security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Redcannary 20220828

Browse Source
This commit is contained in:
frack113
2022-08-28 11:16:24 +02:00
parent 46d917f2ca
commit b9a2c720a8
3 changed files with 81 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/windows/network_connection/net_connection_win_script.yml
+24
View File
@@ -0,0 +1,24 @@
title: Script Initiated Connection
id: 08249dc0-a28d-4555-8ba5-9255a198e08c
status: experimental
description: Adversaries may use script to download malicious payloads.
author: frack113
references:
- https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md
date: 2022/08/28
logsource:
category: network_connection
product: windows
detection:
selection:
Initiated: 'true'
Image|endswith:
- '\wscript.exe'
- '\cscript.exe'
condition: selection
falsepositives:
- Legitimate script over networks
level: medium
tags:
- attack.command_and_control
- attack.t1105
rules/windows/process_creation/proc_creation_win_nimgrab.yml
+30
View File
@@ -0,0 +1,30 @@
title: Nimgrab Download File
id: 74a12f18-505c-4114-8d0b-8448dd5485c6
status: experimental
description: Detects usage of nimgrab downloading a file
references:
- https://github.com/redcanaryco/atomic-red-team/blob/28d190330fe44de6ff4767fc400cc10fa7cd6540/atomics/T1105/T1105.md
date: 2022/08/28
author: frack113
logsource:
category: process_creation
product: windows
detection:
selection_name:
Image|endswith: '\nimgrab.exe'
selection_hashes:
Hashes|contains:
- MD5=2DD44C3C29D667F5C0EF5F9D7C7FFB8B
- SHA256=F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559
- IMPHASH=C07FDDD21D123EA9B3A08EEF44AAAC45
selection_hash:
- md5: 2DD44C3C29D667F5C0EF5F9D7C7FFB8B
- sha256: F266609E91985F0FE3E31C5E8FAEEEC4FFA5E0322D8B6F15FE69F4C5165B9559
- imphash: C07FDDD21D123EA9B3A08EEF44AAAC45
condition: 1 of selection_*
falsepositives:
- Legitimate use
level: medium
tags:
- attack.command_and_control
- attack.t1105
rules/windows/registry/registry_set/registry_set_treatas_persistence.yml
+27
View File
@@ -0,0 +1,27 @@
title: COM Hijacking via TreatAs
id: dc5c24af-6995-49b2-86eb-a9ff62199e82
description: Detect modification of TreatAs key to enable "rundll32.exe -sta" command
author: frack113
date: 2022/08/28
status: experimental
references:
- https://github.com/redcanaryco/atomic-red-team/blob/40b77d63808dd4f4eafb83949805636735a1fd15/atomics/T1546.015/T1546.015.md
logsource:
category: registry_set
product: windows
detection:
selection:
EventType: SetValue
TargetObject|endswith: 'TreatAs\(Default)'
filter_office:
Image|startswith: 'C:\Program Files\Common Files\Microsoft Shared\ClickToRun\'
Image|endswith: '\OfficeClickToRun.exe'
filter_office2:
Image: 'C:\Program Files (x86)\Microsoft Office\root\integration\integrator.exe'
condition: selection and not 1 of filter_*
falsepositives:
- Legitimate use.
level: medium
tags:
- attack.persistence
- attack.t1546.015