diff --git a/rules/windows/sysmon/sysmon_renamed_jusched.yml b/rules/windows/process_creation/win_renamed_jusched.yml
similarity index 100%
rename from rules/windows/sysmon/sysmon_renamed_jusched.yml
rename to rules/windows/process_creation/win_renamed_jusched.yml
diff --git a/rules/windows/sysmon/sysmon_renamed_powershell.yml b/rules/windows/process_creation/win_renamed_powershell.yml
similarity index 95%
rename from rules/windows/sysmon/sysmon_renamed_powershell.yml
rename to rules/windows/process_creation/win_renamed_powershell.yml
index 157f5876f..9522fcee2 100644
--- a/rules/windows/sysmon/sysmon_renamed_powershell.yml
+++ b/rules/windows/process_creation/win_renamed_powershell.yml
@@ -10,7 +10,7 @@ tags:
 - car.2013-05-009
 logsource:
 product: windows
- service: sysmon
+ category: process_creation
 detection:
 selection:
 Description: 'Windows PowerShell'
diff --git a/rules/windows/sysmon/sysmon_renamed_procdump.yml b/rules/windows/process_creation/win_renamed_procdump.yml
similarity index 95%
rename from rules/windows/sysmon/sysmon_renamed_procdump.yml
rename to rules/windows/process_creation/win_renamed_procdump.yml
index 803ad3398..2fbe3a4a1 100644
--- a/rules/windows/sysmon/sysmon_renamed_procdump.yml
+++ b/rules/windows/process_creation/win_renamed_procdump.yml
@@ -11,7 +11,7 @@ tags:
 - attack.t1036
 logsource:
 product: windows
- service: sysmon
+ category: process_creation
 detection:
 selection:
 OriginalFileName: 'procdump'
diff --git a/rules/windows/sysmon/sysmon_renamed_psexec.yml b/rules/windows/process_creation/win_renamed_psexec.yml
similarity index 96%
rename from rules/windows/sysmon/sysmon_renamed_psexec.yml
rename to rules/windows/process_creation/win_renamed_psexec.yml
index 75d5838ad..208af0d3a 100644
--- a/rules/windows/sysmon/sysmon_renamed_psexec.yml
+++ b/rules/windows/process_creation/win_renamed_psexec.yml
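Review bot: With `logsource` switched to `category: process_creation`, win_renamed_powershell.yml still selects on `Description: 'Windows PowerShell'`, a PE version field that to my knowledge only Sysmon Event ID 1 carries; a deployment whose process_creation category is mapped to Security 4688 would compile the rule but never fire it. The same holds for `OriginalFileName: 'procdump'` in win_renamed_procdump.yml, `Description: 'Execute processes remotely'` in win_renamed_psexec.yml and `Description: '\?'` in win_susp_file_characteristics.yml. A one-line addition to each rule's `description`, such as `Requires a process creation source that provides PE version information (e.g. Sysmon Event ID 1); Security 4688 alone does not.`, would make the dependency explicit to consumers. Only the logsource block of each rule is inside these hunks; whether the `modified` date was bumped is outside my view.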
@@ -10,7 +10,7 @@ tags:
 - car.2013-05-009
 logsource:
 product: windows
- service: sysmon
+ category: process_creation
 detection:
 selection:
 Description: 'Execute processes remotely'
diff --git a/rules/windows/sysmon/sysmon_susp_file_characteristics.yml b/rules/windows/process_creation/win_susp_file_characteristics.yml
similarity index 96%
rename from rules/windows/sysmon/sysmon_susp_file_characteristics.yml
rename to rules/windows/process_creation/win_susp_file_characteristics.yml
index 27359b185..083ccf703 100644
--- a/rules/windows/sysmon/sysmon_susp_file_characteristics.yml
+++ b/rules/windows/process_creation/win_susp_file_characteristics.yml
@@ -14,7 +14,7 @@ tags:
 - attack.t1064
 logsource:
 product: windows
- service: sysmon
+ category: process_creation
 detection:
 selection1:
 Description: '\?'
diff --git a/rules/windows/sysmon/sysmon_in_memory_powershell.yml b/rules/windows/sysmon/sysmon_in_memory_powershell.yml
index d6108e16d..76d5b989f 100644
--- a/rules/windows/sysmon/sysmon_in_memory_powershell.yml
+++ b/rules/windows/sysmon/sysmon_in_memory_powershell.yml
@@ -24,7 +24,7 @@ detection:
 Image|endswith:
 - '\powershell.exe'
 - '\WINDOWS\System32\sdiagnhost.exe'
- User: 'NT AUTHORITY\SYSTEM'
+ # User: 'NT AUTHORITY\SYSTEM' # if set, matches all powershell processes not launched by SYSTEM
 condition: selection and not filter
 falsepositives:
 - Used by some .NET binaries, minimal on user workstation.
diff --git a/rules/windows/sysmon/sysmon_minidumwritedump_lsass.yml b/rules/windows/sysmon/sysmon_suspicious_dbghelp_dbgcore_load.yml
similarity index 79%
rename from rules/windows/sysmon/sysmon_minidumwritedump_lsass.yml
rename to rules/windows/sysmon/sysmon_suspicious_dbghelp_dbgcore_load.yml
index 556b2b6f9..b5f36b4e4 100644
--- a/rules/windows/sysmon/sysmon_minidumwritedump_lsass.yml
+++ b/rules/windows/sysmon/sysmon_suspicious_dbghelp_dbgcore_load.yml
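Review bot: The `User: 'NT AUTHORITY\SYSTEM'` entry of the `filter` block in sysmon_in_memory_powershell.yml is commented out instead of deleted, and the trailing comment `# if set, matches all powershell processes not launched by SYSTEM` is easy to misread as describing the current state rather than the old one; the same commented-out-entry pattern appears with `# - '\msiexec.exe' ...` in sysmon_suspicious_dbghelp_dbgcore_load.yml. YAML comments do not survive conversion to backend queries, so the reasoning is better kept where rule consumers see it, e.g. delete the line and add to `falsepositives`: `- powershell.exe and sdiagnhost.exe are excluded regardless of user; restricting the filter to User SYSTEM appears to have made every other powershell.exe alert`. The behavioural effect is worth stating plainly somewhere in the rule: the filter now drops every `powershell.exe`/`sdiagnhost.exe` event, not only SYSTEM-launched ones. The `selection` block is outside the hunk.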
@@ -1,12 +1,12 @@
-title: Dumping Lsass.exe Memory with MiniDumpWriteDump API
-id: dd5ab153-beaa-4315-9647-65abc5f71541
+title: Load of dbghelp/dbgcore DLL from Suspicious Process
+id: 0e277796-5f23-4e49-a490-483131d4f6e1
 status: experimental
-description: Detects the use of MiniDumpWriteDump API for dumping lsass.exe memory in a stealth way. Tools like ProcessHacker and some attacker tradecract use this
+description: Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.
 date: 2019/10/27
-modified: 2019/11/13
-author: Perez Diego (@darkquassar), oscd.community
+modified: 2020/05/23
+author: Perez Diego (@darkquassar), oscd.community, Ecco
 references:
 - https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump
 - https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html
@@ -35,7 +35,7 @@ detection:
 - '\outlook.exe'
 - '\monitoringhost.exe'
 - '\wmic.exe'
- - '\msiexec.exe'
+ # - '\msiexec.exe' an installer installing a program using one of those DLL will raise an alert
 - '\bash.exe'
 - '\wscript.exe'
 - '\cscript.exe'
@@ -62,4 +62,4 @@ fields:
 - ImageLoaded
 falsepositives:
 - Penetration tests
-level: critical
+level: high
diff --git a/rules/windows/sysmon/sysmon_wmi_module_load.yml b/rules/windows/sysmon/sysmon_wmi_module_load.yml
index 69fa4c760..5b3eca687 100644
--- a/rules/windows/sysmon/sysmon_wmi_module_load.yml
+++ b/rules/windows/sysmon/sysmon_wmi_module_load.yml
@@ -29,9 +29,9 @@ detection:
 filter:
 Image|endswith:
 - '\WmiPrvSe.exe'
- - '\WmiPrvSE.exe'
 - '\WmiAPsrv.exe'
 - '\svchost.exe'
+ - '\DeviceCensus.exe'
 condition: selection and not filter
 fields:
 - ComputerName
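Review bot: The rewritten `description` line of sysmon_suspicious_dbghelp_dbgcore_load.yml keeps the typo `tradecract` from the old text; since the line is replaced anyway, `tradecraft` belongs there, and `SilentTrynity` looks like a misspelling of the SILENTTRINITY framework, worth checking against the project name. Assigning a new `id` (0e277796-… replacing dd5ab153-…) alongside the rename cuts the link for anyone who tuned, allow-listed or ticketed the old rule by id; if the wider scope justifies a new id, a `related` entry pointing at the old id, or at minimum a sentence in the description, preserves the history. The `level: critical` → `high` change in the third hunk is consistent with the broader, noisier scope but is not explained anywhere in the rule text. The filter list and the rest of the detection block are outside these hunks.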
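Review bot: The added `- '\DeviceCensus.exe'` filter entry in sysmon_wmi_module_load.yml, like its neighbours, excludes by trailing image name only, so the exclusion is satisfied by any process whose image ends in that name regardless of directory; if DeviceCensus.exe is only ever expected under System32 (I believe it is, but confirm), anchoring it as `- '\Windows\System32\DeviceCensus.exe'` narrows the exclusion at no cost. Removing the duplicate `'\WmiPrvSE.exe'` is safe because Sigma string matching is case-insensitive. The `selection` block is outside the hunk.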
diff --git a/tests/test_rules.py b/tests/test_rules.py
index 881dbcd7e..752611ed0 100755
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
@@ -486,6 +486,25 @@ class TestRules(unittest.TestCase):
 self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with missing or malformed 'id' fields. Create an id (e.g. here: https://www.uuidgenerator.net/version4) and add it to the reported rule(s).")
+ def test_sysmon_rule_without_eventid(self):
+ faulty_rules = []
+ for file in self.yield_next_rule_file_path(self.path_to_rules):
+ logsource = self.get_rule_part(file_path=file, part_name="logsource")
+ service = logsource.get('service', '')
+ if service.lower() == 'sysmon':
+ with open(file) as f:
+ found = False
+ for line in f:
+ if re.search(r'.*EventID:.*$', line): # might be on a single line or in multiple lines
+ found = True
+ break
+ if not found:
+ faulty_rules.append(file)
+
+ self.assertEqual(faulty_rules, [], Fore.RED +
+ "There are rules using sysmon events but with no EventID specified")
+
+
 def test_missing_date(self):
 faulty_rules = []
 for file in self.yield_next_rule_file_path(self.path_to_rules):
@@ -538,7 +557,7 @@ class TestRules(unittest.TestCase):
 faulty_rules.append(file)
 wrong_casing = []
 for word in title.split(" "):
- if word.islower() and not word.lower() in allowed_lowercase_words and not "." in word and not word[0].isdigit():
+ if word.islower() and not word.lower() in allowed_lowercase_words and not "." in word and not "/" in word and not word[0].isdigit():
 wrong_casing.append(word)
 if len(wrong_casing) > 0:
 print(Fore.RED + "Rule {} has a title that has not title capitalization. Words: '{}'".format(file, ", ".join(wrong_casing)))
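Review bot: The `re.search(r'.*EventID:.*$', line)` check in test_sysmon_rule_without_eventid is a plain substring test dressed as a regex (the `.*` wrappers add nothing under `search`), and the loop-with-flag around it collapses to `found = any('EventID:' in line for line in f)`, opened with `open(file, encoding='utf-8')` so the scan does not depend on the platform default encoding. Because it scans raw lines, a rule whose description or a comment mentions `EventID:` passes even when its detection block has none; the parsed `detection` part, which the test already obtains for `logsource` via `get_rule_part`, would be the stricter place to look. `logsource.get(...)` presumably raises AttributeError instead of flagging the rule if `get_rule_part` returns None for a rule without a logsource section, but that helper is outside the hunk so I may be wrong. The enclosing class continues outside the hunk.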
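Review bot: The rewritten condition in the second hunk carries on the `not word.lower() in allowed_lowercase_words` / `not "." in word` / `not "/" in word` form; Python's `not in` reads better, and the growing list of exempt characters folds into one test: `if word.islower() and word.lower() not in allowed_lowercase_words and not any(c in word for c in "./") and not word[0].isdigit():`. Each new exemption has so far meant editing this one long line, so a small `_is_wrongly_cased(word)` helper with a one-line docstring naming the exemptions would make the next one a contained change. The enclosing test method starts before the hunk.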