diff --git a/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml b/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml
index 37db2b043..1366b4940 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml
@@ -8,6 +8,7 @@ description: Detects the download of suspicious file type from a well-known file
 references:
 - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015
 - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a
+ - https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/
 author: Florian Roth (Nextron Systems)
 date: 2022/08/24
 modified: 2023/02/09
@@ -18,7 +19,6 @@ tags:
 logsource:
 product: windows
 category: create_stream_hash
- definition: 'Requirements: Sysmon config with Imphash logging activated'
 detection:
 selection_domain:
 Contents|contains:
diff --git a/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml b/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml
index 3996600ca..4ed3d8803 100644
--- a/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml
+++ b/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml
@@ -18,7 +18,6 @@ tags:
 logsource:
 product: windows
 category: create_stream_hash
- definition: 'Requirements: Sysmon config with Imphash logging activated'
 detection:
 selection_domain:
 Contents|contains:
diff --git a/rules/windows/create_stream_hash/create_stream_hash_zip_tld_download.yml b/rules/windows/create_stream_hash/create_stream_hash_zip_tld_download.yml
new file mode 100644
index 000000000..637738567
--- /dev/null
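Review bot: Deleting the `definition` line under logsource leaves the rule without any statement of its data prerequisite, although one clearly remains: the `Contents|contains` match can only fire when the ADS content is logged, which is exactly what the reference added in the previous hunk (sysmon-v11-1-reads-alternate-data-streams) is about. The removed text was misleading rather than superfluous (Imphash is not used by this rule's Contents match), so replacing it seems better than dropping it, e.g. `definition: 'Requirements: Sysmon v11.1 or later with ADS content logging so that the Contents field is populated'`. The same deletion appears in the create_stream_hash_file_sharing_domains_download_unusual_extension.yml hunk. Note also that `modified: 2023/02/09` a few lines above is left unchanged while the logsource block changes; if the project bumps modified for logsource edits, both rules need it.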
+++ b/rules/windows/create_stream_hash/create_stream_hash_zip_tld_download.yml
@@ -0,0 +1,42 @@
+title: Potentially Suspicious File Download From ZIP TLD
+id: 0bb4bbeb-fe52-4044-b40c-430a04577ebe
+status: experimental
+description: Detects the download of a file with a potentially suspicious extension from a .zip top level domain.
+references:
+ - https://twitter.com/cyb3rops/status/1659175181695287297
+ - https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/
+author: Florian Roth (Nextron Systems)
+date: 2023/05/18
+tags:
+ - attack.defense_evasion
+logsource:
+ product: windows
+ category: create_stream_hash
+detection:
+ selection:
+ Contents|contains: '.zip/'
+ TargetFilename|contains:
+ - '.bat:Zone'
+ - '.dat:Zone'
+ - '.dll:Zone'
+ - '.doc:Zone'
+ - '.docm:Zone'
+ - '.exe:Zone'
+ - '.hta:Zone'
+ - '.pptm:Zone'
+ - '.ps1:Zone'
+ - '.rar:Zone'
+ - '.rtf:Zone'
+ - '.sct:Zone'
+ - '.vbe:Zone'
+ - '.vbs:Zone'
+ - '.ws:Zone'
+ - '.wsf:Zone'
+ - '.xll:Zone'
+ - '.xls:Zone'
+ - '.xlsm:Zone'
+ - '.zip:Zone'
+ condition: selection
+falsepositives:
+ - Legitimate file downloads from a websites and web services that uses the ".zip" top level domain.
+level: high
diff --git a/rules/windows/file/file_event/file_event_win_lsass_dump.yml b/rules/windows/file/file_event/file_event_win_lsass_dump.yml
index 5ea1eb271..a16e60360 100644
--- a/rules/windows/file/file_event/file_event_win_lsass_dump.yml
+++ b/rules/windows/file/file_event/file_event_win_lsass_dump.yml
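Review bot: `Contents|contains: '.zip/'` is a substring match over the whole ADS content, not over the host part of the URL, so a download URL whose path contains a segment ending in `.zip/` (an archive or directory named that way) satisfies it even when the domain's TLD is not .zip. If the intent is strictly the .zip top-level domain as the title says, anchoring on scheme and host is tighter, e.g. `Contents|re: 'https?://[^/]+\.zip/'`, assuming the backends in use support the `re` modifier; otherwise the description and falsepositives should state that the match is substring-based. The falsepositives sentence also reads awkwardly (`from a websites ... that uses`); `Legitimate file downloads from websites and web services that use the ".zip" top level domain.` fixes it.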
@@ -11,9 +11,10 @@ references:
 - https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml
 - https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/
 - https://github.com/helpsystems/nanodump
+ - https://github.com/CCob/MirrorDump
 author: Florian Roth (Nextron Systems)
 date: 2021/11/15
-modified: 2022/06/27
+modified: 2023/05/17
 tags:
 - attack.credential_access
 - attack.t1003.001
@@ -26,9 +27,9 @@ detection:
 - '\lsass.dmp'
 - '\lsass.zip'
 - '\lsass.rar'
- - '\Temp\dumpert.dmp'
 - '\Andrew.dmp'
 - '\Coredump.dmp'
+ - '\NotLSASS.zip' # https://github.com/CCob/MirrorDump
 selection2:
 TargetFilename|contains:
 - '\lsass_2' # default format of procdump v9.0 is lsass_YYMMDD_HHmmss.dmp
diff --git a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml
index 8232cc898..ce6493fc3 100644
--- a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml
+++ b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml
@@ -13,7 +13,7 @@ references:
 - http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
 author: Florian Roth (Nextron Systems)
 date: 2021/11/22
-modified: 2023/03/22
+modified: 2023/05/17
 tags:
 - attack.credential_access
 - attack.t1003.001
@@ -57,7 +57,6 @@ detection:
 - 'C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe'
 - 'C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\ctlrupdate\mbupdatr.exe'
 - 'C:\WINDOWS\system32\taskhostw.exe'
- - 'C:\Users\\*\AppData\Local\Programs\Microsoft VS Code\Code.exe'
 - 'C:\Program Files\Windows Defender\MsMpEng.exe'
 - 'C:\Windows\SysWOW64\msiexec.exe'
 - 'C:\Windows\System32\msiexec.exe'
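Review bot: The entry `'\Temp\dumpert.dmp'` is removed from this list in the second hunk of file_event_win_lsass_dump.yml without a replacement anywhere in the diff, so coverage for that filename is lost unless another selection or rule not shown here carries it; if it was moved deliberately, naming the new location in the commit description would make that auditable. The added `'\NotLSASS.zip'` is, presumably, the referenced tool's default output name, i.e. an indicator the operator can change trivially, like the other filename entries around it; the inline link is helpful, and extending it to `# MirrorDump default output name - https://github.com/CCob/MirrorDump` would tell readers why a .zip name sits in a dump-file list. The enclosing selection begins outside the hunk.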
@@ -66,6 +65,10 @@ detection:
 - 'C:\Windows\System32\MRT.exe'
 - 'C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe'
 - 'C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe'
+ # VSCode
+ filter_vscode:
+ SourceImage|startswith: 'C:\Users\'
+ SourceImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
 # Windows Defender
 filter_windefend_1:
 SourceImage|startswith: 'C:\ProgramData\Microsoft\Windows Defender\'
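Review bot: The new `filter_vscode` only takes effect if the rule's condition references it, and the condition line is outside this hunk; if the condition enumerates filters by name instead of using `1 of filter_*`, the filter is inert and the VS Code exclusion removed in the previous hunk is simply gone, so this is worth confirming. The startswith/endswith pair reproduces the old wildcard entry, so it inherits its trade-off: the exclusion lives under the user-writable `C:\Users\` tree and is satisfied by whatever is installed at that path, which the comment should say so that later reviewers weigh it, e.g. `# VSCode (per-user install path under C:\Users; exclusion is path-based only)`. The enclosing detection block starts before the hunk.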