diff --git a/rules/windows/powershell/powershell_script/powershell_ps_access_to_chrome_login_data.yml b/rules/windows/powershell/powershell_script/powershell_ps_access_to_chrome_login_data.yml
new file mode 100644
index 000000000..87c0b306d
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/powershell_ps_access_to_chrome_login_data.yml
@@ -0,0 +1,31 @@
+title: Accessing Encrypted Credentials from Google Chrome Login Database
+id: 98f4c75c-3089-44f3-b733-b327b9cd9c9d
+status: experimental
+author: frack113
+date: 2021/12/20
+description: |
+ Adversaries may acquire credentials from web browsers by reading files specific to the target browser.
+ Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future.
+ Web browsers typically store the credentials in an encrypted format within a credential store.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555.003/T1555.003.md
+logsource:
+ product: windows
+ category: ps_script
+ definition: Script block logging must be enabled
+detection:
+ selection_cmd:
+ ScriptBlockText|contains|all:
+ - Copy-Item
+ - '-Destination'
+ selection_path:
+ ScriptBlockText|contains:
+ - '\Google\Chrome\User Data\Default\Login Data'
+ - '\Google\Chrome\User Data\Default\Login Data For Account'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.credential_access
+ - attack.tT1555.003
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_dump_password_windows_credential_manager.yml b/rules/windows/powershell/powershell_script/powershell_ps_dump_password_windows_credential_manager.yml
new file mode 100644
index 000000000..fac4d03e1
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/powershell_ps_dump_password_windows_credential_manager.yml
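Review bot: The second tag in the tags list, `attack.tT1555.003`, is malformed: the technique-tag form used by the other rules in this commit is lowercase `attack.t1555.003`, and the stray capital T means the rule will not be grouped with T1555.003 by tag-based tooling and is likely to fail the repository's tag format check. Change the line to `- attack.t1555.003`. Separately, selection_cmd pins the rule to `Copy-Item` with `-Destination`, so it covers one specific way of touching the Login Data file rather than "accessing" it in general; stating that in the description (or renaming the title to mention copying) would set expectations for analysts tuning on this rule.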
@@ -0,0 +1,37 @@
+title: Dump Credentials from Windows Credential Manager With PowerShell
+id: 99c49d9c-34ea-45f7-84a7-4751ae6b2cbc
+status: experimental
+author: frack113
+date: 2021/12/20
+description: |
+ Adversaries may search for common password storage locations to obtain user credentials.
+ Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md
+logsource:
+ product: windows
+ category: ps_script
+ definition: Script block logging must be enabled
+detection:
+ selection_kiddie:
+ ScriptBlockText|contains:
+ - 'Get-PasswordVaultCredentials'
+ - 'Get-CredManCreds'
+ selection_rename_Password:
+ ScriptBlockText|contains|all:
+ - 'New-Object'
+ - 'Windows.Security.Credentials.PasswordVault'
+ selection_rename_credman:
+ ScriptBlockText|contains|all:
+ - 'New-Object'
+ - 'Microsoft.CSharp.CSharpCodeProvider'
+ - '[System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())'
+ - 'Collections.ArrayList'
+ - 'System.CodeDom.Compiler.CompilerParameters'
+ condition: 1 of selection_*
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.credential_access
+ - attack.t1555
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_enumerate_password_windows_credential_manager.yml b/rules/windows/powershell/powershell_script/powershell_ps_enumerate_password_windows_credential_manager.yml
new file mode 100644
index 000000000..dca1798f0
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/powershell_ps_enumerate_password_windows_credential_manager.yml
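Review bot: selection_rename_credman contains only generic in-memory C# compilation tokens (CSharpCodeProvider, CompilerParameters, GetRuntimeDirectory, ArrayList) and nothing that refers to Credential Manager, and because the condition is `1 of selection_*` this selection fires on its own, so any administrative or build script that compiles C# at run time through the same API will trip the rule. Either add a credential-manager-specific string from the referenced atomic to that selection's `all` list, or record "Scripts compiling C# code at runtime via CSharpCodeProvider" under falsepositives instead of `Unknown`. A smaller point on the same selection: `'[System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory())'` ends with two closing parentheses, the second of which belongs to whatever expression wraps the call in the sample script, so the token only matches that exact layout; `- '[System.Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory()'` keeps the match without depending on surrounding punctuation.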
@@ -0,0 +1,30 @@
+title: Enumerate Credentials from Windows Credential Manager With PowerShell
+id: 603c6630-5225-49c1-8047-26c964553e0e
+status: experimental
+author: frack113
+date: 2021/12/20
+description: |
+ Adversaries may search for common password storage locations to obtain user credentials.
+ Passwords are stored in several places on a system, depending on the operating system or application holding the credentials.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1555/T1555.md
+logsource:
+ product: windows
+ category: ps_script
+ definition: Script block logging must be enabled
+detection:
+ selection_cmd:
+ ScriptBlockText|contains|all:
+ - vaultcmd
+ - '/listcreds:'
+ selection_option:
+ ScriptBlockText|contains:
+ - 'Windows Credentials'
+ - 'Web Credentials'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.credential_access
+ - attack.t1555
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_pc_enumeration_for_credentials_in_registry.yml b/rules/windows/process_creation/win_pc_enumeration_for_credentials_in_registry.yml
new file mode 100644
index 000000000..285ede822
--- /dev/null
+++ b/rules/windows/process_creation/win_pc_enumeration_for_credentials_in_registry.yml
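Review bot: falsepositives is left as `Unknown`, yet the detection is exactly the documented administrative invocation for listing the vault (`vaultcmd /listcreds:` with one of the two built-in vault display names), so administrators and inventory or troubleshooting scripts running the same command in PowerShell are a foreseeable source of alerts; naming that, e.g. `- Administrators or inventory scripts listing vault contents with vaultcmd`, helps whoever tunes the rule. Minor style point: `vaultcmd` is the only unquoted value in the detection block while every neighbouring value is quoted; `- 'vaultcmd'` keeps the lists uniform.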
@@ -0,0 +1,37 @@
+title: Enumeration for Credentials in Registry
+id: e0b0c2ab-3d52-46d9-8cb7-049dc775fbd1
+status: experimental
+description: |
+ Adversaries may search the Registry on compromised systems for insecurely stored credentials.
+ The Windows Registry stores configuration information that can be used by the system or other programs.
+ Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.002/T1552.002.md
+author: frack113
+date: 2021/12/20
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ reg:
+ Image|endswith: \reg.exe
+ CommandLine|contains|all:
+ - ' query '
+ - '/t '
+ - 'REG_SZ'
+ - '/s'
+ hive:
+ - CommandLine|contains|all:
+ - '/f '
+ - 'HKLM'
+ - CommandLine|contains|all:
+ - '/f '
+ - 'HKCU'
+ - CommandLine|contains: 'HKCU\Software\SimonTatham\PuTTY\Sessions'
+ condition: reg and hive
+falsepositives:
+ - unknown
+level: medium
+tags:
+ - attack.credential_access
+ - attack.t1552.002
\ No newline at end of file
diff --git a/rules/windows/process_creation/win_pc_false_sysinternalsuite.yml b/rules/windows/process_creation/win_pc_false_sysinternalsuite.yml
new file mode 100644
index 000000000..2f5fe36f8
--- /dev/null
+++ b/rules/windows/process_creation/win_pc_false_sysinternalsuite.yml
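Review bot: The `hive` selection only recognises the abbreviated hive names `HKLM` and `HKCU`, but reg.exe accepts the long forms `HKEY_LOCAL_MACHINE` and `HKEY_CURRENT_USER` for the same queries, so an otherwise identical command using the long names is not covered. Add two more list entries alongside the existing ones, `- CommandLine|contains|all: ['/f ', 'HKEY_LOCAL_MACHINE']` and `- CommandLine|contains|all: ['/f ', 'HKEY_CURRENT_USER']`. Style: `falsepositives: - unknown` is lowercase here while the sibling rules in this commit use `Unknown`; one spelling across the set keeps them consistent.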
@@ -0,0 +1,172 @@
+title: False Sysinternals Suite tools
+id: 7cce6fc8-a07f-4d84-a53e-96e1879843c9
+status: experimental
+description: Rename as a legitim Sysinternals Suite tools to evade detection
+references:
+ - https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite
+author: frack113
+date: 2021/12/20
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ exe:
+ Image|endswith:
+ - accesschk.exe
+ - accesschk64.exe
+ - AccessEnum.exe
+ - ADExplorer.exe
+ - ADExplorer64.exe
+ - ADInsight.exe
+ - ADInsight64.exe
+ - adrestore.exe
+ - adrestore64.exe
+ - Autologon.exe
+ - Autologon64.exe
+ - Autoruns.exe
+ - Autoruns64.exe
+ - autorunsc.exe
+ - autorunsc64.exe
+ - Bginfo.exe
+ - Bginfo64.exe
+ - Cacheset.exe
+ - Cacheset64.exe
+ - Clockres.exe
+ - Clockres64.exe
+ - Contig.exe
+ - Contig64.exe
+ - Coreinfo.exe
+ - Coreinfo64.exe
+ - CPUSTRES.EXE
+ - CPUSTRES64.EXE
+ - ctrl2cap.exe
+ - Dbgview.exe
+ - dbgview64.exe
+ - Desktops.exe
+ - Desktops64.exe
+ - disk2vhd.exe
+ - disk2vhd64.exe
+ - diskext.exe
+ - diskext64.exe
+ - Diskmon.exe
+ - Diskmon64.exe
+ - DiskView.exe
+ - DiskView64.exe
+ - du.exe
+ - du64.exe
+ - efsdump.exe
+ - FindLinks.exe
+ - FindLinks64.exe
+ - handle.exe
+ - handle64.exe
+ - hex2dec.exe
+ - hex2dec64.exe
+ - junction.exe
+ - junction64.exe
+ - ldmdump.exe
+ - listdlls.exe
+ - listdlls64.exe
+ - livekd.exe
+ - livekd64.exe
+ - loadOrd.exe
+ - loadOrd64.exe
+ - loadOrdC.exe
+ - loadOrdC64.exe
+ - logonsessions.exe
+ - logonsessions64.exe
+ - movefile.exe
+ - movefile64.exe
+ - notmyfault.exe
+ - notmyfault64.exe
+ - notmyfaultc.exe
+ - notmyfaultc64.exe
+ - ntfsinfo.exe
+ - ntfsinfo64.exe
+ - pendmoves.exe
+ - pendmoves64.exe
+ - pipelist.exe
+ - pipelist64.exe
+ - portmon.exe
+ - procdump.exe
+ - procdump64.exe
+ - procexp.exe
+ - procexp64.exe
+ - Procmon.exe
+ - Procmon64.exe
+ - psExec.exe
+ - psExec64.exe
+ - psfile.exe
+ - psfile64.exe
+ - psGetsid.exe
+ - psGetsid64.exe
+ - psInfo.exe
+ - psInfo64.exe
+ - pskill.exe
+ - pskill64.exe
+ - pslist.exe
+ - pslist64.exe
+ - psLoggedon.exe
+ - psLoggedon64.exe
+ - psloglist.exe
+ - psloglist64.exe
+ - pspasswd.exe
+ - pspasswd64.exe
+ - psping.exe
+ - psping64.exe
+ - psService.exe
+ - psService64.exe
+ - psshutdown.exe
+ - psshutdown64.exe
+ - pssuspend.exe
+ - pssuspend64.exe
+ - RAMMap.exe
+ - RDCMan.exe
+ - RegDelNull.exe
+ - RegDelNull64.exe
+ - regjump.exe
+ - ru.exe
+ - ru64.exe
+ - sdelete.exe
+ - sdelete64.exe
+ - ShareEnum.exe
+ - ShareEnum64.exe
+ - shellRunas.exe
+ - sigcheck.exe
+ - sigcheck64.exe
+ - streams.exe
+ - streams64.exe
+ - strings.exe
+ - strings64.exe
+ - sync.exe
+ - sync64.exe
+ - Sysmon.exe
+ - Sysmon64.exe
+ - tcpvcon.exe
+ - tcpvcon64.exe
+ - tcpview.exe
+ - tcpview64.exe
+ - Testlimit.exe
+ - Testlimit64.exe
+ - vmmap.exe
+ - vmmap64.exe
+ - Volumeid.exe
+ - Volumeid64.exe
+ - whois.exe
+ - whois64.exe
+ - Winobj.exe
+ - Winobj64.exe
+ - ZoomIt.exe
+ - ZoomIt64.exe
+ valid:
+ Company:
+ - "Sysinternals - www.sysinternals.com"
+ - "Sysinternals"
+ condition: exe and not valid
+falsepositives:
+ - unknown
+level: medium
+tags:
+ - attack.execution
+ - attack.defense_evasion
+ - attack.t1218
+ - attack.t1202
\ No newline at end of file
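Review bot: None of the `Image|endswith` values in the `exe` selection carries a leading path separator, so they match any image whose name merely ends in the listed string: `sync.exe` matches `rsync.exe`, `du.exe` matches any `*du.exe`, `handle.exe` matches `*handle.exe`, and so on, which inflates the match set well beyond the Sysinternals names. Prefix every entry with a backslash (`- \accesschk.exe`, `- \accesschk64.exe`, … through `- \ZoomIt64.exe`) so each value anchors on the file name. Two further points on the `valid` selection: `condition: exe and not valid` depends on the `Company` field being populated by the log source, so on process-creation sources that do not carry it every listed name fires; and several of these names are also shipped by unrelated, legitimately signed vendors (coreutils-style `du.exe` and `strings.exe`, third-party `whois.exe`), which should be listed under falsepositives instead of `unknown`. The tags `attack.t1218` and `attack.t1202` do not describe what the rule detects, which is a binary masquerading as a known tool name; `attack.t1036.005` is the matching technique.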