Merge branch 'master' into msdt-rules

2022-06-13 22:55:40 +02:00
parent 0e0f44fc0c 2a4e6d8ebe
commit afce3ffcae
51 changed files with 144 additions and 137 deletions
@@ -12,18 +12,19 @@ tags:
    - attack.t1202
 author: frack113
 date: 2021/11/03
+modified: 2022/06/12
 logsource:
    category: process_creation
    product: windows
 detection:
-    cmdl32:
+    selection_img:
        - Image|endswith: '\cmdl32.exe'
        - OriginalFileName: CMDL32.EXE
-    options:
+    selection_cli:
        CommandLine|contains|all:
            - '/vpn '
            - '/lan '
-    condition: cmdl32 and options
+    condition: all of selection*
 falsepositives:
    - Unknown
 level: medium
@@ -5,7 +5,7 @@ description: Detects the execution of Xwizard tool from the non-default director
 references:
    - https://lolbas-project.github.io/lolbas/Binaries/Xwizard/
    - http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
-author: Christian Burkard 
+author: Christian Burkard
 date: 2021/09/20
 tags:
    - attack.defense_evasion
@@ -0,0 +1,29 @@
+title: DLL Execution via Rasautou.exe
+id: cd3d1298-eb3b-476c-ac67-12847de55813
+status: test
+description: Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p.
+author: Julia Fomina, oscd.community
+references:
+    - https://lolbas-project.github.io/lolbas/Binaries/Rasautou/
+    - https://github.com/fireeye/DueDLLigence
+    - https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html
+date: 2020/10/09
+logsource:
+    product: windows
+    category: process_creation
+    definition: Since options '-d' and '-p' were removed in Windows 10 this rule is relevant only for Windows before 10. And as Windows 7 doesn't log command line in 4688 by default, to detect this attack you need Sysmon 1 configured or KB3004375 installed for command-line auditing (https://support.microsoft.com/en-au/help/3004375/microsoft-security-advisory-update-to-improve-windows-command-line-aud)
+detection:
+    selection_img:
+        - Image|endswith: '\rasautou.exe'
+        - OriginalFileName: 'rasdlui.exe'
+    selection_cli:
+        CommandLine|contains|all:
+            - ' -d '
+            - ' -p '
+    condition: all of selection*
+falsepositives:
+    - Unlikely
+level: medium
+tags:
+    - attack.defense_evasion
+    - attack.t1218
@@ -4,19 +4,19 @@ status: experimental
 description: An attacker may execute an application as a SCR File using rundll32.exe desk.cpl,InstallScreenSaver
 author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io, TactiKoolSec'
 references:
-  - https://lolbas-project.github.io/lolbas/Libraries/Desk/ 
+    - https://lolbas-project.github.io/lolbas/Libraries/Desk/
 date: 2022/04/28
 logsource:
-  category: process_creation
-  product: windows
+    category: process_creation
+    product: windows
 detection:
-  selection:
-    Image|endswith: '\rundll32.exe'
-    CommandLine|contains: 'InstallScreenSaver'
-  condition: selection
+    selection:
+        Image|endswith: '\rundll32.exe'
+        CommandLine|contains: 'InstallScreenSaver'
+    condition: selection
 falsepositives:
-  - Legitimate installation of a new screensaver
+    - Legitimate installation of a new screensaver
 level: medium
 tags:
-  - attack.t1218.011
-  - attack.defense_evasion
+    - attack.t1218.011
+    - attack.defense_evasion
@@ -15,8 +15,8 @@ logsource:
    product: windows
 detection:
    selection_img:
-        Image|endswith: '\AccCheckConsole.exe'
-        OriginalFileName: 'AccCheckConsole.exe'
+        - Image|endswith: '\AccCheckConsole.exe'
+        - OriginalFileName: 'AccCheckConsole.exe'
    selection_cli:
        CommandLine|contains|all:
            - ' -window '
@@ -4,20 +4,23 @@ status: experimental
 description: Detects a suspicious certreq execution taken from the LOLBAS examples, which can be abused to download (small) files
 author: Christian Burkard
 date: 2021/11/24
+modified: 2022/06/13
 references:
    - https://lolbas-project.github.io/lolbas/Binaries/Certreq/
 logsource:
    category: process_creation
    product: windows
 detection:
-    selection:
-        Image|endswith: '\certreq.exe'
+    selection_img:
+        - Image|endswith: '\certreq.exe'
+        - OriginalFileName: 'CertReq.exe'
+    selection_cli:
        CommandLine|contains|all:
            - ' -Post '
            - ' -config '
            - ' http'
            - ' C:\windows\win.ini '
-    condition: selection
+    condition: all of selection*
 fields:
    - CommandLine
    - ParentCommandLine
@@ -0,0 +1,31 @@
+title: Windows Defender Download Activity
+id: 46123129-1024-423e-9fae-43af4a0fa9a5
+status: test
+description: Detect the use of Windows Defender to download payloads
+author: Matthew Matchen
+references:
+    - https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866
+    - https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/
+date: 2020/09/04
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection1:
+        - CommandLine|contains: 'MpCmdRun.exe'
+        - Description: 'Microsoft Malware Protection Command Line Utility'
+    selection2:
+        CommandLine|contains|all:
+            - 'DownloadFile'
+            - 'url'
+    condition: selection1 and selection2
+fields:
+    - CommandLine
+falsepositives:
+    - Unknown
+level: high
+tags:
+    - attack.defense_evasion
+    - attack.t1218
+    - attack.command_and_control
+    - attack.t1105
@@ -21,7 +21,7 @@ detection:
    selection:
        Image|endswith: '\SyncAppvPublishingServer.exe'
        CommandLine|contains: '"n; '
-    condition: selection 
+    condition: selection
 fields:
    - ComputerName
    - User
@@ -1,7 +1,7 @@
 title: MSDT Executed with Suspicious Parent
 id: 7a74da6b-ea76-47db-92cc-874ad90df734
 status: experimental
-description: Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190
+description: Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation
 author: Nextron Systems
 references:
  - https://twitter.com/nao_sec/status/1530196847679401984
@@ -1,31 +0,0 @@
-title: DLL Execution via Rasautou.exe
-id: cd3d1298-eb3b-476c-ac67-12847de55813
-status: test
-description: Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p.
-author: Julia Fomina, oscd.community
-references:
-  - https://lolbas-project.github.io/lolbas/Binaries/Rasautou/
-  - https://github.com/fireeye/DueDLLigence
-  - https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html
-date: 2020/10/09
-modified: 2021/11/27
-logsource:
-  product: windows
-  category: process_creation
-  definition: Since options '-d' and '-p' were removed in Windows 10 this rule is relevant only for Windows before 10. And as Windows 7 doesn't log command line in 4688 by default, to detect this attack you need Sysmon 1 configured or KB3004375 installed for command-line auditing (https://support.microsoft.com/en-au/help/3004375/microsoft-security-advisory-update-to-improve-windows-command-line-aud)
-detection:
-  use_rasautou:
-    Image|endswith: '\rasautou.exe'
-  remaned_rasautou:
-    OriginalFileName: 'rasdlui.exe'
-  special_keys:
-    CommandLine|contains|all:
-      - '-d'
-      - '-p'
-  condition: (use_rasautou or remaned_rasautou) and special_keys
-falsepositives:
-  - Unlikely
-level: medium
-tags:
-  - attack.defense_evasion
-  - attack.t1218
@@ -1,7 +1,7 @@
 title: Sdiagnhost Calling Suspicious Child Process
 id: f3d39c45-de1a-4486-a687-ab126124f744
 status: experimental
-description: Detects sdiagnhost.exe calling a suspicious child process
+description: Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)
 author: Nextron Systems
 references:
  - https://twitter.com/nao_sec/status/1530196847679401984
@@ -1,32 +0,0 @@
-title: Windows Defender Download Activity
-id: 46123129-1024-423e-9fae-43af4a0fa9a5
-status: test
-description: Detect the use of Windows Defender to download payloads
-author: Matthew Matchen
-references:
-  - https://twitter.com/djmtshepana/status/1301608169496612866
-  - https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/
-date: 2020/09/04
-modified: 2021/11/27
-logsource:
-  category: process_creation
-  product: windows
-detection:
-  selection1:
-    - CommandLine|contains: 'MpCmdRun.exe'
-    - Description: 'Microsoft Malware Protection Command Line Utility'
-  selection2:
-    CommandLine|contains|all:
-      - 'DownloadFile'
-      - 'url'
-  condition: selection1 and selection2
-fields:
-  - CommandLine
-falsepositives:
-  - Unknown
-level: high
-tags:
-  - attack.defense_evasion
-  - attack.t1218
-  - attack.command_and_control
-  - attack.t1105
@@ -16,7 +16,7 @@ logsource:
    product: windows
 detection:
    selection:
-        CommandLine|contains|all: 
+        CommandLine|contains|all:
            - ' /account=system '
            - '/exec='
    condition: selection
@@ -1,27 +1,25 @@
-title: UAC Bypass WSReset
-id: 89a9a0e0-f61a-42e5-8957-b1479565a658
-description: Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config
-author: Christian Burkard
-date: 2021/08/23
-status: experimental
+title: Bypass UAC via WSReset.exe
+id: d797268e-28a9-49a7-b9a8-2f5039011c5c
+status: test
+description: Identifies use of WSReset.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
+author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community
 references:
-    - https://lolbas-project.github.io/lolbas/Binaries/Wsreset/
-    - https://github.com/hfiref0x/UACME
-    - https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf
-tags:
-    - attack.defense_evasion
-    - attack.privilege_escalation
-    - attack.t1548.002
+  - https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html
+date: 2019/10/24
+modified: 2022/05/13
 logsource:
-    category: process_creation
-    product: windows
+  category: process_creation
+  product: windows
 detection:
-    selection:
-        Image|endswith: '\wsreset.exe'
-        IntegrityLevel:
-          - 'High'
-          - 'System'
-    condition: selection
+  selection:
+    ParentImage|endswith: '\wsreset.exe'
+  filter:
+    - Image|endswith: '\conhost.exe'
+    - OriginalFileName: 'CONHOST.EXE'
+  condition: selection and not filter
 falsepositives:
-    - Unknown
+  - Unknown
 level: high
+tags:
+  - attack.privilege_escalation
+  - attack.t1548.002
@@ -0,0 +1,27 @@
+title: UAC Bypass WSReset
+id: 89a9a0e0-f61a-42e5-8957-b1479565a658
+description: Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config
+author: Christian Burkard
+date: 2021/08/23
+status: experimental
+references:
+    - https://lolbas-project.github.io/lolbas/Binaries/Wsreset/
+    - https://github.com/hfiref0x/UACME
+    - https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf
+tags:
+    - attack.defense_evasion
+    - attack.privilege_escalation
+    - attack.t1548.002
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection:
+        Image|endswith: '\wsreset.exe'
+        IntegrityLevel:
+          - 'High'
+          - 'System'
+    condition: selection
+falsepositives:
+    - Unknown
+level: high
@@ -1,25 +0,0 @@
-title: Bypass UAC via WSReset.exe
-id: d797268e-28a9-49a7-b9a8-2f5039011c5c
-status: test
-description: Identifies use of WSReset.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
-author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community
-references:
-  - https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html
-date: 2019/10/24
-modified: 2022/05/13
-logsource:
-  category: process_creation
-  product: windows
-detection:
-  selection:
-    ParentImage|endswith: '\wsreset.exe'
-  filter:
-    - Image|endswith: '\conhost.exe'
-    - OriginalFileName: 'CONHOST.EXE'
-  condition: selection and not filter
-falsepositives:
-  - Unknown
-level: high
-tags:
-  - attack.privilege_escalation
-  - attack.t1548.002
@@ -11,7 +11,7 @@ references:
    - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
    - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 date: 2019/10/25
-modified: 2022/03/26
+modified: 2022/06/10
 logsource:
    category: registry_set
    product: windows
@@ -53,10 +53,13 @@ detection:
            - '\Outlook\Addins\UCAddin.UCAddin.1'
            - '\Outlook\Addins\UmOutlookAddin.FormRegionAddin\'
    filter_officeclicktorun:
-        Image|startswith: 
+        Image|startswith:
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
            - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
        Image|endswith: '\OfficeClickToRun.exe'
+    filter_avg:
+            Image: 'C:\Program Files\AVG\Antivirus\RegSvr.exe'
+            TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\'
    condition: office and office_details and not 1 of filter_*
 fields:
    - SecurityID
@@ -21,4 +21,4 @@ falsepositives:
 level: high
 tags:
  - attack.command_and_control
-  - attack.t1105 
+  - attack.t1105
@@ -7,7 +7,7 @@ references:
    - https://vanmieghem.io/stealth-outlook-persistence/
 author: Bhabesh Raj
 date: 2021/01/10
-modified: 2022/03/26
+modified: 2022/06/10
 logsource:
    category: registry_set
    product: windows
@@ -30,6 +30,9 @@ detection:
            - '\winword.exe'
            - '\integrator.exe'
            - '\OfficeClickToRun.exe'
+    filter_avg:
+        Image: 'C:\Program Files\AVG\Antivirus\RegSvr.exe'
+        TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\'
    condition: selection and not 1 of filter_*
 falsepositives:
  - Legitimate Addin Installation