diff --git a/rules/windows/builtin/security/win_security_user_driver_loaded.yml b/rules/windows/builtin/security/win_security_user_driver_loaded.yml
index b7f5c465b..3c62de689 100644
--- a/rules/windows/builtin/security/win_security_user_driver_loaded.yml
+++ b/rules/windows/builtin/security/win_security_user_driver_loaded.yml
@@ -1,19 +1,18 @@
-title: Suspicious Driver Loaded By User
+title: Potential Privileged System Service Operation - SeLoadDriverPrivilege
id: f63508a0-c809-4435-b3be-ed819394d612
status: test
description: |
- Detects the loading of drivers via 'SeLoadDriverPrivilege' required to load or unload a device driver.
- With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode.
- This user right does not apply to Plug and Play device drivers.
- If you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers.
- This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools.
- So you have to work with a whitelist to find the bad stuff.
+ Detects the usage of the 'SeLoadDriverPrivilege' privilege. This privilege is required to load or unload a device driver.
+ With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode.
+ This user right does not apply to Plug and Play device drivers.
+ If you exclude privileged users/admins and processes, which are allowed to do so, you are maybe left with bad programs trying to load malicious kernel drivers.
+ This will detect Ghost-In-The-Logs (https://github.com/bats3c/Ghost-In-The-Logs) and the usage of Sysinternals and various other tools. So you have to work with a whitelist to find the bad stuff.
references:
- https://blog.dylan.codes/evading-sysmon-and-windows-event-logging/
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4673
author: xknow (@xknow_infosec), xorxes (@xor_xes)
date: 2019/04/08
-modified: 2022/12/12
+modified: 2023/01/09
tags:
- attack.defense_evasion
- attack.t1562.001
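Review bot: The rewritten description block still carries two wording slips on its `+` lines: `other code in to kernel mode` should read `other code into kernel mode`, and `you are maybe left with bad programs` reads better as `you may be left with bad programs`. Since the commit already retouches every line of this block scalar, fixing them here avoids another churn of the same lines. The title and modified-date changes in this hunk need nothing.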
@@ -26,8 +25,8 @@ detection:
EventID: 4673
PrivilegeList: 'SeLoadDriverPrivilege'
Service: '-'
- filter:
- - ProcessName:
+ filter_exact:
+ ProcessName:
- 'C:\Windows\System32\Dism.exe'
- 'C:\Windows\System32\rundll32.exe'
- 'C:\Windows\System32\fltMC.exe'
@@ -37,13 +36,14 @@ detection:
- 'C:\Windows\System32\wimserv.exe'
- 'C:\Windows\System32\RuntimeBroker.exe'
- 'C:\Windows\System32\SystemSettingsBroker.exe'
- - ProcessName|endswith:
+ filter_endswith:
+ ProcessName|endswith:
- '\procexp64.exe'
- '\procexp.exe'
- '\procmon64.exe'
- '\procmon.exe'
- '\Google\Chrome\Application\chrome.exe'
- condition: selection_1 and not filter
+ condition: selection_1 and not 1 of filter_*
falsepositives:
- - 'Other legimate tools loading drivers. There are some: Sysinternals, CPU-Z, AVs etc. - but not much. You have to baseline this according to your used products and allowed tools. Also try to exclude users, which are allowed to load drivers.'
+ - Other legimate tools loading drivers. Including but not limited to, Sysinternals, CPU-Z, AVs etc. A baseline needs to be created according to the used products and allowed tools. A good thing to do is to try and exclude users who are allowed to load drivers.
level: medium
diff --git a/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml b/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml
index 824315e1a..f613acb6e 100644
--- a/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml
+++ b/rules/windows/file/file_event/file_event_win_powershell_exploit_scripts.yml
@@ -4,7 +4,7 @@ related:
- id: 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
type: similar
status: test
-description: Detects the creation of known powershell scripts for exploitation
+description: Detects the creation of known offensive powershell scripts used for exploitation
references:
- https://github.com/PowerShellMafia/PowerSploit
- https://github.com/NetSPI/PowerUpSQL
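Review bot: The rewritten falsepositives entry in the `@@ -37,13 +36,14 @@` hunk keeps the misspelling `legimate`; it should read `- Other legitimate tools loading drivers. Including but not limited to, Sysinternals, CPU-Z, AVs etc. ...`. The old line had the same typo, but since this line is replaced wholesale here it is the natural place to correct it. The split into `filter_exact` and `filter_endswith` with `not 1 of filter_*` is consistent with the naming used elsewhere in this commit.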
@@ -20,9 +20,10 @@ references:
- https://unit42.paloaltonetworks.com/threat-assessment-black-basta-ransomware/ # Invoke-TotalExec
- https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/ # Invoke-TotalExec
- https://github.com/HarmJ0y/DAMP
+ - https://github.com/samratashok/nishang
author: Markus Neis, Nasreddine Bencherchali, Mustafa Kaan Demir, Georg Lauenstein
date: 2018/04/07
-modified: 2023/01/05
+modified: 2023/01/09
tags:
- attack.execution
- attack.t1059.001
@@ -32,20 +33,34 @@ logsource:
detection:
selection:
TargetFilename|endswith:
+ - '\Add-ConstrainedDelegationBackdoor.ps1'
- '\Add-Exfiltration.ps1'
- '\Add-Persistence.ps1'
- '\Add-RegBackdoor.ps1'
- '\Add-RemoteRegBackdoor.ps1'
- '\Add-ScrnSaveBackdoor.ps1'
- '\Check-VM.ps1'
+ - '\ConvertTo-ROT13.ps1'
+ - '\Copy-VSS.ps1'
+ - '\Create-MultipleSessions.ps1'
+ - '\DNS_TXT_Pwnage.ps1'
- '\Do-Exfiltration.ps1'
- '\DomainPasswordSpray.ps1'
+ - '\Download_Execute.ps1'
+ - '\Download-Execute-PS.ps1'
- '\Enabled-DuplicateToken.ps1'
+ - '\Enable-DuplicateToken.ps1'
+ - '\Execute-Command-MSSQL.ps1'
+ - '\Execute-DNSTXT-Code.ps1'
+ - '\Execute-OnTime.ps1'
+ - '\ExetoText.ps1'
- '\Exploit-Jboss.ps1'
- '\Find-AVSignature.ps1'
- '\Find-Fruit.ps1'
- '\Find-GPOLocation.ps1'
- '\Find-TrustedDocuments.ps1'
+ - '\FireBuster.ps1'
+ - '\FireListener.ps1'
- '\Get-ApplicationHost.ps1'
- '\Get-ChromeDump.ps1'
- '\Get-ClipboardContents.ps1'
@@ -58,6 +73,7 @@ detection:
- '\Get-LSASecret.ps1'
- '\Get-MicrophoneAudio.ps1'
- '\Get-PassHashes.ps1'
+ - '\Get-PassHints.ps1'
- '\Get-RegAlwaysInstallElevated.ps1'
- '\Get-RegAutoLogon.ps1'
- '\Get-RickAstley.ps1'
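Review bot: In the `@@ -32,20 +33,34 @@` hunk the selection now holds both the pre-existing `'\Enabled-DuplicateToken.ps1'` and the added `'\Enable-DuplicateToken.ps1'`; the former looks like a misspelling of the script name the latter matches, and if no script of the old name exists it is dead weight in the list. If the old spelling was kept on purpose, a trailing comment such as `# Alternate spelling kept for older copies` on that line would stop the next reviewer from asking the same question; otherwise drop it. The `TargetFilename|endswith` list continues past the end of this hunk.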
@@ -76,27 +92,35 @@ detection:
- '\Get-VulnAutoRun.ps1'
- '\Get-VulnSchTask.ps1'
- '\Get-WebConfig.ps1'
+ - '\Get-WebCredentials.ps1'
+ - '\Get-WLAN-Keys.ps1'
- '\Gupt-Backdoor.ps1'
+ - '\HTTP-Backdoor.ps1'
- '\HTTP-Login.ps1'
- '\Install-ServiceBinary.ps1'
- '\Install-SSP.ps1'
- '\Invoke-ACLScanner.ps1'
- '\Invoke-ADSBackdoor.ps1'
+ - '\Invoke-AmsiBypass.ps1'
- '\Invoke-ARPScan.ps1'
- '\Invoke-BackdoorLNK.ps1'
- '\Invoke-BadPotato.ps1'
- '\Invoke-BetterSafetyKatz.ps1'
+ - '\Invoke-BruteForce.ps1'
- '\Invoke-BypassUAC.ps1'
- '\Invoke-Carbuncle.ps1'
- '\Invoke-Certify.ps1'
- '\Invoke-ConPtyShell.ps1'
- '\Invoke-CredentialInjection.ps1'
+ - '\Invoke-CredentialsPhish.ps1'
- '\Invoke-DAFT.ps1'
- '\Invoke-DCSync.ps1'
+ - '\Invoke-Decode.ps1'
- '\Invoke-DinvokeKatz.ps1'
- '\Invoke-DllInjection.ps1'
- '\Invoke-DowngradeAccount.ps1'
- '\Invoke-EgressCheck.ps1'
+ - '\Invoke-Encode.ps1'
- '\Invoke-EventViewer.ps1'
- '\Invoke-Eyewitness.ps1'
- '\Invoke-FakeLogonScreen.ps1'
@@ -106,19 +130,24 @@ detection:
- '\Invoke-Grouper2.ps1'
- '\Invoke-Grouper3.ps1'
- '\Invoke-HandleKatz.ps1'
+ - '\Invoke-Interceptor.ps1'
- '\Invoke-Internalmonologue.ps1'
- '\Invoke-Inveigh.ps1'
- '\Invoke-InveighRelay.ps1'
+ - '\Invoke-JSRatRegsvr.ps1'
+ - '\Invoke-JSRatRundll.ps1'
- '\Invoke-KrbRelay.ps1'
- '\Invoke-KrbRelayUp.ps1'
- '\Invoke-LdapSignCheck.ps1'
- '\Invoke-Lockless.ps1'
- '\Invoke-MalSCCM.ps1'
- '\Invoke-Mimikatz.ps1'
+ - '\Invoke-MimikatzWDigestDowngrade.ps1'
- '\Invoke-Mimikittenz.ps1'
- '\Invoke-MITM6.ps1'
- '\Invoke-NanoDump.ps1'
- '\Invoke-NetRipper.ps1'
+ - '\Invoke-NetworkRelay.ps1'
- '\Invoke-NinjaCopy.ps1'
- '\Invoke-OxidResolver.ps1'
- '\Invoke-P0wnedshell.ps1'
@@ -126,13 +155,22 @@ detection:
- '\Invoke-Paranoia.ps1'
- '\Invoke-PortScan.ps1'
- '\Invoke-PoshRatHttp.ps1'
+ - '\Invoke-PoshRatHttps.ps1'
- '\Invoke-PostExfil.ps1'
- '\Invoke-PowerDump.ps1'
+ - '\Invoke-PowerShellIcmp.ps1'
- '\Invoke-PowerShellTCP.ps1'
+ - '\Invoke-PowerShellTcpOneLine.ps1'
+ - '\Invoke-PowerShellTcpOneLineBind.ps1'
+ - '\Invoke-PowerShellUdp.ps1'
+ - '\Invoke-PowerShellUdpOneLine.ps1'
- '\Invoke-PowerShellWMI.ps1'
- '\Invoke-PowerThIEf.ps1'
- '\Invoke-PPLDump.ps1'
+ - '\Invoke-Prasadhak.ps1'
- '\Invoke-PsExec.ps1'
+ - '\Invoke-PsGcat.ps1'
+ - '\Invoke-PsGcatAgent.ps1'
- '\Invoke-PSInject.ps1'
- '\Invoke-PsUaCme.ps1'
- '\Invoke-ReflectivePEInjection.ps1'
@@ -144,6 +182,7 @@ detection:
- '\Invoke-SCShell.ps1'
- '\Invoke-Seatbelt.ps1'
- '\Invoke-ServiceAbuse.ps1'
+ - '\Invoke-SessionGopher.ps1'
- '\Invoke-SharpAllowedToAct.ps1'
- '\Invoke-SharpBlock.ps1'
- '\Invoke-SharpBypassUAC.ps1'
@@ -189,6 +228,7 @@ detection:
- '\Invoke-Snaffler.ps1'
- '\Invoke-Spoolsample.ps1'
- '\Invoke-SSHCommand.ps1'
+ - '\Invoke-SSIDExfil.ps1'
- '\Invoke-StandIn.ps1'
- '\Invoke-StickyNotesExtract.ps1'
- '\Invoke-Tater.ps1'
@@ -207,11 +247,25 @@ detection:
- '\Invoke-WmiCommand.ps1'
- '\Invoke-WScriptBypassUAC.ps1'
- '\Invoke-Zerologon.ps1'
+ - '\Keylogger.ps1'
- '\MailRaider.ps1'
- '\New-HoneyHash.ps1'
- '\OfficeMemScraper.ps1'
- '\Offline_Winpwn.ps1'
+ - '\Out-CHM.ps1'
+ - '\Out-DnsTxt.ps1'
+ - '\Out-Excel.ps1'
+ - '\Out-HTA.ps1'
+ - '\Out-Java.ps1'
+ - '\Out-JS.ps1'
- '\Out-Minidump.ps1'
+ - '\Out-RundllCommand.ps1'
+ - '\Out-SCF.ps1'
+ - '\Out-SCT.ps1'
+ - '\Out-Shortcut.ps1'
+ - '\Out-WebQuery.ps1'
+ - '\Out-Word.ps1'
+ - '\Parse_Keys.ps1'
- '\Port-Scan.ps1'
- '\PowerBreach.ps1'
- '\PowerSharpPack.ps1'
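Review bot: `'\Keylogger.ps1'` is added in the `@@ -207,11 +247,25 @@` hunk while the same commit comments out `Keylogger` in posh_ps_nishang_malicious_commandlets.yml as `Too generic to be linked to Nishang`; a file named `Keylogger.ps1` is just as generic as a file-creation indicator, and the same concern applies to `'\Speak.ps1'`, `'\StringToBase64.ps1'` and `'\Parse_Keys.ps1'` added in the next hunk. The list is matched by plain `endswith` and the rule's level is not visible in this diff, so either record the reasoning with a comment on those entries, e.g. `# Generic Nishang script name, potential FP source`, or leave them out.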
@@ -220,12 +274,21 @@ detection:
- '\PowerView.ps1'
- '\PSAsyncShell.ps1'
- '\RemoteHashRetrieval.ps1'
+ - '\Remove-Persistence.ps1'
+ - '\Remove-PoshRat.ps1'
- '\Remove-Update.ps1'
+ - '\Run-EXEonRemote.ps1'
+ - '\Set-DCShadowPermissions.ps1'
- '\Set-MacAttribute.ps1'
+ - '\Set-RemotePSRemoting.ps1'
+ - '\Set-RemoteWMI.ps1'
- '\Set-Wallpaper.ps1'
- '\Show-TargetScreen.ps1'
+ - '\Speak.ps1'
- '\Start-CaptureServer.ps1'
- '\Start-WebcamRecorder.ps1'
+ - '\StringToBase64.ps1'
+ - '\TexttoExe.ps1'
- '\VolumeShadowCopyTools.ps1'
- '\WinPwn.ps1'
- '\WSUSpendu.ps1'
diff --git a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
index 342b35fc7..0a78caef7 100644
--- a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
+++ b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
@@ -1,4 +1,4 @@
-title: System DLL Sideloading From Non System Locations
+title: Potential System DLL Sideloading From Non System Locations
id: 4fc0deee-0057-4998-ab31-d24e46e0aba4
status: experimental
description: Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)
@@ -9,7 +9,7 @@ references:
- https://github.com/XForceIR/SideLoadHunter/blob/cc7ef2e5d8908279b0c4cee4e8b6f85f7b8eed52/SideLoads/README.md
author: Nasreddine Bencherchali, Wietze Beukema (project and research), Chris Spehn (research WFH Dridex), XForceIR (SideLoadHunter Project)
date: 2022/08/14
-modified: 2022/12/09
+modified: 2023/01/09
tags:
- attack.defense_evasion
- attack.persistence
diff --git a/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml b/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml
index 619f4fdf7..2ef20287c 100644
--- a/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml
+++ b/rules/windows/image_load/image_load_side_load_non_existent_dlls.yml
@@ -1,4 +1,4 @@
-title: Sideloading Of Non-Existent DLLs From System Folders
+title: Potential DLL Sideloading Of Non-Existent DLLs From System Folders
id: 6b98b92b-4f00-4f62-b4fe-4d1920215771
related:
- id: df6ecb8b-7822-4f4b-b412-08f524b4576c
diff --git a/rules/windows/network_connection/net_connection_win_remote_powershell_session_network.yml b/rules/windows/network_connection/net_connection_win_remote_powershell_session_network.yml
index 12dbdd7ba..098aa133e 100755
--- a/rules/windows/network_connection/net_connection_win_remote_powershell_session_network.yml
+++ b/rules/windows/network_connection/net_connection_win_remote_powershell_session_network.yml
@@ -6,7 +6,7 @@ references:
- https://threathunterplaybook.com/notebooks/windows/02_execution/WIN-190511223310.html
author: Roberto Rodriguez @Cyb3rWard0g
date: 2019/09/12
-modified: 2022/08/24
+modified: 2023/01/09
tags:
- attack.execution
- attack.t1059.001
@@ -21,8 +21,8 @@ detection:
- 5985
- 5986
Initiated: 'true' # only matches of the initiating system can be evaluated
- filter:
- - User|contains: # covers many language settings for Network Service, please expand
+ filter_generic:
+ - User|contains: # covers many language settings for Network Service. Please expand
- 'NETWORK SERVICE'
- 'NETZWERKDIENST'
- 'SERVIZIO DI RETE'
@@ -35,9 +35,13 @@ detection:
- 'C:\Program Files\Avast Software\Avast\AvastSvc.exe'
- 'C:\Program Files (x86)\Avast Software\Avast\AvastSvc.exe'
filter_localhost:
- SourceIp: '::1'
- DestinationIp: '::1'
- condition: selection and not 1 of filter*
+ SourceIp:
+ - '::1'
+ - '127.0.0.1'
+ DestinationIp:
+ - '::1'
+ - '127.0.0.1'
+ condition: selection and not 1 of filter_*
falsepositives:
- Legitimate usage of remote PowerShell, e.g. remote administration and monitoring.
- Network Service user name of a not-covered localization
diff --git a/rules/windows/powershell/powershell_script/posh_ps_accessing_win_api.yml b/rules/windows/powershell/powershell_script/posh_ps_accessing_win_api.yml
index 9890b9455..980b9113c 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_accessing_win_api.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_accessing_win_api.yml
@@ -1,12 +1,15 @@
-title: Accessing WinAPI in PowerShell
+title: Potential WinAPI Calls Via PowerShell Scripts
id: 03d83090-8cba-44a0-b02f-0b756a050306
+related:
+ - id: 03d83090-8cba-44a0-b02f-0b756a050306
+ type: similar
status: experimental
-description: Detecting use WinAPI Functions in PowerShell
+description: Detects use of WinAPI Functions in PowerShell scripts
references:
- https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
author: Nikita Nazarov, oscd.community, Tim Shelton
date: 2020/10/06
-modified: 2022/09/29
+modified: 2023/01/09
tags:
- attack.execution
- attack.t1059.001
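Review bot: The added `related` entry points at `03d83090-8cba-44a0-b02f-0b756a050306`, which is this rule's own `id`, so the relation is a self-reference. The process_creation rule later in this commit (`ba3f5c1b-6272-4119-9dbd-0bc8d21c2702`) declares this rule as its `derived` parent, so the intended target here is almost certainly `- id: ba3f5c1b-6272-4119-9dbd-0bc8d21c2702`. Sigma tooling that validates `related` ids will not flag a self-reference, so this is easy to miss later.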
@@ -18,56 +21,57 @@ logsource:
detection:
selection:
ScriptBlockText|contains:
- - 'WaitForSingleObject'
- - 'QueueUserApc'
- - 'RtlCreateUserThread'
- - 'OpenProcess'
- - 'VirtualAlloc'
- - 'VirtualFree'
- - 'WriteProcessMemory'
- - 'CreateUserThread'
+ - 'AddSecurityPackage'
+ - 'AdjustTokenPrivileges'
+ - 'Advapi32'
- 'CloseHandle'
- - 'GetDelegateForFunctionPointer'
+ - 'CreateProcessWithToken'
+ - 'CreateRemoteThread'
- 'CreateThread'
- - 'memcpy'
- - 'LoadLibrary'
+ - 'CreateUserThread'
+ - 'DangerousGetHandle'
+ - 'DuplicateTokenEx'
+ - 'EnumerateSecurityPackages'
+ #- 'FreeHGlobal'
+ - 'FreeLibrary'
+ - 'GetDelegateForFunctionPointer'
+ - 'GetLogonSessionData'
- 'GetModuleHandle'
- 'GetProcAddress'
- - 'VirtualProtect'
- - 'FreeLibrary'
- - 'ReadProcessMemory'
- - 'CreateRemoteThread'
- - 'AdjustTokenPrivileges'
- # - 'WriteByte' # FP with .NET System.IO.FileStream
- - 'WriteInt32'
- - 'OpenThreadToken'
- # - 'PtrToString'
- # - 'FreeHGlobal'
- - 'ZeroFreeGlobalAllocUnicode'
- - 'OpenProcessToken'
- - 'GetTokenInformation'
- - 'SetThreadToken'
- - 'ImpersonateLoggedOnUser'
- - 'RevertToSelf'
- - 'GetLogonSessionData'
- - 'CreateProcessWithToken'
- - 'DuplicateTokenEx'
- - 'OpenWindowStation'
- - 'OpenDesktop'
- - 'MiniDumpWriteDump'
- - 'AddSecurityPackage'
- - 'EnumerateSecurityPackages'
- 'GetProcessHandle'
- - 'DangerousGetHandle'
+ - 'GetTokenInformation'
+ - 'ImpersonateLoggedOnUser'
- 'kernel32'
- - 'Advapi32'
+ - 'LoadLibrary'
+ - 'memcpy'
+ - 'MiniDumpWriteDump'
- 'msvcrt'
- 'ntdll'
- # - 'user32' # FP with chocolatey
+ - 'OpenDesktop'
+ - 'OpenProcess'
+ - 'OpenProcessToken'
+ - 'OpenThreadToken'
+ - 'OpenWindowStation'
+ #- 'PtrToString'
+ - 'QueueUserApc'
+ - 'ReadProcessMemory'
+ - 'RevertToSelf'
+ - 'RtlCreateUserThread'
- 'secur32'
- falsepositive1:
+ - 'SetThreadToken'
+ #- 'user32' # FP with chocolatey
+ - 'VirtualAlloc'
+ - 'VirtualFree'
+ - 'VirtualProtect'
+ - 'WaitForSingleObject'
+ #- 'WriteByte' # FP with .NET System.IO.FileStream
+ - 'WriteInt32'
+ - 'WriteProcessMemory'
+ - 'ZeroFreeGlobalAllocUnicode'
+ filter_amazon:
ScriptBlockText|startswith: '# Copyright 2016 Amazon.com, Inc. or its affiliates.' # aws scripts leverage CreateFile and CloseHandle may filter out these 2 items
- condition: selection and not 1 of falsepositive*
+ ScriptBlockText|contains: 'function Import-SerialPortUtil '
+ condition: selection and not 1 of filter_*
falsepositives:
- Carbon PowerShell Module (https://github.com/webmd-health-services/Carbon)
level: high
diff --git a/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
index d7c926141..738b0a267 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_malicious_commandlets.yml
@@ -22,6 +22,7 @@ references:
- https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1
- https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
- https://github.com/HarmJ0y/DAMP
+ - https://github.com/samratashok/nishang
author: Sean Metcalf, Florian Roth, Bartlomiej Czyz @bczyz1, oscd.community, Nasreddine Bencherchali, Tim Shelton, Mustafa Kaan Demir, Georg Lauenstein, Max Altgelt, Tobias Michalski, Austin Songer
date: 2017/03/05
modified: 2023/01/05
@@ -118,7 +119,7 @@ detection:
- 'Invoke-Farmer'
- 'Invoke-Get-RBCD-Threaded'
- 'Invoke-Gopher'
- - 'Invoke-Grouper' # cover Invoke-GrouperX
+ - 'Invoke-Grouper' # Also Covers Invoke-GrouperX
- 'Invoke-HandleKatz'
- 'Invoke-Internalmonologue'
- 'Invoke-Inveigh'
@@ -139,7 +140,7 @@ detection:
- 'Invoke-P0wnedshell'
- 'Invoke-Paranoia'
- 'Invoke-PortScan'
- - 'Invoke-PoshRatHttp'
+ - 'Invoke-PoshRatHttp' # Also Covers Invoke-PoshRatHttps
- 'Invoke-PostExfil'
- 'Invoke-PowerDump'
- 'Invoke-PowerShellTCP'
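Review bot: The new `filter_amazon` map holds two `ScriptBlockText` conditions (`|startswith` on the Amazon copyright header and `|contains: 'function Import-SerialPortUtil '`), and keys inside one Sigma map are ANDed, so the filter now only excludes AWS scripts that also define that function; any other AWS-copyright script that the old `falsepositive1` block excluded will start alerting again. If the two were meant as independent exclusions they belong in separate entries such as `filter_amazon` and `filter_serialport`, which `1 of filter_*` already covers; if the conjunction is intended, the inline comment should say so, since it currently explains only the copyright line. The trailing space in `'function Import-SerialPortUtil '` looks deliberate but deserves a short comment as well.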
@@ -171,7 +172,7 @@ detection:
- 'Invoke-SharpGPO-RemoteAccessPolicies'
- 'Invoke-SharpHandler'
- 'Invoke-SharpHide'
- - 'Invoke-Sharphound' # cover Invoke-SharpHound2, Invoke-SharpHound3,.
+ - 'Invoke-Sharphound' # Also Covers "Invoke-SharpHound2", "Invoke-SharpHound3"...etc.
- 'Invoke-SharpImpersonation'
- 'Invoke-SharpImpersonationNoSpace'
- 'Invoke-SharpKatz'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml b/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml
index b878064e2..f0648a849 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_nishang_malicious_commandlets.yml
@@ -6,7 +6,7 @@ references:
- https://github.com/samratashok/nishang
author: Alec Costello
date: 2019/05/16
-modified: 2023/01/02
+modified: 2023/01/09
tags:
- attack.execution
- attack.t1059.001
@@ -18,15 +18,21 @@ detection:
selection:
ScriptBlockText|contains:
- 'Add-ConstrainedDelegationBackdoor'
- - 'Add-Persistence'
+ #- 'Add-Persistence' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
+ #- 'Add-RegBackdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
+ #- 'Add-ScrnSaveBackdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
- 'Copy-VSS'
- 'Create-MultipleSessions'
- 'DataToEncode'
- 'DNS_TXT_Pwnage'
+ - 'Do-Exfiltration-Dns'
- 'Download_Execute'
- 'Download-Execute-PS'
+ - 'DownloadAndExtractFromRemoteRegistry'
- 'DumpCerts'
- 'DumpCreds'
+ - 'DumpHashes'
+ - 'Enable-DuplicateToken'
- 'Enable-Duplication'
- 'Execute-Command-MSSQL'
- 'Execute-DNSTXT-Code'
@@ -38,10 +44,14 @@ detection:
- 'FireBuster'
- 'FireListener'
- 'Get-Information'
+ #- 'Get-PassHashes' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
- 'Get-PassHints'
- 'Get-Web-Credentials'
+ - 'Get-WebCredentials'
- 'Get-WLAN-Keys'
+ #- 'Gupt-Backdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
- 'HTTP-Backdoor'
+ #- 'Invoke-ADSBackdoor' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
- 'Invoke-AmsiBypass'
- 'Invoke-BruteForce'
- 'Invoke-CredentialsPhish'
@@ -52,19 +62,21 @@ detection:
- 'Invoke-JSRatRundll'
- 'Invoke-MimikatzWDigestDowngrade'
- 'Invoke-NetworkRelay'
- - 'Invoke-PoshRatHttps'
+ #- 'Invoke-PortScan' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
+ #- 'Invoke-PoshRatHttp' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
- 'Invoke-PowerShellIcmp'
- 'Invoke-PowerShellUdp'
- 'Invoke-Prasadhak'
- 'Invoke-PSGcat'
- 'Invoke-PsGcatAgent'
+ #- 'Invoke-PsUACme' # Covered in 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
- 'Invoke-SessionGopher'
- 'Invoke-SSIDExfil'
#- Jitter # Prone to FPs
- - 'Keylogger'
+ #- 'Keylogger' # Too generic to be linked to Nishang
- 'LoggedKeys'
- 'Nishang'
- - 'NotAllNameSpaces'
+ - 'NotAllNameSpaces' # This is param to "Set-RemoteWMI"
- 'Out-CHM'
- 'OUT-DNSTXT'
- 'Out-HTA'
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_alias_obfscuation.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_alias_obfscuation.yml
new file mode 100644
index 000000000..adc258a79
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_alias_obfscuation.yml
@@ -0,0 +1,32 @@
+title: Potential PowerShell Obfuscation Using Character Join
+id: e8314f79-564d-4f79-bc13-fbc0bf2660d8
+related:
+ - id: 96cd126d-f970-49c4-848a-da3a09f55c55
+ type: derived
+status: experimental
+description: Detects specific techniques often seen used inside of PowerShell scripts to obfscuate Alias creation
+references:
+ - Internal Research
+author: Nasreddine Bencherchali
+date: 2023/01/09
+tags:
+ - attack.defense_evasion
+ - attack.execution
+ - attack.t1027
+ - attack.t1059.001
+logsource:
+ product: windows
+ category: ps_script
+ definition: 'Requirements: Script Block Logging must be enabled'
+detection:
+ selection:
+ # Example:
+ # Set-Alias -Name Y -Value (-join("Ne","w-O","bje","ct"))
+ # Set-Alias -Name X -Value (-join("Inv","oke","-","Exp","ression"))
+ ScriptBlockText|contains|all:
+ - '-Alias' # For both "New-Alias" and "Set-Alias"
+ - ' -Value (-join('
+ condition: selection
+falsepositives:
+ - Unknown
+level: low
diff --git a/rules/windows/powershell/powershell_script/posh_ps_susp_set_alias.yml b/rules/windows/powershell/powershell_script/posh_ps_susp_set_alias.yml
index abbc8cf1e..4ec7187d4 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_susp_set_alias.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_susp_set_alias.yml
@@ -1,5 +1,8 @@
title: Potential PowerShell Obfuscation Using Alias Cmdlets
id: 96cd126d-f970-49c4-848a-da3a09f55c55
+related:
+ - id: e8314f79-564d-4f79-bc13-fbc0bf2660d8
+ type: derived
status: experimental
description: Detects Set-Alias or New-Alias cmdlet usage. Which can be use as a mean to obfuscate PowerShell scripts
references:
@@ -10,7 +13,7 @@ tags:
- attack.defense_evasion
- attack.execution
- attack.t1027
- - attack.t1059.001
+ - attack.t1059.001
logsource:
product: windows
category: ps_script
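Review bot: The new rule's `description` misspells `obfscuate` (should be `obfuscate`), and the same typo is baked into the filename `posh_ps_susp_alias_obfscuation.yml`, which is harder to fix after merge than the text. The `related` blocks in this file and in the posh_ps_susp_set_alias.yml hunk each declare the other as `type: derived`, which is circular; only the new rule is derived from the existing one, so the entry added to posh_ps_susp_set_alias.yml should be `type: similar` or dropped. The `' -Value (-join('` term matches only that exact spacing, so a comment on that line such as `# Exact spacing as in the examples above` would make the rule's intended scope explicit.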
diff --git a/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml b/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml
index a876d74a3..52ac2b8d8 100644
--- a/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml
+++ b/rules/windows/process_access/proc_access_win_invoke_patchingapi.yml
@@ -7,6 +7,7 @@ references:
- https://twitter.com/D1rkMtr/status/1611471891193298944?s=20
author: frack113
date: 2023/01/07
+modified: 2023/01/09
tags:
- attack.defense_evasion
- attack.t1562.002
@@ -19,7 +20,13 @@ detection:
CallTrace|startswith: 'C:\Windows\SYSTEM32\ntdll.dll+'
CallTrace|contains: '|UNKNOWN('
CallTrace|endswith: ')'
- condition: selection
+ filter_msbuild:
+ SourceImage|startswith: 'C:\Program Files\Microsoft Visual Studio\'
+ SourceImage|endswith:
+ - '\MSBuild\Current\Bin\amd64\MSBuild.exe'
+ - '\MSBuild\Current\Bin\MSBuild.exe'
+ TargetImage|startswith: 'C:\Program Files\Microsoft Visual Studio\'
+ condition: selection and not 1 filter_*
falsepositives:
- Unknown
level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_inline_win_api_access.yml b/rules/windows/process_creation/proc_creation_win_inline_win_api_access.yml
index 6b958a271..4b192abfd 100644
--- a/rules/windows/process_creation/proc_creation_win_inline_win_api_access.yml
+++ b/rules/windows/process_creation/proc_creation_win_inline_win_api_access.yml
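Review bot: The new condition in the `@@ -19,7 +20,13 @@` hunk, `selection and not 1 filter_*`, is missing the keyword `of`; Sigma's quantifier syntax is `1 of filter_*`, so this line will fail to parse and the rule will not compile, which is worse than the missing filter it was meant to add. It should read `condition: selection and not 1 of filter_*`, matching the form used in the other rules touched by this commit. The `filter_msbuild` map itself, constraining both `SourceImage` and `TargetImage` to `C:\Program Files\Microsoft Visual Studio\`, looks reasonable.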
@@ -1,15 +1,15 @@
-title: Potential WinAPI Access Via CommandLine
+title: Potential WinAPI Calls Via CommandLine
id: ba3f5c1b-6272-4119-9dbd-0bc8d21c2702
related:
- id: 03d83090-8cba-44a0-b02f-0b756a050306
type: derived
status: experimental
-description: Detects the use of WinAPI Functions via the commandline as seen used by threat actors via the tool winapiexec
+description: Detects the use of WinAPI Functions via the commandline. As seen used by threat actors via the tool winapiexec
references:
- https://twitter.com/m417z/status/1566674631788007425
author: Nasreddine Bencherchali
date: 2022/09/06
-modified: 2022/12/29
+modified: 2023/01/09
tags:
- attack.execution
- attack.t1106
@@ -19,52 +19,53 @@ logsource:
detection:
selection:
CommandLine|contains:
- - ' WaitForSingleObject '
- - ' QueueUserApc '
- - ' RtlCreateUserThread '
- - ' OpenProcess '
- - ' VirtualAlloc '
- - ' VirtualFree '
- - ' WriteProcessMemory '
- - ' CreateUserThread '
- - ' CloseHandle '
- - ' GetDelegateForFunctionPointer '
- - ' CreateThread '
- - ' memcpy '
- - ' LoadLibrary '
- - ' GetModuleHandle '
- - ' GetProcAddress '
- - ' VirtualProtect '
- - ' FreeLibrary '
- - ' ReadProcessMemory '
- - ' CreateRemoteThread '
- - ' AdjustTokenPrivileges '
- - ' WriteInt32 '
- - ' OpenThreadToken '
- - ' PtrToString '
- - ' FreeHGlobal '
- - ' ZeroFreeGlobalAllocUnicode '
- - ' OpenProcessToken '
- - ' GetTokenInformation '
- - ' SetThreadToken '
- - ' ImpersonateLoggedOnUser '
- - ' RevertToSelf '
- - ' GetLogonSessionData '
- - ' CreateProcessWithToken '
- - ' DuplicateTokenEx '
- - ' OpenWindowStation '
- - ' OpenDesktop '
- - ' MiniDumpWriteDump '
- - ' AddSecurityPackage '
- - ' EnumerateSecurityPackages '
- - ' GetProcessHandle '
- - ' DangerousGetHandle '
- - ' kernel32 '
- - ' Advapi32 '
- - ' msvcrt '
- - ' ntdll '
- - ' user32 ' # FP with chocolatey
- - ' secur32 '
+ - 'AddSecurityPackage'
+ - 'AdjustTokenPrivileges'
+ - 'Advapi32'
+ - 'CloseHandle'
+ - 'CreateProcessWithToken'
+ - 'CreatePseudoConsole'
+ - 'CreateRemoteThread'
+ - 'CreateThread'
+ - 'CreateUserThread'
+ - 'DangerousGetHandle'
+ - 'DuplicateTokenEx'
+ - 'EnumerateSecurityPackages'
+ - 'FreeHGlobal'
+ - 'FreeLibrary'
+ - 'GetDelegateForFunctionPointer'
+ - 'GetLogonSessionData'
+ - 'GetModuleHandle'
+ - 'GetProcAddress'
+ - 'GetProcessHandle'
+ - 'GetTokenInformation'
+ - 'ImpersonateLoggedOnUser'
+ - 'kernel32'
+ - 'LoadLibrary'
+ - 'memcpy'
+ - 'MiniDumpWriteDump'
+ #- 'msvcrt'
+ - 'ntdll'
+ - 'OpenDesktop'
+ - 'OpenProcess'
+ - 'OpenProcessToken'
+ - 'OpenThreadToken'
+ - 'OpenWindowStation'
+ - 'PtrToString'
+ - 'QueueUserApc'
+ - 'ReadProcessMemory'
+ - 'RevertToSelf'
+ - 'RtlCreateUserThread'
+ - 'secur32'
+ - 'SetThreadToken'
+ #- 'user32'
+ - 'VirtualAlloc'
+ - 'VirtualFree'
+ - 'VirtualProtect'
+ - 'WaitForSingleObject'
+ - 'WriteInt32'
+ - 'WriteProcessMemory'
+ - 'ZeroFreeGlobalAllocUnicode'
condition: selection
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_susp_tracker_execution.yml b/rules/windows/process_creation/proc_creation_win_lolbin_tracker.yml
similarity index 83%
rename from rules/windows/process_creation/proc_creation_win_susp_tracker_execution.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_tracker.yml
index aaecb1564..7d8d38076 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_tracker_execution.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_tracker.yml
@@ -1,12 +1,12 @@
-title: DLL Injection with Tracker.exe
+title: Potential DLL Injection Or Execution Using Tracker.exe
id: 148431ce-4b70-403d-8525-fcc2993f29ea
status: test
-description: This rule detects DLL injection and execution via LOLBAS - Tracker.exe
+description: Detects potential DLL injection and execution using "Tracker.exe"
references:
- https://lolbas-project.github.io/lolbas/OtherMSBinaries/Tracker/
author: 'Avneet Singh @v3t0_, oscd.community'
date: 2020/10/18
-modified: 2023/01/06
+modified: 2023/01/09
tags:
- attack.defense_evasion
- attack.t1055.001
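Review bot: Dropping the surrounding spaces from every term in the `@@ -19,52 +19,53 @@` hunk (e.g. `' CloseHandle '` → `'CloseHandle'`, `' kernel32 '` → `'kernel32'`) turns whole-token matches into bare substring matches on the full command line, so tokens such as `kernel32`, `ntdll`, `memcpy`, `CreateThread` or `LoadLibrary` appearing inside a path, script name or build argument will now fire the rule. The old padding appears to have been deliberate for the winapiexec argument form named in the description, and the hunk neither lowers the level nor adds a filter to compensate. Either keep the padded form, at least for the short module names `kernel32`, `ntdll`, `secur32` and `Advapi32`, or add a comment recording why substring matching was accepted and extend `falsepositives` beyond `Unknown`. `CreatePseudoConsole` is a newly added term with no reference explaining its inclusion.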
@@ -28,12 +28,9 @@ detection:
# GrandparentImage: C:\Program Files\Microsoft Visual Studio\2022\Community\Msbuild\Current\Bin\MSBuild.exe
# ParentCommandLine: "C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe" /nologo /nodemode:1 /nodeReuse:true /low:false
# CommandLine: "C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\Tracker.exe" @"C:\Users\user\AppData\Local\Temp\tmp05c7789bc5534838bf96d7a0fed1ffff.tmp" /c "C:\Program Files\Microsoft Visual Studio\2022\Community\VC\Tools\MSVC\14.29.30133\bin\HostX86\x64\Lib.exe"
- ParentImage|endswith:
+ ParentImage|endswith:
- '\Msbuild\Current\Bin\MSBuild.exe'
- '\Msbuild\Current\Bin\amd64\MSBuild.exe'
- CommandLine|contains|all:
- - '\VC\Tools\MSVC\'
- - '\bin\HostX86\x64\'
condition: all of selection_* and not 1 of filter_*
falsepositives:
- Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_malicious_cmdlets.yml b/rules/windows/process_creation/proc_creation_win_malicious_cmdlets.yml
index 0be61da5f..0010cf33a 100644
--- a/rules/windows/process_creation/proc_creation_win_malicious_cmdlets.yml
+++ b/rules/windows/process_creation/proc_creation_win_malicious_cmdlets.yml
@@ -18,6 +18,7 @@ references:
- https://github.com/BloodHoundAD/BloodHound/blob/0927441f67161cc6dc08a53c63ceb8e333f55874/Collectors/AzureHound.ps1
- https://bloodhound.readthedocs.io/en/latest/data-collection/azurehound.html
- https://github.com/HarmJ0y/DAMP
+ - https://github.com/samratashok/nishang
author: Nasreddine Bencherchali
date: 2023/01/02
modified: 2023/01/05
@@ -113,7 +114,7 @@ detection:
- 'Invoke-Farmer'
- 'Invoke-Get-RBCD-Threaded'
- 'Invoke-Gopher'
- - 'Invoke-Grouper' # cover Invoke-GrouperX
+ - 'Invoke-Grouper' # Also Covers Invoke-GrouperX
- 'Invoke-HandleKatz'
- 'Invoke-Internalmonologue'
- 'Invoke-Inveigh'
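Review bot: Removing the `CommandLine|contains|all` clause leaves this filter matching on `ParentImage|endswith` alone, so every Tracker.exe process whose parent is MSBuild.exe is now excluded regardless of what it was asked to run, whereas before the exclusion also required the VC toolset paths shown in the example comment above. If the narrower clause was dropped because of false positives, a one-line comment such as `# Any MSBuild-spawned Tracker.exe is excluded; CommandLine is intentionally not checked` would record that trade-off for the next reader. The enclosing filter block starts outside the hunk, so its name is not visible here.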
@@ -134,7 +135,7 @@ detection:
- 'Invoke-P0wnedshell'
- 'Invoke-Paranoia'
- 'Invoke-PortScan'
- - 'Invoke-PoshRatHttp'
+ - 'Invoke-PoshRatHttp' # Also Covers Invoke-PoshRatHttps
- 'Invoke-PostExfil'
- 'Invoke-PowerDump'
- 'Invoke-PowerShellTCP'
@@ -166,7 +167,7 @@ detection:
- 'Invoke-SharpGPO-RemoteAccessPolicies'
- 'Invoke-SharpHandler'
- 'Invoke-SharpHide'
- - 'Invoke-Sharphound' # cover Invoke-SharpHound2, Invoke-SharpHound3,.
+ - 'Invoke-Sharphound' # Also Covers "Invoke-SharpHound2", "Invoke-SharpHound3"...etc.
- 'Invoke-SharpImpersonation'
- 'Invoke-SharpImpersonationNoSpace'
- 'Invoke-SharpKatz'
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml b/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml
index a1c10513c..bd19bc629 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_reverse_shell_connection.yml
@@ -1,13 +1,14 @@
-title: Powershell Reverse Shell Connection
+title: Potential Powershell ReverseShell Connection
id: edc2f8ae-2412-4dfd-b9d5-0c57727e70be
-status: experimental
-description: Detects the Nishang Invoke-PowerShellTcpOneLine reverse shell
+status: stable
+description: Detects usage of the "TcpClient" class. Which can be abused to establish remote connections and reverse-shells. As seen used by the Nishang "Invoke-PowerShellTcpOneLine" reverse shell.
references:
- https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
+ - https://github.com/samratashok/nishang/blob/414ee1104526d7057f9adaeee196d91ae447283e/Shells/Invoke-PowerShellTcpOneLine.ps1
author: FPT.EagleEye, wagga
date: 2021/03/03
-modified: 2022/07/14
+modified: 2023/01/09
tags:
- attack.execution
- attack.t1059.001
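Review bot: `status` moves from `experimental` to `stable` in the `@@ -1,13 +1,14 @@` hunk of the reverse-shell rule, in the same commit that rewrites the rule's entire detection logic (the `selection_img`/`selection_cli` split in the next hunk), so no field data exists yet for the new logic. Sigma's convention is for rewritten rules to pass through `test` before `stable`; `status: test` is the defensible value here. The new description is also made of fragments (`Which can be abused ...`, `As seen used by ...`); `Detects usage of the "TcpClient" class, which can be abused to establish remote connections and reverse shells, as seen in the Nishang "Invoke-PowerShellTcpOneLine" reverse shell.` reads as one sentence.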
@@ -15,15 +16,19 @@ logsource:
category: process_creation
product: windows
detection:
- selection:
- Image|endswith:
+ selection_img:
+ - OriginalFileName:
+ - 'PowerShell.EXE'
+ - 'pwsh.dll'
+ - Image|endswith:
- '\powershell.exe'
- '\pwsh.exe'
- CommandLine|contains: 'new-object system.net.sockets.tcpclient'
- condition: selection
-fields:
- - CommandLine
- - ParentCommandLine
+ selection_cli:
+ CommandLine|contains|all:
+ - ' System.Net.Sockets.TCPClient'
+ - '.GetBytes'
+ - '.Write'
+ condition: all of selection_*
falsepositives:
- - Administrative might use this function for checking network connectivity
+ - Administrative might use this function to check network connectivity
level: high
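Review bot: The new `selection_cli` term `' System.Net.Sockets.TCPClient'` carries a leading space, so it requires the class name to be preceded by whitespace as in the `New-Object` form of the referenced Nishang script; a comment on that line such as `# Leading space intentional: matches the New-Object form used by Invoke-PowerShellTcpOneLine` would make the limitation explicit. `'.Write'` is a very short conjunct that also matches `.WriteLine` and similar members, so it adds little precision beyond the first two terms and could use a comment or a longer token. The rewritten falsepositives line should read `- Administrators might use this function to check network connectivity`.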