From 4b9075e5570758ecf4654a56e9a5c4b7f9b7a2ee Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 28 Nov 2022 12:09:00 +0100
Subject: [PATCH 1/5] feat: new rules related to service creation
New service creation rules related to remote software tools
---
 ...=> win_system_service_install_anydesk.yml} | 0
 .../win_system_service_install_mesh_agent.yml | 25 +++++++++++++++++++
 ...win_system_service_install_tacticalrmm.yml | 25 +++++++++++++++++++
 3 files changed, 50 insertions(+)
 rename rules/windows/builtin/system/{win_system_anydesk_service_installation.yml => win_system_service_install_anydesk.yml} (100%)
 create mode 100644 rules/windows/builtin/system/win_system_service_install_mesh_agent.yml
 create mode 100644 rules/windows/builtin/system/win_system_service_install_tacticalrmm.yml
diff --git a/rules/windows/builtin/system/win_system_anydesk_service_installation.yml b/rules/windows/builtin/system/win_system_service_install_anydesk.yml
similarity index 100%
rename from rules/windows/builtin/system/win_system_anydesk_service_installation.yml
rename to rules/windows/builtin/system/win_system_service_install_anydesk.yml
diff --git a/rules/windows/builtin/system/win_system_service_install_mesh_agent.yml b/rules/windows/builtin/system/win_system_service_install_mesh_agent.yml
new file mode 100644
index 000000000..2d51a1dad
--- /dev/null
+++ b/rules/windows/builtin/system/win_system_service_install_mesh_agent.yml
@@ -0,0 +1,25 @@
+title: Mesh Agent Service Installation
+id: e0d1ad53-c7eb-48ec-a87a-72393cc6cedc
+status: experimental
+description: Detects a Mesh Agent service installation. Mesh Agent is used to remotely manage computers
+references:
+ - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
+author: Nasreddine Bencherchali
+date: 2022/11/28
+tags:
+ - attack.command_and_control
+ - attack.t1219
+logsource:
+ product: windows
+ service: system
+detection:
+ selection_root:
+ Provider_Name: 'Service Control Manager'
+ EventID: 7045
+ selection_service:
+ - ImagePath|contains: 'MeshAgent.exe'
+ - ServiceName|contains: 'Mesh Agent'
+ condition: all of selection_*
+falsepositives:
+ - Legitimate use of the tool
+level: medium
diff --git a/rules/windows/builtin/system/win_system_service_install_tacticalrmm.yml b/rules/windows/builtin/system/win_system_service_install_tacticalrmm.yml
new file mode 100644
index 000000000..ea4a33722
--- /dev/null
+++ b/rules/windows/builtin/system/win_system_service_install_tacticalrmm.yml
@@ -0,0 +1,25 @@
+title: TacticalRMM Service Installation
+id: 4bb79b62-ef12-4861-981d-2aab43fab642
+status: experimental
+description: Detects a TacticalRMM service installation. Tactical RMM is a remote monitoring & management tool.
+references:
+ - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
+author: Nasreddine Bencherchali
+date: 2022/11/28
+tags:
+ - attack.command_and_control
+ - attack.t1219
+logsource:
+ product: windows
+ service: system
+detection:
+ selection_root:
+ Provider_Name: 'Service Control Manager'
+ EventID: 7045
+ selection_service:
+ - ImagePath|contains: 'tacticalrmm.exe'
+ - ServiceName|contains: 'TacticalRMM Agent Service'
+ condition: all of selection_*
+falsepositives:
+ - Legitimate use of the tool
+level: medium
From 81e8acf535753deb776fdc8330b145c0afb2324e Mon Sep 17 00:00:00 2001
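Review bot: Both new rules key only on the tool's default image and service names (`ImagePath|contains: 'MeshAgent.exe'` / `ServiceName|contains: 'Mesh Agent'` here, `tacticalrmm.exe` / `TacticalRMM Agent Service` in the next hunk), and the description does not say so, which matters because `falsepositives` is "Legitimate use of the tool" and the analyst has to decide from the description alone whether this is a sanctioned RMM agent. Suggest stating it: `description: Detects a Mesh Agent service installation by its default image path and service name. Mesh Agent is a remote management agent; treat the installation as suspicious where the tool is not sanctioned in the environment.` The same wording applies to the TacticalRMM rule. An agent installed under a renamed binary or service would not match either selection; if that is a deployment option the tool offers, it is worth noting in the rule so the gap is known.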
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 28 Nov 2022 13:19:37 +0100
Subject: [PATCH 2/5] fix: fix fp in testing
---
 ...c_creation_win_raspberry_robin_single_dot_ending_file.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_raspberry_robin_single_dot_ending_file.yml b/rules/windows/process_creation/proc_creation_win_raspberry_robin_single_dot_ending_file.yml
index e909bcbd2..dabffeceb 100644
--- a/rules/windows/process_creation/proc_creation_win_raspberry_robin_single_dot_ending_file.yml
+++ b/rules/windows/process_creation/proc_creation_win_raspberry_robin_single_dot_ending_file.yml
@@ -1,11 +1,12 @@
 title: Raspberry Robin Dot Ending File
 id: a35c97c8-d9c4-4c89-a3e7-533dc0bcb73a
 status: experimental
-description: Detects commandline containing reference to files ending with a ".". This scheme has been seen used by raspberry-robin
+description: Detects commandline containing reference to files ending with a "." This scheme has been seen used by raspberry-robin
 author: Nasreddine Bencherchali
 references:
 - https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/
 date: 2022/10/28
+modified: 2022/11/28
 tags:
 - attack.execution
 logsource:
@@ -16,7 +17,7 @@ detection:
 # Example 1: https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/10/fig-3f-raspberryrobin-runonce.png
 # Example 2: https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/10/fig-5f-odbcconf.png
 # Example 3: https://www.microsoft.com/en-us/security/blog/wp-content/uploads/2022/10/fig-6f-fauppod-command-line.png
- CommandLine|re: "\\.[a-zA-Z0-9]{1,6}\\.[ |\"|']{0,1}"
+ CommandLine|re: "\\.[a-zA-Z0-9]{1,6}\\.[ |\"|']{1}"
 filter:
 # This filter is used to exclude double extension files
 CommandLine|re: "\\.[a-zA-Z0-9]{1,6}\\.[a-zA-Z0-9]{1}"
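Review bot: Inside a character class `|` is a literal, not alternation, so the new pattern `[ |\"|']{1}` still accepts a pipe after the trailing dot (e.g. `file.txt.|`) and the `{1}` quantifier is redundant; if only a space or a quote is meant, the class should be `CommandLine|re: "\\.[a-zA-Z0-9]{1,6}\\.[ \"']"`. The filter regex on the last line of the hunk carries the same redundant `{1}`. Replacing `{0,1}` with `{1}` also means a command line that ends immediately after the dot no longer matches; that looks deliberate for the false-positive fix but deserves a short comment above the regex so the next change does not reintroduce it. The detection block continues outside the hunk.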
From 04a1d29eacf9645050656d05da4109f3f494cedd Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 29 Nov 2022 23:24:34 +0100
Subject: [PATCH 3/5] feat: update driver rules
---
 .../driver_load/driver_load_vuln_drivers.yml | 30 ++++++++++++++++++-
 .../driver_load_vuln_drivers_names.yml | 8 ++++-
 2 files changed, 36 insertions(+), 2 deletions(-)
diff --git a/rules/windows/driver_load/driver_load_vuln_drivers.yml b/rules/windows/driver_load/driver_load_vuln_drivers.yml
index d544236f3..5d9bf7866 100644
--- a/rules/windows/driver_load/driver_load_vuln_drivers.yml
+++ b/rules/windows/driver_load/driver_load_vuln_drivers.yml
@@ -21,7 +21,7 @@ references:
 - https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part
 author: Nasreddine Bencherchali
 date: 2022/08/18
-modified: 2022/11/28
+modified: 2022/11/29
 tags:
 - attack.privilege_escalation
 - attack.t1543.003
@@ -287,6 +287,13 @@ detection:
 # Vuln driver version obtained from: https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part
 # Version hash obtained from: https://winbindex.m417z.com/?arch=&file=clfs.sys
 - 'SHA1=06232f7ea7ea24102d452427aedbbc8b8e188a0c'
+ # Powertool Drivers obtained from VT by pivoting on the Imphash: f5030145594c486434040aa2636a5dde
+ - 'SHA1=a380aeb3ffaecc53ca48bb1d4d622c46f1de7962'
+ - 'SHA1=4927d843577bada119a17b249ff4e7f5e9983a92'
+ - 'SHA1=e5114fd50904c7fb75d8c86367b9a2dd4f79dfb1'
+ - 'SHA1=3ccf1f3ac636a5e21b39ede48ff49fa23e05413f'
+ - 'SHA1=755349d56cdd668ca22eebc4fc89f0cccef47327'
+ - 'SHA1=56af49e030eb85528e82849d7d1b6147f3c4973e'
 # The list below is from https://github.com/namazso/physmem_drivers
 - 'SHA256=05F052C64D192CF69A462A5EC16DDA0D43CA5D0245900C9FCB9201685A2E7748'
 - 'SHA256=4045AE77859B1DBF13972451972EAAF6F3C97BEA423E9E78F1C2F14330CD47CA'
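Review bot: The comment added above the six new `SHA1=` entries says the hashes were obtained by pivoting on an Imphash, but an Imphash identifies an import table and build toolchain rather than a specific file, so such a pivot can pull in unrelated drivers that share it; the comment should record that each sample was confirmed to be the PowerTool driver, e.g. `# PowerTool (kEvP64) driver builds found via Imphash f5030145594c486434040aa2636a5dde on VT; each sample verified as the PowerTool driver`. The same block is repeated in the hunks at -540, -798 and -1059 and those comments should match. If the Sysmon configuration records IMPHASH in the Hashes field, an `'IMPHASH=f5030145594c486434040aa2636a5dde'` entry next to the SHA values would also cover builds not yet hashed, with the collision caveat above applying to that entry.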
@@ -540,6 +547,13 @@ detection:
 # Vuln driver version obtained from: https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part
 # Version hash obtained from: https://winbindex.m417z.com/?arch=&file=clfs.sys
 - 'SHA256=5d712d3fad791bdc67502ed7c6586ca39d12ae26c7b245c36effec92e3cda08e'
+ # Powertool Drivers obtained from VT by pivoting on the Imphash: f5030145594c486434040aa2636a5dde
+ - 'SHA256=e61004335dfe7349f2b2252baa1e111fb47c0f2d6c78a060502b6fcc92f801e4'
+ - 'SHA256=7c0f77d103015fc29379ba75d133dc3450d557b0ba1f7495c6b43447abdae230'
+ - 'SHA256=97363f377aaf3c01641ac04a15714acbec978afb1219ac8f22c7e5df7f2b2d56'
+ - 'SHA256=8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f'
+ - 'SHA256=09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184'
+ - 'SHA256=2a4f4400402cdc475d39389645ca825bb0e775c3ecb7c527e30c5be44e24af7d'
 selection_other:
 - SHA1:
 # The list below is from https://github.com/namazso/physmem_drivers and the SHA1 are from VT
@@ -798,6 +812,13 @@ detection:
 # Vuln driver version obtained from: https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part
 # Version hash obtained from: https://winbindex.m417z.com/?arch=&file=clfs.sys
 - '06232f7ea7ea24102d452427aedbbc8b8e188a0c'
+ # Powertool Drivers obtained from VT by pivoting on the Imphash: f5030145594c486434040aa2636a5dde
+ - 'a380aeb3ffaecc53ca48bb1d4d622c46f1de7962'
+ - '4927d843577bada119a17b249ff4e7f5e9983a92'
+ - 'e5114fd50904c7fb75d8c86367b9a2dd4f79dfb1'
+ - '3ccf1f3ac636a5e21b39ede48ff49fa23e05413f'
+ - '755349d56cdd668ca22eebc4fc89f0cccef47327'
+ - '56af49e030eb85528e82849d7d1b6147f3c4973e'
 - SHA256:
 # The list below is from https://github.com/namazso/physmem_drivers
 - '04A85E359525D662338CAE86C1E59B1D7AA9BD12B920E8067503723DC1E03162'
@@ -1059,6 +1080,13 @@ detection:
 # Vuln driver version obtained from: https://www.zscaler.com/blogs/security-research/technical-analysis-windows-clfs-zero-day-vulnerability-cve-2022-37969-part
 # Version hash obtained from: https://winbindex.m417z.com/?arch=&file=clfs.sys
 - '5d712d3fad791bdc67502ed7c6586ca39d12ae26c7b245c36effec92e3cda08e'
+ # Powertool Drivers obtained from VT by pivoting on the Imphash: f5030145594c486434040aa2636a5dde
+ - 'e61004335dfe7349f2b2252baa1e111fb47c0f2d6c78a060502b6fcc92f801e4'
+ - '7c0f77d103015fc29379ba75d133dc3450d557b0ba1f7495c6b43447abdae230'
+ - '97363f377aaf3c01641ac04a15714acbec978afb1219ac8f22c7e5df7f2b2d56'
+ - '8e6363a6393eb4234667c6f614b2072e33512866b3204f8395bbe01530d63f2f'
+ - '09b0e07af8b17db1d896b78da4dd3f55db76738ee1f4ced083a97d737334a184'
+ - '2a4f4400402cdc475d39389645ca825bb0e775c3ecb7c527e30c5be44e24af7d'
 condition: 1 of selection*
 falsepositives:
 - Unknown
diff --git a/rules/windows/driver_load/driver_load_vuln_drivers_names.yml b/rules/windows/driver_load/driver_load_vuln_drivers_names.yml
index 36e520478..4cc6e8b17 100644
--- a/rules/windows/driver_load/driver_load_vuln_drivers_names.yml
+++ b/rules/windows/driver_load/driver_load_vuln_drivers_names.yml
@@ -20,7 +20,7 @@ references:
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37969
 author: Nasreddine Bencherchali
 date: 2022/10/03
-modified: 2022/10/17
+modified: 2022/11/29
 tags:
 - attack.privilege_escalation
 - attack.t1543.003
@@ -187,6 +187,7 @@ detection:
 - '\gmer.sys'
 - '\PCADRVX64.sys'
 - '\clfs.sys'
+ - ''
 # WinRing0 other names from VT (https://eclypsium.com/2019/11/12/mother-of-all-drivers/)
 - '\ActiveHealth.sys'
 - '\CAM_V3.sys'
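Review bot: The `+ - ''` added after `'\clfs.sys'` in driver_load_vuln_drivers_names.yml is an empty value in what appears to be a suffix-match list (the field and modifier sit above the hunk), and an empty suffix matches every driver path, so at this revision the rule would fire on every driver load; PATCH 5/5 in this series removes the line again. Squashing that removal into this commit keeps the series bisect-clean and avoids a deployable revision that alerts on everything. A rule-validation step that rejects empty strings in selection lists would catch this class of mistake before merge.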
@@ -203,6 +204,11 @@ detection:
 - '\ohm.sys'
 - '\sensorsview32_64.sys'
 - '\touchpointanalyticsclient.sys'
+ # PowerTool driver (kEvP64) renames from VT
+ - '\CQg5Jf.sys'
+ - '\HCdRDh.sys'
+ - '\NcDgDn.sys'
+ - '\vLTZ19.sys'
 condition: selection
 falsepositives:
 - Some false positives may occure if one of the vulnerable driver names mentioned above didn't change it's name between versions. So always make sure that the driver being loaded is the legitimate one and the non vulnerable version.
From 02e68a3d2658d8807d1afdcfbe7aea02b8cc2ee5 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 29 Nov 2022 23:24:49 +0100
Subject: [PATCH 4/5] feat: new powertool rule
---
 .../proc_creation_win_powertool_execution.yml | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_powertool_execution.yml
diff --git a/rules/windows/process_creation/proc_creation_win_powertool_execution.yml b/rules/windows/process_creation/proc_creation_win_powertool_execution.yml
new file mode 100644
index 000000000..89f26df5e
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_powertool_execution.yml
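Review bot: The comment `# PowerTool driver (kEvP64) renames from VT` names the original driver but the hunk only adds the four random-looking renames, and the rest of the list is outside the hunk; if `\kEvP64.sys` is not already present above, it should be added alongside these. Six-character random names observed on VT are ephemeral, so the hash-based rule in driver_load_vuln_drivers.yml remains the durable control and the comment could say so: `# PowerTool driver (kEvP64) renames seen on VT; hash matches live in driver_load_vuln_drivers.yml`.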
@@ -0,0 +1,27 @@
+title: PowerTool Execution
+id: a34f79a3-8e5f-4cc3-b765-de00695452c2
+status: experimental
+description: Detects the execution of the tool PowerTool which has the ability to kill a process, delete its process file, unload drivers, and delete the driver files
+references:
+ - https://thedfirreport.com/2022/11/28/emotet-strikes-again-lnk-file-leads-to-domain-wide-ransomware/
+ - https://www.trendmicro.com/en_us/research/22/i/play-ransomware-s-attack-playbook-unmasks-it-as-another-hive-aff.html
+ - https://twitter.com/gbti_sa/status/1249653895900602375?lang=en
+ - https://www.softpedia.com/get/Antivirus/Removal-Tools/ithurricane-PowerTool.shtml
+author: Nasreddine Bencherchali
+date: 2022/11/29
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection:
+ - Image|endswith:
+ - '\PowerTool.exe'
+ - '\PowerTool64.exe'
+ - OriginalFileName: 'PowerTool.exe'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
From d82e3de11ce582b03077936950ebfee377f479e7 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Wed, 30 Nov 2022 00:57:38 +0100
Subject: [PATCH 5/5] fix: fix empty field in selection
---
 rules/windows/driver_load/driver_load_vuln_drivers_names.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/rules/windows/driver_load/driver_load_vuln_drivers_names.yml b/rules/windows/driver_load/driver_load_vuln_drivers_names.yml
index 4cc6e8b17..07d18c8ef 100644
--- a/rules/windows/driver_load/driver_load_vuln_drivers_names.yml
+++ b/rules/windows/driver_load/driver_load_vuln_drivers_names.yml
@@ -187,7 +187,6 @@ detection:
 - '\gmer.sys'
 - '\PCADRVX64.sys'
 - '\clfs.sys'
- - ''
 # WinRing0 other names from VT (https://eclypsium.com/2019/11/12/mother-of-all-drivers/)
 - '\ActiveHealth.sys'
 - '\CAM_V3.sys'
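Review bot: `OriginalFileName: 'PowerTool.exe'` is offered as the rename-resistant alternative to the two `Image|endswith` values, but whether the 64-bit build's version resource also reports `PowerTool.exe` is not established by anything in the rule; if it reports `PowerTool64.exe`, that branch silently misses the renamed 64-bit binary and the selection should list both values, so it is worth checking against a sample of each build before relying on it. `falsepositives: Unlikely` also sits oddly next to the softpedia reference, which shows the tool is publicly distributed as an anti-rootkit utility; `- Legitimate use by administrators or security researchers` would give triage an honest starting point while keeping `level: high` for environments where the tool is not sanctioned.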