From e0b3f91b2a0d8d1a3f1feab364e6ff550d7dc86d Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Wed, 8 Aug 2018 23:15:13 +0200 Subject: [PATCH 01/32] Removed empty line --- tools/sigma/backends/elasticsearch.py | 1 - 1 file changed, 1 deletion(-) diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py index ce5a16374..fc058c588 100644 --- a/tools/sigma/backends/elasticsearch.py +++ b/tools/sigma/backends/elasticsearch.py @@ -153,7 +153,6 @@ class ElasticsearchDSLBackend(RulenameCommentMixin, BaseBackend): break raise NotImplementedError("%s : The '%s' aggregation operator is not yet implemented for this backend"%(self.title, funcname)) - def generateBefore(self, parsed): self.queries.append({'query': {'constant_score': {'filter': {}}}}) From 2715c44173d9f34fce9cd4c9905f7f3cae2f6b88 Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Mon, 13 Aug 2018 23:50:05 +0200 Subject: [PATCH 02/32] Converted first Sysmon rule to generic process_execution rule --- .../bitsadmin_download.yml} | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) rename rules/windows/{sysmon/sysmon_bitsadmin_download.yml => process_execution/bitsadmin_download.yml} (94%) diff --git a/rules/windows/sysmon/sysmon_bitsadmin_download.yml b/rules/windows/process_execution/bitsadmin_download.yml similarity index 94% rename from rules/windows/sysmon/sysmon_bitsadmin_download.yml rename to rules/windows/process_execution/bitsadmin_download.yml index 170b71d03..2e1f4e03d 100644 --- a/rules/windows/sysmon/sysmon_bitsadmin_download.yml +++ b/rules/windows/process_execution/bitsadmin_download.yml @@ -11,11 +11,10 @@ tags: - attack.s0190 author: Michael Haag logsource: + category: process_creation product: windows - service: sysmon detection: selection: - EventID: 1 Image: - '*\bitsadmin.exe' CommandLine: From 430972231f294706c3caa9ccb32638c66e04d7b0 Mon Sep 17 00:00:00 2001 
From: Thomas Patzke
Date: Mon, 13 Aug 2018 23:50:44 +0200
Subject: [PATCH 03/32] Added generic sysmon configuration with process_execution config
---
 tools/config/generic/sysmon.yml | 6 ++++++
 1 file changed, 6 insertions(+)
 create mode 100644 tools/config/generic/sysmon.yml
diff --git a/tools/config/generic/sysmon.yml b/tools/config/generic/sysmon.yml
new file mode 100644
index 000000000..ab9d94d8d
--- /dev/null
+++ b/tools/config/generic/sysmon.yml
@@ -0,0 +1,6 @@
+logsources:
+ process_creation:
+ category: process_creation
+ product: windows
+ conditions:
+ EventID: 1
From 320bb9f8c461f9404dfecb250c2dc94be4be4bfa Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Tue, 14 Aug 2018 21:28:17 +0200
Subject: [PATCH 04/32] Added rewrite config to generic sysmon configuration
---
 tools/config/generic/sysmon.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/tools/config/generic/sysmon.yml b/tools/config/generic/sysmon.yml
index ab9d94d8d..63eab0c16 100644
--- a/tools/config/generic/sysmon.yml
+++ b/tools/config/generic/sysmon.yml
@@ -4,3 +4,6 @@ logsources:
 product: windows
 conditions:
 EventID: 1
+ rewrite:
+ category: null
+ service: sysmon
From 1d7722c1cb35413b31ba0497619fba627b07221b Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Mon, 27 Aug 2018 00:17:27 +0200
Subject: [PATCH 05/32] Added configuration and field mapping chains
Missing: field name mapping of log source conditions.
---
 tools/sigma/backends/base.py | 2 +-
 tools/sigma/config/exceptions.py | 3 ++
 tools/sigma/config/mapping.py | 65 ++++++++++++++++++++++++++++++--
 tools/sigma/configuration.py | 46 +++++++++++++++++++++-
 tools/sigmac | 37 +++++++++---------
 5 files changed, 129 insertions(+), 24 deletions(-)
diff --git a/tools/sigma/backends/base.py b/tools/sigma/backends/base.py
index 4b6a5e1ef..563d5738c 100644
--- a/tools/sigma/backends/base.py
+++ b/tools/sigma/backends/base.py
@@ -51,7 +51,7 @@ class BaseBackend:
 passing the object instance to it.
 """
 super().__init__()
- if not isinstance(sigmaconfig, (sigma.configuration.SigmaConfiguration, None)):
+ if not isinstance(sigmaconfig, (sigma.configuration.SigmaConfiguration, sigma.configuration.SigmaConfigurationChain, None)):
 raise TypeError("SigmaConfiguration object expected")
 self.backend_options = backend_options
 self.sigmaconfig = sigmaconfig
diff --git a/tools/sigma/config/exceptions.py b/tools/sigma/config/exceptions.py
index 31d2b8124..cafdff8d7 100644
--- a/tools/sigma/config/exceptions.py
+++ b/tools/sigma/config/exceptions.py
@@ -17,5 +17,8 @@ class SigmaConfigParseError(Exception):
 pass
+class FieldMappingError(SigmaConfigParseError):
+ pass
+
 class SigmaRuleFilterParseException(Exception):
 pass
diff --git a/tools/sigma/config/mapping.py b/tools/sigma/config/mapping.py
index f5829cd35..a62123acb 100644
--- a/tools/sigma/config/mapping.py
+++ b/tools/sigma/config/mapping.py
@@ -15,7 +15,7 @@
 # along with this program. If not, see .
 from sigma.parser.condition import ConditionOR
-from .exceptions import SigmaConfigParseError
+from .exceptions import SigmaConfigParseError, FieldMappingError
 # Field Mapping Definitions
 def FieldMapping(source, target=None):
@@ -47,6 +47,9 @@ class SimpleFieldMapping:
 def resolve_fieldname(self, fieldname):
 return self.target
+ def __str__(self):
+ return "SimpleFieldMapping: {} -> {}".format(self.source, self.target)
+
 class MultiFieldMapping(SimpleFieldMapping):
 """1:n field mapping that expands target field names into OR conditions"""
 target_type = list
@@ -58,8 +61,8 @@ class MultiFieldMapping(SimpleFieldMapping):
 cond.add((fieldname, value))
 return cond
- def resolve_fieldname(self, fieldname):
- return self.target
+ def __str__(self):
+ return "MultiFieldMapping: {} -> [{}]".format(self.source, ", ".join(self.target))
 class ConditionalFieldMapping(SimpleFieldMapping):
 """
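Review bot: `None` inside the isinstance tuple on the changed line in base.py is not a type, so when `sigmaconfig` is None the check raises `TypeError: isinstance() arg 2 must be a type or tuple of types` instead of accepting the value or reaching the intended "SigmaConfiguration object expected" message; the commit extends the tuple with SigmaConfigurationChain but keeps that pre-existing problem. Guard the None case explicitly: `if sigmaconfig is not None and not isinstance(sigmaconfig, (sigma.configuration.SigmaConfiguration, sigma.configuration.SigmaConfigurationChain)):`. The enclosing `__init__` starts before the hunk.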
@@ -131,3 +134,59 @@ class ConditionalFieldMapping(SimpleFieldMapping): return self.default else: return fieldname + +# Field mappimg chain +class FieldMappingChain(object): + """ + Chain of field mappings and fields used for calculation of a field mapping in chained conversion + configurations. + + A chain of field mappings may fan out, as one field can map into multiple target fields and these + must be propagated further. As the whole chain must be completed at configuration parse time, a + restriction applies to conditional field mappings. These are calculated at rule conversion time and + therefore it is not possible to decide further mappings after conditionals and these may only appear + in the last configuration. This case could be solved by calculation of field mappings at rule conversion + time, but it is not considered as important enough to be implemented at this time. + """ + def __init__(self, fieldname): + """Initialize field mapping chain with given field name.""" + self.fieldmappings = set([fieldname]) + + def append(self, config): + """Propagate current possible field mappings with field mapping from configuration""" + if ConditionalFieldMapping in { type(fieldmapping) for fieldmapping in self.fieldmappings }: # conditional field mapping appeared before, abort. 
+ raise FieldMappingError("Conditional field mappings are only allowed in last configuration if configurations are chained.")
+ fieldmappings = set()
+ if type(self.fieldmappings) == str:
+ current_fieldmappings = {self.fieldmappings}
+ else:
+ current_fieldmappings = self.fieldmappings
+ for fieldname in current_fieldmappings:
+ mapping = config.get_fieldmapping(fieldname)
+ if type(mapping) in (SimpleFieldMapping, ConditionalFieldMapping):
+ fieldmappings.add(mapping.resolve_fieldname(fieldname))
+ elif type(mapping) == MultiFieldMapping:
+ fieldmappings.update(mapping.resolve_fieldname(fieldname))
+ else:
+ raise TypeError("Type '{}' is not supported by FieldMappingChain".format(str(type(mapping))))
+ if len(fieldmappings) == 1:
+ self.fieldmappings = fieldmappings.pop()
+ else:
+ self.fieldmappings = fieldmappings
+ def resolve(self, key, value, sigmaparser):
+ if type(self.fieldmappings) == str: # one field mapping
+ return (self.fieldmappings, value)
+ elif isinstance(self.fieldmappings, SimpleFieldMapping):
+ return self.fieldmappings.resolve(key, value, sigmaparser)
+ elif type(self.fieldmappings) == set:
+ cond = ConditionOR()
+ for mapping in self.fieldmappings:
+ if type(mapping) == str:
+ cond.add((mapping, value))
+ elif isinstance(mapping, SimpleFieldMapping):
+ cond.add(mapping.resolve(key, value, sigmaparser))
+ return cond
diff --git a/tools/sigma/configuration.py b/tools/sigma/configuration.py
index 47e0290bc..d9b221918 100644
--- a/tools/sigma/configuration.py
+++ b/tools/sigma/configuration.py
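Review bot: The guard at the top of `FieldMappingChain.append` tests `type(fieldmapping)` against ConditionalFieldMapping, but `self.fieldmappings` only ever holds the strings returned by `resolve_fieldname` (and after reduction a single str, whose iteration yields characters), so the check can never fire and a conditional mapping in a non-final configuration is silently collapsed to its default instead of raising the FieldMappingError the docstring promises. Record the type while the mapping object is still in hand, e.g. in the loop `if type(mapping) is ConditionalFieldMapping: self.conditional_seen = True` (initialised to False in `__init__`) and test that flag at the top of `append`. `resolve` likewise falls through to an implicit None when `self.fieldmappings` is none of str/SimpleFieldMapping/set; an explicit `raise TypeError(...)` on the pattern already used in `append` would make that state visible. The class starts in the preceding hunk line.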
@@ -17,7 +17,49 @@
 import yaml
 from sigma.parser.condition import ConditionAND, ConditionOR
 from sigma.config.exceptions import SigmaConfigParseError
-from sigma.config.mapping import FieldMapping
+from sigma.config.mapping import FieldMapping, FieldMappingChain
+
+# Chain of multiple configurations
+class SigmaConfigurationChain(list):
+ """
+ Chain of SigmaConfiguration objects. Behaves like a list of Sigma configuration objects on the one side and
+ like a SigmaConfiguration object on the other. All methods are applied to the given parameters in the order
+ of addition of the configurations.
+ """
+ def __init__(self, *args, **kwargs):
+ super().__init__(*args, **kwargs)
+ self.backend = None
+ self.defaultindex = None
+
+ def append(self, config):
+ super().append(config)
+ self.defaultindex = config.defaultindex
+
+ def get_fieldmapping(self, fieldname):
+ """Return mapped fieldname by iterative application of each config stored in configuration chain."""
+ if self:
+ fieldmappings = FieldMappingChain(fieldname)
+ for config in self:
+ fieldmappings.append(config)
+ return fieldmappings
+ else:
+ return FieldMapping(fieldname)
+
+ def get_logsource(self, category, product, service):
+ """Return merged log source definition of all logosurces that match criteria across all Sigma conversion configurations in chain."""
+ matching = [logsource for config in self for logsource in config.logsources if logsource.matches(category, product, service)]
+ return SigmaLogsourceConfiguration(matching, self.defaultindex)
+
+ def set_backend(self, backend):
+ """Set backend for all sigma conversion configurations in chain."""
+ self.backend = backend
+ for config in self:
+ config.set_backend(backend)
+
+ def get_indexfield(self):
+ """Get index condition if index field name is configured"""
+ if self.backend is not None:
+ return self.backend.index_field
 # Configuration
 class SigmaConfiguration:
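Review bot: Because SigmaConfigurationChain subclasses list, only the overridden `append` keeps `self.defaultindex` in step with the contained configs; `extend`, `insert`, `+=` and slice assignment all bypass it, so a chain mutated through those list methods silently keeps a stale `defaultindex`. Either override those mutators as well or state on the class docstring that configurations must be added via `append`, e.g. `"""... Configurations must be added with append(); other list mutators do not update the chain's derived state."""`. The `get_logsource` docstring also misspells "log sources" as `logosurces`.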
@@ -81,7 +123,7 @@ class SigmaConfiguration:
 def get_indexfield(self):
 """Get index condition if index field name is configured"""
- if self.backend != None:
+ if self.backend is not None:
 return self.backend.index_field
 class SigmaLogsourceConfiguration:
diff --git a/tools/sigmac b/tools/sigmac
index 2a3811624..12d1ae30c 100755
--- a/tools/sigmac
+++ b/tools/sigmac
@@ -24,7 +24,7 @@ import itertools
 import logging
 from sigma.parser.collection import SigmaCollectionParser
 from sigma.parser.exceptions import SigmaCollectionParseError, SigmaParseError
-from sigma.configuration import SigmaConfiguration
+from sigma.configuration import SigmaConfiguration, SigmaConfigurationChain
 from sigma.config.exceptions import SigmaConfigParseError, SigmaRuleFilterParseException
 from sigma.filter import SigmaRuleFilter
 import sigma.backends.discovery as backends
@@ -83,7 +83,7 @@ Multiple log source specifications are AND linked.
 """)
 argparser.add_argument("--target", "-t", default="es-qs", choices=backends.getBackendDict().keys(), help="Output target format")
 argparser.add_argument("--target-list", "-l", action="store_true", help="List available output target formats")
-argparser.add_argument("--config", "-c", help="Configuration with field name and index mapping for target environment")
+argparser.add_argument("--config", "-c", action="append", help="Configurations with field name and index mapping for target environment. Multiple configurations are merged into one. Last config is authorative in case of conflicts.")
 argparser.add_argument("--output", "-o", default=None, help="Output file or filename prefix if multiple files are generated")
 argparser.add_argument("--backend-option", "-O", action="append", help="Options and switches that are passed to the backend")
 argparser.add_argument("--defer-abort", "-d", action="store_true", help="Don't abort on parse or conversion errors, proceed with next rule. The exit code from the last error is returned")
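Review bot: The new `--config` help text in sigmac misspells "authoritative" as `authorative`; since this string is shown to every user of `-h`, change it to `help="Configurations with field name and index mapping for target environment. Multiple configurations are merged into one. Last config is authoritative in case of conflicts."`. It would also help users to say that the order of the `-c` options is the order in which the configurations are applied, since field mappings and log source rewrites are chained in that order.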
@@ -113,24 +113,25 @@ if cmdargs.filter:
 print("Parse error in Sigma rule filter expression: %s" % str(e), file=sys.stderr)
 sys.exit(9)
-sigmaconfig = SigmaConfiguration()
+sigmaconfigs = SigmaConfigurationChain()
 if cmdargs.config:
- try:
- conffile = cmdargs.config
- f = open(conffile)
- sigmaconfig = SigmaConfiguration(f)
- except OSError as e:
- print("Failed to open Sigma configuration file %s: %s" % (conffile, str(e)), file=sys.stderr)
- exit(5)
- except (yaml.parser.ParserError, yaml.scanner.ScannerError) as e:
- print("Sigma configuration file %s is no valid YAML: %s" % (conffile, str(e)), file=sys.stderr)
- exit(6)
- except SigmaConfigParseError as e:
- print("Sigma configuration parse error in %s: %s" % (conffile, str(e)), file=sys.stderr)
- exit(7)
+ for conffile in cmdargs.config:
+ try:
+ f = open(conffile)
+ sigmaconfig = SigmaConfiguration(f)
+ sigmaconfigs.append(sigmaconfig)
+ except OSError as e:
+ print("Failed to open Sigma configuration file %s: %s" % (conffile, str(e)), file=sys.stderr)
+ exit(5)
+ except (yaml.parser.ParserError, yaml.scanner.ScannerError) as e:
+ print("Sigma configuration file %s is no valid YAML: %s" % (conffile, str(e)), file=sys.stderr)
+ exit(6)
+ except SigmaConfigParseError as e:
+ print("Sigma configuration parse error in %s: %s" % (conffile, str(e)), file=sys.stderr)
+ exit(7)
 backend_options = BackendOptions(cmdargs.backend_option)
-backend = backends.getBackend(cmdargs.target)(sigmaconfig, backend_options)
+backend = backends.getBackend(cmdargs.target)(sigmaconfigs, backend_options)
 filename = cmdargs.output
 if filename:
 try:
@@ -146,7 +147,7 @@ for sigmafile in get_inputs(cmdargs.inputs, cmdargs.recurse):
 print_verbose("* Processing Sigma input %s" % (sigmafile))
 try:
 f = sigmafile.open(encoding='utf-8')
- parser = SigmaCollectionParser(f, sigmaconfig, rulefilter)
+ parser = SigmaCollectionParser(f, sigmaconfigs, rulefilter)
 results = parser.generate(backend)
 for result in results:
 print(result, file=out)
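Review bot: `f = open(conffile)` inside the new `for conffile in cmdargs.config:` loop is never closed, and now that one handle is opened per `-c` argument the descriptors stay open until interpreter exit; use the context manager: `with open(conffile) as f:` / `    sigmaconfig = SigmaConfiguration(f)` and keep `sigmaconfigs.append(sigmaconfig)` inside the `try`. The `exit(5)`/`exit(6)`/`exit(7)` calls use the site-module builtin while the branch a few lines above in the same script uses `sys.exit(9)`; `sys.exit` is the portable form and the new loop is a good moment to make them consistent.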
From 210f7ac044b7a64ded142111679a504f60412ab8 Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Wed, 12 Sep 2018 22:29:51 +0200
Subject: [PATCH 06/32] Rewrote logsource definition merging to set generator
---
 tools/sigma/configuration.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/tools/sigma/configuration.py b/tools/sigma/configuration.py
index d9b221918..f032da09b 100644
--- a/tools/sigma/configuration.py
+++ b/tools/sigma/configuration.py
@@ -142,9 +142,9 @@ class SigmaLogsourceConfiguration:
 self.conditions = None
 elif type(logsource) == list and all([isinstance(o, SigmaLogsourceConfiguration) for o in logsource]): # list of SigmaLogsourceConfigurations: merge according to mergemethod
 # Merge category, product and service
- categories = set([ ls.category for ls in logsource if ls.category != None ])
- products = set([ ls.product for ls in logsource if ls.product != None ])
- services = set([ ls.service for ls in logsource if ls.service != None])
+ categories = { ls.category for ls in logsource if ls.category is not None }
+ products = { ls.product for ls in logsource if ls.product is not None }
+ services = { ls.service for ls in logsource if ls.service is not None }
 if len(categories) > 1 or len(products) > 1 or len(services) > 1:
 raise ValueError("Merged SigmaLogsourceConfigurations must have disjunct categories (%s), products (%s) and services (%s)" % (str(categories), str(products), str(services)))
From d81946df399475ae321c031f870e722d3fa35d5e Mon Sep 17 00:00:00 2001
From: Thomas Patzke Date: Wed, 12 Sep 2018 23:31:51 +0200 Subject: [PATCH 07/32] Stacked configurations - Added log source rewriting - Removed log source merging condition type setting - Simplified SigmaLogsourceConfiguration constructor - Condition is generated in SigmaParser instead of SigmaLogsourceConfiguration Missing: - Merging of raw config dict for backends that rely on this (es-dsl) --- tools/config/generic/sysmon.yml | 2 +- tools/sigma/configuration.py | 96 +++++++++++++++------------------ tools/sigma/parser/condition.py | 27 ++++------ tools/sigma/parser/rule.py | 29 ++++++++++ 4 files changed, 81 insertions(+), 73 deletions(-) diff --git a/tools/config/generic/sysmon.yml b/tools/config/generic/sysmon.yml index 63eab0c16..327d5a036 100644 --- a/tools/config/generic/sysmon.yml +++ b/tools/config/generic/sysmon.yml @@ -5,5 +5,5 @@ logsources: conditions: EventID: 1 rewrite: - category: null + product: windows service: sysmon diff --git a/tools/sigma/configuration.py b/tools/sigma/configuration.py index f032da09b..1a38dc249 100644 --- a/tools/sigma/configuration.py +++ b/tools/sigma/configuration.py @@ -47,7 +47,13 @@ class SigmaConfigurationChain(list): def get_logsource(self, category, product, service): """Return merged log source definition of all logosurces that match criteria across all Sigma conversion configurations in chain.""" - matching = [logsource for config in self for logsource in config.logsources if logsource.matches(category, product, service)] + matching = list() + for config in self: + for logsource in config.logsources: + if logsource.matches(category, product, service): + matching.append(logsource) + if logsource.rewrite is not None: + category, product, service = logsource.rewrite return SigmaLogsourceConfiguration(matching, self.defaultindex) def set_backend(self, backend): 
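Review bot: In the new `get_logsource` loop in configuration.py a rewrite takes effect the moment the matching log source is visited, so log sources later in the same configuration are already matched against the rewritten triple rather than the rule's original one, and a later config sees the rewritten values even if the rewrite was meant only to feed the next configuration in the chain. If "rewrite applies to everything visited afterwards" is the intended contract, the docstring should say so, e.g. `"""Return merged log source definition of all log sources that match across the chain. A log source's rewrite replaces (category, product, service) for every log source visited after it, including later ones of the same configuration."""`; if the rewrite is meant to apply per configuration, collect it in the inner loop and assign `category, product, service` after the inner loop finishes. Either way, the current code raises the conflict ("more than one rewrite") only after the first rewrite has already changed what the second candidate was matched against, which is worth a comment.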
@@ -69,7 +75,6 @@ class SigmaConfiguration:
 self.config = None
 self.fieldmappings = dict()
 self.logsources = dict()
- self.logsourcemerging = SigmaLogsourceConfiguration.MM_AND
 self.defaultindex = None
 self.backend = None
 else:
@@ -85,11 +90,6 @@ class SigmaConfiguration:
 if type(self.fieldmappings) != dict:
 raise SigmaConfigParseError("Fieldmappings must be a map")
- try:
- self.logsourcemerging = config['logsourcemerging']
- except KeyError:
- self.logsourcemerging = SigmaLogsourceConfiguration.MM_AND
-
 try:
 self.defaultindex = config['defaultindex']
 except KeyError:
@@ -119,7 +119,7 @@ class SigmaConfiguration:
 if type(logsources) != dict:
 raise SigmaConfigParseError("Logsources must be a map")
 for name, logsource in logsources.items():
- self.logsources.append(SigmaLogsourceConfiguration(logsource, self.defaultindex, name, self.logsourcemerging, self.get_indexfield()))
+ self.logsources.append(SigmaLogsourceConfiguration(logsource, self.defaultindex))
 def get_indexfield(self):
 """Get index condition if index field name is configured"""
@@ -128,19 +128,27 @@ class SigmaConfiguration: class SigmaLogsourceConfiguration: """Contains the definition of a log source""" - MM_AND = "and" # Merge all conditions with AND - MM_OR = "or" # Merge all conditions with OR - - def __init__(self, logsource=None, defaultindex=None, name=None, mergemethod=MM_AND, indexfield=None): - self.name = name - self.indexfield = indexfield + def __init__(self, logsource=None, defaultindex=None): if logsource == None: # create empty object + self.merged = False self.category = None self.product = None self.service = None self.index = list() - self.conditions = None - elif type(logsource) == list and all([isinstance(o, SigmaLogsourceConfiguration) for o in logsource]): # list of SigmaLogsourceConfigurations: merge according to mergemethod + self.conditions = list() # a list of (field, value) tuples which are OR-linked in the generated query. May also contain such a list as list element (in case of merged log sources) + self.rewrite = None + elif type(logsource) == list and all([isinstance(o, SigmaLogsourceConfiguration) for o in logsource]): # list of SigmaLogsourceConfigurations: merge + self.merged = True + if any([ ls.merged for ls in logsource ]): # Ensure that already merged objects are not merged again + raise TypeError("Nested merging of SigmaLogsourceConfiguration objects is not allowed") + rewrites = { ls.rewrite for ls in logsource if ls.rewrite is not None } + if len(rewrites) > 1: + raise ValueError("More than one matching log source contains a rewrite part") + elif len(rewrites) == 1: + self.rewrite = rewrites.pop() + else: + self.rewrite = None + # Merge category, product and service categories = { ls.category for ls in logsource if ls.category is not None } products = { ls.product for ls in logsource if ls.product is not None } 
@@ -171,28 +179,9 @@ class SigmaLogsourceConfiguration:
 else:
 raise TypeError("Default index must be string or list of strings")
- # "merge" index field (should never differ between instances because it is provided by backend class
- indexfields = [ ls.indexfield for ls in logsource if ls.indexfield != None ]
- try:
- self.indexfield = indexfields[0]
- except IndexError:
- self.indexfield = None
-
- # Merge conditions according to mergemethod
- if mergemethod == self.MM_AND:
- cond = ConditionAND()
- elif mergemethod == self.MM_OR:
- cond = ConditionOR()
- else:
- raise ValueError("Mergemethod must be '%s' or '%s'" % (self.MM_AND, self.MM_OR))
- for ls in logsource:
- if ls.conditions != None:
- cond.add(ls.conditions)
- if len(cond) > 0:
- self.conditions = cond
- else:
- self.conditions = None
+ self.conditions = [ ls.conditions for ls in logsource if ls.conditions ] # build list of list of (field, value) tuples as base for merged query condition.
 elif type(logsource) == dict: # create logsource configuration from parsed yaml
+ self.merged = False
 if 'category' in logsource and type(logsource['category']) != str \
 or 'product' in logsource and type(logsource['product']) != str \
 or 'service' in logsource and type(logsource['service']) != str:
@@ -212,6 +201,18 @@ class SigmaLogsourceConfiguration:
 if self.category == None and self.product == None and self.service == None:
 raise SigmaConfigParseError("Log source definition will not match")
+ try:
+ if type(logsource['rewrite']) is not dict:
+ raise SigmaConfigParseError("Rewrite rule must be a map")
+ rewrite = logsource['rewrite']
+ if not { 'category', 'product', 'service' }.issuperset(rewrite.keys()):
+ raise SigmaConfigParseError("Rewrite rule in log source configuration may only contain the keys 'category', 'product' and 'service'")
+ if { str } != { type(value) for value in rewrite.values() }:
+ raise SigmaConfigParseError("Rewrite rule values may only contain strings")
+ self.rewrite = tuple((rewrite.get(key) for key in ( 'category', 'product', 'service' ))) # build a (category, product, service) tuple from dict
+ except KeyError:
+ self.rewrite = None
+
 if 'index' in logsource:
 index = logsource['index']
 if type(index) not in (str, list):
@@ -228,15 +229,12 @@ class SigmaLogsourceConfiguration:
 # from a merge, where default index handling applies.
 self.index = []
- if 'conditions' in logsource:
+ try:
 if type(logsource['conditions']) != dict:
 raise SigmaConfigParseError("Logsource conditions must be a map")
- cond = ConditionAND()
- for key, value in logsource['conditions'].items():
- cond.add((key, value))
- self.conditions = cond
- else:
- self.conditions = None
+ self.conditions = [ (field, value) for field, value in logsource['conditions'].items() ] # build list of (field, value) tuples as base for query condition
+ except KeyError:
+ self.conditions = list()
 else:
 raise SigmaConfigParseError("Logsource definitions must be maps")
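Review bot: The new rewrite parser's `{ str } != { type(value) for value in rewrite.values() }` check rejects an empty `rewrite: {}` with the message "Rewrite rule values may only contain strings", which is misleading for that input; an explicit `if not rewrite: raise SigmaConfigParseError("Rewrite rule must not be empty")` before the type check gives it a correct message. Because `rewrite.get(key)` yields None for omitted keys, a rewrite listing only `service` resets category and product to None; the sysmon.yml change in this same commit relies on that (the category is dropped), so the behaviour looks intended but is not stated anywhere — extend the trailing comment to `# build a (category, product, service) tuple from dict; keys omitted in the rewrite become None and thereby clear that component`. The `try`/`except KeyError` around the whole block also catches a KeyError raised from anywhere inside it, not only from the `logsource['rewrite']` lookup; `rewrite = logsource.get('rewrite')` followed by an `if rewrite is not None:` keeps the intent explicit.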
@@ -253,15 +251,5 @@ class SigmaLogsourceConfiguration:
 if searched:
 return True
- def get_indexcond(self):
- """Get index condition if index field name is configured"""
- cond = ConditionOR()
- if self.indexfield:
- for index in self.index:
- cond.add((self.indexfield, index))
- return cond
- else:
- return None
-
 def __str__(self):
 return "[ LogSourceConfiguration: %s %s %s indices: %s ]" % (self.category, self.product, self.service, str(self.index))
diff --git a/tools/sigma/parser/condition.py b/tools/sigma/parser/condition.py
index e2f687ba2..5a74c10bf 100644
--- a/tools/sigma/parser/condition.py
+++ b/tools/sigma/parser/condition.py
@@ -335,26 +335,17 @@ class SigmaConditionParser:
 if len(tokens) != 1: # parse tree must begin with exactly one node
 raise ValueError("Parse tree must have exactly one start node!")
- querycond = tokens[0]
+ query_cond = tokens[0]
- logsource = self.sigmaParser.get_logsource()
- if logsource != None:
- # 4. Integrate conditions from configuration
- if logsource.conditions != None:
- cond = ConditionAND()
- cond.add(logsource.conditions)
- cond.add(querycond)
- querycond = cond
+ # 4. Integrate conditions from logsources in configurations
+ ls_cond = self.sigmaParser.get_logsource_condition()
+ if ls_cond is not None:
+ cond = ConditionAND()
+ cond.add(ls_cond)
+ cond.add(query_cond)
+ query_cond = cond
- # 5. Integrate index conditions if applicable for backend
- indexcond = logsource.get_indexcond()
- if indexcond != None:
- cond = ConditionAND()
- cond.add(indexcond)
- cond.add(querycond)
- querycond = cond
-
- return querycond
+ return query_cond
 def __str__(self):
 return str(self.parsedSearch)
diff --git a/tools/sigma/parser/rule.py b/tools/sigma/parser/rule.py
index 6560aaa33..c37d6b8ed 100644
--- a/tools/sigma/parser/rule.py
+++ b/tools/sigma/parser/rule.py
@@ -135,3 +135,32 @@ class SigmaParser:
 service = None
 return self.config.get_logsource(category, product, service)
+
+ def get_logsource_condition(self):
+ logsource = self.get_logsource()
+ if logsource is None:
+ return None
+ else:
+ if logsource.merged: # Merged log source, flatten nested list of condition items
+ kvconds = [ item for sublscond in logsource.conditions for item in sublscond ]
+ else: # Simple log sources already contain flat list of conditions items
+ kvconds = logsource.conditions
+
+ # AND-link condition items
+ cond = ConditionAND()
+ for kvcond in kvconds:
+ cond.add(kvcond)
+
+ # Add index condition if supported by backend and defined in log source
+ index_field = self.config.get_indexfield()
+ indices = logsource.index
+ if len(indices) > 0 and index_field is not None: # at least one index given and backend knows about indices in conditions
+ if len(indices) > 1: # More than one index, search in all by ORing them together
+ index_cond = ConditionOR()
+ for index in indices:
+ index_cond.add((index_field, index))
+ cond.add(index_cond)
+ else: # only one index, add directly to AND from above
+ cond.add((index_field, indices[0]))
+
+ return cond
From ba76f04fe68dd53447127dd95783e2e4ae28b1e2 Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Thu, 13 Sep 2018 13:49:36 +0200
Subject: [PATCH 08/32] Merging of raw configurations in configuration chains
---
 tools/sigma/configuration.py | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/tools/sigma/configuration.py b/tools/sigma/configuration.py
index 1a38dc249..c03effc3f 100644
--- a/tools/sigma/configuration.py
+++ b/tools/sigma/configuration.py
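Review bot: `get_logsource_condition` returns the ConditionAND even when no condition item and no index was added to it, whereas the code this commit removes from SigmaLogsourceConfiguration only exposed a merged condition when `len(cond) > 0`, and condition.py now ANDs every non-None result into the rule query; unless every backend is known to render an empty ConditionAND harmlessly, add `if len(cond) == 0: return None` before the final `return cond` (the removed code already relied on `len()` of a ConditionAND). The `if logsource is None` branch also looks unreachable when `self.config` is a SigmaConfigurationChain, whose `get_logsource` in this commit always returns a SigmaLogsourceConfiguration, so a one-line docstring stating the return contract (`"""Return the AND-linked log source condition for the rule, or None if the configuration yields no log source."""`) would help the next reader decide whether that branch is still needed.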
@@ -30,10 +30,18 @@ class SigmaConfigurationChain(list):
 super().__init__(*args, **kwargs)
 self.backend = None
 self.defaultindex = None
+ self.config = dict()
+
+ for config in self:
+ self.postprocess_config(config)
 def append(self, config):
 super().append(config)
+ self.postprocess_config(config)
+
+ def postprocess_config(self, config):
 self.defaultindex = config.defaultindex
+ self.config.update(config.config)
 def get_fieldmapping(self, fieldname):
 """Return mapped fieldname by iterative application of each config stored in configuration chain."""
From 2330306db171e59931abdf9dcbc878c67c21e604 Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Thu, 13 Sep 2018 14:55:05 +0200
Subject: [PATCH 09/32] Added merged field mapping and log sources dict to config chain
---
 tools/sigma/configuration.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/tools/sigma/configuration.py b/tools/sigma/configuration.py
index c03effc3f..3cbcda783 100644
--- a/tools/sigma/configuration.py
+++ b/tools/sigma/configuration.py
@@ -31,6 +31,8 @@ class SigmaConfigurationChain(list):
 self.backend = None
 self.defaultindex = None
 self.config = dict()
+ self.fieldmappings = dict()
+ self.logsources = dict()
 for config in self:
 self.postprocess_config(config)
@@ -42,6 +44,8 @@ class SigmaConfigurationChain(list):
 def postprocess_config(self, config):
 self.defaultindex = config.defaultindex
 self.config.update(config.config)
+ self.fieldmappings.update(config.fieldmappings)
+ self.logsources.update(config.logsources)
 def get_fieldmapping(self, fieldname):
 """Return mapped fieldname by iterative application of each config stored in configuration chain."""
From 41a8ef2fd99561ceff024cea8bb3f5027c1f58cf Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Thu, 13 Sep 2018 14:56:31 +0200
Subject: [PATCH 10/32] Implemented resolve_fieldname in FieldMappingChain
---
 tools/sigma/config/mapping.py | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
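Review bot: `self.config.update(config.config)` in the new `postprocess_config` assumes every chained configuration carries a dict, but the branch of `SigmaConfiguration.__init__` visible in PATCH 07 sets `self.config = None` for a configuration created without a file, so appending such an object raises `TypeError: 'NoneType' object is not iterable` from `dict.update`. If empty configurations are legitimate chain members, guard it: `if config.config: self.config.update(config.config)`; otherwise a docstring on `postprocess_config` stating that only file-backed configurations may be chained (`"""Merge the derived state of a newly added, file-backed SigmaConfiguration into the chain."""`) documents the constraint. Note also that `update` makes the last config win for every top-level key, so a later config with its own `logsources` map replaces rather than merges the earlier one's raw dict — consistent with the "last config is authoritative" rule in sigmac's help text, but worth a comment on that line.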
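Review bot: `self.logsources.update(config.logsources)` in PATCH 09 treats the per-config `logsources` attribute as a mapping, but the parse path of SigmaConfiguration shown in PATCH 07 fills it with `self.logsources.append(SigmaLogsourceConfiguration(...))` and `get_logsource` iterates it as a sequence; if it is a list there, `dict.update` would be handed SigmaLogsourceConfiguration elements instead of key/value pairs and raise TypeError for any configuration with at least one log source. Only the empty-config branch is visible initialising it as `dict()`, so please confirm which container the parse path uses; if it is a list, initialise `self.logsources = list()` in the chain and use `self.logsources.extend(config.logsources)` in `postprocess_config`. `self.fieldmappings.update(config.fieldmappings)` has the same last-config-wins semantics as the raw config merge and deserves the same one-line comment.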
diff --git a/tools/sigma/config/mapping.py b/tools/sigma/config/mapping.py
index a62123acb..97d5a5caf 100644
--- a/tools/sigma/config/mapping.py
+++ b/tools/sigma/config/mapping.py
@@ -190,3 +190,21 @@ class FieldMappingChain(object):
 elif isinstance(mapping, SimpleFieldMapping):
 cond.add(mapping.resolve(key, value, sigmaparser))
 return cond
+
+ def resolve_fieldname(self, fieldname):
+ if type(self.fieldmappings) == str: # one field mapping
+ return self.fieldmappings
+ elif isinstance(self.fieldmappings, SimpleFieldMapping):
+ return self.fieldmappings.resolve_fieldname(fieldname)
+ elif type(self.fieldmappings) == set:
+ mappings = set()
+ for mapping in self.fieldmappings:
+ if type(mapping) == str:
+ mappings.add(mapping)
+ elif isinstance(mapping, SimpleFieldMapping):
+ resolved_mapping = mapping.resolve_fieldname(fieldname)
+ try:
+ mappings.update(iter(resolved_mapping))
+ except TypeError:
+ mappings.add(resolved_mapping)
+ return list(mappings)
From 2fbf17ff3446b2748b9601f87f6b3ba5791757f2 Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Thu, 13 Sep 2018 16:22:29 +0200
Subject: [PATCH 11/32] Addition and resolution of field mapping chains explicitely checks for list
---
 tools/sigma/config/mapping.py | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/tools/sigma/config/mapping.py b/tools/sigma/config/mapping.py
index 97d5a5caf..8e5150e1f 100644
--- a/tools/sigma/config/mapping.py
+++ b/tools/sigma/config/mapping.py
@@ -166,7 +166,11 @@ class FieldMappingChain(object): for fieldname in current_fieldmappings: mapping = config.get_fieldmapping(fieldname) if type(mapping) in (SimpleFieldMapping, ConditionalFieldMapping): - fieldmappings.add(mapping.resolve_fieldname(fieldname)) + resolved_mapping = mapping.resolve_fieldname(fieldname) + if type(resolved_mapping) is list: + fieldmappings.update(resolved_mapping) + else: + fieldmappings.add(resolved_mapping) elif type(mapping) == MultiFieldMapping: fieldmappings.update(mapping.resolve_fieldname(fieldname)) else: @@ -203,8 +207,8 @@ class FieldMappingChain(object): mappings.add(mapping) elif isinstance(mapping, SimpleFieldMapping): resolved_mapping = mapping.resolve_fieldname(fieldname) - try: - mappings.update(iter(resolved_mapping)) - except TypeError: + if type(resolved_mapping) is list: + mappings.update(resolved_mapping) + else: mappings.add(resolved_mapping) return list(mappings) From e28bc35cad07e74a8fc110816f19406568da39f2 Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Sat, 6 Oct 2018 23:38:35 +0200 Subject: [PATCH 12/32] Apply field mappings in generation of log source condition --- tools/sigma/parser/rule.py | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/tools/sigma/parser/rule.py b/tools/sigma/parser/rule.py index c37d6b8ed..80cd736c0 100644 --- a/tools/sigma/parser/rule.py +++ b/tools/sigma/parser/rule.py @@ -146,9 +146,15 @@ class SigmaParser: else: # Simple log sources already contain flat list of conditions items kvconds = logsource.conditions + # Apply field mappings + mapped_kvconds = list() + for field, value in kvconds: + mapping = self.config.get_fieldmapping(field) + mapped_kvconds.append(mapping.resolve(field, value, self)) + # AND-link condition items cond = ConditionAND() - for kvcond in kvconds: + for kvcond in mapped_kvconds: cond.add(kvcond) # Add index condition if supported by backend and defined in log source 
From a61b3d352a122c979d21fba0029e1f097dec3f8f Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Mon, 15 Oct 2018 15:24:18 +0200 Subject: [PATCH 13/32] Added test cases * Generic log sources * Splunk index queries --- Makefile | 3 +++ tools/config/splunk-windows-all-index.yml | 6 ++++++ 2 files changed, 9 insertions(+) create mode 100644 tools/config/splunk-windows-all-index.yml diff --git a/Makefile b/Makefile index b98424094..b89f01134 100644 --- a/Makefile +++ b/Makefile @@ -35,6 +35,7 @@ test-sigmac: ! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'level=xcritical' rules/ > /dev/null ! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t splunk -f 'foo=bar' rules/ > /dev/null coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -t es-qs rules/ > /dev/null + coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/generic/sysmon.yml -c tools/config/elk-windows.yml -t es-qs rules/ > /dev/null coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-linux.yml -t es-qs rules/ > /dev/null coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -t kibana rules/ > /dev/null coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-windows.yml -Ooutput=curl -t kibana rules/ > /dev/null 
@@ -44,6 +45,8 @@ test-sigmac: coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-linux.yml -t xpack-watcher rules/ > /dev/null coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/elk-defaultindex.yml -t xpack-watcher rules/ > /dev/null coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/splunk-windows-all.yml -t splunk rules/ > /dev/null + coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/splunk-windows-all-index.yml -t splunk rules/ > /dev/null + coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/generic/sysmon.yml -c tools/config/splunk-windows-all.yml -t splunk rules/ > /dev/null coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -c tools/config/logpoint-windows-all.yml -t logpoint rules/ > /dev/null coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t grep rules/ > /dev/null coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t fieldlist rules/ > /dev/null diff --git a/tools/config/splunk-windows-all-index.yml b/tools/config/splunk-windows-all-index.yml new file mode 100644 index 000000000..60f05f0ec --- /dev/null +++ b/tools/config/splunk-windows-all-index.yml @@ -0,0 +1,6 @@ +logsources: + windows: + product: windows + index: windows +fieldmappings: + EventID: EventCode From 265ce115a067a2b04f03ed83cb455cd3370ef4f2 Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Tue, 16 Oct 2018 13:57:51 +0200 Subject: [PATCH 14/32] Fixed conditional field mapping usage in mapping chains --- tools/sigma/config/mapping.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tools/sigma/config/mapping.py b/tools/sigma/config/mapping.py index 8e5150e1f..a054ffd3f 100644 --- a/tools/sigma/config/mapping.py +++ b/tools/sigma/config/mapping.py 
@@ -165,14 +165,14 @@ class FieldMappingChain(object): for fieldname in current_fieldmappings: mapping = config.get_fieldmapping(fieldname) - if type(mapping) in (SimpleFieldMapping, ConditionalFieldMapping): + if type(mapping) in (SimpleFieldMapping, MultiFieldMapping): resolved_mapping = mapping.resolve_fieldname(fieldname) if type(resolved_mapping) is list: fieldmappings.update(resolved_mapping) else: fieldmappings.add(resolved_mapping) - elif type(mapping) == MultiFieldMapping: - fieldmappings.update(mapping.resolve_fieldname(fieldname)) + elif type(mapping) == ConditionalFieldMapping: + fieldmappings.add(mapping) else: raise TypeError("Type '{}' is not supported by FieldMappingChain".format(str(type(mapping)))) From 44ff9d154e2fdaed6d72efbf223e368fa55c7aac Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Tue, 16 Oct 2018 14:53:12 +0200 Subject: [PATCH 15/32] Increased test coverage for mapping corner cases --- Makefile | 1 + tests/config-multiple_mapping-2.yml | 4 ++++ tests/config-multiple_mapping.yml | 4 ++++ tests/mapping-conditional-multi.yml | 14 ++++++++++++++ 4 files changed, 23 insertions(+) create mode 100644 tests/config-multiple_mapping-2.yml create mode 100644 tests/config-multiple_mapping.yml create mode 100644 tests/mapping-conditional-multi.yml diff --git a/Makefile b/Makefile index b89f01134..3ab434711 100644 --- a/Makefile +++ b/Makefile 
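Review bot: `fieldmappings.add(mapping)` now stores the `ConditionalFieldMapping` object itself next to plain field-name strings, deferring its resolution, but nothing in the hunk says why; the reason (the target of a conditional mapping can only be decided per rule, against the rule's own detection values) deserves a comment such as `# conditional mappings depend on rule content; keep the object and resolve it per rule in resolve()/resolve_fieldname()`. This relies on `ConditionalFieldMapping` being hashable by identity (assuming no custom `__eq__`/`__hash__`), so the same mapping reached twice through the chain is kept twice; harmless for correctness but worth stating. The enclosing loop and method start outside the hunk.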
@@ -52,6 +52,7 @@ test-sigmac: coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t fieldlist rules/ > /dev/null coverage run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -O output=plain -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs -o $(TMPOUT) tests/collection_repeat.yml > /dev/null + coverage run -a --include=$(COVSCOPE) tools/sigmac -t kibana -c tests/config-multiple_mapping.yml -c tests/config-multiple_mapping-2.yml tests/mapping-conditional-multi.yml > /dev/null ! coverage run -a --include=$(COVSCOPE) tools/sigmac -t xpack-watcher -O output=foobar -O es=es -O foobar rules/windows/builtin/win_susp_failed_logons_single_source.yml > /dev/null ! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs tests/not_existing.yml > /dev/null ! coverage run -a --include=$(COVSCOPE) tools/sigmac -t es-qs tests/invalid_yaml.yml > /dev/null diff --git a/tests/config-multiple_mapping-2.yml b/tests/config-multiple_mapping-2.yml new file mode 100644 index 000000000..5e5e7f457 --- /dev/null +++ b/tests/config-multiple_mapping-2.yml @@ -0,0 +1,4 @@ +fieldmappings: + event_id: + - event_id + - eventid diff --git a/tests/config-multiple_mapping.yml b/tests/config-multiple_mapping.yml new file mode 100644 index 000000000..544c890b9 --- /dev/null +++ b/tests/config-multiple_mapping.yml @@ -0,0 +1,4 @@ +fieldmappings: + EventID: + - event_id + - EventID diff --git a/tests/mapping-conditional-multi.yml b/tests/mapping-conditional-multi.yml new file mode 100644 index 000000000..1f7193f48 --- /dev/null +++ b/tests/mapping-conditional-multi.yml 
@@ -0,0 +1,14 @@ +title: Contional mapping with multiple targets +status: test +description: Logpoint configuration causes conditional mapping with multiple results +author: Thomas Patzke +logsource: + product: windows + service: security +detection: + selection: + EventID: 4624 + SubjectAccountName: Test + condition: selection +fields: + - EventID From 0e4842962ba70b2b4c6b96449c4c847d45b443a5 Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Sun, 4 Nov 2018 22:16:20 +0100 Subject: [PATCH 16/32] Added tests --- tests/config-multiple_mapping-2.yml | 3 +++ tests/config-multiple_mapping.yml | 1 + tests/mapping-conditional-multi.yml | 1 + tools/sigma/config/mapping.py | 6 ++++++ 4 files changed, 11 insertions(+) diff --git a/tests/config-multiple_mapping-2.yml b/tests/config-multiple_mapping-2.yml index 5e5e7f457..6f98fd4e5 100644 --- a/tests/config-multiple_mapping-2.yml +++ b/tests/config-multiple_mapping-2.yml @@ -2,3 +2,6 @@ fieldmappings: event_id: - event_id - eventid + subject_account_name: + EventID=1234: san + EventID=4624: subject_accountname diff --git a/tests/config-multiple_mapping.yml b/tests/config-multiple_mapping.yml index 544c890b9..c62944314 100644 --- a/tests/config-multiple_mapping.yml +++ b/tests/config-multiple_mapping.yml @@ -2,3 +2,4 @@ fieldmappings: EventID: - event_id - EventID + SubjectAccountName: subject_account_name diff --git a/tests/mapping-conditional-multi.yml b/tests/mapping-conditional-multi.yml index 1f7193f48..1eca3e107 100644 --- a/tests/mapping-conditional-multi.yml +++ b/tests/mapping-conditional-multi.yml @@ -12,3 +12,4 @@ detection: condition: selection fields: - EventID + - SubjectAccountName diff --git a/tools/sigma/config/mapping.py b/tools/sigma/config/mapping.py index a054ffd3f..bb5086694 100644 --- a/tools/sigma/config/mapping.py +++ b/tools/sigma/config/mapping.py 
@@ -135,6 +135,9 @@ class ConditionalFieldMapping(SimpleFieldMapping): else: return fieldname + def __str__(self): + return "ConditionalFieldMapping: {} -> {}".format(self.source, self.target) + # Field mappimg chain class FieldMappingChain(object): """ @@ -212,3 +215,6 @@ class FieldMappingChain(object): else: mappings.add(resolved_mapping) return list(mappings) + + def __str__(self): + return "FieldMappingChain: {}".format(self.fieldmappings) From 418f8d10a373ac7aec2dd5e6b75c8d75e41b6f61 Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Sun, 4 Nov 2018 23:00:04 +0100 Subject: [PATCH 17/32] Wrap conditions generated by mappings into sub-expression --- tools/sigma/config/mapping.py | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/tools/sigma/config/mapping.py b/tools/sigma/config/mapping.py index bb5086694..953e37ac5 100644 --- a/tools/sigma/config/mapping.py +++ b/tools/sigma/config/mapping.py @@ -14,7 +14,7 @@ # You should have received a copy of the GNU Lesser General Public License # along with this program. If not, see . -from sigma.parser.condition import ConditionOR +from sigma.parser.condition import ConditionOR, NodeSubexpression from .exceptions import SigmaConfigParseError, FieldMappingError # Field Mapping Definitions @@ -59,7 +59,7 @@ class MultiFieldMapping(SimpleFieldMapping): cond = ConditionOR() for fieldname in self.target: cond.add((fieldname, value)) - return cond + return NodeSubexpression(cond) def __str__(self): return "MultiFieldMapping: {} -> [{}]".format(self.source, ", ".join(self.target)) @@ -125,7 +125,7 @@ class ConditionalFieldMapping(SimpleFieldMapping): cond = ConditionOR() for target in targets: cond.add((target, value)) - return cond + return NodeSubexpression(cond) else: # no mapping found return (key, value) 
@@ -185,6 +185,7 @@ class FieldMappingChain(object): self.fieldmappings = fieldmappings def resolve(self, key, value, sigmaparser): + print(key, value) if type(self.fieldmappings) == str: # one field mapping return (self.fieldmappings, value) elif isinstance(self.fieldmappings, SimpleFieldMapping): @@ -196,7 +197,7 @@ class FieldMappingChain(object): cond.add((mapping, value)) elif isinstance(mapping, SimpleFieldMapping): cond.add(mapping.resolve(key, value, sigmaparser)) - return cond + return NodeSubexpression(cond) def resolve_fieldname(self, fieldname): if type(self.fieldmappings) == str: # one field mapping From 42ed8acec9184cbb9ba9893feae51c385a712ee8 Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Sun, 4 Nov 2018 23:28:40 +0100 Subject: [PATCH 18/32] Improved test coverage * Adding tests * Removal of coverage measurement for debugging code --- Makefile | 3 +++ tools/sigma/config/mapping.py | 8 ++++---- tools/sigma/configuration.py | 2 +- tools/sigma/parser/base.py | 2 +- tools/sigma/parser/condition.py | 8 ++++---- tools/sigmac | 4 ++-- 6 files changed, 15 insertions(+), 12 deletions(-) diff --git a/Makefile b/Makefile index 3ab434711..a0234c390 100644 --- a/Makefile +++ b/Makefile @@ -14,7 +14,10 @@ test-yaml: yamllint rules test-sigmac: + coverage run -a --include=$(COVSCOPE) tools/sigmac + coverage run -a --include=$(COVSCOPE) tools/sigmac -h coverage run -a --include=$(COVSCOPE) tools/sigmac -l + ! coverage run -a --include=$(COVSCOPE) tools/sigmac -rvd -t es-qs rules/ > /dev/null coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t es-qs rules/ > /dev/null coverage run -a --include=$(COVSCOPE) tools/sigmac -O rulecomment -rvdI -t es-qs rules/ > /dev/null coverage run -a --include=$(COVSCOPE) tools/sigmac -rvdI -t kibana rules/ > /dev/null diff --git a/tools/sigma/config/mapping.py b/tools/sigma/config/mapping.py index 953e37ac5..bf5342cc3 100644 --- a/tools/sigma/config/mapping.py +++ b/tools/sigma/config/mapping.py 
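Review bot: `print(key, value)` in `FieldMappingChain.resolve` is a leftover debug statement that writes every mapped key/value pair to stdout, the same stream sigmac uses for generated queries, so converted output becomes interleaved with debug lines and is no longer safely machine-consumable. Remove the line, or route it through the `logging` module at DEBUG level so it is off by default. `resolve`'s body continues past the hunk.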
@@ -47,7 +47,7 @@ class SimpleFieldMapping: def resolve_fieldname(self, fieldname): return self.target - def __str__(self): + def __str__(self): # pragma: no cover return "SimpleFieldMapping: {} -> {}".format(self.source, self.target) class MultiFieldMapping(SimpleFieldMapping): @@ -61,7 +61,7 @@ class MultiFieldMapping(SimpleFieldMapping): cond.add((fieldname, value)) return NodeSubexpression(cond) - def __str__(self): + def __str__(self): # pragma: no cover return "MultiFieldMapping: {} -> [{}]".format(self.source, ", ".join(self.target)) class ConditionalFieldMapping(SimpleFieldMapping): @@ -135,7 +135,7 @@ class ConditionalFieldMapping(SimpleFieldMapping): else: return fieldname - def __str__(self): + def __str__(self): # pragma: no cover return "ConditionalFieldMapping: {} -> {}".format(self.source, self.target) # Field mappimg chain @@ -217,5 +217,5 @@ class FieldMappingChain(object): mappings.add(resolved_mapping) return list(mappings) - def __str__(self): + def __str__(self): # pragma: no cover return "FieldMappingChain: {}".format(self.fieldmappings) diff --git a/tools/sigma/configuration.py b/tools/sigma/configuration.py index 3cbcda783..8e46c87c7 100644 --- a/tools/sigma/configuration.py +++ b/tools/sigma/configuration.py @@ -263,5 +263,5 @@ class SigmaLogsourceConfiguration: if searched: return True - def __str__(self): + def __str__(self): # pragma: no cover return "[ LogSourceConfiguration: %s %s %s indices: %s ]" % (self.category, self.product, self.service, str(self.index)) diff --git a/tools/sigma/parser/base.py b/tools/sigma/parser/base.py index 6f9f2f989..1ba304e43 100644 --- a/tools/sigma/parser/base.py +++ b/tools/sigma/parser/base.py 
@@ -63,5 +63,5 @@ class SimpleParser: if self.state not in self.finalstates: raise SigmaParseError("Unexpected end of aggregation expression, state=%d" % (self.state)) - def __str__(self): + def __str__(self): # pragma: no cover return "[ Parsed: %s ]" % (" ".join(["%s=%s" % (key, val) for key, val in self.__dict__.items() ])) diff --git a/tools/sigma/parser/condition.py b/tools/sigma/parser/condition.py index 5a74c10bf..3b4f40fa3 100644 --- a/tools/sigma/parser/condition.py +++ b/tools/sigma/parser/condition.py @@ -79,7 +79,7 @@ class SigmaConditionToken: else: raise NotImplementedError("SigmaConditionToken can only be compared against token type constants") - def __str__(self): + def __str__(self): # pragma: no cover return "[ Token: %s: '%s' ]" % (self.tokenstr[self.type], self.matched) class SigmaConditionTokenizer: @@ -126,7 +126,7 @@ class SigmaConditionTokenizer: else: raise TypeError("SigmaConditionTokenizer constructor expects string or list, got %s" % (type(condition))) - def __str__(self): + def __str__(self): # pragma: no cover return " ".join([str(token) for token in self.tokens]) def __iter__(self): @@ -160,7 +160,7 @@ class ParseTreeNode: def __init__(self): raise NotImplementedError("ConditionBase is no usable class") - def __str__(self): + def __str__(self): # pragma: no cover return "[ %s: %s ]" % (self.__doc__, str([str(item) for item in self.items])) class ConditionBase(ParseTreeNode): @@ -347,7 +347,7 @@ class SigmaConditionParser: return query_cond - def __str__(self): + def __str__(self): # pragma: no cover return str(self.parsedSearch) def __len__(self): diff --git a/tools/sigmac b/tools/sigmac index 12d1ae30c..de1e7af0e 100755 --- a/tools/sigmac +++ b/tools/sigmac @@ -40,7 +40,7 @@ def print_verbose(*args, **kwargs): if cmdargs.verbose or cmdargs.debug: print(*args, **kwargs) -def print_debug(*args, **kwargs): +def print_debug(*args, **kwargs): # pragme: no cover if cmdargs.debug: print(*args, **kwargs) 
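Review bot: the comment added to `print_debug` in tools/sigmac reads `# pragme: no cover`, which coverage.py's default exclusion pattern (`pragma: no cover`) does not match, so the function stays in the measured set while the `__str__` methods touched by the same commit are excluded as intended; change it to `def print_debug(*args, **kwargs): # pragma: no cover`.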
@@ -93,7 +93,7 @@ argparser.add_argument("--debug", "-D", action="store_true", help="Debugging out argparser.add_argument("inputs", nargs="*", help="Sigma input files") cmdargs = argparser.parse_args() -if cmdargs.debug: +if cmdargs.debug: # pragma: no cover logger.setLevel(logging.DEBUG) if cmdargs.target_list: From faeaf1dfef730c2b3576db6d79003397c0e4863c Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Sun, 6 Jan 2019 23:45:53 +0100 Subject: [PATCH 19/32] Added first version of generic sigma rules conversion tool --- tools/sigma2genericsigma | 162 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 162 insertions(+) create mode 100755 tools/sigma2genericsigma diff --git a/tools/sigma2genericsigma b/tools/sigma2genericsigma new file mode 100755 index 000000000..3f61a5165 --- /dev/null +++ b/tools/sigma2genericsigma 
@@ -0,0 +1,162 @@
+#!/usr/bin/env python3
+# Convert Sigma rules with EventIDs to rules with generic log sources
+
+from argparse import ArgumentParser
+import yaml
+import sys
+from pathlib import Path
+
+class Output(object):
+ """Output base class"""
+ def write(self, *args, **kwargs):
+ self.f.write(*args, **kwargs)
+
+class SingleFileOutput(Output):
+ """Output into single file with multiple YAML documents. Each input file is announced with comment."""
+ def __init__(self, name):
+ self.f = open(name, "x")
+ self.first = True
+
+ def new_output(self, name):
+ """Announce new Sigma rule as input and start new YAML document."""
+ self.current = name
+ if self.first:
+ self.first = False
+ else:
+ self.write("---")
+ self.f.write("# Sigma rule: {}\n".format(name))
+
+ def finish(self):
+ self.f.close()
+
+class StdoutOutput(SingleFileOutput):
+ """Like SingleFileOutput, just for standard output"""
+ def __init__(self):
+ self.f = sys.stdout
+ self.first = True
+
+ def finish(self):
+ pass
+
+class DirectoryOutput(Output):
+ """Output each input file into a corresponding output file in target directory."""
+ def __init__(self, dirpath):
+ self.d = dirpath
+ self.f = None
+
+ def new_output(self, path):
+ if self.f is not None:
+ self.f.close()
+ self.f = (self.d / path.name).open("x")
+
+def get_output(output):
+ if output is None:
+ return StdoutOutput()
+
+ path = Path(output)
+ if path.is_dir():
+ return DirectoryOutput(path)
+ else:
+ return SingleFileOutput(output)
+
+class SigmaYAMLDumper(yaml.Dumper):
+ """YAML dumper that increases amount of indentation, e.g. for lists"""
+ def increase_indent(self, flow=False, indentless=False):
+ return super().increase_indent(flow, False)
+
+class AmbiguousRuleException(TypeError):
+ def __init__(self, ids):
+ super().__init__()
+ self.ids = ids
+
+ def __str__(self):
+ return(", ".join([str(eid) for eid in self.ids]))
+
+def convert_to_generic(yamldoc):
+ changed = False
+ product = yamldoc["logsource"]["product"]
+ service = yamldoc["logsource"]["service"]
+ if product == "windows" and service in ("sysmon", "security"):
+ # Currently, only Windows Security or Sysmon are relevant
+ eventids = set()
+ for name, detection in yamldoc["detection"].items(): # first collect all event ids
+ if name == "condition" or type(detection) is not dict:
+ continue
+
+ try:
+ eventid = detection["EventID"]
+ try: # expect that EventID attribute contains a list
+ eventids.update(eventid)
+ except TypeError: # if this fails, it's a plain value
+ eventids.add(eventid)
+ except KeyError: # No EventID attribute
+ pass
+
+ if 1 in eventids and service == "sysmon" or \
+ 4688 in eventids and service == "security":
+ if len(eventids) == 1: # only convert if one EventID collected, else it gets complicated
+ # remove all EventID definitions
+ for name, detection in yamldoc["detection"].items():
+ if name == "condition" or type(detection) is not dict:
+ continue
+ try:
+ del detection["EventID"]
+ except KeyError:
+ pass
+
+ # rewrite log source
+ yamldoc["logsource"] = {
+ "category": "process_creation",
+ "product": "windows"
+ }
+
+ changed = True
+ else: # raise an exception to print a warning message to make user aware about the issue
+ raise AmbiguousRuleException(eventids)
+ return changed
+
+def get_input_paths(args):
+ if args.recursive:
+ return [ p for pathname in args.sigma for p in Path(pathname).glob("**/*") if p.is_file() ]
+ else:
+ return [ Path(sigma) for sigma in args.sigma ]
+
+argparser = ArgumentParser(description="Convert between classical and generic log source Sigma rules.")
+argparser.add_argument("--output", "-o", help="Output file or directory. Default: standard output.")
+argparser.add_argument("--recursive", "-r", action="store_true", help="Recursive traversal of directory")
+argparser.add_argument("--verbose", "-v", action="store_true", help="Verbose output")
+argparser.add_argument("sigma", nargs="+", help="Sigma rule file(s) that should be converted")
+args = argparser.parse_args()
+
+input_paths = get_input_paths(args)
+output = get_output(args.output)
+
+for path in input_paths:
+ try:
+ f = path.open("r")
+ except OSError as e:
+ print("Error while reading Sigma rule {}: {}".format(path, str(e)), file=sys.stderr)
+ sys.exit(1)
+
+ try:
+ yamldocs = yaml.safe_load_all(f)
+ except yaml.YAMLError as e:
+ print("YAML parse error while parsing Sigma rule {}: {}".format(path, str(e)), file=sys.stderr)
+ sys.exit(2)
+
+ yamldoc_num = 0
+ for yamldoc in yamldocs:
+ yamldoc_num += 1
+ try:
+ if convert_to_generic(yamldoc):
+ # only write output if changed
+ try:
+ output.new_output(path)
+ output.write(yaml.dump(yamldoc, Dumper=SigmaYAMLDumper, width=160, default_flow_style=False))
+ except OSError as e:
+ print("Error while writing result: {}".format(str(e)), file=sys.stderr)
+ sys.exit(2)
+ except AmbiguousRuleException as e:
+ print("Rule {} in file {} contains multiple EventIDs: {}".format(yamldoc_num, str(path), str(e)), file=sys.stderr)
+
+output.finish()
From bf9a567afd681c02130736fbe39b8df01a06a58f Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Sun, 6 Jan 2019 23:57:09 +0100
Subject: [PATCH 20/32] Fixed issues in converter
---
 tools/sigma2genericsigma | 21 +++++++++++++++------
 1 file changed, 15 insertions(+), 6 deletions(-)
diff --git a/tools/sigma2genericsigma b/tools/sigma2genericsigma
index 3f61a5165..25ff78cea 100755
--- a/tools/sigma2genericsigma
+++ b/tools/sigma2genericsigma
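Review bot: in the main loop `f = path.open("r")` is never closed, so one file handle leaks per input, and `yaml.safe_load_all(f)` is lazy, so the `except yaml.YAMLError` around it can never fire — a malformed rule raises later, unhandled, from the `for yamldoc in yamldocs` loop. Both are fixed by `with path.open("r", encoding="utf-8") as f:` followed by `yamldocs = list(yaml.safe_load_all(f))` inside the same `try`; using the safe loader for rule input is the right choice and should be kept. `DirectoryOutput.new_output` keys output files on `path.name` only, so with `--recursive` two rule files of the same name in different directories collide and the second `open("x")` raises `FileExistsError`, which surfaces as "Error while writing result" and aborts the run; a comment or a check against the input's relative path would make that explicit. `get_input_paths` also globs `**/*` rather than `**/*.yml`, so non-rule files in the tree are fed to the YAML parser.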
@@ -23,7 +23,7 @@ class SingleFileOutput(Output): if self.first: self.first = False else: - self.write("---") + self.f.write("---\n") self.f.write("# Sigma rule: {}\n".format(name)) def finish(self): @@ -43,11 +43,16 @@ class DirectoryOutput(Output): def __init__(self, dirpath): self.d = dirpath self.f = None + self.path = None def new_output(self, path): - if self.f is not None: - self.f.close() - self.f = (self.d / path.name).open("x") + if self.path is None or self.path != path: + if self.f is not None: + self.f.close() + self.f = (self.d / path.name).open("x") + self.path = path + else: # same file, just ourpur separator + self.f.write("---\n") def get_output(output): if output is None: @@ -74,8 +79,12 @@ class AmbiguousRuleException(TypeError): def convert_to_generic(yamldoc): changed = False - product = yamldoc["logsource"]["product"] - service = yamldoc["logsource"]["service"] + try: + product = yamldoc["logsource"]["product"] + service = yamldoc["logsource"]["service"] + except KeyError: + return False + if product == "windows" and service in ("sysmon", "security"): # Currently, only Windows Security or Sysmon are relevant eventids = set() From 9f56b9e99b18256344e6f0289e3d063c0671d262 Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Tue, 8 Jan 2019 23:27:16 +0100 Subject: [PATCH 21/32] Output all YAML documents if one changed Some Sigma rule collections contain YAML documents that reduce to almost nothing because they only contain EventID definitions. Previous behavior would filter the part with the remaining selection. --- tools/sigma2genericsigma | 40 ++++++++++++++++++++++------------------ 1 file changed, 22 insertions(+), 18 deletions(-) diff --git a/tools/sigma2genericsigma b/tools/sigma2genericsigma index 25ff78cea..5e0e4a039 100755 --- a/tools/sigma2genericsigma +++ b/tools/sigma2genericsigma 
@@ -15,16 +15,18 @@ class SingleFileOutput(Output): """Output into single file with multiple YAML documents. Each input file is announced with comment.""" def __init__(self, name): self.f = open(name, "x") + self.path = None self.first = True - def new_output(self, name): + def new_output(self, path): """Announce new Sigma rule as input and start new YAML document.""" - self.current = name - if self.first: - self.first = False - else: - self.f.write("---\n") - self.f.write("# Sigma rule: {}\n".format(name)) + if self.path is None or self.path != path: + if self.first: + self.first = False + else: + self.f.write("---\n") + self.path = path + self.f.write("# Sigma rule: {}\n".format(path)) def finish(self): self.f.close() @@ -33,6 +35,7 @@ class StdoutOutput(SingleFileOutput): """Like SingleFileOutput, just for standard output""" def __init__(self): self.f = sys.stdout + self.path = None self.first = True def finish(self): @@ -51,8 +54,6 @@ class DirectoryOutput(Output): self.f.close() self.f = (self.d / path.name).open("x") self.path = path - else: # same file, just ourpur separator - self.f.write("---\n") def get_output(output): if output is None: 
@@ -148,24 +149,27 @@ for path in input_paths: sys.exit(1) try: - yamldocs = yaml.safe_load_all(f) + yamldocs = list(yaml.safe_load_all(f)) except yaml.YAMLError as e: print("YAML parse error while parsing Sigma rule {}: {}".format(path, str(e)), file=sys.stderr) sys.exit(2) yamldoc_num = 0 + changed = False for yamldoc in yamldocs: yamldoc_num += 1 + output.new_output(path) try: - if convert_to_generic(yamldoc): - # only write output if changed - try: - output.new_output(path) - output.write(yaml.dump(yamldoc, Dumper=SigmaYAMLDumper, width=160, default_flow_style=False)) - except OSError as e: - print("Error while writing result: {}".format(str(e)), file=sys.stderr) - sys.exit(2) + changed |= convert_to_generic(yamldoc) except AmbiguousRuleException as e: + changed = False print("Rule {} in file {} contains multiple EventIDs: {}".format(yamldoc_num, str(path), str(e)), file=sys.stderr) + if changed: # only write output if changed + try: + output.write(yaml.dump_all(yamldocs, Dumper=SigmaYAMLDumper, width=160, default_flow_style=False)) + except OSError as e: + print("Error while writing result: {}".format(str(e)), file=sys.stderr) + sys.exit(2) + output.finish() From e5858581281b974827babdf6af9cb823654b4f57 Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Sun, 13 Jan 2019 23:04:55 +0100 Subject: [PATCH 22/32] Optimization in conversion to generic rules * only create necessary output files in directory output mode * delete empty detections and empty detection sections * Merge equal documents * Merge reduced collections into one YAML document in common case --- tools/sigma2genericsigma | 45 +++++++++++++++++++++++++++++++++++++++- 1 file changed, 44 insertions(+), 1 deletion(-) diff --git a/tools/sigma2genericsigma b/tools/sigma2genericsigma index 5e0e4a039..144e16c11 100755 --- a/tools/sigma2genericsigma +++ b/tools/sigma2genericsigma 
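Review bot: after an `AmbiguousRuleException` the handler sets `changed = False` but the loop keeps going, so a later convertible document in the same file sets `changed` back to `True` and the whole file is written with the ambiguous document left unconverted next to rewritten ones, with only a warning on stderr. If one ambiguous document should veto the file, track it separately — `ambiguous = True` in the handler and `if changed and not ambiguous:` before the write — or `break` out of the loop. Worth a comment too: `convert_to_generic` rewrites `yamldoc` in place (earlier hunk of this file), so documents processed before the exception are already altered; they are simply not written here. The enclosing `for path in input_paths` loop starts outside the hunk.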
@@ -47,13 +47,23 @@ class DirectoryOutput(Output): self.d = dirpath self.f = None self.path = None + self.opened = None def new_output(self, path): if self.path is None or self.path != path: if self.f is not None: self.f.close() - self.f = (self.d / path.name).open("x") self.path = path + self.opened = False # opening file is deferred to first write + + def write(self, *args, **kwargs): + if not self.opened: + self.f = (self.d / self.path.name).open("x") + super().write(*args, **kwargs) + + def finish(self): + if self.f is not None: + self.f.close() def get_output(output): if output is None: @@ -106,6 +116,7 @@ def convert_to_generic(yamldoc): 4688 in eventids and service == "security": if len(eventids) == 1: # only convert if one EventID collected, else it gets complicated # remove all EventID definitions + empty_name = list() for name, detection in yamldoc["detection"].items(): if name == "condition" or type(detection) is not dict: continue @@ -114,6 +125,15 @@ def convert_to_generic(yamldoc): except KeyError: pass + if detection == {}: # detection was reduced to nothing - remove it later + empty_name.append(name) + + for name in empty_name: # delete empty detections + del yamldoc["detection"][name] + + if yamldoc["detection"] == {}: # delete detection section if empty + del yamldoc["detection"] + # rewrite log source yamldoc["logsource"] = { "category": "process_creation", 
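Review bot: `DirectoryOutput.write` opens the file when `self.opened` is falsy but never sets `self.opened = True`, so a second `write()` for the same input would call `open("x")` again and raise `FileExistsError` while leaking the first handle; it works today only because the main loop issues exactly one `write` per input file. Add `self.opened = True` directly after the `open` call, and initialise the flag as `self.opened = False` in `__init__` rather than `None` to match how it is tested. The deferred open deserves its own comment on `write`, e.g. `# file is created on first write so unchanged inputs leave no empty output file`.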
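Review bot: `del yamldoc["detection"]` removes the detection block entirely when every selection was reduced to just `EventID`, which for a stand-alone rule document leaves a rule with no `condition`; presumably this is only meant for collection fragments that are merged into the global document later in the same commit, but nothing here enforces or states that. A comment such as `# only valid for collection fragments; the remaining document is merged with the global one below` would make the assumption visible, and a check that the document is not the only one in `yamldocs` would make it safe. `convert_to_generic` starts and ends outside the hunk.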
@@ -165,6 +185,29 @@ for path in input_paths: changed = False print("Rule {} in file {} contains multiple EventIDs: {}".format(yamldoc_num, str(path), str(e)), file=sys.stderr) + yamldocs_idx = list(zip(range(len(yamldocs)), yamldocs)) + delete = set() + for i, yamldoc_a in yamldocs_idx: # iterate over all yaml document pairs + for j, yamldoc_b in yamldocs_idx: + if j <= i: # symmetric relation, skip same comparisons + continue + if yamldoc_a == yamldoc_b: + delete.add(j) + + for i in reversed(sorted(delete)): # delete double yaml documents + del yamldocs[i] + + # Common special case: two yaml docs, one global and one remainder of multiple following docs - merge them + try: + if len(yamldocs) == 2 and \ + yamldocs[0]["action"] == "global" and \ + "action" not in yamldocs[1] and \ + set(yamldocs[0].keys()) & set(yamldocs[1].keys()) == set(): # last condition: no common keys + yamldocs[0].update(yamldocs[1]) + del yamldocs[1] + except KeyError: + pass + if changed: # only write output if changed try: output.write(yaml.dump_all(yamldocs, Dumper=SigmaYAMLDumper, width=160, default_flow_style=False)) From 7634128143f834810b5d8dee81ea1db626b23156 Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Sun, 13 Jan 2019 23:53:11 +0100 Subject: [PATCH 23/32] Generate list of converted file in conversion to generic rules --- tools/sigma2genericsigma | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/tools/sigma2genericsigma b/tools/sigma2genericsigma index 144e16c11..54217caee 100755 --- a/tools/sigma2genericsigma +++ b/tools/sigma2genericsigma 
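Review bot: the duplicate-document pass is written around `zip(range(len(yamldocs)), yamldocs)` with a `j <= i: continue` guard, where `enumerate` and a half-open inner range say the same thing more directly: `for i, yamldoc_a in enumerate(yamldocs):` / `for j in range(i + 1, len(yamldocs)):` / `if yamldoc_a == yamldocs[j]: delete.add(j)`. Likewise `reversed(sorted(delete))` is `sorted(delete, reverse=True)`. The de-duplication and the global/remainder merge also run when `changed` is `False`, which is harmless since nothing is written, but hoisting them under `if changed:` would make the intent clearer. The enclosing loop starts outside the hunk.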
@@ -154,12 +154,16 @@ def get_input_paths(args): argparser = ArgumentParser(description="Convert between classical and generic log source Sigma rules.") argparser.add_argument("--output", "-o", help="Output file or directory. Default: standard output.") argparser.add_argument("--recursive", "-r", action="store_true", help="Recursive traversal of directory") -argparser.add_argument("--verbose", "-v", action="store_true", help="Verbose output") +argparser.add_argument("--converted-list", "-c", help="Write list of rule files that were successfully converted (default: stdout)") argparser.add_argument("sigma", nargs="+", help="Sigma rule file(s) that should be converted") args = argparser.parse_args() input_paths = get_input_paths(args) output = get_output(args.output) +if args.converted_list: + fconv = open(args.converted_list, "w") +else: + fconv = sys.stdout for path in input_paths: try: @@ -211,6 +215,7 @@ for path in input_paths: if changed: # only write output if changed try: output.write(yaml.dump_all(yamldocs, Dumper=SigmaYAMLDumper, width=160, default_flow_style=False)) + print(path, file=fconv) except OSError as e: print("Error while writing result: {}".format(str(e)), file=sys.stderr) sys.exit(2) From 4e83bfeb16b797120265ea1f9dd6c3457671880e Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Mon, 14 Jan 2019 22:54:26 +0100 Subject: [PATCH 24/32] Fixed merge bugs --- tools/sigma/config/mapping.py | 1 - tools/sigmac | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/tools/sigma/config/mapping.py b/tools/sigma/config/mapping.py index bf5342cc3..8cbaf2e07 100644 --- a/tools/sigma/config/mapping.py +++ b/tools/sigma/config/mapping.py @@ -185,7 +185,6 @@ class FieldMappingChain(object): self.fieldmappings = fieldmappings def resolve(self, key, value, sigmaparser): - print(key, value) if type(self.fieldmappings) == str: # one field mapping return (self.fieldmappings, value) elif isinstance(self.fieldmappings, SimpleFieldMapping): 
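Review bot: `fconv = open(args.converted_list, "w")` is never closed, so the list depends on interpreter shutdown to be flushed, and the target file is truncated even when no rule ends up being converted; closing the handle once all paths are processed (the loop continues past this hunk), for instance via `contextlib.ExitStack` or a trailing `fconv.close()` guarded by `if fconv is not sys.stdout`, would make the list reliable. The same hunk silently drops the `--verbose`/`-v` option, a user-visible CLI change the commit message does not mention; keep the option or state its removal. The `print(path, file=fconv)` line in the second hunk sits inside the output `try`, so only paths whose result was actually written are listed, which matches the help text of the new option.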
diff --git a/tools/sigmac b/tools/sigmac index a747615ea..1030d2fa2 100755 --- a/tools/sigmac +++ b/tools/sigmac @@ -154,7 +154,7 @@ for sigmafile in get_inputs(cmdargs.inputs, cmdargs.recurse): f = sigmafile else: f = sigmafile.open(encoding='utf-8') - parser = SigmaCollectionParser(f, sigmaconfig, rulefilter) + parser = SigmaCollectionParser(f, sigmaconfigs, rulefilter) results = parser.generate(backend) for result in results: print(result, file=out) From 2fd88c837d6abcfab64a3ca38faa3b72bce48645 Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Mon, 14 Jan 2019 23:54:05 +0100 Subject: [PATCH 25/32] Added generic sigma rule support to WDATP backend * Process creation rules --- tools/sigma/backends/wdatp.py | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/tools/sigma/backends/wdatp.py b/tools/sigma/backends/wdatp.py index 8d5407a28..44cae5471 100644 --- a/tools/sigma/backends/wdatp.py +++ b/tools/sigma/backends/wdatp.py @@ -123,12 +123,17 @@ class WindowsDefenderATPBackend(SingleTextQueryBackend): def generate(self, sigmaparser): self.table = None try: - self.product = sigmaparser.parsedyaml['logsource']['product'] - self.service = sigmaparser.parsedyaml['logsource']['service'] + self.category = sigmaparser.parsedyaml['logsource'].setdefault('category', None) + self.product = sigmaparser.parsedyaml['logsource'].setdefault('product', None) + self.service = sigmaparser.parsedyaml['logsource'].setdefault('service', None) except KeyError: + self.category = None self.product = None self.service = None + if (self.category, self.product, self.service) == ("process_creation", "windows", None): + self.table = "ProcessCreationEvents" + return super().generate(sigmaparser) def generateBefore(self, parsed): From 7622b174152cb5d6ee41bc51141cae1175ea9096 Mon Sep 17 00:00:00 2001 
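Review bot: `setdefault('category', None)` and its two siblings mutate the rule's `logsource` dict as a side effect of reading it, inserting explicit `None` entries into `sigmaparser.parsedyaml` that any later backend or serialisation of the same parser will see; `.get()` reads without writing, e.g. `self.category = sigmaparser.parsedyaml['logsource'].get('category')` and likewise for `product` and `service`. With either form the `except KeyError` branch only covers a missing `logsource` key, so the three `None` assignments there remain the right fallback. The exact tuple match also requires `service` to be absent, so a generic rule carrying `service: sysmon` next to `category: process_creation` would not select the ProcessCreationEvents table; that may be intended but deserves a comment on the `if` line.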
From: Thomas Patzke Date: Mon, 14 Jan 2019 23:58:25 +0100 Subject: [PATCH 26/32] Moved test rule to final location/naming scheme --- .../win_process_creation_bitsadmin_download.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/windows/{process_execution/bitsadmin_download.yml => process_creation/win_process_creation_bitsadmin_download.yml} (100%) diff --git a/rules/windows/process_execution/bitsadmin_download.yml b/rules/windows/process_creation/win_process_creation_bitsadmin_download.yml similarity index 100% rename from rules/windows/process_execution/bitsadmin_download.yml rename to rules/windows/process_creation/win_process_creation_bitsadmin_download.yml From 4bc4c94a91cc2e9cda3b0b82615e3255a409b98a Mon Sep 17 00:00:00 2001 From: Thomas Patzke Date: Wed, 16 Jan 2019 22:37:32 +0100 Subject: [PATCH 27/32] sigma2genericsigma: preserve dict order --- tools/sigma2genericsigma | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/tools/sigma2genericsigma b/tools/sigma2genericsigma index 54217caee..92d63130b 100755 --- a/tools/sigma2genericsigma +++ b/tools/sigma2genericsigma @@ -158,6 +158,12 @@ argparser.add_argument("--converted-list", "-c", help="Write list of rule files argparser.add_argument("sigma", nargs="+", help="Sigma rule file(s) that should be converted") args = argparser.parse_args() +# Define order-preserving representer from dicts/maps +def yaml_preserve_order(self, dict_data): + return self.represent_mapping("tag:yaml.org,2002:map", dict_data.items()) + +yaml.add_representer(dict, yaml_preserve_order) + input_paths = get_input_paths(args) output = get_output(args.output) if args.converted_list: From ba64f485ac9f8b7f890d7864d98c7991da9ff9d2 Mon Sep 17 00:00:00 2001 
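Review bot: `yaml.add_representer(dict, yaml_preserve_order)` registers the representer on PyYAML's default `Dumper`, while this script dumps with `Dumper=SigmaYAMLDumper` further down (`yaml.dump_all(..., Dumper=SigmaYAMLDumper)` is visible in the earlier hunks of this series); whether the custom dumper picks the representer up depends on whether it already holds its own representer table, so registering it explicitly is the robust form: `yaml.add_representer(dict, yaml_preserve_order, Dumper=SigmaYAMLDumper)`. The order preservation relies on handing `represent_mapping` an items view rather than the dict so that PyYAML's key sorting is bypassed, an implementation detail worth stating in the comment, e.g. `# items() view is passed instead of the dict so the representer does not sort keys`. The comment's "representer from dicts/maps" reads better as "representer for dicts/maps".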
From: Thomas Patzke Date: Wed, 16 Jan 2019 22:41:42 +0100 Subject: [PATCH 28/32] Added generic Windows audit log configuration --- tools/config/generic/windows-audit.yml | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 tools/config/generic/windows-audit.yml diff --git a/tools/config/generic/windows-audit.yml b/tools/config/generic/windows-audit.yml new file mode 100644 index 000000000..38f320e7f --- /dev/null +++ b/tools/config/generic/windows-audit.yml @@ -0,0 +1,11 @@ +logsources: + process_creation: + category: process_creation + product: windows + conditions: + EventID: 4688 + rewrite: + product: windows + service: security +fieldmappings: + Image: NewProcessName From 96eb4609447eba4ce7ad976bbc16af6f0c3d9691 Mon Sep 17 00:00:00 2001 
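Review bot: The `fieldmappings` block maps only `Image`, but the Security/4688 variants of the rules removed later in this series carry the command line in `ProcessCommandLine` where the Sysmon variants use `CommandLine`, so generic `process_creation` rules that match on `CommandLine` would be emitted against a field the 4688 event does not have; add `CommandLine: ProcessCommandLine` under `fieldmappings`. Any other Sysmon-named field used by the converted rules would need the same treatment, but none is visible in this chunk.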
From: Thomas Patzke Date: Wed, 16 Jan 2019 23:36:31 +0100 Subject: [PATCH 29/32] Converted Sysmon/1 and Security/4688 to generic process creation rules --- rules/windows/builtin/win_hack_rubeus.yml | 52 ------- .../builtin/win_mavinject_proc_inj.yml | 38 ----- .../builtin/win_multiple_suspicious_cli.yml | 112 ------------- .../builtin/win_plugx_susp_exe_locations.yml | 146 ----------------- .../builtin/win_possible_applocker_bypass.yml | 44 ------ .../builtin/win_powershell_b64_shellcode.yml | 44 ------ rules/windows/builtin/win_psexesvc_start.yml | 21 --- rules/windows/builtin/win_susp_cli_escape.yml | 57 ------- .../win_susp_commands_recon_activity.yml | 73 --------- .../builtin/win_susp_iss_module_install.yml | 36 ----- .../builtin/win_susp_msiexec_web_install.yml | 34 ---- rules/windows/builtin/win_susp_ntdsutil.yml | 34 ---- .../builtin/win_susp_powershell_enc_cmd.yml | 43 ----- .../win_susp_powershell_hidden_b64_cmd.yml | 82 ---------- rules/windows/builtin/win_susp_procdump.yml | 49 ------ .../builtin/win_susp_process_creations.yml | 136 ---------------- rules/windows/builtin/win_susp_ps_appdata.yml | 39 ----- .../builtin/win_susp_rasdial_activity.yml | 32 ---- .../builtin/win_susp_run_locations.yml | 38 ----- .../builtin/win_susp_rundll32_activity.yml | 51 ------ rules/windows/builtin/win_susp_svchost.yml | 49 ------ .../builtin/win_susp_sysprep_appdata.yml | 37 ----- .../builtin/win_susp_sysvol_access.yml | 36 ----- rules/windows/builtin/win_susp_whoami.yml | 36 ----- ..._wmi_persistence_script_event_consumer.yml | 36 ----- .../windows/malware/sysmon_malware_dridex.yml | 40 ----- .../malware/sysmon_malware_notpetya.yml | 43 ----- .../malware/sysmon_malware_wannacry.yml | 41 ----- rules/windows/malware/win_mal_adwind.yml | 56 ------- rules/windows/malware/win_mal_wannacry.yml | 67 -------- .../powershell/powershell_xor_commandline.yml | 29 ---- .../powershell_xor_commandline.yml | 16 ++ .../win_attrib_hiding_files.yml | 30 ++++ .../win_bypass_squiblytwo.yml 
| 34 ++++ .../process_creation/win_cmdkey_recon.yml | 22 +++ .../win_cmstp_com_object_access.yml | 32 ++++ .../win_exploit_cve_2015_1641.yml} | 15 +- .../win_exploit_cve_2017_0261.yml | 18 +++ .../win_exploit_cve_2017_11882.yml | 20 +++ .../win_exploit_cve_2017_8759.yml} | 17 +- .../process_creation/win_hack_rubeus.yml | 29 ++++ .../process_creation/win_lethalhta.yml | 18 +++ .../process_creation/win_mal_adwind.yml | 48 ++++++ .../process_creation/win_mal_wannacry.yml | 33 ++++ .../process_creation/win_malware_dridex.yml | 22 +++ .../process_creation/win_malware_notpetya.yml | 39 +++++ .../win_malware_script_dropper.yml | 33 ++++ .../process_creation/win_malware_wannacry.yml | 37 +++++ .../win_mavinject_proc_inj.yml | 24 +++ .../win_mshta_spawn_shell.yml | 37 +++++ .../win_multiple_suspicious_cli.yml | 56 +++++++ .../process_creation/win_office_shell.yml | 52 +++++++ .../win_plugx_susp_exe_locations.yml | 88 +++++++++++ .../win_possible_applocker_bypass.yml | 27 ++++ .../win_powershell_amsi_bypass.yml | 25 +++ .../win_powershell_b64_shellcode.yml | 24 +++ .../win_powershell_dll_execution.yml | 28 ++++ .../win_powershell_download.yml | 23 +++ .../win_powershell_renamed_ps.yml | 26 ++++ ...ershell_suspicious_parameter_variation.yml | 61 ++++++++ .../process_creation/win_psexesvc_start.yml | 19 +++ .../win_sdbinst_shim_persistence.yml | 23 +++ .../win_shell_spawn_susp_program.yml | 33 ++++ .../win_susp_certutil_command.yml | 42 +++++ .../process_creation/win_susp_cli_escape.yml | 27 ++++ .../win_susp_cmd_http_appdata.yml | 23 +++ .../win_susp_commands_recon_activity.yml | 42 +++++ .../win_susp_control_dll_load.yml | 23 +++ .../process_creation/win_susp_exec_folder.yml | 33 ++++ .../win_susp_execution_path.yml | 26 ++++ .../win_susp_execution_path_webserver.yml | 28 ++++ .../win_susp_iss_module_install.yml | 21 +++ .../process_creation/win_susp_mmc_source.yml | 21 +++ .../win_susp_msiexec_web_install.yml | 19 +++ .../win_susp_net_execution.yml | 33 ++++ 
.../process_creation/win_susp_ntdsutil.yml | 19 +++ .../process_creation/win_susp_ping_hex_ip.yml | 21 +++ .../win_susp_powershell_enc_cmd.yml | 25 +++ .../win_susp_powershell_hidden_b64_cmd.yml | 70 +++++++++ .../win_susp_powershell_parent_combo.yml | 29 ++++ .../process_creation/win_susp_procdump.yml | 28 ++++ .../win_susp_process_creations.yml | 65 ++++++++ .../process_creation/win_susp_ps_appdata.yml | 20 +++ .../win_susp_rasdial_activity.yml | 17 ++ .../win_susp_recon_activity.yml | 23 +++ .../win_susp_regsvr32_anomalies.yml | 38 +++++ .../win_susp_run_locations.yml | 23 +++ .../win_susp_rundll32_activity.yml | 35 +++++ .../win_susp_schtask_creation.yml | 27 ++++ .../win_susp_script_execution.yml | 24 +++ .../process_creation/win_susp_svchost.yml | 24 +++ .../win_susp_sysprep_appdata.yml | 21 +++ .../win_susp_sysvol_access.yml | 22 +++ .../win_susp_taskmgr_localsystem.yml} | 15 +- .../win_susp_taskmgr_parent.yml | 23 +++ .../win_susp_tscon_localsystem.yml | 19 +++ .../win_susp_tscon_rdp_redirect.yml | 19 +++ .../win_susp_vssadmin_ntds_activity.yml | 31 ++++ .../process_creation/win_susp_whoami.yml | 22 +++ .../win_susp_wmi_execution.yml | 31 ++++ .../win_system_exe_anomaly.yml | 33 ++++ .../win_vul_java_remote_debugging.yml | 19 +++ .../win_webshell_detection.yml | 31 ++++ .../process_creation/win_webshell_spawn.yml | 30 ++++ ..._wmi_persistence_script_event_consumer.yml | 22 +++ .../win_workflow_compiler.yml | 22 +++ .../sysmon/sysmon_attrib_hiding_files.yml | 31 ---- .../sysmon/sysmon_bypass_squiblytwo.yml | 36 ----- rules/windows/sysmon/sysmon_cmdkey_recon.yml | 23 --- .../sysmon/sysmon_cmstp_com_object_access.yml | 34 ---- .../sysmon/sysmon_exploit_cve_2017_0261.yml | 19 --- .../sysmon/sysmon_exploit_cve_2017_11882.yml | 21 --- rules/windows/sysmon/sysmon_lethalhta.yml | 19 --- .../sysmon/sysmon_malware_script_dropper.yml | 34 ---- .../sysmon/sysmon_mshta_spawn_shell.yml | 39 ----- rules/windows/sysmon/sysmon_office_shell.yml | 53 ------- 
.../sysmon_plugx_susp_exe_locations.yml | 147 ------------------ .../sysmon/sysmon_powershell_amsi_bypass.yml | 27 ---- .../sysmon_powershell_dll_execution.yml | 31 ---- .../sysmon/sysmon_powershell_download.yml | 25 --- .../sysmon/sysmon_powershell_renamed_ps.yml | 27 ---- ...ershell_suspicious_parameter_variation.yml | 62 -------- .../sysmon_sdbinst_shim_persistence.yml | 24 --- .../sysmon_shell_spawn_susp_program.yml | 35 ----- .../sysmon/sysmon_susp_certutil_command.yml | 67 -------- .../sysmon/sysmon_susp_cmd_http_appdata.yml | 23 --- .../sysmon/sysmon_susp_control_dll_load.yml | 24 --- .../sysmon/sysmon_susp_exec_folder.yml | 35 ----- .../sysmon/sysmon_susp_execution_path.yml | 27 ---- .../sysmon_susp_execution_path_webserver.yml | 29 ---- .../windows/sysmon/sysmon_susp_mmc_source.yml | 22 --- .../sysmon/sysmon_susp_net_execution.yml | 35 ----- .../sysmon/sysmon_susp_ping_hex_ip.yml | 23 --- .../sysmon_susp_powershell_parent_combo.yml | 30 ---- .../sysmon/sysmon_susp_recon_activity.yml | 24 --- .../sysmon/sysmon_susp_regsvr32_anomalies.yml | 51 ------ .../sysmon/sysmon_susp_schtask_creation.yml | 28 ---- .../sysmon/sysmon_susp_script_execution.yml | 25 --- rules/windows/sysmon/sysmon_susp_svchost.yml | 25 --- .../sysmon/sysmon_susp_taskmgr_parent.yml | 24 --- .../sysmon/sysmon_susp_tscon_localsystem.yml | 20 --- .../sysmon/sysmon_susp_tscon_rdp_redirect.yml | 33 ---- .../sysmon_susp_vssadmin_ntds_activity.yml | 34 ---- .../sysmon/sysmon_susp_wmi_execution.yml | 32 ---- .../sysmon/sysmon_system_exe_anomaly.yml | 35 ----- .../sysmon_vul_java_remote_debugging.yml | 20 --- .../sysmon/sysmon_webshell_detection.yml | 32 ---- .../windows/sysmon/sysmon_webshell_spawn.yml | 31 ---- .../sysmon/sysmon_workflow_compiler.yml | 24 --- 149 files changed, 2170 insertions(+), 3096 deletions(-) delete mode 100644 rules/windows/builtin/win_hack_rubeus.yml delete mode 100644 rules/windows/builtin/win_mavinject_proc_inj.yml delete mode 100644 
rules/windows/builtin/win_multiple_suspicious_cli.yml delete mode 100644 rules/windows/builtin/win_plugx_susp_exe_locations.yml delete mode 100644 rules/windows/builtin/win_possible_applocker_bypass.yml delete mode 100644 rules/windows/builtin/win_powershell_b64_shellcode.yml delete mode 100644 rules/windows/builtin/win_psexesvc_start.yml delete mode 100644 rules/windows/builtin/win_susp_cli_escape.yml delete mode 100644 rules/windows/builtin/win_susp_commands_recon_activity.yml delete mode 100644 rules/windows/builtin/win_susp_iss_module_install.yml delete mode 100644 rules/windows/builtin/win_susp_msiexec_web_install.yml delete mode 100644 rules/windows/builtin/win_susp_ntdsutil.yml delete mode 100644 rules/windows/builtin/win_susp_powershell_enc_cmd.yml delete mode 100644 rules/windows/builtin/win_susp_powershell_hidden_b64_cmd.yml delete mode 100644 rules/windows/builtin/win_susp_procdump.yml delete mode 100644 rules/windows/builtin/win_susp_process_creations.yml delete mode 100644 rules/windows/builtin/win_susp_ps_appdata.yml delete mode 100644 rules/windows/builtin/win_susp_rasdial_activity.yml delete mode 100644 rules/windows/builtin/win_susp_run_locations.yml delete mode 100644 rules/windows/builtin/win_susp_rundll32_activity.yml delete mode 100644 rules/windows/builtin/win_susp_svchost.yml delete mode 100644 rules/windows/builtin/win_susp_sysprep_appdata.yml delete mode 100644 rules/windows/builtin/win_susp_sysvol_access.yml delete mode 100644 rules/windows/builtin/win_susp_whoami.yml delete mode 100644 rules/windows/builtin/win_wmi_persistence_script_event_consumer.yml delete mode 100644 rules/windows/malware/sysmon_malware_dridex.yml delete mode 100644 rules/windows/malware/sysmon_malware_notpetya.yml delete mode 100644 rules/windows/malware/sysmon_malware_wannacry.yml delete mode 100644 rules/windows/malware/win_mal_adwind.yml delete mode 100644 rules/windows/malware/win_mal_wannacry.yml delete mode 100644 
rules/windows/powershell/powershell_xor_commandline.yml create mode 100644 rules/windows/process_creation/powershell_xor_commandline.yml create mode 100644 rules/windows/process_creation/win_attrib_hiding_files.yml create mode 100644 rules/windows/process_creation/win_bypass_squiblytwo.yml create mode 100644 rules/windows/process_creation/win_cmdkey_recon.yml create mode 100644 rules/windows/process_creation/win_cmstp_com_object_access.yml rename rules/windows/{sysmon/sysmon_exploit_cve_2015_1641.yml => process_creation/win_exploit_cve_2015_1641.yml} (73%) create mode 100644 rules/windows/process_creation/win_exploit_cve_2017_0261.yml create mode 100644 rules/windows/process_creation/win_exploit_cve_2017_11882.yml rename rules/windows/{sysmon/sysmon_exploit_cve_2017_8759.yml => process_creation/win_exploit_cve_2017_8759.yml} (68%) create mode 100644 rules/windows/process_creation/win_hack_rubeus.yml create mode 100644 rules/windows/process_creation/win_lethalhta.yml create mode 100644 rules/windows/process_creation/win_mal_adwind.yml create mode 100644 rules/windows/process_creation/win_mal_wannacry.yml create mode 100644 rules/windows/process_creation/win_malware_dridex.yml create mode 100644 rules/windows/process_creation/win_malware_notpetya.yml create mode 100644 rules/windows/process_creation/win_malware_script_dropper.yml create mode 100644 rules/windows/process_creation/win_malware_wannacry.yml create mode 100644 rules/windows/process_creation/win_mavinject_proc_inj.yml create mode 100644 rules/windows/process_creation/win_mshta_spawn_shell.yml create mode 100644 rules/windows/process_creation/win_multiple_suspicious_cli.yml create mode 100644 rules/windows/process_creation/win_office_shell.yml create mode 100644 rules/windows/process_creation/win_plugx_susp_exe_locations.yml create mode 100644 rules/windows/process_creation/win_possible_applocker_bypass.yml create mode 100644 rules/windows/process_creation/win_powershell_amsi_bypass.yml create mode 100644 
rules/windows/process_creation/win_powershell_b64_shellcode.yml create mode 100644 rules/windows/process_creation/win_powershell_dll_execution.yml create mode 100644 rules/windows/process_creation/win_powershell_download.yml create mode 100644 rules/windows/process_creation/win_powershell_renamed_ps.yml create mode 100644 rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml create mode 100644 rules/windows/process_creation/win_psexesvc_start.yml create mode 100644 rules/windows/process_creation/win_sdbinst_shim_persistence.yml create mode 100644 rules/windows/process_creation/win_shell_spawn_susp_program.yml create mode 100644 rules/windows/process_creation/win_susp_certutil_command.yml create mode 100644 rules/windows/process_creation/win_susp_cli_escape.yml create mode 100644 rules/windows/process_creation/win_susp_cmd_http_appdata.yml create mode 100644 rules/windows/process_creation/win_susp_commands_recon_activity.yml create mode 100644 rules/windows/process_creation/win_susp_control_dll_load.yml create mode 100644 rules/windows/process_creation/win_susp_exec_folder.yml create mode 100644 rules/windows/process_creation/win_susp_execution_path.yml create mode 100644 rules/windows/process_creation/win_susp_execution_path_webserver.yml create mode 100644 rules/windows/process_creation/win_susp_iss_module_install.yml create mode 100644 rules/windows/process_creation/win_susp_mmc_source.yml create mode 100644 rules/windows/process_creation/win_susp_msiexec_web_install.yml create mode 100644 rules/windows/process_creation/win_susp_net_execution.yml create mode 100644 rules/windows/process_creation/win_susp_ntdsutil.yml create mode 100644 rules/windows/process_creation/win_susp_ping_hex_ip.yml create mode 100644 rules/windows/process_creation/win_susp_powershell_enc_cmd.yml create mode 100644 rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml create mode 100644 
rules/windows/process_creation/win_susp_powershell_parent_combo.yml create mode 100644 rules/windows/process_creation/win_susp_procdump.yml create mode 100644 rules/windows/process_creation/win_susp_process_creations.yml create mode 100644 rules/windows/process_creation/win_susp_ps_appdata.yml create mode 100644 rules/windows/process_creation/win_susp_rasdial_activity.yml create mode 100644 rules/windows/process_creation/win_susp_recon_activity.yml create mode 100644 rules/windows/process_creation/win_susp_regsvr32_anomalies.yml create mode 100644 rules/windows/process_creation/win_susp_run_locations.yml create mode 100644 rules/windows/process_creation/win_susp_rundll32_activity.yml create mode 100644 rules/windows/process_creation/win_susp_schtask_creation.yml create mode 100644 rules/windows/process_creation/win_susp_script_execution.yml create mode 100644 rules/windows/process_creation/win_susp_svchost.yml create mode 100644 rules/windows/process_creation/win_susp_sysprep_appdata.yml create mode 100644 rules/windows/process_creation/win_susp_sysvol_access.yml rename rules/windows/{sysmon/sysmon_susp_taskmgr_localsystem.yml => process_creation/win_susp_taskmgr_localsystem.yml} (55%) create mode 100644 rules/windows/process_creation/win_susp_taskmgr_parent.yml create mode 100644 rules/windows/process_creation/win_susp_tscon_localsystem.yml create mode 100644 rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml create mode 100644 rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml create mode 100644 rules/windows/process_creation/win_susp_whoami.yml create mode 100644 rules/windows/process_creation/win_susp_wmi_execution.yml create mode 100644 rules/windows/process_creation/win_system_exe_anomaly.yml create mode 100644 rules/windows/process_creation/win_vul_java_remote_debugging.yml create mode 100644 rules/windows/process_creation/win_webshell_detection.yml create mode 100644 rules/windows/process_creation/win_webshell_spawn.yml create 
mode 100644 rules/windows/process_creation/win_wmi_persistence_script_event_consumer.yml create mode 100644 rules/windows/process_creation/win_workflow_compiler.yml delete mode 100644 rules/windows/sysmon/sysmon_attrib_hiding_files.yml delete mode 100644 rules/windows/sysmon/sysmon_bypass_squiblytwo.yml delete mode 100644 rules/windows/sysmon/sysmon_cmdkey_recon.yml delete mode 100644 rules/windows/sysmon/sysmon_cmstp_com_object_access.yml delete mode 100644 rules/windows/sysmon/sysmon_exploit_cve_2017_0261.yml delete mode 100644 rules/windows/sysmon/sysmon_exploit_cve_2017_11882.yml delete mode 100644 rules/windows/sysmon/sysmon_lethalhta.yml delete mode 100644 rules/windows/sysmon/sysmon_malware_script_dropper.yml delete mode 100644 rules/windows/sysmon/sysmon_mshta_spawn_shell.yml delete mode 100644 rules/windows/sysmon/sysmon_office_shell.yml delete mode 100644 rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml delete mode 100644 rules/windows/sysmon/sysmon_powershell_amsi_bypass.yml delete mode 100644 rules/windows/sysmon/sysmon_powershell_dll_execution.yml delete mode 100644 rules/windows/sysmon/sysmon_powershell_download.yml delete mode 100644 rules/windows/sysmon/sysmon_powershell_renamed_ps.yml delete mode 100644 rules/windows/sysmon/sysmon_powershell_suspicious_parameter_variation.yml delete mode 100644 rules/windows/sysmon/sysmon_sdbinst_shim_persistence.yml delete mode 100644 rules/windows/sysmon/sysmon_shell_spawn_susp_program.yml delete mode 100644 rules/windows/sysmon/sysmon_susp_certutil_command.yml delete mode 100644 rules/windows/sysmon/sysmon_susp_cmd_http_appdata.yml delete mode 100644 rules/windows/sysmon/sysmon_susp_control_dll_load.yml delete mode 100644 rules/windows/sysmon/sysmon_susp_exec_folder.yml delete mode 100644 rules/windows/sysmon/sysmon_susp_execution_path.yml delete mode 100644 rules/windows/sysmon/sysmon_susp_execution_path_webserver.yml delete mode 100644 rules/windows/sysmon/sysmon_susp_mmc_source.yml delete mode 100644 
rules/windows/sysmon/sysmon_susp_net_execution.yml delete mode 100644 rules/windows/sysmon/sysmon_susp_ping_hex_ip.yml delete mode 100644 rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml delete mode 100644 rules/windows/sysmon/sysmon_susp_recon_activity.yml delete mode 100644 rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml delete mode 100644 rules/windows/sysmon/sysmon_susp_schtask_creation.yml delete mode 100644 rules/windows/sysmon/sysmon_susp_script_execution.yml delete mode 100644 rules/windows/sysmon/sysmon_susp_svchost.yml delete mode 100644 rules/windows/sysmon/sysmon_susp_taskmgr_parent.yml delete mode 100644 rules/windows/sysmon/sysmon_susp_tscon_localsystem.yml delete mode 100644 rules/windows/sysmon/sysmon_susp_tscon_rdp_redirect.yml delete mode 100644 rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml delete mode 100644 rules/windows/sysmon/sysmon_susp_wmi_execution.yml delete mode 100644 rules/windows/sysmon/sysmon_system_exe_anomaly.yml delete mode 100644 rules/windows/sysmon/sysmon_vul_java_remote_debugging.yml delete mode 100644 rules/windows/sysmon/sysmon_webshell_detection.yml delete mode 100644 rules/windows/sysmon/sysmon_webshell_spawn.yml delete mode 100644 rules/windows/sysmon/sysmon_workflow_compiler.yml diff --git a/rules/windows/builtin/win_hack_rubeus.yml b/rules/windows/builtin/win_hack_rubeus.yml deleted file mode 100644 index 1d03d7836..000000000 --- a/rules/windows/builtin/win_hack_rubeus.yml +++ /dev/null 
@@ -1,52 +0,0 @@ ---- -action: global -title: Rubeus Hack Tool -description: Detects command line parameters used by Rubeus hack tool -author: Florian Roth -references: - - https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/ -date: 2018/12/19 -tags: - - attack.credential_access - - attack.t1003 - - attack.s0005 -detection: - condition: selection -falsepositives: - - unlikely -level: critical ---- -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - CommandLine: - - '* asreproast *' - - '* dump /service:krbtgt *' - - '* kerberoast *' - - '* createnetonly /program:*' - - '* ptt /ticket:*' - - '* /impersonateuser:*' - - '* renew /ticket:*' - - '* asktgt /user:*' - - '* harvest /interval:*' ---- -logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' -detection: - selection: - EventID: 4688 - ProcessCommandLine: - - '* asreproast *' - - '* dump /service:krbtgt *' - - '* kerberoast *' - - '* createnetonly /program:*' - - '* ptt /ticket:*' - - '* /impersonateuser:*' - - '* renew /ticket:*' - - '* asktgt /user:*' - - '* harvest /interval:*' \ No newline at end of file diff --git a/rules/windows/builtin/win_mavinject_proc_inj.yml b/rules/windows/builtin/win_mavinject_proc_inj.yml deleted file mode 100644 index 4b2757140..000000000 --- a/rules/windows/builtin/win_mavinject_proc_inj.yml +++ /dev/null 
@@ -1,38 +0,0 @@ ---- -action: global -title: MavInject Process Injection -status: experimental -description: Detects process injection using the signed Windows tool Mavinject32.exe -references: - - https://twitter.com/gN3mes1s/status/941315826107510784 - - https://reaqta.com/2017/12/mavinject-microsoft-injector/ - - https://twitter.com/Hexacorn/status/776122138063409152 -author: Florian Roth -date: 2018/12/12 -tags: - - attack.process_injection - - attack.t1055 - - attack.signed_binary_proxy_execution - - attack.t1218 -detection: - condition: selection -falsepositives: - - unknown -level: critical ---- -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - CommandLine: '* /INJECTRUNNING *' ---- -logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' -detection: - selection: - EventID: 4688 - ProcessCommandLine: '* /INJECTRUNNING *' diff --git a/rules/windows/builtin/win_multiple_suspicious_cli.yml b/rules/windows/builtin/win_multiple_suspicious_cli.yml deleted file mode 100644 index 3065dad27..000000000 --- a/rules/windows/builtin/win_multiple_suspicious_cli.yml +++ /dev/null 
@@ -1,112 +0,0 @@ -action: global -title: Quick Execution of a Series of Suspicious Commands -description: Detects multiple suspicious process in a limited timeframe -status: experimental -references: - - https://car.mitre.org/wiki/CAR-2013-04-002 -author: juju4 -modified: 2012/12/11 -falsepositives: - - False positives depend on scripts and administrative tools used in the monitored environment -level: low ---- -# Windows Audit Log -logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' -detection: - selection: - EventID: 4688 - ProcessCommandLine: - - arp.exe - - at.exe - - attrib.exe - - cscript.exe - - dsquery.exe - - hostname.exe - - ipconfig.exe - - mimikatz.exe - - nbstat.exe - - net.exe - - netsh.exe - - nslookup.exe - - ping.exe - - quser.exe - - qwinsta.exe - - reg.exe - - runas.exe - - sc.exe - - schtasks.exe - - ssh.exe - - systeminfo.exe - - taskkill.exe - - telnet.exe - - tracert.exe - - wscript.exe - - xcopy.exe -# others - - pscp.exe - - copy.exe - - robocopy.exe - - certutil.exe - - vssadmin.exe - - powershell.exe - - wevtutil.exe - - psexec.exe - - bcedit.exe - - wbadmin.exe - - icacls.exe - - diskpart.exe - timeframe: 5m - condition: selection | count() by MachineName > 5 ---- -# Sysmon -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - CommandLine: - - arp.exe - - at.exe - - attrib.exe - - cscript.exe - - dsquery.exe - - hostname.exe - - ipconfig.exe - - mimikatz.exe - - nbstat.exe - - net.exe - - netsh.exe - - nslookup.exe - - ping.exe - - quser.exe - - qwinsta.exe - - reg.exe - - runas.exe - - sc.exe - - schtasks.exe - - ssh.exe - - systeminfo.exe - - taskkill.exe - - telnet.exe - - tracert.exe - - wscript.exe - - xcopy.exe -# others - - pscp.exe - - copy.exe - - robocopy.exe - - certutil.exe - - vssadmin.exe - - powershell.exe - - wevtutil.exe - - 
psexec.exe - - bcedit.exe - - wbadmin.exe - - icacls.exe - - diskpart.exe - timeframe: 5m - condition: selection | count() by MachineName > 5 \ No newline at end of file diff --git a/rules/windows/builtin/win_plugx_susp_exe_locations.yml b/rules/windows/builtin/win_plugx_susp_exe_locations.yml deleted file mode 100644 index b2520542e..000000000 --- a/rules/windows/builtin/win_plugx_susp_exe_locations.yml +++ /dev/null 
@@ -1,146 +0,0 @@ -title: Executable used by PlugX in Uncommon Location -status: experimental -description: Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location -references: - - 'http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/' - - 'https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/' -author: Florian Roth -date: 2017/06/12 -tags: - - attack.s0013 -logsource: - product: windows - service: security -detection: - - # CamMute - selection_cammute: - EventID: 4688 - CommandLine: '*\CamMute.exe' - filter_cammute: - EventID: 4688 - CommandLine: '*\Lenovo\Communication Utility\*' - - # Chrome Frame Helper - selection_chrome_frame: - EventID: 4688 - CommandLine: '*\chrome_frame_helper.exe' - filter_chrome_frame: - EventID: 4688 - CommandLine: '*\Google\Chrome\application\*' - - # Microsoft Device Emulator - selection_devemu: - EventID: 4688 - CommandLine: '*\dvcemumanager.exe' - filter_devemu: - EventID: 4688 - CommandLine: '*\Microsoft Device Emulator\*' - - # Windows Media Player Gadget - selection_gadget: - EventID: 4688 - CommandLine: '*\Gadget.exe' - filter_gadget: - EventID: 4688 - CommandLine: '*\Windows Media Player\*' - - # HTML Help Workshop - selection_hcc: - EventID: 4688 - CommandLine: '*\hcc.exe' - filter_hcc: - EventID: 4688 - CommandLine: '*\HTML Help Workshop\*' - - # Hotkey Command Module for Intel Graphics Contollers - selection_hkcmd: - EventID: 4688 - CommandLine: '*\hkcmd.exe' - filter_hkcmd: - EventID: 4688 - CommandLine: - - '*\System32\*' - - '*\SysNative\*' - - '*\SysWowo64\*' - - # McAfee component - selection_mc: - EventID: 4688 - CommandLine: '*\Mc.exe' - filter_mc: - EventID: 4688 - CommandLine: - - '*\Microsoft Visual Studio*' - - '*\Microsoft SDK*' - - '*\Windows Kit*' - - # MsMpEng - Microsoft Malware Protection Engine - selection_msmpeng: - EventID: 4688 - CommandLine: '*\MsMpEng.exe' - 
filter_msmpeng: - EventID: 4688 - CommandLine: - - '*\Microsoft Security Client\*' - - '*\Windows Defender\*' - - '*\AntiMalware\*' - - # Microsoft Security Center - selection_msseces: - EventID: 4688 - CommandLine: '*\msseces.exe' - filter_msseces: - EventID: 4688 - CommandLine: '*\Microsoft Security Center\*' - - # Microsoft Office 2003 OInfo - selection_oinfo: - EventID: 4688 - CommandLine: '*\OInfoP11.exe' - filter_oinfo: - EventID: 4688 - CommandLine: '*\Common Files\Microsoft Shared\*' - - # OLE View - selection_oleview: - EventID: 4688 - CommandLine: '*\OleView.exe' - filter_oleview: - EventID: 4688 - CommandLine: - - '*\Microsoft Visual Studio*' - - '*\Microsoft SDK*' - - '*\Windows Kit*' - - '*\Windows Resource Kit\*' - - # RC - selection_rc: - EventID: 4688 - CommandLine: '*\rc.exe' - filter_rc: - EventID: 4688 - CommandLine: - - '*\Microsoft Visual Studio*' - - '*\Microsoft SDK*' - - '*\Windows Kit*' - - '*\Windows Resource Kit\*' - - '*\Microsoft.NET\*' - - condition: ( selection_cammute and not filter_cammute ) or - ( selection_chrome_frame and not filter_chrome_frame ) or - ( selection_devemu and not filter_devemu ) or - ( selection_gadget and not filter_gadget ) or - ( selection_hcc and not filter_hcc ) or - ( selection_hkcmd and not filter_hkcmd ) or - ( selection_mc and not filter_mc ) or - ( selection_msmpeng and not filter_msmpeng ) or - ( selection_msseces and not filter_msseces ) or - ( selection_oinfo and not filter_oinfo ) or - ( selection_oleview and not filter_oleview ) or - ( selection_rc and not filter_rc ) -falsepositives: - - Unknown -level: high - - diff --git a/rules/windows/builtin/win_possible_applocker_bypass.yml b/rules/windows/builtin/win_possible_applocker_bypass.yml deleted file mode 100644 index 894a5e1f7..000000000 --- a/rules/windows/builtin/win_possible_applocker_bypass.yml +++ /dev/null 
@@ -1,44 +0,0 @@ -action: global -title: Possible Applocker Bypass -description: Detects execution of executables that can be used to bypass Applocker whitelisting -status: experimental -references: - - https://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt - - https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/ -author: juju4 -tags: - - attack.defense_evasion -detection: - selection: - CommandLine: - - '*\msdt.exe*' - - '*\installutil.exe*' - - '*\regsvcs.exe*' - - '*\regasm.exe*' - - '*\regsvr32.exe*' - - '*\msbuild.exe*' - - '*\ieexec.exe*' - - '*\mshta.exe*' - # higher risk of false positives -# - '*\cscript.EXE*' - condition: selection -falsepositives: - - False positives depend on scripts and administrative tools used in the monitored environment -level: low ---- -# Windows Audit Log -logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' -detection: - selection: - EventID: 4688 ---- -# Sysmon -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 diff --git a/rules/windows/builtin/win_powershell_b64_shellcode.yml b/rules/windows/builtin/win_powershell_b64_shellcode.yml deleted file mode 100644 index 7ccb1bffe..000000000 --- a/rules/windows/builtin/win_powershell_b64_shellcode.yml +++ /dev/null 
@@ -1,44 +0,0 @@ -action: global -title: PowerShell Base64 Encoded Shellcode -description: Detects Base64 encoded Shellcode -status: experimental -references: - - https://twitter.com/cyb3rops/status/1063072865992523776 -author: Florian Roth -date: 2018/11/17 -tags: - - attack.defense_evasion - - attack.t1036 -detection: - condition: selection1 and selection2 -falsepositives: - - Unknown -level: critical ---- -# Windows Audit Log -logsource: - product: windows - service: security - description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' -detection: - selection1: - EventID: 4688 - ProcessCommandLine: '*AAAAYInlM*' - selection2: - ProcessCommandLine: - - '*OiCAAAAYInlM*' - - '*OiJAAAAYInlM*' ---- -# Sysmon -logsource: - product: windows - service: sysmon -detection: - selection1: - EventID: 1 - CommandLine: '*AAAAYInlM*' - selection2: - CommandLine: - - '*OiCAAAAYInlM*' - - '*OiJAAAAYInlM*' - diff --git a/rules/windows/builtin/win_psexesvc_start.yml b/rules/windows/builtin/win_psexesvc_start.yml deleted file mode 100644 index 08e517099..000000000 --- a/rules/windows/builtin/win_psexesvc_start.yml +++ /dev/null @@ -1,21 +0,0 @@ -title: PsExec Service Start -description: Detects a PsExec service start -author: Florian Roth -date: 2018/03/13 -modified: 2012/12/11 -tags: - - attack.execution - - attack.t1035 - - attack.s0029 -logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' -detection: - selection: - EventID: 4688 - ProcessCommandLine: 'C:\Windows\PSEXESVC.exe' - condition: 1 of them -falsepositives: - - Administrative activity -level: low \ No newline at end of file 
diff --git a/rules/windows/builtin/win_susp_cli_escape.yml b/rules/windows/builtin/win_susp_cli_escape.yml deleted file mode 100644 index 47b6ad7c0..000000000 --- a/rules/windows/builtin/win_susp_cli_escape.yml +++ /dev/null @@ -1,57 +0,0 @@ -action: global -title: Suspicious Commandline Escape -description: Detects suspicious process that use escape characters -status: experimental -references: - - https://twitter.com/vysecurity/status/885545634958385153 - - https://twitter.com/Hexacorn/status/885553465417756673 - - https://twitter.com/Hexacorn/status/885570278637678592 - - https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html - - http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/ -author: juju4 -modified: 2018/12/11 -tags: - - attack.defense_evasion - - attack.t1140 -detection: - condition: selection -falsepositives: - - False positives depend on scripts and administrative tools used in the monitored environment -level: low ---- -# Windows Audit Log -logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' -detection: - selection: - EventID: 4688 - ProcessCommandLine: - #- '^' - #- '@' -# 0x002D -, 0x2013 , 0x2014 , 0x2015 ― ... FIXME! how to match hexa form? - # - '-' - # - '―' - #- 'c:/' - - '' - - '^h^t^t^p' - - 'h"t"t"p' ---- -# Sysmon -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - CommandLine: - #- '^' - #- '@' -# 0x002D -, 0x2013 , 0x2014 , 0x2015 ― ... FIXME! how to match hexa form? - # - '-' - # - '―' - #- 'c:/' - - '' - - '^h^t^t^p' - - 'h"t"t"p' \ No newline at end of file diff --git a/rules/windows/builtin/win_susp_commands_recon_activity.yml b/rules/windows/builtin/win_susp_commands_recon_activity.yml deleted file mode 100644 index 3710465fd..000000000 
--- a/rules/windows/builtin/win_susp_commands_recon_activity.yml +++ /dev/null 
@@ -1,73 +0,0 @@ ---- -action: global -title: Reconnaissance Activity with Net Command -status: experimental -description: 'Detects a set of commands often used in recon stages by different attack groups' -references: - - https://twitter.com/haroonmeer/status/939099379834658817 - - https://twitter.com/c_APT_ure/status/939475433711722497 - - https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html -author: Florian Roth, Markus Neis -date: 2018/08/22 -modified: 2018/12/11 -tags: - - attack.discovery - - attack.t1073 - - attack.t1012 -detection: - timeframe: 15s - condition: selection | count() by CommandLine > 4 -falsepositives: - - False positives depend on scripts and administrative tools used in the monitored environment -level: medium ---- -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - CommandLine: - - 'tasklist' - - 'net time' - - 'systeminfo' - - 'whoami' - - 'nbtstat' - - 'net start' - - '*\net1 start' - - 'qprocess' - - 'nslookup' - - 'hostname.exe' - - '*\net1 user /domain' - - '*\net1 group /domain' - - '*\net1 group "domain admins" /domain' - - '*\net1 group "Exchange Trusted Subsystem" /domain' - - '*\net1 accounts /domain' - - '*\net1 user net localgroup administrators' - - 'netstat -an' ---- -logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' -detection: - selection: - EventID: 4688 - ProcessCommandLine: - - 'tasklist' - - 'net time' - - 'systeminfo' - - 'whoami' - - 'nbtstat' - - 'net start' - - '*\net1 start' - - 'qprocess' - - 'nslookup' - - 'hostname.exe' - - '*\net1 user /domain' - - '*\net1 group /domain' - - '*\net1 group "domain admins" /domain' - - '*\net1 group "Exchange Trusted Subsystem" /domain' - - '*\net1 accounts /domain' - - '*\net1 user net localgroup administrators' - - 'netstat -an' 
diff --git a/rules/windows/builtin/win_susp_iss_module_install.yml b/rules/windows/builtin/win_susp_iss_module_install.yml deleted file mode 100644 index 061265531..000000000 --- a/rules/windows/builtin/win_susp_iss_module_install.yml +++ /dev/null @@ -1,36 +0,0 @@ ---- -action: global -title: IIS Native-Code Module Command Line Installation -description: Detects suspicious IIS native-code module installations via command line -status: experimental -references: - - https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/ -author: Florian Roth -modified: 2012/12/11 -tags: - - attack.persistence - - attack.t1100 -detection: - condition: selection -falsepositives: - - Unknown as it may vary from organisation to arganisation how admins use to install IIS modules -level: medium ---- -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - CommandLine: - - '*\APPCMD.EXE install module /name:*' ---- -logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' -detection: - selection: - EventID: 4688 - ProcessCommandLine: - - '*\APPCMD.EXE install module /name:*' diff --git a/rules/windows/builtin/win_susp_msiexec_web_install.yml b/rules/windows/builtin/win_susp_msiexec_web_install.yml deleted file mode 100644 index 3fd59bd01..000000000 --- a/rules/windows/builtin/win_susp_msiexec_web_install.yml +++ /dev/null 
@@ -1,34 +0,0 @@ ---- -action: global -title: MsiExec Web Install -status: experimental -description: Detects suspicious msiexec proess starts with web addreses as parameter -references: - - https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/ -author: Florian Roth -date: 2018/02/09 -modified: 2012/12/11 -detection: - condition: selection -falsepositives: - - False positives depend on scripts and administrative tools used in the monitored environment -level: medium ---- -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - CommandLine: - - '* msiexec*:\/\/*' ---- -logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' -detection: - selection: - EventID: 4688 - ProcessCommandLine: - - '* msiexec*:\/\/*' diff --git a/rules/windows/builtin/win_susp_ntdsutil.yml b/rules/windows/builtin/win_susp_ntdsutil.yml deleted file mode 100644 index 0dd7b2051..000000000 --- a/rules/windows/builtin/win_susp_ntdsutil.yml +++ /dev/null 
@@ -1,34 +0,0 @@ ---- -action: global -title: Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) -description: Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT) -status: experimental -references: - - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm -author: Thomas Patzke -tags: - - attack.credential_access - - attack.t1003 -detection: - selection: - CommandLine: '*\ntdsutil.exe *' - condition: selection -falsepositives: - - NTDS maintenance -level: high ---- -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 ---- -logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' -detection: - selection: - EventID: 4688 - diff --git a/rules/windows/builtin/win_susp_powershell_enc_cmd.yml b/rules/windows/builtin/win_susp_powershell_enc_cmd.yml deleted file mode 100644 index 1a6b9d7f0..000000000 --- a/rules/windows/builtin/win_susp_powershell_enc_cmd.yml +++ /dev/null 
@@ -1,43 +0,0 @@ ---- -action: global -title: Suspicious Encoded PowerShell Command Line -description: Detects suspicious powershell process starts with base64 encoded commands -status: experimental -references: - - https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e -author: Florian Roth -date: 2018/09/03 -detection: - selection: - CommandLine: - # Command starts with '$' symbol - - '* -e JAB*' - - '* -enc JAB*' - - '* -encodedcommand JAB*' - # Google Rapid Response - falsepositive1: - Image: '*\GRR\*' - # PowerSponse deployments - falsepositive2: - CommandLine: '* -ExecutionPolicy remotesigned *' - condition: selection and not 1 of falsepositive* -falsepositives: - - GRR powershell hacks - - PowerSponse Deployments -level: high ---- -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 ---- -logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' -detection: - selection: - EventID: 4688 - diff --git a/rules/windows/builtin/win_susp_powershell_hidden_b64_cmd.yml b/rules/windows/builtin/win_susp_powershell_hidden_b64_cmd.yml deleted file mode 100644 index 39d664d44..000000000 --- a/rules/windows/builtin/win_susp_powershell_hidden_b64_cmd.yml +++ /dev/null 
@@ -1,82 +0,0 @@ -title: Malicious Base64 encoded PowerShell Keywords in command lines -status: experimental -description: Detects base64 encoded strings used in hidden malicious PowerShell command lines -references: - - http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/ -tags: - - attack.execution - - attack.t1086 -author: John Lambert (rule) -logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' -detection: - encoded: - EventID: 4688 - Image: '*\powershell.exe' - CommandLine: '* hidden *' - selection: - EventID: 4688 - CommandLine: - # bitsadmin transfer - - '*AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA*' - - '*aXRzYWRtaW4gL3RyYW5zZmVy*' - - '*IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA*' - - '*JpdHNhZG1pbiAvdHJhbnNmZX*' - - '*YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg*' - - '*Yml0c2FkbWluIC90cmFuc2Zlc*' - # chunk_size - - '*AGMAaAB1AG4AawBfAHMAaQB6AGUA*' - - '*JABjAGgAdQBuAGsAXwBzAGkAegBlA*' - - '*JGNodW5rX3Npem*' - - '*QAYwBoAHUAbgBrAF8AcwBpAHoAZQ*' - - '*RjaHVua19zaXpl*' - - '*Y2h1bmtfc2l6Z*' - # IO.Compression - - '*AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A*' - - '*kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg*' - - '*lPLkNvbXByZXNzaW9u*' - - '*SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA*' - - '*SU8uQ29tcHJlc3Npb2*' - - '*Ty5Db21wcmVzc2lvb*' - # IO.MemoryStream - - '*AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ*' - - '*kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA*' - - '*lPLk1lbW9yeVN0cmVhb*' - - '*SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A*' - - '*SU8uTWVtb3J5U3RyZWFt*' - - '*Ty5NZW1vcnlTdHJlYW*' - # GetChunk - - '*4ARwBlAHQAQwBoAHUAbgBrA*' - - '*5HZXRDaHVua*' - - '*AEcAZQB0AEMAaAB1AG4Aaw*' - - '*LgBHAGUAdABDAGgAdQBuAGsA*' - - '*LkdldENodW5r*' - - '*R2V0Q2h1bm*' - # THREAD INFO64 - - '*AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A*' - - '*QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA*' - - 
'*RIUkVBRF9JTkZPNj*' - - '*SFJFQURfSU5GTzY0*' - - '*VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA*' - - '*VEhSRUFEX0lORk82N*' - # CreateRemoteThread - - '*AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA*' - - '*cmVhdGVSZW1vdGVUaHJlYW*' - - '*MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA*' - - '*NyZWF0ZVJlbW90ZVRocmVhZ*' - - '*Q3JlYXRlUmVtb3RlVGhyZWFk*' - - '*QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA*' - # memmove - - '*0AZQBtAG0AbwB2AGUA*' - - '*1lbW1vdm*' - - '*AGUAbQBtAG8AdgBlA*' - - '*bQBlAG0AbQBvAHYAZQ*' - - '*bWVtbW92Z*' - - '*ZW1tb3Zl*' - - condition: encoded and selection -falsepositives: - - Penetration tests -level: high diff --git a/rules/windows/builtin/win_susp_procdump.yml b/rules/windows/builtin/win_susp_procdump.yml deleted file mode 100644 index 6909f423d..000000000 --- a/rules/windows/builtin/win_susp_procdump.yml +++ /dev/null 
@@ -1,49 +0,0 @@ -action: global -title: Suspicious Use of Procdump -description: Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable. -status: experimental -references: - - Internal Research -author: Florian Roth -date: 2018/10/30 -tags: - - attack.defense_evasion - - attack.t1036 - - attack.credential_access - - attack.t1003 -detection: - condition: selection and selection1 and selection2 -falsepositives: - - Unlikely, because no one should dump an lsass process memory - - Another tool that uses the command line switches of Procdump -level: medium ---- -# Windows Audit Log -logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' -detection: - selection: - EventID: 4688 - selection1: - ProcessCommandLine: - - "* -ma *" - selection2: - ProcessCommandLine: - - '* lsass.exe*' ---- -# Sysmon -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - selection1: - CommandLine: - - "* -ma *" - selection2: - CommandLine: - - '* lsass.exe*' - diff --git a/rules/windows/builtin/win_susp_process_creations.yml b/rules/windows/builtin/win_susp_process_creations.yml deleted file mode 100644 index 10512e5ca..000000000 --- a/rules/windows/builtin/win_susp_process_creations.yml +++ /dev/null 
@@ -1,136 +0,0 @@ ---- -action: global -title: Suspicious Process Creation -description: Detects suspicious process starts on Windows systems based on keywords -status: experimental -references: - - https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/ - - https://www.youtube.com/watch?v=H3t_kHQG1Js&feature=youtu.be&t=15m35s - - https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/ - - https://twitter.com/subTee/status/872244674609676288 - - https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/remote-tool-examples - - https://tyranidslair.blogspot.ca/2017/07/dg-on-windows-10-s-executing-arbitrary.html - - https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/ - - https://subt0x10.blogspot.ca/2017/04/bypassing-application-whitelisting.html - - https://gist.github.com/subTee/7937a8ef07409715f15b84781e180c46#file-rat-bat - - https://twitter.com/vector_sec/status/896049052642533376 -author: Florian Roth -modified: 2012/12/11 -detection: - condition: selection -falsepositives: - - False positives depend on scripts and administrative tools used in the monitored environment -level: medium ---- -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - CommandLine: - # Hacking activity - - 'vssadmin.exe delete shadows*' - - 'vssadmin delete shadows*' - - 'vssadmin create shadow /for=C:*' - - 'copy \\?\GLOBALROOT\Device\*\windows\ntds\ntds.dit*' - - 'copy \\?\GLOBALROOT\Device\*\config\SAM*' - - 'reg SAVE HKLM\SYSTEM *' - - '* sekurlsa:*' - - 'net localgroup adminstrators * /add' - - 'net group "Domain Admins" * /ADD /DOMAIN' - - 'certutil.exe *-urlcache* http*' - - 'certutil.exe *-urlcache* ftp*' - # Malware - - 'netsh advfirewall firewall *\AppData\*' - - 'attrib +S +H +R *\AppData\*' - - 'schtasks* /create *\AppData\*' - - 'schtasks* /sc minute*' - - '*\Regasm.exe *\AppData\*' - - '*\Regasm *\AppData\*' - - '*\bitsadmin* /transfer*' - - '*\certutil.exe * -decode *' - - 
'*\certutil.exe * -decodehex *' - - '*\certutil.exe -ping *' - - 'icacls * /grant Everyone:F /T /C /Q' - - '* wmic shadowcopy delete *' - - '* wbadmin.exe delete catalog -quiet*' # http://blog.talosintelligence.com/2018/02/olympic-destroyer.html - # Scripts - - '*\wscript.exe *.jse' - - '*\wscript.exe *.js' - - '*\wscript.exe *.vba' - - '*\wscript.exe *.vbe' - - '*\cscript.exe *.jse' - - '*\cscript.exe *.js' - - '*\cscript.exe *.vba' - - '*\cscript.exe *.vbe' - # UAC bypass - - '*\fodhelper.exe' - # persistence - - '*waitfor*/s*' - - '*waitfor*/si persist*' - # remote - - '*remote*/s*' - - '*remote*/c*' - - '*remote*/q*' - # AddInProcess - - '*AddInProcess*' - # NotPowershell (nps) attack - # - '*msbuild*' # too many false positives ---- -logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' -detection: - selection: - EventID: 4688 - ProcessCommandLine: - # Hacking activity - - 'vssadmin.exe delete shadows*' - - 'vssadmin delete shadows*' - - 'vssadmin create shadow /for=C:*' - - 'copy \\?\GLOBALROOT\Device\*\windows\ntds\ntds.dit*' - - 'copy \\?\GLOBALROOT\Device\*\config\SAM*' - - 'reg SAVE HKLM\SYSTEM *' - - '* sekurlsa:*' - - 'net localgroup adminstrators * /add' - - 'net group "Domain Admins" * /ADD /DOMAIN' - - 'certutil.exe *-urlcache* http*' - - 'certutil.exe *-urlcache* ftp*' - # Malware - - 'netsh advfirewall firewall *\AppData\*' - - 'attrib +S +H +R *\AppData\*' - - 'schtasks* /create *\AppData\*' - - 'schtasks* /sc minute*' - - '*\Regasm.exe *\AppData\*' - - '*\Regasm *\AppData\*' - - '*\bitsadmin* /transfer*' - - '*\certutil.exe * -decode *' - - '*\certutil.exe * -decodehex *' - - '*\certutil.exe -ping *' - - 'icacls * /grant Everyone:F /T /C /Q' - - '* wmic shadowcopy delete *' - - '* wbadmin.exe delete catalog -quiet*' # http://blog.talosintelligence.com/2018/02/olympic-destroyer.html - # Scripts 
- - '*\wscript.exe *.jse' - - '*\wscript.exe *.js' - - '*\wscript.exe *.vba' - - '*\wscript.exe *.vbe' - - '*\cscript.exe *.jse' - - '*\cscript.exe *.js' - - '*\cscript.exe *.vba' - - '*\cscript.exe *.vbe' - # UAC bypass - - '*\fodhelper.exe' - # persistence - - '*waitfor*/s*' - - '*waitfor*/si persist*' - # remote - - '*remote*/s*' - - '*remote*/c*' - - '*remote*/q*' - # AddInProcess - - '*AddInProcess*' - # NotPowershell (nps) attack - # - '*msbuild*' # too many false positives \ No newline at end of file diff --git a/rules/windows/builtin/win_susp_ps_appdata.yml b/rules/windows/builtin/win_susp_ps_appdata.yml deleted file mode 100644 index c7f1354e0..000000000 --- a/rules/windows/builtin/win_susp_ps_appdata.yml +++ /dev/null @@ -1,39 +0,0 @@ ---- -action: global -title: PowerShell Script Run in AppData -status: experimental -description: Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder -references: - - https://twitter.com/JohnLaTwC/status/1082851155481288706 - - https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03 -author: Florian Roth -date: 2019/01/09 -logsource: - product: windows - service: sysmon -detection: - condition: selection -falsepositives: - - Administrative scripts -level: medium ---- -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - CommandLine: - - '* /c powershell*\AppData\Local\*' - - '* /c powershell*\AppData\Roaming\*' ---- -logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' -detection: - selection: - EventID: 4688 - ProcessCommandLine: - - '* /c powershell*\AppData\Local\*' - - '* /c powershell*\AppData\Roaming\*' \ No newline at end of file 
diff --git a/rules/windows/builtin/win_susp_rasdial_activity.yml b/rules/windows/builtin/win_susp_rasdial_activity.yml deleted file mode 100644 index 76676cfbf..000000000 --- a/rules/windows/builtin/win_susp_rasdial_activity.yml +++ /dev/null @@ -1,32 +0,0 @@ -action: global -title: Suspicious RASdial Activity -description: Detects suspicious process related to rasdial.exe -status: experimental -references: - - https://twitter.com/subTee/status/891298217907830785 -author: juju4 -detection: - selection: - CommandLine: - - 'rasdial' - condition: selection -falsepositives: - - False positives depend on scripts and administrative tools used in the monitored environment -level: medium ---- -# Windows Audit Log -logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' -detection: - selection: - EventID: 4688 ---- -# Sysmon -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 diff --git a/rules/windows/builtin/win_susp_run_locations.yml b/rules/windows/builtin/win_susp_run_locations.yml deleted file mode 100644 index 11a26b524..000000000 --- a/rules/windows/builtin/win_susp_run_locations.yml +++ /dev/null 
@@ -1,38 +0,0 @@ -action: global -title: Suspicious Process Start Locations -description: Detects suspicious process run from unusual locations -status: experimental -references: - - https://car.mitre.org/wiki/CAR-2013-05-002 -author: juju4 -tags: - - attack.defense_evasion - - attack.t1036 -detection: - selection: - CommandLine: - - "*:\\RECYCLER\\*" - - "*:\\SystemVolumeInformation\\*" - - "%windir%\\Tasks\\*" - - "%systemroot%\\debug\\*" - condition: selection -falsepositives: - - False positives depend on scripts and administrative tools used in the monitored environment -level: medium ---- -# Windows Audit Log -logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' -detection: - selection: - EventID: 4688 ---- -# Sysmon -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 diff --git a/rules/windows/builtin/win_susp_rundll32_activity.yml b/rules/windows/builtin/win_susp_rundll32_activity.yml deleted file mode 100644 index 872f40557..000000000 --- a/rules/windows/builtin/win_susp_rundll32_activity.yml +++ /dev/null 
@@ -1,51 +0,0 @@ -action: global -title: Suspicious Rundll32 Activity -description: Detects suspicious process related to rundll32 based on arguments -status: experimental -references: - - http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/ - - https://twitter.com/Hexacorn/status/885258886428725250 - - https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52 -tags: - - attack.defense_evasion - - attack.execution - - attack.t1085 -author: juju4 -detection: - selection: - CommandLine: - # match with or without rundll32.exe to try to catch evasion - - '*\rundll32.exe* url.dll,*OpenURL *' - - '*\rundll32.exe* url.dll,*OpenURLA *' - - '*\rundll32.exe* url.dll,*FileProtocolHandler *' - - '*\rundll32.exe* zipfldr.dll,*RouteTheCall *' - - '*\rundll32.exe* Shell32.dll,*Control_RunDLL *' - - '*\rundll32.exe javascript:*' - - '* url.dll,*OpenURL *' - - '* url.dll,*OpenURLA *' - - '* url.dll,*FileProtocolHandler *' - - '* zipfldr.dll,*RouteTheCall *' - - '* Shell32.dll,*Control_RunDLL *' - - '* javascript:*' - - '*.RegisterXLL*' - condition: selection -falsepositives: - - False positives depend on scripts and administrative tools used in the monitored environment ---- -# Windows Audit Log -logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' -detection: - selection: - EventID: 4688 ---- -# Sysmon -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 -level: medium diff --git a/rules/windows/builtin/win_susp_svchost.yml b/rules/windows/builtin/win_susp_svchost.yml deleted file mode 100644 index 9405f77d7..000000000 --- a/rules/windows/builtin/win_susp_svchost.yml +++ /dev/null 
@@ -1,49 +0,0 @@ ---- -action: global -title: Suspicious Svchost Processes -description: Detects suspicious svchost processes with parent process that is not services.exe, command line missing -k parameter or running outside Windows folder -author: Florian Roth, @c_APT_ure -date: 2018/10/26 -status: experimental -references: - - https://twitter.com/Moti_B/status/1002280132143394816 - - https://twitter.com/Moti_B/status/1002280287840153601 -falsepositives: - - Renamed %SystemRoot%s -level: high ---- -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - Image: '*\svchost.exe' - filter1: - ParentImage: - - '*\services.exe' - - '*\MsMpEng.exe' - filter2: - CommandLine: '* -k *' - filter3: - Image: 'C:\Windows\S*' # \* is a reserved expression - condition: selection and not ( filter1 or filter2 or filter3 ) ---- -logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' -detection: - selection: - EventID: 4688 - NewProcessName: '*\svchost.exe' - # Deactivated as long as some backends do not fully support the 'null' expression - # filter2: - # ProcessCommandLine: - # - null # Missing KB3004375 and Group Policy setting - # - '* -k *' - filter3: - NewProcessName: 'C:\Windows\S*' # \* is a reserved expression - condition: selection and not filter3 - - diff --git a/rules/windows/builtin/win_susp_sysprep_appdata.yml b/rules/windows/builtin/win_susp_sysprep_appdata.yml deleted file mode 100644 index 236c690b6..000000000 --- a/rules/windows/builtin/win_susp_sysprep_appdata.yml +++ /dev/null 
@@ -1,37 +0,0 @@
----
-action: global
-title: Sysprep on AppData Folder
-status: experimental
-description: Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)
-references:
- - https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets
- - https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b
-author: Florian Roth
-date: 2018/06/22
-modified: 2018/12/11
-detection:
- condition: selection
-falsepositives:
- - False positives depend on scripts and administrative tools used in the monitored environment
-level: medium
----
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- CommandLine:
- - '*\sysprep.exe *\AppData\*'
- - 'sysprep.exe *\AppData\*'
----
-logsource:
- product: windows
- service: security
- definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection:
- EventID: 4688
- ProcessCommandLine:
- - '*\sysprep.exe *\AppData\*'
- - 'sysprep.exe *\AppData\*'
diff --git a/rules/windows/builtin/win_susp_sysvol_access.yml b/rules/windows/builtin/win_susp_sysvol_access.yml
deleted file mode 100644
index f79a58cd3..000000000
--- a/rules/windows/builtin/win_susp_sysvol_access.yml
+++ /dev/null
@@ -1,36 +0,0 @@
----
-action: global
-title: Suspicious SYSVOL Domain Group Policy Access
-status: experimental
-description: Detects Access to Domain Group Policies stored in SYSVOL
-references:
- - https://adsecurity.org/?p=2288
- - https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100
-author: Markus Neis
-date: 2018/04/09
-modified: 2018/12/11
-tags:
- - attack.credential_access
- - attack.t1003
-detection:
- condition: selection
-falsepositives:
- - administrative activity
-level: medium
----
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- CommandLine: '*\SYSVOL\*\policies\*'
----
-logsource:
- product: windows
- service: security
- definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection:
- EventID: 4688
- ProcessCommandLine: '*\SYSVOL\*\policies\*'
diff --git a/rules/windows/builtin/win_susp_whoami.yml b/rules/windows/builtin/win_susp_whoami.yml
deleted file mode 100644
index 3d8ab3d4d..000000000
--- a/rules/windows/builtin/win_susp_whoami.yml
+++ /dev/null
@@ -1,36 +0,0 @@
----
-action: global
-title: Whoami Execution
-status: experimental
-description: 'Detects the execution of whoami, which is often used by attackers after exloitation / privilege escalation but rarely used by administrators'
-references:
- - https://twitter.com/haroonmeer/status/939099379834658817
- - https://twitter.com/c_APT_ure/status/939475433711722497
-author: Florian Roth
-date: 2018/05/22
-tags:
- - attack.discovery
- - attack.t1033
-detection:
- condition: selection
-falsepositives:
- - Admin activity
- - Scripts and administrative tools used in the monitored environment
-level: high
----
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- CommandLine: 'whoami'
----
-logsource:
- product: windows
- service: security
- definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection:
- EventID: 4688
- NewProcessName: '*\whoami.exe'
diff --git a/rules/windows/builtin/win_wmi_persistence_script_event_consumer.yml b/rules/windows/builtin/win_wmi_persistence_script_event_consumer.yml
deleted file mode 100644
index ecedd03fd..000000000
--- a/rules/windows/builtin/win_wmi_persistence_script_event_consumer.yml
+++ /dev/null
@@ -1,36 +0,0 @@
----
-action: global
-title: WMI Persistence - Script Event Consumer
-status: experimental
-description: Detects WMI script event consumers
-references:
- - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
-author: Thomas Patzke
-date: 2018/03/07
-tags:
- - attack.execution
- - attack.persistence
- - attack.t1047
-detection:
- selection:
- Image: 'C:\WINDOWS\system32\wbem\scrcons.exe'
- ParentImage: 'C:\Windows\System32\svchost.exe'
- condition: selection
-falsepositives:
- - Legitimate event consumers
-level: high
----
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
----
-logsource:
- product: windows
- service: security
- definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection:
- EventID: 4688
diff --git a/rules/windows/malware/sysmon_malware_dridex.yml b/rules/windows/malware/sysmon_malware_dridex.yml
deleted file mode 100644
index 9f351c5e7..000000000
--- a/rules/windows/malware/sysmon_malware_dridex.yml
+++ /dev/null
@@ -1,40 +0,0 @@
----
-action: global
-title: Dridex Process Pattern
-status: experimental
-description: Detects typical Dridex process patterns
-references:
- - https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3
-author: Florian Roth
-date: 2019/01/10
-logsource:
- product: windows
- service: sysmon
-detection:
- condition: 1 of them
-falsepositives:
- - Unlikely
-level: critical
----
-logsource:
- product: windows
- service: sysmon
-detection:
- selection1:
- EventID: 1
- CommandLine: '*\svchost.exe C:\Users\*\Desktop\*'
- selection2:
- EventID: 1
- ParentImage: '*\svchost.exe*'
- CommandLine:
- - '*whoami.exe /all'
- - '*net.exe view'
----
-logsource:
- product: windows
- service: security
- definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection:
- EventID: 4688
- ProcessCommandLine: '*\svchost.exe C:\Users\*\Desktop\*'
\ No newline at end of file
diff --git a/rules/windows/malware/sysmon_malware_notpetya.yml b/rules/windows/malware/sysmon_malware_notpetya.yml
deleted file mode 100644
index b6d8e50d0..000000000
--- a/rules/windows/malware/sysmon_malware_notpetya.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-title: NotPetya Ransomware Activity
-status: experimental
-description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil
-author: Florian Roth, Tom Ueltschi
-references:
- - https://securelist.com/schroedingers-petya/78870/
- - https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100
-tags:
- - attack.execution
- - attack.credential_access
- - attack.defense_evasion
- - attack.t1085
- - attack.t1070
- - attack.t1003
-logsource:
- product: windows
- service: sysmon
-detection:
- fsutil_clean_journal:
- EventID: 1
- Image: '*\fsutil.exe'
- CommandLine: '* deletejournal *'
- pipe_com:
- EventID: 1
- CommandLine: '*\AppData\Local\Temp\* \\.\pipe\*'
- event_clean:
- EventID: 1
- Image: '*\wevtutil.exe'
- CommandLine: '* cl *'
- rundll32_dash1:
- EventID: 1
- Image: '*\rundll32.exe'
- CommandLine: '*.dat,#1'
- perfc_keyword:
- - '*\perfc.dat*'
- condition: 1 of them
-fields:
- - CommandLine
- - ParentCommandLine
-falsepositives:
- - Admin activity
-level: critical
-
diff --git a/rules/windows/malware/sysmon_malware_wannacry.yml b/rules/windows/malware/sysmon_malware_wannacry.yml
deleted file mode 100644
index ee87ca239..000000000
--- a/rules/windows/malware/sysmon_malware_wannacry.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-title: WannaCry Ransomware via Sysmon
-status: experimental
-description: Detects WannaCry ransomware activity via Sysmon
-references:
- - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
-author: Florian Roth (rule), Tom U. @c_APT_ure (collection)
-logsource:
- product: windows
- service: sysmon
-detection:
- selection1:
- EventID: 1
- Image:
- - '*\tasksche.exe'
- - '*\mssecsvc.exe'
- - '*\taskdl.exe'
- - '*\@WanaDecryptor@*'
- - '*\taskhsvc.exe'
- - '*\taskse.exe'
- - '*\111.exe'
- - '*\lhdfrgui.exe'
- - '*\diskpart.exe' # Rare, but can be false positive
- - '*\linuxnew.exe'
- - '*\wannacry.exe'
- selection2:
- EventID: 1
- CommandLine:
- - '*vssadmin delete shadows*'
- - '*icacls * /grant Everyone:F /T /C /Q*'
- - '*bcdedit /set {default} recoveryenabled no*'
- - '*wbadmin delete catalog -quiet*'
- - '*@Please_Read_Me@.txt*'
- condition: 1 of them
-fields:
- - CommandLine
- - ParentCommandLine
-falsepositives:
- - Diskpart.exe usage to manage partitions on the local hard drive
-level: critical
-
-
diff --git a/rules/windows/malware/win_mal_adwind.yml b/rules/windows/malware/win_mal_adwind.yml
deleted file mode 100644
index e75b3094b..000000000
--- a/rules/windows/malware/win_mal_adwind.yml
+++ /dev/null
@@ -1,56 +0,0 @@
----
-action: global
-title: Adwind RAT / JRAT
-status: experimental
-description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
-references:
- - https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100
- - https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
-author: Florian Roth, Tom Ueltschi
-date: 2017/11/10
-modified: 2018/12/11
-detection:
- condition: selection
-level: high
----
-# Windows Security Eventlog: Process Creation with Full Command Line
-logsource:
- product: windows
- service: security
- definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection:
- EventID: 4688
- ProcessCommandLine:
- - '*\AppData\Roaming\Oracle*\java*.exe *'
- - '*cscript.exe *Retrive*.vbs *'
----
-# Sysmon: Process Creation (ID 1)
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- Image: '*\AppData\Roaming\Oracle\bin\java*.exe'
----
-# Sysmon: File Creation (ID 11)
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 11
- TargetFilename:
- - '*\AppData\Roaming\Oracle\bin\java*.exe'
- - '*\Retrive*.vbs'
----
-# Sysmon: Registry Value Set (ID 13)
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 13
- TargetObject: '\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*'
- Details: '%AppData%\Roaming\Oracle\bin\*'
diff --git a/rules/windows/malware/win_mal_wannacry.yml b/rules/windows/malware/win_mal_wannacry.yml
deleted file mode 100644
index 89a95be39..000000000
--- a/rules/windows/malware/win_mal_wannacry.yml
+++ /dev/null
@@ -1,67 +0,0 @@
-action: global
-title: WannaCry Ransomware
-description: Detects WannaCry Ransomware Activity
-status: experimental
-references:
- - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
-author: Florian Roth
-detection:
- selection1:
- CommandLine:
- - '*vssadmin delete shadows*'
- - '*icacls * /grant Everyone:F /T /C /Q*'
- - '*bcdedit /set {default} recoveryenabled no*'
- - '*wbadmin delete catalog -quiet*'
- condition: 1 of them
-falsepositives:
- - Unknown
-level: critical
----
-# Windows Audit Log
-logsource:
- product: windows
- service: security
- definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection1:
- # Requires group policy 'Audit Process Creation' > Include command line in process creation events
- EventID: 4688
- selection2:
- # Does not require group policy 'Audit Process Creation' > Include command line in process creation events
- EventID: 4688
- NewProcessName:
- - '*\tasksche.exe'
- - '*\mssecsvc.exe'
- - '*\taskdl.exe'
- - '*\WanaDecryptor*'
- - '*\taskhsvc.exe'
- - '*\taskse.exe'
- - '*\111.exe'
- - '*\lhdfrgui.exe'
- - '*\diskpart.exe' # Rare, but can be false positive
- - '*\linuxnew.exe'
- - '*\wannacry.exe'
----
-# Sysmon
-logsource:
- product: windows
- service: sysmon
-detection:
- selection1:
- # Requires group policy 'Audit Process Creation' > Include command line in process creation events
- EventID: 1
- selection2:
- # Does not require group policy 'Audit Process Creation' > Include command line in process creation events
- EventID: 1
- Image:
- - '*\tasksche.exe'
- - '*\mssecsvc.exe'
- - '*\taskdl.exe'
- - '*\WanaDecryptor*'
- - '*\taskhsvc.exe'
- - '*\taskse.exe'
- - '*\111.exe'
- - '*\lhdfrgui.exe'
- - '*\diskpart.exe' # Rare, but can be false positive
- - '*\linuxnew.exe'
- - '*\wannacry.exe'
diff --git a/rules/windows/powershell/powershell_xor_commandline.yml b/rules/windows/powershell/powershell_xor_commandline.yml
deleted file mode 100644
index 57e4c60ec..000000000
--- a/rules/windows/powershell/powershell_xor_commandline.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-action: global
-title: Suspicious XOR Encoded PowerShell Command Line
-description: Detects suspicious powershell process which includes bxor command, alternatvide obfuscation method to b64 encoded commands.
-status: experimental
-author: Sami Ruohonen
-date: 2018/09/05
-detection:
- selection:
- CommandLine:
- - '* -bxor*'
- condition: selection
-falsepositives:
- - unknown
-level: medium
----
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
----
-logsource:
- product: windows
- service: security
- definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection:
- EventID: 4688
diff --git a/rules/windows/process_creation/powershell_xor_commandline.yml b/rules/windows/process_creation/powershell_xor_commandline.yml
new file mode 100644
index 000000000..b6274ff57
--- /dev/null
+++ b/rules/windows/process_creation/powershell_xor_commandline.yml
@@ -0,0 +1,16 @@
+title: Suspicious XOR Encoded PowerShell Command Line
+description: Detects suspicious powershell process which includes bxor command, alternatvide obfuscation method to b64 encoded commands.
+status: experimental
+author: Sami Ruohonen
+date: 2018/09/05
+detection:
+ selection:
+ CommandLine:
+ - '* -bxor*'
+ condition: selection
+falsepositives:
+ - unknown
+level: medium
+logsource:
+ category: process_creation
+ product: windows
diff --git a/rules/windows/process_creation/win_attrib_hiding_files.yml b/rules/windows/process_creation/win_attrib_hiding_files.yml
new file mode 100644
index 000000000..b86350d61
--- /dev/null
+++ b/rules/windows/process_creation/win_attrib_hiding_files.yml
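Review bot: The new rule's selection has no `Image` constraint, so any process whose command line contains ` -bxor` matches, not only the PowerShell host the title and description name; if that is deliberate (renamed hosts, pwsh.exe), say so in the description, otherwise add `Image: '*\powershell.exe'` next to `CommandLine:` in the selection. The description also carries a typo: `alternatvide` should read `alternative`.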
@@ -0,0 +1,30 @@
+title: Hiding files with attrib.exe
+status: experimental
+description: Detects usage of attrib.exe to hide files from users.
+author: Sami Ruohonen
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image: '*\attrib.exe'
+ CommandLine: '* +h *'
+ ini:
+ CommandLine: '*\desktop.ini *'
+ intel:
+ ParentImage: '*\cmd.exe'
+ CommandLine: +R +H +S +A \*.cui
+ ParentCommandLine: C:\WINDOWS\system32\\*.bat
+ condition: selection and not (ini or intel)
+fields:
+ - CommandLine
+ - ParentCommandLine
+ - User
+tags:
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.t1158
+falsepositives:
+ - igfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe)
+ - msiexec.exe hiding desktop.ini
+level: low
diff --git a/rules/windows/process_creation/win_bypass_squiblytwo.yml b/rules/windows/process_creation/win_bypass_squiblytwo.yml
new file mode 100644
index 000000000..94e8515b2
--- /dev/null
+++ b/rules/windows/process_creation/win_bypass_squiblytwo.yml
@@ -0,0 +1,34 @@
+title: SquiblyTwo
+status: experimental
+description: Detects WMI SquiblyTwo Attack with possible renamed WMI by looking for imphash
+references:
+ - https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html
+ - https://twitter.com/mattifestation/status/986280382042595328
+tags:
+ - attack.defense_evasion
+ - attack.t1047
+author: Markus Neis / Florian Roth
+falsepositives:
+ - Unknown
+level: medium
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ Image:
+ - '*\wmic.exe'
+ CommandLine:
+ - wmic * *format:\"http*
+ - wmic * /format:'http
+ - wmic * /format:http*
+ selection2:
+ Imphash:
+ - 1B1A3F43BF37B5BFE60751F2EE2F326E
+ - 37777A96245A3C74EB217308F3546F4C
+ - 9D87C9D67CE724033C0B40CC4CA1B206
+ CommandLine:
+ - '* *format:\"http*'
+ - '* /format:''http'
+ - '* /format:http*'
+ condition: 1 of them
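Review bot: In selection1 the second CommandLine pattern `- wmic * /format:'http` has no trailing wildcard, so it only matches a command line that ends exactly with `/format:'http`, which a real invocation (`/format:'http://host/file.xsl'`) never does; selection2's `'* /format:''http'` has the same gap. Change them to `- wmic * /format:'http*` and `- '* /format:''http*'`. The description also says the rule catches a "renamed WMI by looking for imphash", which only selection2 does; selection1 still keys on `Image: '*\wmic.exe'`, so the wording should make clear which branch covers the renamed case.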
diff --git a/rules/windows/process_creation/win_cmdkey_recon.yml b/rules/windows/process_creation/win_cmdkey_recon.yml
new file mode 100644
index 000000000..8ec873a87
--- /dev/null
+++ b/rules/windows/process_creation/win_cmdkey_recon.yml
@@ -0,0 +1,22 @@
+title: Cmdkey Cached Credentials Recon
+status: experimental
+description: Detects usage of cmdkey to look for cached credentials
+references:
+ - https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
+ - https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx
+author: jmallette
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image: '*\cmdkey.exe'
+ CommandLine: '* /list *'
+ condition: selection
+fields:
+ - CommandLine
+ - ParentCommandLine
+ - User
+falsepositives:
+ - Legitimate administrative tasks.
+level: low
diff --git a/rules/windows/process_creation/win_cmstp_com_object_access.yml b/rules/windows/process_creation/win_cmstp_com_object_access.yml
new file mode 100644
index 000000000..5faf82be6
--- /dev/null
+++ b/rules/windows/process_creation/win_cmstp_com_object_access.yml
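Review bot: `CommandLine: '* /list *'` in the selection requires a space after `/list`, so the plain `cmdkey /list` invocation — the usual way to enumerate stored credentials — ends the command line and never matches. Use `CommandLine: '* /list*'` so the switch is matched whatever follows it, and consider `'*/list*'` if the `/list` may also appear without a preceding space (e.g. after a quoted path).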
@@ -0,0 +1,32 @@
+title: CMSTP UAC Bypass via COM Object Access
+status: stable
+description: Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.execution
+ - attack.t1088
+ - attack.t1191
+ - attack.g0069
+author: Nik Seetharaman
+references:
+ - http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
+ - https://twitter.com/hFireF0X/status/897640081053364225
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ ParentCommandLine: '*\DllHost.exe'
+ selection2:
+ ParentCommandLine:
+ - '*\{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'
+ - '*\{3E000D72-A845-4CD9-BD83-80C07C3B881F}'
+ condition: selection1 and selection2
+fields:
+ - CommandLine
+ - ParentCommandLine
+ - Hashes
+falsepositives:
+ - Legitimate CMSTP use (unlikely in modern enterprise environments)
+level: high
diff --git a/rules/windows/sysmon/sysmon_exploit_cve_2015_1641.yml b/rules/windows/process_creation/win_exploit_cve_2015_1641.yml
similarity index 73%
rename from rules/windows/sysmon/sysmon_exploit_cve_2015_1641.yml
rename to rules/windows/process_creation/win_exploit_cve_2015_1641.yml
index d4abdd93c..ce3befeae 100644
--- a/rules/windows/sysmon/sysmon_exploit_cve_2015_1641.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2015_1641.yml
@@ -7,14 +7,13 @@ references:
 author: Florian Roth
 date: 2018/02/22
 logsource:
- product: windows
- service: sysmon
+ category: process_creation
+ product: windows
 detection:
- selection:
- EventID: 1
- ParentImage: '*\WINWORD.EXE'
- Image: '*\MicroScMgmt.exe '
- condition: selection
+ selection:
+ ParentImage: '*\WINWORD.EXE'
+ Image: '*\MicroScMgmt.exe '
+ condition: selection
 falsepositives:
- - Unknown
+ - Unknown
 level: critical
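Review bot: `condition: selection1 and selection2` can never be true as written, because both selections test the same field `ParentCommandLine` with end-anchored patterns: selection1 needs the value to end in `\DllHost.exe` while selection2 needs it to end in one of the two CLSIDs, and a DllHost command line of the form `…\DllHost.exe /Processid:{…}` satisfies only the second. Change selection1 to `ParentCommandLine: '*\DllHost.exe*'` (or test `ParentImage: '*\DllHost.exe'` instead) and keep the CLSID patterns in selection2. With `status: stable` and `level: high`, a rule that cannot fire is worth catching before it ships.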
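Review bot: The new selection keeps `Image: '*\MicroScMgmt.exe '` with a trailing space inside the quotes, so the pattern requires the image path to end with a space and will never match a real process image; write `Image: '*\MicroScMgmt.exe'`. The removed line has the same trailing space, so this is an inherited defect rather than one introduced by the move, but the rename is the natural place to fix it.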
diff --git a/rules/windows/process_creation/win_exploit_cve_2017_0261.yml b/rules/windows/process_creation/win_exploit_cve_2017_0261.yml
new file mode 100644
index 000000000..fcfabffcf
--- /dev/null
+++ b/rules/windows/process_creation/win_exploit_cve_2017_0261.yml
@@ -0,0 +1,18 @@
+title: Exploit for CVE-2017-0261
+status: experimental
+description: Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262
+references:
+ - https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html
+author: Florian Roth
+date: 2018/02/22
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage: '*\WINWORD.EXE'
+ Image: '*\FLTLDR.exe*'
+ condition: selection
+falsepositives:
+ - Several false positives identified, check for suspicious file names or locations (e.g. Temp folders)
+level: medium
diff --git a/rules/windows/process_creation/win_exploit_cve_2017_11882.yml b/rules/windows/process_creation/win_exploit_cve_2017_11882.yml
new file mode 100644
index 000000000..922d2ea57
--- /dev/null
+++ b/rules/windows/process_creation/win_exploit_cve_2017_11882.yml
@@ -0,0 +1,20 @@
+title: Droppers exploiting CVE-2017-11882
+status: experimental
+description: Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe
+references:
+ - https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100
+ - https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw
+author: Florian Roth
+date: 2017/11/23
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage: '*\EQNEDT32.EXE'
+ condition: selection
+fields:
+ - CommandLine
+falsepositives:
+ - unknown
+level: critical
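Review bot: The second reference in the CVE-2017-11882 rule is a Google redirect (`https://www.google.com/url?hl=en&q=…&source=gmail&ust=…&usg=…`) rather than the page it points to; replace it with the wrapped URL, `https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about`, so the rule does not depend on a tracking redirect that can expire. The selection itself (`ParentImage: '*\EQNEDT32.EXE'`) is fine for a `critical` rule, but the description should state that any child of EQNEDT32.EXE is treated as exploitation, since no `Image` filter is applied.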
diff --git a/rules/windows/sysmon/sysmon_exploit_cve_2017_8759.yml b/rules/windows/process_creation/win_exploit_cve_2017_8759.yml
similarity index 68%
rename from rules/windows/sysmon/sysmon_exploit_cve_2017_8759.yml
rename to rules/windows/process_creation/win_exploit_cve_2017_8759.yml
index 7267b3d3e..b08742ff1 100644
--- a/rules/windows/sysmon/sysmon_exploit_cve_2017_8759.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2017_8759.yml
@@ -1,4 +1,4 @@
-title: Exploit for CVE-2017-8759
+title: Exploit for CVE-2017-8759
 description: Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759
 references:
 - https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
@@ -6,14 +6,13 @@ references:
 author: Florian Roth
 date: 15.09.2017
 logsource:
- product: windows
- service: sysmon
+ category: process_creation
+ product: windows
 detection:
- selection:
- EventID: 1
- ParentImage: '*\WINWORD.EXE'
- Image: '*\csc.exe'
- condition: selection
+ selection:
+ ParentImage: '*\WINWORD.EXE'
+ Image: '*\csc.exe'
+ condition: selection
 falsepositives:
- - Unknown
+ - Unknown
 level: critical
diff --git a/rules/windows/process_creation/win_hack_rubeus.yml b/rules/windows/process_creation/win_hack_rubeus.yml
new file mode 100644
index 000000000..16884c73b
--- /dev/null
+++ b/rules/windows/process_creation/win_hack_rubeus.yml
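Review bot: `date: 15.09.2017`, a context line of the second hunk, uses a different format from every other rule in this change (`YYYY/MM/DD`, e.g. `date: 2018/02/22` in the sibling CVE rules), so any tooling that sorts or parses the field will treat it differently; while the file is being rewritten, change it to `date: 2017/09/15`. The first hunk appears to only strip trailing whitespace from the title, which is fine.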
@@ -0,0 +1,29 @@
+title: Rubeus Hack Tool
+description: Detects command line parameters used by Rubeus hack tool
+author: Florian Roth
+references:
+ - https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/
+date: 2018/12/19
+tags:
+ - attack.credential_access
+ - attack.t1003
+ - attack.s0005
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine:
+ - '* asreproast *'
+ - '* dump /service:krbtgt *'
+ - '* kerberoast *'
+ - '* createnetonly /program:*'
+ - '* ptt /ticket:*'
+ - '* /impersonateuser:*'
+ - '* renew /ticket:*'
+ - '* asktgt /user:*'
+ - '* harvest /interval:*'
+ condition: selection
+falsepositives:
+ - unlikely
+level: critical
diff --git a/rules/windows/process_creation/win_lethalhta.yml b/rules/windows/process_creation/win_lethalhta.yml
new file mode 100644
index 000000000..86d4dac8a
--- /dev/null
+++ b/rules/windows/process_creation/win_lethalhta.yml
@@ -0,0 +1,18 @@
+title: MSHTA spwaned by SVCHOST as seen in LethalHTA
+status: experimental
+description: Detects MSHTA.EXE spwaned by SVCHOST described in report
+references:
+ - https://codewhitesec.blogspot.com/2018/07/lethalhta.html
+author: Markus Neis
+date: 2018/06/07
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage: '*\svchost.exe'
+ Image: '*\mshta.exe'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/win_mal_adwind.yml b/rules/windows/process_creation/win_mal_adwind.yml
new file mode 100644
index 000000000..916c2f4c0
--- /dev/null
+++ b/rules/windows/process_creation/win_mal_adwind.yml
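Review bot: The Rubeus rule's first two patterns, `'* asreproast *'` and `'* kerberoast *'`, require a trailing space, so `Rubeus.exe kerberoast` run with no further arguments — the form the referenced post uses — ends the command line and does not match; write them as `'* asreproast*'` and `'* kerberoast*'` (the other entries already end in a wildcard). The rule also lacks a `status:` field, which every other new rule in this change carries.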
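Review bot: The LethalHTA rule's title and description misspell "spawned" (`MSHTA spwaned by SVCHOST as seen in LethalHTA`, `Detects MSHTA.EXE spwaned by SVCHOST described in report`); fix both, and make the description say what the pairing means — mshta.exe started by a svchost.exe-hosted service, as the referenced LethalHTA write-up describes — so an analyst has the context without following the link. "described in report" on its own does not tell the reader which report.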
@@ -0,0 +1,48 @@
+action: global
+title: Adwind RAT / JRAT
+status: experimental
+description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
+references:
+ - https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100
+ - https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
+author: Florian Roth, Tom Ueltschi
+date: 2017/11/10
+modified: 2018/12/11
+detection:
+ condition: selection
+level: high
+---
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ProcessCommandLine:
+ - '*\AppData\Roaming\Oracle*\java*.exe *'
+ - '*cscript.exe *Retrive*.vbs *'
+---
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image: '*\AppData\Roaming\Oracle\bin\java*.exe'
+---
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 11
+ TargetFilename:
+ - '*\AppData\Roaming\Oracle\bin\java*.exe'
+ - '*\Retrive*.vbs'
+---
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 13
+ TargetObject: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*
+ Details: '%AppData%\Roaming\Oracle\bin\*'
diff --git a/rules/windows/process_creation/win_mal_wannacry.yml b/rules/windows/process_creation/win_mal_wannacry.yml
new file mode 100644
index 000000000..c8571db81
--- /dev/null
+++ b/rules/windows/process_creation/win_mal_wannacry.yml
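Review bot: The first `process_creation` document selects on `ProcessCommandLine`, the Security-4688 field name carried over from the old Security-log section, while every other process_creation rule in this change uses the generic `CommandLine` and leaves the per-backend field mapping to the configuration; with `ProcessCommandLine` the Sysmon mapping will not apply. Change that key to `CommandLine:`. Since the first two documents now share an identical `logsource`, they could also be folded into one document with two selections, which avoids emitting two queries for the same source.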
@@ -0,0 +1,33 @@
+title: WannaCry Ransomware
+description: Detects WannaCry Ransomware Activity
+status: experimental
+references:
+ - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
+author: Florian Roth
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ CommandLine:
+ - '*vssadmin delete shadows*'
+ - '*icacls * /grant Everyone:F /T /C /Q*'
+ - '*bcdedit /set {default} recoveryenabled no*'
+ - '*wbadmin delete catalog -quiet*'
+ selection2:
+ Image:
+ - '*\tasksche.exe'
+ - '*\mssecsvc.exe'
+ - '*\taskdl.exe'
+ - '*\WanaDecryptor*'
+ - '*\taskhsvc.exe'
+ - '*\taskse.exe'
+ - '*\111.exe'
+ - '*\lhdfrgui.exe'
+ - '*\diskpart.exe'
+ - '*\linuxnew.exe'
+ - '*\wannacry.exe'
+ condition: 1 of them
+falsepositives:
+ - Unknown
+level: critical
diff --git a/rules/windows/process_creation/win_malware_dridex.yml b/rules/windows/process_creation/win_malware_dridex.yml
new file mode 100644
index 000000000..aa3c5aac3
--- /dev/null
+++ b/rules/windows/process_creation/win_malware_dridex.yml
@@ -0,0 +1,22 @@
+title: Dridex Process Pattern
+status: experimental
+description: Detects typical Dridex process patterns
+references:
+ - https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3
+author: Florian Roth
+date: 2019/01/10
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ CommandLine: '*\svchost.exe C:\Users\*\Desktop\*'
+ selection2:
+ ParentImage: '*\svchost.exe*'
+ CommandLine:
+ - '*whoami.exe /all'
+ - '*net.exe view'
+ condition: 1 of them
+falsepositives:
+ - Unlikely
+level: critical
diff --git a/rules/windows/process_creation/win_malware_notpetya.yml b/rules/windows/process_creation/win_malware_notpetya.yml
new file mode 100644
index 000000000..d35144875
--- /dev/null
+++ b/rules/windows/process_creation/win_malware_notpetya.yml
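Review bot: `win_mal_wannacry.yml` duplicates `win_malware_wannacry.yml`, added in the same change under the same `process_creation` log source with the same image names and command-line patterns; keep one rule (or give each a distinct scope) rather than shipping both. The rewrite also drops the old `# Rare, but can be false positive` note next to `- '*\diskpart.exe'` while keeping `falsepositives: Unknown` and `level: critical`; restore the comment or list `Diskpart.exe usage to manage partitions` under `falsepositives` as the sibling rule does.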
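Review bot: In the Dridex rule, selection2's patterns `'*whoami.exe /all'` and `'*net.exe view'` are anchored at the end, so they only match when `.exe` is spelled out and nothing follows; the common `whoami /all` and `net view` forms are missed. Matching on `Image: '*\whoami.exe'` / `'*\net.exe'` with `CommandLine: '* /all*'` / `'* view*'` would cover both spellings, or at least drop the `.exe` from the patterns (`'*whoami /all*'`, `'*net view*'`). `ParentImage: '*\svchost.exe*'` also has an unnecessary trailing wildcard that the other rules do not use.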
@@ -0,0 +1,39 @@
+title: NotPetya Ransomware Activity
+status: experimental
+description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive
+ C is deleted and windows eventlogs are cleared using wevtutil
+author: Florian Roth, Tom Ueltschi
+references:
+ - https://securelist.com/schroedingers-petya/78870/
+ - https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100
+tags:
+ - attack.execution
+ - attack.credential_access
+ - attack.defense_evasion
+ - attack.t1085
+ - attack.t1070
+ - attack.t1003
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ fsutil_clean_journal:
+ Image: '*\fsutil.exe'
+ CommandLine: '* deletejournal *'
+ pipe_com:
+ CommandLine: '*\AppData\Local\Temp\* \\.\pipe\*'
+ event_clean:
+ Image: '*\wevtutil.exe'
+ CommandLine: '* cl *'
+ rundll32_dash1:
+ Image: '*\rundll32.exe'
+ CommandLine: '*.dat,#1'
+ perfc_keyword:
+ - '*\perfc.dat*'
+ condition: 1 of them
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Admin activity
+level: critical
diff --git a/rules/windows/process_creation/win_malware_script_dropper.yml b/rules/windows/process_creation/win_malware_script_dropper.yml
new file mode 100644
index 000000000..2c14688d0
--- /dev/null
+++ b/rules/windows/process_creation/win_malware_script_dropper.yml
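Review bot: `perfc_keyword` is a field-less keyword list (`- '*\perfc.dat*'`) inside a `process_creation` rule, so backends that support keywords run a full-text search over the whole event while others cannot translate the selection at all; the old Sysmon rule had the same construct, but now that the rule is bound to a generic log source it is better tied to a field, e.g. `perfc_keyword:` followed by `CommandLine: '*\perfc.dat*'` (or `Image`, whichever the referenced sample shows). `'* deletejournal *'` and `'* cl *'` also require a trailing space, which `fsutil usn deletejournal /d C:` and `wevtutil cl System` do satisfy, so those two are fine as written.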
@@ -0,0 +1,33 @@
+title: WScript or CScript Dropper
+status: experimental
+description: Detects wscript/cscript executions of scripts located in user directories
+author: Margaritis Dimitrios (idea), Florian Roth (rule)
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image:
+ - '*\wscript.exe'
+ - '*\cscript.exe'
+ CommandLine:
+ - '* C:\Users\*.jse *'
+ - '* C:\Users\*.vbe *'
+ - '* C:\Users\*.js *'
+ - '* C:\Users\*.vba *'
+ - '* C:\Users\*.vbs *'
+ - '* C:\ProgramData\*.jse *'
+ - '* C:\ProgramData\*.vbe *'
+ - '* C:\ProgramData\*.js *'
+ - '* C:\ProgramData\*.vba *'
+ - '* C:\ProgramData\*.vbs *'
+ falsepositive:
+ ParentImage: '*\winzip*'
+ condition: selection
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Winzip
+ - Other self-extractors
+level: high
diff --git a/rules/windows/process_creation/win_malware_wannacry.yml b/rules/windows/process_creation/win_malware_wannacry.yml
new file mode 100644
index 000000000..f8639f654
--- /dev/null
+++ b/rules/windows/process_creation/win_malware_wannacry.yml
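Review bot: The `falsepositive` selection (`ParentImage: '*\winzip*'`) is defined but never referenced — the condition is just `condition: selection` — so the WinZip exclusion that the `falsepositives` section announces is not applied and every matching wscript/cscript launch fires at `level: high`. Change it to `condition: selection and not falsepositive`. Note also that every CommandLine pattern ends in ` *`, so a script path given as the last argument with nothing after it (`cscript.exe C:\Users\x\a.vbs`) does not match; dropping the trailing space (`'* C:\Users\*.vbs*'`) would close that gap at the cost of also matching longer extensions.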
@@ -0,0 +1,37 @@
+title: WannaCry Ransomware via Sysmon
+status: experimental
+description: Detects WannaCry ransomware activity via Sysmon
+references:
+ - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
+author: Florian Roth (rule), Tom U. @c_APT_ure (collection)
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ Image:
+ - '*\tasksche.exe'
+ - '*\mssecsvc.exe'
+ - '*\taskdl.exe'
+ - '*\@WanaDecryptor@*'
+ - '*\taskhsvc.exe'
+ - '*\taskse.exe'
+ - '*\111.exe'
+ - '*\lhdfrgui.exe'
+ - '*\diskpart.exe'
+ - '*\linuxnew.exe'
+ - '*\wannacry.exe'
+ selection2:
+ CommandLine:
+ - '*vssadmin delete shadows*'
+ - '*icacls * /grant Everyone:F /T /C /Q*'
+ - '*bcdedit /set {default} recoveryenabled no*'
+ - '*wbadmin delete catalog -quiet*'
+ - '*@Please_Read_Me@.txt*'
+ condition: 1 of them
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Diskpart.exe usage to manage partitions on the local hard drive
+level: critical
diff --git a/rules/windows/process_creation/win_mavinject_proc_inj.yml b/rules/windows/process_creation/win_mavinject_proc_inj.yml
new file mode 100644
index 000000000..4b049a114
--- /dev/null
+++ b/rules/windows/process_creation/win_mavinject_proc_inj.yml
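Review bot: The title `WannaCry Ransomware via Sysmon` and the description `Detects WannaCry ransomware activity via Sysmon` are stale now that the log source is the generic `process_creation` category and the rule is no longer tied to Sysmon event 1; drop the "via Sysmon" wording, e.g. `title: WannaCry Ransomware Process Patterns` and `description: Detects WannaCry ransomware activity by process image names and command lines`. The rule also overlaps almost entirely with `win_mal_wannacry.yml` from the same change, so one of the two should go.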
@@ -0,0 +1,24 @@ +title: MavInject Process Injection +status: experimental +description: Detects process injection using the signed Windows tool Mavinject32.exe +references: + - https://twitter.com/gN3mes1s/status/941315826107510784 + - https://reaqta.com/2017/12/mavinject-microsoft-injector/ + - https://twitter.com/Hexacorn/status/776122138063409152 +author: Florian Roth +date: 2018/12/12 +tags: + - attack.process_injection + - attack.t1055 + - attack.signed_binary_proxy_execution + - attack.t1218 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: '* /INJECTRUNNING *' + condition: selection +falsepositives: + - unknown +level: critical diff --git a/rules/windows/process_creation/win_mshta_spawn_shell.yml b/rules/windows/process_creation/win_mshta_spawn_shell.yml new file mode 100644 index 000000000..7710a22a9 --- /dev/null +++ b/rules/windows/process_creation/win_mshta_spawn_shell.yml @@ -0,0 +1,37 @@ +title: MSHTA Spawning Windows Shell +status: experimental +description: Detects a Windows command line executable started from MSHTA. +references: + - https://www.trustedsec.com/july-2015/malicious-htas/ +author: Michael Haag +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage: '*\mshta.exe' + Image: + - '*\cmd.exe' + - '*\powershell.exe' + - '*\wscript.exe' + - '*\cscript.exe' + - '*\sh.exe' + - '*\bash.exe' + - '*\reg.exe' + - '*\regsvr32.exe' + - '*\BITSADMIN*' + filter: + CommandLine: + - '*/HP/HP*' + - '*\HP\HP*' + condition: selection and not filter +fields: + - CommandLine + - ParentCommandLine +tags: + - attack.defense_evasion + - attack.execution + - attack.t1170 +falsepositives: + - Printer software / driver installations +level: high diff --git a/rules/windows/process_creation/win_multiple_suspicious_cli.yml b/rules/windows/process_creation/win_multiple_suspicious_cli.yml new file mode 100644 index 000000000..7e0fbecb6 --- /dev/null 
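Review bot: The `filter` in the MSHTA rule excludes any CommandLine containing `'*/HP/HP*'` or `'*\HP\HP*'`, which is attacker-controlled text: a payload launched from an HTA can append a harmless `\HP\HP` token to its arguments and opt out of a high-level alert. Anchor the exclusion on something the attacker does not shape freely, e.g. the `Image` path of the HP installer binary or its `ParentCommandLine`, and describe the benign case in `falsepositives` beyond "Printer software / driver installations". Separately, `'*\BITSADMIN*'` is the only Image entry without an `.exe` suffix; `'*\bitsadmin.exe'` keeps the list consistent.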
+++ b/rules/windows/process_creation/win_multiple_suspicious_cli.yml @@ -0,0 +1,56 @@ +title: Quick Execution of a Series of Suspicious Commands +description: Detects multiple suspicious process in a limited timeframe +status: experimental +references: + - https://car.mitre.org/wiki/CAR-2013-04-002 +author: juju4 +modified: 2012/12/11 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: + - arp.exe + - at.exe + - attrib.exe + - cscript.exe + - dsquery.exe + - hostname.exe + - ipconfig.exe + - mimikatz.exe + - nbstat.exe + - net.exe + - netsh.exe + - nslookup.exe + - ping.exe + - quser.exe + - qwinsta.exe + - reg.exe + - runas.exe + - sc.exe + - schtasks.exe + - ssh.exe + - systeminfo.exe + - taskkill.exe + - telnet.exe + - tracert.exe + - wscript.exe + - xcopy.exe + - pscp.exe + - copy.exe + - robocopy.exe + - certutil.exe + - vssadmin.exe + - powershell.exe + - wevtutil.exe + - psexec.exe + - bcedit.exe + - wbadmin.exe + - icacls.exe + - diskpart.exe + timeframe: 5m + condition: selection | count() by MachineName > 5 +falsepositives: + - False positives depend on scripts and administrative tools used in the monitored environment +level: low diff --git a/rules/windows/process_creation/win_office_shell.yml b/rules/windows/process_creation/win_office_shell.yml new file mode 100644 index 000000000..dc1ced424 --- /dev/null +++ b/rules/windows/process_creation/win_office_shell.yml 
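Review bot: The CommandLine values (`arp.exe`, `at.exe`, …) contain no wildcards, so Sigma treats them as exact matches on the full command line; `net user /add` or `C:\Windows\System32\ipconfig.exe /all` do not match, and the rule only fires when the bare executable name is the entire command line. Wrap them as `'*\arp.exe*'` or, consistent with the rest of this commit, match on `Image: - '*\arp.exe'`. There are also two spelling slips that silently drop indicators — `bcedit.exe` should be `bcdedit.exe` and `nbstat.exe` should be `nbtstat.exe` — and `modified: 2012/12/11` looks like a typo for the `2018/12/11` used by sibling rules. `count() by MachineName` uses a field the generic sysmon configuration in this series does not map; confirm the backend knows it (Windows event logs usually expose `ComputerName`).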
@@ -0,0 +1,52 @@ +title: Microsoft Office Product Spawning Windows Shell +status: experimental +description: Detects a Windows command line executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio. +references: + - https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100 + - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html + - https://www2.cybereason.com/asset/60:research-cobalt-kitty-attack-lifecycle +tags: + - attack.execution + - attack.defense_evasion + - attack.t1059 + - attack.T1202 +author: Michael Haag, Florian Roth, Markus Neis +date: 2018/04/06 +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage: + - '*\WINWORD.EXE' + - '*\EXCEL.EXE' + - '*\POWERPNT.exe' + - '*\MSPUB.exe' + - '*\VISIO.exe' + - '*\OUTLOOK.EXE' + Image: + - '*\cmd.exe' + - '*\powershell.exe' + - '*\wscript.exe' + - '*\cscript.exe' + - '*\sh.exe' + - '*\bash.exe' + - '*\scrcons.exe' + - '*\schtasks.exe' + - '*\regsvr32.exe' + - '*\hh.exe' + - '*\wmic.exe' + - '*\mshta.exe' + - '*\rundll32.exe' + - '*\msiexec.exe' + - '*\forfiles.exe' + - '*\scriptrunner.exe' + - '*\mftrace.exe' + - '*\AppVLP.exe' + condition: selection +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - unknown +level: high diff --git a/rules/windows/process_creation/win_plugx_susp_exe_locations.yml b/rules/windows/process_creation/win_plugx_susp_exe_locations.yml new file mode 100644 index 000000000..a465f0016 --- /dev/null +++ b/rules/windows/process_creation/win_plugx_susp_exe_locations.yml 
@@ -0,0 +1,88 @@ +title: Executable used by PlugX in Uncommon Location - Sysmon Version +status: experimental +description: Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location +references: + - http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ + - https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/ +author: Florian Roth +date: 2017/06/12 +logsource: + category: process_creation + product: windows +detection: + selection_cammute: + Image: '*\CamMute.exe' + filter_cammute: + Image: '*\Lenovo\Communication Utility\*' + selection_chrome_frame: + Image: '*\chrome_frame_helper.exe' + filter_chrome_frame: + Image: '*\Google\Chrome\application\*' + selection_devemu: + Image: '*\dvcemumanager.exe' + filter_devemu: + Image: '*\Microsoft Device Emulator\*' + selection_gadget: + Image: '*\Gadget.exe' + filter_gadget: + Image: '*\Windows Media Player\*' + selection_hcc: + Image: '*\hcc.exe' + filter_hcc: + Image: '*\HTML Help Workshop\*' + selection_hkcmd: + Image: '*\hkcmd.exe' + filter_hkcmd: + Image: + - '*\System32\*' + - '*\SysNative\*' + - '*\SysWowo64\*' + selection_mc: + Image: '*\Mc.exe' + filter_mc: + Image: + - '*\Microsoft Visual Studio*' + - '*\Microsoft SDK*' + - '*\Windows Kit*' + selection_msmpeng: + Image: '*\MsMpEng.exe' + filter_msmpeng: + Image: + - '*\Microsoft Security Client\*' + - '*\Windows Defender\*' + - '*\AntiMalware\*' + selection_msseces: + Image: '*\msseces.exe' + filter_msseces: + Image: '*\Microsoft Security Center\*' + selection_oinfo: + Image: '*\OInfoP11.exe' + filter_oinfo: + Image: '*\Common Files\Microsoft Shared\*' + selection_oleview: + Image: '*\OleView.exe' + filter_oleview: + Image: + - '*\Microsoft Visual Studio*' + - '*\Microsoft SDK*' + - '*\Windows Kit*' + - '*\Windows Resource Kit\*' + selection_rc: + Image: '*\rc.exe' + filter_rc: + Image: + - '*\Microsoft Visual Studio*' + - '*\Microsoft 
SDK*' + - '*\Windows Kit*' + - '*\Windows Resource Kit\*' + - '*\Microsoft.NET\*' + condition: ( selection_cammute and not filter_cammute ) or ( selection_chrome_frame and not filter_chrome_frame ) or ( selection_devemu and not filter_devemu ) + or ( selection_gadget and not filter_gadget ) or ( selection_hcc and not filter_hcc ) or ( selection_hkcmd and not filter_hkcmd ) or ( selection_mc and not filter_mc + ) or ( selection_msmpeng and not filter_msmpeng ) or ( selection_msseces and not filter_msseces ) or ( selection_oinfo and not filter_oinfo ) or ( selection_oleview + and not filter_oleview ) or ( selection_rc and not filter_rc ) +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/win_possible_applocker_bypass.yml b/rules/windows/process_creation/win_possible_applocker_bypass.yml new file mode 100644 index 000000000..72490fdd8 --- /dev/null +++ b/rules/windows/process_creation/win_possible_applocker_bypass.yml @@ -0,0 +1,27 @@ +title: Possible Applocker Bypass +description: Detects execution of executables that can be used to bypass Applocker whitelisting +status: experimental +references: + - https://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt + - https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/ +author: juju4 +tags: + - attack.defense_evasion +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: + - '*\msdt.exe*' + - '*\installutil.exe*' + - '*\regsvcs.exe*' + - '*\regasm.exe*' + - '*\regsvr32.exe*' + - '*\msbuild.exe*' + - '*\ieexec.exe*' + - '*\mshta.exe*' + condition: selection +falsepositives: + - False positives depend on scripts and administrative tools used in the monitored environment +level: low 
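Review bot: `'*\SysWowo64\*'` in `filter_hkcmd` is a typo for `SysWOW64`, so the 32-bit `hkcmd.exe` under `C:\Windows\SysWOW64\` is never excluded and every such start raises a high-level alert. Fix: `- '*\SysWOW64\*'`. The remaining filters only test for a directory substring such as `'*\Microsoft Visual Studio*'`, so a side-loaded copy dropped anywhere beneath a path containing that text is excluded as well; acceptable for a first pass, but say so in `falsepositives` instead of `Unknown`.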
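Review bot: The Applocker-bypass selection matches `'*\regsvr32.exe*'`, `'*\mshta.exe*'` etc. on CommandLine and requires a leading backslash, so an invocation without a path (`regsvr32 /s /u payload.sct` typed in a shell or from a script) is missed, while any unrelated process that merely names one of these binaries in its arguments is caught. Matching `Image: - '*\msdt.exe'` and so on (keeping a CommandLine variant only for proxied forms such as `cmd /c`) would be both tighter and harder to evade.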
diff --git a/rules/windows/process_creation/win_powershell_amsi_bypass.yml b/rules/windows/process_creation/win_powershell_amsi_bypass.yml new file mode 100644 index 000000000..05837d3f3 --- /dev/null +++ b/rules/windows/process_creation/win_powershell_amsi_bypass.yml @@ -0,0 +1,25 @@ +title: Powershell AMSI Bypass via .NET Reflection +status: experimental +description: Detects Request to amsiInitFailed that can be used to disable AMSI Scanning +references: + - https://twitter.com/mattifestation/status/735261176745988096 + - https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120 +tags: + - attack.execution + - attack.t1086 +author: Markus Neis +date: 2018/08/17 +logsource: + category: process_creation + product: windows +detection: + selection1: + CommandLine: + - '*System.Management.Automation.AmsiUtils*' + selection2: + CommandLine: + - '*amsiInitFailed*' + condition: selection1 and selection2 + falsepositives: + - Potential Admin Activity +level: high diff --git a/rules/windows/process_creation/win_powershell_b64_shellcode.yml b/rules/windows/process_creation/win_powershell_b64_shellcode.yml new file mode 100644 index 000000000..b63c8d062 --- /dev/null +++ b/rules/windows/process_creation/win_powershell_b64_shellcode.yml @@ -0,0 +1,24 @@ +title: PowerShell Base64 Encoded Shellcode +description: Detects Base64 encoded Shellcode +status: experimental +references: + - https://twitter.com/cyb3rops/status/1063072865992523776 +author: Florian Roth +date: 2018/11/17 +tags: + - attack.defense_evasion + - attack.t1036 +logsource: + category: process_creation + product: windows +detection: + selection1: + CommandLine: '*AAAAYInlM*' + selection2: + CommandLine: + - '*OiCAAAAYInlM*' + - '*OiJAAAAYInlM*' + condition: selection1 and selection2 +falsepositives: + - Unknown +level: critical 
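Review bot: In the AMSI-bypass rule `falsepositives:` appears to be indented under `detection:` at the level of `condition:` (the exact indent is lost in this view, but its `+ ` marker differs from the column-0 `+level:` line), which makes it an undefined detection item instead of rule metadata and may be rejected by the rule validator. Dedent `falsepositives:` and its `- Potential Admin Activity` entry to column 0. Also, `selection1 and selection2` only fires when both strings appear in one command line; an operator who sets `amsiInitFailed` via a reflection call built in a separate statement or script file is not seen, so consider `selection1 or selection2` at a lower level if volume permits.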
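Review bot: In the base64-shellcode rule, `selection1` (`'*AAAAYInlM*'`) is a substring of both `selection2` patterns (`'*OiCAAAAYInlM*'`, `'*OiJAAAAYInlM*'`), so `condition: selection1 and selection2` is equivalent to `selection2` alone and the first selection contributes nothing. Either remove `selection1` or widen it to the other base64 alignments of the same byte sequence so the AND actually narrows the match. The patterns are case-sensitive base64; verify that the target backend does not lower-case string comparisons, or `AAAAYInlM` will not match at all.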
diff --git a/rules/windows/process_creation/win_powershell_dll_execution.yml b/rules/windows/process_creation/win_powershell_dll_execution.yml new file mode 100644 index 000000000..200743312 --- /dev/null +++ b/rules/windows/process_creation/win_powershell_dll_execution.yml @@ -0,0 +1,28 @@ +title: Detection of PowerShell Execution via DLL +status: experimental +description: Detects PowerShell Strings applied to rundllas seen in PowerShdll.dll +references: + - https://github.com/p3nt4/PowerShdll/blob/master/README.md +tags: + - attack.execution + - attack.t1086 +author: Markus Neis +date: 2018/08/25 +logsource: + category: process_creation + product: windows +detection: + selection1: + Image: + - '*\rundll32.exe' + selection2: + Description: + - '*Windows-Hostprozess (Rundll32)*' + selection3: + CommandLine: + - '*Default.GetString*' + - '*FromBase64String*' + condition: (selection1 or selection2) and selection3 +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/win_powershell_download.yml b/rules/windows/process_creation/win_powershell_download.yml new file mode 100644 index 000000000..76f29ceba --- /dev/null +++ b/rules/windows/process_creation/win_powershell_download.yml @@ -0,0 +1,23 @@ +title: PowerShell Download from URL +status: experimental +description: Detects a Powershell process that contains download commands in its command line string +author: Florian Roth +tags: + - attack.t1086 + - attack.execution +logsource: + category: process_creation + product: windows +detection: + selection: + Image: '*\powershell.exe' + CommandLine: + - '*new-object system.net.webclient).downloadstring(*' + - '*new-object system.net.webclient).downloadfile(*' + condition: selection +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - unknown +level: medium 
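Review bot: `selection2` matches the German-localized file description `'*Windows-Hostprozess (Rundll32)*'`, so on non-German Windows builds that branch never fires and detection rests on `selection1` alone; the English description is `Windows host process (Rundll32)`. Add `- '*Windows host process (Rundll32)*'` (and note in the description that `Description` is locale-dependent), or rely on `Image` only and drop the localized string.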
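Review bot: The download rule is restricted to `Image: '*\powershell.exe'`, so the same cradle executed via `pwsh.exe`, `powershell_ise.exe` or a renamed copy (the case `win_powershell_renamed_ps.yml` in this commit exists for) is not covered; drop the Image constraint or list the other hosts. The two CommandLine patterns are written entirely lower-case (`system.net.webclient).downloadstring(`), so on a case-sensitive backend the usual `System.Net.WebClient).DownloadString(` spelling will not match — confirm the backend's case handling before depending on this.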
diff --git a/rules/windows/process_creation/win_powershell_renamed_ps.yml b/rules/windows/process_creation/win_powershell_renamed_ps.yml new file mode 100644 index 000000000..b975cf091 --- /dev/null +++ b/rules/windows/process_creation/win_powershell_renamed_ps.yml @@ -0,0 +1,26 @@ +title: Renamed Powershell.exe +status: experimental +description: Detects copying and renaming of powershell.exe before execution (RETEFE malware DOC/macro starting Sept 2018) +references: + - https://attack.mitre.org/techniques/T1086/ + - https://isc.sans.edu/forums/diary/Maldoc+Duplicating+PowerShell+Prior+to+Use/24254/ +tags: + - attack.t1086 + - attack.execution +author: Tom Ueltschi (@c_APT_ure) +logsource: + category: process_creation + product: windows +detection: + selection: + Description: Windows PowerShell + exclusion_1: + Image: + - powershell.exe + - powershell_ise.exe + exclusion_2: + Description: Windows PowerShell ISE + condition: all of selection and not (1 of exclusion_*) +falsepositives: + - penetration tests, red teaming +level: high diff --git a/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml b/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml new file mode 100644 index 000000000..7ae0a669d --- /dev/null +++ b/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml 
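Review bot: `exclusion_1` lists `powershell.exe` and `powershell_ise.exe` without wildcards, while Sysmon's `Image` field holds the full path (`C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`), so the exclusion never matches and every ordinary PowerShell start is reported as a renamed binary at high level. Use `- '*\powershell.exe'` and `- '*\powershell_ise.exe'`. `all of selection` with one selection is just `selection`; harmless, but simpler to read.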
@@ -0,0 +1,61 @@ +title: Suspicious PowerShell Parameter Substring +status: experimental +description: Detects suspicious PowerShell invocation with a parameter substring +references: + - http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier +tags: + - attack.execution + - attack.t1086 +author: Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix) +logsource: + category: process_creation + product: windows +detection: + selection: + Image: + - '*\Powershell.exe' + CommandLine: + - ' -windowstyle h ' + - ' -windowstyl h' + - ' -windowsty h' + - ' -windowst h' + - ' -windows h' + - ' -windo h' + - ' -wind h' + - ' -win h' + - ' -wi h' + - ' -win h ' + - ' -win hi ' + - ' -win hid ' + - ' -win hidd ' + - ' -win hidde ' + - ' -NoPr ' + - ' -NoPro ' + - ' -NoProf ' + - ' -NoProfi ' + - ' -NoProfil ' + - ' -nonin ' + - ' -nonint ' + - ' -noninte ' + - ' -noninter ' + - ' -nonintera ' + - ' -noninterac ' + - ' -noninteract ' + - ' -noninteracti ' + - ' -noninteractiv ' + - ' -ec ' + - ' -encodedComman ' + - ' -encodedComma ' + - ' -encodedComm ' + - ' -encodedCom ' + - ' -encodedCo ' + - ' -encodedC ' + - ' -encoded ' + - ' -encode ' + - ' -encod ' + - ' -enco ' + - ' -en ' + condition: selection +falsepositives: + - Penetration tests +level: high diff --git a/rules/windows/process_creation/win_psexesvc_start.yml b/rules/windows/process_creation/win_psexesvc_start.yml new file mode 100644 index 000000000..1c8f9ae18 --- /dev/null +++ b/rules/windows/process_creation/win_psexesvc_start.yml 
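Review bot: `' -win h'` (no trailing space) is a prefix of every other `-win h…` entry, including the spelled-out `-win hidden` the list deliberately omits, so it makes those entries redundant and quietly widens the rule to the full form; remove it or add the trailing space like the rest. The trailing-space design otherwise means an abbreviation that is the last token of the command line (e.g. `powershell -NoPr`) is not caught — acceptable, but worth a sentence in the description so tuners know why.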
@@ -0,0 +1,19 @@ +title: PsExec Service Start +description: Detects a PsExec service start +author: Florian Roth +date: 2018/03/13 +modified: 2012/12/11 +tags: + - attack.execution + - attack.t1035 + - attack.s0029 +logsource: + category: process_creation + product: windows +detection: + selection: + ProcessCommandLine: C:\Windows\PSEXESVC.exe + condition: 1 of them +falsepositives: + - Administrative activity +level: low diff --git a/rules/windows/process_creation/win_sdbinst_shim_persistence.yml b/rules/windows/process_creation/win_sdbinst_shim_persistence.yml new file mode 100644 index 000000000..c71f452b6 --- /dev/null +++ b/rules/windows/process_creation/win_sdbinst_shim_persistence.yml @@ -0,0 +1,23 @@ +title: Possible Shim Database Persistence via sdbinst.exe +status: experimental +description: Detects execution of sdbinst writing to default shim database path C:\Windows\AppPatch\* +references: + - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html +tags: + - attack.persistence + - attack.t1138 +author: Markus Neis +date: 2018-08-03 +logsource: + category: process_creation + product: windows +detection: + selection: + Image: + - '*\sdbinst.exe' + CommandLine: + - '*\AppPatch\*}.sdb*' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/win_shell_spawn_susp_program.yml b/rules/windows/process_creation/win_shell_spawn_susp_program.yml new file mode 100644 index 000000000..108daa255 --- /dev/null +++ b/rules/windows/process_creation/win_shell_spawn_susp_program.yml 
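Review bot: The PsExec rule uses the field `ProcessCommandLine`, whereas every other process_creation rule in this commit and the generic sysmon configuration use `CommandLine`; unless the target config maps that name, the condition is emitted against a non-existent field and never matches. Rename it to `CommandLine: C:\Windows\PSEXESVC.exe`, and since that is an exact match, confirm the service really starts with precisely that command line (otherwise `'*\PSEXESVC.exe*'`). `condition: 1 of them` over a single selection should be `condition: selection`, and `modified: 2012/12/11` precedes `date: 2018/03/13`, presumably a typo for 2018.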
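Review bot: The sdbinst pattern `'*\AppPatch\*}.sdb*'` only matches GUID-named databases (`{…}.sdb`), the specific FIN7 shape from the reference; sdbinst installs whatever `.sdb` it is pointed at, so `sdbinst.exe C:\Windows\AppPatch\update.sdb` would not alert. A broader `'*\AppPatch\*.sdb*'` with the GUID form kept as a separate higher-confidence selection would be safer. `date: 2018-08-03` uses ISO hyphens while every other rule here uses `YYYY/MM/DD`; tooling that parses the field may choke on it.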
@@ -0,0 +1,33 @@ +title: Windows Shell Spawning Suspicious Program +status: experimental +description: Detects a suspicious child process of a Windows shell +references: + - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html +author: Florian Roth +date: 2018/04/06 +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage: + - '*\mshta.exe' + - '*\powershell.exe' + - '*\cmd.exe' + - '*\rundll32.exe' + - '*\cscript.exe' + - '*\wscript.exe' + - '*\wmiprvse.exe' + Image: + - '*\schtasks.exe' + - '*\nslookup.exe' + - '*\certutil.exe' + - '*\bitsadmin.exe' + - '*\mshta.exe' + condition: selection +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - Administrative scripts +level: high diff --git a/rules/windows/process_creation/win_susp_certutil_command.yml b/rules/windows/process_creation/win_susp_certutil_command.yml new file mode 100644 index 000000000..b464a8015 --- /dev/null +++ b/rules/windows/process_creation/win_susp_certutil_command.yml 
@@ -0,0 +1,42 @@ +title: Suspicious Certutil Command +status: experimental +description: Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code with + the built-in certutil utility +author: Florian Roth, juju4 +modified: 2018/12/11 +references: + - https://twitter.com/JohnLaTwC/status/835149808817991680 + - https://twitter.com/subTee/status/888102593838362624 + - https://twitter.com/subTee/status/888071631528235010 + - https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/ + - https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/ +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: + - '*certutil * -decode *' + - '*certutil * -decodehex *' + - '*certutil *-urlcache* http*' + - '*certutil *-urlcache* ftp*' + - '*certutil *-URL*' + - '*certutil *-ping*' + - '*certutil.exe * -decode *' + - '*certutil.exe * -decodehex *' + - '*certutil.exe *-urlcache* http*' + - '*certutil.exe *-urlcache* ftp*' + - '*certutil.exe *-URL*' + - '*certutil.exe *-ping*' + condition: selection +fields: + - CommandLine + - ParentCommandLine +tags: + - attack.defense_evasion + - attack.t1140 + - attack.s0189 + - attack.g0007 +falsepositives: + - False positives depend on scripts and administrative tools used in the monitored environment +level: high diff --git a/rules/windows/process_creation/win_susp_cli_escape.yml b/rules/windows/process_creation/win_susp_cli_escape.yml new file mode 100644 index 000000000..cf37d4009 --- /dev/null +++ b/rules/windows/process_creation/win_susp_cli_escape.yml 
@@ -0,0 +1,27 @@ +title: Suspicious Commandline Escape +description: Detects suspicious process that use escape characters +status: experimental +references: + - https://twitter.com/vysecurity/status/885545634958385153 + - https://twitter.com/Hexacorn/status/885553465417756673 + - https://twitter.com/Hexacorn/status/885570278637678592 + - https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html + - http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/ +author: juju4 +modified: 2018/12/11 +tags: + - attack.defense_evasion + - attack.t1140 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: + - + - ^h^t^t^p + - h"t"t"p + condition: selection +falsepositives: + - False positives depend on scripts and administrative tools used in the monitored environment +level: low diff --git a/rules/windows/process_creation/win_susp_cmd_http_appdata.yml b/rules/windows/process_creation/win_susp_cmd_http_appdata.yml new file mode 100644 index 000000000..8c67992ad --- /dev/null +++ b/rules/windows/process_creation/win_susp_cmd_http_appdata.yml 
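Review bot: The first `CommandLine` list item appears to be empty (a bare `-`), which YAML reads as `null`; the converter will either reject the rule or emit a null comparison, so drop it unless a value was lost in transit. The remaining values `^h^t^t^p` and `h"t"t"p` carry no wildcards and are therefore exact matches on the whole command line, which never consists of just those characters; they need to be `'*^h^t^t^p*'` and `'*h"t"t"p*'` (single-quoted so the double quotes survive YAML).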
@@ -0,0 +1,23 @@ +title: Command Line Execution with suspicious URL and AppData Strings +status: experimental +description: Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs + > powershell) +references: + - https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100 + - https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100 +author: Florian Roth +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: + - cmd.exe /c *http://*%AppData% + - cmd.exe /c *https://*%AppData% + condition: selection +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - High +level: medium diff --git a/rules/windows/process_creation/win_susp_commands_recon_activity.yml b/rules/windows/process_creation/win_susp_commands_recon_activity.yml new file mode 100644 index 000000000..074cf6ed9 --- /dev/null +++ b/rules/windows/process_creation/win_susp_commands_recon_activity.yml 
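Review bot: Both patterns begin with the literal `cmd.exe /c`, so they only match a command line that starts exactly that way; the `"C:\Windows\System32\cmd.exe" /c …` and `C:\Windows\system32\cmd.exe /c …` forms Sysmon commonly records are missed, as is `/C` on a case-sensitive backend. Use `'*cmd.exe /c *http://*%AppData%*'` (and the https twin), or bind `Image: '*\cmd.exe'` and match only `'*/c *http*%AppData%*'`; the current `%AppData%` suffix also anchors the end of the line, so a trailing space or further arguments break the match. `falsepositives: - High` is a rating rather than a description of what legitimately triggers the rule.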
@@ -0,0 +1,42 @@ +title: Reconnaissance Activity with Net Command +status: experimental +description: Detects a set of commands often used in recon stages by different attack groups +references: + - https://twitter.com/haroonmeer/status/939099379834658817 + - https://twitter.com/c_APT_ure/status/939475433711722497 + - https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html +author: Florian Roth, Markus Neis +date: 2018/08/22 +modified: 2018/12/11 +tags: + - attack.discovery + - attack.t1073 + - attack.t1012 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: + - tasklist + - net time + - systeminfo + - whoami + - nbtstat + - net start + - '*\net1 start' + - qprocess + - nslookup + - hostname.exe + - '*\net1 user /domain' + - '*\net1 group /domain' + - '*\net1 group "domain admins" /domain' + - '*\net1 group "Exchange Trusted Subsystem" /domain' + - '*\net1 accounts /domain' + - '*\net1 user net localgroup administrators' + - netstat -an + timeframe: 15s + condition: selection | count() by CommandLine > 4 +falsepositives: + - False positives depend on scripts and administrative tools used in the monitored environment +level: medium diff --git a/rules/windows/process_creation/win_susp_control_dll_load.yml b/rules/windows/process_creation/win_susp_control_dll_load.yml new file mode 100644 index 000000000..7fb960a1b --- /dev/null +++ b/rules/windows/process_creation/win_susp_control_dll_load.yml 
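Review bot: `condition: selection | count() by CommandLine > 4` groups by the matched command line itself, so it fires when the same command (e.g. `whoami`) runs five times in 15 s, not when five different recon commands run on one host, which is what the description and references call for; group by the host field instead, e.g. `count() by ComputerName > 4` (`win_multiple_suspicious_cli.yml` in this commit uses `MachineName` for the same purpose — pick one name and use it in both). The unwildcarded values (`tasklist`, `whoami`) are exact matches, realistic for an interactive shell but blind to `whoami /all` or `C:\Windows\System32\whoami.exe`. `attack.t1073` appears to refer to DLL side-loading rather than a discovery technique; check the tag.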
@@ -0,0 +1,23 @@ +title: Suspicious Control Panel DLL Load +status: experimental +description: Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits +author: Florian Roth +date: 2017/04/15 +references: + - https://twitter.com/rikvduijn/status/853251879320662017 +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage: '*\System32\control.exe' + CommandLine: '*\rundll32.exe *' + filter: + CommandLine: '*Shell32.dll*' + condition: selection and not filter +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/win_susp_exec_folder.yml b/rules/windows/process_creation/win_susp_exec_folder.yml new file mode 100644 index 000000000..aad005635 --- /dev/null +++ b/rules/windows/process_creation/win_susp_exec_folder.yml @@ -0,0 +1,33 @@ +title: Executables Started in Suspicious Folder +status: experimental +description: Detects process starts of binaries from a suspicious folder +author: Florian Roth +date: 2017/10/14 +references: + - https://github.com/mbevilacqua/appcompatprocessor/blob/master/AppCompatSearch.txt + - https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses +logsource: + category: process_creation + product: windows +detection: + selection: + Image: + - C:\PerfLogs\* + - C:\$Recycle.bin\* + - C:\Intel\Logs\* + - C:\Users\Default\* + - C:\Users\Public\* + - C:\Users\NetworkService\* + - C:\Windows\Fonts\* + - C:\Windows\Debug\* + - C:\Windows\Media\* + - C:\Windows\Help\* + - C:\Windows\addins\* + - C:\Windows\repair\* + - C:\Windows\security\* + - '*\RSA\MachineKeys\*' + - C:\Windows\system32\config\systemprofile\* + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/win_susp_execution_path.yml b/rules/windows/process_creation/win_susp_execution_path.yml new file mode 100644 index 000000000..d622ab28d --- /dev/null 
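Review bot: `ParentImage: '*\System32\control.exe'` in the control-panel rule excludes the 32-bit `C:\Windows\SysWOW64\control.exe`, so a .cpl loaded through the WoW64 control panel — which 32-bit payloads would use — is not covered; `'*\control.exe'` or a second SysWOW64 entry closes the gap. The `filter` on `'*Shell32.dll*'` is a substring of the attacker-controlled command line, so a DLL named to contain that token is excluded; either accept that explicitly or narrow the filter to the exact `Shell32.dll,Control_RunDLL` form.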
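Review bot: Every Image pattern in the suspicious-folder rule is anchored to the `C:` drive (`C:\PerfLogs\*`, `C:\Users\Public\*`, …), whereas the sibling `win_susp_execution_path.yml` uses `'*\Users\Public\*'`; hosts with Windows on another drive letter or redirected profiles produce no hits here. Using the `'*\…\*'` form throughout makes the two rules consistent and drive-independent.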
+++ b/rules/windows/process_creation/win_susp_execution_path.yml @@ -0,0 +1,26 @@ +title: Execution in Non-Executable Folder +status: experimental +description: Detects a suspicious exection from an uncommon folder +author: Florian Roth +logsource: + category: process_creation + product: windows +detection: + selection: + Image: + - '*\$Recycle.bin' + - '*\Users\All Users\*' + - '*\Users\Default\*' + - '*\Users\Public\*' + - C:\Perflogs\* + - '*\config\systemprofile\*' + - '*\Windows\Fonts\*' + - '*\Windows\IME\*' + - '*\Windows\addins\*' + condition: selection +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/win_susp_execution_path_webserver.yml b/rules/windows/process_creation/win_susp_execution_path_webserver.yml new file mode 100644 index 000000000..ace681b0c --- /dev/null +++ b/rules/windows/process_creation/win_susp_execution_path_webserver.yml @@ -0,0 +1,28 @@ +title: Execution in Webserver Root Folder +status: experimental +description: Detects a suspicious program execution in a web service root folder (filter out false positives) +author: Florian Roth +logsource: + category: process_creation + product: windows +detection: + selection: + Image: + - '*\wwwroot\*' + - '*\wmpub\*' + - '*\htdocs\*' + filter: + Image: + - '*bin\*' + - '*\Tools\*' + - '*\SMSComponent\*' + ParentImage: + - '*\services.exe' + condition: selection and not filter +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - Various applications + - Tools that include ping or nslookup command invocations +level: medium diff --git a/rules/windows/process_creation/win_susp_iss_module_install.yml b/rules/windows/process_creation/win_susp_iss_module_install.yml new file mode 100644 index 000000000..52b684596 --- /dev/null +++ b/rules/windows/process_creation/win_susp_iss_module_install.yml 
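Review bot: `'*\$Recycle.bin'` has no trailing `\*`, so it only matches an Image whose full path ends in the directory name itself; an executable started from inside the recycle bin (`C:\$Recycle.bin\S-1-5-…\evil.exe`) never matches. Change it to `- '*\$Recycle.bin\*'`, as the other entries and `win_susp_exec_folder.yml` do. `C:\Perflogs\*` is the one drive-anchored entry in an otherwise `*\`-style list.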
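Review bot: In the webserver-root rule the `filter` selection lists `Image` and `ParentImage` as siblings, and fields inside one Sigma selection are AND-ed, so the exclusion only applies when the binary sits under `bin\`/`Tools\`/`SMSComponent\` AND its parent is `services.exe`; a service-spawned program in `wwwroot\app\` still alerts, and so does a `wwwroot\bin\` binary started by anything else. If either condition alone is meant to suppress — which the `falsepositives` text suggests — split it into `filter_path` and `filter_parent` and use `condition: selection and not 1 of filter_*`.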
@@ -0,0 +1,21 @@ +title: IIS Native-Code Module Command Line Installation +description: Detects suspicious IIS native-code module installations via command line +status: experimental +references: + - https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/ +author: Florian Roth +modified: 2012/12/11 +tags: + - attack.persistence + - attack.t1100 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: + - '*\APPCMD.EXE install module /name:*' + condition: selection +falsepositives: + - Unknown as it may vary from organisation to arganisation how admins use to install IIS modules +level: medium diff --git a/rules/windows/process_creation/win_susp_mmc_source.yml b/rules/windows/process_creation/win_susp_mmc_source.yml new file mode 100644 index 000000000..94226405b --- /dev/null +++ b/rules/windows/process_creation/win_susp_mmc_source.yml @@ -0,0 +1,21 @@ +title: Processes created by MMC +status: experimental +description: Processes started by MMC could be a sign of lateral movement using MMC application COM object +references: + - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/ +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage: '*\mmc.exe' + Image: '*\cmd.exe' + exclusion: + CommandLine: '*\RunCmd.cmd' + condition: selection and not exclusion +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - unknown +level: medium diff --git a/rules/windows/process_creation/win_susp_msiexec_web_install.yml b/rules/windows/process_creation/win_susp_msiexec_web_install.yml new file mode 100644 index 000000000..5e6734058 --- /dev/null +++ b/rules/windows/process_creation/win_susp_msiexec_web_install.yml 
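Review bot: `modified: 2012/12/11` in the IIS-module rule predates any plausible creation date and repeats the slip seen in `win_psexesvc_start.yml` and `win_susp_msiexec_web_install.yml` in this commit — presumably `2018/12/11`. The single pattern `'*\APPCMD.EXE install module /name:*'` requires a path before the name, so `appcmd install module /name:…` run from the IIS directory is missed; `'*appcmd* install module /name:*'` is more forgiving, and appcmd also has an `add module` verb worth a second entry. `arganisation` in `falsepositives` should be `organisation`.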
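Review bot: The MMC rule has no `author:` field, which every other rule in this commit carries, and its `exclusion` on `CommandLine: '*\RunCmd.cmd'` is a substring of attacker-controlled text: anyone using the MMC20.Application technique from the reference can name their script `RunCmd.cmd` and avoid the alert. Say in `falsepositives` which product that exclusion is for (it currently reads `unknown`, which contradicts having an exclusion at all) and narrow it to the full expected path. With `Image: '*\cmd.exe'` only, an `ExecuteShellCommand` that launches `powershell.exe` or `wscript.exe` directly is not seen.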
@@ -0,0 +1,19 @@ +title: MsiExec Web Install +status: experimental +description: Detects suspicious msiexec proess starts with web addreses as parameter +references: + - https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/ +author: Florian Roth +date: 2018/02/09 +modified: 2012/12/11 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: + - '* msiexec*:\/\/*' + condition: selection +falsepositives: + - False positives depend on scripts and administrative tools used in the monitored environment +level: medium diff --git a/rules/windows/process_creation/win_susp_net_execution.yml b/rules/windows/process_creation/win_susp_net_execution.yml new file mode 100644 index 000000000..697b44629 --- /dev/null +++ b/rules/windows/process_creation/win_susp_net_execution.yml @@ -0,0 +1,33 @@ +title: Net.exe Execution +status: experimental +description: Detects execution of Net.exe, whether suspicious or benign. +references: + - https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/ +author: Michael Haag, Mark Woan (improvements) +tags: + - attack.s0039 + - attack.lateral_movement + - attack.discovery +logsource: + category: process_creation + product: windows +detection: + selection: + Image: + - '*\net.exe' + - '*\net1.exe' + CommandLine: + - '* group*' + - '* localgroup*' + - '* user*' + - '* view*' + - '* share' + - '* accounts*' + - '* use*' + condition: selection +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - Will need to be tuned. If using Splunk, I recommend | stats count by Computer,CommandLine following the search for easy hunting by computer/CommandLine. +level: low diff --git a/rules/windows/process_creation/win_susp_ntdsutil.yml b/rules/windows/process_creation/win_susp_ntdsutil.yml new file mode 100644 index 000000000..e8735e074 --- /dev/null +++ b/rules/windows/process_creation/win_susp_ntdsutil.yml 
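Review bot: The msiexec pattern `'* msiexec*:\/\/*'` backslash-escapes the slashes, but Sigma only treats `\` as an escape before `*`, `?` or another backslash, so the backslashes are kept literally and the value can only match a command line containing `:\/\/`, never `http://`. Write it as `'* msiexec*://*'`; the leading space also means an absolute-path invocation (`C:\Windows\System32\msiexec.exe /i http://…`) is missed, so add `'*\msiexec.exe*://*'` or bind `Image: '*\msiexec.exe'` instead. `modified: 2012/12/11` looks like the same 2018 typo seen elsewhere in this commit.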
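Review bot: In the net.exe rule `'* share'` has no trailing wildcard while the other six entries do, so it only matches a command line that ends exactly in ` share` and `net share data=C:\x` is missed; make it `'* share*'`. `'* use*'` already matches everything `'* user*'` matches, so one of the two is redundant. The rule also lacks a `date:`, which its siblings carry.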
@@ -0,0 +1,19 @@ +title: Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) +description: Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT) +status: experimental +references: + - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm +author: Thomas Patzke +tags: + - attack.credential_access + - attack.t1003 +detection: + selection: + CommandLine: '*\ntdsutil.exe *' + condition: selection +falsepositives: + - NTDS maintenance +level: high +logsource: + category: process_creation + product: windows diff --git a/rules/windows/process_creation/win_susp_ping_hex_ip.yml b/rules/windows/process_creation/win_susp_ping_hex_ip.yml new file mode 100644 index 000000000..4620d0722 --- /dev/null +++ b/rules/windows/process_creation/win_susp_ping_hex_ip.yml @@ -0,0 +1,21 @@ +title: Ping Hex IP +description: Detects a ping command that uses a hex encoded IP address +references: + - https://github.com/vysec/Aggressor-VYSEC/blob/master/ping.cna + - https://twitter.com/vysecurity/status/977198418354491392 +author: Florian Roth +date: 2018/03/23 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: + - '*\ping.exe 0x*' + - '*\ping 0x*' + condition: selection +fields: + - ParentCommandLine +falsepositives: + - Unlikely, because no sane admin pings IP addresses in a hexadecimal form +level: high diff --git a/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml new file mode 100644 index 000000000..18ae2b164 --- /dev/null +++ b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml 
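Review bot: `CommandLine: '*\ntdsutil.exe *'` requires a backslash before the name and a space after it, so `ntdsutil` typed in a shell (no path, no `.exe`) and `ntdsutil.exe` started without arguments — it drops into an interactive prompt, so that is the common form — are both missed. `Image: '*\ntdsutil.exe'` is the robust match. The `logsource` block sits after `level`; valid YAML, but every other rule places it before `detection`, so move it for consistency.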
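Review bot: `'*\ping 0x*'` still demands a backslash before `ping`, so the case the reference describes — `ping 0xC0A80001` typed or scripted without a path — matches neither pattern; and both patterns require `0x` immediately after `ping`, so `ping -n 1 0xC0A80001` is missed too. `'*ping* 0x*'` (or `Image: '*\ping.exe'` plus `CommandLine: '* 0x*'`) covers these. Listing only `ParentCommandLine` under `fields` drops the very command line the rule matched on; add `CommandLine`.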
@@ -0,0 +1,25 @@ +title: Suspicious Encoded PowerShell Command Line +description: Detects suspicious powershell process starts with base64 encoded commands +status: experimental +references: + - https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e +author: Florian Roth +date: 2018/09/03 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: + - '* -e JAB*' + - '* -enc JAB*' + - '* -encodedcommand JAB*' + falsepositive1: + Image: '*\GRR\*' + falsepositive2: + CommandLine: '* -ExecutionPolicy remotesigned *' + condition: selection and not 1 of falsepositive* +falsepositives: + - GRR powershell hacks + - PowerSponse Deployments +level: high diff --git a/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml b/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml new file mode 100644 index 000000000..74e01c8bc --- /dev/null +++ b/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml 
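Review bot: The three CommandLine entries `-e`, `-enc` and `-encodedcommand` read as the complete set of spellings, but powershell.exe accepts any unambiguous prefix of the parameter name, so `-ec JAB…` or `-en JAB…` is not covered; a comment such as `# powershell.exe accepts any unambiguous prefix of -EncodedCommand; only the common spellings are listed` would keep a maintainer from assuming completeness. The `falsepositive2` filter exempts every encoded command that carries `-ExecutionPolicy remotesigned`, which is a broad exclusion for a `level: high` rule and deserves a one-line comment on why it is acceptable (the `falsepositives` entry "PowerSponse Deployments" appears to be the reason).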
@@ -0,0 +1,70 @@ +title: Malicious Base64 encoded PowerShell Keywords in command lines +status: experimental +description: Detects base64 encoded strings used in hidden malicious PowerShell command lines +references: + - http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/ +tags: + - attack.execution + - attack.t1086 +author: John Lambert (rule) +logsource: + category: process_creation + product: windows +detection: + encoded: + Image: '*\powershell.exe' + CommandLine: '* hidden *' + selection: + CommandLine: + - '*AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA*' + - '*aXRzYWRtaW4gL3RyYW5zZmVy*' + - '*IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA*' + - '*JpdHNhZG1pbiAvdHJhbnNmZX*' + - '*YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg*' + - '*Yml0c2FkbWluIC90cmFuc2Zlc*' + - '*AGMAaAB1AG4AawBfAHMAaQB6AGUA*' + - '*JABjAGgAdQBuAGsAXwBzAGkAegBlA*' + - '*JGNodW5rX3Npem*' + - '*QAYwBoAHUAbgBrAF8AcwBpAHoAZQ*' + - '*RjaHVua19zaXpl*' + - '*Y2h1bmtfc2l6Z*' + - '*AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A*' + - '*kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg*' + - '*lPLkNvbXByZXNzaW9u*' + - '*SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA*' + - '*SU8uQ29tcHJlc3Npb2*' + - '*Ty5Db21wcmVzc2lvb*' + - '*AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ*' + - '*kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA*' + - '*lPLk1lbW9yeVN0cmVhb*' + - '*SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A*' + - '*SU8uTWVtb3J5U3RyZWFt*' + - '*Ty5NZW1vcnlTdHJlYW*' + - '*4ARwBlAHQAQwBoAHUAbgBrA*' + - '*5HZXRDaHVua*' + - '*AEcAZQB0AEMAaAB1AG4Aaw*' + - '*LgBHAGUAdABDAGgAdQBuAGsA*' + - '*LkdldENodW5r*' + - '*R2V0Q2h1bm*' + - '*AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A*' + - '*QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA*' + - '*RIUkVBRF9JTkZPNj*' + - '*SFJFQURfSU5GTzY0*' + - '*VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA*' + - '*VEhSRUFEX0lORk82N*' + - '*AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA*' + - '*cmVhdGVSZW1vdGVUaHJlYW*' + - '*MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA*' + - '*NyZWF0ZVJlbW90ZVRocmVhZ*' + - 
'*Q3JlYXRlUmVtb3RlVGhyZWFk*' + - '*QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA*' + - '*0AZQBtAG0AbwB2AGUA*' + - '*1lbW1vdm*' + - '*AGUAbQBtAG8AdgBlA*' + - '*bQBlAG0AbQBvAHYAZQ*' + - '*bWVtbW92Z*' + - '*ZW1tb3Zl*' + condition: encoded and selection +falsepositives: + - Penetration tests +level: high diff --git a/rules/windows/process_creation/win_susp_powershell_parent_combo.yml b/rules/windows/process_creation/win_susp_powershell_parent_combo.yml new file mode 100644 index 000000000..d9d59fa8e --- /dev/null +++ b/rules/windows/process_creation/win_susp_powershell_parent_combo.yml @@ -0,0 +1,29 @@ +title: Suspicious PowerShell Invocation based on Parent Process +status: experimental +description: Detects suspicious powershell invocations from interpreters or unusual programs +author: Florian Roth +references: + - https://www.carbonblack.com/2017/03/15/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/ +tags: + - attack.execution + - attack.t1086 +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage: + - '*\wscript.exe' + - '*\cscript.exe' + Image: + - '*\powershell.exe' + falsepositive: + CurrentDirectory: '*\Health Service State\*' + condition: selection and not falsepositive +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - Microsoft Operations Manager (MOM) + - Other scripts +level: medium diff --git a/rules/windows/process_creation/win_susp_procdump.yml b/rules/windows/process_creation/win_susp_procdump.yml new file mode 100644 index 000000000..e4b4a306d --- /dev/null +++ b/rules/windows/process_creation/win_susp_procdump.yml 
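Review bot: The 54 base64 fragments in the `selection` of the hidden-PowerShell rule are undocumented, so a maintainer cannot tell which plaintext keyword a given six-entry group stands for or why there are six variants per keyword. The referenced Lee Holmes post describes the technique (three base64 alignments each for the UTF-16LE and ASCII encoding of a keyword); a short comment on each group, e.g. `# bitsadmin /transfer`, `# $chunk_size`, `# IO.Compression`, `# IO.MemoryStream`, `# .GetChunk`, `# THREAD_INFO64`, `# CreateRemoteThread`, `# memmove`, would make the list reviewable and extendable. The rule also has no `date` field, unlike most of its siblings.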
@@ -0,0 +1,28 @@ +title: Suspicious Use of Procdump +description: Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This + way we're also able to catch cases in which the attacker has renamed the procdump executable. +status: experimental +references: + - Internal Research +author: Florian Roth +date: 2018/10/30 +tags: + - attack.defense_evasion + - attack.t1036 + - attack.credential_access + - attack.t1003 +logsource: + category: process_creation + product: windows +detection: + selection1: + CommandLine: + - '* -ma *' + selection2: + CommandLine: + - '* lsass.exe*' + condition: selection1 and selection2 +falsepositives: + - Unlikely, because no one should dump an lsass process memory + - Another tool that uses the command line switches of Procdump +level: medium diff --git a/rules/windows/process_creation/win_susp_process_creations.yml b/rules/windows/process_creation/win_susp_process_creations.yml new file mode 100644 index 000000000..ec4152886 --- /dev/null +++ b/rules/windows/process_creation/win_susp_process_creations.yml 
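Review bot: `level: medium` in the Procdump rule sits oddly next to its own `falsepositives` entry ("Unlikely, because no one should dump an lsass process memory") and the `attack.t1003` credential-access tag; the ntdsutil and SYSVOL rules added in this commit use `level: high` for the same tag. If medium is intentional because `'* -ma *'` plus `'* lsass.exe*'` is expected to be noisy, a comment saying so would help, otherwise `level: high` is the consistent choice.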
@@ -0,0 +1,65 @@ +title: Suspicious Process Creation +description: Detects suspicious process starts on Windows systems based on keywords +status: experimental +references: + - https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/ + - https://www.youtube.com/watch?v=H3t_kHQG1Js&feature=youtu.be&t=15m35s + - https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/ + - https://twitter.com/subTee/status/872244674609676288 + - https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/remote-tool-examples + - https://tyranidslair.blogspot.ca/2017/07/dg-on-windows-10-s-executing-arbitrary.html + - https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/ + - https://subt0x10.blogspot.ca/2017/04/bypassing-application-whitelisting.html + - https://gist.github.com/subTee/7937a8ef07409715f15b84781e180c46#file-rat-bat + - https://twitter.com/vector_sec/status/896049052642533376 +author: Florian Roth +modified: 2012/12/11 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: + - vssadmin.exe delete shadows* + - vssadmin delete shadows* + - vssadmin create shadow /for=C:* + - copy \\?\GLOBALROOT\Device\*\windows\ntds\ntds.dit* + - copy \\?\GLOBALROOT\Device\*\config\SAM* + - reg SAVE HKLM\SYSTEM * + - '* sekurlsa:*' + - net localgroup adminstrators * /add + - net group "Domain Admins" * /ADD /DOMAIN + - certutil.exe *-urlcache* http* + - certutil.exe *-urlcache* ftp* + - netsh advfirewall firewall *\AppData\* + - attrib +S +H +R *\AppData\* + - schtasks* /create *\AppData\* + - schtasks* /sc minute* + - '*\Regasm.exe *\AppData\*' + - '*\Regasm *\AppData\*' + - '*\bitsadmin* /transfer*' + - '*\certutil.exe * -decode *' + - '*\certutil.exe * -decodehex *' + - '*\certutil.exe -ping *' + - icacls * /grant Everyone:F /T /C /Q + - '* wmic shadowcopy delete *' + - '* wbadmin.exe delete catalog -quiet*' + - '*\wscript.exe *.jse' + - '*\wscript.exe *.js' + - '*\wscript.exe *.vba' + - 
'*\wscript.exe *.vbe' + - '*\cscript.exe *.jse' + - '*\cscript.exe *.js' + - '*\cscript.exe *.vba' + - '*\cscript.exe *.vbe' + - '*\fodhelper.exe' + - '*waitfor*/s*' + - '*waitfor*/si persist*' + - '*remote*/s*' + - '*remote*/c*' + - '*remote*/q*' + - '*AddInProcess*' + condition: selection +falsepositives: + - False positives depend on scripts and administrative tools used in the monitored environment +level: medium diff --git a/rules/windows/process_creation/win_susp_ps_appdata.yml b/rules/windows/process_creation/win_susp_ps_appdata.yml new file mode 100644 index 000000000..3a04d7550 --- /dev/null +++ b/rules/windows/process_creation/win_susp_ps_appdata.yml @@ -0,0 +1,20 @@ +title: PowerShell Script Run in AppData +status: experimental +description: Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder +references: + - https://twitter.com/JohnLaTwC/status/1082851155481288706 + - https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03 +author: Florian Roth +date: 2019/01/09 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: + - '* /c powershell*\AppData\Local\*' + - '* /c powershell*\AppData\Roaming\*' + condition: selection +falsepositives: + - Administrative scripts +level: medium diff --git a/rules/windows/process_creation/win_susp_rasdial_activity.yml b/rules/windows/process_creation/win_susp_rasdial_activity.yml new file mode 100644 index 000000000..9f83ece21 --- /dev/null +++ b/rules/windows/process_creation/win_susp_rasdial_activity.yml 
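Review bot: `net localgroup adminstrators * /add` in the Suspicious Process Creation rule misspells the group name, so the entry can never match a real `administrators` command line; the SYSVOL/vssadmin rules spell it correctly, and it should read `net localgroup administrators * /add`. `modified: 2012/12/11` has the same year typo as the MsiExec rule (other rules in this commit use `2018/12/11`). The entries `'*remote*/s*'`, `'*remote*/c*'` and `'*remote*/q*'` match any command line containing `remote` followed anywhere later by `/s`, `/c` or `/q`, which is much broader than the remote.exe tool the reference describes; anchoring them on `'*\remote.exe*'` or at least `'* remote */s*'` would avoid matching unrelated tools.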
@@ -0,0 +1,17 @@ +title: Suspicious RASdial Activity +description: Detects suspicious process related to rasdial.exe +status: experimental +references: + - https://twitter.com/subTee/status/891298217907830785 +author: juju4 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: + - rasdial + condition: selection +falsepositives: + - False positives depend on scripts and administrative tools used in the monitored environment +level: medium diff --git a/rules/windows/process_creation/win_susp_recon_activity.yml b/rules/windows/process_creation/win_susp_recon_activity.yml new file mode 100644 index 000000000..24b578697 --- /dev/null +++ b/rules/windows/process_creation/win_susp_recon_activity.yml @@ -0,0 +1,23 @@ +title: Suspicious Reconnaissance Activity +status: experimental +description: Detects suspicious command line activity on Windows systems +author: Florian Roth +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: + - net group "domain admins" /domain + - net localgroup administrators + condition: selection +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - Inventory tool runs + - Penetration tests + - Administrative activity +analysis: + recommendation: Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM) +level: medium diff --git a/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml b/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml new file mode 100644 index 000000000..9f6441554 --- /dev/null +++ b/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml 
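Review bot: `CommandLine: - rasdial` in the RASdial rule carries no wildcard, and a Sigma value without wildcards is an exact match, so only a command line consisting of the bare word `rasdial` is detected; an invocation with arguments or with the full `rasdial.exe` path is not. If the intent is "any rasdial process" as the description suggests, `Image: '*\rasdial.exe'` (the shape the neighbouring rules use) or `'*rasdial*'` would be needed; if the bare-word match is deliberate, a comment saying so would prevent the next reader from "fixing" it.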
@@ -0,0 +1,38 @@ +title: Regsvr32 Anomaly +status: experimental +description: Detects various anomalies in relation to regsvr32.exe +author: Florian Roth +references: + - https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html +tags: + - attack.t1117 + - attack.defense_evasion + - attack.execution +logsource: + category: process_creation + product: windows +detection: + selection1: + Image: '*\regsvr32.exe' + CommandLine: '*\Temp\*' + selection2: + Image: '*\regsvr32.exe' + ParentImage: '*\powershell.exe' + selection3: + Image: '*\regsvr32.exe' + CommandLine: + - '*/i:http* scrobj.dll' + - '*/i:ftp* scrobj.dll' + selection4: + Image: '*\wscript.exe' + ParentImage: '*\regsvr32.exe' + selection5: + Image: '*\EXCEL.EXE' + CommandLine: '*..\..\..\Windows\System32\regsvr32.exe *' + condition: 1 of them +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/win_susp_run_locations.yml b/rules/windows/process_creation/win_susp_run_locations.yml new file mode 100644 index 000000000..ce74c9334 --- /dev/null +++ b/rules/windows/process_creation/win_susp_run_locations.yml @@ -0,0 +1,23 @@ +title: Suspicious Process Start Locations +description: Detects suspicious process run from unusual locations +status: experimental +references: + - https://car.mitre.org/wiki/CAR-2013-05-002 +author: juju4 +tags: + - attack.defense_evasion + - attack.t1036 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: + - '*:\RECYCLER\*' + - '*:\SystemVolumeInformation\*' + - '%windir%\Tasks\*' + - '%systemroot%\debug\*' + condition: selection +falsepositives: + - False positives depend on scripts and administrative tools used in the monitored environment +level: medium diff --git a/rules/windows/process_creation/win_susp_rundll32_activity.yml b/rules/windows/process_creation/win_susp_rundll32_activity.yml new file mode 100644 index 000000000..03a44c6ad 
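Review bot: `'*:\SystemVolumeInformation\*'` in the Suspicious Process Start Locations rule cannot match the real directory, which is named `System Volume Information` with spaces, and `'%windir%\Tasks\*'` / `'%systemroot%\debug\*'` are environment-variable references that the shell expands before process creation, so the literal `%windir%` text is unlikely to appear in a recorded command line. Consider `'*:\System Volume Information\*'`, `'*\Windows\Tasks\*'` and `'*\Windows\debug\*'`. Since the title is about where the process starts from, matching these paths on `Image` rather than `CommandLine` would also be more direct.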
--- /dev/null +++ b/rules/windows/process_creation/win_susp_rundll32_activity.yml @@ -0,0 +1,35 @@ +title: Suspicious Rundll32 Activity +description: Detects suspicious process related to rundll32 based on arguments +status: experimental +references: + - http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/ + - https://twitter.com/Hexacorn/status/885258886428725250 + - https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52 +tags: + - attack.defense_evasion + - attack.execution + - attack.t1085 +author: juju4 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: + - '*\rundll32.exe* url.dll,*OpenURL *' + - '*\rundll32.exe* url.dll,*OpenURLA *' + - '*\rundll32.exe* url.dll,*FileProtocolHandler *' + - '*\rundll32.exe* zipfldr.dll,*RouteTheCall *' + - '*\rundll32.exe* Shell32.dll,*Control_RunDLL *' + - '*\rundll32.exe javascript:*' + - '* url.dll,*OpenURL *' + - '* url.dll,*OpenURLA *' + - '* url.dll,*FileProtocolHandler *' + - '* zipfldr.dll,*RouteTheCall *' + - '* Shell32.dll,*Control_RunDLL *' + - '* javascript:*' + - '*.RegisterXLL*' + condition: selection +falsepositives: + - False positives depend on scripts and administrative tools used in the monitored environment +level: medium diff --git a/rules/windows/process_creation/win_susp_schtask_creation.yml b/rules/windows/process_creation/win_susp_schtask_creation.yml new file mode 100644 index 000000000..905db2112 --- /dev/null +++ b/rules/windows/process_creation/win_susp_schtask_creation.yml 
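Review bot: The five `'*\rundll32.exe* …'` entries in the Suspicious Rundll32 Activity rule are redundant: the selection is on CommandLine only, and each of them is strictly contained in the unanchored entry that follows it (`'* url.dll,*OpenURL *'` already matches everything `'*\rundll32.exe* url.dll,*OpenURL *'` matches), so the rundll32-anchored set never contributes a hit. Either drop the anchored set, or add `Image: '*\rundll32.exe'` to the selection so the rule actually restricts itself to rundll32 as the title promises; as written `'* javascript:*'` and `'*.RegisterXLL*'` fire for any process.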
@@ -0,0 +1,27 @@ +title: Scheduled Task Creation +status: experimental +description: Detects the creation of scheduled tasks in user session +author: Florian Roth +logsource: + category: process_creation + product: windows +detection: + selection: + Image: '*\schtasks.exe' + CommandLine: '* /create *' + filter: + User: NT AUTHORITY\SYSTEM + condition: selection and not filter +fields: + - CommandLine + - ParentCommandLine +tags: + - attack.execution + - attack.persistence + - attack.privelege_escalation + - attack.t1053 + - attack.s0111 +falsepositives: + - Administrative activity + - Software installation +level: low diff --git a/rules/windows/process_creation/win_susp_script_execution.yml b/rules/windows/process_creation/win_susp_script_execution.yml new file mode 100644 index 000000000..6e0773cfb --- /dev/null +++ b/rules/windows/process_creation/win_susp_script_execution.yml @@ -0,0 +1,24 @@ +title: WSF/JSE/JS/VBA/VBE File Execution +status: experimental +description: Detects suspicious file execution by wscript and cscript +author: Michael Haag +logsource: + category: process_creation + product: windows +detection: + selection: + Image: + - '*\wscript.exe' + - '*\cscript.exe' + CommandLine: + - '*.jse' + - '*.vbe' + - '*.js' + - '*.vba' + condition: selection +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - Will need to be tuned. I recommend adding the user profile path in CommandLine if it is getting too noisy. +level: medium diff --git a/rules/windows/process_creation/win_susp_svchost.yml b/rules/windows/process_creation/win_susp_svchost.yml new file mode 100644 index 000000000..006337202 --- /dev/null +++ b/rules/windows/process_creation/win_susp_svchost.yml 
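Review bot: `attack.privelege_escalation` in the Scheduled Task Creation rule's tags is misspelled; the webshell rules added in this commit use `attack.privilege_escalation`, and tooling that groups rules by tactic will not recognise the misspelt form. The rule also has no `date` or `references` field.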
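Review bot: The title of the script-execution rule promises `WSF/JSE/JS/VBA/VBE`, but the CommandLine list only contains `.jse`, `.vbe`, `.js` and `.vba`; `.wsf` is missing, and `.vbs` is absent from both title and list although wscript/cscript are its default handlers. Adding `- '*.wsf'` (and, if intended, `- '*.vbs'`) or trimming the title would bring the two into agreement.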
@@ -0,0 +1,24 @@ +title: Suspicious Svchost Process +status: experimental +description: Detects a suspicious svchost process start +author: Florian Roth +date: 2017/08/15 +logsource: + category: process_creation + product: windows +detection: + selection: + Image: '*\svchost.exe' + filter: + ParentImage: + - '*\services.exe' + - '*\MsMpEng.exe' + condition: selection and not filter +fields: + - CommandLine + - ParentCommandLine +tags: + - attack.defense_evasion +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/win_susp_sysprep_appdata.yml b/rules/windows/process_creation/win_susp_sysprep_appdata.yml new file mode 100644 index 000000000..ad94a7864 --- /dev/null +++ b/rules/windows/process_creation/win_susp_sysprep_appdata.yml @@ -0,0 +1,21 @@ +title: Sysprep on AppData Folder +status: experimental +description: Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec) +references: + - https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets + - https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b +author: Florian Roth +date: 2018/06/22 +modified: 2018/12/11 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: + - '*\sysprep.exe *\AppData\*' + - sysprep.exe *\AppData\* + condition: selection +falsepositives: + - False positives depend on scripts and administrative tools used in the monitored environment +level: medium diff --git a/rules/windows/process_creation/win_susp_sysvol_access.yml b/rules/windows/process_creation/win_susp_sysvol_access.yml new file mode 100644 index 000000000..3ca1ea09d --- /dev/null +++ b/rules/windows/process_creation/win_susp_sysvol_access.yml 
@@ -0,0 +1,22 @@ +title: Suspicious SYSVOL Domain Group Policy Access +status: experimental +description: Detects Access to Domain Group Policies stored in SYSVOL +references: + - https://adsecurity.org/?p=2288 + - https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100 +author: Markus Neis +date: 2018/04/09 +modified: 2018/12/11 +tags: + - attack.credential_access + - attack.t1003 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: '*\SYSVOL\*\policies\*' + condition: selection +falsepositives: + - administrative activity +level: medium diff --git a/rules/windows/sysmon/sysmon_susp_taskmgr_localsystem.yml b/rules/windows/process_creation/win_susp_taskmgr_localsystem.yml similarity index 55% rename from rules/windows/sysmon/sysmon_susp_taskmgr_localsystem.yml rename to rules/windows/process_creation/win_susp_taskmgr_localsystem.yml index 9cf162797..f3da5750f 100644 --- a/rules/windows/sysmon/sysmon_susp_taskmgr_localsystem.yml +++ b/rules/windows/process_creation/win_susp_taskmgr_localsystem.yml @@ -4,14 +4,13 @@ description: Detects the creation of taskmgr.exe process in context of LOCAL_SYS author: Florian Roth date: 2018/03/18 logsource: - product: windows - service: sysmon + category: process_creation + product: windows detection: - selection: - EventID: 1 - User: 'NT AUTHORITY\SYSTEM' - Image: '*\taskmgr.exe' - condition: selection + selection: + User: NT AUTHORITY\SYSTEM + Image: '*\taskmgr.exe' + condition: selection falsepositives: - - Unkown + - Unkown level: high diff --git a/rules/windows/process_creation/win_susp_taskmgr_parent.yml b/rules/windows/process_creation/win_susp_taskmgr_parent.yml new file mode 100644 index 000000000..e4e516d4e --- /dev/null +++ b/rules/windows/process_creation/win_susp_taskmgr_parent.yml 
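Review bot: The rewritten `falsepositives` line in the taskmgr LOCAL_SYSTEM rule keeps the typo `Unkown`; since the line is already being touched in this hunk, it should become `- Unknown` as in the other rules. The hunk also drops the quotes around `NT AUTHORITY\SYSTEM`, which is fine for YAML (a plain scalar keeps the backslash) but worth a consistency check against `win_susp_schtask_creation.yml` and `win_susp_tscon_localsystem.yml`, which use the same unquoted form.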
@@ -0,0 +1,23 @@ +title: Taskmgr as Parent +status: experimental +description: Detects the creation of a process from Windows task manager +author: Florian Roth +date: 2018/03/13 +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage: '*\taskmgr.exe' + filter: + Image: + - resmon.exe + - mmc.exe + condition: selection and not filter +fields: + - Image + - CommandLine + - ParentCommandLine +falsepositives: + - Administrative activity +level: low diff --git a/rules/windows/process_creation/win_susp_tscon_localsystem.yml b/rules/windows/process_creation/win_susp_tscon_localsystem.yml new file mode 100644 index 000000000..aa7602464 --- /dev/null +++ b/rules/windows/process_creation/win_susp_tscon_localsystem.yml @@ -0,0 +1,19 @@ +title: Suspicious TSCON Start +status: experimental +description: Detects a tscon.exe start as LOCAL SYSTEM +references: + - http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html + - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6 +author: Florian Roth +date: 2018/03/17 +logsource: + category: process_creation + product: windows +detection: + selection: + User: NT AUTHORITY\SYSTEM + Image: '*\tscon.exe' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml b/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml new file mode 100644 index 000000000..f8c0c81d2 --- /dev/null +++ b/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml 
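Review bot: The `filter` in the Taskmgr as Parent rule lists `resmon.exe` and `mmc.exe` without a path wildcard, while every other Image match in this commit uses the `'*\name.exe'` form; if the backend treats a wildcard-free value as an exact match against the full image path, the filter never applies and the `and not filter` in the condition is a no-op. `- '*\resmon.exe'` and `- '*\mmc.exe'` would make the exclusion effective.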
@@ -0,0 +1,19 @@ +title: Suspicious RDP Redirect Using TSCON +status: experimental +description: Detects a suspicious RDP session redirect using tscon.exe +references: + - http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html + - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6 +author: Florian Roth +date: 2018/03/17 +modified: 2018/12/11 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: '* /dest:rdp-tcp:*' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml b/rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml new file mode 100644 index 000000000..43c24a64c --- /dev/null +++ b/rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml 
@@ -0,0 +1,31 @@ +title: Activity Related to NTDS.dit Domain Hash Retrieval +status: experimental +description: Detects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely +author: Florian Roth, Michael Haag +references: + - https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/ + - https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/ + - https://www.trustwave.com/Resources/SpiderLabs-Blog/Tutorial-for-NTDS-goodness-(VSSADMIN,-WMIS,-NTDS-dit,-SYSTEM)/ + - https://securingtomorrow.mcafee.com/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/ +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: + - vssadmin.exe Delete Shadows + - 'vssadmin create shadow /for=C:' + - copy \\?\GLOBALROOT\Device\*\windows\ntds\ntds.dit + - copy \\?\GLOBALROOT\Device\*\config\SAM + - 'vssadmin delete shadows /for=C:' + - 'reg SAVE HKLM\SYSTEM ' + condition: selection +fields: + - CommandLine + - ParentCommandLine +tags: + - attack.credential_access + - attack.t1003 +falsepositives: + - Administrative activity +level: high diff --git a/rules/windows/process_creation/win_susp_whoami.yml b/rules/windows/process_creation/win_susp_whoami.yml new file mode 100644 index 000000000..974cf4567 --- /dev/null +++ b/rules/windows/process_creation/win_susp_whoami.yml 
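Review bot: The six CommandLine entries in the NTDS.dit rule carry no leading or trailing wildcard (for example `vssadmin.exe Delete Shadows` and `'reg SAVE HKLM\SYSTEM '` with a trailing space), so they match only a command line that is exactly that text; a recorded command line that starts with a full path, or adds a target parameter, is missed. The same six patterns appear in `win_susp_process_creations.yml` from this commit with `*` wildcards (`vssadmin delete shadows*`, `reg SAVE HKLM\SYSTEM *`), so either this rule should adopt the wildcarded forms or a comment should explain why the exact-match variant is kept alongside the broader rule.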
@@ -0,0 +1,22 @@ +title: Whoami Execution +status: experimental +description: Detects the execution of whoami, which is often used by attackers after exloitation / privilege escalation but rarely used by administrators +references: + - https://twitter.com/haroonmeer/status/939099379834658817 + - https://twitter.com/c_APT_ure/status/939475433711722497 +author: Florian Roth +date: 2018/05/22 +tags: + - attack.discovery + - attack.t1033 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: whoami + condition: selection +falsepositives: + - Admin activity + - Scripts and administrative tools used in the monitored environment +level: high diff --git a/rules/windows/process_creation/win_susp_wmi_execution.yml b/rules/windows/process_creation/win_susp_wmi_execution.yml new file mode 100644 index 000000000..3a22fa429 --- /dev/null +++ b/rules/windows/process_creation/win_susp_wmi_execution.yml @@ -0,0 +1,31 @@ +title: Suspicious WMI execution +status: experimental +description: Detects WMI executing suspicious commands +references: + - https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/ + - https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1 + - https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/ +author: Michael Haag, Florian Roth +logsource: + category: process_creation + product: windows +detection: + selection: + Image: + - '*\wmic.exe' + CommandLine: + - '*/NODE:*process call create *' + - '* path AntiVirusProduct get *' + - '* path FirewallProduct get *' + - '* shadowcopy delete *' + condition: selection +fields: + - CommandLine + - ParentCommandLine +tags: + - attack.execution + - attack.t1047 +falsepositives: + - Will need to be tuned + - If using Splunk, I recommend | stats count by Computer,CommandLine following for easy hunting by Computer/CommandLine. +level: medium 
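Review bot: `CommandLine: whoami` in the Whoami Execution rule is an exact match, so `whoami /all`, `whoami /priv` or a full-path invocation are not detected even though the description speaks of "the execution of whoami" generally; `Image: '*\whoami.exe'`, the form used by the other binary-centric rules here, would cover all of them, and if the bare-word match is deliberate a comment should say so. The description also has a typo, `exloitation` → `exploitation`.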
diff --git a/rules/windows/process_creation/win_system_exe_anomaly.yml b/rules/windows/process_creation/win_system_exe_anomaly.yml new file mode 100644 index 000000000..414f58d37 --- /dev/null +++ b/rules/windows/process_creation/win_system_exe_anomaly.yml @@ -0,0 +1,33 @@ +title: System File Execution Location Anomaly +status: experimental +description: Detects a Windows program executable started in a suspicious folder +references: + - https://twitter.com/GelosSnake/status/934900723426439170 +author: Florian Roth +date: 2017/11/27 +logsource: + category: process_creation + product: windows +detection: + selection: + Image: + - '*\svchost.exe' + - '*\rundll32.exe' + - '*\services.exe' + - '*\powershell.exe' + - '*\regsvr32.exe' + - '*\spoolsv.exe' + - '*\lsass.exe' + - '*\smss.exe' + - '*\csrss.exe' + - '*\conhost.exe' + filter: + Image: + - '*\System32\*' + - '*\SysWow64\*' + condition: selection and not filter +tags: + - attack.defense_evasion +falsepositives: + - Exotic software +level: high diff --git a/rules/windows/process_creation/win_vul_java_remote_debugging.yml b/rules/windows/process_creation/win_vul_java_remote_debugging.yml new file mode 100644 index 000000000..edce8d264 --- /dev/null +++ b/rules/windows/process_creation/win_vul_java_remote_debugging.yml @@ -0,0 +1,19 @@ +title: Java Running with Remote Debugging +description: Detects a JAVA process running with remote debugging allowing more than just localhost to connect +author: Florian Roth +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: '*transport=dt_socket,address=*' + exclusion: + - CommandLine: '*address=127.0.0.1*' + - CommandLine: '*address=localhost*' + condition: selection and not exclusion +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - unknown +level: medium 
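Review bot: The `filter` in the System File Execution Location Anomaly rule spells the WOW64 directory as `'*\SysWow64\*'` while the on-disk name is `SysWOW64`; most backends compare case-insensitively, but on a backend with case-sensitive keyword matching every 32-bit system binary would escape the filter and turn this `level: high` rule into noise. Using the canonical casing `'*\SysWOW64\*'` costs nothing and removes the dependency.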
diff --git a/rules/windows/process_creation/win_webshell_detection.yml b/rules/windows/process_creation/win_webshell_detection.yml new file mode 100644 index 000000000..466ca9a02 --- /dev/null +++ b/rules/windows/process_creation/win_webshell_detection.yml @@ -0,0 +1,31 @@ +title: Webshell Detection With Command Line Keywords +description: Detects certain command line parameters often used during reconnaissance activity via web shells +author: Florian Roth +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage: + - '*\apache*' + - '*\tomcat*' + - '*\w3wp.exe' + - '*\php-cgi.exe' + - '*\nginx.exe' + - '*\httpd.exe' + CommandLine: + - whoami + - net user + - ping -n + - systeminfo + condition: selection +fields: + - CommandLine + - ParentCommandLine +tags: + - attack.privilege_escalation + - attack.persistence + - attack.t1100 +falsepositives: + - unknown +level: high diff --git a/rules/windows/process_creation/win_webshell_spawn.yml b/rules/windows/process_creation/win_webshell_spawn.yml new file mode 100644 index 000000000..bf6569a19 --- /dev/null +++ b/rules/windows/process_creation/win_webshell_spawn.yml @@ -0,0 +1,30 @@ +title: Shells Spawned by Web Servers +status: experimental +description: Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack +author: Thomas Patzke +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage: + - '*\w3wp.exe' + - '*\httpd.exe' + - '*\nginx.exe' + - '*\php-cgi.exe' + Image: + - '*\cmd.exe' + - '*\sh.exe' + - '*\bash.exe' + - '*\powershell.exe' + condition: selection +fields: + - CommandLine + - ParentCommandLine +tags: + - attack.privilege_escalation + - attack.persistence + - attack.t1100 +falsepositives: + - Particular web applications may spawn a shell process legitimately +level: high 
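Review bot: The four CommandLine values in the Webshell Detection rule (`whoami`, `net user`, `ping -n`, `systeminfo`) have no wildcards and therefore match only command lines that are exactly that text, which is inconsistent with the wildcarded `ParentImage` list above them; `ping -n` in particular can never match a real invocation, which always carries a count and a host. `'*whoami*'`, `'*net user*'`, `'*ping -n*'` and `'*systeminfo*'` (or the corresponding `Image` matches) would express the intent of "keywords in the command line" stated in the title.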
diff --git a/rules/windows/process_creation/win_wmi_persistence_script_event_consumer.yml b/rules/windows/process_creation/win_wmi_persistence_script_event_consumer.yml new file mode 100644 index 000000000..3f90fbed6 --- /dev/null +++ b/rules/windows/process_creation/win_wmi_persistence_script_event_consumer.yml @@ -0,0 +1,22 @@ +title: WMI Persistence - Script Event Consumer +status: experimental +description: Detects WMI script event consumers +references: + - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/ +author: Thomas Patzke +date: 2018/03/07 +tags: + - attack.execution + - attack.persistence + - attack.t1047 +logsource: + category: process_creation + product: windows +detection: + selection: + Image: C:\WINDOWS\system32\wbem\scrcons.exe + ParentImage: C:\Windows\System32\svchost.exe + condition: selection +falsepositives: + - Legitimate event consumers +level: high diff --git a/rules/windows/process_creation/win_workflow_compiler.yml b/rules/windows/process_creation/win_workflow_compiler.yml new file mode 100644 index 000000000..ae2ea8844 --- /dev/null +++ b/rules/windows/process_creation/win_workflow_compiler.yml @@ -0,0 +1,22 @@ +title: Microsoft Workflow Compiler +status: experimental +description: Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code. +tags: + - attack.defense_evasion + - attack.execution +author: Nik Seetharaman +references: + - https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb +logsource: + category: process_creation + product: windows +detection: + selection: + Image: '*\Microsoft.Workflow.Compiler.exe' + condition: selection +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - Legitimate MWC use (unlikely in modern enterprise environments) +level: high 
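Review bot: The WMI Persistence rule hard-codes the full paths `C:\WINDOWS\system32\wbem\scrcons.exe` and `C:\Windows\System32\svchost.exe`, so a system with Windows installed on another drive, a non-default system root, or a case-sensitive backend (note the mixed `WINDOWS`/`Windows` casing between the two lines) never matches. `Image: '*\wbem\scrcons.exe'` and `ParentImage: '*\svchost.exe'` follow the convention of the other rules in this directory and keep the intent intact.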
diff --git a/rules/windows/sysmon/sysmon_attrib_hiding_files.yml b/rules/windows/sysmon/sysmon_attrib_hiding_files.yml deleted file mode 100644 index 8bba17482..000000000 --- a/rules/windows/sysmon/sysmon_attrib_hiding_files.yml +++ /dev/null @@ -1,31 +0,0 @@ -title: Hiding files with attrib.exe -status: experimental -description: Detects usage of attrib.exe to hide files from users. -author: Sami Ruohonen -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - Image: '*\attrib.exe' - CommandLine: '* +h *' - ini: - CommandLine: '*\desktop.ini *' - intel: - ParentImage: '*\cmd.exe' - CommandLine: '+R +H +S +A \*.cui' - ParentCommandLine: 'C:\WINDOWS\system32\\*.bat' - condition: selection and not (ini or intel) -fields: - - CommandLine - - ParentCommandLine - - User -tags: - - attack.defense_evasion - - attack.persistence - - attack.t1158 -falsepositives: - - igfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe) - - msiexec.exe hiding desktop.ini -level: low diff --git a/rules/windows/sysmon/sysmon_bypass_squiblytwo.yml b/rules/windows/sysmon/sysmon_bypass_squiblytwo.yml deleted file mode 100644 index bb312f204..000000000 --- a/rules/windows/sysmon/sysmon_bypass_squiblytwo.yml +++ /dev/null 
@@ -1,36 +0,0 @@ -title: SquiblyTwo -status: experimental -description: Detects WMI SquiblyTwo Attack with possible renamed WMI by looking for imphash -references: - - https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html - - https://twitter.com/mattifestation/status/986280382042595328 -tags: - - attack.defense_evasion - - attack.t1047 -author: Markus Neis / Florian Roth -falsepositives: - - Unknown -level: medium -logsource: - product: windows - service: sysmon -detection: - selection1: - EventID: 1 - Image: - - '*\wmic.exe' - CommandLine: - - 'wmic * *format:\"http*' - - "wmic * /format:'http" - - 'wmic * /format:http*' - selection2: - EventID: 1 - Imphash: - - '1B1A3F43BF37B5BFE60751F2EE2F326E' - - '37777A96245A3C74EB217308F3546F4C' - - '9D87C9D67CE724033C0B40CC4CA1B206' - CommandLine: - - '* *format:\"http*' - - "* /format:'http" - - '* /format:http*' - condition: 1 of them diff --git a/rules/windows/sysmon/sysmon_cmdkey_recon.yml b/rules/windows/sysmon/sysmon_cmdkey_recon.yml deleted file mode 100644 index 6f1e4c664..000000000 --- a/rules/windows/sysmon/sysmon_cmdkey_recon.yml +++ /dev/null @@ -1,23 +0,0 @@ -title: Cmdkey Cached Credentials Recon -status: experimental -description: Detects usage of cmdkey to look for cached credentials -references: - - https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation - - https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx -author: jmallette -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - Image: '*\cmdkey.exe' - CommandLine: '* /list *' - condition: selection -fields: - - CommandLine - - ParentCommandLine - - User -falsepositives: - - Legitimate administrative tasks. -level: low diff --git a/rules/windows/sysmon/sysmon_cmstp_com_object_access.yml b/rules/windows/sysmon/sysmon_cmstp_com_object_access.yml deleted file mode 100644 index f535868aa..000000000 
--- a/rules/windows/sysmon/sysmon_cmstp_com_object_access.yml +++ /dev/null @@ -1,34 +0,0 @@ -title: CMSTP UAC Bypass via COM Object Access -status: stable -description: Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects -tags: - - attack.defense_evasion - - attack.privilege_escalation - - attack.execution - - attack.t1088 - - attack.t1191 - - attack.g0069 -author: Nik Seetharaman -references: - - http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/ - - https://twitter.com/hFireF0X/status/897640081053364225 -logsource: - product: windows - service: sysmon -detection: - # CMSTP Spawning Child Process - selection1: - EventID: 1 - ParentCommandLine: '*\DllHost.exe' - selection2: - ParentCommandLine: - - '*\{3E5FC7F9-9A51-4367-9063-A120244FBEC7}' #CMSTPLUA - - '*\{3E000D72-A845-4CD9-BD83-80C07C3B881F}' #CMLUAUTIL, see https://twitter.com/hFireF0X/status/897640081053364225 - condition: selection1 and selection2 -fields: - - CommandLine - - ParentCommandLine - - Hashes -falsepositives: - - Legitimate CMSTP use (unlikely in modern enterprise environments) -level: high diff --git a/rules/windows/sysmon/sysmon_exploit_cve_2017_0261.yml b/rules/windows/sysmon/sysmon_exploit_cve_2017_0261.yml deleted file mode 100644 index 258254ccf..000000000 --- a/rules/windows/sysmon/sysmon_exploit_cve_2017_0261.yml +++ /dev/null 
@@ -1,19 +0,0 @@ -title: Exploit for CVE-2017-0261 -status: experimental -description: Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262 -references: - - https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html -author: Florian Roth -date: 2018/02/22 -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - ParentImage: '*\WINWORD.EXE' - Image: '*\FLTLDR.exe*' - condition: selection -falsepositives: - - Several false positives identified, check for suspicious file names or locations (e.g. Temp folders) -level: medium diff --git a/rules/windows/sysmon/sysmon_exploit_cve_2017_11882.yml b/rules/windows/sysmon/sysmon_exploit_cve_2017_11882.yml deleted file mode 100644 index ad2eff251..000000000 --- a/rules/windows/sysmon/sysmon_exploit_cve_2017_11882.yml +++ /dev/null @@ -1,21 +0,0 @@ -title: Droppers exploiting CVE-2017-11882 -status: experimental -description: Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe -references: - - https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100 - - https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw -author: Florian Roth -date: 2017/11/23 -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - ParentImage: '*\EQNEDT32.EXE' - condition: selection -fields: - - CommandLine -falsepositives: - - unknown -level: critical diff --git a/rules/windows/sysmon/sysmon_lethalhta.yml b/rules/windows/sysmon/sysmon_lethalhta.yml deleted file mode 100644 index 5669721a8..000000000 --- a/rules/windows/sysmon/sysmon_lethalhta.yml +++ /dev/null 
@@ -1,19 +0,0 @@ -title: MSHTA spwaned by SVCHOST as seen in LethalHTA -status: experimental -description: Detects MSHTA.EXE spwaned by SVCHOST described in report -references: - - https://codewhitesec.blogspot.com/2018/07/lethalhta.html -author: Markus Neis -date: 2018/06/07 -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - ParentImage: '*\svchost.exe' - Image: '*\mshta.exe' - condition: selection -falsepositives: - - Unknown -level: high diff --git a/rules/windows/sysmon/sysmon_malware_script_dropper.yml b/rules/windows/sysmon/sysmon_malware_script_dropper.yml deleted file mode 100644 index 95b29fd80..000000000 --- a/rules/windows/sysmon/sysmon_malware_script_dropper.yml +++ /dev/null @@ -1,34 +0,0 @@ -title: WScript or CScript Dropper -status: experimental -description: Detects wscript/cscript executions of scripts located in user directories -author: Margaritis Dimitrios (idea), Florian Roth (rule) -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - Image: - - '*\wscript.exe' - - '*\cscript.exe' - CommandLine: - - '* C:\Users\*.jse *' - - '* C:\Users\*.vbe *' - - '* C:\Users\*.js *' - - '* C:\Users\*.vba *' - - '* C:\Users\*.vbs *' - - '* C:\ProgramData\*.jse *' - - '* C:\ProgramData\*.vbe *' - - '* C:\ProgramData\*.js *' - - '* C:\ProgramData\*.vba *' - - '* C:\ProgramData\*.vbs *' - falsepositive: - ParentImage: '*\winzip*' - condition: selection -fields: - - CommandLine - - ParentCommandLine -falsepositives: - - Winzip - - Other self-extractors -level: high diff --git a/rules/windows/sysmon/sysmon_mshta_spawn_shell.yml b/rules/windows/sysmon/sysmon_mshta_spawn_shell.yml deleted file mode 100644 index ddb298fa1..000000000 --- a/rules/windows/sysmon/sysmon_mshta_spawn_shell.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -title: MSHTA Spawning Windows Shell -status: experimental -description: Detects a Windows command line executable started from MSHTA. -references: - - https://www.trustedsec.com/july-2015/malicious-htas/ -author: Michael Haag -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - ParentImage: '*\mshta.exe' - Image: - - '*\cmd.exe' - - '*\powershell.exe' - - '*\wscript.exe' - - '*\cscript.exe' - - '*\sh.exe' - - '*\bash.exe' - - '*\reg.exe' - - '*\regsvr32.exe' - - '*\BITSADMIN*' - filter: - CommandLine: - - '*/HP/HP*' - - '*\HP\HP*' - condition: selection and not filter -fields: - - CommandLine - - ParentCommandLine -tags: - - attack.defense_evasion - - attack.execution - - attack.t1170 -falsepositives: - - Printer software / driver installations -level: high - diff --git a/rules/windows/sysmon/sysmon_office_shell.yml b/rules/windows/sysmon/sysmon_office_shell.yml deleted file mode 100644 index c226ffe44..000000000 --- a/rules/windows/sysmon/sysmon_office_shell.yml +++ /dev/null 
@@ -1,53 +0,0 @@ -title: Microsoft Office Product Spawning Windows Shell -status: experimental -description: Detects a Windows command line executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio. -references: - - https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100 - - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html - - https://www2.cybereason.com/asset/60:research-cobalt-kitty-attack-lifecycle -tags: - - attack.execution - - attack.defense_evasion - - attack.t1059 - - attack.T1202 -author: Michael Haag, Florian Roth, Markus Neis -date: 2018/04/06 -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - ParentImage: - - '*\WINWORD.EXE' - - '*\EXCEL.EXE' - - '*\POWERPNT.exe' - - '*\MSPUB.exe' - - '*\VISIO.exe' - - '*\OUTLOOK.EXE' - Image: - - '*\cmd.exe' - - '*\powershell.exe' - - '*\wscript.exe' - - '*\cscript.exe' - - '*\sh.exe' - - '*\bash.exe' - - '*\scrcons.exe' - - '*\schtasks.exe' # see https://www.hybrid-analysis.com/sample/b409538c99f99b94a5035d9fa44a506b41be0feb23e89b7e4d272ba791aa6002?environmentId=100 - - '*\regsvr32.exe' # see https://twitter.com/subTee/status/899283365647458305 - - '*\hh.exe' # see https://www.hybrid-analysis.com/sample/6abc2b63f1865a847ff7f5a9d49bb944397b36f5503b9718d6f91f93d60f7cd7?environmentId=100 - - '*\wmic.exe' # see https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html - - '*\mshta.exe' # see https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html - - '*\rundll32.exe' # see https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html - - '*\msiexec.exe' # see https://twitter.com/DissectMalware/status/984252467474026497 - - '*\forfiles.exe' # see https://twitter.com/danielhbohannon/status/896057910123347969?lang=en - - '*\scriptrunner.exe' # see https://twitter.com/KyleHanslovan/status/914800377580503040 - - '*\mftrace.exe' # see 
https://github.com/api0cradle/LOLBAS/blob/763d0b115cd702780ca042a8beb6ee684ef7823f/OtherMSBinaries/Mftrace.md - - '*\AppVLP.exe' # see https://twitter.com/moo_hax/status/892388990686347264 - condition: selection -fields: - - CommandLine - - ParentCommandLine -falsepositives: - - unknown -level: high diff --git a/rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml b/rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml deleted file mode 100644 index 59f5821a2..000000000 --- a/rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml +++ /dev/null 
@@ -1,147 +0,0 @@ -title: Executable used by PlugX in Uncommon Location - Sysmon Version -status: experimental -description: Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location -references: - - 'http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/' - - 'https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/' -author: Florian Roth -date: 2017/06/12 -logsource: - product: windows - service: sysmon -detection: - - # CamMute - selection_cammute: - EventID: 1 - Image: '*\CamMute.exe' - filter_cammute: - EventID: 1 - Image: '*\Lenovo\Communication Utility\*' - - # Chrome Frame Helper - selection_chrome_frame: - EventID: 1 - Image: '*\chrome_frame_helper.exe' - filter_chrome_frame: - EventID: 1 - Image: '*\Google\Chrome\application\*' - - # Microsoft Device Emulator - selection_devemu: - EventID: 1 - Image: '*\dvcemumanager.exe' - filter_devemu: - EventID: 1 - Image: '*\Microsoft Device Emulator\*' - - # Windows Media Player Gadget - selection_gadget: - EventID: 1 - Image: '*\Gadget.exe' - filter_gadget: - EventID: 1 - Image: '*\Windows Media Player\*' - - # HTML Help Workshop - selection_hcc: - EventID: 1 - Image: '*\hcc.exe' - filter_hcc: - EventID: 1 - Image: '*\HTML Help Workshop\*' - - # Hotkey Command Module for Intel Graphics Contollers - selection_hkcmd: - EventID: 1 - Image: '*\hkcmd.exe' - filter_hkcmd: - EventID: 1 - Image: - - '*\System32\*' - - '*\SysNative\*' - - '*\SysWowo64\*' - - # McAfee component - selection_mc: - EventID: 1 - Image: '*\Mc.exe' - filter_mc: - EventID: 1 - Image: - - '*\Microsoft Visual Studio*' - - '*\Microsoft SDK*' - - '*\Windows Kit*' - - # MsMpEng - Microsoft Malware Protection Engine - selection_msmpeng: - EventID: 1 - Image: '*\MsMpEng.exe' - filter_msmpeng: - EventID: 1 - Image: - - '*\Microsoft Security Client\*' - - '*\Windows Defender\*' - - '*\AntiMalware\*' - - # Microsoft Security Center - 
selection_msseces: - EventID: 1 - Image: '*\msseces.exe' - filter_msseces: - EventID: 1 - Image: '*\Microsoft Security Center\*' - - # Microsoft Office 2003 OInfo - selection_oinfo: - EventID: 1 - Image: '*\OInfoP11.exe' - filter_oinfo: - EventID: 1 - Image: '*\Common Files\Microsoft Shared\*' - - # OLE View - selection_oleview: - EventID: 1 - Image: '*\OleView.exe' - filter_oleview: - EventID: 1 - Image: - - '*\Microsoft Visual Studio*' - - '*\Microsoft SDK*' - - '*\Windows Kit*' - - '*\Windows Resource Kit\*' - - # RC - selection_rc: - EventID: 1 - Image: '*\rc.exe' - filter_rc: - EventID: 1 - Image: - - '*\Microsoft Visual Studio*' - - '*\Microsoft SDK*' - - '*\Windows Kit*' - - '*\Windows Resource Kit\*' - - '*\Microsoft.NET\*' - - condition: ( selection_cammute and not filter_cammute ) or - ( selection_chrome_frame and not filter_chrome_frame ) or - ( selection_devemu and not filter_devemu ) or - ( selection_gadget and not filter_gadget ) or - ( selection_hcc and not filter_hcc ) or - ( selection_hkcmd and not filter_hkcmd ) or - ( selection_mc and not filter_mc ) or - ( selection_msmpeng and not filter_msmpeng ) or - ( selection_msseces and not filter_msseces ) or - ( selection_oinfo and not filter_oinfo ) or - ( selection_oleview and not filter_oleview ) or - ( selection_rc and not filter_rc ) -fields: - - CommandLine - - ParentCommandLine -falsepositives: - - Unknown -level: high - - diff --git a/rules/windows/sysmon/sysmon_powershell_amsi_bypass.yml b/rules/windows/sysmon/sysmon_powershell_amsi_bypass.yml deleted file mode 100644 index c78da8db6..000000000 --- a/rules/windows/sysmon/sysmon_powershell_amsi_bypass.yml +++ /dev/null 
@@ -1,27 +0,0 @@ -title: Powershell AMSI Bypass via .NET Reflection -status: experimental -description: Detects Request to amsiInitFailed that can be used to disable AMSI Scanning -references: - - https://twitter.com/mattifestation/status/735261176745988096 - - https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120 -tags: - - attack.execution - - attack.t1086 -author: Markus Neis -date: 2018/08/17 -logsource: - product: windows - service: sysmon -detection: - selection1: - EventID: 1 - CommandLine: - - '*System.Management.Automation.AmsiUtils*' - selection2: - CommandLine: - - '*amsiInitFailed*' - condition: selection1 and selection2 - falsepositives: - - Potential Admin Activity -level: high - diff --git a/rules/windows/sysmon/sysmon_powershell_dll_execution.yml b/rules/windows/sysmon/sysmon_powershell_dll_execution.yml deleted file mode 100644 index 940c75a4b..000000000 --- a/rules/windows/sysmon/sysmon_powershell_dll_execution.yml +++ /dev/null @@ -1,31 +0,0 @@ -title: Detection of PowerShell Execution via DLL -status: experimental -description: Detects PowerShell Strings applied to rundllas seen in PowerShdll.dll -references: - - https://github.com/p3nt4/PowerShdll/blob/master/README.md -tags: - - attack.execution - - attack.t1086 -author: Markus Neis -date: 2018/08/25 -logsource: - product: windows - service: sysmon -detection: - selection1: - EventID: 1 - Image: - - '*\rundll32.exe' - selection2: - EventID: 1 - Description: - - '*Windows-Hostprozess (Rundll32)*' - selection3: - EventID: 1 - CommandLine: - - '*Default.GetString*' - - '*FromBase64String*' - condition: (selection1 or selection2) and selection3 -falsepositives: - - Unknown -level: high diff --git a/rules/windows/sysmon/sysmon_powershell_download.yml b/rules/windows/sysmon/sysmon_powershell_download.yml deleted file mode 100644 index f5b875d6d..000000000 --- a/rules/windows/sysmon/sysmon_powershell_download.yml +++ /dev/null 
@@ -1,25 +0,0 @@ -title: PowerShell Download from URL -status: experimental -description: Detects a Powershell process that contains download commands in its command line string -author: Florian Roth -tags: - - attack.t1086 - - attack.execution -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - Image: '*\powershell.exe' - CommandLine: - - '*new-object system.net.webclient).downloadstring(*' - - '*new-object system.net.webclient).downloadfile(*' - condition: selection -fields: - - CommandLine - - ParentCommandLine -falsepositives: - - unknown -level: medium - diff --git a/rules/windows/sysmon/sysmon_powershell_renamed_ps.yml b/rules/windows/sysmon/sysmon_powershell_renamed_ps.yml deleted file mode 100644 index dce9e3751..000000000 --- a/rules/windows/sysmon/sysmon_powershell_renamed_ps.yml +++ /dev/null @@ -1,27 +0,0 @@ -title: Renamed Powershell.exe -status: experimental -description: Detects copying and renaming of powershell.exe before execution (RETEFE malware DOC/macro starting Sept 2018) -references: - - https://attack.mitre.org/techniques/T1086/ - - https://isc.sans.edu/forums/diary/Maldoc+Duplicating+PowerShell+Prior+to+Use/24254/ -tags: - - attack.t1086 - - attack.execution -author: Tom Ueltschi (@c_APT_ure) -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - Description: Windows PowerShell - exclusion_1: - Image: - - powershell.exe - - powershell_ise.exe - exclusion_2: - Description: Windows PowerShell ISE - condition: all of selection and not (1 of exclusion_*) -falsepositives: - - penetration tests, red teaming -level: high diff --git a/rules/windows/sysmon/sysmon_powershell_suspicious_parameter_variation.yml b/rules/windows/sysmon/sysmon_powershell_suspicious_parameter_variation.yml deleted file mode 100644 index ed6d68eeb..000000000 --- a/rules/windows/sysmon/sysmon_powershell_suspicious_parameter_variation.yml +++ /dev/null 
@@ -1,62 +0,0 @@ -title: Suspicious PowerShell Parameter Substring -status: experimental -description: Detects suspicious PowerShell invocation with a parameter substring -references: - - http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier -tags: - - attack.execution - - attack.t1086 -author: Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix) -logsource: - product: windows - service: sysmon -detection: - selection: - Image: - - '*\Powershell.exe' - EventID: 1 - CommandLine: - - ' -windowstyle h ' - - ' -windowstyl h' - - ' -windowsty h' - - ' -windowst h' - - ' -windows h' - - ' -windo h' - - ' -wind h' - - ' -win h' - - ' -wi h' - - ' -win h ' - - ' -win hi ' - - ' -win hid ' - - ' -win hidd ' - - ' -win hidde ' - - ' -NoPr ' - - ' -NoPro ' - - ' -NoProf ' - - ' -NoProfi ' - - ' -NoProfil ' - - ' -nonin ' - - ' -nonint ' - - ' -noninte ' - - ' -noninter ' - - ' -nonintera ' - - ' -noninterac ' - - ' -noninteract ' - - ' -noninteracti ' - - ' -noninteractiv ' - - ' -ec ' - - ' -encodedComman ' - - ' -encodedComma ' - - ' -encodedComm ' - - ' -encodedCom ' - - ' -encodedCo ' - - ' -encodedC ' - - ' -encoded ' - - ' -encode ' - - ' -encod ' - - ' -enco ' - - ' -en ' - condition: selection -falsepositives: - - Penetration tests -level: high diff --git a/rules/windows/sysmon/sysmon_sdbinst_shim_persistence.yml b/rules/windows/sysmon/sysmon_sdbinst_shim_persistence.yml deleted file mode 100644 index cea5c5ba8..000000000 --- a/rules/windows/sysmon/sysmon_sdbinst_shim_persistence.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -title: Possible Shim Database Persistence via sdbinst.exe -status: experimental -description: Detects execution of sdbinst writing to default shim database path C:\Windows\AppPatch\* -references: - - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html -tags: - - attack.persistence - - attack.t1138 -author: Markus Neis -date: 2018-08-03 -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - Image: - - '*\sdbinst.exe' - CommandLine: - - '*\AppPatch\*}.sdb*' - condition: selection -falsepositives: - - Unknown -level: high diff --git a/rules/windows/sysmon/sysmon_shell_spawn_susp_program.yml b/rules/windows/sysmon/sysmon_shell_spawn_susp_program.yml deleted file mode 100644 index d1af4a536..000000000 --- a/rules/windows/sysmon/sysmon_shell_spawn_susp_program.yml +++ /dev/null @@ -1,35 +0,0 @@ -title: Windows Shell Spawning Suspicious Program -status: experimental -description: Detects a suspicious child process of a Windows shell -references: - - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html -author: Florian Roth -date: 2018/04/06 -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - ParentImage: - - '*\mshta.exe' - - '*\powershell.exe' - - '*\cmd.exe' - - '*\rundll32.exe' - - '*\cscript.exe' - - '*\wscript.exe' - - '*\wmiprvse.exe' - Image: - - '*\schtasks.exe' - - '*\nslookup.exe' - - '*\certutil.exe' - - '*\bitsadmin.exe' - - '*\mshta.exe' - condition: selection -fields: - - CommandLine - - ParentCommandLine -falsepositives: - - Administrative scripts -level: high - diff --git a/rules/windows/sysmon/sysmon_susp_certutil_command.yml b/rules/windows/sysmon/sysmon_susp_certutil_command.yml deleted file mode 100644 index b6cdcfab4..000000000 --- a/rules/windows/sysmon/sysmon_susp_certutil_command.yml +++ /dev/null 
@@ -1,67 +0,0 @@ ---- -action: global -title: Suspicious Certutil Command -status: experimental -description: Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code with the built-in certutil utility -author: Florian Roth, juju4 -modified: 2018/12/11 -references: - - https://twitter.com/JohnLaTwC/status/835149808817991680 - - https://twitter.com/subTee/status/888102593838362624 - - https://twitter.com/subTee/status/888071631528235010 - - https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/ - - https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/ -detection: - condition: selection -fields: - - CommandLine - - ParentCommandLine -tags: - - attack.defense_evasion - - attack.t1140 - - attack.s0189 - - attack.g0007 -falsepositives: - - False positives depend on scripts and administrative tools used in the monitored environment -level: high ---- -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - CommandLine: - - '*certutil * -decode *' - - '*certutil * -decodehex *' - - '*certutil *-urlcache* http*' - - '*certutil *-urlcache* ftp*' - - '*certutil *-URL*' - - '*certutil *-ping*' - - '*certutil.exe * -decode *' - - '*certutil.exe * -decodehex *' - - '*certutil.exe *-urlcache* http*' - - '*certutil.exe *-urlcache* ftp*' - - '*certutil.exe *-URL*' - - '*certutil.exe *-ping*' ---- -logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' -detection: - selection: - EventID: 4688 - ProcessCommandLine: - - '*certutil * -decode *' - - '*certutil * -decodehex *' - - '*certutil *-urlcache* http*' - - '*certutil *-urlcache* ftp*' - - '*certutil *-URL*' - - '*certutil *-ping*' - - '*certutil.exe * -decode *' - - '*certutil.exe * -decodehex *' - - '*certutil.exe 
*-urlcache* http*' - - '*certutil.exe *-urlcache* ftp*' - - '*certutil.exe *-URL*' - - '*certutil.exe *-ping*' diff --git a/rules/windows/sysmon/sysmon_susp_cmd_http_appdata.yml b/rules/windows/sysmon/sysmon_susp_cmd_http_appdata.yml deleted file mode 100644 index f8ef570a7..000000000 --- a/rules/windows/sysmon/sysmon_susp_cmd_http_appdata.yml +++ /dev/null @@ -1,23 +0,0 @@ -title: Command Line Execution with suspicious URL and AppData Strings -status: experimental -description: Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell) -references: - - 'https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100' - - 'https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100' -author: Florian Roth -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - CommandLine: - - 'cmd.exe /c *http://*%AppData%' - - 'cmd.exe /c *https://*%AppData%' - condition: selection -fields: - - CommandLine - - ParentCommandLine -falsepositives: - - High -level: medium diff --git a/rules/windows/sysmon/sysmon_susp_control_dll_load.yml b/rules/windows/sysmon/sysmon_susp_control_dll_load.yml deleted file mode 100644 index f2a069d1a..000000000 --- a/rules/windows/sysmon/sysmon_susp_control_dll_load.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -title: Suspicious Control Panel DLL Load -status: experimental -description: Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits -author: Florian Roth -date: 2017/04/15 -references: - - https://twitter.com/rikvduijn/status/853251879320662017 -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - ParentImage: '*\System32\control.exe' - CommandLine: '*\rundll32.exe *' - filter: - CommandLine: '*Shell32.dll*' - condition: selection and not filter -fields: - - CommandLine - - ParentCommandLine -falsepositives: - - Unknown -level: high diff --git a/rules/windows/sysmon/sysmon_susp_exec_folder.yml b/rules/windows/sysmon/sysmon_susp_exec_folder.yml deleted file mode 100644 index 02a9eb35e..000000000 --- a/rules/windows/sysmon/sysmon_susp_exec_folder.yml +++ /dev/null @@ -1,35 +0,0 @@ -title: Executables Started in Suspicious Folder -status: experimental -description: Detects process starts of binaries from a suspicious folder -author: Florian Roth -date: 2017/10/14 -references: - - https://github.com/mbevilacqua/appcompatprocessor/blob/master/AppCompatSearch.txt - - https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - Image: - - 'C:\PerfLogs\*' - - 'C:\$Recycle.bin\*' - - 'C:\Intel\Logs\*' - - 'C:\Users\Default\*' - - 'C:\Users\Public\*' - - 'C:\Users\NetworkService\*' - - 'C:\Windows\Fonts\*' - - 'C:\Windows\Debug\*' - - 'C:\Windows\Media\*' - - 'C:\Windows\Help\*' - - 'C:\Windows\addins\*' - - 'C:\Windows\repair\*' - - 'C:\Windows\security\*' - - '*\RSA\MachineKeys\*' - - 'C:\Windows\system32\config\systemprofile\*' - condition: selection -falsepositives: - - Unknown -level: high - diff --git a/rules/windows/sysmon/sysmon_susp_execution_path.yml b/rules/windows/sysmon/sysmon_susp_execution_path.yml deleted file mode 100644 index d1f06b220..000000000 
--- a/rules/windows/sysmon/sysmon_susp_execution_path.yml +++ /dev/null @@ -1,27 +0,0 @@ -title: Execution in Non-Executable Folder -status: experimental -description: Detects a suspicious exection from an uncommon folder -author: Florian Roth -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - Image: - - '*\$Recycle.bin' - - '*\Users\All Users\*' - - '*\Users\Default\*' - - '*\Users\Public\*' - - 'C:\Perflogs\*' - - '*\config\systemprofile\*' - - '*\Windows\Fonts\*' - - '*\Windows\IME\*' - - '*\Windows\addins\*' - condition: selection -fields: - - CommandLine - - ParentCommandLine -falsepositives: - - Unknown -level: high diff --git a/rules/windows/sysmon/sysmon_susp_execution_path_webserver.yml b/rules/windows/sysmon/sysmon_susp_execution_path_webserver.yml deleted file mode 100644 index 017d726cf..000000000 --- a/rules/windows/sysmon/sysmon_susp_execution_path_webserver.yml +++ /dev/null @@ -1,29 +0,0 @@ -title: Execution in Webserver Root Folder -status: experimental -description: Detects a suspicious program execution in a web service root folder (filter out false positives) -author: Florian Roth -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - Image: - - '*\wwwroot\*' - - '*\wmpub\*' - - '*\htdocs\*' - filter: - Image: - - '*bin\*' - - '*\Tools\*' - - '*\SMSComponent\*' - ParentImage: - - '*\services.exe' - condition: selection and not filter -fields: - - CommandLine - - ParentCommandLine -falsepositives: - - Various applications - - Tools that include ping or nslookup command invocations -level: medium diff --git a/rules/windows/sysmon/sysmon_susp_mmc_source.yml b/rules/windows/sysmon/sysmon_susp_mmc_source.yml deleted file mode 100644 index 7cbc0c82e..000000000 --- a/rules/windows/sysmon/sysmon_susp_mmc_source.yml +++ /dev/null 
@@ -1,22 +0,0 @@ -title: Processes created by MMC -status: experimental -description: Processes started by MMC could be a sign of lateral movement using MMC application COM object -references: - - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/ -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - ParentImage: '*\mmc.exe' - Image: '*\cmd.exe' - exclusion: - CommandLine: '*\RunCmd.cmd' - condition: selection and not exclusion -fields: - - CommandLine - - ParentCommandLine -falsepositives: - - unknown -level: medium diff --git a/rules/windows/sysmon/sysmon_susp_net_execution.yml b/rules/windows/sysmon/sysmon_susp_net_execution.yml deleted file mode 100644 index c4889af6a..000000000 --- a/rules/windows/sysmon/sysmon_susp_net_execution.yml +++ /dev/null @@ -1,35 +0,0 @@ -title: Net.exe Execution -status: experimental -description: Detects execution of Net.exe, whether suspicious or benign. -references: - - https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/ -author: Michael Haag, Mark Woan (improvements) -tags: - - attack.s0039 - - attack.lateral_movement - - attack.discovery - -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - Image: - - '*\net.exe' - - '*\net1.exe' - CommandLine: - - '* group*' - - '* localgroup*' - - '* user*' - - '* view*' - - '* share' - - '* accounts*' - - '* use*' - condition: selection -fields: - - CommandLine - - ParentCommandLine -falsepositives: - - Will need to be tuned. If using Splunk, I recommend | stats count by Computer,CommandLine following the search for easy hunting by computer/CommandLine. -level: low diff --git a/rules/windows/sysmon/sysmon_susp_ping_hex_ip.yml b/rules/windows/sysmon/sysmon_susp_ping_hex_ip.yml deleted file mode 100644 index 1215805e1..000000000 --- a/rules/windows/sysmon/sysmon_susp_ping_hex_ip.yml +++ /dev/null 
@@ -1,23 +0,0 @@ -title: Ping Hex IP -description: Detects a ping command that uses a hex encoded IP address -references: - - https://github.com/vysec/Aggressor-VYSEC/blob/master/ping.cna - - https://twitter.com/vysecurity/status/977198418354491392 -author: Florian Roth -date: 2018/03/23 -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - CommandLine: - - '*\ping.exe 0x*' - - '*\ping 0x*' - condition: selection -fields: - - ParentCommandLine -falsepositives: - - Unlikely, because no sane admin pings IP addresses in a hexadecimal form -level: high - diff --git a/rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml b/rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml deleted file mode 100644 index 6c6c893d9..000000000 --- a/rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml +++ /dev/null @@ -1,30 +0,0 @@ -title: Suspicious PowerShell Invocation based on Parent Process -status: experimental -description: Detects suspicious powershell invocations from interpreters or unusual programs -author: Florian Roth -references: - - https://www.carbonblack.com/2017/03/15/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/ -tags: - - attack.execution - - attack.t1086 -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - ParentImage: - - '*\wscript.exe' - - '*\cscript.exe' - Image: - - '*\powershell.exe' - falsepositive: - CurrentDirectory: '*\Health Service State\*' - condition: selection and not falsepositive -fields: - - CommandLine - - ParentCommandLine -falsepositives: - - Microsoft Operations Manager (MOM) - - Other scripts -level: medium diff --git a/rules/windows/sysmon/sysmon_susp_recon_activity.yml b/rules/windows/sysmon/sysmon_susp_recon_activity.yml deleted file mode 100644 index 00f385f4e..000000000 --- a/rules/windows/sysmon/sysmon_susp_recon_activity.yml +++ /dev/null 
@@ -1,24 +0,0 @@
-title: Suspicious Reconnaissance Activity
-status: experimental
-description: Detects suspicious command line activity on Windows systems
-author: Florian Roth
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- CommandLine:
- - 'net group "domain admins" /domain'
- - 'net localgroup administrators'
- condition: selection
-fields:
- - CommandLine
- - ParentCommandLine
-falsepositives:
- - Inventory tool runs
- - Penetration tests
- - Administrative activity
-analysis:
- recommendation: Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM)
-level: medium
diff --git a/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml b/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml
deleted file mode 100644
index 2ed6e2de2..000000000
--- a/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml
+++ /dev/null
@@ -1,51 +0,0 @@
-title: Regsvr32 Anomaly
-status: experimental
-description: Detects various anomalies in relation to regsvr32.exe
-author: Florian Roth
-references:
- - https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html
-tags:
- - attack.t1117
- - attack.defense_evasion
- - attack.execution
-logsource:
- product: windows
- service: sysmon
-detection:
- # Loads from Temp folder
- selection1:
- EventID: 1
- Image: '*\regsvr32.exe'
- CommandLine: '*\Temp\*'
- # Loaded by powershell
- selection2:
- EventID: 1
- Image: '*\regsvr32.exe'
- ParentImage: '*\powershell.exe'
- # Regsvr32.exe used with http(s) address
- selection3:
- EventID: 1
- Image: '*\regsvr32.exe'
- CommandLine:
- - '*/i:http* scrobj.dll'
- - '*/i:ftp* scrobj.dll'
- # Regsvr32.exe spawned wscript.exe process - indicator of COM scriptlet
- # https://www.hybrid-analysis.com/sample/f34da6d84a9663928606894fbc494cd9bf2f03c98cf0c775462802558d3a50ef?environmentId=100
- selection4:
- EventID: 1
- Image: '*\wscript.exe'
- ParentImage: '*\regsvr32.exe'
- # https://twitter.com/danielhbohannon/status/974321840385531904
- selection5:
- EventID: 1
- Image: '*\EXCEL.EXE'
- CommandLine: '*..\..\..\Windows\System32\regsvr32.exe *'
- condition: 1 of them
-fields:
- - CommandLine
- - ParentCommandLine
-falsepositives:
- - Unknown
-level: high
-
-
diff --git a/rules/windows/sysmon/sysmon_susp_schtask_creation.yml b/rules/windows/sysmon/sysmon_susp_schtask_creation.yml
deleted file mode 100644
index 0183aeca7..000000000
--- a/rules/windows/sysmon/sysmon_susp_schtask_creation.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-title: Scheduled Task Creation
-status: experimental
-description: Detects the creation of scheduled tasks in user session
-author: Florian Roth
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- Image: '*\schtasks.exe'
- CommandLine: '* /create *'
- filter:
- User: 'NT AUTHORITY\SYSTEM'
- condition: selection and not filter
-fields:
- - CommandLine
- - ParentCommandLine
-tags:
- - attack.execution
- - attack.persistence
- - attack.privelege_escalation
- - attack.t1053
- - attack.s0111
-falsepositives:
- - Administrative activity
- - Software installation
-level: low
diff --git a/rules/windows/sysmon/sysmon_susp_script_execution.yml b/rules/windows/sysmon/sysmon_susp_script_execution.yml
deleted file mode 100644
index 0f76b1360..000000000
--- a/rules/windows/sysmon/sysmon_susp_script_execution.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: WSF/JSE/JS/VBA/VBE File Execution
-status: experimental
-description: Detects suspicious file execution by wscript and cscript
-author: Michael Haag
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- Image:
- - '*\wscript.exe'
- - '*\cscript.exe'
- CommandLine:
- - '*.jse'
- - '*.vbe'
- - '*.js'
- - '*.vba'
- condition: selection
-fields:
- - CommandLine
- - ParentCommandLine
-falsepositives:
- - Will need to be tuned. I recommend adding the user profile path in CommandLine if it is getting too noisy.
-level: medium
diff --git a/rules/windows/sysmon/sysmon_susp_svchost.yml b/rules/windows/sysmon/sysmon_susp_svchost.yml
deleted file mode 100644
index da69e381c..000000000
--- a/rules/windows/sysmon/sysmon_susp_svchost.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: Suspicious Svchost Process
-status: experimental
-description: Detects a suspicious svchost process start
-author: Florian Roth
-date: 2017/08/15
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- Image: '*\svchost.exe'
- filter:
- ParentImage:
- - '*\services.exe'
- - '*\MsMpEng.exe'
- condition: selection and not filter
-fields:
- - CommandLine
- - ParentCommandLine
-tags:
- - attack.defense_evasion
-falsepositives:
- - Unknown
-level: high
diff --git a/rules/windows/sysmon/sysmon_susp_taskmgr_parent.yml b/rules/windows/sysmon/sysmon_susp_taskmgr_parent.yml
deleted file mode 100644
index b01239bbb..000000000
--- a/rules/windows/sysmon/sysmon_susp_taskmgr_parent.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-title: Taskmgr as Parent
-status: experimental
-description: Detects the creation of a process from Windows task manager
-author: Florian Roth
-date: 2018/03/13
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- ParentImage: '*\taskmgr.exe'
- filter:
- Image:
- - 'resmon.exe'
- - 'mmc.exe'
- condition: selection and not filter
-fields:
- - Image
- - CommandLine
- - ParentCommandLine
-falsepositives:
- - Administrative activity
-level: low
diff --git a/rules/windows/sysmon/sysmon_susp_tscon_localsystem.yml b/rules/windows/sysmon/sysmon_susp_tscon_localsystem.yml
deleted file mode 100644
index d700b9324..000000000
--- a/rules/windows/sysmon/sysmon_susp_tscon_localsystem.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-title: Suspicious TSCON Start
-status: experimental
-description: Detects a tscon.exe start as LOCAL SYSTEM
-references:
- - http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
- - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
-author: Florian Roth
-date: 2018/03/17
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- User: 'NT AUTHORITY\SYSTEM'
- Image: '*\tscon.exe'
- condition: selection
-falsepositives:
- - Unknown
-level: high
diff --git a/rules/windows/sysmon/sysmon_susp_tscon_rdp_redirect.yml b/rules/windows/sysmon/sysmon_susp_tscon_rdp_redirect.yml
deleted file mode 100644
index ec7b0788d..000000000
--- a/rules/windows/sysmon/sysmon_susp_tscon_rdp_redirect.yml
+++ /dev/null
@@ -1,33 +0,0 @@
----
-action: global
-title: Suspicious RDP Redirect Using TSCON
-status: experimental
-description: Detects a suspicious RDP session redirect using tscon.exe
-references:
- - http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
- - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
-author: Florian Roth
-date: 2018/03/17
-modified: 2018/12/11
-detection:
- condition: selection
-falsepositives:
- - Unknown
-level: high
----
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- CommandLine: '* /dest:rdp-tcp:*'
----
-logsource:
- product: windows
- service: security
- definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection:
- EventID: 4688
- ProcessCommandLine: '* /dest:rdp-tcp:*'
\ No newline at end of file
diff --git a/rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml b/rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml
deleted file mode 100644
index ad4a0db3c..000000000
--- a/rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: Activity Related to NTDS.dit Domain Hash Retrieval
-status: experimental
-description: Detects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely
-author: Florian Roth, Michael Haag
-references:
- - https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/
- - https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/
- - https://www.trustwave.com/Resources/SpiderLabs-Blog/Tutorial-for-NTDS-goodness-(VSSADMIN,-WMIS,-NTDS-dit,-SYSTEM)/
- - https://securingtomorrow.mcafee.com/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- CommandLine:
- # Ransomware
- - 'vssadmin.exe Delete Shadows'
- # Hacking
- - 'vssadmin create shadow /for=C:'
- - 'copy \\?\GLOBALROOT\Device\*\windows\ntds\ntds.dit'
- - 'copy \\?\GLOBALROOT\Device\*\config\SAM'
- - 'vssadmin delete shadows /for=C:'
- - 'reg SAVE HKLM\SYSTEM '
- condition: selection
-fields:
- - CommandLine
- - ParentCommandLine
-tags:
- - attack.credential_access
- - attack.t1003
-falsepositives:
- - Administrative activity
-level: high
diff --git a/rules/windows/sysmon/sysmon_susp_wmi_execution.yml b/rules/windows/sysmon/sysmon_susp_wmi_execution.yml
deleted file mode 100644
index d0fb1e5c1..000000000
--- a/rules/windows/sysmon/sysmon_susp_wmi_execution.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: Suspicious WMI execution
-status: experimental
-description: Detects WMI executing suspicious commands
-references:
- - https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/
- - https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1
- - https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/
-author: Michael Haag, Florian Roth
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- Image:
- - '*\wmic.exe'
- CommandLine:
- - '*/NODE:*process call create *'
- - '* path AntiVirusProduct get *'
- - '* path FirewallProduct get *'
- - '* shadowcopy delete *'
- condition: selection
-fields:
- - CommandLine
- - ParentCommandLine
-tags:
- - attack.execution
- - attack.t1047
-falsepositives:
- - Will need to be tuned
- - If using Splunk, I recommend | stats count by Computer,CommandLine following for easy hunting by Computer/CommandLine.
-level: medium
diff --git a/rules/windows/sysmon/sysmon_system_exe_anomaly.yml b/rules/windows/sysmon/sysmon_system_exe_anomaly.yml
deleted file mode 100644
index 4a568ec4f..000000000
--- a/rules/windows/sysmon/sysmon_system_exe_anomaly.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-title: System File Execution Location Anomaly
-status: experimental
-description: Detects a Windows program executable started in a suspicious folder
-references:
- - https://twitter.com/GelosSnake/status/934900723426439170
-author: Florian Roth
-date: 2017/11/27
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- Image:
- - '*\svchost.exe'
- - '*\rundll32.exe'
- - '*\services.exe'
- - '*\powershell.exe'
- - '*\regsvr32.exe'
- - '*\spoolsv.exe'
- - '*\lsass.exe'
- - '*\smss.exe'
- - '*\csrss.exe'
- - '*\conhost.exe'
- filter:
- Image:
- - '*\System32\*'
- - '*\SysWow64\*'
- condition: selection and not filter
-tags:
- - attack.defense_evasion
-falsepositives:
- - Exotic software
-level: high
-
diff --git a/rules/windows/sysmon/sysmon_vul_java_remote_debugging.yml b/rules/windows/sysmon/sysmon_vul_java_remote_debugging.yml
deleted file mode 100644
index a3288802b..000000000
--- a/rules/windows/sysmon/sysmon_vul_java_remote_debugging.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-title: Java Running with Remote Debugging
-description: Detects a JAVA process running with remote debugging allowing more than just localhost to connect
-author: Florian Roth
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- CommandLine: '*transport=dt_socket,address=*'
- exclusion:
- - CommandLine: '*address=127.0.0.1*'
- - CommandLine: '*address=localhost*'
- condition: selection and not exclusion
-fields:
- - CommandLine
- - ParentCommandLine
-falsepositives:
- - unknown
-level: medium
diff --git a/rules/windows/sysmon/sysmon_webshell_detection.yml b/rules/windows/sysmon/sysmon_webshell_detection.yml
deleted file mode 100644
index be67266ec..000000000
--- a/rules/windows/sysmon/sysmon_webshell_detection.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: Webshell Detection With Command Line Keywords
-description: Detects certain command line parameters often used during reconnaissance activity via web shells
-author: Florian Roth
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- ParentImage:
- - '*\apache*'
- - '*\tomcat*'
- - '*\w3wp.exe'
- - '*\php-cgi.exe'
- - '*\nginx.exe'
- - '*\httpd.exe'
- CommandLine:
- - 'whoami'
- - 'net user'
- - 'ping -n'
- - 'systeminfo'
- condition: selection
-fields:
- - CommandLine
- - ParentCommandLine
-tags:
- - attack.privilege_escalation
- - attack.persistence
- - attack.t1100
-falsepositives:
- - unknown
-level: high
diff --git a/rules/windows/sysmon/sysmon_webshell_spawn.yml b/rules/windows/sysmon/sysmon_webshell_spawn.yml
deleted file mode 100644
index d9faf6c8a..000000000
--- a/rules/windows/sysmon/sysmon_webshell_spawn.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: Shells Spawned by Web Servers
-status: experimental
-description: Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack
-author: Thomas Patzke
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- ParentImage:
- - '*\w3wp.exe'
- - '*\httpd.exe'
- - '*\nginx.exe'
- - '*\php-cgi.exe'
- Image:
- - '*\cmd.exe'
- - '*\sh.exe'
- - '*\bash.exe'
- - '*\powershell.exe'
- condition: selection
-fields:
- - CommandLine
- - ParentCommandLine
-tags:
- - attack.privilege_escalation
- - attack.persistence
- - attack.t1100
-falsepositives:
- - Particular web applications may spawn a shell process legitimately
-level: high
diff --git a/rules/windows/sysmon/sysmon_workflow_compiler.yml b/rules/windows/sysmon/sysmon_workflow_compiler.yml
deleted file mode 100644
index 433464ec8..000000000
--- a/rules/windows/sysmon/sysmon_workflow_compiler.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-title: Microsoft Workflow Compiler
-status: experimental
-description: Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.
-tags:
- - attack.defense_evasion
- - attack.execution
-author: Nik Seetharaman
-references:
- - https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb
-logsource:
- product: windows
- service: sysmon
-detection:
- # Description contains MWC even if file has been renamed.
- selection:
- EventID: 1
- Image: '*\Microsoft.Workflow.Compiler.exe'
- condition: selection
-fields:
- - CommandLine
- - ParentCommandLine
-falsepositives:
- - Legitimate MWC use (unlikely in modern enterprise environments)
-level: high
From 3eaf83cf5aa7044941fb74f516098fd38ac1863e Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Wed, 16 Jan 2019 23:37:18 +0100
Subject: [PATCH 30/32] Improved configurations
Added Security/4688 field mappings
---
 tools/config/elk-winlogbeat.yml | 2 ++
 tools/config/generic/windows-audit.yml | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/tools/config/elk-winlogbeat.yml b/tools/config/elk-winlogbeat.yml
index 20bf500fc..2b7aba1f2 100644
--- a/tools/config/elk-winlogbeat.yml
+++ b/tools/config/elk-winlogbeat.yml
@@ -71,9 +71,11 @@ fieldmappings:
 ObjectType: event_data.ObjectType
 ObjectValueName: event_data.ObjectValueName
 ParentCommandLine: event_data.ParentCommandLine
+ ParentProcessName: event_data.ParentProcessName
 ParentImage: event_data.ParentImage
 Path: event_data.Path
 PipeName: event_data.PipeName
+ ProcessCommandLine: event_data.ProcessCommandLine
 ProcessName: event_data.ProcessName
 Properties: event_data.Properties
 ServiceFileName: event_data.ServiceFileName
diff --git a/tools/config/generic/windows-audit.yml b/tools/config/generic/windows-audit.yml
index 38f320e7f..45afec694 100644
--- a/tools/config/generic/windows-audit.yml
+++ b/tools/config/generic/windows-audit.yml
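Review bot: The added `ProcessCommandLine: event_data.ProcessCommandLine` mapping points at a field I do not believe winlogbeat ever emits: in the Security 4688 event the command line is carried in the EventData element named `CommandLine` ("Process Command Line" is only the rendered label), so a query built from this mapping would silently match nothing and a 4688-based rule would never fire. The `CommandLine: ProcessCommandLine` line in the windows-audit.yml hunk that follows has the same problem and, chained with this mapping, routes the generic `CommandLine` field to that non-existent name. Please verify against an indexed 4688 document; if the element is indeed `CommandLine`, this line should read `ProcessCommandLine: event_data.CommandLine` and the audit mapping `CommandLine: CommandLine`. The `ParentProcessName` mapping two lines above looks right, since 4688 does carry an element of that name.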
@@ -9,3 +9,5 @@ logsources:
 service: security
 fieldmappings:
 Image: NewProcessName
+ ParentImage: ParentProcessName
+ CommandLine: ProcessCommandLine
From 6bdb4ab78a4b26de8cc475a89906a4d50b1e246c Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Wed, 27 Feb 2019 22:05:27 +0100
Subject: [PATCH 31/32] Merge cleanup
---
 rules/apt/apt_babyshark.yml | 45 +++-------
 rules/apt/apt_bear_activity_gtr19.yml | 57 ++++--------
 rules/apt/apt_judgement_panda_gtr19.yml | 84 +++++++------
 rules/windows/builtin/win_netsh_port_fwd.yml | 35 --------
 .../builtin/win_netsh_port_fwd_3389.yml | 35 --------
 rules/windows/builtin/win_spn_enum.yml | 39 ---------
 rules/windows/builtin/win_susp_bcdedit.yml | 39 ---------
 .../builtin/win_susp_certutil_encode.yml | 43 ----------
 rules/windows/builtin/win_susp_gup.yml | 35 --------
 .../process_creation/apt_babyshark.yml | 20 -----
 .../apt_bear_activity_gtr19.yml | 23 -----
 .../apt_judgement_panda_gtr19.yml | 33 --------
 rules/windows/sysmon/sysmon_susp_csc.yml | 25 ------
 rules/windows/sysmon/sysmon_susp_outlook.yml | 28 -------
 ...smon_susp_prog_location_process_starts.yml | 26 ------
 15 files changed, 59 insertions(+), 508 deletions(-)
 delete mode 100644 rules/windows/builtin/win_netsh_port_fwd.yml
 delete mode 100644 rules/windows/builtin/win_netsh_port_fwd_3389.yml
 delete mode 100644 rules/windows/builtin/win_spn_enum.yml
 delete mode 100644 rules/windows/builtin/win_susp_bcdedit.yml
 delete mode 100644 rules/windows/builtin/win_susp_certutil_encode.yml
 delete mode 100644 rules/windows/builtin/win_susp_gup.yml
 delete mode 100644 rules/windows/process_creation/apt_babyshark.yml
 delete mode 100644 rules/windows/process_creation/apt_bear_activity_gtr19.yml
 delete mode 100644 rules/windows/process_creation/apt_judgement_panda_gtr19.yml
 delete mode 100644 rules/windows/sysmon/sysmon_susp_csc.yml
 delete mode 100644 rules/windows/sysmon/sysmon_susp_outlook.yml
 delete mode 100644 rules/windows/sysmon/sysmon_susp_prog_location_process_starts.yml
diff --git a/rules/apt/apt_babyshark.yml b/rules/apt/apt_babyshark.yml
index e5d8e3303..fe01a503e 100644
--- a/rules/apt/apt_babyshark.yml
+++ b/rules/apt/apt_babyshark.yml
@@ -1,39 +1,20 @@
----
-action: global
-title: Baby Shark Activity
+title: Baby Shark Activity
 status: experimental
-description: 'Detects activity that could be related to Baby Shark malware'
+description: Detects activity that could be related to Baby Shark malware
 references:
- - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
+ - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
 logsource:
- product: windows
+ category: process_creation
+ product: windows
 author: Florian Roth
-date: 2019/02/24
+date: 2019/02/24
 detection:
- condition: selection
+ selection:
+ CommandLine:
+ - reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"
+ - powershell.exe mshta.exe http*
+ - cmd.exe /c taskkill /im cmd.exe
+ condition: selection
 falsepositives:
- - unknown
+ - unknown
 level: high
----
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- CommandLine:
- - 'reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"'
- - 'powershell.exe mshta.exe http*'
- - 'cmd.exe /c taskkill /im cmd.exe'
----
-logsource:
- product: windows
- service: security
- description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection:
- EventID: 4688
- ProcessCommandLine:
- - 'reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"'
- - 'powershell.exe mshta.exe http*'
- - 'cmd.exe /c taskkill /im cmd.exe'
diff --git a/rules/apt/apt_bear_activity_gtr19.yml b/rules/apt/apt_bear_activity_gtr19.yml
index 09d759e9a..3b8234102 100644
--- a/rules/apt/apt_bear_activity_gtr19.yml
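Review bot: The three merged `CommandLine` values carry no `*` wildcard, and as far as I recall Sigma treats a wildcard-free string as a full-value match, so `+ - cmd.exe /c taskkill /im cmd.exe` only fires when the recorded command line is exactly that text and not, for example, when the binary is logged with its full path. This is inherited from the old side rather than introduced here, but the rewrite is the natural place to decide whether the intent is exact match or substring; if the latter, wrapping each value as `'*cmd.exe /c taskkill /im cmd.exe*'` (and likewise for the two lines above it) would make it explicit.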
+++ b/rules/apt/apt_bear_activity_gtr19.yml
@@ -1,44 +1,23 @@
----
-action: global
-title: Judgement Panda Exfil Activity
-description: 'Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike'
+title: Judgement Panda Exfil Activity
+description: Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike
 references:
- - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
-logsource:
- product: windows
+ - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
 author: Florian Roth
-date: 2019/02/21
-tags:
- - attack.credential_access
- - attack.t1098
+date: 2019/02/21
+tags:
+ - attack.credential_access
+ - attack.t1098
+logsource:
+ category: process_creation
+ product: windows
 detection:
- condition: selection1 or selection2
+ selection1:
+ Image: '*\xcopy.exe'
+ CommandLine: '* /S /E /C /Q /H \\*'
+ selection2:
+ Image: '*\adexplorer.exe'
+ CommandLine: '* -snapshot "" c:\users\\*'
+ condition: selection1 or selection2
 falsepositives:
- - unknown
+ - unknown
 level: critical
----
-logsource:
- product: windows
- service: sysmon
-detection:
- selection1:
- EventID: 1
- Image: '*\xcopy.exe'
- CommandLine: '* /S /E /C /Q /H \\*'
- selection2:
- EventID: 1
- Image: '*\adexplorer.exe'
- CommandLine: '* -snapshot "" c:\users\\*'
----
-logsource:
- product: windows
- service: security
- description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection1:
- EventID: 4688
- ProcessCommandLine: '*\xcopy.exe /S /E /C /Q /H \\*'
- selection2:
- EventID: 4688
- NewProcessName: '*\adexplorer.exe'
- ProcessCommandLine: '* -snapshot "" c:\users\\*'
\ No newline at end of file
diff --git a/rules/apt/apt_judgement_panda_gtr19.yml b/rules/apt/apt_judgement_panda_gtr19.yml
index dcf80f8d5..01444bf79 100644
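Review bot: `+title: Judgement Panda Exfil Activity` is kept in apt_bear_activity_gtr19.yml although the description on the next line says the rule covers Russian ("Bear") group activity, and the apt_judgement_panda_gtr19.yml hunk in this same commit carries the identical title; this looks like a copy-paste leftover, and two rules with the same title are hard to tell apart in alert output. Something like `title: Bear Activity GTR19` (constructed wording; pick the name the report uses) would keep the two rules distinguishable. The `attack.t1098` tag (Account Manipulation) also seems a loose fit for xcopy staging and an AD Explorer snapshot, though that is carried over from the old side rather than introduced here.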
--- a/rules/apt/apt_judgement_panda_gtr19.yml
+++ b/rules/apt/apt_judgement_panda_gtr19.yml
@@ -1,61 +1,33 @@
----
-action: global
-title: Judgement Panda Exfil Activity
-description: 'Detects Judgement Panda activity as described in Global Threat Report 2019 by Crowdstrike'
+title: Judgement Panda Exfil Activity
+description: Detects Judgement Panda activity as described in Global Threat Report 2019 by Crowdstrike
 references:
- - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
-logsource:
- product: windows
+ - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
 author: Florian Roth
-date: 2019/02/21
-tags:
- - attack.lateral_movement
- - attack.g0010
- - attack.credential_access
- - attack.t1098
- - attack.exfiltration
- - attack.t1002
+date: 2019/02/21
+tags:
+ - attack.lateral_movement
+ - attack.g0010
+ - attack.credential_access
+ - attack.t1098
+ - attack.exfiltration
+ - attack.t1002
+logsource:
+ category: process_creation
+ product: windows
 detection:
- condition: selection1 or selection2
+ selection1:
+ CommandLine:
+ - '*\ldifde.exe -f -n *'
+ - '*\7za.exe a 1.7z *'
+ - '* eprod.ldf'
+ - '*\aaaa\procdump64.exe*'
+ - '*\aaaa\netsess.exe*'
+ - '*\aaaa\7za.exe*'
+ - '*copy .\1.7z \\*'
+ - '*copy \\client\c$\aaaa\*'
+ selection2:
+ Image: C:\Users\Public\7za.exe
+ condition: selection1 or selection2
 falsepositives:
- - unknown
+ - unknown
 level: critical
----
-logsource:
- product: windows
- service: sysmon
-detection:
- selection1:
- EventID: 1
- CommandLine:
- - '*\ldifde.exe -f -n *'
- - '*\7za.exe a 1.7z *'
- - '* eprod.ldf'
- - '*\aaaa\procdump64.exe*'
- - '*\aaaa\netsess.exe*'
- - '*\aaaa\7za.exe*'
- - '*copy .\1.7z \\*'
- - '*copy \\client\c$\aaaa\*'
- selection2:
- EventID: 1
- Image: 'C:\Users\Public\7za.exe'
----
-logsource:
- product: windows
- service: security
- description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection1:
- EventID: 4688
- ProcessCommandLine:
- - '*\ldifde.exe -f -n *'
- - '*\7za.exe a 1.7z *'
- - '* eprod.ldf'
- - '*\aaaa\procdump64.exe*'
- - '*\aaaa\netsess.exe*'
- - '*\aaaa\7za.exe*'
- - '*copy .\1.7z \\*'
- - '*copy \\client\c$\aaaa\*'
- selection2:
- EventID: 4688
- NewProcessName: 'C:\Users\Public\7za.exe'
\ No newline at end of file
diff --git a/rules/windows/builtin/win_netsh_port_fwd.yml b/rules/windows/builtin/win_netsh_port_fwd.yml
deleted file mode 100644
index ac05d5dec..000000000
--- a/rules/windows/builtin/win_netsh_port_fwd.yml
+++ /dev/null
@@ -1,35 +0,0 @@
----
-action: global
-title: Netsh Port Forwarding
-description: Detects netsh commands that configure a port forwarding
-references:
- - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
-date: 2019/01/29
-tags:
- - attack.lateral_movement
-status: experimental
-author: Florian Roth
-detection:
- condition: selection
-falsepositives:
- - Legitimate administration
-level: medium
----
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- CommandLine:
- - 'netsh interface portproxy add v4tov4 *'
----
-logsource:
- product: windows
- service: security
- definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection:
- EventID: 4688
- ProcessCommandLine:
- - 'netsh interface portproxy add v4tov4 *'
diff --git a/rules/windows/builtin/win_netsh_port_fwd_3389.yml b/rules/windows/builtin/win_netsh_port_fwd_3389.yml
deleted file mode 100644
index 67aff58f6..000000000
--- a/rules/windows/builtin/win_netsh_port_fwd_3389.yml
+++ /dev/null
@@ -1,35 +0,0 @@
----
-action: global
-title: Netsh RDP Port Forwarding
-description: Detects netsh commands that configure a port forwarding of port 3389 used for RDP
-references:
- - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
-date: 2019/01/29
-tags:
- - attack.lateral_movement
-status: experimental
-author: Florian Roth
-detection:
- condition: selection
-falsepositives:
- - Legitimate administration
-level: high
----
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- CommandLine:
- - 'netsh i* p*=3389 c*'
----
-logsource:
- product: windows
- service: security
- definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection:
- EventID: 4688
- ProcessCommandLine:
- - 'netsh i* p*=3389 c*'
diff --git a/rules/windows/builtin/win_spn_enum.yml b/rules/windows/builtin/win_spn_enum.yml
deleted file mode 100644
index e6397c7ca..000000000
--- a/rules/windows/builtin/win_spn_enum.yml
+++ /dev/null
@@ -1,39 +0,0 @@
----
-action: global
-title: Possible SPN Enumeration
-description: Detects Service Principal Name Enumeration used for Kerberoasting
-status: experimental
-references:
- - https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation
-author: Markus Neis, keepwatch
-date: 2018/11/14
-tags:
- - attack.credential_access
- - attack.t1208
-detection:
- selection_image:
- Image: '*\setspn.exe'
- selection_desc:
- Description: '*Query or reset the computer* SPN attribute*'
- cmd:
- CommandLine: '*-q*'
- condition: selection and (selection_image or selection_desc) and cmd
-falsepositives:
- - Administrator Activity
-level: medium
----
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
----
-logsource:
- product: windows
- service: security
- description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection:
- EventID: 4688
-
diff --git a/rules/windows/builtin/win_susp_bcdedit.yml b/rules/windows/builtin/win_susp_bcdedit.yml
deleted file mode 100644
index fd2702bb4..000000000
--- a/rules/windows/builtin/win_susp_bcdedit.yml
+++ /dev/null
@@ -1,39 +0,0 @@
----
-action: global
-title: Possible Ransomware or unauthorized MBR modifications
-status: experimental
-description: Detects, possibly, malicious unauthorized usage of bcdedit.exe
-references:
- - https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set
-author: "@neu5ron"
-date: 2019/02/07
-detection:
- condition: selection
-level: medium
----
-# Windows Security Eventlog: Process Creation with Full Command Line
-logsource:
- product: windows
- service: security
- definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection:
- EventID: 4688
- NewProcessName: '*\fsutil.exe'
- ProcessCommandLine:
- - '*delete*'
- - '*deletevalue*'
- - '*import*'
----
-# Sysmon: Process Creation (ID 1)
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- Image: '*\fsutil.exe'
- ProcessCommandLine:
- - '*delete*'
- - '*deletevalue*'
- - '*import*'
diff --git a/rules/windows/builtin/win_susp_certutil_encode.yml b/rules/windows/builtin/win_susp_certutil_encode.yml
deleted file mode 100644
index f0cac5a43..000000000
--- a/rules/windows/builtin/win_susp_certutil_encode.yml
+++ /dev/null
@@ -1,43 +0,0 @@
----
-action: global
-title: Certutil Encode
-status: experimental
-description: 'Detects suspicious a certutil command that used to encode files, which is sometimes used for data exfiltration'
-references:
- - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
- - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
-logsource:
- product: windows
-author: Florian Roth
-date: 2019/02/24
-detection:
- condition: selection
-falsepositives:
- - unknown
-level: medium
----
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- CommandLine:
- - 'certutil -f -encode *'
- - 'certutil.exe -f -encode *'
- - 'certutil -encode -f *'
- - 'certutil.exe -encode -f *'
----
-logsource:
- product: windows
- service: security
- description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection:
- EventID: 4688
- ProcessCommandLine:
- - 'certutil -f -encode *'
- - 'certutil.exe -f -encode *'
- - 'certutil -encode -f *'
- - 'certutil.exe -encode -f *'
-
diff --git a/rules/windows/builtin/win_susp_gup.yml b/rules/windows/builtin/win_susp_gup.yml
deleted file mode 100644
index e934b3711..000000000
--- a/rules/windows/builtin/win_susp_gup.yml
+++ /dev/null
@@ -1,35 +0,0 @@ ---- -action: global -title: Suspicious GUP Usage -description: Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks -status: experimental -references: - - https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html -author: Florian Roth -date: 2019/02/06 -detection: - condition: selection and not filter -falsepositives: - - 'Execution of tools named GUP.exe and located in folders different than Notepad++\updater' -level: high ---- -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - Image: '*\GUP.exe' - filter: - Image: '*\updater\*' ---- -logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' -detection: - selection: - EventID: 4688 - NewProcessName: '*\GUP.exe' - filter: - NewProcessName: '*\updater\*' diff --git a/rules/windows/process_creation/apt_babyshark.yml b/rules/windows/process_creation/apt_babyshark.yml deleted file mode 100644 index fe01a503e..000000000 --- a/rules/windows/process_creation/apt_babyshark.yml +++ /dev/null @@ -1,20 +0,0 @@ -title: Baby Shark Activity -status: experimental -description: Detects activity that could be related to Baby Shark malware -references: - - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/ -logsource: - category: process_creation - product: windows -author: Florian Roth -date: 2019/02/24 -detection: - selection: - CommandLine: - - reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" - - powershell.exe mshta.exe http* - - cmd.exe /c taskkill /im cmd.exe - condition: selection -falsepositives: - - unknown -level: high 
diff --git a/rules/windows/process_creation/apt_bear_activity_gtr19.yml b/rules/windows/process_creation/apt_bear_activity_gtr19.yml
deleted file mode 100644
index 3b8234102..000000000
--- a/rules/windows/process_creation/apt_bear_activity_gtr19.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-title: Judgement Panda Exfil Activity
-description: Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike
-references:
- - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/
-author: Florian Roth
-date: 2019/02/21
-tags:
- - attack.credential_access
- - attack.t1098
-logsource:
- category: process_creation
- product: windows
-detection:
- selection1:
- Image: '*\xcopy.exe'
- CommandLine: '* /S /E /C /Q /H \\*'
- selection2:
- Image: '*\adexplorer.exe'
- CommandLine: '* -snapshot "" c:\users\\*'
- condition: selection1 or selection2
-falsepositives:
- - unknown
-level: critical
diff --git a/rules/windows/process_creation/apt_judgement_panda_gtr19.yml b/rules/windows/process_creation/apt_judgement_panda_gtr19.yml
deleted file mode 100644
index 01444bf79..000000000
--- a/rules/windows/process_creation/apt_judgement_panda_gtr19.yml
+++ /dev/null
@@ -1,33 +0,0 @@ -title: Judgement Panda Exfil Activity -description: Detects Judgement Panda activity as described in Global Threat Report 2019 by Crowdstrike -references: - - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/ -author: Florian Roth -date: 2019/02/21 -tags: - - attack.lateral_movement - - attack.g0010 - - attack.credential_access - - attack.t1098 - - attack.exfiltration - - attack.t1002 -logsource: - category: process_creation - product: windows -detection: - selection1: - CommandLine: - - '*\ldifde.exe -f -n *' - - '*\7za.exe a 1.7z *' - - '* eprod.ldf' - - '*\aaaa\procdump64.exe*' - - '*\aaaa\netsess.exe*' - - '*\aaaa\7za.exe*' - - '*copy .\1.7z \\*' - - '*copy \\client\c$\aaaa\*' - selection2: - Image: C:\Users\Public\7za.exe - condition: selection1 or selection2 -falsepositives: - - unknown -level: critical diff --git a/rules/windows/sysmon/sysmon_susp_csc.yml b/rules/windows/sysmon/sysmon_susp_csc.yml deleted file mode 100644 index 8f8105319..000000000 --- a/rules/windows/sysmon/sysmon_susp_csc.yml +++ /dev/null @@ -1,25 +0,0 @@ -title: Suspicious Parent of Csc.exe -description: Detects a suspicious parent of csc.exe, which could by a sign of payload delivery -status: experimental -references: - - https://twitter.com/SBousseaden/status/1094924091256176641 -author: Florian Roth -date: 2019/02/11 -tags: - - attack.defense_evasion - - attack.t1036 -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - Image: '*\csc.exe*' - ParentImage: - - '*\wscript.exe' - - '*\cscript.exe' - - '*\mshta.exe' - condition: selection -falsepositives: - - Unkown -level: high diff --git a/rules/windows/sysmon/sysmon_susp_outlook.yml b/rules/windows/sysmon/sysmon_susp_outlook.yml deleted file mode 100644 index 224231b7f..000000000 --- a/rules/windows/sysmon/sysmon_susp_outlook.yml +++ /dev/null 
@@ -1,28 +0,0 @@ -title: Suspicious Execution from Outlook -status: experimental -description: Detects EnableUnsafeClientMailRules used for Script Execution from Outlook -references: - - https://github.com/sensepost/ruler - - https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html -tags: - - attack.execution - - attack.t1059 - - attack.t1202 -author: Markus Neis -date: 2018/12/27 -logsource: - product: windows - service: sysmon -detection: - clientMailRules: - EventID: 1 - CommandLine: '*EnableUnsafeClientMailRules*' # EnableUnsafeClientMailRules used for Script Execution from Outlook - outlookExec: - EventID: 1 - ParentImage: '*\outlook.exe' - CommandLine: '\\\\*\\*.exe' # UNC Path required for Execution - - condition: clientMailRules OR outlookExec -falsepositives: - - unknown -level: high diff --git a/rules/windows/sysmon/sysmon_susp_prog_location_process_starts.yml b/rules/windows/sysmon/sysmon_susp_prog_location_process_starts.yml deleted file mode 100644 index b8d3f7ad7..000000000 --- a/rules/windows/sysmon/sysmon_susp_prog_location_process_starts.yml +++ /dev/null @@ -1,26 +0,0 @@ -title: Suspicious Program Location Process Starts -status: experimental -description: Detects programs running in suspicious files system locations -references: - - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo -author: Florian Roth -date: 2019/01/15 -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - Image: - # - '*\ProgramData\\*' # too many false positives, e.g. with Webex for Windows - - '*\$Recycle.bin' - - '*\Users\Public\\*' - - 'C:\Perflogs\\*' - - '*\Windows\Fonts\\*' - - '*\Windows\IME\\*' - - '*\Windows\addins\\*' - - '*\Windows\debug\\*' - condition: selection -falsepositives: - - unknown -level: high From 760230913863462d35a2dfcc3283625e7936cd2c Mon Sep 17 00:00:00 2001 
From: Thomas Patzke Date: Sat, 2 Mar 2019 00:14:20 +0100 Subject: [PATCH 32/32] Increased indentation to 4 * Converted (to generic sigma) rules * Converter outputs by default with indentation 4 --- rules/apt/apt_babyshark.yml | 20 +-- rules/apt/apt_bear_activity_gtr19.yml | 26 +-- rules/apt/apt_judgement_panda_gtr19.yml | 46 +++--- .../powershell_xor_commandline.yml | 14 +- .../win_attrib_hiding_files.yml | 40 ++--- .../win_bypass_squiblytwo.yml | 48 +++--- .../process_creation/win_cmdkey_recon.yml | 24 +-- .../win_cmstp_com_object_access.yml | 42 ++--- .../win_exploit_cve_2015_1641.yml | 18 +- .../win_exploit_cve_2017_0261.yml | 16 +- .../win_exploit_cve_2017_11882.yml | 18 +- .../win_exploit_cve_2017_8759.yml | 18 +- .../process_creation/win_hack_rubeus.yml | 38 ++--- .../process_creation/win_lethalhta.yml | 16 +- .../process_creation/win_mal_adwind.yml | 44 ++--- .../process_creation/win_mal_wannacry.yml | 48 +++--- .../process_creation/win_malware_dridex.yml | 24 +-- .../process_creation/win_malware_notpetya.yml | 56 +++---- .../win_malware_script_dropper.yml | 48 +++--- .../process_creation/win_malware_wannacry.yml | 54 +++--- .../win_mavinject_proc_inj.yml | 26 +-- .../win_mshta_spawn_shell.yml | 52 +++--- .../win_multiple_suspicious_cli.yml | 92 +++++------ .../process_creation/win_netsh_port_fwd.yml | 18 +- .../win_netsh_port_fwd_3389.yml | 18 +- .../process_creation/win_office_shell.yml | 80 ++++----- .../win_plugx_susp_exe_locations.yml | 154 +++++++++--------- .../win_possible_applocker_bypass.yml | 36 ++-- .../win_powershell_amsi_bypass.yml | 30 ++-- .../win_powershell_b64_shellcode.yml | 26 +-- .../win_powershell_dll_execution.yml | 34 ++-- .../win_powershell_download.yml | 30 ++-- .../win_powershell_renamed_ps.yml | 32 ++-- ...ershell_suspicious_parameter_variation.yml | 102 ++++++------ ...in_process_creation_bitsadmin_download.yml | 34 ++-- .../process_creation/win_psexesvc_start.yml | 18 +- .../win_sdbinst_shim_persistence.yml | 24 +-- 
.../win_shell_spawn_susp_program.yml | 50 +++--- .../windows/process_creation/win_spn_enum.yml | 26 +-- .../process_creation/win_susp_bcdedit.yml | 20 +-- .../process_creation/win_susp_calc.yml | 26 +-- .../win_susp_certutil_command.yml | 70 ++++---- .../win_susp_certutil_encode.yml | 24 +-- .../process_creation/win_susp_cli_escape.yml | 32 ++-- .../win_susp_cmd_http_appdata.yml | 26 +-- .../win_susp_commands_recon_activity.yml | 60 +++---- .../win_susp_control_dll_load.yml | 24 +-- .../windows/process_creation/win_susp_csc.yml | 26 +-- .../process_creation/win_susp_exec_folder.yml | 48 +++--- .../win_susp_execution_path.yml | 34 ++-- .../win_susp_execution_path_webserver.yml | 38 ++--- .../windows/process_creation/win_susp_gup.yml | 18 +- .../win_susp_iss_module_install.yml | 20 +-- .../process_creation/win_susp_mmc_source.yml | 24 +-- .../win_susp_msiexec_web_install.yml | 16 +- .../win_susp_net_execution.yml | 44 ++--- .../process_creation/win_susp_ntdsutil.yml | 18 +- .../process_creation/win_susp_outlook.yml | 28 ++-- .../process_creation/win_susp_ping_hex_ip.yml | 22 +-- .../win_susp_powershell_enc_cmd.yml | 32 ++-- .../win_susp_powershell_hidden_b64_cmd.yml | 120 +++++++------- .../win_susp_powershell_parent_combo.yml | 36 ++-- .../process_creation/win_susp_procdump.yml | 34 ++-- .../win_susp_process_creations.yml | 126 +++++++------- .../win_susp_prog_location_process_starts.yml | 28 ++-- .../process_creation/win_susp_ps_appdata.yml | 20 +-- .../win_susp_rasdial_activity.yml | 16 +- .../win_susp_recon_activity.yml | 26 +-- .../win_susp_regsvr32_anomalies.yml | 54 +++--- .../win_susp_run_locations.yml | 26 +-- .../win_susp_rundll32_activity.yml | 50 +++--- .../win_susp_schtask_creation.yml | 34 ++-- .../win_susp_script_execution.yml | 30 ++-- .../process_creation/win_susp_svchost.yml | 26 +-- .../win_susp_sysprep_appdata.yml | 20 +-- .../win_susp_sysvol_access.yml | 20 +-- .../win_susp_taskmgr_localsystem.yml | 14 +- .../win_susp_taskmgr_parent.yml | 26 +-- 
.../win_susp_tscon_localsystem.yml | 18 +- .../win_susp_tscon_rdp_redirect.yml | 16 +- .../win_susp_vssadmin_ntds_activity.yml | 44 ++--- .../process_creation/win_susp_whoami.yml | 22 +-- .../win_susp_wmi_execution.yml | 40 ++--- .../win_system_exe_anomaly.yml | 44 ++--- .../win_vul_java_remote_debugging.yml | 22 +-- .../win_webshell_detection.yml | 44 ++--- .../process_creation/win_webshell_spawn.yml | 40 ++--- ..._wmi_persistence_script_event_consumer.yml | 22 +-- .../win_workflow_compiler.yml | 22 +-- tools/sigma2genericsigma | 2 +- 90 files changed, 1616 insertions(+), 1616 deletions(-) diff --git a/rules/apt/apt_babyshark.yml b/rules/apt/apt_babyshark.yml index fe01a503e..063ecadc0 100644 --- a/rules/apt/apt_babyshark.yml +++ b/rules/apt/apt_babyshark.yml @@ -2,19 +2,19 @@ title: Baby Shark Activity status: experimental description: Detects activity that could be related to Baby Shark malware references: - - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/ + - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/ logsource: - category: process_creation - product: windows + category: process_creation + product: windows author: Florian Roth date: 2019/02/24 detection: - selection: - CommandLine: - - reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" - - powershell.exe mshta.exe http* - - cmd.exe /c taskkill /im cmd.exe - condition: selection + selection: + CommandLine: + - reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" + - powershell.exe mshta.exe http* + - cmd.exe /c taskkill /im cmd.exe + condition: selection falsepositives: - - unknown + - unknown level: high diff --git a/rules/apt/apt_bear_activity_gtr19.yml b/rules/apt/apt_bear_activity_gtr19.yml index 3b8234102..60567ff18 100644 --- a/rules/apt/apt_bear_activity_gtr19.yml +++ b/rules/apt/apt_bear_activity_gtr19.yml 
@@ -1,23 +1,23 @@ title: Judgement Panda Exfil Activity description: Detects Russian group activity as described in Global Threat Report 2019 by Crowdstrike references: - - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/ + - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/ author: Florian Roth date: 2019/02/21 tags: - - attack.credential_access - - attack.t1098 + - attack.credential_access + - attack.t1098 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection1: - Image: '*\xcopy.exe' - CommandLine: '* /S /E /C /Q /H \\*' - selection2: - Image: '*\adexplorer.exe' - CommandLine: '* -snapshot "" c:\users\\*' - condition: selection1 or selection2 + selection1: + Image: '*\xcopy.exe' + CommandLine: '* /S /E /C /Q /H \\*' + selection2: + Image: '*\adexplorer.exe' + CommandLine: '* -snapshot "" c:\users\\*' + condition: selection1 or selection2 falsepositives: - - unknown + - unknown level: critical diff --git a/rules/apt/apt_judgement_panda_gtr19.yml b/rules/apt/apt_judgement_panda_gtr19.yml index 01444bf79..37aa0fd0c 100644 --- a/rules/apt/apt_judgement_panda_gtr19.yml +++ b/rules/apt/apt_judgement_panda_gtr19.yml 
@@ -1,33 +1,33 @@ title: Judgement Panda Exfil Activity description: Detects Judgement Panda activity as described in Global Threat Report 2019 by Crowdstrike references: - - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/ + - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/ author: Florian Roth date: 2019/02/21 tags: - - attack.lateral_movement - - attack.g0010 - - attack.credential_access - - attack.t1098 - - attack.exfiltration - - attack.t1002 + - attack.lateral_movement + - attack.g0010 + - attack.credential_access + - attack.t1098 + - attack.exfiltration + - attack.t1002 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection1: - CommandLine: - - '*\ldifde.exe -f -n *' - - '*\7za.exe a 1.7z *' - - '* eprod.ldf' - - '*\aaaa\procdump64.exe*' - - '*\aaaa\netsess.exe*' - - '*\aaaa\7za.exe*' - - '*copy .\1.7z \\*' - - '*copy \\client\c$\aaaa\*' - selection2: - Image: C:\Users\Public\7za.exe - condition: selection1 or selection2 + selection1: + CommandLine: + - '*\ldifde.exe -f -n *' + - '*\7za.exe a 1.7z *' + - '* eprod.ldf' + - '*\aaaa\procdump64.exe*' + - '*\aaaa\netsess.exe*' + - '*\aaaa\7za.exe*' + - '*copy .\1.7z \\*' + - '*copy \\client\c$\aaaa\*' + selection2: + Image: C:\Users\Public\7za.exe + condition: selection1 or selection2 falsepositives: - - unknown + - unknown level: critical diff --git a/rules/windows/process_creation/powershell_xor_commandline.yml b/rules/windows/process_creation/powershell_xor_commandline.yml index b6274ff57..9939121d6 100644 --- a/rules/windows/process_creation/powershell_xor_commandline.yml +++ b/rules/windows/process_creation/powershell_xor_commandline.yml 
@@ -4,13 +4,13 @@ status: experimental
 author: Sami Ruohonen
 date: 2018/09/05
 detection:
- selection:
- CommandLine:
- - '* -bxor*'
- condition: selection
+ selection:
+ CommandLine:
+ - '* -bxor*'
+ condition: selection
 falsepositives:
- - unknown
+ - unknown
 level: medium
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
diff --git a/rules/windows/process_creation/win_attrib_hiding_files.yml b/rules/windows/process_creation/win_attrib_hiding_files.yml
index e1b9a1242..edd45bf99 100644
--- a/rules/windows/process_creation/win_attrib_hiding_files.yml
+++ b/rules/windows/process_creation/win_attrib_hiding_files.yml
@@ -3,28 +3,28 @@ status: experimental description: Detects usage of attrib.exe to hide files from users. author: Sami Ruohonen logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image: '*\attrib.exe' - CommandLine: '* +h *' - ini: - CommandLine: '*\desktop.ini *' - intel: - ParentImage: '*\cmd.exe' - CommandLine: +R +H +S +A \\*.cui - ParentCommandLine: C:\WINDOWS\system32\\*.bat - condition: selection and not (ini or intel) + selection: + Image: '*\attrib.exe' + CommandLine: '* +h *' + ini: + CommandLine: '*\desktop.ini *' + intel: + ParentImage: '*\cmd.exe' + CommandLine: +R +H +S +A \\*.cui + ParentCommandLine: C:\WINDOWS\system32\\*.bat + condition: selection and not (ini or intel) fields: - - CommandLine - - ParentCommandLine - - User + - CommandLine + - ParentCommandLine + - User tags: - - attack.defense_evasion - - attack.persistence - - attack.t1158 + - attack.defense_evasion + - attack.persistence + - attack.t1158 falsepositives: - - igfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe) - - msiexec.exe hiding desktop.ini + - igfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe) + - msiexec.exe hiding desktop.ini level: low diff --git a/rules/windows/process_creation/win_bypass_squiblytwo.yml b/rules/windows/process_creation/win_bypass_squiblytwo.yml index 94e8515b2..9b47e50b0 100644 --- a/rules/windows/process_creation/win_bypass_squiblytwo.yml +++ b/rules/windows/process_creation/win_bypass_squiblytwo.yml 
@@ -2,33 +2,33 @@ title: SquiblyTwo status: experimental description: Detects WMI SquiblyTwo Attack with possible renamed WMI by looking for imphash references: - - https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html - - https://twitter.com/mattifestation/status/986280382042595328 + - https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html + - https://twitter.com/mattifestation/status/986280382042595328 tags: - - attack.defense_evasion - - attack.t1047 + - attack.defense_evasion + - attack.t1047 author: Markus Neis / Florian Roth falsepositives: - - Unknown + - Unknown level: medium logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection1: - Image: - - '*\wmic.exe' - CommandLine: - - wmic * *format:\"http* - - wmic * /format:'http - - wmic * /format:http* - selection2: - Imphash: - - 1B1A3F43BF37B5BFE60751F2EE2F326E - - 37777A96245A3C74EB217308F3546F4C - - 9D87C9D67CE724033C0B40CC4CA1B206 - CommandLine: - - '* *format:\"http*' - - '* /format:''http' - - '* /format:http*' - condition: 1 of them + selection1: + Image: + - '*\wmic.exe' + CommandLine: + - wmic * *format:\"http* + - wmic * /format:'http + - wmic * /format:http* + selection2: + Imphash: + - 1B1A3F43BF37B5BFE60751F2EE2F326E + - 37777A96245A3C74EB217308F3546F4C + - 9D87C9D67CE724033C0B40CC4CA1B206 + CommandLine: + - '* *format:\"http*' + - '* /format:''http' + - '* /format:http*' + condition: 1 of them diff --git a/rules/windows/process_creation/win_cmdkey_recon.yml b/rules/windows/process_creation/win_cmdkey_recon.yml index 8ec873a87..3717c6c32 100644 --- a/rules/windows/process_creation/win_cmdkey_recon.yml +++ b/rules/windows/process_creation/win_cmdkey_recon.yml 
@@ -2,21 +2,21 @@ title: Cmdkey Cached Credentials Recon
 status: experimental
 description: Detects usage of cmdkey to look for cached credentials
 references:
- - https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
- - https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx
+ - https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation
+ - https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx
 author: jmallette
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- Image: '*\cmdkey.exe'
- CommandLine: '* /list *'
- condition: selection
+ selection:
+ Image: '*\cmdkey.exe'
+ CommandLine: '* /list *'
+ condition: selection
 fields:
- - CommandLine
- - ParentCommandLine
- - User
+ - CommandLine
+ - ParentCommandLine
+ - User
 falsepositives:
- - Legitimate administrative tasks.
+ - Legitimate administrative tasks.
 level: low
diff --git a/rules/windows/process_creation/win_cmstp_com_object_access.yml b/rules/windows/process_creation/win_cmstp_com_object_access.yml
index 5faf82be6..d5c2a386e 100644
--- a/rules/windows/process_creation/win_cmstp_com_object_access.yml
+++ b/rules/windows/process_creation/win_cmstp_com_object_access.yml
@@ -2,31 +2,31 @@ title: CMSTP UAC Bypass via COM Object Access status: stable description: Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects tags: - - attack.defense_evasion - - attack.privilege_escalation - - attack.execution - - attack.t1088 - - attack.t1191 - - attack.g0069 + - attack.defense_evasion + - attack.privilege_escalation + - attack.execution + - attack.t1088 + - attack.t1191 + - attack.g0069 author: Nik Seetharaman references: - - http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/ - - https://twitter.com/hFireF0X/status/897640081053364225 + - http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/ + - https://twitter.com/hFireF0X/status/897640081053364225 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection1: - ParentCommandLine: '*\DllHost.exe' - selection2: - ParentCommandLine: - - '*\{3E5FC7F9-9A51-4367-9063-A120244FBEC7}' - - '*\{3E000D72-A845-4CD9-BD83-80C07C3B881F}' - condition: selection1 and selection2 + selection1: + ParentCommandLine: '*\DllHost.exe' + selection2: + ParentCommandLine: + - '*\{3E5FC7F9-9A51-4367-9063-A120244FBEC7}' + - '*\{3E000D72-A845-4CD9-BD83-80C07C3B881F}' + condition: selection1 and selection2 fields: - - CommandLine - - ParentCommandLine - - Hashes + - CommandLine + - ParentCommandLine + - Hashes falsepositives: - - Legitimate CMSTP use (unlikely in modern enterprise environments) + - Legitimate CMSTP use (unlikely in modern enterprise environments) level: high diff --git a/rules/windows/process_creation/win_exploit_cve_2015_1641.yml b/rules/windows/process_creation/win_exploit_cve_2015_1641.yml index ce3befeae..8b335074e 100644 --- a/rules/windows/process_creation/win_exploit_cve_2015_1641.yml +++ b/rules/windows/process_creation/win_exploit_cve_2015_1641.yml 
@@ -2,18 +2,18 @@ title: Exploit for CVE-2015-1641
 status: experimental
 description: Detects Winword starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641
 references:
- - https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/
- - https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100
+ - https://www.virustotal.com/en/file/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8/analysis/
+ - https://www.hybrid-analysis.com/sample/5567408950b744c4e846ba8ae726883cb15268a539f3bb21758a466e47021ae8?environmentId=100
 author: Florian Roth
 date: 2018/02/22
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- ParentImage: '*\WINWORD.EXE'
- Image: '*\MicroScMgmt.exe '
- condition: selection
+ selection:
+ ParentImage: '*\WINWORD.EXE'
+ Image: '*\MicroScMgmt.exe '
+ condition: selection
 falsepositives:
- - Unknown
+ - Unknown
 level: critical
diff --git a/rules/windows/process_creation/win_exploit_cve_2017_0261.yml b/rules/windows/process_creation/win_exploit_cve_2017_0261.yml
index fcfabffcf..6e972de7e 100644
--- a/rules/windows/process_creation/win_exploit_cve_2017_0261.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2017_0261.yml
@@ -2,17 +2,17 @@ title: Exploit for CVE-2017-0261
 status: experimental
 description: Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262
 references:
- - https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html
+ - https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html
 author: Florian Roth
 date: 2018/02/22
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- ParentImage: '*\WINWORD.EXE'
- Image: '*\FLTLDR.exe*'
- condition: selection
+ selection:
+ ParentImage: '*\WINWORD.EXE'
+ Image: '*\FLTLDR.exe*'
+ condition: selection
 falsepositives:
- - Several false positives identified, check for suspicious file names or locations (e.g. Temp folders)
+ - Several false positives identified, check for suspicious file names or locations (e.g. Temp folders)
 level: medium
diff --git a/rules/windows/process_creation/win_exploit_cve_2017_11882.yml b/rules/windows/process_creation/win_exploit_cve_2017_11882.yml
index 922d2ea57..c2d01b6ad 100644
--- a/rules/windows/process_creation/win_exploit_cve_2017_11882.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2017_11882.yml
@@ -2,19 +2,19 @@ title: Droppers exploiting CVE-2017-11882
 status: experimental
 description: Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe
 references:
- - https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100
- - https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw
+ - https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100
+ - https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw
 author: Florian Roth
 date: 2017/11/23
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- ParentImage: '*\EQNEDT32.EXE'
- condition: selection
+ selection:
+ ParentImage: '*\EQNEDT32.EXE'
+ condition: selection
 fields:
- - CommandLine
+ - CommandLine
 falsepositives:
- - unknown
+ - unknown
 level: critical
diff --git a/rules/windows/process_creation/win_exploit_cve_2017_8759.yml b/rules/windows/process_creation/win_exploit_cve_2017_8759.yml
index b08742ff1..79035c3cf 100644
--- a/rules/windows/process_creation/win_exploit_cve_2017_8759.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2017_8759.yml
@@ -1,18 +1,18 @@
 title: Exploit for CVE-2017-8759
 description: Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759
 references:
- - https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
- - https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
+ - https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
+ - https://www.reverse.it/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100
 author: Florian Roth
 date: 15.09.2017
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- ParentImage: '*\WINWORD.EXE'
- Image: '*\csc.exe'
- condition: selection
+ selection:
+ ParentImage: '*\WINWORD.EXE'
+ Image: '*\csc.exe'
+ condition: selection
 falsepositives:
- - Unknown
+ - Unknown
 level: critical
diff --git a/rules/windows/process_creation/win_hack_rubeus.yml b/rules/windows/process_creation/win_hack_rubeus.yml
index 16884c73b..7043d3323 100644
--- a/rules/windows/process_creation/win_hack_rubeus.yml
+++ b/rules/windows/process_creation/win_hack_rubeus.yml
@@ -2,28 +2,28 @@ title: Rubeus Hack Tool
 description: Detects command line parameters used by Rubeus hack tool
 author: Florian Roth
 references:
- - https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/
+ - https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/
 date: 2018/12/19
 tags:
- - attack.credential_access
- - attack.t1003
- - attack.s0005
+ - attack.credential_access
+ - attack.t1003
+ - attack.s0005
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- CommandLine:
- - '* asreproast *'
- - '* dump /service:krbtgt *'
- - '* kerberoast *'
- - '* createnetonly /program:*'
- - '* ptt /ticket:*'
- - '* /impersonateuser:*'
- - '* renew /ticket:*'
- - '* asktgt /user:*'
- - '* harvest /interval:*'
- condition: selection
+ selection:
+ CommandLine:
+ - '* asreproast *'
+ - '* dump /service:krbtgt *'
+ - '* kerberoast *'
+ - '* createnetonly /program:*'
+ - '* ptt /ticket:*'
+ - '* /impersonateuser:*'
+ - '* renew /ticket:*'
+ - '* asktgt /user:*'
+ - '* harvest /interval:*'
+ condition: selection
 falsepositives:
- - unlikely
+ - unlikely
 level: critical
diff --git a/rules/windows/process_creation/win_lethalhta.yml b/rules/windows/process_creation/win_lethalhta.yml
index 86d4dac8a..06f9c1589 100644
--- a/rules/windows/process_creation/win_lethalhta.yml
+++ b/rules/windows/process_creation/win_lethalhta.yml
@@ -2,17 +2,17 @@ title: MSHTA spwaned by SVCHOST as seen in LethalHTA
 status: experimental
 description: Detects MSHTA.EXE spwaned by SVCHOST described in report
 references:
- - https://codewhitesec.blogspot.com/2018/07/lethalhta.html
+ - https://codewhitesec.blogspot.com/2018/07/lethalhta.html
 author: Markus Neis
 date: 2018/06/07
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- ParentImage: '*\svchost.exe'
- Image: '*\mshta.exe'
- condition: selection
+ selection:
+ ParentImage: '*\svchost.exe'
+ Image: '*\mshta.exe'
+ condition: selection
 falsepositives:
- - Unknown
+ - Unknown
 level: high
diff --git a/rules/windows/process_creation/win_mal_adwind.yml b/rules/windows/process_creation/win_mal_adwind.yml
index a3bc86990..d2da67565 100644
--- a/rules/windows/process_creation/win_mal_adwind.yml
+++ b/rules/windows/process_creation/win_mal_adwind.yml
@@ -3,39 +3,39 @@ title: Adwind RAT / JRAT
 status: experimental
 description: Detects javaw.exe in AppData folder as used by Adwind / JRAT
 references:
- - https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100
- - https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
+ - https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100
+ - https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf
 author: Florian Roth, Tom Ueltschi
 date: 2017/11/10
 modified: 2018/12/11
 detection:
- condition: selection
+ condition: selection
 level: high
 ---
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- ProcessCommandLine:
- - '*\AppData\Roaming\Oracle*\java*.exe *'
- - '*cscript.exe *Retrive*.vbs *'
+ selection:
+ ProcessCommandLine:
+ - '*\AppData\Roaming\Oracle*\java*.exe *'
+ - '*cscript.exe *Retrive*.vbs *'
 ---
 logsource:
- product: windows
- service: sysmon
+ product: windows
+ service: sysmon
 detection:
- selection:
- EventID: 11
- TargetFilename:
- - '*\AppData\Roaming\Oracle\bin\java*.exe'
- - '*\Retrive*.vbs'
+ selection:
+ EventID: 11
+ TargetFilename:
+ - '*\AppData\Roaming\Oracle\bin\java*.exe'
+ - '*\Retrive*.vbs'
 ---
 logsource:
- product: windows
- service: sysmon
+ product: windows
+ service: sysmon
 detection:
- selection:
- EventID: 13
- TargetObject: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*
- Details: '%AppData%\Roaming\Oracle\bin\\*'
+ selection:
+ EventID: 13
+ TargetObject: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*
+ Details: '%AppData%\Roaming\Oracle\bin\\*'
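Review bot: The `process_creation` document of this rule keys its selection on `ProcessCommandLine`, while every other `process_creation` rule in this series (Rubeus, WannaCry, Dridex, NotPetya and the rest) keys on `CommandLine`; unless a backend configuration maps that name, the javaw and cscript patterns would match nothing. If the name is not an intentional backend-specific field, change it to `CommandLine:`. This is pre-existing and not introduced by the re-indent, which is what the hunk changes.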
diff --git a/rules/windows/process_creation/win_mal_wannacry.yml b/rules/windows/process_creation/win_mal_wannacry.yml
index c8571db81..d3b43b5de 100644
--- a/rules/windows/process_creation/win_mal_wannacry.yml
+++ b/rules/windows/process_creation/win_mal_wannacry.yml
@@ -2,32 +2,32 @@ title: WannaCry Ransomware
 description: Detects WannaCry Ransomware Activity
 status: experimental
 references:
- - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
+ - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
 author: Florian Roth
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection1:
- CommandLine:
- - '*vssadmin delete shadows*'
- - '*icacls * /grant Everyone:F /T /C /Q*'
- - '*bcdedit /set {default} recoveryenabled no*'
- - '*wbadmin delete catalog -quiet*'
- selection2:
- Image:
- - '*\tasksche.exe'
- - '*\mssecsvc.exe'
- - '*\taskdl.exe'
- - '*\WanaDecryptor*'
- - '*\taskhsvc.exe'
- - '*\taskse.exe'
- - '*\111.exe'
- - '*\lhdfrgui.exe'
- - '*\diskpart.exe'
- - '*\linuxnew.exe'
- - '*\wannacry.exe'
- condition: 1 of them
+ selection1:
+ CommandLine:
+ - '*vssadmin delete shadows*'
+ - '*icacls * /grant Everyone:F /T /C /Q*'
+ - '*bcdedit /set {default} recoveryenabled no*'
+ - '*wbadmin delete catalog -quiet*'
+ selection2:
+ Image:
+ - '*\tasksche.exe'
+ - '*\mssecsvc.exe'
+ - '*\taskdl.exe'
+ - '*\WanaDecryptor*'
+ - '*\taskhsvc.exe'
+ - '*\taskse.exe'
+ - '*\111.exe'
+ - '*\lhdfrgui.exe'
+ - '*\diskpart.exe'
+ - '*\linuxnew.exe'
+ - '*\wannacry.exe'
+ condition: 1 of them
 falsepositives:
- - Unknown
+ - Unknown
 level: critical
diff --git a/rules/windows/process_creation/win_malware_dridex.yml b/rules/windows/process_creation/win_malware_dridex.yml
index 3c385f00a..62a746e75 100644
--- a/rules/windows/process_creation/win_malware_dridex.yml
+++ b/rules/windows/process_creation/win_malware_dridex.yml
@@ -2,21 +2,21 @@ title: Dridex Process Pattern
 status: experimental
 description: Detects typical Dridex process patterns
 references:
- - https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3
+ - https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3
 author: Florian Roth
 date: 2019/01/10
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection1:
- CommandLine: '*\svchost.exe C:\Users\\*\Desktop\\*'
- selection2:
- ParentImage: '*\svchost.exe*'
- CommandLine:
- - '*whoami.exe /all'
- - '*net.exe view'
- condition: 1 of them
+ selection1:
+ CommandLine: '*\svchost.exe C:\Users\\*\Desktop\\*'
+ selection2:
+ ParentImage: '*\svchost.exe*'
+ CommandLine:
+ - '*whoami.exe /all'
+ - '*net.exe view'
+ condition: 1 of them
 falsepositives:
- - Unlikely
+ - Unlikely
 level: critical
diff --git a/rules/windows/process_creation/win_malware_notpetya.yml b/rules/windows/process_creation/win_malware_notpetya.yml
index 1d8a82538..151cc43dc 100644
--- a/rules/windows/process_creation/win_malware_notpetya.yml
+++ b/rules/windows/process_creation/win_malware_notpetya.yml
@@ -1,39 +1,39 @@
 title: NotPetya Ransomware Activity
 status: experimental
 description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive
- C is deleted and windows eventlogs are cleared using wevtutil
+ C is deleted and windows eventlogs are cleared using wevtutil
 author: Florian Roth, Tom Ueltschi
 references:
- - https://securelist.com/schroedingers-petya/78870/
- - https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100
+ - https://securelist.com/schroedingers-petya/78870/
+ - https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100
 tags:
- - attack.execution
- - attack.credential_access
- - attack.defense_evasion
- - attack.t1085
- - attack.t1070
- - attack.t1003
+ - attack.execution
+ - attack.credential_access
+ - attack.defense_evasion
+ - attack.t1085
+ - attack.t1070
+ - attack.t1003
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- fsutil_clean_journal:
- Image: '*\fsutil.exe'
- CommandLine: '* deletejournal *'
- pipe_com:
- CommandLine: '*\AppData\Local\Temp\* \\.\pipe\\*'
- event_clean:
- Image: '*\wevtutil.exe'
- CommandLine: '* cl *'
- rundll32_dash1:
- Image: '*\rundll32.exe'
- CommandLine: '*.dat,#1'
- perfc_keyword:
- - '*\perfc.dat*'
- condition: 1 of them
+ fsutil_clean_journal:
+ Image: '*\fsutil.exe'
+ CommandLine: '* deletejournal *'
+ pipe_com:
+ CommandLine: '*\AppData\Local\Temp\* \\.\pipe\\*'
+ event_clean:
+ Image: '*\wevtutil.exe'
+ CommandLine: '* cl *'
+ rundll32_dash1:
+ Image: '*\rundll32.exe'
+ CommandLine: '*.dat,#1'
+ perfc_keyword:
+ - '*\perfc.dat*'
+ condition: 1 of them
 fields:
- - CommandLine
- - ParentCommandLine
+ - CommandLine
+ - ParentCommandLine
 falsepositives:
- - Admin activity
+ - Admin activity
 level: critical
diff --git a/rules/windows/process_creation/win_malware_script_dropper.yml b/rules/windows/process_creation/win_malware_script_dropper.yml
index 191e93d90..cdede5a6f 100644
--- a/rules/windows/process_creation/win_malware_script_dropper.yml
+++ b/rules/windows/process_creation/win_malware_script_dropper.yml
@@ -3,31 +3,31 @@ status: experimental
 description: Detects wscript/cscript executions of scripts located in user directories
 author: Margaritis Dimitrios (idea), Florian Roth (rule)
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- Image:
- - '*\wscript.exe'
- - '*\cscript.exe'
- CommandLine:
- - '* C:\Users\\*.jse *'
- - '* C:\Users\\*.vbe *'
- - '* C:\Users\\*.js *'
- - '* C:\Users\\*.vba *'
- - '* C:\Users\\*.vbs *'
- - '* C:\ProgramData\\*.jse *'
- - '* C:\ProgramData\\*.vbe *'
- - '* C:\ProgramData\\*.js *'
- - '* C:\ProgramData\\*.vba *'
- - '* C:\ProgramData\\*.vbs *'
- falsepositive:
- ParentImage: '*\winzip*'
- condition: selection and not falsepositive
+ selection:
+ Image:
+ - '*\wscript.exe'
+ - '*\cscript.exe'
+ CommandLine:
+ - '* C:\Users\\*.jse *'
+ - '* C:\Users\\*.vbe *'
+ - '* C:\Users\\*.js *'
+ - '* C:\Users\\*.vba *'
+ - '* C:\Users\\*.vbs *'
+ - '* C:\ProgramData\\*.jse *'
+ - '* C:\ProgramData\\*.vbe *'
+ - '* C:\ProgramData\\*.js *'
+ - '* C:\ProgramData\\*.vba *'
+ - '* C:\ProgramData\\*.vbs *'
+ falsepositive:
+ ParentImage: '*\winzip*'
+ condition: selection and not falsepositive
 fields:
- - CommandLine
- - ParentCommandLine
+ - CommandLine
+ - ParentCommandLine
 falsepositives:
- - Winzip
- - Other self-extractors
+ - Winzip
+ - Other self-extractors
 level: high
diff --git a/rules/windows/process_creation/win_malware_wannacry.yml b/rules/windows/process_creation/win_malware_wannacry.yml
index f8639f654..051aecc58 100644
--- a/rules/windows/process_creation/win_malware_wannacry.yml
+++ b/rules/windows/process_creation/win_malware_wannacry.yml
@@ -2,36 +2,36 @@ title: WannaCry Ransomware via Sysmon
 status: experimental
 description: Detects WannaCry ransomware activity via Sysmon
 references:
- - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
+ - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
 author: Florian Roth (rule), Tom U. @c_APT_ure (collection)
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection1:
- Image:
- - '*\tasksche.exe'
- - '*\mssecsvc.exe'
- - '*\taskdl.exe'
- - '*\@WanaDecryptor@*'
- - '*\taskhsvc.exe'
- - '*\taskse.exe'
- - '*\111.exe'
- - '*\lhdfrgui.exe'
- - '*\diskpart.exe'
- - '*\linuxnew.exe'
- - '*\wannacry.exe'
- selection2:
- CommandLine:
- - '*vssadmin delete shadows*'
- - '*icacls * /grant Everyone:F /T /C /Q*'
- - '*bcdedit /set {default} recoveryenabled no*'
- - '*wbadmin delete catalog -quiet*'
- - '*@Please_Read_Me@.txt*'
- condition: 1 of them
+ selection1:
+ Image:
+ - '*\tasksche.exe'
+ - '*\mssecsvc.exe'
+ - '*\taskdl.exe'
+ - '*\@WanaDecryptor@*'
+ - '*\taskhsvc.exe'
+ - '*\taskse.exe'
+ - '*\111.exe'
+ - '*\lhdfrgui.exe'
+ - '*\diskpart.exe'
+ - '*\linuxnew.exe'
+ - '*\wannacry.exe'
+ selection2:
+ CommandLine:
+ - '*vssadmin delete shadows*'
+ - '*icacls * /grant Everyone:F /T /C /Q*'
+ - '*bcdedit /set {default} recoveryenabled no*'
+ - '*wbadmin delete catalog -quiet*'
+ - '*@Please_Read_Me@.txt*'
+ condition: 1 of them
 fields:
- - CommandLine
- - ParentCommandLine
+ - CommandLine
+ - ParentCommandLine
 falsepositives:
- - Diskpart.exe usage to manage partitions on the local hard drive
+ - Diskpart.exe usage to manage partitions on the local hard drive
 level: critical
diff --git a/rules/windows/process_creation/win_mavinject_proc_inj.yml b/rules/windows/process_creation/win_mavinject_proc_inj.yml
index 4b049a114..a3da623be 100644
--- a/rules/windows/process_creation/win_mavinject_proc_inj.yml
+++ b/rules/windows/process_creation/win_mavinject_proc_inj.yml
@@ -2,23 +2,23 @@ title: MavInject Process Injection
 status: experimental
 description: Detects process injection using the signed Windows tool Mavinject32.exe
 references:
- - https://twitter.com/gN3mes1s/status/941315826107510784
- - https://reaqta.com/2017/12/mavinject-microsoft-injector/
- - https://twitter.com/Hexacorn/status/776122138063409152
+ - https://twitter.com/gN3mes1s/status/941315826107510784
+ - https://reaqta.com/2017/12/mavinject-microsoft-injector/
+ - https://twitter.com/Hexacorn/status/776122138063409152
 author: Florian Roth
 date: 2018/12/12
 tags:
- - attack.process_injection
- - attack.t1055
- - attack.signed_binary_proxy_execution
- - attack.t1218
+ - attack.process_injection
+ - attack.t1055
+ - attack.signed_binary_proxy_execution
+ - attack.t1218
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- CommandLine: '* /INJECTRUNNING *'
- condition: selection
+ selection:
+ CommandLine: '* /INJECTRUNNING *'
+ condition: selection
 falsepositives:
- - unknown
+ - unknown
 level: critical
diff --git a/rules/windows/process_creation/win_mshta_spawn_shell.yml b/rules/windows/process_creation/win_mshta_spawn_shell.yml
index 7710a22a9..d437e26d8 100644
--- a/rules/windows/process_creation/win_mshta_spawn_shell.yml
+++ b/rules/windows/process_creation/win_mshta_spawn_shell.yml
@@ -2,36 +2,36 @@ title: MSHTA Spawning Windows Shell
 status: experimental
 description: Detects a Windows command line executable started from MSHTA.
 references:
- - https://www.trustedsec.com/july-2015/malicious-htas/
+ - https://www.trustedsec.com/july-2015/malicious-htas/
 author: Michael Haag
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- ParentImage: '*\mshta.exe'
- Image:
- - '*\cmd.exe'
- - '*\powershell.exe'
- - '*\wscript.exe'
- - '*\cscript.exe'
- - '*\sh.exe'
- - '*\bash.exe'
- - '*\reg.exe'
- - '*\regsvr32.exe'
- - '*\BITSADMIN*'
- filter:
- CommandLine:
- - '*/HP/HP*'
- - '*\HP\HP*'
- condition: selection and not filter
+ selection:
+ ParentImage: '*\mshta.exe'
+ Image:
+ - '*\cmd.exe'
+ - '*\powershell.exe'
+ - '*\wscript.exe'
+ - '*\cscript.exe'
+ - '*\sh.exe'
+ - '*\bash.exe'
+ - '*\reg.exe'
+ - '*\regsvr32.exe'
+ - '*\BITSADMIN*'
+ filter:
+ CommandLine:
+ - '*/HP/HP*'
+ - '*\HP\HP*'
+ condition: selection and not filter
 fields:
- - CommandLine
- - ParentCommandLine
+ - CommandLine
+ - ParentCommandLine
 tags:
- - attack.defense_evasion
- - attack.execution
- - attack.t1170
+ - attack.defense_evasion
+ - attack.execution
+ - attack.t1170
 falsepositives:
- - Printer software / driver installations
+ - Printer software / driver installations
 level: high
diff --git a/rules/windows/process_creation/win_multiple_suspicious_cli.yml b/rules/windows/process_creation/win_multiple_suspicious_cli.yml
index 7e0fbecb6..d4237c788 100644
--- a/rules/windows/process_creation/win_multiple_suspicious_cli.yml
+++ b/rules/windows/process_creation/win_multiple_suspicious_cli.yml
@@ -2,55 +2,55 @@ title: Quick Execution of a Series of Suspicious Commands
 description: Detects multiple suspicious process in a limited timeframe
 status: experimental
 references:
- - https://car.mitre.org/wiki/CAR-2013-04-002
+ - https://car.mitre.org/wiki/CAR-2013-04-002
 author: juju4
 modified: 2012/12/11
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- CommandLine:
- - arp.exe
- - at.exe
- - attrib.exe
- - cscript.exe
- - dsquery.exe
- - hostname.exe
- - ipconfig.exe
- - mimikatz.exe
- - nbstat.exe
- - net.exe
- - netsh.exe
- - nslookup.exe
- - ping.exe
- - quser.exe
- - qwinsta.exe
- - reg.exe
- - runas.exe
- - sc.exe
- - schtasks.exe
- - ssh.exe
- - systeminfo.exe
- - taskkill.exe
- - telnet.exe
- - tracert.exe
- - wscript.exe
- - xcopy.exe
- - pscp.exe
- - copy.exe
- - robocopy.exe
- - certutil.exe
- - vssadmin.exe
- - powershell.exe
- - wevtutil.exe
- - psexec.exe
- - bcedit.exe
- - wbadmin.exe
- - icacls.exe
- - diskpart.exe
- timeframe: 5m
- condition: selection | count() by MachineName > 5
+ selection:
+ CommandLine:
+ - arp.exe
+ - at.exe
+ - attrib.exe
+ - cscript.exe
+ - dsquery.exe
+ - hostname.exe
+ - ipconfig.exe
+ - mimikatz.exe
+ - nbstat.exe
+ - net.exe
+ - netsh.exe
+ - nslookup.exe
+ - ping.exe
+ - quser.exe
+ - qwinsta.exe
+ - reg.exe
+ - runas.exe
+ - sc.exe
+ - schtasks.exe
+ - ssh.exe
+ - systeminfo.exe
+ - taskkill.exe
+ - telnet.exe
+ - tracert.exe
+ - wscript.exe
+ - xcopy.exe
+ - pscp.exe
+ - copy.exe
+ - robocopy.exe
+ - certutil.exe
+ - vssadmin.exe
+ - powershell.exe
+ - wevtutil.exe
+ - psexec.exe
+ - bcedit.exe
+ - wbadmin.exe
+ - icacls.exe
+ - diskpart.exe
+ timeframe: 5m
+ condition: selection | count() by MachineName > 5
 falsepositives:
- - False positives depend on scripts and administrative tools used in the monitored environment
+ - False positives depend on scripts and administrative tools used in the monitored environment
 level: low
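Review bot: `bcedit.exe` in the CommandLine list looks like a misspelling of `bcdedit.exe` (the WannaCry rules in this same series spell it `bcdedit`), so that entry would never match a real process; change it to `- bcdedit.exe`. The `modified: 2012/12/11` date also predates the 2013 CAR reference the rule cites and is presumably meant to be a later year — worth confirming. Neither issue is introduced by this re-indent, which only changes whitespace.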
diff --git a/rules/windows/process_creation/win_netsh_port_fwd.yml b/rules/windows/process_creation/win_netsh_port_fwd.yml
index fdc43d790..6f45ae187 100644
--- a/rules/windows/process_creation/win_netsh_port_fwd.yml
+++ b/rules/windows/process_creation/win_netsh_port_fwd.yml
@@ -1,20 +1,20 @@
 title: Netsh Port Forwarding
 description: Detects netsh commands that configure a port forwarding
 references:
- - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
+ - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
 date: 2019/01/29
 tags:
- - attack.lateral_movement
+ - attack.lateral_movement
 status: experimental
 author: Florian Roth
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- CommandLine:
- - netsh interface portproxy add v4tov4 *
- condition: selection
+ selection:
+ CommandLine:
+ - netsh interface portproxy add v4tov4 *
+ condition: selection
 falsepositives:
- - Legitimate administration
+ - Legitimate administration
 level: medium
diff --git a/rules/windows/process_creation/win_netsh_port_fwd_3389.yml b/rules/windows/process_creation/win_netsh_port_fwd_3389.yml
index cebd116ee..7a62488bb 100644
--- a/rules/windows/process_creation/win_netsh_port_fwd_3389.yml
+++ b/rules/windows/process_creation/win_netsh_port_fwd_3389.yml
@@ -1,20 +1,20 @@
 title: Netsh RDP Port Forwarding
 description: Detects netsh commands that configure a port forwarding of port 3389 used for RDP
 references:
- - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
+ - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
 date: 2019/01/29
 tags:
- - attack.lateral_movement
+ - attack.lateral_movement
 status: experimental
 author: Florian Roth
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- CommandLine:
- - netsh i* p*=3389 c*
- condition: selection
+ selection:
+ CommandLine:
+ - netsh i* p*=3389 c*
+ condition: selection
 falsepositives:
- - Legitimate administration
+ - Legitimate administration
 level: high
diff --git a/rules/windows/process_creation/win_office_shell.yml b/rules/windows/process_creation/win_office_shell.yml
index 0c8f838d2..d9c2f6080 100644
--- a/rules/windows/process_creation/win_office_shell.yml
+++ b/rules/windows/process_creation/win_office_shell.yml
@@ -2,51 +2,51 @@ title: Microsoft Office Product Spawning Windows Shell
 status: experimental
 description: Detects a Windows command line executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio.
 references:
- - https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100
- - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
- - https://www2.cybereason.com/asset/60:research-cobalt-kitty-attack-lifecycle
+ - https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100
+ - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
+ - https://www2.cybereason.com/asset/60:research-cobalt-kitty-attack-lifecycle
 tags:
- - attack.execution
- - attack.defense_evasion
- - attack.t1059
- - attack.t1202
+ - attack.execution
+ - attack.defense_evasion
+ - attack.t1059
+ - attack.t1202
 author: Michael Haag, Florian Roth, Markus Neis
 date: 2018/04/06
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- ParentImage:
- - '*\WINWORD.EXE'
- - '*\EXCEL.EXE'
- - '*\POWERPNT.exe'
- - '*\MSPUB.exe'
- - '*\VISIO.exe'
- - '*\OUTLOOK.EXE'
- Image:
- - '*\cmd.exe'
- - '*\powershell.exe'
- - '*\wscript.exe'
- - '*\cscript.exe'
- - '*\sh.exe'
- - '*\bash.exe'
- - '*\scrcons.exe'
- - '*\schtasks.exe'
- - '*\regsvr32.exe'
- - '*\hh.exe'
- - '*\wmic.exe'
- - '*\mshta.exe'
- - '*\rundll32.exe'
- - '*\msiexec.exe'
- - '*\forfiles.exe'
- - '*\scriptrunner.exe'
- - '*\mftrace.exe'
- - '*\AppVLP.exe'
- condition: selection
+ selection:
+ ParentImage:
+ - '*\WINWORD.EXE'
+ - '*\EXCEL.EXE'
+ - '*\POWERPNT.exe'
+ - '*\MSPUB.exe'
+ - '*\VISIO.exe'
+ - '*\OUTLOOK.EXE'
+ Image:
+ - '*\cmd.exe'
+ - '*\powershell.exe'
+ - '*\wscript.exe'
+ - '*\cscript.exe'
+ - '*\sh.exe'
+ - '*\bash.exe'
+ - '*\scrcons.exe'
+ - '*\schtasks.exe'
+ - '*\regsvr32.exe'
+ - '*\hh.exe'
+ - '*\wmic.exe'
+ - '*\mshta.exe'
+ - '*\rundll32.exe'
+ - '*\msiexec.exe'
+ - '*\forfiles.exe'
+ - '*\scriptrunner.exe'
+ - '*\mftrace.exe'
+ - '*\AppVLP.exe'
+ condition: selection
 fields:
- - CommandLine
- - ParentCommandLine
+ - CommandLine
+ - ParentCommandLine
 falsepositives:
- - unknown
+ - unknown
 level: high
diff --git a/rules/windows/process_creation/win_plugx_susp_exe_locations.yml b/rules/windows/process_creation/win_plugx_susp_exe_locations.yml
index 60d6b7c60..55b3837d3 100644
--- a/rules/windows/process_creation/win_plugx_susp_exe_locations.yml
+++ b/rules/windows/process_creation/win_plugx_susp_exe_locations.yml
@@ -2,87 +2,87 @@ title: Executable used by PlugX in Uncommon Location - Sysmon Version
 status: experimental
 description: Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location
 references:
- - http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/
- - https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/
+ - http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/
+ - https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/
 author: Florian Roth
 date: 2017/06/12
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection_cammute:
- Image: '*\CamMute.exe'
- filter_cammute:
- Image: '*\Lenovo\Communication Utility\\*'
- selection_chrome_frame:
- Image: '*\chrome_frame_helper.exe'
- filter_chrome_frame:
- Image: '*\Google\Chrome\application\\*'
- selection_devemu:
- Image: '*\dvcemumanager.exe'
- filter_devemu:
- Image: '*\Microsoft Device Emulator\\*'
- selection_gadget:
- Image: '*\Gadget.exe'
- filter_gadget:
- Image: '*\Windows Media Player\\*'
- selection_hcc:
- Image: '*\hcc.exe'
- filter_hcc:
- Image: '*\HTML Help Workshop\\*'
- selection_hkcmd:
- Image: '*\hkcmd.exe'
- filter_hkcmd:
- Image:
- - '*\System32\\*'
- - '*\SysNative\\*'
- - '*\SysWowo64\\*'
- selection_mc:
- Image: '*\Mc.exe'
- filter_mc:
- Image:
- - '*\Microsoft Visual Studio*'
- - '*\Microsoft SDK*'
- - '*\Windows Kit*'
- selection_msmpeng:
- Image: '*\MsMpEng.exe'
- filter_msmpeng:
- Image:
- - '*\Microsoft Security Client\\*'
- - '*\Windows Defender\\*'
- - '*\AntiMalware\\*'
- selection_msseces:
- Image: '*\msseces.exe'
- filter_msseces:
- Image: '*\Microsoft Security Center\\*'
- selection_oinfo:
- Image: '*\OInfoP11.exe'
- filter_oinfo:
- Image: '*\Common Files\Microsoft Shared\\*'
- selection_oleview:
- Image: '*\OleView.exe'
- filter_oleview:
- Image:
- - '*\Microsoft Visual Studio*'
- - '*\Microsoft SDK*'
- - '*\Windows Kit*'
- - '*\Windows Resource Kit\\*'
- selection_rc:
- Image: '*\rc.exe'
- filter_rc:
- Image:
- - '*\Microsoft Visual Studio*'
- - '*\Microsoft SDK*'
- - '*\Windows Kit*'
- - '*\Windows Resource Kit\\*'
- - '*\Microsoft.NET\\*'
- condition: ( selection_cammute and not filter_cammute ) or ( selection_chrome_frame and not filter_chrome_frame ) or ( selection_devemu and not filter_devemu )
- or ( selection_gadget and not filter_gadget ) or ( selection_hcc and not filter_hcc ) or ( selection_hkcmd and not filter_hkcmd ) or ( selection_mc and not filter_mc
- ) or ( selection_msmpeng and not filter_msmpeng ) or ( selection_msseces and not filter_msseces ) or ( selection_oinfo and not filter_oinfo ) or ( selection_oleview
- and not filter_oleview ) or ( selection_rc and not filter_rc )
+ selection_cammute:
+ Image: '*\CamMute.exe'
+ filter_cammute:
+ Image: '*\Lenovo\Communication Utility\\*'
+ selection_chrome_frame:
+ Image: '*\chrome_frame_helper.exe'
+ filter_chrome_frame:
+ Image: '*\Google\Chrome\application\\*'
+ selection_devemu:
+ Image: '*\dvcemumanager.exe'
+ filter_devemu:
+ Image: '*\Microsoft Device Emulator\\*'
+ selection_gadget:
+ Image: '*\Gadget.exe'
+ filter_gadget:
+ Image: '*\Windows Media Player\\*'
+ selection_hcc:
+ Image: '*\hcc.exe'
+ filter_hcc:
+ Image: '*\HTML Help Workshop\\*'
+ selection_hkcmd:
+ Image: '*\hkcmd.exe'
+ filter_hkcmd:
+ Image:
+ - '*\System32\\*'
+ - '*\SysNative\\*'
+ - '*\SysWowo64\\*'
+ selection_mc:
+ Image: '*\Mc.exe'
+ filter_mc:
+ Image:
+ - '*\Microsoft Visual Studio*'
+ - '*\Microsoft SDK*'
+ - '*\Windows Kit*'
+ selection_msmpeng:
+ Image: '*\MsMpEng.exe'
+ filter_msmpeng:
+ Image:
+ - '*\Microsoft Security Client\\*'
+ - '*\Windows Defender\\*'
+ - '*\AntiMalware\\*'
+ selection_msseces:
+ Image: '*\msseces.exe'
+ filter_msseces:
+ Image: '*\Microsoft Security Center\\*'
+ selection_oinfo:
+ Image: '*\OInfoP11.exe'
+ filter_oinfo:
+ Image: '*\Common Files\Microsoft Shared\\*'
+ selection_oleview:
+ Image: '*\OleView.exe'
+ filter_oleview:
+ Image:
+ - '*\Microsoft Visual Studio*'
+ - '*\Microsoft SDK*'
+ - '*\Windows Kit*'
+ - '*\Windows Resource Kit\\*'
+ selection_rc:
+ Image: '*\rc.exe'
+ filter_rc:
+ Image:
+ - '*\Microsoft Visual Studio*'
+ - '*\Microsoft SDK*'
+ - '*\Windows Kit*'
+ - '*\Windows Resource Kit\\*'
+ - '*\Microsoft.NET\\*'
+ condition: ( selection_cammute and not filter_cammute ) or ( selection_chrome_frame and not filter_chrome_frame ) or ( selection_devemu and not filter_devemu )
+ or ( selection_gadget and not filter_gadget ) or ( selection_hcc and not filter_hcc ) or ( selection_hkcmd and not filter_hkcmd ) or ( selection_mc and not filter_mc
+ ) or ( selection_msmpeng and not filter_msmpeng ) or ( selection_msseces and not filter_msseces ) or ( selection_oinfo and not filter_oinfo ) or ( selection_oleview
+ and not filter_oleview ) or ( selection_rc and not filter_rc )
 fields:
- - CommandLine
- - ParentCommandLine
+ - CommandLine
+ - ParentCommandLine
 falsepositives:
- - Unknown
+ - Unknown
 level: high
diff --git a/rules/windows/process_creation/win_possible_applocker_bypass.yml b/rules/windows/process_creation/win_possible_applocker_bypass.yml
index 57efd9b5d..989053f49 100644
--- a/rules/windows/process_creation/win_possible_applocker_bypass.yml
+++ b/rules/windows/process_creation/win_possible_applocker_bypass.yml
@@ -2,27 +2,27 @@ title: Possible Applocker Bypass
 description: Detects execution of executables that can be used to bypass Applocker whitelisting
 status: experimental
 references:
- - https://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt
- - https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/
+ - https://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt
+ - https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/
 author: juju4
 tags:
- - attack.defense_evasion
+ - attack.defense_evasion
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- CommandLine:
- - '*\msdt.exe*'
- - '*\installutil.exe*'
- - '*\regsvcs.exe*'
- - '*\regasm.exe*'
- - '*\regsvr32.exe*'
- - '*\msbuild.exe*'
- - '*\ieexec.exe*'
- - '*\mshta.exe*'
- condition: selection
+ selection:
+ CommandLine:
+ - '*\msdt.exe*'
+ - '*\installutil.exe*'
+ - '*\regsvcs.exe*'
+ - '*\regasm.exe*'
+ - '*\regsvr32.exe*'
+ - '*\msbuild.exe*'
+ - '*\ieexec.exe*'
+ - '*\mshta.exe*'
+ condition: selection
 falsepositives:
- - False positives depend on scripts and administrative tools used in the monitored environment
- - Using installutil to add features for .NET applications (primarly would occur in developer environments)
+ - False positives depend on scripts and administrative tools used in the monitored environment
+ - Using installutil to add features for .NET applications (primarly would occur in developer environments)
 level: low
diff --git a/rules/windows/process_creation/win_powershell_amsi_bypass.yml b/rules/windows/process_creation/win_powershell_amsi_bypass.yml
index 05837d3f3..52ad67259 100644
--- a/rules/windows/process_creation/win_powershell_amsi_bypass.yml
+++ b/rules/windows/process_creation/win_powershell_amsi_bypass.yml
@@ -2,24 +2,24 @@ title: Powershell AMSI Bypass via .NET Reflection
 status: experimental
 description: Detects Request to amsiInitFailed that can be used to disable AMSI Scanning
 references:
- - https://twitter.com/mattifestation/status/735261176745988096
- - https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120
+ - https://twitter.com/mattifestation/status/735261176745988096
+ - https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120
 tags:
- - attack.execution
- - attack.t1086
+ - attack.execution
+ - attack.t1086
 author: Markus Neis
 date: 2018/08/17
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection1:
- CommandLine:
- - '*System.Management.Automation.AmsiUtils*'
- selection2:
- CommandLine:
- - '*amsiInitFailed*'
- condition: selection1 and selection2
- falsepositives:
- - Potential Admin Activity
+ selection1:
+ CommandLine:
+ - '*System.Management.Automation.AmsiUtils*'
+ selection2:
+ CommandLine:
+ - '*amsiInitFailed*'
+ condition: selection1 and selection2
+ falsepositives:
+ - Potential Admin Activity
 level: high
diff --git a/rules/windows/process_creation/win_powershell_b64_shellcode.yml b/rules/windows/process_creation/win_powershell_b64_shellcode.yml
index b63c8d062..f23c8cbaa 100644
--- a/rules/windows/process_creation/win_powershell_b64_shellcode.yml
+++ b/rules/windows/process_creation/win_powershell_b64_shellcode.yml
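Review bot: `falsepositives:` and its `- Potential Admin Activity` item are part of the re-indented lines in this hunk, whereas in every other rule of this series `falsepositives:` is an unchanged top-level line; that suggests the key sits under `detection:` on the new side, where a Sigma parser would treat it as a detection definition rather than rule metadata. If that is the case, dedent `falsepositives:` and its item to column 0 so the block matches the other rules. The actual indentation is not recoverable from this rendering, so please confirm against the file.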
@@ -2,23 +2,23 @@ title: PowerShell Base64 Encoded Shellcode
 description: Detects Base64 encoded Shellcode
 status: experimental
 references:
- - https://twitter.com/cyb3rops/status/1063072865992523776
+ - https://twitter.com/cyb3rops/status/1063072865992523776
 author: Florian Roth
 date: 2018/11/17
 tags:
- - attack.defense_evasion
- - attack.t1036
+ - attack.defense_evasion
+ - attack.t1036
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection1:
- CommandLine: '*AAAAYInlM*'
- selection2:
- CommandLine:
- - '*OiCAAAAYInlM*'
- - '*OiJAAAAYInlM*'
- condition: selection1 and selection2
+ selection1:
+ CommandLine: '*AAAAYInlM*'
+ selection2:
+ CommandLine:
+ - '*OiCAAAAYInlM*'
+ - '*OiJAAAAYInlM*'
+ condition: selection1 and selection2
 falsepositives:
- - Unknown
+ - Unknown
 level: critical
diff --git a/rules/windows/process_creation/win_powershell_dll_execution.yml b/rules/windows/process_creation/win_powershell_dll_execution.yml
index 200743312..be57fb374 100644
--- a/rules/windows/process_creation/win_powershell_dll_execution.yml
+++ b/rules/windows/process_creation/win_powershell_dll_execution.yml
@@ -2,27 +2,27 @@ title: Detection of PowerShell Execution via DLL
 status: experimental
 description: Detects PowerShell Strings applied to rundllas seen in PowerShdll.dll
 references:
- - https://github.com/p3nt4/PowerShdll/blob/master/README.md
+ - https://github.com/p3nt4/PowerShdll/blob/master/README.md
 tags:
- - attack.execution
- - attack.t1086
+ - attack.execution
+ - attack.t1086
 author: Markus Neis
 date: 2018/08/25
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection1:
- Image:
- - '*\rundll32.exe'
- selection2:
- Description:
- - '*Windows-Hostprozess (Rundll32)*'
- selection3:
- CommandLine:
- - '*Default.GetString*'
- - '*FromBase64String*'
- condition: (selection1 or selection2) and selection3
+ selection1:
+ Image:
+ - '*\rundll32.exe'
+ selection2:
+ Description:
+ - '*Windows-Hostprozess (Rundll32)*'
+ selection3:
+ CommandLine:
+ - '*Default.GetString*'
+ - '*FromBase64String*'
+ condition: (selection1 or selection2) and selection3
 falsepositives:
- - Unknown
+ - Unknown
 level: high
diff --git a/rules/windows/process_creation/win_powershell_download.yml b/rules/windows/process_creation/win_powershell_download.yml
index b039960ea..5b6b88a59 100644
--- a/rules/windows/process_creation/win_powershell_download.yml
+++ b/rules/windows/process_creation/win_powershell_download.yml
@@ -3,23 +3,23 @@ status: experimental description: Detects a Powershell process that contains download commands in its command line string author: Florian Roth tags: - - attack.t1086 - - attack.execution + - attack.t1086 + - attack.execution logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image: '*\powershell.exe' - CommandLine: - - '*new-object system.net.webclient).downloadstring(*' - - '*new-object system.net.webclient).downloadfile(*' - - '*new-object net.webclient).downloadstring(*' - - '*new-object net.webclient).downloadfile(*' - condition: selection + selection: + Image: '*\powershell.exe' + CommandLine: + - '*new-object system.net.webclient).downloadstring(*' + - '*new-object system.net.webclient).downloadfile(*' + - '*new-object net.webclient).downloadstring(*' + - '*new-object net.webclient).downloadfile(*' + condition: selection fields: - - CommandLine - - ParentCommandLine + - CommandLine + - ParentCommandLine falsepositives: - - unknown + - unknown level: medium diff --git a/rules/windows/process_creation/win_powershell_renamed_ps.yml b/rules/windows/process_creation/win_powershell_renamed_ps.yml index 280feb54d..1e02fef2b 100644 --- a/rules/windows/process_creation/win_powershell_renamed_ps.yml +++ b/rules/windows/process_creation/win_powershell_renamed_ps.yml 
@@ -2,25 +2,25 @@ title: Renamed Powershell.exe status: experimental description: Detects copying and renaming of powershell.exe before execution (RETEFE malware DOC/macro starting Sept 2018) references: - - https://attack.mitre.org/techniques/T1086/ - - https://isc.sans.edu/forums/diary/Maldoc+Duplicating+PowerShell+Prior+to+Use/24254/ + - https://attack.mitre.org/techniques/T1086/ + - https://isc.sans.edu/forums/diary/Maldoc+Duplicating+PowerShell+Prior+to+Use/24254/ tags: - - attack.t1086 - - attack.execution + - attack.t1086 + - attack.execution author: Tom Ueltschi (@c_APT_ure) logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Description: Windows PowerShell - exclusion_1: - Image: - - '*\powershell.exe' - - '*\powershell_ise.exe' - exclusion_2: - Description: Windows PowerShell ISE - condition: all of selection and not (1 of exclusion_*) + selection: + Description: Windows PowerShell + exclusion_1: + Image: + - '*\powershell.exe' + - '*\powershell_ise.exe' + exclusion_2: + Description: Windows PowerShell ISE + condition: all of selection and not (1 of exclusion_*) falsepositives: - - penetration tests, red teaming + - penetration tests, red teaming level: high diff --git a/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml b/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml index 7ae0a669d..55493e411 100644 --- a/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml +++ b/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml 
@@ -2,60 +2,60 @@ title: Suspicious PowerShell Parameter Substring status: experimental description: Detects suspicious PowerShell invocation with a parameter substring references: - - http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier + - http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier tags: - - attack.execution - - attack.t1086 + - attack.execution + - attack.t1086 author: Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix) logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image: - - '*\Powershell.exe' - CommandLine: - - ' -windowstyle h ' - - ' -windowstyl h' - - ' -windowsty h' - - ' -windowst h' - - ' -windows h' - - ' -windo h' - - ' -wind h' - - ' -win h' - - ' -wi h' - - ' -win h ' - - ' -win hi ' - - ' -win hid ' - - ' -win hidd ' - - ' -win hidde ' - - ' -NoPr ' - - ' -NoPro ' - - ' -NoProf ' - - ' -NoProfi ' - - ' -NoProfil ' - - ' -nonin ' - - ' -nonint ' - - ' -noninte ' - - ' -noninter ' - - ' -nonintera ' - - ' -noninterac ' - - ' -noninteract ' - - ' -noninteracti ' - - ' -noninteractiv ' - - ' -ec ' - - ' -encodedComman ' - - ' -encodedComma ' - - ' -encodedComm ' - - ' -encodedCom ' - - ' -encodedCo ' - - ' -encodedC ' - - ' -encoded ' - - ' -encode ' - - ' -encod ' - - ' -enco ' - - ' -en ' - condition: selection + selection: + Image: + - '*\Powershell.exe' + CommandLine: + - ' -windowstyle h ' + - ' -windowstyl h' + - ' -windowsty h' + - ' -windowst h' + - ' -windows h' + - ' -windo h' + - ' -wind h' + - ' -win h' + - ' -wi h' + - ' -win h ' + - ' -win hi ' + - ' -win hid ' + - ' -win hidd ' + - ' -win hidde ' + - ' -NoPr ' + - ' -NoPro ' + - ' -NoProf ' + - ' -NoProfi ' + - ' -NoProfil ' + - ' -nonin ' + - ' -nonint ' + - ' -noninte ' + - ' -noninter ' + - ' -nonintera ' + - ' -noninterac ' + - ' 
-noninteract ' + - ' -noninteracti ' + - ' -noninteractiv ' + - ' -ec ' + - ' -encodedComman ' + - ' -encodedComma ' + - ' -encodedComm ' + - ' -encodedCom ' + - ' -encodedCo ' + - ' -encodedC ' + - ' -encoded ' + - ' -encode ' + - ' -encod ' + - ' -enco ' + - ' -en ' + condition: selection falsepositives: - - Penetration tests + - Penetration tests level: high diff --git a/rules/windows/process_creation/win_process_creation_bitsadmin_download.yml b/rules/windows/process_creation/win_process_creation_bitsadmin_download.yml index 2e1f4e03d..42b697d03 100644 --- a/rules/windows/process_creation/win_process_creation_bitsadmin_download.yml +++ b/rules/windows/process_creation/win_process_creation_bitsadmin_download.yml @@ -2,27 +2,27 @@ title: Bitsadmin Download status: experimental description: Detects usage of bitsadmin downloading a file references: - - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin - - https://isc.sans.edu/diary/22264 + - https://blog.netspi.com/15-ways-to-download-a-file/#bitsadmin + - https://isc.sans.edu/diary/22264 tags: - - attack.defense_evasion - - attack.persistence - - attack.t1197 - - attack.s0190 + - attack.defense_evasion + - attack.persistence + - attack.t1197 + - attack.s0190 author: Michael Haag logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image: - - '*\bitsadmin.exe' - CommandLine: - - '/transfer' - condition: selection + selection: + Image: + - '*\bitsadmin.exe' + CommandLine: + - '/transfer' + condition: selection fields: - - CommandLine - - ParentCommandLine + - CommandLine + - ParentCommandLine falsepositives: - - Some legitimate apps use this, but limited. + - Some legitimate apps use this, but limited. level: medium diff --git a/rules/windows/process_creation/win_psexesvc_start.yml b/rules/windows/process_creation/win_psexesvc_start.yml index bf461d08c..d71fa288a 100644 
--- a/rules/windows/process_creation/win_psexesvc_start.yml +++ b/rules/windows/process_creation/win_psexesvc_start.yml @@ -4,16 +4,16 @@ author: Florian Roth date: 2018/03/13 modified: 2012/12/11 tags: - - attack.execution - - attack.t1035 - - attack.s0029 + - attack.execution + - attack.t1035 + - attack.s0029 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - ProcessCommandLine: C:\Windows\PSEXESVC.exe - condition: selection + selection: + ProcessCommandLine: C:\Windows\PSEXESVC.exe + condition: selection falsepositives: - - Administrative activity + - Administrative activity level: low diff --git a/rules/windows/process_creation/win_sdbinst_shim_persistence.yml b/rules/windows/process_creation/win_sdbinst_shim_persistence.yml index 793b5faeb..603a94914 100644 --- a/rules/windows/process_creation/win_sdbinst_shim_persistence.yml +++ b/rules/windows/process_creation/win_sdbinst_shim_persistence.yml @@ -2,22 +2,22 @@ title: Possible Shim Database Persistence via sdbinst.exe status: experimental description: Detects execution of sdbinst writing to default shim database path C:\Windows\AppPatch\* references: - - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html + - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html tags: - - attack.persistence - - attack.t1138 + - attack.persistence + - attack.t1138 author: Markus Neis date: 2018-08-03 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image: - - '*\sdbinst.exe' - CommandLine: - - '*\AppPatch\\*}.sdb*' - condition: selection + selection: + Image: + - '*\sdbinst.exe' + CommandLine: + - '*\AppPatch\\*}.sdb*' + condition: selection falsepositives: - - Unknown + - Unknown level: high 
diff --git a/rules/windows/process_creation/win_shell_spawn_susp_program.yml b/rules/windows/process_creation/win_shell_spawn_susp_program.yml index 14345a5bf..f965486f6 100644 --- a/rules/windows/process_creation/win_shell_spawn_susp_program.yml +++ b/rules/windows/process_creation/win_shell_spawn_susp_program.yml @@ -2,36 +2,36 @@ title: Windows Shell Spawning Suspicious Program status: experimental description: Detects a suspicious child process of a Windows shell references: - - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html + - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html author: Florian Roth date: 2018/04/06 modified: 2019/02/05 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - ParentImage: - - '*\mshta.exe' - - '*\powershell.exe' - - '*\cmd.exe' - - '*\rundll32.exe' - - '*\cscript.exe' - - '*\wscript.exe' - - '*\wmiprvse.exe' - Image: - - '*\schtasks.exe' - - '*\nslookup.exe' - - '*\certutil.exe' - - '*\bitsadmin.exe' - - '*\mshta.exe' - falsepositives: - CurrentDirectory: '*\ccmcache\*' - condition: selection and not falsepositives + selection: + ParentImage: + - '*\mshta.exe' + - '*\powershell.exe' + - '*\cmd.exe' + - '*\rundll32.exe' + - '*\cscript.exe' + - '*\wscript.exe' + - '*\wmiprvse.exe' + Image: + - '*\schtasks.exe' + - '*\nslookup.exe' + - '*\certutil.exe' + - '*\bitsadmin.exe' + - '*\mshta.exe' + falsepositives: + CurrentDirectory: '*\ccmcache\*' + condition: selection and not falsepositives fields: - - CommandLine - - ParentCommandLine + - CommandLine + - ParentCommandLine falsepositives: - - Administrative scripts - - Microsoft SCCM + - Administrative scripts + - Microsoft SCCM level: high diff --git a/rules/windows/process_creation/win_spn_enum.yml b/rules/windows/process_creation/win_spn_enum.yml index 569a9ad53..e00eacf52 100644 --- a/rules/windows/process_creation/win_spn_enum.yml 
+++ b/rules/windows/process_creation/win_spn_enum.yml @@ -2,23 +2,23 @@ title: Possible SPN Enumeration description: Detects Service Principal Name Enumeration used for Kerberoasting status: experimental references: - - https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation + - https://p16.praetorian.com/blog/how-to-use-kerberoasting-t1208-for-privilege-escalation author: Markus Neis, keepwatch date: 2018/11/14 tags: - - attack.credential_access - - attack.t1208 + - attack.credential_access + - attack.t1208 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection_image: - Image: '*\setspn.exe' - selection_desc: - Description: '*Query or reset the computer* SPN attribute*' - cmd: - CommandLine: '*-q*' - condition: (selection_image or selection_desc) and cmd + selection_image: + Image: '*\setspn.exe' + selection_desc: + Description: '*Query or reset the computer* SPN attribute*' + cmd: + CommandLine: '*-q*' + condition: (selection_image or selection_desc) and cmd falsepositives: - - Administrator Activity + - Administrator Activity level: medium diff --git a/rules/windows/process_creation/win_susp_bcdedit.yml b/rules/windows/process_creation/win_susp_bcdedit.yml index 51c019c54..e551c0868 100644 --- a/rules/windows/process_creation/win_susp_bcdedit.yml +++ b/rules/windows/process_creation/win_susp_bcdedit.yml 
@@ -2,18 +2,18 @@ title: Possible Ransomware or unauthorized MBR modifications status: experimental description: Detects, possibly, malicious unauthorized usage of bcdedit.exe references: - - https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set + - https://docs.microsoft.com/en-us/windows-hardware/drivers/devtest/bcdedit--set author: '@neu5ron' date: 2019/02/07 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - NewProcessName: '*\fsutil.exe' - ProcessCommandLine: - - '*delete*' - - '*deletevalue*' - - '*import*' - condition: selection + selection: + NewProcessName: '*\fsutil.exe' + ProcessCommandLine: + - '*delete*' + - '*deletevalue*' + - '*import*' + condition: selection level: medium diff --git a/rules/windows/process_creation/win_susp_calc.yml b/rules/windows/process_creation/win_susp_calc.yml index bc274db5e..92e8b9254 100644 --- a/rules/windows/process_creation/win_susp_calc.yml +++ b/rules/windows/process_creation/win_susp_calc.yml 
@@ -2,22 +2,22 @@ title: Suspicious Calculator Usage description: Detects suspicious use of calc.exe with command line parameters or in a suspicious directory, which is likely caused by some PoC or detection evasion status: experimental references: - - https://twitter.com/ItsReallyNick/status/1094080242686312448 + - https://twitter.com/ItsReallyNick/status/1094080242686312448 author: Florian Roth date: 2019/02/09 logsource: - product: windows - service: sysmon + product: windows + service: sysmon detection: - selection1: - EventID: 1 - CommandLine: '*\calc.exe *' - selection2: - EventID: 1 - Image: '*\calc.exe' - filter2: - Image: '*\Windows\Sys*' - condition: selection1 or ( selection2 and not filter2 ) + selection1: + EventID: 1 + CommandLine: '*\calc.exe *' + selection2: + EventID: 1 + Image: '*\calc.exe' + filter2: + Image: '*\Windows\Sys*' + condition: selection1 or ( selection2 and not filter2 ) falsepositives: - - Unknown + - Unknown level: high diff --git a/rules/windows/process_creation/win_susp_certutil_command.yml b/rules/windows/process_creation/win_susp_certutil_command.yml index 61139e638..9dc779d41 100644 --- a/rules/windows/process_creation/win_susp_certutil_command.yml +++ b/rules/windows/process_creation/win_susp_certutil_command.yml 
@@ -1,47 +1,47 @@ title: Suspicious Certutil Command status: experimental description: Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code with - the built-in certutil utility + the built-in certutil utility author: Florian Roth, juju4, keepwatch modified: 2019/01/22 references: - - https://twitter.com/JohnLaTwC/status/835149808817991680 - - https://twitter.com/subTee/status/888102593838362624 - - https://twitter.com/subTee/status/888071631528235010 - - https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/ - - https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/ - - https://twitter.com/egre55/status/1087685529016193025 - - https://lolbas-project.github.io/lolbas/Binaries/Certutil/ + - https://twitter.com/JohnLaTwC/status/835149808817991680 + - https://twitter.com/subTee/status/888102593838362624 + - https://twitter.com/subTee/status/888071631528235010 + - https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/ + - https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/ + - https://twitter.com/egre55/status/1087685529016193025 + - https://lolbas-project.github.io/lolbas/Binaries/Certutil/ logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine: - - '* -decode *' - - '* /decode *' - - '* -decodehex *' - - '* /decodehex *' - - '* -urlcache *' - - '* /urlcache *' - - '* -verifyctl *' - - '* /verifyctl *' - - '* -encode *' - - '* /encode *' - - '*certutil* -URL*' - - '*certutil* /URL*' - - '*certutil* -ping*' - - '*certutil* /ping*' - condition: selection + selection: + CommandLine: + - '* -decode *' + - '* /decode *' + - '* -decodehex *' + - '* /decodehex *' + - '* -urlcache *' + - '* /urlcache *' + - '* -verifyctl *' + - '* /verifyctl *' + - '* -encode *' + - '* /encode *' + - '*certutil* -URL*' + - '*certutil* 
/URL*' + - '*certutil* -ping*' + - '*certutil* /ping*' + condition: selection fields: - - CommandLine - - ParentCommandLine + - CommandLine + - ParentCommandLine tags: - - attack.defense_evasion - - attack.t1140 - - attack.t1105 - - attack.s0189 - - attack.g0007 + - attack.defense_evasion + - attack.t1140 + - attack.t1105 + - attack.s0189 + - attack.g0007 falsepositives: - - False positives depend on scripts and administrative tools used in the monitored environment + - False positives depend on scripts and administrative tools used in the monitored environment level: high diff --git a/rules/windows/process_creation/win_susp_certutil_encode.yml b/rules/windows/process_creation/win_susp_certutil_encode.yml index aa1d805e6..1b4bfbe0c 100644 --- a/rules/windows/process_creation/win_susp_certutil_encode.yml +++ b/rules/windows/process_creation/win_susp_certutil_encode.yml 
@@ -2,21 +2,21 @@ title: Certutil Encode status: experimental description: Detects suspicious a certutil command that used to encode files, which is sometimes used for data exfiltration references: - - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil - - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/ + - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil + - https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/ author: Florian Roth date: 2019/02/24 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine: - - certutil -f -encode * - - certutil.exe -f -encode * - - certutil -encode -f * - - certutil.exe -encode -f * - condition: selection + selection: + CommandLine: + - certutil -f -encode * + - certutil.exe -f -encode * + - certutil -encode -f * + - certutil.exe -encode -f * + condition: selection falsepositives: - - unknown + - unknown level: medium diff --git a/rules/windows/process_creation/win_susp_cli_escape.yml b/rules/windows/process_creation/win_susp_cli_escape.yml index cf37d4009..46f573fcd 100644 --- a/rules/windows/process_creation/win_susp_cli_escape.yml +++ b/rules/windows/process_creation/win_susp_cli_escape.yml 
@@ -2,26 +2,26 @@ title: Suspicious Commandline Escape description: Detects suspicious process that use escape characters status: experimental references: - - https://twitter.com/vysecurity/status/885545634958385153 - - https://twitter.com/Hexacorn/status/885553465417756673 - - https://twitter.com/Hexacorn/status/885570278637678592 - - https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html - - http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/ + - https://twitter.com/vysecurity/status/885545634958385153 + - https://twitter.com/Hexacorn/status/885553465417756673 + - https://twitter.com/Hexacorn/status/885570278637678592 + - https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html + - http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/ author: juju4 modified: 2018/12/11 tags: - - attack.defense_evasion - - attack.t1140 + - attack.defense_evasion + - attack.t1140 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine: - - - - ^h^t^t^p - - h"t"t"p - condition: selection + selection: + CommandLine: + - + - ^h^t^t^p + - h"t"t"p + condition: selection falsepositives: - - False positives depend on scripts and administrative tools used in the monitored environment + - False positives depend on scripts and administrative tools used in the monitored environment level: low diff --git a/rules/windows/process_creation/win_susp_cmd_http_appdata.yml b/rules/windows/process_creation/win_susp_cmd_http_appdata.yml index 8c67992ad..9655396a0 100644 --- a/rules/windows/process_creation/win_susp_cmd_http_appdata.yml +++ b/rules/windows/process_creation/win_susp_cmd_http_appdata.yml 
@@ -1,23 +1,23 @@ title: Command Line Execution with suspicious URL and AppData Strings status: experimental description: Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs - > powershell) + > powershell) references: - - https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100 - - https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100 + - https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100 + - https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100 author: Florian Roth logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine: - - cmd.exe /c *http://*%AppData% - - cmd.exe /c *https://*%AppData% - condition: selection + selection: + CommandLine: + - cmd.exe /c *http://*%AppData% + - cmd.exe /c *https://*%AppData% + condition: selection fields: - - CommandLine - - ParentCommandLine + - CommandLine + - ParentCommandLine falsepositives: - - High + - High level: medium diff --git a/rules/windows/process_creation/win_susp_commands_recon_activity.yml b/rules/windows/process_creation/win_susp_commands_recon_activity.yml index 074cf6ed9..c5a639a0b 100644 --- a/rules/windows/process_creation/win_susp_commands_recon_activity.yml +++ b/rules/windows/process_creation/win_susp_commands_recon_activity.yml 
@@ -2,41 +2,41 @@ title: Reconnaissance Activity with Net Command status: experimental description: Detects a set of commands often used in recon stages by different attack groups references: - - https://twitter.com/haroonmeer/status/939099379834658817 - - https://twitter.com/c_APT_ure/status/939475433711722497 - - https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html + - https://twitter.com/haroonmeer/status/939099379834658817 + - https://twitter.com/c_APT_ure/status/939475433711722497 + - https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html author: Florian Roth, Markus Neis date: 2018/08/22 modified: 2018/12/11 tags: - - attack.discovery - - attack.t1073 - - attack.t1012 + - attack.discovery + - attack.t1073 + - attack.t1012 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine: - - tasklist - - net time - - systeminfo - - whoami - - nbtstat - - net start - - '*\net1 start' - - qprocess - - nslookup - - hostname.exe - - '*\net1 user /domain' - - '*\net1 group /domain' - - '*\net1 group "domain admins" /domain' - - '*\net1 group "Exchange Trusted Subsystem" /domain' - - '*\net1 accounts /domain' - - '*\net1 user net localgroup administrators' - - netstat -an - timeframe: 15s - condition: selection | count() by CommandLine > 4 + selection: + CommandLine: + - tasklist + - net time + - systeminfo + - whoami + - nbtstat + - net start + - '*\net1 start' + - qprocess + - nslookup + - hostname.exe + - '*\net1 user /domain' + - '*\net1 group /domain' + - '*\net1 group "domain admins" /domain' + - '*\net1 group "Exchange Trusted Subsystem" /domain' + - '*\net1 accounts /domain' + - '*\net1 user net localgroup administrators' + - netstat -an + timeframe: 15s + condition: selection | count() by CommandLine > 4 falsepositives: - - False positives depend on scripts and administrative tools used in the monitored environment + - False 
positives depend on scripts and administrative tools used in the monitored environment level: medium diff --git a/rules/windows/process_creation/win_susp_control_dll_load.yml b/rules/windows/process_creation/win_susp_control_dll_load.yml index 7fb960a1b..457ba0c49 100644 --- a/rules/windows/process_creation/win_susp_control_dll_load.yml +++ b/rules/windows/process_creation/win_susp_control_dll_load.yml @@ -4,20 +4,20 @@ description: Detects suspicious Rundll32 execution from control.exe as used by E author: Florian Roth date: 2017/04/15 references: - - https://twitter.com/rikvduijn/status/853251879320662017 + - https://twitter.com/rikvduijn/status/853251879320662017 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - ParentImage: '*\System32\control.exe' - CommandLine: '*\rundll32.exe *' - filter: - CommandLine: '*Shell32.dll*' - condition: selection and not filter + selection: + ParentImage: '*\System32\control.exe' + CommandLine: '*\rundll32.exe *' + filter: + CommandLine: '*Shell32.dll*' + condition: selection and not filter fields: - - CommandLine - - ParentCommandLine + - CommandLine + - ParentCommandLine falsepositives: - - Unknown + - Unknown level: high diff --git a/rules/windows/process_creation/win_susp_csc.yml b/rules/windows/process_creation/win_susp_csc.yml index 8eb7bd539..715ed3cab 100644 --- a/rules/windows/process_creation/win_susp_csc.yml +++ b/rules/windows/process_creation/win_susp_csc.yml 
@@ -2,23 +2,23 @@ title: Suspicious Parent of Csc.exe description: Detects a suspicious parent of csc.exe, which could by a sign of payload delivery status: experimental references: - - https://twitter.com/SBousseaden/status/1094924091256176641 + - https://twitter.com/SBousseaden/status/1094924091256176641 author: Florian Roth date: 2019/02/11 tags: - - attack.defense_evasion - - attack.t1036 + - attack.defense_evasion + - attack.t1036 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image: '*\csc.exe*' - ParentImage: - - '*\wscript.exe' - - '*\cscript.exe' - - '*\mshta.exe' - condition: selection + selection: + Image: '*\csc.exe*' + ParentImage: + - '*\wscript.exe' + - '*\cscript.exe' + - '*\mshta.exe' + condition: selection falsepositives: - - Unkown + - Unkown level: high diff --git a/rules/windows/process_creation/win_susp_exec_folder.yml b/rules/windows/process_creation/win_susp_exec_folder.yml index d57ab5526..6372cec7d 100644 --- a/rules/windows/process_creation/win_susp_exec_folder.yml +++ b/rules/windows/process_creation/win_susp_exec_folder.yml 
@@ -5,31 +5,31 @@ author: Florian Roth date: 2017/10/14 modfied: 2019/02/21 references: - - https://github.com/mbevilacqua/appcompatprocessor/blob/master/AppCompatSearch.txt - - https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses - - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/ + - https://github.com/mbevilacqua/appcompatprocessor/blob/master/AppCompatSearch.txt + - https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses + - https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/ logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image: - - C:\PerfLogs\\* - - C:\$Recycle.bin\\* - - C:\Intel\Logs\\* - - C:\Users\Default\\* - - C:\Users\Public\\* - - C:\Users\NetworkService\\* - - C:\Windows\Fonts\\* - - C:\Windows\Debug\\* - - C:\Windows\Media\\* - - C:\Windows\Help\\* - - C:\Windows\addins\\* - - C:\Windows\repair\\* - - C:\Windows\security\\* - - '*\RSA\MachineKeys\\*' - - C:\Windows\system32\config\systemprofile\\* - condition: selection + selection: + Image: + - C:\PerfLogs\\* + - C:\$Recycle.bin\\* + - C:\Intel\Logs\\* + - C:\Users\Default\\* + - C:\Users\Public\\* + - C:\Users\NetworkService\\* + - C:\Windows\Fonts\\* + - C:\Windows\Debug\\* + - C:\Windows\Media\\* + - C:\Windows\Help\\* + - C:\Windows\addins\\* + - C:\Windows\repair\\* + - C:\Windows\security\\* + - '*\RSA\MachineKeys\\*' + - C:\Windows\system32\config\systemprofile\\* + condition: selection falsepositives: - - Unknown + - Unknown level: high diff --git a/rules/windows/process_creation/win_susp_execution_path.yml b/rules/windows/process_creation/win_susp_execution_path.yml index d8ebef1e0..4a0f1f5e9 100644 --- a/rules/windows/process_creation/win_susp_execution_path.yml +++ b/rules/windows/process_creation/win_susp_execution_path.yml 
@@ -3,24 +3,24 @@ status: experimental description: Detects a suspicious exection from an uncommon folder author: Florian Roth logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image: - - '*\$Recycle.bin' - - '*\Users\All Users\\*' - - '*\Users\Default\\*' - - '*\Users\Public\\*' - - 'C:\Perflogs\\*' - - '*\config\systemprofile\\*' - - '*\Windows\Fonts\\*' - - '*\Windows\IME\\*' - - '*\Windows\addins\\*' - condition: selection + selection: + Image: + - '*\$Recycle.bin' + - '*\Users\All Users\\*' + - '*\Users\Default\\*' + - '*\Users\Public\\*' + - 'C:\Perflogs\\*' + - '*\config\systemprofile\\*' + - '*\Windows\Fonts\\*' + - '*\Windows\IME\\*' + - '*\Windows\addins\\*' + condition: selection fields: - - CommandLine - - ParentCommandLine + - CommandLine + - ParentCommandLine falsepositives: - - Unknown + - Unknown level: high diff --git a/rules/windows/process_creation/win_susp_execution_path_webserver.yml b/rules/windows/process_creation/win_susp_execution_path_webserver.yml index a68521da6..d687dc461 100644 --- a/rules/windows/process_creation/win_susp_execution_path_webserver.yml +++ b/rules/windows/process_creation/win_susp_execution_path_webserver.yml 
@@ -3,26 +3,26 @@ status: experimental description: Detects a suspicious program execution in a web service root folder (filter out false positives) author: Florian Roth logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image: - - '*\wwwroot\\*' - - '*\wmpub\\*' - - '*\htdocs\\*' - filter: - Image: - - '*bin\\*' - - '*\Tools\\*' - - '*\SMSComponent\\*' - ParentImage: - - '*\services.exe' - condition: selection and not filter + selection: + Image: + - '*\wwwroot\\*' + - '*\wmpub\\*' + - '*\htdocs\\*' + filter: + Image: + - '*bin\\*' + - '*\Tools\\*' + - '*\SMSComponent\\*' + ParentImage: + - '*\services.exe' + condition: selection and not filter fields: - - CommandLine - - ParentCommandLine + - CommandLine + - ParentCommandLine falsepositives: - - Various applications - - Tools that include ping or nslookup command invocations + - Various applications + - Tools that include ping or nslookup command invocations level: medium diff --git a/rules/windows/process_creation/win_susp_gup.yml b/rules/windows/process_creation/win_susp_gup.yml index e2498fbf8..c711c47cc 100644 --- a/rules/windows/process_creation/win_susp_gup.yml +++ b/rules/windows/process_creation/win_susp_gup.yml 
@@ -2,18 +2,18 @@ title: Suspicious GUP Usage description: Detects execution of the Notepad++ updater in a suspicious directory, which is often used in DLL side-loading attacks status: experimental references: - - https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html + - https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html author: Florian Roth date: 2019/02/06 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image: '*\GUP.exe' - filter: - Image: '*\updater\*' - condition: selection and not filter + selection: + Image: '*\GUP.exe' + filter: + Image: '*\updater\*' + condition: selection and not filter falsepositives: - - Execution of tools named GUP.exe and located in folders different than Notepad++\updater + - Execution of tools named GUP.exe and located in folders different than Notepad++\updater level: high diff --git a/rules/windows/process_creation/win_susp_iss_module_install.yml b/rules/windows/process_creation/win_susp_iss_module_install.yml index 52b684596..3bcbcbb79 100644 --- a/rules/windows/process_creation/win_susp_iss_module_install.yml +++ b/rules/windows/process_creation/win_susp_iss_module_install.yml 
@@ -2,20 +2,20 @@ title: IIS Native-Code Module Command Line Installation description: Detects suspicious IIS native-code module installations via command line status: experimental references: - - https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/ + - https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/ author: Florian Roth modified: 2012/12/11 tags: - - attack.persistence - - attack.t1100 + - attack.persistence + - attack.t1100 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine: - - '*\APPCMD.EXE install module /name:*' - condition: selection + selection: + CommandLine: + - '*\APPCMD.EXE install module /name:*' + condition: selection falsepositives: - - Unknown as it may vary from organisation to arganisation how admins use to install IIS modules + - Unknown as it may vary from organisation to arganisation how admins use to install IIS modules level: medium diff --git a/rules/windows/process_creation/win_susp_mmc_source.yml b/rules/windows/process_creation/win_susp_mmc_source.yml index 94226405b..bdadc4dcd 100644 --- a/rules/windows/process_creation/win_susp_mmc_source.yml +++ b/rules/windows/process_creation/win_susp_mmc_source.yml 
@@ -2,20 +2,20 @@ title: Processes created by MMC status: experimental description: Processes started by MMC could be a sign of lateral movement using MMC application COM object references: - - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/ + - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/ logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - ParentImage: '*\mmc.exe' - Image: '*\cmd.exe' - exclusion: - CommandLine: '*\RunCmd.cmd' - condition: selection and not exclusion + selection: + ParentImage: '*\mmc.exe' + Image: '*\cmd.exe' + exclusion: + CommandLine: '*\RunCmd.cmd' + condition: selection and not exclusion fields: - - CommandLine - - ParentCommandLine + - CommandLine + - ParentCommandLine falsepositives: - - unknown + - unknown level: medium diff --git a/rules/windows/process_creation/win_susp_msiexec_web_install.yml b/rules/windows/process_creation/win_susp_msiexec_web_install.yml index 5e6734058..ec773ad68 100644 --- a/rules/windows/process_creation/win_susp_msiexec_web_install.yml +++ b/rules/windows/process_creation/win_susp_msiexec_web_install.yml 
@@ -2,18 +2,18 @@ title: MsiExec Web Install status: experimental description: Detects suspicious msiexec proess starts with web addreses as parameter references: - - https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/ + - https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/ author: Florian Roth date: 2018/02/09 modified: 2012/12/11 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine: - - '* msiexec*:\/\/*' - condition: selection + selection: + CommandLine: + - '* msiexec*:\/\/*' + condition: selection falsepositives: - - False positives depend on scripts and administrative tools used in the monitored environment + - False positives depend on scripts and administrative tools used in the monitored environment level: medium diff --git a/rules/windows/process_creation/win_susp_net_execution.yml b/rules/windows/process_creation/win_susp_net_execution.yml index 697b44629..fbccb2aa8 100644 --- a/rules/windows/process_creation/win_susp_net_execution.yml +++ b/rules/windows/process_creation/win_susp_net_execution.yml 
@@ -2,32 +2,32 @@ title: Net.exe Execution status: experimental description: Detects execution of Net.exe, whether suspicious or benign. references: - - https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/ + - https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/ author: Michael Haag, Mark Woan (improvements) tags: - - attack.s0039 - - attack.lateral_movement - - attack.discovery + - attack.s0039 + - attack.lateral_movement + - attack.discovery logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image: - - '*\net.exe' - - '*\net1.exe' - CommandLine: - - '* group*' - - '* localgroup*' - - '* user*' - - '* view*' - - '* share' - - '* accounts*' - - '* use*' - condition: selection + selection: + Image: + - '*\net.exe' + - '*\net1.exe' + CommandLine: + - '* group*' + - '* localgroup*' + - '* user*' + - '* view*' + - '* share' + - '* accounts*' + - '* use*' + condition: selection fields: - - CommandLine - - ParentCommandLine + - CommandLine + - ParentCommandLine falsepositives: - - Will need to be tuned. If using Splunk, I recommend | stats count by Computer,CommandLine following the search for easy hunting by computer/CommandLine. + - Will need to be tuned. If using Splunk, I recommend | stats count by Computer,CommandLine following the search for easy hunting by computer/CommandLine. level: low diff --git a/rules/windows/process_creation/win_susp_ntdsutil.yml b/rules/windows/process_creation/win_susp_ntdsutil.yml index a47746103..72f33a934 100644 --- a/rules/windows/process_creation/win_susp_ntdsutil.yml +++ b/rules/windows/process_creation/win_susp_ntdsutil.yml 
@@ -2,18 +2,18 @@ title: Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) description: Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT) status: experimental references: - - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm + - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm author: Thomas Patzke tags: - - attack.credential_access - - attack.t1003 + - attack.credential_access + - attack.t1003 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine: '*\ntdsutil*' - condition: selection + selection: + CommandLine: '*\ntdsutil*' + condition: selection falsepositives: - - NTDS maintenance + - NTDS maintenance level: high diff --git a/rules/windows/process_creation/win_susp_outlook.yml b/rules/windows/process_creation/win_susp_outlook.yml index 51a114639..619ce7ab9 100644 --- a/rules/windows/process_creation/win_susp_outlook.yml +++ b/rules/windows/process_creation/win_susp_outlook.yml 
@@ -2,24 +2,24 @@ title: Suspicious Execution from Outlook status: experimental description: Detects EnableUnsafeClientMailRules used for Script Execution from Outlook references: - - https://github.com/sensepost/ruler - - https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html + - https://github.com/sensepost/ruler + - https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html tags: - - attack.execution - - attack.t1059 - - attack.t1202 + - attack.execution + - attack.t1059 + - attack.t1202 author: Markus Neis date: 2018/12/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - clientMailRules: - CommandLine: '*EnableUnsafeClientMailRules*' - outlookExec: - ParentImage: '*\outlook.exe' - CommandLine: \\\\*\\*.exe - condition: clientMailRules or outlookExec + clientMailRules: + CommandLine: '*EnableUnsafeClientMailRules*' + outlookExec: + ParentImage: '*\outlook.exe' + CommandLine: \\\\*\\*.exe + condition: clientMailRules or outlookExec falsepositives: - - unknown + - unknown level: high diff --git a/rules/windows/process_creation/win_susp_ping_hex_ip.yml b/rules/windows/process_creation/win_susp_ping_hex_ip.yml index 4620d0722..3fdeb0b7d 100644 --- a/rules/windows/process_creation/win_susp_ping_hex_ip.yml +++ b/rules/windows/process_creation/win_susp_ping_hex_ip.yml 
@@ -1,21 +1,21 @@ title: Ping Hex IP description: Detects a ping command that uses a hex encoded IP address references: - - https://github.com/vysec/Aggressor-VYSEC/blob/master/ping.cna - - https://twitter.com/vysecurity/status/977198418354491392 + - https://github.com/vysec/Aggressor-VYSEC/blob/master/ping.cna + - https://twitter.com/vysecurity/status/977198418354491392 author: Florian Roth date: 2018/03/23 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine: - - '*\ping.exe 0x*' - - '*\ping 0x*' - condition: selection + selection: + CommandLine: + - '*\ping.exe 0x*' + - '*\ping 0x*' + condition: selection fields: - - ParentCommandLine + - ParentCommandLine falsepositives: - - Unlikely, because no sane admin pings IP addresses in a hexadecimal form + - Unlikely, because no sane admin pings IP addresses in a hexadecimal form level: high diff --git a/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml index 9d26235e3..b429a77b6 100644 --- a/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml +++ b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml 
@@ -2,25 +2,25 @@ title: Suspicious Encoded PowerShell Command Line description: Detects suspicious powershell process starts with base64 encoded commands status: experimental references: - - https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e + - https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e author: Florian Roth, Markus Neis date: 2018/09/03 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine: - - '* -e JAB*' - - '* -enc JAB*' - - '* -encodedcommand JAB*' - - '* BA^J e-' - falsepositive1: - Image: '*\GRR\\*' - falsepositive2: - CommandLine: '* -ExecutionPolicy remotesigned *' - condition: selection and not 1 of falsepositive* + selection: + CommandLine: + - '* -e JAB*' + - '* -enc JAB*' + - '* -encodedcommand JAB*' + - '* BA^J e-' + falsepositive1: + Image: '*\GRR\\*' + falsepositive2: + CommandLine: '* -ExecutionPolicy remotesigned *' + condition: selection and not 1 of falsepositive* falsepositives: - - GRR powershell hacks - - PowerSponse Deployments + - GRR powershell hacks + - PowerSponse Deployments level: high diff --git a/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml b/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml index 74e01c8bc..a2e93a389 100644 --- a/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml +++ b/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml 
@@ -2,69 +2,69 @@ title: Malicious Base64 encoded PowerShell Keywords in command lines status: experimental description: Detects base64 encoded strings used in hidden malicious PowerShell command lines references: - - http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/ + - http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/ tags: - - attack.execution - - attack.t1086 + - attack.execution + - attack.t1086 author: John Lambert (rule) logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - encoded: - Image: '*\powershell.exe' - CommandLine: '* hidden *' - selection: - CommandLine: - - '*AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA*' - - '*aXRzYWRtaW4gL3RyYW5zZmVy*' - - '*IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA*' - - '*JpdHNhZG1pbiAvdHJhbnNmZX*' - - '*YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg*' - - '*Yml0c2FkbWluIC90cmFuc2Zlc*' - - '*AGMAaAB1AG4AawBfAHMAaQB6AGUA*' - - '*JABjAGgAdQBuAGsAXwBzAGkAegBlA*' - - '*JGNodW5rX3Npem*' - - '*QAYwBoAHUAbgBrAF8AcwBpAHoAZQ*' - - '*RjaHVua19zaXpl*' - - '*Y2h1bmtfc2l6Z*' - - '*AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A*' - - '*kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg*' - - '*lPLkNvbXByZXNzaW9u*' - - '*SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA*' - - '*SU8uQ29tcHJlc3Npb2*' - - '*Ty5Db21wcmVzc2lvb*' - - '*AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ*' - - '*kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA*' - - '*lPLk1lbW9yeVN0cmVhb*' - - '*SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A*' - - '*SU8uTWVtb3J5U3RyZWFt*' - - '*Ty5NZW1vcnlTdHJlYW*' - - '*4ARwBlAHQAQwBoAHUAbgBrA*' - - '*5HZXRDaHVua*' - - '*AEcAZQB0AEMAaAB1AG4Aaw*' - - '*LgBHAGUAdABDAGgAdQBuAGsA*' - - '*LkdldENodW5r*' - - '*R2V0Q2h1bm*' - - '*AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A*' - - '*QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA*' - - '*RIUkVBRF9JTkZPNj*' - - '*SFJFQURfSU5GTzY0*' - - '*VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA*' - - '*VEhSRUFEX0lORk82N*' - - 
'*AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA*' - - '*cmVhdGVSZW1vdGVUaHJlYW*' - - '*MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA*' - - '*NyZWF0ZVJlbW90ZVRocmVhZ*' - - '*Q3JlYXRlUmVtb3RlVGhyZWFk*' - - '*QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA*' - - '*0AZQBtAG0AbwB2AGUA*' - - '*1lbW1vdm*' - - '*AGUAbQBtAG8AdgBlA*' - - '*bQBlAG0AbQBvAHYAZQ*' - - '*bWVtbW92Z*' - - '*ZW1tb3Zl*' - condition: encoded and selection + encoded: + Image: '*\powershell.exe' + CommandLine: '* hidden *' + selection: + CommandLine: + - '*AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA*' + - '*aXRzYWRtaW4gL3RyYW5zZmVy*' + - '*IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA*' + - '*JpdHNhZG1pbiAvdHJhbnNmZX*' + - '*YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg*' + - '*Yml0c2FkbWluIC90cmFuc2Zlc*' + - '*AGMAaAB1AG4AawBfAHMAaQB6AGUA*' + - '*JABjAGgAdQBuAGsAXwBzAGkAegBlA*' + - '*JGNodW5rX3Npem*' + - '*QAYwBoAHUAbgBrAF8AcwBpAHoAZQ*' + - '*RjaHVua19zaXpl*' + - '*Y2h1bmtfc2l6Z*' + - '*AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A*' + - '*kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg*' + - '*lPLkNvbXByZXNzaW9u*' + - '*SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA*' + - '*SU8uQ29tcHJlc3Npb2*' + - '*Ty5Db21wcmVzc2lvb*' + - '*AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ*' + - '*kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA*' + - '*lPLk1lbW9yeVN0cmVhb*' + - '*SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A*' + - '*SU8uTWVtb3J5U3RyZWFt*' + - '*Ty5NZW1vcnlTdHJlYW*' + - '*4ARwBlAHQAQwBoAHUAbgBrA*' + - '*5HZXRDaHVua*' + - '*AEcAZQB0AEMAaAB1AG4Aaw*' + - '*LgBHAGUAdABDAGgAdQBuAGsA*' + - '*LkdldENodW5r*' + - '*R2V0Q2h1bm*' + - '*AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A*' + - '*QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA*' + - '*RIUkVBRF9JTkZPNj*' + - '*SFJFQURfSU5GTzY0*' + - '*VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA*' + - '*VEhSRUFEX0lORk82N*' + - '*AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA*' + - '*cmVhdGVSZW1vdGVUaHJlYW*' + - '*MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA*' + - '*NyZWF0ZVJlbW90ZVRocmVhZ*' + - '*Q3JlYXRlUmVtb3RlVGhyZWFk*' + - 
'*QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA*' + - '*0AZQBtAG0AbwB2AGUA*' + - '*1lbW1vdm*' + - '*AGUAbQBtAG8AdgBlA*' + - '*bQBlAG0AbQBvAHYAZQ*' + - '*bWVtbW92Z*' + - '*ZW1tb3Zl*' + condition: encoded and selection falsepositives: - - Penetration tests + - Penetration tests level: high diff --git a/rules/windows/process_creation/win_susp_powershell_parent_combo.yml b/rules/windows/process_creation/win_susp_powershell_parent_combo.yml index 64e672cd5..26cdf23c2 100644 --- a/rules/windows/process_creation/win_susp_powershell_parent_combo.yml +++ b/rules/windows/process_creation/win_susp_powershell_parent_combo.yml @@ -3,27 +3,27 @@ status: experimental description: Detects suspicious powershell invocations from interpreters or unusual programs author: Florian Roth references: - - https://www.carbonblack.com/2017/03/15/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/ + - https://www.carbonblack.com/2017/03/15/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/ tags: - - attack.execution - - attack.t1086 + - attack.execution + - attack.t1086 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - ParentImage: - - '*\wscript.exe' - - '*\cscript.exe' - Image: - - '*\powershell.exe' - falsepositive: - CurrentDirectory: '*\Health Service State\\*' - condition: selection and not falsepositive + selection: + ParentImage: + - '*\wscript.exe' + - '*\cscript.exe' + Image: + - '*\powershell.exe' + falsepositive: + CurrentDirectory: '*\Health Service State\\*' + condition: selection and not falsepositive fields: - - CommandLine - - ParentCommandLine + - CommandLine + - ParentCommandLine falsepositives: - - Microsoft Operations Manager (MOM) - - Other scripts + - Microsoft Operations Manager (MOM) + - Other scripts level: medium 
diff --git a/rules/windows/process_creation/win_susp_procdump.yml b/rules/windows/process_creation/win_susp_procdump.yml index e4b4a306d..1f6c6ce63 100644 --- a/rules/windows/process_creation/win_susp_procdump.yml +++ b/rules/windows/process_creation/win_susp_procdump.yml @@ -1,28 +1,28 @@ title: Suspicious Use of Procdump description: Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This - way we're also able to catch cases in which the attacker has renamed the procdump executable. + way we're also able to catch cases in which the attacker has renamed the procdump executable. status: experimental references: - - Internal Research + - Internal Research author: Florian Roth date: 2018/10/30 tags: - - attack.defense_evasion - - attack.t1036 - - attack.credential_access - - attack.t1003 + - attack.defense_evasion + - attack.t1036 + - attack.credential_access + - attack.t1003 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection1: - CommandLine: - - '* -ma *' - selection2: - CommandLine: - - '* lsass.exe*' - condition: selection1 and selection2 + selection1: + CommandLine: + - '* -ma *' + selection2: + CommandLine: + - '* lsass.exe*' + condition: selection1 and selection2 falsepositives: - - Unlikely, because no one should dump an lsass process memory - - Another tool that uses the command line switches of Procdump + - Unlikely, because no one should dump an lsass process memory + - Another tool that uses the command line switches of Procdump level: medium diff --git a/rules/windows/process_creation/win_susp_process_creations.yml b/rules/windows/process_creation/win_susp_process_creations.yml index b33e4e060..59da76820 100644 --- a/rules/windows/process_creation/win_susp_process_creations.yml +++ b/rules/windows/process_creation/win_susp_process_creations.yml 
@@ -2,72 +2,72 @@ title: Suspicious Process Creation description: Detects suspicious process starts on Windows systems based on keywords status: experimental references: - - https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/ - - https://www.youtube.com/watch?v=H3t_kHQG1Js&feature=youtu.be&t=15m35s - - https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/ - - https://twitter.com/subTee/status/872244674609676288 - - https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/remote-tool-examples - - https://tyranidslair.blogspot.ca/2017/07/dg-on-windows-10-s-executing-arbitrary.html - - https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/ - - https://subt0x10.blogspot.ca/2017/04/bypassing-application-whitelisting.html - - https://gist.github.com/subTee/7937a8ef07409715f15b84781e180c46#file-rat-bat - - https://twitter.com/vector_sec/status/896049052642533376 - - http://security-research.dyndns.org/pub/slides/FIRST-TC-2018/FIRST-TC-2018_Tom-Ueltschi_Sysmon_PUBLIC.pdf + - https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/ + - https://www.youtube.com/watch?v=H3t_kHQG1Js&feature=youtu.be&t=15m35s + - https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/ + - https://twitter.com/subTee/status/872244674609676288 + - https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/remote-tool-examples + - https://tyranidslair.blogspot.ca/2017/07/dg-on-windows-10-s-executing-arbitrary.html + - https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/ + - https://subt0x10.blogspot.ca/2017/04/bypassing-application-whitelisting.html + - https://gist.github.com/subTee/7937a8ef07409715f15b84781e180c46#file-rat-bat + - https://twitter.com/vector_sec/status/896049052642533376 + - http://security-research.dyndns.org/pub/slides/FIRST-TC-2018/FIRST-TC-2018_Tom-Ueltschi_Sysmon_PUBLIC.pdf author: Florian Roth modified: 2018/12/11 logsource: - category: process_creation - product: 
windows + category: process_creation + product: windows detection: - selection: - CommandLine: - - vssadmin.exe delete shadows* - - vssadmin delete shadows* - - vssadmin create shadow /for=C:* - - copy \\?\GLOBALROOT\Device\\*\windows\ntds\ntds.dit* - - copy \\?\GLOBALROOT\Device\\*\config\SAM* - - reg SAVE HKLM\SYSTEM * - - '* sekurlsa:*' - - net localgroup adminstrators * /add - - net group "Domain Admins" * /ADD /DOMAIN - - certutil.exe *-urlcache* http* - - certutil.exe *-urlcache* ftp* - - netsh advfirewall firewall *\AppData\\* - - attrib +S +H +R *\AppData\\* - - schtasks* /create *\AppData\\* - - schtasks* /sc minute* - - '*\Regasm.exe *\AppData\\*' - - '*\Regasm *\AppData\\*' - - '*\bitsadmin* /transfer*' - - '*\certutil.exe * -decode *' - - '*\certutil.exe * -decodehex *' - - '*\certutil.exe -ping *' - - icacls * /grant Everyone:F /T /C /Q - - '* wmic shadowcopy delete *' - - '* wbadmin.exe delete catalog -quiet*' - - '*\wscript.exe *.jse' - - '*\wscript.exe *.js' - - '*\wscript.exe *.vba' - - '*\wscript.exe *.vbe' - - '*\cscript.exe *.jse' - - '*\cscript.exe *.js' - - '*\cscript.exe *.vba' - - '*\cscript.exe *.vbe' - - '*\fodhelper.exe' - - '*waitfor*/s*' - - '*waitfor*/si persist*' - - '*remote*/s*' - - '*remote*/c*' - - '*remote*/q*' - - '*AddInProcess*' - - '* /stext *' - - '* /scomma *' - - '* /stab *' - - '* /stabular *' - - '* /shtml *' - - '* /sverhtml *' - - '* /sxml *' - condition: selection + selection: + CommandLine: + - vssadmin.exe delete shadows* + - vssadmin delete shadows* + - vssadmin create shadow /for=C:* + - copy \\?\GLOBALROOT\Device\\*\windows\ntds\ntds.dit* + - copy \\?\GLOBALROOT\Device\\*\config\SAM* + - reg SAVE HKLM\SYSTEM * + - '* sekurlsa:*' + - net localgroup adminstrators * /add + - net group "Domain Admins" * /ADD /DOMAIN + - certutil.exe *-urlcache* http* + - certutil.exe *-urlcache* ftp* + - netsh advfirewall firewall *\AppData\\* + - attrib +S +H +R *\AppData\\* + - schtasks* /create *\AppData\\* + - schtasks* /sc 
minute* + - '*\Regasm.exe *\AppData\\*' + - '*\Regasm *\AppData\\*' + - '*\bitsadmin* /transfer*' + - '*\certutil.exe * -decode *' + - '*\certutil.exe * -decodehex *' + - '*\certutil.exe -ping *' + - icacls * /grant Everyone:F /T /C /Q + - '* wmic shadowcopy delete *' + - '* wbadmin.exe delete catalog -quiet*' + - '*\wscript.exe *.jse' + - '*\wscript.exe *.js' + - '*\wscript.exe *.vba' + - '*\wscript.exe *.vbe' + - '*\cscript.exe *.jse' + - '*\cscript.exe *.js' + - '*\cscript.exe *.vba' + - '*\cscript.exe *.vbe' + - '*\fodhelper.exe' + - '*waitfor*/s*' + - '*waitfor*/si persist*' + - '*remote*/s*' + - '*remote*/c*' + - '*remote*/q*' + - '*AddInProcess*' + - '* /stext *' + - '* /scomma *' + - '* /stab *' + - '* /stabular *' + - '* /shtml *' + - '* /sverhtml *' + - '* /sxml *' + condition: selection falsepositives: - - False positives depend on scripts and administrative tools used in the monitored environment + - False positives depend on scripts and administrative tools used in the monitored environment level: medium diff --git a/rules/windows/process_creation/win_susp_prog_location_process_starts.yml b/rules/windows/process_creation/win_susp_prog_location_process_starts.yml index 27e4dc483..b3f8f1075 100644 --- a/rules/windows/process_creation/win_susp_prog_location_process_starts.yml +++ b/rules/windows/process_creation/win_susp_prog_location_process_starts.yml 
@@ -2,23 +2,23 @@ title: Suspicious Program Location Process Starts status: experimental description: Detects programs running in suspicious files system locations references: - - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo + - https://docs.google.com/spreadsheets/d/17pSTDNpa0sf6pHeRhusvWG6rThciE8CsXTSlDUAZDyo author: Florian Roth date: 2019/01/15 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image: - - '*\$Recycle.bin' - - '*\Users\Public\\*' - - 'C:\Perflogs\\*' - - '*\Windows\Fonts\\*' - - '*\Windows\IME\\*' - - '*\Windows\addins\\*' - - '*\Windows\debug\\*' - condition: selection + selection: + Image: + - '*\$Recycle.bin' + - '*\Users\Public\\*' + - 'C:\Perflogs\\*' + - '*\Windows\Fonts\\*' + - '*\Windows\IME\\*' + - '*\Windows\addins\\*' + - '*\Windows\debug\\*' + condition: selection falsepositives: - - unknown + - unknown level: high diff --git a/rules/windows/process_creation/win_susp_ps_appdata.yml b/rules/windows/process_creation/win_susp_ps_appdata.yml index 999b22a67..603714315 100644 --- a/rules/windows/process_creation/win_susp_ps_appdata.yml +++ b/rules/windows/process_creation/win_susp_ps_appdata.yml 
@@ -2,19 +2,19 @@ title: PowerShell Script Run in AppData status: experimental description: Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder references: - - https://twitter.com/JohnLaTwC/status/1082851155481288706 - - https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03 + - https://twitter.com/JohnLaTwC/status/1082851155481288706 + - https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03 author: Florian Roth date: 2019/01/09 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine: - - '* /c powershell*\AppData\Local\\*' - - '* /c powershell*\AppData\Roaming\\*' - condition: selection + selection: + CommandLine: + - '* /c powershell*\AppData\Local\\*' + - '* /c powershell*\AppData\Roaming\\*' + condition: selection falsepositives: - - Administrative scripts + - Administrative scripts level: medium diff --git a/rules/windows/process_creation/win_susp_rasdial_activity.yml b/rules/windows/process_creation/win_susp_rasdial_activity.yml index 9f83ece21..39c9648e3 100644 --- a/rules/windows/process_creation/win_susp_rasdial_activity.yml +++ b/rules/windows/process_creation/win_susp_rasdial_activity.yml 
@@ -2,16 +2,16 @@ title: Suspicious RASdial Activity description: Detects suspicious process related to rasdial.exe status: experimental references: - - https://twitter.com/subTee/status/891298217907830785 + - https://twitter.com/subTee/status/891298217907830785 author: juju4 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine: - - rasdial - condition: selection + selection: + CommandLine: + - rasdial + condition: selection falsepositives: - - False positives depend on scripts and administrative tools used in the monitored environment + - False positives depend on scripts and administrative tools used in the monitored environment level: medium diff --git a/rules/windows/process_creation/win_susp_recon_activity.yml b/rules/windows/process_creation/win_susp_recon_activity.yml index 24b578697..d9bd44894 100644 --- a/rules/windows/process_creation/win_susp_recon_activity.yml +++ b/rules/windows/process_creation/win_susp_recon_activity.yml 
@@ -3,21 +3,21 @@ status: experimental description: Detects suspicious command line activity on Windows systems author: Florian Roth logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine: - - net group "domain admins" /domain - - net localgroup administrators - condition: selection + selection: + CommandLine: + - net group "domain admins" /domain + - net localgroup administrators + condition: selection fields: - - CommandLine - - ParentCommandLine + - CommandLine + - ParentCommandLine falsepositives: - - Inventory tool runs - - Penetration tests - - Administrative activity + - Inventory tool runs + - Penetration tests + - Administrative activity analysis: - recommendation: Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM) + recommendation: Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM) level: medium diff --git a/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml b/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml index 82ae219cd..3e838bab1 100644 --- a/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml +++ b/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml 
@@ -3,36 +3,36 @@ status: experimental description: Detects various anomalies in relation to regsvr32.exe author: Florian Roth references: - - https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html + - https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html tags: - - attack.t1117 - - attack.defense_evasion - - attack.execution + - attack.t1117 + - attack.defense_evasion + - attack.execution logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection1: - Image: '*\regsvr32.exe' - CommandLine: '*\Temp\\*' - selection2: - Image: '*\regsvr32.exe' - ParentImage: '*\powershell.exe' - selection3: - Image: '*\regsvr32.exe' - CommandLine: - - '*/i:http* scrobj.dll' - - '*/i:ftp* scrobj.dll' - selection4: - Image: '*\wscript.exe' - ParentImage: '*\regsvr32.exe' - selection5: - Image: '*\EXCEL.EXE' - CommandLine: '*..\..\..\Windows\System32\regsvr32.exe *' - condition: 1 of them + selection1: + Image: '*\regsvr32.exe' + CommandLine: '*\Temp\\*' + selection2: + Image: '*\regsvr32.exe' + ParentImage: '*\powershell.exe' + selection3: + Image: '*\regsvr32.exe' + CommandLine: + - '*/i:http* scrobj.dll' + - '*/i:ftp* scrobj.dll' + selection4: + Image: '*\wscript.exe' + ParentImage: '*\regsvr32.exe' + selection5: + Image: '*\EXCEL.EXE' + CommandLine: '*..\..\..\Windows\System32\regsvr32.exe *' + condition: 1 of them fields: - - CommandLine - - ParentCommandLine + - CommandLine + - ParentCommandLine falsepositives: - - Unknown + - Unknown level: high diff --git a/rules/windows/process_creation/win_susp_run_locations.yml b/rules/windows/process_creation/win_susp_run_locations.yml index 3a9548847..495933f5a 100644 --- a/rules/windows/process_creation/win_susp_run_locations.yml +++ b/rules/windows/process_creation/win_susp_run_locations.yml 
@@ -2,22 +2,22 @@ title: Suspicious Process Start Locations description: Detects suspicious process run from unusual locations status: experimental references: - - https://car.mitre.org/wiki/CAR-2013-05-002 + - https://car.mitre.org/wiki/CAR-2013-05-002 author: juju4 tags: - - attack.defense_evasion - - attack.t1036 + - attack.defense_evasion + - attack.t1036 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine: - - '*:\RECYCLER\\*' - - '*:\SystemVolumeInformation\\*' - - '%windir%\Tasks\\*' - - '%systemroot%\debug\\*' - condition: selection + selection: + CommandLine: + - '*:\RECYCLER\\*' + - '*:\SystemVolumeInformation\\*' + - '%windir%\Tasks\\*' + - '%systemroot%\debug\\*' + condition: selection falsepositives: - - False positives depend on scripts and administrative tools used in the monitored environment + - False positives depend on scripts and administrative tools used in the monitored environment level: medium diff --git a/rules/windows/process_creation/win_susp_rundll32_activity.yml b/rules/windows/process_creation/win_susp_rundll32_activity.yml index 03a44c6ad..573ef823e 100644 --- a/rules/windows/process_creation/win_susp_rundll32_activity.yml +++ b/rules/windows/process_creation/win_susp_rundll32_activity.yml 
@@ -2,34 +2,34 @@ title: Suspicious Rundll32 Activity description: Detects suspicious process related to rundll32 based on arguments status: experimental references: - - http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/ - - https://twitter.com/Hexacorn/status/885258886428725250 - - https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52 + - http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/ + - https://twitter.com/Hexacorn/status/885258886428725250 + - https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52 tags: - - attack.defense_evasion - - attack.execution - - attack.t1085 + - attack.defense_evasion + - attack.execution + - attack.t1085 author: juju4 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine: - - '*\rundll32.exe* url.dll,*OpenURL *' - - '*\rundll32.exe* url.dll,*OpenURLA *' - - '*\rundll32.exe* url.dll,*FileProtocolHandler *' - - '*\rundll32.exe* zipfldr.dll,*RouteTheCall *' - - '*\rundll32.exe* Shell32.dll,*Control_RunDLL *' - - '*\rundll32.exe javascript:*' - - '* url.dll,*OpenURL *' - - '* url.dll,*OpenURLA *' - - '* url.dll,*FileProtocolHandler *' - - '* zipfldr.dll,*RouteTheCall *' - - '* Shell32.dll,*Control_RunDLL *' - - '* javascript:*' - - '*.RegisterXLL*' - condition: selection + selection: + CommandLine: + - '*\rundll32.exe* url.dll,*OpenURL *' + - '*\rundll32.exe* url.dll,*OpenURLA *' + - '*\rundll32.exe* url.dll,*FileProtocolHandler *' + - '*\rundll32.exe* zipfldr.dll,*RouteTheCall *' + - '*\rundll32.exe* Shell32.dll,*Control_RunDLL *' + - '*\rundll32.exe javascript:*' + - '* url.dll,*OpenURL *' + - '* url.dll,*OpenURLA *' + - '* url.dll,*FileProtocolHandler *' + - '* zipfldr.dll,*RouteTheCall *' + - '* Shell32.dll,*Control_RunDLL *' + - '* javascript:*' + - '*.RegisterXLL*' + condition: selection falsepositives: - - False 
positives depend on scripts and administrative tools used in the monitored environment + - False positives depend on scripts and administrative tools used in the monitored environment level: medium diff --git a/rules/windows/process_creation/win_susp_schtask_creation.yml b/rules/windows/process_creation/win_susp_schtask_creation.yml index b5907bca9..f9b0f1f41 100644 --- a/rules/windows/process_creation/win_susp_schtask_creation.yml +++ b/rules/windows/process_creation/win_susp_schtask_creation.yml @@ -3,25 +3,25 @@ status: experimental description: Detects the creation of scheduled tasks in user session author: Florian Roth logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image: '*\schtasks.exe' - CommandLine: '* /create *' - filter: - User: NT AUTHORITY\SYSTEM - condition: selection and not filter + selection: + Image: '*\schtasks.exe' + CommandLine: '* /create *' + filter: + User: NT AUTHORITY\SYSTEM + condition: selection and not filter fields: - - CommandLine - - ParentCommandLine + - CommandLine + - ParentCommandLine tags: - - attack.execution - - attack.persistence - - attack.privilege_escalation - - attack.t1053 - - attack.s0111 + - attack.execution + - attack.persistence + - attack.privilege_escalation + - attack.t1053 + - attack.s0111 falsepositives: - - Administrative activity - - Software installation + - Administrative activity + - Software installation level: low diff --git a/rules/windows/process_creation/win_susp_script_execution.yml b/rules/windows/process_creation/win_susp_script_execution.yml index 6e0773cfb..8896aae06 100644 --- a/rules/windows/process_creation/win_susp_script_execution.yml +++ b/rules/windows/process_creation/win_susp_script_execution.yml 
@@ -3,22 +3,22 @@ status: experimental description: Detects suspicious file execution by wscript and cscript author: Michael Haag logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image: - - '*\wscript.exe' - - '*\cscript.exe' - CommandLine: - - '*.jse' - - '*.vbe' - - '*.js' - - '*.vba' - condition: selection + selection: + Image: + - '*\wscript.exe' + - '*\cscript.exe' + CommandLine: + - '*.jse' + - '*.vbe' + - '*.js' + - '*.vba' + condition: selection fields: - - CommandLine - - ParentCommandLine + - CommandLine + - ParentCommandLine falsepositives: - - Will need to be tuned. I recommend adding the user profile path in CommandLine if it is getting too noisy. + - Will need to be tuned. I recommend adding the user profile path in CommandLine if it is getting too noisy. level: medium diff --git a/rules/windows/process_creation/win_susp_svchost.yml b/rules/windows/process_creation/win_susp_svchost.yml index 006337202..ec4477b3a 100644 --- a/rules/windows/process_creation/win_susp_svchost.yml +++ b/rules/windows/process_creation/win_susp_svchost.yml @@ -4,21 +4,21 @@ description: Detects a suspicious svchost process start author: Florian Roth date: 2017/08/15 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image: '*\svchost.exe' - filter: - ParentImage: - - '*\services.exe' - - '*\MsMpEng.exe' - condition: selection and not filter + selection: + Image: '*\svchost.exe' + filter: + ParentImage: + - '*\services.exe' + - '*\MsMpEng.exe' + condition: selection and not filter fields: - - CommandLine - - ParentCommandLine + - CommandLine + - ParentCommandLine tags: - - attack.defense_evasion + - attack.defense_evasion falsepositives: - - Unknown + - Unknown level: high 
diff --git a/rules/windows/process_creation/win_susp_sysprep_appdata.yml b/rules/windows/process_creation/win_susp_sysprep_appdata.yml index c4887b980..893512430 100644 --- a/rules/windows/process_creation/win_susp_sysprep_appdata.yml +++ b/rules/windows/process_creation/win_susp_sysprep_appdata.yml @@ -2,20 +2,20 @@ title: Sysprep on AppData Folder status: experimental description: Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec) references: - - https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets - - https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b + - https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets + - https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b author: Florian Roth date: 2018/06/22 modified: 2018/12/11 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine: - - '*\sysprep.exe *\AppData\\*' - - sysprep.exe *\AppData\\* - condition: selection + selection: + CommandLine: + - '*\sysprep.exe *\AppData\\*' + - sysprep.exe *\AppData\\* + condition: selection falsepositives: - - False positives depend on scripts and administrative tools used in the monitored environment + - False positives depend on scripts and administrative tools used in the monitored environment level: medium diff --git a/rules/windows/process_creation/win_susp_sysvol_access.yml b/rules/windows/process_creation/win_susp_sysvol_access.yml index f6c247d88..97c51d2ca 100644 --- a/rules/windows/process_creation/win_susp_sysvol_access.yml +++ b/rules/windows/process_creation/win_susp_sysvol_access.yml 
@@ -2,21 +2,21 @@ title: Suspicious SYSVOL Domain Group Policy Access status: experimental description: Detects Access to Domain Group Policies stored in SYSVOL references: - - https://adsecurity.org/?p=2288 - - https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100 + - https://adsecurity.org/?p=2288 + - https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100 author: Markus Neis date: 2018/04/09 modified: 2018/12/11 tags: - - attack.credential_access - - attack.t1003 + - attack.credential_access + - attack.t1003 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine: '*\SYSVOL\\*\policies\\*' - condition: selection + selection: + CommandLine: '*\SYSVOL\\*\policies\\*' + condition: selection falsepositives: - - administrative activity + - administrative activity level: medium diff --git a/rules/windows/process_creation/win_susp_taskmgr_localsystem.yml b/rules/windows/process_creation/win_susp_taskmgr_localsystem.yml index f3da5750f..eb38f977f 100644 --- a/rules/windows/process_creation/win_susp_taskmgr_localsystem.yml +++ b/rules/windows/process_creation/win_susp_taskmgr_localsystem.yml @@ -4,13 +4,13 @@ description: Detects the creation of taskmgr.exe process in context of LOCAL_SYS author: Florian Roth date: 2018/03/18 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - User: NT AUTHORITY\SYSTEM - Image: '*\taskmgr.exe' - condition: selection + selection: + User: NT AUTHORITY\SYSTEM + Image: '*\taskmgr.exe' + condition: selection falsepositives: - - Unkown + - Unkown level: high diff --git a/rules/windows/process_creation/win_susp_taskmgr_parent.yml b/rules/windows/process_creation/win_susp_taskmgr_parent.yml index e4e516d4e..bcf4e2b20 100644 
--- a/rules/windows/process_creation/win_susp_taskmgr_parent.yml +++ b/rules/windows/process_creation/win_susp_taskmgr_parent.yml @@ -4,20 +4,20 @@ description: Detects the creation of a process from Windows task manager author: Florian Roth date: 2018/03/13 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - ParentImage: '*\taskmgr.exe' - filter: - Image: - - resmon.exe - - mmc.exe - condition: selection and not filter + selection: + ParentImage: '*\taskmgr.exe' + filter: + Image: + - resmon.exe + - mmc.exe + condition: selection and not filter fields: - - Image - - CommandLine - - ParentCommandLine + - Image + - CommandLine + - ParentCommandLine falsepositives: - - Administrative activity + - Administrative activity level: low diff --git a/rules/windows/process_creation/win_susp_tscon_localsystem.yml b/rules/windows/process_creation/win_susp_tscon_localsystem.yml index aa7602464..da626dc62 100644 --- a/rules/windows/process_creation/win_susp_tscon_localsystem.yml +++ b/rules/windows/process_creation/win_susp_tscon_localsystem.yml 
@@ -2,18 +2,18 @@ title: Suspicious TSCON Start status: experimental description: Detects a tscon.exe start as LOCAL SYSTEM references: - - http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html - - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6 + - http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html + - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6 author: Florian Roth date: 2018/03/17 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - User: NT AUTHORITY\SYSTEM - Image: '*\tscon.exe' - condition: selection + selection: + User: NT AUTHORITY\SYSTEM + Image: '*\tscon.exe' + condition: selection falsepositives: - - Unknown + - Unknown level: high diff --git a/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml b/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml index f8c0c81d2..071be9fdc 100644 --- a/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml +++ b/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml 
@@ -2,18 +2,18 @@ title: Suspicious RDP Redirect Using TSCON status: experimental description: Detects a suspicious RDP session redirect using tscon.exe references: - - http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html - - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6 + - http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html + - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6 author: Florian Roth date: 2018/03/17 modified: 2018/12/11 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine: '* /dest:rdp-tcp:*' - condition: selection + selection: + CommandLine: '* /dest:rdp-tcp:*' + condition: selection falsepositives: - - Unknown + - Unknown level: high diff --git a/rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml b/rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml index d11e0090c..27105cafe 100644 --- a/rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml +++ b/rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml 
@@ -3,31 +3,31 @@ status: experimental description: Detects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely author: Florian Roth, Michael Haag references: - - https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/ - - https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/ - - https://www.trustwave.com/Resources/SpiderLabs-Blog/Tutorial-for-NTDS-goodness-(VSSADMIN,-WMIS,-NTDS-dit,-SYSTEM)/ - - https://securingtomorrow.mcafee.com/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/ - - https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/ + - https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/ + - https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/ + - https://www.trustwave.com/Resources/SpiderLabs-Blog/Tutorial-for-NTDS-goodness-(VSSADMIN,-WMIS,-NTDS-dit,-SYSTEM)/ + - https://securingtomorrow.mcafee.com/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/ + - https://dfironthemountain.wordpress.com/2018/12/06/locked-file-access-using-esentutl-exe/ tags: - - attack.credential_access - - attack.t1003 + - attack.credential_access + - attack.t1003 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine: - - vssadmin.exe Delete Shadows - - 'vssadmin create shadow /for=C:' - - copy \\?\GLOBALROOT\Device\\*\windows\ntds\ntds.dit - - copy \\?\GLOBALROOT\Device\\*\config\SAM - - 'vssadmin delete shadows /for=C:' - - 'reg SAVE HKLM\SYSTEM ' - - esentutl.exe /y /vss *\ntds.dit* - condition: selection + selection: + CommandLine: + - vssadmin.exe Delete Shadows + - 'vssadmin create shadow /for=C:' + - copy \\?\GLOBALROOT\Device\\*\windows\ntds\ntds.dit + - copy \\?\GLOBALROOT\Device\\*\config\SAM + - 'vssadmin delete shadows 
/for=C:' + - 'reg SAVE HKLM\SYSTEM ' + - esentutl.exe /y /vss *\ntds.dit* + condition: selection fields: - - CommandLine - - ParentCommandLine + - CommandLine + - ParentCommandLine falsepositives: - - Administrative activity + - Administrative activity level: high diff --git a/rules/windows/process_creation/win_susp_whoami.yml b/rules/windows/process_creation/win_susp_whoami.yml index 974cf4567..ac983d973 100644 --- a/rules/windows/process_creation/win_susp_whoami.yml +++ b/rules/windows/process_creation/win_susp_whoami.yml @@ -2,21 +2,21 @@ title: Whoami Execution status: experimental description: Detects the execution of whoami, which is often used by attackers after exloitation / privilege escalation but rarely used by administrators references: - - https://twitter.com/haroonmeer/status/939099379834658817 - - https://twitter.com/c_APT_ure/status/939475433711722497 + - https://twitter.com/haroonmeer/status/939099379834658817 + - https://twitter.com/c_APT_ure/status/939475433711722497 author: Florian Roth date: 2018/05/22 tags: - - attack.discovery - - attack.t1033 + - attack.discovery + - attack.t1033 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine: whoami - condition: selection + selection: + CommandLine: whoami + condition: selection falsepositives: - - Admin activity - - Scripts and administrative tools used in the monitored environment + - Admin activity + - Scripts and administrative tools used in the monitored environment level: high diff --git a/rules/windows/process_creation/win_susp_wmi_execution.yml b/rules/windows/process_creation/win_susp_wmi_execution.yml index 3a22fa429..852f644b4 100644 --- a/rules/windows/process_creation/win_susp_wmi_execution.yml +++ b/rules/windows/process_creation/win_susp_wmi_execution.yml 
@@ -2,30 +2,30 @@ title: Suspicious WMI execution status: experimental description: Detects WMI executing suspicious commands references: - - https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/ - - https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1 - - https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/ + - https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/ + - https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1 + - https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/ author: Michael Haag, Florian Roth logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image: - - '*\wmic.exe' - CommandLine: - - '*/NODE:*process call create *' - - '* path AntiVirusProduct get *' - - '* path FirewallProduct get *' - - '* shadowcopy delete *' - condition: selection + selection: + Image: + - '*\wmic.exe' + CommandLine: + - '*/NODE:*process call create *' + - '* path AntiVirusProduct get *' + - '* path FirewallProduct get *' + - '* shadowcopy delete *' + condition: selection fields: - - CommandLine - - ParentCommandLine + - CommandLine + - ParentCommandLine tags: - - attack.execution - - attack.t1047 + - attack.execution + - attack.t1047 falsepositives: - - Will need to be tuned - - If using Splunk, I recommend | stats count by Computer,CommandLine following for easy hunting by Computer/CommandLine. + - Will need to be tuned + - If using Splunk, I recommend | stats count by Computer,CommandLine following for easy hunting by Computer/CommandLine. level: medium diff --git a/rules/windows/process_creation/win_system_exe_anomaly.yml b/rules/windows/process_creation/win_system_exe_anomaly.yml index 3a76f0079..2f81cc4ac 100644 --- a/rules/windows/process_creation/win_system_exe_anomaly.yml 
+++ b/rules/windows/process_creation/win_system_exe_anomaly.yml @@ -2,32 +2,32 @@ title: System File Execution Location Anomaly status: experimental description: Detects a Windows program executable started in a suspicious folder references: - - https://twitter.com/GelosSnake/status/934900723426439170 + - https://twitter.com/GelosSnake/status/934900723426439170 author: Florian Roth date: 2017/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image: - - '*\svchost.exe' - - '*\rundll32.exe' - - '*\services.exe' - - '*\powershell.exe' - - '*\regsvr32.exe' - - '*\spoolsv.exe' - - '*\lsass.exe' - - '*\smss.exe' - - '*\csrss.exe' - - '*\conhost.exe' - filter: - Image: - - '*\System32\\*' - - '*\SysWow64\\*' - condition: selection and not filter + selection: + Image: + - '*\svchost.exe' + - '*\rundll32.exe' + - '*\services.exe' + - '*\powershell.exe' + - '*\regsvr32.exe' + - '*\spoolsv.exe' + - '*\lsass.exe' + - '*\smss.exe' + - '*\csrss.exe' + - '*\conhost.exe' + filter: + Image: + - '*\System32\\*' + - '*\SysWow64\\*' + condition: selection and not filter tags: - - attack.defense_evasion + - attack.defense_evasion falsepositives: - - Exotic software + - Exotic software level: high diff --git a/rules/windows/process_creation/win_vul_java_remote_debugging.yml b/rules/windows/process_creation/win_vul_java_remote_debugging.yml index edce8d264..03ec6b5b8 100644 --- a/rules/windows/process_creation/win_vul_java_remote_debugging.yml +++ b/rules/windows/process_creation/win_vul_java_remote_debugging.yml 
@@ -2,18 +2,18 @@ title: Java Running with Remote Debugging description: Detects a JAVA process running with remote debugging allowing more than just localhost to connect author: Florian Roth logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - CommandLine: '*transport=dt_socket,address=*' - exclusion: - - CommandLine: '*address=127.0.0.1*' - - CommandLine: '*address=localhost*' - condition: selection and not exclusion + selection: + CommandLine: '*transport=dt_socket,address=*' + exclusion: + - CommandLine: '*address=127.0.0.1*' + - CommandLine: '*address=localhost*' + condition: selection and not exclusion fields: - - CommandLine - - ParentCommandLine + - CommandLine + - ParentCommandLine falsepositives: - - unknown + - unknown level: medium diff --git a/rules/windows/process_creation/win_webshell_detection.yml b/rules/windows/process_creation/win_webshell_detection.yml index 466ca9a02..f70280b0f 100644 --- a/rules/windows/process_creation/win_webshell_detection.yml +++ b/rules/windows/process_creation/win_webshell_detection.yml 
@@ -2,30 +2,30 @@ title: Webshell Detection With Command Line Keywords description: Detects certain command line parameters often used during reconnaissance activity via web shells author: Florian Roth logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - ParentImage: - - '*\apache*' - - '*\tomcat*' - - '*\w3wp.exe' - - '*\php-cgi.exe' - - '*\nginx.exe' - - '*\httpd.exe' - CommandLine: - - whoami - - net user - - ping -n - - systeminfo - condition: selection + selection: + ParentImage: + - '*\apache*' + - '*\tomcat*' + - '*\w3wp.exe' + - '*\php-cgi.exe' + - '*\nginx.exe' + - '*\httpd.exe' + CommandLine: + - whoami + - net user + - ping -n + - systeminfo + condition: selection fields: - - CommandLine - - ParentCommandLine + - CommandLine + - ParentCommandLine tags: - - attack.privilege_escalation - - attack.persistence - - attack.t1100 + - attack.privilege_escalation + - attack.persistence + - attack.t1100 falsepositives: - - unknown + - unknown level: high diff --git a/rules/windows/process_creation/win_webshell_spawn.yml b/rules/windows/process_creation/win_webshell_spawn.yml index bf6569a19..9cc4ca33c 100644 --- a/rules/windows/process_creation/win_webshell_spawn.yml +++ b/rules/windows/process_creation/win_webshell_spawn.yml 
@@ -3,28 +3,28 @@ status: experimental description: Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack author: Thomas Patzke logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - ParentImage: - - '*\w3wp.exe' - - '*\httpd.exe' - - '*\nginx.exe' - - '*\php-cgi.exe' - Image: - - '*\cmd.exe' - - '*\sh.exe' - - '*\bash.exe' - - '*\powershell.exe' - condition: selection + selection: + ParentImage: + - '*\w3wp.exe' + - '*\httpd.exe' + - '*\nginx.exe' + - '*\php-cgi.exe' + Image: + - '*\cmd.exe' + - '*\sh.exe' + - '*\bash.exe' + - '*\powershell.exe' + condition: selection fields: - - CommandLine - - ParentCommandLine + - CommandLine + - ParentCommandLine tags: - - attack.privilege_escalation - - attack.persistence - - attack.t1100 + - attack.privilege_escalation + - attack.persistence + - attack.t1100 falsepositives: - - Particular web applications may spawn a shell process legitimately + - Particular web applications may spawn a shell process legitimately level: high diff --git a/rules/windows/process_creation/win_wmi_persistence_script_event_consumer.yml b/rules/windows/process_creation/win_wmi_persistence_script_event_consumer.yml index 3f90fbed6..4d484bf28 100644 --- a/rules/windows/process_creation/win_wmi_persistence_script_event_consumer.yml +++ b/rules/windows/process_creation/win_wmi_persistence_script_event_consumer.yml 
@@ -2,21 +2,21 @@ title: WMI Persistence - Script Event Consumer status: experimental description: Detects WMI script event consumers references: - - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/ + - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/ author: Thomas Patzke date: 2018/03/07 tags: - - attack.execution - - attack.persistence - - attack.t1047 + - attack.execution + - attack.persistence + - attack.t1047 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image: C:\WINDOWS\system32\wbem\scrcons.exe - ParentImage: C:\Windows\System32\svchost.exe - condition: selection + selection: + Image: C:\WINDOWS\system32\wbem\scrcons.exe + ParentImage: C:\Windows\System32\svchost.exe + condition: selection falsepositives: - - Legitimate event consumers + - Legitimate event consumers level: high diff --git a/rules/windows/process_creation/win_workflow_compiler.yml b/rules/windows/process_creation/win_workflow_compiler.yml index ae2ea8844..ede0a7610 100644 --- a/rules/windows/process_creation/win_workflow_compiler.yml +++ b/rules/windows/process_creation/win_workflow_compiler.yml 
@@ -2,21 +2,21 @@ title: Microsoft Workflow Compiler status: experimental description: Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code. tags: - - attack.defense_evasion - - attack.execution + - attack.defense_evasion + - attack.execution author: Nik Seetharaman references: - - https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb + - https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - Image: '*\Microsoft.Workflow.Compiler.exe' - condition: selection + selection: + Image: '*\Microsoft.Workflow.Compiler.exe' + condition: selection fields: - - CommandLine - - ParentCommandLine + - CommandLine + - ParentCommandLine falsepositives: - - Legitimate MWC use (unlikely in modern enterprise environments) + - Legitimate MWC use (unlikely in modern enterprise environments) level: high diff --git a/tools/sigma2genericsigma b/tools/sigma2genericsigma index 92d63130b..0d5d6cb14 100755 --- a/tools/sigma2genericsigma +++ b/tools/sigma2genericsigma @@ -220,7 +220,7 @@ for path in input_paths: if changed: # only write output if changed try: - output.write(yaml.dump_all(yamldocs, Dumper=SigmaYAMLDumper, width=160, default_flow_style=False)) + output.write(yaml.dump_all(yamldocs, Dumper=SigmaYAMLDumper, indent=4, width=160, default_flow_style=False)) print(path, file=fconv) except OSError as e: print("Error while writing result: {}".format(str(e)), file=sys.stderr)
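Review bot: The new `indent=4` on the `yaml.dump_all` call is a bare magic value next to `width=160`, and nothing records why rule files are now re-emitted at this indentation even though every preceding hunk in this series is a whitespace-only rewrite of a rule file, apparently produced by this very line. A comment such as `# indent=4 / width=160 define the canonical rule-file layout; changing either rewrites every rule on the next run` would make that coupling explicit, or the dump options could be hoisted into one named dict so the layout is defined in a single place. Note also that PyYAML's `indent` does not by itself indent block sequences nested under a mapping key (they are emitted "indentless" unless the Dumper overrides `increase_indent`), so whether `SigmaYAMLDumper` does that decides the actual layout; it is not visible here and is worth confirming against the intended rule format. The enclosing `for path in input_paths:` loop and its `if changed:` block begin outside the hunk.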