From 96eb4609447eba4ce7ad976bbc16af6f0c3d9691 Mon Sep 17 00:00:00 2001 
From: Thomas Patzke Date: Wed, 16 Jan 2019 23:36:31 +0100 Subject: [PATCH] Converted Sysmon/1 and Security/4688 to generic process creation rules --- rules/windows/builtin/win_hack_rubeus.yml | 52 ------- .../builtin/win_mavinject_proc_inj.yml | 38 ----- .../builtin/win_multiple_suspicious_cli.yml | 112 ------------- .../builtin/win_plugx_susp_exe_locations.yml | 146 ----------------- .../builtin/win_possible_applocker_bypass.yml | 44 ------ .../builtin/win_powershell_b64_shellcode.yml | 44 ------ rules/windows/builtin/win_psexesvc_start.yml | 21 --- rules/windows/builtin/win_susp_cli_escape.yml | 57 ------- .../win_susp_commands_recon_activity.yml | 73 --------- .../builtin/win_susp_iss_module_install.yml | 36 ----- .../builtin/win_susp_msiexec_web_install.yml | 34 ---- rules/windows/builtin/win_susp_ntdsutil.yml | 34 ---- .../builtin/win_susp_powershell_enc_cmd.yml | 43 ----- .../win_susp_powershell_hidden_b64_cmd.yml | 82 ---------- rules/windows/builtin/win_susp_procdump.yml | 49 ------ .../builtin/win_susp_process_creations.yml | 136 ---------------- rules/windows/builtin/win_susp_ps_appdata.yml | 39 ----- .../builtin/win_susp_rasdial_activity.yml | 32 ---- .../builtin/win_susp_run_locations.yml | 38 ----- .../builtin/win_susp_rundll32_activity.yml | 51 ------ rules/windows/builtin/win_susp_svchost.yml | 49 ------ .../builtin/win_susp_sysprep_appdata.yml | 37 ----- .../builtin/win_susp_sysvol_access.yml | 36 ----- rules/windows/builtin/win_susp_whoami.yml | 36 ----- ..._wmi_persistence_script_event_consumer.yml | 36 ----- .../windows/malware/sysmon_malware_dridex.yml | 40 ----- .../malware/sysmon_malware_notpetya.yml | 43 ----- .../malware/sysmon_malware_wannacry.yml | 41 ----- rules/windows/malware/win_mal_adwind.yml | 56 ------- rules/windows/malware/win_mal_wannacry.yml | 67 -------- .../powershell/powershell_xor_commandline.yml | 29 ---- .../powershell_xor_commandline.yml | 16 ++ .../win_attrib_hiding_files.yml | 30 ++++ .../win_bypass_squiblytwo.yml | 34 
++++ .../process_creation/win_cmdkey_recon.yml | 22 +++ .../win_cmstp_com_object_access.yml | 32 ++++ .../win_exploit_cve_2015_1641.yml} | 15 +- .../win_exploit_cve_2017_0261.yml | 18 +++ .../win_exploit_cve_2017_11882.yml | 20 +++ .../win_exploit_cve_2017_8759.yml} | 17 +- .../process_creation/win_hack_rubeus.yml | 29 ++++ .../process_creation/win_lethalhta.yml | 18 +++ .../process_creation/win_mal_adwind.yml | 48 ++++++ .../process_creation/win_mal_wannacry.yml | 33 ++++ .../process_creation/win_malware_dridex.yml | 22 +++ .../process_creation/win_malware_notpetya.yml | 39 +++++ .../win_malware_script_dropper.yml | 33 ++++ .../process_creation/win_malware_wannacry.yml | 37 +++++ .../win_mavinject_proc_inj.yml | 24 +++ .../win_mshta_spawn_shell.yml | 37 +++++ .../win_multiple_suspicious_cli.yml | 56 +++++++ .../process_creation/win_office_shell.yml | 52 +++++++ .../win_plugx_susp_exe_locations.yml | 88 +++++++++++ .../win_possible_applocker_bypass.yml | 27 ++++ .../win_powershell_amsi_bypass.yml | 25 +++ .../win_powershell_b64_shellcode.yml | 24 +++ .../win_powershell_dll_execution.yml | 28 ++++ .../win_powershell_download.yml | 23 +++ .../win_powershell_renamed_ps.yml | 26 ++++ ...ershell_suspicious_parameter_variation.yml | 61 ++++++++ .../process_creation/win_psexesvc_start.yml | 19 +++ .../win_sdbinst_shim_persistence.yml | 23 +++ .../win_shell_spawn_susp_program.yml | 33 ++++ .../win_susp_certutil_command.yml | 42 +++++ .../process_creation/win_susp_cli_escape.yml | 27 ++++ .../win_susp_cmd_http_appdata.yml | 23 +++ .../win_susp_commands_recon_activity.yml | 42 +++++ .../win_susp_control_dll_load.yml | 23 +++ .../process_creation/win_susp_exec_folder.yml | 33 ++++ .../win_susp_execution_path.yml | 26 ++++ .../win_susp_execution_path_webserver.yml | 28 ++++ .../win_susp_iss_module_install.yml | 21 +++ .../process_creation/win_susp_mmc_source.yml | 21 +++ .../win_susp_msiexec_web_install.yml | 19 +++ .../win_susp_net_execution.yml | 33 ++++ 
.../process_creation/win_susp_ntdsutil.yml | 19 +++ .../process_creation/win_susp_ping_hex_ip.yml | 21 +++ .../win_susp_powershell_enc_cmd.yml | 25 +++ .../win_susp_powershell_hidden_b64_cmd.yml | 70 +++++++++ .../win_susp_powershell_parent_combo.yml | 29 ++++ .../process_creation/win_susp_procdump.yml | 28 ++++ .../win_susp_process_creations.yml | 65 ++++++++ .../process_creation/win_susp_ps_appdata.yml | 20 +++ .../win_susp_rasdial_activity.yml | 17 ++ .../win_susp_recon_activity.yml | 23 +++ .../win_susp_regsvr32_anomalies.yml | 38 +++++ .../win_susp_run_locations.yml | 23 +++ .../win_susp_rundll32_activity.yml | 35 +++++ .../win_susp_schtask_creation.yml | 27 ++++ .../win_susp_script_execution.yml | 24 +++ .../process_creation/win_susp_svchost.yml | 24 +++ .../win_susp_sysprep_appdata.yml | 21 +++ .../win_susp_sysvol_access.yml | 22 +++ .../win_susp_taskmgr_localsystem.yml} | 15 +- .../win_susp_taskmgr_parent.yml | 23 +++ .../win_susp_tscon_localsystem.yml | 19 +++ .../win_susp_tscon_rdp_redirect.yml | 19 +++ .../win_susp_vssadmin_ntds_activity.yml | 31 ++++ .../process_creation/win_susp_whoami.yml | 22 +++ .../win_susp_wmi_execution.yml | 31 ++++ .../win_system_exe_anomaly.yml | 33 ++++ .../win_vul_java_remote_debugging.yml | 19 +++ .../win_webshell_detection.yml | 31 ++++ .../process_creation/win_webshell_spawn.yml | 30 ++++ ..._wmi_persistence_script_event_consumer.yml | 22 +++ .../win_workflow_compiler.yml | 22 +++ .../sysmon/sysmon_attrib_hiding_files.yml | 31 ---- .../sysmon/sysmon_bypass_squiblytwo.yml | 36 ----- rules/windows/sysmon/sysmon_cmdkey_recon.yml | 23 --- .../sysmon/sysmon_cmstp_com_object_access.yml | 34 ---- .../sysmon/sysmon_exploit_cve_2017_0261.yml | 19 --- .../sysmon/sysmon_exploit_cve_2017_11882.yml | 21 --- rules/windows/sysmon/sysmon_lethalhta.yml | 19 --- .../sysmon/sysmon_malware_script_dropper.yml | 34 ---- .../sysmon/sysmon_mshta_spawn_shell.yml | 39 ----- rules/windows/sysmon/sysmon_office_shell.yml | 53 ------- 
.../sysmon_plugx_susp_exe_locations.yml | 147 ------------------ .../sysmon/sysmon_powershell_amsi_bypass.yml | 27 ---- .../sysmon_powershell_dll_execution.yml | 31 ---- .../sysmon/sysmon_powershell_download.yml | 25 --- .../sysmon/sysmon_powershell_renamed_ps.yml | 27 ---- ...ershell_suspicious_parameter_variation.yml | 62 -------- .../sysmon_sdbinst_shim_persistence.yml | 24 --- .../sysmon_shell_spawn_susp_program.yml | 35 ----- .../sysmon/sysmon_susp_certutil_command.yml | 67 -------- .../sysmon/sysmon_susp_cmd_http_appdata.yml | 23 --- .../sysmon/sysmon_susp_control_dll_load.yml | 24 --- .../sysmon/sysmon_susp_exec_folder.yml | 35 ----- .../sysmon/sysmon_susp_execution_path.yml | 27 ---- .../sysmon_susp_execution_path_webserver.yml | 29 ---- .../windows/sysmon/sysmon_susp_mmc_source.yml | 22 --- .../sysmon/sysmon_susp_net_execution.yml | 35 ----- .../sysmon/sysmon_susp_ping_hex_ip.yml | 23 --- .../sysmon_susp_powershell_parent_combo.yml | 30 ---- .../sysmon/sysmon_susp_recon_activity.yml | 24 --- .../sysmon/sysmon_susp_regsvr32_anomalies.yml | 51 ------ .../sysmon/sysmon_susp_schtask_creation.yml | 28 ---- .../sysmon/sysmon_susp_script_execution.yml | 25 --- rules/windows/sysmon/sysmon_susp_svchost.yml | 25 --- .../sysmon/sysmon_susp_taskmgr_parent.yml | 24 --- .../sysmon/sysmon_susp_tscon_localsystem.yml | 20 --- .../sysmon/sysmon_susp_tscon_rdp_redirect.yml | 33 ---- .../sysmon_susp_vssadmin_ntds_activity.yml | 34 ---- .../sysmon/sysmon_susp_wmi_execution.yml | 32 ---- .../sysmon/sysmon_system_exe_anomaly.yml | 35 ----- .../sysmon_vul_java_remote_debugging.yml | 20 --- .../sysmon/sysmon_webshell_detection.yml | 32 ---- .../windows/sysmon/sysmon_webshell_spawn.yml | 31 ---- .../sysmon/sysmon_workflow_compiler.yml | 24 --- 149 files changed, 2170 insertions(+), 3096 deletions(-) delete mode 100644 rules/windows/builtin/win_hack_rubeus.yml delete mode 100644 rules/windows/builtin/win_mavinject_proc_inj.yml delete mode 100644 
rules/windows/builtin/win_multiple_suspicious_cli.yml delete mode 100644 rules/windows/builtin/win_plugx_susp_exe_locations.yml delete mode 100644 rules/windows/builtin/win_possible_applocker_bypass.yml delete mode 100644 rules/windows/builtin/win_powershell_b64_shellcode.yml delete mode 100644 rules/windows/builtin/win_psexesvc_start.yml delete mode 100644 rules/windows/builtin/win_susp_cli_escape.yml delete mode 100644 rules/windows/builtin/win_susp_commands_recon_activity.yml delete mode 100644 rules/windows/builtin/win_susp_iss_module_install.yml delete mode 100644 rules/windows/builtin/win_susp_msiexec_web_install.yml delete mode 100644 rules/windows/builtin/win_susp_ntdsutil.yml delete mode 100644 rules/windows/builtin/win_susp_powershell_enc_cmd.yml delete mode 100644 rules/windows/builtin/win_susp_powershell_hidden_b64_cmd.yml delete mode 100644 rules/windows/builtin/win_susp_procdump.yml delete mode 100644 rules/windows/builtin/win_susp_process_creations.yml delete mode 100644 rules/windows/builtin/win_susp_ps_appdata.yml delete mode 100644 rules/windows/builtin/win_susp_rasdial_activity.yml delete mode 100644 rules/windows/builtin/win_susp_run_locations.yml delete mode 100644 rules/windows/builtin/win_susp_rundll32_activity.yml delete mode 100644 rules/windows/builtin/win_susp_svchost.yml delete mode 100644 rules/windows/builtin/win_susp_sysprep_appdata.yml delete mode 100644 rules/windows/builtin/win_susp_sysvol_access.yml delete mode 100644 rules/windows/builtin/win_susp_whoami.yml delete mode 100644 rules/windows/builtin/win_wmi_persistence_script_event_consumer.yml delete mode 100644 rules/windows/malware/sysmon_malware_dridex.yml delete mode 100644 rules/windows/malware/sysmon_malware_notpetya.yml delete mode 100644 rules/windows/malware/sysmon_malware_wannacry.yml delete mode 100644 rules/windows/malware/win_mal_adwind.yml delete mode 100644 rules/windows/malware/win_mal_wannacry.yml delete mode 100644 
rules/windows/powershell/powershell_xor_commandline.yml create mode 100644 rules/windows/process_creation/powershell_xor_commandline.yml create mode 100644 rules/windows/process_creation/win_attrib_hiding_files.yml create mode 100644 rules/windows/process_creation/win_bypass_squiblytwo.yml create mode 100644 rules/windows/process_creation/win_cmdkey_recon.yml create mode 100644 rules/windows/process_creation/win_cmstp_com_object_access.yml rename rules/windows/{sysmon/sysmon_exploit_cve_2015_1641.yml => process_creation/win_exploit_cve_2015_1641.yml} (73%) create mode 100644 rules/windows/process_creation/win_exploit_cve_2017_0261.yml create mode 100644 rules/windows/process_creation/win_exploit_cve_2017_11882.yml rename rules/windows/{sysmon/sysmon_exploit_cve_2017_8759.yml => process_creation/win_exploit_cve_2017_8759.yml} (68%) create mode 100644 rules/windows/process_creation/win_hack_rubeus.yml create mode 100644 rules/windows/process_creation/win_lethalhta.yml create mode 100644 rules/windows/process_creation/win_mal_adwind.yml create mode 100644 rules/windows/process_creation/win_mal_wannacry.yml create mode 100644 rules/windows/process_creation/win_malware_dridex.yml create mode 100644 rules/windows/process_creation/win_malware_notpetya.yml create mode 100644 rules/windows/process_creation/win_malware_script_dropper.yml create mode 100644 rules/windows/process_creation/win_malware_wannacry.yml create mode 100644 rules/windows/process_creation/win_mavinject_proc_inj.yml create mode 100644 rules/windows/process_creation/win_mshta_spawn_shell.yml create mode 100644 rules/windows/process_creation/win_multiple_suspicious_cli.yml create mode 100644 rules/windows/process_creation/win_office_shell.yml create mode 100644 rules/windows/process_creation/win_plugx_susp_exe_locations.yml create mode 100644 rules/windows/process_creation/win_possible_applocker_bypass.yml create mode 100644 rules/windows/process_creation/win_powershell_amsi_bypass.yml create mode 100644 
rules/windows/process_creation/win_powershell_b64_shellcode.yml create mode 100644 rules/windows/process_creation/win_powershell_dll_execution.yml create mode 100644 rules/windows/process_creation/win_powershell_download.yml create mode 100644 rules/windows/process_creation/win_powershell_renamed_ps.yml create mode 100644 rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml create mode 100644 rules/windows/process_creation/win_psexesvc_start.yml create mode 100644 rules/windows/process_creation/win_sdbinst_shim_persistence.yml create mode 100644 rules/windows/process_creation/win_shell_spawn_susp_program.yml create mode 100644 rules/windows/process_creation/win_susp_certutil_command.yml create mode 100644 rules/windows/process_creation/win_susp_cli_escape.yml create mode 100644 rules/windows/process_creation/win_susp_cmd_http_appdata.yml create mode 100644 rules/windows/process_creation/win_susp_commands_recon_activity.yml create mode 100644 rules/windows/process_creation/win_susp_control_dll_load.yml create mode 100644 rules/windows/process_creation/win_susp_exec_folder.yml create mode 100644 rules/windows/process_creation/win_susp_execution_path.yml create mode 100644 rules/windows/process_creation/win_susp_execution_path_webserver.yml create mode 100644 rules/windows/process_creation/win_susp_iss_module_install.yml create mode 100644 rules/windows/process_creation/win_susp_mmc_source.yml create mode 100644 rules/windows/process_creation/win_susp_msiexec_web_install.yml create mode 100644 rules/windows/process_creation/win_susp_net_execution.yml create mode 100644 rules/windows/process_creation/win_susp_ntdsutil.yml create mode 100644 rules/windows/process_creation/win_susp_ping_hex_ip.yml create mode 100644 rules/windows/process_creation/win_susp_powershell_enc_cmd.yml create mode 100644 rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml create mode 100644 
rules/windows/process_creation/win_susp_powershell_parent_combo.yml create mode 100644 rules/windows/process_creation/win_susp_procdump.yml create mode 100644 rules/windows/process_creation/win_susp_process_creations.yml create mode 100644 rules/windows/process_creation/win_susp_ps_appdata.yml create mode 100644 rules/windows/process_creation/win_susp_rasdial_activity.yml create mode 100644 rules/windows/process_creation/win_susp_recon_activity.yml create mode 100644 rules/windows/process_creation/win_susp_regsvr32_anomalies.yml create mode 100644 rules/windows/process_creation/win_susp_run_locations.yml create mode 100644 rules/windows/process_creation/win_susp_rundll32_activity.yml create mode 100644 rules/windows/process_creation/win_susp_schtask_creation.yml create mode 100644 rules/windows/process_creation/win_susp_script_execution.yml create mode 100644 rules/windows/process_creation/win_susp_svchost.yml create mode 100644 rules/windows/process_creation/win_susp_sysprep_appdata.yml create mode 100644 rules/windows/process_creation/win_susp_sysvol_access.yml rename rules/windows/{sysmon/sysmon_susp_taskmgr_localsystem.yml => process_creation/win_susp_taskmgr_localsystem.yml} (55%) create mode 100644 rules/windows/process_creation/win_susp_taskmgr_parent.yml create mode 100644 rules/windows/process_creation/win_susp_tscon_localsystem.yml create mode 100644 rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml create mode 100644 rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml create mode 100644 rules/windows/process_creation/win_susp_whoami.yml create mode 100644 rules/windows/process_creation/win_susp_wmi_execution.yml create mode 100644 rules/windows/process_creation/win_system_exe_anomaly.yml create mode 100644 rules/windows/process_creation/win_vul_java_remote_debugging.yml create mode 100644 rules/windows/process_creation/win_webshell_detection.yml create mode 100644 rules/windows/process_creation/win_webshell_spawn.yml create 
mode 100644 rules/windows/process_creation/win_wmi_persistence_script_event_consumer.yml create mode 100644 rules/windows/process_creation/win_workflow_compiler.yml delete mode 100644 rules/windows/sysmon/sysmon_attrib_hiding_files.yml delete mode 100644 rules/windows/sysmon/sysmon_bypass_squiblytwo.yml delete mode 100644 rules/windows/sysmon/sysmon_cmdkey_recon.yml delete mode 100644 rules/windows/sysmon/sysmon_cmstp_com_object_access.yml delete mode 100644 rules/windows/sysmon/sysmon_exploit_cve_2017_0261.yml delete mode 100644 rules/windows/sysmon/sysmon_exploit_cve_2017_11882.yml delete mode 100644 rules/windows/sysmon/sysmon_lethalhta.yml delete mode 100644 rules/windows/sysmon/sysmon_malware_script_dropper.yml delete mode 100644 rules/windows/sysmon/sysmon_mshta_spawn_shell.yml delete mode 100644 rules/windows/sysmon/sysmon_office_shell.yml delete mode 100644 rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml delete mode 100644 rules/windows/sysmon/sysmon_powershell_amsi_bypass.yml delete mode 100644 rules/windows/sysmon/sysmon_powershell_dll_execution.yml delete mode 100644 rules/windows/sysmon/sysmon_powershell_download.yml delete mode 100644 rules/windows/sysmon/sysmon_powershell_renamed_ps.yml delete mode 100644 rules/windows/sysmon/sysmon_powershell_suspicious_parameter_variation.yml delete mode 100644 rules/windows/sysmon/sysmon_sdbinst_shim_persistence.yml delete mode 100644 rules/windows/sysmon/sysmon_shell_spawn_susp_program.yml delete mode 100644 rules/windows/sysmon/sysmon_susp_certutil_command.yml delete mode 100644 rules/windows/sysmon/sysmon_susp_cmd_http_appdata.yml delete mode 100644 rules/windows/sysmon/sysmon_susp_control_dll_load.yml delete mode 100644 rules/windows/sysmon/sysmon_susp_exec_folder.yml delete mode 100644 rules/windows/sysmon/sysmon_susp_execution_path.yml delete mode 100644 rules/windows/sysmon/sysmon_susp_execution_path_webserver.yml delete mode 100644 rules/windows/sysmon/sysmon_susp_mmc_source.yml delete mode 100644 
rules/windows/sysmon/sysmon_susp_net_execution.yml
delete mode 100644 rules/windows/sysmon/sysmon_susp_ping_hex_ip.yml
delete mode 100644 rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml
delete mode 100644 rules/windows/sysmon/sysmon_susp_recon_activity.yml
delete mode 100644 rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml
delete mode 100644 rules/windows/sysmon/sysmon_susp_schtask_creation.yml
delete mode 100644 rules/windows/sysmon/sysmon_susp_script_execution.yml
delete mode 100644 rules/windows/sysmon/sysmon_susp_svchost.yml
delete mode 100644 rules/windows/sysmon/sysmon_susp_taskmgr_parent.yml
delete mode 100644 rules/windows/sysmon/sysmon_susp_tscon_localsystem.yml
delete mode 100644 rules/windows/sysmon/sysmon_susp_tscon_rdp_redirect.yml
delete mode 100644 rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml
delete mode 100644 rules/windows/sysmon/sysmon_susp_wmi_execution.yml
delete mode 100644 rules/windows/sysmon/sysmon_system_exe_anomaly.yml
delete mode 100644 rules/windows/sysmon/sysmon_vul_java_remote_debugging.yml
delete mode 100644 rules/windows/sysmon/sysmon_webshell_detection.yml
delete mode 100644 rules/windows/sysmon/sysmon_webshell_spawn.yml
delete mode 100644 rules/windows/sysmon/sysmon_workflow_compiler.yml
diff --git a/rules/windows/builtin/win_hack_rubeus.yml b/rules/windows/builtin/win_hack_rubeus.yml
deleted file mode 100644
index 1d03d7836..000000000
--- a/rules/windows/builtin/win_hack_rubeus.yml
+++ /dev/null
@@ -1,52 +0,0 @@
----
-action: global
-title: Rubeus Hack Tool
-description: Detects command line parameters used by Rubeus hack tool
-author: Florian Roth
-references:
- - https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/
-date: 2018/12/19
-tags:
- - attack.credential_access
- - attack.t1003
- - attack.s0005
-detection:
- condition: selection
-falsepositives:
- - unlikely
-level: critical
----
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- CommandLine:
- - '* asreproast *'
- - '* dump /service:krbtgt *'
- - '* kerberoast *'
- - '* createnetonly /program:*'
- - '* ptt /ticket:*'
- - '* /impersonateuser:*'
- - '* renew /ticket:*'
- - '* asktgt /user:*'
- - '* harvest /interval:*'
----
-logsource:
- product: windows
- service: security
- definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection:
- EventID: 4688
- ProcessCommandLine:
- - '* asreproast *'
- - '* dump /service:krbtgt *'
- - '* kerberoast *'
- - '* createnetonly /program:*'
- - '* ptt /ticket:*'
- - '* /impersonateuser:*'
- - '* renew /ticket:*'
- - '* asktgt /user:*'
- - '* harvest /interval:*'
\ No newline at end of file
diff --git a/rules/windows/builtin/win_mavinject_proc_inj.yml b/rules/windows/builtin/win_mavinject_proc_inj.yml
deleted file mode 100644
index 4b2757140..000000000
--- a/rules/windows/builtin/win_mavinject_proc_inj.yml
+++ /dev/null
@@ -1,38 +0,0 @@
----
-action: global
-title: MavInject Process Injection
-status: experimental
-description: Detects process injection using the signed Windows tool Mavinject32.exe
-references:
- - https://twitter.com/gN3mes1s/status/941315826107510784
- - https://reaqta.com/2017/12/mavinject-microsoft-injector/
- - https://twitter.com/Hexacorn/status/776122138063409152
-author: Florian Roth
-date: 2018/12/12
-tags:
- - attack.process_injection
- - attack.t1055
- - attack.signed_binary_proxy_execution
- - attack.t1218
-detection:
- condition: selection
-falsepositives:
- - unknown
-level: critical
----
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- CommandLine: '* /INJECTRUNNING *'
----
-logsource:
- product: windows
- service: security
- definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection:
- EventID: 4688
- ProcessCommandLine: '* /INJECTRUNNING *'
diff --git a/rules/windows/builtin/win_multiple_suspicious_cli.yml b/rules/windows/builtin/win_multiple_suspicious_cli.yml
deleted file mode 100644
index 3065dad27..000000000
--- a/rules/windows/builtin/win_multiple_suspicious_cli.yml
+++ /dev/null
@@ -1,112 +0,0 @@
-action: global
-title: Quick Execution of a Series of Suspicious Commands
-description: Detects multiple suspicious process in a limited timeframe
-status: experimental
-references:
- - https://car.mitre.org/wiki/CAR-2013-04-002
-author: juju4
-modified: 2012/12/11
-falsepositives:
- - False positives depend on scripts and administrative tools used in the monitored environment
-level: low
----
-# Windows Audit Log
-logsource:
- product: windows
- service: security
- definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection:
- EventID: 4688
- ProcessCommandLine:
- - arp.exe
- - at.exe
- - attrib.exe
- - cscript.exe
- - dsquery.exe
- - hostname.exe
- - ipconfig.exe
- - mimikatz.exe
- - nbstat.exe
- - net.exe
- - netsh.exe
- - nslookup.exe
- - ping.exe
- - quser.exe
- - qwinsta.exe
- - reg.exe
- - runas.exe
- - sc.exe
- - schtasks.exe
- - ssh.exe
- - systeminfo.exe
- - taskkill.exe
- - telnet.exe
- - tracert.exe
- - wscript.exe
- - xcopy.exe
-# others
- - pscp.exe
- - copy.exe
- - robocopy.exe
- - certutil.exe
- - vssadmin.exe
- - powershell.exe
- - wevtutil.exe
- - psexec.exe
- - bcedit.exe
- - wbadmin.exe
- - icacls.exe
- - diskpart.exe
- timeframe: 5m
- condition: selection | count() by MachineName > 5
----
-# Sysmon
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- CommandLine:
- - arp.exe
- - at.exe
- - attrib.exe
- - cscript.exe
- - dsquery.exe
- - hostname.exe
- - ipconfig.exe
- - mimikatz.exe
- - nbstat.exe
- - net.exe
- - netsh.exe
- - nslookup.exe
- - ping.exe
- - quser.exe
- - qwinsta.exe
- - reg.exe
- - runas.exe
- - sc.exe
- - schtasks.exe
- - ssh.exe
- - systeminfo.exe
- - taskkill.exe
- - telnet.exe
- - tracert.exe
- - wscript.exe
- - xcopy.exe
-# others
- - pscp.exe
- - copy.exe
- - robocopy.exe
- - certutil.exe
- - vssadmin.exe
- - powershell.exe
- - wevtutil.exe
- - psexec.exe
- - bcedit.exe
- - wbadmin.exe
- - icacls.exe
- - diskpart.exe
- timeframe: 5m
- condition: selection | count() by MachineName > 5
\ No newline at end of file
diff --git a/rules/windows/builtin/win_plugx_susp_exe_locations.yml b/rules/windows/builtin/win_plugx_susp_exe_locations.yml
deleted file mode 100644
index b2520542e..000000000
--- a/rules/windows/builtin/win_plugx_susp_exe_locations.yml
+++ /dev/null
@@ -1,146 +0,0 @@
-title: Executable used by PlugX in Uncommon Location
-status: experimental
-description: Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location
-references:
- - 'http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/'
- - 'https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/'
-author: Florian Roth
-date: 2017/06/12
-tags:
- - attack.s0013
-logsource:
- product: windows
- service: security
-detection:
-
- # CamMute
- selection_cammute:
- EventID: 4688
- CommandLine: '*\CamMute.exe'
- filter_cammute:
- EventID: 4688
- CommandLine: '*\Lenovo\Communication Utility\*'
-
- # Chrome Frame Helper
- selection_chrome_frame:
- EventID: 4688
- CommandLine: '*\chrome_frame_helper.exe'
- filter_chrome_frame:
- EventID: 4688
- CommandLine: '*\Google\Chrome\application\*'
-
- # Microsoft Device Emulator
- selection_devemu:
- EventID: 4688
- CommandLine: '*\dvcemumanager.exe'
- filter_devemu:
- EventID: 4688
- CommandLine: '*\Microsoft Device Emulator\*'
-
- # Windows Media Player Gadget
- selection_gadget:
- EventID: 4688
- CommandLine: '*\Gadget.exe'
- filter_gadget:
- EventID: 4688
- CommandLine: '*\Windows Media Player\*'
-
- # HTML Help Workshop
- selection_hcc:
- EventID: 4688
- CommandLine: '*\hcc.exe'
- filter_hcc:
- EventID: 4688
- CommandLine: '*\HTML Help Workshop\*'
-
- # Hotkey Command Module for Intel Graphics Contollers
- selection_hkcmd:
- EventID: 4688
- CommandLine: '*\hkcmd.exe'
- filter_hkcmd:
- EventID: 4688
- CommandLine:
- - '*\System32\*'
- - '*\SysNative\*'
- - '*\SysWowo64\*'
-
- # McAfee component
- selection_mc:
- EventID: 4688
- CommandLine: '*\Mc.exe'
- filter_mc:
- EventID: 4688
- CommandLine:
- - '*\Microsoft Visual Studio*'
- - '*\Microsoft SDK*'
- - '*\Windows Kit*'
-
- # MsMpEng - Microsoft Malware Protection Engine
- selection_msmpeng:
- EventID: 4688
- CommandLine: '*\MsMpEng.exe'
- filter_msmpeng:
- EventID: 4688
- CommandLine:
- - '*\Microsoft Security Client\*'
- - '*\Windows Defender\*'
- - '*\AntiMalware\*'
-
- # Microsoft Security Center
- selection_msseces:
- EventID: 4688
- CommandLine: '*\msseces.exe'
- filter_msseces:
- EventID: 4688
- CommandLine: '*\Microsoft Security Center\*'
-
- # Microsoft Office 2003 OInfo
- selection_oinfo:
- EventID: 4688
- CommandLine: '*\OInfoP11.exe'
- filter_oinfo:
- EventID: 4688
- CommandLine: '*\Common Files\Microsoft Shared\*'
-
- # OLE View
- selection_oleview:
- EventID: 4688
- CommandLine: '*\OleView.exe'
- filter_oleview:
- EventID: 4688
- CommandLine:
- - '*\Microsoft Visual Studio*'
- - '*\Microsoft SDK*'
- - '*\Windows Kit*'
- - '*\Windows Resource Kit\*'
-
- # RC
- selection_rc:
- EventID: 4688
- CommandLine: '*\rc.exe'
- filter_rc:
- EventID: 4688
- CommandLine:
- - '*\Microsoft Visual Studio*'
- - '*\Microsoft SDK*'
- - '*\Windows Kit*'
- - '*\Windows Resource Kit\*'
- - '*\Microsoft.NET\*'
-
- condition: ( selection_cammute and not filter_cammute ) or
- ( selection_chrome_frame and not filter_chrome_frame ) or
- ( selection_devemu and not filter_devemu ) or
- ( selection_gadget and not filter_gadget ) or
- ( selection_hcc and not filter_hcc ) or
- ( selection_hkcmd and not filter_hkcmd ) or
- ( selection_mc and not filter_mc ) or
- ( selection_msmpeng and not filter_msmpeng ) or
- ( selection_msseces and not filter_msseces ) or
- ( selection_oinfo and not filter_oinfo ) or
- ( selection_oleview and not filter_oleview ) or
- ( selection_rc and not filter_rc )
-falsepositives:
- - Unknown
-level: high
-
-
diff --git a/rules/windows/builtin/win_possible_applocker_bypass.yml b/rules/windows/builtin/win_possible_applocker_bypass.yml
deleted file mode 100644
index 894a5e1f7..000000000
--- a/rules/windows/builtin/win_possible_applocker_bypass.yml
+++ /dev/null
@@ -1,44 +0,0 @@
-action: global
-title: Possible Applocker Bypass
-description: Detects execution of executables that can be used to bypass Applocker whitelisting
-status: experimental
-references:
- - https://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt
- - https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/
-author: juju4
-tags:
- - attack.defense_evasion
-detection:
- selection:
- CommandLine:
- - '*\msdt.exe*'
- - '*\installutil.exe*'
- - '*\regsvcs.exe*'
- - '*\regasm.exe*'
- - '*\regsvr32.exe*'
- - '*\msbuild.exe*'
- - '*\ieexec.exe*'
- - '*\mshta.exe*'
- # higher risk of false positives
-# - '*\cscript.EXE*'
- condition: selection
-falsepositives:
- - False positives depend on scripts and administrative tools used in the monitored environment
-level: low
----
-# Windows Audit Log
-logsource:
- product: windows
- service: security
- definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection:
- EventID: 4688
----
-# Sysmon
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
diff --git a/rules/windows/builtin/win_powershell_b64_shellcode.yml b/rules/windows/builtin/win_powershell_b64_shellcode.yml
deleted file mode 100644
index 7ccb1bffe..000000000
--- a/rules/windows/builtin/win_powershell_b64_shellcode.yml
+++ /dev/null
@@ -1,44 +0,0 @@
-action: global
-title: PowerShell Base64 Encoded Shellcode
-description: Detects Base64 encoded Shellcode
-status: experimental
-references:
- - https://twitter.com/cyb3rops/status/1063072865992523776
-author: Florian Roth
-date: 2018/11/17
-tags:
- - attack.defense_evasion
- - attack.t1036
-detection:
- condition: selection1 and selection2
-falsepositives:
- - Unknown
-level: critical
----
-# Windows Audit Log
-logsource:
- product: windows
- service: security
- description: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection1:
- EventID: 4688
- ProcessCommandLine: '*AAAAYInlM*'
- selection2:
- ProcessCommandLine:
- - '*OiCAAAAYInlM*'
- - '*OiJAAAAYInlM*'
----
-# Sysmon
-logsource:
- product: windows
- service: sysmon
-detection:
- selection1:
- EventID: 1
- CommandLine: '*AAAAYInlM*'
- selection2:
- CommandLine:
- - '*OiCAAAAYInlM*'
- - '*OiJAAAAYInlM*'
-
diff --git a/rules/windows/builtin/win_psexesvc_start.yml b/rules/windows/builtin/win_psexesvc_start.yml
deleted file mode 100644
index 08e517099..000000000
--- a/rules/windows/builtin/win_psexesvc_start.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-title: PsExec Service Start
-description: Detects a PsExec service start
-author: Florian Roth
-date: 2018/03/13
-modified: 2012/12/11
-tags:
- - attack.execution
- - attack.t1035
- - attack.s0029
-logsource:
- product: windows
- service: security
- definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection:
- EventID: 4688
- ProcessCommandLine: 'C:\Windows\PSEXESVC.exe'
- condition: 1 of them
-falsepositives:
- - Administrative activity
-level: low
\ No newline at end of file
diff --git a/rules/windows/builtin/win_susp_cli_escape.yml b/rules/windows/builtin/win_susp_cli_escape.yml
deleted file mode 100644
index 47b6ad7c0..000000000
--- a/rules/windows/builtin/win_susp_cli_escape.yml
+++ /dev/null
@@ -1,57 +0,0 @@
-action: global
-title: Suspicious Commandline Escape
-description: Detects suspicious process that use escape characters
-status: experimental
-references:
- - https://twitter.com/vysecurity/status/885545634958385153
- - https://twitter.com/Hexacorn/status/885553465417756673
- - https://twitter.com/Hexacorn/status/885570278637678592
- - https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html
- - http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/
-author: juju4
-modified: 2018/12/11
-tags:
- - attack.defense_evasion
- - attack.t1140
-detection:
- condition: selection
-falsepositives:
- - False positives depend on scripts and administrative tools used in the monitored environment
-level: low
----
-# Windows Audit Log
-logsource:
- product: windows
- service: security
- definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection:
- EventID: 4688
- ProcessCommandLine:
- #- '^'
- #- '@'
-# 0x002D -, 0x2013 , 0x2014 , 0x2015 ― ... FIXME! how to match hexa form?
- # - '-'
- # - '―'
- #- 'c:/'
- - ''
- - '^h^t^t^p'
- - 'h"t"t"p'
----
-# Sysmon
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- CommandLine:
- #- '^'
- #- '@'
-# 0x002D -, 0x2013 , 0x2014 , 0x2015 ― ... FIXME! how to match hexa form?
- # - '-'
- # - '―'
- #- 'c:/'
- - ''
- - '^h^t^t^p'
- - 'h"t"t"p'
\ No newline at end of file
diff --git a/rules/windows/builtin/win_susp_commands_recon_activity.yml b/rules/windows/builtin/win_susp_commands_recon_activity.yml
deleted file mode 100644
index 3710465fd..000000000
--- a/rules/windows/builtin/win_susp_commands_recon_activity.yml
+++ /dev/null
@@ -1,73 +0,0 @@
----
-action: global
-title: Reconnaissance Activity with Net Command
-status: experimental
-description: 'Detects a set of commands often used in recon stages by different attack groups'
-references:
- - https://twitter.com/haroonmeer/status/939099379834658817
- - https://twitter.com/c_APT_ure/status/939475433711722497
- - https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html
-author: Florian Roth, Markus Neis
-date: 2018/08/22
-modified: 2018/12/11
-tags:
- - attack.discovery
- - attack.t1073
- - attack.t1012
-detection:
- timeframe: 15s
- condition: selection | count() by CommandLine > 4
-falsepositives:
- - False positives depend on scripts and administrative tools used in the monitored environment
-level: medium
----
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- CommandLine:
- - 'tasklist'
- - 'net time'
- - 'systeminfo'
- - 'whoami'
- - 'nbtstat'
- - 'net start'
- - '*\net1 start'
- - 'qprocess'
- - 'nslookup'
- - 'hostname.exe'
- - '*\net1 user /domain'
- - '*\net1 group /domain'
- - '*\net1 group "domain admins" /domain'
- - '*\net1 group "Exchange Trusted Subsystem" /domain'
- - '*\net1 accounts /domain'
- - '*\net1 user net localgroup administrators'
- - 'netstat -an'
----
-logsource:
- product: windows
- service: security
- definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection:
- EventID: 4688
- ProcessCommandLine:
- - 'tasklist'
- - 'net time'
- - 'systeminfo'
- - 'whoami'
- - 'nbtstat'
- - 'net start'
- - '*\net1 start'
- - 'qprocess'
- - 'nslookup'
- - 'hostname.exe'
- - '*\net1 user /domain'
- - '*\net1 group /domain'
- - '*\net1 group "domain admins" /domain'
- - '*\net1 group "Exchange Trusted Subsystem" /domain'
- - '*\net1 accounts /domain'
- - '*\net1 user net localgroup administrators'
- - 'netstat -an'
diff --git a/rules/windows/builtin/win_susp_iss_module_install.yml b/rules/windows/builtin/win_susp_iss_module_install.yml
deleted file mode 100644
index 061265531..000000000
--- a/rules/windows/builtin/win_susp_iss_module_install.yml
+++ /dev/null
@@ -1,36 +0,0 @@
----
-action: global
-title: IIS Native-Code Module Command Line Installation
-description: Detects suspicious IIS native-code module installations via command line
-status: experimental
-references:
- - https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/
-author: Florian Roth
-modified: 2012/12/11
-tags:
- - attack.persistence
- - attack.t1100
-detection:
- condition: selection
-falsepositives:
- - Unknown as it may vary from organisation to arganisation how admins use to install IIS modules
-level: medium
----
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- CommandLine:
- - '*\APPCMD.EXE install module /name:*'
----
-logsource:
- product: windows
- service: security
- definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection:
- EventID: 4688
- ProcessCommandLine:
- - '*\APPCMD.EXE install module /name:*'
diff --git a/rules/windows/builtin/win_susp_msiexec_web_install.yml b/rules/windows/builtin/win_susp_msiexec_web_install.yml
deleted file mode 100644
index 3fd59bd01..000000000
--- a/rules/windows/builtin/win_susp_msiexec_web_install.yml
+++ /dev/null
@@ -1,34 +0,0 @@
----
-action: global
-title: MsiExec Web Install
-status: experimental
-description: Detects suspicious msiexec proess starts with web addreses as parameter
-references:
- - https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/
-author: Florian Roth
-date: 2018/02/09
-modified: 2012/12/11
-detection:
- condition: selection
-falsepositives:
- - False positives depend on scripts and administrative tools used in the monitored environment
-level: medium
----
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- CommandLine:
- - '* msiexec*:\/\/*'
----
-logsource:
- product: windows
- service: security
- definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection:
- EventID: 4688
- ProcessCommandLine:
- - '* msiexec*:\/\/*'
diff --git a/rules/windows/builtin/win_susp_ntdsutil.yml b/rules/windows/builtin/win_susp_ntdsutil.yml
deleted file mode 100644
index 0dd7b2051..000000000
--- a/rules/windows/builtin/win_susp_ntdsutil.yml
+++ /dev/null
@@ -1,34 +0,0 @@
----
-action: global
-title: Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)
-description: Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT)
-status: experimental
-references:
- - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm
-author: Thomas Patzke
-tags:
- - attack.credential_access
- - attack.t1003
-detection:
- selection:
- CommandLine: '*\ntdsutil.exe *'
- condition: selection
-falsepositives:
- - NTDS maintenance
-level: high
----
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
----
-logsource:
- product: windows
- service: security
- definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection:
- EventID: 4688
-
diff --git a/rules/windows/builtin/win_susp_powershell_enc_cmd.yml b/rules/windows/builtin/win_susp_powershell_enc_cmd.yml
deleted file mode 100644
index 1a6b9d7f0..000000000
--- a/rules/windows/builtin/win_susp_powershell_enc_cmd.yml
+++ /dev/null
@@ -1,43 +0,0 @@
----
-action: global
-title: Suspicious Encoded PowerShell Command Line
-description: Detects suspicious powershell process starts with base64 encoded commands
-status: experimental
-references:
- - https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e
-author: Florian Roth
-date: 2018/09/03
-detection:
- selection:
- CommandLine:
- # Command starts with '$' symbol
- - '* -e JAB*'
- - '* -enc JAB*'
- - '* -encodedcommand JAB*'
- # Google Rapid Response
- falsepositive1:
- Image: '*\GRR\*'
- # PowerSponse deployments
- falsepositive2:
- CommandLine: '* -ExecutionPolicy remotesigned *'
- condition: selection and not 1 of falsepositive*
-falsepositives:
- - GRR powershell hacks
- - PowerSponse Deployments
-level: high
----
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
----
-logsource:
- product: windows
- service: security
- definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection:
- EventID: 4688
-
diff --git a/rules/windows/builtin/win_susp_powershell_hidden_b64_cmd.yml b/rules/windows/builtin/win_susp_powershell_hidden_b64_cmd.yml
deleted file mode 100644
index 39d664d44..000000000
--- a/rules/windows/builtin/win_susp_powershell_hidden_b64_cmd.yml
+++ /dev/null
@@ -1,82 +0,0 @@
-title: Malicious Base64 encoded PowerShell Keywords in command lines
-status: experimental
-description: Detects base64 encoded strings used in hidden malicious PowerShell command lines
-references:
- - http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/
-tags:
- - attack.execution
- - attack.t1086
-author: John Lambert (rule)
-logsource:
- product: windows
- service: security
- definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- encoded:
- EventID: 4688
- Image: '*\powershell.exe'
- CommandLine: '* hidden *'
- selection:
- EventID: 4688
- CommandLine:
- # bitsadmin transfer
- - '*AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA*'
- - '*aXRzYWRtaW4gL3RyYW5zZmVy*'
- - '*IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA*'
- - '*JpdHNhZG1pbiAvdHJhbnNmZX*'
- - '*YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg*'
- - '*Yml0c2FkbWluIC90cmFuc2Zlc*'
- # chunk_size
- - '*AGMAaAB1AG4AawBfAHMAaQB6AGUA*'
- - '*JABjAGgAdQBuAGsAXwBzAGkAegBlA*'
- - '*JGNodW5rX3Npem*'
- - '*QAYwBoAHUAbgBrAF8AcwBpAHoAZQ*'
- - '*RjaHVua19zaXpl*'
- - '*Y2h1bmtfc2l6Z*'
- # IO.Compression
- - '*AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A*'
- - '*kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg*'
- - '*lPLkNvbXByZXNzaW9u*'
- - '*SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA*'
- - '*SU8uQ29tcHJlc3Npb2*'
- - '*Ty5Db21wcmVzc2lvb*'
- # IO.MemoryStream
- - '*AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ*'
- - '*kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA*'
- - '*lPLk1lbW9yeVN0cmVhb*'
- - '*SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A*'
- - '*SU8uTWVtb3J5U3RyZWFt*'
- - '*Ty5NZW1vcnlTdHJlYW*'
- # GetChunk
- - '*4ARwBlAHQAQwBoAHUAbgBrA*'
- - '*5HZXRDaHVua*'
- - '*AEcAZQB0AEMAaAB1AG4Aaw*'
- - '*LgBHAGUAdABDAGgAdQBuAGsA*'
- - '*LkdldENodW5r*'
- - '*R2V0Q2h1bm*'
- # THREAD INFO64
- - '*AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A*'
- - '*QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA*'
- - '*RIUkVBRF9JTkZPNj*'
- - '*SFJFQURfSU5GTzY0*'
- - '*VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA*'
- - '*VEhSRUFEX0lORk82N*'
- # CreateRemoteThread
- - '*AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA*'
- - '*cmVhdGVSZW1vdGVUaHJlYW*'
- - '*MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA*'
- - '*NyZWF0ZVJlbW90ZVRocmVhZ*'
- - '*Q3JlYXRlUmVtb3RlVGhyZWFk*'
- - '*QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA*'
- # memmove
- - '*0AZQBtAG0AbwB2AGUA*'
- - '*1lbW1vdm*'
- - '*AGUAbQBtAG8AdgBlA*'
- - '*bQBlAG0AbQBvAHYAZQ*'
- - '*bWVtbW92Z*'
- - '*ZW1tb3Zl*'
-
- condition: encoded and selection
-falsepositives:
- - Penetration tests
-level: high
diff --git a/rules/windows/builtin/win_susp_procdump.yml b/rules/windows/builtin/win_susp_procdump.yml
deleted file mode 100644
index 6909f423d..000000000
--- a/rules/windows/builtin/win_susp_procdump.yml
+++ /dev/null
@@ -1,49 +0,0 @@
-action: global
-title: Suspicious Use of Procdump
-description: Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This way we're also able to catch cases in which the attacker has renamed the procdump executable.
-status: experimental
-references:
- - Internal Research
-author: Florian Roth
-date: 2018/10/30
-tags:
- - attack.defense_evasion
- - attack.t1036
- - attack.credential_access
- - attack.t1003
-detection:
- condition: selection and selection1 and selection2
-falsepositives:
- - Unlikely, because no one should dump an lsass process memory
- - Another tool that uses the command line switches of Procdump
-level: medium
----
-# Windows Audit Log
-logsource:
- product: windows
- service: security
- definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection:
- EventID: 4688
- selection1:
- ProcessCommandLine:
- - "* -ma *"
- selection2:
- ProcessCommandLine:
- - '* lsass.exe*'
----
-# Sysmon
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- selection1:
- CommandLine:
- - "* -ma *"
- selection2:
- CommandLine:
- - '* lsass.exe*'
-
diff --git a/rules/windows/builtin/win_susp_process_creations.yml b/rules/windows/builtin/win_susp_process_creations.yml
deleted file mode 100644
index 10512e5ca..000000000
--- a/rules/windows/builtin/win_susp_process_creations.yml
+++ /dev/null
@@ -1,136 +0,0 @@
----
-action: global
-title: Suspicious Process Creation
-description: Detects suspicious process starts on Windows systems based on keywords
-status: experimental
-references:
- - https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/
- - https://www.youtube.com/watch?v=H3t_kHQG1Js&feature=youtu.be&t=15m35s
- - https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/
- - https://twitter.com/subTee/status/872244674609676288
- - https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/remote-tool-examples
- - https://tyranidslair.blogspot.ca/2017/07/dg-on-windows-10-s-executing-arbitrary.html
- - https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/
- - https://subt0x10.blogspot.ca/2017/04/bypassing-application-whitelisting.html
- - https://gist.github.com/subTee/7937a8ef07409715f15b84781e180c46#file-rat-bat
- - https://twitter.com/vector_sec/status/896049052642533376
-author: Florian Roth
-modified: 2012/12/11
-detection:
- condition: selection
-falsepositives:
- - False positives depend on scripts and administrative tools used in the monitored environment
-level: medium
----
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- CommandLine:
- # Hacking activity
- - 'vssadmin.exe delete shadows*'
- - 'vssadmin delete shadows*'
- - 'vssadmin create shadow /for=C:*'
- - 'copy \\?\GLOBALROOT\Device\*\windows\ntds\ntds.dit*'
- - 'copy \\?\GLOBALROOT\Device\*\config\SAM*'
- - 'reg SAVE HKLM\SYSTEM *'
- - '* sekurlsa:*'
- - 'net localgroup adminstrators * /add'
- - 'net group "Domain Admins" * /ADD /DOMAIN'
- - 'certutil.exe *-urlcache* http*'
- - 'certutil.exe *-urlcache* ftp*'
- # Malware
- - 'netsh advfirewall firewall *\AppData\*'
- - 'attrib +S +H +R *\AppData\*'
- - 'schtasks* /create *\AppData\*'
- - 'schtasks* /sc minute*'
- - '*\Regasm.exe *\AppData\*'
- - '*\Regasm *\AppData\*'
- - '*\bitsadmin* /transfer*'
- - '*\certutil.exe * -decode *'
- - '*\certutil.exe * -decodehex *'
- - '*\certutil.exe -ping *'
- - 'icacls * /grant Everyone:F /T /C /Q'
- - '* wmic shadowcopy delete *'
- - '* wbadmin.exe delete catalog -quiet*' # http://blog.talosintelligence.com/2018/02/olympic-destroyer.html
- # Scripts
- - '*\wscript.exe *.jse'
- - '*\wscript.exe *.js'
- - '*\wscript.exe *.vba'
- - '*\wscript.exe *.vbe'
- - '*\cscript.exe *.jse'
- - '*\cscript.exe *.js'
- - '*\cscript.exe *.vba'
- - '*\cscript.exe *.vbe'
- # UAC bypass
- - '*\fodhelper.exe'
- # persistence
- - '*waitfor*/s*'
- - '*waitfor*/si persist*'
- # remote
- - '*remote*/s*'
- - '*remote*/c*'
- - '*remote*/q*'
- # AddInProcess
- - '*AddInProcess*'
- # NotPowershell (nps) attack
- # - '*msbuild*' # too many false positives
----
-logsource:
- product: windows
- service: security
- definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection:
- EventID: 4688
- ProcessCommandLine:
- # Hacking activity
- - 'vssadmin.exe delete shadows*'
- - 'vssadmin delete shadows*'
- - 'vssadmin create shadow /for=C:*'
- - 'copy \\?\GLOBALROOT\Device\*\windows\ntds\ntds.dit*'
- - 'copy \\?\GLOBALROOT\Device\*\config\SAM*'
- - 'reg SAVE HKLM\SYSTEM *'
- - '* sekurlsa:*'
- - 'net localgroup adminstrators * /add'
- - 'net group "Domain Admins" * /ADD /DOMAIN'
- - 'certutil.exe *-urlcache* http*'
- - 'certutil.exe *-urlcache* ftp*'
- # Malware
- - 'netsh advfirewall firewall *\AppData\*'
- - 'attrib +S +H +R *\AppData\*'
- - 'schtasks* /create *\AppData\*'
- - 'schtasks* /sc minute*'
- - '*\Regasm.exe *\AppData\*'
- - '*\Regasm *\AppData\*'
- - '*\bitsadmin* /transfer*'
- - '*\certutil.exe * -decode *'
- - '*\certutil.exe * -decodehex *'
- - '*\certutil.exe -ping *'
- - 'icacls * /grant Everyone:F /T /C /Q'
- - '* wmic shadowcopy delete *'
- - '* wbadmin.exe delete catalog -quiet*' # http://blog.talosintelligence.com/2018/02/olympic-destroyer.html
- # Scripts
- - '*\wscript.exe *.jse'
- - '*\wscript.exe *.js'
- - '*\wscript.exe *.vba'
- - '*\wscript.exe *.vbe'
- - '*\cscript.exe *.jse'
- - '*\cscript.exe *.js'
- - '*\cscript.exe *.vba'
- - '*\cscript.exe *.vbe'
- # UAC bypass
- - '*\fodhelper.exe'
- # persistence
- - '*waitfor*/s*'
- - '*waitfor*/si persist*'
- # remote
- - '*remote*/s*'
- - '*remote*/c*'
- - '*remote*/q*'
- # AddInProcess
- - '*AddInProcess*'
- # NotPowershell (nps) attack
- # - '*msbuild*' # too many false positives
\ No newline at end of file
diff --git a/rules/windows/builtin/win_susp_ps_appdata.yml b/rules/windows/builtin/win_susp_ps_appdata.yml
deleted file mode 100644
index c7f1354e0..000000000
--- a/rules/windows/builtin/win_susp_ps_appdata.yml
+++ /dev/null
@@ -1,39 +0,0 @@
----
-action: global
-title: PowerShell Script Run in AppData
-status: experimental
-description: Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder
-references:
- - https://twitter.com/JohnLaTwC/status/1082851155481288706
- - https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03
-author: Florian Roth
-date: 2019/01/09
-logsource:
- product: windows
- service: sysmon
-detection:
- condition: selection
-falsepositives:
- - Administrative scripts
-level: medium
----
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- CommandLine:
- - '* /c powershell*\AppData\Local\*'
- - '* /c powershell*\AppData\Roaming\*'
----
-logsource:
- product: windows
- service: security
- definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection:
- EventID: 4688
- ProcessCommandLine:
- - '* /c powershell*\AppData\Local\*'
- - '* /c powershell*\AppData\Roaming\*'
\ No newline at end of file
diff --git a/rules/windows/builtin/win_susp_rasdial_activity.yml b/rules/windows/builtin/win_susp_rasdial_activity.yml
deleted file mode 100644
index 76676cfbf..000000000
--- a/rules/windows/builtin/win_susp_rasdial_activity.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-action: global
-title: Suspicious RASdial Activity
-description: Detects suspicious process related to rasdial.exe
-status: experimental
-references:
- - https://twitter.com/subTee/status/891298217907830785
-author: juju4
-detection:
- selection:
- CommandLine:
- - 'rasdial'
- condition: selection
-falsepositives:
- - False positives depend on scripts and administrative tools used in the monitored environment
-level: medium
----
-# Windows Audit Log
-logsource:
- product: windows
- service: security
- definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection:
- EventID: 4688
----
-# Sysmon
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
diff --git a/rules/windows/builtin/win_susp_run_locations.yml b/rules/windows/builtin/win_susp_run_locations.yml
deleted file mode 100644
index 11a26b524..000000000
--- a/rules/windows/builtin/win_susp_run_locations.yml
+++ /dev/null
@@ -1,38 +0,0 @@
-action: global
-title: Suspicious Process Start Locations
-description: Detects suspicious process run from unusual locations
-status: experimental
-references:
- - https://car.mitre.org/wiki/CAR-2013-05-002
-author: juju4
-tags:
- - attack.defense_evasion
- - attack.t1036
-detection:
- selection:
- CommandLine:
- - "*:\\RECYCLER\\*"
- - "*:\\SystemVolumeInformation\\*"
- - "%windir%\\Tasks\\*"
- - "%systemroot%\\debug\\*"
- condition: selection
-falsepositives:
- - False positives depend on scripts and administrative tools used in the monitored environment
-level: medium
----
-# Windows Audit Log
-logsource:
- product: windows
- service: security
- definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection:
- EventID: 4688
----
-# Sysmon
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
diff --git a/rules/windows/builtin/win_susp_rundll32_activity.yml b/rules/windows/builtin/win_susp_rundll32_activity.yml
deleted file mode 100644
index 872f40557..000000000
--- a/rules/windows/builtin/win_susp_rundll32_activity.yml
+++ /dev/null
@@ -1,51 +0,0 @@
-action: global
-title: Suspicious Rundll32 Activity
-description: Detects suspicious process related to rundll32 based on arguments
-status: experimental
-references:
- - http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/
- - https://twitter.com/Hexacorn/status/885258886428725250
- - https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52
-tags:
- - attack.defense_evasion
- - attack.execution
- - attack.t1085
-author: juju4
-detection:
- selection:
- CommandLine:
- # match with or without rundll32.exe to try to catch evasion
- - '*\rundll32.exe* url.dll,*OpenURL *'
- - '*\rundll32.exe* url.dll,*OpenURLA *'
- - '*\rundll32.exe* url.dll,*FileProtocolHandler *'
- - '*\rundll32.exe* zipfldr.dll,*RouteTheCall *'
- - '*\rundll32.exe* Shell32.dll,*Control_RunDLL *'
- - '*\rundll32.exe javascript:*'
- - '* url.dll,*OpenURL *'
- - '* url.dll,*OpenURLA *'
- - '* url.dll,*FileProtocolHandler *'
- - '* zipfldr.dll,*RouteTheCall *'
- - '* Shell32.dll,*Control_RunDLL *'
- - '* javascript:*'
- - '*.RegisterXLL*'
- condition: selection
-falsepositives:
- - False positives depend on scripts and administrative tools used in the monitored environment
----
-# Windows Audit Log
-logsource:
- product: windows
- service: security
- definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection:
- EventID: 4688
----
-# Sysmon
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
-level: medium
diff --git a/rules/windows/builtin/win_susp_svchost.yml b/rules/windows/builtin/win_susp_svchost.yml
deleted file mode 100644
index 9405f77d7..000000000
--- a/rules/windows/builtin/win_susp_svchost.yml
+++ /dev/null
@@ -1,49 +0,0 @@
----
-action: global
-title: Suspicious Svchost Processes
-description: Detects suspicious svchost processes with parent process that is not services.exe, command line missing -k parameter or running outside Windows folder
-author: Florian Roth, @c_APT_ure
-date: 2018/10/26
-status: experimental
-references:
- - https://twitter.com/Moti_B/status/1002280132143394816
- - https://twitter.com/Moti_B/status/1002280287840153601
-falsepositives:
- - Renamed %SystemRoot%s
-level: high
----
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- Image: '*\svchost.exe'
- filter1:
- ParentImage:
- - '*\services.exe'
- - '*\MsMpEng.exe'
- filter2:
- CommandLine: '* -k *'
- filter3:
- Image: 'C:\Windows\S*' # \* is a reserved expression
- condition: selection and not ( filter1 or filter2 or filter3 )
----
-logsource:
- product: windows
- service: security
- definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection:
- EventID: 4688
- NewProcessName: '*\svchost.exe'
- # Deactivated as long as some backends do not fully support the 'null' expression
- # filter2:
- # ProcessCommandLine:
- # - null # Missing KB3004375 and Group Policy setting
- # - '* -k *'
- filter3:
- NewProcessName: 'C:\Windows\S*' # \* is a reserved expression
- condition: selection and not filter3
-
-
diff --git a/rules/windows/builtin/win_susp_sysprep_appdata.yml b/rules/windows/builtin/win_susp_sysprep_appdata.yml
deleted file mode 100644
index 236c690b6..000000000
--- a/rules/windows/builtin/win_susp_sysprep_appdata.yml
+++ /dev/null
@@ -1,37 +0,0 @@
----
-action: global
-title: Sysprep on AppData Folder
-status: experimental
-description: Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec)
-references:
- - https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets
- - https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b
-author: Florian Roth
-date: 2018/06/22
-modified: 2018/12/11
-detection:
- condition: selection
-falsepositives:
- - False positives depend on scripts and administrative tools used in the monitored environment
-level: medium
----
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- CommandLine:
- - '*\sysprep.exe *\AppData\*'
- - 'sysprep.exe *\AppData\*'
----
-logsource:
- product: windows
- service: security
- definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection:
- EventID: 4688
- ProcessCommandLine:
- - '*\sysprep.exe *\AppData\*'
- - 'sysprep.exe *\AppData\*'
diff --git a/rules/windows/builtin/win_susp_sysvol_access.yml b/rules/windows/builtin/win_susp_sysvol_access.yml
deleted file mode 100644
index f79a58cd3..000000000
--- a/rules/windows/builtin/win_susp_sysvol_access.yml
+++ /dev/null
@@ -1,36 +0,0 @@
----
-action: global
-title: Suspicious SYSVOL Domain Group Policy Access
-status: experimental
-description: Detects Access to Domain Group Policies stored in SYSVOL
-references:
- - https://adsecurity.org/?p=2288
- - https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100
-author: Markus Neis
-date: 2018/04/09
-modified: 2018/12/11
-tags:
- - attack.credential_access
- - attack.t1003
-detection:
- condition: selection
-falsepositives:
- - administrative activity
-level: medium
----
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- CommandLine: '*\SYSVOL\*\policies\*'
----
-logsource:
- product: windows
- service: security
- definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection:
- EventID: 4688
- ProcessCommandLine: '*\SYSVOL\*\policies\*'
diff --git a/rules/windows/builtin/win_susp_whoami.yml b/rules/windows/builtin/win_susp_whoami.yml
deleted file mode 100644
index 3d8ab3d4d..000000000
--- a/rules/windows/builtin/win_susp_whoami.yml
+++ /dev/null
@@ -1,36 +0,0 @@
----
-action: global
-title: Whoami Execution
-status: experimental
-description: 'Detects the execution of whoami, which is often used by attackers after exloitation / privilege escalation but rarely used by administrators'
-references:
- - https://twitter.com/haroonmeer/status/939099379834658817
- - https://twitter.com/c_APT_ure/status/939475433711722497
-author: Florian Roth
-date: 2018/05/22
-tags:
- - attack.discovery
- - attack.t1033
-detection:
- condition: selection
-falsepositives:
- - Admin activity
- - Scripts and administrative tools used in the monitored environment
-level: high
----
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- CommandLine: 'whoami'
----
-logsource:
- product: windows
- service: security
- definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection:
- EventID: 4688
- NewProcessName: '*\whoami.exe'
diff --git a/rules/windows/builtin/win_wmi_persistence_script_event_consumer.yml b/rules/windows/builtin/win_wmi_persistence_script_event_consumer.yml
deleted file mode 100644
index ecedd03fd..000000000
--- a/rules/windows/builtin/win_wmi_persistence_script_event_consumer.yml
+++ /dev/null
@@ -1,36 +0,0 @@
----
-action: global
-title: WMI Persistence - Script Event Consumer
-status: experimental
-description: Detects WMI script event consumers
-references:
- - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/
-author: Thomas Patzke
-date: 2018/03/07
-tags:
- - attack.execution
- - attack.persistence
- - attack.t1047
-detection:
- selection:
- Image: 'C:\WINDOWS\system32\wbem\scrcons.exe'
- ParentImage: 'C:\Windows\System32\svchost.exe'
- condition: selection
-falsepositives:
- - Legitimate event consumers
-level: high
----
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
----
-logsource:
- product: windows
- service: security
- definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection:
- EventID: 4688
diff --git a/rules/windows/malware/sysmon_malware_dridex.yml b/rules/windows/malware/sysmon_malware_dridex.yml
deleted file mode 100644
index 9f351c5e7..000000000
--- a/rules/windows/malware/sysmon_malware_dridex.yml
+++ /dev/null
@@ -1,40 +0,0 @@
----
-action: global
-title: Dridex Process Pattern
-status: experimental
-description: Detects typical Dridex process patterns
-references:
- - https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3
-author: Florian Roth
-date: 2019/01/10
-logsource:
- product: windows
- service: sysmon
-detection:
- condition: 1 of them
-falsepositives:
- - Unlikely
-level: critical
----
-logsource:
- product: windows
- service: sysmon
-detection:
- selection1:
- EventID: 1
- CommandLine: '*\svchost.exe C:\Users\*\Desktop\*'
- selection2:
- EventID: 1
- ParentImage: '*\svchost.exe*'
- CommandLine:
- - '*whoami.exe /all'
- - '*net.exe view'
----
-logsource:
- product: windows
- service: security
- definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection:
- EventID: 4688
- ProcessCommandLine: '*\svchost.exe C:\Users\*\Desktop\*'
\ No newline at end of file
diff --git a/rules/windows/malware/sysmon_malware_notpetya.yml b/rules/windows/malware/sysmon_malware_notpetya.yml
deleted file mode 100644
index b6d8e50d0..000000000
--- a/rules/windows/malware/sysmon_malware_notpetya.yml
+++ /dev/null
@@ -1,43 +0,0 @@
-title: NotPetya Ransomware Activity
-status: experimental
-description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive C is deleted and windows eventlogs are cleared using wevtutil
-author: Florian Roth, Tom Ueltschi
-references:
- - https://securelist.com/schroedingers-petya/78870/
- - https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100
-tags:
- - attack.execution
- - attack.credential_access
- - attack.defense_evasion
- - attack.t1085
- - attack.t1070
- - attack.t1003
-logsource:
- product: windows
- service: sysmon
-detection:
- fsutil_clean_journal:
- EventID: 1
- Image: '*\fsutil.exe'
- CommandLine: '* deletejournal *'
- pipe_com:
- EventID: 1
- CommandLine: '*\AppData\Local\Temp\* \\.\pipe\*'
- event_clean:
- EventID: 1
- Image: '*\wevtutil.exe'
- CommandLine: '* cl *'
- rundll32_dash1:
- EventID: 1
- Image: '*\rundll32.exe'
- CommandLine: '*.dat,#1'
- perfc_keyword:
- - '*\perfc.dat*'
- condition: 1 of them
-fields:
- - CommandLine
- - ParentCommandLine
-falsepositives:
- - Admin activity
-level: critical
-
diff --git a/rules/windows/malware/sysmon_malware_wannacry.yml b/rules/windows/malware/sysmon_malware_wannacry.yml
deleted file mode 100644
index ee87ca239..000000000
--- a/rules/windows/malware/sysmon_malware_wannacry.yml
+++ /dev/null
@@ -1,41 +0,0 @@
-title: WannaCry Ransomware via Sysmon
-status: experimental
-description: Detects WannaCry ransomware activity via Sysmon
-references:
- - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100
-author: Florian Roth (rule), Tom U. @c_APT_ure (collection)
-logsource:
- product: windows
- service: sysmon
-detection:
- selection1:
- EventID: 1
- Image:
- - '*\tasksche.exe'
- - '*\mssecsvc.exe'
- - '*\taskdl.exe'
- - '*\@WanaDecryptor@*'
- - '*\taskhsvc.exe'
- - '*\taskse.exe'
- - '*\111.exe'
- - '*\lhdfrgui.exe'
- - '*\diskpart.exe' # Rare, but can be false positive
- - '*\linuxnew.exe'
- - '*\wannacry.exe'
- selection2:
- EventID: 1
- CommandLine:
- - '*vssadmin delete shadows*'
- - '*icacls * /grant Everyone:F /T /C /Q*'
- - '*bcdedit /set {default} recoveryenabled no*'
- - '*wbadmin delete catalog -quiet*'
- - '*@Please_Read_Me@.txt*'
- condition: 1 of them
-fields:
- - CommandLine
- - ParentCommandLine
-falsepositives:
- - Diskpart.exe usage to manage partitions on the local hard drive
-level: critical
-
-
diff --git a/rules/windows/malware/win_mal_adwind.yml b/rules/windows/malware/win_mal_adwind.yml
deleted file mode 100644
index e75b3094b..000000000
--- a/rules/windows/malware/win_mal_adwind.yml
+++ /dev/null
@@ -1,56 +0,0 @@ ---- -action: global -title: Adwind RAT / JRAT -status: experimental -description: Detects javaw.exe in AppData folder as used by Adwind / JRAT -references: - - https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100 - - https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf -author: Florian Roth, Tom Ueltschi -date: 2017/11/10 -modified: 2018/12/11 -detection: - condition: selection -level: high ---- -# Windows Security Eventlog: Process Creation with Full Command Line -logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' -detection: - selection: - EventID: 4688 - ProcessCommandLine: - - '*\AppData\Roaming\Oracle*\java*.exe *' - - '*cscript.exe *Retrive*.vbs *' ---- -# Sysmon: Process Creation (ID 1) -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - Image: '*\AppData\Roaming\Oracle\bin\java*.exe' ---- -# Sysmon: File Creation (ID 11) -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 11 - TargetFilename: - - '*\AppData\Roaming\Oracle\bin\java*.exe' - - '*\Retrive*.vbs' ---- -# Sysmon: Registry Value Set (ID 13) -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 13 - TargetObject: '\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run*' - Details: '%AppData%\Roaming\Oracle\bin\*' diff --git a/rules/windows/malware/win_mal_wannacry.yml b/rules/windows/malware/win_mal_wannacry.yml deleted file mode 100644 index 89a95be39..000000000 --- a/rules/windows/malware/win_mal_wannacry.yml +++ /dev/null 
@@ -1,67 +0,0 @@ -action: global -title: WannaCry Ransomware -description: Detects WannaCry Ransomware Activity -status: experimental -references: - - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa -author: Florian Roth -detection: - selection1: - CommandLine: - - '*vssadmin delete shadows*' - - '*icacls * /grant Everyone:F /T /C /Q*' - - '*bcdedit /set {default} recoveryenabled no*' - - '*wbadmin delete catalog -quiet*' - condition: 1 of them -falsepositives: - - Unknown -level: critical ---- -# Windows Audit Log -logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' -detection: - selection1: - # Requires group policy 'Audit Process Creation' > Include command line in process creation events - EventID: 4688 - selection2: - # Does not require group policy 'Audit Process Creation' > Include command line in process creation events - EventID: 4688 - NewProcessName: - - '*\tasksche.exe' - - '*\mssecsvc.exe' - - '*\taskdl.exe' - - '*\WanaDecryptor*' - - '*\taskhsvc.exe' - - '*\taskse.exe' - - '*\111.exe' - - '*\lhdfrgui.exe' - - '*\diskpart.exe' # Rare, but can be false positive - - '*\linuxnew.exe' - - '*\wannacry.exe' ---- -# Sysmon -logsource: - product: windows - service: sysmon -detection: - selection1: - # Requires group policy 'Audit Process Creation' > Include command line in process creation events - EventID: 1 - selection2: - # Does not require group policy 'Audit Process Creation' > Include command line in process creation events - EventID: 1 - Image: - - '*\tasksche.exe' - - '*\mssecsvc.exe' - - '*\taskdl.exe' - - '*\WanaDecryptor*' - - '*\taskhsvc.exe' - - '*\taskse.exe' - - '*\111.exe' - - '*\lhdfrgui.exe' - - '*\diskpart.exe' # Rare, but can be false positive - - '*\linuxnew.exe' - - '*\wannacry.exe' 
diff --git a/rules/windows/powershell/powershell_xor_commandline.yml b/rules/windows/powershell/powershell_xor_commandline.yml deleted file mode 100644 index 57e4c60ec..000000000 --- a/rules/windows/powershell/powershell_xor_commandline.yml +++ /dev/null @@ -1,29 +0,0 @@ -action: global -title: Suspicious XOR Encoded PowerShell Command Line -description: Detects suspicious powershell process which includes bxor command, alternatvide obfuscation method to b64 encoded commands. -status: experimental -author: Sami Ruohonen -date: 2018/09/05 -detection: - selection: - CommandLine: - - '* -bxor*' - condition: selection -falsepositives: - - unknown -level: medium ---- -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 ---- -logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' -detection: - selection: - EventID: 4688 diff --git a/rules/windows/process_creation/powershell_xor_commandline.yml b/rules/windows/process_creation/powershell_xor_commandline.yml new file mode 100644 index 000000000..b6274ff57 --- /dev/null +++ b/rules/windows/process_creation/powershell_xor_commandline.yml @@ -0,0 +1,16 @@ +title: Suspicious XOR Encoded PowerShell Command Line +description: Detects suspicious powershell process which includes bxor command, alternatvide obfuscation method to b64 encoded commands. +status: experimental +author: Sami Ruohonen +date: 2018/09/05 +detection: + selection: + CommandLine: + - '* -bxor*' + condition: selection +falsepositives: + - unknown +level: medium +logsource: + category: process_creation + product: windows diff --git a/rules/windows/process_creation/win_attrib_hiding_files.yml b/rules/windows/process_creation/win_attrib_hiding_files.yml new file mode 100644 index 000000000..b86350d61 --- /dev/null +++ b/rules/windows/process_creation/win_attrib_hiding_files.yml 
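Review bot: The selection matches `'* -bxor*'` on any process's command line with no `Image` constraint, so the title "Suspicious XOR Encoded PowerShell Command Line" promises more than the rule checks; if the omission is deliberate (to also catch renamed hosts), a one-line comment above `selection:` saying so would stop the next reader from "fixing" it, otherwise add `Image: '*\powershell.exe'`. The description also carries over the typo `alternatvide` — should be `alternative`.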
@@ -0,0 +1,30 @@ +title: Hiding files with attrib.exe +status: experimental +description: Detects usage of attrib.exe to hide files from users. +author: Sami Ruohonen +logsource: + category: process_creation + product: windows +detection: + selection: + Image: '*\attrib.exe' + CommandLine: '* +h *' + ini: + CommandLine: '*\desktop.ini *' + intel: + ParentImage: '*\cmd.exe' + CommandLine: +R +H +S +A \*.cui + ParentCommandLine: C:\WINDOWS\system32\\*.bat + condition: selection and not (ini or intel) +fields: + - CommandLine + - ParentCommandLine + - User +tags: + - attack.defense_evasion + - attack.persistence + - attack.t1158 +falsepositives: + - igfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe) + - msiexec.exe hiding desktop.ini +level: low diff --git a/rules/windows/process_creation/win_bypass_squiblytwo.yml b/rules/windows/process_creation/win_bypass_squiblytwo.yml new file mode 100644 index 000000000..94e8515b2 --- /dev/null +++ b/rules/windows/process_creation/win_bypass_squiblytwo.yml @@ -0,0 +1,34 @@ +title: SquiblyTwo +status: experimental +description: Detects WMI SquiblyTwo Attack with possible renamed WMI by looking for imphash +references: + - https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html + - https://twitter.com/mattifestation/status/986280382042595328 +tags: + - attack.defense_evasion + - attack.t1047 +author: Markus Neis / Florian Roth +falsepositives: + - Unknown +level: medium +logsource: + category: process_creation + product: windows +detection: + selection1: + Image: + - '*\wmic.exe' + CommandLine: + - wmic * *format:\"http* + - wmic * /format:'http + - wmic * /format:http* + selection2: + Imphash: + - 1B1A3F43BF37B5BFE60751F2EE2F326E + - 37777A96245A3C74EB217308F3546F4C + - 9D87C9D67CE724033C0B40CC4CA1B206 + CommandLine: + - '* *format:\"http*' + - '* /format:''http' + - '* /format:http*' + condition: 1 of them 
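Review bot: Both the selection `CommandLine: '* +h *'` and the `ini` filter `CommandLine: '*\desktop.ini *'` require a trailing space, so an invocation where `+h` or `desktop.ini` is the last token is neither matched nor filtered; for the filter that means the msiexec desktop.ini case listed under `falsepositives` still fires. Use `'*\desktop.ini*'` for the filter, and if a last-token match is wanted for the selection `'* +h*'` (at the cost of matching any token beginning with `+h`). The unquoted values `+R +H +S +A \*.cui` and `C:\WINDOWS\system32\\*.bat` are valid plain scalars, but quoting them like every other value in the file makes the leading `+` and the backslash escapes unambiguous.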
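Review bot: The entries `wmic * /format:'http` in selection1 and `'* /format:''http'` in selection2 have no trailing wildcard, so under Sigma's whole-value matching they only hit a command line that ends exactly in `/format:'http` and never the real `/format:'http://…'` form; their `http*` siblings show the intended shape, so these should read `wmic * /format:'http*` and `'* /format:''http*'`. selection1's values also anchor at the start with `wmic `, which misses invocations whose command line begins with a quoted full path; selection2 is not affected. The unquoted `wmic * *format:\"http*` parses, but quoting it like its selection2 twin keeps the escaping of `\"` readable.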
diff --git a/rules/windows/process_creation/win_cmdkey_recon.yml b/rules/windows/process_creation/win_cmdkey_recon.yml new file mode 100644 index 000000000..8ec873a87 --- /dev/null +++ b/rules/windows/process_creation/win_cmdkey_recon.yml @@ -0,0 +1,22 @@ +title: Cmdkey Cached Credentials Recon +status: experimental +description: Detects usage of cmdkey to look for cached credentials +references: + - https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation + - https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx +author: jmallette +logsource: + category: process_creation + product: windows +detection: + selection: + Image: '*\cmdkey.exe' + CommandLine: '* /list *' + condition: selection +fields: + - CommandLine + - ParentCommandLine + - User +falsepositives: + - Legitimate administrative tasks. +level: low diff --git a/rules/windows/process_creation/win_cmstp_com_object_access.yml b/rules/windows/process_creation/win_cmstp_com_object_access.yml new file mode 100644 index 000000000..5faf82be6 --- /dev/null +++ b/rules/windows/process_creation/win_cmstp_com_object_access.yml 
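Review bot: `CommandLine: '* /list *'` requires a space after `/list`, so the plain `cmdkey /list` invocation — where `/list` is the last token — does not match. `'* /list*'` covers both that form and `/list:target`, which is the same cached-credential enumeration the rule describes.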
@@ -0,0 +1,32 @@ +title: CMSTP UAC Bypass via COM Object Access +status: stable +description: Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects +tags: + - attack.defense_evasion + - attack.privilege_escalation + - attack.execution + - attack.t1088 + - attack.t1191 + - attack.g0069 +author: Nik Seetharaman +references: + - http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/ + - https://twitter.com/hFireF0X/status/897640081053364225 +logsource: + category: process_creation + product: windows +detection: + selection1: + ParentCommandLine: '*\DllHost.exe' + selection2: + ParentCommandLine: + - '*\{3E5FC7F9-9A51-4367-9063-A120244FBEC7}' + - '*\{3E000D72-A845-4CD9-BD83-80C07C3B881F}' + condition: selection1 and selection2 +fields: + - CommandLine + - ParentCommandLine + - Hashes +falsepositives: + - Legitimate CMSTP use (unlikely in modern enterprise environments) +level: high diff --git a/rules/windows/sysmon/sysmon_exploit_cve_2015_1641.yml b/rules/windows/process_creation/win_exploit_cve_2015_1641.yml similarity index 73% rename from rules/windows/sysmon/sysmon_exploit_cve_2015_1641.yml rename to rules/windows/process_creation/win_exploit_cve_2015_1641.yml index d4abdd93c..ce3befeae 100644 --- a/rules/windows/sysmon/sysmon_exploit_cve_2015_1641.yml +++ b/rules/windows/process_creation/win_exploit_cve_2015_1641.yml @@ -7,14 +7,13 @@ references: author: Florian Roth date: 2018/02/22 logsource: - product: windows - service: sysmon + category: process_creation + product: windows detection: - selection: - EventID: 1 - ParentImage: '*\WINWORD.EXE' - Image: '*\MicroScMgmt.exe ' - condition: selection + selection: + ParentImage: '*\WINWORD.EXE' + Image: '*\MicroScMgmt.exe ' + condition: selection falsepositives: - - Unknown + - Unknown level: critical 
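Review bot: `condition: selection1 and selection2` can never be true as written: both selections constrain the same field `ParentCommandLine` with end-anchored values (`'*\DllHost.exe'` and `'*\{…}'`), and one string cannot end in both. The DllHost check belongs on the parent image, and the CLSID appears in dllhost's command line after `/Processid:` rather than after a backslash, so the values should be `ParentImage: '*\DllHost.exe'`, `- '*{3E5FC7F9-9A51-4367-9063-A120244FBEC7}*'` and `- '*{3E000D72-A845-4CD9-BD83-80C07C3B881F}*'`. A rule marked `status: stable` whose condition cannot fire should get a test event before merging.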
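Review bot: `Image: '*\MicroScMgmt.exe '` keeps a trailing space inside the quotes (carried over from the Sysmon version), so the value only matches an image path ending in a space and the rule cannot fire; it should be `Image: '*\MicroScMgmt.exe'`. The 2017_8759 rename in this same commit uses the correct form `Image: '*\csc.exe'`, so this is the only rule affected.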
diff --git a/rules/windows/process_creation/win_exploit_cve_2017_0261.yml b/rules/windows/process_creation/win_exploit_cve_2017_0261.yml new file mode 100644 index 000000000..fcfabffcf --- /dev/null +++ b/rules/windows/process_creation/win_exploit_cve_2017_0261.yml @@ -0,0 +1,18 @@ +title: Exploit for CVE-2017-0261 +status: experimental +description: Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262 +references: + - https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html +author: Florian Roth +date: 2018/02/22 +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage: '*\WINWORD.EXE' + Image: '*\FLTLDR.exe*' + condition: selection +falsepositives: + - Several false positives identified, check for suspicious file names or locations (e.g. Temp folders) +level: medium diff --git a/rules/windows/process_creation/win_exploit_cve_2017_11882.yml b/rules/windows/process_creation/win_exploit_cve_2017_11882.yml new file mode 100644 index 000000000..922d2ea57 --- /dev/null +++ b/rules/windows/process_creation/win_exploit_cve_2017_11882.yml @@ -0,0 +1,20 @@ +title: Droppers exploiting CVE-2017-11882 +status: experimental +description: Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe +references: + - https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100 + - https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw +author: Florian Roth +date: 2017/11/23 +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage: '*\EQNEDT32.EXE' + condition: selection +fields: + - CommandLine +falsepositives: + - unknown +level: critical 
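Review bot: The second reference in the CVE-2017-11882 rule is a Google redirect wrapper with mail-tracking parameters (`…google.com/url?hl=en&q=https://embedi.com/…&source=gmail&ust=…`) that may stop resolving; replace it with the direct link `https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about`. The detection itself, `ParentImage: '*\EQNEDT32.EXE'`, is sound for the stated purpose.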
diff --git a/rules/windows/sysmon/sysmon_exploit_cve_2017_8759.yml b/rules/windows/process_creation/win_exploit_cve_2017_8759.yml similarity index 68% rename from rules/windows/sysmon/sysmon_exploit_cve_2017_8759.yml rename to rules/windows/process_creation/win_exploit_cve_2017_8759.yml index 7267b3d3e..b08742ff1 100644 --- a/rules/windows/sysmon/sysmon_exploit_cve_2017_8759.yml +++ b/rules/windows/process_creation/win_exploit_cve_2017_8759.yml @@ -1,4 +1,4 @@ -title: Exploit for CVE-2017-8759 +title: Exploit for CVE-2017-8759 description: Detects Winword starting uncommon sub process csc.exe as used in exploits for CVE-2017-8759 references: - https://www.hybrid-analysis.com/sample/0b4ef455e385b750d9f90749f1467eaf00e46e8d6c2885c260e1b78211a51684?environmentId=100 @@ -6,14 +6,13 @@ references: author: Florian Roth date: 15.09.2017 logsource: - product: windows - service: sysmon + category: process_creation + product: windows detection: - selection: - EventID: 1 - ParentImage: '*\WINWORD.EXE' - Image: '*\csc.exe' - condition: selection + selection: + ParentImage: '*\WINWORD.EXE' + Image: '*\csc.exe' + condition: selection falsepositives: - - Unknown + - Unknown level: critical diff --git a/rules/windows/process_creation/win_hack_rubeus.yml b/rules/windows/process_creation/win_hack_rubeus.yml new file mode 100644 index 000000000..16884c73b --- /dev/null +++ b/rules/windows/process_creation/win_hack_rubeus.yml 
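Review bot: `date: 15.09.2017` uses a day-first format while every other rule in this commit uses `YYYY/MM/DD` (e.g. `date: 2018/02/22` in the 2015_1641 rule); write it as `date: 2017/09/15` so date-based tooling sorts and parses it consistently. The `-title`/`+title` pair at the top of the hunk shows no visible difference, so it is presumably a trailing-whitespace fix; worth confirming that is all that changed.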
@@ -0,0 +1,29 @@ +title: Rubeus Hack Tool +description: Detects command line parameters used by Rubeus hack tool +author: Florian Roth +references: + - https://www.harmj0y.net/blog/redteaming/from-kekeo-to-rubeus/ +date: 2018/12/19 +tags: + - attack.credential_access + - attack.t1003 + - attack.s0005 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: + - '* asreproast *' + - '* dump /service:krbtgt *' + - '* kerberoast *' + - '* createnetonly /program:*' + - '* ptt /ticket:*' + - '* /impersonateuser:*' + - '* renew /ticket:*' + - '* asktgt /user:*' + - '* harvest /interval:*' + condition: selection +falsepositives: + - unlikely +level: critical diff --git a/rules/windows/process_creation/win_lethalhta.yml b/rules/windows/process_creation/win_lethalhta.yml new file mode 100644 index 000000000..86d4dac8a --- /dev/null +++ b/rules/windows/process_creation/win_lethalhta.yml @@ -0,0 +1,18 @@ +title: MSHTA spwaned by SVCHOST as seen in LethalHTA +status: experimental +description: Detects MSHTA.EXE spwaned by SVCHOST described in report +references: + - https://codewhitesec.blogspot.com/2018/07/lethalhta.html +author: Markus Neis +date: 2018/06/07 +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage: '*\svchost.exe' + Image: '*\mshta.exe' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/win_mal_adwind.yml b/rules/windows/process_creation/win_mal_adwind.yml new file mode 100644 index 000000000..916c2f4c0 --- /dev/null +++ b/rules/windows/process_creation/win_mal_adwind.yml 
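Review bot: The rule declares no `status:` field, unlike the other new rules in this commit (the LethalHTA rule below carries `status: experimental`); add `status: experimental` after the title so tooling that filters on status treats it like its siblings. The command-line-only selection with no `Image` constraint is a reasonable choice for a tool that can be renamed, and a one-line comment stating that intent above `selection:` would make it explicit.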
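Review bot: `spwaned` is misspelled in both the title and the description of the LethalHTA rule; use `title: MSHTA spawned by SVCHOST as seen in LethalHTA` and `description: Detects MSHTA.EXE spawned by SVCHOST described in report`. Since the detection is a plain parent/child pair (`svchost.exe` → `mshta.exe`), naming the report in the description would save the reader a trip to the reference.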
@@ -0,0 +1,48 @@ +action: global +title: Adwind RAT / JRAT +status: experimental +description: Detects javaw.exe in AppData folder as used by Adwind / JRAT +references: + - https://www.hybrid-analysis.com/sample/ba86fa0d4b6af2db0656a88b1dd29f36fe362473ae8ad04255c4e52f214a541c?environmentId=100 + - https://www.first.org/resources/papers/conf2017/Advanced-Incident-Detection-and-Threat-Hunting-using-Sysmon-and-Splunk.pdf +author: Florian Roth, Tom Ueltschi +date: 2017/11/10 +modified: 2018/12/11 +detection: + condition: selection +level: high +--- +logsource: + category: process_creation + product: windows +detection: + selection: + ProcessCommandLine: + - '*\AppData\Roaming\Oracle*\java*.exe *' + - '*cscript.exe *Retrive*.vbs *' +--- +logsource: + category: process_creation + product: windows +detection: + selection: + Image: '*\AppData\Roaming\Oracle\bin\java*.exe' +--- +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 11 + TargetFilename: + - '*\AppData\Roaming\Oracle\bin\java*.exe' + - '*\Retrive*.vbs' +--- +logsource: + product: windows + service: sysmon +detection: + selection: + EventID: 13 + TargetObject: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run* + Details: '%AppData%\Roaming\Oracle\bin\*' diff --git a/rules/windows/process_creation/win_mal_wannacry.yml b/rules/windows/process_creation/win_mal_wannacry.yml new file mode 100644 index 000000000..c8571db81 --- /dev/null +++ b/rules/windows/process_creation/win_mal_wannacry.yml 
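Review bot: The first `process_creation` document still uses `ProcessCommandLine`, the Security 4688 field name left over from the old service-specific document, while every other process_creation rule in this commit uses `CommandLine`; backends that map `CommandLine` for the category will pass `ProcessCommandLine` through unmapped, so that selection would not match Sysmon-fed data. Rename it to `CommandLine:` — the global `condition: selection` then works for both process_creation documents. `TargetObject: \REGISTRY\MACHINE\…\Run*` lost its quotes in the move; it still parses, but quoting it like the `Details:` value on the next line keeps the escaping uniform.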
@@ -0,0 +1,33 @@ +title: WannaCry Ransomware +description: Detects WannaCry Ransomware Activity +status: experimental +references: + - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa +author: Florian Roth +logsource: + category: process_creation + product: windows +detection: + selection1: + CommandLine: + - '*vssadmin delete shadows*' + - '*icacls * /grant Everyone:F /T /C /Q*' + - '*bcdedit /set {default} recoveryenabled no*' + - '*wbadmin delete catalog -quiet*' + selection2: + Image: + - '*\tasksche.exe' + - '*\mssecsvc.exe' + - '*\taskdl.exe' + - '*\WanaDecryptor*' + - '*\taskhsvc.exe' + - '*\taskse.exe' + - '*\111.exe' + - '*\lhdfrgui.exe' + - '*\diskpart.exe' + - '*\linuxnew.exe' + - '*\wannacry.exe' + condition: 1 of them +falsepositives: + - Unknown +level: critical diff --git a/rules/windows/process_creation/win_malware_dridex.yml b/rules/windows/process_creation/win_malware_dridex.yml new file mode 100644 index 000000000..aa3c5aac3 --- /dev/null +++ b/rules/windows/process_creation/win_malware_dridex.yml @@ -0,0 +1,22 @@ +title: Dridex Process Pattern +status: experimental +description: Detects typical Dridex process patterns +references: + - https://app.any.run/tasks/993daa5e-112a-4ff6-8b5a-edbcec7c7ba3 +author: Florian Roth +date: 2019/01/10 +logsource: + category: process_creation + product: windows +detection: + selection1: + CommandLine: '*\svchost.exe C:\Users\*\Desktop\*' + selection2: + ParentImage: '*\svchost.exe*' + CommandLine: + - '*whoami.exe /all' + - '*net.exe view' + condition: 1 of them +falsepositives: + - Unlikely +level: critical diff --git a/rules/windows/process_creation/win_malware_notpetya.yml b/rules/windows/process_creation/win_malware_notpetya.yml new file mode 100644 index 000000000..d35144875 --- /dev/null +++ b/rules/windows/process_creation/win_malware_notpetya.yml 
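Review bot: After this conversion `win_mal_wannacry.yml` and `win_malware_wannacry.yml` (the "WannaCry Ransomware via Sysmon" hunk further down) are near-duplicates on the same `process_creation` logsource: the same eleven image names and four command lines, the second adding only `'*\@WanaDecryptor@*'`, `'*@Please_Read_Me@.txt*'` and a `fields` list. Keeping both doubles alerts per event; fold the two extra patterns into one file and drop the other, or document why both exist. The `# Rare, but can be false positive` comment on the `diskpart.exe` entry was dropped here while `falsepositives` still says `Unknown`; restoring it keeps the caveat next to the pattern.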
@@ -0,0 +1,39 @@ +title: NotPetya Ransomware Activity +status: experimental +description: Detects NotPetya ransomware activity in which the extracted passwords are passed back to the main module via named pipe, the file system journal of drive + C is deleted and windows eventlogs are cleared using wevtutil +author: Florian Roth, Tom Ueltschi +references: + - https://securelist.com/schroedingers-petya/78870/ + - https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100 +tags: + - attack.execution + - attack.credential_access + - attack.defense_evasion + - attack.t1085 + - attack.t1070 + - attack.t1003 +logsource: + category: process_creation + product: windows +detection: + fsutil_clean_journal: + Image: '*\fsutil.exe' + CommandLine: '* deletejournal *' + pipe_com: + CommandLine: '*\AppData\Local\Temp\* \\.\pipe\*' + event_clean: + Image: '*\wevtutil.exe' + CommandLine: '* cl *' + rundll32_dash1: + Image: '*\rundll32.exe' + CommandLine: '*.dat,#1' + perfc_keyword: + - '*\perfc.dat*' + condition: 1 of them +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - Admin activity +level: critical diff --git a/rules/windows/process_creation/win_malware_script_dropper.yml b/rules/windows/process_creation/win_malware_script_dropper.yml new file mode 100644 index 000000000..2c14688d0 --- /dev/null +++ b/rules/windows/process_creation/win_malware_script_dropper.yml 
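Review bot: `perfc_keyword` is a bare list (`- '*\perfc.dat*'`) rather than a field-bound selection, so it is a full-text keyword search; on a `process_creation` logsource some backends cannot express that, and those that can will scan every field of the event. Binding it like its siblings — `perfc_keyword:` / `CommandLine: '*\perfc.dat*'` — keeps the rule convertible everywhere and is consistent with `rundll32_dash1`, which already looks for the `.dat` on the command line. The folded `description:` (`drive` / `C is deleted`) is valid YAML, but a `>-` block scalar would make the wrap explicit.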
@@ -0,0 +1,33 @@ +title: WScript or CScript Dropper +status: experimental +description: Detects wscript/cscript executions of scripts located in user directories +author: Margaritis Dimitrios (idea), Florian Roth (rule) +logsource: + category: process_creation + product: windows +detection: + selection: + Image: + - '*\wscript.exe' + - '*\cscript.exe' + CommandLine: + - '* C:\Users\*.jse *' + - '* C:\Users\*.vbe *' + - '* C:\Users\*.js *' + - '* C:\Users\*.vba *' + - '* C:\Users\*.vbs *' + - '* C:\ProgramData\*.jse *' + - '* C:\ProgramData\*.vbe *' + - '* C:\ProgramData\*.js *' + - '* C:\ProgramData\*.vba *' + - '* C:\ProgramData\*.vbs *' + falsepositive: + ParentImage: '*\winzip*' + condition: selection +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - Winzip + - Other self-extractors +level: high diff --git a/rules/windows/process_creation/win_malware_wannacry.yml b/rules/windows/process_creation/win_malware_wannacry.yml new file mode 100644 index 000000000..f8639f654 --- /dev/null +++ b/rules/windows/process_creation/win_malware_wannacry.yml 
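Review bot: The `falsepositive` selection (`ParentImage: '*\winzip*'`) is defined but `condition: selection` never references it, so the WinZip exclusion promised under `falsepositives` is dead and those self-extractor executions still alert at level high. Change it to `condition: selection and not falsepositive`, or remove the block if the exclusion is no longer wanted. Naming the block `filter_winzip` would also keep it visually apart from the `falsepositives` metadata key.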
@@ -0,0 +1,37 @@ +title: WannaCry Ransomware via Sysmon +status: experimental +description: Detects WannaCry ransomware activity via Sysmon +references: + - https://www.hybrid-analysis.com/sample/ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa?environmentId=100 +author: Florian Roth (rule), Tom U. @c_APT_ure (collection) +logsource: + category: process_creation + product: windows +detection: + selection1: + Image: + - '*\tasksche.exe' + - '*\mssecsvc.exe' + - '*\taskdl.exe' + - '*\@WanaDecryptor@*' + - '*\taskhsvc.exe' + - '*\taskse.exe' + - '*\111.exe' + - '*\lhdfrgui.exe' + - '*\diskpart.exe' + - '*\linuxnew.exe' + - '*\wannacry.exe' + selection2: + CommandLine: + - '*vssadmin delete shadows*' + - '*icacls * /grant Everyone:F /T /C /Q*' + - '*bcdedit /set {default} recoveryenabled no*' + - '*wbadmin delete catalog -quiet*' + - '*@Please_Read_Me@.txt*' + condition: 1 of them +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - Diskpart.exe usage to manage partitions on the local hard drive +level: critical diff --git a/rules/windows/process_creation/win_mavinject_proc_inj.yml b/rules/windows/process_creation/win_mavinject_proc_inj.yml new file mode 100644 index 000000000..4b049a114 --- /dev/null +++ b/rules/windows/process_creation/win_mavinject_proc_inj.yml 
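Review bot: The title `WannaCry Ransomware via Sysmon` and `description: Detects WannaCry ransomware activity via Sysmon` are now inaccurate, since the logsource is the generic `process_creation` category that also covers Security 4688 events; drop the suffix, e.g. `title: WannaCry Ransomware Activity`. The `diskpart.exe` entry lost its `# Rare, but can be false positive` comment in the move even though `falsepositives` still describes exactly that case; restoring it keeps the caveat next to the pattern.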
@@ -0,0 +1,24 @@ +title: MavInject Process Injection +status: experimental +description: Detects process injection using the signed Windows tool Mavinject32.exe +references: + - https://twitter.com/gN3mes1s/status/941315826107510784 + - https://reaqta.com/2017/12/mavinject-microsoft-injector/ + - https://twitter.com/Hexacorn/status/776122138063409152 +author: Florian Roth +date: 2018/12/12 +tags: + - attack.process_injection + - attack.t1055 + - attack.signed_binary_proxy_execution + - attack.t1218 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: '* /INJECTRUNNING *' + condition: selection +falsepositives: + - unknown +level: critical diff --git a/rules/windows/process_creation/win_mshta_spawn_shell.yml b/rules/windows/process_creation/win_mshta_spawn_shell.yml new file mode 100644 index 000000000..7710a22a9 --- /dev/null +++ b/rules/windows/process_creation/win_mshta_spawn_shell.yml @@ -0,0 +1,37 @@ +title: MSHTA Spawning Windows Shell +status: experimental +description: Detects a Windows command line executable started from MSHTA. +references: + - https://www.trustedsec.com/july-2015/malicious-htas/ +author: Michael Haag +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage: '*\mshta.exe' + Image: + - '*\cmd.exe' + - '*\powershell.exe' + - '*\wscript.exe' + - '*\cscript.exe' + - '*\sh.exe' + - '*\bash.exe' + - '*\reg.exe' + - '*\regsvr32.exe' + - '*\BITSADMIN*' + filter: + CommandLine: + - '*/HP/HP*' + - '*\HP\HP*' + condition: selection and not filter +fields: + - CommandLine + - ParentCommandLine +tags: + - attack.defense_evasion + - attack.execution + - attack.t1170 +falsepositives: + - Printer software / driver installations +level: high diff --git a/rules/windows/process_creation/win_multiple_suspicious_cli.yml b/rules/windows/process_creation/win_multiple_suspicious_cli.yml new file mode 100644 index 000000000..7e0fbecb6 --- /dev/null 
+++ b/rules/windows/process_creation/win_multiple_suspicious_cli.yml @@ -0,0 +1,56 @@ +title: Quick Execution of a Series of Suspicious Commands +description: Detects multiple suspicious process in a limited timeframe +status: experimental +references: + - https://car.mitre.org/wiki/CAR-2013-04-002 +author: juju4 +modified: 2012/12/11 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: + - arp.exe + - at.exe + - attrib.exe + - cscript.exe + - dsquery.exe + - hostname.exe + - ipconfig.exe + - mimikatz.exe + - nbstat.exe + - net.exe + - netsh.exe + - nslookup.exe + - ping.exe + - quser.exe + - qwinsta.exe + - reg.exe + - runas.exe + - sc.exe + - schtasks.exe + - ssh.exe + - systeminfo.exe + - taskkill.exe + - telnet.exe + - tracert.exe + - wscript.exe + - xcopy.exe + - pscp.exe + - copy.exe + - robocopy.exe + - certutil.exe + - vssadmin.exe + - powershell.exe + - wevtutil.exe + - psexec.exe + - bcedit.exe + - wbadmin.exe + - icacls.exe + - diskpart.exe + timeframe: 5m + condition: selection | count() by MachineName > 5 +falsepositives: + - False positives depend on scripts and administrative tools used in the monitored environment +level: low diff --git a/rules/windows/process_creation/win_office_shell.yml b/rules/windows/process_creation/win_office_shell.yml new file mode 100644 index 000000000..dc1ced424 --- /dev/null +++ b/rules/windows/process_creation/win_office_shell.yml 
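Review bot: Every `CommandLine` entry is a bare executable name with no wildcard (`- arp.exe`, `- net.exe`, …), and Sigma values without wildcards must equal the whole field, so a real command line such as `ipconfig  /all` or one carrying a full path never matches and the `count() by MachineName > 5` aggregation never triggers. Match on the image instead — `Image: '*\arp.exe'` and likewise for each entry — which also avoids counting a process merely because an argument mentions a tool name. `bcedit.exe` looks like a typo for `bcdedit.exe`, and `modified: 2012/12/11` predates the 2013 CAR reference it cites, so presumably `2018/12/11`.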
@@ -0,0 +1,52 @@ +title: Microsoft Office Product Spawning Windows Shell +status: experimental +description: Detects a Windows command line executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio. +references: + - https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100 + - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html + - https://www2.cybereason.com/asset/60:research-cobalt-kitty-attack-lifecycle +tags: + - attack.execution + - attack.defense_evasion + - attack.t1059 + - attack.T1202 +author: Michael Haag, Florian Roth, Markus Neis +date: 2018/04/06 +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage: + - '*\WINWORD.EXE' + - '*\EXCEL.EXE' + - '*\POWERPNT.exe' + - '*\MSPUB.exe' + - '*\VISIO.exe' + - '*\OUTLOOK.EXE' + Image: + - '*\cmd.exe' + - '*\powershell.exe' + - '*\wscript.exe' + - '*\cscript.exe' + - '*\sh.exe' + - '*\bash.exe' + - '*\scrcons.exe' + - '*\schtasks.exe' + - '*\regsvr32.exe' + - '*\hh.exe' + - '*\wmic.exe' + - '*\mshta.exe' + - '*\rundll32.exe' + - '*\msiexec.exe' + - '*\forfiles.exe' + - '*\scriptrunner.exe' + - '*\mftrace.exe' + - '*\AppVLP.exe' + condition: selection +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - unknown +level: high diff --git a/rules/windows/process_creation/win_plugx_susp_exe_locations.yml b/rules/windows/process_creation/win_plugx_susp_exe_locations.yml new file mode 100644 index 000000000..a465f0016 --- /dev/null +++ b/rules/windows/process_creation/win_plugx_susp_exe_locations.yml 
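Review bot: `attack.T1202` is the only tag in this commit with an uppercase technique id; every other tag (`attack.t1059` on the line above, `attack.t1086` elsewhere) is lowercase and tag filtering is usually exact-match, so write `- attack.t1202`. The parent list includes `'*\OUTLOOK.EXE'` although the title and description only name Word, Excel, PowerPoint, Publisher and Visio; add Outlook to the description so the metadata matches the selection.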
@@ -0,0 +1,88 @@ +title: Executable used by PlugX in Uncommon Location - Sysmon Version +status: experimental +description: Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location +references: + - http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/ + - https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/ +author: Florian Roth +date: 2017/06/12 +logsource: + category: process_creation + product: windows +detection: + selection_cammute: + Image: '*\CamMute.exe' + filter_cammute: + Image: '*\Lenovo\Communication Utility\*' + selection_chrome_frame: + Image: '*\chrome_frame_helper.exe' + filter_chrome_frame: + Image: '*\Google\Chrome\application\*' + selection_devemu: + Image: '*\dvcemumanager.exe' + filter_devemu: + Image: '*\Microsoft Device Emulator\*' + selection_gadget: + Image: '*\Gadget.exe' + filter_gadget: + Image: '*\Windows Media Player\*' + selection_hcc: + Image: '*\hcc.exe' + filter_hcc: + Image: '*\HTML Help Workshop\*' + selection_hkcmd: + Image: '*\hkcmd.exe' + filter_hkcmd: + Image: + - '*\System32\*' + - '*\SysNative\*' + - '*\SysWowo64\*' + selection_mc: + Image: '*\Mc.exe' + filter_mc: + Image: + - '*\Microsoft Visual Studio*' + - '*\Microsoft SDK*' + - '*\Windows Kit*' + selection_msmpeng: + Image: '*\MsMpEng.exe' + filter_msmpeng: + Image: + - '*\Microsoft Security Client\*' + - '*\Windows Defender\*' + - '*\AntiMalware\*' + selection_msseces: + Image: '*\msseces.exe' + filter_msseces: + Image: '*\Microsoft Security Center\*' + selection_oinfo: + Image: '*\OInfoP11.exe' + filter_oinfo: + Image: '*\Common Files\Microsoft Shared\*' + selection_oleview: + Image: '*\OleView.exe' + filter_oleview: + Image: + - '*\Microsoft Visual Studio*' + - '*\Microsoft SDK*' + - '*\Windows Kit*' + - '*\Windows Resource Kit\*' + selection_rc: + Image: '*\rc.exe' + filter_rc: + Image: + - '*\Microsoft Visual Studio*' + - '*\Microsoft 
SDK*' + - '*\Windows Kit*' + - '*\Windows Resource Kit\*' + - '*\Microsoft.NET\*' + condition: ( selection_cammute and not filter_cammute ) or ( selection_chrome_frame and not filter_chrome_frame ) or ( selection_devemu and not filter_devemu ) + or ( selection_gadget and not filter_gadget ) or ( selection_hcc and not filter_hcc ) or ( selection_hkcmd and not filter_hkcmd ) or ( selection_mc and not filter_mc + ) or ( selection_msmpeng and not filter_msmpeng ) or ( selection_msseces and not filter_msseces ) or ( selection_oinfo and not filter_oinfo ) or ( selection_oleview + and not filter_oleview ) or ( selection_rc and not filter_rc ) +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/win_possible_applocker_bypass.yml b/rules/windows/process_creation/win_possible_applocker_bypass.yml new file mode 100644 index 000000000..72490fdd8 --- /dev/null +++ b/rules/windows/process_creation/win_possible_applocker_bypass.yml @@ -0,0 +1,27 @@ +title: Possible Applocker Bypass +description: Detects execution of executables that can be used to bypass Applocker whitelisting +status: experimental +references: + - https://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt + - https://room362.com/post/2014/2014-01-16-application-whitelist-bypass-using-ieexec-dot-exe/ +author: juju4 +tags: + - attack.defense_evasion +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: + - '*\msdt.exe*' + - '*\installutil.exe*' + - '*\regsvcs.exe*' + - '*\regasm.exe*' + - '*\regsvr32.exe*' + - '*\msbuild.exe*' + - '*\ieexec.exe*' + - '*\mshta.exe*' + condition: selection +falsepositives: + - False positives depend on scripts and administrative tools used in the monitored environment +level: low 
diff --git a/rules/windows/process_creation/win_powershell_amsi_bypass.yml b/rules/windows/process_creation/win_powershell_amsi_bypass.yml new file mode 100644 index 000000000..05837d3f3 --- /dev/null +++ b/rules/windows/process_creation/win_powershell_amsi_bypass.yml @@ -0,0 +1,25 @@ +title: Powershell AMSI Bypass via .NET Reflection +status: experimental +description: Detects Request to amsiInitFailed that can be used to disable AMSI Scanning +references: + - https://twitter.com/mattifestation/status/735261176745988096 + - https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120 +tags: + - attack.execution + - attack.t1086 +author: Markus Neis +date: 2018/08/17 +logsource: + category: process_creation + product: windows +detection: + selection1: + CommandLine: + - '*System.Management.Automation.AmsiUtils*' + selection2: + CommandLine: + - '*amsiInitFailed*' + condition: selection1 and selection2 + falsepositives: + - Potential Admin Activity +level: high diff --git a/rules/windows/process_creation/win_powershell_b64_shellcode.yml b/rules/windows/process_creation/win_powershell_b64_shellcode.yml new file mode 100644 index 000000000..b63c8d062 --- /dev/null +++ b/rules/windows/process_creation/win_powershell_b64_shellcode.yml @@ -0,0 +1,24 @@ +title: PowerShell Base64 Encoded Shellcode +description: Detects Base64 encoded Shellcode +status: experimental +references: + - https://twitter.com/cyb3rops/status/1063072865992523776 +author: Florian Roth +date: 2018/11/17 +tags: + - attack.defense_evasion + - attack.t1036 +logsource: + category: process_creation + product: windows +detection: + selection1: + CommandLine: '*AAAAYInlM*' + selection2: + CommandLine: + - '*OiCAAAAYInlM*' + - '*OiJAAAAYInlM*' + condition: selection1 and selection2 +falsepositives: + - Unknown +level: critical 
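Review bot: `falsepositives:` in the AMSI-bypass rule is indented under `detection:` (the hunk shows `+ falsepositives:` with the same leading space as `+ condition:`), so it becomes a detection entry holding a bare list instead of top-level rule metadata; Sigma tooling will either treat it as an unreferenced keyword selection or reject it, and the rule ends up with no falsepositives field. Outdent `falsepositives:` and its `- Potential Admin Activity` item to column 0 like every other rule here.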
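Review bot: In the base64-shellcode rule, both selection2 values `'*OiCAAAAYInlM*'` and `'*OiJAAAAYInlM*'` contain selection1's `'*AAAAYInlM*'`, so `selection1 and selection2` is equivalent to `selection2` alone and selection1 only adds a second scan of the command line. Either drop selection1 and use `condition: selection2`, or keep it with a comment explaining why the shorter substring is retained.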
diff --git a/rules/windows/process_creation/win_powershell_dll_execution.yml b/rules/windows/process_creation/win_powershell_dll_execution.yml new file mode 100644 index 000000000..200743312 --- /dev/null +++ b/rules/windows/process_creation/win_powershell_dll_execution.yml @@ -0,0 +1,28 @@ +title: Detection of PowerShell Execution via DLL +status: experimental +description: Detects PowerShell Strings applied to rundllas seen in PowerShdll.dll +references: + - https://github.com/p3nt4/PowerShdll/blob/master/README.md +tags: + - attack.execution + - attack.t1086 +author: Markus Neis +date: 2018/08/25 +logsource: + category: process_creation + product: windows +detection: + selection1: + Image: + - '*\rundll32.exe' + selection2: + Description: + - '*Windows-Hostprozess (Rundll32)*' + selection3: + CommandLine: + - '*Default.GetString*' + - '*FromBase64String*' + condition: (selection1 or selection2) and selection3 +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/win_powershell_download.yml b/rules/windows/process_creation/win_powershell_download.yml new file mode 100644 index 000000000..76f29ceba --- /dev/null +++ b/rules/windows/process_creation/win_powershell_download.yml @@ -0,0 +1,23 @@ +title: PowerShell Download from URL +status: experimental +description: Detects a Powershell process that contains download commands in its command line string +author: Florian Roth +tags: + - attack.t1086 + - attack.execution +logsource: + category: process_creation + product: windows +detection: + selection: + Image: '*\powershell.exe' + CommandLine: + - '*new-object system.net.webclient).downloadstring(*' + - '*new-object system.net.webclient).downloadfile(*' + condition: selection +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - unknown +level: medium 
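Review bot: `selection2` in win_powershell_dll_execution.yml matches the German file description `Windows-Hostprozess (Rundll32)`, so it adds coverage only on German-localized Windows; on every other locale the rule depends entirely on the `selection1` image match. Either drop `selection2` as redundant or add the English description string as a second entry, taking the exact text from a rundll32.exe binary rather than guessing it. The description text `rundllas seen` appears to be missing a space (`rundll as seen`).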
diff --git a/rules/windows/process_creation/win_powershell_renamed_ps.yml b/rules/windows/process_creation/win_powershell_renamed_ps.yml new file mode 100644 index 000000000..b975cf091 --- /dev/null +++ b/rules/windows/process_creation/win_powershell_renamed_ps.yml @@ -0,0 +1,26 @@ +title: Renamed Powershell.exe +status: experimental +description: Detects copying and renaming of powershell.exe before execution (RETEFE malware DOC/macro starting Sept 2018) +references: + - https://attack.mitre.org/techniques/T1086/ + - https://isc.sans.edu/forums/diary/Maldoc+Duplicating+PowerShell+Prior+to+Use/24254/ +tags: + - attack.t1086 + - attack.execution +author: Tom Ueltschi (@c_APT_ure) +logsource: + category: process_creation + product: windows +detection: + selection: + Description: Windows PowerShell + exclusion_1: + Image: + - powershell.exe + - powershell_ise.exe + exclusion_2: + Description: Windows PowerShell ISE + condition: all of selection and not (1 of exclusion_*) +falsepositives: + - penetration tests, red teaming +level: high diff --git a/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml b/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml new file mode 100644 index 000000000..7ae0a669d --- /dev/null +++ b/rules/windows/process_creation/win_powershell_suspicious_parameter_variation.yml 
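Review bot: `exclusion_1` in win_powershell_renamed_ps.yml lists the bare file names `powershell.exe` and `powershell_ise.exe`, but Sigma values without wildcards are exact matches and `Image` carries the full path, so the exclusion never matches and every ordinary PowerShell start with description `Windows PowerShell` would alert. Use the path-wildcard form the other rules in this commit use: `- '*\powershell.exe'` and `- '*\powershell_ise.exe'`.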
@@ -0,0 +1,61 @@ +title: Suspicious PowerShell Parameter Substring +status: experimental +description: Detects suspicious PowerShell invocation with a parameter substring +references: + - http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier +tags: + - attack.execution + - attack.t1086 +author: Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix) +logsource: + category: process_creation + product: windows +detection: + selection: + Image: + - '*\Powershell.exe' + CommandLine: + - ' -windowstyle h ' + - ' -windowstyl h' + - ' -windowsty h' + - ' -windowst h' + - ' -windows h' + - ' -windo h' + - ' -wind h' + - ' -win h' + - ' -wi h' + - ' -win h ' + - ' -win hi ' + - ' -win hid ' + - ' -win hidd ' + - ' -win hidde ' + - ' -NoPr ' + - ' -NoPro ' + - ' -NoProf ' + - ' -NoProfi ' + - ' -NoProfil ' + - ' -nonin ' + - ' -nonint ' + - ' -noninte ' + - ' -noninter ' + - ' -nonintera ' + - ' -noninterac ' + - ' -noninteract ' + - ' -noninteracti ' + - ' -noninteractiv ' + - ' -ec ' + - ' -encodedComman ' + - ' -encodedComma ' + - ' -encodedComm ' + - ' -encodedCom ' + - ' -encodedCo ' + - ' -encodedC ' + - ' -encoded ' + - ' -encode ' + - ' -encod ' + - ' -enco ' + - ' -en ' + condition: selection +falsepositives: + - Penetration tests +level: high diff --git a/rules/windows/process_creation/win_psexesvc_start.yml b/rules/windows/process_creation/win_psexesvc_start.yml new file mode 100644 index 000000000..1c8f9ae18 --- /dev/null +++ b/rules/windows/process_creation/win_psexesvc_start.yml 
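Review bot: The CommandLine list in win_powershell_suspicious_parameter_variation.yml contains `' -win h '` twice, and the `Image` value `'*\Powershell.exe'` is capitalized while every other rule in this commit writes `'*\powershell.exe'`; on a case-sensitive backend the capitalized form misses the normal image name. Remove the duplicate entry and change the image to `- '*\powershell.exe'`.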
@@ -0,0 +1,19 @@ +title: PsExec Service Start +description: Detects a PsExec service start +author: Florian Roth +date: 2018/03/13 +modified: 2012/12/11 +tags: + - attack.execution + - attack.t1035 + - attack.s0029 +logsource: + category: process_creation + product: windows +detection: + selection: + ProcessCommandLine: C:\Windows\PSEXESVC.exe + condition: 1 of them +falsepositives: + - Administrative activity +level: low diff --git a/rules/windows/process_creation/win_sdbinst_shim_persistence.yml b/rules/windows/process_creation/win_sdbinst_shim_persistence.yml new file mode 100644 index 000000000..c71f452b6 --- /dev/null +++ b/rules/windows/process_creation/win_sdbinst_shim_persistence.yml @@ -0,0 +1,23 @@ +title: Possible Shim Database Persistence via sdbinst.exe +status: experimental +description: Detects execution of sdbinst writing to default shim database path C:\Windows\AppPatch\* +references: + - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html +tags: + - attack.persistence + - attack.t1138 +author: Markus Neis +date: 2018-08-03 +logsource: + category: process_creation + product: windows +detection: + selection: + Image: + - '*\sdbinst.exe' + CommandLine: + - '*\AppPatch\*}.sdb*' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/win_shell_spawn_susp_program.yml b/rules/windows/process_creation/win_shell_spawn_susp_program.yml new file mode 100644 index 000000000..108daa255 --- /dev/null +++ b/rules/windows/process_creation/win_shell_spawn_susp_program.yml 
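Review bot: win_psexesvc_start.yml still uses the Security/4688 field name `ProcessCommandLine` although the rule is now a generic process_creation rule, so the `CommandLine` mapping that the other converted rules rely on does not apply and the rule will not match on Sysmon-sourced events. Rename the field: `CommandLine: C:\Windows\PSEXESVC.exe`. `modified: 2012/12/11` predates `date: 2018/03/13` and is presumably 2018/12/11; the same `2012/12/11` value appears in win_susp_iss_module_install.yml, win_susp_msiexec_web_install.yml and win_susp_process_creations.yml.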
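Review bot: `date: 2018-08-03` in win_sdbinst_shim_persistence.yml uses dashes while every other rule in this commit writes `YYYY/MM/DD`; the dashed form is also an implicit timestamp in YAML 1.1, so loaders return a date object instead of a string. Write `date: 2018/08/03`.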
@@ -0,0 +1,33 @@ +title: Windows Shell Spawning Suspicious Program +status: experimental +description: Detects a suspicious child process of a Windows shell +references: + - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html +author: Florian Roth +date: 2018/04/06 +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage: + - '*\mshta.exe' + - '*\powershell.exe' + - '*\cmd.exe' + - '*\rundll32.exe' + - '*\cscript.exe' + - '*\wscript.exe' + - '*\wmiprvse.exe' + Image: + - '*\schtasks.exe' + - '*\nslookup.exe' + - '*\certutil.exe' + - '*\bitsadmin.exe' + - '*\mshta.exe' + condition: selection +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - Administrative scripts +level: high diff --git a/rules/windows/process_creation/win_susp_certutil_command.yml b/rules/windows/process_creation/win_susp_certutil_command.yml new file mode 100644 index 000000000..b464a8015 --- /dev/null +++ b/rules/windows/process_creation/win_susp_certutil_command.yml 
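Review bot: win_shell_spawn_susp_program.yml carries no `tags:` block, unlike the neighbouring rules in this commit, so tooling that groups rules by ATT&CK tag cannot place it. `wmiprvse.exe` in `ParentImage` is the WMI provider host rather than a shell, which neither title nor description mentions; a comment such as `# wmiprvse.exe: covers children spawned through WMI` would document why it is in the list.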
@@ -0,0 +1,42 @@ +title: Suspicious Certutil Command +status: experimental +description: Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code with + the built-in certutil utility +author: Florian Roth, juju4 +modified: 2018/12/11 +references: + - https://twitter.com/JohnLaTwC/status/835149808817991680 + - https://twitter.com/subTee/status/888102593838362624 + - https://twitter.com/subTee/status/888071631528235010 + - https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/ + - https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/ +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: + - '*certutil * -decode *' + - '*certutil * -decodehex *' + - '*certutil *-urlcache* http*' + - '*certutil *-urlcache* ftp*' + - '*certutil *-URL*' + - '*certutil *-ping*' + - '*certutil.exe * -decode *' + - '*certutil.exe * -decodehex *' + - '*certutil.exe *-urlcache* http*' + - '*certutil.exe *-urlcache* ftp*' + - '*certutil.exe *-URL*' + - '*certutil.exe *-ping*' + condition: selection +fields: + - CommandLine + - ParentCommandLine +tags: + - attack.defense_evasion + - attack.t1140 + - attack.s0189 + - attack.g0007 +falsepositives: + - False positives depend on scripts and administrative tools used in the monitored environment +level: high diff --git a/rules/windows/process_creation/win_susp_cli_escape.yml b/rules/windows/process_creation/win_susp_cli_escape.yml new file mode 100644 index 000000000..cf37d4009 --- /dev/null +++ b/rules/windows/process_creation/win_susp_cli_escape.yml 
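Review bot: The `description` in win_susp_certutil_command.yml is a plain scalar continued on a second line, which YAML folds silently and yamllint flags; the same construction appears in win_susp_cmd_http_appdata.yml and win_susp_procdump.yml. Use an explicit folded block, `description: >-`, with the text indented beneath it. The rule also has `modified: 2018/12/11` but no `date:`.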
@@ -0,0 +1,27 @@ +title: Suspicious Commandline Escape +description: Detects suspicious process that use escape characters +status: experimental +references: + - https://twitter.com/vysecurity/status/885545634958385153 + - https://twitter.com/Hexacorn/status/885553465417756673 + - https://twitter.com/Hexacorn/status/885570278637678592 + - https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html + - http://www.windowsinspired.com/understanding-the-command-line-string-and-arguments-received-by-a-windows-program/ +author: juju4 +modified: 2018/12/11 +tags: + - attack.defense_evasion + - attack.t1140 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: + - + - ^h^t^t^p + - h"t"t"p + condition: selection +falsepositives: + - False positives depend on scripts and administrative tools used in the monitored environment +level: low diff --git a/rules/windows/process_creation/win_susp_cmd_http_appdata.yml b/rules/windows/process_creation/win_susp_cmd_http_appdata.yml new file mode 100644 index 000000000..8c67992ad --- /dev/null +++ b/rules/windows/process_creation/win_susp_cmd_http_appdata.yml 
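Review bot: The CommandLine list in win_susp_cli_escape.yml starts with an empty item (a bare `-`), which parses as `null` and, depending on the backend, either errors or turns into a null-field match; the two remaining values `^h^t^t^p` and `h"t"t"p` carry no wildcards, so they are exact matches against the whole command line and never hit a real invocation. Remove the empty entry and wrap the values: `- '*^h^t^t^p*'` and `- '*h"t"t"p*'`.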
@@ -0,0 +1,23 @@ +title: Command Line Execution with suspicious URL and AppData Strings +status: experimental +description: Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs + > powershell) +references: + - https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100 + - https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100 +author: Florian Roth +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: + - cmd.exe /c *http://*%AppData% + - cmd.exe /c *https://*%AppData% + condition: selection +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - High +level: medium diff --git a/rules/windows/process_creation/win_susp_commands_recon_activity.yml b/rules/windows/process_creation/win_susp_commands_recon_activity.yml new file mode 100644 index 000000000..074cf6ed9 --- /dev/null +++ b/rules/windows/process_creation/win_susp_commands_recon_activity.yml 
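Review bot: `falsepositives: - High` in win_susp_cmd_http_appdata.yml states a rate rather than a false-positive source, so it gives the analyst nothing to tune on, while the other rules in this commit name the benign activity. Replace it with the expected benign source or `- Unknown`. The two `cmd.exe /c *http://*%AppData%` values are unquoted plain scalars containing `%` and `*`, which parses, but quoting them as the other rules do keeps them robust against reformatting.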
@@ -0,0 +1,42 @@ +title: Reconnaissance Activity with Net Command +status: experimental +description: Detects a set of commands often used in recon stages by different attack groups +references: + - https://twitter.com/haroonmeer/status/939099379834658817 + - https://twitter.com/c_APT_ure/status/939475433711722497 + - https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html +author: Florian Roth, Markus Neis +date: 2018/08/22 +modified: 2018/12/11 +tags: + - attack.discovery + - attack.t1073 + - attack.t1012 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: + - tasklist + - net time + - systeminfo + - whoami + - nbtstat + - net start + - '*\net1 start' + - qprocess + - nslookup + - hostname.exe + - '*\net1 user /domain' + - '*\net1 group /domain' + - '*\net1 group "domain admins" /domain' + - '*\net1 group "Exchange Trusted Subsystem" /domain' + - '*\net1 accounts /domain' + - '*\net1 user net localgroup administrators' + - netstat -an + timeframe: 15s + condition: selection | count() by CommandLine > 4 +falsepositives: + - False positives depend on scripts and administrative tools used in the monitored environment +level: medium diff --git a/rules/windows/process_creation/win_susp_control_dll_load.yml b/rules/windows/process_creation/win_susp_control_dll_load.yml new file mode 100644 index 000000000..7fb960a1b --- /dev/null +++ b/rules/windows/process_creation/win_susp_control_dll_load.yml 
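Review bot: The aggregation in win_susp_commands_recon_activity.yml, `count() by CommandLine > 4`, groups by the command line itself, so it fires when one command repeats five times within 15s and never when five different recon commands run on one host, which is what the description targets. Grouping by host and counting distinct commands, `condition: selection | count(CommandLine) by ComputerName > 4`, matches the intent (field name to be confirmed against the process_creation mapping). The tag `attack.t1073` also looks out of place for a discovery rule, since that technique id denotes DLL side-loading, and should be checked.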
@@ -0,0 +1,23 @@ +title: Suspicious Control Panel DLL Load +status: experimental +description: Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits +author: Florian Roth +date: 2017/04/15 +references: + - https://twitter.com/rikvduijn/status/853251879320662017 +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage: '*\System32\control.exe' + CommandLine: '*\rundll32.exe *' + filter: + CommandLine: '*Shell32.dll*' + condition: selection and not filter +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/win_susp_exec_folder.yml b/rules/windows/process_creation/win_susp_exec_folder.yml new file mode 100644 index 000000000..aad005635 --- /dev/null +++ b/rules/windows/process_creation/win_susp_exec_folder.yml @@ -0,0 +1,33 @@ +title: Executables Started in Suspicious Folder +status: experimental +description: Detects process starts of binaries from a suspicious folder +author: Florian Roth +date: 2017/10/14 +references: + - https://github.com/mbevilacqua/appcompatprocessor/blob/master/AppCompatSearch.txt + - https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses +logsource: + category: process_creation + product: windows +detection: + selection: + Image: + - C:\PerfLogs\* + - C:\$Recycle.bin\* + - C:\Intel\Logs\* + - C:\Users\Default\* + - C:\Users\Public\* + - C:\Users\NetworkService\* + - C:\Windows\Fonts\* + - C:\Windows\Debug\* + - C:\Windows\Media\* + - C:\Windows\Help\* + - C:\Windows\addins\* + - C:\Windows\repair\* + - C:\Windows\security\* + - '*\RSA\MachineKeys\*' + - C:\Windows\system32\config\systemprofile\* + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/win_susp_execution_path.yml b/rules/windows/process_creation/win_susp_execution_path.yml new file mode 100644 index 000000000..d622ab28d --- /dev/null 
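Review bot: win_susp_exec_folder.yml pins most paths to `C:\` (e.g. `C:\Users\Public\*`), so systems with another system drive are missed, while win_susp_execution_path.yml in the same commit covers several of the same folders with drive-independent `'*\Users\Public\*'` patterns. Consider merging the two rules, or using the `'*\...\*'` form here and keeping only the folders the other rule lacks, so that one event does not produce two near-identical alerts.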
+++ b/rules/windows/process_creation/win_susp_execution_path.yml @@ -0,0 +1,26 @@ +title: Execution in Non-Executable Folder +status: experimental +description: Detects a suspicious exection from an uncommon folder +author: Florian Roth +logsource: + category: process_creation + product: windows +detection: + selection: + Image: + - '*\$Recycle.bin' + - '*\Users\All Users\*' + - '*\Users\Default\*' + - '*\Users\Public\*' + - C:\Perflogs\* + - '*\config\systemprofile\*' + - '*\Windows\Fonts\*' + - '*\Windows\IME\*' + - '*\Windows\addins\*' + condition: selection +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/win_susp_execution_path_webserver.yml b/rules/windows/process_creation/win_susp_execution_path_webserver.yml new file mode 100644 index 000000000..ace681b0c --- /dev/null +++ b/rules/windows/process_creation/win_susp_execution_path_webserver.yml @@ -0,0 +1,28 @@ +title: Execution in Webserver Root Folder +status: experimental +description: Detects a suspicious program execution in a web service root folder (filter out false positives) +author: Florian Roth +logsource: + category: process_creation + product: windows +detection: + selection: + Image: + - '*\wwwroot\*' + - '*\wmpub\*' + - '*\htdocs\*' + filter: + Image: + - '*bin\*' + - '*\Tools\*' + - '*\SMSComponent\*' + ParentImage: + - '*\services.exe' + condition: selection and not filter +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - Various applications + - Tools that include ping or nslookup command invocations +level: medium diff --git a/rules/windows/process_creation/win_susp_iss_module_install.yml b/rules/windows/process_creation/win_susp_iss_module_install.yml new file mode 100644 index 000000000..52b684596 --- /dev/null +++ b/rules/windows/process_creation/win_susp_iss_module_install.yml 
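Review bot: The first entry in win_susp_execution_path.yml, `'*\$Recycle.bin'`, has no trailing `\*`, so it only matches an image whose path ends in `$Recycle.bin` and never an executable inside that folder. Change it to `- '*\$Recycle.bin\*'`, consistent with the other entries in the list.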
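Review bot: The `filter` mapping in win_susp_execution_path_webserver.yml lists both `Image` and `ParentImage`, and fields within one Sigma selection are ANDed, so the exclusion applies only when the image is under bin/Tools/SMSComponent and the parent is services.exe at the same time; the two false-positive sources documented below read as independent exclusions. If that is the intent, split them into `filter_path` and `filter_parent` and use `condition: selection and not 1 of filter_*`.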
@@ -0,0 +1,21 @@ +title: IIS Native-Code Module Command Line Installation +description: Detects suspicious IIS native-code module installations via command line +status: experimental +references: + - https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/ +author: Florian Roth +modified: 2012/12/11 +tags: + - attack.persistence + - attack.t1100 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: + - '*\APPCMD.EXE install module /name:*' + condition: selection +falsepositives: + - Unknown as it may vary from organisation to arganisation how admins use to install IIS modules +level: medium diff --git a/rules/windows/process_creation/win_susp_mmc_source.yml b/rules/windows/process_creation/win_susp_mmc_source.yml new file mode 100644 index 000000000..94226405b --- /dev/null +++ b/rules/windows/process_creation/win_susp_mmc_source.yml @@ -0,0 +1,21 @@ +title: Processes created by MMC +status: experimental +description: Processes started by MMC could be a sign of lateral movement using MMC application COM object +references: + - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/ +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage: '*\mmc.exe' + Image: '*\cmd.exe' + exclusion: + CommandLine: '*\RunCmd.cmd' + condition: selection and not exclusion +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - unknown +level: medium diff --git a/rules/windows/process_creation/win_susp_msiexec_web_install.yml b/rules/windows/process_creation/win_susp_msiexec_web_install.yml new file mode 100644 index 000000000..5e6734058 --- /dev/null +++ b/rules/windows/process_creation/win_susp_msiexec_web_install.yml 
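Review bot: win_susp_iss_module_install.yml carries `modified: 2012/12/11` but no `date:`, so the modification date precedes a creation date that is not recorded; presumably `modified: 2018/12/11` with a `date:` added. The falsepositives text misspells `arganisation`, and the file name says `iss` where the title and content refer to IIS.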
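Review bot: win_susp_mmc_source.yml has no `author:` field, unlike every other rule added in this commit. The `exclusion` on `'*\RunCmd.cmd'` is undocumented; a comment stating which product or deployment launches `RunCmd.cmd` through mmc.exe would let a reviewer judge whether the carve-out is still justified.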
@@ -0,0 +1,19 @@ +title: MsiExec Web Install +status: experimental +description: Detects suspicious msiexec proess starts with web addreses as parameter +references: + - https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/ +author: Florian Roth +date: 2018/02/09 +modified: 2012/12/11 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: + - '* msiexec*:\/\/*' + condition: selection +falsepositives: + - False positives depend on scripts and administrative tools used in the monitored environment +level: medium diff --git a/rules/windows/process_creation/win_susp_net_execution.yml b/rules/windows/process_creation/win_susp_net_execution.yml new file mode 100644 index 000000000..697b44629 --- /dev/null +++ b/rules/windows/process_creation/win_susp_net_execution.yml @@ -0,0 +1,33 @@ +title: Net.exe Execution +status: experimental +description: Detects execution of Net.exe, whether suspicious or benign. +references: + - https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/ +author: Michael Haag, Mark Woan (improvements) +tags: + - attack.s0039 + - attack.lateral_movement + - attack.discovery +logsource: + category: process_creation + product: windows +detection: + selection: + Image: + - '*\net.exe' + - '*\net1.exe' + CommandLine: + - '* group*' + - '* localgroup*' + - '* user*' + - '* view*' + - '* share' + - '* accounts*' + - '* use*' + condition: selection +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - Will need to be tuned. If using Splunk, I recommend | stats count by Computer,CommandLine following the search for easy hunting by computer/CommandLine. +level: low diff --git a/rules/windows/process_creation/win_susp_ntdsutil.yml b/rules/windows/process_creation/win_susp_ntdsutil.yml new file mode 100644 index 000000000..e8735e074 --- /dev/null +++ b/rules/windows/process_creation/win_susp_ntdsutil.yml 
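Review bot: The pattern `'* msiexec*:\/\/*'` in win_susp_msiexec_web_install.yml escapes the slashes with backslashes inside single quotes, so unless the backend strips them the rule searches for the literal text `:\/\/` and never matches an `http://` or `https://` argument. Write `- '* msiexec*://*'`. The description misspells `proess` and `addreses`, and `modified: 2012/12/11` predates `date: 2018/02/09`.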
@@ -0,0 +1,19 @@ +title: Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) +description: Detects execution of ntdsutil.exe, which can be used for various attacks against the NTDS database (NTDS.DIT) +status: experimental +references: + - https://jpcertcc.github.io/ToolAnalysisResultSheet/details/ntdsutil.htm +author: Thomas Patzke +tags: + - attack.credential_access + - attack.t1003 +detection: + selection: + CommandLine: '*\ntdsutil.exe *' + condition: selection +falsepositives: + - NTDS maintenance +level: high +logsource: + category: process_creation + product: windows diff --git a/rules/windows/process_creation/win_susp_ping_hex_ip.yml b/rules/windows/process_creation/win_susp_ping_hex_ip.yml new file mode 100644 index 000000000..4620d0722 --- /dev/null +++ b/rules/windows/process_creation/win_susp_ping_hex_ip.yml @@ -0,0 +1,21 @@ +title: Ping Hex IP +description: Detects a ping command that uses a hex encoded IP address +references: + - https://github.com/vysec/Aggressor-VYSEC/blob/master/ping.cna + - https://twitter.com/vysecurity/status/977198418354491392 +author: Florian Roth +date: 2018/03/23 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: + - '*\ping.exe 0x*' + - '*\ping 0x*' + condition: selection +fields: + - ParentCommandLine +falsepositives: + - Unlikely, because no sane admin pings IP addresses in a hexadecimal form +level: high diff --git a/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml new file mode 100644 index 000000000..18ae2b164 --- /dev/null +++ b/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml 
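Review bot: The only pattern in win_susp_ntdsutil.yml, `'*\ntdsutil.exe *'`, requires a space after the executable name, so an interactive `ntdsutil.exe` start with no arguments is not matched although it exposes the same NTDS functionality. Add a second selection, `selection_image:` with `Image: '*\ntdsutil.exe'`, and use `condition: 1 of selection*`. Placing `logsource:` after `level:` is valid YAML but differs from every other rule in this commit.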
@@ -0,0 +1,25 @@ +title: Suspicious Encoded PowerShell Command Line +description: Detects suspicious powershell process starts with base64 encoded commands +status: experimental +references: + - https://app.any.run/tasks/6217d77d-3189-4db2-a957-8ab239f3e01e +author: Florian Roth +date: 2018/09/03 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: + - '* -e JAB*' + - '* -enc JAB*' + - '* -encodedcommand JAB*' + falsepositive1: + Image: '*\GRR\*' + falsepositive2: + CommandLine: '* -ExecutionPolicy remotesigned *' + condition: selection and not 1 of falsepositive* +falsepositives: + - GRR powershell hacks + - PowerSponse Deployments +level: high diff --git a/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml b/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml new file mode 100644 index 000000000..74e01c8bc --- /dev/null +++ b/rules/windows/process_creation/win_susp_powershell_hidden_b64_cmd.yml 
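Review bot: `falsepositive2` in win_susp_powershell_enc_cmd.yml excludes every encoded command line containing `-ExecutionPolicy remotesigned`, which removes detection for all such invocations rather than only the PowerSponse deployments it is documented for. A more specific image, parent image or current-directory condition for the deployment tool would keep the carve-out narrow; if no such attribute is available, a comment naming why this string identifies the deployment would at least record the assumption.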
@@ -0,0 +1,70 @@ +title: Malicious Base64 encoded PowerShell Keywords in command lines +status: experimental +description: Detects base64 encoded strings used in hidden malicious PowerShell command lines +references: + - http://www.leeholmes.com/blog/2017/09/21/searching-for-content-in-base-64-strings/ +tags: + - attack.execution + - attack.t1086 +author: John Lambert (rule) +logsource: + category: process_creation + product: windows +detection: + encoded: + Image: '*\powershell.exe' + CommandLine: '* hidden *' + selection: + CommandLine: + - '*AGkAdABzAGEAZABtAGkAbgAgAC8AdAByAGEAbgBzAGYAZQByA*' + - '*aXRzYWRtaW4gL3RyYW5zZmVy*' + - '*IAaQB0AHMAYQBkAG0AaQBuACAALwB0AHIAYQBuAHMAZgBlAHIA*' + - '*JpdHNhZG1pbiAvdHJhbnNmZX*' + - '*YgBpAHQAcwBhAGQAbQBpAG4AIAAvAHQAcgBhAG4AcwBmAGUAcg*' + - '*Yml0c2FkbWluIC90cmFuc2Zlc*' + - '*AGMAaAB1AG4AawBfAHMAaQB6AGUA*' + - '*JABjAGgAdQBuAGsAXwBzAGkAegBlA*' + - '*JGNodW5rX3Npem*' + - '*QAYwBoAHUAbgBrAF8AcwBpAHoAZQ*' + - '*RjaHVua19zaXpl*' + - '*Y2h1bmtfc2l6Z*' + - '*AE8ALgBDAG8AbQBwAHIAZQBzAHMAaQBvAG4A*' + - '*kATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8Abg*' + - '*lPLkNvbXByZXNzaW9u*' + - '*SQBPAC4AQwBvAG0AcAByAGUAcwBzAGkAbwBuA*' + - '*SU8uQ29tcHJlc3Npb2*' + - '*Ty5Db21wcmVzc2lvb*' + - '*AE8ALgBNAGUAbQBvAHIAeQBTAHQAcgBlAGEAbQ*' + - '*kATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtA*' + - '*lPLk1lbW9yeVN0cmVhb*' + - '*SQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0A*' + - '*SU8uTWVtb3J5U3RyZWFt*' + - '*Ty5NZW1vcnlTdHJlYW*' + - '*4ARwBlAHQAQwBoAHUAbgBrA*' + - '*5HZXRDaHVua*' + - '*AEcAZQB0AEMAaAB1AG4Aaw*' + - '*LgBHAGUAdABDAGgAdQBuAGsA*' + - '*LkdldENodW5r*' + - '*R2V0Q2h1bm*' + - '*AEgAUgBFAEEARABfAEkATgBGAE8ANgA0A*' + - '*QASABSAEUAQQBEAF8ASQBOAEYATwA2ADQA*' + - '*RIUkVBRF9JTkZPNj*' + - '*SFJFQURfSU5GTzY0*' + - '*VABIAFIARQBBAEQAXwBJAE4ARgBPADYANA*' + - '*VEhSRUFEX0lORk82N*' + - '*AHIAZQBhAHQAZQBSAGUAbQBvAHQAZQBUAGgAcgBlAGEAZA*' + - '*cmVhdGVSZW1vdGVUaHJlYW*' + - '*MAcgBlAGEAdABlAFIAZQBtAG8AdABlAFQAaAByAGUAYQBkA*' + - '*NyZWF0ZVJlbW90ZVRocmVhZ*' + - 
'*Q3JlYXRlUmVtb3RlVGhyZWFk*' + - '*QwByAGUAYQB0AGUAUgBlAG0AbwB0AGUAVABoAHIAZQBhAGQA*' + - '*0AZQBtAG0AbwB2AGUA*' + - '*1lbW1vdm*' + - '*AGUAbQBtAG8AdgBlA*' + - '*bQBlAG0AbQBvAHYAZQ*' + - '*bWVtbW92Z*' + - '*ZW1tb3Zl*' + condition: encoded and selection +falsepositives: + - Penetration tests +level: high diff --git a/rules/windows/process_creation/win_susp_powershell_parent_combo.yml b/rules/windows/process_creation/win_susp_powershell_parent_combo.yml new file mode 100644 index 000000000..d9d59fa8e --- /dev/null +++ b/rules/windows/process_creation/win_susp_powershell_parent_combo.yml @@ -0,0 +1,29 @@ +title: Suspicious PowerShell Invocation based on Parent Process +status: experimental +description: Detects suspicious powershell invocations from interpreters or unusual programs +author: Florian Roth +references: + - https://www.carbonblack.com/2017/03/15/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/ +tags: + - attack.execution + - attack.t1086 +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage: + - '*\wscript.exe' + - '*\cscript.exe' + Image: + - '*\powershell.exe' + falsepositive: + CurrentDirectory: '*\Health Service State\*' + condition: selection and not falsepositive +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - Microsoft Operations Manager (MOM) + - Other scripts +level: medium diff --git a/rules/windows/process_creation/win_susp_procdump.yml b/rules/windows/process_creation/win_susp_procdump.yml new file mode 100644 index 000000000..e4b4a306d --- /dev/null +++ b/rules/windows/process_creation/win_susp_procdump.yml 
@@ -0,0 +1,28 @@ +title: Suspicious Use of Procdump +description: Detects suspicious uses of the SysInternals Procdump utility by using a special command line parameter in combination with the lsass.exe process. This + way we're also able to catch cases in which the attacker has renamed the procdump executable. +status: experimental +references: + - Internal Research +author: Florian Roth +date: 2018/10/30 +tags: + - attack.defense_evasion + - attack.t1036 + - attack.credential_access + - attack.t1003 +logsource: + category: process_creation + product: windows +detection: + selection1: + CommandLine: + - '* -ma *' + selection2: + CommandLine: + - '* lsass.exe*' + condition: selection1 and selection2 +falsepositives: + - Unlikely, because no one should dump an lsass process memory + - Another tool that uses the command line switches of Procdump +level: medium diff --git a/rules/windows/process_creation/win_susp_process_creations.yml b/rules/windows/process_creation/win_susp_process_creations.yml new file mode 100644 index 000000000..ec4152886 --- /dev/null +++ b/rules/windows/process_creation/win_susp_process_creations.yml 
@@ -0,0 +1,65 @@ +title: Suspicious Process Creation +description: Detects suspicious process starts on Windows systems based on keywords +status: experimental +references: + - https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/ + - https://www.youtube.com/watch?v=H3t_kHQG1Js&feature=youtu.be&t=15m35s + - https://winscripting.blog/2017/05/12/first-entry-welcome-and-uac-bypass/ + - https://twitter.com/subTee/status/872244674609676288 + - https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/remote-tool-examples + - https://tyranidslair.blogspot.ca/2017/07/dg-on-windows-10-s-executing-arbitrary.html + - https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/ + - https://subt0x10.blogspot.ca/2017/04/bypassing-application-whitelisting.html + - https://gist.github.com/subTee/7937a8ef07409715f15b84781e180c46#file-rat-bat + - https://twitter.com/vector_sec/status/896049052642533376 +author: Florian Roth +modified: 2012/12/11 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: + - vssadmin.exe delete shadows* + - vssadmin delete shadows* + - vssadmin create shadow /for=C:* + - copy \\?\GLOBALROOT\Device\*\windows\ntds\ntds.dit* + - copy \\?\GLOBALROOT\Device\*\config\SAM* + - reg SAVE HKLM\SYSTEM * + - '* sekurlsa:*' + - net localgroup adminstrators * /add + - net group "Domain Admins" * /ADD /DOMAIN + - certutil.exe *-urlcache* http* + - certutil.exe *-urlcache* ftp* + - netsh advfirewall firewall *\AppData\* + - attrib +S +H +R *\AppData\* + - schtasks* /create *\AppData\* + - schtasks* /sc minute* + - '*\Regasm.exe *\AppData\*' + - '*\Regasm *\AppData\*' + - '*\bitsadmin* /transfer*' + - '*\certutil.exe * -decode *' + - '*\certutil.exe * -decodehex *' + - '*\certutil.exe -ping *' + - icacls * /grant Everyone:F /T /C /Q + - '* wmic shadowcopy delete *' + - '* wbadmin.exe delete catalog -quiet*' + - '*\wscript.exe *.jse' + - '*\wscript.exe *.js' + - '*\wscript.exe *.vba' + - 
'*\wscript.exe *.vbe' + - '*\cscript.exe *.jse' + - '*\cscript.exe *.js' + - '*\cscript.exe *.vba' + - '*\cscript.exe *.vbe' + - '*\fodhelper.exe' + - '*waitfor*/s*' + - '*waitfor*/si persist*' + - '*remote*/s*' + - '*remote*/c*' + - '*remote*/q*' + - '*AddInProcess*' + condition: selection +falsepositives: + - False positives depend on scripts and administrative tools used in the monitored environment +level: medium diff --git a/rules/windows/process_creation/win_susp_ps_appdata.yml b/rules/windows/process_creation/win_susp_ps_appdata.yml new file mode 100644 index 000000000..3a04d7550 --- /dev/null +++ b/rules/windows/process_creation/win_susp_ps_appdata.yml @@ -0,0 +1,20 @@ +title: PowerShell Script Run in AppData +status: experimental +description: Detects a suspicious command line execution that invokes PowerShell with reference to an AppData folder +references: + - https://twitter.com/JohnLaTwC/status/1082851155481288706 + - https://app.any.run/tasks/f87f1c4e-47e2-4c46-9cf4-31454c06ce03 +author: Florian Roth +date: 2019/01/09 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: + - '* /c powershell*\AppData\Local\*' + - '* /c powershell*\AppData\Roaming\*' + condition: selection +falsepositives: + - Administrative scripts +level: medium diff --git a/rules/windows/process_creation/win_susp_rasdial_activity.yml b/rules/windows/process_creation/win_susp_rasdial_activity.yml new file mode 100644 index 000000000..9f83ece21 --- /dev/null +++ b/rules/windows/process_creation/win_susp_rasdial_activity.yml 
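Review bot: The entry `net localgroup adminstrators * /add` in win_susp_process_creations.yml misspells `administrators`, so this pattern never matches the command it is meant to catch; change it to `net localgroup administrators * /add`. `modified: 2012/12/11` appears here as well with no `date:` and is presumably 2018/12/11.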
@@ -0,0 +1,17 @@ +title: Suspicious RASdial Activity +description: Detects suspicious process related to rasdial.exe +status: experimental +references: + - https://twitter.com/subTee/status/891298217907830785 +author: juju4 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: + - rasdial + condition: selection +falsepositives: + - False positives depend on scripts and administrative tools used in the monitored environment +level: medium diff --git a/rules/windows/process_creation/win_susp_recon_activity.yml b/rules/windows/process_creation/win_susp_recon_activity.yml new file mode 100644 index 000000000..24b578697 --- /dev/null +++ b/rules/windows/process_creation/win_susp_recon_activity.yml @@ -0,0 +1,23 @@ +title: Suspicious Reconnaissance Activity +status: experimental +description: Detects suspicious command line activity on Windows systems +author: Florian Roth +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: + - net group "domain admins" /domain + - net localgroup administrators + condition: selection +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - Inventory tool runs + - Penetration tests + - Administrative activity +analysis: + recommendation: Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM) +level: medium diff --git a/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml b/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml new file mode 100644 index 000000000..9f6441554 --- /dev/null +++ b/rules/windows/process_creation/win_susp_regsvr32_anomalies.yml 
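Review bot: The single value `rasdial` in win_susp_rasdial_activity.yml carries no wildcard, so it is an exact match on the whole command line and only a bare `rasdial` invocation without arguments is detected. If any rasdial use is meant, match the image, `Image: '*\rasdial.exe'`, or use `- '*rasdial*'` on CommandLine and document the added false-positive exposure.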
@@ -0,0 +1,38 @@ +title: Regsvr32 Anomaly +status: experimental +description: Detects various anomalies in relation to regsvr32.exe +author: Florian Roth +references: + - https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html +tags: + - attack.t1117 + - attack.defense_evasion + - attack.execution +logsource: + category: process_creation + product: windows +detection: + selection1: + Image: '*\regsvr32.exe' + CommandLine: '*\Temp\*' + selection2: + Image: '*\regsvr32.exe' + ParentImage: '*\powershell.exe' + selection3: + Image: '*\regsvr32.exe' + CommandLine: + - '*/i:http* scrobj.dll' + - '*/i:ftp* scrobj.dll' + selection4: + Image: '*\wscript.exe' + ParentImage: '*\regsvr32.exe' + selection5: + Image: '*\EXCEL.EXE' + CommandLine: '*..\..\..\Windows\System32\regsvr32.exe *' + condition: 1 of them +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/win_susp_run_locations.yml b/rules/windows/process_creation/win_susp_run_locations.yml new file mode 100644 index 000000000..ce74c9334 --- /dev/null +++ b/rules/windows/process_creation/win_susp_run_locations.yml @@ -0,0 +1,23 @@ +title: Suspicious Process Start Locations +description: Detects suspicious process run from unusual locations +status: experimental +references: + - https://car.mitre.org/wiki/CAR-2013-05-002 +author: juju4 +tags: + - attack.defense_evasion + - attack.t1036 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: + - '*:\RECYCLER\*' + - '*:\SystemVolumeInformation\*' + - '%windir%\Tasks\*' + - '%systemroot%\debug\*' + condition: selection +falsepositives: + - False positives depend on scripts and administrative tools used in the monitored environment +level: medium diff --git a/rules/windows/process_creation/win_susp_rundll32_activity.yml b/rules/windows/process_creation/win_susp_rundll32_activity.yml new file mode 100644 index 000000000..03a44c6ad 
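Review bot: selection3 in win_susp_regsvr32_anomalies.yml requires the command line to end with ` scrobj.dll` (`'*/i:http* scrobj.dll'`), so the same download-and-execute with the DLL given by path (`... /s C:\Windows\System32\scrobj.dll`) or with anything after the DLL name does not match; `'*/i:http*scrobj.dll*'` and `'*/i:ftp*scrobj.dll*'` keep the intent without the trailing-token anchor. selection5 hard-codes the exact `..\..\..\Windows\System32\regsvr32.exe` traversal form from the reference, so any other relative or absolute path from EXCEL is not covered — acceptable for a signature, but a one-line comment saying so would stop the next reader from assuming broader coverage.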
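Review bot: `'*:\SystemVolumeInformation\*'` in win_susp_run_locations.yml does not match the real folder name, which contains spaces (`System Volume Information`), so that entry is dead and should be `'*:\System Volume Information\*'`. The last two entries, `'%windir%\Tasks\*'` and `'%systemroot%\debug\*'`, have no leading wildcard and use environment-variable names that are expanded before process creation, so they only match a command line that literally begins with `%windir%`/`%systemroot%`; `'*\Windows\Tasks\*'` and `'*\Windows\debug\*'` are what the logged command line actually contains. Consider matching on `Image` as well, since the CAR reference is about processes running from these locations and a command line that merely mentions one of them is a weaker signal.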
--- /dev/null +++ b/rules/windows/process_creation/win_susp_rundll32_activity.yml @@ -0,0 +1,35 @@ +title: Suspicious Rundll32 Activity +description: Detects suspicious process related to rundll32 based on arguments +status: experimental +references: + - http://www.hexacorn.com/blog/2017/05/01/running-programs-via-proxy-jumping-on-a-edr-bypass-trampoline/ + - https://twitter.com/Hexacorn/status/885258886428725250 + - https://gist.github.com/ryhanson/227229866af52e2d963cf941af135a52 +tags: + - attack.defense_evasion + - attack.execution + - attack.t1085 +author: juju4 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: + - '*\rundll32.exe* url.dll,*OpenURL *' + - '*\rundll32.exe* url.dll,*OpenURLA *' + - '*\rundll32.exe* url.dll,*FileProtocolHandler *' + - '*\rundll32.exe* zipfldr.dll,*RouteTheCall *' + - '*\rundll32.exe* Shell32.dll,*Control_RunDLL *' + - '*\rundll32.exe javascript:*' + - '* url.dll,*OpenURL *' + - '* url.dll,*OpenURLA *' + - '* url.dll,*FileProtocolHandler *' + - '* zipfldr.dll,*RouteTheCall *' + - '* Shell32.dll,*Control_RunDLL *' + - '* javascript:*' + - '*.RegisterXLL*' + condition: selection +falsepositives: + - False positives depend on scripts and administrative tools used in the monitored environment +level: medium diff --git a/rules/windows/process_creation/win_susp_schtask_creation.yml b/rules/windows/process_creation/win_susp_schtask_creation.yml new file mode 100644 index 000000000..905db2112 --- /dev/null +++ b/rules/windows/process_creation/win_susp_schtask_creation.yml 
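Review bot: The first five `CommandLine` patterns in win_susp_rundll32_activity.yml are subsumed by the unprefixed ones that follow (everything `'*\rundll32.exe* url.dll,*OpenURL *'` matches is also matched by `'* url.dll,*OpenURL *'`), so they add maintenance cost without coverage; keep one set, and if the unprefixed set exists to catch a renamed rundll32, say so in the description. With `Image` unconstrained, `'* javascript:*'` could fire on any process whose arguments contain ` javascript:` (a URL handed to a browser, for instance), and every `OpenURL *`/`RouteTheCall *`/`Control_RunDLL *` entry requires a trailing space, so a command line that ends in the export name is not matched. `'*.RegisterXLL*'` is an Excel add-in load rather than rundll32 proxy execution (`attack.t1085`); it would be cleaner as its own rule with its own tags.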
@@ -0,0 +1,27 @@ +title: Scheduled Task Creation +status: experimental +description: Detects the creation of scheduled tasks in user session +author: Florian Roth +logsource: + category: process_creation + product: windows +detection: + selection: + Image: '*\schtasks.exe' + CommandLine: '* /create *' + filter: + User: NT AUTHORITY\SYSTEM + condition: selection and not filter +fields: + - CommandLine + - ParentCommandLine +tags: + - attack.execution + - attack.persistence + - attack.privelege_escalation + - attack.t1053 + - attack.s0111 +falsepositives: + - Administrative activity + - Software installation +level: low diff --git a/rules/windows/process_creation/win_susp_script_execution.yml b/rules/windows/process_creation/win_susp_script_execution.yml new file mode 100644 index 000000000..6e0773cfb --- /dev/null +++ b/rules/windows/process_creation/win_susp_script_execution.yml @@ -0,0 +1,24 @@ +title: WSF/JSE/JS/VBA/VBE File Execution +status: experimental +description: Detects suspicious file execution by wscript and cscript +author: Michael Haag +logsource: + category: process_creation + product: windows +detection: + selection: + Image: + - '*\wscript.exe' + - '*\cscript.exe' + CommandLine: + - '*.jse' + - '*.vbe' + - '*.js' + - '*.vba' + condition: selection +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - Will need to be tuned. I recommend adding the user profile path in CommandLine if it is getting too noisy. +level: medium diff --git a/rules/windows/process_creation/win_susp_svchost.yml b/rules/windows/process_creation/win_susp_svchost.yml new file mode 100644 index 000000000..006337202 --- /dev/null +++ b/rules/windows/process_creation/win_susp_svchost.yml 
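Review bot: The tag `attack.privelege_escalation` in win_susp_schtask_creation.yml is misspelled (`attack.privilege_escalation`), so tooling that keys on tactic tags will not associate this rule with the tactic. The `User: NT AUTHORITY\SYSTEM` filter assumes the generic process_creation mapping yields that exact string; on Security 4688 the account is split into `SubjectUserName`/`SubjectDomainName`, so confirm the backend normalises it, otherwise the filter never matches and SYSTEM-created tasks (installers, Windows itself) flood the rule. `attack.s0111` is the ATT&CK software entry for schtasks itself, which is harmless but unusual as a rule tag.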
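Review bot: The title of win_susp_script_execution.yml promises WSF coverage but `CommandLine` has no `.wsf` entry (and no `.vbs`), and each value is written without a trailing wildcard, so it only matches when the command line ends exactly in the extension — `wscript.exe foo.js arg`, a quoted `"...\foo.js"` or trailing `//B //Nologo` switches are missed. `'*.wsf*'`, `'*.vbs*'`, `'*.js*'` etc. match the extension anywhere; if the trailing anchor is meant to avoid hitting `.js` inside `.json`, anchor on the closing delimiter instead (`'*.js"*'`, `'*.js *'`). The `falsepositives` entry is first-person tuning advice rather than a false-positive source; move that hint into `description`.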
@@ -0,0 +1,24 @@ +title: Suspicious Svchost Process +status: experimental +description: Detects a suspicious svchost process start +author: Florian Roth +date: 2017/08/15 +logsource: + category: process_creation + product: windows +detection: + selection: + Image: '*\svchost.exe' + filter: + ParentImage: + - '*\services.exe' + - '*\MsMpEng.exe' + condition: selection and not filter +fields: + - CommandLine + - ParentCommandLine +tags: + - attack.defense_evasion +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/win_susp_sysprep_appdata.yml b/rules/windows/process_creation/win_susp_sysprep_appdata.yml new file mode 100644 index 000000000..ad94a7864 --- /dev/null +++ b/rules/windows/process_creation/win_susp_sysprep_appdata.yml @@ -0,0 +1,21 @@ +title: Sysprep on AppData Folder +status: experimental +description: Detects suspicious sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec) +references: + - https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets + - https://app.any.run/tasks/61a296bb-81ad-4fee-955f-3b399f4aaf4b +author: Florian Roth +date: 2018/06/22 +modified: 2018/12/11 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: + - '*\sysprep.exe *\AppData\*' + - sysprep.exe *\AppData\* + condition: selection +falsepositives: + - False positives depend on scripts and administrative tools used in the monitored environment +level: medium diff --git a/rules/windows/process_creation/win_susp_sysvol_access.yml b/rules/windows/process_creation/win_susp_sysvol_access.yml new file mode 100644 index 000000000..3ca1ea09d --- /dev/null +++ b/rules/windows/process_creation/win_susp_sysvol_access.yml 
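Review bot: Converting win_susp_svchost.yml to a generic process_creation rule makes `filter` depend on `ParentImage`, which Security 4688 only provides (as `ParentProcessName`) from Windows 10 / Server 2016 onwards; on older hosts feeding 4688 the filter never matches and `selection and not filter` fires for every svchost start, at level `high`. Either state that constraint in the description or guard the selection so events with no parent information are excluded rather than alerted. `'*\svchost.exe'` with no path filter also covers a copied `svchost.exe` outside `System32`, which overlaps `win_system_exe_anomaly.yml` from the same commit — fine if intended, but worth a cross-reference.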
@@ -0,0 +1,22 @@ +title: Suspicious SYSVOL Domain Group Policy Access +status: experimental +description: Detects Access to Domain Group Policies stored in SYSVOL +references: + - https://adsecurity.org/?p=2288 + - https://www.hybrid-analysis.com/sample/f2943f5e45befa52fb12748ca7171d30096e1d4fc3c365561497c618341299d5?environmentId=100 +author: Markus Neis +date: 2018/04/09 +modified: 2018/12/11 +tags: + - attack.credential_access + - attack.t1003 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: '*\SYSVOL\*\policies\*' + condition: selection +falsepositives: + - administrative activity +level: medium diff --git a/rules/windows/sysmon/sysmon_susp_taskmgr_localsystem.yml b/rules/windows/process_creation/win_susp_taskmgr_localsystem.yml similarity index 55% rename from rules/windows/sysmon/sysmon_susp_taskmgr_localsystem.yml rename to rules/windows/process_creation/win_susp_taskmgr_localsystem.yml index 9cf162797..f3da5750f 100644 --- a/rules/windows/sysmon/sysmon_susp_taskmgr_localsystem.yml +++ b/rules/windows/process_creation/win_susp_taskmgr_localsystem.yml @@ -4,14 +4,13 @@ description: Detects the creation of taskmgr.exe process in context of LOCAL_SYS author: Florian Roth date: 2018/03/18 logsource: - product: windows - service: sysmon + category: process_creation + product: windows detection: - selection: - EventID: 1 - User: 'NT AUTHORITY\SYSTEM' - Image: '*\taskmgr.exe' - condition: selection + selection: + User: NT AUTHORITY\SYSTEM + Image: '*\taskmgr.exe' + condition: selection falsepositives: - - Unkown + - Unkown level: high diff --git a/rules/windows/process_creation/win_susp_taskmgr_parent.yml b/rules/windows/process_creation/win_susp_taskmgr_parent.yml new file mode 100644 index 000000000..e4e516d4e --- /dev/null +++ b/rules/windows/process_creation/win_susp_taskmgr_parent.yml 
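Review bot: The false-positive entry `Unkown` in the renamed win_susp_taskmgr_localsystem.yml is re-indented but the typo survives; since the line is touched anyway, make it `- Unknown`. Dropping the quotes around `NT AUTHORITY\SYSTEM` is valid YAML (a plain scalar keeps the backslash) but differs from the quoting kept on `Image: '*\taskmgr.exe'` in the same block; pick one convention. As with the other converted rules, `User` must be mapped for both Sysmon and 4688 (where the account is split into `SubjectUserName`/`SubjectDomainName`) for this rule to fire at all on the Security log.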
@@ -0,0 +1,23 @@
+title: Taskmgr as Parent
+status: experimental
+description: Detects the creation of a process from Windows task manager
+author: Florian Roth
+date: 2018/03/13
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage: '*\taskmgr.exe'
+ filter:
+ Image:
+ - resmon.exe
+ - mmc.exe
+ condition: selection and not filter
+fields:
+ - Image
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Administrative activity
+level: low
diff --git a/rules/windows/process_creation/win_susp_tscon_localsystem.yml b/rules/windows/process_creation/win_susp_tscon_localsystem.yml
new file mode 100644
index 000000000..aa7602464
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_tscon_localsystem.yml
@@ -0,0 +1,19 @@
+title: Suspicious TSCON Start
+status: experimental
+description: Detects a tscon.exe start as LOCAL SYSTEM
+references:
+ - http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
+ - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
+author: Florian Roth
+date: 2018/03/17
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ User: NT AUTHORITY\SYSTEM
+ Image: '*\tscon.exe'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml b/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml
new file mode 100644
index 000000000..f8c0c81d2
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_tscon_rdp_redirect.yml
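Review bot: The `filter` values `resmon.exe` and `mmc.exe` in win_susp_taskmgr_parent.yml have no wildcard while `Image` carries the full path, so the filter is an exact match against a bare file name and never fires — the intended exclusion of Resource Monitor and MMC is dead and those launches alert anyway. Use `'*\resmon.exe'` and `'*\mmc.exe'`, the form the sibling rules use. No `tags:` are set; `attack.execution` would fit the description.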
@@ -0,0 +1,19 @@ +title: Suspicious RDP Redirect Using TSCON +status: experimental +description: Detects a suspicious RDP session redirect using tscon.exe +references: + - http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html + - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6 +author: Florian Roth +date: 2018/03/17 +modified: 2018/12/11 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: '* /dest:rdp-tcp:*' + condition: selection +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml b/rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml new file mode 100644 index 000000000..43c24a64c --- /dev/null +++ b/rules/windows/process_creation/win_susp_vssadmin_ntds_activity.yml 
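Review bot: `CommandLine: '* /dest:rdp-tcp:*'` is the only constraint in win_susp_tscon_rdp_redirect.yml — no `Image` — so the rule relies on that argument being unique to tscon.exe, and it does not cover redirecting a session to the physical console (`tscon <id> /dest:console`, which the first reference also demonstrates — confirm). Add `Image: '*\tscon.exe'` and a `'* /dest:console*'` entry if console hijack is in scope. Neither tscon rule in this commit carries `tags:`; both references describe RDP session hijacking, so `attack.lateral_movement` would fit.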
@@ -0,0 +1,31 @@ +title: Activity Related to NTDS.dit Domain Hash Retrieval +status: experimental +description: Detects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely +author: Florian Roth, Michael Haag +references: + - https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/ + - https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/ + - https://www.trustwave.com/Resources/SpiderLabs-Blog/Tutorial-for-NTDS-goodness-(VSSADMIN,-WMIS,-NTDS-dit,-SYSTEM)/ + - https://securingtomorrow.mcafee.com/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/ +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: + - vssadmin.exe Delete Shadows + - 'vssadmin create shadow /for=C:' + - copy \\?\GLOBALROOT\Device\*\windows\ntds\ntds.dit + - copy \\?\GLOBALROOT\Device\*\config\SAM + - 'vssadmin delete shadows /for=C:' + - 'reg SAVE HKLM\SYSTEM ' + condition: selection +fields: + - CommandLine + - ParentCommandLine +tags: + - attack.credential_access + - attack.t1003 +falsepositives: + - Administrative activity +level: high diff --git a/rules/windows/process_creation/win_susp_whoami.yml b/rules/windows/process_creation/win_susp_whoami.yml new file mode 100644 index 000000000..974cf4567 --- /dev/null +++ b/rules/windows/process_creation/win_susp_whoami.yml 
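Review bot: All six `CommandLine` values in win_susp_vssadmin_ntds_activity.yml are plain strings without edge wildcards, i.e. exact whole-field matches, which makes most of them unreachable: `copy` is a cmd.exe builtin, so it only ever appears inside a `cmd.exe /c copy \\?\GLOBALROOT...` command line that the anchored pattern cannot match; `vssadmin delete shadows /all /quiet` (the usual ransomware form) fails the `/for=C:` match; and the trailing space in `'reg SAVE HKLM\SYSTEM '` requires a further argument. Wrapping each value in `*...*` (`'*vssadmin* delete shadows*'`, `'*copy \\?\GLOBALROOT\Device\*\windows\ntds\ntds.dit*'`, `'*reg* save HKLM\SYSTEM*'`) restores the coverage the description claims. The `vssadmin create shadow /for=C:` entry is similarly tied to drive C only.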
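Review bot: `CommandLine: whoami` in win_susp_whoami.yml is an exact whole-field match, so `whoami /all`, `whoami /priv`, `whoami /groups` — the forms used to enumerate privileges after escalation — and `whoami.exe` do not fire, while the description claims to detect "the execution of whoami". If the bare form is intentional to keep false positives down, say so in the description; otherwise `Image: '*\whoami.exe'` or `CommandLine: 'whoami*'` covers the variants. Also note the typo `exloitation` in the description.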
@@ -0,0 +1,22 @@ +title: Whoami Execution +status: experimental +description: Detects the execution of whoami, which is often used by attackers after exloitation / privilege escalation but rarely used by administrators +references: + - https://twitter.com/haroonmeer/status/939099379834658817 + - https://twitter.com/c_APT_ure/status/939475433711722497 +author: Florian Roth +date: 2018/05/22 +tags: + - attack.discovery + - attack.t1033 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: whoami + condition: selection +falsepositives: + - Admin activity + - Scripts and administrative tools used in the monitored environment +level: high diff --git a/rules/windows/process_creation/win_susp_wmi_execution.yml b/rules/windows/process_creation/win_susp_wmi_execution.yml new file mode 100644 index 000000000..3a22fa429 --- /dev/null +++ b/rules/windows/process_creation/win_susp_wmi_execution.yml @@ -0,0 +1,31 @@ +title: Suspicious WMI execution +status: experimental +description: Detects WMI executing suspicious commands +references: + - https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/ + - https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1 + - https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/ +author: Michael Haag, Florian Roth +logsource: + category: process_creation + product: windows +detection: + selection: + Image: + - '*\wmic.exe' + CommandLine: + - '*/NODE:*process call create *' + - '* path AntiVirusProduct get *' + - '* path FirewallProduct get *' + - '* shadowcopy delete *' + condition: selection +fields: + - CommandLine + - ParentCommandLine +tags: + - attack.execution + - attack.t1047 +falsepositives: + - Will need to be tuned + - If using Splunk, I recommend | stats count by Computer,CommandLine following for easy hunting by Computer/CommandLine. +level: medium 
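Review bot: `'* shadowcopy delete *'` in win_susp_wmi_execution.yml requires a trailing space, so a bare `wmic shadowcopy delete` with nothing after `delete` does not match; `'* shadowcopy delete*'` does. The same trailing-space anchor affects `'* path AntiVirusProduct get *'` and `'* path FirewallProduct get *'` when `get` is the last token (wmic then returns all properties). The `falsepositives` list here is tool advice rather than a false-positive source; the Splunk hunting hint belongs in `description` or a comment.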
diff --git a/rules/windows/process_creation/win_system_exe_anomaly.yml b/rules/windows/process_creation/win_system_exe_anomaly.yml new file mode 100644 index 000000000..414f58d37 --- /dev/null +++ b/rules/windows/process_creation/win_system_exe_anomaly.yml @@ -0,0 +1,33 @@ +title: System File Execution Location Anomaly +status: experimental +description: Detects a Windows program executable started in a suspicious folder +references: + - https://twitter.com/GelosSnake/status/934900723426439170 +author: Florian Roth +date: 2017/11/27 +logsource: + category: process_creation + product: windows +detection: + selection: + Image: + - '*\svchost.exe' + - '*\rundll32.exe' + - '*\services.exe' + - '*\powershell.exe' + - '*\regsvr32.exe' + - '*\spoolsv.exe' + - '*\lsass.exe' + - '*\smss.exe' + - '*\csrss.exe' + - '*\conhost.exe' + filter: + Image: + - '*\System32\*' + - '*\SysWow64\*' + condition: selection and not filter +tags: + - attack.defense_evasion +falsepositives: + - Exotic software +level: high diff --git a/rules/windows/process_creation/win_vul_java_remote_debugging.yml b/rules/windows/process_creation/win_vul_java_remote_debugging.yml new file mode 100644 index 000000000..edce8d264 --- /dev/null +++ b/rules/windows/process_creation/win_vul_java_remote_debugging.yml @@ -0,0 +1,19 @@ +title: Java Running with Remote Debugging +description: Detects a JAVA process running with remote debugging allowing more than just localhost to connect +author: Florian Roth +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine: '*transport=dt_socket,address=*' + exclusion: + - CommandLine: '*address=127.0.0.1*' + - CommandLine: '*address=localhost*' + condition: selection and not exclusion +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - unknown +level: medium 
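Review bot: The filter `Image: '*\System32\*'` / `'*\SysWow64\*'` in win_system_exe_anomaly.yml matches the substring anywhere in the path, so an attacker who drops `C:\Users\x\System32\svchost.exe` (any folder named `System32` under a writable path) is excluded by the very rule meant to catch it; anchor it to the Windows directory, e.g. `'*\Windows\System32\*'` and `'*\Windows\SysWOW64\*'`, or the fully qualified system-drive form if the environment allows. Some of the listed binaries may legitimately run from other Windows-owned locations (e.g. under `\WinSxS\`) — verify on real hosts before widening the filter. `falsepositives: Exotic software` would be more useful as the concrete cases observed.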
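Review bot: The exclusion in win_vul_java_remote_debugging.yml only recognises `address=127.0.0.1` and `address=localhost`, but JDWP's bind behaviour for a bare port (`address=5005`) depends on the JDK: from JDK 9 it binds to localhost only, while earlier releases listen on all interfaces — so on JDK 9+ the rule fires on processes that are local-only, and the description ("allowing more than just localhost to connect") overstates those hits. Either say that the bare-port form is treated as remote-capable by design, or treat the explicit `address=*:` form as the strong indicator. The rule also lacks `status`, `date` and `tags`.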
diff --git a/rules/windows/process_creation/win_webshell_detection.yml b/rules/windows/process_creation/win_webshell_detection.yml new file mode 100644 index 000000000..466ca9a02 --- /dev/null +++ b/rules/windows/process_creation/win_webshell_detection.yml @@ -0,0 +1,31 @@ +title: Webshell Detection With Command Line Keywords +description: Detects certain command line parameters often used during reconnaissance activity via web shells +author: Florian Roth +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage: + - '*\apache*' + - '*\tomcat*' + - '*\w3wp.exe' + - '*\php-cgi.exe' + - '*\nginx.exe' + - '*\httpd.exe' + CommandLine: + - whoami + - net user + - ping -n + - systeminfo + condition: selection +fields: + - CommandLine + - ParentCommandLine +tags: + - attack.privilege_escalation + - attack.persistence + - attack.t1100 +falsepositives: + - unknown +level: high diff --git a/rules/windows/process_creation/win_webshell_spawn.yml b/rules/windows/process_creation/win_webshell_spawn.yml new file mode 100644 index 000000000..bf6569a19 --- /dev/null +++ b/rules/windows/process_creation/win_webshell_spawn.yml @@ -0,0 +1,30 @@ +title: Shells Spawned by Web Servers +status: experimental +description: Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack +author: Thomas Patzke +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage: + - '*\w3wp.exe' + - '*\httpd.exe' + - '*\nginx.exe' + - '*\php-cgi.exe' + Image: + - '*\cmd.exe' + - '*\sh.exe' + - '*\bash.exe' + - '*\powershell.exe' + condition: selection +fields: + - CommandLine + - ParentCommandLine +tags: + - attack.privilege_escalation + - attack.persistence + - attack.t1100 +falsepositives: + - Particular web applications may spawn a shell process legitimately +level: high 
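Review bot: The `CommandLine` values in win_webshell_detection.yml are exact whole-field matches, and `ping -n` is never a complete command line (it needs a count and a host), so that entry is dead; `whoami`, `net user` and `systeminfo` only match when run with no further arguments and no `cmd /c` wrapper, which is how a web shell normally invokes them. With a web-server parent as the anchor, `'*whoami*'`, `'*net user*'`, `'*ping -n*'`, `'*systeminfo*'` are acceptable breadth. `'*\tomcat*'` only matches when the parent's image path contains "tomcat"; a Tomcat started as plain `java.exe` is not covered, and that parent is also absent from `win_webshell_spawn.yml` in the same commit.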
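Review bot: The `ParentImage` list in win_webshell_spawn.yml (`w3wp`, `httpd`, `nginx`, `php-cgi`) differs from the one in `win_webshell_detection.yml` added by the same commit (which also has `*\apache*` and `*\tomcat*`), so the two web-shell rules disagree about what a web server is; align the lists and consider a Java app-server parent for Tomcat. The `Image` list omits `wscript.exe`/`cscript.exe`, which a web shell can spawn directly, and the "other attack" wording in the description could name the case (application RCE) so analysts know why the same alert is expected there. `status` and `level` are set but there is no `date:`.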
diff --git a/rules/windows/process_creation/win_wmi_persistence_script_event_consumer.yml b/rules/windows/process_creation/win_wmi_persistence_script_event_consumer.yml new file mode 100644 index 000000000..3f90fbed6 --- /dev/null +++ b/rules/windows/process_creation/win_wmi_persistence_script_event_consumer.yml @@ -0,0 +1,22 @@ +title: WMI Persistence - Script Event Consumer +status: experimental +description: Detects WMI script event consumers +references: + - https://www.eideon.com/2018-03-02-THL03-WMIBackdoors/ +author: Thomas Patzke +date: 2018/03/07 +tags: + - attack.execution + - attack.persistence + - attack.t1047 +logsource: + category: process_creation + product: windows +detection: + selection: + Image: C:\WINDOWS\system32\wbem\scrcons.exe + ParentImage: C:\Windows\System32\svchost.exe + condition: selection +falsepositives: + - Legitimate event consumers +level: high diff --git a/rules/windows/process_creation/win_workflow_compiler.yml b/rules/windows/process_creation/win_workflow_compiler.yml new file mode 100644 index 000000000..ae2ea8844 --- /dev/null +++ b/rules/windows/process_creation/win_workflow_compiler.yml @@ -0,0 +1,22 @@ +title: Microsoft Workflow Compiler +status: experimental +description: Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code. +tags: + - attack.defense_evasion + - attack.execution +author: Nik Seetharaman +references: + - https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb +logsource: + category: process_creation + product: windows +detection: + selection: + Image: '*\Microsoft.Workflow.Compiler.exe' + condition: selection +fields: + - CommandLine + - ParentCommandLine +falsepositives: + - Legitimate MWC use (unlikely in modern enterprise environments) +level: high 
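Review bot: Both `Image` and `ParentImage` in win_wmi_persistence_script_event_consumer.yml are exact, drive-letter-qualified paths (`C:\WINDOWS\system32\wbem\scrcons.exe`, `C:\Windows\System32\svchost.exe`), so a Windows installation on another drive never matches; use `'*\wbem\scrcons.exe'` and `'*\svchost.exe'` like the other rules converted in this commit. The `ParentImage` constraint also excludes a scrcons.exe started any other way, which may be intended but deserves a sentence in the description.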
diff --git a/rules/windows/sysmon/sysmon_attrib_hiding_files.yml b/rules/windows/sysmon/sysmon_attrib_hiding_files.yml deleted file mode 100644 index 8bba17482..000000000 --- a/rules/windows/sysmon/sysmon_attrib_hiding_files.yml +++ /dev/null @@ -1,31 +0,0 @@ -title: Hiding files with attrib.exe -status: experimental -description: Detects usage of attrib.exe to hide files from users. -author: Sami Ruohonen -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - Image: '*\attrib.exe' - CommandLine: '* +h *' - ini: - CommandLine: '*\desktop.ini *' - intel: - ParentImage: '*\cmd.exe' - CommandLine: '+R +H +S +A \*.cui' - ParentCommandLine: 'C:\WINDOWS\system32\\*.bat' - condition: selection and not (ini or intel) -fields: - - CommandLine - - ParentCommandLine - - User -tags: - - attack.defense_evasion - - attack.persistence - - attack.t1158 -falsepositives: - - igfxCUIService.exe hiding *.cui files via .bat script (attrib.exe a child of cmd.exe and igfxCUIService.exe is the parent of the cmd.exe) - - msiexec.exe hiding desktop.ini -level: low diff --git a/rules/windows/sysmon/sysmon_bypass_squiblytwo.yml b/rules/windows/sysmon/sysmon_bypass_squiblytwo.yml deleted file mode 100644 index bb312f204..000000000 --- a/rules/windows/sysmon/sysmon_bypass_squiblytwo.yml +++ /dev/null 
@@ -1,36 +0,0 @@ -title: SquiblyTwo -status: experimental -description: Detects WMI SquiblyTwo Attack with possible renamed WMI by looking for imphash -references: - - https://subt0x11.blogspot.ch/2018/04/wmicexe-whitelisting-bypass-hacking.html - - https://twitter.com/mattifestation/status/986280382042595328 -tags: - - attack.defense_evasion - - attack.t1047 -author: Markus Neis / Florian Roth -falsepositives: - - Unknown -level: medium -logsource: - product: windows - service: sysmon -detection: - selection1: - EventID: 1 - Image: - - '*\wmic.exe' - CommandLine: - - 'wmic * *format:\"http*' - - "wmic * /format:'http" - - 'wmic * /format:http*' - selection2: - EventID: 1 - Imphash: - - '1B1A3F43BF37B5BFE60751F2EE2F326E' - - '37777A96245A3C74EB217308F3546F4C' - - '9D87C9D67CE724033C0B40CC4CA1B206' - CommandLine: - - '* *format:\"http*' - - "* /format:'http" - - '* /format:http*' - condition: 1 of them diff --git a/rules/windows/sysmon/sysmon_cmdkey_recon.yml b/rules/windows/sysmon/sysmon_cmdkey_recon.yml deleted file mode 100644 index 6f1e4c664..000000000 --- a/rules/windows/sysmon/sysmon_cmdkey_recon.yml +++ /dev/null @@ -1,23 +0,0 @@ -title: Cmdkey Cached Credentials Recon -status: experimental -description: Detects usage of cmdkey to look for cached credentials -references: - - https://www.peew.pw/blog/2017/11/26/exploring-cmdkey-an-edge-case-for-privilege-escalation - - https://technet.microsoft.com/en-us/library/cc754243(v=ws.11).aspx -author: jmallette -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - Image: '*\cmdkey.exe' - CommandLine: '* /list *' - condition: selection -fields: - - CommandLine - - ParentCommandLine - - User -falsepositives: - - Legitimate administrative tasks. -level: low diff --git a/rules/windows/sysmon/sysmon_cmstp_com_object_access.yml b/rules/windows/sysmon/sysmon_cmstp_com_object_access.yml deleted file mode 100644 index f535868aa..000000000 
--- a/rules/windows/sysmon/sysmon_cmstp_com_object_access.yml +++ /dev/null @@ -1,34 +0,0 @@ -title: CMSTP UAC Bypass via COM Object Access -status: stable -description: Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects -tags: - - attack.defense_evasion - - attack.privilege_escalation - - attack.execution - - attack.t1088 - - attack.t1191 - - attack.g0069 -author: Nik Seetharaman -references: - - http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/ - - https://twitter.com/hFireF0X/status/897640081053364225 -logsource: - product: windows - service: sysmon -detection: - # CMSTP Spawning Child Process - selection1: - EventID: 1 - ParentCommandLine: '*\DllHost.exe' - selection2: - ParentCommandLine: - - '*\{3E5FC7F9-9A51-4367-9063-A120244FBEC7}' #CMSTPLUA - - '*\{3E000D72-A845-4CD9-BD83-80C07C3B881F}' #CMLUAUTIL, see https://twitter.com/hFireF0X/status/897640081053364225 - condition: selection1 and selection2 -fields: - - CommandLine - - ParentCommandLine - - Hashes -falsepositives: - - Legitimate CMSTP use (unlikely in modern enterprise environments) -level: high diff --git a/rules/windows/sysmon/sysmon_exploit_cve_2017_0261.yml b/rules/windows/sysmon/sysmon_exploit_cve_2017_0261.yml deleted file mode 100644 index 258254ccf..000000000 --- a/rules/windows/sysmon/sysmon_exploit_cve_2017_0261.yml +++ /dev/null 
@@ -1,19 +0,0 @@ -title: Exploit for CVE-2017-0261 -status: experimental -description: Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262 -references: - - https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html -author: Florian Roth -date: 2018/02/22 -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - ParentImage: '*\WINWORD.EXE' - Image: '*\FLTLDR.exe*' - condition: selection -falsepositives: - - Several false positives identified, check for suspicious file names or locations (e.g. Temp folders) -level: medium diff --git a/rules/windows/sysmon/sysmon_exploit_cve_2017_11882.yml b/rules/windows/sysmon/sysmon_exploit_cve_2017_11882.yml deleted file mode 100644 index ad2eff251..000000000 --- a/rules/windows/sysmon/sysmon_exploit_cve_2017_11882.yml +++ /dev/null @@ -1,21 +0,0 @@ -title: Droppers exploiting CVE-2017-11882 -status: experimental -description: Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe -references: - - https://www.hybrid-analysis.com/sample/2a4ae284c76f868fc51d3bb65da8caa6efacb707f265b25c30f34250b76b7507?environmentId=100 - - https://www.google.com/url?hl=en&q=https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about&source=gmail&ust=1511481120837000&usg=AFQjCNGdL7gVwLXaNSl2Td8ylDYbSJFmPw -author: Florian Roth -date: 2017/11/23 -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - ParentImage: '*\EQNEDT32.EXE' - condition: selection -fields: - - CommandLine -falsepositives: - - unknown -level: critical diff --git a/rules/windows/sysmon/sysmon_lethalhta.yml b/rules/windows/sysmon/sysmon_lethalhta.yml deleted file mode 100644 index 5669721a8..000000000 --- a/rules/windows/sysmon/sysmon_lethalhta.yml +++ /dev/null 
@@ -1,19 +0,0 @@ -title: MSHTA spwaned by SVCHOST as seen in LethalHTA -status: experimental -description: Detects MSHTA.EXE spwaned by SVCHOST described in report -references: - - https://codewhitesec.blogspot.com/2018/07/lethalhta.html -author: Markus Neis -date: 2018/06/07 -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - ParentImage: '*\svchost.exe' - Image: '*\mshta.exe' - condition: selection -falsepositives: - - Unknown -level: high diff --git a/rules/windows/sysmon/sysmon_malware_script_dropper.yml b/rules/windows/sysmon/sysmon_malware_script_dropper.yml deleted file mode 100644 index 95b29fd80..000000000 --- a/rules/windows/sysmon/sysmon_malware_script_dropper.yml +++ /dev/null @@ -1,34 +0,0 @@ -title: WScript or CScript Dropper -status: experimental -description: Detects wscript/cscript executions of scripts located in user directories -author: Margaritis Dimitrios (idea), Florian Roth (rule) -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - Image: - - '*\wscript.exe' - - '*\cscript.exe' - CommandLine: - - '* C:\Users\*.jse *' - - '* C:\Users\*.vbe *' - - '* C:\Users\*.js *' - - '* C:\Users\*.vba *' - - '* C:\Users\*.vbs *' - - '* C:\ProgramData\*.jse *' - - '* C:\ProgramData\*.vbe *' - - '* C:\ProgramData\*.js *' - - '* C:\ProgramData\*.vba *' - - '* C:\ProgramData\*.vbs *' - falsepositive: - ParentImage: '*\winzip*' - condition: selection -fields: - - CommandLine - - ParentCommandLine -falsepositives: - - Winzip - - Other self-extractors -level: high diff --git a/rules/windows/sysmon/sysmon_mshta_spawn_shell.yml b/rules/windows/sysmon/sysmon_mshta_spawn_shell.yml deleted file mode 100644 index ddb298fa1..000000000 --- a/rules/windows/sysmon/sysmon_mshta_spawn_shell.yml +++ /dev/null 
@@ -1,39 +0,0 @@ -title: MSHTA Spawning Windows Shell -status: experimental -description: Detects a Windows command line executable started from MSHTA. -references: - - https://www.trustedsec.com/july-2015/malicious-htas/ -author: Michael Haag -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - ParentImage: '*\mshta.exe' - Image: - - '*\cmd.exe' - - '*\powershell.exe' - - '*\wscript.exe' - - '*\cscript.exe' - - '*\sh.exe' - - '*\bash.exe' - - '*\reg.exe' - - '*\regsvr32.exe' - - '*\BITSADMIN*' - filter: - CommandLine: - - '*/HP/HP*' - - '*\HP\HP*' - condition: selection and not filter -fields: - - CommandLine - - ParentCommandLine -tags: - - attack.defense_evasion - - attack.execution - - attack.t1170 -falsepositives: - - Printer software / driver installations -level: high - diff --git a/rules/windows/sysmon/sysmon_office_shell.yml b/rules/windows/sysmon/sysmon_office_shell.yml deleted file mode 100644 index c226ffe44..000000000 --- a/rules/windows/sysmon/sysmon_office_shell.yml +++ /dev/null 
@@ -1,53 +0,0 @@ -title: Microsoft Office Product Spawning Windows Shell -status: experimental -description: Detects a Windows command line executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio. -references: - - https://www.hybrid-analysis.com/sample/465aabe132ccb949e75b8ab9c5bda36d80cf2fd503d52b8bad54e295f28bbc21?environmentId=100 - - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html - - https://www2.cybereason.com/asset/60:research-cobalt-kitty-attack-lifecycle -tags: - - attack.execution - - attack.defense_evasion - - attack.t1059 - - attack.T1202 -author: Michael Haag, Florian Roth, Markus Neis -date: 2018/04/06 -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - ParentImage: - - '*\WINWORD.EXE' - - '*\EXCEL.EXE' - - '*\POWERPNT.exe' - - '*\MSPUB.exe' - - '*\VISIO.exe' - - '*\OUTLOOK.EXE' - Image: - - '*\cmd.exe' - - '*\powershell.exe' - - '*\wscript.exe' - - '*\cscript.exe' - - '*\sh.exe' - - '*\bash.exe' - - '*\scrcons.exe' - - '*\schtasks.exe' # see https://www.hybrid-analysis.com/sample/b409538c99f99b94a5035d9fa44a506b41be0feb23e89b7e4d272ba791aa6002?environmentId=100 - - '*\regsvr32.exe' # see https://twitter.com/subTee/status/899283365647458305 - - '*\hh.exe' # see https://www.hybrid-analysis.com/sample/6abc2b63f1865a847ff7f5a9d49bb944397b36f5503b9718d6f91f93d60f7cd7?environmentId=100 - - '*\wmic.exe' # see https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html - - '*\mshta.exe' # see https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html - - '*\rundll32.exe' # see https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html - - '*\msiexec.exe' # see https://twitter.com/DissectMalware/status/984252467474026497 - - '*\forfiles.exe' # see https://twitter.com/danielhbohannon/status/896057910123347969?lang=en - - '*\scriptrunner.exe' # see https://twitter.com/KyleHanslovan/status/914800377580503040 - - '*\mftrace.exe' # see 
https://github.com/api0cradle/LOLBAS/blob/763d0b115cd702780ca042a8beb6ee684ef7823f/OtherMSBinaries/Mftrace.md - - '*\AppVLP.exe' # see https://twitter.com/moo_hax/status/892388990686347264 - condition: selection -fields: - - CommandLine - - ParentCommandLine -falsepositives: - - unknown -level: high diff --git a/rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml b/rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml deleted file mode 100644 index 59f5821a2..000000000 --- a/rules/windows/sysmon/sysmon_plugx_susp_exe_locations.yml +++ /dev/null 
@@ -1,147 +0,0 @@ -title: Executable used by PlugX in Uncommon Location - Sysmon Version -status: experimental -description: Detects the execution of an executable that is typically used by PlugX for DLL side loading started from an uncommon location -references: - - 'http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/' - - 'https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/' -author: Florian Roth -date: 2017/06/12 -logsource: - product: windows - service: sysmon -detection: - - # CamMute - selection_cammute: - EventID: 1 - Image: '*\CamMute.exe' - filter_cammute: - EventID: 1 - Image: '*\Lenovo\Communication Utility\*' - - # Chrome Frame Helper - selection_chrome_frame: - EventID: 1 - Image: '*\chrome_frame_helper.exe' - filter_chrome_frame: - EventID: 1 - Image: '*\Google\Chrome\application\*' - - # Microsoft Device Emulator - selection_devemu: - EventID: 1 - Image: '*\dvcemumanager.exe' - filter_devemu: - EventID: 1 - Image: '*\Microsoft Device Emulator\*' - - # Windows Media Player Gadget - selection_gadget: - EventID: 1 - Image: '*\Gadget.exe' - filter_gadget: - EventID: 1 - Image: '*\Windows Media Player\*' - - # HTML Help Workshop - selection_hcc: - EventID: 1 - Image: '*\hcc.exe' - filter_hcc: - EventID: 1 - Image: '*\HTML Help Workshop\*' - - # Hotkey Command Module for Intel Graphics Contollers - selection_hkcmd: - EventID: 1 - Image: '*\hkcmd.exe' - filter_hkcmd: - EventID: 1 - Image: - - '*\System32\*' - - '*\SysNative\*' - - '*\SysWowo64\*' - - # McAfee component - selection_mc: - EventID: 1 - Image: '*\Mc.exe' - filter_mc: - EventID: 1 - Image: - - '*\Microsoft Visual Studio*' - - '*\Microsoft SDK*' - - '*\Windows Kit*' - - # MsMpEng - Microsoft Malware Protection Engine - selection_msmpeng: - EventID: 1 - Image: '*\MsMpEng.exe' - filter_msmpeng: - EventID: 1 - Image: - - '*\Microsoft Security Client\*' - - '*\Windows Defender\*' - - '*\AntiMalware\*' - - # Microsoft Security Center - 
selection_msseces: - EventID: 1 - Image: '*\msseces.exe' - filter_msseces: - EventID: 1 - Image: '*\Microsoft Security Center\*' - - # Microsoft Office 2003 OInfo - selection_oinfo: - EventID: 1 - Image: '*\OInfoP11.exe' - filter_oinfo: - EventID: 1 - Image: '*\Common Files\Microsoft Shared\*' - - # OLE View - selection_oleview: - EventID: 1 - Image: '*\OleView.exe' - filter_oleview: - EventID: 1 - Image: - - '*\Microsoft Visual Studio*' - - '*\Microsoft SDK*' - - '*\Windows Kit*' - - '*\Windows Resource Kit\*' - - # RC - selection_rc: - EventID: 1 - Image: '*\rc.exe' - filter_rc: - EventID: 1 - Image: - - '*\Microsoft Visual Studio*' - - '*\Microsoft SDK*' - - '*\Windows Kit*' - - '*\Windows Resource Kit\*' - - '*\Microsoft.NET\*' - - condition: ( selection_cammute and not filter_cammute ) or - ( selection_chrome_frame and not filter_chrome_frame ) or - ( selection_devemu and not filter_devemu ) or - ( selection_gadget and not filter_gadget ) or - ( selection_hcc and not filter_hcc ) or - ( selection_hkcmd and not filter_hkcmd ) or - ( selection_mc and not filter_mc ) or - ( selection_msmpeng and not filter_msmpeng ) or - ( selection_msseces and not filter_msseces ) or - ( selection_oinfo and not filter_oinfo ) or - ( selection_oleview and not filter_oleview ) or - ( selection_rc and not filter_rc ) -fields: - - CommandLine - - ParentCommandLine -falsepositives: - - Unknown -level: high - - diff --git a/rules/windows/sysmon/sysmon_powershell_amsi_bypass.yml b/rules/windows/sysmon/sysmon_powershell_amsi_bypass.yml deleted file mode 100644 index c78da8db6..000000000 --- a/rules/windows/sysmon/sysmon_powershell_amsi_bypass.yml +++ /dev/null 
@@ -1,27 +0,0 @@
-title: Powershell AMSI Bypass via .NET Reflection
-status: experimental
-description: Detects Request to amsiInitFailed that can be used to disable AMSI Scanning
-references:
- - https://twitter.com/mattifestation/status/735261176745988096
- - https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120
-tags:
- - attack.execution
- - attack.t1086
-author: Markus Neis
-date: 2018/08/17
-logsource:
- product: windows
- service: sysmon
-detection:
- selection1:
- EventID: 1
- CommandLine:
- - '*System.Management.Automation.AmsiUtils*'
- selection2:
- CommandLine:
- - '*amsiInitFailed*'
- condition: selection1 and selection2
- falsepositives:
- - Potential Admin Activity
-level: high
-
diff --git a/rules/windows/sysmon/sysmon_powershell_dll_execution.yml b/rules/windows/sysmon/sysmon_powershell_dll_execution.yml
deleted file mode 100644
index 940c75a4b..000000000
--- a/rules/windows/sysmon/sysmon_powershell_dll_execution.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: Detection of PowerShell Execution via DLL
-status: experimental
-description: Detects PowerShell Strings applied to rundllas seen in PowerShdll.dll
-references:
- - https://github.com/p3nt4/PowerShdll/blob/master/README.md
-tags:
- - attack.execution
- - attack.t1086
-author: Markus Neis
-date: 2018/08/25
-logsource:
- product: windows
- service: sysmon
-detection:
- selection1:
- EventID: 1
- Image:
- - '*\rundll32.exe'
- selection2:
- EventID: 1
- Description:
- - '*Windows-Hostprozess (Rundll32)*'
- selection3:
- EventID: 1
- CommandLine:
- - '*Default.GetString*'
- - '*FromBase64String*'
- condition: (selection1 or selection2) and selection3
-falsepositives:
- - Unknown
-level: high
diff --git a/rules/windows/sysmon/sysmon_powershell_download.yml b/rules/windows/sysmon/sysmon_powershell_download.yml
deleted file mode 100644
index f5b875d6d..000000000
--- a/rules/windows/sysmon/sysmon_powershell_download.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: PowerShell Download from URL
-status: experimental
-description: Detects a Powershell process that contains download commands in its command line string
-author: Florian Roth
-tags:
- - attack.t1086
- - attack.execution
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- Image: '*\powershell.exe'
- CommandLine:
- - '*new-object system.net.webclient).downloadstring(*'
- - '*new-object system.net.webclient).downloadfile(*'
- condition: selection
-fields:
- - CommandLine
- - ParentCommandLine
-falsepositives:
- - unknown
-level: medium
-
diff --git a/rules/windows/sysmon/sysmon_powershell_renamed_ps.yml b/rules/windows/sysmon/sysmon_powershell_renamed_ps.yml
deleted file mode 100644
index dce9e3751..000000000
--- a/rules/windows/sysmon/sysmon_powershell_renamed_ps.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-title: Renamed Powershell.exe
-status: experimental
-description: Detects copying and renaming of powershell.exe before execution (RETEFE malware DOC/macro starting Sept 2018)
-references:
- - https://attack.mitre.org/techniques/T1086/
- - https://isc.sans.edu/forums/diary/Maldoc+Duplicating+PowerShell+Prior+to+Use/24254/
-tags:
- - attack.t1086
- - attack.execution
-author: Tom Ueltschi (@c_APT_ure)
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- Description: Windows PowerShell
- exclusion_1:
- Image:
- - powershell.exe
- - powershell_ise.exe
- exclusion_2:
- Description: Windows PowerShell ISE
- condition: all of selection and not (1 of exclusion_*)
-falsepositives:
- - penetration tests, red teaming
-level: high
diff --git a/rules/windows/sysmon/sysmon_powershell_suspicious_parameter_variation.yml b/rules/windows/sysmon/sysmon_powershell_suspicious_parameter_variation.yml
deleted file mode 100644
index ed6d68eeb..000000000
--- a/rules/windows/sysmon/sysmon_powershell_suspicious_parameter_variation.yml
+++ /dev/null
@@ -1,62 +0,0 @@ -title: Suspicious PowerShell Parameter Substring -status: experimental -description: Detects suspicious PowerShell invocation with a parameter substring -references: - - http://www.danielbohannon.com/blog-1/2017/3/12/powershell-execution-argument-obfuscation-how-it-can-make-detection-easier -tags: - - attack.execution - - attack.t1086 -author: Florian Roth (rule), Daniel Bohannon (idea), Roberto Rodriguez (Fix) -logsource: - product: windows - service: sysmon -detection: - selection: - Image: - - '*\Powershell.exe' - EventID: 1 - CommandLine: - - ' -windowstyle h ' - - ' -windowstyl h' - - ' -windowsty h' - - ' -windowst h' - - ' -windows h' - - ' -windo h' - - ' -wind h' - - ' -win h' - - ' -wi h' - - ' -win h ' - - ' -win hi ' - - ' -win hid ' - - ' -win hidd ' - - ' -win hidde ' - - ' -NoPr ' - - ' -NoPro ' - - ' -NoProf ' - - ' -NoProfi ' - - ' -NoProfil ' - - ' -nonin ' - - ' -nonint ' - - ' -noninte ' - - ' -noninter ' - - ' -nonintera ' - - ' -noninterac ' - - ' -noninteract ' - - ' -noninteracti ' - - ' -noninteractiv ' - - ' -ec ' - - ' -encodedComman ' - - ' -encodedComma ' - - ' -encodedComm ' - - ' -encodedCom ' - - ' -encodedCo ' - - ' -encodedC ' - - ' -encoded ' - - ' -encode ' - - ' -encod ' - - ' -enco ' - - ' -en ' - condition: selection -falsepositives: - - Penetration tests -level: high diff --git a/rules/windows/sysmon/sysmon_sdbinst_shim_persistence.yml b/rules/windows/sysmon/sysmon_sdbinst_shim_persistence.yml deleted file mode 100644 index cea5c5ba8..000000000 --- a/rules/windows/sysmon/sysmon_sdbinst_shim_persistence.yml +++ /dev/null 
@@ -1,24 +0,0 @@
-title: Possible Shim Database Persistence via sdbinst.exe
-status: experimental
-description: Detects execution of sdbinst writing to default shim database path C:\Windows\AppPatch\*
-references:
- - https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
-tags:
- - attack.persistence
- - attack.t1138
-author: Markus Neis
-date: 2018-08-03
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- Image:
- - '*\sdbinst.exe'
- CommandLine:
- - '*\AppPatch\*}.sdb*'
- condition: selection
-falsepositives:
- - Unknown
-level: high
diff --git a/rules/windows/sysmon/sysmon_shell_spawn_susp_program.yml b/rules/windows/sysmon/sysmon_shell_spawn_susp_program.yml
deleted file mode 100644
index d1af4a536..000000000
--- a/rules/windows/sysmon/sysmon_shell_spawn_susp_program.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-title: Windows Shell Spawning Suspicious Program
-status: experimental
-description: Detects a suspicious child process of a Windows shell
-references:
- - https://mgreen27.github.io/posts/2018/04/02/DownloadCradle.html
-author: Florian Roth
-date: 2018/04/06
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- ParentImage:
- - '*\mshta.exe'
- - '*\powershell.exe'
- - '*\cmd.exe'
- - '*\rundll32.exe'
- - '*\cscript.exe'
- - '*\wscript.exe'
- - '*\wmiprvse.exe'
- Image:
- - '*\schtasks.exe'
- - '*\nslookup.exe'
- - '*\certutil.exe'
- - '*\bitsadmin.exe'
- - '*\mshta.exe'
- condition: selection
-fields:
- - CommandLine
- - ParentCommandLine
-falsepositives:
- - Administrative scripts
-level: high
-
diff --git a/rules/windows/sysmon/sysmon_susp_certutil_command.yml b/rules/windows/sysmon/sysmon_susp_certutil_command.yml
deleted file mode 100644
index b6cdcfab4..000000000
--- a/rules/windows/sysmon/sysmon_susp_certutil_command.yml
+++ /dev/null
@@ -1,67 +0,0 @@ ---- -action: global -title: Suspicious Certutil Command -status: experimental -description: Detects a suspicious Microsoft certutil execution with sub commands like 'decode' sub command, which is sometimes used to decode malicious code with the built-in certutil utility -author: Florian Roth, juju4 -modified: 2018/12/11 -references: - - https://twitter.com/JohnLaTwC/status/835149808817991680 - - https://twitter.com/subTee/status/888102593838362624 - - https://twitter.com/subTee/status/888071631528235010 - - https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/ - - https://www.trustedsec.com/2017/07/new-tool-release-nps_payload/ -detection: - condition: selection -fields: - - CommandLine - - ParentCommandLine -tags: - - attack.defense_evasion - - attack.t1140 - - attack.s0189 - - attack.g0007 -falsepositives: - - False positives depend on scripts and administrative tools used in the monitored environment -level: high ---- -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - CommandLine: - - '*certutil * -decode *' - - '*certutil * -decodehex *' - - '*certutil *-urlcache* http*' - - '*certutil *-urlcache* ftp*' - - '*certutil *-URL*' - - '*certutil *-ping*' - - '*certutil.exe * -decode *' - - '*certutil.exe * -decodehex *' - - '*certutil.exe *-urlcache* http*' - - '*certutil.exe *-urlcache* ftp*' - - '*certutil.exe *-URL*' - - '*certutil.exe *-ping*' ---- -logsource: - product: windows - service: security - definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation' -detection: - selection: - EventID: 4688 - ProcessCommandLine: - - '*certutil * -decode *' - - '*certutil * -decodehex *' - - '*certutil *-urlcache* http*' - - '*certutil *-urlcache* ftp*' - - '*certutil *-URL*' - - '*certutil *-ping*' - - '*certutil.exe * -decode *' - - '*certutil.exe * -decodehex *' - - '*certutil.exe 
*-urlcache* http*' - - '*certutil.exe *-urlcache* ftp*' - - '*certutil.exe *-URL*' - - '*certutil.exe *-ping*' diff --git a/rules/windows/sysmon/sysmon_susp_cmd_http_appdata.yml b/rules/windows/sysmon/sysmon_susp_cmd_http_appdata.yml deleted file mode 100644 index f8ef570a7..000000000 --- a/rules/windows/sysmon/sysmon_susp_cmd_http_appdata.yml +++ /dev/null @@ -1,23 +0,0 @@ -title: Command Line Execution with suspicious URL and AppData Strings -status: experimental -description: Detects a suspicious command line execution that includes an URL and AppData string in the command line parameters as used by several droppers (js/vbs > powershell) -references: - - 'https://www.hybrid-analysis.com/sample/3a1f01206684410dbe8f1900bbeaaa543adfcd07368ba646b499fa5274b9edf6?environmentId=100' - - 'https://www.hybrid-analysis.com/sample/f16c729aad5c74f19784a24257236a8bbe27f7cdc4a89806031ec7f1bebbd475?environmentId=100' -author: Florian Roth -logsource: - product: windows - service: sysmon -detection: - selection: - EventID: 1 - CommandLine: - - 'cmd.exe /c *http://*%AppData%' - - 'cmd.exe /c *https://*%AppData%' - condition: selection -fields: - - CommandLine - - ParentCommandLine -falsepositives: - - High -level: medium diff --git a/rules/windows/sysmon/sysmon_susp_control_dll_load.yml b/rules/windows/sysmon/sysmon_susp_control_dll_load.yml deleted file mode 100644 index f2a069d1a..000000000 --- a/rules/windows/sysmon/sysmon_susp_control_dll_load.yml +++ /dev/null 
@@ -1,24 +0,0 @@
-title: Suspicious Control Panel DLL Load
-status: experimental
-description: Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits
-author: Florian Roth
-date: 2017/04/15
-references:
- - https://twitter.com/rikvduijn/status/853251879320662017
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- ParentImage: '*\System32\control.exe'
- CommandLine: '*\rundll32.exe *'
- filter:
- CommandLine: '*Shell32.dll*'
- condition: selection and not filter
-fields:
- - CommandLine
- - ParentCommandLine
-falsepositives:
- - Unknown
-level: high
diff --git a/rules/windows/sysmon/sysmon_susp_exec_folder.yml b/rules/windows/sysmon/sysmon_susp_exec_folder.yml
deleted file mode 100644
index 02a9eb35e..000000000
--- a/rules/windows/sysmon/sysmon_susp_exec_folder.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-title: Executables Started in Suspicious Folder
-status: experimental
-description: Detects process starts of binaries from a suspicious folder
-author: Florian Roth
-date: 2017/10/14
-references:
- - https://github.com/mbevilacqua/appcompatprocessor/blob/master/AppCompatSearch.txt
- - https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- Image:
- - 'C:\PerfLogs\*'
- - 'C:\$Recycle.bin\*'
- - 'C:\Intel\Logs\*'
- - 'C:\Users\Default\*'
- - 'C:\Users\Public\*'
- - 'C:\Users\NetworkService\*'
- - 'C:\Windows\Fonts\*'
- - 'C:\Windows\Debug\*'
- - 'C:\Windows\Media\*'
- - 'C:\Windows\Help\*'
- - 'C:\Windows\addins\*'
- - 'C:\Windows\repair\*'
- - 'C:\Windows\security\*'
- - '*\RSA\MachineKeys\*'
- - 'C:\Windows\system32\config\systemprofile\*'
- condition: selection
-falsepositives:
- - Unknown
-level: high
-
diff --git a/rules/windows/sysmon/sysmon_susp_execution_path.yml b/rules/windows/sysmon/sysmon_susp_execution_path.yml
deleted file mode 100644
index d1f06b220..000000000
--- a/rules/windows/sysmon/sysmon_susp_execution_path.yml
+++ /dev/null
@@ -1,27 +0,0 @@
-title: Execution in Non-Executable Folder
-status: experimental
-description: Detects a suspicious exection from an uncommon folder
-author: Florian Roth
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- Image:
- - '*\$Recycle.bin'
- - '*\Users\All Users\*'
- - '*\Users\Default\*'
- - '*\Users\Public\*'
- - 'C:\Perflogs\*'
- - '*\config\systemprofile\*'
- - '*\Windows\Fonts\*'
- - '*\Windows\IME\*'
- - '*\Windows\addins\*'
- condition: selection
-fields:
- - CommandLine
- - ParentCommandLine
-falsepositives:
- - Unknown
-level: high
diff --git a/rules/windows/sysmon/sysmon_susp_execution_path_webserver.yml b/rules/windows/sysmon/sysmon_susp_execution_path_webserver.yml
deleted file mode 100644
index 017d726cf..000000000
--- a/rules/windows/sysmon/sysmon_susp_execution_path_webserver.yml
+++ /dev/null
@@ -1,29 +0,0 @@
-title: Execution in Webserver Root Folder
-status: experimental
-description: Detects a suspicious program execution in a web service root folder (filter out false positives)
-author: Florian Roth
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- Image:
- - '*\wwwroot\*'
- - '*\wmpub\*'
- - '*\htdocs\*'
- filter:
- Image:
- - '*bin\*'
- - '*\Tools\*'
- - '*\SMSComponent\*'
- ParentImage:
- - '*\services.exe'
- condition: selection and not filter
-fields:
- - CommandLine
- - ParentCommandLine
-falsepositives:
- - Various applications
- - Tools that include ping or nslookup command invocations
-level: medium
diff --git a/rules/windows/sysmon/sysmon_susp_mmc_source.yml b/rules/windows/sysmon/sysmon_susp_mmc_source.yml
deleted file mode 100644
index 7cbc0c82e..000000000
--- a/rules/windows/sysmon/sysmon_susp_mmc_source.yml
+++ /dev/null
@@ -1,22 +0,0 @@
-title: Processes created by MMC
-status: experimental
-description: Processes started by MMC could be a sign of lateral movement using MMC application COM object
-references:
- - https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- ParentImage: '*\mmc.exe'
- Image: '*\cmd.exe'
- exclusion:
- CommandLine: '*\RunCmd.cmd'
- condition: selection and not exclusion
-fields:
- - CommandLine
- - ParentCommandLine
-falsepositives:
- - unknown
-level: medium
diff --git a/rules/windows/sysmon/sysmon_susp_net_execution.yml b/rules/windows/sysmon/sysmon_susp_net_execution.yml
deleted file mode 100644
index c4889af6a..000000000
--- a/rules/windows/sysmon/sysmon_susp_net_execution.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-title: Net.exe Execution
-status: experimental
-description: Detects execution of Net.exe, whether suspicious or benign.
-references:
- - https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/
-author: Michael Haag, Mark Woan (improvements)
-tags:
- - attack.s0039
- - attack.lateral_movement
- - attack.discovery
-
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- Image:
- - '*\net.exe'
- - '*\net1.exe'
- CommandLine:
- - '* group*'
- - '* localgroup*'
- - '* user*'
- - '* view*'
- - '* share'
- - '* accounts*'
- - '* use*'
- condition: selection
-fields:
- - CommandLine
- - ParentCommandLine
-falsepositives:
- - Will need to be tuned. If using Splunk, I recommend | stats count by Computer,CommandLine following the search for easy hunting by computer/CommandLine.
-level: low
diff --git a/rules/windows/sysmon/sysmon_susp_ping_hex_ip.yml b/rules/windows/sysmon/sysmon_susp_ping_hex_ip.yml
deleted file mode 100644
index 1215805e1..000000000
--- a/rules/windows/sysmon/sysmon_susp_ping_hex_ip.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-title: Ping Hex IP
-description: Detects a ping command that uses a hex encoded IP address
-references:
- - https://github.com/vysec/Aggressor-VYSEC/blob/master/ping.cna
- - https://twitter.com/vysecurity/status/977198418354491392
-author: Florian Roth
-date: 2018/03/23
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- CommandLine:
- - '*\ping.exe 0x*'
- - '*\ping 0x*'
- condition: selection
-fields:
- - ParentCommandLine
-falsepositives:
- - Unlikely, because no sane admin pings IP addresses in a hexadecimal form
-level: high
-
diff --git a/rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml b/rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml
deleted file mode 100644
index 6c6c893d9..000000000
--- a/rules/windows/sysmon/sysmon_susp_powershell_parent_combo.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-title: Suspicious PowerShell Invocation based on Parent Process
-status: experimental
-description: Detects suspicious powershell invocations from interpreters or unusual programs
-author: Florian Roth
-references:
- - https://www.carbonblack.com/2017/03/15/attackers-leverage-excel-powershell-dns-latest-non-malware-attack/
-tags:
- - attack.execution
- - attack.t1086
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- ParentImage:
- - '*\wscript.exe'
- - '*\cscript.exe'
- Image:
- - '*\powershell.exe'
- falsepositive:
- CurrentDirectory: '*\Health Service State\*'
- condition: selection and not falsepositive
-fields:
- - CommandLine
- - ParentCommandLine
-falsepositives:
- - Microsoft Operations Manager (MOM)
- - Other scripts
-level: medium
diff --git a/rules/windows/sysmon/sysmon_susp_recon_activity.yml b/rules/windows/sysmon/sysmon_susp_recon_activity.yml
deleted file mode 100644
index 00f385f4e..000000000
--- a/rules/windows/sysmon/sysmon_susp_recon_activity.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-title: Suspicious Reconnaissance Activity
-status: experimental
-description: Detects suspicious command line activity on Windows systems
-author: Florian Roth
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- CommandLine:
- - 'net group "domain admins" /domain'
- - 'net localgroup administrators'
- condition: selection
-fields:
- - CommandLine
- - ParentCommandLine
-falsepositives:
- - Inventory tool runs
- - Penetration tests
- - Administrative activity
-analysis:
- recommendation: Check if the user that executed the commands is suspicious (e.g. service accounts, LOCAL_SYSTEM)
-level: medium
diff --git a/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml b/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml
deleted file mode 100644
index 2ed6e2de2..000000000
--- a/rules/windows/sysmon/sysmon_susp_regsvr32_anomalies.yml
+++ /dev/null
@@ -1,51 +0,0 @@ -title: Regsvr32 Anomaly -status: experimental -description: Detects various anomalies in relation to regsvr32.exe -author: Florian Roth -references: - - https://subt0x10.blogspot.de/2017/04/bypass-application-whitelisting-script.html -tags: - - attack.t1117 - - attack.defense_evasion - - attack.execution -logsource: - product: windows - service: sysmon -detection: - # Loads from Temp folder - selection1: - EventID: 1 - Image: '*\regsvr32.exe' - CommandLine: '*\Temp\*' - # Loaded by powershell - selection2: - EventID: 1 - Image: '*\regsvr32.exe' - ParentImage: '*\powershell.exe' - # Regsvr32.exe used with http(s) address - selection3: - EventID: 1 - Image: '*\regsvr32.exe' - CommandLine: - - '*/i:http* scrobj.dll' - - '*/i:ftp* scrobj.dll' - # Regsvr32.exe spawned wscript.exe process - indicator of COM scriptlet - # https://www.hybrid-analysis.com/sample/f34da6d84a9663928606894fbc494cd9bf2f03c98cf0c775462802558d3a50ef?environmentId=100 - selection4: - EventID: 1 - Image: '*\wscript.exe' - ParentImage: '*\regsvr32.exe' - # https://twitter.com/danielhbohannon/status/974321840385531904 - selection5: - EventID: 1 - Image: '*\EXCEL.EXE' - CommandLine: '*..\..\..\Windows\System32\regsvr32.exe *' - condition: 1 of them -fields: - - CommandLine - - ParentCommandLine -falsepositives: - - Unknown -level: high - - diff --git a/rules/windows/sysmon/sysmon_susp_schtask_creation.yml b/rules/windows/sysmon/sysmon_susp_schtask_creation.yml deleted file mode 100644 index 0183aeca7..000000000 --- a/rules/windows/sysmon/sysmon_susp_schtask_creation.yml +++ /dev/null 
@@ -1,28 +0,0 @@
-title: Scheduled Task Creation
-status: experimental
-description: Detects the creation of scheduled tasks in user session
-author: Florian Roth
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- Image: '*\schtasks.exe'
- CommandLine: '* /create *'
- filter:
- User: 'NT AUTHORITY\SYSTEM'
- condition: selection and not filter
-fields:
- - CommandLine
- - ParentCommandLine
-tags:
- - attack.execution
- - attack.persistence
- - attack.privelege_escalation
- - attack.t1053
- - attack.s0111
-falsepositives:
- - Administrative activity
- - Software installation
-level: low
diff --git a/rules/windows/sysmon/sysmon_susp_script_execution.yml b/rules/windows/sysmon/sysmon_susp_script_execution.yml
deleted file mode 100644
index 0f76b1360..000000000
--- a/rules/windows/sysmon/sysmon_susp_script_execution.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: WSF/JSE/JS/VBA/VBE File Execution
-status: experimental
-description: Detects suspicious file execution by wscript and cscript
-author: Michael Haag
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- Image:
- - '*\wscript.exe'
- - '*\cscript.exe'
- CommandLine:
- - '*.jse'
- - '*.vbe'
- - '*.js'
- - '*.vba'
- condition: selection
-fields:
- - CommandLine
- - ParentCommandLine
-falsepositives:
- - Will need to be tuned. I recommend adding the user profile path in CommandLine if it is getting too noisy.
-level: medium
diff --git a/rules/windows/sysmon/sysmon_susp_svchost.yml b/rules/windows/sysmon/sysmon_susp_svchost.yml
deleted file mode 100644
index da69e381c..000000000
--- a/rules/windows/sysmon/sysmon_susp_svchost.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: Suspicious Svchost Process
-status: experimental
-description: Detects a suspicious svchost process start
-author: Florian Roth
-date: 2017/08/15
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- Image: '*\svchost.exe'
- filter:
- ParentImage:
- - '*\services.exe'
- - '*\MsMpEng.exe'
- condition: selection and not filter
-fields:
- - CommandLine
- - ParentCommandLine
-tags:
- - attack.defense_evasion
-falsepositives:
- - Unknown
-level: high
diff --git a/rules/windows/sysmon/sysmon_susp_taskmgr_parent.yml b/rules/windows/sysmon/sysmon_susp_taskmgr_parent.yml
deleted file mode 100644
index b01239bbb..000000000
--- a/rules/windows/sysmon/sysmon_susp_taskmgr_parent.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-title: Taskmgr as Parent
-status: experimental
-description: Detects the creation of a process from Windows task manager
-author: Florian Roth
-date: 2018/03/13
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- ParentImage: '*\taskmgr.exe'
- filter:
- Image:
- - 'resmon.exe'
- - 'mmc.exe'
- condition: selection and not filter
-fields:
- - Image
- - CommandLine
- - ParentCommandLine
-falsepositives:
- - Administrative activity
-level: low
diff --git a/rules/windows/sysmon/sysmon_susp_tscon_localsystem.yml b/rules/windows/sysmon/sysmon_susp_tscon_localsystem.yml
deleted file mode 100644
index d700b9324..000000000
--- a/rules/windows/sysmon/sysmon_susp_tscon_localsystem.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-title: Suspicious TSCON Start
-status: experimental
-description: Detects a tscon.exe start as LOCAL SYSTEM
-references:
- - http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
- - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
-author: Florian Roth
-date: 2018/03/17
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- User: 'NT AUTHORITY\SYSTEM'
- Image: '*\tscon.exe'
- condition: selection
-falsepositives:
- - Unknown
-level: high
diff --git a/rules/windows/sysmon/sysmon_susp_tscon_rdp_redirect.yml b/rules/windows/sysmon/sysmon_susp_tscon_rdp_redirect.yml
deleted file mode 100644
index ec7b0788d..000000000
--- a/rules/windows/sysmon/sysmon_susp_tscon_rdp_redirect.yml
+++ /dev/null
@@ -1,33 +0,0 @@
----
-action: global
-title: Suspicious RDP Redirect Using TSCON
-status: experimental
-description: Detects a suspicious RDP session redirect using tscon.exe
-references:
- - http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
- - https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
-author: Florian Roth
-date: 2018/03/17
-modified: 2018/12/11
-detection:
- condition: selection
-falsepositives:
- - Unknown
-level: high
----
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- CommandLine: '* /dest:rdp-tcp:*'
----
-logsource:
- product: windows
- service: security
- definition: 'Requirements: Audit Policy : Detailed Tracking > Audit Process creation, Group Policy : Administrative Templates\System\Audit Process Creation'
-detection:
- selection:
- EventID: 4688
- ProcessCommandLine: '* /dest:rdp-tcp:*'
\ No newline at end of file
diff --git a/rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml b/rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml
deleted file mode 100644
index ad4a0db3c..000000000
--- a/rules/windows/sysmon/sysmon_susp_vssadmin_ntds_activity.yml
+++ /dev/null
@@ -1,34 +0,0 @@
-title: Activity Related to NTDS.dit Domain Hash Retrieval
-status: experimental
-description: Detects suspicious commands that could be related to activity that uses volume shadow copy to steal and retrieve hashes from the NTDS.dit file remotely
-author: Florian Roth, Michael Haag
-references:
- - https://www.swordshield.com/2015/07/getting-hashes-from-ntds-dit-file/
- - https://room362.com/post/2013/2013-06-10-volume-shadow-copy-ntdsdit-domain-hashes-remotely-part-1/
- - https://www.trustwave.com/Resources/SpiderLabs-Blog/Tutorial-for-NTDS-goodness-(VSSADMIN,-WMIS,-NTDS-dit,-SYSTEM)/
- - https://securingtomorrow.mcafee.com/mcafee-labs/new-teslacrypt-ransomware-arrives-via-spam/
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- CommandLine:
- # Ransomware
- - 'vssadmin.exe Delete Shadows'
- # Hacking
- - 'vssadmin create shadow /for=C:'
- - 'copy \\?\GLOBALROOT\Device\*\windows\ntds\ntds.dit'
- - 'copy \\?\GLOBALROOT\Device\*\config\SAM'
- - 'vssadmin delete shadows /for=C:'
- - 'reg SAVE HKLM\SYSTEM '
- condition: selection
-fields:
- - CommandLine
- - ParentCommandLine
-tags:
- - attack.credential_access
- - attack.t1003
-falsepositives:
- - Administrative activity
-level: high
diff --git a/rules/windows/sysmon/sysmon_susp_wmi_execution.yml b/rules/windows/sysmon/sysmon_susp_wmi_execution.yml
deleted file mode 100644
index d0fb1e5c1..000000000
--- a/rules/windows/sysmon/sysmon_susp_wmi_execution.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: Suspicious WMI execution
-status: experimental
-description: Detects WMI executing suspicious commands
-references:
- - https://digital-forensics.sans.org/blog/2010/06/04/wmic-draft/
- - https://www.hybrid-analysis.com/sample/4be06ecd234e2110bd615649fe4a6fa95403979acf889d7e45a78985eb50acf9?environmentId=1
- - https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/
-author: Michael Haag, Florian Roth
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- Image:
- - '*\wmic.exe'
- CommandLine:
- - '*/NODE:*process call create *'
- - '* path AntiVirusProduct get *'
- - '* path FirewallProduct get *'
- - '* shadowcopy delete *'
- condition: selection
-fields:
- - CommandLine
- - ParentCommandLine
-tags:
- - attack.execution
- - attack.t1047
-falsepositives:
- - Will need to be tuned
- - If using Splunk, I recommend | stats count by Computer,CommandLine following for easy hunting by Computer/CommandLine.
-level: medium
diff --git a/rules/windows/sysmon/sysmon_system_exe_anomaly.yml b/rules/windows/sysmon/sysmon_system_exe_anomaly.yml
deleted file mode 100644
index 4a568ec4f..000000000
--- a/rules/windows/sysmon/sysmon_system_exe_anomaly.yml
+++ /dev/null
@@ -1,35 +0,0 @@
-title: System File Execution Location Anomaly
-status: experimental
-description: Detects a Windows program executable started in a suspicious folder
-references:
- - https://twitter.com/GelosSnake/status/934900723426439170
-author: Florian Roth
-date: 2017/11/27
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- Image:
- - '*\svchost.exe'
- - '*\rundll32.exe'
- - '*\services.exe'
- - '*\powershell.exe'
- - '*\regsvr32.exe'
- - '*\spoolsv.exe'
- - '*\lsass.exe'
- - '*\smss.exe'
- - '*\csrss.exe'
- - '*\conhost.exe'
- filter:
- Image:
- - '*\System32\*'
- - '*\SysWow64\*'
- condition: selection and not filter
-tags:
- - attack.defense_evasion
-falsepositives:
- - Exotic software
-level: high
-
diff --git a/rules/windows/sysmon/sysmon_vul_java_remote_debugging.yml b/rules/windows/sysmon/sysmon_vul_java_remote_debugging.yml
deleted file mode 100644
index a3288802b..000000000
--- a/rules/windows/sysmon/sysmon_vul_java_remote_debugging.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-title: Java Running with Remote Debugging
-description: Detects a JAVA process running with remote debugging allowing more than just localhost to connect
-author: Florian Roth
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- CommandLine: '*transport=dt_socket,address=*'
- exclusion:
- - CommandLine: '*address=127.0.0.1*'
- - CommandLine: '*address=localhost*'
- condition: selection and not exclusion
-fields:
- - CommandLine
- - ParentCommandLine
-falsepositives:
- - unknown
-level: medium
diff --git a/rules/windows/sysmon/sysmon_webshell_detection.yml b/rules/windows/sysmon/sysmon_webshell_detection.yml
deleted file mode 100644
index be67266ec..000000000
--- a/rules/windows/sysmon/sysmon_webshell_detection.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: Webshell Detection With Command Line Keywords
-description: Detects certain command line parameters often used during reconnaissance activity via web shells
-author: Florian Roth
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- ParentImage:
- - '*\apache*'
- - '*\tomcat*'
- - '*\w3wp.exe'
- - '*\php-cgi.exe'
- - '*\nginx.exe'
- - '*\httpd.exe'
- CommandLine:
- - 'whoami'
- - 'net user'
- - 'ping -n'
- - 'systeminfo'
- condition: selection
-fields:
- - CommandLine
- - ParentCommandLine
-tags:
- - attack.privilege_escalation
- - attack.persistence
- - attack.t1100
-falsepositives:
- - unknown
-level: high
diff --git a/rules/windows/sysmon/sysmon_webshell_spawn.yml b/rules/windows/sysmon/sysmon_webshell_spawn.yml
deleted file mode 100644
index d9faf6c8a..000000000
--- a/rules/windows/sysmon/sysmon_webshell_spawn.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: Shells Spawned by Web Servers
-status: experimental
-description: Web servers that spawn shell processes could be the result of a successfully placed web shell or an other attack
-author: Thomas Patzke
-logsource:
- product: windows
- service: sysmon
-detection:
- selection:
- EventID: 1
- ParentImage:
- - '*\w3wp.exe'
- - '*\httpd.exe'
- - '*\nginx.exe'
- - '*\php-cgi.exe'
- Image:
- - '*\cmd.exe'
- - '*\sh.exe'
- - '*\bash.exe'
- - '*\powershell.exe'
- condition: selection
-fields:
- - CommandLine
- - ParentCommandLine
-tags:
- - attack.privilege_escalation
- - attack.persistence
- - attack.t1100
-falsepositives:
- - Particular web applications may spawn a shell process legitimately
-level: high
diff --git a/rules/windows/sysmon/sysmon_workflow_compiler.yml b/rules/windows/sysmon/sysmon_workflow_compiler.yml
deleted file mode 100644
index 433464ec8..000000000
--- a/rules/windows/sysmon/sysmon_workflow_compiler.yml
+++ /dev/null
@@ -1,24 +0,0 @@
-title: Microsoft Workflow Compiler
-status: experimental
-description: Detects invocation of Microsoft Workflow Compiler, which may permit the execution of arbitrary unsigned code.
-tags:
- - attack.defense_evasion
- - attack.execution
-author: Nik Seetharaman
-references:
- - https://posts.specterops.io/arbitrary-unsigned-code-execution-vector-in-microsoft-workflow-compiler-exe-3d9294bc5efb
-logsource:
- product: windows
- service: sysmon
-detection:
- # Description contains MWC even if file has been renamed.
- selection:
- EventID: 1
- Image: '*\Microsoft.Workflow.Compiler.exe'
- condition: selection
-fields:
- - CommandLine
- - ParentCommandLine
-falsepositives:
- - Legitimate MWC use (unlikely in modern enterprise environments)
-level: high