From a1222c7716cf58fba03e10278d7a80674f674e33 Mon Sep 17 00:00:00 2001
From: frack113
Date: Fri, 17 Sep 2021 19:50:30 +0200
Subject: [PATCH 1/4] Update sysmon_apt_oceanlotus_registry

---
 .../sysmon_apt_oceanlotus_registry.yml | 35 ++++++++++---------
 1 file changed, 19 insertions(+), 16 deletions(-)

diff --git a/rules/windows/registry_event/sysmon_apt_oceanlotus_registry.yml b/rules/windows/registry_event/sysmon_apt_oceanlotus_registry.yml
index d726d245e..cd6eefdbf 100755
--- a/rules/windows/registry_event/sysmon_apt_oceanlotus_registry.yml
+++ b/rules/windows/registry_event/sysmon_apt_oceanlotus_registry.yml
@@ -4,39 +4,42 @@ status: experimental
 description: Detects registry keys created in OceanLotus (also known as APT32) attacks
 references:
 - https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/
+ - https://github.com/eset/malware-ioc/tree/master/oceanlotus
 tags:
 - attack.defense_evasion
 - attack.t1112
 author: megan201296, Jonhnathan Ribeiro
 date: 2019/04/14
-modified: 2021/09/13
+modified: 2021/09/17
 logsource:
 category: registry_event
 product: windows
 detection:
- selection:
- TargetObject:
- - 'HKCU\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model'
+ ioc_1:
+ TargetObject: 'HKCU\SOFTWARE\Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model'
+ ioc_2:
+ TargetObject|startswith: - HKCU\SOFTWARE\App\ - HKLM\SOFTWARE\App\
+ TargetObject|contains: - AppXbf13d4ea2945444d8b13e2121cb6b663\ - AppX70162486c7554f7f80f481985d67586d\ - AppX37cc7fdccd644b4f85f4b22d5a3f105a\
 TargetObject|endswith:
- # covers HKU\* and HKLM..
- - '\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\Application'
- - '\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\DefaultIcon'
- - '\SOFTWARE\App\AppX70162486c7554f7f80f481985d67586d\Application'
- - '\SOFTWARE\App\AppX70162486c7554f7f80f481985d67586d\DefaultIcon'
- - '\SOFTWARE\App\AppX37cc7fdccd644b4f85f4b22d5a3f105a\Application'
- - '\SOFTWARE\App\AppX37cc7fdccd644b4f85f4b22d5a3f105a\DefaultIcon'
+ - Application
+ - DefaultIcon
 selection2:
 TargetObject|startswith:
 - 'HKCU\'
 TargetObject|contains:
 # HKCU\SOFTWARE\Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\
- - '_Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\'
+ - 'Classes\AppXc52346ec40fb4061ad96be0e6cb7d16a\'
 # HKCU\SOFTWARE\Classes\AppX3bbba44c6cae4d9695755183472171e2\
- - '_Classes\AppX3bbba44c6cae4d9695755183472171e2\'
+ - 'Classes\AppX3bbba44c6cae4d9695755183472171e2\'
 # HKCU\SOFTWARE\Classes\CLSID\{E3517E26-8E93-458D-A6DF-8030BC80528B}\
- - '_Classes\CLSID\{E3517E26-8E93-458D-A6DF-8030BC80528B}\'
- - '_Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model'
- condition: selection or selection2
+ - 'Classes\CLSID\{E3517E26-8E93-458D-A6DF-8030BC80528B}\'
+ - 'Classes\CLSID\{E08A0F4B-1F65-4D4D-9A09-BD4625B9C5A1}\Model'
+ condition: ioc_1 or ioc_2 or selection2
 falsepositives:
 - Unknown
 level: critical
From d22382d0b998fc0614dde3af0fe3f1f397853aa4 Mon Sep 17 00:00:00 2001
From: frack113
Date: Fri, 17 Sep 2021 19:52:40 +0200
Subject: [PATCH 2/4] fix detection

---
 .../sysmon_registry_persistence_key_linking.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml b/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml
index 34447d116..2e2d8bef6 100755
--- a/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml
+++ b/rules/windows/registry_event/sysmon_registry_persistence_key_linking.yml
@@ -6,7 +6,7 @@ references:
 - https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
 author: Kutepov Anton, oscd.community
 date: 2019/10/23
-modified: 2019/11/07
+modified: 2021/09/17
 tags:
 - attack.persistence
 - attack.t1122 # an old one
@@ -19,7 +19,7 @@ detection:
 EventType: 'CreateKey' # don't want DeleteKey events
 TargetObject|contains|all:
 - 'HKU\'
- - '_Classes\CLSID\'
+ - 'Classes\CLSID\'
 - '\TreatAs'
 condition: selection
 falsepositives:
From 509a4c2822ad7b8e724a4d5c5c04bc752b43b112 Mon Sep 17 00:00:00 2001
From: frack113
Date: Fri, 17 Sep 2021 19:54:50 +0200
Subject: [PATCH 3/4] fix detection

---
 rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml b/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml
index f05853b8c..01c566580 100755
--- a/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml
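Review bot: The new `ioc_2` only accepts paths that begin with `HKCU\SOFTWARE\App\` or `HKLM\SOFTWARE\App\`, so the `HKU\<SID>\SOFTWARE\App\…` form that the removed `# covers HKU\* and HKLM..` comment and the old `endswith` entries were written for is no longer matched; if the feed renders other users' hives as `HKU\<SID>\…`, as that comment implies, those keys now go undetected. The `AppX<guid>\` substrings are specific enough on their own, so I would drop the `TargetObject|startswith` block and anchor each `contains` entry instead, e.g. `- '\SOFTWARE\App\AppXbf13d4ea2945444d8b13e2121cb6b663\'`. `ioc_1` is also fully subsumed by `selection2` (`startswith 'HKCU\'` plus `contains 'Classes\CLSID\{E08A0F4B-…}\Model'`), so it can be removed from the condition without losing a match. The unquoted, backslash-terminated scalars in `ioc_2` are valid YAML, but every other registry path in this file is single-quoted; quoting them keeps the style consistent.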
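Review bot: Widening `'_Classes\CLSID\'` to `'Classes\CLSID\'` still rejects a path rendered as `HKCU\Software\Classes\CLSID\{…}\TreatAs` (the form the first patch's `ioc_1` expects), because `'HKU\'` remains in the `contains|all` list and `HKU\` is not a substring of `HKCU\`; the only new matches are `HKU\<SID>\…\Classes\CLSID\…` paths, and the `HKU\<SID>_Classes\CLSID\` form matched before the change. If the intent is to cover both hive spellings, move the hive check into its own modifier, `TargetObject|startswith: ['HKU\', 'HKCU\']`, and keep `TargetObject|contains|all: ['Classes\CLSID\', '\TreatAs']`. Whichever way it goes, a short comment such as `# user-class hive appears as HKU\<SID>_Classes or HKCU\Software\Classes depending on the source` would preserve the rationale the `_Classes` hint used to carry. The enclosing `selection:` map starts above the hunk.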
+++ b/rules/windows/registry_event/sysmon_uac_bypass_sdclt.yml
@@ -7,17 +7,15 @@ references:
 - https://github.com/hfiref0x/UACME
 author: Omer Yampel, Christian Burkard
 date: 2017/03/17
-modified: 2021/08/31
+modified: 2021/09/17
 logsource:
 category: registry_event
 product: windows
 detection:
 selection1:
- # usrclass.dat is mounted on HKU\USERSID_Classes\...
- TargetObject|startswith: 'HKU\'
- TargetObject|endswith: '_Classes\exefile\shell\runas\command\isolatedCommand'
+ TargetObject|endswith: Software\Classes\exefile\shell\runas\command\isolatedCommand
 selection2:
- TargetObject|endswith: '-1???_Classes\Folder\shell\open\command\SymbolicLinkValue'
+ TargetObject|endswith: Software\Classes\Folder\shell\open\command\SymbolicLinkValue
 Details|contains: '-1???\Software\Classes\'
 condition: 1 of selection*
 tags:
From 81bf864d94379ec2ae2ac28593d199e5fd8f3a79 Mon Sep 17 00:00:00 2001
From: frack113
Date: Fri, 17 Sep 2021 19:56:26 +0200
Subject: [PATCH 4/4] fix detection

---
 .../registry_event/sysmon_uac_bypass_shell_open.yml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml b/rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml
index 032e1146f..9b2cf67ac 100644
--- a/rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml
+++ b/rules/windows/registry_event/sysmon_uac_bypass_shell_open.yml
@@ -3,6 +3,7 @@ id: 152f3630-77c1-4284-bcc0-4cc68ab2f6e7
 description: Detects the pattern of UAC Bypass using fodhelper.exe, computerdefaults.exe, slui.exe via registry keys (e.g. UACMe 33 or 62)
 author: Christian Burkard
 date: 2021/08/30
+modified: 2021/09/17
 status: experimental
 references:
 - https://github.com/hfiref0x/UACME
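Review bot: `TargetObject|endswith: Software\Classes\exefile\shell\runas\command\isolatedCommand` (and the `Folder\…\SymbolicLinkValue` line below it) cannot match the `HKU\<SID>_Classes\exefile\…` form that the removed comment documented as the usrclass.dat mount point, so on a source that renders the user-class hive that way this rule stops firing. Patch 4 of the same series handles the identical situation by anchoring on the common tail only; doing the same here keeps both spellings: `TargetObject|endswith: 'Classes\exefile\shell\runas\command\isolatedCommand'` and `TargetObject|endswith: 'Classes\Folder\shell\open\command\SymbolicLinkValue'`. I would also keep a one-line comment such as `# HKCU\Software\Classes is backed by HKU\<SID>_Classes; match on the common 'Classes\' tail` so the next reader does not re-narrow it. The two new values are the only unquoted paths in the hunk; single-quoting them matches the rest of the file.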
@@ -17,14 +18,14 @@ logsource:
 product: windows
 detection:
 selection1:
- TargetObject|endswith: '_Classes\ms-settings\shell\open\command\SymbolicLinkValue'
+ TargetObject|endswith: 'Classes\ms-settings\shell\open\command\SymbolicLinkValue'
 Details|contains: '\Software\Classes\{'
 selection2:
- TargetObject|endswith: '_Classes\ms-settings\shell\open\command\DelegateExecute'
+ TargetObject|endswith: 'Classes\ms-settings\shell\open\command\DelegateExecute'
 selection3:
 TargetObject|endswith:
- - '_Classes\ms-settings\shell\open\command\(Default)'
- - '_Classes\exefile\shell\open\command\(Default)'
+ - 'Classes\ms-settings\shell\open\command\(Default)'
+ - 'Classes\exefile\shell\open\command\(Default)'
 filter_sel3:
 Details: '(Empty)'
 condition: selection1 or selection2 or (selection3 and not filter_sel3)
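Review bot: Dropping the `_Classes\` prefix means `selection2` (`Classes\ms-settings\shell\open\command\DelegateExecute`, which has no `Details` filter) and `selection3` now also match writes under `HKLM\SOFTWARE\Classes\…`, where the system's own `ms-settings` and `exefile` handlers are registered; the bypass only needs the per-user key, and the old `_Classes\` anchor implicitly restricted the rule to it. If those HKLM handlers are rewritten during servicing or by installers this will generate noise, so I would add `filter_hklm: TargetObject|startswith: 'HKLM\'` and make the condition `(selection1 or selection2 or (selection3 and not filter_sel3)) and not filter_hklm`, or alternatively require `TargetObject|startswith: ['HKU\', 'HKCU\']` in each selection. The existing `(Empty)` filter on `selection3` is unaffected either way.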