diff --git a/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml b/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml
index 87734617e..b0da98354 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml
@@ -6,7 +6,7 @@ references:
 - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015
 author: Florian Roth
 date: 2022/08/24
-modified: 2022/09/07
+modified: 2022/11/12
 tags:
 - attack.defense_evasion
 - attack.s0139
@@ -105,6 +105,9 @@ detection:
 - 84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
 - 19584675d94829987952432e018d5056 # SysmonQuiet
 - 330768a4f172e10acb6287b87289d83b # ShaprEvtMute Hook
+ - 885c99ccfbe77d1cbfcb9c4e7c1a3313 # Forkatz
+ - 22a22bc9e4e0d2f189f1ea01748816ac # PPLKiller
+ - 7fa30e6bb7e8e8a69155636e50bf1b28 # PPLKiller
 - Hashes|contains: # Sysmon field hashes contains all types
 - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam
 - IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam
@@ -193,6 +196,9 @@ detection:
 - IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
 - IMPHASH=19584675D94829987952432E018D5056 # SysmonQuiet
 - IMPHASH=330768A4F172E10ACB6287B87289D83B # ShaprEvtMute Hook
+ - IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313 # Forkatz
+ - IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC # PPLKiller
+ - IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28 # PPLKiller
 condition: selection
 fields:
 - TargetFilename
diff --git a/rules/windows/driver_load/driver_load_process_hacker.yml b/rules/windows/driver_load/driver_load_process_hacker.yml
new file mode 100644
index 000000000..5275b99d0
--- /dev/null
+++ b/rules/windows/driver_load/driver_load_process_hacker.yml
@@ -0,0 +1,68 @@
+title: Process Hacker and System Informer Driver Load
+id: 67add051-9ee7-4ad3-93ba-42935615ae8d
+status: experimental
+description: Detects the load of drivers used by Process Hacker and System Informer
+references:
+ - https://processhacker.sourceforge.io/
+ - https://systeminformer.sourceforge.io/
+ - https://github.com/winsiderss/systeminformer
+author: Florian Roth
+date: 2022/11/16
+tags:
+ - attack.privilege_escalation
+ - cve.2021.21551
+ - attack.t1543
+logsource:
+ category: driver_load
+ product: windows
+detection:
+ selection_image:
+ ImageLoaded|endswith:
+ - '\kprocesshacker.sys'
+ - '\SystemInformer.sys'
+ selection_processhack_sysmon:
+ Hashes|contains:
+ - 'IMPHASH=821D74031D3F625BCBD0DF08B70F1E77'
+ - 'IMPHASH=F86759BB4DE4320918615DC06E998A39'
+ - 'IMPHASH=0A64EEB85419257D0CE32BD5D55C3A18'
+ - 'IMPHASH=6E7B34DFC017700B1517B230DF6FF0D0'
+ selection_processhack_hashes:
+ Imphash:
+ - '821D74031D3F625BCBD0DF08B70F1E77'
+ - 'F86759BB4DE4320918615DC06E998A39'
+ - '0A64EEB85419257D0CE32BD5D55C3A18'
+ - '6E7B34DFC017700B1517B230DF6FF0D0'
+ selection_systeminformer_sysmon:
+ Hashes|contains:
+ - 'SHA256=8B9AD98944AC9886EA4CB07700E71B78BE4A2740934BB7E46CA3B56A7C59AD24'
+ - 'SHA256=A41348BEC147CA4D9EA2869817527EB5CEA2E20202AF599D2B30625433BCF454'
+ - 'SHA256=38EE0A88AF8535A11EFE8D8DA9C6812AA07067B75A64D99705A742589BDD846D'
+ - 'SHA256=A773891ACF203A7EB0C0D30942FB1347648F1CD918AE2BFD9A4857B4DCF5081B'
+ - 'SHA256=4C3B81AC88A987BBDF7D41FA0AECC2CEDF5B9BD2F45E7A21F376D05345FC211D'
+ - 'SHA256=3241BC14BEC51CE6A691B9A3562E5C1D52E9D057D27A3D67FD0B245C350B6D34'
+ - 'SHA256=047C42E9BBA28366868847C7DAFC1E043FB038C796422D37220493517D68EE89'
+ - 'SHA256=18931DC81E95D0020466FA091E16869DBE824E543A4C2C8FE644FA71A0F44FEB'
+ - 'SHA256=B4C2EF76C204273132FDE38F0DED641C2C5EE767652E64E4C4071A4A973B6C1B'
+ - 'SHA256=640954AFC268565F7DAA6E6F81A8EE05311E33E34332B501A3C3FE5B22ADEA97'
+ - 'SHA256=251BE949F662C838718F8AA0A5F8211FB90346D02BD63FF91E6B224E0E01B656'
+ - 'SHA256=E2606F272F7BA054DF16BE464FDA57211EF0D14A0D959F9C8DCB0575DF1186E4'
+ - 'SHA256=3A9E1D17BEEB514F1B9B3BACAEE7420285DE5CBDCE89C5319A992C6CBD1DE138'
+ selection_systeminformer_hashes:
+ SHA256:
+ - '8b9ad98944ac9886ea4cb07700e71b78be4a2740934bb7e46ca3b56a7c59ad24'
+ - 'a41348bec147ca4d9ea2869817527eb5cea2e20202af599d2b30625433bcf454'
+ - '38ee0a88af8535a11efe8d8da9c6812aa07067b75a64d99705a742589bdd846d'
+ - 'a773891acf203a7eb0c0d30942fb1347648f1cd918ae2bfd9a4857b4dcf5081b'
+ - '4c3b81ac88a987bbdf7d41fa0aecc2cedf5b9bd2f45e7a21f376d05345fc211d'
+ - '3241bc14bec51ce6a691b9a3562e5c1d52e9d057d27a3d67fd0b245c350b6d34'
+ - '047c42e9bba28366868847c7dafc1e043fb038c796422d37220493517d68ee89'
+ - '18931dc81e95d0020466fa091e16869dbe824e543a4c2c8fe644fa71a0f44feb'
+ - 'b4c2ef76c204273132fde38f0ded641c2c5ee767652e64e4c4071a4a973b6c1b'
+ - '640954afc268565f7daa6e6f81a8ee05311e33e34332b501a3c3fe5b22adea97'
+ - '251be949f662c838718f8aa0a5f8211fb90346d02bd63ff91e6b224e0e01b656'
+ - 'e2606f272f7ba054df16be464fda57211ef0d14a0d959f9c8dcb0575df1186e4'
+ - '3a9e1d17beeb514f1b9b3bacaee7420285de5cbdce89c5319a992c6cbd1de138'
+ condition: 1 of selection*
+falsepositives:
+ - Legitimate user of process hacker or system informer by low level developers or system administrators
+level: medium
diff --git a/rules/windows/driver_load/driver_load_vuln_hevd_driver.yml b/rules/windows/driver_load/driver_load_vuln_hevd_driver.yml
index ba0d94fc1..2b3b1ecee 100644
--- a/rules/windows/driver_load/driver_load_vuln_hevd_driver.yml
+++ b/rules/windows/driver_load/driver_load_vuln_hevd_driver.yml
@@ -6,6 +6,7 @@ references:
 - https://github.com/hacksysteam/HackSysExtremeVulnerableDriver
 author: Nasreddine Bencherchali
 date: 2022/08/18
+modified: 2022/11/19
 tags:
 - attack.privilege_escalation
 - attack.t1543.003
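Review bot: The `cve.2021.21551` entry in the new rule's `tags` block does not appear to belong here: that CVE identifier is associated with a different vendor's driver (the Dell dbutil driver), while the selections in this rule match only `\kprocesshacker.sys` and `\SystemInformer.sys` by name and by hash, and none of the three listed references mention that CVE. Unless the tag was kept on purpose, drop that line or add a reference that documents the link, otherwise downstream tooling will file hits under the wrong vulnerability. The `description` could also say why a load of these drivers is alert-worthy (the `attack.privilege_escalation` and `attack.t1543` tags imply it, the text does not), e.g. `description: Detects the load of the kernel drivers shipped with Process Hacker and System Informer, whose process and kernel manipulation capabilities are of interest on hosts where these tools are not expected`. Note that with `condition: 1 of selection*` the `selection_image` branch alone fires on every legitimate install, which the `falsepositives` entry acknowledges.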
@@ -20,7 +21,7 @@ detection:
 - 'IMPHASH=f26d0b110873a1c7d8c4f08fbeab89c5' #Version 3.0
 - 'IMPHASH=c46ea2e651fd5f7f716c8867c6d13594' #Version 3.0
 selection_other:
- IMPHASH:
+ Imphash:
 - 'f26d0b110873a1c7d8c4f08fbeab89c5' #Version 3.0
 - 'c46ea2e651fd5f7f716c8867c6d13594' #Version 3.0
 condition: 1 of selection*
diff --git a/rules/windows/driver_load/driver_load_vuln_winring0_driver.yml b/rules/windows/driver_load/driver_load_vuln_winring0_driver.yml
index 020a5b49c..57fe1d4dc 100644
--- a/rules/windows/driver_load/driver_load_vuln_winring0_driver.yml
+++ b/rules/windows/driver_load/driver_load_vuln_winring0_driver.yml
@@ -7,7 +7,7 @@ references:
 - https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/
 author: Florian Roth
 date: 2022/07/26
-modified: 2022/10/03
+modified: 2022/11/19
 tags:
 - attack.privilege_escalation
 - attack.t1543.003
@@ -25,7 +25,7 @@ detection:
 selection_sysmon:
 Hashes|contains: 'IMPHASH=D41FA95D4642DC981F10DE36F4DC8CD7'
 selection_other:
- IMPHASH: 'd41fa95d4642dc981f10de36f4dc8cd7'
+ Imphash: 'd41fa95d4642dc981f10de36f4dc8cd7'
 condition: 1 of selection*
 falsepositives:
 - Unknown
diff --git a/rules/windows/driver_load/driver_load_windivert.yml b/rules/windows/driver_load/driver_load_windivert.yml
index 1601358c5..3910b8002 100644
--- a/rules/windows/driver_load/driver_load_windivert.yml
+++ b/rules/windows/driver_load/driver_load_windivert.yml
@@ -7,7 +7,7 @@ references:
 - https://rastamouse.me/ntlm-relaying-via-cobalt-strike/
 author: Florian Roth
 date: 2021/07/30
-modified: 2022/07/27
+modified: 2022/11/19
 tags:
 - attack.collection
 - attack.defense_evasion
@@ -46,7 +46,7 @@ detection:
 - 'IMPHASH=bdcd836a46bc2415773f6b5ea77a46e4'
 - 'IMPHASH=c28cd6ccd83179e79dac132a553693d9'
 selection_hashes:
- IMPHASH:
+ Imphash:
 - '0604bb7cb4bb851e2168d5c7d9399087'
 - '2e5f0e649d97f32b03c09e4686d0574f'
 - '52f8aa269f69f0edad9e8fcdaedce276'
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml b/rules/windows/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml
index 108a4a80c..8d155ceb9 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard, Florian Roth
 date: 2021/08/30
-modified: 2022/07/27
+modified: 2022/11/19
 tags:
 - attack.defense_evasion
 - attack.privilege_escalation
@@ -47,7 +47,7 @@ detection:
 - 'IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74'
 - 'IMPHASH=3DE09703C8E79ED2CA3F01074719906B'
 selection_hash:
- IMPHASH:
+ Imphash:
 - '767637c23bb42cd5d7397cf58b0be688'
 - '14c4e4c72ba075e9069ee67f39188ad8'
 - '3c782813d4afce07bbfc5a9772acdbdc'
diff --git a/rules/windows/process_creation/proc_creation_win_netsh_port_fwd_3389.yml b/rules/windows/process_creation/proc_creation_win_netsh_port_fwd_3389.yml
index 3587cba01..7bce65719 100644
--- a/rules/windows/process_creation/proc_creation_win_netsh_port_fwd_3389.yml
+++ b/rules/windows/process_creation/proc_creation_win_netsh_port_fwd_3389.yml
@@ -6,7 +6,7 @@ references:
 - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
 author: Florian Roth, oscd.community
 date: 2019/01/29
-modified: 2022/01/07
+modified: 2022/11/14
 tags:
 - attack.lateral_movement
 - attack.defense_evasion
@@ -19,7 +19,7 @@ detection:
 selection:
 Image|endswith: '\netsh.exe'
 CommandLine|contains|all:
- - 'i'
+ - ' i'
 - ' p'
 - '=3389'
 - ' c'
diff --git a/rules/windows/process_creation/proc_creation_win_susp_command_flag_pattern.yml b/rules/windows/process_creation/proc_creation_win_susp_command_flag_pattern.yml
new file mode 100644
index 000000000..9acbd7d38
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_command_flag_pattern.yml
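Review bot: Only the first token of the `CommandLine|contains|all` list in the netsh rule is tightened; `' p'` and `' c'` remain one-letter prefixes with a leading space, so after this change `'=3389'` is still the only term that narrows the match much and any netsh command line carrying `=3389` plus words beginning in i, p and c will fire. Presumably the short forms are intentional because netsh accepts abbreviated keywords (`interface`, `portproxy`, `connectaddress`), but nothing in the rule records that, and the old `'i'` without a leading space shows how easily such a token drifts into matching almost everything. A comment above the list, e.g. `# netsh accepts abbreviated keywords, so the short tokens below are intentional`, would stop a later editor from "fixing" them. The `condition` and `falsepositives` sections of this rule lie outside the hunk.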
@@ -0,0 +1,36 @@
+title: Suspicious RunAs-Like Flag Combination
+id: 50d66fb0-03f8-4da0-8add-84e77d12a020
+status: experimental
+description: Detects suspicious command line flags that let the user set a target user and command as e.g. seen in PsExec-like tools
+references:
+ - https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html
+author: Florian Roth
+date: 2022/11/11
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_user:
+ CommandLine|contains:
+ - ' -u system '
+ - ' --user system '
+ - ' -u NT'
+ - ' -u "NT'
+ - " -u 'NT"
+ - ' --system '
+ - ' -u administrator '
+ selection_command:
+ CommandLine|contains:
+ - ' -c cmd'
+ - ' -c "cmd'
+ - ' -c powershell'
+ - ' -c "powershell'
+ - ' --command cmd'
+ - ' --command powershell'
+ - ' -c whoami'
+ - ' -c wscript'
+ - ' -c cscript'
+ condition: all of selection*
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml b/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml
index 0a1df0ac2..494e98675 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml
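Review bot: The new rule has no `tags` block, while every other rule touched by this commit carries an ATT&CK mapping; add one with the tactic and technique the author has in mind so the rule is classifiable alongside the rest of the ruleset. In `selection_user` the terminators are inconsistent: `' -u system '` and `' -u administrator '` require a trailing space, so a command line that ends right after the user name or quotes it (`-u "system"`) is missed, whereas `' -u NT'` has no terminator at all and also matches any user name beginning with `nt`. Consider pairing each user value with its quoted variants the way the `NT` entries already do, and a short comment on `' --system '` explaining which tool uses that stand-alone flag, since it is the only entry that is not a `-u`/`--user` argument.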
@@ -1,23 +1,31 @@
-title: Process Hacker Usage
+title: Process Hacker / System Informer Usage
 id: 811e0002-b13b-4a15-9d00-a613fce66e42
 status: experimental
-description: Detects suspicious use of Process Hacker, a tool to view and manipulate processes, kernel options and other low level stuff
+description: Detects suspicious use of Process Hacker and its newer version named System Informer, a tool to view and manipulate processes, kernel options and other low level stuff
 references:
 - https://processhacker.sourceforge.io/
+ - https://github.com/winsiderss/systeminformer
 - https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/
 author: Florian Roth
 date: 2022/10/10
+modified: 2022/11/16
 logsource:
 category: process_creation
 product: windows
 detection:
 selection_image:
- Image|contains: '\ProcessHacker_'
+ - Image|contains: '\ProcessHacker_'
+ - Image|endswith:
+ - '\SystemInformer.exe'
+ - '\ProcessHacker.exe'
 selection_pe:
 - OriginalFileName:
 - 'ProcessHacker.exe'
 - 'Process Hacker'
- - Description: 'Process Hacker'
+ - 'SystemInformer.exe'
+ - Description:
+ - 'Process Hacker'
+ - 'System Informer'
 - Product: 'Process Hacker'
 selection_hashes:
 Hashes|contains:
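Review bot: In `selection_pe`, `OriginalFileName` and `Description` gained System Informer values but `Product: 'Process Hacker'` was left as a single value; if the System Informer binaries carry their own product name, which the added `Description: 'System Informer'` suggests, the `Product` branch silently keeps matching only the old tool. Make it a list to mirror the two fields above it: `- Product:` / `- 'Process Hacker'` / `- 'System Informer'`. The `selection_hashes` list and the `condition` continue past the end of the hunk, so whether hashes for the new binaries were added could not be checked here.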