diff --git a/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml b/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml
new file mode 100644
index 000000000..526e3f965
--- /dev/null
+++ b/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml
@@ -0,0 +1,23 @@
+title: Modification of ld.so.preload
+description: Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes.
+status: experimental
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community
+date: 2019/10/24
+modified: 2019/11/11
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.yaml
+ - https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html
+tags:
+ - attack.defense_evasion
+ - attack.t1055
+logsource:
+ product: linux
+ service: auditd
+detection:
+ selection:
+ type: 'PATH'
+ name: '/etc/ld.so.preload'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/network/net_possible_dns_rebinding.yml b/rules/network/net_possible_dns_rebinding.yml
new file mode 100644
index 000000000..cc8f2a234
--- /dev/null
+++ b/rules/network/net_possible_dns_rebinding.yml
@@ -0,0 +1,22 @@
+title: Possible DNS Rebinding
+status: experimental
+description: 'Detects DNS-answer with TTL <10.'
+date: 2019/10/25
+author: Ilyas Ochkov, oscd.community
+references:
+ - https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
+tags:
+ - attack.command_and_control
+ - attack.t1043
+logsource:
+ product: dns
+detection:
+ selection:
+ answer: '*'
+ filter1:
+ ttl: '>0'
+ filter2:
+ ttl: '<10'
+ timeframe: 30s
+ condition: selection and filter1 and filter2 | count(answer) by src_ip > 3
+level: medium
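Review bot: Matching any `type: 'PATH'` record for `/etc/ld.so.preload` also matches reads, and the dynamic loader opens this file at the start of every dynamically linked process once it exists, so on a host where it is present this fires once per exec rather than once per modification. The rule only sees data at all if auditd has a watch on the path, and that watch is what should carry the write/attribute restriction; record it as `definition: 'Requires an auditd watch such as -w /etc/ld.so.preload -p wa'` under `logsource` so that `-p wa` (not `-p rwa`) is what deployers configure. With that caveat `falsepositives: - Unknown` can become `- Legitimate administrative edits of /etc/ld.so.preload (rare)`. `orignally` in `author` is a typo for `originally`, repeated across the E.M. Anhaus rules in this change.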
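Review bot: `ttl: '>0'` and `ttl: '<10'` are quoted strings and this Sigma version has no numeric comparison in a plain value, so a typical backend will emit an equality test against the literal text `>0`, which never matches; the rule needs a backend-specific numeric operator or, at minimum, a `definition:` stating that the backend must translate these two values. Excluding TTL 0 in `filter1` also drops the most common rebinding setup, since the attacker sets the TTL as low as the resolver permits. Counting any short-TTL answer per `src_ip` over 30s will exceed 3 for any client on a CDN-fronted site; counting distinct answers per `src_ip` and query name is closer to the behaviour the Sysmon variant of this rule describes. Add a `falsepositives:` entry for short-TTL CDN and load-balancer records.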
diff --git a/rules/proxy/proxy_suspicious_reverse_connect_via_http_proxy.yml b/rules/proxy/proxy_suspicious_reverse_connect_via_http_proxy.yml
new file mode 100644
index 000000000..68a629cda
--- /dev/null
+++ b/rules/proxy/proxy_suspicious_reverse_connect_via_http_proxy.yml
@@ -0,0 +1,18 @@
+title: Suspicious reverse connect via HTTP proxy
+status: experimental
+description: Detects auth on proxy-server by machine account (aka SYSTEM)
+author: Ilyas Ochkov, oscd.community
+references:
+ - https://blog.redxorblue.com/2019/09/proxy-aware-payload-testing.html
+tags:
+ - attack.command_and_control
+ - attack.t1043
+logsource:
+ category: proxy
+detection:
+ selection:
+ username|re: '\S+\$$'
+ condition: selection
+falsepositives:
+ - Update OS or other softs which start by SYSTEM
+ - User account with $ in attribute "SamAccountName"
diff --git a/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml b/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml
new file mode 100644
index 000000000..4b1924c1a
--- /dev/null
+++ b/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml
@@ -0,0 +1,26 @@
+title: New (or renamed) user account with '$' in attribute 'SamAccountName'.
+status: experimental
+description: Detects possible bypass EDR and SIEM via abnormal user account name.
+tags:
+ - attack.defense_evasion
+ - attack.t1036
+author: Ilyas Ochkov, oscd.community
+date: 2019/10/25
+modified: 2019/11/13
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID:
+ - 4720 # create user
+ - 4781 # rename user
+ UserName|contains: '$' #SamAccountName
+ condition: selection
+fields:
+ - EventID
+ - UserName
+ - SubjectAccountName
+falsepositives:
+ - Unkown
+level: medium
diff --git a/rules/windows/builtin/win_possible_dc_sync.yml b/rules/windows/builtin/win_possible_dc_sync.yml
new file mode 100644
index 000000000..b73091fd4
--- /dev/null
+++ b/rules/windows/builtin/win_possible_dc_sync.yml
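Review bot: The rule carries no `level:` and no `date:`, which every other rule in this change has, so it is unprioritised in a SIEM and will likely fail the repository's schema check; add `date: 2019/10/25` (or the actual authoring date) and `level: medium`. Machine-account authentication to a proxy is routine for Windows Update, endpoint-protection and management agents, as the `falsepositives` list itself says, so the description should tell the analyst to baseline client hosts and destination categories before promoting this to an alert. The regex `\S+\$$` is correct, but since the trailing `$` is the whole signal, `username|endswith: '$'` expresses it without requiring `re` support in the backend.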
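Review bot: `UserName|contains: '$'` is unlikely to match on raw Security events: 4720 names the created account in `TargetUserName` and 4781 names the new name in `NewTargetUserName` (the old one in `OldTargetUserName`), and `UserName` is a field of neither, unless a backend field mapping translates it. Splitting the selection per event ID fixes this and lets `fields` list the real attributes; `SubjectAccountName` in `fields` should likewise be `SubjectUserName`. `Unkown` under `falsepositives` is a typo, and the entry could note that computer-account creation is a different event (4741), so a `$` suffix in 4720/4781 is genuinely rare.
```yaml
detection:
  selection_create:
    EventID: 4720  # create user
    TargetUserName|contains: '$'  # SamAccountName of the new account
  selection_rename:
    EventID: 4781  # rename user
    NewTargetUserName|contains: '$'
  condition: selection_create or selection_rename
fields:
  - EventID
  - TargetUserName
  - NewTargetUserName
  - SubjectUserName
```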
@@ -0,0 +1,24 @@
+title: Possible DC Sync
+description: Detects DC sync via create new SPN
+status: experimental
+author: Ilyas Ochkov, oscd.community
+date: 2019/10/25
+references:
+ - https://github.com/Neo23x0/sigma/blob/ec5bb710499caae6667c7f7311ca9e92c03b9039/rules/windows/builtin/win_dcsync.yml
+ - https://twitter.com/gentilkiwi/status/1003236624925413376
+ - https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2
+ - https://jsecurity101.com/2019/Syncing-into-the-Shadows/
+tags:
+ - attack.credential_access
+ - attack.t1003
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: 4742
+ ServicePrincipalNames: '*GC/*'
+ condition: selection
+falsepositives:
+ - Unkown
+level: high
diff --git a/rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml b/rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml
new file mode 100644
index 000000000..7be412525
--- /dev/null
+++ b/rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml
@@ -0,0 +1,23 @@
+title: Register new logon process by Rubeus
+description: Detects potential use of Rubeus via registered new trusted logon process
+status: experimental
+references:
+ - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
+tags:
+ - attack.lateral_movement
+ - attack.privilege_escalation
+ - attack.t1208
+author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
+date: 2019/10/24
+logsource:
+ product: windows
+ service: security
+ definition: Ubnormal logon process name 'User32LogonProcesss' - with three 's' at the end
+detection:
+ selection:
+ - EventID: 4611
+ LogonProcessName: 'User32LogonProcesss'
+ condition: selection
+falsepositives:
+ - Unkown
+level: high
diff --git a/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml b/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml
new file mode 100644
index 000000000..df534a554
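Review bot: A `GC/` SPN being added to a computer account (event 4742) is the fingerprint of a rogue domain controller registration, which the references' titles ("Syncing into the Shadows", gentilkiwi's gist) point at, not of a DCSync replication request, so the title `Possible DC Sync` and the lone `attack.t1003` tag will send an analyst down the wrong path; retitle to `Possible DCShadow` and tag `attack.t1207` (DCShadow), keeping T1003 at most as a secondary tag. 4742 is only emitted when "Audit Computer Account Management" is enabled on the DCs, worth a `definition:` line, and a genuine promotion of a new domain controller adds the same `GC/` SPN, so `falsepositives` should say `- Promotion of a new domain controller` instead of `Unkown`. `ServicePrincipalNames: '*GC/*'` also matches `GC/` anywhere inside a longer SPN list, which is fine, but `ServicePrincipalNames|contains: 'GC/'` states that intent without relying on wildcard-string semantics.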
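Review bot: The selection keys on the literal logon-process name `User32LogonProcesss`, which is a default string in the tool and trivial for an operator to change, so this catches unmodified copies only; say so in the description and consider a lower-level companion that alerts on any 4611 whose `LogonProcessName` is not in a known-good list, since registration of a new trusted logon process is rare on workstations regardless of name. `definition: Ubnormal ...` under `logsource` is a typo for `Abnormal`, and the list dash that turns `selection` into a one-element list is unnecessary; `selection:` with `EventID` and `LogonProcessName` directly beneath reads the same. `attack.t1208` is Kerberoasting, which a 4611 registration does not indicate; `attack.credential_access` fits what the referenced hunting post describes better.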
--- /dev/null
+++ b/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml
@@ -0,0 +1,28 @@
+title: Suspicious outbound Kerberos connection
+status: experimental
+description: Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
+references:
+ - https://github.com/GhostPack/Rubeus8
+author: Ilyas Ochkov, oscd.community
+date: 2019/10/24
+modified: 2019/11/13
+tags:
+ - attack.lateral_movement
+ - attack.t1208
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ EventID: 5156
+ DestinationPort: 88
+ filter:
+ Image|endswith:
+ - '\lsass.exe'
+ - '\opera.exe'
+ - '\chrome.exe'
+ - '\firefox.exe'
+ condition: selection and not filter
+falsepositives:
+ - Other browsers
+level: high
diff --git a/rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml b/rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml
new file mode 100644
index 000000000..90a55c0f1
--- /dev/null
+++ b/rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml
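Review bot: Event 5156 does not carry `Image`; the process is in `Application` (as an NT device path such as `\device\harddiskvolume2\windows\system32\lsass.exe`) and the port in `DestPort`, so on raw Security events the filter never excludes lsass and the selection's `DestinationPort` may never match unless the backend's field mapping renames both. 5156 also logs inbound permitted connections, so on a domain controller every KDC request would hit this; add `Direction: '%%14593'` (outbound) to the selection. Rewrite the filter as `Application|endswith:` with the same four names and state in a `definition:` that this needs "Audit Filtering Platform Connection" success auditing, which is off by default and very high volume. The reference URL `Rubeus8` looks like a typo for `Rubeus`.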
@@ -0,0 +1,23 @@
+title: User couldn't call a privileged service 'LsaRegisterLogonProcess'
+description: The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA.
+status: experimental
+references:
+ - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1
+tags:
+ - attack.lateral_movement
+ - attack.privilege_escalation
+ - attack.t1208
+author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community
+date: 2019/10/24
+logsource:
+ product: windows
+ service: security
+detection:
+ selection:
+ - EventID: 4673
+ Service: 'LsaRegisterLogonProcess()'
+ Keywords: '0x8010000000000000' #failure
+ condition: selection
+falsepositives:
+ - Unkown
+level: high
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_clear_powershell_history.yml b/rules/windows/powershell/powershell_clear_powershell_history.yml
new file mode 100644
index 000000000..6f5eeed2c
--- /dev/null
+++ b/rules/windows/powershell/powershell_clear_powershell_history.yml
@@ -0,0 +1,23 @@
+title: Clear PowerShell History
+status: experimental
+description: Detects keywords that could indicate clearing PowerShell history
+date: 2019/10/25
+author: Ilyas Ochkov, oscd.community
+references:
+ - https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a
+tags:
+ - attack.defense_evasion
+ - attack.t1146
+logsource:
+ product: windows
+ service: powershell
+detection:
+ keywords:
+ - 'del (Get-PSReadlineOption).HistorySavePath'
+ - 'Set-PSReadlineOption –HistorySaveStyle SaveNothing'
+ - 'Remove-Item (Get-PSReadlineOption).HistorySavePath'
+ - 'rm (Get-PSReadlineOption).HistorySavePath'
+ condition: keywords
+falsepositives:
+ - some PS-scripts
+level: medium
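Review bot: A 4673 failure for `LsaRegisterLogonProcess()` (the `Keywords: '0x8010000000000000'` branch) is only produced when the caller lacks SeTcbPrivilege, so an operator running the tool as SYSTEM gets a success audit instead and never trips this; say that in the description so the rule is not read as general Rubeus coverage. The event also needs "Audit Sensitive Privilege Use" failure auditing, a high-volume category, which belongs in a `logsource` `definition:`. `Unkown` under `falsepositives` is a typo, the list dash before `EventID` in `selection` is unnecessary, and the file is missing its trailing newline.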
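Review bot: The second keyword contains a Unicode en dash (`–HistorySaveStyle`) rather than the ASCII hyphen PowerShell accepts, so it will never match a real `Set-PSReadlineOption -HistorySaveStyle SaveNothing`. The other three entries differ only by the alias used for `Remove-Item`, so collapsing the list to the two invariant fragments both fixes the dash and covers `ri`, `erase` and any other alias: `- 'HistorySaveStyle SaveNothing'` and `- '(Get-PSReadlineOption).HistorySavePath'`. `falsepositives: - some PS-scripts` could name the real case, e.g. profile scripts that disable history on shared jump hosts.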
diff --git a/rules/windows/process_creation/win_bootconf_mod.yml b/rules/windows/process_creation/win_bootconf_mod.yml
new file mode 100644
index 000000000..aff9b51ef
--- /dev/null
+++ b/rules/windows/process_creation/win_bootconf_mod.yml
@@ -0,0 +1,30 @@
+title: Modification of Boot Configuration
+description: Identifies use of the bcdedit command to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.
+status: experimental
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
+date: 2019/10/24
+modified: 2019/11/11
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.yaml
+ - https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html
+tags:
+ - attack.impact
+ - attack.t1490
+detection:
+ selection1:
+ Image|endswith: '\bcdedit.exe'
+ CommandLine: 'set'
+ selection2:
+ - CommandLine|contains|all:
+ - 'bootstatuspolicy'
+ - 'ignoreallfailures'
+ - CommandLine|contains|all:
+ - 'recoveryenabled'
+ - 'no'
+ condition: selection1 and selection2
+falsepositives:
+ - Unlikely
+level: high
+logsource:
+ category: process_creation
+ product: windows
diff --git a/rules/windows/process_creation/win_hh_chm.yml b/rules/windows/process_creation/win_hh_chm.yml
new file mode 100644
index 000000000..a4f6756a3
--- /dev/null
+++ b/rules/windows/process_creation/win_hh_chm.yml
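Review bot: `CommandLine: 'set'` in `selection1` is an exact match against the whole command line, which always begins with the bcdedit path, so `selection1` can never be true and the rule is dead as written; it needs `CommandLine|contains: '/set'` (or `'set'` if `-set` must also be caught). In `selection2`, `- 'no'` under `contains|all` matches the substring "no" anywhere (paths, `/nointegritychecks`, hostnames), so pair `'recoveryenabled'` with `' no'` or use the single fragment `'recoveryenabled no'`. The description's "used as by malware" is a typo for "used by malware".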
@@ -0,0 +1,24 @@
+title: HH.exe execution
+description: Identifies usage of hh.exe executing recently modified .chm files.
+status: experimental
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Dan Beavin), oscd.community
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1223/T1223.yaml
+ - https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html
+date: 2019/10/24
+modified: 2019/11/11
+tags:
+ - attack.defense_evasion
+ - attack.execution
+ - attack.t1223
+detection:
+ selection:
+ Image|endswith: '\hh.exe'
+ CommandLine|contains: '.chm'
+ condition: selection
+falsepositives:
+ - unlike
+level: high
+logsource:
+ category: process_creation
+ product: windows
diff --git a/rules/windows/process_creation/win_indirect_cmd.yml b/rules/windows/process_creation/win_indirect_cmd.yml
new file mode 100644
index 000000000..41c13d4c5
--- /dev/null
+++ b/rules/windows/process_creation/win_indirect_cmd.yml
@@ -0,0 +1,25 @@
+title: Indirect Command Execution
+description: Detect indirect command execution via Program Compatibility Assistant pcalua.exe or forfiles.exe
+status: experimental
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.yaml
+ - https://eqllib.readthedocs.io/en/latest/analytics/884a7ccd-7305-4130-82d0-d4f90bc118b6.html
+date: 2019/10/24
+modified: 2019/11/11
+tags:
+ - attack.defense_evasion
+ - attack.t1202
+detection:
+ selection:
+ ParentImage|endswith:
+ - '\pcalua.exe'
+ - '\forfiles.exe'
+ condition: selection
+falsepositives:
+ - Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts
+ - Legit usage of scripts
+level: high
+logsource:
+ category: process_creation
+ product: windows
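Review bot: The description promises "recently modified .chm files", but a process-creation event carries no file timestamp, so the rule fires on every compiled-help file a user opens through hh.exe; either drop "recently modified" or add a `definition:` saying the modification-time check must come from a file-event source. With that reach, `level: high` and `falsepositives: - unlike` (a typo for `Unlikely`) are both wrong; use `- Legitimate help files opened by users` and `level: medium`.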
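Review bot: `ParentImage|endswith` on `\pcalua.exe` and `\forfiles.exe` flags every child, including the Program Compatibility Assistant re-launching a legitimately flagged installer and the `cmd.exe` that `forfiles /c` spawns in routine admin scripts; the `falsepositives` text itself says outlier processing is needed, which contradicts `level: high`. Set `level: medium` and move the tuning advice into `description`, where it is read before the rule is deployed rather than after it has fired.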
diff --git a/rules/windows/process_creation/win_interactive_at.yml b/rules/windows/process_creation/win_interactive_at.yml
new file mode 100644
index 000000000..b7c3340e7
--- /dev/null
+++ b/rules/windows/process_creation/win_interactive_at.yml
@@ -0,0 +1,23 @@
+title: Interactive AT Job
+description: Detect an interactive AT job, which may be used as a form of privilege escalation
+status: experimental
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.yaml
+ - https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html
+date: 2019/10/24
+modified: 2019/11/11
+tags:
+ - attack.privilege_escalation
+ - attack.t1053
+detection:
+ selection:
+ Image|endswith: '\at.exe'
+ CommandLine|contains: 'interactive'
+ condition: selection
+falsepositives:
+ - Unlikely (at.exe deprecated as of Windows 8)
+level: high
+logsource:
+ category: process_creation
+ product: windows
diff --git a/rules/windows/process_creation/win_lsass_dump.yml b/rules/windows/process_creation/win_lsass_dump.yml
new file mode 100644
index 000000000..0124c25f3
--- /dev/null
+++ b/rules/windows/process_creation/win_lsass_dump.yml
@@ -0,0 +1,31 @@
+title: LSASS Memory Dumping
+description: Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials.
+status: experimental
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community
+date: 2019/10/24
+modified: 2019/11/11
+references:
+ - https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html
+ - https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.yaml
+tags:
+ - attack.credential_access
+ - attack.t1003
+detection:
+ selection1:
+ CommandLine|contains|all:
+ - 'lsass'
+ - '.dmp'
+ selection2:
+ Image|endswith: '\werfault.exe'
+ selection3:
+ Image|contains: '\procdump'
+ Image|endswith: '.exe'
+ CommandLine|contains: 'lsass'
+ condition: selection1 and not selection2 or selection3
+falsepositives:
+ - Unlikely
+level: high
+logsource:
+ category: process_creation
+ product: windows
diff --git a/rules/windows/process_creation/win_mshta_javascript.yml b/rules/windows/process_creation/win_mshta_javascript.yml
new file mode 100644
index 000000000..86ab993e7
--- /dev/null
+++ b/rules/windows/process_creation/win_mshta_javascript.yml
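Review bot: `condition: selection1 and not selection2 or selection3` relies on operator precedence; it evaluates as `(selection1 and not selection2) or selection3`, which is presumably the intent, so write `condition: (selection1 and not selection2) or selection3` before someone "corrects" it into `selection1 and not (selection2 or selection3)` and silently drops the procdump branch. `selection3`'s `Image|contains: '\procdump'` is defeated by renaming the binary, while `selection1`'s `lsass` + `.dmp` fragment survives that, so the description should say which is the primary signal; it currently repeats the same sentence twice ("Detect creation of dump files..." and "Identifies usage of..."), and one of them can go.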
@@ -0,0 +1,25 @@
+title: Mshta Network Connections
+description: Identifies suspicious mshta.exe commands
+status: experimental
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
+date: 2019/10/24
+modified: 2019/11/11
+references:
+ - https://eqllib.readthedocs.io/en/latest/analytics/6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4.html
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1170/T1170.yaml
+tags:
+ - attack.execution
+ - attack.defense_evasion
+ - attack.t1170
+detection:
+ selection:
+ Image|endswith: '\mshta.exe'
+ CommandLine|contains: 'javascript'
+ condition: selection
+falsepositives:
+ - unknown
+level: high
+logsource:
+ category: process_creation
+ product: windows
+## todo — add sysmon eid 3 for this rule
diff --git a/rules/windows/process_creation/win_net_enum.yml b/rules/windows/process_creation/win_net_enum.yml
new file mode 100644
index 000000000..62d76d6db
--- /dev/null
+++ b/rules/windows/process_creation/win_net_enum.yml
@@ -0,0 +1,27 @@
+title: Windows Network Enumeration
+status: stable
+description: Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.
+references:
+ - https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.yaml
+author: Endgame, JHasenbusch (ported for oscd.community)
+date: 2018/10/30
+modified: 2019/11/11
+tags:
+ - attack.discovery
+ - attack.t1018
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - '\net.exe'
+ - '\net1.exe'
+ CommandLine|contains: 'view'
+ filter:
+ CommandLine|contains: '\\'
+ condition: selection and not filter
+falsepositives:
+ - Legitimate use of net.exe utility by legitimate user
+level: low
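Review bot: The title says "Mshta Network Connections" but nothing here looks at network activity — the selection is `mshta.exe` with `javascript` in the command line — and the trailing `## todo — add sysmon eid 3 for this rule` confirms the network half is unwritten; retitle to `Mshta JavaScript Execution` (matching the filename) and carry the TODO inside `description`, since a bare comment after `logsource` is easily lost on reformat. `CommandLine|contains: 'javascript'` also misses the `vbscript:` protocol handler that mshta accepts in the same position; `CommandLine|contains: - 'javascript' - 'vbscript'` covers both.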
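Review bot: `status: stable` on a rule being introduced in this same change is out of step with every other rule here, all `experimental`; stable is earned after the rule has run somewhere, so set `status: experimental`. The `filter` on `CommandLine|contains: '\\'` excludes more than the `net view \\host` case the EQL original carves out — any invocation by full path (`C:\Windows\System32\net.exe view`) also contains a backslash and is dropped — so narrow it to the UNC prefix after `view` (mind Sigma's backslash escaping) and add an inline `# excludes 'net view \\host'; bare 'net view' enumerates the domain` so the escaping is not "fixed" later.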
diff --git a/rules/windows/process_creation/win_net_user_add.yml b/rules/windows/process_creation/win_net_user_add.yml
new file mode 100644
index 000000000..7dbef3b56
--- /dev/null
+++ b/rules/windows/process_creation/win_net_user_add.yml
@@ -0,0 +1,29 @@
+title: Net.exe User Account Creation
+status: experimental
+description: Identifies creation of local users via the net.exe command
+references:
+ - https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.yaml
+author: Endgame, JHasenbusch (adapted to sigma for oscd.community)
+date: 2018/10/30
+modified: 2019/11/11
+tags:
+ - attack.persistance
+ - attack.credential_access
+ - attack.t1136
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - '\net.exe'
+ - '\net1.exe'
+ CommandLine|contains|all:
+ - 'user'
+ - 'add'
+ condition: selection
+falsepositives:
+ - Legit user creation
+ - Better use event ids for user creation rather than command line rules
+level: low
diff --git a/rules/windows/process_creation/win_powershell_audio_capture.yml b/rules/windows/process_creation/win_powershell_audio_capture.yml
new file mode 100644
index 000000000..dbfdf05db
--- /dev/null
+++ b/rules/windows/process_creation/win_powershell_audio_capture.yml
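Review bot: `attack.persistance` is misspelled; the tag must be `attack.persistence` or it maps to no ATT&CK tactic and will likely fail the repository's tag check. `CommandLine|contains|all` with `'user'` and `'add'` also matches `net localgroup users ... /add` and any command line that merely contains both substrings; `' user '` and `'/add'` pin the `net user <name> <pw> /add` form the description is about. The second `falsepositives` entry ("Better use event ids...") is deployment advice, not a false positive, and belongs in `description`.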
@@ -0,0 +1,22 @@
+title: Audio Capture via PowerShell
+description: Detects audio capture via PowerShell Cmdlet
+status: experimental
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
+date: 2019/10/24
+modified: 2019/11/11
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml
+ - https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html
+tags:
+ - attack.collection
+ - attack.t1123
+detection:
+ selection:
+ CommandLine|contains: 'WindowsAudioDevice-Powershell-Cmdlet'
+ condition: selection
+falsepositives:
+ - Legitimate audio capture by legitimate user
+level: medium
+logsource:
+ category: process_creation
+ product: windows
diff --git a/rules/windows/process_creation/win_powershell_bitsjob.yaml b/rules/windows/process_creation/win_powershell_bitsjob.yaml
new file mode 100644
index 000000000..1bbba2098
--- /dev/null
+++ b/rules/windows/process_creation/win_powershell_bitsjob.yaml
@@ -0,0 +1,24 @@
+title: Suspicious Bitsadmin Job via PowerShell
+status: experimental
+description: Detect download by BITS jobs via PowerShell
+references:
+ - https://eqllib.readthedocs.io/en/latest/analytics/ec5180c9-721a-460f-bddc-27539a284273.html
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md
+author: Endgame, JHasenbusch (ported to sigma for oscd.community)
+date: 2018/10/30
+modified: 2019/11/11
+tags:
+ - attack.defense_evasion
+ - attack.persistence
+ - attack.t1197
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\powershell.exe'
+ CommandLine|contains: 'Start-BitsTransfer'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
diff --git a/rules/windows/process_creation/win_remote_time_discovery.yml b/rules/windows/process_creation/win_remote_time_discovery.yml
new file mode 100644
index 000000000..55491edc2
--- /dev/null
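Review bot: `CommandLine|contains: 'WindowsAudioDevice-Powershell-Cmdlet'` matches only the module name used by the referenced atomic test, so this is a test-fixture signature rather than coverage of audio capture via PowerShell, and any other audio module or a renamed copy goes unseen; say so in `description`, e.g. `Detects the WindowsAudioDevice-Powershell-Cmdlet module used by Atomic Red Team T1123; does not cover other audio capture methods`, so nobody records it as technique coverage.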
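Review bot: The file is named `.yaml` while every other rule in this change and the directory uses `.yml`; any tooling that globs `*.yml` will silently skip it, so rename it to `win_powershell_bitsjob.yml`. `Image|endswith: '\powershell.exe'` also omits `\pwsh.exe`, and a `Start-BitsTransfer` inside an encoded command never appears in the process command line at all, which the description should state; add `- '\pwsh.exe'` to the Image list.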
+++ b/rules/windows/process_creation/win_remote_time_discovery.yml
@@ -0,0 +1,29 @@
+title: Discovery of a system time
+description: Identifies use of various commands to query a system’s time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.
+status: experimental
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
+date: 2019/10/24
+modified: 2019/11/11
+references:
+ - https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md
+tags:
+ - attack.discovery
+ - attack.t1124
+detection:
+ selection:
+ - Image|endswith:
+ - '\net.exe'
+ - '\net1.exe'
+ CommandLine|contains: 'time'
+ - Image|endswith: '\w32tm.exe'
+ CommandLine|contains: 'tz'
+ - Image|endswith: '\powershell.exe'
+ CommandLine|contains: 'Get-Date'
+ condition: selection
+falsepositives:
+ - Legitimate use of the system utilities to discover system time for legitimate reason
+level: high
+logsource:
+ category: process_creation
+ product: windows
diff --git a/rules/windows/process_creation/win_soundrec_audio_capture.yml b/rules/windows/process_creation/win_soundrec_audio_capture.yml
new file mode 100644
index 000000000..923d8ee36
--- /dev/null
+++ b/rules/windows/process_creation/win_soundrec_audio_capture.yml
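Review bot: `CommandLine|contains: 'Get-Date'` on `powershell.exe` and `'time'` on `net.exe` match routine automation (`Get-Date` appears in most scheduled PowerShell jobs, `net time` in logon scripts), which the `falsepositives` entry concedes; that is a hunting signal, not a `level: high` alert, so set `level: low`. The fragments are also loose: `'tz'` matches any w32tm argument containing those letters and `'time'` matches `net start "Windows Time"`; use `'/tz'` and `' time'`. `Discovery of a system time` reads oddly as a title; `System Time Discovery` matches the ATT&CK technique name.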
@@ -0,0 +1,23 @@
+title: Audio Capture via SoundRecorder
+description: Detect attacker collecting audio via SoundRecorder application
+status: experimental
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
+date: 2019/10/24
+modified: 2019/11/11
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml
+ - https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html
+tags:
+ - attack.collection
+ - attack.t1123
+detection:
+ selection:
+ Image|endswith: '\SoundRecorder.exe'
+ CommandLine|contains: '/FILE'
+ condition: selection
+falsepositives:
+ - Legitimate audio capture by legitimate user
+level: medium
+logsource:
+ category: process_creation
+ product: windows
diff --git a/rules/windows/process_creation/win_susp_net_execution.yml b/rules/windows/process_creation/win_susp_net_execution.yml
index 8f3ef0a65..31dd19509 100644
--- a/rules/windows/process_creation/win_susp_net_execution.yml
+++ b/rules/windows/process_creation/win_susp_net_execution.yml
@@ -3,11 +3,19 @@ status: experimental
 description: Detects execution of Net.exe, whether suspicious or benign.
 references:
 - https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
-author: Michael Haag, Mark Woan (improvements)
+ - https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html
+ - https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html
+ - https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html
+author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements)
 tags:
 - attack.s0039
+ - attack.t1027
+ - attack.t1049
+ - attack.t1077
+ - attack.t1135
 - attack.lateral_movement
 - attack.discovery
+ - attack.defense_evasion
 logsource:
 category: process_creation
 product: windows
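Review bot: The tags added here include `attack.t1027` (Obfuscated Files or Information) and `attack.defense_evasion` on a rule whose selection, visible in the later hunks, is only plain `net.exe`/`net1.exe` command lines; nothing in the detection is obfuscation, so an analyst pivoting on T1027 will get net-command noise. Keep `t1049`, `t1077` and `t1135`, and drop `t1027` and `defense_evasion` unless one of the three new EQL references maps `net1.exe` use to it, in which case a short `# net1.exe used to evade net.exe-only detections` comment next to the tag would justify it. The rule file continues in the following hunks.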
@@ -16,6 +24,7 @@ detection:
 Image:
 - '*\net.exe'
 - '*\net1.exe'
+ cmdline:
 CommandLine:
 - '* group*'
 - '* localgroup*'
@@ -25,7 +34,7 @@ detection:
 - '* accounts*'
 - '* use*'
 - '* stop *'
- condition: selection
+ condition: selection and cmdline
 fields:
 - CommandLine
 - ParentCommandLine
diff --git a/rules/windows/process_creation/win_trust_discovery.yml b/rules/windows/process_creation/win_trust_discovery.yml
new file mode 100644
index 000000000..3f667eaf0
--- /dev/null
+++ b/rules/windows/process_creation/win_trust_discovery.yml
@@ -0,0 +1,25 @@
+title: Domain Trust Discovery
+description: Identifies execution of nltest.exe and dsquery.exe for domain trust discovery. This technique is used by attackers to enumerate Active Directory trusts.
+status: experimental
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community
+date: 2019/10/24
+modified: 2019/11/11
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md
+ - https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html
+tags:
+ - attack.discovery
+ - attack.t1482
+detection:
+ selection:
+ - Image|endswith: '\nltest.exe'
+ CommandLine|contains: 'domain_trusts'
+ - Image|endswith: '\dsquery.exe'
+ CommandLine|contains: 'trustedDomain'
+ condition: selection
+falsepositives:
+ - Legitimate use of the utilities by legitimate user for legitimate reason
+level: high
+logsource:
+ category: process_creation
+ product: windows
diff --git a/rules/windows/process_creation/win_uac_cmstp.yml b/rules/windows/process_creation/win_uac_cmstp.yml
new file mode 100644
index 000000000..7acc1a1f0
--- /dev/null
+++ b/rules/windows/process_creation/win_uac_cmstp.yml
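Review bot: Inserting `cmdline:` between the `Image` list and `CommandLine` only preserves the previous AND semantics if `cmdline` sits at the same indentation as `selection` (directly under `detection`) and `CommandLine` is re-indented beneath it; the collapsed diff does not show the indentation, so please confirm it is a sibling and not a stray key inside `selection`, where the Sigma parser would treat `cmdline` as a field name with a null value. A `# AND-ed with selection via the condition` comment on the new line would make the intent obvious to the next reader. The selection this hunk edits starts outside the hunk.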
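Review bot: The new `condition: selection and cmdline` is only as tight as the wildcard list it now names, and that list is loose: `'* use*'` matches `net user` as well as `net use` (and anything containing " use"), while `'* stop *'` requires a trailing space and so misses a `net stop` at the end of the line. Since the condition is being touched anyway, consider `' use '`, `' user '` and `' stop'` as `CommandLine|contains` entries, which say what each pattern is for without the `*` anchoring; otherwise add a `# one pattern per net subcommand; leading space avoids matching inside paths` comment so the spacing is not "cleaned up" later. The list itself begins in the previous hunk.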
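Review bot: `CommandLine|contains: 'domain_trusts'` on nltest misses `nltest /trusted_domains`, the other switch that lists trusts; make the nltest entry a list, `CommandLine|contains: - '/domain_trusts' - '/trusted_domains'`. Trust enumeration is also run routinely by AD administrators and monitoring tools, which the `falsepositives` entry itself concedes, so `level: high` should be `medium`. The `dsquery` branch only catches the `trustedDomain` object-class form, which is worth stating in the description.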
@@ -0,0 +1,27 @@
+title: Bypass UAC via CMSTP
+description: Detect child processes of automatically elevated instances of Microsoft Connection Manager Profile Installer (cmstp.exe).
+status: experimental
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
+modified: 2019/11/11
+date: 2019/10/24
+references:
+ - https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1191/T1191.md
+tags:
+ - attack.defense_evasion
+ - attack.execution
+ - attack.t1191
+ - attack.t1088
+detection:
+ selection:
+ Image|endswith: '\cmstp.exe'
+ CommandLine|contains:
+ - '/s'
+ - '/au'
+ condition: selection
+falsepositives:
+ - Legitimate use of cmstp.exe utility by legitimate user
+level: high
+logsource:
+ category: process_creation
+ product: windows
diff --git a/rules/windows/process_creation/win_uac_fodhelper.yml b/rules/windows/process_creation/win_uac_fodhelper.yml
new file mode 100644
index 000000000..9947b1f97
--- /dev/null
+++ b/rules/windows/process_creation/win_uac_fodhelper.yml
@@ -0,0 +1,22 @@
+title: Bypass UAC via Fodhelper.exe
+description: Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
+status: experimental
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community
+date: 2019/10/24
+modified: 2019/11/11
+references:
+ - https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1088/T1088.md
+tags:
+ - attack.privilege_escalation
+ - attack.t1088
+detection:
+ selection:
+ ParentImage|endswith: '\fodhelper.exe'
+ condition: selection
+falsepositives:
+ - Legitimate use of fodhelper.exe utility by legitimate user
+level: high
+logsource:
+ category: process_creation
+ product: windows
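Review bot: The description says the rule detects "child processes of automatically elevated instances of cmstp.exe", but the selection matches cmstp.exe itself (`Image|endswith: '\cmstp.exe'` plus `/s` or `/au` on its command line), and `/s` is the ordinary silent-install switch for legitimate connection profiles; either switch to `ParentImage|endswith: '\cmstp.exe'` so the spawned process — what the bypass actually produces — is caught, or rewrite the description to say it flags cmstp invocations with `/s` or `/au`. `CommandLine|contains: '/s'` will also hit `/silent`, `/sync` and any path segment starting with `/s`; `' /s '` and `' /au '` with surrounding spaces are safer. `modified:` precedes `date:` here, unlike the other rules in the change.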
diff --git a/rules/windows/process_creation/win_uac_wsreset.yml b/rules/windows/process_creation/win_uac_wsreset.yml
new file mode 100644
index 000000000..928264392
--- /dev/null
+++ b/rules/windows/process_creation/win_uac_wsreset.yml
@@ -0,0 +1,23 @@
+title: Bypass UAC via WSReset.exe
+description: Identifies use of WSReset.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
+status: experimental
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community
+date: 2019/10/24
+modified: 2019/11/11
+references:
+ - https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html
+tags:
+ - attack.privilege_escalation
+ - attack.t1088
+detection:
+ selection:
+ ParentImage|endswith: '\wsreset.exe'
+ filter:
+ Image|endswith: '\conhost.exe'
+ condition: selection and not filter
+falsepositives:
+ - Unknown
+level: high
+logsource:
+ category: process_creation
+ product: windows
diff --git a/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml b/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml
new file mode 100644
index 000000000..57be53774
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml
@@ -0,0 +1,31 @@
+title: Disable security events logging adding reg key MiniNt
+status: experimental
+description: Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stopped write events.
+references:
+ - https://twitter.com/0gtweet/status/1182516740955226112
+tags:
+ - attack.defense_evasion
+ - attack.t1089
+author: Ilyas Ochkov, oscd.community
+date: 2019/10/25
+modified: 2019/11/13
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ - EventID: 12 # key create
+ TargetObject|contains: '\SYSTEM\'
+ TargetObject|endswith: '\Control\MiniNt'
+ - EventID: 14 # key rename
+ NewName|contains: '\SYSTEM\'
+ NewName|endswith: '\Control\MiniNt'
+ condition: selection
+fields:
+ - EventID
+ - Image
+ - TargetObject
+ - NewName
+falsepositives:
+ - Unkown
+level: high
diff --git a/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml b/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml
new file mode 100644
index 000000000..6ef46657c
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml
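Review bot: Sysmon emits events 12/13/14 only for registry paths its configuration includes, so this rule is silent unless the deployed config has a `RegistryEvent` include covering `\Control\MiniNt`; state that under `logsource` as `definition: 'Requires a Sysmon RegistryEvent rule that includes the MiniNt key'`, since an empty result here would otherwise be read as "nothing happened". The `EventID: 12` branch on `TargetObject` plus the `EventID: 14` branch on `NewName` is the right pair for create and rename-into-place. `Unkown` under `falsepositives` is a typo that recurs across the Sysmon rules in this change, and "will stopped write events" in the description should read "will stop writing events".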
@@ -0,0 +1,34 @@
+title: New DLL added to AppCertDlls registry key
+status: experimental
+description: Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.
+references:
+ - http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/
+ - https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html
+tags:
+ - attack.persistence
+ - attack.t1182
+author: Ilyas Ochkov, oscd.community
+date: 2019/10/25
+modified: 2019/11/13
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ - EventID:
+ - 12 # key create
+ - 13 # value set
+ TargetObject|contains: '\SYSTEM\'
+ TargetObject|endswith: '\Control\Session Manager\AppCertDlls'
+ - EventID: 14 # key rename
+ NewName|contains: '\SYSTEM\'
+ NewName|endswith: '\Control\Session Manager\AppCertDlls'
+ condition: selection
+fields:
+ - EventID
+ - Image
+ - TargetObject
+ - NewName
+falsepositives:
+ - Unkown
+level: medium
diff --git a/rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml b/rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml
new file mode 100644
index 000000000..c660735b6
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml
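Review bot: For `EventID: 13` (value set) Sysmon's `TargetObject` is the full path of the value, `...\Session Manager\AppCertDlls\<valuename>`, so `TargetObject|endswith: '\Control\Session Manager\AppCertDlls'` can only match the key-creation event 12, and the "new DLL added" case the title promises — a value written under the key — is missed; use `TargetObject|contains: '\Control\Session Manager\AppCertDlls'` (the `contains: '\SYSTEM\'` check already bounds the scope) or give 12 and 13 separate selections. As with the other Sysmon rules here, add a `definition:` noting that the Sysmon config must include this key in its RegistryEvent rules. `Unkown` is a typo.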
@@ -0,0 +1,33 @@
+title: New DLL added to AppInit_DLLs registry key
+status: experimental
+description: DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll
+references:
+ - https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html
+tags:
+ - attack.persistence
+ - attack.t1103
+author: Ilyas Ochkov, oscd.community
+date: 2019/10/25
+modified: 2019/11/13
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ - EventID:
+ - 12 # key create
+ - 13 # value set
+ TargetObject|contains: '\SOFTWARE\'
+ TargetObject|endswith: '\Windows\AppInit_Dlls'
+ - EventID: 14 # key rename
+ NewName|contains: '\SOFTWARE\'
+ NewName|endswith: '\Windows\AppInit_Dlls'
+ condition: selection
+fields:
+ - EventID
+ - Image
+ - TargetObject
+ - NewName
+falsepositives:
+ - Unkown
+level: medium
diff --git a/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml b/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml
new file mode 100644
index 000000000..a53182be2
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml
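Review bot: `AppInit_DLLs` is a value, not a key, so the `EventID: 12` (key create) and `EventID: 14` (key rename) branches on `\Windows\AppInit_Dlls` will not occur in practice; the signal is `EventID: 13` with `TargetObject|endswith: '\Windows\AppInit_Dlls'`, which the first selection already covers, so the extra branches only mislead the reader. On Windows 8 and later the loader ignores AppInit_DLLs unless `LoadAppInit_DLLs` in the same key is set to 1 (and Secure Boot disables the mechanism entirely), so an attacker flipping that value is at least as interesting; add `- '\Windows\LoadAppInit_DLLs'` to the `endswith` list. The `contains: '\SOFTWARE\'` plus `endswith` pair already catches the `Wow6432Node` copy of the key, which the description could say.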
@@ -0,0 +1,43 @@
+title: Possible DNS Rebinding
+status: experimental
+description: Detects several different DNS-answers by one domain with IPs from internal and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will saved in host cache for a while TTL).
+date: 2019/10/25
+modified: 2019/11/13
+author: Ilyas Ochkov, oscd.community
+references:
+ - https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325
+tags:
+ - attack.command_and_control
+ - attack.t1043
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ dns_answer:
+ EventID: 22
+ QueryName: '*'
+ QueryStatus: '0'
+ filter_int_ip:
+ QueryResults|startswith:
+ - '(::ffff:)?10.'
+ - '(::ffff:)?192.168.'
+ - '(::ffff:)?172.16.'
+ - '(::ffff:)?172.17.'
+ - '(::ffff:)?172.18.'
+ - '(::ffff:)?172.19.'
+ - '(::ffff:)?172.20.'
+ - '(::ffff:)?172.21.'
+ - '(::ffff:)?172.22.'
+ - '(::ffff:)?172.23.'
+ - '(::ffff:)?172.24.'
+ - '(::ffff:)?172.25.'
+ - '(::ffff:)?172.26.'
+ - '(::ffff:)?172.27.'
+ - '(::ffff:)?172.28.'
+ - '(::ffff:)?172.29.'
+ - '(::ffff:)?172.30.'
+ - '(::ffff:)?172.31.'
+ - '(::ffff:)?127.'
+ timeframe: 30s
+ condition: (dns_answer and filter_int_ip) and (dns_answer and not filter_int_ip) | count(QueryName) by ComputerName > 3
+level: medium
diff --git a/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml b/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml
new file mode 100644
index 000000000..8daac1661
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml
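Review bot: The condition `(dns_answer and filter_int_ip) and (dns_answer and not filter_int_ip)` is evaluated per event and asks the same event to both match and not match `filter_int_ip`, so it is always false and the `count(...) by ComputerName` aggregation never sees a row; "this name resolved to both a private and a public address within 30s" is a cross-event correlation that Sigma cannot express in one rule and needs a backend correlation search or two rules joined on `QueryName`. Independently, `QueryResults|startswith` is a literal prefix match, not a regex, so `'(::ffff:)?10.'` matches nothing, and Sysmon's `QueryResults` is a `;`-separated list that may begin with a CNAME rather than an address; the list needs `QueryResults|re:` with escaped dots (`'(^|;)(::ffff:)?10\.'`), and the sixteen `172.16.`–`172.31.` entries collapse to `'(^|;)(::ffff:)?172\.(1[6-9]|2[0-9]|3[01])\.'`. The rule also has no `falsepositives:` entry; split-horizon DNS and VPN clients legitimately return private addresses for public names.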
@@ -0,0 +1,29 @@
+title: Suspicious outbound Kerberos connection
+status: experimental
+description: Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation.
+references:
+ - https://github.com/GhostPack/Rubeus8
+author: Ilyas Ochkov, oscd.community
+date: 2019/10/24
+modified: 2019/11/13
+tags:
+ - attack.lateral_movement
+ - attack.t1208
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ EventID: 3
+ DestinationPort: 88
+ Initiated: 'true'
+ filter:
+ Image|endswith:
+ - '\lsass.exe'
+ - '\opera.exe'
+ - '\chrome.exe'
+ - '\firefox.exe'
+ condition: selection and not filter
+falsepositives:
+ - Other browsers
+level: high
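Review bot: With only lsass and three browsers excluded, this alerts at `level: high` on every process that speaks Kerberos itself — Java and .NET services, database clients, `klist`/`kinit`, Python tooling with a GSSAPI library — and `falsepositives: - Other browsers` understates that; list `- Applications with native Kerberos support (Java, database clients, command-line Kerberos tools)` and drop to `level: medium`, or turn the filter into a per-host-class allowlist. `Initiated: 'true'` as a quoted string matches how Sysmon writes the field, so keep the quotes, and `DestinationPort: 88` as an integer is fine. The reference URL `Rubeus8` looks like a typo for `Rubeus`.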