diff --git a/.github/workflows/known-FPs.csv b/.github/workflows/known-FPs.csv
index 53c439b9a..2970a47e2 100644
--- a/.github/workflows/known-FPs.csv
+++ b/.github/workflows/known-FPs.csv
@@ -75,3 +75,4 @@ c7da8edc-49ae-45a2-9e61-9fd860e4e73d;PUA - Sysinternals Tools Execution - Regist
 dcff7e85-d01f-4eb5-badd-84e2e6be8294;Windows Default Domain GPO Modification via GPME;Computer: WIN-FPV0DSIC9O6.sigma.fr
 416bc4a2-7217-4519-8dc7-c3271817f1d5;Suspicious Loading of Dbgcore/Dbghelp DLLs from Uncommon Location;procexp64\.exe
 5a6b7c8d-9e0f-1a2b-3c4d-5e6f7a8b9c0d;Cmd Launched with Hidden Start Flags to Suspicious Targets;xampp
+558eebe5-f2ba-4104-b339-36f7902bcc1a;File Creation Date Changed to Another Year;(\\target\.exe|thm\.wxl|\\AppData\\Local\\Temp\\)
diff --git a/rules-threat-hunting/windows/file/file_change/file_change_win_date_changed_to_another_year.yml b/rules-threat-hunting/windows/file/file_change/file_change_win_date_changed_to_another_year.yml
new file mode 100644
index 000000000..4e9efc4c6
--- /dev/null
+++ b/rules-threat-hunting/windows/file/file_change/file_change_win_date_changed_to_another_year.yml
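Review bot: The added allowlist entry suppresses every hit of this rule whose event matches `\\AppData\\Local\\Temp\\`, which is exactly the user-writable location the new rule's own hunting guidance singles out, so if this file is what the CI uses to silence known hits, a later regression that makes the rule fire on ordinary Temp drops would presumably no longer surface. If the hit in the test data comes from one specific file, narrowing that alternative to its filename (as the `\\target\.exe` and `thm\.wxl` branches already do) keeps the suppression tight.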
@@ -0,0 +1,60 @@
+title: File Creation Date Changed to Another Year
+id: 558eebe5-f2ba-4104-b339-36f7902bcc1a
+status: test
+description: |
+ Detects when the file creation time is changed to a year before 2020.
+ Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system.
+ Note that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity.
+ In order to use this rule in production, it is recommended first baseline normal behavior in your environment and then tune the rule accordingly.
+ Hunting Recommendation: Focus on files with creation times set to years significantly before the current date, especially those in user-writable directories.
+ Correlate with process execution logs to identify the source of the modification and investigate any unsigned or suspicious binaries involved.
+references:
+ - https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html
+author: frack113, Florian Roth (Nextron Systems)
+date: 2022-08-12
+modified: 2026-01-20
+tags:
+ - attack.t1070.006
+ - attack.defense-evasion
+ - detection.threat-hunting
+logsource:
+ category: file_change
+ product: windows
+detection:
+ selection:
+ PreviousCreationUtcTime|startswith: '202'
+ filter_main_creation_time:
+ CreationUtcTime|startswith: '202'
+ filter_main_program_files:
+ - TargetFilename|startswith:
+ - 'C:\Program Files\'
+ - 'C:\Program Files (x86)\'
+ - Image|startswith:
+ - 'C:\Program Files\'
+ - 'C:\Program Files (x86)\'
+ filter_optional_updates:
+ - Image:
+ - 'C:\Windows\system32\ProvTool.exe'
+ - 'C:\Windows\System32\usocoreworker.exe'
+ - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
+ - TargetFilename|startswith: 'C:\ProgramData\USOPrivate\UpdateStore\'
+ - TargetFilename|endswith:
+ - '.tmp'
+ - '.temp'
+ filter_optional_cab:
+ Image|startswith: 'C:\WINDOWS\System32\'
+ Image|endswith:
+ - '\TiWorker.exe'
+ - '\svchost.exe'
+ - '\sihclient.exe'
+ TargetFilename|endswith: '.cab'
+ filter_optional_msiexec:
+ Image: 'C:\Windows\system32\msiexec.exe'
+ filter_optional_vcredist:
+ Image|startswith: 'C:\Windows\Temp\'
+ Image|endswith: '\VCREDI~1.EXE'
+ condition: selection and not 1 of filter_main_* and not 1 of filter_optional_*
+falsepositives:
+ - Changes made to or by the local NTP service
+ - Software installations and updates
+level: low
diff --git a/rules/windows/file/file_change/file_change_win_2022_timestomping.yml b/rules/windows/file/file_change/file_change_win_2022_timestomping.yml
deleted file mode 100644
index e5630978c..000000000
--- a/rules/windows/file/file_change/file_change_win_2022_timestomping.yml
+++ /dev/null
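Review bot: The description line `Detects when the file creation time is changed to a year before 2020.` does not match the detection logic: `selection` requires the previous creation time to start with `'202'` and `filter_main_creation_time` only excludes new times that also start with `'202'`, so any new year outside 2020-2029 matches (including years after 2029), while a file whose original creation time was before 2020 is never considered at all. Suggest rewording it to `Detects when the creation time of a file originally set to a year in 2020-2029 is changed to a year outside that range, e.g. before 2020 or after 2029.` and placing a comment beside the two literals such as `# '202' covers 2020-2029; revisit the prefix before 2030`, since both values hard-code the current decade. Separately, `filter_main_program_files` drops the event when the modifying `Image` sits anywhere under Program Files, not only when the target does, so a creation-time change performed by an arbitrary binary placed there is silently suppressed; if that trade-off is intentional it is worth stating in the description, otherwise narrowing the `Image` branch to the installer paths you actually see keeps the hunt focused on the user-writable locations the description points to.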
@@ -1,43 +0,0 @@
-title: File Creation Date Changed to Another Year
-id: 558eebe5-f2ba-4104-b339-36f7902bcc1a
-status: test
-description: |
- Attackers may change the file creation time of a backdoor to make it look like it was installed with the operating system.
- Note that many processes legitimately change the creation time of a file; it does not necessarily indicate malicious activity.
-references:
- - https://www.inversecos.com/2022/04/defence-evasion-technique-timestomping.html
-author: frack113, Florian Roth (Nextron Systems)
-date: 2022-08-12
-modified: 2022-10-25
-tags:
- - attack.t1070.006
- - attack.defense-evasion
-logsource:
- category: file_change
- product: windows
-detection:
- selection1:
- PreviousCreationUtcTime|startswith: '2022'
- filter1:
- CreationUtcTime|startswith: '2022'
- selection2:
- PreviousCreationUtcTime|startswith: '202'
- filter2:
- CreationUtcTime|startswith: '202'
- gen_filter_updates:
- - Image:
- - 'C:\Windows\system32\ProvTool.exe'
- - 'C:\Windows\System32\usocoreworker.exe'
- - 'C:\Windows\ImmersiveControlPanel\SystemSettings.exe'
- - TargetFilename|startswith: 'C:\ProgramData\USOPrivate\UpdateStore\'
- - TargetFilename|endswith:
- - '.tmp'
- - '.temp'
- gen_filter_tiworker:
- Image|startswith: 'C:\WINDOWS\'
- Image|endswith: '\TiWorker.exe'
- TargetFilename|endswith: '.cab'
- condition: (( selection1 and not filter1 ) or ( selection2 and not filter2 )) and not 1 of gen_filter*
-falsepositives:
- - Changes made to or by the local NTP service
-level: high
diff --git a/tests/thor.yml b/tests/thor.yml
index d1572c849..ce4112cf3 100644
--- a/tests/thor.yml
+++ b/tests/thor.yml
@@ -25,6 +25,14 @@ logsources:
 fieldmappings:
 Image: NewProcessName
 ParentImage: ParentProcessName
+ file_change:
+ category: file_change
+ product: windows
+ conditions:
+ EventID: 2
+ rewrite:
+ product: windows
+ service: sysmon
 network_connection:
 category: network_connection
 product: windows