From 326eebdc7bbe83227ac76555a7c765bcf17373dc Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Mon, 22 Aug 2022 17:17:32 +0200
Subject: [PATCH 1/9] Add file_event_proxy_dropping_executable
---
 .../file_event_proxy_dropping_executable.yml | 47 +++++++++++++++++++
 1 file changed, 47 insertions(+)
 create mode 100644 rules/windows/file_event/file_event_proxy_dropping_executable.yml
diff --git a/rules/windows/file_event/file_event_proxy_dropping_executable.yml b/rules/windows/file_event/file_event_proxy_dropping_executable.yml
new file mode 100644
index 000000000..7a5fba9d5
--- /dev/null
+++ b/rules/windows/file_event/file_event_proxy_dropping_executable.yml
@@ -0,0 +1,47 @@
+title: Legitimate Application Hijacked to Create an Executable
+id: 9f340953-08a6-4ee5-b015-118bf4ee858d
+description: Detects Executable that should not drop executable
+status: experimental
+author: frack113 (sigma)
+references:
+ - https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
+date: 2022/08/21
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ Image|endswith:
+ # Microsoft Office Programs Dropping Executables
+ - \winword.exe
+ - \excel.exe
+ - \powerpnt.exe
+ - \msaccess.exe
+ - \mspub.exe
+ - \eqnedt32.exe
+ - \visio.exe
+ - \wordpad.exe
+ - \wordview.exe
+ # LOLBINs that can be used to download executables
+ - \certutil.exe
+ - \certoc.exe
+ - \CertReq.exe
+ # - \bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env)
+ - \Desktopimgdownldr.exe
+ - \esentutl.exe
+ - \expand.exe
+ - \finger.exe
+ # Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)
+ - \notepad.exe
+ - \AcroRd32.exe
+ - \RdrCEF.exe
+ - \mshta.exe
+ - \hh.exe
+ TargetFilename|endswith: '.exe'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1218
From 911d0fa15887cc3dc2ecb5685252f0465ca83bf3 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Mon, 22 Aug 2022 19:31:17 +0200
Subject: [PATCH 2/9] Add dll and ocx
---
 .../file_event/file_event_proxy_dropping_executable.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/rules/windows/file_event/file_event_proxy_dropping_executable.yml b/rules/windows/file_event/file_event_proxy_dropping_executable.yml
index 7a5fba9d5..bc7731447 100644
--- a/rules/windows/file_event/file_event_proxy_dropping_executable.yml
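Review bot: `falsepositives: - Unknown` at the bottom of the hunk does not reflect what the `Image|endswith` list will trigger on: `\notepad.exe` and `\wordpad.exe` save under whatever filename the user types, so a user saving a file with an `.exe` name from a plain editor matches this `level: high` rule. Name that case, e.g. `falsepositives: - Users saving files with an executable extension from notepad.exe or wordpad.exe`, so analysts triaging hits know the expected benign source. The `# Executables that should never drop an executable to disk` comment above those entries would also benefit from a short note that the plain editors are listed on purpose despite that, since the other two sections explain their reasoning and this one does not.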
+++ b/rules/windows/file_event/file_event_proxy_dropping_executable.yml
@@ -37,7 +37,10 @@ detection:
 - \RdrCEF.exe
 - \mshta.exe
 - \hh.exe
- TargetFilename|endswith: '.exe'
+ TargetFilename|endswith:
+ - '.exe'
+ - '.dll'
+ - '.ocx'
 condition: selection
 falsepositives:
 - Unknown
From 69f6993ed75ce8b8b81c97131a5b2af93a00702e Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 22 Aug 2022 19:48:14 +0200
Subject: [PATCH 3/9] Update file_event_proxy_dropping_executable.yml
---
 .../file_event/file_event_proxy_dropping_executable.yml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/rules/windows/file_event/file_event_proxy_dropping_executable.yml b/rules/windows/file_event/file_event_proxy_dropping_executable.yml
index bc7731447..2f84ff034 100644
--- a/rules/windows/file_event/file_event_proxy_dropping_executable.yml
+++ b/rules/windows/file_event/file_event_proxy_dropping_executable.yml
@@ -1,8 +1,8 @@
-title: Legitimate Application Hijacked to Create an Executable
+title: Legitimate Application Writing an Executable or Script
 id: 9f340953-08a6-4ee5-b015-118bf4ee858d
-description: Detects Executable that should not drop executable
+description: Detects programs on a Windows system that should not write executables or scritps to disk
 status: experimental
-author: frack113 (sigma)
+author: frack113, Florian Roth
 references:
 - https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
 date: 2022/08/21
@@ -41,6 +41,9 @@ detection:
 - '.exe'
 - '.dll'
 - '.ocx'
+ - '.ps1'
+ - '.bat'
+ - '.vbs'
 condition: selection
 falsepositives:
 - Unknown
From bb7539ea56618a7c53e3b7bb76a668312f9c8bc6 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 22 Aug 2022 19:48:52 +0200
Subject: [PATCH 4/9] Update file_event_proxy_dropping_executable.yml
---
 .../windows/file_event/file_event_proxy_dropping_executable.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/file_event/file_event_proxy_dropping_executable.yml b/rules/windows/file_event/file_event_proxy_dropping_executable.yml
index 2f84ff034..52057d05d 100644
--- a/rules/windows/file_event/file_event_proxy_dropping_executable.yml
+++ b/rules/windows/file_event/file_event_proxy_dropping_executable.yml
@@ -1,4 +1,4 @@
-title: Legitimate Application Writing an Executable or Script
+title: Legitimate Application Droped Executable or Script
 id: 9f340953-08a6-4ee5-b015-118bf4ee858d
 description: Detects programs on a Windows system that should not write executables or scritps to disk
 status: experimental
From 848162172a65b70fe5f92a15ece5565141e0f867 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 22 Aug 2022 19:49:17 +0200
Subject: [PATCH 5/9] Update file_event_proxy_dropping_executable.yml
---
 .../windows/file_event/file_event_proxy_dropping_executable.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/file_event/file_event_proxy_dropping_executable.yml b/rules/windows/file_event/file_event_proxy_dropping_executable.yml
index 52057d05d..076c95d8d 100644
--- a/rules/windows/file_event/file_event_proxy_dropping_executable.yml
+++ b/rules/windows/file_event/file_event_proxy_dropping_executable.yml
@@ -1,4 +1,4 @@
-title: Legitimate Application Droped Executable or Script
+title: Legitimate Application Dropped Executable or Script
 id: 9f340953-08a6-4ee5-b015-118bf4ee858d
 description: Detects programs on a Windows system that should not write executables or scritps to disk
 status: experimental
From 60512d7749ac53ba5533658773cfd774b866c687 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 22 Aug 2022 20:13:37 +0200
Subject: [PATCH 6/9] Update file_event_proxy_dropping_executable.yml
---
 .../file_event/file_event_proxy_dropping_executable.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/rules/windows/file_event/file_event_proxy_dropping_executable.yml b/rules/windows/file_event/file_event_proxy_dropping_executable.yml
index 076c95d8d..c66000ee1 100644
--- a/rules/windows/file_event/file_event_proxy_dropping_executable.yml
+++ b/rules/windows/file_event/file_event_proxy_dropping_executable.yml
@@ -44,6 +44,9 @@ detection:
 - '.ps1'
 - '.bat'
 - '.vbs'
+ - '.scf'
+ - '.wsf'
+ - '.wsh'
 condition: selection
 falsepositives:
 - Unknown
From 9f38bce2cadc008801126b9eb3f9248b554f3114 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 22 Aug 2022 20:20:57 +0200
Subject: [PATCH 7/9] refactor: refactored to 3 rules
---
 ..._event_legitimate_app_dropping_archive.yml | 52 +++++++++++++++++++
 ...ile_event_legitimate_app_dropping_exe.yml} | 8 +--
 ...e_event_legitimate_app_dropping_script.yml | 52 +++++++++++++++++++
 3 files changed, 105 insertions(+), 7 deletions(-)
 create mode 100644 rules/windows/file_event/file_event_legitimate_app_dropping_archive.yml
 rename rules/windows/file_event/{file_event_proxy_dropping_executable.yml => file_event_legitimate_app_dropping_exe.yml} (91%)
 create mode 100644 rules/windows/file_event/file_event_legitimate_app_dropping_script.yml
diff --git a/rules/windows/file_event/file_event_legitimate_app_dropping_archive.yml b/rules/windows/file_event/file_event_legitimate_app_dropping_archive.yml
new file mode 100644
index 000000000..f7d3047f8
--- /dev/null
+++ b/rules/windows/file_event/file_event_legitimate_app_dropping_archive.yml
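Review bot: The `TargetFilename|endswith` list extended in this hunk still leaves the script coverage uneven: `.cmd` (same interpreter as the listed `.bat`), `.js`/`.jse`/`.vbe` (Windows Script Host, same host as `.vbs`/`.wsf`) and `.hta` (run by mshta.exe, which is itself in the `Image|endswith` list) are not matched. Add them next to the new entries, e.g. `- '.cmd'`, `- '.js'`, `- '.hta'`, together with `.jse` and `.vbe`. The same gap carries over unchanged into the script rule created by the refactor patch (file_event_legitimate_app_dropping_script.yml), where this list ends up.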
@@ -0,0 +1,52 @@
+title: Legitimate Application Dropped Archive
+id: 9f340953-08a6-4ee5-b015-118bf4ee858d
+description: Detects programs on a Windows system that should not write an archive to disk
+status: experimental
+author: frack113, Florian Roth
+references:
+ - https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
+date: 2022/08/21
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ Image|endswith:
+ # Microsoft Office Programs Dropping Executables
+ - \winword.exe
+ - \excel.exe
+ - \powerpnt.exe
+ - \msaccess.exe
+ - \mspub.exe
+ - \eqnedt32.exe
+ - \visio.exe
+ - \wordpad.exe
+ - \wordview.exe
+ # LOLBINs that can be used to download executables
+ - \certutil.exe
+ - \certoc.exe
+ - \CertReq.exe
+ # - \bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env)
+ - \Desktopimgdownldr.exe
+ - \esentutl.exe
+ # - \expand.exe
+ - \finger.exe
+ # Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)
+ - \notepad.exe
+ - \AcroRd32.exe
+ - \RdrCEF.exe
+ - \mshta.exe
+ - \hh.exe
+ TargetFilename|endswith:
+ - '.zip'
+ - '.rar'
+ - '.7z'
+ - '.diagcab'
+ - '.appx'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1218
diff --git a/rules/windows/file_event/file_event_proxy_dropping_executable.yml b/rules/windows/file_event/file_event_legitimate_app_dropping_exe.yml
similarity index 91%
rename from rules/windows/file_event/file_event_proxy_dropping_executable.yml
rename to rules/windows/file_event/file_event_legitimate_app_dropping_exe.yml
index c66000ee1..e81a063e9 100644
--- a/rules/windows/file_event/file_event_proxy_dropping_executable.yml
+++ b/rules/windows/file_event/file_event_legitimate_app_dropping_exe.yml
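Review bot: The three section comments in this new archive rule are copied verbatim from the executable rule and no longer describe the selection: `# Microsoft Office Programs Dropping Executables`, `# LOLBINs that can be used to download executables` and `# Executables that should never drop an executable to disk (...)` head an `Image|endswith` list that is now paired with `.zip`/`.rar`/`.7z`/`.diagcab`/`.appx` in `TargetFilename|endswith`. Reword them to the archive case, e.g. `# Microsoft Office programs writing archives`, `# LOLBINs that can be used to download archives`, and `# Programs that should never write an archive to disk (but may after a previous process injection or if it's malware that uses a legitimate name)`. The same stale comments are carried into the new script rule (file_event_legitimate_app_dropping_script.yml) in this patch and should be adjusted there too.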
@@ -29,7 +29,7 @@ detection:
 # - \bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env)
 - \Desktopimgdownldr.exe
 - \esentutl.exe
- - \expand.exe
+ # - \expand.exe
 - \finger.exe
 # Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)
 - \notepad.exe
@@ -41,12 +41,6 @@ detection:
 - '.exe'
 - '.dll'
 - '.ocx'
- - '.ps1'
- - '.bat'
- - '.vbs'
- - '.scf'
- - '.wsf'
- - '.wsh'
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/file_event/file_event_legitimate_app_dropping_script.yml b/rules/windows/file_event/file_event_legitimate_app_dropping_script.yml
new file mode 100644
index 000000000..d737a265b
--- /dev/null
+++ b/rules/windows/file_event/file_event_legitimate_app_dropping_script.yml
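Review bot: `# - \expand.exe` is disabled in the first hunk without saying why, while the neighbouring `# - \bitsadmin.exe` entry records its rationale inline; whoever revisits the list later has nothing to go on. Record it the same way, e.g. `# - \expand.exe (extracts .cab contents, so writing .exe/.dll is its normal function; comment in only if you know it is unused in your env)`. The identical bare commented-out line is carried into the new archive and script rules in this patch, so the explanation belongs in all three files.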
@@ -0,0 +1,52 @@
+title: Legitimate Application Dropped Script
+id: 9f340953-08a6-4ee5-b015-118bf4ee858d
+description: Detects programs on a Windows system that should not write scripts to disk
+status: experimental
+author: frack113, Florian Roth
+references:
+ - https://github.com/Neo23x0/sysmon-config/blob/3f808d9c022c507aae21a9346afba4a59dd533b9/sysmonconfig-export-block.xml#L1326
+date: 2022/08/21
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ Image|endswith:
+ # Microsoft Office Programs Dropping Executables
+ - \winword.exe
+ - \excel.exe
+ - \powerpnt.exe
+ - \msaccess.exe
+ - \mspub.exe
+ - \eqnedt32.exe
+ - \visio.exe
+ - \wordpad.exe
+ - \wordview.exe
+ # LOLBINs that can be used to download executables
+ - \certutil.exe
+ - \certoc.exe
+ - \CertReq.exe
+ # - \bitsadmin.exe (depends on the environment; comment in if you're sure that bitsadmin doesn't do that in your env)
+ - \Desktopimgdownldr.exe
+ - \esentutl.exe
+ # - \expand.exe
+ - \finger.exe
+ # Executables that should never drop an executable to disk (but may after a previous process injection or if it's malware that uses a legitimate name)
+ - \AcroRd32.exe
+ - \RdrCEF.exe
+ - \mshta.exe
+ - \hh.exe
+ TargetFilename|endswith:
+ - '.ps1'
+ - '.bat'
+ - '.vbs'
+ - '.scf'
+ - '.wsf'
+ - '.wsh'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1218
From 40a802889bb5f7a04e4807bf6bf6590223fb8428 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 22 Aug 2022 20:22:31 +0200
Subject: [PATCH 8/9] fix: typo
---
 .../file_event/file_event_legitimate_app_dropping_exe.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/file_event/file_event_legitimate_app_dropping_exe.yml b/rules/windows/file_event/file_event_legitimate_app_dropping_exe.yml
index e81a063e9..9847e40d1 100644
--- a/rules/windows/file_event/file_event_legitimate_app_dropping_exe.yml
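Review bot: `\notepad.exe` is left out of this script rule's `Image|endswith` list while `\wordpad.exe` stays, and nothing in the file says why; presumably editing `.bat`/`.ps1` files in Notepad is routine enough to exclude, but WordPad's Save As dialog also takes a user-chosen filename, so the two entries look inconsistent. Either drop `\wordpad.exe` as well or add a comment recording the decision, e.g. `# notepad.exe deliberately not listed: editing scripts in Notepad is common admin activity` above the `# Executables that should never drop an executable to disk` section. `falsepositives: - Unknown` should then name the same case (users saving script files from an editor) rather than leaving it open on a `level: high` rule.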
+++ b/rules/windows/file_event/file_event_legitimate_app_dropping_exe.yml
@@ -1,6 +1,6 @@
 title: Legitimate Application Dropped Executable or Script
 id: 9f340953-08a6-4ee5-b015-118bf4ee858d
-description: Detects programs on a Windows system that should not write executables or scritps to disk
+description: Detects programs on a Windows system that should not write executables to disk
 status: experimental
 author: frack113, Florian Roth
 references:
From 4f815501fd19a49fa6b74b0a6471896c3dc67efa Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 22 Aug 2022 20:30:15 +0200
Subject: [PATCH 9/9] fix: UUIDs
---
 .../file_event/file_event_legitimate_app_dropping_archive.yml | 2 +-
 .../file_event/file_event_legitimate_app_dropping_exe.yml | 4 ++--
 .../file_event/file_event_legitimate_app_dropping_script.yml | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/rules/windows/file_event/file_event_legitimate_app_dropping_archive.yml b/rules/windows/file_event/file_event_legitimate_app_dropping_archive.yml
index f7d3047f8..a50faf8b5 100644
--- a/rules/windows/file_event/file_event_legitimate_app_dropping_archive.yml
+++ b/rules/windows/file_event/file_event_legitimate_app_dropping_archive.yml
@@ -1,5 +1,5 @@
 title: Legitimate Application Dropped Archive
-id: 9f340953-08a6-4ee5-b015-118bf4ee858d
+id: 654fcc6d-840d-4844-9b07-2c3300e54a26
 description: Detects programs on a Windows system that should not write an archive to disk
 status: experimental
 author: frack113, Florian Roth
diff --git a/rules/windows/file_event/file_event_legitimate_app_dropping_exe.yml b/rules/windows/file_event/file_event_legitimate_app_dropping_exe.yml
index 9847e40d1..f9abb5613 100644
--- a/rules/windows/file_event/file_event_legitimate_app_dropping_exe.yml
+++ b/rules/windows/file_event/file_event_legitimate_app_dropping_exe.yml
@@ -1,5 +1,5 @@
-title: Legitimate Application Dropped Executable or Script
-id: 9f340953-08a6-4ee5-b015-118bf4ee858d
+title: Legitimate Application Dropped Executable
+id: f0540f7e-2db3-4432-b9e0-3965486744bc
 description: Detects programs on a Windows system that should not write executables to disk
 status: experimental
 author: frack113, Florian Roth
diff --git a/rules/windows/file_event/file_event_legitimate_app_dropping_script.yml b/rules/windows/file_event/file_event_legitimate_app_dropping_script.yml
index d737a265b..654cbae90 100644
--- a/rules/windows/file_event/file_event_legitimate_app_dropping_script.yml
+++ b/rules/windows/file_event/file_event_legitimate_app_dropping_script.yml
@@ -1,5 +1,5 @@
 title: Legitimate Application Dropped Script
-id: 9f340953-08a6-4ee5-b015-118bf4ee858d
+id: 7d604714-e071-49ff-8726-edeb95a70679
 description: Detects programs on a Windows system that should not write scripts to disk
 status: experimental
 author: frack113, Florian Roth