diff --git a/rules/linux/lnx_clear_logs.yml b/rules/linux/lnx_clear_logs.yml index 11e904054..39899711a 100644 --- a/rules/linux/lnx_clear_logs.yml +++ b/rules/linux/lnx_clear_logs.yml @@ -20,7 +20,7 @@ detection: condition: selection falsepositives: - Legitimate administration activities -level: low +level: medium tags: - attack.defense_evasion - attack.t1070.002 diff --git a/rules/linux/lnx_file_and_directory_discovery.yml b/rules/linux/lnx_file_and_directory_discovery.yml index 61d35d415..af52c7765 100644 --- a/rules/linux/lnx_file_and_directory_discovery.yml +++ b/rules/linux/lnx_file_and_directory_discovery.yml @@ -18,12 +18,12 @@ detection: CommandLine|contains: '-R' find_execution: Image|endswith: '/find' - tree_execution: + tree_execution: Image|endswith: '/tree' condition: 1 of them falsepositives: - Legitimate activities -level: low +level: informational tags: - attack.discovery - attack.t1083 \ No newline at end of file diff --git a/rules/linux/lnx_file_deletion.yml b/rules/linux/lnx_file_deletion.yml index b909a853c..391975730 100644 --- a/rules/linux/lnx_file_deletion.yml +++ b/rules/linux/lnx_file_deletion.yml @@ -17,7 +17,7 @@ detection: condition: selection falsepositives: - Legitimate administration activities -level: low +level: informational tags: - attack.defense_evasion - attack.t1070.004 diff --git a/rules/linux/lnx_process_discovery.yml b/rules/linux/lnx_process_discovery.yml index bee127ac9..1785e7ef8 100644 --- a/rules/linux/lnx_process_discovery.yml +++ b/rules/linux/lnx_process_discovery.yml @@ -17,7 +17,7 @@ detection: condition: selection falsepositives: - Legitimate administration activities -level: low +level: informational tags: - attack.discovery - attack.t1057 diff --git a/rules/linux/lnx_split_file_into_pieces.yml b/rules/linux/lnx_split_file_into_pieces.yml index 99f26d7c8..36b1a82db 100644 --- a/rules/linux/lnx_split_file_into_pieces.yml +++ b/rules/linux/lnx_split_file_into_pieces.yml 
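Review bot: In lnx_file_and_directory_discovery the selection whose last field is `CommandLine|contains: '-R'` is ORed with `find_execution` and `tree_execution` by `condition: 1 of them`, so unless the lines above the hunk also constrain `Image` in that same selection, any command line carrying `-R` satisfies the rule on its own; the selection's first lines are outside the hunk, so please confirm. Sigma string matching is case-insensitive by default, which means `'-R'` also hits `rm -rf`, `cp -r` and `grep -r`, and as a bare substring it matches inside long options such as `--Recurse`. If the intent is recursive `ls`, add `Image|endswith: '/ls'` to that selection alongside `CommandLine|contains: ' -R'`. Lowering the level to informational does not change that every `find` invocation still matches `find_execution`.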
@@ -20,7 +20,7 @@ detection: condition: selection falsepositives: - 'Legitimate administrative activity' -level: high +level: low tags: - attack.exfiltration - attack.t1030 diff --git a/rules/linux/lnx_system_info_discovery.yml b/rules/linux/lnx_system_info_discovery.yml index c74cb3010..43f8f6563 100644 --- a/rules/linux/lnx_system_info_discovery.yml +++ b/rules/linux/lnx_system_info_discovery.yml @@ -9,7 +9,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1082/T1082.md falsepositives: - Legitimate administration activities -level: low +level: informational tags: - attack.discovery - attack.t1082 diff --git a/rules/linux/lnx_system_network_discovery.yml b/rules/linux/lnx_system_network_discovery.yml index 541737062..fa5c6f748 100644 --- a/rules/linux/lnx_system_network_discovery.yml +++ b/rules/linux/lnx_system_network_discovery.yml @@ -26,7 +26,7 @@ detection: condition: selection1 or selection2 falsepositives: - Legitimate administration activities -level: low +level: informational tags: - attack.discovery - attack.t1016 diff --git a/rules/linux/lnx_system_shutdown_reboot.yml b/rules/linux/lnx_system_shutdown_reboot.yml index 1e1abcf27..88c476d4b 100644 --- a/rules/linux/lnx_system_shutdown_reboot.yml +++ b/rules/linux/lnx_system_shutdown_reboot.yml @@ -34,7 +34,7 @@ detection: condition: selection1 or (selection2 and selection3) falsepositives: - 'Legitimate administrative activity' -level: high +level: informational tags: - attack.impact - attack.t1529 diff --git a/rules/linux/macos_clear_system_logs.yml b/rules/linux/macos_clear_system_logs.yml index 055cc98e9..33ce525a3 100644 --- a/rules/linux/macos_clear_system_logs.yml +++ b/rules/linux/macos_clear_system_logs.yml @@ -21,7 +21,7 @@ detection: condition: selection1 and (selection2 or selection3) falsepositives: - Legitimate administration activities -level: low +level: medium tags: - attack.defense_evasion - attack.t1070.002 
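Review bot: In lnx_system_shutdown_reboot the drop from high straight to informational is the largest severity change in this commit, yet neither the logic (`condition: selection1 or (selection2 and selection3)`) nor the single `falsepositives` entry changes and nothing records why. Sigma rules carry an optional `modified` date and the commit bumps it in none of the retuned files; add `modified:` with the commit date next to `date:` so consumers can see the rule was re-rated. A one-line rationale in the commit message would also help, since an informational rule is effectively removed from alerting.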
diff --git a/rules/linux/macos_create_account.yml b/rules/linux/macos_create_account.yml index 6bde23a2a..42d1d4931 100644 --- a/rules/linux/macos_create_account.yml +++ b/rules/linux/macos_create_account.yml @@ -18,7 +18,7 @@ detection: condition: selection falsepositives: - Legitimate administration activities -level: medium +level: low tags: - attack.t1136 # an old one - attack.t1136.001 diff --git a/rules/linux/macos_create_hidden_account.yml b/rules/linux/macos_create_hidden_account.yml index 95890a4bf..56cf55fdf 100644 --- a/rules/linux/macos_create_hidden_account.yml +++ b/rules/linux/macos_create_hidden_account.yml @@ -1,7 +1,7 @@ title: Hidden User Creation id: b22a5b36-2431-493a-8be1-0bae56c28ef3 status: experimental -description: Detects creation of a hidden user account on macOS (UserID < 500) or with IsHidden option +description: Detects creation of a hidden user account on macOS (UserID < 500) or with IsHidden option author: Daniil Yugoslavskiy, oscd.community date: 2020/10/10 references: @@ -27,7 +27,7 @@ detection: dscl_create and (ishidden_option_declaration and ishidden_option_confirmation) falsepositives: - Legitimate administration activities -level: low +level: medium tags: - attack.defense_evasion - attack.t1564.002 \ No newline at end of file diff --git a/rules/linux/macos_disable_security_tools.yml b/rules/linux/macos_disable_security_tools.yml index 2c983500b..0f843c789 100644 --- a/rules/linux/macos_disable_security_tools.yml +++ b/rules/linux/macos_disable_security_tools.yml 
@@ -21,7 +21,7 @@ detection: - 'com.carbonblack.defense.daemon.plist' # carbon black - 'com.carbonblack.daemon.plist' # carbon black - 'at.obdev.littlesnitchd.plist' # Objective Development Software firewall management utility - - 'com.tenablesecurity.nessusagent.plist' # Tenable Nessus + - 'com.tenablesecurity.nessusagent.plist' # Tenable Nessus - 'com.opendns.osx.RoamingClientConfigUpdater.plist' # OpenDNS Umbrella - 'com.crowdstrike.falcond.plist' # Crowdstrike Falcon - 'com.crowdstrike.userdaemon.plist' # Crowdstrike Falcon @@ -36,7 +36,7 @@ detection: condition: (launchctl_unload and security_plists) or disable_gatekeeper falsepositives: - Legitimate activities -level: low +level: medium tags: - attack.defense_evasion - attack.t1562.001 \ No newline at end of file diff --git a/rules/linux/macos_file_and_directory_discovery.yml b/rules/linux/macos_file_and_directory_discovery.yml index 6e16e85d8..025babc38 100644 --- a/rules/linux/macos_file_and_directory_discovery.yml +++ b/rules/linux/macos_file_and_directory_discovery.yml @@ -20,12 +20,12 @@ detection: Image: '/usr/bin/find' mdfind_execution: Image: '/usr/bin/mdfind' - tree_execution|endswith: + tree_execution|endswith: Image: '/tree' condition: 1 of them falsepositives: - Legitimate activities -level: low +level: informational tags: - attack.discovery - attack.t1083 \ No newline at end of file diff --git a/rules/linux/macos_local_groups.yml b/rules/linux/macos_local_groups.yml index 2c26fc45f..7cffce09d 100644 --- a/rules/linux/macos_local_groups.yml +++ b/rules/linux/macos_local_groups.yml @@ -30,7 +30,7 @@ detection: condition: 1 of them falsepositives: - Legitimate administration activities -level: low +level: informational tags: - attack.discovery - attack.t1069.001 diff --git a/rules/linux/macos_network_sniffing.yml b/rules/linux/macos_network_sniffing.yml index cf316429b..ef95ea36d 100644 --- a/rules/linux/macos_network_sniffing.yml +++ b/rules/linux/macos_network_sniffing.yml 
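Review bot: In macos_file_and_directory_discovery the `|endswith` modifier is still attached to the selection name (`tree_execution|endswith:`) rather than the field, and this hunk only trims its trailing whitespace. Sigma parses modifiers from field names, not selection identifiers, so `Image: '/tree'` is evaluated as an exact match on `/tree` and can never match `/usr/bin/tree`; depending on the backend the stray pipe in the identifier may also break `1 of them`. Change the two lines to `tree_execution:` / `  Image|endswith: '/tree'`, mirroring `find_execution` and `mdfind_execution` directly above.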
@@ -11,13 +11,13 @@ logsource: product: macos detection: selection: - Image|endswith: + Image|endswith: - '/tcpdump' - '/tshark' condition: selection falsepositives: - Legitimate administration activities -level: medium +level: informational tags: - attack.discovery - attack.credential_access diff --git a/rules/linux/macos_remote_system_discovery.yml b/rules/linux/macos_remote_system_discovery.yml index dbe79e461..a7a1fdf22 100644 --- a/rules/linux/macos_remote_system_discovery.yml +++ b/rules/linux/macos_remote_system_discovery.yml @@ -40,9 +40,9 @@ detection: - ' 127.' #127.0.0.0/8 - ' 169.254.' #169.254.0.0/16 condition: 1 of them -falsepositives: +falsepositives: - Legitimate administration activities -level: low +level: informational tags: - attack.discovery - attack.t1018 diff --git a/rules/linux/macos_security_software_discovery.yml b/rules/linux/macos_security_software_discovery.yml index b26fbcd16..ae896a953 100644 --- a/rules/linux/macos_security_software_discovery.yml +++ b/rules/linux/macos_security_software_discovery.yml @@ -13,7 +13,7 @@ detection: grep_execution: Image: '/usr/bin/grep' security_services_and_processes: - CommandLine|contains: + CommandLine|contains: - 'nessusd' # nessus vulnerability scanner - 'santad' # google santa - 'CbDefense' # carbon black @@ -26,14 +26,14 @@ detection: - 'BlockBlock' # Objective-See persistence locations watcher/blocker - 'LuLu' # Objective-See firewall management utility little_snitch_process: # Objective Development Software firewall management utility - CommandLine|contains|all: + CommandLine|contains|all: - 'Little' - 'Snitch' - condition: grep_execution and security_services_and_processes or + condition: grep_execution and security_services_and_processes or grep_execution and little_snitch_process falsepositives: - Legitimate activities -level: low +level: medium tags: - attack.discovery - attack.t1518.001 \ No newline at end of file 
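Review bot: In macos_security_software_discovery the `condition` is split across two lines as a plain multi-line scalar (`... security_services_and_processes or` followed by `grep_execution and little_snitch_process` on the next line), which relies on YAML folding and reads like a truncated line; the hunk only strips trailing whitespace from it. Because `and` binds tighter than `or` in Sigma conditions the expression is equivalent to the one-liner `condition: grep_execution and (security_services_and_processes or little_snitch_process)`, which is unambiguous and does not depend on the continuation line's indentation. Since the level rises to medium here, it is worth making the condition unmistakable.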
diff --git a/rules/linux/macos_split_file_into_pieces.yml b/rules/linux/macos_split_file_into_pieces.yml index b19c5aeab..f65d96dee 100644 --- a/rules/linux/macos_split_file_into_pieces.yml +++ b/rules/linux/macos_split_file_into_pieces.yml @@ -17,7 +17,7 @@ detection: condition: selection falsepositives: - 'Legitimate administrative activity' -level: high +level: low tags: - attack.exfiltration - attack.t1030 diff --git a/rules/linux/macos_startup_items.yml b/rules/linux/macos_startup_items.yml index 2153bd39d..89102e3ff 100644 --- a/rules/linux/macos_startup_items.yml +++ b/rules/linux/macos_startup_items.yml @@ -17,7 +17,7 @@ detection: condition: selection_1 and selection_2 falsepositives: - Legitimate administration activities -level: medium +level: low tags: - attack.persistence - attack.privilege_escalation diff --git a/rules/linux/macos_system_network_connections_discovery.yml b/rules/linux/macos_system_network_connections_discovery.yml index 8503e7803..1a3fb7d41 100644 --- a/rules/linux/macos_system_network_connections_discovery.yml +++ b/rules/linux/macos_system_network_connections_discovery.yml @@ -11,7 +11,7 @@ logsource: product: macos detection: selection: - Image: + Image: - '/usr/bin/who' - '/usr/bin/w' - '/usr/bin/last' @@ -20,7 +20,7 @@ detection: condition: selection falsepositives: - Legitimate activities -level: low +level: informational tags: - attack.discovery - attack.t1049 \ No newline at end of file diff --git a/rules/linux/macos_system_network_discovery.yml b/rules/linux/macos_system_network_discovery.yml index f754a1e3c..40b2f33d5 100644 --- a/rules/linux/macos_system_network_discovery.yml +++ b/rules/linux/macos_system_network_discovery.yml 
@@ -20,13 +20,13 @@ detection: - '/usr/sbin/arp' selection2: Image: '/usr/bin/defaults' - Commandline|contains|all: + Commandline|contains|all: - 'read' - '/Library/Preferences/com.apple.alf' condition: selection1 or selection2 falsepositives: - Legitimate administration activities -level: low +level: informational tags: - attack.discovery - attack.t1016 diff --git a/rules/linux/macos_system_shutdown_reboot.yml b/rules/linux/macos_system_shutdown_reboot.yml index e7b463653..fe4d4b645 100644 --- a/rules/linux/macos_system_shutdown_reboot.yml +++ b/rules/linux/macos_system_shutdown_reboot.yml @@ -20,7 +20,7 @@ detection: condition: selection falsepositives: - 'Legitimate administrative activity' -level: high +level: informational tags: - attack.impact - attack.t1529 diff --git a/rules/windows/driver_load/sysmon_susp_driver_load.yml b/rules/windows/driver_load/sysmon_susp_driver_load.yml index 73f423d2a..083b9f7f5 100755 --- a/rules/windows/driver_load/sysmon_susp_driver_load.yml +++ b/rules/windows/driver_load/sysmon_susp_driver_load.yml @@ -13,9 +13,9 @@ logsource: category: driver_load product: windows detection: - selection: + selection: ImageLoaded|contains: '\Temp\' condition: selection falsepositives: - there is a relevant set of false positives depending on applications in the environment -level: medium +level: high diff --git a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml index 488512208..6304043ad 100644 --- a/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml +++ b/rules/windows/file_event/win_susp_multiple_files_renamed_or_deleted.yml @@ -24,4 +24,4 @@ detection: falsepositives: - Software uninstallation - Files restore activities -level: high +level: medium 
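Review bot: In macos_system_network_discovery `selection2` keys its pattern on `Commandline|contains|all:` (lowercase l) while the standard Sigma process_creation field is `CommandLine`; the hunk trims whitespace on that line but keeps the misspelling. Backend field mappings are keyed on the exact name, so `Commandline` is passed through unmapped or rejected and the `defaults read /Library/Preferences/com.apple.alf` branch never fires. Change it to `CommandLine|contains|all:`. With the level also dropping to informational, the breakage would otherwise go unnoticed.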
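Review bot: In sysmon_susp_driver_load, raising `level` to high conflicts with the rule's own `falsepositives` entry, which says a relevant set of false positives exists depending on the applications in the environment, while `ImageLoaded|contains: '\Temp\'` remains the sole criterion. If high is wanted, narrow the selection rather than relabel it: Sysmon's driver-load event carries signature fields, so a `filter:` / `  SignatureStatus: 'Valid'` with `condition: selection and not filter` would drop validly signed loads — confirm the field name against your backend's mapping. Otherwise keep medium and let the FP note stand.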
diff --git a/rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml b/rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml index 02e3ae288..6247ee4f9 100755 --- a/rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml +++ b/rules/windows/image_load/sysmon_svchost_dll_search_order_hijack.yml @@ -29,7 +29,7 @@ detection: - '\wlbsctrl.dll' filter: ImageLoaded|startswith: - - 'C:\Windows\WinSxS\' + - 'C:\Windows\WinSxS\' condition: selection and not filter falsepositives: - Pentest diff --git a/rules/windows/image_load/sysmon_uac_bypass_via_dism.yml b/rules/windows/image_load/sysmon_uac_bypass_via_dism.yml index f339f382e..46200f57b 100644 --- a/rules/windows/image_load/sysmon_uac_bypass_via_dism.yml +++ b/rules/windows/image_load/sysmon_uac_bypass_via_dism.yml @@ -12,9 +12,9 @@ tags: - attack.t1574.002 author: oscd.community, Dmitry Uchakin date: 2020/10/06 -logsource: - category: image_load - product: windows +logsource: + category: image_load + product: windows detection: selection: Image|endswith: diff --git a/rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml b/rules/windows/network_connection/silenttrinity_stager_msbuild_activity.yml similarity index 100% rename from rules/windows/sysmon/silenttrinity_stager_msbuild_activity.yml rename to rules/windows/network_connection/silenttrinity_stager_msbuild_activity.yml diff --git a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml index 8bbb7d5be..6bfa956ee 100644 --- a/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml +++ b/rules/windows/powershell/powershell_cmdline_specific_comb_methods.yml @@ -52,4 +52,4 @@ detection: condition: (selection2 and selection3) or selection1 or selection4 or selection5 or selection6 falsepositives: - Unlikely -level: high +level: medium 
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_clip+.yml b/rules/windows/powershell/powershell_invoke_obfuscation_clip+.yml index a6e7e1743..7d9b4abc9 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_clip+.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_clip+.yml @@ -17,13 +17,11 @@ logsource: detection: selection_1: EventID: 4104 + ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"' selection_2: - - ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"' - selection_3: EventID: 4103 - selection_4: - - Payload|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"' - condition: ( selection_1 and selection_2 ) or ( selection_3 and selection_4 ) + Payload|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"' + condition: 1 of them falsepositives: - Unknown level: high \ No newline at end of file diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_stdin+.yml b/rules/windows/powershell/powershell_invoke_obfuscation_stdin+.yml index c73b781b5..7e2b0ef2d 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_stdin+.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_stdin+.yml @@ -17,13 +17,11 @@ logsource: detection: selection_1: EventID: 4104 + ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"' selection_2: - - ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"' - selection_3: EventID: 4103 - selection_4: - - Payload|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"' - condition: ( selection_1 and selection_2 ) or ( selection_3 and selection_4 ) + Payload|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"' + condition: 1 of them falsepositives: - Unknown level: high \ No newline at end of file 
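Review bot: The regex moved into `selection_1`/`selection_2` of powershell_invoke_obfuscation_clip+ has no `(?i)` flag, unlike the `via_*` rules restructured in this same commit, so `CMD /C ... CLIP && ...` or a differently cased `Clipboard]::` is missed on backends whose regex match is case-sensitive, even though cmd.exe and PowerShell accept any casing. Prefix both patterns with `(?i)`, e.g. `ScriptBlockText|re: '(?i).*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?...'`. The leading `.*` is redundant for an unanchored search and only adds backtracking. The stdin+ hunk below has the same two issues.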
diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_var+.yml b/rules/windows/powershell/powershell_invoke_obfuscation_var+.yml index c6c6bceec..9c2ab871f 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_var+.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_var+.yml @@ -17,13 +17,11 @@ logsource: detection: selection_1: EventID: 4104 + ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' selection_2: - - ScriptBlockText|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' - selection_3: EventID: 4103 - selection_4: - - Payload|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' - condition: ( selection_1 and selection_2 ) or ( selection_3 and selection_4 ) + Payload|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' + condition: 1 of them falsepositives: - Unknown level: high \ No newline at end of file diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_compress.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_compress.yml index bb6ba2b99..365149a58 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_compress.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_compress.yml @@ -21,7 +21,7 @@ detection: selection_2: EventID: 4103 Payload|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend' - condition: selection_1 or selection_2 + condition: 1 of them falsepositives: - unknown level: medium \ No newline at end of file diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml index 4dc879bcc..793dc3c14 100644 
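Review bot: In powershell_invoke_obfuscation_var+ the pattern contains `(?:\s|)`, an alternation with an empty branch that is just `\s?` written the long way, and like the clip+/stdin+ siblings it lacks `(?i)` while the `via_*` rules in this commit have it. Suggest `ScriptBlockText|re: '(?i).*cmd.{0,5}(?:\/c|\/r)\s?\"set\s[a-zA-Z]{3,6}...'` for both the 4104 and 4103 selections; with `(?i)` the `[a-zA-Z]` class can also shrink to `[a-z]`.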
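Review bot: In powershell_invoke_obfuscation_via_compress, `condition: 1 of them` is a widening compared to `selection_1 or selection_2`: `them` covers every identifier under `detection`, so any `filter:` added later is ORed in instead of excluded. With exactly two positive selections it is harmless today, but `1 of selection_*` states the intent and stays correct if a filter is introduced. The same applies to the other `1 of them` rewrites in this series.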
--- a/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_rundll.yml @@ -21,7 +21,7 @@ detection: selection_2: EventID: 4103 Payload|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"' - condition: selection_1 or selection_2 + condition: 1 of them falsepositives: - Unknown level: medium diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_stdin.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_stdin.yml index 266887248..ab358c642 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_stdin.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_stdin.yml @@ -17,13 +17,11 @@ logsource: detection: selection_1: EventID: 4104 + ScriptBlockText|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"' selection_2: - - ScriptBlockText|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"' - selection_3: EventID: 4103 - selection_4: - - Payload|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"' - condition: ( selection_1 and selection_2 ) or ( selection_3 and selection_4 ) + Payload|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"' + condition: 1 of them falsepositives: - Unknown level: high diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_clip.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_clip.yml index 6e67ecd32..5f514bc69 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_clip.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_clip.yml 
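Review bot: In powershell_invoke_obfuscation_via_stdin the regex uses capturing groups `(set)` and `(environment|invoke|\${?input)` whose captures are never used; for a pure match they should be non-capturing or, for the single-word case, dropped entirely: `'(?i).*set.*&&\s?set.*(?:environment|invoke|\${?input).*&&.*"'`. This keeps backends that surface captures (e.g. as extracted fields) from producing noise and matches the style of the `(?:...)` groups in the neighbouring rules.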
@@ -17,13 +17,11 @@ logsource: detection: selection_1: EventID: 4104 + ScriptBlockText|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*' selection_2: - - ScriptBlockText|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*' - selection_3: EventID: 4103 - selection_4: - - Payload|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*' - condition: ( selection_1 and selection_2 ) or ( selection_3 and selection_4 ) + Payload|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*' + condition: 1 of them falsepositives: - Unknown level: high diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml index eb5f0e924..45764546f 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_mhsta.yml @@ -17,13 +17,11 @@ logsource: detection: selection_1: EventID: 4104 + ScriptBlockText|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"' selection_2: - - ScriptBlockText|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"' - selection_3: EventID: 4103 - selection_4: - - Payload|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"' - condition: ( selection_1 and selection_2 ) or ( selection_3 and selection_4 ) + Payload|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"' + condition: 1 of them falsepositives: - Unknown level: high diff --git a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml index bce2ea533..a0abb7616 100644 --- a/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml +++ b/rules/windows/powershell/powershell_invoke_obfuscation_via_use_rundll32.yml 
@@ -4,7 +4,7 @@ description: Detects Obfuscated Powershell via use Rundll32 in Scripts status: experimental author: Nikita Nazarov, oscd.community date: 2019/10/08 -references: +references: - https://github.com/Neo23x0/sigma/issues/1009 tags: - attack.defense_evasion @@ -17,13 +17,11 @@ logsource: detection: selection_1: EventID: 4104 + ScriptBlockText|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"' selection_2: - - ScriptBlockText|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"' - selection_3: EventID: 4103 - selection_4: - - Payload|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"' - condition: ( selection_1 and selection_2 ) or ( selection_3 and selection_4 ) + Payload|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"' + condition: 1 of them falsepositives: - Unknown level: high diff --git a/rules/windows/powershell/powershell_shellcode_b64.yml b/rules/windows/powershell/powershell_shellcode_b64.yml index ba269aca2..3d7988b68 100644 --- a/rules/windows/powershell/powershell_shellcode_b64.yml +++ b/rules/windows/powershell/powershell_shellcode_b64.yml @@ -23,7 +23,7 @@ detection: EventID: 4104 ScriptBlockText|contains: 'AAAAYInlM' selection2: - ScriptBlockText|contains: + ScriptBlockText|contains|all: - 'OiCAAAAYInlM' - 'OiJAAAAYInlM' condition: selection and selection2 diff --git a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml index c313d0afc..615b10461 100755 --- a/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml +++ b/rules/windows/process_access/sysmon_in_memory_assembly_execution.yml @@ -32,7 +32,7 @@ detection: - "UNKNOWN(" - ")|UNKNOWN(" CallTrace|endswith: ")" - selection3: + selection3: CallTrace|contains: "UNKNOWN" granted_access: GrantedAccess: 
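Review bot: In powershell_shellcode_b64, switching `selection2` to `ScriptBlockText|contains|all` now requires both `OiCAAAAYInlM` and `OiJAAAAYInlM` to occur in the same script block. The two strings differ only in their third character and both contain the `AAAAYInlM` that `selection` already matches, which reads like two base64 alignments of the same shellcode prefix — a given payload would normally carry one or the other, so `|all` may make the rule never fire; confirm against a sample before merging. If OR was the intent, revert to `ScriptBlockText|contains:`; either way `selection` is redundant because its substring is implied by `selection2`.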
@@ -44,7 +44,7 @@ detection: - "0x1F2FFF" - "0x1F3FFF" - "0x1FFFFF" - condition: (selection1 OR selection2) or (selection3 AND granted_access) + condition: (selection1 or selection2) or (selection3 and granted_access) fields: - ComputerName - User diff --git a/rules/windows/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml b/rules/windows/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml index 85f1f5fb7..703f86b32 100644 --- a/rules/windows/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml +++ b/rules/windows/process_access/sysmon_load_undocumented_autoelevated_com_interface.yml @@ -3,7 +3,7 @@ id: fb3722e4-1a06-46b6-b772-253e2e7db933 status: experimental description: COM interface (EditionUpgradeManager) that is not used by standard executables. references: - - https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/ + - https://www.snip2code.com/Snippet/4397378/UAC-bypass-using-EditionUpgradeManager-C/ - https://gist.github.com/hfiref0x/de9c83966623236f5ebf8d9ae2407611 tags: - attack.defense_evasion @@ -11,9 +11,9 @@ tags: - attack.t1548.002 author: oscd.community, Dmitry Uchakin date: 2020/10/07 -logsource: +logsource: category: process_access - product: windows + product: windows detection: selection: CallTrace|contains: 'editionupgrademanagerobj.dll' diff --git a/rules/windows/process_creation/cmstp_execution.yml b/rules/windows/process_creation/cmstp_execution.yml index 007077507..7a27dc2f2 100644 --- a/rules/windows/process_creation/cmstp_execution.yml +++ b/rules/windows/process_creation/cmstp_execution.yml @@ -27,5 +27,5 @@ logsource: detection: # CMSTP Spawning Child Process selection: - ParentImage|contains: '\cmstp.exe' + ParentImage|endswith: '\cmstp.exe' condition: selection diff --git a/rules/windows/process_creation/process_creation_dotnet.yml b/rules/windows/process_creation/process_creation_dotnet.yml index 9182bb218..bbc19c20a 100644 
--- a/rules/windows/process_creation/process_creation_dotnet.yml +++ b/rules/windows/process_creation/process_creation_dotnet.yml @@ -26,8 +26,8 @@ fields: - ComputerName - User - CommandLine - - ParentCommandLine + - ParentCommandLine falsepositives: - System administrator Usage - - Penetration test + - Penetration test level: medium \ No newline at end of file diff --git a/rules/windows/process_creation/process_creation_msdeploy.yml b/rules/windows/process_creation/process_creation_msdeploy.yml index 236e747d3..cf35510fa 100644 --- a/rules/windows/process_creation/process_creation_msdeploy.yml +++ b/rules/windows/process_creation/process_creation_msdeploy.yml @@ -27,8 +27,8 @@ fields: - ComputerName - User - CommandLine - - ParentCommandLine + - ParentCommandLine falsepositives: - System administrator Usage - - Penetration test + - Penetration test level: medium \ No newline at end of file diff --git a/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml b/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml index 0bfa8ec82..399103d25 100644 --- a/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml +++ b/rules/windows/process_creation/sysmon_abusing_debug_privilege.yml @@ -24,11 +24,11 @@ detection: - '\spoolsv.exe' - '\searchindexer.exe' selection2: - Image|endswith: + Image|endswith: - '\powershell.exe' - '\cmd.exe' selection3: - User: 'NT AUTHORITY\SYSTEM' #NT AUTHORITY\SYSTEM same result with NT AUTHORITY\\SYSTEM + User: 'NT AUTHORITY\SYSTEM' filter: CommandLine|contains|all: - ' route ' diff --git a/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml b/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml index 56efab11b..73a21e295 100644 --- a/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml 
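Review bot: In sysmon_abusing_debug_privilege, `selection3` matches `User` exactly against `'NT AUTHORITY\SYSTEM'`, and the hunk deletes the comment that was tracking backslash-escaping behaviour without replacing it. Two caveats worth keeping in the rule: the authority part of that name is localized on non-English Windows, and some backends require the backslash escaped, which the removed comment was presumably documenting. Suggest `# SYSTEM account name is localized and backslash handling is backend-specific; map per environment` on that line, and matching on the SID where the log source exposes one.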
+++ b/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell.yml @@ -1,10 +1,10 @@ title: Always Install Elevated MSI Spawned Cmd And Powershell id: 1e53dd56-8d83-4eb4-a43e-b790a05510aa -description: This rule will looks for Windows Installer service (msiexec.exe) spawned command line and/or powershell +description: This rule will looks for Windows Installer service (msiexec.exe) spawned command line and/or powershell status: experimental author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community date: 2020/10/13 -references: +references: - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-50-638.jpg tags: - attack.privilege_escalation @@ -14,19 +14,19 @@ logsource: category: process_creation detection: image: - Image|contains: + Image|endswith: - '\cmd.exe' - '\powershell.exe' parent_image: - ParentImage|contains|all: + ParentImage|contains|all: - '\Windows\Installer\' - 'msi' - ParentImage|endswith: + ParentImage|endswith: - 'tmp' condition: image and parent_image fields: - Image - ParentImage falsepositives: - - Penetration test + - Penetration test level: medium \ No newline at end of file diff --git a/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml b/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml index 1bfb4d988..cd2d7a6d6 100644 --- a/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml +++ b/rules/windows/process_creation/sysmon_always_install_elevated_msi_spawned_cmd_and_powershell_spawned_processes.yml 
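Review bot: `ParentImage|endswith: 'tmp'` has no dot, so it also matches any parent path that merely ends in `tmp`; `'.tmp'` is what the `\Windows\Installer\MSI*.tmp` pattern implies and is no less permissive for the real case. The `description` still reads `This rule will looks for Windows Installer service (msiexec.exe) spawned command line and/or powershell` — this hunk only trims its whitespace; suggest `Detects cmd.exe or powershell.exe spawned by a Windows Installer temporary binary (\Windows\Installer\MSI*.tmp), as seen with AlwaysInstallElevated abuse`.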
@@ -4,7 +4,7 @@ description: This rule will looks for Windows Installer service (msiexec.exe) sp status: experimental author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community date: 2020/10/13 -references: +references: - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-50-638.jpg tags: - attack.privilege_escalation @@ -14,21 +14,21 @@ logsource: category: process_creation detection: parent_image: - ParentImage|contains: + ParentImage|endswith: - '\cmd.exe' - '\powershell.exe' parent_of_parent_image: - ParentOfParentImage|contains|all: + ParentOfParentImage|contains|all: - '\Windows\Installer\' - 'msi' - ParentOfParentImage|endswith: + ParentOfParentImage|endswith: - 'tmp' condition: parent_image and parent_of_parent_image fields: - ParentImage - ParentOfParentImage falsepositives: - - Penetration test + - Penetration test level: high enrichment: - EN_0001_cache_sysmon_event_id_1_info # http://bit.ly/314zc6x diff --git a/rules/windows/process_creation/sysmon_long_powershell_commandline.yml b/rules/windows/process_creation/sysmon_long_powershell_commandline.yml index f80cbcfcc..2feca4fc3 100644 --- a/rules/windows/process_creation/sysmon_long_powershell_commandline.yml +++ b/rules/windows/process_creation/sysmon_long_powershell_commandline.yml @@ -14,13 +14,13 @@ logsource: product: windows detection: Powershell_selection: - - CommandLine|contains: + - CommandLine|contains: - 'powershell' - 'pwsh' - Description: 'Windows Powershell' - Product: 'PowerShell Core 6' Length_selection: - CommandLine|re: '(.){1000,}' + CommandLine|re: '.{1000,}' condition: all of them falsepositives: Unknown level: medium diff --git a/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml b/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml index f2ec5d31d..41edce51f 100644 --- a/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml 
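Review bot: As in the sibling rule, `ParentOfParentImage|endswith: 'tmp'` should be `'.tmp'` so that only the `MSI*.tmp` installer binaries match rather than any path ending in `tmp`. `ParentOfParentImage` is not a standard Sigma process_creation field; the `enrichment: EN_0001_...` entry signals that, but a comment on the field line, e.g. `# requires the EN_0001 parent-process enrichment; empty on plain Sysmon`, would stop users deploying the rule where the field is absent and it silently never fires. The `description` has the same `This rule will looks for` wording as the sibling and should be fixed together.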
+++ b/rules/windows/process_creation/win_apt_lazarus_session_highjack.yml @@ -15,8 +15,8 @@ logsource: product: windows detection: selection: - Image|endswith: - - '\mstdc.exe' + Image|endswith: + - '\msdtc.exe' - '\gpvc.exe' filter: Image|startswith: diff --git a/rules/windows/process_creation/win_apt_zxshell.yml b/rules/windows/process_creation/win_apt_zxshell.yml index 4bd1603ba..515d541e7 100755 --- a/rules/windows/process_creation/win_apt_zxshell.yml +++ b/rules/windows/process_creation/win_apt_zxshell.yml @@ -20,8 +20,8 @@ logsource: product: windows detection: selection: - CommandLine|contains|all: - - 'rundll32.exe' + Image|endswith: + - '\rundll32.exe' CommandLine|contains: - 'zxFunction' - 'RemoteDiskXXXXX' diff --git a/rules/windows/process_creation/win_hktl_createminidump.yml b/rules/windows/process_creation/win_hktl_createminidump.yml index 13239e5f1..b1e40cded 100644 --- a/rules/windows/process_creation/win_hktl_createminidump.yml +++ b/rules/windows/process_creation/win_hktl_createminidump.yml @@ -18,7 +18,7 @@ logsource: category: process_creation product: windows detection: - selection1: + selection1: Image|contains: '\CreateMiniDump.exe' selection2: Imphash: '4a07f944a83e8a7c2525efa35dd30e2f' @@ -30,5 +30,5 @@ logsource: detection: selection: EventID: 11 - TargetFilename|contains: '\lsass.dmp' + TargetFilename|endswith: '\lsass.dmp' condition: 1 of them diff --git a/rules/windows/process_creation/win_invoke_obfuscation_clip+.yml b/rules/windows/process_creation/win_invoke_obfuscation_clip+.yml index 57469abe2..cc229f08e 100644 --- a/rules/windows/process_creation/win_invoke_obfuscation_clip+.yml +++ b/rules/windows/process_creation/win_invoke_obfuscation_clip+.yml 
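Review bot: Renaming `\mstdc.exe` to `\msdtc.exe` assumes the original was a typo, but lookalike filenames are a common masquerading trick and the reference this rule was built from is outside the hunk; if the report named the malicious binary `mstdc.exe`, this change removes the detection. Either verify against the reference or keep both spellings in the `Image|endswith` list (`- '\mstdc.exe'` and `- '\msdtc.exe'`): with the `filter: Image|startswith:` exclusion (its value is cut off here, presumably the system directory), a genuine `msdtc.exe` outside its normal path is itself suspicious, so both entries are useful.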
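Review bot: In win_apt_zxshell the new `Image|endswith: '\rundll32.exe'` constraint means a renamed copy of rundll32 evades the rule, while the `CommandLine|contains` strings `zxFunction` and `RemoteDiskXXXXX` are specific enough to stand alone. Either drop the Image constraint, or where the log source provides it make the process check an OR list: `- Image|endswith: '\rundll32.exe'` / `- OriginalFileName: 'RUNDLL32.EXE'`. The single-element `Image|endswith:` list can also be written as a plain scalar for readability.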
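Review bot: In win_hktl_createminidump `selection1` still uses `Image|contains: '\CreateMiniDump.exe'` while this same commit converts the equivalent `contains` matches to `endswith` elsewhere (`cmstp_execution`, the AlwaysInstallElevated rules, and the `TargetFilename` line in this very file). Make it `Image|endswith: '\CreateMiniDump.exe'` for consistency; `contains` is a wildcard-both-sides match that is slower on most backends and gains nothing here.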
@@ -16,7 +16,7 @@ logsource: product: windows detection: selection: - - CommandLine|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"' + CommandLine|re: '.*cmd.{0,5}(?:\/c|\/r).+clip(?:\.exe)?.{0,4}&&.+clipboard]::\(\s\\\"\{\d\}.+\-f.+\"' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/win_invoke_obfuscation_stdin+.yml b/rules/windows/process_creation/win_invoke_obfuscation_stdin+.yml index 18ac9ca90..dbdb4cbaa 100644 --- a/rules/windows/process_creation/win_invoke_obfuscation_stdin+.yml +++ b/rules/windows/process_creation/win_invoke_obfuscation_stdin+.yml @@ -16,7 +16,7 @@ logsource: product: windows detection: selection: - - CommandLine|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"' + CommandLine|re: '.*cmd.{0,5}(?:\/c|\/r).+powershell.+(?:\$\{?input\}?|noexit).+\"' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/win_invoke_obfuscation_var+.yml b/rules/windows/process_creation/win_invoke_obfuscation_var+.yml index 531fed7c7..63ae15f8c 100644 --- a/rules/windows/process_creation/win_invoke_obfuscation_var+.yml +++ b/rules/windows/process_creation/win_invoke_obfuscation_var+.yml @@ -16,7 +16,7 @@ logsource: product: windows detection: selection: - - CommandLine|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' + CommandLine|re: '.*cmd.{0,5}(?:\/c|\/r)(?:\s|)\"set\s[a-zA-Z]{3,6}.*(?:\{\d\}){1,}\\\"\s+?\-f(?:.*\)){1,}.*\"' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_compress.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_compress.yml index 00527484d..60a494a55 100644 --- a/rules/windows/process_creation/win_invoke_obfuscation_via_compress.yml +++ b/rules/windows/process_creation/win_invoke_obfuscation_via_compress.yml 
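Review bot: `CommandLine|re:` in this rule has no `(?i)` flag, and the Sigma `re` modifier is case-sensitive by specification, so `CMD /C ... CLIP` spellings are not matched even though every via_* rule later in this diff starts with `(?i)`; the same gap is in win_invoke_obfuscation_stdin+ and win_invoke_obfuscation_var+. The leading `.*` is redundant in an unanchored search and only adds backtracking, which applies to the whole family (clip+, stdin+, var+, via_compress, via_rundll, via_stdin, via_use_clip, via_use_mhsta, via_use_rundll32, via_var++).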
@@ -16,8 +16,8 @@ logsource: product: windows detection: selection: - - CommandLine|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend' + CommandLine|re: '(?i).*new-object.*(?:system\.io\.compression\.deflatestream|system\.io\.streamreader).*text\.encoding\]::ascii.*readtoend' condition: selection falsepositives: - unknown -level: medium \ No newline at end of file +level: medium \ No newline at end of file diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_rundll.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_rundll.yml index 4883f3265..d8b91c93c 100644 --- a/rules/windows/process_creation/win_invoke_obfuscation_via_rundll.yml +++ b/rules/windows/process_creation/win_invoke_obfuscation_via_rundll.yml @@ -16,8 +16,8 @@ logsource: product: windows detection: selection: - - CommandLine|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"' + CommandLine|re: '(?i).*rundll32(?:\.exe)?(?:\s+)?shell32\.dll.*shellexec_rundll.*powershell.*\"' condition: selection falsepositives: - Unknown -level: medium +level: medium diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_stdin.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_stdin.yml index 8f6466f93..71f178496 100644 --- a/rules/windows/process_creation/win_invoke_obfuscation_via_stdin.yml +++ b/rules/windows/process_creation/win_invoke_obfuscation_via_stdin.yml @@ -16,7 +16,7 @@ logsource: product: windows detection: selection: - - CommandLine|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"' + CommandLine|re: '(?i).*(set).*&&\s?set.*(environment|invoke|\${?input).*&&.*"' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_use_clip.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_use_clip.yml index c59540cf6..ce8d6bfc8 100644 
--- a/rules/windows/process_creation/win_invoke_obfuscation_via_use_clip.yml +++ b/rules/windows/process_creation/win_invoke_obfuscation_via_use_clip.yml @@ -16,7 +16,7 @@ logsource: product: windows detection: selection: - - CommandLine|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*' + CommandLine|re: '(?i).*?echo.*clip.*&&.*(Clipboard|i`?n`?v`?o`?k`?e`?).*' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_use_mhsta.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_use_mhsta.yml index cec51806e..95f4633a1 100644 --- a/rules/windows/process_creation/win_invoke_obfuscation_via_use_mhsta.yml +++ b/rules/windows/process_creation/win_invoke_obfuscation_via_use_mhsta.yml @@ -16,7 +16,7 @@ logsource: product: windows detection: selection: - - CommandLine|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"' + CommandLine|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_use_rundll32.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_use_rundll32.yml index 67aceabbf..169d86471 100644 --- a/rules/windows/process_creation/win_invoke_obfuscation_via_use_rundll32.yml +++ b/rules/windows/process_creation/win_invoke_obfuscation_via_use_rundll32.yml @@ -16,7 +16,7 @@ logsource: product: windows detection: selection: - - CommandLine|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"' + CommandLine|re: '(?i).*&&.*rundll32.*shell32\.dll.*shellexec_rundll.*(value|invoke|comspec|iex).*"' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/win_invoke_obfuscation_via_var++.yml b/rules/windows/process_creation/win_invoke_obfuscation_via_var++.yml index 1fd2993b4..248c69830 100644 
--- a/rules/windows/process_creation/win_invoke_obfuscation_via_var++.yml +++ b/rules/windows/process_creation/win_invoke_obfuscation_via_var++.yml @@ -16,7 +16,7 @@ logsource: product: windows detection: selection: - - CommandLine|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c|\/r' + CommandLine|re: '(?i).*&&set.*(\{\d\}){2,}\\\"\s+?\-f.*&&.*cmd.*\/c|\/r' condition: selection falsepositives: - Unknown diff --git a/rules/windows/process_creation/win_malware_wannacry.yml b/rules/windows/process_creation/win_malware_wannacry.yml index 35833f3bd..815de36f2 100644 --- a/rules/windows/process_creation/win_malware_wannacry.yml +++ b/rules/windows/process_creation/win_malware_wannacry.yml @@ -39,8 +39,7 @@ detection: - CommandLine|contains|all: - 'icacls' - '/grant' - - 'Everyone:' - - 'F' + - 'Everyone:F' - '/T' - '/C' - '/Q' diff --git a/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml b/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml index fb3a33036..ed87b52e3 100644 --- a/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml +++ b/rules/windows/process_creation/win_office_spawn_exe_from_users_directory.yml @@ -11,7 +11,7 @@ tags: - attack.t1204.002 - FIN7 - car.2013-05-002 -author: Jason Lynch +author: Jason Lynch date: 2019/04/02 modified: 2020/09/01 logsource: @@ -26,9 +26,8 @@ detection: - '\MSPUB.exe' - '\VISIO.exe' - '\OUTLOOK.EXE' - Image|contains|all: - - 'C:\users\' - - '.exe' + Image|startswith: 'C:\users\' + Image|endswith: '.exe' condition: selection fields: - CommandLine diff --git a/rules/windows/process_creation/win_susp_Register_cimprovider.yml b/rules/windows/process_creation/win_susp_Register_cimprovider.yml index aee7498bd..5244e22ff 100644 --- a/rules/windows/process_creation/win_susp_Register_cimprovider.yml +++ b/rules/windows/process_creation/win_susp_Register_cimprovider.yml 
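Review bot: The regex ends in `cmd.*\/c|\/r`, where the unparenthesised `|` splits the whole pattern into two top-level alternatives, so any command line containing `/r` (a common switch of many utilities) satisfies the rule on its own; the intended form is the grouped `cmd.*(?:\/c|\/r)` that the clip+ and stdin+ rules earlier in this diff use. Changing the tail to `.*cmd.*(?:\/c|\/r)'` fixes it without touching the rest of the expression.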
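Review bot: `contains 'Everyone:F'` no longer sees grant strings that carry inheritance flags between the colon and the right, such as `Everyone:(OI)(CI)F`, which the old split tokens did catch (at the cost of the near-always-true `'F'`); if that documented icacls form should stay covered, list `'Everyone:('` as a second value alongside `'Everyone:F'`. The enclosing `selection` list and the `condition` are outside the hunk.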
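Review bot: `Image|startswith: 'C:\users\'` hard-codes the system drive, whereas the win_susp_gup hunk in this same diff strips the drive letter, which suggests the rule set is moving to drive-agnostic paths; `Image|contains: '\Users\'` keeps the drive-independent behaviour of the removed `contains|all` form while the new `Image|endswith: '.exe'` still anchors the extension. The start of the `selection` list (the Office `ParentImage` values) is outside the hunk.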
@@ -1,4 +1,4 @@ -title: DLL Execution Via Register-cimprovider.exe +title: DLL Execution Via Register-cimprovider.exe id: a2910908-e86f-4687-aeba-76a5f996e652 status: experimental description: Detects using register-cimprovider.exe to execute arbitrary dll file. @@ -7,12 +7,12 @@ references: - https://github.com/api0cradle/LOLBAS/blob/master/OSBinaries/Register-cimprovider.md tags: - attack.defense_evasion - - attack.t1574 + - attack.t1574 author: Ivan Dyachkov, Yulia Fomina, oscd.community -date: 2020/10/07 -logsource: - category: process_creation - product: windows +date: 2020/10/07 +logsource: + category: process_creation + product: windows definition: 'Requirements: Sysmon ProcessCreation logging must be activated and Windows audit msut Include command line in process creation events' detection: selection: diff --git a/rules/windows/process_creation/win_susp_atbroker.yml b/rules/windows/process_creation/win_susp_atbroker.yml index ca842b913..ac9584df3 100644 --- a/rules/windows/process_creation/win_susp_atbroker.yml +++ b/rules/windows/process_creation/win_susp_atbroker.yml @@ -49,5 +49,5 @@ detection: - windowtrackingzorder condition: selection1 and selection2 and not filter falsepositives: - - Legitimate, non-deafualt Assistive Technology applications execution + - Legitimate, non-default assistive technology applications execution level: high diff --git a/rules/windows/process_creation/win_susp_certutil_command.yml b/rules/windows/process_creation/win_susp_certutil_command.yml index 08eff719f..8137eafe6 100644 --- a/rules/windows/process_creation/win_susp_certutil_command.yml +++ b/rules/windows/process_creation/win_susp_certutil_command.yml 
@@ -18,28 +18,19 @@ logsource: category: process_creation product: windows detection: - suffixes_1: - CommandLine|contains: - - ' -' - - ' /' - selection: + parameters: CommandLine|contains: - 'decode ' - 'decodehex ' - 'urlcache ' - 'verifyctl ' - 'encode ' - suffixes_2: - CommandLine|contains: - - '-' - - '/' certutil: Image|endswith: '\certutil.exe' CommandLine|contains: - 'URL' - 'ping' - condition: suffixes_1 and selection or - suffixes_2 and certutil + condition: parameters or certutil fields: - CommandLine - ParentCommandLine @@ -54,7 +45,7 @@ tags: - attack.g0045 - attack.g0049 - attack.g0075 - - attack.g0096 + - attack.g0096 falsepositives: - False positives depend on scripts and administrative tools used in the monitored environment level: high diff --git a/rules/windows/process_creation/win_susp_control_dll_load.yml b/rules/windows/process_creation/win_susp_control_dll_load.yml index ed63ad947..726bb7ce1 100644 --- a/rules/windows/process_creation/win_susp_control_dll_load.yml +++ b/rules/windows/process_creation/win_susp_control_dll_load.yml @@ -17,7 +17,7 @@ logsource: detection: selection: ParentImage|endswith: '\System32\control.exe' - CommandLine|contains: '\rundll32.exe ' + Image|endswith: '\rundll32.exe ' filter: CommandLine|contains: 'Shell32.dll' condition: selection and not filter diff --git a/rules/windows/process_creation/win_susp_crackmapexec_execution.yml b/rules/windows/process_creation/win_susp_crackmapexec_execution.yml index ed44d56c4..e5d69a30a 100644 --- a/rules/windows/process_creation/win_susp_crackmapexec_execution.yml +++ b/rules/windows/process_creation/win_susp_crackmapexec_execution.yml @@ -1,6 +1,6 @@ title: CrackMapExec Command Execution id: 058f4380-962d-40a5-afce-50207d36d7e2 -status: experimental +status: stable description: Detect various execution methods of the CrackMapExec pentesting framework references: - https://github.com/byt3bl33d3r/CrackMapExec 
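Review bot: The new `parameters` selection has no binary anchor, so with `condition: parameters or certutil` any process whose command line contains `encode `, `decode ` or `urlcache ` now raises a `high`-level alert, whereas the removed `suffixes_1` at least required a ` -`/` /` switch prefix in conjunction. Add `Image|endswith: '\certutil.exe'` to the `parameters` map as well, or factor the image test into its own selection and use `condition: certutil_image and (parameters or certutil_cmd)`. The `detection` block is complete within the hunk.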
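Review bot: `Image|endswith: '\rundll32.exe '` keeps the trailing space from the old `CommandLine|contains` value, and an image path never ends in a space, so `selection` can no longer match and the rule is silently dead; it should read `Image|endswith: '\rundll32.exe'`. The space was only meaningful in the `contains` form, where it separated the executable name from its arguments.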
@@ -8,7 +8,7 @@ tags: - attack.execution - attack.t1047 - attack.t1053 - - attack.t1059.003 + - attack.t1059.003 - attack.t1059.001 - attack.s0106 - attack.t1086 # an old one @@ -19,31 +19,18 @@ logsource: product: windows detection: selection: - - CommandLine|contains|all: + CommandLine|endswith: # cme/protocols/smb/wmiexec.py (generalized execute_remote and execute_fileless) - - 'cmd.exe /Q /c' - - '1> \\\\' - - '\' - - '\\' - - '2>&1' - - CommandLine|contains|all: + - 'cmd.exe /Q /c * 1> \\\\*\\*\\* 2>&1' # cme/protocols/smb/atexec.py:109 (fileless output via share) - - 'cmd.exe /C' - - '> \\\\' - - '\' - - '\\' - - '2>&1' - - CommandLine|contains|all: + - 'cmd.exe /C * > \\\\*\\*\\* 2>&1' # cme/protocols/smb/atexec.py:111 (fileless output via share) - - 'cmd.exe /C' - - '>' - - '\\Temp\\' - - '2>&1' - - CommandLine|contains: + - 'cmd.exe /C * > *\\Temp\\* 2>&1' + CommandLine|contains: # cme/helpers/powershell.py:139 (PowerShell execution with obfuscation) - - 'powershell.exe -exec bypass -noni -nop -w 1 -C "' + - '*powershell.exe -exec bypass -noni -nop -w 1 -C "*' # cme/helpers/powershell.py:149 (PowerShell execution without obfuscation) - - 'powershell.exe -noni -nop -w 1 -enc ' + - '*powershell.exe -noni -nop -w 1 -enc *' condition: selection fields: - ComputerName diff --git a/rules/windows/process_creation/win_susp_gup.yml b/rules/windows/process_creation/win_susp_gup.yml index 8b34c2dd6..a6d7d8e3f 100644 --- a/rules/windows/process_creation/win_susp_gup.yml +++ b/rules/windows/process_creation/win_susp_gup.yml 
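Review bot: The `CommandLine|contains` values are wrapped in `*` on both ends, which `contains` already implies, and the `|endswith` patterns embed `*` mid-string while requiring the command line to end exactly in ` 2>&1`; both depend on the backend treating `*` as a wildcard inside modifier values, and some targets escape it to a literal asterisk, so the rendered queries should be checked against a sample event before the rule is relied on. Dropping the outer `*` from the two `contains` entries removes the ambiguity for that half at no cost. The `detection` block, including `condition`, is complete within the hunk.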
@@ -19,10 +19,10 @@ detection: Image|endswith: '\GUP.exe' filter: Image|endswith: - - ':\Users\\*\AppData\Local\Notepad++\updater\GUP.exe' - - ':\Users\\*\AppData\Roaming\Notepad++\updater\GUP.exe' - - ':\Program Files\Notepad++\updater\GUP.exe' - - ':\Program Files (x86)\Notepad++\updater\GUP.exe' + - '\Users\\*\AppData\Local\Notepad++\updater\GUP.exe' + - '\Users\\*\AppData\Roaming\Notepad++\updater\GUP.exe' + - '\Program Files\Notepad++\updater\GUP.exe' + - '\Program Files (x86)\Notepad++\updater\GUP.exe' condition: selection and not filter falsepositives: - Execution of tools named GUP.exe and located in folders different than Notepad++\updater diff --git a/rules/windows/process_creation/win_susp_mounted_share_deletion.yml b/rules/windows/process_creation/win_susp_mounted_share_deletion.yml index aa89d6de3..e609f086e 100644 --- a/rules/windows/process_creation/win_susp_mounted_share_deletion.yml +++ b/rules/windows/process_creation/win_susp_mounted_share_deletion.yml @@ -22,4 +22,4 @@ detection: condition: selection falsepositives: - Administrators or Power users may remove their shares via cmd line -level: medium +level: low diff --git a/rules/windows/process_creation/win_susp_ntdsutil.yml b/rules/windows/process_creation/win_susp_ntdsutil.yml index 1651ac8c0..45e867f75 100644 --- a/rules/windows/process_creation/win_susp_ntdsutil.yml +++ b/rules/windows/process_creation/win_susp_ntdsutil.yml @@ -10,7 +10,7 @@ modified: 2020/11/28 tags: - attack.credential_access - attack.t1003.003 - - attack.t1003 # an old one + - attack.t1003 # an old one logsource: category: process_creation product: windows @@ -20,4 +20,4 @@ detection: condition: selection falsepositives: - NTDS maintenance -level: high +level: medium diff --git a/rules/windows/process_creation/win_susp_ps_appdata.yml b/rules/windows/process_creation/win_susp_ps_appdata.yml index f07e84b98..bf9c48a62 100644 --- a/rules/windows/process_creation/win_susp_ps_appdata.yml 
+++ b/rules/windows/process_creation/win_susp_ps_appdata.yml @@ -8,7 +8,7 @@ references: tags: - attack.execution - attack.t1059.001 - - attack.t1086 # an old one + - attack.t1086 # an old one author: Florian Roth, Jonhnathan Ribeiro, oscd.community date: 2019/01/09 modified: 2020/11/28 diff --git a/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml b/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml index 04e207f6c..2a850916d 100644 --- a/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml +++ b/rules/windows/process_creation/win_susp_rundll32_by_ordinal.yml @@ -1,7 +1,7 @@ title: Suspicious Call by Ordinal id: e79a9e79-eb72-4e78-a628-0e7e8f59e89c description: Detects suspicious calls of DLLs in rundll32.dll exports by ordinal -status: experimental +status: stable references: - https://techtalk.pcmatic.com/2017/11/30/running-dll-files-malware-analysis/ - https://github.com/Neo23x0/DLLRunner @@ -19,7 +19,7 @@ logsource: product: windows detection: selection: - CommandLine|contains|all: + CommandLine|contains|all: - '\rundll32.exe' - ',#' condition: selection diff --git a/rules/windows/process_creation/win_susp_runonce_execution.yml b/rules/windows/process_creation/win_susp_runonce_execution.yml index 1f4b7f1b9..f36b66f6f 100644 --- a/rules/windows/process_creation/win_susp_runonce_execution.yml +++ b/rules/windows/process_creation/win_susp_runonce_execution.yml @@ -26,4 +26,4 @@ detection: condition: (process_name or process_description) and command_line falsepositives: - Unknown -level: medium +level: low diff --git a/rules/windows/process_creation/win_susp_sqldumper_activity.yml b/rules/windows/process_creation/win_susp_sqldumper_activity.yml index 93087628f..41b2a3c2e 100644 --- a/rules/windows/process_creation/win_susp_sqldumper_activity.yml +++ b/rules/windows/process_creation/win_susp_sqldumper_activity.yml 
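Review bot: The selection in this file's second hunk (touched only for whitespace) still requires the literal `\rundll32.exe` in the command line, so invocations written as `rundll32 lib.dll,#1` — no path, no extension — go unmatched, which sits oddly with the promotion to `status: stable` in this hunk. Anchoring the binary with `Image|endswith: '\rundll32.exe'` and keeping `CommandLine|contains: ',#'` covers both spellings and is worth settling before the stability promotion.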
@@ -11,7 +11,7 @@ author: Kirill Kiryanov, oscd.community date: 2020/10/08 tags: - attack.credential_access - - attack.t1003.001 + - attack.t1003.001 logsource: category: process_creation product: windows diff --git a/rules/windows/process_creation/win_susp_sysprep_appdata.yml b/rules/windows/process_creation/win_susp_sysprep_appdata.yml index 56694bf67..dea91d765 100644 --- a/rules/windows/process_creation/win_susp_sysprep_appdata.yml +++ b/rules/windows/process_creation/win_susp_sysprep_appdata.yml @@ -15,8 +15,9 @@ logsource: product: windows detection: selection: - CommandLine|contains|all: - - 'sysprep.exe' + Image|endswith: + - '\sysprep.exe' + CommandLine|contains: - '\AppData\' condition: selection falsepositives: diff --git a/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml b/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml index 2a90f98cd..28b3928a0 100644 --- a/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml +++ b/rules/windows/process_creation/win_susp_use_of_sqlps_bin.yml 
@@ -1,15 +1,15 @@ -title: Detection of PowerShell Execution via Sqlps.exe -id: 0152550d-3a26-4efd-9f0e-54a0b28ae2f3 +title: Detection of PowerShell Execution via Sqlps.exe +id: 0152550d-3a26-4efd-9f0e-54a0b28ae2f3 status: experimental -description: This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs. +description: This rule detects execution of a PowerShell code through the sqlps.exe utility, which is included in the standard set of utilities supplied with the MSSQL Server. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs. references: - - https://docs.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15 + - https://docs.microsoft.com/en-us/sql/tools/sqlps-utility?view=sql-server-ver15 - https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqlps/ - https://twitter.com/bryon_/status/975835709587075072 tags: - attack.execution - attack.t1059.001 - - attack.defense_evasion + - attack.defense_evasion - attack.t1127 author: 'Agro (@agro_sev) oscd.community' date: 2020/10/10 @@ -19,7 +19,7 @@ logsource: detection: selection1: Image|endswith: '\sqlps.exe' - selection2: + selection2: ParentImage|endswith: '\sqlps.exe' selection3: OriginalFileName: '\sqlps.exe' @@ -28,4 +28,4 @@ detection: condition: selection1 or selection2 or selection3 and not reduction falsepositives: - Direct PS command execution through SQLPS.exe is uncommon, childprocess sqlps.exe spawned by sqlagent.exe is a legitimate action. -level: medium +level: medium diff --git a/rules/windows/process_creation/win_susp_use_of_sqltoolsps_bin.yml b/rules/windows/process_creation/win_susp_use_of_sqltoolsps_bin.yml index 1f240db80..0e74bea2b 100644 
--- a/rules/windows/process_creation/win_susp_use_of_sqltoolsps_bin.yml +++ b/rules/windows/process_creation/win_susp_use_of_sqltoolsps_bin.yml @@ -1,14 +1,14 @@ title: SQL Client Tools PowerShell Session Detection -id: a746c9b8-a2fb-4ee5-a428-92bee9e99060 +id: a746c9b8-a2fb-4ee5-a428-92bee9e99060 status: experimental -description: This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs. +description: This rule detects execution of a PowerShell code through the sqltoolsps.exe utility, which is included in the standard set of utilities supplied with the Microsoft SQL Server Management studio. Script blocks are not logged in this case, so this utility helps to bypass protection mechanisms based on the analysis of these logs. references: - - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Sqltoolsps.yml - - https://twitter.com/pabraeken/status/993298228840992768 + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Sqltoolsps.yml + - https://twitter.com/pabraeken/status/993298228840992768 tags: - attack.execution - attack.t1059.001 - - attack.defense_evasion + - attack.defense_evasion - attack.t1127 author: 'Agro (@agro_sev) oscd.communitly' date: 2020/10/13 @@ -18,7 +18,7 @@ logsource: detection: selection1: Image|endswith: '\sqltoolsps.exe' - selection2: + selection2: ParentImage|endswith: '\sqltoolsps.exe' selection3: OriginalFileName: '\sqltoolsps.exe' @@ -27,5 +27,5 @@ detection: condition: selection1 or selection2 or selection3 and not reduction falsepositives: - Direct PS command execution through SQLToolsPS.exe is uncommon, childprocess sqltoolsps.exe spawned by smss.exe is a legitimate action. -level: medium +level: medium 
diff --git a/rules/windows/process_creation/win_susp_use_of_te_bin.yml b/rules/windows/process_creation/win_susp_use_of_te_bin.yml index 357380c7b..d74b74b0b 100644 --- a/rules/windows/process_creation/win_susp_use_of_te_bin.yml +++ b/rules/windows/process_creation/win_susp_use_of_te_bin.yml @@ -1,10 +1,10 @@ title: Malicious Windows Script Components File Execution by TAEF Detection -id: 634b00d5-ccc3-4a06-ae3b-0ec8444dd51b +id: 634b00d5-ccc3-4a06-ae3b-0ec8444dd51b status: experimental description: Windows Test Authoring and Execution Framework (TAEF) framework allows you to run automation by executing tests files written on different languages (C, C#, Microsoft COM Scripting interfaces). Adversaries may execute malicious code (such as WSC file with VBScript, dll and so on) directly by running te.exe references: - - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Te.yml - - https://twitter.com/pabraeken/status/993298228840992768 + - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Te.yml + - https://twitter.com/pabraeken/status/993298228840992768 - https://docs.microsoft.com/en-us/windows-hardware/drivers/taef/ tags: - attack.t1218 @@ -16,11 +16,11 @@ logsource: detection: selection1: Image|endswith: '\te.exe' - selection2: + selection2: ParentImage|endswith: '\te.exe' selection3: OriginalFileName: '\te.exe' - condition: selection1 or selection2 or selection3 + condition: selection1 or selection2 or selection3 falsepositives: - It's not an uncommon to use te.exe directly to execute legal TAEF tests level: low diff --git a/rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml b/rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml index 28e943f3e..529aff91d 100644 --- a/rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml +++ b/rules/windows/process_creation/win_susp_use_of_vsjitdebugger_bin.yml 
@@ -1,7 +1,7 @@ title: Malicious PE Execution by Microsoft Visual Studio Debugger id: 15c7904e-6ad1-4a45-9b46-5fb25df37fd2 status: experimental -description: There is an option for a MS VS Just-In-Time Debugger "vsjitdebugger.exe" to launch specified executable and attach a debugger. This option may be used adversaries to execute malicious code by signed verified binary. The debugger is installed alongside with Microsoft Visual Studio package. +description: There is an option for a MS VS Just-In-Time Debugger "vsjitdebugger.exe" to launch specified executable and attach a debugger. This option may be used adversaries to execute malicious code by signed verified binary. The debugger is installed alongside with Microsoft Visual Studio package. references: - https://twitter.com/pabraeken/status/990758590020452353 - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OtherMSBinaries/Vsjitdebugger.yml @@ -15,7 +15,7 @@ logsource: category: process_creation product: windows detection: - selection: + selection: ParentImage|endswith: '\vsjitdebugger.exe' reduction1: ChildImage|endswith: '\vsimmersiveactivatehelper*.exe' @@ -23,6 +23,6 @@ detection: ChildImage|endswith: '\devenv.exe' condition: selection and not (reduction1 or reduction2) falsepositives: - - the process spawned by vsjitdebugger.exe is uncommon. -level: medium + - the process spawned by vsjitdebugger.exe is uncommon. +level: medium diff --git a/rules/windows/process_creation/win_susp_whoami.yml b/rules/windows/process_creation/win_susp_whoami.yml index 97238db4f..5fab95fae 100644 --- a/rules/windows/process_creation/win_susp_whoami.yml +++ b/rules/windows/process_creation/win_susp_whoami.yml @@ -23,4 +23,5 @@ detection: falsepositives: - Admin activity - Scripts and administrative tools used in the monitored environment -level: high + - Monitoring activity +level: medium 
diff --git a/rules/windows/process_creation/win_syncappvpublishingserver_exe.yml b/rules/windows/process_creation/win_syncappvpublishingserver_exe.yml index d1e5e4769..203fefb92 100644 --- a/rules/windows/process_creation/win_syncappvpublishingserver_exe.yml +++ b/rules/windows/process_creation/win_syncappvpublishingserver_exe.yml @@ -4,13 +4,13 @@ id: fde7929d-8beb-4a4c-b922-be9974671667 description: Detects SyncAppvPublishingServer process execution which usually utilized by adversaries to bypass PowerShell execution restrictions. references: - https://lolbas-project.github.io/lolbas/Binaries/Syncappvpublishingserver/ -author: 'Ensar Şamil, @sblmsrsn, OSCD Community' +author: 'Ensar Şamil, @sblmsrsn, OSCD Community' date: 2020/10/05 tags: - attack.defense_evasion - attack.t1218 detection: - condition: 1 of them + condition: selection falsepositives: - App-V clients level: medium @@ -19,12 +19,12 @@ logsource: product: windows category: process_creation detection: - selection1: + selection: Image|endswith: '\SyncAppvPublishingServer.exe' --- logsource: product: windows service: powershell detection: - selection2: + selection: Message|contains: 'SyncAppvPublishingServer.exe' \ No newline at end of file diff --git a/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml b/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml index 4ed71d3f9..4e8ce30d6 100644 --- a/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml +++ b/rules/windows/process_creation/win_wmi_backdoor_exchange_transport_agent.yml @@ -1,7 +1,7 @@ title: WMI Backdoor Exchange Transport Agent id: 797011dc-44f4-4e6f-9f10-a8ceefbe566b status: experimental -description: Detects a WMi backdoor in Exchange Transport Agents via WMi event filters +description: Detects a WMI backdoor in Exchange Transport Agents via WMI event filters author: Florian Roth date: 2019/10/11 references: 
diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml index a3e03568d..a8bb54d79 100755 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification.yml @@ -3,7 +3,7 @@ id: 17f878b8-9968-4578-b814-c4217fc5768c description: Detects modification of autostart extensibility point (ASEP) in registry. status: experimental references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1060/T1060.yaml + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.001/T1547.001.md - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys tags: @@ -15,10 +15,10 @@ modified: 2020/11/04 author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community logsource: category: registry_event - product: windows + product: windows level: medium detection: - main_selection: + main_selection: TargetObject|contains: - '\SOFTWARE\Wow6432Node\Microsoft\Windows CE Services\AutoStart' - '\Software\Wow6432Node\Microsoft\Command Processor\Autorun' @@ -38,9 +38,9 @@ detection: - '\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components' - '\Software\Classes\Clsid\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\Inprocserver32' - '\Control Panel\Desktop\Scrnsave.exe' + session_manager_base: + TargetObject|contains: '\System\CurrentControlSet\Control\Session Manager' session_manager: - TargetObject|contains|all: - - '\System\CurrentControlSet\Control\Session Manager' TargetObject|contains: - '\SetupExecute' - '\S0InitialCommand' 
@@ -48,9 +48,9 @@ detection: - '\Execute' - '\BootExecute' - '\AppCertDlls' + current_version_base: + TargetObject|contains: '\SOFTWARE\Microsoft\Windows\CurrentVersion' current_version: - TargetObject|contains|all: - - '\SOFTWARE\Microsoft\Windows\CurrentVersion' TargetObject|contains: - '\ShellServiceObjectDelayLoad' - '\Run' @@ -68,9 +68,9 @@ detection: - '\Authentication\PLAP Providers' - '\Authentication\Credential Providers' - '\Authentication\Credential Provider Filters' + nt_current_version_base: + TargetObject|contains: '\SOFTWARE\Microsoft\Windows NT\CurrentVersion' nt_current_version: - TargetObject|contains|all: - - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion' TargetObject|contains: - '\Winlogon\VmApplet' - '\Winlogon\Userinit' @@ -86,9 +86,9 @@ detection: - '\Drivers32' - '\Windows\Run' - '\Windows\Load' + wow_current_version_base: + TargetObject|contains: '\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion' wow_current_version: - TargetObject|contains|all: - - '\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion' TargetObject|contains: - '\ShellServiceObjectDelayLoad' - '\Run' @@ -97,16 +97,16 @@ detection: - '\Explorer\ShellExecuteHooks' - '\Explorer\SharedTaskScheduler' - '\Explorer\Browser Helper Objects' + wow_nt_current_version_base: + TargetObject|contains: '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion' wow_nt_current_version: - TargetObject|contains|all: - - '\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion' TargetObject|contains: - '\Windows\Appinit_Dlls' - '\Image File Execution Options' - '\Drivers32' - wow_office: + wow_office: TargetObject|contains: '\Software\Wow6432Node\Microsoft\Office' - office: + office: TargetObject|contains: '\Software\Microsoft\Office' wow_office_details: TargetObject|contains: 
@@ -117,7 +117,7 @@ detection: - '\Excel\Addins' - '\Access\Addins' - 'test\Special\Perf' - wow_ie: + wow_ie: TargetObject|contains: '\Software\Wow6432Node\Microsoft\Internet Explorer' ie: TargetObject|contains: '\Software\Microsoft\Internet Explorer' @@ -126,9 +126,9 @@ detection: - '\Toolbar' - '\Extensions' - '\Explorer Bars' + wow_classes_base: + TargetObject|contains: '\Software\Wow6432Node\Classes' wow_classes: - TargetObject|contains|all: - - '\Software\Wow6432Node\Classes' TargetObject|contains: - '\Folder\ShellEx\ExtShellFolderViews' - '\Folder\ShellEx\DragDropHandlers' @@ -142,9 +142,9 @@ detection: - '\AllFileSystemObjects\ShellEx\DragDropHandlers' - '\ShellEx\PropertySheetHandlers' - '\ShellEx\ContextMenuHandlers' + classes_base: + TargetObject|contains: '\Software\Classes' classes: - TargetObject|contains|all: - - '\Software\Classes' TargetObject|contains: - '\Folder\ShellEx\ExtShellFolderViews' - '\Folder\ShellEx\DragDropHandlers' @@ -162,23 +162,23 @@ detection: - '\.cmd' - '\ShellEx\PropertySheetHandlers' - '\ShellEx\ContextMenuHandlers' + scripts_base: + TargetObject|contains: '\Software\Policies\Microsoft\Windows\System\Scripts' scripts: - TargetObject|contains|all: - - '\Software\Policies\Microsoft\Windows\System\Scripts' TargetObject|contains: - '\Startup' - '\Shutdown' - '\Logon' - '\Logoff' + winsock_parameters_base: + TargetObject|contains: '\System\CurrentControlSet\Services\WinSock2\Parameters' winsock_parameters: - TargetObject|contains|all: - - '\System\CurrentControlSet\Services\WinSock2\Parameters' TargetObject|contains: - '\Protocol_Catalog9\Catalog_Entries' - '\NameSpace_Catalog5\Catalog_Entries' + system_control_base: + TargetObject|contains: '\SYSTEM\CurrentControlSet\Control' system_control: - TargetObject|contains|all: - - '\SYSTEM\CurrentControlSet\Control' TargetObject|contains: - '\Terminal Server\WinStations\RDP-Tcp\InitialProgram' - '\Terminal Server\Wds\rdpwd\StartupPrograms' 
@@ -190,19 +190,19 @@ detection:
 - '\Lsa\Notification Packages'
 - '\Lsa\Authentication Packages'
 - '\BootVerificationProgram\ImagePath'
- condition: main_selection OR
- session_manager OR
- current_version OR
- nt_current_version OR
- wow_current_version OR
- wow_nt_current_version OR
- (wow_office OR office) AND wow_office_details OR
- (wow_ie OR ie) AND wow_ie_details OR
- wow_classes OR
- classes OR
- scripts OR
- winsock_parameters OR
- system_control
+ condition: main_selection OR
+ session_manager_base AND session_manager OR
+ current_version_base AND current_version OR
+ nt_current_version_base AND nt_current_version OR
+ wow_current_version_base AND wow_current_version OR
+ wow_nt_current_version_base AND wow_nt_current_version OR
+ (wow_office OR office) AND wow_office_details OR
+ (wow_ie OR ie) AND wow_ie_details OR
+ wow_classes_base AND wow_classes OR
+ classes_base AND classes OR
+ scripts_base AND scripts OR
+ winsock_parameters_base AND winsock_parameters OR
+ system_control_base AND system_control
 fields:
 - SecurityID
 - ObjectName
diff --git a/rules/windows/registry_event/sysmon_cmstp_execution.yml b/rules/windows/registry_event/sysmon_cmstp_execution.yml
index 81dd64679..10c7f0b17 100755
--- a/rules/windows/registry_event/sysmon_cmstp_execution.yml
+++ b/rules/windows/registry_event/sysmon_cmstp_execution.yml
@@ -25,11 +25,6 @@ logsource:
 category: registry_event
 product: windows
 detection:
- # Registry Object Add
- selection1:
- TargetObject|contains: '\cmmgr32.exe*'
- EventType: 'CreateKey'
- # Registry Object Value Set
- selection2:
- TargetObject|contains: '\cmmgr32.exe*'
- condition: 1 of them
+ selection:
+ TargetObject|contains: '\cmmgr32.exe'
+ condition: selection
diff --git a/rules/windows/registry_event/sysmon_hack_wce_reg.yml b/rules/windows/registry_event/sysmon_hack_wce_reg.yml
index 88b35f834..e3f50de16 100755
--- a/rules/windows/registry_event/sysmon_hack_wce_reg.yml
+++ b/rules/windows/registry_event/sysmon_hack_wce_reg.yml
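Review bot: The rewritten condition relies on AND binding tighter than OR for every `x_base AND x OR` pair; the Sigma condition grammar does give AND precedence, but the same expression already parenthesises `(wow_office OR office) AND wow_office_details`, so the new pairs should be grouped the same way for consistency and to make the intent unmistakable, e.g. `(current_version_base AND current_version) OR`. The condition also references `session_manager_base`, and none of the visible hunks adds that selection (the @@ -48 hunk shows only the tail of the session_manager list); confirm it is defined in the part of the file outside this diff, since an undefined selection name in the condition would be rejected at conversion time. Lower-case `and`/`or` would also match the keyword casing used in the other rules touched by this commit (`condition: creation or persistance`).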
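Review bot: Nothing in the new detection block records why the `CreateKey`-specific selection and its two comments were removed, so a later reader cannot tell that the single `selection` is intentionally event-type-agnostic. The old `selection2` already matched every event type for the path, so `1 of them` reduced to `selection2` and the change preserves behaviour, but that reasoning now lives only in the history; suggest a short comment above the selection, e.g. `# matches any registry event type on the cmmgr32.exe key; a CreateKey-only selection was redundant with this`. Dropping the trailing `*` is correct because `contains` already implies wildcards on both sides, and is worth saying in the commit message so the two edits are not mistaken for a detection change.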
@@ -15,7 +15,7 @@ logsource:
 category: registry_event
 product: windows
 detection:
- selection:
+ selection:
 TargetObject|contains: Services\WCESERVICE\Start
 condition: selection
 falsepositives:
diff --git a/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml b/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml
index 7a6b78194..667c8448a 100755
--- a/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml
+++ b/rules/windows/registry_event/sysmon_stickykey_like_backdoor.yml
@@ -23,8 +23,8 @@ logsource:
 category: registry_event
 product: windows
 detection:
- selection_registry:
- TargetObject|endswith:
+ selection_registry:
+ TargetObject|endswith:
 - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger'
 - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger'
 - '\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\Debugger'
diff --git a/rules/windows/registry_event/sysmon_susp_atbroker_change.yml b/rules/windows/registry_event/sysmon_susp_atbroker_change.yml
index e060cdb8f..9f36c3763 100644
--- a/rules/windows/registry_event/sysmon_susp_atbroker_change.yml
+++ b/rules/windows/registry_event/sysmon_susp_atbroker_change.yml
@@ -15,11 +15,11 @@ logsource:
 category: registry_event
 product: windows
 detection:
- creation:
+ creation:
 TargetObject|contains: 'Software\Microsoft\Windows NT\CurrentVersion\Accessibility\ATs'
 persistance:
 TargetObject|contains: 'Software\Microsoft\Windows NT\CurrentVersion\Accessibility\Configuration'
 condition: creation or persistance
 falsepositives:
- - Creation of non-default, legitimate AT.
+ - Creation of non-default, legitimate AT.
 level: High
diff --git a/rules/windows/registry_event/sysmon_susp_download_run_key.yml b/rules/windows/registry_event/sysmon_susp_download_run_key.yml
index 9d55cf0a7..fcc8c3b45 100755
--- a/rules/windows/registry_event/sysmon_susp_download_run_key.yml
+++ b/rules/windows/registry_event/sysmon_susp_download_run_key.yml
@@ -1,4 +1,4 @@
-title: Suspicious RUN Key from Download
+title: Suspicious Run Key from Download
 id: 9c5037d1-c568-49b3-88c7-9846a5bdc2be
 status: experimental
 description: Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories
@@ -16,7 +16,7 @@ logsource:
 product: windows
 detection:
 selection:
- Image|contains:
+ Image|contains:
 - '\Downloads\'
 - '\Temporary Internet Files\Content.Outlook\'
 - '\Local Settings\Temporary Internet Files\'