exe
+ CommandLine|contains|all:
+ - set
+ - config
+ - '/section:httplogging'
+ - '/dontLog:true'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1562.002
diff --git a/rules/windows/process_creation/win_pc_netsh_fw_enable_group_rule.yml b/rules/windows/process_creation/win_pc_netsh_fw_enable_group_rule.yml
new file mode 100644
index 000000000..d42eda483
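Review bot: The tag `attack.t1070.003` does not match what the rule describes: the reference is the T1006 atomic (Direct Volume Access) and the description is about opening a volume through the `\\.\` device path, so the tag should be `attack.t1006` (the `attack.defense_evasion` tactic tag stays correct either way). Separately, `'\\.\'` goes through Sigma's own backslash handling before the backend sees it, and a doubled backslash can be collapsed to a single one by the converter; confirm the generated query still searches for the two-backslash prefix rather than `\.\`. `ScriptBlockText|contains|all` with `New-Object` and `IO.FileStream` is broad, and the `\\.\` term is what anchors the rule, which makes that escaping check the important one.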
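Review bot: `Image|endswith: \appcmd.exe` is a plain scalar while the sibling rule added in this commit quotes its image (`'\netsh.exe'`); YAML accepts the bare backslash here, but `Image|endswith: '\appcmd.exe'` keeps the rules consistent and avoids surprises if the value later gains a character YAML does treat specially. The `set` and `config` tokens add little next to `'/section:httplogging'` and `'/dontLog:true'`, which already pin the intent; harmless under `contains|all`, but a one-line comment that the match is order-insensitive would help the next reader. `level: high` with `falsepositives: Unknown` is reasonable for an action that turns off web server logging.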
--- /dev/null
+++ b/rules/windows/process_creation/win_pc_netsh_fw_enable_group_rule.yml
@@ -0,0 +1,30 @@
+title: Netsh Allow Group Policy on Microsoft Defender Firewall
+id: 347906f3-e207-4d18-ae5b-a9403d6bcdef
+status: experimental
+description: Adversaries may modify system firewalls in order to bypass controls limiting network usage
+author: frack113
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-3---allow-smb-and-rdp-on-microsoft-defender-firewall
+ - https://docs.microsoft.com/en-us/troubleshoot/windows-server/networking/netsh-advfirewall-firewall-control-firewall-behavior
+date: 2022/01/09
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\netsh.exe'
+ CommandLine|contains|all:
+ - advfirewall
+ - firewall
+ - set
+ - rule
+ - 'group='
+ - new
+ - 'enable=Yes'
+ condition: selection
+falsepositives:
+ - Legitimate administration
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1562.004
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_powershell_xor_commandline.yml b/rules/windows/process_creation/win_powershell_xor_commandline.yml
index c3eaa2599..55ed270f2 100644
--- a/rules/windows/process_creation/win_powershell_xor_commandline.yml
+++ b/rules/windows/process_creation/win_powershell_xor_commandline.yml
@@ -2,9 +2,9 @@ title: Suspicious XOR Encoded PowerShell Command Line
 id: bb780e0c-16cf-4383-8383-1e5471db6cf9
 status: test
 description: Detects suspicious powershell process which includes bxor command, alternative obfuscation method to b64 encoded commands.
-author: Sami Ruohonen, Harish Segar (improvement)
+author: Sami Ruohonen, Harish Segar (improvement), Tim Shelton
 date: 2018/09/05
-modified: 2021/11/27
+modified: 2022/01/10
 logsource:
 category: process_creation
 product: windows
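Review bot: The title `Netsh Allow Group Policy on Microsoft Defender Firewall` is misleading: the `'group='` token is the firewall rule-group argument of `netsh advfirewall firewall set rule`, which is unrelated to Group Policy, and the referenced atomic is about allowing the SMB and RDP rule groups. Something like `Netsh Enable Firewall Rule Group on Microsoft Defender Firewall`, with a description that names rule groups instead of the generic technique text, would say what the selection actually detects. The file also ends without a trailing newline (`\ No newline at end of file`), which this same commit fixes for another rule, and the bare `new` token could be quoted like `'group='` for a uniform list style.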
@@ -15,7 +15,10 @@ detection:
 filter:
 CommandLine|contains:
 - 'bxor'
- - 'join'
+ - '-join '
+ "-join'"
+ - '-join"'
+ - '-join`'
 - 'char'
 false_positives:
 ParentImage:
diff --git a/rules/windows/process_creation/win_susp_firewall_disable.yml b/rules/windows/process_creation/win_susp_firewall_disable.yml
index 59eefccbb..ebcb5e299 100644
--- a/rules/windows/process_creation/win_susp_firewall_disable.yml
+++ b/rules/windows/process_creation/win_susp_firewall_disable.yml
@@ -6,17 +6,28 @@ author: Fatih Sirin
 references:
 - https://www.winhelponline.com/blog/enable-and-disable-windows-firewall-quickly-using-command-line/
 - https://app.any.run/tasks/210244b9-0b6b-4a2c-83a3-04bd3175d017/
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-1---disable-microsoft-defender-firewall
 date: 2019/11/01
-modified: 2021/11/27
+modified: 2022/01/09
 logsource:
 category: process_creation
 product: windows
 detection:
- selection:
- CommandLine:
- - netsh firewall set opmode mode=disable
- - netsh advfirewall set * state off
- condition: selection
+ selection_1:
+ CommandLine|contains|all:
+ - netsh
+ - firewall
+ - set
+ - opmode
+ - 'mode=disable'
+ selection_2:
+ CommandLine|contains|all:
+ - netsh
+ - advfirewall
+ - set
+ - state
+ - 'off'
+ condition: 1 of selection_*
 falsepositives:
 - Legitimate administration
 level: medium
diff --git a/rules/windows/registry_event/sysmon_reg_office_security.yml b/rules/windows/registry_event/sysmon_reg_office_security.yml
index eac91c79d..1ef9cf359 100644
--- a/rules/windows/registry_event/sysmon_reg_office_security.yml
+++ b/rules/windows/registry_event/sysmon_reg_office_security.yml
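Review bot: The new `-join` spellings cover a following space, single quote, double quote and backtick but not a parenthesis, so a `-join(` form would not be in the list; if the aim is every spelling of the unary operator, add `- '-join('`. As rendered here the second new entry reads `"-join'"` without a leading `- `, which would not parse as a sequence item; if that is only a rendering artefact of this page it can be ignored, otherwise the dash is missing. The `condition` that decides whether this `filter` list is a requirement or an exclusion sits outside the hunk, so the effect of narrowing `join` to `-join` on the hit rate cannot be judged from here.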
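Review bot: Splitting the old phrase `netsh advfirewall set * state off` into independent `contains|all` tokens drops the ordering, and the three-letter `'off'` on its own matches anywhere in the command line (a path element containing `off`, for example), so `selection_2` is wider than the value it replaces. Keeping `state off` as one token (`- 'state off'`) restores the pairing while still tolerating the profile argument that the old `*` stood for; the same consideration applies, less severely, to `set` and `opmode` in `selection_1`. A short comment above each map noting that `selection_1` is the legacy `netsh firewall` syntax and `selection_2` the `advfirewall` one would make the split self-explanatory.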
@@ -4,10 +4,11 @@ status: experimental
 description: Detects registry changes to Office macro settings
 author: Trent Liffick (@tliffick)
 date: 2020/05/22
-modified: 2021/07/12
+modified: 2022/01/10
 references:
 - Internal Research
 - https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/
+ - https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/
 tags:
 - attack.defense_evasion
 - attack.t1112
diff --git a/rules/windows/registry_event/win_re_disable_defender_firewall.yml b/rules/windows/registry_event/win_re_disable_defender_firewall.yml
new file mode 100644
index 000000000..522cd2799
--- /dev/null
+++ b/rules/windows/registry_event/win_re_disable_defender_firewall.yml
@@ -0,0 +1,27 @@
+title: Disable Microsoft Defender Firewall via Registry
+id: 974515da-6cc5-4c95-ae65-f97f9150ec7f
+description: Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage
+author: frack113
+date: 2022/01/09
+status: experimental
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.004/T1562.004.md#atomic-test-2---disable-microsoft-defender-firewall-via-registry
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ EventType: SetValue
+ #HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall
+ #HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall
+ #HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall
+ TargetObject|startswith: HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\
+ TargetObject|endswith: \EnableFirewall
+ Details: DWORD (0x00000000)
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1562.004
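Review bot: The three `#HKEY_LOCAL_MACHINE...` comment lines above `TargetObject|startswith` have no space after the hash, which yamllint's `comments` rule flags; more usefully they should say why the selection is written with the `HKLM\System\...` prefix rather than `HKEY_LOCAL_MACHINE\SYSTEM\...` (Sysmon reports the short hive name, which is what `startswith` has to match), e.g. `# Sysmon reports these as HKLM\System\...; the three profile keys below are covered by startswith + endswith`. The two plain scalars `HKLM\System\...\FirewallPolicy\` and `\EnableFirewall` parse, but quoting them as the other rules in this commit do is safer for a value that ends in a backslash. `status: experimental` is placed after `date:` whereas the other new rules put it after `id:`; reorder for consistency. Legitimate administration through `netsh` or the firewall UI writes the same `DWORD (0x00000000)` value, so `falsepositives` could say `Legitimate administration`, as the netsh rules in this commit do, instead of `Unknown`.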