From aec95b6d651c99ec0c138fe312e5ced6fe8d5331 Mon Sep 17 00:00:00 2001 
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Thu, 7 Jul 2022 20:13:45 +0100 Subject: [PATCH] Update selections and indentation --- .../firewall_cleartext_protocols.yml | 2 +- rules/linux/builtin/lnx_setgid_setuid.yml | 24 +++---- .../builtin/lnx_space_after_filename_.yml | 2 +- rules/linux/builtin/lnx_susp_jexboss.yml | 4 +- ...proc_creation_lnx_clipboard_collection.yml | 2 +- .../proc_creation_lnx_dd_file_overwrite.yml | 3 +- ...c_creation_macos_change_file_time_attr.yml | 2 +- rules/web/web_cve_2020_0688_msexchange.yml | 30 ++++----- ...ve_2021_22893_pulse_secure_rce_exploit.yml | 3 +- .../application/win_vul_cve_2020_0688.yml | 2 +- .../create_remote_thread_win_ttdinjec.yml | 18 ++--- .../sysmon_createremotethread_loadlibrary.yml | 20 +++--- .../sysmon_powershell_code_injection.yml | 20 +++--- .../posh_ps_cl_invocation_lolscript_count.yml | 8 +-- ...h_ps_cl_mutexverifiers_lolscript_count.yml | 8 +-- .../posh_ps_winlogon_helper_dll.yml | 6 +- .../proc_creation_win_apt_sofacy.yml | 4 +- ...eation_win_apt_turla_commands_critical.yml | 14 ++-- .../proc_creation_win_bootconf_mod.yml | 44 ++++++------- ...roc_creation_win_exploit_cve_2020_1048.yml | 34 +++++----- .../proc_creation_win_hack_hydra.yml | 34 +++++----- ...proc_creation_win_lolbin_cl_invocation.yml | 12 ++-- ...tion_win_lolbin_susp_mpcmdrun_download.yml | 2 +- ...n_lolbins_with_wmiprvse_parent_process.yml | 26 ++++---- .../proc_creation_win_netsh_fw_add.yml | 36 +++++----- .../proc_creation_win_non_priv_reg_or_ps.yml | 64 +++++++++--------- ...from_proxy_executing_regsvr32_payload2.yml | 4 +- ...on_win_office_spawning_wmi_commandline.yml | 34 +++++----- ...oc_creation_win_powershell_amsi_bypass.yml | 24 +++---- ..._creation_win_powershell_b64_shellcode.yml | 28 ++++---- ...eation_win_powersploit_empire_schtasks.yml | 66 +++++++++---------- .../proc_creation_win_renamed_paexec.yml | 50 +++++++------- .../proc_creation_win_schtasks_reg_loader.yml | 46 ++++++------- 
.../proc_creation_win_susp_print.yml | 34 +++++----- .../proc_creation_win_susp_ps_appdata.yml | 2 +- ...tion_win_susp_registration_via_cscript.yml | 18 ++--- .../proc_creation_win_susp_rundll32_sys.yml | 2 +- .../proc_creation_win_task_folder_evasion.yml | 2 +- 38 files changed, 368 insertions(+), 366 deletions(-) diff --git a/rules/compliance/firewall_cleartext_protocols.yml b/rules/compliance/firewall_cleartext_protocols.yml index 1a1f3d7e9..78b5e9d5d 100644 --- a/rules/compliance/firewall_cleartext_protocols.yml +++ b/rules/compliance/firewall_cleartext_protocols.yml @@ -36,7 +36,7 @@ detection: - forward - accept - 2 - condition: selection1 and selection2 + condition: all of selection* falsepositives: - Unknown level: low diff --git a/rules/linux/builtin/lnx_setgid_setuid.yml b/rules/linux/builtin/lnx_setgid_setuid.yml index 9db67ea9f..836a45c03 100644 --- a/rules/linux/builtin/lnx_setgid_setuid.yml +++ b/rules/linux/builtin/lnx_setgid_setuid.yml 
@@ -4,22 +4,22 @@ status: test
 description: Detects suspicious change of file privileges with chown and chmod commands
 author: Ömer Günal
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md
- - https://attack.mitre.org/techniques/T1548/001/
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1548.001/T1548.001.md
+ - https://attack.mitre.org/techniques/T1548/001/
 date: 2020/06/16
 modified: 2021/11/27
 logsource:
- product: linux
+ product: linux
 detection:
- selection1:
- - '*chown root*'
- selection2:
- - '* chmod u+s*'
- selection3:
- - '* chmod g+s*'
- condition: (selection1 and selection2) or (selection1 and selection3)
+ selection1:
+ - '*chown root*'
+ selection2:
+ - '* chmod u+s*'
+ selection3:
+ - '* chmod g+s*'
+ condition: (selection1 and selection2) or (selection1 and selection3)
 falsepositives:
- - Legitimate administration activities
+ - Legitimate administration activities
 level: low
 tags:
- - attack.persistence
+ - attack.persistence
diff --git a/rules/linux/builtin/lnx_space_after_filename_.yml b/rules/linux/builtin/lnx_space_after_filename_.yml
index c963868b7..d88b2b441 100644
--- a/rules/linux/builtin/lnx_space_after_filename_.yml
+++ b/rules/linux/builtin/lnx_space_after_filename_.yml
@@ -14,7 +14,7 @@ detection:
 - 'echo "*" > * && chmod +x *'
 selection2:
 - 'mv * "* "'
- condition: selection1 and selection2
+ condition: all of selection*
 falsepositives:
 - Typos
 level: low
diff --git a/rules/linux/builtin/lnx_susp_jexboss.yml b/rules/linux/builtin/lnx_susp_jexboss.yml
index 118ed0cd3..ebdc32c1a 100644
--- a/rules/linux/builtin/lnx_susp_jexboss.yml
+++ b/rules/linux/builtin/lnx_susp_jexboss.yml
@@ -6,7 +6,7 @@ author: Florian Roth
 references:
 - https://www.us-cert.gov/ncas/analysis-reports/AR18-312A
 date: 2017/08/24
-modified: 2021/11/27
+modified: 2022/07/07
 logsource:
 product: linux
 detection:
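Review bot: The re-indented condition `(selection1 and selection2) or (selection1 and selection3)` repeats `selection1` on both sides; the equivalent `condition: selection1 and (selection2 or selection3)` states the intent ("chown root" followed by either a setuid or a setgid chmod) directly and is less error-prone when another variant is added. This rule is also, correctly, the one hunk in the commit not converted to `all of selection*`, since that form would require all three selections to match at once; a short comment such as `# not 'all of selection*': u+s and g+s are alternatives` would stop the next cleanup pass from "fixing" it. The keyword patterns (`'*chown root*'`, `'* chmod u+s*'`) are matched anywhere in the event text, so strings like `chown root:root` or `chown rootuser` also hit; presumably acceptable at level low, but worth stating in falsepositives.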
@@ -14,7 +14,7 @@ detection: - 'bash -c /bin/bash' selection2: - '&/dev/tcp/' - condition: selection1 and selection2 + condition: all of selection* falsepositives: - Unknown level: high diff --git a/rules/linux/process_creation/proc_creation_lnx_clipboard_collection.yml b/rules/linux/process_creation/proc_creation_lnx_clipboard_collection.yml index 7e493edf7..8295856a4 100644 --- a/rules/linux/process_creation/proc_creation_lnx_clipboard_collection.yml +++ b/rules/linux/process_creation/proc_creation_lnx_clipboard_collection.yml @@ -26,7 +26,7 @@ detection: - 'clip' selection4: CommandLine|contains: '-o' - condition: selection1 and selection2 and selection3 and selection4 + condition: all of selection* falsepositives: - Legitimate usage of xclip tools. level: low diff --git a/rules/linux/process_creation/proc_creation_lnx_dd_file_overwrite.yml b/rules/linux/process_creation/proc_creation_lnx_dd_file_overwrite.yml index 3a9f5bbe4..478c1008f 100644 --- a/rules/linux/process_creation/proc_creation_lnx_dd_file_overwrite.yml +++ b/rules/linux/process_creation/proc_creation_lnx_dd_file_overwrite.yml @@ -3,6 +3,7 @@ id: 2953194b-e33c-4859-b9e8-05948c167447 status: experimental description: Detects potential overwriting and deletion of a file using DD. date: 2021/10/15 +modified: 2022/07/07 author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), MSTIC tags: - attack.impact @@ -23,7 +24,7 @@ detection: CommandLine|contains: - 'if=/dev/zero' - 'if=/dev/null' - condition: selection1 and selection2 and selection3 + condition: all of selection* falsepositives: - Any user deleting files that way. level: low diff --git a/rules/macos/process_creation/proc_creation_macos_change_file_time_attr.yml b/rules/macos/process_creation/proc_creation_macos_change_file_time_attr.yml index 508f26f03..ea20d305f 100644 --- a/rules/macos/process_creation/proc_creation_macos_change_file_time_attr.yml +++ b/rules/macos/process_creation/proc_creation_macos_change_file_time_attr.yml 
@@ -19,7 +19,7 @@ detection: - '-acmr' - '-d' - '-r' - condition: selection1 and selection2 + condition: all of selection* falsepositives: - Unknown level: medium diff --git a/rules/web/web_cve_2020_0688_msexchange.yml b/rules/web/web_cve_2020_0688_msexchange.yml index 4f5c9c8ba..0c84efe6b 100644 --- a/rules/web/web_cve_2020_0688_msexchange.yml +++ b/rules/web/web_cve_2020_0688_msexchange.yml @@ -4,26 +4,26 @@ status: test description: Detects the exploitation of Microsoft Exchange vulnerability as described in CVE-2020-0688 author: Florian Roth references: - - https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/ + - https://www.trustedsec.com/blog/detecting-cve-20200688-remote-code-execution-vulnerability-on-microsoft-exchange-server/ date: 2020/02/29 modified: 2021/11/27 logsource: - category: webserver + category: webserver detection: - selection1: - cs-method: 'GET' - c-uri|contains: - - '/ecp/' - - '/owa/' - selection2: - c-uri|contains: '__VIEWSTATE=' - condition: selection1 and selection2 + selection1: + cs-method: 'GET' + c-uri|contains: + - '/ecp/' + - '/owa/' + selection2: + c-uri|contains: '__VIEWSTATE=' + condition: all of selection* fields: - - c-ip - - c-dns + - c-ip + - c-dns falsepositives: - - Unknown + - Unknown level: critical tags: - - attack.initial_access - - attack.t1190 + - attack.initial_access + - attack.t1190 diff --git a/rules/web/web_cve_2021_22893_pulse_secure_rce_exploit.yml b/rules/web/web_cve_2021_22893_pulse_secure_rce_exploit.yml index 06da48fa3..cac64010d 100644 --- a/rules/web/web_cve_2021_22893_pulse_secure_rce_exploit.yml +++ b/rules/web/web_cve_2021_22893_pulse_secure_rce_exploit.yml 
@@ -4,6 +4,7 @@ status: stable description: This rule detects exploitation attempts using Pulse Connect Secure(PCS) vulnerability (CVE-2021-22893) author: Sittikorn S date: 2021/06/29 +modified: 2022/07/07 references: - https://www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html - https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44784 @@ -28,7 +29,7 @@ detection: - 'smb' - 'namedusers' - 'metric' - condition: selection1 and selection2 + condition: all of selection* falsepositives: - Vulnerability Scanning level: high diff --git a/rules/windows/builtin/application/win_vul_cve_2020_0688.yml b/rules/windows/builtin/application/win_vul_cve_2020_0688.yml index 679f144f8..ba2984422 100644 --- a/rules/windows/builtin/application/win_vul_cve_2020_0688.yml +++ b/rules/windows/builtin/application/win_vul_cve_2020_0688.yml @@ -21,7 +21,7 @@ detection: Level: Error selection2: - '&__VIEWSTATE=' - condition: selection1 and selection2 + condition: all of selection* falsepositives: - Unknown level: high diff --git a/rules/windows/create_remote_thread/create_remote_thread_win_ttdinjec.yml b/rules/windows/create_remote_thread/create_remote_thread_win_ttdinjec.yml index a1f30fd0c..5a863f56b 100644 --- a/rules/windows/create_remote_thread/create_remote_thread_win_ttdinjec.yml +++ b/rules/windows/create_remote_thread/create_remote_thread_win_ttdinjec.yml 
@@ -4,19 +4,19 @@ status: experimental description: Detects a remote thread creation of Ttdinject.exe used as proxy author: frack113 references: - - https://lolbas-project.github.io/lolbas/Binaries/Ttdinject/ + - https://lolbas-project.github.io/lolbas/Binaries/Ttdinject/ date: 2022/05/16 modified: 2022/06/02 logsource: - product: windows - category: create_remote_thread + product: windows + category: create_remote_thread detection: - selection: - SourceImage|endswith: '\ttdinject.exe' - condition: selection + selection: + SourceImage|endswith: '\ttdinject.exe' + condition: selection falsepositives: - - Unknown + - Unknown level: high tags: - - attack.defense_evasion - - attack.t1127 + - attack.defense_evasion + - attack.t1127 diff --git a/rules/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml b/rules/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml index 37df67399..66f9b1bfb 100644 --- a/rules/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml +++ b/rules/windows/create_remote_thread/sysmon_createremotethread_loadlibrary.yml 
@@ -4,20 +4,20 @@ status: test description: Detects potential use of CreateRemoteThread api and LoadLibrary function to inject DLL into a process author: Roberto Rodriguez @Cyb3rWard0g references: - - https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-180719170510.html + - https://threathunterplaybook.com/notebooks/windows/05_defense_evasion/WIN-180719170510.html date: 2019/08/11 modified: 2021/11/27 logsource: - product: windows - category: create_remote_thread + product: windows + category: create_remote_thread detection: - selection: - StartModule|endswith: '\kernel32.dll' - StartFunction: 'LoadLibraryA' - condition: selection + selection: + StartModule|endswith: '\kernel32.dll' + StartFunction: 'LoadLibraryA' + condition: selection falsepositives: - - Unknown + - Unknown level: high tags: - - attack.defense_evasion - - attack.t1055.001 + - attack.defense_evasion + - attack.t1055.001 diff --git a/rules/windows/create_remote_thread/sysmon_powershell_code_injection.yml b/rules/windows/create_remote_thread/sysmon_powershell_code_injection.yml index 84ab9d39e..4f72917d6 100644 --- a/rules/windows/create_remote_thread/sysmon_powershell_code_injection.yml +++ b/rules/windows/create_remote_thread/sysmon_powershell_code_injection.yml 
@@ -4,20 +4,20 @@ status: test
 description: Detecting Code injection with PowerShell in another process
 author: Nikita Nazarov, oscd.community
 references:
- - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
+ - https://speakerdeck.com/heirhabarov/hunting-for-powershell-abuse
 date: 2020/10/06
 modified: 2021/11/27
 logsource:
- product: windows
- category: create_remote_thread
- definition: 'Note that you have to configure logging for CreateRemoteThread in Symson config'
+ product: windows
+ category: create_remote_thread
+ definition: 'Note that you have to configure logging for CreateRemoteThread in Symson config'
 detection:
- selection:
- SourceImage|endswith: '\powershell.exe'
- condition: selection
+ selection:
+ SourceImage|endswith: '\powershell.exe'
+ condition: selection
 falsepositives:
- - Unknown
+ - Unknown
 level: high
 tags:
- - attack.execution
- - attack.t1059.001
+ - attack.execution
+ - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript_count.yml b/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript_count.yml
index 4a05379f0..32789b70c 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript_count.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_cl_invocation_lolscript_count.yml
@@ -18,11 +18,11 @@ logsource:
 detection:
 selection:
 ScriptBlockText|contains:
- - 'CL_Invocation.ps1'
- - 'SyncInvoke'
+ - 'CL_Invocation.ps1'
+ - 'SyncInvoke'
 condition: selection | count(ScriptBlockText) by Computer > 2
- # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Invocation.ps1
- # PS > SyncInvoke c:\Evil.exe
+ # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Invocation.ps1
+ # PS > SyncInvoke c:\Evil.exe
 falsepositives:
 - Unknown
 level: high
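Review bot: `SourceImage|endswith: '\powershell.exe'` in the re-indented selection only covers Windows PowerShell; PowerShell 7 ships as `pwsh.exe`, so a remote thread created from it would not fire this rule. Make the value a list, `- '\powershell.exe'` and `- '\pwsh.exe'`, which keeps the single-selection condition unchanged. The `definition` line carried across with a typo — `Symson` should read `Sysmon` — and since it tells the deployer which logging has to be enabled for the rule to work at all, it is worth correcting in the same pass.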
diff --git a/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript_count.yml b/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript_count.yml index e449b6f6d..00903625e 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript_count.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_cl_mutexverifiers_lolscript_count.yml @@ -18,11 +18,11 @@ logsource: detection: selection: ScriptBlockText|contains: - - 'CL_Mutexverifiers.ps1' - - 'runAfterCancelProcess' + - 'CL_Mutexverifiers.ps1' + - 'runAfterCancelProcess' condition: selection | count(ScriptBlockText) by Computer > 2 - # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1 - # PS > runAfterCancelProcess c:\Evil.exe + # PS > Import-Module c:\Windows\diagnostics\system\Audio\CL_Mutexverifiers.ps1 + # PS > runAfterCancelProcess c:\Evil.exe falsepositives: - Unknown level: high diff --git a/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml b/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml index b52c9b8a4..7d46def56 100644 --- a/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml +++ b/rules/windows/powershell/powershell_script/posh_ps_winlogon_helper_dll.yml 
@@ -4,9 +4,9 @@ status: experimental description: Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in HKLM\Software[Wow6432Node]Microsoft\Windows NT\CurrentVersion\Winlogon\ and HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ are used to manage additional helper programs and functionalities that support Winlogon. Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. author: Timur Zinniatullin, oscd.community date: 2019/10/21 -modified: 2021/10/16 +modified: 2022/07/07 references: - - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1547.004/T1547.004.md + - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1547.004/T1547.004.md logsource: product: windows category: ps_script @@ -18,7 +18,7 @@ detection: ScriptBlockText|contains: - 'Set-ItemProperty' - 'New-Item' - condition: selection and selection2 + condition: all of selection* falsepositives: - Unknown level: medium diff --git a/rules/windows/process_creation/proc_creation_win_apt_sofacy.yml b/rules/windows/process_creation/proc_creation_win_apt_sofacy.yml index 905069d60..f14da7eec 100755 --- a/rules/windows/process_creation/proc_creation_win_apt_sofacy.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_sofacy.yml @@ -3,7 +3,7 @@ id: ba778144-5e3d-40cf-8af9-e28fb1df1e20 author: Florian Roth, Jonhnathan Ribeiro, oscd.community status: test date: 2018/03/01 -modified: 2021/12/08 +modified: 2022/07/07 description: Detects Trojan loader activity as used by APT28 references: - https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/ 
@@ -30,7 +30,7 @@ detection: - '.dll",#1' - '.dll #1' - '.dll" #1' - condition: selection1 and selection2 + condition: all of selection* falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_apt_turla_commands_critical.yml b/rules/windows/process_creation/proc_creation_win_apt_turla_commands_critical.yml index 120eaa9c6..1761c0054 100755 --- a/rules/windows/process_creation/proc_creation_win_apt_turla_commands_critical.yml +++ b/rules/windows/process_creation/proc_creation_win_apt_turla_commands_critical.yml @@ -20,12 +20,12 @@ logsource: category: process_creation product: windows detection: - selection: - CommandLine: - - 'net use \\%DomainController%\C$ "P@ssw0rd" *' - - 'dir c:\\*.doc* /s' - - 'dir %TEMP%\\*.exe' - condition: selection + selection: + CommandLine: + - 'net use \\%DomainController%\C$ "P@ssw0rd" *' + - 'dir c:\\*.doc* /s' + - 'dir %TEMP%\\*.exe' + condition: selection level: critical falsepositives: - - Unknown \ No newline at end of file + - Unknown diff --git a/rules/windows/process_creation/proc_creation_win_bootconf_mod.yml b/rules/windows/process_creation/proc_creation_win_bootconf_mod.yml index b32198d2a..faddae2f1 100644 --- a/rules/windows/process_creation/proc_creation_win_bootconf_mod.yml +++ b/rules/windows/process_creation/proc_creation_win_bootconf_mod.yml 
@@ -4,32 +4,32 @@ status: stable
 description: Identifies use of the bcdedit command to delete boot configuration data. This tactic is sometimes used as by malware or an attacker as a destructive technique.
 author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
 references:
- - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md
- - https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1490/T1490.md
+ - https://eqllib.readthedocs.io/en/latest/analytics/c4732632-9c1d-4980-9fa8-1d98c93f918e.html
 date: 2019/10/24
-modified: 2021/11/27
+modified: 2022/07/07
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection1:
- Image|endswith: \bcdedit.exe
- CommandLine|contains: set
- selection2:
- - CommandLine|contains|all:
- - bootstatuspolicy
- - ignoreallfailures
- - CommandLine|contains|all:
- - recoveryenabled
- - 'no'
- condition: selection1 and selection2
+ selection1:
+ Image|endswith: \bcdedit.exe
+ CommandLine|contains: set
+ selection2:
+ - CommandLine|contains|all:
+ - bootstatuspolicy
+ - ignoreallfailures
+ - CommandLine|contains|all:
+ - recoveryenabled
+ - 'no'
+ condition: all of selection*
 fields:
- - ComputerName
- - User
- - CommandLine
+ - ComputerName
+ - User
+ - CommandLine
 falsepositives:
- - Unlikely
+ - Unlikely
 level: high
 tags:
- - attack.impact
- - attack.t1490
+ - attack.impact
+ - attack.t1490
diff --git a/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_1048.yml b/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_1048.yml
index 2baea071a..f9d90d58d 100644
--- a/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_1048.yml
+++ b/rules/windows/process_creation/proc_creation_win_exploit_cve_2020_1048.yml
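Review bot: The re-indented reference still points at `atomic-red-team/blob/master/atomics/T1490/T1490.md`, while the other rules touched in this same commit (the setgid/setuid and winlogon helper DLL rules) pin Atomic Red Team links to commit `f339e7da…`; an unpinned `master` link drifts or 404s as that repository is reorganized, and the `modified` date was bumped anyway. Pin it the same way: `- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1490/T1490.md`. The quoting of `'no'` under `recoveryenabled` must stay as it is — unquoted, a YAML 1.1 loader would read it as boolean `false` and the match string would no longer be the literal `no` that `bcdedit /set {default} recoveryenabled no` contains. `Image|endswith: \bcdedit.exe` and `CommandLine|contains: set` are valid plain scalars, but quoting them would match the rest of the selection and avoid surprises if someone later adds a value starting with `*` or `&`.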
@@ -4,27 +4,27 @@ status: test
 description: Detects new commands that add new printer port which point to suspicious file
 author: EagleEye Team, Florian Roth
 references:
- - https://windows-internals.com/printdemon-cve-2020-1048/
+ - https://windows-internals.com/printdemon-cve-2020-1048/
 date: 2020/05/13
 modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection1:
- CommandLine|contains: 'Add-PrinterPort -Name'
- selection2:
- CommandLine|contains:
- - '.exe'
- - '.dll'
- - '.bat'
- selection3:
- CommandLine|contains: 'Generic / Text Only'
- condition: ( selection1 and selection2 ) or selection3
+ selection1:
+ CommandLine|contains: 'Add-PrinterPort -Name'
+ selection2:
+ CommandLine|contains:
+ - '.exe'
+ - '.dll'
+ - '.bat'
+ selection3:
+ CommandLine|contains: 'Generic / Text Only'
+ condition: ( * ) or selection3
 falsepositives:
- - New printer port install on host
+ - New printer port install on host
 level: high
 tags:
- - attack.persistence
- - attack.execution
- - attack.t1059.001
+ - attack.persistence
+ - attack.execution
+ - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_hack_hydra.yml b/rules/windows/process_creation/proc_creation_win_hack_hydra.yml
index 02fcc28e0..40f37fd15 100644
--- a/rules/windows/process_creation/proc_creation_win_hack_hydra.yml
+++ b/rules/windows/process_creation/proc_creation_win_hack_hydra.yml
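Review bot: The new condition `( * ) or selection3` is not valid Sigma condition syntax — a bare `*` is not a selection reference — so converters will reject this rule and the PrintDemon (CVE-2020-1048) detection silently drops out of any generated ruleset. The intended `all of selection*` conversion used elsewhere in this commit would also be wrong here, because the glob swallows `selection3` and turns `(1 and 2) or 3` into `1 and 2 and 3`, losing the standalone `'Generic / Text Only'` port match. Restore the explicit form, `condition: (selection1 and selection2) or selection3`; if the glob style is wanted, the standalone selection must be named outside the `selection*` prefix (e.g. `generic_text_port`) before writing `all of selection* or generic_text_port`. A CI check that compiles each rule through a backend would have caught this before merge.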
@@ -4,27 +4,27 @@ status: test description: Detects command line parameters used by Hydra password guessing hack tool author: Vasiliy Burov references: - - https://github.com/vanhauser-thc/thc-hydra - - https://attack.mitre.org/techniques/T1110/001/ + - https://github.com/vanhauser-thc/thc-hydra + - https://attack.mitre.org/techniques/T1110/001/ date: 2020/10/05 modified: 2021/11/27 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection1: - CommandLine|contains|all: - - '-u ' - - '-p ' - selection2: - CommandLine|contains: - - '^USER^' - - '^PASS^' - condition: selection1 and selection2 + selection1: + CommandLine|contains|all: + - '-u ' + - '-p ' + selection2: + CommandLine|contains: + - '^USER^' + - '^PASS^' + condition: all of selection* falsepositives: - - Software that uses the caret encased keywords PASS and USER in its command line + - Software that uses the caret encased keywords PASS and USER in its command line level: high tags: - - attack.credential_access - - attack.t1110 - - attack.t1110.001 + - attack.credential_access + - attack.t1110 + - attack.t1110.001 diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_cl_invocation.yml b/rules/windows/process_creation/proc_creation_win_lolbin_cl_invocation.yml index 04a8b5dd2..8988d5c93 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_cl_invocation.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_cl_invocation.yml 
@@ -16,11 +16,11 @@ logsource: product: windows detection: selection: - CommandLine|contains|all: - - 'CL_Invocation.ps1' - - 'SyncInvoke' - # Example Commandline: "powershell Import-Module c:\Windows\diagnostics\system\Audio\CL_Invocation.ps1; SyncInvoke c:\Evil.exe" + CommandLine|contains|all: + - 'CL_Invocation.ps1' + - 'SyncInvoke' + # Example Commandline: "powershell Import-Module c:\Windows\diagnostics\system\Audio\CL_Invocation.ps1; SyncInvoke c:\Evil.exe" condition: selection -falsepositives: - - Unknown +falsepositives: + - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_susp_mpcmdrun_download.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_mpcmdrun_download.yml index 0b180c0dc..a35a06348 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbin_susp_mpcmdrun_download.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbin_susp_mpcmdrun_download.yml @@ -18,7 +18,7 @@ detection: CommandLine|contains|all: - 'DownloadFile' - 'url' - condition: selection1 and selection2 + condition: all of selection* fields: - CommandLine falsepositives: diff --git a/rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml b/rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml index b593a5104..35f0142ef 100644 --- a/rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml +++ b/rules/windows/process_creation/proc_creation_win_lolbins_with_wmiprvse_parent_process.yml 
@@ -15,20 +15,20 @@ status: experimental
 date: 2021/08/23
 modified: 2022/06/02
 logsource:
- product: windows
- category: process_creation
+ product: windows
+ category: process_creation
 detection:
- #useful_information: add more LOLBins to the rules logic of your choice.
- selection1:
- Image|endswith:
- - '\regsvr32'
- - '\rundll32'
- - '\msiexec'
- - '\mshta'
- - '\verclsid'
- selection2:
- ParentImage|endswith: \wbem\WmiPrvSE.exe
- condition: selection1 and selection2
+ #useful_information: add more LOLBins to the rules logic of your choice.
+ selection1:
+ Image|endswith:
+ - '\regsvr32'
+ - '\rundll32'
+ - '\msiexec'
+ - '\mshta'
+ - '\verclsid'
+ selection2:
+ ParentImage|endswith: \wbem\WmiPrvSE.exe
+ condition: all of selection*
 falsepositives:
 - Unknown
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_netsh_fw_add.yml b/rules/windows/process_creation/proc_creation_win_netsh_fw_add.yml
index 770fd31e0..0ef95a3c2 100644
--- a/rules/windows/process_creation/proc_creation_win_netsh_fw_add.yml
+++ b/rules/windows/process_creation/proc_creation_win_netsh_fw_add.yml
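Review bot: The `Image|endswith` values `'\regsvr32'`, `'\rundll32'`, `'\msiexec'`, `'\mshta'` and `'\verclsid'` lack the `.exe` suffix, and a Windows process image path ends in `.exe` (e.g. `C:\Windows\System32\regsvr32.exe`), so `selection1` can never match and the rule is dead — the re-indent and `all of selection*` make it read cleanly without making it fire. Append the extension to each entry (`- '\regsvr32.exe'`, `- '\rundll32.exe'`, and so on), which is also what `ParentImage|endswith: \wbem\WmiPrvSE.exe` in the same hunk does. If the omission was meant to catch renamed copies, `endswith` is the wrong modifier for that anyway; `OriginalFileName` is the usual field for renamed-binary coverage and would deserve a second selection rather than a loosened `Image` match.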
@@ -4,28 +4,28 @@ status: test description: Allow Incoming Connections by Port or Application on Windows Firewall author: Markus Neis, Sander Wiebing references: - - https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN) - - https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf + - https://attack.mitre.org/software/S0246/ (Lazarus HARDRAIN) + - https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf date: 2019/01/29 modified: 2022/02/10 logsource: - category: process_creation - product: windows + category: process_creation + product: windows detection: - selection1: - Image|endswith: '\netsh.exe' - selection2: - CommandLine|contains|all: - - 'firewall' - - 'add' - filter_dropbox: - CommandLine|contains: - - '\netsh.exe advfirewall firewall add rule name=Dropbox dir=in action=allow "program=C:\Program Files (x86)\Dropbox\Client\Dropbox.exe" enable=yes profile=Any' - - '\netsh.exe advfirewall firewall add rule name=Dropbox dir=in action=allow "program=C:\Program Files\Dropbox\Client\Dropbox.exe" enable=yes profile=Any' - condition: selection1 and selection2 and not 1 of filter_* + selection1: + Image|endswith: '\netsh.exe' + selection2: + CommandLine|contains|all: + - 'firewall' + - 'add' + filter_dropbox: + CommandLine|contains: + - '\netsh.exe advfirewall firewall add rule name=Dropbox dir=in action=allow "program=C:\Program Files (x86)\Dropbox\Client\Dropbox.exe" enable=yes profile=Any' + - '\netsh.exe advfirewall firewall add rule name=Dropbox dir=in action=allow "program=C:\Program Files\Dropbox\Client\Dropbox.exe" enable=yes profile=Any' + condition: all of selection* and not 1 of filter_* falsepositives: - - Legitimate administration + - Legitimate administration level: medium tags: - - attack.defense_evasion - - attack.t1562.004 + - attack.defense_evasion + - attack.t1562.004 
diff --git a/rules/windows/process_creation/proc_creation_win_non_priv_reg_or_ps.yml b/rules/windows/process_creation/proc_creation_win_non_priv_reg_or_ps.yml index 05a1a7959..4c57137d4 100644 --- a/rules/windows/process_creation/proc_creation_win_non_priv_reg_or_ps.yml +++ b/rules/windows/process_creation/proc_creation_win_non_priv_reg_or_ps.yml 
@@ -4,43 +4,43 @@ status: test
 description: Search for usage of reg or Powershell by non-priveleged users to modify service configuration in registry
 author: Teymur Kheirkhabarov (idea), Ryan Plas (rule), oscd.community
 references:
- - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-20-638.jpg
+ - https://image.slidesharecdn.com/kheirkhabarovoffzonefinal-181117201458/95/hunting-for-privilege-escalation-in-windows-environment-20-638.jpg
 date: 2020/10/05
 modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- integrity_level:
- IntegrityLevel: 'Medium'
- reg:
- CommandLine|contains|all:
- - 'reg'
- - 'add'
- powershell_1:
- CommandLine|contains: 'powershell'
- powershell_2:
- CommandLine|contains:
- - 'set-itemproperty'
- - ' sp '
- - 'new-itemproperty'
- registry_folder:
- CommandLine|contains|all:
- - 'ControlSet'
- - 'Services'
- registry_key:
- CommandLine|contains:
- - 'ImagePath'
- - 'FailureCommand'
- - 'ServiceDLL'
- condition: integrity_level and (reg or powershell_1 and powershell_2) and registry_folder and registry_key
+ integrity_level:
+ IntegrityLevel: 'Medium'
+ reg:
+ CommandLine|contains|all:
+ - 'reg'
+ - 'add'
+ powershell_1:
+ CommandLine|contains: 'powershell'
+ powershell_2:
+ CommandLine|contains:
+ - 'set-itemproperty'
+ - ' sp '
+ - 'new-itemproperty'
+ registry_folder:
+ CommandLine|contains|all:
+ - 'ControlSet'
+ - 'Services'
+ registry_key:
+ CommandLine|contains:
+ - 'ImagePath'
+ - 'FailureCommand'
+ - 'ServiceDLL'
+ condition: integrity_level and (reg or powershell_1 and powershell_2) and registry_folder and registry_key
 fields:
- - EventID
- - IntegrityLevel
- - CommandLine
+ - EventID
+ - IntegrityLevel
+ - CommandLine
 falsepositives:
- - Unknown
+ - Unknown
 level: high
 tags:
- - attack.defense_evasion
- - attack.t1112
+ - attack.defense_evasion
+ - attack.t1112
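Review bot: The condition `integrity_level and (reg or powershell_1 and powershell_2) and registry_folder and registry_key` relies on `and` binding tighter than `or` inside the parentheses; Sigma does define that precedence, so it evaluates as intended (`reg or (powershell_1 and powershell_2)`), but the mixed operators read ambiguously and are easy to mis-edit. Make the grouping explicit: `condition: integrity_level and (reg or (powershell_1 and powershell_2)) and registry_folder and registry_key`. Since the file is being touched anyway, the unchanged description line above has a typo, `non-priveleged` → `non-privileged`. Note that `IntegrityLevel: 'Medium'` is the only thing distinguishing this from ordinary admin activity; a `# Medium = non-elevated; High/System excluded on purpose` comment next to it would make that design choice survive the next refactor.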
diff --git a/rules/windows/process_creation/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml b/rules/windows/process_creation/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml index 96d8792a5..103a6a5e5 100644 --- a/rules/windows/process_creation/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml +++ b/rules/windows/process_creation/proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml @@ -13,7 +13,7 @@ tags: - attack.defense_evasion status: experimental date: 2021/08/23 -modified: 2022/06/02 +modified: 2022/07/07 logsource: product: windows category: process_creation @@ -39,7 +39,7 @@ detection: - 'process' - 'create' - 'call' - condition: selection1 and selection2 and selection3 and selection4 + condition: all of selection* falsepositives: - Unknown level: high diff --git a/rules/windows/process_creation/proc_creation_win_office_spawning_wmi_commandline.yml b/rules/windows/process_creation/proc_creation_win_office_spawning_wmi_commandline.yml index 20230c4d5..2f89ec208 100644 --- a/rules/windows/process_creation/proc_creation_win_office_spawning_wmi_commandline.yml +++ b/rules/windows/process_creation/proc_creation_win_office_spawning_wmi_commandline.yml 
@@ -15,23 +15,23 @@ status: experimental
 date: 2021/08/23
 modified: 2022/06/16
 logsource:
- product: windows
- category: process_creation
+ product: windows
+ category: process_creation
 detection:
- #useful_information: Add more office applications to the rule logic of choice
- selection1:
- - Image|endswith: '\wbem\WMIC.exe'
- - CommandLine|contains: 'wmic '
- selection2:
- ParentImage|endswith:
- - '\winword.exe'
- - '\excel.exe'
- - '\powerpnt.exe'
- - '\msaccess.exe'
- - '\mspub.exe'
- - '\eqnedt32.exe'
- - '\visio.exe'
- condition: selection1 and selection2
+ #useful_information: Add more office applications to the rule logic of choice
+ selection1:
+ - Image|endswith: '\wbem\WMIC.exe'
+ - CommandLine|contains: 'wmic '
+ selection2:
+ ParentImage|endswith:
+ - '\winword.exe'
+ - '\excel.exe'
+ - '\powerpnt.exe'
+ - '\msaccess.exe'
+ - '\mspub.exe'
+ - '\eqnedt32.exe'
+ - '\visio.exe'
+ condition: all of selection*
 falsepositives:
-- Unknown
+ - Unknown
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_amsi_bypass.yml b/rules/windows/process_creation/proc_creation_win_powershell_amsi_bypass.yml
index f030d7aad..5a12f4b7d 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_amsi_bypass.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_amsi_bypass.yml
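Review bot: The condition is rewritten to `all of selection*` but `modified: 2022/06/16` is left as is, whereas the same rewrite in the regsvr32_payload2, powershell_b64_shellcode and susp_registration_via_cscript hunks bumps `modified` to 2022/07/07; the same omission appears in the powershell_amsi_bypass, powersploit_empire_schtasks, renamed_paexec, schtasks_reg_loader, susp_ps_appdata, susp_rundll32_sys and task_folder_evasion hunks. Consumers that track rule changes by the `modified` field will miss these logic edits, so either bump it everywhere a condition changed or document that the rewrite is considered non-functional. As a point of style, the retained comment has no space after the hash; yamllint's `comments` rule wants `# useful_information: Add more office applications to the rule logic of choice`.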
@@ -4,22 +4,22 @@ status: test
 description: Detects Request to amsiInitFailed that can be used to disable AMSI Scanning
 author: Markus Neis
 references:
- - https://twitter.com/mattifestation/status/735261176745988096
- - https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120
+ - https://twitter.com/mattifestation/status/735261176745988096
+ - https://www.hybrid-analysis.com/sample/0ced17419e01663a0cd836c9c2eb925e3031ffb5b18ccf35f4dea5d586d0203e?environmentId=120
 date: 2018/08/17
 modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection1:
- CommandLine|contains: 'System.Management.Automation.AmsiUtils'
- selection2:
- CommandLine|contains: 'amsiInitFailed'
- condition: selection1 and selection2
+ selection1:
+ CommandLine|contains: 'System.Management.Automation.AmsiUtils'
+ selection2:
+ CommandLine|contains: 'amsiInitFailed'
+ condition: all of selection*
 falsepositives:
- - Potential Admin Activity
+ - Potential Admin Activity
 level: high
 tags:
- - attack.defense_evasion
- - attack.t1562.001
+ - attack.defense_evasion
+ - attack.t1562.001
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_b64_shellcode.yml b/rules/windows/process_creation/proc_creation_win_powershell_b64_shellcode.yml
index 8739907d3..4638777a1 100644
--- a/rules/windows/process_creation/proc_creation_win_powershell_b64_shellcode.yml
+++ b/rules/windows/process_creation/proc_creation_win_powershell_b64_shellcode.yml
@@ -4,23 +4,23 @@ status: stable
 description: Detects Base64 encoded Shellcode
 author: Florian Roth
 references:
- - https://twitter.com/cyb3rops/status/1063072865992523776
+ - https://twitter.com/cyb3rops/status/1063072865992523776
 date: 2018/11/17
-modified: 2021/11/27
+modified: 2022/07/07
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection1:
- CommandLine|contains: 'AAAAYInlM'
- selection2:
- CommandLine|contains:
- - 'OiCAAAAYInlM'
- - 'OiJAAAAYInlM'
- condition: selection1 and selection2
+ selection1:
+ CommandLine|contains: 'AAAAYInlM'
+ selection2:
+ CommandLine|contains:
+ - 'OiCAAAAYInlM'
+ - 'OiJAAAAYInlM'
+ condition: all of selection*
 falsepositives:
- - Unknown
+ - Unknown
 level: critical
 tags:
- - attack.defense_evasion
- - attack.t1027
+ - attack.defense_evasion
+ - attack.t1027
diff --git a/rules/windows/process_creation/proc_creation_win_powersploit_empire_schtasks.yml b/rules/windows/process_creation/proc_creation_win_powersploit_empire_schtasks.yml
index 4b13c0cca..7646b72bf 100644
--- a/rules/windows/process_creation/proc_creation_win_powersploit_empire_schtasks.yml
+++ b/rules/windows/process_creation/proc_creation_win_powersploit_empire_schtasks.yml
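Review bot: `selection1`'s string `'AAAAYInlM'` is a substring of both `selection2` values, so `all of selection*` is equivalent to `selection2` alone and `selection1` never constrains the match. If the shorter pattern was meant as a standalone indicator the intended condition would be `1 of selection*`; if not, `selection1` can be dropped and `selection2` renamed `selection`, which also saves a redundant scan of every command line. I cannot tell the author's intent from the diff, so a one-line comment above `selection1` stating which reading is correct would be worth adding either way.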
@@ -4,43 +4,43 @@ status: test
 description: Detects the creation of a schtask via PowerSploit or Empire Default Configuration.
 author: Markus Neis, @Karneades
 references:
- - https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1
- - https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/persistence/userland/schtasks.py
- - https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/persistence/elevated/schtasks.py
+ - https://github.com/0xdeadbeefJERKY/PowerSploit/blob/8690399ef70d2cad10213575ac67e8fa90ddf7c3/Persistence/Persistence.psm1
+ - https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/persistence/userland/schtasks.py
+ - https://github.com/EmpireProject/Empire/blob/master/lib/modules/powershell/persistence/elevated/schtasks.py
 date: 2018/03/06
 modified: 2021/11/27
 logsource:
- product: windows
- category: process_creation
+ product: windows
+ category: process_creation
 detection:
- selection1:
- ParentImage|endswith: '\powershell.exe'
- Image|endswith: '\schtasks.exe'
- CommandLine|contains|all:
- - '/Create'
- - '/SC'
- selection2:
- CommandLine|contains:
- - 'ONLOGON'
- - 'DAILY'
- - 'ONIDLE'
- - 'Updater'
- CommandLine|contains|all:
- - '/TN'
- - 'Updater'
- - '/TR'
- - 'powershell'
- condition: selection1 and selection2
+ selection1:
+ ParentImage|endswith: '\powershell.exe'
+ Image|endswith: '\schtasks.exe'
+ CommandLine|contains|all:
+ - '/Create'
+ - '/SC'
+ selection2:
+ CommandLine|contains:
+ - 'ONLOGON'
+ - 'DAILY'
+ - 'ONIDLE'
+ - 'Updater'
+ CommandLine|contains|all:
+ - '/TN'
+ - 'Updater'
+ - '/TR'
+ - 'powershell'
+ condition: all of selection*
 falsepositives:
- - False positives are possible, depends on organisation and processes
+ - False positives are possible, depends on organisation and processes
 level: high
 tags:
- - attack.execution
- - attack.persistence
- - attack.privilege_escalation
- - attack.s0111
- - attack.g0022
- - attack.g0060
- - car.2013-08-001
- - attack.t1053.005
- - attack.t1059.001
+ - attack.execution
+ - attack.persistence
+ - attack.privilege_escalation
+ - attack.s0111
+ - attack.g0022
+ - attack.g0060
+ - car.2013-08-001
+ - attack.t1053.005
+ - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml b/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml
index 49b5972b0..3f069617e 100644
--- a/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml
+++ b/rules/windows/process_creation/proc_creation_win_renamed_paexec.yml
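Review bot: Within `selection2` the two `CommandLine` keys are ANDed, and the `|contains|all` list already requires `'Updater'`, which is also one of the alternatives in the plain `|contains` list; that first list is therefore always satisfied whenever the second matches and contributes nothing to the detection. If the schedule keywords (`ONLOGON`, `DAILY`, `ONIDLE`) were meant to be required in addition to `/TN`/`/TR`/`powershell`, `'Updater'` should be removed from the first list; if not, the first list can be deleted outright. A short comment above `selection2` recording which reading is intended would stop the next maintainer from re-deriving this.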
@@ -4,35 +4,35 @@ status: test
 description: Detects execution of renamed paexec via imphash and executable product string
 author: Jason Lynch
 references:
- - sha256=01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc
- - https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf
+ - sha256=01a461ad68d11b5b5096f45eb54df9ba62c5af413fa9eb544eacb598373a26bc
+ - https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf
 date: 2019/04/17
 modified: 2022/03/04
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection1:
- Product|contains: 'PAExec'
- selection2:
- - Imphash:
- - 11D40A7B7876288F919AB819CC2D9802
- - 6444f8a34e99b8f7d9647de66aabe516
- - dfd6aa3f7b2b1035b76b718f1ddc689f
- - 1a6cca4d5460b1710a12dea39e4a592c
- - Hashes|contains:
- - IMPHASH=11D40A7B7876288F919AB819CC2D9802
- - IMPHASH=6444f8a34e99b8f7d9647de66aabe516
- - IMPHASH=dfd6aa3f7b2b1035b76b718f1ddc689f
- - IMPHASH=1a6cca4d5460b1710a12dea39e4a592c
- filter1:
- Image|contains: 'paexec'
- condition: (selection1 and selection2) and not filter1
+ selection1:
+ Product|contains: 'PAExec'
+ selection2:
+ - Imphash:
+ - 11D40A7B7876288F919AB819CC2D9802
+ - 6444f8a34e99b8f7d9647de66aabe516
+ - dfd6aa3f7b2b1035b76b718f1ddc689f
+ - 1a6cca4d5460b1710a12dea39e4a592c
+ - Hashes|contains:
+ - IMPHASH=11D40A7B7876288F919AB819CC2D9802
+ - IMPHASH=6444f8a34e99b8f7d9647de66aabe516
+ - IMPHASH=dfd6aa3f7b2b1035b76b718f1ddc689f
+ - IMPHASH=1a6cca4d5460b1710a12dea39e4a592c
+ filter1:
+ Image|contains: 'paexec'
+ condition: all of selection* and not filter1
 falsepositives:
- - Unknown imphashes
+ - Unknown imphashes
 level: medium
 tags:
- - attack.defense_evasion
- - attack.t1036.003
- - attack.g0046
- - car.2013-05-009
+ - attack.defense_evasion
+ - attack.t1036.003
+ - attack.g0046
+ - car.2013-05-009
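Review bot: The eight hash entries under `Imphash` and `Hashes|contains` are plain unquoted scalars while every other string in this rule is single-quoted; the values shown are safe because each contains a letter, but an imphash that happened to be all digits (or to match a float form such as digits followed by `e` and digits) would be loaded as a number and silently never match, so quoting them like `- '11D40A7B7876288F919AB819CC2D9802'` is the safer style. The same four hashes are also maintained twice, once bare and once with the `IMPHASH=` prefix, and nothing in the file says so. A comment above `selection2` such as `# keep both lists in sync: the bare Imphash field and the IMPHASH= entry of the combined Hashes field` would make an addition to one list without the other visible in review.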
diff --git a/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml b/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml
index 137c87fb9..f909a2d45 100644
--- a/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml
+++ b/rules/windows/process_creation/proc_creation_win_schtasks_reg_loader.yml
@@ -3,33 +3,33 @@ id: c4eeeeae-89f4-43a7-8b48-8d1bdfa66c78
 status: experimental
 description: Detects the creation of a schtask that executes a base64 encoded payload stored in the Windows Registry using PowerShell.
 author: '@Kostastsale, @TheDFIRReport, slightly modified by pH-T'
-references:
- - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
+references:
+ - https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/
 date: 2022/02/12
 modified: 2022/03/15
 logsource:
- product: windows
- category: process_creation
+ product: windows
+ category: process_creation
 detection:
- selection1:
- Image|endswith: '\schtasks.exe'
- CommandLine|contains|all:
- - '/Create'
- - '/SC'
- - 'FromBase64String'
- - 'Get-ItemProperty'
- selection2:
- CommandLine|contains:
- - 'HKCU:'
- - 'HKLM:'
- - 'registry::'
- - 'HKEY_'
- condition: selection1 and selection2
+ selection1:
+ Image|endswith: '\schtasks.exe'
+ CommandLine|contains|all:
+ - '/Create'
+ - '/SC'
+ - 'FromBase64String'
+ - 'Get-ItemProperty'
+ selection2:
+ CommandLine|contains:
+ - 'HKCU:'
+ - 'HKLM:'
+ - 'registry::'
+ - 'HKEY_'
+ condition: all of selection*
 falsepositives:
- - Unknown
+ - Unknown
 level: high
 tags:
- - attack.execution
- - attack.persistence
- - attack.t1053.005
- - attack.t1059.001
+ - attack.execution
+ - attack.persistence
+ - attack.t1053.005
+ - attack.t1059.001
diff --git a/rules/windows/process_creation/proc_creation_win_susp_print.yml b/rules/windows/process_creation/proc_creation_win_susp_print.yml
index 6bfa9327e..d3b538685 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_print.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_print.yml
@@ -4,27 +4,27 @@ status: test
 description: Attackers can use print.exe for remote file copy
 author: 'Furkan CALISKAN, @caliskanfurkan_, @oscd_initiative'
 references:
- - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Print.yml
- - https://twitter.com/Oddvarmoe/status/985518877076541440
+ - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Print.yml
+ - https://twitter.com/Oddvarmoe/status/985518877076541440
 date: 2020/10/05
 modified: 2021/11/27
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection1:
- Image|endswith: \print.exe
- CommandLine|startswith: print
- selection2:
- CommandLine|contains: /D
- exeCondition:
- CommandLine|contains: .exe
- cmdExclude:
- CommandLine|contains: print.exe
- condition: selection1 and selection2 and exeCondition and not cmdExclude
+ selection1:
+ Image|endswith: \print.exe
+ CommandLine|startswith: print
+ selection2:
+ CommandLine|contains: /D
+ exeCondition:
+ CommandLine|contains: .exe
+ cmdExclude:
+ CommandLine|contains: print.exe
+ condition: selection1 and selection2 and exeCondition and not cmdExclude
 falsepositives:
- - Unknown
+ - Unknown
 level: medium
 tags:
- - attack.defense_evasion
- - attack.t1218
+ - attack.defense_evasion
+ - attack.t1218
diff --git a/rules/windows/process_creation/proc_creation_win_susp_ps_appdata.yml b/rules/windows/process_creation/proc_creation_win_susp_ps_appdata.yml
index 1a19bc555..a17f451d9 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_ps_appdata.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_ps_appdata.yml
@@ -26,7 +26,7 @@ detection:
 CommandLine|contains:
 - 'Local\'
 - 'Roaming\'
- condition: selection1 and selection2
+ condition: all of selection*
 falsepositives:
 - Administrative scripts
 level: medium
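Review bot: The string values in this rule (`\print.exe`, `print`, `/D`, `.exe`, `print.exe`) stay as plain scalars while every other rule touched in this commit single-quotes its strings; they parse correctly today, but `'\print.exe'` and friends would match the repository style and protect against a future value that YAML types differently. The selection names `exeCondition` and `cmdExclude` likewise break the `selectionN`/`filterN` convention the sibling hunks rely on, which is also why this file could not take the `all of selection*` rewrite; renaming them `selection3` and `filter1` would let it. Finally, `cmdExclude` drops every event whose command line spells out `print.exe`, so the rule only covers invocations that omit the extension — if that is deliberate (to keep `exeCondition` from matching the binary's own name), a comment above `cmdExclude` saying so would spare reviewers the question, and if not, a tighter way to distinguish the copied file from the binary name should be considered.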
diff --git a/rules/windows/process_creation/proc_creation_win_susp_registration_via_cscript.yml b/rules/windows/process_creation/proc_creation_win_susp_registration_via_cscript.yml
index 12487b092..2d83bb6af 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_registration_via_cscript.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_registration_via_cscript.yml
@@ -4,9 +4,10 @@ description: Detects when the registration of a VSS/VDS Provider as a COM+ appli
 status: experimental
 author: Austin Songer @austinsonger
 date: 2021/11/05
+modified: 2022/07/07
 references:
-- https://twitter.com/sblmsrsn/status/1456613494783160325?s=20
-- https://ss64.com/vb/cscript.html
+ - https://twitter.com/sblmsrsn/status/1456613494783160325?s=20
+ - https://ss64.com/vb/cscript.html
 logsource:
 category: process_creation
 product: windows
@@ -19,14 +20,13 @@ detection:
 - '\Windows Kits\10\bin\10.0.22000.0\x64'
 - '\Windows Kits\10\bin\10.0.19041.0\x64'
 - '\Windows Kits\10\bin\10.0.17763.0\x64'
- condition:
- selection1 and selection2
+ condition: all of selection*
 fields:
 - CommandLine
 - ParentCommandLine
-tags:
-- attack.defense_evasion
-- attack.t1218
-level: medium
 falsepositives:
-- Unknown
+ - Unknown
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1218
diff --git a/rules/windows/process_creation/proc_creation_win_susp_rundll32_sys.yml b/rules/windows/process_creation/proc_creation_win_susp_rundll32_sys.yml
index a59cfd3c2..c060afcb2 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_rundll32_sys.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_rundll32_sys.yml
@@ -19,7 +19,7 @@ detection:
 CommandLine|contains:
 - '.sys,'
 - '.sys '
- condition: selection1 and selection2
+ condition: all of selection*
 falsepositives:
 - Unknown
 level: high
diff --git a/rules/windows/process_creation/proc_creation_win_task_folder_evasion.yml b/rules/windows/process_creation/proc_creation_win_task_folder_evasion.yml
index 79b05e66a..5d26633e2 100644
--- a/rules/windows/process_creation/proc_creation_win_task_folder_evasion.yml
+++ b/rules/windows/process_creation/proc_creation_win_task_folder_evasion.yml
@@ -27,7 +27,7 @@ detection:
 CommandLine|contains:
 - ' C:\Windows\System32\Tasks\'
 - ' C:\Windows\SysWow64\Tasks\'
- condition: selection1 and selection2
+ condition: all of selection*
 fields:
 - CommandLine
 - ParentProcess