diff --git a/rules/application/jvm/java_jndi_injection_exploitation_attempt.yml b/rules/application/jvm/java_jndi_injection_exploitation_attempt.yml
new file mode 100644
index 000000000..cbe9ce0dc
--- /dev/null
+++ b/rules/application/jvm/java_jndi_injection_exploitation_attempt.yml
@@ -0,0 +1,24 @@
+title: Potential JNDI Injection Exploitation In JVM Based Application
+id: bb0e9cec-d4da-46f5-997f-22efc59f3dca
+status: experimental
+description: Detects potential JNDI Injection exploitation. Often coupled with Log4Shell exploitation.
+references:
+ - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
+ - https://secariolabs.com/research/analysing-and-reproducing-poc-for-log4j-2-15-0
+author: Moti Harmats
+date: 2023/02/11
+tags:
+ - attack.initial_access
+ - attack.t1190
+logsource:
+ category: application
+ product: jvm
+ definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
+detection:
+ keywords:
+ - 'com.sun.jndi.ldap.'
+ - 'org.apache.logging.log4j.core.net.JndiManager'
+ condition: keywords
+falsepositives:
+ - Application bugs
+level: high
diff --git a/rules/application/jvm/java_local_file_read.yml b/rules/application/jvm/java_local_file_read.yml
new file mode 100644
index 000000000..ce63649eb
--- /dev/null
+++ b/rules/application/jvm/java_local_file_read.yml
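Review bot: The keyword `com.sun.jndi.ldap.` matches every stack frame emitted by the JDK's built-in LDAP provider, so an ordinary connection or bind failure in an application that authenticates against a directory service will trigger this high-severity rule without any injection being involved, yet `falsepositives` lists only `Application bugs`. Add an explicit entry such as `- Legitimate LDAP client errors (directory connection or bind failures) that surface com.sun.jndi.ldap frames` so analysts know to baseline those services. The `description` could also say that the JndiManager keyword is the Log4j-specific signal while the package prefix is the generic one, since they carry very different confidence.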
@@ -0,0 +1,26 @@
+title: Potential Local File Read Vulnerability In JVM Based Application
+id: e032f5bc-4563-4096-ae3b-064bab588685
+status: experimental
+description: |
+ Detects potential local file read vulnerability in JVM based apps.
+ If the exceptions are caused due to user input and contain path traversal payloads then it's a red flag.
+references:
+ - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
+author: Moti Harmats
+date: 2023/02/11
+tags:
+ - attack.initial_access
+ - attack.t1190
+logsource:
+ category: application
+ product: jvm
+ definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
+detection:
+ keywords_local_file_read:
+ '|all':
+ - 'FileNotFoundException'
+ - '/../../..'
+ condition: keywords_local_file_read
+falsepositives:
+ - Application bugs
+level: high
diff --git a/rules/application/jvm/java_ognl_injection_exploitation_attempt.yml b/rules/application/jvm/java_ognl_injection_exploitation_attempt.yml
new file mode 100644
index 000000000..fa109bcf2
--- /dev/null
+++ b/rules/application/jvm/java_ognl_injection_exploitation_attempt.yml
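Review bot: The `|all` pairing only matches when the logged message still contains the literal `/../../..`, which the rule does not guarantee: code that canonicalizes a path before opening it puts the resolved path into the `FileNotFoundException` message, and a Windows-hosted JVM reports the path with backslashes, so those deployments never match and the rule stays silent. State the assumption where operators will see it, e.g. `definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above); the application must log the raw, un-normalized request path'`, and consider a second `'|all'` variant for the backslash form. The `falsepositives` entry should also mention that applications which legitimately accept relative paths log the same exception on a simple typo.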
@@ -0,0 +1,28 @@
+title: Potential OGNL Injection Exploitation In JVM Based Application
+id: 4d0af518-828e-4a04-a751-a7d03f3046ad
+status: experimental
+description: |
+ Detects potential OGNL Injection exploitation, which may lead to RCE.
+ OGNL is an expression language that is supported in many JVM based systems.
+ OGNL Injection is the reason for some high profile RCE's such as Apache Struts (CVE-2017-5638) and Confluence (CVE-2022-26134)
+references:
+ - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
+author: Moti Harmats
+date: 2023/02/11
+tags:
+ - attack.initial_access
+ - attack.t1190
+ - cve.2017.5638
+ - cve.2022.26134
+logsource:
+ category: application
+ product: jvm
+ definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
+detection:
+ keywords:
+ - 'org.apache.commons.ognl.OgnlException'
+ - 'ExpressionSyntaxException'
+ condition: keywords
+falsepositives:
+ - Application bugs
+level: high
diff --git a/rules/application/jvm/java_rce_exploitation_attempt.yml b/rules/application/jvm/java_rce_exploitation_attempt.yml
new file mode 100644
index 000000000..c350a2e70
--- /dev/null
+++ b/rules/application/jvm/java_rce_exploitation_attempt.yml
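Review bot: The first keyword is the fully qualified Apache Commons OGNL class, but Struts — cited in the description as the canonical OGNL injection case — bundles OGNL under the plain `ognl` package (its exceptions print as `ognl.OgnlException`, if I recall correctly), so the commons keyword would not match a Struts stack trace at all. The unqualified `ExpressionSyntaxException` still catches parse-time errors, but evaluation-time failures carry other class names and are missed. Either drop the package qualifier (`- 'OgnlException'`) or add `- 'ognl.OgnlException'` next to the commons entry, and note in `falsepositives` that applications using OGNL for legitimate templating log the same exception on malformed expressions.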
@@ -0,0 +1,24 @@
+title: Process Execution Error In JVM Based Application
+id: d65f37da-a26a-48f8-8159-3dde96680ad2
+status: experimental
+description: Detects process execution related exceptions in JVM based apps, often relates to RCE
+references:
+ - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
+author: Moti Harmats
+date: 2023/02/11
+tags:
+ - attack.initial_access
+ - attack.t1190
+logsource:
+ category: application
+ product: jvm
+ definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
+detection:
+ keywords:
+ - 'Cannot run program'
+ - 'java.lang.ProcessImpl'
+ - 'java.lang.ProcessBuilder'
+ condition: keywords
+falsepositives:
+ - Application bugs
+level: high
diff --git a/rules/application/jvm/java_xxe_exploitation_attempt.yml b/rules/application/jvm/java_xxe_exploitation_attempt.yml
new file mode 100644
index 000000000..b129ff2ec
--- /dev/null
+++ b/rules/application/jvm/java_xxe_exploitation_attempt.yml
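Review bot: `java.lang.ProcessBuilder` and `Cannot run program` appear in the stack trace of any failed process launch, including entirely legitimate ones such as an external converter binary missing from the host, yet `falsepositives` lists only `Application bugs` and the rule is `level: high`. Add an explicit entry like `- Applications that legitimately spawn sub-processes (external converters, scripts) log the same frames when the binary is missing or not executable` so analysts baseline those services before enabling alerting. The `description` should also carry the qualifier the rule depends on — the signal is only meaningful when the failing command is derived from user input — instead of the bare `often relates to RCE`.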
@@ -0,0 +1,25 @@
+title: Potential XXE Exploitation Attempt In JVM Based Application
+id: c4e06896-e27c-4583-95ac-91ce2279345d
+status: experimental
+description: Detects XML parsing issues, if the application expects to work with XML make sure that the parser is initialized safely.
+references:
+ - https://rules.sonarsource.com/java/RSPEC-2755
+ - https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
+ - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
+author: Moti Harmats
+date: 2023/02/11
+tags:
+ - attack.initial_access
+ - attack.t1190
+logsource:
+ category: application
+ product: jvm
+ definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
+detection:
+ keywords:
+ - 'SAXParseException'
+ - 'DOMException'
+ condition: keywords
+falsepositives:
+ - If the application expects to work with XML there may be parsing issues that don't neccecarily mean XXE.
+level: high
diff --git a/rules/application/nodejs/nodejs_rce_exploitation_attempt.yml b/rules/application/nodejs/nodejs_rce_exploitation_attempt.yml
new file mode 100644
index 000000000..a5426932c
--- /dev/null
+++ b/rules/application/nodejs/nodejs_rce_exploitation_attempt.yml
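Review bot: `DOMException` (`org.w3c.dom.DOMException`) is raised by DOM tree manipulation — invalid characters in a node name, wrong-document nodes — rather than by the parser's entity handling, so it adds noise rather than XXE evidence, and `SAXParseException` fires on any malformed XML; together with `level: high` this will alert on ordinary bad input. Either drop `- 'DOMException'` or lower the level to `medium` and say in the description that the rule flags parser errors as a lead for reviewing parser hardening, not as exploitation evidence. The `falsepositives` entry also misspells "necessarily" as `neccecarily`.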
@@ -0,0 +1,22 @@
+title: Potential RCE Exploitation Attempt In NodeJS
+id: 97661d9d-2beb-4630-b423-68985291a8af
+status: experimental
+description: Detects process execution related errors in NodeJS. If the exceptions are caused due to user input then they may suggest an RCE vulnerability.
+references:
+ - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
+author: Moti Harmats
+date: 2023/02/11
+tags:
+ - attack.initial_access
+ - attack.t1190
+logsource:
+ category: application
+ product: nodejs
+ definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
+detection:
+ keywords:
+ - 'node:child_process'
+ condition: keywords
+falsepositives:
+ - Puppeteer invocation exceptions often contain child_process related errors, that doesn't necessarily mean that the app is vulnerable.
+level: high
diff --git a/rules/application/spring/appframework_spring_exceptions.yml b/rules/application/spring/spring_application_exceptions.yml
similarity index 100%
rename from rules/application/spring/appframework_spring_exceptions.yml
rename to rules/application/spring/spring_application_exceptions.yml
diff --git a/rules/application/spring/spring_spel_injection.yml b/rules/application/spring/spring_spel_injection.yml
new file mode 100644
index 000000000..6176cb517
--- /dev/null
+++ b/rules/application/spring/spring_spel_injection.yml
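Review bot: The single keyword `node:child_process` depends on the `node:` scheme that newer Node runtimes print for built-in module frames; as far as I recall, older releases print those frames as `internal/child_process.js` or `child_process.js` without the prefix, so on such runtimes the rule is silent — confirm against the Node versions in scope and, if needed, add `- 'internal/child_process'` as a second keyword. The `definition` should also state that the stack trace must be captured by the log pipeline, since that is the only place this string appears and many structured loggers drop it.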
@@ -0,0 +1,23 @@
+title: Potential SpEL Injection In Spring Framework
+id: e9edd087-89d8-48c9-b0b4-5b9bb10896b8
+status: experimental
+description: Detects potential SpEL Injection exploitation, which may lead to RCE.
+references:
+ - https://owasp.org/www-community/vulnerabilities/Expression_Language_Injection
+ - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
+author: Moti Harmats
+date: 2023/02/11
+tags:
+ - attack.initial_access
+ - attack.t1190
+logsource:
+ category: application
+ product: spring
+ definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
+detection:
+ keywords:
+ - 'org.springframework.expression.ExpressionException'
+ condition: keywords
+falsepositives:
+ - Application bugs
+level: high
diff --git a/rules/application/sql/app_sqlinjection_errors.yml b/rules/application/sql/app_sqlinjection_errors.yml
index f9f4a9be4..f7447aefb 100644
--- a/rules/application/sql/app_sqlinjection_errors.yml
+++ b/rules/application/sql/app_sqlinjection_errors.yml
@@ -6,13 +6,14 @@ references:
 - http://www.sqlinjection.net/errors
 author: Bjoern Kimminich
 date: 2017/11/27
-modified: 2021/11/27
+modified: 2023/02/12
 tags:
 - attack.initial_access
 - attack.t1190
 logsource:
 category: application
 product: sql
+ definition: 'Requirements: application error logs must be collected (with LOG_LEVEL ERROR and above)'
 detection:
 keywords:
 # Oracle
@@ -26,5 +27,5 @@ detection:
 - SELECTs to the left and right of UNION do not have the same number of result columns
 condition: keywords
 falsepositives:
- - Application bugs
+ - A syntax error in MySQL also occurs in non-dynamic (safe) queries if there is an empty in() clause, that may often be the case.
 level: high
diff --git a/rules/application/velocity/velocity_ssti_injection.yml b/rules/application/velocity/velocity_ssti_injection.yml
new file mode 100644
index 000000000..70373fb24
--- /dev/null
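Review bot: The only keyword is the base class `org.springframework.expression.ExpressionException`, but a stack trace prints the concrete thrown type — as far as I recall Spring's SpEL failures are `SpelParseException` and `SpelEvaluationException` under `org.springframework.expression.spel` — so unless the logger also prints superclass names this rule will not match real SpEL errors. Replace the keyword with the concrete names, e.g. `- 'SpelParseException'` and `- 'SpelEvaluationException'`, or use the package prefix `'org.springframework.expression.'` if broad coverage is intended. `falsepositives` should then note that applications using SpEL for legitimate dynamic expressions raise the same exceptions on malformed input.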
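Review bot: The added `definition` reads `LOG_LEVEL ERROR` while every new rule in this commit spells the same requirement `LOG_LEVEL=ERROR`; align the wording so the requirement can be searched consistently: `definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'`.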
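Review bot: The `falsepositives` change replaces the generic `Application bugs` entry instead of adding to it, although that cause still applies to the Oracle, PostgreSQL and MSSQL error strings the rule matches; keep both list items. The new sentence also runs two thoughts together — suggest `- Application bugs` followed by `- In MySQL a syntax error also occurs in non-dynamic (safe) queries when an in() clause is empty, which is common`.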
+++ b/rules/application/velocity/velocity_ssti_injection.yml
@@ -0,0 +1,26 @@
+title: Potential Server Side Template Injection In Velocity
+id: 16c86189-b556-4ee8-b4c7-7e350a195a4f
+status: experimental
+description: Detects exceptions in velocity template renderer, this most likely happens due to dynamic rendering of user input and may lead to RCE.
+references:
+ - https://antgarsil.github.io/posts/velocity/
+ - https://www.wix.engineering/post/threat-and-vulnerability-hunting-with-application-server-error-logs
+author: Moti Harmats
+date: 2023/02/11
+tags:
+ - attack.initial_access
+ - attack.t1190
+logsource:
+ category: application
+ product: velocity
+ definition: 'Requirements: application error logs must be collected (with LOG_LEVEL=ERROR and above)'
+detection:
+ keywords:
+ - 'ParseErrorException'
+ - 'VelocityException'
+ - 'TemplateInitException'
+ condition: keywords
+falsepositives:
+ - Application bugs
+ - Missing .vm files
+level: high
diff --git a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml
index 786d5f2de..674f9e2a2 100644
--- a/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml
+++ b/rules/windows/file/file_event/file_event_win_create_non_existent_dlls.yml
@@ -1,4 +1,4 @@
-title: Creation Of Non-Existent DLLs In System Folders
+title: Creation Of Non-Existent System DLL
 id: df6ecb8b-7822-4f4b-b412-08f524b4576c
 related:
 - id: 6b98b92b-4f00-4f62-b4fe-4d1920215771 # ImageLoad rule
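Review bot: The description asserts that Velocity exceptions "most likely" come from dynamic rendering of user input, yet the rule's own `falsepositives` list benign causes (missing `.vm` files) and `VelocityException` is, as far as I know, a broad base type that also surfaces on resource-loading and configuration errors, so neither the certainty in the description nor `level: high` is supported by these keywords. Soften it to `description: Detects exceptions in the Velocity template renderer, which may indicate that user input is being rendered as a template and could lead to RCE.` and consider `level: medium` until the keywords are narrowed to parse-time errors.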
@@ -11,9 +11,10 @@ references:
 - https://clement.notin.org/blog/2020/09/12/CVE-2020-7315-McAfee-Agent-DLL-injection/
 - https://github.com/Wh04m1001/SysmonEoP
 - https://www.hexacorn.com/blog/2013/12/08/beyond-good-ol-run-key-part-5/
-author: Nasreddine Bencherchali (Nextron Systems)
+ - https://github.com/blackarrowsec/redteam-research/tree/26e6fc0c0d30d364758fa11c2922064a9a7fd309/LPE%20via%20StorSvc
+author: Nasreddine Bencherchali (Nextron Systems), fornotes
 date: 2022/12/01
-modified: 2023/02/14
+modified: 2023/02/15
 tags:
 - attack.defense_evasion
 - attack.persistence
@@ -25,13 +26,14 @@ logsource:
 category: file_event
 detection:
 selection:
- TargetFilename:
+ - TargetFilename:
 - 'C:\Windows\System32\WLBSCTRL.dll'
 - 'C:\Windows\System32\TSMSISrv.dll'
 - 'C:\Windows\System32\TSVIPSrv.dll'
 - 'C:\Windows\System32\wow64log.dll'
 - 'C:\Windows\System32\WptsExtensions.dll'
 - 'C:\Windows\System32\wbem\wbemcomn.dll'
+ - TargetFilename|endswith: '\SprintCSP.dll'
 filter:
 Image|startswith: 'C:\Windows\System32\'
 condition: selection and not filter
diff --git a/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml b/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml
new file mode 100644
index 000000000..3dd224222
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_hktl_localpotato.yml
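Review bot: The new `- TargetFilename|endswith: '\SprintCSP.dll'` in the detection hunk is the only entry not anchored to a system directory, so any creation of a file with that name — an installer writing into a user profile, a build output folder — will match, while the sibling entries are full `C:\Windows\System32\` paths and the `filter` only exempts writers that themselves run from System32. If the referenced StorSvc technique depends on the DLL landing in a system folder, anchor it the same way by adding `- 'C:\Windows\System32\SprintCSP.dll'` to the existing list instead of a separate `endswith` entry; if the broader match is deliberate, say why in a comment on that line so the next maintainer does not "fix" it.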
@@ -0,0 +1,35 @@
+title: HackTool - LocalPotato Execution
+id: 6bd75993-9888-4f91-9404-e1e4e4e34b77
+status: experimental
+description: Detects the execution of the LocalPotato POC based on basic PE metadata information and default CLI examples
+references:
+ - https://www.localpotato.com/localpotato_html/LocalPotato.html
+ - https://github.com/decoder-it/LocalPotato
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/02/14
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - cve.2023.21746
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ Image|endswith: '\LocalPotato.exe'
+ selection_cli:
+ CommandLine|contains|all:
+ - '.exe -i C:\'
+ - '-o Windows\'
+ selection_hash_plain:
+ Hashes|contains:
+ - 'IMPHASH=E1742EE971D6549E8D4D81115F88F1FC'
+ - 'IMPHASH=DD82066EFBA94D7556EF582F247C8BB5'
+ selection_hash_ext:
+ Imphash:
+ - 'E1742EE971D6549E8D4D81115F88F1FC'
+ - 'DD82066EFBA94D7556EF582F247C8BB5'
+ condition: 1 of selection_*
+falsepositives:
+ - Unlikely
+level: high
diff --git a/tests/logsource.json b/tests/logsource.json
index 7e05d1e34..a3f8d50e6 100644
--- a/tests/logsource.json
+++ b/tests/logsource.json
@@ -236,6 +236,30 @@
 },
 "service":{}
 },
+ "jvm":{
+ "commun": [],
+ "empty": [],
+ "category":{
+ "application":[]
+ },
+ "service":{}
+ },
+ "nodejs":{
+ "commun": [],
+ "empty": [],
+ "category":{
+ "application":[]
+ },
+ "service":{}
+ },
+ "velocity":{
+ "commun": [],
+ "empty": [],
+ "category":{
+ "application":[]
+ },
+ "service":{}
+ },
 "aws":{
 "commun": [],
 "empty": [],
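Review bot: With `condition: 1 of selection_*`, `selection_cli` alone raises a high-severity alert, yet its two substrings (`.exe -i C:\` together with `-o Windows\`) describe a generic input/output option pair that other command-line utilities can legitimately produce, while `falsepositives` says only `Unlikely`. Either document that assumption with an entry such as `- Other tools invoked with an -i/-o option pair pointing at similar paths`, or tie the CLI selection to the image or hash selections in the condition. The `Hashes|contains` and `Imphash` selections carry the same two values; a comment on `selection_hash_plain` noting that it exists for backends that expose the hash as a single concatenated field would help maintainers keep the pair in sync.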