diff --git a/rules/linux/builtin/lnx_pwnkit_local_privilege_escalation.yml b/rules/linux/builtin/lnx_pwnkit_local_privilege_escalation.yml
new file mode 100644
index 000000000..defe1cce7
--- /dev/null
+++ b/rules/linux/builtin/lnx_pwnkit_local_privilege_escalation.yml
@@ -0,0 +1,23 @@
+title: PwnKit Local Privilege Escalation
+id: 0506a799-698b-43b4-85a1-ac4c84c720e9
+status: experimental
+description: Detects potential PwnKit exploitation CVE-2021-4034 in auth logs
+author: Sreeman
+date: 2022/01/26
+references:
+ - https://twitter.com/wdormann/status/1486161836961579020
+logsource:
+ product: linux
+ service: auth
+detection:
+ keyword:
+ - 'pkexec'
+ - 'The value for environment variable XAUTHORITY contains suscipious content'
+ - '[USER=root] [TTY=/dev/pts/0]'
+ condition: all of keyword
+falsepositives:
+ - Unknown
+level: high
+tags:
+ - attack.privilege_escalation
+ - attack.t1548.001
\ No newline at end of file
diff --git a/rules/windows/builtin/application/win_builtin_remove_application.yml b/rules/windows/builtin/application/win_builtin_remove_application.yml
new file mode 100644
index 000000000..3209074b4
--- /dev/null
+++ b/rules/windows/builtin/application/win_builtin_remove_application.yml
@@ -0,0 +1,22 @@
+title: An Application Is Uninstall
+id: 570ae5ec-33dc-427c-b815-db86228ad43e
+status: experimental
+description: An application have been remove check if it is a critical
+author: frack113
+date: 2022/01/28
+logsource:
+ product: windows
+ service: application
+detection:
+ selection:
+ Provider_Name: 'MsiInstaller'
+ EventID:
+ - 11724
+ - 1034
+ condition: selection
+falsepositives:
+ - Unknown
+level: low
+tags:
+ - attack.impact
+ - attack.t1489
diff --git a/rules/windows/deprecated/sysmon_mimikatz_detection_lsass.yml b/rules/windows/deprecated/sysmon_mimikatz_detection_lsass.yml
index facf54321..ef6dcdd0f 100644
--- a/rules/windows/deprecated/sysmon_mimikatz_detection_lsass.yml
+++ b/rules/windows/deprecated/sysmon_mimikatz_detection_lsass.yml
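Review bot: The third keyword `'[USER=root] [TTY=/dev/pts/0]'` in lnx_pwnkit_local_privilege_escalation.yml hard-codes the terminal, so an attempt logged from any other pty or tty (a second pseudo-terminal, an SSH session, a console login) is not matched at all; `'[USER=root]'` alone keeps the root-target signal without tying the rule to one terminal. The `condition: all of keyword` also deserves a check: as far as I recall, a list under a single keyword selection is OR-ed by the Sigma backends, so `'pkexec'` on its own would fire on every ordinary pkexec auth entry — if the intent is AND, the three strings need to be separate named selections combined with `all of`. The file also ends without a trailing newline.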
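Review bot: The title and description of win_builtin_remove_application.yml are ungrammatical and say nothing about what the analyst should do with the alert; `title: An Application Was Uninstalled` and `description: An application has been removed via MsiInstaller (EventID 11724/1034); check whether it is a security-relevant or critical application`. The falsepositives entry should say that routine software updates and uninstalls by administrators trigger it, since the rule is low level and informational by design.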
@@ -13,7 +13,7 @@ tags:
 - car.2019-04-004
 author: Sherif Eldeeb
 date: 2017/10/18
-modified: 2021/11/30
+modified: 2022/01/28
 logsource:
 product: windows
 category: process_access
@@ -25,7 +25,9 @@ detection:
 - '0x1010'
 - '0x410'
 filter:
- SourceImage|startswith: 'C:\Program Files\WindowsApps\'
+ SourceImage|startswith:
+ - 'C:\Program Files\WindowsApps\'
+ - 'C:\Windows\System32\'
 SourceImage|endswith: '\GamingServices.exe'
 condition: selection and not filter
 fields:
diff --git a/rules/windows/file_event/win_fe_install_teamviewer_desktop.yml b/rules/windows/file_event/win_fe_install_teamviewer_desktop.yml
new file mode 100644
index 000000000..151147665
--- /dev/null
+++ b/rules/windows/file_event/win_fe_install_teamviewer_desktop.yml
@@ -0,0 +1,21 @@
+title: Installation of TeamViewer Desktop
+id: 9711de76-5d4f-4c50-a94f-21e4e8f8384d
+status: experimental
+description: TeamViewer_Desktop.exe is create during install
+author: frack113
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md#atomic-test-1---teamviewer-files-detected-test-on-windows
+date: 2022/01/28
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ TargetFilename|endswith: \TeamViewer_Desktop.exe
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.command_and_control
+ - attack.t1219
diff --git a/rules/windows/process_access/sysmon_lsass_memdump.yml b/rules/windows/process_access/sysmon_lsass_memdump.yml
index 289f16f67..d45b15459 100755
--- a/rules/windows/process_access/sysmon_lsass_memdump.yml
+++ b/rules/windows/process_access/sysmon_lsass_memdump.yml
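Review bot: The widened filter in sysmon_mimikatz_detection_lsass.yml combines `SourceImage|startswith` with `SourceImage|endswith: '\GamingServices.exe'`, so any binary named GamingServices.exe in any subdirectory below `C:\Windows\System32\` or `C:\Program Files\WindowsApps\` is now excluded from the LSASS-access detection, not only the legitimate installs. For the System32 entry the location is fixed, so an exact `SourceImage` value such as `C:\Windows\System32\GamingServices.exe` (constructed from the prefix and suffix in the hunk — confirm against observed events) keeps that part of the exclusion narrow; the WindowsApps entry is versioned and can stay a prefix. If the startswith form is kept, the rule should record why System32 was added. Note that this file lives under rules/windows/deprecated/, so the change may be moot for most consumers.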
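Review bot: win_fe_install_teamviewer_desktop.yml lists `falsepositives: Unknown` although every legitimate TeamViewer installation writes the same file and will fire this medium-level rule; `- Legitimate TeamViewer installations by users or software distribution` is the honest entry. The description `TeamViewer_Desktop.exe is create during install` should read `Detects the creation of TeamViewer_Desktop.exe, which is written when TeamViewer is installed`. The unquoted value `\TeamViewer_Desktop.exe` differs from the quoted style used by the other rules in this commit.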
@@ -4,7 +4,7 @@ status: experimental
 description: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.
 author: Samir Bousseaden, Michael Haag
 date: 2019/04/03
-modified: 2022/01/27
+modified: 2022/01/29
 references:
 - https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html
 - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
@@ -22,15 +22,14 @@ detection:
 TargetImage|endswith: '\lsass.exe'
 GrantedAccess|contains:
 - '0x1fffff'
- - '0x01000'
+ #- '0x01000' # Too many false positives
 #- '0x1010' # Too many false positives
 - '0x1038'
 - '0x40'
 #- '0x1400' # Too many false positives
- - '0x1410'
+ # - '0x1410' # Too many false positives
 - '0x1438'
 - '0x143a'
- - '0x1000'
 CallTrace|contains:
 - 'dbghelp.dll'
 - 'dbgcore.dll'
diff --git a/rules/windows/process_creation/process_creation_tool_nircmd.yml b/rules/windows/process_creation/process_creation_tool_nircmd.yml
new file mode 100644
index 000000000..2b9f1644c
--- /dev/null
+++ b/rules/windows/process_creation/process_creation_tool_nircmd.yml
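Review bot: The two newly disabled entries in sysmon_lsass_memdump.yml are commented out in different styles, `#- '0x01000' # Too many false positives` versus `# - '0x1410' # Too many false positives`, while the existing disabled lines use the `#- …` form; pick one. More substantively, the remaining `GrantedAccess|contains: '0x40'` is a substring test and, as I read it, also matches any access mask whose rendered string contains 0x40 (a mask rendered as 0x400, for instance), which is broader than the single right it appears to target; if an exact match is intended, a plain value list without `contains` would be tighter — verify how the backends render this field before changing it. The detection block continues outside this hunk.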
@@ -0,0 +1,37 @@
+title: NirCmd Tool Execution
+id: 4e2ed651-1906-4a59-a78a-18220fca1b22
+status: experimental
+description: Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity
+author: 'Florian Roth, Nasreddine Bencherchali @nas_bench'
+date: 2022/01/24
+references:
+ - https://www.nirsoft.net/utils/nircmd.html
+ - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
+ - https://www.nirsoft.net/utils/nircmd2.html#using
+tags:
+ - attack.execution
+ - attack.t1569.002
+ - attack.s0029
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith:
+ - '\nircmd.exe'
+ - '\nircmdc.exe'
+ selection_params:
+ CommandLine|contains:
+ - ' execmd '
+ - ' exec2 '
+ selection_commands:
+ CommandLine|contains:
+ - ' copy '
+ - ' del '
+ condition: selection or ( selection_params and selection_commands )
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Legitimate use by administrators
+level: medium
diff --git a/rules/windows/process_creation/process_creation_tool_nircmd_as_system.yml b/rules/windows/process_creation/process_creation_tool_nircmd_as_system.yml
new file mode 100644
index 000000000..43bb8c2e3
--- /dev/null
+++ b/rules/windows/process_creation/process_creation_tool_nircmd_as_system.yml
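Review bot: The tag `attack.s0029` in process_creation_tool_nircmd.yml (and in process_creation_tool_nircmd_as_system.yml, process_creation_tool_nsudo_as_system.yml and process_creation_tool_runx_as_system.yml) does not look right: as far as I recall, S0029 is the ATT&CK software entry for PsExec, and none of these four tools is PsExec — confirm the intended entry or drop the tag. Separately, the second branch of `condition: selection or ( selection_params and selection_commands )` carries no Image constraint, so any process whose command line contains ` execmd ` or ` exec2 ` together with ` copy ` or ` del ` fires regardless of the binary; if that is meant to catch renamed copies, the description should say so, because it currently reads as a plain NirCmd image match.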
@@ -0,0 +1,27 @@
+title: NirCmd Tool Execution As LOCAL SYSTEM
+id: d9047477-0359-48c9-b8c7-792cedcdc9c4
+status: experimental
+description: Detects the use of NirCmd tool for command execution as SYSTEM user
+author: 'Florian Roth, Nasreddine Bencherchali @nas_bench'
+date: 2022/01/24
+references:
+ - https://www.nirsoft.net/utils/nircmd.html
+ - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
+ - https://www.nirsoft.net/utils/nircmd2.html#using
+tags:
+ - attack.execution
+ - attack.t1569.002
+ - attack.s0029
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains: ' runassystem '
+ condition: selection
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Legitimate use by administrators
+level: high
diff --git a/rules/windows/process_creation/process_creation_tool_nsudo_as_system.yml b/rules/windows/process_creation/process_creation_tool_nsudo_as_system.yml
new file mode 100644
index 000000000..df52cdf95
--- /dev/null
+++ b/rules/windows/process_creation/process_creation_tool_nsudo_as_system.yml
@@ -0,0 +1,27 @@
+title: NSudo Tool Execution As System
+id: 771d1eb5-9587-4568-95fb-9ec44153a012
+status: experimental
+description: Detects the use of NSudo tool for command execution
+author: Florian Roth
+date: 2022/01/24
+references:
+ - https://nsudo.m2team.org/en-us/
+ - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
+tags:
+ - attack.execution
+ - attack.t1569.002
+ - attack.s0029
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\NSudo.exe'
+ CommandLine|contains: ' -U:S '
+ condition: selection
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Legitimate use by administrators
+level: high
\ No newline at end of file
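Review bot: process_creation_tool_nsudo_as_system.yml matches only `Image|endswith: '\NSudo.exe'` together with `' -U:S '`; as far as I recall, the NSudo releases also ship the CLI and GUI builds under other file names (NSudoLC.exe / NSudoLG.exe), and the tool's `-U:T` mode (TrustedInstaller, the account the new win_whoami_as_priv_user.yml in this commit keys on) is at least as relevant as `-U:S` — confirm both against the vendor documentation referenced in the rule and widen the image list and the switch list if they hold. The description `Detects the use of NSudo tool for command execution` does not mention the SYSTEM context the title and the `-U:S` switch imply; `description: Detects the use of the NSudo tool to execute a command as SYSTEM` matches what the selection actually checks. The file ends without a trailing newline.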
diff --git a/rules/windows/process_creation/process_creation_tool_runx_as_system.yml b/rules/windows/process_creation/process_creation_tool_runx_as_system.yml
new file mode 100644
index 000000000..75eae1053
--- /dev/null
+++ b/rules/windows/process_creation/process_creation_tool_runx_as_system.yml
@@ -0,0 +1,28 @@
+title: RunXCmd Tool Execution As System
+id: 93199800-b52a-4dec-b762-75212c196542
+status: experimental
+description: Detects the use of RunXCmd tool for command execution
+author: Florian Roth
+date: 2022/01/24
+references:
+ - https://www.d7xtech.com/free-software/runx/
+ - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
+tags:
+ - attack.execution
+ - attack.t1569.002
+ - attack.s0029
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - ' /account=system '
+ - '/exec='
+ condition: selection
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Legitimate use by administrators
+level: high
\ No newline at end of file
diff --git a/rules/windows/process_creation/sysmon_proxy_execution_wuauclt.yml b/rules/windows/process_creation/sysmon_proxy_execution_wuauclt.yml
index 439e99a78..1a7de3abc 100644
--- a/rules/windows/process_creation/sysmon_proxy_execution_wuauclt.yml
+++ b/rules/windows/process_creation/sysmon_proxy_execution_wuauclt.yml
@@ -10,6 +10,7 @@ tags:
 - attack.t1218
 references:
 - https://dtm.uk/wuauclt/
+ - https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/
 logsource:
 category: process_creation
 product: windows
diff --git a/rules/windows/process_creation/win_pc_wmic_remove_application.yml b/rules/windows/process_creation/win_pc_wmic_remove_application.yml
new file mode 100644
index 000000000..a6e659657
--- /dev/null
+++ b/rules/windows/process_creation/win_pc_wmic_remove_application.yml
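Review bot: In process_creation_tool_runx_as_system.yml the first value `' /account=system '` requires a trailing space, so the rule misses any invocation where `/account=system` is the last token of the command line (for example when the switches are given in the order `/exec=… /account=system`, assuming the tool accepts either order — confirm with the referenced documentation); `' /account=system'` keeps the leading-space anchoring without that gap. The description `Detects the use of RunXCmd tool for command execution` should mention the SYSTEM context the title and the `/account=system` value imply. The file ends without a trailing newline.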
@@ -0,0 +1,22 @@
+title: WMI Uninstall An Application
+id: b53317a0-8acf-4fd1-8de8-a5401e776b96
+status: experimental
+description: Uninstall an application with wmic
+author: frac113
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md#atomic-test-10---application-uninstall-using-wmic
+date: 2022/01/28
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: \WMIC.exe
+ CommandLine|contains: call uninstall
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.execution
+ - attack.t1047
diff --git a/rules/windows/process_creation/win_plugx_susp_exe_locations.yml b/rules/windows/process_creation/win_plugx_susp_exe_locations.yml
index 541f37f4c..8f465762b 100644
--- a/rules/windows/process_creation/win_plugx_susp_exe_locations.yml
+++ b/rules/windows/process_creation/win_plugx_susp_exe_locations.yml
@@ -7,7 +7,7 @@ references:
 - http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/
 - https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/
 date: 2017/06/12
-modified: 2022/01/07
+modified: 2022/01/28
 logsource:
 category: process_creation
 product: windows
@@ -40,7 +40,7 @@ detection:
 Image|contains:
 - '\System32\'
 - '\SysNative\'
- - '\SysWowo64\'
+ - '\SysWow64\'
 selection_mc:
 Image|endswith: '\Mc.exe'
 filter_mc:
diff --git a/rules/windows/process_creation/win_run_executable_invalid_extension.yml b/rules/windows/process_creation/win_run_executable_invalid_extension.yml
index e3a07fbe1..393336942 100644
--- a/rules/windows/process_creation/win_run_executable_invalid_extension.yml
+++ b/rules/windows/process_creation/win_run_executable_invalid_extension.yml
@@ -6,6 +6,7 @@ references:
 - https://twitter.com/mrd0x/status/1481630810495139841?s=12
 author: Tim Shelton, Florian Roth
 date: 2022/01/13
+modified: 2022/01/27
 logsource:
 category: process_creation
 product: windows
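Review bot: `author: frac113` in win_pc_wmic_remove_application.yml looks like a typo for `frack113`, the author named on the other new rules in this commit. The description `Uninstall an application with wmic` describes the action rather than the detection; `description: Detects the uninstallation of an application via wmic ("call uninstall")` follows the repository style. The values `\WMIC.exe` and `call uninstall` are unquoted while every other rule in the commit quotes its strings; quoting them keeps the style consistent.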
@@ -17,6 +18,9 @@ detection:
 filter:
 - CommandLine|contains: '.dll'
 - CommandLine: ''
+ filter_iexplorer:
+ ParentImage|endswith: ':\Program Files\Internet Explorer\iexplore.exe'
+ CommandLine|contains: '.cpl'
 condition: selection and not 1 of filter*
 fields:
 - Image
diff --git a/rules/windows/process_creation/win_whoami_as_priv_user.yml b/rules/windows/process_creation/win_whoami_as_priv_user.yml
new file mode 100644
index 000000000..70b93cd68
--- /dev/null
+++ b/rules/windows/process_creation/win_whoami_as_priv_user.yml
@@ -0,0 +1,24 @@
+title: Run Whoami as Privileged User
+id: 79ce34ca-af29-4d0e-b832-fc1b377020db
+status: experimental
+description: Detects a whoami.exe executed by privileged accounts that are often misused by threat actors
+references:
+ - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
+ - https://nsudo.m2team.org/en-us/
+author: Florian Roth
+date: 2022/01/28
+tags:
+ - attack.privilege_escalation
+ - attack.discovery
+ - attack.t1033
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ User|contains: 'TrustedInstaller'
+ Image|endswith: '\whoami.exe'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/win_whoami_as_system.yml b/rules/windows/process_creation/win_whoami_as_system.yml
index cdfa30d2f..b101e8e35 100644
--- a/rules/windows/process_creation/win_whoami_as_system.yml
+++ b/rules/windows/process_creation/win_whoami_as_system.yml
@@ -4,9 +4,9 @@ status: experimental
 description: Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of a successful local privilege escalation.
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
-author: Teymur Kheirkhabarov
+author: Teymur Kheirkhabarov, Florian Roth
 date: 2019/10/23
-modified: 2021/08/26
+modified: 2022/01/28
 tags:
 - attack.privilege_escalation
 - attack.discovery
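Review bot: The new `filter_iexplorer` in win_run_executable_invalid_extension.yml anchors on `':\Program Files\Internet Explorer\iexplore.exe'`, which does not match the 32-bit browser that on 64-bit Windows lives under `Program Files (x86)\Internet Explorer\`, so those parents are still not excluded and keep raising the rule; a two-entry list `ParentImage|endswith:` / `- ':\Program Files\Internet Explorer\iexplore.exe'` / `- ':\Program Files (x86)\Internet Explorer\iexplore.exe'` covers both. Paired with `CommandLine|contains: '.cpl'` the exclusion stays narrow enough. The enclosing detection block starts before this hunk.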
@@ -16,11 +16,11 @@ logsource:
 product: windows
 detection:
 selection:
- User|startswith:
- - 'NT AUTHORITY\SYSTEM'
- - 'AUTORITE NT\Sys' # French language settings
+ User|contains:
+ - 'AUTHORI'
+ - 'AUTORI'
 Image|endswith: '\whoami.exe'
 condition: selection
 falsepositives:
- - Unknown
+ - Possible name overlap with NT AUHTORITY substring to cover all languages
 level: high
diff --git a/rules/windows/process_creation/win_xordump.yml b/rules/windows/process_creation/win_xordump.yml
new file mode 100644
index 000000000..8851c63c3
--- /dev/null
+++ b/rules/windows/process_creation/win_xordump.yml
@@ -0,0 +1,27 @@
+title: XORDump Use
+id: 66e563f9-1cbd-4a22-a957-d8b7c0f44372
+description: Detects suspicious use of XORDump process memory dumping utility
+status: experimental
+references:
+ - https://github.com/audibleblink/xordump
+author: Florian Roth
+date: 2022/01/28
+tags:
+ - attack.defense_evasion
+ - attack.t1036
+ - attack.t1003.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ - Image|endswith: '\xordump.exe'
+ - CommandLine|contains:
+ - ' -process lsass.exe '
+ - ' -m comsvcs '
+ - ' -m dbghelp '
+ - ' -m dbgcore '
+ condition: selection
+falsepositives:
+ - Another tool that uses the command line switches of XORdump
+level: high
diff --git a/rules/windows/registry_event/win_re_ie_persistence.yml b/rules/windows/registry_event/win_re_ie_persistence.yml
new file mode 100644
index 000000000..d5728ab7c
--- /dev/null
+++ b/rules/windows/registry_event/win_re_ie_persistence.yml
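Review bot: win_whoami_as_system.yml now uses `User|contains: 'AUTHORI'` / `'AUTORI'`, which matches every NT AUTHORITY account (LOCAL SERVICE and NETWORK SERVICE included) rather than LOCAL SYSTEM only, while the title and the description at the top of the file (outside this hunk) still say LOCAL SYSTEM; either document that the rule now covers the whole NT AUTHORITY family, or add a second substring on the SYSTEM part of the name where the localized spellings allow it. The new falsepositives text misspells the account as `AUHTORITY`; `- Possible name overlap with the NT AUTHORITY substring used to cover all languages`.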
@@ -0,0 +1,24 @@
+title: Use IE Registry for Persistence
+id: d88d0ab2-e696-4d40-a2ed-9790064e66b3
+description: Use IE registry to hide a scripts
+author: frack113
+date: 2022/01/22
+status: experimental
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection_domains:
+ EventType: SetValue
+ TargetObject|contains: \Software\Microsoft\Windows\CurrentVersion\Internet Settings
+ filter:
+ Details|startswith: DWORD
+ condition: selection_domains and not filter
+falsepositives:
+ - Unknown
+level: low # as unknow false positives
+tags:
+ - attack.defense_evasion
+ - attack.t1112
diff --git a/rules/windows/sysmon/sysmon_process_hollowing.yml b/rules/windows/sysmon/sysmon_process_hollowing.yml
new file mode 100644
index 000000000..7176fdc15
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_process_hollowing.yml
@@ -0,0 +1,21 @@
+title: Sysmon Process Hollowing Detection
+id: c4b890e5-8d8c-4496-8c66-c805753817cd
+status: experimental
+description: Detects when a memory process image does not match the disk image, indicative of process hollowing.
+author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
+date: 2022/01/25
+references:
+ - https://twitter.com/SecurePeacock/status/1486054048390332423?s=20
+tags:
+ - attack.process_injection
+ - attack.t1055.012
+logsource:
+ product: windows
+ category: process_tampering
+detection:
+ selection:
+ Type: Image is replaced
+ condition: selection
+falsepositives:
+ - There are no known false positives at this time
+level: high
diff --git a/rules/windows/win_pc_susp_takeown.yml b/rules/windows/win_pc_susp_takeown.yml
new file mode 100644
index 000000000..962297b44
--- /dev/null
+++ b/rules/windows/win_pc_susp_takeown.yml
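Review bot: win_re_ie_persistence.yml names its only selection `selection_domains` although it matches any SetValue below `\Software\Microsoft\Windows\CurrentVersion\Internet Settings` whose Details do not start with DWORD — nothing domain-specific — so `selection` is the accurate name; as written, every string, binary or expandable-string write under that key stays in scope, which the `level: low` comment acknowledges but the description does not. The description `Use IE registry to hide a scripts` should state the detection: `description: Detects non-DWORD values written below the Internet Settings registry key, as used by the referenced atomic test to store a script in the registry`. The comment `# as unknow false positives` should read `# unknown false positives`.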
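Review bot: `attack.process_injection` in sysmon_process_hollowing.yml is not an ATT&CK tactic tag: process injection is the technique (T1055, already present as `attack.t1055.012`), and the tactics it belongs to are Defense Evasion and Privilege Escalation, so the tag list should be `- attack.defense_evasion`, `- attack.privilege_escalation`, `- attack.t1055.012`. The unquoted `Type: Image is replaced` should be quoted for consistency with the other rules in this commit.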
@@ -0,0 +1,29 @@
+title: Suspicious Recursif Takeown
+id: 554601fb-9b71-4bcc-abf4-21a611be4fde
+status: experimental
+description: Adversaries can interact with the DACLs using built-in Windows commands takeown which can grant adversaries higher permissions on specific files and folders
+author: frack113
+references:
+ - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/takeown
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md#atomic-test-1---take-ownership-using-takeown-utility
+date: 2022/01/30
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\takeown.exe'
+ CommandLine|contains|all:
+ - '/f '
+ - '/r'
+ condition: selection
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Scripts created by developers and admins
+ - Administrative activity
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1222.001
diff --git a/tools/sigma/backends/limacharlie.py b/tools/sigma/backends/limacharlie.py
index 0d5e23a23..6736f5e1b 100644
--- a/tools/sigma/backends/limacharlie.py
+++ b/tools/sigma/backends/limacharlie.py
@@ -514,6 +514,9 @@ class LimaCharlieBackend(BaseBackend):
 }
 if op == "matches":
 newOp["re"] = newVal
+ elif op == "exists":
+ # Exists has no value.
+ pass
 else:
 newOp["value"] = newVal
 if self._postOpMapper is not None:
@@ -532,6 +535,9 @@ class LimaCharlieBackend(BaseBackend):
 }
 if op == "matches":
 newOp["re"] = newVal
+ elif op == "exists":
+ # Exists has no value.
+ pass
 else:
 newOp["value"] = newVal
 if self._postOpMapper is not None:
@@ -588,6 +594,9 @@ class LimaCharlieBackend(BaseBackend):
 if "*" not in val and "?" not in val:
 return ("is", val)
 
+ if val == "*":
+ return ("exists", None)
+
 # Now we do a small optimization for the shortcut operators
 # available in LC. We try to see if the wildcards are around
 # the main value, but NOT within. If that's the case we can
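Review bot: win_pc_susp_takeown.yml is placed directly under rules/windows/ although its logsource is `category: process_creation`; every other process_creation rule in this commit lives in rules/windows/process_creation/, so the file should be moved there. `title: Suspicious Recursif Takeown` should read `title: Suspicious Recursive Takeown`. The second value `'/r'` has no delimiter and matches any command line containing that substring (inside a path component, for instance); `' /r'` keeps the leading-space anchoring, consistent with how `'/f '` is delimited, at the cost of missing a `/r` glued to the previous token — pick whichever gap is acceptable and say so in falsepositives.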
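Review bot: The `elif op == "exists": pass` branch is now repeated verbatim in three places in limacharlie.py (this hunk, the one at new line 535 and the one at new line 710), each beside the same `if op == "matches"` / `else` pair; pulling that assignment into one small helper that fills `re`, `value`, or nothing for `exists` would keep the three mappers from drifting apart. The `pass` with a comment also reads oddly — `elif op != "exists": newOp["value"] = newVal` in place of the `elif`/`else` pair expresses the same thing without a dead branch, with the comment `# "exists" carries no value; only "matches" uses "re"`. Since the new `if val == "*": return ("exists", None)` makes newVal None for this operator, any use of newVal before these branches (the `newOp` dict literal whose closing `}` opens each hunk is built above it) needs to tolerate None — worth a check, as that code is outside the hunks. The enclosing methods start outside each hunk.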
@@ -701,6 +710,9 @@ class LimaCharlieBackend(BaseBackend):
 }
 if op == "matches":
 newOp["re"] = newVal
+ elif op == "exists":
+ # Exists has no value.
+ pass
 else:
 newOp["value"] = newVal
 mapped.append(newOp)