diff --git a/rules/proxy/proxy_java_class_download.yml b/rules/proxy/proxy_java_class_download.yml
new file mode 100644
index 000000000..66c3ff4bd
--- /dev/null
+++ b/rules/proxy/proxy_java_class_download.yml
@@ -0,0 +1,19 @@
+title: Java Class Proxy Download
+id: 53c15703-b04c-42bb-9055-1937ddfb3392
+status: experimental
+description: Detects Java class download in proxy logs, e.g. used in Log4shell exploitation attacks against Log4j.
+references:
+ - https://www.lunasec.io/docs/blog/log4j-zero-day/
+author: Andreas Hunkeler (@Karneades)
+date: 2021/12/21
+tags:
+ - attack.initial_access
+logsource:
+ category: proxy
+detection:
+ selection:
+ c-uri|endswith: '.class'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/builtin/system/win_vul_cve_2021_42278_or_cve_2021_42287.yml b/rules/windows/builtin/system/win_vul_cve_2021_42278_or_cve_2021_42287.yml
new file mode 100644
index 000000000..fe76fdee3
--- /dev/null
+++ b/rules/windows/builtin/system/win_vul_cve_2021_42278_or_cve_2021_42287.yml
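Review bot: `c-uri|endswith: '.class'` in `selection` never matches a request whose URI carries a query string or fragment after the file name, so a URL like `/Exploit.class?x` (constructed example) passes without an alert on any proxy that logs the full request line. A second selection, e.g. `selection_query:` / `c-uri|contains: '.class?'` with `condition: 1 of selection*`, closes that gap at little cost. The `tags` list carries only the tactic; `attack.t1190` is the technique the Log4Shell use case in the description maps to, and `falsepositives` should name the legitimate sources of `.class` downloads (applet/JNLP deployments, artifact repositories) rather than `Unknown`.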
@@ -0,0 +1,36 @@
+title: Exploit SamAccountName Spoofing with Kerberos
+id: 44bbff3e-4ca3-452d-a49a-6efa4cafa06f
+status: experimental
+description: |
+ The attacker creates a computer object using those permissions with a password known to her.
+ After that she clears the attribute ServicePrincipalName on the computer object.
+ Because she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object.
+references:
+ - https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/?utm_source=Social&utm_medium=post&utm_campaign=log4j
+author: frack113
+date: 2021/12/15
+logsource:
+ product: windows
+ service: system
+detection:
+ selection_1:
+ Provider_Name: Microsoft-Windows-Kerberos-Key-Distribution-Center # Active Directory
+ EventID:
+ - 35
+ - 36
+ - 37
+ - 38
+ selection_2:
+ Provider_Name: Microsoft-Windows-Directory-Services-SAM # Active Directory
+ EventID:
+ - 16990
+ - 16991
+ condition: selection_1 or selection_2
+fields:
+ - samAccountName
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.credential_access
+ - attack.t1558.003
diff --git a/rules/windows/builtin/win_alert_mimikatz_keywords.yml b/rules/windows/builtin/win_alert_mimikatz_keywords.yml
index 7ea757e5a..94c353e36
--- a/rules/windows/builtin/win_alert_mimikatz_keywords.yml
+++ b/rules/windows/builtin/win_alert_mimikatz_keywords.yml
@@ -2,9 +2,11 @@ title: Mimikatz Use
 id: 06d71506-7beb-4f22-8888-e2e5e2ca7fd8
 description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)
 status: experimental
-author: Florian Roth
+author: Florian Roth (rule), David ANDRE (additional keywords)
 date: 2017/01/10
-modified: 2021/12/01
+modified: 2021/12/20
+references:
+ - https://tools.thehacker.recipes/mimikatz/modules
 tags:
 - attack.s0002
 - attack.t1003 # an old one
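Review bot: The `description` block opens with `using those permissions`, which refers to nothing in the rule; the missing first step from the referenced write-up should be spelled out, e.g. `A low-privileged domain user creates a computer object (default MachineAccountQuota) with a password known to them.`. The KDC events 35-38 and the SAM events 16990/16991 are, as far as I know, only emitted by domain controllers carrying the November 2021 updates that address CVE-2021-42278/42287, so an unpatched DC produces no telemetry for this rule; a `definition:` line under `logsource` stating that requirement would prevent a false sense of coverage. `falsepositives: Unknown` is weak for a rule that keys purely on event IDs; at least note that the events are expected to be rare on a healthy domain.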
@@ -20,19 +22,187 @@ logsource:
 product: windows
 detection:
 keywords:
- - '\mimikatz'
- - 'mimikatz.exe'
- - '\mimilib.dll'
 - '<3 eo.oe'
+ - 'crypto::capi'
+ - 'crypto::certificates'
+ - 'crypto::certtohw'
+ - 'crypto::cng'
+ - 'crypto::extract'
+ - 'crypto::hash'
+ - 'crypto::keys'
+ - 'crypto::providers'
+ - 'crypto::sc'
+ - 'crypto::scauth'
+ - 'crypto::stores'
+ - 'crypto::system'
+ - 'crypto::tpminfo'
+ - 'dpapi::blob'
+ - 'dpapi::cache'
+ - 'dpapi::capi'
+ - 'dpapi::chrome'
+ - 'dpapi::cloudapkd'
+ - 'dpapi::cloudapreg'
+ - 'dpapi::cng'
+ - 'dpapi::create'
+ - 'dpapi::cred'
+ - 'dpapi::credhist'
+ - 'dpapi::luna'
+ - 'dpapi::masterkey'
+ - 'dpapi::protect'
+ - 'dpapi::ps'
+ - 'dpapi::rdg'
+ - 'dpapi::sccm'
+ - 'dpapi::ssh'
+ - 'dpapi::tpm'
+ - 'dpapi::vault'
+ - 'dpapi::wifi'
+ - 'dpapi::wwman'
 - 'eo.oe.kiwi'
- - 'privilege::debug'
- - 'sekurlsa::logonpasswords'
- - 'lsadump::sam'
- - 'mimidrv.sys'
- - ' p::d '
- - ' s::l '
+ - 'event::clear'
+ - 'event::drop'
 - 'gentilkiwi.com'
+ - 'id::modify'
+ - 'kerberos::ask'
+ - 'kerberos::clist'
+ - 'kerberos::golden'
+ - 'kerberos::hash'
+ - 'kerberos::list'
+ - 'kerberos::ptc'
+ - 'kerberos::ptt'
+ - 'kerberos::purge'
+ - 'kerberos::tgt'
 - 'Kiwi Legit Printer'
+ - 'lsadump::backupkeys'
+ - 'lsadump::cache'
+ - 'lsadump::changentlm'
+ - 'lsadump::dcshadow'
+ - 'lsadump::dcsync'
+ - 'lsadump::lsa'
+ - 'lsadump::mbc'
+ - 'lsadump::netsync'
+ - 'lsadump::packages'
+ - 'lsadump::postzerologon'
+ - 'lsadump::RpData'
+ - 'lsadump::sam'
+ - 'lsadump::secrets'
+ - 'lsadump::setntlm'
+ - 'lsadump::trust'
+ - 'lsadump::zerologon'
+ - 'mimidrv.sys'
+ - '\mimilib.dll'
+ - 'misc::aadcookie'
+ - 'misc::clip'
+ - 'misc::cmd'
+ - 'misc::compress'
+ - 'misc::detours'
+ - 'misc::efs'
+ - 'misc::lock'
+ - 'misc::memssp'
+ - 'misc::mflt'
+ - 'misc::ncroutemon'
+ - 'misc::ngcsign'
+ - 'misc::printnightmare'
+ - 'misc::regedit'
+ - 'misc::sccm'
+ - 'misc::shadowcopies'
+ - 'misc::skeleton'
+ - 'misc::spooler'
+ - 'misc::taskmgr'
+ - 'misc::wp'
+ - 'misc::xor'
+ - 'net::alias'
+ - 'net::deleg'
+ - 'net::group'
+ - 'net::if'
+ - 'net::serverinfo'
+ - 'net::session'
+ - 'net::share'
+ - 'net::stats'
+ - 'net::tod'
+ - 'net::trust'
+ - 'net::user'
+ - 'net::wsession'
+ - ' p::d '
+ - 'privilege::backup'
+ - 'privilege::debug'
+ - 'privilege::driver'
+ - 'privilege::id'
+ - 'privilege::name'
+ - 'privilege::restore'
+ - 'privilege::security'
+ - 'privilege::sysenv'
+ - 'privilege::tcb'
+ - 'process::exports'
+ - 'process::imports'
+ - 'process::list'
+ - 'process::resume'
+ - 'process::run'
+ - 'process::runp'
+ - 'process::start'
+ - 'process::stop'
+ - 'process::suspend'
+ - 'rpc::close'
+ - 'rpc::connect'
+ - 'rpc::enum'
+ - 'rpc::server'
+ - 'sekurlsa::backupkeys'
+ - 'sekurlsa::bootkey'
+ - 'sekurlsa::cloudap'
+ - 'sekurlsa::credman'
+ - 'sekurlsa::dpapi'
+ - 'sekurlsa::dpapisystem'
+ - 'sekurlsa::ekeys'
+ - 'sekurlsa::kerberos'
+ - 'sekurlsa::krbtgt'
+ - 'sekurlsa::livessp'
+ - 'sekurlsa::logonpasswords'
+ - 'sekurlsa::minidump'
+ - 'sekurlsa::msv'
+ - 'sekurlsa::process'
+ - 'sekurlsa::pth'
+ - 'sekurlsa::ssp'
+ - 'sekurlsa::tickets'
+ - 'sekurlsa::trust'
+ - 'sekurlsa::tspkg'
+ - 'sekurlsa::wdigest'
+ - 'service::me'
+ - 'service::preshutdown'
+ - 'service::remove'
+ - 'service::resume'
+ - 'service::shutdown'
+ - 'service::start'
+ - 'service::stop'
+ - 'service::suspend'
+ - 'sid::add'
+ - 'sid::clear'
+ - 'sid::lookup'
+ - 'sid::modify'
+ - 'sid::patch'
+ - 'sid::query'
+ - ' s::l '
+ - 'standard::answer'
+ - 'standard::base64'
+ - 'standard::cd'
+ - 'standard::cls'
+ - 'standard::coffee'
+ - 'standard::exit'
+ - 'standard::hostname'
+ - 'standard::localtime'
+ - 'standard::log'
+ - 'standard::sleep'
+ - 'standard::version'
+ - 'token::elevate'
+ - 'token::list'
+ - 'token::revert'
+ - 'token::run'
+ - 'token::whoami'
+ - 'ts::logonpasswords'
+ - 'ts::mstsc'
+ - 'ts::multirdp'
+ - 'ts::remote'
+ - 'ts::sessions'
+ - 'vault::cred'
+ - 'vault::list'
 filter:
 EventID: 15 # Sysmon's FileStream Events (could cause false positives when Sigma rules get copied on/to a system)
 condition: keywords and not filter
diff --git a/rules/windows/file_event/file_event_mimimaktz_memssp_log_file.yml b/rules/windows/file_event/file_event_mimimaktz_memssp_log_file.yml
new file mode 100644
index 000000000..526903249
--- /dev/null
+++ b/rules/windows/file_event/file_event_mimimaktz_memssp_log_file.yml
@@ -0,0 +1,22 @@
+title: Mimikatz MemSSP Default Log File Creation
+id: 034affe8-6170-11ec-844f-0f78aa0c4d66
+status: experimental
+description: Detects Mimikatz MemSSP default log file creation
+author: David ANDRE
+references:
+ - https://pentestlab.blog/2019/10/21/persistence-security-support-provider/
+date: 2021/12/20
+tags:
+ - attack.credential_access
+ - attack.t1003
+logsource:
+ product: windows
+ category: file_event
+detection:
+ mimikatz_memssp_filename:
+ TargetFilename|endswith:
+ - 'mimilsa.log'
+ condition: mimikatz_memssp_filename
+falsepositives:
+ - Unlikely
+level: critical
diff --git a/rules/windows/file_event/win_fe_access_susp_unattend_xml.yml b/rules/windows/file_event/win_fe_access_susp_unattend_xml.yml
new file mode 100644
index 000000000..6b9909cfe
--- /dev/null
+++ b/rules/windows/file_event/win_fe_access_susp_unattend_xml.yml
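Review bot: The hunk drops `'\mimikatz'` and `'mimikatz.exe'` from `keywords` and nothing in the rule or in the `modified` bump in the first hunk says why; those two strings were the only entries that match the binary or path name rather than a `module::function` pair, so a log line that only carries the executable name (e.g. `C:\tools\mimikatz.exe`, constructed example) is no longer caught. Unless they were removed for false-positive reasons, restore them; if they were, record that in `falsepositives`. The entries `'mimidrv.sys'`, `'\mimilib.dll'`, `' p::d '` and `' s::l '` are merely re-sorted, which is fine. A near-identical list is added to `win_susp_system_user_anomaly.yml` later in this commit; the two will drift unless each carries a comment pointing at the other copy.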
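Review bot: `TargetFilename|endswith:` / `- 'mimilsa.log'` carries no path separator, so a file such as `C:\logs\notmimilsa.log` (constructed example) also matches; `'\mimilsa.log'` is the form the other file-name rules in this commit use, and a single-value list can be a plain scalar. The `id` `034affe8-6170-11ec-...` is a version-1 (time-based) UUID whereas every other id in this commit is a random version-4 one, and the file name in the path spells the tool `mimimaktz`. `level: critical` on a default file name is fine as long as the description or `falsepositives` notes that a renamed log file is not covered.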
@@ -0,0 +1,23 @@
+title: Suspicious Unattend.xml File Access
+id: 1a3d42dd-3763-46b9-8025-b5f17f340dfb
+status: experimental
+description: |
+ Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored.
+ If these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended windows install process
+author: frack113
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md
+date: 2021/12/19
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ TargetFilename|endswith: '\unattend.xml'
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.credential_access
+ - attack.t1552.001
diff --git a/rules/windows/other/windefend/win_alert_lsass_access.yml b/rules/windows/other/windefend/win_alert_lsass_access.yml
index 90269aed6..0aef6a5d1
--- a/rules/windows/other/windefend/win_alert_lsass_access.yml
+++ b/rules/windows/other/windefend/win_alert_lsass_access.yml
@@ -20,7 +20,12 @@ detection:
 selection:
 EventID: 1121
 Path|endswith: '\lsass.exe'
- condition: selection
+ filter_thor:
+ ProcessName|startswith: 'C:\Windows\Temp\asgard2-agent\'
+ ProcessName|endswith:
+ - '\thor64.exe'
+ - '\thor.exe'
+ condition: selection and not filter_thor
 falsepositives:
 - Google Chrome GoogleUpdate.exe
 - Some Taskmgr.exe related activity
diff --git a/rules/windows/powershell/powershell_script/powershell_suspicious_extracting.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_extracting.yml
new file mode 100644
index 000000000..b8be6f52d
--- /dev/null
+++ b/rules/windows/powershell/powershell_script/powershell_suspicious_extracting.yml
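Review bot: The `description` says `Attempts to access unattend.xml`, but `category: file_event` is file creation telemetry (Sysmon event 11 in the default mapping), so `TargetFilename|endswith: '\unattend.xml'` fires when the file is written by Windows Setup, sysprep or deployment tooling and stays silent when the file is read, which is the behaviour the description itself ("their contents will be displayed") and the referenced atomic test describe. Either describe the rule as what it detects (`Detects creation or modification of unattend.xml, which may hold deployment credentials`) or move it to object-access auditing (`service: security`, EventID 4663 with `ObjectName|endswith`), which records reads. The Panther directory named in the description is not part of the selection; adding `TargetFilename|contains: '\Panther\'` would make the rule match its own text and cut installer noise.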
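Review bot: `filter_thor` excludes any `thor.exe` or `thor64.exe` whose `ProcessName` starts with `C:\Windows\Temp\asgard2-agent\`, identified by path alone; Defender event 1121 carries no signer or hash field, so this is a path-trust exclusion under a directory that is generally writable, and the rule should say so. At minimum add the scanner to `falsepositives` (`- THOR scans launched by the ASGARD agent`) so the exception is visible to whoever tunes the rule, and bump `modified:`; the rule header is outside this hunk, so I cannot see whether that happened.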
@@ -0,0 +1,29 @@
+title: Extracting Information with PowerShell
+id: bd5971a7-626d-46ab-8176-ed643f694f68
+status: experimental
+author: frack113
+date: 2021/12/19
+description: |
+ Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.
+ These can be files created by users to store their own credentials, shared credential stores for a group of individuals,
+ configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md
+logsource:
+ product: windows
+ category: ps_script
+ definition: Script block logging must be enabled
+detection:
+ selection:
+ ScriptBlockText|contains|all:
+ - ls
+ - ' -R'
+ - 'select-string '
+ - '-Pattern '
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.credential_access
+ - attack.t1552.001
\ No newline at end of file
diff --git a/rules/windows/process_creation/process_creation_advanced_ip_scanner.yml b/rules/windows/process_creation/process_creation_advanced_ip_scanner.yml
index 36e07720e..7951cf4e1
--- a/rules/windows/process_creation/process_creation_advanced_ip_scanner.yml
+++ b/rules/windows/process_creation/process_creation_advanced_ip_scanner.yml
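Review bot: In `ScriptBlockText|contains|all` the unquoted `ls` matches any script block containing those two letters (`false`, `$results`, `tools`), so it adds no selectivity and the rule effectively keys on `' -R'`, `'select-string '` and `'-Pattern '` alone. Use an anchored alias or the cmdlet name, e.g. `- 'ls '` or `- 'Get-ChildItem'`, and quote it like the other entries. The file also lacks a trailing newline (`\ No newline at end of file`), as does `process_creation_automated_collection.yml` later in this commit.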
@@ -8,19 +8,25 @@ references:
 - https://labs.f-secure.com/blog/prelude-to-ransomware-systembc
 - https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf
 - https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer
-author: '@ROxPinTeddy'
+ - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner
+author: '@ROxPinTeddy, Nasreddine Bencherchali @nas_bench'
 date: 2020/05/12
-modified: 2021/09/12
+modified: 2021/12/18
 tags:
 - attack.discovery
 - attack.t1046
+ - attack.t1135
 logsource:
 category: process_creation
 product: windows
 detection:
- selection:
+ selection1:
 Image|contains: '\advanced_ip_scanner'
- condition: selection
+ selection2:
+ CommandLine|contains|all:
+ - '/portable'
+ - '/lng'
+ condition: 1 of selection*
 falsepositives:
 - Legitimate administrative use
 level: medium
diff --git a/rules/windows/process_creation/process_creation_advanced_port_scanner.yml b/rules/windows/process_creation/process_creation_advanced_port_scanner.yml
new file mode 100644
index 000000000..e99b5dc3d
--- /dev/null
+++ b/rules/windows/process_creation/process_creation_advanced_port_scanner.yml
@@ -0,0 +1,27 @@
+title: Advanced Port Scanner
+id: 54773c5f-f1cc-4703-9126-2f797d96a69d
+status: experimental
+description: Detects the use of Advanced Port Scanner.
+references:
+ - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20Port%20Scanner
+author: Nasreddine Bencherchali @nas_bench
+date: 2021/12/18
+tags:
+ - attack.discovery
+ - attack.t1046
+ - attack.t1135
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ Image|contains: '\advanced_port_scanner'
+ selection2:
+ CommandLine|contains|all:
+ - '/portable'
+ - '/lng'
+ condition: 1 of selection*
+falsepositives:
+ - Legitimate administrative use
+ - Tools with similar commandline (very rare)
+level: medium
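Review bot: The new `selection2` (`CommandLine|contains|all` on `'/portable'` and `'/lng'`) has no `Image` or `OriginalFileName` constraint, so the Advanced IP Scanner rule now fires on any process started with those two switches, yet its `falsepositives` still lists only `Legitimate administrative use`; the new `process_creation_advanced_port_scanner.yml` in the same hunk acknowledges this with `- Tools with similar commandline (very rare)`, and the IP scanner rule should carry the same line. Because both rules use an identical `selection2`, a single launch of either tool with those switches raises both alerts; either move the command-line-only match into one rule or note the overlap in each description.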
diff --git a/rules/windows/process_creation/process_creation_automated_collection.yml b/rules/windows/process_creation/process_creation_automated_collection.yml
index ab979f738..05550d6de
--- a/rules/windows/process_creation/process_creation_automated_collection.yml
+++ b/rules/windows/process_creation/process_creation_automated_collection.yml
@@ -6,9 +6,7 @@ date: 2021/07/28
 description: Once established within a system or network, an adversary may use automated techniques for collecting internal data.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md
-tags:
- - attack.collection
- - attack.t1119
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md
 logsource:
 category: process_creation
 product: windows
@@ -31,8 +29,15 @@ detection:
 - ' /s '
 selection_findstr:
 OriginalFileName: FINDSTR.EXE
- CommandLine|contains: ' /e '
+ CommandLine|contains:
+ - ' /e '
+ - ' /si '
 condition: selection_ext and (selection_dir or selection_findstr)
 falsepositives:
 - Unknown
 level: medium
+tags:
+ - attack.collection
+ - attack.t1119
+ - attack.credential_access
+ - attack.t1552.001
\ No newline at end of file
diff --git a/rules/windows/process_creation/process_creation_cleanwipe.yml b/rules/windows/process_creation/process_creation_cleanwipe.yml
new file mode 100644
index 000000000..01a59704d
--- /dev/null
+++ b/rules/windows/process_creation/process_creation_cleanwipe.yml
@@ -0,0 +1,33 @@
+title: CleanWipe Usage
+id: f44800ac-38ec-471f-936e-3fa7d9c53100
+status: experimental
+description: Detects the use of CleanWipe a tool usually used to delete Symantec antivirus.
+references:
+ - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/CleanWipe
+author: Nasreddine Bencherchali @nas_bench
+date: 2021/12/18
+tags:
+ - attack.defense_evasion
+ - attack.t1562.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ Image|endswith:
+ - '\SepRemovalToolNative_x64.exe'
+ selection2:
+ Image|endswith: '\CATClean.exe'
+ CommandLine|contains: '--uninstall'
+ selection3:
+ Image|endswith: '\NetInstaller.exe'
+ CommandLine|contains: '-r'
+ selection4:
+ Image|endswith: '\WFPUnins.exe'
+ CommandLine|contains|all:
+ - '/uninstall'
+ - '/enterprise'
+ condition: 1 of selection*
+falsepositives:
+ - Legitimate administrative use
+level: medium
diff --git a/rules/windows/process_creation/process_creation_shell_spawn_by_java.yml b/rules/windows/process_creation/process_creation_shell_spawn_by_java.yml
new file mode 100644
index 000000000..9adb6d3c1
--- /dev/null
+++ b/rules/windows/process_creation/process_creation_shell_spawn_by_java.yml
@@ -0,0 +1,24 @@
+title: Shells Spawn by Java
+id: dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0
+description: Detects shell spawn from Java host process, which could a maintenance task or some kind of exploitation (e.g. log4j exploitation)
+status: experimental
+author: Andreas Hunkeler (@Karneades)
+date: 2021/12/17
+modified: 2021/12/18
+tags:
+ - attack.initial_access
+ - attack.persistence
+ - attack.privilege_escalation
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage|endswith: '\java.exe'
+ Image|endswith:
+ - '\cmd.exe'
+ condition: selection
+falsepositives:
+ - Legitimate calls to system binaries
+ - Company specific internal usage
+level: medium
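Review bot: `selection3` pairs `Image|endswith: '\NetInstaller.exe'` with `CommandLine|contains: '-r'`, and a two-character substring such as `-r` occurs in almost any command line (`-reinstall`, `--remove`, a host name containing `-r`), so the generic image name is the only real constraint there; if the CleanWipe switch is a stand-alone `-r`, anchor it with the surrounding spacing (`' -r'` or `' -r '`) as documented in the descriptor under `references`. `selection1` wraps a single value in a list under `Image|endswith:`; a plain scalar would match the style of `selection2`-`selection4`.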
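Review bot: `ParentImage|endswith: '\java.exe'` misses JVMs hosted by `javaw.exe`, which is how many desktop and service-wrapped Java applications run, so the parent match should be a list that also contains `- '\javaw.exe'`; the same gap exists in `process_creation_susp_shell_spawn_by_java.yml` later in this commit. The `description` reads `which could a maintenance task`; `which could be a maintenance task`. The three tactic tags carry no technique; `attack.t1190` matches the log4j exploitation case the description names.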
diff --git a/rules/windows/process_creation/process_creation_susp_non_exe_image.yml b/rules/windows/process_creation/process_creation_susp_non_exe_image.yml
index 34e5ea5c1..9d0b32c5b
--- a/rules/windows/process_creation/process_creation_susp_non_exe_image.yml
+++ b/rules/windows/process_creation/process_creation_susp_non_exe_image.yml
@@ -17,8 +17,10 @@ detection:
 Image|endswith: '.exe'
 filter_null:
 Image: null
- filter_msi:
+ filter_starts:
 Image|startswith: 'C:\Windows\Installer\MSI'
+ filter_pstarts:
+ ParentImage|startswith: 'C:\ProgramData\Avira\'
 filter_avira:
 Image|startswith: 'C:\Windows\Temp\'
 Image|endswith: '\avira_speedup_setup_update.tmp'
diff --git a/rules/windows/process_creation/process_creation_susp_shell_spawn_by_java.yml b/rules/windows/process_creation/process_creation_susp_shell_spawn_by_java.yml
new file mode 100644
index 000000000..cdd6211d3
--- /dev/null
+++ b/rules/windows/process_creation/process_creation_susp_shell_spawn_by_java.yml
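Review bot: Renaming `filter_msi` to `filter_starts` is only safe if the `condition` (outside this hunk) selects the filters with a wildcard such as `1 of filter_*`; if it names `filter_msi` explicitly the rule no longer compiles after this change, so please confirm. `filter_pstarts` excludes every child of any process under `C:\ProgramData\Avira\`, a directory tree whose sub-folders are often writable by standard users, which is a broad parent-based exception for a rule whose purpose is to catch images without an `.exe` suffix; narrowing it to the specific Avira parent binary with `ParentImage|endswith` keeps the false-positive fix without trusting a whole directory. The `modified` line is not in this hunk either and should be bumped.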
@@ -0,0 +1,42 @@
+title: Suspicious Shells Spawn by Java
+id: 0d34ed8b-1c12-4ff2-828c-16fc860b766d
+description: Detects suspicious shell spawn from Java host process (e.g. log4j exploitation)
+status: experimental
+author: Andreas Hunkeler (@Karneades), Florian Roth
+date: 2021/12/17
+modified: 2021/12/18
+tags:
+ - attack.initial_access
+ - attack.persistence
+ - attack.privilege_escalation
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ ParentImage|endswith: '\java.exe'
+ Image|endswith:
+ - '\sh.exe'
+ - '\bash.exe'
+ - '\powershell.exe'
+ - '\schtasks.exe'
+ - '\certutil.exe'
+ - '\whoami.exe'
+ - '\bitsadmin.exe'
+ - '\wscript.exe'
+ - '\cscript.exe'
+ - '\scrcons.exe'
+ - '\regsvr32.exe'
+ - '\hh.exe'
+ - '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/
+ - '\mshta.exe'
+ - '\rundll32.exe'
+ - '\forfiles.exe'
+ - '\scriptrunner.exe'
+ - '\mftrace.exe'
+ - '\AppVLP.exe'
+ condition: selection
+falsepositives:
+ - Legitimate calls to system binaries
+ - Company specific internal usage
+level: high
diff --git a/rules/windows/process_creation/win_mimikatz_command_line.yml b/rules/windows/process_creation/win_mimikatz_command_line.yml
index 6a3664a42..c876678d4
--- a/rules/windows/process_creation/win_mimikatz_command_line.yml
+++ b/rules/windows/process_creation/win_mimikatz_command_line.yml
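Review bot: The child list under `Image|endswith` includes `'\powershell.exe'` but not `'\pwsh.exe'`, so PowerShell 7 started by `java.exe` escapes this high-level rule while the same command through Windows PowerShell does not; add `- '\pwsh.exe'`. The inline `# https://app.any.run/...` comment on the `wmic.exe` line is a source and belongs under `references`, which this rule currently lacks altogether.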
@@ -2,11 +2,20 @@ title: Mimikatz Command Line
 id: a642964e-bead-4bed-8910-1bb4d63e3b4d
 status: test
 description: Detection well-known mimikatz command line arguments
-author: Teymur Kheirkhabarov, oscd.community
+author: Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords)
 references:
 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+ - https://tools.thehacker.recipes/mimikatz/modules
 date: 2019/10/22
-modified: 2021/11/27
+modified: 2021/12/20
+tags:
+ - attack.credential_access
+ - attack.t1003 # an old one
+ - attack.t1003.001
+ - attack.t1003.002
+ - attack.t1003.004
+ - attack.t1003.005
+ - attack.t1003.006
 logsource:
 category: process_creation
 product: windows
@@ -15,7 +24,7 @@ detection:
 CommandLine|contains:
 - DumpCreds
 - invoke-mimikatz
- selection_2:
+ module_names:
 CommandLine|contains:
 - rpc
 - token
@@ -26,18 +35,24 @@ detection:
 - lsadump
 - privilege
 - process
- selection_3:
+ - vault
+ mimikatz_separator:
 CommandLine|contains:
 - '::'
- condition: selection_1 or selection_2 and selection_3
+ function_names: # To cover functions from modules that are not in module_names (likely too generic)
+ CommandLine|contains:
+ - 'aadcookie' #misc module
+ - 'detours' #misc module
+ - 'memssp' #misc module
+ - 'mflt' #misc module
+ - 'ncroutemon' #misc module
+ - 'ngcsign' #misc module
+ - 'printnightmare' #misc module
+ - 'skeleton' #misc module
+ - 'preshutdown' #service module
+ - 'mstsc' #ts module
+ - 'multirdp' #ts module
+ condition: selection_1 or (module_names and mimikatz_separator) or (function_names and mimikatz_separator)
 falsepositives:
 - Legitimate Administrator using tool for password recovery
 level: medium
-tags:
- - attack.credential_access
- - attack.t1003 # an old one
- - attack.t1003.001
- - attack.t1003.002
- - attack.t1003.004
- - attack.t1003.005
- - attack.t1003.006
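Review bot: In the third hunk `function_names` is ANDed only with `mimikatz_separator`, i.e. with the substring `'::'`, and `::` is common in benign command lines (PowerShell static calls like `[System.IO.File]::ReadAllText`, C++ symbol names, IPv6 literals), so `'mstsc'` fires on `mstsc /v:[fe80::1]` (constructed example) and ordinary words such as `'skeleton'`, `'detours'` or `'preshutdown'` fire on any script that also contains a static member call. The comment says the bare module names (`misc`, `service`, `ts`) were left out as too generic; matching the full `module::function` pair gives the same coverage without the separator ambiguity, and the separator requirement can then be dropped for that selection. The `condition` line needs the matching adjustment shown below.
```yaml
# … unchanged: selection_1, module_names, mimikatz_separator …
    function_names: # full module::function pairs for modules too generic to list in module_names
      CommandLine|contains:
        - 'misc::aadcookie'
        - 'misc::detours'
        - 'misc::memssp'
        - 'misc::mflt'
        - 'misc::ncroutemon'
        - 'misc::ngcsign'
        - 'misc::printnightmare'
        - 'misc::skeleton'
        - 'service::preshutdown'
        - 'ts::mstsc'
        - 'ts::multirdp'
    condition: selection_1 or (module_names and mimikatz_separator) or function_names
```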
diff --git a/rules/windows/process_creation/win_pc_sqlcmd_veeam_dump.yml b/rules/windows/process_creation/win_pc_sqlcmd_veeam_dump.yml
new file mode 100644
index 000000000..897fde0bb
--- /dev/null
+++ b/rules/windows/process_creation/win_pc_sqlcmd_veeam_dump.yml
@@ -0,0 +1,27 @@
+title: VeeamBackup Database Credentials Dump
+id: b57ba453-b384-4ab9-9f40-1038086b4e53
+status: experimental
+author: frack113
+date: 2021/12/20
+description: Detects dump of credentials in VeeamBackup dbo
+references:
+ - https://thedfirreport.com/2021/12/13/diavol-ransomware/
+ - https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html
+tags:
+ - attack.collection
+ - attack.t1005
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_tools:
+ Image|endswith: '\sqlcmd.exe'
+ selection_query:
+ CommandLine|contains|all:
+ - 'SELECT'
+ - 'TOP'
+ - '[VeeamBackup].[dbo].[Credentials]'
+ condition: all of selection*
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/win_pc_susp_reg_open_command.yml b/rules/windows/process_creation/win_pc_susp_reg_open_command.yml
new file mode 100644
index 000000000..d189fee78
--- /dev/null
+++ b/rules/windows/process_creation/win_pc_susp_reg_open_command.yml
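Review bot: `selection_query` requires `'TOP'` alongside `'SELECT'` and the table name, so a plain `SELECT * FROM [VeeamBackup].[dbo].[Credentials]` (constructed example) passed to `sqlcmd.exe` is not matched although it reads exactly the same data; the table name together with `sqlcmd.exe` is specific enough on its own, so drop `- 'TOP'` and consider dropping `- 'SELECT'` as well. The tags `attack.collection` / `attack.t1005` describe local file collection, whereas reading stored credentials out of an application database is credential access; `attack.credential_access` with `attack.t1555` is the closer mapping.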
@@ -0,0 +1,38 @@
+title: Suspicious Reg Add Open Command
+id: dd3ee8cc-f751-41c9-ba53-5a32ed47e563
+status: experimental
+description: Threat actors performed dumping of SAM, SECURITY and SYSTEM registry hives using DelegateExecute key
+references:
+ - https://thedfirreport.com/2021/12/13/diavol-ransomware/
+author: frack113
+date: 2021/12/20
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_1:
+ CommandLine|contains|all:
+ - 'reg'
+ - 'add'
+ - 'hkcu\software\classes\ms-settings\shell\open\command'
+ - '/ve '
+ - '/d'
+ selection_2:
+ CommandLine|contains|all:
+ - 'reg'
+ - 'add'
+ - 'hkcu\software\classes\ms-settings\shell\open\command'
+ - '/v'
+ - 'DelegateExecute'
+ selection_3:
+ CommandLine|contains|all:
+ - 'reg'
+ - 'delete'
+ - 'hkcu\software\classes\ms-settings'
+ condition: 1 of selection_*
+falsepositives:
+ - unknown
+level: medium
+tags:
+ - attack.credential_access
+ - attack.t1003
diff --git a/rules/windows/process_creation/win_pc_susp_regsvr32_image.yml b/rules/windows/process_creation/win_pc_susp_regsvr32_image.yml
index dc43c5d12..4f232b8ce
--- a/rules/windows/process_creation/win_pc_susp_regsvr32_image.yml
+++ b/rules/windows/process_creation/win_pc_susp_regsvr32_image.yml
@@ -4,6 +4,7 @@ status: experimental
 description: utilizes REGSVR32.exe to execute this DLL masquerading as a Image file
 references:
 - https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/
+ - https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html
 tags:
 - attack.defense_evasion
 - attack.t1218.010
diff --git a/rules/windows/process_creation/win_susp_csc_folder.yml b/rules/windows/process_creation/win_susp_csc_folder.yml
index 108e06b1f..96ff5178b
--- a/rules/windows/process_creation/win_susp_csc_folder.yml
+++ b/rules/windows/process_creation/win_susp_csc_folder.yml
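Review bot: All three selections key on `hkcu\software\classes\ms-settings\shell\open\command` and `DelegateExecute`, which is the registry setup for the ms-settings UAC bypass, not a hive dump; the `description` (`dumping of SAM, SECURITY and SYSTEM registry hives using DelegateExecute key`) and the tags `attack.credential_access` / `attack.t1003` describe what the referenced report says was run through the bypass, not what this rule observes. Re-tag as `attack.privilege_escalation`, `attack.defense_evasion` and `attack.t1548.002`, and reword the description along the lines of `Detects reg.exe writing the ms-settings shell\open\command key with DelegateExecute, a UAC bypass (observed in the Diavol intrusion before registry hive dumping)`. The `'/d'` and `'/v'` substrings add little since `/delete` and `/ve` contain them, but the key path keeps the selections specific enough.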
@@ -35,4 +35,4 @@ detection:
 falsepositives:
 - https://twitter.com/gN3mes1s/status/1206874118282448897
 - https://twitter.com/gabriele_pippi/status/1206907900268072962
-level: high
+level: medium
diff --git a/rules/windows/process_creation/win_susp_nt_resource_kit_auditpol_usage.yml b/rules/windows/process_creation/win_susp_nt_resource_kit_auditpol_usage.yml
new file mode 100644
index 000000000..fbb423399
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_nt_resource_kit_auditpol_usage.yml
@@ -0,0 +1,28 @@
+title: Suspicious NT Resource Kit Auditpol Usage
+id: c6c56ada-612b-42d1-9a29-adad3c5c2c1e
+description: Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
+status: experimental
+author: Nasreddine Bencherchali @nas_bench
+references:
+ - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Windows%202000%20Resource%20Kit%20Tools/AuditPol
+date: 2021/12/18
+tags:
+ - attack.defense_evasion
+ - attack.t1562.002
+level: high
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains:
+ - '/logon:none'
+ - '/system:none'
+ - '/sam:none'
+ - '/privilege:none'
+ - '/object:none'
+ - '/process:none'
+ - '/policy:none'
+ condition: selection
+falsepositives:
+ - Unknown
diff --git a/rules/windows/process_creation/win_susp_psloglist.yml b/rules/windows/process_creation/win_susp_psloglist.yml
new file mode 100644
index 000000000..01fe56869
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_psloglist.yml
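Review bot: In `win_susp_nt_resource_kit_auditpol_usage.yml` the `level: high` line sits between `tags` and `logsource`, while every other rule in this commit keeps `level` next to `falsepositives` at the end of the file; moving it there keeps the layout uniform for readers and tooling. The `selection` is intentionally command-line only (the resource-kit binary can be renamed), so it would help to state in `falsepositives` or the description that the `/<category>:none` syntax is specific to the legacy tool and is not produced by the modern `auditpol.exe /set` form, since that is what justifies `level: high` with no image constraint.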
@@ -0,0 +1,42 @@
+title: Suspicious Use of PsLogList
+id: aae1243f-d8af-40d8-ab20-33fc6d0c55bc
+description: Threat actors can use the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery.
+status: experimental
+references:
+ - https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/
+ - https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos
+ - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList
+author: Nasreddine Bencherchali @nas_bench
+date: 2021/12/18
+tags:
+ - attack.discovery
+ - attack.t1087
+ - attack.t1087.001
+ - attack.t1087.002
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection1:
+ OriginalFileName|contains: 'psloglist'
+ selection2:
+ Image|endswith:
+ - '\psloglist.exe'
+ - '\psloglist64.exe'
+ flags:
+ CommandLine|contains:
+ - '-d'
+ - '/d'
+ - '-x'
+ - '/x'
+ - '-s'
+ - '/s'
+ other:
+ CommandLine|contains|all:
+ - 'security'
+ - 'accepteula'
+ condition: (1 of selection*) or (flags and other)
+falsepositives:
+ - Another tool that uses the command line switches of PsLogList
+ - Legitimate use of PsLogList by an administrator
+level: medium
diff --git a/rules/windows/process_access/win_susp_shell_spawn_from_winrm.yml b/rules/windows/process_creation/win_susp_shell_spawn_from_winrm.yml
similarity index 100%
rename from rules/windows/process_access/win_susp_shell_spawn_from_winrm.yml
rename to rules/windows/process_creation/win_susp_shell_spawn_from_winrm.yml
diff --git a/rules/windows/process_creation/win_susp_system_user_anomaly.yml b/rules/windows/process_creation/win_susp_system_user_anomaly.yml
index 1e4297287..630cb6612
--- a/rules/windows/process_creation/win_susp_system_user_anomaly.yml
+++ b/rules/windows/process_creation/win_susp_system_user_anomaly.yml
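Review bot: `condition: (1 of selection*) or (flags and other)` alerts on every execution whose image or original file name is PsLogList regardless of switches, so `flags` and `other` only matter for renamed copies and the rule is really "any PsLogList use" rather than the "Suspicious Use" in the title; administrators running it for routine log review will trigger it every time, as the second `falsepositives` entry already concedes. If the intent is to alert on dump-style usage, tie the tool match to the switches: `condition: (1 of selection* and flags) or (flags and other)`. If any use is meant to alert, say so in `title` and `description` so the level can be judged on that basis.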
@@ -4,8 +4,9 @@ status: experimental
 description: Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
 references:
 - Internal Research
-author: Florian Roth
-date: 2021/12/08
+ - https://tools.thehacker.recipes/mimikatz/modules
+author: Florian Roth (rule), David ANDRE (additional keywords)
+date: 2021/12/20
 logsource:
 category: process_creation
 product: windows
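Review bot: The hunk replaces `date: 2021/12/08` with `date: 2021/12/20` instead of adding a `modified:` line; in this rule set `date` is the creation date and edits are recorded in `modified` (the other edited rules in this commit, e.g. `win_alert_mimikatz_keywords.yml` and `win_mimikatz_command_line.yml`, do exactly that), so the original date should be restored and `modified: 2021/12/20` added below it.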
@@ -46,7 +47,179 @@ detection:
 - '.downloadstring(' # PowerShell download command
 - '.downloadfile(' # PowerShell download command
 - ' /ticket:' # Rubeus
- - ' sekurlsa' # Mimikatz
+ - 'sekurlsa::logonpasswords' #Mimikatz
+ - 'crypto::capi' #Mimikatz
+ - 'crypto::certificates' #Mimikatz
+ - 'crypto::certtohw' #Mimikatz
+ - 'crypto::cng' #Mimikatz
+ - 'crypto::extract' #Mimikatz
+ - 'crypto::hash' #Mimikatz
+ - 'crypto::keys' #Mimikatz
+ - 'crypto::providers' #Mimikatz
+ - 'crypto::sc' #Mimikatz
+ - 'crypto::scauth' #Mimikatz
+ - 'crypto::stores' #Mimikatz
+ - 'crypto::system' #Mimikatz
+ - 'crypto::tpminfo' #Mimikatz
+ - 'dpapi::blob' #Mimikatz
+ - 'dpapi::cache' #Mimikatz
+ - 'dpapi::capi' #Mimikatz
+ - 'dpapi::chrome' #Mimikatz
+ - 'dpapi::cloudapkd' #Mimikatz
+ - 'dpapi::cloudapreg' #Mimikatz
+ - 'dpapi::cng' #Mimikatz
+ - 'dpapi::create' #Mimikatz
+ - 'dpapi::cred' #Mimikatz
+ - 'dpapi::credhist' #Mimikatz
+ - 'dpapi::luna' #Mimikatz
+ - 'dpapi::masterkey' #Mimikatz
+ - 'dpapi::protect' #Mimikatz
+ - 'dpapi::ps' #Mimikatz
+ - 'dpapi::rdg' #Mimikatz
+ - 'dpapi::sccm' #Mimikatz
+ - 'dpapi::ssh' #Mimikatz
+ - 'dpapi::tpm' #Mimikatz
+ - 'dpapi::vault' #Mimikatz
+ - 'dpapi::wifi' #Mimikatz
+ - 'dpapi::wwman' #Mimikatz
+ - 'event::clear' #Mimikatz
+ - 'event::drop' #Mimikatz
+ - 'id::modify' #Mimikatz
+ - 'kerberos::ask' #Mimikatz
+ - 'kerberos::clist' #Mimikatz
+ - 'kerberos::golden' #Mimikatz
+ - 'kerberos::hash' #Mimikatz
+ - 'kerberos::list' #Mimikatz
+ - 'kerberos::ptc' #Mimikatz
+ - 'kerberos::ptt' #Mimikatz
+ - 'kerberos::purge' #Mimikatz
+ - 'kerberos::tgt' #Mimikatz
+ - 'lsadump::backupkeys' #Mimikatz
+ - 'lsadump::cache' #Mimikatz
+ - 'lsadump::changentlm' #Mimikatz
+ - 'lsadump::dcshadow' #Mimikatz
+ - 'lsadump::dcsync' #Mimikatz
+ - 'lsadump::lsa' #Mimikatz
+ - 'lsadump::mbc' #Mimikatz
+ - 'lsadump::netsync' #Mimikatz
+ - 'lsadump::packages' #Mimikatz
+ - 'lsadump::postzerologon' #Mimikatz
+ - 'lsadump::RpData' #Mimikatz
+ - 'lsadump::sam' #Mimikatz
+ - 'lsadump::secrets' #Mimikatz
+ - 'lsadump::setntlm' #Mimikatz
+ - 'lsadump::trust' #Mimikatz
+ - 'lsadump::zerologon' #Mimikatz
+ - 'misc::aadcookie' #Mimikatz
+ - 'misc::clip' #Mimikatz
+ - 'misc::cmd' #Mimikatz
+ - 'misc::compress' #Mimikatz
+ - 'misc::detours' #Mimikatz
+ - 'misc::efs' #Mimikatz
+ - 'misc::lock' #Mimikatz
+ - 'misc::memssp' #Mimikatz
+ - 'misc::mflt' #Mimikatz
+ - 'misc::ncroutemon' #Mimikatz
+ - 'misc::ngcsign' #Mimikatz
+ - 'misc::printnightmare' #Mimikatz
+ - 'misc::regedit' #Mimikatz
+ - 'misc::sccm' #Mimikatz
+ - 'misc::shadowcopies' #Mimikatz
+ - 'misc::skeleton' #Mimikatz
+ - 'misc::spooler' #Mimikatz
+ - 'misc::taskmgr' #Mimikatz
+ - 'misc::wp' #Mimikatz
+ - 'misc::xor' #Mimikatz
+ - 'net::alias' #Mimikatz
+ - 'net::deleg' #Mimikatz
+ - 'net::group' #Mimikatz
+ - 'net::if' #Mimikatz
+ - 'net::serverinfo' #Mimikatz
+ - 'net::session' #Mimikatz
+ - 'net::share' #Mimikatz
+ - 'net::stats' #Mimikatz
+ - 'net::tod' #Mimikatz
+ - 'net::trust' #Mimikatz
+ - 'net::user' #Mimikatz
+ - 'net::wsession' #Mimikatz
+ - 'privilege::backup' #Mimikatz
+ - 'privilege::debug' #Mimikatz
+ - 'privilege::driver' #Mimikatz
+ - 'privilege::id' #Mimikatz
+ - 'privilege::name' #Mimikatz
+ - 'privilege::restore' #Mimikatz
+ - 'privilege::security' #Mimikatz
+ - 'privilege::sysenv' #Mimikatz
+ - 'privilege::tcb' #Mimikatz
+ - 'process::exports' #Mimikatz
+ - 'process::imports' #Mimikatz
+ - 'process::list' #Mimikatz
+ - 'process::resume' #Mimikatz
+ - 'process::run' #Mimikatz
+ - 'process::runp' #Mimikatz
+ - 'process::start' #Mimikatz
+ - 'process::stop' #Mimikatz
+ - 'process::suspend' #Mimikatz
+ - 'rpc::close' #Mimikatz
+ - 'rpc::connect' #Mimikatz
+ - 'rpc::enum' #Mimikatz
+ - 'rpc::server' #Mimikatz
+ - 'sekurlsa::backupkeys' #Mimikatz
+ - 'sekurlsa::bootkey' #Mimikatz
+ - 'sekurlsa::cloudap' #Mimikatz
+ - 'sekurlsa::credman' #Mimikatz
+ - 'sekurlsa::dpapi' #Mimikatz
+ - 'sekurlsa::dpapisystem' #Mimikatz
+ - 'sekurlsa::ekeys' #Mimikatz
+ - 'sekurlsa::kerberos' #Mimikatz
+ - 'sekurlsa::krbtgt' #Mimikatz
+ - 'sekurlsa::livessp' #Mimikatz
+ - 'sekurlsa::minidump' #Mimikatz
+ - 'sekurlsa::msv' #Mimikatz
+ - 'sekurlsa::process' #Mimikatz
+ - 'sekurlsa::pth' #Mimikatz
+ - 'sekurlsa::ssp' #Mimikatz
+ - 'sekurlsa::tickets' #Mimikatz
+ - 'sekurlsa::trust' #Mimikatz
+ - 'sekurlsa::tspkg' #Mimikatz
+ - 'sekurlsa::wdigest' #Mimikatz
+ - 'service::me' #Mimikatz
+ - 'service::preshutdown' #Mimikatz
+ - 'service::remove' #Mimikatz
+ - 'service::resume' #Mimikatz
+ - 'service::shutdown' #Mimikatz
+ - 'service::start' #Mimikatz
+ - 'service::stop' #Mimikatz
+ - 'service::suspend' #Mimikatz
+ - 'sid::add' #Mimikatz
+ - 'sid::clear' #Mimikatz
+ - 'sid::lookup' #Mimikatz
+ - 'sid::modify' #Mimikatz
+ - 'sid::patch' #Mimikatz
+ - 'sid::query' #Mimikatz
+ - 'standard::answer' #Mimikatz
+ - 'standard::base64' #Mimikatz
+ - 'standard::cd' #Mimikatz
+ - 'standard::cls' #Mimikatz
+ - 'standard::coffee' #Mimikatz
+ - 'standard::exit' #Mimikatz
+ - 'standard::hostname' #Mimikatz
+ - 'standard::localtime' #Mimikatz
+ - 'standard::log' #Mimikatz
+ - 'standard::sleep' #Mimikatz
+ - 'standard::version' #Mimikatz
+ - 'token::elevate' #Mimikatz
+ - 'token::list' #Mimikatz
+ - 'token::revert' #Mimikatz
+ - 'token::run' #Mimikatz
+ - 'token::whoami' #Mimikatz
+ - 'ts::logonpasswords' #Mimikatz
+ - 'ts::mstsc' #Mimikatz
+ - 'ts::multirdp' #Mimikatz
+ - 'ts::remote' #Mimikatz
+ - 'ts::sessions' #Mimikatz
+ - 'vault::cred' #Mimikatz
+ - 'vault::list' #Mimikatz
 - ' p::d ' # Mimikatz
 - ';iex(' # PowerShell IEX
 - 'MiniDump' # Process dumping method apart from procdump
diff --git a/rules/windows/process_creation/win_using_sc_to_hide_sevices.yml b/rules/windows/process_creation/win_using_sc_to_hide_sevices.yml
new file mode 100644
index 000000000..ebc8bf7af
--- /dev/null
+++ b/rules/windows/process_creation/win_using_sc_to_hide_sevices.yml
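Review bot: The added keywords use `#Mimikatz` with no space after `#`, while every existing comment in this list (`# Rubeus`, `# PowerShell IEX`, the `# Mimikatz` on the `' p::d '` line) uses `# `; please normalise to `# Mimikatz` throughout the hunk. `'sekurlsa::logonpasswords'` is placed ahead of the alphabetical block instead of with the other `sekurlsa::` entries. Replacing the broad `' sekurlsa'` with an enumerated list is a narrowing: a SYSTEM-context command line mentioning `sekurlsa` with a function not in the list (or a future one) no longer matches, which deserves a sentence in the description if deliberate; and since the same list now lives in `win_alert_mimikatz_keywords.yml`, a comment pointing at the other copy would help keep the two in sync.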
@@ -0,0 +1,28 @@
+title: Abuse of Service Permissions to Hide Services in Tools
+id: a537cfc3-4297-4789-92b5-345bfd845ad0
+status: experimental
+description: Detection of sc.exe utility adding a new service with special permission which hides that service.
+author: Andreas Hunkeler (@Karneades)
+references:
+ - https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html
+ - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/
+date: 2021/12/20
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ sc:
+ Image|endswith: '\sc.exe'
+ cli:
+ CommandLine|contains|all:
+ - 'sdset'
+ - 'DCLCWPDTSD'
+ condition: sc and cli
+falsepositives:
+ - Intended use of hidden services
+level: high
+tags:
+ - attack.persistence
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1574.011
diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml
index 16f392ac1..574c513c8 100644
--- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml
+++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml
@@ -11,7 +11,7 @@ references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 date: 2019/10/25
-modified: 2021/12/18
+modified: 2021/12/19
 logsource:
 category: registry_event
 product: windows
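Review bot: The `sc` selector in the new rule keys only on `Image|endswith: '\sc.exe'`, so the same `sdset` command line issued through a copy of the binary under another name is not covered; turning the selector into a list so that either the path or the PE original name matches closes that gap: `sc:` / `- Image|endswith: '\sc.exe'` / `- OriginalFileName: 'sc.exe'`. The `description` says sc.exe is "adding a new service", but `sc sdset` rewrites the security descriptor of an existing service (as the SANS reference describes), so the wording should say it modifies service permissions rather than creates a service. A short comment on the indicator, such as `# deny-ACE rights string that hides the service from SCM enumeration (see SANS reference)`, would tell an analyst what `'DCLCWPDTSD'` means. The file name also spells "sevices" instead of "services"; renaming it before merge avoids a later churn commit.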
@@ -36,13 +36,17 @@ detection:
 - '\Authentication\PLAP Providers'
 - '\Authentication\Credential Providers'
 - '\Authentication\Credential Provider Filters'
- filter:
+ filter_all:
 - Details: '(Empty)'
 - TargetObject|endswith: '\NgcFirst\ConsecutiveSwitchCount'
 - Image|endswith: '\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe' # C:\Users\*\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe
 - Image:
 - 'C:\WINDOWS\system32\devicecensus.exe'
- condition: current_version_base and current_version and not filter
+ filter_edge:
+ Image|contains|all:
+ - 'C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{'
+ - '\setup.exe'
+ condition: current_version_base and current_version and not 1 of filter_*
 fields:
 - SecurityID
 - ObjectName
diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node.yml
index dd255205a..e7d956008 100644
--- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node.yml
+++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node.yml
@@ -11,7 +11,7 @@ references:
 - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns
 - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys
 date: 2019/10/25
-modified: 2021/12/05
+modified: 2021/12/19
 logsource:
 category: registry_event
 product: windows
@@ -27,9 +27,13 @@ detection:
 - '\Explorer\ShellExecuteHooks'
 - '\Explorer\SharedTaskScheduler'
 - '\Explorer\Browser Helper Objects'
- filter:
+ filter_empty:
 Details: '(Empty)'
- condition: wow_current_version_base and wow_current_version and not filter
+ filter_edge:
+ Image|contains|all:
+ - 'C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{'
+ - '\setup.exe'
+ condition: wow_current_version_base and wow_current_version and not 1 of filter_*
 fields:
 - SecurityID
 - ObjectName
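Review bot: The new `filter_edge` exclusion uses `Image|contains|all` for both fragments, so any image path that merely contains the EdgeUpdate install prefix somewhere and `\setup.exe` somewhere after it is dropped from the alert, not only the updater's own `setup.exe` directly under that directory; anchoring the two fragments keeps the exclusion to the intended binary: `filter_edge:` / `Image|startswith: 'C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{'` / `Image|endswith: '\setup.exe'`. The identical `filter_edge` block is added in the wow6432node hunk further down this line and in sysmon_registry_persistence_search_order.yml in the next hunk, so the same change applies to all three. The renamed filters are also spelled differently across the set (`filter_all` here, `filter_empty` in wow6432node) and the condition wildcard is `1 of filter_*` in these two rules but `1 of filter*` in the search-order rule; both forms work, but one naming scheme across the three rules is easier to maintain.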
diff --git a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml
index 5ddd4b648..fae7e7a86 100755
--- a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml
+++ b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml
@@ -51,6 +51,10 @@ detection:
 filter_nvidia:
 Details|contains:
 - '\FileRepository\nvmdi.inf'
+ filter_edge:
+ Image|contains|all:
+ - 'C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{'
+ - '\setup.exe'
 condition: selection and not 1 of filter*
 falsepositives:
 - Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level