From b755d4fb6818dac5807ca582adbd67fe7e4f4649 Mon Sep 17 00:00:00 2001
From: yugoslavskiy
Date: Tue, 5 Nov 2019 02:31:20 +0300
Subject: [PATCH] Update and rename win_system_owner_user_discovery.yml to win_local_system_owner_account_discovery.yml
---
 ...n_local_system_owner_account_discovery.yml | 60 +++++++++++++++++++
 .../win_system_owner_user_discovery.yml | 30 ----------
 2 files changed, 60 insertions(+), 30 deletions(-)
 create mode 100644 rules/windows/process_creation/win_local_system_owner_account_discovery.yml
 delete mode 100644 rules/windows/process_creation/win_system_owner_user_discovery.yml
diff --git a/rules/windows/process_creation/win_local_system_owner_account_discovery.yml b/rules/windows/process_creation/win_local_system_owner_account_discovery.yml
new file mode 100644
index 000000000..654f1edba
--- /dev/null
+++ b/rules/windows/process_creation/win_local_system_owner_account_discovery.yml
@@ -0,0 +1,60 @@
+title: Local accounts discovery
+status: experimental
+description: Local accounts, System Owner/User discovery using operating systems utilities
+author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community
+date: 2019/10/21
+modified: 2019/11/04
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.yaml
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_1:
+ - Image: '*\whoami.exe'
+ - Image: '*\wmic.exe'
+ CommandLine|contains|all:
+ - 'useraccount'
+ - 'get'
+ - Image:
+ - '*\quser.exe'
+ - '*\qwinsta.exe'
+ - Image: '*\cmdkey.exe'
+ CommandLine|contains: '/list'
+ - Image: '*\cmd.exe'
+ CommandLine|contains|all:
+ - '/c'
+ - 'dir'
+ - '\Users\'
+ selection_2:
+ Image:
+ - '*\net.exe'
+ - '*\net1.exe'
+ CommandLine|contains: 'user'
+ filter:
+ CommandLine|contains:
+ - '/domain' # local account discovery only
+ - '/add' # discovery only
+ - '/delete' # discovery only
+ - '/active' # discovery only
+ - '/expires' # discovery only
+ - '/passwordreq' # discovery only
+ - '/scriptpath' # discovery only
+ - '/times' # discovery only
+ - '/workstations' # discovery only
+ condition: selection_1 or ( selection_2 and not filter )
+fields:
+ - Image
+ - CommandLine
+ - User
+ - LogonGuid
+ - Hashes
+ - ParentProcessGuid
+ - ParentCommandLine
+falsepositives:
+ - Legitimate administrator or user enumerates local users for legitimate reason
+level: low
+tags:
+ - attack.discovery
+ - attack.t1033
+ - attack.t1087
diff --git a/rules/windows/process_creation/win_system_owner_user_discovery.yml b/rules/windows/process_creation/win_system_owner_user_discovery.yml
deleted file mode 100644
index 9936bb6de..000000000
--- a/rules/windows/process_creation/win_system_owner_user_discovery.yml
+++ /dev/null
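Review bot: `CommandLine|contains: 'user'` in selection_2 is a bare substring match, so any net.exe/net1.exe invocation whose command line merely contains "user" — most visibly the `/user:` switch of `net use` in logon and drive-mapping scripts — satisfies selection_2, and the filter list only removes the account-management switches of `net user`, so those events reach the condition unfiltered. Tightening the match to the subcommand, e.g. `CommandLine|contains: ' user'` (the leading space no longer matches `/user:`), or adding the `net use` form to filter, would keep the rule on local-account enumeration; if the broader match is intended, the falsepositives entry should say that mapped-drive commands are expected hits. Separately, the new rule's references list carries only the Atomic Red Team link, while the file removed in the second hunk also cited https://attack.mitre.org/techniques/T1033/; restoring that entry, and adding the corresponding technique page for the new attack.t1087 tag, would keep tags and references consistent.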
@@ -1,30 +0,0 @@
-title: System Owner/User Discovery
-status: experimental
-description: Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
-author: Timur Zinniatullin, oscd.community
-references:
- https://attack.mitre.org/techniques/T1033/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1033/T1033.yaml
-logsource:
- category: process_creation
- product: windows
-detection:
- selection:
- CommandLine:
- - '*cmd.exe*/c*whoami*'
- - '*wmic*useraccount*get*'
- - '*quser*'
- - '*qwinsta*'
- condition: selection
-fields:
- Image
- CommandLine
- User
- LogonGuid
- Hashes
- ParentProcessGuid
- ParentCommandLine
-level: low
-tags:
- attack.discovery
- attack.t1033