New rules

Nasreddine Bencherchali
2022-08-15 00:22:16 +01:00
parent 6798d69d00
commit 8869bc6cff
7 changed files with 543 additions and 0 deletions
@@ -0,0 +1,34 @@
title: Ntdsutil Abuse
id: e6e88853-5f20-4c4a-8d26-cd469fd8d31f
status: experimental
description: Detects potential abuse of ntdsutil to dump ntds.dit database
author: Nasreddine Bencherchali
references:
- https://twitter.com/mgreen27/status/1558223256704122882
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)
date: 2022/08/14
logsource:
product: windows
service: application
# warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
selection:
Provider_Name: 'ESENT'
EventID: 325 # New Database Created
Data|contains: 'ntds.dit'
selection_paths:
Data|contains:
# Add more locations that you don't use in your env or that are just suspicious
- '\Users\Public\'
- '\Perflogs\'
- '\Temp\'
- '\Appdata\'
- '\Desktop\'
- '\Downloads\'
- 'C:\ntds.dit'
condition: selection
falsepositives:
- Legitimate backup operation/creating shadow copies
level: medium
tags:
- attack.execution
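Review bot: The `selection_paths` block is never referenced — `condition: selection` matches every ESENT 325 event whose data mentions ntds.dit, so the curated location list is dead code and the rule fires on exactly the legitimate backup case named under `falsepositives`. If the paths are meant to narrow the match, the condition should read `condition: selection and selection_paths`; if not, drop the unused block so the rule reads as intended. The `attack.execution` tag also looks off for NTDS database dumping, which ATT&CK files under credential access (`attack.credential_access`, `attack.t1003.003`). The `# warning:` comment about the `Data` field is useful and could also mention that the 325 event is only emitted by the ESENT provider in the Application log, since that is what the `logsource` depends on.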
@@ -0,0 +1,28 @@
title: Dump Ntds.dit To Suspicious Location
id: 94dc4390-6b7c-4784-8ffc-335334404650
status: experimental
description: Detects potential abuse of ntdsutil to dump ntds.dit database to a suspicious location
author: Nasreddine Bencherchali
references:
- https://twitter.com/mgreen27/status/1558223256704122882
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)
date: 2022/08/14
logsource:
product: windows
service: application
# warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
detection:
selection:
Provider_Name: 'ESENT'
EventID:
- 216
- 325
- 326
- 327
Data|contains: 'ntds.dit'
condition: selection
falsepositives:
- Legitimate backup operation/creating shadow copies
level: medium
tags:
- attack.execution
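Review bot: The title and description promise a "suspicious location", but the detection carries no path constraint — it matches any ESENT 216/325/326/327 event whose data contains ntds.dit, which on a domain controller plausibly includes the NTDS service attaching and detaching its own live database (326/327) at every service start; verify against a DC's Application log before shipping this at `level: medium`. Either add a `selection_paths` block holding the non-standard locations and use `condition: selection and selection_paths`, or retitle the rule to describe what it actually detects. As far as I can tell ESENT prefixes the event data with the name of the process that performed the operation; if your backend surfaces that, constraining on it would separate ntdsutil/VSS-driven copies from lsass — treat this as an assumption to confirm. The EventID 325 case here fully overlaps the "Ntdsutil Abuse" rule in the same commit, so both will alert on one event unless that is intended.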
@@ -0,0 +1,22 @@
title: Loading Diagcab Package From Remote Path
id: 50cb47b8-2c33-4b23-a2e9-4600657d9746
status: experimental
description: Detects loading of diagcab packages from a remote path, as seen in DogWalk vulnerability
author: Nasreddine Bencherchali
date: 2022/08/14
references:
- https://twitter.com/nas_bench/status/1539679555908141061
- https://twitter.com/j00sean/status/1537750439701225472
tags:
- attack.execution
logsource:
product: windows
service: diagnosis
detection:
selection:
EventID: 101
PackagePath|contains: '\\\\' # Example would be: \\webdav-test.herokuapp.com@ssl\DavWWWRoot\package
condition: selection
falsepositives:
- Legitimate package hosted on a known and authorized remote location
level: high
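Review bot: `PackagePath|contains: '\\\\'` covers only the UNC form of a remote path (Sigma reads `\\\\` as two literal backslashes); a diagcab referenced through a mapped drive letter would not match, and if the event ever records a URL form that would be missed too, so either state in the description that the rule is scoped to UNC paths or extend the list. With `contains` rather than `startswith`, the rule also fires on any path that merely embeds a UNC segment — probably intended, but worth saying in the inline comment, e.g. `# Any UNC path, anywhere in the value; the DogWalk cases used WebDAV over UNC`. The example in the comment names a specific third-party hostname from the public write-up; a neutral placeholder such as `\\<remote-host>@ssl\DavWWWRoot\package` reads less like an allow-list entry.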
@@ -0,0 +1,34 @@
title: Suspicious Application Installed
id: 83c161b6-ca67-4f33-8ad0-644a0737cf07
status: experimental
description: Detects suspicious application installed by looking at the added shortcut to the app resolver cache
author: Nasreddine Bencherchali
date: 2022/08/14
references:
- https://nasbench.medium.com/finding-forensic-goodness-in-obscure-windows-event-logs-60e978ea45a3
tags:
- attack.execution
logsource:
product: windows
service: shell-core
detection:
selection_name:
EventID: 28115
Name|contains:
# Please add more
- 'Zenmap'
- 'AnyDesk'
- 'wireshark'
- 'openvpn'
selection_packageid:
EventID: 28115
AppID|contains:
# Please add more
- 'zenmap.exe'
- 'prokzult ad' # AnyDesk
- 'wireshark'
- 'openvpn'
condition: selection
falsepositives:
- Packages or applications being legitimately used by users or administrators
level: medium
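Review bot: `condition: selection` refers to a selection that does not exist — the detection defines `selection_name` and `selection_packageid`, so a Sigma converter will reject the rule or, depending on the backend, emit a query that matches nothing. The intended condition is presumably `condition: 1 of selection_*`. Both selections repeat `EventID: 28115`; hoisting it into a `selection_event` block and using `condition: selection_event and 1 of selection_*` scopes the event once. The `contains` substrings (`wireshark`, `openvpn`) are broad by design, so the two `# Please add more` comments would be more useful as `# Environment-specific: tune this list to software not approved in your estate`.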
@@ -0,0 +1,31 @@
title: Rundll32 Loading Renamed Comsvcs DLL
id: 8cde342c-ba48-4b74-b615-172c330f2e93
status: experimental
description: Detects rundll32 loading a renamed comsvcs.dll to dump process memory
author: Nasreddine Bencherchali
date: 2022/08/14
references:
- https://twitter.com/sbousseaden/status/1555200155351228419
tags:
- attack.credential_access
- attack.defense_evasion
- attack.t1003.001
logsource:
product: windows
category: image_load
detection:
selection:
Image|endswith: '\rundll32.exe'
Hashes|contains:
# Add more hashes for other windows verions
- IMPHASH=eed93054cb555f3de70eaa9787f32ebb # Windows 11 21H2 x64
- IMPHASH=5e0dbdec1fce52daae251a110b4f309d # Windows 10 1607
- IMPHASH=eadbccbb324829acb5f2bbe87e5549a8 # Windows 10 1809
- IMPHASH=407ca0f7b523319d758a40d7c0193699 # Windows 10 2004 x64
- IMPHASH=281d618f4e6271e527e6386ea6f748de # Windows 10 2004 x86
filter:
ImageLoaded|endswith: '\comsvcs.dll'
condition: selection and not filter
falsepositives:
- Unlikely
level: high
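Review bot: The `Hashes|contains` match only works when the Sysmon configuration includes IMPHASH in `HashAlgorithms`; otherwise the `Hashes` field never carries an `IMPHASH=` token and the rule is silently inert, so that prerequisite belongs in a comment next to the field, e.g. `# Requires Sysmon HashAlgorithms to include IMPHASH`. The hash entries are the only unquoted strings in this commit; quoting them (`- 'IMPHASH=eed93054cb555f3de70eaa9787f32ebb' # Windows 11 21H2 x64`) keeps the style uniform and protects against tooling that retypes plain scalars. The comment `# Add more hashes for other windows verions` has a typo (`versions`).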
@@ -0,0 +1,368 @@
title: System DLL Sideloading From Non System Locations
id: 4fc0deee-0057-4998-ab31-d24e46e0aba4
status: experimental
description: Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)
references:
- https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
- https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/ # WindowsCodecs.dll
- https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/ # iphlpapi.dll
author: Nasreddine Bencherchali, Wietze Beukema (project and research)
date: 2022/08/14
tags:
- attack.defense_evasion
- attack.persistence
- attack.privilege_escalation
- attack.t1574.001
- attack.t1574.002
logsource:
category: image_load
product: windows
detection:
selection_both:
ImageLoaded|endswith:
- '\shfolder.dll'
- '\activeds.dll'
- '\adsldpc.dll'
- '\aepic.dll'
- '\apphelp.dll'
- '\applicationframe.dll'
- '\appxalluserstore.dll'
- '\appxdeploymentclient.dll'
- '\archiveint.dll'
- '\atl.dll'
- '\audioses.dll'
- '\auditpolcore.dll'
- '\authfwcfg.dll'
- '\authz.dll'
- '\avrt.dll'
- '\bcd.dll'
- '\bcp47langs.dll'
- '\bcp47mrm.dll'
- '\bcrypt.dll'
- '\cabinet.dll'
- '\cabview.dll'
- '\certenroll.dll'
- '\cldapi.dll'
- '\clipc.dll'
- '\clusapi.dll'
- '\cmpbk32.dll'
- '\coloradapterclient.dll'
- '\colorui.dll'
- '\comdlg32.dll'
- '\connect.dll'
- '\coremessaging.dll'
- '\credui.dll'
- '\cryptbase.dll'
- '\cryptdll.dll'
- '\cryptui.dll'
- '\cryptxml.dll'
- '\cscapi.dll'
- '\cscobj.dll'
- '\cscui.dll'
- '\d2d1.dll'
- '\d3d10.dll'
- '\d3d10_1.dll'
- '\d3d10_1core.dll'
- '\d3d10core.dll'
- '\d3d10warp.dll'
- '\d3d11.dll'
- '\d3d12.dll'
- '\d3d9.dll'
- '\dataexchange.dll'
- '\davclnt.dll'
- '\dcomp.dll'
- '\defragproxy.dll'
- '\desktopshellext.dll'
- '\deviceassociation.dll'
- '\devicecredential.dll'
- '\devicepairing.dll'
- '\devobj.dll'
- '\devrtl.dll'
- '\dhcpcmonitor.dll'
- '\dhcpcsvc.dll'
- '\dhcpcsvc6.dll'
- '\directmanipulation.dll'
- '\dismapi.dll'
- '\dismcore.dll'
- '\dmcfgutils.dll'
- '\dmcmnutils.dll'
- '\dmenrollengine.dll'
- '\dmenterprisediagnostics.dll'
- '\dmiso8601utils.dll'
- '\dmoleaututils.dll'
- '\dmprocessxmlfiltered.dll'
- '\dmpushproxy.dll'
- '\dmxmlhelputils.dll'
- '\dnsapi.dll'
- '\dot3api.dll'
- '\dot3cfg.dll'
- '\dpx.dll'
- '\drprov.dll'
- '\dsclient.dll'
- '\dsparse.dll'
- '\dsreg.dll'
- '\dsrole.dll'
- '\dui70.dll'
- '\duser.dll'
- '\dusmapi.dll'
- '\dwmapi.dll'
- '\dwrite.dll'
- '\dxgi.dll'
- '\dxva2.dll'
- '\eappcfg.dll'
- '\eappprxy.dll'
- '\edputil.dll'
- '\efsadu.dll'
- '\efsutil.dll'
- '\esent.dll'
- '\execmodelproxy.dll'
- '\explorerframe.dll'
- '\fastprox.dll'
- '\faultrep.dll'
- '\fddevquery.dll'
- '\feclient.dll'
- '\fhcfg.dll'
- '\firewallapi.dll'
- '\flightsettings.dll'
- '\fltlib.dll'
- '\fveapi.dll'
- '\fwbase.dll'
- '\fwcfg.dll'
- '\fwpolicyiomgr.dll'
- '\fwpuclnt.dll'
- '\getuname.dll'
- '\hid.dll'
- '\hnetmon.dll'
- '\httpapi.dll'
- '\idstore.dll'
- '\ieadvpack.dll'
- '\iedkcs32.dll'
- '\iertutil.dll'
- '\ifmon.dll'
- '\iphlpapi.dll'
- '\iri.dll'
- '\iscsidsc.dll'
- '\iscsium.dll'
- '\isv.exe_rsaenh.dll'
- '\joinutil.dll'
- '\ksuser.dll'
- '\ktmw32.dll'
- '\licensemanagerapi.dll'
- '\licensingdiagspp.dll'
- '\linkinfo.dll'
- '\loadperf.dll'
- '\logoncli.dll'
- '\logoncontroller.dll'
- '\lpksetupproxyserv.dll'
- '\magnification.dll'
- '\mapistub.dll'
- '\mfcore.dll'
- '\mfplat.dll'
- '\mi.dll'
- '\midimap.dll'
- '\miutils.dll'
- '\mlang.dll'
- '\mmdevapi.dll'
- '\mobilenetworking.dll'
- '\mpr.dll'
- '\mprapi.dll'
- '\mrmcorer.dll'
- '\msacm32.dll'
- '\mscms.dll'
- '\mscoree.dll'
- '\msctf.dll'
- '\msctfmonitor.dll'
- '\msdrm.dll'
- '\msftedit.dll'
- '\msi.dll'
- '\msutb.dll'
- '\mswb7.dll'
- '\mswsock.dll'
- '\msxml3.dll'
- '\mtxclu.dll'
- '\napinsp.dll'
- '\ncrypt.dll'
- '\ndfapi.dll'
- '\netid.dll'
- '\netiohlp.dll'
- '\netplwiz.dll'
- '\netprofm.dll'
- '\netsetupapi.dll'
- '\netshell.dll'
- '\netutils.dll'
- '\networkexplorer.dll'
- '\newdev.dll'
- '\ninput.dll'
- '\nlaapi.dll'
- '\nlansp_c.dll'
- '\npmproxy.dll'
- '\nshhttp.dll'
- '\nshipsec.dll'
- '\nshwfp.dll'
- '\ntdsapi.dll'
- '\ntlanman.dll'
- '\ntlmshared.dll'
- '\ntmarta.dll'
- '\ntshrui.dll'
- '\oleacc.dll'
- '\omadmapi.dll'
- '\onex.dll'
- '\osbaseln.dll'
- '\osuninst.dll'
- '\p2p.dll'
- '\p2pnetsh.dll'
- '\p9np.dll'
- '\pcaui.dll'
- '\pdh.dll'
- '\peerdistsh.dll'
- '\pla.dll'
- '\pnrpnsp.dll'
- '\policymanager.dll'
- '\polstore.dll'
- '\printui.dll'
- '\propsys.dll'
- '\prvdmofcomp.dll'
- '\puiapi.dll'
- '\radcui.dll'
- '\rasapi32.dll'
- '\rasgcw.dll'
- '\rasman.dll'
- '\rasmontr.dll'
- '\reagent.dll'
- '\regapi.dll'
- '\resutils.dll'
- '\rmclient.dll'
- '\rpcnsh.dll'
- '\rsaenh.dll'
- '\rtutils.dll'
- '\rtworkq.dll'
- '\samcli.dll'
- '\samlib.dll'
- '\sapi_onecore.dll'
- '\sas.dll'
- '\scansetting.dll'
- '\scecli.dll'
- '\schedcli.dll'
- '\secur32.dll'
- '\shell32.dll'
- '\slc.dll'
- '\snmpapi.dll'
- '\spp.dll'
- '\sppc.dll'
- '\srclient.dll'
- '\srpapi.dll'
- '\srvcli.dll'
- '\ssp.exe_rsaenh.dll'
- '\ssp_isv.exe_rsaenh.dll'
- '\sspicli.dll'
- '\ssshim.dll'
- '\staterepository.core.dll'
- '\structuredquery.dll'
- '\sxshared.dll'
- '\tapi32.dll'
- '\tbs.dll'
- '\tdh.dll'
- '\tquery.dll'
- '\tsworkspace.dll'
- '\ttdrecord.dll'
- '\twext.dll'
- '\twinapi.dll'
- '\twinui.appcore.dll'
- '\uianimation.dll'
- '\uiautomationcore.dll'
- '\uireng.dll'
- '\uiribbon.dll'
- '\updatepolicy.dll'
- '\userenv.dll'
- '\utildll.dll'
- '\uxinit.dll'
- '\uxtheme.dll'
- '\vaultcli.dll'
- '\virtdisk.dll'
- '\vssapi.dll'
- '\vsstrace.dll'
- '\wbemprox.dll'
- '\wbemsvc.dll'
- '\wcmapi.dll'
- '\wcnnetsh.dll'
- '\wdi.dll'
- '\wdscore.dll'
- '\webservices.dll'
- '\wecapi.dll'
- '\wer.dll'
- '\wevtapi.dll'
- '\whhelper.dll'
- '\wimgapi.dll'
- '\winbrand.dll'
- '\windows.storage.dll'
- '\windows.storage.search.dll'
- '\windowscodecs.dll'
- '\windowscodecsext.dll'
- '\windowsudk.shellcommon.dll'
- '\winhttp.dll'
- '\wininet.dll'
- '\winipsec.dll'
- '\winmde.dll'
- '\winmm.dll'
- '\winnsi.dll'
- '\winrnr.dll'
- '\winsqlite3.dll'
- '\winsta.dll'
- '\wkscli.dll'
- '\wlanapi.dll'
- '\wlancfg.dll'
- '\wldp.dll'
- '\wlidprov.dll'
- '\wmiclnt.dll'
- '\wmidcom.dll'
- '\wmiutils.dll'
- '\wmsgapi.dll'
- '\wofutil.dll'
- '\wpdshext.dll'
- '\wshbth.dll'
- '\wshelper.dll'
- '\wtsapi32.dll'
- '\wwapi.dll'
- '\xmllite.dll'
- '\xolehlp.dll'
- '\xwizards.dll'
- '\xwtpw32.dll'
- '\aclui.dll'
selection_sys32:
ImageLoaded|endswith:
- '*\bderepair.dll'
- '\bootmenuux.dll'
- '\dcntel.dll'
- '\dwmcore.dll'
- '\dynamoapi.dll'
- '\fhsvcctl.dll'
- '\fxsst.dll'
- '\inproclogger.dll'
- '\iumbase.dll'
- '\kdstub.dll'
- '\maintenanceui.dll'
- '\mdmdiagnostics.dll'
- '\mintdh.dll'
- '\msdtctm.dll'
- '\nettrace.dll'
- '\osksupport.dll'
- '\reseteng.dll'
- '\resetengine.dll'
- '\spectrumsyncclient.dll'
- '\srcore.dll'
- '\systemsettingsthresholdadminflowui.dll'
- '\timesync.dll'
- '\upshared.dll'
- '\wmpdui.dll'
- '\wwancfg.dll'
filter_sys32:
ImageLoaded|startswith: 'C:\Windows\System32\'
filter_both:
ImageLoaded|startswith:
- 'C:\Windows\System32\'
- 'C:\Windows\SysWOW64\'
condition: (selection_both and not filter_both) or (selection_sys32 and not filter_sys32)
falsepositives:
- Legitimate applications loading their own versions of the DLLs mentioned in this rule
level: medium
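Review bot: `filter_both` and `filter_sys32` exclude only `C:\Windows\System32\` and `C:\Windows\SysWOW64\`, so hosts with Windows installed on another drive letter will alert on every ordinary load of the listed DLLs; Sigma's single-character wildcard handles that without widening the filter much, e.g. `- '?:\Windows\System32\'` and `- '?:\Windows\SysWOW64\'`. The entry `'*\bderepair.dll'` carries a leading `*` that no other entry has — `endswith` already implies it and some backends will emit a doubled wildcard — so it should read `'\bderepair.dll'`. Entries such as `'\isv.exe_rsaenh.dll'`, `'\ssp.exe_rsaenh.dll'` and `'\ssp_isv.exe_rsaenh.dll'` look like they may be export artifacts from the source list (a process name joined to the DLL name) rather than real file names; worth confirming against hijacklibs.net before shipping, since as written they will never match. The hunk header declares 368 added lines but 367 are rendered here, so one line was dropped in rendering; `'\shfolder.dll'` and `'\aclui.dll'` also sit outside the otherwise alphabetical order, which makes future diffs against the upstream list harder to review.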
@@ -0,0 +1,26 @@
title: Rundll32 JS RunHTMLApplication Pattern
id: 4782eb5a-a513-4523-a0ac-f3082b26ac5c
related:
- id: 9f06447a-a33a-4cbe-a94f-a3f43184a7a3
type: derived
status: experimental
description: Detects suspicious command line using the "mshtml.dll" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, htpp...)
author: Nasreddine Bencherchali
date: 2022/08/14
references:
- https://twitter.com/n1nj4sec/status/1421190238081277959
tags:
- attack.defense_evasion
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains|all:
- '\..\'
- 'mshtml'
- 'RunHTMLApplication'
condition: selection
falsepositives:
- Unlikely
level: high
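Review bot: The description has a typo, `htpp` → `http`, and the `related` entry `9f06447a-a33a-4cbe-a94f-a3f43184a7a3` gives no hint of what it covers; a short comment naming the parent rule would explain why this variant is split out. Requiring `'\..\'` alongside `mshtml` and `RunHTMLApplication` couples the rule to one command-line shape; if the intent is to catch only the traversal variant, say so in the description, otherwise `mshtml` plus `RunHTMLApplication` is already a specific pair on its own. The rule also does not restrict `Image` to rundll32 despite the title — arguably broader coverage, but then the title should match, or `Image|endswith: '\rundll32.exe'` should be added to `selection`.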