From d48b6beaf5351d66b6b04c1fe592c240e96700d7 Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Wed, 9 Feb 2022 20:24:59 +0000
Subject: [PATCH 1/7] Filtering fp of dynatrace behavior
---
.../win_file_permission_modifications.yml | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/win_file_permission_modifications.yml b/rules/windows/process_creation/win_file_permission_modifications.yml
index 6d031b2cd..2030873a2 100644
--- a/rules/windows/process_creation/win_file_permission_modifications.yml
+++ b/rules/windows/process_creation/win_file_permission_modifications.yml
@@ -19,14 +19,21 @@ detection:
CommandLine|contains: '/grant' - Image|endswith: '\attrib.exe' CommandLine|contains: '-r' - condition: selection + filter_1: + - CommandLine: + - 'C:\Windows\system32\cmd.exe /C ICACLS C:\ProgramData\dynatrace\gateway\config\config.properties /grant :r *S-1-5-19:F' + - 'C:\Windows\system32\cmd.exe /C ICACLS C:\ProgramData\dynatrace\gateway\config\connectivity.history /reset' + - 'ICACLS C:\ProgramData\dynatrace\gateway\config\config.properties /grant :r *S-1-5-19:F' + - 'ICACLS C:\ProgramData\dynatrace\gateway\config\connectivity.history /reset' + condition: selection and not 1 of filter* fields: - ComputerName - User - CommandLine falsepositives: - Users interacting with the files on their own (unlikely unless privileged users). + - Dynatrace app level: medium tags: - attack.defense_evasion - - attack.t1222.001 \ No newline at end of file + - attack.t1222.001
From ae2c0f0a7f83d154cef5ee52b7cd41d4fad20079 Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Wed, 9 Feb 2022 21:26:43 +0000
Subject: [PATCH 2/7] fixing test
---
.../process_creation/win_file_permission_modifications.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/win_file_permission_modifications.yml b/rules/windows/process_creation/win_file_permission_modifications.yml
index 2030873a2..69e3c3cf0 100644
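Review bot: Two of the four filter_1 entries can never suppress anything: the rule's selection (it begins above this hunk; the patch-5 hunk shows its Image list of takeown/cacls/icacls) only matches the icacls process-creation event, while the `C:\Windows\system32\cmd.exe /C ICACLS …` strings are the command line of the cmd.exe parent, whose Image does not satisfy the selection, so only the bare `ICACLS …` forms are reachable. The exclusion also keys on command-line text alone, so any process that reproduces that string is exempt; pinning the filter to the process that legitimately issues it, e.g. adding `ParentImage|endswith: '<dynatrace gateway binary — confirm from telemetry>'` to filter_1, would keep it specific to the observed benign behaviour. The same cmd.exe entries are carried forward in patches 2, 3 and 4 of this series.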
--- a/rules/windows/process_creation/win_file_permission_modifications.yml
+++ b/rules/windows/process_creation/win_file_permission_modifications.yml
@@ -19,13 +19,13 @@ detection:
CommandLine|contains: '/grant' - Image|endswith: '\attrib.exe' CommandLine|contains: '-r' - filter_1: + filter: - CommandLine: - 'C:\Windows\system32\cmd.exe /C ICACLS C:\ProgramData\dynatrace\gateway\config\config.properties /grant :r *S-1-5-19:F' - 'C:\Windows\system32\cmd.exe /C ICACLS C:\ProgramData\dynatrace\gateway\config\connectivity.history /reset' - 'ICACLS C:\ProgramData\dynatrace\gateway\config\config.properties /grant :r *S-1-5-19:F' - 'ICACLS C:\ProgramData\dynatrace\gateway\config\connectivity.history /reset' - condition: selection and not 1 of filter* + condition: selection and not filter fields: - ComputerName - User
From 11af922740a53d1cf00adba96b6a5f7c46b7b8f6 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 9 Feb 2022 23:17:32 +0100
Subject: [PATCH 3/7] Update win_file_permission_modifications.yml
---
.../win_file_permission_modifications.yml | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/rules/windows/process_creation/win_file_permission_modifications.yml b/rules/windows/process_creation/win_file_permission_modifications.yml
index 69e3c3cf0..f6bc59ab9 100644
--- a/rules/windows/process_creation/win_file_permission_modifications.yml
+++ b/rules/windows/process_creation/win_file_permission_modifications.yml
@@ -6,7 +6,7 @@ author: Jakob Weinzettl, oscd.community
references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md date: 2019/10/23 -modified: 2021/11/27 +modified: 2022/02/09 logsource: category: process_creation product: windows
@@ -20,12 +20,15 @@ detection:
- Image|endswith: '\attrib.exe' CommandLine|contains: '-r' filter: - - CommandLine: - - 'C:\Windows\system32\cmd.exe /C ICACLS C:\ProgramData\dynatrace\gateway\config\config.properties /grant :r *S-1-5-19:F' - - 'C:\Windows\system32\cmd.exe /C ICACLS C:\ProgramData\dynatrace\gateway\config\connectivity.history /reset' - - 'ICACLS C:\ProgramData\dynatrace\gateway\config\config.properties /grant :r *S-1-5-19:F' - - 'ICACLS C:\ProgramData\dynatrace\gateway\config\connectivity.history /reset' - condition: selection and not filter + CommandLine: + - 'C:\Windows\system32\cmd.exe /C ICACLS C:\ProgramData\dynatrace\gateway\config\connectivity.history /reset' + - 'ICACLS C:\ProgramData\dynatrace\gateway\config\connectivity.history /reset' + filter_grant: + CommandLine|contains: + - 'C:\Windows\system32\cmd.exe /C ICACLS C:\ProgramData\dynatrace\gateway\config\config.properties /grant :r ' + - 'ICACLS C:\ProgramData\dynatrace\gateway\config\config.properties /grant :r ' + CommandLine|contains|all: 'S-1-5-19:F' + condition: selection and not 1 of filter* fields: - ComputerName - User
From 2ce7d60729053bba4726f6fafc7bed685478ab74 Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Wed, 9 Feb 2022 23:46:07 +0000
Subject: [PATCH 4/7] splitting up filters
---
.../win_file_permission_modifications.yml | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/rules/windows/process_creation/win_file_permission_modifications.yml b/rules/windows/process_creation/win_file_permission_modifications.yml
index 69e3c3cf0..e3a76dc2e 100644
--- a/rules/windows/process_creation/win_file_permission_modifications.yml
+++ b/rules/windows/process_creation/win_file_permission_modifications.yml
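Review bot: In filter_grant the first `CommandLine|contains` value is redundant: `contains` matches anywhere in the field, and the second value `'ICACLS C:\ProgramData\dynatrace\gateway\config\config.properties /grant :r '` is a substring of the first, so the cmd.exe wrapper form is already covered by it. `CommandLine|contains|all: 'S-1-5-19:F'` applies `|all` to a single value, where the modifier has no effect. Both collapse into one list, `CommandLine|contains|all:` with the two entries `'ICACLS C:\ProgramData\dynatrace\gateway\config\config.properties /grant :r '` and `'S-1-5-19:F'`, which also makes the AND between the two constraints explicit instead of relying on two field entries in the same map.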
@@ -19,13 +19,14 @@ detection:
CommandLine|contains: '/grant' - Image|endswith: '\attrib.exe' CommandLine|contains: '-r' - filter: + filter_1: - CommandLine: - - 'C:\Windows\system32\cmd.exe /C ICACLS C:\ProgramData\dynatrace\gateway\config\config.properties /grant :r *S-1-5-19:F' - 'C:\Windows\system32\cmd.exe /C ICACLS C:\ProgramData\dynatrace\gateway\config\connectivity.history /reset' - - 'ICACLS C:\ProgramData\dynatrace\gateway\config\config.properties /grant :r *S-1-5-19:F' - 'ICACLS C:\ProgramData\dynatrace\gateway\config\connectivity.history /reset' - condition: selection and not filter + filter_2: + - CommandLine|contains|all: + - 'ICACLS C:\ProgramData\dynatrace\gateway\config\config.properties /grant :r' + condition: selection and not 1 of filter* fields: - ComputerName - User
From bc4016044409dfed005dcd9c486f504b150ae7ea Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Thu, 10 Feb 2022 00:00:03 +0000
Subject: [PATCH 5/7] fixing more yaml lint complaints
---
.../process_creation/win_file_permission_modifications.yml | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/rules/windows/process_creation/win_file_permission_modifications.yml b/rules/windows/process_creation/win_file_permission_modifications.yml
index 56f95a94e..c40dbbf3a 100644
--- a/rules/windows/process_creation/win_file_permission_modifications.yml
+++ b/rules/windows/process_creation/win_file_permission_modifications.yml
@@ -16,9 +16,10 @@ detection:
- '\takeown.exe' - '\cacls.exe' - '\icacls.exe' - CommandLine|contains: '/grant' - Image|endswith: '\attrib.exe' - CommandLine|contains: '-r' + - '\attrib.exe' + CommandLine|contains: + - '/grant' + - '-r' filter: CommandLine: - 'C:\Windows\system32\cmd.exe /C ICACLS C:\ProgramData\dynatrace\gateway\config\connectivity.history /reset'
From 330450cae6a25c57cfe6f74560368a913c3588d2 Mon Sep 17 00:00:00 2001
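Review bot: filter_2 drops the trustee and permission from the excluded grant: `CommandLine|contains|all` with the single value `'ICACLS C:\ProgramData\dynatrace\gateway\config\config.properties /grant :r'` suppresses every `/grant :r` on that file, not only the `*S-1-5-19:F` grant that filter_1 matched exactly in patch 1, and `|all` on a single value is a no-op. Keeping the SID as a second list entry, `- 'S-1-5-19:F'`, restores the original scope while still tolerating the cmd.exe wrapper. This patch and patch 3 both start from blob 69e3c3cf0 of the rule file and rename the same `filter` block differently (filter_1/filter_2 here, filter/filter_grant there), so one of the two needs rebasing before the series applies cleanly.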
From: Tim Shelton
Date: Thu, 10 Feb 2022 00:01:55 +0000
Subject: [PATCH 6/7] fixing error
---
.../win_file_permission_modifications.yml | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/rules/windows/process_creation/win_file_permission_modifications.yml b/rules/windows/process_creation/win_file_permission_modifications.yml
index c40dbbf3a..4a8dbf5cd 100644
--- a/rules/windows/process_creation/win_file_permission_modifications.yml
+++ b/rules/windows/process_creation/win_file_permission_modifications.yml
@@ -16,10 +16,10 @@ detection:
- '\takeown.exe' - '\cacls.exe' - '\icacls.exe' - - '\attrib.exe' - CommandLine|contains: - - '/grant' - - '-r' + CommandLine|contains: '/grant' + selection2: + Image|endswith: '\attrib.exe' + CommandLine|contains: '-r' filter: CommandLine: - 'C:\Windows\system32\cmd.exe /C ICACLS C:\ProgramData\dynatrace\gateway\config\connectivity.history /reset'
@@ -28,7 +28,7 @@ detection:
CommandLine|contains: - 'ICACLS C:\ProgramData\dynatrace\gateway\config\config.properties /grant :r ' CommandLine|contains|all: 'S-1-5-19:F' - condition: selection and not 1 of filter* + condition: selection or selection2 and not 1 of filter* fields: - ComputerName - User
From 6d27058ce000c00ecb7a9a52419b69fe89171f78 Mon Sep 17 00:00:00 2001
From: Tim Shelton
Date: Fri, 11 Feb 2022 16:12:43 +0000
Subject: [PATCH 7/7] updating, with suggestions
---
.../win_file_permission_modifications.yml | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/rules/windows/process_creation/win_file_permission_modifications.yml b/rules/windows/process_creation/win_file_permission_modifications.yml
index 4a8dbf5cd..d4bce635d 100644
--- a/rules/windows/process_creation/win_file_permission_modifications.yml
+++ b/rules/windows/process_creation/win_file_permission_modifications.yml
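Review bot: The new condition `selection or selection2 and not 1 of filter*` in the second hunk does not express what the commit intends: Sigma binds `and` tighter than `or`, so it is evaluated as `selection or (selection2 and not 1 of filter*)`, and the Dynatrace filters are applied only to the attrib.exe branch, never to the icacls events they were written for. Parenthesise it, `condition: (selection or selection2) and not 1 of filter*`, or write `condition: 1 of selection* and not 1 of filter*`. The same line is kept unchanged as context in the patch 7 hunk, so the final state of the series has the same problem.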
@@ -6,7 +6,7 @@ author: Jakob Weinzettl, oscd.community
references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md date: 2019/10/23 -modified: 2022/02/09 +modified: 2022/02/11 logsource: category: process_creation product: windows
@@ -20,14 +20,12 @@ detection:
selection2: Image|endswith: '\attrib.exe' CommandLine|contains: '-r' - filter: - CommandLine: - - 'C:\Windows\system32\cmd.exe /C ICACLS C:\ProgramData\dynatrace\gateway\config\connectivity.history /reset' - - 'ICACLS C:\ProgramData\dynatrace\gateway\config\connectivity.history /reset' + filter_reset: + CommandLine|endswith: 'ICACLS C:\ProgramData\dynatrace\gateway\config\connectivity.history /reset' filter_grant: - CommandLine|contains: + CommandLine|contains|all: - 'ICACLS C:\ProgramData\dynatrace\gateway\config\config.properties /grant :r ' - CommandLine|contains|all: 'S-1-5-19:F' + - 'S-1-5-19:F' condition: selection or selection2 and not 1 of filter* fields: - ComputerName
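Review bot: filter_grant's `CommandLine|contains|all` accepts `'ICACLS C:\ProgramData\dynatrace\gateway\config\config.properties /grant :r '` and `'S-1-5-19:F'` anywhere in the command line, so the two substrings are not tied to each other and an icacls grant list on that file that names further trustees alongside `S-1-5-19:F` is suppressed as well. Since the benign command is fixed, matching the contiguous argument `'/grant :r *S-1-5-19:F'` (as patch 1 did) or using `CommandLine|endswith` the way filter_reset now does keeps the exclusion bound to exactly the observed Dynatrace invocation, which is the point of the `endswith` change in this hunk.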