diff --git a/rules/windows/other/win_tool_psexec.yml b/rules/windows/other/win_tool_psexec.yml
index 22a4d3da1..250429d10 100644
--- a/rules/windows/other/win_tool_psexec.yml
+++ b/rules/windows/other/win_tool_psexec.yml
@@ -5,7 +5,7 @@ status: experimental
 description: Detects PsExec service installation and execution events (service and Sysmon)
 author: Thomas Patzke
 date: 2017/06/12
-modified: 2021/08/06
+modified: 2021/08/26
 references:
 - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
 - https://jpcertcc.github.io/ToolAnalysisResultSheet
@@ -46,7 +46,9 @@ logsource:
 detection:
 sysmon_processcreation:
 Image|endswith: '\PSEXESVC.exe'
- User: 'NT AUTHORITY\SYSTEM'
+ User|startswith:
+ - 'NT AUTHORITY\SYSTEM'
+ - 'AUTORITE NT\Sys' # French language settings
 ---
 logsource:
 category: pipe_created
diff --git a/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml b/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml
index 399103d25..041bba07a 100644
--- a/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml
+++ b/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml
@@ -28,7 +28,9 @@ detection:
 - '\powershell.exe'
 - '\cmd.exe'
 selection3:
- User: 'NT AUTHORITY\SYSTEM'
+ User|startswith:
+ - 'NT AUTHORITY\SYSTEM'
+ - 'AUTORITE NT\Sys' # French language settings
 filter:
 CommandLine|contains|all:
 - ' route '
diff --git a/rules/windows/process_creation/sysmon_always_install_elevated_windows_installer.yml b/rules/windows/process_creation/sysmon_always_install_elevated_windows_installer.yml
index 8d89e217b..4aa3afd03 100644
--- a/rules/windows/process_creation/sysmon_always_install_elevated_windows_installer.yml
+++ b/rules/windows/process_creation/sysmon_always_install_elevated_windows_installer.yml
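Review bot: In the second hunk the new `'AUTORITE NT\Sys'` entry is a deliberately truncated prefix, but the trailing comment `# French language settings` does not record that, so a later edit may "complete" it to the full localized account name or revert `User|startswith` to an exact `User:` match and silently lose French-locale coverage; suggest `# French language settings; truncated prefix on purpose, keep |startswith` — the reason for the truncation (presumably an accented character in the full localized name) is inferred from the value, so confirm it before wording the comment. The same value pair is copied verbatim into sysmon_abusing_debug_privilege, sysmon_always_install_elevated_windows_installer, win_exploit_cve_2019_1388, win_susp_schtask_creation, win_susp_taskmgr_localsystem, win_susp_tscon_localsystem, win_whoami_as_system and win_wmiprvse_spawning_process, so any further locale has to be added to all nine rules together and a rule test that evaluates each rule against a sample English and French `User` value would catch a missed copy. Note also that in win_susp_schtask_creation the list sits inside the exclusion `filter` (`condition: selection and not filter`), so the broadened match there widens what is suppressed rather than what is detected; a prefix match on the SYSTEM account is harmless in practice, but that asymmetry is worth stating in that rule.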
@@ -4,6 +4,7 @@ description: This rule will looks for Windows Installer service (msiexec.exe) wh
 status: experimental
 author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community
 date: 2020/10/13
+modified: 2021/08/26
 references:
 - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-48-638.jpg
 tags:
@@ -16,7 +17,9 @@ detection:
 integrity_level:
 IntegrityLevel: 'System'
 user:
- User: 'NT AUTHORITY\SYSTEM'
+ User|startswith:
+ - 'NT AUTHORITY\SYSTEM'
+ - 'AUTORITE NT\Sys' # French language settings
 image_1:
 Image|contains|all:
 - '\Windows\Installer\'
@@ -34,4 +37,4 @@ fields:
 falsepositives:
 - System administrator Usage
 - Penetration test
-level: medium
\ No newline at end of file
+level: medium
diff --git a/rules/windows/process_creation/win_exploit_cve_2019_1388.yml b/rules/windows/process_creation/win_exploit_cve_2019_1388.yml
index c93f2113b..096c1994e 100644
--- a/rules/windows/process_creation/win_exploit_cve_2019_1388.yml
+++ b/rules/windows/process_creation/win_exploit_cve_2019_1388.yml
@@ -7,6 +7,7 @@ references:
 - https://www.zerodayinitiative.com/blog/2019/11/19/thanksgiving-treat-easy-as-pie-windows-7-secure-desktop-escalation-of-privilege
 author: Florian Roth
 date: 2019/11/20
+modified: 2021/08/26
 tags:
 - attack.privilege_escalation
 - attack.t1068
@@ -21,7 +22,9 @@ detection:
 rights1:
 IntegrityLevel: 'System' # for Sysmon users
 rights2:
- User: 'NT AUTHORITY\SYSTEM' # for non-Sysmon users - English language settings
+ User|startswith:
+ - 'NT AUTHORITY\SYSTEM' # for non-Sysmon users - English language settings
+ - 'AUTORITE NT\Sys' # French language settings
 condition: selection and ( rights1 or rights2 )
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/win_susp_schtask_creation.yml b/rules/windows/process_creation/win_susp_schtask_creation.yml
index 1647d2f54..bc671f4cf 100644
--- a/rules/windows/process_creation/win_susp_schtask_creation.yml
+++ b/rules/windows/process_creation/win_susp_schtask_creation.yml
@@ -4,6 +4,7 @@ status: experimental
 description: Detects the creation of scheduled tasks in user session
 author: Florian Roth
 date: 2019/01/16
+modified: 2021/08/26
 logsource:
 category: process_creation
 product: windows
@@ -12,7 +13,9 @@ detection:
 Image|endswith: '\schtasks.exe'
 CommandLine|contains: ' /create '
 filter:
- User: NT AUTHORITY\SYSTEM
+ User|startswith:
+ - 'NT AUTHORITY\SYSTEM'
+ - 'AUTORITE NT\Sys' # French language settings
 condition: selection and not filter
 fields:
 - CommandLine
diff --git a/rules/windows/process_creation/win_susp_taskmgr_localsystem.yml b/rules/windows/process_creation/win_susp_taskmgr_localsystem.yml
index 4ac61fed9..2ec58e2cf 100644
--- a/rules/windows/process_creation/win_susp_taskmgr_localsystem.yml
+++ b/rules/windows/process_creation/win_susp_taskmgr_localsystem.yml
@@ -7,12 +7,15 @@ tags:
 - attack.t1036
 author: Florian Roth
 date: 2018/03/18
+modified: 2021/08/26
 logsource:
 category: process_creation
 product: windows
 detection:
 selection:
- User: NT AUTHORITY\SYSTEM
+ User|startswith:
+ - 'NT AUTHORITY\SYSTEM'
+ - 'AUTORITE NT\Sys' # French language settings
 Image|endswith: '\taskmgr.exe'
 condition: selection
 falsepositives:
diff --git a/rules/windows/process_creation/win_susp_tscon_localsystem.yml b/rules/windows/process_creation/win_susp_tscon_localsystem.yml
index b11145b61..d04687d1e 100644
--- a/rules/windows/process_creation/win_susp_tscon_localsystem.yml
+++ b/rules/windows/process_creation/win_susp_tscon_localsystem.yml
@@ -7,6 +7,7 @@ references:
 - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
 author: Florian Roth
 date: 2018/03/17
+modified: 2021/08/26
 tags:
 - attack.command_and_control
 - attack.t1219
@@ -15,7 +16,9 @@ logsource:
 product: windows
 detection:
 selection:
- User: NT AUTHORITY\SYSTEM
+ User|startswith:
+ - 'NT AUTHORITY\SYSTEM'
+ - 'AUTORITE NT\Sys' # French language settings
 Image|endswith: '\tscon.exe'
 condition: selection
 falsepositives:
diff --git a/rules/windows/process_creation/win_whoami_as_system.yml b/rules/windows/process_creation/win_whoami_as_system.yml
index 4fee1a9e5..cdfa30d2f 100644
--- a/rules/windows/process_creation/win_whoami_as_system.yml
+++ b/rules/windows/process_creation/win_whoami_as_system.yml
@@ -6,7 +6,7 @@ references:
 - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
 author: Teymur Kheirkhabarov
 date: 2019/10/23
-modified: 2019/11/11
+modified: 2021/08/26
 tags:
 - attack.privilege_escalation
 - attack.discovery
@@ -16,7 +16,9 @@ logsource:
 product: windows
 detection:
 selection:
- User: 'NT AUTHORITY\SYSTEM'
+ User|startswith:
+ - 'NT AUTHORITY\SYSTEM'
+ - 'AUTORITE NT\Sys' # French language settings
 Image|endswith: '\whoami.exe'
 condition: selection
 falsepositives:
diff --git a/rules/windows/process_creation/win_wmiprvse_spawning_process.yml b/rules/windows/process_creation/win_wmiprvse_spawning_process.yml
index e0da3a8cf..d3e6843f3 100644
--- a/rules/windows/process_creation/win_wmiprvse_spawning_process.yml
+++ b/rules/windows/process_creation/win_wmiprvse_spawning_process.yml
@@ -3,7 +3,7 @@ id: d21374ff-f574-44a7-9998-4a8c8bf33d7d
 description: Detects wmiprvse spawning processes
 status: experimental
 date: 2019/08/15
-modified: 2021/02/24
+modified: 2021/08/26
 author: Roberto Rodriguez @Cyb3rWard0g
 references:
 - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190810201010.html
@@ -23,7 +23,9 @@ detection:
 - SubjectLogonId:
 - '0x3e7' # LUID 999 for SYSTEM
 - 'null' # too many false positives
- - User: 'NT AUTHORITY\SYSTEM' # if we don't have LogonId data, fallback on username detection
+ - User|startswith:
+ - 'NT AUTHORITY\SYSTEM' # if we don't have LogonId data, fallback on username detection
+ - 'AUTORITE NT\Sys' # French language settings
 - Image|endswith:
 - '\WmiPrvSE.exe'
 - '\WerFault.exe'