From 73c8c9d0a7b3191f6a523116dfb03caf57dfe4ce Mon Sep 17 00:00:00 2001 
From: Florian Roth 
Date: Thu, 18 May 2023 12:30:29 +0200 
Subject: [PATCH 1/8] fix: rule using old wildcard char 
--- 
.../proc_access_win_susp_proc_access_lsass.yml | 7 +++++-- 
1 file changed, 5 insertions(+), 2 deletions(-) 
diff --git a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml 
index 8232cc898..ce6493fc3 100644 
--- a/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml 
+++ b/rules/windows/process_access/proc_access_win_susp_proc_access_lsass.yml 
@@ -13,7 +13,7 @@ references:
 - http://security-research.dyndns.org/pub/slides/FIRST2017/FIRST-2017_Tom-Ueltschi_Sysmon_FINAL_notes.pdf
 author: Florian Roth (Nextron Systems)
 date: 2021/11/22 
-modified: 2023/03/22 
+modified: 2023/05/17
 tags:
 - attack.credential_access
 - attack.t1003.001 
@@ -57,7 +57,6 @@ detection:
 - 'C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe'
 - 'C:\PROGRAMDATA\MALWAREBYTES\MBAMSERVICE\ctlrupdate\mbupdatr.exe'
 - 'C:\WINDOWS\system32\taskhostw.exe' 
- - 'C:\Users\\*\AppData\Local\Programs\Microsoft VS Code\Code.exe'
 - 'C:\Program Files\Windows Defender\MsMpEng.exe'
 - 'C:\Windows\SysWOW64\msiexec.exe'
 - 'C:\Windows\System32\msiexec.exe' 
@@ -66,6 +65,10 @@ detection:
 - 'C:\Windows\System32\MRT.exe'
 - 'C:\Program Files\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe'
 - 'C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\vpnagent.exe' 
+ # VSCode 
+ filter_vscode: 
+ SourceImage|startswith: 'C:\Users\' 
+ SourceImage|endswith: '\AppData\Local\Programs\Microsoft VS Code\Code.exe'
 # Windows Defender
 filter_windefend_1:
 SourceImage|startswith: 'C:\ProgramData\Microsoft\Windows Defender\' 
From c2e322a2531d0837cd0d7c7b9c3a7eb4d4a0403c Mon Sep 17 00:00:00 2001 
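Review bot: `filter_vscode` only takes effect if the rule's condition, which lies outside this hunk, excludes filters by prefix (e.g. `selection and not 1 of filter_*`); if the condition enumerates filter names, the new one has to be added there as well. Beyond that, `SourceImage|startswith: 'C:\Users\'` combined with `|endswith` is exactly as permissive as the `\*` wildcard it replaces: an LSASS access from any binary dropped at `C:\Users\<anything>\AppData\Local\Programs\Microsoft VS Code\Code.exe`, a user-writable path, is suppressed on the path name alone. That trust decision deserves recording next to the filter, e.g. `# VSCode - user-writable install path, trusted by name only (no signer/hash check possible here)`. The `modified: 2023/05/17` stamp also predates the commit date of 18 May.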
From: Florian Roth 
Date: Thu, 18 May 2023 12:30:42 +0200 
Subject: [PATCH 2/8] more LSASS dump outputs 
--- 
rules/windows/file/file_event/file_event_win_lsass_dump.yml | 6 ++++-- 
1 file changed, 4 insertions(+), 2 deletions(-) 
diff --git a/rules/windows/file/file_event/file_event_win_lsass_dump.yml b/rules/windows/file/file_event/file_event_win_lsass_dump.yml 
index 5ea1eb271..ac5d93f5a 100644 
--- a/rules/windows/file/file_event/file_event_win_lsass_dump.yml 
+++ b/rules/windows/file/file_event/file_event_win_lsass_dump.yml 
@@ -11,9 +11,10 @@ references:
 - https://github.com/elastic/detection-rules/blob/c76a39796972ecde44cb1da6df47f1b6562c9770/rules/windows/credential_access_lsass_memdump_file_created.toml
 - https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/
 - https://github.com/helpsystems/nanodump 
+ - https://github.com/CCob/MirrorDump
 author: Florian Roth (Nextron Systems)
 date: 2021/11/15 
-modified: 2022/06/27 
+modified: 2023/05/17
 tags:
 - attack.credential_access
 - attack.t1003.001 
@@ -26,9 +27,10 @@ detection:
 - '\lsass.dmp'
 - '\lsass.zip'
 - '\lsass.rar' 
- - '\Temp\dumpert.dmp' 
+ - '\Temp\dumpert.dmp' # https://github.com/outflanknl/Dumpert/blob/master/Dumpert-Aggressor/Outflank-Dumpert.cna
 - '\Andrew.dmp'
 - '\Coredump.dmp' 
+ - '\NotLSASS.zip' # https://github.com/CCob/MirrorDump
 selection2:
 TargetFilename|contains:
 - '\lsass_2' # default format of procdump v9.0 is lsass_YYMMDD_HHmmss.dmp 
From 4b695a3cc9e56f541c0af396c00f39f55d1f04f9 Mon Sep 17 00:00:00 2001 
From: Florian Roth 
Date: Thu, 18 May 2023 14:39:35 +0200 
Subject: [PATCH 3/8] refactor: adding .zip domain to suspicious list 
--- 
.../web/proxy_generic/proxy_download_susp_tlds_blacklist.yml | 4 +++- 
1 file changed, 3 insertions(+), 1 deletion(-) 
diff --git a/rules/web/proxy_generic/proxy_download_susp_tlds_blacklist.yml b/rules/web/proxy_generic/proxy_download_susp_tlds_blacklist.yml 
index 4fd49897b..2cb375e79 100644 
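Review bot: `'\NotLSASS.zip'` is only MirrorDump's default output name; if the tool lets the operator choose a different file name (the referenced repository appears to offer that), this `selection1` entry is bypassed by a single flag, so the inline comment should make the default-name nature explicit, e.g. `- '\NotLSASS.zip' # https://github.com/CCob/MirrorDump (default output name, trivially renamed)`. The same caveat applies to the `\Temp\dumpert.dmp` comment added in the same hunk. The beginning of `selection1` and the rule's condition lie outside this hunk.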
--- a/rules/web/proxy_generic/proxy_download_susp_tlds_blacklist.yml 
+++ b/rules/web/proxy_generic/proxy_download_susp_tlds_blacklist.yml 
@@ -12,7 +12,7 @@ references:
 - https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
 author: Florian Roth (Nextron Systems)
 date: 2017/11/07 
-modified: 2023/01/09 
+modified: 2023/05/18
 tags:
 - attack.initial_access
 - attack.t1566 
@@ -109,6 +109,8 @@ detection:
 - '.ga'
 # Custom
 - '.pw' 
+ # Zip https://twitter.com/cyb3rops/status/1659175181695287297?s=20 
+ - '.zip'
 condition: selection
 fields:
 - ClientIP 
From 8bad6f0ebc897a4bc4f63d6037eb7a072948e7d1 Mon Sep 17 00:00:00 2001 
From: Florian Roth 
Date: Thu, 18 May 2023 14:54:43 +0200 
Subject: [PATCH 4/8] .zip domain stream hash - file type download 
--- 
...haring_domains_download_susp_extension.yml | 3 +- 
...ing_domains_download_unusual_extension.yml | 1 - 
.../create_stream_hash_zip_tld_download.yml | 45 +++++++++++++++++++ 
3 files changed, 47 insertions(+), 2 deletions(-) 
create mode 100644 rules/windows/create_stream_hash/create_stream_hash_zip_tld_download.yml 
diff --git a/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml b/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml 
index 37db2b043..d27a6c887 100644 
--- a/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml 
+++ b/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml 
@@ -8,6 +8,7 @@ description: Detects the download of suspicious file type from a well-known file
 references:
 - https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90015
 - https://www.cisa.gov/uscert/ncas/alerts/aa22-321a 
+ - https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/
 author: Florian Roth (Nextron Systems)
 date: 2022/08/24
 modified: 2023/02/09 
@@ -18,7 +19,7 @@ tags:
 logsource:
 product: windows
 category: create_stream_hash 
- definition: 'Requirements: Sysmon config with Imphash logging activated' 
+ definition: 'Requirements: Sysmon config - FileCreateStreamHash events have to be included'
 detection:
 selection_domain:
 Contents|contains: 
diff --git a/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml b/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml 
index 3996600ca..4ed3d8803 100644 
--- a/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml 
+++ b/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_unusual_extension.yml 
@@ -18,7 +18,6 @@ tags:
 logsource:
 product: windows
 category: create_stream_hash 
- definition: 'Requirements: Sysmon config with Imphash logging activated'
 detection:
 selection_domain:
 Contents|contains: 
diff --git a/rules/windows/create_stream_hash/create_stream_hash_zip_tld_download.yml b/rules/windows/create_stream_hash/create_stream_hash_zip_tld_download.yml 
new file mode 100644 
index 000000000..f4f26fffa 
--- /dev/null 
+++ b/rules/windows/create_stream_hash/create_stream_hash_zip_tld_download.yml 
@@ -0,0 +1,45 @@ 
+title: Unusual File Download From File ZIP Domain 
+id: 0bb4bbeb-fe52-4044-b40c-430a04577ebe 
+status: experimental 
+description: Detects the download of a relevant file type from a .zip domain 
+references: 
+ - https://twitter.com/cyb3rops/status/1659175181695287297 
+author: Florian Roth (Nextron Systems) 
+date: 2023/05/18 
+tags: 
+ - attack.defense_evasion 
+ - attack.s0139 
+ - attack.t1564.004 
+logsource: 
+ product: windows 
+ category: create_stream_hash 
+ definition: 'Requirements: Sysmon config - FileCreateStreamHash events have to be included' 
+detection: 
+ selection_domain: 
+ Contents|contains: '.zip/' 
+ selection_extension: 
+ TargetFilename|contains: 
+ - '.exe:Zone' 
+ - '.vbs:Zone' 
+ - '.bat:Zone' 
+ - '.rar:Zone' 
+ - '.ps1:Zone' 
+ - '.doc:Zone' 
+ - '.docm:Zone' 
+ - '.xls:Zone' 
+ - '.xlsm:Zone' 
+ - '.pptm:Zone' 
+ - '.rtf:Zone' 
+ - '.hta:Zone' 
+ - '.dll:Zone' 
+ - '.ws:Zone' 
+ - '.wsf:Zone' 
+ - '.sct:Zone' 
+ - '.zip:Zone' 
+condition: all of selection* 
+fields: 
+ - TargetFilename 
+ - Image 
+falsepositives: 
+ - Legitimate file downloads from a web service that uses the new .zip domain 
+level: high 
From 11069e87c6ce158e703f342905ede737fe07f86c Mon Sep 17 00:00:00 2001 
From: Florian Roth 
Date: Thu, 18 May 2023 14:58:44 +0200 
Subject: [PATCH 5/8] docs: add url 
--- 
.../create_stream_hash/create_stream_hash_zip_tld_download.yml | 1 + 
1 file changed, 1 insertion(+) 
diff --git a/rules/windows/create_stream_hash/create_stream_hash_zip_tld_download.yml b/rules/windows/create_stream_hash/create_stream_hash_zip_tld_download.yml 
index f4f26fffa..4cc0d993f 100644 
--- a/rules/windows/create_stream_hash/create_stream_hash_zip_tld_download.yml 
+++ b/rules/windows/create_stream_hash/create_stream_hash_zip_tld_download.yml 
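Review bot: `Contents|contains: '.zip/'` is not anchored to the host part of the URL, so any `HostUrl=`/`ReferrerUrl=` value in the Zone.Identifier stream whose path has a segment ending in `.zip/` (e.g. `https://example.com/builds/v2.zip/`) fires at `level: high` with no .zip TLD involved. Matching the host explicitly keeps the intent without that class of false positives, e.g. `Contents|re: 'https?://[^/\s]+\.zip/'`, provided the target backends support `|re`; if they do not, the limitation should at least be stated in `falsepositives`. A one-line comment on `selection_domain` saying what the field holds would also help the next maintainer, e.g. `# Contents = Zone.Identifier ADS written by the browser; HostUrl/ReferrerUrl carry the download origin`.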
@@ -4,6 +4,7 @@ status: experimental
 description: Detects the download of a relevant file type from a .zip domain
 references:
 - https://twitter.com/cyb3rops/status/1659175181695287297 
+ - https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/
 author: Florian Roth (Nextron Systems)
 date: 2023/05/18
 tags: 
From b9230390152234259643091ebb54519cca149a3a Mon Sep 17 00:00:00 2001 
From: Florian Roth 
Date: Thu, 18 May 2023 16:08:48 +0200 
Subject: [PATCH 6/8] fix: duplicate 
--- 
rules/web/proxy_generic/proxy_download_susp_tlds_blacklist.yml | 2 -- 
1 file changed, 2 deletions(-) 
diff --git a/rules/web/proxy_generic/proxy_download_susp_tlds_blacklist.yml b/rules/web/proxy_generic/proxy_download_susp_tlds_blacklist.yml 
index 2cb375e79..17b4a0f74 100644 
--- a/rules/web/proxy_generic/proxy_download_susp_tlds_blacklist.yml 
+++ b/rules/web/proxy_generic/proxy_download_susp_tlds_blacklist.yml 
@@ -109,8 +109,6 @@ detection:
 - '.ga'
 # Custom
 - '.pw' 
- # Zip https://twitter.com/cyb3rops/status/1659175181695287297?s=20 
- - '.zip'
 condition: selection
 fields:
 - ClientIP 
From 9ebec1c6e33e986951b56703ec86c89de8afaa3f Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> 
Date: Thu, 18 May 2023 22:54:53 +0200 
Subject: [PATCH 7/8] fix: apply suggestions from code review 
--- 
rules/web/proxy_generic/proxy_download_susp_tlds_blacklist.yml | 2 +- 
...stream_hash_file_sharing_domains_download_susp_extension.yml | 1 - 
rules/windows/file/file_event/file_event_win_lsass_dump.yml | 1 - 
3 files changed, 1 insertion(+), 3 deletions(-) 
diff --git a/rules/web/proxy_generic/proxy_download_susp_tlds_blacklist.yml b/rules/web/proxy_generic/proxy_download_susp_tlds_blacklist.yml 
index 17b4a0f74..4fd49897b 100644 
--- a/rules/web/proxy_generic/proxy_download_susp_tlds_blacklist.yml 
+++ b/rules/web/proxy_generic/proxy_download_susp_tlds_blacklist.yml 
@@ -12,7 +12,7 @@ references:
 - https://krebsonsecurity.com/2018/06/bad-men-at-work-please-dont-click/
 author: Florian Roth (Nextron Systems)
 date: 2017/11/07 
-modified: 2023/05/18 
+modified: 2023/01/09
 tags:
 - attack.initial_access
 - attack.t1566 
diff --git a/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml b/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml 
index d27a6c887..1366b4940 100644 
--- a/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml 
+++ b/rules/windows/create_stream_hash/create_stream_hash_file_sharing_domains_download_susp_extension.yml 
@@ -19,7 +19,6 @@ tags:
 logsource:
 product: windows
 category: create_stream_hash 
- definition: 'Requirements: Sysmon config - FileCreateStreamHash events have to be included'
 detection:
 selection_domain:
 Contents|contains: 
diff --git a/rules/windows/file/file_event/file_event_win_lsass_dump.yml b/rules/windows/file/file_event/file_event_win_lsass_dump.yml 
index ac5d93f5a..a16e60360 100644 
--- a/rules/windows/file/file_event/file_event_win_lsass_dump.yml 
+++ b/rules/windows/file/file_event/file_event_win_lsass_dump.yml 
@@ -27,7 +27,6 @@ detection:
 - '\lsass.dmp'
 - '\lsass.zip'
 - '\lsass.rar' 
- - '\Temp\dumpert.dmp' # https://github.com/outflanknl/Dumpert/blob/master/Dumpert-Aggressor/Outflank-Dumpert.cna
 - '\Andrew.dmp'
 - '\Coredump.dmp'
 - '\NotLSASS.zip' # https://github.com/CCob/MirrorDump 
From d468c2fb330b051bb75a58fc44d663b895acbfe4 Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> 
Date: Thu, 18 May 2023 22:55:18 +0200 
Subject: [PATCH 8/8] feat: add more extensions and fix metadata 
--- 
.../create_stream_hash_zip_tld_download.yml | 40 +++++++++---------- 
1 file changed, 18 insertions(+), 22 deletions(-) 
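Review bot: Dropping `'\Temp\dumpert.dmp'` from `selection1` removes the only visible match for Dumpert's default output file; unless an entry outside this hunk (for instance a plain `'\dumpert.dmp'` suffix) already covers it, this is a coverage regression rather than a cleanup, and the commit message does not say which. If it is covered elsewhere, a comment on the surviving entry would keep the next reviewer from re-adding it, e.g. `# also matches Outflank Dumpert's default \Temp\dumpert.dmp`. The head of `selection1` and the condition lie outside this hunk.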
diff --git a/rules/windows/create_stream_hash/create_stream_hash_zip_tld_download.yml b/rules/windows/create_stream_hash/create_stream_hash_zip_tld_download.yml 
index 4cc0d993f..637738567 100644 
--- a/rules/windows/create_stream_hash/create_stream_hash_zip_tld_download.yml 
+++ b/rules/windows/create_stream_hash/create_stream_hash_zip_tld_download.yml 
@@ -1,7 +1,7 @@ 
-title: Unusual File Download From File ZIP Domain 
+title: Potentially Suspicious File Download From ZIP TLD
 id: 0bb4bbeb-fe52-4044-b40c-430a04577ebe
 status: experimental 
-description: Detects the download of a relevant file type from a .zip domain 
+description: Detects the download of a file with a potentially suspicious extension from a .zip top level domain.
 references:
 - https://twitter.com/cyb3rops/status/1659175181695287297
 - https://fabian-voith.de/2020/06/25/sysmon-v11-1-reads-alternate-data-streams/ 
@@ -9,38 +9,34 @@ author: Florian Roth (Nextron Systems)
 date: 2023/05/18
 tags:
 - attack.defense_evasion 
- - attack.s0139 
- - attack.t1564.004
 logsource:
 product: windows
 category: create_stream_hash 
- definition: 'Requirements: Sysmon config - FileCreateStreamHash events have to be included'
 detection: 
- selection_domain: 
+ selection:
 Contents|contains: '.zip/' 
- selection_extension:
 TargetFilename|contains: 
- - '.exe:Zone' 
- - '.vbs:Zone'
 - '.bat:Zone' 
- - '.rar:Zone' 
- - '.ps1:Zone' 
+ - '.dat:Zone' 
+ - '.dll:Zone'
 - '.doc:Zone'
 - '.docm:Zone' 
- - '.xls:Zone' 
- - '.xlsm:Zone' 
- - '.pptm:Zone' 
- - '.rtf:Zone' 
+ - '.exe:Zone'
 - '.hta:Zone' 
- - '.dll:Zone' 
+ - '.pptm:Zone' 
+ - '.ps1:Zone' 
+ - '.rar:Zone' 
+ - '.rtf:Zone' 
+ - '.sct:Zone' 
+ - '.vbe:Zone' 
+ - '.vbs:Zone'
 - '.ws:Zone'
 - '.wsf:Zone' 
- - '.sct:Zone' 
+ - '.xll:Zone' 
+ - '.xls:Zone' 
+ - '.xlsm:Zone'
 - '.zip:Zone' 
- condition: all of selection* 
-fields: 
- - TargetFilename 
- - Image 
+ condition: selection
 falsepositives: 
- - Legitimate file downloads from a web service that uses the new .zip domain 
+ - Legitimate file downloads from a websites and web services that uses the ".zip" top level domain.
 level: high
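Review bot: After removing `attack.s0139` and `attack.t1564.004`, `attack.defense_evasion` is the rule's only tag, which leaves a tactic with no technique and arguably names the wrong tactic for a lure-domain download; `attack.initial_access` with `attack.t1566.002`, or `attack.t1204.002` under user execution, matches the described behaviour better, subject to the repo's tagging conventions. The new `'.dat:Zone'` entry is far more generic than the rest of the list and is likely to dominate the `level: high` hits, so it needs either a comment justifying it or a lower level for the rule. The reworded falsepositives entry also carries a grammar slip; suggest `- Legitimate file downloads from websites and web services that use the ".zip" top level domain.`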