From 6cd2e26fa0023878718752f7fc44f688f349d48c Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 30 Jul 2021 16:54:29 +0200
Subject: [PATCH 1/9] rule: WinDivert driver load

---
 .../sysmon_vuln_dell_driver_load copy.yml | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 rules/windows/driver_load/sysmon_vuln_dell_driver_load copy.yml

diff --git a/rules/windows/driver_load/sysmon_vuln_dell_driver_load copy.yml b/rules/windows/driver_load/sysmon_vuln_dell_driver_load copy.yml
new file mode 100644
index 000000000..b462fc2fd
--- /dev/null
+++ b/rules/windows/driver_load/sysmon_vuln_dell_driver_load copy.yml
@@ -0,0 +1,26 @@
+title: WinDivert Driver Load
+id: 679085d5-f427-4484-9f58-1dc30a7c426d
+status: experimental
+description: Detects the load of the Windiver driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows
+author: Florian Roth
+date: 2021/07/30
+references:
+    - https://reqrypt.org/windivert-doc.html
+    - https://rastamouse.me/ntlm-relaying-via-cobalt-strike/
+tags:
+    - attack.collection
+    - attack.defense_evasion
+    - attack.t1599.001
+    - attack.t1557.001
+logsource:
+    category: driver_load
+    product: windows
+detection:
+    selection:
+        ImageLoaded|contains:
+            - '\WinDivert.sys'
+            - '\WinDivert64.sys'
+    condition: selection
+falsepositives:
+    - legitimate WinDivert driver usage
+level: high

From a04aa6ac49b0f72dd0735c135be635fd07c7aad5 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 31 Jul 2021 10:18:21 +0200
Subject: [PATCH 2/9] rule: ADCSPwn

---
 .../process_creation/win_hack_adcspwn.yml | 22 +++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 rules/windows/process_creation/win_hack_adcspwn.yml

diff --git a/rules/windows/process_creation/win_hack_adcspwn.yml b/rules/windows/process_creation/win_hack_adcspwn.yml
new file mode 100644
index 000000000..fcaa5c41b
--- /dev/null
+++ b/rules/windows/process_creation/win_hack_adcspwn.yml
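Review bot: `description` misspells the driver name as `Windiver`; suggest `description: Detects the load of the WinDivert driver, a powerful user-mode capture/sniffing/modification/blocking/re-injection package for Windows`. The selection keys only on the file name in `ImageLoaded`, so a renamed copy of the driver is not caught; driver_load events also carry hash and signature information, and a second selection on known hashes — the approach the sibling `sysmon_vuln_dell_driver_load.yml` rule in patch 9 takes with its `selection_hash` — would make the rule harder to evade. `falsepositives` could also say what "legitimate WinDivert driver usage" looks like (software that bundles the driver), since `level: high` on a file name alone will fire on every such install.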
@@ -0,0 +1,22 @@
+title: ADCSPwn Hack Tool
+id: cd8c163e-a19b-402e-bdd5-419ff5859f12
+description: Detects command line parameters used by ADCSPwn, a tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service
+author: Florian Roth
+references:
+    - https://github.com/bats3c/ADCSPwn
+date: 2021/07/31
+tags:
+    - attack.credential_access
+    - attack.t1557.001
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine|contains|all:
+            - ' --adcs '
+            - ' --port '
+    condition: selection
+falsepositives:
+    - unlikely
+level: critical

From bda207660d70f2169ab522986b5a8b1d2b7077c9 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 31 Jul 2021 12:51:42 +0200
Subject: [PATCH 3/9] refactor: modified CobaltStrike service install rule

---
 .../win_cobaltstrike_service_installs.yml | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/rules/windows/builtin/win_cobaltstrike_service_installs.yml b/rules/windows/builtin/win_cobaltstrike_service_installs.yml
index 9834aee86..d764e1af5 100644
--- a/rules/windows/builtin/win_cobaltstrike_service_installs.yml
+++ b/rules/windows/builtin/win_cobaltstrike_service_installs.yml
@@ -4,8 +4,9 @@ description: Detects known malicious service installs that appear in cases in wh
 author: Florian Roth, Wojciech Lesicki
 references:
     - https://www.sans.org/webcasts/119395
+    - https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/
 date: 2021/05/26
-modified: 2021/06/03
+modified: 2021/07/31
 tags:
     - attack.execution
     - attack.privilege_escalation
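Review bot: The new ADCSPwn rule omits `status:`, which every other new rule in this series sets; add `status: experimental` after the `id:` line. The match rests on `' --adcs '` together with `' --port '`, and `--port` is a very common option name, so `level: critical` is justified only as long as `--adcs` stays distinctive to this tool; a `falsepositives` entry naming that assumption (instead of the bare `unlikely`) would help whoever has to tune it later. As a style point, `date:` sits after `references:` here while the other rules in the series place it directly after `author:`.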
@@ -17,18 +18,24 @@ logsource:
     product: windows
     service: system
 detection:
-    selection1:
+    selection_id:
         EventID: 7045
-    selection2:
+    selection1:
         ServiceFileName|contains|all:
             - 'ADMIN$'
             - '.exe'
-    selection3:
+    selection2:
         ServiceFileName|contains|all:
             - '%COMSPEC%'
             - 'start'
             - 'powershell'
-    condition: selection1 and (selection2 or selection3)
+    selection3:
+        ServiceFileName|contains:
+            - 'powershell -nop -w hidden -encodedcommand'
+    selection4:
+        ServiceFileName|contains|base64offset:
+            - "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:"
+    condition: selection_id and (selection1 or selection2 or selection3 or selection4)
 falsepositives:
     - Unknown
 level: critical

From 97d2dc89a875ff2269f57ca83aa1c31fb283a335 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 2 Aug 2021 00:25:09 +0200
Subject: [PATCH 4/9] fix: order of modifiers

---
 rules/windows/builtin/win_cobaltstrike_service_installs.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/builtin/win_cobaltstrike_service_installs.yml b/rules/windows/builtin/win_cobaltstrike_service_installs.yml
index d764e1af5..5285feef1 100644
--- a/rules/windows/builtin/win_cobaltstrike_service_installs.yml
+++ b/rules/windows/builtin/win_cobaltstrike_service_installs.yml
@@ -33,7 +33,7 @@ detection:
         ServiceFileName|contains:
             - 'powershell -nop -w hidden -encodedcommand'
     selection4:
-        ServiceFileName|contains|base64offset:
+        ServiceFileName|base64offset|contains:
             - "IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:"
     condition: selection_id and (selection1 or selection2 or selection3 or selection4)
 falsepositives:

From 1ac49a2055ac9ef0d196d4846176ae13e4d6698c Mon Sep 17 00:00:00 2001
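Review bot: `selection4` base64-matches the ASCII bytes of `IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:`, but the argument of `-encodedcommand` (the form `selection3` targets) is Base64 of the UTF-16LE command text, so the ASCII offsets will not match an encoded PowerShell command; if that is the intended case, the chain needs Sigma's `wide` (UTF-16LE) modifier as well, i.e. `ServiceFileName|wide|base64offset|contains:`. The same applies to the reordered line in the patch 4 hunk for this file, which only fixes the modifier order. If ASCII base64 was deliberate (non-PowerShell payloads), a one-line comment above `selection4` saying so would stop the next reviewer from raising this again. Minor: `selection3`'s literal `-encodedcommand` misses the abbreviated spellings PowerShell accepts (`-enc`, `-e`), which may be an intended precision trade-off but deserves a comment.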
From: Florian Roth
Date: Sat, 7 Aug 2021 09:22:24 +0200
Subject: [PATCH 5/9] rule: ProxyShell patterns

---
 rules/web/web_exchange_proxyshell.yml | 32 +++++++++++++++++++
 .../process_mailboxexport_share.yaml | 25 +++++++++++++++
 2 files changed, 57 insertions(+)
 create mode 100644 rules/web/web_exchange_proxyshell.yml
 create mode 100644 rules/windows/process_creation/process_mailboxexport_share.yaml

diff --git a/rules/web/web_exchange_proxyshell.yml b/rules/web/web_exchange_proxyshell.yml
new file mode 100644
index 000000000..2b19fe2b4
--- /dev/null
+++ b/rules/web/web_exchange_proxyshell.yml
@@ -0,0 +1,32 @@
+title: Exchange ProxyShell Pattern
+id: 23eee45e-933b-49f9-ae1b-df706d2d52ef
+status: experimental
+description: Detects URP patterns that could be found in ProxyShell exloitation attempts against Exchange servers
+references:
+    - https://youtu.be/5mqid-7zp8k?t=2231
+    - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
+author: Florian Roth
+date: 2020/08/07
+tags:
+    - attack.initial_access
+logsource:
+    category: webserver
+
+detection:
+    selection1:
+        c-uri|contains|all:
+            - '/autodiscover/autodiscover.json?'
+            - '%3f@'
+    selection2:
+        c-uri|contains:
+            # since we don't know how it will appear in the log files, we'll just use all versions
+            - 'autodiscover.json?@'
+            - 'autodiscover.json%3f@'
+            - '%3f@foo.com'
+            - 'Email=autodiscover/autodiscover.json'
+            - 'json?@foo.com'
+            - 'autodiscover.json?@'
+    condition: 1 of them
+falsepositives:
+    - Unknown
+level: high
\ No newline at end of file
diff --git a/rules/windows/process_creation/process_mailboxexport_share.yaml b/rules/windows/process_creation/process_mailboxexport_share.yaml
new file mode 100644
index 000000000..77bc04c2e
--- /dev/null
+++ b/rules/windows/process_creation/process_mailboxexport_share.yaml
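Review bot: `date: 2020/08/07` is a year off — the commit date and the sibling `process_mailboxexport_share.yaml` rule use 2021/08/07 — and the value survives unchanged as a context line in the patch 7 hunk for this file; change it to `date: 2021/08/07`. The description has two typos; suggest `description: Detects URI patterns that could be found in ProxyShell exploitation attempts against Exchange servers`. Two `selection2` entries, `'%3f@foo.com'` and `'json?@foo.com'`, embed the placeholder host from the published proof of concept and only fire on a verbatim reuse of it, whereas the host-independent entries (`'autodiscover.json?@'`, `'autodiscover.json%3f@'`) are what actually generalize; a comment marking the `foo.com` entries as PoC-specific, or dropping them, would make the rule's coverage honest. The file is also written without a trailing newline (`\ No newline at end of file`).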
@@ -0,0 +1,25 @@
+title: Suspicious MailboxExport to Share
+id: 889719ef-dd62-43df-86c3-768fb08dc7c0
+status: experimental
+description: Detects a PowerShell New-MailboxExportRequest that exports a mailbox to a local share, as used in ProxyShell exploitations
+references:
+    - https://youtu.be/5mqid-7zp8k?t=2481
+    - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
+author: Florian Roth
+date: 2021/08/07
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine|contains|all:
+            - 'New-MailboxExport'
+            - ' -Mailbox '
+            - ' -FilePath \\127.0.0.1\C$'
+    condition: selection
+falsepositives:
+    - unknown
+level: critical
+fields:
+    - CommandLine
+    - ParentCommandLine

From 5f89a29ea7c89fc365f570df4ddc2cfe0c9ee906 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sat, 7 Aug 2021 10:01:23 +0200
Subject: [PATCH 6/9] fix file name

---
 ...s_mailboxexport_share.yaml => process_mailboxexport_share.yml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename rules/windows/process_creation/{process_mailboxexport_share.yaml => process_mailboxexport_share.yml} (100%)

diff --git a/rules/windows/process_creation/process_mailboxexport_share.yaml b/rules/windows/process_creation/process_mailboxexport_share.yml
similarity index 100%
rename from rules/windows/process_creation/process_mailboxexport_share.yaml
rename to rules/windows/process_creation/process_mailboxexport_share.yml

From 0a8904a61e7448ed41d63ff9bd0d076e1d634cba Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 7 Aug 2021 10:10:12 +0200
Subject: [PATCH 7/9] fix: issues with new rule

---
 rules/web/web_exchange_proxyshell.yml | 5 ++--
 .../process_mailboxexport_share.yml | 26 +++++++++++++++++++
 2 files changed, 28 insertions(+), 3 deletions(-)
 create mode 100644 rules/windows/process_creation/process_mailboxexport_share.yml
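Review bot: The rule has no `tags:` block, unlike every other rule in this series, so it carries no ATT&CK mapping; exporting a mailbox to a share is email collection, e.g. `tags:` / `    - attack.collection` / `    - attack.t1114.002`. The third `contains|all` term pins the export target to the exact spelling `' -FilePath \\127.0.0.1\C$'`, so an export aimed at `\\localhost\C$`, at the server's own host name, or at a share on another drive is missed; since the loopback target is what makes the command suspicious (the cmdlet normally takes a UNC path anyway), an additional selection for the `\\localhost\` spelling, or a comment stating why only `127.0.0.1` is covered, would be worthwhile. Both points apply equally to the re-created copy of this rule in the patch 7 hunk.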
diff --git a/rules/web/web_exchange_proxyshell.yml b/rules/web/web_exchange_proxyshell.yml
index 2b19fe2b4..a838600a7 100644
--- a/rules/web/web_exchange_proxyshell.yml
+++ b/rules/web/web_exchange_proxyshell.yml
@@ -5,18 +5,18 @@ description: Detects URP patterns that could be found in ProxyShell exloitation
 references:
     - https://youtu.be/5mqid-7zp8k?t=2231
     - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
+    - https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
 author: Florian Roth
 date: 2020/08/07
 tags:
     - attack.initial_access
 logsource:
     category: webserver
-
 detection:
     selection1:
         c-uri|contains|all:
             - '/autodiscover/autodiscover.json?'
-            - '%3f@'
+            - '/powershell'
     selection2:
         c-uri|contains:
             # since we don't know how it will appear in the log files, we'll just use all versions
@@ -25,7 +25,6 @@ detection:
             - '%3f@foo.com'
             - 'Email=autodiscover/autodiscover.json'
             - 'json?@foo.com'
-            - 'autodiscover.json?@'
     condition: 1 of them
 falsepositives:
     - Unknown
diff --git a/rules/windows/process_creation/process_mailboxexport_share.yml b/rules/windows/process_creation/process_mailboxexport_share.yml
new file mode 100644
index 000000000..cf828c858
--- /dev/null
+++ b/rules/windows/process_creation/process_mailboxexport_share.yml
@@ -0,0 +1,26 @@
+title: Suspicious MailboxExport to Share
+id: 889719ef-dd62-43df-86c3-768fb08dc7c0
+status: experimental
+description: Detects a PowerShell New-MailboxExportRequest that exports a mailbox to a local share, as used in ProxyShell exploitations
+references:
+    - https://youtu.be/5mqid-7zp8k?t=2481
+    - https://blog.orange.tw/2021/08/proxylogon-a-new-attack-surface-on-ms-exchange-part-1.html
+    - https://peterjson.medium.com/reproducing-the-proxyshell-pwn2own-exploit-49743a4ea9a1
+author: Florian Roth
+date: 2021/08/07
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine|contains|all:
+            - 'New-MailboxExport'
+            - ' -Mailbox '
+            - ' -FilePath \\127.0.0.1\C$'
+    condition: selection
+falsepositives:
+    - unknown
+level: critical
+fields:
+    - CommandLine
+    - ParentCommandLine

From 88a721a1ab39c2264a499d3cb2a7405e96ee361c Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 7 Aug 2021 10:13:05 +0200
Subject: [PATCH 8/9] docs: add space in title

---
 rules/windows/process_creation/process_mailboxexport_share.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/windows/process_creation/process_mailboxexport_share.yml b/rules/windows/process_creation/process_mailboxexport_share.yml
index cf828c858..da6aba619 100644
--- a/rules/windows/process_creation/process_mailboxexport_share.yml
+++ b/rules/windows/process_creation/process_mailboxexport_share.yml
@@ -1,4 +1,4 @@
-title: Suspicious MailboxExport to Share
+title: Suspicious PowerShell Mailbox Export to Share
 id: 889719ef-dd62-43df-86c3-768fb08dc7c0
 status: experimental
 description: Detects a PowerShell New-MailboxExportRequest that exports a mailbox to a local share, as used in ProxyShell exploitations

From 9be9e4a24fc92746c3ea7810d3d1fea10650a30d Mon Sep 17 00:00:00 2001
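Review bot: Patch 6 already produces `process_mailboxexport_share.yml` by renaming the `.yaml` file, yet this hunk creates the same path again as `new file mode 100644`, so applying the series in order would presumably stop here because the file already exists; it looks like this patch was generated against a tree that did not contain patch 6. The only content difference from the patch 5 version is the added `peterjson.medium.com` reference line, so the clean fix is to either drop the rename in patch 6 or turn this hunk into a one-line modification that adds only that reference.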
From: Florian Roth
Date: Sat, 7 Aug 2021 11:22:44 +0200
Subject: [PATCH 9/9] fix: more changes to incomplete windivert rule

---
 rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml | 3 ---
 ...l_driver_load copy.yml => sysmon_windivert_driver_load.yml} | 0
 2 files changed, 3 deletions(-)
 rename rules/windows/driver_load/{sysmon_vuln_dell_driver_load copy.yml => sysmon_windivert_driver_load.yml} (100%)

diff --git a/rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml b/rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml
index 39517aa8b..21868b8af 100644
--- a/rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml
+++ b/rules/windows/driver_load/sysmon_vuln_dell_driver_load.yml
@@ -21,9 +21,6 @@ detection:
             - 'ddbf5ecca5c8086afde1fb4f551e9e6400e94f4428fe7fb5559da5cffa654cc1'
             - '10b30bdee43b3a2ec4aa63375577ade650269d25'
             - 'd2fd132ab7bbc6bbb87a84f026fa0244'
-
-
     condition: selection_image or selection_hash
 falsepositives:
     - legitimate BIOS driver updates (should be rare)
diff --git a/rules/windows/driver_load/sysmon_vuln_dell_driver_load copy.yml b/rules/windows/driver_load/sysmon_windivert_driver_load.yml
similarity index 100%
rename from rules/windows/driver_load/sysmon_vuln_dell_driver_load copy.yml
rename to rules/windows/driver_load/sysmon_windivert_driver_load.yml