Merge pull request #4066 from nasbench/nasbench-rule-devel

feat: multiple updates and fixes
2023-02-22 17:20:58 +01:00
parent bf82309e2d ae45af68ab
commit aa8c18c0a5
194 changed files with 513 additions and 328 deletions
@@ -1,12 +1,12 @@
 title: Invoke-Obfuscation RUNDLL LAUNCHER
 id: 056a7ee1-4853-4e67-86a0-3fd9ceed7555
-status: test
+status: deprecated
 description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
 references:
    - https://github.com/SigmaHQ/sigma/issues/1009 #(Task 23)
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/18
-modified: 2022/03/07
+modified: 2023/02/21
 tags:
    - attack.defense_evasion
    - attack.t1027
@@ -1,12 +1,12 @@
 title: New Service Creation
 id: 7fe71fc9-de3b-432a-8d57-8c809efc10ab
-status: test
+status: deprecated
 description: Detects creation of a new service.
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md
 author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
 date: 2019/10/21
-modified: 2022/07/14
+modified: 2023/02/20
 tags:
    - attack.persistence
    - attack.privilege_escalation
@@ -1,15 +1,15 @@
-title: Accesschk Usage To Check Privileges
+title: Permission Check Via Accesschk.EXE
 id: c625d754-6a3d-4f65-9c9a-536aea960d37
 status: test
-description: Accesschk is an access and privilege audit tool developed by SysInternal and often being used by attacker to verify privileges
+description: Detects the usage of the "Accesschk" utility, an access and privilege audit tool developed by SysInternal and often being abused by attacker to verify process privileges
 references:
    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43
    - https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW
    - https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat
    - https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat
-author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community, Nasreddine Bencherchali (modified)
+author: Teymur Kheirkhabarov (idea), Mangatas Tondang, oscd.community, Nasreddine Bencherchali (Nextron Systems)
 date: 2020/10/13
-modified: 2022/10/20
+modified: 2023/02/20
 tags:
    - attack.discovery
    - attack.t1069.001
@@ -1,14 +1,17 @@
-title: Suspicious AdFind Enumeration
+title: Suspicious ActiveDirectory Enumeration Via AdFind.EXE
 id: 455b9d50-15a1-4b99-853f-8d37655a4c1b
+related:
+    - id: 9a132afa-654e-11eb-ae93-0242ac130002
+      type: similar
 status: experimental
-description: Detects the execution of a AdFind for enumeration based on it's commadline flags
+description: Detects active directory enumeration activity using known AdFind CLI flags
 references:
    - https://www.joeware.net/freetools/tools/adfind/
    - https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md
 author: frack113
 date: 2021/12/13
-modified: 2022/08/12
+modified: 2023/02/21
 tags:
    - attack.discovery
    - attack.t1087.002
@@ -16,7 +19,7 @@ logsource:
    product: windows
    category: process_creation
 detection:
-    selection_password: #Listing password policy
+    selection_password: # Listing password policy
        CommandLine|contains:
            - lockoutduration
            - lockoutthreshold
@@ -26,11 +29,11 @@ detection:
            - minpwdlength
            - pwdhistorylength
            - pwdproperties
-    selection_enum_ad: #Enumerate Active Directory Admins
+    selection_enum_ad: # Enumerate Active Directory Admins
        CommandLine|contains: '-sc admincountdmp'
-    selection_enum_exchange: #Enumerate Active Directory Exchange AD Objects
+    selection_enum_exchange: # Enumerate Active Directory Exchange AD Objects
        CommandLine|contains: '-sc exchaddresses'
    condition: 1 of selection_*
 falsepositives:
-    - Administrative activity
+    - Authorized administrative activity
 level: high
@@ -1,10 +1,12 @@
-title: AdFind Usage Detection
+title: AdFind Suspicious Execution
 id: 9a132afa-654e-11eb-ae93-0242ac130002
 related:
+    - id: 455b9d50-15a1-4b99-853f-8d37655a4c1b
+      type: similar
    - id: 75df3b17-8bcc-4565-b89b-c9898acef911
      type: obsoletes
 status: test
-description: AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain.
+description: Detects AdFind execution with common flags seen used during attacks
 references:
    - https://www.joeware.net/freetools/tools/adfind/
    - https://thedfirreport.com/2020/05/08/adfind-recon/
@@ -14,7 +16,7 @@ references:
    - https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md
 author: Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community
 date: 2021/02/02
-modified: 2022/08/12
+modified: 2023/02/21
 tags:
    - attack.discovery
    - attack.t1018
@@ -1,14 +1,17 @@
-title: Suspicious NT Resource Kit Auditpol Usage
+title: Audit Policy Tampering Via NT Resource Kit Auditpol
 id: c6c56ada-612b-42d1-9a29-adad3c5c2c1e
+related:
+    - id: 0a13e132-651d-11eb-ae93-0242ac130002 # New auditpol version
+      type: similar
 status: test
 description: |
    Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability.
    This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
 references:
    - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Windows%202000%20Resource%20Kit%20Tools/AuditPol
-author: Nasreddine Bencherchali @nas_bench
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2021/12/18
-modified: 2022/12/25
+modified: 2023/02/21
 tags:
    - attack.defense_evasion
    - attack.t1562.002
@@ -1,5 +1,8 @@
-title: Suspicious Auditpol Usage
+title: Audit Policy Tampering Via Auditpol
 id: 0a13e132-651d-11eb-ae93-0242ac130002
+related:
+    - id: c6c56ada-612b-42d1-9a29-adad3c5c2c1e # Old auditpol
+      type: similar
 status: test
 description: |
  Threat actors can use auditpol binary to change audit policy configuration to impair detection capability.
@@ -8,7 +11,7 @@ references:
    - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
 author: Janantha Marasinghe (https://github.com/blueteam0ps)
 date: 2021/02/02
-modified: 2022/10/09
+modified: 2023/02/22
 tags:
    - attack.defense_evasion
    - attack.t1562.002
@@ -16,15 +19,16 @@ logsource:
    category: process_creation
    product: windows
 detection:
-    selection_auditpol_binary:
-        Image|endswith: '\auditpol.exe'
-    selection_auditpol_command:
+    selection_img:
+        - Image|endswith: '\auditpol.exe'
+        - OriginalFileName: 'AUDITPOL.EXE'
+    selection_cli:
        CommandLine|contains:
            - 'disable' # disables a specific audit policy
            - 'clear'   # delete or clears audit policy
            - 'remove'  # removes an audit policy
            - 'restore' # restores an audit policy
-    condition: selection_auditpol_binary and selection_auditpol_command
+    condition: all of selection_*
 falsepositives:
    - Admin activity
 level: high
@@ -1,14 +1,15 @@
-title: Overwrite Deleted Data with Cipher
+title: Deleted Data Overwritten Via Cipher.EXE
 id: 4b046706-5789-4673-b111-66f25fe99534
 status: experimental
 description: |
+    Detects usage of the "cipher" built-in utility in order to overwrite deleted data from disk.
    Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
    Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md#atomic-test-3---overwrite-deleted-data-on-c-drive
 author: frack113
 date: 2021/12/26
-modified: 2023/01/18
+modified: 2023/02/21
 tags:
    - attack.impact
    - attack.t1485
@@ -1,13 +1,13 @@
-title: Use of CLIP
+title: Data Copied To Clipboard Via Clip.EXE
 id: ddeff553-5233-4ae9-bbab-d64d2bd634be
 status: test
-description: Adversaries may collect data stored in the clipboard from users copying information within or between applications.
+description: Detects the execution of clip.exe in order to copy data to the clipboard. Adversaries may collect data stored in the clipboard from users copying information within or between applications.
 references:
    - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/clip
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1115/T1115.md
 author: frack113
 date: 2021/07/27
-modified: 2022/10/09
+modified: 2023/02/21
 tags:
    - attack.collection
    - attack.t1115
@@ -1,4 +1,4 @@
-title: Curl Start Combination
+title: Suspicious Curl Download And Execute Combination
 id: 21dd6d38-2b18-4453-9404-a0fe4a0cc288
 status: test
 description: Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.
@@ -6,7 +6,7 @@ references:
    - https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983
 author: Sreeman, Nasreddine Bencherchali
 date: 2020/01/13
-modified: 2022/08/02
+modified: 2023/02/21
 tags:
    - attack.execution
    - attack.t1218
@@ -1,4 +1,4 @@
-title: Suspicious Net Use Command Combo
+title: Suspicious File Execution From Internet Hosted WebDav Share
 id: f0507c0f-a3a2-40f5-acc6-7f543c334993
 status: experimental
 description: Detects net use command combo which executes files from WebDAV server; seen in malicious LNK files
@@ -7,6 +7,7 @@ references:
    - https://www.virustotal.com/gui/file/a63376ee1dba76361df73338928e528ca5b20171ea74c24581605366dcaa0104/behavior
 author: pH-T (Nextron Systems)
 date: 2022/09/01
+modified: 2023/02/21
 tags:
    - attack.execution
    - attack.t1059.001
@@ -14,8 +15,9 @@ logsource:
    category: process_creation
    product: windows
 detection:
-    image:
-        Image|contains: '\cmd.exe'
+    selection_img:
+        - Image|contains: '\cmd.exe'
+        - OriginalFileName: 'Cmd.EXE'
    selection_base:
        CommandLine|contains|all:
            - ' net use http'
@@ -28,7 +30,7 @@ detection:
            - '.bat '
            - '.vbs '
            - '.ps1 '
-    condition: image and all of selection*
+    condition: all of selection_*
 falsepositives:
    - Unknown
 level: high
@@ -1,14 +1,17 @@
-title: Curl Usage on Windows
-id: bbeaed61-1990-4773-bf57-b81dbad7db2d
+title: File Download Via Curl.EXE
+id: 9a517fca-4ba3-4629-9278-a68694697b81
 related:
-    - id: e218595b-bbe7-4ee5-8a96-f32a24ad3468
+    - id: bbeaed61-1990-4773-bf57-b81dbad7db2d # Basic curl execution
      type: derived
-status: test
-description: Detects a curl process start on Windows, which indicates a file download from a remote location or a simple web request to a remote server
+    - id: e218595b-bbe7-4ee5-8a96-f32a24ad3468 # Suspicious curl execution
+      type: derived
+status: experimental
+description: Detects file download using curl.exe
 references:
    - https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464
 author: Florian Roth (Nextron Systems)
 date: 2022/07/05
+modified: 2023/02/21
 tags:
    - attack.command_and_control
    - attack.t1105
@@ -16,14 +19,19 @@ logsource:
    category: process_creation
    product: windows
 detection:
-    selection:
+    selection_img:
        - Image|endswith: '\curl.exe'
        - Product: 'The curl executable'
-    condition: selection
+    selection_remote:
+        CommandLine|contains:
+            - ' -O'  # covers the alias for --remote-name and --output
+            - '--remote-name'
+            - '--output'
+    condition: all of selection_*
 fields:
    - CommandLine
    - ParentCommandLine
 falsepositives:
    - Scripts created by developers and admins
    - Administrative activity
-level: low
+level: medium
@@ -0,0 +1,30 @@
+title: Curl.EXE Execution
+id: bbeaed61-1990-4773-bf57-b81dbad7db2d
+related:
+    - id: e218595b-bbe7-4ee5-8a96-f32a24ad3468 # Suspicious curl execution
+      type: derived
+status: test
+description: Detects a curl process start on Windows, which could indicates a file download from a remote location or a simple web request to a remote server
+references:
+    - https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464
+author: Florian Roth (Nextron Systems)
+date: 2022/07/05
+modified: 2023/02/21
+tags:
+    - attack.command_and_control
+    - attack.t1105
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        - Image|endswith: '\curl.exe'
+        - Product: 'The curl executable'
+    condition: selection
+fields:
+    - CommandLine
+    - ParentCommandLine
+falsepositives:
+    - Scripts created by developers and admins
+    - Administrative activity
+level: low
@@ -1,7 +1,7 @@
-title: Suspicious Curl File Upload
+title: Potential Data Exfiltration Via Curl.EXE
 id: 00bca14a-df4e-4649-9054-3f2aa676bc04
 status: test
-description: Detects a suspicious curl process start the adds a file to a web request
+description: Detects the execution of the "curl" process with "upload" flags. Which might indicate potential data exfiltration
 references:
    - https://twitter.com/d1r4c/status/1279042657508081664
    - https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76
@@ -9,7 +9,7 @@ references:
    - https://curl.se/docs/manpage.html
 author: Florian Roth (Nextron Systems)
 date: 2020/07/03
-modified: 2022/09/15
+modified: 2023/02/21
 tags:
    - attack.exfiltration
    - attack.t1567
@@ -30,7 +30,7 @@ detection:
            - ' -d '
            - ' --data '
            - ' --data-' # For flags like: "--data-ascii", "--data-binary", "--data-raw", "--data-urlencode"
-    condition: all of selection*
+    condition: all of selection_*
 fields:
    - CommandLine
    - ParentCommandLine
@@ -1,8 +1,10 @@
-title: Suspicious Curl Usage on Windows
+title: Suspicious Curl.EXE Download
 id: e218595b-bbe7-4ee5-8a96-f32a24ad3468
 related:
-    - id: bbeaed61-1990-4773-bf57-b81dbad7db2d
+    - id: bbeaed61-1990-4773-bf57-b81dbad7db2d # Basic curl execution
      type: derived
+    - id: 9a517fca-4ba3-4629-9278-a68694697b81 # Curl download
+      type: similar
 status: experimental
 description: Detects a suspicious curl process start on Windows and outputs the requested document to a local file
 references:
@@ -10,9 +12,9 @@ references:
    - https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464
    - https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt
    - https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/
-author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
+author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2020/07/03
-modified: 2023/01/11
+modified: 2023/02/21
 tags:
    - attack.command_and_control
    - attack.t1105
@@ -25,29 +27,29 @@ detection:
        - Product: 'The curl executable'
    selection_susp_locations:
        CommandLine|contains:
-            - '\AppData\'
-            - '\Users\Public\'
-            - '\Temp\'
            - '%AppData%'
+            - '%Public%'
            - '%Temp%'
            - '%tmp%'
-            - '%Public%'
+            - '\AppData\'
            - '\Desktop\'
+            - '\Temp\'
+            - '\Users\Public\'
            - 'C:\PerfLogs\'
+            - 'C:\ProgramData\'
+            - 'C:\Windows\Temp\'
    selection_susp_extensions:
        CommandLine|endswith:
-            - '.jpg'
-            - '.jpeg'
-            - '.png'
+            - '.dll'
            - '.gif'
-            - '.tmp'
+            - '.jpeg'
+            - '.jpg'
+            - '.png'
            - '.temp'
+            - '.tmp'
            - '.txt'
-    selection_susp_remote_name_or_output:
-        CommandLine|contains:
-            - ' -O'  # covers the alias for --remote-name and --output
-            - '--remote-name'
-            - '--output'
+            - '.vbe'
+            - '.vbs'
    filter_git_windows:
        # Example FP
        # CommandLine: "C:\Program Files\Git\mingw64\bin\curl.exe" --silent --show-error --output C:/Users/test/AppData/Local/Temp/gfw-httpget-jVOEoxbS.txt --write-out %{http_code} https://gitforwindows.org/latest-tag.txt
@@ -56,7 +58,8 @@ detection:
        CommandLine|contains|all:
            - '--silent --show-error --output '
            - 'gfw-httpget-'
-    condition: selection_curl and 1 of selection_susp* and not 1 of filter_*
+            - 'AppData'
+    condition: selection_curl and 1 of selection_susp_* and not 1 of filter_*
 fields:
    - CommandLine
    - ParentCommandLine
@@ -1,12 +1,13 @@
-title: Suspicious Curl Change User Agents
+title: Curl.EXE Execution With Custom UserAgent
 id: 3286d37a-00fd-41c2-a624-a672dcd34e60
 status: test
-description: Detects a suspicious curl process start on Windows with set useragent options
+description: Detects execution of curl.exe with custom useragent options
 references:
    - https://curl.se/docs/manpage.html
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#atomic-test-2---malicious-user-agents---cmd
 author: frack113
 date: 2022/01/23
+modified: 2023/02/21
 tags:
    - attack.command_and_control
    - attack.t1071.001
@@ -1,12 +1,13 @@
-title: Dllhost Process With No CommandLine
+title: Dllhost.EXE Execution Anomaly
 id: e7888eb1-13b0-4616-bd99-4bc0c2b054b9
 status: experimental
-description: Detects a "dllhost" spawning with no commandline arguments which is a very rare thing to happen and could indicate process injection activity or malware mimicking similar system processes
+description: Detects a "dllhost" process spawning with no commandline arguments which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes.
 references:
    - https://redcanary.com/blog/child-processes/
    - https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/06/27
+modified: 2023/02/21
 tags:
    - attack.defense_evasion
    - attack.t1055
@@ -20,5 +20,5 @@ detection:
        - Image|contains: '\dnscat2'
    condition: selection
 falsepositives:
-    - Legitimate usage of iodine or dnscat2 — DNS Exfiltration tools (unlikely)
+    - Unlikely
 level: high
@@ -1,4 +1,4 @@
-title: Covenant Launcher Indicators
+title: HackTool - Covenant PowerShell Launcher
 id: c260b6db-48ba-4b4a-a76f-2f67644e99d2
 status: test
 description: Detects suspicious command lines used in Covenant luanchers
@@ -6,7 +6,7 @@ references:
    - https://posts.specterops.io/covenant-v0-5-eee0507b85ba
 author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community
 date: 2020/06/04
-modified: 2021/11/27
+modified: 2023/02/21
 tags:
    - attack.execution
    - attack.defense_evasion
@@ -16,7 +16,7 @@ logsource:
    category: process_creation
    product: windows
 detection:
-    selection:
+    selection_1:
        CommandLine|contains|all:
            - '-Sta'
            - '-Nop'
@@ -25,11 +25,11 @@ detection:
        CommandLine|contains:
            - '-Command'
            - '-EncodedCommand'
-    selection2:
+    selection_2:
        CommandLine|contains:
            - 'sv o (New-Object IO.MemorySteam);sv d '
            - 'mshta file.hta'
            - 'GruntHTTP'
            - '-EncodedCommand cwB2ACAAbwAgA'
-    condition: selection or selection2
+    condition: 1 of selection_*
 level: high
@@ -1,11 +1,12 @@
-title: CrackMapExec Command Execution
+title: HackTool - CrackMapExec Execution Patterns
 id: 058f4380-962d-40a5-afce-50207d36d7e2
 status: stable
-description: Detect various execution methods of the CrackMapExec pentesting framework
+description: Detects various execution patterns of the CrackMapExec pentesting framework
 references:
    - https://github.com/byt3bl33d3r/CrackMapExec
 author: Thomas Patzke
 date: 2020/05/22
+modified: 2023/02/22
 tags:
    - attack.execution
    - attack.t1047
@@ -1,4 +1,4 @@
-title: CrackMapExec PowerShell Obfuscation
+title: HackTool - CrackMapExec PowerShell Obfuscation
 id: 6f8b3439-a203-45dc-a88b-abf57ea15ccf
 status: test
 description: The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule.
@@ -7,7 +7,7 @@ references:
    - https://github.com/byt3bl33d3r/CrackMapExec/blob/0a49f75347b625e81ee6aa8c33d3970b5515ea9e/cme/helpers/powershell.py#L242
 author: Thomas Patzke
 date: 2020/05/22
-modified: 2021/11/27
+modified: 2023/02/21
 tags:
    - attack.execution
    - attack.t1059.001
@@ -17,11 +17,14 @@ logsource:
    category: process_creation
    product: windows
 detection:
-    powershell_execution:
-        CommandLine|contains:
-            - 'powershell.exe'
-            - 'pwsh.exe'
-    snippets:
+    selection_img:
+        - Image|endswith:
+            - '\powershell.exe'
+            - '\pwsh.exe'
+        - OriginalFileName:
+            - 'PowerShell.EXE'
+            - 'pwsh.dll'
+    selection_cli:
        CommandLine|contains:
            - 'join*split'
            # Line 343ff
@@ -30,7 +33,7 @@ detection:
            - '( $env:Public[13]+$env:Public[5]+''x'')'
            - '( $env:ComSpec[4,*,25]-Join'''')'
            - '[1,3]+''x''-Join'''')'
-    condition: powershell_execution and snippets
+    condition: all of selection_*
 fields:
    - ComputerName
    - User
@@ -1,4 +1,4 @@
-title: Empire PowerShell Launch Parameters
+title: HackTool - Empire PowerShell Launch Parameters
 id: 79f4ede3-402e-41c8-bc3e-ebbf5f162581
 status: test
 description: Detects suspicious powershell command line parameters used in Empire
@@ -9,7 +9,7 @@ references:
    - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64
 author: Florian Roth (Nextron Systems)
 date: 2019/04/20
-modified: 2021/11/27
+modified: 2023/02/21
 tags:
    - attack.execution
    - attack.t1059.001
@@ -1,4 +1,4 @@
-title: Empire PowerShell UAC Bypass
+title: HackTool - Empire PowerShell UAC Bypass
 id: 3268b746-88d8-4cd3-bffc-30077d02c787
 status: stable
 description: Detects some Empire PowerShell UAC bypass methods
@@ -7,7 +7,7 @@ references:
    - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64
 author: Ecco
 date: 2019/08/30
-modified: 2022/08/13
+modified: 2023/02/21
 tags:
    - attack.defense_evasion
    - attack.privilege_escalation
@@ -1,4 +1,4 @@
-title: Potential Impacket Lateral Movement Activity
+title: HackTool - Potential Impacket Lateral Movement Activity
 id: 10c14723-61c7-4c75-92ca-9af245723ad2
 related:
    - id: e31f89f7-36fb-4697-8ab6-48823708353b
@@ -13,7 +13,7 @@ references:
    - https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html
 author: Ecco, oscd.community, Jonhnathan Ribeiro, Tim Rauch
 date: 2019/09/03
-modified: 2023/01/19
+modified: 2023/02/21
 tags:
    - attack.execution
    - attack.t1047
@@ -1,13 +1,13 @@
-title: Jlaive Usage For Assembly Execution In-Memory
+title: HackTool - Jlaive In-Memory Assembly Execution
 id: 0a99eb3e-1617-41bd-b095-13dc767f3def
 status: experimental
-description: Detect the use of Jlaive to execute assemblies in a copied PowerShell
+description: Detects the use of Jlaive to execute assemblies in a copied PowerShell
 references:
    - https://jstnk9.github.io/jstnk9/research/Jlaive-Antivirus-Evasion-Tool
-    - https://github.com/ch2sh/Jlaive
+    - https://web.archive.org/web/20220514073704/https://github.com/ch2sh/Jlaive
 author: Jose Luis Sanchez Martinez (@Joseliyo_Jstnk)
 date: 2022/05/24
-modified: 2022/07/14
+modified: 2023/02/22
 tags:
    - attack.execution
    - attack.t1059.003
@@ -0,0 +1,54 @@
+title: HackTool - Mimikatz Execution
+id: a642964e-bead-4bed-8910-1bb4d63e3b4d
+status: test
+description: Detection well-known mimikatz command line arguments
+references:
+    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+    - https://tools.thehacker.recipes/mimikatz/modules
+author: Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton
+date: 2019/10/22
+modified: 2023/02/21
+tags:
+    - attack.credential_access
+    - attack.t1003.001
+    - attack.t1003.002
+    - attack.t1003.004
+    - attack.t1003.005
+    - attack.t1003.006
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_tools_name:
+        CommandLine|contains:
+            - 'DumpCreds'
+            - 'mimikatz'
+    selection_function_names: # To cover functions from modules that are not in module_names
+        CommandLine|contains:
+            - '::aadcookie' #misc module
+            - '::detours' #misc module
+            - '::memssp' #misc module
+            - '::mflt' #misc module
+            - '::ncroutemon' #misc module
+            - '::ngcsign' #misc module
+            - '::printnightmare' #misc module
+            - '::skeleton' #misc module
+            - '::preshutdown'  #service module
+            - '::mstsc'  #ts module
+            - '::multirdp'  #ts module
+    selection_module_names:
+        CommandLine|contains:
+            - 'rpc::'
+            - 'token::'
+            - 'crypto::'
+            - 'dpapi::'
+            - 'sekurlsa::'
+            - 'kerberos::'
+            - 'lsadump::'
+            - 'privilege::'
+            - 'process::'
+            - 'vault::'
+    condition: 1 of selection_*
+falsepositives:
+    - Unlikely
+level: high
@@ -1,4 +1,4 @@
-title: Detecting Fake Instances Of Hxtsr.exe
+title: Fake Instance Of Hxtsr.exe
 id: 4e762605-34a8-406d-b72e-c1a089313320
 status: test
 description: |
@@ -8,7 +8,7 @@ description: |
    Any instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe
 author: Sreeman
 date: 2020/04/17
-modified: 2022/03/06
+modified: 2023/02/21
 tags:
    - attack.defense_evasion
    - attack.t1036
@@ -1,13 +1,13 @@
-title: Disable or Delete Windows Eventlog
+title: Suspicious Windows Trace ETW Session Tamper Via Logman.EXE
 id: cd1f961e-0b96-436b-b7c6-38da4583ec00
 status: test
-description: Detects command that is used to disable or delete Windows eventlog via logman Windows utility
+description: Detects the execution of "logman" utility in order to disable or delete Windows trace sessions
 references:
    - https://twitter.com/0gtweet/status/1359039665232306183?s=21
    - https://ss64.com/nt/logman.html
 author: Florian Roth (Nextron Systems)
 date: 2021/02/11
-modified: 2022/12/25
+modified: 2023/02/21
 tags:
    - attack.defense_evasion
    - attack.t1562.001
@@ -16,14 +16,19 @@ logsource:
    category: process_creation
    product: windows
 detection:
-    selection_tools:
-        CommandLine|contains: 'logman '
+    selection_img:
+        - Image|endswith: '\logman.exe'
+        - OriginalFileName: 'Logman.exe'
    selection_action:
        CommandLine|contains:
            - 'stop '
            - 'delete '
    selection_service:
-        CommandLine|contains: EventLog-System
+        CommandLine|contains:
+            - 'Circular Kernel Context Logger'
+            - 'EventLog-' # Cover multiple traces starting with EventLog-*
+            - 'SYSMON TRACE'
+            - 'SysmonDnsEtwSession'
    condition: all of selection*
 falsepositives:
    - Legitimate deactivation by administrative staff
@@ -14,7 +14,6 @@ tags:
 logsource:
    category: process_creation
    product: windows
-    definition: 'Requirements: Sysmon ProcessCreation logging must be activated and Windows audit must Include command line in process creation events'
 detection:
    selection:
        Image|endswith: '\diskshadow.exe'
@@ -18,7 +18,7 @@ detection:
        Image|endswith: '\GfxDownloadWrapper.exe'
    filter:
        CommandLine|contains: 'gameplayapi.intel.com'
-        ParentImage|endswith: 
+        ParentImage|endswith:
            - '\GfxDownloadWrapper.exe'
            - '\igfxEM.exe'
    condition: image_path and not filter
@@ -1,4 +1,4 @@
-title: Emotet RunDLL32 Process Creation
+title: Potential Emotet Rundll32 Execution
 id: 54e57ce3-0672-46eb-a402-2c0948d5e3e9
 status: test
 description: Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL
@@ -7,7 +7,7 @@ references:
    - https://cyber.wtf/2021/11/15/guess-whos-back/
 author: FPT.EagleEye
 date: 2020/12/25
-modified: 2021/11/17
+modified: 2023/02/21
 tags:
    - attack.defense_evasion
    - attack.t1218.011
@@ -1,64 +0,0 @@
-title: Mimikatz Command Line
-id: a642964e-bead-4bed-8910-1bb4d63e3b4d
-status: test
-description: Detection well-known mimikatz command line arguments
-references:
-    - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
-    - https://tools.thehacker.recipes/mimikatz/modules
-author: Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton
-date: 2019/10/22
-modified: 2022/10/07
-tags:
-    - attack.credential_access
-    - attack.t1003.001
-    - attack.t1003.002
-    - attack.t1003.004
-    - attack.t1003.005
-    - attack.t1003.006
-logsource:
-    category: process_creation
-    product: windows
-detection:
-    selection_1:
-        CommandLine|contains:
-            - DumpCreds
-            - invoke-mimikatz
-    module_names:
-        CommandLine|contains:
-            - rpc
-            - token
-            - crypto
-            - dpapi
-            - sekurlsa
-            - kerberos
-            - lsadump
-            - privilege
-            - process
-            - vault
-    mimikatz_separator:
-        CommandLine|contains: '::'
-    function_names: # To cover functions from modules that are not in module_names (likely too generic)
-        CommandLine|contains:
-            - 'aadcookie' #misc module
-            - 'detours' #misc module
-            - 'memssp' #misc module
-            - 'mflt' #misc module
-            - 'ncroutemon' #misc module
-            - 'ngcsign' #misc module
-            - 'printnightmare' #misc module
-            - 'skeleton' #misc module
-            - 'preshutdown'  #service module
-            - 'mstsc'  #ts module
-            - 'multirdp'  #ts module
-    filter_1:
-        CommandLine|contains: 'function Convert-GuidToCompressedGuid'
-    filter_vscode:
-        # This FP could occur when VSCode is installed and a search/or string selection is made to look for one of these detections mentioned above
-        ParentImage|endswith: \AppData\Local\Programs\Microsoft VS Code\Code.exe # This is the default install location please add your custom one to avoid FP
-        CommandLine|contains|all:
-            - '/d /s /c '
-            - 'checkfilenameiocs --ioc-path '
-    condition: ( selection_1 or (module_names and mimikatz_separator) or (function_names and mimikatz_separator) ) and not 1 of filter*
-falsepositives:
-    - Legitimate Administrator using tool for password recovery
-level: medium
@@ -11,7 +11,7 @@ references:
    - https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/12
-modified: 2022/09/13
+modified: 2023/02/21
 tags:
    - attack.execution
    - attack.t1218
@@ -20,7 +20,8 @@ logsource:
    product: windows
 detection:
    selection_img:
-        Image|endswith: '\mofcomp.exe'
+        - Image|endswith: '\mofcomp.exe'
+        - OriginalFileName: 'mofcomp.exe'
    selection_case:
        - ParentImage|endswith:
            - '\cmd.exe'
@@ -0,0 +1,54 @@
+title: Suspicious Mshta.EXE Execution Patterns
+id: e32f92d1-523e-49c3-9374-bdb13b46a3ba
+status: experimental
+description: Detects suspicious mshta process execution patterns
+references:
+    - https://en.wikipedia.org/wiki/HTML_Application
+    - https://www.echotrail.io/insights/search/mshta.exe
+    - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
+author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
+date: 2021/07/17
+modified: 2023/02/21
+tags:
+    - attack.execution
+    - attack.t1106
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith: '\mshta.exe'
+        - OriginalFileName: 'MSHTA.EXE'
+    selection_susp:
+        # Suspicious parents
+        ParentImage|endswith:
+            - '\cmd.exe'
+            - '\cscript.exe'
+            - '\powershell.exe'
+            - '\pwsh.exe'
+            - '\regsvr32.exe'
+            - '\rundll32.exe'
+            - '\wscript.exe'
+        # Suspicious folders
+        CommandLine|contains:
+            - '\AppData\Local\'
+            - 'C:\ProgramData\'
+            - 'C:\Users\Public\'
+            - 'C:\Windows\Temp\'
+    filter_img:
+        # Filter legit Locations
+        - Image|startswith:
+            - 'C:\Windows\System32\'
+            - 'C:\Windows\SysWOW64\'
+        # Suspicious extensions
+        - CommandLine|contains:
+            - '.htm'
+            - '.hta'
+        # Filter simple execution
+        - CommandLine|endswith:
+            - 'mshta.exe'
+            - 'mshta'
+    condition: all of selection_* or (selection_img and not filter_img)
+falsepositives:
+    - Unknown
+level: high
@@ -1,14 +1,14 @@
-title: Suspicious Msiexec Load DLL
+title: DllUnregisterServer Function Call Via Msiexec.EXE
 id: 84f52741-8834-4a8c-a413-2eb2269aa6c8
 status: experimental
 description: Detects MsiExec loading a DLL and calling its DllUnregisterServer function
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md
-    - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec
+    - https://lolbas-project.github.io/lolbas/Binaries/Msiexec/
    - https://twitter.com/_st0pp3r_/status/1583914515996897281
 author: frack113
 date: 2022/04/24
-modified: 2022/10/23
+modified: 2023/02/22
 tags:
    - attack.defense_evasion
    - attack.t1218.007
@@ -16,8 +16,10 @@ logsource:
    product: windows
    category: process_creation
 detection:
-    selection_msi:
-        Image|endswith: '\msiexec.exe'
+    selection_img:
+        - Image|endswith: '\msiexec.exe'
+        - OriginalFileName: '\msiexec.exe'
+    selection_flag:
        CommandLine|contains:
            - ' /z '
            - ' -z '
@@ -1,12 +1,12 @@
-title: Suspicious MsiExec Directory
+title: Potential MsiExec Masquerading
 id: e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144
 status: test
-description: Detects execution of msiexec from an uncommon directory
+description: Detects the execution of msiexec.exe from an uncommon directory
 references:
    - https://twitter.com/200_okay_/status/1194765831911215104
 author: Florian Roth (Nextron Systems)
 date: 2019/11/14
-modified: 2021/11/27
+modified: 2023/02/21
 tags:
    - attack.defense_evasion
    - attack.t1036.005
@@ -15,7 +15,8 @@ logsource:
    product: windows
 detection:
    selection:
-        Image|endswith: '\msiexec.exe'
+        - Image|endswith: '\msiexec.exe'
+        - OriginalFileName: '\msiexec.exe'
    filter:
        Image|startswith:
            - 'C:\Windows\System32\'
@@ -1,7 +1,7 @@
 title: Potential Process Injection Via Msra.EXE
 id: 744a188b-0415-4792-896f-11ddb0588dbc
 status: experimental
-description: Detects potential process injection via Microsoft Remote Asssistance (Msra.exe). It has been a target used by many threat actors and used for discovery and persistence tactics
+description: Detects potential process injection via Microsoft Remote Asssistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been a target used by many threat actors and used for discovery and persistence tactics
 references:
    - https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/
    - https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/ar-qakbot.pdf
@@ -1,4 +1,4 @@
-title: Suspicious Manipulation Of Default Accounts
+title: Suspicious Manipulation Of Default Accounts Via Net.EXE
 id: 5b768e71-86f2-4879-b448-81061cbae951
 status: experimental
 description: Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc
@@ -8,7 +8,7 @@ references:
    - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/09/01
-modified: 2022/09/09
+modified: 2023/02/21
 tags:
    - attack.collection
    - attack.t1560.001
@@ -17,9 +17,12 @@ logsource:
    product: windows
 detection:
    selection_img:
-        Image|endswith:
+        - Image|endswith:
            - '\net.exe'
            - '\net1.exe'
+        - OriginalFileName:
+            - 'net.exe'
+            - 'net1.exe'
    selection_user_option:
        CommandLine|contains: ' user '
    selection_username:
@@ -1,4 +1,4 @@
-title: Suspicious Listing of Network Connections
+title: System Network Connections Discovery Via Net.EXE
 id: 1c67a717-32ba-409b-a45d-0fb704a73a81
 status: experimental
 description: Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.
@@ -6,7 +6,7 @@ references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-1---system-network-connections-discovery
 author: frack113
 date: 2021/12/10
-modified: 2022/07/14
+modified: 2023/02/21
 tags:
    - attack.discovery
    - attack.t1049
@@ -14,18 +14,21 @@ logsource:
    category: process_creation
    product: windows
 detection:
-    netstat:
-        CommandLine|contains: netstat
-    net_cmd:
-        CommandLine|contains: 'net '
-    net_opt:
+    selection_img:
+        - Image|endswith:
+            - '\net.exe'
+            - '\net1.exe'
+        - OriginalFileName:
+            - 'net.exe'
+            - 'net1.exe'
+    selection_cli:
        - CommandLine|endswith:
            - ' use'
            - ' sessions'
        - CommandLine|contains:
            - ' use '
            - ' sessions '
-    condition: netstat or all of net_*
+    condition: all of selection_*
 falsepositives:
    - Unknown
 level: low
@@ -7,7 +7,7 @@ references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md
 author: Endgame, JHasenbusch (ported for oscd.community)
 date: 2018/10/30
-modified: 2023/02/01
+modified: 2023/02/21
 tags:
    - attack.discovery
    - attack.t1018
@@ -15,14 +15,18 @@ logsource:
    category: process_creation
    product: windows
 detection:
-    selection:
-        Image|endswith:
+    selection_img:
+        - Image|endswith:
            - '\net.exe'
            - '\net1.exe'
+        - OriginalFileName:
+            - 'net.exe'
+            - 'net1.exe'
+    selection_cli:
        CommandLine|contains: 'view'
    filter:
        CommandLine|contains: '\\\\'
-    condition: selection and not filter
+    condition: all of selection_* and not filter
 fields:
    - ComputerName
    - User
@@ -1,12 +1,12 @@
-title: Mounted Share Deleted
+title: Unmount Share Via Net.EXE
 id: cb7c4a03-2871-43c0-9bbb-18bbdb079896
 status: test
 description: Detects when when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md
-author: 'oscd.community, @redcanary, Zach Stanford @svch0st'
+author: oscd.community, @redcanary, Zach Stanford @svch0st
 date: 2020/10/08
-modified: 2022/07/11
+modified: 2023/02/21
 tags:
    - attack.defense_evasion
    - attack.t1070.005
@@ -6,7 +6,7 @@ references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1569.002/T1569.002.md
 author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
 date: 2019/10/21
-modified: 2023/02/01
+modified: 2023/02/21
 tags:
    - attack.execution
    - attack.t1569.002
@@ -14,12 +14,16 @@ logsource:
    category: process_creation
    product: windows
 detection:
-    selection:
-        Image|endswith:
+    selection_img:
+        - Image|endswith:
            - '\net.exe'
            - '\net1.exe'
+        - OriginalFileName:
+            - 'net.exe'
+            - 'net1.exe'
+    selection_cli:
        CommandLine|contains: ' start '     # space character after the 'start' keyword indicates that a service name follows, in contrast to `net start` discovery expression
-    condition: selection
+    condition: all of selection_*
 falsepositives:
    - Legitimate administrator or user executes a service for legitimate reasons.
 level: low
@@ -1,4 +1,4 @@
-title: Windows Admin Share Mounted Via Net.EXE
+title: Windows Admin Share Mount Via Net.EXE
 id: 3abd6094-7027-475f-9630-8ab9be7b9725
 related:
    - id: f117933c-980c-4f78-b384-e3d838111165
@@ -7,9 +7,9 @@ status: test
 description: Detects when an admin share is mounted using net.exe
 references:
    - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
-author: 'oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, wagga'
+author: oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, wagga
 date: 2020/10/05
-modified: 2023/02/01
+modified: 2023/02/21
 tags:
    - attack.lateral_movement
    - attack.t1021.002
@@ -17,14 +17,18 @@ logsource:
    category: process_creation
    product: windows
 detection:
-    selection:
-        Image|endswith:
+    selection_img:
+        - Image|endswith:
            - '\net.exe'
            - '\net1.exe'
+        - OriginalFileName:
+            - 'net.exe'
+            - 'net1.exe'
+    selection_cli:
        CommandLine|contains|all:
            - ' use '
            - ' \\\\*\\*$'
-    condition: selection
+    condition: all of selection_*
 falsepositives:
    - Administrators
 level: medium
@@ -0,0 +1,30 @@
+title: Windows Internet Hosted WebDav Share Mount Via Net.EXE
+id: 7e6237fe-3ddb-438f-9381-9bf9de5af8d0
+status: experimental
+description: Detects when an internet hosted webdav share is mounted using the "net.exe" utility
+references:
+    - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
+author: Nasreddine Bencherchali (Nextron Systems)
+date: 2023/02/21
+tags:
+    - attack.lateral_movement
+    - attack.t1021.002
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith:
+            - '\net.exe'
+            - '\net1.exe'
+        - OriginalFileName:
+            - 'net.exe'
+            - 'net1.exe'
+    selection_cli:
+        CommandLine|contains:
+            - ' use '
+            - ' http'
+    condition: all of selection_*
+falsepositives:
+    - Unknown
+level: high
@@ -1,4 +1,4 @@
-title: Windows Share Mounted Via Net.EXE
+title: Windows Share Mount Via Net.EXE
 id: f117933c-980c-4f78-b384-e3d838111165
 related:
    - id: 3abd6094-7027-475f-9630-8ab9be7b9725
@@ -9,6 +9,7 @@ references:
    - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2023/02/02
+modified: 2023/02/21
 tags:
    - attack.lateral_movement
    - attack.t1021.002
@@ -16,14 +17,18 @@ logsource:
    category: process_creation
    product: windows
 detection:
-    selection:
-        Image|endswith:
+    selection_img:
+        - Image|endswith:
            - '\net.exe'
            - '\net1.exe'
+        - OriginalFileName:
+            - 'net.exe'
+            - 'net1.exe'
+    selection_cli:
        CommandLine|contains:
            - ' use '
            - ' \\\\'
-    condition: selection
+    condition: all of selection_*
 falsepositives:
    - Legitimate activity by administrators and scripts
 level: low
@@ -1,4 +1,4 @@
-title: Password Provided In Command Line Of Net.exe
+title: Password Provided In Command Line Of Net.EXE
 id: d4498716-1d52-438f-8084-4a603157d131
 status: test
 description: Detects a when net.exe is called with a password in the command line
@@ -6,22 +6,26 @@ references:
    - Internal Research
 author: Tim Shelton (HAWK.IO)
 date: 2021/12/09
-modified: 2022/12/25
+modified: 2023/02/21
 logsource:
    category: process_creation
    product: windows
 detection:
-    selection1:
-        Image: C:\Windows\System32\net.exe
-    selection2:
+    selection_img:
+        - Image|endswith:
+            - '\net.exe'
+            - '\net1.exe'
+        - OriginalFileName:
+            - 'net.exe'
+            - 'net1.exe'
+    selection_cli:
        CommandLine|contains|all:
-            - 'net'
            - ' use '
            - ':*\\'
            - '/USER:* *'
-    filter:
+    filter_empty:
        CommandLine|endswith: ' '
-    condition: all of selection* and not 1 of filter*
+    condition: all of selection_* and not 1 of filter*
 falsepositives:
    - Unknown
 level: medium
@@ -10,7 +10,7 @@ references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md
 author: Endgame, JHasenbusch (adapted to Sigma for oscd.community)
 date: 2018/10/30
-modified: 2023/02/02
+modified: 2023/02/21
 tags:
    - attack.persistence
    - attack.t1136.001
@@ -18,14 +18,18 @@ logsource:
    category: process_creation
    product: windows
 detection:
-    selection:
-        Image|endswith:
+    selection_img:
+        - Image|endswith:
            - '\net.exe'
            - '\net1.exe'
+        - OriginalFileName:
+            - 'net.exe'
+            - 'net1.exe'
+    selection_cli:
        CommandLine|contains|all:
            - 'user'
            - 'add'
-    condition: selection
+    condition: all of selection_*
 fields:
    - ComputerName
    - User
@@ -9,7 +9,7 @@ references:
    - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/
 author: Nasreddine Bencherchali (Nextron Systems)
 date: 2022/07/12
-modified: 2023/02/01
+modified: 2023/02/21
 tags:
    - attack.persistence
    - attack.t1136.001
@@ -17,15 +17,19 @@ logsource:
    category: process_creation
    product: windows
 detection:
-    selection:
-        Image|endswith:
+    selection_img:
+        - Image|endswith:
            - '\net.exe'
            - '\net1.exe'
+        - OriginalFileName:
+            - 'net.exe'
+            - 'net1.exe'
+    selection_cli:
        CommandLine|contains|all:
            - 'user'
            - 'add'
            - 'expires:never'
-    condition: selection
+    condition: all of selection_*
 falsepositives:
    - Unlikely
 level: high
@@ -2,14 +2,14 @@ title: Potential Network Sniffing Activity Using Network Tools
 id: ba1f7802-adc7-48b4-9ecb-81e227fddfd5
 status: test
 description: |
-    Detects potential network sniffing via use of network tools such as "tshark", "windump" or "netsh".
+    Detects potential network sniffing via use of network tools such as "tshark", "windump".
    Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection.
    An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md
 author: Timur Zinniatullin, oscd.community, Nasreddine Bencherchali (Nextron Systems)
 date: 2019/10/21
-modified: 2023/02/01
+modified: 2023/02/20
 tags:
    - attack.credential_access
    - attack.discovery
@@ -23,13 +23,6 @@ detection:
        CommandLine|contains: '-i'
    selection_windump:
        Image|endswith: '\windump.exe'
-    selection_netsh:
-        Image|endswith: '\netsh.exe'
-        CommandLine|contains|all:
-            - ' trace '
-            - ' start '
-            - ' capture'
-            - 'yes'
    condition: 1 of selection_*
 falsepositives:
    - Legitimate administration activity to troubleshoot network issues
@@ -14,22 +14,20 @@ logsource:
    category: process_creation
    product: windows
 detection:
-    exec_selection:
+    selection_cli:
+        CommandLine|contains: 'UserInitMprLogonScript'
+    selection_parent:
        ParentImage|endswith: '\userinit.exe'
-    exec_exclusion1:
-        Image|endswith:
-            - '\explorer.exe'
-            - '\proquota.exe'
-    exec_exclusion2:
-        CommandLine|contains:
+    filter_parent:
+        - CommandLine|contains:
            - 'netlogon*.bat'
            - 'UsrLogon.cmd'
            - 'C:\WINDOWS\Explorer.EXE'
-    exec_exclusion3:
-        Image|endswith: '\Citrix\System32\icast.exe'
-    create_keywords_cli:
-        CommandLine|contains: 'UserInitMprLogonScript'
-    condition: ( exec_selection and not 1 of exec_exclusion* ) or create_keywords_cli
+        - Image|endswith:
+            - '\explorer.exe'
+            - '\proquota.exe'
+            - '\Citrix\System32\icast.exe'
+    condition: selection_cli or (selection_parent and not filter_parent)
 falsepositives:
    - Exclude legitimate logon scripts
 level: high
@@ -0,0 +1,28 @@
+title: New Service Creation Using PowerShell
+id: c02e96b7-c63a-4c47-bd83-4a9f74afcfb2
+related:
+    - id: 85ff530b-261d-48c6-a441-facaa2e81e48 # Using Sc.EXE
+      type: similar
+status: test
+description: Detects the creation of a new service using powershell.
+references:
+    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md
+author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
+date: 2023/02/20
+tags:
+    - attack.persistence
+    - attack.privilege_escalation
+    - attack.t1543.003
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        CommandLine|contains|all:
+            - 'New-Service'
+            - '-BinaryPathName'
+    condition: selection
+falsepositives:
+    - Legitimate administrator or user creates a service for legitimate reasons.
+    - Software installation
+level: low
--- a/Show More
+++ b/Show More