Merge branch 'master' into wmic-rules-updates

2023-02-15 19:58:11 +01:00
parent 5aeedfa813 e52edb69c4
commit 7ec76db26c
13 changed files with 266 additions and 6 deletions
@@ -0,0 +1,24 @@
+title: Potential JNDI Injection Exploitation In JVM Based Application
+id: bb0e9cec-d4da-46f5-997f-22efc59f3dca
+status: experimental
+description: Detects potential JNDI Injection exploitation. Often coupled with Log4Shell exploitation.
+references:
+    - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
+    - https://secariolabs.com/research/analysing-and-reproducing-poc-for-log4j-2-15-0
+author: Moti Harmats
+date: 2023/02/11
+tags:
+    - attack.initial_access
+    - attack.t1190
+logsource:
+    category: application
+    product: jvm
+    definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
+detection:
+    keywords:
+        - 'com.sun.jndi.ldap.'
+        - 'org.apache.logging.log4j.core.net.JndiManager'
+    condition: keywords
+falsepositives:
+    - Application bugs
+level: high
@@ -0,0 +1,26 @@
+title: Potential Local File Read Vulnerability In JVM Based Application
+id: e032f5bc-4563-4096-ae3b-064bab588685
+status: experimental
+description: |
+    Detects potential local file read vulnerability in JVM based apps.
+    If the exceptions are caused due to user input and contain path traversal payloads then it's a red flag.
+references:
+    - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
+author: Moti Harmats
+date: 2023/02/11
+tags:
+    - attack.initial_access
+    - attack.t1190
+logsource:
+    category: application
+    product: jvm
+    definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
+detection:
+    keywords_local_file_read:
+        '|all':
+            - 'FileNotFoundException'
+            - '/../../..'
+    condition: keywords_local_file_read
+falsepositives:
+    - Application bugs
+level: high
@@ -0,0 +1,28 @@
+title: Potential OGNL Injection Exploitation In JVM Based Application
+id: 4d0af518-828e-4a04-a751-a7d03f3046ad
+status: experimental
+description: |
+    Detects potential OGNL Injection exploitation, which may lead to RCE.
+    OGNL is an expression language that is supported in many JVM based systems.
+    OGNL Injection is the reason for some high profile RCE's such as Apache Struts (CVE-2017-5638) and Confluence (CVE-2022-26134)
+references:
+    - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
+author: Moti Harmats
+date: 2023/02/11
+tags:
+    - attack.initial_access
+    - attack.t1190
+    - cve.2017.5638
+    - cve.2022.26134
+logsource:
+    category: application
+    product: jvm
+    definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
+detection:
+    keywords:
+        - 'org.apache.commons.ognl.OgnlException'
+        - 'ExpressionSyntaxException'
+    condition: keywords
+falsepositives:
+    - Application bugs
+level: high
@@ -0,0 +1,24 @@
+title: Process Execution Error In JVM Based Application
+id: d65f37da-a26a-48f8-8159-3dde96680ad2
+status: experimental
+description: Detects process execution related exceptions in JVM based apps, often relates to RCE
+references:
+    - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
+author: Moti Harmats
+date: 2023/02/11
+tags:
+    - attack.initial_access
+    - attack.t1190
+logsource:
+    category: application
+    product: jvm
+    definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
+detection:
+    keywords:
+        - 'Cannot run program'
+        - 'java.lang.ProcessImpl'
+        - 'java.lang.ProcessBuilder'
+    condition: keywords
+falsepositives:
+    - Application bugs
+level: high
@@ -0,0 +1,25 @@
+title: Potential XXE Exploitation Attempt In JVM Based Application
+id: c4e06896-e27c-4583-95ac-91ce2279345d
+status: experimental
+description: Detects XML parsing issues, if the application expects to work with XML make sure that the parser is initialized safely.
+references:
+    - https://rules.sonarsource.com/java/RSPEC-2755
+    - https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
+    - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
+author: Moti Harmats
+date: 2023/02/11
+tags:
+    - attack.initial_access
+    - attack.t1190
+logsource:
+    category: application
+    product: jvm
+    definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
+detection:
+    keywords:
+        - 'SAXParseException'
+        - 'DOMException'
+    condition: keywords
+falsepositives:
+    - If the application expects to work with XML there may be parsing issues that don't neccecarily mean XXE.
+level: high
@@ -0,0 +1,22 @@
+title: Potential RCE Exploitation Attempt In NodeJS
+id: 97661d9d-2beb-4630-b423-68985291a8af
+status: experimental
+description: Detects process execution related errors in NodeJS. If the exceptions are caused due to user input then they may suggest an RCE vulnerability.
+references:
+    - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
+author: Moti Harmats
+date: 2023/02/11
+tags:
+    - attack.initial_access
+    - attack.t1190
+logsource:
+    category: application
+    product: nodejs
+    definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
+detection:
+    keywords:
+        - 'node:child_process'
+    condition: keywords
+falsepositives:
+    - Puppeteer invocation exceptions often contain child_process related errors, that doesn't necessarily mean that the app is vulnerable.
+level: high
@@ -0,0 +1,23 @@
+title: Potential SpEL Injection In Spring Framework
+id: e9edd087-89d8-48c9-b0b4-5b9bb10896b8
+status: experimental
+description: Detects potential SpEL Injection exploitation, which may lead to RCE.
+references:
+    - https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection
+    - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
+author: Moti Harmats
+date: 2023/02/11
+tags:
+    - attack.initial_access
+    - attack.t1190
+logsource:
+    category: application
+    product: spring
+    definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
+detection:
+    keywords:
+        - 'org.springframework.expression.ExpressionException'
+    condition: keywords
+falsepositives:
+    - Application bugs
+level: high
@@ -6,13 +6,14 @@ references:
    - http://www.sqlinjection.net/errors
 author: Bjoern Kimminich
 date: 2017/11/27
-modified: 2021/11/27
+modified: 2023/02/12
 tags:
    - attack.initial_access
    - attack.t1190
 logsource:
    category: application
    product: sql
+    definition: 'Requirements: application error logs must be collected (with LOG_LEVEL ERROR and above)'
 detection:
    keywords:
        # Oracle
@@ -26,5 +27,5 @@ detection:
        - SELECTs to the left and right of UNION do not have the same number of result columns
    condition: keywords
 falsepositives:
-    - Application bugs
+    - A syntax error in MySQL also occurs in non-dynamic (safe) queries if there is an empty in() clause, that may often be the case.
 level: high
@@ -0,0 +1,26 @@
+title: Potential Server Side Template Injection In Velocity
+id: 16c86189-b556-4ee8-b4c7-7e350a195a4f
+status: experimental
+description: Detects exceptions in velocity template renderer, this most likely happens due to dynamic rendering of user input and may lead to RCE.
+references:
+    - https://antgarsil.github.io/posts/velocity/
+    - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
+author: Moti Harmats
+date: 2023/02/11
+tags:
+    - attack.initial_access
+    - attack.t1190
+logsource:
+    category: application
+    product: velocity
+    definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
+detection:
+    keywords:
+        - 'ParseErrorException'
+        - 'VelocityException'
+        - 'TemplateInitException'
+    condition: keywords
+falsepositives:
+    - Application bugs
+    - Missing .vm files
+level: high
@@ -1,4 +1,4 @@
-title: Creation Of Non-Existent DLLs In System Folders
+title: Creation Of Non-Existent System DLL
 id: df6ecb8b-7822-4f4b-b412-08f524b4576c
 related:
    - id: 6b98b92b-4f00-4f62-b4fe-4d1920215771 # ImageLoad rule
@@ -11,9 +11,10 @@ references:
    - https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/
    - https://github.com/Wh04m1001/SysmonEoP
    - https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
-author: Nasreddine Bencherchali (Nextron Systems)
+    - https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc
+author: Nasreddine Bencherchali (Nextron Systems), fornotes
 date: 2022/12/01
-modified: 2023/02/14
+modified: 2023/02/15
 tags:
    - attack.defense_evasion
    - attack.persistence
@@ -25,13 +26,14 @@ logsource:
    category: file_event
 detection:
    selection:
-        TargetFilename:
+        - TargetFilename:
            - 'C:\Windows\System32\WLBSCTRL.dll'
            - 'C:\Windows\System32\TSMSISrv.dll'
            - 'C:\Windows\System32\TSVIPSrv.dll'
            - 'C:\Windows\System32\wow64log.dll'
            - 'C:\Windows\System32\WptsExtensions.dll'
            - 'C:\Windows\System32\wbem\wbemcomn.dll'
+        - TargetFilename|endswith: '\SprintCSP.dll'
    filter:
        Image|startswith: 'C:\Windows\System32\'
    condition: selection and not filter
@@ -0,0 +1,35 @@
+title: HackTool - LocalPotato Execution
+id: 6bd75993-9888-4f91-9404-e1e4e4e34b77
+status: experimental
+description: Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples
+references:
+    - https://www.localpotato.com/localpotato_html/LocalPotato.html
+    - https://github.com/decoder-it/LocalPotato
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/02/14
+tags:
+    - attack.defense_evasion
+    - attack.privilege_escalation
+    - cve.2023.21746
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        Image|endswith: '\LocalPotato.exe'
+    selection_cli:
+        CommandLine|contains|all:
+            - '.exe -i C:\'
+            - '-o Windows\'
+    selection_hash_plain:
+        Hashes|contains:
+            - 'IMPHASH=E1742EE971D6549E8D4D81115F88F1FC'
+            - 'IMPHASH=DD82066EFBA94D7556EF582F247C8BB5'
+    selection_hash_ext:
+        Imphash:
+            - 'E1742EE971D6549E8D4D81115F88F1FC'
+            - 'DD82066EFBA94D7556EF582F247C8BB5'
+    condition: 1 of selection_*
+falsepositives:
+    - Unlikely
+level: high
@@ -236,6 +236,30 @@
            },
            "service":{}
        },
+        "jvm":{
+            "commun": [],
+            "empty": [],
+            "category":{
+                "application":[]
+            },
+            "service":{}
+        },
+        "nodejs":{
+            "commun": [],
+            "empty": [],
+            "category":{
+                "application":[]
+            },
+            "service":{}
+        },
+        "velocity":{
+            "commun": [],
+            "empty": [],
+            "category":{
+                "application":[]
+            },
+            "service":{}
+        },
        "aws":{
            "commun": [],
            "empty": [],