From 8b6bd45b0bb421bce8317581b0950539ecddc351 Mon Sep 17 00:00:00 2001
From: Lep
Date: Wed, 28 Aug 2019 10:12:01 +0700
Subject: [PATCH] rules for APT32
---
.../sysmon_detect_Compressed_Process.yml | 24 ++++++++++++
.../sysmon/sysmon_office_persistence.yml | 39 +++++++++++++++++++
.../sysmon/sysmon_permissions_modifiation.yml | 32 +++++++++++++++
.../sysmon/sysmon_service_creation.yml | 18 +++++++++
.../windows/sysmon/sysmon_susp_Timestomp.yml | 26 +++++++++++++
.../sysmon/sysmon_susp_discovery_activity.yml | 26 +++++++++++++
.../sysmon/sysmon_susp_file_deletion.yml | 29 ++++++++++++++
.../sysmon/sysmon_susp_service_modify.yml | 29 ++++++++++++++
.../sysmon_susp_signed_script_triggered.yml | 21 ++++++++++
.../sysmon/sysmon_web_folder_intergration.yml | 30 ++++++++++++++
.../windows/sysmon/win_susp_Compiled_HTML.yml | 21 ++++++++++
11 files changed, 295 insertions(+)
create mode 100644 rules/windows/sysmon/sysmon_detect_Compressed_Process.yml
create mode 100644 rules/windows/sysmon/sysmon_office_persistence.yml
create mode 100644 rules/windows/sysmon/sysmon_permissions_modifiation.yml
create mode 100644 rules/windows/sysmon/sysmon_service_creation.yml
create mode 100644 rules/windows/sysmon/sysmon_susp_Timestomp.yml
create mode 100644 rules/windows/sysmon/sysmon_susp_discovery_activity.yml
create mode 100644 rules/windows/sysmon/sysmon_susp_file_deletion.yml
create mode 100644 rules/windows/sysmon/sysmon_susp_service_modify.yml
create mode 100644 rules/windows/sysmon/sysmon_susp_signed_script_triggered.yml
create mode 100644 rules/windows/sysmon/sysmon_web_folder_intergration.yml
create mode 100644 rules/windows/sysmon/win_susp_Compiled_HTML.yml
diff --git a/rules/windows/sysmon/sysmon_detect_Compressed_Process.yml b/rules/windows/sysmon/sysmon_detect_Compressed_Process.yml
new file mode 100644
index 000000000..7e8ca2f93
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_detect_Compressed_Process.yml
@@ -0,0 +1,24 @@
+title: Detect compress process using for data exfiltration
+description: Detects data compressing behaviour
+author: Lep - VuNX
+date: 2019/7/10
+tags:
+
+ - attack.exfiltration
+ - attack.t1002
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ CommandLine:
+ - '*Compress-Archive*'
+ - 'rar*'
+ - 'zip*'
+ - 'gzip*'
+ selection2:
+ Image: C:\Users\Public\7za.exe
+ condition: selection1 or selection2
+falsepositives:
+ - Real compressed
+level: critical
diff --git a/rules/windows/sysmon/sysmon_office_persistence.yml b/rules/windows/sysmon/sysmon_office_persistence.yml
new file mode 100644
index 000000000..62a704dd8
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_office_persistence.yml
@@ -0,0 +1,39 @@
+title: Microsoft Office Persistence
+status: experimental
+description: Detect some kinds of persistence techniques using Office Startup
+author: Lep
+references:
+ - https://attack.mitre.org/techniques/T1137/
+ - https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/
+date: 2019/08/20
+tags:
+ - attack.persistence
+ - attack.t1137
+ - attack.g0050
+logsource:
+ service: sysmon
+ product: windows
+detection:
+ template_macro:
+ EventID: 11
+ TargetFilename:
+ - '*\AppData\Roaming\Microsoft\Templates\Normal.dotm'
+ - '*\AppData\Roaming\Microsoft\Excel*'
+ office_test:
+ EventID: 13
+ TargetObject: 'HKCU\Software\Microsoft\Office test\Special\Perf*'
+ enable_macros:
+ EventID: 13
+ TargetObject:
+ - 'HKCU\Software\Microsoft\Office\*\Outlook*'
+ - 'HKCU\Software\Microsoft\Office\*\Excel\Options*'
+ addins:
+ EventID: 13
+ TargetObject:
+ - 'HKCU\Software\Microsoft\VBA\VBE\6.0\Addins\*'
+ - 'HKCU\Software\Microsoft\Office\*\PowerPoint\AddIns'
+ - 'HKCU\Software\Microsoft\Office\*\Addins\'
+ condition: template_macro or office_test or addins or enable_macros
+falsepositives:
+ - Office usage
+level: low
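Review bot: The `CommandLine` values `'rar*'`, `'zip*'` and `'gzip*'` in `selection1` are anchored at the start of the command line, where the executable path normally sits, so they only match when the tool is invoked by bare name and miss full-path invocations, while `'zip*'` also catches any unrelated command line that happens to begin with those letters. Matching the tool on the image instead (e.g. `Image: '*\rar.exe'`, the approach `selection2` already takes) or using `'*rar.exe *'`-style values would behave as the title intends. `level: critical` is hard to reconcile with a `falsepositives` entry that names legitimate compression, and `date: 2019/7/10` is not zero-padded like the other dates in this commit (`2019/07/10`).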
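Review bot: The `TargetObject` values in `office_test`, `enable_macros` and `addins` start with `HKCU\`, but Sysmon writes per-user registry paths in EventID 13 as `HKU\(user SID)\Software\...`, so as written these selections should never match; a leading wildcard such as `'*\Software\Microsoft\Office test\Special\Perf*'` sidesteps the hive prefix. `'HKCU\Software\Microsoft\Office\*\Addins\'` and `'HKCU\Software\Microsoft\Office\*\PowerPoint\AddIns'` have no trailing wildcard, so value writes beneath those keys are not covered either. The `'HKCU\Software\Microsoft\Office\*\Outlook*'` value matches every Outlook setting write and will dominate the volume of this rule; narrowing it to the security/macro values the rule is after would help.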
diff --git a/rules/windows/sysmon/sysmon_permissions_modifiation.yml b/rules/windows/sysmon/sysmon_permissions_modifiation.yml
new file mode 100644
index 000000000..2f34b5593
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_permissions_modifiation.yml
@@ -0,0 +1,32 @@
+title: File Permissions Modification
+status: experimental
+description: Detect File Permissions modification
+author: Lep
+references:
+ - https://attack.mitre.org/techniques/T1222/
+date: 2019/08/21
+tags:
+ - attack.defense_evasion
+ - attack.t1222
+ - attack.g0050
+logsource:
+ service: sysmon
+ product: windows
+detection:
+ window:
+ - Image_lc:
+ - '*cacls.exe'
+ - '*takeown.exe'
+ - '*icacls.exe'
+ - '*attrib.exe'
+ - CommandLine_lc: '*Set-Acl*'
+# Use for unix, change log sources
+ unix:
+ CommandLine_lc:
+ - '*chmod*'
+ - '*chowm*'
+ - '*chattr*'
+ condition: window or unix
+falsepositives:
+ - Uninstall programs,..
+level: low
\ No newline at end of file
diff --git a/rules/windows/sysmon/sysmon_service_creation.yml b/rules/windows/sysmon/sysmon_service_creation.yml
new file mode 100644
index 000000000..c3543be5c
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_service_creation.yml
@@ -0,0 +1,18 @@
+title: Service Creation in Registry Detection
+description: Detect Service Creation in Registry
+author: Lep
+date: 2019/08/16
+tags:
+ - attack.execution
+ - attack.t1035
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 13
+ Image_lc: '*\services.exe'
+ condition: selection
+falsepositives:
+ - n/a
+level: low
diff --git a/rules/windows/sysmon/sysmon_susp_Timestomp.yml b/rules/windows/sysmon/sysmon_susp_Timestomp.yml
new file mode 100644
index 000000000..f83129cb3
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_susp_Timestomp.yml
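Review bot: `'*chowm*'` in the `unix` selection is a typo for `chown`, so ownership changes are never matched; it should read `'*chown*'`. The `unix` selection is ORed into `condition: window or unix` under a `service: sysmon` / `product: windows` logsource, where `*chmod*` and `*chattr*` can only match as substrings of unrelated Windows command lines; since the in-file comment already says the logsource must change, moving it to a separate rule with a Linux logsource would be cleaner than shipping it here. The file name itself is misspelled (`modifiation`) and the file has no trailing newline.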
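Review bot: `selection` matches every EventID 13 registry value write by `services.exe` with no `TargetObject` constraint, so it cannot tell a service creation apart from any other registry write by that process; adding `TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Services\*'` to the selection gives the rule the scope its title claims (the `registry_edit` selection in `sysmon_susp_service_modify.yml` in this commit already does this). The tag `attack.t1035` (Service Execution) describes running a service rather than creating one; at the time of this commit the new-service persistence technique was T1050, which is worth confirming against the ATT&CK version the repo tracks. `falsepositives: - n/a` should name the expected benign source (legitimate service installation) rather than claim there is none.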
@@ -0,0 +1,26 @@
+title: Suspicious Timestomp
+description: Detects a suspicious execution of csc.exe, which uses a source in a suspicious folder (e.g. AppData)
+status: experimental
+references:
+ - https://securityboulevard.com/2019/08/agent-tesla-evading-edr-by-removing-api-hooks/
+ - https://app.any.run/tasks/c6993447-d1d8-414e-b856-675325e5aa09/
+author: Florian Roth
+date: 2019/08/24
+tags:
+ - attack.defense_evasion
+ - attack.t1099
+logsource:
+ product: windows
+detection:
+ windows:
+ CommandLine_lc:
+ - '*Get-ChildItem*'
+ - '*$_.LastAccessTime*'
+ - '*$_.LastWriteTime*'
+ - '*$_.CreationTime*'
+ linux:
+ CommandLine_lc: '*touch*'
+ condition: linux or windows
+falsepositives:
+ - Unkown
+level: high
\ No newline at end of file
diff --git a/rules/windows/sysmon/sysmon_susp_discovery_activity.yml b/rules/windows/sysmon/sysmon_susp_discovery_activity.yml
new file mode 100644
index 000000000..426235b73
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_susp_discovery_activity.yml
@@ -0,0 +1,26 @@
+title: Discovery Activity with Command
+status: experimental
+description: Detects discovery activity command
+author: Lep
+date: 2019/09/26
+tags:
+ - attack.discovery
+ - attack.t1018
+ - attack.t1012
+ - attack.t1083
+logsource:
+ product: windows
+detection:
+ selection:
+ CommandLine_lc:
+ - 'dir *'
+ - 'tree *'
+ - 'reg query*'
+ - '*arp.exe*'
+ - 'ipconfig /all'
+ - 'new-psdrive*'
+ timeframe: 15s
+ condition: selection | count() by CommandLine_lc > 4
+falsepositives:
+ - Admin activities
+level: medium
diff --git a/rules/windows/sysmon/sysmon_susp_file_deletion.yml b/rules/windows/sysmon/sysmon_susp_file_deletion.yml
new file mode 100644
index 000000000..7ead61c56
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_susp_file_deletion.yml
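Review bot: The `description`, `references` and `author` lines describe a different rule (csc.exe compiling from a suspicious folder, with Agent Tesla write-ups) and say nothing about timestomping; the header looks copied from a template and should be rewritten for this rule, with the author presumably the commit author. Within the `windows` selection the list values are ORed, so `'*Get-ChildItem*'` on its own fires on any PowerShell directory listing at `level: high`; drop it and keep only the timestamp-property values, ideally in a form that implies assignment (e.g. `'*.LastWriteTime = *'`, to be validated against real command lines). `'*touch*'` under a `product: windows` logsource matches any command line containing that substring, `falsepositives: - Unkown` is misspelled, and the file lacks a trailing newline.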
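Review bot: `condition: selection | count() by CommandLine_lc > 4` groups by the command line itself, so it counts one identical command repeated five times rather than several different discovery commands on one host; the burst the `timeframe: 15s` is meant to catch needs grouping by a host field, e.g. `count() by ComputerName > 4`. `'dir *'`, `'tree *'` and `'ipconfig /all'` are start-anchored or exact values, but a process-creation `CommandLine` normally begins with the executable path (and `dir`/`tree` run inside `cmd.exe /c ...`), so they will rarely match; `'*dir *'`-style values or matching on `Image` would be more reliable. `logsource: product: windows` with no `category`/`service` is looser than the sibling rules (`category: process_creation`), and `date: 2019/09/26` is a month after the commit date.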
@@ -0,0 +1,29 @@
+title: Microsoft Office Persistence
+status: experimental
+description: Detect File Deletion Technique
+author: Lep
+references:
+ - https://attack.mitre.org/techniques/T1107/
+ - https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/
+date: 2019/08/20
+tags:
+ - attack.defense_evasion
+ - attack.t1107
+ - attack.g0050
+logsource:
+ service: sysmon
+ product: windows
+detection:
+ sdelete:
+ Image: '*sdelete.exe'
+ CommandLine_lc: '*remove-item*'
+ fsulti:
+ Image: '*fsutil.exe'
+ CommandLine_lc: '*deletejournal*'
+ wbadmin:
+ Image: '*wbadmin.exe'
+ CommandLine_lc: '*delete*'
+ condition: sdelete or fsulti or addins or wbadmin
+falsepositives:
+ - Uninstall programs,..
+level: low
diff --git a/rules/windows/sysmon/sysmon_susp_service_modify.yml b/rules/windows/sysmon/sysmon_susp_service_modify.yml
new file mode 100644
index 000000000..348234fd7
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_susp_service_modify.yml
@@ -0,0 +1,29 @@
+title: Modify Existing Service
+description: Detect persistence technique by modifying existing services
+author: Lep
+date: 2019/08/17
+tags:
+ - attack.persistence
+ - attack.t1031
+ - attack.g0050
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ process_creation:
+ EventID: 1
+ sc:
+ Image_lc:
+ -'*\sc.exe'
+ CommandLine_lc: '*config*'
+ reg:
+ Image_lc:
+ -'*\reg.exe'
+ CommandLine_lc: '*hklm\system\currentcontrolset\services*'
+ registry_edit:
+ EventID: 13
+ TargetObject: 'HKLM\SYSTEM\CurrentControlSet\Services*'
+ condition: (process_creation and sc) or (process_creation and reg) or registry_edit
+falsepositives:
+ - Real service edit
+level: low
diff --git a/rules/windows/sysmon/sysmon_susp_signed_script_triggered.yml b/rules/windows/sysmon/sysmon_susp_signed_script_triggered.yml
new file mode 100644
index 000000000..35ca95d77
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_susp_signed_script_triggered.yml
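Review bot: `condition: sdelete or fsulti or addins or wbadmin` references `addins`, which is not defined in this rule's `detection` (it is a selection name from `sysmon_office_persistence.yml`), so the rule will fail validation and conversion; remove it from the condition. The `sdelete` selection requires `Image: '*sdelete.exe'` and `CommandLine_lc: '*remove-item*'` on the same event, but `Remove-Item` is a PowerShell cmdlet that does not occur on an sdelete command line, so that branch can never fire; split it into an image-only `sdelete` selection and a separate PowerShell selection for `'*remove-item*'`. The `title` (Microsoft Office Persistence) and the second reference were carried over from the office rule and should describe file deletion, and `fsulti` is presumably meant to be `fsutil`.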
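Review bot: `-'*\sc.exe'` and `-'*\reg.exe'` under `Image_lc` have no space after the dash, so YAML reads each as a plain scalar `-'*\sc.exe'` (quotes included) rather than a one-item list; the `sc` and `reg` selections therefore compare the image against a string that never occurs and can never match, which also silences both `process_creation and ...` branches of the condition. Write them as `- '*\sc.exe'` / `- '*\reg.exe'`, or drop the dash and give the scalar directly. `registry_edit` fires on every value set under `HKLM\SYSTEM\CurrentControlSet\Services*`, which presumably includes the writes the service controller itself makes — worth checking against a baseline and excluding the benign writer, or scoping to the `ImagePath`/`Start` values a persistence change would touch.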
@@ -0,0 +1,21 @@
+title: Signed Script Proxy Execution
+description: Detect suspicious signed script like PubPrn triggered for validation bypassing
+author: Lep
+date: 2019/08/16
+tags:
+ - attack.execution
+ - attack.t1216
+ - attack.g0050
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 1
+ ParentImage_lc: '*cscript.exe*'
+ selection2:
+ CommandLine_lc: '*pubprn.vbs*'
+ condition: selection or selection2
+falsepositives:
+ - Real PubPrn usage
+level: low
diff --git a/rules/windows/sysmon/sysmon_web_folder_intergration.yml b/rules/windows/sysmon/sysmon_web_folder_intergration.yml
new file mode 100644
index 000000000..b9b9a7ad8
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_web_folder_intergration.yml
@@ -0,0 +1,30 @@
+title: File Creation Webserver Root Folder
+status: experimental
+description: Detects a suspicious file creation in a web service root folder
+author: Lep - VuNX
+tags:
+ - attack.persistence
+ - attack.t1100
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ TargetFileName_lc:
+ - '*\wwwroot\\*'
+ - '*\wmpub\\*'
+ - '*\htdocs\\*'
+ - '*inetpub*'
+ EventID:
+ 11
+ filter:
+ Image_lc:
+ - '*explorer.exe'
+ blank:
+ Image: null
+ condition: selection and not filter and not blank
+fields:
+ - TargetFileName
+falsepositives:
+ - Deploy new codes
+level: medium
diff --git a/rules/windows/sysmon/win_susp_Compiled_HTML.yml b/rules/windows/sysmon/win_susp_Compiled_HTML.yml
new file mode 100644
index 000000000..c360ee493
--- /dev/null
+++ b/rules/windows/sysmon/win_susp_Compiled_HTML.yml
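Review bot: `condition: selection or selection2` makes `selection` — every EventID 1 process whose parent is `cscript.exe` — an alert on its own, which covers all logon and admin scripts and has nothing tying it to PubPrn; either require the PubPrn indicator alongside the parent check or keep only `selection2` and move the generic parent-process branch to a separate, lower-confidence rule. `ParentImage_lc: '*cscript.exe*'` does not need the trailing wildcard, since `ParentImage` ends with the executable name (`'*\cscript.exe'`). The rule also has no `status` field, unlike most of its siblings in this commit.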
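Review bot: `logsource: category: process_creation` does not fit a detection on `EventID: 11` and `TargetFileName_lc`: process_creation maps to Sysmon EventID 1, so a backend that filters by logsource will query the wrong events and the file-create match never runs. Use `service: sysmon` as `sysmon_office_persistence.yml` in this commit does for its EventID 11 selection (or a file-event category if the repo defines one). The field is spelled `TargetFileName_lc` here and `TargetFileName` under `fields`, while the Sysmon field and the office rule use `TargetFilename`; a case-sensitive backend will not resolve it. The rule also has no `date`, and the file name `intergration` is misspelled (and does not describe a file-creation rule).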
@@ -0,0 +1,21 @@
+title: Trigger Compiled HTML
+status: experimental
+description: This detects compiled HTML triggered by HH
+references: https://www.bleepingcomputer.com/news/security/ryuk-ransomware-adds-ip-and-computer-name-blacklisting/
+date: 2019/08/14
+author: Lep
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection1:
+ EventID: 1
+ Image_lc: '*\hh.exe'
+ condition: selection1
+falsepositives:
+ - Normal HTML Help File
+tags:
+ - attack.execution
+ - attack.T1223
+ - attack.G0050
+level: high
\ No newline at end of file
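Review bot: `attack.T1223` and `attack.G0050` use upper-case identifiers, while every other rule in this commit (and the Sigma tag convention) writes them lower-case (`attack.t1223`, `attack.g0050`); tooling that maps tags by exact string will not recognise these. `references:` is a bare scalar here, whereas the sibling rules give a list (`references:` followed by `- https://...`); use the list form for consistency with the rest of the repo. `level: high` for any `hh.exe` execution sits oddly beside a `falsepositives` entry stating that help files are normal; scoping to `hh.exe` launched with a `.chm` from a user-writable or download location, or by an unusual parent, would justify the level. The file also lacks a trailing newline.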