From a7a753862cc0af9614fd9c483ecf5a8f37daba08 Mon Sep 17 00:00:00 2001 From: 4A616D6573 Date: Fri, 25 Oct 2019 12:06:32 +1100 Subject: [PATCH 01/44] Update win_susp_net_execution.yml Added: 1. Additional tags for techniques as defined by Atomic Blue. 2. Detection for OriginalFileName as net.exe can easily be renamed. Part of oscd.community effort.
---
.../process_creation/win_susp_net_execution.yml | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/win_susp_net_execution.yml b/rules/windows/process_creation/win_susp_net_execution.yml
index 8f3ef0a65..cb43538f2 100644
--- a/rules/windows/process_creation/win_susp_net_execution.yml
+++ b/rules/windows/process_creation/win_susp_net_execution.yml
@@ -3,11 +3,17 @@ status: experimental
 description: Detects execution of Net.exe, whether suspicious or benign.
 references:
 - https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
-author: Michael Haag, Mark Woan (improvements)
+ - https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html
+ - https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html
+author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements)
 tags:
 - attack.s0039
+ - attack.t1027
+ - attack.t1049
+ - attack.t1135
 - attack.lateral_movement
 - attack.discovery
+ - attack.defense.evasion
 logsource:
 category: process_creation
 product: windows
@@ -16,6 +22,11 @@ detection:
 Image:
 - '*\net.exe'
 - '*\net1.exe'
+ filename:
+ OriginalFileName:
+ - 'net.exe'
+ - 'net1.exe'
+ cmdline:
 CommandLine:
 - '* group*'
 - '* localgroup*'
@@ -25,7 +36,7 @@ detection:
 - '* accounts*'
 - '* use*'
 - '* stop *'
- condition: selection
+ condition: selection or filename and cmdline
 fields:
 - CommandLine
 - ParentCommandLine
From 5678357f4ee9b88c59f4b6c6c576a5cb9e1853cf Mon Sep 17 00:00:00 2001
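Review bot: The new `condition: selection or filename and cmdline` in the last hunk is evaluated as `selection or (filename and cmdline)`, because Sigma binds `and` tighter than `or`; since the second hunk moves the `CommandLine:` list under the new `cmdline:` selection, any `net.exe`/`net1.exe` image match now fires on its own with no command-line filter at all, which is a large behaviour change from the previous `condition: selection`. The intended logic is `condition: (selection or filename) and cmdline`. Indentation is not recoverable from the collapsed text, so also verify that `filename:` and `cmdline:` sit at the same level as `selection:` and that the existing `CommandLine:` block nests under `cmdline:`, otherwise the selections do not split as the condition assumes.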
From: 4A616D6573 Date: Fri, 25 Oct 2019 12:20:47 +1100 Subject: [PATCH 02/44] Update win_susp_net_execution.yml Added tag for: References: https://attack.mitre.org/techniques/T1077/ https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html
---
rules/windows/process_creation/win_susp_net_execution.yml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/rules/windows/process_creation/win_susp_net_execution.yml b/rules/windows/process_creation/win_susp_net_execution.yml
index cb43538f2..ad5fcd6bc 100644
--- a/rules/windows/process_creation/win_susp_net_execution.yml
+++ b/rules/windows/process_creation/win_susp_net_execution.yml
@@ -5,11 +5,13 @@ references:
 - https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
 - https://eqllib.readthedocs.io/en/latest/analytics/4d2e7fc1-af0b-4915-89aa-03d25ba7805e.html
 - https://eqllib.readthedocs.io/en/latest/analytics/e61f557c-a9d0-4c25-ab5b-bbc46bb24deb.html
+ - https://eqllib.readthedocs.io/en/latest/analytics/9b3dd402-891c-4c4d-a662-28947168ce61.html
 author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements)
 tags:
 - attack.s0039
 - attack.t1027
 - attack.t1049
+ - attack.t1077
 - attack.t1135
 - attack.lateral_movement
 - attack.discovery
From ca819d87070f291a9072fa409ec3be6e2fda72a5 Mon Sep 17 00:00:00 2001 From: 4A616D6573 Date: Sun, 27 Oct 2019 14:06:52 +1100 Subject: [PATCH 03/44] Update win_susp_net_execution.yml Updated tags to pass Travis CI checks.
---
rules/windows/process_creation/win_susp_net_execution.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_susp_net_execution.yml b/rules/windows/process_creation/win_susp_net_execution.yml
index ad5fcd6bc..dfa3e7307 100644
--- a/rules/windows/process_creation/win_susp_net_execution.yml
+++ b/rules/windows/process_creation/win_susp_net_execution.yml
@@ -15,7 +15,7 @@ tags:
 - attack.t1135
 - attack.lateral_movement
 - attack.discovery
- - attack.defense.evasion
+ - attack.defense_evasion
 logsource:
 category: process_creation
 product: windows
From becfca6b41aa8900b444395120b9fd8a40ab952e Mon Sep 17 00:00:00 2001
From: RRRabbit Date: Mon, 28 Oct 2019 11:59:49 +0100 Subject: [PATCH 04/44] Added Atomic Blue Detections Repo --- .../auditd/lnx_auditd_ld_so_preload_mod.yml | 21 ++++++++++++ .../process_creation/win_bootconf_mod.yml | 26 +++++++++++++++ .../windows/process_creation/win_cmd_rar.yml | 21 ++++++++++++ .../process_creation/win_eventlog_cleared.yml | 21 ++++++++++++ .../win_fsutil_usn_delete.yml | 24 ++++++++++++++ rules/windows/process_creation/win_hh_chm.yml | 22 +++++++++++++ .../process_creation/win_indirect_cmd.yml | 20 ++++++++++++ .../process_creation/win_interactive_at.yml | 21 ++++++++++++ .../process_creation/win_lsass_dump.yml | 28 ++++++++++++++++ .../process_creation/win_mshta_javascript.yml | 22 +++++++++++++ .../windows/process_creation/win_net_enum.yml | 23 +++++++++++++ .../process_creation/win_net_user_add.yml | 21 ++++++++++++ .../win_powershell_audio_capture.yml | 19 +++++++++++ .../win_powershell_bitsjob.yaml | 21 ++++++++++++ .../process_creation/win_reg_sam_dumping.yml | 32 +++++++++++++++++++ .../win_remote_time_discovery.yml | 24 ++++++++++++++ .../win_soundrec_audio_capture.yml | 21 ++++++++++++ .../process_creation/win_trust_discovery.yml | 21 ++++++++++++ .../process_creation/win_uac_cmstp.yml | 24 ++++++++++++++ .../process_creation/win_uac_fodhelper.yml | 19 +++++++++++ .../process_creation/win_uac_wsreset.yml | 22 +++++++++++++ 21 files changed, 473 insertions(+) create mode 100644 rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml create mode 100644 rules/windows/process_creation/win_bootconf_mod.yml create mode 100644 rules/windows/process_creation/win_cmd_rar.yml create mode 100644 rules/windows/process_creation/win_eventlog_cleared.yml create mode 100644 rules/windows/process_creation/win_fsutil_usn_delete.yml create mode 100644 rules/windows/process_creation/win_hh_chm.yml create mode 100644 rules/windows/process_creation/win_indirect_cmd.yml create mode 100644 rules/windows/process_creation/win_interactive_at.yml create mode 
100644 rules/windows/process_creation/win_lsass_dump.yml create mode 100644 rules/windows/process_creation/win_mshta_javascript.yml create mode 100644 rules/windows/process_creation/win_net_enum.yml create mode 100644 rules/windows/process_creation/win_net_user_add.yml create mode 100644 rules/windows/process_creation/win_powershell_audio_capture.yml create mode 100644 rules/windows/process_creation/win_powershell_bitsjob.yaml create mode 100644 rules/windows/process_creation/win_reg_sam_dumping.yml create mode 100644 rules/windows/process_creation/win_remote_time_discovery.yml create mode 100644 rules/windows/process_creation/win_soundrec_audio_capture.yml create mode 100644 rules/windows/process_creation/win_trust_discovery.yml create mode 100644 rules/windows/process_creation/win_uac_cmstp.yml create mode 100644 rules/windows/process_creation/win_uac_fodhelper.yml create mode 100644 rules/windows/process_creation/win_uac_wsreset.yml diff --git a/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml b/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml new file mode 100644 index 000000000..97643378a --- /dev/null +++ b/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml @@ -0,0 +1,21 @@ +title: Modification of ld.so.preload +description: Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes. +status: experimental +author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert) +date: 2019/10/24 +tags: + - attack.defense_evasion + - attack.t1055 +logsource: + product: linux + service: auditd +detection: + selection: + type: 'PATH' + name: + - '/etc/ld.so.preload' + condition: selection + condition: selection +falsepositives: + - unknown +level: medium diff --git a/rules/windows/process_creation/win_bootconf_mod.yml b/rules/windows/process_creation/win_bootconf_mod.yml new file mode 100644 index 000000000..c6834ebe3 --- /dev/null 
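Review bot: The `detection` mapping of lnx_auditd_ld_so_preload_mod.yml declares `condition: selection` twice; duplicate keys are invalid YAML and most loaders silently keep the last occurrence, so one of the two lines should be removed. The `author` value misspells "originally" (`orignally`), and the same spelling is carried into every Atomic Blue port in this series, so it is worth fixing once at the source before the files are copied further.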
+++ b/rules/windows/process_creation/win_bootconf_mod.yml @@ -0,0 +1,26 @@ +title: Modification of Boot Configuration +description: Identifies use of the bcdedit command to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique. +status: experimental +author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame) +date: 2019/10/24 +tags: + - attack.impact + - attack.t1490 +detection: + selection1: + Image: + - '*bcdedit.exe' + selection2: + CommandLine: + - '* set*' + selection3: + CommandLine: + - '* bootstatuspolicy *ignoreallfailures*' + - '* recoveryenabled* no*' + condition: selection1 and selection2 and selection3 +falsepositives: + - unlike +level: high +logsource: + category: process_creation + product: windows diff --git a/rules/windows/process_creation/win_cmd_rar.yml b/rules/windows/process_creation/win_cmd_rar.yml new file mode 100644 index 000000000..098378a27 --- /dev/null +++ b/rules/windows/process_creation/win_cmd_rar.yml @@ -0,0 +1,21 @@ +title: Command-Line Creation of a RAR file +description: Detect compression of data into a RAR file using the rar.exe utility. +status: experimental +author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame) +date: 2019/10/24 +tags: + - attack.exfiltration + - attack.t1002 +detection: + selection: + Image: + - '*rar.exe' + CommandLine: + - '* a *' + condition: selection +falsepositives: + - legit creation of a rar file using cmd +level: high +logsource: + category: process_creation + product: windows diff --git a/rules/windows/process_creation/win_eventlog_cleared.yml b/rules/windows/process_creation/win_eventlog_cleared.yml new file mode 100644 index 000000000..3806ec5fd --- /dev/null +++ b/rules/windows/process_creation/win_eventlog_cleared.yml 
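Review bot: `falsepositives: - unlike` in win_bootconf_mod.yml reads as a truncated `unlikely` (win_uac_cmstp.yml in this same series spells it out); the same value is used in win_hh_chm.yml, win_interactive_at.yml, win_lsass_dump.yml and win_trust_discovery.yml. The rule also has no `references` entry, unlike the other ports in this series, so the Atomic Blue analytic it was derived from cannot be traced back; adding the source URL the other files use would keep the set consistent.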
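Review bot: In win_cmd_rar.yml, `Image: - '*rar.exe'` has no path separator, so it matches any image name that merely ends in `rar.exe` (for example `winrar.exe` or `unrar.exe`), and `'* a *'` matches any command line containing a bare ` a ` argument; combined with `level: high` this is likely to be noisy. Anchoring the image with `'*\rar.exe'` (as the net.exe rules in this series do) narrows it to the intended binary, and the description should say that `a` is the rar archive-add command so a reader understands why that token is matched.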
@@ -0,0 +1,21 @@ +title: Clearing Windows Event Logs with wevtutil +description: Identifies attempts to clear Windows event logs with the command wevtutil. +status: experimental +author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame) +date: 2019/10/24 +tags: + - attack.defense_evasion + - attack.t1070 +detection: + selection: + Image: + - '*wevtutil.exe' + CommandLine: + - '* cl *' + condition: selection +falsepositives: + - unknown +level: high +logsource: + category: process_creation + product: windows diff --git a/rules/windows/process_creation/win_fsutil_usn_delete.yml b/rules/windows/process_creation/win_fsutil_usn_delete.yml new file mode 100644 index 000000000..bd955931b --- /dev/null +++ b/rules/windows/process_creation/win_fsutil_usn_delete.yml @@ -0,0 +1,24 @@ +title: Delete Volume USN Journal with fsutil +description: Identifies use of the fsutil command to delete the volume USNJRNL. This technique is used by attackers to eliminate evidence of files created during post-exploitation activities. +status: experimental +author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame) +date: 2019/10/24 +tags: + - attack.defense_evasion + - attack.t1070 +detection: + selection1: + Image: + - '*fsutil.exe' + CommandLine: + - '*usn*' + selection2: + CommandLine: + - '* deletejournal*' + condition: selection1 and selection2 +falsepositives: + - unknown +level: high +logsource: + category: process_creation + product: windows diff --git a/rules/windows/process_creation/win_hh_chm.yml b/rules/windows/process_creation/win_hh_chm.yml new file mode 100644 index 000000000..50e3988d3 --- /dev/null +++ b/rules/windows/process_creation/win_hh_chm.yml 
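Review bot: `CommandLine: - '* cl *'` in win_eventlog_cleared.yml covers only the short alias; wevtutil also accepts the long form `clear-log`, so a log clear written as `wevtutil clear-log Security` is not detected. Add `- '* clear-log *'` to the list so both spellings of the same operation are covered.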
@@ -0,0 +1,22 @@ +title: HH.exe execution +description: Identifies usage of hh.exe executing recently modified .chm files. +status: experimental +author: E.M. Anhaus (orignally from Atomic Blue Detections, Dan Beavin) +date: 2019/10/24 +tags: + - attack.defense_evasion + - attack.execution + - attack.t1223 +detection: + selection: + Image: + - '*hh.exe' + CommandLine: + - '* .chm*' + condition: selection +falsepositives: + - unlike +level: high +logsource: + category: process_creation + product: windows diff --git a/rules/windows/process_creation/win_indirect_cmd.yml b/rules/windows/process_creation/win_indirect_cmd.yml new file mode 100644 index 000000000..316a276ea --- /dev/null +++ b/rules/windows/process_creation/win_indirect_cmd.yml @@ -0,0 +1,20 @@ +title: Indirect Command Execution +description: Detect indirect command execution via Program Compatibility Assistant pcalua.exe or forfiles.exe. +status: experimental +author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame) +date: 2019/10/24 +tags: + - attack.defense_evasion + - attack.t1202 +detection: + selection: + ParentImage: + - '*pcalua.exe' + - '*forfiles.exe' + condition: selection | count(CommandLine) > 10 +falsepositives: + - legit usage of scripts +level: high +logsource: + category: process_creation + product: windows diff --git a/rules/windows/process_creation/win_interactive_at.yml b/rules/windows/process_creation/win_interactive_at.yml new file mode 100644 index 000000000..3333f2ef0 --- /dev/null +++ b/rules/windows/process_creation/win_interactive_at.yml 
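Review bot: The description of win_hh_chm.yml claims it identifies hh.exe "executing recently modified .chm files", but the detection only matches an `hh.exe` image with `.chm` on the command line and has no notion of file modification time, so the description promises more than the rule delivers. Either reword it to `Identifies usage of hh.exe executing .chm files.` or add the missing correlation.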
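Review bot: `condition: selection | count(CommandLine) > 10` in win_indirect_cmd.yml turns the rule into an aggregation, so a single child process spawned by `pcalua.exe` or `forfiles.exe` — the behaviour the title and description describe — never fires, and with no `timeframe` the window the count applies to is left to the backend. If the intent is to catch any indirect execution, `condition: selection` is enough; if the threshold is deliberate, add a `timeframe` and explain the rationale in the description.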
@@ -0,0 +1,21 @@ +title: Interactive AT Job +description: Detect an interactive AT job, which may be used as a form of privilege escalation. +status: experimental +author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame) +date: 2019/10/24 +tags: + - attack.privilege_escalation + - attack.t1053 +detection: + selection: + Image: + - '*at.exe' + CommandLine: + - '* interactive*' + condition: selection +falsepositives: + - unlike (at.exe deprecated as of Windows 8) +level: high +logsource: + category: process_creation + product: windows diff --git a/rules/windows/process_creation/win_lsass_dump.yml b/rules/windows/process_creation/win_lsass_dump.yml new file mode 100644 index 000000000..c0f7f9e74 --- /dev/null +++ b/rules/windows/process_creation/win_lsass_dump.yml @@ -0,0 +1,28 @@ +title: LSASS Memory Dumping +description: Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials. +status: experimental +author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert) +date: 2019/10/24 +tags: + - attack.credential_access + - attack.t1003 +detection: + selection1: + CommandLine: + - '* lsass*.dmp*' + selection2: + Image: + - '*werfault.exe' + selection3: + Image: + - '*procdump*.exe' + selection4: + CommandLine: + - '* lsass*' + condition: selection1 and not selection2 or selection3 and selection4 +falsepositives: + - unlike +level: high +logsource: + category: process_creation + product: windows diff --git a/rules/windows/process_creation/win_mshta_javascript.yml b/rules/windows/process_creation/win_mshta_javascript.yml new file mode 100644 index 000000000..678efff6c --- /dev/null +++ b/rules/windows/process_creation/win_mshta_javascript.yml 
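Review bot: `condition: selection1 and not selection2 or selection3 and selection4` in win_lsass_dump.yml relies on operator precedence; Sigma evaluates it as `(selection1 and not selection2) or (selection3 and selection4)`, which is presumably the intent, but the grouping should be written explicitly as `condition: (selection1 and not selection2) or (selection3 and selection4)` so a reader does not have to reason about binding order. It would also help to note in the description that selection2 (`*werfault.exe`) exists to exclude Windows Error Reporting crash dumps, since the rule otherwise looks as if it discards a detection path.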
@@ -0,0 +1,22 @@ +title: Mshta Network Connections +description: Identifies suspicious mshta.exe commands. +status: experimental +author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame) +date: 2019/10/24 +tags: + - attack.execution + - attack.defense_evasion + - attack.t1170 +detection: + selection: + Image: + - '*mshta.exe' + CommandLine: + - '* javascript*' + condition: selection +falsepositives: + - unknown +level: high +logsource: + category: process_creation + product: windows diff --git a/rules/windows/process_creation/win_net_enum.yml b/rules/windows/process_creation/win_net_enum.yml new file mode 100644 index 000000000..947b48121 --- /dev/null +++ b/rules/windows/process_creation/win_net_enum.yml @@ -0,0 +1,23 @@ +title: Windows Network Enumeration +status: stable +description: Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool. +references: + - https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html +author: Endgame, JHasenbusch (ported for oscd.community) +date: 2018/11/30 +tags: + - attack.discovery + - attack.t1018 +logsource: + category: process_creation + product: windows +detection: + selection: + Image: '*\net.exe' + CommandLine: '* view*' + filter: + CommandLine: '*\\\\*' + condition: selection and not filter +falsepositives: + - unknown +level: low diff --git a/rules/windows/process_creation/win_net_user_add.yml b/rules/windows/process_creation/win_net_user_add.yml new file mode 100644 index 000000000..477b35903 --- /dev/null +++ b/rules/windows/process_creation/win_net_user_add.yml 
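Review bot: The title `Mshta Network Connections` in win_mshta_javascript.yml does not describe the rule, which is a process_creation rule matching `mshta.exe` with `javascript` on the command line and never looks at network activity. Rename it to something like `Mshta JavaScript Execution` so the title, description and detection agree.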
@@ -0,0 +1,21 @@ +title: Net.exe User Account Creation +status: experimental +description: Identifies creation of local users via the net[1].exe command. +references: + - https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html +author: Endgame, JHasenbusch (adapted to sigma for oscd.community) +date: 2018/30/11 +tags: + - attack.persistance + - attack.credential_access + - attack.1136 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: '*\net*.exe * user */ad*' + condition: selection +falsepositives: + - Legit user creation +level: low diff --git a/rules/windows/process_creation/win_powershell_audio_capture.yml b/rules/windows/process_creation/win_powershell_audio_capture.yml new file mode 100644 index 000000000..4865300e1 --- /dev/null +++ b/rules/windows/process_creation/win_powershell_audio_capture.yml @@ -0,0 +1,19 @@ +title: Audio Capture via PowerShell +description: Detect attacker collecting audio via PowerShell Cmdlet. +status: experimental +author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame) +date: 2019/10/24 +tags: + - attack.collection + - attack.t1123 +detection: + selection: + CommandLine: + - '* WindowsAudioDevice-Powershell-Cmdlet *' + condition: selection +falsepositives: + - legit audio capture +level: medium +logsource: + category: process_creation + product: windows diff --git a/rules/windows/process_creation/win_powershell_bitsjob.yaml b/rules/windows/process_creation/win_powershell_bitsjob.yaml new file mode 100644 index 000000000..2eb6db523 --- /dev/null +++ b/rules/windows/process_creation/win_powershell_bitsjob.yaml 
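Review bot: `date: 2018/30/11` in win_net_user_add.yml is not a valid YYYY/MM/DD date (month 30); presumably `2018/11/30` was meant, as in win_net_enum.yml, and the same value recurs in win_powershell_bitsjob.yaml and win_reg_sam_dumping.yml in this series. The tags `attack.persistance` and `attack.1136` are also misspelled and will not pass tag validation; they should read `attack.persistence` and `attack.t1136`.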
@@ -0,0 +1,21 @@ +title: Suspicious Bitsadmin Job via PowerShell +status: experimental +description: Detect download of BITS jobs via PowerShell. +references: + - https://eqllib.readthedocs.io/en/latest/analytics/ec5180c9-721a-460f-bddc-27539a284273.html +author: Endgame, JHasenbusch (ported to sigma for oscd.community) +date: 2018/30/11 +tags: + - attack.defense_evasion + - attack.persistence + - attack.t1197 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: '*powershell.exe *Start-BitsTransfer*' + condition: selection +falsepositives: + - Unknown +level: medium diff --git a/rules/windows/process_creation/win_reg_sam_dumping.yml b/rules/windows/process_creation/win_reg_sam_dumping.yml new file mode 100644 index 000000000..6e01cb270 --- /dev/null +++ b/rules/windows/process_creation/win_reg_sam_dumping.yml @@ -0,0 +1,32 @@ +title: SAM Dumping via Reg.exe +status: experimental +description: Identifies usage of reg.exe to export registry hives which contain the SAM and LSA secrets. +references: + - https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html +author: Endgame, JHasenbusch (ported to sigma for oscd.community) +date: 2018/30/11 +tags: + - attack.credential_access + - attack.t1003 +logsource: + category: process_creation + product: windows +detection: + selection1: + Image: '*\reg.exe' + CommandLine: + - '* save *' + - '* export *' + selection2: + CommandLine: + - '*hklm*' + - '*hkey_local_machine*' + selection3: + CommandLine: + - '*\\sam *' + - '*\\security *' + - '*\\system *' + condition: selection1 and selection2 and selection3 +falsepositives: + - Unknown +level: low diff --git a/rules/windows/process_creation/win_remote_time_discovery.yml b/rules/windows/process_creation/win_remote_time_discovery.yml new file mode 100644 index 000000000..20813ab4b --- /dev/null +++ b/rules/windows/process_creation/win_remote_time_discovery.yml 
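Review bot: The new file is named win_powershell_bitsjob.yaml while every other rule added in this series and the existing rule paths use the `.yml` extension; tooling that globs `*.yml` will silently skip it, so rename it to `win_powershell_bitsjob.yml`. The pattern `'*powershell.exe *Start-BitsTransfer*'` ties the cmdlet to the `powershell.exe` host name, which the description ("Detect download of BITS jobs via PowerShell") does not require; consider whether matching on `Start-BitsTransfer` alone with an `Image` selection is the clearer form.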
@@ -0,0 +1,24 @@ +title: Command-Line Creation of a RAR file +description: Identifies use of various commands to query a remote system’s time. This technique may be used before executing a scheduled task or to discover the time zone of a target system. +status: experimental +author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame) +date: 2019/10/24 +tags: + - attack.discovery + - attack.t1124 +detection: + selection1: + Image: + - '*net.exe' + CommandLine: + - '* time *' + selection2: + CommandLine: + - '*\\\*' + condition: selection1 and selection2 +falsepositives: + - legit admin usage +level: high +logsource: + category: process_creation + product: windows diff --git a/rules/windows/process_creation/win_soundrec_audio_capture.yml b/rules/windows/process_creation/win_soundrec_audio_capture.yml new file mode 100644 index 000000000..dd8798cd1 --- /dev/null +++ b/rules/windows/process_creation/win_soundrec_audio_capture.yml @@ -0,0 +1,21 @@ +title: Audio Capture via SoundRecorder +description: Detect attacker collecting audio via SoundRecorder application. +status: experimental +author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame) +date: 2019/10/24 +tags: + - attack.collection + - attack.t1123 +detection: + selection: + Image: + - "*\SoundRecorder.exe" + CommandLine: + - "* /FILE *" + condition: selection +falsepositives: + - legit audio capture +level: medium +logsource: + category: process_creation + product: windows diff --git a/rules/windows/process_creation/win_trust_discovery.yml b/rules/windows/process_creation/win_trust_discovery.yml new file mode 100644 index 000000000..2929f545d --- /dev/null +++ b/rules/windows/process_creation/win_trust_discovery.yml 
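Review bot: The title `Command-Line Creation of a RAR file` in win_remote_time_discovery.yml is copied from win_cmd_rar.yml and does not describe this rule; it should be something like `Remote System Time Discovery`. selection2's value `'*\\\*'` also looks wrong: under Sigma escaping `\\` is a literal backslash and `\*` a literal asterisk, so the value would match a `\*` sequence rather than the UNC `\\` prefix the description implies; `'*\\\\*'`, the form win_net_enum.yml in this series uses, is the intended pattern — confirm against the target backend.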
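Review bot: `"*\SoundRecorder.exe"` in win_soundrec_audio_capture.yml is a double-quoted YAML scalar, and `\S` is not a valid double-quoted escape, so the file fails to parse. Use single quotes, `'*\SoundRecorder.exe'`, or escape the backslash, `"*\\SoundRecorder.exe"`; the same quoting style in win_uac_fodhelper.yml in this series hits the related `\f` trap.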
@@ -0,0 +1,21 @@ +title: Domain Trust Discovery via Nltest.exe +description: Identifies execution of nltest.exe for domain trust discovery. This technique is used by attackers to enumerate Active Directory trusts. +status: experimental +author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert) +date: 2019/10/24 +tags: + - attack.discovery + - attack.t1482 +detection: + selection: + Image: + - '*nltest.exe' + CommandLine: + - '* domain_trusts*' + condition: selection +falsepositives: + - unlike +level: high +logsource: + category: process_creation + product: windows diff --git a/rules/windows/process_creation/win_uac_cmstp.yml b/rules/windows/process_creation/win_uac_cmstp.yml new file mode 100644 index 000000000..915b9b2e9 --- /dev/null +++ b/rules/windows/process_creation/win_uac_cmstp.yml @@ -0,0 +1,24 @@ +title: Bypass UAC via CMSTP +description: Detect child processes of automatically elevated instances of Microsoft Connection Manager Profile Installer (cmstp.exe). +status: experimental +author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame) +date: 2019/10/24 +tags: + - attack.defense_evasion + - attack.execution + - attack.t1191 + - attack.t1088 +detection: + selection: + Image: + - "*\\cmstp.exe" + CommandLine: + - "* /s *" + - "* /au *" + condition: selection +falsepositives: + - unlikely +level: high +logsource: + category: process_creation + product: windows diff --git a/rules/windows/process_creation/win_uac_fodhelper.yml b/rules/windows/process_creation/win_uac_fodhelper.yml new file mode 100644 index 000000000..d811ca637 --- /dev/null +++ b/rules/windows/process_creation/win_uac_fodhelper.yml 
@@ -0,0 +1,19 @@ +title: Bypass UAC via Fodhelper.exe +description: Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes. +status: experimental +author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert) +date: 2019/10/24 +tags: + - attack.privilege_escalation + - attack.t1088 +detection: + selection: + ParentImage: + - "*\fodhelper.exe" + condition: selection +falsepositives: + - unlikely +level: high +logsource: + category: process_creation + product: windows diff --git a/rules/windows/process_creation/win_uac_wsreset.yml b/rules/windows/process_creation/win_uac_wsreset.yml new file mode 100644 index 000000000..a4314c5ce --- /dev/null +++ b/rules/windows/process_creation/win_uac_wsreset.yml @@ -0,0 +1,22 @@ +title: Bypass UAC via WSReset.exe +description: Identifies use of WSReset.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes. +status: experimental +author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert) +date: 2019/10/24 +tags: + - attack.privilege_escalation + - attack.t1088 +detection: + selection: + ParentImage: + - '*wsreset.exe' + filter: + Image: + - '*conhost.exe' + condition: selection and not filter +falsepositives: + - unknown +level: high +logsource: + category: process_creation + product: windows From 4251d9f490cb566cfe37781fc61d1d8066f1fcd4 Mon Sep 17 00:00:00 2001 
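Review bot: `"*\fodhelper.exe"` in win_uac_fodhelper.yml is double-quoted, so YAML interprets `\f` as a form-feed escape and the pattern silently becomes `*<FF>odhelper.exe`, which can never match a ParentImage path; the rule parses cleanly but is dead. Write it as `'*\fodhelper.exe'` or `"*\\fodhelper.exe"` (the win_uac_cmstp.yml hunk in this series uses the escaped form).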
From: Yugoslavskiy Daniil Date: Tue, 29 Oct 2019 03:44:22 +0300 Subject: [PATCH 05/44] ilyas ochkov contribution --- rules/network/net_possible_dns_rebinding.yml | 22 +++++++++ ...picious_reverse_connect_via_http_proxy.yml | 18 +++++++ ..._renamed_user_account_with_dollar_sign.yml | 33 +++++++++++++ .../windows/builtin/win_possible_dc_sync.yml | 24 ++++++++++ ...n_register_new_logon_process_by_rubeus.yml | 23 +++++++++ ...uspicious_outbound_kerberos_connection.yml | 27 +++++++++++ ...ileged_service_lsaregisterlogonprocess.yml | 23 +++++++++ .../powershell_clear_powershell_history.yml | 23 +++++++++ ...y_events_logging_adding_reg_key_minint.yml | 38 +++++++++++++++ ..._dll_added_to_appcertdlls_registry_key.yml | 48 +++++++++++++++++++ ...dll_added_to_appinit_dlls_registry_key.yml | 47 ++++++++++++++++++ .../sysmon/sysmon_possible_dns_rebinding.yml | 42 ++++++++++++++++ ...uspicious_outbound_kerberos_connection.yml | 28 +++++++++++ 13 files changed, 396 insertions(+) create mode 100644 rules/network/net_possible_dns_rebinding.yml create mode 100644 rules/proxy/proxy_suspicious_reverse_connect_via_http_proxy.yml create mode 100644 rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml create mode 100644 rules/windows/builtin/win_possible_dc_sync.yml create mode 100644 rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml create mode 100644 rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml create mode 100644 rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml create mode 100644 rules/windows/powershell/powershell_clear_powershell_history.yml create mode 100644 rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml create mode 100644 rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml create mode 100644 rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml create mode 100644 
rules/windows/sysmon/sysmon_possible_dns_rebinding.yml create mode 100644 rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml diff --git a/rules/network/net_possible_dns_rebinding.yml b/rules/network/net_possible_dns_rebinding.yml new file mode 100644 index 000000000..cc8f2a234 --- /dev/null +++ b/rules/network/net_possible_dns_rebinding.yml @@ -0,0 +1,22 @@ +title: Possible DNS Rebinding +status: experimental +description: 'Detects DNS-answer with TTL <10.' +date: 2019/10/25 +author: Ilyas Ochkov, oscd.community +references: + - https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325 +tags: + - attack.command_and_control + - attack.t1043 +logsource: + product: dns +detection: + selection: + answer: '*' + filter1: + ttl: '>0' + filter2: + ttl: '<10' + timeframe: 30s + condition: selection and filter1 and filter2 | count(answer) by src_ip > 3 +level: medium diff --git a/rules/proxy/proxy_suspicious_reverse_connect_via_http_proxy.yml b/rules/proxy/proxy_suspicious_reverse_connect_via_http_proxy.yml new file mode 100644 index 000000000..68a629cda --- /dev/null +++ b/rules/proxy/proxy_suspicious_reverse_connect_via_http_proxy.yml @@ -0,0 +1,18 @@ +title: Suspicious reverse connect via HTTP proxy +status: experimental +description: Detects auth on proxy-server by machine account (aka SYSTEM) +author: Ilyas Ochkov, oscd.community +references: + - https://blog.redxorblue.com/2019/09/proxy-aware-payload-testing.html +tags: + - attack.command_and_control + - attack.t1043 +logsource: + category: proxy +detection: + selection: + username|re: '\S+\$$' + condition: selection +falsepositives: + - Update OS or other softs which start by SYSTEM + - User account with $ in attribute "SamAccountName" diff --git a/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml b/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml new file mode 100644 index 000000000..420b71027 
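Review bot: `ttl: '>0'` and `ttl: '<10'` in net_possible_dns_rebinding.yml are plain string values; Sigma has no comparison operator inside a value, so unless the target backend translates them these filters match the literal strings `>0` and `<10` and the rule never fires as the description ("TTL <10") intends. The rule should state how the TTL comparison is expected to be rendered, and it is also missing a `falsepositives` entry, which every other rule in this series carries.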
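Review bot: proxy_suspicious_reverse_connect_via_http_proxy.yml has no `level` and no `date` field; `level` is required by the Sigma schema and the CI checks this series is being adjusted for, so add one (for example `level: medium`, a constructed value) and a `date` like the sibling rules. The regex `'\S+\$$'` matches every username ending in `$`, which the falsepositives already acknowledge covers legitimate machine-account traffic such as OS updates, so the description should say what distinguishes the suspicious case from that baseline.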
--- /dev/null +++ b/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml @@ -0,0 +1,33 @@ +title: New (or renamed) user account with '$' in attribute 'SamAccountName'. +status: experimental +description: Detects possible bypass EDR and SIEM via abnormal user account name. +tags: + - attack.defense_evasion + - attack.t1036 +author: Ilyas Ochkov, oscd.community +date: 2019/10/25 +detection: + condition: 1 of them +fields: + - EventID + - UserName + - SubjectAccountName +falsepositives: + - Unkown +level: medium +--- +logsource: + product: windows + service: security +detection: + create_user: + EventID: 4720 + UserName: '*$*' #SamAccountName +--- +logsource: + product: windows + service: security +detection: + rename_user: + EventID: 4781 + UserName: '*$*' #NewTargetUserName diff --git a/rules/windows/builtin/win_possible_dc_sync.yml b/rules/windows/builtin/win_possible_dc_sync.yml new file mode 100644 index 000000000..73b44994d --- /dev/null +++ b/rules/windows/builtin/win_possible_dc_sync.yml @@ -0,0 +1,24 @@ +title: Possible DC Sync +description: Detects DC sync via create new SPN +status: experimental +author: Ilyas Ochkov, oscd.community +date: 2019/10/25 +references: + - https://github.com/Neo23x0/sigma/blob/ec5bb710499caae6667c7f7311ca9e92c03b9039/rules/windows/builtin/win_dcsync.yml + - https://twitter.com/gentilkiwi/status/1003236624925413376 + - https://gist.github.com/gentilkiwi/dcc132457408cf11ad2061340dcb53c2 + - https://jsecurity101.com/2019/Syncing-into-the-Shadows/ +tags: + - attack.credential_access + - attack.t1003 +logsource: + product: windows + service: security +detection: + selection: + EventID: 4742 + ServicePrincipalNames: '*GC/*' + condition: selection +falsepositives: + - Unkown +level: high diff --git a/rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml b/rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml new file mode 100644 index 000000000..dd1635351 --- /dev/null 
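Review bot: The first document of win_new_or_renamed_user_account_with_dollar_sign.yml carries the shared `title`, `tags` and `detection.condition: 1 of them` but has no `action: global`, so a Sigma rule-collection loader treats it as a stand-alone rule with no `logsource` and no selections, and `1 of them` has nothing to resolve — unless the loader in use merges leading documents implicitly, add `action: global` as the first key of that document. The same structure is used in sysmon_disable_security_events_logging_adding_reg_key_minint.yml and sysmon_new_dll_added_to_appcertdlls_registry_key.yml in this series. `Unkown` in `falsepositives` is a typo repeated across these files.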
+++ b/rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml @@ -0,0 +1,23 @@ +title: Register new logon process by Rubeus +description: Detects potential use of Rubeus via registered new trusted logon process +status: experimental +references: + - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1 +tags: + - attack.lateral_movement + - attack.privilege_escalation + - attack.t1208 +author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community +date: 2019/10/24 +logsource: + product: windows + service: security + definition: Ubnormal logon process name 'User32LogonProcesss' - with three 's' at the end +detection: + selection: + - EventID: 4611 + LogonProcessName: 'User32LogonProcesss' + condition: selection +falsepositives: + - Unkown +level: high diff --git a/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml b/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml new file mode 100644 index 000000000..10d08ce14 --- /dev/null +++ b/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml @@ -0,0 +1,27 @@ +title: Suspicious outbound Kerberos connection +status: experimental +description: Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation. +references: + - https://github.com/GhostPack/Rubeus8 +author: Ilyas Ochkov, oscd.community +date: 2019/10/24 +tags: + - attack.lateral_movement + - attack.t1208 +logsource: + product: windows + service: security +detection: + selection: + EventID: 5156 + DestinationPort: 88 + filter: + Image: + - '*\lsass.exe' + - '*\opera.exe' + - '*\chrome.exe' + - '*\firefox.exe' + condition: selection and not filter +falsepositives: + - Other browsers +level: high \ No newline at end of file 
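Review bot: In win_suspicious_outbound_kerberos_connection.yml the `filter` keys on `Image`, but Security event 5156 names the process in its `Application` field (a `\device\harddiskvolumeN\...` path), so the exclusions — including `lsass.exe`, which generates most legitimate port-88 traffic — likely never match; confirm the field mapping for this log source before relying on the filter. The selection also applies no direction constraint, so on a domain controller every inbound connection to port 88 matches even though the title says outbound; add the 5156 direction field with its outbound value to `selection`. The reference `https://github.com/GhostPack/Rubeus8` looks like a typo for the Rubeus repository URL.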
diff --git a/rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml b/rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml new file mode 100644 index 000000000..0a7a760b8 --- /dev/null +++ b/rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml @@ -0,0 +1,23 @@ +title: User couldn't call a privileged service 'LsaRegisterLogonProcess' +description: The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA. +status: experimental +references: + - https://posts.specterops.io/hunting-in-active-directory-unconstrained-delegation-forests-trusts-71f2b33688e1 +tags: + - attack.lateral_movement + - attack.privilege_escalation + - attack.t1208 +author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community +date: 2019/10/24 +logsource: + product: windows + service: security +detection: + selection: + - EventID: 4673 + Service: 'LsaRegisterLogonProcess()' + Keywords: '0x8010000000000000' #failure + condition: selection +falsepositives: + - Unkown +level: high \ No newline at end of file diff --git a/rules/windows/powershell/powershell_clear_powershell_history.yml b/rules/windows/powershell/powershell_clear_powershell_history.yml new file mode 100644 index 000000000..6f5eeed2c --- /dev/null +++ b/rules/windows/powershell/powershell_clear_powershell_history.yml 
@@ -0,0 +1,23 @@ +title: Clear PowerShell History +status: experimental +description: Detects keywords that could indicate clearing PowerShell history +date: 2019/10/25 +author: Ilyas Ochkov, oscd.community +references: + - https://gist.github.com/hook-s3c/7363a856c3cdbadeb71085147f042c1a +tags: + - attack.defense_evasion + - attack.t1146 +logsource: + product: windows + service: powershell +detection: + keywords: + - 'del (Get-PSReadlineOption).HistorySavePath' + - 'Set-PSReadlineOption –HistorySaveStyle SaveNothing' + - 'Remove-Item (Get-PSReadlineOption).HistorySavePath' + - 'rm (Get-PSReadlineOption).HistorySavePath' + condition: keywords +falsepositives: + - some PS-scripts +level: medium diff --git a/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml b/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml new file mode 100644 index 000000000..0e3e926c2 --- /dev/null +++ b/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml @@ -0,0 +1,38 @@ +title: Disable security events logging adding reg key MiniNt +status: experimental +description: Detects the addition of a key 'MiniNt' to the registry. Upon a reboot, Windows Event Log service will stopped write events. +references: + - https://twitter.com/0gtweet/status/1182516740955226112 +tags: + - attack.defense_evasion + - attack.t1089 +author: Ilyas Ochkov, oscd.community +date: 2019/10/25 +detection: + condition: 1 of them +fields: + - EventID + - Image + - TargetObject + - NewName +falsepositives: + - Unkown +level: high +--- +logsource: + product: windows + service: sysmon +detection: + key_create: + EventID: 12 + TargetObject: + - '*\SYSTEM\*\Control\MiniNt' +--- +logsource: + product: windows + service: sysmon +detection: + key_rename: + EventID: 14 + NewName: + - '*\SYSTEM\*\Control\MiniNt' 
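Review bot: The keyword `'Set-PSReadlineOption –HistorySaveStyle SaveNothing'` contains a Unicode en dash (U+2013) before `HistorySaveStyle` instead of the ASCII hyphen PowerShell parameters use, so this keyword will not match the command as actually typed; it should read `- 'Set-PSReadlineOption -HistorySaveStyle SaveNothing'`. The other three keywords tie detection to one exact spelling of the path expression, including spacing, so a `description` sentence noting that the list targets the documented forms rather than every equivalent cmdlet or alias would set expectations for analysts. `some PS-scripts` under `falsepositives` is vague; `Legitimate scripts that manage PSReadLine history` says what is meant.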
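Review bot: Sysmon event 12 covers both key creation and key deletion, so the `key_create` document also fires when the `MiniNt` key is removed again; that is useful for cleanup detection, but the title ("adding reg key") and `description` do not say so, and an analyst will read a delete hit as a false positive. State it in the description, which also needs grammatical repair: `Detects creation (or deletion, via Sysmon event 12) or rename of a MiniNt key under the registry Control key; after a reboot the Windows Event Log service stops writing events.`. The same `key_create` wording applies to the AppCertDlls and AppInit_DLLs rules in the next two hunks. `Unkown` under `falsepositives` is a typo.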
diff --git a/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml b/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml new file mode 100644 index 000000000..ae970f27a --- /dev/null +++ b/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml @@ -0,0 +1,48 @@ +title: New DLL added to AppCertDlls registry key +status: experimental +description: Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. +references: + - http://www.hexacorn.com/blog/2013/01/19/beyond-good-ol-run-key-part-3/ + - https://eqllib.readthedocs.io/en/latest/analytics/14f90406-10a0-4d36-a672-31cabe149f2f.html +tags: + - attack.persistence + - attack.t1182 +author: Ilyas Ochkov, oscd.community +date: 2019/10/25 +detection: + condition: 1 of them +fields: + - EventID + - Image + - TargetObject + - NewName +falsepositives: + - Unkown +level: medium +--- +logsource: + product: windows + service: sysmon +detection: + key_create: + EventID: 12 + TargetObject: + - '*\SYSTEM\*\Control\Session Manager\AppCertDlls' +--- +logsource: + product: windows + service: sysmon +detection: + value_set: + EventID: 13 + TargetObject: + - '*\SYSTEM\*\Control\Session Manager\AppCertDlls' +--- +logsource: + product: windows + service: sysmon +detection: + key_rename: + EventID: 14 + NewName: + - '*\SYSTEM\*\Control\Session Manager\AppCertDlls' diff --git a/rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml b/rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml new file mode 100644 index 000000000..403ceeadc --- /dev/null +++ b/rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml 
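Review bot: The `value_set` document (Sysmon event 13) reuses the key pattern `'*\SYSTEM\*\Control\Session Manager\AppCertDlls'`, but for event 13 `TargetObject` is the full value path including the value name; AppCertDlls is a key whose values name the DLLs to load, so a value written under it ends in `\AppCertDlls\<value>` and never matches a pattern that stops at the key. It should read `- '*\SYSTEM\*\Control\Session Manager\AppCertDlls\*'`. The `description` is the ATT&CK technique text and does not say what the rule looks for; a sentence such as `Detects creation, rename, or a new value under the AppCertDlls registry key (Sysmon events 12, 13, 14).` would make the three documents readable. `Unkown` under `falsepositives` is a typo.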
@@ -0,0 +1,47 @@ +title: New DLL added to AppInit_DLLs registry key +status: experimental +description: DLLs that are specified in the AppInit_DLLs value in the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows are loaded by user32.dll into every process that loads user32.dll +references: + - https://eqllib.readthedocs.io/en/latest/analytics/822dc4c5-b355-4df8-bd37-29c458997b8f.html +tags: + - attack.persistence + - attack.t1103 +author: Ilyas Ochkov, oscd.community +date: 2019/10/25 +detection: + condition: 1 of them +fields: + - EventID + - Image + - TargetObject + - NewName +falsepositives: + - Unkown +level: medium +--- +logsource: + product: windows + service: sysmon +detection: + key_create: + EventID: 12 + TargetObject: + - '*\SOFTWARE\*\Windows\AppInit_Dlls' +--- +logsource: + product: windows + service: sysmon +detection: + value_set: + EventID: 13 + TargetObject: + - '*\SOFTWARE\*\Windows\AppInit_Dlls' +--- +logsource: + product: windows + service: sysmon +detection: + key_rename: + EventID: 14 + NewName: + - '*\SOFTWARE\*\Windows\AppInit_Dlls' diff --git a/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml b/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml new file mode 100644 index 000000000..015acde37 --- /dev/null +++ b/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml 
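Review bot: `AppInit_DLLs` is a registry value under the `...\CurrentVersion\Windows` key, as the `description` itself says, so the `key_create` (event 12) and `key_rename` (event 14) documents target a path that is never a key and will not fire; only the `value_set` document does any work here, and the two key documents should be dropped. The mechanism is gated by the sibling `LoadAppInit_DLLs` value, which the rule does not watch; adding `- '*\SOFTWARE\*\Windows\LoadAppInit_DLLs'` to `value_set` covers that toggle. As in the previous hunk, the `description` should state what is detected rather than only quote the technique text, and `Unkown` is a typo.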
@@ -0,0 +1,42 @@ +title: Possible DNS Rebinding +status: experimental +description: Detects several different DNS-answers by one domain with IPs from internal and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will saved in host cache for a while TTL). +date: 2019/10/25 +author: Ilyas Ochkov, oscd.community +references: + - https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325 +tags: + - attack.command_and_control + - attack.t1043 +logsource: + product: windows + service: sysmon +detection: + dns_answer: + EventID: 22 + QueryName: '*' + QueryStatus: '0' + filter_int_ip: + QueryResults: + - '(::ffff:)?10.*' + - '(::ffff:)?192.168.*' + - '(::ffff:)?172.16.*' + - '(::ffff:)?172.17.*' + - '(::ffff:)?172.18.*' + - '(::ffff:)?172.19.*' + - '(::ffff:)?172.20.*' + - '(::ffff:)?172.21.*' + - '(::ffff:)?172.22.*' + - '(::ffff:)?172.23.*' + - '(::ffff:)?172.24.*' + - '(::ffff:)?172.25.*' + - '(::ffff:)?172.26.*' + - '(::ffff:)?172.27.*' + - '(::ffff:)?172.28.*' + - '(::ffff:)?172.29.*' + - '(::ffff:)?172.30.*' + - '(::ffff:)?172.31.*' + - '(::ffff:)?127.*' + timeframe: 30s + condition: (dns_answer and filter_int_ip) and (dns_answer and not filter_int_ip) | count(QueryName) by ComputerName > 3 +level: medium diff --git a/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml b/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml new file mode 100644 index 000000000..c644fda97 --- /dev/null +++ b/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml 
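Review bot: The `condition` `(dns_answer and filter_int_ip) and (dns_answer and not filter_int_ip) | count(QueryName) by ComputerName > 3` is a contradiction for any single event (`filter_int_ip and not filter_int_ip`), so the rule can never match; a per-event Sigma condition plus one aggregation cannot express "the same name answered with both an internal and an external address within 30s". The closest expressible form is to drop the contradictory half and aggregate per name, for example `condition: dns_answer and filter_int_ip | count() by QueryName > 1` with the timeframe, and leave the internal/external correlation to the backend or a second rule, documented in `description`. The `QueryResults` entries such as `'(::ffff:)?10.*'` use regex syntax, but a plain Sigma string is wildcard-matched, so `(::ffff:)?` is taken literally and nothing matches; use the `re` modifier (`QueryResults|re:`) if the toolchain supports it, or spell out the `::ffff:` forms as separate wildcard patterns. `QueryName: '*'` is a no-op and can be removed; the internal ranges also omit `169.254.*` and `::1`.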
@@ -0,0 +1,28 @@ +title: Suspicious outbound Kerberos connection +status: experimental +description: Detects suspicious outbound network activity via kerberos default port indicating possible lateral movement or first stage PrivEsc via delegation. +references: + - https://github.com/GhostPack/Rubeus8 +author: Ilyas Ochkov, oscd.community +date: 2019/10/24 +tags: + - attack.lateral_movement + - attack.t1208 +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 3 + DestinationPort: 88 + Initiated: 'true' + filter: + Image: + - '*\lsass.exe' + - '*\opera.exe' + - '*\chrome.exe' + - '*\firefox.exe' + condition: selection and not filter +falsepositives: + - Other browsers +level: high From fd606cb3760c3003bc963465679617847c8e6e86 Mon Sep 17 00:00:00 2001 From: Yugoslavskiy Daniil Date: Tue, 29 Oct 2019 03:59:07 +0300 Subject: [PATCH 06/44] spaces fix --- .../win_new_or_renamed_user_account_with_dollar_sign.yml | 2 +- rules/windows/builtin/win_possible_dc_sync.yml | 2 +- .../builtin/win_register_new_logon_process_by_rubeus.yml | 2 +- .../builtin/win_suspicious_outbound_kerberos_connection.yml | 2 +- ..._couldnt_call_privileged_service_lsaregisterlogonprocess.yml | 2 +- ...on_disable_security_events_logging_adding_reg_key_minint.yml | 2 +- .../sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml | 2 +- .../sysmon_new_dll_added_to_appinit_dlls_registry_key.yml | 2 +- .../sysmon/sysmon_suspicious_outbound_kerberos_connection.yml | 2 +- 9 files changed, 9 insertions(+), 9 deletions(-) diff --git a/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml b/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml index 420b71027..4f55fd485 100644 --- a/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml +++ b/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml 
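Review bot: The exclusions in `filter` match on basename anywhere on disk (`'*\lsass.exe'`, `'*\chrome.exe'`), so any process carrying one of those names, regardless of location, is silently dropped from a `level: high` rule; for an allowlist the image should be anchored to its expected path, e.g. `- 'C:\Windows\System32\lsass.exe'`, with the browsers anchored to their install directories the same way. Conversely the list is labelled "Other browsers" yet omits common Kerberos-capable ones (Edge's `msedge.exe`, for example), so expect noise from workstations; either widen the list or lower the level. `Initiated: 'true'` is a string compare — that is what Sysmon emits, but a short comment saying so helps the next maintainer. The reference ending in `Rubeus8` looks like a stray character, and the 5156 variant of this rule earlier in the commit shares these points.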
@@ -5,7 +5,7 @@ tags: - attack.defense_evasion - attack.t1036 author: Ilyas Ochkov, oscd.community -date: 2019/10/25 +date: 2019/10/25 detection: condition: 1 of them fields: diff --git a/rules/windows/builtin/win_possible_dc_sync.yml b/rules/windows/builtin/win_possible_dc_sync.yml index 73b44994d..b73091fd4 100644 --- a/rules/windows/builtin/win_possible_dc_sync.yml +++ b/rules/windows/builtin/win_possible_dc_sync.yml @@ -2,7 +2,7 @@ title: Possible DC Sync description: Detects DC sync via create new SPN status: experimental author: Ilyas Ochkov, oscd.community -date: 2019/10/25 +date: 2019/10/25 references: - https://github.com/Neo23x0/sigma/blob/ec5bb710499caae6667c7f7311ca9e92c03b9039/rules/windows/builtin/win_dcsync.yml - https://twitter.com/gentilkiwi/status/1003236624925413376 diff --git a/rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml b/rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml index dd1635351..7be412525 100644 --- a/rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml +++ b/rules/windows/builtin/win_register_new_logon_process_by_rubeus.yml @@ -7,7 +7,7 @@ tags: - attack.lateral_movement - attack.privilege_escalation - attack.t1208 -author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community +author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community date: 2019/10/24 logsource: product: windows diff --git a/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml b/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml index 10d08ce14..4167b05c3 100644 --- a/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml +++ b/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml 
@@ -4,7 +4,7 @@ description: Detects suspicious outbound network activity via kerberos default p references: - https://github.com/GhostPack/Rubeus8 author: Ilyas Ochkov, oscd.community -date: 2019/10/24 +date: 2019/10/24 tags: - attack.lateral_movement - attack.t1208 diff --git a/rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml b/rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml index 0a7a760b8..90a55c0f1 100644 --- a/rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml +++ b/rules/windows/builtin/win_user_couldnt_call_privileged_service_lsaregisterlogonprocess.yml @@ -7,7 +7,7 @@ tags: - attack.lateral_movement - attack.privilege_escalation - attack.t1208 -author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community +author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community date: 2019/10/24 logsource: product: windows diff --git a/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml b/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml index 0e3e926c2..12afd3d55 100644 --- a/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml +++ b/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml @@ -7,7 +7,7 @@ tags: - attack.defense_evasion - attack.t1089 author: Ilyas Ochkov, oscd.community -date: 2019/10/25 +date: 2019/10/25 detection: condition: 1 of them fields: diff --git a/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml b/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml index ae970f27a..1deb58c74 100644 --- a/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml +++ b/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml 
@@ -8,7 +8,7 @@ tags: - attack.persistence - attack.t1182 author: Ilyas Ochkov, oscd.community -date: 2019/10/25 +date: 2019/10/25 detection: condition: 1 of them fields: diff --git a/rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml b/rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml index 403ceeadc..77304269a 100644 --- a/rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml +++ b/rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml @@ -7,7 +7,7 @@ tags: - attack.persistence - attack.t1103 author: Ilyas Ochkov, oscd.community -date: 2019/10/25 +date: 2019/10/25 detection: condition: 1 of them fields: diff --git a/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml b/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml index c644fda97..2bc9e19f9 100644 --- a/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml +++ b/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml @@ -4,7 +4,7 @@ description: Detects suspicious outbound network activity via kerberos default p references: - https://github.com/GhostPack/Rubeus8 author: Ilyas Ochkov, oscd.community -date: 2019/10/24 +date: 2019/10/24 tags: - attack.lateral_movement - attack.t1208 From 37098be2915c00b1547b00da4d8c8602037b5a8e Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 11 Nov 2019 01:35:51 +0300 Subject: [PATCH 07/44] Update win_net_user_add.yml --- rules/windows/process_creation/win_net_user_add.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_net_user_add.yml b/rules/windows/process_creation/win_net_user_add.yml index 477b35903..99ebe7bf5 100644 --- a/rules/windows/process_creation/win_net_user_add.yml +++ b/rules/windows/process_creation/win_net_user_add.yml 
@@ -8,7 +8,7 @@ date: 2018/30/11 tags: - attack.persistance - attack.credential_access - - attack.1136 + - attack.t1136 logsource: category: process_creation product: windows From 570f5b238e20ee4d83948f9650f1da5098c8eb5d Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 11 Nov 2019 01:40:45 +0300 Subject: [PATCH 08/44] Update win_soundrec_audio_capture.yml --- .../win_soundrec_audio_capture.yml | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/rules/windows/process_creation/win_soundrec_audio_capture.yml b/rules/windows/process_creation/win_soundrec_audio_capture.yml index dd8798cd1..a6bb8e747 100644 --- a/rules/windows/process_creation/win_soundrec_audio_capture.yml +++ b/rules/windows/process_creation/win_soundrec_audio_capture.yml @@ -1,20 +1,21 @@ title: Audio Capture via SoundRecorder -description: Detect attacker collecting audio via SoundRecorder application. +description: Detect attacker collecting audio via SoundRecorder application status: experimental -author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame) +author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community date: 2019/10/24 +modified: 2019/11/11 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml tags: - attack.collection - attack.t1123 detection: selection: - Image: - - "*\SoundRecorder.exe" - CommandLine: - - "* /FILE *" + Image|endswith: '\SoundRecorder.exe' + CommandLine|contains: '/FILE' condition: selection falsepositives: - - legit audio capture + - Legitimate audio capture by legitimate user level: medium logsource: category: process_creation From bdff2c312b0b84398797eba4d0e08cd1cff4d0d7 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 11 Nov 2019 01:44:53 +0300 Subject: [PATCH 09/44] Update lnx_auditd_ld_so_preload_mod.yml --- rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) 
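Review bot: The hunk fixes `attack.1136` but leaves the neighbouring `- attack.persistance` tag, which is misspelled; the tactic tag used elsewhere in this series (the AppCertDlls and AppInit rules) is `attack.persistence`, and a misspelled tag is not mapped by the ATT&CK tooling. The hunk header shows `date: 2018/30/11`, which is not a valid `YYYY/MM/DD` date; the sibling `win_net_enum.yml` in this series uses `date: 2018/11/30`, so this is presumably the same day and should read `date: 2018/11/30`. The rest of the rule is outside the hunk.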
diff --git a/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml b/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml index 97643378a..526e3f965 100644 --- a/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml +++ b/rules/linux/auditd/lnx_auditd_ld_so_preload_mod.yml @@ -1,8 +1,12 @@ title: Modification of ld.so.preload description: Identifies modification of ld.so.preload for shared object injection. This technique is used by attackers to load arbitrary code into processes. status: experimental -author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert) +author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community date: 2019/10/24 +modified: 2019/11/11 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1055/T1055.yaml + - https://eqllib.readthedocs.io/en/latest/analytics/fd9b987a-1101-4ed3-bda6-a70300eaf57e.html tags: - attack.defense_evasion - attack.t1055 @@ -12,10 +16,8 @@ logsource: detection: selection: type: 'PATH' - name: - - '/etc/ld.so.preload' - condition: selection + name: '/etc/ld.so.preload' condition: selection falsepositives: - - unknown + - Unknown level: medium From fc8901fa1af750f42d0d2adc0b9a00be72ab8be9 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 11 Nov 2019 01:45:39 +0300 Subject: [PATCH 10/44] Update win_soundrec_audio_capture.yml --- rules/windows/process_creation/win_soundrec_audio_capture.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/rules/windows/process_creation/win_soundrec_audio_capture.yml b/rules/windows/process_creation/win_soundrec_audio_capture.yml index a6bb8e747..923d8ee36 100644 --- a/rules/windows/process_creation/win_soundrec_audio_capture.yml +++ b/rules/windows/process_creation/win_soundrec_audio_capture.yml 
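Review bot: The detection matches any auditd `PATH` record whose `name` is `/etc/ld.so.preload`, which says nothing about the access being a write; whether this fires only on modification depends entirely on the audit watch that produced the record (`-p wa` versus a read-inclusive `-p rwa`, where the dynamic loader's check of this file on process start would likely match as well). Since the rule cannot tell, state the prerequisite in the logsource, e.g. `definition: 'Requires an auditd watch on /etc/ld.so.preload for write/attribute access (e.g. -w /etc/ld.so.preload -p wa)'`. The `orignally` typo in `author` is carried over. The `selection` key and `type: 'PATH'` sit above the second hunk.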
@@ -6,6 +6,7 @@ date: 2019/10/24 modified: 2019/11/11 references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml + - https://eqllib.readthedocs.io/en/latest/analytics/f72a98cb-7b3d-4100-99c3-a138b6e9ff6e.html tags: - attack.collection - attack.t1123 From afb17d0e0e13caf790c31e2322cad3be1ea80bad Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 11 Nov 2019 01:53:46 +0300 Subject: [PATCH 11/44] Update win_bootconf_mod.yml --- .../process_creation/win_bootconf_mod.yml | 26 +++++++++++-------- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/rules/windows/process_creation/win_bootconf_mod.yml b/rules/windows/process_creation/win_bootconf_mod.yml index c6834ebe3..aff9b51ef 100644 --- a/rules/windows/process_creation/win_bootconf_mod.yml +++ b/rules/windows/process_creation/win_bootconf_mod.yml 
@@ -1,25 +1,29 @@ title: Modification of Boot Configuration description: Identifies use of the bcdedit command to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique. status: experimental -author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame) +author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community date: 2019/10/24 +modified: 2019/11/11 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.yaml + - https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html tags: - attack.impact - attack.t1490 detection: selection1: - Image: - - '*bcdedit.exe' + Image|endswith: '\bcdedit.exe' + CommandLine: 'set' selection2: - CommandLine: - - '* set*' - selection3: - CommandLine: - - '* bootstatuspolicy *ignoreallfailures*' - - '* recoveryenabled* no*' - condition: selection1 and selection2 and selection3 + - CommandLine|contains|all: + - 'bootstatuspolicy' + - 'ignoreallfailures' + - CommandLine|contains|all: + - 'recoveryenabled' + - 'no' + condition: selection1 and selection2 falsepositives: - - unlike + - Unlikely level: high logsource: category: process_creation From 521d9311c7133027a393d39164326bd892fcabe9 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 11 Nov 2019 01:58:22 +0300 Subject: [PATCH 12/44] Delete win_cmd_rar.yml redundant with ./rules/windows/process_creation/win_data_compressed_with_rar.yml authorship was updated --- .../windows/process_creation/win_cmd_rar.yml | 21 ------------------- 1 file changed, 21 deletions(-) delete mode 100644 rules/windows/process_creation/win_cmd_rar.yml diff --git a/rules/windows/process_creation/win_cmd_rar.yml b/rules/windows/process_creation/win_cmd_rar.yml deleted file mode 100644 index 098378a27..000000000 --- a/rules/windows/process_creation/win_cmd_rar.yml +++ /dev/null 
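Review bot: `CommandLine: 'set'` in `selection1` has no modifier, so Sigma compiles it as an exact match of the whole command line against the string `set`; combined with `selection2`, which requires other tokens in the same command line, the condition can never be true and the rewritten rule matches nothing. The original `'* set*'` was a substring match and should become `CommandLine|contains: 'set'` (or `' set'` to keep the word boundary). In `selection2`, the second `contains|all` item `'no'` is two characters that occur inside many command lines; `' no'` or the full `'recoveryenabled no'` pairing is tighter. The `orignally` typo in `author` is carried over.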
@@ -1,21 +0,0 @@ -title: Command-Line Creation of a RAR file -description: Detect compression of data into a RAR file using the rar.exe utility. -status: experimental -author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame) -date: 2019/10/24 -tags: - - attack.exfiltration - - attack.t1002 -detection: - selection: - Image: - - '*rar.exe' - CommandLine: - - '* a *' - condition: selection -falsepositives: - - legit creation of a rar file using cmd -level: high -logsource: - category: process_creation - product: windows From e7e9185f996311cb7787a7436f11860f344da3df Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 11 Nov 2019 01:59:29 +0300 Subject: [PATCH 13/44] Delete win_eventlog_cleared.yml redundant with ./rules/windows/process_creation/win_susp_eventlog_clear.yml --- .../process_creation/win_eventlog_cleared.yml | 21 ------------------- 1 file changed, 21 deletions(-) delete mode 100644 rules/windows/process_creation/win_eventlog_cleared.yml diff --git a/rules/windows/process_creation/win_eventlog_cleared.yml b/rules/windows/process_creation/win_eventlog_cleared.yml deleted file mode 100644 index 3806ec5fd..000000000 --- a/rules/windows/process_creation/win_eventlog_cleared.yml +++ /dev/null @@ -1,21 +0,0 @@ -title: Clearing Windows Event Logs with wevtutil -description: Identifies attempts to clear Windows event logs with the command wevtutil. -status: experimental -author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame) -date: 2019/10/24 -tags: - - attack.defense_evasion - - attack.t1070 -detection: - selection: - Image: - - '*wevtutil.exe' - CommandLine: - - '* cl *' - condition: selection -falsepositives: - - unknown -level: high -logsource: - category: process_creation - product: windows From 03d08067b5806dac1785f0f9c8a0ea3dc895e411 Mon Sep 17 00:00:00 2001 
From: yugoslavskiy Date: Mon, 11 Nov 2019 02:11:28 +0300 Subject: [PATCH 14/44] Delete win_fsutil_usn_delete.yml redundant with ./rules/windows/process_creation/win_susp_fsutil_usage.yml. authorship has been updated --- .../win_fsutil_usn_delete.yml | 24 ------------------- 1 file changed, 24 deletions(-) delete mode 100644 rules/windows/process_creation/win_fsutil_usn_delete.yml diff --git a/rules/windows/process_creation/win_fsutil_usn_delete.yml b/rules/windows/process_creation/win_fsutil_usn_delete.yml deleted file mode 100644 index bd955931b..000000000 --- a/rules/windows/process_creation/win_fsutil_usn_delete.yml +++ /dev/null @@ -1,24 +0,0 @@ -title: Delete Volume USN Journal with fsutil -description: Identifies use of the fsutil command to delete the volume USNJRNL. This technique is used by attackers to eliminate evidence of files created during post-exploitation activities. -status: experimental -author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame) -date: 2019/10/24 -tags: - - attack.defense_evasion - - attack.t1070 -detection: - selection1: - Image: - - '*fsutil.exe' - CommandLine: - - '*usn*' - selection2: - CommandLine: - - '* deletejournal*' - condition: selection1 and selection2 -falsepositives: - - unknown -level: high -logsource: - category: process_creation - product: windows From 24ea49a2a1e2b7fcf015907bbc9f7a2c568314a5 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 11 Nov 2019 02:57:59 +0300 Subject: [PATCH 15/44] Update win_susp_net_execution.yml --- rules/windows/process_creation/win_susp_net_execution.yml | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/rules/windows/process_creation/win_susp_net_execution.yml b/rules/windows/process_creation/win_susp_net_execution.yml index dfa3e7307..31dd19509 100644 --- a/rules/windows/process_creation/win_susp_net_execution.yml +++ b/rules/windows/process_creation/win_susp_net_execution.yml 
@@ -24,10 +24,6 @@ detection: Image: - '*\net.exe' - '*\net1.exe' - filename: - OriginalFileName: - - 'net.exe' - - 'net1.exe' cmdline: CommandLine: - '* group*' @@ -38,7 +34,7 @@ detection: - '* accounts*' - '* use*' - '* stop *' - condition: selection or filename and cmdline + condition: selection and cmdline fields: - CommandLine - ParentCommandLine From f585c556a479bcc183e086857c06e184223b70ad Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 11 Nov 2019 03:04:54 +0300 Subject: [PATCH 16/44] Update win_hh_chm.yml --- rules/windows/process_creation/win_hh_chm.yml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/rules/windows/process_creation/win_hh_chm.yml b/rules/windows/process_creation/win_hh_chm.yml index 50e3988d3..a4f6756a3 100644 --- a/rules/windows/process_creation/win_hh_chm.yml +++ b/rules/windows/process_creation/win_hh_chm.yml @@ -1,18 +1,20 @@ title: HH.exe execution description: Identifies usage of hh.exe executing recently modified .chm files. status: experimental -author: E.M. Anhaus (orignally from Atomic Blue Detections, Dan Beavin) +author: E.M. Anhaus (orignally from Atomic Blue Detections, Dan Beavin), oscd.community +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1223/T1223.yaml + - https://eqllib.readthedocs.io/en/latest/analytics/b25aa548-7937-11e9-8f5c-d46d6d62a49e.html date: 2019/10/24 +modified: 2019/11/11 tags: - attack.defense_evasion - attack.execution - attack.t1223 detection: selection: - Image: - - '*hh.exe' - CommandLine: - - '* .chm*' + Image|endswith: '\hh.exe' + CommandLine|contains: '.chm' condition: selection falsepositives: - unlike From c584b67095fa4247aa557d39392bd058601f3890 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 11 Nov 2019 03:20:09 +0300 Subject: [PATCH 17/44] Update win_indirect_cmd.yml --- .../process_creation/win_indirect_cmd.yml | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) 
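Review bot: Removing the `filename`/`OriginalFileName` selection drops the only check that survives a renamed net.exe, so the rule is back to trusting `Image` alone. If the motivation was the precedence bug in the old `selection or filename and cmdline` (which Sigma reads as `selection or (filename and cmdline)`, firing on every net.exe start), the fix is `condition: (selection or filename) and cmdline` rather than deleting the selection; if `OriginalFileName` is simply not available in the process_creation field mapping yet, a `description` sentence saying so would stop the next contributor from re-adding it. The `selection` key itself sits above the first hunk.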
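Review bot: The `description` says the rule "Identifies usage of hh.exe executing recently modified .chm files", but the rewritten selection (`Image|endswith: '\hh.exe'`, `CommandLine|contains: '.chm'`) only checks for a `.chm` argument; nothing about file age is or can be evaluated from a process-creation event, so the description over-promises and should read `Identifies usage of hh.exe executing .chm files`. `falsepositives: - unlike` is the same typo this series fixes elsewhere (`win_bootconf_mod.yml`, `win_interactive_at.yml`) and should be `- Unlikely`. The `orignally` typo in `author` is also carried over; the rest of the rule is below the hunk.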
diff --git a/rules/windows/process_creation/win_indirect_cmd.yml b/rules/windows/process_creation/win_indirect_cmd.yml index 316a276ea..41c13d4c5 100644 --- a/rules/windows/process_creation/win_indirect_cmd.yml +++ b/rules/windows/process_creation/win_indirect_cmd.yml @@ -1,19 +1,24 @@ title: Indirect Command Execution -description: Detect indirect command execution via Program Compatibility Assistant pcalua.exe or forfiles.exe. +description: Detect indirect command execution via Program Compatibility Assistant pcalua.exe or forfiles.exe status: experimental -author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame) +author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1202/T1202.yaml + - https://eqllib.readthedocs.io/en/latest/analytics/884a7ccd-7305-4130-82d0-d4f90bc118b6.html date: 2019/10/24 +modified: 2019/11/11 tags: - attack.defense_evasion - attack.t1202 detection: selection: - ParentImage: - - '*pcalua.exe' - - '*forfiles.exe' - condition: selection | count(CommandLine) > 10 + ParentImage|endswith: + - '\pcalua.exe' + - '\forfiles.exe' + condition: selection falsepositives: - - legit usage of scripts + - Need to use extra processing with 'unique_count' / 'filter' to focus on outliers as opposed to commonly seen artifacts + - Legit usage of scripts level: high logsource: category: process_creation From e18ff0b9f921334c58a096af8899f034c6cc702f Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 11 Nov 2019 04:05:21 +0300 Subject: [PATCH 18/44] Update win_interactive_at.yml --- rules/windows/process_creation/win_interactive_at.yml | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/rules/windows/process_creation/win_interactive_at.yml b/rules/windows/process_creation/win_interactive_at.yml index 3333f2ef0..9d04e1681 100644 --- a/rules/windows/process_creation/win_interactive_at.yml 
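Review bot: With `| count(CommandLine) > 10` removed, the rule now fires on every child of `pcalua.exe` or `forfiles.exe` at `level: high`, while the new `falsepositives` entry admits that post-processing (`unique_count` / `filter`) is needed to find outliers; a rule that needs external filtering to be actionable should not carry that severity. Either restore an aggregation the target backends support or lower the level, and move the post-processing guidance from `falsepositives` (which should list benign causes) into `description`, e.g. `Detects processes spawned by pcalua.exe or forfiles.exe; expect benign script usage and apply outlier analysis on CommandLine to prioritise.`. The `orignally` typo in `author` is carried over.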
+++ b/rules/windows/process_creation/win_interactive_at.yml @@ -1,20 +1,19 @@ title: Interactive AT Job description: Detect an interactive AT job, which may be used as a form of privilege escalation. status: experimental -author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame) +author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community date: 2019/10/24 +modified: 2019/11/11 tags: - attack.privilege_escalation - attack.t1053 detection: selection: - Image: - - '*at.exe' - CommandLine: - - '* interactive*' + Image|endswith: '\at.exe' + CommandLine|contains: 'interactive' condition: selection falsepositives: - - unlike (at.exe deprecated as of Windows 8) + - Unlikely (at.exe deprecated as of Windows 8) level: high logsource: category: process_creation From 119a3417c615112216d23fb6a15e72ad222246cd Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 11 Nov 2019 04:06:37 +0300 Subject: [PATCH 19/44] Update win_interactive_at.yml --- rules/windows/process_creation/win_interactive_at.yml | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/rules/windows/process_creation/win_interactive_at.yml b/rules/windows/process_creation/win_interactive_at.yml index 9d04e1681..b7c3340e7 100644 --- a/rules/windows/process_creation/win_interactive_at.yml +++ b/rules/windows/process_creation/win_interactive_at.yml @@ -1,7 +1,10 @@ title: Interactive AT Job -description: Detect an interactive AT job, which may be used as a form of privilege escalation. +description: Detect an interactive AT job, which may be used as a form of privilege escalation status: experimental author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1053/T1053.yaml + - https://eqllib.readthedocs.io/en/latest/analytics/d8db43cf-ed52-4f5c-9fb3-c9a4b95a0b56.html date: 2019/10/24 modified: 2019/11/11 tags: 
From 20a116cde5419a9da04ddff85b911020af91f497 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Mon, 11 Nov 2019 21:46:54 +0300 Subject: [PATCH 20/44] Update win_lsass_dump.yml --- .../process_creation/win_lsass_dump.yml | 27 ++++++++++--------- 1 file changed, 15 insertions(+), 12 deletions(-) diff --git a/rules/windows/process_creation/win_lsass_dump.yml b/rules/windows/process_creation/win_lsass_dump.yml index c0f7f9e74..0124c25f3 100644 --- a/rules/windows/process_creation/win_lsass_dump.yml +++ b/rules/windows/process_creation/win_lsass_dump.yml @@ -1,27 +1,30 @@ title: LSASS Memory Dumping description: Detect creation of dump files containing the memory space of lsass.exe, which contains sensitive credentials. Identifies usage of Sysinternals procdump.exe to export the memory space of lsass.exe which contains sensitive credentials. status: experimental -author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert) +author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community date: 2019/10/24 +modified: 2019/11/11 +references: + - https://eqllib.readthedocs.io/en/latest/analytics/1e1ef6be-12fc-11e9-8d76-4d6bb837cda4.html + - https://eqllib.readthedocs.io/en/latest/analytics/210b4ea4-12fc-11e9-8d76-4d6bb837cda4.html + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003/T1003.yaml tags: - attack.credential_access - attack.t1003 detection: selection1: - CommandLine: - - '* lsass*.dmp*' + CommandLine|contains|all: + - 'lsass' + - '.dmp' selection2: - Image: - - '*werfault.exe' + Image|endswith: '\werfault.exe' selection3: - Image: - - '*procdump*.exe' - selection4: - CommandLine: - - '* lsass*' - condition: selection1 and not selection2 or selection3 and selection4 + Image|contains: '\procdump' + Image|endswith: '.exe' + CommandLine|contains: 'lsass' + condition: selection1 and not selection2 or selection3 falsepositives: - - unlike + - Unlikely level: high logsource: category: process_creation 
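Review bot: The new `condition: selection1 and not selection2 or selection3` relies on operator precedence; Sigma binds `and`/`not` tighter than `or`, so this is `(selection1 and not selection2) or selection3`, which appears to be the intent, but it should be written with the parentheses so reviewers and backends agree: `condition: (selection1 and not selection2) or selection3`. In `selection3`, `Image|contains: '\procdump'` together with `Image|endswith: '.exe'` matches `procdump64.exe` as intended but also any image whose path contains a `\procdump` directory; if that is accepted it is worth a comment. The `description` covers both the dump-file and procdump cases, which is consistent with the two-branch condition.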
From f169163d3e34dbadcb6ed4a5bc7d15d6649db378 Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Mon, 11 Nov 2019 21:49:46 +0300
Subject: [PATCH 21/44] Update win_mshta_javascript.yml
---
.../process_creation/win_mshta_javascript.yml | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/rules/windows/process_creation/win_mshta_javascript.yml b/rules/windows/process_creation/win_mshta_javascript.yml
index 678efff6c..86ab993e7 100644
--- a/rules/windows/process_creation/win_mshta_javascript.yml
+++ b/rules/windows/process_creation/win_mshta_javascript.yml
@@ -1,18 +1,20 @@
title: Mshta Network Connections
-description: Identifies suspicious mshta.exe commands.
+description: Identifies suspicious mshta.exe commands
status: experimental
-author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame)
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
date: 2019/10/24
+modified: 2019/11/11
+references:
+ - https://eqllib.readthedocs.io/en/latest/analytics/6bc283c4-21f2-4aed-a05c-a9a3ffa95dd4.html
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1170/T1170.yaml
tags:
- attack.execution
- attack.defense_evasion
- attack.t1170
detection:
selection:
- Image:
- - '*mshta.exe'
- CommandLine:
- - '* javascript*'
+ Image|endswith: '\mshta.exe'
+ CommandLine|contains: 'javascript'
condition: selection
falsepositives:
- unknown
@@ -20,3 +22,4 @@ level: high
logsource:
category: process_creation
product: windows
+## todo — add sysmon eid 3 for this rule
From b181f0933931e3a54b7b4ddd7f8e4f1149928025 Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Mon, 11 Nov 2019 21:53:18 +0300
Subject: [PATCH 22/44] Update win_net_enum.yml
---
rules/windows/process_creation/win_net_enum.yml | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/rules/windows/process_creation/win_net_enum.yml b/rules/windows/process_creation/win_net_enum.yml
index 947b48121..c76da83c6 100644
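Review bot: `title: Mshta Network Connections` does not describe what the rule matches: the selection is a process_creation match on `Image|endswith: '\mshta.exe'` with `javascript` in the command line, and the `## todo — add sysmon eid 3 for this rule` line appended in the second hunk concedes that the network-connection part does not exist. Either rename the rule to what it detects, e.g. `title: Mshta JavaScript Execution`, or hold it back until the EID 3 logic is written; shipping it as `status: experimental` with a `modified:` date and a trailing todo invites it being treated as finished. If the todo stays, place it as `# TODO: ...` next to `logsource:` rather than as a bare `##` line after `product: windows`, where it is easy to miss.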
--- a/rules/windows/process_creation/win_net_enum.yml
+++ b/rules/windows/process_creation/win_net_enum.yml
@@ -5,6 +5,7 @@ references:
- https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html
author: Endgame, JHasenbusch (ported for oscd.community)
date: 2018/11/30
+modified: 2019/11/11
tags:
- attack.discovery
- attack.t1018
@@ -13,11 +14,13 @@ logsource:
product: windows
detection:
selection:
- Image: '*\net.exe'
- CommandLine: '* view*'
+ Image|endswith:
+ - '\net.exe'
+ - '\net1.exe'
+ CommandLine|contains: 'view'
filter:
- CommandLine: '*\\\\*'
+ CommandLine|contains: '\\'
condition: selection and not filter
falsepositives:
- - unknown
+ - Legitimate use of net.exe utility by legitimate user
level: low
From 81b373cea70d73766c86c607addf26c09fd202b0 Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Mon, 11 Nov 2019 21:54:23 +0300
Subject: [PATCH 23/44] Update win_net_enum.yml
---
rules/windows/process_creation/win_net_enum.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/rules/windows/process_creation/win_net_enum.yml b/rules/windows/process_creation/win_net_enum.yml
index c76da83c6..41b67c704 100644
--- a/rules/windows/process_creation/win_net_enum.yml
+++ b/rules/windows/process_creation/win_net_enum.yml
@@ -3,6 +3,7 @@ status: stable
description: Identifies attempts to enumerate hosts in a network using the built-in Windows net.exe tool.
references:
- https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.yaml
author: Endgame, JHasenbusch (ported for oscd.community)
date: 2018/11/30
modified: 2019/11/11
From 8d9e293143f81ec2f5249b3c1636e56a2ec4c139 Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Mon, 11 Nov 2019 22:00:46 +0300
Subject: [PATCH 24/44] Update win_net_user_add.yml
---
rules/windows/process_creation/win_net_user_add.yml | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
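Review bot: `CommandLine|contains: '\\'` in the filter is not equivalent to the removed `'*\\\\*'`: under Sigma's escaping rules a double backslash in a value denotes one literal backslash (four denote two), so the filter now suppresses any command line containing a single backslash at all — including a fully qualified `C:\Windows\System32\net.exe view`, which is exactly the enumeration the selection is meant to catch (hedged: this depends on the backend honouring the spec's backslash handling). Keep the two-backslash UNC meaning, `CommandLine|contains: '\\\\'`, and record why the filter exists, e.g. `# 'net view \\host' lists a single host's shares; only bare 'net view' (host enumeration) is of interest`. The PATCH 23 hunk that follows only adds a reference.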
diff --git a/rules/windows/process_creation/win_net_user_add.yml b/rules/windows/process_creation/win_net_user_add.yml
index 99ebe7bf5..951600fd2 100644
--- a/rules/windows/process_creation/win_net_user_add.yml
+++ b/rules/windows/process_creation/win_net_user_add.yml
@@ -1,10 +1,12 @@
title: Net.exe User Account Creation
status: experimental
-description: Identifies creation of local users via the net[1].exe command.
+description: Identifies creation of local users via the net.exe command
references:
- https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.yaml
author: Endgame, JHasenbusch (adapted to sigma for oscd.community)
date: 2018/30/11
+modified: 2019/11/11
tags:
- attack.persistance
- attack.credential_access
@@ -14,8 +16,14 @@ logsource:
product: windows
detection:
selection:
- CommandLine: '*\net*.exe * user */ad*'
+ Image|endswith:
+ - '\net.exe'
+ - '\net1.exe'
+ CommandLine|contains|all:
+ - 'user'
+ - 'add'
condition: selection
falsepositives:
- Legit user creation
+ - Better use event ids for user creation rather than command line rules
level: low
From 90bf1c41877bc5f58f3375c2ca39ab462a4b8c44 Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Mon, 11 Nov 2019 22:03:49 +0300
Subject: [PATCH 25/44] Update win_powershell_audio_capture.yml
---
.../win_powershell_audio_capture.yml | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/rules/windows/process_creation/win_powershell_audio_capture.yml b/rules/windows/process_creation/win_powershell_audio_capture.yml
index 4865300e1..dbfdf05db 100644
--- a/rules/windows/process_creation/win_powershell_audio_capture.yml
+++ b/rules/windows/process_creation/win_powershell_audio_capture.yml
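Review bot: `CommandLine|contains|all:` with the bare words `'user'` and `'add'` is far looser than the removed `'*\net*.exe * user */ad*'`: both substrings occur in unrelated net.exe commands, so e.g. `net localgroup "Remote Desktop Users" bob /add` (group membership, not account creation) now fires a rule titled "User Account Creation", while the sub-command/switch relationship the old pattern encoded is gone. Keep the switch anchor: `- 'user'` and `- '/ad'` (the old pattern matched `/ad` because `/add` may be abbreviated; use `'/add'` if the abbreviation is not wanted). The added `falsepositives` entry `Better use event ids for user creation rather than command line rules` is guidance, not a false positive; it belongs in `description` or a comment.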
@@ -1,18 +1,21 @@
title: Audio Capture via PowerShell
-description: Detect attacker collecting audio via PowerShell Cmdlet.
+description: Detects audio capture via PowerShell Cmdlet
status: experimental
-author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame)
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
date: 2019/10/24
+modified: 2019/11/11
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1123/T1123.yaml
+ - https://eqllib.readthedocs.io/en/latest/analytics/ab7a6ef4-0983-4275-a4f1-5c6bd3c31c23.html
tags:
- attack.collection
- attack.t1123
detection:
selection:
- CommandLine:
- - '* WindowsAudioDevice-Powershell-Cmdlet *'
+ CommandLine|contains: 'WindowsAudioDevice-Powershell-Cmdlet'
condition: selection
falsepositives:
- - legit audio capture
+ - Legitimate audio capture by legitimate user
level: medium
logsource:
category: process_creation
From bf4c2a508de3b1071400da70f88d2ebcefdae3bd Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Mon, 11 Nov 2019 22:06:57 +0300
Subject: [PATCH 26/44] Update win_powershell_bitsjob.yaml
---
.../windows/process_creation/win_powershell_bitsjob.yaml | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/rules/windows/process_creation/win_powershell_bitsjob.yaml b/rules/windows/process_creation/win_powershell_bitsjob.yaml
index 2eb6db523..1bbba2098 100644
--- a/rules/windows/process_creation/win_powershell_bitsjob.yaml
+++ b/rules/windows/process_creation/win_powershell_bitsjob.yaml
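Review bot: `description: Detects audio capture via PowerShell Cmdlet` overstates the logic: the only match is the literal module name `WindowsAudioDevice-Powershell-Cmdlet` in the command line, and nothing ties the event to PowerShell (no `Image` constraint). A description that matches what fires would be `description: Detects invocation of the WindowsAudioDevice-Powershell-Cmdlet module, which can be used to capture audio`; if the rule is meant to be PowerShell-specific, add `Image|endswith: '\powershell.exe'` as the bitsjob rule in the next patch does.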
@@ -1,10 +1,12 @@
title: Suspicious Bitsadmin Job via PowerShell
status: experimental
-description: Detect download of BITS jobs via PowerShell.
+description: Detect download by BITS jobs via PowerShell
references:
- https://eqllib.readthedocs.io/en/latest/analytics/ec5180c9-721a-460f-bddc-27539a284273.html
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1197/T1197.md
author: Endgame, JHasenbusch (ported to sigma for oscd.community)
-date: 2018/30/11
+date: 2018/10/30
+modified: 2019/11/11
tags:
- attack.defense_evasion
- attack.persistence
@@ -14,7 +16,8 @@ logsource:
product: windows
detection:
selection:
- CommandLine: '*powershell.exe *Start-BitsTransfer*'
+ Image|endswith: '\powershell.exe'
+ CommandLine|contains: 'Start-BitsTransfer'
condition: selection
falsepositives:
- Unknown
From 4635c5b1f9281b6f1ee02cd9dee6fda02fb347d1 Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Mon, 11 Nov 2019 22:35:43 +0300
Subject: [PATCH 27/44] Update win_net_user_add.yml
---
rules/windows/process_creation/win_net_user_add.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_net_user_add.yml b/rules/windows/process_creation/win_net_user_add.yml
index 951600fd2..7dbef3b56 100644
--- a/rules/windows/process_creation/win_net_user_add.yml
+++ b/rules/windows/process_creation/win_net_user_add.yml
@@ -5,7 +5,7 @@ references:
- https://eqllib.readthedocs.io/en/latest/analytics/014c3f51-89c6-40f1-ac9c-5688f26090ab.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1136/T1136.yaml
author: Endgame, JHasenbusch (adapted to sigma for oscd.community)
-date: 2018/30/11
+date: 2018/10/30
modified: 2019/11/11
tags:
- attack.persistance
From ef55a580cf38516cc1d9ca24533cc0a9f28860fe Mon Sep 17 00:00:00 2001
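Review bot: `Image|endswith: '\powershell.exe'` in the second hunk limits the rule to the Windows PowerShell host, while `Start-BitsTransfer` is equally available from PowerShell Core (`pwsh.exe`); the removed command-line pattern had the same gap, but now that `Image` is a list-capable field it costs one line: `Image|endswith:` with `- '\powershell.exe'` and `- '\pwsh.exe'`. The corrected description `Detect download by BITS jobs via PowerShell` is still awkward; `Detects file downloads via the Start-BitsTransfer PowerShell cmdlet` names what the selection actually matches. The PATCH 27 hunk below is a date fix only.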
From: yugoslavskiy
Date: Mon, 11 Nov 2019 22:36:00 +0300
Subject: [PATCH 28/44] Update win_net_enum.yml
---
rules/windows/process_creation/win_net_enum.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_net_enum.yml b/rules/windows/process_creation/win_net_enum.yml
index 41b67c704..62d76d6db 100644
--- a/rules/windows/process_creation/win_net_enum.yml
+++ b/rules/windows/process_creation/win_net_enum.yml
@@ -5,7 +5,7 @@ references:
- https://eqllib.readthedocs.io/en/latest/analytics/b8a94d2f-dc75-4630-9d73-1edc6bd26fff.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1018/T1018.yaml
author: Endgame, JHasenbusch (ported for oscd.community)
-date: 2018/11/30
+date: 2018/10/30
modified: 2019/11/11
tags:
- attack.discovery
From 4c10a36e940ba2d7c77b71bd5663f7320552624c Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Mon, 11 Nov 2019 22:51:35 +0300
Subject: [PATCH 29/44] Update win_remote_time_discovery.yml
---
.../win_remote_time_discovery.yml | 31 +++++++++++--------
1 file changed, 18 insertions(+), 13 deletions(-)
diff --git a/rules/windows/process_creation/win_remote_time_discovery.yml b/rules/windows/process_creation/win_remote_time_discovery.yml
index 20813ab4b..55491edc2 100644
--- a/rules/windows/process_creation/win_remote_time_discovery.yml
+++ b/rules/windows/process_creation/win_remote_time_discovery.yml
@@ -1,23 +1,28 @@
-title: Command-Line Creation of a RAR file
-description: Identifies use of various commands to query a remote system’s time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.
+title: Discovery of a system time
+description: Identifies use of various commands to query a system’s time. This technique may be used before executing a scheduled task or to discover the time zone of a target system.
status: experimental
-author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame)
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
date: 2019/10/24
+modified: 2019/11/11
+references:
+ - https://eqllib.readthedocs.io/en/latest/analytics/fcdb99c2-ac3c-4bde-b664-4b336329bed2.html
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1124/T1124.md
tags:
- attack.discovery
- attack.t1124
detection:
- selection1:
- Image:
- - '*net.exe'
- CommandLine:
- - '* time *'
- selection2:
- CommandLine:
- - '*\\\*'
- condition: selection1 and selection2
+ selection:
+ - Image|endswith:
+ - '\net.exe'
+ - '\net1.exe'
+ CommandLine|contains: 'time'
+ - Image|endswith: '\w32tm.exe'
+ CommandLine|contains: 'tz'
+ - Image|endswith: '\powershell.exe'
+ CommandLine|contains: 'Get-Date'
+ condition: selection
falsepositives:
- - legit admin usage
+ - Legitimate use of the system utilities to discover system time for legitimate reason
level: high
logsource:
category: process_creation
From 7f975f5878e735dd16f61a3dcb62dfb30ec7c569 Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Mon, 11 Nov 2019 23:02:13 +0300
Subject: [PATCH 30/44] Update win_trust_discovery.yml
---
.../process_creation/win_trust_discovery.yml | 20 +++++++++++--------
1 file changed, 12 insertions(+), 8 deletions(-)
diff --git a/rules/windows/process_creation/win_trust_discovery.yml b/rules/windows/process_creation/win_trust_discovery.yml
index 2929f545d..3f667eaf0 100644
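Review bot: The three new selection branches are much broader than the removed `selection1 and selection2`, which also demanded a remote-target argument, yet `level: high` is kept unchanged: `CommandLine|contains: 'time'` on net.exe also matches `net user <name> /times:...`, and `Get-Date` on powershell.exe appears in countless benign scripts, so this will be noisy in any real environment. Either lower the severity (`level: low` or `level: medium`), or re-introduce a remote-host constraint for the net.exe branch so the rule matches its original "remote system" purpose. `title: Discovery of a system time` also reads oddly; `title: System Time Discovery` mirrors the T1124 technique name the rule is tagged with.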
--- a/rules/windows/process_creation/win_trust_discovery.yml
+++ b/rules/windows/process_creation/win_trust_discovery.yml
@@ -1,20 +1,24 @@
-title: Domain Trust Discovery via Nltest.exe
-description: Identifies execution of nltest.exe for domain trust discovery. This technique is used by attackers to enumerate Active Directory trusts.
+title: Domain Trust Discovery
+description: Identifies execution of nltest.exe and dsquery.exe for domain trust discovery. This technique is used by attackers to enumerate Active Directory trusts.
status: experimental
-author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert)
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community
date: 2019/10/24
+modified: 2019/11/11
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1482/T1482.md
+ - https://eqllib.readthedocs.io/en/latest/analytics/03e231a6-74bc-467a-acb1-e5676b0fb55e.html
tags:
- attack.discovery
- attack.t1482
detection:
selection:
- Image:
- - '*nltest.exe'
- CommandLine:
- - '* domain_trusts*'
+ - Image|endswith: '\nltest.exe'
+ CommandLine|contains: 'domain_trusts'
+ - Image|endswith: '\dsquery.exe'
+ CommandLine|contains: 'trustedDomain'
condition: selection
falsepositives:
- - unlike
+ - Legitimate use of the utilities by legitimate user for legitimate reason
level: high
logsource:
category: process_creation
From f991bf20b0cbe6673333d29f4b9f92e47a17bbb2 Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Mon, 11 Nov 2019 23:05:43 +0300
Subject: [PATCH 31/44] Update win_uac_cmstp.yml
---
.../windows/process_creation/win_uac_cmstp.yml | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/rules/windows/process_creation/win_uac_cmstp.yml b/rules/windows/process_creation/win_uac_cmstp.yml
index 915b9b2e9..7acc1a1f0 100644
--- a/rules/windows/process_creation/win_uac_cmstp.yml
+++ b/rules/windows/process_creation/win_uac_cmstp.yml
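Review bot: `- Legitimate use of the utilities by legitimate user for legitimate reason` gives an analyst nothing to triage against; the removed `unlike` was terse but at least expressed a judgement. A useful `falsepositives` entry names the benign activity that produces the same events, e.g. `- Domain trust enumeration by administrators or monitoring tooling`. The same "by legitimate user" filler is used for the new `falsepositives` lines in win_net_enum.yml, win_powershell_audio_capture.yml, win_remote_time_discovery.yml, win_uac_cmstp.yml and win_uac_fodhelper.yml in this series and should be made concrete in each.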
@@ -1,8 +1,12 @@
title: Bypass UAC via CMSTP
description: Detect child processes of automatically elevated instances of Microsoft Connection Manager Profile Installer (cmstp.exe).
status: experimental
-author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame)
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Endgame), oscd.community
+modified: 2019/11/11
date: 2019/10/24
+references:
+ - https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1191/T1191.md
tags:
- attack.defense_evasion
- attack.execution
@@ -10,14 +14,13 @@ tags:
- attack.t1088
detection:
selection:
- Image:
- - "*\\cmstp.exe"
- CommandLine:
- - "* /s *"
- - "* /au *"
+ Image|endswith: '\cmstp.exe'
+ CommandLine|contains:
+ - '/s'
+ - '/au'
condition: selection
falsepositives:
- - unlikely
+ - Legitimate use of cmstp.exe utility by legitimate user
level: high
logsource:
category: process_creation
From 49fb6bdf8f5dcf583a6b4bf0e5403336df976154 Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Mon, 11 Nov 2019 23:10:49 +0300
Subject: [PATCH 32/44] Update win_uac_fodhelper.yml
---
rules/windows/process_creation/win_uac_fodhelper.yml | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/rules/windows/process_creation/win_uac_fodhelper.yml b/rules/windows/process_creation/win_uac_fodhelper.yml
index d811ca637..9947b1f97 100644
--- a/rules/windows/process_creation/win_uac_fodhelper.yml
+++ b/rules/windows/process_creation/win_uac_fodhelper.yml
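Review bot: `CommandLine|contains:` with `'/s'` and `'/au'` drops the surrounding spaces of the removed `"* /s *"` / `"* /au *"`, so `/s` now also matches inside any forward-slash path or URL argument on the cmstp.exe command line rather than only the switch; keep the delimiters: `- ' /s '` and `- ' /au '`. In the first hunk `modified: 2019/11/11` is inserted before `date: 2019/10/24`, the reverse of every other rule in this series; move it below `date:` for consistency. The `description` still says "child processes" although the selection matches `Image|endswith: '\cmstp.exe'` itself, not its children — one of the two should change.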
@@ -1,18 +1,21 @@
title: Bypass UAC via Fodhelper.exe
description: Identifies use of Fodhelper.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
status: experimental
-author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert)
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community
date: 2019/10/24
+modified: 2019/11/11
+references:
+ - https://eqllib.readthedocs.io/en/latest/analytics/e491ce22-792f-11e9-8f5c-d46d6d62a49e.html
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1088/T1088.md
tags:
- attack.privilege_escalation
- attack.t1088
detection:
selection:
- ParentImage:
- - "*\fodhelper.exe"
+ ParentImage|endswith: '\fodhelper.exe'
condition: selection
falsepositives:
- - unlikely
+ - Legitimate use of fodhelper.exe utility by legitimate user
level: high
logsource:
category: process_creation
From 38d0f832a48ee9472ab374c062d04d474224c524 Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Wed, 11 Nov 2019 23:13:28 +0300
Subject: [PATCH 33/44] Update win_uac_wsreset.yml
---
rules/windows/process_creation/win_uac_wsreset.yml | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/rules/windows/process_creation/win_uac_wsreset.yml b/rules/windows/process_creation/win_uac_wsreset.yml
index a4314c5ce..928264392 100644
--- a/rules/windows/process_creation/win_uac_wsreset.yml
+++ b/rules/windows/process_creation/win_uac_wsreset.yml
@@ -1,21 +1,22 @@
title: Bypass UAC via WSReset.exe
description: Identifies use of WSReset.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
status: experimental
-author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert)
+author: E.M. Anhaus (orignally from Atomic Blue Detections, Tony Lambert), oscd.community
date: 2019/10/24
+modified: 2019/11/11
+references:
+ - https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html
tags:
- attack.privilege_escalation
- attack.t1088
detection:
selection:
- ParentImage:
- - '*wsreset.exe'
+ ParentImage|endswith: '\wsreset.exe'
filter:
- Image:
- - '*conhost.exe'
+ Image|endswith: '\conhost.exe'
condition: selection and not filter
falsepositives:
- - unknown
+ - Unknown
level: high
logsource:
category: process_creation
From 1f142f661356f244cd666e898701d83228eabc7e Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Mon, 11 Nov 2019 23:22:47 +0300
Subject: [PATCH 34/44] Delete win_reg_sam_dumping.yml redundant with https://github.com/Neo23x0/sigma/pull/516/files#diff-2f8d87b345d7d8c228d22b7a3b83c6ee authorship has been updated
---
.../process_creation/win_reg_sam_dumping.yml | 32 -------------------
1 file changed, 32 deletions(-)
delete mode 100644 rules/windows/process_creation/win_reg_sam_dumping.yml
diff --git a/rules/windows/process_creation/win_reg_sam_dumping.yml b/rules/windows/process_creation/win_reg_sam_dumping.yml
deleted file mode 100644
index 6e01cb270..000000000
--- a/rules/windows/process_creation/win_reg_sam_dumping.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: SAM Dumping via Reg.exe
-status: experimental
-description: Identifies usage of reg.exe to export registry hives which contain the SAM and LSA secrets.
-references:
- - https://eqllib.readthedocs.io/en/latest/analytics/aed95fc6-5e3f-49dc-8b35-06508613f979.html
-author: Endgame, JHasenbusch (ported to sigma for oscd.community)
-date: 2018/30/11
-tags:
- - attack.credential_access
- - attack.t1003
-logsource:
- category: process_creation
- product: windows
-detection:
- selection1:
- Image: '*\reg.exe'
- CommandLine:
- - '* save *'
- - '* export *'
- selection2:
- CommandLine:
- - '*hklm*'
- - '*hkey_local_machine*'
- selection3:
- CommandLine:
- - '*\\sam *'
- - '*\\security *'
- - '*\\system *'
- condition: selection1 and selection2 and selection3
-falsepositives:
- - Unknown
-level: low
From 26479485e61f31fe4875b1d7f63749c6e5fc278c Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Wed, 13 Nov 2019 23:34:46 +0300
Subject: [PATCH 35/44] Update win_new_or_renamed_user_account_with_dollar_sign.yml
---
..._renamed_user_account_with_dollar_sign.yml | 25 +++++++------------
1 file changed, 9 insertions(+), 16 deletions(-)
diff --git a/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml b/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml
index 4f55fd485..393d8a45f 100644
--- a/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml
+++ b/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml
@@ -6,7 +6,16 @@ tags:
- attack.t1036
author: Ilyas Ochkov, oscd.community
date: 2019/10/25
+modified: 2019/11/13
+logsource:
+ product: windows
+ service: security
detection:
+ selection:
+ EventID:
+ - 4720 # create user
+ - 4781 # rename user
+ UserName|contains: '$' #SamAccountName
condition: 1 of them
fields:
- EventID
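Review bot: `UserName|contains: '$' #SamAccountName` now serves both event IDs, but the per-event documents this hunk collapses recorded that the source field differs — `SamAccountName` for 4720 and `NewTargetUserName` for 4781 (the dropped `#NewTargetUserName` comment is visible in the next hunk). Whether one `UserName` field maps onto both depends on the backend's field mapping, so keep that knowledge in the rule: `UserName|contains: '$'  # 4720: SamAccountName, 4781: NewTargetUserName (backend field mapping)`. The `falsepositives` entry `- Unkown` left as context in the following hunk is a typo (`Unknown`) that also appears in the MiniNt, AppCertDlls and AppInit_Dlls rules later in this series.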
@@ -15,19 +24,3 @@ fields:
falsepositives:
- Unkown
level: medium
----
-logsource:
- product: windows
- service: security
-detection:
- create_user:
- EventID: 4720
- UserName: '*$*' #SamAccountName
----
-logsource:
- product: windows
- service: security
-detection:
- rename_user:
- EventID: 4781
- UserName: '*$*' #NewTargetUserName
From 7f01a5b1bba2f3784acd469be30b4baf77e4c126 Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Wed, 13 Nov 2019 23:35:59 +0300
Subject: [PATCH 36/44] Update win_new_or_renamed_user_account_with_dollar_sign.yml
---
.../win_new_or_renamed_user_account_with_dollar_sign.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml b/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml
index 393d8a45f..4b1924c1a 100644
--- a/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml
+++ b/rules/windows/builtin/win_new_or_renamed_user_account_with_dollar_sign.yml
@@ -16,7 +16,7 @@ detection:
- 4720 # create user
- 4781 # rename user
UserName|contains: '$' #SamAccountName
- condition: 1 of them
+ condition: selection
fields:
- EventID
- UserName
From d8447946d6c01687eae6ba2800b2ac34aa38f3a9 Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Wed, 13 Nov 2019 23:37:25 +0300
Subject: [PATCH 37/44] Update win_suspicious_outbound_kerberos_connection.yml
---
.../win_suspicious_outbound_kerberos_connection.yml | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml b/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml
index 4167b05c3..df534a554 100644
--- a/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml
+++ b/rules/windows/builtin/win_suspicious_outbound_kerberos_connection.yml
@@ -5,6 +5,7 @@ references:
- https://github.com/GhostPack/Rubeus8
author: Ilyas Ochkov, oscd.community
date: 2019/10/24
+modified: 2019/11/13
tags:
- attack.lateral_movement
- attack.t1208
@@ -16,12 +17,12 @@ detection:
EventID: 5156
DestinationPort: 88
filter:
- Image:
- - '*\lsass.exe'
- - '*\opera.exe'
- - '*\chrome.exe'
- - '*\firefox.exe'
+ Image|endswith:
+ - '\lsass.exe'
+ - '\opera.exe'
+ - '\chrome.exe'
+ - '\firefox.exe'
condition: selection and not filter
falsepositives:
- Other browsers
-level: high
\ No newline at end of file
+level: high
From e6e308ef519b2b8c70c0627acd87ab71a241ffce Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Wed, 13 Nov 2019 23:40:29 +0300
Subject: [PATCH 38/44] Update sysmon_disable_security_events_logging_adding_reg_key_minint.yml
---
...y_events_logging_adding_reg_key_minint.yml | 31 +++++++------------
1 file changed, 12 insertions(+), 19 deletions(-)
diff --git a/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml b/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml
index 12afd3d55..57be53774 100644
--- a/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml
+++ b/rules/windows/sysmon/sysmon_disable_security_events_logging_adding_reg_key_minint.yml
@@ -8,8 +8,19 @@ tags:
- attack.t1089
author: Ilyas Ochkov, oscd.community
date: 2019/10/25
+modified: 2019/11/13
+logsource:
+ product: windows
+ service: sysmon
detection:
- condition: 1 of them
+ selection:
+ - EventID: 12 # key create
+ TargetObject|contains: '\SYSTEM\'
+ TargetObject|endswith: '\Control\MiniNt'
+ - EventID: 14 # key rename
+ NewName|contains: '\SYSTEM\'
+ NewName|endswith: '\Control\MiniNt'
+ condition: selection
fields:
- EventID
- Image
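Review bot: In the PATCH 38 hunk, `- EventID: 12 # key create` documents Sysmon EID 12 as key creation only, but Sysmon reports both creation and deletion of registry objects under EID 12 and distinguishes them through its `EventType` field, so this branch also fires when the MiniNt key is removed. That is arguably useful for this rule, but the comment should not mislead the next reader: `- EventID: 12 # key create or delete (EventType distinguishes)`, and if only creation is wanted, add the `EventType` constraint. The same `# key create` comment is repeated in the AppCertDlls and AppInit_Dlls rules later in this series.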
@@ -18,21 +29,3 @@ fields:
falsepositives:
- Unkown
level: high
----
-logsource:
- product: windows
- service: sysmon
-detection:
- key_create:
- EventID: 12
- TargetObject:
- - '*\SYSTEM\*\Control\MiniNt'
----
-logsource:
- product: windows
- service: sysmon
-detection:
- key_rename:
- EventID: 14
- NewName:
- - '*\SYSTEM\*\Control\MiniNt'
From bba360212ab0c09034d7bad38f3ca4f78c7af9b1 Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Wed, 13 Nov 2019 23:43:45 +0300
Subject: [PATCH 39/44] Update sysmon_new_dll_added_to_appcertdlls_registry_key.yml
---
..._dll_added_to_appcertdlls_registry_key.yml | 41 +++++++------------
1 file changed, 14 insertions(+), 27 deletions(-)
diff --git a/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml b/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml
index 1deb58c74..b943d0c56 100644
--- a/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml
+++ b/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml
@@ -9,7 +9,21 @@ tags:
- attack.t1182
author: Ilyas Ochkov, oscd.community
date: 2019/10/25
+modified: 2019/11/13
detection:
+logsource:
+ product: windows
+ service: sysmon
+detection:
+ selection:
+ - EventID:
+ - 12 # key create
+ - 13 # value set
+ TargetObject|contains: '\SYSTEM\'
+ TargetObject|endswith: '\Control\Session Manager\AppCertDlls'
+ - EventID: 14 # key rename
+ NewName|contains: '\SYSTEM\'
+ NewName|endswith: '\Control\Session Manager\AppCertDlls'
condition: 1 of them
fields:
- EventID
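Review bot: For the `13 # value set` branch of the PATCH 39 hunk, `TargetObject|endswith: '\Control\Session Manager\AppCertDlls'` will, if I recall Sysmon's EID 13 format correctly, almost never match: for value-set events `TargetObject` is the full path including the value name (`...\AppCertDlls\<value name>`), so only the key's default value would end with `AppCertDlls`, and a DLL registered as a named value under the key — the case the title describes — is missed. Split the branch so EID 13 matches on the key as a prefix while EID 12 keeps the exact suffix, as below; the EID 14 branch is unaffected. The NEW side of this hunk also ends up with two `detection:` keys (the original empty one above `+logsource:` and the added one), which PATCH 44 later removes.

```yaml
selection:
  - EventID: 12 # key create or delete
    TargetObject|contains: '\SYSTEM\'
    TargetObject|endswith: '\Control\Session Manager\AppCertDlls'
  - EventID: 13 # value set: TargetObject carries the value name after the key
    TargetObject|contains: '\SYSTEM\'
    TargetObject|contains: '\Control\Session Manager\AppCertDlls\'
  # … unchanged: EventID 14 (key rename) branch …
```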
@@ -19,30 +33,3 @@ fields:
falsepositives:
- Unkown
level: medium
----
-logsource:
- product: windows
- service: sysmon
-detection:
- key_create:
- EventID: 12
- TargetObject:
- - '*\SYSTEM\*\Control\Session Manager\AppCertDlls'
----
-logsource:
- product: windows
- service: sysmon
-detection:
- value_set:
- EventID: 13
- TargetObject:
- - '*\SYSTEM\*\Control\Session Manager\AppCertDlls'
----
-logsource:
- product: windows
- service: sysmon
-detection:
- key_rename:
- EventID: 14
- NewName:
- - '*\SYSTEM\*\Control\Session Manager\AppCertDlls'
From 0cb1d4fdbd5e0751df6622b554f68c34f45b18a2 Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Wed, 13 Nov 2019 23:44:03 +0300
Subject: [PATCH 40/44] Update sysmon_new_dll_added_to_appcertdlls_registry_key.yml
---
.../sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml b/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml
index b943d0c56..8ae921c7c 100644
--- a/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml
+++ b/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml
@@ -24,7 +24,7 @@ detection:
- EventID: 14 # key rename
NewName|contains: '\SYSTEM\'
NewName|endswith: '\Control\Session Manager\AppCertDlls'
- condition: 1 of them
+ condition: selection
fields:
- EventID
- Image
From ded75d033afc097c1dcbc62ad64aad1a624ff92e Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Wed, 13 Nov 2019 23:47:24 +0300
Subject: [PATCH 41/44] Update sysmon_new_dll_added_to_appinit_dlls_registry_key.yml
---
...dll_added_to_appinit_dlls_registry_key.yml | 42 +++++++------------
1 file changed, 14 insertions(+), 28 deletions(-)
diff --git a/rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml b/rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml
index 77304269a..c660735b6 100644
--- a/rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml
+++ b/rules/windows/sysmon/sysmon_new_dll_added_to_appinit_dlls_registry_key.yml
@@ -8,8 +8,21 @@ tags:
- attack.t1103
author: Ilyas Ochkov, oscd.community
date: 2019/10/25
+modified: 2019/11/13
+logsource:
+ product: windows
+ service: sysmon
detection:
- condition: 1 of them
+ selection:
+ - EventID:
+ - 12 # key create
+ - 13 # value set
+ TargetObject|contains: '\SOFTWARE\'
+ TargetObject|endswith: '\Windows\AppInit_Dlls'
+ - EventID: 14 # key rename
+ NewName|contains: '\SOFTWARE\'
+ NewName|endswith: '\Windows\AppInit_Dlls'
+ condition: selection
fields:
- EventID
- Image
@@ -18,30 +31,3 @@ fields:
falsepositives:
- Unkown
level: medium
----
-logsource:
- product: windows
- service: sysmon
-detection:
- key_create:
- EventID: 12
- TargetObject:
- - '*\SOFTWARE\*\Windows\AppInit_Dlls'
----
-logsource:
- product: windows
- service: sysmon
-detection:
- value_set:
- EventID: 13
- TargetObject:
- - '*\SOFTWARE\*\Windows\AppInit_Dlls'
----
-logsource:
- product: windows
- service: sysmon
-detection:
- key_rename:
- EventID: 14
- NewName:
- - '*\SOFTWARE\*\Windows\AppInit_Dlls'
From 07ad11f3ae5af174ddc0a6d4b12afe5308eb3c9d Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Thu, 14 Nov 2019 00:08:50 +0300
Subject: [PATCH 42/44] Update sysmon_possible_dns_rebinding.yml
---
.../sysmon/sysmon_possible_dns_rebinding.yml | 41 ++++++++++---------
1 file changed, 21 insertions(+), 20 deletions(-)
diff --git a/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml b/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml
index 015acde37..a53182be2 100644
--- a/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml
+++ b/rules/windows/sysmon/sysmon_possible_dns_rebinding.yml
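Review bot: `AppInit_DLLs` is a value under the `...\Windows NT\CurrentVersion\Windows` key rather than a key of its own, so the `12 # key create` and `14 # key rename` branches ending in `'\Windows\AppInit_Dlls'` are unlikely ever to match (hedged: unless a key of that name is created deliberately); in practice the detection rests on the EID 13 branch, where `TargetObject` does end with the value name. That is acceptable, but it should be stated so nobody later "fixes" the rule by removing the one branch that works: `# AppInit_DLLs is a REG_SZ value; EID 13 (value set) is the meaningful event, 12/14 kept for completeness`. Alternatively drop the dead branches and keep the selection to EID 13 only.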
@@ -2,6 +2,7 @@ title: Possible DNS Rebinding status: experimental description: Detects several different DNS-answers by one domain with IPs from internal and external networks. Normally, DNS-answer contain TTL >100. (DNS-record will saved in host cache for a while TTL). date: 2019/10/25 +modified: 2019/11/13 author: Ilyas Ochkov, oscd.community references: - https://medium.com/@brannondorsey/attacking-private-networks-from-the-internet-with-dns-rebinding-ea7098a2d325 @@ -17,26 +18,26 @@ detection: QueryName: '*' QueryStatus: '0' filter_int_ip: - QueryResults: - - '(::ffff:)?10.*' - - '(::ffff:)?192.168.*' - - '(::ffff:)?172.16.*' - - '(::ffff:)?172.17.*' - - '(::ffff:)?172.18.*' - - '(::ffff:)?172.19.*' - - '(::ffff:)?172.20.*' - - '(::ffff:)?172.21.*' - - '(::ffff:)?172.22.*' - - '(::ffff:)?172.23.*' - - '(::ffff:)?172.24.*' - - '(::ffff:)?172.25.*' - - '(::ffff:)?172.26.*' - - '(::ffff:)?172.27.*' - - '(::ffff:)?172.28.*' - - '(::ffff:)?172.29.*' - - '(::ffff:)?172.30.*' - - '(::ffff:)?172.31.*' - - '(::ffff:)?127.*' + QueryResults|startswith: + - '(::ffff:)?10.' + - '(::ffff:)?192.168.' + - '(::ffff:)?172.16.' + - '(::ffff:)?172.17.' + - '(::ffff:)?172.18.' + - '(::ffff:)?172.19.' + - '(::ffff:)?172.20.' + - '(::ffff:)?172.21.' + - '(::ffff:)?172.22.' + - '(::ffff:)?172.23.' + - '(::ffff:)?172.24.' + - '(::ffff:)?172.25.' + - '(::ffff:)?172.26.' + - '(::ffff:)?172.27.' + - '(::ffff:)?172.28.' + - '(::ffff:)?172.29.' + - '(::ffff:)?172.30.' + - '(::ffff:)?172.31.' + - '(::ffff:)?127.' timeframe: 30s condition: (dns_answer and filter_int_ip) and (dns_answer and not filter_int_ip) | count(QueryName) by ComputerName > 3 level: medium From 1fe7f55d4785a407ba7d2efe5e2c4fb886c2bbb5 Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Thu, 14 Nov 2019 00:10:05 +0300 Subject: [PATCH 43/44] Update sysmon_suspicious_outbound_kerberos_connection.yml --- ...sysmon_suspicious_outbound_kerberos_connection.yml | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) 
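Review bot: The `filter_int_ip` values keep the regex fragment `(::ffff:)?` while switching to the plain `startswith` modifier, and Sigma's plain string matching does not interpret regex: `(::ffff:)` is compared literally and `?` is Sigma's single-character wildcard, so none of these prefixes can match an answer such as `10.0.0.5` or `::ffff:10.0.0.5` and the internal-address filter is effectively empty (the old `*` form had the same problem; this hunk keeps it). Either use the `re` modifier with one anchored pattern, e.g. `QueryResults|re: '^(::ffff:)?(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|127\.)'`, or keep `startswith` and list every prefix twice, once bare (`'10.'`) and once with the IPv4-mapped form (`'::ffff:10.'`). Separately, the unchanged `condition` line asks for events that satisfy both `filter_int_ip` and `not filter_int_ip`, which no single event can, so the `count(QueryName)` aggregation would have nothing to count; if the intent is that the same name resolved to an internal address in one answer and an external one in another within the 30s window, a comment saying so would help, because the expression as written does not read that way.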
diff --git a/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml b/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml index 2bc9e19f9..8daac1661 100644 --- a/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml +++ b/rules/windows/sysmon/sysmon_suspicious_outbound_kerberos_connection.yml @@ -5,6 +5,7 @@ references: - https://github.com/GhostPack/Rubeus8 author: Ilyas Ochkov, oscd.community date: 2019/10/24 +modified: 2019/11/13 tags: - attack.lateral_movement - attack.t1208 @@ -17,11 +18,11 @@ detection: DestinationPort: 88 Initiated: 'true' filter: - Image: - - '*\lsass.exe' - - '*\opera.exe' - - '*\chrome.exe' - - '*\firefox.exe' + Image|endswith: + - '\lsass.exe' + - '\opera.exe' + - '\chrome.exe' + - '\firefox.exe' condition: selection and not filter falsepositives: - Other browsers From b47748399d3b6d2851a71353a5fd88f4ed2cd6dd Mon Sep 17 00:00:00 2001 From: yugoslavskiy Date: Thu, 14 Nov 2019 00:19:30 +0300 Subject: [PATCH 44/44] Update sysmon_new_dll_added_to_appcertdlls_registry_key.yml --- .../sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml b/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml index 8ae921c7c..6ef46657c 100644 --- a/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml +++ b/rules/windows/sysmon/sysmon_new_dll_added_to_appcertdlls_registry_key.yml @@ -10,7 +10,6 @@ tags: author: Ilyas Ochkov, oscd.community date: 2019/10/25 modified: 2019/11/13 -detection: logsource: product: windows service: sysmon
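Review bot: The rewritten `filter` exempts processes purely by image file name (`Image|endswith: '\lsass.exe'` and the three browsers), so the exclusion is as wide as the file name, not the program; the rule's only `falsepositives` entry is "Other browsers", which suggests the authors expect it to fire for anything else. For `lsass.exe` the legitimate location is fixed on a standard install, so that entry can be matched on the full path instead of a suffix, which keeps the browser suffixes while narrowing the system-process exemption; the restructured filter is below. Unrelated to this hunk but in the same file, the reference `https://github.com/GhostPack/Rubeus8` looks like it carries a stray trailing character.
```yaml
    filter:
        - Image: 'C:\Windows\System32\lsass.exe'  # fixed path on a standard install; adjust if the system drive differs
        - Image|endswith:
            - '\opera.exe'
            - '\chrome.exe'
            - '\firefox.exe'
    condition: selection and not filter
```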
