From a77d3bae4bbe6eae5b9fae7b598bf9c7734424bc Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali Date: Wed, 29 Oct 2025 11:45:19 +0100 Subject: [PATCH] Merge PR #5708 from @nasbench - Multiple updates and issue fixes fix: Turla Group Commands May 2020 - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog. fix: Potential Dtrack RAT Activity - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog. fix: Potential Data Exfiltration Activity Via CommandLine Tools - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog. fix: Suspicious Network Command - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog. fix: Suspicious SYSTEM User Process Creation - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog. fix: Potential Snatch Ransomware Activity - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog. fix: Potential Devil Bait Malware Reconnaissance - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog. fix: Mint Sandstorm - AsperaFaspex Suspicious Process Execution - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog. fix: Mint Sandstorm - ManageEngine Suspicious Process Execution - Change the commandline to regex to account for additional spaces when ingesting non XML version of logs from the eventlog. update: Powershell Token Obfuscation - Powershell - Move to the TH folder in order to set the right FP expectations. 
fix: Kerberoasting Activity - Initial Query - Fix issue with filter names and logic chore: add sorting to the rule archiver script --------- Thanks: KingKDot Thanks: zambomarcell Thanks: Koifman Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com> --- ...oc_creation_win_apt_turla_comrat_may20.yml | 7 +++-- .../proc_creation_win_malware_dtrack.yml | 16 +++++------ ...creation_win_malware_snatch_ransomware.yml | 11 +++----- ...win_malware_devil_bait_output_redirect.yml | 15 ++++++----- ...storm_aspera_faspex_susp_child_process.yml | 11 ++++---- ...storm_manage_engine_susp_child_process.yml | 8 +++--- .../posh_ps_token_obfuscation.yml | 12 ++++++--- .../win_security_kerberoasting_activity.yml | 4 ++- ...ion_win_susp_data_exfiltration_via_cli.yml | 7 ++--- ...proc_creation_win_susp_network_command.yml | 16 +++++------ ..._creation_win_susp_system_user_anomaly.yml | 4 +-- tests/reference-archiver.py | 27 ++++++++++++++++++- 12 files changed, 81 insertions(+), 57 deletions(-) rename {rules => rules-threat-hunting}/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml (80%)
diff --git a/rules-emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_comrat_may20.yml b/rules-emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_comrat_may20.yml
index 99dbbe1af..fb31f4de1 100644
--- a/rules-emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_comrat_may20.yml
+++ b/rules-emerging-threats/2014/TA/Turla/proc_creation_win_apt_turla_comrat_may20.yml
@@ -6,7 +6,7 @@ references:
 - https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
 author: Florian Roth (Nextron Systems)
 date: 2020-05-26
-modified: 2021-11-27
+modified: 2025-10-19
 tags:
 - attack.privilege-escalation
 - attack.persistence
@@ -27,9 +27,8 @@ detection:
 - '.WSqmCons))|iex;'
 - 'Fr`omBa`se6`4Str`ing'
 selection_cli_2:
- CommandLine|contains|all:
- - 'net use https://docs.live.net'
- - '@aol.co.uk'
+ CommandLine|re: 'net\s+use\s+https://docs.live.net'
+ CommandLine|contains: '@aol.co.uk'
 condition: 1 of selection_*
 falsepositives:
 - Unknown
diff --git a/rules-emerging-threats/2019/Malware/Dtrack-RAT/proc_creation_win_malware_dtrack.yml b/rules-emerging-threats/2019/Malware/Dtrack-RAT/proc_creation_win_malware_dtrack.yml
index 108fd86e6..96b9f220b 100644
--- a/rules-emerging-threats/2019/Malware/Dtrack-RAT/proc_creation_win_malware_dtrack.yml
+++ b/rules-emerging-threats/2019/Malware/Dtrack-RAT/proc_creation_win_malware_dtrack.yml
@@ -10,7 +10,7 @@ references:
 - https://app.any.run/tasks/ce4deab5-3263-494f-93e3-afb2b9d79f14/
 author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2019-10-30
-modified: 2023-02-03
+modified: 2025-10-19
 tags:
 - attack.impact
 - attack.t1490
@@ -20,21 +20,17 @@ logsource:
 product: windows
 detection:
 selection_ping:
- CommandLine|contains|all:
- - 'ping -n '
- - ' echo EEEE > '
+ CommandLine|re:
+ - 'ping\s+-n '
+ - ' echo EEEE\s?>\s?'
 selection_ipconfig:
- CommandLine|contains|all:
- - 'ipconfig /all'
- - '\temp\res.ip'
+ CommandLine|re: 'ipconfig\s+/all'
+ CommandLine|contains: '\temp\res.ip'
 selection_netsh:
 CommandLine|contains|all:
 - 'interface ip show config'
 - '\temp\netsh.res'
 condition: 1 of selection_*
-fields:
- - CommandLine
- - ParentCommandLine
 falsepositives:
 - Unlikely
 level: critical
diff --git a/rules-emerging-threats/2019/Malware/Snatch/proc_creation_win_malware_snatch_ransomware.yml b/rules-emerging-threats/2019/Malware/Snatch/proc_creation_win_malware_snatch_ransomware.yml
index faea3df8b..24eb304d1 100644
--- a/rules-emerging-threats/2019/Malware/Snatch/proc_creation_win_malware_snatch_ransomware.yml
+++ b/rules-emerging-threats/2019/Malware/Snatch/proc_creation_win_malware_snatch_ransomware.yml
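Review bot: Moving `selection_cli_2` from `contains|all` to `re` changes case handling as well as whitespace handling: Sigma's `contains` is case-insensitive by default while `re` is case-sensitive unless the `i` flag is applied, so `NET USE https://docs.live.net` as typically written in batch scripts would no longer match. Use `CommandLine|re|i: 'net\s+use\s+https://docs\.live\.net'` where the target backends support the spec v2 `re|i` modifier (this also escapes the dots, which currently match any character). The two keys inside the one map remain AND-linked, so the original `all` semantics are preserved.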
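Review bot: `selection_ping` loses its conjunction: the old `CommandLine|contains|all` required both `ping -n ` and ` echo EEEE > `, but the new `CommandLine|re:` list is OR-linked like any Sigma value list, so any command line containing `ping -n ` on its own now fires this critical-level rule. Restore the AND with `CommandLine|re|all:` (pySigma applies `all` to regex lists; confirm for the backends in use) or split the two patterns into separately named selections joined with `all of`. Separately, `' echo EEEE\s?>\s?'` absorbs at most one whitespace on each side of the `>`, so heavier padding still misses; `\s*` (or `\s+` to keep the original at-least-one-space requirement) would be consistent with the `\s+` used elsewhere in this PR.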
@@ -6,7 +6,7 @@ references:
 - https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
 author: Florian Roth (Nextron Systems)
 date: 2020-08-26
-modified: 2023-02-13
+modified: 2025-10-19
 tags:
 - attack.execution
 - attack.t1204
@@ -16,14 +16,9 @@ logsource:
 product: windows
 detection:
 selection:
- CommandLine|contains:
- - 'shutdown /r /f /t 00' # Shutdown in safe mode immediately
- - 'net stop SuperBackupMan'
+ - CommandLine|re: 'shutdown\s+/r /f /t 00' # Shutdown in safe mode immediately
+ - CommandLine|re: 'net\s+stop SuperBackupMan'
 condition: selection
-fields:
- - ComputerName
- - User
- - Image
 falsepositives:
 - Scripts that shutdown the system immediately and reboot them in safe mode are unlikely
 level: high
diff --git a/rules-emerging-threats/2021/Malware/Devil-Bait/proc_creation_win_malware_devil_bait_output_redirect.yml b/rules-emerging-threats/2021/Malware/Devil-Bait/proc_creation_win_malware_devil_bait_output_redirect.yml
index d7c890483..d980b7a18 100644
--- a/rules-emerging-threats/2021/Malware/Devil-Bait/proc_creation_win_malware_devil_bait_output_redirect.yml
+++ b/rules-emerging-threats/2021/Malware/Devil-Bait/proc_creation_win_malware_devil_bait_output_redirect.yml
@@ -10,6 +10,7 @@ references:
 - https://www.virustotal.com/gui/file/fa71eee906a7849ba3f4bab74edb577bd1f1f8397ca428591b4a9872ce1f1e9b/behavior
 author: Nasreddine Bencherchali (Nextron Systems), NCSC (Idea)
 date: 2023-05-15
+modified: 2025-10-19
 tags:
 - attack.defense-evasion
 - attack.t1218
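Review bot: The regex conversion in `selection` is only partial: `'shutdown\s+/r /f /t 00'` and `'net\s+stop SuperBackupMan'` tolerate extra whitespace after the first token, but every later gap still requires exactly one space. The commit message does not say where the non-XML rendering inserts padding; if it can occur at any token boundary, `'shutdown\s+/r\s+/f\s+/t\s+00'` and `'net\s+stop\s+SuperBackupMan'` are the consistent fix, and if it only ever follows the image name a one-line comment saying so would keep the next reader from "fixing" it. Note also that `re` is case-sensitive by default whereas the replaced `contains` was not.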
@@ -26,13 +27,13 @@ detection:
 - '.xml'
 - '.txt'
 selection_recon_cmd:
- CommandLine|contains:
- # Taken from a6f9043627f8be2452153b5dbf6278e9b91763c3b5c2aea537a859e0c8c6b504
- # If you find samples using other commands please add them
- - 'dir'
- - 'ipconfig /all'
- - 'systeminfo'
- - 'tasklist'
+ - CommandLine|re: 'ipconfig\s+/all'
+ - CommandLine|contains:
+ # Taken from a6f9043627f8be2452153b5dbf6278e9b91763c3b5c2aea537a859e0c8c6b504
+ # If you find samples using other commands please add them
+ - 'dir'
+ - 'systeminfo'
+ - 'tasklist'
 condition: all of selection_*
 falsepositives:
 - Unlikely
diff --git a/rules-emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_aspera_faspex_susp_child_process.yml b/rules-emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_aspera_faspex_susp_child_process.yml
index e5b7683d9..a1f9e964b 100644
--- a/rules-emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_aspera_faspex_susp_child_process.yml
+++ b/rules-emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_aspera_faspex_susp_child_process.yml
@@ -6,7 +6,7 @@ references:
 - https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/
 author: Nasreddine Bencherchali (Nextron Systems), MSTIC (idea)
 date: 2023-04-20
-modified: 2023-04-25
+modified: 2025-10-19
 tags:
 - attack.execution
 - detection.emerging-threats
@@ -43,10 +43,7 @@ detection:
 - 'Invoke-Expression'
 - 'Invoke-WebRequest'
 - 'localgroup administrators'
- - 'net group'
- - 'net user'
 - 'o365accountconfiguration'
- - 'query session'
 - 'samaccountname='
 - 'set-MpPreference'
 - 'svhost.exe'
@@ -55,7 +52,11 @@ detection:
 - 'usoprivate'
 - 'usoshared'
 - 'whoami'
- - CommandLine|re: '[-/–][Ee^]{1,2}[ncodema^]*\s[A-Za-z0-9+/=]{15,}'
+ - CommandLine|re:
+ - '[-/–][Ee^]{1,2}[ncodema^]*\s[A-Za-z0-9+/=]{15,}'
+ - 'net\s+user'
+ - 'net\s+group'
+ - 'query\s+session'
 selection_special_child_lsass_1:
 CommandLine|contains: 'lsass'
 selection_special_child_lsass_2:
diff --git a/rules-emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_manage_engine_susp_child_process.yml b/rules-emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_manage_engine_susp_child_process.yml
index 80939e29e..226b4f5c7 100644
--- a/rules-emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_manage_engine_susp_child_process.yml
+++ b/rules-emerging-threats/2023/TA/Mint-Sandstorm/proc_creation_win_apt_mint_sandstorm_manage_engine_susp_child_process.yml
@@ -6,7 +6,7 @@ references:
 - https://www.microsoft.com/en-us/security/blog/2023/04/18/nation-state-threat-actor-mint-sandstorm-refines-tradecraft-to-attack-high-value-targets/
 author: Nasreddine Bencherchali (Nextron Systems), MSTIC (idea)
 date: 2023-04-20
-modified: 2023-04-25
+modified: 2025-10-19
 tags:
 - attack.execution
 - detection.emerging-threats
@@ -45,10 +45,7 @@ detection:
 - 'Invoke-Expression'
 - 'Invoke-WebRequest'
 - 'localgroup administrators'
- - 'net group'
- - 'net user'
 - 'o365accountconfiguration'
- - 'query session'
 - 'samaccountname='
 - 'set-MpPreference'
 - 'svhost.exe'
@@ -58,6 +55,9 @@ detection:
 - 'usoshared'
 - 'whoami'
 - CommandLine|re: '[-/–][Ee^]{1,2}[ncodema^]*\s[A-Za-z0-9+/=]{15,}'
+ - CommandLine|re: 'net\s+user'
+ - CommandLine|re: 'net\s+group'
+ - CommandLine|re: 'query\ssession'
 selection_special_child_lsass_1:
 CommandLine|contains: 'lsass'
 selection_special_child_lsass_2:
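Review bot: `'query\ssession'` in the new `CommandLine|re` entries matches exactly one whitespace character, which is the same constraint the removed `'query session'` string had and does not cover the extra spaces this commit sets out to handle; the sibling Aspera Faspex rule in this same PR uses `'query\s+session'`. Change it to `- CommandLine|re: 'query\s+session'` so the two Mint Sandstorm rules stay in sync. The three patterns could also be folded into one `- CommandLine|re:` list, as the Aspera rule does, to keep the two files structurally identical.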
diff --git a/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml
similarity index 80%
rename from rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml
rename to rules-threat-hunting/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml
index a24ba072e..0703f49b7 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml
+++ b/rules-threat-hunting/windows/powershell/powershell_script/posh_ps_token_obfuscation.yml
@@ -4,15 +4,19 @@ related:
 - id: deb9b646-a508-44ee-b7c9-d8965921c6b6
 type: similar
 status: test
-description: Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation
+description: |
+ Detects TOKEN OBFUSCATION technique from Invoke-Obfuscation in Powershell scripts.
+ Use this rule as a threat-hunting baseline to find obfuscated scripts in your environment.
+ Once tested and tuned, consider deploying a production detection rule based on this hunting rule.
 references:
 - https://github.com/danielbohannon/Invoke-Obfuscation
 author: frack113
 date: 2022-12-27
-modified: 2023-03-24
+modified: 2025-10-19
 tags:
 - attack.defense-evasion
 - attack.t1027.009
+ - detection.threat-hunting
 logsource:
 product: windows
 category: ps_script
@@ -40,5 +44,5 @@ detection:
 ScriptBlockText|contains: '`r`n'
 condition: selection and not 1 of filter_*
 falsepositives:
- - Unknown
-level: high
+ - Edge case might be possible with heavy use of string formatting or obfuscation in legitimate scripts.
+level: medium
diff --git a/rules/windows/builtin/security/win_security_kerberoasting_activity.yml b/rules/windows/builtin/security/win_security_kerberoasting_activity.yml
index 6f6e09b98..ef9d0ba17 100644
--- a/rules/windows/builtin/security/win_security_kerberoasting_activity.yml
+++ b/rules/windows/builtin/security/win_security_kerberoasting_activity.yml
@@ -10,6 +10,7 @@ references:
 - https://adsecurity.org/?p=3513
 author: '@kostastsale'
 date: 2022-01-21
+modified: 2025-10-19
 tags:
 - attack.credential-access
 - attack.t1558.003
@@ -21,10 +22,11 @@ detection:
 EventID: 4769
 Status: '0x0' # Translated as status from failure code field. Query only for successes
 TicketEncryptionType: '0x17' # RC4 ticket encryption type
- filter_main_:
+ filter_main_krbtgt:
 ServiceName|endswith:
 - 'krbtgt' # Ignore requests for the krbtgt service
 - '$' # Ignore requests from service names that end with $ which are associated with genuine kerberos traffic
+ filter_main_machine_accounts:
 TargetUserName|contains: '$@' # Ignore requests from machines
 condition: selection and not 1 of filter_main_*
 falsepositives:
diff --git a/rules/windows/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml b/rules/windows/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml
index ab64735f0..13b47e522 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_data_exfiltration_via_cli.yml
@@ -6,7 +6,7 @@ references:
 - https://www.sentinelone.com/blog/living-off-windows-defender-lockbit-ransomware-sideloads-cobalt-strike-through-microsoft-security-tool/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022-08-02
-modified: 2025-07-18
+modified: 2025-10-19
 tags:
 - attack.execution
 - attack.t1059.001
@@ -45,17 +45,18 @@ detection:
 - '--post-data'
 - '--post-file'
 payloads:
+ - CommandLine|re:
+ - 'net\s+view'
+ - 'sc\s+query'
 - CommandLine|contains:
 - 'Get-Content'
 - 'GetBytes'
 - 'hostname'
 - 'ifconfig'
 - 'ipconfig'
- - 'net view'
 - 'netstat'
 - 'nltest'
 - 'qprocess'
- - 'sc query'
 - 'systeminfo'
 - 'tasklist'
 - 'ToBase64String'
diff --git a/rules/windows/process_creation/proc_creation_win_susp_network_command.yml b/rules/windows/process_creation/proc_creation_win_susp_network_command.yml
index ed3b80e4a..a37e8bba8 100644
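Review bot: `filter_main_krbtgt` now also carries the `'$'` suffix exclusion, so its name understates what it removes, and because the two filters are now combined with `1 of filter_main_*` the `'$'` entry alone excludes every machine-account SPN rather than only requests that also came from a machine. Rename it for what it does (`filter_main_service_accounts`) or split it into `filter_main_krbtgt` and `filter_main_machine_spn` so each exclusion is self-describing. The `filter_main_machine_accounts` entry also deserves a comment that it is a deliberate blind spot: a tool running as SYSTEM on a compromised host requests service tickets as `HOST$@DOMAIN` and will be dropped by the `'$@'` exclusion.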
--- a/rules/windows/process_creation/proc_creation_win_susp_network_command.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_network_command.yml
@@ -6,7 +6,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1016/T1016.md#atomic-test-1---system-network-configuration-discovery-on-windows
 author: frack113, Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
 date: 2021-12-07
-modified: 2022-04-11
+modified: 2025-10-19
 tags:
 - attack.discovery
 - attack.t1016
@@ -15,13 +15,13 @@ logsource:
 product: windows
 detection:
 selection:
- CommandLine|contains:
- - 'ipconfig /all'
- - 'netsh interface show interface'
- - 'arp -a'
- - 'nbtstat -n'
- - 'net config'
- - 'route print'
+ CommandLine|re:
+ - 'ipconfig\s+/all'
+ - 'netsh\s+interface show interface'
+ - 'arp\s+-a'
+ - 'nbtstat\s+-n'
+ - 'net\s+config'
+ - 'route\s+print'
 condition: selection
 falsepositives:
 - Administrator, hotline ask to user
diff --git a/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml b/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml
index 8ddc25709..cf63d7c1a 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_system_user_anomaly.yml
@@ -7,7 +7,7 @@ references:
 - https://tools.thehacker.recipes/mimikatz/modules
 author: Florian Roth (Nextron Systems), David ANDRE (additional keywords)
 date: 2021-12-20
-modified: 2024-12-01
+modified: 2025-10-19
 tags:
 - attack.credential-access
 - attack.defense-evasion
@@ -35,6 +35,7 @@ detection:
 - '\mshta.exe'
 - '\ping.exe'
 - '\wscript.exe'
+ - CommandLine|re: 'net\s+user\s+'
 - CommandLine|contains:
 # - 'sc stop ' # stops a system service # causes FPs
 - ' -NoP ' # Often used in malicious PowerShell commands
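Review bot: `'netsh\s+interface show interface'` in `selection` only relaxes the first gap while the three following gaps still require a single space, so it is inconsistent with the other five entries where one `\s+` covers the only gap; if padding can appear at any token boundary this should be `'netsh\s+interface\s+show\s+interface'`. The switch from `contains` to `re` also makes all six strings case-sensitive by default, and `IPCONFIG /ALL` or `Route Print` are routinely seen in admin batch files, so consider `CommandLine|re|i:` where the backends support it. The rule body is fully inside the hunk, so the change in semantics affects the whole detection.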
@@ -74,7 +75,6 @@ detection:
 - ' p::d ' # Mimikatz
 - ';iex(' # PowerShell IEX
 - 'MiniDump' # Process dumping method apart from procdump
- - 'net user '
 filter_main_ping:
 CommandLine|contains|all:
 - 'ping'
diff --git a/tests/reference-archiver.py b/tests/reference-archiver.py
index 8bf0ffed0..b068d5de7 100644
--- a/tests/reference-archiver.py
+++ b/tests/reference-archiver.py
@@ -9,6 +9,7 @@ import requests
 import yaml
 import os
 from datetime import datetime
+from typing import Generator
 
 WEB_ARCHIVE_SAVE_URL = "https://web.archive.org/save/"
 
@@ -27,7 +28,7 @@ path_to_rules = [
 
 
 # Helper functions
-def yield_next_rule_file_path(path_to_rules: list) -> str:
+def yield_next_rule_file_path(path_to_rules: list) -> Generator[str, None, None]:
 for path_ in path_to_rules:
 for root, _, files in os.walk(path_):
 for file in files:
@@ -103,6 +104,26 @@ def archive_references(ref_list):
 return already_archived, newly_archived_references, error_archiving
 
 
+def sort_references(file_path: str):
+ """Sort the references in the rule-references.txt file alphabetically."""
+ try:
+ with open(file_path, "r") as f:
+ references = [line.strip() for line in f.readlines() if line.strip()]
+
+ # Sort references alphabetically (case-insensitive)
+ references.sort(key=str.lower)
+
+ # Write the sorted references back to the file
+ with open(file_path, "w") as f:
+ for ref in references:
+ f.write(ref + "\n")
+
+ print("References sorted successfully.")
+
+ except Exception as e:
+ print(f"Error sorting references: {e}")
+
+
 if __name__ == "__main__":
 print("Archiving references ...\n")
 
@@ -124,6 +145,10 @@ if __name__ == "__main__":
 f.write(ref)
 f.write("\n")
 
+ # Sort the references alphabetically at the end
+ print("Sorting references...")
+ sort_references("tests/rule-references.txt")
+
 # Write markdown output to open the issue
 with open(".github/latest_archiver_output.md", "w") as f:
 f.write(f"# Reference Archiver Results\n\n")
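Review bot: `sort_references` opens `file_path` for writing before the loop, so an exception raised mid-write leaves `rule-references.txt` truncated, and the `except Exception` then only prints and returns, letting the script exit 0 with a damaged file that the following markdown/issue step will happily report as success. Narrow the handling to what can actually fail (`OSError`) or let it propagate so CI fails loudly, write to a sibling temp file and `os.replace` it into place (`os` is already imported), and pass `encoding="utf-8"` on both opens since the file holds URLs and the default encoding is locale-dependent on the runner. `f.readlines()` can be replaced by iterating `f` directly. The hard-coded `"tests/rule-references.txt"` path assumes the repository root as working directory; that matches the relative `.github/...` path on the next lines, but a comment stating the assumption would help.

```python
def sort_references(file_path: str) -> None:
    """Sort the references in rule-references.txt case-insensitively and rewrite it atomically.

    Any I/O error propagates so a CI run does not report success on a broken file.
    """
    with open(file_path, "r", encoding="utf-8") as f:
        references = [line.strip() for line in f if line.strip()]

    references.sort(key=str.lower)

    # Write to a sibling temp file and swap it in so a failure mid-write cannot
    # leave a truncated rule-references.txt behind.
    tmp_path = file_path + ".tmp"
    with open(tmp_path, "w", encoding="utf-8") as f:
        f.writelines(ref + "\n" for ref in references)
    os.replace(tmp_path, file_path)
    print("References sorted successfully.")
```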