From b170af5687aab9765306ec73efb0c22d4761522d Mon Sep 17 00:00:00 2001
From: David ANDRE
Date: Fri, 9 Sep 2022 16:08:19 +0200
Subject: [PATCH 1/3] Added rule for sam the admin suspicious computer

---
 .../security/win_susp_computer_name.yml | 35 +++++++++++++++++++
 .../file_change_win_2022_timestomping.yml | 4 +--
 2 files changed, 37 insertions(+), 2 deletions(-)
 create mode 100644 rules/windows/builtin/security/win_susp_computer_name.yml

diff --git a/rules/windows/builtin/security/win_susp_computer_name.yml b/rules/windows/builtin/security/win_susp_computer_name.yml
new file mode 100644
index 000000000..e85500077
--- /dev/null
+++ b/rules/windows/builtin/security/win_susp_computer_name.yml
@@ -0,0 +1,35 @@
+title: Win Susp Computer Name containing samtheadmin
+id: 39698b3f-da92-4bc6-bfb5-645a98386e45
+status: experimental
+description: Detects suspicious computer name
+author: elhoim
+date: 2022/09/09
+references:
+ - https://twitter.com/malmoeb/status/1511760068743766026
+ - https://github.com/WazeHell/sam-theadmin/blob/main/sam_the_admin.py
+ - https://github.com/helloexp/0day/blob/614227a7b9beb0e91e7e2c6a5e532e6f7a8e883c/00-CVE_EXP/CVE-2021-42287/sam-the-admin/sam_the_admin.py
+tags:
+ - cve.2021.42278
+ - cve.2021.42287
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1078
+logsource:
+ category: security
+ product: windows
+detection:
+ selection1:
+ SamAccountName|startswith: 'SAMTHEADMIN-'
+ SamAccountName|endswith: '$'
+ selection2:
+ TargetUserName|startswith: 'SAMTHEADMIN-'
+ TargetUserName|endswith: '$'
+ condition: 1 of selection*
+ fields:
+ - EventID
+ - SamAccountName
+ - SubjectUserName
+ - TargetUserName
+falsepositives:
+ - Unknown
+level: critical
diff --git a/rules/windows/file_change/file_change_win_2022_timestomping.yml b/rules/windows/file_change/file_change_win_2022_timestomping.yml
index cfdf05658..0a2643eaf 100644
--- a/rules/windows/file_change/file_change_win_2022_timestomping.yml
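Review bot: The two selections only look at `SamAccountName` and `TargetUserName`, so the rename steps of the sAMAccountName-spoofing chain (the tool first renames the `SAMTHEADMIN-N$` account to the DC's name without `$`, then renames it back) are, if I recall the 4781 schema correctly, only visible in `OldTargetUserName`/`NewTargetUserName` and would not match here; since the comment's stated goal is "any event in security", add a third selection without the `$` requirement: `selection3:` / `- OldTargetUserName|startswith: 'SAMTHEADMIN-'` / `- NewTargetUserName|startswith: 'SAMTHEADMIN-'`. The prefix is also a tool default that a one-line edit removes, so the description or a comment should say this catches unmodified `sam_the_admin.py` only and should sit next to a behaviour-based CVE-2021-42278 rule (e.g. 4742 where the new sAMAccountName lacks a trailing `$`) rather than replace one. `falsepositives: Unknown` at `level: critical` is acceptable for a hacktool string, but a note that the only legitimate source would be a deliberate test run of the tool would help triage.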
+++ b/rules/windows/file_change/file_change_win_2022_timestomping.yml
@@ -8,7 +8,7 @@ references:
 - https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html
 author: frack113, Florian Roth
 date: 2022/08/12
-modified: 2022/09/05
+modified: 2022/09/09
 tags:
 - attack.t1070.006
 - attack.defense_evasion
@@ -33,7 +33,7 @@ detection:
 - TargetFilename|endswith:
 - '.tmp'
 - '.temp'
- condition: ( selection1 and not filter1 ) or ( selection2 and not filter2 ) and not 1 of gen_filter*
+ condition: (( selection1 and not filter1 ) or ( selection2 and not filter2 )) and not 1 of gen_filter*
 falsepositives:
 - Changes made to or by the local NTP service
 level: high

From 9a77542bc6dc85805ab10e7cc6ee9500f09ff9e4 Mon Sep 17 00:00:00 2001
From: David ANDRE
Date: Fri, 9 Sep 2022 16:11:07 +0200
Subject: [PATCH 2/3] Add comment to explain lack of eventID\nBetter description

---
 rules/windows/builtin/security/win_susp_computer_name.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/rules/windows/builtin/security/win_susp_computer_name.yml b/rules/windows/builtin/security/win_susp_computer_name.yml
index e85500077..f28ddfb24 100644
--- a/rules/windows/builtin/security/win_susp_computer_name.yml
+++ b/rules/windows/builtin/security/win_susp_computer_name.yml
@@ -1,7 +1,7 @@
 title: Win Susp Computer Name containing samtheadmin
 id: 39698b3f-da92-4bc6-bfb5-645a98386e45
 status: experimental
-description: Detects suspicious computer name
+description: Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool
 author: elhoim
 date: 2022/09/09
 references:
@@ -18,6 +18,7 @@ logsource:
 category: security
 product: windows
 detection:
+ # Not adding an EventID on purpose to try to match on any event in security (including use of account), not just 4741 (computer account created)
 selection1:
 SamAccountName|startswith: 'SAMTHEADMIN-'
 SamAccountName|endswith: '$'
From b9cc206d9d67c7a9a4be66cf605cf8f1d04a8d93 Mon Sep 17 00:00:00 2001
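Review bot: The new `# Not adding an EventID on purpose …` comment explains the missing `EventID` but leaves the reader to wonder why the description says lower-case `samtheadmin-{1..100}$` while the selections match upper-case `'SAMTHEADMIN-'`; Sigma string modifiers are case-insensitive by specification, so this is fine, but it is worth stating next to the selections: `# Sigma matching is case-insensitive; the tool emits lower-case samtheadmin-N$ names`. The same comment could name the other events the author expects to hit without an `EventID` filter (4742, 4624/4768/4769 via `TargetUserName`), since "any event in security" only holds for events that carry one of the two selected fields. The `description` hunk's `{1..100}` is the tool's `random.randint` range as referenced and should be kept in sync if the references change.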
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Fri, 9 Sep 2022 18:53:48 +0200
Subject: [PATCH 3/3] Update win_susp_computer_name.yml

---
 .../builtin/security/win_susp_computer_name.yml | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/rules/windows/builtin/security/win_susp_computer_name.yml b/rules/windows/builtin/security/win_susp_computer_name.yml
index f28ddfb24..285be837e 100644
--- a/rules/windows/builtin/security/win_susp_computer_name.yml
+++ b/rules/windows/builtin/security/win_susp_computer_name.yml
@@ -1,4 +1,4 @@
-title: Win Susp Computer Name containing samtheadmin
+title: Win Susp Computer Name Containing Samtheadmin
 id: 39698b3f-da92-4bc6-bfb5-645a98386e45
 status: experimental
 description: Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool
@@ -26,11 +26,11 @@ detection:
 TargetUserName|startswith: 'SAMTHEADMIN-'
 TargetUserName|endswith: '$'
 condition: 1 of selection*
- fields:
- - EventID
- - SamAccountName
- - SubjectUserName
- - TargetUserName
+fields:
+ - EventID
+ - SamAccountName
+ - SubjectUserName
+ - TargetUserName
 falsepositives:
- - Unknown
+ - Unknown
 level: critical