From 951ad8c453fdb495c16353be4dc3e1d7f85fdefb Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 12 Nov 2022 08:33:21 +0100
Subject: [PATCH 01/14] rule: suspicious command line flags
---
 ...creation_win_susp_command_flag_pattern.yml | 36 +++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_susp_command_flag_pattern.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_command_flag_pattern.yml b/rules/windows/process_creation/proc_creation_win_susp_command_flag_pattern.yml
new file mode 100644
index 000000000..269a8ab07
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_command_flag_pattern.yml
@@ -0,0 +1,36 @@
+title: Suspicious RunAs-Like Flag Combination
+id: 50d66fb0-03f8-4da0-8add-84e77d12a020
+status: experimental
+description: Detects suspicious command line flags that let the user set a target user and command as e.g. seen in PsExec-like tools
+references:
+ - https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html
+author: Florian Roth
+date: 2022/11/11
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_user:
+ CommandLine|contains:
+ - ' -u system '
+ - ' --user system '
+ - ' -u NT'
+ - ' -u "NT'
+ - " -u 'NT"
+ - ' --system '
+ - ' -u administrator '
+ selection_command:
+ CommandLine|contains:
+ - ' -c cmd'
+ - ' -c "cmd'
+ - ' -c powershell'
+ - ' -c "powershell'
+ - ' --command cmd'
+ - ' --command powershell'
+ - ' -c whoami'
+ - ' -c wscript'
+ - ' -c cscript'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
From 6f26d672f14974087a58e41bd61f55e57c80c67a Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 12 Nov 2022 08:39:36 +0100
Subject: [PATCH 02/14] refactor: add forkatz imphash
---
 .../create_stream_hash/create_stream_hash_hacktool_download.yml | 2 ++
 1 file changed, 2 insertions(+)
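Review bot: In `selection_user`, the entries `' -u system '`, `' --user system '`, `' --system '` and `' -u administrator '` all require a trailing space, so a command line whose user flag is the final token (the `-c …` part given first) is never matched, whereas `' -u NT'` and every `selection_command` entry have no such requirement. Consider adding the variants without the trailing space, or recording above the list why the trailing space is deliberate, e.g. `# trailing space: avoid matching longer user names that merely start with "system"`. The rule also has no `tags:` block, unlike `driver_load_process_hacker.yml` later in this series, so downstream tooling cannot map it to ATT&CK; a `tags:` entry for the relevant execution or lateral-movement technique would be consistent with the rest of the repository.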
diff --git a/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml b/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml
index 87734617e..7318b0ff7 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml
@@ -105,6 +105,7 @@ detection:
 - 84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
 - 19584675d94829987952432e018d5056 # SysmonQuiet
 - 330768a4f172e10acb6287b87289d83b # ShaprEvtMute Hook
+ - 885c99ccfbe77d1cbfcb9c4e7c1a3313 # Forkatz
 - Hashes|contains: # Sysmon field hashes contains all types
 - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam
 - IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam
@@ -193,6 +194,7 @@ detection:
 - IMPHASH=84B763C45C0E4A3E7CA5548C710DB4EE # SysmonEnte
 - IMPHASH=19584675D94829987952432E018D5056 # SysmonQuiet
 - IMPHASH=330768A4F172E10ACB6287B87289D83B # ShaprEvtMute Hook
+ - IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313 # Forkatz
 condition: selection
 fields:
 - TargetFilename
From c6d02d6fe27cd69f2f40971dcc50251461f75f79 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 12 Nov 2022 09:27:41 +0100
Subject: [PATCH 03/14] rule: modified date update, PPLKiller
---
 .../create_stream_hash_hacktool_download.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml b/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml
index 7318b0ff7..b0da98354 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_hacktool_download.yml
@@ -6,7 +6,7 @@ references:
 - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015
 author: Florian Roth
 date: 2022/08/24
-modified: 2022/09/07
+modified: 2022/11/12
 tags:
 - attack.defense_evasion
 - attack.s0139
@@ -106,6 +106,8 @@ detection:
 - 19584675d94829987952432e018d5056 # SysmonQuiet
 - 330768a4f172e10acb6287b87289d83b # ShaprEvtMute Hook
 - 885c99ccfbe77d1cbfcb9c4e7c1a3313 # Forkatz
+ - 22a22bc9e4e0d2f189f1ea01748816ac # PPLKiller
+ - 7fa30e6bb7e8e8a69155636e50bf1b28 # PPLKiller
 - Hashes|contains: # Sysmon field hashes contains all types
 - IMPHASH=BCCA3C247B619DCD13C8CDFF5F123932 # PetitPotam
 - IMPHASH=3A19059BD7688CB88E70005F18EFC439 # PetitPotam
@@ -195,6 +197,8 @@ detection:
 - IMPHASH=19584675D94829987952432E018D5056 # SysmonQuiet
 - IMPHASH=330768A4F172E10ACB6287B87289D83B # ShaprEvtMute Hook
 - IMPHASH=885C99CCFBE77D1CBFCB9C4E7C1A3313 # Forkatz
+ - IMPHASH=22A22BC9E4E0D2F189F1EA01748816AC # PPLKiller
+ - IMPHASH=7FA30E6BB7E8E8A69155636E50BF1B28 # PPLKiller
 condition: selection
 fields:
 - TargetFilename
From c03944c70062bc8c7c3f73ef059d02912be4a77d Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 14 Nov 2022 14:24:00 +0100
Subject: [PATCH 04/14] fix: condition
---
 .../proc_creation_win_susp_command_flag_pattern.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_susp_command_flag_pattern.yml b/rules/windows/process_creation/proc_creation_win_susp_command_flag_pattern.yml
index 269a8ab07..9acbd7d38 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_command_flag_pattern.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_command_flag_pattern.yml
@@ -30,7 +30,7 @@ detection:
 - ' -c whoami'
 - ' -c wscript'
 - ' -c cscript'
- condition: selection
+ condition: all of selection*
 falsepositives:
 - Unknown
 level: medium
From f0681fc49f681dc3e07762a90953d71d10037539 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 14 Nov 2022 17:06:20 +0100
Subject: [PATCH 05/14] add another character
---
 .../proc_creation_win_netsh_port_fwd_3389.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_netsh_port_fwd_3389.yml b/rules/windows/process_creation/proc_creation_win_netsh_port_fwd_3389.yml
index 3587cba01..7bce65719 100644
--- a/rules/windows/process_creation/proc_creation_win_netsh_port_fwd_3389.yml
+++ b/rules/windows/process_creation/proc_creation_win_netsh_port_fwd_3389.yml
@@ -6,7 +6,7 @@ references:
 - https://www.fireeye.com/blog/threat-research/2019/01/bypassing-network-restrictions-through-rdp-tunneling.html
 author: Florian Roth, oscd.community
 date: 2019/01/29
-modified: 2022/01/07
+modified: 2022/11/14
 tags:
 - attack.lateral_movement
 - attack.defense_evasion
@@ -19,7 +19,7 @@ detection:
 selection:
 Image|endswith: '\netsh.exe'
 CommandLine|contains|all:
- - 'i'
+ - ' i'
 - ' p'
 - '=3389'
 - ' c'
From c79f5944255e427c7d1285ca77d425d6d203f54f Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 16 Nov 2022 18:12:23 +0100
Subject: [PATCH 06/14] rule: proc hacker, system informer driver load; refactor: imphash casing
---
 .../driver_load_process_hacker.yml | 68 +++++++++++++++++++
 .../driver_load_vuln_winring0_driver.yml | 2 +-
 .../driver_load/driver_load_windivert.yml | 2 +-
 ...roc_creation_win_hktl_uacme_uac_bypass.yml | 2 +-
 .../proc_creation_win_susp_process_hacker.yml | 10 ++-
 5 files changed, 78 insertions(+), 6 deletions(-)
 create mode 100644 rules/windows/driver_load/driver_load_process_hacker.yml
diff --git a/rules/windows/driver_load/driver_load_process_hacker.yml b/rules/windows/driver_load/driver_load_process_hacker.yml
new file mode 100644
index 000000000..0c98f7449
--- /dev/null
+++ b/rules/windows/driver_load/driver_load_process_hacker.yml
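Review bot: The `CommandLine|contains|all` entries `' i'`, `' p'` and `' c'` in the `@@ -19,7` hunk are single letters with no comment explaining them, so a later maintainer may well "correct" them back to full words and silently narrow the rule. Presumably they are meant to match netsh's abbreviated keywords (`i` for `interface`, `p` for `portproxy`, `c` for `connectaddress`/`connectport`) while still matching the long forms, with `'=3389'` being what keeps the selection specific — worth confirming and recording above the list, e.g. `# single-letter tokens cover netsh's abbreviated keyword syntax as well as the full words`. The list may continue past the end of the hunk.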
@@ -0,0 +1,68 @@
+title: Process Hacker and System Informer Driver Load
+id: 21b23707-60d6-41bb-96e3-0f0481b0fed9
+status: experimental
+description: Detects the load of drivers used by Process Hacker and System Informer
+references:
+ - https://processhacker.sourceforge.io/
+ - https://systeminformer.sourceforge.io/
+ - https://github.com/winsiderss/systeminformer
+author: Florian Roth
+date: 2022/11/16
+tags:
+ - attack.privilege_escalation
+ - cve.2021.21551
+ - attack.t1543
+logsource:
+ category: driver_load
+ product: windows
+detection:
+ selection_image:
+ ImageLoaded|endswith:
+ - '\kprocesshacker.sys'
+ - '\SystemInformer.sys'
+ selection_processhack_sysmon:
+ Hashes|contains:
+ - 'IMPHASH=821D74031D3F625BCBD0DF08B70F1E77'
+ - 'IMPHASH=F86759BB4DE4320918615DC06E998A39'
+ - 'IMPHASH=0A64EEB85419257D0CE32BD5D55C3A18'
+ - 'IMPHASH=6E7B34DFC017700B1517B230DF6FF0D0'
+ selection_processhack_hashes:
+ Imphash:
+ - '821D74031D3F625BCBD0DF08B70F1E77'
+ - 'F86759BB4DE4320918615DC06E998A39'
+ - '0A64EEB85419257D0CE32BD5D55C3A18'
+ - '6E7B34DFC017700B1517B230DF6FF0D0'
+ selection_systeminformer_sysmon:
+ Hashes|contains:
+ - 'SHA256=8B9AD98944AC9886EA4CB07700E71B78BE4A2740934BB7E46CA3B56A7C59AD24'
+ - 'SHA256=A41348BEC147CA4D9EA2869817527EB5CEA2E20202AF599D2B30625433BCF454'
+ - 'SHA256=38EE0A88AF8535A11EFE8D8DA9C6812AA07067B75A64D99705A742589BDD846D'
+ - 'SHA256=A773891ACF203A7EB0C0D30942FB1347648F1CD918AE2BFD9A4857B4DCF5081B'
+ - 'SHA256=4C3B81AC88A987BBDF7D41FA0AECC2CEDF5B9BD2F45E7A21F376D05345FC211D'
+ - 'SHA256=3241BC14BEC51CE6A691B9A3562E5C1D52E9D057D27A3D67FD0B245C350B6D34'
+ - 'SHA256=047C42E9BBA28366868847C7DAFC1E043FB038C796422D37220493517D68EE89'
+ - 'SHA256=18931DC81E95D0020466FA091E16869DBE824E543A4C2C8FE644FA71A0F44FEB'
+ - 'SHA256=B4C2EF76C204273132FDE38F0DED641C2C5EE767652E64E4C4071A4A973B6C1B'
+ - 'SHA256=640954AFC268565F7DAA6E6F81A8EE05311E33E34332B501A3C3FE5B22ADEA97'
+ - 'SHA256=251BE949F662C838718F8AA0A5F8211FB90346D02BD63FF91E6B224E0E01B656'
+ - 'SHA256=E2606F272F7BA054DF16BE464FDA57211EF0D14A0D959F9C8DCB0575DF1186E4'
+ - 'SHA256=3A9E1D17BEEB514F1B9B3BACAEE7420285DE5CBDCE89C5319A992C6CBD1DE138'
+ selection_systeminformer_hashes:
+ - SHA256:
+ - '8b9ad98944ac9886ea4cb07700e71b78be4a2740934bb7e46ca3b56a7c59ad24'
+ - 'a41348bec147ca4d9ea2869817527eb5cea2e20202af599d2b30625433bcf454'
+ - '38ee0a88af8535a11efe8d8da9c6812aa07067b75a64d99705a742589bdd846d'
+ - 'a773891acf203a7eb0c0d30942fb1347648f1cd918ae2bfd9a4857b4dcf5081b'
+ - '4c3b81ac88a987bbdf7d41fa0aecc2cedf5b9bd2f45e7a21f376d05345fc211d'
+ - '3241bc14bec51ce6a691b9a3562e5c1d52e9d057d27a3d67fd0b245c350b6d34'
+ - '047c42e9bba28366868847c7dafc1e043fb038c796422d37220493517d68ee89'
+ - '18931dc81e95d0020466fa091e16869dbe824e543a4c2c8fe644fa71a0f44feb'
+ - 'b4c2ef76c204273132fde38f0ded641c2c5ee767652e64e4c4071a4a973b6c1b'
+ - '640954afc268565f7daa6e6f81a8ee05311e33e34332b501a3c3fe5b22adea97'
+ - '251be949f662c838718f8aa0a5f8211fb90346d02bd63ff91e6b224e0e01b656'
+ - 'e2606f272f7ba054df16be464fda57211ef0d14a0d959f9c8dcb0575df1186e4'
+ - '3a9e1d17beeb514f1b9b3bacaee7420285de5cbdce89c5319a992c6cbd1de138'
+ condition: 1 of selection*
+falsepositives:
+ - Legitimate user of process hacker or system informer by low level developers or system administrators
+level: medium
diff --git a/rules/windows/driver_load/driver_load_vuln_winring0_driver.yml b/rules/windows/driver_load/driver_load_vuln_winring0_driver.yml
index 020a5b49c..c0f50a61e 100644
--- a/rules/windows/driver_load/driver_load_vuln_winring0_driver.yml
+++ b/rules/windows/driver_load/driver_load_vuln_winring0_driver.yml
@@ -25,7 +25,7 @@ detection:
 selection_sysmon:
 Hashes|contains: 'IMPHASH=D41FA95D4642DC981F10DE36F4DC8CD7'
 selection_other:
- IMPHASH: 'd41fa95d4642dc981f10de36f4dc8cd7'
+ Imphash: 'd41fa95d4642dc981f10de36f4dc8cd7'
 condition: 1 of selection*
 falsepositives:
 - Unknown
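Review bot: The `tags:` block of the new `driver_load_process_hacker.yml` carries `cve.2021.21551`, yet none of the three `references:` entries is a vulnerability advisory, so the rule does not show which of `\kprocesshacker.sys` or `\SystemInformer.sys` that CVE is meant to describe; either add the advisory to `references:` or drop the tag if it was carried over from another driver rule. The imphash and SHA256 lists have no per-entry comments, unlike `create_stream_hash_hacktool_download.yml` earlier in this series, so nobody can later tell which driver build each hash belongs to; a short `# <tool> <version>` comment per entry (placeholder) would fix that. In `falsepositives:` the phrase `Legitimate user of process hacker` reads as `Legitimate use of process hacker`.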
diff --git a/rules/windows/driver_load/driver_load_windivert.yml b/rules/windows/driver_load/driver_load_windivert.yml
index 1601358c5..2fd7e3035 100644
--- a/rules/windows/driver_load/driver_load_windivert.yml
+++ b/rules/windows/driver_load/driver_load_windivert.yml
@@ -46,7 +46,7 @@ detection:
 - 'IMPHASH=bdcd836a46bc2415773f6b5ea77a46e4'
 - 'IMPHASH=c28cd6ccd83179e79dac132a553693d9'
 selection_hashes:
- IMPHASH:
+ Imphash:
 - '0604bb7cb4bb851e2168d5c7d9399087'
 - '2e5f0e649d97f32b03c09e4686d0574f'
 - '52f8aa269f69f0edad9e8fcdaedce276'
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml b/rules/windows/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml
index 108a4a80c..553b3e36f 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml
@@ -47,7 +47,7 @@ detection:
 - 'IMPHASH=41923EA1F824FE63EA5BEB84DB7A3E74'
 - 'IMPHASH=3DE09703C8E79ED2CA3F01074719906B'
 selection_hash:
- IMPHASH:
+ Imphash:
 - '767637c23bb42cd5d7397cf58b0be688'
 - '14c4e4c72ba075e9069ee67f39188ad8'
 - '3c782813d4afce07bbfc5a9772acdbdc'
diff --git a/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml b/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml
index 0a1df0ac2..f0b1c7668 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml
@@ -1,23 +1,27 @@
 title: Process Hacker Usage
 id: 811e0002-b13b-4a15-9d00-a613fce66e42
 status: experimental
-description: Detects suspicious use of Process Hacker, a tool to view and manipulate processes, kernel options and other low level stuff
+description: Detects suspicious use of Process Hacker and its newer version named System Informer, a tool to view and manipulate processes, kernel options and other low level stuff
 references:
 - https://processhacker.sourceforge.io/
 - https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/
 author: Florian Roth
 date: 2022/10/10
+modified: 2022/11/16
 logsource:
 category: process_creation
 product: windows
 detection:
 selection_image:
- Image|contains: '\ProcessHacker_'
+ - Image|contains: '\ProcessHacker_'
+ - Image: 'SystemInformer.exe'
 selection_pe:
 - OriginalFileName:
 - 'ProcessHacker.exe'
 - 'Process Hacker'
- - Description: 'Process Hacker'
+ - Description:
+ - 'Process Hacker'
+ - 'System Informer'
 - Product: 'Process Hacker'
 selection_hashes:
 Hashes|contains:
From 4234018e22a28e3565f07ae805fb0a27bdcb9757 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 16 Nov 2022 20:17:29 +0100
Subject: [PATCH 07/14] fix: duplicate uuid
---
 rules/windows/driver_load/driver_load_process_hacker.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/driver_load/driver_load_process_hacker.yml b/rules/windows/driver_load/driver_load_process_hacker.yml
index 0c98f7449..88d3be67e 100644
--- a/rules/windows/driver_load/driver_load_process_hacker.yml
+++ b/rules/windows/driver_load/driver_load_process_hacker.yml
@@ -1,5 +1,5 @@
 title: Process Hacker and System Informer Driver Load
-id: 21b23707-60d6-41bb-96e3-0f0481b0fed9
+id: 67add051-9ee7-4ad3-93ba-42935615ae8d
 status: experimental
 description: Detects the load of drivers used by Process Hacker and System Informer
 references:
From 136398698bbe4e76a1021171196291bc0869b0f4 Mon Sep 17 00:00:00 2001
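Review bot: `selection_pe` in the `@@ -1,23` hunk gains `Description: 'System Informer'`, but the adjacent `- Product: 'Process Hacker'` entry stays single-valued, so a System Informer build whose version resource carries a different Product string is only caught through the description or the hash selection. Confirm the Product value of the System Informer binaries and, if it differs, extend the entry to `- Product:` / `- 'Process Hacker'` / `- 'System Informer'` in the same list form as the new `Description:` entry. `selection_hashes` continues past the end of the hunk.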
From: Florian Roth
Date: Wed, 16 Nov 2022 20:18:30 +0100
Subject: [PATCH 08/14] fix: list with one element
---
 rules/windows/driver_load/driver_load_process_hacker.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/driver_load/driver_load_process_hacker.yml b/rules/windows/driver_load/driver_load_process_hacker.yml
index 88d3be67e..5275b99d0 100644
--- a/rules/windows/driver_load/driver_load_process_hacker.yml
+++ b/rules/windows/driver_load/driver_load_process_hacker.yml
@@ -48,7 +48,7 @@ detection:
 - 'SHA256=E2606F272F7BA054DF16BE464FDA57211EF0D14A0D959F9C8DCB0575DF1186E4'
 - 'SHA256=3A9E1D17BEEB514F1B9B3BACAEE7420285DE5CBDCE89C5319A992C6CBD1DE138'
 selection_systeminformer_hashes:
- - SHA256:
+ SHA256:
 - '8b9ad98944ac9886ea4cb07700e71b78be4a2740934bb7e46ca3b56a7c59ad24'
 - 'a41348bec147ca4d9ea2869817527eb5cea2e20202af599d2b30625433bcf454'
 - '38ee0a88af8535a11efe8d8da9c6812aa07067b75a64d99705a742589bdd846d'
From 860b290f3227e6bf6250259aeaf90df025dd25ce Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Thu, 17 Nov 2022 17:34:48 +0100
Subject: [PATCH 09/14] fix: change casing
---
 rules/windows/driver_load/driver_load_vuln_hevd_driver.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/driver_load/driver_load_vuln_hevd_driver.yml b/rules/windows/driver_load/driver_load_vuln_hevd_driver.yml
index ba0d94fc1..a46ae99d2 100644
--- a/rules/windows/driver_load/driver_load_vuln_hevd_driver.yml
+++ b/rules/windows/driver_load/driver_load_vuln_hevd_driver.yml
@@ -20,7 +20,7 @@ detection:
 - 'IMPHASH=f26d0b110873a1c7d8c4f08fbeab89c5' #Version 3.0
 - 'IMPHASH=c46ea2e651fd5f7f716c8867c6d13594' #Version 3.0
 selection_other:
- IMPHASH:
+ Imphash:
 - 'f26d0b110873a1c7d8c4f08fbeab89c5' #Version 3.0
 - 'c46ea2e651fd5f7f716c8867c6d13594' #Version 3.0
 condition: 1 of selection*
From 4e27fec49b5b90f8f50222adcdfed25f94531b88 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 19 Nov 2022 08:45:30 +0100
Subject: [PATCH 10/14] Update rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
---
 .../process_creation/proc_creation_win_susp_process_hacker.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml b/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml
index f0b1c7668..032606924 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml
@@ -1,4 +1,4 @@
-title: Process Hacker Usage
+title: Process Hacker / System Informer Usage
 id: 811e0002-b13b-4a15-9d00-a613fce66e42
 status: experimental
 description: Detects suspicious use of Process Hacker and its newer version named System Informer, a tool to view and manipulate processes, kernel options and other low level stuff
From 37f6586987db49383e5189c7d1ac1de88d5d297e Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 19 Nov 2022 08:45:39 +0100
Subject: [PATCH 11/14] Update rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
---
 .../process_creation/proc_creation_win_susp_process_hacker.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml b/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml
index 032606924..00c4a68ac 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml
@@ -4,6 +4,7 @@ status: experimental
 description: Detects suspicious use of Process Hacker and its newer version named System Informer, a tool to view and manipulate processes, kernel options and other low level stuff
 references:
 - https://processhacker.sourceforge.io/
+ - https://github.com/winsiderss/systeminformer
 - https://www.crowdstrike.com/blog/falcon-overwatch-report-finds-increase-in-ecrime/
 author: Florian Roth
 date: 2022/10/10
From 009ef39ca003a8b385623dd71356cf13b246fe3f Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 19 Nov 2022 08:45:50 +0100
Subject: [PATCH 12/14] Update rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
---
 .../proc_creation_win_susp_process_hacker.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml b/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml
index 00c4a68ac..9efa4f61d 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml
@@ -15,7 +15,9 @@ logsource:
 detection:
 selection_image:
 - Image|contains: '\ProcessHacker_'
- - Image: 'SystemInformer.exe'
+ - Image|endswith:
+ - '\SystemInformer.exe'
+ - '\ProcessHacker.exe'
 selection_pe:
 - OriginalFileName:
 - 'ProcessHacker.exe'
From 4e36ec71751aba9422ea2fb3b3acb9111b599a52 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 19 Nov 2022 08:45:58 +0100
Subject: [PATCH 13/14] Update rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
---
 .../process_creation/proc_creation_win_susp_process_hacker.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml b/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml
index 9efa4f61d..494e98675 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_process_hacker.yml
@@ -22,6 +22,7 @@ detection:
 - OriginalFileName:
 - 'ProcessHacker.exe'
 - 'Process Hacker'
+ - 'SystemInformer.exe'
 - Description:
 - 'Process Hacker'
 - 'System Informer'
From 66adbb43f766ba2081e855d4ac75e0c9b4ffad7f Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 19 Nov 2022 08:48:43 +0100
Subject: [PATCH 14/14] chore: change modified date
---
 rules/windows/driver_load/driver_load_vuln_hevd_driver.yml | 1 +
 rules/windows/driver_load/driver_load_vuln_winring0_driver.yml | 2 +-
 rules/windows/driver_load/driver_load_windivert.yml | 2 +-
 .../proc_creation_win_hktl_uacme_uac_bypass.yml | 2 +-
 4 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/rules/windows/driver_load/driver_load_vuln_hevd_driver.yml b/rules/windows/driver_load/driver_load_vuln_hevd_driver.yml
index a46ae99d2..2b3b1ecee 100644
--- a/rules/windows/driver_load/driver_load_vuln_hevd_driver.yml
+++ b/rules/windows/driver_load/driver_load_vuln_hevd_driver.yml
@@ -6,6 +6,7 @@ references:
 - https://github.com/hacksysteam/HackSysExtremeVulnerableDriver
 author: Nasreddine Bencherchali
 date: 2022/08/18
+modified: 2022/11/19
 tags:
 - attack.privilege_escalation
 - attack.t1543.003
diff --git a/rules/windows/driver_load/driver_load_vuln_winring0_driver.yml b/rules/windows/driver_load/driver_load_vuln_winring0_driver.yml
index c0f50a61e..57fe1d4dc 100644
--- a/rules/windows/driver_load/driver_load_vuln_winring0_driver.yml
+++ b/rules/windows/driver_load/driver_load_vuln_winring0_driver.yml
@@ -7,7 +7,7 @@ references:
 - https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/
 author: Florian Roth
 date: 2022/07/26
-modified: 2022/10/03
+modified: 2022/11/19
 tags:
 - attack.privilege_escalation
 - attack.t1543.003
diff --git a/rules/windows/driver_load/driver_load_windivert.yml b/rules/windows/driver_load/driver_load_windivert.yml
index 2fd7e3035..3910b8002 100644
--- a/rules/windows/driver_load/driver_load_windivert.yml
+++ b/rules/windows/driver_load/driver_load_windivert.yml
@@ -7,7 +7,7 @@ references:
 - https://rastamouse.me/ntlm-relaying-via-cobalt-strike/
 author: Florian Roth
 date: 2021/07/30
-modified: 2022/07/27
+modified: 2022/11/19
 tags:
 - attack.collection
 - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml b/rules/windows/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml
index 553b3e36f..8d155ceb9 100644
--- a/rules/windows/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml
+++ b/rules/windows/process_creation/proc_creation_win_hktl_uacme_uac_bypass.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/hfiref0x/UACME
 author: Christian Burkard, Florian Roth
 date: 2021/08/30
-modified: 2022/07/27
+modified: 2022/11/19
 tags:
 - attack.defense_evasion
 - attack.privilege_escalation