From 70f9ff61ca3c1d78f101fa84ee8264d41f57e9b3 Mon Sep 17 00:00:00 2001 
From: "nasreddine.bencherchali@nextron-systems.com" <8741929+nasbench@users.noreply.github.com> Date: Fri, 9 Sep 2022 15:02:31 +0200 Subject: [PATCH] Big Update --- .../posh_ps_root_certificate_installed.yml | 8 +-- .../proc_creation_win_apt_hurricane_panda.yml | 30 +++++------ .../proc_creation_win_apt_wocao.yml | 6 +-- ...reation_win_email_exfil_via_powershell.yml | 30 +++++++++++ ...reation_win_import_cert_susp_locations.yml | 32 ++++++++++++ ...eation_win_mal_hermetic_wiper_activity.yml | 38 +++++++------- ..._creation_win_malware_conti_shadowcopy.yml | 6 +-- .../proc_creation_win_malware_notpetya.yml | 50 +++++++++---------- .../proc_creation_win_net_add_local_user.yml | 26 ++++++++++ ..._win_net_default_accounts_manipulation.yml | 5 ++ .../proc_creation_win_net_recon.yml | 8 +-- ...proc_creation_win_netsh_allow_port_rdp.yml | 16 +++--- .../proc_creation_win_node_abuse.yml | 34 +++++++++++++ ...reation_win_redirect_local_admin_share.yml | 26 ++++++++++ .../proc_creation_win_reg_enable_rdp.yml | 5 +- ...proc_creation_win_susp_add_local_admin.yml | 23 ++++++--- ...ation_win_susp_add_user_remote_desktop.yml | 24 ++++++--- ...creation_win_susp_new_service_creation.yml | 3 +- .../proc_creation_win_susp_reg_add.yml | 3 +- .../proc_creation_win_susp_reg_bitlocker.yml | 13 +++-- ...proc_creation_win_susp_schtasks_delete.yml | 36 +++++++++++++ ..._creation_win_susp_schtasks_delete_all.yml | 25 ++++++++++ ...roc_creation_win_susp_schtasks_disable.yml | 18 +++---- ...eation_win_susp_schtasks_schedule_type.yml | 18 ++++--- ...win_susp_schtasks_schedule_type_system.yml | 37 ++++++++++++++ ...creation_win_user_discovery_get_aduser.yml | 30 +++++++++++ .../proc_creation_win_wevtutil_recon.yml | 28 +++++++++++ .../registry_event_net_ntlm_downgrade.yml | 4 +- .../registry_set_disable_system_restore.yml | 8 +-- .../registry_set_enabling_turnoffcheck.yml | 3 +- .../registry_set_hide_function_user.yml | 2 +- ...stry_set_install_root_or_ca_certificat.yml | 2 +- 
...set_winlogon_allow_multiple_tssessions.yml | 22 ++++++++ 33 files changed, 492 insertions(+), 127 deletions(-) create mode 100644 rules/windows/process_creation/proc_creation_win_email_exfil_via_powershell.yml create mode 100644 rules/windows/process_creation/proc_creation_win_import_cert_susp_locations.yml create mode 100644 rules/windows/process_creation/proc_creation_win_net_add_local_user.yml create mode 100644 rules/windows/process_creation/proc_creation_win_node_abuse.yml create mode 100644 rules/windows/process_creation/proc_creation_win_redirect_local_admin_share.yml create mode 100644 rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml create mode 100644 rules/windows/process_creation/proc_creation_win_susp_schtasks_delete_all.yml create mode 100644 rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type_system.yml create mode 100644 rules/windows/process_creation/proc_creation_win_user_discovery_get_aduser.yml create mode 100644 rules/windows/process_creation/proc_creation_win_wevtutil_recon.yml create mode 100644 rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml diff --git a/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml b/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml index 11e8de26c..7340abc67 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_root_certificate_installed.yml 
@@ -17,12 +17,12 @@ logsource: detection: selection1: ScriptBlockText|contains|all: - - 'Move-Item' - - 'Cert:\LocalMachine\Root' + - 'Move-Item' + - 'Cert:\LocalMachine\Root' selection2: ScriptBlockText|contains|all: - - 'Import-Certificate' - - 'Cert:\LocalMachine\Root' + - 'Import-Certificate' + - 'Cert:\LocalMachine\Root' condition: 1 of selection* falsepositives: - Help Desk or IT may need to manually add a corporate Root CA on occasion. Need to test if GPO push doesn't trigger FP diff --git a/rules/windows/process_creation/proc_creation_win_apt_hurricane_panda.yml b/rules/windows/process_creation/proc_creation_win_apt_hurricane_panda.yml index e8169e203..5859e1083 100755 --- a/rules/windows/process_creation/proc_creation_win_apt_hurricane_panda.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_hurricane_panda.yml @@ -4,25 +4,25 @@ status: test description: Detects Hurricane Panda Activity author: Florian Roth references: - - https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/ + - https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/ date: 2019/03/04 modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection: - - CommandLine|contains|all: - - 'localgroup' - - 'admin' - - '/add' - - CommandLine|contains: - - '\Win64.exe' - condition: selection + selection: + - CommandLine|contains|all: + - 'localgroup' + - 'admin' + - '' + - CommandLine|contains: + - '\Win64.exe' + condition: selection falsepositives: - - Unknown + - Unknown level: high tags: - - attack.privilege_escalation - - attack.g0009 - - attack.t1068 + - attack.privilege_escalation + - attack.g0009 + - attack.t1068 
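Review bot: On the new side of the hurricane_panda hunk the `CommandLine|contains|all` list now reads `- 'localgroup'`, `- 'admin'`, `- ''` — the `'/add'` entry was replaced by an empty string during the re-indent. An empty `contains` value matches every command line (and some backends reject it outright), so the selection degrades to `localgroup` + `admin` and fires on plain enumeration such as `net localgroup administrators`, which is not the privilege-escalation pattern the rule documents. This looks accidental rather than an intended broadening; restore `- '/add'`.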
diff --git a/rules/windows/process_creation/proc_creation_win_apt_wocao.yml b/rules/windows/process_creation/proc_creation_win_apt_wocao.yml index 8897c3feb..5aeb7d762 100644 --- a/rules/windows/process_creation/proc_creation_win_apt_wocao.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_wocao.yml @@ -10,7 +10,7 @@ references: - https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/ - https://twitter.com/SBousseaden/status/1207671369963646976 tags: - - attack.discovery + - attack.discovery - attack.t1012 - attack.defense_evasion - attack.t1036.004 @@ -25,7 +25,7 @@ logsource: product: windows detection: selection: - CommandLine|contains: + CommandLine|contains: - 'checkadmin.exe 127.0.0.1 -all' - 'netsh advfirewall firewall add rule name=powershell dir=in' - 'cmd /c powershell.exe -ep bypass -file c:\s.ps1' @@ -39,4 +39,4 @@ detection: condition: selection falsepositives: - Administrators that use checkadmin.exe tool to enumerate local administrators -level: high \ No newline at end of file +level: high diff --git a/rules/windows/process_creation/proc_creation_win_email_exfil_via_powershell.yml b/rules/windows/process_creation/proc_creation_win_email_exfil_via_powershell.yml new file mode 100644 index 000000000..27af17f89 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_email_exfil_via_powershell.yml 
@@ -0,0 +1,30 @@
+title: Email Exifiltration Via Powershell
+id: 312d0384-401c-4b8b-abdf-685ffba9a332
+status: experimental
+description: Detects email exfiltration via powershell cmdlets
+author: Nasreddine Bencherchali (rule), Azure-Sentinel (idea)
+references:
+ - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
+ - https://github.com/Azure/Azure-Sentinel/blob/7e6aa438e254d468feec061618a7877aa528ee9f/Hunting%20Queries/Microsoft%20365%20Defender/Ransomware/DEV-0270/Email%20data%20exfiltration%20via%20PowerShell.yaml
+date: 2022/09/09
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - '\powershell.exe'
+ - '\pwsh.exe'
+ CommandLine|contains|all:
+ - 'Add-PSSnapin'
+ - 'Get-Recipient'
+ - '-ExpandProperty'
+ - 'EmailAddresses'
+ - 'SmtpAddress'
+ - '-hidetableheaders'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
+tags:
+ - attack.exfiltration
diff --git a/rules/windows/process_creation/proc_creation_win_import_cert_susp_locations.yml b/rules/windows/process_creation/proc_creation_win_import_cert_susp_locations.yml
new file mode 100644
index 000000000..d4b9155c8
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_import_cert_susp_locations.yml
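Review bot: The `CommandLine|contains|all` list makes `'-hidetableheaders'` mandatory, but that switch is pure output formatting; an operator who omits it, or pipes to a different formatter, still dumps the recipient list and evades the rule. Keep the tokens that carry the behaviour (`Add-PSSnapin`, `Get-Recipient`, `-ExpandProperty`, `EmailAddresses`, `SmtpAddress`) in the `all` list and drop `-hidetableheaders`, or move it to a separate optional selection. The title misspells the activity: `title: Email Exfiltration Via Powershell`. The `tags` block carries only the tactic `attack.exfiltration`; every other rule in this patch also names a technique id, so one should be added here for consistency.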
@@ -0,0 +1,32 @@
+title: Root Certificate Installed From Susp Locations
+id: 5f6a601c-2ecb-498b-9c33-660362323afa
+status: experimental
+description: Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers.
+references:
+ - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
+ - https://docs.microsoft.com/en-us/powershell/module/pki/import-certificate?view=windowsserver2022-ps
+author: Nasreddine Bencherchali
+date: 2022/09/09
+tags:
+ - attack.defense_evasion
+ - attack.t1553.004
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - 'Import-Certificate'
+ - ' -File-Path '
+ - 'Cert:\LocalMachine\Root'
+ CommandLine|contains:
+ - '\AppData\Local\Temp\'
+ - 'C:\Windows\TEMP\'
+ - '\Desktop\'
+ - '\Downloads\'
+ - '\Perflogs\'
+ - 'C:\Users\Public\'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_mal_hermetic_wiper_activity.yml b/rules/windows/process_creation/proc_creation_win_mal_hermetic_wiper_activity.yml
index 6d2b0f135..010f2b9c5 100644
--- a/rules/windows/process_creation/proc_creation_win_mal_hermetic_wiper_activity.yml
+++ b/rules/windows/process_creation/proc_creation_win_mal_hermetic_wiper_activity.yml
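Review bot: The required token `' -File-Path '` does not exist as an Import-Certificate parameter; the cmdlet documentation listed under `references` names it `-FilePath`, so this `contains|all` list can never be satisfied by a real command line and the rule is dead on arrival. Change it to `- ' -FilePath '`. Note also that PowerShell accepts unambiguous parameter prefixes (`-File`, `-FileP`) and that the rule only sees the argument when the path is passed on the command line rather than from a script or variable, so the sibling script-block rule `posh_ps_root_certificate_installed` remains the broader net; the `description` could state that this rule is the command-line-only complement.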
@@ -1,27 +1,31 @@ title: Hermetic Wiper TG Process Patterns id: 2f974656-6d83-4059-bbdf-68ac5403422f status: experimental -description: This rule detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022 +description: Detects process execution patterns found in intrusions related to the Hermetic Wiper malware attacks against Ukraine in February 2022 author: Florian Roth references: - - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia + - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia date: 2022/02/25 -modified: 2022/08/13 +modified: 2022/09/09 +tags: + - attack.execution + - attack.lateral_movement + - attack.t1021.001 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection1: - Image|endswith: '\policydefinitions\postgresql.exe' - selection2: - - CommandLine|contains: - - 'CSIDL_SYSTEM_DRIVE\temp\sys.tmp' - - ' 1> \\\\127.0.0.1\ADMIN$\__16' - - CommandLine|contains|all: - - 'powershell -c ' - - '\comsvcs.dll MiniDump ' - - '\winupd.log full' - condition: 1 of selection* + selection1: + Image|endswith: '\policydefinitions\postgresql.exe' + selection2: + - CommandLine|contains: + - 'CSIDL_SYSTEM_DRIVE\temp\sys.tmp' + - ' 1> \\\\127.0.0.1\ADMIN$\__16' + - CommandLine|contains|all: + - 'powershell -c ' + - '\comsvcs.dll MiniDump ' + - '\winupd.log full' + condition: 1 of selection* falsepositives: - - Unknown + - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml b/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml index 46f530fb0..7b5553b72 100644 --- a/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml +++ b/rules/windows/process_creation/proc_creation_win_malware_conti_shadowcopy.yml 
@@ -3,7 +3,7 @@ id: f57f8d16-1f39-4dcb-a604-6c73d9b54b3d description: Detects a command that accesses password storing registry hives via volume shadow backups author: Max Altgelt, Tobias Michalski date: 2021/08/09 -modified: 2022/08/13 +modified: 2022/09/09 status: experimental references: - https://twitter.com/vxunderground/status/1423336151860002816?s=20 @@ -25,7 +25,7 @@ detection: condition: all of selection* falsepositives: - Some rare backup scenarios -level: medium +level: high tags: - attack.impact - - attack.t1490 \ No newline at end of file + - attack.t1490 diff --git a/rules/windows/process_creation/proc_creation_win_malware_notpetya.yml b/rules/windows/process_creation/proc_creation_win_malware_notpetya.yml index 61ff3daf2..699f0e26e 100644 --- a/rules/windows/process_creation/proc_creation_win_malware_notpetya.yml +++ b/rules/windows/process_creation/proc_creation_win_malware_notpetya.yml 
@@ -4,36 +4,36 @@ status: test description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil author: Florian Roth, Tom Ueltschi references: - - https://securelist.com/schroedingers-petya/78870/ - - https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100 + - https://securelist.com/schroedingers-petya/78870/ + - https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100 date: 2019/01/16 modified: 2022/03/05 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - select_pipe_com: - CommandLine|contains|all: - - '\AppData\Local\Temp\' - - '\\\\.\\pipe\\' - select_rundll32_dash1: - Image|endswith: '\rundll32.exe' - CommandLine|endswith: - - '.dat,#1' - - '.dat #1' # Sysmon removes comma - select_perfc_keyword: - - '\perfc.dat' - condition: 1 of select* + select_pipe_com: + CommandLine|contains|all: + - '\AppData\Local\Temp\' + - '\\\\.\\pipe\\' + select_rundll32_dash1: + Image|endswith: '\rundll32.exe' + CommandLine|endswith: + - '.dat,#1' + - '.dat #1' # Sysmon removes comma + select_perfc_keyword: + - '\perfc.dat' + condition: 1 of select* fields: - - CommandLine - - ParentCommandLine + - CommandLine + - ParentCommandLine falsepositives: - - Admin activity + - Admin activity level: critical tags: - - attack.defense_evasion - - attack.t1218.011 - - attack.t1070.001 - - attack.credential_access - - attack.t1003.001 - - car.2016-04-002 + - attack.defense_evasion + - attack.t1218.011 + - attack.t1070.001 + - attack.credential_access + - attack.t1003.001 + - car.2016-04-002 
diff --git a/rules/windows/process_creation/proc_creation_win_net_add_local_user.yml b/rules/windows/process_creation/proc_creation_win_net_add_local_user.yml new file mode 100644 index 000000000..d7cc1ee7b --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_net_add_local_user.yml @@ -0,0 +1,26 @@ +title: Net User Add Local User +id: 57ea3cf7-f2bf-419f-b51e-6a60635ebf0d +status: stable +description: Detects attempts to add new local user +references: + - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html +author: Nasreddine Bencherchali +date: 2022/09/09 +tags: + - attack.persistence + - attack.t1136.001 +logsource: + category: process_creation + product: windows +detection: + selection: + Image|endswith: + - '\net.exe' + - '\net1.exe' + CommandLine|contains|all: + - ' user ' + - '/add' + condition: selection +falsepositives: + - Legitimate use of net.exe utility by legitimate users and admins to add local user +level: low diff --git a/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml b/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml index 8dedecc69..8144e75f1 100644 --- a/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml +++ b/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml @@ -6,7 +6,9 @@ author: Nasreddine Bencherchali references: - https://www.trellix.com/en-sg/about/newsroom/stories/threat-labs/lockergoga-ransomware-family-used-in-targeted-attacks.html - https://redacted.com/blog/bianlian-ransomware-gang-gives-it-a-go/ + - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/ date: 2022/09/01 +modified: 2022/09/09 logsource: category: process_creation product: windows 
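Review bot: `status: stable` on a rule created today is inconsistent with the rest of this patch, where every other new rule enters as `experimental`; a stable status tells consumers the rule has been field-tested, which nothing here shows. Change to `status: experimental`. Separately, `' user '` + `'/add'` also fires on `net user x pw /add /domain`, which creates a domain account rather than the local one the title and `attack.t1136.001` describe; either exclude `/domain` with a filter or widen the title/tag to cover both.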
@@ -28,6 +30,7 @@ detection: - ' Administratör ' # Swedish - ' Administrator ' # English - ' guest ' + - ' DefaultAccount ' # The cases below are for when an attacker requests the net command via 'cmd /c....' # First in double quotes - ' "Järjestelmänvalvoja" ' # Finish @@ -38,6 +41,7 @@ detection: - ' "Administratör" ' # Swedish - ' "Administrator" ' # English - ' "guest" ' + - ' "DefaultAccount" ' # Second in single quotes - " 'Järjestelmänvalvoja' " # Finish - " 'Rendszergazda' " # Hungarian @@ -47,6 +51,7 @@ detection: - " 'Administratör' " # Swedish - " 'Administrator' " # English - " 'guest' " + - " 'DefaultAccount' " filter: CommandLine|contains|all: - 'guest' diff --git a/rules/windows/process_creation/proc_creation_win_net_recon.yml b/rules/windows/process_creation/proc_creation_win_net_recon.yml index 7a57ffdbf..d67432ef9 100644 --- a/rules/windows/process_creation/proc_creation_win_net_recon.yml +++ b/rules/windows/process_creation/proc_creation_win_net_recon.yml @@ -4,7 +4,7 @@ status: experimental description: Detects suspicious reconnaissance command line activity on Windows systems using Net.EXE author: Florian Roth, omkar72, @svch0st, Nasreddine Bencherchali date: 2019/01/16 -modified: 2022/09/02 +modified: 2022/09/09 references: - https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/ - https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/ @@ -33,11 +33,13 @@ detection: CommandLine|contains: # Add more groups for other languages - 'domain admins' - - ' administrators' - - ' administrateurs' + - ' administrator' # Typo without an 'S' so we catch both + - ' administrateur' # Typo without an 'S' so we catch both - 'enterprise admins' - 'Exchange Trusted Subsystem' - 'Remote Desktop Users' + - 'Utilisateurs du Bureau à distance' # French for "Remote Desktop Users" + - 'Usuarios de escritorio remoto' # Spanish for "Remote Desktop Users" - ' /do' # short for domain # Covers 'accounts' flag selection_accounts_root: 
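Review bot: The comment on the new net_recon entries, `' administrator' # Typo without an 'S' so we catch both`, describes a deliberate prefix match as a typo, which invites the next contributor to "fix" it back to `administrators` and silently lose the singular form. Reword to something like `# no trailing 's' on purpose: matches both singular and plural group names` for both the English and the French entry. The added localized `Remote Desktop Users` strings look fine, but note the French one contains a non-ASCII character, so the file should be checked in as UTF-8 without BOM for backends that are strict about encoding.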
diff --git a/rules/windows/process_creation/proc_creation_win_netsh_allow_port_rdp.yml b/rules/windows/process_creation/proc_creation_win_netsh_allow_port_rdp.yml index f2179507f..a0297ae22 100644 --- a/rules/windows/process_creation/proc_creation_win_netsh_allow_port_rdp.yml +++ b/rules/windows/process_creation/proc_creation_win_netsh_allow_port_rdp.yml @@ -13,16 +13,16 @@ logsource: detection: selection1: CommandLine|contains|all: - - netsh - - firewall add portopening - - tcp 3389 + - 'netsh' + - 'firewall add portopening' + - 'tcp 3389' selection2: CommandLine|contains|all: - - netsh - - advfirewall firewall add rule - - action=allow - - protocol=TCP - - localport=3389 + - 'netsh' + - 'advfirewall firewall add rule' + - 'action=allow' + - 'protocol=TCP' + - 'localport=3389' condition: 1 of selection* falsepositives: - Legitimate administration diff --git a/rules/windows/process_creation/proc_creation_win_node_abuse.yml b/rules/windows/process_creation/proc_creation_win_node_abuse.yml new file mode 100644 index 000000000..9f3f670c7 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_node_abuse.yml 
@@ -0,0 +1,34 @@
+title: Node.exe Process Abuse
+id: 6640f31c-01ad-49b5-beb5-83498a5cd8bd
+status: experimental
+description: Detects the execution node.exe which is shipped with multiple softwares such as VMware, Adobe...etc. In order to execute arbitrary code. For example to establish reverse shell as seen in Log4j attacks...etc
+references:
+ - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
+ - https://www.sprocketsecurity.com/resources/crossing-the-log4j-horizon-a-vulnerability-with-no-return
+ - https://www.rapid7.com/blog/post/2022/01/18/active-exploitation-of-vmware-horizon-servers/
+ - https://nodejs.org/api/cli.html
+author: Nasreddine Bencherchali
+date: 2022/09/09
+tags:
+ - attack.defense_evasion
+ - attack.t1127
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\node.exe'
+ CommandLine|contains:
+ - ' -e '
+ - ' --eval '
+ # Add more pattern of abuse as actions
+ action_reverse_shell:
+ CommandLine|contains|all:
+ - '.exec('
+ - 'net.socket'
+ - '.connect'
+ - 'child_process'
+ condition: selection and 1 of action_*
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_redirect_local_admin_share.yml b/rules/windows/process_creation/proc_creation_win_redirect_local_admin_share.yml
new file mode 100644
index 000000000..bbb5763ce
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_redirect_local_admin_share.yml
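Review bot: `action_reverse_shell` requires all four tokens including `'.exec('`, so a payload that uses `require('child_process').spawn(...)` or `execSync` with the same `net.Socket` connect pattern is missed; the `child_process` + `net.socket` + `.connect` trio is the discriminating part and `.exec(` should become one alternative among `'.exec('`, `'.spawn('`, `'.execSync('` rather than a hard requirement. The Node CLI reference listed under `references` also documents `-p`/`--print`, which evaluates its argument exactly like `-e`, so add `' -p '` and `' --print '` to `selection`. The description would read better as one sentence: `description: Detects execution of node.exe (shipped with products such as VMware and Adobe) with inline code evaluation to run arbitrary commands, e.g. the reverse shells seen in Log4j exploitation`.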
@@ -0,0 +1,26 @@ +title: Suspicious Redirect To Local Admin Share +id: 77d570aa-4e72-4949-98ff-24cdeec16787 +status: experimental +description: Detects output redirection to the local admin share (ADMIN$) via the commandline +author: Nasreddine Bencherchali +references: + - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html +date: 2022/09/09 +tags: + - attack.execution + - attack.lateral_movement + - attack.t1021.001 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains: + - ' 1 > \\\\127.0.0.1\ADMIN$\' + - ' 1> \\\\127.0.0.1\ADMIN$\' + - ' 1 >\\\\127.0.0.1\ADMIN$\' + - ' 1>\\\\127.0.0.1\ADMIN$\' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/proc_creation_win_reg_enable_rdp.yml b/rules/windows/process_creation/proc_creation_win_reg_enable_rdp.yml index 59ecd7e3a..b99236f7c 100644 --- a/rules/windows/process_creation/proc_creation_win_reg_enable_rdp.yml +++ b/rules/windows/process_creation/proc_creation_win_reg_enable_rdp.yml @@ -6,7 +6,7 @@ author: '@Kostastsale, @TheDFIRReport, slightly modified by pH-T' references: - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/ date: 2022/02/12 -modified: 2022/08/06 +modified: 2022/09/09 logsource: product: windows category: process_creation @@ -15,7 +15,7 @@ detection: Image|endswith: '\reg.exe' CommandLine|contains|all: - ' add ' - - '\SYSTEM\CurrentControlSet\Control\Terminal Server' + - '\CurrentControlSet\Control\Terminal Server' - 'REG_DWORD' - ' /f' selection_values_1: @@ -34,6 +34,7 @@ detection: - 'TSAdvertise' - 'AllowTSConnections' - 'fSingleSessionPerUser' + - 'fDenyTSConnections' condition: selection_cli and 1 of selection_values_* falsepositives: - Unknown 
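Review bot: All four patterns in `selection` require the explicit `1` stdout descriptor, so a plain `> \\127.0.0.1\ADMIN$\...` or a `2>` stderr redirect to the same share is not matched, although the `description` speaks of output redirection in general. Two bare forms, `'> \\\\127.0.0.1\ADMIN$\'` and `'>\\\\127.0.0.1\ADMIN$\'`, are substrings of every existing `1>` spelling and would replace all four while also covering the descriptor-less and `2>` cases. If the intent really is stdout only, say so in the description instead.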
diff --git a/rules/windows/process_creation/proc_creation_win_susp_add_local_admin.yml b/rules/windows/process_creation/proc_creation_win_susp_add_local_admin.yml index ccce2dfb8..70609b700 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_add_local_admin.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_add_local_admin.yml @@ -1,9 +1,13 @@ title: Add User to Local Administrators id: ad720b90-25ad-43ff-9b5e-5c841facc8e5 +related: + - id: ffa28e60-bdb1-46e0-9f82-05f7a61cc06e + type: similar status: experimental -description: Detects suspicious command line that adds an account to the local administrators group -author: Florian Roth +description: Detects suspicious command line that adds an account to the local administrators/administrateurs group +author: Florian Roth, Nasreddine Bencherchali date: 2022/08/12 +modified: 2022/09/09 references: - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1 logsource: @@ -13,11 +17,18 @@ tags: - attack.persistence - attack.t1098 detection: - selection: - CommandLine|contains|all: - - 'localgroup administrators ' + selection_main: + - CommandLine|contains|all: + - 'localgroup ' - ' /add' - condition: selection + - CommandLine|contains|all: + - 'Add-LocalGroupMember ' + - ' -Group ' + selection_group: + CommandLine|contains: + - ' administrators ' + - ' administrateur' # Typo without an 'S' so we catch both + condition: all of selection_* falsepositives: - Administrative activity level: medium diff --git a/rules/windows/process_creation/proc_creation_win_susp_add_user_remote_desktop.yml b/rules/windows/process_creation/proc_creation_win_susp_add_user_remote_desktop.yml index 9a00f386a..fb61b61ee 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_add_user_remote_desktop.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_add_user_remote_desktop.yml 
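Review bot: The new `selection_group` strings `' administrators '` and `' administrateur'` are space-anchored on the left, so the quoted forms that the PowerShell branch of `selection_main` naturally produces — `Add-LocalGroupMember -Group "Administrators" -Member x` — and `net localgroup "Administrators" x /add` are not matched, because the character before the name is a quote. The `net_default_accounts_manipulation` rule touched in this same patch handles this by listing `' "name" '` and `" 'name' "` variants explicitly; do the same here or drop the leading space and rely on the trailing context. The inline comment `# Typo without an 'S' so we catch both` also mislabels a deliberate prefix match as a typo and should be reworded to say the plural is intentionally not anchored.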
@@ -1,28 +1,38 @@ title: Suspicious Add User to Remote Desktop Users Group id: ffa28e60-bdb1-46e0-9f82-05f7a61cc06e +related: + - id: ad720b90-25ad-43ff-9b5e-5c841facc8e5 + type: similar status: experimental description: Detects suspicious command line in which a user gets added to the local Remote Desktop Users group author: Florian Roth date: 2021/12/06 +modified: 2022/09/09 references: - https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/ tags: - attack.persistence + - attack.lateral_movement - attack.t1133 - attack.t1136.001 - - attack.lateral_movement - attack.t1021.001 logsource: category: process_creation product: windows detection: - selection: - CommandLine|contains|all: - - 'net ' - - 'localgroup' + selection_main: + - CommandLine|contains|all: + - 'localgroup ' + - ' /add' + - CommandLine|contains|all: + - 'Add-LocalGroupMember ' + - ' -Group ' + selection_group: + CommandLine|contains: - 'Remote Desktop Users' - - '/add' - condition: selection + - 'Utilisateurs du Bureau à distance' # French for "Remote Desktop Users" + - 'Usuarios de escritorio remoto' # Spanish for "Remote Desktop Users" + condition: all of selection_* fields: - CommandLine - ParentCommandLine diff --git a/rules/windows/process_creation/proc_creation_win_susp_new_service_creation.yml b/rules/windows/process_creation/proc_creation_win_susp_new_service_creation.yml index 5b184ccfb..ff0b5b957 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_new_service_creation.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_new_service_creation.yml 
@@ -10,7 +10,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md - https://web.archive.org/web/20180331144337/https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html date: 2022/07/14 -modified: 2022/08/04 +modified: 2022/09/09 logsource: category: process_creation product: windows @@ -35,6 +35,7 @@ detection: - 'dllhost' - 'cmd ' - 'cmd.exe /c' + - 'cmd.exe /k' - 'rundll32' # Add more suspicious paths - 'C:\Users\Public' diff --git a/rules/windows/process_creation/proc_creation_win_susp_reg_add.yml b/rules/windows/process_creation/proc_creation_win_susp_reg_add.yml index c034f4a89..e8fa9ebea 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_reg_add.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_reg_add.yml @@ -7,7 +7,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1562.001/T1562.001.md author: frack113, Nasreddine Bencherchali date: 2022/08/19 -modified: 2022/09/08 +modified: 2022/09/09 logsource: category: process_creation product: windows @@ -22,6 +22,7 @@ detection: - '\Policies\Microsoft\Windows\OOBE' - '\Policies\Microsoft\Windows NT\CurrentVersion\Winlogon' - '\CurrentControlSet\Control\SecurityProviders\WDigest' + - '\Microsoft\Windows Defender\' condition: all of selection_* falsepositives: - Rare legitimate add to registry via cli (to these locations) diff --git a/rules/windows/process_creation/proc_creation_win_susp_reg_bitlocker.yml b/rules/windows/process_creation/proc_creation_win_susp_reg_bitlocker.yml index 791985d1a..31d6d74ac 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_reg_bitlocker.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_reg_bitlocker.yml 
@@ -1,7 +1,7 @@ title: Suspicious Reg Add BitLocker id: 0e0255bf-2548-47b8-9582-c0955c9283f5 status: experimental -description: Suspicious add key for BitLocker +description: Detects suspicious addition to BitLocker related registry keys via the reg.exe utility references: - https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/ tags: @@ -9,19 +9,18 @@ tags: - attack.t1486 author: frack113 date: 2021/11/15 -modified: 2022/08/05 +modified: 2022/09/09 logsource: category: process_creation product: windows detection: - set: + selection: CommandLine|contains|all: - 'REG' - 'ADD' - '\SOFTWARE\Policies\Microsoft\FVE' - '/v' - '/f' - key: CommandLine|contains: - 'EnableBDEWithNoTPM' - 'UseAdvancedStartup' @@ -31,7 +30,7 @@ detection: - 'RecoveryKeyMessageSource' - 'UseTPMPIN' - 'RecoveryKeyMessage' - condition: set and key + condition: selection falsepositives: - - Unknown -level: medium + - Unlikely +level: high diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml b/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml new file mode 100644 index 000000000..aa3f20a37 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml 
@@ -0,0 +1,36 @@
+title: Delete Important Scheduled Task
+id: dbc1f800-0fe0-4bc0-9c66-292c2abe3f78
+related:
+ - id: 9ac94dc8-9042-493c-ba45-3b5e7c86b980
+ type: derived
+status: experimental
+description: Detects when adversaries stop services or processes by disabling their respective schdueled tasks in order to conduct data destructive activities
+author: Nasreddine Bencherchali
+references:
+ - Internal Research
+date: 2022/09/09
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ schtasks_exe:
+ Image|endswith: '\schtasks.exe'
+ CommandLine|contains|all:
+ - '/delete'
+ - '/tn'
+ CommandLine|contains:
+ # Add more important tasks
+ - '\Windows\SystemRestore\SR'
+ - '\Windows\Windows Defender\'
+ - '\Windows\BitLocker'
+ - '\Windows\WindowsBackup\'
+ - '\Windows\WindowsUpdate\'
+ - '\Windows\UpdateOrchestrator\'
+ - '\Windows\ExploitGuard'
+ condition: all of schtasks_*
+falsepositives:
+ - Unlikely
+level: high
+tags:
+ - attack.impact
+ - attack.t1489
diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete_all.yml b/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete_all.yml
new file mode 100644
index 000000000..28aefc946
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete_all.yml
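Review bot: The `description` was carried over from the disable rule and says the tasks are disabled, while this rule's `contains|all` requires `/delete`; it also misspells "scheduled". Use `description: Detects when adversaries stop services or processes by deleting their respective scheduled tasks in order to conduct data destructive activities`. `references: - Internal Research` gives a reader nothing to validate the task list against; the atomic-red-team T1490 link on the related rule `9ac94dc8-…` exercises the same `SystemRestore\SR` task and applies here too.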
@@ -0,0 +1,25 @@
+title: Delete All Scheduled Tasks
+id: 220457c1-1c9f-4c2e-afe6-9598926222c1
+status: experimental
+description: Detects the usage of schtasks with the delete flag and the asterisk symbole to delete all tasks from the schedule of the local computer, including tasks scheduled by other users.
+author: Nasreddine Bencherchali
+references:
+ - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-delete
+date: 2022/09/09
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\schtasks.exe'
+ CommandLine|contains|all:
+ - ' /delete '
+ - '/tn *'
+ - ' /f'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
+tags:
+ - attack.impact
+ - attack.t1489
diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml b/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml
index 2abc0aaa4..e46a19f3b 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml
@@ -1,7 +1,7 @@
 title: Disable Important Scheduled Task
 id: 9ac94dc8-9042-493c-ba45-3b5e7c86b980
 status: experimental
-description: Adversaries may stop services or processes in order to conduct Data Destruction or Data Encrypted for Impact on the data stores of services like Exchange, SQL Server...etc.
+description: Detects when adversaries stop services or processes by disabling their respective schdueled tasks in order to conduct data destructive activities
 author: frack113, Nasreddine Bencherchali
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-8---windows---disable-the-sr-scheduled-task
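Review bot: `'/tn *'` only matches the unquoted wildcard; the equally valid `schtasks /delete /tn "*" /f` puts a quote between `/tn` and `*` and slips past the `contains|all` list. Add `- '/tn "*"'` as an alternative (a second `CommandLine|contains` key in the selection, or a separate selection OR'd in the condition). The `description` misspells "symbol" (`symbole`).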
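Review bot: The replacement `description` in the schtasks_disable hunk misspells "scheduled" as `schdueled`; since this text is what analysts see in the alert, use `description: Detects when adversaries stop services or processes by disabling their respective scheduled tasks in order to conduct data destructive activities`. The old description's mention of Exchange and SQL Server data stores was the only hint at why these tasks matter, so consider keeping that clause.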
@@ -19,15 +19,15 @@ detection:
 - '/Change'
 - '/TN'
 - '/disable'
- #split to add other
 CommandLine|contains:
- - 'Microsoft\Windows\SystemRestore\SR'
- - 'Microsoft\Windows\Windows Defender\'
- - 'Microsoft\Windows\BitLocker'
- - 'Microsoft\Windows\WindowsBackup\'
- - 'Microsoft\Windows\WindowsUpdate\'
- - 'Microsoft\Windows\UpdateOrchestrator\'
- - 'Windows\ExploitGuard'
+ # Add more important tasks
+ - '\Windows\SystemRestore\SR'
+ - '\Windows\Windows Defender\'
+ - '\Windows\BitLocker'
+ - '\Windows\WindowsBackup\'
+ - '\Windows\WindowsUpdate\'
+ - '\Windows\UpdateOrchestrator\'
+ - '\Windows\ExploitGuard'
 condition: all of schtasks_*
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type.yml b/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type.yml
index e34973df4..6ffa9e601 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type.yml
@@ -1,15 +1,19 @@
-title: Suspicious Schtasks Schedule Type
-id: 7a02e22e-b885-4404-b38b-1ddc7e65258a
-description: Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type
+title: Suspicious Schtasks Schedule Types
+id: 24c8392b-aa3c-46b7-a545-43f71657fe98
+related:
+ - id: 7a02e22e-b885-4404-b38b-1ddc7e65258a
+ type: similar
+description: Detects scheduled task creations or modification on a suspicious schedule type
 status: experimental
 references:
 - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change
 - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create
+ - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
 tags:
 - attack.execution
 - attack.t1053.005
 author: Nasreddine Bencherchali
-date: 2022/08/31
+date: 2022/09/09
 logsource:
 product: windows
 category: process_creation
@@ -23,12 +27,12 @@ detection:
 - ' ONSTART '
 - ' ONCE '
 - ' ONIDLE '
- selection_privs:
+ filter_privs:
 CommandLine|contains:
 - 'NT AUT' # This covers the usual NT AUTHORITY\SYSTEM
 - ' SYSTEM' # SYSTEM is a valid value for schtasks hence it gets it's own value with space
 - 'HIGHEST'
- condition: all of selection_*
+ condition: all of selection_* and not 1 of filter_*
 falsepositives:
- - Unknown
+ - Legitmate processes that run at logon. Filter according to your environment
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type_system.yml b/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type_system.yml
new file mode 100644
index 000000000..b2fc3c9a1
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type_system.yml
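Review bot: Nothing in the renamed `filter_privs` block says why privileged tasks are now excluded from this rule; the reader has to find the sibling rule to understand that `not 1 of filter_*` is a hand-off rather than a false-positive filter. A one-line comment on the block would carry that, e.g. `filter_privs: # privileged variants are covered by 'Suspicious Schtasks Schedule Type With High Privileges' (7a02e22e-b885-4404-b38b-1ddc7e65258a)`. The new falsepositives entry misspells `Legitmate` → `Legitimate`; the same misspelling appears in the wevtutil recon and AllowMultipleTSSessions rules added further down. The enclosing `detection` block (selection_img/selection_time) starts above this hunk.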
@@ -0,0 +1,37 @@
+title: Suspicious Schtasks Schedule Type With High Privileges
+id: 7a02e22e-b885-4404-b38b-1ddc7e65258a
+related:
+ - id: 24c8392b-aa3c-46b7-a545-43f71657fe98
+ type: similar
+description: Detects scheduled task creations or modification to be run with high privileges on a suspicious schedule type
+status: experimental
+references:
+ - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-change
+ - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/schtasks-create
+tags:
+ - attack.execution
+ - attack.t1053.005
+author: Nasreddine Bencherchali
+date: 2022/08/31
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection_img:
+ - Image|endswith: '\schtasks.exe'
+ - OriginalFileName: 'schtasks.exe'
+ selection_time:
+ CommandLine|contains:
+ - ' ONLOGON '
+ - ' ONSTART '
+ - ' ONCE '
+ - ' ONIDLE '
+ selection_privs:
+ CommandLine|contains:
+ - 'NT AUT' # This covers the usual NT AUTHORITY\SYSTEM
+ - ' SYSTEM' # SYSTEM is a valid value for schtasks hence it gets it's own value with space
+ - 'HIGHEST'
+ condition: all of selection_*
+falsepositives:
+ - Some installers were seen using this method of creation unfortunately. Filter them in your environment
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_user_discovery_get_aduser.yml b/rules/windows/process_creation/proc_creation_win_user_discovery_get_aduser.yml
new file mode 100644
index 000000000..4e91b6925
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_user_discovery_get_aduser.yml
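Review bot: `- ' SYSTEM'` in `selection_privs` is matched case-insensitively (Sigma's default for string values), so it is satisfied by any space-prefixed "system" anywhere on the command line — a `/tn` or `/tr` value such as "Foo System Update" would count as a privileged task even with no run-as user given. The inline comment explains the leading space but not this side effect; either document it (`# NOTE: also matches task names/paths containing ' system'`) or, if the telemetry supports it, anchor on the run-as switch so the match is tied to the actual argument, e.g. `- ' /ru system'` together with the quoted form that appears in your data. Reusing the old id 7a02e22e-b885-4404-b38b-1ddc7e65258a here while the other file takes a new id is consistent with the `related` links on both sides.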
@@ -0,0 +1,30 @@
+title: User Discovery Via Get-ADUser Cmdlet
+id: c2993223-6da8-4b1a-88ee-668b8bf315e9
+status: experimental
+description: Detects usage of the Get-ADUser cmdlet to collect user information
+author: Nasreddine Bencherchali
+references:
+ - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
+date: 2022/09/09
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - Image|endswith:
+ - '\powershell.exe'
+ - '\pwsh.exe'
+ - OriginalFileName:
+ - 'PowerShell.EXE'
+ - 'pwsh.dll'
+ selection_cli:
+ CommandLine|contains|all:
+ - 'Get-ADUser '
+ - ' -Filter \*'
+ condition: all of selection
+falsepositives:
+ - Legitimate admin scripts may use the same technique, it's better to exclude specific computers or users who execute these commands or scripts often
+level: high
+tags:
+ - attack.discovery
+ - attack.t1033
diff --git a/rules/windows/process_creation/proc_creation_win_wevtutil_recon.yml b/rules/windows/process_creation/proc_creation_win_wevtutil_recon.yml
new file mode 100644
index 000000000..021e770a3
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_wevtutil_recon.yml
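Review bot: `condition: all of selection` does not name any selection defined in this rule (`selection_img`, `selection_cli`); the quantifier needs the wildcard form the other new rules in this commit use, `condition: all of selection_*`. As written the condition refers to an undefined identifier, which — depending on the converter — is rejected at validation time or yields a query that never matches. The description could also say what the `-Filter *` constraint is for, e.g. `description: Detects usage of the Get-ADUser cmdlet with an unrestricted filter to enumerate all domain user objects`.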
@@ -0,0 +1,28 @@
+title: Wevtutil Recon
+id: beaa66d6-aa1b-4e3c-80f5-e0145369bfaf
+status: experimental
+description: Detects usage of the wevtutil utility to perform reconnaissance
+references:
+ - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
+author: Nasreddine Bencherchali
+date: 2022/09/09
+tags:
+ - attack.discovery
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_cli:
+ Image|endswith: '\wevtutil.exe'
+ CommandLine|contains:
+ - ' qe '
+ - ' query-events '
+ selection_logs:
+ CommandLine|contains:
+ # Add more event log channels that are interesting for attackers
+ - 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
+ - 'Microsoft-Windows-Terminal-Services-RemoteConnectionManager/Operational'
+ condition: all of selection_*
+falsepositives:
+ - Legitmate usage of the utility by administrators to query the event log
+level: medium
diff --git a/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml b/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml
index 0e70d3dfd..c275f908c 100644
--- a/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml
+++ b/rules/windows/registry/registry_event/registry_event_net_ntlm_downgrade.yml
@@ -16,7 +16,7 @@ logsource:
 category: registry_event
 detection:
 selection:
- TargetObject|contains|all:
+ TargetObject|contains|all:
 - 'SYSTEM\'
 - 'ControlSet'
 - '\Control\Lsa'
@@ -27,4 +27,4 @@ detection:
 condition: selection
 falsepositives:
 - Unknown
-level: high
\ No newline at end of file
+level: high
diff --git a/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml b/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml
index b7cf6a8f1..5e3e00f86 100644
--- a/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml
+++ b/rules/windows/registry/registry_set/registry_set_disable_system_restore.yml
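Review bot: `tags` carries only the tactic `attack.discovery` with no technique-level tag, unlike the Get-ADUser rule in this same commit which pairs the tactic with a technique; add the matching technique or a comment stating why none fits. The description is also generic for what the rule actually matches — queries of the two Terminal Services channels — so something like `description: Detects wevtutil queries of the Terminal Services session/connection event logs, used to enumerate RDP activity on a host` would tell an analyst what fired. `Legitmate` → `Legitimate` in the falsepositives entry.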
@@ -3,7 +3,7 @@ id: 5de03871-5d46-4539-a82d-3aa992a69a83
 description: Detects the modification of the registry to disable a system restore on the computer
 author: frack113
 date: 2022/04/04
-modified: 2022/06/26
+modified: 2022/09/09
 status: experimental
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md#atomic-test-9---disable-system-restore-through-registry
@@ -13,9 +13,9 @@ logsource:
 detection:
 selection:
 EventType: Setvalue
- TargetObject|startswith:
- - 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
- - 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
+ TargetObject|contains:
+ - '\Policies\Microsoft\Windows NT\SystemRestore'
+ - '\Microsoft\Windows NT\CurrentVersion\SystemRestore'
 TargetObject|endswith:
 - DisableConfig
 - DisableSR
diff --git a/rules/windows/registry/registry_set/registry_set_enabling_turnoffcheck.yml b/rules/windows/registry/registry_set/registry_set_enabling_turnoffcheck.yml
index 3c0451ff3..5fe588e2a 100644
--- a/rules/windows/registry/registry_set/registry_set_enabling_turnoffcheck.yml
+++ b/rules/windows/registry/registry_set/registry_set_enabling_turnoffcheck.yml
@@ -2,6 +2,7 @@ title: Scripted Diagnostics Turn Off Check Enabled - Registry
 id: 7d995e63-ec83-4aa3-89d5-8a17b5c87c86
 description: Detects enabling TurnOffCheck which can be used to bypass defense of MSDT Follina vulnerability
 date: 2022/06/15
+modified: 2022/09/09
 author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io'
 references:
 - https://twitter.com/wdormann/status/1537075968568877057?s=20&t=0lr18OAnmAGoGpma6grLUw
@@ -12,7 +13,7 @@ logsource:
 detection:
 selection:
 EventType: SetValue
- TargetObject: 'HKLM\SOFTWARE\Policies\Microsoft\Windows\ScriptedDiagnostics\TurnOffCheck'
+ TargetObject|endswith: '\Policies\Microsoft\Windows\ScriptedDiagnostics\TurnOffCheck'
 Details: 'DWORD (0x00000001)'
 condition: selection
 falsepositives:
diff --git a/rules/windows/registry/registry_set/registry_set_hide_function_user.yml b/rules/windows/registry/registry_set/registry_set_hide_function_user.yml
index 684ed8672..d96729b30 100644
--- a/rules/windows/registry/registry_set/registry_set_hide_function_user.yml
+++ b/rules/windows/registry/registry_set/registry_set_hide_function_user.yml
@@ -18,7 +18,7 @@ detection:
 - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth'
 - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCANetwork'
 - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAPower'
- - 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAVolume'
+ - 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAVolume'
 Details: 'DWORD (0x00000001)'
 selection_set_0:
 EventType: SetValue
diff --git a/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml b/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml
index 74a990b86..8da757bce 100644
--- a/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml
+++ b/rules/windows/registry/registry_set/registry_set_install_root_or_ca_certificat.yml
@@ -21,7 +21,7 @@ detection:
 - '\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\'
 - '\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates\'
 - '\SOFTWARE\Microsoft\EnterpriseCertificates\CA\Certificates\'
- - '\Software\Microsoft\SystemCertificates\AuthRoot\Certificates\'
+ - '\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\'
 - '\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\Certificates\'
 - '\SOFTWARE\Microsoft\EnterpriseCertificates\AuthRoot\Certificates\'
 TargetObject|endswith: '\Blob'
diff --git a/rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml b/rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml
new file mode 100644
index 000000000..4fb70441a
--- /dev/null
+++ b/rules/windows/registry/registry_set/registry_set_winlogon_allow_multiple_tssessions.yml
@@ -0,0 +1,22 @@
+title: Winlogon AllowMultipleTSSessions Enable
+id: f7997770-92c3-4ec9-b112-774c4ef96f96
+description: Detects when the 'AllowMultipleTSSessions' value is enabled. Which allows for multiple Remote Desktop connection sessions to be opened at once. This is often used by attacker as a way to connect to an RDP session without disconnecting the other users
+author: Nasreddine Bencherchali
+date: 2022/09/09
+status: experimental
+references:
+ - http://blog.talosintelligence.com/2022/09/lazarus-three-rats.html
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ selection:
+ EventType: SetValue
+ TargetObject|endswith: '\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions'
+ Details|endswith: DWORD (0x00000001)
+ condition: selection
+falsepositives:
+ - Legitmate use of the multi session functionality
+level: medium
+tags:
+ - attack.persistence
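Review bot: `Details|endswith: DWORD (0x00000001)` is the only unquoted `Details` value among the registry_set rules touched in this commit (the others write `Details: 'DWORD (0x00000001)'`); quote it for consistency, `Details|endswith: 'DWORD (0x00000001)'`, so a future edit adding a colon or `#` to the value cannot change its YAML parse. The description is two sentence fragments and uses the singular "attacker": `description: Detects when the 'AllowMultipleTSSessions' value is enabled, which allows multiple Remote Desktop sessions to be open at once. Attackers use this to connect over RDP without disconnecting the logged-on user`. `Legitmate` → `Legitimate`, and `tags` has the tactic only, without the technique-level tag the other rules in this commit carry.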