From 9a2ee48ef839c40f3e413f69fdb17ed093364ca9 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 18 Apr 2023 18:08:08 +0200
Subject: [PATCH] feat: update multiple rules
---
 .../net_connection_win_binary_github_com.yml | 4 +-
 .../net_connection_win_binary_susp_com.yml | 55 +++--
 ...ion_win_certutil_initiated_connection.yml} | 12 +-
 .../net_connection_win_crypto_mining.yml | 43 ----
 ...net_connection_win_crypto_mining_pools.yml | 219 ++++++++++++++++++
 ..._rdp_outbound_over_non_standard_tools.yml} | 74 +++---
 ...c_creation_win_mstsc_remote_connection.yml | 5 +-
 ..._rundll32_executable_invalid_extension.yml | 2 +-
 8 files changed, 308 insertions(+), 106 deletions(-)
 rename {rules/windows/network_connection => rules-deprecated/windows}/net_connection_win_binary_github_com.yml (96%)
 mode change 100755 => 100644
 rename rules/windows/network_connection/{net_connection_win_certutil.yml => net_connection_win_certutil_initiated_connection.yml} (67%)
 delete mode 100644 rules/windows/network_connection/net_connection_win_crypto_mining.yml
 create mode 100644 rules/windows/network_connection/net_connection_win_crypto_mining_pools.yml
 rename rules/windows/network_connection/{net_connection_win_susp_rdp.yml => net_connection_win_rdp_outbound_over_non_standard_tools.yml} (52%)
 mode change 100755 => 100644
diff --git a/rules/windows/network_connection/net_connection_win_binary_github_com.yml b/rules-deprecated/windows/net_connection_win_binary_github_com.yml
old mode 100755
new mode 100644
similarity index 96%
rename from rules/windows/network_connection/net_connection_win_binary_github_com.yml
rename to rules-deprecated/windows/net_connection_win_binary_github_com.yml
index a5da3843e..cb8c86031
--- a/rules/windows/network_connection/net_connection_win_binary_github_com.yml
+++ b/rules-deprecated/windows/net_connection_win_binary_github_com.yml
@@ -1,6 +1,6 @@
 title: Microsoft Binary Github Communication
 id: 635dbb88-67b3-4b41-9ea5-a3af2dd88153
-status: test
+status: deprecated
 description: Detects an executable in the Windows folder accessing github.com
 references:
 - https://twitter.com/M_haggis/status/900741347035889665
@@ -8,7 +8,7 @@ references:
 - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1
 author: Michael Haag (idea), Florian Roth (Nextron Systems)
 date: 2017/08/24
-modified: 2021/11/27
+modified: 2023/04/18
 tags:
 - attack.lateral_movement
 - attack.t1105
diff --git a/rules/windows/network_connection/net_connection_win_binary_susp_com.yml b/rules/windows/network_connection/net_connection_win_binary_susp_com.yml
index 7d2049433..e1f932b0b 100755
--- a/rules/windows/network_connection/net_connection_win_binary_susp_com.yml
+++ b/rules/windows/network_connection/net_connection_win_binary_susp_com.yml
@@ -1,5 +1,8 @@
 title: Microsoft Binary Suspicious Communication Endpoint
 id: e0f8ab85-0ac9-423b-a73a-81b3c7b1aa97
+related:
+ - id: 635dbb88-67b3-4b41-9ea5-a3af2dd88153
+ type: obsoletes
 status: test
 description: Detects an executable in the Windows folder accessing suspicious domains
 references:
@@ -7,9 +10,12 @@ references:
 - https://twitter.com/M_haggis/status/1032799638213066752
 - https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-hive-conti-avoslocker
 - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
-author: Florian Roth (Nextron Systems)
+ - https://twitter.com/M_haggis/status/900741347035889665
+ - https://twitter.com/M_haggis/status/1032799638213066752
+ - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/exfil/Invoke-ExfilDataToGitHub.ps1
+author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2018/08/30
-modified: 2023/01/19
+modified: 2023/04/18
 tags:
 - attack.lateral_movement
 - attack.t1105
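Review bot: The `references` list now carries `https://twitter.com/M_haggis/status/1032799638213066752` twice — it is already the first context line of this hunk and is added again three lines further down. Drop the second copy; the Empire and 900741347035889665 entries inherited from the obsoleted github rule are fine as long as they are not also present on the reference line just above the hunk, which is outside this view. The `author` and `modified` updates look correct.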
@@ -17,33 +23,38 @@ logsource:
 category: network_connection
 product: windows
 detection:
- selection:
+ selection_paths:
+ - Image|startswith:
+ - 'C:\PerfLogs'
+ - 'C:\Temp\'
+ - 'C:\Users\Public\'
+ - 'C:\Windows\'
+ - Image|contains: '\AppData\Temp\'
+ selection_domains:
 Initiated: 'true'
 DestinationHostname|endswith:
- - 'dl.dropboxusercontent.com'
+ - '.ghostbin.co/'
+ - '.githubusercontent.com' # Includes both gists and github repositories / Michael Haag (idea)
+ - '.hastebin.com/raw/'
+ - '.paste.ee'
 - '.pastebin.com'
- - '.githubusercontent.com' # includes both gists and github repositories
+ - 'anonfiles.com'
 - 'cdn.discordapp.com/attachments/'
+ - 'ddns.net'
+ - 'dl.dropboxusercontent.com'
 - 'mediafire.com'
 - 'mega.nz'
- - 'ddns.net'
- - '.paste.ee'
- - '.hastebin.com/raw/'
- - '.ghostbin.co/'
- - 'ufile.io'
- - 'anonfiles.com'
- - 'send.exploit.in'
- - 'transfer.sh'
- - 'privatlab.net'
- - 'privatlab.com'
- - 'sendspace.com'
- - 'pastetext.net'
- - 'pastebin.pl'
 - 'paste.ee'
- Image|startswith:
- - 'C:\Windows\'
- - 'C:\Users\Public\'
- condition: selection
+ - 'pastebin.pl'
+ - 'pastetext.net'
+ - 'privatlab.com'
+ - 'privatlab.net'
+ - 'send.exploit.in'
+ - 'sendspace.com'
+ - 'transfer.sh'
+ - 'ufile.io'
+ condition: all of selection_*
 falsepositives:
 - Unknown
+ - '@subTee in your network'
 level: high
diff --git a/rules/windows/network_connection/net_connection_win_certutil.yml b/rules/windows/network_connection/net_connection_win_certutil_initiated_connection.yml
similarity index 67%
rename from rules/windows/network_connection/net_connection_win_certutil.yml
rename to rules/windows/network_connection/net_connection_win_certutil_initiated_connection.yml
index ac97ef262..465f43edf 100644
--- a/rules/windows/network_connection/net_connection_win_certutil.yml
+++ b/rules/windows/network_connection/net_connection_win_certutil_initiated_connection.yml
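Review bot: `Image|contains: '\AppData\Temp\'` in the new `selection_paths` will almost never fire — the per-user temp directory sits under `\AppData\Local\Temp\`, and `\AppData\Temp\` is not a standard Windows path, so the line presumably should read `- Image|contains: '\AppData\Local\Temp\'` (confirm against real telemetry before changing). Several `DestinationHostname|endswith` values end in a path fragment (`'.ghostbin.co/'`, `'.hastebin.com/raw/'`, `'cdn.discordapp.com/attachments/'`); a hostname field never ends with `/`, so those entries are dead and should be cut back to the bare domain. `'C:\PerfLogs'` is the only prefix without a trailing backslash and therefore also matches `C:\PerfLogsAnything\`. The `description` still says "an executable in the Windows folder" although the selection now also covers `C:\Temp`, `C:\PerfLogs`, `C:\Users\Public` and per-user temp paths — reword it so it matches what the rule actually selects.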
@@ -1,10 +1,12 @@
-title: Certutil Initiated Connection
+title: Connection Initiated Via Certutil.EXE
 id: 0dba975d-a193-4ed1-a067-424df57570d1
 status: experimental
-description: Detects a network connection intitiated by the certutil.exe tool. Attackers can abuse `certutil.exe` to download malware or offensive security tools.
+description: |
+ Detects a network connection initiated by the certutil.exe tool.
+ Attackers can abuse the utility in order to download malware or additional payloads.
 references:
 - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/certutil
-author: frack113, Florian Roth
+author: frack113, Florian Roth (Nextron Systems)
 date: 2022/09/02
 modified: 2022/10/04
 tags:
@@ -19,10 +21,10 @@ detection:
 Initiated: 'true'
 DestinationPort:
 - 80
- - 443
 - 135
+ - 443
 - 445
 condition: selection
 falsepositives:
- - Legitimate certutil network connection
+ - Unknown
 level: high
diff --git a/rules/windows/network_connection/net_connection_win_crypto_mining.yml b/rules/windows/network_connection/net_connection_win_crypto_mining.yml
deleted file mode 100644
index 3b6617e47..000000000
--- a/rules/windows/network_connection/net_connection_win_crypto_mining.yml
+++ /dev/null
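Review bot: `modified: 2022/10/04` survives as a context line even though the title, description, author and falsepositives of this rule all change here; every other rule in the patch bumps the date, so this one should read `modified: 2023/04/18` too. Replacing "Legitimate certutil network connection" with "Unknown" also discards a real false-positive class — certutil can legitimately fetch CRLs and AIA certificates over HTTP (port 80) during certificate validation — so I would keep an entry such as `- Legitimate certutil.exe CRL/AIA retrieval over HTTP` instead of "Unknown". The selection's `Image` key lies above the second hunk, so whether the rule is pinned to `\certutil.exe` is not visible in this view.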
@@ -1,43 +0,0 @@
-title: Windows Crypto Mining Pool Connections
-id: fa5b1358-b040-4403-9868-15f7d9ab6329
-status: stable
-description: Detects process connections to a Monero crypto mining pool
-references:
- - https://www.poolwatch.io/coin/monero
-author: Florian Roth (Nextron Systems)
-date: 2021/10/26
-tags:
- - attack.impact
- - attack.t1496
-logsource:
- category: network_connection
- product: windows
-detection:
- selection:
- DestinationHostname:
- - 'pool.minexmr.com'
- - 'fr.minexmr.com'
- - 'de.minexmr.com'
- - 'sg.minexmr.com'
- - 'ca.minexmr.com'
- - 'us-west.minexmr.com'
- - 'pool.supportxmr.com'
- - 'mine.c3pool.com'
- - 'xmr-eu1.nanopool.org'
- - 'xmr-eu2.nanopool.org'
- - 'xmr-us-east1.nanopool.org'
- - 'xmr-us-west1.nanopool.org'
- - 'xmr-asia1.nanopool.org'
- - 'xmr-jp1.nanopool.org'
- - 'xmr-au1.nanopool.org'
- - 'xmr.2miners.com'
- - 'xmr.hashcity.org'
- - 'xmr.f2pool.com'
- - 'xmrpool.eu'
- - 'pool.hashvault.pro'
- - 'moneroocean.stream'
- - 'monerocean.stream'
- condition: selection
-falsepositives:
- - Legitimate use of crypto miners
-level: high
diff --git a/rules/windows/network_connection/net_connection_win_crypto_mining_pools.yml b/rules/windows/network_connection/net_connection_win_crypto_mining_pools.yml
new file mode 100644
index 000000000..d3ee272f5
--- /dev/null
+++ b/rules/windows/network_connection/net_connection_win_crypto_mining_pools.yml
@@ -0,0 +1,219 @@
+title: Network Communication With Crypto Mining Pool
+id: fa5b1358-b040-4403-9868-15f7d9ab6329
+status: stable
+description: Detects initiated network connections to crypto mining pools
+references:
+ - https://www.poolwatch.io/coin/monero
+ - https://github.com/stamparm/maltrail/blob/3ea70459b9559134449423c0a7d8b965ac5c40ea/trails/static/suspicious/crypto_mining.txt
+author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+date: 2021/10/26
+modified: 2023/04/18
+tags:
+ - attack.impact
+ - attack.t1496
+logsource:
+ category: network_connection
+ product: windows
+detection:
+ selection:
+ DestinationHostname:
+ - 'alimabi.cn'
+ - 'ap.luckpool.net'
+ - 'bcn.pool.minergate.com'
+ - 'bcn.vip.pool.minergate.com'
+ - 'bohemianpool.com'
+ - 'ca.minexmr.com'
+ - 'ca.monero.herominers.com'
+ - 'cbd.monerpool.org'
+ - 'cbdv2.monerpool.org'
+ - 'cryptmonero.com'
+ - 'crypto-pool.fr'
+ - 'crypto-pool.info'
+ - 'cryptonight-hub.miningpoolhub.com'
+ - 'd1pool.ddns.net'
+ - 'd5pool.us'
+ - 'daili01.monerpool.org'
+ - 'de.minexmr.com'
+ - 'dl.nbminer.com'
+ - 'donate.graef.in'
+ - 'donate.ssl.xmrig.com'
+ - 'donate.v2.xmrig.com'
+ - 'donate.xmrig.com'
+ - 'donate2.graef.in'
+ - 'drill.moneroworld.com'
+ - 'dwarfpool.com'
+ - 'emercoin.com'
+ - 'emercoin.net'
+ - 'emergate.net'
+ - 'ethereumpool.co'
+ - 'eu.luckpool.net'
+ - 'eu.minerpool.pw'
+ - 'fcn-xmr.pool.minergate.com'
+ - 'fee.xmrig.com'
+ - 'fr.minexmr.com'
+ - 'hellominer.com'
+ - 'herominers.com'
+ - 'huadong1-aeon.ppxxmr.com'
+ - 'iwanttoearn.money'
+ - 'jw-js1.ppxxmr.com'
+ - 'koto-pool.work'
+ - 'lhr.nbminer.com'
+ - 'lhr3.nbminer.com'
+ - 'linux.monerpool.org'
+ - 'lokiturtle.herominers.com'
+ - 'luckpool.net'
+ - 'masari.miner.rocks'
+ - 'mine.c3pool.com'
+ - 'mine.moneropool.com'
+ - 'mine.ppxxmr.com'
+ - 'mine.zpool.ca'
+ - 'mine1.ppxxmr.com'
+ - 'minemonero.gq'
+ - 'miner.ppxxmr.com'
+ - 'miner.rocks'
+ - 'minercircle.com'
+ - 'minergate.com'
+ - 'minerpool.pw'
+ - 'minerrocks.com'
+ - 'miners.pro'
+ - 'minerxmr.ru'
+ - 'minexmr.cn'
+ - 'minexmr.com'
+ - 'mining-help.ru'
+ - 'miningpoolhub.com'
+ - 'mixpools.org'
+ - 'moner.monerpool.org'
+ - 'moner1min.monerpool.org'
+ - 'monero-master.crypto-pool.fr'
+ - 'monero.crypto-pool.fr'
+ - 'monero.hashvault.pro'
+ - 'monero.herominers.com'
+ - 'monero.lindon-pool.win'
+ - 'monero.miners.pro'
+ - 'monero.riefly.id'
+ - 'monero.us.to'
+ - 'monerocean.stream'
+ - 'monerogb.com'
+ - 'monerohash.com'
+ - 'moneroocean.stream'
+ - 'moneropool.com'
+ - 'moneropool.nl'
+ - 'monerorx.com'
+ - 'monerpool.org'
+ - 'moriaxmr.com'
+ - 'mro.pool.minergate.com'
+ - 'multipool.us'
+ - 'myxmr.pw'
+ - 'na.luckpool.net'
+ - 'nanopool.org'
+ - 'nbminer.com'
+ - 'node3.luckpool.net'
+ - 'noobxmr.com'
+ - 'pangolinminer.comgandalph3000.com'
+ - 'pool.4i7i.com'
+ - 'pool.armornetwork.org'
+ - 'pool.cortins.tk'
+ - 'pool.gntl.co.uk'
+ - 'pool.hashvault.pro'
+ - 'pool.minergate.com'
+ - 'pool.minexmr.com'
+ - 'pool.monero.hashvault.pro'
+ - 'pool.ppxxmr.com'
+ - 'pool.somec.cc'
+ - 'pool.support'
+ - 'pool.supportxmr.com'
+ - 'pool.usa-138.com'
+ - 'pool.xmr.pt'
+ - 'pool.xmrfast.com'
+ - 'pool2.armornetwork.org'
+ - 'poolchange.ppxxmr.com'
+ - 'pooldd.com'
+ - 'poolmining.org'
+ - 'poolto.be'
+ - 'ppxvip1.ppxxmr.com'
+ - 'ppxxmr.com'
+ - 'prohash.net'
+ - 'r.twotouchauthentication.online'
+ - 'randomx.xmrig.com'
+ - 'ratchetmining.com'
+ - 'seed.emercoin.com'
+ - 'seed.emercoin.net'
+ - 'seed.emergate.net'
+ - 'seed1.joulecoin.org'
+ - 'seed2.joulecoin.org'
+ - 'seed3.joulecoin.org'
+ - 'seed4.joulecoin.org'
+ - 'seed5.joulecoin.org'
+ - 'seed6.joulecoin.org'
+ - 'seed7.joulecoin.org'
+ - 'seed8.joulecoin.org'
+ - 'sg.minexmr.com'
+ - 'sheepman.mine.bz'
+ - 'siamining.com'
+ - 'sumokoin.minerrocks.com'
+ - 'supportxmr.com'
+ - 'suprnova.cc'
+ - 'teracycle.net'
+ - 'trtl.cnpool.cc'
+ - 'trtl.pool.mine2gether.com'
+ - 'turtle.miner.rocks'
+ - 'us-west.minexmr.com'
+ - 'usxmrpool.com'
+ - 'viaxmr.com'
+ - 'webservicepag.webhop.net'
+ - 'xiazai.monerpool.org'
+ - 'xiazai1.monerpool.org'
+ - 'xmc.pool.minergate.com'
+ - 'xmo.pool.minergate.com'
+ - 'xmr-asia1.nanopool.org'
+ - 'xmr-au1.nanopool.org'
+ - 'xmr-eu1.nanopool.org'
+ - 'xmr-eu2.nanopool.org'
+ - 'xmr-jp1.nanopool.org'
+ - 'xmr-us-east1.nanopool.org'
+ - 'xmr-us-west1.nanopool.org'
+ - 'xmr-us.suprnova.cc'
+ - 'xmr-usa.dwarfpool.com'
+ - 'xmr.2miners.com'
+ - 'xmr.5b6b7b.ru'
+ - 'xmr.alimabi.cn'
+ - 'xmr.bohemianpool.com'
+ - 'xmr.crypto-pool.fr'
+ - 'xmr.crypto-pool.info'
+ - 'xmr.f2pool.com'
+ - 'xmr.hashcity.org'
+ - 'xmr.hex7e4.ru'
+ - 'xmr.ip28.net'
+ - 'xmr.monerpool.org'
+ - 'xmr.mypool.online'
+ - 'xmr.nanopool.org'
+ - 'xmr.pool.gntl.co.uk'
+ - 'xmr.pool.minergate.com'
+ - 'xmr.poolto.be'
+ - 'xmr.ppxxmr.com'
+ - 'xmr.prohash.net'
+ - 'xmr.simka.pw'
+ - 'xmr.somec.cc'
+ - 'xmr.suprnova.cc'
+ - 'xmr.usa-138.com'
+ - 'xmr.vip.pool.minergate.com'
+ - 'xmr1min.monerpool.org'
+ - 'xmrf.520fjh.org'
+ - 'xmrf.fjhan.club'
+ - 'xmrfast.com'
+ - 'xmrigcc.graef.in'
+ - 'xmrminer.cc'
+ - 'xmrpool.de'
+ - 'xmrpool.eu'
+ - 'xmrpool.me'
+ - 'xmrpool.net'
+ - 'xmrpool.xyz'
+ - 'xx11m.monerpool.org'
+ - 'xx11mv2.monerpool.org'
+ - 'xxx.hex7e4.ru'
+ - 'zarabotaibitok.ru'
+ - 'zer0day.ru'
+ condition: selection
+falsepositives:
+ - Unlikely
+level: high
diff --git a/rules/windows/network_connection/net_connection_win_susp_rdp.yml b/rules/windows/network_connection/net_connection_win_rdp_outbound_over_non_standard_tools.yml
old mode 100755
new mode 100644
similarity index 52%
rename from rules/windows/network_connection/net_connection_win_susp_rdp.yml
rename to rules/windows/network_connection/net_connection_win_rdp_outbound_over_non_standard_tools.yml
index efd9f3e77..a547323a2
--- a/rules/windows/network_connection/net_connection_win_susp_rdp.yml
+++ b/rules/windows/network_connection/net_connection_win_rdp_outbound_over_non_standard_tools.yml
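Review bot: `'pangolinminer.comgandalph3000.com'` looks like two hostnames (`pangolinminer.com` and `gandalph3000.com`) fused while copying from the maltrail list; as an exact `DestinationHostname` value it can never match, so split it into two entries. The description says "Detects initiated network connections" but the selection carries no `Initiated: 'true'` — add it beside `DestinationHostname:` so inbound events are not flagged, or reword the description to match. The list also mixes pool hostnames with seed nodes (`seed1..seed8.joulecoin.org`, `emercoin.com`) and a miner download host (`dl.nbminer.com`), so "Unlikely" under `falsepositives` is optimistic. Keeping `status: stable` while the list grows from 22 to 196 entries pulled from a third-party feed is likewise questionable; `test` would be more honest until the new entries have been exercised.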
@@ -1,4 +1,4 @@
-title: Suspicious Outbound RDP Connections
+title: Outbound RDP Connections Over Non-Standard Tools
 id: ed74fe75-7594-4b4b-ae38-e38e3fd2eb23
 status: test
 description: Detects Non-Standard Tools Connecting to TCP port 3389 indicating possible lateral movement
@@ -6,7 +6,7 @@ references:
 - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708
 author: Markus Neis
 date: 2019/05/15
-modified: 2023/03/21
+modified: 2023/04/18
 tags:
 - attack.lateral_movement
 - attack.t1021.001
@@ -18,40 +18,54 @@ detection:
 selection:
 DestinationPort: 3389
 Initiated: 'true'
- filter_generic:
- - Image|endswith:
- - '\mstsc.exe'
- - '\RTSApp.exe'
- - '\RTS2App.exe'
- - '\RDCMan.exe'
- - '\ws_TunnelService.exe'
- - '\RSSensor.exe'
- - '\RemoteDesktopManagerFree.exe'
+ filter_main_mstsc:
+ Image:
+ - 'C:\Windows\System32\mstsc.exe'
+ - 'C:\Windows\SysWOW64\mstsc.exe'
+ filter_optional_dns:
+ # https://github.com/SigmaHQ/sigma/pull/2249
+ Image: 'C:\Windows\System32\dns.exe'
+ SourcePort: 53
+ Protocol: 'udp'
+ filter_optional_avast:
+ Image|endswith:
+ - '\Avast Software\Avast\AvastSvc.exe'
+ - '\Avast\AvastSvc.exe'
+ filter_optional_sysinternals_rdcman:
+ Image|endswith: '\RDCMan.exe'
+ filter_optional_chrome:
+ Image: 'C:\Program Files\Google\Chrome\Application\chrome.exe'
+ filter_optional_third_party:
+ - '\FSAssessment.exe'
+ - '\FSDiscovery.exe'
+ - '\MobaRTE.exe'
+ - '\mRemote.exe'
+ - '\mRemoteNG.exe'
+ - '\Passwordstate.exe'
 - '\RemoteDesktopManager.exe'
 - '\RemoteDesktopManager64.exe'
- - '\mRemoteNG.exe'
- - '\mRemote.exe'
- - '\Terminals.exe'
+ - '\RemoteDesktopManagerFree.exe'
+ - '\RSSensor.exe'
+ - '\RTS2App.exe'
+ - '\RTSApp.exe'
 - '\spiceworks-finder.exe'
- - '\FSDiscovery.exe'
- - '\FSAssessment.exe'
- - '\MobaRTE.exe'
- - '\chrome.exe'
- - '\System32\dns.exe'
+ - '\Terminals.exe'
+ - '\ws_TunnelService.exe'
+ filter_optional_thor:
+ Image|endswith:
 - '\thor.exe'
 - '\thor64.exe'
- - '\Passwordstate.exe'
- - '\Avast Software\Avast\AvastSvc.exe'
- - '\Ranger\SentinelRanger.exe' # sentinel one
- - '\Avast\AvastSvc.exe'
- - Image|startswith: 'C:\Program Files\SplunkUniversalForwarder\bin\'
- - Image: 'C:\Program Files\Mozilla Firefox\firefox.exe'
- filter_null:
+ filter_optional_splunk:
+ Image|startswith: 'C:\Program Files\SplunkUniversalForwarder\bin\'
+ filter_optional_sentinel_one:
+ Image|endswith: '\Ranger\SentinelRanger.exe'
+ filter_optional_firefox:
+ Image: 'C:\Program Files\Mozilla Firefox\firefox.exe'
+ filter_optional_null:
 Image: null
- filter_empty:
+ filter_optional_empty:
 Image: ''
- condition: selection and not 1 of filter_*
+ condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
 falsepositives:
- - Other Remote Desktop RDP tools
- - Domain controller using dns.exe
+ - Third party RDP tools
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_mstsc_remote_connection.yml b/rules/windows/process_creation/proc_creation_win_mstsc_remote_connection.yml
index 5d8db0247..96dfaa215 100644
--- a/rules/windows/process_creation/proc_creation_win_mstsc_remote_connection.yml
+++ b/rules/windows/process_creation/proc_creation_win_mstsc_remote_connection.yml
@@ -22,12 +22,11 @@ detection:
 - OriginalFileName: 'mstsc.exe'
 selection_cli:
 CommandLine|contains: ' /v:'
- filter_wsl:
+ filter_optional_wsl:
 # Example: mstsc.exe /v:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX /hvsocketserviceid:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX /silent /wslg /plugin:WSLDVC /wslgsharedmemorypath:WSL\XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX\wslg C:\ProgramData\Microsoft\WSL\wslg.rdp
 ParentImage: 'C:\Windows\System32\lxss\wslhost.exe'
 CommandLine|contains: 'C:\ProgramData\Microsoft\WSL\wslg.rdp'
- condition: all of selection_* and not 1 of filter_*
+ condition: all of selection_* and not 1 of filter_optional_*
 falsepositives:
 - WSL (Windows Sub System For Linux)
- - Other currently unknown software
 level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_executable_invalid_extension.yml b/rules/windows/process_creation/proc_creation_win_rundll32_executable_invalid_extension.yml
index df7a17554..2c0d5561e 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_executable_invalid_extension.yml
+++ b/rules/windows/process_creation/proc_creation_win_rundll32_executable_invalid_extension.yml
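Review bot: `filter_optional_third_party:` is a bare list of strings — the `Image|endswith:` key the old `filter_generic` block had was not carried over, so Sigma will treat this selection as a keyword (full-text) search rather than an `Image` match, and backends without keyword support for the network_connection logsource will reject or mistranslate it. Insert `Image|endswith:` as the first line under `filter_optional_third_party:`, mirroring `filter_optional_thor`, so the exclusion behaves as intended. Note also that the chrome exclusion narrowed from `'\chrome.exe'` to the single path `C:\Program Files\Google\Chrome\Application\chrome.exe`; per-user installs under `%LOCALAPPDATA%` will now alert, which may be intended but deserves a `falsepositives` entry.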
@@ -21,7 +21,7 @@ detection:
 - CommandLine: ''
 filter_parent_null:
 CommandLine|startswith: 'C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess'
- filter_iexplorer:
+ filter_iexplore:
 ParentImage|endswith: ':\Program Files\Internet Explorer\iexplore.exe'
 CommandLine|contains: '.cpl'
 filter_msiexec_syswow64: