diff --git a/rules/windows/process_creation/proc_creation_win_lobas_aspnet_compiler.yml b/rules/windows/process_creation/proc_creation_win_lolbin_aspnet_compiler.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_lobas_aspnet_compiler.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_aspnet_compiler.yml
diff --git a/rules/windows/process_creation/proc_creation_win_lobas_bash.yml b/rules/windows/process_creation/proc_creation_win_lolbin_bash.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_lobas_bash.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_bash.yml
diff --git a/rules/windows/process_creation/proc_creation_win_certoc_download.yml b/rules/windows/process_creation/proc_creation_win_lolbin_certoc_download.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_certoc_download.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_certoc_download.yml
diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_cl_loadassembly.yml b/rules/windows/process_creation/proc_creation_win_lolbin_cl_loadassembly.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_lolbas_cl_loadassembly.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_cl_loadassembly.yml
diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_cl_mutexverifiers.yml b/rules/windows/process_creation/proc_creation_win_lolbin_cl_mutexverifiers.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_lolbas_cl_mutexverifiers.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_cl_mutexverifiers.yml
diff --git a/rules/windows/process_creation/proc_creation_win_class_exec_xwizard.yml b/rules/windows/process_creation/proc_creation_win_lolbin_class_exec_xwizard.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_class_exec_xwizard.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_class_exec_xwizard.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_cmdl32_lolbas.yml b/rules/windows/process_creation/proc_creation_win_lolbin_cmdl32.yml
similarity index 88%
rename from rules/windows/process_creation/proc_creation_win_susp_cmdl32_lolbas.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_cmdl32.yml
index 829567483..813f33779 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_cmdl32_lolbas.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_cmdl32.yml
@@ -12,18 +12,19 @@ tags:
 - attack.t1202
 author: frack113
 date: 2021/11/03
+modified: 2022/06/12
 logsource:
 category: process_creation
 product: windows
 detection:
- cmdl32:
+ selection_img:
 - Image|endswith: '\cmdl32.exe'
 - OriginalFileName: CMDL32.EXE
- options:
+ selection_cli:
 CommandLine|contains|all:
 - '/vpn '
 - '/lan '
- condition: cmdl32 and options
+ condition: all of selection*
 falsepositives:
 - Unknown
 level: medium
diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_configsecuritypolicy.yml b/rules/windows/process_creation/proc_creation_win_lolbin_configsecuritypolicy.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_lolbas_configsecuritypolicy.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_configsecuritypolicy.yml
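Review bot: `OriginalFileName: CMDL32.EXE` in `selection_img` is the only unquoted string value among the rules reworked in this commit; the siblings quote theirs (`'CertReq.exe'`, `'AccCheckConsole.exe'`, `'rasdlui.exe'`), so `- OriginalFileName: 'CMDL32.EXE'` would keep the style uniform. The `selection_cli` terms `'/vpn '` and `'/lan '` carry a trailing space, so a command line that ends with one of these switches is not matched; that is pre-existing and presumably intended because a value follows the switch, but a one-line comment on the selection saying so would save the next reader the question. The rule header and the start of the `tags` block lie above the hunk.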
diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_data_exfiltration_by_using_datasvcutil.yml b/rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_lolbas_data_exfiltration_by_using_datasvcutil.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_data_exfiltration_by_using_datasvcutil.yml
diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_diantz_ads.yml b/rules/windows/process_creation/proc_creation_win_lolbin_diantz_ads.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_lolbas_diantz_ads.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_diantz_ads.yml
diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_diantz_remote_cab.yml b/rules/windows/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_lolbas_diantz_remote_cab.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_diantz_remote_cab.yml
diff --git a/rules/windows/process_creation/proc_creation_win_dll_sideload_xwizard.yml b/rules/windows/process_creation/proc_creation_win_lolbin_dll_sideload_xwizard.yml
similarity index 96%
rename from rules/windows/process_creation/proc_creation_win_dll_sideload_xwizard.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_dll_sideload_xwizard.yml
index a9102fa15..ba9184b1c 100644
--- a/rules/windows/process_creation/proc_creation_win_dll_sideload_xwizard.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_dll_sideload_xwizard.yml
@@ -5,7 +5,7 @@ description: Detects the execution of Xwizard tool from the non-default director
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Xwizard/
 - http://www.hexacorn.com/blog/2017/07/31/the-wizard-of-x-oppa-plugx-style/
-author: Christian Burkard
+author: Christian Burkard
 date: 2021/09/20
 tags:
 - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_win_lolbas_dump64.yml b/rules/windows/process_creation/proc_creation_win_lolbin_dump64.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_win_lolbas_dump64.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_dump64.yml
diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_extexport.yml b/rules/windows/process_creation/proc_creation_win_lolbin_extexport.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_lolbas_extexport.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_extexport.yml
diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_extrac32.yml b/rules/windows/process_creation/proc_creation_win_lolbin_extrac32.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_lolbas_extrac32.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_extrac32.yml
diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_extrac32_ads.yml b/rules/windows/process_creation/proc_creation_win_lolbin_extrac32_ads.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_lolbas_extrac32_ads.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_extrac32_ads.yml
diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_ieexec_download.yml b/rules/windows/process_creation/proc_creation_win_lolbin_ieexec_download.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_lolbas_ieexec_download.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_ieexec_download.yml
diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_offlinescannershell.yml b/rules/windows/process_creation/proc_creation_win_lolbin_offlinescannershell.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_lolbas_offlinescannershell.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_offlinescannershell.yml
diff --git a/rules/windows/process_creation/proc_creation_win_indirect_cmd_compatibility_assistant.yml b/rules/windows/process_creation/proc_creation_win_lolbin_pcwrun.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_indirect_cmd_compatibility_assistant.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_pcwrun.yml
diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_pubprn.yml b/rules/windows/process_creation/proc_creation_win_lolbin_pubprn.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_lolbas_pubprn.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_pubprn.yml
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml b/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml
new file mode 100644
index 000000000..927e8485d
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_rasautou_dll_execution.yml
@@ -0,0 +1,29 @@
+title: DLL Execution via Rasautou.exe
+id: cd3d1298-eb3b-476c-ac67-12847de55813
+status: test
+description: Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p.
+author: Julia Fomina, oscd.community
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/Rasautou/
+ - https://github.com/fireeye/DueDLLigence
+ - https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html
+date: 2020/10/09
+logsource:
+ product: windows
+ category: process_creation
+ definition: Since options '-d' and '-p' were removed in Windows 10 this rule is relevant only for Windows before 10. And as Windows 7 doesn't log command line in 4688 by default, to detect this attack you need Sysmon 1 configured or KB3004375 installed for command-line auditing (https://support.microsoft.com/en-au/help/3004375/microsoft-security-advisory-update-to-improve-windows-command-line-aud)
+detection:
+ selection_img:
+ - Image|endswith: '\rasautou.exe'
+ - OriginalFileName: 'rasdlui.exe'
+ selection_cli:
+ CommandLine|contains|all:
+ - ' -d '
+ - ' -p '
+ condition: all of selection*
+falsepositives:
+ - Unlikely
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1218
diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_replace.yml b/rules/windows/process_creation/proc_creation_win_lolbin_replace.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_lolbas_replace.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_replace.yml
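Review bot: The `modified` field is missing from the re-created rule although its detection logic changed: the file this content replaces (deleted further down in this diff as `proc_creation_win_rasautou_dll_execution.yml`) carried `modified: 2021/11/27`, and the new version turns the `'-d'`/`'-p'` terms into `' -d '`/`' -p '` and restructures the selections, so `modified` should be bumped to the date of this change rather than dropped. The same applies to the re-created `proc_creation_win_lolbin_susp_mpcmdrun_download.yml` below, which also lost `modified: 2021/11/27` while its first reference URL changed. The padded terms also mean a command line that ends in `-d` or `-p` with nothing after it no longer matches, which is presumably intended since both switches take a value per the description.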
diff --git a/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml b/rules/windows/process_creation/proc_creation_win_lolbin_rundll32_installscreensaver.yml
similarity index 52%
rename from rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_rundll32_installscreensaver.yml
index e3b36653f..c49116aa4 100644
--- a/rules/windows/process_creation/proc_creation_win_rundll32_installscreensaver.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_rundll32_installscreensaver.yml
@@ -4,19 +4,19 @@ status: experimental
 description: An attacker may execute an application as a SCR File using rundll32.exe desk.cpl,InstallScreenSaver
 author: 'Christopher Peacock @securepeacock, SCYTHE @scythe_io, TactiKoolSec'
 references:
- - https://lolbas-project.github.io/lolbas/Libraries/Desk/
+ - https://lolbas-project.github.io/lolbas/Libraries/Desk/
 date: 2022/04/28
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- Image|endswith: '\rundll32.exe'
- CommandLine|contains: 'InstallScreenSaver'
- condition: selection
+ selection:
+ Image|endswith: '\rundll32.exe'
+ CommandLine|contains: 'InstallScreenSaver'
+ condition: selection
 falsepositives:
- - Legitimate installation of a new screensaver
+ - Legitimate installation of a new screensaver
 level: medium
 tags:
- - attack.t1218.011
- - attack.defense_evasion
+ - attack.t1218.011
+ - attack.defense_evasion
diff --git a/rules/windows/process_creation/proc_creation_win_susp_acccheckconsole.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml
similarity index 87%
rename from rules/windows/process_creation/proc_creation_win_susp_acccheckconsole.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml
index 4d363511c..693a98743 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_acccheckconsole.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_susp_acccheckconsole.yml
@@ -15,8 +15,8 @@ logsource:
 product: windows
 detection:
 selection_img:
- Image|endswith: '\AccCheckConsole.exe'
- OriginalFileName: 'AccCheckConsole.exe'
+ - Image|endswith: '\AccCheckConsole.exe'
+ - OriginalFileName: 'AccCheckConsole.exe'
 selection_cli:
 CommandLine|contains|all:
 - ' -window '
diff --git a/rules/windows/process_creation/proc_creation_win_susp_atbroker.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_atbroker.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_atbroker.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_susp_atbroker.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_certreq_download.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_certreq_download.yml
similarity index 80%
rename from rules/windows/process_creation/proc_creation_win_susp_certreq_download.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_susp_certreq_download.yml
index 202947360..1cd31bf1e 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_certreq_download.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_susp_certreq_download.yml
@@ -4,20 +4,23 @@ status: experimental
 description: Detects a suspicious certreq execution taken from the LOLBAS examples, which can be abused to download (small) files
 author: Christian Burkard
 date: 2021/11/24
+modified: 2022/06/13
 references:
 - https://lolbas-project.github.io/lolbas/Binaries/Certreq/
 logsource:
 category: process_creation
 product: windows
 detection:
- selection:
- Image|endswith: '\certreq.exe'
+ selection_img:
+ - Image|endswith: '\certreq.exe'
+ - OriginalFileName: 'CertReq.exe'
+ selection_cli:
 CommandLine|contains|all:
 - ' -Post '
 - ' -config '
 - ' http'
 - ' C:\windows\win.ini '
- condition: selection
+ condition: all of selection*
 fields:
 - CommandLine
 - ParentCommandLine
diff --git a/rules/windows/process_creation/proc_creation_win_lolbins_susp_driver_installed_by_pnputil.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_lolbins_susp_driver_installed_by_pnputil.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_susp_driver_installed_by_pnputil.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_dxcap.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_dxcap.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_dxcap.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_susp_dxcap.yml
diff --git a/rules/windows/process_creation/proc_creation_win_lolbins_susp_grpconv.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_grpconv.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_lolbins_susp_grpconv.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_susp_grpconv.yml
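Review bot: `selection_cli` still requires the literal term `' C:\windows\win.ini '`, so even after the `OriginalFileName` alternative is added the rule only fires on the exact LOLBAS example and a `-Post -config` invocation naming any other file is missed; the commit broadens the image side but not the payload side. Either drop that term (after checking the false-positive impact of the remaining three) or state in `description` that only the published example is covered, e.g. `description: Detects the certreq -Post -config example from LOLBAS (win.ini upload); other files are not covered`. The rule's tail (`falsepositives`, `level`, `tags`) lies below the hunk.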
diff --git a/rules/windows/process_creation/proc_creation_win_lolbin_susp_mpcmdrun_download.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_mpcmdrun_download.yml
new file mode 100644
index 000000000..0b180c0dc
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_susp_mpcmdrun_download.yml
@@ -0,0 +1,31 @@
+title: Windows Defender Download Activity
+id: 46123129-1024-423e-9fae-43af4a0fa9a5
+status: test
+description: Detect the use of Windows Defender to download payloads
+author: Matthew Matchen
+references:
+ - https://web.archive.org/web/20200903194959/https://twitter.com/djmtshepana/status/1301608169496612866
+ - https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/
+date: 2020/09/04
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ - CommandLine|contains: 'MpCmdRun.exe'
+ - Description: 'Microsoft Malware Protection Command Line Utility'
+ selection2:
+ CommandLine|contains|all:
+ - 'DownloadFile'
+ - 'url'
+ condition: selection1 and selection2
+fields:
+ - CommandLine
+falsepositives:
+ - Unknown
+level: high
+tags:
+ - attack.defense_evasion
+ - attack.t1218
+ - attack.command_and_control
+ - attack.t1105
diff --git a/rules/windows/process_creation/proc_creation_win_susp_sqldumper_activity.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_sqldumper_activity.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_susp_sqldumper_activity.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_wsl_lolbin.yml b/rules/windows/process_creation/proc_creation_win_lolbin_susp_wsl.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_susp_wsl_lolbin.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_susp_wsl.yml
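Review bot: `selection1` identifies the binary only through `CommandLine|contains: 'MpCmdRun.exe'` or the `Description` field, whereas the other rules reworked in this commit (certreq, rasautou, AccCheckConsole) use a `selection_img` built from `Image|endswith` and `OriginalFileName`; adding `- Image|endswith: '\MpCmdRun.exe'` as a third alternative keeps the rule in step with them and still matches when the command line does not spell out the `.exe` name. The `modified: 2021/11/27` field from the deleted original is also missing here although the first reference was changed to the web.archive.org copy, so it should be bumped rather than removed.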
diff --git a/rules/windows/process_creation/proc_creation_win_syncappvpublishingserver_execute_powershell.yml b/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml
similarity index 97%
rename from rules/windows/process_creation/proc_creation_win_syncappvpublishingserver_execute_powershell.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml
index 53a1dd165..f87c89905 100644
--- a/rules/windows/process_creation/proc_creation_win_syncappvpublishingserver_execute_powershell.yml
+++ b/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_execute_psh.yml
@@ -21,7 +21,7 @@ detection:
 selection:
 Image|endswith: '\SyncAppvPublishingServer.exe'
 CommandLine|contains: '"n; '
- condition: selection
+ condition: selection
 fields:
 - ComputerName
 - User
diff --git a/rules/windows/process_creation/proc_creation_win_syncappvpublishingserver_vbs_execute_powershell.yml b/rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_syncappvpublishingserver_vbs_execute_powershell.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_syncappvpublishingserver_vbs_execute_psh.yml
diff --git a/rules/windows/process_creation/proc_creation_win_tttracer_mod_load.yml b/rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_tttracer_mod_load.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_tttracer_mod_load.yml
diff --git a/rules/windows/process_creation/proc_creation_win_lolbas_utilityfunctions.yml b/rules/windows/process_creation/proc_creation_win_lolbin_utilityfunctions.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_lolbas_utilityfunctions.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_utilityfunctions.yml
diff --git a/rules/windows/process_creation/proc_creation_win_visual_basic_compiler.yml b/rules/windows/process_creation/proc_creation_win_lolbin_visual_basic_compiler.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_visual_basic_compiler.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_visual_basic_compiler.yml
diff --git a/rules/windows/process_creation/proc_creation_win_winword_lolbin.yml b/rules/windows/process_creation/proc_creation_win_lolbin_winword.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_winword_lolbin.yml
rename to rules/windows/process_creation/proc_creation_win_lolbin_winword.yml
diff --git a/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml b/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml
index f014392af..2f9db68c3 100644
--- a/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml
+++ b/rules/windows/process_creation/proc_creation_win_msdt_susp_parent.yml
@@ -1,7 +1,7 @@
 title: MSDT Executed with Suspicious Parent
 id: 7a74da6b-ea76-47db-92cc-874ad90df734
 status: experimental
-description: Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190
+description: Detects msdt.exe executed by a suspicious parent as seen in CVE-2022-30190 / Follina exploitation
 author: Nextron Systems
 references:
 - https://twitter.com/nao_sec/status/1530196847679401984
diff --git a/rules/windows/process_creation/proc_creation_win_rasautou_dll_execution.yml b/rules/windows/process_creation/proc_creation_win_rasautou_dll_execution.yml
deleted file mode 100644
index 3dc9e1ad2..000000000
--- a/rules/windows/process_creation/proc_creation_win_rasautou_dll_execution.yml
+++ /dev/null
@@ -1,31 +0,0 @@
-title: DLL Execution via Rasautou.exe
-id: cd3d1298-eb3b-476c-ac67-12847de55813
-status: test
-description: Detects using Rasautou.exe for loading arbitrary .DLL specified in -d option and executes the export specified in -p.
-author: Julia Fomina, oscd.community
-references:
- - https://lolbas-project.github.io/lolbas/Binaries/Rasautou/
- - https://github.com/fireeye/DueDLLigence
- - https://www.fireeye.com/blog/threat-research/2019/10/staying-hidden-on-the-endpoint-evading-detection-with-shellcode.html
-date: 2020/10/09
-modified: 2021/11/27
-logsource:
- product: windows
- category: process_creation
- definition: Since options '-d' and '-p' were removed in Windows 10 this rule is relevant only for Windows before 10. And as Windows 7 doesn't log command line in 4688 by default, to detect this attack you need Sysmon 1 configured or KB3004375 installed for command-line auditing (https://support.microsoft.com/en-au/help/3004375/microsoft-security-advisory-update-to-improve-windows-command-line-aud)
-detection:
- use_rasautou:
- Image|endswith: '\rasautou.exe'
- remaned_rasautou:
- OriginalFileName: 'rasdlui.exe'
- special_keys:
- CommandLine|contains|all:
- - '-d'
- - '-p'
- condition: (use_rasautou or remaned_rasautou) and special_keys
-falsepositives:
- - Unlikely
-level: medium
-tags:
- - attack.defense_evasion
- - attack.t1218
diff --git a/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml b/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml
index 4aead43f5..5cc19de91 100644
--- a/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml
+++ b/rules/windows/process_creation/proc_creation_win_sdiagnhost_susp_child.yml
@@ -1,7 +1,7 @@
 title: Sdiagnhost Calling Suspicious Child Process
 id: f3d39c45-de1a-4486-a687-ab126124f744
 status: experimental
-description: Detects sdiagnhost.exe calling a suspicious child process
+description: Detects sdiagnhost.exe calling a suspicious child process (e.g. used in exploits for Follina / CVE-2022-30190)
 author: Nextron Systems
 references:
 - https://twitter.com/nao_sec/status/1530196847679401984
diff --git a/rules/windows/process_creation/proc_creation_win_susp_mpcmdrun_download.yml b/rules/windows/process_creation/proc_creation_win_susp_mpcmdrun_download.yml
deleted file mode 100644
index f5a0eb93f..000000000
--- a/rules/windows/process_creation/proc_creation_win_susp_mpcmdrun_download.yml
+++ /dev/null
@@ -1,32 +0,0 @@
-title: Windows Defender Download Activity
-id: 46123129-1024-423e-9fae-43af4a0fa9a5
-status: test
-description: Detect the use of Windows Defender to download payloads
-author: Matthew Matchen
-references:
- - https://twitter.com/djmtshepana/status/1301608169496612866
- - https://lolbas-project.github.io/lolbas/Binaries/MpCmdRun/
-date: 2020/09/04
-modified: 2021/11/27
-logsource:
- category: process_creation
- product: windows
-detection:
- selection1:
- - CommandLine|contains: 'MpCmdRun.exe'
- - Description: 'Microsoft Malware Protection Command Line Utility'
- selection2:
- CommandLine|contains|all:
- - 'DownloadFile'
- - 'url'
- condition: selection1 and selection2
-fields:
- - CommandLine
-falsepositives:
- - Unknown
-level: high
-tags:
- - attack.defense_evasion
- - attack.t1218
- - attack.command_and_control
- - attack.t1105
diff --git a/rules/windows/process_creation/proc_creation_win_tool_runx_as_system.yml b/rules/windows/process_creation/proc_creation_win_tool_runx_as_system.yml
index 75eae1053..ea0ad60e7 100644
--- a/rules/windows/process_creation/proc_creation_win_tool_runx_as_system.yml
+++ b/rules/windows/process_creation/proc_creation_win_tool_runx_as_system.yml
@@ -16,7 +16,7 @@ logsource:
 product: windows
 detection:
 selection:
- CommandLine|contains|all:
+ CommandLine|contains|all:
 - ' /account=system '
 - '/exec='
 condition: selection
diff --git a/rules/windows/process_creation/proc_creation_win_uac_cmstp.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_uac_cmstp.yml
rename to rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml
diff --git a/rules/windows/process_creation/proc_creation_win_uac_fodhelper.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_fodhelper.yml
similarity index 100%
rename from rules/windows/process_creation/proc_creation_win_uac_fodhelper.yml
rename to rules/windows/process_creation/proc_creation_win_uac_bypass_fodhelper.yml
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml
index 8e4707a93..9cec27839 100644
--- a/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset.yml
@@ -1,27 +1,25 @@
-title: UAC Bypass WSReset
-id: 89a9a0e0-f61a-42e5-8957-b1479565a658
-description: Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config
-author: Christian Burkard
-date: 2021/08/23
-status: experimental
+title: Bypass UAC via WSReset.exe
+id: d797268e-28a9-49a7-b9a8-2f5039011c5c
+status: test
+description: Identifies use of WSReset.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
+author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community
 references:
- - https://lolbas-project.github.io/lolbas/Binaries/Wsreset/
- - https://github.com/hfiref0x/UACME
- - https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf
-tags:
- - attack.defense_evasion
- - attack.privilege_escalation
- - attack.t1548.002
+ - https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html
+date: 2019/10/24
+modified: 2022/05/13
 logsource:
- category: process_creation
- product: windows
+ category: process_creation
+ product: windows
 detection:
- selection:
- Image|endswith: '\wsreset.exe'
- IntegrityLevel:
- - 'High'
- - 'System'
- condition: selection
+ selection:
+ ParentImage|endswith: '\wsreset.exe'
+ filter:
+ - Image|endswith: '\conhost.exe'
+ - OriginalFileName: 'CONHOST.EXE'
+ condition: selection and not filter
 falsepositives:
- - Unknown
+ - Unknown
 level: high
+tags:
+ - attack.privilege_escalation
+ - attack.t1548.002
diff --git a/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml b/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml
new file mode 100644
index 000000000..8e4707a93
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_uac_bypass_wsreset_integrity_level.yml
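Review bot: The `tags` block of the new content lists only `attack.privilege_escalation` and `attack.t1548.002`, whereas the content it replaces and the sibling `proc_creation_win_uac_bypass_wsreset_integrity_level.yml` added right below also carry `attack.defense_evasion`; T1548.002 belongs to both tactics, so `  - attack.defense_evasion` should be added to the list. `falsepositives: Unknown` is also thin for a rule that alerts on every child process of wsreset.exe other than conhost.exe; if the author knows of benign children, they belong there, and if none are known a short sentence saying the parent normally spawns nothing else would justify `level: high` better.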
@@ -0,0 +1,27 @@
+title: UAC Bypass WSReset
+id: 89a9a0e0-f61a-42e5-8957-b1479565a658
+description: Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config
+author: Christian Burkard
+date: 2021/08/23
+status: experimental
+references:
+ - https://lolbas-project.github.io/lolbas/Binaries/Wsreset/
+ - https://github.com/hfiref0x/UACME
+ - https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf
+tags:
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1548.002
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\wsreset.exe'
+ IntegrityLevel:
+ - 'High'
+ - 'System'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/proc_creation_win_uac_wsreset.yml b/rules/windows/process_creation/proc_creation_win_uac_wsreset.yml
deleted file mode 100644
index 9cec27839..000000000
--- a/rules/windows/process_creation/proc_creation_win_uac_wsreset.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-title: Bypass UAC via WSReset.exe
-id: d797268e-28a9-49a7-b9a8-2f5039011c5c
-status: test
-description: Identifies use of WSReset.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes.
-author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community
-references:
- - https://eqllib.readthedocs.io/en/latest/analytics/532b5ed4-7930-11e9-8f5c-d46d6d62a49e.html
-date: 2019/10/24
-modified: 2022/05/13
-logsource:
- category: process_creation
- product: windows
-detection:
- selection:
- ParentImage|endswith: '\wsreset.exe'
- filter:
- - Image|endswith: '\conhost.exe'
- - OriginalFileName: 'CONHOST.EXE'
- condition: selection and not filter
-falsepositives:
- - Unknown
-level: high
-tags:
- - attack.privilege_escalation
- - attack.t1548.002
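Review bot: `falsepositives: Unknown` undersells what `selection` matches: any `wsreset.exe` process at `High` or `System` integrity, with no parent, command-line or child constraint, so if the binary auto-elevates for administrators (which the bypass presumably relies on) an administrator resetting the Store by hand would trigger it as well; that case belongs under `falsepositives` and may argue for tuning on `ParentImage` before `level: high` is kept. Field order also differs from the sibling rules (`status` after `date`, `tags` before `logsource`), which is only a style point since the content was moved here unchanged from `proc_creation_win_uac_bypass_wsreset.yml`.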
diff --git a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml
index 0ccfbc260..dc54aaaae 100644
--- a/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml
+++ b/rules/windows/registry/registry_set/registry_set_asep_reg_keys_modification_office.yml
@@ -11,7 +11,7 @@ references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 date: 2019/10/25
-modified: 2022/03/26
+modified: 2022/06/10
 logsource:
 category: registry_set
 product: windows
@@ -53,10 +53,13 @@ detection:
 - '\Outlook\Addins\UCAddin.UCAddin.1'
 - '\Outlook\Addins\UmOutlookAddin.FormRegionAddin\'
 filter_officeclicktorun:
- Image|startswith:
+ Image|startswith:
 - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
 - 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\Updates\'
 Image|endswith: '\OfficeClickToRun.exe'
+ filter_avg:
+ Image: 'C:\Program Files\AVG\Antivirus\RegSvr.exe'
+ TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\'
 condition: office and office_details and not 1 of filter_*
 fields:
 - SecurityID
diff --git a/rules/windows/registry/registry_set/registry_set_lolbas_onedrivestandaloneupdater.yml b/rules/windows/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml
similarity index 97%
rename from rules/windows/registry/registry_set/registry_set_lolbas_onedrivestandaloneupdater.yml
rename to rules/windows/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml
index b55d8d8af..24ad1a6f4 100644
--- a/rules/windows/registry/registry_set/registry_set_lolbas_onedrivestandaloneupdater.yml
+++ b/rules/windows/registry/registry_set/registry_set_lolbin_onedrivestandaloneupdater.yml
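Review bot: `filter_avg` in the second hunk exempts the AVG add-in registration only for the exact image path `C:\Program Files\AVG\Antivirus\RegSvr.exe`, so an installation on another drive or under a non-default directory would still alert; if that shows up in practice, `Image|endswith: '\AVG\Antivirus\RegSvr.exe'` is the usual form and still keeps the `TargetObject|contains` constraint that makes the exemption narrow. The same block is added verbatim to `registry_set_office_vsto_persistence.yml` in the last hunk of this diff, so both copies should be kept in step. Since the exemption trusts a file-system path, it holds only as long as that directory stays writable by administrators alone, which is worth a one-line comment next to the filter.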
@@ -21,4 +21,4 @@ falsepositives:
 level: high
 tags:
 - attack.command_and_control
- - attack.t1105
+ - attack.t1105
diff --git a/rules/windows/registry/registry_set/registry_set_office_vsto_persistence.yml b/rules/windows/registry/registry_set/registry_set_office_vsto_persistence.yml
index 9f2d1fe8a..d3c9a0508 100644
--- a/rules/windows/registry/registry_set/registry_set_office_vsto_persistence.yml
+++ b/rules/windows/registry/registry_set/registry_set_office_vsto_persistence.yml
@@ -7,7 +7,7 @@ references:
 - https://vanmieghem.io/stealth-outlook-persistence/
 author: Bhabesh Raj
 date: 2021/01/10
-modified: 2022/03/26
+modified: 2022/06/10
 logsource:
 category: registry_set
 product: windows
@@ -30,6 +30,9 @@ detection:
 - '\winword.exe'
 - '\integrator.exe'
 - '\OfficeClickToRun.exe'
+ filter_avg:
+ Image: 'C:\Program Files\AVG\Antivirus\RegSvr.exe'
+ TargetObject|contains: '\Microsoft\Office\Outlook\Addins\Antivirus.AsOutExt\'
 condition: selection and not 1 of filter_*
 falsepositives:
 - Legitimate Addin Installation