feat: updates and enhancements

This commit is contained in:
Nasreddine Bencherchali
2023-01-10 00:13:37 +01:00
parent 17aaf7fdcd
commit 81f75c1d2e
15 changed files with 278 additions and 148 deletions
@@ -1,19 +1,18 @@
title: Suspicious Driver Loaded By User
title: Potential Privileged System Service Operation - SeLoadDriverPrivilege
id: f63508a0-c809-4435-b3be-ed819394d612
status: test
description: |
Detects the loading of drivers via 'SeLoadDriverPrivilege' required to load or unload a device driver.
With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode.
This user right does not apply to Plug and Play device drivers.
If you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers.
This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools.
So you have to work with a whitelist to find the bad stuff.
Detects the usage of the 'SeLoadDriverPrivilege' privilege. This privilege is required to load or unload a device driver.
With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode.
This user right does not apply to Plug and Play device drivers.
If you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers.
This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools. So you have to work with a whitelist to find the bad stuff.
references:
- https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673
author: xknow (@xknow_infosec), xorxes (@xor_xes)
date: 2019/04/08
modified: 2022/12/12
modified: 2023/01/09
tags:
- attack.defense_evasion
- attack.t1562.001
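Review bot: the rewritten description keeps two slips from the old text: "in to kernel mode" should be "into kernel mode", and "you are maybe left with bad programs" reads better as "you may be left with bad programs". While the wording is being touched, the closing "So you have to work with a whitelist to find the bad stuff." could be folded into the previous sentence as "…so an allow-list of permitted processes and users is required to isolate the bad cases."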
@@ -26,8 +25,8 @@ detection:
EventID: 4673
PrivilegeList: 'SeLoadDriverPrivilege'
Service: '-'
filter:
- ProcessName:
filter_exact:
ProcessName:
- 'C:\Windows\System32\Dism.exe'
- 'C:\Windows\System32\rundll32.exe'
- 'C:\Windows\System32\fltMC.exe'
@@ -37,13 +36,14 @@ detection:
- 'C:\Windows\System32\wimserv.exe'
- 'C:\Windows\System32\RuntimeBroker.exe'
- 'C:\Windows\System32\SystemSettingsBroker.exe'
- ProcessName|endswith:
filter_endswith:
ProcessName|endswith:
- '\procexp64.exe'
- '\procexp.exe'
- '\procmon64.exe'
- '\procmon.exe'
- '\Google\Chrome\Application\chrome.exe'
condition: selection_1 and not filter
condition: selection_1 and not 1 of filter_*
falsepositives:
- 'Other legimate tools loading drivers. There are some: Sysinternals, CPU-Z, AVs etc. - but not much. You have to baseline this according to your used products and allowed tools. Also try to exclude users, which are allowed to load drivers.'
- Other legimate tools loading drivers. Including but not limited to, Sysinternals, CPU-Z, AVs etc. A baseline needs to be created according to the used products and allowed tools. A good thing to do is to try and exclude users who are allowed to load drivers.
level: medium
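Review bot: "legimate" in the rewritten falsepositives entry is still misspelled; it should read "Other legitimate tools loading drivers." The condition change to `selection_1 and not 1 of filter_*` is consistent with the new `filter_exact` and `filter_endswith` names, so nothing else to flag in this hunk.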
@@ -4,7 +4,7 @@ related:
- id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
type: similar
status: test
description: Detects the creation of known powershell scripts for exploitation
description: Detects the creation of known offensive powershell scripts used for exploitation
references:
- https://github.com/PowerShellMafia/PowerSploit
- https://github.com/NetSPI/PowerUpSQL
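Review bot: style point on the new description: the rules in this commit write the product name as "PowerShell", so "known offensive powershell scripts" should be "known offensive PowerShell scripts".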
@@ -20,9 +20,10 @@ references:
- https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec
- https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec
- https://github.com/HarmJ0y/DAMP
- https://github.com/samratashok/nishang
author: Markus Neis, Nasreddine Bencherchali, Mustafa Kaan Demir, Georg Lauenstein
date: 2018/04/07
modified: 2023/01/05
modified: 2023/01/09
tags:
- attack.execution
- attack.t1059.001
@@ -32,20 +33,34 @@ logsource:
detection:
selection:
TargetFilename|endswith:
- '\Add-ConstrainedDelegationBackdoor.ps1'
- '\Add-Exfiltration.ps1'
- '\Add-Persistence.ps1'
- '\Add-RegBackdoor.ps1'
- '\Add-RemoteRegBackdoor.ps1'
- '\Add-ScrnSaveBackdoor.ps1'
- '\Check-VM.ps1'
- '\ConvertTo-ROT13.ps1'
- '\Copy-VSS.ps1'
- '\Create-MultipleSessions.ps1'
- '\DNS_TXT_Pwnage.ps1'
- '\Do-Exfiltration.ps1'
- '\DomainPasswordSpray.ps1'
- '\Download_Execute.ps1'
- '\Download-Execute-PS.ps1'
- '\Enabled-DuplicateToken.ps1'
- '\Enable-DuplicateToken.ps1'
- '\Execute-Command-MSSQL.ps1'
- '\Execute-DNSTXT-Code.ps1'
- '\Execute-OnTime.ps1'
- '\ExetoText.ps1'
- '\Exploit-Jboss.ps1'
- '\Find-AVSignature.ps1'
- '\Find-Fruit.ps1'
- '\Find-GPOLocation.ps1'
- '\Find-TrustedDocuments.ps1'
- '\FireBuster.ps1'
- '\FireListener.ps1'
- '\Get-ApplicationHost.ps1'
- '\Get-ChromeDump.ps1'
- '\Get-ClipboardContents.ps1'
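Review bot: the correction of '\Enabled-DuplicateToken.ps1' to '\Enable-DuplicateToken.ps1' is welcome, but several of the newly added names are short and generic ('\Check-VM.ps1', '\ConvertTo-ROT13.ps1', '\Copy-VSS.ps1'); with an endswith match on TargetFilename, any administrator script that happens to carry the same name fires the rule. Consider a trailing comment naming the toolkit each entry comes from, or listing these names under falsepositives.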
@@ -58,6 +73,7 @@ detection:
- '\Get-LSASecret.ps1'
- '\Get-MicrophoneAudio.ps1'
- '\Get-PassHashes.ps1'
- '\Get-PassHints.ps1'
- '\Get-RegAlwaysInstallElevated.ps1'
- '\Get-RegAutoLogon.ps1'
- '\Get-RickAstley.ps1'
@@ -76,27 +92,35 @@ detection:
- '\Get-VulnAutoRun.ps1'
- '\Get-VulnSchTask.ps1'
- '\Get-WebConfig.ps1'
- '\Get-WebCredentials.ps1'
- '\Get-WLAN-Keys.ps1'
- '\Gupt-Backdoor.ps1'
- '\HTTP-Backdoor.ps1'
- '\HTTP-Login.ps1'
- '\Install-ServiceBinary.ps1'
- '\Install-SSP.ps1'
- '\Invoke-ACLScanner.ps1'
- '\Invoke-ADSBackdoor.ps1'
- '\Invoke-AmsiBypass.ps1'
- '\Invoke-ARPScan.ps1'
- '\Invoke-BackdoorLNK.ps1'
- '\Invoke-BadPotato.ps1'
- '\Invoke-BetterSafetyKatz.ps1'
- '\Invoke-BruteForce.ps1'
- '\Invoke-BypassUAC.ps1'
- '\Invoke-Carbuncle.ps1'
- '\Invoke-Certify.ps1'
- '\Invoke-ConPtyShell.ps1'
- '\Invoke-CredentialInjection.ps1'
- '\Invoke-CredentialsPhish.ps1'
- '\Invoke-DAFT.ps1'
- '\Invoke-DCSync.ps1'
- '\Invoke-Decode.ps1'
- '\Invoke-DinvokeKatz.ps1'
- '\Invoke-DllInjection.ps1'
- '\Invoke-DowngradeAccount.ps1'
- '\Invoke-EgressCheck.ps1'
- '\Invoke-Encode.ps1'
- '\Invoke-EventViewer.ps1'
- '\Invoke-Eyewitness.ps1'
- '\Invoke-FakeLogonScreen.ps1'
@@ -106,19 +130,24 @@ detection:
- '\Invoke-Grouper2.ps1'
- '\Invoke-Grouper3.ps1'
- '\Invoke-HandleKatz.ps1'
- '\Invoke-Interceptor.ps1'
- '\Invoke-Internalmonologue.ps1'
- '\Invoke-Inveigh.ps1'
- '\Invoke-InveighRelay.ps1'
- '\Invoke-JSRatRegsvr.ps1'
- '\Invoke-JSRatRundll.ps1'
- '\Invoke-KrbRelay.ps1'
- '\Invoke-KrbRelayUp.ps1'
- '\Invoke-LdapSignCheck.ps1'
- '\Invoke-Lockless.ps1'
- '\Invoke-MalSCCM.ps1'
- '\Invoke-Mimikatz.ps1'
- '\Invoke-MimikatzWDigestDowngrade.ps1'
- '\Invoke-Mimikittenz.ps1'
- '\Invoke-MITM6.ps1'
- '\Invoke-NanoDump.ps1'
- '\Invoke-NetRipper.ps1'
- '\Invoke-NetworkRelay.ps1'
- '\Invoke-NinjaCopy.ps1'
- '\Invoke-OxidResolver.ps1'
- '\Invoke-P0wnedshell.ps1'
@@ -126,13 +155,22 @@ detection:
- '\Invoke-Paranoia.ps1'
- '\Invoke-PortScan.ps1'
- '\Invoke-PoshRatHttp.ps1'
- '\Invoke-PoshRatHttps.ps1'
- '\Invoke-PostExfil.ps1'
- '\Invoke-PowerDump.ps1'
- '\Invoke-PowerShellIcmp.ps1'
- '\Invoke-PowerShellTCP.ps1'
- '\Invoke-PowerShellTcpOneLine.ps1'
- '\Invoke-PowerShellTcpOneLineBind.ps1'
- '\Invoke-PowerShellUdp.ps1'
- '\Invoke-PowerShellUdpOneLine.ps1'
- '\Invoke-PowerShellWMI.ps1'
- '\Invoke-PowerThIEf.ps1'
- '\Invoke-PPLDump.ps1'
- '\Invoke-Prasadhak.ps1'
- '\Invoke-PsExec.ps1'
- '\Invoke-PsGcat.ps1'
- '\Invoke-PsGcatAgent.ps1'
- '\Invoke-PSInject.ps1'
- '\Invoke-PsUaCme.ps1'
- '\Invoke-ReflectivePEInjection.ps1'
@@ -144,6 +182,7 @@ detection:
- '\Invoke-SCShell.ps1'
- '\Invoke-Seatbelt.ps1'
- '\Invoke-ServiceAbuse.ps1'
- '\Invoke-SessionGopher.ps1'
- '\Invoke-SharpAllowedToAct.ps1'
- '\Invoke-SharpBlock.ps1'
- '\Invoke-SharpBypassUAC.ps1'
@@ -189,6 +228,7 @@ detection:
- '\Invoke-Snaffler.ps1'
- '\Invoke-Spoolsample.ps1'
- '\Invoke-SSHCommand.ps1'
- '\Invoke-SSIDExfil.ps1'
- '\Invoke-StandIn.ps1'
- '\Invoke-StickyNotesExtract.ps1'
- '\Invoke-Tater.ps1'
@@ -207,11 +247,25 @@ detection:
- '\Invoke-WmiCommand.ps1'
- '\Invoke-WScriptBypassUAC.ps1'
- '\Invoke-Zerologon.ps1'
- '\Keylogger.ps1'
- '\MailRaider.ps1'
- '\New-HoneyHash.ps1'
- '\OfficeMemScraper.ps1'
- '\Offline_Winpwn.ps1'
- '\Out-CHM.ps1'
- '\Out-DnsTxt.ps1'
- '\Out-Excel.ps1'
- '\Out-HTA.ps1'
- '\Out-Java.ps1'
- '\Out-JS.ps1'
- '\Out-Minidump.ps1'
- '\Out-RundllCommand.ps1'
- '\Out-SCF.ps1'
- '\Out-SCT.ps1'
- '\Out-Shortcut.ps1'
- '\Out-WebQuery.ps1'
- '\Out-Word.ps1'
- '\Parse_Keys.ps1'
- '\Port-Scan.ps1'
- '\PowerBreach.ps1'
- '\PowerSharpPack.ps1'
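Review bot: '\Keylogger.ps1' and '\Port-Scan.ps1' are kept in this file-name list, while the companion ScriptBlockText rule later in this same commit comments out 'Keylogger' as "Too generic to be linked to Nishang". The file-name form is narrower than a bare substring, so keeping them is defensible, but the inconsistency should be acknowledged with a comment or a falsepositives entry.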
@@ -220,12 +274,21 @@ detection:
- '\PowerView.ps1'
- '\PSAsyncShell.ps1'
- '\RemoteHashRetrieval.ps1'
- '\Remove-Persistence.ps1'
- '\Remove-PoshRat.ps1'
- '\Remove-Update.ps1'
- '\Run-EXEonRemote.ps1'
- '\Set-DCShadowPermissions.ps1'
- '\Set-MacAttribute.ps1'
- '\Set-RemotePSRemoting.ps1'
- '\Set-RemoteWMI.ps1'
- '\Set-Wallpaper.ps1'
- '\Show-TargetScreen.ps1'
- '\Speak.ps1'
- '\Start-CaptureServer.ps1'
- '\Start-WebcamRecorder.ps1'
- '\StringToBase64.ps1'
- '\TexttoExe.ps1'
- '\VolumeShadowCopyTools.ps1'
- '\WinPwn.ps1'
- '\WSUSpendu.ps1'
@@ -1,4 +1,4 @@
title: System DLL Sideloading From Non System Locations
title: Potential System DLL Sideloading From Non System Locations
id: 4fc0deee-0057-4998-ab31-d24e46e0aba4
status: experimental
description: Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)
@@ -9,7 +9,7 @@ references:
- https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md
author: Nasreddine Bencherchali, Wietze Beukema (project and research), Chris Spehn (research WFH Dridex), XForceIR (SideLoadHunter Project)
date: 2022/08/14
modified: 2022/12/09
modified: 2023/01/09
tags:
- attack.defense_evasion
- attack.persistence
@@ -1,4 +1,4 @@
title: Sideloading Of Non-Existent DLLs From System Folders
title: Potential DLL Sideloading Of Non-Existent DLLs From System Folders
id: 6b98b92b-4f00-4f62-b4fe-4d1920215771
related:
- id: df6ecb8b-7822-4f4b-b412-08f524b4576c
@@ -6,7 +6,7 @@ references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019/09/12
modified: 2022/08/24
modified: 2023/01/09
tags:
- attack.execution
- attack.t1059.001
@@ -21,8 +21,8 @@ detection:
- 5985
- 5986
Initiated: 'true' # only matches of the initiating system can be evaluated
filter:
- User|contains: # covers many language settings for Network Service, please expand
filter_generic:
- User|contains: # covers many language settings for Network Service. Please expand
- 'NETWORK SERVICE'
- 'NETZWERKDIENST'
- 'SERVIZIO DI RETE'
@@ -35,9 +35,13 @@ detection:
- 'C:\Program Files\Avast Software\Avast\AvastSvc.exe'
- 'C:\Program Files (x86)\Avast Software\Avast\AvastSvc.exe'
filter_localhost:
SourceIp: '::1'
DestinationIp: '::1'
condition: selection and not 1 of filter*
SourceIp:
- '::1'
- '127.0.0.1'
DestinationIp:
- '::1'
- '127.0.0.1'
condition: selection and not 1 of filter_*
falsepositives:
- Legitimate usage of remote PowerShell, e.g. remote administration and monitoring.
- Network Service user name of a not-covered localization
@@ -1,12 +1,15 @@
title: Accessing WinAPI in PowerShell
title: Potential WinAPI Calls Via PowerShell Scripts
id: 03d83090-8cba-44a0-b02f-0b756a050306
related:
- id: 03d83090-8cba-44a0-b02f-0b756a050306
type: similar
status: experimental
description: Detecting use WinAPI Functions in PowerShell
description: Detects use of WinAPI Functions in PowerShell scripts
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: Nikita Nazarov, oscd.community, Tim Shelton
date: 2020/10/06
modified: 2022/09/29
modified: 2023/01/09
tags:
- attack.execution
- attack.t1059.001
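Review bot: the `related` entry added at the top of this rule points at the rule's own id: 03d83090-8cba-44a0-b02f-0b756a050306 appears both as `id:` and under `related:`. The CommandLine variant later in this commit (ba3f5c1b-6272-4119-9dbd-0bc8d21c2702) declares itself `derived` from 03d83090, so the related id here should presumably be ba3f5c1b-6272-4119-9dbd-0bc8d21c2702, with a type that does not claim the base rule is derived from its own derivative.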
@@ -18,56 +21,57 @@ logsource:
detection:
selection:
ScriptBlockText|contains:
- 'WaitForSingleObject'
- 'QueueUserApc'
- 'RtlCreateUserThread'
- 'OpenProcess'
- 'VirtualAlloc'
- 'VirtualFree'
- 'WriteProcessMemory'
- 'CreateUserThread'
- 'AddSecurityPackage'
- 'AdjustTokenPrivileges'
- 'Advapi32'
- 'CloseHandle'
- 'GetDelegateForFunctionPointer'
- 'CreateProcessWithToken'
- 'CreateRemoteThread'
- 'CreateThread'
- 'memcpy'
- 'LoadLibrary'
- 'CreateUserThread'
- 'DangerousGetHandle'
- 'DuplicateTokenEx'
- 'EnumerateSecurityPackages'
#- 'FreeHGlobal'
- 'FreeLibrary'
- 'GetDelegateForFunctionPointer'
- 'GetLogonSessionData'
- 'GetModuleHandle'
- 'GetProcAddress'
- 'VirtualProtect'
- 'FreeLibrary'
- 'ReadProcessMemory'
- 'CreateRemoteThread'
- 'AdjustTokenPrivileges'
# - 'WriteByte' # FP with .NET System.IO.FileStream
- 'WriteInt32'
- 'OpenThreadToken'
# - 'PtrToString'
# - 'FreeHGlobal'
- 'ZeroFreeGlobalAllocUnicode'
- 'OpenProcessToken'
- 'GetTokenInformation'
- 'SetThreadToken'
- 'ImpersonateLoggedOnUser'
- 'RevertToSelf'
- 'GetLogonSessionData'
- 'CreateProcessWithToken'
- 'DuplicateTokenEx'
- 'OpenWindowStation'
- 'OpenDesktop'
- 'MiniDumpWriteDump'
- 'AddSecurityPackage'
- 'EnumerateSecurityPackages'
- 'GetProcessHandle'
- 'DangerousGetHandle'
- 'GetTokenInformation'
- 'ImpersonateLoggedOnUser'
- 'kernel32'
- 'Advapi32'
- 'LoadLibrary'
- 'memcpy'
- 'MiniDumpWriteDump'
- 'msvcrt'
- 'ntdll'
# - 'user32' # FP with chocolatey
- 'OpenDesktop'
- 'OpenProcess'
- 'OpenProcessToken'
- 'OpenThreadToken'
- 'OpenWindowStation'
#- 'PtrToString'
- 'QueueUserApc'
- 'ReadProcessMemory'
- 'RevertToSelf'
- 'RtlCreateUserThread'
- 'secur32'
falsepositive1:
- 'SetThreadToken'
#- 'user32' # FP with chocolatey
- 'VirtualAlloc'
- 'VirtualFree'
- 'VirtualProtect'
- 'WaitForSingleObject'
#- 'WriteByte' # FP with .NET System.IO.FileStream
- 'WriteInt32'
- 'WriteProcessMemory'
- 'ZeroFreeGlobalAllocUnicode'
filter_amazon:
ScriptBlockText|startswith: '# Copyright 2016 Amazon.com, Inc. or its affiliates.' # aws scripts leverage CreateFile and CloseHandle may filter out these 2 items
condition: selection and not 1 of falsepositive*
ScriptBlockText|contains: 'function Import-SerialPortUtil '
condition: selection and not 1 of filter_*
falsepositives:
- Carbon PowerShell Module (https://github.com/webmd-health-services/Carbon)
level: high
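Review bot: in `filter_amazon` the new `ScriptBlockText|contains: 'function Import-SerialPortUtil '` sits in the same map as the existing `ScriptBlockText|startswith: '# Copyright 2016 Amazon.com, Inc. or its affiliates.'`, and keys in one map are ANDed. As written the filter only suppresses Amazon scripts that also define Import-SerialPortUtil; if the intent (per the retained comment about CreateFile and CloseHandle) is to keep excluding every script with that copyright header, split the two into separate filters, e.g. `filter_amazon_header` and `filter_amazon_serialport`, which the `1 of filter_*` condition already accommodates. Minor: under `contains`, 'OpenProcess' already matches 'OpenProcessToken' and 'CreateUserThread' already matches 'RtlCreateUserThread', so those entries are redundant (harmless, but worth a comment if kept for readability).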
@@ -22,6 +22,7 @@ references:
- https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1
- https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
- https://github.com/HarmJ0y/DAMP
- https://github.com/samratashok/nishang
author: Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer
date: 2017/03/05
modified: 2023/01/05
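Review bot: `modified: 2023/01/05` should be bumped to 2023/01/09, as done for the other rules in this commit, since this rule gains a reference and its comments change in the following hunks; the same applies to the second rule further down that receives the same nishang reference with `modified: 2023/01/05` left untouched.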
@@ -118,7 +119,7 @@ detection:
- 'Invoke-Farmer'
- 'Invoke-Get-RBCD-Threaded'
- 'Invoke-Gopher'
- 'Invoke-Grouper' # cover Invoke-GrouperX
- 'Invoke-Grouper' # Also Covers Invoke-GrouperX
- 'Invoke-HandleKatz'
- 'Invoke-Internalmonologue'
- 'Invoke-Inveigh'
@@ -139,7 +140,7 @@ detection:
- 'Invoke-P0wnedshell'
- 'Invoke-Paranoia'
- 'Invoke-PortScan'
- 'Invoke-PoshRatHttp'
- 'Invoke-PoshRatHttp' # Also Covers Invoke-PoshRatHttps
- 'Invoke-PostExfil'
- 'Invoke-PowerDump'
- 'Invoke-PowerShellTCP'
@@ -171,7 +172,7 @@ detection:
- 'Invoke-SharpGPO-RemoteAccessPolicies'
- 'Invoke-SharpHandler'
- 'Invoke-SharpHide'
- 'Invoke-Sharphound' # cover Invoke-SharpHound2, Invoke-SharpHound3,.
- 'Invoke-Sharphound' # Also Covers "Invoke-SharpHound2", "Invoke-SharpHound3"...etc.
- 'Invoke-SharpImpersonation'
- 'Invoke-SharpImpersonationNoSpace'
- 'Invoke-SharpKatz'
@@ -6,7 +6,7 @@ references:
- https://github.com/samratashok/nishang
author: Alec Costello
date: 2019/05/16
modified: 2023/01/02
modified: 2023/01/09
tags:
- attack.execution
- attack.t1059.001
@@ -18,15 +18,21 @@ detection:
selection:
ScriptBlockText|contains:
- 'Add-ConstrainedDelegationBackdoor'
- 'Add-Persistence'
#- 'Add-Persistence' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
#- 'Add-RegBackdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
#- 'Add-ScrnSaveBackdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
- 'Copy-VSS'
- 'Create-MultipleSessions'
- 'DataToEncode'
- 'DNS_TXT_Pwnage'
- 'Do-Exfiltration-Dns'
- 'Download_Execute'
- 'Download-Execute-PS'
- 'DownloadAndExtractFromRemoteRegistry'
- 'DumpCerts'
- 'DumpCreds'
- 'DumpHashes'
- 'Enable-DuplicateToken'
- 'Enable-Duplication'
- 'Execute-Command-MSSQL'
- 'Execute-DNSTXT-Code'
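Review bot: several of the new entries are short generic substrings ('DataToEncode', 'DumpCerts', 'DumpCreds', 'DumpHashes', 'Enable-Duplication') that under `ScriptBlockText|contains` will also match unrelated scripts. Annotate each with the Nishang function or parameter it comes from, the way 'NotAllNameSpaces' is annotated later in this file ("This is param to "Set-RemoteWMI""), so the link to Nishang can be verified during triage.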
@@ -38,10 +44,14 @@ detection:
- 'FireBuster'
- 'FireListener'
- 'Get-Information'
#- 'Get-PassHashes' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
- 'Get-PassHints'
- 'Get-Web-Credentials'
- 'Get-WebCredentials'
- 'Get-WLAN-Keys'
#- 'Gupt-Backdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
- 'HTTP-Backdoor'
#- 'Invoke-ADSBackdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
- 'Invoke-AmsiBypass'
- 'Invoke-BruteForce'
- 'Invoke-CredentialsPhish'
@@ -52,19 +62,21 @@ detection:
- 'Invoke-JSRatRundll'
- 'Invoke-MimikatzWDigestDowngrade'
- 'Invoke-NetworkRelay'
- 'Invoke-PoshRatHttps'
#- 'Invoke-PortScan' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
#- 'Invoke-PoshRatHttp' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
- 'Invoke-PowerShellIcmp'
- 'Invoke-PowerShellUdp'
- 'Invoke-Prasadhak'
- 'Invoke-PSGcat'
- 'Invoke-PsGcatAgent'
#- 'Invoke-PsUACme' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
- 'Invoke-SessionGopher'
- 'Invoke-SSIDExfil'
#- Jitter # Prone to FPs
- 'Keylogger'
#- 'Keylogger' # Too generic to be linked to Nishang
- 'LoggedKeys'
- 'Nishang'
- 'NotAllNameSpaces'
- 'NotAllNameSpaces' # This is param to "Set-RemoteWMI"
- 'Out-CHM'
- 'OUT-DNSTXT'
- 'Out-HTA'
@@ -0,0 +1,32 @@
title: Potential PowerShell Obfuscation Using Character Join
id: e8314f79-564d-4f79-bc13-fbc0bf2660d8
related:
- id: 96cd126d-f970-49c4-848a-da3a09f55c55
type: derived
status: experimental
description: Detects specific techniques often seen used inside of PowerShell scripts to obfscuate Alias creation
references:
- Internal Research
author: Nasreddine Bencherchali
date: 2023/01/09
tags:
- attack.defense_evasion
- attack.execution
- attack.t1027
- attack.t1059.001
logsource:
product: windows
category: ps_script
definition: 'Requirements: Script Block Logging must be enabled'
detection:
selection:
# Example:
# Set-Alias -Name Y -Value (-join("Ne","w-O","bje","ct"))
# Set-Alias -Name X -Value (-join("Inv","oke","-","Exp","ression"))
ScriptBlockText|contains|all:
- '-Alias' # For both "New-Alias" and "Set-Alias"
- ' -Value (-join('
condition: selection
falsepositives:
- Unknown
level: low
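Review bot: "obfscuate" in the description should be "obfuscate". The relation is also circular: this rule lists 96cd126d-f970-49c4-848a-da3a09f55c55 as `derived`, and that rule (edited below in this commit) lists this rule as `derived` too. A rule cannot be derived from its own derivative, so one side should be `similar`, or the base rule should carry no `derived` back-reference.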
@@ -1,5 +1,8 @@
title: Potential PowerShell Obfuscation Using Alias Cmdlets
id: 96cd126d-f970-49c4-848a-da3a09f55c55
related:
- id: e8314f79-564d-4f79-bc13-fbc0bf2660d8
type: derived
status: experimental
description: Detects Set-Alias or New-Alias cmdlet usage. Which can be use as a mean to obfuscate PowerShell scripts
references:
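Review bot: the description on the context line has grammar slips: "Detects Set-Alias or New-Alias cmdlet usage. Which can be use as a mean to obfuscate PowerShell scripts" should read "Detects Set-Alias or New-Alias cmdlet usage, which can be used as a means to obfuscate PowerShell scripts". Since the `related` block is being added right above it, that is a cheap fix for the same commit.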
@@ -10,7 +13,7 @@ tags:
- attack.defense_evasion
- attack.execution
- attack.t1027
- attack.t1059.001
- attack.t1059.001
logsource:
product: windows
category: ps_script
@@ -7,6 +7,7 @@ references:
- https://twitter.com/D1rkMtr/status/1611471891193298944?s=20
author: frack113
date: 2023/01/07
modified: 2023/01/09
tags:
- attack.defense_evasion
- attack.t1562.002
@@ -19,7 +20,13 @@ detection:
CallTrace|startswith: 'C:\Windows\SYSTEM32\ntdll.dll+'
CallTrace|contains: '|UNKNOWN('
CallTrace|endswith: ')'
condition: selection
filter_msbuild:
SourceImage|startswith: 'C:\Program Files\Microsoft Visual Studio\'
SourceImage|endswith:
- '\MSBuild\Current\Bin\amd64\MSBuild.exe'
- '\MSBuild\Current\Bin\MSBuild.exe'
TargetImage|startswith: 'C:\Program Files\Microsoft Visual Studio\'
condition: selection and not 1 filter_*
falsepositives:
- Unknown
level: medium
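Review bot: the new condition `selection and not 1 filter_*` is missing the `of` keyword; Sigma's condition grammar requires `1 of filter_*`, and as written the rule will not compile. Separately, `filter_msbuild` anchors on SourceImage|startswith 'C:\Program Files\Microsoft Visual Studio\', so an installation under 'C:\Program Files (x86)\' would not be excluded; fine if intentional, but worth a comment.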
@@ -1,15 +1,15 @@
title: Potential WinAPI Access Via CommandLine
title: Potential WinAPI Calls Via CommandLine
id: ba3f5c1b-6272-4119-9dbd-0bc8d21c2702
related:
- id: 03d83090-8cba-44a0-b02f-0b756a050306
type: derived
status: experimental
description: Detects the use of WinAPI Functions via the commandline as seen used by threat actors via the tool winapiexec
description: Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec
references:
- https://twitter.com/m417z/status/1566674631788007425
author: Nasreddine Bencherchali
date: 2022/09/06
modified: 2022/12/29
modified: 2023/01/09
tags:
- attack.execution
- attack.t1106
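Review bot: the new description is a sentence fragment: "Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec" should be one sentence, e.g. "Detects the use of WinAPI functions via the command line, as seen used by threat actors via the tool winapiexec".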
@@ -19,52 +19,53 @@ logsource:
detection:
selection:
CommandLine|contains:
- ' WaitForSingleObject '
- ' QueueUserApc '
- ' RtlCreateUserThread '
- ' OpenProcess '
- ' VirtualAlloc '
- ' VirtualFree '
- ' WriteProcessMemory '
- ' CreateUserThread '
- ' CloseHandle '
- ' GetDelegateForFunctionPointer '
- ' CreateThread '
- ' memcpy '
- ' LoadLibrary '
- ' GetModuleHandle '
- ' GetProcAddress '
- ' VirtualProtect '
- ' FreeLibrary '
- ' ReadProcessMemory '
- ' CreateRemoteThread '
- ' AdjustTokenPrivileges '
- ' WriteInt32 '
- ' OpenThreadToken '
- ' PtrToString '
- ' FreeHGlobal '
- ' ZeroFreeGlobalAllocUnicode '
- ' OpenProcessToken '
- ' GetTokenInformation '
- ' SetThreadToken '
- ' ImpersonateLoggedOnUser '
- ' RevertToSelf '
- ' GetLogonSessionData '
- ' CreateProcessWithToken '
- ' DuplicateTokenEx '
- ' OpenWindowStation '
- ' OpenDesktop '
- ' MiniDumpWriteDump '
- ' AddSecurityPackage '
- ' EnumerateSecurityPackages '
- ' GetProcessHandle '
- ' DangerousGetHandle '
- ' kernel32 '
- ' Advapi32 '
- ' msvcrt '
- ' ntdll '
- ' user32 ' # FP with chocolatey
- ' secur32 '
- 'AddSecurityPackage'
- 'AdjustTokenPrivileges'
- 'Advapi32'
- 'CloseHandle'
- 'CreateProcessWithToken'
- 'CreatePseudoConsole'
- 'CreateRemoteThread'
- 'CreateThread'
- 'CreateUserThread'
- 'DangerousGetHandle'
- 'DuplicateTokenEx'
- 'EnumerateSecurityPackages'
- 'FreeHGlobal'
- 'FreeLibrary'
- 'GetDelegateForFunctionPointer'
- 'GetLogonSessionData'
- 'GetModuleHandle'
- 'GetProcAddress'
- 'GetProcessHandle'
- 'GetTokenInformation'
- 'ImpersonateLoggedOnUser'
- 'kernel32'
- 'LoadLibrary'
- 'memcpy'
- 'MiniDumpWriteDump'
#- 'msvcrt'
- 'ntdll'
- 'OpenDesktop'
- 'OpenProcess'
- 'OpenProcessToken'
- 'OpenThreadToken'
- 'OpenWindowStation'
- 'PtrToString'
- 'QueueUserApc'
- 'ReadProcessMemory'
- 'RevertToSelf'
- 'RtlCreateUserThread'
- 'secur32'
- 'SetThreadToken'
#- 'user32'
- 'VirtualAlloc'
- 'VirtualFree'
- 'VirtualProtect'
- 'WaitForSingleObject'
- 'WriteInt32'
- 'WriteProcessMemory'
- 'ZeroFreeGlobalAllocUnicode'
condition: selection
falsepositives:
- Unknown
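Review bot: stripping the surrounding spaces from every entry broadens each CommandLine|contains match from a standalone token to any substring of the command line: 'ntdll', 'kernel32' and 'Advapi32' now match any path or argument that mentions those DLLs, and 'CloseHandle', 'CreateThread' and 'LoadLibrary' match inside longer identifiers and file names. If this is deliberate (to catch winapiexec syntax where the names are not space-delimited), falsepositives should say more than "Unknown"; the commented-out 'msvcrt' and 'user32' suggest the broadening has already produced noise.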
@@ -1,12 +1,12 @@
title: DLL Injection with Tracker.exe
title: Potential DLL Injection Or Execution Using Tracker.exe
id: 148431ce-4b70-403d-8525-fcc2993f29ea
status: test
description: This rule detects DLL injection and execution via LOLBAS - Tracker.exe
description: Detects potential DLL injection and execution using "Tracker.exe"
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Tracker/
author: 'Avneet Singh @v3t0_, oscd.community'
date: 2020/10/18
modified: 2023/01/06
modified: 2023/01/09
tags:
- attack.defense_evasion
- attack.t1055.001
@@ -28,12 +28,9 @@ detection:
# GrandparentImage: C:\Program Files\Microsoft Visual Studio\2022\Community\Msbuild\Current\Bin\MSBuild.exe
# ParentCommandLine: "C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe" /nologo /nodemode:1 /nodeReuse:true /low:false
# CommandLine: "C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\Tracker.exe" @"C:\Users\user\AppData\Local\Temp\tmp05c7789bc5534838bf96d7a0fed1ffff.tmp" /c "C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.29.30133\bin\HostX86\x64\Lib.exe"
ParentImage|endswith:
ParentImage|endswith:
- '\Msbuild\Current\Bin\MSBuild.exe'
- '\Msbuild\Current\Bin\amd64\MSBuild.exe'
CommandLine|contains|all:
- '\VC\Tools\MSVC\'
- '\bin\HostX86\x64\'
condition: all of selection_* and not 1 of filter_*
falsepositives:
- Unknown
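Review bot: with the `CommandLine|contains|all` constraints ('\VC\Tools\MSVC\', '\bin\HostX86\x64\') removed, the filter now excludes every Tracker.exe whose parent ends in '\Msbuild\Current\Bin\MSBuild.exe' or '\Msbuild\Current\Bin\amd64\MSBuild.exe', regardless of its arguments. The example in the comments shows the legitimate case still carries those paths, so the looser filter trades coverage for fewer false positives; if that is intended, say so in falsepositives instead of "Unknown", and consider anchoring ParentImage with a startswith on the Visual Studio install path, as the MSBuild filter added elsewhere in this commit does with SourceImage|startswith.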
@@ -18,6 +18,7 @@ references:
- https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1
- https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
- https://github.com/HarmJ0y/DAMP
- https://github.com/samratashok/nishang
author: Nasreddine Bencherchali
date: 2023/01/02
modified: 2023/01/05
@@ -113,7 +114,7 @@ detection:
- 'Invoke-Farmer'
- 'Invoke-Get-RBCD-Threaded'
- 'Invoke-Gopher'
- 'Invoke-Grouper' # cover Invoke-GrouperX
- 'Invoke-Grouper' # Also Covers Invoke-GrouperX
- 'Invoke-HandleKatz'
- 'Invoke-Internalmonologue'
- 'Invoke-Inveigh'
@@ -134,7 +135,7 @@ detection:
- 'Invoke-P0wnedshell'
- 'Invoke-Paranoia'
- 'Invoke-PortScan'
- 'Invoke-PoshRatHttp'
- 'Invoke-PoshRatHttp' # Also Covers Invoke-PoshRatHttps
- 'Invoke-PostExfil'
- 'Invoke-PowerDump'
- 'Invoke-PowerShellTCP'
@@ -166,7 +167,7 @@ detection:
- 'Invoke-SharpGPO-RemoteAccessPolicies'
- 'Invoke-SharpHandler'
- 'Invoke-SharpHide'
- 'Invoke-Sharphound' # cover Invoke-SharpHound2, Invoke-SharpHound3,.
- 'Invoke-Sharphound' # Also Covers "Invoke-SharpHound2", "Invoke-SharpHound3"...etc.
- 'Invoke-SharpImpersonation'
- 'Invoke-SharpImpersonationNoSpace'
- 'Invoke-SharpKatz'
@@ -1,13 +1,14 @@
title: Powershell Reverse Shell Connection
title: Potential Powershell ReverseShell Connection
id: edc2f8ae-2412-4dfd-b9d5-0c57727e70be
status: experimental
description: Detects the Nishang Invoke-PowerShellTcpOneLine reverse shell
status: stable
description: Detects usage of the "TcpClient" class. Which can be abused to establish remote connections and reverse-shells. As seen used by the Nishang "Invoke-PowerShellTcpOneLine" reverse shell.
references:
- https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
- https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1
author: FPT.EagleEye, wagga
date: 2021/03/03
modified: 2022/07/14
modified: 2023/01/09
tags:
- attack.execution
- attack.t1059.001
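Review bot: `status` moves from `experimental` straight to `stable` in the same commit that rewrites the detection logic (the selection is split into selection_img and selection_cli in the next hunk); rules normally pass through `test` first so the new logic can be validated against real data. Also "Powershell ReverseShell" in the title should be "PowerShell Reverse Shell".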
@@ -15,15 +16,19 @@ logsource:
category: process_creation
product: windows
detection:
selection:
Image|endswith:
selection_img:
- OriginalFileName:
- 'PowerShell.EXE'
- 'pwsh.dll'
- Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
CommandLine|contains: 'new-object system.net.sockets.tcpclient'
condition: selection
fields:
- CommandLine
- ParentCommandLine
selection_cli:
CommandLine|contains|all:
- ' System.Net.Sockets.TCPClient'
- '.GetBytes'
- '.Write'
condition: all of selection_*
falsepositives:
- Administrative might use this function for checking network connectivity
- Administrative might use this function to check network connectivity
level: high
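Review bot: the leading space in ' System.Net.Sockets.TCPClient' restricts the match to invocations where the type name is preceded by whitespace, as in the `New-Object System.Net.Sockets.TCPClient` form from the reference; the previous selection, 'new-object system.net.sockets.tcpclient', was equally narrow, but since '.GetBytes' and '.Write' already keep the combination specific, the space can be dropped without losing precision. Falsepositives grammar: "Administrative might use this function" should be "Administrators might use this class".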