From d14784510fd9941ebf04a19fa3a85fbbd801c35a Mon Sep 17 00:00:00 2001
From: Bhabesh
Date: Fri, 4 Mar 2022 15:40:33 +0545
Subject: [PATCH 01/11] Added rule for Gamaredon UltraVNC Execution
---
 ...rocess_creation_apt_gamaredon_ultravnc.yml | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)
 create mode 100644 rules/windows/process_creation/process_creation_apt_gamaredon_ultravnc.yml
diff --git a/rules/windows/process_creation/process_creation_apt_gamaredon_ultravnc.yml b/rules/windows/process_creation/process_creation_apt_gamaredon_ultravnc.yml
new file mode 100644
index 000000000..168a56166
--- /dev/null
+++ b/rules/windows/process_creation/process_creation_apt_gamaredon_ultravnc.yml
@@ -0,0 +1,26 @@
+title: Gamaredon UltraVNC Execution
+id: 871b9555-69ca-4993-99d3-35a59f9f3599
+status: experimental
+author: Bhabesh Raj
+date: 2022/03/04
+description: Gamaredon is known to use UltraVNC via command line for gaining remote access.
+references:
+ - https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf
+ - https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution
+tags:
+ - attack.lateral_movement
+ - attack.g0047
+ - attack.t1021.005
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - '-autoreconnect '
+ - '-connect '
+ - '-id:'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
\ No newline at end of file
From 324dca618b430f86b3cd6d63778f2e96436c106c Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Thu, 3 Mar 2022 10:14:28 +0100
Subject: [PATCH 02/11] fix: filter variant with double quotes
---
 .../proc_creation_win_susp_control_cve_2021_40444.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
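Review bot: The falsepositives entry `- Unknown` undersells what the selection matches: any process started with `-autoreconnect`, `-connect` and `-id:` on its command line — the ordinary UltraVNC reverse-connection/repeater invocation — fires the rule, and there is no Image or ParentImage constraint, so remote-support staff using UltraVNC legitimately will hit it as well. Suggest replacing the entry with `- Legitimate UltraVNC reverse-connection sessions (remote support)` so triage knows what to expect, and stating in the description that tuning by support host or parent process is the intended way to keep the `high` level honest. The file is also committed without a trailing newline (`\ No newline at end of file` after `level: high`).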
diff --git a/rules/windows/process_creation/proc_creation_win_susp_control_cve_2021_40444.yml b/rules/windows/process_creation/proc_creation_win_susp_control_cve_2021_40444.yml
index 1d9edc2f7..94bf351a0 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_control_cve_2021_40444.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_control_cve_2021_40444.yml
@@ -8,7 +8,7 @@ references:
 - https://www.joesandbox.com/analysis/476188/1/iochtml
 author: '@neonprimetime, Florian Roth'
 date: 2021/09/08
-modified: 2021/09/09
+modified: 2022/03/03
 logsource:
 category: process_creation
 product: windows
@@ -20,7 +20,9 @@ detection:
 - '\powerpnt.exe'
 - '\excel.exe'
 filter:
- CommandLine|endswith: '\control.exe input.dll'
+ CommandLine|endswith:
+ - '\control.exe input.dll'
+ - '\control.exe" input.dll'
 condition: selection and not filter
 falsepositives:
 - Unknown
From df48b60cb47e9ca868ae4e7703f227500b6ad5da Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Thu, 3 Mar 2022 13:15:46 +0100
Subject: [PATCH 03/11] fix: FP with Datev SQL Server
---
 .../proc_creation_win_susp_shell_spawn_from_mssql.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_from_mssql.yml b/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_from_mssql.yml
index 8217e0459..6f54a977e 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_from_mssql.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_shell_spawn_from_mssql.yml
@@ -4,7 +4,7 @@ description: Detects suspicious shell spawn from MSSQL process, this might be si
 status: experimental
 author: FPT.EagleEye Team, wagga
 date: 2020/12/11
-modified: 2021/06/27
+modified: 2022/03/03
 tags:
 - attack.t1505.003
 - attack.t1190
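Review bot: The filter now excludes two command-line endings, but nothing in the rule records why `\control.exe input.dll` is benign, so the next maintainer cannot tell whether the double-quote variant is the last one needed or whether the exclusion is already too generous; add a comment on the `filter:` line naming the legitimate origin, e.g. `filter: # legitimate <origin — TODO fill in> launches control.exe input.dll`. The bare name `filter` is also out of step with the descriptive `filter_<reason>` keys used by the other rules in this series; `filter_input_dll` with `condition: selection and not filter_input_dll` would match them. The `selection` block this filter subtracts from starts before the hunk.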
@@ -23,5 +23,10 @@ detection:
 - '\bash.exe'
 - '\powershell.exe'
 - '\bitsadmin.exe'
+ filter_datev:
+ ParentImage|startswith: 'C:\Program Files\Microsoft SQL Server\'
+ ParentImage|endswith: 'DATEV_DBENGINE\MSSQL\Binn\sqlservr.exe'
+ Image: 'C:\Windows\System32\cmd.exe'
+ CommandLine|startswith: '"C:\Windows\system32\cmd.exe" '
 condition: selection
 level: critical
From 4823d7943f9bc6ae9a0ed91b549d2fa129f3fec9 Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Thu, 3 Mar 2022 13:34:23 +0100
Subject: [PATCH 04/11] fix: exclude hotpotatoes FP
---
 .../proc_creation_win_tools_relay_attacks.yml | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_tools_relay_attacks.yml b/rules/windows/process_creation/proc_creation_win_tools_relay_attacks.yml
index a795b9874..2450ceea1 100644
--- a/rules/windows/process_creation/proc_creation_win_tools_relay_attacks.yml
+++ b/rules/windows/process_creation/proc_creation_win_tools_relay_attacks.yml
@@ -4,7 +4,7 @@ id: 5589ab4f-a767-433c-961d-c91f3f704db1
 description: Detects different hacktools used for relay attacks on Windows for privilege escalation
 author: Florian Roth
 date: 2021/07/24
-modified: 2021/07/26
+modified: 2022/03/03
 references:
 - https://attack.mitre.org/techniques/T1557/001/
 - https://foxglovesecurity.com/2016/09/26/rotten-potato-privilege-escalation-from-service-accounts-to-system/
@@ -41,7 +41,15 @@ detection:
 - 'cme smb '
 - ' /ntlm:NTLMhash '
 - 'Invoke-PetitPotam'
- condition: selection_pe or selection_script
+ filter_hotpotatoes: # known goodware https://hotpot.uvic.ca/
+ Image|contains:
+ - 'HotPotatoes6'
+ - 'HotPotatoes 6'
+ - 'HotPotatoes7'
+ - 'HotPotatoes 7'
+ - 'HotPotatoes Help'
+ - 'HotPotatoes Tutorial'
+ condition: 1 of selection_* and not 1 of filter_*
 falsepositives:
 - Legitimate files with these rare hacktool names
 level: critical
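Review bot: `filter_datev` is added but the condition is left as `condition: selection`, so the new filter is never evaluated and the false positive this commit sets out to remove is still raised; it needs `condition: selection and not filter_datev`. Once it is wired in, note that the filter drops every `cmd.exe` the DATEV `sqlservr.exe` spawns with a quoted-path command line, whatever arguments follow — if the benign DATEV invocation has a fixed form, matching the specific arguments with `CommandLine|contains` keeps shell spawns from a compromised DATEV instance visible to this `critical` rule. The `selection` block starts before the hunk.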
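Review bot: `filter_hotpotatoes` keys solely on `Image|contains` substrings such as `HotPotatoes6`, so any executable whose path contains that text is excluded regardless of directory, publisher or parent — a wide exception for a `critical` rule that itself matches on names alone. If the Hot Potatoes install directory is stable, `Image|startswith: '<install dir — TODO confirm>'` alongside the name list narrows it; the `# known goodware` comment with the vendor URL is the right kind of record to keep. The switch to `1 of selection_*` is fine as long as every future `selection_*` key is meant to be OR-ed.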
From e7edae7a9aece940908c1cede1b5e2049d9e98eb Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Fri, 4 Mar 2022 14:02:17 +0100
Subject: [PATCH 05/11] tests: add 1st commandline argument for rules directory selection
---
 tests/check-baseline-local.sh | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/tests/check-baseline-local.sh b/tests/check-baseline-local.sh
index f3b199046..86a5c5ae9 100755
--- a/tests/check-baseline-local.sh
+++ b/tests/check-baseline-local.sh
@@ -27,6 +27,16 @@ if [[ "${OS}" != "Linux" && "${OS}" != "Darwin" ]]; then
 exit 1
 fi
+SCRIPT="$(realpath $0)"
+TOOLS="${SCRIPT%/*}"
+SIGMA="${TOOLS%/*}"
+
+if [[ -n "$1" && -d "$1" && -r "$1" ]]; then
+ RULES="$1"
+else
+ RULES="${SIGMA}"/rules
+fi
+
 TMP=$(mktemp -d)
 if [[ -z "${TMP}" || ! -d "${TMP}" || ! -w "${TMP}" ]]; then
 >2& echo "Error: Created temporary directory ${TMP} is not writable."
@@ -34,15 +44,12 @@ if [[ -z "${TMP}" || ! -d "${TMP}" || ! -w "${TMP}" ]]; then
 exit 1
 fi
-SCRIPT="$(realpath $0)"
-TOOLS="${SCRIPT%/*}"
-SIGMA="${TOOLS%/*}"
 cd "${TMP}"
 echo
 echo "Copy rules from ${SIGMA} to ${TMP}"
-cp -r "${SIGMA}"/rules/windows .
+cp -r "${RULES}"/windows .
 echo
 echo "Download evtx-sigma-checker"
 if [[ "${OS}" == "Linux" ]]; then
From 6c4d0c601b5d4f728e59d3d5fa2734017120f5d9 Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Fri, 4 Mar 2022 14:07:12 +0100
Subject: [PATCH 06/11] fix: FP with Windows Defender ATP
---
 ...ion_win_powershell_cmdline_special_characters.yml | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml b/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml
index bb18b360e..55a117e59 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml
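Review bot: When `$1` is supplied but is not a readable directory, the new `if` silently falls back to `${SIGMA}/rules`, so a mistyped path runs the baseline against the repository rules with no indication; an explicit error is safer: `elif [[ -n "$1" ]]; then >&2 echo "Error: $1 is not a readable directory."; exit 1`. `SCRIPT="$(realpath $0)"` is moved rather than new, but `$0` is still unquoted and should be `"$0"` while it is being touched. The context line `>2& echo ...` below is a pre-existing typo for `>&2 echo` and is unrelated to this change.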
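Review bot: The message on the context line above `cp` still reads `echo "Copy rules from ${SIGMA} to ${TMP}"`, so when a rules directory is passed as the first argument the log names the repository path while the copy uses `${RULES}`; change it to `echo "Copy rules from ${RULES} to ${TMP}"`. `cp -r "${RULES}"/windows .` also assumes the supplied directory contains a `windows` subdirectory; a one-line usage comment next to the argument check (`# usage: check-baseline-local.sh [rules-dir]   # rules-dir must contain windows/`) would save the next user a confusing cp error.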
+++ b/rules/windows/process_creation/proc_creation_win_powershell_cmdline_special_characters.yml
@@ -6,7 +6,7 @@ author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim S
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse?slide=64
 date: 2020/10/15
-modified: 2021/12/06
+modified: 2022/03/04
 logsource:
 category: process_creation
 product: windows
@@ -26,13 +26,15 @@ detection:
 selection5:
 Image|endswith: '\powershell.exe'
 CommandLine|re: '.*`.*`.*`.*`.*`.*'
- filter:
- ParentImage:
- - C:\Program Files\Amazon\SSM\ssm-document-worker.exe
- condition: (selection1 or selection2 or selection3 or selection4 or selection5) and not filter
+ filter_amazonSSM:
+ ParentImage: C:\Program Files\Amazon\SSM\ssm-document-worker.exe
+ filter_windef_atp:
+ CommandLine|contains: 'new EventSource("Microsoft.Windows.Sense.Client.Management"'
+ condition: (selection1 or selection2 or selection3 or selection4 or selection5) and not filter_amazonSSM and not (selection3 and filter_windef_atp)
 falsepositives:
 - Unlikely
 - Amazon SSM Document Worker # fp example: powershell " [Console]::OutputEncoding = [System.Text.Encoding]::UTF8 $keyExists = Test-Path "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents" $jsonObj = @() if ($keyExists) { $key = Get-Item "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents" $valueNames = $key.GetValueNames(); foreach ($valueName in $valueNames) { $value = $key.GetValue($valueName); if ($value -gt 0) { $installed = "True" } else { $installed = "False" } $jsonObj += @" {"Name": "$valueName", "Installed": "$installed"} "@ } } $result = $jsonObj -join "," $result = "[" + $result + "]" [Console]::WriteLine($result)
+ - Windows Defender ATP
 level: high
 tags:
 - attack.defense_evasion
From 7922becd0bfd3ea2263a6d836d20f1f937bb3ce1 Mon Sep 17 00:00:00 2001
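Review bot: `not (selection3 and filter_windef_atp)` suppresses the whole event rather than only the selection3 path: an event that matches selection1 and selection3 and the Defender ATP command line is dropped entirely, because that conjunct turns the whole condition false. If the intent is to exempt selection3 alone, the narrower form is `condition: (selection1 or selection2 or (selection3 and not filter_windef_atp) or selection4 or selection5) and not filter_amazonSSM`. Minor: `ParentImage: C:\Program Files\Amazon\SSM\ssm-document-worker.exe` is the only unquoted path in the block; quoting it like its siblings keeps the rule robust if the value ever gains a leading YAML indicator character. The selection1–selection4 blocks this condition references start before the hunk.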
From: frack113
Date: Fri, 4 Mar 2022 16:53:30 +0100
Subject: [PATCH 07/11] Fix FP new install
---
 ..._access_win_in_memory_assembly_execution.yml | 5 ++++-
 ..._event_asep_reg_keys_modification_common.yml | 17 +++++++++++------
 ...sep_reg_keys_modification_currentversion.yml | 2 ++
 ...event_removal_com_hijacking_registry_key.yml | 5 ++++-
 .../registry_event_vbs_payload_stored.yml | 7 +++++--
 5 files changed, 26 insertions(+), 10 deletions(-)
diff --git a/rules/windows/process_access/proc_access_win_in_memory_assembly_execution.yml b/rules/windows/process_access/proc_access_win_in_memory_assembly_execution.yml
index b59501d85..f36c47731 100644
--- a/rules/windows/process_access/proc_access_win_in_memory_assembly_execution.yml
+++ b/rules/windows/process_access/proc_access_win_in_memory_assembly_execution.yml
@@ -3,7 +3,7 @@ id: 5f113a8f-8b61-41ca-b90f-d374fa7e4a39
 description: Detects the access to processes by other suspicious processes which have reflectively loaded libraries in their memory space. An example is SilentTrinity C2 behaviour. Generally speaking, when Sysmon EventID 10 cannot reference a stack call to a dll loaded from disk (the standard way), it will display "UNKNOWN" as the module name. Usually this means the stack call points to a module that was reflectively loaded in memory. Adding to this, it is not common to see such few calls in the stack (ntdll.dll --> kernelbase.dll --> unknown) which essentially means that most of the functions required by the process to execute certain routines are already present in memory, not requiring any calls to external libraries. The latter should also be considered suspicious.
 status: experimental
 date: 2019/10/27
-modified: 2022/02/16
+modified: 2022/03/04
 author: Perez Diego (@darkquassar), oscd.community, Jonhnathan Ribeiro
 references:
 - https://azure.microsoft.com/en-ca/blog/detecting-in-memory-attacks-with-sysmon-and-azure-security-center/
@@ -86,6 +86,9 @@ detection:
 - '\jre\bin\java.dll'
 - '|C:\Windows\SYSTEM32\windows.storage.dll+'
 - '\configuration\org.eclipse.osgi\'
+ filter_openwith:
+ SourceImage: 'C:\Windows\system32\OpenWith.exe'
+ TargetImage: 'C:\Windows\Explorer.EXE'
 condition: ( selection1 or selection2 or selection3 ) and not 1 of filter*
 fields:
 - ComputerName
diff --git a/rules/windows/registry_event/registry_event_asep_reg_keys_modification_common.yml b/rules/windows/registry_event/registry_event_asep_reg_keys_modification_common.yml
index d3ae977cb..3a53b7b64 100644
--- a/rules/windows/registry_event/registry_event_asep_reg_keys_modification_common.yml
+++ b/rules/windows/registry_event/registry_event_asep_reg_keys_modification_common.yml
@@ -11,7 +11,7 @@ references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 date: 2019/10/25
-modified: 2022/02/16
+modified: 2022/03/04
 logsource:
 category: registry_event
 product: windows
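Review bot: `filter_openwith` exempts every OpenWith.exe → Explorer.EXE access, not just the benign case that was observed, so an access under that pair of image names whose stack still shows the `UNKNOWN` module the rule is built around would no longer surface. The surrounding filter entries (`'\jre\bin\java.dll'`, `'|C:\Windows\SYSTEM32\windows.storage.dll+'`) look like call-trace fragments; if the benign OpenWith trace is known, adding it to the filter as a third field keeps the exception narrow — hedged, since the field name is not visible in this hunk. The `detection` block and its selections start before the hunk.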
@@ -44,13 +44,18 @@ detection:
 - '\Office\ClickToRun\REGISTRY\MACHINE\Software\Classes\PROTOCOLS\Handler\'
 - '\ClickToRunStore\HKMU\SOFTWARE\Classes\PROTOCOLS\Handler\'
 - Details:
- - '{314111c7-a502-11d2-bbca-00c04f8ec294}'
- - '{3459B272-CC19-4448-86C9-DDC3B4B2FAD3}'
- - '{42089D2D-912D-4018-9087-2B87803E93FB}'
- - '{5504BE45-A83B-4808-900A-3A5C36E7F77A}'
- - '{807583E5-5146-11D5-A672-00B0D022E945}'
+ - '{314111c7-a502-11d2-bbca-00c04f8ec294}'
+ - '{3459B272-CC19-4448-86C9-DDC3B4B2FAD3}'
+ - '{42089D2D-912D-4018-9087-2B87803E93FB}'
+ - '{5504BE45-A83B-4808-900A-3A5C36E7F77A}'
+ - '{807583E5-5146-11D5-A672-00B0D022E945}'
 filter_chrome:
 TargetObject|contains: '\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\'
+ filter_image:
+ Image:
+ - 'C:\Windows\System32\poqexec.exe'
+ - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
+ - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe'
 condition: main_selection and not 1 of filter_*
 fields:
 - SecurityID
diff --git a/rules/windows/registry_event/registry_event_asep_reg_keys_modification_currentversion.yml b/rules/windows/registry_event/registry_event_asep_reg_keys_modification_currentversion.yml
index ffd5555a4..366ae4f66 100644
--- a/rules/windows/registry_event/registry_event_asep_reg_keys_modification_currentversion.yml
+++ b/rules/windows/registry_event/registry_event_asep_reg_keys_modification_currentversion.yml
@@ -94,6 +94,8 @@ detection:
 - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
 - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
 Image|endswith: '\OfficeClickToRun.exe'
+ filter_defender:
+ Image: 'C:\Program Files\Windows Defender\MsMpEng.exe'
 condition: current_version_base and current_version and not 1 of filter_*
 fields:
 - SecurityID
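Review bot: The five `Details` GUID lines are removed and re-added with identical text, so that part of the hunk is a re-indentation; since indentation is what decides whether a YAML list hangs off `Details:` or off the preceding `TargetObject|contains` list, confirm against the parsed rule (or the test baseline) that the GUIDs still sit under `Details:` — attached to the wrong key they would turn the filter's AND into an OR. `filter_image` pins full paths, which is the right shape for an Image exclusion; a one-line comment naming the scenario it covers (`# Windows servicing / Office installation`, if that is what was observed) would help the next FP triage. The enclosing filter whose `TargetObject|contains` list opens this hunk starts before it.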
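Review bot: `filter_defender` only matches `C:\Program Files\Windows Defender\MsMpEng.exe`, while registry_event_persistence_search_order in this same series also expects the engine under `C:\ProgramData\Microsoft\Windows Defender\Platform\`, which is where an updated platform runs from; with the two filters out of step this rule will re-raise the same FP on the other path. Suggest the same shape here:
```yaml
  filter_defender:
    Image|startswith:
      - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
      - 'C:\Program Files\Windows Defender\'
    Image|endswith: '\MsMpEng.exe'
```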
diff --git a/rules/windows/registry_event/registry_event_removal_com_hijacking_registry_key.yml b/rules/windows/registry_event/registry_event_removal_com_hijacking_registry_key.yml
index 88e4b60a8..ab781a734 100644
--- a/rules/windows/registry_event/registry_event_removal_com_hijacking_registry_key.yml
+++ b/rules/windows/registry_event/registry_event_removal_com_hijacking_registry_key.yml
@@ -10,7 +10,7 @@ references:
 - https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand
 - https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code
 date: 2020/05/02
-modified: 2022/03/03
+modified: 2022/03/04
 logsource:
 product: windows
 category: registry_event
@@ -23,6 +23,9 @@ detection:
 filter_office:
 Image|startswith: 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
 Image|endswith: '\OfficeClickToRun.exe'
+ filter_dropbox:
+ Image|endswith: '\Dropbox.exe'
+ TargetObject|startswith: 'HKCR\Dropbox.'
 condition: selection and not 1 of filter_*
 falsepositives:
 - unknown
diff --git a/rules/windows/registry_event/registry_event_vbs_payload_stored.yml b/rules/windows/registry_event/registry_event_vbs_payload_stored.yml
index 3ac8cc252..0b9e1d609 100644
--- a/rules/windows/registry_event/registry_event_vbs_payload_stored.yml
+++ b/rules/windows/registry_event/registry_event_vbs_payload_stored.yml
@@ -3,7 +3,7 @@ id: 46490193-1b22-4c29-bdd6-5bf63907216f
 description: Detects VBScript content stored into registry keys as seen being used by UNC2452 group
 status: experimental
 date: 2021/03/05
-modified: 2022/02/09
+modified: 2022/03/04
 author: Florian Roth
 references:
 - https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
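Review bot: `Image|endswith: '\Dropbox.exe'` exempts any binary of that name in any directory, and `TargetObject|startswith: 'HKCR\Dropbox.'` leaves the rest of the key unconstrained, so for a rule about removed COM-hijacking keys the exception rests entirely on names the event source does not verify. If the client's install directory is known, `Image|startswith: '<Dropbox install dir — TODO confirm>'` beside the name match narrows it; either way a comment on `filter_dropbox:` recording which key deletions were observed will help when the filter is revisited. The `selection` block the condition refers to starts before the hunk.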
@@ -31,10 +31,13 @@ detection:
 Details|contains:
 - '\Microsoft.NET\Primary Interop Assemblies\Microsoft.mshtml.dll'
 - '<\Microsoft.mshtml,fileVersion='
+ - 'FL_Microsoft_mshtml_dll_____X86.'
+ - 'Microsoft_mshtml_dll_1_____X86.'
+ - '<\Microsoft.mshtml,culture='
 condition: selection and not 1 of filter*
 falsepositives:
 - Unknown
 level: high
 tags:
 - attack.persistence
- - attack.t1547.001
\ No newline at end of file
+ - attack.t1547.001
From b4de14486233d543cacebc135b5b5dff9613938b Mon Sep 17 00:00:00 2001
From: frack113
Date: Sat, 5 Mar 2022 11:09:27 +0100
Subject: [PATCH 08/11] Office Installation FP
---
 .../registry_event_asep_reg_keys_modification_common.yml | 8 ++++++--
 ...stry_event_asep_reg_keys_modification_wow6432node.yml | 7 ++++++-
 .../registry_event_outlook_registry_todaypage.yml | 9 +++++++--
 .../registry_event_persistence_search_order.yml | 7 ++++---
 ...registry_event_removal_com_hijacking_registry_key.yml | 8 ++++++--
 5 files changed, 29 insertions(+), 10 deletions(-)
diff --git a/rules/windows/registry_event/registry_event_asep_reg_keys_modification_common.yml b/rules/windows/registry_event/registry_event_asep_reg_keys_modification_common.yml
index 3a53b7b64..7cc36d92f 100644
--- a/rules/windows/registry_event/registry_event_asep_reg_keys_modification_common.yml
+++ b/rules/windows/registry_event/registry_event_asep_reg_keys_modification_common.yml
@@ -11,7 +11,7 @@ references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 date: 2019/10/25
-modified: 2022/03/04
+modified: 2022/03/05
 logsource:
 category: registry_event
 product: windows
@@ -55,7 +55,11 @@ detection:
 Image:
 - 'C:\Windows\System32\poqexec.exe'
 - 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
- - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe'
+ filter_office:
+ Image|startswith:
+ - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
+ - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
+ Image|endswith: '\OfficeClickToRun.exe'
 condition: main_selection and not 1 of filter_*
 fields:
 - SecurityID
diff --git a/rules/windows/registry_event/registry_event_asep_reg_keys_modification_wow6432node.yml b/rules/windows/registry_event/registry_event_asep_reg_keys_modification_wow6432node.yml
index bc694d939..35fc7f36d 100644
--- a/rules/windows/registry_event/registry_event_asep_reg_keys_modification_wow6432node.yml
+++ b/rules/windows/registry_event/registry_event_asep_reg_keys_modification_wow6432node.yml
@@ -11,7 +11,7 @@ references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 date: 2019/10/25
-modified: 2022/02/16
+modified: 2022/03/05
 logsource:
 category: registry_event
 product: windows
@@ -61,6 +61,11 @@ detection:
 - '"C:\ProgramData\Package Cache\{7037b699-7382-448c-89a7-4765961d2537}\windowsdesktop-runtime-'
 - '"C:\ProgramData\Package Cache\{e2d1ae32-dd1d-4ad7-a298-10e42e7840fc}\windowsdesktop-runtime-'
 Details|endswith: '.exe" /burn.runonce'
+ filter_office:
+ Image|startswith:
+ - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
+ - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
+ Image|endswith: '\OfficeClickToRun.exe'
 condition: wow_current_version_base and wow_current_version and not 1 of filter_*
 fields:
 - SecurityID
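Review bot: In `filter_office`, `Image|startswith` lists both `...\ClickToRun\` and `...\ClickToRun\Updates\`, but the first is a prefix of the second, so the `Updates\` entry can never add a match and the list reduces to the single line `Image|startswith: 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'`. The same redundant pair is added in this commit to registry_event_asep_reg_keys_modification_wow6432node, registry_event_outlook_registry_todaypage and registry_event_removal_com_hijacking_registry_key. If the intent was to allow only those two exact directories rather than the whole ClickToRun tree, `startswith` is the wrong modifier and the directory paths should be matched in full. The `filter_image` mapping whose `Image:` list opens this hunk starts before it.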
diff --git a/rules/windows/registry_event/registry_event_outlook_registry_todaypage.yml b/rules/windows/registry_event/registry_event_outlook_registry_todaypage.yml
index 089a8cc53..8513edd9e 100644
--- a/rules/windows/registry_event/registry_event_outlook_registry_todaypage.yml
+++ b/rules/windows/registry_event/registry_event_outlook_registry_todaypage.yml
@@ -6,7 +6,7 @@ references:
 - https://speakerdeck.com/heirhabarov/hunting-for-persistence-via-microsoft-exchange-server-or-outlook?slide=70
 author: Tobias Michalski
 date: 2021/06/10
-modified: 2022/01/13
+modified: 2022/03/05
 tags:
 - attack.persistence
 - attack.t1112
@@ -24,7 +24,12 @@ detection:
 Details: DWORD (0x00000001)
 selectionUserDefined:
 TargetObject|endswith: UserDefinedUrl
- condition: selection1 and (selectionStamp or selectionUserDefined)
+ filter_office:
+ Image|startswith:
+ - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
+ - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
+ Image|endswith: '\OfficeClickToRun.exe'
+ condition: selection1 and (selectionStamp or selectionUserDefined) and not 1 of filter_*
 fields:
 - Details
 falsepositives:
diff --git a/rules/windows/registry_event/registry_event_persistence_search_order.yml b/rules/windows/registry_event/registry_event_persistence_search_order.yml
index 2f5a52513..90b5760e4 100644
--- a/rules/windows/registry_event/registry_event_persistence_search_order.yml
+++ b/rules/windows/registry_event/registry_event_persistence_search_order.yml
@@ -7,7 +7,7 @@ references:
 - https://attack.mitre.org/techniques/T1546/015/
 author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien
 date: 2020/04/14
-modified: 2022/02/25
+modified: 2022/03/05
 tags:
 - attack.persistence
 - attack.t1546.015
@@ -46,9 +46,10 @@ detection:
 - C:\WINDOWS\system32\wuauclt.exe
 - C:\WINDOWS\system32\svchost.exe
 filter_defender:
- Image|contains|all:
+ Image|contains|startswith:
 - 'C:\ProgramData\Microsoft\Windows Defender\Platform\'
- - '\MsMpEng.exe'
+ - 'C:\Program Files\Windows Defender\'
+ Image|contains|endswith: '\MsMpEng.exe'
 filter_nvidia:
 Details|contains:
 - '\FileRepository\nvmdi.inf'
diff --git a/rules/windows/registry_event/registry_event_removal_com_hijacking_registry_key.yml b/rules/windows/registry_event/registry_event_removal_com_hijacking_registry_key.yml
index ab781a734..c28567261 100644
--- a/rules/windows/registry_event/registry_event_removal_com_hijacking_registry_key.yml
+++ b/rules/windows/registry_event/registry_event_removal_com_hijacking_registry_key.yml
@@ -10,7 +10,7 @@ references:
 - https://docs.microsoft.com/en-us/windows/win32/api/shobjidl_core/nn-shobjidl_core-iexecutecommand
 - https://docs.microsoft.com/en-us/windows/win32/shell/shell-and-managed-code
 date: 2020/05/02
-modified: 2022/03/04
+modified: 2022/03/05
 logsource:
 product: windows
 category: registry_event
@@ -21,8 +21,12 @@ detection:
 filter_svchost:
 Image: 'C:\Windows\system32\svchost.exe'
 filter_office:
- Image|startswith: 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
+ Image|startswith:
+ - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
+ - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
 Image|endswith: '\OfficeClickToRun.exe'
+ filter_integrator:
+ Image: 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
 filter_dropbox:
 Image|endswith: '\Dropbox.exe'
 TargetObject|startswith: 'HKCR\Dropbox.'
From 335ed247517ea3b1a9cff2f572555c12228f4b13 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 5 Mar 2022 11:21:00 +0100
Subject: [PATCH 09/11] fix: wrong channel prefix
---
 tools/config/winlogbeat-modules-enabled.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
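Review bot: `Image|contains|startswith` and `Image|contains|endswith` do not anchor the match: modifiers are applied left to right, and `contains` has already wrapped the value in wildcards by the time `startswith`/`endswith` run, so in the sigmac transform modifiers both fields degrade to plain substring matches (other backends may treat the chain differently, but none will give the anchored semantics the new names suggest). The intended filter is `Image|startswith:` over the two directories and `Image|endswith: '\MsMpEng.exe'`, with no `contains` in either chain. Dropping `|all` is correct, since the two prefixes are alternatives rather than a conjunction. The `filter_*` group this belongs to starts before the hunk.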
diff --git a/tools/config/winlogbeat-modules-enabled.yml b/tools/config/winlogbeat-modules-enabled.yml
index 978294b00..7d8bc71ae 100644
--- a/tools/config/winlogbeat-modules-enabled.yml
+++ b/tools/config/winlogbeat-modules-enabled.yml
@@ -119,7 +119,7 @@ logsources:
 product: windows
 service: bits-client
 conditions:
- winlog.channel: 'WinEventlog:Microsoft-Windows-Bits-Client/Operational'
+ winlog.channel: 'Microsoft-Windows-Bits-Client/Operational'
 defaultindex: winlogbeat-*
 # Extract all field names with yq:
 # yq -r '.detection | del(.condition) | map(keys) | .[][]' $(find sigma/rules/windows -name '*.yml') | sort -u | grep -v ^EventID$ | sed 's/^\(.*\)/ \1: winlog.event_data.\1/g'
@@ -572,4 +572,4 @@ fieldmappings:
 ApplicationPath: winlog.event_data.ApplicationPath
 ModifyingApplication: winlog.event_data.ModifyingApplication
 Action: winlog.event_data.Action
-
\ No newline at end of file
+
From a6ed1a3fb89600cea587659e1f320552d7b537ce Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 5 Mar 2022 11:24:46 +0100
Subject: [PATCH 10/11] fix: missing level
---
 sigma-schema.rx.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/sigma-schema.rx.yml b/sigma-schema.rx.yml
index 142c35278..20048eb4d 100644
--- a/sigma-schema.rx.yml
+++ b/sigma-schema.rx.yml
@@ -72,6 +72,8 @@ optional:
 level:
 type: //any
 of:
+ - type: //str
+ value: informational
 - type: //str
 value: low
 - type: //str
From 87a0bed0ecb2ffafff6422ff7dba2ffb85fcbc41 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sat, 5 Mar 2022 11:35:49 +0100
Subject: [PATCH 11/11] Add missing WinEventLog prefix
---
 tools/config/splunk-windows.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/tools/config/splunk-windows.yml b/tools/config/splunk-windows.yml
index d97c89690..32844030b 100644
--- a/tools/config/splunk-windows.yml
+++ b/tools/config/splunk-windows.yml
@@ -111,7 +111,7 @@ logsources:
 product: windows
 service: codeintegrity-operational
 conditions:
- source: 'Microsoft-Windows-CodeIntegrity/Operational'
+ source: 'WinEventLog:Microsoft-Windows-CodeIntegrity/Operational'
 windows-smbclient-security:
 product: windows
 service: smbclient-security
@@ -126,11 +126,11 @@ logsources:
 product: windows
 service: firewall-as
 conditions:
- source: 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
+ source: 'WinEventLog:Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
 windows-bits-client:
 product: windows
 service: bits-client
 conditions:
- source: 'Microsoft-Windows-Bits-Client/Operational'
+ source: 'WinEventLog:Microsoft-Windows-Bits-Client/Operational'
 fieldmappings:
 EventID: EventCode
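Review bot: Only three `source:` values gain the `WinEventLog:` prefix, while the `logsources` mapping starts and continues outside these hunks (the context shows `windows-smbclient-security` without its `conditions`), so confirm every other entry in the file carries the same prefix — a source without it yields a generated query that silently matches no events, which is a detection gap rather than an error anyone will see. The firewall source contains spaces; verify the splunk backend quotes the value in the query it emits. A one-line comment above `logsources:` stating the convention (`# source values must carry the WinEventLog: prefix used by the Splunk Windows add-on`) would keep the next addition consistent.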