From aaafef29b4aa53e8ebb5cd488dbf873865402dcc Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Mon, 4 Apr 2022 10:57:23 +0200
Subject: [PATCH] Redcannary
---
 .../windows/dns_query/dns_query_win_ammyy.yml | 24 ++++++++++++++
 .../posh_ps_suspicious_get_current_user.yml | 26 +++++++++++++++
 ...stry_set_add_load_service_in_safe_mode.yml | 26 +++++++++++++++
 .../registry_set_disable_system_restore.yml | 27 +++++++++++++++
 ...stry_set_install_root_or_ca_certificat.yml | 33 +++++++++++++++++++
 5 files changed, 136 insertions(+)
 create mode 100644 rules/windows/dns_query/dns_query_win_ammyy.yml
 create mode 100644 rules/windows/powershell/powershell_script/posh_ps_suspicious_get_current_user.yml
 create mode 100644 rules/windows/registry_set/registry_set_add_load_service_in_safe_mode.yml
 create mode 100644 rules/windows/registry_set/registry_set_disable_system_restore.yml
 create mode 100644 rules/windows/registry_set/registry_set_install_root_or_ca_certificat.yml
diff --git a/rules/windows/dns_query/dns_query_win_ammyy.yml b/rules/windows/dns_query/dns_query_win_ammyy.yml
new file mode 100644
index 000000000..893f21290
--- /dev/null
+++ b/rules/windows/dns_query/dns_query_win_ammyy.yml
@@ -0,0 +1,24 @@
+title: Query to Ammyy Remote Access Software Domain
+id: 71ba22cb-8a01-42e2-a6dd-5bf9b547498f
+status: experimental
+description: |
+ An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks.
+ These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment.
+ Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md#atomic-test-6---ammyy-admin-software-execution
+author: frack113
+date: 2022/04/04
+logsource:
+ product: windows
+ category: dns_query
+detection:
+ selection:
+ QueryName|endswith: '.ammyy.com'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.command_and_control
+ - attack.t1219
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_script/posh_ps_suspicious_get_current_user.yml b/rules/windows/powershell/powershell_script/posh_ps_suspicious_get_current_user.yml
new file mode 100644
index 000000000..2eebfabfe
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/posh_ps_suspicious_get_current_user.yml
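Review bot: `falsepositives: - Unknown` contradicts the description in the same hunk, which states that this software is commonly used as legitimate technical support tooling and may be allowed by application control; naming that case lets analysts tune the rule, e.g. `- Legitimate use of Ammyy Admin by help-desk or remote-support staff`. The `(Citation: Symantec Living off the Land)` parenthetical in the description is an ATT&CK-style citation with no matching entry under `references`; either add the link or drop the parenthetical. The file also ends without a trailing newline (`\ No newline at end of file` after `attack.t1219`), unlike the other four rules in this commit.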
@@ -0,0 +1,26 @@
+title: Suspicious Get Current User
+id: 4096a49c-7de4-4da0-a230-c66ccd56ea5a
+status: experimental
+description: Use the PowerShell to identify the current logged user.
+date: 2022/04/04
+author: frack113
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md#atomic-test-4---user-discovery-with-env-vars-powershell-script
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.md#atomic-test-5---getcurrent-user-with-powershell-script
+logsource:
+ product: windows
+ category: ps_script
+ definition: Script block logging must be enabled
+detection:
+ selection:
+ ScriptBlockText|contains:
+ - '[System.Environment]::UserName'
+ - '$env:UserName'
+ - '[System.Security.Principal.WindowsIdentity]::GetCurrent()'
+ condition: selection
+falsepositives:
+ - Legitimate PowerShell scripts
+level: low
+tags:
+ - attack.discovery
+ - attack.t1033
diff --git a/rules/windows/registry_set/registry_set_add_load_service_in_safe_mode.yml b/rules/windows/registry_set/registry_set_add_load_service_in_safe_mode.yml
new file mode 100644
index 000000000..cd1794299
--- /dev/null
+++ b/rules/windows/registry_set/registry_set_add_load_service_in_safe_mode.yml
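Review bot: The description `Use the PowerShell to identify the current logged user.` reads awkwardly; `Use PowerShell to identify the currently logged-on user.` says the same thing. The key order also differs from the other four rules in this commit, where `author` precedes `date`; keeping one order across the set makes the rules easier to diff and review. Since `$env:UserName` appears in a great many benign administrative scripts, the `Legitimate PowerShell scripts` entry and `level: low` are appropriate, but the description could say explicitly that the rule is intended as a low-severity enrichment signal rather than a standalone alert.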
@@ -0,0 +1,26 @@
+title: Add Registry Value to Load Service in Safe Mode
+id: 1547e27c-3974-43e2-a7d7-7f484fb928ec
+description: Modify the registry to allow a driver, service, to persist in Safe Mode.
+author: frack113
+date: 2022/04/04
+status: experimental
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md#atomic-test-33---windows-add-registry-value-to-load-service-in-safe-mode-without-network
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md#atomic-test-34---windows-add-registry-value-to-load-service-in-safe-mode-with-network
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ selection:
+ TargetObject|startswith:
+ - 'HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\'
+ - 'HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\'
+ TargetObject|endswith: '\(Default)'
+ Details: Service
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1564.001
diff --git a/rules/windows/registry_set/registry_set_disable_system_restore.yml b/rules/windows/registry_set/registry_set_disable_system_restore.yml
new file mode 100644
index 000000000..d5ab48b01
--- /dev/null
+++ b/rules/windows/registry_set/registry_set_disable_system_restore.yml
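Review bot: The tag `attack.t1564.001` (Hide Artifacts: Hidden Files and Directories) does not match what the rule detects or the technique its two references are filed under, T1112 (Modify Registry); at minimum the tag should be `- attack.t1112`, and if the project's ATT&CK version includes it, `- attack.t1562.009` (Impair Defenses: Safe Mode Boot) is the closest sub-technique for loading a service in Safe Mode. `falsepositives: - Unknown` together with `level: high` is likely to be noisy, because installers of security products and some drivers presumably register their own services under `SafeBoot\Minimal` and `SafeBoot\Network` so they load in Safe Mode; naming that case, e.g. `- Installation of security software or drivers that must run in Safe Mode`, gives analysts something to tune against.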
@@ -0,0 +1,27 @@
+title: Disable System Restore Through Registry
+id: 5de03871-5d46-4539-a82d-3aa992a69a83
+description: Modify the registry to disable system restore on the computer
+author: frack113
+date: 2022/04/04
+status: experimental
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md#atomic-test-9---disable-system-restore-through-registry
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ selection:
+ TargetObject|startswith:
+ - 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'
+ - 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
+ TargetObject|endswith:
+ - DisableConfig
+ - DisableSR
+ Details: 'DWORD (0x00000001)'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.impact
+ - attack.t1490
diff --git a/rules/windows/registry_set/registry_set_install_root_or_ca_certificat.yml b/rules/windows/registry_set/registry_set_install_root_or_ca_certificat.yml
new file mode 100644
index 000000000..925320110
--- /dev/null
+++ b/rules/windows/registry_set/registry_set_install_root_or_ca_certificat.yml
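Review bot: The `TargetObject|endswith` values `DisableConfig` and `DisableSR` lack the leading backslash that the other registry rules in this commit use (`'\(Default)'`, `'\Blob'`), so they also match any value name that merely ends in those strings; `- '\DisableConfig'` and `- '\DisableSR'` anchor the match to the exact value name. The two `startswith` prefixes likewise end without a trailing `\`, which is harmless for the `SystemRestore` keys but inconsistent with the `SafeBoot\Minimal\` style used in the safe-mode rule. Writing these values under `HKLM\SOFTWARE\Policies\...` is presumably also what the Group Policy client does when an administrator disables System Restore centrally, which is the obvious false positive to list instead of `Unknown`.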
@@ -0,0 +1,33 @@
+title: Add Root or CA or AuthRoot Certificate to Certificate Store
+id: d223b46b-5621-4037-88fe-fda32eead684
+description: Modify the registry to disable system restore on the computer
+author: frack113
+date: 2022/04/04
+status: experimental
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1553.004/T1553.004.md#atomic-test-6---add-root-certificate-to-currentuser-certificate-store
+ - https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
+logsource:
+ category: registry_set
+ product: windows
+detection:
+ selection:
+ TargetObject|contains:
+ - '\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\'
+ - '\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\'
+ - '\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\'
+ - '\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\'
+ - '\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates\'
+ - '\SOFTWARE\Microsoft\EnterpriseCertificates\CA\Certificates\'
+ - '\Software\Microsoft\SystemCertificates\AuthRoot\Certificates\'
+ - '\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\Certificates\'
+ - '\SOFTWARE\Microsoft\EnterpriseCertificates\AuthRoot\Certificates\'
+ TargetObject|endswith: '\Blob'
+ Details: 'Binary Data'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.impact
+ - attack.t1490
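Review bot: `description: Modify the registry to disable system restore on the computer` and the tags `attack.impact` / `attack.t1490` are carried over from the system-restore rule in this commit and do not describe this rule; the title and first reference point at T1553.004 (Subvert Trust Controls: Install Root Certificate), so the description should read along the lines of `Modify the registry to add a Root, CA or AuthRoot certificate to the certificate store` and the tags `- attack.defense_evasion` / `- attack.t1553.004`. The `AuthRoot` entry `'\Software\Microsoft\SystemCertificates\AuthRoot\Certificates\'` uses a different case from its eight siblings; Sigma string matching is case-insensitive by default so this is not a detection gap, but normalising it to `\SOFTWARE\` keeps the list uniform. The filename `registry_set_install_root_or_ca_certificat.yml` is presumably missing the final `e` of `certificate`.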