From d90c0ea990b7bd846360397a26d99dca8f99420f Mon Sep 17 00:00:00 2001
From: Alec Costello
Date: Thu, 16 May 2019 17:51:45 +0300
Subject: [PATCH 1/7] Create powershell_nishang_malicious_commandlets.yml

---
 ...wershell_nishang_malicious_commandlets.yml | 100 ++++++++++++++++++
 1 file changed, 100 insertions(+)
 create mode 100644 rules/windows/powershell/powershell_nishang_malicious_commandlets.yml

diff --git a/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml b/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml
new file mode 100644
index 000000000..9d01de43e
--- /dev/null
+++ b/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml
@@ -0,0 +1,100 @@
+title: Malicious Nishang PowerShell Commandlets
+status: experimental
+description: Detects Commandlet names and arguments from the Nishang exploitation framework
+modified: 2019/05/16
+references:
+ - https://github.com/samratashok/nishang
+tags:
+ - attack.execution
+ - attack.t1086
+author: Alec Costello
+logsource:
+ product: windows
+ service: powershell
+ definition: It is recommanded to use the new "Script Block Logging" of PowerShell v5 https://adsecurity.org/?p=2277
+detection:
+ keywords:
+ - Add-ConstrainedDelegationBackdoor
+ - Set-DCShadowPermissions
+ - DNS_TXT_Pwnage
+ - Execute-OnTime
+ - HTTP-Backdoor
+ - Set-RemotePSRemoting
+ - Set-RemoteWMI
+ - Invoke-AmsiBypass
+ - Out-CHM
+ - Out-Excel
+ - Out-HTA
+ - Out-JS
+ - Out-Java
+ - Out-SCF
+ - Out-SCT
+ - Out-Shortcut
+ - Out-WebQuery
+ - Out-Word
+ - Enable-Duplication
+ - Remove-Update
+ - Download-Execute-PS
+ - Download_Execute
+ - Execute-Command-MSSQL
+ - Execute-DNSTXT-Code
+ - Out-RundllCommand
+ - Copy-VSS
+ - FireBuster
+ - FireListener
+ - Get-Information
+ - Get-PassHints
+ - Get-WLAN-Keys
+ - Get-Web-Credentials
+ - Invoke-CredentialsPhish
+ - Invoke-MimikatzWDigestDowngrade
+ - Invoke-SSIDExfil
+ - Invoke-SessionGopher
+ - Keylogger
+ - Invoke-Interceptor
+ - Create-MultipleSessions
+ - Invoke-NetworkRelay
+ - Run-EXEonRemote
+ - Invoke-Prasadhak
+ - Invoke-BruteForce
+ - Password-List
+ - Invoke-JSRatRegsvr
+ - Invoke-JSRatRundll
+ - Invoke-PoshRatHttps
+ - Invoke-PowerShellIcmp
+ - Invoke-PowerShellUdp
+ - Invoke-PSGcat
+ - Invoke-PsGcatAgent
+ - Remove-PoshRat
+ - Add-Persistance
+ - ExetoText
+ - Invoke-Decode
+ - Invoke-Encode
+ - Parse_Keys
+ - Remove-Persistence
+ - StringtoBase64
+ - TexttoExe
+ - Powerpreter
+ - Nishang
+ - EncodedData
+ - DataToEncode
+ - LoggedKeys
+ - OUT-DNSTXT
+ - Jitter
+ - ExfilOption
+ - Tamper
+ - DumpCerts
+ - DumpCreds
+ - Shellcode32
+ - Shellcode64
+ - JDKPath
+ - HHCPath
+ - NotAllNameSpaces
+ - exfill
+ - FakeDC
+ - Payload
+ - Exploit
+ condition: keywords
+falsepositives:
+ - Penetration testing
+level: high

From 8b14a5673d36f5ef9dc87280f1af6a22fd888769 Mon Sep 17 00:00:00 2001
From: Alec Costello
Date: Fri, 17 May 2019 15:18:01 +0300
Subject: [PATCH 2/7] Update win_susp_vssadmin_ntds_activity.yml

Updated with SAM and SYSTEM for esentutl
---
 .../process_creation/win_susp_vssadmin_ntds_activity.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml b/rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml
index 27105cafe..f0780c4e7 100644
--- a/rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml
+++ b/rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml
@@ -24,6 +24,8 @@ detection:
 - 'vssadmin delete shadows /for=C:'
 - 'reg SAVE HKLM\SYSTEM '
 - esentutl.exe /y /vss *\ntds.dit*
+ - esentutl.exe /y /vss *\SAM
+ - esentutl.exe /y /vss *\SYSTEM
 condition: selection
 fields:
 - CommandLine

From 3c8be3d48bc240b0f59a0cf2123eacf445e07cea Mon Sep 17 00:00:00 2001
From: Alec Costello
Date: Fri, 17 May 2019 15:19:03 +0300
Subject: [PATCH 3/7] Update win_susp_vssadmin_ntds_activity.yml

---
 .../process_creation/win_susp_vssadmin_ntds_activity.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml b/rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml
index f0780c4e7..3ef734d59 100644
--- a/rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml
+++ b/rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml
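Review bot: Several entries in the `keywords` list are generic words rather than Nishang-specific cmdlet names — `Payload`, `Exploit`, `Jitter`, `Tamper`, `Keylogger`, `EncodedData`, `DataToEncode`, `Shellcode32`, `Shellcode64`, `exfill` — and because `keywords` matches anywhere in the log record, at `level: high` they will fire on ordinary scripts that merely contain those strings; consider dropping them, moving them to a separate lower-level rule, or only raising high when they co-occur with a cmdlet name. `Add-Persistance` looks like a misspelling of Nishang's `Add-Persistence` (compare the `Remove-Persistence` entry a few lines below), which would make that entry never match — verify against the referenced repository. `recommanded` in the `definition` line should read `recommended`. This hunk is the whole new file.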
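Review bot: The two new `esentutl.exe /y /vss` entries end in `*\SAM` and `*\SYSTEM` with no trailing wildcard, unlike the `*\ntds.dit*` entry directly above them, so they only match a command line that ends exactly at the hive name; since `esentutl /y` normally continues with a `/d` destination argument after the source path, the entries as written would rarely fire. Suggest `- esentutl.exe /y /vss *\SAM*` and `- esentutl.exe /y /vss *\SYSTEM*` for consistency with the existing line, or `*\SAM /d*` if the broader match is a concern. The rule's `title` and `description` (outside the hunk) still speak only of NTDS.dit and could mention the SAM/SYSTEM hives now covered.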
@@ -1,7 +1,7 @@
 title: Activity Related to NTDS.dit Domain Hash Retrieval
 status: experimental
 description: Detects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely
-author: Florian Roth, Michael Haag
+author: Florian Roth, Michael Haag, Alec Costello
 references:
 - https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/
 - https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/

From 34d9b4b365a662eb79959e12f04ee6266c52900d Mon Sep 17 00:00:00 2001
From: Alec Costello
Date: Fri, 17 May 2019 16:10:43 +0300
Subject: [PATCH 4/7] Update win_susp_process_creations.yml

Tested the type method redirecting to a file and dumping the hashes out with pwdump. Used the wmic method to create the shadow copy.
---
 .../windows/process_creation/win_susp_process_creations.yml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/rules/windows/process_creation/win_susp_process_creations.yml b/rules/windows/process_creation/win_susp_process_creations.yml
index 2733c9815..b91f22a96 100644
--- a/rules/windows/process_creation/win_susp_process_creations.yml
+++ b/rules/windows/process_creation/win_susp_process_creations.yml
@@ -27,6 +27,10 @@ detection:
 - vssadmin create shadow /for=C:*
 - copy \\?\GLOBALROOT\Device\\*\windows\ntds\ntds.dit*
 - copy \\?\GLOBALROOT\Device\\*\config\SAM*
+ - copy \\?\GLOBALROOT\Device\\*\config\SYSTEM*
+ - type \\?\GLOBALROOT\Device\\*\config\SAM*
+ - type \\?\GLOBALROOT\Device\\*\config\SYSTEM*
+ - type \\?\GLOBALROOT\Device\\*\windows\ntds\ntds.dit*
 - reg SAVE HKLM\SYSTEM *
 - reg SAVE HKLM\SAM *
 - '* sekurlsa:*'
@@ -46,6 +50,7 @@ detection:
 - '*\certutil.exe -ping *'
 - icacls * /grant Everyone:F /T /C /Q
 - '* wmic shadowcopy delete *'
+ - '* wmic shadowcopy call create Volume=*'
 - '* wbadmin.exe delete catalog -quiet*'
 - '*\wscript.exe *.jse'
 - '*\wscript.exe *.js'
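Review bot: The four new `copy`/`type` entries in the first hunk have no leading wildcard, so if the field is matched as a whole string they only fire when the CommandLine value begins with `copy` or `type`; both are cmd.exe builtins, so the logged command line will normally begin with the cmd.exe path (`cmd.exe /c type ...`) and the entries would not match. The existing `copy` lines share this form, while the `'* wmic shadowcopy call create Volume=*'` line added in the second hunk uses the leading-`*` convention of its neighbours — writing the new lines the same way, e.g. `- '* type \\?\GLOBALROOT\Device\\*\config\SAM*'`, would be consistent and more likely to match. Since the `\\?\GLOBALROOT\Device\` path is the distinctive part, a single entry keyed on that path rather than on each leading command would also cover other ways of reading the copied hive; that is a judgement call for the rule owner.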
From 886de39814aa4b2a5dac8cf54ce3a9fc6f6d29a9 Mon Sep 17 00:00:00 2001
From: Alec Costello
Date: Fri, 17 May 2019 17:40:32 +0300
Subject: [PATCH 5/7] Small edits

Got trigger happy, first time doing this, please dont cruicify me.
---
 .../powershell_nishang_malicious_commandlets.yml | 16 ++++++++--------
 .../win_susp_process_creations.yml | 2 +-
 .../win_susp_vssadmin_ntds_activity.yml | 3 ++-
 3 files changed, 11 insertions(+), 10 deletions(-)

diff --git a/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml b/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml
index 9d01de43e..f7a2464dc 100644
--- a/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml
@@ -20,8 +20,8 @@ detection:
 - Execute-OnTime
 - HTTP-Backdoor
 - Set-RemotePSRemoting
- - Set-RemoteWMI
- - Invoke-AmsiBypass
+ - Set-RemoteWMI
+ - Invoke-AmsiBypass
 - Out-CHM
 - Out-Excel
 - Out-HTA
@@ -31,7 +31,7 @@ detection:
 - Out-SCT
 - Out-Shortcut
 - Out-WebQuery
- - Out-Word
+ - Out-Word
 - Enable-Duplication
 - Remove-Update
 - Download-Execute-PS
@@ -50,14 +50,14 @@ detection:
 - Invoke-MimikatzWDigestDowngrade
 - Invoke-SSIDExfil
 - Invoke-SessionGopher
- - Keylogger
- - Invoke-Interceptor
+ - Keylogger
+ - Invoke-Interceptor
 - Create-MultipleSessions
 - Invoke-NetworkRelay
 - Run-EXEonRemote
- - Invoke-Prasadhak
+ - Invoke-Prasadhak
 - Invoke-BruteForce
- - Password-List
+ - Password-List
 - Invoke-JSRatRegsvr
 - Invoke-JSRatRundll
 - Invoke-PoshRatHttps
@@ -65,7 +65,7 @@ detection:
 - Invoke-PowerShellUdp
 - Invoke-PSGcat
 - Invoke-PsGcatAgent
- - Remove-PoshRat
+ - Remove-PoshRat
 - Add-Persistance
 - ExetoText
 - Invoke-Decode
diff --git a/rules/windows/process_creation/win_susp_process_creations.yml b/rules/windows/process_creation/win_susp_process_creations.yml
index b91f22a96..a8684b0cf 100644
--- a/rules/windows/process_creation/win_susp_process_creations.yml
+++ b/rules/windows/process_creation/win_susp_process_creations.yml
@@ -15,7 +15,7 @@ references:
 - https://twitter.com/vector_sec/status/896049052642533376
 - http://security-research.dyndns.org/pub/slides/FIRST-TC-2018/FIRST-TC-2018_Tom-Ueltschi_Sysmon_PUBLIC.pdf
 author: Florian Roth
-modified: 2018/12/11
+modified: 2019/05/17
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml b/rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml
index 3ef734d59..4fb1e8601 100644
--- a/rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml
+++ b/rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml
@@ -1,7 +1,8 @@
 title: Activity Related to NTDS.dit Domain Hash Retrieval
 status: experimental
 description: Detects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely
-author: Florian Roth, Michael Haag, Alec Costello
+author: Florian Roth, Michael Haag
+modified: 2019/05/17
 references:
 - https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/
 - https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/

From 913c839780be7d3323f329f9eaac5b84feff4714 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 31 Jan 2020 15:26:43 +0100
Subject: [PATCH 6/7] added 'id'

---
 .../powershell/powershell_nishang_malicious_commandlets.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml b/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml
index f7a2464dc..0a8b55fb4 100644
--- a/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml
@@ -1,4 +1,5 @@
 title: Malicious Nishang PowerShell Commandlets
+id: f772cee9-b7c2-4cb2-8f07-49870adc02e0
 status: experimental
 description: Detects Commandlet names and arguments from the Nishang exploitation framework
 modified: 2019/05/16

From 7a222920dfcc2f369fe38d53a328fd1de44a0504 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 31 Jan 2020 15:27:30 +0100
Subject: [PATCH 7/7] added 'date'

---
 .../powershell/powershell_nishang_malicious_commandlets.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml b/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml
index 0a8b55fb4..1592ab611 100644
--- a/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_nishang_malicious_commandlets.yml
@@ -2,7 +2,7 @@ title: Malicious Nishang PowerShell Commandlets
 id: f772cee9-b7c2-4cb2-8f07-49870adc02e0
 status: experimental
 description: Detects Commandlet names and arguments from the Nishang exploitation framework
-modified: 2019/05/16
+date: 2019/05/16
 references:
 - https://github.com/samratashok/nishang
 tags: