Merge branch 'master' into aurora-false-positive-fixing

This commit is contained in:
Florian Roth
2021-12-21 14:44:55 +01:00
committed by GitHub
27 changed files with 851 additions and 44 deletions
@@ -0,0 +1,19 @@
title: Java Class Proxy Download
id: 53c15703-b04c-42bb-9055-1937ddfb3392
status: experimental
description: Detects Java class download in proxy logs, e.g. used in Log4shell exploitation attacks against Log4j.
references:
- https://www.lunasec.io/docs/blog/log4j-zero-day/
author: Andreas Hunkeler (@Karneades)
date: 2021/12/21
tags:
- attack.initial_access
logsource:
category: proxy
detection:
selection:
c-uri|endswith: '.class'
condition: selection
falsepositives:
- Unknown
level: high
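Review bot: The single `c-uri|endswith: '.class'` selection at `level: high` will also fire on legitimate Java applet / Web Start deployments and on any internal site that serves compiled classes, and it misses requests whose URI carries a query string after the file name, so `falsepositives: - Unknown` undersells the tuning this needs. Consider `c-uri|contains: '.class'` paired with a filter for known-good hosts, or state in the description that the rule is intended for hunting during an active Log4j incident rather than as an always-on high alert. A comment such as `# .class retrievals are rare in proxy logs outside Java-heavy environments; tune falsepositives per site` would make that intent explicit.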
@@ -0,0 +1,36 @@
title: Exploit SamAccountName Spoofing with Kerberos
id: 44bbff3e-4ca3-452d-a49a-6efa4cafa06f
status: experimental
description: |
The attacker creates a computer object using those permissions with a password known to her.
After that she clears the attribute ServicePrincipalName on the computer object.
Because she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.
references:
- https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/?utm_source=Social&utm_medium=post&utm_campaign=log4j
author: frack113
date: 2021/12/15
logsource:
product: windows
service: system
detection:
selection_1:
Provider_Name: Microsoft-Windows-Kerberos-Key-Distribution-Center # Active Directory
EventID:
- 35
- 36
- 37
- 38
selection_2:
Provider_Name: Microsoft-Windows-Directory-Services-SAM # Active Directory
EventID:
- 16990
- 16991
condition: selection_1 or selection_2
fields:
- samAccountName
falsepositives:
- Unknown
level: medium
tags:
- attack.credential_access
- attack.t1558.003
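Review bot: The description starts mid-argument — "using those permissions" refers to nothing in the rule — and never says which event IDs belong to which stage, so an analyst triaging a hit gets no context. Open with the precondition the reference describes (an account allowed to create computer objects) and add that the Kerberos-Key-Distribution-Center events 35–38 are, as far as I know, only emitted by domain controllers that have the corresponding update installed, so on unpatched DCs only `selection_2` can match; confirm that against the reference before stating it. The reference URL also carries a `?utm_source=...&utm_campaign=log4j` tracking suffix that should be stripped.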
@@ -2,9 +2,11 @@ title: Mimikatz Use
id: 06d71506-7beb-4f22-8888-e2e5e2ca7fd8
description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)
status: experimental
author: Florian Roth
author: Florian Roth (rule), David ANDRE (additional keywords)
date: 2017/01/10
modified: 2021/12/01
modified: 2021/12/20
references:
- https://tools.thehacker.recipes/mimikatz/modules
tags:
- attack.s0002
- attack.t1003 # an old one
@@ -20,19 +22,187 @@ logsource:
product: windows
detection:
keywords:
- '\mimikatz'
- 'mimikatz.exe'
- '\mimilib.dll'
- '<3 eo.oe'
- 'crypto::capi'
- 'crypto::certificates'
- 'crypto::certtohw'
- 'crypto::cng'
- 'crypto::extract'
- 'crypto::hash'
- 'crypto::keys'
- 'crypto::providers'
- 'crypto::sc'
- 'crypto::scauth'
- 'crypto::stores'
- 'crypto::system'
- 'crypto::tpminfo'
- 'dpapi::blob'
- 'dpapi::cache'
- 'dpapi::capi'
- 'dpapi::chrome'
- 'dpapi::cloudapkd'
- 'dpapi::cloudapreg'
- 'dpapi::cng'
- 'dpapi::create'
- 'dpapi::cred'
- 'dpapi::credhist'
- 'dpapi::luna'
- 'dpapi::masterkey'
- 'dpapi::protect'
- 'dpapi::ps'
- 'dpapi::rdg'
- 'dpapi::sccm'
- 'dpapi::ssh'
- 'dpapi::tpm'
- 'dpapi::vault'
- 'dpapi::wifi'
- 'dpapi::wwman'
- 'eo.oe.kiwi'
- 'privilege::debug'
- 'sekurlsa::logonpasswords'
- 'lsadump::sam'
- 'mimidrv.sys'
- ' p::d '
- ' s::l '
- 'event::clear'
- 'event::drop'
- 'gentilkiwi.com'
- 'id::modify'
- 'kerberos::ask'
- 'kerberos::clist'
- 'kerberos::golden'
- 'kerberos::hash'
- 'kerberos::list'
- 'kerberos::ptc'
- 'kerberos::ptt'
- 'kerberos::purge'
- 'kerberos::tgt'
- 'Kiwi Legit Printer'
- 'lsadump::backupkeys'
- 'lsadump::cache'
- 'lsadump::changentlm'
- 'lsadump::dcshadow'
- 'lsadump::dcsync'
- 'lsadump::lsa'
- 'lsadump::mbc'
- 'lsadump::netsync'
- 'lsadump::packages'
- 'lsadump::postzerologon'
- 'lsadump::RpData'
- 'lsadump::sam'
- 'lsadump::secrets'
- 'lsadump::setntlm'
- 'lsadump::trust'
- 'lsadump::zerologon'
- 'mimidrv.sys'
- '\mimilib.dll'
- 'misc::aadcookie'
- 'misc::clip'
- 'misc::cmd'
- 'misc::compress'
- 'misc::detours'
- 'misc::efs'
- 'misc::lock'
- 'misc::memssp'
- 'misc::mflt'
- 'misc::ncroutemon'
- 'misc::ngcsign'
- 'misc::printnightmare'
- 'misc::regedit'
- 'misc::sccm'
- 'misc::shadowcopies'
- 'misc::skeleton'
- 'misc::spooler'
- 'misc::taskmgr'
- 'misc::wp'
- 'misc::xor'
- 'net::alias'
- 'net::deleg'
- 'net::group'
- 'net::if'
- 'net::serverinfo'
- 'net::session'
- 'net::share'
- 'net::stats'
- 'net::tod'
- 'net::trust'
- 'net::user'
- 'net::wsession'
- ' p::d '
- 'privilege::backup'
- 'privilege::debug'
- 'privilege::driver'
- 'privilege::id'
- 'privilege::name'
- 'privilege::restore'
- 'privilege::security'
- 'privilege::sysenv'
- 'privilege::tcb'
- 'process::exports'
- 'process::imports'
- 'process::list'
- 'process::resume'
- 'process::run'
- 'process::runp'
- 'process::start'
- 'process::stop'
- 'process::suspend'
- 'rpc::close'
- 'rpc::connect'
- 'rpc::enum'
- 'rpc::server'
- 'sekurlsa::backupkeys'
- 'sekurlsa::bootkey'
- 'sekurlsa::cloudap'
- 'sekurlsa::credman'
- 'sekurlsa::dpapi'
- 'sekurlsa::dpapisystem'
- 'sekurlsa::ekeys'
- 'sekurlsa::kerberos'
- 'sekurlsa::krbtgt'
- 'sekurlsa::livessp'
- 'sekurlsa::logonpasswords'
- 'sekurlsa::minidump'
- 'sekurlsa::msv'
- 'sekurlsa::process'
- 'sekurlsa::pth'
- 'sekurlsa::ssp'
- 'sekurlsa::tickets'
- 'sekurlsa::trust'
- 'sekurlsa::tspkg'
- 'sekurlsa::wdigest'
- 'service::me'
- 'service::preshutdown'
- 'service::remove'
- 'service::resume'
- 'service::shutdown'
- 'service::start'
- 'service::stop'
- 'service::suspend'
- 'sid::add'
- 'sid::clear'
- 'sid::lookup'
- 'sid::modify'
- 'sid::patch'
- 'sid::query'
- ' s::l '
- 'standard::answer'
- 'standard::base64'
- 'standard::cd'
- 'standard::cls'
- 'standard::coffee'
- 'standard::exit'
- 'standard::hostname'
- 'standard::localtime'
- 'standard::log'
- 'standard::sleep'
- 'standard::version'
- 'token::elevate'
- 'token::list'
- 'token::revert'
- 'token::run'
- 'token::whoami'
- 'ts::logonpasswords'
- 'ts::mstsc'
- 'ts::multirdp'
- 'ts::remote'
- 'ts::sessions'
- 'vault::cred'
- 'vault::list'
filter:
EventID: 15 # Sysmon's FileStream Events (could cause false positives when Sigma rules get copied on/to a system)
condition: keywords and not filter
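Review bot: The expanded `keywords` list contains duplicates — `mimidrv.sys`, `\mimilib.dll`, ` p::d `, ` s::l `, `privilege::debug`, `sekurlsa::logonpasswords` and `lsadump::sam` each appear twice (the original entries and again inside the alphabetical insert) — which adds nothing to the match and will be flagged by any uniqueness check; drop the first set of seven. Separately, this rule has `logsource: product: windows` with no service, so every keyword is searched across all Windows event logs, and short generic tokens such as `net::user`, `net::share`, `standard::cd`, `service::start` or `process::list` are far less specific than the original `mimikatz` strings and may hit on other software that logs `::`-qualified names — worth validating against a baseline of logs before this ships. Largely the same list is now maintained by hand in three rules on this page (this one, `Mimikatz Command Line` and the SYSTEM-user process-creation rule), so any future addition has to be made three times; a comment pointing to the sibling rules would at least make that visible.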
@@ -0,0 +1,22 @@
title: Mimikatz MemSSP Default Log File Creation
id: 034affe8-6170-11ec-844f-0f78aa0c4d66
status: experimental
description: Detects Mimikatz MemSSP default log file creation
author: David ANDRE
references:
- https://pentestlab.blog/2019/10/21/persistence-security-support-provider/
date: 2021/12/20
tags:
- attack.credential_access
- attack.t1003
logsource:
product: windows
category: file_event
detection:
mimikatz_memssp_filename:
TargetFilename|endswith:
- 'mimilsa.log'
condition: mimikatz_memssp_filename
falsepositives:
- Unlikely
level: critical
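Review bot: `TargetFilename|endswith: 'mimilsa.log'` has no leading path separator, so it also matches any file whose name merely ends in those characters (e.g. `xmimilsa.log`); the other file rules on this page anchor on the separator, e.g. `TargetFilename|endswith: '\unattend.xml'`. Change it to `TargetFilename|endswith: '\mimilsa.log'` and, as the list has one element, write it as a plain scalar. A short comment giving the default location the memssp module writes to — taken from the reference, e.g. `# default path per reference: <System32>\mimilsa.log — confirm` — would help triage.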
@@ -0,0 +1,23 @@
title: Suspicious Unattend.xml File Access
id: 1a3d42dd-3763-46b9-8025-b5f17f340dfb
status: experimental
description: |
Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored.
If these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended windows install process
author: frack113
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md
date: 2021/12/19
logsource:
product: windows
category: file_event
detection:
selection:
TargetFilename|endswith: '\unattend.xml'
condition: selection
falsepositives:
- Unknown
level: medium
tags:
- attack.credential_access
- attack.t1552.001
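Review bot: The title and description talk about *access* to unattend.xml, but `category: file_event` in Sigma maps to file-creation telemetry (Sysmon event 11 in the common mapping), so reading the file — which is what T1552.001 describes — produces no event and the rule only fires when something writes a file named unattend.xml. Either retitle and describe it as creation (itself noisy on deployment shares and build machines running Sysprep/MDT) or move it to a logsource that records reads, such as object-access auditing on the file. The second description paragraph, `If these files exist, their contents will be displayed.`, is copied from the Atomic test and does not describe the detection; replace it with one sentence on what actually triggers the rule.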
@@ -20,7 +20,12 @@ detection:
selection:
EventID: 1121
Path|endswith: '\lsass.exe'
condition: selection
filter_thor:
ProcessName|startswith: 'C:\Windows\Temp\asgard2-agent\'
ProcessName|endswith:
- '\thor64.exe'
- '\thor.exe'
condition: selection and not filter_thor
falsepositives:
- Google Chrome GoogleUpdate.exe
- Some Taskmgr.exe related activity
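Review bot: `filter_thor` whitelists lsass access on nothing more than a path under `C:\Windows\Temp\asgard2-agent\` plus an image name, and `C:\Windows\Temp` is writable by non-administrators, so any process dropped there as `thor.exe` or `thor64.exe` is silently excluded from an lsass-access alert. If this event source exposes a signer or hash field, key the exclusion on that instead of or in addition to the path; otherwise state the residual risk in a comment, e.g. `# path-based exclusion: a same-named binary placed here is also excluded`. The `detection:` block begins before this hunk, so `selection` is only partly visible.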
@@ -0,0 +1,29 @@
title: Extracting Information with PowerShell
id: bd5971a7-626d-46ab-8176-ed643f694f68
status: experimental
author: frack113
date: 2021/12/19
description: |
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
These can be files created by users to store their own credentials, shared credential stores for a group of individuals,
configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md
logsource:
product: windows
category: ps_script
definition: Script block logging must be enabled
detection:
selection:
ScriptBlockText|contains|all:
- ls
- ' -R'
- 'select-string '
- '-Pattern '
condition: selection
falsepositives:
- Unknown
level: medium
tags:
- attack.credential_access
- attack.t1552.001
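Review bot: The bare `ls` entry in `ScriptBlockText|contains|all` is an unquoted two-character substring that almost any script block satisfies (`else`, `false`, `tools`, …), so it contributes nothing to the conjunction and the rule effectively keys on ` -R`, `select-string ` and `-Pattern ` alone. Quote and anchor it, `- 'ls '`, or better add the cmdlet it aliases, `- 'Get-ChildItem'`, in a sibling selection OR'd with this one, since scripts written out in full never contain `ls`. The description is MITRE's technique text; replace it with one sentence on the script pattern this rule looks for (recursive directory listing piped into Select-String with a pattern).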
@@ -8,19 +8,25 @@ references:
- https://labs.f-secure.com/blog/prelude-to-ransomware-systembc
- https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf
- https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer
author: '@ROxPinTeddy'
- https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner
author: '@ROxPinTeddy, Nasreddine Bencherchali @nas_bench'
date: 2020/05/12
modified: 2021/09/12
modified: 2021/12/18
tags:
- attack.discovery
- attack.t1046
- attack.t1135
logsource:
category: process_creation
product: windows
detection:
selection:
selection1:
Image|contains: '\advanced_ip_scanner'
condition: selection
selection2:
CommandLine|contains|all:
- '/portable'
- '/lng'
condition: 1 of selection*
falsepositives:
- Legitimate administrative use
level: medium
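Review bot: With `condition: 1 of selection*`, the new `selection2` fires on its own whenever a command line contains both `/portable` and `/lng`, independent of the image, and the identical `selection2` appears in the new Advanced Port Scanner rule below, so a single event with those two switches raises both alerts — as does any unrelated installer that happens to use the same switches. Either AND the switches with an image or OriginalFileName clause inside `selection2`, or keep the switch-based selection in only one of the two rules. `modified:` is bumped correctly here; the `author` value now mixes a bare handle with a name-plus-handle, which is harmless but worth normalising.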
@@ -0,0 +1,27 @@
title: Advanced Port Scanner
id: 54773c5f-f1cc-4703-9126-2f797d96a69d
status: experimental
description: Detects the use of Advanced Port Scanner.
references:
- https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20Port%20Scanner
author: Nasreddine Bencherchali @nas_bench
date: 2021/12/18
tags:
- attack.discovery
- attack.t1046
- attack.t1135
logsource:
category: process_creation
product: windows
detection:
selection1:
Image|contains: '\advanced_port_scanner'
selection2:
CommandLine|contains|all:
- '/portable'
- '/lng'
condition: 1 of selection*
falsepositives:
- Legitimate administrative use
- Tools with similar commandline (very rare)
level: medium
@@ -6,9 +6,7 @@ date: 2021/07/28
description: Once established within a system or network, an adversary may use automated techniques for collecting internal data.
references:
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md
tags:
- attack.collection
- attack.t1119
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md
logsource:
category: process_creation
product: windows
@@ -31,8 +29,15 @@ detection:
- ' /s '
selection_findstr:
OriginalFileName: FINDSTR.EXE
CommandLine|contains: ' /e '
CommandLine|contains:
- ' /e '
- ' /si '
condition: selection_ext and (selection_dir or selection_findstr)
falsepositives:
- Unknown
level: medium
tags:
- attack.collection
- attack.t1119
- attack.credential_access
- attack.t1552.001
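Review bot: `selection_findstr` matches the findstr switches only as the exact substrings ` /e ` and ` /si `, so the same search written with the switches separated (` /s /i `) or combined in the other order (`/is`) is not covered; `contains` on a list is OR, so adding ` /s ` and ` /i ` as separate entries, or a `re` modifier if the backend supports it, closes the gap cheaply. The added T1552.001 link under `references` now sits beside the T1119 one with no note of why a collection rule cites a credential-access test; a one-line comment such as `# findstr /si usage taken from the T1552.001 atomic` would help. The `detection:` block starts before this hunk, so `selection_ext` and `selection_dir` are not visible here.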
@@ -0,0 +1,33 @@
title: CleanWipe Usage
id: f44800ac-38ec-471f-936e-3fa7d9c53100
status: experimental
description: Detects the use of CleanWipe a tool usually used to delete Symantec antivirus.
references:
- https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/CleanWipe
author: Nasreddine Bencherchali @nas_bench
date: 2021/12/18
tags:
- attack.defense_evasion
- attack.t1562.001
logsource:
category: process_creation
product: windows
detection:
selection1:
Image|endswith:
- '\SepRemovalToolNative_x64.exe'
selection2:
Image|endswith: '\CATClean.exe'
CommandLine|contains: '--uninstall'
selection3:
Image|endswith: '\NetInstaller.exe'
CommandLine|contains: '-r'
selection4:
Image|endswith: '\WFPUnins.exe'
CommandLine|contains|all:
- '/uninstall'
- '/enterprise'
condition: 1 of selection*
falsepositives:
- Legitimate administrative use
level: medium
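Review bot: In `selection3` the `CommandLine|contains: '-r'` clause is a two-character substring that matches any option beginning with `-r` (`--reinstall`, `-remove`, …) and any path or value containing it, so the `\NetInstaller.exe` image is doing all the work there; anchor it as `' -r'` (or `' -r '`) to mean the switch. `selection1`'s single-entry list can be a scalar, `Image|endswith: '\SepRemovalToolNative_x64.exe'`, matching the style of `selection2`. The description needs a comma: `Detects the use of CleanWipe, a tool usually used to remove Symantec antivirus.`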
@@ -0,0 +1,24 @@
title: Shells Spawn by Java
id: dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0
description: Detects shell spawn from Java host process, which could a maintenance task or some kind of exploitation (e.g. log4j exploitation)
status: experimental
author: Andreas Hunkeler (@Karneades)
date: 2021/12/17
modified: 2021/12/18
tags:
- attack.initial_access
- attack.persistence
- attack.privilege_escalation
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\java.exe'
Image|endswith:
- '\cmd.exe'
condition: selection
falsepositives:
- Legitimate calls to system binaries
- Company specific internal usage
level: medium
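Review bot: `ParentImage|endswith: '\java.exe'` misses the `javaw.exe` launcher that many Windows Java services and GUI applications run under, so a shell spawned from such a process is not caught; the same gap is in the `Suspicious Shells Spawn by Java` rule further down this page, which uses the same parent clause. Extend both to a block list with `- '\java.exe'` and `- '\javaw.exe'` (and consider `'\javaws.exe'`). The description is missing a verb: `which could be a maintenance task or some kind of exploitation`.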
@@ -17,8 +17,10 @@ detection:
Image|endswith: '.exe'
filter_null:
Image: null
filter_msi:
filter_starts:
Image|startswith: 'C:\Windows\Installer\MSI'
filter_pstarts:
ParentImage|startswith: 'C:\ProgramData\Avira\'
filter_avira:
Image|startswith: 'C:\Windows\Temp\'
Image|endswith: '\avira_speedup_setup_update.tmp'
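Review bot: The rename `filter_msi` → `filter_starts` and the new `filter_pstarts` are only safe if the rule's `condition` (outside this hunk) refers to the filters by wildcard such as `1 of filter*`; if it names `filter_msi` explicitly the rule no longer compiles, so the condition line should be part of this diff or confirmed. `filter_starts` is also a less informative name than `filter_msi` — it describes the modifier rather than what is excluded. `filter_pstarts` trusts every child of anything under `C:\ProgramData\Avira\`, and ProgramData subdirectories are frequently writable by standard users, so either narrow it to the specific Avira parent binary or add a comment stating why the whole tree is acceptable.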
@@ -0,0 +1,42 @@
title: Suspicious Shells Spawn by Java
id: 0d34ed8b-1c12-4ff2-828c-16fc860b766d
description: Detects suspicious shell spawn from Java host process (e.g. log4j exploitation)
status: experimental
author: Andreas Hunkeler (@Karneades), Florian Roth
date: 2021/12/17
modified: 2021/12/18
tags:
- attack.initial_access
- attack.persistence
- attack.privilege_escalation
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\java.exe'
Image|endswith:
- '\sh.exe'
- '\bash.exe'
- '\powershell.exe'
- '\schtasks.exe'
- '\certutil.exe'
- '\whoami.exe'
- '\bitsadmin.exe'
- '\wscript.exe'
- '\cscript.exe'
- '\scrcons.exe'
- '\regsvr32.exe'
- '\hh.exe'
- '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
- '\mshta.exe'
- '\rundll32.exe'
- '\forfiles.exe'
- '\scriptrunner.exe'
- '\mftrace.exe'
- '\AppVLP.exe'
condition: selection
falsepositives:
- Legitimate calls to system binaries
- Company specific internal usage
level: high
@@ -2,11 +2,20 @@ title: Mimikatz Command Line
id: a642964e-bead-4bed-8910-1bb4d63e3b4d
status: test
description: Detection well-known mimikatz command line arguments
author: Teymur Kheirkhabarov, oscd.community
author: Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords)
references:
- https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
- https://tools.thehacker.recipes/mimikatz/modules
date: 2019/10/22
modified: 2021/11/27
modified: 2021/12/20
tags:
- attack.credential_access
- attack.t1003 # an old one
- attack.t1003.001
- attack.t1003.002
- attack.t1003.004
- attack.t1003.005
- attack.t1003.006
logsource:
category: process_creation
product: windows
@@ -15,7 +24,7 @@ detection:
CommandLine|contains:
- DumpCreds
- invoke-mimikatz
selection_2:
module_names:
CommandLine|contains:
- rpc
- token
@@ -26,18 +35,24 @@ detection:
- lsadump
- privilege
- process
selection_3:
- vault
mimikatz_separator:
CommandLine|contains:
- '::'
condition: selection_1 or selection_2 and selection_3
function_names: # To cover functions from modules that are not in module_names (likely too generic)
CommandLine|contains:
- 'aadcookie' #misc module
- 'detours' #misc module
- 'memssp' #misc module
- 'mflt' #misc module
- 'ncroutemon' #misc module
- 'ngcsign' #misc module
- 'printnightmare' #misc module
- 'skeleton' #misc module
- 'preshutdown' #service module
- 'mstsc' #ts module
- 'multirdp' #ts module
condition: selection_1 or (module_names and mimikatz_separator) or (function_names and mimikatz_separator)
falsepositives:
- Legitimate Administrator using tool for password recovery
level: medium
tags:
- attack.credential_access
- attack.t1003 # an old one
- attack.t1003.001
- attack.t1003.002
- attack.t1003.004
- attack.t1003.005
- attack.t1003.006
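Review bot: The new `function_names` selection pairs bare words such as `detours`, `skeleton`, `mstsc` and `printnightmare` with nothing but the `::` separator, so any PowerShell command line using static-member syntax (`[Type]::Method`) that also mentions one of those words — `mstsc` is common in admin scripts — satisfies `function_names and mimikatz_separator`; since the comment says these were chosen because their modules are too generic, require the module prefix in the string instead (`'misc::detours'`, `'ts::mstsc'`) as the `Mimikatz Use` rule does. The inline comments `#misc module` etc. need a space after `#` to satisfy yamllint. Replacing `selection_1 or selection_2 and selection_3`, which relied on operator precedence, with an explicitly parenthesised `condition` is an improvement; `detection:` begins before the first hunk of this file.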
@@ -0,0 +1,27 @@
title: VeeamBackup Database Credentials Dump
id: b57ba453-b384-4ab9-9f40-1038086b4e53
status: experimental
author: frack113
date: 2021/12/20
description: Detects dump of credentials in VeeamBackup dbo
references:
- https://thedfirreport.com/2021/12/13/diavol-ransomware/
- https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html
tags:
- attack.collection
- attack.t1005
logsource:
category: process_creation
product: windows
detection:
selection_tools:
Image|endswith: '\sqlcmd.exe'
selection_query:
CommandLine|contains|all:
- 'SELECT'
- 'TOP'
- '[VeeamBackup].[dbo].[Credentials]'
condition: all of selection*
falsepositives:
- Unknown
level: high
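Review bot: `selection_query` requires the literal `TOP` alongside the table name, but `TOP` is incidental to the example query in the reference — a `SELECT * FROM [VeeamBackup].[dbo].[Credentials]` or the same table written without square-bracket quoting (`VeeamBackup.dbo.Credentials`) reads the same data and is missed. Drop `'TOP'` and match the table in a form that tolerates both spellings, e.g. `CommandLine|contains|all:` with `'VeeamBackup'`, `'dbo'` and `'Credentials'`, which stays specific enough with `\sqlcmd.exe` as the image. sqlcmd can also take the query from a file (`-i`) rather than inline (`-Q`), in which case the command line carries no SELECT at all; the description should mention that as a known limitation.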
@@ -0,0 +1,38 @@
title: Suspicious Reg Add Open Command
id: dd3ee8cc-f751-41c9-ba53-5a32ed47e563
status: experimental
description: Threat actors performed dumping of SAM, SECURITY and SYSTEM registry hives using DelegateExecute key
references:
- https://thedfirreport.com/2021/12/13/diavol-ransomware/
author: frack113
date: 2021/12/20
logsource:
category: process_creation
product: windows
detection:
selection_1:
CommandLine|contains|all:
- 'reg'
- 'add'
- 'hkcu\software\classes\ms-settings\shell\open\command'
- '/ve '
- '/d'
selection_2:
CommandLine|contains|all:
- 'reg'
- 'add'
- 'hkcu\software\classes\ms-settings\shell\open\command'
- '/v'
- 'DelegateExecute'
selection_3:
CommandLine|contains|all:
- 'reg'
- 'delete'
- 'hkcu\software\classes\ms-settings'
condition: 1 of selection_*
falsepositives:
- unknown
level: medium
tags:
- attack.credential_access
- attack.t1003
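Review bot: The selections describe writes to `hkcu\software\classes\ms-settings\shell\open\command` and `DelegateExecute`, i.e. the registry setup of the ms-settings UAC bypass, while the description and tags (`attack.credential_access`, `attack.t1003`) describe the SAM/SECURITY/SYSTEM dump that followed it in the report; tag the rule with `attack.privilege_escalation` / `attack.defense_evasion` and the UAC-bypass technique (T1548.002), and reword the description to `Detects registry modification of the ms-settings shell open command, used to bypass UAC before dumping the SAM, SECURITY and SYSTEM hives`. `falsepositives: - unknown` is lowercase while every other rule on the page uses `Unknown`. The `'/v'` entry in `selection_2` is already contained in `'/ve '`, so it adds nothing beyond `DelegateExecute`; `' /v '` would make it meaningful.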
@@ -4,6 +4,7 @@ status: experimental
description: utilizes REGSVR32.exe to execute this DLL masquerading as a Image file
references:
- https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/
- https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html
tags:
- attack.defense_evasion
- attack.t1218.010
@@ -35,4 +35,4 @@ detection:
falsepositives:
- https://twitter.com/gN3mes1s/status/1206874118282448897
- https://twitter.com/gabriele_pippi/status/1206907900268072962
level: high
level: medium
@@ -0,0 +1,28 @@
title: Suspicious NT Resource Kit Auditpol Usage
id: c6c56ada-612b-42d1-9a29-adad3c5c2c1e
description: Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
status: experimental
author: Nasreddine Bencherchali @nas_bench
references:
- https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Windows%202000%20Resource%20Kit%20Tools/AuditPol
date: 2021/12/18
tags:
- attack.defense_evasion
- attack.t1562.002
level: high
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- '/logon:none'
- '/system:none'
- '/sam:none'
- '/privilege:none'
- '/object:none'
- '/process:none'
- '/policy:none'
condition: selection
falsepositives:
- Unknown
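Review bot: `level: high` sits between `tags` and `logsource` instead of after `falsepositives`, the order every other rule on this page uses; move it so readers and linters find it where expected. The `/logon:none`-style switches are specific to the Resource Kit auditpol syntax and are unlikely to collide with the modern `auditpol.exe /set` syntax, which is worth stating under `falsepositives` in place of `Unknown`, together with an Image or OriginalFileName constraint for the old binary if one is known from the reference.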
@@ -0,0 +1,42 @@
title: Suspicious Use of PsLogList
id: aae1243f-d8af-40d8-ab20-33fc6d0c55bc
description: Threat actors can use the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery.
status: experimental
references:
- https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/
- https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos
- https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList
author: Nasreddine Bencherchali @nas_bench
date: 2021/12/18
tags:
- attack.discovery
- attack.t1087
- attack.t1087.001
- attack.t1087.002
logsource:
category: process_creation
product: windows
detection:
selection1:
OriginalFileName|contains: 'psloglist'
selection2:
Image|endswith:
- '\psloglist.exe'
- '\psloglist64.exe'
flags:
CommandLine|contains:
- '-d'
- '/d'
- '-x'
- '/x'
- '-s'
- '/s'
other:
CommandLine|contains|all:
- 'security'
- 'accepteula'
condition: (1 of selection*) or (flags and other)
falsepositives:
- Another tool that uses the command line switches of PsLogList
- Legitimate use of PsLogList by an administrator
level: medium
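Review bot: `flags` matches the two-character substrings `-d`, `/d`, `-x`, `/x`, `-s`, `/s` anywhere in the command line, so values like `-silent` or `/system` satisfy it; combined with `other` (`security` and `accepteula`) the branch `flags and other` therefore triggers on any Sysinternals-style tool run with `-accepteula` whose arguments mention `security`, not just a renamed PsLogList. Anchor the switches with delimiters, e.g. `' -d '`, `' /d '`, `' -s '`, and add a comment that `flags and other` exists to catch renamed binaries. Since `1 of selection*` alone fires on every PsLogList execution, the title `Suspicious Use of PsLogList` overstates the logic; the falsepositives already acknowledge legitimate admin use, so keep `level: medium` but say in the description that any invocation is flagged.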
@@ -4,8 +4,9 @@ status: experimental
description: Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
references:
- Internal Research
author: Florian Roth
date: 2021/12/08
- https://tools.thehacker.recipes/mimikatz/modules
author: Florian Roth (rule), David ANDRE (additional keywords)
date: 2021/12/20
logsource:
category: process_creation
product: windows
@@ -46,7 +47,179 @@ detection:
- '.downloadstring(' # PowerShell download command
- '.downloadfile(' # PowerShell download command
- ' /ticket:' # Rubeus
- ' sekurlsa' # Mimikatz
- 'sekurlsa::logonpasswords' #Mimikatz
- 'crypto::capi' #Mimikatz
- 'crypto::certificates' #Mimikatz
- 'crypto::certtohw' #Mimikatz
- 'crypto::cng' #Mimikatz
- 'crypto::extract' #Mimikatz
- 'crypto::hash' #Mimikatz
- 'crypto::keys' #Mimikatz
- 'crypto::providers' #Mimikatz
- 'crypto::sc' #Mimikatz
- 'crypto::scauth' #Mimikatz
- 'crypto::stores' #Mimikatz
- 'crypto::system' #Mimikatz
- 'crypto::tpminfo' #Mimikatz
- 'dpapi::blob' #Mimikatz
- 'dpapi::cache' #Mimikatz
- 'dpapi::capi' #Mimikatz
- 'dpapi::chrome' #Mimikatz
- 'dpapi::cloudapkd' #Mimikatz
- 'dpapi::cloudapreg' #Mimikatz
- 'dpapi::cng' #Mimikatz
- 'dpapi::create' #Mimikatz
- 'dpapi::cred' #Mimikatz
- 'dpapi::credhist' #Mimikatz
- 'dpapi::luna' #Mimikatz
- 'dpapi::masterkey' #Mimikatz
- 'dpapi::protect' #Mimikatz
- 'dpapi::ps' #Mimikatz
- 'dpapi::rdg' #Mimikatz
- 'dpapi::sccm' #Mimikatz
- 'dpapi::ssh' #Mimikatz
- 'dpapi::tpm' #Mimikatz
- 'dpapi::vault' #Mimikatz
- 'dpapi::wifi' #Mimikatz
- 'dpapi::wwman' #Mimikatz
- 'event::clear' #Mimikatz
- 'event::drop' #Mimikatz
- 'id::modify' #Mimikatz
- 'kerberos::ask' #Mimikatz
- 'kerberos::clist' #Mimikatz
- 'kerberos::golden' #Mimikatz
- 'kerberos::hash' #Mimikatz
- 'kerberos::list' #Mimikatz
- 'kerberos::ptc' #Mimikatz
- 'kerberos::ptt' #Mimikatz
- 'kerberos::purge' #Mimikatz
- 'kerberos::tgt' #Mimikatz
- 'lsadump::backupkeys' #Mimikatz
- 'lsadump::cache' #Mimikatz
- 'lsadump::changentlm' #Mimikatz
- 'lsadump::dcshadow' #Mimikatz
- 'lsadump::dcsync' #Mimikatz
- 'lsadump::lsa' #Mimikatz
- 'lsadump::mbc' #Mimikatz
- 'lsadump::netsync' #Mimikatz
- 'lsadump::packages' #Mimikatz
- 'lsadump::postzerologon' #Mimikatz
- 'lsadump::RpData' #Mimikatz
- 'lsadump::sam' #Mimikatz
- 'lsadump::secrets' #Mimikatz
- 'lsadump::setntlm' #Mimikatz
- 'lsadump::trust' #Mimikatz
- 'lsadump::zerologon' #Mimikatz
- 'misc::aadcookie' #Mimikatz
- 'misc::clip' #Mimikatz
- 'misc::cmd' #Mimikatz
- 'misc::compress' #Mimikatz
- 'misc::detours' #Mimikatz
- 'misc::efs' #Mimikatz
- 'misc::lock' #Mimikatz
- 'misc::memssp' #Mimikatz
- 'misc::mflt' #Mimikatz
- 'misc::ncroutemon' #Mimikatz
- 'misc::ngcsign' #Mimikatz
- 'misc::printnightmare' #Mimikatz
- 'misc::regedit' #Mimikatz
- 'misc::sccm' #Mimikatz
- 'misc::shadowcopies' #Mimikatz
- 'misc::skeleton' #Mimikatz
- 'misc::spooler' #Mimikatz
- 'misc::taskmgr' #Mimikatz
- 'misc::wp' #Mimikatz
- 'misc::xor' #Mimikatz
- 'net::alias' #Mimikatz
- 'net::deleg' #Mimikatz
- 'net::group' #Mimikatz
- 'net::if' #Mimikatz
- 'net::serverinfo' #Mimikatz
- 'net::session' #Mimikatz
- 'net::share' #Mimikatz
- 'net::stats' #Mimikatz
- 'net::tod' #Mimikatz
- 'net::trust' #Mimikatz
- 'net::user' #Mimikatz
- 'net::wsession' #Mimikatz
- 'privilege::backup' #Mimikatz
- 'privilege::debug' #Mimikatz
- 'privilege::driver' #Mimikatz
- 'privilege::id' #Mimikatz
- 'privilege::name' #Mimikatz
- 'privilege::restore' #Mimikatz
- 'privilege::security' #Mimikatz
- 'privilege::sysenv' #Mimikatz
- 'privilege::tcb' #Mimikatz
- 'process::exports' #Mimikatz
- 'process::imports' #Mimikatz
- 'process::list' #Mimikatz
- 'process::resume' #Mimikatz
- 'process::run' #Mimikatz
- 'process::runp' #Mimikatz
- 'process::start' #Mimikatz
- 'process::stop' #Mimikatz
- 'process::suspend' #Mimikatz
- 'rpc::close' #Mimikatz
- 'rpc::connect' #Mimikatz
- 'rpc::enum' #Mimikatz
- 'rpc::server' #Mimikatz
- 'sekurlsa::backupkeys' #Mimikatz
- 'sekurlsa::bootkey' #Mimikatz
- 'sekurlsa::cloudap' #Mimikatz
- 'sekurlsa::credman' #Mimikatz
- 'sekurlsa::dpapi' #Mimikatz
- 'sekurlsa::dpapisystem' #Mimikatz
- 'sekurlsa::ekeys' #Mimikatz
- 'sekurlsa::kerberos' #Mimikatz
- 'sekurlsa::krbtgt' #Mimikatz
- 'sekurlsa::livessp' #Mimikatz
- 'sekurlsa::minidump' #Mimikatz
- 'sekurlsa::msv' #Mimikatz
- 'sekurlsa::process' #Mimikatz
- 'sekurlsa::pth' #Mimikatz
- 'sekurlsa::ssp' #Mimikatz
- 'sekurlsa::tickets' #Mimikatz
- 'sekurlsa::trust' #Mimikatz
- 'sekurlsa::tspkg' #Mimikatz
- 'sekurlsa::wdigest' #Mimikatz
- 'service::me' #Mimikatz
- 'service::preshutdown' #Mimikatz
- 'service::remove' #Mimikatz
- 'service::resume' #Mimikatz
- 'service::shutdown' #Mimikatz
- 'service::start' #Mimikatz
- 'service::stop' #Mimikatz
- 'service::suspend' #Mimikatz
- 'sid::add' #Mimikatz
- 'sid::clear' #Mimikatz
- 'sid::lookup' #Mimikatz
- 'sid::modify' #Mimikatz
- 'sid::patch' #Mimikatz
- 'sid::query' #Mimikatz
- 'standard::answer' #Mimikatz
- 'standard::base64' #Mimikatz
- 'standard::cd' #Mimikatz
- 'standard::cls' #Mimikatz
- 'standard::coffee' #Mimikatz
- 'standard::exit' #Mimikatz
- 'standard::hostname' #Mimikatz
- 'standard::localtime' #Mimikatz
- 'standard::log' #Mimikatz
- 'standard::sleep' #Mimikatz
- 'standard::version' #Mimikatz
- 'token::elevate' #Mimikatz
- 'token::list' #Mimikatz
- 'token::revert' #Mimikatz
- 'token::run' #Mimikatz
- 'token::whoami' #Mimikatz
- 'ts::logonpasswords' #Mimikatz
- 'ts::mstsc' #Mimikatz
- 'ts::multirdp' #Mimikatz
- 'ts::remote' #Mimikatz
- 'ts::sessions' #Mimikatz
- 'vault::cred' #Mimikatz
- 'vault::list' #Mimikatz
- ' p::d ' # Mimikatz
- ';iex(' # PowerShell IEX
- 'MiniDump' # Process dumping method apart from procdump
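Review bot: The first hunk of this file overwrites `date: 2021/12/08` with `date: 2021/12/20` instead of adding `modified: 2021/12/20`; every other touched rule on this page keeps `date` as the creation date and bumps `modified` (e.g. the Mimikatz Use rule), so the creation date is lost here — restore `date: 2021/12/08` and add `modified: 2021/12/20`. In the keyword block the broad `' sekurlsa'` entry was replaced by an enumerated list, which drops coverage of any `sekurlsa::` function not in the list (and ` s::l `, which the Mimikatz Use rule keeps); keep a generic `'sekurlsa::'` alongside the specific entries. The `#Mimikatz` inline comments need a space after `#` and two before it to satisfy yamllint; the `detection:` block and its selection start before this hunk.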
@@ -0,0 +1,28 @@
title: Abuse of Service Permissions to Hide Services in Tools
id: a537cfc3-4297-4789-92b5-345bfd845ad0
status: experimental
description: Detection of sc.exe utility adding a new service with special permission which hides that service.
author: Andreas Hunkeler (@Karneades)
references:
- https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html
- https://www.sans.org/blog/red-team-tactics-hiding-windows-services/
date: 2021/12/20
logsource:
category: process_creation
product: windows
detection:
sc:
Image|endswith: '\sc.exe'
cli:
CommandLine|contains|all:
- 'sdset'
- 'DCLCWPDTSD'
condition: sc and cli
falsepositives:
- Intended use of hidden services
level: high
tags:
- attack.persistence
- attack.defense_evasion
- attack.privilege_escalation
- attack.t1574.011
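Review bot: `'DCLCWPDTSD'` is the exact rights string from the referenced write-up, but SDDL access rights are a set of two-letter tokens that may be written in any order or with additional rights, so a deny ACE that hides the service with the tokens reordered or extended is not matched; the combination of `sdset` with a deny ACE (`(D;` in the descriptor) is already unusual enough to alert on and is order-independent. Consider `CommandLine|contains|all:` with `'sdset'` and `'(D;'` as the primary selection, keeping the exact string as a higher-confidence variant if the backend treats the parenthesis literally. `sc` and `cli` are terse selection names; `selection_img` / `selection_cli` would match the rest of the repository.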
@@ -11,7 +11,7 @@ references:
- https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
date: 2019/10/25
modified: 2021/12/18
modified: 2021/12/19
logsource:
category: registry_event
product: windows
@@ -36,13 +36,17 @@ detection:
- '\Authentication\PLAP Providers'
- '\Authentication\Credential Providers'
- '\Authentication\Credential Provider Filters'
filter:
filter_all:
- Details: '(Empty)'
- TargetObject|endswith: '\NgcFirst\ConsecutiveSwitchCount'
- Image|endswith: '\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe' # C:\Users\*\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
- Image:
- 'C:\WINDOWS\system32\devicecensus.exe'
condition: current_version_base and current_version and not filter
filter_edge:
Image|contains|all:
- 'C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{'
- '\setup.exe'
condition: current_version_base and current_version and not 1 of filter_*
fields:
- SecurityID
- ObjectName
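Review bot: The new `filter_edge` block has no comment explaining why an installer under `C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{` is excluded from these autorun-key writes, while the neighbouring OneDrive filter does carry one; the identical block is added to the two registry rules below as well, so a short why-comment (naming the observed benign write that motivated it, which I cannot infer from the diff) should go on all three. The lower of those rules uses `1 of filter*` where these two use `1 of filter_*`; harmonise the wildcard so a future selection named e.g. `filtered_...` cannot be swept in by accident.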
@@ -11,7 +11,7 @@ references:
- https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
- https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
date: 2019/10/25
modified: 2021/12/05
modified: 2021/12/19
logsource:
category: registry_event
product: windows
@@ -27,9 +27,13 @@ detection:
- '\Explorer\ShellExecuteHooks'
- '\Explorer\SharedTaskScheduler'
- '\Explorer\Browser Helper Objects'
filter:
filter_empty:
Details: '(Empty)'
condition: wow_current_version_base and wow_current_version and not filter
filter_edge:
Image|contains|all:
- 'C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{'
- '\setup.exe'
condition: wow_current_version_base and wow_current_version and not 1 of filter_*
fields:
- SecurityID
- ObjectName
@@ -51,6 +51,10 @@ detection:
filter_nvidia:
Details|contains:
- '\FileRepository\nvmdi.inf'
filter_edge:
Image|contains|all:
- 'C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{'
- '\setup.exe'
condition: selection and not 1 of filter*
falsepositives:
- Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level