From af99c7578572be0f4d30ca4da7ac25f0eb3ffa74 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sat, 8 Jan 2022 09:17:56 +0100
Subject: [PATCH] Windows Redcannary
---
 .../win_nc_susp_outbound_smtp_connections.yml | 33 +++++++++++++++++++
 .../powershell_ps_enable_psremoting.yml | 23 +++++++++++++
 .../powershell_ps_invoke_command_remote.yml | 25 ++++++++++++++
 .../powershell_ps_invoke_dnsexfiltration.yml | 29 ++++++++++++++++
 .../powershell_ps_remote_session_creation.yml | 26 +++++++++++++++
 .../powershell_ps_send_mailmessage.yml | 26 +++++++++++++++
 .../powershell_ps_upload.yml | 31 +++++++++++++++++
 .../process_creation/win_pc_evil_winrm.yml | 26 +++++++++++++++
 .../windows/process_creation/win_pc_mstsc.yml | 29 ++++++++++++++++
 ...re_bypass_uac_using_silentcleanup_task.yml | 25 ++++++++++++++
 10 files changed, 273 insertions(+)
 create mode 100644 rules/windows/network_connection/win_nc_susp_outbound_smtp_connections.yml
 create mode 100644 rules/windows/powershell/powershell_script/powershell_ps_enable_psremoting.yml
 create mode 100644 rules/windows/powershell/powershell_script/powershell_ps_invoke_command_remote.yml
 create mode 100644 rules/windows/powershell/powershell_script/powershell_ps_invoke_dnsexfiltration.yml
 create mode 100644 rules/windows/powershell/powershell_script/powershell_ps_remote_session_creation.yml
 create mode 100644 rules/windows/powershell/powershell_script/powershell_ps_send_mailmessage.yml
 create mode 100644 rules/windows/powershell/powershell_script/powershell_ps_upload.yml
 create mode 100644 rules/windows/process_creation/win_pc_evil_winrm.yml
 create mode 100644 rules/windows/process_creation/win_pc_mstsc.yml
 create mode 100644 rules/windows/registry_event/win_re_bypass_uac_using_silentcleanup_task.yml
diff --git a/rules/windows/network_connection/win_nc_susp_outbound_smtp_connections.yml b/rules/windows/network_connection/win_nc_susp_outbound_smtp_connections.yml
new file mode 100644
index 000000000..35e9261d0
--- /dev/null
+++ b/rules/windows/network_connection/win_nc_susp_outbound_smtp_connections.yml
@@ -0,0 +1,33 @@
+title: Suspicious Outbound SMTP Connections
+id: 9976fa64-2804-423c-8a5b-646ade840773
+status: experimental
+description: |
+ Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
+ The data may also be sent to an alternate network location from the main command and control server.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp
+ - https://www.ietf.org/rfc/rfc2821.txt
+author: frack113
+date: 2022/01/07
+logsource:
+ category: network_connection
+ product: windows
+detection:
+ selection:
+ DestinationPort:
+ - 25
+ - 587
+ - 465
+ - 2525
+ Initiated: 'true'
+ filter:
+ Image|endswith:
+ - \thunderbird.exe
+ - \outlook.exe
+ condition: selection and not filter
+falsepositives:
+ - Other SMTP tools
+level: medium
+tags:
+ - attack.exfiltration
+ - attack.t1048.003
\ No newline at end of file
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_enable_psremoting.yml b/rules/windows/powershell/powershell_script/powershell_ps_enable_psremoting.yml
new file mode 100644
index 000000000..4c96eba71
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/powershell_ps_enable_psremoting.yml
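Review bot: The `filter:` list covers only `\thunderbird.exe` and `\outlook.exe`, so any mail server or relay, monitoring agent or line-of-business application sending notifications through 25/587/465/2525 matches `selection`, and the single falsepositives entry `Other SMTP tools` understates that at `level: medium`. Suggest `- Mail servers, relays and applications that send notification mail` under falsepositives, and a description that states what is matched instead of the MITRE text, e.g. `Detects processes other than the listed mail clients initiating outbound connections to SMTP ports (25, 465, 587, 2525), which may indicate exfiltration over an alternative protocol`. Port 465 (and commonly 587) carries TLS-protected SMTP, so `un-encrypted` in the description does not describe all of the matched traffic. The file ends without a trailing newline (`\ No newline at end of file`), unlike the ps_script rules in this commit; the same applies to win_pc_mstsc.yml and the silentcleanup rule.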
@@ -0,0 +1,23 @@
+title: Enable Windows Remote Management
+id: 991a9744-f2f0-44f2-bd33-9092eba17dc3
+status: experimental
+description: Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md#atomic-test-1---enable-windows-remote-management
+ - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enable-psremoting?view=powershell-7.2
+author: frack113
+date: 2022/01/07
+logsource:
+ product: windows
+ category: ps_script
+ definition: 'Script block logging must be enabled'
+detection:
+ selection_cmdlet:
+ ScriptBlockText|contains: 'Enable-PSRemoting '
+ condition: selection_cmdlet
+falsepositives:
+ - legitim script
+level: medium
+tags:
+ - attack.lateral_movement
+ - attack.t1021.006
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_invoke_command_remote.yml b/rules/windows/powershell/powershell_script/powershell_ps_invoke_command_remote.yml
new file mode 100644
index 000000000..1792069a1
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/powershell_ps_invoke_command_remote.yml
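Review bot: The trailing space in `ScriptBlockText|contains: 'Enable-PSRemoting '` means an invocation that ends the line (a bare `Enable-PSRemoting` with no parameters) is not matched; dropping the space, `ScriptBlockText|contains: 'Enable-PSRemoting'`, still covers the parameterised form. The description is generic T1021.006 text rather than what the rule detects; suggest `Detects the Enable-PSRemoting cmdlet in script block logs, which configures the host to accept WinRM remoting sessions`. `legitim script` under falsepositives should read `Legitimate administrative script`; the same typo is in the invoke_command_remote, dnsexfiltration, send_mailmessage and upload rules of this commit.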
@@ -0,0 +1,25 @@
+title: Execute Invoke-command on Remote Host
+id: 7b836d7f-179c-4ba4-90a7-a7e60afb48e6
+status: experimental
+description: Adversaries may use Valid Accounts to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md#atomic-test-2---invoke-command
+ - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/invoke-command?view=powershell-7.2
+author: frack113
+date: 2022/01/07
+logsource:
+ product: windows
+ category: ps_script
+ definition: 'Script block logging must be enabled'
+detection:
+ selection_cmdlet:
+ ScriptBlockText|contains|all:
+ - 'invoke-command '
+ - ' -ComputerName '
+ condition: selection_cmdlet
+falsepositives:
+ - legitim script
+level: medium
+tags:
+ - attack.lateral_movement
+ - attack.t1021.006
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_invoke_dnsexfiltration.yml b/rules/windows/powershell/powershell_script/powershell_ps_invoke_dnsexfiltration.yml
new file mode 100644
index 000000000..feeebdf19
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/powershell_ps_invoke_dnsexfiltration.yml
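Review bot: `'invoke-command '` matches only the full cmdlet name, while the referenced Microsoft page documents `icm` as its alias, so script blocks using the alias with `-ComputerName` fall outside the rule even though the title claims remote Invoke-Command coverage. Because both values sit under `contains|all`, the alias cannot simply be appended; splitting the cmdlet names into their own selection and keeping the parameter in a second one, joined with `all of selection_*`, keeps the current matches and adds the alias. The description is generic T1021.006 text; suggest `Detects Invoke-Command (or its alias icm) used with -ComputerName in script block logs, i.e. command execution on a remote host over WinRM`.
```yaml
# … unchanged: title, id, status, description, references, author, date, logsource …
detection:
  selection_cmdlet:
    ScriptBlockText|contains:
      - 'invoke-command '
      - 'icm '
  selection_param:
    ScriptBlockText|contains: ' -ComputerName '
  condition: all of selection_*
# … unchanged: falsepositives, level, tags …
```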
@@ -0,0 +1,29 @@
+title: Powershell DNSExfiltration
+id: d59d7842-9a21-4bc6-ba98-64bfe0091355
+status: experimental
+description: DNSExfiltrator allows for transfering (exfiltrate) a file over a DNS request covert channel
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048/T1048.md#atomic-test-3---dnsexfiltration-doh
+ - https://github.com/Arno0x/DNSExfiltrator
+author: frack113
+date: 2022/01/07
+logsource:
+ product: windows
+ category: ps_script
+ definition: 'Script block logging must be enabled'
+detection:
+ selection_cmdlet:
+ - ScriptBlockText|contains: Invoke-DNSExfiltrator
+ - ScriptBlockText|contains|all:
+ - ' -i '
+ - ' -d '
+ - ' -p '
+ - ' -doh '
+ - ' -t '
+ condition: selection_cmdlet
+falsepositives:
+ - legitim script
+level: medium
+tags:
+ - attack.exfiltration
+ - attack.t1048
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_remote_session_creation.yml b/rules/windows/powershell/powershell_script/powershell_ps_remote_session_creation.yml
new file mode 100644
index 000000000..b02503043
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/powershell_ps_remote_session_creation.yml
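Review bot: The second entry of `selection_cmdlet` is OR'ed with the first and matches any script block that carries the five switches ` -i `, ` -d `, ` -p `, ` -doh ` and ` -t ` whatever the cmdlet is, but neither the selection name nor the description (which only names DNSExfiltrator) says so; suggest a description such as `Detects the Invoke-DNSExfiltrator cmdlet, or its characteristic parameter combination, in script block logs`. `transfering` should be `transferring`, and the title should spell `PowerShell` as the other rules in this commit do.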
@@ -0,0 +1,26 @@
+title: PowerShell Remote Session Creation
+id: a0edd39f-a0c6-4c17-8141-261f958e8d8f
+status: experimental
+description: |
+ Adversaries may abuse PowerShell commands and scripts for execution.
+ PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1059.001/T1059.001.md#atomic-test-10---powershell-invoke-downloadcradle
+ - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/new-pssession?view=powershell-7.2
+author: frack113
+date: 2022/01/06
+logsource:
+ product: windows
+ category: ps_script
+detection:
+ selection:
+ ScriptBlockText|contains|all:
+ - New-PSSession
+ - '-ComputerName '
+ condition: selection
+falsepositives:
+ - legitimate administrative script
+level: medium
+tags:
+ - attack.execution
+ - attack.t1059.001
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_send_mailmessage.yml b/rules/windows/powershell/powershell_script/powershell_ps_send_mailmessage.yml
new file mode 100644
index 000000000..1fad40afd
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/powershell_ps_send_mailmessage.yml
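Review bot: The tags `attack.execution` / `attack.t1059.001` and the generic PowerShell description do not match what `selection` detects: `New-PSSession` with `-ComputerName` opens a WinRM remoting session to another host, the same lateral-movement behaviour the invoke_command_remote rule in this commit files under `attack.lateral_movement` / `attack.t1021.006`, so the two rules should agree or this one should document why it stays under execution. The referenced anchor `#atomic-test-10---powershell-invoke-downloadcradle` appears to point at a download-cradle test rather than a remote-session one; worth verifying. This rule is also the only ps_script rule in the commit without `definition: 'Script block logging must be enabled'` under `logsource`.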
@@ -0,0 +1,26 @@
+title: Powershell Exfiltration Over SMTP
+id: 9a7afa56-4762-43eb-807d-c3dc9ffe211b
+status: experimental
+description: |
+ Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel.
+ The data may also be sent to an alternate network location from the main command and control server.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1048.003/T1048.003.md#atomic-test-5---exfiltration-over-alternative-protocol---smtp
+ - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/send-mailmessage?view=powershell-7.2
+ - https://www.ietf.org/rfc/rfc2821.txt
+author: frack113
+date: 2022/01/07
+logsource:
+ product: windows
+ category: ps_script
+ definition: 'Script block logging must be enabled'
+detection:
+ selection_cmdlet:
+ ScriptBlockText|contains: Send-MailMessage
+ condition: selection_cmdlet
+falsepositives:
+ - legitim script
+level: medium
+tags:
+ - attack.exfiltration
+ - attack.t1048.003
diff --git a/rules/windows/powershell/powershell_script/powershell_ps_upload.yml b/rules/windows/powershell/powershell_script/powershell_ps_upload.yml
new file mode 100644
index 000000000..414698930
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/powershell_ps_upload.yml
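Review bot: `ScriptBlockText|contains: Send-MailMessage` fires on every script block that mentions the cmdlet, including the notification code of ordinary administration and monitoring scripts, so `legitim script` under falsepositives understates the noise for a `level: medium` rule; suggest `- Legitimate administrative scripts sending notification mail`. The description is the same MITRE paragraph as the network_connection rule and does not say what is matched; suggest `Detects use of the Send-MailMessage cmdlet in script block logs, which can carry files out of the environment over SMTP`. If the referenced atomic test attaches a file (not visible here), requiring an attachment parameter alongside the cmdlet name would narrow the rule to that exfiltration case and could be noted as a tuning option.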
@@ -0,0 +1,31 @@
+title: Windows PowerShell Upload Web Request
+id: d2e3f2f6-7e09-4bf2-bc5d-90186809e7fb
+status: experimental
+description: Detects the use of various web request POST or PUT methods (including aliases) via Windows PowerShell command
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1020/T1020.md
+ - https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
+ - https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-webrequest?view=powershell-7.2
+author: frack113
+date: 2022/01/07
+logsource:
+ product: windows
+ category: ps_script
+ definition: 'Script block logging must be enabled'
+detection:
+ selection_cmdlet:
+ ScriptBlockText|contains:
+ - 'Invoke-WebRequest'
+ - 'iwr '
+ selection_method:
+ ScriptBlockText|contains: '-Method '
+ selection_verb:
+ - ' Put '
+ - ' Post '
+ condition: all of selection_*
+falsepositives:
+ - legitim script
+level: medium
+tags:
+ - attack.exfiltration
+ - attack.t1020
diff --git a/rules/windows/process_creation/win_pc_evil_winrm.yml b/rules/windows/process_creation/win_pc_evil_winrm.yml
new file mode 100644
index 000000000..eeb76a86e
--- /dev/null
+++ b/rules/windows/process_creation/win_pc_evil_winrm.yml
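Review bot: `selection_verb` is a bare list of strings, which Sigma treats as a keyword search over the whole event rather than a `ScriptBlockText` match like the other two selections; insert `ScriptBlockText|contains:` under `selection_verb:` and indent `- ' Put '` / `- ' Post '` beneath it so all three selections are field matches. The surrounding spaces in `' Put '` / `' Post '` also mean `-Method Post` at the end of a line, or a quoted or colon-joined method argument, is not matched; either drop the trailing space or note the limitation in the description. The description says `including aliases`, but only `iwr ` is listed; Windows PowerShell 5.1 also defines `curl` and `wget` as aliases of Invoke-WebRequest, and `Invoke-RestMethod`/`irm` take the same `-Method` parameter, so either add them or narrow the description to what is covered.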
@@ -0,0 +1,26 @@
+title: WinRM Access with Evil-WinRM
+id: a197e378-d31b-41c0-9635-cfdf1c1bb423
+status: experimental
+description: Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
+author: frack113
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md#atomic-test-3---winrm-access-with-evil-winrm
+ - https://github.com/Hackplayers/evil-winrm
+date: 2022/01/07
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_mstsc:
+ Image|endswith: \ruby.exe
+ CommandLine|contains|all:
+ - '-i '
+ - '-u '
+ - '-p '
+ condition: 1 of selection_*
+falsepositives:
+ - Unknow
+level: medium
+tags:
+ - attack.lateral_movement
+ - attack.t1021.006
diff --git a/rules/windows/process_creation/win_pc_mstsc.yml b/rules/windows/process_creation/win_pc_mstsc.yml
new file mode 100644
index 000000000..385f05ceb
--- /dev/null
+++ b/rules/windows/process_creation/win_pc_mstsc.yml
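Review bot: The description was copied from the mstsc rule and talks about RDP, while this selection matches `\ruby.exe` with the `-i`, `-u` and `-p` switches of Evil-WinRM, a WinRM client; suggest `Detects the command-line pattern of the Evil-WinRM tool (ruby.exe with -i, -u and -p), used for WinRM-based lateral movement with valid credentials`. The selection is named `selection_mstsc` for the same copy-paste reason and `condition: 1 of selection_*` covers only that one selection; `selection_evilwinrm` with `condition: selection_evilwinrm` reads correctly. Three single-letter switches on any Ruby interpreter invocation are a loose signature, so `Unknow` under falsepositives should be corrected and at least name `- Other Ruby scripts run with -i, -u and -p switches`.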
@@ -0,0 +1,29 @@
+title: Remote Desktop Protocol Use Mstsc
+id: 954f0af7-62dd-418f-b3df-a84bc2c7a774
+status: experimental
+description: Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
+author: frack113
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.001/T1021.001.md#t1021001---remote-desktop-protocol
+ - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc
+date: 2022/01/07
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_mstsc:
+ Image|endswith: \mstsc.exe
+ CommandLine|contains: ' /v:'
+ selection_cmdkey:
+ Image|endswith: \cmdkey.exe
+ CommandLine|contains|all:
+ - '/generic:'
+ - '/user:'
+ - '/pass:'
+ condition: 1 of selection_*
+falsepositives:
+ - Unknow
+level: medium
+tags:
+ - attack.lateral_movement
+ - attack.t1021.001
\ No newline at end of file
diff --git a/rules/windows/registry_event/win_re_bypass_uac_using_silentcleanup_task.yml b/rules/windows/registry_event/win_re_bypass_uac_using_silentcleanup_task.yml
new file mode 100644
index 000000000..c594a194c
--- /dev/null
+++ b/rules/windows/registry_event/win_re_bypass_uac_using_silentcleanup_task.yml
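Review bot: `mstsc.exe` with ` /v:` and `cmdkey.exe` with `/generic:`, `/user:` and `/pass:` are everyday administrator commands, so `Unknow` under falsepositives is wrong in spelling and in substance; suggest `- Legitimate administrative use of mstsc and cmdkey` and a description that says the rule keys on command-line RDP and credential-store usage instead of the MITRE paragraph. Because the two selections are OR'ed by `1 of selection_*`, the cmdkey branch also fires on any stored generic credential unrelated to RDP; if the intent is the cmdkey-then-mstsc chain of the referenced atomic test, narrowing the cmdkey target (RDP credentials are stored under `/generic:TERMSRV/`) or documenting the broader scope would make the rule's purpose clear — hedged, since the test's exact command line is not visible here. The file ends without a trailing newline.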
@@ -0,0 +1,25 @@
+title: Bypass UAC Using SilentCleanup Task
+id: 724ea201-6514-4f38-9739-e5973c34f49a
+description: There is an auto-elevated task called SilentCleanup located in %windir%\system32\cleanmgr.exe This can be abused to elevate any file with Administrator privileges without prompting UAC
+author: frack113
+date: 2022/01/06
+status: experimental
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md#atomic-test-9---bypass-uac-using-silentcleanup-task
+ - https://www.reddit.com/r/hacking/comments/ajtrws/bypassing_highest_uac_level_windows_810/
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection:
+ TargetObject|endswith: '\Environment\windir'
+ Details|contains: '&REM'
+ EventType: SetValue
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
+tags:
+ - attack.privilege_escalation
+ - attack.defense_evasion
+ - attack.t1548.002
\ No newline at end of file
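Review bot: `Details|contains: '&REM'` pins the match to the exact value written by the referenced atomic test, while the abuse only needs a per-user `windir` value to exist under the user's `Environment` key — something with no legitimate use — so the clause lowers coverage without lowering noise. Consider making `TargetObject|endswith: '\Environment\windir'` with `EventType: SetValue` the primary selection, restricted to user hives with `TargetObject|startswith: 'HKU\'` because the machine-wide `Session Manager\Environment\windir` value also appears to end that way, and keeping the `&REM` variant as a second, higher-confidence selection if wanted. The description needs a sentence break before `This` and misplaces the task: SilentCleanup is the scheduled task `\Microsoft\Windows\DiskCleanup\SilentCleanup`, which launches `%windir%\system32\cleanmgr.exe`, which is why the `windir` expansion matters. The file ends without a trailing newline.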