diff --git a/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_rundll.yml b/rules-deprecated/windows/proc_creation_win_invoke_obfuscation_via_rundll.yml
similarity index 94%
rename from rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_rundll.yml
rename to rules-deprecated/windows/proc_creation_win_invoke_obfuscation_via_rundll.yml
index b0db61419..8e66a927e 100644
--- a/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_via_rundll.yml
+++ b/rules-deprecated/windows/proc_creation_win_invoke_obfuscation_via_rundll.yml
@@ -1,12 +1,12 @@
 title: Invoke-Obfuscation RUNDLL LAUNCHER
 id: 056a7ee1-4853-4e67-86a0-3fd9ceed7555
-status: test
+status: deprecated
 description: Detects Obfuscated Powershell via RUNDLL LAUNCHER
 references:
 - https://github.com/SigmaHQ/sigma/issues/1009 #(Task 23)
 author: Timur Zinniatullin, oscd.community
 date: 2020/10/18
-modified: 2022/03/07
+modified: 2023/02/21
 tags:
 - attack.defense_evasion
 - attack.t1027
diff --git a/rules/windows/process_creation/proc_creation_win_new_service_creation.yml b/rules-deprecated/windows/proc_creation_win_new_service_creation.yml
similarity index 95%
rename from rules/windows/process_creation/proc_creation_win_new_service_creation.yml
rename to rules-deprecated/windows/proc_creation_win_new_service_creation.yml
index e9085666a..b6231ce88 100644
--- a/rules/windows/process_creation/proc_creation_win_new_service_creation.yml
+++ b/rules-deprecated/windows/proc_creation_win_new_service_creation.yml
@@ -1,12 +1,12 @@
 title: New Service Creation
 id: 7fe71fc9-de3b-432a-8d57-8c809efc10ab
-status: test
+status: deprecated
 description: Detects creation of a new service.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md
 author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
 date: 2019/10/21
-modified: 2022/07/14
+modified: 2023/02/20
 tags:
 - attack.persistence
 - attack.privilege_escalation
diff --git a/rules/windows/process_creation/proc_creation_win_accesschk_usage_after_priv_escalation.yml b/rules/windows/process_creation/proc_creation_win_accesschk_usage_after_priv_escalation.yml
index eb7dcadc3..2b58991b7 100644
--- a/rules/windows/process_creation/proc_creation_win_accesschk_usage_after_priv_escalation.yml
+++ b/rules/windows/process_creation/proc_creation_win_accesschk_usage_after_priv_escalation.yml
@@ -1,15 +1,15 @@
-title: Accesschk Usage To Check Privileges
+title: Permission Check Via Accesschk.EXE
 id: c625d754-6a3d-4f65-9c9a-536aea960d37
 status: test
-description: Accesschk is an access and privilege audit tool developed by SysInternal and often being used by attacker to verify privileges
+description: Detects the usage of the "Accesschk" utility, an access and privilege audit tool developed by SysInternal and often being abused by attacker to verify process privileges
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment?slide=43
 - https://www.youtube.com/watch?v=JGs-aKf2OtU&ab_channel=OFFZONEMOSCOW
 - https://github.com/carlospolop/PEASS-ng/blob/fa0f2e17fbc1d86f1fd66338a40e665e7182501d/winPEAS/winPEASbat/winPEAS.bat
 - https://github.com/gladiatx0r/Powerless/blob/04f553bbc0c65baf4e57344deff84e3f016e6b51/Powerless.bat
-author: Teymur Kheirkhabarov (idea), Mangatas Tondang (rule), oscd.community, Nasreddine Bencherchali (modified)
+author: Teymur Kheirkhabarov (idea), Mangatas Tondang, oscd.community, Nasreddine Bencherchali (Nextron Systems)
 date: 2020/10/13
-modified: 2022/10/20
+modified: 2023/02/20
 tags:
 - attack.discovery
 - attack.t1069.001
diff --git a/rules/windows/process_creation/proc_creation_win_susp_adfind_enumeration.yml b/rules/windows/process_creation/proc_creation_win_adfind_enumeration.yml
similarity index 66%
rename from rules/windows/process_creation/proc_creation_win_susp_adfind_enumeration.yml
rename to rules/windows/process_creation/proc_creation_win_adfind_enumeration.yml
index e512b3283..efcb3034b 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_adfind_enumeration.yml
+++ b/rules/windows/process_creation/proc_creation_win_adfind_enumeration.yml
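Review bot: The rewritten description line still carries the wording slips of the old one — `SysInternal` for the vendor name Sysinternals and `often being abused by attacker` — so the rewrite is a good moment to fix them; suggest `description: Detects the usage of the "Accesschk" utility, an access and privilege audit tool developed by Sysinternals and often abused by attackers to verify process privileges`. The hunk only touches metadata; the rule's detection block lies outside it and is not affected.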
@@ -1,14 +1,17 @@
-title: Suspicious AdFind Enumeration
+title: Suspicious ActiveDirectory Enumeration Via AdFind.EXE
 id: 455b9d50-15a1-4b99-853f-8d37655a4c1b
+related:
+ - id: 9a132afa-654e-11eb-ae93-0242ac130002
+ type: similar
 status: experimental
-description: Detects the execution of a AdFind for enumeration based on it's commadline flags
+description: Detects active directory enumeration activity using known AdFind CLI flags
 references:
 - https://www.joeware.net/freetools/tools/adfind/
 - https://social.technet.microsoft.com/wiki/contents/articles/7535.adfind-command-examples.aspx
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1087.002/T1087.002.md
 author: frack113
 date: 2021/12/13
-modified: 2022/08/12
+modified: 2023/02/21
 tags:
 - attack.discovery
 - attack.t1087.002
@@ -16,7 +19,7 @@ logsource:
 product: windows
 category: process_creation
 detection:
- selection_password: #Listing password policy
+ selection_password: # Listing password policy
 CommandLine|contains:
 - lockoutduration
 - lockoutthreshold
@@ -26,11 +29,11 @@ detection:
 - minpwdlength
 - pwdhistorylength
 - pwdproperties
- selection_enum_ad: #Enumerate Active Directory Admins
+ selection_enum_ad: # Enumerate Active Directory Admins
 CommandLine|contains: '-sc admincountdmp'
- selection_enum_exchange: #Enumerate Active Directory Exchange AD Objects
+ selection_enum_exchange: # Enumerate Active Directory Exchange AD Objects
 CommandLine|contains: '-sc exchaddresses'
 condition: 1 of selection_*
 falsepositives:
- - Administrative activity
+ - Authorized administrative activity
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_adfind_usage.yml b/rules/windows/process_creation/proc_creation_win_adfind_susp_usage.yml
similarity index 89%
rename from rules/windows/process_creation/proc_creation_win_susp_adfind_usage.yml
rename to rules/windows/process_creation/proc_creation_win_adfind_susp_usage.yml
index cc3ae37ef..5bc774ee1 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_adfind_usage.yml
+++ b/rules/windows/process_creation/proc_creation_win_adfind_susp_usage.yml
@@ -1,10 +1,12 @@
-title: AdFind Usage Detection
+title: AdFind Suspicious Execution
 id: 9a132afa-654e-11eb-ae93-0242ac130002
 related:
+ - id: 455b9d50-15a1-4b99-853f-8d37655a4c1b
+ type: similar
 - id: 75df3b17-8bcc-4565-b89b-c9898acef911
 type: obsoletes
 status: test
-description: AdFind continues to be seen across majority of breaches. It is used to domain trust discovery to plan out subsequent steps in the attack chain.
+description: Detects AdFind execution with common flags seen used during attacks
 references:
 - https://www.joeware.net/freetools/tools/adfind/
 - https://thedfirreport.com/2020/05/08/adfind-recon/
@@ -14,7 +16,7 @@ references:
 - https://github.com/center-for-threat-informed-defense/adversary_emulation_library/blob/bf62ece1c679b07b5fb49c4bae947fe24c81811f/fin6/Emulation_Plan/Phase1.md
 author: Janantha Marasinghe (https://github.com/blueteam0ps), FPT.EagleEye Team, omkar72, oscd.community
 date: 2021/02/02
-modified: 2022/08/12
+modified: 2023/02/21
 tags:
 - attack.discovery
 - attack.t1018
diff --git a/rules/windows/process_creation/proc_creation_win_interactive_at.yml b/rules/windows/process_creation/proc_creation_win_at_interactive_execution.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_interactive_at.yml
rename to rules/windows/process_creation/proc_creation_win_at_interactive_execution.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_nt_resource_kit_auditpol_usage.yml b/rules/windows/process_creation/proc_creation_win_auditpol_nt_resource_kit_usage.yml
similarity index 81%
rename from rules/windows/process_creation/proc_creation_win_susp_nt_resource_kit_auditpol_usage.yml
rename to rules/windows/process_creation/proc_creation_win_auditpol_nt_resource_kit_usage.yml
index 78a6aa8d1..c11f0ccf7 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_nt_resource_kit_auditpol_usage.yml
+++ b/rules/windows/process_creation/proc_creation_win_auditpol_nt_resource_kit_usage.yml
@@ -1,14 +1,17 @@
-title: Suspicious NT Resource Kit Auditpol Usage
+title: Audit Policy Tampering Via NT Resource Kit Auditpol
 id: c6c56ada-612b-42d1-9a29-adad3c5c2c1e
+related:
+ - id: 0a13e132-651d-11eb-ae93-0242ac130002 # New auditpol version
+ type: similar
 status: test
 description: |
 Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability.
 This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
 references:
 - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Windows%202000%20Resource%20Kit%20Tools/AuditPol
-author: Nasreddine Bencherchali @nas_bench
+author: Nasreddine Bencherchali (Nextron Systems)
 date: 2021/12/18
-modified: 2022/12/25
+modified: 2023/02/21
 tags:
 - attack.defense_evasion
 - attack.t1562.002
diff --git a/rules/windows/process_creation/proc_creation_win_sus_auditpol_usage.yml b/rules/windows/process_creation/proc_creation_win_auditpol_susp_execution.yml
similarity index 76%
rename from rules/windows/process_creation/proc_creation_win_sus_auditpol_usage.yml
rename to rules/windows/process_creation/proc_creation_win_auditpol_susp_execution.yml
index 4eb522edd..63a3059cc 100644
--- a/rules/windows/process_creation/proc_creation_win_sus_auditpol_usage.yml
+++ b/rules/windows/process_creation/proc_creation_win_auditpol_susp_execution.yml
@@ -1,5 +1,8 @@
-title: Suspicious Auditpol Usage
+title: Audit Policy Tampering Via Auditpol
 id: 0a13e132-651d-11eb-ae93-0242ac130002
+related:
+ - id: c6c56ada-612b-42d1-9a29-adad3c5c2c1e # Old auditpol
+ type: similar
 status: test
 description: |
 Threat actors can use auditpol binary to change audit policy configuration to impair detection capability.
@@ -8,7 +11,7 @@ references:
 - https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
 author: Janantha Marasinghe (https://github.com/blueteam0ps)
 date: 2021/02/02
-modified: 2022/10/09
+modified: 2023/02/22
 tags:
 - attack.defense_evasion
 - attack.t1562.002
@@ -16,15 +19,16 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection_auditpol_binary:
- Image|endswith: '\auditpol.exe'
- selection_auditpol_command:
+ selection_img:
+ - Image|endswith: '\auditpol.exe'
+ - OriginalFileName: 'AUDITPOL.EXE'
+ selection_cli:
 CommandLine|contains:
 - 'disable' # disables a specific audit policy
 - 'clear' # delete or clears audit policy
 - 'remove' # removes an audit policy
 - 'restore' # restores an audit policy
- condition: selection_auditpol_binary and selection_auditpol_command
+ condition: all of selection_*
 falsepositives:
 - Admin activity
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_headless_browser_file_download.yml b/rules/windows/process_creation/proc_creation_win_browser_chromium_headless_file_download.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_headless_browser_file_download.yml
rename to rules/windows/process_creation/proc_creation_win_browser_chromium_headless_file_download.yml
diff --git a/rules/windows/process_creation/proc_creation_win_msedge_minimized_download.yml b/rules/windows/process_creation/proc_creation_win_browsers_msedge_minimized_download.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_msedge_minimized_download.yml
rename to rules/windows/process_creation/proc_creation_win_browsers_msedge_minimized_download.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_cipher.yml b/rules/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data.yml
similarity index 85%
rename from rules/windows/process_creation/proc_creation_win_susp_cipher.yml
rename to rules/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data.yml
index b6ecc2436..34f6f66a2 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_cipher.yml
+++ b/rules/windows/process_creation/proc_creation_win_cipher_overwrite_deleted_data.yml
@@ -1,14 +1,15 @@
-title: Overwrite Deleted Data with Cipher
+title: Deleted Data Overwritten Via Cipher.EXE
 id: 4b046706-5789-4673-b111-66f25fe99534
 status: experimental
 description: |
+ Detects usage of the "cipher" built-in utility in order to overwrite deleted data from disk.
 Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
 Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1485/T1485.md#atomic-test-3---overwrite-deleted-data-on-c-drive
 author: frack113
 date: 2021/12/26
-modified: 2023/01/18
+modified: 2023/02/21
 tags:
 - attack.impact
 - attack.t1485
diff --git a/rules/windows/process_creation/proc_creation_win_clip.yml b/rules/windows/process_creation/proc_creation_win_clip_execution.yml
similarity index 68%
rename from rules/windows/process_creation/proc_creation_win_clip.yml
rename to rules/windows/process_creation/proc_creation_win_clip_execution.yml
index 87c81db09..74accce3a 100644
--- a/rules/windows/process_creation/proc_creation_win_clip.yml
+++ b/rules/windows/process_creation/proc_creation_win_clip_execution.yml
@@ -1,13 +1,13 @@
-title: Use of CLIP
+title: Data Copied To Clipboard Via Clip.EXE
 id: ddeff553-5233-4ae9-bbab-d64d2bd634be
 status: test
-description: Adversaries may collect data stored in the clipboard from users copying information within or between applications.
+description: Detects the execution of clip.exe in order to copy data to the clipboard. Adversaries may collect data stored in the clipboard from users copying information within or between applications.
 references:
 - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/clip
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1115/T1115.md
 author: frack113
 date: 2021/07/27
-modified: 2022/10/09
+modified: 2023/02/21
 tags:
 - attack.collection
 - attack.t1115
diff --git a/rules/windows/process_creation/proc_creation_win_susp_curl_start_combo.yml b/rules/windows/process_creation/proc_creation_win_cmd_curl_download_and_start_combo.yml
similarity index 91%
rename from rules/windows/process_creation/proc_creation_win_susp_curl_start_combo.yml
rename to rules/windows/process_creation/proc_creation_win_cmd_curl_download_and_start_combo.yml
index b65cfb72b..5d043166d 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_curl_start_combo.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_curl_download_and_start_combo.yml
@@ -1,4 +1,4 @@
-title: Curl Start Combination
+title: Suspicious Curl Download And Execute Combination
 id: 21dd6d38-2b18-4453-9404-a0fe4a0cc288
 status: test
 description: Adversaries can use curl to download payloads remotely and execute them. Curl is included by default in Windows 10 build 17063 and later.
@@ -6,7 +6,7 @@ references:
 - https://medium.com/@reegun/curl-exe-is-the-new-rundll32-exe-lolbin-3f79c5f35983
 author: Sreeman, Nasreddine Bencherchali
 date: 2020/01/13
-modified: 2022/08/02
+modified: 2023/02/21
 tags:
 - attack.execution
 - attack.t1218
diff --git a/rules/windows/process_creation/proc_creation_win_susp_cmd_http_appdata.yml b/rules/windows/process_creation/proc_creation_win_cmd_http_appdata.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_cmd_http_appdata.yml
rename to rules/windows/process_creation/proc_creation_win_cmd_http_appdata.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_net_use.yml b/rules/windows/process_creation/proc_creation_win_cmd_net_use_and_exec_combo.yml
similarity index 80%
rename from rules/windows/process_creation/proc_creation_win_susp_net_use.yml
rename to rules/windows/process_creation/proc_creation_win_cmd_net_use_and_exec_combo.yml
index 734806c6c..ef17f1a57 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_net_use.yml
+++ b/rules/windows/process_creation/proc_creation_win_cmd_net_use_and_exec_combo.yml
@@ -1,4 +1,4 @@
-title: Suspicious Net Use Command Combo
+title: Suspicious File Execution From Internet Hosted WebDav Share
 id: f0507c0f-a3a2-40f5-acc6-7f543c334993
 status: experimental
 description: Detects net use command combo which executes files from WebDAV server; seen in malicious LNK files
@@ -7,6 +7,7 @@ references:
 - https://www.virustotal.com/gui/file/a63376ee1dba76361df73338928e528ca5b20171ea74c24581605366dcaa0104/behavior
 author: pH-T (Nextron Systems)
 date: 2022/09/01
+modified: 2023/02/21
 tags:
 - attack.execution
 - attack.t1059.001
@@ -14,8 +15,9 @@ logsource:
 category: process_creation
 product: windows
 detection:
- image:
- Image|contains: '\cmd.exe'
+ selection_img:
+ - Image|contains: '\cmd.exe'
+ - OriginalFileName: 'Cmd.EXE'
 selection_base:
 CommandLine|contains|all:
 - ' net use http'
@@ -28,7 +30,7 @@ detection:
 - '.bat '
 - '.vbs '
 - '.ps1 '
- condition: image and all of selection*
+ condition: all of selection_*
 falsepositives:
 - Unknown
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_redirect_to_stream.yml b/rules/windows/process_creation/proc_creation_win_cmd_redirect_to_stream.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_redirect_to_stream.yml
rename to rules/windows/process_creation/proc_creation_win_cmd_redirect_to_stream.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_cmd_shadowcopy_access.yml b/rules/windows/process_creation/proc_creation_win_cmd_shadowcopy_access.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_cmd_shadowcopy_access.yml
rename to rules/windows/process_creation/proc_creation_win_cmd_shadowcopy_access.yml
diff --git a/rules/windows/process_creation/proc_creation_win_apt_silence_downloader_v3.yml b/rules/windows/process_creation/proc_creation_win_correlation_apt_silence_downloader_v3.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_apt_silence_downloader_v3.yml
rename to rules/windows/process_creation/proc_creation_win_correlation_apt_silence_downloader_v3.yml
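Review bot: The new `selection_img` keeps `Image|contains: '\cmd.exe'` beside the freshly added `OriginalFileName: 'Cmd.EXE'`, while every other image selector rewritten in this commit (the auditpol and curl rules) anchors on `Image|endswith`; `contains` is looser than the path-anchored form and gains nothing here. Suggest `- Image|endswith: '\cmd.exe'`. The rewritten `condition: all of selection_*` also now relies on the third selection (the one holding `'.bat '`, `'.vbs '`, `'.ps1 '`) carrying a `selection_` prefix; the old `selection*` pattern accepted any name starting with `selection`, and that selection's name is outside the hunk, so it should be confirmed against the full file.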
diff --git a/rules/windows/process_creation/proc_creation_win_apt_turla_commands_medium.yml b/rules/windows/process_creation/proc_creation_win_correlation_apt_turla_commands_medium.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_apt_turla_commands_medium.yml
rename to rules/windows/process_creation/proc_creation_win_correlation_apt_turla_commands_medium.yml
diff --git a/rules/windows/process_creation/proc_creation_win_dnscat2_powershell_implementation.yml b/rules/windows/process_creation/proc_creation_win_correlation_dnscat2_powershell_implementation.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_dnscat2_powershell_implementation.yml
rename to rules/windows/process_creation/proc_creation_win_correlation_dnscat2_powershell_implementation.yml
diff --git a/rules/windows/process_creation/proc_creation_win_multiple_susp_cli.yml b/rules/windows/process_creation/proc_creation_win_correlation_multiple_susp_cli.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_multiple_susp_cli.yml
rename to rules/windows/process_creation/proc_creation_win_correlation_multiple_susp_cli.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_builtin_commands_recon.yml b/rules/windows/process_creation/proc_creation_win_correlation_susp_builtin_commands_recon.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_builtin_commands_recon.yml
rename to rules/windows/process_creation/proc_creation_win_correlation_susp_builtin_commands_recon.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_csc_folder.yml b/rules/windows/process_creation/proc_creation_win_csc_susp_folder.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_csc_folder.yml
rename to rules/windows/process_creation/proc_creation_win_csc_susp_folder.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_csc.yml b/rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_csc.yml
rename to rules/windows/process_creation/proc_creation_win_csc_susp_parent.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_cscript_vbs.yml b/rules/windows/process_creation/proc_creation_win_cscript_vbs.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_cscript_vbs.yml
rename to rules/windows/process_creation/proc_creation_win_cscript_vbs.yml
diff --git a/rules/windows/process_creation/proc_creation_win_curl_download.yml b/rules/windows/process_creation/proc_creation_win_curl_download.yml
index 6656215af..5a95de695 100644
--- a/rules/windows/process_creation/proc_creation_win_curl_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_curl_download.yml
@@ -1,14 +1,17 @@
-title: Curl Usage on Windows
-id: bbeaed61-1990-4773-bf57-b81dbad7db2d
+title: File Download Via Curl.EXE
+id: 9a517fca-4ba3-4629-9278-a68694697b81
 related:
- - id: e218595b-bbe7-4ee5-8a96-f32a24ad3468
+ - id: bbeaed61-1990-4773-bf57-b81dbad7db2d # Basic curl execution
 type: derived
-status: test
-description: Detects a curl process start on Windows, which indicates a file download from a remote location or a simple web request to a remote server
+ - id: e218595b-bbe7-4ee5-8a96-f32a24ad3468 # Suspicious curl execution
+ type: derived
+status: experimental
+description: Detects file download using curl.exe
 references:
 - https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464
 author: Florian Roth (Nextron Systems)
 date: 2022/07/05
+modified: 2023/02/21
 tags:
 - attack.command_and_control
 - attack.t1105
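Review bot: The added `related` entry for e218595b is typed `derived`, but the reciprocal entry this same commit adds to proc_creation_win_curl_susp_download.yml points back at 9a517fca as `similar`; both rules descend from the basic execution rule bbeaed61, so only that entry should stay `derived` and the e218595b one should read `type: similar`. Separately, this file keeps its path but receives a new id while bbeaed61 moves into the newly created proc_creation_win_curl_execution.yml; anyone tracking the rule by filename will silently start receiving a different rule id and narrower logic, which looks intended but deserves a changelog line.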
@@ -16,14 +19,19 @@ logsource:
 category: process_creation
 product: windows
 detection:
- selection:
+ selection_img:
 - Image|endswith: '\curl.exe'
 - Product: 'The curl executable'
- condition: selection
+ selection_remote:
+ CommandLine|contains:
+ - ' -O' # covers the alias for --remote-name and --output
+ - '--remote-name'
+ - '--output'
+ condition: all of selection_*
 fields:
 - CommandLine
 - ParentCommandLine
 falsepositives:
 - Scripts created by developers and admins
 - Administrative activity
-level: low
+level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_curl_execution.yml b/rules/windows/process_creation/proc_creation_win_curl_execution.yml
new file mode 100644
index 000000000..169ba7efb
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_curl_execution.yml
@@ -0,0 +1,30 @@
+title: Curl.EXE Execution
+id: bbeaed61-1990-4773-bf57-b81dbad7db2d
+related:
+ - id: e218595b-bbe7-4ee5-8a96-f32a24ad3468 # Suspicious curl execution
+ type: derived
+status: test
+description: Detects a curl process start on Windows, which could indicates a file download from a remote location or a simple web request to a remote server
+references:
+ - https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464
+author: Florian Roth (Nextron Systems)
+date: 2022/07/05
+modified: 2023/02/21
+tags:
+ - attack.command_and_control
+ - attack.t1105
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ - Image|endswith: '\curl.exe'
+ - Product: 'The curl executable'
+ condition: selection
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Scripts created by developers and admins
+ - Administrative activity
+level: low
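Review bot: The description of the new proc_creation_win_curl_execution.yml reads `which could indicates a file download`, a grammar slip introduced while rewording the sentence carried over from the old rule; suggest `description: Detects a curl process start on Windows, which could indicate a file download from a remote location or a simple web request to a remote server`. Since this file now owns id bbeaed61 and is the rule the two download rules declare themselves `derived` from, a short note in the description saying it is the broad base rule and that the download variants build on it would help readers who land here from a `related` entry.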
diff --git a/rules/windows/process_creation/proc_creation_win_susp_curl_fileupload.yml b/rules/windows/process_creation/proc_creation_win_curl_fileupload.yml
similarity index 83%
rename from rules/windows/process_creation/proc_creation_win_susp_curl_fileupload.yml
rename to rules/windows/process_creation/proc_creation_win_curl_fileupload.yml
index ecaea4286..ecdc3c4db 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_curl_fileupload.yml
+++ b/rules/windows/process_creation/proc_creation_win_curl_fileupload.yml
@@ -1,7 +1,7 @@
-title: Suspicious Curl File Upload
+title: Potential Data Exfiltration Via Curl.EXE
 id: 00bca14a-df4e-4649-9054-3f2aa676bc04
 status: test
-description: Detects a suspicious curl process start the adds a file to a web request
+description: Detects the execution of the "curl" process with "upload" flags. Which might indicate potential data exfiltration
 references:
 - https://twitter.com/d1r4c/status/1279042657508081664
 - https://medium.com/@petehouston/upload-files-with-curl-93064dcccc76
@@ -9,7 +9,7 @@ references:
 - https://curl.se/docs/manpage.html
 author: Florian Roth (Nextron Systems)
 date: 2020/07/03
-modified: 2022/09/15
+modified: 2023/02/21
 tags:
 - attack.exfiltration
 - attack.t1567
@@ -30,7 +30,7 @@ detection:
 - ' -d '
 - ' --data '
 - ' --data-' # For flags like: "--data-ascii", "--data-binary", "--data-raw", "--data-urlencode"
- condition: all of selection*
+ condition: all of selection_*
 fields:
 - CommandLine
 - ParentCommandLine
diff --git a/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml b/rules/windows/process_creation/proc_creation_win_curl_susp_download.yml
similarity index 78%
rename from rules/windows/process_creation/proc_creation_win_susp_curl_download.yml
rename to rules/windows/process_creation/proc_creation_win_curl_susp_download.yml
index 8540c76fc..5767ef5a2 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_curl_download.yml
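Review bot: The new description is broken into a fragment — `with "upload" flags. Which might indicate` — where `Which` cannot open a sentence; suggest `description: Detects the execution of the "curl" process with "upload" flags, which might indicate potential data exfiltration`. The third hunk's `condition: all of selection_*` also assumes every selection in the file carries the `selection_` prefix; the selections themselves, apart from the `-d`/`--data` tail, lie outside the hunk, so that assumption should be checked against the full file.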
+++ b/rules/windows/process_creation/proc_creation_win_curl_susp_download.yml
@@ -1,8 +1,10 @@
-title: Suspicious Curl Usage on Windows
+title: Suspicious Curl.EXE Download
 id: e218595b-bbe7-4ee5-8a96-f32a24ad3468
 related:
- - id: bbeaed61-1990-4773-bf57-b81dbad7db2d
+ - id: bbeaed61-1990-4773-bf57-b81dbad7db2d # Basic curl execution
 type: derived
+ - id: 9a517fca-4ba3-4629-9278-a68694697b81 # Curl download
+ type: similar
 status: experimental
 description: Detects a suspicious curl process start on Windows and outputs the requested document to a local file
 references:
@@ -10,9 +12,9 @@ references:
 - https://web.archive.org/web/20200128160046/https://twitter.com/reegun21/status/1222093798009790464
 - https://github.com/pr0xylife/Qakbot/blob/4f0795d79dabee5bc9dd69f17a626b48852e7869/Qakbot_AA_23.06.2022.txt
 - https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/
-author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
+author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2020/07/03
-modified: 2023/01/11
+modified: 2023/02/21
 tags:
 - attack.command_and_control
 - attack.t1105
@@ -25,29 +27,29 @@ detection:
 - Product: 'The curl executable'
 selection_susp_locations:
 CommandLine|contains:
- - '\AppData\'
- - '\Users\Public\'
- - '\Temp\'
 - '%AppData%'
+ - '%Public%'
 - '%Temp%'
 - '%tmp%'
- - '%Public%'
+ - '\AppData\'
 - '\Desktop\'
+ - '\Temp\'
+ - '\Users\Public\'
 - 'C:\PerfLogs\'
+ - 'C:\ProgramData\'
+ - 'C:\Windows\Temp\'
 selection_susp_extensions:
 CommandLine|endswith:
- - '.jpg'
- - '.jpeg'
- - '.png'
+ - '.dll'
 - '.gif'
- - '.tmp'
+ - '.jpeg'
+ - '.jpg'
+ - '.png'
 - '.temp'
+ - '.tmp'
 - '.txt'
- selection_susp_remote_name_or_output:
- CommandLine|contains:
- - ' -O' # covers the alias for --remote-name and --output
- - '--remote-name'
- - '--output'
+ - '.vbe'
+ - '.vbs'
 filter_git_windows:
 # Example FP
 # CommandLine: "C:\Program Files\Git\mingw64\bin\curl.exe" --silent --show-error --output C:/Users/test/AppData/Local/Temp/gfw-httpget-jVOEoxbS.txt --write-out %{http_code} https://gitforwindows.org/latest-tag.txt
@@ -56,7 +58,8 @@ detection:
 CommandLine|contains|all:
 - '--silent --show-error --output '
 - 'gfw-httpget-'
+ - 'AppData'
- condition: selection_curl and 1 of selection_susp* and not 1 of filter_*
+ condition: selection_curl and 1 of selection_susp_* and not 1 of filter_*
 fields:
 - CommandLine
 - ParentCommandLine
diff --git a/rules/windows/process_creation/proc_creation_win_susp_curl_useragent.yml b/rules/windows/process_creation/proc_creation_win_curl_useragent.yml
similarity index 85%
rename from rules/windows/process_creation/proc_creation_win_susp_curl_useragent.yml
rename to rules/windows/process_creation/proc_creation_win_curl_useragent.yml
index dd80e3688..338105f84 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_curl_useragent.yml
+++ b/rules/windows/process_creation/proc_creation_win_curl_useragent.yml
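Review bot: Removing `selection_susp_remote_name_or_output` means `condition: selection_curl and 1 of selection_susp_* and not 1 of filter_*` now fires on any curl command line that merely mentions a listed location or ends in a listed extension — a plain request for a URL ending in `.txt` or `.png` with no output flag now matches — while the description kept in this file's first hunk still says the rule detects a curl start that `outputs the requested document to a local file`. If the write-to-disk logic is meant to live only in proc_creation_win_curl_download.yml from now on, the description here should follow, e.g. `description: Detects a suspicious curl process start on Windows with a suspicious location or file extension on the command line`; otherwise the output-flag selection should be retained as an additional `and` term in the condition. The newly listed `'.dll'`, `'.vbe'` and `'.vbs'` extensions widen the same path, so the false-positive entry and level (both outside the hunk) may deserve a second look.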
@@ -1,12 +1,13 @@
-title: Suspicious Curl Change User Agents
+title: Curl.EXE Execution With Custom UserAgent
 id: 3286d37a-00fd-41c2-a624-a672dcd34e60
 status: test
-description: Detects a suspicious curl process start on Windows with set useragent options
+description: Detects execution of curl.exe with custom useragent options
 references:
 - https://curl.se/docs/manpage.html
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1071.001/T1071.001.md#atomic-test-2---malicious-user-agents---cmd
 author: frack113
 date: 2022/01/23
+modified: 2023/02/21
 tags:
 - attack.command_and_control
 - attack.t1071.001
diff --git a/rules/windows/process_creation/proc_creation_win_susp_dllhost_no_cli.yml b/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml
similarity index 78%
rename from rules/windows/process_creation/proc_creation_win_susp_dllhost_no_cli.yml
rename to rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml
index 3d6705937..c4934380b 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_dllhost_no_cli.yml
+++ b/rules/windows/process_creation/proc_creation_win_dllhost_no_cli_execution.yml
@@ -1,12 +1,13 @@ -title: Dllhost Process With No CommandLine +title: Dllhost.EXE Execution Anomaly id: e7888eb1-13b0-4616-bd99-4bc0c2b054b9 status: experimental -description: Detects a "dllhost" spawning with no commandline arguments which is a very rare thing to happen and could indicate process injection activity or malware mimicking similar system processes +description: Detects a "dllhost" process spawning with no commandline arguments which is very rare to happen and could indicate process injection activity or malware mimicking similar system processes. references: - https://redcanary.com/blog/child-processes/ - https://nasbench.medium.com/what-is-the-dllhost-exe-process-actually-running-ef9fe4c19c08 author: Nasreddine Bencherchali (Nextron Systems) date: 2022/06/27 +modified: 2023/02/21 tags: - attack.defense_evasion - attack.t1055 diff --git a/rules/windows/process_creation/proc_creation_win_dns_exfiltration_tools_execution.yml b/rules/windows/process_creation/proc_creation_win_dns_exfiltration_tools_execution.yml index 20b20b5fc..0aa75b634 100644 --- a/rules/windows/process_creation/proc_creation_win_dns_exfiltration_tools_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_dns_exfiltration_tools_execution.yml @@ -20,5 +20,5 @@ detection: - Image|contains: '\dnscat2' condition: selection falsepositives: - - Legitimate usage of iodine or dnscat2 — DNS Exfiltration tools (unlikely) + - Unlikely level: high diff --git a/rules/windows/process_creation/proc_creation_win_susp_dtrace_kernel_dump.yml b/rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump.yml similarity index 100% rename from rules/windows/process_creation/proc_creation_win_susp_dtrace_kernel_dump.yml rename to rules/windows/process_creation/proc_creation_win_dtrace_kernel_dump.yml 
diff --git a/rules/windows/process_creation/proc_creation_win_susp_esentutl_params.yml b/rules/windows/process_creation/proc_creation_win_esentutl_params.yml similarity index 100% rename from rules/windows/process_creation/proc_creation_win_susp_esentutl_params.yml rename to rules/windows/process_creation/proc_creation_win_esentutl_params.yml diff --git a/rules/windows/process_creation/proc_creation_win_susp_expand_cabinet_files.yml b/rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml similarity index 100% rename from rules/windows/process_creation/proc_creation_win_susp_expand_cabinet_files.yml rename to rules/windows/process_creation/proc_creation_win_expand_cabinet_files.yml diff --git a/rules/windows/process_creation/proc_creation_win_susp_findstr_lnk.yml b/rules/windows/process_creation/proc_creation_win_findstr_lnk.yml similarity index 100% rename from rules/windows/process_creation/proc_creation_win_susp_findstr_lnk.yml rename to rules/windows/process_creation/proc_creation_win_findstr_lnk.yml diff --git a/rules/windows/process_creation/proc_creation_win_susp_finger_usage.yml b/rules/windows/process_creation/proc_creation_win_finger_usage.yml similarity index 100% rename from rules/windows/process_creation/proc_creation_win_susp_finger_usage.yml rename to rules/windows/process_creation/proc_creation_win_finger_usage.yml diff --git a/rules/windows/process_creation/proc_creation_win_susp_fsutil_usage.yml b/rules/windows/process_creation/proc_creation_win_fsutil_usage.yml similarity index 100% rename from rules/windows/process_creation/proc_creation_win_susp_fsutil_usage.yml rename to rules/windows/process_creation/proc_creation_win_fsutil_usage.yml 
diff --git a/rules/windows/process_creation/proc_creation_win_susp_git_clone.yml b/rules/windows/process_creation/proc_creation_win_git_susp_clone.yml similarity index 100% rename from rules/windows/process_creation/proc_creation_win_susp_git_clone.yml rename to rules/windows/process_creation/proc_creation_win_git_susp_clone.yml diff --git a/rules/windows/process_creation/proc_creation_win_susp_gpresult.yml b/rules/windows/process_creation/proc_creation_win_gpresult_execution.yml similarity index 100% rename from rules/windows/process_creation/proc_creation_win_susp_gpresult.yml rename to rules/windows/process_creation/proc_creation_win_gpresult_execution.yml diff --git a/rules/windows/process_creation/proc_creation_win_susp_covenant.yml b/rules/windows/process_creation/proc_creation_win_hktl_covenant.yml similarity index 86% rename from rules/windows/process_creation/proc_creation_win_susp_covenant.yml rename to rules/windows/process_creation/proc_creation_win_hktl_covenant.yml index 530549687..5ec08dd58 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_covenant.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_covenant.yml @@ -1,4 +1,4 @@ -title: Covenant Launcher Indicators +title: HackTool - Covenant PowerShell Launcher id: c260b6db-48ba-4b4a-a76f-2f67644e99d2 status: test description: Detects suspicious command lines used in Covenant luanchers @@ -6,7 +6,7 @@ references: - https://posts.specterops.io/covenant-v0-5-eee0507b85ba author: Florian Roth (Nextron Systems), Jonhnathan Ribeiro, oscd.community date: 2020/06/04 -modified: 2021/11/27 +modified: 2023/02/21 tags: - attack.execution - attack.defense_evasion @@ -16,7 +16,7 @@ logsource: category: process_creation product: windows detection: - selection: + selection_1: CommandLine|contains|all: - '-Sta' - '-Nop' 
@@ -25,11 +25,11 @@ detection: CommandLine|contains: - '-Command' - '-EncodedCommand' - selection2: + selection_2: CommandLine|contains: - 'sv o (New-Object IO.MemorySteam);sv d ' - 'mshta file.hta' - 'GruntHTTP' - '-EncodedCommand cwB2ACAAbwAgA' - condition: selection or selection2 + condition: 1 of selection_* level: high diff --git a/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec.yml b/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml similarity index 100% rename from rules/windows/process_creation/proc_creation_win_hktl_crackmapexec.yml rename to rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution.yml diff --git a/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_execution.yml b/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution_patterns.yml similarity index 88% rename from rules/windows/process_creation/proc_creation_win_susp_crackmapexec_execution.yml rename to rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution_patterns.yml index 7808a9ef3..71e6da99a 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_execution_patterns.yml @@ -1,11 +1,12 @@ -title: CrackMapExec Command Execution +title: HackTool - CrackMapExec Execution Patterns id: 058f4380-962d-40a5-afce-50207d36d7e2 status: stable -description: Detect various execution methods of the CrackMapExec pentesting framework +description: Detects various execution patterns of the CrackMapExec pentesting framework references: - https://github.com/byt3bl33d3r/CrackMapExec author: Thomas Patzke date: 2020/05/22 +modified: 2023/02/22 tags: - attack.execution - attack.t1047 
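Review bot: The renamed selections `selection_1`/`selection_2` carry no meaning, whereas the rest of this commit uses descriptive names (`selection_img`, `selection_cli`); `selection_ps_flags` for the `-Sta`/`-Nop` block and `selection_grunt_strings` for the `GruntHTTP`/`MemorySteam` block would make `1 of selection_*` self-describing. The `description` context line in the previous hunk still reads `Detects suspicious command lines used in Covenant luanchers`; fix `luanchers` → `launchers` while the header is being touched. The first selection's `contains|all` list starts above this hunk.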
diff --git a/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_powershell_obfuscation.yml b/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml similarity index 76% rename from rules/windows/process_creation/proc_creation_win_susp_crackmapexec_powershell_obfuscation.yml rename to rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml index 8d2d372b0..d15da8c8a 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_crackmapexec_powershell_obfuscation.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_crackmapexec_powershell_obfuscation.yml @@ -1,4 +1,4 @@ -title: CrackMapExec PowerShell Obfuscation +title: HackTool - CrackMapExec PowerShell Obfuscation id: 6f8b3439-a203-45dc-a88b-abf57ea15ccf status: test description: The CrachMapExec pentesting framework implements a PowerShell obfuscation with some static strings detected by this rule. @@ -7,7 +7,7 @@ references: - https://github.com/byt3bl33d3r/CrackMapExec/blob/0a49f75347b625e81ee6aa8c33d3970b5515ea9e/cme/helpers/powershell.py#L242 author: Thomas Patzke date: 2020/05/22 -modified: 2021/11/27 +modified: 2023/02/21 tags: - attack.execution - attack.t1059.001 @@ -17,11 +17,14 @@ logsource: category: process_creation product: windows detection: - powershell_execution: - CommandLine|contains: - - 'powershell.exe' - - 'pwsh.exe' - snippets: + selection_img: + - Image|endswith: + - '\powershell.exe' + - '\pwsh.exe' + - OriginalFileName: + - 'PowerShell.EXE' + - 'pwsh.dll' + selection_cli: CommandLine|contains: - 'join*split' # Line 343ff @@ -30,7 +33,7 @@ detection: - '( $env:Public[13]+$env:Public[5]+''x'')' - '( $env:ComSpec[4,*,25]-Join'''')' - '[1,3]+''x''-Join'''')' - condition: powershell_execution and snippets + condition: all of selection_* fields: - ComputerName - User 
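Review bot: `OriginalFileName` (`PowerShell.EXE`, `pwsh.dll`) only exists in Sysmon/EDR-enriched events, so on plain 4688 telemetry `selection_img` reduces to the `Image|endswith` branch; add a comment on the selection such as `# OriginalFileName needs Sysmon/EDR telemetry; 4688 events match via Image only`. Moving from `CommandLine|contains: powershell.exe` to image/PE-name matching is an improvement: if the payload is launched through a `cmd.exe /c powershell.exe ...` wrapper the rule presumably no longer fires on the wrapper as well, and a renamed binary is still caught where `OriginalFileName` is populated. The `description` context line still says `CrachMapExec`; fix to `CrackMapExec` (and `Detects` would match house style).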
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_launch.yml b/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_launch.yml similarity index 94% rename from rules/windows/process_creation/proc_creation_win_susp_powershell_empire_launch.yml rename to rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_launch.yml index bde271965..dc3e5cb39 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_launch.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_launch.yml @@ -1,4 +1,4 @@ -title: Empire PowerShell Launch Parameters +title: HackTool - Empire PowerShell Launch Parameters id: 79f4ede3-402e-41c8-bc3e-ebbf5f162581 status: test description: Detects suspicious powershell command line parameters used in Empire @@ -9,7 +9,7 @@ references: - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-EventVwrBypass.ps1#L64 author: Florian Roth (Nextron Systems) date: 2019/04/20 -modified: 2021/11/27 +modified: 2023/02/21 tags: - attack.execution - attack.t1059.001 diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_uac_bypass.yml b/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_uac_bypass.yml similarity index 93% rename from rules/windows/process_creation/proc_creation_win_susp_powershell_empire_uac_bypass.yml rename to rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_uac_bypass.yml index aa62c3665..15dcf5b4b 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_powershell_empire_uac_bypass.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_empire_powershell_uac_bypass.yml 
@@ -1,4 +1,4 @@ -title: Empire PowerShell UAC Bypass +title: HackTool - Empire PowerShell UAC Bypass id: 3268b746-88d8-4cd3-bffc-30077d02c787 status: stable description: Detects some Empire PowerShell UAC bypass methods @@ -7,7 +7,7 @@ references: - https://github.com/EmpireProject/Empire/blob/e37fb2eef8ff8f5a0a689f1589f424906fe13055/data/module_source/privesc/Invoke-FodHelperBypass.ps1#L64 author: Ecco date: 2019/08/30 -modified: 2022/08/13 +modified: 2023/02/21 tags: - attack.defense_evasion - attack.privilege_escalation diff --git a/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml b/rules/windows/process_creation/proc_creation_win_hktl_impacket_lateral_movement.yml similarity index 97% rename from rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml rename to rules/windows/process_creation/proc_creation_win_hktl_impacket_lateral_movement.yml index 31a0b0df6..9dce5f864 100644 --- a/rules/windows/process_creation/proc_creation_win_impacket_lateralization.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_impacket_lateral_movement.yml @@ -1,4 +1,4 @@ -title: Potential Impacket Lateral Movement Activity +title: HackTool - Potential Impacket Lateral Movement Activity id: 10c14723-61c7-4c75-92ca-9af245723ad2 related: - id: e31f89f7-36fb-4697-8ab6-48823708353b @@ -13,7 +13,7 @@ references: - https://www.elastic.co/guide/en/security/current/suspicious-cmd-execution-via-wmi.html author: Ecco, oscd.community, Jonhnathan Ribeiro, Tim Rauch date: 2019/09/03 -modified: 2023/01/19 +modified: 2023/02/21 tags: - attack.execution - attack.t1047 diff --git a/rules/windows/process_creation/proc_creation_win_invoke_obfuscation_clip.yml b/rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_clip.yml similarity index 100% rename from rules/windows/process_creation/proc_creation_win_invoke_obfuscation_clip.yml rename to rules/windows/process_creation/proc_creation_win_hktl_invoke_obfuscation_clip.yml 
diff --git a/rules/windows/process_creation/proc_creation_win_jlaive_batch_execution.yml b/rules/windows/process_creation/proc_creation_win_hktl_jlaive_batch_execution.yml similarity index 80% rename from rules/windows/process_creation/proc_creation_win_jlaive_batch_execution.yml rename to rules/windows/process_creation/proc_creation_win_hktl_jlaive_batch_execution.yml index abf02394e..ec9edd293 100644 --- a/rules/windows/process_creation/proc_creation_win_jlaive_batch_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_hktl_jlaive_batch_execution.yml @@ -1,13 +1,13 @@ -title: Jlaive Usage For Assembly Execution In-Memory +title: HackTool - Jlaive In-Memory Assembly Execution id: 0a99eb3e-1617-41bd-b095-13dc767f3def status: experimental -description: Detect the use of Jlaive to execute assemblies in a copied PowerShell +description: Detects the use of Jlaive to execute assemblies in a copied PowerShell references: - https://jstnk9.github.io/jstnk9/research/Jlaive-Antivirus-Evasion-Tool - - https://github.com/ch2sh/Jlaive + - https://web.archive.org/web/20220514073704/https://github.com/ch2sh/Jlaive author: Jose Luis Sanchez Martinez (@Joseliyo_Jstnk) date: 2022/05/24 -modified: 2022/07/14 +modified: 2023/02/22 tags: - attack.execution - attack.t1059.003 diff --git a/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml b/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml new file mode 100644 index 000000000..ffd68c88d --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_hktl_mimikatz_command_line.yml 
@@ -0,0 +1,54 @@ +title: HackTool - Mimikatz Execution +id: a642964e-bead-4bed-8910-1bb4d63e3b4d +status: test +description: Detection well-known mimikatz command line arguments +references: + - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment + - https://tools.thehacker.recipes/mimikatz/modules +author: Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton +date: 2019/10/22 +modified: 2023/02/21 +tags: + - attack.credential_access + - attack.t1003.001 + - attack.t1003.002 + - attack.t1003.004 + - attack.t1003.005 + - attack.t1003.006 +logsource: + category: process_creation + product: windows +detection: + selection_tools_name: + CommandLine|contains: + - 'DumpCreds' + - 'mimikatz' + selection_function_names: # To cover functions from modules that are not in module_names + CommandLine|contains: + - '::aadcookie' #misc module + - '::detours' #misc module + - '::memssp' #misc module + - '::mflt' #misc module + - '::ncroutemon' #misc module + - '::ngcsign' #misc module + - '::printnightmare' #misc module + - '::skeleton' #misc module + - '::preshutdown' #service module + - '::mstsc' #ts module + - '::multirdp' #ts module + selection_module_names: + CommandLine|contains: + - 'rpc::' + - 'token::' + - 'crypto::' + - 'dpapi::' + - 'sekurlsa::' + - 'kerberos::' + - 'lsadump::' + - 'privilege::' + - 'process::' + - 'vault::' + condition: 1 of selection_* +falsepositives: + - Unlikely +level: high diff --git a/rules/windows/process_creation/proc_creation_win_detecting_fake_instances_of_hxtsr.yml b/rules/windows/process_creation/proc_creation_win_hxtsr_masquerading.yml similarity index 93% rename from rules/windows/process_creation/proc_creation_win_detecting_fake_instances_of_hxtsr.yml rename to rules/windows/process_creation/proc_creation_win_hxtsr_masquerading.yml index bbd5a645d..f3dd1379a 100644 --- a/rules/windows/process_creation/proc_creation_win_detecting_fake_instances_of_hxtsr.yml 
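Review bot: `selection_tools_name` now matches the bare substring `'mimikatz'` while the rule is raised to `level: high` with `falsepositives: Unlikely`, so any command line that merely mentions the tool — a `findstr`/`Select-String` IOC hunt, a `git clone` of the repository, or the VS Code `checkfilenameiocs` invocation the deleted rule explicitly filtered — now raises a high-severity alert. Either tie the name to execution syntax (`'mimikatz.exe'`, `'invoke-mimikatz'`, or require `'::'` alongside it as the old `mimikatz_separator` did) or list those benign uses under `falsepositives`. The `::`-prefixed module names are a genuine tightening over the old `module_names and mimikatz_separator` pairing and should stay. `description` reads `Detection well-known mimikatz command line arguments`; `Detects well-known Mimikatz command line arguments` matches the rest of the repository.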
+++ b/rules/windows/process_creation/proc_creation_win_hxtsr_masquerading.yml @@ -1,4 +1,4 @@ -title: Detecting Fake Instances Of Hxtsr.exe +title: Fake Instance Of Hxtsr.exe id: 4e762605-34a8-406d-b72e-c1a089313320 status: test description: | @@ -8,7 +8,7 @@ description: | Any instances of hxtsr.exe not in this folder may be malware camouflaging itself as HxTsr.exe author: Sreeman date: 2020/04/17 -modified: 2022/03/06 +modified: 2023/02/21 tags: - attack.defense_evasion - attack.t1036 diff --git a/rules/windows/process_creation/proc_creation_win_susp_disable_eventlog.yml b/rules/windows/process_creation/proc_creation_win_logman_disable_eventlog.yml similarity index 58% rename from rules/windows/process_creation/proc_creation_win_susp_disable_eventlog.yml rename to rules/windows/process_creation/proc_creation_win_logman_disable_eventlog.yml index 4c6a03c3f..1f752593f 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_disable_eventlog.yml +++ b/rules/windows/process_creation/proc_creation_win_logman_disable_eventlog.yml @@ -1,13 +1,13 @@ -title: Disable or Delete Windows Eventlog +title: Suspicious Windows Trace ETW Session Tamper Via Logman.EXE id: cd1f961e-0b96-436b-b7c6-38da4583ec00 status: test -description: Detects command that is used to disable or delete Windows eventlog via logman Windows utility +description: Detects the execution of "logman" utility in order to disable or delete Windows trace sessions references: - https://twitter.com/0gtweet/status/1359039665232306183?s=21 - https://ss64.com/nt/logman.html author: Florian Roth (Nextron Systems) date: 2021/02/11 -modified: 2022/12/25 +modified: 2023/02/21 tags: - attack.defense_evasion - attack.t1562.001 
@@ -16,14 +16,19 @@ logsource: category: process_creation product: windows detection: - selection_tools: - CommandLine|contains: 'logman ' + selection_img: + - Image|endswith: '\logman.exe' + - OriginalFileName: 'Logman.exe' selection_action: CommandLine|contains: - 'stop ' - 'delete ' selection_service: - CommandLine|contains: EventLog-System + CommandLine|contains: + - 'Circular Kernel Context Logger' + - 'EventLog-' # Cover multiple traces starting with EventLog-* + - 'SYSMON TRACE' + - 'SysmonDnsEtwSession' condition: all of selection* falsepositives: - Legitimate deactivation by administrative staff diff --git a/rules/windows/process_creation/proc_creation_win_susp_bginfo.yml b/rules/windows/process_creation/proc_creation_win_lolbin_bginfo.yml similarity index 100% rename from rules/windows/process_creation/proc_creation_win_susp_bginfo.yml rename to rules/windows/process_creation/proc_creation_win_lolbin_bginfo.yml diff --git a/rules/windows/process_creation/proc_creation_win_susp_devinit_lolbin.yml b/rules/windows/process_creation/proc_creation_win_lolbin_devinit.yml similarity index 100% rename from rules/windows/process_creation/proc_creation_win_susp_devinit_lolbin.yml rename to rules/windows/process_creation/proc_creation_win_lolbin_devinit.yml diff --git a/rules/windows/process_creation/proc_creation_win_susp_diskshadow.yml b/rules/windows/process_creation/proc_creation_win_lolbin_diskshadow.yml similarity index 86% rename from rules/windows/process_creation/proc_creation_win_susp_diskshadow.yml rename to rules/windows/process_creation/proc_creation_win_lolbin_diskshadow.yml index 1fd470768..22a54892e 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_diskshadow.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_diskshadow.yml 
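Review bot: `selection_action` only covers `'stop '` and `'delete '`, so detaching a provider with `logman update trace <session> --p <provider> -ets` (which leaves the `EventLog-*` session running but silent) is not caught; if that is deliberately out of scope, say so in `description`, otherwise add `- 'update '` after verifying the syntax against the ss64 reference already cited. `OriginalFileName: 'Logman.exe'` only exists in Sysmon/EDR-enriched events, so on 4688-only telemetry the rule rests on the `Image` branch; a comment such as `# OriginalFileName requires Sysmon/EDR telemetry` would help operators. The `falsepositives` line below the hunk still describes legitimate administrative deactivation, which should be kept in mind when reading the new `Suspicious` title; `level` is outside this hunk.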
@@ -14,7 +14,6 @@ tags: logsource: category: process_creation product: windows - definition: 'Requirements: Sysmon ProcessCreation logging must be activated and Windows audit must Include command line in process creation events' detection: selection: Image|endswith: '\diskshadow.exe' diff --git a/rules/windows/process_creation/proc_creation_win_susp_dnx.yml b/rules/windows/process_creation/proc_creation_win_lolbin_dnx.yml similarity index 100% rename from rules/windows/process_creation/proc_creation_win_susp_dnx.yml rename to rules/windows/process_creation/proc_creation_win_lolbin_dnx.yml diff --git a/rules/windows/process_creation/proc_creation_win_susp_format.yml b/rules/windows/process_creation/proc_creation_win_lolbin_format.yml similarity index 100% rename from rules/windows/process_creation/proc_creation_win_susp_format.yml rename to rules/windows/process_creation/proc_creation_win_lolbin_format.yml diff --git a/rules/windows/process_creation/proc_creation_win_susp_file_download_via_gfxdownloadwrapper.yml b/rules/windows/process_creation/proc_creation_win_lolbin_gfxdownloadwrapper_file_download.yml similarity index 96% rename from rules/windows/process_creation/proc_creation_win_susp_file_download_via_gfxdownloadwrapper.yml rename to rules/windows/process_creation/proc_creation_win_lolbin_gfxdownloadwrapper_file_download.yml index 98bc09e1c..77a978430 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_file_download_via_gfxdownloadwrapper.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_gfxdownloadwrapper_file_download.yml @@ -18,7 +18,7 @@ detection: Image|endswith: '\GfxDownloadWrapper.exe' filter: CommandLine|contains: 'gameplayapi.intel.com' - ParentImage|endswith: + ParentImage|endswith: - '\GfxDownloadWrapper.exe' - '\igfxEM.exe' condition: image_path and not filter 
diff --git a/rules/windows/process_creation/proc_creation_win_susp_emotet_rundll32_execution.yml b/rules/windows/process_creation/proc_creation_win_malware_emotet_rundll32_execution.yml similarity index 95% rename from rules/windows/process_creation/proc_creation_win_susp_emotet_rundll32_execution.yml rename to rules/windows/process_creation/proc_creation_win_malware_emotet_rundll32_execution.yml index 396d4f9bc..ddf007714 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_emotet_rundll32_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_malware_emotet_rundll32_execution.yml @@ -1,4 +1,4 @@ -title: Emotet RunDLL32 Process Creation +title: Potential Emotet Rundll32 Execution id: 54e57ce3-0672-46eb-a402-2c0948d5e3e9 status: test description: Detecting Emotet DLL loading by looking for rundll32.exe processes with command lines ending in ,RunDLL or ,Control_RunDLL @@ -7,7 +7,7 @@ references: - https://cyber.wtf/2021/11/15/guess-whos-back/ author: FPT.EagleEye date: 2020/12/25 -modified: 2021/11/17 +modified: 2023/02/21 tags: - attack.defense_evasion - attack.t1218.011 diff --git a/rules/windows/process_creation/proc_creation_win_mimikatz_command_line.yml b/rules/windows/process_creation/proc_creation_win_mimikatz_command_line.yml deleted file mode 100644 index 97d4c40e2..000000000 --- a/rules/windows/process_creation/proc_creation_win_mimikatz_command_line.yml +++ /dev/null 
@@ -1,64 +0,0 @@ -title: Mimikatz Command Line -id: a642964e-bead-4bed-8910-1bb4d63e3b4d -status: test -description: Detection well-known mimikatz command line arguments -references: - - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment - - https://tools.thehacker.recipes/mimikatz/modules -author: Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords), Tim Shelton -date: 2019/10/22 -modified: 2022/10/07 -tags: - - attack.credential_access - - attack.t1003.001 - - attack.t1003.002 - - attack.t1003.004 - - attack.t1003.005 - - attack.t1003.006 -logsource: - category: process_creation - product: windows -detection: - selection_1: - CommandLine|contains: - - DumpCreds - - invoke-mimikatz - module_names: - CommandLine|contains: - - rpc - - token - - crypto - - dpapi - - sekurlsa - - kerberos - - lsadump - - privilege - - process - - vault - mimikatz_separator: - CommandLine|contains: '::' - function_names: # To cover functions from modules that are not in module_names (likely too generic) - CommandLine|contains: - - 'aadcookie' #misc module - - 'detours' #misc module - - 'memssp' #misc module - - 'mflt' #misc module - - 'ncroutemon' #misc module - - 'ngcsign' #misc module - - 'printnightmare' #misc module - - 'skeleton' #misc module - - 'preshutdown' #service module - - 'mstsc' #ts module - - 'multirdp' #ts module - filter_1: - CommandLine|contains: 'function Convert-GuidToCompressedGuid' - filter_vscode: - # This FP could occur when VSCode is installed and a search/or string selection is made to look for one of these detections mentioned above - ParentImage|endswith: \AppData\Local\Programs\Microsoft VS Code\Code.exe # This is the default install location please add your custom one to avoid FP - CommandLine|contains|all: - - '/d /s /c ' - - 'checkfilenameiocs --ioc-path ' - condition: ( selection_1 or (module_names and mimikatz_separator) or (function_names and mimikatz_separator) ) and not 1 of filter* 
-falsepositives: - - Legitimate Administrator using tool for password recovery -level: medium diff --git a/rules/windows/process_creation/proc_creation_win_susp_mofcomp_execution.yml b/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml similarity index 93% rename from rules/windows/process_creation/proc_creation_win_susp_mofcomp_execution.yml rename to rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml index b63b8bfda..a33bf5e01 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_mofcomp_execution.yml +++ b/rules/windows/process_creation/proc_creation_win_mofcomp_execution.yml @@ -11,7 +11,7 @@ references: - https://docs.microsoft.com/en-us/windows/win32/wmisdk/mofcomp author: Nasreddine Bencherchali (Nextron Systems) date: 2022/07/12 -modified: 2022/09/13 +modified: 2023/02/21 tags: - attack.execution - attack.t1218 @@ -20,7 +20,8 @@ logsource: product: windows detection: selection_img: - Image|endswith: '\mofcomp.exe' + - Image|endswith: '\mofcomp.exe' + - OriginalFileName: 'mofcomp.exe' selection_case: - ParentImage|endswith: - '\cmd.exe' diff --git a/rules/windows/process_creation/proc_creation_win_dll_sideload_defender.yml b/rules/windows/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml similarity index 100% rename from rules/windows/process_creation/proc_creation_win_dll_sideload_defender.yml rename to rules/windows/process_creation/proc_creation_win_mpcmdrun_dll_sideload_defender.yml diff --git a/rules/windows/process_creation/proc_creation_win_susp_mshta_execution.yml b/rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml similarity index 100% rename from rules/windows/process_creation/proc_creation_win_susp_mshta_execution.yml rename to rules/windows/process_creation/proc_creation_win_mshta_susp_execution.yml 
diff --git a/rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml b/rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml new file mode 100644 index 000000000..eb22b8bdd --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_mshta_susp_pattern.yml @@ -0,0 +1,54 @@ +title: Suspicious Mshta.EXE Execution Patterns +id: e32f92d1-523e-49c3-9374-bdb13b46a3ba +status: experimental +description: Detects suspicious mshta process execution patterns +references: + - https://en.wikipedia.org/wiki/HTML_Application + - https://www.echotrail.io/insights/search/mshta.exe + - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/ +author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) +date: 2021/07/17 +modified: 2023/02/21 +tags: + - attack.execution + - attack.t1106 +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Image|endswith: '\mshta.exe' + - OriginalFileName: 'MSHTA.EXE' + selection_susp: + # Suspicious parents + ParentImage|endswith: + - '\cmd.exe' + - '\cscript.exe' + - '\powershell.exe' + - '\pwsh.exe' + - '\regsvr32.exe' + - '\rundll32.exe' + - '\wscript.exe' + # Suspicious folders + CommandLine|contains: + - '\AppData\Local\' + - 'C:\ProgramData\' + - 'C:\Users\Public\' + - 'C:\Windows\Temp\' + filter_img: + # Filter legit Locations + - Image|startswith: + - 'C:\Windows\System32\' + - 'C:\Windows\SysWOW64\' + # Suspicious extensions + - CommandLine|contains: + - '.htm' + - '.hta' + # Filter simple execution + - CommandLine|endswith: + - 'mshta.exe' + - 'mshta' + condition: all of selection_* or (selection_img and not filter_img) +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml b/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml index 138f7e2b1..e8acd7b86 100644 --- a/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml 
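Review bot: The three entries under `filter_img` are ORed (a list of maps), so `not filter_img` requires all three to be false; because the first entry excludes `C:\Windows\System32\` and `C:\Windows\SysWOW64\`, the second branch of `condition` can never match the genuine mshta.exe, and inline `vbscript:`/`javascript:` payloads run by the real binary are caught only when `selection_susp` (suspicious parent AND suspicious folder, both keys in one map) also holds. The comment `# Suspicious extensions` on a filter entry suggests the filter semantics were mixed up; splitting the filters by intent and spelling out each branch in a comment makes the logic auditable, as below — verify the second branch against your baseline before adopting it, since it widens the rule to mshta started from System32 with non-file arguments. `CommandLine|endswith: 'mshta.exe'` also misses the quoted form `"...\mshta.exe"`; add `'mshta.exe"'` or comment why it is omitted. `ParentImage`/`OriginalFileName` require Sysmon/EDR telemetry.
```yaml
    # … unchanged: selection_img, selection_susp …
    filter_legit_location:
        Image|startswith:
            - 'C:\Windows\System32\'
            - 'C:\Windows\SysWOW64\'
    filter_hta_file:
        CommandLine|contains:
            - '.htm'
            - '.hta'
    filter_bare_exec:
        CommandLine|endswith:
            - 'mshta.exe'
            - 'mshta.exe"'
            - 'mshta'
    # Branch 1: mshta from a scripting/shell parent with a user-writable path in its arguments.
    # Branch 2: mshta given arguments that are neither an .hta/.htm file nor empty
    #           (inline vbscript:/javascript: payloads), independent of binary location.
    condition: all of selection_* or (selection_img and not filter_hta_file and not filter_bare_exec)
```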
+++ b/rules/windows/process_creation/proc_creation_win_msiexec_dll.yml @@ -1,14 +1,14 @@ -title: Suspicious Msiexec Load DLL +title: DllUnregisterServer Function Call Via Msiexec.EXE id: 84f52741-8834-4a8c-a413-2eb2269aa6c8 status: experimental description: Detects MsiExec loading a DLL and calling its DllUnregisterServer function references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.007/T1218.007.md - - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec + - https://lolbas-project.github.io/lolbas/Binaries/Msiexec/ - https://twitter.com/_st0pp3r_/status/1583914515996897281 author: frack113 date: 2022/04/24 -modified: 2022/10/23 +modified: 2023/02/22 tags: - attack.defense_evasion - attack.t1218.007 @@ -16,8 +16,10 @@ logsource: product: windows category: process_creation detection: - selection_msi: - Image|endswith: '\msiexec.exe' + selection_img: + - Image|endswith: '\msiexec.exe' + - OriginalFileName: '\msiexec.exe' + selection_flag: CommandLine|contains: - ' /z ' - ' -z ' diff --git a/rules/windows/process_creation/proc_creation_win_susp_msiexec_cwd.yml b/rules/windows/process_creation/proc_creation_win_msiexec_masquerading.yml similarity index 71% rename from rules/windows/process_creation/proc_creation_win_susp_msiexec_cwd.yml rename to rules/windows/process_creation/proc_creation_win_msiexec_masquerading.yml index 089593502..719db6d43 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_msiexec_cwd.yml +++ b/rules/windows/process_creation/proc_creation_win_msiexec_masquerading.yml 
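Review bot: `OriginalFileName: '\msiexec.exe'` can never match: `OriginalFileName` is the bare file name from the PE version resource, not a path, so the leading backslash makes this branch dead; change it to `OriginalFileName: 'msiexec.exe'`. The `condition` is outside this hunk — since `selection_msi` no longer exists it must now read `all of selection_*`, otherwise the rule no longer compiles. A comment that `OriginalFileName` is only present with Sysmon/EDR telemetry would also help.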
@@ -1,12 +1,12 @@ -title: Suspicious MsiExec Directory +title: Potential MsiExec Masquerading id: e22a6eb2-f8a5-44b5-8b44-a2dbd47b1144 status: test -description: Detects execution of msiexec from an uncommon directory +description: Detects the execution of msiexec.exe from an uncommon directory references: - https://twitter.com/200_okay_/status/1194765831911215104 author: Florian Roth (Nextron Systems) date: 2019/11/14 -modified: 2021/11/27 +modified: 2023/02/21 tags: - attack.defense_evasion - attack.t1036.005 @@ -15,7 +15,8 @@ logsource: product: windows detection: selection: - Image|endswith: '\msiexec.exe' + - Image|endswith: '\msiexec.exe' + - OriginalFileName: '\msiexec.exe' filter: Image|startswith: - 'C:\Windows\System32\' diff --git a/rules/windows/process_creation/proc_creation_win_susp_msiexec_web_install.yml b/rules/windows/process_creation/proc_creation_win_msiexec_web_install.yml similarity index 100% rename from rules/windows/process_creation/proc_creation_win_susp_msiexec_web_install.yml rename to rules/windows/process_creation/proc_creation_win_msiexec_web_install.yml diff --git a/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml b/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml index 577b4ef05..5ce66281f 100644 --- a/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml +++ b/rules/windows/process_creation/proc_creation_win_msra_process_injection.yml 
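Review bot: `OriginalFileName: '\msiexec.exe'` will match nothing, because `OriginalFileName` holds the bare name from the PE version info (`msiexec.exe`) rather than a path; drop the backslash. Once fixed, the OR in `selection` lets the rule catch a renamed copy of msiexec.exe (e.g. `C:\Users\Public\svchost.exe`) while `filter` still whitelists only the `Image` path, which is the masquerading semantics the new title promises. Add `# OriginalFileName requires Sysmon/EDR telemetry; 4688 events match via Image only` so operators on 4688-only logging know which branch is live. The remainder of `filter` is outside this hunk.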
@@ -1,7 +1,7 @@ title: Potential Process Injection Via Msra.EXE id: 744a188b-0415-4792-896f-11ddb0588dbc status: experimental -description: Detects potential process injection via Microsoft Remote Asssistance (Msra.exe). It has been a target used by many threat actors and used for discovery and persistence tactics +description: Detects potential process injection via Microsoft Remote Asssistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been a target used by many threat actors and used for discovery and persistence tactics references: - https://www.microsoft.com/security/blog/2021/12/09/a-closer-look-at-qakbots-latest-building-blocks-and-how-to-knock-them-down/ - https://www.fortinet.com/content/dam/fortinet/assets/analyst-reports/ar-qakbot.pdf diff --git a/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml b/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml index 2c9575b83..2b3dd6936 100644 --- a/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml +++ b/rules/windows/process_creation/proc_creation_win_net_default_accounts_manipulation.yml @@ -1,4 +1,4 @@ -title: Suspicious Manipulation Of Default Accounts +title: Suspicious Manipulation Of Default Accounts Via Net.EXE id: 5b768e71-86f2-4879-b448-81061cbae951 status: experimental description: Detects suspicious manipulations of default accounts such as 'administrator' and 'guest'. For example 'enable' or 'disable' accounts or change the password...etc @@ -8,7 +8,7 @@ references: - https://www.microsoft.com/security/blog/2022/09/07/profiling-dev-0270-phosphorus-ransomware-operations/ author: Nasreddine Bencherchali (Nextron Systems) date: 2022/09/01 -modified: 2022/09/09 +modified: 2023/02/21 tags: - attack.collection - attack.t1560.001 
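Review bot: The rewritten description line still misspells `Asssistance` (three s); since the whole line is being replaced anyway it should read `description: Detects potential process injection via Microsoft Remote Assistance (Msra.exe) by looking at suspicious child processes spawned from the aforementioned process. It has been a target used by many threat actors and used for discovery and persistence tactics`. The second sentence also repeats "used" twice; `It has been targeted by many threat actors for discovery and persistence` is tighter. The detection block of this rule is outside the hunk.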
@@ -17,9 +17,12 @@ logsource: product: windows detection: selection_img: - Image|endswith: + - Image|endswith: - '\net.exe' - '\net1.exe' + - OriginalFileName: + - 'net.exe' + - 'net1.exe' selection_user_option: CommandLine|contains: ' user ' selection_username: diff --git a/rules/windows/process_creation/proc_creation_win_susp_network_listing_connections.yml b/rules/windows/process_creation/proc_creation_win_net_network_connections_discovery.yml similarity index 72% rename from rules/windows/process_creation/proc_creation_win_susp_network_listing_connections.yml rename to rules/windows/process_creation/proc_creation_win_net_network_connections_discovery.yml index 2265b3a95..2c711a409 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_network_listing_connections.yml +++ b/rules/windows/process_creation/proc_creation_win_net_network_connections_discovery.yml @@ -1,4 +1,4 @@ -title: Suspicious Listing of Network Connections +title: System Network Connections Discovery Via Net.EXE id: 1c67a717-32ba-409b-a45d-0fb704a73a81 status: experimental description: Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network. @@ -6,7 +6,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1049/T1049.md#atomic-test-1---system-network-connections-discovery author: frack113 date: 2021/12/10 -modified: 2022/07/14 +modified: 2023/02/21 tags: - attack.discovery - attack.t1049 
@@ -14,18 +14,21 @@ logsource: category: process_creation product: windows detection: - netstat: - CommandLine|contains: netstat - net_cmd: - CommandLine|contains: 'net ' - net_opt: + selection_img: + - Image|endswith: + - '\net.exe' + - '\net1.exe' + - OriginalFileName: + - 'net.exe' + - 'net1.exe' + selection_cli: - CommandLine|endswith: - ' use' - ' sessions' - CommandLine|contains: - ' use ' - ' sessions ' - condition: netstat or all of net_* + condition: all of selection_* falsepositives: - Unknown level: low diff --git a/rules/windows/process_creation/proc_creation_win_net_share_and_sessions_enum.yml b/rules/windows/process_creation/proc_creation_win_net_share_and_sessions_enum.yml index 7935e83cb..182c19d92 100644 --- a/rules/windows/process_creation/proc_creation_win_net_share_and_sessions_enum.yml +++ b/rules/windows/process_creation/proc_creation_win_net_share_and_sessions_enum.yml @@ -7,7 +7,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md author: Endgame, JHasenbusch (ported for oscd.community) date: 2018/10/30 -modified: 2023/02/01 +modified: 2023/02/21 tags: - attack.discovery - attack.t1018 @@ -15,14 +15,18 @@ logsource: category: process_creation product: windows detection: - selection: - Image|endswith: + selection_img: + - Image|endswith: - '\net.exe' - '\net1.exe' + - OriginalFileName: + - 'net.exe' + - 'net1.exe' + selection_cli: CommandLine|contains: 'view' filter: CommandLine|contains: '\\\\' - condition: selection and not filter + condition: all of selection_* and not filter fields: - ComputerName - User 
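Review bot: The new `condition: all of selection_*` drops the old `netstat` branch (`CommandLine|contains: netstat`) entirely, so this rule no longer covers the netstat variant that the referenced T1049 atomic test exercises, while the description kept in the first hunk still speaks of network-connection discovery generically. If netstat coverage has moved to another rule, a `related:` entry with `type: similar` pointing at it would make the split visible; otherwise the description should be narrowed to net.exe to match the new title. The image part is fine: `selection_img` is a list of two maps, so Image and OriginalFileName are OR-ed as intended.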
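Review bot: In proc_creation_win_net_share_and_sessions_enum.yml the new `selection_cli` keeps the bare `CommandLine|contains: 'view'`, which matches any net.exe/net1.exe command line containing that substring anywhere (a user name, a share name, a path), not only the `net view` verb. Now that the rule is split into `selection_img`/`selection_cli`, anchoring the token with a leading space, `CommandLine|contains: ' view'`, cuts that noise at no cost. The `fields:` list continues outside the hunk.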
diff --git a/rules/windows/process_creation/proc_creation_win_susp_mounted_share_deletion.yml b/rules/windows/process_creation/proc_creation_win_net_share_unmount.yml similarity index 89% rename from rules/windows/process_creation/proc_creation_win_susp_mounted_share_deletion.yml rename to rules/windows/process_creation/proc_creation_win_net_share_unmount.yml index f4b6c9f83..4bac3edc7 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_mounted_share_deletion.yml +++ b/rules/windows/process_creation/proc_creation_win_net_share_unmount.yml @@ -1,12 +1,12 @@ -title: Mounted Share Deleted +title: Unmount Share Via Net.EXE id: cb7c4a03-2871-43c0-9bbb-18bbdb079896 status: test description: Detects when when a mounted share is removed. Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1070.005/T1070.005.md -author: 'oscd.community, @redcanary, Zach Stanford @svch0st' +author: oscd.community, @redcanary, Zach Stanford @svch0st date: 2020/10/08 -modified: 2022/07/11 +modified: 2023/02/21 tags: - attack.defense_evasion - attack.t1070.005 diff --git a/rules/windows/process_creation/proc_creation_win_net_start_service.yml b/rules/windows/process_creation/proc_creation_win_net_start_service.yml index 1b53f8c2c..b2d9c0c01 100644 --- a/rules/windows/process_creation/proc_creation_win_net_start_service.yml +++ b/rules/windows/process_creation/proc_creation_win_net_start_service.yml @@ -6,7 +6,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1569.002/T1569.002.md author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community date: 2019/10/21 -modified: 2023/02/01 +modified: 2023/02/21 tags: - attack.execution - attack.t1569.002 
@@ -14,12 +14,16 @@ logsource: category: process_creation product: windows detection: - selection: - Image|endswith: + selection_img: + - Image|endswith: - '\net.exe' - '\net1.exe' + - OriginalFileName: + - 'net.exe' + - 'net1.exe' + selection_cli: CommandLine|contains: ' start ' # space character after the 'start' keyword indicates that a service name follows, in contrast to `net start` discovery expression - condition: selection + condition: all of selection_* falsepositives: - Legitimate administrator or user executes a service for legitimate reasons. level: low diff --git a/rules/windows/process_creation/proc_creation_win_susp_net_execution.yml b/rules/windows/process_creation/proc_creation_win_net_susp_execution.yml similarity index 100% rename from rules/windows/process_creation/proc_creation_win_susp_net_execution.yml rename to rules/windows/process_creation/proc_creation_win_net_susp_execution.yml diff --git a/rules/windows/process_creation/proc_creation_win_net_use_mount_admin_share.yml b/rules/windows/process_creation/proc_creation_win_net_use_mount_admin_share.yml index 816ae5a71..1335b8a55 100644 --- a/rules/windows/process_creation/proc_creation_win_net_use_mount_admin_share.yml +++ b/rules/windows/process_creation/proc_creation_win_net_use_mount_admin_share.yml @@ -1,4 +1,4 @@ -title: Windows Admin Share Mounted Via Net.EXE +title: Windows Admin Share Mount Via Net.EXE id: 3abd6094-7027-475f-9630-8ab9be7b9725 related: - id: f117933c-980c-4f78-b384-e3d838111165 @@ -7,9 +7,9 @@ status: test description: Detects when an admin share is mounted using net.exe references: - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view -author: 'oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, wagga' +author: oscd.community, Teymur Kheirkhabarov @HeirhabarovT, Zach Stanford @svch0st, wagga date: 2020/10/05 -modified: 2023/02/01 +modified: 2023/02/21 tags: - attack.lateral_movement - attack.t1021.002 
@@ -17,14 +17,18 @@ logsource: category: process_creation product: windows detection: - selection: - Image|endswith: + selection_img: + - Image|endswith: - '\net.exe' - '\net1.exe' + - OriginalFileName: + - 'net.exe' + - 'net1.exe' + selection_cli: CommandLine|contains|all: - ' use ' - ' \\\\*\\*$' - condition: selection + condition: all of selection_* falsepositives: - Administrators level: medium diff --git a/rules/windows/process_creation/proc_creation_win_net_use_mount_internet_share.yml b/rules/windows/process_creation/proc_creation_win_net_use_mount_internet_share.yml new file mode 100644 index 000000000..fcd01b866 --- /dev/null +++ b/rules/windows/process_creation/proc_creation_win_net_use_mount_internet_share.yml @@ -0,0 +1,30 @@ +title: Windows Internet Hosted WebDav Share Mount Via Net.EXE +id: 7e6237fe-3ddb-438f-9381-9bf9de5af8d0 +status: experimental +description: Detects when an internet hosted webdav share is mounted using the "net.exe" utility +references: + - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view +author: Nasreddine Bencherchali (Nextron Systems) +date: 2023/02/21 +tags: + - attack.lateral_movement + - attack.t1021.002 +logsource: + category: process_creation + product: windows +detection: + selection_img: + - Image|endswith: + - '\net.exe' + - '\net1.exe' + - OriginalFileName: + - 'net.exe' + - 'net1.exe' + selection_cli: + CommandLine|contains: + - ' use ' + - ' http' + condition: all of selection_* +falsepositives: + - Unknown +level: high diff --git a/rules/windows/process_creation/proc_creation_win_net_use_mount_share.yml b/rules/windows/process_creation/proc_creation_win_net_use_mount_share.yml index 311a8a250..5de865054 100644 --- a/rules/windows/process_creation/proc_creation_win_net_use_mount_share.yml +++ b/rules/windows/process_creation/proc_creation_win_net_use_mount_share.yml 
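Review bot: In the new proc_creation_win_net_use_mount_internet_share.yml, `selection_cli` lists `' use '` and `' http'` under a plain `CommandLine|contains:`, which Sigma evaluates as OR, so every `net use` invocation (and any net command line containing ` http`) fires this level: high rule, contradicting its title and description. The admin-share hunk right before it shows the intended form: `CommandLine|contains|all:`. The same OR-list shape (`' use '` / `' \\\\'`) is present in the proc_creation_win_net_use_mount_share.yml hunk that follows; there it is pre-existing context and the rule is level: low, but it deserves the same look.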
@@ -1,4 +1,4 @@ -title: Windows Share Mounted Via Net.EXE +title: Windows Share Mount Via Net.EXE id: f117933c-980c-4f78-b384-e3d838111165 related: - id: 3abd6094-7027-475f-9630-8ab9be7b9725 @@ -9,6 +9,7 @@ references: - https://drive.google.com/file/d/1lKya3_mLnR3UQuCoiYruO3qgu052_iS_/view author: Nasreddine Bencherchali (Nextron Systems) date: 2023/02/02 +modified: 2023/02/21 tags: - attack.lateral_movement - attack.t1021.002 @@ -16,14 +17,18 @@ logsource: category: process_creation product: windows detection: - selection: - Image|endswith: + selection_img: + - Image|endswith: - '\net.exe' - '\net1.exe' + - OriginalFileName: + - 'net.exe' + - 'net1.exe' + selection_cli: CommandLine|contains: - ' use ' - ' \\\\' - condition: selection + condition: all of selection_* falsepositives: - Legitimate activity by administrators and scripts level: low diff --git a/rules/windows/process_creation/proc_creation_win_susp_net_use_password_plaintext.yml b/rules/windows/process_creation/proc_creation_win_net_use_password_plaintext.yml similarity index 58% rename from rules/windows/process_creation/proc_creation_win_susp_net_use_password_plaintext.yml rename to rules/windows/process_creation/proc_creation_win_net_use_password_plaintext.yml index e528196da..3e95a15ab 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_net_use_password_plaintext.yml +++ b/rules/windows/process_creation/proc_creation_win_net_use_password_plaintext.yml @@ -1,4 +1,4 @@ -title: Password Provided In Command Line Of Net.exe +title: Password Provided In Command Line Of Net.EXE id: d4498716-1d52-438f-8084-4a603157d131 status: test description: Detects a when net.exe is called with a password in the command line 
@@ -6,22 +6,26 @@ references: - Internal Research author: Tim Shelton (HAWK.IO) date: 2021/12/09 -modified: 2022/12/25 +modified: 2023/02/21 logsource: category: process_creation product: windows detection: - selection1: - Image: C:\Windows\System32\net.exe - selection2: + selection_img: + - Image|endswith: + - '\net.exe' + - '\net1.exe' + - OriginalFileName: + - 'net.exe' + - 'net1.exe' + selection_cli: CommandLine|contains|all: - - 'net' - ' use ' - ':*\\' - '/USER:* *' - filter: + filter_empty: CommandLine|endswith: ' ' - condition: all of selection* and not 1 of filter* + condition: all of selection_* and not 1 of filter* falsepositives: - Unknown level: medium diff --git a/rules/windows/process_creation/proc_creation_win_net_user_add.yml b/rules/windows/process_creation/proc_creation_win_net_user_add.yml index 6a009d3b8..a314aa29c 100644 --- a/rules/windows/process_creation/proc_creation_win_net_user_add.yml +++ b/rules/windows/process_creation/proc_creation_win_net_user_add.yml @@ -10,7 +10,7 @@ references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1136.001/T1136.001.md author: Endgame, JHasenbusch (adapted to Sigma for oscd.community) date: 2018/10/30 -modified: 2023/02/02 +modified: 2023/02/21 tags: - attack.persistence - attack.t1136.001 @@ -18,14 +18,18 @@ logsource: category: process_creation product: windows detection: - selection: - Image|endswith: + selection_img: + - Image|endswith: - '\net.exe' - '\net1.exe' + - OriginalFileName: + - 'net.exe' + - 'net1.exe' + selection_cli: CommandLine|contains|all: - 'user' - 'add' - condition: selection + condition: all of selection_* fields: - ComputerName - User diff --git a/rules/windows/process_creation/proc_creation_win_net_user_add_never_expire.yml b/rules/windows/process_creation/proc_creation_win_net_user_add_never_expire.yml index 7587c8d73..46eff59d7 100644 --- a/rules/windows/process_creation/proc_creation_win_net_user_add_never_expire.yml 
+++ b/rules/windows/process_creation/proc_creation_win_net_user_add_never_expire.yml @@ -9,7 +9,7 @@ references: - https://thedfirreport.com/2022/07/11/select-xmrig-from-sqlserver/ author: Nasreddine Bencherchali (Nextron Systems) date: 2022/07/12 -modified: 2023/02/01 +modified: 2023/02/21 tags: - attack.persistence - attack.t1136.001 @@ -17,15 +17,19 @@ logsource: category: process_creation product: windows detection: - selection: - Image|endswith: + selection_img: + - Image|endswith: - '\net.exe' - '\net1.exe' + - OriginalFileName: + - 'net.exe' + - 'net1.exe' + selection_cli: CommandLine|contains|all: - 'user' - 'add' - 'expires:never' - condition: selection + condition: all of selection_* falsepositives: - Unlikely level: high diff --git a/rules/windows/process_creation/proc_creation_win_network_sniffing.yml b/rules/windows/process_creation/proc_creation_win_network_sniffing.yml index dd256d1e3..891987e60 100644 --- a/rules/windows/process_creation/proc_creation_win_network_sniffing.yml +++ b/rules/windows/process_creation/proc_creation_win_network_sniffing.yml 
@@ -2,14 +2,14 @@ title: Potential Network Sniffing Activity Using Network Tools id: ba1f7802-adc7-48b4-9ecb-81e227fddfd5 status: test description: | - Detects potential network sniffing via use of network tools such as "tshark", "windump" or "netsh". + Detects potential network sniffing via use of network tools such as "tshark", "windump". Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. references: - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1040/T1040.md author: Timur Zinniatullin, oscd.community, Nasreddine Bencherchali (Nextron Systems) date: 2019/10/21 -modified: 2023/02/01 +modified: 2023/02/20 tags: - attack.credential_access - attack.discovery @@ -23,13 +23,6 @@ detection: CommandLine|contains: '-i' selection_windump: Image|endswith: '\windump.exe' - selection_netsh: - Image|endswith: '\netsh.exe' - CommandLine|contains|all: - - ' trace ' - - ' start ' - - ' capture' - - 'yes' condition: 1 of selection_* falsepositives: - Legitimate administration activity to troubleshoot network issues diff --git a/rules/windows/process_creation/proc_creation_win_susp_ntdsutil_usage.yml b/rules/windows/process_creation/proc_creation_win_ntdsutil_susp_usage.yml similarity index 100% rename from rules/windows/process_creation/proc_creation_win_susp_ntdsutil_usage.yml rename to rules/windows/process_creation/proc_creation_win_ntdsutil_susp_usage.yml 
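Review bot: After removing netsh from the sentence, the new description line ends with `such as "tshark", "windump".`, a dangling comma; it should read `such as "tshark" or "windump".` The deletion of `selection_netsh` in the second hunk is not explained anywhere in the rule — if the `netsh trace start` capture coverage has moved to a dedicated rule, a `related:` entry would let readers find it; otherwise this is a silent coverage drop that the description should acknowledge.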
diff --git a/rules/windows/process_creation/proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml b/rules/windows/process_creation/proc_creation_win_persistence_userinitmprlogonscript.yml similarity index 73% rename from rules/windows/process_creation/proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml rename to rules/windows/process_creation/proc_creation_win_persistence_userinitmprlogonscript.yml index 49ec12676..4f73b26b8 100644 --- a/rules/windows/process_creation/proc_creation_win_logon_scripts_userinitmprlogonscript_proc.yml +++ b/rules/windows/process_creation/proc_creation_win_persistence_userinitmprlogonscript.yml @@ -14,22 +14,20 @@ logsource: category: process_creation product: windows detection: - exec_selection: + selection_cli: + CommandLine|contains: 'UserInitMprLogonScript' + selection_parent: ParentImage|endswith: '\userinit.exe' - exec_exclusion1: - Image|endswith: - - '\explorer.exe' - - '\proquota.exe' - exec_exclusion2: - CommandLine|contains: + filter_parent: + - CommandLine|contains: - 'netlogon*.bat' - 'UsrLogon.cmd' - 'C:\WINDOWS\Explorer.EXE' - exec_exclusion3: - Image|endswith: '\Citrix\System32\icast.exe' - create_keywords_cli: - CommandLine|contains: 'UserInitMprLogonScript' - condition: ( exec_selection and not 1 of exec_exclusion* ) or create_keywords_cli + - Image|endswith: + - '\explorer.exe' + - '\proquota.exe' + - '\Citrix\System32\icast.exe' + condition: selection_cli or (selection_parent and not filter_parent) falsepositives: - Exclude legitimate logon scripts level: high diff --git a/rules/windows/process_creation/proc_creation_win_aadinternals_cmdlets_execution.yml b/rules/windows/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml similarity index 100% rename from rules/windows/process_creation/proc_creation_win_aadinternals_cmdlets_execution.yml rename to rules/windows/process_creation/proc_creation_win_powershell_aadinternals_cmdlets_execution.yml 
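Review bot: The new `filter_parent` name is misleading: both of its alternatives test the child process (`CommandLine|contains` and `Image|endswith`), not the parent, and it is only ever applied to `selection_parent`, the one selection that looks at ParentImage. A name such as `filter_child` would read correctly in `condition: selection_cli or (selection_parent and not filter_child)`. Logic-wise the rewrite is equivalent to the old `1 of exec_exclusion*`, since the two-map list under the filter is OR-ed.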
diff --git a/rules/windows/process_creation/proc_creation_win_susp_athremotefxvgpudisablementcommand.yml b/rules/windows/process_creation/proc_creation_win_powershell_ath_remote_fxv_gpu_disablement_command.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_athremotefxvgpudisablementcommand.yml
rename to rules/windows/process_creation/proc_creation_win_powershell_ath_remote_fxv_gpu_disablement_command.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_base64_encoded_cmd.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_cmd.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_powershell_base64_encoded_cmd.yml
rename to rules/windows/process_creation/proc_creation_win_powershell_base64_encoded_cmd.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_base64_load.yml b/rules/windows/process_creation/proc_creation_win_powershell_base64_load.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_base64_load.yml
rename to rules/windows/process_creation/proc_creation_win_powershell_base64_load.yml
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_create_service.yml b/rules/windows/process_creation/proc_creation_win_powershell_create_service.yml
new file mode 100644
index 000000000..90af18ddf
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_powershell_create_service.yml
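Review bot: The new rule requires the literal `'-BinaryPathName'`, but PowerShell binds any unambiguous parameter prefix, so ordinary invocations spelled `-BinaryPath` or shorter never match; a shorter token in the `contains|all` pair closes that gap at some cost in precision, which the description should mention. There is also no Image/OriginalFileName selection, unlike the net.exe rules in this commit, so the match is purely on command-line text — acceptable for a cmdlet name, but worth stating. Finally, the file is created with `status: test` while the other new rule in this commit (proc_creation_win_net_use_mount_internet_share.yml) starts at `experimental`; one of the two should be adjusted for consistency.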
@@ -0,0 +1,28 @@ +title: New Service Creation Using PowerShell +id: c02e96b7-c63a-4c47-bd83-4a9f74afcfb2 +related: + - id: 85ff530b-261d-48c6-a441-facaa2e81e48 # Using Sc.EXE + type: similar +status: test +description: Detects the creation of a new service using powershell. +references: + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md +author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community +date: 2023/02/20 +tags: + - attack.persistence + - attack.privilege_escalation + - attack.t1543.003 +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains|all: + - 'New-Service' + - '-BinaryPathName' + condition: selection +falsepositives: + - Legitimate administrator or user creates a service for legitimate reasons. + - Software installation +level: low diff --git a/rules/windows/process_creation/proc_creation_win_disable_defender_av_security_monitoring.yml b/rules/windows/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml similarity index 100% rename from rules/windows/process_creation/proc_creation_win_disable_defender_av_security_monitoring.yml rename to rules/windows/process_creation/proc_creation_win_powershell_disable_defender_av_security_monitoring.yml diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_download_cradles.yml b/rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml similarity index 100% rename from rules/windows/process_creation/proc_creation_win_susp_powershell_download_cradles.yml rename to rules/windows/process_creation/proc_creation_win_powershell_download_cradles.yml 
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_download_iex.yml b/rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_powershell_download_iex.yml
rename to rules/windows/process_creation/proc_creation_win_powershell_download_iex.yml
diff --git a/rules/windows/process_creation/proc_creation_win_email_exfil_via_powershell.yml b/rules/windows/process_creation/proc_creation_win_powershell_email_exfil.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_email_exfil_via_powershell.yml
rename to rules/windows/process_creation/proc_creation_win_powershell_email_exfil.yml
diff --git a/rules/windows/process_creation/proc_creation_win_enable_susp_windows_optional_feature.yml b/rules/windows/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_enable_susp_windows_optional_feature.yml
rename to rules/windows/process_creation/proc_creation_win_powershell_enable_susp_windows_optional_feature.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_encode.yml b/rules/windows/process_creation/proc_creation_win_powershell_encode.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_powershell_encode.yml
rename to rules/windows/process_creation/proc_creation_win_powershell_encode.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_encoded_cmd_patterns.yml b/rules/windows/process_creation/proc_creation_win_powershell_encoded_cmd_patterns.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_powershell_encoded_cmd_patterns.yml
rename to rules/windows/process_creation/proc_creation_win_powershell_encoded_cmd_patterns.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_encoded_obfusc.yml b/rules/windows/process_creation/proc_creation_win_powershell_encoded_obfusc.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_powershell_encoded_obfusc.yml
rename to rules/windows/process_creation/proc_creation_win_powershell_encoded_obfusc.yml
diff --git a/rules/windows/process_creation/proc_creation_win_frombase64string_archive.yml b/rules/windows/process_creation/proc_creation_win_powershell_frombase64string_archive.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_frombase64string_archive.yml
rename to rules/windows/process_creation/proc_creation_win_powershell_frombase64string_archive.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_getprocess_lsass.yml b/rules/windows/process_creation/proc_creation_win_powershell_getprocess_lsass.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_powershell_getprocess_lsass.yml
rename to rules/windows/process_creation/proc_creation_win_powershell_getprocess_lsass.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_hidden_b64_cmd.yml b/rules/windows/process_creation/proc_creation_win_powershell_hidden_b64_cmd.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_powershell_hidden_b64_cmd.yml
rename to rules/windows/process_creation/proc_creation_win_powershell_hidden_b64_cmd.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_iex_patterns.yml b/rules/windows/process_creation/proc_creation_win_powershell_iex_patterns.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_powershell_iex_patterns.yml
rename to rules/windows/process_creation/proc_creation_win_powershell_iex_patterns.yml
diff --git a/rules/windows/process_creation/proc_creation_win_import_cert_susp_locations.yml b/rules/windows/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_import_cert_susp_locations.yml
rename to rules/windows/process_creation/proc_creation_win_powershell_import_cert_susp_locations.yml
diff --git a/rules/windows/process_creation/proc_creation_win_import_module_susp_dirs.yml b/rules/windows/process_creation/proc_creation_win_powershell_import_module_susp_dirs.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_import_module_susp_dirs.yml
rename to rules/windows/process_creation/proc_creation_win_powershell_import_module_susp_dirs.yml
diff --git a/rules/windows/process_creation/proc_creation_win_install_unsigned_appx_packages.yml b/rules/windows/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_install_unsigned_appx_packages.yml
rename to rules/windows/process_creation/proc_creation_win_powershell_install_unsigned_appx_packages.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_invocation_specific.yml b/rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_powershell_invocation_specific.yml
rename to rules/windows/process_creation/proc_creation_win_powershell_invocation_specific.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_invoke_webrequest_download.yml b/rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_invoke_webrequest_download.yml
rename to rules/windows/process_creation/proc_creation_win_powershell_invoke_webrequest_download.yml
diff --git a/rules/windows/process_creation/proc_creation_win_msexchange_transport_agent.yml b/rules/windows/process_creation/proc_creation_win_powershell_msexchange_transport_agent.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_msexchange_transport_agent.yml
rename to rules/windows/process_creation/proc_creation_win_powershell_msexchange_transport_agent.yml
diff --git a/rules/windows/process_creation/proc_creation_win_non_interactive_powershell.yml b/rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_non_interactive_powershell.yml
rename to rules/windows/process_creation/proc_creation_win_powershell_non_interactive_execution.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_obfuscation_via_utf8.yml b/rules/windows/process_creation/proc_creation_win_powershell_obfuscation_via_utf8.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_powershell_obfuscation_via_utf8.yml
rename to rules/windows/process_creation/proc_creation_win_powershell_obfuscation_via_utf8.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_sam_access.yml b/rules/windows/process_creation/proc_creation_win_powershell_sam_access.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_powershell_sam_access.yml
rename to rules/windows/process_creation/proc_creation_win_powershell_sam_access.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_script_engine_parent_.yml b/rules/windows/process_creation/proc_creation_win_powershell_script_engine_parent.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_powershell_script_engine_parent_.yml
rename to rules/windows/process_creation/proc_creation_win_powershell_script_engine_parent.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_service_dacl_modification_set_service.yml b/rules/windows/process_creation/proc_creation_win_powershell_service_dacl_modification_set_service.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_service_dacl_modification_set_service.yml
rename to rules/windows/process_creation/proc_creation_win_powershell_service_dacl_modification_set_service.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_sub_processes.yml b/rules/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_powershell_sub_processes.yml
rename to rules/windows/process_creation/proc_creation_win_powershell_susp_child_processes.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_ps_appdata.yml b/rules/windows/process_creation/proc_creation_win_powershell_susp_ps_appdata.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_ps_appdata.yml
rename to rules/windows/process_creation/proc_creation_win_powershell_susp_ps_appdata.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_ps_downloadfile.yml b/rules/windows/process_creation/proc_creation_win_powershell_susp_ps_downloadfile.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_ps_downloadfile.yml
rename to rules/windows/process_creation/proc_creation_win_powershell_susp_ps_downloadfile.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_powershell_webclient_casing.yml b/rules/windows/process_creation/proc_creation_win_powershell_webclient_casing.yml similarity index 100% rename from rules/windows/process_creation/proc_creation_win_susp_powershell_webclient_casing.yml rename to rules/windows/process_creation/proc_creation_win_powershell_webclient_casing.yml diff --git a/rules/windows/process_creation/proc_creation_win_susp_3proxy_usage.yml b/rules/windows/process_creation/proc_creation_win_pua_3proxy_execution.yml similarity index 93% rename from rules/windows/process_creation/proc_creation_win_susp_3proxy_usage.yml rename to rules/windows/process_creation/proc_creation_win_pua_3proxy_execution.yml index 939b518f7..88c4ed5a5 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_3proxy_usage.yml +++ b/rules/windows/process_creation/proc_creation_win_pua_3proxy_execution.yml @@ -1,4 +1,4 @@ -title: 3Proxy Usage +title: PUA - 3Proxy Execution id: f38a82d2-fba3-4781-b549-525efbec8506 status: experimental description: Detects the use of 3proxy, a tiny free proxy server @@ -7,7 +7,7 @@ references: - https://blog.talosintelligence.com/2022/09/lazarus-three-rats.html author: Florian Roth (Nextron Systems) date: 2022/09/13 -modified: 2023/01/05 +modified: 2023/02/21 tags: - attack.command_and_control - attack.t1572 diff --git a/rules/windows/process_creation/proc_creation_win_susp_advancedrun.yml b/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml similarity index 88% rename from rules/windows/process_creation/proc_creation_win_susp_advancedrun.yml rename to rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml index f26cae65a..2d394c13e 100644 --- a/rules/windows/process_creation/proc_creation_win_susp_advancedrun.yml +++ b/rules/windows/process_creation/proc_creation_win_pua_advancedrun.yml 
@@ -1,5 +1,8 @@
-title: Suspicious AdvancedRun Execution
+title: PUA - AdvancedRun Execution
 id: d2b749ee-4225-417e-b20e-a8d2193cbb84
+related:
+ - id: fa00b701-44c6-4679-994d-5a18afa8a707
+ type: similar
 status: experimental
 description: Detects the execution of AdvancedRun utility
 references:
@@ -9,7 +12,7 @@ references:
 - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
 author: Florian Roth (Nextron Systems)
 date: 2022/01/20
-modified: 2022/05/13
+modified: 2023/02/21
 logsource:
 product: windows
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_advancedrun_priv_user.yml b/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml
similarity index 89%
rename from rules/windows/process_creation/proc_creation_win_susp_advancedrun_priv_user.yml
rename to rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml
index 1ede7e0f2..48859f0cb 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_advancedrun_priv_user.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_advancedrun_priv_user.yml
@@ -1,5 +1,8 @@
-title: Suspicious AdvancedRun Runas Priv User
+title: PUA - AdvancedRun Suspicious Execution
 id: fa00b701-44c6-4679-994d-5a18afa8a707
+related:
+ - id: d2b749ee-4225-417e-b20e-a8d2193cbb84
+ type: similar
 status: experimental
 description: Detects the execution of AdvancedRun utility in the context of the TrustedInstaller, SYSTEM, Local Service or Network Service accounts
 references:
@@ -9,7 +12,7 @@ references:
 - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
 author: Florian Roth (Nextron Systems)
 date: 2022/01/20
-modified: 2022/05/05
+modified: 2023/02/21
 logsource:
 product: windows
 category: process_creation
diff --git a/rules/windows/process_creation/proc_creation_win_susp_csexec.yml b/rules/windows/process_creation/proc_creation_win_pua_csexec.yml
similarity index 89%
rename from rules/windows/process_creation/proc_creation_win_susp_csexec.yml
rename to rules/windows/process_creation/proc_creation_win_pua_csexec.yml
index bb4b1ddfe..236449fb2 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_csexec.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_csexec.yml
@@ -1,12 +1,13 @@
-title: CsExec Remote Execution Tool Usage
+title: PUA - CsExec Execution
 id: d08a2711-ee8b-4323-bdec-b7d85e892b31
 status: experimental
-description: Detects the use of the lesser known remote execution tool named CsExec (a PsExec alternative)
+description: Detects the use of the lesser known remote execution tool named CsExec a PsExec alternative
 references:
 - https://github.com/malcomvetter/CSExec
 - https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/
 author: Florian Roth (Nextron Systems)
 date: 2022/08/22
+modified: 2023/02/21
 tags:
 - attack.resource_development
 - attack.t1587.001
diff --git a/rules/windows/process_creation/proc_creation_win_susp_ditsnap.yml b/rules/windows/process_creation/proc_creation_win_pua_ditsnap.yml
similarity index 61%
rename from rules/windows/process_creation/proc_creation_win_susp_ditsnap.yml
rename to rules/windows/process_creation/proc_creation_win_pua_ditsnap.yml
index 96870bbc3..237a0f8b1 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_ditsnap.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_ditsnap.yml
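Review bot: The new `+description:` line drops the parentheses around `a PsExec alternative` without adding any punctuation, so the sentence now reads as a run-on (`named CsExec a PsExec alternative`). Restoring the apposition with a comma keeps it a valid plain scalar: `description: Detects the use of the lesser known remote execution tool named CsExec, a PsExec alternative`. The rule's logsource and detection sections lie outside this hunk.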
@@ -1,13 +1,13 @@
-title: DIT Snapshot Viewer Use
+title: PUA - DIT Snapshot Viewer
 id: d3b70aad-097e-409c-9df2-450f80dc476b
 status: test
-description: Detects the use of Ditsnap tool. Seems to be a tool for ransomware groups.
+description: Detects the use of Ditsnap tool, an inspection tool for Active Directory database, ntds.dit.
 references:
 - https://thedfirreport.com/2020/06/21/snatch-ransomware/
- - https://github.com/yosqueoy/ditsnap
-author: 'Furkan Caliskan (@caliskanfurkan_)'
 - https://web.archive.org/web/20201124182207/https://github.com/yosqueoy/ditsnap
+author: Furkan Caliskan (@caliskanfurkan_)
 date: 2020/07/04
-modified: 2021/11/27
+modified: 2023/02/21
 tags:
 - attack.credential_access
 - attack.t1003.003
diff --git a/rules/windows/process_creation/proc_creation_win_mouse_lock.yml b/rules/windows/process_creation/proc_creation_win_pua_mouselock_execution.yml
similarity index 93%
rename from rules/windows/process_creation/proc_creation_win_mouse_lock.yml
rename to rules/windows/process_creation/proc_creation_win_pua_mouselock_execution.yml
index 708c08be9..3334eddd9 100644
--- a/rules/windows/process_creation/proc_creation_win_mouse_lock.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_mouselock_execution.yml
@@ -1,4 +1,4 @@
-title: Mouse Lock Credential Gathering
+title: PUA - Mouse Lock Execution
 id: c9192ad9-75e5-43eb-8647-82a0a5b493e3
 status: test
 description: In Kaspersky's 2020 Incident Response Analyst Report they listed legitimate tool "Mouse Lock" as being used for both credential access and collection in security incidents.
@@ -7,7 +7,7 @@ references:
 - https://sourceforge.net/projects/mouselock/
 author: Cian Heasley
 date: 2020/08/13
-modified: 2021/11/27
+modified: 2023/02/21
 tags:
 - attack.credential_access
 - attack.collection
diff --git a/rules/windows/process_creation/proc_creation_win_susp_ngrok_pua.yml b/rules/windows/process_creation/proc_creation_win_pua_ngrok.yml
similarity index 97%
rename from rules/windows/process_creation/proc_creation_win_susp_ngrok_pua.yml
rename to rules/windows/process_creation/proc_creation_win_pua_ngrok.yml
index be4acb8e6..1f26b339e 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_ngrok_pua.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_ngrok.yml
@@ -1,4 +1,4 @@
-title: Ngrok Usage
+title: PUA - Ngrok Execution
 id: ee37eb7c-a4e7-4cd5-8fa4-efa27f1c3f31
 status: test
 description: |
@@ -14,7 +14,7 @@ references:
 - https://www.softwaretestinghelp.com/how-to-use-ngrok/
 author: Florian Roth (Nextron Systems)
 date: 2021/05/14
-modified: 2022/12/02
+modified: 2023/02/21
 tags:
 - attack.command_and_control
 - attack.t1572
diff --git a/rules/windows/process_creation/proc_creation_win_nmap_zenmap.yml b/rules/windows/process_creation/proc_creation_win_pua_nmap_zenmap.yml
similarity index 93%
rename from rules/windows/process_creation/proc_creation_win_nmap_zenmap.yml
rename to rules/windows/process_creation/proc_creation_win_pua_nmap_zenmap.yml
index 87c2ea2e7..78593fc5d 100644
--- a/rules/windows/process_creation/proc_creation_win_nmap_zenmap.yml
+++ b/rules/windows/process_creation/proc_creation_win_pua_nmap_zenmap.yml
@@ -1,4 +1,4 @@
-title: Nmap/Zenmap Execution
+title: PUA - Nmap/Zenmap Execution
 id: f6ecd1cf-19b8-4488-97f6-00f0924991a3
 status: test
 description: Detects usage of namp/zenmap. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation
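Review bot: The `description:` context line that closes the first nmap/zenmap hunk still carries the `namp` typo, and since this commit already rewrites the rule's `title:` two lines above it is the natural place to fix it: `description: Detects usage of nmap/zenmap. Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation`. The rule's logsource and detection sections are outside this hunk.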
@@ -7,7 +7,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1046/T1046.md#atomic-test-3---port-scan-nmap-for-windows
 author: frack113
 date: 2021/12/10
-modified: 2022/12/30
+modified: 2023/02/20
 tags:
 - attack.discovery
 - attack.t1046
diff --git a/rules/windows/process_creation/proc_creation_win_susp_adidnsdump.yml b/rules/windows/process_creation/proc_creation_win_python_adidnsdump.yml
similarity index 93%
rename from rules/windows/process_creation/proc_creation_win_susp_adidnsdump.yml
rename to rules/windows/process_creation/proc_creation_win_python_adidnsdump.yml
index da5ef4615..8420fca22 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_adidnsdump.yml
+++ b/rules/windows/process_creation/proc_creation_win_python_adidnsdump.yml
@@ -1,4 +1,4 @@
-title: Suspicious Execution of Adidnsdump
+title: PUA - Adidnsdump Execution
 id: 26d3f0a2-f514-4a3f-a8a7-e7e48a8d9160
 status: test
 description: |
@@ -8,6 +8,7 @@ references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1018/T1018.md#atomic-test-9---remote-system-discovery---adidnsdump
 author: frack113
 date: 2022/01/01
+modified: 2023/02/21
 tags:
 - attack.discovery
 - attack.t1018
diff --git a/rules/windows/process_creation/proc_creation_win_susp_reg_bitlocker.yml b/rules/windows/process_creation/proc_creation_win_reg_bitlocker.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_reg_bitlocker.yml
rename to rules/windows/process_creation/proc_creation_win_reg_bitlocker.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_direct_asep_reg_keys_modification.yml b/rules/windows/process_creation/proc_creation_win_reg_direct_asep_registry_keys_modification.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_direct_asep_reg_keys_modification.yml
rename to rules/windows/process_creation/proc_creation_win_reg_direct_asep_registry_keys_modification.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_reg_disable_sec_services.yml b/rules/windows/process_creation/proc_creation_win_reg_disable_sec_services.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_reg_disable_sec_services.yml
rename to rules/windows/process_creation/proc_creation_win_reg_disable_sec_services.yml
diff --git a/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_in_registry.yml b/rules/windows/process_creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_in_registry.yml
rename to rules/windows/process_creation/proc_creation_win_reg_enumeration_for_credentials_in_registry.yml
diff --git a/rules/windows/process_creation/proc_creation_win_lsa_disablerestrictedadmin.yml b/rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_lsa_disablerestrictedadmin.yml
rename to rules/windows/process_creation/proc_creation_win_reg_lsa_disable_restricted_admin.yml
diff --git a/rules/windows/process_creation/proc_creation_win_modify_group_policy_settings.yml b/rules/windows/process_creation/proc_creation_win_reg_modify_group_policy_settings.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_modify_group_policy_settings.yml
rename to rules/windows/process_creation/proc_creation_win_reg_modify_group_policy_settings.yml
diff --git a/rules/windows/process_creation/proc_creation_win_new_network_provider.yml b/rules/windows/process_creation/proc_creation_win_reg_new_network_provider.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_new_network_provider.yml
rename to rules/windows/process_creation/proc_creation_win_reg_new_network_provider.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_reg_open_command.yml b/rules/windows/process_creation/proc_creation_win_reg_open_command.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_reg_open_command.yml
rename to rules/windows/process_creation/proc_creation_win_reg_open_command.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_reg_add.yml b/rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_reg_add.yml
rename to rules/windows/process_creation/proc_creation_win_reg_susp_paths.yml
diff --git a/rules/windows/process_creation/proc_creation_win_regedit_export_critical_keys.yml b/rules/windows/process_creation/proc_creation_win_regedit_export_critical_keys.yml
index c2e032a48..05488e704 100644
--- a/rules/windows/process_creation/proc_creation_win_regedit_export_critical_keys.yml
+++ b/rules/windows/process_creation/proc_creation_win_regedit_export_critical_keys.yml
@@ -20,7 +20,7 @@ logsource:
 detection:
 selection_img:
 - Image|endswith: '\regedit.exe'
- - OriginalFileName: 'REGEDIT.EXE'
+ - OriginalFileName: 'REGEDIT.EXE'
 selection_cli_1:
 CommandLine|contains:
 - ' /E '
diff --git a/rules/windows/process_creation/proc_creation_win_susp_regedit_trustedinstaller.yml b/rules/windows/process_creation/proc_creation_win_regedit_trustedinstaller.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_regedit_trustedinstaller.yml
rename to rules/windows/process_creation/proc_creation_win_regedit_trustedinstaller.yml
diff --git a/rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_cli.yml b/rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_enumeration_for_credentials_cli.yml
rename to rules/windows/process_creation/proc_creation_win_registry_enumeration_for_credentials_cli.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_anomalies.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_regsvr32_anomalies.yml
rename to rules/windows/process_creation/proc_creation_win_regsvr32_anomalies.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_regsvr32_flags_anomaly.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_regsvr32_flags_anomaly.yml
rename to rules/windows/process_creation/proc_creation_win_regsvr32_flags_anomaly.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_regsvr32_http_pattern.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_http_pattern.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_regsvr32_http_pattern.yml
rename to rules/windows/process_creation/proc_creation_win_regsvr32_http_pattern.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_regsvr32_image.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_image.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_regsvr32_image.yml
rename to rules/windows/process_creation/proc_creation_win_regsvr32_image.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_regsvr32_no_dll.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_no_dll.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_regsvr32_no_dll.yml
rename to rules/windows/process_creation/proc_creation_win_regsvr32_no_dll.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_registration_via_cscript.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_registration_via_cscript.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_registration_via_cscript.yml
rename to rules/windows/process_creation/proc_creation_win_regsvr32_registration_via_cscript.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_regsvr32_remote_share.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_remote_share.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_regsvr32_remote_share.yml
rename to rules/windows/process_creation/proc_creation_win_regsvr32_remote_share.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_regsvr32_spawn_explorer.yml b/rules/windows/process_creation/proc_creation_win_regsvr32_spawn_explorer.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_regsvr32_spawn_explorer.yml
rename to rules/windows/process_creation/proc_creation_win_regsvr32_spawn_explorer.yml
diff --git a/rules/windows/process_creation/proc_creation_win_gotoopener.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_gotoopener.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_gotoopener.yml
rename to rules/windows/process_creation/proc_creation_win_remote_access_tools_gotoopener.yml
diff --git a/rules/windows/process_creation/proc_creation_win_logmein.yml b/rules/windows/process_creation/proc_creation_win_remote_access_tools_logmein.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_logmein.yml
rename to rules/windows/process_creation/proc_creation_win_remote_access_tools_logmein.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_renamed_paexec.yml b/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_renamed_paexec.yml
rename to rules/windows/process_creation/proc_creation_win_renamed_paexec.yml
diff --git a/rules/windows/process_creation/proc_creation_win_ads_stored_dll_execution_rundll32.yml b/rules/windows/process_creation/proc_creation_win_rundll32_ads_stored_dll_execution.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_ads_stored_dll_execution_rundll32.yml
rename to rules/windows/process_creation/proc_creation_win_rundll32_ads_stored_dll_execution.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_rundll32_by_ordinal.yml b/rules/windows/process_creation/proc_creation_win_rundll32_by_ordinal.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_rundll32_by_ordinal.yml
rename to rules/windows/process_creation/proc_creation_win_rundll32_by_ordinal.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_rundll32_inline_vbs.yml b/rules/windows/process_creation/proc_creation_win_rundll32_inline_vbs.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_rundll32_inline_vbs.yml
rename to rules/windows/process_creation/proc_creation_win_rundll32_inline_vbs.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml b/rules/windows/process_creation/proc_creation_win_rundll32_js_runhtmlapplication.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_rundll32_js_runhtmlapplication.yml
rename to rules/windows/process_creation/proc_creation_win_rundll32_js_runhtmlapplication.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_rundll32_keymgr.yml b/rules/windows/process_creation/proc_creation_win_rundll32_keymgr.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_rundll32_keymgr.yml
rename to rules/windows/process_creation/proc_creation_win_rundll32_keymgr.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_mshtml_runhtmlapplication.yml b/rules/windows/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_mshtml_runhtmlapplication.yml
rename to rules/windows/process_creation/proc_creation_win_rundll32_mshtml_runhtmlapplication.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_rundll32_no_params.yml b/rules/windows/process_creation/proc_creation_win_rundll32_no_params.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_rundll32_no_params.yml
rename to rules/windows/process_creation/proc_creation_win_rundll32_no_params.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_run_locations.yml b/rules/windows/process_creation/proc_creation_win_rundll32_run_locations.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_run_locations.yml
rename to rules/windows/process_creation/proc_creation_win_rundll32_run_locations.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_rundll32_script_run.yml b/rules/windows/process_creation/proc_creation_win_rundll32_script_run.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_rundll32_script_run.yml
rename to rules/windows/process_creation/proc_creation_win_rundll32_script_run.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_rundll32_setupapi_installhinfsection.yml b/rules/windows/process_creation/proc_creation_win_rundll32_setupapi_installhinfsection.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_rundll32_setupapi_installhinfsection.yml
rename to rules/windows/process_creation/proc_creation_win_rundll32_setupapi_installhinfsection.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_rundll32_spawn_explorer.yml b/rules/windows/process_creation/proc_creation_win_rundll32_spawn_explorer.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_rundll32_spawn_explorer.yml
rename to rules/windows/process_creation/proc_creation_win_rundll32_spawn_explorer.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_rundll32_activity.yml b/rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_rundll32_activity.yml
rename to rules/windows/process_creation/proc_creation_win_rundll32_susp_activity.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_shimcache_flush.yml b/rules/windows/process_creation/proc_creation_win_rundll32_susp_shimcache_flush.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_shimcache_flush.yml
rename to rules/windows/process_creation/proc_creation_win_rundll32_susp_shimcache_flush.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_rundll32_sys.yml b/rules/windows/process_creation/proc_creation_win_rundll32_sys.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_rundll32_sys.yml
rename to rules/windows/process_creation/proc_creation_win_rundll32_sys.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_rundll32_user32_dll.yml b/rules/windows/process_creation/proc_creation_win_rundll32_user32_dll.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_rundll32_user32_dll.yml
rename to rules/windows/process_creation/proc_creation_win_rundll32_user32_dll.yml
diff --git a/rules/windows/process_creation/proc_creation_win_sc_create_service.yml b/rules/windows/process_creation/proc_creation_win_sc_create_service.yml
new file mode 100644
index 000000000..02ba32dc5
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_sc_create_service.yml
@@ -0,0 +1,29 @@
+title: New Service Creation Using Sc.EXE
+id: 85ff530b-261d-48c6-a441-facaa2e81e48
+related:
+ - id: c02e96b7-c63a-4c47-bd83-4a9f74afcfb2 # Using PowerShell
+ type: similar
+status: test
+description: Detects the creation of a new service using the "sc.exe" utility.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1543.003/T1543.003.md
+author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
+date: 2023/02/20
+tags:
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.t1543.003
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\sc.exe'
+ CommandLine|contains|all:
+ - 'create'
+ - 'binPath'
+ condition: selection
+falsepositives:
+ - Legitimate administrator or user creates a service for legitimate reasons.
+ - Software installation
+level: low
diff --git a/rules/windows/process_creation/proc_creation_win_disable_service.yml b/rules/windows/process_creation/proc_creation_win_sc_disable_service.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_disable_service.yml
rename to rules/windows/process_creation/proc_creation_win_sc_disable_service.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_new_kernel_driver_via_sc.yml b/rules/windows/process_creation/proc_creation_win_sc_new_kernel_driver.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_new_kernel_driver_via_sc.yml
rename to rules/windows/process_creation/proc_creation_win_sc_new_kernel_driver.yml
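Review bot: The new rule's `selection` identifies the process solely by `Image|endswith: '\sc.exe'`, so detection rests on the on-disk file name alone, whereas the `regedit_export_critical_keys` hunk in this same diff already pairs the path suffix with an `OriginalFileName` alternative for exactly that reason. Splitting the selection into an image selector that accepts either the path suffix or the PE original file name, plus a separate command-line selector joined by `condition: all of selection_*`, keeps every current match and adds coverage for events where the image path differs. The `OriginalFileName` value in the excerpt below is the one sc.exe reports in its version resource; confirm it against a real process-creation event from the deployed telemetry source before merging. Metadata, `falsepositives` and `level` are unchanged.
```yaml
# … unchanged: title, id, related, status, description, references, author, date, tags, logsource …
detection:
    selection_img:
        - Image|endswith: '\sc.exe'
        - OriginalFileName: 'sc.exe'
    selection_cli:
        CommandLine|contains|all:
            - 'create'
            - 'binPath'
    condition: all of selection_*
# … unchanged: falsepositives, level …
```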
diff --git a/rules/windows/process_creation/proc_creation_win_susp_service_dacl_modification.yml b/rules/windows/process_creation/proc_creation_win_sc_service_dacl_modification.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_service_dacl_modification.yml
rename to rules/windows/process_creation/proc_creation_win_sc_service_dacl_modification.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_service_path_modification.yml b/rules/windows/process_creation/proc_creation_win_sc_service_path_modification.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_service_path_modification.yml
rename to rules/windows/process_creation/proc_creation_win_sc_service_path_modification.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtask_creation_temp_folder.yml b/rules/windows/process_creation/proc_creation_win_schtask_creation_temp_folder.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_schtask_creation_temp_folder.yml
rename to rules/windows/process_creation/proc_creation_win_schtask_creation_temp_folder.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_change.yml b/rules/windows/process_creation/proc_creation_win_schtasks_change.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_schtasks_change.yml
rename to rules/windows/process_creation/proc_creation_win_schtasks_change.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtask_creation.yml b/rules/windows/process_creation/proc_creation_win_schtasks_creation.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_schtask_creation.yml
rename to rules/windows/process_creation/proc_creation_win_schtasks_creation.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml b/rules/windows/process_creation/proc_creation_win_schtasks_delete.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_schtasks_delete.yml
rename to rules/windows/process_creation/proc_creation_win_schtasks_delete.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_delete_all.yml b/rules/windows/process_creation/proc_creation_win_schtasks_delete_all.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_schtasks_delete_all.yml
rename to rules/windows/process_creation/proc_creation_win_schtasks_delete_all.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml b/rules/windows/process_creation/proc_creation_win_schtasks_disable.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_schtasks_disable.yml
rename to rules/windows/process_creation/proc_creation_win_schtasks_disable.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_env_folder.yml b/rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_schtasks_env_folder.yml
rename to rules/windows/process_creation/proc_creation_win_schtasks_env_folder.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_folder_combos.yml b/rules/windows/process_creation/proc_creation_win_schtasks_folder_combos.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_schtasks_folder_combos.yml
rename to rules/windows/process_creation/proc_creation_win_schtasks_folder_combos.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_guid_task_name.yml b/rules/windows/process_creation/proc_creation_win_schtasks_guid_task_name.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_guid_task_name.yml
rename to rules/windows/process_creation/proc_creation_win_schtasks_guid_task_name.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_parent.yml b/rules/windows/process_creation/proc_creation_win_schtasks_parent.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_schtasks_parent.yml
rename to rules/windows/process_creation/proc_creation_win_schtasks_parent.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type.yml b/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type.yml
rename to rules/windows/process_creation/proc_creation_win_schtasks_schedule_type.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type_system.yml b/rules/windows/process_creation/proc_creation_win_schtasks_schedule_type_system.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_schtasks_schedule_type_system.yml
rename to rules/windows/process_creation/proc_creation_win_schtasks_schedule_type_system.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_pattern.yml b/rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_schtasks_pattern.yml
rename to rules/windows/process_creation/proc_creation_win_schtasks_susp_pattern.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_schtasks_user_temp.yml b/rules/windows/process_creation/proc_creation_win_schtasks_user_temp.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_schtasks_user_temp.yml
rename to rules/windows/process_creation/proc_creation_win_schtasks_user_temp.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_secedit.yml b/rules/windows/process_creation/proc_creation_win_secedit_execution.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_secedit.yml
rename to rules/windows/process_creation/proc_creation_win_secedit_execution.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_add_local_admin.yml b/rules/windows/process_creation/proc_creation_win_susp_add_local_admin.yml
index ba86d4eae..d03ad8117 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_add_local_admin.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_add_local_admin.yml
@@ -7,7 +7,7 @@ status: experimental
 description: Detects suspicious command line that adds an account to the local administrators/administrateurs group
 references:
 - https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html?m=1
-author: Florian Roth (Nextron Systems), Nasreddine Bencherchali
+author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems)
 date: 2022/08/12
 modified: 2022/09/09
 tags:
diff --git a/rules/windows/process_creation/proc_creation_win_alternate_data_streams.yml b/rules/windows/process_creation/proc_creation_win_susp_alternate_data_streams.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_alternate_data_streams.yml
rename to rules/windows/process_creation/proc_creation_win_susp_alternate_data_streams.yml
diff --git a/rules/windows/process_creation/proc_creation_win_automated_collection.yml b/rules/windows/process_creation/proc_creation_win_susp_automated_collection.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_automated_collection.yml
rename to rules/windows/process_creation/proc_creation_win_susp_automated_collection.yml
diff --git a/rules/windows/process_creation/proc_creation_win_double_ext_parent.yml b/rules/windows/process_creation/proc_creation_win_susp_double_ext_parent.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_double_ext_parent.yml
rename to rules/windows/process_creation/proc_creation_win_susp_double_ext_parent.yml
diff --git a/rules/windows/process_creation/proc_creation_win_embed_exe_lnk.yml b/rules/windows/process_creation/proc_creation_win_susp_embed_exe_lnk.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_embed_exe_lnk.yml
rename to rules/windows/process_creation/proc_creation_win_susp_embed_exe_lnk.yml
diff --git a/rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml b/rules/windows/process_creation/proc_creation_win_susp_etw_modification_cmdline.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_etw_modification_cmdline.yml
rename to rules/windows/process_creation/proc_creation_win_susp_etw_modification_cmdline.yml
diff --git a/rules/windows/process_creation/proc_creation_win_etw_trace_evasion.yml b/rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_etw_trace_evasion.yml
rename to rules/windows/process_creation/proc_creation_win_susp_etw_trace_evasion.yml
diff --git a/rules/windows/process_creation/proc_creation_win_file_permission_modifications.yml b/rules/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_file_permission_modifications.yml
rename to rules/windows/process_creation/proc_creation_win_susp_file_permission_modifications.yml
diff --git a/rules/windows/process_creation/proc_creation_win_hiding_malware_in_fonts_folder.yml b/rules/windows/process_creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_hiding_malware_in_fonts_folder.yml
rename to rules/windows/process_creation/proc_creation_win_susp_hiding_malware_in_fonts_folder.yml
diff --git a/rules/windows/process_creation/proc_creation_win_local_system_owner_account_discovery.yml b/rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_local_system_owner_account_discovery.yml
rename to rules/windows/process_creation/proc_creation_win_susp_local_system_owner_account_discovery.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_mshta_pattern.yml b/rules/windows/process_creation/proc_creation_win_susp_mshta_pattern.yml
deleted file mode 100644
index 1977da4f9..000000000
--- a/rules/windows/process_creation/proc_creation_win_susp_mshta_pattern.yml
+++ /dev/null
@@ -1,50 +0,0 @@
-title: Suspicious MSHTA Process Patterns
-id: e32f92d1-523e-49c3-9374-bdb13b46a3ba
-status: experimental
-description: Detects suspicious mshta process patterns
-references:
- - https://en.wikipedia.org/wiki/HTML_Application
- - https://www.echotrail.io/insights/search/mshta.exe
- - https://app.any.run/tasks/34221348-072d-4b70-93f3-aa71f6ebecad/
-author: Florian Roth (Nextron Systems)
-date: 2021/07/17
-modified: 2022/11/07
-tags:
- - attack.execution
- - attack.t1106
-logsource:
- category: process_creation
- product: windows
-detection:
- # Binary Selector
- selection_base:
- Image|endswith: '\mshta.exe'
- # Suspicious parents
- selection1:
- ParentImage|endswith:
- - '\cmd.exe'
- - '\powershell.exe'
- - '\pwsh.exe'
- # Suspicious folders
- selection2:
- CommandLine|contains:
- - '\AppData\Local'
- - 'C:\Windows\Temp'
- - 'C:\Users\Public'
- # Suspicious Execution Locations
- filter3:
- Image|startswith:
- - 'C:\Windows\System32'
- - 'C:\Windows\SysWOW64'
- # Suspicious extensions
- filter4:
- CommandLine|contains:
- - '.htm'
- - '.hta'
- CommandLine|endswith:
- - 'mshta.exe'
- - 'mshta'
- condition: ( selection_base and ( selection1 or selection2 ) ) or ( selection_base and not 1 of filter* )
-falsepositives:
- - Unknown
-level: high
diff --git a/rules/windows/process_creation/proc_creation_win_susp_tasklist_command.yml b/rules/windows/process_creation/proc_creation_win_tasklist_basic_execution.yml
similarity index 97%
rename from rules/windows/process_creation/proc_creation_win_susp_tasklist_command.yml
rename to rules/windows/process_creation/proc_creation_win_tasklist_basic_execution.yml
index 44c2f65dc..267eba7f4 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_tasklist_command.yml
+++ b/rules/windows/process_creation/proc_creation_win_tasklist_basic_execution.yml
@@ -21,4 +21,4 @@ detection:
 condition: selection
 falsepositives:
 - Administrator, hotline ask to user
-level: low
+level: informational