From a41a73d7218bd5acbadfac58bc1dad942baf7c1c Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 12 Jul 2022 01:27:51 +0100
Subject: [PATCH 1/5] DFIR Report - SELECT XMRig FROM SQLServer
---
 ...eation_win_cmd_redirection_susp_folder.yml | 28 +++++++++++++
 ...c_creation_win_inline_base64_mz_header.yml | 20 ++++++++++
 ...creation_win_net_user_add_never_expire.yml | 30 ++++++++++++++
 ...oc_creation_win_susp_mofcomp_execution.yml | 39 +++++++++++++++++++
 .../registry_set_special_accounts.yml | 23 +++++++++++
 5 files changed, 140 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_inline_base64_mz_header.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_net_user_add_never_expire.yml
 create mode 100644 rules/windows/process_creation/proc_creation_win_susp_mofcomp_execution.yml
 create mode 100644 rules/windows/registry/registry_set/registry_set_special_accounts.yml
diff --git a/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml b/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml
new file mode 100644
index 000000000..f3b809227
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_cmd_redirection_susp_folder.yml
@@ -0,0 +1,28 @@
+title: Suspicious CMD Shell Redirect
+id: 8e0bb260-d4b2-4fff-bb8d-3f82118e6892
+status: experimental
+description: Detects inline windows shell commands redirecting output via the ">" symbol to a suspicous location
+author: Nasreddine Bencherchali
+references:
+ - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
+date: 2022/07/12
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\cmd.exe'
+ CommandLine|contains|all:
+ # Add more suspicious locations as you find them
+ - ' > %USERPROFILE%\'
+ - ' > %APPDATA%\'
+ - ' > \Users\Public\'
+ - ' > C:\Users\Public\'
+ - ' > %TEMP%\'
+ condition: selection
+falsepositives:
+ - Legitimate admin scripts
+level: medium
+tags:
+ - attack.execution
+ - attack.t1218
diff --git a/rules/windows/process_creation/proc_creation_win_inline_base64_mz_header.yml b/rules/windows/process_creation/proc_creation_win_inline_base64_mz_header.yml
new file mode 100644
index 000000000..e40743f9b
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_inline_base64_mz_header.yml
@@ -0,0 +1,20 @@
+title: Base64 MZ Header In CommandLine
+id: 22e58743-4ac8-4a9f-bf19-00a0428d8c5f
+status: experimental
+description: Detects encoded base64 MZ header in the commandline
+author: Nasreddine Bencherchali
+references:
+ - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
+date: 2022/07/12
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains: 'TVqQAAMAAAAEAAAA' # MZ..........
+ condition: selection
+falsepositives:
+ - Unlikley
+level: high
+tags:
+ - attack.execution
diff --git a/rules/windows/process_creation/proc_creation_win_net_user_add_never_expire.yml b/rules/windows/process_creation/proc_creation_win_net_user_add_never_expire.yml
new file mode 100644
index 000000000..179e21077
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_net_user_add_never_expire.yml
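Review bot: `CommandLine|contains|all:` under `selection` requires every listed redirect target to appear in the same command line, so a single `cmd /c whoami > %TEMP%\out.txt` never matches; the entries are alternatives and the modifier should be `CommandLine|contains:` (the `all` modifier is for a conjunction of distinct tokens). While there, "suspicous" in `description` should read "suspicious". The `attack.t1218` tag (signed binary proxy execution) does not obviously describe output redirection by cmd.exe; `attack.t1059.003` (Windows Command Shell) looks closer, though that is a call for the maintainers.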
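Review bot: The single string `'TVqQAAMAAAAEAAAA'` only matches a PE whose MZ header starts on a 3-byte boundary of the encoded buffer; base64 of the same bytes shifted by one or two positions yields entirely different characters, so one or two bytes of padding in front of the executable evade the rule. That limitation belongs in the rule text, e.g. `description: Detects the base64-encoded MZ header of a PE file in a command line. Only the alignment where the header starts a base64 group is covered; shifted encodings produce different strings.`. `Unlikley` under `falsepositives` is misspelled.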
@@ -0,0 +1,30 @@
+title: Net.exe User Account Creation - Never Expire
+id: b9f0e6f5-09b4-4358-bae4-08408705bd5c
+related:
+ - id: cd219ff3-fa99-45d4-8380-a7d15116c6dc
+ type: derived
+status: test
+description: Detects creation of local users via the net.exe command with the option "never expire"
+author: Nasreddine Bencherchali
+references:
+ - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
+date: 2022/07/12
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - '\net.exe'
+ - '\net1.exe'
+ CommandLine|contains|all:
+ - 'user'
+ - 'add'
+ - 'expires:never'
+ condition: selection
+falsepositives:
+ - Unlikley
+level: high
+tags:
+ - attack.persistence
+ - attack.t1136.001
diff --git a/rules/windows/process_creation/proc_creation_win_susp_mofcomp_execution.yml b/rules/windows/process_creation/proc_creation_win_susp_mofcomp_execution.yml
new file mode 100644
index 000000000..156833940
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_mofcomp_execution.yml
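Review bot: The three tokens under `CommandLine|contains|all:` only catch `/add` and `/expires:never` passed in the same `net user` invocation; an operator who creates the account first and then runs `net user <name> /expires:never` as a separate command is not covered (the `related` rule cd219ff3… presumably handles the bare `/add`). The description should state that scope, e.g. `description: Detects creation of local users via the net.exe command with the "/expires:never" option passed in the same invocation`. `Unlikley` under `falsepositives` is misspelled, and given `level: high` it is worth admitting that provisioning scripts for service accounts legitimately combine these switches, e.g. `- Legitimate creation of service accounts by administrators`.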
@@ -0,0 +1,39 @@
+title: Suspicious Mofcomp Execution
+id: 1dd05363-104e-4b4a-b963-196a534b03a1
+status: experimental
+description: |
+ Detects execution of the "mofcomp" utility as a child of a suspicious shell or script running utility or by having a supsicious path in the commandline.
+ The "mofcomp" utility parses a file containing MOF statements and adds the classes and class instances defined in the file to the WMI repository.
+ Attackers abuse this utility to install malicious MOF scripts
+author: Nasreddine Bencherchali
+references:
+ - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
+ - https://github.com/The-DFIR-Report/Sigma-Rules/blob/75260568a7ffe61b2458ca05f6f25914efb44337/win_mofcomp_execution.yml
+ - https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp
+date: 2022/07/12
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ Image|endswith: '\mofcomp.exe'
+ selection_case:
+ - ParentImage|endswith:
+ - '\cmd.exe'
+ - '\powershell.exe'
+ - '\wsl.exe'
+ - '\wscript.exe'
+ - '\cscript.exe'
+ - CommandLine|contains:
+ - '\AppData\Local\Temp'
+ - '\Users\Public\'
+ - '\WINDOWS\Temp\'
+ - '%temp%'
+ - '%appdata%'
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.execution
+ - attack.t1218
diff --git a/rules/windows/registry/registry_set/registry_set_special_accounts.yml b/rules/windows/registry/registry_set/registry_set_special_accounts.yml
new file mode 100644
index 000000000..ad1d7f9b1
--- /dev/null
+++ b/rules/windows/registry/registry_set/registry_set_special_accounts.yml
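Review bot: The `'%temp%'` and `'%appdata%'` entries under `CommandLine|contains:` will rarely appear verbatim when mofcomp is launched by cmd.exe, since the shell expands environment variables before the child process is created; they only help for launchers that pass the literal string through, which deserves a comment beside them, e.g. `# literal %var% only survives when the parent did not expand it`. The tags stop at `attack.t1218`; if the referenced report's use of mofcomp is WMI-based persistence, `attack.persistence` and `attack.t1546.003` are the candidates, but that needs confirming against the report. "supsicious" in the first `description` line should read "suspicious".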
@@ -0,0 +1,23 @@
+title: Hide User Account Via Special Accounts Reg Key
+id: f8aebc67-a56d-4ec9-9fbe-7b0e8b7b4efd
+description: Detects when an attacker set the registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist" to "0" in order to hide user account.
+author: Nasreddine Bencherchali
+date: 2022/07/12
+status: experimental
+references:
+ - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ selection:
+ EventType: SetValue
+ TargetObject|contains: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
+ Details: DWORD (0x00000000)
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1564.002
From aeecd0530d8b030359915208330e8b837f6cb4fa Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 12 Jul 2022 14:56:22 +0100
Subject: [PATCH 2/5] xp_cmdshell rules
---
 .../win_mssql_xp_cmdshell_audit_log.yml | 24 +++++++++++++
 .../win_mssql_xp_cmdshell_change.yml | 21 ++++++++++++++
 2 files changed, 45 insertions(+)
 create mode 100644 rules/windows/builtin/application/win_mssql_xp_cmdshell_audit_log.yml
 create mode 100644 rules/windows/builtin/application/win_mssql_xp_cmdshell_change.yml
diff --git a/rules/windows/builtin/application/win_mssql_xp_cmdshell_audit_log.yml b/rules/windows/builtin/application/win_mssql_xp_cmdshell_audit_log.yml
new file mode 100644
index 000000000..a8445d443
--- /dev/null
+++ b/rules/windows/builtin/application/win_mssql_xp_cmdshell_audit_log.yml
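Review bot: `Details: DWORD (0x00000000)` is the Sysmon rendering of the written value, and the `description` does not say what is actually matched, so anyone porting the rule to other registry telemetry has to reverse it from the selection; something like `description: Detects a DWORD value of 0 being written for an account name under "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList", which hides that account from the logon screen` would also fix the grammar of the current sentence. `falsepositives: - Unknown` undersells it: administrators hide service or kiosk accounts the same way, so `- Legitimate hiding of service or kiosk accounts by administrators` belongs there, and `level: high` may be better as `medium` once that is acknowledged.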
@@ -0,0 +1,24 @@
+title: MSSQL XPCmdshell Suspicious Execution
+id: 7f103213-a04e-4d59-8261-213dddf22314
+status: experimental
+description: Detects when the MSSQL "xp_cmdshell" stored procedure is used to execute commands
+author: Nasreddine Bencherchali
+date: 2022/07/12
+logsource:
+ product: windows
+ service: application
+ definition: MSSQL audit policy to monitor for 'xp_cmdshell' must be enabled in order to recieve this event in the application log (Follow this tutorial https://dba.stackexchange.com/questions/103183/is-there-any-way-to-monitor-execution-of-xp-cmdshell-in-sql-server-2012)
+detection:
+ selection:
+ Provider_Name: 'MSSQLSERVER'
+ EventID: 33205
+ Data|contains|all:
+ # You can modify this to include specific commands
+ - 'object_name:xp_cmdshell'
+ - 'statement:EXEC'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
+tags:
+ - attack.execution
diff --git a/rules/windows/builtin/application/win_mssql_xp_cmdshell_change.yml b/rules/windows/builtin/application/win_mssql_xp_cmdshell_change.yml
new file mode 100644
index 000000000..7b6b524b6
--- /dev/null
+++ b/rules/windows/builtin/application/win_mssql_xp_cmdshell_change.yml
@@ -0,0 +1,21 @@
+title: MSSQL XPCmdshell Option Change
+id: d08dd86f-681e-4a00-a92c-1db218754417
+status: experimental
+description: Detects when the MSSQL "xp_cmdshell" stored procedure setting is changed
+author: Nasreddine Bencherchali
+date: 2022/07/12
+logsource:
+ product: windows
+ service: application
+detection:
+ selection:
+ Provider_Name: 'MSSQLSERVER'
+ EventID: 15457
+ Data|contains: 'xp_cmdshell'
+ condition: selection
+falsepositives:
+ - Legitimate enable/disable of the setting
+ - Note that since the event contain the change for both values. This means that this will trigger on both enable and disable
+level: high
+tags:
+ - attack.execution
From ac76e31f95e740514b0ba5d1089839cb5b7a764d Mon Sep 17 00:00:00 2001
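Review bot: `Provider_Name: 'MSSQLSERVER'` only matches the default instance; a named instance writes its Application-log events under a provider named `MSSQL$<INSTANCE>`, so `Provider_Name|startswith: 'MSSQL'` is needed to cover them. Requiring `'statement:EXEC'` also misses `xp_cmdshell` invoked without the EXEC keyword (a procedure call can be the first statement of a batch) and depends on how the backend handles case, so `'object_name:xp_cmdshell'` alone is the safer default with the EXEC token left as the tuning hint the comment already suggests. "recieve" in `definition` should read "receive".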
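Review bot: `Data|contains: 'xp_cmdshell'` fires on both enabling and disabling, as the second `falsepositives` bullet admits; that bullet is an explanation of the rule rather than a false positive and belongs in `description`. If the 15457 message on the monitored servers has the usual form "Configuration option 'xp_cmdshell' changed from 0 to 1", then `Data|contains|all:` with `- 'xp_cmdshell'` and `- 'changed from 0 to 1'` restricts the rule to the enable case, which is the one that justifies `level: high`; verify the exact wording against a captured event before relying on it. As in the sibling rule, `Provider_Name: 'MSSQLSERVER'` excludes named instances, which log under `MSSQL$<INSTANCE>`.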
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 12 Jul 2022 16:23:42 +0100
Subject: [PATCH 3/5] Add missing references
---
 .../builtin/application/win_mssql_xp_cmdshell_audit_log.yml | 3 +++
 .../builtin/application/win_mssql_xp_cmdshell_change.yml | 3 +++
 2 files changed, 6 insertions(+)
diff --git a/rules/windows/builtin/application/win_mssql_xp_cmdshell_audit_log.yml b/rules/windows/builtin/application/win_mssql_xp_cmdshell_audit_log.yml
index a8445d443..278f23f9f 100644
--- a/rules/windows/builtin/application/win_mssql_xp_cmdshell_audit_log.yml
+++ b/rules/windows/builtin/application/win_mssql_xp_cmdshell_audit_log.yml
@@ -3,6 +3,9 @@ id: 7f103213-a04e-4d59-8261-213dddf22314
 status: experimental
 description: Detects when the MSSQL "xp_cmdshell" stored procedure is used to execute commands
 author: Nasreddine Bencherchali
+references:
+ - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
+ - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
 date: 2022/07/12
 logsource:
 product: windows
diff --git a/rules/windows/builtin/application/win_mssql_xp_cmdshell_change.yml b/rules/windows/builtin/application/win_mssql_xp_cmdshell_change.yml
index 7b6b524b6..7632844ad 100644
--- a/rules/windows/builtin/application/win_mssql_xp_cmdshell_change.yml
+++ b/rules/windows/builtin/application/win_mssql_xp_cmdshell_change.yml
@@ -3,6 +3,9 @@ id: d08dd86f-681e-4a00-a92c-1db218754417
 status: experimental
 description: Detects when the MSSQL "xp_cmdshell" stored procedure setting is changed
 author: Nasreddine Bencherchali
+references:
+ - https://www.netspi.com/blog/technical/network-penetration-testing/sql-server-persistence-part-1-startup-stored-procedures/
+ - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
 date: 2022/07/12
 logsource:
 product: windows
From 739a54289e805317377d3af473366b823c2f0e69 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 12 Jul 2022 17:33:04 +0200
Subject: [PATCH 4/5] Update proc_creation_win_inline_base64_mz_header.yml
---
 .../proc_creation_win_inline_base64_mz_header.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_inline_base64_mz_header.yml b/rules/windows/process_creation/proc_creation_win_inline_base64_mz_header.yml
index e40743f9b..6b6c85713 100644
--- a/rules/windows/process_creation/proc_creation_win_inline_base64_mz_header.yml
+++ b/rules/windows/process_creation/proc_creation_win_inline_base64_mz_header.yml
@@ -11,7 +11,12 @@ logsource:
 product: windows
 detection:
 selection:
- CommandLine|contains: 'TVqQAAMAAAAEAAAA' # MZ..........
+ CommandLine|contains:
+ - 'TVqQAAMAAAAEAAAA' # MZ..........
+ - 'TVpQAAIAAAAEAA8A'
+ - 'TVqAAAEAAAAEABAA'
+ - 'TVoAAAAAAAAAAAAA'
+ - 'TVpTAQEAAAAEAAAA'
 condition: selection
 falsepositives:
 - Unlikley
From 3838c4dc223808991a054e34e01056a46da6c4e8 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 12 Jul 2022 16:38:48 +0100
Subject: [PATCH 5/5] Add "warning" section
---
 .../builtin/application/win_mssql_xp_cmdshell_audit_log.yml | 1 +
 .../windows/builtin/application/win_mssql_xp_cmdshell_change.yml | 1 +
 2 files changed, 2 insertions(+)
diff --git a/rules/windows/builtin/application/win_mssql_xp_cmdshell_audit_log.yml b/rules/windows/builtin/application/win_mssql_xp_cmdshell_audit_log.yml
index 278f23f9f..0dbf7b505 100644
--- a/rules/windows/builtin/application/win_mssql_xp_cmdshell_audit_log.yml
+++ b/rules/windows/builtin/application/win_mssql_xp_cmdshell_audit_log.yml
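Review bot: The four strings added below `'TVqQAAMAAAAEAAAA'` carry no comment, unlike the first entry, so a reader cannot tell which DOS-header variants they decode to or why these particular ones were chosen; each deserves the same treatment, e.g. `- 'TVoAAAAAAAAAAAAA' # MZ followed by a zeroed header`. All five remain encodings where the MZ header starts a base64 group, so a PE blob preceded by one or two bytes of padding still encodes to different characters and escapes the list; that caveat belongs in `description`, which this hunk leaves untouched. The `falsepositives` context line still reads `Unlikley`.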
@@ -11,6 +11,7 @@ logsource:
 product: windows
 service: application
 definition: MSSQL audit policy to monitor for 'xp_cmdshell' must be enabled in order to recieve this event in the application log (Follow this tutorial https://dba.stackexchange.com/questions/103183/is-there-any-way-to-monitor-execution-of-xp-cmdshell-in-sql-server-2012)
+ warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
 detection:
 selection:
 Provider_Name: 'MSSQLSERVER'
diff --git a/rules/windows/builtin/application/win_mssql_xp_cmdshell_change.yml b/rules/windows/builtin/application/win_mssql_xp_cmdshell_change.yml
index 7632844ad..e7eacf150 100644
--- a/rules/windows/builtin/application/win_mssql_xp_cmdshell_change.yml
+++ b/rules/windows/builtin/application/win_mssql_xp_cmdshell_change.yml
@@ -10,6 +10,7 @@ date: 2022/07/12
 logsource:
 product: windows
 service: application
+ warning: The 'data' field used in the detection section is the container for the event data as a whole. You may have to adapt the rule for your backend accordingly
 detection:
 selection:
 Provider_Name: 'MSSQLSERVER'
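Review bot: `warning:` is not a key the Sigma `logsource` section defines as far as I know; `definition` is the free-text slot for backend notes, so strict rule validators may reject the added line. The safer form is to append the sentence to the existing `definition` (e.g. `... -2012). The 'Data' field used in the detection section is the container for the event data as a whole; adapt the field name to your backend.`), which also fixes the casing mismatch between `'data'` in the note and the `Data` field the selection actually uses.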
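Review bot: Same concern as the sibling file: `warning:` is not a specified `logsource` key, and this rule has no `definition` line to absorb the note. Replace the added line with `definition: The 'Data' field used in the detection section is the container for the event data as a whole; adapt the field name to your backend.` so the guidance survives validation and matches the `Data` field used below.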