Merge pull request #3646 from nasbench/nasbench-rule-devel

Rule Dev
2022-10-28 06:34:48 +02:00
parent b5a43a0815 8e3d1fa653
commit 625f05df3c
19 changed files with 282 additions and 63 deletions
@@ -4,32 +4,52 @@ status: test
 description: Detects Windows Webshells that use GET requests via access logs
 references:
    - https://bad-jubies.github.io/RCE-NOW-WHAT/
+    - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
 author: Florian Roth, Nasreddine Bencherchali
 date: 2017/02/19
-modified: 2022/06/14
+modified: 2022/10/26
 tags:
    - attack.persistence
    - attack.t1505.003
 logsource:
    category: webserver
 detection:
-    select_method:
+    selection_method:
        cs-method: 'GET'
-    keywords:
-        - =whoami
-        - =net%20user
-        - =cmd%20/c%20
-        - =powershell%20
-        - =tasklist%20
-        - =wmic%20
-        - =ssh%20 #available on windows
-        - =python%20
-        - =ipconfig
-        - =wget%20 #available on windows
-        - =curl%20 #available on windows
-        - =certutil
-        - =copy%20%5C%5C
-    condition: select_method and keywords
+    selection_keywords:
+        # The "%20" is URL encoded version of the space
+        # The "%2B" is URL encoded version of the "+"
+        - '=whoami'
+        - '=net%20user'
+        - '=net+user'
+        - '=net%2Buser'
+        - '=cmd%20/c%'
+        - '=cmd+/c+'
+        - '=cmd%2B/c%'
+        - '=powershell%'
+        - '=powershell+'
+        - '=tasklist%'
+        - '=tasklist+'
+        - '=wmic%'
+        - '=wmic+'
+        - '=ssh%'
+        - '=ssh+'
+        - '=python%'
+        - '=python+'
+        - '=python3%'
+        - '=python3+'
+        - '=ipconfig'
+        - '=wget%'
+        - '=wget+'
+        - '=curl%'
+        - '=curl+'
+        - '=certutil'
+        - '=copy%20%5C%5C'
+        - '=dsquery%'
+        - '=dsquery+'
+        - '=nltest%'
+        - '=nltest+'
+    condition: all of selection_*
 fields:
    - client_ip
    - vhost
@@ -6,7 +6,7 @@ references:
    - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
 author: Florian Roth, Rich Warren, Christian Burkard
 date: 2021/08/09
-modified: 2022/02/01
+modified: 2022/10/26
 tags:
    - attack.persistence
    - attack.t1505.003
@@ -18,14 +18,13 @@ detection:
        - 'New-MailboxExportRequest'
        - ' -Mailbox '
    export_params:
-        - '-FilePath "\\\\localhost\\C$'
-        - '-FilePath "\\\\127.0.0.1\\C$'
+        - '-FilePath "\\\\' # We care about any share location
        - '.aspx'
    role_assignment:
        - 'New-ManagementRoleAssignment'
        - ' -Role "Mailbox Import Export"'
        - ' -User '
-    condition: (all of export_command and export_params) or all of role_assignment
+    condition: all of export_* or role_assignment
 falsepositives:
    - Unlikely
 level: critical
@@ -0,0 +1,25 @@
+title: PAExec Service Installation
+id: de7ce410-b3fb-4e8a-b38c-3b999e2c3420
+status: experimental
+description: Detects PAExec service installation
+references:
+    - https://www.poweradmin.com/paexec/
+author: Nasreddine Bencherchali
+date: 2022/10/26
+tags:
+    - attack.execution
+    - attack.t1569.002
+logsource:
+    product: windows
+    service: system
+detection:
+    selection_eid:
+        Provider_Name: 'Service Control Manager'
+        EventID: 7045
+    selection_image:
+        - ServiceName|startswith: 'PAExec-'
+        - ImagePath|startswith: 'C:\WINDOWS\PAExec-'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: medium
@@ -1,4 +1,4 @@
-title: PsExec Tool Execution
+title: PsExec Service Installation
 id: 42c575ea-e41e-41f1-b248-8093c3e82a28
 status: experimental
 description: Detects PsExec service installation and execution events (service and Sysmon)
@@ -7,7 +7,7 @@ references:
    - https://jpcertcc.github.io/ToolAnalysisResultSheet
 author: Thomas Patzke
 date: 2017/06/12
-modified: 2022/03/21
+modified: 2022/10/26
 tags:
    - attack.execution
    - attack.t1569.002
@@ -24,7 +24,7 @@ detection:
    service_execution:
        EventID: 7036
        ServiceName: 'PSEXESVC'
-    condition: service_installation or service_execution
+    condition: 1 of service_*
 fields:
    - EventID
    - CommandLine
@@ -0,0 +1,22 @@
+title: Exchange PowerShell Cmdlet History Deleted
+id: a55349d8-9588-4c5a-8e3b-1925fe2a4ffe
+status: experimental
+description: Detects the deletion of the Exchange PowerShell cmdlet History logs which may indicate an attempt to destroy forensic evidence
+references:
+    - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
+author: Nasreddine Bencherchali
+date: 2022/10/26
+tags:
+    - attack.defense_evasion
+    - attack.t1070
+logsource:
+    category: file_delete
+    product: windows
+detection:
+    selection:
+        FileName|startswith: '\Logging\CmdletInfra\LocalPowerShell\Cmdlet\'
+        FileName|contains: '_Cmdlet_'
+    condition: selection
+falsepositives:
+    - Possible FP during log rotation
+level: high
@@ -1,16 +1,16 @@
-title: PsExec Tool Execution
+title: PsExec Service File Creation
 id: 259e5a6a-b8d2-4c38-86e2-26c5e651361d
 related:
    - id: 42c575ea-e41e-41f1-b248-8093c3e82a28
      type: derived
 status: test
-description: Detects PsExec service installation and execution events (service and Sysmon)
+description: Detects default PsExec service filename which indicates PsExec service installation and execution
 references:
    - https://www.jpcert.or.jp/english/pub/sr/ir_research.html
    - https://jpcertcc.github.io/ToolAnalysisResultSheet
 author: Thomas Patzke
 date: 2017/06/12
-modified: 2022/10/09
+modified: 2022/10/26
 tags:
    - attack.execution
    - attack.t1569.002
@@ -20,10 +20,10 @@ detection:
    selection:
        PipeName:
            - '\atctl'       # https://www.virustotal.com/#/file/a4ddb2664a6c87a1d3c5da5a5a32a5df9a0b0c8f2e951811bd1ec1d44d42ccf1/detection
-            - '\userpipe'       # ruag apt case
-            - '\iehelper'       # ruag apt case
-            - '\sdlrpc'       # project cobra https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
-            - '\comnap'       # https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
+            - '\userpipe'    # ruag apt case
+            - '\iehelper'    # ruag apt case
+            - '\sdlrpc'      # project cobra https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
+            - '\comnap'      # https://www.gdatasoftware.com/blog/2015/01/23926-analysis-of-project-cobra
            # - '\rpc'  # may cause too many false positives : http://kb.palisade.com/index.php?pg=kb.page&id=483
    condition: selection
 falsepositives:
@@ -0,0 +1,22 @@
+title: PAExec Default Named Pipe
+id: f6451de4-df0a-41fa-8d72-b39f54a08db5
+status: test
+description: Detects PAExec default named pipe
+references:
+    - https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/efa17a600b43c897b4b7463cc8541daa1987eeb4/Command%20and%20Control/C2-NamedPipe.md
+author: Nasreddine Bencherchali
+date: 2022/10/26
+tags:
+    - attack.execution
+    - attack.t1569.002
+logsource:
+    category: pipe_created
+    product: windows
+    definition: 'Note that you have to configure logging for Named Pipe Events in Sysmon config (Event ID 17 and Event ID 18). The basic configuration is in popular sysmon configuration (https://github.com/SwiftOnSecurity/sysmon-config), but it is worth verifying. You can also use other repo, e.g. https://github.com/Neo23x0/sysmon-config, https://github.com/olafhartong/sysmon-modular. How to test detection? You can check powershell script from this site https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575'
+detection:
+    selection:
+        PipeName|startswith: '\PAExec'
+    condition: selection
+falsepositives:
+    - Unknown
+level: medium
@@ -1,4 +1,4 @@
-title: PsExec Tool Execution
+title: PsExec Default Named Pipe
 id: f3f3a972-f982-40ad-b63c-bca6afdfad7c
 related:
    - id: 42c575ea-e41e-41f1-b248-8093c3e82a28
@@ -0,0 +1,24 @@
+title: Suspicious PowerShell Mailbox SMTP Forward Rule
+id: 15b7abbb-8b40-4d01-9ee2-b51994b1d474
+status: experimental
+description: Detects usage of the powerShell Set-Mailbox Cmdlet to set-up an SMTP forwarding rule.
+references:
+    - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
+author: Nasreddine Bencherchali
+date: 2022/10/26
+tags:
+    - attack.exfiltration
+logsource:
+    product: windows
+    category: ps_script
+    definition: Script block logging must be enabled
+detection:
+    selection:
+        ScriptBlockText|contains|all:
+            - 'Set-Mailbox '
+            - ' -DeliverToMailboxAndForward '
+            - ' -ForwardingSmtpAddress '
+    condition: selection
+falsepositives:
+    - Legitimate usage of the cmdlet to forward emails
+level: medium
@@ -0,0 +1,33 @@
+title: Suspicious PowerShell Mailbox Export to Share - PS
+id: 4a241dea-235b-4a7e-8d76-50d817b146c4
+related:
+    - id: 889719ef-dd62-43df-86c3-768fb08dc7c0
+      type: derived
+status: experimental
+description: Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations
+references:
+    - https://youtu.be/5mqid-7zp8k?t=2481
+    - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
+    - https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
+    - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
+author: Nasreddine Bencherchali
+date: 2022/10/26
+tags:
+    - attack.exfiltration
+logsource:
+    product: windows
+    category: ps_script
+    definition: Script block logging must be enabled
+detection:
+    selection:
+        ScriptBlockText|contains|all:
+            - 'New-MailboxExportRequest'
+            - ' -Mailbox '
+            - ' -FilePath \\\\'
+    condition: selection
+falsepositives:
+    - Unknown
+level: critical
+fields:
+    - CommandLine
+    - ParentCommandLine
@@ -1,23 +1,26 @@
 title: Suspicious PowerShell Mailbox Export to Share
 id: 889719ef-dd62-43df-86c3-768fb08dc7c0
 status: experimental
-description: Detects a PowerShell New-MailboxExportRequest that exports a mailbox to a local share, as used in ProxyShell exploitations
+description: Detects usage of the powerShell New-MailboxExportRequest Cmdlet to exports a mailbox to a remote or local share, as used in ProxyShell exploitations
 references:
    - https://youtu.be/5mqid-7zp8k?t=2481
    - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
    - https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
+    - https://m365internals.com/2022/10/07/hunting-in-on-premises-exchange-server-logs/
 author: Florian Roth
 date: 2021/08/07
-modified: 2022/02/01
+modified: 2022/10/26
+tags:
+    - attack.exfiltration
 logsource:
    category: process_creation
    product: windows
 detection:
    selection:
        CommandLine|contains|all:
-            - 'New-MailboxExport'
+            - 'New-MailboxExportRequest'
            - ' -Mailbox '
-            - ' -FilePath \\\\127.0.0.1\\C$'
+            - ' -FilePath \\\\'
    condition: selection
 falsepositives:
    - Unknown
@@ -25,8 +28,3 @@ level: critical
 fields:
    - CommandLine
    - ParentCommandLine
-tags:
-   - attack.persistence  
-   - attack.t1505.003
-   - attack.resource_development
-   - attack.t1584.006
@@ -1,27 +1,67 @@
 title: PsExec/PAExec Escalation to LOCAL SYSTEM
 id: 8834e2f7-6b4b-4f09-8906-d2276470ee23
+related:
+    - id: 207b0396-3689-42d9-8399-4222658efc99
+      type: similar
 status: experimental
 description: Detects suspicious flags used by PsExec and PAExec to escalate a command line to LOCAL_SYSTEM rights
 references:
    - https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
    - https://www.poweradmin.com/paexec/
    - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
-author: Florian Roth
+author: Florian Roth, Nasreddine Bencherchali
 date: 2021/11/23
-modified: 2022/08/24
+modified: 2022/10/26
 logsource:
    category: process_creation
    product: windows
 detection:
-    selection: # Escalation to LOCAL_SYSTEM
-        CommandLine|endswith: ' -s cmd.exe'
+    selection_sys: # Escalation to LOCAL_SYSTEM
        CommandLine|contains:
-            - 'PsExec'
-            - 'PAExec'
+            # Note that you don't need to add the ".exe" part when using psexec/paexec
+            # The "-" can also be replaced with "/"
+            # The order of args isn't important
+            # "cmd" can be replaced by "powershell", "pwsh" or any other console like software
+            - ' -s cmd'
+            - ' /s cmd'
+            - ' -s -i cmd'
+            - ' /s /i cmd'
+            - ' /s -i cmd'
+            - ' -s /i cmd'
+            - ' -i -s cmd'
+            - ' /i /s cmd'
+            - ' -i /s cmd'
+            - ' /i -s cmd'
+            # Pwsh (For PowerShell 7)
+            - ' -s pwsh'
+            - ' /s pwsh'
+            - ' -s -i pwsh'
+            - ' /s /i pwsh'
+            - ' /s -i pwsh'
+            - ' -s /i pwsh'
+            - ' -i -s pwsh'
+            - ' /i /s pwsh'
+            - ' -i /s pwsh'
+            - ' /i -s pwsh'
+            # PowerShell (For PowerShell 5)
+            - ' -s powershell'
+            - ' /s powershell'
+            - ' -s -i powershell'
+            - ' /s /i powershell'
+            - ' /s -i powershell'
+            - ' -s /i powershell'
+            - ' -i -s powershell'
+            - ' /i /s powershell'
+            - ' -i /s powershell'
+            - ' /i -s powershell'
+    selection_other:
+        CommandLine|contains:
+            - 'psexec'
+            - 'paexec'
            - 'accepteula'
            - 'cmd /c '
            - 'cmd /k '
-    condition: selection
+    condition: all of selection_*
 falsepositives:
    - Admins that use PsExec or PAExec to escalate to the SYSTEM account for maintenance purposes (rare)
 level: high
@@ -1,12 +1,15 @@
 title: PsExec/PAExec Flags
 id: 207b0396-3689-42d9-8399-4222658efc99
+related:
+    - id: 8834e2f7-6b4b-4f09-8906-d2276470ee23
+      type: similar
 status: experimental
 description: Detects suspicious flags used by PsExec and PAExec but no usual program name in command line
 references:
    - https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
    - https://www.poweradmin.com/paexec/
    - https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
-author: Florian Roth
+author: Florian Roth, Nasreddine Bencherchali
 date: 2021/05/22
 modified: 2022/10/06
 logsource:
@@ -15,9 +18,43 @@ logsource:
 detection:
    selection_flags_1:
        # Escalation to LOCAL_SYSTEM
-        CommandLine|endswith:
-            - ' -s cmd.exe'
-            - ' -s -i cmd.exe'
+        CommandLine|contains:
+            # Note that you don't need to add the ".exe" part when using psexec/paexec
+            # The "-" can also be replaced with "/"
+            # The order of args isn't important
+            # "cmd" can be replaced by "powershell", "pwsh" or any other console like software
+            - ' -s cmd'
+            - ' /s cmd'
+            - ' -s -i cmd'
+            - ' /s /i cmd'
+            - ' /s -i cmd'
+            - ' -s /i cmd'
+            - ' -i -s cmd'
+            - ' /i /s cmd'
+            - ' -i /s cmd'
+            - ' /i -s cmd'
+            # Pwsh (For PowerShell 7)
+            - ' -s pwsh'
+            - ' /s pwsh'
+            - ' -s -i pwsh'
+            - ' /s /i pwsh'
+            - ' /s -i pwsh'
+            - ' -s /i pwsh'
+            - ' -i -s pwsh'
+            - ' /i /s pwsh'
+            - ' -i /s pwsh'
+            - ' /i -s pwsh'
+            # PowerShell (For PowerShell 5)
+            - ' -s powershell'
+            - ' /s powershell'
+            - ' -s -i powershell'
+            - ' /s /i powershell'
+            - ' /s -i powershell'
+            - ' -s /i powershell'
+            - ' -i -s powershell'
+            - ' /i /s powershell'
+            - ' -i /s powershell'
+            - ' /i -s powershell'
    selection_flags_2:
        # Accepting EULA in commandline - often used in automated attacks
        CommandLine|contains|all:
@@ -1,12 +1,12 @@
 title: Renamed PAExec
 id: c4e49831-1496-40cf-8ce1-b53f942b02f9
 status: test
-description: Detects suspicious renamed PAExec execution as often used by attackers
+description: Detects execution of renamed version of PAExec. Often used by attackers
 references:
    - https://www.poweradmin.com/paexec/
 author: Florian Roth
 date: 2021/05/22
-modified: 2022/10/09
+modified: 2022/10/26
 tags:
    - attack.defense_evasion
    - attack.t1202
@@ -14,16 +14,15 @@ logsource:
    category: process_creation
    product: windows
 detection:
-    selection1:
-        Description: 'PAExec Application'
-    selection2:
-        OriginalFileName: 'PAExec.exe'
+    selection:
+        - Description: 'PAExec Application'
+        - OriginalFileName: 'PAExec.exe'
    filter:
-        Image|endswith:
-            - '\PAexec.exe'
-            - '\paexec.exe'
-    condition: ( selection1 or selection2 ) and not filter
+        - Image|endswith: '\paexec.exe'
+        - Image|startswith: 'C:\Windows\PAExec-'
+    condition: selection and not filter
 falsepositives:
    - Weird admins that rename their tools
    - Software companies that bundle PAExec with their software and rename it, so that it is less embarrassing
+    - When executed with the "-s" flag. PAExec will copy itself to the "C:\Windows\" directory with a different name. Usually like this "PAExec-[XXXXX]-[ComputerName]"
 level: high
@@ -4,7 +4,7 @@ related:
    - id: 42c575ea-e41e-41f1-b248-8093c3e82a28
      type: derived
 status: experimental
-description: Detects PsExec service installation and execution events (service and Sysmon)
+description: Detects PsExec service execution via default service image name
 author: Thomas Patzke
 date: 2017/06/12
 modified: 2022/05/27