From 899c2ff23a9fec9336f3691536f588d32e5ffbe5 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Mon, 5 Jun 2023 11:50:43 +0200
Subject: [PATCH] chore: update defender rules
---
 .github/workflows/known-FPs.csv | 1 +
 ...posh_pc_tamper_windows_defender_set_mp.yml | 65 +++++++++++++++++++
 .../posh_pc_tamper_with_windows_defender.yml | 62 ------------------
 ...osh_ps_tamper_windows_defender_rem_mp.yml} | 0
 ...osh_ps_tamper_windows_defender_set_mp.yml} | 33 +++++-----
 ..._creation_win_reg_disable_sec_services.yml | 47 ++++----------
 ...ation_win_reg_windows_defender_tamper.yml} | 40 +++++++-----
 .../registry_set_windows_defender_tamper.yml | 20 +++---
 8 files changed, 128 insertions(+), 140 deletions(-)
 create mode 100644 rules/windows/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yml
 delete mode 100644 rules/windows/powershell/powershell_classic/posh_pc_tamper_with_windows_defender.yml
 rename rules/windows/powershell/powershell_script/{posh_ps_tamper_defender_remove_mppreference.yml => posh_ps_tamper_windows_defender_rem_mp.yml} (100%)
 rename rules/windows/powershell/powershell_script/{posh_ps_tamper_defender.yml => posh_ps_tamper_windows_defender_set_mp.yml} (88%)
 rename rules/windows/process_creation/{proc_creation_win_reg_defender_tampering.yml => proc_creation_win_reg_windows_defender_tamper.yml} (84%)
diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv
index 6f9c94743..d103c30a3 100644
--- a/.github/workflows/known-FPs.csv
+++ b/.github/workflows/known-FPs.csv
@@ -56,3 +56,4 @@ a62b37e0-45d3-48d9-a517-90c1a1b0186b;Eventlog Cleared;Computer: WIN-06FB45IHQ35
 4eec988f-7bf0-49f1-8675-1e6a510b3a2a;Potential PendingFileRenameOperations Tamper;target\.tmp
 48bfd177-7cf2-412b-ad77-baf923489e82;Image Load of VSS Dll by Uncommon Executable;SetupFrontEnd.exe
 87911521-7098-470b-a459-9a57fc80bdfd;Sysmon Configuration Updated;.*
+0eb46774-f1ab-4a74-8238-1155855f2263;Disable Windows Defender Functionalities Via Registry Keys;.*
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yml b/rules/windows/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yml
new file mode 100644
index 000000000..e6b12df7f
--- /dev/null
+++ b/rules/windows/powershell/powershell_classic/posh_pc_tamper_windows_defender_set_mp.yml
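Review bot: The new known-FPs.csv entry for rule `0eb46774-f1ab-4a74-8238-1155855f2263` uses `.*` as its third column, so every match of that rule is excused from the false-positive check rather than the one benign artefact that caused it; two of the three neighbouring entries scope the exception to a concrete value (`target\.tmp`, `SetupFrontEnd.exe`) and only the Sysmon entry is equally broad. The rule id does not appear elsewhere in this patch; judging by the title it presumably belongs to the registry_set_windows_defender_tamper.yml rule, whose `\Features\TamperProtection` entry is re-enabled further down. Narrowing the third column to the expected benign match, or stating in the commit message why a blanket exception is intended, would keep the check meaningful for this rule.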
@@ -0,0 +1,65 @@
+title: Tamper Windows Defender - PSClassic
+id: ec19ebab-72dc-40e1-9728-4c0b805d722c
+related:
+ - id: ec19ebab-72dc-40e1-9728-4c0b805d722c
+ type: similar
+status: experimental
+description: Attempting to disable scheduled scanning and other parts of windows defender atp. Or set default actions to allow.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
+author: frack113, Nasreddine Bencherchali (Nextron Systems)
+date: 2021/06/07
+modified: 2023/06/05
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
+logsource:
+ product: windows
+ category: ps_classic_provider_start
+ definition: fields have to be extract from event
+detection:
+ selection_options_disabling_preference:
+ HostApplication|contains: 'Set-MpPreference'
+ selection_options_disabling_value:
+ HostApplication|contains:
+ - ' 1 '
+ - '$true'
+ selection_options_disabling_function:
+ HostApplication|contains:
+ - 'dbaf'
+ - 'dbm'
+ - 'dips'
+ - 'DisableArchiveScanning'
+ - 'DisableBehaviorMonitoring'
+ - 'DisableBlockAtFirstSeen'
+ - 'DisableIntrusionPreventionSystem'
+ - 'DisableIOAVProtection'
+ - 'DisableRealtimeMonitoring'
+ - 'DisableRemovableDriveScanning'
+ - 'DisableScanningMappedNetworkDrivesForFullScan'
+ - 'DisableScanningNetworkFiles'
+ - 'DisableScriptScanning'
+ - 'drdsc'
+ - 'drtm'
+ - 'dscrptsc'
+ - 'dsmndf'
+ - 'dsnf'
+ - 'dss'
+ selection_other_default_actions_allow:
+ HostApplication|contains|all:
+ - 'Set-MpPreference'
+ - 'Allow'
+ HostApplication|contains:
+ - 'LowThreatDefaultAction'
+ - 'ModerateThreatDefaultAction'
+ - 'HighThreatDefaultAction'
+ selection_other_use_of_alias:
+ HostApplication|contains:
+ - 'ltdefac '
+ - 'mtdefac '
+ - 'htdefac '
+ - 'stdefac '
+ condition: all of selection_options_disabling_* or 1 of selection_other_*
+falsepositives:
+ - Unknown
+level: high
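Review bot: The `related` block of the new rule lists `ec19ebab-72dc-40e1-9728-4c0b805d722c` as a `similar` rule, but that is the rule's own `id` two lines above, so the reference is circular; it should name the powershell_script counterpart (`posh_ps_tamper_windows_defender_set_mp.yml`), whose id is outside this patch. Separately, `selection_options_disabling_value` now requires `' 1 '` with a space on both sides, so a `HostApplication` value in which `1` is the final character of the command line would no longer satisfy it, whereas the deleted rule matched `'DisableRealtimeMonitoring 1'` without a trailing space; worth confirming against a sample event before relying on it. The same `' 1 '` change is made in the `@@ -24,45 +24,44 @@` hunk of posh_ps_tamper_windows_defender_set_mp.yml. The `logsource.definition` text carried over from the old rule, `fields have to be extract from event`, would read better as `fields have to be extracted from the event`.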
diff --git a/rules/windows/powershell/powershell_classic/posh_pc_tamper_with_windows_defender.yml b/rules/windows/powershell/powershell_classic/posh_pc_tamper_with_windows_defender.yml
deleted file mode 100644
index b5e017597..000000000
--- a/rules/windows/powershell/powershell_classic/posh_pc_tamper_with_windows_defender.yml
+++ /dev/null
@@ -1,62 +0,0 @@
-title: Tamper Windows Defender - PSClassic
-id: ec19ebab-72dc-40e1-9728-4c0b805d722c
-related:
- - id: ec19ebab-72dc-40e1-9728-4c0b805d722c
- type: similar
-status: experimental
-description: Attempting to disable scheduled scanning and other parts of windows defender atp. Or set default actions to allow.
-references:
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1562.001/T1562.001.md
-author: frack113
-date: 2021/06/07
-modified: 2023/01/12
-tags:
- - attack.defense_evasion
- - attack.t1562.001
-logsource:
- product: windows
- category: ps_classic_provider_start
- definition: fields have to be extract from event
-detection:
- selection_tamper_ps_action:
- HostApplication|contains: 'Set-MpPreference'
- selection_tamper_ps_option:
- HostApplication|contains:
- - 'DisableRealtimeMonitoring 1'
- - 'DisableBehaviorMonitoring 1'
- - 'DisableScriptScanning 1'
- - 'DisableArchiveScanning 1'
- - 'DisableBlockAtFirstSeen 1'
- - 'DisableIOAVProtection 1'
- - 'DisableIntrusionPreventionSystem 1'
- - 'DisableRemovableDriveScanning 1'
- - 'DisableScanningMappedNetworkDrivesForFullScan 1'
- - 'DisableScanningNetworkFiles 1'
- - 'DisableRealtimeMonitoring $true'
- - 'DisableBehaviorMonitoring $true'
- - 'DisableScriptScanning $true'
- - 'DisableArchiveScanning $true'
- - 'DisableBlockAtFirstSeen $true'
- - 'DisableIOAVProtection $true'
- - 'DisableIntrusionPreventionSystem $true'
- - 'DisableRemovableDriveScanning $true'
- - 'DisableScanningMappedNetworkDrivesForFullScan $true'
- - 'DisableScanningNetworkFiles $true'
- selection_tamper_other_default_actions_allow:
- HostApplication|contains|all:
- - 'Set-MpPreference'
- - Allow
- HostApplication|contains:
- - LowThreatDefaultAction
- - ModerateThreatDefaultAction
- - HighThreatDefaultAction
- selection_tamper_other_alias:
- HostApplication|contains:
- - 'ltdefac '
- - 'mtdefac '
- - 'htdefac '
- - 'stdefac '
- condition: all of selection_tamper_ps_* or 1 of selection_tamper_other_*
-falsepositives:
- - Unknown
-level: high
diff --git a/rules/windows/powershell/powershell_script/posh_ps_tamper_defender_remove_mppreference.yml b/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_rem_mp.yml
similarity index 100%
rename from rules/windows/powershell/powershell_script/posh_ps_tamper_defender_remove_mppreference.yml
rename to rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_rem_mp.yml
diff --git a/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml b/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml
similarity index 88%
rename from rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml
rename to rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml
index a0ca2b8f9..372585a87 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_tamper_defender.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_tamper_windows_defender_set_mp.yml
@@ -11,7 +11,7 @@ references:
 - https://bidouillesecurity.com/disable-windows-defender-in-powershell/
 author: frack113, elhoim, Tim Shelton (fps, alias support), Swachchhanda Shrawan Poudel
 date: 2022/01/16
-modified: 2023/05/10
+modified: 2023/06/05
 tags:
 - attack.defense_evasion
 - attack.t1562.001
@@ -24,45 +24,44 @@ detection:
 ScriptBlockText|contains: 'Set-MpPreference'
 selection_options_disabling_value:
 ScriptBlockText|contains:
- - '1'
+ - ' 1 '
 - '$true'
 selection_options_disabling_function:
 ScriptBlockText|contains:
- - 'DisableRealtimeMonitoring'
- - 'DisableBehaviorMonitoring'
- - 'DisableScriptScanning'
+ - 'dbaf'
+ - 'dbm'
+ - 'dips'
 - 'DisableArchiveScanning'
+ - 'DisableBehaviorMonitoring'
 - 'DisableBlockAtFirstSeen'
- - 'DisableIOAVProtection'
 - 'DisableIntrusionPreventionSystem'
+ - 'DisableIOAVProtection'
+ - 'DisableRealtimeMonitoring'
 - 'DisableRemovableDriveScanning'
 - 'DisableScanningMappedNetworkDrivesForFullScan'
 - 'DisableScanningNetworkFiles'
+ - 'DisableScriptScanning'
+ - 'drdsc'
 - 'drtm'
- - 'dbm'
- - 'dss'
- - 'dbaf'
- - 'dip'
- - 'dips'
- - 'drds'
 - 'dscrptsc'
 - 'dsmndf'
 - 'dsnf'
+ - 'dss'
 selection_other_default_actions_allow:
 ScriptBlockText|contains|all:
 - 'Set-MpPreference'
- - Allow
+ - 'Allow'
 ScriptBlockText|contains:
- - LowThreatDefaultAction
- - ModerateThreatDefaultAction
- - HighThreatDefaultAction
+ - 'LowThreatDefaultAction'
+ - 'ModerateThreatDefaultAction'
+ - 'HighThreatDefaultAction'
 selection_other_use_of_alias:
 ScriptBlockText|contains:
 - 'ltdefac '
 - 'mtdefac '
 - 'htdefac '
 - 'stdefac '
- condition: all of selection_options_disabling* or 1 of selection_other_*
+ condition: all of selection_options_disabling_* or 1 of selection_other_*
 falsepositives:
 - Legitimate PowerShell scripts
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_reg_disable_sec_services.yml b/rules/windows/process_creation/proc_creation_win_reg_disable_sec_services.yml
index 73c55dd89..8b09edd8e 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_disable_sec_services.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_disable_sec_services.yml
@@ -1,7 +1,7 @@
-title: Reg Disable Security Service
+title: Security Service Disabled Via Reg.EXE
 id: 5e95028c-5229-4214-afae-d653d573d0ec
-status: experimental
+status: test
-description: Detects a suspicious reg.exe invocation that looks as if it would disable an important security service
+description: Detects execution of "reg.exe" to disable security service such as Windows Defender.
 references:
 - https://twitter.com/JohnLaTwC/status/1415295021041979392
 - https://github.com/gordonbay/Windows-On-Reins/blob/e587ac7a0407847865926d575e3c46f68cf7c68d/wor.ps1
@@ -9,7 +9,7 @@ references:
 - https://bidouillesecurity.com/disable-windows-defender-in-powershell/
 author: Florian Roth (Nextron Systems), John Lambert (idea), elhoim
 date: 2021/07/14
-modified: 2022/05/05
+modified: 2023/06/05
 tags:
 - attack.defense_evasion
 - attack.t1562.001
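Review bot: The new `description` reads `disable security service such as Windows Defender`, but the detection below lists more than a dozen services, so `Detects execution of "reg.exe" to disable security services such as Windows Defender` is the intended wording. In the same hunk `status` moves from `experimental` to `test` while the detection logic in the `@@ -23,44 +23,23 @@` hunk is substantially rewritten; if the repository's convention is that a reworked detection is re-validated before promotion, the status change may be premature.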
@@ -23,44 +23,23 @@ detection:
 - 'add'
 selection_cli_reg_start:
 CommandLine|contains|all:
- - ' /d 4'
- - ' /v Start'
+ - 'd 4'
+ - 'v Start'
 CommandLine|contains:
- - '\Sense'
- - '\WinDefend'
+ - '\AppIDSvc'
 - '\MsMpSvc'
 - '\NisSrv'
+ - '\SecurityHealthService'
+ - '\Sense'
+ - '\UsoSvc'
 - '\WdBoot'
+ - '\WdFilter'
 - '\WdNisDrv'
 - '\WdNisSvc'
+ - '\WinDefend'
 - '\wscsvc'
- - '\SecurityHealthService'
 - '\wuauserv'
- - '\UsoSvc'
- - '\WdFilter'
- - '\AppIDSvc'
- selection_cli_reg_disable_defender:
- CommandLine|contains|all:
- - ' /d 1'
- - 'Windows Defender'
- CommandLine|contains:
- - 'DisableIOAVProtection'
- - 'DisableOnAccessProtection'
- - 'DisableRoutinelyTakingAction'
- - 'DisableScanOnRealtimeEnable'
- - 'DisableBlockAtFirstSeen'
- - 'DisableBehaviorMonitoring'
- - 'DisableEnhancedNotifications'
- - 'DisableAntiSpyware'
- - 'DisableAntiSpywareRealtimeProtection'
- - 'DisableConfig'
- - 'DisablePrivacyMode'
- - 'SignatureDisableUpdateOnStartupWithoutEngine'
- - 'DisableArchiveScanning'
- - 'DisableIntrusionPreventionSystem'
- - 'DisableScriptScanning'
 condition: selection_reg_add and 1 of selection_cli_*
 falsepositives:
- - Unknown
- - Other security solution installers
+ - Unlikely
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_reg_defender_tampering.yml b/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml
similarity index 84%
rename from rules/windows/process_creation/proc_creation_win_reg_defender_tampering.yml
rename to rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml
index 2b841adfd..4485ee7fb 100644
--- a/rules/windows/process_creation/proc_creation_win_reg_defender_tampering.yml
+++ b/rules/windows/process_creation/proc_creation_win_reg_windows_defender_tamper.yml
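Review bot: `selection_cli_reg_start` now matches `'d 4'` and `'v Start'` with neither the switch character nor the leading space; the intent is presumably to accept both `/d` and `-d` spellings (the `' /d 0'`/`' -d 0'` pair collapsed to `'d 0'` in proc_creation_win_reg_windows_defender_tamper.yml points the same way), but nothing in the rule records that, and a later maintainer could reasonably restore the anchored form. A comment on the line such as `# no switch character on purpose: covers both "/d 4" and "-d 4"` would keep the reason with the pattern. The `falsepositives` entry `Other security solution installers` is replaced by `Unlikely` without a justification in the commit message; if that installer case was observed in practice it should stay, or the removal should say why it no longer applies.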
@@ -6,9 +6,9 @@ references:
 - https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/
 - https://github.com/swagkarna/Defeat-Defender-V1.2.0
 - https://www.elevenforum.com/t/video-guide-how-to-completely-disable-microsoft-defender-antivirus.14608/page-2
-author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel
+author: Florian Roth (Nextron Systems), Swachchhanda Shrawan Poudel, Nasreddine Bencherchali (Nextron Systems)
 date: 2022/03/22
-modified: 2023/05/10
+modified: 2023/06/05
 tags:
 - attack.defense_evasion
 - attack.t1562.001
@@ -22,40 +22,46 @@ detection:
 selection_root_path:
 CommandLine|contains:
 - 'SOFTWARE\Microsoft\Windows Defender\'
+ - 'SOFTWARE\Policies\Microsoft\Windows Defender Security Center'
 - 'SOFTWARE\Policies\Microsoft\Windows Defender\'
- - 'SOFTWARE\Policies\Microsoft\Windows Defender Security Center'
 selection_dword_0:
 CommandLine|contains|all:
 - ' add '
- - ' /d 0'
- - ' -d 0'
+ - 'd 0'
 CommandLine|contains:
- - 'SpynetReporting'
- - 'SubmitSamplesConsent'
+ - 'DisallowExploitProtectionOverride'
+ - 'EnableControlledFolderAccess'
 - 'MpEnablePus'
 - 'PUAProtection'
- - 'DisallowExploitProtectionOverride'
+ - 'SpynetReporting'
+ - 'SubmitSamplesConsent'
 - 'TamperProtection'
- - 'EnableControlledFolderAccess'
 selection_dword_1:
 CommandLine|contains|all:
 - ' add '
- - ' /d 1'
- - ' -d 1'
- CommandLine|contains:
- - 'Notification_Suppress'
+ - 'd 1'
+ CommandLine|contains:
+ - 'DisableAntiSpyware'
+ - 'DisableAntiSpywareRealtimeProtection'
+ - 'DisableAntiVirus'
+ - 'DisableArchiveScanning'
 - 'DisableBehaviorMonitoring'
+ - 'DisableBlockAtFirstSeen'
+ - 'DisableConfig'
+ - 'DisableEnhancedNotifications'
 - 'DisableIntrusionPreventionSystem'
 - 'DisableIOAVProtection'
 - 'DisableOnAccessProtection'
+ - 'DisablePrivacyMode'
 - 'DisableRealtimeMonitoring'
+ - 'DisableRoutinelyTakingAction'
 - 'DisableScanOnRealtimeEnable'
 - 'DisableScriptScanning'
- - 'DisableEnhancedNotifications'
- - 'DisableBlockAtFirstSeen'
- - 'DisableAntiSpyware'
- - 'DisableAntiVirus'
+ - 'Notification_Suppress'
+ - 'SignatureDisableUpdateOnStartupWithoutEngine'
 condition: all of selection_root_* and 1 of selection_dword_*
 falsepositives:
 - Rare legitimate use by administrators to test software (should always be investigated)
 level: high
+
+
\ No newline at end of file
diff --git a/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml b/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml
index aef54c459..33f8c1991 100644
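Review bot: The hunk appends two whitespace-only lines after `level: high` and the file now ends without a terminating newline (`\ No newline at end of file`); `level: high` should stay the last line, followed by a single newline, as in every other rule file in this patch. The `selection_cli_reg_disable_defender` block removed from proc_creation_win_reg_disable_sec_services.yml is folded into `selection_dword_1` here, and I cross-checked that all fifteen value names from that block appear in the new list, so no coverage is dropped by the move; a short remark in the commit message that the block was relocated rather than deleted would save the next reader the same comparison.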
--- a/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml
+++ b/rules/windows/registry/registry_set/registry_set_windows_defender_tamper.yml
@@ -27,12 +27,14 @@ logsource:
 detection:
 selection_main:
 EventType: SetValue
- TargetObject|contains:
+ TargetObject|contains:
 - '\SOFTWARE\Microsoft\Windows Defender\'
- - '\SOFTWARE\Policies\Microsoft\Windows Defender\'
 - '\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\'
+ - '\SOFTWARE\Policies\Microsoft\Windows Defender\'
 selection_dword_1:
 TargetObject|endswith:
+ - '\DisableAntiSpyware'
+ - '\DisableAntiVirus'
 - '\Real-Time Protection\DisableBehaviorMonitoring'
 - '\Real-Time Protection\DisableIntrusionPreventionSystem'
 - '\Real-Time Protection\DisableIOAVProtection'
@@ -42,21 +44,19 @@ detection:
 - '\Real-Time Protection\DisableScriptScanning'
 - '\Reporting\DisableEnhancedNotifications'
 - '\SpyNet\DisableBlockAtFirstSeen'
- - '\DisableAntiSpyware'
- - '\DisableAntiVirus'
 Details: 'DWORD (0x00000001)'
 selection_dword_0:
 TargetObject|endswith:
- - '\SpyNet\SpynetReporting'
- - '\SpyNet\SubmitSamplesConsent'
+ - '\App and Browser protection\DisallowExploitProtectionOverride'
+ - '\Features\TamperProtection'
 - '\MpEngine\MpEnablePus'
 - '\PUAProtection'
- - '\App and Browser protection\DisallowExploitProtectionOverride'
- #- '\Features\TamperProtection' #filtering for false positive
- - '\Windows Defender Exploit Guard\Controlled Folder Access\EnableControlledFolderAccess'
 - '\Signature Update\ForceUpdateFromMU'
+ - '\SpyNet\SpynetReporting'
+ - '\SpyNet\SubmitSamplesConsent'
+ - '\Windows Defender Exploit Guard\Controlled Folder Access\EnableControlledFolderAccess'
 Details: 'DWORD (0x00000000)'
 condition: selection_main and 1 of selection_dword_*
 falsepositives:
- - Administrator actions
+ - Administrator actions via the Windows Defender interface
 level: high
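Review bot: `'\Features\TamperProtection'` was previously commented out with `#filtering for false positive` and is re-enabled in `selection_dword_0` without the hunk or the commit message saying what changed about that false positive; the only hint is the new `falsepositives` wording `Administrator actions via the Windows Defender interface`, which reads as the FP now being accepted rather than resolved. Keep the rationale next to the entry so it is not silently commented out again, e.g. `# re-enabled 2023/06/05: <reason the earlier false positive is now acceptable>` with the placeholder filled in by the author. If the `0eb46774-f1ab-4a74-8238-1155855f2263` entry added to known-FPs.csv in this patch is this rule's id, the blanket `.*` exception there is the other half of the same decision and should be referenced here so the two are maintained together. The first hunk's `TargetObject|contains:` replacement is identical after trimming, so it looks like a trailing-whitespace fix; fine, but worth a word in the commit message so it is not mistaken for a logic change.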