From f80f0d3696e43822075f23b55d282b4b3eaf1888 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Mon, 24 Jan 2022 13:37:28 +0100
Subject: [PATCH 01/22] rules: nircmd, nsudo, runx
---
 .../process_creation_tool_nircmd.yml | 39 +++++++++++++++++++
 ...process_creation_tool_nircmd_as_system.yml | 28 +++++++++++++
 .../process_creation_tool_nsudo_as_system.yml | 27 +++++++++++++
 .../process_creation_tool_runx_as_system.yml | 28 +++++++++++++
 4 files changed, 122 insertions(+)
 create mode 100644 rules/windows/process_creation/process_creation_tool_nircmd.yml
 create mode 100644 rules/windows/process_creation/process_creation_tool_nircmd_as_system.yml
 create mode 100644 rules/windows/process_creation/process_creation_tool_nsudo_as_system.yml
 create mode 100644 rules/windows/process_creation/process_creation_tool_runx_as_system.yml
diff --git a/rules/windows/process_creation/process_creation_tool_nircmd.yml b/rules/windows/process_creation/process_creation_tool_nircmd.yml
new file mode 100644
index 000000000..30448754e
--- /dev/null
+++ b/rules/windows/process_creation/process_creation_tool_nircmd.yml
@@ -0,0 +1,39 @@
+title: NirCmd Tool Execution
+id: 4e2ed651-1906-4a59-a78a-18220fca1b22
+status: experimental
+description: Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity
+author: Florian Roth
+date: 2022/01/24
+references:
+ - https://www.nirsoft.net/utils/nircmd.html
+ - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
+tags:
+ - attack.execution
+ - attack.t1569.002
+ - attack.s0029
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\nircmd.exe'
+ selection_params1:
+ CommandLine|contains|all:
+ - ' execmd '
+ - ' attrib '
+ selection_params2:
+ CommandLine|contains|all:
+ - ' execmd '
+ - ' copy '
+ selection_params3:
+ CommandLine|contains|all:
+ - ' execmd '
+ - ' del '
+ - ' /Q '
+ condition: 1 of selection*
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Legitimate use by administrators
+level: medium
\ No newline at end of file
diff --git a/rules/windows/process_creation/process_creation_tool_nircmd_as_system.yml b/rules/windows/process_creation/process_creation_tool_nircmd_as_system.yml
new file mode 100644
index 000000000..c13b0f3c9
--- /dev/null
+++ b/rules/windows/process_creation/process_creation_tool_nircmd_as_system.yml
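Review bot: `condition: 1 of selection*` makes the bare image match in `selection` sufficient on its own, so the three `selection_params*` blocks never narrow it; they only add coverage for a renamed binary, and each of them fires for any image whose command line carries the two tokens. That is presumably intended, but a comment above `selection_params1` such as `# selection_params* catch a renamed binary; every nircmd.exe start already matches via selection` would stop the next reader from assuming an AND. The file also ends without a trailing newline (`\ No newline at end of file`), as do the nircmd_as_system, nsudo and runx rules in this commit and the pwnkit rule in PATCH 18.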
@@ -0,0 +1,28 @@
+title: NirCmd Tool Execution As LOCAL SYSTEM
+id: d9047477-0359-48c9-b8c7-792cedcdc9c4
+status: experimental
+description: Detects the use of NirCmd tool for command execution as SYSTEM user
+author: Florian Roth
+date: 2022/01/24
+references:
+ - https://www.nirsoft.net/utils/nircmd.html
+ - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
+tags:
+ - attack.execution
+ - attack.t1569.002
+ - attack.s0029
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - 'elevatecmd'
+ - 'runassystem'
+ condition: selection
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Legitimate use by administrators
+level: high
\ No newline at end of file
diff --git a/rules/windows/process_creation/process_creation_tool_nsudo_as_system.yml b/rules/windows/process_creation/process_creation_tool_nsudo_as_system.yml
new file mode 100644
index 000000000..df52cdf95
--- /dev/null
+++ b/rules/windows/process_creation/process_creation_tool_nsudo_as_system.yml
@@ -0,0 +1,27 @@
+title: NSudo Tool Execution As System
+id: 771d1eb5-9587-4568-95fb-9ec44153a012
+status: experimental
+description: Detects the use of NSudo tool for command execution
+author: Florian Roth
+date: 2022/01/24
+references:
+ - https://nsudo.m2team.org/en-us/
+ - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
+tags:
+ - attack.execution
+ - attack.t1569.002
+ - attack.s0029
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\NSudo.exe'
+ CommandLine|contains: ' -U:S '
+ condition: selection
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Legitimate use by administrators
+level: high
\ No newline at end of file
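Review bot: The description `Detects the use of NSudo tool for command execution` drops the qualifier the selection actually enforces — ` -U:S ` restricts the match to NSudo's run-as-SYSTEM mode — and the RunXCmd rule in this commit has the same gap with its ` /account=system ` selector; `description: Detects NSudo being used to run a command as SYSTEM (-U:S)` would say what the rule does. The ` -U:S ` value also requires a trailing space, so the switch is missed when it is the final token of the command line; ` -U:S` keeps the leading anchor without that gap. I believe recent NSudo releases ship under more than one executable name, so it is worth checking whether a single `\NSudo.exe` suffix is enough (and whether the target backend folds case on `Image`).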
diff --git a/rules/windows/process_creation/process_creation_tool_runx_as_system.yml b/rules/windows/process_creation/process_creation_tool_runx_as_system.yml
new file mode 100644
index 000000000..75eae1053
--- /dev/null
+++ b/rules/windows/process_creation/process_creation_tool_runx_as_system.yml
@@ -0,0 +1,28 @@
+title: RunXCmd Tool Execution As System
+id: 93199800-b52a-4dec-b762-75212c196542
+status: experimental
+description: Detects the use of RunXCmd tool for command execution
+author: Florian Roth
+date: 2022/01/24
+references:
+ - https://www.d7xtech.com/free-software/runx/
+ - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
+tags:
+ - attack.execution
+ - attack.t1569.002
+ - attack.s0029
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ CommandLine|contains|all:
+ - ' /account=system '
+ - '/exec='
+ condition: selection
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Legitimate use by administrators
+level: high
\ No newline at end of file
From 364b5c9620e995c2c46affabf41a84b1d8e04e50 Mon Sep 17 00:00:00 2001
From: securepeacock <92804416+securepeacock@users.noreply.github.com>
Date: Tue, 25 Jan 2022 15:57:03 -0500
Subject: [PATCH 02/22] Create sysmon_process_hollowing.yml
Closed old request, and put rule into its appropriate file directory.
---
 .../sysmon/sysmon_process_hollowing.yml | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 rules/windows/sysmon/sysmon_process_hollowing.yml
diff --git a/rules/windows/sysmon/sysmon_process_hollowing.yml b/rules/windows/sysmon/sysmon_process_hollowing.yml
new file mode 100644
index 000000000..6e6caa2d0
--- /dev/null
+++ b/rules/windows/sysmon/sysmon_process_hollowing.yml
@@ -0,0 +1,21 @@
+title: Sysmon Process Hollowing Detection
+id: c4b890e5-8d8c-4496-8c66-c805753817cd
+status: experimental
+description: Detects when a memory process image does not match the disk image, indicative of process hollowing.
+author: Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'
+date: 2022/01/25
+references:
+ - https://twitter.com/SecurePeacock/status/1486054048390332423?s=20
+tags:
+ - attack.process_injection
+ - attack.t1055.012
+logsource:
+ category: process_tampering
+ product: windows
+detection:
+ selection:
+ Type: Image is replaced
+ condition: selection
+falsepositives:
+ - There are no known false positives at this time.
+level: high
From e08e8dd3d4b369d53363744ad7af270fbc325152 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Wed, 26 Jan 2022 17:53:46 +0100
Subject: [PATCH 03/22] Update sysmon_process_hollowing.yml
---
 rules/windows/sysmon/sysmon_process_hollowing.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/rules/windows/sysmon/sysmon_process_hollowing.yml b/rules/windows/sysmon/sysmon_process_hollowing.yml
index 6e6caa2d0..6ddfdb5f6 100644
--- a/rules/windows/sysmon/sysmon_process_hollowing.yml
+++ b/rules/windows/sysmon/sysmon_process_hollowing.yml
@@ -10,12 +10,13 @@ tags:
 - attack.process_injection
 - attack.t1055.012
 logsource:
- category: process_tampering
 product: windows
+ service: sysmon
 detection:
 selection:
+ EventID: 24
 Type: Image is replaced
 condition: selection
 falsepositives:
- - There are no known false positives at this time.
+ - There are no known false positives at this time
 level: high
From f8ce6d87a8263f1e93e2336bde1c1868adb296a8 Mon Sep 17 00:00:00 2001
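Review bot: `attack.process_injection` is not an ATT&CK tactic name, so the tag does not follow the tactic-plus-technique form used by every other rule in this series; T1055.012 belongs to defense evasion and privilege escalation, so the block should read `- attack.defense_evasion`, `- attack.privilege_escalation`, `- attack.t1055.012`. The `author` value embeds single quotes inside a plain scalar (`Christopher Peacock '@securepeacock', SCYTHE '@scythe_io'`), which parses but is easy to misread; quoting the whole string once would be clearer.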
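Review bot: `EventID: 24` is Sysmon's ClipboardChange event; the ProcessTampering event that carries `Type: Image is replaced` is Event ID 25, so after this hunk the rule cannot match anything. The removed `category: process_tampering` logsource is meant to resolve to that event through the backend's Sysmon mapping, so restoring it (or, if a raw Sysmon logsource is wanted, `EventID: 25` under `service: sysmon`) is the fix. The rule's header lines are outside the hunk.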
From: Tim Shelton
Date: Thu, 27 Jan 2022 16:31:37 +0000
Subject: [PATCH 04/22] adding filter for fp of iexplorer calling cpls: C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:276824072 WinX:0 WinY:0 IEFrame:0000000000000000
---
 .../process_creation/win_run_executable_invalid_extension.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/rules/windows/process_creation/win_run_executable_invalid_extension.yml b/rules/windows/process_creation/win_run_executable_invalid_extension.yml
index e3a07fbe1..393336942 100644
--- a/rules/windows/process_creation/win_run_executable_invalid_extension.yml
+++ b/rules/windows/process_creation/win_run_executable_invalid_extension.yml
@@ -6,6 +6,7 @@ references:
 - https://twitter.com/mrd0x/status/1481630810495139841?s=12
 author: Tim Shelton, Florian Roth
 date: 2022/01/13
+modified: 2022/01/27
 logsource:
 category: process_creation
 product: windows
@@ -17,6 +18,9 @@ detection:
 filter:
 - CommandLine|contains: '.dll'
 - CommandLine: ''
+ filter_iexplorer:
+ ParentImage|endswith: ':\Program Files\Internet Explorer\iexplore.exe'
+ CommandLine|contains: '.cpl'
 condition: selection and not 1 of filter*
 fields:
 - Image
From edb769b0868da9be815cd06dfae24a3f1915708b Mon Sep 17 00:00:00 2001
From: Glenn Barrett
Date: Thu, 27 Jan 2022 15:08:54 -0500
Subject: [PATCH 05/22] Typo fix in win_plugx_susp_exe_locations.yml
Change SysWowo64 to SysWow64
---
 rules/windows/process_creation/win_plugx_susp_exe_locations.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_plugx_susp_exe_locations.yml b/rules/windows/process_creation/win_plugx_susp_exe_locations.yml
index 541f37f4c..06e9eeead 100644
--- a/rules/windows/process_creation/win_plugx_susp_exe_locations.yml
+++ b/rules/windows/process_creation/win_plugx_susp_exe_locations.yml
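Review bot: The new `filter_iexplorer` only matches the 64-bit Internet Explorer path, so the same `inetcpl.cpl` false positive from the commit message will persist whenever the parent is the 32-bit `iexplore.exe` under `Program Files (x86)`; `ParentImage|endswith: '\Internet Explorer\iexplore.exe'` covers both installs without admitting any other parent. The `CommandLine|contains: '.cpl'` side is also broader than the observed case, since every child of iexplore.exe whose command line mentions `.cpl` is now excluded; `CommandLine|contains: '\inetcpl.cpl,'` would exclude just the control-panel call that was seen. The `selection` this filter applies to is outside the hunk.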
@@ -40,7 +40,7 @@ detection:
 Image|contains:
 - '\System32\'
 - '\SysNative\'
- - '\SysWowo64\'
+ - '\SysWow64\'
 selection_mc:
 Image|endswith: '\Mc.exe'
 filter_mc:
From 069d4ac8bd4428d4fcebd1cf94388918905130a6 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Fri, 28 Jan 2022 09:09:26 +0100
Subject: [PATCH 06/22] Update modified
---
 rules/windows/process_creation/win_plugx_susp_exe_locations.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/win_plugx_susp_exe_locations.yml b/rules/windows/process_creation/win_plugx_susp_exe_locations.yml
index 06e9eeead..8f465762b 100644
--- a/rules/windows/process_creation/win_plugx_susp_exe_locations.yml
+++ b/rules/windows/process_creation/win_plugx_susp_exe_locations.yml
@@ -7,7 +7,7 @@ references:
 - http://www.hexacorn.com/blog/2016/03/10/beyond-good-ol-run-key-part-36/
 - https://countuponsecurity.com/2017/06/07/threat-hunting-in-the-enterprise-with-appcompatprocessor/
 date: 2017/06/12
-modified: 2022/01/07
+modified: 2022/01/28
 logsource:
 category: process_creation
 product: windows
From a6e3b4691bd32e04c29bc978b9b8603979fb406b Mon Sep 17 00:00:00 2001
From: frack113
Date: Fri, 28 Jan 2022 10:30:39 +0100
Subject: [PATCH 07/22] Update References
---
 .../windows/process_creation/sysmon_proxy_execution_wuauclt.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/rules/windows/process_creation/sysmon_proxy_execution_wuauclt.yml b/rules/windows/process_creation/sysmon_proxy_execution_wuauclt.yml
index 439e99a78..1a7de3abc 100644
--- a/rules/windows/process_creation/sysmon_proxy_execution_wuauclt.yml
+++ b/rules/windows/process_creation/sysmon_proxy_execution_wuauclt.yml
@@ -10,6 +10,7 @@ tags:
 - attack.t1218
 references:
 - https://dtm.uk/wuauclt/
+ - https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/
 logsource:
 category: process_creation
 product: windows
From 982808c3db059d3f5c152f05bf44fc9ef4b1d137 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 28 Jan 2022 11:30:30 +0100
Subject: [PATCH 08/22] refactor: whoami / authority, rule: whoami as trusted installer
---
 .../win_whoami_as_priv_user.yml | 24 +++++++++++++++++++
 .../process_creation/win_whoami_as_system.yml | 12 +++++-----
 2 files changed, 30 insertions(+), 6 deletions(-)
 create mode 100644 rules/windows/process_creation/win_whoami_as_priv_user.yml
diff --git a/rules/windows/process_creation/win_whoami_as_priv_user.yml b/rules/windows/process_creation/win_whoami_as_priv_user.yml
new file mode 100644
index 000000000..70b93cd68
--- /dev/null
+++ b/rules/windows/process_creation/win_whoami_as_priv_user.yml
@@ -0,0 +1,24 @@
+title: Run Whoami as Privileged User
+id: 79ce34ca-af29-4d0e-b832-fc1b377020db
+status: experimental
+description: Detects a whoami.exe executed by privileged accounts that are often misused by threat actors
+references:
+ - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
+ - https://nsudo.m2team.org/en-us/
+author: Florian Roth
+date: 2022/01/28
+tags:
+ - attack.privilege_escalation
+ - attack.discovery
+ - attack.t1033
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ User|contains: 'TrustedInstaller'
+ Image|endswith: '\whoami.exe'
+ condition: selection
+falsepositives:
+ - Unknown
+level: high
diff --git a/rules/windows/process_creation/win_whoami_as_system.yml b/rules/windows/process_creation/win_whoami_as_system.yml
index cdfa30d2f..b101e8e35 100644
--- a/rules/windows/process_creation/win_whoami_as_system.yml
+++ b/rules/windows/process_creation/win_whoami_as_system.yml
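Review bot: The description promises `privileged accounts that are often misused by threat actors` in the plural, but the selection only matches `User|contains: 'TrustedInstaller'`; SYSTEM is handled by win_whoami_as_system.yml in the same commit, so the text should say which account this rule covers, e.g. `description: Detects whoami.exe executed as TrustedInstaller, an account that is rarely used interactively; SYSTEM is covered by win_whoami_as_system.yml`. A short comment on the selector recording why `contains` was chosen over `endswith` (presumably because the `User` field may or may not be domain-qualified) would also help the next maintainer.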
@@ -4,9 +4,9 @@ status: experimental
 description: Detects a whoami.exe executed by LOCAL SYSTEM. This may be a sign of a successful local privilege escalation.
 references:
 - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
-author: Teymur Kheirkhabarov
+author: Teymur Kheirkhabarov, Florian Roth
 date: 2019/10/23
-modified: 2021/08/26
+modified: 2022/01/28
 tags:
 - attack.privilege_escalation
 - attack.discovery
@@ -16,11 +16,11 @@ logsource:
 product: windows
 detection:
 selection:
- User|startswith:
- - 'NT AUTHORITY\SYSTEM'
- - 'AUTORITE NT\Sys' # French language settings
+ User|contains:
+ - 'AUTHORI'
+ - 'AUTORI'
 Image|endswith: '\whoami.exe'
 condition: selection
 falsepositives:
- - Unknown
+ - Possible name overlap with NT AUHTORITY substring to cover all languages
 level: high
From 5b30db61b0022503b753a82aa00ac71d301b58ed Mon Sep 17 00:00:00 2001
From: frack113
Date: Fri, 28 Jan 2022 16:12:38 +0100
Subject: [PATCH 09/22] Add windows redcannary rules
---
 .../win_builtin_remove_application.yml | 22 +++++++++++++++++
 .../win_fe_install_teamviewer_desktop.yml | 21 ++++++++++++++++
 .../win_pc_wmic_remove_application.yml | 22 +++++++++++++++++
 .../registry_event/win_re_ie_persistence.yml | 24 +++++++++++++++++++
 4 files changed, 89 insertions(+)
 create mode 100644 rules/windows/builtin/application/win_builtin_remove_application.yml
 create mode 100644 rules/windows/file_event/win_fe_install_teamviewer_desktop.yml
 create mode 100644 rules/windows/process_creation/win_pc_wmic_remove_application.yml
 create mode 100644 rules/windows/registry_event/win_re_ie_persistence.yml
diff --git a/rules/windows/builtin/application/win_builtin_remove_application.yml b/rules/windows/builtin/application/win_builtin_remove_application.yml
new file mode 100644
index 000000000..3209074b4
--- /dev/null
+++ b/rules/windows/builtin/application/win_builtin_remove_application.yml
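Review bot: `User|contains: 'AUTHORI'` / `'AUTORI'` now matches every account under NT AUTHORITY, including LOCAL SERVICE and NETWORK SERVICE, while the description in the first hunk still says `executed by LOCAL SYSTEM`; either widen the description to match, or keep the SYSTEM focus with a filter for at least the English service-account names, e.g. `filter: User|contains: ['LOCAL SERVICE', 'NETWORK SERVICE']` and `condition: selection and not filter`. The explanatory comment that was on the French entry (`# French language settings`) is lost with the rewrite; a comment on the new list stating that the two substrings are meant to cover localized NT AUTHORITY names would preserve that intent. The new falsepositives entry also misspells `AUHTORITY`.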
@@ -0,0 +1,22 @@
+title: An Application Is Uninstall
+id: 570ae5ec-33dc-427c-b815-db86228ad43e
+status: experimental
+description: An application have been remove check if it is a critical
+author: frack113
+date: 2022/01/28
+logsource:
+ product: windows
+ service: application
+detection:
+ selection:
+ Provider_Name: 'MsiInstaller'
+ EventID:
+ - 11724
+ - 1034
+ condition: selection
+falsepositives:
+ - Unknown
+level: low
+tags:
+ - attack.impact
+ - attack.t1489
diff --git a/rules/windows/file_event/win_fe_install_teamviewer_desktop.yml b/rules/windows/file_event/win_fe_install_teamviewer_desktop.yml
new file mode 100644
index 000000000..151147665
--- /dev/null
+++ b/rules/windows/file_event/win_fe_install_teamviewer_desktop.yml
@@ -0,0 +1,21 @@
+title: Installation of TeamViewer Desktop
+id: 9711de76-5d4f-4c50-a94f-21e4e8f8384d
+status: experimental
+description: TeamViewer_Desktop.exe is create during install
+author: frack113
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1219/T1219.md#atomic-test-1---teamviewer-files-detected-test-on-windows
+date: 2022/01/28
+logsource:
+ product: windows
+ category: file_event
+detection:
+ selection:
+ TargetFilename|endswith: \TeamViewer_Desktop.exe
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.command_and_control
+ - attack.t1219
diff --git a/rules/windows/process_creation/win_pc_wmic_remove_application.yml b/rules/windows/process_creation/win_pc_wmic_remove_application.yml
new file mode 100644
index 000000000..a6e659657
--- /dev/null
+++ b/rules/windows/process_creation/win_pc_wmic_remove_application.yml
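Review bot: The title and description are ungrammatical (`An Application Is Uninstall`, `An application have been remove check if it is a critical`); suggest `title: Application Uninstalled` and `description: Detects removal of an application through Windows Installer (MsiInstaller events 11724 and 1034); check whether the removed product is security-relevant`. Unlike the other three rules in this commit this one carries no `references` entry, so the atomic test it was presumably derived from is not linked. `falsepositives: Unknown` is also too weak for a rule that fires on every routine uninstall; `- Legitimate software removal by administrators and update processes` is the honest entry.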
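Review bot: `falsepositives: Unknown` undersells this rule — the selection fires on every creation of `TeamViewer_Desktop.exe`, which is every legitimate TeamViewer install or update, so list that explicitly, e.g. `- Legitimate TeamViewer installations and updates`, and reconsider whether `level: medium` fits a rule that cannot tell a sanctioned install from an unsanctioned one. The description `TeamViewer_Desktop.exe is create during install` should read `Detects the creation of TeamViewer_Desktop.exe, which is written during TeamViewer installation`. The unquoted `\TeamViewer_Desktop.exe` parses fine as a plain scalar, but the rest of this series quotes backslash values and yamllint-style consistency would favour `'\TeamViewer_Desktop.exe'`.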
@@ -0,0 +1,22 @@
+title: WMI Uninstall An Application
+id: b53317a0-8acf-4fd1-8de8-a5401e776b96
+status: experimental
+description: Uninstall an application with wmic
+author: frac113
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1047/T1047.md#atomic-test-10---application-uninstall-using-wmic
+date: 2022/01/28
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: \WMIC.exe
+ CommandLine|contains: call uninstall
+ condition: selection
+falsepositives:
+ - Unknown
+level: medium
+tags:
+ - attack.execution
+ - attack.t1047
diff --git a/rules/windows/registry_event/win_re_ie_persistence.yml b/rules/windows/registry_event/win_re_ie_persistence.yml
new file mode 100644
index 000000000..d5728ab7c
--- /dev/null
+++ b/rules/windows/registry_event/win_re_ie_persistence.yml
@@ -0,0 +1,24 @@
+title: Use IE Registry for Persistence
+id: d88d0ab2-e696-4d40-a2ed-9790064e66b3
+description: Use IE registry to hide a scripts
+author: frack113
+date: 2022/01/22
+status: experimental
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1112/T1112.md#atomic-test-5---javascript-in-registry
+logsource:
+ category: registry_event
+ product: windows
+detection:
+ selection_domains:
+ EventType: SetValue
+ TargetObject|contains: \Software\Microsoft\Windows\CurrentVersion\Internet Settings
+ filter:
+ Details|startswith: DWORD
+ condition: selection_domains and not filter
+falsepositives:
+ - Unknown
+level: low # as unknow false positives
+tags:
+ - attack.defense_evasion
+ - attack.t1112
From bfee0f80679224514ff532303c27d090fe07e896 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 28 Jan 2022 17:26:12 +0100
Subject: [PATCH 10/22] rule: xordump
---
 .../windows/process_creation/win_xordump.yml | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 rules/windows/process_creation/win_xordump.yml
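Review bot: `author: frac113` looks like a typo for `frack113`, the name on the other three rules in this commit. The description `Uninstall an application with wmic` names the action rather than the detection; `Detects wmic.exe invoked with "call uninstall" to remove an installed product` matches the style of the surrounding rules. As with the MsiInstaller rule, `falsepositives: Unknown` should acknowledge that administrators and deployment scripts use this legitimately.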
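Review bot: `selection_domains` matches every non-DWORD `SetValue` under `\Software\Microsoft\Windows\CurrentVersion\Internet Settings`, which most likely includes the routine string writes browsers and WinINET make there (proxy, user-agent and zone settings), so `falsepositives: Unknown` is probably optimistic and `level: low` is the only thing keeping it quiet; an entry like `- Browser and WinINET configuration changes` and, if the backend supports it, a narrower `TargetObject` would help. The selection name `selection_domains` does not describe what it matches (`selection_ie_settings` would), and the inline comment `# as unknow false positives` should read `# unknown false positives`. The description `Use IE registry to hide a scripts` should say what is detected: `Detects non-DWORD values written under the Internet Settings key, which has been used to stage scripts in the registry`.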
diff --git a/rules/windows/process_creation/win_xordump.yml b/rules/windows/process_creation/win_xordump.yml
new file mode 100644
index 000000000..8851c63c3
--- /dev/null
+++ b/rules/windows/process_creation/win_xordump.yml
@@ -0,0 +1,27 @@
+title: XORDump Use
+id: 66e563f9-1cbd-4a22-a957-d8b7c0f44372
+description: Detects suspicious use of XORDump process memory dumping utility
+status: experimental
+references:
+ - https://github.com/audibleblink/xordump
+author: Florian Roth
+date: 2022/01/28
+tags:
+ - attack.defense_evasion
+ - attack.t1036
+ - attack.t1003.001
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ - Image|endswith: '\xordump.exe'
+ - CommandLine|contains:
+ - ' -process lsass.exe '
+ - ' -m comsvcs '
+ - ' -m dbghelp '
+ - ' -m dbgcore '
+ condition: selection
+falsepositives:
+ - Another tool that uses the command line switches of XORdump
+level: high
From 7b05827326d27fc0406a10bdd1302bc879755f1b Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 28 Jan 2022 17:26:51 +0100
Subject: [PATCH 11/22] fix: FPs noticed with Aurora
---
 rules/windows/process_access/sysmon_lsass_memdump.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/rules/windows/process_access/sysmon_lsass_memdump.yml b/rules/windows/process_access/sysmon_lsass_memdump.yml
index 289f16f67..60177f186 100755
--- a/rules/windows/process_access/sysmon_lsass_memdump.yml
+++ b/rules/windows/process_access/sysmon_lsass_memdump.yml
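Review bot: Every `CommandLine|contains` value requires a trailing space, so ` -process lsass.exe ` is missed whenever it is the last argument on the command line; dropping the trailing space on that entry (` -process lsass.exe`) keeps the leading-space anchor without the gap. The list-of-maps `selection` ORs the image match with the switch match, which is what lets a renamed binary still be caught, but nothing says so; a comment such as `# list form = OR: match on the binary name or on its distinctive switches` above the selection would stop a reader from treating it as an AND.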
@@ -4,7 +4,7 @@ status: experimental
 description: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.
 author: Samir Bousseaden, Michael Haag
 date: 2019/04/03
-modified: 2022/01/27
+modified: 2022/01/28
 references:
 - https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html
 - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
@@ -22,7 +22,7 @@ detection:
 TargetImage|endswith: '\lsass.exe'
 GrantedAccess|contains:
 - '0x1fffff'
- - '0x01000'
+ #- '0x01000' # Too many false positives
 #- '0x1010' # Too many false positives
 - '0x1038'
 - '0x40'
@@ -30,7 +30,6 @@ detection:
 - '0x1410'
 - '0x1438'
 - '0x143a'
- - '0x1000'
 CallTrace|contains:
 - 'dbghelp.dll'
 - 'dbgcore.dll'
From 0b09dbdcd1c38853aae0a955b0ee81232f848cf6 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 28 Jan 2022 21:01:43 +0100
Subject: [PATCH 12/22] Update process_creation_tool_nircmd_as_system.yml
---
 .../process_creation_tool_nircmd_as_system.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/process_creation_tool_nircmd_as_system.yml b/rules/windows/process_creation/process_creation_tool_nircmd_as_system.yml
index c13b0f3c9..e4fcc4251 100644
--- a/rules/windows/process_creation/process_creation_tool_nircmd_as_system.yml
+++ b/rules/windows/process_creation/process_creation_tool_nircmd_as_system.yml
@@ -17,7 +17,6 @@ logsource:
 detection:
 selection:
 CommandLine|contains|all:
- - 'elevatecmd'
 - 'runassystem'
 condition: selection
 fields:
@@ -25,4 +24,4 @@ fields:
 - ParentCommandLine
 falsepositives:
 - Legitimate use by administrators
-level: high
\ No newline at end of file
+level: high
From b0b9d32dfacd6012194cec68a611c4cd7f8cf0ad Mon Sep 17 00:00:00 2001
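Review bot: The two masks dropped for false positives are handled inconsistently — `'0x01000'` in the second hunk is kept as a commented entry with `# Too many false positives`, while `'0x1000'` in the third hunk is deleted outright; keeping both as comments preserves the record of which `GrantedAccess` values were tried and why they were removed, which is exactly what the existing `#- '0x1010'` comment does. A one-line note near the list saying that the matching is substring-based (`|contains`) would also help whoever tunes these masks next.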
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 28 Jan 2022 21:10:03 +0100
Subject: [PATCH 13/22] Update process_creation_tool_nircmd.yml
---
 .../process_creation_tool_nircmd.yml | 29 +++++++++----------
 1 file changed, 13 insertions(+), 16 deletions(-)
diff --git a/rules/windows/process_creation/process_creation_tool_nircmd.yml b/rules/windows/process_creation/process_creation_tool_nircmd.yml
index 30448754e..5a4592e42 100644
--- a/rules/windows/process_creation/process_creation_tool_nircmd.yml
+++ b/rules/windows/process_creation/process_creation_tool_nircmd.yml
@@ -2,11 +2,12 @@ title: NirCmd Tool Execution
 id: 4e2ed651-1906-4a59-a78a-18220fca1b22
 status: experimental
 description: Detects the use of NirCmd tool for command execution, which could be the result of legitimate administrative activity
-author: Florian Roth
+author: 'Florian Roth, Nasreddine Bencherchali @nas_bench'
 date: 2022/01/24
 references:
 - https://www.nirsoft.net/utils/nircmd.html
 - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
+ - https://www.nirsoft.net/utils/nircmd2.html#using
 tags:
 - attack.execution
 - attack.t1569.002
@@ -16,24 +17,20 @@ logsource:
 product: windows
 detection:
 selection:
- Image|endswith: '\nircmd.exe'
- selection_params1:
- CommandLine|contains|all:
- - ' execmd '
- - ' attrib '
- selection_params2:
- CommandLine|contains|all:
- - ' execmd '
- - ' copy '
- selection_params3:
- CommandLine|contains|all:
- - ' execmd '
- - ' del '
- - ' /Q '
+ Image|endswith:
+ - '\nircmd.exe'
+ - '\nircmdc.exe'
+ selection_params:
+ CommandLine|contains:
+ - 'execmd'
+ - 'exec'
+ - 'exec2'
+ - 'elevate'
+ - 'runinteractive'
 condition: 1 of selection*
 fields:
 - CommandLine
 - ParentCommandLine
 falsepositives:
 - Legitimate use by administrators
-level: medium
\ No newline at end of file
+level: medium
From 6f96372ece5a28b15b9493ad226143eb5404ed36 Mon Sep 17 00:00:00 2001
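Review bot: The new `selection_params` values are unanchored substrings and the condition is still `1 of selection*`, so `'exec'` on its own matches any process whose command line contains that string (`execute`, `executable`, `-ExecutionPolicy`, …) regardless of image, which turns a medium-level rule into a very noisy one; `'elevate'` has the same problem. Either restore the space anchoring the original used (` execmd `, ` exec2 `) so the tokens must stand alone, or gate the parameter match on the image match with `condition: selection and selection_params` if the renamed-binary case is not needed. The `condition` line is inside this hunk; `fields` and `falsepositives` follow it.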
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Fri, 28 Jan 2022 21:10:52 +0100
Subject: [PATCH 14/22] Update process_creation_tool_nircmd_as_system.yml
---
 .../process_creation_tool_nircmd_as_system.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/process_creation_tool_nircmd_as_system.yml b/rules/windows/process_creation/process_creation_tool_nircmd_as_system.yml
index e4fcc4251..a47a6d541 100644
--- a/rules/windows/process_creation/process_creation_tool_nircmd_as_system.yml
+++ b/rules/windows/process_creation/process_creation_tool_nircmd_as_system.yml
@@ -2,11 +2,12 @@ title: NirCmd Tool Execution As LOCAL SYSTEM
 id: d9047477-0359-48c9-b8c7-792cedcdc9c4
 status: experimental
 description: Detects the use of NirCmd tool for command execution as SYSTEM user
-author: Florian Roth
+author: 'Florian Roth, Nasreddine Bencherchali @nas_bench'
 date: 2022/01/24
 references:
 - https://www.nirsoft.net/utils/nircmd.html
 - https://www.winhelponline.com/blog/run-program-as-system-localsystem-account-windows/
+ - https://www.nirsoft.net/utils/nircmd2.html#using
 tags:
 - attack.execution
 - attack.t1569.002
From 34c8de908ddc6a9b3f9f934226b3714f146ee90c Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 28 Jan 2022 23:08:41 +0100
Subject: [PATCH 15/22] Update process_creation_tool_nircmd_as_system.yml
---
 .../process_creation_tool_nircmd_as_system.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/rules/windows/process_creation/process_creation_tool_nircmd_as_system.yml b/rules/windows/process_creation/process_creation_tool_nircmd_as_system.yml
index a47a6d541..43bb8c2e3 100644
--- a/rules/windows/process_creation/process_creation_tool_nircmd_as_system.yml
+++ b/rules/windows/process_creation/process_creation_tool_nircmd_as_system.yml
@@ -17,8 +17,7 @@ logsource:
 product: windows
 detection:
 selection:
- CommandLine|contains|all:
- - 'runassystem'
+ CommandLine|contains: ' runassystem '
 condition: selection
 fields:
 - CommandLine
From 56fba156382ec2212a6a237f70dbceb2958d8e37 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 28 Jan 2022 23:14:17 +0100
Subject: [PATCH 16/22] Update process_creation_tool_nircmd.yml
---
 .../process_creation_tool_nircmd.yml | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/rules/windows/process_creation/process_creation_tool_nircmd.yml b/rules/windows/process_creation/process_creation_tool_nircmd.yml
index 5a4592e42..2b9f1644c 100644
--- a/rules/windows/process_creation/process_creation_tool_nircmd.yml
+++ b/rules/windows/process_creation/process_creation_tool_nircmd.yml
@@ -22,12 +22,13 @@ detection:
 - '\nircmdc.exe'
 selection_params:
 CommandLine|contains:
- - 'execmd'
- - 'exec'
- - 'exec2'
- - 'elevate'
- - 'runinteractive'
- condition: 1 of selection*
+ - ' execmd '
+ - ' exec2 '
+ selection_commands:
+ CommandLine|contains:
+ - ' copy '
+ - ' del '
+ condition: selection or ( selection_params and selection_commands )
 fields:
 - CommandLine
 - ParentCommandLine
From dc198461018d86f1195f2911d7153c3d3e58958b Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Fri, 28 Jan 2022 23:43:11 +0100
Subject: [PATCH 17/22] fix: FPs in deprecated rule
---
 .../windows/deprecated/sysmon_mimikatz_detection_lsass.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/rules/windows/deprecated/sysmon_mimikatz_detection_lsass.yml b/rules/windows/deprecated/sysmon_mimikatz_detection_lsass.yml
index facf54321..ef6dcdd0f 100644
--- a/rules/windows/deprecated/sysmon_mimikatz_detection_lsass.yml
+++ b/rules/windows/deprecated/sysmon_mimikatz_detection_lsass.yml
@@ -13,7 +13,7 @@ tags:
 - car.2019-04-004
 author: Sherif Eldeeb
 date: 2017/10/18
-modified: 2021/11/30
+modified: 2022/01/28
 logsource:
 product: windows
 category: process_access
@@ -25,7 +25,9 @@ detection:
 - '0x1010'
 - '0x410'
 filter:
- SourceImage|startswith: 'C:\Program Files\WindowsApps\'
+ SourceImage|startswith:
+ - 'C:\Program Files\WindowsApps\'
+ - 'C:\Windows\System32\'
 SourceImage|endswith: '\GamingServices.exe'
 condition: selection and not filter
 fields:
From c3c13d60896a75bcd98afc6d32a4f4f262638ea3 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sat, 29 Jan 2022 10:07:54 +0100
Subject: [PATCH 18/22] add lnx_pwnkit_local_privilege_escalation
---
 .../lnx_pwnkit_local_privilege_escalation.yml | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 rules/linux/builtin/lnx_pwnkit_local_privilege_escalation.yml
diff --git a/rules/linux/builtin/lnx_pwnkit_local_privilege_escalation.yml b/rules/linux/builtin/lnx_pwnkit_local_privilege_escalation.yml
new file mode 100644
index 000000000..defe1cce7
--- /dev/null
+++ b/rules/linux/builtin/lnx_pwnkit_local_privilege_escalation.yml
@@ -0,0 +1,23 @@
+title: PwnKit Local Privilege Escalation
+id: 0506a799-698b-43b4-85a1-ac4c84c720e9
+status: experimental
+description: Detects potential PwnKit exploitation CVE-2021-4034 in auth logs
+author: Sreeman
+date: 2022/01/26
+references:
+ - https://twitter.com/wdormann/status/1486161836961579020
+logsource:
+ product: linux
+ service: auth
+detection:
+ keyword:
+ - 'pkexec'
+ - 'The value for environment variable XAUTHORITY contains suscipious content'
+ - '[USER=root] [TTY=/dev/pts/0]'
+ condition: all of keyword
+falsepositives:
+ - Unknown
+level: high
+tags:
+ - attack.privilege_escalation
+ - attack.t1548.001
\ No newline at end of file
From 8d5742e83e7372a14fe4fef7b128eb12ac245f02 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 29 Jan 2022 18:17:46 +0100
Subject: [PATCH 19/22] fix: fixing FPs with LSASS access mask in old rule
---
 rules/windows/process_access/sysmon_lsass_memdump.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
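Review bot: `condition: all of keyword` quantifies over selections whose name matches `keyword`, and there is only one, so as far as I can tell the three strings stay OR-ed (a plain list is OR in Sigma) and `pkexec` alone will fire on every pkexec line in the auth log; if the three are meant to co-occur, split them into `keyword_pkexec`, `keyword_xauthority` and `keyword_root` and use `condition: all of keyword_*`. `[TTY=/dev/pts/0]` also pins the detection to a single pseudo-terminal, so the same log line from any other session is missed; `[USER=root] [TTY=/dev/pts/` would not. Note that `suscipious` in the XAUTHORITY string reproduces pkexec's own misspelling of that log message, so a comment such as `# "suscipious" is pkexec's spelling; do not correct` would keep a well-meaning edit from breaking the match. The file also ends without a trailing newline.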
diff --git a/rules/windows/process_access/sysmon_lsass_memdump.yml b/rules/windows/process_access/sysmon_lsass_memdump.yml
index 60177f186..d45b15459 100755
--- a/rules/windows/process_access/sysmon_lsass_memdump.yml
+++ b/rules/windows/process_access/sysmon_lsass_memdump.yml
@@ -4,7 +4,7 @@ status: experimental
 description: Detects process LSASS memory dump using Mimikatz, NanoDump, Invoke-Mimikatz, Procdump or Taskmgr based on the CallTrace pointing to ntdll.dll, dbghelp.dll or dbgcore.dll for win10, server2016 and up.
 author: Samir Bousseaden, Michael Haag
 date: 2019/04/03
-modified: 2022/01/28
+modified: 2022/01/29
 references:
 - https://blog.menasec.net/2019/02/threat-hunting-21-procdump-or-taskmgr.html
 - https://cyberwardog.blogspot.com/2017/03/chronicles-of-threat-hunter-hunting-for_22.html
@@ -27,7 +27,7 @@ detection:
 - '0x1038'
 - '0x40'
 #- '0x1400' # Too many false positives
- - '0x1410'
+ # - '0x1410' # Too many false positives
 - '0x1438'
 - '0x143a'
 CallTrace|contains:
From be238b53ff2310f0bd655085d3b15b996d36ffbc Mon Sep 17 00:00:00 2001
From: Maxime Lamothe-Brassard
Date: Sat, 29 Jan 2022 13:22:48 -0800
Subject: [PATCH 20/22] Fix wildcard-only generation in LimaCharlie.
---
 tools/sigma/backends/limacharlie.py | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/tools/sigma/backends/limacharlie.py b/tools/sigma/backends/limacharlie.py
index 0d5e23a23..6736f5e1b 100644
--- a/tools/sigma/backends/limacharlie.py
+++ b/tools/sigma/backends/limacharlie.py
@@ -514,6 +514,9 @@ class LimaCharlieBackend(BaseBackend):
 }
 if op == "matches":
 newOp["re"] = newVal
+ elif op == "exists":
+ # Exists has no value.
+ pass
 else:
 newOp["value"] = newVal
 if self._postOpMapper is not None:
@@ -532,6 +535,9 @@ class LimaCharlieBackend(BaseBackend):
 }
 if op == "matches":
 newOp["re"] = newVal
+ elif op == "exists":
+ # Exists has no value.
+ pass
 else:
 newOp["value"] = newVal
 if self._postOpMapper is not None:
@@ -588,6 +594,9 @@ class LimaCharlieBackend(BaseBackend):
 if "*" not in val and "?" not in val:
 return ("is", val)
 
+ if val == "*":
+ return ("exists", None)
+
 # Now we do a small optimization for the shortcut operators
 # available in LC. We try to see if the wildcards are around
 # the main value, but NOT within. If that's the case we can
@@ -701,6 +710,9 @@ class LimaCharlieBackend(BaseBackend):
 }
 if op == "matches":
 newOp["re"] = newVal
+ elif op == "exists":
+ # Exists has no value.
+ pass
 else:
 newOp["value"] = newVal
 mapped.append(newOp)
From 027fce7f138fee76432d390eb658348e36b8f637 Mon Sep 17 00:00:00 2001
From: Florian Roth
Date: Sat, 29 Jan 2022 23:55:21 +0100
Subject: [PATCH 21/22] Update sysmon_process_hollowing.yml
---
 rules/windows/sysmon/sysmon_process_hollowing.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/rules/windows/sysmon/sysmon_process_hollowing.yml b/rules/windows/sysmon/sysmon_process_hollowing.yml
index 6ddfdb5f6..7176fdc15 100644
--- a/rules/windows/sysmon/sysmon_process_hollowing.yml
+++ b/rules/windows/sysmon/sysmon_process_hollowing.yml
@@ -11,10 +11,9 @@ tags:
 - attack.t1055.012
 logsource:
 product: windows
- service: sysmon
+ category: process_tampering
 detection:
 selection:
- EventID: 24
 Type: Image is replaced
 condition: selection
 falsepositives:
From 542a901f57cb6fa3f1b41d3bb7b7ee1eced0cb9d Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Sun, 30 Jan 2022 12:03:32 +0100
Subject: [PATCH 22/22] add win_pc_susp_takeown
---
 rules/windows/win_pc_susp_takeown.yml | 29 +++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
 create mode 100644 rules/windows/win_pc_susp_takeown.yml
diff --git a/rules/windows/win_pc_susp_takeown.yml b/rules/windows/win_pc_susp_takeown.yml
new file mode 100644
index 000000000..962297b44
--- /dev/null
+++ b/rules/windows/win_pc_susp_takeown.yml
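Review bot: The `elif op == "exists": pass` branch with its `# Exists has no value.` comment is now copied into three places (the -514 and -532 hunks on the previous line and -701 here) around an otherwise identical `if op == "matches"` / `else` shape; a small private helper that builds the operator dict from `(op, newVal)` would keep the matches/exists/value distinction in one spot instead of three. The comment that actually explains the convention belongs at the new `if val == "*": return ("exists", None)` in the -594 hunk, e.g. `# A bare "*" wildcard only asserts the field is present; "exists" carries no value`, since that is the line a reader will search for. In the first two hunks `self._postOpMapper` is still applied to the exists op; if it reads `newOp["value"]` it will now raise `KeyError`, which I cannot confirm from here because its body is outside the diff. The enclosing methods start and end outside each hunk.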
@@ -0,0 +1,29 @@
+title: Suspicious Recursif Takeown
+id: 554601fb-9b71-4bcc-abf4-21a611be4fde
+status: experimental
+description: Adversaries can interact with the DACLs using built-in Windows commands takeown which can grant adversaries higher permissions on specific files and folders
+author: frack113
+references:
+ - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/takeown
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1222.001/T1222.001.md#atomic-test-1---take-ownership-using-takeown-utility
+date: 2022/01/30
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection:
+ Image|endswith: '\takeown.exe'
+ CommandLine|contains|all:
+ - '/f '
+ - '/r'
+ condition: selection
+fields:
+ - CommandLine
+ - ParentCommandLine
+falsepositives:
+ - Scripts created by developers and admins
+ - Administrative activity
+level: medium
+tags:
+ - attack.defense_evasion
+ - attack.t1222.001
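Review bot: The file lands in `rules/windows/win_pc_susp_takeown.yml` rather than under `rules/windows/process_creation/` where every other `process_creation` rule in this series lives, so the directory-per-category convention is broken. `'/r'` is an unanchored substring and will also match any other argument or path fragment containing `/r`, so anchor it as `' /r'` (takeown's `/R` is matched case-insensitively on backends that fold case), and `'/f '` is safer as `' /f '` for the same reason. The title `Suspicious Recursif Takeown` should read `Suspicious Recursive Takeown`, and the description states what adversaries can do rather than what is detected; `Detects takeown.exe taking ownership of a file tree recursively (/f with /r)` would match the neighbouring rules.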