From 8efa10465e2d48a155a9dda8f5e1de94e91d6164 Mon Sep 17 00:00:00 2001 From: Ian Thieves Date: Mon, 26 Apr 2021 11:25:16 -0700 Subject: [PATCH 01/44] Update win_scm_database_privileged_operation.yml Per ThreatHunterPlaybook Issue here: https://github.com/OTRF/ThreatHunter-Playbook/issues/43 Query should match where SubjectLogonID != "0x3e4" --- .../windows/builtin/win_scm_database_privileged_operation.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_scm_database_privileged_operation.yml b/rules/windows/builtin/win_scm_database_privileged_operation.yml index 9c9df1cb1..e5e6a0206 100644 --- a/rules/windows/builtin/win_scm_database_privileged_operation.yml +++ b/rules/windows/builtin/win_scm_database_privileged_operation.yml @@ -15,8 +15,9 @@ detection: ObjectType: 'SC_MANAGER OBJECT' ObjectName: 'servicesactive' PrivilegeList: 'SeTakeOwnershipPrivilege' + filter: SubjectLogonId: "0x3e4" - condition: selection + condition: selection and not filter falsepositives: - Unknown level: critical From 65294d97c4aacc65bd5383b067634f19b93a2334 Mon Sep 17 00:00:00 2001 From: Ian Thieves Date: Mon, 26 Apr 2021 11:28:16 -0700 Subject: [PATCH 02/44] Update win_scm_database_handle_failure.yml Per ThreatHunterPlaybook Issue here: https://github.com/OTRF/ThreatHunter-Playbook/issues/43 Query should match where SubjectLogonID != "0x3e4" --- rules/windows/builtin/win_scm_database_handle_failure.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_scm_database_handle_failure.yml b/rules/windows/builtin/win_scm_database_handle_failure.yml index 865cbc5b1..7efc27dbb 100644 --- a/rules/windows/builtin/win_scm_database_handle_failure.yml +++ b/rules/windows/builtin/win_scm_database_handle_failure.yml 
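Review bot: The added filter appears to put the nested key on the same line as its parent (`+ filter: SubjectLogonId: "0x3e4"` carries a single `+` marker and the diffstat counts only two insertions), which is not valid YAML; unless that is an artefact of the collapsed rendering, it needs to be `filter:` followed by an indented `SubjectLogonId: "0x3e4"` line. A short comment next to the value, `# 0x3e4 is the NETWORK SERVICE logon session`, would record why that one logon ID is excluded, since the commit message only points at an external issue. The commit message spells the field `SubjectLogonID`; the rule's `SubjectLogonId` matches the event's XML field name and is the spelling to keep. Both points apply equally to the hunk in win_scm_database_handle_failure.yml in the next patch.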
@@ -17,8 +17,9 @@ detection: ObjectType: 'SC_MANAGER OBJECT' ObjectName: 'servicesactive' Keywords: "Audit Failure" + filter: SubjectLogonId: "0x3e4" - condition: selection + condition: selection and not filter falsepositives: - Unknown level: critical From cc13a5e3de187f9a69c7e7fe3280e57f909b9fc1 Mon Sep 17 00:00:00 2001 From: wagga40 <6437862+wagga40@users.noreply.github.com> Date: Sun, 2 May 2021 14:39:41 +0200 Subject: [PATCH 03/44] Add a backend option to specify table name for SQL Backend --- tools/sigma/backends/sql.py | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/tools/sigma/backends/sql.py b/tools/sigma/backends/sql.py index bd734bfa6..077de1bbc 100644 --- a/tools/sigma/backends/sql.py +++ b/tools/sigma/backends/sql.py @@ -43,9 +43,16 @@ class SQLBackend(SingleTextQueryBackend): mapListValueExpression = "%s OR %s" # Syntax for field/value condititons where map value is a list mapLength = "(%s %s)" - def __init__(self, sigmaconfig, table): + options = SingleTextQueryBackend.options + ( + ("table", False, "Use this option to specify table name, default is \"eventlog\"", None), + ) + + def __init__(self, sigmaconfig, options): super().__init__(sigmaconfig) - self.table = table + if "table" in options: + self.table = options["table"] + else: + self.table = "eventlog" def generateANDNode(self, node): generated = [ self.generateNode(val) for val in node ] From 5a98e36905375f3a1e5893aee6b6b02891185877 Mon Sep 17 00:00:00 2001 From: partyh4rd <31990479+P4rtyH4RD@users.noreply.github.com> Date: Tue, 4 May 2021 14:04:52 +0300 Subject: [PATCH 04/44] Update powershell_suspicious_getprocess_lsass.yml fix mitre_code 1552.004 -> 1003.001 --- .../powershell/powershell_suspicious_getprocess_lsass.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml b/rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml index b89b2b086..cb8754e21 100644 
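Review bot: The new `__init__` calls `super().__init__(sigmaconfig)` without passing `options` on, so any option the base constructor reads from `SingleTextQueryBackend.options` would presumably be lost for this backend; if the base signature accepts an options mapping, `super().__init__(sigmaconfig, options)` is the safer call. The `table` entry declares `False` as its default while the code falls back to `"eventlog"`, so the help text, the declared default and the lookup disagree; declaring `("table", "eventlog", "Use this option to specify table name, default is \"eventlog\"", None)` and writing `self.table = options.get("table", "eventlog")` keeps them in one place (or lets the base class set the attribute, if it does that for the other backends). A docstring on `__init__` stating that `options` is the backend-options mapping from the command line and that the table name is presumably spliced into the generated query text as given (the use site is outside the hunk) would help the next maintainer.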
--- a/rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml +++ b/rules/windows/powershell/powershell_suspicious_getprocess_lsass.yml @@ -6,7 +6,7 @@ references: - https://twitter.com/PythonResponder/status/1385064506049630211 tags: - attack.credential_access - - attack.t1552.004 + - attack.t1003.001 author: Florian Roth date: 2021/04/23 logsource: From 3926e2388fdc1ee684e29796a2721969b8d55312 Mon Sep 17 00:00:00 2001 From: John Connor McLaughlin Date: Tue, 4 May 2021 15:23:47 -0400 Subject: [PATCH 05/44] Added ScriptBlockText as a field for winlogbeat configs as per https://www.elastic.co/guide/en/beats/winlogbeat/master/exported-fields-winlog.html --- tools/config/winlogbeat-modules-enabled.yml | 1 + tools/config/winlogbeat-old.yml | 1 + tools/config/winlogbeat.yml | 1 + 3 files changed, 3 insertions(+) diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml index 7e91eb360..2a4bf2621 100644 --- a/tools/config/winlogbeat-modules-enabled.yml +++ b/tools/config/winlogbeat-modules-enabled.yml @@ -135,6 +135,7 @@ fieldmappings: Product: winlog.event_data.Product Properties: winlog.event_data.Properties RuleName: winlog.event_data.RuleName + ScriptBlockText: winlog.event_data.ScriptBlockText SecurityID: winlog.event_data.SecurityID ServiceFileName: winlog.event_data.ServiceFileName ServiceName: winlog.event_data.ServiceName diff --git a/tools/config/winlogbeat-old.yml b/tools/config/winlogbeat-old.yml index 34fef1fdd..789d5f2b8 100644 --- a/tools/config/winlogbeat-old.yml +++ b/tools/config/winlogbeat-old.yml @@ -119,6 +119,7 @@ fieldmappings: ProcessName: event_data.ProcessName Product: event_data.Product Properties: event_data.Properties + ScriptBlockText: winlog.event_data.ScriptBlockText SecurityID: event_data.SecurityID ServiceFileName: event_data.ServiceFileName ServiceName: event_data.ServiceName diff --git a/tools/config/winlogbeat.yml b/tools/config/winlogbeat.yml index 9bb3c5559..1b1f4bdea 100644 
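Review bot: In the winlogbeat-old.yml hunk the added line is `ScriptBlockText: winlog.event_data.ScriptBlockText`, but every neighbouring mapping in that file (`ProcessName: event_data.ProcessName`, `SecurityID: event_data.SecurityID`, …) targets the unprefixed `event_data.*` schema, so the new entry should read `ScriptBlockText: event_data.ScriptBlockText`. The entries added to winlogbeat-modules-enabled.yml and winlogbeat.yml in the same commit use the `winlog.` prefix in line with their neighbours, so only the old-format config is affected.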
--- a/tools/config/winlogbeat.yml +++ b/tools/config/winlogbeat.yml @@ -125,6 +125,7 @@ fieldmappings: Properties: winlog.event_data.Properties RuleName: winlog.event_data.RuleName SAMAccountName: winlog.event_data.SamAccountName + ScriptBlockText: winlog.event_data.ScriptBlockText SecurityID: winlog.event_data.SecurityID ServiceFileName: winlog.event_data.ServiceFileName ServiceName: winlog.event_data.ServiceName From d4bd69dd77bb77a896a9211c8d363928c3e220fd Mon Sep 17 00:00:00 2001 From: Nate Guagenti Date: Tue, 4 May 2021 18:13:08 -0400 Subject: [PATCH 06/44] Suspicious DNS Z Flag Set The DNS Z flag is bit within the DNS protocol header that is, per the IETF design, meant to be used reserved (unused). Although recently it has been used in DNSSec, the value being set to anything other than 0 should be rare. Otherwise if it is set to non 0 and DNSSec is being used, then excluding the legitimate domains is low effort and high reward. references: - 'https://twitter.com/neu5ron/status/1346245602502443009' - 'https://tools.ietf.org/html/rfc2929#section-2.1' - 'https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS' --- .../zeek/zeek_dns_suspicious_zbit_flag.yml | 61 +++++++++++++++++++ 1 file changed, 61 insertions(+) create mode 100644 rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml diff --git a/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml b/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml new file mode 100644 index 000000000..5ea101f56 --- /dev/null +++ b/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml 
@@ -0,0 +1,61 @@ +title: Suspicious DNS Z Flag Bit Set +id: ede05abc-2c9e-4624-9944-9ff17fdc0bf5 +description: 'The DNS Z flag is bit within the DNS protocol header that is, per the IETF design, meant to be used reserved (unused). Although recently it has been used in DNSSec, the value being set to anything other than 0 should be rare. Otherwise if it is set to non 0 and DNSSec is being used, then excluding the legitimate domains is low effort and high reward. Determine if multiple of these files were accessed in a short period of time to further enhance the possibility of seeing if this was a one off or the possibility of larger sensitive file gathering. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs' +references: + - 'https://twitter.com/neu5ron/status/1346245602502443009' + - 'https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma' + - 'https://tools.ietf.org/html/rfc2929#section-2.1' + - 'https://www.netresec.com/?page=Blog&month=2021-01&post=Finding-Targeted-SUNBURST-Victims-with-pDNS' +author: '@neu5ron, SOC Prime Team, Corelight' +tags: + - attack.t1094 + - attack.t1043 + - attack.command_and_control +logsource: + product: zeek + service: dns +detection: + z_flag_unset: + Z: '0' + most_probable_valid_domain: + query|contains: '.' + exclude_tlds: + query|endswith: + - '.arpa' + - '.local' + - '.ultradns.net' + - '.twtrdns.net' + - '.azuredns-prd.info' + - '.azure-dns.com' + - '.azuredns-ff.info' + - '.azuredns-ff.org' + - '.azuregov-dns.org' + exclude_query_types: + qtype_name: + - 'NS' + - 'ns' + exclude_responses: + answers|endswith: '\\x00' + condition: NOT z_flag_unset AND most_probable_valid_domain AND NOT (exclude_tlds OR exclude_tlds OR exclude_query_types OR exclude_responses) +falsepositive: + - 'Internal or legitimate external domains using DNSSec. 
Verify if these are legitimate DNSSec domains and then exclude them.' + - 'If you work in a Public Sector then it may be good to exclude things like endswith ".edu", ".gov" and or ".mil"' +level: medium +fields: +- ts +- id.orig_h +- id.orig_p +- id.resp_h +- id.resp_p +- proto +- qtype_name +- qtype +- query +- answers +- rcode +- rcode_name +- trans_id +- qtype +- ttl +- AA +- uid From 415219907321173dabde42fda6d0b3d7d19fac06 Mon Sep 17 00:00:00 2001 From: Nate Guagenti Date: Tue, 4 May 2021 18:27:05 -0400 Subject: [PATCH 07/44] add netbios port exclusion netbios - every defenders nightmare and reality of FPs --- .../zeek/zeek_dns_suspicious_zbit_flag.yml | 41 +++++++++++-------- 1 file changed, 23 insertions(+), 18 deletions(-) diff --git a/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml b/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml index 5ea101f56..d1bbe0e48 100644 --- a/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml +++ b/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml 
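Review bot: `condition` lists `exclude_tlds` twice (`NOT (exclude_tlds OR exclude_tlds OR exclude_query_types OR exclude_responses)`), which reads like a selection that was renamed or lost; the duplicate should be removed or replaced by the exclusion that was intended, and the same duplicate is carried into the rewritten condition in the next patch. The metadata key is `falsepositive:` whereas every other rule on this page uses `falsepositives:`, so schema-aware tooling will likely ignore the section; `fields` also lists `qtype` twice, and the description contains a sentence about files being accessed in a short period that belongs to a different rule. The `attack.t1094` and `attack.t1043` tags refer to techniques that, as far as I know, were deprecated in later ATT&CK versions, so they should be checked against the current matrix before merge.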
@@ -36,26 +36,31 @@ detection: - 'ns' exclude_responses: answers|endswith: '\\x00' - condition: NOT z_flag_unset AND most_probable_valid_domain AND NOT (exclude_tlds OR exclude_tlds OR exclude_query_types OR exclude_responses) + exclude_netbios: + id.resp_p: + - '137' + - '138' + - '139' + condition: NOT z_flag_unset AND most_probable_valid_domain AND NOT (exclude_tlds OR exclude_tlds OR exclude_query_types OR exclude_responses OR exclude_netbios) falsepositive: - 'Internal or legitimate external domains using DNSSec. Verify if these are legitimate DNSSec domains and then exclude them.' - 'If you work in a Public Sector then it may be good to exclude things like endswith ".edu", ".gov" and or ".mil"' level: medium fields: -- ts -- id.orig_h -- id.orig_p -- id.resp_h -- id.resp_p -- proto -- qtype_name -- qtype -- query -- answers -- rcode -- rcode_name -- trans_id -- qtype -- ttl -- AA -- uid + - ts + - id.orig_h + - id.orig_p + - id.resp_h + - id.resp_p + - proto + - qtype_name + - qtype + - query + - answers + - rcode + - rcode_name + - trans_id + - qtype + - ttl + - AA + - uid From 1352f0b0a6ccb82d8edc389b5aa90b6cd4877bd1 Mon Sep 17 00:00:00 2001 From: Bhabesh Rai Date: Wed, 5 May 2021 12:37:50 +0545 Subject: [PATCH 08/44] Added rule for Pingback backdoor --- .../sysmon/sysmon_pingback_backdoor.yml | 47 +++++++++++++++++++ 1 file changed, 47 insertions(+) create mode 100644 rules/windows/sysmon/sysmon_pingback_backdoor.yml diff --git a/rules/windows/sysmon/sysmon_pingback_backdoor.yml b/rules/windows/sysmon/sysmon_pingback_backdoor.yml new file mode 100644 index 000000000..5aa9dc93e --- /dev/null +++ b/rules/windows/sysmon/sysmon_pingback_backdoor.yml 
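Review bot: The new `exclude_netbios` selection compares `id.resp_p` with quoted strings (`'137'`, `'138'`, `'139'`); Zeek records the port as a number, so depending on the backend the quoted form may be emitted as a string comparison that never matches, and the unquoted `- 137` form is the safer spelling (the same applies to `Z: '0'` above the hunk). The rewritten `condition` still contains `exclude_tlds` twice. A comment on the new block, `# ports 137-139: NetBIOS traffic is a known false-positive source for this flag`, would carry the reason given in the commit message into the rule itself.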
@@ -0,0 +1,47 @@ +action: global +title: Pingback Backdoor +id: 2bd63d53-84d4-4210-80ff-bf0658f1bf78 +status: experimental +description: Detects the use of Pingback backdoor that creates ICMP tunnel for C2 as described in the trustwave report +author: Bhabesh Raj +date: 2021/05/05 +falsepositives: + - Very unlikely +level: high +references: + - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel + - https://app.any.run/tasks/4a54c651-b70b-4b72-84d7-f34d301d6406 +tags: + - attack.persistence + - attack.t1574.001 +--- +logsource: + product: windows + category: file_event +detection: + selection: + Image|endswith: updata.exe + TargetFilename: 'C:\Windows\oci.dll' + condition: selection +--- +logsource: + product: windows + category: image_load +detection: + selection: + Image|endswith: 'msdtc.exe' + ImageLoaded: 'C:\Windows\oci.dll' + condition: selection +--- +logsource: + product: windows + category: process_creation +detection: + selection: + ParentImage|endswith: 'updata.exe' + CommandLine|contains|all: + - 'config' + - 'msdtc' + - 'start' + - 'auto' + condition: selection From 4529fbd1f3ba3d96b14c854113adb6f2d7b55a1d Mon Sep 17 00:00:00 2001 From: Bhabesh Rai Date: Wed, 5 May 2021 12:48:29 +0545 Subject: [PATCH 09/44] Fixed too many spaces after hyphen error --- rules/windows/sysmon/sysmon_pingback_backdoor.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/sysmon/sysmon_pingback_backdoor.yml b/rules/windows/sysmon/sysmon_pingback_backdoor.yml index 5aa9dc93e..085c739e9 100644 --- a/rules/windows/sysmon/sysmon_pingback_backdoor.yml +++ b/rules/windows/sysmon/sysmon_pingback_backdoor.yml @@ -41,7 +41,7 @@ detection: ParentImage|endswith: 'updata.exe' CommandLine|contains|all: - 'config' - - 'msdtc' + - 'msdtc' - 'start' - 'auto' condition: selection From 9e662b91595d6c10d281c5e0d3464c58d442f1e8 Mon Sep 17 00:00:00 2001 
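Review bot: In the file_event document, `Image|endswith: updata.exe` is the only unquoted value in the rule and has no leading path separator, so it also matches any image whose name merely ends in those characters; `Image|endswith: '\updata.exe'` is consistent with the other selections and tighter, and the same goes for `ParentImage|endswith: 'updata.exe'` in the process_creation document. `TargetFilename: 'C:\Windows\oci.dll'` and `ImageLoaded: 'C:\Windows\oci.dll'` hard-code the system drive letter; `TargetFilename|endswith: '\Windows\oci.dll'` keeps the match on hosts installed to another drive. The tag `attack.t1574.001` covers the oci.dll side-load, but nothing tags the ICMP tunnel named in the description; `attack.command_and_control` and `attack.t1095` would document that part.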
From: Florian Roth Date: Wed, 5 May 2021 14:31:01 +0200 Subject: [PATCH 10/44] Update sysmon_vuln_dell_driver_load.yml --- rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml b/rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml index c050853f6..39517aa8b 100644 --- a/rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml +++ b/rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml @@ -1,6 +1,6 @@ title: Vulnerable Dell BIOS Update Driver Load id: 21b23707-60d6-41bb-96e3-0f0481b0fed9 -description: Detects the load of the vulnerable Dell BIOS update driver +description: Detects the load of the vulnerable Dell BIOS update driver as reported in CVE-2021-21551 author: Florian Roth date: 2021/05/05 references: @@ -8,6 +8,8 @@ references: logsource: category: driver_load product: windows +tags: + - cve.2021-21551 detection: selection_image: ImageLoaded|contains: '\DBUtil_2_3.Sys' @@ -19,6 +21,9 @@ detection: - 'ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1' - '10b30bdee43b3a2ec4aa63375577ade650269d25' - 'd2fd132ab7bbc6bbb87a84f026fa0244' + + + condition: selection_image or selection_hash falsepositives: - legitimate BIOS driver updates (should be rare) From 4b520de3734a1bd2eac3684107d538acd52104ad Mon Sep 17 00:00:00 2001 From: phantinuss Date: Wed, 5 May 2021 15:05:06 +0200 Subject: [PATCH 11/44] new rule detecting ld.so preload persistence by keyword --- rules/linux/lnx_ldso_preload_injection.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 rules/linux/lnx_ldso_preload_injection.yml diff --git a/rules/linux/lnx_ldso_preload_injection.yml b/rules/linux/lnx_ldso_preload_injection.yml new file mode 100644 index 000000000..be1b937b7 --- /dev/null +++ b/rules/linux/lnx_ldso_preload_injection.yml 
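Review bot: The third hunk inserts three empty lines (`+`, `+`, `+`) between the last hash and `condition: selection_image or selection_hash`; they carry no meaning and no other rule in this series separates the condition from its selections, so they should be dropped. The `tags` block adds only `cve.2021-21551`; an `attack.privilege_escalation` / `attack.t1068` pair would say what the vulnerable driver load is used for, if that matches the referenced report. The `detection` block begins before the third hunk.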
@@ -0,0 +1,17 @@ +title: Code Injection by ld.so Preload +id: 7e3c4651-c347-40c4-b1d4-d48590fdf684 +status: experimental +description: Detects the ld.so preload persistence file. See `man ld.so` for more information. +author: Christian Burkard +date: 2021/05/05 +references: + - https://man7.org/linux/man-pages/man8/ld.so.8.html +logsource: + product: linux +detection: + keyword: + - '/etc/ld.so.preload' + condition: keyword +falsepositives: + - rare temporary workaround for library misconfiguration +level: high From 254a3bb1226b7fee54b7361124d091d623091497 Mon Sep 17 00:00:00 2001 From: phantinuss Date: Wed, 5 May 2021 15:06:00 +0200 Subject: [PATCH 12/44] new rules detecting the creation of a local hidden user --- .../builtin/win_hidden_user_creation.yml | 25 +++++++++++++++++++ .../sysmon_registry_add_local_hidden_user.yml | 23 +++++++++++++++++ 2 files changed, 48 insertions(+) create mode 100644 rules/windows/builtin/win_hidden_user_creation.yml create mode 100644 rules/windows/registry_event/sysmon_registry_add_local_hidden_user.yml diff --git a/rules/windows/builtin/win_hidden_user_creation.yml b/rules/windows/builtin/win_hidden_user_creation.yml new file mode 100644 index 000000000..8dee8a7c3 --- /dev/null +++ b/rules/windows/builtin/win_hidden_user_creation.yml @@ -0,0 +1,25 @@ +title: Hidden Local User Creation +id: 7b449a5e-1db5-4dd0-a2dc-4e3a67282538 +description: Detects the creation of a local hidden user account which should not happen for event ID 4720. +status: experimental +tags: + - attack.persistence + - attack.t1136.001 +references: + - https://twitter.com/SBousseaden/status/1387743867663958021 +author: Christian Burkard +date: 2021/05/03 +logsource: + product: windows + service: security +detection: + selection: + EventID: 4720 + TargetUserName|endswith: '$' + condition: selection +fields: + - EventCode + - AccountName +falsepositives: + - unkown +level: high 
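Review bot: The rule has no `tags`, so it maps to no technique; `attack.persistence`, `attack.privilege_escalation` and `attack.t1574.006` (Dynamic Linker Hijacking) are the ATT&CK entries for `ld.so.preload` abuse. `logsource` gives only `product: linux` with no `service` or `category`, so the bare keyword `/etc/ld.so.preload` is applied to whatever Linux logs the backend defaults to, and it also fires on lines that merely mention the path (an auditd rule listing, a package inventory); naming the intended source and saying in `description` which events count as a hit (a write or edit of the file rather than a read) would make the rule reproducible.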
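Review bot: `fields` lists `EventCode` and `AccountName`, which are not the names the selection keys on (`EventID`, `TargetUserName`), so those output fields will not resolve through the same mapping; listing `EventID` and `TargetUserName` keeps the two in step. `falsepositives: - unkown` is a typo for `unknown`. `TargetUserName|endswith: '$'` also matches any legitimately created account whose name ends in `$`; a sentence in `description` noting that computer accounts are reported under 4741 rather than 4720, which is why a `$`-suffixed name in 4720 is suspicious, would justify `level: high`.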
diff --git a/rules/windows/registry_event/sysmon_registry_add_local_hidden_user.yml b/rules/windows/registry_event/sysmon_registry_add_local_hidden_user.yml new file mode 100644 index 000000000..3cd86d664 --- /dev/null +++ b/rules/windows/registry_event/sysmon_registry_add_local_hidden_user.yml @@ -0,0 +1,23 @@ +title: Creation of a local hidden user account by Registry +id: 460479f3-80b7-42da-9c43-2cc1d54dbccd +description: Sysmon registry detection of a local hidden user account. +status: experimental +date: 2021/05/03 +author: Christian Burkard +tags: + - attack.persistence + - attack.t1136.001 +references: + - https://twitter.com/SBousseaden/status/1387530414185664538 +logsource: + product: windows + service: registry_event +detection: + selection: + TargetObject|startswith: 'HKLM\SAM\SAM\Domains\Account\Users\Names\' + TargetObject|endswith: '$' + Image|endswith: "lsass.exe" + condition: selection +falsepositives: + - unknown +level: high From da533c74251ae8502654a9ef69b9f65304a97f58 Mon Sep 17 00:00:00 2001 From: phantinuss Date: Wed, 5 May 2021 15:22:09 +0200 Subject: [PATCH 13/44] fixed title capitalization --- .../registry_event/sysmon_registry_add_local_hidden_user.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/registry_event/sysmon_registry_add_local_hidden_user.yml b/rules/windows/registry_event/sysmon_registry_add_local_hidden_user.yml index 3cd86d664..61841f9bc 100644 --- a/rules/windows/registry_event/sysmon_registry_add_local_hidden_user.yml +++ b/rules/windows/registry_event/sysmon_registry_add_local_hidden_user.yml @@ -1,4 +1,4 @@ -title: Creation of a local hidden user account by Registry +title: Creation of a Local Hidden User Account by Registry id: 460479f3-80b7-42da-9c43-2cc1d54dbccd description: Sysmon registry detection of a local hidden user account. status: experimental From 1574d263ccfb4be2b640f78e26532201d8485661 Mon Sep 17 00:00:00 2001 
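Review bot: `logsource` declares `service: registry_event`, but the file lives under rules/windows/registry_event/ and the other rules in this series spell their Sysmon sources as categories (`category: file_event`, `category: process_creation`), so the line should read `category: registry_event`; as a service name it presumably never resolves to the Sysmon registry-event mapping. `Image|endswith: "lsass.exe"` uses double quotes while the neighbouring values use single quotes and lacks a path separator; `Image|endswith: '\lsass.exe'` is both consistent and tighter.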
From: JohnConnorRF Date: Wed, 5 May 2021 10:25:36 -0400 Subject: [PATCH 14/44] Updated Winlogbeat Modules config based on: https://github.com/elastic/beats/blob/048c3cc19bf43c8a6b332afaafdd0a2eb8e5bd49/x-pack/winlogbeat/module/powershell/config/winlogbeat-powershell.js#L171-L178 --- tools/config/winlogbeat-modules-enabled.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml index 2a4bf2621..a3034b7c5 100644 --- a/tools/config/winlogbeat-modules-enabled.yml +++ b/tools/config/winlogbeat-modules-enabled.yml @@ -135,7 +135,7 @@ fieldmappings: Product: winlog.event_data.Product Properties: winlog.event_data.Properties RuleName: winlog.event_data.RuleName - ScriptBlockText: winlog.event_data.ScriptBlockText + ScriptBlockText: powershell.file.script_block_text SecurityID: winlog.event_data.SecurityID ServiceFileName: winlog.event_data.ServiceFileName ServiceName: winlog.event_data.ServiceName From e5f95cac0ceca6bd35393ac36f323ce3a4d32e87 Mon Sep 17 00:00:00 2001 From: Bhabesh Rai Date: Thu, 6 May 2021 17:29:20 +0545 Subject: [PATCH 15/44] Added rule for Moriya rootkit --- rules/windows/builtin/win_moriya_rootkit.yml | 33 ++++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 rules/windows/builtin/win_moriya_rootkit.yml diff --git a/rules/windows/builtin/win_moriya_rootkit.yml b/rules/windows/builtin/win_moriya_rootkit.yml new file mode 100644 index 000000000..d3eb94af6 --- /dev/null +++ b/rules/windows/builtin/win_moriya_rootkit.yml 
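Review bot: Only winlogbeat-modules-enabled.yml is switched to `powershell.file.script_block_text`; the `ScriptBlockText` entries added to winlogbeat.yml and winlogbeat-old.yml in patch 05 still point at `winlog.event_data.ScriptBlockText`, and in winlogbeat-old.yml that value carries a `winlog.` prefix none of its neighbours use. If the module field name only exists when the PowerShell module is enabled, a comment above the mapping, `# field emitted by the winlogbeat powershell module (see linked beats source)`, would explain why the three configs deliberately differ.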
@@ -0,0 +1,33 @@ +action: global +title: Moriya Rootkit +id: 25b9c01c-350d-4b95-bed1-836d04a4f324 +description: Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report +status: experimental +author: Bhabesh Raj +date: 2021/05/06 +level: Critical +falsepositives: + - None +references: + - https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831 +tags: + - attack.persistence + - attack.privilege_escalation + - attack.t1543.003 +--- +logsource: + product: windows + service: system +detection: + selection: + EventID: 7045 + ServiceName: ZzNetSvc + condition: selection +--- +logsource: + product: windows + service: file_event +detection: + selection: + TargetFilename: 'C:\Windows\System32\drivers\MoriyaStreamWatchmen.sys' + condition: selection From 79c11a5cba52e41ffdcf5b392b0839934a08e8a8 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Thu, 6 May 2021 14:59:28 +0200 Subject: [PATCH 16/44] Update win_moriya_rootkit.yml --- rules/windows/builtin/win_moriya_rootkit.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/builtin/win_moriya_rootkit.yml b/rules/windows/builtin/win_moriya_rootkit.yml index d3eb94af6..544f3ae89 100644 --- a/rules/windows/builtin/win_moriya_rootkit.yml +++ b/rules/windows/builtin/win_moriya_rootkit.yml @@ -1,11 +1,11 @@ action: global title: Moriya Rootkit id: 25b9c01c-350d-4b95-bed1-836d04a4f324 -description: Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report +description: 'Detects the use of Moriya rootkit as described in the securelist\'s Operation TunnelSnake report' status: experimental author: Bhabesh Raj date: 2021/05/06 -level: Critical +level: critical falsepositives: - None references: From 453fa0f299333d7ed7746082ac26955411cc094a Mon Sep 17 00:00:00 2001 
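Review bot: The second document's `logsource` uses `service: file_event`; the Pingback rule earlier in this series (patch 08) spells the same source `category: file_event`, which is the form backends map to Sysmon file-create events, so `service:` here presumably leaves the document unmapped, and the follow-up commits (patches 16 and 17) do not touch it. `TargetFilename: 'C:\Windows\System32\drivers\MoriyaStreamWatchmen.sys'` hard-codes the drive letter; `TargetFilename|endswith: '\drivers\MoriyaStreamWatchmen.sys'` survives a non-default system drive. `falsepositives: - None` could use the `Unlikely` / `Very unlikely` wording the neighbouring rules use.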
From: Florian Roth Date: Thu, 6 May 2021 15:24:21 +0200 Subject: [PATCH 17/44] Update win_moriya_rootkit.yml --- rules/windows/builtin/win_moriya_rootkit.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_moriya_rootkit.yml b/rules/windows/builtin/win_moriya_rootkit.yml index 544f3ae89..2458d0c93 100644 --- a/rules/windows/builtin/win_moriya_rootkit.yml +++ b/rules/windows/builtin/win_moriya_rootkit.yml @@ -1,7 +1,7 @@ action: global title: Moriya Rootkit id: 25b9c01c-350d-4b95-bed1-836d04a4f324 -description: 'Detects the use of Moriya rootkit as described in the securelist\'s Operation TunnelSnake report' +description: Detects the use of Moriya rootkit as described in the securelist's Operation TunnelSnake report status: experimental author: Bhabesh Raj date: 2021/05/06 From 39a21a9e891cad524af66a9356d48e702cdb9406 Mon Sep 17 00:00:00 2001 From: Austin Songer Date: Thu, 6 May 2021 14:14:08 -0500 Subject: [PATCH 18/44] Got Rid of References that are no longer valid. --- rules/windows/process_creation/win_susp_certutil_command.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/rules/windows/process_creation/win_susp_certutil_command.yml b/rules/windows/process_creation/win_susp_certutil_command.yml index 26cc7c489..b643eb4fc 100644 --- a/rules/windows/process_creation/win_susp_certutil_command.yml +++ b/rules/windows/process_creation/win_susp_certutil_command.yml @@ -8,8 +8,6 @@ date: 2019/01/16 modified: 2021/04/23 references: - https://twitter.com/JohnLaTwC/status/835149808817991680 - - https://twitter.com/subTee/status/888102593838362624 - - https://twitter.com/subTee/status/888071631528235010 - https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/ - https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/ - https://twitter.com/egre55/status/1087685529016193025 From ad3b829f2d9eb5afa614cc55e01b3ce9ca625618 Mon Sep 17 00:00:00 2001 
From: Arnim Rupp <46819580+2d4d@users.noreply.github.com> Date: Sat, 8 May 2021 08:49:17 +0200 Subject: [PATCH 19/44] Update av_webshell.yml Added new strings and moved some from startwith to contains. --- rules/windows/malware/av_webshell.yml | 47 +++++++++++++++++++++------ 1 file changed, 37 insertions(+), 10 deletions(-) diff --git a/rules/windows/malware/av_webshell.yml b/rules/windows/malware/av_webshell.yml index 3942662be..3d9cc3105 100644 --- a/rules/windows/malware/av_webshell.yml +++ b/rules/windows/malware/av_webshell.yml 
@@ -1,14 +1,19 @@ title: Antivirus Web Shell Detection id: fdf135a2-9241-4f96-a114-bb404948f736 -description: Detects a highly relevant Antivirus alert that reports a web shell +description: Detects a highly relevant Antivirus alert that reports a web shell. It's highly recommended to tune this rule to the specific strings used by your anti virus solution by downloading a big webshell repo from e.g. github and checking the matches. date: 2018/09/09 -modified: 2001/01/07 +modified: 2021/05/08 author: Florian Roth, Arnim Rupp references: - - https://www.nextron-systems.com/2019/10/04/antivirus-event-analysis-cheat-sheet-v1-7-2/ + - https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/ + - https://github.com/tennc/webshell - https://www.virustotal.com/gui/file/bd1d52289203866645e556e2766a21d2275877fbafa056a76fe0cf884b7f8819/detection - https://www.virustotal.com/gui/file/308487ed28a3d9abc1fec7ebc812d4b5c07ab025037535421f64c60d3887a3e8/detection - https://www.virustotal.com/gui/file/7d3cb8a8ff28f82b07f382789247329ad2d7782a72dde9867941f13266310c80/detection + - https://www.virustotal.com/gui/file/e841675a4b82250c75273ebf0861245f80c6a1c3d5803c2d995d9d3b18d5c4b5/detection + - https://www.virustotal.com/gui/file/a80042c61a0372eaa0c2c1e831adf0d13ef09feaf71d1d20b216156269045801/detection + - https://www.virustotal.com/gui/file/b219f7d3c26f8bad7e175934cd5eda4ddb5e3983503e94ff07d39c0666821b7e/detection + - https://www.virustotal.com/gui/file/b8702acf32fd651af9f809ed42d15135f842788cd98d81a8e1b154ee2a2b76a2/detection tags: - attack.persistence - attack.t1100 
@@ -18,26 +23,48 @@ logsource: detection: selection: - Signature|startswith: - - "PHP/Backdoor" - - "JSP/Backdoor" - - "ASP/Backdoor" - - "Backdoor.PHP" - - "Backdoor.JSP" - - "Backdoor.ASP" - - "Backdoor?Java" + - "PHP/" + - "JSP/" + - "ASP/" + - "Perl/" + - "PHP." + - "JSP." + - "ASP." + - "Perl." + - "VBS/Uxor" # looking for "VBS/" would also find downloaders and droppers meant for desktops + - "IIS/BackDoor" + - "JAVA/Backdoor" + - "Troj/ASP" + - "Troj/PHP" + - "Troj/JSP" - Signature|contains: - "Webshell" - "Chopper" + - "SinoChoper" - "ASPXSpy" - "Aspdoor" + - "filebrowser" + - "PHP_" + - "JSP_" + - "ASP_" # looking for "VBS_" would also find downloaders and droppers meant for desktops - "PHP:" + - "JSP:" + - "ASP:" + - "Perl:" - "PHPShell" - "Trojan.PHP" - "Trojan.ASP" - "Trojan.JSP" + - "Trojan.VBS" - "PHP?Agent" - "ASP?Agent" - "JSP?Agent" + - "VBS?Agent" + - "Backdoor?PHP" + - "Backdoor?JSP" + - "Backdoor?ASP" + - "Backdoor?VBS" + - "Backdoor?Java" condition: selection fields: - FileName From b9fc25712470f6c1e3b3b8eb0996ef07bc34bb6a Mon Sep 17 00:00:00 2001 From: Arnim Rupp <46819580+2d4d@users.noreply.github.com> Date: Sun, 9 May 2021 00:03:47 +0200 Subject: [PATCH 20/44] Update av_relevant_files.yml added extensions and paths from cheat sheet 1.8 plus some more (maybe add webserver roots + scripting languages to cheat sheet?) --- rules/windows/malware/av_relevant_files.yml | 34 ++++++++++++++++++--- 1 file changed, 30 insertions(+), 4 deletions(-) diff --git a/rules/windows/malware/av_relevant_files.yml b/rules/windows/malware/av_relevant_files.yml index 4975c1e95..c200959a2 100644 --- a/rules/windows/malware/av_relevant_files.yml +++ b/rules/windows/malware/av_relevant_files.yml 
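Review bot: The new `Signature|contains` entries `Trojan.VBS`, `VBS?Agent` and `Backdoor?VBS` contradict the comment added a few lines earlier, which says matching `VBS/` would also catch desktop downloaders and droppers; either the comment should explain why the `Trojan.` / `?Agent` / `Backdoor?` forms are considered web-shell specific or those three entries should go. Replacing the `startswith` prefixes `PHP/Backdoor`, `JSP/Backdoor`, … with bare `PHP/`, `JSP/`, `ASP/`, `Perl/` (and `PHP.`, `JSP.`, …) turns the rule into "any script-language detection", which the new description's tuning advice acknowledges; the `level` and `falsepositives` sections (outside the hunk) should say the same rather than still presenting the alert as highly relevant on its own.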
@@ -2,27 +2,37 @@ title: Antivirus Relevant File Paths Alerts id: c9a88268-0047-4824-ba6e-4d81ce0b907c description: Detects an Antivirus alert in a highly relevant file path or with a relevant file name date: 2018/09/09 -modified: 2019/10/04 -author: Florian Roth +modified: 2021/05/09 +author: Florian Roth, Arnim Rupp references: - - https://www.nextron-systems.com/2018/09/08/antivirus-event-analysis-cheat-sheet-v1-4/ + - https://www.nextron-systems.com/2021/03/25/antivirus-event-analysis-cheat-sheet-v1-8/ logsource: product: antivirus detection: selection: - FileName|startswith: - - 'C:\Windows\Temp\' + - 'C:\Windows\' - 'C:\Temp\' - 'C:\PerfLogs\' - 'C:\Users\Public\' - 'C:\Users\Default\' - FileName|contains: - '\Client\' + - '\tsclient\' + - '\inetpub\' + - '/www/' + - 'apache' + - 'tomcat' + - 'nginx' + - 'weblogic' selection2: Filename|endswith: - '.ps1' + - '.psm1' - '.vbs' - '.bat' + - '.cmd' + - '.sh' - '.chm' - '.xml' - '.txt' @@ -30,8 +40,18 @@ detection: - '.jspx' - '.asp' - '.aspx' + - '.ashx' + - '.asax' + - '.asmx' - '.php' + - '.cfm' + - '.py' + - '.pyc' + - '.pl' + - '.rb' + - '.cgi' - '.war' + - '.ear' - '.hta' - '.lnk' - '.scf' @@ -39,6 +59,12 @@ detection: - '.vbe' - '.wsf' - '.wsh' + - '.gif' + - '.png' + - '.jpg' + - '.jpeg' + - '.svg' + - '.dat' condition: selection or selection2 fields: - Signature From 0bee1b006f75265df16101360390d41313fe8879 Mon Sep 17 00:00:00 2001 From: Nate Guagenti Date: Sat, 8 May 2021 21:37:25 -0400 Subject: [PATCH 21/44] fix - add date --- rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml b/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml index d1bbe0e48..ec83f8866 100644 --- a/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml +++ b/rules/network/zeek/zeek_dns_suspicious_zbit_flag.yml 
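Review bot: `selection2` keys on `Filename|endswith` while `selection` uses `FileName|startswith`; the "Correct cast-sensitive Key" commits later on this page show field names are matched case-sensitively, so the nineteen extensions this commit appends under `Filename` may be silently unmapped — the key should become `FileName|endswith`. Replacing `'C:\Windows\Temp\'` with `'C:\Windows\'` makes every AV alert anywhere under the Windows directory match, and the new `contains` substrings `apache`, `tomcat`, `nginx`, `weblogic` match any path containing those words, including the vendors' own install paths; if that widening is intended, `level` and `falsepositives` (outside the hunks) should reflect it, and a comment such as `# web-server roots: alerts here are web-shell candidates` would record the rationale from the commit message.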
@@ -1,6 +1,7 @@ title: Suspicious DNS Z Flag Bit Set id: ede05abc-2c9e-4624-9944-9ff17fdc0bf5 description: 'The DNS Z flag is bit within the DNS protocol header that is, per the IETF design, meant to be used reserved (unused). Although recently it has been used in DNSSec, the value being set to anything other than 0 should be rare. Otherwise if it is set to non 0 and DNSSec is being used, then excluding the legitimate domains is low effort and high reward. Determine if multiple of these files were accessed in a short period of time to further enhance the possibility of seeing if this was a one off or the possibility of larger sensitive file gathering. This Sigma query is designed to accompany the Corelight Threat Hunting Guide, which can be found here: https://www3.corelight.com/corelights-introductory-guide-to-threat-hunting-with-zeek-bro-logs' +date: 2021/05/04 references: - 'https://twitter.com/neu5ron/status/1346245602502443009' - 'https://tdm.socprime.com/tdm/info/eLbyj4JjI15v#sigma' From 9c8b9756e5f4b1d97087dffa832124f165452d54 Mon Sep 17 00:00:00 2001 From: Bhabesh Rai Date: Mon, 10 May 2021 14:06:53 +0545 Subject: [PATCH 22/44] Added rule for RClone usage for exfiltration --- .../sysmon_rclone_execution.yml | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 rules/windows/process_creation/sysmon_rclone_execution.yml diff --git a/rules/windows/process_creation/sysmon_rclone_execution.yml b/rules/windows/process_creation/sysmon_rclone_execution.yml new file mode 100644 index 000000000..6cf58dc45 --- /dev/null +++ b/rules/windows/process_creation/sysmon_rclone_execution.yml 
@@ -0,0 +1,32 @@ +title: RClone Execution +id: a0d63692-a531-4912-ad39-4393325b2a9c +status: experimental +description: Detects execution of RClone utility for exfiltration as used by various ransomwares strains like REvil, Conti, FiveHands, etc +tags: + - attack.exfiltration + - attack.t1567.002 +author: Bhabesh Raj +date: 2021/05/10 +references: + - https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware + - https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a + - https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone +fields: + - CommandLine + - ParentCommandLine + - Details +falsepositives: + - Legitimate RClone use +level: high +logsource: + category: process_creation + product: windows +detection: + selection: + Description: 'Rsync for cloud storage' + selection2: + CommandLine|contains|all: + - '--config ' + - '--no-check-certificate ' + - ' copy ' + condition: 1 of them From a1b0dfc0cdc029f30829d3c674ff005e7aa046ef Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 11 May 2021 10:49:10 +0200 Subject: [PATCH 23/44] Correct cast-sensitive Key "DestinationIp" --- .../windows/network_connection/sysmon_rdp_reverse_tunnel.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/network_connection/sysmon_rdp_reverse_tunnel.yml b/rules/windows/network_connection/sysmon_rdp_reverse_tunnel.yml index ad50510af..b42525448 100755 --- a/rules/windows/network_connection/sysmon_rdp_reverse_tunnel.yml +++ b/rules/windows/network_connection/sysmon_rdp_reverse_tunnel.yml @@ -6,7 +6,7 @@ references: - https://twitter.com/SBousseaden/status/1096148422984384514 author: Samir Bousseaden date: 2019/02/16 -modified: 2020/08/24 +modified: 2021/05/11 tags: - attack.command_and_control - attack.t1572 @@ -25,7 +25,7 @@ detection: selection2: - DestinationIp|startswith: - '127.' - - DestinationIP: + - DestinationIp: - '::1' condition: selection and selection2 falsepositives: 
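Review bot: `selection2` only fires when all three of `--config `, `--no-check-certificate ` and ` copy ` are present, so an operator syncing to a provider with a valid certificate (no `--no-check-certificate`) or using `sync`/`move` instead of `copy` is missed, while `selection` relies solely on the PE `Description`, which a repacked or stripped build does not carry. Consider a third selection on the binary identity the same series already uses for other tools, e.g. `selection3:` / `OriginalFileName: 'rclone.exe'`, and split the flag list so `copy`, `sync` and `move` each count. `fields` lists `Details`, which no other process_creation rule in this series references — presumably a leftover from a registry rule; verify it maps for this category or drop it. The `description` should read 'various ransomware strains' rather than 'various ransomwares strains'.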
From 720dd24814d47f97e103a2a0f67c71996e7b0c74 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 11 May 2021 11:13:33 +0200 Subject: [PATCH 24/44] Correct cast-sensitive Key "OriginalFilename" --- rules/windows/process_creation/win_hack_secutyxploded.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_hack_secutyxploded.yml b/rules/windows/process_creation/win_hack_secutyxploded.yml index d36b3844d..d8899df42 100644 --- a/rules/windows/process_creation/win_hack_secutyxploded.yml +++ b/rules/windows/process_creation/win_hack_secutyxploded.yml @@ -6,7 +6,7 @@ references: - https://securityxploded.com/ - https://cyberx-labs.com/blog/gangnam-industrial-style-apt-campaign-targets-korean-industrial-companies/ date: 2018/12/19 -modified: 2020/09/01 +modified: 2021/05/11 tags: - attack.credential_access - attack.t1555 @@ -21,7 +21,7 @@ detection: selection2: Image|endswith: 'PasswordDump.exe' selection3: - OriginalFilename|endswith: 'PasswordDump.exe' + OriginalFileName|endswith: 'PasswordDump.exe' condition: 1 of them falsepositives: - unlikely From c4c720cc304c28febe4e200f53f3c4b51c7b32a2 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 11 May 2021 11:16:12 +0200 Subject: [PATCH 25/44] Correct cast-sensitive Key "OriginalFileName" --- rules/windows/process_creation/win_susp_csi.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_susp_csi.yml b/rules/windows/process_creation/win_susp_csi.yml index 6599c02b5..ee19fca90 100644 --- a/rules/windows/process_creation/win_susp_csi.yml +++ b/rules/windows/process_creation/win_susp_csi.yml 
@@ -4,6 +4,7 @@ description: Csi.exe is a signed binary from Micosoft that comes with Visual Stu status: experimental author: Konstantin Grishchenko, oscd.community date: 2020/10/17 +modified: 2021/05/11 references: - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Csi.yml - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Rcsi.yml @@ -22,8 +23,8 @@ detection: - Image|endswith: '\csi.exe' - Image|endswith: '\rcsi.exe' renamed: - - OriginalFilename: 'csi.exe' - - OriginalFilename: 'rcsi.exe' + - OriginalFileName: 'csi.exe' + - OriginalFileName: 'rcsi.exe' selection: Company: 'Microsoft Corporation' condition: (basic or renamed) and selection From f07c368ae0e841808c139c03aa72767c44718f14 Mon Sep 17 00:00:00 2001 From: frack113 Date: Tue, 11 May 2021 11:18:01 +0200 Subject: [PATCH 26/44] Correct cast-sensitive Key "OriginalFileName" --- rules/windows/process_creation/win_susp_renamed_debugview.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_renamed_debugview.yml b/rules/windows/process_creation/win_susp_renamed_debugview.yml index dcab5bd63..f421c1cd6 100644 --- a/rules/windows/process_creation/win_susp_renamed_debugview.yml +++ b/rules/windows/process_creation/win_susp_renamed_debugview.yml @@ -15,7 +15,7 @@ detection: - 'Sysinternals DebugView' - 'Sysinternals Debugview' filter: - OriginalFilename: 'Dbgview.exe' + OriginalFileName: 'Dbgview.exe' Image|endswith: '\Dbgview.exe' condition: selection and not filter falsepositives: From 026320f613d9d682af21547ca773c26fc1ccfc3e Mon Sep 17 00:00:00 2001 From: frack113 Date: Wed, 12 May 2021 08:36:42 +0200 Subject: [PATCH 27/44] registry_event is a category --- .../sysmon_sysinternals_sdelete_registry_keys.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
diff --git a/rules/windows/registry_event/sysmon_sysinternals_sdelete_registry_keys.yml b/rules/windows/registry_event/sysmon_sysinternals_sdelete_registry_keys.yml index 5a0e5fb05..ea6a92f21 100644 --- a/rules/windows/registry_event/sysmon_sysinternals_sdelete_registry_keys.yml +++ b/rules/windows/registry_event/sysmon_sysinternals_sdelete_registry_keys.yml @@ -3,6 +3,7 @@ id: 9841b233-8df8-4ad7-9133-b0b4402a9014 description: A General detection to trigger for the creation or modification of .*\Software\Sysinternals\SDelete registry keys. Indicators of the use of Sysinternals SDelete tool. status: experimental date: 2020/05/02 +modified: 2021/05/12 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.defense_evasion @@ -12,7 +13,7 @@ references: - https://threathunterplaybook.com/evals/apt29/detections/4.B.2_59A9AC92-124D-4C4B-A6BF-3121C98677C3.html logsource: product: windows - service: registry_event + category: registry_event detection: selection: TargetObject|contains: '\Software\Sysinternals\SDelete' From 70a5c8bb5f7f78be1bd2601dec61202c803c47c4 Mon Sep 17 00:00:00 2001 From: frack113 Date: Wed, 12 May 2021 08:51:38 +0200 Subject: [PATCH 28/44] registry_event is a category --- .../registry_event/sysmon_registry_add_local_hidden_user.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/registry_event/sysmon_registry_add_local_hidden_user.yml b/rules/windows/registry_event/sysmon_registry_add_local_hidden_user.yml index 61841f9bc..0b9558835 100644 --- a/rules/windows/registry_event/sysmon_registry_add_local_hidden_user.yml +++ b/rules/windows/registry_event/sysmon_registry_add_local_hidden_user.yml @@ -3,6 +3,7 @@ id: 460479f3-80b7-42da-9c43-2cc1d54dbccd description: Sysmon registry detection of a local hidden user account. status: experimental date: 2021/05/03 +modified: 2021/05/12 author: Christian Burkard tags: - attack.persistence 
@@ -11,7 +12,7 @@ references: - https://twitter.com/SBousseaden/status/1387530414185664538 logsource: product: windows - service: registry_event + category: registry_event detection: selection: TargetObject|startswith: 'HKLM\SAM\SAM\Domains\Account\Users\Names\' From cf0a710b4d89337612a7a1f3ccbba7d4ccf00916 Mon Sep 17 00:00:00 2001 From: frack113 Date: Wed, 12 May 2021 08:55:35 +0200 Subject: [PATCH 29/44] process_creation is a category --- rules/windows/process_creation/win_susp_wuauclt.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_susp_wuauclt.yml b/rules/windows/process_creation/win_susp_wuauclt.yml index 55659f9a0..9d36bc717 100644 --- a/rules/windows/process_creation/win_susp_wuauclt.yml +++ b/rules/windows/process_creation/win_susp_wuauclt.yml @@ -6,6 +6,7 @@ references: - https://dtm.uk/wuauclt/ author: FPT.EagleEye Team date: 2020/10/17 +modified: 2021/05/12 tags: - attack.command_and_control - attack.execution @@ -13,7 +14,7 @@ tags: - attack.t1218 logsource: product: windows - service: process_creation + category: process_creation detection: selection: ProcessCommandLine|contains|all: From ecc0fcb082ca42491dac0a043a0c010927f1c908 Mon Sep 17 00:00:00 2001 From: frack113 Date: Wed, 12 May 2021 08:57:57 +0200 Subject: [PATCH 30/44] process_creation is a category --- rules/windows/process_creation/win_susp_adfind.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_susp_adfind.yml b/rules/windows/process_creation/win_susp_adfind.yml index eca94458b..831fefe48 100644 --- a/rules/windows/process_creation/win_susp_adfind.yml +++ b/rules/windows/process_creation/win_susp_adfind.yml @@ -8,7 +8,7 @@ references: - https://thedfirreport.com/2020/05/08/adfind-recon/ author: FPT.EagleEye Team, omkar72, oscd.community date: 2020/09/26 -modified: 2020/10/11 +modified: 2021/05/12 tags: - attack.discovery - attack.t1018 
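Review bot: The selection in this hunk matches on `ProcessCommandLine|contains|all:`, but with the logsource now `category: process_creation` the field the backends map for this category is `CommandLine` — the adfind rule converted in the very next patch uses `CommandLine|contains:` — so `ProcessCommandLine` most likely passes through unmapped and the rule never matches on a standard configuration. Change the key to `CommandLine|contains|all:`. The selection's values are outside the hunk, so I cannot check them here.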
@@ -17,7 +17,7 @@ tags: - attack.t1069.002 logsource: product: windows - service: process_creation + category: process_creation detection: selection: CommandLine|contains: From fa72242ff07b7081c98ea1d2b466a4569f6dc650 Mon Sep 17 00:00:00 2001 From: frack113 Date: Wed, 12 May 2021 08:59:51 +0200 Subject: [PATCH 31/44] image_load is a category --- rules/windows/image_load/sysmon_susp_python_image_load.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/image_load/sysmon_susp_python_image_load.yml b/rules/windows/image_load/sysmon_susp_python_image_load.yml index d5fa64cb8..ba7f3d7d4 100644 --- a/rules/windows/image_load/sysmon_susp_python_image_load.yml +++ b/rules/windows/image_load/sysmon_susp_python_image_load.yml @@ -3,6 +3,7 @@ id: cbb56d62-4060-40f7-9466-d8aaf3123f83 description: Detects the image load of Python Core indicative of a Python script bundled with Py2Exe. status: experimental date: 2020/05/03 +modified: 2021/05/12 author: Patrick St. John, OTR (Open Threat Research) tags: - attack.defense_evasion @@ -12,7 +13,7 @@ references: - https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/ logsource: product: windows - service: image_load + category: image_load detection: selection: Description: 'Python Core' From 0fd8606e0083b8fcbb6164b6d97ad7a888b42f6c Mon Sep 17 00:00:00 2001 From: frack113 Date: Wed, 12 May 2021 09:02:04 +0200 Subject: [PATCH 32/44] image_load is a category --- .../sysmon_alternate_powershell_hosts_moduleload.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/image_load/sysmon_alternate_powershell_hosts_moduleload.yml b/rules/windows/image_load/sysmon_alternate_powershell_hosts_moduleload.yml index 63f5efe97..a3dc360ed 100644 --- a/rules/windows/image_load/sysmon_alternate_powershell_hosts_moduleload.yml +++ b/rules/windows/image_load/sysmon_alternate_powershell_hosts_moduleload.yml 
@@ -3,6 +3,7 @@ id: fe6e002f-f244-4278-9263-20e4b593827f description: Detects alternate PowerShell hosts potentially bypassing detections looking for powershell.exe status: experimental date: 2019/09/12 +modified: 2021/05/12 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) tags: - attack.execution @@ -11,7 +12,7 @@ references: - https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190815181010.html logsource: product: windows - service: image_load + category: image_load detection: selection: Description: 'system.management.automation' From cccfb3e59e6ef9201a139375cda1a9295a6fd1a6 Mon Sep 17 00:00:00 2001 From: frack113 Date: Wed, 12 May 2021 09:05:52 +0200 Subject: [PATCH 33/44] file_event is a category --- rules/windows/builtin/win_moriya_rootkit.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/rules/windows/builtin/win_moriya_rootkit.yml b/rules/windows/builtin/win_moriya_rootkit.yml index 2458d0c93..70636d9fa 100644 --- a/rules/windows/builtin/win_moriya_rootkit.yml +++ b/rules/windows/builtin/win_moriya_rootkit.yml @@ -5,6 +5,7 @@ description: Detects the use of Moriya rootkit as described in the securelist's status: experimental author: Bhabesh Raj date: 2021/05/06 +modified: 2021/05/12 level: critical falsepositives: - None @@ -26,7 +27,7 @@ detection: --- logsource: product: windows - service: file_event + category: file_event detection: selection: TargetFilename: 'C:\Windows\System32\drivers\MoriyaStreamWatchmen.sys' From 8944ccea04c6548541cef62b84b5d1728d3f2c7e Mon Sep 17 00:00:00 2001 From: wagga40 <6437862+wagga40@users.noreply.github.com> Date: Thu, 13 May 2021 06:19:04 +0200 Subject: [PATCH 34/44] Modified some field values for case sensitive backends (SQL) --- .../sysmon_alternate_powershell_hosts_moduleload.yml | 4 ++-- .../image_load/sysmon_powershell_execution_moduleload.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/rules/windows/image_load/sysmon_alternate_powershell_hosts_moduleload.yml b/rules/windows/image_load/sysmon_alternate_powershell_hosts_moduleload.yml index 63f5efe97..da11d28d9 100644 --- a/rules/windows/image_load/sysmon_alternate_powershell_hosts_moduleload.yml +++ b/rules/windows/image_load/sysmon_alternate_powershell_hosts_moduleload.yml @@ -14,8 +14,8 @@ logsource: service: image_load detection: selection: - Description: 'system.management.automation' - ImageLoaded|contains: 'system.management.automation' + Description: 'System.Management.Automation' + ImageLoaded|contains: 'System.Management.Automation' filter: Image|endswith: '\powershell.exe' condition: selection and not filter diff --git a/rules/windows/image_load/sysmon_powershell_execution_moduleload.yml b/rules/windows/image_load/sysmon_powershell_execution_moduleload.yml index b0d0303f9..bb3cbec63 100755 --- a/rules/windows/image_load/sysmon_powershell_execution_moduleload.yml +++ b/rules/windows/image_load/sysmon_powershell_execution_moduleload.yml @@ -16,8 +16,8 @@ logsource: product: windows detection: selection: - Description: 'system.management.automation' - ImageLoaded|contains: 'system.management.automation' + Description: 'System.Management.Automation' + ImageLoaded|contains: 'System.Management.Automation' condition: selection fields: - ComputerName From 5e99379803821d3088b3a4eb227c54a1111d368f Mon Sep 17 00:00:00 2001 From: wagga40 <6437862+wagga40@users.noreply.github.com> Date: Thu, 13 May 2021 15:01:52 +0200 Subject: [PATCH 35/44] Change to have raw log in rule results with SQL/SQlite Backends --- tools/sigma/backends/sql.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/tools/sigma/backends/sql.py b/tools/sigma/backends/sql.py index 077de1bbc..bc55a1ba1 100644 --- a/tools/sigma/backends/sql.py +++ b/tools/sigma/backends/sql.py 
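Review bot: This diff for `sysmon_alternate_powershell_hosts_moduleload.yml` is taken against blob `63f5efe97`, the same pre-image that patch 32 of this series already rewrote (`63f5efe97..a3dc360ed`), and its context still shows `service: image_load` where patch 32 changed it to `category: image_load`, so applying the series in order will either conflict or silently reintroduce `service:`. Rebase it onto `a3dc360ed` so the context reads `category: image_load`. Neither file gets a `modified:` bump although the match values changed, and because the commit message says the mixed case exists for case-sensitive backends, a note such as `# mixed case on purpose: matches the on-disk assembly name for case-sensitive backends` above `Description:` would stop the next contributor from lower-casing it again.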
@@ -1,6 +1,7 @@ # Output backends for sigmac # Copyright 2019 Jayden Zheng # Copyright 2020 Jonas Hagg +# Copyright 2021 wagga (https://github.com/wagga40/) # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU Lesser General Public License as published by @@ -169,10 +170,10 @@ class SQLBackend(SingleTextQueryBackend): group_by = "" if agg.aggfield: - select = "{}({}) AS agg".format(agg.aggfunc_notrans, self.fieldNameMapping(agg.aggfield, None)) + select = "*,{}({}) AS agg".format(agg.aggfunc_notrans, self.fieldNameMapping(agg.aggfield, None)) else: if agg.aggfunc == SigmaAggregationParser.AGGFUNC_COUNT: - select = "{}(*) AS agg".format(agg.aggfunc_notrans) + select = "*,{}(*) AS agg".format(agg.aggfunc_notrans) else: raise SigmaParseError("For {} aggregation a fieldname needs to be specified".format(agg.aggfunc_notrans)) From 972f7a562b7fea4a9649f1b0189a0c427cc3f989 Mon Sep 17 00:00:00 2001 From: wagga40 <6437862+wagga40@users.noreply.github.com> Date: Thu, 13 May 2021 17:51:54 +0200 Subject: [PATCH 36/44] Updated SQL/SQLite backend tests --- tools/tests/test_backend_sql.py | 18 +++++++++--------- tools/tests/test_backend_sqlite.py | 6 +++--- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/tools/tests/test_backend_sql.py b/tools/tests/test_backend_sql.py index b4bd82026..b30da675d 100644 --- a/tools/tests/test_backend_sql.py +++ b/tools/tests/test_backend_sql.py @@ -125,7 +125,7 @@ class TestGenerateQuery(unittest.TestCase): # count detection = {"selection": {"fieldname": "test"}, "condition": "selection | count() > 5"} - inner_query = 'SELECT count(*) AS agg FROM {} WHERE fieldname = "test"'.format( + inner_query = 'SELECT *,count(*) AS agg FROM {} WHERE fieldname = "test"'.format( self.table) expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query) self.validate(detection, expected_result) 
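Review bot: Prepending `*,` to the aggregate select in both branches yields `SELECT *,count(*) AS agg FROM … GROUP BY x` (see the group-by test updated in the next patch), which SQLite accepts and MySQL tolerates only without ONLY_FULL_GROUP_BY, but PostgreSQL and SQL Server reject because non-aggregated columns must appear in the GROUP BY; without a `GROUP BY` the projection is non-standard as well. Since this is the generic `SQLBackend`, make the raw-row projection opt-in via a backend option that defaults to the previous `"{}({}) AS agg"` form, or move the `*,` into the SQLite subclass where it is known to work. The enclosing method begins above this hunk, so I cannot see how `select` is combined with `group_by` afterwards.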
@@ -133,7 +133,7 @@ class TestGenerateQuery(unittest.TestCase): # min detection = {"selection": {"fieldname1": "test"}, "condition": "selection | min(fieldname2) > 5"} - inner_query = 'SELECT min(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format( + inner_query = 'SELECT *,min(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format( self.table) expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query) self.validate(detection, expected_result) @@ -141,7 +141,7 @@ class TestGenerateQuery(unittest.TestCase): # max detection = {"selection": {"fieldname1": "test"}, "condition": "selection | max(fieldname2) > 5"} - inner_query = 'SELECT max(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format( + inner_query = 'SELECT *,max(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format( self.table) expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query) self.validate(detection, expected_result) @@ -149,7 +149,7 @@ class TestGenerateQuery(unittest.TestCase): # avg detection = {"selection": {"fieldname1": "test"}, "condition": "selection | avg(fieldname2) > 5"} - inner_query = 'SELECT avg(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format( + inner_query = 'SELECT *,avg(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format( self.table) expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query) self.validate(detection, expected_result) @@ -157,7 +157,7 @@ class TestGenerateQuery(unittest.TestCase): # sum detection = {"selection": {"fieldname1": "test"}, "condition": "selection | sum(fieldname2) > 5"} - inner_query = 'SELECT sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format( + inner_query = 'SELECT *,sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format( self.table) expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query) self.validate(detection, expected_result) 
@@ -165,7 +165,7 @@ class TestGenerateQuery(unittest.TestCase): # < detection = {"selection": {"fieldname1": "test"}, "condition": "selection | sum(fieldname2) < 5"} - inner_query = 'SELECT sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format( + inner_query = 'SELECT *,sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format( self.table) expected_result = 'SELECT * FROM ({}) WHERE agg < 5'.format(inner_query) self.validate(detection, expected_result) @@ -173,7 +173,7 @@ class TestGenerateQuery(unittest.TestCase): # == detection = {"selection": {"fieldname1": "test"}, "condition": "selection | sum(fieldname2) == 5"} - inner_query = 'SELECT sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format( + inner_query = 'SELECT *,sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test"'.format( self.table) expected_result = 'SELECT * FROM ({}) WHERE agg == 5'.format(inner_query) self.validate(detection, expected_result) @@ -181,7 +181,7 @@ class TestGenerateQuery(unittest.TestCase): # group by detection = {"selection": {"fieldname1": "test"}, "condition": "selection | sum(fieldname2) by fieldname3 == 5"} - inner_query = 'SELECT sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test" GROUP BY fieldname3'.format( + inner_query = 'SELECT *,sum(fieldname2) AS agg FROM {} WHERE fieldname1 = "test" GROUP BY fieldname3'.format( self.table) expected_result = 'SELECT * FROM ({}) WHERE agg == 5'.format(inner_query) self.validate(detection, expected_result) 
@@ -189,7 +189,7 @@ class TestGenerateQuery(unittest.TestCase): # multiple conditions detection = {"selection": {"fieldname1": "test"}, "filter": { "fieldname2": "tessst"}, "condition": "selection OR filter | sum(fieldname2) == 5"} - inner_query = 'SELECT sum(fieldname2) AS agg FROM {} WHERE (fieldname1 = "test" OR fieldname2 = "tessst")'.format( + inner_query = 'SELECT *,sum(fieldname2) AS agg FROM {} WHERE (fieldname1 = "test" OR fieldname2 = "tessst")'.format( self.table) expected_result = 'SELECT * FROM ({}) WHERE agg == 5'.format(inner_query) self.validate(detection, expected_result) diff --git a/tools/tests/test_backend_sqlite.py b/tools/tests/test_backend_sqlite.py index ac7647739..294a59de2 100644 --- a/tools/tests/test_backend_sqlite.py +++ b/tools/tests/test_backend_sqlite.py @@ -71,14 +71,14 @@ class TestFullTextSearch(unittest.TestCase): # aggregation with fts detection = {"selection": ["test"], "condition": "selection | count() > 5"} - inner_query = 'SELECT count(*) AS agg FROM {0} WHERE {0} MATCH (\'"test"\')'.format( + inner_query = 'SELECT *,count(*) AS agg FROM {0} WHERE {0} MATCH (\'"test"\')'.format( self.table) expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query) self.validate(detection, expected_result) detection = {"selection": ["test1", "test2"], "condition": "selection | count() > 5"} - inner_query = 'SELECT count(*) AS agg FROM {0} WHERE ({0} MATCH (\'"test1" OR "test2"\'))'.format( + inner_query = 'SELECT *,count(*) AS agg FROM {0} WHERE ({0} MATCH (\'"test1" OR "test2"\'))'.format( self.table) expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query) self.validate(detection, expected_result) 
@@ -86,7 +86,7 @@ class TestFullTextSearch(unittest.TestCase): # aggregation + group by + fts detection = {"selection": ["test1", "test2"], "condition": "selection | count() by fieldname > 5"} - inner_query = 'SELECT count(*) AS agg FROM {0} WHERE ({0} MATCH (\'"test1" OR "test2"\')) GROUP BY fieldname'.format( + inner_query = 'SELECT *,count(*) AS agg FROM {0} WHERE ({0} MATCH (\'"test1" OR "test2"\')) GROUP BY fieldname'.format( self.table) expected_result = 'SELECT * FROM ({}) WHERE agg > 5'.format(inner_query) self.validate(detection, expected_result) From 534898a3ce785898da8675fc2de2b5ef61490062 Mon Sep 17 00:00:00 2001 From: wagga40 <6437862+wagga40@users.noreply.github.com> Date: Thu, 13 May 2021 21:47:22 +0200 Subject: [PATCH 37/44] Resolves #1450 - Bug in es-rule backend when using "-r" argument --- tools/sigma/backends/elasticsearch.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py index a60c8cc3a..1c1d5e91c 100644 --- a/tools/sigma/backends/elasticsearch.py +++ b/tools/sigma/backends/elasticsearch.py @@ -1381,6 +1381,8 @@ class ElasticSearchRuleBackend(ElasticsearchQuerystringBackend): rule.update({"threshold": self.rule_threshold}) if references: rule.update({"references": references}) + self.rule_type = "query" + self.rule_threshold = {} return json.dumps(rule) class KibanaNdjsonBackend(ElasticsearchQuerystringBackend, MultiRuleOutputMixin): From 3b23c18f70d5d30d3ea2b338f175b8eb22626e63 Mon Sep 17 00:00:00 2001 From: frack113 Date: Mon, 17 May 2021 22:12:17 +0200 Subject: [PATCH 38/44] If not null use uuid instead of title for the rule id --- tools/sigma/backends/elasticsearch.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/tools/sigma/backends/elasticsearch.py b/tools/sigma/backends/elasticsearch.py index 1c1d5e91c..248640066 100644 --- a/tools/sigma/backends/elasticsearch.py +++ b/tools/sigma/backends/elasticsearch.py 
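Review bot: Every assertion in this file, including the three updated here, compares the generated string only, so nothing in the suite would have caught that `SELECT *,count(*) AS agg … GROUP BY fieldname` is dialect-dependent. For the SQLite backend the engine ships with Python, so add one test that creates an in-memory table with `sqlite3.connect(":memory:")`, executes the generated `expected_result`, and asserts it runs; that pins the behaviour the series is actually after (raw rows alongside `agg`). The test method starts outside this hunk.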
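Review bot: The reset of `self.rule_type` and `self.rule_threshold` sits at the very end of the rule builder, after the dict is assembled, so if any earlier statement raises for one rule the stale threshold from the previous rule survives into the next one under `-r` — the very leak this commit fixes. Reset them at the start of the per-rule entry point (or in a `finally:` around the build) instead, and reset to the constructor defaults rather than the literal `"query"` so the two cannot drift apart. The enclosing method begins outside this hunk, so I cannot see where `rule_threshold` is populated.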
@@ -1346,7 +1346,11 @@ class ElasticSearchRuleBackend(ElasticsearchQuerystringBackend): tactics_list.append(tact) threat = self.create_threat_description(tactics_list=tactics_list, techniques_list=technics_list) rule_name = configs.get("title", "").lower() - rule_id = re.sub(re.compile('[()*+!,\[\].\s"]'), "_", rule_name) + rule_uuid = configs.get("id", "").lower() + if rule_uuid == "": + rule_id = re.sub(re.compile('[()*+!,\[\].\s"]'), "_", rule_name) + else: + rule_id = re.sub(re.compile('[()*+!,\[\].\s"]'), "_", rule_uuid) risk_score = self.map_risk_score(configs.get("level", "medium")) references = configs.get("reference") if references is None: From 226a666827fec3cbddbe8682859c4dc680426f38 Mon Sep 17 00:00:00 2001 From: Andreas Hunkeler Date: Thu, 20 May 2021 16:05:13 +0200 Subject: [PATCH 39/44] rule: add rule to detect shell spawn from WinRM host process --- .../win_susp_shell_spawn_from_winrm.yml | 29 +++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 rules/windows/process_access/win_susp_shell_spawn_from_winrm.yml diff --git a/rules/windows/process_access/win_susp_shell_spawn_from_winrm.yml b/rules/windows/process_access/win_susp_shell_spawn_from_winrm.yml new file mode 100644 index 000000000..57c00dc75 --- /dev/null +++ b/rules/windows/process_access/win_susp_shell_spawn_from_winrm.yml 
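Review bot: `configs.get("id", "").lower()` raises `AttributeError` when a rule carries an `id:` key with an empty/null value, because `dict.get` returns `None` for a present key and never falls back to the default; the same pattern is also compiled twice and, for a real UUID, substitutes nothing. Collapse the branch into `rule_uuid = str(configs.get("id") or "").lower()` and `rule_id = re.sub(r'[()*+!,\[\].\s"]', "_", rule_uuid or rule_name)`, which keeps the title fallback and handles the null case. Note that this changes the Kibana rule id of every existing rule that has an `id` (from a slugged title to the UUID); that is desirable for stability but worth stating in the commit message. The enclosing method starts outside the hunk.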
@@ -0,0 +1,29 @@ +title: Suspicious Shells Spawn by WinRM +id: 5cc2cda8-f261-4d88-a2de-e9e193c86716 +description: Detects suspicious shell spawn from WinRM host process +status: experimental +author: Andreas Hunkeler (@Karneades), Markus Neis +date: 2021/05/20 +tags: + - attack.t1190 + - attack.initial_access + - attack.persistence + - attack.privilege_escalation +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage: '*\wsmprovhost.exe' + Image: + - '*\cmd.exe' + - '*\sh.exe' + - '*\bash.exe' + - '*\powershell.exe' + - '*\schtasks.exe' + - '*\certutil.exe' + - '*\whoami.exe' + - '*\bitsadmin.exe' + condition: selection + +level: critical From 3763e54b99b05f23ed288c6fbd14f8405a7762e8 Mon Sep 17 00:00:00 2001 From: Andreas Hunkeler Date: Thu, 20 May 2021 17:00:25 +0200 Subject: [PATCH 40/44] Add keyword WinRM to remote powershell process rule --- .../win_remote_powershell_session_process.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/process_creation/win_remote_powershell_session_process.yml b/rules/windows/process_creation/win_remote_powershell_session_process.yml index 7490d9b6d..a570bfdd6 100644 --- a/rules/windows/process_creation/win_remote_powershell_session_process.yml +++ b/rules/windows/process_creation/win_remote_powershell_session_process.yml @@ -1,6 +1,6 @@ -title: Remote PowerShell Session +title: Remote PowerShell Session (WinRM) id: 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8 -description: Detects remote PowerShell sections by monitoring for wsmprovhost as a parent or child process (sign of an active ps remote session) +description: Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active ps remote session) status: experimental date: 2019/09/12 modified: 2019/11/10 From b46f65965dacdb624241aa78e8d1698966e200d6 Mon Sep 17 00:00:00 2001 
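Review bot: The rule is placed under `rules/windows/process_access/` while its logsource is `category: process_creation`, so the directory and the log source disagree; move it to `rules/windows/process_creation/` next to `win_remote_powershell_session_process.yml`, which already watches `wsmprovhost.exe` as a parent and overlaps heavily with this one. `level: critical` with no `falsepositives:` or `references:` (the RClone rule added earlier in this series has both) is hard to justify, because any PowerShell Remoting session running `Invoke-Command` ends with `wsmprovhost.exe` spawning `cmd.exe`, `whoami.exe` or `powershell.exe` — routine for administrators. The tags `attack.t1190`/`initial_access`/`persistence`/`privilege_escalation` do not describe a child of the WinRM host either; the sibling rule's tags are outside this hunk, but I would align with the remote-services/execution techniques it uses. Also prefer `ParentImage|endswith: '\wsmprovhost.exe'` and `Image|endswith:` over the `'*\…'` wildcards, matching the modifier style of the other rules in this series.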
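Review bot: The rewritten `description:` line still says 'Detects remote PowerShell sections' where 'sessions' is meant; since the line is being edited anyway, fix it: `description: Detects remote PowerShell sessions by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active PS remoting session)`. `modified:` is left at 2019/11/10 in this hunk and only bumped in a later patch of the series; squashing the two would keep the history clean.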
From: Andreas Hunkeler Date: Thu, 20 May 2021 17:02:17 +0200 Subject: [PATCH 41/44] Add keyword WinRM to remote powershell network rule --- rules/windows/builtin/win_remote_powershell_session.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/builtin/win_remote_powershell_session.yml b/rules/windows/builtin/win_remote_powershell_session.yml index 9723914b0..22ee80787 100644 --- a/rules/windows/builtin/win_remote_powershell_session.yml +++ b/rules/windows/builtin/win_remote_powershell_session.yml @@ -1,6 +1,6 @@ -title: Remote PowerShell Sessions +title: Remote PowerShell Sessions Network Connections (WinRM) id: 13acf386-b8c6-4fe0-9a6e-c4756b974698 -description: Detects basic PowerShell Remoting by monitoring for network inbound connections to ports 5985 OR 5986 +description: Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986 status: experimental date: 2019/09/12 author: Roberto Rodriguez @Cyb3rWard0g From 93241e7fc6a1b86d40404d316a2bf517b6846711 Mon Sep 17 00:00:00 2001 From: Andreas Hunkeler Date: Thu, 20 May 2021 17:03:32 +0200 Subject: [PATCH 42/44] Add keyword WinRM to remote powershell process rule --- .../process_creation/win_remote_powershell_session_process.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_remote_powershell_session_process.yml b/rules/windows/process_creation/win_remote_powershell_session_process.yml index a570bfdd6..f90566045 100644 --- a/rules/windows/process_creation/win_remote_powershell_session_process.yml +++ b/rules/windows/process_creation/win_remote_powershell_session_process.yml 
@@ -1,4 +1,4 @@ -title: Remote PowerShell Session (WinRM) +title: Remote PowerShell Session Host Process (WinRM) id: 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8 description: Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active ps remote session) status: experimental From d8ec5fa6afd9b04ec0a9d6db5bec6fd0f796f5c6 Mon Sep 17 00:00:00 2001 From: Andreas Hunkeler Date: Fri, 21 May 2021 09:28:45 +0200 Subject: [PATCH 43/44] Add modified field in WinRM rule --- rules/windows/builtin/win_remote_powershell_session.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/builtin/win_remote_powershell_session.yml b/rules/windows/builtin/win_remote_powershell_session.yml index 22ee80787..a8388f876 100644 --- a/rules/windows/builtin/win_remote_powershell_session.yml +++ b/rules/windows/builtin/win_remote_powershell_session.yml @@ -3,6 +3,7 @@ id: 13acf386-b8c6-4fe0-9a6e-c4756b974698 description: Detects basic PowerShell Remoting (WinRM) by monitoring for network inbound connections to ports 5985 OR 5986 status: experimental date: 2019/09/12 +modified: 2021/05/21 author: Roberto Rodriguez @Cyb3rWard0g references: - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md From e58c59dcfdd4e0fd5224c0be1fe90bf7fc643981 Mon Sep 17 00:00:00 2001 From: Andreas Hunkeler Date: Fri, 21 May 2021 09:29:11 +0200 Subject: [PATCH 44/44] Update modified field in WinRM rule --- .../process_creation/win_remote_powershell_session_process.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_remote_powershell_session_process.yml b/rules/windows/process_creation/win_remote_powershell_session_process.yml index f90566045..f5bb57daa 100644 --- a/rules/windows/process_creation/win_remote_powershell_session_process.yml 
+++ b/rules/windows/process_creation/win_remote_powershell_session_process.yml @@ -3,7 +3,7 @@ id: 734f8d9b-42b8-41b2-bcf5-abaf49d5a3c8 description: Detects remote PowerShell sections by monitoring for wsmprovhost (WinRM host process) as a parent or child process (sign of an active ps remote session) status: experimental date: 2019/09/12 -modified: 2019/11/10 +modified: 2021/05/21 author: Roberto Rodriguez @Cyb3rWard0g references: - https://github.com/Cyb3rWard0g/ThreatHunter-Playbook/tree/master/playbooks/windows/02_execution/T1086_powershell/powershell_remote_session.md