From cfde0625f53ef2af49ce6cf81c80c8715cbf7fe8 Mon Sep 17 00:00:00 2001
From: ecco
Date: Sat, 23 May 2020 07:05:09 -0400
Subject: [PATCH 1/8] fix false positive matching on every powershell process not run by SYSTEM account
---
 rules/windows/sysmon/sysmon_in_memory_powershell.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/sysmon/sysmon_in_memory_powershell.yml b/rules/windows/sysmon/sysmon_in_memory_powershell.yml
index d6108e16d..76d5b989f 100644
--- a/rules/windows/sysmon/sysmon_in_memory_powershell.yml
+++ b/rules/windows/sysmon/sysmon_in_memory_powershell.yml
@@ -24,7 +24,7 @@ detection:
 Image|endswith:
 - '\powershell.exe'
 - '\WINDOWS\System32\sdiagnhost.exe'
- User: 'NT AUTHORITY\SYSTEM'
+ # User: 'NT AUTHORITY\SYSTEM' # if set, matches all powershell processes not launched by SYSTEM
 condition: selection and not filter
 falsepositives:
 - Used by some .NET binaries, minimal on user workstation.
From 9a7f462d795ffa68345179c4c2e33b1044756600 Mon Sep 17 00:00:00 2001
From: ecco
Date: Sat, 23 May 2020 07:17:56 -0400
Subject: [PATCH 2/8] move renamed bnaries rule to process creation (they made a lot of false positives in sysmon as there was no event id specified in the rule)
---
 .../win_renamed_jusched.yml} | 0
 .../win_renamed_powershell.yml} | 2 +-
 .../win_renamed_procdump.yml} | 2 +-
 .../win_renamed_psexec.yml} | 2 +-
 4 files changed, 3 insertions(+), 3 deletions(-)
 rename rules/windows/{sysmon/sysmon_renamed_jusched.yml => process_creation/win_renamed_jusched.yml} (100%)
 rename rules/windows/{sysmon/sysmon_renamed_powershell.yml => process_creation/win_renamed_powershell.yml} (95%)
 rename rules/windows/{sysmon/sysmon_renamed_procdump.yml => process_creation/win_renamed_procdump.yml} (95%)
 rename rules/windows/{sysmon/sysmon_renamed_psexec.yml => process_creation/win_renamed_psexec.yml} (96%)
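Review bot: With `User` commented out, the `filter` block now excludes every `powershell.exe` image regardless of the account running it, so the rule no longer fires for in-memory .NET loads in PowerShell started by interactive users — a coverage loss the commit message does not mention and that the rule's `description` and `falsepositives` should record. Rather than leaving a dead commented line to carry the explanation, delete it and put the reasoning where people tuning the rule look, e.g. a `falsepositives` entry `- PowerShell itself, excluded for all users because the SYSTEM-only exclusion matched every other PowerShell process`, and bump `modified` since the detection logic changed. If some signal on user-launched PowerShell is still wanted, a narrower exclusion keyed on the process's parent or command line is worth evaluating against the events that caused the false positives; the rest of the `detection` block is outside the hunk.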
diff --git a/rules/windows/sysmon/sysmon_renamed_jusched.yml b/rules/windows/process_creation/win_renamed_jusched.yml
similarity index 100%
rename from rules/windows/sysmon/sysmon_renamed_jusched.yml
rename to rules/windows/process_creation/win_renamed_jusched.yml
diff --git a/rules/windows/sysmon/sysmon_renamed_powershell.yml b/rules/windows/process_creation/win_renamed_powershell.yml
similarity index 95%
rename from rules/windows/sysmon/sysmon_renamed_powershell.yml
rename to rules/windows/process_creation/win_renamed_powershell.yml
index 157f5876f..9522fcee2 100644
--- a/rules/windows/sysmon/sysmon_renamed_powershell.yml
+++ b/rules/windows/process_creation/win_renamed_powershell.yml
@@ -10,7 +10,7 @@ tags:
 - car.2013-05-009
 logsource:
 product: windows
- service: sysmon
+ category: process_creation
 detection:
 selection:
 Description: 'Windows PowerShell'
diff --git a/rules/windows/sysmon/sysmon_renamed_procdump.yml b/rules/windows/process_creation/win_renamed_procdump.yml
similarity index 95%
rename from rules/windows/sysmon/sysmon_renamed_procdump.yml
rename to rules/windows/process_creation/win_renamed_procdump.yml
index 803ad3398..2fbe3a4a1 100644
--- a/rules/windows/sysmon/sysmon_renamed_procdump.yml
+++ b/rules/windows/process_creation/win_renamed_procdump.yml
@@ -11,7 +11,7 @@ tags:
 - attack.t1036
 logsource:
 product: windows
- service: sysmon
+ category: process_creation
 detection:
 selection:
 OriginalFileName: 'procdump'
diff --git a/rules/windows/sysmon/sysmon_renamed_psexec.yml b/rules/windows/process_creation/win_renamed_psexec.yml
similarity index 96%
rename from rules/windows/sysmon/sysmon_renamed_psexec.yml
rename to rules/windows/process_creation/win_renamed_psexec.yml
index 75d5838ad..208af0d3a 100644
--- a/rules/windows/sysmon/sysmon_renamed_psexec.yml
+++ b/rules/windows/process_creation/win_renamed_psexec.yml
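Review bot: Switching `logsource` to `category: process_creation` widens the rule from Sysmon Event ID 1 to whatever the backend maps process creation to (commonly Security 4688 as well), but the `selection` still keys on `Description: 'Windows PowerShell'`, a field only Sysmon populates, so on a 4688-only backend the rule converts cleanly yet can never match. The same applies to the procdump hunk below (`OriginalFileName: 'procdump'`), the psexec hunk on the next line (`Description: 'Execute processes remotely'`) and the win_susp_file_characteristics hunk in PATCH 7/8 (`Description: '\?'`). Either state in each rule's `description` that Sysmon-enriched process creation events are required, or keep `service: sysmon` and add `EventID: 1` to the selection, which is the missing constraint the commit message itself names as the cause of the false positives. The diffstat shows a single changed line per file, so `modified` is not bumped in any of the four rules although their log source changed; the rest of each selection is outside the hunk.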
@@ -10,7 +10,7 @@ tags:
 - car.2013-05-009
 logsource:
 product: windows
- service: sysmon
+ category: process_creation
 detection:
 selection:
 Description: 'Execute processes remotely'
From 75ba5f989cd7c223059222151a3e321e85c9860c Mon Sep 17 00:00:00 2001
From: ecco
Date: Sat, 23 May 2020 07:44:45 -0400
Subject: [PATCH 3/8] add 1 more FP to wmi load
---
 rules/windows/sysmon/sysmon_wmi_module_load.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/sysmon/sysmon_wmi_module_load.yml b/rules/windows/sysmon/sysmon_wmi_module_load.yml
index 69fa4c760..5b3eca687 100644
--- a/rules/windows/sysmon/sysmon_wmi_module_load.yml
+++ b/rules/windows/sysmon/sysmon_wmi_module_load.yml
@@ -29,9 +29,9 @@ detection:
 filter:
 Image|endswith:
 - '\WmiPrvSe.exe'
- - '\WmiPrvSE.exe'
 - '\WmiAPsrv.exe'
 - '\svchost.exe'
+ - '\DeviceCensus.exe'
 condition: selection and not filter
 fields:
 - ComputerName
From 78a7852a4392464f12618c903da1aa82346a19b9 Mon Sep 17 00:00:00 2001
From: ecco
Date: Sat, 23 May 2020 09:16:40 -0400
Subject: [PATCH 4/8] renamed dbghelp rule with new ID and comment and removed a false positive
---
 ... => sysmon_suspicious_dbghelp_dbgcore_load.yml} | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
 rename rules/windows/sysmon/{sysmon_minidumwritedump_lsass.yml => sysmon_suspicious_dbghelp_dbgcore_load.yml} (78%)
diff --git a/rules/windows/sysmon/sysmon_minidumwritedump_lsass.yml b/rules/windows/sysmon/sysmon_suspicious_dbghelp_dbgcore_load.yml
similarity index 78%
rename from rules/windows/sysmon/sysmon_minidumwritedump_lsass.yml
rename to rules/windows/sysmon/sysmon_suspicious_dbghelp_dbgcore_load.yml
index 556b2b6f9..a465cfff8 100644
--- a/rules/windows/sysmon/sysmon_minidumwritedump_lsass.yml
+++ b/rules/windows/sysmon/sysmon_suspicious_dbghelp_dbgcore_load.yml
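Review bot: The new `'\DeviceCensus.exe'` entry sits under `Image|endswith`, so any binary carrying that file name from any directory is excluded from the WMI module-load detection, not only the Windows component; for an entry whose job is to suppress alerts, prefer the full path of the process that produced the false positive, e.g. `Image: 'C:\Windows\System32\DeviceCensus.exe'` (confirm the path against the actual events). The hunk also removes the `'\WmiPrvSE.exe'` casing variant, which is safe only because Sigma string matching is case-insensitive; the commit message mentions only the addition, so the cleanup deserves a word there, and `modified` should be bumped as the filter changed. The pre-existing entries share the basename-only weakness, but that predates this change.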
@@ -1,12 +1,12 @@
-title: Dumping Lsass.exe Memory with MiniDumpWriteDump API
-id: dd5ab153-beaa-4315-9647-65abc5f71541
+title: Load of dbghelp/dbgcore DLL from suspicious processes
+id: 0e277796-5f23-4e49-a490-483131d4f6e1
 status: experimental
-description: Detects the use of MiniDumpWriteDump API for dumping lsass.exe memory in a stealth way. Tools like ProcessHacker and some attacker tradecract use this
+description: Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump
 API found in dbghelp.dll or dbgcore.dll. As an example, SilentTrynity C2 Framework has a module that leverages this API to dump the contents of Lsass.exe and transfer it over the network back to the attacker's machine.
 date: 2019/10/27
-modified: 2019/11/13
-author: Perez Diego (@darkquassar), oscd.community
+modified: 2020/05/23
+author: Perez Diego (@darkquassar), oscd.community, Ecco
 references:
 - https://docs.microsoft.com/en-us/windows/win32/api/minidumpapiset/nf-minidumpapiset-minidumpwritedump
 - https://www.pinvoke.net/default.aspx/dbghelp/MiniDumpWriteDump.html
@@ -35,7 +35,7 @@ detection:
 - '\outlook.exe'
 - '\monitoringhost.exe'
 - '\wmic.exe'
- - '\msiexec.exe'
+ # - '\msiexec.exe' an installer installing a program using one of those DLL will raise an alert
 - '\bash.exe'
 - '\wscript.exe'
 - '\cscript.exe'
@@ -62,4 +62,4 @@ fields:
 - ImageLoaded
 falsepositives:
 - Penetration tests
-level: critical
+level: high
From d9bc09c38c32333f39512614ceb1f380cc3fa44a Mon Sep 17 00:00:00 2001
From: ecco
Date: Sat, 23 May 2020 10:02:58 -0400
Subject: [PATCH 5/8] fix test
---
 rules/windows/sysmon/sysmon_suspicious_dbghelp_dbgcore_load.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/sysmon/sysmon_suspicious_dbghelp_dbgcore_load.yml b/rules/windows/sysmon/sysmon_suspicious_dbghelp_dbgcore_load.yml
index a465cfff8..b5f36b4e4 100644
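Review bot: The rewritten `description` line carries the typo `tradecract` onto the `+` side, so fix it while the line is being touched: `... Tools like ProcessHacker and some attacker tradecraft use MiniDumpWriteDump`. The new `title` and `description` broaden the rule from lsass dumping to any dbghelp/dbgcore load by the listed processes, yet the visible `references` still point only at the MiniDumpWriteDump API docs; a reference that backs the widened scope would help reviewers judge the `level` (the list continues outside the hunk). Because the `id` is replaced rather than kept, anyone pinning the previous id `dd5ab153-beaa-4315-9647-65abc5f71541` loses the rule silently; a `related` entry, if the Sigma version in use supports it, or a sentence in `description` naming the former id would ease that migration.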
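Review bot: Commenting out `- '\msiexec.exe'` leaves dead YAML inside the image list with the rationale in a trailing comment that rule consumers never see; delete the entry and record the trade-off as a `falsepositives` item, e.g. `- Installers run through msiexec.exe that load dbghelp/dbgcore during setup`, so it is visible to people tuning the rule and not only to those reading the source. This also removes coverage for dump tooling launched via msiexec, a deliberate choice the rule metadata should state. The list this entry belongs to starts and ends outside the hunk.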
--- a/rules/windows/sysmon/sysmon_suspicious_dbghelp_dbgcore_load.yml
+++ b/rules/windows/sysmon/sysmon_suspicious_dbghelp_dbgcore_load.yml
@@ -1,4 +1,4 @@
-title: Load of dbghelp/dbgcore DLL from suspicious processes
+title: Load of dbghelp/dbgcore DLL from Suspicious Process
 id: 0e277796-5f23-4e49-a490-483131d4f6e1
 status: experimental
 description: Detects the load of dbghelp/dbgcore DLL (used to make memory dumps) by suspicious processes. Tools like ProcessHacker and some attacker tradecract use MiniDumpWriteDump
From 2b89e5605469f89c9b51e59ba1e245dcffdba18d Mon Sep 17 00:00:00 2001
From: ecco
Date: Sat, 23 May 2020 10:03:13 -0400
Subject: [PATCH 6/8] fix test
---
 tests/test_rules.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/test_rules.py b/tests/test_rules.py
index 881dbcd7e..d76efab70 100755
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
@@ -538,7 +538,7 @@ class TestRules(unittest.TestCase):
 faulty_rules.append(file)
 wrong_casing = []
 for word in title.split(" "):
- if word.islower() and not word.lower() in allowed_lowercase_words and not "." in word and not word[0].isdigit():
+ if word.islower() and not word.lower() in allowed_lowercase_words and not "." in word and not "/" in word and not word[0].isdigit():
 wrong_casing.append(word)
 if len(wrong_casing) > 0:
 print(Fore.RED + "Rule {} has a title that has not title capitalization. Words: '{}'".format(file, ", ".join(wrong_casing)))
From 10ca3006f51b6debb18a2e1067629d260d9cf416 Mon Sep 17 00:00:00 2001
From: ecco
Date: Sat, 23 May 2020 10:07:55 -0400
Subject: [PATCH 7/8] move rule where needed
---
 .../win_susp_file_characteristics.yml} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename rules/windows/{sysmon/sysmon_susp_file_characteristics.yml => process_creation/win_susp_file_characteristics.yml} (96%)
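Review bot: The title-casing condition keeps growing by bolting on another `not "x" in word` clause, which reads against Python's `not in` operator, and `word.lower()` is redundant once `word.islower()` has passed, so the new line is harder to read than it needs to be. An equivalent in practice is `if word.islower() and word not in allowed_lowercase_words and "." not in word and "/" not in word and not word[0].isdigit():`, or better, hoist the punctuation exemptions into a tuple next to `allowed_lowercase_words` and test `not any(c in word for c in exempt_chars)` so the next exception does not lengthen this line again. The enclosing test method starts and ends outside the hunk.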
diff --git a/rules/windows/sysmon/sysmon_susp_file_characteristics.yml b/rules/windows/process_creation/win_susp_file_characteristics.yml
similarity index 96%
rename from rules/windows/sysmon/sysmon_susp_file_characteristics.yml
rename to rules/windows/process_creation/win_susp_file_characteristics.yml
index 27359b185..083ccf703 100644
--- a/rules/windows/sysmon/sysmon_susp_file_characteristics.yml
+++ b/rules/windows/process_creation/win_susp_file_characteristics.yml
@@ -14,7 +14,7 @@ tags:
 - attack.t1064
 logsource:
 product: windows
- service: sysmon
+ category: process_creation
 detection:
 selection1:
 Description: '\?'
From 327a53c120674588b3f1e439c373a45cda73c543 Mon Sep 17 00:00:00 2001
From: ecco
Date: Sat, 23 May 2020 10:25:37 -0400
Subject: [PATCH 8/8] add new test for sysmon rules without eventid
---
 tests/test_rules.py | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/tests/test_rules.py b/tests/test_rules.py
index d76efab70..752611ed0 100755
--- a/tests/test_rules.py
+++ b/tests/test_rules.py
@@ -486,6 +486,25 @@ class TestRules(unittest.TestCase):
 self.assertEqual(faulty_rules, [], Fore.RED + "There are rules with missing or malformed 'id' fields. Create an id (e.g. here: https://www.uuidgenerator.net/version4) and add it to the reported rule(s).")
+ def test_sysmon_rule_without_eventid(self):
+ faulty_rules = []
+ for file in self.yield_next_rule_file_path(self.path_to_rules):
+ logsource = self.get_rule_part(file_path=file, part_name="logsource")
+ service = logsource.get('service', '')
+ if service.lower() == 'sysmon':
+ with open(file) as f:
+ found = False
+ for line in f:
+ if re.search(r'.*EventID:.*$', line): # might be on a single line or in multiple lines
+ found = True
+ break
+ if not found:
+ faulty_rules.append(file)
+
+ self.assertEqual(faulty_rules, [], Fore.RED +
+ "There are rules using sysmon events but with no EventID specified")
+
+
 def test_missing_date(self):
 faulty_rules = []
 for file in self.yield_next_rule_file_path(self.path_to_rules):
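Review bot: `re.search(r'.*EventID:.*$', line)` is only a substring test, and it also accepts a commented-out `# EventID:` or the word inside a `description`, so a rule whose detection still lacks an EventID can pass this check; the inline comment about single vs. multiple lines does not describe what the regex verifies either. Since `get_rule_part` already returns the parsed mapping (the `.get('service')` call relies on that), check the `detection` part for an `EventID` key, including the `EventID|modifier` form, instead of re-reading the file as text; that also drops the `open(file)` call, which lacks `encoding=` and would decode non-ASCII rule text with the locale charset. If `get_rule_part` can return `None` for a rule without a `logsource`, `logsource.get(...)` raises `AttributeError` and aborts the whole test instead of reporting that file, hence the `or {}` fallbacks below. The rest of the class and `test_missing_date` continue outside the hunk.
```python
    def test_sysmon_rule_without_eventid(self):
        faulty_rules = []
        for file in self.yield_next_rule_file_path(self.path_to_rules):
            logsource = self.get_rule_part(file_path=file, part_name="logsource") or {}
            if logsource.get('service', '').lower() != 'sysmon':
                continue
            detection = self.get_rule_part(file_path=file, part_name="detection") or {}
            # Walk the parsed detection instead of grepping the file, so commented-out
            # or descriptive mentions of EventID do not count as a constraint.
            if not self._has_eventid(detection):
                faulty_rules.append(file)
        # … unchanged: assertEqual with the Fore.RED message …

    def _has_eventid(self, node):
        """Return True if any mapping key under node is EventID (with or without a |modifier)."""
        if isinstance(node, dict):
            return any(str(key).split('|', 1)[0] == 'EventID' or self._has_eventid(value)
                       for key, value in node.items())
        if isinstance(node, list):
            return any(self._has_eventid(item) for item in node)
        return False
```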