Merge pull request #2975 from frack113/redcannary_20220501

Windows Redcannary test
2022-05-02 19:35:10 +02:00
parent 5a619f5bab 9482eb92ec
commit 956a95e424
3 changed files with 66 additions and 1 deletions
@@ -4,9 +4,10 @@ status: experimental
 description: Detects suspicious processes based on name and location that access the browser credential stores which can be the sign of credential stealing
 references:
    - https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users
+    - https://github.com/lclevy/firepwd
 author: frack113
 date: 2022/04/09
-modified: 2022/04/11
+modified: 2022/05/01
 tags:
    - attack.t1003
    - attack.credential_access
@@ -22,6 +23,9 @@ detection:
        - FileName|endswith:
            - '\Appdata\Local\Microsoft\Windows\WebCache\WebCacheV01.dat'
            - '\cookies.sqlite'
+            - 'release\key3.db'  #firefox
+            - 'release\key4.db'  #firefox
+            - 'release\logins.json' #firefox
    filter_browser:
        Image|endswith:
            - '\firefox.exe'
@@ -0,0 +1,27 @@
+title: Gpresult Display Group Policy Information
+id: e56d3073-83ff-4021-90fe-c658e0709e72
+status: experimental
+description: Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1615/T1615.md
+    - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult
+    - https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/ 
+    - https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
+author: frack113
+date: 2022/05/01
+logsource:
+    product: windows
+    category: process_creation
+detection:
+    selection:
+        Image|endswith: '\gpresult.exe'
+        CommandLine|contains:
+            - '/z'
+            - '/v'
+    condition: selection 
+falsepositives:
+    - Unknown
+level: medium
+tags:
+    - attack.discovery
+    - attack.t1615
@@ -0,0 +1,34 @@
+title: Register A Service With Temp Folder
+id: c0abc838-36b0-47c9-b3b3-a90c39455382
+description: Detect the creation of a service with a service binary located in a temporary directory 
+status: experimental
+date: 2022/05/01
+author: frack113
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
+logsource:
+    category: registry_set
+    product: windows
+detection:
+    selection_1:
+        EventType: SetValue
+        TargetObject|startswith: 'HKLM\System\CurrentControlSet\Services\'
+        TargetObject|endswith: '\Start'
+        Image|contains: '\Temp\'
+        Details: 
+            - 'DWORD (0x00000000)'  # boot
+            - 'DWORD (0x00000001)'  # System
+            - 'DWORD (0x00000002)'  # Automatic
+            # 3 - Manual , 4 - Disabled
+    selection_2:
+        EventType: SetValue
+        TargetObject|startswith: 'HKLM\System\CurrentControlSet\Services\'
+        TargetObject|endswith: '\ImagePath'
+        Details|contains: '\Temp\'
+    condition: 1 of selection_*
+falsepositives:
+    - Unknown
+level: high
+tags:
+    - attack.defense_evasion
+    - attack.t1112