From 8869bc6cfff2ac6b2eb71d346e552a44565fe5b2 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 15 Aug 2022 00:22:16 +0100
Subject: [PATCH] New rules
---
.../application/win_esent_ntdsutil_abuse.yml | 34 ++
...win_esent_ntdsutil_abuse_susp_location.yml | 28 ++
...diagnosis_scripted_load_remote_diagcab.yml | 22 ++
...win_shell_core_susp_packages_installed.yml | 34 ++
..._load_rundll32_loading_renamed_comsvcs.yml | 31 ++
...oad_side_load_from_non_system_location.yml | 368 ++++++++++++++++++
...ion_win_susp_mshtml_runhtmlapplication.yml | 26 ++
7 files changed, 543 insertions(+)
create mode 100644 rules/windows/builtin/application/win_esent_ntdsutil_abuse.yml
create mode 100644 rules/windows/builtin/application/win_esent_ntdsutil_abuse_susp_location.yml
create mode 100644 rules/windows/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml
create mode 100644 rules/windows/builtin/shell_core/win_shell_core_susp_packages_installed.yml
create mode 100644 rules/windows/image_load/image_load_rundll32_loading_renamed_comsvcs.yml
create mode 100644 rules/windows/image_load/image_load_side_load_from_non_system_location.yml
create mode 100644 rules/windows/process_creation/proc_creation_win_susp_mshtml_runhtmlapplication.yml
diff --git a/rules/windows/builtin/application/win_esent_ntdsutil_abuse.yml b/rules/windows/builtin/application/win_esent_ntdsutil_abuse.yml
new file mode 100644
index 000000000..fc953c4cc
--- /dev/null
+++ b/rules/windows/builtin/application/win_esent_ntdsutil_abuse.yml
@@ -0,0 +1,34 @@
+title: Ntdsutil Abuse
+id: e6e88853-5f20-4c4a-8d26-cd469fd8d31f
+status: experimental
+description: Detects potential abuse of ntdsutil to dump ntds.dit database
+author: Nasreddine Bencherchali
+references:
+ - https://twitter.com/mgreen27/status/1558223256704122882
+ - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)
+date: 2022/08/14
+logsource:
+ product: windows
+ service: application
+ # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
+detection:
+ selection:
+ Provider_Name: 'ESENT'
+ EventID: 325 # New Database Created
+ Data|contains: 'ntds.dit'
+ selection_paths:
+ Data|contains:
+ # Add more locations that you don't use in your env or that are just suspicious
+ - '\Users\Public\'
+ - '\Perflogs\'
+ - '\Temp\'
+ - '\Appdata\'
+ - '\Desktop\'
+ - '\Downloads\'
+ - 'C:\ntds.dit'
+ condition: selection
+falsepositives:
+ - Legitimate backup operation/creating shadow copies
+level: medium
+tags:
+ - attack.execution
diff --git a/rules/windows/builtin/application/win_esent_ntdsutil_abuse_susp_location.yml b/rules/windows/builtin/application/win_esent_ntdsutil_abuse_susp_location.yml
new file mode 100644
index 000000000..47f24809b
--- /dev/null
+++ b/rules/windows/builtin/application/win_esent_ntdsutil_abuse_susp_location.yml
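Review bot: `selection_paths` is defined but never referenced — `condition: selection` only requires an ESENT 325 event whose data mentions `ntds.dit`, so the location list has no effect and any new ntds.dit database, including one written by a legitimate backup or IFM export, matches. Either make it `condition: selection and selection_paths` or remove the block; note that the sibling file `win_esent_ntdsutil_abuse_susp_location.yml` carries the "suspicious location" title but no path list, so the two bodies look swapped. The `attack.execution` tag does not describe NTDS dumping; `attack.credential_access` and `attack.t1003.003` fit, and the same applies to the tags in the next hunk.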
@@ -0,0 +1,28 @@
+title: Dump Ntds.dit To Suspicious Location
+id: 94dc4390-6b7c-4784-8ffc-335334404650
+status: experimental
+description: Detects potential abuse of ntdsutil to dump ntds.dit database to a suspicious location
+author: Nasreddine Bencherchali
+references:
+ - https://twitter.com/mgreen27/status/1558223256704122882
+ - https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj574207(v=ws.11)
+date: 2022/08/14
+logsource:
+ product: windows
+ service: application
+ # warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
+detection:
+ selection:
+ Provider_Name: 'ESENT'
+ EventID:
+ - 216
+ - 325
+ - 326
+ - 327
+ Data|contains: 'ntds.dit'
+ condition: selection
+falsepositives:
+ - Legitimate backup operation/creating shadow copies
+level: medium
+tags:
+ - attack.execution
diff --git a/rules/windows/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml b/rules/windows/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml
new file mode 100644
index 000000000..16264d94f
--- /dev/null
+++ b/rules/windows/builtin/diagnosis/scripted/win_diagnosis_scripted_load_remote_diagcab.yml
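Review bot: The title and description promise a "suspicious location", but `selection` constrains only the provider, four ESENT event IDs and the substring `ntds.dit`; nothing in the rule looks at where the database lives. On a domain controller the directory service's own ntds.dit presumably produces attach/detach events (326/327) at service start and stop, so as written this is likely to fire on routine DC activity at `level: medium`. Add a `selection_paths` block with the directory list and use `condition: selection and selection_paths`, or retitle the rule as a generic ntds.dit ESENT activity indicator and lower the level.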
@@ -0,0 +1,22 @@
+title: Loading Diagcab Package From Remote Path
+id: 50cb47b8-2c33-4b23-a2e9-4600657d9746
+status: experimental
+description: Detects loading of diagcab packages from a remote path, as seen in DogWalk vulnerability
+author: Nasreddine Bencherchali
+date: 2022/08/14
+references:
+ - https://twitter.com/nas_bench/status/1539679555908141061
+ - https://twitter.com/j00sean/status/1537750439701225472
+tags:
+ - attack.execution
+logsource:
+ product: windows
+ service: diagnosis
+detection:
+ selection:
+ EventID: 101
+ PackagePath|contains: '\\\\' # Example would be: \\webdav-test.herokuapp.com@ssl\DavWWWRoot\package
+ condition: selection
+falsepositives:
+ - Legitimate package hosted on a known and authorized remote location
+level: high
diff --git a/rules/windows/builtin/shell_core/win_shell_core_susp_packages_installed.yml b/rules/windows/builtin/shell_core/win_shell_core_susp_packages_installed.yml
new file mode 100644
index 000000000..853b1a314
--- /dev/null
+++ b/rules/windows/builtin/shell_core/win_shell_core_susp_packages_installed.yml
@@ -0,0 +1,34 @@
+title: Suspicious Application Installed
+id: 83c161b6-ca67-4f33-8ad0-644a0737cf07
+status: experimental
+description: Detects suspicious application installed by looking at the added shortcut to the app resolver cache
+author: Nasreddine Bencherchali
+date: 2022/08/14
+references:
+ - https://nasbench.medium.com/finding-forensic-goodness-in-obscure-windows-event-logs-60e978ea45a3
+tags:
+ - attack.execution
+logsource:
+ product: windows
+ service: shell-core
+detection:
+ selection_name:
+ EventID: 28115
+ Name|contains:
+ # Please add more
+ - 'Zenmap'
+ - 'AnyDesk'
+ - 'wireshark'
+ - 'openvpn'
+ selection_packageid:
+ EventID: 28115
+ AppID|contains:
+ # Please add more
+ - 'zenmap.exe'
+ - 'prokzult ad' # AnyDesk
+ - 'wireshark'
+ - 'openvpn'
+ condition: selection
+falsepositives:
+ - Packages or applications being legitimately used by users or administrators
+level: medium
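Review bot: `PackagePath|contains: '\\\\'` matches every UNC path, so internal file servers or DFS shares that host diagnostic packages for helpdesk use will alert at `level: high`; the falsepositives entry acknowledges this, but the rule gives deployers no hook to tune it. A commented-out `filter` on trusted share prefixes, or at least a comment above the field such as `# add a filter for internal shares that legitimately host diagcab packages`, would make the intended scope explicit. If this log also records extended-length local paths (`\\?\C:\...`), those would match as well; worth confirming on a sample before relying on the high level.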
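Review bot: `condition: selection` references an identifier that does not exist in this detection — the two selections are named `selection_name` and `selection_packageid` — so Sigma validators will reject the rule, or a lenient backend will compile a query that never matches. Change it to `condition: 1 of selection_*`, which ORs the two selections as the rule evidently intends. Since both selections repeat `EventID: 28115`, it would also read cleaner to hoist that into a separate `selection_eventid` and write `condition: selection_eventid and (selection_name or selection_packageid)`; avoid `1 of selection_*` in that variant, because the wildcard would then match the event-id selection too and make the condition trivially true.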
diff --git a/rules/windows/image_load/image_load_rundll32_loading_renamed_comsvcs.yml b/rules/windows/image_load/image_load_rundll32_loading_renamed_comsvcs.yml
new file mode 100644
index 000000000..8c30f6338
--- /dev/null
+++ b/rules/windows/image_load/image_load_rundll32_loading_renamed_comsvcs.yml
@@ -0,0 +1,31 @@
+title: Rundll32 Loading Renamed Comsvcs DLL
+id: 8cde342c-ba48-4b74-b615-172c330f2e93
+status: experimental
+description: Detects rundll32 loading a renamed comsvcs.dll to dump process memory
+author: Nasreddine Bencherchali
+date: 2022/08/14
+references:
+ - https://twitter.com/sbousseaden/status/1555200155351228419
+tags:
+ - attack.credential_access
+ - attack.defense_evasion
+ - attack.t1003.001
+logsource:
+ product: windows
+ category: image_load
+detection:
+ selection:
+ Image|endswith: '\rundll32.exe'
+ Hashes|contains:
+ # Add more hashes for other windows verions
+ - IMPHASH=eed93054cb555f3de70eaa9787f32ebb # Windows 11 21H2 x64
+ - IMPHASH=5e0dbdec1fce52daae251a110b4f309d # Windows 10 1607
+ - IMPHASH=eadbccbb324829acb5f2bbe87e5549a8 # Windows 10 1809
+ - IMPHASH=407ca0f7b523319d758a40d7c0193699 # Windows 10 2004 x64
+ - IMPHASH=281d618f4e6271e527e6386ea6f748de # Windows 10 2004 x86
+ filter:
+ ImageLoaded|endswith: '\comsvcs.dll'
+ condition: selection and not filter
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules/windows/image_load/image_load_side_load_from_non_system_location.yml b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
new file mode 100644
index 000000000..1d99e4852
--- /dev/null
+++ b/rules/windows/image_load/image_load_side_load_from_non_system_location.yml
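Review bot: The `filter` excludes any load whose path ends in `\comsvcs.dll`, so a comsvcs.dll copied unrenamed into another directory and loaded by rundll32 is silently dropped; if that case is meant to be in scope, anchor the filter to the system copies by pairing `ImageLoaded|startswith` on `C:\Windows\System32\` and `C:\Windows\SysWOW64\` with the existing `endswith`, rather than excluding on file name alone. The IMPHASH list is build-specific, as the comment admits, so loads from any Windows build not listed are missed; stating in the description how the hashes were obtained and that the list must be extended per build would help the next maintainer. Typo in the comment: `verions` → `versions`.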
@@ -0,0 +1,368 @@
+title: System DLL Sideloading From Non System Locations
+id: 4fc0deee-0057-4998-ab31-d24e46e0aba4
+status: experimental
+description: Detects DLL sideloading of DLLs usually located in system locations (System32, SysWOW64...)
+references:
+ - https://hijacklibs.net/ # For list of DLLs that could be sideloaded (search for dlls mentioned here in there)
+ - https://blog.cyble.com/2022/07/21/qakbot-resurfaces-with-new-playbook/ # WindowsCodecs.dll
+ - https://blog.cyble.com/2022/07/27/targeted-attacks-being-carried-out-via-dll-sideloading/ # iphlpapi.dll
+author: Nasreddine Bencherchali, Wietze Beukema (project and research)
+date: 2022/08/14
+tags:
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1574.001
+ - attack.t1574.002
+logsource:
+ category: image_load
+ product: windows
+detection:
+ selection_both:
+ ImageLoaded|endswith:
+ - '\shfolder.dll'
+ - '\activeds.dll'
+ - '\adsldpc.dll'
+ - '\aepic.dll'
+ - '\apphelp.dll'
+ - '\applicationframe.dll'
+ - '\appxalluserstore.dll'
+ - '\appxdeploymentclient.dll'
+ - '\archiveint.dll'
+ - '\atl.dll'
+ - '\audioses.dll'
+ - '\auditpolcore.dll'
+ - '\authfwcfg.dll'
+ - '\authz.dll'
+ - '\avrt.dll'
+ - '\bcd.dll'
+ - '\bcp47langs.dll'
+ - '\bcp47mrm.dll'
+ - '\bcrypt.dll'
+ - '\cabinet.dll'
+ - '\cabview.dll'
+ - '\certenroll.dll'
+ - '\cldapi.dll'
+ - '\clipc.dll'
+ - '\clusapi.dll'
+ - '\cmpbk32.dll'
+ - '\coloradapterclient.dll'
+ - '\colorui.dll'
+ - '\comdlg32.dll'
+ - '\connect.dll'
+ - '\coremessaging.dll'
+ - '\credui.dll'
+ - '\cryptbase.dll'
+ - '\cryptdll.dll'
+ - '\cryptui.dll'
+ - '\cryptxml.dll'
+ - '\cscapi.dll'
+ - '\cscobj.dll'
+ - '\cscui.dll'
+ - '\d2d1.dll'
+ - '\d3d10.dll'
+ - '\d3d10_1.dll'
+ - '\d3d10_1core.dll'
+ - '\d3d10core.dll'
+ - '\d3d10warp.dll'
+ - '\d3d11.dll'
+ - '\d3d12.dll'
+ - '\d3d9.dll'
+ - '\dataexchange.dll'
+ - '\davclnt.dll'
+ - '\dcomp.dll'
+ - '\defragproxy.dll'
+ - '\desktopshellext.dll'
+ - '\deviceassociation.dll'
+ - '\devicecredential.dll'
+ - '\devicepairing.dll'
+ - '\devobj.dll'
+ - '\devrtl.dll'
+ - '\dhcpcmonitor.dll'
+ - '\dhcpcsvc.dll'
+ - '\dhcpcsvc6.dll'
+ - '\directmanipulation.dll'
+ - '\dismapi.dll'
+ - '\dismcore.dll'
+ - '\dmcfgutils.dll'
+ - '\dmcmnutils.dll'
+ - '\dmenrollengine.dll'
+ - '\dmenterprisediagnostics.dll'
+ - '\dmiso8601utils.dll'
+ - '\dmoleaututils.dll'
+ - '\dmprocessxmlfiltered.dll'
+ - '\dmpushproxy.dll'
+ - '\dmxmlhelputils.dll'
+ - '\dnsapi.dll'
+ - '\dot3api.dll'
+ - '\dot3cfg.dll'
+ - '\dpx.dll'
+ - '\drprov.dll'
+ - '\dsclient.dll'
+ - '\dsparse.dll'
+ - '\dsreg.dll'
+ - '\dsrole.dll'
+ - '\dui70.dll'
+ - '\duser.dll'
+ - '\dusmapi.dll'
+ - '\dwmapi.dll'
+ - '\dwrite.dll'
+ - '\dxgi.dll'
+ - '\dxva2.dll'
+ - '\eappcfg.dll'
+ - '\eappprxy.dll'
+ - '\edputil.dll'
+ - '\efsadu.dll'
+ - '\efsutil.dll'
+ - '\esent.dll'
+ - '\execmodelproxy.dll'
+ - '\explorerframe.dll'
+ - '\fastprox.dll'
+ - '\faultrep.dll'
+ - '\fddevquery.dll'
+ - '\feclient.dll'
+ - '\fhcfg.dll'
+ - '\firewallapi.dll'
+ - '\flightsettings.dll'
+ - '\fltlib.dll'
+ - '\fveapi.dll'
+ - '\fwbase.dll'
+ - '\fwcfg.dll'
+ - '\fwpolicyiomgr.dll'
+ - '\fwpuclnt.dll'
+ - '\getuname.dll'
+ - '\hid.dll'
+ - '\hnetmon.dll'
+ - '\httpapi.dll'
+ - '\idstore.dll'
+ - '\ieadvpack.dll'
+ - '\iedkcs32.dll'
+ - '\iertutil.dll'
+ - '\ifmon.dll'
+ - '\iphlpapi.dll'
+ - '\iri.dll'
+ - '\iscsidsc.dll'
+ - '\iscsium.dll'
+ - '\isv.exe_rsaenh.dll'
+ - '\joinutil.dll'
+ - '\ksuser.dll'
+ - '\ktmw32.dll'
+ - '\licensemanagerapi.dll'
+ - '\licensingdiagspp.dll'
+ - '\linkinfo.dll'
+ - '\loadperf.dll'
+ - '\logoncli.dll'
+ - '\logoncontroller.dll'
+ - '\lpksetupproxyserv.dll'
+ - '\magnification.dll'
+ - '\mapistub.dll'
+ - '\mfcore.dll'
+ - '\mfplat.dll'
+ - '\mi.dll'
+ - '\midimap.dll'
+ - '\miutils.dll'
+ - '\mlang.dll'
+ - '\mmdevapi.dll'
+ - '\mobilenetworking.dll'
+ - '\mpr.dll'
+ - '\mprapi.dll'
+ - '\mrmcorer.dll'
+ - '\msacm32.dll'
+ - '\mscms.dll'
+ - '\mscoree.dll'
+ - '\msctf.dll'
+ - '\msctfmonitor.dll'
+ - '\msdrm.dll'
+ - '\msftedit.dll'
+ - '\msi.dll'
+ - '\msutb.dll'
+ - '\mswb7.dll'
+ - '\mswsock.dll'
+ - '\msxml3.dll'
+ - '\mtxclu.dll'
+ - '\napinsp.dll'
+ - '\ncrypt.dll'
+ - '\ndfapi.dll'
+ - '\netid.dll'
+ - '\netiohlp.dll'
+ - '\netplwiz.dll'
+ - '\netprofm.dll'
+ - '\netsetupapi.dll'
+ - '\netshell.dll'
+ - '\netutils.dll'
+ - '\networkexplorer.dll'
+ - '\newdev.dll'
+ - '\ninput.dll'
+ - '\nlaapi.dll'
+ - '\nlansp_c.dll'
+ - '\npmproxy.dll'
+ - '\nshhttp.dll'
+ - '\nshipsec.dll'
+ - '\nshwfp.dll'
+ - '\ntdsapi.dll'
+ - '\ntlanman.dll'
+ - '\ntlmshared.dll'
+ - '\ntmarta.dll'
+ - '\ntshrui.dll'
+ - '\oleacc.dll'
+ - '\omadmapi.dll'
+ - '\onex.dll'
+ - '\osbaseln.dll'
+ - '\osuninst.dll'
+ - '\p2p.dll'
+ - '\p2pnetsh.dll'
+ - '\p9np.dll'
+ - '\pcaui.dll'
+ - '\pdh.dll'
+ - '\peerdistsh.dll'
+ - '\pla.dll'
+ - '\pnrpnsp.dll'
+ - '\policymanager.dll'
+ - '\polstore.dll'
+ - '\printui.dll'
+ - '\propsys.dll'
+ - '\prvdmofcomp.dll'
+ - '\puiapi.dll'
+ - '\radcui.dll'
+ - '\rasapi32.dll'
+ - '\rasgcw.dll'
+ - '\rasman.dll'
+ - '\rasmontr.dll'
+ - '\reagent.dll'
+ - '\regapi.dll'
+ - '\resutils.dll'
+ - '\rmclient.dll'
+ - '\rpcnsh.dll'
+ - '\rsaenh.dll'
+ - '\rtutils.dll'
+ - '\rtworkq.dll'
+ - '\samcli.dll'
+ - '\samlib.dll'
+ - '\sapi_onecore.dll'
+ - '\sas.dll'
+ - '\scansetting.dll'
+ - '\scecli.dll'
+ - '\schedcli.dll'
+ - '\secur32.dll'
+ - '\shell32.dll'
+ - '\slc.dll'
+ - '\snmpapi.dll'
+ - '\spp.dll'
+ - '\sppc.dll'
+ - '\srclient.dll'
+ - '\srpapi.dll'
+ - '\srvcli.dll'
+ - '\ssp.exe_rsaenh.dll'
+ - '\ssp_isv.exe_rsaenh.dll'
+ - '\sspicli.dll'
+ - '\ssshim.dll'
+ - '\staterepository.core.dll'
+ - '\structuredquery.dll'
+ - '\sxshared.dll'
+ - '\tapi32.dll'
+ - '\tbs.dll'
+ - '\tdh.dll'
+ - '\tquery.dll'
+ - '\tsworkspace.dll'
+ - '\ttdrecord.dll'
+ - '\twext.dll'
+ - '\twinapi.dll'
+ - '\twinui.appcore.dll'
+ - '\uianimation.dll'
+ - '\uiautomationcore.dll'
+ - '\uireng.dll'
+ - '\uiribbon.dll'
+ - '\updatepolicy.dll'
+ - '\userenv.dll'
+ - '\utildll.dll'
+ - '\uxinit.dll'
+ - '\uxtheme.dll'
+ - '\vaultcli.dll'
+ - '\virtdisk.dll'
+ - '\vssapi.dll'
+ - '\vsstrace.dll'
+ - '\wbemprox.dll'
+ - '\wbemsvc.dll'
+ - '\wcmapi.dll'
+ - '\wcnnetsh.dll'
+ - '\wdi.dll'
+ - '\wdscore.dll'
+ - '\webservices.dll'
+ - '\wecapi.dll'
+ - '\wer.dll'
+ - '\wevtapi.dll'
+ - '\whhelper.dll'
+ - '\wimgapi.dll'
+ - '\winbrand.dll'
+ - '\windows.storage.dll'
+ - '\windows.storage.search.dll'
+ - '\windowscodecs.dll'
+ - '\windowscodecsext.dll'
+ - '\windowsudk.shellcommon.dll'
+ - '\winhttp.dll'
+ - '\wininet.dll'
+ - '\winipsec.dll'
+ - '\winmde.dll'
+ - '\winmm.dll'
+ - '\winnsi.dll'
+ - '\winrnr.dll'
+ - '\winsqlite3.dll'
+ - '\winsta.dll'
+ - '\wkscli.dll'
+ - '\wlanapi.dll'
+ - '\wlancfg.dll'
+ - '\wldp.dll'
+ - '\wlidprov.dll'
+ - '\wmiclnt.dll'
+ - '\wmidcom.dll'
+ - '\wmiutils.dll'
+ - '\wmsgapi.dll'
+ - '\wofutil.dll'
+ - '\wpdshext.dll'
+ - '\wshbth.dll'
+ - '\wshelper.dll'
+ - '\wtsapi32.dll'
+ - '\wwapi.dll'
+ - '\xmllite.dll'
+ - '\xolehlp.dll'
+ - '\xwizards.dll'
+ - '\xwtpw32.dll'
+ - '\aclui.dll'
+ selection_sys32:
+ ImageLoaded|endswith:
+ - '*\bderepair.dll'
+ - '\bootmenuux.dll'
+ - '\dcntel.dll'
+ - '\dwmcore.dll'
+ - '\dynamoapi.dll'
+ - '\fhsvcctl.dll'
+ - '\fxsst.dll'
+ - '\inproclogger.dll'
+ - '\iumbase.dll'
+ - '\kdstub.dll'
+ - '\maintenanceui.dll'
+ - '\mdmdiagnostics.dll'
+ - '\mintdh.dll'
+ - '\msdtctm.dll'
+ - '\nettrace.dll'
+ - '\osksupport.dll'
+ - '\reseteng.dll'
+ - '\resetengine.dll'
+ - '\spectrumsyncclient.dll'
+ - '\srcore.dll'
+ - '\systemsettingsthresholdadminflowui.dll'
+ - '\timesync.dll'
+ - '\upshared.dll'
+ - '\wmpdui.dll'
+ - '\wwancfg.dll'
+
+ filter_sys32:
+ ImageLoaded|startswith: 'C:\Windows\System32\'
+ filter_both:
+ ImageLoaded|startswith:
+ - 'C:\Windows\System32\'
+ - 'C:\Windows\SysWOW64\'
+ condition: (selection_both and not filter_both) or (selection_sys32 and not filter_sys32)
+falsepositives:
+ - Legitimate applications loading their own versions of the DLLs mentioned in this rule
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_susp_mshtml_runhtmlapplication.yml b/rules/windows/process_creation/proc_creation_win_susp_mshtml_runhtmlapplication.yml
new file mode 100644
index 000000000..16b66e8cb
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_mshtml_runhtmlapplication.yml
@@ -0,0 +1,26 @@
+title: Rundll32 JS RunHTMLApplication Pattern
+id: 4782eb5a-a513-4523-a0ac-f3082b26ac5c
+related:
+ - id: 9f06447a-a33a-4cbe-a94f-a3f43184a7a3
+ type: derived
+status: experimental
+description: Detects suspicious command line using the "mshtml.dll" RunHTMLApplication export to run arbitrary code via different protocol handlers (vbscript, javascript, file, htpp...)
+author: Nasreddine Bencherchali
+date: 2022/08/14
+references:
+ - https://twitter.com/n1nj4sec/status/1421190238081277959
+tags:
+ - attack.defense_evasion
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - '\..\'
+ - 'mshtml'
+ - 'RunHTMLApplication'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
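Review bot: `'*\bderepair.dll'` in `selection_sys32` carries a leading `*`, which Sigma treats as a wildcard; under `endswith` it is redundant, inconsistent with every other entry and rendered differently by some backends, so it should be `'\bderepair.dll'`. The entries `\isv.exe_rsaenh.dll`, `\ssp.exe_rsaenh.dll` and `\ssp_isv.exe_rsaenh.dll` look like identifiers from the hijacklibs naming scheme (process-specific variants of rsaenh.dll) rather than file names that exist on disk, so they presumably never match and should collapse into the existing `\rsaenh.dll` entry — worth confirming against the source. Both filters hard-code `C:\Windows\`, so a host with the OS on another drive alerts on every listed load; consider `ImageLoaded|contains` on `\Windows\System32\` and `\Windows\SysWOW64\` instead. Legitimate copies of some listed DLLs may also live under paths such as `C:\Windows\WinSxS\`, which the filters do not cover; sample on a clean host before deploying at `level: medium` and document the expected tuning in `falsepositives`.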
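Review bot: The title calls this a Rundll32 pattern, but `selection` does not constrain the image; the three `CommandLine|contains|all` tokens are specific enough that this is a point of style, yet for consistency with the title either add `Image|endswith: '\rundll32.exe'` to `selection` or reword the title to describe the command-line pattern itself. Typo in `description`: `htpp` → `http`. The `'\..\'` token ties the rule to the exact command-line shape shown in the reference, so a sentence in the description stating that only that shape is covered would stop a tuner from assuming every RunHTMLApplication invocation is detected.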