diff --git a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml index fdda44bab..87bc6293c 100644 --- a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml +++ b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml @@ -3,7 +3,7 @@ id: 5f113a8f-8b61-41ca-b90f-d374fa7e4a39 description: Detects the access to processes by other suspicious processes which have reflectively loaded libraries in their memory space. An example is SilentTrinity C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack call to a dll loaded from disk (the standard way), it will display "UNKNOWN" as the module name. Usually this means the stack call points to a module that was reflectively loaded in memory. Adding to this, it is not common to see such few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most of the functions required by the process to execute certain routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious. status: experimental date: 2019/10/27 -modified: 2021/12/03 +modified: 2021/12/04 author: Perez Diego (@darkquassar), oscd.community, Jonhnathan Ribeiro references: - https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/ @@ -51,6 +51,8 @@ detection: - '\git\usr\bin\sh.exe' - '\IDE\devenv.exe' - '\GitHubDesktop\Update.exe' + - '\RuntimeBroker.exe' + - '\backgroundTaskHost.exe' - SourceImage|startswith: - 'C:\Program Files (x86)\' - 'C:\Program Files\' diff --git a/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml b/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml index bc8e56724..65cf516b8 100644 --- a/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml 
+++ b/rules/windows/raw_access_thread/sysmon_raw_disk_access_using_illegitimate_tools.yml @@ -3,7 +3,7 @@ id: db809f10-56ce-4420-8c86-d6a7d793c79c description: Raw disk access using illegitimate tools, possible defence evasion author: Teymur Kheirkhabarov, oscd.community date: 2019/10/22 -modified: 2021/11/20 +modified: 2021/12/04 references: - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment tags: @@ -16,6 +16,9 @@ detection: filter_1: Device|contains: floppy filter_2: + Image|startswith: + - 'C:\Windows\System32\' + - 'C:\Windows\SystemApps\' Image|endswith: # easy to bypass. requires extra rule to support this one - '\wmiprvse.exe' - '\sdiagnhost.exe' diff --git a/rules/windows/registry_event/sysmon_taskcache_entry.yml b/rules/windows/registry_event/sysmon_taskcache_entry.yml index f149e51cc..413657014 100644 --- a/rules/windows/registry_event/sysmon_taskcache_entry.yml +++ b/rules/windows/registry_event/sysmon_taskcache_entry.yml @@ -7,13 +7,10 @@ tags: - attack.t1053 - attack.t1053.005 date: 2021/06/18 -modified: 2021/07/27 +modified: 2021/12/04 references: - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/ author: Syed Hasan (@syedhasan009) -falsepositives: - - Unknown -level: medium logsource: category: registry_event product: windows @@ -21,4 +18,11 @@ detection: selection: EventType: SetValue TargetObject|contains: 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\' - condition: selection + filter: + TargetObject|contains: + - 'Microsoft\Windows\UpdateOrchestrator' + - 'Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTask\Index' + condition: selection and not filter +falsepositives: + - Unknown +level: medium \ No newline at end of file
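Review bot: in the sysmon_in_memory_assembly_execution.yml hunk, the two new entries `'\RuntimeBroker.exe'` and `'\backgroundTaskHost.exe'` go into a suffix-only list, so any process carrying that file name from any path (a renamed loader dropped under a user profile, for instance) is excluded from the rule, not just the Windows binaries. Both legitimate copies live under C:\Windows\System32\, so either add them with their full path to the `SourceImage|startswith` list below or pair each suffix with a path prefix, and record the new exclusion in the rule's falsepositives so the tuning is documented.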
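Review bot: in the sysmon_raw_disk_access_using_illegitimate_tools.yml hunk, the new `Image|startswith` block sits inside `filter_2` beside the existing `Image|endswith`, and Sigma ANDs keys within one selection, so the listed binaries are now only filtered when they run from `C:\Windows\System32\` or `C:\Windows\SystemApps\`. That is the right hardening, but `C:\Windows\SysWOW64\` is not covered, so the 32-bit copies of those system binaries (wmiprvse.exe also exists under SysWOW64\wbem on 64-bit Windows) will start alerting; add that prefix if they are expected on the fleet. The comment `# easy to bypass. requires extra rule to support this one` no longer describes the filter once the path prefix is enforced and should be updated in the same change.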
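Review bot: in the sysmon_taskcache_entry.yml hunk, `falsepositives` is moved below `detection` but still reads `Unknown`, while the new `filter` encodes two known benign sources (the UpdateOrchestrator tasks and the SoftwareProtectionPlatform SvcRestartTask); list them there so the exclusions are documented rather than only implied by the filter. The file also now ends without a trailing newline (`\ No newline at end of file` after `level: medium`), which should be fixed. Note as well that `TargetObject|contains: 'Microsoft\Windows\UpdateOrchestrator'` is a substring match over the whole path, so any task created anywhere under that folder, including one an attacker names to live there, is excluded; if the exact task names are known, anchoring the filter with `endswith` on them would narrow the exclusion.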