From bd3df87ba7adae9dd7404b7afef02095f9829419 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sun, 1 May 2022 11:34:54 +0200
Subject: [PATCH 1/5] Redcannary test
---
 ...access_win_browser_credential_stealing.yml | 6 +++-
 ...istry_set_creation_service_temp_folder.yml | 34 +++++++++++++++++++
 2 files changed, 39 insertions(+), 1 deletion(-)
 create mode 100644 rules/windows/registry/registry_set/registry_set_creation_service_temp_folder.yml
diff --git a/rules/windows/file_access/file_access_win_browser_credential_stealing.yml b/rules/windows/file_access/file_access_win_browser_credential_stealing.yml
index 40681509c..fc62737c1 100644
--- a/rules/windows/file_access/file_access_win_browser_credential_stealing.yml
+++ b/rules/windows/file_access/file_access_win_browser_credential_stealing.yml
@@ -4,9 +4,10 @@ status: experimental
 description: Detects suspicious processes based on name and location that access the browser credential stores which can be the sign of credential stealing
 references:
 - https://www.zscaler.com/blogs/security-research/ffdroider-stealer-targeting-social-media-platform-users
+ - https://github.com/lclevy/firepwd
 author: frack113
 date: 2022/04/09
-modified: 2022/04/11
+modified: 2022/05/01
 tags:
 - attack.t1003
 - attack.credential_access
@@ -22,6 +23,9 @@ detection:
 - FileName|endswith:
 - '\Appdata\Local\Microsoft\Windows\WebCache\WebCacheV01.dat'
 - '\cookies.sqlite'
+ - 'release\key3.db' #firefox
+ - 'release\key4.db' #firefox
+ - 'release\logins.json' #firefox
 filter_browser:
 Image|endswith:
 - '\firefox.exe'
diff --git a/rules/windows/registry/registry_set/registry_set_creation_service_temp_folder.yml b/rules/windows/registry/registry_set/registry_set_creation_service_temp_folder.yml
new file mode 100644
index 000000000..62c7bdf07
--- /dev/null
+++ b/rules/windows/registry/registry_set/registry_set_creation_service_temp_folder.yml
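Review bot: The three Firefox entries added to `FileName|endswith` are anchored on `release\`, so they only match profile folders whose name ends in `release` (the `.default-release` naming); as far as I know Firefox also uses plain `<random>.default` and arbitrary user-chosen profile names, which this hunk would miss. The file names are specific enough on their own, so `'\key3.db'`, `'\key4.db'` and `'\logins.json'` look like safer anchors, to be confirmed against the profile paths seen in your telemetry. On style, the inline comments are written `#firefox` with a single space before the hash; the YAML convention (and yamllint's comments rule) is two spaces before and one after, i.e. `'\key4.db'  # firefox`.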
@@ -0,0 +1,34 @@
+title: Register A Service With Temp Folder
+id: c0abc838-36b0-47c9-b3b3-a90c39455382
+description: Detect the creation of a service from temp directory
+status: experimental
+date: 2022/05/01
+author: frack113
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.001/T1562.001.md
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ selection_1:
+ EventType: SetValue
+ TargetObject|startswith: 'HKLM\System\CurrentControlSet\Services\'
+ TargetObject|endswith: '\Start'
+ Image|contains: '\Temp\'
+ Details:
+ - 'DWORD (0x00000000)' # boot
+ - 'DWORD (0x00000001)' # System
+ - 'DWORD (0x00000002)' # Automatic
+ # 3 - Manual , 4 - Disabled
+ selection_2:
+ EventType: SetValue
+ TargetObject|startswith: 'HKLM\System\CurrentControlSet\Services\'
+ TargetObject|endswith: '\ImagePath'
+ Details|contains: '\Temp\'
+ condition: 1 of selection_*
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1112
\ No newline at end of file
From e5a30a7b893dc8598d417e3b849b145451b1b780 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sun, 1 May 2022 19:18:39 +0200
Subject: [PATCH 2/5] Add proc_creation_win_susp_gpresult
---
 .../proc_creation_win_susp_gpresult.yml | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_susp_gpresult.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_gpresult.yml b/rules/windows/process_creation/proc_creation_win_susp_gpresult.yml
new file mode 100644
index 000000000..06417c333
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_gpresult.yml
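Review bot: `selection_1` keys on `Image|contains: '\Temp\'`, which is the process performing the registry write, not the service binary, so it fires when any Temp-resident process changes the `Start` type of any existing service and, if I recall the SCM path correctly, stays silent for services registered through the Service Control Manager because that write is attributed to services.exe rather than the caller. Only `selection_2` (`ImagePath` containing `\Temp\`) matches what the title and description say the rule detects. I'd state the two cases explicitly in the description, e.g. `description: Detects a service whose ImagePath points into a temporary directory, or a process running from a temporary directory that changes a service start type`, so that triage knows which behaviour `1 of selection_*` actually matched. A comment on `selection_1` such as `# Image is the writer process, not the service binary` would also prevent the two selections from being read as equivalent.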
@@ -0,0 +1,28 @@
+title: Gpresult Display Group Policy Information
+id: e56d3073-83ff-4021-90fe-c658e0709e72
+status: experimental
+description: Uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1615/T1615.md
+ - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult
+ - https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/
+ - https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
+author: frack113
+date: 2022/05/01
+logsource:
+ product: windows
+ category: process_creation
+detection:
+ selection:
+ Image|endswith:
+ - '\gpresult.exe'
+ CommandLine|contains:
+ - '/z'
+ - '/v'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.discovery
+ - attack.t1615
\ No newline at end of file
From 315a79fcf0c4bbe71f669c32f3332c2d4cd438bf Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Mon, 2 May 2022 18:13:03 +0200
Subject: [PATCH 3/5] Update proc_creation_win_susp_gpresult.yml
---
 .../process_creation/proc_creation_win_susp_gpresult.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_susp_gpresult.yml b/rules/windows/process_creation/proc_creation_win_susp_gpresult.yml
index 06417c333..98e0649ec 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_gpresult.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_gpresult.yml
@@ -14,8 +14,7 @@ logsource:
 category: process_creation
 detection:
 selection:
- Image|endswith:
- - '\gpresult.exe'
+ Image|endswith: '\gpresult.exe'
 CommandLine|contains:
 - '/z'
 - '/v'
@@ -25,4 +24,4 @@ falsepositives:
 level: medium
 tags:
 - attack.discovery
- - attack.t1615
\ No newline at end of file
+ - attack.t1615
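Review bot: `falsepositives: - Unknown` understates how routine this command is: `gpresult /v` and `/z` are the standard way administrators and helpdesk staff inspect applied Group Policy, so the `selection` will match benign activity in most environments and the linked references only show it as one step in a longer intrusion. I'd record the expected benign source explicitly, e.g. `- Administrators or helpdesk staff troubleshooting Group Policy application`, and consider `level: low` unless the rule is meant to be correlated with other discovery activity on the same host. The `CommandLine|contains` values are substring matches, which is fine here because the `Image` filter already restricts the rule to gpresult, but a short comment such as `# /v = verbose RSoP, /z = super-verbose` would document why those two switches were chosen.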
From 8b0ed3d06453525677d52b8288d902095faac6d2 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 2 May 2022 19:25:42 +0200
Subject: [PATCH 4/5] Update proc_creation_win_susp_gpresult.yml
---
 .../process_creation/proc_creation_win_susp_gpresult.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_susp_gpresult.yml b/rules/windows/process_creation/proc_creation_win_susp_gpresult.yml
index 98e0649ec..0c73ba0dc 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_gpresult.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_gpresult.yml
@@ -1,7 +1,7 @@
 title: Gpresult Display Group Policy Information
 id: e56d3073-83ff-4021-90fe-c658e0709e72
 status: experimental
-description: Uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information
+description: Detects cases in which a user uses the built-in Windows utility gpresult to display the Resultant Set of Policy (RSoP) information
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1615/T1615.md
 - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult
From 9482eb92ecb2a8027c006da0d883d289e3de34b5 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 2 May 2022 19:30:43 +0200
Subject: [PATCH 5/5] Update registry_set_creation_service_temp_folder.yml
---
 .../registry_set_creation_service_temp_folder.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules/windows/registry/registry_set/registry_set_creation_service_temp_folder.yml b/rules/windows/registry/registry_set/registry_set_creation_service_temp_folder.yml
index 62c7bdf07..1b7f15b48 100644
--- a/rules/windows/registry/registry_set/registry_set_creation_service_temp_folder.yml
+++ b/rules/windows/registry/registry_set/registry_set_creation_service_temp_folder.yml
@@ -1,6 +1,6 @@
 title: Register A Service With Temp Folder
 id: c0abc838-36b0-47c9-b3b3-a90c39455382
-description: Detect the creation of a service from temp directory
+description: Detect the creation of a service with a service binary located in a temporary directory
 status: experimental
 date: 2022/05/01
 author: frack113
@@ -28,7 +28,7 @@ detection:
 condition: 1 of selection_*
 falsepositives:
 - Unknown
-level: medium
+level: high
 tags:
 - attack.defense_evasion
- - attack.t1112
\ No newline at end of file
+ - attack.t1112
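Review bot: Raising `level` to `high` while `falsepositives` still reads `Unknown` is an uncomfortable pairing, because `condition: 1 of selection_*` also fires on the `selection_1` branch (defined above this hunk), which matches any Temp-resident process setting a service `Start` value rather than a service binary in Temp, and software installers commonly extract to a temporary directory and register a service while running from there. The new description in the first hunk now describes only the `ImagePath` case, so the level no longer reflects the broader of the two selections. I'd either document the expected benign source, e.g. `- Software installers that run from a temporary directory and register a service`, or keep `high` only for the `ImagePath` match and give the `Start`-type branch its own rule with a lower level.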