From 93c5d8b361d82c1357fabebfaa9db088626cfd3a Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Wed, 15 Dec 2021 09:24:23 +0100 Subject: [PATCH 01/40] Add win_vul_cve_2021_42278_or_cve_2021-42287 --- ...n_vul_cve_2021_42278_or_cve_2021-42287.yml | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 rules/windows/builtin/system/win_vul_cve_2021_42278_or_cve_2021-42287.yml diff --git a/rules/windows/builtin/system/win_vul_cve_2021_42278_or_cve_2021-42287.yml b/rules/windows/builtin/system/win_vul_cve_2021_42278_or_cve_2021-42287.yml new file mode 100644 index 000000000..1c27d1cd9 --- /dev/null +++ b/rules/windows/builtin/system/win_vul_cve_2021_42278_or_cve_2021-42287.yml @@ -0,0 +1,33 @@ +title: Exploit SamAccountName Spoofing with Kerberos +id: 44bbff3e-4ca3-452d-a49a-6efa4cafa06f +status: experimental +description: | + The attacker creates a computer object using those permissions with a password known to her. + After that she clears the attribute ServicePrincipalName on the computer object. + Because she created the object (CREATOR OWNER), she gets granted additional permissions and can do many changes to the object. +references: + - https://cloudbrothers.info/en/exploit-kerberos-samaccountname-spoofing/?utm_source=Social&utm_medium=post&utm_campaign=log4j +author: frack113 +date: 2021/12/15 +logsource: + product: windows + service: system +detection: + selection: + Provider_Name: Microsoft-Windows-Kerberos-Key-Distribution-Center # Active Directory + EventID: + - 35 + - 36 + - 37 + - 38 + - 16990 + - 16991 + condition: selection +fields: + - samAccountName +falsepositives: + - Unknown +level: high +tags: + - attack.credential_access + - attack.t1558.003 \ No newline at end of file From 8908c4ca8e847b8b9bfa6059f2b48a8b34f1e65e Mon Sep 17 00:00:00 2001 
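Review bot: The `description` block is copied from the reference's attacker narrative (`The attacker creates a computer object ... known to her`) and never states what the rule detects, so an analyst receiving the alert has nothing to triage against. Suggest a detection-oriented description such as `Detects the KDC and SAM audit events (event IDs 35-38, 16990, 16991) that Microsoft added for sAMAccountName/PAC validation, which fire during CVE-2021-42278 / CVE-2021-42287 exploitation attempts`, checked against the referenced write-up. To my knowledge these event IDs are only emitted by domain controllers that have the November 2021 security updates installed, so a `definition:` line under `logsource` stating that prerequisite would stop the rule being deployed where it can never fire.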
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Wed, 15 Dec 2021 09:32:39 +0100 Subject: [PATCH 02/40] Add win_vul_cve_2021_42278_or_cve_2021_42287 --- ...021-42287.yml => win_vul_cve_2021_42278_or_cve_2021_42287.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/windows/builtin/system/{win_vul_cve_2021_42278_or_cve_2021-42287.yml => win_vul_cve_2021_42278_or_cve_2021_42287.yml} (100%) diff --git a/rules/windows/builtin/system/win_vul_cve_2021_42278_or_cve_2021-42287.yml b/rules/windows/builtin/system/win_vul_cve_2021_42278_or_cve_2021_42287.yml similarity index 100% rename from rules/windows/builtin/system/win_vul_cve_2021_42278_or_cve_2021-42287.yml rename to rules/windows/builtin/system/win_vul_cve_2021_42278_or_cve_2021_42287.yml From 4f866f8da3fdff9ff7aa50930fbc9d86591a123c Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Wed, 15 Dec 2021 10:04:37 +0100 Subject: [PATCH 03/40] fix detection --- .../system/win_vul_cve_2021_42278_or_cve_2021_42287.yml | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/rules/windows/builtin/system/win_vul_cve_2021_42278_or_cve_2021_42287.yml b/rules/windows/builtin/system/win_vul_cve_2021_42278_or_cve_2021_42287.yml index 1c27d1cd9..cef7ef843 100644 --- a/rules/windows/builtin/system/win_vul_cve_2021_42278_or_cve_2021_42287.yml +++ b/rules/windows/builtin/system/win_vul_cve_2021_42278_or_cve_2021_42287.yml @@ -13,16 +13,19 @@ logsource: product: windows service: system detection: - selection: + selection_1: Provider_Name: Microsoft-Windows-Kerberos-Key-Distribution-Center # Active Directory EventID: - 35 - 36 - 37 - 38 + selection_2: + Provider_Name: Microsoft-Windows-Directory-Services-SAM # Active Directory + EventID: - 16990 - 16991 - condition: selection + condition: selection_1 or selection_2 fields: - samAccountName falsepositives: From b368d036cf265ed680fe7b4a5ea2a36aa1ef36c0 Mon Sep 17 00:00:00 2001 
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Thu, 16 Dec 2021 22:44:45 +0100 Subject: [PATCH 04/40] change level to medium --- .../system/win_vul_cve_2021_42278_or_cve_2021_42287.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/windows/builtin/system/win_vul_cve_2021_42278_or_cve_2021_42287.yml b/rules/windows/builtin/system/win_vul_cve_2021_42278_or_cve_2021_42287.yml index cef7ef843..fe76fdee3 100644 --- a/rules/windows/builtin/system/win_vul_cve_2021_42278_or_cve_2021_42287.yml +++ b/rules/windows/builtin/system/win_vul_cve_2021_42278_or_cve_2021_42287.yml @@ -30,7 +30,7 @@ fields: - samAccountName falsepositives: - Unknown -level: high +level: medium tags: - attack.credential_access - - attack.t1558.003 \ No newline at end of file + - attack.t1558.003 From 1c789bd0807993e8ab8db9aad3d17152557d669a Mon Sep 17 00:00:00 2001 From: phantinuss <79651203+phantinuss@users.noreply.github.com> Date: Fri, 17 Dec 2021 09:20:21 +0100 Subject: [PATCH 05/40] fix: FP in Aviar installer --- .../process_creation_susp_non_exe_image.yml | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/rules/windows/process_creation/process_creation_susp_non_exe_image.yml b/rules/windows/process_creation/process_creation_susp_non_exe_image.yml index 40798a9ef..505621821 100644 --- a/rules/windows/process_creation/process_creation_susp_non_exe_image.yml +++ b/rules/windows/process_creation/process_creation_susp_non_exe_image.yml @@ -4,7 +4,7 @@ status: experimental description: Checks whether the image specified in a process creation event doesn't refer to an .exe file (caused by process ghosting or other unorthodox methods to start a process) author: Max Altgelt date: 2021/12/09 -modified: 2021/12/14 +modified: 2021/12/17 references: - https://pentestlaboratories.com/2021/12/08/process-ghosting/ tags: 
@@ -16,9 +16,10 @@ detection: image_exe: Image|endswith: '.exe' filter: - Image: null - Image|startswith: 'C:\Windows\Installer\MSI' - condition: not image_exe and not 1 of filter + - Image: null + - Image|startswith: 'C:\Windows\Installer\MSI' + - ParentImage|startswith: 'C:\ProgramData\Avira\' + condition: not image_exe and not filter falsepositives: - unknown level: high From 9ecacdaeea1606d5c834ab4adac33cc0d62c58f3 Mon Sep 17 00:00:00 2001 From: Andreas Hunkeler Date: Fri, 17 Dec 2021 17:31:06 +0100 Subject: [PATCH 06/40] Move winrm rule to process creation --- .../win_susp_shell_spawn_from_winrm.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename rules/windows/{process_access => process_creation}/win_susp_shell_spawn_from_winrm.yml (100%) diff --git a/rules/windows/process_access/win_susp_shell_spawn_from_winrm.yml b/rules/windows/process_creation/win_susp_shell_spawn_from_winrm.yml similarity index 100% rename from rules/windows/process_access/win_susp_shell_spawn_from_winrm.yml rename to rules/windows/process_creation/win_susp_shell_spawn_from_winrm.yml From 55c83e31c2a3315c6007d5d42bcbe4a57afb3e42 Mon Sep 17 00:00:00 2001 From: Andreas Hunkeler Date: Fri, 17 Dec 2021 17:40:38 +0100 Subject: [PATCH 07/40] rule: add new rule for java spawning suspicious binaries --- ...ss_creation_susp_shell_spawn_from_java.yml | 30 +++++++++++++++++++ 1 file changed, 30 insertions(+) create mode 100644 rules/windows/process_creation/process_creation_susp_shell_spawn_from_java.yml diff --git a/rules/windows/process_creation/process_creation_susp_shell_spawn_from_java.yml b/rules/windows/process_creation/process_creation_susp_shell_spawn_from_java.yml new file mode 100644 index 000000000..5e3f3342d --- /dev/null +++ b/rules/windows/process_creation/process_creation_susp_shell_spawn_from_java.yml 
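Review bot: The new `ParentImage|startswith: 'C:\ProgramData\Avira\'` entry in `filter` exempts every non-.exe image whose parent lives under that directory, and `C:\ProgramData` is writable by standard users by default, so the exclusion is keyed on a location an unprivileged account can populate rather than on the installer's identity. Prefer narrowing it to the observed installer, e.g. `- ParentImage|endswith: '\Avira\<installer-name>.exe'` (name taken from the FP sample), and add a comment `# Avira installer FP` so the reason survives future edits. The switch from `not 1 of filter` to `not filter` over a list of maps is equivalent in Sigma (list entries are OR-ed), so that part is fine.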
@@ -0,0 +1,30 @@ +title: Suspicious Shells Spawn by Java +id: 0d34ed8b-1c12-4ff2-828c-16fc860b766d +description: Detects suspicious shell spawn from Java host process (e.g. log4j exploitation) +status: experimental +author: Andreas Hunkeler (@Karneades) +date: 2021/12/17 +tags: + - attack.initial_access + - attack.persistence + - attack.privilege_escalation +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage: '*\java.exe' + Image: + - '*\cmd.exe' + - '*\sh.exe' + - '*\bash.exe' + - '*\powershell.exe' + - '*\schtasks.exe' + - '*\certutil.exe' + - '*\whoami.exe' + - '*\bitsadmin.exe' + condition: selection +falsepositives: + - Legitimate calls to system binaries + - Company specific internal usage +level: high From e20d8be164d3cd0bde6fb51cdcde09c74884054c Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 18 Dec 2021 06:39:14 +0100 Subject: [PATCH 08/40] refactor: split rule up into two, more susp sub procs --- .../process_creation_shell_spawn_by_java.yml | 24 +++++++++++ ...cess_creation_susp_shell_spawn_by_java.yml | 42 +++++++++++++++++++ ...ss_creation_susp_shell_spawn_from_java.yml | 30 ------------- 3 files changed, 66 insertions(+), 30 deletions(-) create mode 100644 rules/windows/process_creation/process_creation_shell_spawn_by_java.yml create mode 100644 rules/windows/process_creation/process_creation_susp_shell_spawn_by_java.yml delete mode 100644 rules/windows/process_creation/process_creation_susp_shell_spawn_from_java.yml diff --git a/rules/windows/process_creation/process_creation_shell_spawn_by_java.yml b/rules/windows/process_creation/process_creation_shell_spawn_by_java.yml new file mode 100644 index 000000000..9adb6d3c1 --- /dev/null +++ b/rules/windows/process_creation/process_creation_shell_spawn_by_java.yml 
@@ -0,0 +1,24 @@ +title: Shells Spawn by Java +id: dff1e1cc-d3fd-47c8-bfc2-aeb878a754c0 +description: Detects shell spawn from Java host process, which could a maintenance task or some kind of exploitation (e.g. log4j exploitation) +status: experimental +author: Andreas Hunkeler (@Karneades) +date: 2021/12/17 +modified: 2021/12/18 +tags: + - attack.initial_access + - attack.persistence + - attack.privilege_escalation +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage|endswith: '\java.exe' + Image|endswith: + - '\cmd.exe' + condition: selection +falsepositives: + - Legitimate calls to system binaries + - Company specific internal usage +level: medium diff --git a/rules/windows/process_creation/process_creation_susp_shell_spawn_by_java.yml b/rules/windows/process_creation/process_creation_susp_shell_spawn_by_java.yml new file mode 100644 index 000000000..cdd6211d3 --- /dev/null +++ b/rules/windows/process_creation/process_creation_susp_shell_spawn_by_java.yml 
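Review bot: `ParentImage|endswith: '\java.exe'` misses Java applications hosted by `javaw.exe` (and possibly by service wrappers that embed the JVM), so a shell spawned from a GUI- or service-hosted Java app would not match; suggest making `ParentImage|endswith` a list with `'\java.exe'` and `'\javaw.exe'`. The same gap exists in the sibling `process_creation_susp_shell_spawn_by_java.yml` hunk in this commit. The description also reads `which could a maintenance task` — missing `be` — and neither new rule carries a `references` entry pointing at the log4j write-up that motivated it.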
@@ -0,0 +1,42 @@ +title: Suspicious Shells Spawn by Java +id: 0d34ed8b-1c12-4ff2-828c-16fc860b766d +description: Detects suspicious shell spawn from Java host process (e.g. log4j exploitation) +status: experimental +author: Andreas Hunkeler (@Karneades), Florian Roth +date: 2021/12/17 +modified: 2021/12/18 +tags: + - attack.initial_access + - attack.persistence + - attack.privilege_escalation +logsource: + category: process_creation + product: windows +detection: + selection: + ParentImage|endswith: '\java.exe' + Image|endswith: + - '\sh.exe' + - '\bash.exe' + - '\powershell.exe' + - '\schtasks.exe' + - '\certutil.exe' + - '\whoami.exe' + - '\bitsadmin.exe' + - '\wscript.exe' + - '\cscript.exe' + - '\scrcons.exe' + - '\regsvr32.exe' + - '\hh.exe' + - '\wmic.exe' # https://app.any.run/tasks/c903e9c8-0350-440c-8688-3881b556b8e0/ + - '\mshta.exe' + - '\rundll32.exe' + - '\forfiles.exe' + - '\scriptrunner.exe' + - '\mftrace.exe' + - '\AppVLP.exe' + condition: selection +falsepositives: + - Legitimate calls to system binaries + - Company specific internal usage +level: high diff --git a/rules/windows/process_creation/process_creation_susp_shell_spawn_from_java.yml b/rules/windows/process_creation/process_creation_susp_shell_spawn_from_java.yml deleted file mode 100644 index 5e3f3342d..000000000 --- a/rules/windows/process_creation/process_creation_susp_shell_spawn_from_java.yml +++ /dev/null 
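Review bot: The `Image|endswith` list covers `'\powershell.exe'` but not `'\pwsh.exe'`, so a PowerShell 7 child of java.exe is unmatched while the lower-severity sibling rule would not catch it either (that rule only lists cmd.exe); add `- '\pwsh.exe'` next to the powershell entry. The inline `# https://app.any.run/...` comment on the wmic entry is the only provenance in the file; moving such links into a `references:` list keeps them where Sigma tooling expects them.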
@@ -1,30 +0,0 @@ -title: Suspicious Shells Spawn by Java -id: 0d34ed8b-1c12-4ff2-828c-16fc860b766d -description: Detects suspicious shell spawn from Java host process (e.g. log4j exploitation) -status: experimental -author: Andreas Hunkeler (@Karneades) -date: 2021/12/17 -tags: - - attack.initial_access - - attack.persistence - - attack.privilege_escalation -logsource: - category: process_creation - product: windows -detection: - selection: - ParentImage: '*\java.exe' - Image: - - '*\cmd.exe' - - '*\sh.exe' - - '*\bash.exe' - - '*\powershell.exe' - - '*\schtasks.exe' - - '*\certutil.exe' - - '*\whoami.exe' - - '*\bitsadmin.exe' - condition: selection -falsepositives: - - Legitimate calls to system binaries - - Company specific internal usage -level: high From 92e7ff882f080e5b38c3cce26107cd33d72be07f Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Sat, 18 Dec 2021 20:00:40 +0100 Subject: [PATCH 09/40] Create process_creation_advanced_port_scanner.yml --- ...process_creation_advanced_port_scanner.yml | 27 +++++++++++++++++++ 1 file changed, 27 insertions(+) create mode 100644 rules/windows/process_creation/process_creation_advanced_port_scanner.yml diff --git a/rules/windows/process_creation/process_creation_advanced_port_scanner.yml b/rules/windows/process_creation/process_creation_advanced_port_scanner.yml new file mode 100644 index 000000000..e15249766 --- /dev/null +++ b/rules/windows/process_creation/process_creation_advanced_port_scanner.yml 
@@ -0,0 +1,27 @@ +title: Advanced Port Scanner +id: 54773c5f-f1cc-4703-9126-2f797d96a69d +status: experimental +description: Detects the use of Advanced Port Scanner. +references: + - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20Port%20Scanner +author: Nasreddine Bencherchali @nas_bench +date: 2021/12/18 +tags: + - attack.discovery + - attack.t1046 + - attack.t1135 +logsource: + category: process_creation + product: windows +detection: + selection1: + Image|contains: '\advanced_port_scanner' + selection2: + CommandLine|contains|all: + - '/portable' + - '/lng' + condition: 1 of them +falsepositives: + - Legitimate administrative use + - Tools with similar commandline (very rare) +level: medium From 8401ece3d6ef06f7c0497ae65572f1a085c350b6 Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Sat, 18 Dec 2021 20:05:49 +0100 Subject: [PATCH 10/40] Create process_creation_cleanwipe.yml --- .../process_creation_cleanwipe.yml | 33 +++++++++++++++++++ 1 file changed, 33 insertions(+) create mode 100644 rules/windows/process_creation/process_creation_cleanwipe.yml diff --git a/rules/windows/process_creation/process_creation_cleanwipe.yml b/rules/windows/process_creation/process_creation_cleanwipe.yml new file mode 100644 index 000000000..1720477bb --- /dev/null +++ b/rules/windows/process_creation/process_creation_cleanwipe.yml 
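Review bot: `selection2` (`/portable` and `/lng` anywhere on the command line, with no image constraint) is byte-identical to the `selection2` added to `process_creation_advanced_ip_scanner.yml` later in this series, so both rules fire on the same command line and neither can say which product ran; the `Tools with similar commandline` falsepositive acknowledges this. Consider tying `selection2` to the binary, e.g. a `selection2` that also requires `OriginalFileName|contains: 'advanced_port_scanner'`, or merging the two rules into one covering the vendor's scanners with a single `id`.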
@@ -0,0 +1,33 @@ +title: CleanWipe Usage +id: f44800ac-38ec-471f-936e-3fa7d9c53100 +status: experimental +description: Detects the use of CleanWipe a tool usually used to delete Symantec antivirus. +references: + - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/CleanWipe +author: Nasreddine Bencherchali @nas_bench +date: 2021/12/18 +tags: + - attack.defense_evasion + - attack.t1562.001 +logsource: + category: process_creation + product: windows +detection: + selection1: + Image|endswith: + - '\SepRemovalToolNative_x64.exe' + selection2: + Image|endswith: '\CATClean.exe' + CommandLine|contains: '--uninstall' + selection3: + Image|endswith: '\NetInstaller.exe' + CommandLine|contains: '-r' + selection4: + Image|endswith: '\WFPUnins.exe' + CommandLine|contains|all: + - '/uninstall' + - '/enterprise' + condition: 1 of them +falsepositives: + - Legitimate administrative use +level: medium From da5cb2116c3b165a154a81d952e6416a32b018ad Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Sat, 18 Dec 2021 20:08:00 +0100 Subject: [PATCH 11/40] Update process_creation_advanced_ip_scanner.yml --- .../process_creation_advanced_ip_scanner.yml | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/rules/windows/process_creation/process_creation_advanced_ip_scanner.yml b/rules/windows/process_creation/process_creation_advanced_ip_scanner.yml index 36e07720e..2d63c9044 100644 --- a/rules/windows/process_creation/process_creation_advanced_ip_scanner.yml +++ b/rules/windows/process_creation/process_creation_advanced_ip_scanner.yml 
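Review bot: `selection3` pairs `Image|endswith: '\NetInstaller.exe'` with `CommandLine|contains: '-r'`, and a two-character substring is satisfied by any hyphenated path or word on the command line, so the image name is doing all the work and the switch adds nothing; suggest `CommandLine|contains: ' -r'` (leading space) or `' -r '` if the switch always stands alone. For consistency with `selection2`-`selection4`, `selection1` could be the plain scalar `Image|endswith: '\SepRemovalToolNative_x64.exe'` rather than a one-item list.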
@@ -8,19 +8,25 @@ references: - https://labs.f-secure.com/blog/prelude-to-ransomware-systembc - https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf - https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer -author: '@ROxPinTeddy' + - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner +author: '@ROxPinTeddy', Nasreddine Bencherchali @nas_bench date: 2020/05/12 -modified: 2021/09/12 +modified: 2021/12/18 tags: - attack.discovery - attack.t1046 + - attack.t1135 logsource: category: process_creation product: windows detection: - selection: + selection1: Image|contains: '\advanced_ip_scanner' - condition: selection + selection2: + CommandLine|contains|all: + - '/portable' + - '/lng' + condition: 1 of them falsepositives: - Legitimate administrative use level: medium From 4362060da62b0cb90dc396135286ac0e33d58908 Mon Sep 17 00:00:00 2001 From: Florian Roth Date: Sat, 18 Dec 2021 20:24:11 +0100 Subject: [PATCH 12/40] Update process_creation_advanced_ip_scanner.yml --- .../process_creation/process_creation_advanced_ip_scanner.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/windows/process_creation/process_creation_advanced_ip_scanner.yml b/rules/windows/process_creation/process_creation_advanced_ip_scanner.yml index 2d63c9044..f96d9128f 100644 --- a/rules/windows/process_creation/process_creation_advanced_ip_scanner.yml +++ b/rules/windows/process_creation/process_creation_advanced_ip_scanner.yml @@ -9,7 +9,7 @@ references: - https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf - https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Other/Advanced%20IP%20Scanner -author: '@ROxPinTeddy', Nasreddine Bencherchali @nas_bench +author: '@ROxPinTeddy, Nasreddine Bencherchali @nas_bench' date: 2020/05/12 modified: 2021/12/18 tags: 
From 61ae79bcff25324c3a59d22b1312af1de122184e Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 18 Dec 2021 20:26:12 +0100
Subject: [PATCH 13/40] Condition changed see https://github.com/SigmaHQ/sigma/wiki/Specification#condition
---
 .../process_creation/process_creation_advanced_ip_scanner.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/process_creation_advanced_ip_scanner.yml b/rules/windows/process_creation/process_creation_advanced_ip_scanner.yml
index f96d9128f..7951cf4e1 100644
--- a/rules/windows/process_creation/process_creation_advanced_ip_scanner.yml
+++ b/rules/windows/process_creation/process_creation_advanced_ip_scanner.yml
@@ -26,7 +26,7 @@ detection:
 CommandLine|contains|all:
 - '/portable'
 - '/lng'
- condition: 1 of them
+ condition: 1 of selection*
 falsepositives:
 - Legitimate administrative use
 level: medium
From 78900a7b96b29a17aee032bf4be946049e542bbe Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 18 Dec 2021 20:26:35 +0100
Subject: [PATCH 14/40] fix condition see https://github.com/SigmaHQ/sigma/wiki/Specification#condition
---
 .../process_creation/process_creation_advanced_port_scanner.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/process_creation_advanced_port_scanner.yml b/rules/windows/process_creation/process_creation_advanced_port_scanner.yml
index e15249766..e99b5dc3d 100644
--- a/rules/windows/process_creation/process_creation_advanced_port_scanner.yml
+++ b/rules/windows/process_creation/process_creation_advanced_port_scanner.yml
@@ -20,7 +20,7 @@ detection:
 CommandLine|contains|all:
 - '/portable'
 - '/lng'
- condition: 1 of them
+ condition: 1 of selection*
 falsepositives:
 - Legitimate administrative use
 - Tools with similar commandline (very rare)
From 91b51068ea8e19e53ec4687705fdee0344f306c3 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 18 Dec 2021 20:26:57 +0100
Subject: [PATCH 15/40] fix condition https://github.com/SigmaHQ/sigma/wiki/Specification#condition
---
 rules/windows/process_creation/process_creation_cleanwipe.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/process_creation_cleanwipe.yml b/rules/windows/process_creation/process_creation_cleanwipe.yml
index 1720477bb..01a59704d 100644
--- a/rules/windows/process_creation/process_creation_cleanwipe.yml
+++ b/rules/windows/process_creation/process_creation_cleanwipe.yml
@@ -27,7 +27,7 @@ detection:
 CommandLine|contains|all:
 - '/uninstall'
 - '/enterprise'
- condition: 1 of them
+ condition: 1 of selection*
 falsepositives:
 - Legitimate administrative use
 level: medium
From 6f01874e0730df3e5e2c36b89c59c1d2cd5b2434 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Sat, 18 Dec 2021 21:06:46 +0100
Subject: [PATCH 16/40] Create win_susp_nt_resource_kit_auditpol_usage.yml
---
 ...in_susp_nt_resource_kit_auditpol_usage.yml | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 rules/windows/process_creation/win_susp_nt_resource_kit_auditpol_usage.yml
diff --git a/rules/windows/process_creation/win_susp_nt_resource_kit_auditpol_usage.yml b/rules/windows/process_creation/win_susp_nt_resource_kit_auditpol_usage.yml
new file mode 100644
index 000000000..fbb423399
--- /dev/null
+++ b/rules/windows/process_creation/win_susp_nt_resource_kit_auditpol_usage.yml
@@ -0,0 +1,28 @@ +title: Suspicious NT Resource Kit Auditpol Usage +id: c6c56ada-612b-42d1-9a29-adad3c5c2c1e +description: Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor. +status: experimental +author: Nasreddine Bencherchali @nas_bench +references: + - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Windows%202000%20Resource%20Kit%20Tools/AuditPol +date: 2021/12/18 +tags: + - attack.defense_evasion + - attack.t1562.002 +level: high +logsource: + category: process_creation + product: windows +detection: + selection: + CommandLine|contains: + - '/logon:none' + - '/system:none' + - '/sam:none' + - '/privilege:none' + - '/object:none' + - '/process:none' + - '/policy:none' + condition: selection +falsepositives: + - Unknown From 70f3f4fa880b855c87d4a4501e6f98e6a1d43c2d Mon Sep 17 00:00:00 2001 From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Date: Sat, 18 Dec 2021 21:52:05 +0100 Subject: [PATCH 17/40] Create win_susp_psloglist.yml - The flags can be used with both "-" and "/" characters. - This rule aims to detect any usage of psloglist, no matter if the binary is with the original name or not. This is achieved by looking for both the image name and the specific command line arguments --- .../process_creation/win_susp_psloglist.yml | 41 +++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 rules/windows/process_creation/win_susp_psloglist.yml diff --git a/rules/windows/process_creation/win_susp_psloglist.yml b/rules/windows/process_creation/win_susp_psloglist.yml new file mode 100644 index 000000000..c9da73f66 --- /dev/null +++ b/rules/windows/process_creation/win_susp_psloglist.yml 
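Review bot: The `CommandLine|contains` list covers only the `<category>:none` forms, so the description's "selectively disabling certain audit policies" is matched but, if I remember the Windows 2000 Resource Kit tool's syntax correctly, its switch that turns auditing off outright (`/disable`) is not; worth confirming against the tool and, if so, adding a second selection such as `Image|endswith: '\auditpol.exe'` with `CommandLine|contains: '/disable'` (the modern auditpol uses `/success:disable`, which that substring does not hit). Key order is also off relative to the other rules in this series: `level: high` sits between `tags` and `logsource` instead of at the end, which is cosmetic but makes the file harder to diff against its siblings.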
@@ -0,0 +1,41 @@ +title: Suspicious Use of PsLogList +id: aae1243f-d8af-40d8-ab20-33fc6d0c55bc +description: Threat actors can use the PsLogList utility to dump event log in order to extract admin accounts and perform account discovery. +status: experimental +references: + - https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/ + - https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos + - https://github.com/3CORESec/MAL-CL/tree/master/Descriptors/Sysinternals/PsLogList +author: Nasreddine Bencherchali @nas_bench +date: 2021/12/18 +tags: + - attack.discovery + - attack.t1087 + - attack.t1087.001 + - attack.t1087.002 +logsource: + category: process_creation + product: windows +detection: + selection1: + OriginalFileName|contains: 'psloglist' + selection2: + Image|endswith: + - '\psloglist.exe' + - '\psloglist64.exe' + flags: + CommandLine|contains: + - '-d' + - '/d' + - '-x' + - '/x' + - '-s' + - '/s' + eventlog: + CommandLine|contains: + - 'security' + condition: (1 of selection*) or (flags and eventlog) +falsepositives: + - Another tool that uses the command line switches of PsLogList + - Legitimate use of PsLogList by an administrator +level: medium From f8962bec987f20514103abea44a06f7161a45541 Mon Sep 17 00:00:00 2001 From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 19 Dec 2021 10:35:39 +0100 Subject: [PATCH 18/40] Aurora FP --- ...ysmon_asep_reg_keys_modification_currentversion.yml | 10 +++++++--- .../sysmon_asep_reg_keys_modification_wow6432node.yml | 10 +++++++--- .../sysmon_registry_persistence_search_order.yml | 6 +++++- 3 files changed, 19 insertions(+), 7 deletions(-) diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml index 16f392ac1..574c513c8 100644 
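Review bot: The `flags` selection matches two-character substrings (`'-d'`, `'/d'`, `'-x'`, `'-s'` ...) anywhere in the command line, so any argument or path containing `-d`, `-x` or `-s` satisfies it and the `(flags and eventlog)` branch collapses to "command line contains `security`", which also matches ordinary paths under a `Security` folder. Anchor the switches with a leading space (`' -d'`, `' /d'`, ... ) and treat the log name the same way (`' security'`); a later commit in this series adds `accepteula` to the second term, which narrows the branch but leaves the flag substrings as they are.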
--- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_currentversion.yml @@ -11,7 +11,7 @@ references: - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys date: 2019/10/25 -modified: 2021/12/18 +modified: 2021/12/19 logsource: category: registry_event product: windows @@ -36,13 +36,17 @@ detection: - '\Authentication\PLAP Providers' - '\Authentication\Credential Providers' - '\Authentication\Credential Provider Filters' - filter: + filter_all: - Details: '(Empty)' - TargetObject|endswith: '\NgcFirst\ConsecutiveSwitchCount' - Image|endswith: '\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe' # C:\Users\*\AppData\Local\Microsoft\OneDrive\Update\OneDriveSetup.exe - Image: - 'C:\WINDOWS\system32\devicecensus.exe' - condition: current_version_base and current_version and not filter + filter_edge: + Image|contains|all: + - 'C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{' + - '\setup.exe' + condition: current_version_base and current_version and not 1 of filter_* fields: - SecurityID - ObjectName diff --git a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node.yml b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node.yml index dd255205a..e7d956008 100644 --- a/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node.yml +++ b/rules/windows/registry_event/sysmon_asep_reg_keys_modification_wow6432node.yml @@ -11,7 +11,7 @@ references: - https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns - https://gist.github.com/GlebSukhodolskiy/0fc5fa5f482903064b448890db1eaf9d # a list with registry keys date: 2019/10/25 -modified: 2021/12/05 +modified: 2021/12/19 logsource: category: registry_event product: windows 
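Review bot: Renaming `filter` to `filter_all` is misleading: the selection is a list of maps, which Sigma OR-s, so it matches when any one of its four entries does, not all of them; the `wow6432node` hunk in this same commit uses `filter_empty`, and a name such as `filter_main` or `filter_known_good` would still satisfy `1 of filter_*` without implying AND semantics. The new `filter_edge` keyed on `C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{` is a reasonable exclusion since that tree is admin-writable only; a short comment like `# Edge updater touches ASEP keys during install (observed FP)` would record why it is trusted, if that is indeed the observed case.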
@@ -27,9 +27,13 @@ detection: - '\Explorer\ShellExecuteHooks' - '\Explorer\SharedTaskScheduler' - '\Explorer\Browser Helper Objects' - filter: + filter_empty: Details: '(Empty)' - condition: wow_current_version_base and wow_current_version and not filter + filter_edge: + Image|contains|all: + - 'C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{' + - '\setup.exe' + condition: wow_current_version_base and wow_current_version and not 1 of filter_* fields: - SecurityID - ObjectName diff --git a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml index 0712e079b..7669904a7 100755 --- a/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml +++ b/rules/windows/registry_event/sysmon_registry_persistence_search_order.yml @@ -7,7 +7,7 @@ references: - https://attack.mitre.org/techniques/T1546/015/ author: Maxime Thiebaut (@0xThiebaut), oscd.community, Cédric Hien date: 2020/04/14 -modified: 2021/12/16 +modified: 2021/12/19 tags: - attack.persistence - attack.t1546.015 @@ -48,6 +48,10 @@ detection: Image|contains|all: - 'C:\ProgramData\Microsoft\Windows Defender\Platform\' - '\MsMpEng.exe' + filter_edge: + Image|contains|all: + - 'C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{' + - '\setup.exe' condition: selection and not 1 of filter* falsepositives: - Some installed utilities (i.e. OneDrive) may serve new COM objects at user-level From b89580488a37a80e5d10aa6edbb5c4a402eac827 Mon Sep 17 00:00:00 2001 
From: frack113 <62423083+frack113@users.noreply.github.com> Date: Sun, 19 Dec 2021 11:20:42 +0100 Subject: [PATCH 19/40] Windows Redcannary --- .../win_fe_access_susp_unattend_xml.yml | 23 +++++++++++++++ .../powershell_suspicious_extracting.yml | 29 +++++++++++++++++++ .../process_creation_automated_collection.yml | 13 ++++++--- 3 files changed, 61 insertions(+), 4 deletions(-) create mode 100644 rules/windows/file_event/win_fe_access_susp_unattend_xml.yml create mode 100644 rules/windows/powershell/powershell_script/powershell_suspicious_extracting.yml diff --git a/rules/windows/file_event/win_fe_access_susp_unattend_xml.yml b/rules/windows/file_event/win_fe_access_susp_unattend_xml.yml new file mode 100644 index 000000000..6b9909cfe --- /dev/null +++ b/rules/windows/file_event/win_fe_access_susp_unattend_xml.yml @@ -0,0 +1,23 @@ +title: Suspicious Unattend.xml File Access +id: 1a3d42dd-3763-46b9-8025-b5f17f340dfb +status: experimental +description: | + Attempts to access unattend.xml, where credentials are commonly stored, within the Panther directory where installation logs are stored. + If these files exist, their contents will be displayed. They are used to store credentials/answers during the unattended windows install process +author: frack113 +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md +date: 2021/12/19 +logsource: + product: windows + category: file_event +detection: + selection: + TargetFilename|endswith: '\unattend.xml' + condition: selection +falsepositives: + - Unknown +level: medium +tags: + - attack.credential_access + - attack.t1552.001 diff --git a/rules/windows/powershell/powershell_script/powershell_suspicious_extracting.yml b/rules/windows/powershell/powershell_script/powershell_suspicious_extracting.yml new file mode 100644 index 000000000..b8be6f52d --- /dev/null +++ b/rules/windows/powershell/powershell_script/powershell_suspicious_extracting.yml 
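Review bot: `category: file_event` maps to Sysmon file-creation events, which do not record reads, so `TargetFilename|endswith: '\unattend.xml'` fires when an unattend.xml is written (imaging, sysprep, answer-file deployment) and not on the "access" the title and description promise; either retitle it (`Unattend.xml File Creation`) and reword the description to match, or move the logic to a source that logs file reads/handle opens, which is what the referenced atomic test would actually produce. The description also names the Panther directory while the selection matches an unattend.xml anywhere on disk; if the creation-time reading is kept, `TargetFilename|contains: '\Panther\'` would align the two.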
@@ -0,0 +1,29 @@ +title: Extracting Information with PowerShell +id: bd5971a7-626d-46ab-8176-ed643f694f68 +status: experimental +author: frack113 +date: 2021/12/19 +description: | + Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. + These can be files created by users to store their own credentials, shared credential stores for a group of individuals, + configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords. +references: + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md +logsource: + product: windows + category: ps_script + definition: Script block logging must be enabled +detection: + selection: + ScriptBlockText|contains|all: + - ls + - ' -R' + - 'select-string ' + - '-Pattern ' + condition: selection +falsepositives: + - Unknown +level: medium +tags: + - attack.credential_access + - attack.t1552.001 \ No newline at end of file diff --git a/rules/windows/process_creation/process_creation_automated_collection.yml b/rules/windows/process_creation/process_creation_automated_collection.yml index ab979f738..05550d6de 100644 --- a/rules/windows/process_creation/process_creation_automated_collection.yml +++ b/rules/windows/process_creation/process_creation_automated_collection.yml @@ -6,9 +6,7 @@ date: 2021/07/28 description: Once established within a system or network, an adversary may use automated techniques for collecting internal data. references: - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1119/T1119.md -tags: - - attack.collection - - attack.t1119 + - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1552.001/T1552.001.md logsource: category: process_creation product: windows 
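Review bot: `ScriptBlockText|contains|all` includes the bare term `ls`, which is a substring of `else`, `false`, `tools` and countless other tokens, so it contributes nothing and the real constraints are `' -R'`, `'select-string '` and `'-Pattern '`; `' -R'` in turn also matches `-Raw`, `-ReadCount` and any `-Recurse` unrelated to a directory listing. Suggest `'ls '` (or a separate OR-ed selection listing `'ls '`, `'gci '`, `'dir '`, `'Get-ChildItem '`) together with `' -Recurse'` / `' -R '` for the switch, and quote the term like its neighbours. The file also lacks a trailing newline, as does the `process_creation_automated_collection.yml` hunk below.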
@@ -31,8 +29,15 @@ detection:
 - ' /s '
 selection_findstr:
 OriginalFileName: FINDSTR.EXE
- CommandLine|contains: ' /e '
+ CommandLine|contains:
+ - ' /e '
+ - ' /si '
 condition: selection_ext and (selection_dir or selection_findstr)
 falsepositives:
 - Unknown
 level: medium
+tags:
+ - attack.collection
+ - attack.t1119
+ - attack.credential_access
+ - attack.t1552.001
\ No newline at end of file
From 89e1f491b34d3026918e9aec89fa8a52fcd441e7 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sun, 19 Dec 2021 19:43:37 +0100
Subject: [PATCH 20/40] refactor: add accepteula to flags
---
 rules/windows/process_creation/win_susp_psloglist.yml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/rules/windows/process_creation/win_susp_psloglist.yml b/rules/windows/process_creation/win_susp_psloglist.yml
index c9da73f66..01fe56869 100644
--- a/rules/windows/process_creation/win_susp_psloglist.yml
+++ b/rules/windows/process_creation/win_susp_psloglist.yml
@@ -31,10 +31,11 @@ detection:
 - '/x'
 - '-s'
 - '/s'
- eventlog:
- CommandLine|contains:
- - 'security'
- condition: (1 of selection*) or (flags and eventlog)
+ other:
+ CommandLine|contains|all:
+ - 'security'
+ - 'accepteula'
+ condition: (1 of selection*) or (flags and other)
 falsepositives:
 - Another tool that uses the command line switches of PsLogList
 - Legitimate use of PsLogList by an administrator
From d2f9a9c63e56bac6ffdacf8e21ff9d3ca672f065 Mon Sep 17 00:00:00 2001
From: David ANDRE
Date: Mon, 20 Dec 2021 08:56:13 +0100
Subject: [PATCH 21/40] Added mimikatz keywords from user published documentation
---
 .../builtin/win_alert_mimikatz_keywords.yml | 189 +++++++++++++++++-
 1 file changed, 185 insertions(+), 4 deletions(-)
diff --git a/rules/windows/builtin/win_alert_mimikatz_keywords.yml b/rules/windows/builtin/win_alert_mimikatz_keywords.yml
index 7ea757e5a..e352a76cb 100644
--- a/rules/windows/builtin/win_alert_mimikatz_keywords.yml
+++ b/rules/windows/builtin/win_alert_mimikatz_keywords.yml
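Review bot: Requiring `'accepteula'` together with `'security'` in the new `other` selection means the rule no longer sees PsLogList runs where the EULA was accepted earlier; Sysinternals tools persist acceptance in the registry (under `HKCU\Software\Sysinternals`, per their usual behaviour) and attackers routinely pre-set that key, so only the first `psloglist security` by a given user would match and every later dump of the Security log would pass. The `flags` selection this condition depends on starts before the hunk, so I cannot tell how much it compensates, but the trade-off (fewer tool-name collisions at the cost of a simple bypass) deserves to be written down: add `- PsLogList invocations after the EULA has been accepted (registry flag) are not matched by the 'other' selection` to `falsepositives`/description, or keep a lower-confidence variant without the `accepteula` requirement.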
@@ -2,9 +2,11 @@ title: Mimikatz Use
 id: 06d71506-7beb-4f22-8888-e2e5e2ca7fd8
 description: This method detects mimikatz keywords in different Eventlogs (some of them only appear in older Mimikatz version that are however still used by different threat groups)
 status: experimental
-author: Florian Roth
+author: Florian Roth (rule), David ANDRE (additional keywords)
 date: 2017/01/10
-modified: 2021/12/01
+modified: 2021/12/20
+reference:
+ - https://tools.thehacker.recipes/mimikatz/modules
 tags:
 - attack.s0002
 - attack.t1003 # an old one
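Review bot: The hunk adds a `reference:` key (singular), but the Sigma schema key is `references:` (plural, holding a list), so the link is ignored by the converters and the rule would fail the repository's schema check. Change the two added lines to `references:` / ` - https://tools.thehacker.recipes/mimikatz/modules`. Bumping `modified` here instead of `date` is the right convention.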
@@ -25,14 +27,193 @@ detection:
 - '\mimilib.dll'
 - '<3 eo.oe'
 - 'eo.oe.kiwi'
- - 'privilege::debug'
- - 'sekurlsa::logonpasswords'
 - 'lsadump::sam'
 - 'mimidrv.sys'
 - ' p::d '
 - ' s::l '
 - 'gentilkiwi.com'
 - 'Kiwi Legit Printer'
+ - 'sekurlsa::logonpasswords'
+ - 'crypto::capi'
+ - 'crypto::certificates'
+ - 'crypto::certtohw'
+ - 'crypto::cng'
+ - 'crypto::extract'
+ - 'crypto::hash'
+ - 'crypto::keys'
+ - 'crypto::providers'
+ - 'crypto::sc'
+ - 'crypto::scauth'
+ - 'crypto::stores'
+ - 'crypto::system'
+ - 'crypto::tpminfo'
+ - 'dpapi::blob'
+ - 'dpapi::cache'
+ - 'dpapi::capi'
+ - 'dpapi::chrome'
+ - 'dpapi::cloudapkd'
+ - 'dpapi::cloudapreg'
+ - 'dpapi::cng'
+ - 'dpapi::create'
+ - 'dpapi::cred'
+ - 'dpapi::credhist'
+ - 'dpapi::luna'
+ - 'dpapi::masterkey'
+ - 'dpapi::protect'
+ - 'dpapi::ps'
+ - 'dpapi::rdg'
+ - 'dpapi::sccm'
+ - 'dpapi::ssh'
+ - 'dpapi::tpm'
+ - 'dpapi::vault'
+ - 'dpapi::wifi'
+ - 'dpapi::wwman'
+ - 'event::clear'
+ - 'event::drop'
+ - 'kerberos::ask'
+ - 'kerberos::clist'
+ - 'kerberos::golden'
+ - 'kerberos::hash'
+ - 'kerberos::list'
+ - 'sekurlsa::tickets'
+ - 'kerberos::ptc'
+ - 'kerberos::ptt'
+ - 'kerberos::ptt'
+ - 'kerberos::purge'
+ - 'kerberos::tgt'
+ - 'lsadump::backupkeys'
+ - 'lsadump::cache'
+ - 'lsadump::changentlm'
+ - 'lsadump::dcshadow'
+ - 'lsadump::dcsync'
+ - 'lsadump::lsa'
+ - 'lsadump::mbc'
+ - 'lsadump::netsync'
+ - 'lsadump::packages'
+ - 'lsadump::postzerologon'
+ - 'lsadump::RpData'
+ - 'lsadump::sam'
+ - 'lsadump::secrets'
+ - 'lsadump::setntlm'
+ - 'lsadump::trust'
+ - 'lsadump::zerologon'
+ - 'misc::aadcookie'
+ - 'misc::clip'
+ - 'misc::cmd'
+ - 'misc::compress'
+ - 'misc::detours'
+ - 'misc::efs'
+ - 'misc::lock'
+ - 'misc::memssp'
+ - 'misc::memssp'
+ - 'misc::mflt'
+ - 'misc::ncroutemon'
+ - 'misc::ngcsign'
+ - 'misc::printnightmare'
+ - 'misc::regedit'
+ - 'misc::sccm'
+ - 'misc::shadowcopies'
+ - 'misc::skeleton'
+ - 'misc::spooler'
+ - 'misc::taskmgr'
+ - 'misc::wp'
+ - 'misc::xor'
+ - 'net::alias'
+ - 'net::deleg'
+ - 'net::group'
+ - 'net::if'
+ - 'net::serverinfo'
+ - 'net::session'
+ - 'net::share'
+ - 'net::stats'
+ - 'net::tod'
+ - 'net::trust'
+ - 'net::user'
+ - 'net::wsession'
+ - 'privilege::backup'
+ - 'privilege::debug'
+ - 'privilege::driver'
+ - 'privilege::id'
+ - 'privilege::name'
+ - 'privilege::restore'
+ - 'privilege::security'
+ - 'privilege::sysenv'
+ - 'privilege::tcb'
+ - 'process::exports'
+ - 'process::imports'
+ - 'process::list'
+ - 'process::resume'
+ - 'process::run'
+ - 'process::runp'
+ - 'process::start'
+ - 'process::stop'
+ - 'process::suspend'
+ - 'rpc::close'
+ - 'rpc::connect'
+ - 'rpc::enum'
+ - 'rpc::server'
+ - 'sekurlsa::backupkeys'
+ - 'sekurlsa::bootkey'
+ - 'sekurlsa::cloudap'
+ - 'sekurlsa::credman'
+ - 'sekurlsa::dpapi'
+ - 'sekurlsa::dpapisystem'
+ - 'sekurlsa::ekeys'
+ - 'sekurlsa::kerberos'
+ - 'sekurlsa::krbtgt'
+ - 'sekurlsa::livessp'
+ - 'sekurlsa::logonpasswords'
+ - 'sekurlsa::minidump'
+ - 'sekurlsa::msv'
+ - 'sekurlsa::process'
+ - 'sekurlsa::minidump'
+ - 'sekurlsa::pth'
+ - 'sekurlsa::ssp'
+ - 'sekurlsa::tickets'
+ - 'kerberos::list'
+ - 'sekurlsa::trust'
+ - 'sekurlsa::tspkg'
+ - 'sekurlsa::wdigest'
+ - 'rpc::server'
+ - 'service::me'
+ - 'service::preshutdown'
+ - 'service::remove'
+ - 'service::resume'
+ - 'service::shutdown'
+ - 'service::start'
+ - 'service::stop'
+ - 'service::suspend'
+ - 'sid::add'
+ - 'sid::clear'
+ - 'sid::lookup'
+ - 'sid::modify'
+ - 'sid::patch'
+ - 'id::modify'
+ - 'sid::add'
+ - 'sid::query'
+ - 'standard::answer'
+ - 'standard::base64'
+ - 'standard::cd'
+ - 'standard::cls'
+ - 'standard::coffee'
+ - 'standard::exit'
+ - 'standard::hostname'
+ - 'standard::localtime'
+ - 'standard::log'
+ - 'standard::sleep'
+ - 'standard::version'
+ - 'token::elevate'
+ - 'token::list'
+ - 'token::revert'
+ - 'token::run'
+ - 'token::whoami'
+ - 'ts::logonpasswords'
+ - 'ts::mstsc'
+ - 'ts::multirdp'
+ - 'ts::remote'
+ - 'ts::sessions'
+ - 'vault::cred'
+ - 'vault::list'
 filter:
 EventID: 15 # Sysmon's FileStream Events (could cause false positives when Sigma rules get copied on/to a system)
 condition: keywords and not filter
From 147c319bffafc88d44be59e1d7f9b3d202dad88f Mon Sep 17 00:00:00 2001
From: David ANDRE
Date: Mon, 20 Dec 2021 09:01:34 +0100
Subject: [PATCH 22/40] Added mimikatz keywords from user published documentation to win_susp_system_user_anomaly
---
 .../win_susp_system_user_anomaly.yml | 187 +++++++++++++++++-
 1 file changed, 184 insertions(+), 3 deletions(-)
diff --git a/rules/windows/process_creation/win_susp_system_user_anomaly.yml b/rules/windows/process_creation/win_susp_system_user_anomaly.yml
index 1e4297287..4a429ff7d 100644
--- a/rules/windows/process_creation/win_susp_system_user_anomaly.yml
+++ b/rules/windows/process_creation/win_susp_system_user_anomaly.yml
@@ -4,8 +4,9 @@ status: experimental
 description: Detects a suspicious process creation as SYSTEM user (suspicious program or command line parameter)
 references:
 - Internal Research
-author: Florian Roth
-date: 2021/12/08
+ - https://tools.thehacker.recipes/mimikatz/modules
+author: Florian Roth (rule), David ANDRE (additional keywords)
+date: 2021/12/20
 logsource:
 category: process_creation
 product: windows
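Review bot: The added keyword list carries exact duplicates — `'kerberos::ptt'`, `'misc::memssp'`, `'sekurlsa::minidump'`, `'sid::add'`, `'rpc::server'`, `'sekurlsa::tickets'` and `'kerberos::list'` each appear twice, and `'lsadump::sam'` / `'sekurlsa::logonpasswords'` duplicate entries already in the context lines above — plus `'id::modify'`, which looks like a typo for the `'sid::modify'` listed two lines earlier (and is a substring of it, so it only adds a redundant scan). Every keyword is a separate substring test against every line of every event log this rule covers, so dedupe before merging. Entries such as `'standard::cd'`, `'standard::cls'`, `'standard::exit'`, `'standard::sleep'` and `'standard::coffee'` are shell conveniences rather than attack primitives; they are harmless with the `::` attached but are worth a comment like `# shell helpers, kept only for completeness` so they are not mistaken for high-confidence indicators.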
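Review bot: The metadata hunk in `win_susp_system_user_anomaly.yml` overwrites `date: 2021/12/08` with `date: 2021/12/20`; in Sigma `date` is the creation date and edits are recorded in `modified:`, so this rewrites the rule's history and, with no `modified` key, hides that its detection logic changed in this series. Keep `date: 2021/12/08` and add `modified: 2021/12/20` after it.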
@@ -46,7 +47,187 @@ detection:
 - '.downloadstring(' # PowerShell download command
 - '.downloadfile(' # PowerShell download command
 - ' /ticket:' # Rubeus
- - ' sekurlsa' # Mimikatz
+ - 'sekurlsa::logonpasswords' #Mimikatz
+ - 'crypto::capi' #Mimikatz
+ - 'crypto::certificates' #Mimikatz
+ - 'crypto::certtohw' #Mimikatz
+ - 'crypto::cng' #Mimikatz
+ - 'crypto::extract' #Mimikatz
+ - 'crypto::hash' #Mimikatz
+ - 'crypto::keys' #Mimikatz
+ - 'crypto::providers' #Mimikatz
+ - 'crypto::sc' #Mimikatz
+ - 'crypto::scauth' #Mimikatz
+ - 'crypto::stores' #Mimikatz
+ - 'crypto::system' #Mimikatz
+ - 'crypto::tpminfo' #Mimikatz
+ - 'dpapi::blob' #Mimikatz
+ - 'dpapi::cache' #Mimikatz
+ - 'dpapi::capi' #Mimikatz
+ - 'dpapi::chrome' #Mimikatz
+ - 'dpapi::cloudapkd' #Mimikatz
+ - 'dpapi::cloudapreg' #Mimikatz
+ - 'dpapi::cng' #Mimikatz
+ - 'dpapi::create' #Mimikatz
+ - 'dpapi::cred' #Mimikatz
+ - 'dpapi::credhist' #Mimikatz
+ - 'dpapi::luna' #Mimikatz
+ - 'dpapi::masterkey' #Mimikatz
+ - 'dpapi::protect' #Mimikatz
+ - 'dpapi::ps' #Mimikatz
+ - 'dpapi::rdg' #Mimikatz
+ - 'dpapi::sccm' #Mimikatz
+ - 'dpapi::ssh' #Mimikatz
+ - 'dpapi::tpm' #Mimikatz
+ - 'dpapi::vault' #Mimikatz
+ - 'dpapi::wifi' #Mimikatz
+ - 'dpapi::wwman' #Mimikatz
+ - 'event::clear' #Mimikatz
+ - 'event::drop' #Mimikatz
+ - 'kerberos::ask' #Mimikatz
+ - 'kerberos::clist' #Mimikatz
+ - 'kerberos::golden' #Mimikatz
+ - 'kerberos::hash' #Mimikatz
+ - 'kerberos::list' #Mimikatz
+ - 'sekurlsa::tickets' #Mimikatz
+ - 'kerberos::ptc' #Mimikatz
+ - 'kerberos::ptt' #Mimikatz
+ - 'kerberos::ptt' #Mimikatz
+ - 'kerberos::purge' #Mimikatz
+ - 'kerberos::tgt' #Mimikatz
+ - 'lsadump::backupkeys' #Mimikatz
+ - 'lsadump::cache' #Mimikatz
+ - 'lsadump::changentlm' #Mimikatz
+ - 'lsadump::dcshadow' #Mimikatz
+ - 'lsadump::dcsync' #Mimikatz
+ - 'lsadump::lsa' #Mimikatz
+ - 'lsadump::mbc' #Mimikatz
+ - 'lsadump::netsync' #Mimikatz
+ - 'lsadump::packages' #Mimikatz
+ - 'lsadump::postzerologon' #Mimikatz
+ - 'lsadump::RpData' #Mimikatz
+ - 'lsadump::sam' #Mimikatz
+ - 'lsadump::secrets' #Mimikatz
+ - 'lsadump::setntlm' #Mimikatz
+ - 'lsadump::trust' #Mimikatz
+ - 'lsadump::zerologon' #Mimikatz
+ - 'misc::aadcookie' #Mimikatz
+ - 'misc::clip' #Mimikatz
+ - 'misc::cmd' #Mimikatz
+ - 'misc::compress' #Mimikatz
+ - 'misc::detours' #Mimikatz
+ - 'misc::efs' #Mimikatz
+ - 'misc::lock' #Mimikatz
+ - 'misc::memssp' #Mimikatz
+ - 'misc::memssp' #Mimikatz
+ - 'misc::mflt' #Mimikatz
+ - 'misc::ncroutemon' #Mimikatz
+ - 'misc::ngcsign' #Mimikatz
+ - 'misc::printnightmare' #Mimikatz
+ - 'misc::regedit' #Mimikatz
+ - 'misc::sccm' #Mimikatz
+ - 'misc::shadowcopies' #Mimikatz
+ - 'misc::skeleton' #Mimikatz
+ - 'misc::spooler' #Mimikatz
+ - 'misc::taskmgr' #Mimikatz
+ - 'misc::wp' #Mimikatz
+ - 'misc::xor' #Mimikatz
+ - 'net::alias' #Mimikatz
+ - 'net::deleg' #Mimikatz
+ - 'net::group' #Mimikatz
+ - 'net::if' #Mimikatz
+ - 'net::serverinfo' #Mimikatz
+ - 'net::session' #Mimikatz
+ - 'net::share' #Mimikatz
+ - 'net::stats' #Mimikatz
+ - 'net::tod' #Mimikatz
+ - 'net::trust' #Mimikatz
+ - 'net::user' #Mimikatz
+ - 'net::wsession' #Mimikatz
+ - 'privilege::backup' #Mimikatz
+ - 'privilege::debug' #Mimikatz
+ - 'privilege::driver' #Mimikatz
+ - 'privilege::id' #Mimikatz
+ - 'privilege::name' #Mimikatz
+ - 'privilege::restore' #Mimikatz
+ - 'privilege::security' #Mimikatz
+ - 'privilege::sysenv' #Mimikatz
+ - 'privilege::tcb' #Mimikatz
+ - 'process::exports' #Mimikatz
+ - 'process::imports' #Mimikatz
+ - 'process::list' #Mimikatz
+ - 'process::resume' #Mimikatz
+ - 'process::run' #Mimikatz
+ - 'process::runp' #Mimikatz
+ - 'process::start' #Mimikatz
+ - 'process::stop' #Mimikatz
+ - 'process::suspend' #Mimikatz
+ - 'rpc::close' #Mimikatz
+ - 'rpc::connect' #Mimikatz
+ - 'rpc::enum' #Mimikatz
+ - 'rpc::server' #Mimikatz
+ - 'sekurlsa::backupkeys' #Mimikatz
+ - 'sekurlsa::bootkey' #Mimikatz
+ - 'sekurlsa::cloudap' #Mimikatz
+ - 'sekurlsa::credman' #Mimikatz
+ - 'sekurlsa::dpapi' #Mimikatz
+ - 'sekurlsa::dpapisystem' #Mimikatz
+ - 'sekurlsa::ekeys' #Mimikatz
+ - 'sekurlsa::kerberos' #Mimikatz
+ - 'sekurlsa::krbtgt' #Mimikatz
+ - 'sekurlsa::livessp' #Mimikatz
+ - 'sekurlsa::logonpasswords' #Mimikatz
+ - 'sekurlsa::minidump' #Mimikatz
+ - 'sekurlsa::msv' #Mimikatz
+ - 'sekurlsa::process' #Mimikatz
+ - 'sekurlsa::minidump' #Mimikatz
+ - 'sekurlsa::pth' #Mimikatz
+ - 'sekurlsa::ssp' #Mimikatz
+ - 'sekurlsa::tickets' #Mimikatz
+ - 'kerberos::list' #Mimikatz
+ - 'sekurlsa::trust' #Mimikatz
+ - 'sekurlsa::tspkg' #Mimikatz
+ - 'sekurlsa::wdigest' #Mimikatz
+ - 'rpc::server' #Mimikatz
+ - 'service::me' #Mimikatz
+ - 'service::preshutdown' #Mimikatz
+ - 'service::remove' #Mimikatz
+ - 'service::resume' #Mimikatz
+ - 'service::shutdown' #Mimikatz
+ - 'service::start' #Mimikatz
+ - 'service::stop' #Mimikatz
+ - 'service::suspend' #Mimikatz
+ - 'sid::add' #Mimikatz
+ - 'sid::clear' #Mimikatz
+ - 'sid::lookup' #Mimikatz
+ - 'sid::modify' #Mimikatz
+ - 'sid::patch' #Mimikatz
+ - 'id::modify' #Mimikatz
+ - 'sid::add' #Mimikatz
+ - 'sid::query' #Mimikatz
+ - 'stand ard::answer' #Mimikatz
+ - 'standard::base64' #Mimikatz
+ - 'standard::cd' #Mimikatz
+ - 'standard::cls' #Mimikatz
+ - 'standard::coffee' #Mimikatz
+ - 'standard::exit' #Mimikatz
+ - 'standard::hostname' #Mimikatz
+ - 'standard::localtime' #Mimikatz
+ - 'standard::log' #Mimikatz
+ - 'standard::sleep' #Mimikatz
+ - 'standard::version' #Mimikatz
+ - 'token::elevate' #Mimikatz
+ - 'token::list' #Mimikatz
+ - 'token::revert' #Mimikatz
+ - 'token::run' #Mimikatz
+ - 'token::whoami' #Mimikatz
+ - 'ts::logonpasswords' #Mimikatz
+ - 'ts::mstsc' #Mimikatz
+ - 'ts::multirdp' #Mimikatz
+ - 'ts::remote' #Mimikatz
+ - 'ts::sessions' #Mimikatz
+ - 'vault::cred' #Mimikatz
+ - 'vault::list'
 - ' p::d ' # Mimikatz
 - ';iex(' # PowerShell IEX
 - 'MiniDump' # Process dumping method apart from procdump
From b0dda59d09633e44793020125a374439ebb78e41 Mon Sep 17 00:00:00 2001
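Review bot: Replacing the single catch-all `' sekurlsa'` with ~180 `module::function` literals narrows this rule rather than widening it: any mimikatz invocation whose function is not enumerated (a newer function, an abbreviation, a typo on the attacker's side) stops matching, while for a process running as SYSTEM the mere presence of `sekurlsa::`, `lsadump::` or `kerberos::` on the command line is the anomaly regardless of the function. Module prefixes are shorter, more complete, and avoid the duplicates this list copies from the keyword rule (`kerberos::ptt`, `misc::memssp`, `sekurlsa::minidump`, `sid::add`, `rpc::server` twice each) and the `id::modify` typo; `'vault::list'` is also the only entry missing its `#Mimikatz` comment. I left out very short prefixes (`ts::`, `net::`, `event::`) on purpose, since those are the ones a practitioner would want to check for collisions before adding. The selection that holds this list starts before the hunk.
```yaml
            - ' /ticket:' # Rubeus
            - 'sekurlsa::' # Mimikatz module prefixes instead of per-function literals
            - 'lsadump::' # Mimikatz
            - 'kerberos::' # Mimikatz
            - 'dpapi::' # Mimikatz
            - 'crypto::' # Mimikatz
            - 'privilege::' # Mimikatz
            - 'token::' # Mimikatz
            - 'misc::' # Mimikatz
            - 'vault::' # Mimikatz
            - ' p::d ' # Mimikatz
            # … unchanged: ';iex(' and 'MiniDump' entries …
```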
From: David ANDRE
Date: Mon, 20 Dec 2021 09:22:34 +0100
Subject: [PATCH 23/40] Added mimikatz keywords from user published documentation to win_mimimkatz_command_line
---
 .../win_mimikatz_command_line.yml | 25 +++++++++++++++----
 1 file changed, 20 insertions(+), 5 deletions(-)
diff --git a/rules/windows/process_creation/win_mimikatz_command_line.yml b/rules/windows/process_creation/win_mimikatz_command_line.yml
index 6a3664a42..6f175ac0b 100644
--- a/rules/windows/process_creation/win_mimikatz_command_line.yml
+++ b/rules/windows/process_creation/win_mimikatz_command_line.yml
@@ -2,11 +2,12 @@ title: Mimikatz Command Line
 id: a642964e-bead-4bed-8910-1bb4d63e3b4d
 status: test
 description: Detection well-known mimikatz command line arguments
-author: Teymur Kheirkhabarov, oscd.community
+author: Teymur Kheirkhabarov, oscd.community, David ANDRE (additional keywords)
 references:
 - https://www.slideshare.net/heirhabarov/hunting-for-credentials-dumping-in-windows-environment
+ - https://tools.thehacker.recipes/mimikatz/modules
 date: 2019/10/22
-modified: 2021/11/27
+modified: 2021/12/20
 logsource:
 category: process_creation
 product: windows
@@ -15,7 +16,7 @@ detection:
 CommandLine|contains:
 - DumpCreds
 - invoke-mimikatz
- selection_2:
+ module_names:
 CommandLine|contains:
 - rpc
 - token
@@ -26,10 +27,24 @@ detection:
 - lsadump
 - privilege
 - process
- selection_3:
+ - vault
+ mimikatz_separator:
 CommandLine|contains:
 - '::'
- condition: selection_1 or selection_2 and selection_3
+ function_names: # To cover functions from modules that are not in module_names (likely too generic)
+ CommandLine|contains:
+ - 'aadcookie' #misc module
+ - 'detours' #misc module
+ - 'memssp' #misc module
+ - 'mflt' #misc module
+ - 'ncroutemon' #misc module
+ - 'ngcsign' #misc module
+ - 'printnightmare' #misc module
+ - 'skeleton' #misc module
+ - 'preshutdown' #service module
+ - 'mstsc' #ts module
+ - 'multirdp' #ts module
+ condition: selection_1 or (module_names and mimikatz_separator) or (function_names and mimikatz_separator)
 falsepositives:
 - Legitimate Administrator using tool for password recovery
 level: medium
From ed17c07affcaa4d7f78de0e1708ca394fe496ef5 Mon Sep 17 00:00:00 2001
From: David ANDRE
Date: Mon, 20 Dec 2021 09:25:05 +0100
Subject: [PATCH 24/40] Corrected alignment
---
 rules/windows/builtin/win_alert_mimikatz_keywords.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/builtin/win_alert_mimikatz_keywords.yml b/rules/windows/builtin/win_alert_mimikatz_keywords.yml
index e352a76cb..41dbb1913 100644
--- a/rules/windows/builtin/win_alert_mimikatz_keywords.yml
+++ b/rules/windows/builtin/win_alert_mimikatz_keywords.yml
@@ -33,7 +33,7 @@ detection:
 - ' s::l '
 - 'gentilkiwi.com'
 - 'Kiwi Legit Printer'
- - 'sekurlsa::logonpasswords'
+ - 'sekurlsa::logonpasswords'
 - 'crypto::capi'
 - 'crypto::certificates'
 - 'crypto::certtohw'
From 8c61e58152e826e433df1ce27b22ff00f240e290 Mon Sep 17 00:00:00 2001
From: David ANDRE
Date: Mon, 20 Dec 2021 10:49:18 +0100
Subject: [PATCH 25/40] New rule to detect Mimimaktz MemSSP default log file creation
---
 .../file_event_mimimaktz_memssp_log_file.yml | 22 +++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 rules/windows/file_event/file_event_mimimaktz_memssp_log_file.yml
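Review bot: `module_names` pairs bare words (`rpc`, `token`, `process`, `privilege`, `lsadump`, `vault`, …) with a separate `'::'` check, so any command line that contains both satisfies `module_names and mimikatz_separator` — a PowerShell one-liner such as `[System.Diagnostics.Process]::GetProcessesByName('x')` has `process` and `::` on the same line, and the new `function_names` set has the same weakness (`mstsc` plus any `::`). The separator is far more selective when it is attached to the token: match `'rpc::'`, `'token::'`, `'process::'` for modules and `'::aadcookie'`, `'::mstsc'`, `'::multirdp'` for functions, then `mimikatz_separator` can go. The `module_names` list starts in the previous hunk (`rpc`, `token` are visible; the entries between `token` and `lsadump` are not), so those need the same `::` suffix.
```yaml
  module_names:
    CommandLine|contains:
      - 'rpc::'
      - 'token::'
      # … unchanged: remaining module names, each with a trailing '::' …
      - 'lsadump::'
      - 'privilege::'
      - 'process::'
      - 'vault::'
  function_names: # functions of modules too generic to list in module_names
    CommandLine|contains:
      - '::aadcookie'
      - '::detours'
      - '::memssp'
      - '::mflt'
      - '::ncroutemon'
      - '::ngcsign'
      - '::printnightmare'
      - '::skeleton'
      - '::preshutdown'
      - '::mstsc'
      - '::multirdp'
  condition: selection_1 or module_names or function_names
```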
diff --git a/rules/windows/file_event/file_event_mimimaktz_memssp_log_file.yml b/rules/windows/file_event/file_event_mimimaktz_memssp_log_file.yml
new file mode 100644
index 000000000..2beeb62f7
--- /dev/null
+++ b/rules/windows/file_event/file_event_mimimaktz_memssp_log_file.yml
@@ -0,0 +1,22 @@
+title: Mimikatz MemSSP default log file creation
+id: 034affe8-6170-11ec-844f-0f78aa0c4d66
+status: experimental
+description: Detects Mimikatz MemSSP default log file creation
+author: David ANDRE
+references:
+ - https://pentestlab.blog/2019/10/21/persistence-security-support-provider/
+date: 2021/12/20
+tags:
+ - attack.credential_access
+ - attack.t1003
+logsource:
+ product: windows
+ category: file_event
+detection:
+ mimikatz_memssp_filename:
+ TargetFilename|endswith:
+ - 'mimilsa.log'
+ condition: mimikatz_memssp_filename
+falsepositives:
+ - Unknown
+level: high
From cf65b61397718fd9215d39e8a9ceca09dca068c2 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 20 Dec 2021 12:51:27 +0100
Subject: [PATCH 26/40] Update file_event_mimimaktz_memssp_log_file.yml
---
 .../file_event/file_event_mimimaktz_memssp_log_file.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/rules/windows/file_event/file_event_mimimaktz_memssp_log_file.yml b/rules/windows/file_event/file_event_mimimaktz_memssp_log_file.yml
index 2beeb62f7..526903249 100644
--- a/rules/windows/file_event/file_event_mimimaktz_memssp_log_file.yml
+++ b/rules/windows/file_event/file_event_mimimaktz_memssp_log_file.yml
@@ -1,4 +1,4 @@
-title: Mimikatz MemSSP default log file creation
+title: Mimikatz MemSSP Default Log File Creation
 id: 034affe8-6170-11ec-844f-0f78aa0c4d66
 status: experimental
 description: Detects Mimikatz MemSSP default log file creation
@@ -18,5 +18,5 @@ detection:
 - 'mimilsa.log'
 condition: mimikatz_memssp_filename
 falsepositives:
- - Unknown
-level: high
+ - Unlikely
+level: critical
From 5d3f39e31760df5250f2405e38028d168b2f3863 Mon Sep 17 00:00:00 2001
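Review bot: `TargetFilename|endswith: - 'mimilsa.log'` has no path separator, so it also matches any file whose name merely ends in those characters; `'\mimilsa.log'` is the usual form and a single value can be a plain scalar rather than a one-item list. More importantly for a rule that is about to be rated critical, the only thing keyed on is the file name, and an IOC list, a test fixture or this very rule file saved under that name would trigger it; the referenced write-up describes the log as produced by the patched LSASS, so if that holds in a lab run, adding `Image|endswith: '\lsass.exe'` to the selection turns a name match into a near-certain positive and excludes the copy-a-file case — worth confirming before merge rather than assuming. The `falsepositives: Unlikely` / `level: critical` bump in the follow-up hunk is only justified with that extra constraint.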
From: Florian Roth
Date: Mon, 20 Dec 2021 12:53:45 +0100
Subject: [PATCH 27/40] fix: duplicate entry
---
 rules/windows/builtin/win_alert_mimikatz_keywords.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/rules/windows/builtin/win_alert_mimikatz_keywords.yml b/rules/windows/builtin/win_alert_mimikatz_keywords.yml
index 41dbb1913..9827cca1f 100644
--- a/rules/windows/builtin/win_alert_mimikatz_keywords.yml
+++ b/rules/windows/builtin/win_alert_mimikatz_keywords.yml
@@ -166,7 +166,6 @@ detection:
 - 'sekurlsa::minidump'
 - 'sekurlsa::msv'
 - 'sekurlsa::process'
- - 'sekurlsa::minidump'
 - 'sekurlsa::pth'
 - 'sekurlsa::ssp'
 - 'sekurlsa::tickets'
From ad65524fb7069a4e717a3f54986a62c69fb65297 Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Mon, 20 Dec 2021 13:59:38 +0100
Subject: [PATCH 28/40] fix: FP matching thor scanner
---
 rules/windows/other/windefend/win_alert_lsass_access.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/rules/windows/other/windefend/win_alert_lsass_access.yml b/rules/windows/other/windefend/win_alert_lsass_access.yml
index 90269aed6..0aef6a5d1 100644
--- a/rules/windows/other/windefend/win_alert_lsass_access.yml
+++ b/rules/windows/other/windefend/win_alert_lsass_access.yml
@@ -20,7 +20,12 @@ detection:
 selection:
 EventID: 1121
 Path|endswith: '\lsass.exe'
- condition: selection
+ filter_thor:
+ ProcessName|startswith: 'C:\Windows\Temp\asgard2-agent\'
+ ProcessName|endswith:
+ - '\thor64.exe'
+ - '\thor.exe'
+ condition: selection and not filter_thor
 falsepositives:
 - Google Chrome GoogleUpdate.exe
 - Some Taskmgr.exe related activity
From 145622afcfa80f16aff3129e48e81c103fcd95cd Mon Sep 17 00:00:00 2001
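Review bot: `filter_thor` allowlists LSASS access by a path under `C:\Windows\Temp\asgard2-agent\` plus an image name, and both are attacker-controllable: anything dropped as `C:\Windows\Temp\asgard2-agent\thor.exe` (or `thor64.exe`) now reads LSASS without this rule firing, and `C:\Windows\Temp` is typically writable by low-privileged code, so the exclusion is a trust decision rather than a fix. Defender event 1121 carries no signer or hash field to key on, so the filter cannot be made tamper-proof from this log source; at minimum record the bypass next to the filter, `# NOTE: path/name-based allowlist — a dropped thor.exe under this path evades the rule; tighten per deployment`, and consider keeping such product-specific exclusions in the deployment's Sigma config rather than the shared rule.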
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Mon, 20 Dec 2021 15:12:21 +0100
Subject: [PATCH 29/40] change level to medium as non-tunable in the wild FPs with powershell.exe are found
---
 rules/windows/process_creation/win_susp_csc_folder.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_susp_csc_folder.yml b/rules/windows/process_creation/win_susp_csc_folder.yml
index 108e06b1f..96ff5178b 100644
--- a/rules/windows/process_creation/win_susp_csc_folder.yml
+++ b/rules/windows/process_creation/win_susp_csc_folder.yml
@@ -35,4 +35,4 @@ detection:
 falsepositives:
 - https://twitter.com/gN3mes1s/status/1206874118282448897
 - https://twitter.com/gabriele_pippi/status/1206907900268072962
-level: high
+level: medium
From 12387fc275100765cde22450c01f59c94269655b Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 20 Dec 2021 17:28:42 +0100
Subject: [PATCH 30/40] Update win_alert_mimikatz_keywords.yml
---
 rules/windows/builtin/win_alert_mimikatz_keywords.yml | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/rules/windows/builtin/win_alert_mimikatz_keywords.yml b/rules/windows/builtin/win_alert_mimikatz_keywords.yml
index 9827cca1f..516ec9706 100644
--- a/rules/windows/builtin/win_alert_mimikatz_keywords.yml
+++ b/rules/windows/builtin/win_alert_mimikatz_keywords.yml
@@ -5,8 +5,8 @@ status: experimental
 author: Florian Roth (rule), David ANDRE (additional keywords)
 date: 2017/01/10
 modified: 2021/12/20
-reference:
- - https://tools.thehacker.recipes/mimikatz/modules
+references:
+ - https://tools.thehacker.recipes/mimikatz/modules
 tags:
 - attack.s0002
 - attack.t1003 # an old one
@@ -22,7 +22,6 @@ logsource:
 product: windows
 detection:
 keywords:
- - '\mimikatz'
 - 'mimikatz.exe'
 - '\mimilib.dll'
 - '<3 eo.oe'
@@ -78,7 +77,6 @@ detection:
 - 'sekurlsa::tickets'
 - 'kerberos::ptc'
 - 'kerberos::ptt'
- - 'kerberos::ptt'
 - 'kerberos::purge'
 - 'kerberos::tgt'
 - 'lsadump::backupkeys'
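Review bot: The second hunk drops `'\mimikatz'` from the keyword list without saying why; that term covered path and file-name forms (`\mimikatz\x64\`, `\mimikatz.ps1`, `\mimikatz_trunk.zip`) that the surviving `'mimikatz.exe'` literal does not, so after this commit the rule depends on the exact binary name plus module strings. If it went because of noise (rule files and tooling directories that contain the word), leave a one-line comment at the top of `keywords:` so it is not re-added, e.g. `# '\mimikatz' intentionally absent: too noisy on tooling/rule paths; binary name and module strings cover the rest`. The `references:` key correction in the first hunk is right.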
@@ -105,7 +103,6 @@ detection:
 - 'misc::efs'
 - 'misc::lock'
 - 'misc::memssp'
- - 'misc::memssp'
 - 'misc::mflt'
 - 'misc::ncroutemon'
 - 'misc::ngcsign'
From 75765f2aef7a5c017ff590013fe4a6a5b34d5008 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 20 Dec 2021 17:30:03 +0100
Subject: [PATCH 31/40] Update win_mimikatz_command_line.yml
---
 .../win_mimikatz_command_line.yml | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/rules/windows/process_creation/win_mimikatz_command_line.yml b/rules/windows/process_creation/win_mimikatz_command_line.yml
index 6f175ac0b..c876678d4 100644
--- a/rules/windows/process_creation/win_mimikatz_command_line.yml
+++ b/rules/windows/process_creation/win_mimikatz_command_line.yml
@@ -8,6 +8,14 @@ references:
 - https://tools.thehacker.recipes/mimikatz/modules
 date: 2019/10/22
 modified: 2021/12/20
+tags:
+ - attack.credential_access
+ - attack.t1003 # an old one
+ - attack.t1003.001
+ - attack.t1003.002
+ - attack.t1003.004
+ - attack.t1003.005
+ - attack.t1003.006
 logsource:
 category: process_creation
 product: windows
@@ -48,11 +56,3 @@ detection:
 falsepositives:
 - Legitimate Administrator using tool for password recovery
 level: medium
-tags:
- - attack.credential_access
- - attack.t1003 # an old one
- - attack.t1003.001
- - attack.t1003.002
- - attack.t1003.004
- - attack.t1003.005
- - attack.t1003.006
From 3c7b4b7225eba37a25c146cf864fad4122aa2b63 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 20 Dec 2021 18:40:19 +0100
Subject: [PATCH 32/40] Update win_alert_mimikatz_keywords.yml
---
 .../builtin/win_alert_mimikatz_keywords.yml | 23 +++++++------------
 1 file changed, 8 insertions(+), 15 deletions(-)
diff --git a/rules/windows/builtin/win_alert_mimikatz_keywords.yml b/rules/windows/builtin/win_alert_mimikatz_keywords.yml
index 516ec9706..94c353e36 100644
--- a/rules/windows/builtin/win_alert_mimikatz_keywords.yml
+++ b/rules/windows/builtin/win_alert_mimikatz_keywords.yml
@@ -22,17 +22,7 @@ logsource:
 product: windows
 detection:
 keywords:
- - 'mimikatz.exe'
- - '\mimilib.dll'
 - '<3 eo.oe'
- - 'eo.oe.kiwi'
- - 'lsadump::sam'
- - 'mimidrv.sys'
- - ' p::d '
- - ' s::l '
- - 'gentilkiwi.com'
- - 'Kiwi Legit Printer'
- - 'sekurlsa::logonpasswords'
 - 'crypto::capi'
 - 'crypto::certificates'
 - 'crypto::certtohw'
@@ -67,18 +57,21 @@ detection:
 - 'dpapi::vault'
 - 'dpapi::wifi'
 - 'dpapi::wwman'
+ - 'eo.oe.kiwi'
 - 'event::clear'
 - 'event::drop'
+ - 'gentilkiwi.com'
+ - 'id::modify'
 - 'kerberos::ask'
 - 'kerberos::clist'
 - 'kerberos::golden'
 - 'kerberos::hash'
 - 'kerberos::list'
- - 'sekurlsa::tickets'
 - 'kerberos::ptc'
 - 'kerberos::ptt'
 - 'kerberos::purge'
 - 'kerberos::tgt'
+ - 'Kiwi Legit Printer'
 - 'lsadump::backupkeys'
 - 'lsadump::cache'
 - 'lsadump::changentlm'
@@ -95,6 +88,8 @@ detection:
 - 'lsadump::setntlm'
 - 'lsadump::trust'
 - 'lsadump::zerologon'
+ - 'mimidrv.sys'
+ - '\mimilib.dll'
 - 'misc::aadcookie'
 - 'misc::clip'
 - 'misc::cmd'
@@ -127,6 +122,7 @@ detection:
 - 'net::trust'
 - 'net::user'
 - 'net::wsession'
+ - ' p::d '
 - 'privilege::backup'
 - 'privilege::debug'
 - 'privilege::driver'
@@ -166,11 +162,9 @@ detection:
 - 'sekurlsa::pth'
 - 'sekurlsa::ssp'
 - 'sekurlsa::tickets'
- - 'kerberos::list'
 - 'sekurlsa::trust'
 - 'sekurlsa::tspkg'
 - 'sekurlsa::wdigest'
- - 'rpc::server'
 - 'service::me'
 - 'service::preshutdown'
 - 'service::remove'
@@ -184,9 +178,8 @@ detection:
 - 'sid::lookup'
 - 'sid::modify'
 - 'sid::patch'
- - 'id::modify'
- - 'sid::add'
 - 'sid::query'
+ - ' s::l '
 - 'standard::answer'
 - 'standard::base64'
 - 'standard::cd'
From b490086d37b40542c17973e3857b19633a85584e Mon Sep 17 00:00:00 2001
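Review bot: The alphabetical re-sort silently drops `'mimikatz.exe'`: the first hunk removes it along with `'eo.oe.kiwi'`, `'gentilkiwi.com'`, `'mimidrv.sys'`, `'\mimilib.dll'`, `' p::d '` and `' s::l '`, but only those six are re-inserted in the later hunks, so after `'\mimikatz'` went in the previous commit the rule no longer matches the tool's own binary name at all (`'lsadump::sam'` and `'sekurlsa::logonpasswords'` survive only through their later copies). The second hunk also reinstates `'id::modify'`, which the last hunk removes as a duplicate and which reads as a typo of the `'sid::modify'` already present. If dropping the binary name is intentional it belongs in the commit message; otherwise add `+ - 'mimikatz.exe'` between `'mimidrv.sys'` and `'\mimilib.dll'` and leave `'id::modify'` out.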
From: frack113
Date: Mon, 20 Dec 2021 18:59:11 +0100
Subject: [PATCH 33/40] Add thedfirreport Diavol Ransomware
---
 .../win_pc_sqlcmd_veeam_dump.yml | 29 ++++++++++++++
 .../win_pc_susp_reg_open_command.yml | 38 +++++++++++++++++++
 2 files changed, 67 insertions(+)
 create mode 100644 rules/windows/process_creation/win_pc_sqlcmd_veeam_dump.yml
 create mode 100644 rules/windows/process_creation/win_pc_susp_reg_open_command.yml
diff --git a/rules/windows/process_creation/win_pc_sqlcmd_veeam_dump.yml b/rules/windows/process_creation/win_pc_sqlcmd_veeam_dump.yml
new file mode 100644
index 000000000..1583ff3e2
--- /dev/null
+++ b/rules/windows/process_creation/win_pc_sqlcmd_veeam_dump.yml
@@ -0,0 +1,29 @@
+title: VeeamBackup Database Credentials Dump
+id: b57ba453-b384-4ab9-9f40-1038086b4e53
+status: experimental
+author: frack113
+date: 2021/12/20
+description: Detects dump of credentials in VeeamBackup dbo
+references:
+ - https://thedfirreport.com/2021/12/13/diavol-ransomware/
+ - https://forums.veeam.com/veeam-backup-replication-f2/recover-esxi-password-in-veeam-t34630.html
+tags:
+ - attack.collection
+ - attack.t1005
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_tools:
+ CommandLine|contains:
+ - 'sqlcmd '
+ - 'sqlcmd.exe'
+ selection_query:
+ CommandLine|contains|all:
+ - 'SELECT'
+ - 'TOP'
+ - '[VeeamBackup].[dbo].[Credentials]'
+ condition: all of selection*
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/win_pc_susp_reg_open_command.yml b/rules/windows/process_creation/win_pc_susp_reg_open_command.yml
new file mode 100644
index 000000000..d189fee78
--- /dev/null
+++ b/rules/windows/process_creation/win_pc_susp_reg_open_command.yml
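Review bot: `selection_query` requires the literal `'TOP'` and the fully bracketed `'[VeeamBackup].[dbo].[Credentials]'`, so the rule only fires on the exact statement quoted in the DFIR report; `select * from VeeamBackup.dbo.Credentials`, or `-d VeeamBackup -Q "select user_name,password from Credentials"`, dump the same table and miss. Drop `TOP`, match the database and table names without the bracket/schema decoration, and pin the tool on its image rather than a `'sqlcmd '` substring of the command line (the `OriginalFileName` of sqlcmd.exe would be a good second alternative if someone verifies its value). Since the table holds stored credentials, `attack.credential_access` / `attack.t1555` describes this better than collection/T1005.
```yaml
detection:
  selection_tools:
    Image|endswith: '\sqlcmd.exe'
  selection_query:
    CommandLine|contains|all:
      - 'SELECT'
      - 'VeeamBackup'
      - 'Credentials'
  condition: all of selection*
```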
@@ -0,0 +1,38 @@
+title: Suspicious Reg Add Open Command
+id: dd3ee8cc-f751-41c9-ba53-5a32ed47e563
+status: experimental
+description: Threat actors performed dumping of SAM, SECURITY and SYSTEM registry hives using DelegateExecute key
+references:
+ - https://thedfirreport.com/2021/12/13/diavol-ransomware/
+author: frack113
+date: 2021/12/20
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_1:
+ CommandLine|contains|all:
+ - 'reg'
+ - 'add'
+ - 'hkcu\software\classes\ms-settings\shell\open\command'
+ - '/ve '
+ - '/d'
+ selection_2:
+ CommandLine|contains|all:
+ - 'reg'
+ - 'add'
+ - 'hkcu\software\classes\ms-settings\shell\open\command'
+ - '/v'
+ - 'DelegateExecute'
+ selection_3:
+ CommandLine|contains|all:
+ - 'reg'
+ - 'delete'
+ - 'hkcu\software\classes\ms-settings'
+ condition: 1 of selection_*
+falsepositives:
+ - unknown
+level: medium
+tags:
+ - attack.credential_access
+ - attack.t1003
From 5ac7c0a0763cb689553f0b2471a6f6788efcef08 Mon Sep 17 00:00:00 2001
From: Andreas Hunkeler
Date: Mon, 20 Dec 2021 22:58:32 +0100
Subject: [PATCH 34/40] rule: add further reference in regsrv32 rule
---
 rules/windows/process_creation/win_pc_susp_regsvr32_image.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rules/windows/process_creation/win_pc_susp_regsvr32_image.yml b/rules/windows/process_creation/win_pc_susp_regsvr32_image.yml
index dc43c5d12..4f232b8ce 100644
--- a/rules/windows/process_creation/win_pc_susp_regsvr32_image.yml
+++ b/rules/windows/process_creation/win_pc_susp_regsvr32_image.yml
@@ -4,6 +4,7 @@ status: experimental
 description: utilizes REGSVR32.exe to execute this DLL masquerading as a Image file
 references:
 - https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/
+ - https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html
 tags:
 - attack.defense_evasion
 - attack.t1218.010
From 090e0304d409075219cceaafdbb9b99206bcf6d8 Mon Sep 17 00:00:00 2001
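Review bot: The description says the rule detects dumping of the SAM, SECURITY and SYSTEM hives, but none of the three selections matches hive access — they match `reg add`/`reg delete` on `hkcu\software\classes\ms-settings\shell\open\command` with `DelegateExecute`, i.e. the ms-settings handler modification used for UAC bypass; the hive dump is what the referenced report observed afterwards. A description of what is actually matched, e.g. `Detects modification of the ms-settings shell open command handler (DelegateExecute), observed before credential dumping in the Diavol case`, plus `attack.privilege_escalation` and `attack.t1548.002` next to the existing credential-access tags, keeps triage accurate. `- unknown` under `falsepositives` is lower-case while the sibling rule in this patch writes `Unknown`; the `'reg'` and `'add'` substrings are short, but the key path carries the selection.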
From: Andreas Hunkeler
Date: Mon, 20 Dec 2021 23:36:23 +0100
Subject: [PATCH 35/40] rule: abuse of permissions to hide services
---
 .../win_using_sc_to_hide_sevices.yml | 28 +++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 rules/windows/process_creation/win_using_sc_to_hide_sevices.yml
diff --git a/rules/windows/process_creation/win_using_sc_to_hide_sevices.yml b/rules/windows/process_creation/win_using_sc_to_hide_sevices.yml
new file mode 100644
index 000000000..ebc8bf7af
--- /dev/null
+++ b/rules/windows/process_creation/win_using_sc_to_hide_sevices.yml
@@ -0,0 +1,28 @@
+title: Abuse of Service Permissions to Hide Services in Tools
+id: a537cfc3-4297-4789-92b5-345bfd845ad0
+status: experimental
+description: Detection of sc.exe utility adding a new service with special permission which hides that service.
+author: Andreas Hunkeler (@Karneades)
+references:
+ - https://blog.talosintelligence.com/2021/10/threat-hunting-in-large-datasets-by.html
+ - https://www.sans.org/blog/red-team-tactics-hiding-windows-services/
+date: 2021/12/20
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ sc:
+ Image|endswith: '\sc.exe'
+ cli:
+ CommandLine|contains|all:
+ - 'sdset'
+ - 'DCLCWPDTSD'
+ condition: sc and cli
+falsepositives:
+ - Intended use of hidden services
+level: high
+tags:
+ - attack.persistence
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.t1574.011
From d5bfce1e366fc42bb7c61eb1793f7f10b32b13b3 Mon Sep 17 00:00:00 2001
From: David ANDRE
Date: Tue, 21 Dec 2021 10:23:23 +0100
Subject: [PATCH 36/40] Removed duplicate filter entries.
---
 .../win_susp_system_user_anomaly.yml | 12 ++----------
 1 file changed, 2 insertions(+), 10 deletions(-)
diff --git a/rules/windows/process_creation/win_susp_system_user_anomaly.yml b/rules/windows/process_creation/win_susp_system_user_anomaly.yml
index 4a429ff7d..630cb6612 100644
--- a/rules/windows/process_creation/win_susp_system_user_anomaly.yml
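Review bot: The new file is named `win_using_sc_to_hide_sevices.yml` — `sevices` is a typo for `services`, and renaming is cheapest now, before other tooling references the path. The description also says the rule catches "adding a new service", whereas `cli` matches `sdset` on any service, new or existing; `Detection of sc.exe setting a service security descriptor that hides the service from management tools` describes the match more precisely. `cli` requires the exact rights string `'DCLCWPDTSD'`; a comment such as `# rights string as seen in the referenced posts; other spellings of the same descriptor are not covered` makes that coverage limit visible to whoever tunes the rule.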
+++ b/rules/windows/process_creation/win_susp_system_user_anomaly.yml
@@ -84,15 +84,14 @@ detection:
 - 'dpapi::wwman' #Mimikatz
 - 'event::clear' #Mimikatz
 - 'event::drop' #Mimikatz
+ - 'id::modify' #Mimikatz
 - 'kerberos::ask' #Mimikatz
 - 'kerberos::clist' #Mimikatz
 - 'kerberos::golden' #Mimikatz
 - 'kerberos::hash' #Mimikatz
 - 'kerberos::list' #Mimikatz
- - 'sekurlsa::tickets' #Mimikatz
 - 'kerberos::ptc' #Mimikatz
 - 'kerberos::ptt' #Mimikatz
- - 'kerberos::ptt' #Mimikatz
 - 'kerberos::purge' #Mimikatz
 - 'kerberos::tgt' #Mimikatz
 - 'lsadump::backupkeys' #Mimikatz
@@ -119,7 +118,6 @@ detection:
 - 'misc::efs' #Mimikatz
 - 'misc::lock' #Mimikatz
 - 'misc::memssp' #Mimikatz
- - 'misc::memssp' #Mimikatz
 - 'misc::mflt' #Mimikatz
 - 'misc::ncroutemon' #Mimikatz
 - 'misc::ngcsign' #Mimikatz
@@ -176,19 +174,15 @@ detection:
 - 'sekurlsa::kerberos' #Mimikatz
 - 'sekurlsa::krbtgt' #Mimikatz
 - 'sekurlsa::livessp' #Mimikatz
- - 'sekurlsa::logonpasswords' #Mimikatz
 - 'sekurlsa::minidump' #Mimikatz
 - 'sekurlsa::msv' #Mimikatz
 - 'sekurlsa::process' #Mimikatz
- - 'sekurlsa::minidump' #Mimikatz
 - 'sekurlsa::pth' #Mimikatz
 - 'sekurlsa::ssp' #Mimikatz
 - 'sekurlsa::tickets' #Mimikatz
- - 'kerberos::list' #Mimikatz
 - 'sekurlsa::trust' #Mimikatz
 - 'sekurlsa::tspkg' #Mimikatz
 - 'sekurlsa::wdigest' #Mimikatz
- - 'rpc::server' #Mimikatz
 - 'service::me' #Mimikatz
 - 'service::preshutdown' #Mimikatz
 - 'service::remove' #Mimikatz
@@ -202,8 +196,6 @@ detection:
 - 'sid::lookup' #Mimikatz
 - 'sid::modify' #Mimikatz
 - 'sid::patch' #Mimikatz
- - 'id::modify' #Mimikatz
- - 'sid::add' #Mimikatz
 - 'sid::query' #Mimikatz
 - 'standard::answer' #Mimikatz
 - 'standard::base64' #Mimikatz
@@ -227,7 +219,7 @@ detection:
 - 'ts::remote' #Mimikatz
 - 'ts::sessions' #Mimikatz
 - 'vault::cred' #Mimikatz
- - 'vault::list'
+ - 'vault::list' #Mimikatz
 - ' p::d ' # Mimikatz
 - ';iex(' # PowerShell IEX
 - 'MiniDump' # Process dumping method apart from procdump
From c0a6de06c4ec8aec3fbad234ad75a492885b31eb Mon Sep 17 00:00:00 2001
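Review bot: Three of the ten deletions are not duplicates within the visible hunks: `'sekurlsa::logonpasswords'` and `'rpc::server'` (third hunk) and `'sid::add'` (fourth hunk) are each removed at their alphabetical position with no second copy shown in context, whereas every other removed line has its twin right next to it. If they do not also appear in the unsorted tail of the list (the `' p::d '` / `';iex('` region of the last hunk), the commit drops coverage rather than deduplicating, so please confirm against the full list. The last hunk's new `'vault::list' #Mimikatz` follows the unspaced comment form while the adjacent lines use `# Mimikatz`; yamllint's `comments` rule expects the spaced form, so `'vault::list' # Mimikatz` would be consistent with its neighbours.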
From: Andreas Hunkeler
Date: Tue, 21 Dec 2021 11:25:08 +0100
Subject: [PATCH 37/40] rule: Add Java class proxy download rule
---
 rules/proxy/proxy_java_class_download.yml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 create mode 100644 rules/proxy/proxy_java_class_download.yml
diff --git a/rules/proxy/proxy_java_class_download.yml b/rules/proxy/proxy_java_class_download.yml
new file mode 100644
index 000000000..efa420f2e
--- /dev/null
+++ b/rules/proxy/proxy_java_class_download.yml
@@ -0,0 +1,19 @@
+title: Java Class Proxy Download
+id: 53c15703-b04c-42bb-9055-1937ddfb3392
+status: experimental
+description: Detects Java class download in proxy logs, e.g. used in Log4shell exploitation attacks against Log4j.
+references:
+ - https://www.lunasec.io/docs/blog/log4j-zero-day/
+author: Andreas Hunkeler (@Karneades)
+date: 2021/12/21
+tags:
+ - attack.initial_access
+logsource:
+ category: proxy
+detection:
+ selection:
+ c-uri|endswith: '.class'
+ condition: selection
+falsepositives:
+ - Unknown
+level: critical
From c842b12970c485a334180b737c996209fe836312 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 21 Dec 2021 13:22:47 +0100
Subject: [PATCH 38/40] Update proxy_java_class_download.yml
---
 rules/proxy/proxy_java_class_download.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/proxy/proxy_java_class_download.yml b/rules/proxy/proxy_java_class_download.yml
index efa420f2e..66c3ff4bd 100644
--- a/rules/proxy/proxy_java_class_download.yml
+++ b/rules/proxy/proxy_java_class_download.yml
@@ -16,4 +16,4 @@ detection:
 condition: selection
 falsepositives:
 - Unknown
-level: critical
+level: high
From 6e19e75ece3a601ae16a91fc05a031a3bc924fcb Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 21 Dec 2021 13:24:36 +0100
Subject: [PATCH 39/40] Update win_pc_sqlcmd_veeam_dump.yml
---
 rules/windows/process_creation/win_pc_sqlcmd_veeam_dump.yml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
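Review bot: `c-uri|endswith: '.class'` fires on every URI that ends in the extension, so ordinary Java resource traffic (applets, JNLP bundles, artifact mirrors) matches, while a class fetched with a query string or trailing parameters does not; `falsepositives: - Unknown` understates the first problem at the original `level: critical`. Listing legitimate Java class retrievals as a known false positive, and adding a comment on the selection line such as `# endswith does not cover .class URIs followed by a query string`, documents both limits for whoever tunes the rule. The next patch in this series lowers `level` to high but leaves the matching and the falsepositives entry unchanged.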
diff --git a/rules/windows/process_creation/win_pc_sqlcmd_veeam_dump.yml b/rules/windows/process_creation/win_pc_sqlcmd_veeam_dump.yml
index 1583ff3e2..a3a7a4835 100644
--- a/rules/windows/process_creation/win_pc_sqlcmd_veeam_dump.yml
+++ b/rules/windows/process_creation/win_pc_sqlcmd_veeam_dump.yml
@@ -15,9 +15,7 @@ logsource:
 product: windows
 detection:
 selection_tools:
- CommandLine|contains:
- - 'sqlcmd '
- - 'sqlcmd.exe'
+ Image|endswith: 'sqlcmd.exe'
 selection_query:
 CommandLine|contains|all:
 - 'SELECT'
From 59bfca6aba5eb0d145bf4ec74530eec3495a89fa Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Tue, 21 Dec 2021 13:28:47 +0100
Subject: [PATCH 40/40] Update win_pc_sqlcmd_veeam_dump.yml
---
 rules/windows/process_creation/win_pc_sqlcmd_veeam_dump.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_pc_sqlcmd_veeam_dump.yml b/rules/windows/process_creation/win_pc_sqlcmd_veeam_dump.yml
index a3a7a4835..897fde0bb 100644
--- a/rules/windows/process_creation/win_pc_sqlcmd_veeam_dump.yml
+++ b/rules/windows/process_creation/win_pc_sqlcmd_veeam_dump.yml
@@ -15,7 +15,7 @@ logsource:
 product: windows
 detection:
 selection_tools:
- Image|endswith: 'sqlcmd.exe'
+ Image|endswith: '\sqlcmd.exe'
 selection_query:
 CommandLine|contains|all:
 - 'SELECT'