diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv index 7bebef0de..9292a45c7 100644 --- a/.github/workflows/known-FPs.csv +++ b/.github/workflows/known-FPs.csv @@ -49,3 +49,4 @@ c8b00925-926c-47e3-beea-298fd563728e;Remote Access Tool Services Have Been Insta b69888d4-380c-45ce-9cf9-d9ce46e67821;Executable in ADS;msedge\.exe b69888d4-380c-45ce-9cf9-d9ce46e67821;Executable in ADS;firefox\.exe b69888d4-380c-45ce-9cf9-d9ce46e67821;Executable in ADS;7z\.exe +65236ec7-ace0-4f0c-82fd-737b04fd4dcb;EVTX Created In Uncommon Location;powershell\.exe diff --git a/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml b/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml new file mode 100644 index 000000000..23af8d1dd --- /dev/null +++ b/rules/windows/file/file_event/file_event_win_create_evtx_non_common_locations.yml @@ -0,0 +1,32 @@ +title: EVTX Created In Uncommon Location +id: 65236ec7-ace0-4f0c-82fd-737b04fd4dcb +status: experimental +description: Detects the creation of new files with the ".evtx" extension in non-common locations. Which could indicate tampering with default evtx locations in order to evade security controls +references: + - https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key +author: D3F7A5105 +date: 2023/01/02 +tags: + - attack.defense_evasion + - attack.t1562.002 +logsource: + category: file_event + product: windows + definition: 'Requirements: The ".evtx" exntesion should be monitored via a Sysmon configuration. Example: .evtx' +detection: + selection: + TargetFilename|endswith: '.evtx' + filter_path: + TargetFilename|startswith: 'C:\Windows\System32\winevt\Logs\' + filter_baseimage: + TargetFilename|startswith: 'C:\ProgramData\Microsoft\Windows\Containers\BaseImages\' + TargetFilename|endswith: '\Windows\System32\winevt\Logs\' + filter_img: + Image: + - 'C:\Windows\explorer.exe' + - 'C:\Windows\system32\dllhost.exe' + condition: selection and not 1 of filter_* +falsepositives: + - Admin activity + - Backup activity +level: medium diff --git a/rules/windows/registry/registry_set/registry_set_evtx_file_key_tamper.yml b/rules/windows/registry/registry_set/registry_set_evtx_file_key_tamper.yml new file mode 100644 index 000000000..2eb8f76c9 --- /dev/null +++ b/rules/windows/registry/registry_set/registry_set_evtx_file_key_tamper.yml @@ -0,0 +1,25 @@ +title: Potential EventLog File Location Tampering +id: 0cb8d736-995d-4ce7-a31e-1e8d452a1459 +status: experimental +description: Detects tampering with EventLog service "file" key. In order to change the default location of an Evtx file. This technique is used to tamper with log collection and alerting +references: + - https://learn.microsoft.com/en-us/windows/win32/eventlog/eventlog-key +author: D3F7A5105 +date: 2023/01/02 +tags: + - attack.defense_evasion + - attack.t1562.002 +logsource: + category: registry_set + product: windows +detection: + selection: + EventType: SetValue + TargetObject|contains: '\SYSTEM\CurrentControlSet\Services\EventLog\' + TargetObject|endswith: '\File' + filter: + Details|contains: '\System32\Winevt\Logs\' + condition: selection and not filter +falsepositives: + - Unknown +level: high