diff --git a/rules/windows/process_access/proc_access_win_in_memory_assembly_execution.yml b/rules/windows/process_access/proc_access_win_in_memory_assembly_execution.yml index b59501d85..f36c47731 100644 --- a/rules/windows/process_access/proc_access_win_in_memory_assembly_execution.yml +++ b/rules/windows/process_access/proc_access_win_in_memory_assembly_execution.yml @@ -3,7 +3,7 @@ id: 5f113a8f-8b61-41ca-b90f-d374fa7e4a39 description: Detects the access to processes by other suspicious processes which have reflectively loaded libraries in their memory space. An example is SilentTrinity C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack call to a dll loaded from disk (the standard way), it will display "UNKNOWN" as the module name. Usually this means the stack call points to a module that was reflectively loaded in memory. Adding to this, it is not common to see such few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most of the functions required by the process to execute certain routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious. status: experimental date: 2019/10/27 -modified: 2022/02/16 +modified: 2022/03/04 author: Perez Diego (@darkquassar), oscd.community, Jonhnathan Ribeiro references: - https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/ @@ -86,6 +86,9 @@ detection: - '\jre\bin\java.dll' - '|C:\Windows\SYSTEM32\windows.storage.dll+' - '\configuration\org.eclipse.osgi\' + filter_openwith: + SourceImage: 'C:\Windows\system32\OpenWith.exe' + TargetImage: 'C:\Windows\Explorer.EXE' condition: ( selection1 or selection2 or selection3 ) and not 1 of filter* fields: - ComputerName 
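Review bot: `filter_openwith` in the second hunk suppresses every OpenWith.exe → Explorer.EXE access event, independent of the CallTrace that made `selection1`, `selection2` or `selection3` fire, so it is broader than the single false positive it was added for. Scoping it with the `CallTrace` value seen in the benign events (a `CallTrace|contains` entry next to the two image paths, in the style of the `'|C:\Windows\SYSTEM32\windows.storage.dll+'` fragment above it) keeps the exclusion tied to the behaviour that was actually observed. The `falsepositives` list lies outside the hunk and should gain an entry naming the OpenWith.exe case so the reason for the exclusion is recorded. The first hunk is only the `modified` date bump.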
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml b/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml index bb18b360e..55a117e59 100644 --- a/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml +++ b/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml @@ -6,7 +6,7 @@ author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim S references: - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=64 date: 2020/10/15 -modified: 2021/12/06 +modified: 2022/03/04 logsource: category: process_creation product: windows 
@@ -26,13 +26,15 @@ detection: selection5: Image|endswith: '\powershell.exe' CommandLine|re: '.*`.*`.*`.*`.*`.*' - filter: - ParentImage: - - C:\Program Files\Amazon\SSM\ssm-document-worker.exe - condition: (selection1 or selection2 or selection3 or selection4 or selection5) and not filter + filter_amazonSSM: + ParentImage: C:\Program Files\Amazon\SSM\ssm-document-worker.exe + filter_windef_atp: + CommandLine|contains: 'new EventSource("Microsoft.Windows.Sense.Client.Management"' + condition: (selection1 or selection2 or selection3 or selection4 or selection5) and not filter_amazonSSM and not (selection3 and filter_windef_atp) falsepositives: - Unlikely - Amazon SSM Document Worker # fp example: powershell " [Console]::OutputEncoding = [System.Text.Encoding]::UTF8 $keyExists = Test-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents" $jsonObj = @() if ($keyExists) { $key = Get-Item "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents" $valueNames = $key.GetValueNames(); foreach ($valueName in $valueNames) { $value = $key.GetValue($valueName); if ($value -gt 0) { $installed = "True" } else { $installed = "False" } $jsonObj += @" {"Name": "$valueName", "Installed": "$installed"} "@ } } $result = $jsonObj -join "," $result = "[" + $result + "]" [Console]::WriteLine($result) + - Windows Defender ATP level: high tags: - attack.defense_evasion diff --git a/rules/windows/process_creation/proc_creation_win_susp_control_cve_2021_40444.yml b/rules/windows/process_creation/proc_creation_win_susp_control_cve_2021_40444.yml index 1d9edc2f7..94bf351a0 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_control_cve_2021_40444.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_control_cve_2021_40444.yml 
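Review bot: `filter_windef_atp` excludes `selection3` hits solely on a `CommandLine|contains` substring, and the command line is supplied by whoever starts the process, so this exclusion rests on weaker evidence than `filter_amazonSSM`, which keys on `ParentImage`. Pairing the substring with a `ParentImage` (or `Image`) constraint for the Windows Defender ATP sensor process that launches this script would keep the suppression tied to its legitimate source; if that parent is not known yet, a comment on the filter saying so would help the next maintainer. The `# fp example:` comment is a single several-hundred-character line; trimming it to the distinguishing fragment, or moving the full sample to `references`, would keep the rule readable. The rule's other selections start before this hunk.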
@@ -8,7 +8,7 @@ references: - https://www.joesandbox.com/analysis/476188/1/iochtml author: '@neonprimetime, Florian Roth' date: 2021/09/08 -modified: 2021/09/09 +modified: 2022/03/03 logsource: category: process_creation product: windows @@ -20,7 +20,9 @@ detection: - '\powerpnt.exe' - '\excel.exe' filter: - CommandLine|endswith: '\control.exe input.dll' + CommandLine|endswith: + - '\control.exe input.dll' + - '\control.exe" input.dll' condition: selection and not filter falsepositives: - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_from_mssql.yml b/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_from_mssql.yml index 8217e0459..6f54a977e 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_from_mssql.yml +++ b/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_from_mssql.yml @@ -4,7 +4,7 @@ description: Detects suspicious shell spawn from MSSQL process, this might be si status: experimental author: FPT.EagleEye Team, wagga date: 2020/12/11 -modified: 2021/06/27 +modified: 2022/03/03 tags: - attack.t1505.003 - attack.t1190 @@ -23,5 +23,10 @@ detection: - '\bash.exe' - '\powershell.exe' - '\bitsadmin.exe' + filter_datev: + ParentImage|startswith: 'C:\Program Files\Microsoft SQL Server\' + ParentImage|endswith: 'DATEV_DBENGINE\MSSQL\Binn\sqlservr.exe' + Image: 'C:\Windows\System32\cmd.exe' + CommandLine|startswith: '"C:\Windows\system32\cmd.exe" ' condition: selection level: critical diff --git a/rules/windows/process_creation/proc_creation_win_tools_relay_attacks.yml b/rules/windows/process_creation/proc_creation_win_tools_relay_attacks.yml index a795b9874..2450ceea1 100644 --- a/rules/windows/process_creation/proc_creation_win_tools_relay_attacks.yml +++ b/rules/windows/process_creation/proc_creation_win_tools_relay_attacks.yml 
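Review bot: `falsepositives` in the second hunk still reads `Unknown` although the `filter` values now document the one known benign case, Office launching `control.exe input.dll` with and without a quoted path. Recording it, e.g. `- Office processes opening the control panel item behind "control.exe input.dll"`, tells the analyst why the exclusion exists and what a hit that bypasses it would look like. The added quoted variant is otherwise consistent with the existing value. The first hunk is only the `modified` date.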
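Review bot: `filter_datev` in `proc_creation_win_susp_shell_spawn_from_mssql.yml` is defined but never referenced: the condition in the same hunk is still `condition: selection`, so the new filter has no effect and the DATEV false positive it targets keeps firing. It should read `condition: selection and not 1 of filter_*` (or `and not filter_datev`). Once wired in, the rule's `falsepositives` section, which is outside the hunk, should mention the DATEV SQL Server instance, since the filter is otherwise the only record of why `cmd.exe` from that `sqlservr.exe` is tolerated. The first hunk of that file is only the `modified` date.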
@@ -4,7 +4,7 @@ id: 5589ab4f-a767-433c-961d-c91f3f704db1 description: Detects different hacktools used for relay attacks on Windows for privilege escalation author: Florian Roth date: 2021/07/24 -modified: 2021/07/26 +modified: 2022/03/03 references: - https://attack.mitre.org/techniques/T1557/001/ - https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/ @@ -41,7 +41,15 @@ detection: - 'cme smb ' - ' /ntlm:NTLMhash ' - 'Invoke-PetitPotam' - condition: selection_pe or selection_script + filter_hotpotatoes: # known goodware https://hotpot.uvic.ca/ + Image|contains: + - 'HotPotatoes6' + - 'HotPotatoes 6' + - 'HotPotatoes7' + - 'HotPotatoes 7' + - 'HotPotatoes Help' + - 'HotPotatoes Tutorial' + condition: 1 of selection_* and not 1 of filter_* falsepositives: - Legitimate files with these rare hacktool names level: critical diff --git a/rules/windows/process_creation/process_creation_apt_gamaredon_ultravnc.yml b/rules/windows/process_creation/process_creation_apt_gamaredon_ultravnc.yml new file mode 100644 index 000000000..168a56166 --- /dev/null +++ b/rules/windows/process_creation/process_creation_apt_gamaredon_ultravnc.yml @@ -0,0 +1,26 @@ +title: Gamaredon UltraVNC Execution +id: 871b9555-69ca-4993-99d3-35a59f9f3599 +status: experimental +author: Bhabesh Raj +date: 2022/03/04 +description: Gamaredon is known to use UltraVNC via command line for gaining remote access. +references: + - https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf + - https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution +tags: + - attack.lateral_movement + - attack.g0047 + - attack.t1021.005 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains|all: + - '-autoreconnect ' + - '-connect ' + - '-id:' + condition: selection +falsepositives: + - Unknown +level: high \ No newline at end of file 
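Review bot: `filter_hotpotatoes` in the second hunk keys purely on `Image|contains` name fragments, and because the condition is now `1 of selection_* and not 1 of filter_*` it also suppresses `selection_script` hits, which appear to match command-line fragments (`'cme smb '`, `'Invoke-PetitPotam'`) rather than the image name. Restricting the filter to the image-based selection, `condition: (selection_pe and not 1 of filter_*) or selection_script`, keeps the script-based detections intact, and anchoring the fragments with `Image|startswith` on the product's install directory would narrow the exclusion further. The `# known goodware` comment is useful; the `falsepositives` entry at the end of the hunk could name Hot Potatoes explicitly. The first hunk is only the `modified` date.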
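Review bot: the new `process_creation_apt_gamaredon_ultravnc.yml` matches only three UltraVNC connection switches on `CommandLine`, with no `Image` constraint, so any administrator running UltraVNC in reverse-connection mode through a repeater will fire at `level: high`; `falsepositives` should say `- Legitimate UltraVNC reverse connections through a repeater` rather than `Unknown`, or the level should drop to medium. The `description` states that the group uses UltraVNC but not which switches distinguish this from ordinary use; a sentence on that would help triage. The file also lacks a trailing newline (`\ No newline at end of file`), unlike the other rules touched here.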
diff --git a/rules/windows/registry_event/registry_event_asep_reg_keys_modification_common.yml b/rules/windows/registry_event/registry_event_asep_reg_keys_modification_common.yml index d3ae977cb..7cc36d92f 100644 --- a/rules/windows/registry_event/registry_event_asep_reg_keys_modification_common.yml +++ b/rules/windows/registry_event/registry_event_asep_reg_keys_modification_common.yml @@ -11,7 +11,7 @@ references: - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys date: 2019/10/25 -modified: 2022/02/16 +modified: 2022/03/05 logsource: category: registry_event product: windows @@ -44,13 +44,22 @@ detection: - '\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\PROTOCOLS\Handler\' - '\ClickToRunStore\HKMU\SOFTWARE\Classes\PROTOCOLS\Handler\' - Details: - - '{314111c7-a502-11d2-bbca-00c04f8ec294}' - - '{3459B272-CC19-4448-86C9-DDC3B4B2FAD3}' - - '{42089D2D-912D-4018-9087-2B87803E93FB}' - - '{5504BE45-A83B-4808-900A-3A5C36E7F77A}' - - '{807583E5-5146-11D5-A672-00B0D022E945}' + - '{314111c7-a502-11d2-bbca-00c04f8ec294}' + - '{3459B272-CC19-4448-86C9-DDC3B4B2FAD3}' + - '{42089D2D-912D-4018-9087-2B87803E93FB}' + - '{5504BE45-A83B-4808-900A-3A5C36E7F77A}' + - '{807583E5-5146-11D5-A672-00B0D022E945}' filter_chrome: TargetObject|contains: '\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\' + filter_image: + Image: + - 'C:\Windows\System32\poqexec.exe' + - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe' + filter_office: + Image|startswith: + - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\' + - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\' + Image|endswith: '\OfficeClickToRun.exe' condition: main_selection and not 1 of filter_* fields: - SecurityID 
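Review bot: in `filter_office` the second `Image|startswith` value `'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'` is redundant, because the first value `'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'` already prefix-matches it; the same two-entry list is added by this commit to `registry_event_asep_reg_keys_modification_wow6432node.yml`, `registry_event_outlook_registry_todaypage.yml` and `registry_event_removal_com_hijacking_registry_key.yml`, so a single `Image|startswith: 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'` would do in all four. Separately, `filter_image` excludes every autorun-key write by `poqexec.exe` and `integrator.exe` with no `TargetObject` scoping, unlike `filter_chrome`, which pins its exclusion to one key; if the benign writes go to a known subset of keys, a `TargetObject|contains` list alongside `Image` would preserve ASEP coverage for those images. The re-indented `Details` values change only whitespace as far as the hunk shows. The first hunk is only the `modified` date.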
diff --git a/rules/windows/registry_event/registry_event_asep_reg_keys_modification_currentversion.yml b/rules/windows/registry_event/registry_event_asep_reg_keys_modification_currentversion.yml index ffd5555a4..366ae4f66 100644 --- a/rules/windows/registry_event/registry_event_asep_reg_keys_modification_currentversion.yml +++ b/rules/windows/registry_event/registry_event_asep_reg_keys_modification_currentversion.yml @@ -94,6 +94,8 @@ detection: - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\' - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\' Image|endswith: '\OfficeClickToRun.exe' + filter_defender: + Image: 'C:\Program Files\Windows Defender\MsMpEng.exe' condition: current_version_base and current_version and not 1 of filter_* fields: - SecurityID diff --git a/rules/windows/registry_event/registry_event_asep_reg_keys_modification_wow6432node.yml b/rules/windows/registry_event/registry_event_asep_reg_keys_modification_wow6432node.yml index bc694d939..35fc7f36d 100644 --- a/rules/windows/registry_event/registry_event_asep_reg_keys_modification_wow6432node.yml +++ b/rules/windows/registry_event/registry_event_asep_reg_keys_modification_wow6432node.yml @@ -11,7 +11,7 @@ references: - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys date: 2019/10/25 -modified: 2022/02/16 +modified: 2022/03/05 logsource: category: registry_event product: windows 
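Review bot: `filter_defender` matches `MsMpEng.exe` only at the exact path `C:\Program Files\Windows Defender\MsMpEng.exe`, while the `filter_defender` in `registry_event_persistence_search_order.yml` in this same commit also allows the engine under `C:\ProgramData\Microsoft\Windows Defender\Platform\`, so the two rules disagree on where the engine legitimately runs from and this one will not cover that second location. Using the same two-prefix `Image|startswith` list with `Image|endswith: '\MsMpEng.exe'` keeps the rules consistent. An `Image`-only exclusion also covers every CurrentVersion autorun key; if the `TargetObject` the engine legitimately writes is known, scoping on it preserves coverage. The second hunk on this line is only the `modified` date of the wow6432node rule.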
@@ -61,6 +61,11 @@ detection: - '"C:\ProgramData\Package Cache\{7037b699-7382-448c-89a7-4765961d2537}\windowsdesktop-runtime-' - '"C:\ProgramData\Package Cache\{e2d1ae32-dd1d-4ad7-a298-10e42e7840fc}\windowsdesktop-runtime-' Details|endswith: '.exe" /burn.runonce' + filter_office: + Image|startswith: + - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\' + - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\' + Image|endswith: '\OfficeClickToRun.exe' condition: wow_current_version_base and wow_current_version and not 1 of filter_* fields: - SecurityID diff --git a/rules/windows/registry_event/registry_event_outlook_registry_todaypage.yml b/rules/windows/registry_event/registry_event_outlook_registry_todaypage.yml index 089a8cc53..8513edd9e 100644 --- a/rules/windows/registry_event/registry_event_outlook_registry_todaypage.yml +++ b/rules/windows/registry_event/registry_event_outlook_registry_todaypage.yml @@ -6,7 +6,7 @@ references: - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70 author: Tobias Michalski date: 2021/06/10 -modified: 2022/01/13 +modified: 2022/03/05 tags: - attack.persistence - attack.t1112 @@ -24,7 +24,12 @@ detection: Details: DWORD (0x00000001) selectionUserDefined: TargetObject|endswith: UserDefinedUrl - condition: selection1 and (selectionStamp or selectionUserDefined) + filter_office: + Image|startswith: + - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\' + - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\' + Image|endswith: '\OfficeClickToRun.exe' + condition: selection1 and (selectionStamp or selectionUserDefined) and not 1 of filter_* fields: - Details falsepositives: diff --git a/rules/windows/registry_event/registry_event_persistence_search_order.yml b/rules/windows/registry_event/registry_event_persistence_search_order.yml index 2f5a52513..90b5760e4 100644 
--- a/rules/windows/registry_event/registry_event_persistence_search_order.yml +++ b/rules/windows/registry_event/registry_event_persistence_search_order.yml @@ -7,7 +7,7 @@ references: - https://attack.mitre.org/techniques/T1546/015/ author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien date: 2020/04/14 -modified: 2022/02/25 +modified: 2022/03/05 tags: - attack.persistence - attack.t1546.015 @@ -46,9 +46,10 @@ detection: - C:\WINDOWS\system32\wuauclt.exe - C:\WINDOWS\system32\svchost.exe filter_defender: - Image|contains|all: + Image|contains|startswith: - 'C:\ProgramData\Microsoft\Windows Defender\Platform\' - - '\MsMpEng.exe' + - 'C:\Program Files\Windows Defender\' + Image|contains|endswith: '\MsMpEng.exe' filter_nvidia: Details|contains: - '\FileRepository\nvmdi.inf' diff --git a/rules/windows/registry_event/registry_event_removal_com_hijacking_registry_key.yml b/rules/windows/registry_event/registry_event_removal_com_hijacking_registry_key.yml index 88e4b60a8..c28567261 100644 --- a/rules/windows/registry_event/registry_event_removal_com_hijacking_registry_key.yml +++ b/rules/windows/registry_event/registry_event_removal_com_hijacking_registry_key.yml @@ -10,7 +10,7 @@ references: - https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand - https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code date: 2020/05/02 -modified: 2022/03/03 +modified: 2022/03/05 logsource: product: windows category: registry_event 
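Review bot: the new `Image|contains|startswith` and `Image|contains|endswith` modifier chains in `filter_defender` do not express what the values intend; with the legacy sigmac tooling the modifiers are applied in order, so `contains` wraps the value in wildcards first and the trailing `startswith`/`endswith` adds nothing, leaving both keys as plain substring matches, and other backends may reject the combination outright. The intended anchored filter is `Image|startswith:` over the two directory prefixes and `Image|endswith: '\MsMpEng.exe'`, the form `registry_event_asep_reg_keys_modification_common.yml` uses for its `filter_office` in this same commit. The other hunks on this line are `modified`-date bumps.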
@@ -21,8 +21,15 @@ detection: filter_svchost: Image: 'C:\Windows\system32\svchost.exe' filter_office: - Image|startswith: 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\' + Image|startswith: + - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\' + - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\' Image|endswith: '\OfficeClickToRun.exe' + filter_integrator: + Image: 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe' + filter_dropbox: + Image|endswith: '\Dropbox.exe' + TargetObject|startswith: 'HKCR\Dropbox.' condition: selection and not 1 of filter_* falsepositives: - unknown diff --git a/rules/windows/registry_event/registry_event_vbs_payload_stored.yml b/rules/windows/registry_event/registry_event_vbs_payload_stored.yml index 3ac8cc252..0b9e1d609 100644 --- a/rules/windows/registry_event/registry_event_vbs_payload_stored.yml +++ b/rules/windows/registry_event/registry_event_vbs_payload_stored.yml @@ -3,7 +3,7 @@ id: 46490193-1b22-4c29-bdd6-5bf63907216f description: Detects VBScript content stored into registry keys as seen being used by UNC2452 group status: experimental date: 2021/03/05 -modified: 2022/02/09 +modified: 2022/03/04 author: Florian Roth references: - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/ @@ -31,10 +31,13 @@ detection: Details|contains: - '\Microsoft.NET\Primary Interop Assemblies\Microsoft.mshtml.dll' - '<\Microsoft.mshtml,fileVersion=' + - 'FL_Microsoft_mshtml_dll_____X86.' + - 'Microsoft_mshtml_dll_1_____X86.' + - '<\Microsoft.mshtml,culture=' condition: selection and not 1 of filter* falsepositives: - Unknown level: high tags: - attack.persistence - - attack.t1547.001 \ No newline at end of file + - attack.t1547.001 diff --git a/sigma-schema.rx.yml b/sigma-schema.rx.yml index 142c35278..20048eb4d 100644 --- a/sigma-schema.rx.yml +++ b/sigma-schema.rx.yml 
@@ -72,6 +72,8 @@ optional: level: type: //any of: + - type: //str + value: informational - type: //str value: low - type: //str diff --git a/tests/check-baseline-local.sh b/tests/check-baseline-local.sh index f3b199046..86a5c5ae9 100755 --- a/tests/check-baseline-local.sh +++ b/tests/check-baseline-local.sh @@ -27,6 +27,16 @@ if [[ "${OS}" != "Linux" && "${OS}" != "Darwin" ]]; then exit 1 fi +SCRIPT="$(realpath $0)" +TOOLS="${SCRIPT%/*}" +SIGMA="${TOOLS%/*}" + +if [[ -n "$1" && -d "$1" && -r "$1" ]]; then + RULES="$1" +else + RULES="${SIGMA}"/rules +fi + TMP=$(mktemp -d) if [[ -z "${TMP}" || ! -d "${TMP}" || ! -w "${TMP}" ]]; then >2& echo "Error: Created temporary directory ${TMP} is not writable." @@ -34,15 +44,12 @@ if [[ -z "${TMP}" || ! -d "${TMP}" || ! -w "${TMP}" ]]; then exit 1 fi -SCRIPT="$(realpath $0)" -TOOLS="${SCRIPT%/*}" -SIGMA="${TOOLS%/*}" cd "${TMP}" echo echo "Copy rules from ${SIGMA} to ${TMP}" -cp -r "${SIGMA}"/rules/windows . +cp -r "${RULES}"/windows . echo echo "Download evtx-sigma-checker" if [[ "${OS}" == "Linux" ]]; then diff --git a/tools/config/splunk-windows.yml b/tools/config/splunk-windows.yml index d97c89690..32844030b 100644 --- a/tools/config/splunk-windows.yml +++ b/tools/config/splunk-windows.yml @@ -111,7 +111,7 @@ logsources: product: windows service: codeintegrity-operational conditions: - source: 'Microsoft-Windows-CodeIntegrity/Operational' + source: 'WinEventLog:Microsoft-Windows-CodeIntegrity/Operational' windows-smbclient-security: product: windows service: smbclient-security 
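Review bot: the new argument handling in `check-baseline-local.sh` falls back silently to `${SIGMA}/rules` when `$1` is given but is not a readable directory, so a mistyped path runs the baseline check against the wrong rule set with no message; an `elif [[ -n "$1" ]]` branch that prints an error and exits would surface that. `SCRIPT="$(realpath $0)"` should quote its argument, `SCRIPT="$(realpath "$0")"`, since the script path may contain spaces. The pre-existing `>2& echo` on the following context line appears to create a file named `2` and print to stdout rather than stderr and should be `>&2 echo`; it is outside this change but worth fixing while the block is being touched.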
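Review bot: the log line `echo "Copy rules from ${SIGMA} to ${TMP}"` in the second shell hunk is now stale, because the copy on the next line reads from `${RULES}`, which may be the directory passed as `$1`; it should be `echo "Copy rules from ${RULES} to ${TMP}"`. Moving the `SCRIPT`/`TOOLS`/`SIGMA` block earlier is fine, but `cp -r "${RULES}"/windows .` still assumes the supplied directory contains a `windows` subdirectory, which the `-d "$1"` check in the first hunk does not verify; checking `-d "$1"/windows` would fail early with a clearer error.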
@@ -126,11 +126,11 @@ logsources: product: windows service: firewall-as conditions: - source: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' + source: 'WinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall' windows-bits-client: product: windows service: bits-client conditions: - source: 'Microsoft-Windows-Bits-Client/Operational' + source: 'WinEventLog:Microsoft-Windows-Bits-Client/Operational' fieldmappings: EventID: EventCode diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml index 978294b00..7d8bc71ae 100644 --- a/tools/config/winlogbeat-modules-enabled.yml +++ b/tools/config/winlogbeat-modules-enabled.yml @@ -119,7 +119,7 @@ logsources: product: windows service: bits-client conditions: - winlog.channel: 'WinEventlog:Microsoft-Windows-Bits-Client/Operational' + winlog.channel: 'Microsoft-Windows-Bits-Client/Operational' defaultindex: winlogbeat-* # Extract all field names with yq: # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g' @@ -572,4 +572,4 @@ fieldmappings: ApplicationPath: winlog.event_data.ApplicationPath ModifyingApplication: winlog.event_data.ModifyingApplication Action: winlog.event_data.Action - \ No newline at end of file +